-- Phase A: paliad.users extends auth.users with firm-specific profile fields.
-- Every authenticated user has a row here; created by the onboarding flow (Phase D).
-- Without a row, the user has no office → can see no Akten. That is the safe default.

CREATE TABLE paliad.users (
    id              uuid PRIMARY KEY REFERENCES auth.users(id) ON DELETE CASCADE,
    email           text NOT NULL,
    display_name    text NOT NULL DEFAULT '',
    office          text NOT NULL CHECK (office IN (
                        'munich', 'duesseldorf', 'hamburg',
                        'amsterdam', 'london', 'paris', 'milan'
                    )),
    practice_group  text,
    role            text NOT NULL DEFAULT 'associate' CHECK (role IN (
                        'partner', 'associate', 'pa', 'admin'
                    )),
    created_at      timestamptz NOT NULL DEFAULT now(),
    updated_at      timestamptz NOT NULL DEFAULT now()
);

CREATE INDEX users_office_idx ON paliad.users (office);
CREATE INDEX users_role_idx   ON paliad.users (role);