feat: add PATCH /v1/web/settings with per-workspace retention

[isuttell]

Summary

Phase 3 backlog item #2 (docs/ops/project-status.md, docs/ops/web-app-todo.md). Adds the dashboard settings write path and makes retention a real per-workspace value instead of the global default.

• workspaces gains auto_deletion_days (int, default 30, CHECK between 1 and 90) via migration 0007; Drizzle schema + snapshot updated, db:check green.
• GET /v1/web/settings now reads the persisted per-workspace value (was deriving from the global USAGE_POLICY default).
• PATCH /v1/web/settings (workos access token, admin scope, idempotent, actor rate limit) updates workspace name + retention through runCommand and writes a workspace.settings.updated audit event.

Changes

• contracts: UpdateWebSettingsRequest (bounds derived from mvpUsagePolicy.min/max_ttl_seconds = 1..90 days; name 1..120); web.settings.update route; HttpMethod gains PATCH; OpenAPI path + golden regenerated; MVP route-registry test updated.
• db: auto_deletion_days on schema/type/snapshot + migration 0007; workspaces.update port + Postgres/local adapters; updateWebSettings in RepositoryCore; toWebSettings dedups the GET/PATCH shape; both workspace-provisioning paths set the default.
• api: webUpdateSettings handler + mount, mirroring the web.apiKeys.create mutation pattern.

Risk

Low. Additive column with a safe default (30) and an idempotent, re-runnable migration; pre-launch so no back-compat surface. Bounds enforced at both the Zod contract and the DB check constraint. New route is admin-scoped and goes through the existing idempotent command/audit path.

Test plan

• pnpm verify green (70/70 turbo tasks): lint, typecheck, test, openapi:check, db:check.
• api worker tests +8 (PATCH happy path, out-of-range -> 400, forbidden/non-member, idempotency); db repo tests +2 (persisted update + audit, GET reflects persisted value).
• Local CodeRabbit review run before opening (no actionable findings).

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added PATCH /v1/web/settings to update workspace name and auto-deletion days (requires idempotency key).
  • Workspace auto-deletion days configurable between 1 and 90; default is 30 days.

• Database

  • Persisted auto-deletion setting in workspace records and enforced with a DB constraint/migration.

• Tests

  • Expanded coverage for success, validation, idempotency and authorization failure scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 13fd70f8-0f19-4f4a-9ac6-1d8cfb59e1f6

📥 Commits

Reviewing files that changed from the base of the PR and between d1f93d1 and 850e365.

📒 Files selected for processing (2)

• packages/db/src/index.test.ts
• packages/db/src/repository/core.ts

---

Walkthrough

This PR adds a complete PATCH /v1/web/settings endpoint for updating workspace settings. It introduces an auto_deletion_days column to the workspaces table with a 1–90 day range derived from the USAGE_POLICY TTL bounds. The feature includes database migrations, Drizzle schema updates, Zod/OpenAPI contract definitions, Repository interface and RepositoryCore implementation with idempotency support, entity adapter wiring, an API handler with member authorization and request validation, and extensive test coverage for success cases, validation errors, idempotency, and scope requirements.

Sequence Diagram

sequenceDiagram
  participant Client
  participant Handler as webUpdateSettings
  participant Validation as UpdateWebSettingsRequest
  participant Idempotent as runIdempotent
  participant Core as RepositoryCore
  participant DB as Database
  Client->>Handler: PATCH /v1/web/settings + Idempotency-Key
  Handler->>Handler: verify member actor with admin scope
  Handler->>Validation: safeParse(workspace_name, auto_deletion_days)
  Handler->>Idempotent: call with idempotency key
  Idempotent->>Core: updateWebSettings(actor, workspaceName, autoDeletionDays)
  Core->>DB: update workspaces set name, auto_deletion_days, updated_at
  Core->>DB: insert workspace.settings.updated operation event
  Core-->>Idempotent: return WebSettings
  Idempotent-->>Handler: return result (or replay if key reused)
  Handler-->>Client: 200 WebSettingsResponse

Loading

Possibly Related PRs

• zaks-io/agent-paste#24: Adds/extends web API framework and web settings read endpoint that this PR builds upon.
• zaks-io/agent-paste#15: Introduces the Zod→OpenAPI generation pipeline used to register UpdateWebSettingsRequest and OpenAPI paths.
• zaks-io/agent-paste#4: Adds idempotency handling (runIdempotent) and Idempotency-Key wiring reused by this PATCH endpoint.

Poem

🐰 I hopped to change a workspace's tune,
I stored the days beneath the moon,
An idempotent patch with care —
Your settings saved, safe in my lair. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main feature: adding a PATCH endpoint for web settings with per-workspace retention configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch agents/web-settings-patch

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-44.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-44.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-44.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-44.isaac-a46.workers.dev
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-empty-violet-apggjevp

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/contracts/openapi/api.json`:
- Around line 7598-8070: The web.settings.update operation is missing a 403
forbidden response for admin-scope denial; add a "403" response object to the
responses map for operationId "web.settings.update" that mirrors the existing
error-envelope shape (an object with required "error" containing
"code","message", optional "docs" and "request_id") and include a descriptive
"description" like "Forbidden — insufficient scope" so clients can
programmatically handle authorization failures.

In `@packages/db/src/repository/core.ts`:
- Around line 479-503: The updateWebSettings path must validate
input.autoDeletionDays in repository core before calling
entities.workspaces.update to prevent local-adapter persistence of out-of-range
values; add a guard in updateWebSettings (inside the uow.command callback,
before calling entities.workspaces.update) that checks input.autoDeletionDays
against the same min/max bounds used by the DB (or a shared constant like
MIN_AUTO_DELETION_DAYS / MAX_AUTO_DELETION_DAYS), and throw a clear error (e.g.,
`invalid_auto_deletion_days`) when outside bounds so invalid values are rejected
before persisting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 9e2d7f58-6c0f-4c2d-ae4a-62e4611692ba

📥 Commits

Reviewing files that changed from the base of the PR and between d8b7c7f and d1f93d1.

📒 Files selected for processing (21)

• apps/api/src/index.test.ts
• apps/api/src/index.ts
• packages/contracts/openapi/api.json
• packages/contracts/src/mvp-contracts.test.ts
• packages/contracts/src/openapi/api.ts
• packages/contracts/src/openapi/shared.ts
• packages/contracts/src/routes.ts
• packages/contracts/src/web.ts
• packages/db/migrations/0007_workspace_auto_deletion_days.sql
• packages/db/snapshot/schema.sql
• packages/db/src/index.test.ts
• packages/db/src/policy.ts
• packages/db/src/queries/workspaces.ts
• packages/db/src/repository/core.ts
• packages/db/src/repository/interface.ts
• packages/db/src/repository/local-entities.ts
• packages/db/src/repository/ports.ts
• packages/db/src/repository/postgres-entities.ts
• packages/db/src/schema.ts
• packages/db/src/types.ts
• scripts/local-mvp-server.mjs

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-44.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-44.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-44.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-44.isaac-a46.workers.dev
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-empty-violet-apggjevp

[github-actions]

agent-paste PR preview resources were cleaned up. The pr-preview-${context.issue.number} environment is left in place; remove it from the GitHub UI if desired.