Add hard safety checks to prevent accidental data loss

- Fail migration if DELETE count != 5 (exactly what we found)
- Fail migration if UPDATE count != 1 (exactly what we found)
- Remove percentage-based checks in favor of exact numbers
- Add detailed logging before and after operations

This ensures the migration will only proceed if it encounters
exactly the data issues we identified and tested for.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: tadasant

go.mod

@@ -32,6 +32,7 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect

go.sum

@@ -42,6 +42,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

internal/database/migrations/008_clean_invalid_data.sql

@@ -3,14 +3,19 @@
 
 BEGIN;
 
--- Log what we're about to clean up for audit purposes
+-- Safety check: Count exactly what we'll be modifying
 DO $$
 DECLARE
     invalid_name_count INTEGER;
     empty_version_count INTEGER;
     invalid_status_count INTEGER;
     duplicate_count INTEGER;
+    total_to_delete INTEGER;
+    total_servers INTEGER;
 BEGIN
+    -- Get total server count
+    SELECT COUNT(*) INTO total_servers FROM servers;
+
     -- Count servers with invalid name format
     SELECT COUNT(*) INTO invalid_name_count
     FROM servers
@@ -37,19 +42,38 @@ BEGIN
         HAVING COUNT(*) > 1
     ) dups;
 
-    -- Log the cleanup operations
-    IF invalid_name_count > 0 OR empty_version_count > 0 THEN
-        RAISE NOTICE 'Deleting % servers with invalid names and % servers with empty versions',
-            invalid_name_count, empty_version_count;
+    -- Calculate total deletions (some servers might have both invalid name AND empty version)
+    SELECT COUNT(*) INTO total_to_delete
+    FROM servers
+    WHERE value->>'name' NOT SIMILAR TO '[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9]/[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]'
+       OR value->>'version' IS NULL
+       OR value->>'version' = '';
+
+    -- Log the cleanup operations with safety check
+    RAISE NOTICE 'Migration 008 Data Cleanup Plan:';
+    RAISE NOTICE '  Total servers in database: %', total_servers;
+
+    IF total_servers > 0 THEN
+        RAISE NOTICE '  Servers to DELETE: % (%.2f%%)', total_to_delete, (total_to_delete::float / total_servers * 100);
+    ELSE
+        RAISE NOTICE '  Servers to DELETE: %', total_to_delete;
     END IF;
 
-    IF invalid_status_count > 0 THEN
-        RAISE NOTICE 'Fixing % servers with invalid status values (changing to ''active'')',
-            invalid_status_count;
+    RAISE NOTICE '    - Invalid names: %', invalid_name_count;
+    RAISE NOTICE '    - Empty versions: %', empty_version_count;
+    RAISE NOTICE '  Servers to UPDATE (fix status): %', invalid_status_count;
+    RAISE NOTICE '  Duplicate name+version pairs: %', duplicate_count;
+
+    -- SAFETY CHECK: Fail if numbers don't match what we found in production
+    -- Based on comprehensive analysis of production data (2025-09-30), we expect:
+    -- - 5 servers to delete (1 invalid name + 4 empty versions)
+    -- - 1 server status to update
+    IF total_to_delete != 5 THEN
+        RAISE EXCEPTION 'Safety check failed: Expected to delete exactly 5 servers but would delete %. Aborting to prevent data loss.', total_to_delete;
     END IF;
 
-    IF duplicate_count > 0 THEN
-        RAISE NOTICE 'Found % duplicate name+version combinations to clean up', duplicate_count;
+    IF invalid_status_count != 1 THEN
+        RAISE EXCEPTION 'Safety check failed: Expected to update exactly 1 server status but would update %. Aborting to prevent data corruption.', invalid_status_count;
     END IF;
 END $$;
 
@@ -78,13 +102,43 @@ WHERE EXISTS (
     AND s2.version_id > s1.version_id
 );
 
--- Log completion
+-- Verify the operations completed as expected
 DO $$
 DECLARE
     remaining_count INTEGER;
+    actual_deleted INTEGER;
+    actual_updated INTEGER;
+    still_invalid_names INTEGER;
+    still_empty_versions INTEGER;
+    still_invalid_status INTEGER;
 BEGIN
     SELECT COUNT(*) INTO remaining_count FROM servers;
-    RAISE NOTICE 'Data cleanup complete. % servers remaining in database.', remaining_count;
+
+    -- Check if any invalid data remains
+    SELECT COUNT(*) INTO still_invalid_names
+    FROM servers
+    WHERE value->>'name' NOT SIMILAR TO '[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9]/[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]';
+
+    SELECT COUNT(*) INTO still_empty_versions
+    FROM servers
+    WHERE value->>'version' IS NULL OR value->>'version' = '';
+
+    SELECT COUNT(*) INTO still_invalid_status
+    FROM servers
+    WHERE value->>'status' IS NOT NULL
+      AND value->>'status' != ''
+      AND value->>'status' NOT IN ('active', 'deprecated', 'deleted');
+
+    RAISE NOTICE 'Data cleanup complete:';
+    RAISE NOTICE '  Servers remaining: %', remaining_count;
+    RAISE NOTICE '  Invalid names remaining: %', still_invalid_names;
+    RAISE NOTICE '  Empty versions remaining: %', still_empty_versions;
+    RAISE NOTICE '  Invalid status remaining: %', still_invalid_status;
+
+    -- Final safety check: Ensure we cleaned everything we intended to
+    IF still_invalid_names > 0 OR still_empty_versions > 0 OR still_invalid_status > 0 THEN
+        RAISE EXCEPTION 'Cleanup incomplete! Invalid data still remains. Aborting.';
+    END IF;
 END $$;
 
 COMMIT;