remdb 0.2.6__py3-none-any.whl → 0.3.118__py3-none-any.whl

rem/sql/migrations/001_install.sql

@@ -218,6 +218,7 @@ COMMENT ON FUNCTION rebuild_kv_store() IS
 -- Returns structured columns extracted from entity records
 -- Parameters: entity_key, tenant_id (for backward compat), user_id (actual filter)
 -- Note: tenant_id parameter exists for backward compatibility but is ignored
+-- Note: Includes user-owned AND public (NULL user_id) resources
 CREATE OR REPLACE FUNCTION rem_lookup(
     p_entity_key VARCHAR(255),
     p_tenant_id VARCHAR(100),
@@ -230,13 +231,17 @@ RETURNS TABLE(
 DECLARE
     entity_table VARCHAR(100);
     query_sql TEXT;
+    effective_user_id VARCHAR(100);
 BEGIN
-    -- Use p_user_id for filtering (p_tenant_id ignored for backward compat)
+    effective_user_id := COALESCE(p_user_id, p_tenant_id);
+
     -- First lookup in KV store to get entity_type (table name)
+    -- Include user-owned AND public (NULL user_id) entries
     SELECT kv.entity_type INTO entity_table
     FROM kv_store kv
-    WHERE kv.user_id = p_user_id
-    AND kv.entity_key = p_entity_key;
+    WHERE (kv.user_id = effective_user_id OR kv.user_id IS NULL)
+    AND kv.entity_key = p_entity_key
+    LIMIT 1;
 
     -- If not found, return empty
     IF entity_table IS NULL THEN
@@ -250,73 +255,63 @@ BEGIN
             %L::VARCHAR(100) AS entity_type,
             row_to_json(t)::jsonb AS data
         FROM %I t
-        WHERE t.user_id = $1
+        WHERE (t.user_id = $1 OR t.user_id IS NULL)
         AND t.name = $2
         AND t.deleted_at IS NULL
     ', entity_table, entity_table);
 
-    RETURN QUERY EXECUTE query_sql USING p_user_id, p_entity_key;
+    RETURN QUERY EXECUTE query_sql USING effective_user_id, p_entity_key;
 END;
 $$ LANGUAGE plpgsql STABLE;
 
 COMMENT ON FUNCTION rem_lookup IS
-'REM LOOKUP query: O(1) entity lookup by natural key. Returns raw entity data as JSONB for LLM consumption. tenant_id parameter exists for backward compatibility but filtering uses user_id.';
+'REM LOOKUP: O(1) entity lookup. Returns user-owned AND public (NULL user_id) entities.';
 
 -- REM FETCH: Fetch full entity records from multiple tables
 -- Takes JSONB mapping of {table_name: [entity_keys]}, fetches all records
 -- Returns complete entity records as JSONB (not just KV store metadata)
+-- Note: Includes user-owned AND public (NULL user_id) resources
 CREATE OR REPLACE FUNCTION rem_fetch(
     p_entities_by_table JSONB,
     p_user_id VARCHAR(100)
 )
 RETURNS TABLE(
-    entity_key TEXT,
-    entity_type TEXT,
+    entity_key VARCHAR(255),
+    entity_type VARCHAR(100),
     entity_record JSONB
 ) AS $$
 DECLARE
     table_name TEXT;
-    entity_keys TEXT[];
+    entity_keys JSONB;
     query_sql TEXT;
-    result_record RECORD;
 BEGIN
-    -- Iterate over each table in the JSONB object
-    FOR table_name IN SELECT jsonb_object_keys(p_entities_by_table)
+    -- For each table in the input JSONB
+    FOR table_name, entity_keys IN SELECT * FROM jsonb_each(p_entities_by_table)
     LOOP
-        -- Extract array of keys for this table
-        entity_keys := ARRAY(
-            SELECT jsonb_array_elements_text(p_entities_by_table->table_name)
-        );
-
-        -- Build dynamic query for this table
+        -- Dynamic query to fetch records from the table
+        -- Include user-owned AND public (NULL user_id)
         query_sql := format('
             SELECT
-                t.name AS entity_key,
-                %L AS entity_type,
+                t.name::VARCHAR(255) AS entity_key,
+                %L::VARCHAR(100) AS entity_type,
                 row_to_json(t)::jsonb AS entity_record
             FROM %I t
-            WHERE t.user_id = $1
-            AND t.name = ANY($2)
+            WHERE t.name = ANY(SELECT jsonb_array_elements_text($1))
+            AND (t.user_id = $2 OR t.user_id IS NULL)
             AND t.deleted_at IS NULL
         ', table_name, table_name);
 
-        -- Execute and return rows for this table
-        FOR result_record IN EXECUTE query_sql USING p_user_id, entity_keys
-        LOOP
-            entity_key := result_record.entity_key;
-            entity_type := result_record.entity_type;
-            entity_record := result_record.entity_record;
-            RETURN NEXT;
-        END LOOP;
+        RETURN QUERY EXECUTE query_sql USING entity_keys, p_user_id;
     END LOOP;
 END;
 $$ LANGUAGE plpgsql STABLE;
 
 COMMENT ON FUNCTION rem_fetch IS
-'REM FETCH: Fetch full entity records (all columns as JSONB) from multiple tables. Takes JSONB mapping {table_name: [keys]}, fetches all records, returns unified result set. Use for hydrating LOOKUP, FUZZY, SEARCH, and TRAVERSE results.';
+'REM FETCH: Batch fetch entities. Returns user-owned AND public (NULL user_id) entities.';
 
 -- REM FUZZY: Fuzzy text search using pg_trgm similarity
 -- Returns raw entity data as JSONB for LLM consumption
+-- Note: Includes user-owned AND public (NULL user_id) resources
 CREATE OR REPLACE FUNCTION rem_fuzzy(
     p_query TEXT,
     p_tenant_id VARCHAR(100),
@@ -333,16 +328,18 @@ DECLARE
     kv_matches RECORD;
     entities_by_table JSONB := '{}'::jsonb;
     table_keys JSONB;
+    effective_user_id VARCHAR(100);
 BEGIN
-    -- First, find matching keys in KV store with similarity scores
-    -- Group by table to prepare for batch fetch
+    effective_user_id := COALESCE(p_user_id, p_tenant_id);
+
+    -- Find matching keys in KV store (user-owned AND public)
     FOR kv_matches IN
         SELECT
             kv.entity_key,
             kv.entity_type,
             similarity(kv.entity_key, p_query) AS sim_score
         FROM kv_store kv
-        WHERE kv.user_id = COALESCE(p_user_id, p_tenant_id)
+        WHERE (kv.user_id = effective_user_id OR kv.user_id IS NULL)
         AND kv.entity_key % p_query  -- Trigram similarity operator
         AND similarity(kv.entity_key, p_query) >= p_threshold
         ORDER BY sim_score DESC
@@ -365,29 +362,155 @@ BEGIN
         END IF;
     END LOOP;
 
-    -- Fetch full records using rem_fetch helper
-    -- Return raw entity data as JSONB for LLM consumption
-    -- Use p_user_id (not p_tenant_id) for actual filtering
+    -- Fetch full records using rem_fetch (which now supports NULL user_id)
     RETURN QUERY
     SELECT
         f.entity_type::VARCHAR(100),
         similarity(f.entity_key, p_query) AS similarity_score,
         f.entity_record AS data
-    FROM rem_fetch(entities_by_table, COALESCE(p_user_id, p_tenant_id)) f
+    FROM rem_fetch(entities_by_table, effective_user_id) f
     ORDER BY similarity_score DESC;
 END;
 $$ LANGUAGE plpgsql STABLE;
 
 COMMENT ON FUNCTION rem_fuzzy IS
-'REM FUZZY query: Fuzzy text search using pg_trgm. Returns raw entity data as JSONB for LLM consumption. tenant_id parameter exists for backward compatibility but filtering uses user_id.';
+'REM FUZZY: Fuzzy text search. Returns user-owned AND public (NULL user_id) entities.';
+
+-- ============================================================================
+-- REM TRAVERSE (Graph Traversal)
+-- ============================================================================
+
+-- REM TRAVERSE: Recursive graph traversal following edges
+-- Explores graph_edges starting from entity_key up to max_depth
+-- Uses cached kv_store.graph_edges for fast traversal (no polymorphic view!)
+-- When keys_only=false, automatically fetches full entity records
+-- Note: Includes user-owned AND public (NULL user_id) resources
+CREATE OR REPLACE FUNCTION rem_traverse(
+    p_entity_key VARCHAR(255),
+    p_tenant_id VARCHAR(100),  -- Backward compat parameter (not used for filtering)
+    p_user_id VARCHAR(100),
+    p_max_depth INTEGER DEFAULT 1,
+    p_rel_type VARCHAR(100) DEFAULT NULL,
+    p_keys_only BOOLEAN DEFAULT FALSE
+)
+RETURNS TABLE(
+    depth INTEGER,
+    entity_key VARCHAR(255),
+    entity_type VARCHAR(100),
+    entity_id UUID,
+    rel_type VARCHAR(100),
+    rel_weight REAL,
+    path TEXT[],
+    entity_record JSONB
+) AS $$
+DECLARE
+    graph_keys RECORD;
+    entities_by_table JSONB := '{}'::jsonb;
+    table_keys JSONB;
+    effective_user_id VARCHAR(100);
+BEGIN
+    effective_user_id := COALESCE(p_user_id, p_tenant_id);
+
+    FOR graph_keys IN
+        WITH RECURSIVE graph_traversal AS (
+            -- Base case: Find starting entity (user-owned OR public)
+            SELECT
+                0 AS depth,
+                kv.entity_key,
+                kv.entity_type,
+                kv.entity_id,
+                NULL::VARCHAR(100) AS rel_type,
+                NULL::REAL AS rel_weight,
+                ARRAY[kv.entity_key]::TEXT[] AS path
+            FROM kv_store kv
+            WHERE (kv.user_id = effective_user_id OR kv.user_id IS NULL)
+            AND kv.entity_key = p_entity_key
+
+            UNION ALL
+
+            -- Recursive case: Follow outbound edges
+            SELECT
+                gt.depth + 1,
+                target_kv.entity_key,
+                target_kv.entity_type,
+                target_kv.entity_id,
+                (edge->>'rel_type')::VARCHAR(100) AS rel_type,
+                COALESCE((edge->>'weight')::REAL, 1.0) AS rel_weight,
+                gt.path || target_kv.entity_key AS path
+            FROM graph_traversal gt
+            JOIN kv_store source_kv ON source_kv.entity_key = gt.entity_key
+                AND (source_kv.user_id = effective_user_id OR source_kv.user_id IS NULL)
+            CROSS JOIN LATERAL jsonb_array_elements(COALESCE(source_kv.graph_edges, '[]'::jsonb)) AS edge
+            JOIN kv_store target_kv ON target_kv.entity_key = (edge->>'dst')::VARCHAR(255)
+                AND (target_kv.user_id = effective_user_id OR target_kv.user_id IS NULL)
+            WHERE gt.depth < p_max_depth
+            AND (p_rel_type IS NULL OR (edge->>'rel_type')::VARCHAR(100) = p_rel_type)
+            AND NOT (target_kv.entity_key = ANY(gt.path))
+        )
+        SELECT DISTINCT ON (entity_key)
+            gt.depth,
+            gt.entity_key,
+            gt.entity_type,
+            gt.entity_id,
+            gt.rel_type,
+            gt.rel_weight,
+            gt.path
+        FROM graph_traversal gt
+        WHERE gt.depth > 0
+        ORDER BY gt.entity_key, gt.depth
+    LOOP
+        IF p_keys_only THEN
+            depth := graph_keys.depth;
+            entity_key := graph_keys.entity_key;
+            entity_type := graph_keys.entity_type;
+            entity_id := graph_keys.entity_id;
+            rel_type := graph_keys.rel_type;
+            rel_weight := graph_keys.rel_weight;
+            path := graph_keys.path;
+            entity_record := NULL;
+            RETURN NEXT;
+        ELSE
+            IF entities_by_table ? graph_keys.entity_type THEN
+                table_keys := entities_by_table->graph_keys.entity_type;
+                entities_by_table := jsonb_set(
+                    entities_by_table,
+                    ARRAY[graph_keys.entity_type],
+                    table_keys || jsonb_build_array(graph_keys.entity_key)
+                );
+            ELSE
+                entities_by_table := jsonb_set(
+                    entities_by_table,
+                    ARRAY[graph_keys.entity_type],
+                    jsonb_build_array(graph_keys.entity_key)
+                );
+            END IF;
+        END IF;
+    END LOOP;
 
--- REM TRAVERSE: Moved to 002_install_models.sql (after entity tables are created)
--- See 002_install_models.sql for the full rem_traverse function with keys_only parameter
+    IF NOT p_keys_only AND entities_by_table != '{}'::jsonb THEN
+        RETURN QUERY
+        SELECT
+            NULL::INTEGER AS depth,
+            f.entity_key::VARCHAR(255),
+            f.entity_type::VARCHAR(100),
+            NULL::UUID AS entity_id,
+            NULL::VARCHAR(100) AS rel_type,
+            NULL::REAL AS rel_weight,
+            NULL::TEXT[] AS path,
+            f.entity_record
+        FROM rem_fetch(entities_by_table, effective_user_id) f;
+    END IF;
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION rem_traverse IS
+'REM TRAVERSE: Graph traversal. Returns user-owned AND public (NULL user_id) entities.';
 
 -- REM SEARCH: Vector similarity search using embeddings
 -- Joins to embeddings table for semantic search
+-- Note: Includes user-owned AND public (NULL user_id) resources
 CREATE OR REPLACE FUNCTION rem_search(
-    p_query_embedding vector(1536),
+    p_query_embedding vector,
     p_table_name VARCHAR(100),
     p_field_name VARCHAR(100),
     p_tenant_id VARCHAR(100),
@@ -405,39 +528,38 @@ DECLARE
     embeddings_table VARCHAR(200);
     source_table VARCHAR(100);
     query_sql TEXT;
+    effective_user_id VARCHAR(100);
 BEGIN
-    -- Construct embeddings table name
     embeddings_table := 'embeddings_' || p_table_name;
     source_table := p_table_name;
+    effective_user_id := COALESCE(p_user_id, p_tenant_id);
 
-    -- Dynamic query to join source table with embeddings table
-    -- Returns raw entity data as JSONB for LLM consumption
-    -- Note: Using inner product for OpenAI embeddings (normalized vectors)
-    -- Inner product <#> returns negative value, so we negate it to get [0, 1]
-    -- where 1 = perfect match, 0 = orthogonal
+    -- Uses cosine distance <=> operator (0-2 range, 0=identical)
+    -- Similarity = 1 - distance gives 0-1 range where 1 = most similar
+    -- Includes user-owned AND public (NULL user_id) resources
     query_sql := format('
         SELECT
             %L::VARCHAR(100) AS entity_type,
-            (1.0 - (e.embedding <#> $1) * -1.0)::REAL AS similarity_score,
+            (1.0 - (e.embedding <=> $1))::REAL AS similarity_score,
             row_to_json(t)::jsonb AS data
         FROM %I t
         JOIN %I e ON e.entity_id = t.id
-        WHERE t.user_id = $2
+        WHERE (t.user_id = $2 OR t.user_id IS NULL)
         AND e.field_name = $3
         AND e.provider = $4
-        AND (1.0 - (e.embedding <#> $1) * -1.0) >= $5
+        AND (1.0 - (e.embedding <=> $1)) >= $5
         AND t.deleted_at IS NULL
-        ORDER BY e.embedding <#> $1 DESC
+        ORDER BY e.embedding <=> $1
         LIMIT $6
     ', source_table, source_table, embeddings_table);
 
     RETURN QUERY EXECUTE query_sql
-    USING p_query_embedding, p_user_id, p_field_name, p_provider, p_min_similarity, p_limit;
+    USING p_query_embedding, effective_user_id, p_field_name, p_provider, p_min_similarity, p_limit;
 END;
 $$ LANGUAGE plpgsql STABLE;
 
 COMMENT ON FUNCTION rem_search IS
-'REM SEARCH query: Vector similarity search using inner product for OpenAI normalized embeddings. Returns raw entity data as JSONB for LLM consumption, scoped to user_id';
+'REM SEARCH: Vector similarity search. Returns user-owned AND public (NULL user_id) resources.';
 
 -- Function to get migration status
 CREATE OR REPLACE FUNCTION migration_status()
@@ -464,6 +586,180 @@ $$ LANGUAGE plpgsql;
 COMMENT ON FUNCTION migration_status() IS
 'Get summary of applied migrations by type';
 
+-- ============================================================================
+-- RATE LIMITS (UNLOGGED for performance)
+-- ============================================================================
+-- High-performance rate limiting table. Uses UNLOGGED for speed - counts may
+-- be lost on database crash/restart, which is acceptable (fail-open on error).
+
+CREATE UNLOGGED TABLE IF NOT EXISTS rate_limits (
+    key VARCHAR(512) PRIMARY KEY,
+    count INTEGER NOT NULL DEFAULT 1,
+    expires_at TIMESTAMP NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_rate_limits_expires ON rate_limits (expires_at);
+
+COMMENT ON TABLE rate_limits IS
+'UNLOGGED rate limiting table. Counts may be lost on crash (acceptable for rate limiting).';
+
+-- ============================================================================
+-- SHARED SESSIONS HELPER FUNCTIONS
+-- ============================================================================
+-- Note: The shared_sessions TABLE is created by 002_install_models.sql (auto-generated)
+-- These functions provide aggregate queries for the session sharing workflow.
+
+-- Count distinct users sharing sessions with the current user
+CREATE OR REPLACE FUNCTION fn_count_shared_with_me(
+    p_tenant_id VARCHAR(100),
+    p_user_id VARCHAR(256)
+)
+RETURNS BIGINT AS $$
+BEGIN
+    RETURN (
+        SELECT COUNT(DISTINCT owner_user_id)
+        FROM shared_sessions
+        WHERE tenant_id = p_tenant_id
+          AND shared_with_user_id = p_user_id
+          AND deleted_at IS NULL
+    );
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION fn_count_shared_with_me IS
+'Count distinct users sharing sessions with the specified user.';
+
+-- Get aggregated summary of users sharing sessions with current user
+CREATE OR REPLACE FUNCTION fn_get_shared_with_me(
+    p_tenant_id VARCHAR(100),
+    p_user_id VARCHAR(256),
+    p_limit INTEGER DEFAULT 50,
+    p_offset INTEGER DEFAULT 0
+)
+RETURNS TABLE(
+    user_id VARCHAR(256),
+    name VARCHAR(256),
+    email VARCHAR(256),
+    session_count BIGINT,
+    message_count BIGINT,
+    first_message_at TIMESTAMP,
+    last_message_at TIMESTAMP
+) AS $$
+BEGIN
+    RETURN QUERY
+    SELECT
+        ss.owner_user_id AS user_id,
+        COALESCE(u.name, ss.owner_user_id) AS name,
+        u.email AS email,
+        COUNT(DISTINCT ss.session_id)::BIGINT AS session_count,
+        COALESCE(SUM(msg_counts.msg_count), 0)::BIGINT AS message_count,
+        MIN(msg_counts.first_msg)::TIMESTAMP AS first_message_at,
+        MAX(msg_counts.last_msg)::TIMESTAMP AS last_message_at
+    FROM shared_sessions ss
+    LEFT JOIN users u ON u.user_id = ss.owner_user_id AND u.tenant_id = ss.tenant_id
+    LEFT JOIN (
+        SELECT
+            m.session_id,
+            m.user_id,
+            COUNT(*)::BIGINT AS msg_count,
+            MIN(m.created_at) AS first_msg,
+            MAX(m.created_at) AS last_msg
+        FROM messages m
+        WHERE m.tenant_id = p_tenant_id
+          AND m.deleted_at IS NULL
+        GROUP BY m.session_id, m.user_id
+    ) msg_counts ON msg_counts.session_id = ss.session_id AND msg_counts.user_id = ss.owner_user_id
+    WHERE ss.tenant_id = p_tenant_id
+      AND ss.shared_with_user_id = p_user_id
+      AND ss.deleted_at IS NULL
+    GROUP BY ss.owner_user_id, u.name, u.email
+    ORDER BY MAX(msg_counts.last_msg) DESC NULLS LAST
+    LIMIT p_limit
+    OFFSET p_offset;
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION fn_get_shared_with_me IS
+'Get aggregated summary of users sharing sessions with the specified user.';
+
+-- Count messages in sessions shared by a specific user
+CREATE OR REPLACE FUNCTION fn_count_shared_messages(
+    p_tenant_id VARCHAR(100),
+    p_recipient_user_id VARCHAR(256),
+    p_owner_user_id VARCHAR(256)
+)
+RETURNS BIGINT AS $$
+BEGIN
+    RETURN (
+        SELECT COUNT(*)
+        FROM messages m
+        WHERE m.tenant_id = p_tenant_id
+          AND m.deleted_at IS NULL
+          AND m.session_id IN (
+              SELECT ss.session_id
+              FROM shared_sessions ss
+              WHERE ss.tenant_id = p_tenant_id
+                AND ss.owner_user_id = p_owner_user_id
+                AND ss.shared_with_user_id = p_recipient_user_id
+                AND ss.deleted_at IS NULL
+          )
+    );
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION fn_count_shared_messages IS
+'Count messages in sessions shared by a specific user with the recipient.';
+
+-- Get messages from sessions shared by a specific user
+CREATE OR REPLACE FUNCTION fn_get_shared_messages(
+    p_tenant_id VARCHAR(100),
+    p_recipient_user_id VARCHAR(256),
+    p_owner_user_id VARCHAR(256),
+    p_limit INTEGER DEFAULT 50,
+    p_offset INTEGER DEFAULT 0
+)
+RETURNS TABLE(
+    id UUID,
+    content TEXT,
+    message_type VARCHAR(256),
+    session_id VARCHAR(256),
+    model VARCHAR(256),
+    token_count INTEGER,
+    created_at TIMESTAMP,
+    metadata JSONB
+) AS $$
+BEGIN
+    RETURN QUERY
+    SELECT
+        m.id,
+        m.content,
+        m.message_type,
+        m.session_id,
+        m.model,
+        m.token_count,
+        m.created_at,
+        m.metadata
+    FROM messages m
+    WHERE m.tenant_id = p_tenant_id
+      AND m.deleted_at IS NULL
+      AND m.session_id IN (
+          SELECT ss.session_id
+          FROM shared_sessions ss
+          WHERE ss.tenant_id = p_tenant_id
+            AND ss.owner_user_id = p_owner_user_id
+            AND ss.shared_with_user_id = p_recipient_user_id
+            AND ss.deleted_at IS NULL
+      )
+    ORDER BY m.created_at DESC
+    LIMIT p_limit
+    OFFSET p_offset;
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+COMMENT ON FUNCTION fn_get_shared_messages IS
+'Get messages from sessions shared by a specific user with the recipient.';
+
 -- ============================================================================
 -- RECORD INSTALLATION
 -- ============================================================================
@@ -474,6 +770,43 @@ ON CONFLICT (name) DO UPDATE
 SET applied_at = CURRENT_TIMESTAMP,
     applied_by = CURRENT_USER;
 
+-- ============================================================================
+-- GRANTS FOR APPLICATION USER
+-- ============================================================================
+-- Grant permissions to remuser (the application database user)
+-- This ensures the application can run migrations and manage schema
+-- Note: remuser is created by CNPG as the database owner in bootstrap.initdb.owner
+
+DO $$
+DECLARE
+    app_user TEXT := 'remuser';
+BEGIN
+    -- Only grant if the user exists (handles different deployment scenarios)
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = app_user) THEN
+        -- Grant ownership of migration tracking table so app can record migrations
+        EXECUTE format('ALTER TABLE rem_migrations OWNER TO %I', app_user);
+        EXECUTE format('ALTER TABLE kv_store OWNER TO %I', app_user);
+        EXECUTE format('ALTER TABLE rate_limits OWNER TO %I', app_user);
+
+        -- Grant usage on schema
+        EXECUTE format('GRANT ALL ON SCHEMA public TO %I', app_user);
+
+        -- Grant privileges on all tables in public schema
+        EXECUTE format('GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO %I', app_user);
+        EXECUTE format('GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO %I', app_user);
+        EXECUTE format('GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO %I', app_user);
+
+        -- Set default privileges for future objects
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO %I', app_user);
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO %I', app_user);
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO %I', app_user);
+
+        RAISE NOTICE '✓ Granted permissions to application user: %', app_user;
+    ELSE
+        RAISE NOTICE 'Application user % does not exist, skipping grants', app_user;
+    END IF;
+END $$;
+
 -- ============================================================================
 -- COMPLETION
 -- ============================================================================