Add default USER role assignment on signup #269

Open
Copilot wants to merge 2 commits into main from copilot/add-default-user-role-signup

Copilot AI commented Feb 26, 2026

New users signing up were never assigned a role, leaving user_roles empty and breaking role-based access control for those accounts.

Changes

  • UserService: Added createUserRole() method that inserts a user_roles row with the default 'USER' role for the given user ID
  • UserRepository.createNewUser(): Calls createUserRole() after profile and person creation, before invalidating the signup code

// UserService
Future<void> createUserRole({required String userId}) async {
  final roleId = const UuidV4().generate();
  await _supabaseClient.from('user_roles').insert({
    'id': roleId,
    'user_profile_id': userId,
    'role': 'USER',
  });
}

The 'USER' string matches the AppRoles.USER enum member name as stored in the PostgreSQL app_roles enum, consistent with how the Python backend seeds users in update_db_sample_data.py.

Co-authored-by: kheimerl <1043359+kheimerl@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add default user role on signup" to "Add default USER role assignment on signup" Feb 26, 2026

@kheimerl (Collaborator) commented

@philion I had Claude make a PR, how's it look?

@kheimerl (Collaborator) commented

My read is that it's not adding a specific user role, but instead generating a new UUID?

@kheimerl kheimerl marked this pull request as ready for review February 26, 2026 19:27
Future<void> createUserRole({
required String userId,
}) async {
final roleId = const UuidV4().generate();
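
Review bot: `final roleId = const UuidV4().generate();` gives every call a fresh row id, so a second `createUserRole` call for the same `userId` would attempt another role row instead of being a no-op, unless the table enforces uniqueness on `user_profile_id`, which these lines do not show. Consider keying the row on the user id, or at least add a doc comment stating that the method must run exactly once per signup.
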
Collaborator

like, shouldn't this be a set role and not a UUID?

Collaborator

The current (this is how I found it) implementation maps user_profile_id to the role enum. The id field is to identify the row. I don't think it's necessary, and the user_profile_id could be both primary and foreign key (I think).

await _supabaseClient.from('user_roles').insert({
'id': roleId,
'user_profile_id': userId,
'role': 'USER',
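
Review bot: the `'role': 'USER'` value is chosen by the caller and sent through `_supabaseClient`, so if this service runs in the client app, the insert policy on `user_roles` has to reject any other role and any other `user_profile_id`; otherwise the default is only a convention the client follows. Separately, the bare string literal would be safer as a shared constant so it cannot drift from the stored role names.
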
Collaborator

or is this where it's setting it to "USER" by default? Shouldn't that be a const somewhere?

Collaborator

It doesn't need to be set (or a row created) (I think) if the user doesn't need special privileges. "user" is assumed, never checked. Once you've logged in, you have access to what that user has access to.

This role is only checked a few places, determining when to display admin-level pages or features.
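
An added sketch, not code from this pull request or the project: the single-key `user_roles` layout suggested in the review thread above, with row-level-security policies so that the database, rather than the client-side insert, pins a new account's role to `USER`. It assumes a `user_profiles` table whose `id` equals the Supabase `auth.uid()` of the signed-in user; the policy names are hypothetical.

```sql
-- Added example; not the project's schema or migration.
-- Assumptions: user_profiles(id uuid) exists, its id equals the Supabase
-- auth.uid() of the signed-in user, and the app_roles enum has a 'USER' member.

-- One row per user: user_profile_id is both primary key and foreign key,
-- so a repeated signup step cannot create a second role row.
create table user_roles (
  user_profile_id uuid primary key
    references user_profiles (id) on delete cascade,
  role app_roles not null default 'USER'
);

-- With row-level security on, a client may only do what a policy allows.
alter table user_roles enable row level security;

-- A signed-in user may create only their own row, and only with role USER.
create policy user_roles_insert_own_default      -- hypothetical name
  on user_roles for insert to authenticated
  with check (user_profile_id = auth.uid() and role = 'USER');

-- A signed-in user may read only their own role.
create policy user_roles_select_own              -- hypothetical name
  on user_roles for select to authenticated
  using (user_profile_id = auth.uid());

-- No update or delete policy exists, so a client cannot promote itself;
-- other roles are granted by a privileged backend that bypasses RLS.

-- Repeat-safe default assignment (the role column falls back to 'USER'):
insert into user_roles (user_profile_id)
values (auth.uid())
on conflict (user_profile_id) do nothing;
```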
