migratesafe

v1.0.2

Database migration safety checker — catches destructive migrations before they reach production

0· 97· 2 versions· 0 current· 0 all-time· Updated 10h ago· MIT-0

Install

openclaw skills install migratesafe

MigrateSafe — Database Migration Safety Checker

MigrateSafe analyzes database migration files for destructive operations before they reach production. It detects DROP TABLE, column removals, risky type changes, missing rollbacks, lock hazards, and unsafe ALTER operations across raw SQL, Rails, Django, Knex.js, Prisma, Flyway, and Liquibase migrations. It uses regex-based pattern matching with risk scoring and produces compliance reports.

Commands

Free Tier (No license required)

migratesafe scan [file|directory]

One-shot scan of migration files for destructive operations.

How to execute:

bash "<SKILL_DIR>/scripts/migratesafe.sh" scan [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Auto-detects migration framework (SQL, Rails, Django, Knex, Prisma, Flyway, Liquibase)
  3. Finds all migration files in standard locations (db/migrate, migrations/, prisma/migrations, sql/)
  4. Runs 15+ destructive operation patterns against each file
  5. Calculates a risk score (0-100) per file and overall
  6. Outputs findings with: file, line number, severity, operation, recommendation
  7. Exit code 0 if safe, exit code 1 if critical/high risk operations detected
  8. Free tier limited to 3 migration files per scan

Example usage scenarios:

  • "Check my migrations for destructive operations" -> runs migratesafe scan .
  • "Is this migration safe to deploy?" -> runs migratesafe scan db/migrate/20240115_add_users.sql
  • "Scan my SQL files for DROP statements" -> runs migratesafe scan migrations/

migratesafe help

Show available commands and usage information.

bash "<SKILL_DIR>/scripts/migratesafe.sh" help

migratesafe version

Show version information.

bash "<SKILL_DIR>/scripts/migratesafe.sh" version

Pro Tier ($19/user/month -- requires MIGRATESAFE_LICENSE_KEY)

migratesafe hooks install

Install git pre-commit hooks that scan staged migration files before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/migratesafe.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: scans all staged migration files, blocks commit if critical/high risk, shows remediation advice

migratesafe hooks uninstall

Remove MigrateSafe git hooks.

bash "<SKILL_DIR>/scripts/migratesafe.sh" hooks uninstall

migratesafe rollback-check [directory]

Verify that every UP migration has a corresponding DOWN/rollback migration.

bash "<SKILL_DIR>/scripts/migratesafe.sh" rollback-check [directory]

What it does:

  1. Validates Pro+ license
  2. Scans migration directories for UP migrations
  3. Checks for corresponding rollback/down files or reversible blocks
  4. Reports missing rollbacks with severity assessment

migratesafe diff <file1> <file2>

Compare two schema versions and highlight dangerous changes.

bash "<SKILL_DIR>/scripts/migratesafe.sh" diff schema_v1.sql schema_v2.sql

What it does:

  1. Validates Pro+ license
  2. Compares two SQL schema files
  3. Identifies dropped tables, removed columns, type changes
  4. Shows side-by-side diff with risk annotations

Team Tier ($39/user/month -- requires MIGRATESAFE_LICENSE_KEY with team tier)

migratesafe history [directory]

Show migration risk history across all migrations in the project.

bash "<SKILL_DIR>/scripts/migratesafe.sh" history [directory]

What it does:

  1. Validates Team+ license
  2. Scans all migration files chronologically
  3. Builds a risk timeline showing when dangerous migrations were introduced
  4. Reports cumulative risk score and trends

migratesafe report [directory]

Generate a full compliance report in markdown format.

bash "<SKILL_DIR>/scripts/migratesafe.sh" report [directory]

What it does:

  1. Validates Team+ license
  2. Runs full scan of all migration files
  3. Generates a formatted markdown report from template
  4. Includes per-file breakdowns, risk scores, recommendations, rollback status
  5. Output suitable for compliance audits and change advisory boards

Detected Destructive Operations

MigrateSafe detects 15+ destructive patterns across 7 migration frameworks:

| Category | Examples | Severity |
| --- | --- | --- |
| Table Drops | DROP TABLE, drop_table, DeleteModel, dropTable | Critical |
| Truncation | TRUNCATE TABLE, unconditional DELETE FROM | Critical |
| Column Drops | DROP COLUMN, remove_column, RemoveField, dropColumn | High |
| Type Changes | ALTER COLUMN...TYPE, change_column, AlterField | High |
| Constraint Removal | DROP CONSTRAINT, DROP INDEX, RemoveConstraint, remove_index | High |
| NOT NULL Additions | SET NOT NULL (without DEFAULT), add non-null column | Medium |
| Missing Transactions | Migrations not wrapped in BEGIN/COMMIT | Medium |
| Lock Hazards | CREATE INDEX (without CONCURRENTLY), ALTER TABLE on large tables | Medium |
| Cascade Deletes | ON DELETE CASCADE, CASCADE changes | Medium |
| Column Renames | RENAME COLUMN, rename_column, RenameField | Low |
| Data Loss Risk | REPLACE operations, ON DELETE SET NULL changes | Low |
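To make the regex-plus-severity approach concrete, here is an added sketch (not MigrateSafe's own code) that applies a few of the raw SQL categories above to a constructed PostgreSQL-style migration and derives a cumulative score and the 0/1 exit code. The regexes, the severity weights and the way the score is capped at 100 are assumptions made for this illustration.

```python
import re

# (operation, severity, regex): a subset of the table's categories.
# Regexes, weights and the cap at 100 are assumptions made for this sketch.
RULES = [
    ("DROP TABLE", "critical", r"\bDROP\s+TABLE\b"),
    ("TRUNCATE", "critical", r"\bTRUNCATE\b"),
    ("unconditional DELETE", "critical", r"\bDELETE\s+FROM\s+[\w.]+\s*;"),
    ("DROP COLUMN", "high", r"\bDROP\s+COLUMN\b"),
    ("SET NOT NULL", "medium", r"\bSET\s+NOT\s+NULL\b"),
    ("CREATE INDEX without CONCURRENTLY", "medium",
     r"\bCREATE\s+(UNIQUE\s+)?INDEX\b(?!\s+CONCURRENTLY\b)"),
    ("RENAME COLUMN", "low", r"\bRENAME\s+COLUMN\b"),
]
WEIGHTS = {"critical": 40, "high": 25, "medium": 10, "low": 5}
COMPILED = [(op, sev, re.compile(rx, re.I)) for op, sev, rx in RULES]

def scan(sql):
    """Return (findings, score); findings are (line_no, severity, operation)."""
    findings = []
    for no, line in enumerate(sql.splitlines(), 1):
        code = line.split("--", 1)[0]  # drop SQL line comments before matching
        for op, sev, rx in COMPILED:
            if rx.search(code):
                findings.append((no, sev, op))
    score = min(100, sum(WEIGHTS[sev] for _, sev, _ in findings))
    return findings, score

def exit_code(findings):
    """1 if any critical/high finding exists, else 0 (the documented contract)."""
    return int(any(sev in ("critical", "high") for _, sev, _ in findings))

# Constructed sample migration, not taken from any real project.
SAMPLE = """\
BEGIN;
-- DROP TABLE legacy_users;  (commented out, must not match)
ALTER TABLE users DROP COLUMN nickname;
CREATE INDEX idx_users_email ON users (email);
CREATE INDEX CONCURRENTLY idx_users_name ON users (name);
DELETE FROM sessions;
DELETE FROM sessions WHERE expires_at < now();
COMMIT;
"""

if __name__ == "__main__":
    found, risk = scan(SAMPLE)
    for no, sev, op in found:
        print(f"line {no}: [{sev}] {op}")
    print(f"risk score {risk}/100, exit code {exit_code(found)}")
```

Because this sketch matches line by line, a statement split across several lines can slip past it, so it should be read as an illustration of the scoring idea rather than as a complete detector.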

Supported Migration Frameworks

| Framework | File Pattern | Detection |
| --- | --- | --- |
| Raw SQL | *.sql | Full SQL pattern matching |
| Rails | db/migrate/*.rb | remove_column, drop_table, change_column, etc. |
| Django | migrations/*.py | RemoveField, DeleteModel, AlterField, etc. |
| Knex.js | migrations/*.js/*.ts | dropTable, dropColumn, raw.*DROP, etc. |
| Prisma | prisma/migrations/*.sql | Full SQL pattern matching |
| Flyway | sql/V*.sql | Full SQL pattern matching |
| Liquibase | *.xml changesets | dropTable, dropColumn, modifyDataType, etc. |

Configuration

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "migratesafe": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "migrationDirs": ["db/migrate", "migrations", "prisma/migrations", "sql"],
          "ignorePatterns": ["**/test/**", "**/seed/**"],
          "requireRollbacks": true,
          "blockOnCritical": true
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately -- no configuration needed
  • All scanning happens locally -- no code or schema data sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Supports multiple migration frameworks in the same project
  • Risk scores are cumulative -- a file with multiple issues scores higher
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = safe, 1 = dangerous operations detected (for CI/CD integration)

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://migratesafe.pages.dev/renew
  • If no migration files found in target, report clean scan with info message
  • If a file is binary, skip it automatically with no warning
  • If migration framework cannot be determined, fall back to raw SQL pattern matching

When to Use MigrateSafe

The user might say things like:

  • "Check my migrations for destructive operations"
  • "Is this migration safe to run?"
  • "Scan for DROP TABLE statements"
  • "Verify my rollback migrations exist"
  • "Generate a migration safety report"
  • "Set up pre-commit hooks for migrations"
  • "Check if this schema change is dangerous"
  • "Block destructive migrations from being committed"
  • "Compare two schema versions"
  • "Show migration risk history"

Version tags

latest vk97erhzv1ysehrmk594akdv6x984vwyb

Runtime requirements

🗄️ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: MIGRATESAFE_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook