fix(api): bound internal route workloads

[daryllimyt]

Summary

• Add default/max bounds to hot /internal table lookup, case comments, and case metrics routes.
• Stop internal case reads from recording case-view events.
• Batch case metrics context loading for cases, custom fields, and dropdown values.
• Move attachment base64, file validation, hashing, and integrity checks off the async event loop.

Tests

• uv run pytest tests/unit/api/test_api_internal_cases.py tests/unit/api/test_api_internal_tables.py -q
• uv run pytest tests/unit/test_case_comments_service.py::TestCaseCommentsService::test_list_comments tests/unit/test_tables_service.py::TestTableRows::test_lookup_rows_applies_default_limit tests/unit/test_tables_service.py::TestTableRows::test_lookup_row_multiple tests/unit/test_case_attachments_service.py::test_create_list_download_delete_attachment -q
• uv run ruff check tracecat/config.py tracecat/tables/internal_router.py tracecat/tables/service.py tracecat/cases/internal_router.py tracecat/cases/service.py tracecat/cases/dropdowns/service.py tracecat/cases/attachments/internal_router.py tracecat/cases/attachments/service.py tests/unit/api/test_api_internal_tables.py tests/unit/api/test_api_internal_cases.py tests/unit/test_case_comments_service.py tests/unit/test_tables_service.py
• uv run ruff format --check tracecat/config.py tracecat/tables/internal_router.py tracecat/tables/service.py tracecat/cases/internal_router.py tracecat/cases/service.py tracecat/cases/dropdowns/service.py tracecat/cases/attachments/internal_router.py tracecat/cases/attachments/service.py tests/unit/api/test_api_internal_tables.py tests/unit/api/test_api_internal_cases.py tests/unit/test_case_comments_service.py tests/unit/test_tables_service.py
• uv run basedpyright tracecat/config.py tracecat/tables/internal_router.py tracecat/tables/service.py tracecat/cases/internal_router.py tracecat/cases/service.py tracecat/cases/dropdowns/service.py tracecat/cases/attachments/internal_router.py tracecat/cases/attachments/service.py tests/unit/api/test_api_internal_tables.py tests/unit/api/test_api_internal_cases.py tests/unit/test_case_comments_service.py tests/unit/test_tables_service.py

---

Summary by cubic

Bound internal API workloads with sane defaults and max limits, batched case metrics context loading, and moved blocking attachment work off the event loop to improve stability and latency. Internal case reads no longer record case-view events.

• Refactors

  • Added bounded defaults/max in tracecat.config and applied them to table lookup, case comments, and case metrics.
  • Batched case metrics context: use CasesService.get_cases, fields.batch_get_fields, and dropdown batch loading to remove N+1 DB calls.
  • Offloaded attachment base64 work, file validation, hashing, and integrity checks via asyncio.to_thread.
  • Internal get_case now sets track_view=False to avoid view-side effects.

• Bug Fixes

  • Enforced limits and validation across table lookup, comments, and metrics; apply defaults when omitted and return 422 for oversized metrics batches.

^{Written for commit 2b83671. Summary will update on new commits. Review in cubic}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2b83671a91

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve complete comment threads when limiting rows

When the internal /comments/threads endpoint is called for a case with more than the default 100 comments (or more than the requested limit), this passes the cap into the raw chronological comment query before grouping, so replies or even root comments past that prefix are dropped and reply_count/last_activity_at are computed from incomplete data. The internal SDK calls this endpoint without any cursor or pagination parameter, so workflow users can receive silently truncated thread data; limit/paginate top-level threads first or fetch/count complete threads after selecting the roots.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

No issues found across 12 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[zeropath-ai]

✅ No security or compliance issues detected. Reviewed everything up to 2b83671.

Security Overview

• 🔎 Scanned files: 12 changed file(s)
• 🔗 Scan Link: https://zeropath.com/app/repositories/00dffd6c-8834-4dc9-b6d8-b44cd1622986?scanId=7ab1cf54-3616-40ea-8207-ed8f54e261e2&codeScanTypes=PrScan&tab=issues

Detected Code Changes

Change Type	Relevant files
Enhancement	► tests/unit/api/test_api_internal_cases.py     Add assertions for get_case track_view parameter     Add assertion for get_case when including rows     Add assertion for get_case when including rows in update     Add assertion for case comments service limit     Add test for case metrics batch context loaders     Add test for oversized case metrics batches ► tests/unit/api/test_api_internal_tables.py     Add test for lookup_rows default limit ► tests/unit/test_case_comments_service.py     Add test for limited comment listing ► tests/unit/test_tables_service.py     Add test for lookup_rows default limit ► tracecat/cases/attachments/internal_router.py     Use asyncio.to_thread for base64 decoding and encoding ► tracecat/cases/attachments/service.py     Use asyncio.to_thread for validation and hashing ► tracecat/cases/dropdowns/service.py     Add batch method for listing dropdown values for cases ► tracecat/cases/internal_router.py     Implement _list_case_dropdown_values_by_case helper function     Update get_case to set track_view to False     Add limit parameter to list_comments and list_comment_threads     Add Pydantic Field max_length for case_ids in CaseMetricsRequest     Add batch fetching for cases and fields in get_case_metrics     Add call to _list_case_dropdown_values_by_case in get_case_metrics ► tracecat/cases/service.py     Add get_cases method for retrieving multiple cases     Add limit parameter to _list_comment_rows, list_comments, and list_comment_threads ► tracecat/config.py     Add TRACECAT__LIMIT_TABLE_LOOKUP_DEFAULT config variable     Add TRACECAT__LIMIT_CASE_COMMENTS_DEFAULT and TRACECAT__LIMIT_CASE_COMMENTS_MAX config variables     Add TRACECAT__LIMIT_CASE_METRICS_MAX config variable ► tracecat/tables/internal_router.py     Set default limit for TableLookupRequest to TRACECAT__LIMIT_TABLE_LOOKUP_DEFAULT ► tracecat/tables/service.py     Apply default limit for lookup_rows if no limit is provided
Configuration changes	► tracecat/tables/internal_router.py     Update TableLookupRequest limit field default value

[blacksmith-sh]

Found 1 test failure on Blacksmith runners:

Failure

Test	View Logs
TestCaseDurationMetrics/test_get_case_metrics_returns_metrics	View Logs