Conversation
…ings.partition Keep meta-all scoped to the JWT's active team — but make the matching robust against `team.settings.partition` drift. Previous behaviour required `team.settings.partition === jwt.partition`. That's a soft setting that can fall out of sync with the canonical team identity (`team.name`, set at creation time by `deriveTeamName(email, partition)`). Real-world failure: a team named "blue.is" had `settings.partition` left at "bluecar.is" after a migration. The user was a member-owner of the right team, request-time `defineUserScope` would have accepted any cube on it, but meta-all returned an empty catalog because the soft setting didn't agree with the JWT — so the agent truthfully reported "no cubes" with nothing to query. Match a team to the JWT partition if EITHER condition holds: - `team.name === partition` (canonical — what `deriveTeamName` writes) - `team.settings.partition === partition` (soft — back-compat for teams that set it explicitly without changing the name) Either alone is sufficient. Same scope semantics as before (single team per JWT), just no longer brittle on the soft setting. Also threads `team.name` through the `findUser` GraphQL projection so the match has the canonical field available. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
hamdi-ibrahim
approved these changes
Apr 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Keep
/api/v1/meta-allscoped to the JWT's active team (one team per partition), but make the matching robust againstteam.settings.partitiondrift.A team now matches the JWT
partitionclaim if either:team.name === partition— canonical, set at team creation byderiveTeamName(email, partition)team.settings.partition === partition— soft, back-compat for teams that set it explicitly without changing the nameEither alone is sufficient. Same scope semantics as before (single partition's team), just no longer brittle on the soft setting.
Also threads
team.namethrough thefindUserGraphQL projection so the match has the canonical field available.Why
Real-world failure mode caught while debugging Tychi → cube_list end-to-end:
blue.ishadsettings.partitionleft at"bluecar.is"after a copy/migration.blue.is. Request-timedefineUserScopewould have accepted any cube on it.meta-allreturned{ datasources: [] }because the soft setting didn't agree with the JWT partition"blue.is"— so the catalog was empty, the cube_list MCP tool returned no datasources, and the agent truthfully reported "no cubes" with nothing to query.Symmetric: any user who can pass runtime auth on their team's cubes should see those cubes in the catalog. The team-name match makes that the case for the typical setup, and the soft-setting match keeps existing explicit configurations working.
What's not changed
public, member-roleaccess_list).resolvePartitionTeamIds(deleteDataschema, versionDiff, refreshCompiler, discover) are untouched.Test plan
partition=blue.is), curlhttps://dbx.fraios.dev/api/v1/meta-all→ returnsblue.is's 2 datasources (was empty before).{ datasources: [] }as before.settings.partitionmatches but name doesn't → still returns that team's datasources (back-compat).cube_listreturns the cubes in the active partition.🤖 Generated with Claude Code