@hexis-ai/engram-server 0.12.0 → 0.13.0

package/dist/admin.js

@@ -1,6 +1,7 @@
 import { Hono } from "hono";
 import { isValidWorkspaceId } from "./key-store";
 import { createWorkspaceSchema, issueKeySchema, parseJsonBody } from "./schemas";
+import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow, OrgServiceError, removeMember, requireWorkspaceInOrg, revokeWorkspaceKey, } from "./services/orgs";
 /**
  * Build the admin sub-router. Mount under \`/admin/v1\`.
  *
@@ -119,117 +120,105 @@ export function createAdminRouter(opts) {
     const orgStore = opts.orgStore;
     if (!orgStore)
         return app;
-    app.post("/orgs", async (c) => {
+    const deps = { orgStore, keyStore: opts.keyStore };
+    app.post("/orgs", async (c) => runService(c, async () => {
         const body = (await c.req.json().catch(() => ({})));
-        try {
-            const org = await orgStore.createOrg({
-                ...(body.id !== undefined ? { id: body.id } : {}),
-                ...(body.name !== undefined ? { name: body.name } : {}),
-                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
-            });
-            return c.json({ org });
-        }
-        catch (e) {
-            return c.json({ error: e.message }, 400);
-        }
-    });
+        const org = await createOrg(deps, body);
+        return c.json({ org });
+    }));
     app.get("/orgs", async (c) => {
         const orgs = await orgStore.listOrgs();
         return c.json({ orgs });
     });
-    app.get("/orgs/:id", async (c) => {
-        const org = await orgStore.getOrg(c.req.param("id"));
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
+    app.get("/orgs/:id", async (c) => runService(c, async () => {
+        const org = await getOrgOrThrow(deps, c.req.param("id"));
         return c.json({ org });
-    });
-    app.delete("/orgs/:id", async (c) => {
-        const id = c.req.param("id");
-        const org = await orgStore.getOrg(id);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
-        await orgStore.deleteOrg(id);
+    }));
+    app.delete("/orgs/:id", async (c) => runService(c, async () => {
+        await deleteOrg(deps, c.req.param("id"));
         return c.body(null, 204);
-    });
+    }));
     // ----- org members ------------------------------------------
-    app.get("/orgs/:id/members", async (c) => {
+    app.get("/orgs/:id/members", async (c) => runService(c, async () => {
         const id = c.req.param("id");
-        const org = await orgStore.getOrg(id);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
+        await getOrgOrThrow(deps, id);
         return c.json({ members: await orgStore.listMembers(id) });
-    });
-    app.post("/orgs/:id/members", async (c) => {
+    }));
+    app.post("/orgs/:id/members", async (c) => runService(c, async () => {
         const orgId = c.req.param("id");
-        const org = await orgStore.getOrg(orgId);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
+        await getOrgOrThrow(deps, orgId);
         const body = (await c.req.json().catch(() => ({})));
-        let userId = body.userId;
-        if (!userId && body.email) {
-            const u = await orgStore.findUserByEmail(body.email);
-            if (!u)
-                return c.json({ error: "user_not_found" }, 404);
-            userId = u.id;
-        }
-        if (!userId)
-            return c.json({ error: "userId_or_email_required" }, 400);
-        const member = await orgStore.upsertMember({
-            orgId,
-            userId,
-            ...(body.role !== undefined ? { role: body.role } : {}),
-        });
+        const member = await addMember(deps, orgId, body);
         return c.json({ member });
-    });
-    app.delete("/orgs/:id/members/:userId", async (c) => {
+    }));
+    app.delete("/orgs/:id/members/:userId", async (c) => runService(c, async () => {
         const orgId = c.req.param("id");
-        const org = await orgStore.getOrg(orgId);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
-        await orgStore.removeMember(orgId, c.req.param("userId"));
+        await getOrgOrThrow(deps, orgId);
+        await removeMember(deps, orgId, c.req.param("userId"));
         return c.body(null, 204);
-    });
+    }));
     // ----- org workspaces ---------------------------------------
-    // Combines createWorkspace + setWorkspaceOrg + issueKey so a
-    // tenant can be stood up in one round-trip. Mirrors the legacy
-    // /workspaces POST shape but adds org scoping.
-    app.post("/orgs/:id/workspaces", async (c) => {
+    // Stands up a tenant in one round-trip. createWorkspaceUnderOrg
+    // wraps createWorkspace + setWorkspaceOrg + issueKey and applies
+    // the same id validation as the legacy /workspaces POST.
+    app.post("/orgs/:id/workspaces", async (c) => runService(c, async () => {
         const orgId = c.req.param("id");
-        const org = await orgStore.getOrg(orgId);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
+        await getOrgOrThrow(deps, orgId);
         const body = await parseJsonBody(c, createWorkspaceSchema);
         if (body instanceof Response)
             return body;
-        if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
-            return c.json({ error: "invalid_workspace_id" }, 400);
-        }
-        try {
-            const ws = await opts.keyStore.createWorkspace({
-                ...(body.id !== undefined ? { id: body.id } : {}),
-                ...(body.name !== undefined ? { name: body.name } : {}),
-                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
-            });
-            await orgStore.setWorkspaceOrg(ws.id, orgId);
-            if (body.issueKey === false) {
-                return c.json({ workspace: { ...ws, orgId } });
-            }
-            const key = await opts.keyStore.issueKey(ws.id, {
-                ...(body.keyName !== undefined ? { name: body.keyName } : {}),
-            });
-            return c.json({ workspace: { ...ws, orgId }, key });
-        }
-        catch (e) {
-            return c.json({ error: e.message }, 400);
-        }
-    });
-    app.get("/orgs/:id/workspaces", async (c) => {
+        return c.json(await createWorkspaceUnderOrg(deps, orgId, body));
+    }));
+    app.get("/orgs/:id/workspaces", async (c) => runService(c, async () => {
         const orgId = c.req.param("id");
-        const org = await orgStore.getOrg(orgId);
-        if (!org)
-            return c.json({ error: "org_not_found" }, 404);
+        await getOrgOrThrow(deps, orgId);
         const workspaces = await orgStore.listWorkspacesForOrg(orgId);
         return c.json({ workspaces });
-    });
+    }));
+    // ----- per-workspace api keys (scoped to an org) -----------
+    // Org-scoped equivalent of the legacy /admin/v1/workspaces/:id/keys
+    // routes. monet uses these for key rotation after the initial
+    // createWorkspaceUnderOrg + key issuance.
+    app.get("/orgs/:id/workspaces/:wsId/keys", async (c) => runService(c, async () => {
+        const orgId = c.req.param("id");
+        const wsId = c.req.param("wsId");
+        await getOrgOrThrow(deps, orgId);
+        await requireWorkspaceInOrg(deps, orgId, wsId);
+        return c.json({ keys: await opts.keyStore.listKeys(wsId) });
+    }));
+    app.post("/orgs/:id/workspaces/:wsId/keys", async (c) => runService(c, async () => {
+        const orgId = c.req.param("id");
+        const wsId = c.req.param("wsId");
+        await getOrgOrThrow(deps, orgId);
+        await requireWorkspaceInOrg(deps, orgId, wsId);
+        const raw = await c.req.json().catch(() => ({}));
+        const parsed = issueKeySchema.safeParse(raw);
+        if (!parsed.success) {
+            return c.json({ error: "invalid_body", issues: parsed.error.issues }, 400);
+        }
+        const key = await opts.keyStore.issueKey(wsId, {
+            ...(parsed.data.name !== undefined ? { name: parsed.data.name } : {}),
+        });
+        return c.json(key);
+    }));
+    app.delete("/orgs/:id/workspaces/:wsId/keys/:keyId", async (c) => runService(c, async () => {
+        const orgId = c.req.param("id");
+        const wsId = c.req.param("wsId");
+        await getOrgOrThrow(deps, orgId);
+        await requireWorkspaceInOrg(deps, orgId, wsId);
+        await revokeWorkspaceKey(deps, wsId, c.req.param("keyId"));
+        return c.body(null, 204);
+    }));
     return app;
 }
+/** Run a service call, mapping OrgServiceError to a JSON response. */
+async function runService(c, fn) {
+    try {
+        return await fn();
+    }
+    catch (e) {
+        if (e instanceof OrgServiceError)
+            return c.json({ error: e.code }, e.status);
+        throw e;
+    }
+}

package/dist/key-store.d.ts

@@ -36,6 +36,11 @@ export interface KeyStore {
     }): Promise<Workspace>;
     getWorkspace(id: string): Promise<Workspace | null>;
     listWorkspaces(): Promise<Workspace[]>;
+    /** Patch a workspace's name (and/or metadata). Returns the updated row. */
+    updateWorkspace(id: string, patch: {
+        name?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<Workspace>;
     /** Hard delete: cascades to keys, sessions, and events for this workspace. */
     deleteWorkspace(id: string): Promise<void>;
     issueKey(workspaceId: string, opts?: {

package/dist/main.js

@@ -1,32 +1,9 @@
-/**
- * Production entrypoint.
- *
- * Required env:
- *   ENGRAM_ADMIN_TOKEN  platform-level bearer for `/admin/v1/*`. Treat as a
- *                       root credential — anyone with it can mint workspaces
- *                       and API keys.
- *
- * Optional env:
- *   PORT                       default 8080
- *   DATABASE_URL               if unset, falls back to InMemoryKeyStore +
- *                              InMemoryAdapter (NOT durable across restarts)
- *   DATABASE_SOCKET_PATH       Cloud SQL Auth Proxy unix socket dir
- *
- * Optional env (engram-web cookie auth — see ./auth.ts for the full set):
- *   ENGRAM_AUTH_SECRET, ENGRAM_AUTH_URL,
- *   ENGRAM_AUTH_GOOGLE_ID, ENGRAM_AUTH_GOOGLE_SECRET,
- *   ENGRAM_AUTH_COOKIE_DOMAIN, ENGRAM_AUTH_TRUSTED_ORIGINS,
- *   ENGRAM_AUTH_EMAIL_DOMAIN
- *
- * Workspaces and their API keys are provisioned exclusively through the
- * admin API. There is no single-tenant fallback — every caller must hold a
- * workspace-scoped key issued by `POST /admin/v1/workspaces`.
- */
 import { createServer } from "./server";
 import { InMemoryAdapter } from "./adapters/memory";
 import { PostgresAdapter } from "./adapters/postgres";
 import { InMemoryKeyStore } from "./adapters/memory-key-store";
 import { PostgresKeyStore } from "./adapters/postgres-key-store";
+import { pgSqlClient } from "./adapters/pg-tagged";
 import { buildAuth } from "./auth";
 import { makeCookieAuthResolver } from "./auth-resolver";
 import { PostgresOrgStore } from "./adapters/postgres-org-store";
@@ -38,8 +15,9 @@ if (!ADMIN_TOKEN) {
     console.error("[engram-server] ENGRAM_ADMIN_TOKEN is required");
     process.exit(1);
 }
-const { keyStore, getStorage } = await buildStores();
-const { authHandler, cookieAuth, orgStore } = await buildCookieAuth(getStorage);
+const pool = await buildPool();
+const { keyStore, getStorage } = await buildStores(pool);
+const { authHandler, cookieAuth, orgStore } = await buildCookieAuth(pool, getStorage);
 const CORS_ORIGINS = (process.env.ENGRAM_CORS_ORIGINS ?? "")
     .split(",")
     .map((s) => s.trim())
@@ -54,6 +32,7 @@ const app = createServer({
     ...(authHandler ? { authHandler } : {}),
     ...(cookieAuth ? { cookieAuth } : {}),
     ...(orgStore ? { orgStore } : {}),
+    keyStore,
     ...(CORS_ORIGINS.length > 0 ? { corsOrigins: CORS_ORIGINS } : {}),
     admin: {
         token: ADMIN_TOKEN,
@@ -63,8 +42,26 @@ const app = createServer({
 });
 console.log(`[engram-server] listening on :${PORT}`);
 export default { port: PORT, fetch: app.fetch };
-async function buildStores() {
-    if (!DATABASE_URL) {
+/**
+ * Single Postgres connection pool shared by both the engram tables
+ * (sessions/persons/keys/orgs via `pg-tagged`) and better-auth's
+ * Kysely adapter. Returns `null` in in-memory mode.
+ */
+async function buildPool() {
+    if (!DATABASE_URL)
+        return null;
+    const { Pool } = await import("pg");
+    const url = new URL(DATABASE_URL);
+    return new Pool({
+        host: DATABASE_SOCKET_PATH ?? url.hostname,
+        port: DATABASE_SOCKET_PATH ? undefined : Number(url.port || 5432),
+        user: decodeURIComponent(url.username),
+        password: decodeURIComponent(url.password),
+        database: url.pathname.replace(/^\//, ""),
+    });
+}
+async function buildStores(pool) {
+    if (!pool) {
         console.warn("[engram-server] DATABASE_URL not set — in-memory mode (data is volatile)");
         const ks = new InMemoryKeyStore();
         const adapters = new Map();
@@ -80,10 +77,7 @@ async function buildStores() {
             },
         };
     }
-    const { default: postgres } = await import("postgres");
-    const sql = (DATABASE_SOCKET_PATH
-        ? postgres(DATABASE_URL, { host: DATABASE_SOCKET_PATH })
-        : postgres(DATABASE_URL));
+    const sql = pgSqlClient(pool);
     const ks = new PostgresKeyStore(sql);
     await ks.ensureSchema();
     // Session schema is workspace-independent — one bootstrap call is enough.
@@ -107,30 +101,21 @@ async function buildStores() {
  * Google OAuth configured) — the rest of the server still works,
  * but only api-key callers can reach /v1.
  */
-async function buildCookieAuth(getStorage) {
+async function buildCookieAuth(pool, getStorage) {
     const secret = process.env.ENGRAM_AUTH_SECRET;
     const baseURL = process.env.ENGRAM_AUTH_URL;
     const googleId = process.env.ENGRAM_AUTH_GOOGLE_ID;
     const googleSecret = process.env.ENGRAM_AUTH_GOOGLE_SECRET;
     if (!secret || !baseURL || !googleId || !googleSecret) {
-        if (DATABASE_URL) {
+        if (pool) {
             console.warn("[engram-server] cookie auth disabled (set ENGRAM_AUTH_SECRET/URL/GOOGLE_ID/GOOGLE_SECRET to enable engram-web sign-in)");
         }
         return {};
     }
-    if (!DATABASE_URL) {
+    if (!pool) {
         console.warn("[engram-server] cookie auth requires DATABASE_URL — skipping");
         return {};
     }
-    const { Pool } = await import("pg");
-    const url = new URL(DATABASE_URL);
-    const pool = new Pool({
-        host: DATABASE_SOCKET_PATH ?? url.hostname,
-        port: DATABASE_SOCKET_PATH ? undefined : Number(url.port || 5432),
-        user: decodeURIComponent(url.username),
-        password: decodeURIComponent(url.password),
-        database: url.pathname.replace(/^\//, ""),
-    });
     const trusted = (process.env.ENGRAM_AUTH_TRUSTED_ORIGINS ?? "")
         .split(",")
         .map((s) => s.trim())