Prevent Agent overlaps at the various config levels.

PATCH handler findFirst include — Added repos: { select: { repoId: true } } and connections: { select: { connectionId: true } } to the PATCH handler's initial
findFirst, so existing.repos and existing.connections are available when computing effective IDs for the scope conflict check.

resolveAgentConfig.ts — Removed orderBy: { updatedAt: 'desc' } from all three findFirst queries (REPO, CONNECTION, ORG). Scope-level uniqueness is now enforced at
the API layer, making tiebreaker ordering unnecessary.

Tests — Added scope conflict coverage to both route test files:
- route.test.ts (POST): 5 new tests — ORG conflict, REPO overlap, CONNECTION overlap, disabled bypass, no create on conflict
- [agentId]/route.test.ts (PATCH): 5 new tests — ORG conflict, REPO overlap, CONNECTION overlap, disabled bypass, no update on conflict
- Fixed beforeEach mock chaining in PATCH name-collision and successful-update suites (was inadvertently passing makeDbConfig back for the conflict findFirst too)
- Updated makeDbConfig overrides type to accept repos/connections relation arrays

Author: Gavin Williams

docs/docs/features/agents/review-agent.mdx

@@ -147,6 +147,14 @@ Configs are managed on the **Agents** page in the Sourcebot UI. Each config has
 - **Connection** — applies to all repos in a specific connection
 - **Org** — applies to all repositories in your org (lowest priority, catch-all)
 
+Sourcebot enforces uniqueness within each scope level to avoid ambiguity:
+
+- Only one enabled org-scoped config can exist per agent type.
+- No two enabled repo-scoped configs can cover the same repository.
+- No two enabled connection-scoped configs can cover the same connection.
+
+Sourcebot rejects a create or update request that would violate these rules. To apply a different config to a subset of repos covered by an existing config, disable the existing config first, then create the new narrower one.
+
 When a PR or MR arrives, Sourcebot selects the most specific matching config. If no config exists, the agent falls back to global environment variable defaults.
 
 ## Custom prompt

packages/web/src/app/api/(server)/agents/[agentId]/route.test.ts

@@ -66,7 +66,12 @@ function makeDeleteRequest(agentId: string): NextRequest {
     return new NextRequest(makeUrl(agentId), { method: 'DELETE' });
 }
 
-function makeDbConfig(overrides: Partial<AgentConfig> = {}): AgentConfig & { repos: []; connections: [] } {
+type DbConfigOverrides = Partial<AgentConfig> & {
+    repos?: { repoId: number }[];
+    connections?: { connectionId: number }[];
+};
+
+function makeDbConfig(overrides: DbConfigOverrides = {}): AgentConfig & { repos: { repoId: number }[]; connections: { connectionId: number }[] } {
     return {
         id: 'cfg-abc',
         orgId: MOCK_ORG.id,
@@ -126,7 +131,10 @@ describe('PATCH /api/agents/[agentId]', () => {
 
     describe('name collision', () => {
         beforeEach(() => {
-            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+            // First findFirst: fetch existing config. Subsequent calls (scope conflict): no conflict.
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(makeDbConfig() as any)
+                .mockResolvedValue(null);
         });
 
         test('returns 409 when renaming to a name used by another config', async () => {
@@ -177,7 +185,10 @@ describe('PATCH /api/agents/[agentId]', () => {
 
     describe('successful update', () => {
         beforeEach(() => {
-            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+            // First findFirst: fetch existing config. Subsequent calls (scope conflict): no conflict.
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(makeDbConfig() as any)
+                .mockResolvedValue(null);
             prisma.agentConfig.findUnique.mockResolvedValue(null);
         });
 
@@ -204,6 +215,75 @@ describe('PATCH /api/agents/[agentId]', () => {
             );
         });
     });
+
+    describe('scope conflict', () => {
+        const params = { params: Promise.resolve({ agentId: AGENT_ID }) };
+
+        test('returns 409 when patching an ORG config conflicts with another enabled org-wide config', async () => {
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(makeDbConfig() as any)                                         // existing
+                .mockResolvedValueOnce(makeDbConfig({ id: 'cfg-other', name: 'conflicting' }) as any); // scope conflict
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { name: 'renamed' }), params);
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+            const body = await res.json();
+            expect(body.message).toContain('conflicting');
+        });
+
+        test('does not call update when a scope conflict is detected', async () => {
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(makeDbConfig() as any)
+                .mockResolvedValueOnce(makeDbConfig({ id: 'cfg-other', name: 'conflicting' }) as any);
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+
+            await PATCH(makePatchRequest(AGENT_ID, { name: 'renamed' }), params);
+
+            expect(prisma.agentConfig.update).not.toHaveBeenCalled();
+        });
+
+        test('returns 409 when a REPO config overlaps with another enabled REPO config', async () => {
+            const existingRepoConfig = makeDbConfig({
+                scope: AgentScope.REPO,
+                repos: [{ repoId: 5 }] as any,
+            });
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(existingRepoConfig as any)
+                .mockResolvedValueOnce(makeDbConfig({ id: 'cfg-other', name: 'conflicting', scope: AgentScope.REPO }) as any);
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { prompt: 'updated' }), params);
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+        });
+
+        test('returns 409 when a CONNECTION config overlaps with another enabled CONNECTION config', async () => {
+            const existingConnConfig = makeDbConfig({
+                scope: AgentScope.CONNECTION,
+                connections: [{ connectionId: 7 }] as any,
+            });
+            prisma.agentConfig.findFirst
+                .mockResolvedValueOnce(existingConnConfig as any)
+                .mockResolvedValueOnce(makeDbConfig({ id: 'cfg-other', name: 'conflicting', scope: AgentScope.CONNECTION }) as any);
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { prompt: 'updated' }), params);
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+        });
+
+        test('does not check scope conflict when patching enabled to false', async () => {
+            prisma.agentConfig.findFirst.mockResolvedValueOnce(makeDbConfig() as any);
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig({ enabled: false }) as any);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { enabled: false }), params);
+
+            expect(res.status).toBe(StatusCodes.OK);
+            expect(prisma.agentConfig.findFirst).toHaveBeenCalledTimes(1);
+        });
+    });
 });
 
 // ── DELETE /api/agents/[agentId] ──────────────────────────────────────────────

packages/web/src/app/api/(server)/agents/[agentId]/route.ts

@@ -87,6 +87,10 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
         return withMinimumOrgRole(role, OrgRole.OWNER, async () => {
         const existing = await prisma.agentConfig.findFirst({
             where: { id: agentId, orgId: org.id },
+            include: {
+                repos: { select: { repoId: true } },
+                connections: { select: { connectionId: true } },
+            },
         });
 
         if (!existing) {
@@ -154,6 +158,64 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
             }
         }
 
+        // Enforce scope-level uniqueness (only when the config is or will be enabled)
+        const willBeEnabled = enabled !== undefined ? enabled : existing.enabled;
+        if (willBeEnabled) {
+            const effectiveType = type ?? existing.type;
+            const notSelf = { id: { not: agentId } };
+
+            if (effectiveScope === AgentScope.ORG) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: { orgId: org.id, type: effectiveType, scope: AgentScope.ORG, enabled: true, ...notSelf },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `An org-wide config of this type already exists: '${conflict.name}'`,
+                    };
+                }
+            }
+
+            const effectiveRepoIds = repoIds ?? (effectiveScope === AgentScope.REPO
+                ? existing.repos?.map((r: { repoId: number }) => r.repoId) ?? []
+                : []);
+            if (effectiveScope === AgentScope.REPO && effectiveRepoIds.length > 0) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: {
+                        orgId: org.id, type: effectiveType, scope: AgentScope.REPO, enabled: true, ...notSelf,
+                        repos: { some: { repoId: { in: effectiveRepoIds } } },
+                    },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `One or more of the selected repos is already covered by config '${conflict.name}'`,
+                    };
+                }
+            }
+
+            const effectiveConnectionIds = connectionIds ?? (effectiveScope === AgentScope.CONNECTION
+                ? existing.connections?.map((c: { connectionId: number }) => c.connectionId) ?? []
+                : []);
+            if (effectiveScope === AgentScope.CONNECTION && effectiveConnectionIds.length > 0) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: {
+                        orgId: org.id, type: effectiveType, scope: AgentScope.CONNECTION, enabled: true, ...notSelf,
+                        connections: { some: { connectionId: { in: effectiveConnectionIds } } },
+                    },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `One or more of the selected connections is already covered by config '${conflict.name}'`,
+                    };
+                }
+            }
+        }
+
         try {
             // Rebuild junction table rows when scope or IDs are updated
             const updated = await prisma.agentConfig.update({

packages/web/src/app/api/(server)/agents/route.test.ts

@@ -194,6 +194,61 @@ describe('POST /api/agents', () => {
         });
     });
 
+    describe('scope conflict', () => {
+        beforeEach(() => {
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+        });
+
+        test('returns 409 when an enabled ORG-scoped config of the same type already exists', async () => {
+            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig({ id: 'cfg-conflict', name: 'existing' }) as any);
+
+            const res = await POST(makePostRequest({ name: 'new-config', type: 'CODE_REVIEW', scope: 'ORG' }));
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+            const body = await res.json();
+            expect(body.message).toContain('existing');
+        });
+
+        test('returns 409 when a REPO-scoped config already covers one of the provided repos', async () => {
+            prisma.repo.count.mockResolvedValue(1);
+            prisma.agentConfig.findFirst.mockResolvedValue(
+                makeDbConfig({ id: 'cfg-conflict', name: 'repo-config', scope: AgentScope.REPO }) as any,
+            );
+
+            const res = await POST(makePostRequest({ name: 'new-config', type: 'CODE_REVIEW', scope: 'REPO', repoIds: [1] }));
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+        });
+
+        test('returns 409 when a CONNECTION-scoped config already covers one of the provided connections', async () => {
+            prisma.connection.count.mockResolvedValue(1);
+            prisma.agentConfig.findFirst.mockResolvedValue(
+                makeDbConfig({ id: 'cfg-conflict', name: 'conn-config', scope: AgentScope.CONNECTION }) as any,
+            );
+
+            const res = await POST(makePostRequest({ name: 'new-config', type: 'CODE_REVIEW', scope: 'CONNECTION', connectionIds: [2] }));
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+        });
+
+        test('does not check for scope conflict when enabled is false', async () => {
+            prisma.agentConfig.create.mockResolvedValue(makeDbConfig({ enabled: false }) as any);
+
+            const res = await POST(makePostRequest({ name: 'new-config', type: 'CODE_REVIEW', scope: 'ORG', enabled: false }));
+
+            expect(res.status).toBe(StatusCodes.CREATED);
+            expect(prisma.agentConfig.findFirst).not.toHaveBeenCalled();
+        });
+
+        test('does not call create when a scope conflict is detected', async () => {
+            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig({ id: 'cfg-conflict', name: 'existing' }) as any);
+
+            await POST(makePostRequest({ name: 'new-config', type: 'CODE_REVIEW', scope: 'ORG' }));
+
+            expect(prisma.agentConfig.create).not.toHaveBeenCalled();
+        });
+    });
+
     describe('name collision', () => {
         test('returns 409 when a config with the same name already exists', async () => {
             prisma.agentConfig.findUnique.mockResolvedValue(makeDbConfig() as any);

packages/web/src/app/api/(server)/agents/route.ts

@@ -131,6 +131,54 @@ export const POST = apiHandler(async (request: NextRequest) => {
             }
         }
 
+        // Enforce scope-level uniqueness
+        if (enabled !== false) {
+            if (scope === AgentScope.ORG) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: { orgId: org.id, type, scope: AgentScope.ORG, enabled: true },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `An org-wide config of this type already exists: '${conflict.name}'`,
+                    };
+                }
+            }
+
+            if (scope === AgentScope.REPO && repoIds && repoIds.length > 0) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: {
+                        orgId: org.id, type, scope: AgentScope.REPO, enabled: true,
+                        repos: { some: { repoId: { in: repoIds } } },
+                    },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `One or more of the selected repos is already covered by config '${conflict.name}'`,
+                    };
+                }
+            }
+
+            if (scope === AgentScope.CONNECTION && connectionIds && connectionIds.length > 0) {
+                const conflict = await prisma.agentConfig.findFirst({
+                    where: {
+                        orgId: org.id, type, scope: AgentScope.CONNECTION, enabled: true,
+                        connections: { some: { connectionId: { in: connectionIds } } },
+                    },
+                });
+                if (conflict) {
+                    return {
+                        statusCode: StatusCodes.CONFLICT,
+                        errorCode: ErrorCode.AGENT_CONFIG_SCOPE_CONFLICT,
+                        message: `One or more of the selected connections is already covered by config '${conflict.name}'`,
+                    };
+                }
+            }
+        }
+
         try {
             const config = await prisma.agentConfig.create({
                 data: {

packages/web/src/features/agents/review-agent/resolveAgentConfig.ts

@@ -28,7 +28,6 @@ export async function resolveAgentConfig(
                 some: { repoId },
             },
         },
-        orderBy: { updatedAt: 'desc' },
     });
 
     if (repoConfig) {
@@ -53,7 +52,6 @@ export async function resolveAgentConfig(
                 },
             },
         },
-        orderBy: { updatedAt: 'desc' },
     });
 
     if (connectionConfig) {
@@ -69,7 +67,6 @@ export async function resolveAgentConfig(
             enabled: true,
             scope: 'ORG',
         },
-        orderBy: { updatedAt: 'desc' },
     });
 
     if (orgConfig) {

packages/web/src/lib/errorCodes.ts

@@ -36,4 +36,5 @@ export enum ErrorCode {
     API_KEY_USAGE_DISABLED = 'API_KEY_USAGE_DISABLED',
     AGENT_CONFIG_NOT_FOUND = 'AGENT_CONFIG_NOT_FOUND',
     AGENT_CONFIG_ALREADY_EXISTS = 'AGENT_CONFIG_ALREADY_EXISTS',
+    AGENT_CONFIG_SCOPE_CONFLICT = 'AGENT_CONFIG_SCOPE_CONFLICT',
 }