svc-infra 0.1.506__py3-none-any.whl → 0.1.654__py3-none-any.whl

svc_infra/db/sql/authref.py

@@ -0,0 +1,61 @@
+from __future__ import annotations
+
+from typing import Optional, Tuple
+
+from sqlalchemy import ForeignKeyConstraint
+from sqlalchemy.sql.type_api import TypeEngine
+
+from svc_infra.db.sql.base import ModelBase
+from svc_infra.db.sql.types import GUID
+
+
+def _find_auth_mapper() -> Optional[Tuple[str, TypeEngine, str]]:
+    """
+    Returns (table_name, pk_sqlatype, pk_name) for the auth user model.
+    Looks for any mapped class with __svc_infra_auth_user__ = True that
+    is already registered on ModelBase.registry (your env imports handle this).
+    """
+    try:
+        for mapper in list(ModelBase.registry.mappers):
+            cls = mapper.class_
+            if getattr(cls, "__svc_infra_auth_user__", False):
+                table = mapper.local_table or getattr(cls, "__table__", None)
+                if table is None:
+                    continue
+                pk_cols = list(table.primary_key.columns)
+                if len(pk_cols) != 1:
+                    continue  # require single-column PK
+                pk_col = pk_cols[0]
+                return (table.name, pk_col.type, pk_col.name)
+    except Exception:
+        pass
+    return None
+
+
+def resolve_auth_table_pk() -> Tuple[str, TypeEngine, str]:
+    """
+    Single source of truth for the auth table and PK.
+    Falls back to ('users', GUID(), 'id') if nothing is marked.
+    """
+    found = _find_auth_mapper()
+    if found is not None:
+        return found
+    return ("users", GUID(), "id")
+
+
+def user_id_type() -> TypeEngine:
+    """
+    Returns a SQLAlchemy TypeEngine matching the auth user PK type.
+    """
+    _, pk_type, _ = resolve_auth_table_pk()
+    return pk_type
+
+
+def user_fk_constraint(
+    column_name: str = "user_id", *, ondelete: str = "SET NULL"
+) -> ForeignKeyConstraint:
+    """
+    Returns a table-level ForeignKeyConstraint([...], [<auth_table>.<pk>]) for the given column.
+    """
+    table, _pk_type, pk_name = resolve_auth_table_pk()
+    return ForeignKeyConstraint([column_name], [f"{table}.{pk_name}"], ondelete=ondelete)

svc_infra/db/sql/core.py

@@ -310,6 +310,7 @@ def setup_and_migrate(
     initial_message: str = "initial schema",
     followup_message: str = "autogen",
     database_url: Optional[str] = None,
+    discover_packages: Optional[Sequence[str]] = None,
 ) -> dict:
     """
     Ensure DB + Alembic are ready and up-to-date.
@@ -318,12 +319,11 @@ def setup_and_migrate(
     """
     resolved_url = database_url or get_database_url_from_env(required=True)
     root = prepare_env()
-
     if create_db_if_missing:
         ensure_database_exists(resolved_url)
 
     mig_dir = init_alembic(
-        discover_packages=None,
+        discover_packages=discover_packages,
         overwrite=overwrite_scaffold,
     )
     versions_dir = mig_dir / "versions"

svc_infra/db/sql/repository.py

@@ -56,20 +56,31 @@ class SqlRepository:
         limit: int,
         offset: int,
         order_by: Optional[Sequence[Any]] = None,
+        where: Optional[Sequence[Any]] = None,
     ) -> Sequence[Any]:
-        stmt = self._base_select().limit(limit).offset(offset)
+        stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
+        stmt = stmt.limit(limit).offset(offset)
         if order_by:
             stmt = stmt.order_by(*order_by)
         rows = (await session.execute(stmt)).scalars().all()
         return rows
 
-    async def count(self, session: AsyncSession) -> int:
-        stmt = select(func.count()).select_from(self._base_select().subquery())
+    async def count(self, session: AsyncSession, *, where: Optional[Sequence[Any]] = None) -> int:
+        base = self._base_select()
+        if where:
+            base = base.where(and_(*where))
+        stmt = select(func.count()).select_from(base.subquery())
         return (await session.execute(stmt)).scalar_one()
 
-    async def get(self, session: AsyncSession, id_value: Any) -> Any | None:
+    async def get(
+        self, session: AsyncSession, id_value: Any, *, where: Optional[Sequence[Any]] = None
+    ) -> Any | None:
         # honors soft-delete if configured
         stmt = self._base_select().where(self._id_column() == id_value)
+        if where:
+            stmt = stmt.where(and_(*where))
         return (await session.execute(stmt)).scalars().first()
 
     async def create(self, session: AsyncSession, data: dict[str, Any]) -> Any:
@@ -78,12 +89,18 @@ class SqlRepository:
         obj = self.model(**filtered)
         session.add(obj)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
     async def update(
-        self, session: AsyncSession, id_value: Any, data: dict[str, Any]
+        self,
+        session: AsyncSession,
+        id_value: Any,
+        data: dict[str, Any],
+        *,
+        where: Optional[Sequence[Any]] = None,
     ) -> Any | None:
-        obj = await self.get(session, id_value)
+        obj = await self.get(session, id_value, where=where)
         if not obj:
             return None
         valid = self._model_columns()
@@ -91,21 +108,32 @@ class SqlRepository:
             if k in valid and k not in self.immutable_fields:
                 setattr(obj, k, v)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
-    async def delete(self, session: AsyncSession, id_value: Any) -> bool:
-        obj = await session.get(self.model, id_value)
+    async def delete(
+        self, session: AsyncSession, id_value: Any, *, where: Optional[Sequence[Any]] = None
+    ) -> bool:
+        # Fast path: when no extra filters provided, use session.get for simplicity (matches tests)
+        if not where:
+            obj = await session.get(self.model, id_value)
+        else:
+            # Respect soft-delete and optional tenant/extra filters by selecting through base select
+            stmt = self._base_select().where(self._id_column() == id_value)
+            stmt = stmt.where(and_(*where))
+            obj = (await session.execute(stmt)).scalars().first()
         if not obj:
             return False
         if self.soft_delete:
             # Prefer timestamp, also optionally set flag to False
-            if hasattr(self.model, self.soft_delete_field):
+            # Check attributes on the instance to support test doubles without class-level fields
+            if hasattr(obj, self.soft_delete_field):
                 setattr(obj, self.soft_delete_field, func.now())
-            if self.soft_delete_flag_field and hasattr(self.model, self.soft_delete_flag_field):
+            if self.soft_delete_flag_field and hasattr(obj, self.soft_delete_flag_field):
                 setattr(obj, self.soft_delete_flag_field, False)
             await session.flush()
             return True
-        await session.delete(obj)
+        session.delete(obj)
         await session.flush()
         return True
 
@@ -118,6 +146,7 @@ class SqlRepository:
         limit: int,
         offset: int,
         order_by: Optional[Sequence[Any]] = None,
+        where: Optional[Sequence[Any]] = None,
     ) -> Sequence[Any]:
         ilike = f"%{q}%"
         conditions = []
@@ -130,6 +159,8 @@ class SqlRepository:
                     # skip columns that cannot be used in ilike even with cast
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         stmt = stmt.limit(limit).offset(offset)
@@ -137,7 +168,14 @@ class SqlRepository:
             stmt = stmt.order_by(*order_by)
         return (await session.execute(stmt)).scalars().all()
 
-    async def count_filtered(self, session: AsyncSession, *, q: str, fields: Sequence[str]) -> int:
+    async def count_filtered(
+        self,
+        session: AsyncSession,
+        *,
+        q: str,
+        fields: Sequence[str],
+        where: Optional[Sequence[Any]] = None,
+    ) -> int:
         ilike = f"%{q}%"
         conditions = []
         for f in fields:
@@ -148,6 +186,8 @@ class SqlRepository:
                 except Exception:
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         # SELECT COUNT(*) FROM (<stmt>) as t

svc_infra/db/sql/resource.py

@@ -34,3 +34,8 @@ class SqlResource:
 
     # Only a type reference; no runtime dependency on FastAPI layer
     service_factory: Optional[Callable[[SqlRepository], "SqlService"]] = None
+
+    # Tenancy
+    tenant_field: Optional[str] = (
+        None  # when set, CRUD router will require TenantId and scope by field
+    )

svc_infra/db/sql/scaffold.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os
 from pathlib import Path
 from typing import Any, Dict, Literal, Optional
 
@@ -35,8 +36,8 @@ def scaffold_core(
     include_soft_delete: bool = False,
     overwrite: bool = False,
     same_dir: bool = False,
-    models_filename: Optional[str] = None,  # <--- NEW
-    schemas_filename: Optional[str] = None,  # <--- NEW
+    models_filename: Optional[str] = None,
+    schemas_filename: Optional[str] = None,
 ) -> Dict[str, Any]:
     """
     Create starter model + schema files.
@@ -52,7 +53,12 @@ def scaffold_core(
     # content per kind
     if kind == "auth":
         auth_ent = pascal(entity_name or "User")
-        auth_tbl = table_name or plural_snake(auth_ent)
+        env_tbl = (
+            os.getenv("AUTH_TABLE_NAME")
+            or os.getenv("SVC_INFRA_AUTH_TABLE")
+            or os.getenv("APF_AUTH_TABLE_NAME")
+        )
+        auth_tbl = (table_name or env_tbl or plural_snake(auth_ent)).strip()
 
         models_txt = render_template(
             tmpl_dir="svc_infra.db.sql.templates.models_schemas.auth",
@@ -155,7 +161,13 @@ def scaffold_models_core(
 
     if kind == "auth":
         auth_ent = pascal(entity_name or "User")
-        auth_tbl = table_name or plural_snake(auth_ent)
+        env_tbl = (
+            os.getenv("AUTH_TABLE_NAME")
+            or os.getenv("SVC_INFRA_AUTH_TABLE")
+            or os.getenv("APF_AUTH_TABLE_NAME")
+        )
+        auth_tbl = (table_name or env_tbl or plural_snake(auth_ent)).strip()
+
         txt = render_template(
             tmpl_dir="svc_infra.db.sql.templates.models_schemas.auth",
             name="models.py.tmpl",

svc_infra/db/sql/templates/models_schemas/auth/schemas.py.tmpl

@@ -18,7 +18,7 @@ class Timestamped(BaseModel):
 
 class ProviderAccountBase(BaseModel):
     model_config = ConfigDict(from_attributes=True)
-    provider: str = Field(..., examples=["google", "github", "linkedin", "microsoft"])
+    provider: str = Field(..., json_schema_extra={"examples": ["google", "github", "linkedin", "microsoft"]})
     provider_account_id: str
 
 class ProviderAccountRead(ProviderAccountBase, Timestamped):

svc_infra/db/sql/templates/setup/env_async.py.tmpl

@@ -1,21 +1,18 @@
-# Alembic async env.py generated by svc-infra
+# Alembic async env.py
 from __future__ import annotations
 import os
 import logging
-from typing import List
+from typing import List, Tuple
+import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
 from sqlalchemy.engine import make_url, URL
-from sqlalchemy.ext.asyncio import create_async_engine
 
-from svc_infra.db.sql.utils import (
-    get_database_url_from_env,
-    _ensure_ssl_default_async as _ensure_ssl_default,
-)
+from svc_infra.db.sql.utils import get_database_url_from_env
 
 try:
     from svc_infra.db.sql.types import GUID as _GUID  # type: ignore
-except Exception:  # keep env.py robust if package unavailable at import time
+except Exception:
     _GUID = None
 
 def _render_item(type_, obj, autogen_context):
@@ -30,23 +27,34 @@ def _render_item(type_, obj, autogen_context):
 # Logging
 config = context.config
 if config.config_file_name is not None:
-    import logging.config
-    logging.config.fileConfig(config.config_file_name)
+    import logging.config as _lc
+    _lc.fileConfig(config.config_file_name)
+
 logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
 
-# --- sys.path bootstrap for src-layout projects ---
-import sys, pathlib, importlib.util
+# sys.path bootstrap (append)
 prepend = config.get_main_option("prepend_sys_path") or ""
+script_loc = config.get_main_option("script_location") or os.path.dirname(__file__)
+migrations_dir = pathlib.Path(script_loc).resolve()
+project_root = migrations_dir.parent
+
+def _ensure_on_syspath_end(p: pathlib.Path) -> None:
+    s = str(p)
+    if s and s not in sys.path:
+        sys.path.append(s)
+
 if prepend:
-    if prepend not in sys.path:
-        sys.path.insert(0, prepend)
+    _ensure_on_syspath_end(pathlib.Path(prepend))
     src_path = pathlib.Path(prepend) / "src"
     if src_path.exists():
-        s = str(src_path)
-        if s not in sys.path:
-            sys.path.insert(0, s)
+        _ensure_on_syspath_end(src_path)
 
-# --- robust x-arg parsing for all Alembic versions ---
+_ensure_on_syspath_end(project_root)
+if (project_root / "src").exists():
+    _ensure_on_syspath_end(project_root / "src")
+
+# x-args
 def _x_args_dict() -> dict:
     try:
         return context.get_x_argument(as_dictionary=True)  # type: ignore[arg-type]
@@ -64,7 +72,7 @@ def _x_args_dict() -> dict:
             out[item] = ""
     return out
 
-# --- Resolve effective DB URL (priority: -x -> env -> helper -> ini) ---
+# DB URL
 _x = _x_args_dict()
 cli_dburl = _x.get("dburl", "").strip()
 env_dburl = os.getenv("SQL_URL", "").strip()
@@ -93,102 +101,190 @@ def _coerce_to_async(u: URL) -> URL:
 
 u = make_url(effective_url)
 u = _coerce_to_async(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
-# --- metadata discovery (same as sync) ---
-DISCOVER_PACKAGES: List[str] = [__PACKAGES_LIST__]
+# feature flags
+WANT_PAYMENTS = os.getenv("APF_ENABLE_PAYMENTS", "").lower() in {"1", "true", "yes"}
+FORCE_PAYMENTS = os.getenv("ALEMBIC_FORCE_PAYMENTS", "").lower() in {"1", "true", "yes"}
+PAYMENT_TABLES = {"pay_customers", "pay_intents", "pay_events", "ledger_entries"}
+
+# metadata discovery (scan ALL attrs; do not shadow site-packages)
+DISCOVER_PACKAGES: List[str] = []  # do not seed payments by default
 ENV_DISCOVER = os.getenv("ALEMBIC_DISCOVER_PACKAGES")
 if ENV_DISCOVER:
     DISCOVER_PACKAGES = [s.strip() for s in ENV_DISCOVER.split(',') if s.strip()]
 
 def _collect_metadata() -> list[object]:
-    try:
-        from svc_infra.db.sql.base import ModelBase  # type: ignore
-        md = getattr(ModelBase, "metadata", None)
-        if md is not None and hasattr(md, "tables") and md.tables:
-            return [md]
-    except Exception as e:
-        logger.debug("ModelBase not available or empty: %s", e)
-
-    import importlib, pkgutil, pathlib
+    tried: list[Tuple[str, str]] = []
+    errors: list[Tuple[str, str]] = []
     found: list[object] = []
 
+    def _note(name: str, ok: bool, err: str | None = None):
+        tried.append((name, "ok" if ok else "err"))
+        if not ok and err:
+            errors.append((name, err))
+
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and hasattr(md, "schema"):
+        if hasattr(md, "tables") and getattr(md, "tables"):
             found.append(md)
 
-    pkgs = list(DISCOVER_PACKAGES) or []
-    if not pkgs:
-        roots = []
-        if prepend:
-            roots.append(pathlib.Path(prepend))
-            roots.append(pathlib.Path(prepend) / "src")
-        for root in roots:
-            if not root or not root.exists():
-                continue
-            for p in root.iterdir():
-                if p.is_dir() and (p / "__init__.py").exists():
-                    pkgs.append(p.name)
+    def _scan_module_objects(mod: object) -> None:
+        try:
+            for val in vars(mod).values():
+                md = getattr(val, "metadata", None) or None
+                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
+                    found.append(md)
+        except Exception:
+            pass
 
-    for pkg_name in pkgs:
+    # Force-load payments only when enabled/forced
+    if WANT_PAYMENTS or FORCE_PAYMENTS:
         try:
-            pkg = importlib.import_module(pkg_name)
-        except Exception as e:
-            logger.debug("Failed to import %s: %s", pkg_name, e)
-            continue
+            importlib.import_module("svc_infra.apf_payments.models")
+            context.config.print_stdout("[alembic env (async)] payments module import: ok (svc_infra.apf_payments.models)")
+        except Exception:
+            context.config.print_stdout("[alembic env (async)] payments module import: ERR (svc_infra.apf_payments.models)")
+            context.config.print_stdout(traceback.format_exc())
+
+    pkgs: list[str] = []
+    if WANT_PAYMENTS or FORCE_PAYMENTS:
+        pkgs.append("svc_infra.apf_payments.models")
+
+    for p in list(DISCOVER_PACKAGES or []):
+        if p and p not in pkgs:
+            pkgs.append(p)
+
+    env_pkgs = os.getenv("ALEMBIC_DISCOVER_PACKAGES", "")
+    if env_pkgs:
+        for p in (x.strip() for x in env_pkgs.split(",") if x.strip()):
+            if p not in pkgs:
+                pkgs.append(p)
+
+    fs_roots: list[pathlib.Path] = []
+    for candidate in {project_root, project_root / "src"}:
+        if candidate.exists():
+            fs_roots.append(candidate)
+    for root in fs_roots:
+        for p in root.iterdir():
+            if p.is_dir() and (p / "__init__.py").exists():
+                name = p.name
+                if name not in pkgs:
+                    pkgs.append(name)
+
+    # Only attempt bare 'models' import if it is discoverable to avoid noisy tracebacks
+    if "models" not in pkgs:
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # Best-effort; if discovery fails, skip adding bare 'models'
+            pass
 
+    def _import_and_collect(modname: str):
+        try:
+            mod = importlib.import_module(modname)
+            _note(modname, True, None)
+        except Exception:
+            _note(modname, False, traceback.format_exc())
+            return None
         for attr in ("metadata", "MetaData", "Base", "base"):
-            obj = getattr(pkg, attr, None)
+            obj = getattr(mod, attr, None)
             if obj is not None:
                 _maybe_add(obj)
+        _scan_module_objects(mod)
+        return mod
 
-        for subname in ("models",):
-            try:
-                sub = importlib.import_module(f"{pkg_name}.{subname}")
-                for attr in ("metadata", "MetaData", "Base", "base"):
-                    obj = getattr(sub, attr, None)
-                    if obj is not None:
-                        _maybe_add(obj)
-            except Exception:
-                pass
-
+    for pkg_name in pkgs:
+        pkg = _import_and_collect(pkg_name)
+        if pkg is None:
+            continue
+        for subname in ("models", "db", "orm", "entities"):
+            _import_and_collect(f"{pkg_name}.{subname}")
         mod_path = getattr(pkg, "__path__", None)
         if not mod_path:
             continue
         for _, name, ispkg in pkgutil.walk_packages(mod_path, prefix=pkg_name + "."):
-            if ispkg or not any(x in name for x in (".models", ".db", ".orm", ".entities")):
+            if ispkg:
                 continue
-            try:
-                mod = importlib.import_module(name)
-            except Exception:
+            if not any(x in name for x in (".models", ".db", ".orm", ".entities")):
                 continue
-            for attr in ("metadata", "MetaData", "Base", "base"):
-                obj = getattr(mod, attr, None)
-                if obj is not None:
-                    _maybe_add(obj)
+            _import_and_collect(name)
+
+    try:
+        from svc_infra.db.sql.base import ModelBase  # type: ignore
+        mb_md = getattr(ModelBase, "metadata", None)
+        if mb_md is not None and getattr(mb_md, "tables", {}):
+            found.append(mb_md)
+            _note("ModelBase.metadata", True, None)
+        else:
+            _note("ModelBase.metadata(empty)", True, None)
+    except Exception:
+        _note("ModelBase import", False, traceback.format_exc())
 
-    # --- AUTOBIND API KEY MODEL (if a marked User model exists) ---
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model
-        # If you prefer gating on env, pass require_env=True and set AUTH_ENABLE_API_KEYS=1
         try_autobind_apikey_model(require_env=False)
-    except Exception as e:
-        logger.debug("svc-infra apikey autobind skipped: %s", e)
+        _note("svc_infra.db.sql.apikey.try_autobind_apikey_model", True, None)
+    except Exception:
+        _note("svc_infra.db.sql.apikey.try_autobind_apikey_model", False, traceback.format_exc())
 
-    uniq, seen = [], set()
+    uniq: list[object] = []
+    seen: set[int] = set()
     for md in found:
+        try:
+            if not getattr(md, "tables", {}):
+                continue
+        except Exception:
+            continue
         if id(md) not in seen:
             seen.add(id(md))
             uniq.append(md)
+
+    total_tables = 0
+    try:
+        total_tables = sum(len(getattr(md, "tables", {})) for md in uniq)
+    except Exception:
+        pass
+
+    context.config.print_stdout(
+        f"[alembic env (async)] discovered {len(uniq)} metadata objects with {total_tables} tables total"
+    )
+
+    if WANT_PAYMENTS and not FORCE_PAYMENTS:
+        saw_pay = any(any(tn in PAYMENT_TABLES for tn in md.tables.keys()) for md in uniq) if uniq else False
+        if not saw_pay:
+            context.config.print_stdout(
+                "[alembic env (async)] WARNING: APF_ENABLE_PAYMENTS is set but no payments tables were discovered. "
+                "If you still see this, a local package named 'svc_infra' may be shadowing the installed one."
+            )
+
+    if total_tables == 0:
+        context.config.print_stdout("[alembic env (async)] import attempts (ok/err):")
+        for name, status in tried:
+            context.config.print_stdout(f"  - {status:3s}  {name}")
+        for name, tb in errors[:10]:
+            context.config.print_stdout(f"  --- import error: {name} ---")
+            context.config.print_stdout(tb)
+
     return uniq
 
 target_metadata = _collect_metadata()
 
 def _want_include_schemas() -> bool:
     val = _x.get("include_schemas", "") or os.getenv("ALEMBIC_INCLUDE_SCHEMAS", "")
-    return str(val).strip() in {"1", "true", "True", "yes"}
+    if str(val).strip() in {"1", "true", "True", "yes"}:
+        return True
+    try:
+        for md in (target_metadata or []):
+            for t in getattr(md, "tables", {}).values():
+                if getattr(t, "schema", None):
+                    return True
+    except Exception:
+        pass
+    return False
 
 def _system_schemas_for(url: str) -> set[str]:
     try:
@@ -207,13 +303,38 @@ def _system_schemas_for(url: str) -> set[str]:
 
 def _include_object_factory(url: str):
     sys_schemas = _system_schemas_for(url)
+    skip_drops = os.getenv("ALEMBIC_SKIP_DROPS", "").lower() in {"1", "true", "yes"}
+    want_payments = WANT_PAYMENTS or FORCE_PAYMENTS
+
     def _include_object(obj, name, type_, reflected, compare_to):
         schema = getattr(obj, "schema", None)
         if schema and str(schema) in sys_schemas:
             return False
-        if type_ == "table" and name == (context.get_x_argument(as_dictionary=True).get("version_table") or "alembic_version"):
+
+        version_table = (
+            context.get_x_argument(as_dictionary=True).get("version_table")
+            if hasattr(context, "get_x_argument")
+            else None
+        ) or os.getenv("ALEMBIC_VERSION_TABLE", "alembic_version")
+        if type_ == "table" and name == version_table:
             return True
+
+        if skip_drops and type_ == "table" and reflected and compare_to is None:
+            return False
+
+        if not want_payments:
+            if type_ == "table" and name in PAYMENT_TABLES:
+                return False
+            if type_ == "index":
+                try:
+                    parent = getattr(obj, "table", None)
+                    if parent is not None and getattr(parent, "name", None) in PAYMENT_TABLES:
+                        return False
+                except Exception:
+                    pass
+
         return True
+
     return _include_object
 
 def _do_run_migrations(connection):
@@ -234,7 +355,9 @@ def _do_run_migrations(connection):
 
 async def run_migrations_online() -> None:
     url = config.get_main_option("sqlalchemy.url")
-    engine = create_async_engine(url)
+    # Use build_engine to ensure proper driver-specific handling (e.g., asyncpg SSL)
+    from svc_infra.db.sql.utils import build_engine
+    engine = build_engine(url)
     async with engine.connect() as connection:
         await connection.run_sync(_do_run_migrations)
     await engine.dispose()