Add ACMCC app source, Supabase backend, and project config

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

supabase/migrations/20260317171128_131fb9c4-6a4d-408a-9d7d-bcde035d4b54.sql

@@ -0,0 +1,60 @@
+
+-- Add new roles to app_role enum for committee members
+ALTER TYPE public.app_role ADD VALUE IF NOT EXISTS 'board_member';
+ALTER TYPE public.app_role ADD VALUE IF NOT EXISTS 'arc_member';
+ALTER TYPE public.app_role ADD VALUE IF NOT EXISTS 'fining_member';
+
+-- Create role_permissions table for feature-area CRUD permissions
+CREATE TABLE public.role_permissions (
+  id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+  role TEXT NOT NULL,
+  feature_area TEXT NOT NULL,
+  can_read BOOLEAN NOT NULL DEFAULT false,
+  can_create BOOLEAN NOT NULL DEFAULT false,
+  can_edit BOOLEAN NOT NULL DEFAULT false,
+  can_delete BOOLEAN NOT NULL DEFAULT false,
+  created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
+  updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
+  UNIQUE(role, feature_area)
+);
+
+ALTER TABLE public.role_permissions ENABLE ROW LEVEL SECURITY;
+
+-- Only admins can manage permissions
+CREATE POLICY "Admins can manage role_permissions"
+ON public.role_permissions
+FOR ALL
+TO authenticated
+USING (public.has_role(auth.uid(), 'admin'::app_role))
+WITH CHECK (public.has_role(auth.uid(), 'admin'::app_role));
+
+-- All authenticated can read permissions (needed to enforce them client-side)
+CREATE POLICY "Authenticated can read role_permissions"
+ON public.role_permissions
+FOR SELECT
+TO authenticated
+USING (true);
+
+-- Seed default permissions for all roles and feature areas
+INSERT INTO public.role_permissions (role, feature_area, can_read, can_create, can_edit, can_delete)
+SELECT r.role, f.feature_area, 
+  CASE WHEN r.role = 'homeowner' THEN 
+    f.feature_area IN ('Owner Portal', 'Documents', 'Announcements', 'Calendar')
+  ELSE true END,
+  CASE WHEN r.role = 'homeowner' THEN false
+       WHEN r.role IN ('board_member','arc_member','fining_member') THEN false
+       ELSE true END,
+  CASE WHEN r.role = 'homeowner' THEN false
+       WHEN r.role IN ('board_member','arc_member','fining_member') THEN false
+       ELSE true END,
+  CASE WHEN r.role IN ('admin') THEN true ELSE false END
+FROM 
+  (VALUES ('admin'),('manager'),('staff'),('employee'),('homeowner'),('board_member'),('arc_member'),('fining_member')) AS r(role),
+  (VALUES ('Financial'),('Owners & Units'),('Violations'),('ARC Applications'),('Collections'),('Documents'),('Announcements'),('Calendar'),('Vendors & Bills'),('Projects'),('Email & Notifications'),('Legal Matters'),('Inspections'),('Owner Portal'),('Board Votes'),('Estoppels'),('Parking')) AS f(feature_area)
+ON CONFLICT (role, feature_area) DO NOTHING;
+
+-- Trigger for updated_at
+CREATE TRIGGER update_role_permissions_updated_at
+BEFORE UPDATE ON public.role_permissions
+FOR EACH ROW
+EXECUTE FUNCTION public.update_updated_at_column();