@hexis-ai/engram-server 0.14.0 → 0.16.0

package/dist/adapters/postgres.d.ts

@@ -10,6 +10,12 @@ export interface SqlClient {
     <T = Record<string, unknown>>(strings: TemplateStringsArray, ...values: unknown[]): Promise<T[]>;
     /** Raw query for DDL / multi-statement strings. */
     unsafe: (query: string) => Promise<unknown>;
+    /**
+     * Open a transaction. Statements issued via the callback's `tx`
+     * argument commit together, or roll back together if the callback
+     * throws. Mirrors the `postgres` package's signature.
+     */
+    begin<T>(fn: (tx: SqlClient) => Promise<T>): Promise<T>;
 }
 export interface PostgresAdapterOptions {
     /** Workspace scope baked into every row. Required for multi-tenant isolation. */

package/dist/adapters/postgres.js

@@ -57,63 +57,73 @@ export class PostgresAdapter {
     async appendEvents(sessionId, events) {
         if (events.length === 0)
             return;
-        for (const ev of events) {
-            await this.sql `
-        INSERT INTO engram_events (workspace_id, session_id, seq, type, at, payload)
-        VALUES (
-          ${this.workspaceId},
-          ${sessionId},
-          ${ev.seq},
-          ${ev.type},
-          ${ev.at},
-          ${ev}
-        )
-        ON CONFLICT (workspace_id, session_id, seq) DO NOTHING
-      `;
-            // Participant events also widen the session's participants array so
-            // a one-shot listSessions can answer "who took part" without folding
-            // events at read time. viewable_by widens too (participants ⊆ viewable_by).
-            if (ev.type === "participant") {
-                await this.sql `
-          UPDATE engram_sessions
-          SET participants = (
-                SELECT ARRAY(SELECT DISTINCT unnest(participants || ARRAY[${ev.personId}]::text[]))
-              ),
-              viewable_by  = (
-                SELECT ARRAY(SELECT DISTINCT unnest(viewable_by || ARRAY[${ev.personId}]::text[]))
-              )
-          WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
+        // Wrap the whole batch in a transaction so the event log and the
+        // denormalized session row (participants[] / viewable_by[] /
+        // updated_at) can never diverge. Previously each INSERT + UPDATE
+        // landed as a separate statement; a mid-batch failure left the
+        // materialized state out of sync with the ledger with no way to
+        // reconstruct it.
+        await this.sql.begin(async (tx) => {
+            for (const ev of events) {
+                await tx `
+          INSERT INTO engram_events (workspace_id, session_id, seq, type, at, payload)
+          VALUES (
+            ${this.workspaceId},
+            ${sessionId},
+            ${ev.seq},
+            ${ev.type},
+            ${ev.at},
+            ${ev}
+          )
+          ON CONFLICT (workspace_id, session_id, seq) DO NOTHING
         `;
+                // Participant events also widen the session's participants array
+                // so a one-shot listSessions can answer "who took part" without
+                // folding events at read time. viewable_by widens too
+                // (participants ⊆ viewable_by).
+                if (ev.type === "participant") {
+                    await tx `
+            UPDATE engram_sessions
+            SET participants = (
+                  SELECT ARRAY(SELECT DISTINCT unnest(participants || ARRAY[${ev.personId}]::text[]))
+                ),
+                viewable_by  = (
+                  SELECT ARRAY(SELECT DISTINCT unnest(viewable_by || ARRAY[${ev.personId}]::text[]))
+                )
+            WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
+          `;
+                }
             }
-        }
-        // Bump updated_at once per batch so list-by-recent-activity stays
-        // accurate. Using the latest event's `at` (not now()) keeps the
-        // semantics deterministic for back-dated batches.
-        const latest = events[events.length - 1];
-        await this.sql `
-      UPDATE engram_sessions
-      SET updated_at = GREATEST(updated_at, ${latest.at}::timestamptz)
-      WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
-    `;
+            // Bump updated_at once per batch so list-by-recent-activity stays
+            // accurate. Using the latest event's `at` (not now()) keeps the
+            // semantics deterministic for back-dated batches.
+            const latest = events[events.length - 1];
+            await tx `
+        UPDATE engram_sessions
+        SET updated_at = GREATEST(updated_at, ${latest.at}::timestamptz)
+        WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
+      `;
+        });
     }
     async getSession(sessionId) {
         const rows = await this.sql `
-      SELECT id, title, channel, participants, viewable_by, created_at,
-             updated_at, status, summary, model,
-             trigger_conversation_id, trigger_event_id,
-             trigger_purpose, trigger_resume_hint
-      FROM engram_sessions
-      WHERE workspace_id = ${this.workspaceId} AND id = ${sessionId}
+      SELECT s.id, s.title, s.channel, s.participants, s.viewable_by,
+             s.created_at, s.updated_at, s.status, s.summary, s.model,
+             s.trigger_conversation_id, s.trigger_event_id,
+             s.trigger_purpose, s.trigger_resume_hint,
+             COALESCE(
+               (SELECT json_agg(e.payload ORDER BY e.seq)
+                FROM engram_events e
+                WHERE e.workspace_id = s.workspace_id AND e.session_id = s.id),
+               '[]'::json
+             ) AS events
+      FROM engram_sessions s
+      WHERE s.workspace_id = ${this.workspaceId} AND s.id = ${sessionId}
       LIMIT 1
     `;
         if (rows.length === 0)
             return null;
-        const events = await this.sql `
-      SELECT payload FROM engram_events
-      WHERE workspace_id = ${this.workspaceId} AND session_id = ${sessionId}
-      ORDER BY seq
-    `;
-        return foldEvents(toSessionRow(rows[0]), events.map((e) => e.payload), new Date());
+        return foldRowWithEvents(rows[0]);
     }
     async updateSession(sessionId, patch) {
         // Per-column "provided" flags drive a CASE WHEN per field: undefined
@@ -173,45 +183,78 @@ export class PostgresAdapter {
         const hasTrigger = opts.has_trigger === true;
         const noSummary = opts.no_summary === true;
         const updatedBefore = opts.updated_before ?? null;
+        // Single query: session columns + the per-session event payload
+        // array via a correlated subquery (uses the engram_events PK index
+        // (workspace_id, session_id, seq)). Replaces the prior pattern of
+        // SELECT id + N follow-up getSession() round-trips.
         const rows = await this.sql `
-      SELECT id FROM engram_sessions
-      WHERE workspace_id = ${this.workspaceId}
-        AND (${channelFilter}::text IS NULL OR channel = ${channelFilter}::text)
-        AND (${channelPrefix}::text IS NULL OR channel LIKE ${channelPrefix ? channelPrefix + "%" : null}::text)
-        AND (${statusFilter}::text IS NULL OR status  = ${statusFilter}::text)
-        AND (${hasTrigger}::boolean = FALSE OR trigger_conversation_id IS NOT NULL)
-        AND (${noSummary}::boolean = FALSE OR summary IS NULL)
-        AND (${updatedBefore}::timestamptz IS NULL OR updated_at < ${updatedBefore}::timestamptz)
-      ORDER BY updated_at DESC
+      SELECT s.id, s.title, s.channel, s.participants, s.viewable_by,
+             s.created_at, s.updated_at, s.status, s.summary, s.model,
+             s.trigger_conversation_id, s.trigger_event_id,
+             s.trigger_purpose, s.trigger_resume_hint,
+             COALESCE(
+               (SELECT json_agg(e.payload ORDER BY e.seq)
+                FROM engram_events e
+                WHERE e.workspace_id = s.workspace_id AND e.session_id = s.id),
+               '[]'::json
+             ) AS events
+      FROM engram_sessions s
+      WHERE s.workspace_id = ${this.workspaceId}
+        AND (${channelFilter}::text IS NULL OR s.channel = ${channelFilter}::text)
+        AND (${channelPrefix}::text IS NULL OR s.channel LIKE ${channelPrefix ? channelPrefix + "%" : null}::text)
+        AND (${statusFilter}::text IS NULL OR s.status  = ${statusFilter}::text)
+        AND (${hasTrigger}::boolean = FALSE OR s.trigger_conversation_id IS NOT NULL)
+        AND (${noSummary}::boolean = FALSE OR s.summary IS NULL)
+        AND (${updatedBefore}::timestamptz IS NULL OR s.updated_at < ${updatedBefore}::timestamptz)
+      ORDER BY s.updated_at DESC
       LIMIT ${opts.limit}
     `;
-        const sessions = await Promise.all(rows.map((r) => this.getSession(r.id)));
-        return sessions.filter((s) => s !== null);
+        return rows.map(foldRowWithEvents);
     }
     async sessionsForPerson(personId, opts) {
         const channelFilter = opts.channel ?? null;
         const scope = opts.scope ?? "participant";
         // Identifier (column name) can't be parameterized in tagged templates,
-        // so branch the query. Both arms are otherwise identical.
+        // so branch the query. Both arms are otherwise identical and share
+        // the same single-query fold as listSessions.
         const rows = scope === "viewable"
             ? await this.sql `
-          SELECT id FROM engram_sessions
-          WHERE workspace_id = ${this.workspaceId}
-            AND viewable_by @> ARRAY[${personId}]::text[]
-            AND (${channelFilter}::text IS NULL OR channel = ${channelFilter}::text)
-          ORDER BY created_at DESC
+          SELECT s.id, s.title, s.channel, s.participants, s.viewable_by,
+                 s.created_at, s.updated_at, s.status, s.summary, s.model,
+                 s.trigger_conversation_id, s.trigger_event_id,
+                 s.trigger_purpose, s.trigger_resume_hint,
+                 COALESCE(
+                   (SELECT json_agg(e.payload ORDER BY e.seq)
+                    FROM engram_events e
+                    WHERE e.workspace_id = s.workspace_id AND e.session_id = s.id),
+                   '[]'::json
+                 ) AS events
+          FROM engram_sessions s
+          WHERE s.workspace_id = ${this.workspaceId}
+            AND s.viewable_by @> ARRAY[${personId}]::text[]
+            AND (${channelFilter}::text IS NULL OR s.channel = ${channelFilter}::text)
+          ORDER BY s.created_at DESC
           LIMIT ${opts.limit}
         `
             : await this.sql `
-          SELECT id FROM engram_sessions
-          WHERE workspace_id = ${this.workspaceId}
-            AND participants @> ARRAY[${personId}]::text[]
-            AND (${channelFilter}::text IS NULL OR channel = ${channelFilter}::text)
-          ORDER BY created_at DESC
+          SELECT s.id, s.title, s.channel, s.participants, s.viewable_by,
+                 s.created_at, s.updated_at, s.status, s.summary, s.model,
+                 s.trigger_conversation_id, s.trigger_event_id,
+                 s.trigger_purpose, s.trigger_resume_hint,
+                 COALESCE(
+                   (SELECT json_agg(e.payload ORDER BY e.seq)
+                    FROM engram_events e
+                    WHERE e.workspace_id = s.workspace_id AND e.session_id = s.id),
+                   '[]'::json
+                 ) AS events
+          FROM engram_sessions s
+          WHERE s.workspace_id = ${this.workspaceId}
+            AND s.participants @> ARRAY[${personId}]::text[]
+            AND (${channelFilter}::text IS NULL OR s.channel = ${channelFilter}::text)
+          ORDER BY s.created_at DESC
           LIMIT ${opts.limit}
         `;
-        const sessions = await Promise.all(rows.map((r) => this.getSession(r.id)));
-        return sessions.filter((s) => s !== null);
+        return rows.map(foldRowWithEvents);
     }
     // --- Persons ------------------------------------------------------
     async createPerson(input) {
@@ -464,6 +507,11 @@ function toPersonInfo(r) {
         updated_at: isoString(r.updated_at),
     };
 }
+/** Convenience wrapper used by every read path: lifts the joined row
+ *  into a SessionRow + events and folds in a single step. */
+function foldRowWithEvents(r) {
+    return foldEvents(toSessionRow(r), r.events ?? [], new Date());
+}
 function toSessionRow(r) {
     return {
         id: r.id,

package/dist/admin.d.ts

@@ -1,17 +1,17 @@
 import { Hono } from "hono";
-import { type KeyStore } from "./key-store";
+import type { KeyStore } from "./key-store";
 import type { OrgStore } from "./org-store";
 export interface AdminOptions {
     /** Bearer token required for every /admin/v1 request. */
     token: string;
     keyStore: KeyStore;
     /**
-     * Optional org store. When provided, mounts the orgs surface
-     * (\`/admin/v1/orgs/*\` plus \`/admin/v1/orgs/:id/workspaces\` for
-     * org-scoped workspace creation). Without it only the legacy
-     * \`/admin/v1/workspaces\` endpoints are exposed.
+     * Org store. Required — every admin endpoint is org-scoped.
+     * (The previous opt-out, where admin.ts also exposed a non-org
+     * `/admin/v1/workspaces` surface for `orgStore`-less deployments,
+     * was removed in v0.15.)
      */
-    orgStore?: OrgStore;
+    orgStore: OrgStore;
 }
 interface Env {
     Variables: {
@@ -24,20 +24,20 @@ interface Env {
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export declare function createAdminRouter(opts: AdminOptions): Hono<Env>;
 export {};

package/dist/admin.js

@@ -1,5 +1,4 @@
 import { Hono } from "hono";
-import { isValidWorkspaceId } from "./key-store";
 import { createWorkspaceSchema, issueKeySchema, parseJsonBody } from "./schemas";
 import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow, OrgServiceError, removeMember, requireWorkspaceInOrg, revokeWorkspaceKey, } from "./services/orgs";
 /**
@@ -8,23 +7,25 @@ import { addMember, createOrg, createWorkspaceUnderOrg, deleteOrg, getOrgOrThrow
  * Auth model: a single platform-level bearer token
  * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
  *
- * Surface, when orgStore is wired:
+ * Surface:
  *
- *   POST   /orgs                                  create org
- *   GET    /orgs                                  list orgs
- *   GET    /orgs/:id                              get org
- *   DELETE /orgs/:id                              delete org (CASCADE)
- *   POST   /orgs/:id/members                      add member (email|userId)
+ *   POST   /orgs                                          create org
+ *   GET    /orgs                                          list orgs
+ *   GET    /orgs/:id                                      get org
+ *   DELETE /orgs/:id                                      delete org (CASCADE)
+ *   POST   /orgs/:id/members                              add member (email|userId)
  *   GET    /orgs/:id/members
  *   DELETE /orgs/:id/members/:userId
- *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   POST   /orgs/:id/workspaces                           create workspace + key
  *   GET    /orgs/:id/workspaces
- *
- * Plus the lower-level workspace + key endpoints from before
- * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
+ *   GET    /orgs/:id/workspaces/:wsId/keys                list workspace keys
+ *   POST   /orgs/:id/workspaces/:wsId/keys                issue a new key
+ *   DELETE /orgs/:id/workspaces/:wsId/keys/:keyId         revoke a key
  */
 export function createAdminRouter(opts) {
     const app = new Hono();
+    const { orgStore } = opts;
+    const deps = { orgStore, keyStore: opts.keyStore };
     app.use("*", async (c, next) => {
         const supplied = c.req.header("x-admin-token") ??
             c.req.header("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1];
@@ -33,94 +34,6 @@ export function createAdminRouter(opts) {
         }
         await next();
     });
-    // -------------------- workspaces (legacy / api-key-only) ----
-    // Kept for backwards compatibility; new callers should create
-    // workspaces under an org so they're reachable from the web UI.
-    app.post("/workspaces", async (c) => {
-        const body = await parseJsonBody(c, createWorkspaceSchema);
-        if (body instanceof Response)
-            return body;
-        if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
-            return c.json({ error: "invalid_workspace_id" }, 400);
-        }
-        try {
-            const ws = await opts.keyStore.createWorkspace({
-                ...(body.id !== undefined ? { id: body.id } : {}),
-                ...(body.name !== undefined ? { name: body.name } : {}),
-                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
-            });
-            if (body.issueKey === false) {
-                return c.json({ workspace: ws });
-            }
-            const key = await opts.keyStore.issueKey(ws.id, {
-                ...(body.keyName !== undefined ? { name: body.keyName } : {}),
-            });
-            return c.json({ workspace: ws, key });
-        }
-        catch (e) {
-            return c.json({ error: e.message }, 400);
-        }
-    });
-    app.get("/workspaces", async (c) => {
-        const workspaces = await opts.keyStore.listWorkspaces();
-        return c.json({ workspaces });
-    });
-    app.get("/workspaces/:id", async (c) => {
-        const ws = await opts.keyStore.getWorkspace(c.req.param("id"));
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        return c.json(ws);
-    });
-    app.delete("/workspaces/:id", async (c) => {
-        const id = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(id);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        await opts.keyStore.deleteWorkspace(id);
-        return c.body(null, 204);
-    });
-    app.post("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const raw = await c.req.json().catch(() => ({}));
-        const parsed = issueKeySchema.safeParse(raw);
-        if (!parsed.success) {
-            return c.json({ error: "invalid_body", issues: parsed.error.issues }, 400);
-        }
-        const key = await opts.keyStore.issueKey(workspaceId, {
-            ...(parsed.data.name !== undefined ? { name: parsed.data.name } : {}),
-        });
-        return c.json(key);
-    });
-    app.get("/workspaces/:id/keys", async (c) => {
-        const workspaceId = c.req.param("id");
-        const ws = await opts.keyStore.getWorkspace(workspaceId);
-        if (!ws)
-            return c.json({ error: "workspace_not_found" }, 404);
-        const keys = await opts.keyStore.listKeys(workspaceId);
-        return c.json({ keys });
-    });
-    app.delete("/workspaces/:id/keys/:keyId", async (c) => {
-        const workspaceId = c.req.param("id");
-        const keyId = c.req.param("keyId");
-        try {
-            await opts.keyStore.revokeKey(workspaceId, keyId);
-        }
-        catch (e) {
-            if (e.message === "key_not_found") {
-                return c.json({ error: "key_not_found" }, 404);
-            }
-            throw e;
-        }
-        return c.body(null, 204);
-    });
-    // -------------------- orgs (org-scoped admin surface) -------
-    const orgStore = opts.orgStore;
-    if (!orgStore)
-        return app;
-    const deps = { orgStore, keyStore: opts.keyStore };
     app.post("/orgs", async (c) => runService(c, async () => {
         const body = (await c.req.json().catch(() => ({})));
         const org = await createOrg(deps, body);

package/dist/main.js

@@ -22,6 +22,10 @@ const CORS_ORIGINS = (process.env.ENGRAM_CORS_ORIGINS ?? "")
     .split(",")
     .map((s) => s.trim())
     .filter(Boolean);
+if (!orgStore) {
+    console.error("[engram-server] orgStore is required (DATABASE_URL + ENGRAM_AUTH_* env vars) — every admin endpoint is now org-scoped");
+    process.exit(1);
+}
 const app = createServer({
     auth: async (key) => {
         const r = await keyStore.resolveKey(key);
@@ -31,14 +35,10 @@ const app = createServer({
     },
     ...(authHandler ? { authHandler } : {}),
     ...(cookieAuth ? { cookieAuth } : {}),
-    ...(orgStore ? { orgStore } : {}),
+    orgStore,
     keyStore,
     ...(CORS_ORIGINS.length > 0 ? { corsOrigins: CORS_ORIGINS } : {}),
-    admin: {
-        token: ADMIN_TOKEN,
-        keyStore,
-        ...(orgStore ? { orgStore } : {}),
-    },
+    admin: { token: ADMIN_TOKEN, keyStore, orgStore },
 });
 console.log(`[engram-server] listening on :${PORT}`);
 export default { port: PORT, fetch: app.fetch };

package/dist/migrations/0009-events-type-index.d.ts

@@ -0,0 +1,2 @@
+export declare const name = "0009-events-type-index";
+export declare const sql = "\n-- Type-aware event index for callers that filter by event type\n-- (the most common is monet's conversation-repository, which fetches\n-- only `type='message'` events to materialize the chat transcript).\n--\n-- The existing PK `(workspace_id, session_id, seq)` lets PG find\n-- events for a session quickly, but it has to read every row to filter\n-- by type. This composite index trades a small write-side cost for an\n-- index-only scan on the typical \"messages for this session\" query.\n\nCREATE INDEX IF NOT EXISTS idx_engram_events_workspace_session_type\n  ON engram_events (workspace_id, session_id, type);\n";

package/dist/migrations/0009-events-type-index.js

@@ -0,0 +1,14 @@
+export const name = "0009-events-type-index";
+export const sql = `
+-- Type-aware event index for callers that filter by event type
+-- (the most common is monet's conversation-repository, which fetches
+-- only \`type='message'\` events to materialize the chat transcript).
+--
+-- The existing PK \`(workspace_id, session_id, seq)\` lets PG find
+-- events for a session quickly, but it has to read every row to filter
+-- by type. This composite index trades a small write-side cost for an
+-- index-only scan on the typical "messages for this session" query.
+
+CREATE INDEX IF NOT EXISTS idx_engram_events_workspace_session_type
+  ON engram_events (workspace_id, session_id, type);
+`;

package/dist/migrations/index.js

@@ -6,6 +6,7 @@ import * as m0005 from "./0005-session-updated-at";
 import * as m0006 from "./0006-auth";
 import * as m0007 from "./0007-orgs";
 import * as m0008 from "./0008-trigger-metadata";
+import * as m0009 from "./0009-events-type-index";
 /**
  * Schema migrations, applied in array order. Add a new file under
  * `migrations/NNNN-<slug>.ts` exporting `name` and `sql`, then append it
@@ -22,4 +23,5 @@ export const MIGRATIONS = [
     { name: m0006.name, sql: m0006.sql },
     { name: m0007.name, sql: m0007.sql },
     { name: m0008.name, sql: m0008.sql },
+    { name: m0009.name, sql: m0009.sql },
 ];

package/dist/openapi.js

@@ -71,14 +71,6 @@ const TAG_DEFS = [
         name: "Orgs (admin)",
         description: "プラットフォーム管理者トークンでの org 管理",
     },
-    {
-        name: "Workspaces (admin)",
-        description: "ワークスペースの管理（管理者トークン必須）",
-    },
-    {
-        name: "API Keys (admin)",
-        description: "ワークスペース API キーの発行・無効化（管理者トークン必須）",
-    },
 ];
 /**
  * Stamp `tag` onto every operation in a path-item. The path declares its
@@ -634,87 +626,6 @@ function buildPaths() {
                 },
             },
         }),
-        "/admin/v1/workspaces": tagged("Workspaces (admin)", {
-            post: {
-                summary: "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-                security: adminAuth,
-                requestBody: jsonBody("CreateWorkspace"),
-                responses: {
-                    "200": res("ワークスペース（issueKey=false でない限りキーも含む）"),
-                    "400": res("リクエストボディまたはワークスペース id が不正"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "全ワークスペースを一覧取得する。",
-                security: adminAuth,
-                responses: {
-                    "200": res("ワークスペース一覧"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}": tagged("Workspaces (admin)", {
-            get: {
-                summary: "単一のワークスペースを取得する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("ワークスペース"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            delete: {
-                summary: "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "204": res("削除完了"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys": tagged("API Keys (admin)", {
-            post: {
-                summary: "ワークスペースに新しい API キーを発行する。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                requestBody: jsonBody("IssueKey", false),
-                responses: {
-                    "200": res("発行されたキー（生のキーは一度のみ返却）"),
-                    "400": res("リクエストボディが不正"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-            get: {
-                summary: "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-                security: adminAuth,
-                parameters: [pathParam("id", "ワークスペース id。")],
-                responses: {
-                    "200": res("キー一覧"),
-                    "404": res("ワークスペースが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
-        "/admin/v1/workspaces/{id}/keys/{keyId}": tagged("API Keys (admin)", {
-            delete: {
-                summary: "API キーを無効化する。",
-                security: adminAuth,
-                parameters: [
-                    pathParam("id", "ワークスペース id。"),
-                    pathParam("keyId", "キー id。"),
-                ],
-                responses: {
-                    "204": res("無効化完了（冪等）"),
-                    "404": res("キーが見つからない"),
-                    "401": res("認証エラー"),
-                },
-            },
-        }),
     };
 }
 /**

package/openapi.json

@@ -37,14 +37,6 @@
     {
       "name": "Orgs (admin)",
       "description": "プラットフォーム管理者トークンでの org 管理"
-    },
-    {
-      "name": "Workspaces (admin)",
-      "description": "ワークスペースの管理（管理者トークン必須）"
-    },
-    {
-      "name": "API Keys (admin)",
-      "description": "ワークスペース API キーの発行・無効化（管理者トークン必須）"
     }
   ],
   "servers": [
@@ -2502,252 +2494,6 @@
           "Orgs (admin)"
         ]
       }
-    },
-    "/admin/v1/workspaces": {
-      "post": {
-        "summary": "ワークスペースを作成する（デフォルトで初期キーも発行する）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "requestBody": {
-          "required": true,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/CreateWorkspace"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "ワークスペース（issueKey=false でない限りキーも含む）"
-          },
-          "400": {
-            "description": "リクエストボディまたはワークスペース id が不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "get": {
-        "summary": "全ワークスペースを一覧取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}": {
-      "get": {
-        "summary": "単一のワークスペースを取得する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "ワークスペース"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      },
-      "delete": {
-        "summary": "ワークスペースを削除する（キー・セッション・イベントにカスケードする）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "削除完了"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "Workspaces (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys": {
-      "post": {
-        "summary": "ワークスペースに新しい API キーを発行する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "requestBody": {
-          "required": false,
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/IssueKey"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "description": "発行されたキー（生のキーは一度のみ返却）"
-          },
-          "400": {
-            "description": "リクエストボディが不正"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      },
-      "get": {
-        "summary": "ワークスペースの API キー一覧を取得する（ハッシュのみ）。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "キー一覧"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "ワークスペースが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
-    },
-    "/admin/v1/workspaces/{id}/keys/{keyId}": {
-      "delete": {
-        "summary": "API キーを無効化する。",
-        "security": [
-          {
-            "adminToken": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "id",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "ワークスペース id。"
-          },
-          {
-            "name": "keyId",
-            "in": "path",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "description": "キー id。"
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "無効化完了（冪等）"
-          },
-          "401": {
-            "description": "認証エラー"
-          },
-          "404": {
-            "description": "キーが見つからない"
-          }
-        },
-        "tags": [
-          "API Keys (admin)"
-        ]
-      }
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hexis-ai/engram-server",
-  "version": "0.14.0",
+  "version": "0.16.0",
   "description": "Engram server: ingest agent session events, persist via a pluggable adapter, expose search.",
   "keywords": [
     "engram",
@@ -50,7 +50,7 @@
   },
   "dependencies": {
     "@hexis-ai/engram-core": "^0.3.0",
-    "@hexis-ai/engram-sdk": "^0.15.0",
+    "@hexis-ai/engram-sdk": "^0.16.0",
     "better-auth": "^1.6.11",
     "hono": "^4.6.0",
     "pg": "^8.13.0",