is there any recommendations against manipulating the kratos database directly? i.e. setting a bunch of triggers to keep identities in sync with some legacy system while migration is undergoing

You could probably utilize hooks in Kratos instead of database triggers and then deal with accessing database if need be in the hook itself

It is possible to do this Yan, but you have to take extra caution ( messing with the database directly can be destructive). Fazals recommendation to use Hooks instead sounds a bit safer!

but you can't sync credentials using hooks, right?

Yeah, there's no way to do a seamless migration without database access AFAIK. What I suggested is to use hooks instead of triggers and then access the database within the hook itself. That way you don't have to have triggers in database, minimizing modifications to database.

minimizing modifications to database

I'm afraid that's exactly what I had in mind 😅 Lets say a user resets the password from the kratos self service. I would like to push the new hash back to the "legacy" table, so the "legacy" APIs would still be able to authenticate the way they're used to.

There is an after recovery hook. You could probably use that. Again you would need to get the hash from the DB. As a general guideline I'd probably depend on one system for authentication so that migration is only needed one way. From legacy -> new. Unless you can't bring changes to legacy code base.

tbh the legacy stack uses express with passport-local so it would not be terribly difficult to update that codebase