Add billing record policies

Author: lovable-dev[bot]

src/integrations/supabase/types.ts

@@ -598,6 +598,10 @@ export type Database = {
         Args: { activity_type?: string; user_id?: string }
         Returns: boolean
       }
+      log_billing_access: {
+        Args: { access_type: string; record_id: string }
+        Returns: undefined
+      }
       log_security_event: {
         Args: { details?: Json; event_type: string; user_id?: string }
         Returns: undefined
@@ -606,6 +610,10 @@ export type Database = {
         Args: { campaign_id: string; requesting_user_id?: string }
         Returns: boolean
       }
+      validate_billing_record_ownership: {
+        Args: { record_id: string }
+        Returns: boolean
+      }
       validate_campaign_ownership: {
         Args: { campaign_id: string; user_id?: string }
         Returns: boolean

supabase/migrations/20250905164311_31d6a216-f377-430f-b547-1a104a2b2706.sql

@@ -0,0 +1,40 @@
+-- Add security monitoring functions for billing records
+
+-- Create security audit function for billing record access
+CREATE OR REPLACE FUNCTION public.log_billing_access(record_id uuid, access_type text)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  -- Log financial data access for security monitoring
+  PERFORM public.log_security_event(
+    'billing_record_access', 
+    auth.uid(), 
+    jsonb_build_object(
+      'record_id', record_id,
+      'access_type', access_type,
+      'timestamp', now()
+    )
+  );
+END;
+$$;
+
+-- Create function to validate billing record ownership before sensitive operations
+CREATE OR REPLACE FUNCTION public.validate_billing_record_ownership(record_id uuid)
+RETURNS boolean
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  record_owner uuid;
+BEGIN
+  SELECT user_id INTO record_owner 
+  FROM billing_records 
+  WHERE id = record_id;
+  
+  RETURN (record_owner = auth.uid());
+END;
+$$;