Migration and Upgrade Guide
Plystra Migration and Upgrade Guide
Section titled “Plystra Migration and Upgrade Guide”Document Status
Section titled “Document Status”| Field | Value |
|---|---|
| Product | Plystra |
| Version | v1.0 |
| Document Type | Operations guide |
| Scope | Migrations, upgrades, Ent drift, production safety |
| Status | Active guide |
1. Purpose
Section titled “1. Purpose”This guide explains how to apply migrations, verify schema state, and upgrade Plystra Core safely.
Plystra v1.0 uses Ent inside the Core repository, but production upgrades must use versioned migrations.
Production must not rely on Ent auto migration.
The primary goals are:
avoid schema driftavoid accidental destructive changesensure Core code matches database schemaensure upgrades are repeatableensure operators can recover from failed upgrades2. Core Rules
Section titled “2. Core Rules”Rule 1: Use Versioned Migrations in Production
Section titled “Rule 1: Use Versioned Migrations in Production”Production upgrades must use:
plystractl migrate upDo not use Ent auto migration as the production upgrade mechanism.
Rule 2: Verify After Migration
Section titled “Rule 2: Verify After Migration”Always run:
plystractl migrate verifyplystractl ent checkplystractl doctorRule 3: Backup Before Upgrade
Section titled “Rule 3: Backup Before Upgrade”Always back up PostgreSQL before applying production migrations.
Rule 4: Do Not Skip Migrations
Section titled “Rule 4: Do Not Skip Migrations”Do not manually edit schema to match the latest code.
Use project-provided migrations.
Rule 5: Treat AuditLog Carefully
Section titled “Rule 5: Treat AuditLog Carefully”AuditLog is append-only.
Never manually mutate audit records unless following an emergency recovery procedure approved by maintainers.
Backend OS Alpha Template Setup
Section titled “Backend OS Alpha Template Setup”Backend OS Alpha includes an inspectable template setup command. It creates a local application directory from an official template manifest and writes the operational files needed to launch, inspect, back up, and upgrade the app.
plystractl templates listplystractl templates describe auth-ready-saasplystractl templates create --template auth-ready-saas --name "Acme SaaS" --out ./acme-saasThe generated directory contains:
| File | Purpose |
|---|---|
README.md | Start and operation commands for the generated app. |
.env.example | Production-oriented environment template with placeholder secrets only. |
docker-compose.yml | Core, PostgreSQL, and required official plugin sidecar services for the selected template. |
plystra/template-installation.json | Template manifest, deployment profile, preview, required plugins, and capability requirements. |
plystra/install-explanation.md | Human-readable install explanation, defaults, operator actions, and limitations. |
The command is intentionally transparent rather than magical. It does not generate real secrets, does not create the first instance super admin, does not run migrations automatically, and does not imply a public marketplace. Review the generated files, copy .env.example to .env, set strong secrets, then start and verify:
docker compose --env-file .env up -d postgresdocker compose --env-file .env run --rm plystra-core plystractl migrate updocker compose --env-file .env run --rm plystra-core plystractl migrate verifydocker compose --env-file .env run --rm plystra-core plystractl doctordocker compose --env-file .env up -dFor templates that require Complete Auth, configure the plugin database settings in plugin_auth_settings before enabling public auth flows. Production email delivery must use an independent email capability provider.
3. Migration Commands
Section titled “3. Migration Commands”3.1 Apply Migrations
Section titled “3.1 Apply Migrations”plystractl migrate upExpected behavior:
connects to configured databasedetects current migration versionapplies pending migrations in orderrecords applied migration versionsreturns clear success or failure result3.2 Verify Migrations
Section titled “3.2 Verify Migrations”plystractl migrate verifyExpected behavior:
checks migration tablechecks expected schema statechecks migration integrity where supportedreports missing or failed migrations3.3 Check Ent Drift
Section titled “3.3 Check Ent Drift”plystractl ent checkExpected behavior:
compares Ent schema expectations with database schemareports drift if schema and code are inconsistentreturns zero only when no drift exists3.4 Doctor
Section titled “3.4 Doctor”plystractl doctorExpected behavior:
checks configurationchecks database connectivitychecks migration statechecks schema readinesschecks runtime readinessreturns actionable diagnostics4. Development Migration Workflow
Section titled “4. Development Migration Workflow”In development, maintainers may use Ent tools to iterate.
Recommended workflow:
1. Modify ent/schema.2. Generate Ent code.3. Generate versioned migration.4. Apply migration to local database.5. Run tests.6. Run ent check.7. Commit schema, generated code, and migration together.Example:
go generate ./entplystractl migrate diffplystractl migrate upplystractl ent checkgo test ./...Exact commands may differ depending on project tooling.
The invariant remains:
Ent schema, generated code, and migrations must be committed together.5. CI Migration Workflow
Section titled “5. CI Migration Workflow”CI must validate:
generated Ent code is currentmigrations are currentmigrations apply to empty databasemigrations apply from previous release schemaauthz conformance tests pass after migrationRecommended CI jobs:
codegen-checkmigration-diff-checkmigration-apply-empty-dbmigration-apply-upgrade-dbauthz-conformance-test5.1 Codegen Check
Section titled “5.1 Codegen Check”Example:
go generate ./entgit diff --exit-code5.2 Migration Diff Check
Section titled “5.2 Migration Diff Check”Example:
plystractl migrate diff --checkor equivalent Atlas/Ent command.
Expected:
no uncommitted migration diff5.3 Empty DB Migration Test
Section titled “5.3 Empty DB Migration Test”Example:
createdb plystra_empty_testPLYSTRA_DATABASE_URL=... plystractl migrate upPLYSTRA_DATABASE_URL=... plystractl migrate verify5.4 Upgrade DB Migration Test
Section titled “5.4 Upgrade DB Migration Test”Example:
restore previous release schemaPLYSTRA_DATABASE_URL=... plystractl migrate upPLYSTRA_DATABASE_URL=... plystractl migrate verifyPLYSTRA_DATABASE_URL=... go test ./...6. Production Upgrade Procedure
Section titled “6. Production Upgrade Procedure”Follow this procedure for production upgrades.
6.1 Before Upgrade
Section titled “6.1 Before Upgrade”Step 1: Read Release Notes
Section titled “Step 1: Read Release Notes”Review:
release notesmigration notesbreaking changescompatibility notesknown limitationsStep 2: Check Current Version
Section titled “Step 2: Check Current Version”curl -s http://localhost:8080/api/v1/versionRecord:
Core versionschema versiontrace versionbuild metadataStep 3: Run Doctor
Section titled “Step 3: Run Doctor”plystractl doctorDo not upgrade if doctor reports critical issues.
Step 4: Backup PostgreSQL
Section titled “Step 4: Backup PostgreSQL”Example:
pg_dump "$DATABASE_URL" > plystra-backup-before-v1.0.sqlRecommended:
store backup outside the serverencrypt backup if it contains sensitive dataverify backup file is non-emptyrecord backup timestamprecord current app versionrecord current schema versionStep 5: Optional Restore Test
Section titled “Step 5: Optional Restore Test”For production-critical deployments, test restore on a staging database.
createdb plystra_restore_testpsql plystra_restore_test < plystra-backup-before-v1.0.sql6.2 During Upgrade
Section titled “6.2 During Upgrade”Step 1: Stop or Quiesce Core
Section titled “Step 1: Stop or Quiesce Core”Depending on deployment:
docker compose stop plystra-coreor put the application in maintenance mode.
Step 2: Pull New Version
Section titled “Step 2: Pull New Version”git fetch --tagsgit checkout v0.0.1or update Docker image tag.
Step 3: Apply Migrations
Section titled “Step 3: Apply Migrations”plystractl migrate upStep 4: Verify Migrations
Section titled “Step 4: Verify Migrations”plystractl migrate verifyplystractl ent checkStep 5: Start Core
Section titled “Step 5: Start Core”docker compose up -d plystra-coreStep 6: Run Doctor
Section titled “Step 6: Run Doctor”plystractl doctor6.3 After Upgrade
Section titled “6.3 After Upgrade”Run smoke tests:
curl -s http://localhost:8080/api/v1/healthcurl -s http://localhost:8080/api/v1/readycurl -s http://localhost:8080/api/v1/versionRun authorization smoke tests:
authz/check allow caseauthz/check deny caseauthz/explain allow caseauthz/explain deny caseCheck logs:
docker compose logs --tail=200 plystra-coreCheck AuditLog:
recent allow decisionrecent deny decisionrequest_id correlationtrace snapshot shape7. Production Ent Apply Rejection
Section titled “7. Production Ent Apply Rejection”Plystra production mode intentionally rejects unsafe Ent auto apply behavior.
This is not a bug.
7.1 Why It Is Rejected
Section titled “7.1 Why It Is Rejected”Ent auto migration can be useful in development, but production upgrades require:
reviewable migration filesrepeatable upgrade processCI validationbackup planningrollback planningoperator visibilityTherefore production should use:
plystractl migrate upnot automatic schema mutation.
7.2 Expected Error Behavior
Section titled “7.2 Expected Error Behavior”If an unsafe Ent apply command is attempted in production, the system should return a clear error:
Ent auto migration is disabled in production.Use versioned migrations through plystractl migrate up.7.3 Documentation Requirement
Section titled “7.3 Documentation Requirement”Release notes and upgrade docs must mention this behavior.
8. Rollback Guidance
Section titled “8. Rollback Guidance”Rollback depends on migration type.
8.1 Application Rollback
Section titled “8.1 Application Rollback”If migrations are backward-compatible:
docker compose stop plystra-coregit checkout previous-versiondocker compose up -d plystra-coreor use previous Docker image.
8.2 Database Rollback
Section titled “8.2 Database Rollback”If migrations are not backward-compatible, restore from backup.
Example:
dropdb plystracreatedb plystrapsql plystra < plystra-backup-before-upgrade.sql8.3 Rollback Checklist
Section titled “8.3 Rollback Checklist”Before rollback:
identify failed componentpreserve logspreserve error outputpreserve current database snapshot if usefulconfirm backup availabilitystop write traffic if possiblerestore app and DB consistentlyrun doctor after rollback8.4 AuditLog Consideration
Section titled “8.4 AuditLog Consideration”AuditLog records created during failed upgrade windows should be preserved if possible.
If database restore removes them, document the operational event outside Plystra.
9. Migration Safety Requirements
Section titled “9. Migration Safety Requirements”Each migration should document:
purposeaffected tablesnew columnsremoved columns if anyindexesconstraintsdata backfill if anyrollback strategycompatibility notesMigrations that affect these areas require extra review:
UserMemberMemberRolePermissionResourceAuditLogGroup pathDeny code fieldsTrace schema fields10. Data Migration Guidance
Section titled “10. Data Migration Guidance”Data migrations must be separate from schema migrations when practical.
Examples:
backfill UserMember.is_primarybackfill Resource.statusbackfill AuditLog.deny_codenormalize Group pathsseed system permissionsData migrations should be:
idempotent where possibleloggedtested on staging datasafe to retry when possibledocumented11. Schema Drift Troubleshooting
Section titled “11. Schema Drift Troubleshooting”11.1 Symptom: ent check Fails
Section titled “11.1 Symptom: ent check Fails”Possible causes:
migration not appliedmigration file missingmanual DB changegenerated Ent code stalewrong database URLwrong environmentRecommended steps:
echo $PLYSTRA_DATABASE_URLplystractl migrate verifyplystractl ent checkgo generate ./entgit diff11.2 Symptom: Core Starts But API Fails
Section titled “11.2 Symptom: Core Starts But API Fails”Possible causes:
schema version mismatchmissing columnold migration statewrong databasestale Docker imageRecommended steps:
curl -s /api/v1/versionplystractl doctorplystractl migrate verifydocker compose logs --tail=200 plystra-core11.3 Symptom: Authz Results Are Wrong After Upgrade
Section titled “11.3 Symptom: Authz Results Are Wrong After Upgrade”Possible causes:
seed data changedRolePermission missingMemberRole scope anchor missingResource group_id missingUserMember revoked/expiredGroup path changedcandidate permission filtering bugRecommended checks:
verify actor contextverify Resource recordverify MemberRole.scope_anchor_group_idverify Permission resource/action/scopeverify Group pathrun Finance Reviewer demorun authz/explain12. Backup Guidance
Section titled “12. Backup Guidance”Minimum backup:
pg_dump "$DATABASE_URL" > plystra-backup.sqlRecommended production backup strategy:
scheduled PostgreSQL backupsoff-server storageencrypted backupsrestore testsretention policypre-upgrade backuppost-upgrade verificationBackup should include:
Core tablesAuditLogResource Registry recordsmigration version tableplugin metadata if presentIf future plugins own separate tables, plugin-owned data must also be included.
13. Upgrade Smoke Test Checklist
Section titled “13. Upgrade Smoke Test Checklist”After every production upgrade, run:
health endpointready endpointversion endpointdoctor commandmigrate verifyent checkauthz/check allowauthz/check denyauthz/explainResource Registry queryAuditLog queryrequest ID correlationMinimum command examples:
curl -s http://localhost:8080/api/v1/healthcurl -s http://localhost:8080/api/v1/readycurl -s http://localhost:8080/api/v1/versionplystractl doctorplystractl migrate verifyplystractl ent check14. Release Maintainer Checklist
Section titled “14. Release Maintainer Checklist”Before publishing a release:
all migrations committedgenerated Ent code committedmigration tests passent drift check passesdoctor passesauthz conformance tests passOpenAPI updatedrelease notes updatedupgrade guide updatedDocker image builttag createdclean install verifiedupgrade install verified15. Summary
Section titled “15. Summary”Plystra v1.0 treats migrations as a production safety boundary.
Use Ent for schema modeling and code generation inside Core.
Use versioned migrations for production upgrades.
Always verify:
migration stateEnt driftdoctor outputauthz correctnessAuditLog correctnessNever rely on production Ent auto apply.