#!/bin/bash
set -e

# ===========================================================================
# Supabase role password bootstrap
# 
# Runs AFTER migrate.sh (zzz- prefix ensures alphabetical ordering).
# By this point all roles exist (created by init-scripts/00000000000000-initial-schema.sql).
# Sets passwords so PostgREST, Storage, Auth, and Studio can connect via TCP.
# ===========================================================================

psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -d postgres <<-EOSQL
  -- PostgREST connects as authenticator
  ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';

  -- Storage API connects as supabase_storage_admin
  ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';

  -- GoTrue (Auth) connects as supabase_auth_admin
  ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';

  -- Studio / pg_meta connects as dashboard_user
  ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';

  -- postgres (created by migrate.sh, needs password for TCP auth)
  ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';

  -- Realtime needs the _realtime schema
  CREATE SCHEMA IF NOT EXISTS _realtime;
  GRANT ALL ON SCHEMA _realtime TO supabase_admin;
  GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;
EOSQL

echo "✅ All Supabase role passwords set successfully."