@orgii/collab-hub 0.1.0

package/README.md

@@ -0,0 +1,66 @@
+# ORGII Collaboration Hub
+
+Self-deployable Cloudflare relay for ORGII collaboration orgs. It stores org metadata, members, invites, lightweight session metadata, and group chat messages, then relays live JSON updates through Durable Object WebSockets.
+
+## Who needs this?
+
+Only one admin per ORGII collaboration org needs to deploy a hub. Teammates who join an existing org do not need npm, Cloudflare, Wrangler, or repo access; they only need the invite link generated by ORGII.
+
+## Create a hub project
+
+```bash
+npx @orgii/collab-hub init my-orgii-hub
+cd my-orgii-hub
+npm install
+```
+
+## Deploy to Cloudflare
+
+Log in to Cloudflare:
+
+```bash
+npx wrangler login
+```
+
+Create the D1 database:
+
+```bash
+npm run db:create
+```
+
+Cloudflare prints a `database_id`. Paste that value into `wrangler.jsonc` under `d1_databases[0].database_id`.
+
+Apply migrations:
+
+```bash
+npm run db:migrate
+```
+
+Deploy the Worker:
+
+```bash
+npm run deploy
+```
+
+Wrangler prints the Worker URL, for example:
+
+```text
+https://my-orgii-hub.example.workers.dev
+```
+
+Paste that URL into ORGII under `Add Org` → `Create Org` → `Cloudflare hub URL`.
+
+## Invite teammates
+
+After creating the org in ORGII, copy the generated invite link and send it to teammates. The invite link includes the hub URL and invite code, so teammates do not need to configure Cloudflare.
+
+## Local development
+
+```bash
+npm run dev
+npm run typecheck
+```
+
+## Source repo workflow
+
+Developers building ORGII from source can also work directly from the `cloudflare/collab-hub` folder in the ORGII repository. The npm package exists so bundled-app users can deploy the hub without cloning the app repo.

package/bin/orgii-collab-hub.js

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const PACKAGE_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+const TEMPLATE_DIR = path.join(PACKAGE_ROOT, "templates", "worker");
+
+function printHelp() {
+  console.log(`ORGII Collaboration Hub
+
+Usage:
+  npx @orgii/collab-hub init <directory>
+
+Commands:
+  init <directory>  Create a deployable Cloudflare Worker hub project.
+
+After init:
+  cd <directory>
+  npm install
+  npx wrangler login
+  npm run db:create
+  npm run db:migrate
+  npm run deploy
+`);
+}
+
+function normalizeProjectName(targetDir) {
+  return path.basename(path.resolve(targetDir)).replace(/[^a-zA-Z0-9_-]/g, "-");
+}
+
+function updateTemplatePackageJson(targetDir) {
+  const packageJsonPath = path.join(targetDir, "package.json");
+  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
+  packageJson.name = normalizeProjectName(targetDir);
+  fs.writeFileSync(packageJsonPath, `${JSON.stringify(packageJson, null, 2)}\n`);
+}
+
+function formatCdTarget(targetArg, targetDir) {
+  return path.isAbsolute(targetArg) ? targetDir : targetArg;
+}
+
+function initProject(targetArg) {
+  if (!targetArg) {
+    throw new Error("Missing target directory. Usage: npx @orgii/collab-hub init <directory>");
+  }
+
+  const targetDir = path.resolve(process.cwd(), targetArg);
+  if (fs.existsSync(targetDir) && fs.readdirSync(targetDir).length > 0) {
+    throw new Error(`Target directory is not empty: ${targetDir}`);
+  }
+
+  fs.mkdirSync(targetDir, { recursive: true });
+  fs.cpSync(TEMPLATE_DIR, targetDir, { recursive: true });
+  updateTemplatePackageJson(targetDir);
+
+  console.log(`Created ORGII Collaboration Hub project at ${targetDir}`);
+  console.log(`
+Next steps:
+  cd ${formatCdTarget(targetArg, targetDir)}
+  npm install
+  npx wrangler login
+  npm run db:create
+
+Then paste the returned database_id into wrangler.jsonc and run:
+  npm run db:migrate
+  npm run deploy
+
+After deploy, paste the Worker URL into ORGII > Add Org > Create Org.`);
+}
+
+try {
+  const [command, targetDir] = process.argv.slice(2);
+  if (!command || command === "--help" || command === "-h") {
+    printHelp();
+    process.exit(0);
+  }
+
+  if (command !== "init") {
+    throw new Error(`Unknown command: ${command}`);
+  }
+
+  initProject(targetDir);
+} catch (error) {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@orgii/collab-hub",
+  "version": "0.1.0",
+  "description": "Self-deployable Cloudflare Collaboration Hub for ORGII team presence, invites, session metadata, and group chat.",
+  "private": false,
+  "type": "module",
+  "bin": {
+    "orgii-collab-hub": "./bin/orgii-collab-hub.js"
+  },
+  "files": [
+    "bin",
+    "templates",
+    "README.md"
+  ],
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy",
+    "typecheck": "tsc --noEmit",
+    "typecheck:template": "cd templates/worker && npm install && npm run typecheck",
+    "pack:dry": "npm pack --dry-run"
+  },
+  "keywords": [
+    "orgii",
+    "collaboration",
+    "cloudflare",
+    "workers",
+    "durable-objects",
+    "d1"
+  ],
+  "license": "UNLICENSED",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260613.1",
+    "typescript": "^5.3.3",
+    "wrangler": "^4.100.0"
+  }
+}

package/templates/worker/migrations/0001_initial.sql

@@ -0,0 +1,64 @@
+CREATE TABLE IF NOT EXISTS orgs (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  admin_member_id TEXT NOT NULL,
+  created_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS members (
+  id TEXT PRIMARY KEY,
+  org_id TEXT NOT NULL,
+  display_name TEXT NOT NULL,
+  avatar_initials TEXT NOT NULL,
+  avatar_variant TEXT NOT NULL,
+  role TEXT NOT NULL CHECK (role IN ('admin', 'member')),
+  identity_kind TEXT NOT NULL CHECK (identity_kind IN ('human', 'agent')),
+  access_token_hash TEXT NOT NULL,
+  joined_at TEXT NOT NULL,
+  removed_at TEXT,
+  FOREIGN KEY (org_id) REFERENCES orgs(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_members_org_id ON members(org_id);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_members_org_token ON members(org_id, access_token_hash);
+
+CREATE TABLE IF NOT EXISTS invites (
+  id TEXT PRIMARY KEY,
+  org_id TEXT NOT NULL,
+  token_hash TEXT NOT NULL UNIQUE,
+  inviter_member_id TEXT NOT NULL,
+  expires_at TEXT,
+  usage_limit INTEGER NOT NULL DEFAULT 1,
+  usage_count INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL,
+  revoked_at TEXT,
+  FOREIGN KEY (org_id) REFERENCES orgs(id),
+  FOREIGN KEY (inviter_member_id) REFERENCES members(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_invites_org_id ON invites(org_id);
+
+CREATE TABLE IF NOT EXISTS events (
+  id TEXT PRIMARY KEY,
+  org_id TEXT NOT NULL,
+  member_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  payload_json TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  FOREIGN KEY (org_id) REFERENCES orgs(id),
+  FOREIGN KEY (member_id) REFERENCES members(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_events_org_created ON events(org_id, created_at);
+
+CREATE TABLE IF NOT EXISTS chat_messages (
+  id TEXT PRIMARY KEY,
+  org_id TEXT NOT NULL,
+  author_member_id TEXT NOT NULL,
+  body TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  FOREIGN KEY (org_id) REFERENCES orgs(id),
+  FOREIGN KEY (author_member_id) REFERENCES members(id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_chat_messages_org_created ON chat_messages(org_id, created_at);

package/templates/worker/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "orgii-collab-hub-worker",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy",
+    "typecheck": "tsc --noEmit",
+    "db:create": "wrangler d1 create orgii-collab-hub",
+    "db:migrate": "wrangler d1 migrations apply orgii-collab-hub"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260613.1",
+    "typescript": "^5.3.3",
+    "wrangler": "^4.100.0"
+  }
+}

package/templates/worker/src/index.ts

@@ -0,0 +1,655 @@
+import { jsonResponse, matchCollabHubRoute } from "./route";
+
+const COLLAB_ROLE = {
+  ADMIN: "admin",
+  MEMBER: "member",
+} as const;
+
+const COLLAB_IDENTITY_KIND = {
+  HUMAN: "human",
+  AGENT: "agent",
+} as const;
+
+const COLLAB_MESSAGE_TYPE = {
+  CHAT_MESSAGE: "chat.message",
+} as const;
+
+const COLLAB_PROTOCOL_VERSION = 1;
+const MAX_CHAT_BODY_LENGTH = 4000;
+const DEFAULT_CHAT_HISTORY_LIMIT = 100;
+const MAX_CHAT_HISTORY_LIMIT = 200;
+
+type CollabRole = (typeof COLLAB_ROLE)[keyof typeof COLLAB_ROLE];
+type CollabIdentityKind =
+  (typeof COLLAB_IDENTITY_KIND)[keyof typeof COLLAB_IDENTITY_KIND];
+
+interface Env {
+  DB: D1Database;
+  ORG_ROOMS: DurableObjectNamespace;
+}
+
+interface CreateOrgRequest {
+  name?: string;
+  displayName?: string;
+  identityKind?: CollabIdentityKind;
+}
+
+interface AcceptInviteRequest {
+  displayName?: string;
+  identityKind?: CollabIdentityKind;
+}
+
+interface CreateInviteRequest {
+  expiresAt?: string;
+  usageLimit?: number;
+}
+
+interface PostChatMessageRequest {
+  body?: string;
+}
+
+interface StoredMember {
+  id: string;
+  org_id: string;
+  display_name: string;
+  avatar_initials: string;
+  avatar_variant: string;
+  role: CollabRole;
+  identity_kind: CollabIdentityKind;
+  joined_at: string;
+  removed_at: string | null;
+}
+
+interface StoredOrg {
+  id: string;
+  name: string;
+  admin_member_id: string;
+  created_at: string;
+}
+
+interface StoredInvite {
+  id: string;
+  org_id: string;
+  token_hash: string;
+  inviter_member_id: string;
+  expires_at: string | null;
+  usage_limit: number;
+  usage_count: number;
+  revoked_at: string | null;
+}
+
+interface StoredChatMessage {
+  id: string;
+  org_id: string;
+  author_member_id: string;
+  author_display_name: string;
+  author_identity_kind: CollabIdentityKind;
+  body: string;
+  created_at: string;
+}
+
+interface AuthContext {
+  orgId: string;
+  memberId: string;
+  role: CollabRole;
+}
+
+function createId(prefix: string): string {
+  return `${prefix}_${crypto.randomUUID().replaceAll("-", "")}`;
+}
+
+function createSecret(): string {
+  const bytes = new Uint8Array(24);
+  crypto.getRandomValues(bytes);
+  return btoa(String.fromCharCode(...bytes))
+    .replaceAll("+", "-")
+    .replaceAll("/", "_")
+    .replaceAll("=", "");
+}
+
+async function sha256(value: string): Promise<string> {
+  const digest = await crypto.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode(value)
+  );
+  return [...new Uint8Array(digest)]
+    .map((byte) => byte.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+function createAvatar(displayName: string): {
+  initials: string;
+  variant: string;
+} {
+  const words = displayName.trim().split(/\s+/).filter(Boolean);
+  const initials = `${words[0]?.[0] ?? "U"}${words[1]?.[0] ?? ""}`
+    .toLocaleUpperCase()
+    .slice(0, 2);
+  const seed = [...displayName].reduce(
+    (sum, character) => sum + character.charCodeAt(0),
+    0
+  );
+  return { initials, variant: seed % 2 === 0 ? "v" : "h" };
+}
+
+function isIdentityKind(value: unknown): value is CollabIdentityKind {
+  return (
+    value === COLLAB_IDENTITY_KIND.HUMAN || value === COLLAB_IDENTITY_KIND.AGENT
+  );
+}
+
+async function readJson<T>(request: Request): Promise<T> {
+  return (await request.json()) as T;
+}
+
+function publicMember(member: StoredMember) {
+  return {
+    id: member.id,
+    orgId: member.org_id,
+    displayName: member.display_name,
+    avatar: {
+      initials: member.avatar_initials,
+      variant: member.avatar_variant,
+    },
+    role: member.role,
+    identityKind: member.identity_kind,
+    joinedAt: member.joined_at,
+    removedAt: member.removed_at ?? undefined,
+  };
+}
+
+function publicOrg(org: StoredOrg) {
+  return {
+    id: org.id,
+    name: org.name,
+    adminMemberId: org.admin_member_id,
+    createdAt: org.created_at,
+  };
+}
+
+function publicChatMessage(message: StoredChatMessage) {
+  return {
+    id: message.id,
+    orgId: message.org_id,
+    authorMemberId: message.author_member_id,
+    authorDisplayName: message.author_display_name,
+    authorIdentityKind: message.author_identity_kind,
+    body: message.body,
+    createdAt: message.created_at,
+  };
+}
+
+function readBearerToken(request: Request): string | null {
+  const authHeader = request.headers.get("authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice("Bearer ".length);
+  }
+  const url = new URL(request.url);
+  return url.searchParams.get("access_token");
+}
+
+async function getAuthContext(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<AuthContext | null> {
+  const accessToken = readBearerToken(request);
+  if (!accessToken) return null;
+  const tokenHash = await sha256(accessToken);
+  const member = await env.DB.prepare(
+    "SELECT id, role FROM members WHERE org_id = ? AND access_token_hash = ? AND removed_at IS NULL"
+  )
+    .bind(orgId, tokenHash)
+    .first<{ id: string; role: CollabRole }>();
+  if (!member) return null;
+  return { orgId, memberId: member.id, role: member.role };
+}
+
+async function requireAdmin(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<AuthContext | Response> {
+  const context = await getAuthContext(request, env, orgId);
+  if (!context) return jsonResponse({ error: "Unauthorized" }, { status: 401 });
+  if (context.role !== COLLAB_ROLE.ADMIN) {
+    return jsonResponse({ error: "Admin role required" }, { status: 403 });
+  }
+  return context;
+}
+
+async function handleCreateOrg(request: Request, env: Env): Promise<Response> {
+  const body = await readJson<CreateOrgRequest>(request);
+  const name = body.name?.trim();
+  const displayName = body.displayName?.trim();
+  const identityKind = isIdentityKind(body.identityKind)
+    ? body.identityKind
+    : COLLAB_IDENTITY_KIND.HUMAN;
+
+  if (!name)
+    return jsonResponse({ error: "Org name is required" }, { status: 400 });
+  if (!displayName) {
+    return jsonResponse({ error: "Display name is required" }, { status: 400 });
+  }
+
+  const now = new Date().toISOString();
+  const orgId = createId("org");
+  const memberId = createId("mem");
+  const accessToken = createSecret();
+  const tokenHash = await sha256(accessToken);
+  const avatar = createAvatar(displayName);
+
+  await env.DB.batch([
+    env.DB.prepare(
+      "INSERT INTO orgs (id, name, admin_member_id, created_at) VALUES (?, ?, ?, ?)"
+    ).bind(orgId, name, memberId, now),
+    env.DB.prepare(
+      "INSERT INTO members (id, org_id, display_name, avatar_initials, avatar_variant, role, identity_kind, access_token_hash, joined_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"
+    ).bind(
+      memberId,
+      orgId,
+      displayName,
+      avatar.initials,
+      avatar.variant,
+      COLLAB_ROLE.ADMIN,
+      identityKind,
+      tokenHash,
+      now
+    ),
+  ]);
+
+  return jsonResponse({
+    org: {
+      id: orgId,
+      name,
+      adminMemberId: memberId,
+      createdAt: now,
+    },
+    member: {
+      id: memberId,
+      orgId,
+      displayName,
+      avatar,
+      role: COLLAB_ROLE.ADMIN,
+      identityKind,
+      accessToken,
+      joinedAt: now,
+    },
+  });
+}
+
+async function handleCreateInvite(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<Response> {
+  const auth = await requireAdmin(request, env, orgId);
+  if (auth instanceof Response) return auth;
+  const body: CreateInviteRequest = await readJson<CreateInviteRequest>(
+    request
+  ).catch(() => ({}));
+  const inviteCode = createSecret();
+  const tokenHash = await sha256(inviteCode);
+  const inviteId = createId("inv");
+  const now = new Date().toISOString();
+  const usageLimit = Math.max(1, Math.min(body.usageLimit ?? 1, 100));
+
+  await env.DB.prepare(
+    "INSERT INTO invites (id, org_id, token_hash, inviter_member_id, expires_at, usage_limit, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)"
+  )
+    .bind(
+      inviteId,
+      orgId,
+      tokenHash,
+      auth.memberId,
+      body.expiresAt ?? null,
+      usageLimit,
+      now
+    )
+    .run();
+
+  return jsonResponse({
+    invite: {
+      id: inviteId,
+      orgId,
+      inviteCode,
+      expiresAt: body.expiresAt,
+      createdAt: now,
+    },
+  });
+}
+
+async function handleAcceptInvite(
+  request: Request,
+  env: Env,
+  inviteCode: string
+): Promise<Response> {
+  const body = await readJson<AcceptInviteRequest>(request);
+  const displayName = body.displayName?.trim();
+  const identityKind = isIdentityKind(body.identityKind)
+    ? body.identityKind
+    : COLLAB_IDENTITY_KIND.HUMAN;
+  if (!displayName) {
+    return jsonResponse({ error: "Display name is required" }, { status: 400 });
+  }
+
+  const tokenHash = await sha256(inviteCode);
+  const invite = await env.DB.prepare(
+    "SELECT id, org_id, token_hash, inviter_member_id, expires_at, usage_limit, usage_count, revoked_at FROM invites WHERE token_hash = ?"
+  )
+    .bind(tokenHash)
+    .first<StoredInvite>();
+
+  if (!invite || invite.revoked_at) {
+    return jsonResponse({ error: "Invite not found" }, { status: 404 });
+  }
+  if (invite.expires_at && Date.parse(invite.expires_at) < Date.now()) {
+    return jsonResponse({ error: "Invite expired" }, { status: 410 });
+  }
+  if (invite.usage_count >= invite.usage_limit) {
+    return jsonResponse({ error: "Invite already used" }, { status: 409 });
+  }
+
+  const org = await env.DB.prepare(
+    "SELECT id, name, admin_member_id, created_at FROM orgs WHERE id = ?"
+  )
+    .bind(invite.org_id)
+    .first<StoredOrg>();
+  if (!org) return jsonResponse({ error: "Org not found" }, { status: 404 });
+
+  const now = new Date().toISOString();
+  const memberId = createId("mem");
+  const accessToken = createSecret();
+  const tokenHashForMember = await sha256(accessToken);
+  const avatar = createAvatar(displayName);
+
+  await env.DB.batch([
+    env.DB.prepare(
+      "INSERT INTO members (id, org_id, display_name, avatar_initials, avatar_variant, role, identity_kind, access_token_hash, joined_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"
+    ).bind(
+      memberId,
+      org.id,
+      displayName,
+      avatar.initials,
+      avatar.variant,
+      COLLAB_ROLE.MEMBER,
+      identityKind,
+      tokenHashForMember,
+      now
+    ),
+    env.DB.prepare(
+      "UPDATE invites SET usage_count = usage_count + 1 WHERE id = ?"
+    ).bind(invite.id),
+  ]);
+
+  return jsonResponse({
+    org: publicOrg(org),
+    member: {
+      id: memberId,
+      orgId: org.id,
+      displayName,
+      avatar,
+      role: COLLAB_ROLE.MEMBER,
+      identityKind,
+      accessToken,
+      joinedAt: now,
+    },
+  });
+}
+
+async function handleRemoveMember(
+  request: Request,
+  env: Env,
+  orgId: string,
+  memberId: string
+): Promise<Response> {
+  const auth = await requireAdmin(request, env, orgId);
+  if (auth instanceof Response) return auth;
+  if (auth.memberId === memberId) {
+    return jsonResponse({ error: "Admin cannot remove self" }, { status: 400 });
+  }
+  await env.DB.prepare(
+    "UPDATE members SET removed_at = ? WHERE org_id = ? AND id = ? AND removed_at IS NULL"
+  )
+    .bind(new Date().toISOString(), orgId, memberId)
+    .run();
+  return jsonResponse({ ok: true });
+}
+
+async function handleBootstrap(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<Response> {
+  const auth = await getAuthContext(request, env, orgId);
+  if (!auth) return jsonResponse({ error: "Unauthorized" }, { status: 401 });
+  const org = await env.DB.prepare(
+    "SELECT id, name, admin_member_id, created_at FROM orgs WHERE id = ?"
+  )
+    .bind(orgId)
+    .first<StoredOrg>();
+  if (!org) return jsonResponse({ error: "Org not found" }, { status: 404 });
+  const members = await env.DB.prepare(
+    "SELECT id, org_id, display_name, avatar_initials, avatar_variant, role, identity_kind, joined_at, removed_at FROM members WHERE org_id = ?"
+  )
+    .bind(orgId)
+    .all<StoredMember>();
+  return jsonResponse({
+    org: publicOrg(org),
+    members: members.results.map(publicMember),
+  });
+}
+
+async function handleListChatMessages(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<Response> {
+  const auth = await getAuthContext(request, env, orgId);
+  if (!auth) return jsonResponse({ error: "Unauthorized" }, { status: 401 });
+
+  const url = new URL(request.url);
+  const limitParam = Number(url.searchParams.get("limit"));
+  const limit = Number.isFinite(limitParam)
+    ? Math.max(1, Math.min(limitParam, MAX_CHAT_HISTORY_LIMIT))
+    : DEFAULT_CHAT_HISTORY_LIMIT;
+
+  const messages = await env.DB.prepare(
+    `SELECT chat_messages.id,
+            chat_messages.org_id,
+            chat_messages.author_member_id,
+            members.display_name AS author_display_name,
+            members.identity_kind AS author_identity_kind,
+            chat_messages.body,
+            chat_messages.created_at
+       FROM chat_messages
+       JOIN members ON members.id = chat_messages.author_member_id
+      WHERE chat_messages.org_id = ?
+      ORDER BY chat_messages.created_at DESC
+      LIMIT ?`
+  )
+    .bind(orgId, limit)
+    .all<StoredChatMessage>();
+
+  return jsonResponse({
+    messages: messages.results.map(publicChatMessage).reverse(),
+  });
+}
+
+async function insertChatMessage({
+  env,
+  orgId,
+  authorMemberId,
+  body,
+}: {
+  env: Env;
+  orgId: string;
+  authorMemberId: string;
+  body: string;
+}) {
+  const member = await env.DB.prepare(
+    "SELECT id, org_id, display_name, avatar_initials, avatar_variant, role, identity_kind, joined_at, removed_at FROM members WHERE org_id = ? AND id = ? AND removed_at IS NULL"
+  )
+    .bind(orgId, authorMemberId)
+    .first<StoredMember>();
+  if (!member) return null;
+
+  const id = createId("msg");
+  const createdAt = new Date().toISOString();
+  await env.DB.prepare(
+    "INSERT INTO chat_messages (id, org_id, author_member_id, body, created_at) VALUES (?, ?, ?, ?, ?)"
+  )
+    .bind(id, orgId, authorMemberId, body, createdAt)
+    .run();
+
+  return {
+    id,
+    org_id: orgId,
+    author_member_id: authorMemberId,
+    author_display_name: member.display_name,
+    author_identity_kind: member.identity_kind,
+    body,
+    created_at: createdAt,
+  } satisfies StoredChatMessage;
+}
+
+async function handlePostChatMessage(
+  request: Request,
+  env: Env,
+  orgId: string
+): Promise<Response> {
+  const auth = await getAuthContext(request, env, orgId);
+  if (!auth) return jsonResponse({ error: "Unauthorized" }, { status: 401 });
+  const body = await readJson<PostChatMessageRequest>(request);
+  const messageBody = body.body?.trim();
+  if (!messageBody) {
+    return jsonResponse({ error: "Message body is required" }, { status: 400 });
+  }
+  if (messageBody.length > MAX_CHAT_BODY_LENGTH) {
+    return jsonResponse({ error: "Message body is too long" }, { status: 413 });
+  }
+
+  const message = await insertChatMessage({
+    env,
+    orgId,
+    authorMemberId: auth.memberId,
+    body: messageBody,
+  });
+  if (!message) return jsonResponse({ error: "Member not found" }, { status: 404 });
+
+  const publicMessage = publicChatMessage(message);
+  await routeToOrgRoom(
+    new Request(`https://collab.internal/orgs/${encodeURIComponent(orgId)}/ws`, {
+      method: "POST",
+      body: JSON.stringify({
+        protocolVersion: COLLAB_PROTOCOL_VERSION,
+        id: createId("evt"),
+        type: COLLAB_MESSAGE_TYPE.CHAT_MESSAGE,
+        orgId,
+        senderMemberId: auth.memberId,
+        sentAt: publicMessage.createdAt,
+        payload: { message: publicMessage },
+      }),
+    }),
+    env,
+    orgId
+  );
+
+  return jsonResponse({ message: publicMessage });
+}
+
+function routeToOrgRoom(
+  request: Request,
+  env: Env,
+  orgId: string
+): Response | Promise<Response> {
+  const id = env.ORG_ROOMS.idFromName(orgId);
+  return env.ORG_ROOMS.get(id).fetch(request);
+}
+
+export class CollabOrgRoom implements DurableObject {
+  private sessions = new Set<WebSocket>();
+
+  constructor(
+    private state: DurableObjectState,
+    private env: Env
+  ) {}
+
+  async fetch(request: Request): Promise<Response> {
+    const upgradeHeader = request.headers.get("upgrade");
+    if (request.method === "POST" && upgradeHeader !== "websocket") {
+      const message = await request.text();
+      this.broadcast(message);
+      return jsonResponse({ ok: true });
+    }
+
+    if (upgradeHeader !== "websocket") {
+      return jsonResponse(
+        { error: "WebSocket upgrade required" },
+        { status: 426 }
+      );
+    }
+
+    const pair = new WebSocketPair();
+    const [client, server] = Object.values(pair);
+    this.sessions.add(server);
+    server.accept();
+    server.addEventListener("message", (event) => {
+      this.broadcast(event.data, server);
+    });
+    server.addEventListener("close", () => this.sessions.delete(server));
+    server.addEventListener("error", () => this.sessions.delete(server));
+
+    return new Response(null, { status: 101, webSocket: client });
+  }
+
+  private broadcast(message: string | ArrayBuffer, except?: WebSocket): void {
+    for (const socket of this.sessions) {
+      if (socket !== except && socket.readyState === WebSocket.OPEN) {
+        socket.send(message);
+      }
+    }
+  }
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const route = matchCollabHubRoute(request);
+    try {
+      switch (route.kind) {
+        case "createOrg":
+          return await handleCreateOrg(request, env);
+        case "createInvite":
+          return await handleCreateInvite(request, env, route.orgId);
+        case "acceptInvite":
+          return await handleAcceptInvite(request, env, route.inviteCode);
+        case "removeMember":
+          return await handleRemoveMember(
+            request,
+            env,
+            route.orgId,
+            route.memberId
+          );
+        case "listChatMessages":
+          return await handleListChatMessages(request, env, route.orgId);
+        case "postChatMessage":
+          return await handlePostChatMessage(request, env, route.orgId);
+        case "bootstrap":
+          return await handleBootstrap(request, env, route.orgId);
+        case "webSocket": {
+          const auth = await getAuthContext(request, env, route.orgId);
+          if (!auth)
+            return jsonResponse({ error: "Unauthorized" }, { status: 401 });
+          return routeToOrgRoom(request, env, route.orgId);
+        }
+        case "notFound":
+          return jsonResponse({ error: "Not found" }, { status: 404 });
+      }
+    } catch (error) {
+      return jsonResponse(
+        { error: error instanceof Error ? error.message : "Internal error" },
+        { status: 500 }
+      );
+    }
+  },
+};

package/templates/worker/src/route.ts

@@ -0,0 +1,105 @@
+export const COLLAB_HUB_ROUTE = {
+  ORGS: "orgs",
+  INVITES: "invites",
+  MEMBERS: "members",
+  CHAT: "chat",
+  BOOTSTRAP: "bootstrap",
+  WS: "ws",
+  REMOVE: "remove",
+} as const;
+
+export type CollabHubRouteMatch =
+  | { kind: "createOrg" }
+  | { kind: "createInvite"; orgId: string }
+  | { kind: "acceptInvite"; inviteCode: string }
+  | { kind: "removeMember"; orgId: string; memberId: string }
+  | { kind: "listChatMessages"; orgId: string }
+  | { kind: "postChatMessage"; orgId: string }
+  | { kind: "bootstrap"; orgId: string }
+  | { kind: "webSocket"; orgId: string }
+  | { kind: "notFound" };
+
+export function matchCollabHubRoute(request: Request): CollabHubRouteMatch {
+  const url = new URL(request.url);
+  const parts = url.pathname.split("/").filter(Boolean).map(decodeURIComponent);
+
+  if (request.method === "POST" && parts.length === 1 && parts[0] === "orgs") {
+    return { kind: "createOrg" };
+  }
+
+  if (
+    request.method === "POST" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.INVITES
+  ) {
+    return { kind: "createInvite", orgId: parts[1] };
+  }
+
+  if (
+    request.method === "POST" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.INVITES &&
+    parts[2] === "accept"
+  ) {
+    return { kind: "acceptInvite", inviteCode: parts[1] };
+  }
+
+  if (
+    request.method === "POST" &&
+    parts.length === 5 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.MEMBERS &&
+    parts[4] === COLLAB_HUB_ROUTE.REMOVE
+  ) {
+    return { kind: "removeMember", orgId: parts[1], memberId: parts[3] };
+  }
+
+  if (
+    request.method === "GET" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.CHAT
+  ) {
+    return { kind: "listChatMessages", orgId: parts[1] };
+  }
+
+  if (
+    request.method === "POST" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.CHAT
+  ) {
+    return { kind: "postChatMessage", orgId: parts[1] };
+  }
+
+  if (
+    request.method === "GET" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.BOOTSTRAP
+  ) {
+    return { kind: "bootstrap", orgId: parts[1] };
+  }
+
+  if (
+    request.method === "GET" &&
+    parts.length === 3 &&
+    parts[0] === COLLAB_HUB_ROUTE.ORGS &&
+    parts[2] === COLLAB_HUB_ROUTE.WS
+  ) {
+    return { kind: "webSocket", orgId: parts[1] };
+  }
+
+  return { kind: "notFound" };
+}
+
+export function jsonResponse(value: unknown, init?: ResponseInit): Response {
+  return new Response(JSON.stringify(value), {
+    ...init,
+    headers: {
+      "content-type": "application/json; charset=utf-8",
+      ...init?.headers,
+    },
+  });
+}

package/templates/worker/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "lib": ["ES2022", "WebWorker"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noImplicitAny": true,
+    "noFallthroughCasesInSwitch": true,
+    "skipLibCheck": true,
+    "isolatedModules": true
+  },
+  "include": ["src/**/*.ts"]
+}

package/templates/worker/wrangler.jsonc

@@ -0,0 +1,27 @@
+{
+  "$schema": "node_modules/wrangler/config-schema.json",
+  "name": "orgii-collab-hub",
+  "main": "src/index.ts",
+  "compatibility_date": "2026-06-15",
+  "durable_objects": {
+    "bindings": [
+      {
+        "name": "ORG_ROOMS",
+        "class_name": "CollabOrgRoom"
+      }
+    ]
+  },
+  "migrations": [
+    {
+      "tag": "v1",
+      "new_sqlite_classes": ["CollabOrgRoom"]
+    }
+  ],
+  "d1_databases": [
+    {
+      "binding": "DB",
+      "database_name": "orgii-collab-hub",
+      "database_id": "replace-with-cloudflare-d1-database-id"
+    }
+  ]
+}