-- docker/postgres/initdb.d/01-init-users.sql
-- Runs as the POSTGRES_USER (postgres superuser) on first container start only.
-- Note: Table-level grants (USAGE ON SCHEMA public, SELECT/INSERT/UPDATE/DELETE ON ALL TABLES,
-- ALTER DEFAULT PRIVILEGES) are issued by the Alembic initial migration (Plan 03), not here.

-- Migration user: DDL privileges (CREATE TABLE, ALTER TABLE, CREATE INDEX)
CREATE USER docuvault_migrate WITH PASSWORD 'changeme_migrate';
GRANT ALL PRIVILEGES ON DATABASE docuvault TO docuvault_migrate;
-- PostgreSQL 15+: schema CREATE is not granted by default even with GRANT ALL ON DATABASE
GRANT ALL ON SCHEMA public TO docuvault_migrate;

-- App user: runtime DML only (SELECT, INSERT, UPDATE, DELETE) — no DDL
CREATE USER docuvault_app WITH PASSWORD 'changeme_app';
GRANT CONNECT ON DATABASE docuvault TO docuvault_app;
GRANT USAGE ON SCHEMA public TO docuvault_app;