docs(dev-cycle): §4.7 expand-only + flag-gate, amend §10.5.1 triage eligibility

[jinhongkuan]

Summary

• Adds §4.7 "Schema-touching PRs — expand-only + flag-gate" to DEV_CYCLE.md. Two complementary rules for any PR that touches ledger/schema.py or its _MIGRATIONS registry: migrations must be additive only (destructive ops live in dedicated later-release commits), and code paths that depend on new schema must be feature-flag gated default-off in prod.
• Amends §10.5.1 to replace the blanket "schema-migrating changes are not triage-eligible" rule with "schema migrations CAN ride a triage release if they comply with §4.7." Destructive schema changes and flag-flip releases stay non-triage-eligible.

Linked issues

No tracked issue — doctrine amendment surfaced during the v0.15.0 release planning (PR #388), where the existing rule blocked a v17 → v24 migration chain from ever reaching main through triage and forced an all-or-nothing full release.

Linked decisions

Closes decision:cp25jfz1nt6h3u2gjzmu — Schema migrations must be expand-only; destructive ops live in dedicated commits.
Closes decision:adklplvfhthkdch05pe9 — Code paths depending on new schema must be feature-flag gated, default off in prod.
Closes decision:0ok1249n2tdrfud2a5j9 — DEV_CYCLE.md §10.5.1 (triage eligibility) amended: triage releases CAN carry schema migrations when (a) every migration is expand-only and (b) every feature is flag-gated.

Plan / Audit / Seal

• Plan: doctrine-only change to docs/DEV_CYCLE.md. No code, no behavior change. Rules apply prospectively to PRs landing after this merges.
• Audit: rationale rooted in a cross-tool research survey of migration patterns (2026-05-15) — Rails, Django, Alembic, EF Core, Flyway, Liquibase, sqlx, golang-migrate. All converge on the same answer: migration chains are append-only; the workaround is to decouple schema from features. Stripe, GitHub (gh-ost), Thoughtworks, and Harness all advocate the expand-only + flag-gate pattern this PR encodes.
• Risk: L1 — doctrine-only, single-file change. No CI behavior change (the §4.7.1 CI lint is planned, not shipped in this PR).

Backwards compatibility with current state

• The v0.15.0 release PR (release: v0.15.0 — PII archive, hard-delete remove_decision, schema v17→v24 chain #388) drains the existing dev → main backlog under the old rule (all-or-nothing). The v18 → v24 migration chain that PR carries was not authored under §4.7's discipline — it predates this PR. That's fine; the rules apply prospectively.
• After this PR merges to dev, every subsequent schema-touching PR is evaluated under §4.7. The next triage release can carry expand-only migrations.

Test plan

• markdownlint docs/DEV_CYCLE.md would catch syntax issues (not currently run in CI — verified by inspection).
• Manual read-through to verify §4.7 cross-references (§4.7.1, §4.7.2, §4.7.3) resolve and the §10.5.1 amendment references §4.7 correctly.
• CI lint workflow (pr-body-refs-lint.yml) checks Closes #N / Closes decision:… formatting in this PR body.

Follow-up work (not in this PR)

• scripts/lint_schema_destructive.py — CI gate that parses ledger/schema.py diffs and flags REMOVE / breaking ALTER / tightening-ASSERT operations in any commit that also modifies non-migration code. §4.7.1 references this as planned. Separate PR with a tracked issue.
• Audit the existing _MIGRATIONS chain on dev (v17 → v24) against §4.7.1 retrospectively — most are already additive, but the audit produces a clean baseline for future "every migration in the chain since vN complies with §4.7" claims.

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 82e9bdd6-814c-4029-9107-a2b0eb3d27a7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/dev-cycle-expand-only-flag-gate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}