-- =========================================================
-- Migration 015: IT-Security Training Modules
-- =========================================================
-- 8 neue IT-Security Micro-/Annual-Trainingsmodule
-- fuer Breakpilot-Tenant
-- =========================================================

DO $$
DECLARE
    bp_id UUID := '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e';
    b_sec_pwd   UUID;
    b_sec_desk  UUID;
    b_sec_kiai  UUID;
    b_sec_byod  UUID;
    b_sec_video UUID;
    b_sec_usb   UUID;
    b_sec_inc   UUID;
    b_sec_home  UUID;
BEGIN
    -- Skip if already exists
    IF EXISTS (SELECT 1 FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-PWD' LIMIT 1) THEN
        RAISE NOTICE 'IT-Security modules already exist for Breakpilot tenant, skipping';
        RETURN;
    END IF;

    -- Insert 8 IT-Security modules
    INSERT INTO training_modules (id, tenant_id, module_code, title, description, regulation_area, nis2_relevant, frequency_type, validity_days, risk_weight, duration_minutes, pass_threshold, sort_order)
    VALUES
        (gen_random_uuid(), bp_id, 'SEC-PWD',   'Passwortsicherheit & MFA',            'Sichere Passwoerter, Multi-Faktor-Authentifizierung, Passwort-Manager',              'iso27001', false, 'micro',  180, 1.5, 10, 70, 21),
        (gen_random_uuid(), bp_id, 'SEC-DESK',  'Sichere Datenablage & Clean Desk',    'Clean-Desk-Policy, sichere Ablage, Bildschirmsperre, Dokumentenvernichtung',         'iso27001', false, 'micro',  180, 1.5, 10, 70, 22),
        (gen_random_uuid(), bp_id, 'SEC-KIAI',  'Personenbezogene Daten in KI-Tools',  'DSGVO-konforme Nutzung von KI, ChatGPT und Co., Datenweitergabe-Risiken',            'dsgvo',    false, 'annual', 365, 2.5, 30, 70, 23),
        (gen_random_uuid(), bp_id, 'SEC-BYOD',  'BYOD & Mobile Security',              'Bring Your Own Device, Mobile Device Management, Geraetetrennung',                   'iso27001', false, 'annual', 365, 2.0, 15, 70, 24),
        (gen_random_uuid(), bp_id, 'SEC-VIDEO', 'Sichere Videokonferenzen',             'Datenschutz in Videokonferenzen, Screensharing-Risiken, Aufzeichnungsregeln',        'iso27001', false, 'micro',  180, 1.5, 10, 70, 25),
        (gen_random_uuid(), bp_id, 'SEC-USB',   'USB & Externe Medien',                 'Risiken externer Datentraeger, USB-Richtlinien, Verschluesselung',                   'iso27001', false, 'micro',  180, 1.5, 10, 70, 26),
        (gen_random_uuid(), bp_id, 'SEC-INC',   'Sicherheitsvorfall melden',            'Erkennung von Sicherheitsvorfaellen, Meldewege, Sofortmassnahmen, Dokumentation',    'iso27001', true,  'micro',  180, 1.5, 10, 70, 27),
        (gen_random_uuid(), bp_id, 'SEC-HOME',  'Homeoffice-Sicherheit',                'Sicheres Arbeiten von zuhause, VPN, WLAN-Sicherheit, physische Sicherheit',          'iso27001', false, 'annual', 365, 2.0, 15, 70, 28);

    -- Lookup module IDs
    SELECT id INTO b_sec_pwd   FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-PWD';
    SELECT id INTO b_sec_desk  FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-DESK';
    SELECT id INTO b_sec_kiai  FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-KIAI';
    SELECT id INTO b_sec_byod  FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-BYOD';
    SELECT id INTO b_sec_video FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-VIDEO';
    SELECT id INTO b_sec_usb   FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-USB';
    SELECT id INTO b_sec_inc   FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-INC';
    SELECT id INTO b_sec_home  FROM training_modules WHERE tenant_id = bp_id AND module_code = 'SEC-HOME';

    -- CTM: R2 IT-Leitung
    INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
        (bp_id, 'R2', b_sec_byod,  true, 3),
        (bp_id, 'R2', b_sec_usb,   true, 3),
        (bp_id, 'R2', b_sec_inc,   true, 2);

    -- CTM: R3 DSB
    INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
        (bp_id, 'R3', b_sec_kiai, true, 2);

    -- CTM: R7 Fachabteilung
    INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
        (bp_id, 'R7', b_sec_pwd,  true, 3),
        (bp_id, 'R7', b_sec_kiai, true, 3),
        (bp_id, 'R7', b_sec_inc,  true, 2);

    -- CTM: R8 IT-Admin
    INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
        (bp_id, 'R8', b_sec_pwd,  true, 3),
        (bp_id, 'R8', b_sec_byod, true, 3),
        (bp_id, 'R8', b_sec_usb,  true, 3),
        (bp_id, 'R8', b_sec_inc,  true, 2),
        (bp_id, 'R8', b_sec_home, true, 3);

    -- CTM: R9 Alle Mitarbeiter
    INSERT INTO training_matrix (tenant_id, role_code, module_id, is_mandatory, priority) VALUES
        (bp_id, 'R9', b_sec_pwd,   true,  3),
        (bp_id, 'R9', b_sec_desk,  true,  3),
        (bp_id, 'R9', b_sec_kiai,  true,  3),
        (bp_id, 'R9', b_sec_byod,  true,  3),
        (bp_id, 'R9', b_sec_video, false, 5),
        (bp_id, 'R9', b_sec_usb,   true,  3),
        (bp_id, 'R9', b_sec_inc,   true,  2),
        (bp_id, 'R9', b_sec_home,  true,  3);

    RAISE NOTICE 'IT-Security modules inserted for Breakpilot tenant';
END $$;