package policy

// OutboundRule captures one account's send-side enforcement.
type OutboundRule struct {
	Mode                string // RO | RW
	WhitelistOutEnabled bool
	WhitelistOut        []string
}

// Check reports whether a send to the given recipient set is permitted. On a
// block it returns a stable reason: "ro_mode" (account is read-only) or
// "whitelist_out" (a recipient is not whitelisted). The whole send is blocked
// if any single recipient fails — there is no partial send.
func (r OutboundRule) Check(recipients []string) (bool, string) {
	if r.Mode == "RO" {
		return false, "ro_mode"
	}
	if r.WhitelistOutEnabled {
		for _, addr := range recipients {
			if !MatchAddress(r.WhitelistOut, addr) {
				return false, "whitelist_out"
			}
		}
	}
	return true, ""
}