-- Hammerhead Workspace - Patch 10: Revert accidental guard onboarding
-- The "Generate Logins for Everyone Without Access" feature had a bug that
-- pulled in employees (security guards) who should have stayed excluded.
-- This clears login credentials back off every employee record - nobody in
-- `employees` should have login access right now per explicit instruction.
-- Managers are completely untouched by this patch.
-- Safe to re-run.

UPDATE `employees`
SET `username` = NULL,
    `password_hash` = NULL,
    `force_password_change` = 0,
    `reset_token` = NULL,
    `reset_expires` = NULL;

-- Also clear any role/department/project assignments and audit log entries
-- that got created for employees during the accidental bulk run.
DELETE FROM `user_roles` WHERE `user_type` = 'employee';
DELETE FROM `user_departments` WHERE `user_type` = 'employee';
DELETE FROM `user_projects` WHERE `user_type` = 'employee';
