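-- Lock down public.modules against direct PostgREST access.
--
-- Each statement sits on its own line: a `--` comment runs to the end of the
-- line, so a statement that shares a line with a preceding comment is never
-- executed.
--
-- With RLS enabled and no permissive policy, every role that is subject to RLS
-- is denied by default. The backend app connects via the service role
-- (DATABASE_URL), which bypasses RLS, so existing functionality is unaffected.
-- NOTE(review): PostgreSQL skips RLS only for superusers, roles with the
-- BYPASSRLS attribute, and the table owner (unless FORCE ROW LEVEL SECURITY is
-- set). Confirm the role behind DATABASE_URL is one of these before applying;
-- otherwise the backend is denied as well.
ALTER TABLE public.modules ENABLE ROW LEVEL SECURITY;

-- NOTE(review): policies govern row-level commands (SELECT, INSERT, UPDATE,
-- DELETE) only. Whole-table operations such as TRUNCATE and REFERENCES are
-- controlled by table privileges, not by RLS. Check which grants anon and
-- authenticated hold on public.modules and revoke any they do not need.

-- Deny all access to anonymous (unauthenticated) PostgREST callers.
-- Default-deny already covers this, but the explicit policy makes the intent
-- clear. Because it is RESTRICTIVE it is ANDed with every permissive policy,
-- so a permissive policy added later cannot open the table to anon while this
-- one exists. FOR ALL with only USING reuses the expression as WITH CHECK, so
-- writes are rejected as well as reads.
-- DROP ... IF EXISTS keeps the script re-runnable; RLS stays enabled between
-- the DROP and the CREATE, so default-deny still applies in that gap as long
-- as no permissive policy exists on the table.
DROP POLICY IF EXISTS "deny_anon" ON public.modules;
CREATE POLICY "deny_anon"
    ON public.modules
    AS RESTRICTIVE
    FOR ALL
    TO anon
    USING (false);

-- Deny all access to authenticated PostgREST callers too.
-- The modules table is internal admin-only and should never be queried
-- directly via the Supabase REST API.
DROP POLICY IF EXISTS "deny_authenticated" ON public.modules;
CREATE POLICY "deny_authenticated"
    ON public.modules
    AS RESTRICTIVE
    FOR ALL
    TO authenticated
    USING (false);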