npm - @hexis-ai/engram-server - Versions diffs - 0.12.0 → 0.14.0 - Mend

@hexis-ai/engram-server 0.12.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/adapters/memory-key-store.d.ts +13 -0
package/dist/adapters/memory-key-store.js +27 -0
package/dist/adapters/memory.js +53 -66
package/dist/adapters/pg-tagged.d.ts +18 -0
package/dist/adapters/pg-tagged.js +29 -0
package/dist/adapters/postgres-key-store.d.ts +5 -0
package/dist/adapters/postgres-key-store.js +21 -5
package/dist/adapters/postgres-org-store.d.ts +5 -1
package/dist/adapters/postgres-org-store.js +25 -8
package/dist/adapters/postgres.js +76 -83
package/dist/adapters/util.d.ts +27 -0
package/dist/adapters/util.js +47 -0
package/dist/admin.js +78 -89
package/dist/key-store.d.ts +13 -0
package/dist/main.js +29 -44
package/dist/migrations/0008-trigger-metadata.d.ts +2 -0
package/dist/migrations/0008-trigger-metadata.js +15 -0
package/dist/migrations/index.js +2 -0
package/dist/openapi.js +340 -3
package/dist/org-store.d.ts +7 -6
package/dist/routes/orgs.d.ts +27 -0
package/dist/routes/orgs.js +185 -0
package/dist/schemas.d.ts +22 -0
package/dist/schemas.js +23 -0
package/dist/server.d.ts +13 -0
package/dist/server.js +40 -23
package/dist/services/orgs.d.ts +99 -0
package/dist/services/orgs.js +163 -0
package/dist/storage.d.ts +8 -0
package/dist/storage.js +20 -0
package/openapi.json +1331 -13
package/package.json +4 -13

package/dist/main.js CHANGED Viewed

@@ -1,32 +1,9 @@
-/**
- * Production entrypoint.
- *
- * Required env:
- *   ENGRAM_ADMIN_TOKEN  platform-level bearer for `/admin/v1/*`. Treat as a
- *                       root credential — anyone with it can mint workspaces
- *                       and API keys.
- *
- * Optional env:
- *   PORT                       default 8080
- *   DATABASE_URL               if unset, falls back to InMemoryKeyStore +
- *                              InMemoryAdapter (NOT durable across restarts)
- *   DATABASE_SOCKET_PATH       Cloud SQL Auth Proxy unix socket dir
- *
- * Optional env (engram-web cookie auth — see ./auth.ts for the full set):
- *   ENGRAM_AUTH_SECRET, ENGRAM_AUTH_URL,
- *   ENGRAM_AUTH_GOOGLE_ID, ENGRAM_AUTH_GOOGLE_SECRET,
- *   ENGRAM_AUTH_COOKIE_DOMAIN, ENGRAM_AUTH_TRUSTED_ORIGINS,
- *   ENGRAM_AUTH_EMAIL_DOMAIN
- *
- * Workspaces and their API keys are provisioned exclusively through the
- * admin API. There is no single-tenant fallback — every caller must hold a
- * workspace-scoped key issued by `POST /admin/v1/workspaces`.
- */
 import { createServer } from "./server";
 import { InMemoryAdapter } from "./adapters/memory";
 import { PostgresAdapter } from "./adapters/postgres";
 import { InMemoryKeyStore } from "./adapters/memory-key-store";
 import { PostgresKeyStore } from "./adapters/postgres-key-store";
+import { pgSqlClient } from "./adapters/pg-tagged";
 import { buildAuth } from "./auth";
 import { makeCookieAuthResolver } from "./auth-resolver";
 import { PostgresOrgStore } from "./adapters/postgres-org-store";
@@ -38,8 +15,9 @@ if (!ADMIN_TOKEN) {
     console.error("[engram-server] ENGRAM_ADMIN_TOKEN is required");
     process.exit(1);
 }
-const { keyStore, getStorage } = await buildStores();
-const { authHandler, cookieAuth, orgStore } = await buildCookieAuth(getStorage);
+const pool = await buildPool();
+const { keyStore, getStorage } = await buildStores(pool);
+const { authHandler, cookieAuth, orgStore } = await buildCookieAuth(pool, getStorage);
 const CORS_ORIGINS = (process.env.ENGRAM_CORS_ORIGINS ?? "")
     .split(",")
     .map((s) => s.trim())
@@ -54,6 +32,7 @@ const app = createServer({
     ...(authHandler ? { authHandler } : {}),
     ...(cookieAuth ? { cookieAuth } : {}),
     ...(orgStore ? { orgStore } : {}),
+    keyStore,
     ...(CORS_ORIGINS.length > 0 ? { corsOrigins: CORS_ORIGINS } : {}),
     admin: {
         token: ADMIN_TOKEN,
@@ -63,8 +42,26 @@ const app = createServer({
 });
 console.log(`[engram-server] listening on :${PORT}`);
 export default { port: PORT, fetch: app.fetch };
-async function buildStores() {
-    if (!DATABASE_URL) {
+/**
+ * Single Postgres connection pool shared by both the engram tables
+ * (sessions/persons/keys/orgs via `pg-tagged`) and better-auth's
+ * Kysely adapter. Returns `null` in in-memory mode.
+ */
+async function buildPool() {
+    if (!DATABASE_URL)
+        return null;
+    const { Pool } = await import("pg");
+    const url = new URL(DATABASE_URL);
+    return new Pool({
+        host: DATABASE_SOCKET_PATH ?? url.hostname,
+        port: DATABASE_SOCKET_PATH ? undefined : Number(url.port || 5432),
+        user: decodeURIComponent(url.username),
+        password: decodeURIComponent(url.password),
+        database: url.pathname.replace(/^\//, ""),
+    });
+}
+async function buildStores(pool) {
+    if (!pool) {
         console.warn("[engram-server] DATABASE_URL not set — in-memory mode (data is volatile)");
         const ks = new InMemoryKeyStore();
         const adapters = new Map();
@@ -80,10 +77,7 @@ async function buildStores() {
             },
         };
     }
-    const { default: postgres } = await import("postgres");
-    const sql = (DATABASE_SOCKET_PATH
-        ? postgres(DATABASE_URL, { host: DATABASE_SOCKET_PATH })
-        : postgres(DATABASE_URL));
+    const sql = pgSqlClient(pool);
     const ks = new PostgresKeyStore(sql);
     await ks.ensureSchema();
     // Session schema is workspace-independent — one bootstrap call is enough.
@@ -107,30 +101,21 @@ async function buildStores() {
  * Google OAuth configured) — the rest of the server still works,
  * but only api-key callers can reach /v1.
  */
-async function buildCookieAuth(getStorage) {
+async function buildCookieAuth(pool, getStorage) {
     const secret = process.env.ENGRAM_AUTH_SECRET;
     const baseURL = process.env.ENGRAM_AUTH_URL;
     const googleId = process.env.ENGRAM_AUTH_GOOGLE_ID;
     const googleSecret = process.env.ENGRAM_AUTH_GOOGLE_SECRET;
     if (!secret || !baseURL || !googleId || !googleSecret) {
-        if (DATABASE_URL) {
+        if (pool) {
             console.warn("[engram-server] cookie auth disabled (set ENGRAM_AUTH_SECRET/URL/GOOGLE_ID/GOOGLE_SECRET to enable engram-web sign-in)");
         }
         return {};
     }
-    if (!DATABASE_URL) {
+    if (!pool) {
         console.warn("[engram-server] cookie auth requires DATABASE_URL — skipping");
         return {};
     }
-    const { Pool } = await import("pg");
-    const url = new URL(DATABASE_URL);
-    const pool = new Pool({
-        host: DATABASE_SOCKET_PATH ?? url.hostname,
-        port: DATABASE_SOCKET_PATH ? undefined : Number(url.port || 5432),
-        user: decodeURIComponent(url.username),
-        password: decodeURIComponent(url.password),
-        database: url.pathname.replace(/^\//, ""),
-    });
     const trusted = (process.env.ENGRAM_AUTH_TRUSTED_ORIGINS ?? "")
         .split(",")
         .map((s) => s.trim())

package/dist/migrations/0008-trigger-metadata.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare const name = "0008-trigger-metadata";
2	+ export declare const sql = "\n-- Hosts that open a side-conversation with a stated goal (monet's\n-- start_conversation tool) need to thread two free-text fields through\n-- engram for the agent's resume flow:\n--\n-- trigger_purpose what this side-conv exists to accomplish\n-- trigger_resume_hint the condition that should resume the parent\n--\n-- Both are opaque to engram \u2014 we store and serve them verbatim. Nullable\n-- because most sessions aren't side-conversations.\n\nALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_purpose TEXT;\nALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_resume_hint TEXT;\n";

package/dist/migrations/0008-trigger-metadata.js ADDED Viewed

@@ -0,0 +1,15 @@
+export const name = "0008-trigger-metadata";
+export const sql = `
+-- Hosts that open a side-conversation with a stated goal (monet's
+-- start_conversation tool) need to thread two free-text fields through
+-- engram for the agent's resume flow:
+--
+--   trigger_purpose      what this side-conv exists to accomplish
+--   trigger_resume_hint  the condition that should resume the parent
+--
+-- Both are opaque to engram — we store and serve them verbatim. Nullable
+-- because most sessions aren't side-conversations.
+ALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_purpose TEXT;
+ALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_resume_hint TEXT;
+`;

package/dist/migrations/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ import * as m0004 from "./0004-schema-completion";
 import * as m0005 from "./0005-session-updated-at";
 import * as m0006 from "./0006-auth";
 import * as m0007 from "./0007-orgs";
+import * as m0008 from "./0008-trigger-metadata";
 /**
  * Schema migrations, applied in array order. Add a new file under
  * `migrations/NNNN-<slug>.ts` exporting `name` and `sql`, then append it
@@ -20,4 +21,5 @@ export const MIGRATIONS = [
     { name: m0005.name, sql: m0005.sql },
     { name: m0006.name, sql: m0006.sql },
     { name: m0007.name, sql: m0007.sql },
+    { name: m0008.name, sql: m0008.sql },
 ];

package/dist/openapi.js CHANGED Viewed

@@ -18,7 +18,7 @@
  * codes stay as-is.
  */
 import { z } from "zod";
-import { createWorkspaceSchema, eventBatchSchema, issueKeySchema, personCreateSchema, personUpdateSchema, searchRequestSchema, sessionInitSchema, } from "./schemas";
+import { addMemberSchema, createOrgSchema, createWorkspaceSchema, eventBatchSchema, issueKeySchema, orgPatchSchema, personCreateSchema, personUpdateSchema, searchRequestSchema, sessionInitSchema, sessionUpdateSchema, aliasUpsertSchema, identityUpsertSchema, workspacePatchSchema, } from "./schemas";
 /** Convert a Zod schema to a JSON Schema object for an OpenAPI component. */
 function toComponent(schema) {
     const js = z.toJSONSchema(schema);
@@ -37,7 +37,7 @@ const pathParam = (name, description) => ({
     schema: { type: "string" },
     description,
 });
-const queryParam = (name, description, schema = { type: "string" }) => ({ name, in: "query", required: false, schema, description });
+const queryParam = (name, description, schema = { type: "string" }, required = false) => ({ name, in: "query", required, schema, description });
 const res = (description) => ({ description });
 /** Default security: a workspace API key. `/admin/v1` paths override this. */
 const workspaceAuth = [{ workspaceKey: [] }];
@@ -54,14 +54,23 @@ const adminAuth = [{ adminToken: [] }];
 // ---------------------------------------------------------------------
 /** Every tag, in sidebar order, with a Japanese description. */
 const TAG_DEFS = [
-    { name: "Me", description: "識別プローブ" },
+    { name: "Me", description: "識別プローブ・閲覧可能な workspace/org 一覧" },
     { name: "Sessions", description: "セッションの作成・取得・イベント追加" },
     { name: "Search", description: "ワークスペースコーパスへのスコアリング検索" },
     { name: "Persons", description: "person の作成・更新・検索" },
+    { name: "Aliases", description: "ワークスペース横断の alias 解決" },
     {
         name: "Identities",
         description: "外部 ID（slack: / email: など）の resolve と upsert",
     },
+    {
+        name: "Orgs (self-serve)",
+        description: "engram-web からの cookie 認証 + org-member ロールでの org / workspace / API キー管理",
+    },
+    {
+        name: "Orgs (admin)",
+        description: "プラットフォーム管理者トークンでの org 管理",
+    },
     {
         name: "Workspaces (admin)",
         description: "ワークスペースの管理（管理者トークン必須）",
@@ -99,6 +108,24 @@ function buildPaths() {
                 },
             },
         }),
+        "/v1/me/workspaces": tagged("Me", {
+            get: {
+                summary: "サインイン中のユーザーが閲覧できる workspace 一覧。cookie 認証専用 — workspace 選択前にも到達できるよう workspace ゲートの前段に置かれている。",
+                responses: {
+                    "200": res("workspace 一覧"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/me/orgs": tagged("Me", {
+            get: {
+                summary: "サインイン中のユーザーが member として所属する org 一覧（自分の role 付き）。cookie 認証専用。",
+                responses: {
+                    "200": res("org 一覧"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
         "/v1/sessions": tagged("Sessions", {
             post: {
                 summary: "セッションを作成する。",
@@ -282,6 +309,16 @@ function buildPaths() {
                 },
             },
         }),
+        "/v1/aliases": tagged("Aliases", {
+            get: {
+                summary: "ワークスペース全体で alias 名を case-insensitive に逆引き。同名の alias を持つ複数の person を `last_used` desc で返す。`persons` map も同梱。",
+                parameters: [queryParam("name", "alias 名（URL-encoded）。", { type: "string" }, true)],
+                responses: {
+                    "200": res("alias 一覧 + persons map"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
         "/v1/identities/{ref}": tagged("Identities", {
             put: {
                 summary: "ref（例: `slack:U12345`、`email:foo@bar.com`）で identity を upsert する。",
@@ -304,6 +341,299 @@ function buildPaths() {
                 },
             },
         }),
+        // ------------------------------------------------------------------
+        // Self-service org surface (Wave G5). Cookie auth + org membership.
+        // engram-web の settings UI から呼ばれる。/admin/v1/orgs/* と同じ
+        // 操作を「自分が所属する org に絞って」叩けるエンドポイント群。
+        // ------------------------------------------------------------------
+        "/v1/orgs/{id}": tagged("Orgs (self-serve)", {
+            get: {
+                summary: "自分が member の org を取得する（自分の role 付き）。",
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("org + role"),
+                    "403": res("この org の member ではない"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            patch: {
+                summary: "org の name / metadata を更新する（owner / admin のみ）。",
+                parameters: [pathParam("id", "org id。")],
+                requestBody: jsonBody("OrgPatch"),
+                responses: {
+                    "200": res("更新後の org"),
+                    "403": res("権限不足（owner / admin が必要）"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/members": tagged("Orgs (self-serve)", {
+            get: {
+                summary: "org の member 一覧。",
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("member 一覧"),
+                    "403": res("この org の member ではない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            post: {
+                summary: "member を追加する（owner / admin のみ）。`email` か `userId` のいずれかを必須で渡す。",
+                parameters: [pathParam("id", "org id。")],
+                requestBody: jsonBody("AddMember"),
+                responses: {
+                    "200": res("追加された membership"),
+                    "400": res("`userId` も `email` も無い、または body が不正"),
+                    "403": res("権限不足"),
+                    "404": res("email から user を解決できない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/members/{userId}": tagged("Orgs (self-serve)", {
+            delete: {
+                summary: "member を削除する（owner / admin のみ）。最後の owner は削除拒否（`cannot_remove_last_owner`）。",
+                parameters: [pathParam("id", "org id。"), pathParam("userId", "user id。")],
+                responses: {
+                    "204": res("削除完了"),
+                    "400": res("最後の owner は削除できない"),
+                    "403": res("権限不足"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/workspaces": tagged("Orgs (self-serve)", {
+            get: {
+                summary: "org の workspace 一覧。",
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("workspace 一覧"),
+                    "403": res("この org の member ではない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            post: {
+                summary: "workspace を作成し、（issueKey=false でなければ）初期 API キーも発行する。owner / admin のみ。",
+                parameters: [pathParam("id", "org id。")],
+                requestBody: jsonBody("CreateWorkspace"),
+                responses: {
+                    "200": res("workspace（issueKey=false でない限り key も含む）"),
+                    "400": res("body または workspace id が不正"),
+                    "403": res("権限不足"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/workspaces/{wsId}": tagged("Orgs (self-serve)", {
+            patch: {
+                summary: "workspace の name / metadata を更新する（owner / admin のみ）。",
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                requestBody: jsonBody("WorkspacePatch"),
+                responses: {
+                    "200": res("更新後の workspace"),
+                    "403": res("権限不足"),
+                    "404": res("workspace がこの org に属さない / 存在しない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            delete: {
+                summary: "workspace を削除する（セッション・persons・identities・API キーにカスケード）。owner / admin のみ。",
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                responses: {
+                    "204": res("削除完了"),
+                    "403": res("権限不足"),
+                    "404": res("workspace がこの org に属さない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/workspaces/{wsId}/keys": tagged("Orgs (self-serve)", {
+            get: {
+                summary: "workspace の API キー一覧（owner / admin のみ）。",
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                responses: {
+                    "200": res("キー一覧"),
+                    "403": res("権限不足"),
+                    "404": res("workspace がこの org に属さない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            post: {
+                summary: "新しい API キーを発行する（owner / admin のみ）。",
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                requestBody: jsonBody("IssueKey", false),
+                responses: {
+                    "200": res("発行されたキー（raw は一度のみ返却）"),
+                    "403": res("権限不足"),
+                    "404": res("workspace がこの org に属さない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/v1/orgs/{id}/workspaces/{wsId}/keys/{keyId}": tagged("Orgs (self-serve)", {
+            delete: {
+                summary: "API キーを無効化する（owner / admin のみ）。",
+                parameters: [
+                    pathParam("id", "org id。"),
+                    pathParam("wsId", "workspace id。"),
+                    pathParam("keyId", "key id。"),
+                ],
+                responses: {
+                    "204": res("無効化完了"),
+                    "403": res("権限不足"),
+                    "404": res("workspace / key がこの org に属さない、または存在しない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        // ------------------------------------------------------------------
+        // Admin org surface (Wave G1). Platform admin token.
+        // ------------------------------------------------------------------
+        "/admin/v1/orgs": tagged("Orgs (admin)", {
+            post: {
+                summary: "org を作成する。",
+                security: adminAuth,
+                requestBody: jsonBody("CreateOrg"),
+                responses: {
+                    "200": res("作成された org"),
+                    "400": res("body が不正"),
+                    "401": res("認証エラー"),
+                },
+            },
+            get: {
+                summary: "全 org を一覧取得する。",
+                security: adminAuth,
+                responses: {
+                    "200": res("org 一覧"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}": tagged("Orgs (admin)", {
+            get: {
+                summary: "単一の org を取得する。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("org"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            delete: {
+                summary: "org を削除する（member と workspace にカスケード）。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "204": res("削除完了"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}/members": tagged("Orgs (admin)", {
+            get: {
+                summary: "org の member 一覧。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("member 一覧"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            post: {
+                summary: "member を追加する（email または userId）。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                requestBody: jsonBody("AddMember"),
+                responses: {
+                    "200": res("追加された membership"),
+                    "400": res("`userId` も `email` も無い、または body が不正"),
+                    "404": res("org または email から user を解決できない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}/members/{userId}": tagged("Orgs (admin)", {
+            delete: {
+                summary: "member を削除する。最後の owner は削除拒否（`cannot_remove_last_owner`）。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。"), pathParam("userId", "user id。")],
+                responses: {
+                    "204": res("削除完了"),
+                    "400": res("最後の owner は削除できない"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}/workspaces": tagged("Orgs (admin)", {
+            post: {
+                summary: "org の下に workspace を作成し、（issueKey=false でなければ）初期 API キーも発行する。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                requestBody: jsonBody("CreateWorkspace"),
+                responses: {
+                    "200": res("workspace（issueKey=false でない限り key も含む）"),
+                    "400": res("body または workspace id が不正"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+            get: {
+                summary: "org の workspace 一覧。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。")],
+                responses: {
+                    "200": res("workspace 一覧"),
+                    "404": res("org が見つからない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}/workspaces/{wsId}/keys": tagged("Orgs (admin)", {
+            get: {
+                summary: "org 配下の workspace の API キー一覧（ハッシュのみ）。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                responses: {
+                    "200": res("キー一覧"),
+                    "404": res("workspace がこの org に属さない / org が無い"),
+                    "401": res("認証エラー"),
+                },
+            },
+            post: {
+                summary: "org 配下の workspace に新しい API キーを発行する。`createWorkspaceUnderOrg` 後のキー rotation に使う。",
+                security: adminAuth,
+                parameters: [pathParam("id", "org id。"), pathParam("wsId", "workspace id。")],
+                requestBody: jsonBody("IssueKey", false),
+                responses: {
+                    "200": res("発行されたキー（raw は一度のみ返却）"),
+                    "400": res("リクエストボディが不正"),
+                    "404": res("workspace がこの org に属さない / org が無い"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
+        "/admin/v1/orgs/{id}/workspaces/{wsId}/keys/{keyId}": tagged("Orgs (admin)", {
+            delete: {
+                summary: "org 配下の workspace の API キーを無効化する。",
+                security: adminAuth,
+                parameters: [
+                    pathParam("id", "org id。"),
+                    pathParam("wsId", "workspace id。"),
+                    pathParam("keyId", "key id。"),
+                ],
+                responses: {
+                    "204": res("無効化完了"),
+                    "404": res("workspace / key がこの org に属さない、または存在しない"),
+                    "401": res("認証エラー"),
+                },
+            },
+        }),
         "/admin/v1/workspaces": tagged("Workspaces (admin)", {
             post: {
                 summary: "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
@@ -425,15 +755,22 @@ export function buildOpenApiDocument() {
             },
             schemas: {
                 SessionInit: toComponent(sessionInitSchema),
+                SessionUpdate: toComponent(sessionUpdateSchema),
                 // `EventBatch` inlines the per-event shape. A standalone `SessionEvent`
                 // component (cross-`$ref`'d) is a planned follow-up alongside response
                 // schemas — zod's `toJSONSchema` inlines by default.
                 EventBatch: toComponent(eventBatchSchema),
                 PersonCreate: toComponent(personCreateSchema),
                 PersonUpdate: toComponent(personUpdateSchema),
+                AliasUpsert: toComponent(aliasUpsertSchema),
+                IdentityUpsert: toComponent(identityUpsertSchema),
                 SearchRequest: toComponent(searchRequestSchema),
                 CreateWorkspace: toComponent(createWorkspaceSchema),
                 IssueKey: toComponent(issueKeySchema),
+                CreateOrg: toComponent(createOrgSchema),
+                OrgPatch: toComponent(orgPatchSchema),
+                WorkspacePatch: toComponent(workspacePatchSchema),
+                AddMember: toComponent(addMemberSchema),
             },
         },
         paths: buildPaths(),

package/dist/org-store.d.ts CHANGED Viewed

@@ -29,6 +29,10 @@ export interface OrgStore {
     }): Promise<OrgRow>;
     getOrg(id: string): Promise<OrgRow | null>;
     listOrgs(): Promise<OrgRow[]>;
+    updateOrg(id: string, patch: {
+        name?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<OrgRow>;
     deleteOrg(id: string): Promise<void>;
     listMembers(orgId: string): Promise<OrgMembershipRow[]>;
     upsertMember(input: {
@@ -44,12 +48,6 @@ export interface OrgStore {
     } | null>;
     /** Orgs the given user is a member of. */
     listOrgsForUser(userId: string): Promise<OrgMembershipRow[]>;
-    /**
-     * Set the org an already-existing workspace belongs to. Called
-     * by the admin endpoint that creates a workspace under an org
-     * (key issuance and engram_workspaces.org_id are written together).
-     */
-    setWorkspaceOrg(workspaceId: string, orgId: string): Promise<void>;
     /** Workspaces in the given org. */
     listWorkspacesForOrg(orgId: string): Promise<{
         id: string;
@@ -63,4 +61,7 @@ export interface OrgStore {
     }[]>;
     /** Returns true if the user is an org-member of the workspace's org. */
     userCanAccessWorkspace(userId: string, workspaceId: string): Promise<boolean>;
+    /** Returns true if the workspace's `org_id` matches. Admin-side check
+     *  with no user context. */
+    workspaceInOrg(orgId: string, workspaceId: string): Promise<boolean>;
 }

package/dist/routes/orgs.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Cookie-auth org self-service routes (Wave G5).
+ *
+ * Auth gating only — the underlying logic lives in services/orgs.ts so
+ * the admin-token surface (`/admin/v1/orgs/*`) can call the same code
+ * without duplicating it.
+ *
+ * Mount BEFORE the workspace gate in src/server.ts; these endpoints
+ * have their own membership check and a chosen workspace would be
+ * irrelevant noise.
+ */
+import { Hono } from "hono";
+import type { EngramAuth } from "../auth";
+import type { KeyStore } from "../key-store";
+import type { OrgStore } from "../org-store";
+export interface OrgsRouteOptions {
+    authHandler: EngramAuth;
+    orgStore: OrgStore;
+    keyStore: KeyStore;
+}
+type Env = {
+    Variables: {
+        request_id: string;
+    };
+};
+export declare function orgsRoutes(opts: OrgsRouteOptions): Hono<Env>;
+export {};