Phase 3C — Commit Summary

feat: workspaces — collaborative repo namespaces
Backend
- internal/models/workspace.go — Workspace (handle, displayName,
  description, createdBy) + WorkspaceMember (workspaceId, userId,
  username, role: owner/admin/member)
- internal/models/repo.go — added nullable workspace_id column; existing
  user repos unaffected
- internal/models/migrations/011_workspaces.go — syncs both tables +
  adds column to repository
- internal/api/handlers/workspace.go — ListWorkspaces, CreateWorkspace,
  GetWorkspace, UpdateWorkspace, DeleteWorkspace (blocks if repos
  remain), ListRepos, ListMembers, AddMember, UpdateMember, RemoveMember
- internal/api/handlers/repos.go — lookupRepo resolves workspace
  handles; Create accepts workspace field; List includes workspace
  member repos; withOwnerName uses workspace handle for workspace-owned
  repos
- internal/api/handlers/dashboard.go — recentRuns + repo list include
  workspace repos the user is a member of
- internal/api/router.go — /workspaces, /workspaces/:handle/* routes
  Workspace rules enforced:
- Handle globally unique across usernames + workspace handles (409 on
  collision)
- Creator auto-assigned owner role
- Delete blocked if repos exist
- Last owner cannot be demoted/removed
  ---
  feat: secret management hierarchy (Global → Workspace → Repo → Env)
  Backend
- internal/models/secret.go — Secret struct +
  EncryptSecret/DecryptSecret with AES-256-GCM (key = SHA-256 of
  SESSION_SECRET); values never serialised to JSON
- internal/models/migrations/012_secrets.go — syncs secret table
- internal/api/handlers/secret.go — List/Upsert/Delete for all four
  scopes; ResolveSecretsForRun builds merged env map for CI
- internal/domain/ci/executor.go — JobContext.Secrets field; secrets
  injected as --env KEY=VALUE into docker run; buildJobContext calls
  resolveSecrets(Global < Workspace < Repo < Env)
- internal/domain/ci/runner_manager.go — passes cfg.SessionSecret to
  buildJobContext
- internal/api/router.go — /repos/:owner/:repo/secrets,
  /environments/:envName/secrets, /workspaces/:handle/secrets,
  /admin/secrets
  ---
  feat: workspace + secret management UI
  Frontend
- types/api.ts — Workspace, WorkspaceWithMeta, WorkspaceMember,
  SecretListItem types
- api/queries/workspaces.ts — full CRUD hooks + WorkspaceRepo type
- api/queries/secrets.ts — repo/env/workspace secret hooks
- pages/WorkspacesPage.tsx — list + create modal
- pages/WorkspacePage.tsx — workspace dashboard with repo list
- pages/WorkspaceSettingsPage.tsx — general settings, members CRUD,
  workspace secrets, danger zone
- pages/RepoSecretsPage.tsx — repo secrets + per-environment secret
  sections with priority hierarchy callout
- pages/CreateRepoPage.tsx — ?workspace= query param pre-fills owner
  selector; only admin/owner workspaces shown
- components/layout/Sidebar.tsx — "Workspaces" global nav item +
  workspace quick-links; "Secrets" in RepoSubNav; new SecretsIcon,
  WorkspaceIcon
- App.tsx — routes for /workspaces, /workspaces/:handle,
  /workspaces/:handle/settings, /repos/:owner/:repo/secrets

frontend/src/api/queries/repos.ts

@@ -186,6 +186,7 @@ export function useCreateRepo() {
       defaultBranch?: string
       initReadme?: 'none' | 'blank' | 'tutorial'
       initGitignore?: boolean
+      workspace?: string
     }) => api.post<Repository>('/api/v1/repos', repositorySchema, data),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ['repos'] })

frontend/src/api/queries/secrets.ts

@@ -0,0 +1,118 @@
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
+import { z } from 'zod'
+import { api } from '../client'
+import type { SecretListItem } from '../../types/api'
+
+const secretSchema = z.object({
+  id: z.number(),
+  name: z.string(),
+  createdAt: z.string(),
+  updatedAt: z.string(),
+})
+
+const secretsSchema = z.array(secretSchema)
+
+// ── Repo secrets ──────────────────────────────────────────────────────────────
+
+export function useRepoSecrets(owner: string, repo: string) {
+  return useQuery({
+    queryKey: ['repos', owner, repo, 'secrets'],
+    queryFn: () =>
+      api.get<SecretListItem[]>(`/api/v1/repos/${owner}/${repo}/secrets`, secretsSchema),
+    enabled: Boolean(owner && repo),
+  })
+}
+
+export function useUpsertRepoSecret(owner: string, repo: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { name: string; value: string }) =>
+      api.post<SecretListItem>(`/api/v1/repos/${owner}/${repo}/secrets`, secretSchema, body),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['repos', owner, repo, 'secrets'] }),
+  })
+}
+
+export function useDeleteRepoSecret(owner: string, repo: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (name: string) =>
+      api.delete<void>(
+        `/api/v1/repos/${owner}/${repo}/secrets/${encodeURIComponent(name)}`,
+        z.unknown() as z.ZodType<void>,
+      ),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['repos', owner, repo, 'secrets'] }),
+  })
+}
+
+// ── Environment secrets ───────────────────────────────────────────────────────
+
+export function useEnvSecrets(owner: string, repo: string, envName: string) {
+  return useQuery({
+    queryKey: ['repos', owner, repo, 'environments', envName, 'secrets'],
+    queryFn: () =>
+      api.get<SecretListItem[]>(
+        `/api/v1/repos/${owner}/${repo}/environments/${envName}/secrets`,
+        secretsSchema,
+      ),
+    enabled: Boolean(owner && repo && envName),
+  })
+}
+
+export function useUpsertEnvSecret(owner: string, repo: string, envName: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { name: string; value: string }) =>
+      api.post<SecretListItem>(
+        `/api/v1/repos/${owner}/${repo}/environments/${envName}/secrets`,
+        secretSchema,
+        body,
+      ),
+    onSuccess: () =>
+      qc.invalidateQueries({ queryKey: ['repos', owner, repo, 'environments', envName, 'secrets'] }),
+  })
+}
+
+export function useDeleteEnvSecret(owner: string, repo: string, envName: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (name: string) =>
+      api.delete<void>(
+        `/api/v1/repos/${owner}/${repo}/environments/${envName}/secrets/${encodeURIComponent(name)}`,
+        z.unknown() as z.ZodType<void>,
+      ),
+    onSuccess: () =>
+      qc.invalidateQueries({ queryKey: ['repos', owner, repo, 'environments', envName, 'secrets'] }),
+  })
+}
+
+// ── Workspace secrets ─────────────────────────────────────────────────────────
+
+export function useWorkspaceSecrets(handle: string) {
+  return useQuery({
+    queryKey: ['workspaces', handle, 'secrets'],
+    queryFn: () =>
+      api.get<SecretListItem[]>(`/api/v1/workspaces/${handle}/secrets`, secretsSchema),
+    enabled: Boolean(handle),
+  })
+}
+
+export function useUpsertWorkspaceSecret(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { name: string; value: string }) =>
+      api.post<SecretListItem>(`/api/v1/workspaces/${handle}/secrets`, secretSchema, body),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces', handle, 'secrets'] }),
+  })
+}
+
+export function useDeleteWorkspaceSecret(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (name: string) =>
+      api.delete<void>(
+        `/api/v1/workspaces/${handle}/secrets/${encodeURIComponent(name)}`,
+        z.unknown() as z.ZodType<void>,
+      ),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces', handle, 'secrets'] }),
+  })
+}

frontend/src/api/queries/workspaces.ts

@@ -0,0 +1,157 @@
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
+import { z } from 'zod'
+import { api } from '../client'
+import type { WorkspaceWithMeta, WorkspaceMember } from '../../types/api'
+
+// ── Schemas ───────────────────────────────────────────────────────────────────
+
+const wsSchema = z.object({
+  id: z.number(),
+  handle: z.string(),
+  displayName: z.string(),
+  description: z.string(),
+  avatarUrl: z.string(),
+  createdBy: z.number(),
+  createdAt: z.string(),
+  updatedAt: z.string(),
+  memberCount: z.number(),
+  repoCount: z.number(),
+  myRole: z.string(),
+})
+
+const memberSchema = z.object({
+  id: z.number(),
+  workspaceId: z.number(),
+  userId: z.number(),
+  username: z.string(),
+  role: z.enum(['owner', 'admin', 'member']),
+  addedAt: z.string(),
+})
+
+// WorkspaceRepo — raw repo as returned by the workspace list endpoint
+export interface WorkspaceRepo {
+  id: number
+  ownerId: number
+  workspaceId?: number | null
+  ownerName: string
+  name: string
+  description: string
+  isPrivate: boolean
+  defaultBranch: string
+  createdAt: string
+  updatedAt: string
+}
+
+const repoSchema = z.object({
+  id: z.number(),
+  ownerId: z.number(),
+  workspaceId: z.number().nullable().optional(),
+  ownerName: z.string(),
+  name: z.string(),
+  description: z.string(),
+  isPrivate: z.boolean(),
+  defaultBranch: z.string(),
+  createdAt: z.string(),
+  updatedAt: z.string(),
+})
+
+// ── Queries ───────────────────────────────────────────────────────────────────
+
+export function useWorkspaces() {
+  return useQuery({
+    queryKey: ['workspaces'],
+    queryFn: () => api.get<WorkspaceWithMeta[]>('/api/v1/workspaces', z.array(wsSchema)),
+  })
+}
+
+export function useWorkspace(handle: string) {
+  return useQuery({
+    queryKey: ['workspaces', handle],
+    queryFn: () => api.get<WorkspaceWithMeta>(`/api/v1/workspaces/${handle}`, wsSchema),
+    enabled: Boolean(handle),
+  })
+}
+
+export function useWorkspaceMembers(handle: string) {
+  return useQuery({
+    queryKey: ['workspaces', handle, 'members'],
+    queryFn: () =>
+      api.get<WorkspaceMember[]>(`/api/v1/workspaces/${handle}/members`, z.array(memberSchema)),
+    enabled: Boolean(handle),
+  })
+}
+
+export function useWorkspaceRepos(handle: string) {
+  return useQuery({
+    queryKey: ['workspaces', handle, 'repos'],
+    queryFn: () =>
+      api.get<WorkspaceRepo[]>(`/api/v1/workspaces/${handle}/repos`, z.array(repoSchema)),
+    enabled: Boolean(handle),
+  })
+}
+
+// ── Mutations ─────────────────────────────────────────────────────────────────
+
+export function useCreateWorkspace() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { handle: string; displayName?: string; description?: string }) =>
+      api.post<WorkspaceWithMeta>('/api/v1/workspaces', wsSchema, body),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces'] }),
+  })
+}
+
+export function useUpdateWorkspace(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { displayName?: string; description?: string }) =>
+      api.patch<WorkspaceWithMeta>(`/api/v1/workspaces/${handle}`, wsSchema, body),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['workspaces'] })
+      qc.invalidateQueries({ queryKey: ['workspaces', handle] })
+    },
+  })
+}
+
+export function useDeleteWorkspace(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: () =>
+      api.delete<void>(`/api/v1/workspaces/${handle}`, z.unknown() as z.ZodType<void>),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces'] }),
+  })
+}
+
+export function useAddWorkspaceMember(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (body: { username: string; role: string }) =>
+      api.post<WorkspaceMember>(`/api/v1/workspaces/${handle}/members`, memberSchema, body),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces', handle, 'members'] }),
+  })
+}
+
+export function useUpdateWorkspaceMember(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ username, role }: { username: string; role: string }) =>
+      api.patch<WorkspaceMember>(
+        `/api/v1/workspaces/${handle}/members/${username}`,
+        memberSchema,
+        { role },
+      ),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces', handle, 'members'] }),
+  })
+}
+
+export function useRemoveWorkspaceMember(handle: string) {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (username: string) =>
+      api.delete<void>(
+        `/api/v1/workspaces/${handle}/members/${username}`,
+        z.unknown() as z.ZodType<void>,
+      ),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['workspaces', handle, 'members'] }),
+  })
+}