-- Store validation proof records for forms & letters
CREATE TABLE public.document_validation_proofs (
  id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
  document_type TEXT NOT NULL,
  document_title TEXT,
  generated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
  generated_by UUID,
  association_id UUID REFERENCES public.associations(id),
  metadata JSONB DEFAULT '{}',
  verification_hash TEXT NOT NULL,
  created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now()
);

ALTER TABLE public.document_validation_proofs ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Staff full access on document_validation_proofs"
ON public.document_validation_proofs
FOR ALL
TO authenticated
USING (public.has_role(auth.uid(), 'admin'::app_role) OR public.has_role(auth.uid(), 'manager'::app_role))
WITH CHECK (public.has_role(auth.uid(), 'admin'::app_role) OR public.has_role(auth.uid(), 'manager'::app_role));

-- Anyone can verify a proof by ID (public read for verification)
CREATE POLICY "Anyone can verify proofs"
ON public.document_validation_proofs
FOR SELECT
TO authenticated
USING (true);