Add API rules setup to database initialization

The period_logs collection was returning 403 errors because API rules
were only configured in the e2e test harness, not in the production
setup script. This consolidates the setup logic so both prod and test
use the same setupApiRules() function.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

e2e/pocketbase-harness.ts

@@ -8,9 +8,11 @@ import * as os from "node:os";
 import * as path from "node:path";
 import PocketBase from "pocketbase";
 import {
+  addUserFields,
   createCollection,
   getExistingCollectionNames,
   getMissingCollections,
+  setupApiRules,
 } from "../scripts/setup-db";
 
 /**
@@ -172,77 +174,6 @@ async function createAdminUser(
   throw lastError;
 }
 
-/**
- * Adds custom fields to the users collection.
- */
-async function addUserFields(pb: PocketBase): Promise<void> {
-  const usersCollection = await pb.collections.getOne("users");
-
-  // Define the custom user fields
-  const customFields = [
-    { name: "garminConnected", type: "bool" },
-    { name: "garminOauth1Token", type: "text" },
-    { name: "garminOauth2Token", type: "text" },
-    { name: "garminTokenExpiresAt", type: "date" },
-    { name: "calendarToken", type: "text" },
-    { name: "lastPeriodDate", type: "date" },
-    { name: "cycleLength", type: "number" },
-    { name: "notificationTime", type: "text" },
-    { name: "timezone", type: "text" },
-    { name: "activeOverrides", type: "json" },
-  ];
-
-  // Get existing field names
-  const existingFieldNames = new Set(
-    (usersCollection.fields || []).map((f: { name: string }) => f.name),
-  );
-
-  // Filter to only new fields
-  const newFields = customFields.filter((f) => !existingFieldNames.has(f.name));
-
-  if (newFields.length > 0) {
-    // Combine existing fields with new ones
-    const allFields = [...(usersCollection.fields || []), ...newFields];
-
-    await pb.collections.update(usersCollection.id, {
-      fields: allFields,
-    });
-  }
-}
-
-/**
- * Sets up API rules for collections to allow user access.
- */
-async function setupApiRules(pb: PocketBase): Promise<void> {
-  // Allow users to update their own user record
-  // viewRule allows reading user records by ID (needed for ICS calendar feed)
-  const usersCollection = await pb.collections.getOne("users");
-  await pb.collections.update(usersCollection.id, {
-    viewRule: "", // Empty string = allow all authenticated & unauthenticated reads
-    updateRule: "id = @request.auth.id",
-  });
-
-  // Allow users to read/write their own period_logs
-  const periodLogs = await pb.collections.getOne("period_logs");
-  await pb.collections.update(periodLogs.id, {
-    listRule: "user = @request.auth.id",
-    viewRule: "user = @request.auth.id",
-    createRule: "user = @request.auth.id",
-    updateRule: "user = @request.auth.id",
-    deleteRule: "user = @request.auth.id",
-  });
-
-  // Allow users to read/write their own dailyLogs
-  const dailyLogs = await pb.collections.getOne("dailyLogs");
-  await pb.collections.update(dailyLogs.id, {
-    listRule: "user = @request.auth.id",
-    viewRule: "user = @request.auth.id",
-    createRule: "user = @request.auth.id",
-    updateRule: "user = @request.auth.id",
-    deleteRule: "user = @request.auth.id",
-  });
-}
-
 /**
  * Sets up the database collections using the SDK.
  */