fix(db): index two more nullable FK columns missing covering indexes

[jaydeep-pipaliya]

What

Two more nullable FK columns shipped without covering indexes — sister fix to #6965 and #6966. The per-row RI trigger on each parent delete falls back to a seq-scan of the child table on every gateway / gateway-pool delete:

• dynamic_secrets.gatewayPoolId (RESTRICT to gateway_pools, nullable). Set only when a dynamic secret is pinned to a pool, so most rows are NULL.
• pam_sessions.gatewayId (SET NULL to gateways_v2, nullable). Set when a pool-backed PAM session resolves to a specific gateway, so most rows are NULL.

Both get partial indexes filtered to the non-NULL rows (same shape as the previous two migrations). The partial form keeps the index tiny and imposes near-zero write overhead on the live insert path.

Why partial

For pool-pinned dynamic secrets and resolved PAM sessions, gatewayPoolId / gatewayId are NULL on the live insert path and only get set as a side effect of pinning / resolution. The cascade lookup only ever walks specific non-null values, so a partial index over the non-NULL rows fully serves the cascade while staying small.

Checklist

• I have read the contributing guide
• I have added tests (DDL-only migration)
• The change is limited to the affected code path

[greptile-apps]

Greptile Summary

This migration adds partial WHERE column IS NOT NULL indexes on two nullable FK columns that were missing covering indexes, causing sequential scans on every parent row delete. The change follows the same pattern used in the companion migrations for related gateway columns.

• Adds dynamic_secrets_gateway_pool_id_idx on dynamic_secrets.gatewayPoolId (FK → gateway_pools, RESTRICT), filtered to non-NULL rows.
• Adds pam_sessions_gateway_id_idx on pam_sessions.gatewayId (FK → gateways_v2, SET NULL), filtered to non-NULL rows. Both up and down paths include table/column/index existence checks, making the migration safe to apply more than once.

Confidence Score: 5/5

Safe to merge — this is a pure DDL migration that only adds (and drops) partial indexes with no data changes and no risk of data loss.

The migration is tightly scoped: it adds two partial indexes that are correct in shape (nullable FK columns, non-NULL predicate, matching the established pattern in the repo). Existence guards on table, column, and index name make both up and down idempotent. Column names and table names are verified against the schema definitions.

No files require special attention.

Important Files Changed

Filename	Overview
backend/src/db/migrations/20260624075011_add-fk-indexes-gateway-pool-and-pam-session.ts	Adds partial indexes on two nullable FK columns (dynamic_secrets.gatewayPoolId and pam_sessions.gatewayId) with proper idempotency guards in both up and down migrations.

_{Reviews (1): Last reviewed commit: "fix(db): index two more nullable FK colu..." | Re-trigger Greptile}