| name | migration-patterns |
| description | Database migration creation with mandatory RLS policies and ARCHitect approval workflow. Use when creating migrations, adding tables with RLS, or updating Prisma schema. |
Migration Patterns Skill
Purpose
Guide database migration creation with mandatory RLS policies, following security-first architecture and approval workflow.
When This Skill Applies
- Creating database migrations
- Adding new tables (all tables need RLS)
- Updating Prisma schema
- Adding GRANT statements
- Schema impact analysis
- Data migration planning
Stop-the-Line Conditions
FORBIDDEN Patterns
CREATE TABLE user_data (...);
npx prisma migrate resolve
CREATE TABLE payments (...);
CORRECT Patterns
CREATE TABLE user_data (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id TEXT NOT NULL,
data JSONB,
created_at TIMESTAMPTZ DEFAULT NOW()
);
ALTER TABLE user_data ENABLE ROW LEVEL SECURITY;
CREATE POLICY user_data_user_select ON user_data
FOR SELECT TO {{PROJECT}}_app_user
USING (user_id = current_setting('app.current_user_id', true));
CREATE INDEX idx_user_data_user_id ON user_data(user_id);
GRANT SELECT, INSERT, UPDATE ON user_data TO {{PROJECT}}_app_user;
Migration Workflow (MANDATORY)
Step 1: Get ARCHitect Approval
Before ANY schema change:
1. Document proposed changes
2. Get ARCHitect approval (create issue or discussion)
3. Only proceed after explicit approval
Step 2: Create Migration
npx prisma migrate dev --name descriptive_name
ls prisma/migrations/
Step 3: Add RLS to Migration
Edit the generated migration to include:
Step 4: Verify Locally
DATABASE_URL="..." npx prisma migrate dev
psql -c "SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';"
Step 5: Update Documentation
After successful migration:
RLS Policy Templates
User Read Policy
CREATE POLICY {table}_user_select ON {table}
FOR SELECT TO {{PROJECT}}_app_user
USING (user_id = current_setting('app.current_user_id', true));
User Write Policy
CREATE POLICY {table}_user_insert ON {table}
FOR INSERT TO {{PROJECT}}_app_user
WITH CHECK (user_id = current_setting('app.current_user_id', true));
Admin Policy
CREATE POLICY {table}_admin_all ON {table}
FOR ALL TO {{PROJECT}}_app_user
USING (current_setting('app.user_role', true) = 'admin');
System Policy (Background Jobs)
CREATE POLICY {table}_system_all ON {table}
FOR ALL TO {{PROJECT}}_app_user
USING (current_setting('app.context_type', true) = 'system');
Migration Checklist
Before PR:
PROD Migration Requirements
For production migrations:
Reference
- Migration SOP:
docs/database/RLS_DATABASE_MIGRATION_SOP.md (MANDATORY)
- Data Dictionary:
docs/database/DATA_DICTIONARY.md (update after changes)
- RLS Implementation:
docs/database/RLS_IMPLEMENTATION_GUIDE.md
- RLS Policies:
docs/database/RLS_POLICY_CATALOG.md
- Security First:
docs/guides/SECURITY_FIRST_ARCHITECTURE.md