Phase 1: config loading, database migrations, audit log

- internal/config: TOML config with env overrides (MCR_ prefix),
  required field validation, same-filesystem check, defaults
- internal/db: SQLite via modernc.org/sqlite, WAL mode, 2 migrations
  (core registry tables + policy/audit), foreign key cascades
- internal/db: audit log write/list with filtering and pagination
- deploy/examples/mcr.toml: annotated example configuration
- .golangci.yaml: disable fieldalignment (readability over micro-opt)
- checkpoint skill copied from mcias

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/db/audit.go

@@ -0,0 +1,147 @@
+package db
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+// AuditEvent represents a row in the audit_log table.
+type AuditEvent struct {
+	ID         int64             `json:"id"`
+	EventTime  string            `json:"event_time"`
+	EventType  string            `json:"event_type"`
+	ActorID    string            `json:"actor_id,omitempty"`
+	Repository string            `json:"repository,omitempty"`
+	Digest     string            `json:"digest,omitempty"`
+	IPAddress  string            `json:"ip_address,omitempty"`
+	Details    map[string]string `json:"details,omitempty"`
+}
+
+// WriteAuditEvent inserts a new audit log entry.
+func (d *DB) WriteAuditEvent(eventType, actorID, repository, digest, ip string, details map[string]string) error {
+	var detailsJSON *string
+	if len(details) > 0 {
+		b, err := json.Marshal(details)
+		if err != nil {
+			return fmt.Errorf("db: marshal audit details: %w", err)
+		}
+		s := string(b)
+		detailsJSON = &s
+	}
+
+	_, err := d.Exec(
+		`INSERT INTO audit_log (event_type, actor_id, repository, digest, ip_address, details)
+		 VALUES (?, ?, ?, ?, ?, ?)`,
+		eventType,
+		nullIfEmpty(actorID),
+		nullIfEmpty(repository),
+		nullIfEmpty(digest),
+		nullIfEmpty(ip),
+		detailsJSON,
+	)
+	if err != nil {
+		return fmt.Errorf("db: write audit event: %w", err)
+	}
+	return nil
+}
+
+// AuditFilter specifies criteria for listing audit events.
+type AuditFilter struct {
+	EventType  string
+	ActorID    string
+	Repository string
+	Since      string // RFC 3339
+	Until      string // RFC 3339
+	Limit      int
+	Offset     int
+}
+
+// ListAuditEvents returns audit events matching the filter, ordered by
+// event_time descending (most recent first).
+func (d *DB) ListAuditEvents(f AuditFilter) ([]AuditEvent, error) {
+	var clauses []string
+	var args []any
+
+	if f.EventType != "" {
+		clauses = append(clauses, "event_type = ?")
+		args = append(args, f.EventType)
+	}
+	if f.ActorID != "" {
+		clauses = append(clauses, "actor_id = ?")
+		args = append(args, f.ActorID)
+	}
+	if f.Repository != "" {
+		clauses = append(clauses, "repository = ?")
+		args = append(args, f.Repository)
+	}
+	if f.Since != "" {
+		clauses = append(clauses, "event_time >= ?")
+		args = append(args, f.Since)
+	}
+	if f.Until != "" {
+		clauses = append(clauses, "event_time <= ?")
+		args = append(args, f.Until)
+	}
+
+	query := "SELECT id, event_time, event_type, actor_id, repository, digest, ip_address, details FROM audit_log"
+	if len(clauses) > 0 {
+		query += " WHERE " + strings.Join(clauses, " AND ")
+	}
+	query += " ORDER BY event_time DESC"
+
+	limit := f.Limit
+	if limit <= 0 {
+		limit = 50
+	}
+	query += fmt.Sprintf(" LIMIT %d", limit)
+
+	if f.Offset > 0 {
+		query += fmt.Sprintf(" OFFSET %d", f.Offset)
+	}
+
+	rows, err := d.Query(query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("db: list audit events: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	var events []AuditEvent
+	for rows.Next() {
+		var e AuditEvent
+		var actorID, repository, digest, ip, detailsStr *string
+		if err := rows.Scan(&e.ID, &e.EventTime, &e.EventType, &actorID, &repository, &digest, &ip, &detailsStr); err != nil {
+			return nil, fmt.Errorf("db: scan audit event: %w", err)
+		}
+		if actorID != nil {
+			e.ActorID = *actorID
+		}
+		if repository != nil {
+			e.Repository = *repository
+		}
+		if digest != nil {
+			e.Digest = *digest
+		}
+		if ip != nil {
+			e.IPAddress = *ip
+		}
+		if detailsStr != nil {
+			if err := json.Unmarshal([]byte(*detailsStr), &e.Details); err != nil {
+				return nil, fmt.Errorf("db: unmarshal audit details: %w", err)
+			}
+		}
+		events = append(events, e)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("db: iterate audit events: %w", err)
+	}
+
+	return events, nil
+}
+
+func nullIfEmpty(s string) *string {
+	if s == "" {
+		return nil
+	}
+	return &s
+}

internal/db/audit_test.go

@@ -0,0 +1,174 @@
+package db
+
+import (
+	"testing"
+)
+
+func migratedTestDB(t *testing.T) *DB {
+	t.Helper()
+	d := openTestDB(t)
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+	return d
+}
+
+func TestWriteAndListAuditEvents(t *testing.T) {
+	d := migratedTestDB(t)
+
+	err := d.WriteAuditEvent("login_ok", "user-uuid-1", "", "", "10.0.0.1", nil)
+	if err != nil {
+		t.Fatalf("WriteAuditEvent: %v", err)
+	}
+
+	err = d.WriteAuditEvent("manifest_pushed", "user-uuid-1", "myapp", "sha256:abc", "10.0.0.1",
+		map[string]string{"tag": "latest"})
+	if err != nil {
+		t.Fatalf("WriteAuditEvent: %v", err)
+	}
+
+	events, err := d.ListAuditEvents(AuditFilter{})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(events) != 2 {
+		t.Fatalf("event count: got %d, want 2", len(events))
+	}
+
+	// Most recent first.
+	if events[0].EventType != "manifest_pushed" {
+		t.Fatalf("first event type: got %q, want %q", events[0].EventType, "manifest_pushed")
+	}
+	if events[0].Repository != "myapp" {
+		t.Fatalf("repository: got %q, want %q", events[0].Repository, "myapp")
+	}
+	if events[0].Digest != "sha256:abc" {
+		t.Fatalf("digest: got %q, want %q", events[0].Digest, "sha256:abc")
+	}
+	if events[0].Details["tag"] != "latest" {
+		t.Fatalf("details.tag: got %q, want %q", events[0].Details["tag"], "latest")
+	}
+}
+
+func TestListAuditEventsFilterByType(t *testing.T) {
+	d := migratedTestDB(t)
+
+	_ = d.WriteAuditEvent("login_ok", "u1", "", "", "", nil)
+	_ = d.WriteAuditEvent("manifest_pushed", "u1", "repo", "", "", nil)
+	_ = d.WriteAuditEvent("login_ok", "u2", "", "", "", nil)
+
+	events, err := d.ListAuditEvents(AuditFilter{EventType: "login_ok"})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(events) != 2 {
+		t.Fatalf("event count: got %d, want 2", len(events))
+	}
+	for _, e := range events {
+		if e.EventType != "login_ok" {
+			t.Fatalf("unexpected event type: %q", e.EventType)
+		}
+	}
+}
+
+func TestListAuditEventsFilterByActor(t *testing.T) {
+	d := migratedTestDB(t)
+
+	_ = d.WriteAuditEvent("login_ok", "actor-a", "", "", "", nil)
+	_ = d.WriteAuditEvent("login_ok", "actor-b", "", "", "", nil)
+
+	events, err := d.ListAuditEvents(AuditFilter{ActorID: "actor-a"})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(events) != 1 {
+		t.Fatalf("event count: got %d, want 1", len(events))
+	}
+	if events[0].ActorID != "actor-a" {
+		t.Fatalf("actor_id: got %q, want %q", events[0].ActorID, "actor-a")
+	}
+}
+
+func TestListAuditEventsFilterByRepository(t *testing.T) {
+	d := migratedTestDB(t)
+
+	_ = d.WriteAuditEvent("manifest_pushed", "u1", "repo-a", "", "", nil)
+	_ = d.WriteAuditEvent("manifest_pushed", "u1", "repo-b", "", "", nil)
+
+	events, err := d.ListAuditEvents(AuditFilter{Repository: "repo-a"})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(events) != 1 {
+		t.Fatalf("event count: got %d, want 1", len(events))
+	}
+}
+
+func TestListAuditEventsPagination(t *testing.T) {
+	d := migratedTestDB(t)
+
+	for i := range 5 {
+		_ = d.WriteAuditEvent("login_ok", "u1", "", "", "", map[string]string{"i": string(rune('0' + i))})
+	}
+
+	// First page.
+	page1, err := d.ListAuditEvents(AuditFilter{Limit: 2, Offset: 0})
+	if err != nil {
+		t.Fatalf("ListAuditEvents page 1: %v", err)
+	}
+	if len(page1) != 2 {
+		t.Fatalf("page 1 count: got %d, want 2", len(page1))
+	}
+
+	// Second page.
+	page2, err := d.ListAuditEvents(AuditFilter{Limit: 2, Offset: 2})
+	if err != nil {
+		t.Fatalf("ListAuditEvents page 2: %v", err)
+	}
+	if len(page2) != 2 {
+		t.Fatalf("page 2 count: got %d, want 2", len(page2))
+	}
+
+	// Pages should not overlap.
+	if page1[0].ID == page2[0].ID {
+		t.Fatal("page 1 and page 2 overlap")
+	}
+
+	// Third page (partial).
+	page3, err := d.ListAuditEvents(AuditFilter{Limit: 2, Offset: 4})
+	if err != nil {
+		t.Fatalf("ListAuditEvents page 3: %v", err)
+	}
+	if len(page3) != 1 {
+		t.Fatalf("page 3 count: got %d, want 1", len(page3))
+	}
+}
+
+func TestListAuditEventsNullFields(t *testing.T) {
+	d := migratedTestDB(t)
+
+	// Write event with all optional fields empty.
+	err := d.WriteAuditEvent("gc_started", "", "", "", "", nil)
+	if err != nil {
+		t.Fatalf("WriteAuditEvent: %v", err)
+	}
+
+	events, err := d.ListAuditEvents(AuditFilter{})
+	if err != nil {
+		t.Fatalf("ListAuditEvents: %v", err)
+	}
+	if len(events) != 1 {
+		t.Fatalf("event count: got %d, want 1", len(events))
+	}
+
+	e := events[0]
+	if e.ActorID != "" {
+		t.Fatalf("actor_id: got %q, want empty", e.ActorID)
+	}
+	if e.Repository != "" {
+		t.Fatalf("repository: got %q, want empty", e.Repository)
+	}
+	if e.Details != nil {
+		t.Fatalf("details: got %v, want nil", e.Details)
+	}
+}

internal/db/db.go

@@ -0,0 +1,49 @@
+package db
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	_ "modernc.org/sqlite"
+)
+
+// DB wraps a SQLite database connection.
+type DB struct {
+	*sql.DB
+}
+
+// Open opens (or creates) a SQLite database at the given path with the
+// standard Metacircular pragmas: WAL mode, foreign keys, busy timeout.
+func Open(path string) (*DB, error) {
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return nil, fmt.Errorf("db: create directory %s: %w", dir, err)
+	}
+
+	sqlDB, err := sql.Open("sqlite", path)
+	if err != nil {
+		return nil, fmt.Errorf("db: open %s: %w", path, err)
+	}
+
+	pragmas := []string{
+		"PRAGMA journal_mode = WAL",
+		"PRAGMA foreign_keys = ON",
+		"PRAGMA busy_timeout = 5000",
+	}
+	for _, p := range pragmas {
+		if _, err := sqlDB.Exec(p); err != nil {
+			_ = sqlDB.Close()
+			return nil, fmt.Errorf("db: %s: %w", p, err)
+		}
+	}
+
+	// Set file permissions to 0600 (owner read/write only).
+	if err := os.Chmod(path, 0600); err != nil {
+		_ = sqlDB.Close()
+		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
+	}
+
+	return &DB{sqlDB}, nil
+}

internal/db/db_test.go

@@ -0,0 +1,197 @@
+package db
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func openTestDB(t *testing.T) *DB {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "test.db")
+	d, err := Open(path)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	t.Cleanup(func() { _ = d.Close() })
+	return d
+}
+
+func TestOpenAndMigrate(t *testing.T) {
+	d := openTestDB(t)
+
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	// Verify schema version.
+	ver, err := d.SchemaVersion()
+	if err != nil {
+		t.Fatalf("SchemaVersion: %v", err)
+	}
+	if ver != 2 {
+		t.Fatalf("schema version: got %d, want 2", ver)
+	}
+}
+
+func TestMigrateIdempotent(t *testing.T) {
+	d := openTestDB(t)
+
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate (first): %v", err)
+	}
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate (second): %v", err)
+	}
+
+	ver, err := d.SchemaVersion()
+	if err != nil {
+		t.Fatalf("SchemaVersion: %v", err)
+	}
+	if ver != 2 {
+		t.Fatalf("schema version: got %d, want 2", ver)
+	}
+}
+
+func TestTablesExist(t *testing.T) {
+	d := openTestDB(t)
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	tables := []string{
+		"schema_migrations",
+		"repositories",
+		"manifests",
+		"tags",
+		"blobs",
+		"manifest_blobs",
+		"uploads",
+		"policy_rules",
+		"audit_log",
+	}
+
+	for _, table := range tables {
+		var name string
+		err := d.QueryRow(
+			`SELECT name FROM sqlite_master WHERE type='table' AND name=?`, table,
+		).Scan(&name)
+		if err != nil {
+			t.Fatalf("table %q not found: %v", table, err)
+		}
+	}
+}
+
+func TestForeignKeyEnforcement(t *testing.T) {
+	d := openTestDB(t)
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	// Inserting a manifest with a nonexistent repository_id should fail.
+	_, err := d.Exec(`INSERT INTO manifests (repository_id, digest, media_type, content, size)
+		VALUES (9999, 'sha256:abc', 'application/json', '{}', 2)`)
+	if err == nil {
+		t.Fatal("expected foreign key violation, got nil")
+	}
+}
+
+func TestTagCascadeOnManifestDelete(t *testing.T) {
+	d := openTestDB(t)
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	// Create a repository, manifest, and tag.
+	_, err := d.Exec(`INSERT INTO repositories (name) VALUES ('testrepo')`)
+	if err != nil {
+		t.Fatalf("insert repo: %v", err)
+	}
+
+	_, err = d.Exec(`INSERT INTO manifests (repository_id, digest, media_type, content, size)
+		VALUES (1, 'sha256:abc123', 'application/vnd.oci.image.manifest.v1+json', '{}', 2)`)
+	if err != nil {
+		t.Fatalf("insert manifest: %v", err)
+	}
+
+	_, err = d.Exec(`INSERT INTO tags (repository_id, name, manifest_id) VALUES (1, 'latest', 1)`)
+	if err != nil {
+		t.Fatalf("insert tag: %v", err)
+	}
+
+	// Delete the manifest — tag should cascade.
+	_, err = d.Exec(`DELETE FROM manifests WHERE id = 1`)
+	if err != nil {
+		t.Fatalf("delete manifest: %v", err)
+	}
+
+	var count int
+	if err := d.QueryRow(`SELECT COUNT(*) FROM tags`).Scan(&count); err != nil {
+		t.Fatalf("count tags: %v", err)
+	}
+	if count != 0 {
+		t.Fatalf("tags after manifest delete: got %d, want 0", count)
+	}
+}
+
+func TestManifestBlobsCascadeOnManifestDelete(t *testing.T) {
+	d := openTestDB(t)
+	if err := d.Migrate(); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	_, err := d.Exec(`INSERT INTO repositories (name) VALUES ('testrepo')`)
+	if err != nil {
+		t.Fatalf("insert repo: %v", err)
+	}
+
+	_, err = d.Exec(`INSERT INTO manifests (repository_id, digest, media_type, content, size)
+		VALUES (1, 'sha256:abc123', 'application/vnd.oci.image.manifest.v1+json', '{}', 2)`)
+	if err != nil {
+		t.Fatalf("insert manifest: %v", err)
+	}
+
+	_, err = d.Exec(`INSERT INTO blobs (digest, size) VALUES ('sha256:layer1', 1024)`)
+	if err != nil {
+		t.Fatalf("insert blob: %v", err)
+	}
+
+	_, err = d.Exec(`INSERT INTO manifest_blobs (manifest_id, blob_id) VALUES (1, 1)`)
+	if err != nil {
+		t.Fatalf("insert manifest_blobs: %v", err)
+	}
+
+	// Delete manifest — manifest_blobs should cascade, blob should remain.
+	_, err = d.Exec(`DELETE FROM manifests WHERE id = 1`)
+	if err != nil {
+		t.Fatalf("delete manifest: %v", err)
+	}
+
+	var mbCount int
+	if err := d.QueryRow(`SELECT COUNT(*) FROM manifest_blobs`).Scan(&mbCount); err != nil {
+		t.Fatalf("count manifest_blobs: %v", err)
+	}
+	if mbCount != 0 {
+		t.Fatalf("manifest_blobs after delete: got %d, want 0", mbCount)
+	}
+
+	// Blob row should still exist (GC handles file cleanup).
+	var blobCount int
+	if err := d.QueryRow(`SELECT COUNT(*) FROM blobs`).Scan(&blobCount); err != nil {
+		t.Fatalf("count blobs: %v", err)
+	}
+	if blobCount != 1 {
+		t.Fatalf("blobs after manifest delete: got %d, want 1", blobCount)
+	}
+}
+
+func TestWALMode(t *testing.T) {
+	d := openTestDB(t)
+
+	var mode string
+	if err := d.QueryRow(`PRAGMA journal_mode`).Scan(&mode); err != nil {
+		t.Fatalf("PRAGMA journal_mode: %v", err)
+	}
+	if mode != "wal" {
+		t.Fatalf("journal_mode: got %q, want %q", mode, "wal")
+	}
+}

internal/db/migrate.go

@@ -0,0 +1,174 @@
+package db
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+// migration is a numbered schema change.
+type migration struct {
+	version int
+	name    string
+	sql     string
+}
+
+// migrations is the ordered list of schema migrations.
+var migrations = []migration{
+	{
+		version: 1,
+		name:    "core registry tables",
+		sql: `
+CREATE TABLE IF NOT EXISTS repositories (
+    id         INTEGER PRIMARY KEY,
+    name       TEXT    NOT NULL UNIQUE,
+    created_at TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS manifests (
+    id            INTEGER PRIMARY KEY,
+    repository_id INTEGER NOT NULL REFERENCES repositories(id) ON DELETE CASCADE,
+    digest        TEXT    NOT NULL,
+    media_type    TEXT    NOT NULL,
+    content       BLOB   NOT NULL,
+    size          INTEGER NOT NULL,
+    created_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    UNIQUE(repository_id, digest)
+);
+
+CREATE INDEX IF NOT EXISTS idx_manifests_repo   ON manifests (repository_id);
+CREATE INDEX IF NOT EXISTS idx_manifests_digest ON manifests (digest);
+
+CREATE TABLE IF NOT EXISTS tags (
+    id            INTEGER PRIMARY KEY,
+    repository_id INTEGER NOT NULL REFERENCES repositories(id) ON DELETE CASCADE,
+    name          TEXT    NOT NULL,
+    manifest_id   INTEGER NOT NULL REFERENCES manifests(id) ON DELETE CASCADE,
+    updated_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    UNIQUE(repository_id, name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_tags_repo     ON tags (repository_id);
+CREATE INDEX IF NOT EXISTS idx_tags_manifest ON tags (manifest_id);
+
+CREATE TABLE IF NOT EXISTS blobs (
+    id         INTEGER PRIMARY KEY,
+    digest     TEXT    NOT NULL UNIQUE,
+    size       INTEGER NOT NULL,
+    created_at TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS manifest_blobs (
+    manifest_id INTEGER NOT NULL REFERENCES manifests(id) ON DELETE CASCADE,
+    blob_id     INTEGER NOT NULL REFERENCES blobs(id),
+    PRIMARY KEY (manifest_id, blob_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_manifest_blobs_blob ON manifest_blobs (blob_id);
+
+CREATE TABLE IF NOT EXISTS uploads (
+    id            INTEGER PRIMARY KEY,
+    uuid          TEXT    NOT NULL UNIQUE,
+    repository_id INTEGER NOT NULL REFERENCES repositories(id) ON DELETE CASCADE,
+    byte_offset   INTEGER NOT NULL DEFAULT 0,
+    created_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+`,
+	},
+	{
+		version: 2,
+		name:    "policy and audit tables",
+		sql: `
+CREATE TABLE IF NOT EXISTS policy_rules (
+    id          INTEGER PRIMARY KEY,
+    priority    INTEGER NOT NULL DEFAULT 100,
+    description TEXT    NOT NULL,
+    rule_json   TEXT    NOT NULL,
+    enabled     INTEGER NOT NULL DEFAULT 1 CHECK (enabled IN (0,1)),
+    created_by  TEXT,
+    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+);
+
+CREATE TABLE IF NOT EXISTS audit_log (
+    id          INTEGER PRIMARY KEY,
+    event_time  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+    event_type  TEXT    NOT NULL,
+    actor_id    TEXT,
+    repository  TEXT,
+    digest      TEXT,
+    ip_address  TEXT,
+    details     TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_time  ON audit_log (event_time);
+CREATE INDEX IF NOT EXISTS idx_audit_actor ON audit_log (actor_id);
+CREATE INDEX IF NOT EXISTS idx_audit_event ON audit_log (event_type);
+`,
+	},
+}
+
+// Migrate applies all pending migrations. It creates the schema_migrations
+// tracking table if it does not exist. Migrations are idempotent.
+func (d *DB) Migrate() error {
+	_, err := d.Exec(`CREATE TABLE IF NOT EXISTS schema_migrations (
+		version    INTEGER PRIMARY KEY,
+		applied_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+	)`)
+	if err != nil {
+		return fmt.Errorf("db: create schema_migrations: %w", err)
+	}
+
+	for _, m := range migrations {
+		applied, err := d.migrationApplied(m.version)
+		if err != nil {
+			return err
+		}
+		if applied {
+			continue
+		}
+
+		tx, err := d.Begin()
+		if err != nil {
+			return fmt.Errorf("db: begin migration %d (%s): %w", m.version, m.name, err)
+		}
+
+		if _, err := tx.Exec(m.sql); err != nil {
+			_ = tx.Rollback()
+			return fmt.Errorf("db: migration %d (%s): %w", m.version, m.name, err)
+		}
+
+		if _, err := tx.Exec(`INSERT INTO schema_migrations (version) VALUES (?)`, m.version); err != nil {
+			_ = tx.Rollback()
+			return fmt.Errorf("db: record migration %d: %w", m.version, err)
+		}
+
+		if err := tx.Commit(); err != nil {
+			return fmt.Errorf("db: commit migration %d: %w", m.version, err)
+		}
+	}
+
+	return nil
+}
+
+func (d *DB) migrationApplied(version int) (bool, error) {
+	var count int
+	err := d.QueryRow(`SELECT COUNT(*) FROM schema_migrations WHERE version = ?`, version).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf("db: check migration %d: %w", version, err)
+	}
+	return count > 0, nil
+}
+
+// SchemaVersion returns the highest applied migration version, or 0 if
+// no migrations have been applied.
+func (d *DB) SchemaVersion() (int, error) {
+	var version sql.NullInt64
+	err := d.QueryRow(`SELECT MAX(version) FROM schema_migrations`).Scan(&version)
+	if err != nil {
+		return 0, fmt.Errorf("db: schema version: %w", err)
+	}
+	if !version.Valid {
+		return 0, nil
+	}
+	return int(version.Int64), nil
+}