Open
Description
Summary
go-api currently executes a destructive schema reset path during initialization, which can wipe data on service restart.
Why this matters
This is a production data-loss risk. Any startup path that can drop tables by default is unacceptable for production readiness.
Evidence
In minor-projects/go-api/sirius/postgres/connection.go, initializeSchema() calls dropTablesInOrder() before migration.
Current behavior
- startup -> initializeSchema() -> dropTablesInOrder() -> then migrations run
Expected behavior
- destructive schema reset is disabled by default
- production start never drops tables automatically
- reset path requires explicit opt-in flag for dev/test only
Proposed fix
- Introduce an explicit env gate (example: DB_RESET_SCHEMA=true).
- Default to safe (false) when unset.
- Guard dropTablesInOrder() behind that flag.
- Add a startup log warning when reset mode is enabled.
- Add tests for both safe and reset modes.
- Ensure production compose/deploy configs never set the reset flag.
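An added illustration of the gated startup path described above; this is example code, not code from go-api. DB_RESET_SCHEMA and dropTablesInOrder() come from the issue, while ResetSchemaEnabled, SchemaOps and InitializeSchema are assumed names so the ordering can be tested without a database.

```go
package main

import (
	"log"
	"os"
	"strconv"
)

// ResetEnvVar is the opt-in gate proposed in the issue. Unset means safe.
const ResetEnvVar = "DB_RESET_SCHEMA"

// ResetSchemaEnabled parses the gate from a lookup function (os.LookupEnv in
// production, a map in tests). Unset, empty or non-boolean values are treated
// as false so a typo can never enable the destructive path.
func ResetSchemaEnabled(lookup func(string) (string, bool)) bool {
	raw, ok := lookup(ResetEnvVar)
	if !ok || raw == "" {
		return false
	}
	enabled, err := strconv.ParseBool(raw)
	if err != nil {
		log.Printf("%s=%q is not a boolean; treating as false", ResetEnvVar, raw)
		return false
	}
	return enabled
}

// SchemaOps abstracts the two steps of initializeSchema() so the startup
// ordering can be verified with a fake instead of a live Postgres connection.
type SchemaOps interface {
	DropTablesInOrder() error
	RunMigrations() error
}

// InitializeSchema always runs migrations and drops tables only when the gate
// is explicitly true, logging a loud warning when it does.
func InitializeSchema(ops SchemaOps, resetEnabled bool) error {
	if resetEnabled {
		log.Printf("WARNING: %s=true; dropping all tables before migration (dev/test only)", ResetEnvVar)
		if err := ops.DropTablesInOrder(); err != nil {
			return err
		}
	}
	return ops.RunMigrations()
}

func main() {
	// Stand-alone demo: reads the real environment and reports the decision.
	log.Printf("reset mode enabled: %v", ResetSchemaEnabled(os.LookupEnv))
}
```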
Acceptance criteria
- Service startup does not drop tables when reset flag is unset.
- Reset only occurs when explicit flag is true.
- Unit/integration test covers safe and reset startup modes.
- Production deployment docs/config explicitly state reset flag must remain disabled.
Release target
1.0.1 security hardening