-- 0003: least-privilege table grants (A4/W3 hardening).
-- Supabase's default privileges grant ALL on public tables to anon &
-- authenticated. RLS gates DML, but TRUNCATE bypasses RLS and unauthenticated
-- (anon) should have no direct table rights at all. Reduce to the minimum the
-- app actually needs; service_role (which bypasses RLS) keeps full access.
BEGIN;

REVOKE ALL ON public.tunnels       FROM anon, authenticated;
REVOKE ALL ON public.subscriptions FROM anon, authenticated;
REVOKE ALL ON public.usage_samples FROM anon, authenticated;
REVOKE ALL ON public.users_profile FROM anon, authenticated;

-- Authenticated users get read-only dashboard access (still gated by RLS
-- owner policies). users_profile also needs UPDATE (it has an owner policy).
GRANT SELECT          ON public.tunnels       TO authenticated;
GRANT SELECT          ON public.subscriptions TO authenticated;
GRANT SELECT, UPDATE  ON public.users_profile TO authenticated;
-- usage_samples: service_role only (no anon/authenticated access).

COMMIT;