From 848d9e9af16d6a492376f2013f1071a67aa29b59 Mon Sep 17 00:00:00 2001 From: igm Date: Mon, 12 Jan 2026 12:33:20 +0800 Subject: [PATCH] Add db-dump and db-migrate scripts to strip \restrict lines PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output (CVE-2025-8714 security fix), causing schema.sql to appear changed on every dump even when the schema hasn't changed. These wrapper scripts run dbmate and strip the \restrict lines from the output to keep schema.sql stable. Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 8 ++++++++ README.md | 2 ++ db/schema.sql | 2 -- scripts/db-dump | 16 ++++++++++++++++ scripts/db-migrate | 16 ++++++++++++++++ 5 files changed, 42 insertions(+), 2 deletions(-) create mode 100755 scripts/db-dump create mode 100755 scripts/db-migrate diff --git a/CLAUDE.md b/CLAUDE.md index 8693868..f8e1618 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,5 +1,13 @@ # Claude Code Notes +## Database Scripts + +Use the wrapper scripts instead of running dbmate directly: +- `./scripts/db-dump` - Dump schema without random `\restrict` tokens +- `./scripts/db-migrate` - Run migrations and dump clean schema + +PostgreSQL 17.6+ adds random `\restrict`/`\unrestrict` lines to pg_dump output (CVE-2025-8714 fix), causing schema.sql to show as changed on every dump. These scripts strip those lines. + ## Development Server Before starting the dev server, check if it's already running: diff --git a/README.md b/README.md index b39620e..5c41809 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,8 @@ bun run dev | `bun run lint:fix` | Fix linting issues | | `bun run test` | Run tests | | `bun run db:codegen` | Generate database types | +| `./scripts/db-dump` | Dump database schema (strips `\restrict` lines) | +| `./scripts/db-migrate` | Run migrations (strips `\restrict` lines) | ## CLI diff --git a/db/schema.sql b/db/schema.sql index 6be1a60..386cd62 100644 --- a/db/schema.sql +++ b/db/schema.sql 
@@ -1,4 +1,3 @@ -\restrict F9AizESreuRieL4inRcHWWg3hyNET0FgnBDFBBBU3cZGPEpHjb591l8S2iglpap -- Dumped from database version 17.7 -- Dumped by pg_dump version 17.7
@@ -1084,7 +1083,6 @@ ALTER TABLE ONLY public.user_devices -- PostgreSQL database dump complete -- -\unrestrict F9AizESreuRieL4inRcHWWg3hyNET0FgnBDFBBBU3cZGPEpHjb591l8S2iglpap --
diff --git a/scripts/db-dump b/scripts/db-dump
new file mode 100755
index 0000000..86c335d
--- /dev/null
+++ b/scripts/db-dump
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Wrapper for dbmate dump that strips PostgreSQL's \restrict lines.
+# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
+# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
+
+set -euo pipefail
+
+SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
+
+dbmate dump "$@"
+
+# Strip \restrict and \unrestrict lines (they start with backslash)
+if [[ -f "$SCHEMA_FILE" ]]; then
+ grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
+ mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
+fi
diff --git a/scripts/db-migrate b/scripts/db-migrate
new file mode 100755
index 0000000..f0454f6
--- /dev/null
+++ b/scripts/db-migrate
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Wrapper for dbmate migrate that strips PostgreSQL's \restrict lines.
+# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
+# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
+
+set -euo pipefail
+
+SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
+
+dbmate migrate "$@"
+
+# Strip \restrict and \unrestrict lines (they start with backslash)
+if [[ -f "$SCHEMA_FILE" ]]; then
+ grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
+ mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
+fi
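Review bot: The filter `grep -v '^\\'` in scripts/db-dump (and the identical line in scripts/db-migrate) removes every line that begins with a backslash, not just the two `\restrict`/`\unrestrict` guard lines, so any other psql meta-command that ever shows up in the dump is deleted silently instead of appearing in the schema.sql diff for review. Matching only the guard lines, `grep -v -E '^\\(un)?restrict ' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"`, keeps the output stable without hiding anything else. The header comment should also state that the stripped file no longer carries the CVE-2025-8714 guard when it is loaded through psql, so it must only be produced from a database the team trusts, for example `# NOTE: removes the psql \restrict guard; only dump from a trusted database.` Separately, both scripts read only `DBMATE_SCHEMA_FILE`, so a path passed through dbmate's `--schema-file` option in `"$@"` would be written by dbmate but never stripped.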