Database Migrations
JITSudo uses Goose for PostgreSQL schema migrations. Migration files live in migrations/.
Running Migrations
```bash
# Via Make target (requires DATABASE_URL)
make migrate

# Via binary directly
./bin/migrate
```

In Docker Compose, migrations run automatically via the migrate service before the server and worker start.
Schema Overview
The migration history creates these core tables:
| Table | Purpose |
|---|---|
| `tenants` | Multi-tenant root, includes `aws_role_arn` |
| `tenant_domains` | Email domain → tenant mapping |
| `requests` | Access request lifecycle (status, duration, break_glass, timeout) |
| `request_messages` | Threaded messages on requests |
| `grants` | Approved access grants with provisioning state |
| `policy_rules` | Cedar policy rules (decomposed fields + conditions) |
| `api_keys` | Per-tenant API authentication keys |
| `audit_log` | Compliance audit trail (actor, action, resource, metadata) |
| `notification_channels` | Event notification configuration with filters |
| `aws_resources` | Cached AWS resource metadata |
| `oidc_config` | Per-tenant OIDC provider configuration |
| `system_settings` | Key-value system settings |
| `users` | Local user accounts |
All tables include tenant_id foreign keys for isolation. Core tables support JSONB metadata columns for flexible extension.
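
The isolation claim above can be checked against a migrated database. The query below is an added example, not part of JITSudo's own code: it lists every table that lacks a `tenant_id` foreign key to `tenants`. It assumes the tables live in the `public` schema, that the foreign key column is named `tenant_id`, and that Goose uses its default version table name `goose_db_version`; the root `tenants` table is excluded because it is the target of the key.

```sql
-- Added example: find tables without a tenant_id foreign key to tenants.
-- Assumptions: schema "public", FK column named tenant_id,
-- Goose version table left at its default name goose_db_version.
SELECT c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
  AND c.relname NOT IN ('tenants', 'goose_db_version')
  AND NOT EXISTS (
    SELECT 1
    FROM pg_constraint con
    JOIN pg_attribute a
      ON a.attrelid = con.conrelid
     AND a.attnum = ANY (con.conkey)     -- columns that make up the constraint
    WHERE con.conrelid = c.oid
      AND con.contype = 'f'              -- foreign key constraints only
      AND con.confrelid = 'public.tenants'::regclass
      AND a.attname = 'tenant_id'
  )
ORDER BY c.relname;
```

An empty result means every remaining table carries the foreign key. Running it with `psql` against `DATABASE_URL` after each new migration catches a table added without the tenant reference.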