@realtimex/folio 0.1.16 → 0.1.17

package/api/src/routes/workspaces.ts

@@ -0,0 +1,290 @@
+import { Router } from "express";
+
+import { config } from "../config/index.js";
+import { optionalAuth } from "../middleware/auth.js";
+import { asyncHandler } from "../middleware/errorHandler.js";
+import { getSupabaseConfigFromHeaders } from "../services/supabase.js";
+
+type WorkspaceRole = "owner" | "admin" | "member";
+type WorkspaceStatus = "active" | "invited" | "disabled";
+
+type WorkspaceMembershipRow = {
+    workspace_id: string;
+    role: WorkspaceRole;
+    status: WorkspaceStatus;
+    created_at: string;
+    updated_at: string;
+};
+
+type WorkspaceRow = {
+    id: string;
+    name: string;
+    owner_user_id: string;
+    created_at: string;
+    updated_at: string;
+};
+
+type WorkspaceMemberRow = {
+    user_id: string;
+    role: WorkspaceRole;
+    status: WorkspaceStatus;
+    joined_at: string;
+    first_name: string | null;
+    last_name: string | null;
+    email: string | null;
+    avatar_url: string | null;
+    is_current_user: boolean;
+};
+
+function mapRpcStatus(errorCode?: string): number {
+    if (errorCode === "42501") return 403;
+    if (errorCode === "22023") return 400;
+    return 500;
+}
+
+const router = Router();
+router.use(optionalAuth);
+
+router.get("/", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const { data: membershipsData, error: membershipsError } = await req.supabase
+        .from("workspace_members")
+        .select("workspace_id,role,status,created_at,updated_at")
+        .eq("user_id", req.user.id)
+        .eq("status", "active")
+        .order("created_at", { ascending: true });
+
+    if (membershipsError) {
+        const code = (membershipsError as { code?: string }).code;
+        // Backward compatibility for projects before workspace migration.
+        if (code === "42P01") {
+            res.json({
+                success: true,
+                workspaces: [],
+                activeWorkspaceId: null,
+                activeWorkspaceRole: null,
+            });
+            return;
+        }
+        res.status(500).json({ success: false, error: membershipsError.message });
+        return;
+    }
+
+    const memberships = (membershipsData ?? []) as WorkspaceMembershipRow[];
+    if (memberships.length === 0) {
+        res.json({
+            success: true,
+            workspaces: [],
+            activeWorkspaceId: null,
+            activeWorkspaceRole: null,
+        });
+        return;
+    }
+
+    const workspaceIds = memberships.map((membership) => membership.workspace_id);
+    const { data: workspaceData, error: workspaceError } = await req.supabase
+        .from("workspaces")
+        .select("id,name,owner_user_id,created_at,updated_at")
+        .in("id", workspaceIds);
+
+    if (workspaceError) {
+        res.status(500).json({ success: false, error: workspaceError.message });
+        return;
+    }
+
+    const workspaceMap = new Map<string, WorkspaceRow>();
+    for (const workspace of (workspaceData ?? []) as WorkspaceRow[]) {
+        workspaceMap.set(workspace.id, workspace);
+    }
+
+    const workspaces = memberships
+        .map((membership) => {
+            const workspace = workspaceMap.get(membership.workspace_id);
+            if (!workspace) return null;
+            return {
+                id: workspace.id,
+                name: workspace.name,
+                owner_user_id: workspace.owner_user_id,
+                created_at: workspace.created_at,
+                updated_at: workspace.updated_at,
+                role: membership.role,
+                membership_status: membership.status,
+                membership_created_at: membership.created_at,
+            };
+        })
+        .filter((workspace): workspace is NonNullable<typeof workspace> => Boolean(workspace));
+
+    const activeWorkspaceId = req.workspaceId ?? workspaces[0]?.id ?? null;
+    const activeWorkspace = workspaces.find((workspace) => workspace.id === activeWorkspaceId) ?? null;
+
+    res.json({
+        success: true,
+        workspaces,
+        activeWorkspaceId,
+        activeWorkspaceRole: activeWorkspace?.role ?? null,
+    });
+}));
+
+router.get("/:workspaceId/members", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const workspaceId = req.params["workspaceId"] as string;
+    if (!workspaceId) {
+        res.status(400).json({ success: false, error: "workspaceId is required" });
+        return;
+    }
+
+    const { data, error } = await req.supabase.rpc("workspace_list_members", {
+        p_workspace_id: workspaceId,
+    });
+
+    if (error) {
+        const status = mapRpcStatus((error as { code?: string }).code);
+        res.status(status).json({ success: false, error: error.message });
+        return;
+    }
+
+    res.json({
+        success: true,
+        members: (data ?? []) as WorkspaceMemberRow[],
+    });
+}));
+
+router.post("/:workspaceId/members/invite", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const workspaceId = req.params["workspaceId"] as string;
+    const email = typeof req.body?.email === "string" ? req.body.email.trim() : "";
+    const role = req.body?.role === "admin" ? "admin" : "member";
+
+    if (!workspaceId) {
+        res.status(400).json({ success: false, error: "workspaceId is required" });
+        return;
+    }
+
+    if (!email) {
+        res.status(400).json({ success: false, error: "email is required" });
+        return;
+    }
+
+    const headerConfig = getSupabaseConfigFromHeaders(req.headers as Record<string, unknown>);
+    const envUrl = config.supabase.url;
+    const envKey = config.supabase.anonKey;
+    const envIsValid = envUrl.startsWith("http://") || envUrl.startsWith("https://");
+    const supabaseUrl = envIsValid && envKey ? envUrl : headerConfig?.url;
+    const anonKey = envIsValid && envKey ? envKey : headerConfig?.anonKey;
+
+    if (!supabaseUrl || !anonKey) {
+        res.status(500).json({ success: false, error: "Supabase config unavailable for invite workflow." });
+        return;
+    }
+
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const response = await fetch(`${supabaseUrl}/functions/v1/workspace-invite`, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Authorization: authHeader,
+            apikey: anonKey,
+        },
+        body: JSON.stringify({
+            workspace_id: workspaceId,
+            email,
+            role,
+        }),
+    });
+
+    const payload = await response.json().catch(() => ({}));
+    if (!response.ok) {
+        res.status(response.status).json({
+            success: false,
+            error: payload?.error?.message || payload?.error || `Invite workflow failed (${response.status})`,
+        });
+        return;
+    }
+
+    res.json(payload);
+}));
+
+router.patch("/:workspaceId/members/:userId", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const workspaceId = req.params["workspaceId"] as string;
+    const userId = req.params["userId"] as string;
+    const role = req.body?.role === "admin" ? "admin" : req.body?.role === "member" ? "member" : "";
+
+    if (!workspaceId || !userId) {
+        res.status(400).json({ success: false, error: "workspaceId and userId are required" });
+        return;
+    }
+
+    if (!role) {
+        res.status(400).json({ success: false, error: "role must be admin or member" });
+        return;
+    }
+
+    const { data, error } = await req.supabase.rpc("workspace_update_member_role", {
+        p_workspace_id: workspaceId,
+        p_target_user_id: userId,
+        p_role: role,
+    });
+
+    if (error) {
+        const status = mapRpcStatus((error as { code?: string }).code);
+        res.status(status).json({ success: false, error: error.message });
+        return;
+    }
+
+    res.json({
+        success: true,
+        member: Array.isArray(data) ? data[0] ?? null : null,
+    });
+}));
+
+router.delete("/:workspaceId/members/:userId", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+
+    const workspaceId = req.params["workspaceId"] as string;
+    const userId = req.params["userId"] as string;
+
+    if (!workspaceId || !userId) {
+        res.status(400).json({ success: false, error: "workspaceId and userId are required" });
+        return;
+    }
+
+    const { data, error } = await req.supabase.rpc("workspace_remove_member", {
+        p_workspace_id: workspaceId,
+        p_target_user_id: userId,
+    });
+
+    if (error) {
+        const status = mapRpcStatus((error as { code?: string }).code);
+        res.status(status).json({ success: false, error: error.message });
+        return;
+    }
+
+    res.json({ success: true, removed: data === true });
+}));
+
+export default router;

package/api/src/services/ChatService.ts

@@ -24,7 +24,8 @@ export class ChatService {
         sessionId: string,
         userId: string,
         content: string,
-        supabase: SupabaseClient
+        supabase: SupabaseClient,
+        workspaceId?: string
     ): Promise<Message> {
         // 1. Get User/Session Settings (Models to use)
         const { data: settings } = await supabase
@@ -75,7 +76,12 @@ export class ChatService {
                 content,
                 userId,
                 supabase,
-                { topK: 5, similarityThreshold: 0.65, settings: embedSettings }
+                {
+                    topK: 5,
+                    similarityThreshold: 0.65,
+                    settings: embedSettings,
+                    workspaceId
+                }
             );
             Actuator.logEvent(null, userId, "analysis", "RAG Retrieval", {
                 action: "RAG query response",

package/api/src/services/IngestionService.ts

@@ -199,6 +199,7 @@ export class IngestionService {
     private static queueVlmSemanticEmbedding(opts: {
         ingestionId: string;
         userId: string;
+        workspaceId: string;
         filename: string;
         finalStatus: string;
         policyName?: string;
@@ -232,7 +233,8 @@ export class IngestionService {
             opts.userId,
             syntheticText,
             opts.supabase,
-            opts.embedSettings
+            opts.embedSettings,
+            opts.workspaceId
         ).then(() => {
             Actuator.logEvent(opts.ingestionId, opts.userId, "analysis", "RAG Embedding", {
                 action: "Completed synthetic VLM embedding",
@@ -364,6 +366,7 @@ export class IngestionService {
     static async ingest(opts: {
         supabase: SupabaseClient;
         userId: string;
+        workspaceId: string;
         filename: string;
         mimeType?: string;
         fileSize?: number;
@@ -372,14 +375,14 @@ export class IngestionService {
         content: string;
         fileHash?: string;
     }): Promise<Ingestion> {
-        const { supabase, userId, filename, mimeType, fileSize, source = "upload", filePath, content, fileHash } = opts;
+        const { supabase, userId, workspaceId, filename, mimeType, fileSize, source = "upload", filePath, content, fileHash } = opts;
 
         // Duplicate detection — check if this exact file content was already ingested
         if (fileHash) {
             const { data: existing } = await supabase
                 .from("ingestions")
                 .select("id, filename, created_at")
-                .eq("user_id", userId)
+                .eq("workspace_id", workspaceId)
                 .eq("file_hash", fileHash)
                 .eq("status", "matched")
                 .order("created_at", { ascending: true })
@@ -391,6 +394,7 @@ export class IngestionService {
                 const { data: dupIngestion } = await supabase
                     .from("ingestions")
                     .insert({
+                        workspace_id: workspaceId,
                         user_id: userId,
                         source,
                         filename,
@@ -411,6 +415,7 @@ export class IngestionService {
         const { data: ingestion, error: insertErr } = await supabase
             .from("ingestions")
             .insert({
+                workspace_id: workspaceId,
                 user_id: userId,
                 source,
                 filename,
@@ -513,7 +518,7 @@ export class IngestionService {
             try {
                 // 3. Fast Path — fetch all dependencies in parallel
                 const [userPolicies, processingSettingsRow, baselineConfig] = await Promise.all([
-                    PolicyLoader.load(false, supabase),
+                    PolicyLoader.load(false, supabase, workspaceId),
                     supabase.from("user_settings").select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model, embedding_provider, embedding_model").eq("user_id", userId).maybeSingle(),
                     BaselineConfigService.getActive(supabase, userId),
                 ]);
@@ -529,12 +534,12 @@ export class IngestionService {
                     attemptContent: string,
                     attemptType: "primary" | "reencoded_image_retry"
                 ): Promise<Ingestion> => {
-                    const doc = { filePath: filePath, text: attemptContent, ingestionId: ingestion.id, userId, supabase };
+                    const doc = { filePath: filePath, text: attemptContent, ingestionId: ingestion.id, userId, workspaceId, supabase };
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     const baselineTrace: Array<{ timestamp: string; step: string; details?: any }> = [];
 
                     // Fire and forget Semantic Embedding Storage
-                    RAGService.chunkAndEmbed(ingestion.id, userId, doc.text, supabase, embedSettings).catch(err => {
+                    RAGService.chunkAndEmbed(ingestion.id, userId, doc.text, supabase, embedSettings, workspaceId).catch(err => {
                         logger.error(`RAG embedding failed for ${ingestion.id}`, err);
                     });
 
@@ -614,6 +619,7 @@ export class IngestionService {
                         const embeddingMeta = this.queueVlmSemanticEmbedding({
                             ingestionId: ingestion.id,
                             userId,
+                            workspaceId,
                             filename,
                             finalStatus,
                             policyName,
@@ -788,13 +794,14 @@ export class IngestionService {
         ingestionId: string,
         supabase: SupabaseClient,
         userId: string,
+        workspaceId: string,
         opts: { forcedPolicyId?: string } = {}
     ): Promise<boolean> {
         const { data: ingestion, error } = await supabase
             .from("ingestions")
             .select("*")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
 
         if (error || !ingestion) throw new Error("Ingestion not found");
@@ -889,7 +896,7 @@ export class IngestionService {
 
         if (isFastPath) {
             const [userPolicies, processingSettingsRow, baselineConfig] = await Promise.all([
-                PolicyLoader.load(false, supabase),
+                PolicyLoader.load(false, supabase, workspaceId),
                 supabase.from("user_settings").select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model, embedding_provider, embedding_model").eq("user_id", userId).maybeSingle(),
                 BaselineConfigService.getActive(supabase, userId),
             ]);
@@ -905,12 +912,12 @@ export class IngestionService {
                 attemptContent: string,
                 attemptType: "primary" | "reencoded_image_retry"
             ): Promise<boolean> => {
-                const doc = { filePath, text: attemptContent, ingestionId, userId, supabase };
+                const doc = { filePath, text: attemptContent, ingestionId, userId, workspaceId, supabase };
                 // eslint-disable-next-line @typescript-eslint/no-explicit-any
                 const baselineTrace: Array<{ timestamp: string; step: string; details?: any }> = [];
 
                 // Fire and forget Semantic Embedding Storage for re-runs
-                RAGService.chunkAndEmbed(ingestionId, userId, doc.text, supabase, embedSettings).catch(err => {
+                RAGService.chunkAndEmbed(ingestionId, userId, doc.text, supabase, embedSettings, workspaceId).catch(err => {
                     logger.error(`RAG embedding failed during rerun for ${ingestionId}`, err);
                 });
 
@@ -1008,6 +1015,7 @@ export class IngestionService {
                     const embeddingMeta = this.queueVlmSemanticEmbedding({
                         ingestionId,
                         userId,
+                        workspaceId,
                         filename,
                         finalStatus,
                         policyName,
@@ -1159,6 +1167,7 @@ export class IngestionService {
         policyId: string,
         supabase: SupabaseClient,
         userId: string,
+        workspaceId: string,
         opts: { learn?: boolean; rerun?: boolean; allowSideEffects?: boolean } = {}
     ): Promise<Ingestion> {
         const learn = opts.learn !== false;
@@ -1173,7 +1182,7 @@ export class IngestionService {
             .from("ingestions")
             .select("*")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         if (ingestionError || !ingestion) {
             throw new Error("Ingestion not found");
@@ -1183,7 +1192,7 @@ export class IngestionService {
             throw new Error("Cannot manually match while ingestion is still processing");
         }
 
-        const policies = await PolicyLoader.load(false, supabase);
+        const policies = await PolicyLoader.load(false, supabase, workspaceId);
         const policy = policies.find((item) => item.metadata.id === normalizedPolicyId);
         if (!policy) {
             throw new Error(`Policy "${normalizedPolicyId}" was not found or is disabled.`);
@@ -1207,8 +1216,8 @@ export class IngestionService {
                 risky_actions: riskyActions,
             }, supabase);
 
-            await this.rerun(ingestionId, supabase, userId, { forcedPolicyId: policy.metadata.id });
-            const refreshed = await this.get(ingestionId, supabase, userId);
+            await this.rerun(ingestionId, supabase, userId, workspaceId, { forcedPolicyId: policy.metadata.id });
+            const refreshed = await this.get(ingestionId, supabase, workspaceId);
             if (!refreshed) {
                 throw new Error("Ingestion not found after rerun.");
             }
@@ -1238,7 +1247,7 @@ export class IngestionService {
                     trace: nextTrace,
                 })
                 .eq("id", ingestionId)
-                .eq("user_id", userId)
+                .eq("workspace_id", workspaceId)
                 .select("*")
                 .single();
 
@@ -1260,6 +1269,7 @@ export class IngestionService {
             await PolicyLearningService.recordManualMatch({
                 supabase,
                 userId,
+                workspaceId,
                 ingestion: effectiveIngestion,
                 policyId: policy.metadata.id,
                 policyName: policy.metadata.name,
@@ -1278,6 +1288,7 @@ export class IngestionService {
         policyId: string,
         supabase: SupabaseClient,
         userId: string,
+        workspaceId: string,
         opts: { provider?: string; model?: string } = {}
     ): Promise<{ policy: FolioPolicy; rationale: string[] }> {
         const normalizedPolicyId = policyId.trim();
@@ -1289,14 +1300,14 @@ export class IngestionService {
             .from("ingestions")
             .select("id,filename,mime_type,status,tags,summary,extracted,trace")
             .eq("id", ingestionId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
 
         if (ingestionError || !ingestion) {
             throw new Error("Ingestion not found");
         }
 
-        const policies = await PolicyLoader.load(false, supabase);
+        const policies = await PolicyLoader.load(false, supabase, workspaceId);
         const targetPolicy = policies.find((policy) => policy.metadata.id === normalizedPolicyId);
         if (!targetPolicy) {
             throw new Error(`Policy "${normalizedPolicyId}" was not found or is disabled.`);
@@ -1333,14 +1344,14 @@ export class IngestionService {
     }
 
     /**
-     * List ingestions for a user, newest first.
+     * List ingestions for an active workspace, newest first.
      * Supports server-side pagination and ILIKE search across native text columns
      * (filename, policy_name, summary). Tags are handled client-side via the
      * filter bar; extracted JSONB search requires a tsvector migration (deferred).
      */
     static async list(
         supabase: SupabaseClient,
-        userId: string,
+        workspaceId: string,
         opts: { page?: number; pageSize?: number; query?: string } = {}
     ): Promise<{ ingestions: Ingestion[]; total: number }> {
         const { page = 1, pageSize = 20, query } = opts;
@@ -1350,7 +1361,7 @@ export class IngestionService {
         let q = supabase
             .from("ingestions")
             .select("*", { count: "exact" })
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .order("created_at", { ascending: false });
 
         if (query?.trim()) {
@@ -1374,12 +1385,12 @@ export class IngestionService {
     /**
      * Get a single ingestion by ID.
      */
-    static async get(id: string, supabase: SupabaseClient, userId: string): Promise<Ingestion | null> {
+    static async get(id: string, supabase: SupabaseClient, workspaceId: string): Promise<Ingestion | null> {
         const { data } = await supabase
             .from("ingestions")
             .select("*")
             .eq("id", id)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
         return data as Ingestion | null;
     }
@@ -1387,12 +1398,12 @@ export class IngestionService {
     /**
      * Delete an ingestion record.
      */
-    static async delete(id: string, supabase: SupabaseClient, userId: string): Promise<boolean> {
+    static async delete(id: string, supabase: SupabaseClient, workspaceId: string): Promise<boolean> {
         const { count, error } = await supabase
             .from("ingestions")
             .delete({ count: "exact" })
             .eq("id", id)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
 
         if (error) throw new Error(`Failed to delete ingestion: ${error.message}`);
         return (count ?? 0) > 0;
@@ -1407,13 +1418,14 @@ export class IngestionService {
         id: string,
         supabase: SupabaseClient,
         userId: string,
+        workspaceId: string,
         llmSettings: { llm_provider?: string; llm_model?: string } = {}
     ): Promise<string | null> {
         const { data: ing } = await supabase
             .from("ingestions")
             .select("id, filename, extracted, summary, status")
             .eq("id", id)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
 
         if (!ing) throw new Error("Ingestion not found");
@@ -1481,7 +1493,7 @@ export class IngestionService {
                 .from("ingestions")
                 .update({ summary })
                 .eq("id", id)
-                .eq("user_id", userId);
+                .eq("workspace_id", workspaceId);
 
             logger.info(`Summary generated and cached for ingestion ${id}`);
             return summary;

package/api/src/services/PolicyEngine.ts

@@ -23,6 +23,8 @@ export interface DocumentObject {
     ingestionId: string;
     /** ID of the user */
     userId: string;
+    /** Active workspace scope for this ingestion */
+    workspaceId?: string;
     /** Authenticated Supabase client used for RLS-safe event writes */
     supabase?: SupabaseClient;
 }
@@ -942,7 +944,7 @@ export class PolicyEngine {
      */
     static async process(doc: DocumentObject, settings: { llm_provider?: string; llm_model?: string } = {}, baselineEntities: Record<string, unknown> = {}): Promise<ProcessingResult> {
         logger.info(`Processing document: ${doc.filePath}`);
-        const policies = await PolicyLoader.load();
+        const policies = await PolicyLoader.load(false, doc.supabase, doc.workspaceId);
         const globalTrace: TraceLog[] = [{ timestamp: new Date().toISOString(), step: "Loaded policies", details: { count: policies.length } }];
         Actuator.logEvent(doc.ingestionId, doc.userId, "info", "Triage", { action: "Loaded policies", count: policies.length }, doc.supabase);
 
@@ -1034,6 +1036,7 @@ export class PolicyEngine {
                 const learned = await PolicyLearningService.resolveLearnedCandidate({
                     supabase: doc.supabase,
                     userId: doc.userId,
+                    workspaceId: doc.workspaceId,
                     policyIds: policies.map((policy) => policy.metadata.id),
                     filePath: doc.filePath,
                     baselineEntities,