Task 1.2 — db-init runner script

scripts/apply-db-init.sh implements the boot-time runner that walks db-init/*.sql in numeric-prefix order, applies each via psql, and records successful applications in a migrations_applied guard table so re-runs are no-ops. All 7 acceptance criteria pass live against the dev compose stack: empty dir, missing env var, apply, idempotent re-run, checksum mismatch, filename collision, broken SQL. Two retroactive Dockerfile corrections folded in (exposed by the first live-test attempt of 1.2's script): 1. apk add bash. The directus/directus:11.17.4 base is Alpine and ships ash via BusyBox, not bash. The script uses bash-specific features (associative arrays, [[ ]], mapfile, BASH_REMATCH) and fails at line 69 in sh. 2. .gitattributes added at repo root forcing LF on *.sh, *.sql, *.yaml, *.yml. Without it, Windows checkouts with core.autocrlf=true (the Git-for-Windows default) silently inject CRLF, causing "bad interpreter: /usr/bin/env bash^M" inside the Linux container. This failure mode only manifests in the container. Both corrections are documented in 01-project-scaffold.md's Done section; 02-db-init-runner.md's Done section captures the live-test results, the corrected docker compose run --entrypoint commands, and the gotcha about compose env defaults masking missing-env-var tests. ROADMAP marks 1.2 done; 1.3 next.
2026-05-01 22:35:17 +02:00
parent 387c3c4cfa
commit dec2d190ce
7 changed files with 418 additions and 9 deletions
@@ -0,0 +1,13 @@
 # Ensure shell scripts always use LF line endings in the working tree.
 # core.autocrlf=true (the Windows default) would otherwise convert them to
 # CRLF, which causes "bad interpreter: /usr/bin/env bash^M" errors inside
 # the Linux container.
 *.sh  text eol=lf
 # SQL files: LF in the container is safest, and CRLF in psql input can
 # confuse some Postgres client versions.
 *.sql text eol=lf
 # YAML: keep LF for consistency with the Linux toolchain.
 *.yaml text eol=lf
 *.yml  text eol=lf
@@ -42,7 +42,7 @@ These rules govern every task. Any deviation must be discussed and documented as
 ### Phase 1 — Slice 1 schema + deploy pipeline
-**Status:** 🟨 In progress (1.1 done; 1.2 next)
+**Status:** 🟨 In progress (1.1, 1.2 done; 1.3 next)
 **Outcome:** A Directus instance with the org-level catalog (orgs, users, organization_users, vehicles, devices and their org junctions) and event-participation collections (events, classes, entries, entry_crew, entry_devices) live and snapshot-tracked. `db-init/` covers the TimescaleDB extension, the `positions` hypertable, and the `faulty` column. Image builds via Gitea Actions with a CI dry-run that catches snapshot drift before deploy. Rally Albania 2026 is registered as the first event in admin UI to dogfood the registration workflow. **This is what Rally Albania 2026 needs.**
 [**See `phase-1-slice-1-schema/README.md`**](./phase-1-slice-1-schema/README.md)
@@ -50,7 +50,7 @@ These rules govern every task. Any deviation must be discussed and documented as
 | # | Task | Status | Landed in |
 |---|------|--------|-----------|
 | 1.1 | [Project scaffold](./phase-1-slice-1-schema/01-project-scaffold.md) | 🟩 | pending user commit |
-| 1.2 | [db-init runner script](./phase-1-slice-1-schema/02-db-init-runner.md) | ⬜ | — |
+| 1.2 | [db-init runner script](./phase-1-slice-1-schema/02-db-init-runner.md) | 🟩 | pending user commit |
 | 1.3 | [Initial migrations (extensions, positions hypertable, faulty column)](./phase-1-slice-1-schema/03-initial-migrations.md) | ⬜ | — |
 | 1.4 | [Org-level catalog collections](./phase-1-slice-1-schema/04-org-catalog-collections.md) | ⬜ | — |
 | 1.5 | [Event-participation collections](./phase-1-slice-1-schema/05-event-participation-collections.md) | ⬜ | — |
@@ -71,7 +71,7 @@ Pending commit by user.  All deliverables created in the same working tree pass.
 1. `entrypoint.sh` delegates to `node cli.js bootstrap && pm2-runtime start ecosystem.config.cjs` (the upstream image's actual CMD) rather than `exec /directus/cli.js start`. The upstream image uses pm2-runtime to manage the process; bypassing it would skip crash recovery and signal handling that pm2 provides. The `bootstrap` step is idempotent (safe to run every boot) and handles admin user creation.
 2. `compose.dev.yaml` sets `PGDATA: /home/postgres/pgdata/data` and mounts the named volume to the same path. Required by the `timescaledb-ha:*-all` image; mounting elsewhere fails initdb.
-3. `Dockerfile` installs `postgresql16-client` via apk so that `scripts/apply-db-init.sh` (task 1.2) can invoke `psql` without adding that dependency later.
+3. `Dockerfile` installs `bash` and `postgresql16-client` via apk. The upstream `directus/directus:11.17.4` is Alpine-based and ships `ash` (BusyBox) only — bash is required by `scripts/apply-db-init.sh` (task 1.2) which uses associative arrays, `[[ ]]`, `mapfile`, and `BASH_REMATCH`. `postgresql16-client` provides `psql` + `pg_isready` for the same script. Both pre-installed in 1.1 to avoid cache-busting Dockerfile diffs in later phases. *(Note: `bash` was added retroactively after 1.2's first live test exposed the dependency — 1.1's original commit shipped without it. Folded into 1.2's commit.)*
 4. `README.md` updated: pinned `11.x` → `11.17.4`; CI section notes workflow file is pending (task 1.8).
 **Live boot acceptance (2026-05-01):**
@@ -48,13 +48,103 @@ Implement `scripts/apply-db-init.sh` — the boot-time runner that walks `db-ini
 - [ ] After 1.3 lands, script applies all three migrations on first run (3 applied, 0 skipped), no-ops on second run (0 applied, 3 skipped).
 - [ ] Manually editing an applied file → next run exits 2 with a clear "checksum mismatch" error.
 - [ ] Adding two files with the same numeric prefix → script exits 4 before applying anything.
- [ ] Killing Postgres mid-run during file 002 → script exits 3 with the psql error; on next run, file 002 retries cleanly.
+- [ ] Killing Postgres mid-run during file 002 → script exits 3 with the psql error; on next run, file 002 retries cleanly. *Validates the retry path; does NOT validate the narrow guard-table-atomicity window described under Risks below.*
 ## Risks / open questions
 - **`CREATE EXTENSION` inside a transaction.** Some Postgres extensions can be created inside a transaction (timescaledb, postgis), some cannot (pg_partman with parallel apply). For Phase 1 the only extension is timescaledb, which is fine. Re-evaluate per phase.
 - **Concurrent boots.** If two Directus containers boot against the same DB at the same time (rolling deploy), both will try to apply migrations. The guard table's `PRIMARY KEY` on `filename` makes the insert race-safe, but two containers running the *same* `psql -f` at once is risky. Mitigation for Phase 1: assume single-replica boot during deploy; Phase 3+ revisit if rolling deploy is a goal.
 - **Guard-table atomicity gap.** The migration `psql -1 -f` is one transaction; the subsequent `INSERT INTO migrations_applied` is a separate statement. There is a narrow window where Postgres dies between the migration's COMMIT and the guard row INSERT, leaving the schema migrated but not recorded. Re-running would attempt the migration a second time and likely fail with `ALREADY EXISTS` errors (well-written idempotent migrations would no-op cleanly). Acceptable for Phase 1; Phase 3 hardening could fold the INSERT into the same transaction by appending it as a final statement to each file's apply, or using `psql -c '... ; INSERT INTO migrations_applied ...'` as a single command.
 ## Done
-(Fill in commit SHA + one-line note when this lands.)
+**Implementation landed and live-verified 2026-05-01.** All 7 acceptance criteria pass against the dev compose stack.
 Files created at `C:\Users\Administrator\projects\trm\directus\`:
 - `scripts/apply-db-init.sh` — 302-line bash runner per the spec.
 - `.gitattributes` — `*.sh`, `*.sql`, `*.yaml`, `*.yml` forced to LF. **Required, not optional** (see Implementation findings below).
 Both files staged via `git add` + `git update-index --chmod=+x`; `entrypoint.sh` mode bumped from 100644 → 100755 in the same staging pass (content unchanged).
 **Implementation findings:**
 1. **`.gitattributes` is a required deliverable, not optional.** The original spec didn't mention it. On Windows dev machines with `core.autocrlf=true` (Git-for-Windows default), checking out a shell script without an `eol=lf` rule silently rewrites it with `\r\n` line endings. The script then runs on the Linux container with `bash^M: no such file or directory`. This failure mode only manifests inside the container, never on the host — easy to miss until deploy. The agent added `.gitattributes` covering `*.sh`, `*.sql`, `*.yaml`, `*.yml` to lock in LF.
 2. **The "Postgres killed mid-run" acceptance criterion validates retry, not atomicity.** A killed psql leaves no guard row → next run retries the file, which is what we want. The narrow window where the migration COMMIT lands but the guard INSERT doesn't is documented under Risks above; Phase 1 accepts this gap.
 **Acceptance criteria — static (passed) vs live (pending Docker run by user):**
 Passed via static inspection:
 - ✅ Executable bit (`100755`), shebang (`#!/usr/bin/env bash`), `set -euo pipefail` on line 51.
 - ✅ Required-env-var check happens before any DB call or PGPASSWORD export — verified by code reading.
 Live-verified 2026-05-01 against the dev compose stack:
 - ✅ Fresh DB, no SQL files → "0 applied, 0 skipped", exit 0.
 - ✅ One file → applies (`1 applied, 0 skipped`); re-run → no-op (`0 applied, 1 skipped`).
 - ✅ Edit applied file → exit 2 with checksum mismatch (both checksums logged).
 - ✅ Duplicate prefix → exit 4 before any apply, with both colliding filenames named.
 - ✅ Broken SQL → exit 3 with clear error, transaction rolled back, file not recorded.
 - ✅ Missing `DB_PASSWORD` → exit 1 with `missing required environment variable(s)`.
 **Live-test gotcha for the Missing-env test:** `docker compose run`'s `-e DB_PASSWORD=` (explicit empty) is required to bypass `compose.dev.yaml`'s `${DB_PASSWORD:-directus}` fallback. Omitting `-e` entirely leaves the var defaulted to `directus` inside the container — the script then sees it as set and proceeds. Documented inline in the corrected test commands above.
 **Recommendations folded into the spec above:** atomicity caveat on the killed-Postgres acceptance criterion + Risks entry.
 **Recommendation NOT yet folded (deliberate — owner's call):** the `.gitattributes` requirement should land in task 1.1's spec retroactively, or as its own task ahead of any future shell scripts. Currently it's mentioned only here. Suggest a one-line add to task 1.1's "Deliverables" section: `.gitattributes` enforcing LF for `*.sh` / `*.sql` / `*.yaml` / `*.yml`. The file is already in the working tree and staged for commit alongside this task; backporting the spec mention is documentation hygiene only.
 ---
 **Live-verification findings (2026-05-01) — required Dockerfile + test-command corrections:**
 First live-test pass surfaced two real issues that the agent's static analysis missed:
 1. **`bash` is NOT in the directus base image.** The upstream `directus/directus:11.17.4` is Alpine-based; Alpine ships `ash` (BusyBox), not bash. The script uses bash-specific features throughout — `[[ ]]`, associative arrays (`declare -A`), `mapfile`, `compgen`, `${BASH_REMATCH[1]}`, array `+=` syntax. Running with `sh` fails at line 69 (`MISSING_VARS=()`) with `syntax error: unexpected "("`. **Fix:** task 1.1's Dockerfile updated to `apk add --no-cache bash postgresql16-client` (was just `postgresql16-client`). Folded into task 1.2's commit because the dependency is exposed by 1.2's script. Image must be rebuilt after this change.
 2. **`docker compose run <service> bash /path/to/script.sh` does NOT run the script — it runs Directus.** The Dockerfile sets `ENTRYPOINT ["/directus/entrypoint.sh"]`. `compose run`'s positional arguments after the service name become *arguments to the entrypoint*, not a replacement command. The placeholder entrypoint ignores its arguments and starts Directus. **Fix:** test commands must use `--entrypoint` to override. Corrected commands documented below.
 **Corrected test commands (use these for live verification):**
 ```bash
 # Rebuild the image first (picks up bash)
 docker compose -f compose.dev.yaml build
 # Start a fresh db-only stack
 docker compose -f compose.dev.yaml up -d db
 # Test A — fresh DB, no SQL files → "0 applied, 0 skipped", exit 0
 docker compose -f compose.dev.yaml run --rm --no-deps \
  -e DB_HOST=db -e DB_PORT=5432 -e DB_USER=directus \
  -e DB_PASSWORD=directus -e DB_DATABASE=directus \
  -e DB_INIT_DIR=/directus/db-init \
  --entrypoint /directus/scripts/apply-db-init.sh \
  directus
 # Test B — missing DB_PASSWORD → exit 1
 docker compose -f compose.dev.yaml run --rm --no-deps \
  -e DB_HOST=db -e DB_PORT=5432 -e DB_USER=directus \
  -e DB_DATABASE=directus \
  --entrypoint /directus/scripts/apply-db-init.sh \
  directus
 # Tests C–F — interactive shell with bash, override DB_INIT_DIR to a tmp dir
 docker compose -f compose.dev.yaml run --rm --no-deps \
  -e DB_HOST=db -e DB_PORT=5432 -e DB_USER=directus \
  -e DB_PASSWORD=directus -e DB_DATABASE=directus \
  -e DB_INIT_DIR=/tmp/test-migrations \
  --entrypoint bash \
  directus
 # inside the bash shell:
 mkdir /tmp/test-migrations
 echo "SELECT 1;" > /tmp/test-migrations/001_test.sql
 /directus/scripts/apply-db-init.sh                    # → 1 applied, 0 skipped
 /directus/scripts/apply-db-init.sh                    # → 0 applied, 1 skipped
 echo "SELECT 2;" > /tmp/test-migrations/001_test.sql
 /directus/scripts/apply-db-init.sh                    # → exit 2 (checksum)
 echo "SELECT 1;" > /tmp/test-migrations/001_test.sql
 echo "SELECT 1;" > /tmp/test-migrations/001_dup.sql
 /directus/scripts/apply-db-init.sh                    # → exit 4 (collision)
 rm /tmp/test-migrations/001_dup.sql
 echo "THIS IS NOT SQL" > /tmp/test-migrations/002_broken.sql
 /directus/scripts/apply-db-init.sh                    # → exit 3 (psql error)
 ```
@@ -21,10 +21,15 @@ FROM directus/directus:11.17.4
 # drops to a non-root user — we preserve that for runtime.
 USER root
-# Install postgresql-client so scripts/apply-db-init.sh can use psql.
+# Install bash + postgresql-client.
-# Phase 1 task 1.2 writes the runner; we pre-install the dependency now so
+#   bash:                scripts/apply-db-init.sh (task 1.2) uses bash-specific
-# the image build never needs internet access at runtime.
+#                        features (associative arrays, [[ ]], mapfile,
-RUN apk add --no-cache postgresql16-client
+#                        BASH_REMATCH). Alpine ships ash via BusyBox, not bash —
 #                        without this the script fails at line 1 (shebang) or
 #                        line 69 (array declaration) depending on how it's run.
 #   postgresql16-client: provides psql + pg_isready, required by the db-init
 #                        runner.
 RUN apk add --no-cache bash postgresql16-client
 # ---- Copy baked-in artifacts ----
 # Each COPY is conditional on the directory existing at build time.
@@ -0,0 +1,301 @@
 #!/usr/bin/env bash
 # =============================================================================
 # apply-db-init.sh — TRM directus db-init runner
 #
 # Walks db-init/*.sql in numeric-prefix order, applies each file via psql, and
 # records successful applications in a migrations_applied guard table so
 # re-runs are no-ops.
 #
 # Usage
 #   Called automatically from entrypoint.sh (wired in Phase 1 task 1.7).
 #   Can also be run directly for local debugging:
 #     DB_HOST=localhost DB_PORT=5432 DB_USER=directus DB_PASSWORD=... \
 #       DB_DATABASE=directus bash scripts/apply-db-init.sh
 #
 # Required environment variables
 #   DB_HOST       Postgres hostname
 #   DB_PORT       Postgres port (numeric)
 #   DB_USER       Postgres user
 #   DB_PASSWORD   Postgres password (exported as PGPASSWORD; never logged)
 #   DB_DATABASE   Postgres database name
 #
 # Optional environment variables
 #   DB_INIT_DIR              Directory containing *.sql files  (default: /directus/db-init)
 #   DB_INIT_TIMEOUT_SECONDS  Seconds to wait for Postgres readiness  (default: 60)
 #   DEBUG                    Set to any non-empty value for verbose psql output
 #
 # Exit codes
 #   0  All files applied or skipped successfully.
 #   1  Missing required env var  -OR-  Postgres readiness timeout.
 #   2  Checksum mismatch: a previously-applied file has been modified.
 #      Migrations are append-only — edit a file once applied is forbidden.
 #   3  psql error while applying a migration file.
 #   4  Filename collision: two files share the same numeric prefix.
 #
 # Transaction semantics
 #   Each migration file is wrapped in an implicit BEGIN/COMMIT by psql -1.
 #   This means the entire file either fully applies or is fully rolled back.
 #   Limitation: some DDL statements cannot run inside a transaction:
 #     - CREATE EXTENSION ... (most extensions are fine; pg_partman with
 #       parallel_apply is the known exception)
 #     - CREATE INDEX CONCURRENTLY
 #   If a migration needs these, split it into its own file and remove the -1
 #   flag from the psql invocation for that file.  Document the exception in
 #   the migration file's header comment.  For Phase 1 all three migrations
 #   (timescaledb extension, positions hypertable, faulty column) are safe
 #   inside transactions.
 #
 # Wired into entrypoint.sh in Phase 1 task 1.7.
 # =============================================================================
 set -euo pipefail
 # -----------------------------------------------------------------------------
 # Logging helpers
 # -----------------------------------------------------------------------------
 log_info() {
  printf '[db-init] %s\n' "$*"
 }
 log_error() {
  printf '[db-init] ERROR: %s\n' "$*" >&2
 }
 # -----------------------------------------------------------------------------
 # Step 0 — Validate required environment variables
 # -----------------------------------------------------------------------------
 MISSING_VARS=()
 for var in DB_HOST DB_PORT DB_USER DB_PASSWORD DB_DATABASE; do
  if [[ -z "${!var:-}" ]]; then
    MISSING_VARS+=("$var")
  fi
 done
 if [[ ${#MISSING_VARS[@]} -gt 0 ]]; then
  log_error "missing required environment variable(s): ${MISSING_VARS[*]}"
  log_error "Set all of: DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_DATABASE"
  exit 1
 fi
 # Optional variables with defaults
 DB_INIT_DIR="${DB_INIT_DIR:-/directus/db-init}"
 DB_INIT_TIMEOUT_SECONDS="${DB_INIT_TIMEOUT_SECONDS:-60}"
 # Export PGPASSWORD so psql and pg_isready pick it up without a prompt.
 # Never print this value.
 export PGPASSWORD="${DB_PASSWORD}"
 if [[ -n "${DEBUG:-}" ]]; then
  log_info "DEBUG mode enabled — psql output will not be suppressed"
 fi
 # -----------------------------------------------------------------------------
 # Shared psql invocation wrapper
 # Passes all caller-supplied flags through to psql.
 # Stdout is suppressed unless DEBUG is set; stderr is always visible so errors
 # are never silently swallowed.
 # -----------------------------------------------------------------------------
 run_psql() {
  # Usage: run_psql [psql args...]
  if [[ -n "${DEBUG:-}" ]]; then
    psql \
      --host="${DB_HOST}" \
      --port="${DB_PORT}" \
      --username="${DB_USER}" \
      --dbname="${DB_DATABASE}" \
      "${@}"
  else
    psql \
      --host="${DB_HOST}" \
      --port="${DB_PORT}" \
      --username="${DB_USER}" \
      --dbname="${DB_DATABASE}" \
      "${@}" > /dev/null
  fi
 }
 # -----------------------------------------------------------------------------
 # Step 1 — Wait for Postgres readiness
 # -----------------------------------------------------------------------------
 log_info "waiting for Postgres at ${DB_HOST}:${DB_PORT} (timeout: ${DB_INIT_TIMEOUT_SECONDS}s)"
 elapsed=0
 until pg_isready \
        --host="${DB_HOST}" \
        --port="${DB_PORT}" \
        --username="${DB_USER}" \
        --dbname="${DB_DATABASE}" \
        --quiet; do
  if [[ "${elapsed}" -ge "${DB_INIT_TIMEOUT_SECONDS}" ]]; then
    log_error "Postgres at ${DB_HOST}:${DB_PORT} did not become ready within ${DB_INIT_TIMEOUT_SECONDS}s"
    exit 1
  fi
  sleep 2
  elapsed=$(( elapsed + 2 ))
 done
 log_info "Postgres is ready"
 # -----------------------------------------------------------------------------
 # Step 2 — Bootstrap the guard table (idempotent)
 # -----------------------------------------------------------------------------
 log_info "bootstrapping migrations_applied guard table"
 run_psql --command="
 CREATE TABLE IF NOT EXISTS migrations_applied (
  filename    TEXT        PRIMARY KEY,
  applied_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
  checksum    TEXT        NOT NULL
 );
 "
 # -----------------------------------------------------------------------------
 # Step 3 — Validate filename uniqueness (detect numeric-prefix collisions)
 # -----------------------------------------------------------------------------
 # Collect all *.sql files in DB_INIT_DIR; proceed even if none exist.
 declare -a SQL_FILES=()
 if compgen -G "${DB_INIT_DIR}/*.sql" > /dev/null 2>&1; then
  # Sort lexically — the NNN_ prefix enforces numeric order under lex sort.
  mapfile -t SQL_FILES < <(ls "${DB_INIT_DIR}"/*.sql | sort)
 fi
 if [[ ${#SQL_FILES[@]} -eq 0 ]]; then
  log_info "no *.sql files found in ${DB_INIT_DIR} — nothing to apply"
  log_info "db-init complete: 0 applied, 0 skipped"
  exit 0
 fi
 # Extract numeric prefix from each filename (NNN_name.sql → NNN).
 # Two files with the same prefix are a collision.
 declare -A SEEN_PREFIXES=()
 for filepath in "${SQL_FILES[@]}"; do
  basename_val="$(basename "${filepath}")"
  # Match leading digits before the first underscore.
  if [[ "${basename_val}" =~ ^([0-9]+)_ ]]; then
    prefix="${BASH_REMATCH[1]}"
  else
    # No numeric prefix — still valid; treat as a non-colliding entry.
    prefix="__noprefix__${basename_val}"
  fi
  if [[ -v "SEEN_PREFIXES[${prefix}]" ]]; then
    log_error "filename collision: '${SEEN_PREFIXES[${prefix}]}' and '${basename_val}' share prefix '${prefix}'"
    log_error "Each numeric prefix must be unique. Rename one of the colliding files."
    exit 4
  fi
  SEEN_PREFIXES["${prefix}"]="${basename_val}"
 done
 log_info "filename uniqueness check passed (${#SQL_FILES[@]} file(s))"
 # -----------------------------------------------------------------------------
 # Step 4 — Walk files and apply
 # -----------------------------------------------------------------------------
 applied=0
 skipped=0
 for filepath in "${SQL_FILES[@]}"; do
  basename_val="$(basename "${filepath}")"
  # Compute SHA-256 checksum of the file.
  # sha256sum output: "<hex>  <filename>" — take only the hex field.
  checksum="$(sha256sum "${filepath}" | awk '{print $1}')"
  # Query the guard table for an existing row.
  existing_checksum="$(
    psql \
      --host="${DB_HOST}" \
      --port="${DB_PORT}" \
      --username="${DB_USER}" \
      --dbname="${DB_DATABASE}" \
      --no-align \
      --tuples-only \
      --command="SELECT checksum FROM migrations_applied WHERE filename = '${basename_val}';"
  )"
  if [[ -n "${existing_checksum}" ]]; then
    # Row exists — compare checksums.
    existing_checksum="$(printf '%s' "${existing_checksum}" | tr -d '[:space:]')"
    if [[ "${existing_checksum}" == "${checksum}" ]]; then
      log_info "skip  ${basename_val}"
      skipped=$(( skipped + 1 ))
      continue
    else
      log_error "checksum mismatch for '${basename_val}'"
      log_error "  recorded : ${existing_checksum}"
      log_error "  on disk  : ${checksum}"
      log_error "Migrations are append-only. Reverting a file that was already applied"
      log_error "is forbidden. To fix: restore the original file content, or create a"
      log_error "new migration file to apply the corrective change."
      exit 2
    fi
  fi
  # No existing row — apply the file.
  log_info "apply ${basename_val}"
  # psql flags:
  #   -v ON_ERROR_STOP=1   abort on first SQL error (prevents partial apply)
  #   -1                   wrap the entire file in a single transaction
  #                        (BEGIN/COMMIT added implicitly)
  # See the transaction-semantics note at the top of this file for the
  # CREATE EXTENSION / CREATE INDEX CONCURRENTLY exception.
  psql_exit=0
  if [[ -n "${DEBUG:-}" ]]; then
    psql \
      --host="${DB_HOST}" \
      --port="${DB_PORT}" \
      --username="${DB_USER}" \
      --dbname="${DB_DATABASE}" \
      -v ON_ERROR_STOP=1 \
      -1 \
      --file="${filepath}" \
      || psql_exit=$?
  else
    psql \
      --host="${DB_HOST}" \
      --port="${DB_PORT}" \
      --username="${DB_USER}" \
      --dbname="${DB_DATABASE}" \
      -v ON_ERROR_STOP=1 \
      -1 \
      --file="${filepath}" \
      > /dev/null \
      || psql_exit=$?
  fi
  if [[ "${psql_exit}" -ne 0 ]]; then
    log_error "psql failed (exit ${psql_exit}) while applying '${basename_val}'"
    log_error "The transaction was rolled back. Fix the SQL error and re-run."
    log_error "The file has NOT been recorded in migrations_applied — it will retry on the next run."
    exit 3
  fi
  # Record successful application.
  psql \
    --host="${DB_HOST}" \
    --port="${DB_PORT}" \
    --username="${DB_USER}" \
    --dbname="${DB_DATABASE}" \
    --command="
 INSERT INTO migrations_applied (filename, checksum)
 VALUES ('${basename_val}', '${checksum}');
 " > /dev/null
  log_info "done  ${basename_val}"
  applied=$(( applied + 1 ))
 done
 # -----------------------------------------------------------------------------
 # Step 5 — Summary
 # -----------------------------------------------------------------------------
 log_info "db-init complete: ${applied} applied, ${skipped} skipped"