@realtimex/folio 0.1.15 → 0.1.17

package/dist/api/src/services/IngestionService.js

@@ -161,7 +161,7 @@ export class IngestionService {
             action: "Queued synthetic VLM embedding",
             ...details,
         }, opts.supabase);
-        RAGService.chunkAndEmbed(opts.ingestionId, opts.userId, syntheticText, opts.supabase, opts.embedSettings).then(() => {
+        RAGService.chunkAndEmbed(opts.ingestionId, opts.userId, syntheticText, opts.supabase, opts.embedSettings, opts.workspaceId).then(() => {
             Actuator.logEvent(opts.ingestionId, opts.userId, "analysis", "RAG Embedding", {
                 action: "Completed synthetic VLM embedding",
                 ...details,
@@ -257,13 +257,13 @@ export class IngestionService {
      * Ingest a document using Hybrid Routing Architecture.
      */
     static async ingest(opts) {
-        const { supabase, userId, filename, mimeType, fileSize, source = "upload", filePath, content, fileHash } = opts;
+        const { supabase, userId, workspaceId, filename, mimeType, fileSize, source = "upload", filePath, content, fileHash } = opts;
         // Duplicate detection — check if this exact file content was already ingested
         if (fileHash) {
             const { data: existing } = await supabase
                 .from("ingestions")
                 .select("id, filename, created_at")
-                .eq("user_id", userId)
+                .eq("workspace_id", workspaceId)
                 .eq("file_hash", fileHash)
                 .eq("status", "matched")
                 .order("created_at", { ascending: true })
@@ -274,6 +274,7 @@ export class IngestionService {
                 const { data: dupIngestion } = await supabase
                     .from("ingestions")
                     .insert({
+                    workspace_id: workspaceId,
                     user_id: userId,
                     source,
                     filename,
@@ -293,6 +294,7 @@ export class IngestionService {
         const { data: ingestion, error: insertErr } = await supabase
             .from("ingestions")
             .insert({
+            workspace_id: workspaceId,
             user_id: userId,
             source,
             filename,
@@ -397,7 +399,7 @@ export class IngestionService {
             try {
                 // 3. Fast Path — fetch all dependencies in parallel
                 const [userPolicies, processingSettingsRow, baselineConfig] = await Promise.all([
-                    PolicyLoader.load(false, supabase),
+                    PolicyLoader.load(false, supabase, workspaceId),
                     supabase.from("user_settings").select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model, embedding_provider, embedding_model").eq("user_id", userId).maybeSingle(),
                     BaselineConfigService.getActive(supabase, userId),
                 ]);
@@ -409,11 +411,11 @@ export class IngestionService {
                 const resolvedProvider = llmSettings.llm_provider ?? llmProvider;
                 const resolvedModel = llmSettings.llm_model ?? llmModel;
                 const runFastPathAttempt = async (attemptContent, attemptType) => {
-                    const doc = { filePath: filePath, text: attemptContent, ingestionId: ingestion.id, userId, supabase };
+                    const doc = { filePath: filePath, text: attemptContent, ingestionId: ingestion.id, userId, workspaceId, supabase };
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     const baselineTrace = [];
                     // Fire and forget Semantic Embedding Storage
-                    RAGService.chunkAndEmbed(ingestion.id, userId, doc.text, supabase, embedSettings).catch(err => {
+                    RAGService.chunkAndEmbed(ingestion.id, userId, doc.text, supabase, embedSettings, workspaceId).catch(err => {
                         logger.error(`RAG embedding failed for ${ingestion.id}`, err);
                     });
                     // 4. Stage 1: Baseline extraction (always runs, LLM call 1 of max 2)
@@ -482,6 +484,7 @@ export class IngestionService {
                         const embeddingMeta = this.queueVlmSemanticEmbedding({
                             ingestionId: ingestion.id,
                             userId,
+                            workspaceId,
                             filename,
                             finalStatus,
                             policyName,
@@ -646,12 +649,12 @@ export class IngestionService {
     /**
      * Re-run an existing ingestion
      */
-    static async rerun(ingestionId, supabase, userId, opts = {}) {
+    static async rerun(ingestionId, supabase, userId, workspaceId, opts = {}) {
         const { data: ingestion, error } = await supabase
             .from("ingestions")
             .select("*")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (error || !ingestion)
             throw new Error("Ingestion not found");
@@ -747,7 +750,7 @@ export class IngestionService {
         }
         if (isFastPath) {
             const [userPolicies, processingSettingsRow, baselineConfig] = await Promise.all([
-                PolicyLoader.load(false, supabase),
+                PolicyLoader.load(false, supabase, workspaceId),
                 supabase.from("user_settings").select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model, embedding_provider, embedding_model").eq("user_id", userId).maybeSingle(),
                 BaselineConfigService.getActive(supabase, userId),
             ]);
@@ -759,11 +762,11 @@ export class IngestionService {
             const resolvedProvider = llmSettings.llm_provider ?? llmProvider;
             const resolvedModel = llmSettings.llm_model ?? llmModel;
             const runFastPathAttempt = async (attemptContent, attemptType) => {
-                const doc = { filePath, text: attemptContent, ingestionId, userId, supabase };
+                const doc = { filePath, text: attemptContent, ingestionId, userId, workspaceId, supabase };
                 // eslint-disable-next-line @typescript-eslint/no-explicit-any
                 const baselineTrace = [];
                 // Fire and forget Semantic Embedding Storage for re-runs
-                RAGService.chunkAndEmbed(ingestionId, userId, doc.text, supabase, embedSettings).catch(err => {
+                RAGService.chunkAndEmbed(ingestionId, userId, doc.text, supabase, embedSettings, workspaceId).catch(err => {
                     logger.error(`RAG embedding failed during rerun for ${ingestionId}`, err);
                 });
                 baselineTrace.push({
@@ -842,6 +845,7 @@ export class IngestionService {
                     const embeddingMeta = this.queueVlmSemanticEmbedding({
                         ingestionId,
                         userId,
+                        workspaceId,
                         filename,
                         finalStatus,
                         policyName,
@@ -982,7 +986,7 @@ export class IngestionService {
      * Manually assign an ingestion to a policy and optionally persist it as
      * learning feedback for future automatic matching.
      */
-    static async matchToPolicy(ingestionId, policyId, supabase, userId, opts = {}) {
+    static async matchToPolicy(ingestionId, policyId, supabase, userId, workspaceId, opts = {}) {
         const learn = opts.learn !== false;
         const rerun = opts.rerun !== false;
         const allowSideEffects = opts.allowSideEffects === true;
@@ -994,7 +998,7 @@ export class IngestionService {
             .from("ingestions")
             .select("*")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (ingestionError || !ingestion) {
             throw new Error("Ingestion not found");
@@ -1002,7 +1006,7 @@ export class IngestionService {
         if (ingestion.status === "processing" || ingestion.status === "pending") {
             throw new Error("Cannot manually match while ingestion is still processing");
         }
-        const policies = await PolicyLoader.load(false, supabase);
+        const policies = await PolicyLoader.load(false, supabase, workspaceId);
         const policy = policies.find((item) => item.metadata.id === normalizedPolicyId);
         if (!policy) {
             throw new Error(`Policy "${normalizedPolicyId}" was not found or is disabled.`);
@@ -1021,8 +1025,8 @@ export class IngestionService {
                 learn,
                 risky_actions: riskyActions,
             }, supabase);
-            await this.rerun(ingestionId, supabase, userId, { forcedPolicyId: policy.metadata.id });
-            const refreshed = await this.get(ingestionId, supabase, userId);
+            await this.rerun(ingestionId, supabase, userId, workspaceId, { forcedPolicyId: policy.metadata.id });
+            const refreshed = await this.get(ingestionId, supabase, workspaceId);
             if (!refreshed) {
                 throw new Error("Ingestion not found after rerun.");
             }
@@ -1052,7 +1056,7 @@ export class IngestionService {
                 trace: nextTrace,
             })
                 .eq("id", ingestionId)
-                .eq("user_id", userId)
+                .eq("workspace_id", workspaceId)
                 .select("*")
                 .single();
             if (updateError || !updatedIngestion) {
@@ -1071,6 +1075,7 @@ export class IngestionService {
             await PolicyLearningService.recordManualMatch({
                 supabase,
                 userId,
+                workspaceId,
                 ingestion: effectiveIngestion,
                 policyId: policy.metadata.id,
                 policyName: policy.metadata.name,
@@ -1082,7 +1087,7 @@ export class IngestionService {
      * Generate a user-reviewable refinement draft for an existing policy
      * using evidence from a specific ingestion.
      */
-    static async suggestPolicyRefinement(ingestionId, policyId, supabase, userId, opts = {}) {
+    static async suggestPolicyRefinement(ingestionId, policyId, supabase, userId, workspaceId, opts = {}) {
         const normalizedPolicyId = policyId.trim();
         if (!normalizedPolicyId) {
             throw new Error("policy_id is required");
@@ -1091,12 +1096,12 @@ export class IngestionService {
             .from("ingestions")
             .select("id,filename,mime_type,status,tags,summary,extracted,trace")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (ingestionError || !ingestion) {
             throw new Error("Ingestion not found");
         }
-        const policies = await PolicyLoader.load(false, supabase);
+        const policies = await PolicyLoader.load(false, supabase, workspaceId);
         const targetPolicy = policies.find((policy) => policy.metadata.id === normalizedPolicyId);
         if (!targetPolicy) {
             throw new Error(`Policy "${normalizedPolicyId}" was not found or is disabled.`);
@@ -1125,19 +1130,19 @@ export class IngestionService {
         };
     }
     /**
-     * List ingestions for a user, newest first.
+     * List ingestions for an active workspace, newest first.
      * Supports server-side pagination and ILIKE search across native text columns
      * (filename, policy_name, summary). Tags are handled client-side via the
      * filter bar; extracted JSONB search requires a tsvector migration (deferred).
      */
-    static async list(supabase, userId, opts = {}) {
+    static async list(supabase, workspaceId, opts = {}) {
         const { page = 1, pageSize = 20, query } = opts;
         const from = (page - 1) * pageSize;
         const to = from + pageSize - 1;
         let q = supabase
             .from("ingestions")
             .select("*", { count: "exact" })
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .order("created_at", { ascending: false });
         if (query?.trim()) {
             const term = `%${query.trim()}%`;
@@ -1156,24 +1161,24 @@ export class IngestionService {
     /**
      * Get a single ingestion by ID.
      */
-    static async get(id, supabase, userId) {
+    static async get(id, supabase, workspaceId) {
         const { data } = await supabase
             .from("ingestions")
             .select("*")
             .eq("id", id)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         return data;
     }
     /**
      * Delete an ingestion record.
      */
-    static async delete(id, supabase, userId) {
+    static async delete(id, supabase, workspaceId) {
         const { count, error } = await supabase
             .from("ingestions")
             .delete({ count: "exact" })
             .eq("id", id)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
         if (error)
             throw new Error(`Failed to delete ingestion: ${error.message}`);
         return (count ?? 0) > 0;
@@ -1183,12 +1188,12 @@ export class IngestionService {
      * Builds the prompt from already-extracted entities — no file I/O needed.
      * The result is saved back to ingestion.summary so subsequent calls are instant.
      */
-    static async summarize(id, supabase, userId, llmSettings = {}) {
+    static async summarize(id, supabase, userId, workspaceId, llmSettings = {}) {
         const { data: ing } = await supabase
             .from("ingestions")
             .select("id, filename, extracted, summary, status")
             .eq("id", id)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (!ing)
             throw new Error("Ingestion not found");
@@ -1244,7 +1249,7 @@ export class IngestionService {
                 .from("ingestions")
                 .update({ summary })
                 .eq("id", id)
-                .eq("user_id", userId);
+                .eq("workspace_id", workspaceId);
             logger.info(`Summary generated and cached for ingestion ${id}`);
             return summary;
         }

package/dist/api/src/services/PolicyEngine.js

@@ -767,7 +767,7 @@ export class PolicyEngine {
      */
     static async process(doc, settings = {}, baselineEntities = {}) {
         logger.info(`Processing document: ${doc.filePath}`);
-        const policies = await PolicyLoader.load();
+        const policies = await PolicyLoader.load(false, doc.supabase, doc.workspaceId);
         const globalTrace = [{ timestamp: new Date().toISOString(), step: "Loaded policies", details: { count: policies.length } }];
         Actuator.logEvent(doc.ingestionId, doc.userId, "info", "Triage", { action: "Loaded policies", count: policies.length }, doc.supabase);
         for (const policy of policies) {
@@ -841,6 +841,7 @@ export class PolicyEngine {
                 const learned = await PolicyLearningService.resolveLearnedCandidate({
                     supabase: doc.supabase,
                     userId: doc.userId,
+                    workspaceId: doc.workspaceId,
                     policyIds: policies.map((policy) => policy.metadata.id),
                     filePath: doc.filePath,
                     baselineEntities,

package/dist/api/src/services/PolicyLearningService.js

@@ -182,7 +182,14 @@ function buildFromIngestionRow(ingestion) {
 }
 export class PolicyLearningService {
     static async recordManualMatch(opts) {
-        const { supabase, userId, ingestion, policyId, policyName } = opts;
+        const { supabase, userId, workspaceId, ingestion, policyId, policyName } = opts;
+        if (!workspaceId) {
+            logger.warn("Skipping policy learning feedback: missing workspace context", {
+                ingestionId: ingestion.id,
+                policyId,
+            });
+            return;
+        }
         const features = buildFromIngestionRow(ingestion);
         if (features.tokens.length === 0) {
             logger.warn("Skipping policy learning feedback: no usable tokens", {
@@ -192,6 +199,7 @@ export class PolicyLearningService {
             return;
         }
         const row = {
+            workspace_id: workspaceId,
             user_id: userId,
             ingestion_id: ingestion.id,
             policy_id: policyId,
@@ -201,7 +209,7 @@ export class PolicyLearningService {
         };
         const { error } = await supabase
             .from("policy_match_feedback")
-            .upsert(row, { onConflict: "user_id,ingestion_id,policy_id" });
+            .upsert(row, { onConflict: "workspace_id,ingestion_id,policy_id" });
         if (error) {
             logger.error("Failed to save policy match feedback", {
                 ingestionId: ingestion.id,
@@ -217,12 +225,15 @@ export class PolicyLearningService {
         });
     }
     static async getPolicyLearningStats(opts) {
-        const { supabase, userId } = opts;
+        const { supabase, userId, workspaceId } = opts;
+        if (!workspaceId) {
+            return {};
+        }
         const normalizedPolicyIds = (opts.policyIds ?? []).map((id) => id.trim()).filter(Boolean);
         let query = supabase
             .from("policy_match_feedback")
             .select("policy_id,created_at")
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .order("created_at", { ascending: false })
             .limit(5000);
         if (normalizedPolicyIds.length > 0) {
@@ -251,7 +262,7 @@ export class PolicyLearningService {
         return stats;
     }
     static async resolveLearnedCandidate(opts) {
-        const { supabase, userId, policyIds, filePath, baselineEntities, documentText } = opts;
+        const { supabase, userId, workspaceId, policyIds, filePath, baselineEntities, documentText } = opts;
         if (policyIds.length === 0) {
             return {
                 candidate: null,
@@ -263,6 +274,17 @@ export class PolicyLearningService {
                 },
             };
         }
+        if (!workspaceId) {
+            return {
+                candidate: null,
+                diagnostics: {
+                    reason: "no_feedback_samples",
+                    evaluatedPolicies: policyIds.length,
+                    evaluatedSamples: 0,
+                    topCandidates: [],
+                },
+            };
+        }
         const docFeatures = buildFromDocInput({ filePath, baselineEntities, documentText });
         if (docFeatures.tokens.length === 0) {
             return {
@@ -278,7 +300,7 @@ export class PolicyLearningService {
         const { data, error } = await supabase
             .from("policy_match_feedback")
             .select("policy_id,policy_name,features")
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .in("policy_id", policyIds)
             .order("created_at", { ascending: false })
             .limit(400);

package/dist/api/src/services/PolicyLoader.js

@@ -1,7 +1,7 @@
 import { createLogger } from "../utils/logger.js";
 const logger = createLogger("PolicyLoader");
 // ─── Cache ───────────────────────────────────────────────────────────────────
-// Keyed by user_id so one user's policies never bleed into another's.
+// Keyed by workspace_id so one workspace's policies never bleed into another's.
 const _cache = new Map();
 const CACHE_TTL_MS = 30_000;
 // ─── Row → Policy ────────────────────────────────────────────────────────────
@@ -22,19 +22,21 @@ function rowToPolicy(row) {
 // ─── PolicyLoader ────────────────────────────────────────────────────────────
 export class PolicyLoader {
     /**
-     * Load all policies for the authenticated user from Supabase.
+     * Load all policies for the active workspace from Supabase.
      * Returns [] if no Supabase client is provided (unauthenticated state).
      */
-    static async load(forceRefresh = false, supabase) {
+    static async load(forceRefresh = false, supabase, workspaceId) {
         if (!supabase) {
             logger.info("No Supabase client — policies require authentication");
             return [];
         }
-        // Resolve the user ID to scope the cache correctly
-        const { data: { user } } = await supabase.auth.getUser();
-        const userId = user?.id ?? "anonymous";
+        const resolvedWorkspaceId = (workspaceId ?? "").trim();
+        if (!resolvedWorkspaceId) {
+            logger.warn("No workspace context — returning empty policy set");
+            return [];
+        }
         const now = Date.now();
-        const cached = _cache.get(userId);
+        const cached = _cache.get(resolvedWorkspaceId);
         if (!forceRefresh && cached && now - cached.loadedAt < CACHE_TTL_MS) {
             return cached.policies;
         }
@@ -42,13 +44,14 @@ export class PolicyLoader {
             const { data, error } = await supabase
                 .from("policies")
                 .select("*")
+                .eq("workspace_id", resolvedWorkspaceId)
                 .eq("enabled", true)
                 .order("priority", { ascending: false });
             if (error)
                 throw error;
             const policies = (data ?? []).map(rowToPolicy);
-            _cache.set(userId, { policies, loadedAt: Date.now() });
-            logger.info(`Loaded ${policies.length} policies from DB for user ${userId}`);
+            _cache.set(resolvedWorkspaceId, { policies, loadedAt: Date.now() });
+            logger.info(`Loaded ${policies.length} policies from DB for workspace ${resolvedWorkspaceId}`);
             return policies;
         }
         catch (err) {
@@ -56,9 +59,9 @@ export class PolicyLoader {
             return [];
         }
     }
-    static invalidateCache(userId) {
-        if (userId) {
-            _cache.delete(userId);
+    static invalidateCache(workspaceId) {
+        if (workspaceId) {
+            _cache.delete(workspaceId);
         }
         else {
             _cache.clear();
@@ -78,11 +81,12 @@ export class PolicyLoader {
      * Save (upsert) a policy to Supabase.
      * Throws if no Supabase client is available.
      */
-    static async save(policy, supabase, userId) {
-        if (!supabase || !userId) {
+    static async save(policy, supabase, userId, workspaceId) {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to save policies");
         }
         const row = {
+            workspace_id: workspaceId,
             user_id: userId,
             policy_id: policy.metadata.id,
             api_version: policy.apiVersion,
@@ -94,25 +98,25 @@ export class PolicyLoader {
         };
         const { error } = await supabase
             .from("policies")
-            .upsert(row, { onConflict: "user_id,policy_id" });
+            .upsert(row, { onConflict: "workspace_id,policy_id" });
         if (error)
             throw new Error(`Failed to save policy: ${error.message}`);
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         logger.info(`Saved policy to DB: ${policy.metadata.id}`);
         return `db:policies/${policy.metadata.id}`;
     }
     /**
      * Partially update a policy (enabled toggle, name, description, tags, priority).
      */
-    static async patch(policyId, patch, supabase, userId) {
-        if (!supabase || !userId) {
+    static async patch(policyId, patch, supabase, userId, workspaceId) {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to update policies");
         }
         const { data: existing, error: fetchErr } = await supabase
             .from("policies")
             .select("metadata, priority, enabled")
             .eq("policy_id", policyId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (fetchErr || !existing)
             throw new Error("Policy not found");
@@ -131,10 +135,10 @@ export class PolicyLoader {
             priority: patch.priority ?? existing.priority,
         })
             .eq("policy_id", policyId)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
         if (error)
             throw new Error(`Failed to patch policy: ${error.message}`);
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         logger.info(`Patched policy: ${policyId}`);
         return true;
     }
@@ -142,18 +146,18 @@ export class PolicyLoader {
      * Delete a policy by ID from Supabase.
      * Throws if no Supabase client is available.
      */
-    static async delete(policyId, supabase, userId) {
-        if (!supabase || !userId) {
+    static async delete(policyId, supabase, userId, workspaceId) {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to delete policies");
         }
         const { error, count } = await supabase
             .from("policies")
             .delete({ count: "exact" })
             .eq("policy_id", policyId)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
         if (error)
             throw new Error(`Failed to delete policy: ${error.message}`);
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         return (count ?? 0) > 0;
     }
 }

package/dist/api/src/services/RAGService.js

@@ -89,7 +89,7 @@ export class RAGService {
     /**
      * Process an ingested document's raw text: chunk it, embed it, and store in DB.
      */
-    static async chunkAndEmbed(ingestionId, userId, rawText, supabase, settings) {
+    static async chunkAndEmbed(ingestionId, userId, rawText, supabase, settings, workspaceId) {
         if (/^\[VLM_(IMAGE|PDF)_DATA:/.test(rawText)) {
             logger.info(`Skipping chunking and embedding for VLM base64 multimodal data (Ingestion: ${ingestionId})`);
             return;
@@ -100,6 +100,21 @@ export class RAGService {
             return;
         }
         const resolvedModel = await this.resolveEmbeddingModel(settings || {});
+        let resolvedWorkspaceId = (workspaceId ?? "").trim();
+        if (!resolvedWorkspaceId) {
+            const { data: ingestionRow, error: ingestionLookupError } = await supabase
+                .from("ingestions")
+                .select("workspace_id")
+                .eq("id", ingestionId)
+                .maybeSingle();
+            if (ingestionLookupError) {
+                throw new Error(`Failed to resolve workspace for ingestion ${ingestionId}: ${ingestionLookupError.message}`);
+            }
+            resolvedWorkspaceId = String(ingestionRow?.workspace_id ?? "").trim();
+            if (!resolvedWorkspaceId) {
+                throw new Error(`Workspace context is required to index chunks for ingestion ${ingestionId}`);
+            }
+        }
         logger.info(`Extracted ${chunks.length} chunks for ingestion ${ingestionId}. Embedding with ${resolvedModel.provider}/${resolvedModel.model}...`);
         // Global gate: background fire-and-forget jobs are bounded process-wide.
         await this.acquireEmbedJobSlot();
@@ -113,6 +128,7 @@ export class RAGService {
                     const { data: existing } = await supabase
                         .from("document_chunks")
                         .select("id")
+                        .eq("workspace_id", resolvedWorkspaceId)
                         .eq("ingestion_id", ingestionId)
                         .eq("content_hash", hash)
                         .eq("embedding_provider", resolvedModel.provider)
@@ -126,6 +142,7 @@ export class RAGService {
                     const embedding = await this.embedTextWithResolvedModel(content, resolvedModel);
                     const vector_dim = embedding.length;
                     const { error } = await supabase.from("document_chunks").insert({
+                        workspace_id: resolvedWorkspaceId,
                         user_id: userId,
                         ingestion_id: ingestionId,
                         content,
@@ -155,30 +172,44 @@ export class RAGService {
      * Semantically search the document chunks using dynamic pgvector partial indexing.
      */
     static async runSearchForModel(args) {
-        const { userId, supabase, modelScope, queryEmbedding, queryDim, similarityThreshold, topK } = args;
-        const { data, error } = await supabase.rpc("search_documents", {
-            p_user_id: userId,
+        const { userId, workspaceId, supabase, modelScope, queryEmbedding, queryDim, similarityThreshold, topK } = args;
+        const basePayload = {
             p_embedding_provider: modelScope.provider,
             p_embedding_model: modelScope.model,
             query_embedding: queryEmbedding,
             match_threshold: similarityThreshold,
             match_count: topK,
             query_dim: queryDim
-        });
+        };
+        const { data, error } = workspaceId
+            ? await supabase.rpc("search_workspace_documents", {
+                p_workspace_id: workspaceId,
+                ...basePayload
+            })
+            : await supabase.rpc("search_documents", {
+                p_user_id: userId,
+                ...basePayload
+            });
         if (error) {
             throw new Error(`Knowledge base search failed for ${modelScope.provider}/${modelScope.model}: ${error.message}`);
         }
         return (data || []);
     }
-    static async listUserModelScopes(userId, supabase) {
-        const { data, error } = await supabase
+    static async listModelScopes(userId, supabase, workspaceId) {
+        let query = supabase
             .from("document_chunks")
             .select("embedding_provider, embedding_model, vector_dim, created_at")
-            .eq("user_id", userId)
             .order("created_at", { ascending: false })
             .limit(2000);
+        if (workspaceId) {
+            query = query.eq("workspace_id", workspaceId);
+        }
+        else {
+            query = query.eq("user_id", userId);
+        }
+        const { data, error } = await query;
         if (error) {
-            logger.warn("Failed to list user embedding scopes for RAG fallback", { error });
+            logger.warn("Failed to list embedding scopes for RAG fallback", { userId, workspaceId, error });
             return [];
         }
         const scopes = new Map();
@@ -203,7 +234,7 @@ export class RAGService {
         return Array.from(scopes.values());
     }
     static async searchDocuments(query, userId, supabase, options = {}) {
-        const { topK = 5, similarityThreshold = 0.7, settings } = options;
+        const { topK = 5, similarityThreshold = 0.7, settings, workspaceId } = options;
         const minThreshold = Math.max(0.1, Math.min(similarityThreshold, 0.4));
         const thresholdLevels = Array.from(new Set([similarityThreshold, minThreshold]));
         const preferred = await this.resolveEmbeddingModel(settings || {});
@@ -232,6 +263,7 @@ export class RAGService {
             logger.info(`Searching knowledge base (${scope.provider}/${scope.model}, dim=${queryDim}, topK=${topK}, threshold=${threshold})`);
             const hits = await this.runSearchForModel({
                 userId,
+                workspaceId,
                 supabase,
                 modelScope: scope,
                 queryEmbedding,
@@ -268,7 +300,7 @@ export class RAGService {
             });
         }
         if (collected.size === 0) {
-            const scopes = await this.listUserModelScopes(userId, supabase);
+            const scopes = await this.listModelScopes(userId, supabase, workspaceId);
             const fallbackScopes = scopes.filter((scope) => !(scope.provider === preferredScope.provider && scope.model === preferredScope.model));
             for (const scope of fallbackScopes) {
                 try {