Revert "Revert "Revert "Revert "fix: scope sub_agent_skills unique constraint to tenant/project/agent""""

[amikofalvy]

Reverts #2215

Going for some kind of reversion record, I suppose.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a678cba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Feb 21, 2026 8:10pm
agents-docs	Ready	Preview, Comment	Feb 21, 2026 8:10pm
agents-manage-ui	Building	Preview, Comment	Feb 21, 2026 8:10pm

[claude]

PR Review Summary

(0) Total Issues | Risk: Low

---

🟡 Minor (0) 🟡

No minor issues found.

💭 Consider (1) 💭

Inline Comments:

• 💭 Consider: subAgentSkills.cross-tenant.test.ts:164 Assert specific constraint error type instead of generic .toThrow()

---

✅ APPROVE

Summary: This PR correctly fixes a multi-tenant isolation bug in the sub_agent_skills table. The unique constraint now properly includes tenant_id, project_id, and agent_id, aligning with the table's hierarchical scoping model and preventing cross-tenant collisions. The migration is safe (the new constraint is a superset of the original), comprehensive tests validate the fix, and all reviewers confirmed the implementation is correct. Ship it! 🚀

---

Discarded (4)

Location	Issue	Reason Discarded
0010_oval_angel.sql:1-2	Migration transaction safety concern	Drizzle migrations run in transactions by default; new constraint is a superset making violations impossible
subAgentSkills.cross-tenant.test.ts	Missing cross-project isolation test	Cross-tenant test adequately validates multi-column constraint behavior
subAgentSkills.cross-tenant.test.ts	Missing cross-agent isolation test	Already implicitly covered by existing subAgentSkills.scoping.test.ts
0010_oval_angel.sql:1-2	Constraint is relaxation, not tightening	Informational confirmation, not an issue

Reviewers (5)

Reviewer	Returned	Main Findings	Consider	While You're Here	Inline Comments	Pending Recs	Discarded
pr-review-breaking-changes	3	0	0	0	0	0	3
pr-review-tests	3	0	0	0	1	0	2
pr-review-standards	0	0	0	0	0	0	0
pr-review-types	0	0	0	0	0	0	0
pr-review-security-iam	0	0	0	0	0	0	0
Total	6	0	0	0	1	0	5

Note: Types and Security-IAM reviewers explicitly confirmed the fix is correct for multi-tenant isolation.

[claude]

💭 Consider: Assert specific constraint error

Issue: The test uses .rejects.toThrow() without specifying the error type or message.

Why: This test would pass even if the insert failed for an unrelated reason (e.g., foreign key violation, connection error). Asserting the specific constraint name makes the test more robust against false positives.

Fix: Consider specifying the constraint name in the assertion:

).rejects.toThrow(/sub_agent_skills_sub_agent_skill_unique|unique constraint|duplicate key/i);

Refs:

• PostgreSQL error codes — code 23505 is unique_violation