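-- ============================================================================
-- Per-Module Database Users
-- ============================================================================
-- Creates one login role per StellaOps module so that each module connects
-- with its own identity (least-privilege access control and a per-module
-- audit trail).
--
-- Password format: {module}_dev (for development only)
-- In production, use secrets management and rotate credentials.
--
-- Security notes for reviewers:
--   * The passwords are derivable from the role names, so this script must
--     only ever run against a development instance that is not reachable
--     from untrusted networks.
--   * A password given in CREATE ROLE travels as statement text and can be
--     captured by server statement logging or client history; this is
--     another reason not to reuse this pattern outside development.
--   * Only the roles are created here. No GRANT/REVOKE is issued, so the
--     isolation between modules depends on schema privileges applied
--     elsewhere (presumably a later init script; confirm).
--   * The script is re-runnable: a role that already exists is left
--     untouched, including its current password, so a rotated credential is
--     never reset to the predictable dev value.
-- ============================================================================

DO $$
DECLARE
    module_name  text;
    role_name    text;
    -- One entry per module; the role is "<module>_user".
    module_names CONSTANT text[] := ARRAY[
        -- Core Platform
        'authority',
        -- Data Ingestion
        'concelier',
        'excititor',
        -- Scanning & Analysis
        'scanner',
        -- Scheduling & Orchestration
        'scheduler',
        'taskrunner',
        -- Policy & Risk
        'policy',
        'unknowns',
        -- Artifacts & Evidence
        'attestor',
        'signer',
        -- Notifications
        'notify',
        -- Signals & Observability
        'signals',
        -- Registry
        'packs'
    ];
BEGIN
    FOREACH module_name IN ARRAY module_names LOOP
        role_name := module_name || '_user';

        -- CREATE ROLE has no IF NOT EXISTS form, so check the catalog first;
        -- without this a second run aborts on the first existing role.
        IF EXISTS (
            SELECT 1
            FROM pg_catalog.pg_roles
            WHERE rolname = role_name
        ) THEN
            RAISE NOTICE 'Role % already exists; leaving it unchanged', role_name;
            CONTINUE;
        END IF;

        -- CREATE USER is CREATE ROLE ... LOGIN. The NO* attributes are the
        -- defaults; they are spelled out so the privilege level of a module
        -- role is visible in review. %I / %L quote the identifier and the
        -- password literal.
        EXECUTE format(
            'CREATE ROLE %I WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE '
            'NOREPLICATION NOBYPASSRLS PASSWORD %L',
            role_name,
            module_name || '_dev'
        );
    END LOOP;
END
$$;

-- ============================================================================
-- Log created users
-- ============================================================================

DO $$
BEGIN
    RAISE NOTICE 'Created per-module database users:';
    RAISE NOTICE '  - authority_user, concelier_user, excititor_user';
    RAISE NOTICE '  - scanner_user, scheduler_user, taskrunner_user';
    RAISE NOTICE '  - policy_user, unknowns_user';
    RAISE NOTICE '  - attestor_user, signer_user';
    RAISE NOTICE '  - notify_user, signals_user, packs_user';
END
$$;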