Citus issue fix - remove the relations

[priyanka-TL]

… for tenant validation

Summary by CodeRabbit

• Bug Fixes

  • Improved OTP generation tenant identification to ensure correct user lookup.

• Refactor

  • Strengthened and tightened database constraint behavior for feature–role mappings to reduce unintended cascades and enforce uniqueness.
  • Added safer migration handling and logging to reduce migration failures.
  • Removed a redundant feature-to-role association to simplify feature-role relationships.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@priyanka-TL has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 18 minutes and 38 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between b4f8d8d and 161d2a2.

📒 Files selected for processing (1)

• src/database/migrations/20251211000000-modify-feature-role-mapping-fk-constraints.js (1 hunks)

Walkthrough

Modifies foreign-key behavior and migration error handling for feature_role_mapping, removes a Feature → FeatureRoleMapping association, and updates a service call parameter in the account service.

Changes

Cohort / File(s)	Change Summary
Account service src/services/account.js	Removed an extra blank line and changed the third argument in findUserWithOrganization from tenantDomain.tenant_code to true.
Feature-role mapping — adjustments to existing migration src/database/migrations/20251003155747-add-feature-role-mapping-constraints.js	Wrapped migration operations in try/catch; changed feature_code FK behavior to NO ACTION; retained composite FKs and unique partial index (on non-deleted rows) but moved creation into try block; down migration uses guarded removeConstraint(...).catch(()=>{}) and drops the index.
Feature-role mapping — new migration to modify FKs src/database/migrations/20251211000000-modify-feature-role-mapping-fk-constraints.js	New migration that drops existing FK constraints (with IF EXISTS/guarding), then adds two composite FKs with ON UPDATE NO ACTION and ON DELETE NO ACTION; down migration removes these NO ACTION constraints with logging and best-effort handling.
Model association removal src/database/models/Feature.js	Removed Feature.hasMany(models.FeatureRoleMapping, { foreignKey: 'feature_code', sourceKey: 'code', as: 'featureRoleMappings' }) from associations.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review migration ordering and SQL correctness (drop/create constraint statements).
• Verify the impact of changing CASCADE→NO ACTION on existing data and application behavior.
• Confirm removal of Feature.hasMany does not break codepaths or queries referencing featureRoleMappings.
• Validate the service parameter change in src/services/account.js for callers and tests.

Possibly related PRs

• feat: implement feature-role mapping #836 — Changes and migrations around FeatureRoleMapping and Feature association that appear directly related to the association/migration adjustments in this PR.

Poem

🐰 I hopped through tables, columns, and lines,

Swapped cascades for steadier signs,
A mapping removed, a constraint made new,
I nibbled a bug and left a clue —
Hooray for migrations, and code that’s true! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Citus issue fix - remove the relations' directly aligns with the main change: removing the Feature-to-FeatureRoleMapping association in Feature.js, along with related constraint modifications in migrations and a functional change in account.js.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/services/account.js (1)

1049-1098: Fix findUserWithOrganization call: incorrect parameter type and missing tenant filtering

The third argument should be a boolean (raw flag), not tenantDetail.code. The function signature is findUserWithOrganization(filter, options = {}, raw = false) where raw controls output transformation, not tenant filtering. Tenant filtering is handled by filter.tenant_code, which must be included in the filter object.

Change line 1049 from:

const user = await userQueries.findUserWithOrganization(query, {}, tenantDetail.code)

To include tenant_code in the filter and use the correct boolean parameter:

const user = await userQueries.findUserWithOrganization({...query, tenant_code: tenantDetail.code}, {})

Without tenant_code in the filter, the function's tenant isolation checks fail (accessing undefined filter.tenant_code in WHERE clauses).

🧹 Nitpick comments (3)

src/database/models/TenantDomain.js (1)

48-54: Tenant–TenantDomain association wiring looks correct; consider explicit cascade options

The belongsTo setup (foreignKey tenant_code, targetKey code, alias tenant) matches the new include usage and should enable domainWithTenant.tenant cleanly. You may want to add explicit onDelete/onUpdate semantics (e.g., RESTRICT or CASCADE) to avoid accidental orphaning or unexpected tenant reassignment when tenants change.

src/services/account.js (1)

658-699: Combined domain+tenant lookup in login looks good; note behavior on query failures

Using tenantDomainQueries.findOneWithTenant({ domain }) and then validating domainWithTenant.tenant with an ACTIVE status is a solid improvement and avoids an extra round-trip. Be aware that, since the query helper returns errors instead of throwing, any underlying DB/ORM error here will be surfaced to the user as TENANT_NOT_FOUND_PING_ADMIN rather than a 5xx; that matches the existing pattern in this service, but if you want clearer operational signals you might consider standardizing on throwing from query helpers later.

src/database/queries/tenantDomain.js (1)

2-63: New findOneWithTenant helper correctly models domain→tenant join; consider future options passthrough

Importing both TenantDomain and Tenant and using an include with alias tenant aligns with the model association and the domainWithTenant.tenant access in account.login. The LEFT JOIN plus result.get({ plain: true }) is appropriate for returning a simple object while still allowing “domain found but tenant missing” handling. Right now this helper only respects attributes and tenantAttributes from options; if you later need to pass things like transactions, paranoid, or logging, you may want to selectively spread additional safe options into the query.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2025dd and b87fcf6.

📒 Files selected for processing (3)

• src/database/models/TenantDomain.js (1 hunks)
• src/database/queries/tenantDomain.js (2 hunks)
• src/services/account.js (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/services/**

⚙️ CodeRabbit configuration file

This is core business logic. Please check for correctness, efficiency, and potential edge cases.

Files:

• src/services/account.js

src/database/queries/**

⚙️ CodeRabbit configuration file

Review database queries for performance. Check for N+1 problems and ensure indexes can be used.

Files:

• src/database/queries/tenantDomain.js

🧠 Learnings (4)

📓 Common learnings

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

📚 Learning: 2025-09-29T08:17:56.193Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 827
File: src/validators/v1/user.js:77-81
Timestamp: 2025-09-29T08:17:56.193Z
Learning: In src/validators/v1/user.js, the tenant_code field validation for the profileById function is intentionally required (not optional) for the /profileById endpoint, ensuring tenant_code must always be provided when fetching user profiles by ID.

Applied to files:

• src/services/account.js

📚 Learning: 2025-07-31T08:44:36.982Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/services/entities.js:18-23
Timestamp: 2025-07-31T08:44:36.982Z
Learning: In the ELEVATE-Project/user codebase, organizationCode and tenantCode parameters passed to service methods always come from req.decodedToken.organization_code and req.decodedToken.tenant_code, which are guaranteed to be present after token validation. Additional validation for these parameters in service methods is unnecessary as the token validation process ensures they are always available.

Applied to files:

• src/services/account.js

📚 Learning: 2025-07-31T08:43:35.971Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

Applied to files:

• src/services/account.js

🧬 Code graph analysis (2)

src/services/account.js (2)

src/services/public.js (3)

• tenantDetail (35-35)
• tenantDetail (80-83)
• common (14-14)

src/services/admin.js (2)

• tenantDetail (250-253)
• common (15-15)

src/database/queries/tenantDomain.js (1)

src/database/queries/tenants.js (1)

• Tenant (2-2)

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/services/account.js (2)

69-79: Tenant/domain join usage looks good; consider minor consistency tweaks

The new findOneWithTenant usage and ACTIVE-status validation are correct and align the create flow with tenant lifecycle. Also good to see portalURL now driven from the tenant-domain record.

Two small consistency nits you may want to address:

• Line 210: you use domainWithTenant.tenant_code here but elsewhere in this method you consistently use tenantDetail.code. Since these should always match, using tenantDetail.code everywhere would reduce cognitive load and avoid future confusion if findOneWithTenant ever changes its shape.
• Lines 570/586: portalURL is now the raw domainWithTenant.domain. If templates previously expected a fully qualified URL (e.g. including scheme or path), double‑check that this change doesn’t alter email/SMS link behavior. If they do, consider normalizing the value (e.g. adding a scheme) at a single helper instead of per‑callsite.

Also applies to: 210-210, 570-571, 586-587

---

656-665: Login tenant validation is correct; consider reusing it across OTP/reset flows

The switch to findOneWithTenant({ domain }) and enforcing tenantDetail.status === ACTIVE before login is a solid improvement and matches the PR’s goal of tenant validation. The commented isUsername helper is also fine since the fallback branch already treats “not email/phone” as username.

To avoid inconsistent behavior across flows:

• generateOtp and resetPassword still only verify that a tenant exists, not that it’s ACTIVE. You might want to reuse the same domainWithTenant + ACTIVE-status check there so suspended tenants can’t request OTPs or reset passwords while being blocked at login/create.

Also applies to: 672-672

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b87fcf6 and 8f3e433.

📒 Files selected for processing (1)

• src/services/account.js (7 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

src/services/**

⚙️ CodeRabbit configuration file

This is core business logic. Please check for correctness, efficiency, and potential edge cases.

Files:

• src/services/account.js

🧠 Learnings (4)

📓 Common learnings

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

📚 Learning: 2025-09-29T08:17:56.193Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 827
File: src/validators/v1/user.js:77-81
Timestamp: 2025-09-29T08:17:56.193Z
Learning: In src/validators/v1/user.js, the tenant_code field validation for the profileById function is intentionally required (not optional) for the /profileById endpoint, ensuring tenant_code must always be provided when fetching user profiles by ID.

Applied to files:

• src/services/account.js

📚 Learning: 2025-07-31T08:43:35.971Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

Applied to files:

• src/services/account.js

📚 Learning: 2025-07-31T08:44:36.982Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/services/entities.js:18-23
Timestamp: 2025-07-31T08:44:36.982Z
Learning: In the ELEVATE-Project/user codebase, organizationCode and tenantCode parameters passed to service methods always come from req.decodedToken.organization_code and req.decodedToken.tenant_code, which are guaranteed to be present after token validation. Additional validation for these parameters in service methods is unnecessary as the token validation process ensures they are always available.

Applied to files:

• src/services/account.js

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/services/account.js (1)

1047-1055: Fix findUserWithOrganization third parameter in generateOtp—should be raw flag, not tenant code

Here you’re calling:

const user = await userQueries.findUserWithOrganization(query, {}, tenantDetail.code)

but elsewhere in this file the same helper is used as:

const userInstance = await userQueries.findUserWithOrganization(query, {}, true)
let user = userInstance ? userInstance.toJSON() : null

and in other call sites without a third argument at all. The third parameter is a boolean “raw / return instance” flag, not a tenant code; passing tenantDetail.code here is a type misuse and was already flagged in a previous review on this file.

A consistent, safe pattern here would be:

-			const user = await userQueries.findUserWithOrganization(query, {}, tenantDetail.code)
+			const userInstance = await userQueries.findUserWithOrganization(query, {}, true)
+			const user = userInstance ? userInstance.toJSON() : null

The tenant scoping is already enforced via query.tenant_code = tenantDetail.code, so no extra tenant parameter is needed.

🧹 Nitpick comments (3)

src/database/queries/tenantDomain.js (1)

2-62: findOneWithTenant query shape looks good; consider passing through common Sequelize options

The new helper correctly uses a single findOne with an include on Tenant (alias 'tenant'), avoiding N+1 issues and matching the TenantDomain→Tenant association. Returning result.get({ plain: true }) also keeps the service layer simple.

One gap vs the existing findOne helper is that options are not forwarded (aside from attributes). Callers can’t currently pass transaction, paranoid, logging, etc., which may matter in flows that need transactional consistency.

You can keep control of include and raw while still allowing the usual options by destructuring:

-exports.findOneWithTenant = async (filter, options = {}) => {
+exports.findOneWithTenant = async (filter, options = {}) => {
 	try {
+		const { attributes, tenantAttributes, ...restOptions } = options
 		const result = await TenantDomain.findOne({
 			where: filter,
-			attributes: options.attributes || undefined,
+			attributes: attributes || undefined,
 			include: [
 				{
 					model: Tenant,
 					as: 'tenant',
 					required: false, // LEFT JOIN to allow separate validation
-					attributes: options.tenantAttributes || [
+					attributes: tenantAttributes || [
 						'code',
 						'name',
 						'status',
 						'description',
 						'logo',
 						'meta',
 						'theming',
 					],
 				},
 			],
-			raw: false, // Need nested object structure
+			raw: false, // Need nested object structure
+			...restOptions, // e.g., transaction, paranoid
 		})

This keeps the public API flexible without letting callers override include/raw.

src/services/account.js (2)

69-76: Domain→tenant validation in create looks solid; tiny consistency tweak for tenant code usage

Using tenantDomainQueries.findOneWithTenant({ domain }) and then enforcing tenantDetail.status === ACTIVE before proceeding is a good tightening of the create flow. It also cleanly separates “unknown domain” vs “inactive tenant” error messages.

filterCondition.tenant_code = domainWithTenant.tenant_code is correct, since domainWithTenant comes from the same query; for readability you might standardize on tenantDetail.code as the canonical source throughout this method:

-			const tenantDetail = domainWithTenant.tenant
+			const tenantDetail = domainWithTenant.tenant
@@
-			filterCondition.tenant_code = domainWithTenant.tenant_code
+			filterCondition.tenant_code = tenantDetail.code

Functionally everything looks correct as-is; this is just for consistency.

Also applies to: 210-213

---

656-665: Login flow’s ACTIVE tenant check is correct; consider aligning generate/reset flows

The login flow now:

• Resolves domainWithTenant via findOneWithTenant({ domain }).
• Enforces tenantDetail.status === common.ACTIVE_STATUS before looking up the user.

This matches the intent of blocking logins for inactive tenants and is implemented correctly.

For consistency of tenant validation across account flows, consider applying the same status: common.ACTIVE_STATUS / active check in generateOtp and resetPassword as well (those currently only check that a tenant exists, not that it’s ACTIVE). That would ensure deactivated tenants can’t continue to request OTPs or reset passwords unless that behavior is explicitly desired.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f3e433 and d5b636d.

📒 Files selected for processing (2)

• src/database/queries/tenantDomain.js (2 hunks)
• src/services/account.js (6 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/services/**

⚙️ CodeRabbit configuration file

This is core business logic. Please check for correctness, efficiency, and potential edge cases.

Files:

• src/services/account.js

src/database/queries/**

⚙️ CodeRabbit configuration file

Review database queries for performance. Check for N+1 problems and ensure indexes can be used.

Files:

• src/database/queries/tenantDomain.js

🧠 Learnings (6)

📓 Common learnings

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

📚 Learning: 2025-09-12T10:35:28.285Z

Learnt from: praveenKDass
Repo: ELEVATE-Project/user PR: 816
File: src/services/admin.js:704-704
Timestamp: 2025-09-12T10:35:28.285Z
Learning: In ELEVATE-Project/user admin.js, there's an inconsistency in organizationQueries.update usage: addOrgAdmin calls it without options (returns number), while deactivateOrg calls it with { returning: true, raw: true } (returns object). The validation logic 'if (orgRowsAffected === 0)' only works for the first case - the second case needs 'if (orgRowsAffected.rowsAffected === 0)' to properly validate updates.

Applied to files:

• src/services/account.js

📚 Learning: 2025-09-12T10:35:28.285Z

Learnt from: praveenKDass
Repo: ELEVATE-Project/user PR: 816
File: src/services/admin.js:704-704
Timestamp: 2025-09-12T10:35:28.285Z
Learning: In the ELEVATE-Project/user codebase, when organizationQueries.update is called with { returning: true, raw: true }, it returns an object { rowsAffected, updatedRows }, not just a number. The validation logic in admin.js deactivateOrg method checking 'if (orgRowsAffected === 0)' is incorrect and should be 'if (orgRowsAffected.rowsAffected === 0)' to properly validate successful updates.

Applied to files:

• src/services/account.js

📚 Learning: 2025-09-12T10:35:28.285Z

Learnt from: praveenKDass
Repo: ELEVATE-Project/user PR: 816
File: src/services/admin.js:704-704
Timestamp: 2025-09-12T10:35:28.285Z
Learning: In the ELEVATE-Project/user codebase, when using organizationQueries.update with { returning: true, raw: true } options, the method consistently returns a structured result with updatedRows property when successful. The initial check for orgRowsAffected === 0 already handles failed updates, so additional null checking for updatedRows is redundant when the code execution reaches the event emission logic.

Applied to files:

• src/services/account.js

📚 Learning: 2025-07-31T08:44:36.982Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/services/entities.js:18-23
Timestamp: 2025-07-31T08:44:36.982Z
Learning: In the ELEVATE-Project/user codebase, organizationCode and tenantCode parameters passed to service methods always come from req.decodedToken.organization_code and req.decodedToken.tenant_code, which are guaranteed to be present after token validation. Additional validation for these parameters in service methods is unnecessary as the token validation process ensures they are always available.

Applied to files:

• src/services/account.js

📚 Learning: 2025-09-29T08:17:56.193Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 827
File: src/validators/v1/user.js:77-81
Timestamp: 2025-09-29T08:17:56.193Z
Learning: In src/validators/v1/user.js, the tenant_code field validation for the profileById function is intentionally required (not optional) for the /profileById endpoint, ensuring tenant_code must always be provided when fetching user profiles by ID.

Applied to files:

• src/services/account.js

🧬 Code graph analysis (2)

src/services/account.js (2)

src/controllers/v1/admin.js (2)

• user (34-34)
• user (77-77)

src/database/queries/users.js (1)

• user (228-273)

src/database/queries/tenantDomain.js (2)

src/database/models/TenantDomain.js (1)

• TenantDomain (3-46)

src/database/queries/tenants.js (1)

• Tenant (2-2)

🔇 Additional comments (1)

src/services/account.js (1)

562-575: Using domainWithTenant.domain for portalURL keeps notifications aligned with the tenant domain

Switching the registration email/SMS portalURL variable to domainWithTenant.domain reuses the same canonical source you validated at the start of create, which is preferable to relying on request input. No issues here.

Also applies to: 578-591

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5b636d and 4fea988.

📒 Files selected for processing (4)

• src/database/migrations/20251003155747-add-feature-role-mapping-constraints.js (1 hunks)
• src/database/migrations/20251211000000-modify-feature-role-mapping-fk-constraints.js (1 hunks)
• src/database/models/Feature.js (0 hunks)
• src/services/account.js (1 hunks)

💤 Files with no reviewable changes (1)

• src/database/models/Feature.js

🚧 Files skipped from review as they are similar to previous changes (1)

• src/services/account.js

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

📚 Learning: 2025-07-31T08:43:35.971Z

Learnt from: nevil-mathew
Repo: ELEVATE-Project/user PR: 776
File: src/database/models/entityType.js:38-38
Timestamp: 2025-07-31T08:43:35.971Z
Learning: The migration for converting tenant_code to a primary key in the EntityType model was already handled in a previous PR, not in the current refactoring PR that focuses on organization codes instead of organization IDs.

Applied to files:

• src/database/migrations/20251003155747-add-feature-role-mapping-constraints.js
• src/database/migrations/20251211000000-modify-feature-role-mapping-fk-constraints.js

🔇 Additional comments (2)

src/database/migrations/20251003155747-add-feature-role-mapping-constraints.js (1)

6-44: LGTM: Up migration with proper error handling.

The try/catch pattern with re-throw ensures Sequelize properly tracks migration failure state. The mixed FK behaviors (NO ACTION for feature_code, CASCADE for composite keys) appear intentional for this Citus-related fix.

src/database/migrations/20251211000000-modify-feature-role-mapping-fk-constraints.js (1)

1-78: Error handling pattern is appropriate for migrations.

The try/catch with re-throw ensures proper migration failure tracking. The defensive .catch(() => {}) combined with DROP CONSTRAINT IF EXISTS is redundant but harmless—provides extra safety across different PostgreSQL configurations.