- pyproject.toml with ruff + mypy strict + pytest + coverage >=70%
- Makefile with Docker/Podman auto-detect
- Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user)
- docker-compose.yml for Postgres dev DB
- alembic.ini wired to src/mimic/db/migrations
- scripts/postgres-init/00-roles.sql seeds the audit writer role
- .env.example documents every MIMIC_* var (no secrets committed)
21 lines
819 B
SQL
```sql
-- Roles used by the application.
--
-- NF-AUDIT: audit_log must be append-only at the SQL level. The application
-- writes via mimic_audit_writer (INSERT only). The standard mimic_app role
-- has SELECT on audit_log but no UPDATE/DELETE.
--
-- This file runs once at container init. Production deployment uses Ansible
-- to apply the same grants idempotently.

DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mimic_audit_writer') THEN
        -- Placeholder password only. *.sql files in docker-entrypoint-initdb.d
        -- are fed to psql as-is, so no environment substitution happens here;
        -- change it with ALTER ROLE ... PASSWORD before the instance is reachable
        -- by anything other than the dev compose network.
        CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'CHANGE_ME';
    END IF;
END
$$;

-- The mimic_app user is created by the official image entrypoint
-- via $POSTGRES_USER. We only need to make sure the audit writer exists.
-- Caveat: the entrypoint creates $POSTGRES_USER as a superuser, and superusers
-- bypass ACL checks, so in the dev container the SELECT-only restriction on
-- mimic_app is not enforced by grants alone; a trigger still fires for it.
-- Per-table grants are applied by the application's bootstrap step after
-- migrations land (so the audit_log table actually exists).
```
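The bootstrap grants that the header comment refers to are not on this page. The following is an added example (not the project's code) of what "append-only at the SQL level" looks like once audit_log exists: the INSERT-only / SELECT-only grant matrix the comments describe, plus a statement-level trigger that rejects UPDATE, DELETE and TRUNCATE even for roles the ACL would allow, and a query that checks the resulting privilege matrix. The audit_log column layout and the sequence name audit_log_id_seq are assumptions for illustration; the real migration defines the table. It assumes both roles already exist (mimic_audit_writer from 00-roles.sql, mimic_app from the image entrypoint) and is meant to be run by the role that owns the table.

```sql
-- Constructed table shape so the block runs on an empty database; the
-- project's migration is the source of truth for the real columns.
CREATE TABLE IF NOT EXISTS audit_log (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       text        NOT NULL,
    action      text        NOT NULL,
    detail      jsonb
);

-- Start from a clean slate so re-running this block is idempotent and
-- nothing inherited via PUBLIC survives.
REVOKE ALL ON TABLE audit_log FROM PUBLIC;
REVOKE ALL ON TABLE audit_log FROM mimic_audit_writer;
REVOKE ALL ON TABLE audit_log FROM mimic_app;

-- Harmless on the default public schema; required if audit_log is moved
-- into a dedicated schema later.
GRANT USAGE ON SCHEMA public TO mimic_audit_writer, mimic_app;

-- Writer: INSERT only. The identity column draws from audit_log_id_seq
-- (assumed default name), and nextval() checks USAGE on that sequence.
GRANT INSERT ON TABLE audit_log TO mimic_audit_writer;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO mimic_audit_writer;

-- Application: read only.
GRANT SELECT ON TABLE audit_log TO mimic_app;

-- Defence in depth: the table owner (and any superuser) is not stopped by
-- grants, but a trigger fires for every role unless someone explicitly
-- disables it, which is a visible, auditable action.
CREATE OR REPLACE FUNCTION audit_log_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END
$$;

DROP TRIGGER IF EXISTS audit_log_append_only ON audit_log;
CREATE TRIGGER audit_log_append_only
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_mutation();

-- Check the matrix the header comment promises. Expected: only
-- (mimic_audit_writer, INSERT) and (mimic_app, SELECT) are true, unless the
-- role being checked is a superuser, for which every row is true.
SELECT r.role,
       p.privilege,
       has_table_privilege(r.role, 'audit_log', p.privilege) AS granted
FROM (VALUES ('mimic_audit_writer'), ('mimic_app')) AS r(role)
CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE')) AS p(privilege)
ORDER BY r.role, p.privilege;
```

Run it as the migration owner after `alembic upgrade head`, then repeat the final SELECT from a CI check: a superuser `mimic_app` (what the official image gives you for `$POSTGRES_USER` in dev) reports every privilege as granted, which is the signal that the dev database is not exercising the production permission model and that a trigger-based guard is the only thing standing between the app role and a silent `DELETE FROM audit_log`.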