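-- In-database grants for the moments database.
-- Run after asset/sql/bootstrap.sql, against the moments database.
-- Idempotent — safe to re-run on every deploy.
--
-- (a) mTLS as `grenade`:
--
--     PGSSLMODE=verify-full \
--     PGSSLCERT=/etc/pki/tls/misc/$(hostname -f).pem \
--     PGSSLKEY=/etc/pki/tls/private/$(hostname -f).pem \
--     PGSSLROOTCERT=/etc/pki/ca-trust/source/anchors/root-internal.pem \
--     psql -h magrathea.kosherinata.internal -U grenade -d moments \
--          -f asset/sql/bootstrap-moments.sql
--
-- (b) ssh + sudo to the local postgres peer:
--
--     ssh magrathea.kosherinata.internal \
--         sudo --user postgres psql -d moments -f - \
--         < asset/sql/bootstrap-moments.sql
--
-- The schema itself is created by sqlx migrations executed by moments-api
-- on startup (which runs as moments_rw, the database owner). This file
-- only manages the read-only role's access to whatever moments_rw creates.
--
-- Preconditions: the roles moments_rw and moments_ro must already exist
-- (presumably created by bootstrap.sql — confirm there). The
-- ALTER DEFAULT PRIVILEGES ... FOR ROLE moments_rw statement below only
-- succeeds when the executing role is moments_rw itself, a member of
-- moments_rw, or a superuser; both invocation paths above depend on that,
-- so `grenade` needs membership in moments_rw for path (a) to work.

-- Apply the three grants atomically. psql -f otherwise runs each statement
-- in autocommit mode, so a failure mid-way (e.g. moments_ro missing) would
-- leave a partially granted role behind; inside one transaction the whole
-- run rolls back instead.
BEGIN;

-- Schema USAGE is required before any per-table grant is effective.
GRANT USAGE ON SCHEMA public TO moments_ro;

-- Read access to everything that exists in public at the time this runs
-- (ALL TABLES also covers views, materialized views and foreign tables).
-- This is a one-shot grant; it does not extend to objects created later.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO moments_ro;

-- Tables created later by moments_rw (running migrations) inherit SELECT
-- for moments_ro. Default privileges are keyed on the creating role, so
-- objects created in public by any other role are NOT covered by this rule.
ALTER DEFAULT PRIVILEGES FOR ROLE moments_rw IN SCHEMA public
    GRANT SELECT ON TABLES TO moments_ro;

COMMIT;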