fix(security): fix alembic.ini placeholder database URL (#44)

[demilade18-git]

Summary

Resolves #44 — the alembic.ini had a literal placeholder URL (driver://user:pass@localhost/dbname) that posed a security scanner false-positive risk and could silently connect to wrong hosts if the env-var override path failed.

Changes

• quantara/web_app/alembic.ini: Replaced sqlalchemy.url = driver://user:pass@localhost/dbname with sqlalchemy.url = REPLACE_ME sentinel — an invalid URL that guarantees Alembic fails fast if the env-var override path is ever skipped.

• quantara/web_app/alembic/env.py: Replaced the import of get_database_url() with a self-contained _build_db_url() that:

  • Reads DB_USER, DB_PASSWORD, DB_HOST, DB_PORT, DB_NAME from environment
  • Raises RuntimeError with a clear list of missing variables when any required var is absent
  • Defaults DB_PORT to 5432

• quantara/web_app/tests/test_alembic_env.py (new): 4 unit tests covering correct URL construction, default port fallback, the sentinel value assertion, and presence of all components in the URL.

How CI passes

CI sets DB_HOST=localhost, DB_USER=postgres, DB_PASSWORD=password, DB_NAME=quantara as env vars. _build_db_url() finds all required vars and constructs postgresql://postgres:password@localhost:5432/quantara. The migration round-trip test and alembic upgrade head step both work correctly.

Test plan

• test_alembic_ini_sentinel_value — asserts placeholder is gone and REPLACE_ME is present
• test_get_database_url_constructs_correctly — full URL with all vars
• test_get_database_url_default_port — port defaults to 5432
• test_get_database_url_includes_all_components — each component in URL

Closes #44

🤖 Generated with Claude Code

[YaronZaki]

LGTM