fix: remove unauthenticated test scaffold endpoints from backend #304

Closed
andeplane wants to merge 1 commit into main from fix/remove-test-endpoints-301

@andeplane
Owner

Fixes #301

Problem

The backend shipped with scaffold /test endpoints that were never removed:

  • POST /test — unauthenticated writes to the database
  • GET /test — unauthenticated reads from the database

These were registered unconditionally in main.py and exposed in production.

Fix

Full removal of all scaffold code:

  • Deleted routers/test.py
  • Removed test router wiring from main.py and routers/__init__.py
  • Removed TestRecord imports from db/database.py and migrations/env.py
  • Deleted the initial_test_schema migration (created only the test_records table)

The /health endpoint is untouched.
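
A regression guard for the problem described above, as an added example that is not part of the pull request or the project's code: it statically scans an entry-point module for FastAPI `include_router` calls that carry no `dependencies=` and are not on a public allow-list. The sample source, the `require_user` dependency, the `jobs_router` name and the allow-list are assumptions; routers that enforce auth per route or inside `APIRouter(...)` would need to be allow-listed or checked separately.

```python
import ast

# Constructed sample resembling a FastAPI entry point; not the project's main.py.
SAMPLE_MAIN = '''
from fastapi import Depends, FastAPI
from .auth import require_user          # hypothetical auth dependency
from .routers import health_router, jobs_router, test_router

app = FastAPI()
app.include_router(health_router)
app.include_router(jobs_router, dependencies=[Depends(require_user)])
app.include_router(test_router)
'''

# Routers that are intentionally public (assumption for this example).
PUBLIC_ROUTERS = {"health_router"}


def unguarded_routers(source: str, public: set[str] = PUBLIC_ROUTERS) -> list[tuple[str, int]]:
    """Return (router, line) for include_router calls lacking dependencies= and not allow-listed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "include_router"
                and node.args):
            continue
        router = ast.unparse(node.args[0])
        deps = next((kw.value for kw in node.keywords if kw.arg == "dependencies"), None)
        # Only a non-empty list/tuple literal counts; anything else is flagged for review.
        has_deps = isinstance(deps, (ast.List, ast.Tuple)) and len(deps.elts) > 0
        if router not in public and not has_deps:
            findings.append((router, node.lineno))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line in unguarded_routers(SAMPLE_MAIN):
        print(f"line {line}: {name} is registered without dependencies=")
```

Run as a CI step against the real entry point, a non-empty result fails the build before a scaffold router reaches production.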

@gemini-code-assist
Contributor

Summary of Changes

Hello @andeplane, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security and cleanup task by fully removing unauthenticated /test endpoints and all related scaffold code from the backend. These endpoints, which were inadvertently shipped, allowed direct, unauthenticated database interactions. The removal ensures a more secure and streamlined application by eliminating unnecessary and potentially vulnerable components.

Highlights

  • Removal of Unauthenticated Test Endpoints: The /test endpoints, which allowed unauthenticated reads and writes to the database, have been completely removed from the backend.
  • Cleanup of Scaffold Code: All associated scaffold code, including the TestRecord model, its imports, and the initial test schema migration, has been deleted.
  • Enhanced Security: This change eliminates a potential security vulnerability by removing endpoints that could be exploited for unauthorized database access.

Changelog

  • backend/migrations/env.py
    • Removed the import statement for TestRecord.
  • backend/migrations/versions/20251222_1017_2da813b175f0_initial_test_schema.py
    • Deleted the migration file that created the test_records table.
  • backend/src/atomify_api/db/database.py
    • Removed the import statement for TestRecord.
  • backend/src/atomify_api/main.py
    • Removed the import for test_router.
    • Removed the inclusion of test_router in the FastAPI application.
  • backend/src/atomify_api/routers/__init__.py
    • Removed the import for test_router.
    • Removed test_router from the __all__ export list.
  • backend/src/atomify_api/routers/test.py
    • Deleted the entire file containing the TestRecord model and /test endpoints.

Activity

  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request successfully removes all unauthenticated test scaffold endpoints and their associated code from the backend. The changes correctly delete the routers/test.py file, remove references to TestRecord in backend/migrations/env.py and backend/src/atomify_api/db/database.py, and update backend/src/atomify_api/main.py and backend/src/atomify_api/routers/__init__.py to no longer include the test router. Additionally, the initial_test_schema migration file has been removed. The changes are clean and directly address the problem of exposed test endpoints, enhancing the security and cleanliness of the codebase.

Fixes #301

The /test POST and GET endpoints allowed unauthenticated access to the
database. This removes all scaffold leftovers:

- Delete backend/src/atomify_api/routers/test.py
- Remove test router import and include_router from main.py
- Remove test_router export from routers/__init__.py
- Remove TestRecord import from db/database.py
- Remove TestRecord import from migrations/env.py
- Delete the initial_test_schema migration (test_records table only)
@andeplane andeplane force-pushed the fix/remove-test-endpoints-301 branch from 9a6db9c to 441909c Compare February 26, 2026 14:02
@andeplane
Owner Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly removes unauthenticated test scaffold endpoints, which is a critical security improvement. The removal of the test router, model, and associated code is thorough. My only suggestion for improvement relates to the database migration strategy. I've left a comment on the deleted migration file explaining why creating a new migration to drop the table is a safer practice than deleting the old migration file, to ensure the integrity of the database schema history across different environments.

I am having trouble creating individual review comments. Click here to see my feedback.

backend/migrations/versions/20251222_1017_2da813b175f0_initial_test_schema.py (1-37)

high

Deleting an Alembic migration file is generally discouraged if it has been applied to any database environment. This can cause issues with future alembic commands because the database's version history will reference a migration file that no longer exists.

A safer and more robust approach is to create a new migration that reverses the changes. In this case, a new migration could drop the test_records table.

Example of a new migration's upgrade and downgrade functions:

from alembic import op
import sqlalchemy as sa
import sqlmodel


def upgrade() -> None:
    # Drop the scaffold table instead of deleting the migration that created it
    op.drop_table('test_records')


def downgrade() -> None:
    # Recreate table if needed for rollback
    op.create_table('test_records',
        sa.Column('id', sa.Integer(), nullable=False),
        sa.Column('message', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
        sa.Column('created_at', sa.DateTime(), nullable=False),
        sa.PrimaryKeyConstraint('id')
    )

This preserves the migration history and ensures schema changes are applied consistently. If you are absolutely certain this migration has not been run on any persistent database, then deleting the file is acceptable. Otherwise, please consider this alternative approach.
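
One way to test the "has this migration been run anywhere" condition raised in the review above, as an added example that is not part of the pull request or the project's code: it compares the revision stamped in a database's `alembic_version` table against the revision chain parsed from the migration files. The file names and revision ids are constructed, and SQLite stands in for whatever database the deployment uses.

```python
import re
import sqlite3

# Header lines Alembic writes: revision = '...' or revision: str = '...'
REVISION_RE = re.compile(r"^revision(?:\s*:\s*str)?\s*=\s*['\"](\w+)['\"]", re.M)
DOWN_RE = re.compile(r"^down_revision(?:\s*:[^=\n]+)?\s*=\s*['\"](\w+)['\"]", re.M)
# Constructed migration files and revision ids (not the project's).
FILES = {
    "0001_initial_test_schema.py": "revision: str = 'aaaa00000001'\ndown_revision: Union[str, None] = None\n",
    "0002_add_jobs.py": "revision: str = 'bbbb00000002'\ndown_revision: Union[str, None] = 'aaaa00000001'\n",
}


def parse_revisions(files):
    """Map revision id -> down_revision id (None for the base revision)."""
    graph = {}
    for text in files.values():
        rev, down = REVISION_RE.search(text), DOWN_RE.search(text)
        if rev:
            graph[rev.group(1)] = down.group(1) if down else None
    return graph


def stamped_revisions(conn):
    """Revision ids recorded in alembic_version; empty if Alembic never ran here."""
    try:
        return {row[0] for row in conn.execute("SELECT version_num FROM alembic_version")}
    except sqlite3.OperationalError:  # no alembic_version table
        return set()


def deletion_problems(conn, files, target):
    """Reasons why deleting the file for revision `target` breaks this database or the chain."""
    graph, problems = parse_revisions(files), []
    for stamped in sorted(stamped_revisions(conn)):
        rev, seen = stamped, set()
        while rev is not None and rev not in seen:  # walk back towards the base
            if rev == target:
                problems.append(f"database is stamped {stamped}, which includes {target}")
                break
            seen.add(rev)
            rev = graph.get(rev)
    children = sorted(r for r, down in graph.items() if down == target)
    if children:
        problems.append(f"{', '.join(children)} lists {target} as down_revision")
    return problems


if __name__ == "__main__":
    print(deletion_problems(sqlite3.connect(":memory:"), FILES, "aaaa00000001"))
```

An empty list for every persistent environment is the precondition for deleting the file; any entry means the drop-table migration is the safer route.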

@andeplane andeplane closed this Feb 26, 2026

Development

Successfully merging this pull request may close these issues.

Backend scaffold test endpoints exposed in production without authentication