diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf
index ecce701b..a030a5b5 100644
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@@ -6,6 +6,7 @@ variable "postgresql_host" { type = string }
 variable "claude_memory_db_password" {
   type      = string
   sensitive = true
+  default   = "" # falls back to Vault `secret/claude-memory.db_password` below
 }
 
 data "vault_kv_secret_v2" "secrets" {
@@ -112,11 +113,13 @@ resource "kubernetes_job" "db_init" {
             "sh", "-c",
             <<-EOT
               set -e
-              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='claude_memory'" | grep -q 1 || \
-                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "CREATE ROLE claude_memory WITH LOGIN PASSWORD '${var.claude_memory_db_password}'"
-              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_database WHERE datname='claude_memory'" | grep -q 1 || \
-                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "CREATE DATABASE claude_memory OWNER claude_memory"
-              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "GRANT ALL PRIVILEGES ON DATABASE claude_memory TO claude_memory"
+              # -d postgres: psql defaults database name to username; root user
+              # doesn't have a root-named database, so be explicit.
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -tc "SELECT 1 FROM pg_roles WHERE rolname='claude_memory'" | grep -q 1 || \
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "CREATE ROLE claude_memory WITH LOGIN PASSWORD '${coalesce(var.claude_memory_db_password, data.vault_kv_secret_v2.secrets.data["db_password"])}'"
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='claude_memory'" | grep -q 1 || \
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "CREATE DATABASE claude_memory OWNER claude_memory"
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE claude_memory TO claude_memory"
               echo "Database init complete"
             EOT
           ]
diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf
index 848c05b0..5779d483 100644
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@@ -2,7 +2,10 @@ variable "tls_secret_name" {
   type      = string
   sensitive = true
 }
-variable "resume_database_url" { type = string }
+variable "resume_database_url" {
+  type    = string
+  default = ""
+}
 variable "nfs_server" { type = string }
 variable "mail_host" { type = string }