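-- ============================================================================
-- E2EE Policy Fix Migration
-- ============================================================================
-- This migration safely recreates policies that may have failed on initial run.
-- Uses DROP IF EXISTS before CREATE to be idempotent.
--
-- Security notes (review):
--   * A policy has no effect unless ROW LEVEL SECURITY is enabled on its table.
--     The base migration presumably enabled it; this file now re-asserts it
--     (idempotent) so the policies below cannot silently become no-ops.
--   * Policies are scoped TO authenticated (assumes the standard Supabase roles
--     anon / authenticated / service_role). auth.uid() is NULL for anon, so the
--     `=` comparison already denied it; naming the role makes that explicit and
--     skips policy evaluation for anon altogether.
--   * UPDATE policies spell out WITH CHECK. Postgres already applies USING to
--     the new row when WITH CHECK is omitted, so behaviour is unchanged, but the
--     intent (a user cannot re-home a row to another user_id) is now visible.
--   * No DELETE policies exist in this file, so deletes are denied for every
--     role subject to RLS. Presumably intentional for these tables — confirm.
--   * DROP POLICY followed by CREATE POLICY leaves a brief window with no
--     policy. With RLS enabled that window is fail-closed (deny all). If the
--     migration runner does not already wrap this file in a transaction, run it
--     inside BEGIN/COMMIT so the swap is atomic.
-- ============================================================================

-- ============================================================================
-- 1. Fix e2ee_session_commands policies
-- ============================================================================
ALTER TABLE e2ee_session_commands ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS session_commands_select_own ON e2ee_session_commands;
DROP POLICY IF EXISTS session_commands_insert_own ON e2ee_session_commands;
DROP POLICY IF EXISTS session_commands_update_own ON e2ee_session_commands;

-- Owner-only read.
CREATE POLICY session_commands_select_own ON e2ee_session_commands
    FOR SELECT
    TO authenticated
    USING (auth.uid() = user_id);

-- A caller may only insert rows attributed to itself.
CREATE POLICY session_commands_insert_own ON e2ee_session_commands
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = user_id);

-- Owner-only write; WITH CHECK blocks re-assigning user_id to someone else.
CREATE POLICY session_commands_update_own ON e2ee_session_commands
    FOR UPDATE
    TO authenticated
    USING (auth.uid() = user_id)
    WITH CHECK (auth.uid() = user_id);

-- ============================================================================
-- 2. Fix e2ee_session_events policies
-- ============================================================================
ALTER TABLE e2ee_session_events ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS session_events_select_own ON e2ee_session_events;
DROP POLICY IF EXISTS session_events_insert_own ON e2ee_session_events;
DROP POLICY IF EXISTS session_events_update_own ON e2ee_session_events;

-- Owner-only read.
CREATE POLICY session_events_select_own ON e2ee_session_events
    FOR SELECT
    TO authenticated
    USING (auth.uid() = user_id);

-- A caller may only insert rows attributed to itself.
CREATE POLICY session_events_insert_own ON e2ee_session_events
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = user_id);

-- Owner-only write; WITH CHECK blocks re-assigning user_id to someone else.
CREATE POLICY session_events_update_own ON e2ee_session_events
    FOR UPDATE
    TO authenticated
    USING (auth.uid() = user_id)
    WITH CHECK (auth.uid() = user_id);

-- ============================================================================
-- 3. Fix e2ee_decryption_failures policies
-- ============================================================================
-- Ownership column here is recipient_id, not user_id.
ALTER TABLE e2ee_decryption_failures ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS decryption_failures_select_own ON e2ee_decryption_failures;
DROP POLICY IF EXISTS decryption_failures_insert_own ON e2ee_decryption_failures;
DROP POLICY IF EXISTS decryption_failures_update_own ON e2ee_decryption_failures;

-- Only the recipient who failed to decrypt may read the record.
CREATE POLICY decryption_failures_select_own ON e2ee_decryption_failures
    FOR SELECT
    TO authenticated
    USING (auth.uid() = recipient_id);

-- A caller may only report failures for itself.
CREATE POLICY decryption_failures_insert_own ON e2ee_decryption_failures
    FOR INSERT
    TO authenticated
    WITH CHECK (auth.uid() = recipient_id);

-- Recipient-only write; WITH CHECK blocks re-assigning recipient_id.
CREATE POLICY decryption_failures_update_own ON e2ee_decryption_failures
    FOR UPDATE
    TO authenticated
    USING (auth.uid() = recipient_id)
    WITH CHECK (auth.uid() = recipient_id);

-- ============================================================================
-- 4. Fix e2ee_session_state policies
-- ============================================================================
-- Only the SELECT policy is (re)created here. No INSERT/UPDATE policy appears
-- in this file, so client-side writes are denied under RLS unless another
-- migration defines them — verify that is the intended write path.
ALTER TABLE e2ee_session_state ENABLE ROW LEVEL SECURITY;

DROP POLICY IF EXISTS session_state_select_own ON e2ee_session_state;

-- Both ends of a session (user_id and peer_id) may read its state.
CREATE POLICY session_state_select_own ON e2ee_session_state
    FOR SELECT
    TO authenticated
    USING (auth.uid() = user_id OR auth.uid() = peer_id);

-- ============================================================================
-- 5. Safely add tables to realtime publication (ignore if already added)
-- ============================================================================
-- Anything published here is fanned out to realtime subscribers, so the RLS
-- policies above are the only thing scoping who sees these change events —
-- keep them tight. The existence check is not schema-qualified; it assumes no
-- same-named table in another schema is already in the publication.
DO $$
BEGIN
    -- Add e2ee_session_events if not already in publication
    IF NOT EXISTS (
        SELECT 1
        FROM pg_publication_tables
        WHERE pubname = 'supabase_realtime'
          AND tablename = 'e2ee_session_events'
    ) THEN
        ALTER PUBLICATION supabase_realtime ADD TABLE e2ee_session_events;
    END IF;

    -- Add e2ee_session_commands if not already in publication
    IF NOT EXISTS (
        SELECT 1
        FROM pg_publication_tables
        WHERE pubname = 'supabase_realtime'
          AND tablename = 'e2ee_session_commands'
    ) THEN
        ALTER PUBLICATION supabase_realtime ADD TABLE e2ee_session_commands;
    END IF;

    -- Add e2ee_session_state if not already in publication
    IF NOT EXISTS (
        SELECT 1
        FROM pg_publication_tables
        WHERE pubname = 'supabase_realtime'
          AND tablename = 'e2ee_session_state'
    ) THEN
        ALTER PUBLICATION supabase_realtime ADD TABLE e2ee_session_state;
    END IF;
END $$;

-- ============================================================================
-- 6. Ensure event type constraint includes all types
-- ============================================================================
-- ADD CONSTRAINT validates existing rows, so this migration fails loudly if
-- any stored event_type is outside the list below — that is the intended
-- behaviour; do not add NOT VALID to silence it. The CHECK limits values only;
-- who may write rows is governed by the RLS policies in section 2.
ALTER TABLE e2ee_session_events
    DROP CONSTRAINT IF EXISTS e2ee_session_events_event_type_check;

ALTER TABLE e2ee_session_events
    ADD CONSTRAINT e2ee_session_events_event_type_check
    CHECK (event_type IN (
        'session_reset',
        'conversation_cleanup',
        'key_refresh',
        'decryption_failure',
        'session_mismatch',
        'session_established'
    ));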