Group root-level files (accreted from incremental changes) by purpose
without moving any deployment entrypoint or breaking imports:
- migrations/ : numbered SQL 02-10
- data/ : source CSVs
- legacy/ : superseded pre-_rev scripts + old pipeline notes (not deployed)
- docs/{manuals,reference,reports}/ : loose manuals, references, reports
- strip stray ** / *** prefixes from 5 doc filenames
- delete empty documents.txt / push_webhook.md
Reference updates so nothing breaks:
- run_migrations.py -> /app/migrations/<file>
- run_migrations.sh -> $SCRIPT_DIR/migrations
- import_drivers_csv.py -> data/<csv>
- docker-compose.yaml -> runbook path comment
- CLAUDE.md -> codebase map + inline doc references
Deployed Python (3 services + ts_shared_rev + run_migrations) and the
documented ops one-shots stay at root, preserving the flat-import layout
and all documented commands. Verified: py_compile clean across all modules,
every MIGRATIONS entry resolves under migrations/, CI-referenced paths
(tests/, mypy targets, db_audit) and the grafana build context intact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
32 lines
1 KiB
PL/PgSQL
32 lines
1 KiB
PL/PgSQL
-- 10_pgbouncer_auth.sql
|
|
-- pgbouncer SCRAM passthrough auth: dedicated role + user_lookup() function.
|
|
-- Runbook: 260507_pgbouncer_deployment.md
|
|
--
|
|
-- Idempotent. Re-applying is a no-op:
|
|
-- * Role created only when missing (placeholder password, replaced on every
|
|
-- container startup by run_migrations.py:sync_role_passwords from
|
|
-- PGBOUNCER_AUTH_PASSWORD).
|
|
-- * Function uses CREATE OR REPLACE.
|
|
-- * GRANT/REVOKE are safe to re-run.
|
|
|
|
DO $$
|
|
BEGIN
|
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'pgbouncer') THEN
|
|
CREATE ROLE pgbouncer LOGIN PASSWORD 'SET_PASSWORD_IN_ENV';
|
|
END IF;
|
|
END
|
|
$$;
|
|
|
|
CREATE OR REPLACE FUNCTION public.user_lookup(in_user text,
|
|
OUT uname text, OUT phash text) RETURNS record AS $$
|
|
BEGIN
|
|
SELECT usename, passwd
|
|
FROM pg_catalog.pg_shadow
|
|
WHERE usename = in_user
|
|
INTO uname, phash;
|
|
RETURN;
|
|
END;
|
|
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
|
|
|
REVOKE ALL ON FUNCTION public.user_lookup(text) FROM public;
|
|
GRANT EXECUTE ON FUNCTION public.user_lookup(text) TO pgbouncer;
|