-- AtlasOS - Calypso
-- Add Backup Permissions
-- Version: 10.0

-- Insert backup permissions
INSERT INTO permissions (name, resource, action, description) VALUES
    ('backup:read', 'backup', 'read', 'View backup jobs and history'),
    ('backup:write', 'backup', 'write', 'Create and manage backup jobs'),
    ('backup:manage', 'backup', 'manage', 'Full backup management')
ON CONFLICT (name) DO NOTHING;

-- Assign backup permissions to roles

-- Admin gets all backup permissions (explicitly assign since admin query in 001 only runs once)
INSERT INTO role_permissions (role_id, permission_id)
SELECT r.id, p.id
FROM roles r, permissions p
WHERE r.name = 'admin'
  AND p.resource = 'backup'
ON CONFLICT DO NOTHING;

-- Operator gets read and write permissions for backup
INSERT INTO role_permissions (role_id, permission_id)
SELECT r.id, p.id
FROM roles r, permissions p
WHERE r.name = 'operator'
  AND p.resource = 'backup'
  AND p.action IN ('read', 'write')
ON CONFLICT DO NOTHING;

-- ReadOnly gets only read permission for backup
INSERT INTO role_permissions (role_id, permission_id)
SELECT r.id, p.id
FROM roles r, permissions p
WHERE r.name = 'readonly'
  AND p.resource = 'backup'
  AND p.action = 'read'
ON CONFLICT DO NOTHING;