KBN-101: separate PostgreSQL migration-owner and runtime application identities #771
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Objective
Introduce a fail-closed PostgreSQL identity split so schema migrations run as a migration owner while Mosaic runtime connections use a non-owner application role with only the privileges required by the Native Kanban contract.
Blocker origin
KBN-100 issue #769 cannot certify immutable artifact/event/evidence records while the Gateway/storage bootstrap runs migrations and runtime queries through the same
DATABASE_URLtable-owner identity.REVOKE FROM PUBLICand triggers do not prove the deployed application identity is non-owner.Requirements
DATABASE_URLis the non-owner runtime identity.DATABASE_MIGRATION_URL) is used only by migration commands/bootstrap.Scope to determine before coding
DB client/migration API, Gateway/storage bootstrap, strict configuration DTOs, installer/compose/CI examples, and operator/security documentation. Deployment-specific secret wiring is separately enumerated; no manual production mutation.
Mandatory evidence
TDD RED/GREEN; owner/non-owner real-PostgreSQL integration; startup same-role/missing-role denials; migration success then runtime CRUD; immutable UPDATE/DELETE denial; credential redaction; N-1 configuration behavior; independent code/security review; Ultron; PR/main CI and issue closure.
Dependencies
0016and current main.