svc-infra 0.1.595__py3-none-any.whl → 1.1.0__py3-none-any.whl

svc_infra/db/sql/core.py

@@ -3,9 +3,9 @@ from __future__ import annotations
 import contextlib
 import io
 import os
+from collections.abc import Sequence
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Optional, Sequence
 
 from alembic import command
 from alembic.config import Config
@@ -30,7 +30,7 @@ from svc_infra.db.sql.utils import (
 def init_alembic(
     *,
     script_location: str = "migrations",
-    discover_packages: Optional[Sequence[str]] = None,
+    discover_packages: Sequence[str] | None = None,
     overwrite: bool = False,
 ) -> Path:
     """
@@ -140,7 +140,7 @@ def revision(
         cfg,
         message=message,
         autogenerate=autogenerate,
-        head=head,
+        head=head or "head",
         branch_label=branch_label,
         version_path=version_path,
         sql=sql,
@@ -157,7 +157,7 @@ def revision(
 def upgrade(
     revision_target: str = "head",
     *,
-    database_url: Optional[str] = None,
+    database_url: str | None = None,
 ) -> dict:
     """
     Apply migrations forward.
@@ -181,7 +181,7 @@ def upgrade(
 def downgrade(
     *,
     revision_target: str = "-1",
-    database_url: Optional[str] = None,
+    database_url: str | None = None,
 ) -> dict:
     """Revert migrations down to the specified revision or relative step.
 
@@ -203,7 +203,7 @@ def downgrade(
 def current(
     verbose: bool = False,
     *,
-    database_url: Optional[str] = None,
+    database_url: str | None = None,
 ) -> dict:
     """Print the current database revision(s)."""
     root = prepare_env()
@@ -224,7 +224,7 @@ def current(
 def history(
     *,
     verbose: bool = False,
-    database_url: Optional[str] = None,
+    database_url: str | None = None,
 ) -> dict:
     """Show the migration history for this project."""
     root = prepare_env()
@@ -245,7 +245,7 @@ def history(
 def stamp(
     *,
     revision_target: str = "head",
-    database_url: Optional[str] = None,
+    database_url: str | None = None,
 ) -> dict:
     """Set the current database revision without running migrations. Useful for marking an existing database as up-to-date."""
     root = prepare_env()
@@ -262,8 +262,8 @@ def stamp(
 
 def merge_heads(
     *,
-    message: Optional[str] = None,
-    database_url: Optional[str] = None,
+    message: str | None = None,
+    database_url: str | None = None,
 ) -> dict:
     """Create a merge revision that joins multiple migration heads."""
     root = prepare_env()
@@ -309,8 +309,8 @@ def setup_and_migrate(
     create_followup_revision: bool = True,
     initial_message: str = "initial schema",
     followup_message: str = "autogen",
-    database_url: Optional[str] = None,
-    discover_packages: Optional[Sequence[str]] = None,
+    database_url: str | None = None,
+    discover_packages: Sequence[str] | None = None,
 ) -> dict:
     """
     Ensure DB + Alembic are ready and up-to-date.
@@ -319,7 +319,7 @@ def setup_and_migrate(
     """
     resolved_url = database_url or get_database_url_from_env(required=True)
     root = prepare_env()
-    if create_db_if_missing:
+    if create_db_if_missing and resolved_url:
         ensure_database_exists(resolved_url)
 
     mig_dir = init_alembic(

svc_infra/db/sql/management.py

@@ -15,20 +15,19 @@ def _sa_columns(model: type[object]) -> list[Column]:
 def _py_type(col: Column) -> type:
     # Prefer SQLAlchemy-provided python_type when available
     if getattr(col.type, "python_type", None):
-        return col.type.python_type  # type: ignore[no-any-return]
+        return col.type.python_type
 
     from datetime import date, datetime
-    from typing import Any as _Any
     from uuid import UUID
 
     from sqlalchemy import JSON, Boolean, Date, DateTime, Integer, String, Text
 
     try:
         from sqlalchemy.dialects.postgresql import JSONB
-        from sqlalchemy.dialects.postgresql import UUID as PG_UUID  # type: ignore
+        from sqlalchemy.dialects.postgresql import UUID as PG_UUID
     except Exception:  # pragma: no cover
-        PG_UUID = None  # type: ignore
-        JSONB = None  # type: ignore
+        PG_UUID = None  # type: ignore[misc,assignment]
+        JSONB = None  # type: ignore[misc,assignment]
 
     t = col.type
     if PG_UUID is not None and isinstance(t, PG_UUID):
@@ -47,7 +46,7 @@ def _py_type(col: Column) -> type:
         return dict
     if JSONB is not None and isinstance(t, JSONB):
         return dict
-    return _Any
+    return object  # fallback type for unknown column types
 
 
 def _exclude_from_create(col: Column) -> bool:

svc_infra/db/sql/repository.py

@@ -1,11 +1,25 @@
 from __future__ import annotations
 
-from typing import Any, Iterable, Optional, Sequence, Set
+import inspect
+import logging
+from collections.abc import Iterable, Sequence
+from typing import Any, cast
 
 from sqlalchemy import Select, String, and_, func, or_, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import InstrumentedAttribute, class_mapper
 
+logger = logging.getLogger(__name__)
+
+
+def _escape_ilike(q: str) -> str:
+    """Escape special characters for ILIKE pattern matching.
+
+    Prevents SQL injection via wildcard characters that could match
+    unintended data (e.g., % matches any string, _ matches any char).
+    """
+    return q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
+
 
 class SqlRepository:
     """
@@ -20,22 +34,22 @@ class SqlRepository:
         soft_delete: bool = False,
         soft_delete_field: str = "deleted_at",
         soft_delete_flag_field: str | None = None,
-        immutable_fields: Optional[Set[str]] = None,
+        immutable_fields: set[str] | None = None,
     ):
         self.model = model
         self.id_attr = id_attr
         self.soft_delete = soft_delete
         self.soft_delete_field = soft_delete_field
         self.soft_delete_flag_field = soft_delete_flag_field
-        self.immutable_fields: Set[str] = set(
+        self.immutable_fields: set[str] = set(
             immutable_fields or {"id", "created_at", "updated_at"}
         )
 
     def _model_columns(self) -> set[str]:
         return {c.key for c in class_mapper(self.model).columns}
 
-    def _id_column(self) -> InstrumentedAttribute:
-        return getattr(self.model, self.id_attr)
+    def _id_column(self) -> InstrumentedAttribute[Any]:
+        return cast("InstrumentedAttribute[Any]", getattr(self.model, self.id_attr))
 
     def _base_select(self) -> Select:
         stmt = select(self.model)
@@ -55,21 +69,36 @@ class SqlRepository:
         *,
         limit: int,
         offset: int,
-        order_by: Optional[Sequence[Any]] = None,
+        order_by: Sequence[Any] | None = None,
+        where: Sequence[Any] | None = None,
     ) -> Sequence[Any]:
-        stmt = self._base_select().limit(limit).offset(offset)
+        stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
+        stmt = stmt.limit(limit).offset(offset)
         if order_by:
             stmt = stmt.order_by(*order_by)
-        rows = (await session.execute(stmt)).scalars().all()
-        return rows
+        result = (await session.execute(stmt)).scalars().all()
+        return list(result)
 
-    async def count(self, session: AsyncSession) -> int:
-        stmt = select(func.count()).select_from(self._base_select().subquery())
-        return (await session.execute(stmt)).scalar_one()
+    async def count(self, session: AsyncSession, *, where: Sequence[Any] | None = None) -> int:
+        base = self._base_select()
+        if where:
+            base = base.where(and_(*where))
+        stmt = select(func.count()).select_from(base.subquery())
+        return int((await session.execute(stmt)).scalar_one())
 
-    async def get(self, session: AsyncSession, id_value: Any) -> Any | None:
+    async def get(
+        self,
+        session: AsyncSession,
+        id_value: Any,
+        *,
+        where: Sequence[Any] | None = None,
+    ) -> Any | None:
         # honors soft-delete if configured
         stmt = self._base_select().where(self._id_column() == id_value)
+        if where:
+            stmt = stmt.where(and_(*where))
         return (await session.execute(stmt)).scalars().first()
 
     async def create(self, session: AsyncSession, data: dict[str, Any]) -> Any:
@@ -78,12 +107,18 @@ class SqlRepository:
         obj = self.model(**filtered)
         session.add(obj)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
     async def update(
-        self, session: AsyncSession, id_value: Any, data: dict[str, Any]
+        self,
+        session: AsyncSession,
+        id_value: Any,
+        data: dict[str, Any],
+        *,
+        where: Sequence[Any] | None = None,
     ) -> Any | None:
-        obj = await self.get(session, id_value)
+        obj = await self.get(session, id_value, where=where)
         if not obj:
             return None
         valid = self._model_columns()
@@ -91,21 +126,38 @@ class SqlRepository:
             if k in valid and k not in self.immutable_fields:
                 setattr(obj, k, v)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
-    async def delete(self, session: AsyncSession, id_value: Any) -> bool:
-        obj = await session.get(self.model, id_value)
+    async def delete(
+        self,
+        session: AsyncSession,
+        id_value: Any,
+        *,
+        where: Sequence[Any] | None = None,
+    ) -> bool:
+        # Fast path: when no extra filters provided, use session.get for simplicity (matches tests)
+        if not where:
+            obj = await session.get(self.model, id_value)
+        else:
+            # Respect soft-delete and optional tenant/extra filters by selecting through base select
+            stmt = self._base_select().where(self._id_column() == id_value)
+            stmt = stmt.where(and_(*where))
+            obj = (await session.execute(stmt)).scalars().first()
         if not obj:
             return False
         if self.soft_delete:
             # Prefer timestamp, also optionally set flag to False
-            if hasattr(self.model, self.soft_delete_field):
+            # Check attributes on the instance to support test doubles without class-level fields
+            if hasattr(obj, self.soft_delete_field):
                 setattr(obj, self.soft_delete_field, func.now())
-            if self.soft_delete_flag_field and hasattr(self.model, self.soft_delete_flag_field):
+            if self.soft_delete_flag_field and hasattr(obj, self.soft_delete_flag_field):
                 setattr(obj, self.soft_delete_flag_field, False)
             await session.flush()
             return True
-        session.delete(obj)
+        delete_result = session.delete(obj)
+        if inspect.isawaitable(delete_result):
+            await delete_result
         await session.flush()
         return True
 
@@ -117,19 +169,23 @@ class SqlRepository:
         fields: Sequence[str],
         limit: int,
         offset: int,
-        order_by: Optional[Sequence[Any]] = None,
+        order_by: Sequence[Any] | None = None,
+        where: Sequence[Any] | None = None,
     ) -> Sequence[Any]:
-        ilike = f"%{q}%"
+        ilike = f"%{_escape_ilike(q)}%"
         conditions = []
         for f in fields:
             col = getattr(self.model, f, None)
             if col is not None:
                 try:
                     conditions.append(col.cast(String).ilike(ilike))
-                except Exception:
+                except Exception as e:
                     # skip columns that cannot be used in ilike even with cast
+                    logger.debug("Column %s cannot be cast for ILIKE search: %s", f, e)
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         stmt = stmt.limit(limit).offset(offset)
@@ -137,17 +193,27 @@ class SqlRepository:
             stmt = stmt.order_by(*order_by)
         return (await session.execute(stmt)).scalars().all()
 
-    async def count_filtered(self, session: AsyncSession, *, q: str, fields: Sequence[str]) -> int:
-        ilike = f"%{q}%"
+    async def count_filtered(
+        self,
+        session: AsyncSession,
+        *,
+        q: str,
+        fields: Sequence[str],
+        where: Sequence[Any] | None = None,
+    ) -> int:
+        ilike = f"%{_escape_ilike(q)}%"
         conditions = []
         for f in fields:
             col = getattr(self.model, f, None)
             if col is not None:
                 try:
                     conditions.append(col.cast(String).ilike(ilike))
-                except Exception:
+                except Exception as e:
+                    logger.debug("Column %s cannot be cast for ILIKE search: %s", f, e)
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         # SELECT COUNT(*) FROM (<stmt>) as t

svc_infra/db/sql/resource.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
 
+from collections.abc import Callable
 from dataclasses import dataclass
-from typing import TYPE_CHECKING, Callable, Optional
+from typing import TYPE_CHECKING
 
 from svc_infra.db.sql.repository import SqlRepository
 
@@ -14,23 +15,28 @@ if TYPE_CHECKING:
 class SqlResource:
     model: type[object]
     prefix: str
-    tags: Optional[list[str]] = None
+    tags: list[str] | None = None
 
     id_attr: str = "id"
     soft_delete: bool = False
-    search_fields: Optional[list[str]] = None
-    ordering_default: Optional[str] = None
-    allowed_order_fields: Optional[list[str]] = None
+    search_fields: list[str] | None = None
+    ordering_default: str | None = None
+    allowed_order_fields: list[str] | None = None
 
-    read_schema: Optional[type] = None
-    create_schema: Optional[type] = None
-    update_schema: Optional[type] = None
+    read_schema: type | None = None
+    create_schema: type | None = None
+    update_schema: type | None = None
 
-    read_name: Optional[str] = None
-    create_name: Optional[str] = None
-    update_name: Optional[str] = None
+    read_name: str | None = None
+    create_name: str | None = None
+    update_name: str | None = None
 
     create_exclude: tuple[str, ...] = ("id",)
 
     # Only a type reference; no runtime dependency on FastAPI layer
-    service_factory: Optional[Callable[[SqlRepository], "SqlService"]] = None
+    service_factory: Callable[[SqlRepository], SqlService] | None = None
+
+    # Tenancy
+    tenant_field: str | None = (
+        None  # when set, CRUD router will require TenantId and scope by field
+    )

svc_infra/db/sql/scaffold.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 import os
 from pathlib import Path
-from typing import Any, Dict, Literal, Optional
+from typing import Any, Literal
 
 from svc_infra.db.utils import normalize_dir, pascal, plural_snake, snake
 from svc_infra.utils import ensure_init_py, render_template, write
@@ -13,7 +13,7 @@ _INIT_CONTENT_PAIRED = 'from . import models, schemas\n\n__all__ = ["models", "s
 _INIT_CONTENT_MINIMAL = "# package marker; add explicit exports here if desired\n"
 
 
-def _ensure_init_py(dir_path: Path, overwrite: bool, paired: bool) -> Dict[str, Any]:
+def _ensure_init_py(dir_path: Path, overwrite: bool, paired: bool) -> dict[str, Any]:
     """Create __init__.py; paired=True writes models/schemas re-exports, otherwise minimal."""
     content = _INIT_CONTENT_PAIRED if paired else _INIT_CONTENT_MINIMAL
     return ensure_init_py(dir_path, overwrite, paired, content)
@@ -31,14 +31,14 @@ def scaffold_core(
     schemas_dir: Path | str,
     kind: Kind = "entity",
     entity_name: str = "Item",
-    table_name: Optional[str] = None,
+    table_name: str | None = None,
     include_tenant: bool = True,
     include_soft_delete: bool = False,
     overwrite: bool = False,
     same_dir: bool = False,
-    models_filename: Optional[str] = None,
-    schemas_filename: Optional[str] = None,
-) -> Dict[str, Any]:
+    models_filename: str | None = None,
+    schemas_filename: str | None = None,
+) -> dict[str, Any]:
     """
     Create starter model + schema files.
 
@@ -150,12 +150,12 @@ def scaffold_models_core(
     dest_dir: Path | str,
     kind: Kind = "entity",
     entity_name: str = "Item",
-    table_name: Optional[str] = None,
+    table_name: str | None = None,
     include_tenant: bool = True,
     include_soft_delete: bool = False,
     overwrite: bool = False,
-    models_filename: Optional[str] = None,  # <--- NEW
-) -> Dict[str, Any]:
+    models_filename: str | None = None,  # <--- NEW
+) -> dict[str, Any]:
     """Create only a model file (defaults to <snake(entity)>.py unless models_filename is provided)."""
     dest = normalize_dir(dest_dir)
 
@@ -216,8 +216,8 @@ def scaffold_schemas_core(
     entity_name: str = "Item",
     include_tenant: bool = True,
     overwrite: bool = False,
-    schemas_filename: Optional[str] = None,  # <--- NEW
-) -> Dict[str, Any]:
+    schemas_filename: str | None = None,  # <--- NEW
+) -> dict[str, Any]:
     """Create only a schema file (defaults to <snake(entity)>.py unless schemas_filename is provided)."""
     dest = normalize_dir(dest_dir)
 

svc_infra/db/sql/service.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
-from typing import Any, Sequence
+from collections.abc import Sequence
+from typing import Any
 
 from fastapi import HTTPException
 from sqlalchemy.exc import IntegrityError

svc_infra/db/sql/service_with_hooks.py

@@ -1,4 +1,5 @@
-from typing import Any, Callable, Optional
+from collections.abc import Callable
+from typing import Any
 
 from svc_infra.db.sql.service import SqlService
 
@@ -9,8 +10,8 @@ class SqlServiceWithHooks(SqlService):
     def __init__(
         self,
         repo,
-        pre_create: Optional[PreHook] = None,
-        pre_update: Optional[PreHook] = None,
+        pre_create: PreHook | None = None,
+        pre_update: PreHook | None = None,
     ):
         super().__init__(repo)
         self._pre_create = pre_create

svc_infra/db/sql/templates/models_schemas/auth/models.py.tmpl

@@ -129,62 +129,13 @@ for _ix in make_unique_sql_indexes(
     # Registered with Table metadata (alembic/autogenerate will pick them up)
     pass
 
-# ------------------------------ Model: ProviderAccount -------------------------
-
-class ProviderAccount(ModelBase):
-    """
-    Links a local user to an external identity provider account.
-
-    - (provider, provider_account_id) is unique
-    - Optionally stores tokens for later API calls (refresh_token encrypted at rest)
-    """
-    __tablename__ = "provider_accounts"
-
-    id: Mapped[uuid.UUID] = mapped_column(GUID(), primary_key=True, default=uuid.uuid4)
-
-    user_id: Mapped[uuid.UUID] = mapped_column(
-        GUID(), ForeignKey("${auth_table_name}.id", ondelete="CASCADE"), nullable=False
-    )
-    user: Mapped["${AuthEntity}"] = relationship(
-        back_populates="provider_accounts",
-        lazy="selectin",
-    )
-
-    provider: Mapped[str] = mapped_column(String(50), nullable=False)               # "google"|"github"|"linkedin"|"microsoft"|...
-    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)   # sub/oid (OIDC) or id (github/linkedin)
-
-    # Optional token material
-    access_token: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
-
-    # Store encrypted refresh_token in the same column name for DB compatibility.
-    _refresh_token: Mapped[Optional[str]] = mapped_column("refresh_token", Text, nullable=True)
-
-    @property
-    def refresh_token(self) -> Optional[str]:
-        return _decrypt(self._refresh_token)
-
-    @refresh_token.setter
-    def refresh_token(self, value: Optional[str]) -> None:
-        self._refresh_token = _encrypt(value)
-
-    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
-    raw_claims: Mapped[Optional[dict]] = mapped_column(MutableDict.as_mutable(JSON), nullable=True)
-
-    created_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-    updated_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"),
-        onupdate=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-
-    __table_args__ = (
-        UniqueConstraint("provider", "provider_account_id", name="uq_provider_account"),
-        Index("ix_provider_accounts_user_id", "user_id"),
-    )
-
-    def __repr__(self) -> str:
-        return f"<ProviderAccount provider={self.provider!r} provider_account_id={self.provider_account_id!r} user_id={self.user_id}>"
+# NOTE: ProviderAccount model is imported from svc_infra.security.oauth_models
+# It's an opt-in OAuth model that links users to providers (Google, GitHub, etc.)
+# The relationship 'provider_accounts' is defined above in the ${AuthEntity} class.
+# To enable OAuth in your project:
+#   1. Set ALEMBIC_ENABLE_OAUTH=true in your .env
+#   2. Pass provider_account_model=ProviderAccount to add_auth_users()
+#   3. Import: from svc_infra.security.oauth_models import ProviderAccount
 
 # --- Auth service factory ------------------------------------------------------
 

svc_infra/db/sql/templates/setup/env_async.py.tmpl

@@ -6,13 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
-from sqlalchemy.ext.asyncio import create_async_engine
 
-from svc_infra.db.sql.utils import (
-    get_database_url_from_env,
-    _ensure_ssl_default_async as _ensure_ssl_default,
-)
+from svc_infra.db.sql.utils import get_database_url_from_env
 
 try:
     from svc_infra.db.sql.types import GUID as _GUID  # type: ignore
@@ -105,7 +102,6 @@ def _coerce_to_async(u: URL) -> URL:
 
 u = make_url(effective_url)
 u = _coerce_to_async(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 # feature flags
@@ -131,15 +127,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
-                md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
-                    found.append(md)
+                # Strict check: must be actual MetaData instance
+                if isinstance(val, MetaData) and val.tables:
+                    found.append(val)
         except Exception:
             pass
 
@@ -177,8 +174,16 @@ def _collect_metadata() -> list[object]:
                 if name not in pkgs:
                     pkgs.append(name)
 
+    # Only attempt bare 'models' import if it is discoverable to avoid noisy tracebacks
     if "models" not in pkgs:
-        pkgs.append("models")
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # Best-effort; if discovery fails, skip adding bare 'models'
+            pass
 
     def _import_and_collect(modname: str):
         try:
@@ -221,6 +226,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model
         try_autobind_apikey_model(require_env=False)
@@ -352,7 +372,9 @@ def _do_run_migrations(connection):
 
 async def run_migrations_online() -> None:
     url = config.get_main_option("sqlalchemy.url")
-    engine = create_async_engine(url)
+    # Use build_engine to ensure proper driver-specific handling (e.g., asyncpg SSL)
+    from svc_infra.db.sql.utils import build_engine
+    engine = build_engine(url)
     async with engine.connect() as connection:
         await connection.run_sync(_do_run_migrations)
     await engine.dispose()