fix(api): don't run migrations as moments_ro

The api connects as the read-only role and was failing on startup
with `permission denied for schema public` because moments_ro lacks
CREATE rights — moments_rw owns the database and runs migrations.

Migrations are now owned exclusively by moments-worker. In deploy
(step 7) systemd ordering ensures the worker runs at least once
before the api unit starts, so the schema is in place by the time
the api accepts traffic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/moments-api/src/main.rs

@@ -36,8 +36,12 @@ async fn main() -> anyhow::Result<()> {
     init_tracing();
     let args = Args::parse();
 
+    // The api connects as moments_ro and never writes — migrations are owned
+    // by moments-worker, which is the database owner (moments_rw). Running
+    // migrations from here would fail with `permission denied for schema
+    // public`. The worker must have run at least once before the api accepts
+    // traffic; in deploy this is ordered via systemd dependencies (§3).
     let store = PgStore::connect(&args.database_url).await?;
-    store.migrate().await?;
     let state = AppState {
         store: Arc::new(store),
     };