fix: remove unique constraint from workspace name in schema and tests

[khaliqgant]

Summary

Part 1 of 2 — deploy this first, then the engine check removal.

PR #76 added migration 0003_workspace_name_not_globally_unique.sql to drop the unique index, but the Drizzle schema and test SQL weren't updated:

• packages/server/src/db/schema.ts — remove .unique() from name column
• packages/server/src/__tests__/directory.test.ts — remove UNIQUE from inline SQL
• packages/server/src/__tests__/routing.test.ts — remove UNIQUE from inline SQL

Test plan

• CI tests pass
• Drizzle schema matches production DB (migration already applied)

🤖 Generated with Claude Code

---

[devin-ai-integration]

Devin Review found 2 potential issues.

View 3 additional findings in Devin Review.

[devin-ai-integration]

🟡 Stale application-level uniqueness check in createWorkspace contradicts migration intent

The migration at packages/server/src/db/migrations/0009_drop_workspace_name_unique.sql:2 explicitly states "Workspace names are NOT globally unique — multiple workspaces can share a name." However, createWorkspace at packages/server/src/engine/workspace.ts:10-18 still checks for an existing workspace with the same name and throws a 409 error, preventing duplicate-named workspaces from being created via POST /workspaces. This contradicts the PR's stated intent. Additionally, without the DB unique index backing it, this application-level check now has a TOCTOU race condition — two concurrent POST /workspaces requests with the same name can both pass the check and create duplicates.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[github-actions]

Preview deployed!

Environment	URL
API	https://pr113-api.relaycast.dev
Health	https://pr113-api.relaycast.dev/health
Observer	https://pr113-observer.relaycast.dev/observer

This preview shares the staging database and will be cleaned up when the PR is merged or closed.

Run E2E tests

npm run e2e -- https://pr113-api.relaycast.dev --ci

Open observer dashboard

https://pr113-observer.relaycast.dev/observer

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 5 additional findings in Devin Review.

[devin-ai-integration]

🔴 Removing unique constraint makes getWorkspaceByName and A2A workspace resolution non-deterministic

With the UNIQUE constraint removed from workspaces.name, duplicate workspace names can now be created via PATCH /workspace (the updateWorkspace function at packages/server/src/engine/workspace.ts:88-118 has no application-level name uniqueness check — it relied entirely on the DB constraint). Once duplicates exist, getWorkspaceByName (packages/server/src/engine/workspace.ts:53-68) will silently return an arbitrary matching workspace. This affects the public GET /workspaces/by-name/:name endpoint and, more critically, the A2A handleWorkspaceAgentCard function at packages/server/src/routes/a2a.ts:245-249, which resolves a workspace by name to serve its agent card — potentially exposing the wrong workspace's agent data to an unauthenticated caller.

Prompt for agents

The unique constraint on workspaces.name was removed, but multiple code paths still assume workspace names are globally unique. You need to either:

1. Update all workspace-by-name lookups to handle ambiguity (return an error or a list instead of a single arbitrary result). Affected locations:
   - packages/server/src/engine/workspace.ts:53-68 (getWorkspaceByName) — used by GET /workspaces/by-name/:name
   - packages/server/src/routes/a2a.ts:245-249 (handleWorkspaceAgentCard) — resolves workspace for A2A agent card

2. OR add application-level uniqueness enforcement in updateWorkspace (packages/server/src/engine/workspace.ts:88-118) to prevent PATCH /workspace from creating duplicate names, similar to the existing check in createWorkspace.

Option 2 is simpler but contradicts the migration comment that says names are NOT globally unique. If the intent truly is to allow duplicate names, option 1 is needed, and these endpoints may need to be changed to use workspace ID instead of name.

---

Was this helpful? React with 👍 or 👎 to provide feedback.