
-- Add new roles to the enum
ALTER TYPE public.app_role ADD VALUE IF NOT EXISTS 'admin';
ALTER TYPE public.app_role ADD VALUE IF NOT EXISTS 'security_officer';

COMMIT;

-- Update RLS policies on security_guards to include new manager roles
DROP POLICY IF EXISTS "Managers can insert guards" ON public.security_guards;
DROP POLICY IF EXISTS "Managers can update guards" ON public.security_guards;
DROP POLICY IF EXISTS "Managers can delete guards" ON public.security_guards;

CREATE POLICY "Managers can insert guards" ON public.security_guards
FOR INSERT TO authenticated
WITH CHECK (public.has_any_role(auth.uid(), ARRAY['super_admin','admin','company_admin','ops_manager','security_officer','supervisor']::app_role[]));

CREATE POLICY "Managers can update guards" ON public.security_guards
FOR UPDATE TO authenticated
USING (public.has_any_role(auth.uid(), ARRAY['super_admin','admin','company_admin','ops_manager','security_officer','supervisor']::app_role[]));

CREATE POLICY "Managers can delete guards" ON public.security_guards
FOR DELETE TO authenticated
USING (public.has_any_role(auth.uid(), ARRAY['super_admin','admin','company_admin','ops_manager','security_officer']::app_role[]));
