
Simplify df.grant_usage/df.revoke_usage privilege helpers#242

Merged
pinodeca merged 1 commit into main from simplify-grant-revoke-usage, Jun 18, 2026


Conversation


@pinodeca pinodeca commented Jun 16, 2026

Contributor

Summary

Rationalizes the df.grant_usage() / df.revoke_usage() privilege helpers for the unreleased v0.2.3, removing defensive code that PostgreSQL already handles and making the two functions symmetric.

Changes

  • grant_usage
    • Drops the per-function GRANT EXECUTE allowlist. Ordinary df.* functions keep PostgreSQL's default PUBLIC EXECUTE, so USAGE ON SCHEMA df is the single access gate. Only the sensitive functions (df.http, df.grant_usage, df.revoke_usage) — which have PUBLIC EXECUTE revoked at install time — are granted explicitly.
    • Drops the redundant role-existence check (a named role that doesn't exist fails naturally on the first GRANT; granting to PUBLIC is a deliberate admin choice).
  • revoke_usage
    • Mirror of grant_usage (Option A): undoes only what grant_usage grants.
    • Drops the role-existence and self-revoke guards — PostgreSQL's grantor rules already prevent a non-superuser from removing another role's grants, so self-revoke is a harmless no-op.
  • Upgrade script (sql/pg_durable--0.2.2--0.2.3.sql): same CREATE OR REPLACE bodies as src/lib.rs.
  • E2E test 18 (18_delegated_grants.sql): adds schema/HTTP assertions (5b), asserts loss of schema USAGE after revoke (8), and verifies self-revoke is a harmless no-op (10).
  • Docs: USER_GUIDE.md — fixes the inaccurate self-revoke "safety measure" claim, notes that df.grant_usage('public') grants cluster-wide, and trims the stale per-function manual-grants list. docs/upgrade-testing.md — documents both simplifications.

pgspot gate

The 0.2.2 → 0.2.3 upgrade script is the first non-excluded upgrade script that defines functions. Scanned standalone (without the CREATE SCHEMA df that the install SQL emits, so pgspot can't prove df is extension-owned), the helper bodies tripped PS001/PS005/PS016.

  • Schema-qualified the grant_usage/revoke_usage bodies — pg_catalog.format(...), OPERATOR(pg_catalog.||), and SET search_path = pg_catalog, pg_temp — applied byte-identically in src/lib.rs and the upgrade script. The install SQL stays clean because pgspot suppresses those findings via the emitted CREATE SCHEMA df.
  • Allowlisted PS002 (unsafe CREATE OR REPLACE) for the two exact function signatures in scripts/run-pgspot.sh. PostgreSQL 14.5+ blocks the CREATE OR REPLACE attack inside extension scripts, so this is safe.

Upgrade & Migration

  • B1 (binary backward compat): Function signatures are unchanged; only bodies are simplified. Legacy installs may retain inert per-function EXECUTE grants, which are harmless.
  • All changes fold into the existing 0.2.2 → 0.2.3 upgrade script; no new SQL fixtures needed.

Testing

  • cargo fmt -p pg_durable -- --check
  • cargo build --features pg17 ✅ (only the pre-existing extract_host dead-code warning)
  • ./scripts/test-e2e-local.sh 18_delegated_grants --verbose ✅ (1 passed, 0 failed)
  • scripts/run-pgspot.sh sql/pg_durable--0.2.2--0.2.3.sql ✅ (gate passes; only the two allowlisted PS002 findings)
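As an added illustration (not pg_durable's own code, which the description above explains but does not quote), the privilege model it lays out: the install-time revocation of PUBLIC EXECUTE on the sensitive functions, a schema-qualified grant_usage, its mirror revoke_usage, and the post-revoke check that test step 8 asserts. The parameter name target_role, the bare function names without argument lists, the absence of SECURITY DEFINER and the constructed role app_reader are assumptions; the table privileges the commit mentions are left out because the page does not name the tables.

```sql
-- Install time: ordinary df.* functions keep PostgreSQL's default PUBLIC EXECUTE,
-- so USAGE ON SCHEMA df is their only gate. The sensitive functions lose PUBLIC
-- EXECUTE and must be granted explicitly. (Argument lists omitted: PostgreSQL
-- accepts a bare name when the function is not overloaded; assumed here.)
REVOKE EXECUTE ON FUNCTION df.http, df.grant_usage, df.revoke_usage FROM PUBLIC;

CREATE OR REPLACE FUNCTION df.grant_usage(target_role text)  -- parameter name assumed
RETURNS void
LANGUAGE plpgsql
SET search_path = pg_catalog, pg_temp   -- pinned search_path, as the PR does for pgspot
AS $$
DECLARE
  -- PUBLIC in GRANT is a keyword, not a role; any other name is quoted as an
  -- identifier so the caller-supplied role name cannot inject SQL.
  tgt text := CASE WHEN pg_catalog.lower(target_role) = 'public'
                   THEN 'PUBLIC' ELSE pg_catalog.quote_ident(target_role) END;
BEGIN
  -- No role-existence check: a missing role fails on this first GRANT.
  EXECUTE pg_catalog.format('GRANT USAGE ON SCHEMA df TO %s', tgt);
  EXECUTE pg_catalog.format(
    'GRANT EXECUTE ON FUNCTION df.http, df.grant_usage, df.revoke_usage TO %s', tgt);
END;
$$;

CREATE OR REPLACE FUNCTION df.revoke_usage(target_role text)
RETURNS void
LANGUAGE plpgsql
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
  tgt text := CASE WHEN pg_catalog.lower(target_role) = 'public'
                   THEN 'PUBLIC' ELSE pg_catalog.quote_ident(target_role) END;
BEGIN
  -- Mirror of grant_usage: undo exactly what it grants. No self-revoke guard;
  -- a REVOKE aimed at a grant this role did not make is a no-op under
  -- PostgreSQL's grantor rules.
  EXECUTE pg_catalog.format(
    'REVOKE EXECUTE ON FUNCTION df.http, df.grant_usage, df.revoke_usage FROM %s', tgt);
  EXECUTE pg_catalog.format('REVOKE USAGE ON SCHEMA df FROM %s', tgt);
END;
$$;

-- Post-revoke check (constructed role name): confirms the role has lost
-- schema USAGE, which is what test 18 step 8 asserts per the description.
SELECT pg_catalog.has_schema_privilege('app_reader', 'df', 'USAGE');
```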

Drop the explicit per-function EXECUTE allowlist from df.grant_usage()
and make df.revoke_usage() symmetric with it. Schema USAGE on df is the
real access gate for ordinary df.* functions, so the helpers now manage
schema USAGE, the table privileges, and EXECUTE only on the sensitive
functions (df.http, df.grant_usage, df.revoke_usage). Function
signatures are unchanged and existing privileges are unaffected.

Changes:
- src/lib.rs: simplified fresh-install bodies.
- sql/pg_durable--0.2.3--0.2.4.sql: CREATE OR REPLACE both helpers so
  pre-existing installs converge with fresh 0.2.4 installs.
- scripts/run-pgspot.sh: allow the two upgrade-script CREATE OR REPLACE
  PS002 findings (schema-qualified, scoped to these functions).
- docs/upgrade-testing.md: v0.2.3 -> v0.2.4 upgrade notes.
- CHANGELOG.md: 0.2.4 entry (#242).
- tests/e2e/sql/18_delegated_grants.sql: updated expectations.
- USER_GUIDE.md: refreshed grant/revoke documentation.
@pinodeca pinodeca force-pushed the simplify-grant-revoke-usage branch from 4844589 to e53a7a1 on June 18, 2026 15:04
@pinodeca pinodeca merged commit 7b4e812 into main Jun 18, 2026
12 checks passed
@pinodeca pinodeca deleted the simplify-grant-revoke-usage branch June 18, 2026 15:26