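-- ============================================================
-- Fix: RLS for addon_credits and addon_transactions
--   1. SaaS admin: full access
--   2. Tenant members: SELECT on their own credits/transactions
-- Agência PSI — 2026-03-22
-- ============================================================
--
-- Review notes:
--   * No policy below is declared AS RESTRICTIVE, so all are permissive:
--     a row is accessible as soon as ANY applicable policy passes.
--   * Policies only take effect once row level security is enabled on the
--     table. This file contains no ENABLE ROW LEVEL SECURITY statement;
--     presumably an earlier migration does it — TODO confirm.
--   * The admin check reads public.saas_admins with the caller's own
--     privileges. If that table is itself protected by RLS or lacks a
--     SELECT grant for `authenticated`, the EXISTS test evaluates to false
--     or errors for real admins — TODO confirm against its definition.
--   * saas_admins.user_id is referenced through the alias `sa`. An
--     unqualified user_id would fall back to a same-named column of the
--     policy's own table if saas_admins ever lost or renamed that column,
--     silently changing who passes the check; the qualified form makes
--     CREATE POLICY fail instead.

-- ── addon_products: admin may do everything (CRUD) ────────────
DROP POLICY IF EXISTS "addon_products_admin_all" ON public.addon_products;
CREATE POLICY "addon_products_admin_all"
    ON public.addon_products
    FOR ALL
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    );

-- ── addon_credits: admin may see every row ────────────────────
DROP POLICY IF EXISTS "addon_credits_admin_select" ON public.addon_credits;
CREATE POLICY "addon_credits_admin_select"
    ON public.addon_credits
    FOR SELECT
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    );

-- ── addon_credits: admin may insert/update ────────────────────
-- FOR ALL also covers SELECT and DELETE, so this policy is broader than
-- "insert/update" and already subsumes addon_credits_admin_select.
-- NOTE(review): if admins are not meant to delete credit rows, split this
-- into separate FOR INSERT and FOR UPDATE policies.
DROP POLICY IF EXISTS "addon_credits_admin_write" ON public.addon_credits;
CREATE POLICY "addon_credits_admin_write"
    ON public.addon_credits
    FOR ALL
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    )
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    );

-- ── addon_transactions: admin may see every row ───────────────
DROP POLICY IF EXISTS "addon_transactions_admin_select" ON public.addon_transactions;
CREATE POLICY "addon_transactions_admin_select"
    ON public.addon_transactions
    FOR SELECT
    TO authenticated
    USING (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    );

-- ── addon_transactions: admin may insert ──────────────────────
-- This file creates no UPDATE or DELETE policy on addon_transactions.
-- Unless another migration adds one, rows cannot be modified or removed
-- through the `authenticated` role — presumably intentional for a
-- transaction ledger; TODO confirm.
DROP POLICY IF EXISTS "addon_transactions_admin_insert" ON public.addon_transactions;
CREATE POLICY "addon_transactions_admin_insert"
    ON public.addon_transactions
    FOR INSERT
    TO authenticated
    WITH CHECK (
        EXISTS (
            SELECT 1
            FROM public.saas_admins AS sa
            WHERE sa.user_id = auth.uid()
        )
    );

-- ══════════════════════════════════════════════════════════════
-- Fixes the tenant-member policies (SELECT)
-- The original policy compared tenant_id = auth.uid(), but auth.uid()
-- is the user_id, not the tenant_id. is_tenant_member() is used instead.
-- ══════════════════════════════════════════════════════════════
-- NOTE(review): public.is_tenant_member() is defined outside this file.
-- It decides cross-tenant isolation for both policies below, so confirm
-- that it checks membership of the calling user (auth.uid()) in the given
-- tenant.
-- NOTE(review): the `owner_id = auth.uid()` branch grants read access
-- regardless of current tenant membership, so a user removed from a tenant
-- keeps seeing rows they own — confirm that is intended.

-- addon_credits: a tenant member sees the credits of their tenant
DROP POLICY IF EXISTS "addon_credits_select_own" ON public.addon_credits;
CREATE POLICY "addon_credits_select_own"
    ON public.addon_credits
    FOR SELECT
    TO authenticated
    USING (
        public.is_tenant_member(tenant_id)
        OR owner_id = auth.uid()
    );

-- addon_transactions: a tenant member sees the transactions of their tenant
DROP POLICY IF EXISTS "addon_transactions_select_own" ON public.addon_transactions;
CREATE POLICY "addon_transactions_select_own"
    ON public.addon_transactions
    FOR SELECT
    TO authenticated
    USING (
        public.is_tenant_member(tenant_id)
        OR owner_id = auth.uid()
    );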