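-- ============================================================================
-- Asaas Gateway — RLS policies
-- ----------------------------------------------------------------------------
-- Owner-scoped: each therapist sees only the customers/payments of their own
-- tenant; public.is_tenant_member(tenant_id) decides membership.
--
-- Client-side writes are blocked: only the Edge Functions, running as the
-- service role (which, per this migration's assumption, bypasses RLS), may
-- write. The browser only reads (to show the QR code, payment status, etc).
--
-- The write-deny policies below are declared AS RESTRICTIVE on purpose.
-- A PERMISSIVE policy with a constant-false predicate grants nothing but
-- also blocks nothing — it is a no-op, and the "block" would in fact only
-- come from default-deny (RLS enabled, no matching permissive policy).
-- A RESTRICTIVE policy is AND-ed with every permissive policy, so even if a
-- later migration adds a permissive INSERT/UPDATE/DELETE policy for
-- `authenticated`, client writes stay denied unless these policies are
-- dropped deliberately.
--
-- All policies are scoped TO authenticated; the `anon` role matches no policy
-- and therefore gets no rows at all (default-deny).
--
-- NOTE(review): RLS is not applied to the table owner or to roles with
-- BYPASSRLS unless FORCE ROW LEVEL SECURITY is set — that is how the service
-- role gets through. Confirm no owner-privileged role is reachable from the
-- client, and that is_tenant_member()/is_saas_admin() are not redefinable by
-- client roles (their definitions are outside this file).
--
-- API keys in payment_settings already have RLS (not duplicated here).
-- ============================================================================
BEGIN;

-- ──────────────────────────────────────────────────────────────────────────
-- asaas_customers
-- ──────────────────────────────────────────────────────────────────────────
ALTER TABLE public.asaas_customers ENABLE ROW LEVEL SECURITY;

-- Read: only members of the row's tenant.
CREATE POLICY asaas_customers_member_select
    ON public.asaas_customers
    FOR SELECT
    TO authenticated
    USING (public.is_tenant_member(tenant_id));

-- INSERT/UPDATE/DELETE blocked for clients — Edge Functions use service_role,
-- which bypasses RLS. RESTRICTIVE so the deny survives future permissive policies.
CREATE POLICY asaas_customers_no_client_write
    ON public.asaas_customers
    AS RESTRICTIVE
    FOR INSERT
    TO authenticated
    WITH CHECK (false);

CREATE POLICY asaas_customers_no_client_update
    ON public.asaas_customers
    AS RESTRICTIVE
    FOR UPDATE
    TO authenticated
    USING (false);

CREATE POLICY asaas_customers_no_client_delete
    ON public.asaas_customers
    AS RESTRICTIVE
    FOR DELETE
    TO authenticated
    USING (false);

-- ──────────────────────────────────────────────────────────────────────────
-- asaas_payments
-- ──────────────────────────────────────────────────────────────────────────
ALTER TABLE public.asaas_payments ENABLE ROW LEVEL SECURITY;

-- Read: only members of the row's tenant.
CREATE POLICY asaas_payments_member_select
    ON public.asaas_payments
    FOR SELECT
    TO authenticated
    USING (public.is_tenant_member(tenant_id));

-- Client writes denied (service_role only); RESTRICTIVE for the same reason as above.
CREATE POLICY asaas_payments_no_client_write
    ON public.asaas_payments
    AS RESTRICTIVE
    FOR INSERT
    TO authenticated
    WITH CHECK (false);

CREATE POLICY asaas_payments_no_client_update
    ON public.asaas_payments
    AS RESTRICTIVE
    FOR UPDATE
    TO authenticated
    USING (false);

CREATE POLICY asaas_payments_no_client_delete
    ON public.asaas_payments
    AS RESTRICTIVE
    FOR DELETE
    TO authenticated
    USING (false);

-- ──────────────────────────────────────────────────────────────────────────
-- asaas_webhook_events
-- ──────────────────────────────────────────────────────────────────────────
-- Audit table — saas_admin reads it for debugging. Tenant members do not see it.
ALTER TABLE public.asaas_webhook_events ENABLE ROW LEVEL SECURITY;

CREATE POLICY asaas_webhook_events_saas_admin_select
    ON public.asaas_webhook_events
    FOR SELECT
    TO authenticated
    USING (public.is_saas_admin());

-- Append-only from the service role; no client may insert, and nobody may
-- rewrite or delete audit rows through the client roles.
CREATE POLICY asaas_webhook_events_no_client_write
    ON public.asaas_webhook_events
    AS RESTRICTIVE
    FOR INSERT
    TO authenticated
    WITH CHECK (false);

CREATE POLICY asaas_webhook_events_no_update
    ON public.asaas_webhook_events
    AS RESTRICTIVE
    FOR UPDATE
    TO authenticated
    USING (false);

CREATE POLICY asaas_webhook_events_no_delete
    ON public.asaas_webhook_events
    AS RESTRICTIVE
    FOR DELETE
    TO authenticated
    USING (false);

COMMIT;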