-- 001_viz_anon_role.sql
-- Creates the read-only role used by PostgREST as its anonymous identity.
-- Only granted on the public schema; never on tracksolid.* directly.
--
-- After running, set a login password out-of-band (do NOT commit):
--   ALTER ROLE viz_anon LOGIN PASSWORD '<generated>';

DO $$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'viz_anon') THEN
    CREATE ROLE viz_anon NOLOGIN;
  END IF;
END
$$;

GRANT USAGE ON SCHEMA public TO viz_anon;