PR-1: Migrations & Base Schema (tenant_keys, person)

.github/workflows/php-ci.yml

@@ -24,4 +24,55 @@ jobs:
 
   test:
     name: PEST Tests
-    uses: SecPal/.github/.github/workflows/reusable-php-test.yml@main
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.head_ref, 'spike/') && !startsWith(github.ref, 'refs/heads/spike/') }}
+
+    services:
+      postgres:
+        image: postgres:17-alpine
+        env:
+          POSTGRES_DB: db
+          POSTGRES_USER: db
+          POSTGRES_PASSWORD: db
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.4"
+          extensions: mbstring, xml, ctype, iconv, intl, pdo, pdo_pgsql
+          coverage: xdebug
+
+      - name: Get Composer Cache Directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+
+      - name: Run tests
+        env:
+          DB_CONNECTION: pgsql
+          DB_HOST: localhost
+          DB_PORT: 5432
+          DB_DATABASE: db
+          DB_USERNAME: db
+          DB_PASSWORD: db
+        run: php artisan test

.github/workflows/quality.yml

@@ -44,7 +44,56 @@ jobs:
 
   pest:
     name: PEST Tests
-    uses: SecPal/.github/.github/workflows/reusable-php-test.yml@main
-    with:
-      php-version: "8.4"
-      test-command: "./vendor/bin/pest"
+    runs-on: ubuntu-latest
+    # Skip tests for spike branches (exploration/prototyping)
+    # Spike branches are for experimentation and cannot be merged to main
+    # See: CONTRIBUTING.md - Spike Branch Policy
+    if: ${{ !startsWith(github.head_ref, 'spike/') && !startsWith(github.ref, 'refs/heads/spike/') }}
+    services:
+      postgres:
+        image: postgres:17-alpine
+        env:
+          POSTGRES_DB: testing
+          POSTGRES_USER: testing
+          POSTGRES_PASSWORD: testing
+        options: >-
+          --health-cmd="pg_isready -U testing"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
+        ports:
+          - 5432:5432
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.4"
+          extensions: mbstring, xml, ctype, iconv, intl, pdo_pgsql
+          coverage: xdebug
+
+      - name: Get Composer Cache Directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+
+      - name: Run Tests
+        env:
+          DB_CONNECTION: pgsql
+          DB_HOST: localhost
+          DB_PORT: 5432
+          DB_DATABASE: testing
+          DB_USERNAME: testing
+          DB_PASSWORD: testing
+        run: ./vendor/bin/pest

composer.json

@@ -11,7 +11,9 @@
   "require": {
     "php": "^8.4",
     "laravel/framework": "^12.36",
-    "laravel/tinker": "^2.10.1"
+    "laravel/sanctum": "^4.2",
+    "laravel/tinker": "^2.10.1",
+    "spatie/laravel-permission": "^6.22"
   },
   "require-dev": {
     "fakerphp/faker": "^1.23",

database/migrations/2025_11_01_165633_create_tenant_keys_table.php

@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * SPDX-FileCopyrightText: 2025 SecPal Contributors
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('tenant_keys', function (Blueprint $table) {
+            $table->id();
+            $table->binary('dek_wrapped');
+            $table->binary('dek_nonce');
+            $table->binary('idx_wrapped');
+            $table->binary('idx_nonce');
+            $table->integer('key_version')->default(1);
+            $table->timestamp('created_at')->useCurrent();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('tenant_keys');
+    }
+};

database/migrations/2025_11_01_165901_create_person_table.php

@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * SPDX-FileCopyrightText: 2025 SecPal Contributors
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('person', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('tenant_id')->constrained('tenant_keys')->onDelete('cascade');
+            $table->binary('email_enc');
+            $table->binary('email_idx');
+            $table->binary('phone_enc');
+            $table->binary('phone_idx');
+            $table->text('note_enc')->nullable();
+            $table->timestamps();
+
+            $table->index(['tenant_id', 'email_idx']);
+            $table->index(['tenant_id', 'phone_idx']);
+        });
+
+        // PostgreSQL-specific full-text search support
+        if (DB::connection()->getDriverName() === 'pgsql') {
+            DB::statement('ALTER TABLE person ADD COLUMN note_tsv tsvector');
+            DB::statement('CREATE INDEX person_note_tsv_idx ON person USING GIN (note_tsv)');
+        }
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('person');
+    }
+};

phpunit.xml

@@ -30,8 +30,8 @@ SPDX-License-Identifier: CC0-1.0
         <env name="BCRYPT_ROUNDS" value="4"/>
         <env name="BROADCAST_CONNECTION" value="null"/>
         <env name="CACHE_STORE" value="array"/>
-        <env name="DB_CONNECTION" value="sqlite"/>
-        <env name="DB_DATABASE" value=":memory:"/>
+        <env name="DB_CONNECTION" value="pgsql"/>
+        <env name="DB_DATABASE" value="testing"/>
         <env name="MAIL_MAILER" value="array"/>
         <env name="QUEUE_CONNECTION" value="sync"/>
         <env name="SESSION_DRIVER" value="array"/>