refactor: align backend layout and supabase infra

Consolidate backend modules/tests under the backend package while syncing Supabase compose/env config and related plans.

backend/alembic/README.md

@@ -0,0 +1 @@
+Generic single-database configuration.

backend/alembic/alembic.ini

@@ -0,0 +1,149 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts.
+# this is typically a path given in POSIX (e.g. forward slashes)
+# format, relative to the token %(here)s which refers to the location of this
+# ini file
+script_location = %(here)s
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
+# for all available tokens
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+# Or organize into date-based subdirectories (requires recursive_version_locations = true)
+# file_template = %%(year)d/%%(month).2d/%%(day).2d_%%(hour).2d%%(minute).2d_%%(second).2d_%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.  for multiple paths, the path separator
+# is defined by "path_separator" below.
+prepend_sys_path = .
+
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the tzdata library which can be installed by adding
+# `alembic[tz]` to the pip requirements.
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to <script_location>/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "path_separator"
+# below.
+# version_locations = %(here)s/bar:%(here)s/bat:%(here)s/alembic/versions
+
+# path_separator; This indicates what character is used to split lists of file
+# paths, including version_locations and prepend_sys_path within configparser
+# files such as alembic.ini.
+# The default rendered in new alembic.ini files is "os", which uses os.pathsep
+# to provide os-dependent path splitting.
+#
+# Note that in order to support legacy alembic.ini files, this default does NOT
+# take place if path_separator is not present in alembic.ini.  If this
+# option is omitted entirely, fallback logic is as follows:
+#
+# 1. Parsing of the version_locations option falls back to using the legacy
+#    "version_path_separator" key, which if absent then falls back to the legacy
+#    behavior of splitting on spaces and/or commas.
+# 2. Parsing of the prepend_sys_path option falls back to the legacy
+#    behavior of splitting on spaces, commas, or colons.
+#
+# Valid values for path_separator are:
+#
+# path_separator = :
+# path_separator = ;
+# path_separator = space
+# path_separator = newline
+#
+# Use os.pathsep. Default configuration used for new projects.
+path_separator = os
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+# database URL.  This is consumed by the user-maintained env.py script only.
+# other means of configuring database URLs may be customized within the env.py
+# file.
+sqlalchemy.url = driver://user:pass@localhost/dbname
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the module runner, against the "ruff" module
+# hooks = ruff
+# ruff.type = module
+# ruff.module = ruff
+# ruff.options = check --fix REVISION_SCRIPT_FILENAME
+
+# Alternatively, use the exec runner to execute a binary found on your PATH
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = ruff
+# ruff.options = check --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration.  This is also consumed by the user-maintained
+# env.py script only.
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARNING
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARNING
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

backend/alembic/env.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+import asyncio
+import sys
+from logging.config import fileConfig
+from pathlib import Path
+from typing import TYPE_CHECKING, Any
+
+from alembic import context
+from sqlalchemy import pool
+from sqlalchemy.ext.asyncio import async_engine_from_config
+
+project_root = Path(__file__).resolve().parents[1]
+src_path = project_root / "src"
+if str(src_path) not in sys.path:
+    sys.path = [str(src_path), *sys.path]
+
+from core.config.settings import config  # noqa: E402
+from core.db.base import Base  # noqa: E402
+from models import Profile  # noqa: F401,E402
+
+if TYPE_CHECKING:
+    from sqlalchemy.engine import Connection
+
+alembic_config = context.config
+
+if alembic_config.config_file_name is not None:
+    fileConfig(alembic_config.config_file_name)
+
+target_metadata = Base.metadata
+
+
+def _get_database_url() -> str:
+    database_url = config.database_url
+    if not database_url:
+        raise RuntimeError(
+            "DATABASE_URL is not configured. Set SOCIAL_INFRA__SUPABASE__DATABASE_URL."
+        )
+    return database_url
+
+
+def _build_config() -> dict[str, Any]:
+    section = alembic_config.get_section(alembic_config.config_ini_section) or {}
+    return {**section, "sqlalchemy.url": _get_database_url()}
+
+
+def run_migrations_offline() -> None:
+    url = _get_database_url()
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        compare_type=True,
+        compare_server_default=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def _do_run_migrations(connection: "Connection" | Any) -> None:
+    context.configure(
+        connection=connection,
+        target_metadata=target_metadata,
+        compare_type=True,
+        compare_server_default=True,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+async def run_migrations_online() -> None:
+    connectable = async_engine_from_config(
+        _build_config(),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    async with connectable.connect() as connection:
+        await connection.run_sync(_do_run_migrations)
+
+    await connectable.dispose()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    asyncio.run(run_migrations_online())

backend/alembic/script.py.mako

@@ -0,0 +1,28 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, Sequence[str], None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    ${downgrades if downgrades else "pass"}

backend/alembic/versions/20260205_create_profiles_table.py

@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+
+revision = "20260205_create_profiles_table"
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "profiles",
+        sa.Column("id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column("username", sa.String(length=30), nullable=False),
+        sa.Column("display_name", sa.String(length=50), nullable=True),
+        sa.Column("avatar_url", sa.Text(), nullable=True),
+        sa.Column("bio", sa.String(length=200), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint("id", name="pk_profiles"),
+        sa.UniqueConstraint("username", name="uq_profiles_username"),
+    )
+    op.create_index("ix_profiles_username", "profiles", ["username"])
+    op.create_index("ix_profiles_deleted_at", "profiles", ["deleted_at"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_profiles_deleted_at", table_name="profiles")
+    op.drop_index("ix_profiles_username", table_name="profiles")
+    op.drop_table("profiles")

backend/alembic/versions/85d25a191d06_enable_rls_security_policies.py

@@ -0,0 +1,86 @@
+"""enable_rls_security_policies
+
+Revision ID: 85d25a191d06
+Revises: 20260205_create_profiles_table
+Create Date: 2026-02-05 15:08:33.430692
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+
+
+# revision identifiers, used by Alembic.
+revision: str = "85d25a191d06"
+down_revision: Union[str, Sequence[str], None] = "20260205_create_profiles_table"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Enable RLS security policies.
+
+    Security measures:
+    1. Revoke anon role access to alembic_version (internal table)
+    2. Enable RLS on profiles table
+    3. Add defensive policies for profiles (deny all public access by default)
+
+    Architecture:
+    - Backend uses service_role connection (bypasses RLS)
+    - RLS provides defense-in-depth security layer
+    - Prevents accidental direct PostgREST access
+    """
+
+    # 1. Revoke anon role access to alembic_version table
+    op.execute("REVOKE ALL ON TABLE public.alembic_version FROM anon")
+    op.execute("REVOKE ALL ON TABLE public.alembic_version FROM authenticated")
+
+    # 2. Enable RLS on profiles table
+    op.execute("ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY")
+
+    # 3. Add defensive policies for profiles table
+    # These policies deny all public access by default
+    # Backend service_role connection bypasses these policies
+
+    # Deny all SELECT operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_select ON public.profiles "
+        "FOR SELECT TO anon, authenticated USING (false)"
+    )
+
+    # Deny all INSERT operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_insert ON public.profiles "
+        "FOR INSERT TO anon, authenticated WITH CHECK (false)"
+    )
+
+    # Deny all UPDATE operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_update ON public.profiles "
+        "FOR UPDATE TO anon, authenticated USING (false) WITH CHECK (false)"
+    )
+
+    # Deny all DELETE operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_delete ON public.profiles "
+        "FOR DELETE TO anon, authenticated USING (false)"
+    )
+
+
+def downgrade() -> None:
+    """Rollback RLS security policies."""
+
+    # 1. Drop all policies on profiles table
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_select ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_insert ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_update ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_delete ON public.profiles")
+
+    # 2. Disable RLS on profiles table
+    op.execute("ALTER TABLE public.profiles DISABLE ROW LEVEL SECURITY")
+
+    # 3. Re-grant default privileges to anon role on alembic_version
+    # (reverting to Alembic's default behavior)
+    op.execute("GRANT SELECT ON TABLE public.alembic_version TO anon")
+    op.execute("GRANT SELECT ON TABLE public.alembic_version TO authenticated")