pn-new-crm/src/app/(dashboard)/layout.tsx

import { redirect } from 'next/navigation';
import { cookies, headers } from 'next/headers';
import { eq } from 'drizzle-orm';

import { auth } from '@/lib/auth';
import { db } from '@/lib/db';
import { ports as portsTable } from '@/lib/db/schema/ports';
import { userPortRoles, userProfiles } from '@/lib/db/schema/users';
import { QueryProvider } from '@/providers/query-provider';
import { SocketProvider } from '@/providers/socket-provider';
import { PortProvider } from '@/providers/port-provider';
import { PermissionsProvider } from '@/providers/permissions-provider';
import { AppShell } from '@/components/layout/app-shell';
import { DevModeBanner } from '@/components/shared/dev-mode-banner';
import { RealtimeToasts } from '@/components/shared/realtime-toasts';
import { WebVitalsReporter } from '@/components/shared/web-vitals-reporter';
import { classifyFormFactor } from '@/lib/form-factor';
import { getPortBrandingConfig } from '@/lib/services/port-config';

export default async function DashboardLayout({ children }: { children: React.ReactNode }) {
  const headerList = await headers();
  const session = await auth.api.getSession({ headers: headerList });
  if (!session?.user) redirect('/login');

  // Super admins have implicit access to every port; everyone else only sees
  // ports they have an explicit user_port_roles row for.
  const profile = await db.query.userProfiles.findFirst({
    where: eq(userProfiles.userId, session.user.id),
  });

  const portRoles = await db.query.userPortRoles.findMany({
    where: eq(userPortRoles.userId, session.user.id),
    with: { port: true, role: true },
  });

  const ports = profile?.isSuperAdmin
    ? await db.query.ports.findMany({ orderBy: portsTable.name })
    : portRoles.map((pr) => pr.port);

  // Prefer a previously-resolved tier from the client's cookie so the
  // server renders the matching shell on first paint — eliminates the
  // mobile↔desktop chrome flicker that happens when UA-based classification
  // disagrees with the actual viewport (e.g. macOS Safari with the
  // window dragged below 1024). AppShell writes the cookie after the
  // first matchMedia evaluation; subsequent reloads use the hint.
  const cookieStore = await cookies();
  const tierCookie = cookieStore.get('pn-crm.viewport-tier')?.value;
  const initialFormFactor: 'mobile' | 'desktop' =
    tierCookie === 'mobile'
      ? 'mobile'
      : tierCookie === 'tablet' || tierCookie === 'desktop'
        ? 'desktop'
        : classifyFormFactor(headerList.get('user-agent'));
  const user = {
    name: profile?.displayName ?? session.user.name ?? session.user.email,
    email: session.user.email,
  };

  // Per-port logo map for the sidebar. Resolved server-side so the
  // sidebar can swap brand on port switch without an extra round-trip.
  // Falls back to null per port when no logo is configured — the
  // sidebar surfaces nothing rather than leaking a generic placeholder.
  const portBrandingEntries = await Promise.all(
    ports.map(async (p) => {
      try {
        const cfg = await getPortBrandingConfig(p.id);
        return [p.id, cfg.logoUrl] as const;
      } catch {
        return [p.id, null] as const;
      }
    }),
  );
  const portLogoUrls: Record<string, string | null> = Object.fromEntries(portBrandingEntries);

  return (
    <QueryProvider>
      <PortProvider ports={ports} defaultPortId={ports[0]?.id ?? null}>
        <PermissionsProvider>
          <SocketProvider>
            <RealtimeToasts />
            <WebVitalsReporter />
            {/* Sticky banner across the app whenever EMAIL_REDIRECT_TO is
                set so reps + admins always know outbound mail is being
                rerouted. Production hides itself (env.ts forbids the
                flag in prod) so the banner is dev/staging-only. */}
            <DevModeBanner />
            {/* #26: AppShell mounts ONE responsive tree (desktop OR
             *  mobile) per render — never both — so pages don't pay the
             *  double-state, double-fetch, double-Tabs-provider tax. */}
            <AppShell
              portRoles={portRoles}
              isSuperAdmin={profile?.isSuperAdmin ?? false}
              user={user}
              ports={ports}
              portLogoUrls={portLogoUrls}
              initialFormFactor={initialFormFactor}
            >
              {children}
            </AppShell>
          </SocketProvider>
        </PermissionsProvider>
      </PortProvider>
    </QueryProvider>
  );
}