-- Relax the SELECT policy on public.admin_audit_log: reading the log no
-- longer requires an AAL2 (MFA step-up) session, only the moderator role.
-- Writes keep the AAL2 requirement (documented on the insert policy below).
--
-- NOTE(review): the read path now rests on "valid authenticated session +
-- is_moderator()" alone, so session-level compromise of a moderator account
-- exposes the log contents without the MFA step-up. Policies only apply
-- when ROW LEVEL SECURITY is enabled on the table — confirm that is the case.
-- NOTE(review): is_moderator() runs inside the RLS check for every read;
-- verify it is STABLE, SECURITY DEFINER with a pinned search_path, and not
-- overridable by the caller.

DROP POLICY IF EXISTS "Admins can view audit log"
    ON public.admin_audit_log;

CREATE POLICY "Admins can view audit log"
    ON public.admin_audit_log
    FOR SELECT
    TO authenticated
    USING (is_moderator(auth.uid()));

COMMENT ON POLICY "Admins can view audit log"
    ON public.admin_audit_log
    IS 'Allows moderators to view audit logs without AAL2 since this is a read-only operation';

-- The insert policy is not recreated here; this statement only documents it.
-- COMMENT ON fails if the named policy does not exist, so the policy must
-- already be present on the table when this migration runs.
COMMENT ON POLICY "Admins can insert audit log with MFA"
    ON public.admin_audit_log
    IS 'Requires AAL2 (MFA step-up) for inserting audit logs to ensure high security for write operations';