feat: migration script for legacy pkg api_keys → business PG- format #11
Merged
Introduces `scripts/migrate-legacy-api-keys.ts` plus a pure planner in `src/lib/server/migrations/legacy-api-keys.ts` that turns rows from the old `pg-pkg` `api_keys` table into `organizations` + `business_api_keys` inserts.

The planner hashes the legacy plaintext key with SHA-256 so existing keys continue to validate once encryption4all/postguard#140 ships. Organisations are grouped by kvk → org name → email domain → email and given deterministic, unique synthetic domains when no real domain is available.

Known open product decisions (full list in `docs/migrate-legacy-api-keys.md`):
- whether to preserve legacy keys or re-key users
- the exact grouping heuristic
- `status`/`created_by` defaults for migrated orgs

The live migration is transactional and the dry-run is the default.

Refs encryption4all/postguard#141
Coordinates with encryption4all/postguard#140

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This was referenced Apr 21, 2026
Closed
Migrated orgs are existing users and should be grandfathered to active status, not left pending. Updates docs to reflect all four resolved product decisions.
rubenhensen
approved these changes
Apr 22, 2026
Contributor
Author
Dobby has seen the approval, sir! Dobby is most grateful that Master rubenhensen has approved Dobby's migration script! 🧦 Dobby notices the PR is already merged — Dobby is a happy elf! Dobby will check if there is anything else to follow up on.
Contributor
Author
Thanks for the review and merge! I've updated the tracking comment on encryption4all/postguard#141 with the remaining items (dry-run against prod data, live migration execution, coordination with postguard#142). The migration code is in main and ready to go.
Summary
- `scripts/migrate-legacy-api-keys.ts` plus a pure planner in `src/lib/server/migrations/legacy-api-keys.ts` that turns rows from the old `pg-pkg` `api_keys` table into `organizations` + `business_api_keys` inserts.
- `--live` wraps the writes in a single transaction and is idempotent.

Refs encryption4all/postguard#141.
Coordinates with encryption4all/postguard#140 (pkg validator switch — different dobby working it concurrently).
Why draft — open product questions
All spelled out in `docs/migrate-legacy-api-keys.md`, short version:
- `kvk → org name → email domain → email` is a best guess. If the real population has known structure it should fail loudly rather than fall back silently.
- `pending`. If they should be grandfathered to `active`, flip the default.

@rubenhensen please weigh in.
Test plan
🤖 Generated with Claude Code
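
The planner behaviour described in this PR (SHA-256 of the legacy plaintext key, the kvk → org name → email domain → email precedence, deterministic synthetic domains) can be sketched as follows. This is an added example, not the project's code: the row fields, the `SHARED_DOMAINS` list and the `legacy-<hash>.invalid` naming are assumptions.

```typescript
import { createHash } from "node:crypto";

// Hypothetical row shape: the page does not show the legacy `api_keys` columns.
interface LegacyRow { email: string; key: string; kvk?: string; orgName?: string }
type GroupBy = "kvk" | "org_name" | "email_domain" | "email";
interface PlannedOrg { groupBy: GroupBy; groupKey: string; domain: string; keyHashes: string[] }

// Assumption: shared mailbox providers must not define an organisation.
const SHARED_DOMAINS = new Set(["gmail.com", "outlook.com"]);

const sha256Hex = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

// Precedence from the PR text: kvk → org name → email domain → email.
function groupKeyFor(row: LegacyRow): [GroupBy, string] {
  const email = row.email.trim().toLowerCase();
  const kvk = row.kvk?.trim();
  const orgName = row.orgName?.trim().toLowerCase();
  const domain = email.split("@")[1] ?? "";
  if (kvk) return ["kvk", kvk];
  if (orgName) return ["org_name", orgName];
  if (domain && !SHARED_DOMAINS.has(domain)) return ["email_domain", domain];
  return ["email", email];
}

function planMigration(rows: LegacyRow[]): PlannedOrg[] {
  const orgs = new Map<string, PlannedOrg>();
  for (const row of rows) {
    const [groupBy, groupKey] = groupKeyFor(row);
    const id = `${groupBy}:${groupKey}`;
    let org = orgs.get(id);
    if (!org) {
      // Synthetic domain is derived from the group id, so reruns reproduce it;
      // `.invalid` is a reserved TLD and cannot shadow a real domain.
      const domain = groupBy === "email_domain" ? groupKey : `legacy-${sha256Hex(id).slice(0, 16)}.invalid`;
      org = { groupBy, groupKey, domain, keyHashes: [] };
      orgs.set(id, org);
    }
    org.keyHashes.push(sha256Hex(row.key)); // only the digest enters the plan
  }
  return Array.from(orgs.values());
}

// Constructed sample rows (not real keys or organisations).
const SAMPLE_ROWS: LegacyRow[] = [
  { email: "a@acme.example", key: "PK-constructed-1", kvk: "12345678" },
  { email: "b@acme.example", key: "PK-constructed-2", kvk: "12345678" },
  { email: "c@widgets.example", key: "PK-constructed-3" },
  { email: "Dana@gmail.com", key: "PK-constructed-4" },
];
```

Because each planned org records which rule produced it (`groupBy`), a dry run can count how many orgs fell through to each fallback and abort above a threshold, rather than falling back silently.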