@hexis-ai/engram-server 0.13.0 → 0.15.0

package/dist/adapters/memory-key-store.d.ts

@@ -6,11 +6,20 @@ export declare class InMemoryKeyStore implements KeyStore {
     private readonly workspaces;
     private readonly keys;
     private readonly byHash;
+    /** Mirror of engram_workspaces.org_id. Lookup-only — fakes / org-stores
+     *  in tests read this to answer membership queries without re-tracking
+     *  the binding themselves. */
+    private readonly orgIds;
     createWorkspace(input: {
         id?: string;
         name?: string;
         metadata?: Record<string, unknown>;
+        orgId?: string;
     }): Promise<Workspace>;
+    /** Org id stamped on a workspace at creation, or undefined if not org-scoped. */
+    getWorkspaceOrgId(workspaceId: string): string | undefined;
+    /** All (workspaceId, orgId) pairs. Read-only view for fakes. */
+    workspaceOrgBindings(): ReadonlyMap<string, string>;
     getWorkspace(id: string): Promise<Workspace | null>;
     listWorkspaces(): Promise<Workspace[]>;
     updateWorkspace(id: string, patch: {

package/dist/adapters/memory-key-store.js

@@ -6,6 +6,10 @@ export class InMemoryKeyStore {
     workspaces = new Map();
     keys = new Map();
     byHash = new Map();
+    /** Mirror of engram_workspaces.org_id. Lookup-only — fakes / org-stores
+     *  in tests read this to answer membership queries without re-tracking
+     *  the binding themselves. */
+    orgIds = new Map();
     async createWorkspace(input) {
         const id = resolveWorkspaceId(input);
         const existing = this.workspaces.get(id);
@@ -18,8 +22,18 @@ export class InMemoryKeyStore {
             createdAt: new Date().toISOString(),
         };
         this.workspaces.set(id, ws);
+        if (input.orgId !== undefined)
+            this.orgIds.set(id, input.orgId);
         return ws;
     }
+    /** Org id stamped on a workspace at creation, or undefined if not org-scoped. */
+    getWorkspaceOrgId(workspaceId) {
+        return this.orgIds.get(workspaceId);
+    }
+    /** All (workspaceId, orgId) pairs. Read-only view for fakes. */
+    workspaceOrgBindings() {
+        return this.orgIds;
+    }
     async getWorkspace(id) {
         return this.workspaces.get(id) ?? null;
     }
@@ -40,6 +54,7 @@ export class InMemoryKeyStore {
     }
     async deleteWorkspace(id) {
         this.workspaces.delete(id);
+        this.orgIds.delete(id);
         for (const [keyId, row] of this.keys) {
             if (row.workspaceId === id) {
                 this.byHash.delete(row.keyHash);

package/dist/adapters/memory.js

@@ -42,6 +42,12 @@ export class InMemoryAdapter {
                 ...(init.trigger_event_id != null
                     ? { trigger_event_id: init.trigger_event_id }
                     : {}),
+                ...(init.trigger_purpose != null
+                    ? { trigger_purpose: init.trigger_purpose }
+                    : {}),
+                ...(init.trigger_resume_hint != null
+                    ? { trigger_resume_hint: init.trigger_resume_hint }
+                    : {}),
             },
             events: new Map(),
         });

package/dist/adapters/postgres-key-store.d.ts

@@ -12,6 +12,7 @@ export declare class PostgresKeyStore implements KeyStore {
         id?: string;
         name?: string;
         metadata?: Record<string, unknown>;
+        orgId?: string;
     }): Promise<Workspace>;
     getWorkspace(id: string): Promise<Workspace | null>;
     listWorkspaces(): Promise<Workspace[]>;

package/dist/adapters/postgres-key-store.js

@@ -16,8 +16,13 @@ export class PostgresKeyStore {
     async createWorkspace(input) {
         const id = resolveWorkspaceId(input);
         await this.sql `
-      INSERT INTO engram_workspaces (id, name, metadata)
-      VALUES (${id}, ${input.name ?? null}, ${(input.metadata ?? {})})
+      INSERT INTO engram_workspaces (id, name, metadata, org_id)
+      VALUES (
+        ${id},
+        ${input.name ?? null},
+        ${(input.metadata ?? {})},
+        ${input.orgId ?? null}
+      )
       ON CONFLICT (id) DO NOTHING
     `;
         const ws = await this.getWorkspace(id);

package/dist/adapters/postgres-org-store.d.ts

@@ -27,7 +27,6 @@ export declare class PostgresOrgStore implements OrgStore {
         email: string;
     } | null>;
     listOrgsForUser(userId: string): Promise<OrgMembershipRow[]>;
-    setWorkspaceOrg(workspaceId: string, orgId: string): Promise<void>;
     listWorkspacesForOrg(orgId: string): Promise<{
         id: string;
         name: string | null;

package/dist/adapters/postgres-org-store.js

@@ -89,9 +89,8 @@ export class PostgresOrgStore {
         return rows.map(toMember);
     }
     // ---------- workspace ↔ org link -----------------------------
-    async setWorkspaceOrg(workspaceId, orgId) {
-        await this.pool.query(`UPDATE engram_workspaces SET org_id = $1 WHERE id = $2`, [orgId, workspaceId]);
-    }
+    // engram_workspaces.org_id is written by KeyStore.createWorkspace in
+    // the same INSERT as the workspace row. This store only reads.
     async listWorkspacesForOrg(orgId) {
         const { rows } = await this.pool.query(`SELECT id, name FROM engram_workspaces WHERE org_id = $1 ORDER BY created_at`, [orgId]);
         return rows;

package/dist/adapters/postgres.js

@@ -31,7 +31,8 @@ export class PostgresAdapter {
       INSERT INTO engram_sessions (
         workspace_id, id, title, channel, participants, viewable_by,
         created_at, updated_at, status, summary, model,
-        trigger_conversation_id, trigger_event_id
+        trigger_conversation_id, trigger_event_id,
+        trigger_purpose, trigger_resume_hint
       )
       VALUES (
         ${this.workspaceId},
@@ -46,7 +47,9 @@ export class PostgresAdapter {
         ${init.summary ?? null},
         ${init.model ?? null},
         ${init.trigger_conversation_id ?? null},
-        ${init.trigger_event_id ?? null}
+        ${init.trigger_event_id ?? null},
+        ${init.trigger_purpose ?? null},
+        ${init.trigger_resume_hint ?? null}
       )
       ON CONFLICT (workspace_id, id) DO NOTHING
     `;
@@ -97,7 +100,8 @@ export class PostgresAdapter {
         const rows = await this.sql `
       SELECT id, title, channel, participants, viewable_by, created_at,
              updated_at, status, summary, model,
-             trigger_conversation_id, trigger_event_id
+             trigger_conversation_id, trigger_event_id,
+             trigger_purpose, trigger_resume_hint
       FROM engram_sessions
       WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
       LIMIT 1
@@ -122,6 +126,8 @@ export class PostgresAdapter {
         const model = pickPatch(patch, "model");
         const tcId = pickPatch(patch, "trigger_conversation_id");
         const teId = pickPatch(patch, "trigger_event_id");
+        const tPurpose = pickPatch(patch, "trigger_purpose");
+        const tResume = pickPatch(patch, "trigger_resume_hint");
         const rows = await this.sql `
       UPDATE engram_sessions SET
         title    = CASE WHEN ${title.provided}   THEN ${title.value}   ELSE title   END,
@@ -133,6 +139,10 @@ export class PostgresAdapter {
           THEN ${tcId.value} ELSE trigger_conversation_id END,
         trigger_event_id = CASE WHEN ${teId.provided}
           THEN ${teId.value} ELSE trigger_event_id END,
+        trigger_purpose = CASE WHEN ${tPurpose.provided}
+          THEN ${tPurpose.value} ELSE trigger_purpose END,
+        trigger_resume_hint = CASE WHEN ${tResume.provided}
+          THEN ${tResume.value} ELSE trigger_resume_hint END,
         updated_at = now()
       WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
       RETURNING id
@@ -474,6 +484,12 @@ function toSessionRow(r) {
         ...(r.trigger_event_id !== null
             ? { trigger_event_id: r.trigger_event_id }
             : {}),
+        ...(r.trigger_purpose !== null
+            ? { trigger_purpose: r.trigger_purpose }
+            : {}),
+        ...(r.trigger_resume_hint !== null
+            ? { trigger_resume_hint: r.trigger_resume_hint }
+            : {}),
     };
 }
 function toAliasInfo(r) {

package/dist/admin.d.ts

@@ -1,17 +1,17 @@
 import { Hono } from "hono";
-import { type KeyStore } from "./key-store";
+import type { KeyStore } from "./key-store";
 import type { OrgStore } from "./org-store";
 export interface AdminOptions {
     /** Bearer token required for every /admin/v1 request. */
     token: string;
     keyStore: KeyStore;
     /**
-     * Optional org store. When provided, mounts the orgs surface
-     * (\`/admin/v1/orgs/*\` plus \`/admin/v1/orgs/:id/workspaces\` for
-     * org-scoped workspace creation). Without it only the legacy
-     * \`/admin/v1/workspaces\` endpoints are exposed.
+     * Org store. Required — every admin endpoint is org-scoped.
+     * (The previous opt-out, where admin.ts also exposed a non-org
+     * `/admin/v1/workspaces` surface for `orgStore`-less deployments,
+     * was removed in v0.15.)
      */
-    orgStore?: OrgStore;
+    orgStore: OrgStore;
 }
 interface Env {
     Variables: {
@@ -24,20 +24,20 @@ interface Env {
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export declare function createAdminRouter(opts: AdminOptions): Hono<Env>;
 export {};

package/dist/admin.js

@@ -1,5 +1,4 @@
 import { Hono } from "hono";
-import { isValidWorkspaceId } from "./key-store";
 import { createWorkspaceSchema, issueKeySchema, parseJsonBody } from "./schemas";
 import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow, OrgServiceError, removeMember, requireWorkspaceInOrg, revokeWorkspaceKey, } from "./services/orgs";
 /**
@@ -8,23 +7,25 @@ import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export function createAdminRouter(opts) {
     const app = new Hono();
+    const { orgStore } = opts;
+    const deps = { orgStore, keyStore: opts.keyStore };
     app.use("*", async (c, next) => {
         const supplied = c.req.header("x-admin-token") ??
             c.req.header("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1];
@@ -33,94 +34,6 @@ export function createAdminRouter(opts) {
         }
         await next();
     });
-    // -------------------- workspaces (legacy / api-key-only) ----
-    // Kept for backwards compatibility; new callers should create
-    // workspaces under an org so they're reachable from the web UI.
-    app.post("/workspaces", async (c) => {
-        const body = await parseJsonBody(c, createWorkspaceSchema);
-        if (body instanceof Response)
-            return body;
-        if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
-            return c.json({ error: "invalid_workspace_id" }, 400);
-        }
-        try {
-            const ws = await opts.keyStore.createWorkspace({
-                ...(body.id !== undefined ? { id: body.id } : {}),
-                ...(body.name !== undefined ? { name: body.name } : {}),
-                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
-            });
-            if (body.issueKey === false) {
-                return c.json({ workspace: ws });
-            }
-            const key = await opts.keyStore.issueKey(ws.id, {
-                ...(body.keyName !== undefined ? { name: body.keyName } : {}),
-            });
-            return c.json({ workspace: ws, key });
-        }
-        catch (e) {
-            return c.json({ error: e.message }, 400);
-        }
-    });
-    app.get("/workspaces", async (c) => {
-        const workspaces = await opts.keyStore.listWorkspaces();
-        return c.json({ workspaces });
-    });
-    app.get("/workspaces/:id", async (c) => {
-        const ws = await opts.keyStore.getWorkspace(c.req.param("id"));
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        return c.json(ws);
-    });
-    app.delete("/workspaces/:id", async (c) => {
-        const id = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(id);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        await opts.keyStore.deleteWorkspace(id);
-        return c.body(null, 204);
-    });
-    app.post("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const raw = await c.req.json().catch(() => ({}));
-        const parsed = issueKeySchema.safeParse(raw);
-        if (!parsed.success) {
-            return c.json({ error: "invalid_body", issues: parsed.error.issues }, 400);
-        }
-        const key = await opts.keyStore.issueKey(workspaceId, {
-            ...(parsed.data.name !== undefined ? { name: parsed.data.name } : {}),
-        });
-        return c.json(key);
-    });
-    app.get("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const keys = await opts.keyStore.listKeys(workspaceId);
-        return c.json({ keys });
-    });
-    app.delete("/workspaces/:id/keys/:keyId", async (c) => {
-        const workspaceId = c.req.param("id");
-        const keyId = c.req.param("keyId");
-        try {
-            await opts.keyStore.revokeKey(workspaceId, keyId);
-        }
-        catch (e) {
-            if (e.message === "key_not_found") {
-                return c.json({ error: "key_not_found" }, 404);
-            }
-            throw e;
-        }
-        return c.body(null, 204);
-    });
-    // -------------------- orgs (org-scoped admin surface) -------
-    const orgStore = opts.orgStore;
-    if (!orgStore)
-        return app;
-    const deps = { orgStore, keyStore: opts.keyStore };
     app.post("/orgs", async (c) => runService(c, async () => {
         const body = (await c.req.json().catch(() => ({})));
         const org = await createOrg(deps, body);
@@ -158,9 +71,9 @@ export function createAdminRouter(opts) {
         return c.body(null, 204);
     }));
     // ----- org workspaces ---------------------------------------
-    // Stands up a tenant in one round-trip. createWorkspaceUnderOrg
-    // wraps createWorkspace + setWorkspaceOrg + issueKey and applies
-    // the same id validation as the legacy /workspaces POST.
+    // Stands up a tenant. createWorkspaceUnderOrg writes the workspace
+    // + org binding in a single INSERT (atomic) and then issues the
+    // initial API key (separate insert; retry-safe via ON CONFLICT).
     app.post("/orgs/:id/workspaces", async (c) => runService(c, async () => {
         const orgId = c.req.param("id");
         await getOrgOrThrow(deps, orgId);

package/dist/key-store.d.ts

@@ -29,10 +29,18 @@ export interface KeyResolution {
     keyId: string;
 }
 export interface KeyStore {
+    /**
+     * Persist a workspace row. `orgId`, when supplied, lands in the same
+     * INSERT so the workspace and its org binding are committed atomically
+     * (no orphaned workspace if a follow-up `setWorkspaceOrg` would have
+     * failed). Legacy callers without an org still work — `org_id` stays
+     * NULL.
+     */
     createWorkspace(input: {
         id?: string;
         name?: string;
         metadata?: Record<string, unknown>;
+        orgId?: string;
     }): Promise<Workspace>;
     getWorkspace(id: string): Promise<Workspace | null>;
     listWorkspaces(): Promise<Workspace[]>;

package/dist/main.js

@@ -22,6 +22,10 @@ const CORS_ORIGINS = (process.env.ENGRAM_CORS_ORIGINS ?? "")
     .split(",")
     .map((s) => s.trim())
     .filter(Boolean);
+if (!orgStore) {
+    console.error("[engram-server] orgStore is required (DATABASE_URL + ENGRAM_AUTH_* env vars) — every admin endpoint is now org-scoped");
+    process.exit(1);
+}
 const app = createServer({
     auth: async (key) => {
         const r = await keyStore.resolveKey(key);
@@ -31,14 +35,10 @@ const app = createServer({
     },
     ...(authHandler ? { authHandler } : {}),
     ...(cookieAuth ? { cookieAuth } : {}),
-    ...(orgStore ? { orgStore } : {}),
+    orgStore,
     keyStore,
     ...(CORS_ORIGINS.length > 0 ? { corsOrigins: CORS_ORIGINS } : {}),
-    admin: {
-        token: ADMIN_TOKEN,
-        keyStore,
-        ...(orgStore ? { orgStore } : {}),
-    },
+    admin: { token: ADMIN_TOKEN, keyStore, orgStore },
 });
 console.log(`[engram-server] listening on :${PORT}`);
 export default { port: PORT, fetch: app.fetch };

package/dist/migrations/0008-trigger-metadata.d.ts

@@ -0,0 +1,2 @@
+export declare const name = "0008-trigger-metadata";
+export declare const sql = "\n-- Hosts that open a side-conversation with a stated goal (monet's\n-- start_conversation tool) need to thread two free-text fields through\n-- engram for the agent's resume flow:\n--\n--   trigger_purpose      what this side-conv exists to accomplish\n--   trigger_resume_hint  the condition that should resume the parent\n--\n-- Both are opaque to engram \u2014 we store and serve them verbatim. Nullable\n-- because most sessions aren't side-conversations.\n\nALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_purpose TEXT;\nALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_resume_hint TEXT;\n";

package/dist/migrations/0008-trigger-metadata.js

@@ -0,0 +1,15 @@
+export const name = "0008-trigger-metadata";
+export const sql = `
+-- Hosts that open a side-conversation with a stated goal (monet's
+-- start_conversation tool) need to thread two free-text fields through
+-- engram for the agent's resume flow:
+--
+--   trigger_purpose      what this side-conv exists to accomplish
+--   trigger_resume_hint  the condition that should resume the parent
+--
+-- Both are opaque to engram — we store and serve them verbatim. Nullable
+-- because most sessions aren't side-conversations.
+
+ALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_purpose TEXT;
+ALTER TABLE engram_sessions ADD COLUMN IF NOT EXISTS trigger_resume_hint TEXT;
+`;

package/dist/migrations/index.js

@@ -5,6 +5,7 @@ import * as m0004 from "./0004-schema-completion";
 import * as m0005 from "./0005-session-updated-at";
 import * as m0006 from "./0006-auth";
 import * as m0007 from "./0007-orgs";
+import * as m0008 from "./0008-trigger-metadata";
 /**
  * Schema migrations, applied in array order. Add a new file under
  * `migrations/NNNN-<slug>.ts` exporting `name` and `sql`, then append it
@@ -20,4 +21,5 @@ export const MIGRATIONS = [
     { name: m0005.name, sql: m0005.sql },
     { name: m0006.name, sql: m0006.sql },
     { name: m0007.name, sql: m0007.sql },
+    { name: m0008.name, sql: m0008.sql },
 ];

package/dist/openapi.js

@@ -71,14 +71,6 @@ const TAG_DEFS = [
         name: "Orgs (admin)",
         description: "プラットフォーム管理者トークンでの org 管理",
     },
-    {
-        name: "Workspaces (admin)",
-        description: "ワークスペースの管理（管理者トークン必須）",
-    },
-    {
-        name: "API Keys (admin)",
-        description: "ワークスペース API キーの発行・無効化（管理者トークン必須）",
-    },
 ];
 /**
  * Stamp `tag` onto every operation in a path-item. The path declares its
@@ -634,87 +626,6 @@ function buildPaths() {
                 },
             },
         }),
-        "/admin/v1/workspaces": tagged("Workspaces (admin)", {
-            post: {
-                summary: "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-                security: adminAuth,
-                requestBody: jsonBody("CreateWorkspace"),
-                responses: {
-                    "200": res("ワークスペース（issueKey=false でない限りキーも含む）"),
-                    "400": res("リクエストボディまたはワークスペース id が不正"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "全ワークスペースを一覧取得する。",
-                security: adminAuth,
-                responses: {
-                    "200": res("ワークスペース一覧"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}": tagged("Workspaces (admin)", {
-            get: {
-                summary: "単一のワークスペースを取得する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("ワークスペース"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            delete: {
-                summary: "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "204": res("削除完了"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys": tagged("API Keys (admin)", {
-            post: {
-                summary: "ワークスペースに新しい API キーを発行する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                requestBody: jsonBody("IssueKey", false),
-                responses: {
-                    "200": res("発行されたキー（生のキーは一度のみ返却）"),
-                    "400": res("リクエストボディが不正"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("キー一覧"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys/{keyId}": tagged("API Keys (admin)", {
-            delete: {
-                summary: "API キーを無効化する。",
-                security: adminAuth,
-                parameters: [
-                    pathParam("id", "ワークスペース id。"),
-                    pathParam("keyId", "キー id。"),
-                ],
-                responses: {
-                    "204": res("無効化完了（冪等）"),
-                    "404": res("キーが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
     };
 }
 /**

package/dist/org-store.d.ts

@@ -48,12 +48,6 @@ export interface OrgStore {
     } | null>;
     /** Orgs the given user is a member of. */
     listOrgsForUser(userId: string): Promise<OrgMembershipRow[]>;
-    /**
-     * Set the org an already-existing workspace belongs to. Called
-     * by the admin endpoint that creates a workspace under an org
-     * (key issuance and engram_workspaces.org_id are written together).
-     */
-    setWorkspaceOrg(workspaceId: string, orgId: string): Promise<void>;
     /** Workspaces in the given org. */
     listWorkspacesForOrg(orgId: string): Promise<{
         id: string;

package/dist/schemas.d.ts

@@ -24,6 +24,8 @@ export declare const sessionInitSchema: z.ZodObject<{
     model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     trigger_conversation_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     trigger_event_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    trigger_purpose: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    trigger_resume_hint: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, z.core.$strip>;
 export declare const sessionUpdateSchema: z.ZodObject<{
     title: z.ZodOptional<z.ZodNullable<z.ZodString>>;
@@ -37,6 +39,8 @@ export declare const sessionUpdateSchema: z.ZodObject<{
     model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     trigger_conversation_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     trigger_event_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    trigger_purpose: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    trigger_resume_hint: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, z.core.$strip>;
 export declare const sessionEventSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     type: z.ZodLiteral<"step">;

package/dist/schemas.js

@@ -20,6 +20,8 @@ export const sessionInitSchema = z.object({
     model: z.string().nullable().optional(),
     trigger_conversation_id: z.string().nullable().optional(),
     trigger_event_id: z.string().nullable().optional(),
+    trigger_purpose: z.string().nullable().optional(),
+    trigger_resume_hint: z.string().nullable().optional(),
 });
 export const sessionUpdateSchema = z.object({
     title: z.string().nullable().optional(),
@@ -29,6 +31,8 @@ export const sessionUpdateSchema = z.object({
     model: z.string().nullable().optional(),
     trigger_conversation_id: z.string().nullable().optional(),
     trigger_event_id: z.string().nullable().optional(),
+    trigger_purpose: z.string().nullable().optional(),
+    trigger_resume_hint: z.string().nullable().optional(),
 });
 const stepEventSchema = z.object({
     type: z.literal("step"),

package/dist/services/orgs.d.ts

@@ -3,8 +3,9 @@
  * (`/admin/v1/*`) and the cookie-auth self-service surface (`/v1/orgs/*`).
  *
  * Auth and HTTP framing stay in the route modules. This file owns:
- *   - the multi-step orchestrations (createWorkspace + setWorkspaceOrg
- *     + issueKey; email→userId lookup + upsertMember)
+ *   - the multi-step orchestrations (createWorkspaceUnderOrg writes
+ *     the workspace + org binding atomically and then issues a key;
+ *     email→userId lookup + upsertMember)
  *   - the safety invariants (workspace id validation, last-owner
  *     protection on member removal)
  *   - the canonical error → status mapping (OrgServiceError.status)
@@ -70,12 +71,15 @@ export interface CreateWorkspaceResult {
     key?: IssuedKey;
 }
 /**
- * Stand up a new workspace under an org in one round-trip:
- *   createWorkspace → setWorkspaceOrg → (optional) issueKey.
+ * Stand up a new workspace under an org. The workspace + org binding
+ * commit atomically because the KeyStore writes `org_id` in the same
+ * INSERT as the workspace row. Issuing the initial API key remains a
+ * follow-up call (idempotent — a retry of the workspace POST returns
+ * the existing row via ON CONFLICT DO NOTHING).
  *
  * Validates the workspace id shape up front so a bad id fails before
- * touching either store. Returns the workspace with `orgId` stamped on
- * so callers don't need a second lookup.
+ * touching the store. Returns the workspace with `orgId` stamped on so
+ * callers don't need a second lookup.
  */
 export declare function createWorkspaceUnderOrg(deps: OrgServiceDeps, orgId: string, body: CreateWorkspaceInput): Promise<CreateWorkspaceResult>;
 export declare function updateOrgWorkspace(deps: OrgServiceDeps, orgId: string, wsId: string, body: {

package/dist/services/orgs.js

@@ -3,8 +3,9 @@
  * (`/admin/v1/*`) and the cookie-auth self-service surface (`/v1/orgs/*`).
  *
  * Auth and HTTP framing stay in the route modules. This file owns:
- *   - the multi-step orchestrations (createWorkspace + setWorkspaceOrg
- *     + issueKey; email→userId lookup + upsertMember)
+ *   - the multi-step orchestrations (createWorkspaceUnderOrg writes
+ *     the workspace + org binding atomically and then issues a key;
+ *     email→userId lookup + upsertMember)
  *   - the safety invariants (workspace id validation, last-owner
  *     protection on member removal)
  *   - the canonical error → status mapping (OrgServiceError.status)
@@ -92,12 +93,15 @@ export async function removeMember(deps, orgId, userId) {
     await deps.orgStore.removeMember(orgId, userId);
 }
 /**
- * Stand up a new workspace under an org in one round-trip:
- *   createWorkspace → setWorkspaceOrg → (optional) issueKey.
+ * Stand up a new workspace under an org. The workspace + org binding
+ * commit atomically because the KeyStore writes `org_id` in the same
+ * INSERT as the workspace row. Issuing the initial API key remains a
+ * follow-up call (idempotent — a retry of the workspace POST returns
+ * the existing row via ON CONFLICT DO NOTHING).
  *
  * Validates the workspace id shape up front so a bad id fails before
- * touching either store. Returns the workspace with `orgId` stamped on
- * so callers don't need a second lookup.
+ * touching the store. Returns the workspace with `orgId` stamped on so
+ * callers don't need a second lookup.
  */
 export async function createWorkspaceUnderOrg(deps, orgId, body) {
     if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
@@ -108,8 +112,8 @@ export async function createWorkspaceUnderOrg(deps, orgId, body) {
             ...(body.id !== undefined ? { id: body.id } : {}),
             ...(body.name !== undefined ? { name: body.name } : {}),
             ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
+            orgId,
         });
-        await deps.orgStore.setWorkspaceOrg(ws.id, orgId);
         if (body.issueKey === false) {
             return { workspace: { ...ws, orgId } };
         }

package/dist/storage.d.ts

@@ -147,6 +147,8 @@ export interface SessionRow {
     model?: string;
     trigger_conversation_id?: string;
     trigger_event_id?: string;
+    trigger_purpose?: string;
+    trigger_resume_hint?: string;
 }
 export declare function foldEvents(row: SessionRow, events: SessionEvent[], now: Date): Session;
 /**

package/dist/storage.js

@@ -35,6 +35,12 @@ export function foldEvents(row, events, now) {
         ...(row.trigger_event_id !== undefined
             ? { trigger_event_id: row.trigger_event_id }
             : {}),
+        ...(row.trigger_purpose !== undefined
+            ? { trigger_purpose: row.trigger_purpose }
+            : {}),
+        ...(row.trigger_resume_hint !== undefined
+            ? { trigger_resume_hint: row.trigger_resume_hint }
+            : {}),
         updated_at: row.updatedAt,
     };
 }

package/openapi.json

@@ -37,14 +37,6 @@
     {
       "name": "Orgs (admin)",
       "description": "プラットフォーム管理者トークンでの org 管理"
-    },
-    {
-      "name": "Workspaces (admin)",
-      "description": "ワークスペースの管理（管理者トークン必須）"
-    },
-    {
-      "name": "API Keys (admin)",
-      "description": "ワークスペース API キーの発行・無効化（管理者トークン必須）"
     }
   ],
   "servers": [
@@ -145,6 +137,26 @@
                 "type": "null"
               }
             ]
+          },
+          "trigger_purpose": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ]
+          },
+          "trigger_resume_hint": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ]
           }
         },
         "additionalProperties": false
@@ -219,6 +231,26 @@
                 "type": "null"
               }
             ]
+          },
+          "trigger_purpose": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ]
+          },
+          "trigger_resume_hint": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ]
           }
         },
         "additionalProperties": false
@@ -2462,252 +2494,6 @@
           "Orgs (admin)"
         ]
       }
-    },
-    "/admin/v1/workspaces": {
-      "post": {
-        "summary": "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "requestBody": {
-          "required": true,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/CreateWorkspace"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "ワークスペース（issueKey=false でない限りキーも含む）"
-          },
-          "400": {
-            "description": "リクエストボディまたはワークスペース id が不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "get": {
-        "summary": "全ワークスペースを一覧取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}": {
-      "get": {
-        "summary": "単一のワークスペースを取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "delete": {
-        "summary": "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "削除完了"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys": {
-      "post": {
-        "summary": "ワークスペースに新しい API キーを発行する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "requestBody": {
-          "required": false,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/IssueKey"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "発行されたキー（生のキーは一度のみ返却）"
-          },
-          "400": {
-            "description": "リクエストボディが不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      },
-      "get": {
-        "summary": "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "キー一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys/{keyId}": {
-      "delete": {
-        "summary": "API キーを無効化する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          },
-          {
-            "name": "keyId",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "キー id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "無効化完了（冪等）"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "キーが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hexis-ai/engram-server",
-  "version": "0.13.0",
+  "version": "0.15.0",
   "description": "Engram server: ingest agent session events, persist via a pluggable adapter, expose search.",
   "keywords": [
     "engram",
@@ -49,8 +49,8 @@
     "dev": "bun --hot src/dev.ts"
   },
   "dependencies": {
-    "@hexis-ai/engram-core": "^0.2.0",
-    "@hexis-ai/engram-sdk": "^0.14.0",
+    "@hexis-ai/engram-core": "^0.3.0",
+    "@hexis-ai/engram-sdk": "^0.16.0",
     "better-auth": "^1.6.11",
     "hono": "^4.6.0",
     "pg": "^8.13.0",