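-- Relax RLS on test_data_registry so that management operations (INSERT/UPDATE/DELETE)
-- do not require MFA, while viewing (SELECT) keeps the MFA gate.
--
-- Why the management side is three command-specific policies instead of one
-- FOR ALL policy: in PostgreSQL, FOR ALL covers SELECT as well, and permissive
-- policies on the same table are combined with OR. A FOR ALL policy whose USING
-- clause is just is_moderator(auth.uid()) would therefore let any moderator read
-- the table without MFA, turning the SELECT policy below into dead code.
-- Separate INSERT/UPDATE/DELETE policies keep the two gates independent.

-- Drop ALL existing policies on test_data_registry.
-- The per-command names created below are dropped too, so this migration can be
-- re-run without "policy already exists" errors.
DROP POLICY IF EXISTS "Moderators can manage test data registry" ON test_data_registry;
DROP POLICY IF EXISTS "Moderators can view test data registry" ON test_data_registry;
DROP POLICY IF EXISTS "Moderators can insert test data registry" ON test_data_registry;
DROP POLICY IF EXISTS "Moderators can update test data registry" ON test_data_registry;
DROP POLICY IF EXISTS "Moderators can delete test data registry" ON test_data_registry;

-- Keep MFA requirement for viewing (sensitive operation tracking).
-- A moderator with no verified MFA factor enrolled is not blocked; a moderator
-- who has a verified factor must additionally satisfy has_aal2().
-- NOTE(review): the NOT EXISTS subquery runs with the caller's privileges;
-- confirm the authenticated role can read auth.mfa_factors, otherwise SELECT
-- on this table errors rather than being gated.
CREATE POLICY "Moderators can view test data registry"
    ON test_data_registry
    FOR SELECT
    TO authenticated
    USING (
        is_moderator(auth.uid())
        AND (
            NOT EXISTS (
                SELECT 1
                FROM auth.mfa_factors
                WHERE user_id = auth.uid()
                  AND status = 'verified'
            )
            OR has_aal2()
        )
    );

-- Allow moderators to insert/update/delete without MFA requirement.
-- Test data cleanup is a low-risk development operation.

-- INSERT policies take only WITH CHECK (there are no existing rows to filter).
CREATE POLICY "Moderators can insert test data registry"
    ON test_data_registry
    FOR INSERT
    TO authenticated
    WITH CHECK (is_moderator(auth.uid()));

-- UPDATE: USING picks which existing rows may be targeted, WITH CHECK constrains
-- the new row values. An UPDATE ... RETURNING additionally has to pass the
-- SELECT policy above, so it cannot be used to read rows around the MFA gate.
CREATE POLICY "Moderators can update test data registry"
    ON test_data_registry
    FOR UPDATE
    TO authenticated
    USING (is_moderator(auth.uid()))
    WITH CHECK (is_moderator(auth.uid()));

-- DELETE policies take only USING.
CREATE POLICY "Moderators can delete test data registry"
    ON test_data_registry
    FOR DELETE
    TO authenticated
    USING (is_moderator(auth.uid()));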