@RobbieMcKinstry
Contributor

FEATURE: Add comprehensive integrity verification before migration execution

This commit implements the migration integrity verification design:

Schema verification:

  • Add verify_schema_checksum() method to MigrationTracker that computes
    the live database schema's xxhash3 checksum and compares against the
    expected value stored in tern.migrations
  • Add get_schema_hash() method to retrieve a migration's schema checksum
  • Verify schema integrity before executing migrate up/down commands
  • Detect when database has been modified outside of Tern migrations

Migration hash verification:

  • Verify migration file content matches what was originally applied
  • Add MigrationModified error for detecting modified migration files
  • Check migration hash before reverting in migrate down

Error handling:

  • Add SchemaDrift error variant with detailed diagnostic help
  • Add MigrationModified error variant with resolution steps
  • Both errors include expected vs actual checksums and guidance

CLI updates:

  • Add --force flag to migrate up and migrate down commands to skip
    integrity verification in emergency situations
  • Display warning when --force is used
  • Update tern verify to compare against database's schema_hash instead
    of local state.json (with --include-local-state flag for backwards
    compatibility)

The design follows the principle of detecting both:

  1. Database modifications made outside of Tern (via schema checksum)
  2. Migration file tampering after application (via migration hash)

FEATURE: Improve --force flag behavior for better transparency

Previously, --force would skip integrity verification entirely. Now:

- Verification is always performed even when --force is used
- If verification fails with --force: print warning and proceed
- If verification passes with --force: print "force was unnecessary"
- Without --force: error on verification failure (unchanged)

This gives users better visibility into the state of their database
while still allowing emergency overrides when needed.

Changes:
- Add check_integrity() method to MigrationExecutor for explicit
  verification without execution
- Add VerificationStatus, SchemaMismatch, and HistoryDivergence types
  to capture verification results
- Update migrate up CLI to call check_integrity() when --force is used
- Update migrate down CLI to always verify but decide based on --force
  whether to error or warn
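
The verify-then-decide rule this commit describes, as an added example that is not Tern's own code: the type and function names (VerificationStatus, SchemaMismatch, HistoryDivergence, check_integrity) are assumed to mirror the ones named above, the applied-migration record is constructed, and std's DefaultHasher stands in for the xxhash3 checksum.

```rust
// Added example, not Tern's code: the names below are assumed from the commit
// message, and DefaultHasher stands in for the xxhash3 checksum it describes.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

#[derive(Debug, PartialEq)]
pub struct SchemaMismatch { pub expected: u64, pub actual: u64 }
#[derive(Debug, PartialEq)]
pub struct HistoryDivergence { pub version: u32, pub expected: u64, pub actual: u64 }
/// Result of check_integrity(): clean, or one of the two failure kinds.
#[derive(Debug, PartialEq)]
pub enum VerificationStatus { Ok, SchemaDrift(SchemaMismatch), MigrationModified(HistoryDivergence) }

/// What the CLI does with a verification result, given --force.
#[derive(Debug, PartialEq)]
pub enum Decision { Proceed, ForceUnnecessary, ProceedWithWarning(String), Abort(String) }

/// Row recorded when a migration was applied (constructed for this example).
pub struct AppliedMigration { pub version: u32, pub migration_hash: u64, pub schema_hash: u64 }

/// Stand-in for the xxhash3 checksum of a schema dump or a migration file.
pub fn checksum(content: &str) -> u64 {
    let mut h = DefaultHasher::new();
    content.hash(&mut h);
    h.finish()
}
/// Verify without executing: live schema first (drift made outside Tern),
/// then the on-disk migration file against the hash stored when it was applied.
pub fn check_integrity(live_schema: &str, file: &str, rec: &AppliedMigration) -> VerificationStatus {
    let actual = checksum(live_schema);
    if actual != rec.schema_hash {
        return VerificationStatus::SchemaDrift(SchemaMismatch { expected: rec.schema_hash, actual });
    }
    let actual = checksum(file);
    if actual != rec.migration_hash {
        let d = HistoryDivergence { version: rec.version, expected: rec.migration_hash, actual };
        return VerificationStatus::MigrationModified(d);
    }
    VerificationStatus::Ok
}

/// Verification always runs; --force only changes whether a failure aborts or warns.
pub fn decide(status: &VerificationStatus, force: bool) -> Decision {
    match (status, force) {
        (VerificationStatus::Ok, false) => Decision::Proceed,
        (VerificationStatus::Ok, true) => Decision::ForceUnnecessary,
        (s, true) => Decision::ProceedWithWarning(format!("continuing under --force: {s:?}")),
        (s, false) => Decision::Abort(format!("integrity check failed: {s:?}")),
    }
}
```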

CHORE: Remove design document after implementation complete

The migration integrity verification feature has been fully implemented,
so the design document is no longer needed.
@RobbieMcKinstry RobbieMcKinstry merged commit 93bf51c into trunk Jan 24, 2026
5 checks passed
@RobbieMcKinstry RobbieMcKinstry deleted the claude/implement-migration-integrity-BE9wA branch January 24, 2026 21:25