fix(dashboard): persist widgets on PUT and invalidate response cache

Two bugs prevented dashboard widget commands from working correctly:

1. stripWidgetServerFields used a denylist that missed dozens of extra
   fields returned by the GET API via Zod .passthrough() (description,
   thresholds, interval, axisRange, datasetSource, etc.). Switch to an
   allowlist that only includes fields the PUT API accepts.

2. updateDashboard PUT succeeded but subsequent dashboard view returned
   stale cached GET data. Add invalidateCachedResponse() to response-cache
   and call it after every dashboard PUT with the correct URL format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: betegon

src/lib/api/dashboards.ts

@@ -11,6 +11,7 @@ import type {
 } from "../../types/dashboard.js";
 
 import { resolveOrgRegion } from "../region.js";
+import { invalidateCachedResponse } from "../response-cache.js";
 
 import { apiRequestToRegion } from "./infrastructure.js";
 
@@ -88,10 +89,18 @@ export async function updateDashboard(
   body: { title: string; widgets: DashboardWidget[]; projects?: number[] }
 ): Promise<DashboardDetail> {
   const regionUrl = await resolveOrgRegion(orgSlug);
-  const { data } = await apiRequestToRegion<DashboardDetail>(
-    regionUrl,
-    `/organizations/${orgSlug}/dashboards/${dashboardId}/`,
-    { method: "PUT", body }
-  );
+  const path = `/organizations/${orgSlug}/dashboards/${dashboardId}/`;
+  const { data } = await apiRequestToRegion<DashboardDetail>(regionUrl, path, {
+    method: "PUT",
+    body,
+  });
+
+  // Invalidate cached GET for this dashboard so subsequent view commands
+  // return fresh data instead of the pre-mutation cached response.
+  const normalizedBase = regionUrl.endsWith("/")
+    ? regionUrl.slice(0, -1)
+    : regionUrl;
+  await invalidateCachedResponse(`${normalizedBase}/api/0${path}`);
+
   return data;
 }

src/lib/response-cache.ts

@@ -555,6 +555,23 @@ async function writeResponseToCache(
   return serialized.length;
 }
 
+/**
+ * Invalidate the cached GET response for a specific URL.
+ *
+ * Used by mutation commands (PUT/POST/DELETE) that change server state,
+ * so subsequent GET commands don't serve stale data.
+ *
+ * @param url - Full URL of the GET endpoint to invalidate
+ */
+export async function invalidateCachedResponse(url: string): Promise<void> {
+  try {
+    const key = buildCacheKey("GET", url);
+    await rm(cacheFilePath(key), { force: true });
+  } catch {
+    // Best-effort — ignore if file doesn't exist or can't be deleted
+  }
+}
+
 /**
  * Remove all cached responses.
  * Called on `auth logout` and `auth login` since cached data is tied to the user.

src/types/dashboard.ts

@@ -507,60 +507,57 @@ export function assignDefaultLayout(
 
 // ---------------------------------------------------------------------------
 // Server field stripping utilities
+//
+// The Sentry dashboard API returns many extra fields via GET that should NOT
+// be sent back in PUT requests. Using an allowlist approach ensures only
+// fields the API accepts are included, avoiding silent rejection of widgets.
 // ---------------------------------------------------------------------------
 
-/**
- * Server-generated fields on widget queries that must be stripped before PUT.
- * NEVER strip user-controlled fields like conditions, columns, aggregates.
- */
-const QUERY_SERVER_FIELDS = ["id", "widgetId", "dateCreated"] as const;
-
-/**
- * Server-generated fields on widgets that must be stripped before PUT.
- * CRITICAL: Never strip widgetType, displayType, or layout — these are
- * user-controlled and stripping them causes widgets to reset to defaults.
- */
-const WIDGET_SERVER_FIELDS = ["id", "dashboardId", "dateCreated"] as const;
-
-/**
- * Server-generated fields on widget layout that must be stripped before PUT.
- */
-const LAYOUT_SERVER_FIELDS = ["isResizable"] as const;
+/** Extract only the query fields the PUT API accepts */
+function cleanQuery(q: DashboardWidgetQuery): DashboardWidgetQuery {
+  return {
+    name: q.name ?? "",
+    conditions: q.conditions ?? "",
+    columns: q.columns ?? [],
+    aggregates: q.aggregates ?? [],
+    fields: q.fields ?? [],
+    ...(q.fieldAliases && { fieldAliases: q.fieldAliases }),
+    ...(q.orderby && { orderby: q.orderby }),
+  };
+}
 
 /**
- * Strip server-generated fields from a single widget for PUT requests.
+ * Strip server-generated and passthrough fields from a widget for PUT requests.
+ *
+ * Uses an allowlist approach: only includes fields the dashboard PUT API
+ * accepts. The GET response includes many extra fields (description, thresholds,
+ * interval, axisRange, datasetSource, etc.) that cause silent failures if
+ * sent back in PUT.
  *
  * @param widget - Widget object from GET response
- * @returns Widget safe for PUT (widgetType, displayType, layout preserved)
+ * @returns Widget safe for PUT (only API-accepted fields)
  */
 export function stripWidgetServerFields(
   widget: DashboardWidget
 ): DashboardWidget {
-  const cleaned = { ...widget };
-
-  // Strip widget-level server fields
-  for (const field of WIDGET_SERVER_FIELDS) {
-    delete (cleaned as Record<string, unknown>)[field];
-  }
-
-  // Strip query-level server fields
-  if (cleaned.queries) {
-    cleaned.queries = cleaned.queries.map((q) => {
-      const cleanedQuery = { ...q };
-      for (const field of QUERY_SERVER_FIELDS) {
-        delete (cleanedQuery as Record<string, unknown>)[field];
-      }
-      return cleanedQuery;
-    });
-  }
+  const cleaned: DashboardWidget = {
+    title: widget.title,
+    displayType: widget.displayType,
+    ...(widget.widgetType && { widgetType: widget.widgetType }),
+    ...(widget.queries && { queries: widget.queries.map(cleanQuery) }),
+    ...(widget.limit !== undefined &&
+      widget.limit !== null && { limit: widget.limit }),
+  };
 
-  // Strip layout server fields
-  if (cleaned.layout) {
-    const cleanedLayout = { ...cleaned.layout };
-    for (const field of LAYOUT_SERVER_FIELDS) {
-      delete (cleanedLayout as Record<string, unknown>)[field];
-    }
-    cleaned.layout = cleanedLayout;
+  // Preserve layout (x, y, w, h, minH only — not isResizable)
+  if (widget.layout) {
+    cleaned.layout = {
+      x: widget.layout.x,
+      y: widget.layout.y,
+      w: widget.layout.w,
+      h: widget.layout.h,
+      ...(widget.layout.minH !== undefined && { minH: widget.layout.minH }),
+    };
   }
 
   return cleaned;