svc-infra 0.1.600__py3-none-any.whl → 0.1.664__py3-none-any.whl

svc_infra/db/nosql/mongo/README.md

@@ -29,17 +29,17 @@ We provide four CLI commands. You can register them on your Typer app or invoke
 
 ### Commands
 
-- `mongo-scaffold` — create both document **and** CRUD schemas
-- `mongo-scaffold-documents` — create only the **document** model (Pydantic)
-- `mongo-scaffold-schemas` — create only the **CRUD schemas**
-- `mongo-scaffold-resources` — create a starter `resources.py` with a `RESOURCES` list
+- `mongo scaffold` — create both document **and** CRUD schemas
+- `mongo scaffold-documents` — create only the **document** model (Pydantic)
+- `mongo scaffold-schemas` — create only the **CRUD schemas**
+- `mongo scaffold-resources` — create a starter `resources.py` with a `RESOURCES` list
 
 ### Typical usage
 
 #### A) Scaffold documents + schemas together
 
 ```bash
-yourapp mongo-scaffold \
+yourapp mongo scaffold \
   --entity-name Product \
   --documents-dir ./src/your_app/products \
   --schemas-dir ./src/your_app/products \
@@ -57,7 +57,7 @@ src/your_app/products/schemas.py     # ProductRead/ProductCreate/ProductUpdate
 B) Documents only
 
 ```bash
-yourapp mongo-scaffold-documents \
+yourapp mongo scaffold-documents \
   --dest-dir ./src/your_app/products \
   --entity-name Product \
   --documents-filename product_doc.py
@@ -66,7 +66,7 @@ yourapp mongo-scaffold-documents \
 C) Schemas only
 
 ```bash
-yourapp mongo-scaffold-schemas \
+yourapp mongo scaffold-schemas \
   --dest-dir ./src/your_app/products \
   --entity-name Product \
   --schemas-filename product_schemas.py
@@ -75,7 +75,7 @@ yourapp mongo-scaffold-schemas \
 D) Starter resources.py
 
 ```bash
-yourapp mongo-scaffold-resources \
+yourapp mongo scaffold-resources \
   --dest-dir ./src/your_app/mongo \
   --filename resources.py \
   --overwrite
@@ -131,7 +131,7 @@ There are two flavors:
 A) Async, minimal (connect, create collections, apply indexes)
 
 ```bash
-yourapp mongo-prepare \
+yourapp mongo prepare \
   --resources your_app.mongo.resources:RESOURCES \
   --mongo-url "$MONGO_URL" \
   --mongo-db "$MONGO_DB"
@@ -140,7 +140,7 @@ yourapp mongo-prepare \
 B) Synchronous wrapper (end-to-end convenience)
 
 ```bash
-yourapp mongo-setup-and-prepare \
+yourapp mongo setup-and-prepare \
   --resources your_app.mongo.resources:RESOURCES \
   --mongo-url "$MONGO_URL" \
   --mongo-db "$MONGO_DB"
@@ -149,7 +149,7 @@ yourapp mongo-setup-and-prepare \
 You can also ping connectivity:
 
 ```bash
-yourapp mongo-ping --mongo-url "$MONGO_URL" --mongo-db "$MONGO_DB"
+yourapp mongo ping --mongo-url "$MONGO_URL" --mongo-db "$MONGO_DB"
 ```
 
 Behind the scenes, preparation also locks a service ID to a DB name to prevent accidental cross-DB usage. You can pass --allow-rebind if you intentionally move environments.
@@ -430,9 +430,9 @@ NoSqlResource(
 	•	If using explicit schemas with PyObjectId, make sure model_config.json_encoders includes {PyObjectId: str}.
 	•	When using auto-schemas, we expose ObjectId-like fields as str so no custom encoder is needed.
 	•	Connected to wrong DB name
-	•	The system locks a service_id to the DB name once prepared. If you change DBs, run mongo-prepare with --allow-rebind.
+  •	The system locks a service_id to the DB name once prepared. If you change DBs, run `mongo prepare` with --allow-rebind.
 	•	Indexes not created
-	•	Double-check RESOURCES[indexes]. Run mongo-prepare again and inspect the output dictionary of created indexes.
+  •	Double-check RESOURCES[indexes]. Run `mongo prepare` again and inspect the output dictionary of created indexes.
 
 ⸻
 

svc_infra/db/sql/repository.py

@@ -56,20 +56,31 @@ class SqlRepository:
         limit: int,
         offset: int,
         order_by: Optional[Sequence[Any]] = None,
+        where: Optional[Sequence[Any]] = None,
     ) -> Sequence[Any]:
-        stmt = self._base_select().limit(limit).offset(offset)
+        stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
+        stmt = stmt.limit(limit).offset(offset)
         if order_by:
             stmt = stmt.order_by(*order_by)
         rows = (await session.execute(stmt)).scalars().all()
         return rows
 
-    async def count(self, session: AsyncSession) -> int:
-        stmt = select(func.count()).select_from(self._base_select().subquery())
+    async def count(self, session: AsyncSession, *, where: Optional[Sequence[Any]] = None) -> int:
+        base = self._base_select()
+        if where:
+            base = base.where(and_(*where))
+        stmt = select(func.count()).select_from(base.subquery())
         return (await session.execute(stmt)).scalar_one()
 
-    async def get(self, session: AsyncSession, id_value: Any) -> Any | None:
+    async def get(
+        self, session: AsyncSession, id_value: Any, *, where: Optional[Sequence[Any]] = None
+    ) -> Any | None:
         # honors soft-delete if configured
         stmt = self._base_select().where(self._id_column() == id_value)
+        if where:
+            stmt = stmt.where(and_(*where))
         return (await session.execute(stmt)).scalars().first()
 
     async def create(self, session: AsyncSession, data: dict[str, Any]) -> Any:
@@ -78,12 +89,18 @@ class SqlRepository:
         obj = self.model(**filtered)
         session.add(obj)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
     async def update(
-        self, session: AsyncSession, id_value: Any, data: dict[str, Any]
+        self,
+        session: AsyncSession,
+        id_value: Any,
+        data: dict[str, Any],
+        *,
+        where: Optional[Sequence[Any]] = None,
     ) -> Any | None:
-        obj = await self.get(session, id_value)
+        obj = await self.get(session, id_value, where=where)
         if not obj:
             return None
         valid = self._model_columns()
@@ -91,17 +108,28 @@ class SqlRepository:
             if k in valid and k not in self.immutable_fields:
                 setattr(obj, k, v)
         await session.flush()
+        await session.refresh(obj)
         return obj
 
-    async def delete(self, session: AsyncSession, id_value: Any) -> bool:
-        obj = await session.get(self.model, id_value)
+    async def delete(
+        self, session: AsyncSession, id_value: Any, *, where: Optional[Sequence[Any]] = None
+    ) -> bool:
+        # Fast path: when no extra filters provided, use session.get for simplicity (matches tests)
+        if not where:
+            obj = await session.get(self.model, id_value)
+        else:
+            # Respect soft-delete and optional tenant/extra filters by selecting through base select
+            stmt = self._base_select().where(self._id_column() == id_value)
+            stmt = stmt.where(and_(*where))
+            obj = (await session.execute(stmt)).scalars().first()
         if not obj:
             return False
         if self.soft_delete:
             # Prefer timestamp, also optionally set flag to False
-            if hasattr(self.model, self.soft_delete_field):
+            # Check attributes on the instance to support test doubles without class-level fields
+            if hasattr(obj, self.soft_delete_field):
                 setattr(obj, self.soft_delete_field, func.now())
-            if self.soft_delete_flag_field and hasattr(self.model, self.soft_delete_flag_field):
+            if self.soft_delete_flag_field and hasattr(obj, self.soft_delete_flag_field):
                 setattr(obj, self.soft_delete_flag_field, False)
             await session.flush()
             return True
@@ -118,6 +146,7 @@ class SqlRepository:
         limit: int,
         offset: int,
         order_by: Optional[Sequence[Any]] = None,
+        where: Optional[Sequence[Any]] = None,
     ) -> Sequence[Any]:
         ilike = f"%{q}%"
         conditions = []
@@ -130,6 +159,8 @@ class SqlRepository:
                     # skip columns that cannot be used in ilike even with cast
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         stmt = stmt.limit(limit).offset(offset)
@@ -137,7 +168,14 @@ class SqlRepository:
             stmt = stmt.order_by(*order_by)
         return (await session.execute(stmt)).scalars().all()
 
-    async def count_filtered(self, session: AsyncSession, *, q: str, fields: Sequence[str]) -> int:
+    async def count_filtered(
+        self,
+        session: AsyncSession,
+        *,
+        q: str,
+        fields: Sequence[str],
+        where: Optional[Sequence[Any]] = None,
+    ) -> int:
         ilike = f"%{q}%"
         conditions = []
         for f in fields:
@@ -148,6 +186,8 @@ class SqlRepository:
                 except Exception:
                     continue
         stmt = self._base_select()
+        if where:
+            stmt = stmt.where(and_(*where))
         if conditions:
             stmt = stmt.where(or_(*conditions))
         # SELECT COUNT(*) FROM (<stmt>) as t

svc_infra/db/sql/resource.py

@@ -34,3 +34,8 @@ class SqlResource:
 
     # Only a type reference; no runtime dependency on FastAPI layer
     service_factory: Optional[Callable[[SqlRepository], "SqlService"]] = None
+
+    # Tenancy
+    tenant_field: Optional[str] = (
+        None  # when set, CRUD router will require TenantId and scope by field
+    )

svc_infra/db/sql/templates/models_schemas/auth/models.py.tmpl

@@ -129,62 +129,13 @@ for _ix in make_unique_sql_indexes(
     # Registered with Table metadata (alembic/autogenerate will pick them up)
     pass
 
-# ------------------------------ Model: ProviderAccount -------------------------
-
-class ProviderAccount(ModelBase):
-    """
-    Links a local user to an external identity provider account.
-
-    - (provider, provider_account_id) is unique
-    - Optionally stores tokens for later API calls (refresh_token encrypted at rest)
-    """
-    __tablename__ = "provider_accounts"
-
-    id: Mapped[uuid.UUID] = mapped_column(GUID(), primary_key=True, default=uuid.uuid4)
-
-    user_id: Mapped[uuid.UUID] = mapped_column(
-        GUID(), ForeignKey("${auth_table_name}.id", ondelete="CASCADE"), nullable=False
-    )
-    user: Mapped["${AuthEntity}"] = relationship(
-        back_populates="provider_accounts",
-        lazy="selectin",
-    )
-
-    provider: Mapped[str] = mapped_column(String(50), nullable=False)               # "google"|"github"|"linkedin"|"microsoft"|...
-    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)   # sub/oid (OIDC) or id (github/linkedin)
-
-    # Optional token material
-    access_token: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
-
-    # Store encrypted refresh_token in the same column name for DB compatibility.
-    _refresh_token: Mapped[Optional[str]] = mapped_column("refresh_token", Text, nullable=True)
-
-    @property
-    def refresh_token(self) -> Optional[str]:
-        return _decrypt(self._refresh_token)
-
-    @refresh_token.setter
-    def refresh_token(self, value: Optional[str]) -> None:
-        self._refresh_token = _encrypt(value)
-
-    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
-    raw_claims: Mapped[Optional[dict]] = mapped_column(MutableDict.as_mutable(JSON), nullable=True)
-
-    created_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-    updated_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"),
-        onupdate=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-
-    __table_args__ = (
-        UniqueConstraint("provider", "provider_account_id", name="uq_provider_account"),
-        Index("ix_provider_accounts_user_id", "user_id"),
-    )
-
-    def __repr__(self) -> str:
-        return f"<ProviderAccount provider={self.provider!r} provider_account_id={self.provider_account_id!r} user_id={self.user_id}>"
+# NOTE: ProviderAccount model is imported from svc_infra.security.oauth_models
+# It's an opt-in OAuth model that links users to providers (Google, GitHub, etc.)
+# The relationship 'provider_accounts' is defined above in the ${AuthEntity} class.
+# To enable OAuth in your project:
+#   1. Set ALEMBIC_ENABLE_OAUTH=true in your .env
+#   2. Pass provider_account_model=ProviderAccount to add_auth_users()
+#   3. Import: from svc_infra.security.oauth_models import ProviderAccount
 
 # --- Auth service factory ------------------------------------------------------
 

svc_infra/db/sql/templates/setup/env_async.py.tmpl

@@ -6,13 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
-from sqlalchemy.ext.asyncio import create_async_engine
 
-from svc_infra.db.sql.utils import (
-    get_database_url_from_env,
-    _ensure_ssl_default_async as _ensure_ssl_default,
-)
+from svc_infra.db.sql.utils import get_database_url_from_env
 
 try:
     from svc_infra.db.sql.types import GUID as _GUID  # type: ignore
@@ -105,7 +102,6 @@ def _coerce_to_async(u: URL) -> URL:
 
 u = make_url(effective_url)
 u = _coerce_to_async(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 # feature flags
@@ -131,15 +127,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
-                md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
-                    found.append(md)
+                # Strict check: must be actual MetaData instance
+                if isinstance(val, MetaData) and val.tables:
+                    found.append(val)
         except Exception:
             pass
 
@@ -177,8 +174,16 @@ def _collect_metadata() -> list[object]:
                 if name not in pkgs:
                     pkgs.append(name)
 
+    # Only attempt bare 'models' import if it is discoverable to avoid noisy tracebacks
     if "models" not in pkgs:
-        pkgs.append("models")
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # Best-effort; if discovery fails, skip adding bare 'models'
+            pass
 
     def _import_and_collect(modname: str):
         try:
@@ -221,6 +226,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model
         try_autobind_apikey_model(require_env=False)
@@ -352,7 +372,9 @@ def _do_run_migrations(connection):
 
 async def run_migrations_online() -> None:
     url = config.get_main_option("sqlalchemy.url")
-    engine = create_async_engine(url)
+    # Use build_engine to ensure proper driver-specific handling (e.g., asyncpg SSL)
+    from svc_infra.db.sql.utils import build_engine
+    engine = build_engine(url)
     async with engine.connect() as connection:
         await connection.run_sync(_do_run_migrations)
     await engine.dispose()

svc_infra/db/sql/templates/setup/env_sync.py.tmpl

@@ -6,11 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
 
 from svc_infra.db.sql.utils import (
-    _coerce_sync_driver,
-    _ensure_ssl_default,
     get_database_url_from_env,
     build_engine,
 )
@@ -103,7 +102,6 @@ if not effective_url:
 
 u = make_url(effective_url)
 u = _coerce_sync_driver(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 
@@ -142,14 +140,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
                 md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
+                # Only add if it's a SQLAlchemy MetaData object (has tables dict, not a callable/generator)
+                if md is not None and hasattr(md, "tables") and isinstance(getattr(md, "tables", None), dict):
                     found.append(md)
         except Exception:
             pass
@@ -191,9 +191,16 @@ def _collect_metadata() -> list[object]:
                 if name not in pkgs:
                     pkgs.append(name)
 
-    # Always also try a bare 'models'
+    # Only attempt a bare 'models' import if discoverable to avoid noisy tracebacks
     if "models" not in pkgs:
-        pkgs.append("models")
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # If discovery fails, skip adding bare 'models'
+            pass
 
     def _import_and_collect(modname: str):
         try:
@@ -239,6 +246,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     # Optional: autobind API key model
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model

svc_infra/db/sql/tenant.py

@@ -0,0 +1,79 @@
+from __future__ import annotations
+
+from typing import Any, Sequence
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from .service import SqlService
+
+
+class TenantSqlService(SqlService):
+    """
+    SQL service wrapper that automatically scopes operations to a tenant.
+
+    - Adds a where filter (model.tenant_field == tenant_id) for list/get/update/delete/search/count.
+    - On create, if the model has the tenant field and it's not set in data, injects tenant_id.
+    """
+
+    def __init__(self, repo, *, tenant_id: str, tenant_field: str = "tenant_id"):
+        super().__init__(repo)
+        self.tenant_id = tenant_id
+        self.tenant_field = tenant_field
+
+    def _where(self) -> Sequence[Any]:
+        model = self.repo.model
+        col = getattr(model, self.tenant_field, None)
+        if col is None:
+            return []
+        return [col == self.tenant_id]
+
+    async def list(self, session: AsyncSession, *, limit: int, offset: int, order_by=None):
+        return await self.repo.list(
+            session, limit=limit, offset=offset, order_by=order_by, where=self._where()
+        )
+
+    async def count(self, session: AsyncSession) -> int:
+        return await self.repo.count(session, where=self._where())
+
+    async def get(self, session: AsyncSession, id_value: Any):
+        return await self.repo.get(session, id_value, where=self._where())
+
+    async def create(self, session: AsyncSession, data: dict[str, Any]):
+        data = await self.pre_create(data)
+        # inject tenant_id if model supports it and value missing
+        if self.tenant_field in self.repo._model_columns() and self.tenant_field not in data:
+            data[self.tenant_field] = self.tenant_id
+        return await self.repo.create(session, data)
+
+    async def update(self, session: AsyncSession, id_value: Any, data: dict[str, Any]):
+        data = await self.pre_update(data)
+        return await self.repo.update(session, id_value, data, where=self._where())
+
+    async def delete(self, session: AsyncSession, id_value: Any) -> bool:
+        return await self.repo.delete(session, id_value, where=self._where())
+
+    async def search(
+        self,
+        session: AsyncSession,
+        *,
+        q: str,
+        fields: Sequence[str],
+        limit: int,
+        offset: int,
+        order_by=None,
+    ):
+        return await self.repo.search(
+            session,
+            q=q,
+            fields=fields,
+            limit=limit,
+            offset=offset,
+            order_by=order_by,
+            where=self._where(),
+        )
+
+    async def count_filtered(self, session: AsyncSession, *, q: str, fields: Sequence[str]) -> int:
+        return await self.repo.count_filtered(session, q=q, fields=fields, where=self._where())
+
+
+__all__ = ["TenantSqlService"]

svc_infra/db/sql/utils.py

@@ -196,10 +196,17 @@ def _ensure_timeout_default(u: URL) -> URL:
     """
     Ensure a conservative connection timeout is present for libpq-based drivers.
     For psycopg/psycopg2, 'connect_timeout' is honored via the query string.
+    For asyncpg, timeout is set via connect_args (not query string).
     """
     backend = (u.get_backend_name() or "").lower()
     if backend not in ("postgresql", "postgres"):
         return u
+
+    # asyncpg doesn't support connect_timeout in query string - use connect_args instead
+    dn = (u.drivername or "").lower()
+    if "+asyncpg" in dn:
+        return u
+
     if "connect_timeout" in u.query:
         return u
     # Default 10s unless overridden
@@ -337,9 +344,8 @@ def _ensure_ssl_default(u: URL) -> URL:
     mode = (mode_env or "").strip()
 
     if "+asyncpg" in driver:
-        # asyncpg: use 'ssl=true' (SQLAlchemy forwards to asyncpg)
-        if "ssl" not in u.query:
-            return u.set(query={**u.query, "ssl": "true"})
+        # asyncpg: SSL is handled in connect_args in build_engine(), not in URL query
+        # Do not add ssl parameter to URL query for asyncpg
         return u
     else:
         # libpq-based drivers: use sslmode (default 'require' for hosted PG)
@@ -382,10 +388,18 @@ def build_engine(url: URL | str, echo: bool = False) -> Union[SyncEngine, AsyncE
                 "Async driver URL provided but SQLAlchemy async extras are not available."
             )
 
-        # asyncpg: honor connection timeout
+        # asyncpg: honor connection timeout only (NOT connect_timeout)
         if "+asyncpg" in (u.drivername or ""):
             connect_args["timeout"] = int(os.getenv("DB_CONNECT_TIMEOUT", "10"))
 
+            # asyncpg doesn't accept sslmode or ssl=true in query params
+            # Remove these and set ssl='require' in connect_args
+            if "ssl" in u.query or "sslmode" in u.query:
+                new_query = {k: v for k, v in u.query.items() if k not in ("ssl", "sslmode")}
+                u = u.set(query=new_query)
+            # Set ssl in connect_args - 'require' is safest for hosted databases
+            connect_args["ssl"] = "require"
+
         # NEW: aiomysql SSL default
         if "+aiomysql" in (u.drivername or "") and not any(
             k in u.query for k in ("ssl", "ssl_ca", "sslmode")