ENG-3324: Address review comments on the inheritance data model

* **Rename migration file** to ``xx_2026_05_13_0900_6ebb8e54e130_...`` —
  the previous filename was dated 2026-04-09 but the rebased
  ``down_revision`` (``e3f4a5b6c7d8``) is from 2026-04-23, leaving the
  migration filename apparently predating its predecessor. Fix the
  docstring ``Revises:`` to match the actual ``down_revision`` and bump
  ``Create Date`` to today.
* **Fix ``server_default`` for the ``source`` column** — ``server_default``
  treats plain strings as raw SQL expressions, so ``server_default="explicit"``
  rendered ``DEFAULT explicit`` (unquoted identifier) rather than
  ``DEFAULT 'explicit'``. Use ``sa.text("'explicit'")`` in both the migration
  and the ORM model (matching the ``sa.text("true")`` pattern already used
  for the ``inherit_system_stewards`` column).
* **Add DB-level CHECK constraints on ``monitorsteward.source``**:
  * ``ck_monitorsteward_source_values``: ``source IN ('explicit', 'inherited')``
    — prevents an API-only sentinel (like ``"both"``) from being persisted
    even if application code misuses the enum.
  * ``ck_monitorsteward_inherited_has_system``: ``source != 'inherited' OR
    source_system_id IS NOT NULL`` — encodes the domain invariant directly
    at the DB level since inherited rows are populated by separate logic.
  Mirrored in the ORM ``__table_args__`` so the constraints are visible at
  the model level too.
* **Remove ``StewardSource.both`` from the fides enum** — the value is
  API-only (computed when a user has rows of both sources on a monitor)
  and mixing it into a DB-backed ``StrEnum`` is a footgun. Keep the enum
  pure DB-side; fidesplus moves the response-layer attribution (including
  ``both``) to its own schema module that references these values rather
  than redefining them.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Author: adamsachs

…b8e54e130_monitor_steward_inheritance.py …b8e54e130_monitor_steward_inheritance.pysrc/fides/api/alembic/migrations/versions/xx_2026_04_09_1000_6ebb8e54e130_monitor_steward_inheritance.py renamed to src/fides/api/alembic/migrations/versions/xx_2026_05_13_0900_6ebb8e54e130_monitor_steward_inheritance.py src/fides/api/alembic/migrations/versions/xx_2026_04_09_1000_6ebb8e54e130_monitor_steward_inheritance.py renamed to src/fides/api/alembic/migrations/versions/xx_2026_05_13_0900_6ebb8e54e130_monitor_steward_inheritance.py

@@ -8,8 +8,8 @@
 current behavior is preserved.  New monitors default to true.
 
 Revision ID: 6ebb8e54e130
-Revises: 6a42f48c23dd
-Create Date: 2026-04-09 10:00:00.000000
+Revises: e3f4a5b6c7d8
+Create Date: 2026-05-13 09:00:00.000000
 """
 
 import sqlalchemy as sa
@@ -42,7 +42,7 @@ def upgrade():
             "source",
             sa.String(),
             nullable=False,
-            server_default="explicit",
+            server_default=sa.text("'explicit'"),
         ),
     )
 
@@ -81,8 +81,35 @@ def upgrade():
         ["user_id", "monitor_config_id", "source"],
     )
 
+    # --- monitorsteward: DB-level guards on source ---
+    # Whitelist the only persistable values (matches StewardSource db-side members).
+    op.create_check_constraint(
+        "ck_monitorsteward_source_values",
+        "monitorsteward",
+        "source IN ('explicit', 'inherited')",
+    )
+    # Inherited rows MUST point at the system that contributed them; explicit
+    # rows have no source system.
+    op.create_check_constraint(
+        "ck_monitorsteward_inherited_has_system",
+        "monitorsteward",
+        "source != 'inherited' OR source_system_id IS NOT NULL",
+    )
+
 
 def downgrade():
+    # --- monitorsteward: drop DB-level source guards ---
+    op.drop_constraint(
+        "ck_monitorsteward_inherited_has_system",
+        "monitorsteward",
+        type_="check",
+    )
+    op.drop_constraint(
+        "ck_monitorsteward_source_values",
+        "monitorsteward",
+        type_="check",
+    )
+
     # --- monitorsteward: restore original unique constraint ---
     op.drop_constraint(
         "uq_monitorsteward_user_monitor_source",

src/fides/api/models/detection_discovery/monitor_steward.py

@@ -1,22 +1,26 @@
 from enum import StrEnum
 
-from sqlalchemy import Column, ForeignKey, String, UniqueConstraint
+from sqlalchemy import (
+    CheckConstraint,
+    Column,
+    ForeignKey,
+    String,
+    UniqueConstraint,
+    text,
+)
 
 from fides.api.db.base_class import Base
 
 
 class StewardSource(StrEnum):
-    """How a monitor steward row was assigned.
+    """Persisted values for ``MonitorSteward.source``.
 
-    ``explicit`` and ``inherited`` are the values actually persisted to
-    ``MonitorSteward.source``. ``both`` is API-only — it's never stored;
-    callers building response payloads return it when a user has both an
-    explicit and an inherited row for the same monitor.
+    DB-side enum only — response-layer attribution values are defined
+    separately in the API schema.
     """
 
     explicit = "explicit"
     inherited = "inherited"
-    both = "both"
 
 
 class MonitorSteward(Base):
@@ -45,7 +49,7 @@ class MonitorSteward(Base):
         String,
         nullable=False,
         default=StewardSource.explicit.value,
-        server_default=StewardSource.explicit.value,
+        server_default=text("'explicit'"),
     )
     source_system_id = Column(
         String,
@@ -61,4 +65,12 @@ class MonitorSteward(Base):
             "source",
             name="uq_monitorsteward_user_monitor_source",
         ),
+        CheckConstraint(
+            "source IN ('explicit', 'inherited')",
+            name="ck_monitorsteward_source_values",
+        ),
+        CheckConstraint(
+            "source != 'inherited' OR source_system_id IS NOT NULL",
+            name="ck_monitorsteward_inherited_has_system",
+        ),
     )