
fix(api): use proper RLS for call_logs instead of service role

- Fixed RLS policy with explicit table references (stores.id, stores.user_id)
- Simplified API endpoints to rely on RLS for authorization
- RLS policy joins call_logs.store_id -> stores where stores.user_id = auth.uid()

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Fszontagh 4 месяцев назад
Родитель
Сommit
46ccb60b6c
1 измененных файлов с 4 добавлено и 53 удалено
  1. 4 53
      supabase/functions/api/index.ts

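--- a/supabase/functions/api/index.ts
+++ b/supabase/functions/api/index.ts
@@ -2102,38 +2102,10 @@ serve(async (req) => {
 
     // GET /api/call-logs - List all call logs for the user's stores
     if (path === 'call-logs' && req.method === 'GET') {
-      // First, get all store IDs that belong to this user
-      const { data: userStores, error: storesError } = await supabase
-        .from('stores')
-        .select('id')
-        .eq('user_id', user.id)
-
-      if (storesError) {
-        console.error('Error fetching user stores:', storesError)
-        return new Response(
-          JSON.stringify({ error: 'Failed to fetch stores' }),
-          { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
-        )
-      }
-
-      const storeIds = userStores?.map(s => s.id) || []
-
-      if (storeIds.length === 0) {
-        return new Response(
-          JSON.stringify({ success: true, call_logs: [] }),
-          { status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
-        )
-      }
-
-      // Use service role to bypass RLS for call_logs (we've already verified store ownership above)
-      const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
-      const supabaseAdmin = createClient(supabaseUrl, supabaseServiceKey)
-
-      // Fetch call logs for these stores
-      const { data: callLogs, error: logsError } = await supabaseAdmin
+      // Fetch call logs - RLS policy ensures user can only see logs for their stores
+      const { data: callLogs, error: logsError } = await supabase
         .from('call_logs')
         .select('id, store_id, created_at, started_at, ended_at, duration, caller, cost_total')
-        .in('store_id', storeIds)
         .order('created_at', { ascending: false })
 
       if (logsError) {
@@ -2155,32 +2127,11 @@ serve(async (req) => {
     if (callLogMatch && req.method === 'GET') {
       const callLogId = callLogMatch[1]
 
-      // First, get all store IDs that belong to this user
-      const { data: userStores, error: storesError } = await supabase
-        .from('stores')
-        .select('id')
-        .eq('user_id', user.id)
-
-      if (storesError) {
-        console.error('Error fetching user stores:', storesError)
-        return new Response(
-          JSON.stringify({ error: 'Failed to fetch stores' }),
-          { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
-        )
-      }
-
-      const storeIds = userStores?.map(s => s.id) || []
-
-      // Use service role to bypass RLS for call_logs (we've already verified store ownership above)
-      const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
-      const supabaseAdmin = createClient(supabaseUrl, supabaseServiceKey)
-
-      // Fetch the specific call log (only if it belongs to user's stores)
-      const { data: callLog, error: logError } = await supabaseAdmin
+      // Fetch the specific call log - RLS policy ensures user can only see logs for their stores
+      const { data: callLog, error: logError } = await supabase
         .from('call_logs')
         .select('*')
         .eq('id', callLogId)
-        .in('store_id', storeIds)
         .single()
 
       if (logError || !callLog) {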
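Review bot: After this change neither call-log handler (the list query and the single-log lookup by id) carries an ownership filter of its own, so tenant isolation rests entirely on `supabase` being the request-scoped client that carries the caller's JWT and on RLS being enabled with a SELECT policy on `call_logs`. Neither is visible in these hunks, and the commit touches only index.ts although the message describes a policy fix, so the policy migration should be confirmed to ship with or before this deploy. I would state the dependency at both queries, e.g. `// SECURITY: relies on call_logs RLS; supabase must be the user-JWT client, never the service-role client`. The single-log query also still uses `.select('*')`, so any column later added to `call_logs` becomes readable through this endpoint; an explicit column list, as in the list endpoint, would keep that deliberate. Both handler bodies continue outside the hunks.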