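-- Roles used by the application.
--
-- NF-AUDIT: audit_log must be append-only at the SQL level. The application
-- writes via mimic_audit_writer (INSERT only). The standard mimic_app role
-- has SELECT on audit_log but no UPDATE/DELETE.
--
-- NOTE(review): GRANTs alone do not make a table append-only. The table's
-- owner and any superuser bypass them, so audit_log must be owned by a role
-- that neither mimic_app nor mimic_audit_writer is a member of. Those
-- per-table grants live in the application's bootstrap step, not here
-- (see the comment at the end of this file); verify ownership there.
--
-- This file runs once at container init (docker-entrypoint-initdb.d, via psql).
-- Production deployment uses Ansible to apply the same grants idempotently;
-- that path must export the same MIMIC_AUDIT_WRITER_PASSWORD variable.

-- Create the audit writer role if it does not exist yet. The role is created
-- WITHOUT a password on purpose: a role whose password is NULL cannot
-- authenticate by password, so a missing secret fails closed instead of
-- leaving a well-known default ('CHANGE_ME') in the cluster. The password is
-- set from the environment below, outside the DO block.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mimic_audit_writer') THEN
        CREATE ROLE mimic_audit_writer LOGIN;
    END IF;
END
$$;

-- Set the password on every run so a rotated secret is picked up even when
-- the role already exists (the DO block above deliberately does not touch an
-- existing role). psql's backtick expansion in \set is used because the
-- official image feeds this file to psql with no envsubst step; psql variables
-- are not interpolated inside the $$-quoted DO body, hence the separate ALTER.
-- An unset or empty MIMIC_AUDIT_WRITER_PASSWORD makes Postgres clear the
-- password (NOTICE: "empty string is not a valid password"), which again
-- fails closed rather than open.
-- NOTE(review): the password is sent to the server in cleartext by this
-- statement (as it was by the original CREATE ROLE ... PASSWORD); keep
-- log_statement from capturing ALTER ROLE where statement logs are retained.
\set audit_writer_password `printf '%s' "$MIMIC_AUDIT_WRITER_PASSWORD"`
ALTER ROLE mimic_audit_writer PASSWORD :'audit_writer_password';

-- The mimic_app user is created by the official image entrypoint
-- via $POSTGRES_USER. We only need to make sure the audit writer exists.
-- Per-table grants are applied by the application's bootstrap step after
-- migrations land (so the audit_log table actually exists).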