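-- Security lint remediations
--
-- Re-runnable: the view is replaced in place and every policy is dropped
-- (if present) before it is recreated.
-- NOTE(review): a drop policy / create policy pair is not atomic on its own.
-- Run this file in a single transaction (or confirm the migration runner does)
-- so a failure cannot leave a policy dropped but not recreated.

-- 1) Make view_searchable_tags SECURITY INVOKER (avoid definer semantics).
--    With security_invoker = true, access to posts is checked against the
--    privileges and row-level-security policies of the role querying the view,
--    not of the view owner. Callers therefore need SELECT on posts, and the
--    counts only cover the posts rows that caller is allowed to see.
--    The security_invoker view option requires PostgreSQL 15 or later.
create or replace view view_searchable_tags
with (security_invoker = true) as
select
    unnest(tags) as tag,
    count(*) as count
from posts
where deleted_at is null
    and tags is not null
    and array_length(tags, 1) > 0
group by unnest(tags)
order by count desc;

-- 2) Enable RLS on notifications with per-user visibility.
--    `enable` (as opposed to `force`) row level security does not apply to the
--    table owner or to roles with BYPASSRLS; every other role sees only what
--    the policies below allow.
-- NOTE(review): `if exists` guards only this statement; the create policy
-- statements below still fail when notifications is missing.
alter table if exists notifications enable row level security;

-- Per-user read access: a row is visible only when its user_id equals the
-- caller's auth.uid(). A caller for which auth.uid() is null matches no rows.
-- The call is wrapped in a scalar subquery so it can be evaluated once per
-- statement instead of once per row (assumes auth.uid() returns the same value
-- for the whole statement -- TODO confirm).
-- NOTE(review): there is no TO clause, so the policy is attached to every role.
drop policy if exists "Users can view own notifications" on notifications;
create policy "Users can view own notifications"
    on notifications
    for select
    using (user_id = (select auth.uid()));

-- Allow inserts/updates/deletes via service role (if your functions need it).
-- `for all` also covers select, so this policy grants full read access too.
-- NOTE(review): there is no TO clause, so the policy is attached to every role
-- and access is decided only by the value auth.role() returns. Presumably that
-- value comes from the request context rather than from the connected database
-- role -- confirm. If a database role named service_role exists, adding
-- `to service_role` ties the policy to that role; if that role has BYPASSRLS,
-- it skips RLS and this policy is not needed for it.
drop policy if exists "Service role manages notifications" on notifications;
create policy "Service role manages notifications"
    on notifications
    for all
    using ((select auth.role()) = 'service_role')
    with check ((select auth.role()) = 'service_role');

-- 3) Enforce RLS on spatial_ref_sys unconditionally (run as owner/superuser).
--    There is no `if exists` guard here, so the statement fails when the table
--    is missing or the current role does not own it.
--    As in section 2, this is `enable`, not `force`: the table owner and
--    BYPASSRLS roles are still exempt.
alter table spatial_ref_sys enable row level security;

-- Read-only for everyone: using (true) exposes every row to SELECT, and no
-- policy permits INSERT/UPDATE/DELETE for roles that are subject to RLS.
drop policy if exists "Public read spatial_ref_sys" on spatial_ref_sys;
create policy "Public read spatial_ref_sys"
    on spatial_ref_sys
    for select
    using (true);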