You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Platform-side provisioning for the module-shared schema feature shipped in SDK issue #31. Issue #20 covers the per-(module, app) role but NOT the per-module role and `mod_` schema that `Module.ModuleDB` / `Module.ModuleTx` depend on.
Schema creation — on module install, `CREATE SCHEMA mod_` in the shared Postgres cluster. The module's `Config.ID` regex (`^[a-z][a-z0-9_]{0,30}$`, enforced in SDK validate Config.ID format in New() #65) guarantees the schema name is a safe identifier.
Per-module DB role — separate from the per-(module, app) role. Naming convention e.g. `mod__module`. Has `USAGE` on `mod` only; the per-(module, app) role does NOT. This is the trust boundary for cross-app module state (outbox tables, dedup ledgers, module-wide config).
IAM token injection — same IAM auth pattern as Platform: IAM auth token generation for per-app DB credentials #19 but the `db.ModuleCredential` is injected via a separate field in the Lambda payload (`Resources.ModuleDB` — NB: this is not currently in the `Resources` struct, the architect review flagged it as a follow-up).
Migration execution — platform runs `sql/module/` migrations against the `mod_` schema using the per-module role. The SDK's `/lifecycle/module/*` endpoints are wired correctly after fix(lifecycle): wire ModuleTx for module-scope handlers #67.
Disjoint GRANTs — per-(module, app) role gets USAGE on `app_` ONLY. Per-module role gets USAGE on `mod_` ONLY. Cross-access is a platform bug.
Summary
Platform-side provisioning for the module-shared schema feature shipped in SDK issue #31. Issue #20 covers the per-(module, app) role but NOT the per-module role and `mod_` schema that `Module.ModuleDB` / `Module.ModuleTx` depend on.
What the SDK expects (from merged PR #63)
Schema creation — on module install, `CREATE SCHEMA mod_` in the shared Postgres cluster. The module's `Config.ID` regex (`^[a-z][a-z0-9_]{0,30}$`, enforced in SDK validate Config.ID format in New() #65) guarantees the schema name is a safe identifier.
Per-module DB role — separate from the per-(module, app) role. Naming convention e.g. `mod__module`. Has `USAGE` on `mod` only; the per-(module, app) role does NOT. This is the trust boundary for cross-app module state (outbox tables, dedup ledgers, module-wide config).
IAM token injection — same IAM auth pattern as Platform: IAM auth token generation for per-app DB credentials #19 but the `db.ModuleCredential` is injected via a separate field in the Lambda payload (`Resources.ModuleDB` — NB: this is not currently in the `Resources` struct, the architect review flagged it as a follow-up).
Migration execution — platform runs `sql/module/` migrations against the `mod_` schema using the per-module role. The SDK's `/lifecycle/module/*` endpoints are wired correctly after fix(lifecycle): wire ModuleTx for module-scope handlers #67.
Disjoint GRANTs — per-(module, app) role gets USAGE on `app_` ONLY. Per-module role gets USAGE on `mod_` ONLY. Cross-access is a platform bug.
Related
Files / systems affected
Origin
Feature was shipped in SDK PRs #59, #60, #61, #63, #67 (closing #31 and #66) but the platform-side provisioning never got its own tracker.