fix(rls): reserve __tc namespace for dynamic schemas

Author: daryllimyt

alembic/versions/b5fc4168fe22_apply_model_a_rls_to_dynamic_workspace_.py

@@ -1,7 +1,7 @@
 """apply model a rls to dynamic workspace schemas
 
 Revision ID: b5fc4168fe22
-Revises: c76f9b01fad7
+Revises: 6171727be56a
 Create Date: 2026-02-27 11:43:07.059399
 
 """
@@ -19,7 +19,7 @@
 
 # revision identifiers, used by Alembic.
 revision: str = "b5fc4168fe22"
-down_revision: str | None = "9a6d0e0ec5b1"
+down_revision: str | None = "6171727be56a"
 branch_labels: str | Sequence[str] | None = None
 depends_on: str | Sequence[str] | None = None
 

tests/unit/test_case_fields_service.py

@@ -180,16 +180,14 @@ async def test_create_field_rejects_internal_name(
                 CaseFieldCreate(name="__TC_workspace_id", type=SqlType.TEXT)
             )
 
-    async def test_create_field_allows_legacy_tc_prefix_name(
+    async def test_create_field_rejects_internal_namespace_prefix(
         self, case_fields_service: CaseFieldsService
     ) -> None:
-        """Only the exact internal tenant column name should be reserved."""
-        with patch.object(
-            case_fields_service.editor, "create_column"
-        ) as mock_create_column:
-            field_params = CaseFieldCreate(name="__tc_shadow", type=SqlType.TEXT)
-            await case_fields_service.create_field(field_params)
-            mock_create_column.assert_called_once_with(field_params)
+        """The internal Tracecat namespace prefix should be reserved."""
+        with pytest.raises(ValueError, match="reserved for internal use"):
+            await case_fields_service.create_field(
+                CaseFieldCreate(name="__tc_shadow", type=SqlType.TEXT)
+            )
 
     async def test_update_field(self, case_fields_service: CaseFieldsService) -> None:
         """Test updating a case field."""

tests/unit/test_tables_service.py

@@ -152,10 +152,10 @@ async def _list_rows(
 @pytest.mark.anyio
 class TestTablesService:
     async def test_internal_column_name_check_is_case_insensitive(self) -> None:
-        """Internal column detection should normalize case for exact matches."""
+        """Internal column detection should normalize case for reserved namespaces."""
         assert is_internal_column_name("__tc_workspace_id") is True
         assert is_internal_column_name("__TC_workspace_id") is True
-        assert is_internal_column_name("__tc_shadow") is False
+        assert is_internal_column_name("__tc_shadow") is True
         assert is_internal_column_name("user_field") is False
 
     async def test_create_and_get_table(self, tables_service: TablesService) -> None:

tracecat/cases/service.py

@@ -1010,7 +1010,6 @@ class CaseFieldsService(CustomFieldsService):
         "case_id",
         "created_at",
         "updated_at",
-        "workspace_id",
         DYNAMIC_WORKSPACE_TENANT_COLUMN,
     }
 

tracecat/tables/service.py

@@ -78,6 +78,7 @@
 RLS_BYPASS_VAR = "app.rls_bypass"
 RLS_BYPASS_ON = "on"
 INTERNAL_COLUMN_NAMES: frozenset[str] = frozenset({DYNAMIC_WORKSPACE_TENANT_COLUMN})
+INTERNAL_COLUMN_PREFIX = "__tc_"
 SYSTEM_VISIBLE_COLUMN_NAMES: tuple[str, ...] = ("id", "created_at", "updated_at")
 
 
@@ -2240,4 +2241,7 @@ def sanitize_identifier(identifier: str) -> str:
 
 def is_internal_column_name(column_name: str) -> bool:
     """Check whether a column is internal/system-managed for dynamic schemas."""
-    return column_name.lower() in INTERNAL_COLUMN_NAMES
+    normalized_name = column_name.lower()
+    return normalized_name in INTERNAL_COLUMN_NAMES or normalized_name.startswith(
+        INTERNAL_COLUMN_PREFIX
+    )