CREATE TABLE public.zoho_reporting_tag_mappings (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  association_id uuid NOT NULL REFERENCES public.associations(id) ON DELETE CASCADE,
  zoho_tag_id text NOT NULL,
  zoho_tag_option_id text NOT NULL,
  zoho_tag_name text,
  zoho_option_name text,
  created_at timestamptz NOT NULL DEFAULT now(),
  updated_at timestamptz NOT NULL DEFAULT now(),
  UNIQUE(association_id, zoho_tag_id)
);

ALTER TABLE public.zoho_reporting_tag_mappings ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Staff full access on zoho_reporting_tag_mappings"
  ON public.zoho_reporting_tag_mappings
  FOR ALL
  TO authenticated
  USING (has_role(auth.uid(), 'admin'::app_role) OR has_role(auth.uid(), 'manager'::app_role))
  WITH CHECK (has_role(auth.uid(), 'admin'::app_role) OR has_role(auth.uid(), 'manager'::app_role));