Add ACMCC app source, Supabase backend, and project config

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

supabase/migrations/20260317163948_7db012dd-5f9c-4e5b-9a54-d469582a0c07.sql

@@ -0,0 +1,102 @@
+
+-- Project comments/discussion table
+CREATE TABLE public.project_comments (
+  id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+  project_id UUID NOT NULL REFERENCES public.projects(id) ON DELETE CASCADE,
+  user_id UUID NOT NULL,
+  content TEXT NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+ALTER TABLE public.project_comments ENABLE ROW LEVEL SECURITY;
+
+-- Project files table
+CREATE TABLE public.project_files (
+  id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+  project_id UUID NOT NULL REFERENCES public.projects(id) ON DELETE CASCADE,
+  user_id UUID NOT NULL,
+  file_name TEXT NOT NULL,
+  file_url TEXT NOT NULL,
+  file_size BIGINT,
+  mime_type TEXT,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+ALTER TABLE public.project_files ENABLE ROW LEVEL SECURITY;
+
+-- Storage bucket for project files
+INSERT INTO storage.buckets (id, name, public) VALUES ('project-files', 'project-files', true);
+
+-- Enable realtime for comments
+ALTER PUBLICATION supabase_realtime ADD TABLE public.project_comments;
+
+-- RLS for project_comments: authenticated users can read all, insert own
+CREATE POLICY "Authenticated users can read project comments"
+  ON public.project_comments FOR SELECT TO authenticated USING (true);
+
+CREATE POLICY "Authenticated users can insert own comments"
+  ON public.project_comments FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() = user_id);
+
+CREATE POLICY "Users can update own comments"
+  ON public.project_comments FOR UPDATE TO authenticated
+  USING (auth.uid() = user_id);
+
+CREATE POLICY "Users can delete own comments"
+  ON public.project_comments FOR DELETE TO authenticated
+  USING (auth.uid() = user_id);
+
+-- RLS for project_files: authenticated users can read all, insert own
+CREATE POLICY "Authenticated users can read project files"
+  ON public.project_files FOR SELECT TO authenticated USING (true);
+
+CREATE POLICY "Authenticated users can upload files"
+  ON public.project_files FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() = user_id);
+
+CREATE POLICY "Users can delete own files"
+  ON public.project_files FOR DELETE TO authenticated
+  USING (auth.uid() = user_id);
+
+-- Admin/manager can delete any file
+CREATE POLICY "Admins can delete any file"
+  ON public.project_files FOR DELETE TO authenticated
+  USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));
+
+-- Storage policies for project-files bucket
+CREATE POLICY "Authenticated users can read project files storage"
+  ON storage.objects FOR SELECT TO authenticated
+  USING (bucket_id = 'project-files');
+
+CREATE POLICY "Authenticated users can upload project files storage"
+  ON storage.objects FOR INSERT TO authenticated
+  WITH CHECK (bucket_id = 'project-files');
+
+CREATE POLICY "Users can delete own project files storage"
+  ON storage.objects FOR DELETE TO authenticated
+  USING (bucket_id = 'project-files');
+
+-- Update projects RLS: drop old policy, add new ones allowing clients to create and view
+DROP POLICY IF EXISTS "Staff full access on projects" ON public.projects;
+
+-- Admins/managers full access
+CREATE POLICY "Admin manager full access on projects"
+  ON public.projects FOR ALL TO authenticated
+  USING (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'))
+  WITH CHECK (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'));
+
+-- All authenticated can read projects
+CREATE POLICY "Authenticated users can view projects"
+  ON public.projects FOR SELECT TO authenticated
+  USING (true);
+
+-- All authenticated can create projects
+CREATE POLICY "Authenticated users can create projects"
+  ON public.projects FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() = created_by);
+
+-- Users can update own projects (but not status to completed - enforced in app)
+CREATE POLICY "Users can update own projects"
+  ON public.projects FOR UPDATE TO authenticated
+  USING (auth.uid() = created_by);