Skip to content
Select themeSelect language

post_api_projects

POST
/api/projects
curl --request POST \
--url https://example.com/api/projects \
--header 'Content-Type: application/json' \
--cookie supacloud_session=<supacloud_session> \
--data '{ "automations": [ { "agent_profile_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "autonomy_override": 1, "candidate_profile_ids": [ "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" ], "close_source_issue": true, "completion_action": "example", "denied_tools": [ "example" ], "enabled": true, "environment_scope": "example", "kind": "example", "pipeline_config": "example", "post_completion_comment": true, "review_enabled": true, "severity_min": "example", "source_filter": "example", "trigger": "example", "webhook_secret": "example" } ], "backlog_classifier": "example", "backlog_daily_budget_usd": 1, "backlog_max_concurrent": 1, "backlog_merge_policy": "example", "backlog_mode_enabled": true, "backlog_required_reviewers": 1, "closeout_config": "example", "denied_tools": [ "example" ], "git_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "git_default_branch": "example", "git_provider": "example", "git_repo_url": "example", "issue_tracker": "example", "issue_tracker_autodev_enabled": true, "issue_tracker_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "issue_tracker_key": "example", "issue_tracker_state_map": "example", "issue_tracker_webhook_secret": "example", "memory_governance_policy": "example", "name": "example" }'
Media typeapplication/json
object
automations

ADR 0045 Stage 1b — the consolidated Automation section’s per-kind rows, dual-written into project_automations alongside the legacy flag columns.

Array<object> | null

What a save supplies for one automation. webhook_secret = None keeps any stored secret on update (the persistence COALESCE) — a config edit need not re-type it. autonomy_override is the REQUESTED level; the service clamps it to the workspace ceiling before persist.

object
agent_profile_id
string | null format: uuid
autonomy_override
integer | null format: int32
candidate_profile_ids

#534 WS-2 — the multi-agent work-lane candidate pool (backlog/simple lane). Some(None) clears; Some(Some([])) = the All wildcard (every keyed workspace profile, dynamic); Some(Some([ids])) = an explicit set; an omitted key (outer None) keeps the stored pool.

Array<string> | null
close_source_issue
boolean | null
completion_action

#538 L12 — the post-completion issue action (close | comment | nothing). Legacy: the FE now sends the two booleans below; kept for back-compat + dual-write.

string | null
denied_tools
Array<string> | null
enabled
boolean | null
environment_scope
string | null
kind
required
string
pipeline_config

#538 feinschliff — the dev-pipeline knobs JSONB (return_to_sender, convergence_level, max_rounds, max_cost_usd, per-stage overrides; mig 231).

post_completion_comment

#708 C1 — the two ADDITIVE completion booleans (post the closing comment × close/ transition the source issue). An omitted key keeps the stored value; when set, the write derives + dual-writes completion_action (lossy for “silent close”).

boolean | null
review_enabled

#538 feinschliff — the Review toggle (the gated audit tail).

boolean | null
severity_min
string | null
source_filter
trigger
string | null
webhook_secret

Write-only HMAC secret; an omitted/empty value keeps the stored secret (the persistence COALESCE), a non-empty value overwrites it.

string | null
backlog_classifier

#626 G1 — backlog classifier variant ('llm' default | 'rules', mig 167 CHECK). None leaves the column at its default.

string | null
backlog_daily_budget_usd

#708 B4 — per-project daily backlog $-budget (null = no cap). Owner/admin.

number | null format: double
backlog_max_concurrent

#708 B4 — per-project backlog concurrency cap (null = inherit workspace). Owner/admin.

integer | null format: int32
backlog_merge_policy

ADR 0045 Stage 1b — backlog merge policy ('pr_only' default).

string | null
backlog_mode_enabled

ADR 0045 Stage 1b — autonomous backlog-dispatch mode (XOR PR-flow auto-developer; the UI enforces the exclusivity, the server does not).

boolean | null
backlog_required_reviewers

#708 B4 — required distinct-human reviewer bar (mig 167). Owner/admin.

integer | null format: int32
closeout_config

#712 — the project-tier SPARSE standard-closeout override (mig 283). None stores SQL NULL (inherit the workspace default); a value stores the sparse override (shape-validated on write). Owner/admin safety rail.

denied_tools

ADR 0045 Stage 1b — per-project blast-radius tool denylist (mig 210).

Array<string> | null
git_credential_id
string | null format: uuid
git_default_branch
string | null
git_provider
string | null
git_repo_url
string | null
issue_tracker
string | null
issue_tracker_autodev_enabled
boolean | null
issue_tracker_credential_id
string | null format: uuid
issue_tracker_key
string | null
issue_tracker_state_map
issue_tracker_webhook_secret
string | null
memory_governance_policy

#708 W13 — the project-tier SPARSE memory-governance override (mig 289). None stores SQL NULL (inherit the workspace policy); a value stores the sparse override (shape-validated on write). Owner/admin safety rail.

name
required
string
Examplegenerated
{
"automations": [
{
"agent_profile_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"autonomy_override": 1,
"candidate_profile_ids": [
"2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
],
"close_source_issue": true,
"completion_action": "example",
"denied_tools": [
"example"
],
"enabled": true,
"environment_scope": "example",
"kind": "example",
"pipeline_config": "example",
"post_completion_comment": true,
"review_enabled": true,
"severity_min": "example",
"source_filter": "example",
"trigger": "example",
"webhook_secret": "example"
}
],
"backlog_classifier": "example",
"backlog_daily_budget_usd": 1,
"backlog_max_concurrent": 1,
"backlog_merge_policy": "example",
"backlog_mode_enabled": true,
"backlog_required_reviewers": 1,
"closeout_config": "example",
"denied_tools": [
"example"
],
"git_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"git_default_branch": "example",
"git_provider": "example",
"git_repo_url": "example",
"issue_tracker": "example",
"issue_tracker_autodev_enabled": true,
"issue_tracker_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"issue_tracker_key": "example",
"issue_tracker_state_map": "example",
"issue_tracker_webhook_secret": "example",
"memory_governance_policy": "example",
"name": "example"
}

Project created

Media typeapplication/json
object
auto_developer_workflow_id
required

D1 — the materialized Auto Developer workflow’s id, surfaced so the project-edit UI can render an “Edit workflow” link. None until the arm’s workflow is materialized.

string | null format: uuid
autonomy_level
required

ADR 0045 Stage 4 — the project-scope autonomy level (0..=100), or null to inherit from the workspace. The project-edit form seeds the autonomy slider from it.

integer | null format: int32
autonomy_overrides
required

ADR 0045 Stage 4 — the Advanced per-axis autonomy override vector (free-form string-keyed bag, e.g. {"level": N}). Defaults to {}. The project-edit form seeds the Advanced overrides from it.

object
key
additional properties
backlog_classifier
required

Issue #532 — how items are classified: 'llm' (default — one LLM call per item, tuned by the backlog automation’s source_filter classifier config) or 'rules' (the deterministic mapping). Surfaced so the Automation section shows the editable Classifier tuning for llm and the read-only rules mapping for rules.

string
backlog_daily_budget_usd
required

#708 B4 — per-project daily backlog $-budget (null = no cap). Surfaced so the backlog-limits field can seed + round-trip its current value.

number | null format: double
backlog_max_concurrent
required

#708 B4 — per-project backlog concurrency cap (null = inherit the workspace ceiling). Surfaced so the backlog-limits field can seed + round-trip.

integer | null format: int32
backlog_merge_policy
required

ADR 0045 Stage 1b — backlog merge policy: 'pr_only' (default) | 'auto_on_green' | 'full_auto'. Surfaced so the consolidated Automation section can round-trip the selected Approval-mode.

string
backlog_mode_enabled
required

#364 / #388 — whether the project runs in autonomous backlog-dispatch mode (mutually exclusive with PR-flow auto-developer). Surfaced so the #358 board + project detail can render the “Backlog” chip.

boolean
backlog_required_reviewers
required

ADR 0045 Stage 1b — N human approvals required on the backlog in_review → done/merge step. Surfaced read-only on the project detail.

integer format: int32
closeout_config
required
One of:
null
created_at
required
string format: date-time
daily_budget_usd
required

#708 M5 — the project-TOTAL daily/monthly $-budget caps (mig 296; every launch, not just backlog). Surfaced so the Guardrails budget inputs seed + round-trip their current value. null = no project cap.

number | null format: double
denied_tools
required

ADR 0045 Stage 1b — per-project blast-radius tool denylist (mig 210). Surfaced so the Automation section can render + round-trip the chosen Blast-radius denied tools.

Array<string>
detected_stack
required
git_credential_id
required
string | null format: uuid
git_default_branch
required
string | null
git_provider
required
string | null
git_repo_url
required
string | null
id
required
string format: uuid
image_built_at
required
string | null format: date-time
image_config
required
image_error
required
string | null
image_size
required
integer | null format: int64
image_status
required
string | null
image_tag
required
string | null
issue_tracker
required

ADR 0029 Slice 5 — Linear/Notion issue tracker config.

string | null
issue_tracker_autodev_enabled
required

ADR 0029 Slice 7 — tracker auto-developer toggle. The webhook secret itself (the HMAC signing secret the Linear/Notion receiver verifies against) is NEVER returned outward: a member who could read it could forge validly-signed webhooks that launch agents (H1 audit). Mirroring the auto_developer_webhook_secret posture, we expose only whether one is configured. The user supplies the secret on create/update, so they already know its value and never need it read back.

boolean
issue_tracker_credential_id
required
string | null format: uuid
issue_tracker_key
required
string | null
issue_tracker_state_map
required

ADR 0029 Slice 6 (D7) — per-provider state-name overrides. The runtime type stays serde_json::Value (a free-form JSONB column); the spec is narrowed to the real serialized shape — a map keyed by tracker provider name (linear / notion) to a [TrackerStateNames] override bag.

object | null
issue_tracker_webhook_secret_set
required
boolean
max_concurrent_runs
required

Issue #110: per-project concurrency cap; None = unlimited.

integer | null format: int32
memory_governance_policy
required

#708 W13 — the project-tier SPARSE memory-governance override (mig 289), or null to inherit the workspace policy entirely. A sparse per-scope JSONB bag ({workspace, project, personal}) the project-edit settings seed from.

monthly_budget_usd
required
number | null format: double
name
required
string
user_id
required
string format: uuid
workspace_id
required
string | null format: uuid
Examplegenerated
{
"auto_developer_workflow_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"autonomy_level": 1,
"autonomy_overrides": {
"additionalProperty": "example"
},
"backlog_classifier": "example",
"backlog_daily_budget_usd": 1,
"backlog_max_concurrent": 1,
"backlog_merge_policy": "example",
"backlog_mode_enabled": true,
"backlog_required_reviewers": 1,
"closeout_config": {
"memory": true,
"project_docs": {
"condition": "example",
"enabled": true,
"globs": [
"example"
]
},
"user_docs": {
"condition": "example",
"enabled": true,
"globs": [
"example"
],
"langs": [
"example"
]
},
"wiki": {
"condition": "example",
"enabled": true
}
},
"created_at": "2026-04-15T12:00:00Z",
"daily_budget_usd": 1,
"denied_tools": [
"example"
],
"detected_stack": "example",
"git_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"git_default_branch": "example",
"git_provider": "example",
"git_repo_url": "example",
"id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"image_built_at": "2026-04-15T12:00:00Z",
"image_config": "example",
"image_error": "example",
"image_size": 1,
"image_status": "example",
"image_tag": "example",
"issue_tracker": "example",
"issue_tracker_autodev_enabled": true,
"issue_tracker_credential_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"issue_tracker_key": "example",
"issue_tracker_state_map": "example",
"issue_tracker_webhook_secret_set": true,
"max_concurrent_runs": 1,
"memory_governance_policy": "example",
"monthly_budget_usd": 1,
"name": "example",
"user_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"workspace_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
}

Structured client error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Authentication required

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Permission denied

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}