initial commit. phase 1 complete

backend/apps/core/apps.py

@@ -0,0 +1,52 @@
+"""
+Core app configuration.
+
+Connects a post_migrate signal to enable PostgreSQL Row-Level Security
+on the core_node table. The policy is permissive for now (allow all);
+Phase 2+ can tighten it for multi-user support.
+"""
+
+import logging
+
+from django.apps import AppConfig
+
+logger = logging.getLogger(__name__)
+
+
+class CoreConfig(AppConfig):
+    name = "apps.core"
+    verbose_name = "Infrastructure Core"
+    default_auto_field = "django.db.models.BigAutoField"
+
+    def ready(self) -> None:
+        from django.db.models.signals import post_migrate
+
+        post_migrate.connect(_enable_node_rls, sender=self)
+
+
+def _enable_node_rls(sender: AppConfig, **kwargs: object) -> None:
+    """Enable PostgreSQL RLS on the node table after migrations complete."""
+    from django.db import connection
+    from django.db.utils import OperationalError, ProgrammingError
+
+    try:
+        with connection.cursor() as cursor:
+            # Bail out early if core_node doesn't exist yet (fires before core migrations)
+            cursor.execute(
+                "SELECT EXISTS ("
+                "  SELECT 1 FROM information_schema.tables WHERE table_name = 'core_node'"
+                ");"
+            )
+            row = cursor.fetchone()
+            if row is None or not row[0]:
+                return
+            cursor.execute("ALTER TABLE core_node ENABLE ROW LEVEL SECURITY;")
+            cursor.execute(
+                "DO $$ BEGIN "
+                "  IF NOT EXISTS (SELECT 1 FROM pg_policies WHERE tablename = 'core_node' AND policyname = 'allow_all_for_now') THEN "
+                "    CREATE POLICY allow_all_for_now ON core_node USING (true) WITH CHECK (true); "
+                "  END IF; "
+                "END $$;"
+            )
+    except (OperationalError, ProgrammingError):
+        logger.debug("core_node table not yet available for RLS setup; will apply on next migrate.")