<?php
// ─── POST /api/jobcards/timeline-delete.php ──────────────────────────────
define('ROOT', dirname(__DIR__, 2));
require_once ROOT . '/core/DB.php';
require_once ROOT . '/core/Response.php';
require_once ROOT . '/core/Auth.php';

$user = Auth::require();
$db   = DB::get();

// Only admin/dev can delete timeline entries
$role = Auth::role($user);
if (!in_array($role, ['admin', 'dev', 'test'])) {
    Response::error('Permission denied.', 403);
}

$record_id = (int) ($_POST['record_id'] ?? 0);
if (!$record_id) Response::error('record_id is required.');

$db->run("DELETE FROM jobcard_timeline WHERE record_id = ?", [$record_id]);

Response::ok(null, 'Timeline entry deleted.');