Add ACMCC app source, Supabase backend, and project config

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

supabase/migrations/20260411181324_5751f0fa-0a75-48c1-be50-a0e05bd739e4.sql

@@ -0,0 +1,192 @@
+
+-- Fix all association-scoped policies to include staff bypass
+
+-- billable_expenses
+DROP POLICY IF EXISTS "Users can view own association billable expenses" ON public.billable_expenses;
+CREATE POLICY "Users can view own association billable expenses"
+  ON public.billable_expenses FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- annual_meetings
+DROP POLICY IF EXISTS "Users can view own association annual meetings" ON public.annual_meetings;
+CREATE POLICY "Users can view own association annual meetings"
+  ON public.annual_meetings FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- journal_entries
+DROP POLICY IF EXISTS "Users can view own association journal entries" ON public.journal_entries;
+CREATE POLICY "Users can view own association journal entries"
+  ON public.journal_entries FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- parking_records
+DROP POLICY IF EXISTS "Users can view own association parking records" ON public.parking_records;
+CREATE POLICY "Users can view own association parking records"
+  ON public.parking_records FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- projects
+DROP POLICY IF EXISTS "Users can view own association projects" ON public.projects;
+CREATE POLICY "Users can view own association projects"
+  ON public.projects FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- unit_timeline_events
+DROP POLICY IF EXISTS "Users can view own association timeline events" ON public.unit_timeline_events;
+CREATE POLICY "Users can view own association timeline events"
+  ON public.unit_timeline_events FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- document_validation_proofs
+DROP POLICY IF EXISTS "Users can view own association proofs" ON public.document_validation_proofs;
+CREATE POLICY "Users can view own association proofs"
+  ON public.document_validation_proofs FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+  );
+
+-- board_resources
+DROP POLICY IF EXISTS "Users can view own association board resources" ON public.board_resources;
+CREATE POLICY "Users can view own association board resources"
+  ON public.board_resources FOR SELECT TO authenticated
+  USING (
+    is_active = true AND (
+      has_role(auth.uid(), 'admin'::app_role)
+      OR has_role(auth.uid(), 'manager'::app_role)
+      OR association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- arc_application_comments (join-based)
+DROP POLICY IF EXISTS "Users can view own association arc comments" ON public.arc_application_comments;
+CREATE POLICY "Users can view own association arc comments"
+  ON public.arc_application_comments FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.arc_applications a
+      WHERE a.id = arc_application_comments.application_id
+      AND a.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- arc_application_votes (join-based)
+DROP POLICY IF EXISTS "Users can view own association arc votes" ON public.arc_application_votes;
+CREATE POLICY "Users can view own association arc votes"
+  ON public.arc_application_votes FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.arc_applications a
+      WHERE a.id = arc_application_votes.application_id
+      AND a.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- bill_comments (join-based)
+DROP POLICY IF EXISTS "Users can view own association bill comments" ON public.bill_comments;
+CREATE POLICY "Users can view own association bill comments"
+  ON public.bill_comments FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.bills b
+      WHERE b.id = bill_comments.bill_id
+      AND b.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- board_vote_responses (join-based)
+DROP POLICY IF EXISTS "Users can view own association vote responses" ON public.board_vote_responses;
+CREATE POLICY "Users can view own association vote responses"
+  ON public.board_vote_responses FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.board_votes bv
+      WHERE bv.id = board_vote_responses.board_vote_id
+      AND bv.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- project_comments (join-based)
+DROP POLICY IF EXISTS "Users can view own association project comments" ON public.project_comments;
+CREATE POLICY "Users can view own association project comments"
+  ON public.project_comments FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.projects p
+      WHERE p.id = project_comments.project_id
+      AND p.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- project_files (join-based)
+DROP POLICY IF EXISTS "Users can view own association project files" ON public.project_files;
+CREATE POLICY "Users can view own association project files"
+  ON public.project_files FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR EXISTS (
+      SELECT 1 FROM public.projects p
+      WHERE p.id = project_files.project_id
+      AND p.association_id IN (SELECT get_user_association_ids())
+    )
+  );
+
+-- bank_accounts - also needs staff bypass (was overly restricted)
+DROP POLICY IF EXISTS "Staff full access on own association bank_accounts" ON public.bank_accounts;
+CREATE POLICY "Staff full access on bank_accounts"
+  ON public.bank_accounts FOR ALL TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+  )
+  WITH CHECK (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+  );
+
+-- chart_of_accounts - was already USING(true), check if it needs fixing
+DROP POLICY IF EXISTS "Authenticated users can view chart_of_accounts" ON public.chart_of_accounts;
+CREATE POLICY "Users can view chart of accounts"
+  ON public.chart_of_accounts FOR SELECT TO authenticated
+  USING (
+    has_role(auth.uid(), 'admin'::app_role)
+    OR has_role(auth.uid(), 'manager'::app_role)
+    OR association_id IN (SELECT get_user_association_ids())
+    OR association_id IS NULL
+  );