diff --git a/alembic/versions/002_better_auth_tables.py b/alembic/versions/002_better_auth_tables.py
index 169ed38..efa283f 100644
--- a/alembic/versions/002_better_auth_tables.py
+++ b/alembic/versions/002_better_auth_tables.py
@@ -25,16 +25,14 @@ def upgrade() -> None:
     inspector = sa.inspect(conn)
 
     # --- Extend users table for Better-Auth compatibility ---
-    existing_user_cols = (
-        [c["name"] for c in inspector.get_columns("users")]
-        if inspector.has_table("users")
-        else []
-    )
-
-    if "email_verified" not in existing_user_cols:
-        op.add_column("users", sa.Column("email_verified", sa.Boolean(), nullable=False, server_default="false"))
-    if "image" not in existing_user_cols:
-        op.add_column("users", sa.Column("image", sa.Text(), nullable=True))
+    # Guard: on a fresh DB Base.metadata.create_all (called in env.py after migrations)
+    # creates the users table with all columns, so migration 002 must not re-run add_column.
+    if inspector.has_table("users"):
+        existing_user_cols = [c["name"] for c in inspector.get_columns("users")]
+        if "email_verified" not in existing_user_cols:
+            op.add_column("users", sa.Column("email_verified", sa.Boolean(), nullable=False, server_default="false"))
+        if "image" not in existing_user_cols:
+            op.add_column("users", sa.Column("image", sa.Text(), nullable=True))
 
     # --- Create sessions table ---
     if not inspector.has_table("sessions"):
diff --git a/alembic/versions/005_add_email_inbound_token.py b/alembic/versions/005_add_email_inbound_token.py
index 4fb7c2c..c5cc2a9 100644
--- a/alembic/versions/005_add_email_inbound_token.py
+++ b/alembic/versions/005_add_email_inbound_token.py
@@ -18,6 +18,15 @@ depends_on = None
 
 
 def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    # Guard: on a fresh DB Base.metadata.create_all creates users table with the column already present
+    if not inspector.has_table("users"):
+        return
+    existing_cols = [c["name"] for c in inspector.get_columns("users")]
+    if "email_inbound_token" in existing_cols:
+        return
+
     # Add column nullable first so existing rows can be backfilled
     op.add_column(
         "users",
@@ -25,11 +34,10 @@ def upgrade() -> None:
     )
 
     # Backfill existing users with unique tokens
-    connection = op.get_bind()
-    result = connection.execute(sa.text("SELECT id FROM users WHERE email_inbound_token IS NULL"))
+    result = conn.execute(sa.text("SELECT id FROM users WHERE email_inbound_token IS NULL"))
     for (user_id,) in result:
         token = secrets.token_urlsafe(16)
-        connection.execute(
+        conn.execute(
             sa.text("UPDATE users SET email_inbound_token = :token WHERE id = :id"),
             {"token": token, "id": user_id},
         )
diff --git a/alembic/versions/006_email_inbound_token_server_default.py b/alembic/versions/006_email_inbound_token_server_default.py
index ac1c678..e090016 100644
--- a/alembic/versions/006_email_inbound_token_server_default.py
+++ b/alembic/versions/006_email_inbound_token_server_default.py
@@ -15,6 +15,16 @@ depends_on = None
 
 
 def upgrade() -> None:
+    conn = op.get_bind()
+    inspector = sa.inspect(conn)
+    # Guard: on a fresh DB Base.metadata.create_all already sets the server_default
+    if not inspector.has_table("users"):
+        return
+    cols = {c["name"]: c for c in inspector.get_columns("users")}
+    if "email_inbound_token" not in cols:
+        return
+    if cols["email_inbound_token"].get("default") is not None:
+        return
     op.alter_column(
         "users",
         "email_inbound_token",