disclosure-bureau/infra/supabase/migrations/0006_investigator_serial_sequences.sql

-- 0006_investigator_serial_sequences.sql
--
-- BIGSERIAL on each investigation table created auto-sequences (e.g.
-- `evidence_evidence_pk_seq`) that 0004 forgot to GRANT to the investigator
-- role. Without those grants, every INSERT failed with:
--   permission denied for sequence evidence_evidence_pk_seq
--
-- Idempotent. Apply as supabase_admin.

BEGIN;

DO $$
DECLARE
  s TEXT;
BEGIN
  FOREACH s IN ARRAY ARRAY[
    'evidence_evidence_pk_seq',
    'hypotheses_hypothesis_pk_seq',
    'contradictions_contradiction_pk_seq',
    'witnesses_witness_pk_seq',
    'gaps_gap_pk_seq',
    'residual_uncertainties_ru_pk_seq'
  ]
  LOOP
    IF EXISTS (SELECT 1 FROM pg_class WHERE relname = s AND relkind = 'S') THEN
      EXECUTE format('GRANT USAGE, SELECT, UPDATE ON SEQUENCE public.%I TO investigator', s);
    END IF;
  END LOOP;
END
$$;

COMMIT;
W3 followup: drop _FOR_WEB token, fix claude CLI args + writer guards, BIGSERIAL grants Token consolidation: - docker-compose web service now reads ${CLAUDE_CODE_OAUTH_TOKEN} directly, drop the W1-F8 CLAUDE_CODE_OAUTH_TOKEN_FOR_WEB indirection (user feedback: one var name, no _FOR_WEB suffix). investigator-runtime claude.ts: - --system-prompt silently dropped by CLI v2.1.150 for multi-KB prompts; inline the system content into the user prompt with a separator (mirrors scripts/reextract/run.py pattern). - Multi-line prompts via positional -- broke ("Input must be provided …"); pipe via stdin instead. - --allowedTools "" is rejected; when no tools wanted, omit it and explicitly --disallowedTools the writer/reader set so the model can't reach for any. investigator-runtime locard.ts: - Log the raw response (first 600 chars) to container stderr — saved hours of debugging when the writer rejected. - Grade fallback: when Locard omits `grade` but provides custody_steps, infer the highest grade that fits (≥3 → A, ≥2 → B, ≥1 → C). investigator-runtime write_evidence.ts: - Filter related_hypotheses entries with empty/null hypothesis_id silently (Locard sometimes emits [{}] when it knows no link yet) instead of failing the whole write. Migration 0006_investigator_serial_sequences.sql: - BIGSERIAL on the 7 investigation tables created auto-sequences (evidence_evidence_pk_seq etc) that 0004 forgot to GRANT to the investigator role. Without those grants every INSERT failed with "permission denied for sequence …". Grant USAGE/SELECT/UPDATE on each auto-seq. Verified live: Locard wrote E-0002 + E-0003 from real Sandia chunks (green fireball Feb 1949; cobalt particle analysis). Grade B, confidence high, custody chain of 3 steps with honest gaps. Cost $0.09 for both, ~70s wall. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-24 00:05:35 +00:00			`-- 0006_investigator_serial_sequences.sql`
			`--`
			`-- BIGSERIAL on each investigation table created auto-sequences (e.g.`
			-- `evidence_evidence_pk_seq`) that 0004 forgot to GRANT to the investigator
			`-- role. Without those grants, every INSERT failed with:`
			`-- permission denied for sequence evidence_evidence_pk_seq`
			`--`
			`-- Idempotent. Apply as supabase_admin.`

			`BEGIN;`

			`DO $$`
			`DECLARE`
			`s TEXT;`
			`BEGIN`
			`FOREACH s IN ARRAY ARRAY[`
			`'evidence_evidence_pk_seq',`
			`'hypotheses_hypothesis_pk_seq',`
			`'contradictions_contradiction_pk_seq',`
			`'witnesses_witness_pk_seq',`
			`'gaps_gap_pk_seq',`
			`'residual_uncertainties_ru_pk_seq'`
			`]`
			`LOOP`
			`IF EXISTS (SELECT 1 FROM pg_class WHERE relname = s AND relkind = 'S') THEN`
			`EXECUTE format('GRANT USAGE, SELECT, UPDATE ON SEQUENCE public.%I TO investigator', s);`
			`END IF;`
			`END LOOP;`
			`END`
			`$$;`

			`COMMIT;`