Created: 2026-02-08
Author: AI Assistant
Target Release: 2026-02-15 (or later after code validation)
Overview
Three database migrations are required to complete HR-09-P5 implementation:- HR References: Secure token storage via hashing
- Candidate Portal Sessions: Organization isolation
- Job Board Integrations: Centralized credential management
Migration 1: hr_references - Token Hashing (Phase 5.1)
Purpose
Migrate reference submission tokens from plaintext storage to cryptographically hashed format to comply with security best practices and reduce data breach risk.SQL Migration
Code Changes Required
Edge Function:supabase/functions/hr-reference-submit/index.ts
Transition Strategy
Phase 1: Dual Support (Week 1-2)- New reference requests: Use hashed tokens
- Existing references: Still accept plaintext tokens
- Log all token validations for audit
- Run data migration script to hash existing plaintext tokens
- Verify all existing references can still be accessed
- Monitor error logs for validation failures
- Stop generating plaintext tokens
- Require hashed tokens for all new validations
- Schedule column removal after 30-day deprecation period
Rollback Plan
If issues arise before column removal:- Keep
access_tokenplaintext column indefinitely - Continue dual-path validation (hash first, then plaintext)
- Document why hashing was reverted
Migration 2: hr_candidate_portal_sessions - Organization Isolation
Purpose
Addorganization_id column to enforce tenant isolation and enable RLS policies. Currently sessions may lack org context, preventing proper multi-tenant access control.
SQL Migration
Code Changes Required
Hook:src/cores/hr/hooks/useCandidatePortalSession.ts
Transition Strategy
Pre-Migration:- Code changes deployed (accepting but not requiring organization_id)
- All new sessions created WITH organization_id
- Existing sessions continue to work
- Run SQL backfill
- Verify RLS policies work correctly
- Test portal access with org-scoped sessions
- Make organization_id NOT NULL
- Enforce organization_id in application code
- Monitor RLS errors in logs
- Remove code paths that don’t set organization_id
Migration 3: hr_job_board_integrations - Credential Encryption
Purpose
Move API keys, secrets, and refresh tokens to centralizedpf_credentials table for encryption at rest and audit logging. Plaintext credentials in hr_job_board_integrations pose security risk.
SQL Migration
Credential Migration Helper (Manual Process)
Code Changes Required
Hook:src/cores/hr/hooks/useJobBoardIntegrations.ts
Transition Strategy
Phase 1: Dual Support (Week 1-2)- Read from
credential_idif set, else fallback to plaintext columns - New integrations: Require credential_id
- Existing integrations: Continue to work with plaintext
- Run migration script to move all plaintext credentials to pf_credentials
- Verify all integrations still sync correctly
- Monitor edge function logs for credential lookup failures
- Require credential_id for all read/write operations
- Remove fallback to plaintext columns
- Schedule column removal after 30-day deprecation
Migration Validation Checklist
Before applying migrations:- Code changes deployed and tested
- Rollback procedures documented
- Data backup taken (per Supabase backup policy)
- RLS policies reviewed and tested
- Audit logging configured
- Team notified of maintenance window
- Monitoring alerts configured
- SQL scripts executed successfully
- Backfill completed without errors
- RLS policies tested with real user sessions
- Logs monitored for errors
- Rollback procedure rehearsed
- All E2E tests pass
- RLS tests pass
- Unit tests pass
- Performance benchmarks stable
- No increases in error rates
- Deprecation warnings logged appropriately
TypeScript Type Updates
After migrations are applied, regenerate Supabase types:Deployment Timeline
Target: Week of Feb 15, 2026 (flexible based on validation)Rollback Procedures
Migration 1: Token Hashing
- Keep plaintext
access_tokencolumn - Revert edge function to plaintext token validation
- RLS policies unchanged
Migration 2: Organization Isolation
- Backfill organization_id from
hr_candidatesagain - Restore RLS policies to previous (less strict) version
- No data loss
Migration 3: Credential Encryption
- Keep plaintext columns populated
- Revert hooks to read from plaintext columns
- Migrate pf_credentials back to plaintext table
- No data loss
Contact & Support
Questions: Post in #database-migrations Slack channelIssues during migration: Contact DevOps on-call
Post-migration issues: File bug report with error logs