Per-service DB ownership: self-provisioning, no cross-schema reads

[kaseywright]

Makes fluent-api provision and own its own database concern inside the one shared Postgres — least-privilege runtime role plus a separate migration role, created by an idempotent bootstrap that runs before migrations. No more shared db/init SQL or cross-schema role grants. (Companion PRs in fluent-platform and fluent-ai.)

• src/db/scripts/bootstrap.ts (new) — idempotently creates api_migrator (DDL, owns public) and api_user (least-privilege runtime), the pgboss schema, and default grants;
  identifiers/passwords are quoted server-side and all three URLs are asserted to target one DB.
• docker-entrypoint.sh — runs bootstrap → migrate → seed → start; drizzle.config.ts migrates as the migration role (MIGRATIONS_DATABASE_URL).
• queue.ts — pg-boss createSchema: false so the runtime role needs no CREATE-on-database (schema is pre-created by bootstrap).
• Remove db/init/01-init-db.sql (legacy roles + cross-schema reads); compose.yaml + .env.example inject BOOTSTRAP_/MIGRATIONS_/DATABASE_URL and move the runtime connection
  off the postgres superuser to api_user.
• fapi.sh / fapi.ps1 — Podman path uses the per-service role URLs; db:init runs the repo's own migrations + seeds; dropped the db/init initdb mount.

Test plan

• ./fapi.sh clean && ./fapi.sh up → bootstrap runs, migrations apply, server starts
• PSQL: \du api_user, api_migrator → both present; api_user is not superuser
• PSQL: \dt → tables present
• curl -f http://localhost:9999/health → 200 (confirms api_user can read/write public, incl. BetterAuth tables)