Skip to main content
Status: DEFERRED - Schedule for next deployment cycle
Created: 2026-02-08
Author: AI Assistant
Target Release: 2026-02-15 (or later after code validation)

Overview

Three database migrations are required to complete HR-09-P5 implementation:
  1. HR References: Secure token storage via hashing
  2. Candidate Portal Sessions: Organization isolation
  3. Job Board Integrations: Centralized credential management
Each migration requires code changes and a transition period to maintain backward compatibility.

Migration 1: hr_references - Token Hashing (Phase 5.1)

Purpose

Migrate reference submission tokens from plaintext storage to cryptographically hashed format to comply with security best practices and reduce data breach risk.

SQL Migration

Code Changes Required

Edge Function: supabase/functions/hr-reference-submit/index.ts

Transition Strategy

Phase 1: Dual Support (Week 1-2)
  • New reference requests: Use hashed tokens
  • Existing references: Still accept plaintext tokens
  • Log all token validations for audit
Phase 2: Migration (Week 3-4)
  • Run data migration script to hash existing plaintext tokens
  • Verify all existing references can still be accessed
  • Monitor error logs for validation failures
Phase 3: Deprecation (Week 5+)
  • Stop generating plaintext tokens
  • Require hashed tokens for all new validations
  • Schedule column removal after 30-day deprecation period

Rollback Plan

If issues arise before column removal:
  1. Keep access_token plaintext column indefinitely
  2. Continue dual-path validation (hash first, then plaintext)
  3. Document why hashing was reverted

Migration 2: hr_candidate_portal_sessions - Organization Isolation

Purpose

Add organization_id column to enforce tenant isolation and enable RLS policies. Currently sessions may lack org context, preventing proper multi-tenant access control.

SQL Migration

Code Changes Required

Hook: src/cores/hr/hooks/useCandidatePortalSession.ts
Portal Component: Ensure organization context is passed when creating sessions.

Transition Strategy

Pre-Migration:
  • Code changes deployed (accepting but not requiring organization_id)
  • All new sessions created WITH organization_id
  • Existing sessions continue to work
Migration Day:
  1. Run SQL backfill
  2. Verify RLS policies work correctly
  3. Test portal access with org-scoped sessions
  4. Make organization_id NOT NULL
Post-Migration:
  • Enforce organization_id in application code
  • Monitor RLS errors in logs
  • Remove code paths that don’t set organization_id

Migration 3: hr_job_board_integrations - Credential Encryption

Purpose

Move API keys, secrets, and refresh tokens to centralized pf_credentials table for encryption at rest and audit logging. Plaintext credentials in hr_job_board_integrations pose security risk.

SQL Migration

Credential Migration Helper (Manual Process)

Code Changes Required

Hook: src/cores/hr/hooks/useJobBoardIntegrations.ts

Transition Strategy

Phase 1: Dual Support (Week 1-2)
  • Read from credential_id if set, else fallback to plaintext columns
  • New integrations: Require credential_id
  • Existing integrations: Continue to work with plaintext
Phase 2: Migration (Week 3-4)
  • Run migration script to move all plaintext credentials to pf_credentials
  • Verify all integrations still sync correctly
  • Monitor edge function logs for credential lookup failures
Phase 3: Enforcement (Week 5+)
  • Require credential_id for all read/write operations
  • Remove fallback to plaintext columns
  • Schedule column removal after 30-day deprecation

Migration Validation Checklist

Before applying migrations:
  • Code changes deployed and tested
  • Rollback procedures documented
  • Data backup taken (per Supabase backup policy)
  • RLS policies reviewed and tested
  • Audit logging configured
  • Team notified of maintenance window
  • Monitoring alerts configured
During migration:
  • SQL scripts executed successfully
  • Backfill completed without errors
  • RLS policies tested with real user sessions
  • Logs monitored for errors
  • Rollback procedure rehearsed
After migration:
  • All E2E tests pass
  • RLS tests pass
  • Unit tests pass
  • Performance benchmarks stable
  • No increases in error rates
  • Deprecation warnings logged appropriately

TypeScript Type Updates

After migrations are applied, regenerate Supabase types:
Then update components to include new columns:

Deployment Timeline

Target: Week of Feb 15, 2026 (flexible based on validation)

Rollback Procedures

Migration 1: Token Hashing

  • Keep plaintext access_token column
  • Revert edge function to plaintext token validation
  • RLS policies unchanged

Migration 2: Organization Isolation

  • Backfill organization_id from hr_candidates again
  • Restore RLS policies to previous (less strict) version
  • No data loss

Migration 3: Credential Encryption

  • Keep plaintext columns populated
  • Revert hooks to read from plaintext columns
  • Migrate pf_credentials back to plaintext table
  • No data loss

Contact & Support

Questions: Post in #database-migrations Slack channel
Issues during migration: Contact DevOps on-call
Post-migration issues: File bug report with error logs