-- Migration 111: Organizational Compliance Roles + Document Review Workflow
-- Creates tables for:
--   1. compliance_org_roles — role assignments per project (DSB, GF, IT-Leiter, etc.)
--   2. compliance_document_reviews — review tracking for generated documents
--   3. compliance_document_role_mapping — which roles review which document types

BEGIN;

-- =============================================================================
-- Table 1: Organizational Compliance Roles
-- =============================================================================

CREATE TABLE IF NOT EXISTS compliance_org_roles (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    project_id UUID,
    role_key VARCHAR(50) NOT NULL,
    role_label VARCHAR(200) NOT NULL,
    person_name VARCHAR(300),
    person_email VARCHAR(300),
    department VARCHAR(200),
    is_active BOOLEAN NOT NULL DEFAULT TRUE,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    UNIQUE(tenant_id, project_id, role_key)
);

CREATE INDEX IF NOT EXISTS idx_org_roles_tenant ON compliance_org_roles(tenant_id);
CREATE INDEX IF NOT EXISTS idx_org_roles_project ON compliance_org_roles(tenant_id, project_id);

-- =============================================================================
-- Table 2: Document Reviews
-- =============================================================================

CREATE TABLE IF NOT EXISTS compliance_document_reviews (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    project_id UUID,
    document_type VARCHAR(100) NOT NULL,
    document_title VARCHAR(500) NOT NULL,
    document_content_hash VARCHAR(64),
    reviewer_role_key VARCHAR(50) NOT NULL,
    reviewer_name VARCHAR(300),
    reviewer_email VARCHAR(300),
    status VARCHAR(20) NOT NULL DEFAULT 'pending'
        CHECK (status IN ('pending', 'in_review', 'approved', 'rejected')),
    submitted_at TIMESTAMPTZ,
    submitted_by VARCHAR(200),
    reviewed_at TIMESTAMPTZ,
    review_comment TEXT,
    review_link TEXT,
    email_sent BOOLEAN NOT NULL DEFAULT FALSE,
    email_sent_at TIMESTAMPTZ,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX IF NOT EXISTS idx_doc_reviews_tenant ON compliance_document_reviews(tenant_id);
CREATE INDEX IF NOT EXISTS idx_doc_reviews_status ON compliance_document_reviews(tenant_id, status);
CREATE INDEX IF NOT EXISTS idx_doc_reviews_doctype ON compliance_document_reviews(document_type);

-- =============================================================================
-- Table 3: Document-to-Role Mapping (seed defaults)
-- =============================================================================

CREATE TABLE IF NOT EXISTS compliance_document_role_mapping (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    document_type VARCHAR(100) NOT NULL,
    role_key VARCHAR(50) NOT NULL,
    is_primary BOOLEAN NOT NULL DEFAULT TRUE,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    UNIQUE(tenant_id, document_type, role_key)
);

CREATE INDEX IF NOT EXISTS idx_role_mapping_tenant ON compliance_document_role_mapping(tenant_id);

-- =============================================================================
-- Seed: Default document-to-role mapping (tenant_id = '__default__')
-- Every document type has at least one primary reviewer.
-- Tenants get a copy on first use; editable per tenant.
-- =============================================================================

-- DSB — Datenschutzbeauftragter
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'privacy_policy', 'dsb'), ('__default__', 'vvt_register', 'dsb'),
('__default__', 'tom_documentation', 'dsb'), ('__default__', 'dsfa', 'dsb'),
('__default__', 'loeschkonzept', 'dsb'), ('__default__', 'dpa', 'dsb'),
('__default__', 'pflichtenregister', 'dsb'), ('__default__', 'data_protection_concept', 'dsb'),
('__default__', 'data_protection_policy', 'dsb'), ('__default__', 'data_retention_policy', 'dsb'),
('__default__', 'data_transfer_policy', 'dsb'), ('__default__', 'data_classification_policy', 'dsb'),
('__default__', 'privacy_incident_policy', 'dsb'), ('__default__', 'informationspflichten', 'dsb'),
('__default__', 'verpflichtungserklaerung', 'dsb'), ('__default__', 'consent_texts', 'dsb'),
('__default__', 'dsr_process_art15', 'dsb'), ('__default__', 'dsr_process_art16', 'dsb'),
('__default__', 'dsr_process_art17', 'dsb'), ('__default__', 'dsr_process_art18', 'dsb'),
('__default__', 'dsr_process_art19', 'dsb'), ('__default__', 'dsr_process_art20', 'dsb'),
('__default__', 'dsr_process_art21', 'dsb')
ON CONFLICT DO NOTHING;

-- GF — Geschaeftsfuehrung
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'agb', 'gf'), ('__default__', 'terms_of_use', 'gf'),
('__default__', 'nda', 'gf'), ('__default__', 'sla', 'gf'),
('__default__', 'impressum', 'gf'), ('__default__', 'widerruf', 'gf'),
('__default__', 'whistleblower_policy', 'gf'),
('__default__', 'cloud_service_agreement', 'gf'),
('__default__', 'standard_operating_procedure', 'gf'),
('__default__', 'data_usage_clause', 'gf')
ON CONFLICT DO NOTHING;

-- IT-Leiter / CISO
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'it_security_concept', 'it_leiter'),
('__default__', 'isms_manual', 'it_leiter'),
('__default__', 'backup_recovery_concept', 'it_leiter'),
('__default__', 'logging_concept', 'it_leiter'),
('__default__', 'incident_response_plan', 'it_leiter'),
('__default__', 'access_control_concept', 'it_leiter'),
('__default__', 'risk_management_concept', 'it_leiter'),
('__default__', 'information_security_policy', 'it_leiter'),
('__default__', 'access_control_policy', 'it_leiter'),
('__default__', 'password_policy', 'it_leiter'),
('__default__', 'encryption_policy', 'it_leiter'),
('__default__', 'logging_policy', 'it_leiter'),
('__default__', 'backup_policy', 'it_leiter'),
('__default__', 'incident_response_policy', 'it_leiter'),
('__default__', 'change_management_policy', 'it_leiter'),
('__default__', 'patch_management_policy', 'it_leiter'),
('__default__', 'asset_management_policy', 'it_leiter'),
('__default__', 'cloud_security_policy', 'it_leiter'),
('__default__', 'devsecops_policy', 'it_leiter'),
('__default__', 'secrets_management_policy', 'it_leiter'),
('__default__', 'vulnerability_management_policy', 'it_leiter'),
('__default__', 'cybersecurity_policy', 'it_leiter'),
('__default__', 'business_continuity_policy', 'it_leiter'),
('__default__', 'disaster_recovery_policy', 'it_leiter'),
('__default__', 'crisis_management_policy', 'it_leiter')
ON CONFLICT DO NOTHING;

-- HR-Leitung
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'employee_dsi', 'hr_leitung'),
('__default__', 'applicant_dsi', 'hr_leitung'),
('__default__', 'employee_security_policy', 'hr_leitung'),
('__default__', 'security_awareness_policy', 'hr_leitung'),
('__default__', 'remote_work_policy', 'hr_leitung'),
('__default__', 'offboarding_policy', 'hr_leitung'),
('__default__', 'byod_policy', 'hr_leitung')
ON CONFLICT DO NOTHING;

-- Marketing-Leitung
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'cookie_banner', 'marketing_leitung'),
('__default__', 'cookie_policy', 'marketing_leitung'),
('__default__', 'social_media_dsi', 'marketing_leitung'),
('__default__', 'community_guidelines', 'marketing_leitung'),
('__default__', 'acceptable_use', 'marketing_leitung'),
('__default__', 'media_content_policy', 'marketing_leitung'),
('__default__', 'copyright_policy', 'marketing_leitung'),
('__default__', 'video_conference_dsi', 'marketing_leitung')
ON CONFLICT DO NOTHING;

-- Compliance-Beauftragter
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'ai_usage_policy', 'compliance_beauftragter')
ON CONFLICT DO NOTHING;

-- Einkauf / Vendor Management
INSERT INTO compliance_document_role_mapping (tenant_id, document_type, role_key) VALUES
('__default__', 'vendor_risk_management_policy', 'einkauf'),
('__default__', 'third_party_security_policy', 'einkauf'),
('__default__', 'supplier_security_policy', 'einkauf'),
('__default__', 'transfer_impact_assessment', 'einkauf'),
('__default__', 'scc_companion', 'einkauf')
ON CONFLICT DO NOTHING;

COMMIT;