fix(reliability): migration 064 — forwarder_sent.audit_log_id FK (closes gap #6)

.claude/skills/instant-ship/SKILL.md

@@ -104,6 +104,33 @@ curl -sf http://localhost:${NODE_PORT}/healthz
 
 ---
 
+## Step 6b: Post-deploy smoke (catches the 2026-05-13 outage class)
+
+`/healthz` only checks the api process — it does NOT exercise the api→provisioner
+gRPC auth path. The 2026-05-13 outage shipped a green `/healthz` while every
+`/db/new` returned 503 because `PROVISIONER_SECRET` was rotated without
+restarting the provisioner pods (the auth interceptor closes over `secret`
+at server boot). The script below catches that class of failure:
+
+```bash
+EXPECTED_COMMIT=$(git rev-parse --short HEAD)
+NODE_PORT=$(kubectl get svc instant-api -n instant -o jsonpath='{.spec.ports[0].nodePort}')
+bash scripts/post-deploy-smoke.sh "http://localhost:${NODE_PORT}" "${EXPECTED_COMMIT}"
+```
+
+The script asserts `/healthz` commit_id matches the just-built SHA, then
+POSTs to `/db/new` and asserts the response is 200/201/202/402/429 (NOT a
+503 with a provisioner-error body). Exit code 3 specifically signals the
+auth-path regression.
+
+**If exit code 3:** Run
+`kubectl rollout restart deployment/instant-provisioner -n instant-infra`
+to force a re-read of the rotated secret, then re-run the smoke.
+
+**If any other non-zero exit:** **STOP.** Show the script output.
+
+---
+
 ## Step 7: E2E tests
 
 ```bash

.gitattributes

@@ -0,0 +1,13 @@
+# .gitattributes — repo-level git behavior overrides.
+#
+# export-ignore: paths matched here are excluded from `git archive` (the
+# command that builds release tarballs / GitHub source-zip downloads).
+# We want the repo's contents available to anyone cloning the private
+# remote, but NOT bundled into archives that might end up on a CDN, in a
+# Docker layer cache, or attached to a public release page.
+
+# INTERNAL-OPS.md is the operator runbook for the admin surface — secrets,
+# rotation procedures, incident response. Public-ish exposure of this file
+# would defeat the unguessable-path-prefix gate by documenting the surface.
+# Keep it version-controlled here, keep it out of every archive.
+INTERNAL-OPS.md export-ignore

.github/workflows/ci.yml

@@ -10,15 +10,59 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [master]
+    # CI-minute savings (2026-05-21): skip CI on docs-only commits.
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'CLAUDE.md'
+      - '.gitignore'
+      - 'LICENSE'
+      - 'BUGBASH-*/**'
   pull_request:
-    branches: [main]
+    branches: [master]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'CLAUDE.md'
+      - '.gitignore'
+      - 'LICENSE'
+      - 'BUGBASH-*/**'
   schedule:
     # Weekly — reserved for optional scheduled jobs (see e2e job).
     - cron: '0 6 * * 1'
   workflow_dispatch:
 
+concurrency:
+  # CI-minute savings (2026-05-21): cancel prior in-flight CI run for the
+  # same branch/PR when a new commit lands. Different PRs/branches still
+  # run in parallel (group key includes github.ref).
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
+  # Stale-green guard. A PR can show a green CI run that was executed BEFORE a
+  # breaking commit landed on the base branch — merging it would ship a broken
+  # master. This job FAILS if the PR branch does not contain origin/<base> as
+  # an ancestor, forcing an "Update branch" before the PR can merge.
+  up-to-date-with-base:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Fail if PR branch is behind its base branch
+        run: |
+          BASE="${{ github.event.pull_request.base.ref }}"
+          git fetch origin "${BASE}" --depth=1
+          if git merge-base --is-ancestor "origin/${BASE}" HEAD; then
+            echo "PR branch contains origin/${BASE} — up to date."
+          else
+            echo "::error::PR branch is behind origin/${BASE}. Update the branch (merge/rebase ${BASE}) and re-run CI so it validates against current base."
+            exit 1
+          fi
+
   build-and-test:
     runs-on: ubuntu-latest
     services:
@@ -47,26 +91,76 @@ jobs:
     env:
       TEST_DATABASE_URL: postgres://postgres:postgres@localhost:5432/instant_dev_test?sslmode=disable
       TEST_REDIS_URL: redis://localhost:6379/15
+      # db-provider admin target. internal/providers/db/local.go CREATEs a
+      # customer database per /db/new; in tests it connects to
+      # TEST_POSTGRES_CUSTOMERS_URL. testhelpers defaults this to an
+      # unreachable localhost:5434, so without this every postgres-
+      # provisioning test (TestDBNew_*, TestBulkTwin_*) 503'd. Points at an
+      # instant_customers DB created on the same service container below —
+      # exactly as deploy.yml's proven-green gate does.
+      TEST_POSTGRES_CUSTOMERS_URL: postgres://postgres:postgres@localhost:5432/instant_customers?sslmode=disable
     steps:
       - uses: actions/checkout@v4
 
       - name: Checkout proto sibling (for go.mod replace ../proto)
         uses: actions/checkout@v4
         with:
           repository: ${{ vars.PROTO_REPO || format('{0}/proto', github.repository_owner) }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           path: _proto_ci
 
       - name: Place ../proto for Go replace directive
         run: mv _proto_ci ../proto
 
+      - name: Checkout common sibling (for go.mod replace ../common)
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ vars.COMMON_REPO || format('{0}/common', github.repository_owner) }}
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          path: _common_ci
+
+      - name: Place ../common for Go replace directive
+        run: mv _common_ci ../common
+
       - uses: actions/setup-go@v5
         with:
           go-version: '1.25'
 
+      - name: Apply DB migrations to the test database
+        # Mirrors deploy.yml's proven-green gate. Before this step CI ran
+        # tests against a BARE Postgres whose schema came ONLY from
+        # testhelpers.runMigrations — a hand-maintained mirror. This step
+        # applies the REAL migration files (exactly like `make test-db-up`),
+        # then creates instant_customers — the db provider's local backend
+        # (internal/providers/db/local.go) CREATEs a customer database per
+        # /db/new and connects to TEST_POSTGRES_CUSTOMERS_URL for it. Without
+        # this DB every postgres provision (TestDBNew_*, TestBulkTwin_*) 503'd.
+        env:
+          PGPASSWORD: postgres
+        run: |
+          for f in $(ls internal/db/migrations/*.sql | sort); do
+            echo "→ applying $(basename "$f")"
+            psql -h localhost -U postgres -d instant_dev_test -f "$f" >/dev/null
+          done
+          echo "all migrations applied to instant_dev_test"
+          psql -h localhost -U postgres -d postgres -c "CREATE DATABASE instant_customers" >/dev/null
+          echo "created instant_customers (db-provider admin target)"
+
       - run: go build ./...
       - run: go vet ./...
-      - run: go test ./... -v -race -count=1
+
+      # The gate. This MUST stay equal to deploy.yml's proven-green
+      # invocation (`go test ./... -short -count=1 -p 1`) PLUS `-race`:
+      #   - `-p 1` is load-bearing: every package shares the single
+      #     instant_dev_test DB + redis/15. Default parallelism runs ~25
+      #     package binaries at once and they corrupt each other's DB/redis
+      #     state mid-test. `-p 1` serialises package execution.
+      #   - `-short` matches deploy.yml so the two gates run the identical
+      #     hermetic suite (tests that genuinely need a live k8s/provisioner
+      #     stack are tagged `e2e` and excluded from `./...` anyway).
+      #   - `-race` is the extra rigor CI adds over deploy.yml — it caught
+      #     the BillingHandler.ensureRazorpayFns data race.
+      - run: go test ./... -short -race -count=1 -p 1
 
   # E2E requires a live Kubernetes stack (see repo CLAUDE.md). This job does not
   # run on push/PR — only on schedule or manual dispatch — so default CI stays fast.
@@ -80,11 +174,19 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: ${{ vars.PROTO_REPO || format('{0}/proto', github.repository_owner) }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           path: _proto_ci
 
       - run: mv _proto_ci ../proto
 
+      - name: Checkout common sibling
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ vars.COMMON_REPO || format('{0}/common', github.repository_owner) }}
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          path: _common_ci
+      - run: mv _common_ci ../common
+
       - uses: actions/setup-go@v5
         with:
           go-version: '1.25'