@hexis-ai/engram-server 0.11.3 → 0.12.0

package/dist/server.js

@@ -1,4 +1,5 @@
 import { Hono } from "hono";
+import { cors } from "hono/cors";
 import { log, newRequestId } from "./logger";
 import { createAdminRouter } from "./admin";
 import { aliasesRoutes } from "./routes/aliases";
@@ -39,6 +40,28 @@ export function createServer(opts) {
             });
         }
     });
+    // CORS — required so engram-web (different origin) can carry the
+    // auth cookie. Applies to /auth/* and /v1/* only; admin uses a
+    // bearer token from server-side callers and doesn't need CORS.
+    if (opts.corsOrigins && opts.corsOrigins.length > 0) {
+        const origins = opts.corsOrigins;
+        const corsMw = cors({
+            origin: (o) => (origins.includes(o) ? o : null),
+            credentials: true,
+            allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+            allowHeaders: [
+                "content-type",
+                "x-api-key",
+                "x-workspace-id",
+                "x-request-id",
+                "authorization",
+            ],
+            exposeHeaders: ["x-request-id"],
+            maxAge: 600,
+        });
+        app.use("/auth/*", corsMw);
+        app.use("/v1/*", corsMw);
+    }
     app.onError((err, c) => {
         log.error("unhandled", {
             request_id: c.var.request_id,
@@ -71,22 +94,60 @@ export function createServer(opts) {
     if (opts.admin) {
         app.route("/admin/v1", createAdminRouter(opts.admin));
     }
-    // Workspace auth gate — every `/v1/*` route runs behind this.
+    // better-auth catchall. Mounted before `/v1` so /auth/* never falls
+    // through to the workspace gate.
+    if (opts.authHandler) {
+        const handler = opts.authHandler;
+        app.all("/auth/*", (c) => handler.handler(c.req.raw));
+    }
+    // Workspace auth gate — every `/v1/*` route runs behind this. Tries
+    // api-key first; falls back to cookie session when configured. The
+    // Bearer header is reserved for api-keys here; engram-web uses the
+    // session cookie, not a Bearer.
     app.use("/v1/*", async (c, next) => {
         const apiKey = c.req.header("x-api-key") ??
             c.req.header("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1];
-        if (!apiKey)
-            return c.json({ error: "unauthorized" }, 401);
-        const ctx = await opts.auth(apiKey);
+        let ctx = apiKey ? await opts.auth(apiKey) : null;
+        if (!ctx && !apiKey && opts.cookieAuth) {
+            ctx = await opts.cookieAuth(c.req.raw);
+        }
         if (!ctx)
             return c.json({ error: "unauthorized" }, 401);
         c.set("ctx", ctx);
         await next();
     });
-    // Identity probe — echoes the workspace the caller's key resolves to.
-    // Used by host clients (e.g. monet's `/v1/engram/*` proxy) to label
-    // which tenant they're viewing.
+    // Identity probe — echoes the workspace the caller's auth
+    // resolves to. Cheap, used as a health/whoami by clients.
     app.get("/v1/me", (c) => c.json({ workspaceId: c.var.ctx.workspaceId }));
+    // Cookie-auth helpers for engram-web: list every workspace / org
+    // the signed-in user can reach. api-key callers don't need these
+    // (they already know which workspace they're scoped to).
+    if (opts.authHandler && opts.orgStore) {
+        const auth = opts.authHandler;
+        const orgStore = opts.orgStore;
+        const requireUser = async (req) => {
+            const s = await auth.api.getSession({ headers: req.headers }).catch(() => null);
+            return s?.user ?? null;
+        };
+        app.get("/v1/me/workspaces", async (c) => {
+            const user = await requireUser(c.req.raw);
+            if (!user)
+                return c.json({ error: "unauthorized" }, 401);
+            const workspaces = await orgStore.listWorkspacesForUser(user.id);
+            return c.json({ workspaces });
+        });
+        app.get("/v1/me/orgs", async (c) => {
+            const user = await requireUser(c.req.raw);
+            if (!user)
+                return c.json({ error: "unauthorized" }, 401);
+            const memberships = await orgStore.listOrgsForUser(user.id);
+            const orgs = await Promise.all(memberships.map(async (m) => ({
+                ...(await orgStore.getOrg(m.orgId)),
+                role: m.role,
+            })));
+            return c.json({ orgs: orgs.filter((o) => o.id) });
+        });
+    }
     app.route("/v1", sessionsRoutes(cfg));
     app.route("/v1", personsRoutes(cfg));
     app.route("/v1", identitiesRoutes(cfg));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hexis-ai/engram-server",
-  "version": "0.11.3",
+  "version": "0.12.0",
   "description": "Engram server: ingest agent session events, persist via a pluggable adapter, expose search.",
   "keywords": [
     "engram",
@@ -50,8 +50,10 @@
   },
   "dependencies": {
     "@hexis-ai/engram-core": "^0.2.0",
-    "@hexis-ai/engram-sdk": "^0.12.0",
+    "@hexis-ai/engram-sdk": "^0.13.0",
+    "better-auth": "^1.6.11",
     "hono": "^4.6.0",
+    "pg": "^8.13.0",
     "zod": "^4.0.0"
   },
   "peerDependencies": {
@@ -63,6 +65,7 @@
     }
   },
   "devDependencies": {
+    "@types/pg": "^8.11.10",
     "postgres": "^3.4.0"
   },
   "publishConfig": {