-- Migration: relax the SELECT policy on public.admin_audit_log so that reading
-- the audit log no longer requires an AAL2 (MFA-verified) session.
--
-- Intent, per the original migration note: admins can view audit logs without
-- a constant MFA step-up, while write operations still require AAL2. The write
-- policies are not defined in this file, so that part cannot be checked here.
--
-- NOTE(review): the policy is named "Admins can view audit log" but the row
-- filter is is_moderator(auth.uid()). Confirm that is_moderator() does not
-- admit a wider set of users than the admins this log is meant for.
-- NOTE(review): after this change an AAL1 session (no second factor) that
-- passes is_moderator() can read every audit row. Confirm the log holds
-- nothing that should stay behind MFA.

-- Remove the current SELECT policy. IF EXISTS keeps the migration re-runnable.
-- NOTE(review): if row level security is enabled on the table, reads are
-- denied (not opened) while no SELECT policy exists. Confirm RLS is enabled.
DROP POLICY IF EXISTS "Admins can view audit log"
    ON public.admin_audit_log;

-- Recreate the SELECT policy with no AAL2 condition in the row filter.
CREATE POLICY "Admins can view audit log"
    ON public.admin_audit_log
    FOR SELECT
    TO authenticated
    USING (
        -- The only remaining condition: the calling user must pass is_moderator().
        is_moderator(auth.uid())
    );