From aa0ea91cb037626882e69d48ac18326509c9d027 Mon Sep 17 00:00:00 2001 From: Yuval Kashtan Date: Wed, 6 May 2026 20:55:57 +0000 Subject: [PATCH] [SAR] APPENG-5144: Add database SSL/TLS enforcement option Add DATABASE_REQUIRE_SSL setting that enables SSL for PostgreSQL connections when set to true. This ensures database traffic is encrypted in transit, protecting credentials and query data. Co-Authored-By: Claude Opus 4.6 (1M context) --- src/lightspeed_agent/config/settings.py | 4 ++++ src/lightspeed_agent/db/base.py | 2 ++ 2 files changed, 6 insertions(+) diff --git a/src/lightspeed_agent/config/settings.py b/src/lightspeed_agent/config/settings.py index d8565aa9..d19d2344 100644 --- a/src/lightspeed_agent/config/settings.py +++ b/src/lightspeed_agent/config/settings.py @@ -283,6 +283,10 @@ class Settings(BaseSettings): default=10, description="Maximum overflow connections beyond pool size", ) + database_require_ssl: bool = Field( + default=False, + description="Require SSL/TLS for PostgreSQL database connections", + ) # Session configuration: controls ADK session storage backend # Separate from marketplace DB for security isolation - each agent can have its own diff --git a/src/lightspeed_agent/db/base.py b/src/lightspeed_agent/db/base.py index 418440de..62a6fa30 100644 --- a/src/lightspeed_agent/db/base.py +++ b/src/lightspeed_agent/db/base.py @@ -48,6 +48,8 @@ def get_engine() -> AsyncEngine: else: engine_kwargs["pool_size"] = settings.database_pool_size engine_kwargs["max_overflow"] = settings.database_pool_max_overflow + if settings.database_require_ssl: + engine_kwargs["connect_args"] = {"ssl": True} _engine = create_async_engine(settings.database_url, **engine_kwargs) logger.info("Created database engine for %s", settings.database_url.split("@")[-1]) return _engine