feat: Public community rooms infrastructure (bd-viral-001) #295

Open
khaliqgant wants to merge 3 commits into main from feat/public-community-rooms

@khaliqgant (Collaborator) commented Jan 24, 2026

Adds infrastructure for public community workspaces.

  • Add isPublic field to workspace schema
  • Create migration for workspace visibility
  • Update workspace API to support public workspaces
  • Add admin endpoint to list public workspaces
  • Update provisioner to set isPublic flag
  • Add seed script for community workspace setup

Infrastructure ready for always-on AI agents deployment (bd-agent-public-001).

Implements bd-viral-001 viral growth feature.


my-senior-dev-pr-review bot commented Jan 24, 2026

🤖 My Senior Dev — Analysis Complete

👤 For @khaliqgant

📁 Expert in src (662 edits) • ⚡ 152nd PR this month

📊 7 files reviewed • 3 high risk • 3 need attention

🚨 High Risk:

  • packages/cloud/src/api/admin.ts — Critical new endpoints for administrative tasks including community workspace creation.

⚠️ Needs Attention:

  • packages/cloud/src/api/admin.ts — Includes important logic and security changes around workspace management.

devin-ai-integration bot left a comment

Devin Review found 2 potential issues.

View issues and 5 additional flags in Devin Review.

- Fix chained .where() calls in findPublic() to use and() for proper filtering
- Fix incorrect getDb() usage in admin endpoint to use db query object
- Resolves security issue where all running workspaces were returned
- Resolves runtime error where findAll() didn't exist on raw Drizzle instance

devin-ai-integration bot left a comment

Devin Review found 2 new potential issues.

View issues and 7 additional flags in Devin Review.

Comment on lines +19 to +24
import { getDb } from '../packages/cloud/src/db/drizzle.js';
import { getProvisioner } from '../packages/cloud/src/provisioner/index.js';

async function seedCommunityWorkspace() {
const config = getConfig();
const db = getDb();

🔴 Seed script imports wrong db interface - will crash at runtime

The seed script imports getDb from drizzle.ts and assigns it to db, but then uses it with query namespace methods like db.users.findByGithubUsername() and db.workspaces.findByUserId().

Root Cause

getDb() returns a raw Drizzle database instance (drizzle(getPool(), { schema })), not the db object with query namespaces exported from db/index.ts.

In scripts/seed-community-workspace.ts:19 and scripts/seed-community-workspace.ts:24:

import { getDb } from '../packages/cloud/src/db/drizzle.js';
// ...
const db = getDb();

Usage at lines 29, 41, 54:

const systemUser = await db.users.findByGithubUsername('agent-relay');
const existingWorkspaces = await db.workspaces.findByUserId(systemUser.id);
await db.workspaces.update(communityWorkspace.id, { isPublic: true });

Actual vs Expected

  • Actual: getDb() returns a Drizzle ORM instance which doesn't have .users or .workspaces properties with these query methods.
  • Expected: Should import db from ../packages/cloud/src/db/index.js which exports the object with query namespaces.

Impact

The seed script will crash with a TypeError when trying to access db.users.findByGithubUsername because the property doesn't exist on the Drizzle instance.

Recommendation: Change import to: import { db } from '../packages/cloud/src/db/index.js'; and remove the const db = getDb(); line.

Comment on lines +346 to +348
if (workspace.isPublic && workspace.status === 'running') {
setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'public', permission: 'read' });
return { hasAccess: true, accessType: 'public', permission: 'read' };
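
Review bot: The grant object is written out twice, once in the setCachedAccess call and once in the return statement, so the cached value and the returned value can drift apart if one is edited later. Build it once (for example const access = { hasAccess: true, accessType: 'public', permission: 'read' }) and pass the same value to both. A short comment stating that public access is deliberately limited to permission: 'read' would also help the next reader of this branch.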

🔴 Cache staleness when public workspace status changes

The checkWorkspaceAccess function caches access results for 5 minutes, but when a workspace's isPublic flag or status changes, the cache is never invalidated.

Root Cause

At packages/cloud/src/api/workspaces.ts:346-348, access is granted based on workspace.isPublic && workspace.status === 'running' and cached:

if (workspace.isPublic && workspace.status === 'running') {
  setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'public', permission: 'read' });
  return { hasAccess: true, accessType: 'public', permission: 'read' };
}

The _invalidateCachedAccess function exists at line 51 but is never called anywhere in the codebase when workspace visibility or status changes.

Actual vs Expected

  • Actual: If a public workspace is made private or stops running, users may still have cached hasAccess: true for up to 5 minutes. Conversely, if a workspace becomes public, users who previously checked access may be denied for up to 5 minutes.
  • Expected: Cache should be invalidated when isPublic or status changes.

Impact

  • Users could access a workspace that was made private (security issue)
  • Users could access a workspace that is no longer running
  • Users may be denied access to newly public workspaces

Recommendation: Call _invalidateCachedAccess when workspace visibility or status changes. Since access is cached per user-workspace pair, consider broadcasting cache invalidation when isPublic changes, or reduce the cache TTL for public workspace access checks.
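
An added TypeScript example of the invalidation this recommendation describes (not code from this PR or from Devin Review): the cache is keyed by workspace first, so one visibility change evicts every user's cached grant. It models only the public-read branch; AccessCache, setVisibility and demo are hypothetical names, and the IDs are constructed.

```typescript
// Added example; AccessCache, setVisibility and demo are hypothetical names.
type Access = { hasAccess: boolean; accessType?: 'public'; permission?: 'read' };
type Workspace = { id: string; isPublic: boolean; status: 'running' | 'stopped' };
type Entry = { access: Access; expires: number };

const TTL_MS = 5 * 60 * 1000; // the 5-minute cache lifetime named in the review

class AccessCache {
  // Keyed by workspace first so one change evicts every user's cached decision.
  private byWorkspace = new Map<string, Map<string, Entry>>();

  get(userId: string, wsId: string, now: number): Access | undefined {
    const hit = this.byWorkspace.get(wsId)?.get(userId);
    return hit && hit.expires > now ? hit.access : undefined;
  }
  set(userId: string, wsId: string, access: Access, now: number): void {
    const users = this.byWorkspace.get(wsId) ?? new Map<string, Entry>();
    users.set(userId, { access, expires: now + TTL_MS });
    this.byWorkspace.set(wsId, users);
  }
  invalidateWorkspace(wsId: string): void {
    this.byWorkspace.delete(wsId);
  }
}

function checkAccess(cache: AccessCache, ws: Workspace, userId: string, now: number): Access {
  const cached = cache.get(userId, ws.id, now);
  if (cached) return cached;
  const access: Access = ws.isPublic && ws.status === 'running'
    ? { hasAccess: true, accessType: 'public', permission: 'read' }
    : { hasAccess: false };
  cache.set(userId, ws.id, access, now);
  return access;
}

// Write path: a visibility change evicts cached grants as part of the update.
function setVisibility(cache: AccessCache, ws: Workspace, isPublic: boolean, invalidate: boolean): void {
  ws.isPublic = isPublic;
  if (invalidate) cache.invalidateWorkspace(ws.id);
}

// Returns hasAccess at t=0 (public), t=1 min (just made private), t=5 min (TTL over).
function demo(invalidate: boolean): boolean[] {
  const cache = new AccessCache();
  const ws: Workspace = { id: 'ws-constructed', isPublic: true, status: 'running' };
  const at = (now: number) => checkAccess(cache, ws, 'user-constructed', now).hasAccess;
  const before = at(0);
  setVisibility(cache, ws, false, invalidate);
  return [before, at(60 * 1000), at(TTL_MS)];
}
```

Calling demo(false) shows the stale grant surviving one minute after the workspace goes private; demo(true) shows it denied immediately.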
