feat: add pgque-specific schema additions

[NikolayS]

Summary

• Add sql/pgque-additions/ with pgque-specific schema objects layered on top of transformed PgQ core
• config.sql: pgque.config singleton table storing ticker_job_id, maint_job_id, installed_at (for pg_cron integration)
• queue_max_retries.sql: idempotently adds queue_max_retries int4 column to pgque.queue
• roles.sql: creates pgque_reader, pgque_writer, pgque_admin roles with granular function-level grants matching actual PgQ function signatures
• lifecycle.sql: pgque.start(), pgque.stop(), pgque.uninstall(), pgque.version() stubs (Sprint 2 pg_cron integration); all SECURITY DEFINER with pinned search_path
• notify.sql: documents LISTEN/NOTIFY ticker integration plan
• tests/test_pgque_additions.sql: acceptance tests for all additions

Design notes

• Role grants use exact function signatures from vendor/pgq/functions/ (e.g., pgque.insert_event(text, text, text), pgque.next_batch_custom(text, text, interval, int4, interval)) rather than wildcards for reader/writer; admin uses grant execute on all functions as catch-all
• All schema additions are idempotent (create table if not exists, do $$ ... if not exists ..., on conflict do nothing)
• Follows CLAUDE.md style: lowercase SQL keywords, SECURITY DEFINER functions pin search_path

Test plan

• Run tests/test_pgque_additions.sql against a database with pgque installed (requires Issue Create build/transform.sh — mechanical transformation pipeline #2 transform + Issue Assemble pgque-install.sql and pgque-uninstall.sql with idempotency #4 install script)
• Verify config table has exactly 1 row with singleton = true
• Verify queue_max_retries column exists on pgque.queue
• Verify all three roles exist in pg_roles
• Verify pgque.version() returns '1.0.0-dev'
• Verify re-running all addition scripts is idempotent (no errors)

Closes #3

🤖 Generated with Claude Code

[NikolayS]

REV Code Review Report

• PR: NikolayS/pgque#7 — feat: add pgque-specific schema additions
• Author: @NikolayS
• Branch: feat/3-pgque-additions
• CI: ⚪ no CI configured yet

---

BLOCKING ISSUES (1)

HIGH sql/pgque-additions/roles.sql:10-11 — GRANT role TO role not idempotent on PG14/15

grant pgque_reader to pgque_writer;
grant pgque_writer to pgque_admin;

PostgreSQL 14 and 15 raise ERROR: role X is already a member of role Y on duplicate GRANT role TO role. The IF NOT EXISTS clause for role grants was added only in PG16. Since pgque requires PG14+, re-running this file fails on PG14/15.
Fix: Wrap each in DO $$ BEGIN ... EXCEPTION WHEN duplicate_object THEN null; END $$; or guard with a pg_auth_members check.

---

NON-BLOCKING (2)

MEDIUM sql/pgque-additions/roles.sql:64 + lifecycle.sql:28-29 — pgque_admin can invoke pgque.uninstall()

The blanket grant execute on all functions in schema pgque to pgque_admin includes uninstall() which runs DROP SCHEMA pgque CASCADE. This may be too permissive.
Suggestion: Add REVOKE EXECUTE ON FUNCTION pgque.uninstall() FROM pgque_admin; after the catch-all grant, or add a superuser guard inside uninstall().

MEDIUM sql/pgque-additions/lifecycle.sql:22-26 — Subtransaction in uninstall()

BEGIN ... EXCEPTION WHEN OTHERS THEN NULL; END; — CLAUDE.md rule 4 discourages subtransactions. Also silently swallows all errors from stop().
Suggestion: Since stop() is currently a stub that just raises NOTICE, remove the exception block. When Sprint 2 implements stop(), it should handle its own errors gracefully.

---

POTENTIAL ISSUES (2)

LOW tests/test_pgque_additions.sql — Tests only verify existence, not behavior (confidence: 7/10)

Tests check that config table, columns, and roles exist but don't test role inheritance, idempotency, or that grants actually work (e.g., pgque_reader can SELECT but not INSERT). More coverage needed in Issue #5.

LOW sql/pgque-additions/notify.sql — Design note as SQL file with no implementation path (confidence: 5/10)

This is a comment-only file. Consider adding a -- TODO(#2) reference or moving to blueprints/.

---

Summary

Area	Findings	Potential	Filtered
Security	1 (non-blocking)	0	0
Bugs	1 (blocking)	0	0
Tests	0	1	0
Guidelines	1 (non-blocking)	0	0
Docs	0	1	0

Verdict: Changes requested. Must fix the PG14/15 GRANT role TO role idempotency issue (blocking). The uninstall privilege and subtransaction issues are recommended fixes.

---

REV-assisted review (AI analysis by postgres-ai/rev)

[NikolayS]

All three review findings addressed in d83fbb6:

1. Role grants idempotent on PG14/15 — grant pgque_reader to pgque_writer and grant pgque_writer to pgque_admin are now wrapped in do $$ begin ... exception when duplicate_object then null; end $$ so re-runs don't fail on PG14/15 (which lack IF NOT EXISTS for role grants).

2. pgque_admin can no longer invoke uninstall() — Added revoke execute on function pgque.uninstall() from pgque_admin after the catch-all grant. Only the schema owner / superuser can drop everything.

3. Subtransaction removed from uninstall() — Replaced the BEGIN ... EXCEPTION WHEN OTHERS block with a direct perform pgque.stop() call. Added a comment that Sprint 2's stop() must handle its own errors when pg_cron integration lands.

[NikolayS]

REV Re-review

All blocking and recommended fixes verified:

• ✅ Role grants wrapped in EXCEPTION WHEN duplicate_object for PG14/15 idempotency
• ✅ REVOKE EXECUTE ON FUNCTION pgque.uninstall() FROM pgque_admin added
• ✅ Subtransaction removed from uninstall(), direct perform pgque.stop() call

Verdict: PASSED. Ready to merge.

---

REV-assisted review (AI analysis by postgres-ai/rev)