create table if not exists public.application_admins (
  id uuid primary key default gen_random_uuid(),
  email text not null,
  email_normalized text not null,
  status text not null default 'active' check (status in ('active', 'disabled')),
  permissions_json jsonb not null default '[]'::jsonb,
  created_by_user_id uuid references public.users (id) on delete set null,
  created_at timestamptz not null default now(),
  updated_at timestamptz not null default now()
);

create unique index if not exists application_admins_email_normalized_idx on public.application_admins (email_normalized);

drop trigger if exists set_application_admins_updated_at on public.application_admins;
create trigger set_application_admins_updated_at
before update on public.application_admins
for each row
execute function public.set_updated_at();

create table if not exists public.admin_access_audit (
  id uuid primary key default gen_random_uuid(),
  actor_user_id uuid references public.users (id) on delete set null,
  actor_email text,
  route text not null,
  action text not null,
  target_workspace_id uuid references public.workspaces (id) on delete set null,
  metadata_json jsonb not null default '{}'::jsonb,
  occurred_at timestamptz not null default now()
);

create index if not exists admin_access_audit_occurred_at_idx on public.admin_access_audit (occurred_at desc);
create index if not exists admin_access_audit_actor_user_id_idx on public.admin_access_audit (actor_user_id);
create index if not exists admin_access_audit_target_workspace_id_idx on public.admin_access_audit (target_workspace_id);