Address a number of the CodeRabbit findings.

Author: Gavin Williams

packages/db/prisma/schema.prisma

@@ -627,7 +627,7 @@ model AgentConfig {
   connections AgentConfigToConnection[]
 
   /// Extensible per-agent settings stored as JSON.
-  /// Shape: { autoReviewEnabled?: boolean, reviewCommand?: string, model?: string }
+  /// Shape: { autoReviewEnabled?: boolean, reviewCommand?: string, model?: string, contextFiles?: string }
   settings    Json        @default("{}")
 
   createdAt   DateTime    @default(now())

packages/web/src/app/(app)/agents/configs/[agentId]/page.tsx

@@ -2,6 +2,7 @@ import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { NavigationMenu } from "@/app/(app)/components/navigationMenu";
 import { AgentConfigForm } from "../agentConfigForm";
 import { notFound } from "next/navigation";
+import { OrgRole } from "@sourcebot/db";
 
 type Props = {
     params: Promise<{ agentId: string }>;
@@ -59,4 +60,4 @@ export default authenticatedPage(async ({ prisma, org }, { params }: Props) => {
             </div>
         </div>
     );
-});
+}, { minRole: OrgRole.OWNER, redirectTo: '/agents' });

packages/web/src/app/(app)/agents/configs/new/page.tsx

@@ -1,6 +1,7 @@
 import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { NavigationMenu } from "@/app/(app)/components/navigationMenu";
 import { AgentConfigForm } from "../agentConfigForm";
+import { OrgRole } from "@sourcebot/db";
 
 export default authenticatedPage(async ({ prisma, org }) => {
     const connections = await prisma.connection.findMany({
@@ -24,4 +25,4 @@ export default authenticatedPage(async ({ prisma, org }) => {
             </div>
         </div>
     );
-});
+}, { minRole: OrgRole.OWNER, redirectTo: '/agents' });

packages/web/src/app/api/(server)/agents/[agentId]/route.test.ts

@@ -0,0 +1,232 @@
+import { expect, test, vi, describe, beforeEach } from 'vitest';
+import { NextRequest } from 'next/server';
+import { MOCK_ORG, MOCK_USER_WITH_ACCOUNTS, prisma } from '@/__mocks__/prisma';
+import { AgentConfig, AgentScope, AgentType, OrgRole, PromptMode } from '@sourcebot/db';
+import { StatusCodes } from 'http-status-codes';
+
+vi.mock('@/prisma', async () => {
+    const actual = await vi.importActual<typeof import('@/__mocks__/prisma')>('@/__mocks__/prisma');
+    return { ...actual };
+});
+
+vi.mock('server-only', () => ({ default: vi.fn() }));
+
+vi.mock('@sourcebot/shared', () => ({
+    createLogger: () => ({
+        debug: vi.fn(),
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+    }),
+    env: {},
+}));
+
+vi.mock('@/lib/posthog', () => ({ captureEvent: vi.fn() }));
+
+vi.mock('@/middleware/withAuth', () => ({
+    withAuth: vi.fn(async (fn: Function) =>
+        fn({ org: MOCK_ORG, user: MOCK_USER_WITH_ACCOUNTS, role: OrgRole.OWNER, prisma })
+    ),
+}));
+
+// app.ts imports heavy node deps — provide a real Zod schema so updateAgentConfigBodySchema.safeParse works.
+vi.mock('@/features/agents/review-agent/app', async () => {
+    const { z } = await import('zod');
+    return {
+        agentConfigSettingsSchema: z.object({
+            autoReviewEnabled: z.boolean().optional(),
+            reviewCommand: z.string().optional(),
+            model: z.string().optional(),
+            contextFiles: z.string().optional(),
+        }),
+    };
+});
+
+import { GET, PATCH, DELETE } from './route';
+
+// ── helpers ───────────────────────────────────────────────────────────────────
+
+function makeUrl(agentId: string): string {
+    return `http://localhost/api/agents/${agentId}`;
+}
+
+function makePatchRequest(agentId: string, body: unknown): NextRequest {
+    return new NextRequest(makeUrl(agentId), {
+        method: 'PATCH',
+        body: JSON.stringify(body),
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+
+function makeGetRequest(agentId: string): NextRequest {
+    return new NextRequest(makeUrl(agentId), { method: 'GET' });
+}
+
+function makeDeleteRequest(agentId: string): NextRequest {
+    return new NextRequest(makeUrl(agentId), { method: 'DELETE' });
+}
+
+function makeDbConfig(overrides: Partial<AgentConfig> = {}): AgentConfig & { repos: []; connections: [] } {
+    return {
+        id: 'cfg-abc',
+        orgId: MOCK_ORG.id,
+        name: 'my-config',
+        description: null,
+        type: AgentType.CODE_REVIEW,
+        enabled: true,
+        prompt: null,
+        promptMode: PromptMode.APPEND,
+        scope: AgentScope.ORG,
+        settings: {},
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        repos: [],
+        connections: [],
+        ...overrides,
+    };
+}
+
+// ── GET /api/agents/[agentId] ─────────────────────────────────────────────────
+
+describe('GET /api/agents/[agentId]', () => {
+    test('returns 404 when config does not exist', async () => {
+        prisma.agentConfig.findFirst.mockResolvedValue(null);
+
+        const res = await GET(makeGetRequest('cfg-missing'), { params: Promise.resolve({ agentId: 'cfg-missing' }) });
+
+        expect(res.status).toBe(StatusCodes.NOT_FOUND);
+    });
+
+    test('returns 200 with the config when found', async () => {
+        prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+
+        const res = await GET(makeGetRequest('cfg-abc'), { params: Promise.resolve({ agentId: 'cfg-abc' }) });
+
+        expect(res.status).toBe(StatusCodes.OK);
+        const body = await res.json();
+        expect(body.id).toBe('cfg-abc');
+    });
+});
+
+// ── PATCH /api/agents/[agentId] ───────────────────────────────────────────────
+
+describe('PATCH /api/agents/[agentId]', () => {
+    const AGENT_ID = 'cfg-abc';
+    const params = { params: Promise.resolve({ agentId: AGENT_ID }) };
+
+    describe('not found', () => {
+        test('returns 404 when the config does not exist', async () => {
+            prisma.agentConfig.findFirst.mockResolvedValue(null);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { name: 'new-name' }), params);
+
+            expect(res.status).toBe(StatusCodes.NOT_FOUND);
+        });
+    });
+
+    describe('name collision', () => {
+        beforeEach(() => {
+            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+        });
+
+        test('returns 409 when renaming to a name used by another config', async () => {
+            prisma.agentConfig.findUnique.mockResolvedValue(makeDbConfig({ id: 'cfg-other', name: 'taken-name' }) as any);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { name: 'taken-name' }), params);
+
+            expect(res.status).toBe(StatusCodes.CONFLICT);
+            const body = await res.json();
+            expect(body.message).toContain('taken-name');
+        });
+
+        test('does not call update when a name collision is detected', async () => {
+            prisma.agentConfig.findUnique.mockResolvedValue(makeDbConfig({ id: 'cfg-other' }) as any);
+
+            await PATCH(makePatchRequest(AGENT_ID, { name: 'taken-name' }), params);
+
+            expect(prisma.agentConfig.update).not.toHaveBeenCalled();
+        });
+
+        test('returns 200 when renaming to the same name the config already has', async () => {
+            // No collision — the config has name 'my-config' and we're "renaming" to the same value.
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig() as any);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { name: 'my-config' }), params);
+
+            expect(res.status).toBe(StatusCodes.OK);
+        });
+
+        test('does not query for collision when name is not in the patch body', async () => {
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig() as any);
+
+            await PATCH(makePatchRequest(AGENT_ID, { enabled: false }), params);
+
+            expect(prisma.agentConfig.findUnique).not.toHaveBeenCalled();
+        });
+
+        test('returns 200 when renaming to a free name', async () => {
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig({ name: 'free-name' }) as any);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { name: 'free-name' }), params);
+
+            expect(res.status).toBe(StatusCodes.OK);
+        });
+    });
+
+    describe('successful update', () => {
+        beforeEach(() => {
+            prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+            prisma.agentConfig.findUnique.mockResolvedValue(null);
+        });
+
+        test('returns 200 on a valid patch', async () => {
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig({ enabled: false }) as any);
+
+            const res = await PATCH(makePatchRequest(AGENT_ID, { enabled: false }), params);
+
+            expect(res.status).toBe(StatusCodes.OK);
+        });
+
+        test('calls prisma.agentConfig.update with the patched fields', async () => {
+            prisma.agentConfig.update.mockResolvedValue(makeDbConfig() as any);
+
+            await PATCH(makePatchRequest(AGENT_ID, { enabled: false, prompt: 'Be strict.' }), params);
+
+            expect(prisma.agentConfig.update).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    data: expect.objectContaining({
+                        enabled: false,
+                        prompt: 'Be strict.',
+                    }),
+                }),
+            );
+        });
+    });
+});
+
+// ── DELETE /api/agents/[agentId] ──────────────────────────────────────────────
+
+describe('DELETE /api/agents/[agentId]', () => {
+    const AGENT_ID = 'cfg-abc';
+    const params = { params: Promise.resolve({ agentId: AGENT_ID }) };
+
+    test('returns 404 when the config does not exist', async () => {
+        prisma.agentConfig.findFirst.mockResolvedValue(null);
+
+        const res = await DELETE(makeDeleteRequest(AGENT_ID), params);
+
+        expect(res.status).toBe(StatusCodes.NOT_FOUND);
+    });
+
+    test('returns 200 and calls delete when the config exists', async () => {
+        prisma.agentConfig.findFirst.mockResolvedValue(makeDbConfig() as any);
+        prisma.agentConfig.delete.mockResolvedValue(makeDbConfig() as any);
+
+        const res = await DELETE(makeDeleteRequest(AGENT_ID), params);
+
+        expect(res.status).toBe(StatusCodes.OK);
+        expect(prisma.agentConfig.delete).toHaveBeenCalledWith({ where: { id: AGENT_ID } });
+    });
+});

packages/web/src/app/api/(server)/agents/[agentId]/route.ts

@@ -3,21 +3,19 @@
 import { apiHandler } from "@/lib/apiHandler";
 import { requestBodySchemaValidationError, serviceErrorResponse, notFound } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
+import { ErrorCode } from "@/lib/errorCodes";
 import { withAuth } from "@/middleware/withAuth";
+import { withMinimumOrgRole } from "@/middleware/withMinimumOrgRole";
+import { OrgRole } from "@sourcebot/db";
 import { NextRequest } from "next/server";
 import { z } from "zod";
 import { StatusCodes } from "http-status-codes";
 import { AgentScope, AgentType, PromptMode } from "@sourcebot/db";
 import { createLogger } from "@sourcebot/shared";
+import { agentConfigSettingsSchema } from "@/features/agents/review-agent/app";
 
 const logger = createLogger('agents-api');
 
-const agentConfigSettingsSchema = z.object({
-    autoReviewEnabled: z.boolean().optional(),
-    reviewCommand: z.string().optional(),
-    model: z.string().optional(),
-});
-
 const updateAgentConfigBodySchema = z.object({
     name: z.string().min(1).max(255).optional(),
     description: z.string().nullable().optional(),
@@ -85,7 +83,8 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
 
     const { name, description, type, enabled, prompt, promptMode, scope, repoIds, connectionIds, settings } = parsed.data;
 
-    const result = await withAuth(async ({ org, prisma }) => {
+    const result = await withAuth(async ({ org, role, prisma }) => {
+        return withMinimumOrgRole(role, OrgRole.OWNER, async () => {
         const existing = await prisma.agentConfig.findFirst({
             where: { id: agentId, orgId: org.id },
         });
@@ -94,6 +93,21 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
             return notFound(`Agent config '${agentId}' not found`);
         }
 
+        // Check for name collision with a different config in the same org
+        if (name !== undefined && name !== existing.name) {
+            const collision = await prisma.agentConfig.findUnique({
+                where: { orgId_name: { orgId: org.id, name } },
+            });
+
+            if (collision) {
+                return {
+                    statusCode: StatusCodes.CONFLICT,
+                    errorCode: ErrorCode.AGENT_CONFIG_ALREADY_EXISTS,
+                    message: `An agent config named '${name}' already exists`,
+                };
+            }
+        }
+
         const effectiveScope = scope ?? existing.scope;
 
         // When scope changes to REPO/CONNECTION, IDs must be supplied
@@ -113,6 +127,33 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
             };
         }
 
+        // Verify all provided IDs belong to this org
+        if (repoIds && repoIds.length > 0) {
+            const count = await prisma.repo.count({
+                where: { id: { in: repoIds }, orgId: org.id },
+            });
+            if (count !== repoIds.length) {
+                return {
+                    statusCode: StatusCodes.BAD_REQUEST,
+                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
+                    message: "One or more repoIds are invalid or do not belong to this org",
+                };
+            }
+        }
+
+        if (connectionIds && connectionIds.length > 0) {
+            const count = await prisma.connection.count({
+                where: { id: { in: connectionIds }, orgId: org.id },
+            });
+            if (count !== connectionIds.length) {
+                return {
+                    statusCode: StatusCodes.BAD_REQUEST,
+                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
+                    message: "One or more connectionIds are invalid or do not belong to this org",
+                };
+            }
+        }
+
         try {
             // Rebuild junction table rows when scope or IDs are updated
             const updated = await prisma.agentConfig.update({
@@ -147,6 +188,7 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
             logger.error('Error updating agent config', { error, agentId, orgId: org.id });
             throw error;
         }
+        });
     });
 
     if (isServiceError(result)) {
@@ -159,7 +201,8 @@ export const PATCH = apiHandler(async (request: NextRequest, { params }: RoutePa
 export const DELETE = apiHandler(async (_request: NextRequest, { params }: RouteParams) => {
     const { agentId } = await params;
 
-    const result = await withAuth(async ({ org, prisma }) => {
+    const result = await withAuth(async ({ org, role, prisma }) => {
+        return withMinimumOrgRole(role, OrgRole.OWNER, async () => {
         const existing = await prisma.agentConfig.findFirst({
             where: { id: agentId, orgId: org.id },
         });
@@ -175,6 +218,7 @@ export const DELETE = apiHandler(async (_request: NextRequest, { params }: Route
             logger.error('Error deleting agent config', { error, agentId, orgId: org.id });
             throw error;
         }
+        });
     });
 
     if (isServiceError(result)) {