wasi-auth PostgreSQL relational kernel. Users, credentials, sessions,
providers, passkeys, organizations, roles, policies, and audit rows are
authoritative relational records; auth event replay and projection catch-up
are not part of this product. Each mutation is one typed PostgreSQL statement
that also commits idempotency, authorization revision, audit, and encrypted
outbox changes. Embedded Cedar is the default authorizer; mail and optional
SpiceDB relationships share the canonical auth_outbox.
This page is the production checklist for examples/fullstack-app. It does not
replace database backups, provider credential setup, or cloud-specific network
allowlisting.
Backend Status
Configuration
Use the public Makefile inputs.DATABASE_URL is an internal value passed from
the Makefile to the Spin component.
Fresh Schema Reset
The reset target erases only fullstack auth tables for the selected backend. It does not carry or recreate a second schema copy;wasi-auth reapplies its
checksum-verified canonical migration when the app next starts.
fresh for local development, disposable integration databases, or a
planned destructive reset. Do not run it against production data unless the
event history has been exported or the environment is intentionally being
destroyed.
Do not treat historical MySQL auth-stack evidence as evidence for this
consolidated template. PostgreSQL must be re-verified against the current
wasi-auth schema and all REST/gRPC/browser flows before stable promotion.
Safe Rollout Sequence
- Back up the SQL database or snapshot the managed database instance.
-
Compile the selected backend:
-
Apply additive schema changes with the generated
wasi-auth-migratebinary before starting Spin. The request component never mutates schema. - Start the Spin app with the selected backend URL.
-
Check storage status:
-
Run the auth smoke suite against the live app:
Start that test server with
AUTH_BOOTSTRAP_ADMIN_EMAILS=storage-smoke@example.test. The smoke enrolls MFA, uses the verified session cookie plus CSRF token for administration, and never installs a shared system token.
Migration Rules
- Never edit an applied migration or overwrite its checksum.
- Apply additive numbered migrations under the PostgreSQL advisory lock.
- Reject checksum drift, gaps, duplicates, and unknown future versions.
- Run
wasi-auth-migrate verify-databaseafter apply and before serving. - Back up authoritative relational tables before a destructive transform.
Rollback Rules
- If command writes fail after a deploy, stop writes first.
- Roll back app code only when the older binary supports the already-applied additive schema.
- Never roll back by deleting migration rows or restoring old checksums.
- If authoritative auth rows are corrupt or missing, restore from database backup; there is no auth event log from which to rebuild them.
Production Gate
Before a backend is marked stable for fullstack production use, capture:- Compile evidence for HTTP and gRPC features.
- Reset evidence against a disposable live database.
CHECK_STORAGE_EVENTS=1smoke evidence.wasi-auth-migrate verify-databaseafter the final migration.- The dedicated live PostgreSQL kernel contracts, including final-owner concurrency, token replay, outbox delivery, and invalidation notification.