Status: Open
Labels: enhancement (New feature or request)
Description
Problem
The current checksum verification only detects mismatches in `strata status` and does not act as a gate (blocking mechanism) during `strata apply`. There is a risk of applying tampered migration files in production. Additionally, there is no mechanism to guarantee migration integrity across different environments.
Proposed Solution
Make checksum verification mandatory before migration application, blocking execution on mismatch.
Features
- Pre-apply checksum verification
  - When `strata apply` runs, compare the `.meta.yaml` checksum with the actual hash of the `up.sql`/`down.sql` files for unapplied migrations
  - Block on mismatch (explicitly skippable with `--skip-checksum-verify`)
- Checksum lock file
  - Generate `migrations/.checksum-lock.yaml` containing checksums for all migrations
  - In CI/CD, run `strata check --verify-checksums` to verify consistency with the lock file
- Cross-environment integrity check
  - Add a `--verify` flag to `strata status` to compare DB-recorded checksums with local files
Implementation Plan
- Checksum verification service (`src/db/src/services/checksum_verifier.rs`, new)

  ```rust
  // Proposed interface; bodies to be implemented.
  pub struct ChecksumVerifier;

  impl ChecksumVerifier {
      /// Compute SHA-256 checksum of a file
      pub fn compute_checksum(path: &Path) -> Result<String>;
      /// Compare .meta.yaml checksum with actual file checksum
      pub fn verify_migration(migration_dir: &Path) -> Result<ChecksumVerifyResult>;
      /// Verify all migrations
      pub fn verify_all(migrations_dir: &Path) -> Result<Vec<ChecksumVerifyResult>>;
  }
  ```
- Changes to apply command (`src/cli/src/cli/commands/apply.rs`)
  - Call `ChecksumVerifier::verify_all()` before application
  - Display errors and block on mismatch
- Lock file generation (during `strata generate`)
  - Automatically update `.checksum-lock.yaml` when generating migrations
- Extend check command (`src/cli/src/cli/commands/check.rs`)
  - Add `--verify-checksums` flag for checksum verification
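The pre-apply gate described in the Features and Implementation Plan sections, prototyped here in Python as an added illustration (not strata's Rust code). It assumes the `.meta.yaml` checksum is SHA-256 over `up.sql` followed by `down.sql`, and reads the `checksum:` line with a minimal parser rather than a YAML library; the sample migration tree is constructed in a temp directory, with one migration edited after its `.meta.yaml` was written.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class ChecksumVerifyResult:
    migration: str
    expected: str  # checksum recorded in .meta.yaml
    actual: str    # checksum of the files on disk
    def ok(self) -> bool:
        return self.expected == self.actual

def compute_checksum(migration_dir: Path) -> str:
    """SHA-256 over up.sql followed by down.sql (assumed layout of the .meta.yaml checksum)."""
    h = hashlib.sha256()
    for name in ("up.sql", "down.sql"):
        h.update((migration_dir / name).read_bytes())
    return h.hexdigest()

def recorded_checksum(migration_dir: Path) -> str:
    """Read the `checksum:` line of .meta.yaml (minimal reader; a real build would use a YAML parser)."""
    for line in (migration_dir / ".meta.yaml").read_text().splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "checksum":
            return value.strip().strip('"')
    raise ValueError(f"no checksum field in {migration_dir}")

def verify_all(migrations_dir: Path) -> list[ChecksumVerifyResult]:
    dirs = sorted(p for p in migrations_dir.iterdir() if p.is_dir())
    return [ChecksumVerifyResult(d.name, recorded_checksum(d), compute_checksum(d)) for d in dirs]

def apply_gate(migrations_dir: Path, skip_checksum_verify: bool = False) -> bool:
    """True if apply may proceed: any mismatch blocks unless --skip-checksum-verify was given."""
    bad = [r for r in verify_all(migrations_dir) if not r.ok()]
    for r in bad:
        print(f"checksum mismatch in {r.migration}: expected {r.expected}, got {r.actual}")
    return not bad or skip_checksum_verify

def build_demo() -> Path:
    """Constructed sample: 001 is intact, 002's up.sql was edited after its .meta.yaml was written."""
    migrations = Path(tempfile.mkdtemp()) / "migrations"
    for name, sql in (("001_init", "CREATE TABLE users (id INT);"), ("002_edit", "ALTER TABLE users ADD email TEXT;")):
        d = migrations / name
        d.mkdir(parents=True)
        (d / "up.sql").write_text(sql)
        (d / "down.sql").write_text("-- revert\n")
        (d / ".meta.yaml").write_text(f"checksum: {compute_checksum(d)}\n")
    (migrations / "002_edit" / "up.sql").write_text("DROP TABLE users;")  # post-generation change
    return migrations
```

Running `apply_gate(build_demo())` reports the mismatch in `002_edit` and returns `False`; passing `skip_checksum_verify=True` still prints the mismatch but lets the apply proceed.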
Files Affected
- `src/db/src/services/checksum_verifier.rs` (new)
- `src/cli/src/cli/commands/apply.rs`: Add verification gate
- `src/cli/src/cli/commands/generate.rs`: Lock file generation
- `src/cli/src/cli/commands/check.rs`: Add verification flag
Alternatives Considered
- Git hooks: Verify checksums in pre-commit hooks. This creates a Git dependency, so built-in verification is more appropriate
- DB-side verification only: Comparing DB-recorded checksums with files cannot detect tampering of unapplied migrations
Additional Context
- Corresponds to "Add checksum verification gates for production applies" in ROADMAP.md
- The existing `sha2` crate enables SHA-256 computation
- The existing `.meta.yaml` already has a `checksum` field