feat(#59): ticket-first gate for database migrations + /migration skill + migration AgDR template

[atlas-apex]

Summary

Ships Phase 1 of the migration-gate feature: a new hook that refuses edits to migration files without a labelled migration ticket + linked AgDR, plus the /migration skill that produces both artefacts in one guided flow, plus the migration AgDR template.

Three layers:

1. Hook (.claude/hooks/require-migration-ticket.sh) — PreToolUse on Edit/Write/MultiEdit. On migration-path match, runs three gates: active ticket marker exists, referenced issue is OPEN with migration label, issue body references a migration AgDR. Runs before require-active-ticket.sh so migration-specific messages surface first.

2. Skill (.claude/skills/migration/SKILL.md) — asks for type / affected tables / rollback plan / downtime / consumers / volume / testing / observability. Writes the AgDR first (reversible local write), then creates the labelled GitHub issue, then back-fills the AgDR with the ticket URL. Tells the user to run /start-ticket as the next step — doesn't do it automatically so the handoff stays explicit.

3. Template (templates/agdr-migration.md) — extends the base AgDR shape with migration-specific sections: explicit Rollback Plan (not buried under Consequences), Cross-Service Consumers, Testing Plan, Observability, plus frontmatter fields for migration type / affected tables / downtime / data volume / target environments.

Default migration paths (overridable per project via .claude/project-config.json → migration_paths)

• **/migrate-*.{ts,js,py,sql} — one-off migration scripts
• **/migrations/** — any file under a migrations/ directory
• prisma/schema.prisma, prisma/migrations/** — Prisma
• src/migrations/*.{ts,js} — TypeORM convention
• alembic/versions/*.py — Alembic
• db/migrate/*.rb — Rails
• *.sql under any migrations/ subtree

Exempt regardless of pattern: .claude/, docs/, projects/*/docs/, any *.md, any *.example.

Docs wiring

• .claude/rules/workflow-gates.md: new gate row 3a + dedicated "Migration Gate" section
• .claude/hooks/README.md: new section 1a
• CLAUDE.md: hook count 16→17, skill count 31→32, template + skill table rows
• workflows/sdlc.md: new "Sub-Workflow: Database Migrations" block after Phase 3 showing /migration → /start-ticket → edit → dev smoke → staging → prod → monitor

Testing

11 path-matching smoke cases against an isolated /tmp mock ops root — all pass:

PASS  non-migration *.ts → pass-through
PASS  *.md → pass-through
PASS  .claude/ → pass-through
PASS  *.example → pass-through
PASS  migrate-*.ts, no marker → BLOCK
PASS  migrations/NNN.sql, no marker → BLOCK
PASS  prisma/schema.prisma, no marker → BLOCK
PASS  src/migrations/*.ts, no marker → BLOCK
PASS  alembic/versions/*.py, no marker → BLOCK
PASS  db/migrate/*.rb, no marker → BLOCK
PASS  any file under migrations/, no marker → BLOCK

Gates 2 (label check) and 3 (AgDR body ref) require live gh calls — verified in real-usage flow: /migration → create ticket + AgDR → /start-ticket → retry the migration-file edit → hook allows.

Deferred — issue's Phase 2

sam validate / terraform plan introspection to auto-detect AWS::DynamoDB::Table / aws_rds_cluster / aws_dynamodb_table additions-or-modifications. Complex, and 80% of the value comes from the path-pattern heuristic + per-project migration_paths overrides.

Glossary

Term	Definition
migration gate	The three-check PreToolUse hook that refuses migration-file edits without a labelled ticket + AgDR
migration path	A file path matching one of the default patterns (or a project-configured pattern) that identifies a database-migration file
migration AgDR	An Agent Decision Record that captures rollback plan, downtime, cross-service consumers, testing plan, and observability for a migration — lives at docs/agdr/AgDR-NNNN-migration-<slug>.md in the project's repo
rollback runbook	The explicit step-by-step sequence to reverse a migration, written at AgDR time (not post-hoc during review)

Related

• Closes [Feature] Ticket-first gate for database migrations + /migration skill + migration AgDR template #59
• Depends on feat: per-project active ticket markers in ops repo #41 (per-project ticket markers) — the migration hook reuses that resolution
• Complements existing require-active-ticket.sh (runs after migration hook; handles non-migration ticket-first enforcement)

[atlas-apex]

Code Review: PR #72

Commit: e8ca0372b62b6db483f685ca3e583d35f2e7ccfd

Summary

Phase 1 of the migration gate ships cleanly: new require-migration-ticket.sh PreToolUse hook (3 gates: marker → open+labelled issue → AgDR body ref), /migration skill that produces ticket + AgDR in one guided flow, and templates/agdr-migration.md extending base AgDR with rollback/consumers/testing/observability. Docs wiring is consistent (hook count 16→17, skill count 31→32, new gate row 3a, new SDLC sub-workflow block).

Checklist Results

• Architecture & Design: Pass — hook slots in BEFORE active-ticket, reuses #41 marker resolution cleanly, skill writes AgDR first (reversible) then ticket then back-fill.
• Code Quality: Pass — is_migration_path() isolated, exemptions short-circuit before network, clear block messages point at /migration with exact invocation.
• Testing: Pass for path-matching (11/11 smoke cases); Gates 2/3 verified via real-usage flow (noted in PR body).
• Security: N/A — no new surface; gh auth reused, no shell-injection (all interpolations quoted).
• Performance: Pass — exempt paths exit before any gh call.
• PR Description & Glossary: Pass — 4 terms, all migration-specific.
• Technical Decisions (AgDR): N/A — this PR IS the AgDR mechanism; no separate decision record needed for shipping the gate itself.

Findings

1. Path-match false-positive risk — LOW, but one sharp edge. The generic fallback */migrations/* (line 156) is the widest pattern. It catches config/migrations/notes.md (though .md exempt short-circuits earlier) and would catch e.g. src/utils/migrations/helpers.ts if a project puts non-migration helpers under a migrations/ subtree. Acceptable given exemptions cover docs/meta and projects can override via migration_paths. The specific concern raised (migrations.yml in a config dir): safe, because */migrations/* requires /migrations/ as a directory segment, not a filename prefix.

2. Custom-paths override semantic (override, not union) — CORRECT. Lines 129–139 explicitly bail after custom patterns without falling through. This is right: a project setting migration_paths is declaring "here, and nowhere else, are my migrations." Union semantics would surprise — a user who just registered src/db/** would not expect db/migrate/*.rb to also gate. Consider documenting this explicitly in hooks/README.md (the skill already implies it).

3. Gate ordering UX — CORRECT. Migration hook before active-ticket means migration files get the targeted message (pointing at /migration), non-migration files get the generic active-ticket message. Pass-through when not a migration path is silent (exit 0) so no double-block.

4. AgDR slug regex — SUFFICIENTLY STRICT. AgDR-[0-9]+-[^[:space:]]*migration[^[:space:]]*\.md requires the word "migration" in the slug. Technically a user could game it by naming a non-migration AgDR with "migration" in the slug — but that's active evasion, not accidental bypass. Combined with the template forcing the shape, this is the right strictness level. Tightening to AgDR-\d+-migration- would be more rigid but would break the handful of legit slugs like AgDR-0042-data-migration-split.md.

5. Skill flow (AgDR-first, ticket-second, back-fill-third) — CLEAR. Rationale in rule 5 is well-articulated (ghost-ticket exposure minimised). The explicit "do NOT auto-run /start-ticket" handoff is the right UX call.

Suggestions (non-blocking)

• Consider logging the matched pattern in the block message (already done on gate 1 block — line 198 — nice touch).
• hooks/README.md could note the "override replaces, not unions" semantic explicitly.

Verdict

APPROVED

---

Rex (Code Reviewer Agent)
Reviewed commit: e8ca0372b62b6db483f685ca3e583d35f2e7ccfd

[atlas-apex]

Code Review: PR #72 (re-review)

Commit: a2694e93239812938df18b25f20a1b2b419e0da0

Summary

Incremental follow-up addressing 4 CI-lint findings. Verified diff vs prior approved SHA e8ca037 is purely lint fixes — no logic changes.

Incremental Diff Verified

• .claude/hooks/require-migration-ticket.sh:
  • Exempt-arm: removed subsumed */projects/*/docs/* (covered by */docs/* since shell case * crosses /), added explanatory comment — correct.
  • Default migration-arm: removed subsumed */migrations/*/*.sql (covered by */migrations/*.sql), added explanatory comment — correct.
  • Added # shellcheck disable=SC2254 before the intentional glob case "$path" in $pat) with clear justification — correct.
• templates/agdr-migration.md: added blank line before bulleted list (MD032) — correct.

Checklist Results

• Architecture & Design: Pass (unchanged)
• Code Quality: Pass
• Testing: Pass (unchanged)
• Security: Pass (unchanged)
• Performance: Pass (unchanged)
• PR Description & Glossary: Pass (unchanged)
• Technical Decisions (AgDR):Pass (unchanged)

Verdict

APPROVED (via comment — cannot self-approve own PR) — lint-only delta, semantics preserved, CI green.

---

Reviewed by Rex (Code Reviewer Agent)
Reviewed commit: a2694e93239812938df18b25f20a1b2b419e0da0