Add API rules setup to database initialization

The period_logs collection was returning 403 errors because API rules
were only configured in the e2e test harness, not in the production
setup script. This consolidates the setup logic so both prod and test
use the same setupApiRules() function.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/setup-db.ts

@@ -285,6 +285,40 @@ export async function createCollection(
   });
 }
 
+/**
+ * Sets up API rules for collections to allow user access.
+ * Configures row-level security so users can only access their own records.
+ */
+export async function setupApiRules(pb: PocketBase): Promise<void> {
+  // Allow users to view any user record (needed for ICS calendar feed)
+  // and update only their own record
+  const usersCollection = await pb.collections.getOne("users");
+  await pb.collections.update(usersCollection.id, {
+    viewRule: "",
+    updateRule: "id = @request.auth.id",
+  });
+
+  // Allow users to read/write their own period_logs
+  const periodLogs = await pb.collections.getOne("period_logs");
+  await pb.collections.update(periodLogs.id, {
+    listRule: "user = @request.auth.id",
+    viewRule: "user = @request.auth.id",
+    createRule: "user = @request.auth.id",
+    updateRule: "user = @request.auth.id",
+    deleteRule: "user = @request.auth.id",
+  });
+
+  // Allow users to read/write their own dailyLogs
+  const dailyLogs = await pb.collections.getOne("dailyLogs");
+  await pb.collections.update(dailyLogs.id, {
+    listRule: "user = @request.auth.id",
+    viewRule: "user = @request.auth.id",
+    createRule: "user = @request.auth.id",
+    updateRule: "user = @request.auth.id",
+    deleteRule: "user = @request.auth.id",
+  });
+}
+
 /**
  * Main setup function - creates missing collections.
  */
@@ -337,25 +371,29 @@ async function main(): Promise<void> {
   const missing = getMissingCollections(existingNames);
 
   if (missing.length === 0) {
-    console.log("All required collections already exist. Nothing to do.");
-    return;
-  }
+    console.log("All required collections already exist.");
+  } else {
+    console.log(
+      `Creating ${missing.length} missing collection(s):`,
+      missing.map((c) => c.name),
+    );
 
-  console.log(
-    `Creating ${missing.length} missing collection(s):`,
-    missing.map((c) => c.name),
-  );
-
-  for (const collection of missing) {
-    try {
-      await createCollection(pb, collection);
-      console.log(`  Created: ${collection.name}`);
-    } catch (error) {
-      console.error(`  Failed to create ${collection.name}:`, error);
-      process.exit(1);
+    for (const collection of missing) {
+      try {
+        await createCollection(pb, collection);
+        console.log(`  Created: ${collection.name}`);
+      } catch (error) {
+        console.error(`  Failed to create ${collection.name}:`, error);
+        process.exit(1);
+      }
     }
   }
 
+  // Set up API rules for all collections
+  console.log("Configuring API rules...");
+  await setupApiRules(pb);
+  console.log("  API rules configured.");
+
   console.log("Database setup complete!");
 }