docs: add session notes implementation plan

Made-with: Cursor
2026-03-22 23:49:13 -04:00
parent 8c36b399d0
commit 341257a04d
2 changed files with 1655 additions and 2 deletions
--- a/docs/superpowers/plans/2026-03-22-session-notes-read-edit-delete.md
+++ b/docs/superpowers/plans/2026-03-22-session-notes-read-edit-delete.md
--- a/docs/superpowers/specs/2026-03-22-session-notes-read-edit-delete-design.md
+++ b/docs/superpowers/specs/2026-03-22-session-notes-read-edit-delete-design.md
@@ -28,7 +28,7 @@ Minimal extension of existing infrastructure (Approach A). No database schema ch
 - **Body:** `{ "notes": "markdown string" }`
 - **Behavior:** Overwrites `sessions.notes` for the given session (no COALESCE merge — full replacement)
 - **Response:** Updated session object
- **Errors:** 404 if session not found, 401 if unauthenticated
+- **Errors:** 404 if session not found, 401 if no auth header, 403 if token invalid/expired (consistent with existing `authenticateToken` middleware behavior)

 #### `DELETE /api/sessions/:id/notes`

@@ -36,7 +36,7 @@ Minimal extension of existing infrastructure (Approach A). No database schema ch
 - **Body:** None
 - **Behavior:** Sets `sessions.notes = NULL`
 - **Response:** `{ success: true }`
- **Errors:** 404 if session not found, 401 if unauthenticated
+- **Errors:** 404 if session not found, 401 if no auth header, 403 if token invalid/expired

 ### Modified Endpoints

@@ -46,6 +46,7 @@ Add two fields to each session object in the response:

 - `has_notes` (boolean) — `true` if `notes IS NOT NULL AND notes != ''`
 - `notes_preview` (string | null) — first paragraph of the markdown, truncated to ~150 characters. `null` if no notes.
+- **Remove `notes` from list response** — the full `notes` field must be omitted from list items. Use explicit column selection instead of `SELECT s.*` to avoid leaking full notes to unauthenticated clients. The list endpoint only returns `has_notes` and `notes_preview`.

 These are computed server-side from the existing `notes` column.