-- Migration 024: DSFA — Datenschutz-Folgenabschaetzung (Art. 35 DSGVO)

CREATE TABLE IF NOT EXISTS compliance_dsfas (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id VARCHAR(255) NOT NULL,
    title VARCHAR(500) NOT NULL,
    description TEXT DEFAULT '',
    status VARCHAR(50) NOT NULL DEFAULT 'draft',
    risk_level VARCHAR(50) NOT NULL DEFAULT 'low',
    processing_activity VARCHAR(500) DEFAULT '',
    data_categories JSONB DEFAULT '[]',
    recipients JSONB DEFAULT '[]',
    measures JSONB DEFAULT '[]',
    approved_by VARCHAR(255),
    approved_at TIMESTAMPTZ,
    created_by VARCHAR(255) DEFAULT 'system',
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX IF NOT EXISTS idx_dsfas_tenant ON compliance_dsfas(tenant_id);
CREATE INDEX IF NOT EXISTS idx_dsfas_status ON compliance_dsfas(status);

CREATE TABLE IF NOT EXISTS compliance_dsfa_audit_log (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id VARCHAR(255),
    dsfa_id UUID REFERENCES compliance_dsfas(id) ON DELETE SET NULL,
    action VARCHAR(50) NOT NULL,
    changed_by VARCHAR(255) DEFAULT 'system',
    old_values JSONB,
    new_values JSONB,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);