addressing review comments

Author: tsivaprasad

server/internal/orchestrator/swarm/orchestrator.go

@@ -583,6 +583,59 @@ func (o *Orchestrator) buildServiceInstanceResources(spec *database.ServiceInsta
 	}, nil
 }
 
+// generateRAGInstanceResources returns the resources needed for one RAG service
+// instance. RAG only requires read access, so a single ServiceUserRoleRO is
+// created per database node using the same canonical+per-node pattern as MCP.
+func (o *Orchestrator) generateRAGInstanceResources(spec *database.ServiceInstanceSpec) (*database.ServiceInstanceResources, error) {
+	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ServiceUserRoleRO)
+
+	// Canonical read-only role — runs on the node co-located with this instance.
+	canonicalRO := &ServiceUserRole{
+		ServiceID:    spec.ServiceSpec.ServiceID,
+		DatabaseID:   spec.DatabaseID,
+		DatabaseName: spec.DatabaseName,
+		NodeName:     spec.NodeName,
+		Mode:         ServiceUserRoleRO,
+	}
+
+	orchestratorResources := []resource.Resource{canonicalRO}
+
+	// Per-node RO role for each additional database node so that RAG instances
+	// on other hosts can authenticate against their co-located Postgres.
+	if len(spec.DatabaseNodes) > 1 {
+		for _, nodeInst := range spec.DatabaseNodes[1:] {
+			orchestratorResources = append(orchestratorResources, &ServiceUserRole{
+				ServiceID:        spec.ServiceSpec.ServiceID,
+				DatabaseID:       spec.DatabaseID,
+				DatabaseName:     spec.DatabaseName,
+				NodeName:         nodeInst.NodeName,
+				Mode:             ServiceUserRoleRO,
+				CredentialSource: &canonicalROID,
+			})
+		}
+	}
+
+	data := make([]*resource.ResourceData, len(orchestratorResources))
+	for i, res := range orchestratorResources {
+		d, err := resource.ToResourceData(res)
+		if err != nil {
+			return nil, fmt.Errorf("failed to convert resource to resource data: %w", err)
+		}
+		data[i] = d
+	}
+
+	return &database.ServiceInstanceResources{
+		ServiceInstance: &database.ServiceInstance{
+			ServiceInstanceID: spec.ServiceInstanceID,
+			ServiceID:         spec.ServiceSpec.ServiceID,
+			DatabaseID:        spec.DatabaseID,
+			HostID:            spec.HostID,
+			State:             database.ServiceInstanceStateCreating,
+		},
+		Resources: data,
+	}, nil
+}
+
 func (o *Orchestrator) GetInstanceConnectionInfo(ctx context.Context, databaseID, instanceID string) (*database.ConnectionInfo, error) {
 	container, err := GetPostgresContainer(ctx, o.docker, instanceID)
 	if err != nil {