feat(auth): assign default editor role to verified users without roles

Update bootstrap rules to grant 'editor' role to verified users
Backfill existing verified users without roles in schema.sql
Apply default role automatically during email verification

backend/db/schema.sql

@@ -368,6 +368,19 @@ CROSS JOIN roles r
 WHERE r.key = 'owner'
 ON CONFLICT DO NOTHING;
 
+INSERT INTO user_roles (user_id, role_id)
+SELECT u.id, r.id
+FROM users u
+CROSS JOIN roles r
+WHERE u.email_verified_at IS NOT NULL
+  AND r.key = 'editor'
+  AND NOT EXISTS (
+    SELECT 1
+    FROM user_roles ur
+    WHERE ur.user_id = u.id
+  )
+ON CONFLICT DO NOTHING;
+
 CREATE TABLE IF NOT EXISTS system_wording_keys (
   key text PRIMARY KEY,
   module text NOT NULL,

backend/src/auth.ts

@@ -422,6 +422,24 @@ async function ensureOwnerRoleForUser(client: DbClient, userId: number): Promise
   );
 }
 
+async function ensureDefaultEditorRoleForUser(client: DbClient, userId: number): Promise<void> {
+  await client.query(
+    `
+      INSERT INTO user_roles (user_id, role_id)
+      SELECT $1, r.id
+      FROM roles r
+      WHERE r.key = 'editor'
+        AND NOT EXISTS (
+          SELECT 1
+          FROM user_roles ur
+          WHERE ur.user_id = $1
+        )
+      ON CONFLICT DO NOTHING
+    `,
+    [userId]
+  );
+}
+
 function toRoleSummary(row: RoleRow): RoleSummary {
   return {
     id: row.id,
@@ -832,6 +850,7 @@ export async function verifyEmail(payload: Record<string, unknown>, locale = def
       user.id
     ]);
     await ensureOwnerRoleForUser(client, user.id);
+    await ensureDefaultEditorRoleForUser(client, user.id);
 
     const publicUser = await publicUserById(user.id, client);
     return { message: await authMessage(locale, 'emailVerified'), user: publicUser ?? toPublicUser(user) };