// Routes signed-in users to the surface that matches their role:
//   - partner staff (User.partnerId set) on '/' → /partner
//   - non-partner-staff hitting /partner/* → /
//
// Runs after the OIDC global middleware (00.auth.global from nuxt-oidc-auth)
// so we know the user is authenticated by the time we get here. /me is
// fetched lazily via useMe() and cached in useState — first nav after sign-in
// pays one round-trip, subsequent navs read from cache.
//
// Auth pages (/auth/*, /signed-out) are skipped because they're public.

export default defineNuxtRouteMiddleware(async (to) => {
  if (to.path.startsWith('/auth/') || to.path === '/signed-out') return

  const { fetchMe, isPartnerStaff } = useMe()
  const me = await fetchMe()
  if (!me) return  // Not signed in yet — OIDC middleware handles the bounce

  if (to.path === '/' && isPartnerStaff.value) {
    return navigateTo('/partner')
  }
  if (to.path.startsWith('/partner') && !isPartnerStaff.value) {
    return navigateTo('/')
  }
})