/* black-ledger-cloud / styles / role.css  —  Role-based visibility (Phase 5)
 *
 * Hides admin-only UI from non-admin sessions. The role is set as a
 * `data-role` attribute on <body> by js/auth/supabase.js after every
 * auth state change. Possible values:
 *
 *   data-role="admin"      — full access (the owner)
 *   data-role="basic"      — regular signed-in user (the mother, friends)
 *   data-role="anonymous"  — not signed in (will be on auth screen anyway)
 *
 * Visual hiding only. JS-level guards (requireAdmin) in supabase.js
 * prevent direct function calls from the console.
 */

/* Hide admin-only UI from basic users */
body[data-role="basic"] .admin-only,
body[data-role="basic"] [data-admin-only="true"] {
  display: none !important;
}

/* Hide admin-only UI from anonymous (defence-in-depth; the auth router
 * already redirects them to /auth/login). */
body[data-role="anonymous"] .admin-only,
body[data-role="anonymous"] [data-admin-only="true"] {
  display: none !important;
}

/* Optional flash-prevention: hide admin-only until role is determined,
 * but only when an element opts in with .role-strict. Most cases let
 * legacy.js initialise without flicker. */
body:not([data-role]) .admin-only.role-strict {
  display: none !important;
}