fix: solve internal schema issue

Author: Bulletdev

db/migrate/20260125000001_enable_rls_on_remaining_tables.rb

@@ -18,9 +18,9 @@ def up
     enable_rls_on_table(:support_faqs)
     enable_rls_on_table(:organizations)
 
-    # Enable RLS on Rails internal tables (block all API access)
-    enable_rls_on_table(:ar_internal_metadata)
-    enable_rls_on_table(:schema_migrations)
+    # NOTE: schema_migrations and ar_internal_metadata intentionally excluded.
+    # Adding FORCE RLS with deny-all to Rails internal tables breaks db:migrate
+    # on every deploy. These tables are not exposed via any API and need no RLS.
 
     # ===========================================================================
     # SUPPORT TICKETS - Organization scoped
@@ -297,24 +297,6 @@ def up
       USING (false);
     SQL
 
-    # ===========================================================================
-    # RAILS INTERNAL TABLES - Block all API access
-    # These should never be accessible via PostgREST/API
-    # ===========================================================================
-
-    # ar_internal_metadata - Rails internal
-    execute <<-SQL
-      CREATE POLICY ar_internal_metadata_deny_all ON ar_internal_metadata
-      FOR ALL
-      USING (false);
-    SQL
-
-    # schema_migrations - Rails internal
-    execute <<-SQL
-      CREATE POLICY schema_migrations_deny_all ON schema_migrations
-      FOR ALL
-      USING (false);
-    SQL
   end
 
   def down
@@ -372,10 +354,6 @@ def down
     drop_policy(:organizations, 'organizations_update_policy')
     drop_policy(:organizations, 'organizations_delete_policy')
 
-    # Drop policies for Rails internal tables
-    drop_policy(:ar_internal_metadata, 'ar_internal_metadata_deny_all')
-    drop_policy(:schema_migrations, 'schema_migrations_deny_all')
-
     # Disable RLS
     disable_rls_on_table(:support_tickets)
     disable_rls_on_table(:support_ticket_messages)
@@ -386,8 +364,6 @@ def down
     disable_rls_on_table(:opponent_teams)
     disable_rls_on_table(:support_faqs)
     disable_rls_on_table(:organizations)
-    disable_rls_on_table(:ar_internal_metadata)
-    disable_rls_on_table(:schema_migrations)
   end
 
   private

db/migrate/20260418000001_remove_rls_from_rails_internal_tables.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# Rails internal tables (schema_migrations, ar_internal_metadata) should never
+# have RLS. With FORCE ROW LEVEL SECURITY and a deny-all policy, db:migrate
+# fails on every deploy because the prostaff user cannot INSERT into
+# schema_migrations to record completed migrations. This migration undoes the
+# RLS applied by EnableRlsOnRemainingTables (20260125000001).
+class RemoveRlsFromRailsInternalTables < ActiveRecord::Migration[7.2]
+  def up
+    execute "DROP POLICY IF EXISTS schema_migrations_deny_all ON schema_migrations;"
+    execute "ALTER TABLE schema_migrations NO FORCE ROW LEVEL SECURITY;"
+    execute "ALTER TABLE schema_migrations DISABLE ROW LEVEL SECURITY;"
+
+    execute "DROP POLICY IF EXISTS ar_internal_metadata_deny_all ON ar_internal_metadata;"
+    execute "ALTER TABLE ar_internal_metadata NO FORCE ROW LEVEL SECURITY;"
+    execute "ALTER TABLE ar_internal_metadata DISABLE ROW LEVEL SECURITY;"
+  end
+
+  def down
+    execute "ALTER TABLE schema_migrations ENABLE ROW LEVEL SECURITY;"
+    execute "ALTER TABLE schema_migrations FORCE ROW LEVEL SECURITY;"
+    execute <<-SQL
+      CREATE POLICY schema_migrations_deny_all ON schema_migrations
+      FOR ALL USING (false);
+    SQL
+
+    execute "ALTER TABLE ar_internal_metadata ENABLE ROW LEVEL SECURITY;"
+    execute "ALTER TABLE ar_internal_metadata FORCE ROW LEVEL SECURITY;"
+    execute <<-SQL
+      CREATE POLICY ar_internal_metadata_deny_all ON ar_internal_metadata
+      FOR ALL USING (false);
+    SQL
+  end
+end