fix: adding db recovery practices (bye bye db)

2026-03-02 11:16:52 -06:00
parent 301b3f8967
commit d9df9b0fe4
11 changed files with 409 additions and 15 deletions
--- a/tests-results-for-OWASP/README.md
+++ b/tests-results-for-OWASP/README.md
@@ -25,6 +25,7 @@ This directory is the source of truth for SkyMoney OWASP validation work.
 - `post-deployment-verification-checklist.md`: Production smoke checks after each deploy.
 - `evidence-log-template.md`: Copy/paste template for recording each verification run.
 - `residual-risk-backlog.md`: Open non-blocking hardening items tracked release-to-release.
+- `../docs/production-db-recovery-runbook.md`: Incident response + recovery + admin bootstrap runbook.

 ## Current status

--- a/tests-results-for-OWASP/evidence-log-template.md
+++ b/tests-results-for-OWASP/evidence-log-template.md
@@ -6,12 +6,16 @@
 - Environment: `local` | `staging` | `production`
 - App/API version (git SHA):
 - Operator:
+- Incident/reference ticket (if recovery event):

 ## Environment flags

 - `NODE_ENV`:
 - `AUTH_DISABLED`:
 - `ALLOW_INSECURE_AUTH_FOR_DEV`:
+- `COMPOSE_PROJECT_NAME`:
+- `EXPECTED_PROD_DB_HOST`:
+- `EXPECTED_PROD_DB_NAME`:

 ## Commands executed

@@ -33,6 +37,30 @@ Output summary:
 ```
 Output summary:

+4.
+```bash
+# command
+```
+Output summary:
+
+## Recoverability Evidence
+
+- Current Postgres container:
+- Mounted volume(s):
+- Candidate old volume(s) inspected:
+- Recoverable artifact found: `yes` | `no`
+- Artifact location:
+- Recovery decision:
+
+## Backup/Restore Drill Evidence
+
+- Latest backup file:
+- Latest checksum file:
+- Checksum verified: `yes` | `no`
+- Restore test DB name:
+- Restore succeeded: `yes` | `no`
+- Row count checks performed:
+
 ## Results

 - A01 protected route unauthenticated check: `pass` | `fail`
@@ -56,6 +84,8 @@ Output summary:
 - New issues observed:
 - Regressions observed:
 - Follow-up tickets:
+- Data recovery status:
+- Admin user bootstrap status:

 ## Residual Risk Review

--- a/tests-results-for-OWASP/post-deployment-verification-checklist.md
+++ b/tests-results-for-OWASP/post-deployment-verification-checklist.md
@@ -18,6 +18,55 @@ echo "$TEST_DATABASE_URL"
 Expected:
 - single valid URL value
 - host/port match the intended test database (for local runs usually `127.0.0.1:5432`)
+5. Compose/DB safety preflight:
+- `COMPOSE_PROJECT_NAME=skymoney` is set for deploy runtime.
+- `docker-compose.yml` volume `pgdata` is pinned to `skymoney_pgdata`.
+- `scripts/validate-prod-db-target.sh` passes for current `.env`.
+- deploy runbook acknowledges forbidden destructive commands in prod:
+  - `prisma migrate reset`
+  - `prisma migrate dev`
+  - `prisma db push --accept-data-loss`
+  - `docker compose down -v` / `docker-compose down -v`
+
+## Database recoverability and safety checks
+
+### 0) Capture current container and volume bindings
+
+```bash
+docker ps --format '{{.Names}}'
+docker inspect <postgres-container> --format '{{json .Mounts}}'
+docker volume ls | grep -E 'pgdata|skymoney|postgres'
+```
+
+Expected:
+- production Postgres uses `skymoney_pgdata`.
+- no unexpected new empty volume silently substituted.
+
+### 0.1) Validate latest backup artifact exists and verifies
+
+```bash
+ls -lt /opt/skymoney/backups | head
+LATEST_DUMP="$(ls -1t /opt/skymoney/backups/*.dump | head -n 1)"
+sha256sum -c "${LATEST_DUMP}.sha256"
+```
+
+Expected:
+- latest dump and checksum exist.
+- checksum verification returns `OK`.
+
+### 0.2) Restore drill into isolated test DB (same VPS)
+
+```bash
+RESTORE_DB="skymoney_restore_test_$(date +%Y%m%d%H%M)" \
+BACKUP_FILE="$LATEST_DUMP" \
+RESTORE_DATABASE_URL="postgres://<user>:<pass>@127.0.0.1:5432/${RESTORE_DB}" \
+DATABASE_URL="postgres://<admin-user>:<admin-pass>@127.0.0.1:5432/skymoney" \
+./scripts/restore.sh
+```
+
+Expected:
+- restore completes without manual edits.
+- key tables readable in restored DB.

 ## A01 smoke checks

@@ -51,7 +100,7 @@ curl -i -X POST "${API_BASE}/admin/rollover" \
 ```

 Expected:
- HTTP `403`
+- HTTP `401` or `403` (must not be publicly callable)

 ## A09 smoke checks

@@ -98,10 +147,11 @@ Expected:
 Note:
 - A06/A07 runtime suites require PostgreSQL availability.
 - `SECURITY_DB_TESTS=0` runs non-DB security controls only.
- `SECURITY_DB_TESTS=1` includes DB-backed A06/A07 suites.
+- `SECURITY_DB_TESTS=1` includes DB-backed A06/A07/forgot-password suites.

 ## Sign-off

 1. Record outputs in `evidence-log-template.md`.
 2. Review open residual risks in `residual-risk-backlog.md`.
-3. Mark release security check as pass/fail.
+3. Record backup + restore drill evidence.
+4. Mark release security check as pass/fail.