feat(api): DB schema + CRUD REST API for interactive agent sessions (#501)

## Summary

- Adds `interactive_sessions` and `session_messages` tables to `SchemaManager` (idempotent DDL with CHECK constraints on state/role and composite indexes)
- `InteractiveSessionRepository` with full CRUD: create, get, list, update_state, update_cost, end, add_message, get_messages
- 6 REST endpoints at `/api/v2/sessions`: POST, GET, LIST, DELETE, POST messages, GET messages
- State/role validation at both app and DB layers; rate limiting on all endpoints
- `app.state.db` initialized in server lifespan for global DB access
- `task_id`, `updated_at` included in `SessionResponse`
- 20 tests in `tests/unit/test_interactive_sessions_api.py` using real in-memory SQLite

## Validation

- Review feedback: All addressed (3 rounds — claude-review + coderabbit)
- Demo: All 5 acceptance criteria verified via Showboat (API-only, no frontend)
- Tests: 20/20 passing
- CI: All checks green (Backend Unit Tests, Code Quality, Test Summary, claude-review, CodeRabbit, GitGuardian)
- Linting: Clean

Closes #501

Author: frankbria

codeframe/persistence/database.py

@@ -38,6 +38,7 @@
     PRRepository,
     APIKeyRepository,
 )
+from codeframe.persistence.repositories.interactive_sessions import InteractiveSessionRepository
 
 if TYPE_CHECKING:
     pass
@@ -111,6 +112,7 @@ def __init__(self, db_path: Path | str):
         self.audit_logs: Optional[AuditRepository] = None
         self.pull_requests: Optional[PRRepository] = None
         self.api_keys: Optional[APIKeyRepository] = None
+        self.interactive_sessions: Optional[InteractiveSessionRepository] = None
 
     def initialize(self) -> None:
         """Initialize database schema and repositories."""
@@ -158,6 +160,7 @@ def _initialize_repositories(self) -> None:
         self.audit_logs = AuditRepository(sync_conn=self.conn, async_conn=self._async_conn, database=self, sync_lock=self._sync_lock)
         self.pull_requests = PRRepository(sync_conn=self.conn, async_conn=self._async_conn, database=self, sync_lock=self._sync_lock)
         self.api_keys = APIKeyRepository(sync_conn=self.conn, async_conn=self._async_conn, database=self, sync_lock=self._sync_lock)
+        self.interactive_sessions = InteractiveSessionRepository(sync_conn=self.conn, async_conn=self._async_conn, database=self, sync_lock=self._sync_lock)
 
     # Backward compatibility properties (maintain old *_repository naming)
     @property
@@ -219,7 +222,7 @@ def _update_repository_async_connections(self) -> None:
                      self.memories, self.context_items, self.checkpoints, self.git_branches,
                      self.test_results, self.lint_results, self.code_reviews, self.quality_gates,
                      self.token_usage, self.correction_attempts, self.activities, self.audit_logs,
-                     self.pull_requests]:
+                     self.pull_requests, self.interactive_sessions]:
             if repo:
                 repo._async_conn = self._async_conn
 

codeframe/persistence/repositories/interactive_sessions.py

@@ -0,0 +1,165 @@
+"""Repository for interactive agent session operations."""
+
+from __future__ import annotations
+
+import json
+import uuid
+from datetime import datetime, UTC
+from typing import Optional
+
+from codeframe.persistence.repositories.base import BaseRepository
+
+
+class InteractiveSessionRepository(BaseRepository):
+    """Repository for interactive_sessions and session_messages tables."""
+
+    # -------------------------------------------------------------------------
+    # Sessions
+    # -------------------------------------------------------------------------
+
+    def create(
+        self,
+        workspace_path: str,
+        task_id: Optional[str] = None,
+        agent_type: str = "claude",
+        model: Optional[str] = None,
+    ) -> dict:
+        now = datetime.now(UTC).isoformat()
+        session_id = str(uuid.uuid4())
+        self._execute(
+            """
+            INSERT INTO interactive_sessions
+                (id, workspace_path, task_id, state, agent_type, model,
+                 cost_usd, input_tokens, output_tokens, created_at, updated_at, ended_at)
+            VALUES (?, ?, ?, 'active', ?, ?, 0.0, 0, 0, ?, ?, NULL)
+            """,
+            (session_id, workspace_path, task_id, agent_type, model, now, now),
+        )
+        self._commit()
+        return self.get(session_id)
+
+    def get(self, session_id: str) -> Optional[dict]:
+        row = self._fetchone(
+            "SELECT * FROM interactive_sessions WHERE id = ?", (session_id,)
+        )
+        return self._row_to_dict(row) if row else None
+
+    def list(
+        self,
+        workspace_path: Optional[str] = None,
+        state: Optional[str] = None,
+        limit: int = 50,
+    ) -> list[dict]:
+        query = "SELECT * FROM interactive_sessions WHERE 1=1"
+        params: list = []
+        if workspace_path is not None:
+            query += " AND workspace_path = ?"
+            params.append(workspace_path)
+        if state is not None:
+            query += " AND state = ?"
+            params.append(state)
+        query += " ORDER BY created_at DESC LIMIT ?"
+        params.append(limit)
+        rows = self._fetchall(query, tuple(params))
+        return [self._row_to_dict(r) for r in rows]
+
+    def update_state(self, session_id: str, state: str) -> None:
+        """Update session state. Called internally by the agent runtime, not via REST API.
+
+        Callers are responsible for validating state against VALID_STATES before calling.
+        """
+        now = datetime.now(UTC).isoformat()
+        self._execute(
+            "UPDATE interactive_sessions SET state = ?, updated_at = ? WHERE id = ?",
+            (state, now, session_id),
+        )
+        self._commit()
+
+    def update_cost(
+        self, session_id: str, cost_usd: float, input_tokens: int, output_tokens: int
+    ) -> None:
+        """Accumulate cost and token counts. Called internally by the agent runtime, not via REST API.
+
+        The increment is applied atomically at the DB level to prevent lost-update races.
+        """
+        now = datetime.now(UTC).isoformat()
+        self._execute(
+            """
+            UPDATE interactive_sessions
+            SET cost_usd = cost_usd + ?, input_tokens = input_tokens + ?,
+                output_tokens = output_tokens + ?, updated_at = ?
+            WHERE id = ?
+            """,
+            (cost_usd, input_tokens, output_tokens, now, session_id),
+        )
+        self._commit()
+
+    def end(self, session_id: str) -> Optional[dict]:
+        """End a session. Returns the updated row, or None if session_id not found."""
+        now = datetime.now(UTC).isoformat()
+        cursor = self._execute(
+            """
+            UPDATE interactive_sessions
+            SET state = 'ended', ended_at = ?, updated_at = ?
+            WHERE id = ?
+            """,
+            (now, now, session_id),
+        )
+        self._commit()
+        if cursor.rowcount == 0:
+            return None
+        return self.get(session_id)
+
+    # -------------------------------------------------------------------------
+    # Messages
+    # -------------------------------------------------------------------------
+
+    def add_message(
+        self,
+        session_id: str,
+        role: str,
+        content: str,
+        metadata: Optional[dict] = None,
+    ) -> dict:
+        now = datetime.now(UTC).isoformat()
+        message_id = str(uuid.uuid4())
+        metadata_json = json.dumps(metadata) if metadata is not None else None
+        self._execute(
+            """
+            INSERT INTO session_messages (id, session_id, role, content, metadata, created_at)
+            VALUES (?, ?, ?, ?, ?, ?)
+            """,
+            (message_id, session_id, role, content, metadata_json, now),
+        )
+        self._commit()
+        return {
+            "id": message_id,
+            "session_id": session_id,
+            "role": role,
+            "content": content,
+            "metadata": metadata,
+            "created_at": now,
+        }
+
+    def get_messages(
+        self, session_id: str, limit: int = 100, offset: int = 0
+    ) -> list[dict]:
+        rows = self._fetchall(
+            """
+            SELECT * FROM session_messages
+            WHERE session_id = ?
+            ORDER BY created_at
+            LIMIT ? OFFSET ?
+            """,
+            (session_id, limit, offset),
+        )
+        result = []
+        for row in rows:
+            d = self._row_to_dict(row)
+            if d.get("metadata"):
+                try:
+                    d["metadata"] = json.loads(d["metadata"])
+                except (json.JSONDecodeError, TypeError):
+                    d["metadata"] = None
+            result.append(d)
+        return result

codeframe/persistence/schema_manager.py

@@ -60,6 +60,9 @@ def create_schema(self) -> None:
         # Metrics and audit tables
         self._create_metrics_audit_tables(cursor)
 
+        # Interactive session tables
+        self._create_interactive_session_tables(cursor)
+
         # Apply schema migrations for existing databases BEFORE creating indexes
         # (indexes may reference columns added by migrations)
         self._apply_migrations(cursor)
@@ -832,6 +835,42 @@ def _create_metrics_audit_tables(self, cursor: sqlite3.Cursor) -> None:
         """
         )
 
+    def _create_interactive_session_tables(self, cursor: sqlite3.Cursor) -> None:
+        """Create interactive_sessions and session_messages tables."""
+        cursor.execute(
+            """
+            CREATE TABLE IF NOT EXISTS interactive_sessions (
+                id          TEXT PRIMARY KEY,
+                workspace_path TEXT NOT NULL,
+                task_id     TEXT,
+                state       TEXT NOT NULL DEFAULT 'active'
+                    CHECK (state IN ('active', 'paused', 'ended')),
+                agent_type  TEXT NOT NULL DEFAULT 'claude',
+                model       TEXT,
+                cost_usd    REAL DEFAULT 0.0,
+                input_tokens  INTEGER DEFAULT 0,
+                output_tokens INTEGER DEFAULT 0,
+                created_at  TEXT NOT NULL,
+                updated_at  TEXT NOT NULL,
+                ended_at    TEXT
+            )
+            """
+        )
+
+        cursor.execute(
+            """
+            CREATE TABLE IF NOT EXISTS session_messages (
+                id          TEXT PRIMARY KEY,
+                session_id  TEXT NOT NULL REFERENCES interactive_sessions(id) ON DELETE CASCADE,
+                role        TEXT NOT NULL
+                    CHECK (role IN ('user', 'assistant', 'tool_use', 'tool_result', 'thinking', 'system', 'error')),
+                content     TEXT NOT NULL,
+                metadata    TEXT,
+                created_at  TEXT NOT NULL
+            )
+            """
+        )
+
     def _create_indexes(self, cursor: sqlite3.Cursor) -> None:
         """Create all database indexes for performance."""
         # Issues indexes
@@ -951,6 +990,17 @@ def _create_indexes(self, cursor: sqlite3.Cursor) -> None:
             "CREATE INDEX IF NOT EXISTS idx_pull_requests_branch ON pull_requests(project_id, branch_name)"
         )
 
+        # Interactive session indexes
+        cursor.execute(
+            "CREATE INDEX IF NOT EXISTS idx_interactive_sessions_workspace ON interactive_sessions(workspace_path, state)"
+        )
+        cursor.execute(
+            "CREATE INDEX IF NOT EXISTS idx_interactive_sessions_state ON interactive_sessions(state, created_at DESC)"
+        )
+        cursor.execute(
+            "CREATE INDEX IF NOT EXISTS idx_session_messages_session ON session_messages(session_id, created_at)"
+        )
+
         # Audit logs indexes
         cursor.execute(
             "CREATE INDEX IF NOT EXISTS idx_audit_logs_user_id ON audit_logs(user_id, timestamp DESC)"