Add db-dump and db-migrate scripts to strip \restrict lines

PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump
output (CVE-2025-8714 security fix), causing schema.sql to appear
changed on every dump even when the schema hasn't changed.

These wrapper scripts run dbmate and strip the \restrict lines from
the output to keep schema.sql stable.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/db-dump

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Wrapper for dbmate dump that strips PostgreSQL's \restrict lines.
+# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
+# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
+
+set -euo pipefail
+
+SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
+
+dbmate dump "$@"
+
+# Strip \restrict and \unrestrict lines (they start with backslash)
+if [[ -f "$SCHEMA_FILE" ]]; then
+  grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
+  mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
+fi

scripts/db-migrate

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Wrapper for dbmate migrate that strips PostgreSQL's \restrict lines.
+# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
+# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
+
+set -euo pipefail
+
+SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
+
+dbmate migrate "$@"
+
+# Strip \restrict and \unrestrict lines (they start with backslash)
+if [[ -f "$SCHEMA_FILE" ]]; then
+  grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
+  mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
+fi