Milestone 1.1.1: Postgres Migration System — complete.

Milestone 1.1.1: Postgres Migration System

Status: Complete (merged PR #11, 3fcf75f)
Goal: 1.1 Persistence and auth data plane

Summary

Introduce infra/migrations/postgres/, a migration runner wired into Makefile / dev-tool.sh, and the minimal ibex_core schema required for auth (organizations + tokens) with RLS policies.

Branch

chore/m1-1-1-postgres-migrations

PR title (example)

chore(db): postgres migrations (m1.1.1)

Estimated effort

2–3 days

Prerequisites

  • Foundation-004 complete on main
  • make compose-dev-up brings up a healthy Postgres

Tasks

  • Write ADR-0005: migration tool choice, directory layout, CI policy
  • Add github.com/golang-migrate/migrate/v4 to root go.mod (or shell-only CLI via documented install — prefer embed for CI reproducibility)
  • Create infra/migrations/postgres/ with numbered SQL files:
    • 000001_init_schemas.up.sql: ibex_core schema
    • 000002_organizations.up.sql: subset of DATABASE_SCHEMA.md organizations table
    • 000003_tokens.up.sql: ibex_core.tokens subset (PAT fields, Argon2id hash column, permission bitmap, org FK)
    • 000004_rls.up.sql: RLS policies + helper role grants for dev
    • Matching .down.sql for each
  • Add infra/scripts/db-migrate.sh (up, down one step, version)
  • Add Make targets via dev-tool.sh: db-migrate, db-migrate-down, db-version
  • Document env vars in ENVIRONMENT_VARIABLES.md (POSTGRES_DSN for migrate)
  • CI advisory job: docker compose up + migrate against ephemeral Postgres (or reuse compose-validate pattern)
  • Integration test: migrate twice (second run no-op); verify tables exist; basic RLS smoke with two org_ids

Files affected (anticipated)

| Path | Action |
|------|--------|
| infra/migrations/postgres/*.sql | Add |
| infra/scripts/db-migrate.sh | Add |
| infra/scripts/dev-tool.sh | Extend |
| Makefile | Delegate new targets |
| docs/adr/ADR-0005-migration-strategy.md | Add |
| docs/adr/README.md | Index ADR-0005 |
| docs/DATABASE_SCHEMA.md | Note "applied via migrations" for implemented tables |
| docs/DEVELOPMENT_GUIDE.md | Link make db-migrate |
| .github/workflows/ci.yml | Optional advisory db-migrate-smoke job |
| go.mod / go.sum | If embed migrate |

Testing requirements

  • Unit: migration file naming/version monotonicity check (script or Go test)
  • Integration (real Postgres): apply up → verify schema → apply up again → no error
  • Cross-tenant RLS: session A cannot SELECT org B row when app.current_org_id set (minimal SQL test or Go integration)

Per TESTING_STRATEGY.md: do not mock RLS behavior.

Documentation updates

  • ADR-0005
  • DATABASE_SCHEMA.md reference section
  • DEVELOPMENT_GUIDE.md local DB section
  • docs/app/content/roadmap/CURRENT_STATE after merge

Definition of done

  • make compose-dev-up && make db-migrate succeeds on clean volume
  • Re-running make db-migrate is idempotent
  • Schema for organizations + tokens matches documented subset (columns, constraints, indexes)
  • RLS enabled on tenant tables; fail closed without app.current_org_id
  • Required CI green; advisory migrate job green if added
  • No application token validation logic in this PR (migrations only)
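
The cross-tenant RLS test and the fail-closed requirement above can be exercised with one SQL script against a real Postgres. This is an added example, not the project's 000004_rls.up.sql; the rls_demo schema, its columns, the rls_demo_app role and the tenant_isolation policy name are assumptions, and the two org ids are constructed.

```sql
-- Constructed demo objects; names are assumptions, not the ibex_core DDL.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;
CREATE SCHEMA rls_demo;
CREATE TABLE rls_demo.tokens (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid NOT NULL,
    label  text NOT NULL
);
INSERT INTO rls_demo.tokens (org_id, label) VALUES
    ('11111111-1111-1111-1111-111111111111', 'org-a-token'),
    ('22222222-2222-2222-2222-222222222222', 'org-b-token');

ALTER TABLE rls_demo.tokens ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policy.
ALTER TABLE rls_demo.tokens FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is absent, and
-- NULLIF maps an empty value to NULL; org_id = NULL is never true, so no rows match.
CREATE POLICY tenant_isolation ON rls_demo.tokens
    USING (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Superusers bypass RLS even with FORCE, so test as an unprivileged role.
CREATE ROLE rls_demo_app NOLOGIN;
GRANT USAGE ON SCHEMA rls_demo TO rls_demo_app;
GRANT SELECT ON rls_demo.tokens TO rls_demo_app;
SET LOCAL ROLE rls_demo_app;

DO $$
DECLARE n int;
BEGIN
    -- 1. No tenant context: the policy must hide every row.
    SELECT count(*) INTO n FROM rls_demo.tokens;
    IF n <> 0 THEN RAISE EXCEPTION 'fail-open: % rows visible without org context', n; END IF;

    -- 2. Session scoped to org A: org B's row must be invisible, org A's visible.
    PERFORM set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
    SELECT count(*) INTO n FROM rls_demo.tokens WHERE label = 'org-b-token';
    IF n <> 0 THEN RAISE EXCEPTION 'cross-tenant read: org A session sees org B row'; END IF;
    SELECT count(*) INTO n FROM rls_demo.tokens;
    IF n <> 1 THEN RAISE EXCEPTION 'expected 1 visible row for org A, got %', n; END IF;
END $$;
ROLLBACK;
```

Run it with psql -v ON_ERROR_STOP=1 as the dev superuser; any RAISE EXCEPTION aborts the script with a non-zero exit, which is what a CI smoke job needs.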

Risks

| Risk | Mitigation |
|------|------------|
| golang-migrate path issues on Windows | Test Git Bash; document PATH |
| pgvector extension not needed yet | Do not enable extension until Phase 3 unless compose already has it |
| Over-scoping schema | Stick to orgs + tokens only |