From 2e632caea35739689f7fbd81cf2fb93eae81486c Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Sun, 2 Nov 2025 02:43:09 +0000
Subject: [PATCH] Fix audit log RLS policy
---
 ...24255_bf859683-9b2a-4761-b4b7-78283b764ea2.sql | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 supabase/migrations/20251102024255_bf859683-9b2a-4761-b4b7-78283b764ea2.sql
diff --git a/supabase/migrations/20251102024255_bf859683-9b2a-4761-b4b7-78283b764ea2.sql b/supabase/migrations/20251102024255_bf859683-9b2a-4761-b4b7-78283b764ea2.sql
new file mode 100644
index 00000000..0423216a
--- /dev/null
+++ b/supabase/migrations/20251102024255_bf859683-9b2a-4761-b4b7-78283b764ea2.sql
@@ -0,0 +1,15 @@
+-- Relax admin_audit_log SELECT policy to not require AAL2
+-- This allows admins to view audit logs without constant MFA step-up
+-- Write operations still require AAL2 for security
+
+-- Drop the existing SELECT policy
+DROP POLICY IF EXISTS "Admins can view audit log" ON public.admin_audit_log;
+
+-- Create new SELECT policy without AAL2 requirement for reads
+CREATE POLICY "Admins can view audit log"
+ON public.admin_audit_log
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid())
+);
\ No newline at end of file
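Review bot: The `USING` clause gates reads on `is_moderator(auth.uid())` while the policy name and the header comment both say "admins"; the function's definition is not in this patch, but if it also returns true for non-admin moderators, this migration widens audit-log read access to that role on top of dropping the AAL2 requirement. Audit rows typically hold actor and target identifiers, so a single-factor session for any account passing that check can now read them; confirm that is the intended audience, and if it is not, use the project's admin-only check in the `USING` clause instead. Either way the header should state the actual gate, e.g. `-- Readable at AAL1 by any account for which is_moderator() is true; writes stay AAL2-gated by separate policies`. The statement that writes still require AAL2 cannot be checked from this file, so it is worth verifying against the existing write policies on `public.admin_audit_log`.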