curiositech/database-migration-manager
skills/database-migration-manager/SKILL.md
Safe database migration manager for zero-downtime DDL changes and rollback plans. Activate on: database migration, schema change, DDL, rollback plan, zero-downtime migration, Prisma migrate, Drizzle kit, Flyway, column rename, table alter. NOT for: query optimization (use database-optimizer), ORM modeling (use data-pipeline-engineer), backup/restore (use devops-automator).
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills database-migration-managerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:11 PM38.5s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- database-migration-manager
- description:
- Safe database migration manager for zero-downtime DDL changes and rollback plans. Activate on: database migration, schema change, DDL, rollback plan, zero-downtime migration, Prisma migrate, Drizzle kit, Flyway, column rename, table alter. NOT for: query optimization (use database-optimizer), ORM modeling (use data-pipeline-engineer), backup/restore (use devops-automator).
- allowed-tools:
- Read,Write,Edit,Bash(docker:*,kubectl:*,terraform:*,npm:*,npx:*)
- category:
- Backend & Infrastructure
- - skill:
- data-pipeline-engineer
- reason:
- Schema design that migrations implement
Database Migration Manager
Expert in safe, reversible database schema migrations with zero-downtime deployment strategies.
Activation Triggers
Activate on: "database migration", "schema change", "alter table", "add column", "drop column", "zero-downtime DDL", "rollback plan", "Prisma migrate", "Drizzle kit", "Flyway", "migration strategy"
NOT for: Query optimization → database-optimizer | ORM data modeling → data-pipeline-engineer | Backup/restore → devops-automator
Quick Start
- Assess the change — additive (safe), modification (needs strategy), or destructive (needs expand-contract)
- Write the migration — forward migration with explicit rollback SQL
- Test on staging — run against a copy of production data volume
- Plan zero-downtime — use expand-contract for breaking changes
- Execute with monitoring — deploy migration, watch error rates, rollback if needed
Core Capabilities
| Domain | Technologies | |--------|-------------| | ORM Migrations | Prisma Migrate, Drizzle Kit, TypeORM, Sequelize | | SQL Migrations | Flyway, Liquibase, golang-migrate, dbmate, Atlas | | Zero-Downtime | Expand-contract, shadow columns, online DDL (pt-online-schema-change) | | Databases | PostgreSQL 17, MySQL 8.4, SQLite, CockroachDB, PlanetScale | | Safety | Rollback scripts, dry-run validation, lock timeout guards |
Architecture Patterns
Expand-Contract Pattern (Zero-Downtime Column Rename)
Phase 1 — EXPAND (deploy migration, app reads both):
├─ Add new column `full_name`
├─ Backfill: UPDATE users SET full_name = name
├─ Add trigger: sync writes to both columns
└─ Deploy app reading `full_name`, falling back to `name`
Phase 2 — MIGRATE (app writes to new only):
├─ Deploy app writing only to `full_name`
└─ Verify no reads/writes to old column (query logs)
Phase 3 — CONTRACT (remove old):
├─ Drop trigger
├─ Drop old column `name`
└─ Clean migration: one final migration file
Safe Migration Template (PostgreSQL)
-- migrations/20260320_001_add_email_verified.sql
-- FORWARD
BEGIN;
SET lock_timeout = '5s'; -- Fail fast if table locked
ALTER TABLE users
ADD COLUMN IF NOT EXISTS email_verified boolean
DEFAULT false NOT NULL;
CREATE INDEX CONCURRENTLY IF NOT EXISTS
idx_users_email_verified ON users(email_verified)
WHERE email_verified = true;
COMMIT;
-- ROLLBACK (in companion file or comment block)
-- BEGIN;
-- DROP INDEX CONCURRENTLY IF EXISTS idx_users_email_verified;
-- ALTER TABLE users DROP COLUMN IF EXISTS email_verified;
-- COMMIT;
Migration Safety Ladder
Risk Level 1 (Safe): ADD COLUMN (nullable), CREATE INDEX CONCURRENTLY
Risk Level 2 (Caution): ADD COLUMN (with default), ADD NOT NULL constraint
Risk Level 3 (Danger): ALTER COLUMN TYPE, RENAME COLUMN
Risk Level 4 (Critical): DROP COLUMN, DROP TABLE
↓
Requires expand-contract pattern
Anti-Patterns
- Running migrations in application startup — if the migration fails, the app cannot start and cannot roll back. Run migrations as a separate CI/CD step with its own rollback.
- No lock_timeout —
ALTER TABLEacquires an ACCESS EXCLUSIVE lock. Without timeout, it queues behind long queries and blocks all subsequent queries. Always setlock_timeout. - Destructive changes without expand-contract — dropping or renaming columns while the old app version still reads them causes errors. Always use the expand-contract pattern for breaking changes.
- Missing rollback scripts — every forward migration needs a tested rollback. If you cannot roll back, the migration is not safe for production.
- Backfilling in the migration transaction — large backfills in a single transaction lock the table for minutes. Backfill in batches outside the DDL transaction.
Quality Checklist
[ ] Migration has explicit rollback SQL
[ ] lock_timeout set for all DDL statements
[ ] CREATE INDEX uses CONCURRENTLY
[ ] Breaking changes use expand-contract pattern
[ ] Backfills run in batches (1000-10000 rows per batch)
[ ] Migration tested against production-volume staging data
[ ] No data loss — dropped columns backed up or archived
[ ] Migration is idempotent (IF NOT EXISTS / IF EXISTS guards)
[ ] Application code deployed before destructive phase
[ ] Monitoring dashboards checked during and after migration
[ ] Migration numbered/timestamped for ordering
[ ] Rollback tested independently on staging
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026