From 6f1becf21fecb2520224b6ebda825619ed897f6f Mon Sep 17 00:00:00 2001
From: chihlasm <michael@chihlas.com>
Date: Fri, 10 Apr 2026 03:46:29 +0000
Subject: [PATCH] feat: add admin_engine and get_admin_db for BYPASSRLS admin
 endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 backend/app/core/admin_database.py | 36 ++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 backend/app/core/admin_database.py

diff --git a/backend/app/core/admin_database.py b/backend/app/core/admin_database.py
new file mode 100644
index 00000000..1e84a132
--- /dev/null
+++ b/backend/app/core/admin_database.py
@@ -0,0 +1,36 @@
+# backend/app/core/admin_database.py
+"""
+Admin database engine — connects as resolutionflow_admin (BYPASSRLS).
+
+Use ONLY for /admin/* endpoints and internal tooling.
+Never use this engine from user-facing endpoints.
+"""
+from collections.abc import AsyncGenerator
+
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+
+from app.core.config import settings
+
+admin_engine = create_async_engine(
+    settings.ADMIN_DATABASE_URL,
+    echo=settings.DEBUG,
+    future=True,
+)
+
+_admin_session_factory = async_sessionmaker(
+    admin_engine,
+    class_=AsyncSession,
+    expire_on_commit=False,
+)
+
+
+async def get_admin_db() -> AsyncGenerator[AsyncSession, None]:
+    """Yield an admin DB session (BYPASSRLS). Use only on /admin/* endpoints."""
+    async with _admin_session_factory() as session:
+        try:
+            yield session
+        except Exception:
+            await session.rollback()
+            raise
+        finally:
+            await session.close()