-- Add UPDATE policy for rate_limit_alerts to allow moderators to resolve alerts
CREATE POLICY "Moderators can resolve rate limit alerts"
ON public.rate_limit_alerts
FOR UPDATE
TO authenticated
USING (
  EXISTS (
    SELECT 1 FROM public.user_roles
    WHERE user_id = auth.uid()
    AND role IN ('admin', 'moderator', 'superuser')
  )
)
WITH CHECK (
  -- Only allow updating resolved_at field
  resolved_at IS NOT NULL
);

-- Update system_alerts policy to allow moderators to resolve alerts
DROP POLICY IF EXISTS "Admins can manage system alerts" ON public.system_alerts;

CREATE POLICY "Staff can manage system alerts"
ON public.system_alerts
FOR UPDATE
TO authenticated
USING (
  EXISTS (
    SELECT 1 FROM public.user_roles
    WHERE user_id = auth.uid()
    AND role IN ('admin', 'superuser', 'moderator')
  )
)
WITH CHECK (
  EXISTS (
    SELECT 1 FROM public.user_roles
    WHERE user_id = auth.uid()
    AND role IN ('admin', 'superuser', 'moderator')
  )
);