@realtimex/folio 0.1.15 → 0.1.17

package/api/src/middleware/auth.ts

@@ -13,10 +13,19 @@ declare global {
     interface Request {
       user?: User;
       supabase?: SupabaseClient;
+      workspaceId?: string;
+      workspaceRole?: string;
     }
   }
 }
 
+type WorkspaceMembershipRow = {
+  workspace_id: string;
+  role: "owner" | "admin" | "member";
+  status: "active" | "invited" | "disabled";
+  created_at: string;
+};
+
 function resolveSupabaseConfig(req: Request): { url: string; anonKey: string } | null {
   const headerConfig = getSupabaseConfigFromHeaders(req.headers as Record<string, unknown>);
 
@@ -31,6 +40,64 @@ function resolveSupabaseConfig(req: Request): { url: string; anonKey: string } |
   return headerConfig;
 }
 
+function resolvePreferredWorkspaceId(req: Request): string | null {
+  const raw = req.headers["x-workspace-id"];
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    return trimmed.length > 0 ? trimmed : null;
+  }
+  if (Array.isArray(raw) && typeof raw[0] === "string") {
+    const trimmed = raw[0].trim();
+    return trimmed.length > 0 ? trimmed : null;
+  }
+  return null;
+}
+
+async function resolveWorkspaceContext(
+  req: Request,
+  supabase: SupabaseClient,
+  user: User
+): Promise<{ workspaceId: string; workspaceRole: "owner" | "admin" | "member" } | null> {
+  const preferredWorkspaceId = resolvePreferredWorkspaceId(req);
+  const { data, error } = await supabase
+    .from("workspace_members")
+    .select("workspace_id,role,status,created_at")
+    .eq("user_id", user.id)
+    .eq("status", "active")
+    .order("created_at", { ascending: true });
+
+  if (error) {
+    const errorCode = (error as { code?: string }).code;
+    // Backward compatibility: allow projects that haven't migrated yet.
+    if (errorCode === "42P01") {
+      return null;
+    }
+    throw new AuthorizationError(`Failed to resolve workspace membership: ${error.message}`);
+  }
+
+  const memberships = (data ?? []) as WorkspaceMembershipRow[];
+  if (memberships.length === 0) {
+    return null;
+  }
+
+  if (preferredWorkspaceId) {
+    const preferred = memberships.find((membership) => membership.workspace_id === preferredWorkspaceId);
+    if (preferred) {
+      return {
+        workspaceId: preferred.workspace_id,
+        workspaceRole: preferred.role,
+      };
+    }
+  }
+
+  const active = memberships[0];
+  if (!active) return null;
+  return {
+    workspaceId: active.workspace_id,
+    workspaceRole: active.role,
+  };
+}
+
 export async function authMiddleware(req: Request, _res: Response, next: NextFunction): Promise<void> {
   try {
     const supabaseConfig = resolveSupabaseConfig(req);
@@ -60,6 +127,11 @@ export async function authMiddleware(req: Request, _res: Response, next: NextFun
 
       req.user = user;
       req.supabase = supabase;
+      const workspace = await resolveWorkspaceContext(req, supabase, user);
+      if (workspace) {
+        req.workspaceId = workspace.workspaceId;
+        req.workspaceRole = workspace.workspaceRole;
+      }
       Logger.setPersistence(supabase, user.id);
       return next();
     }
@@ -90,6 +162,11 @@ export async function authMiddleware(req: Request, _res: Response, next: NextFun
 
     req.user = user;
     req.supabase = supabase;
+    const workspace = await resolveWorkspaceContext(req, supabase, user);
+    if (workspace) {
+      req.workspaceId = workspace.workspaceId;
+      req.workspaceRole = workspace.workspaceRole;
+    }
     Logger.setPersistence(supabase, user.id);
     next();
   } catch (error) {

package/api/src/routes/chat.ts

@@ -142,7 +142,13 @@ router.post(
         }
 
         try {
-            const aiMessage = await ChatService.handleMessage(normalizedSessionId, req.user.id, trimmedContent, req.supabase);
+            const aiMessage = await ChatService.handleMessage(
+                normalizedSessionId,
+                req.user.id,
+                trimmedContent,
+                req.supabase,
+                req.workspaceId
+            );
             res.json({ success: true, message: aiMessage });
         } catch (error) {
             const message = error instanceof Error ? error.message : "Failed to process message";

package/api/src/routes/index.ts

@@ -14,6 +14,7 @@ import settingsRoutes from "./settings.js";
 import rulesRoutes from "./rules.js";
 import chatRoutes from "./chat.js";
 import statsRoutes from "./stats.js";
+import workspaceRoutes from "./workspaces.js";
 
 const router = Router();
 
@@ -31,5 +32,6 @@ router.use("/settings", settingsRoutes);
 router.use("/rules", rulesRoutes);
 router.use("/chat", chatRoutes);
 router.use("/stats", statsRoutes);
+router.use("/workspaces", workspaceRoutes);
 
 export default router;

package/api/src/routes/ingestions.ts

@@ -7,6 +7,7 @@ import crypto from "crypto";
 import { asyncHandler } from "../middleware/errorHandler.js";
 import { optionalAuth } from "../middleware/auth.js";
 import { IngestionService } from "../services/IngestionService.js";
+import { SDKService } from "../services/SDKService.js";
 
 const router = Router();
 const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 20 * 1024 * 1024 } });
@@ -21,10 +22,14 @@ router.get(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const page = Math.max(1, parseInt(req.query["page"] as string) || 1);
         const pageSize = Math.min(100, Math.max(1, parseInt(req.query["pageSize"] as string) || 20));
         const query = (req.query["q"] as string | undefined)?.trim() || undefined;
-        const { ingestions, total } = await IngestionService.list(req.supabase, req.user.id, { page, pageSize, query });
+        const { ingestions, total } = await IngestionService.list(req.supabase, req.workspaceId, { page, pageSize, query });
         res.json({ success: true, ingestions, total, page, pageSize });
     })
 );
@@ -37,7 +42,11 @@ router.get(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
-        const ingestion = await IngestionService.get(req.params["id"] as string, req.supabase, req.user.id);
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        const ingestion = await IngestionService.get(req.params["id"] as string, req.supabase, req.workspaceId);
         if (!ingestion) {
             res.status(404).json({ success: false, error: "Not found" });
             return;
@@ -55,6 +64,10 @@ router.post(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const file = req.file;
         if (!file) {
             res.status(400).json({ success: false, error: "No file uploaded" });
@@ -68,7 +81,11 @@ router.post(
             .eq("user_id", req.user.id)
             .maybeSingle();
 
-        const dropzoneDir = settings?.storage_path || path.join(os.homedir(), ".realtimex", "folio", "dropzone");
+        const configuredStoragePath = typeof settings?.storage_path === "string" ? settings.storage_path.trim() : "";
+        const legacyDefaultDropzoneDir = path.join(os.homedir(), ".realtimex", "folio", "dropzone");
+        const dropzoneDir = !configuredStoragePath || configuredStoragePath === legacyDefaultDropzoneDir
+            ? await SDKService.getDefaultDropzoneDir()
+            : configuredStoragePath;
         await fs.mkdir(dropzoneDir, { recursive: true });
 
         // Compute SHA-256 hash before writing — used for deduplication
@@ -85,6 +102,7 @@ router.post(
         const ingestion = await IngestionService.ingest({
             supabase: req.supabase,
             userId: req.user.id,
+            workspaceId: req.workspaceId,
             filename: file.originalname,
             mimeType: file.mimetype,
             fileSize: file.size,
@@ -106,7 +124,11 @@ router.post(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
-        const matched = await IngestionService.rerun(req.params["id"] as string, req.supabase, req.user.id);
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        const matched = await IngestionService.rerun(req.params["id"] as string, req.supabase, req.user.id, req.workspaceId);
         res.json({ success: true, matched });
     })
 );
@@ -119,6 +141,10 @@ router.post(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
 
         const policyId = typeof req.body?.policy_id === "string" ? req.body.policy_id.trim() : "";
         if (!policyId) {
@@ -135,6 +161,7 @@ router.post(
                 policyId,
                 req.supabase,
                 req.user.id,
+                req.workspaceId,
                 {
                     learn,
                     rerun,
@@ -165,6 +192,10 @@ router.post(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
 
         const policyId = typeof req.body?.policy_id === "string" ? req.body.policy_id.trim() : "";
         if (!policyId) {
@@ -178,6 +209,7 @@ router.post(
                 policyId,
                 req.supabase,
                 req.user.id,
+                req.workspaceId,
                 {
                     provider: typeof req.body?.provider === "string" ? req.body.provider : undefined,
                     model: typeof req.body?.model === "string" ? req.body.model : undefined,
@@ -207,6 +239,10 @@ router.post(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const { data: settingsRow } = await req.supabase
             .from("user_settings")
             .select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model")
@@ -219,6 +255,7 @@ router.post(
             req.params["id"] as string,
             req.supabase,
             req.user.id,
+            req.workspaceId,
             llmSettings
         );
         res.json({ success: true, summary });
@@ -233,6 +270,10 @@ router.patch(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const tags: unknown = req.body?.tags;
         if (!Array.isArray(tags) || tags.some((t) => typeof t !== "string")) {
             res.status(400).json({ success: false, error: "tags must be an array of strings" });
@@ -243,7 +284,7 @@ router.patch(
             .from("ingestions")
             .update({ tags: normalized })
             .eq("id", req.params["id"] as string)
-            .eq("user_id", req.user.id);
+            .eq("workspace_id", req.workspaceId);
         if (error) {
             res.status(500).json({ success: false, error: error.message });
             return;
@@ -260,7 +301,11 @@ router.delete(
             res.status(401).json({ success: false, error: "Authentication required" });
             return;
         }
-        const deleted = await IngestionService.delete(req.params["id"] as string, req.supabase, req.user.id);
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        const deleted = await IngestionService.delete(req.params["id"] as string, req.supabase, req.workspaceId);
         if (!deleted) {
             res.status(404).json({ success: false, error: "Not found" });
             return;

package/api/src/routes/policies.ts

@@ -15,8 +15,17 @@ router.use(optionalAuth);
 router.get(
     "/",
     asyncHandler(async (req, res) => {
-        const policies = await PolicyLoader.load(false, req.supabase);
-        if (!req.supabase || !req.user || policies.length === 0) {
+        if (!req.supabase || !req.user) {
+            const policies = await PolicyLoader.load(false, req.supabase, req.workspaceId);
+            res.json({ success: true, policies });
+            return;
+        }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        const policies = await PolicyLoader.load(false, req.supabase, req.workspaceId);
+        if (policies.length === 0) {
             res.json({ success: true, policies });
             return;
         }
@@ -24,6 +33,7 @@ router.get(
         const stats = await PolicyLearningService.getPolicyLearningStats({
             supabase: req.supabase,
             userId: req.user.id,
+            workspaceId: req.workspaceId,
             policyIds: policies.map((policy) => policy.metadata.id),
         });
 
@@ -47,12 +57,20 @@ router.get(
 router.post(
     "/",
     asyncHandler(async (req, res) => {
+        if (!req.supabase || !req.user) {
+            res.status(401).json({ success: false, error: "Authentication required" });
+            return;
+        }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const policy = req.body;
         if (!PolicyLoader.validate(policy)) {
             res.status(400).json({ success: false, error: "Invalid policy schema" });
             return;
         }
-        const filePath = await PolicyLoader.save(policy, req.supabase, req.user?.id);
+        const filePath = await PolicyLoader.save(policy, req.supabase, req.user.id, req.workspaceId);
         res.status(201).json({ success: true, filePath });
     })
 );
@@ -61,7 +79,15 @@ router.post(
 router.delete(
     "/:id",
     asyncHandler(async (req, res) => {
-        const deleted = await PolicyLoader.delete(req.params["id"] as string, req.supabase, req.user?.id);
+        if (!req.supabase || !req.user) {
+            res.status(401).json({ success: false, error: "Authentication required" });
+            return;
+        }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        const deleted = await PolicyLoader.delete(req.params["id"] as string, req.supabase, req.user.id, req.workspaceId);
         if (!deleted) {
             res.status(404).json({ success: false, error: "Policy not found" });
             return;
@@ -74,12 +100,21 @@ router.delete(
 router.patch(
     "/:id",
     asyncHandler(async (req, res) => {
+        if (!req.supabase || !req.user) {
+            res.status(401).json({ success: false, error: "Authentication required" });
+            return;
+        }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const { enabled, name, description, tags, priority } = req.body;
         await PolicyLoader.patch(
             req.params["id"] as string,
             { enabled, name, description, tags, priority },
             req.supabase,
-            req.user?.id
+            req.user.id,
+            req.workspaceId
         );
         res.json({ success: true });
     })
@@ -89,8 +124,16 @@ router.patch(
 router.post(
     "/reload",
     asyncHandler(async (req, res) => {
-        PolicyLoader.invalidateCache();
-        const policies = await PolicyLoader.load(true, req.supabase);
+        if (!req.supabase || !req.user) {
+            res.status(401).json({ success: false, error: "Authentication required" });
+            return;
+        }
+        if (!req.workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
+        PolicyLoader.invalidateCache(req.workspaceId);
+        const policies = await PolicyLoader.load(true, req.supabase, req.workspaceId);
         res.json({ success: true, count: policies.length });
     })
 );

package/api/src/routes/stats.ts

@@ -20,33 +20,37 @@ router.get("/", async (req, res) => {
     }
 
     try {
-        const userId = req.user.id;
+        const workspaceId = req.workspaceId;
+        if (!workspaceId) {
+            res.status(403).json({ success: false, error: "Workspace membership required" });
+            return;
+        }
         const s = req.supabase; // the scoped service client
 
         // 1. Total Documents Ingested
         const { count: totalDocumentsCount, error: err1 } = await s
             .from("ingestions")
             .select("*", { count: 'exact', head: true })
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
 
         // 2. Active Policies
         const { count: activePoliciesCount, error: err2 } = await s
             .from("policies")
             .select("*", { count: 'exact', head: true })
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .eq("enabled", true);
 
         // 3. RAG Knowledge Base (Chunks)
         const { count: ragChunksCount, error: err3 } = await s
             .from("document_chunks")
             .select("*", { count: 'exact', head: true })
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
 
         // 4. Automation Runs (Sum of actions taken across ingestions)
         const { data: ingestionsWithActions, error: err4 } = await s
             .from("ingestions")
             .select("actions_taken")
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .not("actions_taken", "is", null);
 
         let automationRunsCount = 0;