import { auth } from '@/auth' import { prisma } from '@/lib/prisma' import { NextResponse } from 'next/server' /** * Checks if the authenticated user has explicit GDPR AI processing consent. * Persistent consent: UserAISettings.aiProcessingConsent * Session-only consent: signed JWT claim (not client headers — GDPR-safe) */ export async function hasUserAiConsent(): Promise { const session = await auth() if (!session?.user?.id) { return false } if (session.aiSessionConsent === true) { return true } const settings = await prisma.userAISettings.findUnique({ where: { userId: session.user.id }, select: { aiProcessingConsent: true }, }) return settings?.aiProcessingConsent ?? false } export function aiConsentForbiddenResponse() { return NextResponse.json({ error: 'ai_consent_required' }, { status: 403 }) }