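-- Hostinger Reach integration: one global API token + per-association
-- segment/sync tracking.
--
-- Re-runnable: the tables use IF NOT EXISTS, and each policy and trigger is
-- dropped before it is created, so a second run does not abort with
-- "already exists" halfway through the file.

-- Integration credentials.
-- NOTE(review): api_token is stored as cleartext. Any caller that passes the
-- admin policy below, any service-role caller, and any database backup or dump
-- can read it. If this project runs on Supabase, consider keeping the token in
-- Supabase Vault or as an edge-function secret, and exposing only "a token is
-- configured" to the client.
-- NOTE(review): the header says "one global API token", but nothing in this
-- table limits it to a single row; confirm how readers pick the row.
CREATE TABLE IF NOT EXISTS public.hostinger_reach_config (
    id         uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    api_token  text        NOT NULL,
    -- No foreign key is declared here; presumably the creating user's id -- confirm.
    created_by uuid,
    created_at timestamptz NOT NULL DEFAULT now(),
    updated_at timestamptz NOT NULL DEFAULT now()
);

-- Per-association segment and last-sync state.
-- association_id is UNIQUE, so each association has at most one row, and the
-- row is removed with its association (ON DELETE CASCADE).
-- NOTE(review): last_sync_error is free text readable by admins; whatever
-- writes it should not copy request headers or the API token into it.
CREATE TABLE IF NOT EXISTS public.hostinger_reach_segments (
    id               uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    association_id   uuid        NOT NULL UNIQUE
                                 REFERENCES public.associations(id) ON DELETE CASCADE,
    segment_uuid     text,
    segment_name     text,
    last_sync_at     timestamptz,
    last_sync_status text,
    last_sync_count  integer,
    last_sync_error  text,
    created_at       timestamptz NOT NULL DEFAULT now(),
    updated_at       timestamptz NOT NULL DEFAULT now()
);

-- With RLS enabled and no matching policy, roles that do not bypass RLS are
-- denied. Table owners and BYPASSRLS roles are not restricted by these policies.
ALTER TABLE public.hostinger_reach_config ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.hostinger_reach_segments ENABLE ROW LEVEL SECURITY;

-- Admin-only access (service role bypasses RLS for the edge functions).
-- The policies carry no TO clause, so they apply to every role; the only gate
-- is public.has_role(auth.uid(), 'admin'). has_role is defined outside this
-- file -- confirm that it returns false when auth.uid() is NULL.
-- Between DROP and CREATE the table has no policy, which denies access, so the
-- gap fails closed.
DROP POLICY IF EXISTS "Admins manage reach config" ON public.hostinger_reach_config;
CREATE POLICY "Admins manage reach config"
    ON public.hostinger_reach_config
    FOR ALL
    USING (public.has_role(auth.uid(), 'admin'::public.app_role))
    WITH CHECK (public.has_role(auth.uid(), 'admin'::public.app_role));

DROP POLICY IF EXISTS "Admins manage reach segments" ON public.hostinger_reach_segments;
CREATE POLICY "Admins manage reach segments"
    ON public.hostinger_reach_segments
    FOR ALL
    USING (public.has_role(auth.uid(), 'admin'::public.app_role))
    WITH CHECK (public.has_role(auth.uid(), 'admin'::public.app_role));

-- Run public.update_updated_at_column() before every row update on both tables.
-- The function is defined outside this file; presumably it refreshes updated_at.
DROP TRIGGER IF EXISTS set_reach_config_updated_at ON public.hostinger_reach_config;
CREATE TRIGGER set_reach_config_updated_at
    BEFORE UPDATE ON public.hostinger_reach_config
    FOR EACH ROW
    EXECUTE FUNCTION public.update_updated_at_column();

DROP TRIGGER IF EXISTS set_reach_segments_updated_at ON public.hostinger_reach_segments;
CREATE TRIGGER set_reach_segments_updated_at
    BEFORE UPDATE ON public.hostinger_reach_segments
    FOR EACH ROW
    EXECUTE FUNCTION public.update_updated_at_column();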