From 47544a0ef49a641e739c4a8087a8cbd988caf570 Mon Sep 17 00:00:00 2001
From: Jared Lunde <jared.lunde@gmail.com>
Date: Sat, 20 Jun 2026 21:07:32 -0700
Subject: [PATCH] fix(docker): initdb must not CREATE EXTENSION beyond_auth

The auth server creates the extension in its own migration; pre-creating it in
initdb makes that migration fail with 'function authz_check already exists'.
initdb just creates the auth + queue schemas (the auth server manages the rest).

Verified: the real beyond-auth image runs migrations cleanly + listens.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 docker/initdb.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/docker/initdb.sh b/docker/initdb.sh
index bce58b1..1a1a8c5 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -6,11 +6,12 @@
 #   - public : the app's own migrations
 set -euo pipefail
 
-# beyond_auth owns (creates) the `auth` schema, so let the extension make it
-# rather than pre-creating it (pre-creating triggers "schema auth is not a member
-# of extension"). The auth server's CREATE EXTENSION IF NOT EXISTS is then a no-op.
+# Create the schemas the primitives expect. The auth server manages the
+# beyond_auth extension itself in its own migrations (the extension is installed
+# in the image), so initdb must NOT create it here — doing so makes the auth
+# server's migration fail with "function authz_check already exists".
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<'SQL'
-CREATE EXTENSION IF NOT EXISTS beyond_auth;
+CREATE SCHEMA IF NOT EXISTS auth;
 CREATE SCHEMA IF NOT EXISTS queue;
 SQL