export function canAct(actor, action, entity_type) {
  if (!actor) return 'deny';
  if (actor.kind === 'user') return 'allow';
  if (actor.kind === 'cron' || actor.kind === 'worker' || actor.kind === 'system') return 'allow';

  if (actor.kind !== 'agent') return 'deny';

  const caps = actor.capabilities || {};
  const scopes = actor.scopes || {};

  if (action === 'read') return caps.read ? 'allow' : 'deny';

  const isMutation = ['create','update','delete'].includes(action);
  if (!isMutation) return 'deny';

  if (caps.write && scopes[entity_type]) return 'allow';
  if (caps.suggest) return 'suggest';
  return 'deny';
}