-- Let management post status updates that the board portal does not show.
-- The flag defaults to false, so a row stays visible to the board unless it is
-- explicitly marked hidden.
alter table public.status_updates
    add column if not exists hidden_from_board boolean not null default false;

-- Board members read status_updates only through association membership, so
-- the association-membership SELECT policy is re-created below with an extra
-- filter on hidden_from_board. The staff roles (admin/manager/employee) keep
-- unrestricted read access through the role branches, and the separate
-- "Admins can view all status_updates" policy is left unchanged.
--
-- NOTE(review): assumes row level security is already enabled on
-- public.status_updates; that is not shown in this file.
-- NOTE(review): policies are permissive unless declared restrictive, and
-- permissive policies on one table are OR-ed together. The flag only hides a
-- row from board members if no other SELECT policy on this table matches
-- them; confirm against the full policy list.
-- NOTE(review): only the SELECT path changes here. Who may set or clear
-- hidden_from_board depends on the INSERT/UPDATE policies, which are outside
-- this file; confirm board members cannot write the column.
drop policy if exists "Authenticated users can read status updates for their associati"
    on public.status_updates;

create policy "Authenticated users can read status updates for their associati"
    on public.status_updates
    for select
    to authenticated
    using (
        -- Association members: only rows not flagged as hidden from the board.
        (
            hidden_from_board = false
            and (association_id in (select get_user_association_ids()))
        )
        -- Staff roles: every row, flagged or not, with no association filter.
        -- A user who is both an association member and staff is admitted here.
        or has_role(auth.uid(), 'admin'::app_role)
        or has_role(auth.uid(), 'manager'::app_role)
        or has_role(auth.uid(), 'employee'::app_role)
    );