[CHORE]: Prevent users from editing the source attached function collection metadata

[tanujnay112]

Description of changes

Summarize the changes made by this PR.

• Improvements & Bug fixes
  • Make chroma::source_collection_id a protected collection metadata field by checking for this on the CreateCollection and UpdateCollection paths.
• New functionality
  • ...

Test plan

Added a test in test_task_api.py

• Tests pass locally with pytest for python, yarn test for js, cargo test for rust

Migration plan

Are there any migrations, or any forwards/backwards compatibility changes needed in order to make sure this change deploys reliably?

Observability plan

What is the plan to instrument and monitor this change?

Documentation Changes

Are all docstrings for user-facing APIs updated if required? Do we need to make documentation changes in the docs section?

[github-actions]

Reviewer Checklist

Please leverage this checklist to ensure your code review is thorough before approving

Testing, Bugs, Errors, Logs, Documentation

• Can you think of any use case in which the code does not behave as intended? Have they been tested?
• Can you think of any inputs or external events that could break the code? Is user input validated and safe? Have they been tested?
• If appropriate, are there adequate property based tests?
• If appropriate, are there adequate unit tests?
• Should any logging, debugging, tracing information be added or removed?
• Are error messages user-friendly?
• Have all documentation changes needed been made?
• Have all non-obvious changes been commented?

System Compatibility

• Are there any potential impacts on other parts of the system or backward compatibility?
• Does this change intersect with any items on our roadmap, and if so, is there a plan for fitting them together?

Quality

• Is this code of a unexpectedly high quality (Readability, Modularity, Intuitiveness)

[tanujnay112]

• [CHORE]: Prevent users from editing the source attached function collection metadata #6016 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[propel-code-bot]

Protect system-managed collection metadata from user updates

Adds server-side guards around collection metadata to stop clients from setting or changing the chroma:source_attached_function_id system key. The gRPC create path now rejects requests containing reserved keys, the catalog update path validates that existing system metadata values remain unchanged, and dedicated integration tests verify both the create-time and modify-time protections.

Key Changes

• Defined coordinator.SystemCollectionMetadataKeys with reserved metadata keys and added validation helper validateSystemMetadataKeysUnchanged in go/pkg/sysdb/coordinator/table_catalog.go.
• Updated Catalog.UpdateCollection to check that system-reserved metadata values match the persisted values before replacing metadata rows.
• Added gRPC-layer validation in go/pkg/sysdb/grpc/collection_service.go to reject CreateCollection requests supplying reserved metadata keys.
• Extended integration coverage in chromadb/test/distributed/test_task_api.py to ensure users cannot create or modify collections with chroma:source_attached_function_id and added a new ErrSystemMetadataKeyNotAllowed error in go/pkg/common/errors.go.

Affected Areas

• go/pkg/sysdb/coordinator/table_catalog.go
• go/pkg/sysdb/grpc/collection_service.go
• go/pkg/common/errors.go
• chromadb/test/distributed/test_task_api.py

This summary was automatically generated by @propel-code-bot

[propel-code-bot]

[Logic] This is a great test for preventing direct modification of a system key. To make it more robust, it would be beneficial to also verify that system keys are preserved when modifying other metadata fields.

The current implementation in table_catalog.go might allow for the deletion of system keys if they are omitted from the metadata object in a modify call. Adding a test case for this would help catch that potential regression.

You could add a check like this after the existing pytest.raises block:

    # Also attempt to modify non-system metadata, which should succeed
    # and preserve the system key.
    output_collection.modify(
        metadata={"user_key": "user_value"}
    )

    # Verify the system metadata key was preserved and user key was added
    output_collection = client.get_collection(name="output_collection")
    assert output_collection.metadata is not None
    assert "user_key" in output_collection.metadata
    assert output_collection.metadata["user_key"] == "user_value"
    assert "chroma:source_attached_function_id" in output_collection.metadata
    assert output_collection.metadata["chroma:source_attached_function_id"] == str(
        attached_fn.id
    )

Context for Agents

This is a great test for preventing direct modification of a system key. To make it more robust, it would be beneficial to also verify that system keys are preserved when modifying *other* metadata fields.

The current implementation in `table_catalog.go` might allow for the deletion of system keys if they are omitted from the `metadata` object in a `modify` call. Adding a test case for this would help catch that potential regression.

You could add a check like this after the existing `pytest.raises` block:

```python
    # Also attempt to modify non-system metadata, which should succeed
    # and preserve the system key.
    output_collection.modify(
        metadata={"user_key": "user_value"}
    )

    # Verify the system metadata key was preserved and user key was added
    output_collection = client.get_collection(name="output_collection")
    assert output_collection.metadata is not None
    assert "user_key" in output_collection.metadata
    assert output_collection.metadata["user_key"] == "user_value"
    assert "chroma:source_attached_function_id" in output_collection.metadata
    assert output_collection.metadata["chroma:source_attached_function_id"] == str(
        attached_fn.id
    )
```

File: chromadb/test/distributed/test_task_api.py
Line: 493