erp-core-database/seeds/dev/03-roles.sql

-- ============================================================================
-- ERP GENERIC - SEED DATA: ROLES (Development)
-- ============================================================================
-- Description: Default roles and permissions for development
-- ============================================================================

-- ===========================================
-- TENANT-SPECIFIC ROLES (Demo Company)
-- ===========================================

-- Super Admin for Demo tenant
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '5e29aadd-1d9f-4280-a38b-fefe7cdece5a',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Super Administrator',
    'super_admin',
    'Full system access. Reserved for system administrators.',
    true,
    '#FF0000',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Admin
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    'fed1cfa2-8ea1-4d86-bfef-b3dcc08801c2',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Administrator',
    'admin',
    'Full access within the tenant. Can manage users, settings, and all modules.',
    true,
    '#4CAF50',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Manager
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '1a35fbf0-a282-487d-95ef-13b3f702e8d6',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Manager',
    'manager',
    'Can manage operations, approve documents, and view reports.',
    false,
    '#2196F3',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Accountant
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    'c91f1a60-bd0d-40d3-91b8-36c226ce3d29',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Accountant',
    'accountant',
    'Access to financial module: journals, invoices, payments, reports.',
    false,
    '#9C27B0',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Sales
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '493568ed-972f-472f-9ac1-236a32438936',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Sales Representative',
    'sales',
    'Access to sales module: quotations, orders, customers.',
    false,
    '#FF9800',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Purchasing
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '80515d77-fc15-4a5a-a213-7b9f869db15a',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Purchasing Agent',
    'purchasing',
    'Access to purchase module: RFQs, purchase orders, vendors.',
    false,
    '#00BCD4',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Warehouse
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '0a86a34a-7fd6-47e2-9e0c-4c547c6af9f1',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Warehouse Operator',
    'warehouse',
    'Access to inventory module: stock moves, pickings, adjustments.',
    false,
    '#795548',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- Employee (basic)
INSERT INTO auth.roles (id, tenant_id, name, code, description, is_system, color, created_at)
VALUES (
    '88e299e6-8cda-4fd1-a32f-afc2aa7b8975',
    '1c7dfbb0-19b8-4e87-a225-a74da6f26dbf',
    'Employee',
    'employee',
    'Basic access: timesheets, expenses, personal information.',
    false,
    '#607D8B',
    CURRENT_TIMESTAMP
) ON CONFLICT (id) DO NOTHING;

-- ===========================================
-- PERMISSIONS (using resource + action pattern)
-- ===========================================

INSERT INTO auth.permissions (id, resource, action, description, module, created_at)
VALUES
    -- Users
    ('26389d69-6b88-48a5-9ca9-118394d32cd6', 'users', 'read', 'View user list and details', 'auth', CURRENT_TIMESTAMP),
    ('be0f398a-7c7f-4bd0-a9b7-fd74cde7e5a0', 'users', 'create', 'Create new users', 'auth', CURRENT_TIMESTAMP),
    ('4a584c2f-0485-453c-a93d-8c6df33e18d4', 'users', 'update', 'Edit existing users', 'auth', CURRENT_TIMESTAMP),
    ('4650549e-b016-438a-bf4b-5cfcb0e9d3bb', 'users', 'delete', 'Delete users', 'auth', CURRENT_TIMESTAMP),
    -- Companies
    ('22f7d6c6-c65f-4aa4-b15c-dc6c3efd9baa', 'companies', 'read', 'View companies', 'core', CURRENT_TIMESTAMP),
    ('11b94a84-65f2-40f6-b468-748fbc56a30a', 'companies', 'create', 'Create companies', 'core', CURRENT_TIMESTAMP),
    ('3f1858a5-4381-4763-b23e-dee57e7cb3cf', 'companies', 'update', 'Edit companies', 'core', CURRENT_TIMESTAMP),
    -- Partners
    ('abc6a21a-1674-4acf-8155-3a0d5b130586', 'partners', 'read', 'View customers/vendors', 'core', CURRENT_TIMESTAMP),
    ('a52fab21-24e0-446e-820f-9288b1468a36', 'partners', 'create', 'Create partners', 'core', CURRENT_TIMESTAMP),
    ('bd453537-ba4c-4497-a982-1c923009a399', 'partners', 'update', 'Edit partners', 'core', CURRENT_TIMESTAMP),
    -- Financial - Accounting
    ('7a22be70-b5f7-446f-a9b9-8d6ba50615cc', 'journal_entries', 'read', 'View journal entries', 'financial', CURRENT_TIMESTAMP),
    ('41eb796e-952f-4e34-8811-5adc4967d8ce', 'journal_entries', 'create', 'Create journal entries', 'financial', CURRENT_TIMESTAMP),
    ('f5a77c95-f771-4854-8bc3-d1922f63deb7', 'journal_entries', 'approve', 'Approve/post journal entries', 'financial', CURRENT_TIMESTAMP),
    -- Financial - Invoices
    ('546ce323-7f80-49b1-a11f-76939d2b4289', 'invoices', 'read', 'View invoices', 'financial', CURRENT_TIMESTAMP),
    ('139b4ed3-59e7-44d7-b4d9-7a2d02529152', 'invoices', 'create', 'Create invoices', 'financial', CURRENT_TIMESTAMP),
    ('dacf3592-a892-4374-82e5-7f10603c107a', 'invoices', 'approve', 'Validate invoices', 'financial', CURRENT_TIMESTAMP),
    -- Inventory
    ('04481809-1d01-4516-afa2-dcaae8a1b331', 'products', 'read', 'View products', 'inventory', CURRENT_TIMESTAMP),
    ('3df9671e-db5a-4a22-b570-9210d3c0a2e3', 'products', 'create', 'Create products', 'inventory', CURRENT_TIMESTAMP),
    ('101f7d9f-f50f-4673-94da-d2002e65348b', 'stock_moves', 'read', 'View stock movements', 'inventory', CURRENT_TIMESTAMP),
    ('5e5de64d-68b6-46bc-9ec4-d34ca145b1cc', 'stock_moves', 'create', 'Create stock movements', 'inventory', CURRENT_TIMESTAMP),
    -- Purchase
    ('7c602d68-d1d2-4ba1-b0fd-9d7b70d3f12a', 'purchase_orders', 'read', 'View purchase orders', 'purchase', CURRENT_TIMESTAMP),
    ('38cf2a54-60db-4ba5-8a95-fd34d2cba6cf', 'purchase_orders', 'create', 'Create purchase orders', 'purchase', CURRENT_TIMESTAMP),
    ('3356eb5b-538e-4bde-a12c-3b7d35ebd657', 'purchase_orders', 'approve', 'Approve purchase orders', 'purchase', CURRENT_TIMESTAMP),
    -- Sales
    ('ffc586d2-3928-4fc7-bf72-47d52ec5e692', 'sales_orders', 'read', 'View sales orders', 'sales', CURRENT_TIMESTAMP),
    ('5d3a2eee-98e7-429f-b907-07452de3fb0e', 'sales_orders', 'create', 'Create sales orders', 'sales', CURRENT_TIMESTAMP),
    ('00481e6e-571c-475d-a4a2-81620866ff1a', 'sales_orders', 'approve', 'Confirm sales orders', 'sales', CURRENT_TIMESTAMP),
    -- Reports
    ('c699419a-e99c-4808-abd6-c6352e2eeb67', 'reports', 'read', 'View reports', 'system', CURRENT_TIMESTAMP),
    ('c648cac1-d3cc-4e9b-a84a-533f28132768', 'reports', 'export', 'Export reports', 'system', CURRENT_TIMESTAMP)
ON CONFLICT (resource, action) DO NOTHING;

-- ===========================================
-- ROLE-PERMISSION ASSIGNMENTS
-- ===========================================

-- Admin role gets all permissions
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    'fed1cfa2-8ea1-4d86-bfef-b3dcc08801c2',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
ON CONFLICT DO NOTHING;

-- Manager role (most permissions except user management)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    '1a35fbf0-a282-487d-95ef-13b3f702e8d6',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE resource NOT IN ('users')
ON CONFLICT DO NOTHING;

-- Accountant role (financial MGN-004 + read partners + reports)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    'c91f1a60-bd0d-40d3-91b8-36c226ce3d29',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE module = 'MGN-004'
   OR (resource = 'partners' AND action = 'read')
   OR (resource = 'reports')
ON CONFLICT DO NOTHING;

-- Sales role (MGN-007 + sales + partners + read invoices/products/reports)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    '493568ed-972f-472f-9ac1-236a32438936',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE module IN ('sales', 'MGN-007')
   OR (resource = 'partners')
   OR (resource = 'invoices' AND action = 'read')
   OR (resource = 'products' AND action = 'read')
   OR (resource = 'reports' AND action = 'read')
ON CONFLICT DO NOTHING;

-- Purchasing role (MGN-006 + partners + products read)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    '80515d77-fc15-4a5a-a213-7b9f869db15a',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE module = 'MGN-006'
   OR (resource = 'partners')
   OR (resource = 'products' AND action = 'read')
ON CONFLICT DO NOTHING;

-- Warehouse role (MGN-005 inventory + products)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    '0a86a34a-7fd6-47e2-9e0c-4c547c6af9f1',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE module = 'MGN-005'
ON CONFLICT DO NOTHING;

-- Employee role (basic read permissions)
INSERT INTO auth.role_permissions (role_id, permission_id, granted_at)
SELECT
    '88e299e6-8cda-4fd1-a32f-afc2aa7b8975',
    id,
    CURRENT_TIMESTAMP
FROM auth.permissions
WHERE action = 'read'
  AND resource IN ('companies', 'partners', 'products', 'reports')
ON CONFLICT DO NOTHING;

-- Output confirmation
DO $$
BEGIN
    RAISE NOTICE 'Roles seed data loaded: 8 roles, 28 permissions';
END $$;