# Database Setup

## Manual Migrations

This directory contains SQL migrations that require superuser access and are applied manually.

## Applying Migrations

### Apply with psql:

```bash
# Connect as superuser
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql
```

### Environment Variables

- `DATABASE_URL` - Application connection (as `tia_app` role)
- `DATABASE_URL_SUPERUSER` - Superuser connection (for migrations only)

## Migration 01: App Role

File: `01-app-role.sql`

Creates `tia_app` role for application connections.

**Before applying:**

1. Change the password in the SQL file to a strong random value:

   ```sql
   CREATE ROLE tia_app WITH LOGIN PASSWORD 'your-secure-random-password';
   ```

2. Update `DATABASE_URL` in Dokploy to use `tia_app`:

   ```
   postgresql://tia_app:your-password@host:5432/tia
   ```

**Apply:**

```bash
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql
```

**After applying:**

- Test application works with new role
- Verify `tia_app` can SELECT/INSERT/UPDATE/DELETE
- Verify `tia_app` CANNOT DROP tables, CREATE TABLE, or ALTER ROLE

## Migration 02: Enable RLS

File: `02-enable-rls.sql`

Enables Row-Level Security on all family-scoped tables.

**Apply after H2.1 and H2.2 are complete:**

```bash
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/02-enable-rls.sql
```
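
The "After applying" checks for Migration 01 can be run as catalog queries rather than trial statements, and the same output shows the RLS state that Migration 02 changes. This is an added example, not one of the project's migrations; it assumes the application tables live in the `public` schema.

```sql
-- Added example: privilege audit for the tia_app role.
-- Run over the superuser connection, e.g. psql "$DATABASE_URL_SUPERUSER" -f <this file>
-- Assumption: application tables are in the "public" schema.

-- 1. Role attributes. For an application role all four flags should be false:
--    rolcreaterole would allow CREATE/ALTER ROLE, and rolsuper or
--    rolbypassrls would make row-level security policies ineffective.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles
WHERE rolname = 'tia_app';

-- 2. Schema and database privileges. schema_usage should be true;
--    schema_create should be false, otherwise tia_app can CREATE TABLE.
SELECT has_schema_privilege('tia_app', 'public', 'USAGE')  AS schema_usage,
       has_schema_privilege('tia_app', 'public', 'CREATE') AS schema_create,
       has_database_privilege('tia_app', current_database()::text, 'CREATE')
           AS db_create;

-- 3. Per-table privileges. The four DML columns should be true.
--    acts_as_owner should be false: only a table's owner (or a superuser)
--    can DROP or ALTER it, and an owner is exempt from RLS policies unless
--    the table has FORCE ROW LEVEL SECURITY (rls_forced).
SELECT c.relname                                         AS table_name,
       has_table_privilege('tia_app', c.oid, 'SELECT')   AS can_select,
       has_table_privilege('tia_app', c.oid, 'INSERT')   AS can_insert,
       has_table_privilege('tia_app', c.oid, 'UPDATE')   AS can_update,
       has_table_privilege('tia_app', c.oid, 'DELETE')   AS can_delete,
       has_table_privilege('tia_app', c.oid, 'TRUNCATE') AS can_truncate,
       pg_has_role('tia_app', c.relowner, 'USAGE')       AS acts_as_owner,
       c.relrowsecurity                                  AS rls_enabled,
       c.relforcerowsecurity                             AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
ORDER BY c.relname;
```

After Migration 02, `rls_enabled` should be true for every family-scoped table in the third result set.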