Discovery (live) corrected the design: webhook_receiver, ingest_worker, and worker
all run run_migrations.py (DDL) and write telemetry — worker is the same image as
ingest_worker, not a reader. Because they ALTER objects they must own them, so all
three connect as the shared non-superuser tracksolid_owner (the role the repo already
intends to own these schemas). dashboard_api backend stays a reader (dashboard_app).
- app_roles_tracksolid_db.sql rewritten: tracksolid_owner LOGIN + CONNECTION LIMIT 30
+ GUCs + USAGE/CREATE; Timescale-aware ownership reassignment (skips table-linked
sequences, ALTER MATERIALIZED VIEW for continuous aggregates, leaves reporting.v_trips
with reporting_refresher, reassigns functions); dashboard_app read role.
- Reassignment validated in a rolled-back transaction on the live DB: reassigns the
31-chunk position_history hypertable + the v_mileage_daily_cagg continuous aggregate,
and as tracksolid_owner can ALTER the hypertable and create/drop tables.
- Runbook updated: discovery marked done, ownership folded into the apply (safe while
apps still run as postgres — superuser bypasses ownership), corrected cutover order.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>