SEC-104 · Overdue · policy
Read-only prod DB for migration dry-run?
Platform team needs to validate the new migration against real prod data shapes. Three options weighed; security owns the call.
Decider
@rae · security
overdue 1d
OVR
Drafted memo
A scoped read role on the migrations schema gives us 24h of validation against real data without exposing customer rows.
A sanitized dump takes 4 hours to produce and grows stale immediately.
Recommendation: 24h read role, audited, scoped to schema-level access only.
Options
Grant 24h read role scoped to migrations schema
Auditable, time-boxed, real data shapes
cost: 0 — audit log + auto-revoke already in place
Provide a sanitized dump
Strongest isolation
cost: 4h to generate + stale within hours
When you ship Cloud, deciders pick from Slack or here. The decision is committed back as a memo under .crastinating/decisions/.