feat(THU-603): user-private scope for workspace resources#998

Merged: raivieiraadriano92 merged 14 commits into workspaces from raivieiraadriano92/thu-603-add-user-private-scope-to-workspace-resources on Jun 21, 2026

@raivieiraadriano92 raivieiraadriano92 commented Jun 18, 2026

Collaborator

Summary

THU-603 — Adds a per-row scope = 'workspace' | 'user' axis to workspace resources (skills, models, MCP servers, agents, modes, prompts, triggers, model_profiles, model_profiles), gated by a deployment-level allowUserScopedResources flag. 'user' rows are private to their author within the workspace; 'workspace' rows behave as today.

Along the way also:

  • Reorganises the settings sidebar into Account Settings / Extensions / Workspace.
  • Opens Workspace → General to every member of a shared workspace; non-admins see the page in read-only mode (the Duplicate action stays gated to admins).
  • Fixes a backend bug in the upload-handler row lookup where composite-PK tables with shared default-data ids (e.g. tasks) silently mis-routed a second user's PUT to the first user's row.
  • Stops seeding default onboarding tasks into freshly-created shared workspaces.
  • Stabilises two FE test flakes (logout-modal window.location.reload setup, useConfigStore state leaking between suites).

Commits

```
chore(THU-603): add scope column to workspace resource schemas
feat(THU-603): split sync rules by resource scope
feat(THU-603): scope-aware upload handler + config flag
feat(THU-603): thread scope through FE config and DAL
feat(THU-603): add scope picker primitive and gate hook
feat(THU-603): expose scope picker in resource UIs
feat(THU-603): accept user scope in workspace upload handler
fix(THU-603): skip default tasks when seeding new workspaces
fix(THU-603): honor composite PK in upload-handler row lookup
fix: stabilize logout-modal and skills-view flaky tests
refactor: split settings sidebar into Account / Extensions / Workspace
feat: open Workspace > General to members; read-only for non-admins
fix: reset useConfigStore between test suites to prevent leak
```

Test plan

  • Toggle `allowUserScopedResources` server-side; confirm the scope picker disappears in shared workspaces.
  • In a shared workspace as owner/admin, create a skill scoped to `'user'`; sign in as another admin/member and confirm the row is invisible (sync + listing).
  • As the row owner, flip a `'user'` skill back to `'workspace'` and confirm the other members see it.
  • Non-owner attempts to flip another member's `'user'` row: the picker is hidden in edit mode; a direct PATCH is silently dropped server-side.
  • Personal workspace shows no scope picker on any resource.
  • Sign in with a second account that's only a member of a shared workspace, confirm the personal workspace's default tasks sync (regression for the NOT_ROW_OWNER bug).
  • Shared-workspace member opens Workspace → General: page renders, all inputs are disabled, "Duplicate Workspace" is hidden.
  • Settings sidebar reads Account Settings → Extensions → Workspace with Skills / Integrations / Models / MCP Servers / Agents under Extensions.

Note

Medium Risk
Changes authorization and sync visibility across core workspace resources; mistakes could leak private rows or block legitimate multi-user default-data sync, though the upload-handler and bucket split are heavily tested.

Overview
Introduces per-row visibility (scope: workspace vs user) on eight synced workspace resource types (skills, models, agents, MCP servers, modes, prompts, triggers, model profiles), so authors can keep resources private within a shared workspace while shared rows behave as before.

Data & sync: A migration adds scope (default workspace) on those tables. PowerSync splits buckets: workspace_data only syncs scope = 'workspace' rows; a new user_scope_resources bucket syncs scope = 'user' rows to the row owner only.

Server: Upload handlers are scope-aware: scope = 'user' rows enforce owner-only PATCH/DELETE/upsert, with deployment flag allowUserScopedResources (env ALLOW_USER_SCOPED_RESOURCES, default on) blocking new user-scoped creates when off. fetchRowScope is fixed to disambiguate composite-PK rows when the same default-data id exists in multiple personal workspaces. Shared workspace creation no longer seeds default onboarding tasks.

Client: ScopePicker and useScopePickerEnabled wire into resource UIs (e.g. custom agents); DAL create paths persist scope. GET /config exposes allowUserScopedResources. Workspace → General is open to all members with read-only fields for non-admins; the settings sidebar is reorganized into Account / Extensions / Workspace.

Tests: Broad coverage for scope upload rules, composite-id collisions, config flag, and minor test stability fixes.

Reviewed by Cursor Bugbot for commit 2d4ff9d. Bugbot is set up for automated code reviews on this repo. Configure here.
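
An added TypeScript sketch of the server-side rules the description above states (owner-only writes on `scope = 'user'` rows, the flag gating new user-scoped creates, and the composite-key row lookup); it is not code from this PR. All type and function names, the reason strings other than `NOT_ROW_OWNER`, and the id + workspaceId key shape are assumptions.

```typescript
// Added illustration with hypothetical names; not the project's upload handler.
type Scope = "workspace" | "user";
interface Row { id: string; workspaceId: string; ownerId: string; scope: Scope }
interface Upload {
  op: "PUT" | "PATCH" | "DELETE";
  id: string; workspaceId: string; userId: string; scope?: Scope;
}
type Lookup = (rows: Row[], u: Upload) => Row | undefined;

// "Before" lookup: id only, so the first row with that id wins, whoever owns it.
const byIdOnly: Lookup = (rows, u) => rows.find((r) => r.id === u.id);
// "After" lookup: full composite key (assumed here to be id + workspaceId).
const byCompositeKey: Lookup = (rows, u) =>
  rows.find((r) => r.id === u.id && r.workspaceId === u.workspaceId);

// Returns "apply" or "drop:<reason>". Apart from NOT_ROW_OWNER, reason names are made up.
function decide(rows: Row[], u: Upload, allowUserScoped: boolean,
                lookup: Lookup = byCompositeKey): string {
  const existing = lookup(rows, u);
  if (existing) {
    // Owner-only rule: a 'user' row accepts writes from its author alone,
    // which also covers a non-owner trying to flip it to 'workspace'.
    if (existing.scope === "user" && existing.ownerId !== u.userId) {
      return "drop:NOT_ROW_OWNER";
    }
    return "apply";
  }
  if (u.op !== "PUT") return "drop:NO_SUCH_ROW";
  // Deployment flag off: refuse to create new user-scoped rows.
  if (u.scope === "user" && !allowUserScoped) return "drop:USER_SCOPE_DISABLED";
  return "apply";
}

// Constructed sample rows: "default-1" exists in two personal workspaces.
const sampleRows: Row[] = [
  { id: "default-1", workspaceId: "ws-alice", ownerId: "alice", scope: "user" },
  { id: "default-1", workspaceId: "ws-bob", ownerId: "bob", scope: "user" },
  { id: "skill-1", workspaceId: "ws-team", ownerId: "alice", scope: "user" },
];

// Replays bob's upsert of his own "default-1" row through both lookups.
function replayCollision(): string[] {
  const put: Upload = { op: "PUT", id: "default-1", workspaceId: "ws-bob", userId: "bob" };
  return [byIdOnly, byCompositeKey].map((l) => decide(sampleRows, put, true, l));
}
```

With the id-only lookup, bob's write resolves to alice's row and is rejected as a non-owner write; with the full key it reaches his own row.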

@github-actions

Semgrep Security Scan

No security issues found.

@raivieiraadriano92 changed the title from "Raivieiraadriano92/thu 603 add user private scope to workspace resources" to "feat(THU-603): user-private scope for workspace resources" on Jun 18, 2026
@raivieiraadriano92 marked this pull request as ready for review June 18, 2026 16:33

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 45dff70. Configure here.

Comment thread backend/src/powersync/upload-handlers/workspace-scoped.ts
Comment thread backend/src/powersync/upload-handlers/workspace-scoped.ts
github-actions Bot commented Jun 18, 2026

PR Metrics

| Metric | Value |
| --- | --- |
| Lines changed (prod code) | +819 / -205 |
| JS bundle size (gzipped) | 🔴 682.3 KB → 747.6 KB (+65.3 KB, +9.6%) |
| Test coverage | 🟡 78.09% → 76.97% (-1.1%) |
| Performance (preview) | Preview not ready — Render deploy may have timed out |
| Accessibility | |
| Best Practices | |
| SEO | |

Updated Thu, 18 Jun 2026 17:01:57 GMT · run #1944

@raivieiraadriano92 raivieiraadriano92 merged commit f82bd30 into workspaces Jun 21, 2026
11 of 13 checks passed
@raivieiraadriano92 raivieiraadriano92 deleted the raivieiraadriano92/thu-603-add-user-private-scope-to-workspace-resources branch June 21, 2026 15:34