feat: add PATCH endpoint for session scratchpad

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/endpoints/sessions.py

@@ -10,7 +10,7 @@ from app.core.database import get_db
 from app.models.tree import Tree
 from app.models.session import Session
 from app.models.user import User
-from app.schemas.session import SessionCreate, SessionUpdate, SessionResponse, SessionExport
+from app.schemas.session import SessionCreate, SessionUpdate, SessionResponse, SessionExport, ScratchpadUpdate
 from app.api.deps import get_current_user
 
 router = APIRouter(prefix="/sessions", tags=["sessions"])
@@ -183,6 +183,35 @@ async def complete_session(
     return session
 
 
+@router.patch("/{session_id}/scratchpad", response_model=SessionResponse)
+async def update_scratchpad(
+    session_id: UUID,
+    data: ScratchpadUpdate,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(get_current_user)]
+):
+    """Update session scratchpad. Accepts updates on both active and completed sessions."""
+    result = await db.execute(select(Session).where(Session.id == session_id))
+    session = result.scalar_one_or_none()
+
+    if not session:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Session not found"
+        )
+
+    if session.user_id != current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You don't have access to this session"
+        )
+
+    session.scratchpad = data.scratchpad
+    await db.commit()
+    await db.refresh(session)
+    return session
+
+
 @router.post("/{session_id}/export")
 async def export_session(
     session_id: UUID,