From 830c99a3ff132cc51fd41a51e6f66cfb28c6d2ab Mon Sep 17 00:00:00 2001
From: Marc Rejohn Castillano
Date: Sun, 1 Mar 2026 18:51:53 +0800
Subject: [PATCH] Migrations
---
...180000_add_cancelled_status_and_reason.sql | 24 ++++++++++
...ask_activity_logs_rls_and_cancelled_at.sql | 46 +++++++++++++++++++
...sk_activity_logs_authenticated_inserts.sql | 36 +++++++++++++++
...28191000_fix_task_activity_logs_policy.sql | 15 ++++++
..._task_activity_logs_policy_insert_only.sql | 10 ++++
...0_allow_anon_insert_task_activity_logs.sql | 13 ++++++
...uthenticated_select_task_activity_logs.sql | 16 +++++++
7 files changed, 160 insertions(+)
create mode 100644 supabase/migrations/20260228180000_add_cancelled_status_and_reason.sql
create mode 100644 supabase/migrations/20260228183000_task_activity_logs_rls_and_cancelled_at.sql
create mode 100644 supabase/migrations/20260228190000_allow_task_activity_logs_authenticated_inserts.sql
create mode 100644 supabase/migrations/20260228191000_fix_task_activity_logs_policy.sql
create mode 100644 supabase/migrations/20260228192000_fix_task_activity_logs_policy_insert_only.sql
create mode 100644 supabase/migrations/20260228194000_allow_anon_insert_task_activity_logs.sql
create mode 100644 supabase/migrations/20260228195000_allow_authenticated_select_task_activity_logs.sql
diff --git a/supabase/migrations/20260228180000_add_cancelled_status_and_reason.sql b/supabase/migrations/20260228180000_add_cancelled_status_and_reason.sql
new file mode 100644
index 00000000..b64cde48
--- /dev/null
+++ b/supabase/migrations/20260228180000_add_cancelled_status_and_reason.sql
@@ -0,0 +1,24 @@
+-- Add 'cancelled' to task_status enum (if it exists) and add cancellation_reason column
+DO $$
+BEGIN
+ -- Add enum value if task_status enum exists
+ IF EXISTS (SELECT 1 FROM pg_type WHERE typname = 'task_status') THEN
+ IF NOT EXISTS (
+ SELECT 1
+ FROM pg_enum
+ JOIN pg_type ON pg_enum.enumtypid = pg_type.oid
+ WHERE pg_type.typname = 'task_status' AND pg_enum.enumlabel = 'cancelled'
+ ) THEN
+ ALTER TYPE task_status ADD VALUE 'cancelled';
+ END IF;
+ END IF;
+
+ -- Add cancellation_reason column if it doesn't exist
+ IF NOT EXISTS (
+ SELECT 1 FROM information_schema.columns
+ WHERE table_name='tasks' AND column_name='cancellation_reason'
+ ) THEN
+ ALTER TABLE public.tasks ADD COLUMN cancellation_reason text;
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228183000_task_activity_logs_rls_and_cancelled_at.sql b/supabase/migrations/20260228183000_task_activity_logs_rls_and_cancelled_at.sql
new file mode 100644
index 00000000..6a4159b7
--- /dev/null
+++ b/supabase/migrations/20260228183000_task_activity_logs_rls_and_cancelled_at.sql
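Review bot: The column check in 20260228180000 filters only on `table_name='tasks' AND column_name='cancellation_reason'`, with no `table_schema`, while the `ALTER TABLE` targets `public.tasks`; a `tasks` table in any other schema that already has the column makes this migration skip the change without an error. `ALTER TABLE public.tasks ADD COLUMN IF NOT EXISTS cancellation_reason text;` needs no catalog probe, and inside the existing type guard `ALTER TYPE task_status ADD VALUE IF NOT EXISTS 'cancelled';` replaces the `pg_enum` join, whose `pg_type` lookup is likewise not restricted to a namespace. The `cancelled_at` check in 20260228183000 and the `information_schema.tables` guards in the task_activity_logs migrations omit the schema filter in the same way.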
@@ -0,0 +1,46 @@
+-- Enable RLS on task_activity_logs and allow authenticated inserts
+-- Also add cancelled_at column to tasks table if missing
+
+-- Enable RLS for task_activity_logs (idempotent)
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ EXECUTE 'ALTER TABLE public.task_activity_logs ENABLE ROW LEVEL SECURITY';
+ END IF;
+EXCEPTION WHEN others THEN
+ -- ignore
+END
+$$;
+
+-- Create a permissive INSERT policy for authenticated users (idempotent)
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ IF NOT EXISTS (
+ SELECT 1 FROM pg_policies WHERE polname = 'allow_authenticated_inserts'
+ AND polrelid = 'public.task_activity_logs'::regclass
+ ) THEN
+ CREATE POLICY allow_authenticated_inserts
+ ON public.task_activity_logs
+ FOR INSERT
+ TO authenticated
+ USING (true)
+ WITH CHECK (true);
+ END IF;
+ END IF;
+EXCEPTION WHEN others THEN
+ -- ignore
+END
+$$;
+
+-- Add cancelled_at column to tasks if it does not exist
+DO $$
+BEGIN
+ IF NOT EXISTS (
+ SELECT 1 FROM information_schema.columns
+ WHERE table_name='tasks' AND column_name='cancelled_at'
+ ) THEN
+ ALTER TABLE public.tasks ADD COLUMN cancelled_at timestamptz;
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228190000_allow_task_activity_logs_authenticated_inserts.sql b/supabase/migrations/20260228190000_allow_task_activity_logs_authenticated_inserts.sql
new file mode 100644
index 00000000..e65d08b3
--- /dev/null
+++ b/supabase/migrations/20260228190000_allow_task_activity_logs_authenticated_inserts.sql
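Review bot: The two `EXCEPTION WHEN others THEN -- ignore` handlers in 20260228183000 make the migration fail open: if `ENABLE ROW LEVEL SECURITY` or `CREATE POLICY` raises, the run still reports success and the table may be left without RLS or without the policy, unnoticed. The second handler is already hiding real errors, since `pg_policies` exposes `schemaname`/`tablename`/`policyname` (`polname` and `polrelid` are columns of the `pg_policy` catalog) and PostgreSQL accepts only `WITH CHECK` on a `FOR INSERT` policy. I would remove both handlers and look the policy up with `WHERE schemaname = 'public' AND tablename = 'task_activity_logs' AND policyname = 'allow_authenticated_inserts'`. 20260228190000 repeats the `polname`/`polrelid` lookup and, like 20260228191000, the `USING (true)` clause, but without a handler, so those files would likely abort before 20260228192000 can install the corrected policy.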
@@ -0,0 +1,36 @@
+-- Ensure authenticated users can insert into task_activity_logs
+-- Idempotent: drops and re-creates a permissive INSERT policy for `authenticated`.
+
+DO $$
+BEGIN
+ -- Ensure table exists
+ IF NOT EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ RAISE NOTICE 'table task_activity_logs does not exist; skipping policy creation';
+ RETURN;
+ END IF;
+
+ -- Enable row level security (idempotent)
+ EXECUTE 'ALTER TABLE IF EXISTS public.task_activity_logs ENABLE ROW LEVEL SECURITY';
+
+ -- Drop any existing permissive insert policy we manage
+ IF EXISTS (
+ SELECT 1 FROM pg_policies
+ WHERE polname = 'allow_auth_inserts_all'
+ AND polrelid = 'public.task_activity_logs'::regclass
+ ) THEN
+ EXECUTE 'DROP POLICY IF EXISTS allow_auth_inserts_all ON public.task_activity_logs';
+ END IF;
+
+ -- Create a permissive INSERT policy for authenticated users
+ EXECUTE 'CREATE POLICY allow_auth_inserts_all ON public.task_activity_logs FOR INSERT TO authenticated USING (true) WITH CHECK (true)';
+
+ -- Also allow the service_role for function-based inserts (optional)
+ IF NOT EXISTS (
+ SELECT 1 FROM pg_policies
+ WHERE polname = 'allow_service_role_all'
+ AND polrelid = 'public.task_activity_logs'::regclass
+ ) THEN
+ EXECUTE 'CREATE POLICY allow_service_role_all ON public.task_activity_logs FOR ALL TO authenticated USING (true) WITH CHECK (true)';
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228191000_fix_task_activity_logs_policy.sql b/supabase/migrations/20260228191000_fix_task_activity_logs_policy.sql
new file mode 100644
index 00000000..1fd2b86f
--- /dev/null
+++ b/supabase/migrations/20260228191000_fix_task_activity_logs_policy.sql
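Review bot: `allow_service_role_all` in 20260228190000 is commented as a service_role policy but is created `FOR ALL TO authenticated USING (true) WITH CHECK (true)`, which would let every signed-in user read, update and delete any row of the activity log. On Supabase the service role normally bypasses RLS, so it should need no policy at all; I would delete this statement, or at minimum change the role to `TO service_role`. Nothing later in this patch drops the policy, so if it is ever created it stays in place next to the narrower insert policy.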
@@ -0,0 +1,15 @@
+-- Recreate a permissive INSERT policy for authenticated users on task_activity_logs
+-- Idempotent: drops existing policy and recreates it.
+
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ -- enable RLS (idempotent)
+ EXECUTE 'ALTER TABLE IF EXISTS public.task_activity_logs ENABLE ROW LEVEL SECURITY';
+
+ -- drop any old policy and recreate permissive insert policy for authenticated role
+ EXECUTE 'DROP POLICY IF EXISTS allow_authenticated_inserts ON public.task_activity_logs';
+ EXECUTE 'CREATE POLICY allow_authenticated_inserts ON public.task_activity_logs FOR INSERT TO authenticated USING (true) WITH CHECK (true)';
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228192000_fix_task_activity_logs_policy_insert_only.sql b/supabase/migrations/20260228192000_fix_task_activity_logs_policy_insert_only.sql
new file mode 100644
index 00000000..a54cb039
--- /dev/null
+++ b/supabase/migrations/20260228192000_fix_task_activity_logs_policy_insert_only.sql
@@ -0,0 +1,10 @@
+-- Fix INSERT policy for task_activity_logs: WITH CHECK only for INSERT
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ EXECUTE 'ALTER TABLE IF EXISTS public.task_activity_logs ENABLE ROW LEVEL SECURITY';
+ EXECUTE 'DROP POLICY IF EXISTS allow_authenticated_inserts ON public.task_activity_logs';
+ EXECUTE 'CREATE POLICY allow_authenticated_inserts ON public.task_activity_logs FOR INSERT TO authenticated WITH CHECK (true)';
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228194000_allow_anon_insert_task_activity_logs.sql b/supabase/migrations/20260228194000_allow_anon_insert_task_activity_logs.sql
new file mode 100644
index 00000000..f5b39c49
--- /dev/null
+++ b/supabase/migrations/20260228194000_allow_anon_insert_task_activity_logs.sql
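Review bot: `WITH CHECK (true)` on `allow_authenticated_inserts` in 20260228192000 places no constraint on the inserted row, so any signed-in user can write activity-log entries for any task and under any actor, which weakens the log as an audit record. If the table records who performed the action (its columns are not visible in this patch), tie the check to the caller, e.g. `WITH CHECK (<actor_column> = auth.uid())` with the real column name substituted. A comment above the policy stating which rows a user is meant to be able to insert would also help the next reviewer.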
@@ -0,0 +1,13 @@
+-- Add permissive INSERT policy for anon (idempotent).
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ -- create policy only if it doesn't already exist
+ IF NOT EXISTS (
+ SELECT 1 FROM pg_policies WHERE tablename = 'task_activity_logs' AND policyname = 'allow_anon_insert'
+ ) THEN
+ EXECUTE 'CREATE POLICY allow_anon_insert ON public.task_activity_logs FOR INSERT TO anon WITH CHECK (true)';
+ END IF;
+ END IF;
+END
+$$;
diff --git a/supabase/migrations/20260228195000_allow_authenticated_select_task_activity_logs.sql b/supabase/migrations/20260228195000_allow_authenticated_select_task_activity_logs.sql
new file mode 100644
index 00000000..90783a42
--- /dev/null
+++ b/supabase/migrations/20260228195000_allow_authenticated_select_task_activity_logs.sql
@@ -0,0 +1,16 @@
+-- Allow authenticated users to SELECT from task_activity_logs
+DO $$
+BEGIN
+ IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name='task_activity_logs') THEN
+ -- enable RLS (idempotent)
+ EXECUTE 'ALTER TABLE IF EXISTS public.task_activity_logs ENABLE ROW LEVEL SECURITY';
+
+ -- create SELECT policy for authenticated if not exists
+ IF NOT EXISTS (
+ SELECT 1 FROM pg_policies WHERE tablename = 'task_activity_logs' AND policyname = 'allow_authenticated_select'
+ ) THEN
+ EXECUTE 'CREATE POLICY allow_authenticated_select ON public.task_activity_logs FOR SELECT TO authenticated USING (true)';
+ END IF;
+ END IF;
+END
+$$;
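Review bot: `allow_anon_insert` in 20260228194000 grants INSERT to the `anon` role with `WITH CHECK (true)`, so, assuming the usual table grants, any unauthenticated API caller can append arbitrary rows to the activity log, which permits forged entries and unbounded growth. If an unauthenticated flow really has to record activity, a server-side path (a `SECURITY DEFINER` function that validates its arguments, or the service role) keeps the table closed to `anon`. This file is also the only policy migration in the patch that does not run `ENABLE ROW LEVEL SECURITY`, and its `pg_policies` lookup omits `schemaname = 'public'`.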
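Review bot: `allow_authenticated_select` in 20260228195000 uses `USING (true)`, so every signed-in user can read the complete activity log of every task, not only the tasks they are involved in. Unless the log is meant to be globally readable, the predicate should restrict rows to tasks the caller can access, for example an `EXISTS` subquery against `public.tasks` on its ownership or membership column (not visible in this patch). If global read is intended, state that in the header comment so the policy is not mistaken for an oversight.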