Skip to content

Comments

Revert "fix: scope sub_agent_skills unique constraint to tenant/project/agent"#2205

Merged
amikofalvy merged 1 commit intomainfrom
revert-2190-fix/sub-agent-skills-unique-constraint
Feb 20, 2026
Merged

Revert "fix: scope sub_agent_skills unique constraint to tenant/project/agent"#2205
amikofalvy merged 1 commit intomainfrom
revert-2190-fix/sub-agent-skills-unique-constraint

Conversation

@amikofalvy
Copy link
Collaborator

@amikofalvy amikofalvy commented Feb 20, 2026

Reverts #2190

@vercel
Copy link

vercel bot commented Feb 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agents-api Ready Ready Preview, Comment Feb 20, 2026 2:14am
agents-docs Ready Ready Preview, Comment Feb 20, 2026 2:14am
agents-manage-ui Ready Ready Preview, Comment Feb 20, 2026 2:14am

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Feb 20, 2026

⚠️ No Changeset found

Latest commit: d9508f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@amikofalvy amikofalvy merged commit 1c5138d into main Feb 20, 2026
4 of 9 checks passed
@amikofalvy amikofalvy deleted the revert-2190-fix/sub-agent-skills-unique-constraint branch February 20, 2026 02:10
claude[bot]
claude bot reviewed Feb 20, 2026
View reviewed changes
Copy link
Contributor

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Review Summary

(3) Total Issues | Risk: Medium

⚠️ Post-merge review — This PR was already merged. The findings below are for documentation and potential follow-up actions.

🟠⚠️ Major (2) 🟠⚠️

🟠 1) manage-schema.ts:293 Multi-tenant isolation regression risk

Issue: The unique constraint on sub_agent_skills reverts from (tenantId, projectId, agentId, subAgentId, skillId) to (subAgentId, skillId). Since subAgentId is scoped to tenant/project/agent (per the sub_agents table's PK at line 240), this narrower constraint could cause cross-tenant collisions.

Why: The original fix (PR #2190) addressed a multi-tenancy isolation bug where different tenants using the same sub-agent ID + skill ID combination would conflict. With this revert:

  • Tenant A creates (subAgentId: "helper", skillId: "coding")
  • Tenant B attempts same combination → unique constraint violation

This violates multi-tenant isolation where each tenant's data should be independent.

Fix: If there were operational issues with the original fix (migration failures, data conflicts), consider:

  1. Identifying and resolving the root cause
  2. Re-applying the fix with a new migration
  3. Or documenting why the narrower constraint is acceptable (e.g., if subAgentIds are UUID-generated and effectively unique)

Refs:

  • sub_agents PKsubAgentId is (tenantId, projectId, agentId) scoped
  • Original fix: PR #2190

🟠 2) 0010_oval_angel.sql (deleted) Migration deletion may cause schema drift

Issue: Deleting migration file 0010 rather than creating a rollback migration (0011) violates the data-model-changes rule: "NEVER manually delete migration files — use pnpm db:drop" and "create new migrations instead of editing/deleting existing ones".

Why: If migration 0010 was applied to any environment (staging, production) before this revert merged:

  • Those environments have the broader constraint (tenantId, projectId, agentId, subAgentId, skillId)
  • The codebase now expects the narrower constraint (subAgentId, skillId)
  • Running pnpm db:migrate will not detect or fix this drift
  • Future migrations may fail due to constraint name conflicts

Fix: Verify environment state:

  1. Check if migration 0010 was deployed to production
  2. If yes, create migration 0011 to explicitly revert the constraint: 
    ALTER TABLE "sub_agent_skills" DROP CONSTRAINT "sub_agent_skills_sub_agent_skill_unique";
ALTER TABLE "sub_agent_skills" ADD CONSTRAINT "sub_agent_skills_sub_agent_skill_unique" UNIQUE("sub_agent_id","skill_id");
  3. Run pnpm db:check to verify schema consistency

Refs:

Inline Comments:

  • 🟠 Major: manage-schema.ts:293 Multi-tenant isolation regression

🟡 Minor (1) 🟡

🟡 1) subAgentSkills.cross-tenant.test.ts (deleted) Cross-tenant test coverage removed

Issue: The deleted test (174 lines) validated two critical behaviors:

  1. Different tenants CAN use the same (subAgentId, skillId) combination
  2. Same tenant/project/agent CANNOT duplicate skill assignments

Why: Without this test, regressions in multi-tenant isolation won't be caught. The remaining subAgentSkills.scoping.test.ts only tests within-project scoping, not cross-tenant scenarios.

Fix: If the revert is intentional, consider:

  • Retaining the test with .skip and a comment explaining the known limitation
  • Or creating an issue to track the multi-tenant constraint problem

Refs:

💡 APPROVE WITH SUGGESTIONS

Summary: This revert PR was already merged, so this review serves as documentation. The revert potentially reintroduces a multi-tenant isolation issue where different tenants could conflict on (subAgentId, skillId) combinations. If the revert was necessary due to operational issues with the original fix, consider tracking this as a known limitation and planning a proper resolution. The migration deletion approach also risks schema drift if the migration was deployed before the revert.

Discarded (1)
Location Issue Reason Discarded
meta/_journal.json Manual editing of Drizzle meta files Covered by the migration deletion finding — same root cause
Reviewers (4)
Reviewer Returned Main Findings Consider While You're Here Inline Comments Pending Recs Discarded
pr-review-standards 0 0 0 0 0 0 0
pr-review-breaking-changes 4 2 0 0 1 0 1
pr-review-architecture 3 1 0 0 0 0 2
pr-review-tests 1 1 0 0 0 0 0
Total 8 3 0 0 1 0 3

Note: Architecture and tests findings largely overlapped with breaking-changes findings and were consolidated.

packages/agents-core/src/db/manage/manage-schema.ts
table.subAgentId,
table.skillId
),
unique('sub_agent_skills_sub_agent_skill_unique').on(table.subAgentId, table.skillId),
Copy link
Contributor

@claude claude bot Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 MAJOR Multi-tenant isolation regression risk

Issue: This revert changes the unique constraint from (tenantId, projectId, agentId, subAgentId, skillId) back to (subAgentId, skillId). Since subAgentId is scoped to tenant/project/agent (not globally unique), this constraint could cause cross-tenant collisions if different tenants create sub-agents with the same ID.

Why: The original fix (PR #2190) addressed a multi-tenancy isolation bug. With this narrower constraint, if Tenant A creates a skill assignment for (subAgentId: "helper", skillId: "coding"), Tenant B cannot create the same combination — even though they're separate tenants with independent data.

Refs:

@github-actions github-actions bot deleted a comment from claude bot Feb 20, 2026
@amikofalvy amikofalvy mentioned this pull request Feb 20, 2026
Merged
@claude claude bot mentioned this pull request Feb 20, 2026
Closed
3 tasks
@nick-inkeep nick-inkeep mentioned this pull request Feb 20, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amikofalvy