# Database migrations

Additive, idempotent SQL migrations for the LinumIQ web app. Each file is safe
to run multiple times.

## Applying a migration

Migrations are plain SQL applied with `psql` inside the running Supabase
Postgres container.

Default self-hosted Supabase credentials are user `postgres`, database
`postgres`. Adjust `DB_USER` / `DB_NAME` / `CONTAINER` to match your deployment.

### Production

```sh
CONTAINER=supabase-db
DB_USER=postgres
DB_NAME=postgres

docker exec -i "$CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" < supabase/migrations/0001_admin.sql
```

### Development

```sh
docker exec -i supabase-dev-db psql -U postgres -d postgres < supabase/migrations/0001_admin.sql
```

## Migrations

| File              | Description                                                                 |
| ----------------- | --------------------------------------------------------------------------- |
| `0001_admin.sql`  | `admin_audit_log` + `reserved_subdomains` tables (RLS on, service-role only) |

## Bootstrapping the first admin

The admin role lives in `auth.users.app_metadata.role`. To promote a user to
admin manually (only the service role / SQL can write `app_metadata`):

```sql
update auth.users
set raw_app_meta_data =
  coalesce(raw_app_meta_data, '{}'::jsonb) || '{"role":"admin"}'::jsonb
where email = 'you@example.com';
```

Run it the same way:

```sh
docker exec -i supabase-db psql -U postgres -d postgres -c \
  "update auth.users set raw_app_meta_data = coalesce(raw_app_meta_data,'{}'::jsonb) || '{\"role\":\"admin\"}'::jsonb where email = 'you@example.com';"
```