-- audit.view: read-only audit trail (super_admin already has *; explicit grant for tooling / future roles)
INSERT IGNORE INTO permissions (slug, description) VALUES
('audit.view', 'Denetim günlüğü okuma');

INSERT IGNORE INTO role_permissions (role_id, permission_id)
SELECT r.id, p.id FROM roles r JOIN permissions p ON p.slug = 'audit.view' WHERE r.slug = 'super_admin';