diff --git a/docker-compose.yml b/docker-compose.yml
index 58089e3..9d94bcc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,6 +14,8 @@ services:
 - ./supabase/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
 - ./supabase/migrations/00-run-init.sh:/docker-entrypoint-initdb.d/00-run-init.sh:ro
 - ./supabase/migrations/01-init.sql:/docker-entrypoint-initdb.d/01-init.sql:ro
+ - ./supabase/migrations/02-image-and-pricing.sql:/docker-entrypoint-initdb.d/02-image-and-pricing.sql:ro
+ - ./supabase/migrations/03-global-keywords.sql:/docker-entrypoint-initdb.d/03-global-keywords.sql:ro
 - ./supabase/migrations/post-boot.sql:/docker-entrypoint-initdb.d/post-boot.sql:ro
 command: >
 postgres
diff --git a/supabase/migrations/post-boot.sql b/supabase/migrations/post-boot.sql
index eda3d0f..01d5f46 100644
--- a/supabase/migrations/post-boot.sql
+++ b/supabase/migrations/post-boot.sql
@@ -1,12 +1,40 @@
 -- ============================================================
 -- post-boot — runs after all migrations have been applied.
--- Grants INSERT/UPDATE to authenticator on user-facing tables.
--- Seeds initial admin user (telegram_id 298181113).
+-- Grants permissions to authenticator and supabase_admin,
+-- then seeds initial admin user (telegram_id 298181113).
 -- ============================================================
-GRANT INSERT, UPDATE ON search_queries TO authenticator;
-GRANT INSERT, UPDATE ON notifications TO authenticator;
+-- -----------------------------------------------------------
+-- supabase_admin — role for Supabase Studio / pg-meta
+-- Uses explicit grants rather than SUPERUSER + hardcoded pass.
+-- -----------------------------------------------------------
+DO $$ BEGIN
+ IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'supabase_admin') THEN
+ CREATE ROLE supabase_admin WITH LOGIN;
+ END IF;
+END $$;
+GRANT USAGE ON SCHEMA public TO supabase_admin;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO supabase_admin;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO supabase_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+ GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO supabase_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+ GRANT USAGE, SELECT ON SEQUENCES TO supabase_admin;
+
+-- -----------------------------------------------------------
+-- authenticator — writes to user-facing tables (PostgREST)
+-- -----------------------------------------------------------
+GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO authenticator;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO authenticator;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+ GRANT SELECT, INSERT, UPDATE ON TABLES TO authenticator;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+ GRANT USAGE, SELECT ON SEQUENCES TO authenticator;
+
+-- -----------------------------------------------------------
+-- Seed: initial admin user
+-- -----------------------------------------------------------
 INSERT INTO users (telegram_id, username, first_name, is_admin, is_active) VALUES (298181113, NULL, 'Admin', true, true) ON CONFLICT (telegram_id) DO NOTHING;
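Review bot: The line `GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO authenticator;` widens the old per-table INSERT/UPDATE on search_queries and notifications to read/write on every table in public — including `users`, whose `is_admin` column the seed below sets — and the paired `ALTER DEFAULT PRIVILEGES ... ON TABLES TO authenticator` extends that to every table created later. Unless something outside this diff (RLS policies or the PostgREST role switch to anon/authenticated) is what actually gates those tables, a client running as authenticator can change `is_admin`; keeping the explicit list, `GRANT SELECT, INSERT, UPDATE ON search_queries, notifications TO authenticator;`, preserves the previous least-privilege shape. Separately, `CREATE ROLE supabase_admin WITH LOGIN;` creates a login role with no password, so whether Studio can connect depends on the pg_hba.conf mounted in docker-compose (not in this diff): under `trust` the role is unauthenticated, under scram/md5 it cannot log in until a password is set elsewhere, and the section header should say where that provisioning happens. Note also that `ALTER DEFAULT PRIVILEGES IN SCHEMA public` without a `FOR ROLE` clause only applies to objects later created by the role running post-boot.sql, so tables created by a different role in a future migration will not inherit these grants.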