-- Fix anon SELECT: restrict to rows matching a vote_token or access_code filter
DROP POLICY IF EXISTS "Anon can select own voter record by token" ON public.election_eligible_voters;
CREATE POLICY "Anon can select own voter record by token" ON public.election_eligible_voters
  FOR SELECT TO anon
  USING (
    vote_token::text = current_setting('request.headers', true)::json->>'x-vote-token'
    OR access_code = current_setting('request.headers', true)::json->>'x-access-code'
  );

-- Fix anon UPDATE: restrict to rows matching vote_token filter
DROP POLICY IF EXISTS "Anon can update voted status by token" ON public.election_eligible_voters;
CREATE POLICY "Anon can update voted status by token" ON public.election_eligible_voters
  FOR UPDATE TO anon
  USING (
    vote_token::text = current_setting('request.headers', true)::json->>'x-vote-token'
  )
  WITH CHECK (
    vote_token::text = current_setting('request.headers', true)::json->>'x-vote-token'
  );