svc-infra 0.1.640__py3-none-any.whl → 0.1.664__py3-none-any.whl

svc_infra/api/fastapi/apf_payments/setup.py

@@ -7,7 +7,6 @@ from fastapi import FastAPI
 
 from svc_infra.apf_payments.provider.registry import get_provider_registry
 from svc_infra.api.fastapi.apf_payments.router import build_payments_routers
-from svc_infra.api.fastapi.docs.scoped import add_prefixed_docs
 
 logger = logging.getLogger(__name__)
 
@@ -51,7 +50,6 @@ def add_payments(
     - Reuses your OpenAPI defaults (security + responses) via DualAPIRouter factories.
     """
     _maybe_register_default_providers(register_default_providers, adapters)
-    add_prefixed_docs(app, prefix=prefix, title="Payments")
 
     for r in build_payments_routers(prefix=prefix):
         app.include_router(

svc_infra/api/fastapi/auth/add.py

@@ -17,7 +17,6 @@ from svc_infra.api.fastapi.paths.prefix import AUTH_PREFIX, USER_PREFIX
 from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV
 from svc_infra.db.sql.apikey import bind_apikey_model
 
-from ..docs.scoped import add_prefixed_docs
 from .policy import AuthPolicy, DefaultAuthPolicy
 from .providers import providers_from_settings
 from .settings import get_auth_settings
@@ -293,9 +292,6 @@ def add_auth_users(
             https_only=bool(getattr(settings_obj, "session_cookie_secure", False)),
         )
 
-    add_prefixed_docs(app, prefix=user_prefix, title="Users")
-    add_prefixed_docs(app, prefix=auth_prefix, title="Auth")
-
     if enable_password:
         setup_password_authentication(
             app,

svc_infra/api/fastapi/auth/routers/oauth_router.py

@@ -373,9 +373,8 @@ async def _update_provider_account(
 def _determine_final_redirect_url(request: Request, provider: str, post_login_redirect: str) -> str:
     """Determine the final redirect URL after successful authentication."""
     st = get_auth_settings()
-    redirect_url = str(
-        getattr(st, "post_login_redirect", post_login_redirect) or post_login_redirect
-    )
+    # Prioritize the parameter passed to the router over settings
+    redirect_url = str(post_login_redirect or getattr(st, "post_login_redirect", "/"))
     allow_hosts = parse_redirect_allow_hosts(getattr(st, "redirect_allow_hosts_raw", None))
     require_https = bool(getattr(st, "session_cookie_secure", False))
 
@@ -669,7 +668,23 @@ def _create_oauth_router(
             ip_hash=None,
         )
 
-        # Create response with auth + refresh cookies
+        # Generate JWT token for the response
+        strategy = auth_backend.get_strategy()
+        jwt_token = await strategy.write_token(user)
+
+        # If redirecting to a different origin, append token as URL fragment for frontend to extract
+        # This handles cross-port scenarios like localhost:8000 -> localhost:3000
+        parsed_redirect = urlparse(redirect_url)
+        request_origin = f"{request.url.scheme}://{request.url.netloc}"
+        redirect_origin = f"{parsed_redirect.scheme}://{parsed_redirect.netloc}"
+
+        if redirect_origin and redirect_origin != request_origin:
+            # Cross-origin redirect: append token as URL fragment
+            # Fragment is not sent to server, only accessible to client-side JS
+            separator = "#" if not parsed_redirect.fragment else "&"
+            redirect_url = f"{redirect_url}{separator}access_token={jwt_token}"
+
+        # Create response with auth + refresh cookies (for same-origin requests)
         resp = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
         await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=raw_refresh)
 

svc_infra/api/fastapi/cache/add.py

@@ -1,3 +1,5 @@
+from contextlib import asynccontextmanager
+
 from fastapi import FastAPI
 
 from svc_infra.cache.backend import shutdown_cache
@@ -5,10 +7,12 @@ from svc_infra.cache.decorators import init_cache
 
 
 def setup_caching(app: FastAPI) -> None:
-    @app.on_event("startup")
-    async def _startup():
+    @asynccontextmanager
+    async def lifespan(_app: FastAPI):
         init_cache()
+        try:
+            yield
+        finally:
+            await shutdown_cache()
 
-    @app.on_event("shutdown")
-    async def _shutdown():
-        await shutdown_cache()
+    app.router.lifespan_context = lifespan

svc_infra/api/fastapi/db/nosql/mongo/add.py

@@ -38,8 +38,8 @@ def add_mongo_db_with_url(app: FastAPI, url: str, db_name: str) -> None:
 
 
 def add_mongo_db(app: FastAPI, *, dsn_env: str = "MONGO_URL") -> None:
-    @app.on_event("startup")
-    async def _startup() -> None:
+    @asynccontextmanager
+    async def lifespan(_app: FastAPI):
         if not os.getenv(dsn_env):
             raise RuntimeError(f"Missing environment variable {dsn_env} for Mongo URL")
         await init_mongo()
@@ -47,10 +47,12 @@ def add_mongo_db(app: FastAPI, *, dsn_env: str = "MONGO_URL") -> None:
         db = await acquire_db()
         if expected and db.name != expected:
             raise RuntimeError(f"Connected to Mongo DB '{db.name}', expected '{expected}'.")
+        try:
+            yield
+        finally:
+            await close_mongo()
 
-    @app.on_event("shutdown")
-    async def _shutdown() -> None:
-        await close_mongo()
+    app.router.lifespan_context = lifespan
 
 
 def add_mongo_health(
@@ -62,46 +64,50 @@ def add_mongo_health(
 
 
 def add_mongo_resources(app: FastAPI, resources: Sequence[NoSqlResource]) -> None:
-    for r in resources:
+    for resource in resources:
         repo = NoSqlRepository(
-            collection_name=r.resolved_collection(),
-            id_field=r.id_field,
-            soft_delete=r.soft_delete,
-            soft_delete_field=r.soft_delete_field,
-            soft_delete_flag_field=r.soft_delete_flag_field,
+            collection_name=resource.resolved_collection(),
+            id_field=resource.id_field,
+            soft_delete=resource.soft_delete,
+            soft_delete_field=resource.soft_delete_field,
+            soft_delete_flag_field=resource.soft_delete_flag_field,
         )
-        svc = r.service_factory(repo) if r.service_factory else NoSqlService(repo)
+        svc = resource.service_factory(repo) if resource.service_factory else NoSqlService(repo)
 
-        if r.read_schema and r.create_schema and r.update_schema:
-            Read, Create, Update = r.read_schema, r.create_schema, r.update_schema
-        elif r.document_model is not None:
+        if resource.read_schema and resource.create_schema and resource.update_schema:
+            Read, Create, Update = (
+                resource.read_schema,
+                resource.create_schema,
+                resource.update_schema,
+            )
+        elif resource.document_model is not None:
             # CRITICAL: teach Pydantic to dump ObjectId/PyObjectId
             Read, Create, Update = make_document_crud_schemas(
-                r.document_model,
-                create_exclude=r.create_exclude,
-                read_name=r.read_name,
-                create_name=r.create_name,
-                update_name=r.update_name,
-                read_exclude=r.read_exclude,
-                update_exclude=r.update_exclude,
+                resource.document_model,
+                create_exclude=resource.create_exclude,
+                read_name=resource.read_name,
+                create_name=resource.create_name,
+                update_name=resource.update_name,
+                read_exclude=resource.read_exclude,
+                update_exclude=resource.update_exclude,
                 json_encoders={ObjectId: str, PyObjectId: str},
             )
         else:
             raise RuntimeError(
-                f"Resource for collection '{r.collection}' requires either explicit schemas "
+                f"Resource for collection '{resource.collection}' requires either explicit schemas "
                 f"(read/create/update) or a 'document_model' to derive them."
             )
 
         router = make_crud_router_plus_mongo(
-            collection=r.resolved_collection(),
+            collection=resource.resolved_collection(),
             repo=repo,
             service=svc,
             read_schema=Read,
             create_schema=Create,
             update_schema=Update,
-            prefix=r.prefix,
-            tags=r.tags,
-            search_fields=r.search_fields,
+            prefix=resource.prefix,
+            tags=resource.tags,
+            search_fields=resource.search_fields,
             default_ordering=None,
             allowed_order_fields=None,
         )

svc_infra/api/fastapi/db/sql/add.py

@@ -86,16 +86,19 @@ def add_sql_db(app: FastAPI, *, url: Optional[str] = None, dsn_env: str = "SQL_U
         app.router.lifespan_context = lifespan
         return
 
-    @app.on_event("startup")
-    async def _startup() -> None:  # noqa: ANN202
+    # Use lifespan context manager instead of deprecated on_event
+    @asynccontextmanager
+    async def lifespan(_app: FastAPI):
         env_url = os.getenv(dsn_env)
         if not env_url:
             raise RuntimeError(f"Missing environment variable {dsn_env} for database URL")
         initialize_session(env_url)
+        try:
+            yield
+        finally:
+            await dispose_session()
 
-    @app.on_event("shutdown")
-    async def _shutdown() -> None:  # noqa: ANN202
-        await dispose_session()
+    app.router.lifespan_context = lifespan
 
 
 def add_sql_health(

svc_infra/api/fastapi/db/sql/crud_router.py

@@ -122,7 +122,7 @@ def make_crud_router_plus_sql(
     )
     async def create_item(
         session: SqlSessionDep,  # type: ignore[name-defined]
-        payload: Any = Body(...),
+        payload: create_schema = Body(...),
     ):
         if isinstance(payload, BaseModel):
             data = payload.model_dump(exclude_unset=True)
@@ -141,7 +141,7 @@ def make_crud_router_plus_sql(
     async def update_item(
         item_id: Any,
         session: SqlSessionDep,  # type: ignore[name-defined]
-        payload: Any = Body(...),
+        payload: update_schema = Body(...),
     ):
         if isinstance(payload, BaseModel):
             data = payload.model_dump(exclude_unset=True)
@@ -266,7 +266,7 @@ def make_tenant_crud_router_plus_sql(
     async def create_item(
         session: SqlSessionDep,  # type: ignore[name-defined]
         tenant_id: TenantId,
-        payload: Any = Body(...),
+        payload: create_schema = Body(...),
     ):
         svc = await _svc(session, tenant_id)
         if isinstance(payload, BaseModel):
@@ -282,7 +282,7 @@ def make_tenant_crud_router_plus_sql(
         item_id: Any,
         session: SqlSessionDep,  # type: ignore[name-defined]
         tenant_id: TenantId,
-        payload: Any = Body(...),
+        payload: update_schema = Body(...),
     ):
         svc = await _svc(session, tenant_id)
         if isinstance(payload, BaseModel):

svc_infra/api/fastapi/docs/scoped.py

@@ -65,11 +65,18 @@ def _close_over_component_refs(
 
 
 def _prune_to_paths(
-    full_schema: Dict, keep_paths: Dict[str, dict], title_suffix: Optional[str]
+    full_schema: Dict,
+    keep_paths: Dict[str, dict],
+    title_suffix: Optional[str],
+    server_prefix: Optional[str] = None,
 ) -> Dict:
     schema = copy.deepcopy(full_schema)
     schema["paths"] = keep_paths
 
+    # Set server URL for scoped docs
+    if server_prefix is not None:
+        schema["servers"] = [{"url": server_prefix}]
+
     used_tags: Set[str] = set()
     direct_refs: Set[Tuple[str, str]] = set()
     used_security_schemes: Set[str] = set()
@@ -124,7 +131,26 @@ def _build_filtered_schema(
     keep_paths = {
         p: v for p, v in paths.items() if _path_included(p, include_prefixes, exclude_prefixes)
     }
-    return _prune_to_paths(full_schema, keep_paths, title_suffix)
+
+    # Determine the server prefix for scoped docs
+    server_prefix = None
+    if include_prefixes and len(include_prefixes) == 1:
+        # Single include prefix = scoped docs
+        server_prefix = include_prefixes[0].rstrip("/") or "/"
+
+        # Strip prefix from paths to make them relative to the server
+        stripped_paths = {}
+        for path, spec in keep_paths.items():
+            if path.startswith(server_prefix) and path != server_prefix:
+                # Remove prefix, keeping the leading slash
+                relative_path = path[len(server_prefix) :]
+                stripped_paths[relative_path] = spec
+            else:
+                # Path equals prefix or doesn't start with it
+                stripped_paths[path] = spec
+        keep_paths = stripped_paths
+
+    return _prune_to_paths(full_schema, keep_paths, title_suffix, server_prefix=server_prefix)
 
 
 def _ensure_original_openapi_saved(app: FastAPI) -> None:
@@ -175,11 +201,23 @@ def add_prefixed_docs(
     auto_exclude_from_root: bool = True,
     visible_envs: Optional[Iterable[Environment | str]] = (LOCAL_ENV, DEV_ENV),
 ) -> None:
+    scope = prefix.rstrip("/") or "/"
+
+    # Always exclude from root if requested, regardless of environment
+    if auto_exclude_from_root:
+        _ensure_original_openapi_saved(app)
+        # Add to exclusion list for root docs
+        if not hasattr(app.state, "_scoped_root_exclusions"):
+            app.state._scoped_root_exclusions = []
+        if scope not in app.state._scoped_root_exclusions:
+            app.state._scoped_root_exclusions.append(scope)
+            _install_root_filter(app, app.state._scoped_root_exclusions)
+
+    # Only create scoped docs in allowed environments
     allow = _normalize_envs(visible_envs)
     if allow is not None and CURRENT_ENVIRONMENT not in allow:
         return
 
-    scope = prefix.rstrip("/") or "/"
     openapi_path = f"{scope}/openapi.json"
     swagger_path = f"{scope}/docs"
     redoc_path = f"{scope}/redoc"
@@ -211,9 +249,6 @@ def add_prefixed_docs(
 
     DOC_SCOPES.append((scope, swagger_path, redoc_path, openapi_path, title))
 
-    if auto_exclude_from_root:
-        _ensure_root_excludes_registered_scopes(app)
-
 
 def replace_root_openapi_with_exclusions(app: FastAPI, *, exclude_prefixes: List[str]) -> None:
     _install_root_filter(app, exclude_prefixes)

svc_infra/api/fastapi/setup.py

@@ -158,8 +158,7 @@ def _build_parent_app(
     root_server_url: str | None = None,
     root_include_api_key: bool = False,
 ) -> FastAPI:
-    show_root_docs = CURRENT_ENVIRONMENT in (LOCAL_ENV, DEV_ENV)
-
+    # Root docs are now enabled in all environments to match root card visibility
     parent = FastAPI(
         title=service.name,
         version=service.release,
@@ -167,9 +166,9 @@ def _build_parent_app(
         license_info=_dump_or_none(service.license),
         terms_of_service=service.terms_of_service,
         description=service.description,
-        docs_url=("/docs" if show_root_docs else None),
-        redoc_url=("/redoc" if show_root_docs else None),
-        openapi_url=("/openapi.json" if show_root_docs else None),
+        docs_url="/docs",
+        redoc_url="/redoc",
+        openapi_url="/openapi.json",
     )
 
     _setup_cors(parent, public_cors_origins)
@@ -247,14 +246,13 @@ def setup_service_api(
         cards: list[CardSpec] = []
         is_local_dev = CURRENT_ENVIRONMENT in (LOCAL_ENV, DEV_ENV)
 
-        if is_local_dev:
-            # Root card
-            cards.append(
-                CardSpec(
-                    tag="",
-                    docs=DocTargets(swagger="/docs", redoc="/redoc", openapi_json="/openapi.json"),
-                )
+        # Root card - always show in all environments
+        cards.append(
+            CardSpec(
+                tag="",
+                docs=DocTargets(swagger="/docs", redoc="/redoc", openapi_json="/openapi.json"),
             )
+        )
 
         # Version cards
         for spec in versions:

svc_infra/api/fastapi/versioned.py

@@ -0,0 +1,101 @@
+"""
+Utilities for capturing routers from add_* functions for versioned routing.
+
+This module provides helpers to use integration functions (add_banking, add_payments, etc.)
+under versioned routing without creating separate documentation cards.
+
+See: svc-infra/docs/versioned-integrations.md
+"""
+
+from __future__ import annotations
+
+from typing import Any, Callable, TypeVar
+from unittest.mock import patch
+
+from fastapi import APIRouter, FastAPI
+
+__all__ = ["extract_router"]
+
+T = TypeVar("T")
+
+
+def extract_router(
+    add_function: Callable[..., T],
+    *,
+    prefix: str,
+    **kwargs: Any,
+) -> tuple[APIRouter, T]:
+    """
+    Capture the router from an add_* function for versioned mounting.
+
+    This allows you to use integration functions like add_banking(), add_payments(),
+    etc. under versioned routing (e.g., /v0/banking) without creating separate
+    documentation cards.
+
+    Args:
+        add_function: The add_* function to capture from (e.g., add_banking)
+        prefix: URL prefix for the routes (e.g., "/banking")
+        **kwargs: Arguments to pass to the add_function
+
+    Returns:
+        Tuple of (router, return_value) where:
+        - router: The captured APIRouter with all routes
+        - return_value: The original return value from add_function (e.g., provider instance)
+
+    Example:
+        ```python
+        # In routers/v0/banking.py
+        from svc_infra.api.fastapi.versioned import extract_router
+        from fin_infra.banking import add_banking
+
+        router, banking_provider = extract_router(
+            add_banking,
+            prefix="/banking",
+            provider="plaid",
+            cache_ttl=60,
+        )
+
+        # svc-infra auto-discovers 'router' and mounts at /v0/banking
+        ```
+
+    Pattern:
+        1. Creates a mock FastAPI app
+        2. Intercepts include_router to capture the router
+        3. Patches add_prefixed_docs to prevent separate card creation
+        4. Calls the add_function which creates all routes
+        5. Returns the captured router for auto-discovery
+
+    See Also:
+        - docs/versioned-integrations.md: Full pattern documentation
+        - api/fastapi/dual/public.py: Similar pattern for dual routers
+    """
+    # Create mock app to capture router
+    mock_app = FastAPI()
+    captured_router: APIRouter | None = None
+
+    def _capture_router(router: APIRouter, **_kwargs: Any) -> None:
+        """Intercept include_router to capture instead of mount."""
+        nonlocal captured_router
+        captured_router = router
+
+    mock_app.include_router = _capture_router  # type: ignore[assignment]
+
+    # Patch add_prefixed_docs to prevent separate card (no-op if function doesn't call it)
+    def _noop_docs(*args: Any, **kwargs: Any) -> None:
+        pass
+
+    # Call add_function with patches active
+    with patch("svc_infra.api.fastapi.docs.scoped.add_prefixed_docs", _noop_docs):
+        result = add_function(
+            mock_app,
+            prefix=prefix,
+            **kwargs,
+        )
+
+    if captured_router is None:
+        raise RuntimeError(
+            f"Failed to capture router from {add_function.__name__}. "
+            f"The function may not call app.include_router()."
+        )
+
+    return captured_router, result

svc_infra/db/sql/templates/models_schemas/auth/models.py.tmpl

@@ -129,62 +129,13 @@ for _ix in make_unique_sql_indexes(
     # Registered with Table metadata (alembic/autogenerate will pick them up)
     pass
 
-# ------------------------------ Model: ProviderAccount -------------------------
-
-class ProviderAccount(ModelBase):
-    """
-    Links a local user to an external identity provider account.
-
-    - (provider, provider_account_id) is unique
-    - Optionally stores tokens for later API calls (refresh_token encrypted at rest)
-    """
-    __tablename__ = "provider_accounts"
-
-    id: Mapped[uuid.UUID] = mapped_column(GUID(), primary_key=True, default=uuid.uuid4)
-
-    user_id: Mapped[uuid.UUID] = mapped_column(
-        GUID(), ForeignKey("${auth_table_name}.id", ondelete="CASCADE"), nullable=False
-    )
-    user: Mapped["${AuthEntity}"] = relationship(
-        back_populates="provider_accounts",
-        lazy="selectin",
-    )
-
-    provider: Mapped[str] = mapped_column(String(50), nullable=False)               # "google"|"github"|"linkedin"|"microsoft"|...
-    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)   # sub/oid (OIDC) or id (github/linkedin)
-
-    # Optional token material
-    access_token: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
-
-    # Store encrypted refresh_token in the same column name for DB compatibility.
-    _refresh_token: Mapped[Optional[str]] = mapped_column("refresh_token", Text, nullable=True)
-
-    @property
-    def refresh_token(self) -> Optional[str]:
-        return _decrypt(self._refresh_token)
-
-    @refresh_token.setter
-    def refresh_token(self, value: Optional[str]) -> None:
-        self._refresh_token = _encrypt(value)
-
-    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
-    raw_claims: Mapped[Optional[dict]] = mapped_column(MutableDict.as_mutable(JSON), nullable=True)
-
-    created_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-    updated_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"),
-        onupdate=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-
-    __table_args__ = (
-        UniqueConstraint("provider", "provider_account_id", name="uq_provider_account"),
-        Index("ix_provider_accounts_user_id", "user_id"),
-    )
-
-    def __repr__(self) -> str:
-        return f"<ProviderAccount provider={self.provider!r} provider_account_id={self.provider_account_id!r} user_id={self.user_id}>"
+# NOTE: ProviderAccount model is imported from svc_infra.security.oauth_models
+# It's an opt-in OAuth model that links users to providers (Google, GitHub, etc.)
+# The relationship 'provider_accounts' is defined above in the ${AuthEntity} class.
+# To enable OAuth in your project:
+#   1. Set ALEMBIC_ENABLE_OAUTH=true in your .env
+#   2. Pass provider_account_model=ProviderAccount to add_auth_users()
+#   3. Import: from svc_infra.security.oauth_models import ProviderAccount
 
 # --- Auth service factory ------------------------------------------------------
 

svc_infra/db/sql/templates/setup/env_async.py.tmpl

@@ -6,13 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
-from sqlalchemy.ext.asyncio import create_async_engine
 
-from svc_infra.db.sql.utils import (
-    get_database_url_from_env,
-    _ensure_ssl_default_async as _ensure_ssl_default,
-)
+from svc_infra.db.sql.utils import get_database_url_from_env
 
 try:
     from svc_infra.db.sql.types import GUID as _GUID  # type: ignore
@@ -105,7 +102,6 @@ def _coerce_to_async(u: URL) -> URL:
 
 u = make_url(effective_url)
 u = _coerce_to_async(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 # feature flags
@@ -131,15 +127,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
-                md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
-                    found.append(md)
+                # Strict check: must be actual MetaData instance
+                if isinstance(val, MetaData) and val.tables:
+                    found.append(val)
         except Exception:
             pass
 
@@ -229,6 +226,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model
         try_autobind_apikey_model(require_env=False)
@@ -360,7 +372,9 @@ def _do_run_migrations(connection):
 
 async def run_migrations_online() -> None:
     url = config.get_main_option("sqlalchemy.url")
-    engine = create_async_engine(url)
+    # Use build_engine to ensure proper driver-specific handling (e.g., asyncpg SSL)
+    from svc_infra.db.sql.utils import build_engine
+    engine = build_engine(url)
     async with engine.connect() as connection:
         await connection.run_sync(_do_run_migrations)
     await engine.dispose()