From 0ecee43ac86237cdf52583071c14268b7774f336 Mon Sep 17 00:00:00 2001
From: Daniel Sun <optimystic@DJ-MBP-3.local>
Date: Mon, 11 May 2026 16:30:15 -0700
Subject: [PATCH] fix: enable RLS on analytics tables

---
 database/schema.sql | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/database/schema.sql b/database/schema.sql
index e6c879f..21a578b 100644
--- a/database/schema.sql
+++ b/database/schema.sql
@@ -744,6 +744,9 @@ ALTER TABLE annotations            ENABLE ROW LEVEL SECURITY;
 ALTER TABLE reading_sessions       ENABLE ROW LEVEL SECURITY;
 ALTER TABLE premium_subscriptions  ENABLE ROW LEVEL SECURITY;
 ALTER TABLE donations              ENABLE ROW LEVEL SECURITY;
+ALTER TABLE search_queries         ENABLE ROW LEVEL SECURITY;
+ALTER TABLE affiliate_clicks       ENABLE ROW LEVEL SECURITY;
+ALTER TABLE system_jobs            ENABLE ROW LEVEL SECURITY;
 
 -- Helper that returns NULL outside Supabase (so the schema still loads in plain docker)
 CREATE OR REPLACE FUNCTION current_auth_uid() RETURNS UUID AS $$
@@ -813,6 +816,10 @@ CREATE POLICY donations_self ON donations FOR SELECT
     USING (user_id = current_auth_uid() OR anonymous = FALSE);
     -- Writes via service_role only.
 
+-- search_queries, affiliate_clicks, and system_jobs hold analytics, tracking,
+-- and worker audit data. Keep direct anon/authenticated access closed; server
+-- routes, cron jobs, and workers should use service_role, which bypasses RLS.
+
 -- ============================================================
 -- SAMPLE DATA (dev only)
 -- ============================================================