getsentry · JerrySentry · Oct 17, 2025 · Oct 17, 2025 · Oct 20, 2025 · Oct 20, 2025
diff --git a/migrations_lockfile.txt b/migrations_lockfile.txt
@@ -25,6 +25,8 @@ notifications: 0002_notificationmessage_jsonfield
 
 preprod: 0017_break_commit_fks
 
+prevent: 0001_initial_prevent_ai_configuration
+
 releases: 0001_release_models
 
 replays: 0006_add_bulk_delete_job

diff --git a/src/sentry/api/serializers/models/organization.py b/src/sentry/api/serializers/models/organization.py
@@ -77,7 +77,6 @@
 from sentry.models.team import Team, TeamStatus
 from sentry.organizations.absolute_url import generate_organization_url
 from sentry.organizations.services.organization import RpcOrganizationSummary
-from sentry.types.prevent_config import PREVENT_AI_CONFIG_GITHUB_DEFAULT
 from sentry.users.models.user import User
 from sentry.users.services.user.model import RpcUser
 from sentry.users.services.user.service import user_service
@@ -555,7 +554,6 @@ class DetailedOrganizationSerializerResponse(_DetailedOrganizationSerializerResp
     streamlineOnly: bool
     defaultAutofixAutomationTuning: str
     defaultSeerScannerAutomation: bool
-    preventAiConfigGithub: dict[str, Any]
     enablePrReviewTestGeneration: bool
     enableSeerEnhancedAlerts: bool
     enableSeerCoding: bool
@@ -697,10 +695,6 @@ def serialize(  # type: ignore[override]
                 "sentry:default_seer_scanner_automation",
                 DEFAULT_SEER_SCANNER_AUTOMATION_DEFAULT,
             ),
-            "preventAiConfigGithub": obj.get_option(
-                "sentry:prevent_ai_config_github",
-                PREVENT_AI_CONFIG_GITHUB_DEFAULT,
-            ),
             "enablePrReviewTestGeneration": bool(
                 obj.get_option(
                     "sentry:enable_pr_review_test_generation",

@@ -437,6 +437,7 @@
 from sentry.prevent.endpoints.organization_github_repos import (
     OrganizationPreventGitHubReposEndpoint,
 )
+from sentry.prevent.endpoints.pr_review_config import OrganizationPreventGitHubConfigEndpoint
 from sentry.releases.endpoints.organization_release_assemble import (
     OrganizationReleaseAssembleEndpoint,
 )
@@ -1160,6 +1161,17 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         SyncReposEndpoint.as_view(),
         name="sentry-api-0-repositories-sync",
     ),
+    # Prevent AI endpoints
+    re_path(
+        r"^ai/github/config/(?P<git_organization_id>[^/]+)/$",
+        OrganizationPreventGitHubConfigEndpoint.as_view(),
+        name="sentry-api-0-organization-prevent-github-config",
+    ),
+    re_path(
+        r"^ai/github/repos/$",
+        OrganizationPreventGitHubReposEndpoint.as_view(),
+        name="sentry-api-0-organization-prevent-github-repos",
+    ),
 ]
 
 USER_URLS = [
@@ -2143,12 +2155,6 @@ def create_group_urls(name_prefix: str) -> list[URLPattern | URLResolver]:
         OrganizationRepositoryCommitsEndpoint.as_view(),
         name="sentry-api-0-organization-repository-commits",
     ),
-    # Prevent AI endpoints
-    re_path(
-        r"^(?P<organization_id_or_slug>[^/]+)/prevent/github/repos/$",
-        OrganizationPreventGitHubReposEndpoint.as_view(),
-        name="sentry-api-0-organization-prevent-github-repos",
-    ),
     re_path(
         r"^(?P<organization_id_or_slug>[^/]+)/plugins/$",
         OrganizationPluginsEndpoint.as_view(),

diff --git a/src/sentry/audit_log/register.py b/src/sentry/audit_log/register.py
@@ -627,7 +627,14 @@
         template="disconnected detector {detector_name} from workflow {workflow_name}",
     )
 )
-
+default_manager.add(
+    AuditLogEvent(
+        event_id=203,
+        name="PREVENT_CONFIG_EDIT",
+        api_name="prevent.config.edit",
+        template="prevent_ai.config.edit: {service} {git_organization}",
+    )
+)
 default_manager.add(
     AuditLogEvent(
         event_id=204,

diff --git a/src/sentry/conf/server.py b/src/sentry/conf/server.py
@@ -479,6 +479,7 @@ def env(
     "sentry.insights",
     "sentry.preprod",
     "sentry.releases",
+    "sentry.prevent",
 )
 
 # Silence internal hints from Django's system checks

diff --git a/src/sentry/core/endpoints/organization_details.py b/src/sentry/core/endpoints/organization_details.py
@@ -5,7 +5,6 @@
 from datetime import datetime, timedelta, timezone
 from typing import TypedDict
 
-from django import forms
 from django.db import models, router, transaction
 from django.db.models.query_utils import DeferredAttribute
 from django.urls import reverse
@@ -104,10 +103,8 @@
     OrganizationSlugCollisionException,
     organization_provisioning_service,
 )
-from sentry.types.prevent_config import PREVENT_AI_CONFIG_GITHUB_DEFAULT, PREVENT_AI_CONFIG_SCHEMA
 from sentry.users.services.user.serial import serialize_generic_user
 from sentry.utils.audit import create_audit_entry
-from sentry.workflow_engine.endpoints.validators.utils import validate_json_schema
 
 ERR_DEFAULT_ORG = "You cannot remove the default organization."
 ERR_NO_USER = "This request requires an authenticated user."
@@ -237,12 +234,6 @@
         bool,
         DEFAULT_SEER_SCANNER_AUTOMATION_DEFAULT,
     ),
-    (
-        "preventAiConfigGithub",
-        "sentry:prevent_ai_config_github",
-        dict,
-        PREVENT_AI_CONFIG_GITHUB_DEFAULT,
-    ),
     (
         "enablePrReviewTestGeneration",
         "sentry:enable_pr_review_test_generation",
@@ -348,7 +339,6 @@ class OrganizationSerializer(BaseOrganizationSerializer):
     )
     enablePrReviewTestGeneration = serializers.BooleanField(required=False)
     enableSeerEnhancedAlerts = serializers.BooleanField(required=False)
-    preventAiConfigGithub = serializers.JSONField(required=False)
     enableSeerCoding = serializers.BooleanField(required=False)
     ingestThroughTrustedRelaysOnly = serializers.ChoiceField(
         choices=[("enabled", "enabled"), ("disabled", "disabled")], required=False
@@ -459,14 +449,6 @@ def validate_samplingMode(self, value):
 
         return value
 
-    def validate_preventAiConfigGithub(self, value):
-        """Validate the structure using JSON Schema - generic error for invalid configs."""
-        try:
-            validate_json_schema(value, PREVENT_AI_CONFIG_SCHEMA)
-        except forms.ValidationError:
-            raise serializers.ValidationError("Prevent AI config option is invalid")
-        return value
-
     def validate(self, attrs):
         attrs = super().validate(attrs)
         if attrs.get("avatarType") == "upload":
@@ -742,7 +724,6 @@ def create_console_platform_audit_log(
         "genAIConsent",
         "defaultAutofixAutomationTuning",
         "defaultSeerScannerAutomation",
-        "preventAiConfigGithub",
         "ingestThroughTrustedRelaysOnly",
         "enabledConsolePlatforms",
     ]

@@ -21,8 +21,8 @@
 )
 from sentry.models.organization import Organization
 from sentry.models.repository import Repository
+from sentry.prevent.types.config import PREVENT_AI_CONFIG_GITHUB_DEFAULT
 from sentry.silo.base import SiloMode
-from sentry.types.prevent_config import PREVENT_AI_CONFIG_GITHUB_DEFAULT
 
 logger = logging.getLogger(__name__)
 

@@ -0,0 +1,90 @@
+from copy import deepcopy
+from typing import Any
+
+from jsonschema import validate
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from sentry import audit_log
+from sentry.api.api_owners import ApiOwner
+from sentry.api.api_publish_status import ApiPublishStatus
+from sentry.api.base import region_silo_endpoint
+from sentry.api.bases.organization import OrganizationEndpoint, OrganizationPermission
+from sentry.models.organization import Organization
+from sentry.prevent.models import PreventAIConfiguration
+from sentry.prevent.types.config import ORG_CONFIG_SCHEMA, PREVENT_AI_CONFIG_GITHUB_DEFAULT
+
+
+class PreventAIConfigPermission(OrganizationPermission):
+    scope_map = {
+        "GET": ["org:read", "org:write", "org:admin"],
+        # allow any organization member to update the PR review config
+        "PUT": ["org:read", "org:write", "org:admin"],
+    }
+
+
+@region_silo_endpoint
+class OrganizationPreventGitHubConfigEndpoint(OrganizationEndpoint):
+    """
+    Get and set the GitHub PR review config for a Sentry organization
+    """
+
+    owner = ApiOwner.CODECOV
+    publish_status = {
+        "GET": ApiPublishStatus.EXPERIMENTAL,
+        "PUT": ApiPublishStatus.EXPERIMENTAL,
+    }
+    permission_classes = (PreventAIConfigPermission,)
+
+    def get(
+        self, request: Request, organization: Organization, git_organization_id: str
+    ) -> Response:
+        """
+        Get the Prevent AI GitHub configuration for a specific git organization.
+        """
+        response_data: dict[str, Any] = deepcopy(PREVENT_AI_CONFIG_GITHUB_DEFAULT)
+
+        config = PreventAIConfiguration.objects.filter(
+            organization_id=organization.id,
+            provider="github",
+            git_organization_id=git_organization_id,
+        ).first()
+
+        if config:
+            response_data["github_organization"][git_organization_id] = config.data
+
+        return Response(response_data, status=200)
+
+    def put(
+        self, request: Request, organization: Organization, git_organization_id: str
+    ) -> Response:
+        """
+        Update the Prevent AI GitHub configuration for an organization.
+        """
+        try:
+            validate(request.data, ORG_CONFIG_SCHEMA)
+        except Exception:
+            return Response({"detail": "Invalid config"}, status=400)
+
+        PreventAIConfiguration.objects.update_or_create(
+            organization_id=organization.id,
+            provider="github",
+            git_organization_id=git_organization_id,
+            defaults={"data": request.data},
+        )
+
+        self.create_audit_entry(
+            request=request,
+            organization=organization,
+            target_object=organization.id,
+            event=audit_log.get_event_id("PREVENT_CONFIG_EDIT"),
+            data={
+                "git_organization": git_organization_id,
+                "provider": "github",
+            },
+        )
+
+        response_data: dict[str, Any] = deepcopy(PREVENT_AI_CONFIG_GITHUB_DEFAULT)
+        response_data["github_organization"][git_organization_id] = request.data
+
+        return Response(response_data, status=200)
@@ -0,0 +1,53 @@
+# Generated by Django 5.2.1 on 2025-10-22 21:03
+
+from django.db import migrations, models
+
+import sentry.db.models.fields.bounded
+from sentry.new_migrations.migrations import CheckedMigration
+
+
+class Migration(CheckedMigration):
+    # This flag is used to mark that a migration shouldn't be automatically run in production.
+    # This should only be used for operations where it's safe to run the migration after your
+    # code has deployed. So this should not be used for most operations that alter the schema
+    # of a table.
+    # Here are some things that make sense to mark as post deployment:
+    # - Large data migrations. Typically we want these to be run manually so that they can be
+    #   monitored and not block the deploy for a long period of time while they run.
+    # - Adding indexes to large tables. Since this can take a long time, we'd generally prefer to
+    #   run this outside deployments so that we don't block them. Note that while adding an index
+    #   is a schema change, it's completely safe to run the operation after the code has deployed.
+    # Once deployed, run these manually via: https://develop.sentry.dev/database-migrations/#migration-deployment
+
+    is_post_deployment = False
+
+    initial = True
+
+    dependencies = []
+
+    operations = [
+        migrations.CreateModel(
+            name="PreventAIConfiguration",
+            fields=[
+                (
+                    "id",
+                    sentry.db.models.fields.bounded.BoundedBigAutoField(
+                        primary_key=True, serialize=False
+                    ),
+                ),
+                ("date_updated", models.DateTimeField(auto_now=True)),
+                ("date_added", models.DateTimeField(auto_now_add=True)),
+                (
+                    "organization_id",
+                    sentry.db.models.fields.bounded.BoundedBigIntegerField(db_index=True),
+                ),
+                ("provider", models.CharField(max_length=64)),
+                ("git_organization_id", models.CharField(max_length=255)),
+                ("data", models.JSONField(default=dict)),
+            ],
+            options={
+                "db_table": "sentry_preventaiconfiguration",
+                "unique_together": {("organization_id", "provider", "git_organization_id")},
+            },
+        ),
+    ]
@@ -0,0 +1,29 @@
+from __future__ import annotations
+
+from django.db import models
+
+from sentry.backup.scopes import RelocationScope
+from sentry.db.models.base import DefaultFieldsModel, region_silo_model
+from sentry.db.models.fields.bounded import BoundedBigIntegerField
+
+
+@region_silo_model
+class PreventAIConfiguration(DefaultFieldsModel):
+    """
+    Configuration for Prevent AI features for git organizations per Sentry organization.
+
+    This model stores configurations for Prevent AI functionality,
+    allowing different settings for different git organizations and repos.
+    """
+
+    __relocation_scope__ = RelocationScope.Excluded
+
+    organization_id = BoundedBigIntegerField(db_index=True)
+    provider = models.CharField(max_length=64)
+    git_organization_id = models.CharField(max_length=255)
+    data = models.JSONField(default=dict)
+
+    class Meta:
+        app_label = "prevent"
+        db_table = "sentry_preventaiconfiguration"
+        unique_together = (("organization_id", "provider", "git_organization_id"),)
@@ -78,31 +78,14 @@
     "additionalProperties": False,
 }
 
-_ORG_CONFIG_SCHEMA = {
+ORG_CONFIG_SCHEMA = {
     "type": "object",
     "properties": {
         "org_defaults": _ORG_DEFAULTS_SCHEMA,
         "repo_overrides": _REPO_OVERRIDES_SCHEMA,
-    },
-    "required": ["org_defaults", "repo_overrides"],
-    "additionalProperties": False,
-}
-
-
-PREVENT_AI_CONFIG_SCHEMA = {
-    "type": "object",
-    "properties": {
         "schema_version": {"type": "string", "enum": ["v1"]},
-        "default_org_config": _ORG_CONFIG_SCHEMA,
-        "github_organizations": {
-            "type": "object",
-            "patternProperties": {
-                ".*": _ORG_CONFIG_SCHEMA,
-            },
-            "additionalProperties": False,
-        },
     },
-    "required": ["schema_version", "default_org_config", "github_organizations"],
+    "required": ["org_defaults", "repo_overrides"],
     "additionalProperties": False,
 }
 
@@ -136,5 +119,5 @@
         },
         "repo_overrides": {},
     },
-    "github_organizations": {},
+    "github_organization": {},
 }