Runbook
Last updated: 2026-05-19
DB Role Provisioning
The Rust backend requires two Postgres roles with specific RLS attributes. Run this once per environment after creating the Postgres database.
Dev (docker compose):
```bash
cd finstack-rs
bash scripts/provision_db.sh
# Uses POSTGRES_USER=finstack, default dev passwords
# Runs RLS leak-check at end — should return 0 leaked rows
```
Prod (Neon / Fly Postgres / RDS):
```bash
export DATABASE_ADMIN_URL="postgres://owner:pw@host/finstack"
export FINSTACK_APP_PASSWORD="$(openssl rand -base64 32 | tr -d /=+ | head -c 40)"
export FINSTACK_WORKER_PASSWORD="$(openssl rand -base64 32 | tr -d /=+ | head -c 40)"
cd finstack-rs
bash scripts/provision_db_prod.sh
# Store both passwords in Fly secrets / 1Password before the shell closes
# fly secrets set DATABASE_URL_APP=postgres://finstack_app:$FINSTACK_APP_PASSWORD@host/finstack
# fly secrets set DATABASE_URL_WORKER=postgres://finstack_worker:$FINSTACK_WORKER_PASSWORD@host/finstack
```
Role model:
| Role | BYPASSRLS | Used by |
|---|---|---|
| finstack_app | NO | API server — all queries RLS-scoped to app.tenant_id |
| finstack_worker | YES | Background worker — webhook sweep, analytics rollup, cross-tenant reads |
Note (Neon): Neon's free tier does not support BYPASSRLS. The finstack_worker role will be created, but the BYPASSRLS attribute will be silently stripped. The provisioning script's role-attribute check will print MISCONFIGURED. Upgrade to a paid Neon project, or use the `SET LOCAL row_security = off` workaround (requires a superuser role). See `crates/finstack-webhooks/src/service/sweep.rs` for the impact.
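To re-check the role model above at any time after provisioning, the following added example (not the project's provisioning script) compares `pg_roles` attributes against the table and flags a stripped or unexpected BYPASSRLS. The function names, the `MISSING` message and the superuser check are assumptions of this example; it expects `psql -At` rows on stdin.

```bash
# Query whose unaligned, tuples-only output (psql -At) is "rolname|rolbypassrls|rolsuper".
ROLE_ATTR_SQL="SELECT rolname, rolbypassrls, rolsuper FROM pg_roles
  WHERE rolname IN ('finstack_app','finstack_worker') ORDER BY rolname"

# Expected rolbypassrls per role, taken from the role model table (t = YES, f = NO).
expected_bypassrls() {
  case "$1" in
    finstack_app)    echo f ;;
    finstack_worker) echo t ;;
    *)               echo "" ;;
  esac
}

# Reads "rolname|rolbypassrls|rolsuper" rows on stdin.
# Prints one line per problem; returns 0 only if both roles match the model.
check_role_attrs() {
  local status=0 seen=" " name bypass super want
  while IFS='|' read -r name bypass super; do
    [ -n "$name" ] || continue
    want="$(expected_bypassrls "$name")"
    [ -n "$want" ] || continue          # ignore roles outside the model
    seen="$seen$name "
    if [ "$bypass" != "$want" ]; then
      echo "MISCONFIGURED $name: rolbypassrls=$bypass, expected $want"
      status=1
    fi
    # A superuser API role would ignore tenant scoping just like BYPASSRLS.
    if [ "$name" = finstack_app ] && [ "$super" = t ]; then
      echo "MISCONFIGURED $name: superuser bypasses RLS"
      status=1
    fi
  done
  for name in finstack_app finstack_worker; do
    case "$seen" in
      *" $name "*) ;;
      *) echo "MISSING $name"; status=1 ;;
    esac
  done
  return "$status"
}

# Against a live database (not executed here):
#   psql "$DATABASE_ADMIN_URL" -At -c "$ROLE_ATTR_SQL" | check_role_attrs
```

A non-zero exit with `MISCONFIGURED finstack_worker` is the Neon free-tier case described in the note; a `MISCONFIGURED finstack_app` line means the API server is no longer tenant-scoped.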
Common Operations
Deploy
```bash
galactic deploy --slug finstack
```
Tail Logs
```bash
galactic logs finstack
```
Query Database
```bash
galactic db query "SELECT ..." --slug finstack
```