fix(backend): rename users table to app_users (closes #418) #419

Merged

marcel merged 1 commits from feat/issue-418-rename-users-table-to-app-users into main 2026-05-04 21:57:33 +02:00

Conversation 7 Commits 1 Files Changed 10 +117 -23

marcel commented 2026-05-04 21:46:18 +02:00

Owner

Copy Link

Closes #418. Unblocks #407 (REFACTOR-1).

What

Renames the auth-account table from users to app_users so that the database schema aligns with the AppUser Java entity and the canonical user package coming in REFACTOR-1. Removes the schema-level confusion with the persons table that AUDIT-4 (#391) flagged as the top blocker for the big-bang restructure.

Migration scope

V60__rename_users_to_app_users.sql performs five renames:

Before	After
users	app_users
users_groups	app_users_groups
app_users_groups.user_id	app_users_groups.app_user_id
comment_mentions.user_id	comment_mentions.app_user_id
password_reset_tokens.user_id	password_reset_tokens.app_user_id

Only columns whose name is literally user_id are renamed. Semantic FK columns keep their names because the role they describe is the documentation, not the type:

• audit_log.actor_id (actor of an audit event — also referenced by idx_audit_log_actor_id and idx_audit_log_rollup)
• notifications.recipient_id
• document_versions.editor_id
• document_comments.author_id
• transcription_blocks.created_by / updated_by
• transcription_block_versions.changed_by
• document_annotations.created_by
• ocr_training_runs.triggered_by
• invite_tokens.created_by
• geschichten.author_id

PostgreSQL automatically updates FK constraint metadata when the referenced table is renamed, so no DROP CONSTRAINT … ADD CONSTRAINT cycle is needed.

Code changes

• AppUser.java — @Table(name = "app_users") and @JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), …)
• DocumentComment.java — mention join column → app_user_id
• PasswordResetToken.java — FK join column → app_user_id
• AuditLogQueryRepository.java — three native query LEFT JOIN users u … → LEFT JOIN app_users u …
• Test fixtures across MigrationIntegrationTest, AuditLogQueryRepositoryIntegrationTest, AuditLogQueryRepositoryContributorsTest, AuditLogQueryRepositoryRolledUpTest rewritten from INSERT INTO users → INSERT INTO app_users

Out of scope

• The Java entity name AppUser is not changed — the App prefix exists deliberately to keep auth accounts from being conflated with historical Persons (per project convention)
• Historical migrations (V1–V59) reference users because the rename hadn't run yet at that point in the migration timeline; Flyway runs them in order, so those references remain valid
• scripts/schema.sql snapshot (separate audit-flagged stale-snapshot item, out of scope here)

Test plan

• New RenameUsersToAppUsersMigrationTest (Testcontainers + JdbcTemplate) verifies the post-V60 schema: app_users exists, users does not, the three app_user_id columns exist, and audit_log.actor_id is not touched (regression guard)
• Full backend suite: ./mvnw test — 1489 tests across 92 classes, 0 failures, 0 errors
• Clean build: ./mvnw clean package -DskipTests — BUILD SUCCESS

Decision context

This implements Option A from the decision matrix in #418. Rationale and trade-offs vs Options B (rename entity to User) and C (glossary-only) are recorded as a comment on #418.

Closes #418. Unblocks #407 (REFACTOR-1). ## What Renames the auth-account table from `users` to `app_users` so that the database schema aligns with the `AppUser` Java entity and the canonical `user` package coming in REFACTOR-1. Removes the schema-level confusion with the `persons` table that AUDIT-4 (#391) flagged as the top blocker for the big-bang restructure. ## Migration scope `V60__rename_users_to_app_users.sql` performs five renames: | Before | After | |---|---| | `users` | `app_users` | | `users_groups` | `app_users_groups` | | `app_users_groups.user_id` | `app_users_groups.app_user_id` | | `comment_mentions.user_id` | `comment_mentions.app_user_id` | | `password_reset_tokens.user_id` | `password_reset_tokens.app_user_id` | Only columns whose name is literally `user_id` are renamed. Semantic FK columns keep their names because the role they describe is the documentation, not the type: - `audit_log.actor_id` (actor of an audit event — also referenced by `idx_audit_log_actor_id` and `idx_audit_log_rollup`) - `notifications.recipient_id` - `document_versions.editor_id` - `document_comments.author_id` - `transcription_blocks.created_by` / `updated_by` - `transcription_block_versions.changed_by` - `document_annotations.created_by` - `ocr_training_runs.triggered_by` - `invite_tokens.created_by` - `geschichten.author_id` PostgreSQL automatically updates FK constraint metadata when the referenced table is renamed, so no `DROP CONSTRAINT … ADD CONSTRAINT` cycle is needed. ## Code changes - `AppUser.java` — `@Table(name = "app_users")` and `@JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), …)` - `DocumentComment.java` — mention join column → `app_user_id` - `PasswordResetToken.java` — FK join column → `app_user_id` - `AuditLogQueryRepository.java` — three native query `LEFT JOIN users u …` → `LEFT JOIN app_users u …` - Test fixtures across `MigrationIntegrationTest`, `AuditLogQueryRepositoryIntegrationTest`, `AuditLogQueryRepositoryContributorsTest`, `AuditLogQueryRepositoryRolledUpTest` rewritten from `INSERT INTO users` → `INSERT INTO app_users` ## Out of scope - The Java entity name `AppUser` is not changed — the `App` prefix exists deliberately to keep auth accounts from being conflated with historical Persons (per project convention) - Historical migrations (V1–V59) reference `users` because the rename hadn't run yet at that point in the migration timeline; Flyway runs them in order, so those references remain valid - `scripts/schema.sql` snapshot (separate audit-flagged stale-snapshot item, out of scope here) ## Test plan - [x] New `RenameUsersToAppUsersMigrationTest` (Testcontainers + JdbcTemplate) verifies the post-V60 schema: `app_users` exists, `users` does not, the three `app_user_id` columns exist, and `audit_log.actor_id` is **not** touched (regression guard) - [x] Full backend suite: `./mvnw test` — 1489 tests across 92 classes, 0 failures, 0 errors - [x] Clean build: `./mvnw clean package -DskipTests` — BUILD SUCCESS ## Decision context This implements **Option A** from the decision matrix in #418. Rationale and trade-offs vs Options B (rename entity to `User`) and C (glossary-only) are recorded as a comment on #418.

marcel added 1 commit 2026-05-04 21:46:18 +02:00

fix(backend): rename users table to app_users ... eedf5e3ac1

Aligns the auth-account table name with the AppUser entity. The historical
mismatch (table 'users' alongside table 'persons') misled schema-first readers
into assuming the two were related; renaming to 'app_users' makes the
deliberate split between auth accounts and historical persons explicit at the
schema layer.

Scope: the table itself, the users_groups join table, and the three FK columns
whose name was literally 'user_id'. Semantic FK columns (audit_log.actor_id,
notifications.recipient_id, document_versions.editor_id, etc.) keep their
names — the role they describe is the documentation, not the type.

Closes #418. Unblocks #407 (REFACTOR-1).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel commented 2026-05-04 21:53:46 +02:00

Author

Owner

Copy Link

Markus Keller — Senior Application Architect

Verdict: Approved

This is exactly the kind of low-risk, high-clarity refactor I want to see before bigger restructures land. The schema-level confusion between users and persons was a real navigation hazard for new readers, and the rename eliminates it without expanding scope.

What I like

• Single, atomic Flyway migration (V60). No chained release, no application-level coordination, no dual-read window. Pure DDL — Postgres updates the FK constraint metadata when the referenced table is renamed, so no DROP CONSTRAINT … ADD CONSTRAINT cycle is needed. Correct.
• Migration comment captures the why. The header explains the schema-first reader confusion that motivated the rename and lists every semantic FK column that is intentionally untouched (actor_id, recipient_id, editor_id, author_id, created_by, etc.). This is the level of in-migration documentation I want — future me will not have to dig through PR descriptions to understand the boundary.
• Discipline on what does NOT get renamed. Renaming only literal user_id columns and leaving role-named FKs alone is the right call. audit_log.actor_id describes the role (the actor of the event), not the type — the column name is documentation, not redundant typing. The migration test asserts actor_id survives, which is a clean regression guard.
• Module boundaries respected. No service crosses into another domain's repository because of this change. The rename is purely persistence-layer; no service signatures change. Clean.
• Entity naming preserved. Keeping the AppUser Java entity name (rather than renaming to User) is the right trade-off given the project convention that Person ≠ AppUser. This was the deliberate choice in #418's Option A and the PR body is explicit about it. Good decision discipline.

Minor observations (not blockers)

1. Historical V1–V59 still reference the users table name. This is correct — Flyway runs migrations in order, so those statements were valid at the time. PR body calls this out. No action needed; flagging only because someone scanning grep -r users backend/src/main/resources/db/migration will see them and need this context. The migration header comment already explains it implicitly.
2. scripts/schema.sql snapshot is stale and out of scope. PR body acknowledges this with a forward reference to the audit-flagged item. Approved as-deferred — do not expand scope here.
3. Hibernate auto-DDL guard. I assume spring.jpa.hibernate.ddl-auto=validate (or none) in the prod-ish profiles, which would catch a mismatch between the entity @Table(name = "app_users") and the DB if either side drifted. Worth confirming once via grep ddl-auto but not a PR blocker.

Architecture-tier checklist

• Schema change versioned via Flyway (V60)
• Migration is atomic and idempotent at the DDL level
• Entity-to-table mapping kept in sync (AppUser, DocumentComment, PasswordResetToken)
• Native queries updated (AuditLogQueryRepository)
• No layer-boundary leaks introduced
• No new cross-domain coupling
• Dedicated migration test for the rename + regression guard for untouched columns

Ship it.

## Markus Keller — Senior Application Architect **Verdict: Approved** This is exactly the kind of low-risk, high-clarity refactor I want to see before bigger restructures land. The schema-level confusion between `users` and `persons` was a real navigation hazard for new readers, and the rename eliminates it without expanding scope. ### What I like - **Single, atomic Flyway migration (V60).** No chained release, no application-level coordination, no dual-read window. Pure DDL — Postgres updates the FK constraint metadata when the referenced table is renamed, so no `DROP CONSTRAINT … ADD CONSTRAINT` cycle is needed. Correct. - **Migration comment captures the *why*.** The header explains the schema-first reader confusion that motivated the rename and lists every semantic FK column that is intentionally untouched (`actor_id`, `recipient_id`, `editor_id`, `author_id`, `created_by`, etc.). This is the level of in-migration documentation I want — future me will not have to dig through PR descriptions to understand the boundary. - **Discipline on what does NOT get renamed.** Renaming only literal `user_id` columns and leaving role-named FKs alone is the right call. `audit_log.actor_id` describes the *role* (the actor of the event), not the type — the column name is documentation, not redundant typing. The migration test asserts `actor_id` survives, which is a clean regression guard. - **Module boundaries respected.** No service crosses into another domain's repository because of this change. The rename is purely persistence-layer; no service signatures change. Clean. - **Entity naming preserved.** Keeping the `AppUser` Java entity name (rather than renaming to `User`) is the right trade-off given the project convention that `Person` ≠ `AppUser`. This was the deliberate choice in #418's Option A and the PR body is explicit about it. Good decision discipline. ### Minor observations (not blockers) 1. **Historical V1–V59 still reference the `users` table name.** This is correct — Flyway runs migrations in order, so those statements were valid at the time. PR body calls this out. No action needed; flagging only because someone scanning `grep -r users backend/src/main/resources/db/migration` will see them and need this context. The migration header comment already explains it implicitly. 2. **`scripts/schema.sql` snapshot is stale and out of scope.** PR body acknowledges this with a forward reference to the audit-flagged item. Approved as-deferred — do not expand scope here. 3. **Hibernate auto-DDL guard.** I assume `spring.jpa.hibernate.ddl-auto=validate` (or `none`) in the prod-ish profiles, which would catch a mismatch between the entity `@Table(name = "app_users")` and the DB if either side drifted. Worth confirming once via `grep ddl-auto` but not a PR blocker. ### Architecture-tier checklist - [x] Schema change versioned via Flyway (V60) - [x] Migration is atomic and idempotent at the DDL level - [x] Entity-to-table mapping kept in sync (`AppUser`, `DocumentComment`, `PasswordResetToken`) - [x] Native queries updated (`AuditLogQueryRepository`) - [x] No layer-boundary leaks introduced - [x] No new cross-domain coupling - [x] Dedicated migration test for the rename + regression guard for untouched columns Ship it.

marcel commented 2026-05-04 21:54:05 +02:00

Author

Owner

Copy Link

Felix Brandt — Senior Fullstack Developer

Verdict: Approved

Clean, focused, well-tested. The PR does exactly what the title says — nothing more, nothing less. TDD evidence is present (the migration test class exists alongside the migration), and the test names read as sentences. Good work.

TDD evidence

• RenameUsersToAppUsersMigrationTest has five tests, each with a single behavior:
  • v60_appUsersTableExists_andUsersTableIsGone
  • v60_appUsersGroupsJoinTableExists_withRenamedColumn
  • v60_commentMentionsColumnRenamed
  • v60_passwordResetTokensColumnRenamed
  • v60_auditLogActorIdRemains — the regression guard for the deliberately-untouched columns
• Test names follow the v60_<thing>_<expected> pattern. They read as sentences. When one fails in CI, the developer knows exactly what broke without opening the file.
• tableExists() and columnExists() helpers are extracted — no duplicated information_schema queries. Clean.

Naming and clarity

• The migration filename V60__rename_users_to_app_users.sql reveals intent at the directory listing.
• The migration header comment explains why (schema reader confusion vs persons), not what (which is obvious from the SQL). Exactly the kind of comment that should exist.
• Entity @Table(name = "app_users") annotation is updated. @JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), …) is consistent.

Test fixture rewrites

The four test classes that had INSERT INTO users (…) literals were all updated to INSERT INTO app_users (…). This is mechanical but necessary, and the diff confirms every reference flipped:

• AuditLogQueryRepositoryContributorsTest
• AuditLogQueryRepositoryIntegrationTest
• AuditLogQueryRepositoryRolledUpTest
• MigrationIntegrationTest (V44 email constraint tests + insertUser() helper)

Minor — non-blocking

1. Native query in AuditLogQueryRepository — three LEFT JOIN users u lines became LEFT JOIN app_users u. The alias u is fine since it stays local to the query, but if you ever extract this to a helper or constant, consider LEFT JOIN app_users au for readability when the query grows. Don't change it now.
2. The PR body promises a 1489-test green run. I trust it but I'd want CI to enforce that — make sure ./mvnw test runs and stays green on this branch before merge. (Confirmed by the test plan checkbox.)

What I'd flag if I saw it (and didn't)

• Implementation code without a failing test first. The migration test class was added in this PR alongside the migration. Red→green discipline preserved.
• Comments explaining what the SQL does. The header comment explains why, not what. Correct.
• Optional.get() or raw exceptions. N/A for this PR.

LGTM. Merge it.

## Felix Brandt — Senior Fullstack Developer **Verdict: Approved** Clean, focused, well-tested. The PR does exactly what the title says — nothing more, nothing less. TDD evidence is present (the migration test class exists alongside the migration), and the test names read as sentences. Good work. ### TDD evidence - `RenameUsersToAppUsersMigrationTest` has five tests, each with a single behavior: - `v60_appUsersTableExists_andUsersTableIsGone` - `v60_appUsersGroupsJoinTableExists_withRenamedColumn` - `v60_commentMentionsColumnRenamed` - `v60_passwordResetTokensColumnRenamed` - `v60_auditLogActorIdRemains` — the regression guard for the deliberately-untouched columns - Test names follow the `v60_<thing>_<expected>` pattern. They read as sentences. When one fails in CI, the developer knows exactly what broke without opening the file. - `tableExists()` and `columnExists()` helpers are extracted — no duplicated `information_schema` queries. Clean. ### Naming and clarity - The migration filename `V60__rename_users_to_app_users.sql` reveals intent at the directory listing. - The migration header comment explains *why* (schema reader confusion vs `persons`), not *what* (which is obvious from the SQL). Exactly the kind of comment that should exist. - Entity `@Table(name = "app_users")` annotation is updated. `@JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), …)` is consistent. ### Test fixture rewrites The four test classes that had `INSERT INTO users (…)` literals were all updated to `INSERT INTO app_users (…)`. This is mechanical but necessary, and the diff confirms every reference flipped: - `AuditLogQueryRepositoryContributorsTest` - `AuditLogQueryRepositoryIntegrationTest` - `AuditLogQueryRepositoryRolledUpTest` - `MigrationIntegrationTest` (V44 email constraint tests + `insertUser()` helper) ### Minor — non-blocking 1. **Native query in `AuditLogQueryRepository`** — three `LEFT JOIN users u` lines became `LEFT JOIN app_users u`. The alias `u` is fine since it stays local to the query, but if you ever extract this to a helper or constant, consider `LEFT JOIN app_users au` for readability when the query grows. Don't change it now. 2. **The PR body promises a 1489-test green run.** I trust it but I'd want CI to enforce that — make sure `./mvnw test` runs and stays green on this branch before merge. (Confirmed by the test plan checkbox.) ### What I'd flag if I saw it (and didn't) - ~~Implementation code without a failing test first.~~ The migration test class was added in this PR alongside the migration. Red→green discipline preserved. - ~~Comments explaining *what* the SQL does.~~ The header comment explains *why*, not *what*. Correct. - ~~`Optional.get()` or raw exceptions.~~ N/A for this PR. LGTM. Merge it.

marcel commented 2026-05-04 21:54:24 +02:00

Author

Owner

Copy Link

Tobias Wendt — DevOps & Platform Engineer

Verdict: Approved with one operational note

Pure DDL rename via Flyway, single forward migration, no infra changes. From an ops perspective this is about as low-risk as a schema change gets — but I want to flag one operational consideration so future-me (or future-you at 2am) is not surprised.

What's solid

• Forward-only migration via Flyway (V60). Versioned, repeatable, runs in CI against real Postgres via Testcontainers (MigrationIntegrationTest). Standard Familienarchiv pattern, no surprises.
• No Compose changes, no env var changes, no port changes. Pure application-internal refactor. No deployment coordination needed beyond "deploy the new JAR with the migration in it."
• postgres:16-alpine is pinned everywhere. No version drift concerns.
• CI test path covers it. ./mvnw test runs all 92 test classes including the new RenameUsersToAppUsersMigrationTest. If the migration breaks, CI catches it before prod.

Operational note (not a blocker)

Rollback strategy is forward-only. If you deploy this to prod and need to revert, you cannot just redeploy the previous JAR — Flyway will see V60 has already run and the previous JAR's entities still expect users/users_groups/user_id. A real rollback requires either:

• A new V61 migration that renames back (and a redeploy with the old code), or
• Manual ALTER TABLE app_users RENAME TO users; ... on the prod DB followed by a flyway repair to clear the V60 entry from the history table.

This is normal for Flyway forward-only migrations and not a reason to block the PR — but it does mean the deploy needs:

1. A pg_dump immediately before the deploy (your Layer 1 nightly might be up to 24h stale)
2. Confirmation that the deploy is happening during a window where you can tolerate a few minutes of "everyone needs to log back in" if anything goes sideways with app_users_groups lookups during the rename
3. A note in your deploy log saying "V60 ran, rename complete" so a later forensics session can pinpoint the moment

The rename itself takes milliseconds — ALTER TABLE … RENAME is metadata-only in Postgres, no table rewrite. So the application downtime window is essentially the JAR restart, not the migration runtime. Good.

Backup verification

Worth running your monthly pg_dump → restore test on a backup taken after this deploys, just to confirm the new schema names round-trip cleanly through your backup pipeline. This is normal practice for any migration that renames a table — not specific to this PR.

Self-hosted compose / production checklist

• No new images added — no version pinning needed
• No new ports exposed
• No secrets touched
• No CI workflow changes
• Migration runs in Testcontainers CI suite

Approved. Take a fresh pg_dump before deploying to prod and you're set.

## Tobias Wendt — DevOps & Platform Engineer **Verdict: Approved with one operational note** Pure DDL rename via Flyway, single forward migration, no infra changes. From an ops perspective this is about as low-risk as a schema change gets — but I want to flag one operational consideration so future-me (or future-you at 2am) is not surprised. ### What's solid - **Forward-only migration via Flyway (V60).** Versioned, repeatable, runs in CI against real Postgres via Testcontainers (`MigrationIntegrationTest`). Standard Familienarchiv pattern, no surprises. - **No Compose changes, no env var changes, no port changes.** Pure application-internal refactor. No deployment coordination needed beyond "deploy the new JAR with the migration in it." - **`postgres:16-alpine` is pinned everywhere.** No version drift concerns. - **CI test path covers it.** `./mvnw test` runs all 92 test classes including the new `RenameUsersToAppUsersMigrationTest`. If the migration breaks, CI catches it before prod. ### Operational note (not a blocker) **Rollback strategy is forward-only.** If you deploy this to prod and need to revert, you cannot just redeploy the previous JAR — Flyway will see V60 has already run and the previous JAR's entities still expect `users`/`users_groups`/`user_id`. A real rollback requires either: - A new V61 migration that renames back (and a redeploy with the old code), or - Manual `ALTER TABLE app_users RENAME TO users; ...` on the prod DB followed by a `flyway repair` to clear the V60 entry from the history table. This is normal for Flyway forward-only migrations and not a reason to block the PR — but it does mean the deploy needs: 1. A pg_dump immediately before the deploy (your Layer 1 nightly might be up to 24h stale) 2. Confirmation that the deploy is happening during a window where you can tolerate a few minutes of "everyone needs to log back in" if anything goes sideways with `app_users_groups` lookups during the rename 3. A note in your deploy log saying "V60 ran, rename complete" so a later forensics session can pinpoint the moment The rename itself takes milliseconds — `ALTER TABLE … RENAME` is metadata-only in Postgres, no table rewrite. So the application downtime window is essentially the JAR restart, not the migration runtime. Good. ### Backup verification Worth running your monthly pg_dump → restore test on a backup taken **after** this deploys, just to confirm the new schema names round-trip cleanly through your backup pipeline. This is normal practice for any migration that renames a table — not specific to this PR. ### Self-hosted compose / production checklist - [x] No new images added — no version pinning needed - [x] No new ports exposed - [x] No secrets touched - [x] No CI workflow changes - [x] Migration runs in Testcontainers CI suite Approved. Take a fresh pg_dump before deploying to prod and you're set.

marcel commented 2026-05-04 21:54:45 +02:00

Author

Owner

Copy Link

Elicit — Senior Requirements Engineer

Verdict: Approved

Working in Brownfield mode. The PR is a refactor with a single, well-bounded requirement: align the schema name with the entity name to remove a documented source of reader confusion (issue #418). I am evaluating it against the Definition of Ready / Definition of Done and the issue-quality lens.

Issue-quality audit (#418 → PR #419)

Criterion	Status
Clear, descriptive title (verb-noun)	Yes — "rename users table to app_users"
Context explained	Yes — schema-reader confusion vs persons table is named explicitly
Acceptance criteria / "done" condition	Implicit but verifiable: V60 migration runs, app_users exists, users does not, three FK columns renamed, semantic FKs untouched
Labeled / categorized	Per the PR body, this is a refactor closing #418 and unblocking #407 (REFACTOR-1)
Sized	Implicitly small (10 changed files, +117 / -23)
Dependencies identified	Yes — closes #418, unblocks #407, references AUDIT-4 (#391)
Decision context	Recorded — "Option A from the decision matrix in #418" with comment on rationale vs Options B and C
Free of ambiguity	Yes — scope explicitly enumerates what is renamed and what is not

This is the kind of issue-to-PR traceability I wish more refactors had.

Definition of Done check

• Acceptance criteria met (assertable via RenameUsersToAppUsersMigrationTest)
• Code committed with descriptive message referencing the issue (fix(backend): rename users table to app_users)
• Happy path tested (table exists, columns renamed)
• Error / regression path tested (v60_auditLogActorIdRemains proves we did NOT touch what we said we would not touch)
• Out-of-scope items explicitly listed in PR body
• No user-facing change — no a11y / mobile / i18n implications

Glossary impact

This PR strengthens the project glossary by removing a long-standing ambiguity:

• Person (historical entity, never has an account) — table persons
• AppUser (auth account, never a historical entity) — was users, now app_users

The rename makes the boundary visible at the schema layer, which is what the project's persona separation guidance (Person ≠ AppUser) has always asked for. Approved as a glossary-tightening change.

Open questions / TBD

• OQ-001: Should the entity AppUser eventually be renamed for further symmetry? Per the PR body and #418's decision matrix, the answer is "no" — AppUser keeps its name deliberately to prevent conflation with Person. This is the correct, documented decision. No follow-up needed.
• OQ-002: scripts/schema.sql snapshot is stale (called out in PR body). This is a separate audit-tracked item, not a blocker for this PR. Defer.

Scope discipline

The PR resists scope creep. It does not:

• Rename the entity (would conflate auth accounts with historical persons)
• Update the stale scripts/schema.sql snapshot (separate tracked item)
• Touch frontend types or i18n keys (none reference the table name)

Resisting these temptations is exactly the right move for a refactor PR. Ship it.

## Elicit — Senior Requirements Engineer **Verdict: Approved** Working in Brownfield mode. The PR is a refactor with a single, well-bounded requirement: align the schema name with the entity name to remove a documented source of reader confusion (issue #418). I am evaluating it against the Definition of Ready / Definition of Done and the issue-quality lens. ### Issue-quality audit (#418 → PR #419) | Criterion | Status | |---|---| | Clear, descriptive title (verb-noun) | Yes — "rename users table to app_users" | | Context explained | Yes — schema-reader confusion vs `persons` table is named explicitly | | Acceptance criteria / "done" condition | Implicit but verifiable: V60 migration runs, `app_users` exists, `users` does not, three FK columns renamed, semantic FKs untouched | | Labeled / categorized | Per the PR body, this is a refactor closing #418 and unblocking #407 (REFACTOR-1) | | Sized | Implicitly small (10 changed files, +117 / -23) | | Dependencies identified | Yes — closes #418, unblocks #407, references AUDIT-4 (#391) | | Decision context | Recorded — "Option A from the decision matrix in #418" with comment on rationale vs Options B and C | | Free of ambiguity | Yes — scope explicitly enumerates what is renamed and what is not | This is the kind of issue-to-PR traceability I wish more refactors had. ### Definition of Done check - [x] Acceptance criteria met (assertable via `RenameUsersToAppUsersMigrationTest`) - [x] Code committed with descriptive message referencing the issue (`fix(backend): rename users table to app_users`) - [x] Happy path tested (table exists, columns renamed) - [x] Error / regression path tested (`v60_auditLogActorIdRemains` proves we did NOT touch what we said we would not touch) - [x] Out-of-scope items explicitly listed in PR body - [x] No user-facing change — no a11y / mobile / i18n implications ### Glossary impact This PR strengthens the project glossary by removing a long-standing ambiguity: - `Person` (historical entity, never has an account) — table `persons` - `AppUser` (auth account, never a historical entity) — was `users`, now `app_users` The rename makes the boundary visible at the schema layer, which is what the project's persona separation guidance (Person ≠ AppUser) has always asked for. Approved as a glossary-tightening change. ### Open questions / TBD - **OQ-001:** Should the entity `AppUser` eventually be renamed for further symmetry? Per the PR body and #418's decision matrix, the answer is "no" — `AppUser` keeps its name deliberately to prevent conflation with `Person`. This is the correct, documented decision. No follow-up needed. - **OQ-002:** `scripts/schema.sql` snapshot is stale (called out in PR body). This is a separate audit-tracked item, not a blocker for this PR. Defer. ### Scope discipline The PR resists scope creep. It does not: - Rename the entity (would conflate auth accounts with historical persons) - Update the stale `scripts/schema.sql` snapshot (separate tracked item) - Touch frontend types or i18n keys (none reference the table name) Resisting these temptations is exactly the right move for a refactor PR. Ship it.

marcel commented 2026-05-04 21:55:08 +02:00

Author

Owner

Copy Link

Nora "NullX" Steiner — Application Security Engineer

Verdict: Approved

This PR is a pure DDL rename with no security-relevant logic changes. I checked the security-sensitive surfaces: authentication lookups, password reset tokens, comment mentions (which determine who is notified), and the audit log query layer (which is read by the activity dashboard). All correct.

Security surface review

1. AppUser entity rename — auth-account integrity preserved

• @Table(name = "app_users") updated, @JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), ...) updated. The relationship between AppUser and UserGroup (which carries the Set<String> permissions) is intact.
• No change to authentication flow. No change to password hashing. No change to session storage. No change to @RequirePermission enforcement.
• This means: PermissionAspect continues to read currentUser.getGroups().stream().flatMap(g -> g.getPermissions().stream()) exactly as before. Authorization is not weakened.

2. PasswordResetToken.user_id → app_user_id rename

• The @JoinColumn(name = "app_user_id", nullable = false) is preserved. nullable = false is critical — a null user on a password reset token would be exploitable. This constraint survives the rename. Good.
• Token uniqueness, length, and expiry semantics are unchanged.

3. comment_mentions.user_id → app_user_id rename

• Mentions drive notifications — a wrongly-mapped column would either silently drop notifications (degraded but safe) or send notifications to the wrong recipient (privacy leak). The @JoinTable in DocumentComment is updated to inverseJoinColumns = @JoinColumn(name = "app_user_id"). Correct mapping preserved.

4. AuditLogQueryRepository native queries

• Three native query LEFT JOIN users u ON u.id = a.actor_id joins were updated to LEFT JOIN app_users u ON u.id = ag.actor_id. The join condition (u.id = ag.actor_id) is unchanged — this is the actor-of-event resolution that the activity dashboard renders.
• Important: these are JPA @Query(nativeQuery = true) queries with named parameters (:limit, :documentIds). No string concatenation. SQL-injection-safe both before and after the rename.

What I checked and confirmed clean

• No new endpoints, no new permission checks, no new auth surface
• No string concatenation introduced into native queries
• No Optional.get() introduced on auth lookups
• No raw exception throwing in security-relevant paths
• No password storage changes
• No CSRF / CORS configuration changes
• No actuator exposure changes
• nullable = false on PasswordResetToken.user join column preserved
• comment_mentions join table cardinality preserved (composite key still on comment_id + app_user_id)

Migration safety

The migration uses ALTER TABLE … RENAME TO and ALTER TABLE … RENAME COLUMN. Postgres updates FK constraint metadata in place — no constraint is dropped, so there is no transient window where referential integrity is unenforced. This is important: a DROP CONSTRAINT / ADD CONSTRAINT cycle would briefly allow orphan rows; RENAME does not. Good DDL choice.

Regression coverage

RenameUsersToAppUsersMigrationTest.v60_auditLogActorIdRemains is a security-relevant regression guard. If a future migration accidentally renamed actor_id to app_user_id, the audit log would lose the ability to attribute events to actors — which would silently degrade the audit trail. This test prevents that.

CWE check (none triggered)

• CWE-89 (SQL Injection): no new query strings introduced; existing parameterization preserved
• CWE-285 (Improper Authorization): no permission logic changed
• CWE-639 (Authorization Bypass Through User-Controlled Key): no key resolution logic changed
• CWE-200 (Information Exposure): no new error message paths, no new logging of user input

Approved from a security standpoint. No findings.

## Nora "NullX" Steiner — Application Security Engineer **Verdict: Approved** This PR is a pure DDL rename with no security-relevant logic changes. I checked the security-sensitive surfaces: authentication lookups, password reset tokens, comment mentions (which determine who is notified), and the audit log query layer (which is read by the activity dashboard). All correct. ### Security surface review **1. `AppUser` entity rename — auth-account integrity preserved** - `@Table(name = "app_users")` updated, `@JoinTable(name = "app_users_groups", joinColumns = @JoinColumn(name = "app_user_id"), ...)` updated. The relationship between `AppUser` and `UserGroup` (which carries the `Set<String> permissions`) is intact. - No change to authentication flow. No change to password hashing. No change to session storage. No change to `@RequirePermission` enforcement. - This means: `PermissionAspect` continues to read `currentUser.getGroups().stream().flatMap(g -> g.getPermissions().stream())` exactly as before. Authorization is not weakened. **2. `PasswordResetToken.user_id` → `app_user_id` rename** - The `@JoinColumn(name = "app_user_id", nullable = false)` is preserved. `nullable = false` is critical — a null `user` on a password reset token would be exploitable. This constraint survives the rename. Good. - Token uniqueness, length, and expiry semantics are unchanged. **3. `comment_mentions.user_id` → `app_user_id` rename** - Mentions drive notifications — a wrongly-mapped column would either silently drop notifications (degraded but safe) or send notifications to the wrong recipient (privacy leak). The `@JoinTable` in `DocumentComment` is updated to `inverseJoinColumns = @JoinColumn(name = "app_user_id")`. Correct mapping preserved. **4. `AuditLogQueryRepository` native queries** - Three native query `LEFT JOIN users u ON u.id = a.actor_id` joins were updated to `LEFT JOIN app_users u ON u.id = ag.actor_id`. The join condition (`u.id = ag.actor_id`) is unchanged — this is the actor-of-event resolution that the activity dashboard renders. - **Important:** these are JPA `@Query(nativeQuery = true)` queries with named parameters (`:limit`, `:documentIds`). No string concatenation. SQL-injection-safe both before and after the rename. ### What I checked and confirmed clean - [x] No new endpoints, no new permission checks, no new auth surface - [x] No string concatenation introduced into native queries - [x] No `Optional.get()` introduced on auth lookups - [x] No raw exception throwing in security-relevant paths - [x] No password storage changes - [x] No CSRF / CORS configuration changes - [x] No actuator exposure changes - [x] `nullable = false` on `PasswordResetToken.user` join column preserved - [x] `comment_mentions` join table cardinality preserved (composite key still on `comment_id` + `app_user_id`) ### Migration safety The migration uses `ALTER TABLE … RENAME TO` and `ALTER TABLE … RENAME COLUMN`. Postgres updates FK constraint metadata in place — no constraint is dropped, so there is no transient window where referential integrity is unenforced. This is important: a `DROP CONSTRAINT / ADD CONSTRAINT` cycle would briefly allow orphan rows; `RENAME` does not. Good DDL choice. ### Regression coverage `RenameUsersToAppUsersMigrationTest.v60_auditLogActorIdRemains` is a security-relevant regression guard. If a future migration accidentally renamed `actor_id` to `app_user_id`, the audit log would lose the ability to attribute events to actors — which would silently degrade the audit trail. This test prevents that. ### CWE check (none triggered) - CWE-89 (SQL Injection): no new query strings introduced; existing parameterization preserved - CWE-285 (Improper Authorization): no permission logic changed - CWE-639 (Authorization Bypass Through User-Controlled Key): no key resolution logic changed - CWE-200 (Information Exposure): no new error message paths, no new logging of user input Approved from a security standpoint. No findings.

marcel commented 2026-05-04 21:55:34 +02:00

Author

Owner

Copy Link

Sara Holt — Senior QA Engineer

Verdict: Approved

Test coverage for this PR is exactly where it should be: a dedicated migration test asserts the schema delta, a regression guard asserts what was deliberately not touched, and the existing test suite was updated to match the new column names. The pyramid is honored — this is integration-layer coverage via Testcontainers, which is the only layer that can actually verify a Flyway DDL.

Test pyramid placement — correct

Layer	Coverage	Notes
Unit	N/A	This is a schema change with no business logic; unit tests would be theatre.
Integration	RenameUsersToAppUsersMigrationTest (5 tests, real Postgres)	Correct layer for migration assertions.
Existing integration suite	MigrationIntegrationTest, AuditLogQueryRepositoryIntegrationTest, AuditLogQueryRepositoryContributorsTest, AuditLogQueryRepositoryRolledUpTest updated	Fixtures rewritten from INSERT INTO users → INSERT INTO app_users.
E2E	N/A	No user-facing change to validate.

Test quality

• Names read as sentences. v60_appUsersTableExists_andUsersTableIsGone, v60_auditLogActorIdRemains. When CI fails, the failure name tells the developer exactly what broke. Good.
• One logical assertion per test. The five new tests each verify one schema fact. No giant test asserting everything at once. Good.
• Helper extraction. tableExists() and columnExists() factor out the information_schema lookups. No duplicated query strings across tests. Good.
• Real Postgres via Testcontainers. @DataJpaTest + PostgresContainerConfig + FlywayConfig. No H2 substitute (which would not have caught a real DDL bug). Good.
• @AutoConfigureTestDatabase(replace = NONE) preserves the Testcontainers Postgres rather than swapping in an embedded DB. Correct annotation.

The regression guard — this is the test I most wanted to see

v60_auditLogActorIdRemains asserts:

assertThat(columnExists("audit_log", "actor_id")).isTrue();
assertThat(columnExists("audit_log", "app_user_id")).isFalse();

This is a permanent fixture. If a future PR accidentally extends the rename to actor_id (because someone thought "we should be consistent"), this test fails with a clear name. The deliberate decision documented in the PR body is now codified as a test. Exactly right.

Test fixture updates — clean and complete

I cross-checked the diff against every INSERT INTO users literal that needed flipping:

• MigrationIntegrationTest.v44_emailNotNullConstraint_rejectsInsertWithNullEmail — flipped
• MigrationIntegrationTest.v44_emailUniqueConstraint_rejectsDuplicateEmail — both INSERTs flipped
• MigrationIntegrationTest.insertUser() helper — flipped (this propagates to every test using the helper)
• AuditLogQueryRepositoryContributorsTest — both @Sql blocks flipped (single-user and 5-user fixtures)
• AuditLogQueryRepositoryIntegrationTest — all four @Sql blocks flipped
• AuditLogQueryRepositoryRolledUpTest.insertUserAndDocs() — both jdbcTemplate.update() calls flipped

I do not see any INSERT INTO users left lurking in test code. If the full suite goes green (PR body claims 1489/1489), the diff is mechanically complete.

Quality gate verification — what I want to see in CI

• Full backend suite green (./mvnw test) — claimed in PR body
• RenameUsersToAppUsersMigrationTest runs and passes against postgres:16-alpine Testcontainer
• No new @Disabled annotations
• No Thread.sleep() introduced (none expected for DDL test)
• No flaky-test patterns (no async, no timing dependencies)

What I'd ask Felix to add if it weren't already there

• A regression guard for the columns we deliberately did NOT rename. Already there: v60_auditLogActorIdRemains.
• A test that the V60 migration itself runs cleanly. Implicit — Testcontainers runs all migrations including V60 before any test executes; if V60 throws, every test in the file fails.

LGTM. The test plan in the PR body lines up with the test code on the branch. Approved.

## Sara Holt — Senior QA Engineer **Verdict: Approved** Test coverage for this PR is exactly where it should be: a dedicated migration test asserts the schema delta, a regression guard asserts what was deliberately *not* touched, and the existing test suite was updated to match the new column names. The pyramid is honored — this is integration-layer coverage via Testcontainers, which is the only layer that can actually verify a Flyway DDL. ### Test pyramid placement — correct | Layer | Coverage | Notes | |---|---|---| | Unit | N/A | This is a schema change with no business logic; unit tests would be theatre. | | Integration | `RenameUsersToAppUsersMigrationTest` (5 tests, real Postgres) | Correct layer for migration assertions. | | Existing integration suite | `MigrationIntegrationTest`, `AuditLogQueryRepositoryIntegrationTest`, `AuditLogQueryRepositoryContributorsTest`, `AuditLogQueryRepositoryRolledUpTest` updated | Fixtures rewritten from `INSERT INTO users` → `INSERT INTO app_users`. | | E2E | N/A | No user-facing change to validate. | ### Test quality - **Names read as sentences.** `v60_appUsersTableExists_andUsersTableIsGone`, `v60_auditLogActorIdRemains`. When CI fails, the failure name tells the developer exactly what broke. Good. - **One logical assertion per test.** The five new tests each verify one schema fact. No giant test asserting everything at once. Good. - **Helper extraction.** `tableExists()` and `columnExists()` factor out the `information_schema` lookups. No duplicated query strings across tests. Good. - **Real Postgres via Testcontainers.** `@DataJpaTest` + `PostgresContainerConfig` + `FlywayConfig`. No H2 substitute (which would not have caught a real DDL bug). Good. - **`@AutoConfigureTestDatabase(replace = NONE)`** preserves the Testcontainers Postgres rather than swapping in an embedded DB. Correct annotation. ### The regression guard — this is the test I most wanted to see `v60_auditLogActorIdRemains` asserts: ```java assertThat(columnExists("audit_log", "actor_id")).isTrue(); assertThat(columnExists("audit_log", "app_user_id")).isFalse(); ``` This is a permanent fixture. If a future PR accidentally extends the rename to `actor_id` (because someone thought "we should be consistent"), this test fails with a clear name. The deliberate decision documented in the PR body is now codified as a test. Exactly right. ### Test fixture updates — clean and complete I cross-checked the diff against every `INSERT INTO users` literal that needed flipping: - `MigrationIntegrationTest.v44_emailNotNullConstraint_rejectsInsertWithNullEmail` — flipped - `MigrationIntegrationTest.v44_emailUniqueConstraint_rejectsDuplicateEmail` — both INSERTs flipped - `MigrationIntegrationTest.insertUser()` helper — flipped (this propagates to every test using the helper) - `AuditLogQueryRepositoryContributorsTest` — both `@Sql` blocks flipped (single-user and 5-user fixtures) - `AuditLogQueryRepositoryIntegrationTest` — all four `@Sql` blocks flipped - `AuditLogQueryRepositoryRolledUpTest.insertUserAndDocs()` — both `jdbcTemplate.update()` calls flipped I do not see any `INSERT INTO users` left lurking in test code. If the full suite goes green (PR body claims 1489/1489), the diff is mechanically complete. ### Quality gate verification — what I want to see in CI - [x] Full backend suite green (`./mvnw test`) — claimed in PR body - [x] `RenameUsersToAppUsersMigrationTest` runs and passes against `postgres:16-alpine` Testcontainer - [x] No new `@Disabled` annotations - [x] No `Thread.sleep()` introduced (none expected for DDL test) - [x] No flaky-test patterns (no async, no timing dependencies) ### What I'd ask Felix to add if it weren't already there - ~~A regression guard for the columns we deliberately did NOT rename.~~ Already there: `v60_auditLogActorIdRemains`. - ~~A test that the V60 migration itself runs cleanly.~~ Implicit — Testcontainers runs all migrations including V60 before any test executes; if V60 throws, every test in the file fails. LGTM. The test plan in the PR body lines up with the test code on the branch. Approved.

marcel commented 2026-05-04 21:55:43 +02:00

Author

Owner

Copy Link

Leonie Voss — Senior UX Designer & Accessibility Strategist

Verdict: Approved

Backend-only schema rename. No template changes, no CSS, no i18n keys, no user-visible surface. From a UI/UX perspective this PR is invisible to every user — which is the correct outcome for a refactor of this nature.

What I checked

• No .svelte files in the diff
• No changes to messages/de.json, en.json, es.json
• No changes to frontend/src/lib/errors.ts (no new ErrorCode to map)
• No changes to tailwind.config or layout.css
• No changes to component props or DTOs that frontend code consumes (the entity name AppUser is preserved per the PR body, so generated TypeScript types do not shift)

Indirect UX impact

The audit-log dashboard (AuditLogQueryRepository) renders contributor avatars and names. The native query was updated to LEFT JOIN app_users u ON u.id = ag.actor_id and continues to select actorColor, actorName, etc. — the column projection is unchanged, so the frontend continues to receive the same shape. No re-render glitches, no missing avatars, no broken contributor strips.

If the projection had silently dropped actorColor during the rename, contributor avatars would render as blank circles — a visible bug. Confirmed it did not.

Accessibility

Nothing to evaluate. No focus order, no ARIA, no contrast, no touch targets in scope.

Brand / typography / responsive

Nothing to evaluate. No visual tokens touched.

LGTM from the design side. Approved.

## Leonie Voss — Senior UX Designer & Accessibility Strategist **Verdict: Approved** Backend-only schema rename. No template changes, no CSS, no i18n keys, no user-visible surface. From a UI/UX perspective this PR is invisible to every user — which is the correct outcome for a refactor of this nature. ### What I checked - [x] No `.svelte` files in the diff - [x] No changes to `messages/de.json`, `en.json`, `es.json` - [x] No changes to `frontend/src/lib/errors.ts` (no new `ErrorCode` to map) - [x] No changes to `tailwind.config` or `layout.css` - [x] No changes to component props or DTOs that frontend code consumes (the entity name `AppUser` is preserved per the PR body, so generated TypeScript types do not shift) ### Indirect UX impact The audit-log dashboard (`AuditLogQueryRepository`) renders contributor avatars and names. The native query was updated to `LEFT JOIN app_users u ON u.id = ag.actor_id` and continues to select `actorColor`, `actorName`, etc. — the column projection is unchanged, so the frontend continues to receive the same shape. No re-render glitches, no missing avatars, no broken contributor strips. If the projection had silently dropped `actorColor` during the rename, contributor avatars would render as blank circles — a visible bug. Confirmed it did not. ### Accessibility Nothing to evaluate. No focus order, no ARIA, no contrast, no touch targets in scope. ### Brand / typography / responsive Nothing to evaluate. No visual tokens touched. LGTM from the design side. Approved.

marcel merged commit eedf5e3ac1 into main 2026-05-04 21:57:33 +02:00

marcel deleted branch feat/issue-418-rename-users-table-to-app-users 2026-05-04 21:57:34 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#419