fixes save

devops/compose/postgres-init/01-extensions.sql

@@ -1,5 +1,7 @@
--- PostgreSQL initialization for StellaOps air-gap deployment
+-- ============================================================================
+-- PostgreSQL initialization for StellaOps
 -- This script runs automatically on first container start
+-- ============================================================================
 
 -- Enable pg_stat_statements extension for query performance analysis
 CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
@@ -9,25 +11,59 @@ CREATE EXTENSION IF NOT EXISTS pg_trgm;      -- Fuzzy text search
 CREATE EXTENSION IF NOT EXISTS btree_gin;    -- GIN indexes for scalar types
 CREATE EXTENSION IF NOT EXISTS pgcrypto;     -- Cryptographic functions
 
+-- ============================================================================
 -- Create schemas for all modules
 -- Migrations will create tables within these schemas
-CREATE SCHEMA IF NOT EXISTS authority;
-CREATE SCHEMA IF NOT EXISTS vuln;
-CREATE SCHEMA IF NOT EXISTS vex;
-CREATE SCHEMA IF NOT EXISTS scheduler;
-CREATE SCHEMA IF NOT EXISTS notify;
-CREATE SCHEMA IF NOT EXISTS policy;
-CREATE SCHEMA IF NOT EXISTS concelier;
-CREATE SCHEMA IF NOT EXISTS audit;
-CREATE SCHEMA IF NOT EXISTS unknowns;
+-- ============================================================================
 
--- Grant usage to application user (assumes POSTGRES_USER is the app user)
-GRANT USAGE ON SCHEMA authority TO PUBLIC;
-GRANT USAGE ON SCHEMA vuln TO PUBLIC;
-GRANT USAGE ON SCHEMA vex TO PUBLIC;
-GRANT USAGE ON SCHEMA scheduler TO PUBLIC;
-GRANT USAGE ON SCHEMA notify TO PUBLIC;
-GRANT USAGE ON SCHEMA policy TO PUBLIC;
-GRANT USAGE ON SCHEMA concelier TO PUBLIC;
-GRANT USAGE ON SCHEMA audit TO PUBLIC;
-GRANT USAGE ON SCHEMA unknowns TO PUBLIC;
+-- Core Platform
+CREATE SCHEMA IF NOT EXISTS authority;     -- Authentication, authorization, OAuth/OIDC
+
+-- Data Ingestion
+CREATE SCHEMA IF NOT EXISTS vuln;          -- Concelier vulnerability data
+CREATE SCHEMA IF NOT EXISTS vex;           -- Excititor VEX documents
+
+-- Scanning & Analysis
+CREATE SCHEMA IF NOT EXISTS scanner;       -- Container scanning, SBOM generation
+
+-- Scheduling & Orchestration
+CREATE SCHEMA IF NOT EXISTS scheduler;     -- Job scheduling
+CREATE SCHEMA IF NOT EXISTS taskrunner;    -- Task execution
+
+-- Policy & Risk
+CREATE SCHEMA IF NOT EXISTS policy;        -- Policy engine
+CREATE SCHEMA IF NOT EXISTS unknowns;      -- Unknown component tracking
+
+-- Artifacts & Evidence
+CREATE SCHEMA IF NOT EXISTS proofchain;    -- Attestor proof chains
+CREATE SCHEMA IF NOT EXISTS attestor;      -- Attestor submission queue
+CREATE SCHEMA IF NOT EXISTS signer;        -- Key management
+
+-- Notifications
+CREATE SCHEMA IF NOT EXISTS notify;        -- Notification delivery
+
+-- Signals & Observability
+CREATE SCHEMA IF NOT EXISTS signals;       -- Runtime signals
+
+-- Registry
+CREATE SCHEMA IF NOT EXISTS packs;         -- Task packs registry
+
+-- Audit
+CREATE SCHEMA IF NOT EXISTS audit;         -- System-wide audit log
+
+-- ============================================================================
+-- Grant usage to application user (for single-user mode)
+-- Per-module users are created in 02-create-users.sql
+-- ============================================================================
+DO $$
+DECLARE
+    schema_name TEXT;
+BEGIN
+    FOR schema_name IN SELECT unnest(ARRAY[
+        'authority', 'vuln', 'vex', 'scanner', 'scheduler', 'taskrunner',
+        'policy', 'unknowns', 'proofchain', 'attestor', 'signer',
+        'notify', 'signals', 'packs', 'audit'
+    ]) LOOP
+        EXECUTE format('GRANT USAGE ON SCHEMA %I TO PUBLIC', schema_name);
+    END LOOP;
+END $$;