
@Umair0343 Umair0343 commented Oct 12, 2025

User description

  • Comprehensive safety analysis for database migrations
  • Detects dangerous operations (DROP TABLE, TRUNCATE, DELETE without WHERE, DROP COLUMN)
  • Assesses data loss risks and validates safety practices
  • Provides safer alternatives with code examples
  • Supports multiple database systems (PostgreSQL, MySQL, SQLite, SQL Server, Oracle)
  • CI/CD integration examples for GitHub Actions, GitLab CI, Azure DevOps, Jenkins
  • Risk scoring algorithm with SAFE, CAUTION, DANGEROUS, CRITICAL levels
  • Comprehensive documentation and usage examples

This agent prevents catastrophic data loss and production incidents through automated migration safety analysis, addressing a critical gap in database migration tooling.


PR Type

Enhancement


Description

  • Add comprehensive database migration safety agent

  • Detect dangerous operations and assess data loss risks

  • Provide CI/CD integration examples for multiple platforms

  • Include risk scoring with safety recommendations


Diagram Walkthrough

flowchart LR
  A["Migration Files"] --> B["Safety Agent"]
  B --> C["Risk Analysis"]
  C --> D["Safety Score"]
  C --> E["Dangerous Operations"]
  C --> F["Safer Alternatives"]
  D --> G["CI/CD Integration"]
  E --> G
  F --> G

File Walkthrough

Relevant files

Configuration changes (5 files)
  • jenkins-pipeline.groovy: Jenkins CI/CD pipeline configuration (+155/-0)
  • agent.toml: Agent configuration with safety analysis instructions (+338/-0)
  • azure-devops.yml: Azure DevOps pipeline configuration (+121/-0)
  • github-actions.yml: GitHub Actions workflow configuration (+102/-0)
  • gitlab-ci.yml: GitLab CI pipeline configuration (+115/-0)

Documentation (4 files)
  • README.md: Comprehensive documentation and usage guide (+266/-0)
  • dangerous-migration.sql: Example dangerous migration with DROP operations (+15/-0)
  • safe-migration.sql: Example safe migration with ADD operations (+16/-0)
  • usage-examples.md: Comprehensive usage examples and scenarios (+463/-0)

- Comprehensive safety analysis for database migrations
- Detects dangerous operations (DROP TABLE, TRUNCATE, DELETE without WHERE, DROP COLUMN)
- Assesses data loss risks and validates safety practices
- Provides safer alternatives with code examples
- Supports multiple database systems (PostgreSQL, MySQL, SQLite, SQL Server, Oracle)
- CI/CD integration examples for GitHub Actions, GitLab CI, Azure DevOps, Jenkins
- Risk scoring algorithm with SAFE, CAUTION, DANGEROUS, CRITICAL levels
- Comprehensive documentation and usage examples

This agent prevents catastrophic data loss and production incidents through
automated migration safety analysis, addressing a critical gap in database
migration tooling.
qodo-free-for-open-source-projects bot commented Oct 12, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unpinned third-party tool

Description: The pipeline installs a global npm package @qodo/command without pinning a version or
verifying integrity, which risks supply-chain compromise in CI.
jenkins-pipeline.groovy [26-29]

Referred Code
    sh 'node --version'
    sh 'npm --version'
    sh 'npm install -g @qodo/command'
}
Unpinned third-party tool

Description: Global installation of @qodo/command without version pinning or checksum verification
introduces supply-chain risk in CI environments.
github-actions.yml [31-33]

Referred Code
- name: Install Qodo Command
  run: npm install -g @qodo/command
Unpinned third-party tool

Description: Installing @qodo/command without explicit version pinning in CI can allow malicious
updates to be pulled inadvertently.
gitlab-ci.yml [13-14]

Referred Code
- npm install -g @qodo/command
Unpinned third-party tool

Description: The pipeline installs @qodo/command with npm globally without version pinning or signature
verification, enabling potential supply-chain attacks.
azure-devops.yml [41-42]

Referred Code
  npm install -g @qodo/command
displayName: 'Install Qodo Command'
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

qodo-free-for-open-source-projects bot commented Oct 12, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Use a deterministic SQL parser

Replace the non-deterministic LLM-based SQL analysis with a reliable,
deterministic SQL parsing library. This involves using an Abstract Syntax Tree
(AST) to accurately identify dangerous operations, which is crucial for a
safety-critical tool.

Examples:

agents/database-migration-safety/agent.toml [7-185]
instructions = """
You are a database migration safety specialist responsible for preventing catastrophic data loss and production incidents through comprehensive migration analysis.

## Core Mission

Analyze SQL migration files to identify dangerous operations, assess data loss risks, validate safety practices, and provide actionable recommendations to prevent production disasters.

## Analysis Framework

### 1. MIGRATION DISCOVERY PHASE

 ... (clipped 169 lines)

Solution Walkthrough:

Before:

// agent.toml instructions for the LLM
instructions = """
You are a database migration safety specialist...

### 2. DANGEROUS OPERATION DETECTION
- Parse SQL migration files using your own intelligence.
- Identify operations like DROP TABLE, TRUNCATE, DELETE without WHERE.
...
"""

// Agent execution (simplified)
function run_agent(files) {
  // The LLM is responsible for both parsing and analysis
  return llm.execute(instructions, files);
}

After:

// New agent logic with a deterministic parser (SQL_PARSER stands for any
// library that turns SQL text into an AST)
function analyze_sql_file(sql_content) {
  const ast = SQL_PARSER.parse(sql_content);
  const dangerous_ops = [];

  // Deterministically find dangerous operations from the AST
  for (const statement of ast.statements) {
    if (statement.type === 'DROP_TABLE' ||
        (statement.type === 'DELETE' && !statement.has_where_clause)) {
      dangerous_ops.push(statement);
    }
  }
  return dangerous_ops;
}

// LLM is now used for higher-level tasks
function run_agent(files) {
  // flatMap gives one flat list of operations across all files
  const all_dangerous_ops = files.flatMap(analyze_sql_file);
  return llm.summarize_and_suggest_alternatives(all_dangerous_ops);
}
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical design flaw, as using a non-deterministic LLM for safety-critical SQL parsing undermines the agent's core reliability and purpose.

High
Possible issue
Define missing agent output argument

Add the missing output_file argument to the agent's configuration in agent.toml
to align with its usage in the provided CI/CD examples.

agents/database-migration-safety/agent.toml [188-196]

 arguments = [
     { name = "migration_directory", type = "string", required = false, default = ".", description = "Directory to scan for migration files" },
     { name = "database_type", type = "string", required = false, description = "Database type for analysis (postgresql, mysql, sqlite, sqlserver, oracle)" },
     { name = "risk_threshold", type = "string", required = false, default = "caution", description = "Minimum risk level to report (safe, caution, dangerous, critical)" },
     { name = "include_rollback_check", type = "boolean", required = false, default = true, description = "Check for rollback script presence" },
     { name = "check_backup_requirements", type = "boolean", required = false, default = true, description = "Validate backup procedures for destructive operations" },
     { name = "suggest_alternatives", type = "boolean", required = false, default = true, description = "Provide safer alternative suggestions" },
-    { name = "exclude_patterns", type = "string", required = false, description = "Comma-separated list of file patterns to exclude from analysis" }
+    { name = "exclude_patterns", type = "string", required = false, description = "Comma-separated list of file patterns to exclude from analysis" },
+    { name = "output_file", type = "string", required = false, description = "File path to save the JSON results" }
 ]
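Review bot: the new `output_file` entry has no `default`, unlike `migration_directory` and `risk_threshold` in the same array, so the hunk leaves undefined what the agent does when the flag is omitted (stdout only, or no output at all). Either give it a default that matches the CI examples, e.g. `default = "migration-safety-results.json"`, or say in the description that omitting it prints to stdout. The description also promises "JSON results" without naming the schema; the CI steps that read the file need that documented somewhere.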
Suggestion importance[1-10]: 8


Why: The suggestion correctly identifies that the --output_file argument, used in multiple CI/CD examples, is missing from the agent's definition in agent.toml, which would cause the examples to fail.

Medium
Add missing output file argument

Add the --output_file=migration-safety-results.json argument to the qodo command
in the github-actions.yml workflow to ensure the analysis results are saved for
subsequent steps.

agents/database-migration-safety/examples/ci-configs/github-actions.yml [34-42]

 - name: Check Migration Safety
+  id: safety_check
   run: |
     echo "🔍 Analyzing database migrations for safety..."
     qodo database_migration_safety \
       --migration_directory=./migrations \
       --risk_threshold=caution \
       --include_rollback_check=true \
       --check_backup_requirements=true \
-      --suggest_alternatives=true
+      --suggest_alternatives=true \
+      --output_file=migration-safety-results.json
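Review bot: `id: safety_check` is added but none of the visible lines set or consume a step output (`steps.safety_check.outputs.*`), so either drop the id or make the step export something, e.g. `echo "report=migration-safety-results.json" >> "$GITHUB_OUTPUT"`. Also, if a migration above the threshold makes `qodo` exit non-zero, the step that reads `migration-safety-results.json` afterwards only runs when it carries `if: always()`; otherwise the report is lost exactly in the case it was written for.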
Suggestion importance[1-10]: 8


Why: The suggestion correctly identifies a missing --output_file argument in the qodo command, which is essential for the subsequent step that reads the output file, thus fixing a bug in the example workflow.

Medium
Use correct task for publishing artifacts

In azure-devops.yml, replace the incorrect PublishTestResults@2 task with
PublishBuildArtifacts@1 to correctly handle the JSON output file as a build
artifact.

agents/database-migration-safety/examples/ci-configs/azure-devops.yml [55-60]

-- task: PublishTestResults@2
+- task: PublishBuildArtifacts@1
   inputs:
-    testResultsFormat: 'JUnit'
-    testResultsFiles: 'migration-safety-results.json'
-    testRunTitle: 'Migration Safety Analysis'
-  displayName: 'Publish Test Results'
+    pathToPublish: 'migration-safety-results.json'
+    artifactName: 'migration-safety-results'
+  displayName: 'Publish Migration Safety Results'
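Review bot: `PublishBuildArtifacts@1` is the right task for a JSON file, but as written it only runs when every earlier step succeeded, so a failing safety check publishes nothing. Add `condition: succeededOrFailed()` to the task so the results are uploaded in the failure case, which is the case a reviewer needs them. A relative `pathToPublish` is resolved against the repository root; writing it as `$(System.DefaultWorkingDirectory)/migration-safety-results.json` makes that explicit.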
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies that the PublishTestResults@2 task is misused with a JSON file and proposes replacing it with an appropriate task, which fixes an error in the example pipeline.

Medium
Remove incorrect JUnit report configuration

In gitlab-ci.yml, remove the reports: junit configuration from the artifacts
section to correctly handle the JSON output as a standard build artifact instead
of a JUnit report.

agents/database-migration-safety/examples/ci-configs/gitlab-ci.yml [26-31]

 artifacts:
-  reports:
-    junit: migration-safety-results.json
   paths:
     - migration-safety-results.json
   expire_in: 1 week
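Review bot: dropping `reports: junit` is correct, but `artifacts` keep GitLab's default `when: on_success`, so a job that fails because the migration is rated above `risk_threshold` uploads no results. Add `when: always` under `artifacts:` next to `expire_in: 1 week` so the report survives the failing run.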
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies that a JSON file is being incorrectly declared as a JUnit report, which would cause a pipeline error, and provides a correct fix.

Medium
General
Use standard Jenkins mail step

Replace the emailext step with the more standard mail step in the Jenkins
pipeline's post block to reduce dependency on non-default plugins and improve
compatibility.

agents/database-migration-safety/examples/ci-configs/jenkins-pipeline.groovy [133-154]

 post {
     always {
         echo "Migration safety check completed"
     }
     
     success {
         echo "✅ Migration safety check passed"
     }
     
     failure {
         echo "❌ Migration safety check failed"
-        emailext (
+        mail (
             subject: "Migration Safety Check Failed - ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
             body: "The migration safety check has failed. Please review the results and address any issues.",
             to: "${env.CHANGE_AUTHOR_EMAIL ?: '[email protected]'}"
         )
     }
     
     unstable {
         echo "⚠️ Migration safety check unstable"
     }
 }
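Review bot: `mail` removes the Email Extension dependency but still needs the Mailer plugin's SMTP settings configured on the controller, which the example should say in a comment. `env.CHANGE_AUTHOR_EMAIL` is only populated for multibranch pull-request builds, so plain branch builds will always fall through to the fallback address, which is a placeholder that will ship unchanged in copied pipelines. The `failure` block also does not preserve the results file; an `archiveArtifacts` step in `always` would keep the report for whoever receives the mail.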
Suggestion importance[1-10]: 5


Why: The suggestion improves the robustness of the Jenkins example by replacing a dependency on a non-standard plugin (emailext) with a more common one (mail), making the example more universally applicable.

Low
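As an added example (not the PR's agent or any Qodo code) of the deterministic detection the first suggestion argues for: comments and string literals are blanked before any keyword matching, the statement list is then checked for the four operations named in the PR description, and the result is scored with the PR's SAFE, CAUTION, DANGEROUS and CRITICAL levels. The operation-to-level mapping, the rule set and the sample migration are this example's own assumptions.

```python
import re
from enum import IntEnum

class Risk(IntEnum):  # the PR's four levels, ordered so findings can be compared
    SAFE, CAUTION, DANGEROUS, CRITICAL = range(4)
# Comments and single-quoted literals ('' escapes a quote) are blanked out first, so
# "-- DROP TABLE" in a comment yields no finding and ';' in a string cannot split.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)

# Operation -> risk mapping is this example's assumption, not the agent's own.
_RULES = (
    (re.compile(r"^DROP\s+TABLE\b", re.I), "DROP TABLE", Risk.CRITICAL),
    (re.compile(r"^TRUNCATE\b", re.I), "TRUNCATE", Risk.CRITICAL),
    (re.compile(r"^DELETE\b(?!.*\bWHERE\b)", re.I), "DELETE without WHERE", Risk.DANGEROUS),
    # MySQL allows "DROP col" without COLUMN; other DROP kinds inside ALTER are excluded.
    (re.compile(r"^ALTER\s+TABLE\b.*\bDROP\s+(?:COLUMN\s+)?"
                r"(?!CONSTRAINT|INDEX|KEY|FOREIGN|PRIMARY)\w+", re.I), "DROP COLUMN", Risk.DANGEROUS),
)
def statements(sql: str) -> list[str]:
    """Noise removed, split on ';', whitespace normalised, empty parts dropped."""
    parts = (re.sub(r"\s+", " ", p).strip() for p in _NOISE.sub(" ", sql).split(";"))
    return [p for p in parts if p]

def scan(sql: str) -> list[tuple[int, str, Risk]]:
    """(statement number, operation, risk) for every dangerous statement."""
    findings = []
    for n, stmt in enumerate(statements(sql), start=1):
        for pattern, label, risk in _RULES:
            if pattern.search(stmt):
                findings.append((n, label, risk))
                break  # first matching rule wins: one finding per statement
    return findings

def score(sql: str) -> Risk:
    return max((risk for _, _, risk in scan(sql)), default=Risk.SAFE)  # worst finding

def passes(sql: str, threshold: Risk = Risk.CAUTION) -> bool:
    return score(sql) < threshold  # mirrors --risk_threshold: a finding at/above it fails

# Constructed sample migration; the comment and the string literal are decoys.
SAMPLE_MIGRATION = """
-- cleanup migration; DROP TABLE old_users happens last
ALTER TABLE users ADD COLUMN archived BOOLEAN DEFAULT FALSE;
INSERT INTO audit_log (note) VALUES ('DROP TABLE noted; not run');
DELETE FROM sessions WHERE expires_at < NOW();
DELETE FROM temp_import;
ALTER TABLE orders DROP COLUMN legacy_ref;
TRUNCATE TABLE staging;
DROP TABLE old_users;
"""
```

Running `scan(SAMPLE_MIGRATION)` reports statements 4 to 7 and leaves the comment and the literal alone, which a keyword grep over the raw text would not; a `DELETE ... WHERE 1=1` still passes, so the threshold is a floor, not a proof of safety.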

- Fix security compliance: Pin @qodo/[email protected] in all CI/CD configs
- Fix deterministic parsing: Replace LLM-based SQL analysis with deterministic parsing approach
- Update agent instructions to emphasize tokenization and AST-based analysis
- Update README to reflect deterministic SQL parsing capabilities

Security fixes:
- Pin npm package versions to prevent supply chain attacks
- Add version verification for CI/CD environments

Architecture improvements:
- Replace non-deterministic LLM parsing with deterministic SQL tokenization
- Add structured parsing approach using AST-like analysis
- Improve reliability for safety-critical operations
- Maintain comprehensive safety analysis capabilities

All compliance issues from PR review have been addressed.