docs/design/daemon-multi-workspace-session-organization-mutations.md
Add PATCH /workspaces/:workspace/session/:id/organization as a
workspace-qualified session organization mutation.
The route applies pin, group, and color changes to the session organization store owned by the selected workspace. It extends the existing plural REST surface without changing capabilities, request or response schemas, ACP, or UI behavior.
Workspace-qualified session reads already target the selected workspace.
GET /workspaces/:workspace/sessions can return persisted, archived, and live
sessions from a trusted non-primary runtime and can apply organized views and
group filters against that runtime's organization store.
The only organization mutation today is
PATCH /session/:id/organization. That legacy route is primary-workspace-only.
Consequently, a client can read organization state for a secondary workspace
but cannot update it through the matching workspace-qualified REST surface.
Register PATCH /workspaces/:workspace/session/:id/organization beside the
other workspace-qualified session storage routes.
The :workspace selector resolves exactly like the existing plural routes:
The selected runtime is the complete scope of the operation. Session lookup, group validation, organization mutation, and persistence all use that runtime's workspace cwd and stores. The handler never falls back to the primary runtime or searches another registered workspace.
:workspace to one registered runtime.:id in its active persisted store, archived
persisted store, or live bridge.groupId is present and non-null, the target runtime's group store
validates that group.isPinned, groupId, and
color with the existing semantics.Persisted active sessions, persisted archived sessions, and matching live-only sessions are valid targets. Organization remains sidecar state: the mutation does not rewrite transcript JSONL or change transcript modification time.
Plural route conventions determine the observable order:
400 { code: "workspace_mismatch" } response.403 { code: "untrusted_workspace" } before session or group existence is
disclosed.404.404 { code: "group_not_found" }.500 { code: "session_organization_store_unreadable" }.Archive and delete conflicts retain the existing archive coordinator errors.
There is no cross-workspace fallback at any error stage. A session or group that exists only in the primary workspace remains unknown when a secondary workspace is selected, and vice versa.
PATCH /session/:id/organization retains its current primary-only behavior,
including its mutation gate, validation, lookup, persistence, error shapes,
and response schema. Existing clients therefore keep the same routing and
duplicate-id behavior.
Clients use the plural mutation only after both session_organization and
workspace_qualified_rest_core are advertised. No new capability tag is
introduced.
ACP dispatch does not change. The qualified dispatcher already operates on
rt.bridge and rt.workspaceCwd, so workspace-qualified ACP session actions
are already bound to the selected runtime. This change is limited to the REST
organization mutation that was missing from the plural surface.
SessionOrganizationService uses its existing per-sidecar lock only to
serialize group and session-organization read-modify-write operations against
that same sidecar. The existing archive coordinator coordinates organization
updates with archive and delete transitions. This route adds no daemon-wide
lock and no new cross-service transaction or atomicity guarantee.
The automated tests and real E2E acceptance strategy together cover:
null updates return
the existing response shape.404 for a session that
exists only in a secondary workspace.403 before session or group lookup.Acceptance also includes build, typecheck, focused route and SDK tests, and an E2E pass covering two trusted workspaces plus negative trust and selector cases.
This change introduces no capability tag or capability payload change, no request or response schema change, no ACP behavior change, and no UI change. It does not make the legacy route multi-workspace-aware, add cross-workspace session discovery, or change archive, list, group, or transcript semantics.