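-- ============================================================
-- Supabase Core Roles & Schemas Initialization
-- Runs first (50-) to set up all roles required by later scripts
--
-- Must be executed with psql: it relies on the \set, \gset, \if,
-- \gexec and \connect meta-commands.
-- ============================================================

-- SECURITY: no credential is stored in this file. The password for the
-- login roles is read from the environment when the script runs.
-- Assumes POSTGRES_PASSWORD is exported to psql, as the postgres container
-- init entrypoint does; confirm for this deployment.
-- Any password literal that an earlier revision of this file carried must be
-- treated as disclosed and rotated wherever it was applied.
\set role_password `echo "$POSTGRES_PASSWORD"`

-- Fail loudly instead of creating login roles with an empty password.
-- The exception aborts the run only when psql is started with ON_ERROR_STOP.
SELECT :'role_password' = '' AS role_password_missing \gset
\if :role_password_missing
    DO $$ BEGIN RAISE EXCEPTION 'POSTGRES_PASSWORD is empty; refusing to create login roles without a password'; END $$;
\endif

-- Create the password-protected login roles that do not exist yet.
-- psql variables are not expanded inside a dollar-quoted DO body, so each
-- CREATE ROLE statement is generated with format() and run through \gexec;
-- %I quotes the role name and %L quotes the password literal.
-- NOTE(review): all six roles share one secret, so disclosure of any single
-- service credential (e.g. pgbouncer) also exposes supabase_admin, which holds
-- CREATEROLE, REPLICATION and BYPASSRLS. Prefer one secret per role.
SELECT format(
    'CREATE ROLE %I WITH %s PASSWORD %L',
    wanted.rolname,
    wanted.attributes,
    :'role_password'
)
FROM (
    VALUES
        ('supabase_admin',           'LOGIN CREATEROLE REPLICATION BYPASSRLS'),
        ('authenticator',            'NOINHERIT LOGIN'),
        ('pgbouncer',                'LOGIN'),
        ('supabase_auth_admin',      'NOINHERIT CREATEROLE LOGIN'),
        ('supabase_storage_admin',   'NOINHERIT CREATEROLE LOGIN'),
        ('supabase_functions_admin', 'NOINHERIT CREATEROLE LOGIN')
) AS wanted (rolname, attributes)
WHERE NOT EXISTS (
    SELECT 1
    FROM pg_catalog.pg_roles AS existing
    WHERE existing.rolname = wanted.rolname
)
\gexec

-- Create the remaining standard Supabase roles needed by subsequent init scripts
-- (56-roles.sql will ALTER these, so they must pre-exist).
-- None of these roles is given a password here.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'anon') THEN
        CREATE ROLE anon NOLOGIN NOINHERIT;
    END IF;

    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'authenticated') THEN
        CREATE ROLE authenticated NOLOGIN NOINHERIT;
    END IF;

    -- service_role bypasses row-level security; it is reachable only through
    -- membership (granted to authenticator below), never by direct login.
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'service_role') THEN
        CREATE ROLE service_role NOLOGIN NOINHERIT BYPASSRLS;
    END IF;

    -- LOGIN + REPLICATION with no password: password authentication cannot
    -- succeed for this role until a later script or an operator sets one.
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'supabase_replication_admin') THEN
        CREATE ROLE supabase_replication_admin LOGIN REPLICATION;
    END IF;

    -- No LOGIN attribute is given, so CREATE ROLE's default (NOLOGIN) applies.
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'supabase_read_only_user') THEN
        CREATE ROLE supabase_read_only_user BYPASSRLS;
    END IF;
END
$$;

-- Grant pg_read_server_files to supabase_admin (required by pg_net extension).
-- This predefined role lets its members read any file the server process can
-- access, so keep the membership limited to supabase_admin.
GRANT pg_read_server_files TO supabase_admin;

-- Core grants
GRANT ALL ON DATABASE postgres TO supabase_admin WITH GRANT OPTION;

-- authenticator is NOINHERIT: it gains these privileges only after an
-- explicit SET ROLE to one of the granted roles.
GRANT anon TO authenticator;
GRANT authenticated TO authenticator;
GRANT service_role TO authenticator;

GRANT supabase_auth_admin TO supabase_admin;
GRANT supabase_storage_admin TO supabase_admin;
GRANT supabase_functions_admin TO supabase_admin;

-- Create _supabase database for internal Supabase services.
-- CREATE DATABASE has no IF NOT EXISTS form and cannot run inside a DO block,
-- so the statement is generated only when the database is missing; this keeps
-- the script re-runnable like the role and schema steps.
SELECT 'CREATE DATABASE _supabase WITH OWNER supabase_admin'
WHERE NOT EXISTS (
    SELECT 1
    FROM pg_catalog.pg_database
    WHERE datname = '_supabase'
)
\gexec

-- Create required schemas in postgres database
CREATE SCHEMA IF NOT EXISTS _supabase AUTHORIZATION supabase_admin;
CREATE SCHEMA IF NOT EXISTS extensions AUTHORIZATION supabase_admin;

-- Stub schemas: auth/storage populated by GoTrue/Storage services at runtime
-- but must exist for 61-core-schema.sql to pass validation.
-- No AUTHORIZATION clause: both schemas are owned by the role running this script.
CREATE SCHEMA IF NOT EXISTS auth;
CREATE SCHEMA IF NOT EXISTS storage;
GRANT USAGE ON SCHEMA auth TO supabase_admin, supabase_auth_admin;
GRANT USAGE ON SCHEMA storage TO supabase_admin, supabase_storage_admin;

-- Switch to _supabase database and create required schemas
\connect _supabase
CREATE SCHEMA IF NOT EXISTS _analytics AUTHORIZATION supabase_admin;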