fix(workflow-tags): enforce workspace scoping for tag links #2206

Open

daryllimyt wants to merge 9 commits into main from feat/rls-followup-tenant-guards
Conversation

daryllimyt (Contributor) commented Feb 27, 2026

Checklist

  • Read CONTRIBUTING.md.
  • PR title is short and non-generic (see previously merged PRs for examples).
  • PR only implements a single feature or fixes a single bug.
  • Tests passing (uv run pytest tests)?
  • Lint / pre-commits passing (pre-commit run --all-files)?

Description

Related Issues

Screenshots / Recordings

Steps to QA


Note

Medium Risk
Primarily query-level scoping changes to prevent cross-tenant data access; risk is moderate because it can change 404/409 behavior and potentially break callers relying on previously-permissive lookups.

Overview
Hardens tenant isolation by enforcing organization/workspace scoping in several read/write paths.

Workflow tag links now require both the workflow and tag to exist in the caller’s workspace; duplicate associations are translated to a 409, and missing/cross-workspace refs return 404. Case tag listing and table column lookup are updated to join through the parent Case/Table and filter by workspace_id, and RBAC group member remove/list now verifies the group belongs to the caller’s organization.

Adds unit/HTTP tests covering cross-workspace/org non-leakage and the new workflow-tags error mapping.

Written by Cursor Bugbot for commit b5a42ef.


Summary by cubic

Enforces workspace scoping for workflow tag links, case tag associations, and table column lookups, and scopes RBAC group member operations by organization. Duplicate workflow tag adds are idempotent; missing or cross-workspace refs return 404.

  • Bug Fixes
    • Workflow tags: list/get join Workflow and WorkflowTag and require both in the caller's workspace; POST maps missing refs to 404; duplicate adds succeed without error.
    • Case tags: list/get join through Case and CaseTag and filter by the caller's workspace; stale cross-workspace links are ignored.
    • Tables: get_column joins Table and enforces the table's workspace; cross-workspace lookups return not found.
    • RBAC: group member remove/list join through Group and filter by caller organization.

Written for commit e181fb6.

daryllimyt (Contributor, Author) commented Feb 27, 2026

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


@cubic-dev-ai cubic-dev-ai bot (Contributor) left a comment

1 issue found across 9 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tracecat/workflow/tags/router.py">

<violation number="1" location="tracecat/workflow/tags/router.py:41">
P2: Duplicate tag assignments will raise an unhandled `IntegrityError`, resulting in a 500 Internal Server Error. Following the error handling guidelines, the service layer should catch `IntegrityError`, roll back, and raise a `ValueError`, which this router should then map to a 409 Conflict.

(Based on your team's feedback about Error handling posture (updated) and returning HTTP 409 Conflict for duplicate assignments.) [FEEDBACK_USED]</violation>
</file>

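The scoping pattern that the Bugbot overview and the cubic review above describe, as an added example that is not Tracecat's own code: the link table is joined through both parents and filtered by the caller's workspace_id, a missing or cross-workspace reference becomes 404, and the IntegrityError raised by a duplicate link is rolled back and mapped to 409 instead of surfacing as a 500. It uses the standard-library sqlite3 module in place of the project's ORM; the table, column and function names are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the project's Workflow / Tag / WorkflowTag tables (assumption).
SCHEMA = """CREATE TABLE workflow (id TEXT PRIMARY KEY, workspace_id TEXT NOT NULL);
CREATE TABLE tag (id TEXT PRIMARY KEY, workspace_id TEXT NOT NULL);
CREATE TABLE workflow_tag (workflow_id TEXT, tag_id TEXT, PRIMARY KEY (workflow_id, tag_id));"""

class NotFound(Exception): ...  # missing or cross-workspace workflow/tag -> router answers 404
class Conflict(Exception): ...  # link already exists (IntegrityError) -> router answers 409

def require_same_workspace(conn, workspace_id, workflow_id, tag_id):
    # Both parents must exist in the caller's workspace; a foreign tag is reported like a missing one.
    if conn.execute("SELECT 1 FROM workflow w, tag t WHERE w.id = ? AND t.id = ? "
                    "AND w.workspace_id = ? AND t.workspace_id = ?",
                    (workflow_id, tag_id, workspace_id, workspace_id)).fetchone() is None:
        raise NotFound(f"workflow {workflow_id} or tag {tag_id} not in workspace {workspace_id}")

def add_workflow_tag(conn, workspace_id, workflow_id, tag_id):
    require_same_workspace(conn, workspace_id, workflow_id, tag_id)
    try:
        with conn:  # commits on success, rolls back when the INSERT raises
            conn.execute("INSERT INTO workflow_tag VALUES (?, ?)", (workflow_id, tag_id))
    except sqlite3.IntegrityError as e:
        raise Conflict(f"tag {tag_id} already linked to workflow {workflow_id}") from e

def list_workflow_tags(conn, workspace_id, workflow_id):
    # Join through both parents so a stale link to a tag in another workspace does not leak.
    return [r[0] for r in conn.execute(
        "SELECT t.id FROM workflow_tag wt JOIN workflow w ON w.id = wt.workflow_id "
        "JOIN tag t ON t.id = wt.tag_id WHERE wt.workflow_id = ? "
        "AND w.workspace_id = ? AND t.workspace_id = ? ORDER BY t.id",
        (workflow_id, workspace_id, workspace_id))]

def post_workflow_tag(conn, workspace_id, workflow_id, tag_id):  # router-level status mapping
    try:
        add_workflow_tag(conn, workspace_id, workflow_id, tag_id)
    except NotFound:
        return 404
    except Conflict:
        return 409
    return 201

def seed_conn():  # constructed sample data: two workspaces plus one stale cross-workspace link
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
INSERT INTO workflow VALUES ('wf-a', 'ws-1'), ('wf-b', 'ws-2');
INSERT INTO tag VALUES ('tag-a', 'ws-1'), ('tag-b', 'ws-2');
INSERT INTO workflow_tag VALUES ('wf-a', 'tag-b');  -- stale link: tag-b lives in ws-2
""")
    return conn
```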

daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 69d4efb to 5ebfe09 (February 27, 2026 16:57)
daryllimyt changed the base branch from feat/rls to feat/rls-dynamic-schema-model-a (February 27, 2026 16:58)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 5ebfe09 to b5a42ef (February 27, 2026 19:22)
daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch from 9194362 to b9cdd2e (February 27, 2026 19:22)
daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch from b9cdd2e to ed6b32a (March 8, 2026 22:45)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from b5a42ef to 0150cb6 (March 8, 2026 22:45)
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0150cb6194

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0150cb6194

daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch from ed6b32a to 571c254 (March 9, 2026 16:30)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 0150cb6 to 0018b13 (March 9, 2026 16:30)
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0018b1336c

daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch from 571c254 to 37f760c (March 9, 2026 16:39)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 0018b13 to 91e6ec5 (March 9, 2026 16:40)
daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch 2 times, most recently from 3834276 to 4937fa5 (March 10, 2026 02:17)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 91e6ec5 to d166b45 (March 10, 2026 02:17)
daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch from 4937fa5 to ac4cbe2 (March 10, 2026 03:16)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from d166b45 to 4b62d41 (March 10, 2026 03:16)
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4b62d41c49

daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 4b62d41 to 35f07c4 (March 10, 2026 03:22)
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35f07c43ae

daryllimyt force-pushed the feat/rls-dynamic-schema-model-a branch 2 times, most recently from 2eb724c to a4d465c (March 13, 2026 19:11)
Base automatically changed from feat/rls-dynamic-schema-model-a to main (March 30, 2026 12:44)
daryllimyt force-pushed the feat/rls-followup-tenant-guards branch from 35f07c4 to 17b69cd (March 31, 2026 21:09)
daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (March 31, 2026 21:09, now inactive)
daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (March 31, 2026 21:10, now inactive)
zeropath-ai bot commented Mar 31, 2026

No security or compliance issues detected. Reviewed everything up to e181fb6.

Security Overview

Detected code changes (change type: Enhancement), with the relevant files:

packages/tracecat-ee/tracecat_ee/rbac/service.py
    Add organization ID filtering to group member removal and listing operations
tests/unit/api/test_api_workflow_tags.py
    Add tests for workflow tag API endpoints
tests/unit/test_case_tags_service.py
    Add fixtures for secondary workspaces and roles
    Add tests for cross-workspace tag isolation and stale link handling
tests/unit/test_rbac_service.py
    Add tests to ensure cross-organization group operations are rejected
tests/unit/test_tables_service.py
    Add fixtures for secondary workspaces and roles
    Add test for cross-workspace column lookup rejection
tests/unit/test_tags_service.py
    Add fixtures for secondary workspaces and roles
    Add tests for workspace scope enforcement in workflow tag operations
tracecat/cases/tags/service.py
    Enforce workspace scope in list_tags_for_case and get_case_tag
tracecat/tables/service.py
    Enforce workspace scope in get_column
tracecat/workflow/tags/router.py
    Handle NoResultFound for workflow or tag not found
tracecat/workflow/tags/service.py
    Implement workspace scope enforcement for workflow tags
    Add method to require workflow and tag to be in the same workspace

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17b69cd5d2

daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (April 2, 2026 16:54, now inactive)
daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (April 2, 2026 16:54, now inactive)
daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (April 2, 2026 17:33, now inactive)
daryllimyt temporarily deployed to internal-registry-ci with GitHub Actions (April 2, 2026 17:33, now inactive)