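-- Enable RLS and define policies for filesystem tables
--
-- Notes on how these policies compose:
--   * Postgres policies are permissive and OR'd together. The "for all" policy on
--     public.files therefore already grants what the per-command policies on that
--     table grant; the per-command ones are kept because they scope explicitly to
--     the authenticated role.
--   * Every ownership predicate below compares against auth.uid(). This relies on
--     auth.uid() returning NULL when no user is signed in, so that anonymous
--     callers match no rows -- TODO confirm against the auth schema in use.
--   * RLS is enabled, not forced: table owners and roles with BYPASSRLS are not
--     subject to these policies.

-- 1) Enable RLS
alter table if exists public.file_cabinets enable row level security;
alter table if exists public.files enable row level security;
alter table if exists public.brain_files enable row level security;
alter table if exists public.document_artefacts enable row level security;

-- 2) File cabinets: a user can read and write only cabinets they own.
--    with check keeps inserts/updates from assigning a cabinet to another user.
drop policy if exists "User can access own cabinets" on public.file_cabinets;
create policy "User can access own cabinets" on public.file_cabinets
    using (user_id = auth.uid())
    with check (user_id = auth.uid());

-- 3) Files: ownership is derived from the enclosing cabinet.
drop policy if exists "User can access files in own cabinet" on public.files;
create policy "User can access files in own cabinet" on public.files
    using (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ))
    with check (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ));

drop policy if exists "User can insert files into own cabinet" on public.files;
create policy "User can insert files into own cabinet" on public.files
    for insert
    to authenticated
    with check (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ));

drop policy if exists "User can update files in own cabinet" on public.files;
create policy "User can update files in own cabinet" on public.files
    for update
    to authenticated
    using (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ))
    with check (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ));

drop policy if exists "User can delete files from own cabinet" on public.files;
create policy "User can delete files from own cabinet" on public.files
    for delete
    using (exists (
        select 1
        from public.file_cabinets c
        where c.id = files.cabinet_id
          and c.user_id = auth.uid()
    ));

-- 4) Brain-files: allow linking owned files to owned brains.
--    The with check clause mirrors the using clause. An unconditional
--    with check (true) would let any caller insert a row linking an arbitrary
--    brain_id to an arbitrary file_id, bypassing the ownership rule that the
--    using clause enforces for reads, updates and deletes.
drop policy if exists "User can link files they own to their brains" on public.brain_files;
create policy "User can link files they own to their brains" on public.brain_files
    using (
        exists (
            select 1
            from public.brains b
            where b.id = brain_files.brain_id
              and b.user_id = auth.uid()
        )
        and exists (
            select 1
            from public.files f
            join public.file_cabinets c on f.cabinet_id = c.id
            where f.id = brain_files.file_id
              and c.user_id = auth.uid()
        )
    )
    with check (
        exists (
            select 1
            from public.brains b
            where b.id = brain_files.brain_id
              and b.user_id = auth.uid()
        )
        and exists (
            select 1
            from public.files f
            join public.file_cabinets c on f.cabinet_id = c.id
            where f.id = brain_files.file_id
              and c.user_id = auth.uid()
        )
    );

-- 5) Document artefacts: allow reads to owners via file cabinet, writes via service_role.
--    Owners intentionally get no insert/update policy here.
drop policy if exists "artefacts_read_by_owner" on public.document_artefacts;
create policy "artefacts_read_by_owner" on public.document_artefacts
    for select
    to authenticated
    using (exists (
        select 1
        from public.files f
        join public.file_cabinets c on f.cabinet_id = c.id
        where f.id = document_artefacts.file_id
          and c.user_id = auth.uid()
    ));

drop policy if exists "artefacts_rw_service" on public.document_artefacts;
create policy "artefacts_rw_service" on public.document_artefacts
    to service_role
    using (true)
    with check (true);

-- Allow owners to delete their artefacts (needed for cascades under RLS)
drop policy if exists "artefacts_delete_by_owner" on public.document_artefacts;
create policy "artefacts_delete_by_owner" on public.document_artefacts
    for delete
    to authenticated
    using (exists (
        select 1
        from public.files f
        join public.file_cabinets c on f.cabinet_id = c.id
        where f.id = document_artefacts.file_id
          and c.user_id = auth.uid()
    ));

-- File vectors RLS and policies are defined in 67-vectors.sql after the table is created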