| name | migration-patterns |
| description | Database migration creation with mandatory RLS policies and ARCHitect approval workflow. Use when creating migrations, adding tables with RLS, updating ORM schema, adding GRANT statements, or planning data migrations. Do NOT use for application code changes without schema impact.
|
Migration Patterns Skill
TEMPLATE: This skill uses {{PLACEHOLDER}} tokens. Replace with your project values before use.
Purpose
Guide database migration creation with mandatory RLS policies, following security-first architecture and approval workflow.
When This Skill Applies
- Creating database migrations
- Adding new tables (all tables need RLS)
- Updating ORM schema
- Adding GRANT statements
- Schema impact analysis
- Data migration planning
Stop-the-Line Conditions
FORBIDDEN Patterns
CREATE TABLE user_data (...);
CREATE TABLE payments (...);
CORRECT Patterns
CREATE TABLE user_data (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id TEXT NOT NULL,
data JSONB,
created_at TIMESTAMPTZ DEFAULT NOW()
);
ALTER TABLE user_data ENABLE ROW LEVEL SECURITY;
CREATE POLICY user_data_user_select ON user_data
FOR SELECT TO {{PROJECT}}_app_user
USING (user_id = current_setting('app.current_user_id', true));
CREATE INDEX idx_user_data_user_id ON user_data(user_id);
GRANT SELECT, INSERT, UPDATE ON user_data TO {{PROJECT}}_app_user;
Migration Workflow (MANDATORY)
Step 1: Get ARCHitect Approval
Before ANY schema change:
1. Document proposed changes
2. Get ARCHitect approval (create issue or discussion)
3. Only proceed after explicit approval
Step 2: Create Migration
npx prisma migrate dev --name descriptive_name
alembic revision --autogenerate -m "descriptive_name"
ls {{MIGRATIONS_DIR}}/
Step 3: Add RLS to Migration
Edit the generated migration to include:
Step 4: Verify Locally
{{MIGRATION_RUN_COMMAND}}
psql -c "SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';"
Step 5: Update Documentation
After successful migration:
RLS Policy Templates
User Read Policy
CREATE POLICY {table}_user_select ON {table}
FOR SELECT TO {{PROJECT}}_app_user
USING (user_id = current_setting('app.current_user_id', true));
User Write Policy
CREATE POLICY {table}_user_insert ON {table}
FOR INSERT TO {{PROJECT}}_app_user
WITH CHECK (user_id = current_setting('app.current_user_id', true));
Admin Policy
CREATE POLICY {table}_admin_all ON {table}
FOR ALL TO {{PROJECT}}_app_user
USING (current_setting('app.user_role', true) = 'admin');
System Policy (Background Jobs)
CREATE POLICY {table}_system_all ON {table}
FOR ALL TO {{PROJECT}}_app_user
USING (current_setting('app.context_type', true) = 'system');
Migration Checklist
Before PR:
Production Migration Requirements
For production migrations:
Authoritative References
- Migration SOP:
docs/database/RLS_DATABASE_MIGRATION_SOP.md (MANDATORY)
- Data Dictionary:
docs/database/DATA_DICTIONARY.md (update after changes)
- RLS Implementation:
docs/database/RLS_IMPLEMENTATION_GUIDE.md
- RLS Policies:
docs/database/RLS_POLICY_CATALOG.md
- Security First:
docs/guides/SECURITY_FIRST_ARCHITECTURE.md