-- Always enable RLS
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users view own data"
ON projects FOR SELECT
TO authenticated
USING (auth.uid() = user_id);

CREATE POLICY "Users insert own data"
ON projects FOR INSERT
TO authenticated
WITH CHECK (auth.uid() = user_id);

CREATE POLICY "Users update own data"
ON projects FOR UPDATE
TO authenticated
USING (auth.uid() = user_id)
WITH CHECK (auth.uid() = user_id);

CREATE POLICY "Users delete own data"
ON projects FOR DELETE
TO authenticated
USING (auth.uid() = user_id);

-- Users can see projects in their teams
CREATE POLICY "Team members view projects"
ON projects FOR SELECT
TO authenticated
USING (
  team_id IN (
    SELECT team_id FROM team_members
    WHERE user_id = auth.uid()
  )
);

-- Check user role for admin access
CREATE POLICY "Admins can do everything"
ON projects FOR ALL
TO authenticated
USING (
  EXISTS (
    SELECT 1 FROM user_roles
    WHERE user_id = auth.uid()
    AND role = 'admin'
  )
);

import { createClient } from '@supabase/supabase-js';

// This bypasses RLS - use carefully!
const supabaseAdmin = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.SUPABASE_SERVICE_ROLE_KEY!, // Not ANON key!
  { auth: { persistSession: false } }
);

-- Test as specific user
SET request.jwt.claim.sub = 'user-uuid-here';

-- Run query and check results
SELECT * FROM projects;

-- Reset
RESET request.jwt.claim.sub;