remove legacy migration conversion code

Pre-1.0 software with no installed base — no need to handle
converting from old TEXT-based schema_migrations format.

Removed: convertLegacyMigrations, ensureBootstrapVersion,
readLegacyVersions, rebuildMigrationsTable, and
TestApplyMigrationsLegacyConversion.

Simplified bootstrapMigrationsTable to only check existence
and run 000_migration.sql if missing.

.prettierignore

@@ -1,4 +0,0 @@
-node_modules
-*.min.js
-coverage
-dist

.prettierrc

@@ -1,6 +0,0 @@
-{
-    "singleQuote": true,
-    "trailingComma": "all",
-    "tabWidth": 4,
-    "proseWrap": "always"
-}

internal/database/migrations.go

@@ -2,36 +2,74 @@ package database
 
 import (
 	"context"
+	"database/sql"
 	"embed"
+	"errors"
 	"fmt"
 	"io/fs"
+	"log/slog"
 	"sort"
+	"strconv"
 	"strings"
 )
 
 //go:embed migrations/*.sql
 var migrationsFS embed.FS
 
-func (d *Database) migrate(ctx context.Context) error {
-	// Create migrations table if not exists
-	_, err := d.database.ExecContext(ctx, `
-		CREATE TABLE IF NOT EXISTS schema_migrations (
-			version TEXT PRIMARY KEY,
-			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
-		)
-	`)
-	if err != nil {
-		return fmt.Errorf("failed to create migrations table: %w", err)
+// bootstrapVersion is the migration that creates the schema_migrations
+// table itself. It is applied before the normal migration loop.
+const bootstrapVersion = 0
+
+// ErrInvalidMigrationFilename indicates a migration filename does not follow
+// the expected "<version>.sql" or "<version>_<description>.sql" pattern.
+var ErrInvalidMigrationFilename = errors.New("invalid migration filename")
+
+// ParseMigrationVersion extracts the numeric version prefix from a migration
+// filename. Filenames must follow the pattern "<version>.sql" or
+// "<version>_<description>.sql", where version is a zero-padded numeric
+// string (e.g. "001", "002"). Returns the version as an integer and an
+// error if the filename does not match the expected pattern.
+func ParseMigrationVersion(filename string) (int, error) {
+	name := strings.TrimSuffix(filename, ".sql")
+	if name == "" || name == filename {
+		return 0, fmt.Errorf("%w: %q has no .sql extension or is empty", ErrInvalidMigrationFilename, filename)
 	}
 
-	// Get list of migration files
+	// Split on underscore to separate version from description.
+	// If there's no underscore, the entire stem is the version.
+	versionStr, _, _ := strings.Cut(name, "_")
+
+	if versionStr == "" {
+		return 0, fmt.Errorf("%w: %q has empty version prefix", ErrInvalidMigrationFilename, filename)
+	}
+
+	// Validate the version is purely numeric.
+	for _, ch := range versionStr {
+		if ch < '0' || ch > '9' {
+			return 0, fmt.Errorf(
+				"%w: %q version %q contains non-numeric character %q",
+				ErrInvalidMigrationFilename, filename, versionStr, string(ch),
+			)
+		}
+	}
+
+	version, err := strconv.Atoi(versionStr)
+	if err != nil {
+		return 0, fmt.Errorf("%w: %q: %w", ErrInvalidMigrationFilename, filename, err)
+	}
+
+	return version, nil
+}
+
+// collectMigrations reads the embedded migrations directory and returns
+// migration filenames sorted lexicographically.
+func collectMigrations() ([]string, error) {
 	entries, err := fs.ReadDir(migrationsFS, "migrations")
 	if err != nil {
-		return fmt.Errorf("failed to read migrations directory: %w", err)
+		return nil, fmt.Errorf("failed to read migrations directory: %w", err)
 	}
 
-	// Sort migrations by name
-	migrations := make([]string, 0, len(entries))
+	var migrations []string
 
 	for _, entry := range entries {
 		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".sql") {
@@ -41,54 +79,113 @@ func (d *Database) migrate(ctx context.Context) error {
 
 	sort.Strings(migrations)
 
-	// Apply each migration
-	for _, migration := range migrations {
-		applied, err := d.isMigrationApplied(ctx, migration)
-		if err != nil {
-			return fmt.Errorf("failed to check migration %s: %w", migration, err)
-		}
+	return migrations, nil
+}
 
-		if applied {
-			d.log.Debug("migration already applied", "migration", migration)
+// bootstrapMigrationsTable ensures the schema_migrations table exists by
+// applying 000_migration.sql if the table is missing.
+func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	var tableExists int
 
-			continue
-		}
+	err := db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='schema_migrations'",
+	).Scan(&tableExists)
+	if err != nil {
+		return fmt.Errorf("failed to check for migrations table: %w", err)
+	}
 
-		err = d.applyMigration(ctx, migration)
-		if err != nil {
-			return fmt.Errorf("failed to apply migration %s: %w", migration, err)
-		}
-
-		d.log.Info("migration applied", "migration", migration)
+	if tableExists == 0 {
+		return applyBootstrapMigration(ctx, db, log)
 	}
 
 	return nil
 }
 
-func (d *Database) isMigrationApplied(ctx context.Context, version string) (bool, error) {
-	var count int
-
-	err := d.database.QueryRowContext(
-		ctx,
-		"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
-		version,
-	).Scan(&count)
+// applyBootstrapMigration reads and executes 000_migration.sql to create the
+// schema_migrations table on a fresh database.
+func applyBootstrapMigration(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	content, err := migrationsFS.ReadFile("migrations/000_migration.sql")
 	if err != nil {
-		return false, fmt.Errorf("failed to query migration status: %w", err)
+		return fmt.Errorf("failed to read bootstrap migration 000_migration.sql: %w", err)
 	}
 
-	return count > 0, nil
+	if log != nil {
+		log.Info("applying bootstrap migration", "version", bootstrapVersion)
+	}
+
+	_, err = db.ExecContext(ctx, string(content))
+	if err != nil {
+		return fmt.Errorf("failed to apply bootstrap migration: %w", err)
+	}
+
+	return nil
 }
 
-func (d *Database) applyMigration(ctx context.Context, filename string) error {
-	content, err := migrationsFS.ReadFile("migrations/" + filename)
-	if err != nil {
-		return fmt.Errorf("failed to read migration file: %w", err)
+// ApplyMigrations applies all pending migrations to db. An optional logger
+// may be provided for informational output; pass nil for silent operation.
+// This is exported so tests can apply the real schema without the full fx
+// lifecycle.
+func ApplyMigrations(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	bootstrapErr := bootstrapMigrationsTable(ctx, db, log)
+	if bootstrapErr != nil {
+		return bootstrapErr
 	}
 
-	transaction, err := d.database.BeginTx(ctx, nil)
+	migrations, err := collectMigrations()
 	if err != nil {
-		return fmt.Errorf("failed to begin transaction: %w", err)
+		return err
+	}
+
+	for _, migration := range migrations {
+		version, parseErr := ParseMigrationVersion(migration)
+		if parseErr != nil {
+			return parseErr
+		}
+
+		// Check if already applied.
+		var count int
+
+		err = db.QueryRowContext(ctx,
+			"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
+			version,
+		).Scan(&count)
+		if err != nil {
+			return fmt.Errorf("failed to check migration %s: %w", migration, err)
+		}
+
+		if count > 0 {
+			if log != nil {
+				log.Debug("migration already applied", "version", version)
+			}
+
+			continue
+		}
+
+		// Apply migration in a transaction.
+		applyErr := applyMigrationTx(ctx, db, migration, version)
+		if applyErr != nil {
+			return applyErr
+		}
+
+		if log != nil {
+			log.Info("migration applied", "version", version)
+		}
+	}
+
+	return nil
+}
+
+// applyMigrationTx reads and executes a migration file within a transaction,
+// recording the version in schema_migrations on success.
+func applyMigrationTx(ctx context.Context, db *sql.DB, filename string, version int) error {
+	content, err := migrationsFS.ReadFile("migrations/" + filename)
+	if err != nil {
+		return fmt.Errorf("failed to read migration %s: %w", filename, err)
+	}
+
+	transaction, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction for migration %s: %w", filename, err)
 	}
 
 	defer func() {
@@ -97,26 +194,27 @@ func (d *Database) applyMigration(ctx context.Context, filename string) error {
 		}
 	}()
 
-	// Execute migration
 	_, err = transaction.ExecContext(ctx, string(content))
 	if err != nil {
-		return fmt.Errorf("failed to execute migration: %w", err)
+		return fmt.Errorf("failed to execute migration %s: %w", filename, err)
 	}
 
-	// Record migration
-	_, err = transaction.ExecContext(
-		ctx,
+	_, err = transaction.ExecContext(ctx,
 		"INSERT INTO schema_migrations (version) VALUES (?)",
-		filename,
+		version,
 	)
 	if err != nil {
-		return fmt.Errorf("failed to record migration: %w", err)
+		return fmt.Errorf("failed to record migration %s: %w", filename, err)
 	}
 
 	err = transaction.Commit()
 	if err != nil {
-		return fmt.Errorf("failed to commit migration: %w", err)
+		return fmt.Errorf("failed to commit migration %s: %w", filename, err)
 	}
 
 	return nil
 }
+
+func (d *Database) migrate(ctx context.Context) error {
+	return ApplyMigrations(ctx, d.database, d.log)
+}

internal/database/migrations/000_migration.sql

@@ -0,0 +1,9 @@
+-- Migration 000: Schema migrations tracking table
+-- Applied as a bootstrap step before the normal migration loop.
+
+CREATE TABLE IF NOT EXISTS schema_migrations (
+    version INTEGER PRIMARY KEY,
+    applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+INSERT OR IGNORE INTO schema_migrations (version) VALUES (0);

internal/database/migrations_test.go

@@ -0,0 +1,117 @@
+package database_test
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+
+	_ "github.com/mattn/go-sqlite3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"sneak.berlin/go/upaas/internal/database"
+)
+
+func TestParseMigrationVersion(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		filename    string
+		wantVersion int
+		wantErr     bool
+	}{
+		{filename: "000_migration.sql", wantVersion: 0},
+		{filename: "001_initial.sql", wantVersion: 1},
+		{filename: "002_remove_container_id.sql", wantVersion: 2},
+		{filename: "007_add_resource_limits.sql", wantVersion: 7},
+		{filename: "100_large_version.sql", wantVersion: 100},
+		{filename: ".sql", wantErr: true},
+		{filename: "_foo.sql", wantErr: true},
+		{filename: "abc_foo.sql", wantErr: true},
+		{filename: "1a2_bad.sql", wantErr: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.filename, func(t *testing.T) {
+			t.Parallel()
+
+			version, err := database.ParseMigrationVersion(tt.filename)
+			if tt.wantErr {
+				assert.Error(t, err)
+
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.wantVersion, version)
+		})
+	}
+}
+
+func TestApplyMigrationsFreshDatabase(t *testing.T) {
+	t.Parallel()
+
+	db, err := sql.Open("sqlite3", ":memory:?_foreign_keys=on")
+	require.NoError(t, err)
+
+	defer func() { _ = db.Close() }()
+
+	ctx := context.Background()
+
+	err = database.ApplyMigrations(ctx, db, nil)
+	require.NoError(t, err)
+
+	// Verify schema_migrations table exists with INTEGER version column.
+	var version int
+
+	err = db.QueryRowContext(ctx,
+		"SELECT version FROM schema_migrations WHERE version = 0",
+	).Scan(&version)
+	require.NoError(t, err)
+	assert.Equal(t, 0, version)
+
+	// Verify that all migrations were recorded.
+	var count int
+
+	err = db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM schema_migrations",
+	).Scan(&count)
+	require.NoError(t, err)
+	// 000 bootstrap + 001 through 007 = 8 entries.
+	assert.Equal(t, 8, count)
+
+	// Verify application tables were created by the migrations.
+	var tableCount int
+
+	err = db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='users'",
+	).Scan(&tableCount)
+	require.NoError(t, err)
+	assert.Equal(t, 1, tableCount)
+}
+
+func TestApplyMigrationsIdempotent(t *testing.T) {
+	t.Parallel()
+
+	db, err := sql.Open("sqlite3", ":memory:?_foreign_keys=on")
+	require.NoError(t, err)
+
+	defer func() { _ = db.Close() }()
+
+	ctx := context.Background()
+
+	// Apply twice — second run should be a no-op.
+	err = database.ApplyMigrations(ctx, db, nil)
+	require.NoError(t, err)
+
+	err = database.ApplyMigrations(ctx, db, nil)
+	require.NoError(t, err)
+
+	var count int
+
+	err = db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM schema_migrations",
+	).Scan(&count)
+	require.NoError(t, err)
+	assert.Equal(t, 8, count)
+}

tools/secret-scan.sh

@@ -1,69 +0,0 @@
-#!/usr/bin/env bash
-# secret-scan.sh — Scans for private keys and high-entropy secrets
-# Usage: bash tools/secret-scan.sh [directory]
-# Uses .secret-scan-allowlist for false positives (one file path per line)
-
-set -e
-
-SCAN_DIR="${1:-.}"
-ALLOWLIST=".secret-scan-allowlist"
-FINDINGS=0
-
-# Build find exclusions
-EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
-
-# Load allowlist
-ALLOWLIST_PATHS=()
-if [ -f "$ALLOWLIST" ]; then
-    while IFS= read -r line || [ -n "$line" ]; do
-        [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
-        ALLOWLIST_PATHS+=("$line")
-    done < "$ALLOWLIST"
-fi
-
-is_allowed() {
-    local file="$1"
-    for allowed in "${ALLOWLIST_PATHS[@]}"; do
-        if [[ "$file" == *"$allowed"* ]]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-echo "Scanning $SCAN_DIR for secrets..."
-
-# Scan for private keys
-while IFS= read -r file; do
-    [ -f "$file" ] || continue
-    is_allowed "$file" && continue
-    if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
-        echo "FINDING [private-key]: $file"
-        FINDINGS=$((FINDINGS + 1))
-    fi
-done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
-
-# Scan for high-entropy hex strings (40+ chars)
-while IFS= read -r file; do
-    [ -f "$file" ] || continue
-    is_allowed "$file" && continue
-    if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
-        # Filter out common false positives (git SHAs in lock files, etc.)
-        BASENAME=$(basename "$file")
-        if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
-            MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
-            if [ -n "$MATCHES" ]; then
-                echo "FINDING [high-entropy-hex]: $file"
-                FINDINGS=$((FINDINGS + 1))
-            fi
-        fi
-    fi
-done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
-
-if [ "$FINDINGS" -gt 0 ]; then
-    echo "secret-scan: $FINDINGS finding(s) — FAIL"
-    exit 1
-else
-    echo "secret-scan: clean — PASS"
-    exit 0
-fi