Supabase one-shot schema replaced with six node-pg-migrate files
Commit `b9f5f60a` is the portability change that makes this fork runnable on plain Postgres 16. The upstream one-shot schema - with its `auth.users` FK, RLS policies, and `handle_new_user` trigger - is broken into six sequential migration files runnable against any Postgres instance, plus a migration runner with Managed Identity support for Azure.
The six migrations are: 0000_initial (upstream schema with all Supabase-specific items stripped and annotated with TODO(entraid) comments explaining each removal), 0001_tenant_policy (tenants and tenant_group_policies tables for Entra multi-tenant mode), 0002_user_profile_email (adds an email column so user lookups don't need the Supabase Auth admin API), 0003_user_profile_provider_keys (OpenAI and Azure OpenAI key columns), 0004_user_profile_fast_model, and 0005_postgres_roles (recreates the web_anon / authenticated / service_role PostgREST role topology).
The runner in scripts/runMigrations.ts uses node-pg-migrate. For supabase and local modes it picks DATABASE_URL directly. For entra mode it mints a Postgres Flexible Server Managed Identity token via @azure/identity and injects it as the password. After all migrations complete the runner emits NOTIFY pgrst, 'reload schema' so PostgREST picks up schema changes without a container restart.
The Supabase-specific pieces that were removed: the user_id FK to auth.users (now a plain unique constraint, with the Entra OID stored directly), all RLS policies (authorization moved to backend/src/lib/access.ts), and the handle_new_user trigger (profile creation is now an application-level upsert in the auth middleware).
The MI token-minting branch in the runner is Entra-specific. If you adopt this migration set for a non-Azure deployment, that branch needs to be stripped or made conditional.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?