@hexis-ai/engram-server 0.14.0 → 0.15.0

package/dist/admin.d.ts

@@ -1,17 +1,17 @@
 import { Hono } from "hono";
-import { type KeyStore } from "./key-store";
+import type { KeyStore } from "./key-store";
 import type { OrgStore } from "./org-store";
 export interface AdminOptions {
     /** Bearer token required for every /admin/v1 request. */
     token: string;
     keyStore: KeyStore;
     /**
-     * Optional org store. When provided, mounts the orgs surface
-     * (\`/admin/v1/orgs/*\` plus \`/admin/v1/orgs/:id/workspaces\` for
-     * org-scoped workspace creation). Without it only the legacy
-     * \`/admin/v1/workspaces\` endpoints are exposed.
+     * Org store. Required — every admin endpoint is org-scoped.
+     * (The previous opt-out, where admin.ts also exposed a non-org
+     * `/admin/v1/workspaces` surface for `orgStore`-less deployments,
+     * was removed in v0.15.)
      */
-    orgStore?: OrgStore;
+    orgStore: OrgStore;
 }
 interface Env {
     Variables: {
@@ -24,20 +24,20 @@ interface Env {
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export declare function createAdminRouter(opts: AdminOptions): Hono<Env>;
 export {};

package/dist/admin.js

@@ -1,5 +1,4 @@
 import { Hono } from "hono";
-import { isValidWorkspaceId } from "./key-store";
 import { createWorkspaceSchema, issueKeySchema, parseJsonBody } from "./schemas";
 import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow, OrgServiceError, removeMember, requireWorkspaceInOrg, revokeWorkspaceKey, } from "./services/orgs";
 /**
@@ -8,23 +7,25 @@ import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export function createAdminRouter(opts) {
     const app = new Hono();
+    const { orgStore } = opts;
+    const deps = { orgStore, keyStore: opts.keyStore };
     app.use("*", async (c, next) => {
         const supplied = c.req.header("x-admin-token") ??
             c.req.header("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1];
@@ -33,94 +34,6 @@ export function createAdminRouter(opts) {
         }
         await next();
     });
-    // -------------------- workspaces (legacy / api-key-only) ----
-    // Kept for backwards compatibility; new callers should create
-    // workspaces under an org so they're reachable from the web UI.
-    app.post("/workspaces", async (c) => {
-        const body = await parseJsonBody(c, createWorkspaceSchema);
-        if (body instanceof Response)
-            return body;
-        if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
-            return c.json({ error: "invalid_workspace_id" }, 400);
-        }
-        try {
-            const ws = await opts.keyStore.createWorkspace({
-                ...(body.id !== undefined ? { id: body.id } : {}),
-                ...(body.name !== undefined ? { name: body.name } : {}),
-                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
-            });
-            if (body.issueKey === false) {
-                return c.json({ workspace: ws });
-            }
-            const key = await opts.keyStore.issueKey(ws.id, {
-                ...(body.keyName !== undefined ? { name: body.keyName } : {}),
-            });
-            return c.json({ workspace: ws, key });
-        }
-        catch (e) {
-            return c.json({ error: e.message }, 400);
-        }
-    });
-    app.get("/workspaces", async (c) => {
-        const workspaces = await opts.keyStore.listWorkspaces();
-        return c.json({ workspaces });
-    });
-    app.get("/workspaces/:id", async (c) => {
-        const ws = await opts.keyStore.getWorkspace(c.req.param("id"));
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        return c.json(ws);
-    });
-    app.delete("/workspaces/:id", async (c) => {
-        const id = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(id);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        await opts.keyStore.deleteWorkspace(id);
-        return c.body(null, 204);
-    });
-    app.post("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const raw = await c.req.json().catch(() => ({}));
-        const parsed = issueKeySchema.safeParse(raw);
-        if (!parsed.success) {
-            return c.json({ error: "invalid_body", issues: parsed.error.issues }, 400);
-        }
-        const key = await opts.keyStore.issueKey(workspaceId, {
-            ...(parsed.data.name !== undefined ? { name: parsed.data.name } : {}),
-        });
-        return c.json(key);
-    });
-    app.get("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const keys = await opts.keyStore.listKeys(workspaceId);
-        return c.json({ keys });
-    });
-    app.delete("/workspaces/:id/keys/:keyId", async (c) => {
-        const workspaceId = c.req.param("id");
-        const keyId = c.req.param("keyId");
-        try {
-            await opts.keyStore.revokeKey(workspaceId, keyId);
-        }
-        catch (e) {
-            if (e.message === "key_not_found") {
-                return c.json({ error: "key_not_found" }, 404);
-            }
-            throw e;
-        }
-        return c.body(null, 204);
-    });
-    // -------------------- orgs (org-scoped admin surface) -------
-    const orgStore = opts.orgStore;
-    if (!orgStore)
-        return app;
-    const deps = { orgStore, keyStore: opts.keyStore };
     app.post("/orgs", async (c) => runService(c, async () => {
         const body = (await c.req.json().catch(() => ({})));
         const org = await createOrg(deps, body);

package/dist/main.js

@@ -22,6 +22,10 @@ const CORS_ORIGINS = (process.env.ENGRAM_CORS_ORIGINS ?? "")
     .split(",")
     .map((s) => s.trim())
     .filter(Boolean);
+if (!orgStore) {
+    console.error("[engram-server] orgStore is required (DATABASE_URL + ENGRAM_AUTH_* env vars) — every admin endpoint is now org-scoped");
+    process.exit(1);
+}
 const app = createServer({
     auth: async (key) => {
         const r = await keyStore.resolveKey(key);
@@ -31,14 +35,10 @@ const app = createServer({
     },
     ...(authHandler ? { authHandler } : {}),
     ...(cookieAuth ? { cookieAuth } : {}),
-    ...(orgStore ? { orgStore } : {}),
+    orgStore,
     keyStore,
     ...(CORS_ORIGINS.length > 0 ? { corsOrigins: CORS_ORIGINS } : {}),
-    admin: {
-        token: ADMIN_TOKEN,
-        keyStore,
-        ...(orgStore ? { orgStore } : {}),
-    },
+    admin: { token: ADMIN_TOKEN, keyStore, orgStore },
 });
 console.log(`[engram-server] listening on :${PORT}`);
 export default { port: PORT, fetch: app.fetch };

package/dist/openapi.js

@@ -71,14 +71,6 @@ const TAG_DEFS = [
         name: "Orgs (admin)",
         description: "プラットフォーム管理者トークンでの org 管理",
     },
-    {
-        name: "Workspaces (admin)",
-        description: "ワークスペースの管理（管理者トークン必須）",
-    },
-    {
-        name: "API Keys (admin)",
-        description: "ワークスペース API キーの発行・無効化（管理者トークン必須）",
-    },
 ];
 /**
  * Stamp `tag` onto every operation in a path-item. The path declares its
@@ -634,87 +626,6 @@ function buildPaths() {
                 },
             },
         }),
-        "/admin/v1/workspaces": tagged("Workspaces (admin)", {
-            post: {
-                summary: "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-                security: adminAuth,
-                requestBody: jsonBody("CreateWorkspace"),
-                responses: {
-                    "200": res("ワークスペース（issueKey=false でない限りキーも含む）"),
-                    "400": res("リクエストボディまたはワークスペース id が不正"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "全ワークスペースを一覧取得する。",
-                security: adminAuth,
-                responses: {
-                    "200": res("ワークスペース一覧"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}": tagged("Workspaces (admin)", {
-            get: {
-                summary: "単一のワークスペースを取得する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("ワークスペース"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            delete: {
-                summary: "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "204": res("削除完了"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys": tagged("API Keys (admin)", {
-            post: {
-                summary: "ワークスペースに新しい API キーを発行する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                requestBody: jsonBody("IssueKey", false),
-                responses: {
-                    "200": res("発行されたキー（生のキーは一度のみ返却）"),
-                    "400": res("リクエストボディが不正"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("キー一覧"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys/{keyId}": tagged("API Keys (admin)", {
-            delete: {
-                summary: "API キーを無効化する。",
-                security: adminAuth,
-                parameters: [
-                    pathParam("id", "ワークスペース id。"),
-                    pathParam("keyId", "キー id。"),
-                ],
-                responses: {
-                    "204": res("無効化完了（冪等）"),
-                    "404": res("キーが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
     };
 }
 /**

package/openapi.json

@@ -37,14 +37,6 @@
     {
       "name": "Orgs (admin)",
       "description": "プラットフォーム管理者トークンでの org 管理"
-    },
-    {
-      "name": "Workspaces (admin)",
-      "description": "ワークスペースの管理（管理者トークン必須）"
-    },
-    {
-      "name": "API Keys (admin)",
-      "description": "ワークスペース API キーの発行・無効化（管理者トークン必須）"
     }
   ],
   "servers": [
@@ -2502,252 +2494,6 @@
           "Orgs (admin)"
         ]
       }
-    },
-    "/admin/v1/workspaces": {
-      "post": {
-        "summary": "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "requestBody": {
-          "required": true,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/CreateWorkspace"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "ワークスペース（issueKey=false でない限りキーも含む）"
-          },
-          "400": {
-            "description": "リクエストボディまたはワークスペース id が不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "get": {
-        "summary": "全ワークスペースを一覧取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}": {
-      "get": {
-        "summary": "単一のワークスペースを取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "delete": {
-        "summary": "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "削除完了"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys": {
-      "post": {
-        "summary": "ワークスペースに新しい API キーを発行する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "requestBody": {
-          "required": false,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/IssueKey"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "発行されたキー（生のキーは一度のみ返却）"
-          },
-          "400": {
-            "description": "リクエストボディが不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      },
-      "get": {
-        "summary": "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "キー一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys/{keyId}": {
-      "delete": {
-        "summary": "API キーを無効化する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          },
-          {
-            "name": "keyId",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "キー id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "無効化完了（冪等）"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "キーが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hexis-ai/engram-server",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "description": "Engram server: ingest agent session events, persist via a pluggable adapter, expose search.",
   "keywords": [
     "engram",
@@ -50,7 +50,7 @@
   },
   "dependencies": {
     "@hexis-ai/engram-core": "^0.3.0",
-    "@hexis-ai/engram-sdk": "^0.15.0",
+    "@hexis-ai/engram-sdk": "^0.16.0",
     "better-auth": "^1.6.11",
     "hono": "^4.6.0",
     "pg": "^8.13.0",