Problem Statement
quantara/web_app/alembic.ini:53 contains sqlalchemy.url = driver://user:pass@localhost/dbname — a literal placeholder never configured for any environment. alembic/env.py does not read from environment variables to override this.
Evidence
# quantara/web_app/alembic.ini line 53
sqlalchemy.url = driver://user:pass@localhost/dbname
alembic/env.py has no os.getenv("DB_HOST") or similar override.
Impact
High — migration safety risk. If the runtime override mechanism fails, Alembic tries connecting to localhost with user:pass — this could corrupt a real database or fail silently in CI. The valid-looking URL is also a security scanner false-positive risk.
Proposed Solution
Update alembic/env.py to construct database URL from the same env vars used by database.py (DB_USER, DB_PASSWORD, DB_HOST, DB_PORT, DB_NAME). Set alembic.ini sqlalchemy.url to REPLACE_ME sentinel.
Acceptance Criteria
- alembic/env.py constructs DB URL from DB_USER, DB_PASSWORD, DB_HOST, DB_PORT, DB_NAME
- alembic.ini sqlalchemy.url set to REPLACE_ME (not a valid URL)
- docker exec backend_dev alembic upgrade head succeeds
File Map
quantara/web_app/alembic.ini:53 — replace placeholder with REPLACE_ME
quantara/web_app/alembic/env.py — add env-based URL construction
Testing Strategy
- Unit: Test URL construction with valid, partial, and missing env vars
- Integration: Run alembic upgrade head and alembic downgrade -1 in test database
- Manual: Unset DB_HOST, run alembic, verify clear error
Security Considerations
Fixes configuration weakness. Sentinel value (REPLACE_ME) ensures fail-fast: if env override doesn't run, Alembic immediately errors rather than silently connecting to localhost.
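Added example (not code from the quantara repo) of the env-based URL construction described under Proposed Solution together with the fail-fast sentinel check from Security Considerations. The driver prefix postgresql+psycopg2, the default port 5432, the password redaction helper and the _StubConfig class are assumptions made here for illustration; in a real env.py, config would be alembic.context.config and configure_alembic would be called before run_migrations_online() builds its engine.

```python
import os
import re
from urllib.parse import quote_plus

# Env vars named in the issue (the same ones database.py reads).
REQUIRED_VARS = ("DB_USER", "DB_PASSWORD", "DB_HOST", "DB_NAME")
DEFAULT_PORT = "5432"           # assumed default; DB_PORT overrides it
SENTINEL = "REPLACE_ME"         # the non-URL value alembic.ini should carry
DRIVER = "postgresql+psycopg2"  # assumed dialect; the issue does not name one


def build_database_url(env=None):
    """Build the SQLAlchemy URL from env vars; raise before any connection if one is missing."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError(
            "Refusing to run migrations: missing env vars " + ", ".join(missing)
        )
    port = env.get("DB_PORT") or DEFAULT_PORT
    if not port.isdigit():
        raise RuntimeError(f"DB_PORT must be numeric, got {port!r}")
    # Percent-encode credentials so '@', '/' or ':' inside a password cannot
    # be misparsed as part of the host or database name.
    user = quote_plus(env["DB_USER"])
    password = quote_plus(env["DB_PASSWORD"])
    return f"{DRIVER}://{user}:{password}@{env['DB_HOST']}:{port}/{env['DB_NAME']}"


def redact_url(url):
    """Mask the password so the resolved URL can be logged safely."""
    return re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", url)


def configure_alembic(config, env=None):
    """Apply the env-built URL to Alembic's Config object (call this from env.py).

    `config` is alembic.context.config, or any object exposing
    get_main_option / set_main_option. Refuses to proceed if alembic.ini
    carries anything other than the sentinel, so a connectable placeholder
    cannot creep back into the ini file unnoticed.
    """
    ini_value = config.get_main_option("sqlalchemy.url") or ""
    if ini_value != SENTINEL:
        raise RuntimeError(
            f"alembic.ini sqlalchemy.url must be {SENTINEL!r}, found {redact_url(ini_value)!r}"
        )
    url = build_database_url(env)
    # set_main_option runs configparser interpolation, so every literal '%'
    # produced by percent-encoding must be doubled or Alembic raises.
    config.set_main_option("sqlalchemy.url", url.replace("%", "%%"))
    return url


class _StubConfig:
    """Minimal stand-in for alembic's Config, used only to exercise configure_alembic offline."""

    def __init__(self, ini_url):
        self.options = {"sqlalchemy.url": ini_url}

    def get_main_option(self, name):
        return self.options.get(name)

    def set_main_option(self, name, value):
        self.options[name] = value


if __name__ == "__main__":
    # Constructed sample environment; not real credentials.
    sample_env = {
        "DB_USER": "app",
        "DB_PASSWORD": "p@ss/w:rd",
        "DB_HOST": "db.internal",
        "DB_PORT": "5433",
        "DB_NAME": "quantara",
    }
    print(redact_url(configure_alembic(_StubConfig(SENTINEL), sample_env)))
    try:
        configure_alembic(_StubConfig(SENTINEL), {"DB_USER": "app"})
    except RuntimeError as exc:
        print("fail-fast:", exc)
```

The unit-level cases in the Testing Strategy (valid, partial and missing env vars) map directly onto build_database_url with a dict in place of os.environ; the manual "unset DB_HOST" check is the same RuntimeError path, raised before any engine is created.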
Definition of Done
Labels: security, quick-win
Priority: High
Difficulty: Beginner
Estimated Effort: 0.5h