From 84146ea67a163dc0ef30774baf04bf1a2b7f6302 Mon Sep 17 00:00:00 2001
From: Jason Staack <jason@staack.com>
Date: Sun, 15 Mar 2026 07:02:18 -0500
Subject: [PATCH] fix(ci): use app_engine for get_db override to preserve RLS
 enforcement

get_db must use app_engine (non-superuser, RLS enforced) so tenant
isolation tests work correctly. get_admin_db uses admin_engine.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 backend/tests/integration/conftest.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/backend/tests/integration/conftest.py b/backend/tests/integration/conftest.py
index fcaa3c0..69c40cc 100644
--- a/backend/tests/integration/conftest.py
+++ b/backend/tests/integration/conftest.py
@@ -292,12 +292,17 @@ async def test_app(admin_engine, app_engine):
 
     setup_rate_limiting(app)
 
-    test_session_factory = async_sessionmaker(
+    # get_db uses app_engine (RLS-enforced) so tenant isolation is tested correctly
+    test_app_session_factory = async_sessionmaker(
+        app_engine, class_=AsyncSession, expire_on_commit=False
+    )
+    # get_admin_db uses admin_engine (superuser) for auth/bootstrap routes
+    test_admin_session_factory = async_sessionmaker(
         admin_engine, class_=AsyncSession, expire_on_commit=False
     )
 
     async def override_get_db() -> AsyncGenerator[AsyncSession, None]:
-        async with test_session_factory() as session:
+        async with test_app_session_factory() as session:
             try:
                 yield session
                 await session.commit()
@@ -306,7 +311,7 @@ async def test_app(admin_engine, app_engine):
                 raise
 
     async def override_get_admin_db() -> AsyncGenerator[AsyncSession, None]:
-        async with test_session_factory() as session:
+        async with test_admin_session_factory() as session:
             try:
                 yield session
                 await session.commit()