From 5bd331ca92567f8a004dae143b86898301ba350d Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Fri, 10 Apr 2026 06:57:41 +0000
Subject: [PATCH] fix: clarify step_library RLS comment; remove unused sqlalchemy import

Co-Authored-By: Claude Sonnet 4.6
---
 .../alembic/versions/70a5dd746e83_enable_rls_phase2.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/backend/alembic/versions/70a5dd746e83_enable_rls_phase2.py b/backend/alembic/versions/70a5dd746e83_enable_rls_phase2.py
index aa39efaa..a70f1555 100644
--- a/backend/alembic/versions/70a5dd746e83_enable_rls_phase2.py
+++ b/backend/alembic/versions/70a5dd746e83_enable_rls_phase2.py
@@ -20,8 +20,6 @@ Create Date: 2026-04-10 06:54:49.431817
 from typing import Sequence, Union
 from alembic import op
-import sqlalchemy as sa
-
 # revision identifiers, used by Alembic.
 revision: str = '70a5dd746e83'
@@ -41,8 +39,11 @@ _CURRENT_ACCOUNT = (
 _STANDARD_USING = f"account_id = {_CURRENT_ACCOUNT}"
 # Visibility-aware policy for step_library — public steps (visibility='public')
-# must be visible to ALL tenants regardless of account_id, mirroring
-# build_step_visibility_filter() in app/core/filters.py.
+# must be visible to ALL tenants regardless of account_id. This covers the
+# visibility='public' arm of build_step_visibility_filter() in app/core/filters.py.
+# The created_by arm (private steps visible to their author) is covered
+# transitively: private steps share account_id with their creator, so the
+# account_id match handles it. This relies on account_id NOT NULL on step_library.
 _STEP_LIBRARY_USING = f"account_id = {_CURRENT_ACCOUNT} OR visibility = 'public'"
 # Standard tables: strict tenant isolation, no cross-tenant visibility.
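Review bot: The rewritten comment above `_STEP_LIBRARY_USING` justifies the read side only, and the `OR visibility = 'public'` arm is the part that needs a write-side caveat. The `CREATE POLICY` statement is outside this hunk, but if the expression is attached to a policy that covers writes without a separate `WITH CHECK`, PostgreSQL reuses the USING expression for write checks, so rows marked public would be modifiable across tenants and a public row could be written under another account's `account_id`. I would add a line such as `# Read-side predicate only: writes must remain limited to account_id = current account (WITH CHECK or per-command policies).` and confirm the policy definition further down matches it. The comment also states the predicate relies on `account_id NOT NULL` without saying where that is enforced; naming the constraint or the migration that adds it would make the dependency checkable. It would also help to say that this predicate is broader than the application filter for private steps (any member of the account passes it), so author-only visibility still depends on `build_step_visibility_filter()`.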