feat(db): enforce runtime RLS boundaries

2026-03-22 22:49:47 +04:00
parent 7665af0268
commit 97b5edcc0a
24 changed files with 2054 additions and 545 deletions

@@ -47,9 +47,16 @@ bun run build
## CD behavior
- CD deploy runs migrations before deploy and now requires the `DATABASE_URL` GitHub secret.
- CD deploy runs migrations before deploy and requires the owner-only `DATABASE_URL` GitHub secret.
- If `DATABASE_URL` is missing, CD fails fast instead of deploying schema-dependent code without migrations.
## Runtime connection split
- `DATABASE_URL` is for migrations, schema checks, and other owner-only maintenance tasks.
- `APP_DATABASE_URL` is for authenticated request paths such as mini app routes.
- `WORKER_DATABASE_URL` is for Telegram ingestion, reminders, scheduler jobs, and other internal worker flows.
- Runtime services should not use `DATABASE_URL`.
## Safety rules
- Prefer additive migrations first (new columns/tables) over destructive changes.
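Review bot: The new "Runtime connection split" section does not say what a runtime service does when `APP_DATABASE_URL` or `WORKER_DATABASE_URL` is unset, and "Runtime services should not use `DATABASE_URL`" reads as advice rather than an enforced rule. The CD section already documents fail-fast behaviour for a missing `DATABASE_URL`; add the matching statement here, for example that a service refuses to start without its own URL and never falls back to the owner connection, since a silent fallback would run request and worker paths with owner privileges. It would also help to state for each of the two runtime URLs that it must connect as a non-owner role, so the "owner-only" wording on `DATABASE_URL` has an explicit counterpart.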