fix(db): always run migrations on boot; drop AUTO_MIGRATE gate

brunobuddy · brunobuddy · commit 8df6e3deffb0 · 2026-04-13T11:09:26.000-07:00
Removes the AUTO_MIGRATE / NODE_ENV gate on TypeORM migrationsRun and makes migrations run unconditionally on every boot. The gate was a relic of when the same config served dev / test / prod with different needs; with synchronize permanently false, committed migrations are the only path for schema changes and there's no production scenario where booting with pending migrations is correct. 5.45.1 shipped this gate without honoring AUTO_MIGRATE, so fresh production installs only got Better Auth's 4 tables — the dashboard 500'd on missing user_providers / notification_rules. The fix landed in fc7890f and is in 5.46.0+, but pinning behavior to an env var that compose must set is a footgun: a future env-var typo would silently re-introduce the bug. Promoting the default removes the class of mistake. Compose and the docker run examples drop the AUTO_MIGRATE=true line since it's now redundant. The autoMigrate config field and its three spec tests are removed — nothing in production code reads them. Companion to the Phase 3 hardening pass (#1551 / #1557).
diff --git a/docker/DOCKER_README.md b/docker/DOCKER_README.md
@@ -130,7 +130,6 @@ docker run -d \
   -e DATABASE_URL=postgresql://user:pass@host:5432/manifest \
   -e BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
   -e BETTER_AUTH_URL=http://localhost:3001 \
-  -e AUTO_MIGRATE=true \
   manifestdotbuild/manifest
 ```
 
@@ -147,7 +146,6 @@ docker run -d `
   -e DATABASE_URL=postgresql://user:pass@host:5432/manifest `
   -e BETTER_AUTH_SECRET=$secret `
   -e BETTER_AUTH_URL=http://localhost:3001 `
-  -e AUTO_MIGRATE=true `
   manifestdotbuild/manifest
 ```
 
@@ -164,13 +162,12 @@ docker run -d ^
   -e DATABASE_URL=postgresql://user:pass@host:5432/manifest ^
   -e BETTER_AUTH_SECRET=<your-64-char-secret> ^
   -e BETTER_AUTH_URL=http://localhost:3001 ^
-  -e AUTO_MIGRATE=true ^
   manifestdotbuild/manifest
 ```
 
 </details>
 
-`AUTO_MIGRATE=true` runs TypeORM migrations on first boot. Then visit [http://localhost:3001](http://localhost:3001) and complete the setup wizard to create your admin account.
+TypeORM migrations run automatically on every boot — fresh installs come up with the schema in place. Then visit [http://localhost:3001](http://localhost:3001) and complete the setup wizard to create your admin account.
 
 ### Verifying the image signature
 
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -32,7 +32,6 @@ services:
       - BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:3001}
       - SEED_DATA=false
       - NODE_ENV=production
-      - AUTO_MIGRATE=true
       # Email provider (optional). Covers both login/verification emails
       # and threshold alert notifications. Set one provider block — see
       # DOCKER_README.md "Email setup". Supports resend, mailgun, sendgrid.
diff --git a/packages/backend/.env.example b/packages/backend/.env.example
@@ -12,7 +12,6 @@ BETTER_AUTH_URL=http://localhost:3001
 # FRONTEND_PORT=             # Extra trusted origin port for Better Auth
 
 # ── Database ─────────────────────────────────────────
-# AUTO_MIGRATE=true          # Run TypeORM migrations on startup (dev/test auto-run; set true for self-hosted prod first boot)
 # DB_POOL_MAX=20             # PostgreSQL connection pool size (default: 20)
 
 # ── Rate Limiting ────────────────────────────────────
diff --git a/packages/backend/src/config/app.config.spec.ts b/packages/backend/src/config/app.config.spec.ts
@@ -86,24 +86,6 @@ describe('appConfig', () => {
     expect(config.databaseUrl).toContain('postgresql://');
   });
 
-  it('defaults autoMigrate to false', async () => {
-    delete process.env['AUTO_MIGRATE'];
-    const config = await loadConfig();
-    expect(config.autoMigrate).toBe(false);
-  });
-
-  it('reads AUTO_MIGRATE=true from env', async () => {
-    process.env['AUTO_MIGRATE'] = 'true';
-    const config = await loadConfig();
-    expect(config.autoMigrate).toBe(true);
-  });
-
-  it('ignores non-true AUTO_MIGRATE values', async () => {
-    process.env['AUTO_MIGRATE'] = '1';
-    const config = await loadConfig();
-    expect(config.autoMigrate).toBe(false);
-  });
-
   it('reads EMAIL_PROVIDER from env', async () => {
     process.env['EMAIL_PROVIDER'] = 'resend';
     const config = await loadConfig();
diff --git a/packages/backend/src/config/app.config.ts b/packages/backend/src/config/app.config.ts
@@ -12,7 +12,6 @@ export const appConfig = registerAs('app', () => ({
   port: Number(process.env['PORT'] ?? 3001),
   nodeEnv: process.env['NODE_ENV'] ?? 'development',
   databaseUrl: resolveDatabaseUrl(),
-  autoMigrate: process.env['AUTO_MIGRATE'] === 'true',
 
   corsOrigin: process.env['CORS_ORIGIN'] ?? 'http://localhost:3000',
   betterAuthUrl: process.env['BETTER_AUTH_URL'] ?? '',
diff --git a/packages/backend/src/database/database.module.ts b/packages/backend/src/database/database.module.ts
@@ -149,9 +149,13 @@ const migrations = [
         url: config.get<string>('app.databaseUrl'),
         entities,
         synchronize: false,
-        migrationsRun:
-          process.env['AUTO_MIGRATE'] === 'true' ||
-          ['development', 'test'].includes(config.get<string>('app.nodeEnv') ?? ''),
+        // Run migrations on every boot. `synchronize: false` is permanent, so
+        // committed migrations are the only source of schema changes — there's
+        // no scenario where production should boot with pending migrations
+        // unapplied (the dashboard 500s on missing tables). Previously this
+        // was gated on AUTO_MIGRATE=true / NODE_ENV, which broke fresh
+        // production installs whose env didn't set the var (see #1551 / 5.45.1).
+        migrationsRun: true,
         migrationsTransactionMode: 'all' as const,
         migrations,
         logging: false,
