@realtimex/folio 0.1.16 → 0.1.17

package/api/src/services/PolicyLearningService.ts

@@ -276,11 +276,19 @@ export class PolicyLearningService {
     static async recordManualMatch(opts: {
         supabase: SupabaseClient;
         userId: string;
+        workspaceId?: string;
         ingestion: IngestionLike;
         policyId: string;
         policyName?: string;
     }): Promise<void> {
-        const { supabase, userId, ingestion, policyId, policyName } = opts;
+        const { supabase, userId, workspaceId, ingestion, policyId, policyName } = opts;
+        if (!workspaceId) {
+            logger.warn("Skipping policy learning feedback: missing workspace context", {
+                ingestionId: ingestion.id,
+                policyId,
+            });
+            return;
+        }
         const features = buildFromIngestionRow(ingestion);
 
         if (features.tokens.length === 0) {
@@ -292,6 +300,7 @@ export class PolicyLearningService {
         }
 
         const row = {
+            workspace_id: workspaceId,
             user_id: userId,
             ingestion_id: ingestion.id,
             policy_id: policyId,
@@ -302,7 +311,7 @@ export class PolicyLearningService {
 
         const { error } = await supabase
             .from("policy_match_feedback")
-            .upsert(row, { onConflict: "user_id,ingestion_id,policy_id" });
+            .upsert(row, { onConflict: "workspace_id,ingestion_id,policy_id" });
 
         if (error) {
             logger.error("Failed to save policy match feedback", {
@@ -323,15 +332,19 @@ export class PolicyLearningService {
     static async getPolicyLearningStats(opts: {
         supabase: SupabaseClient;
         userId: string;
+        workspaceId?: string;
         policyIds?: string[];
     }): Promise<PolicyLearningStats> {
-        const { supabase, userId } = opts;
+        const { supabase, userId, workspaceId } = opts;
+        if (!workspaceId) {
+            return {};
+        }
         const normalizedPolicyIds = (opts.policyIds ?? []).map((id) => id.trim()).filter(Boolean);
 
         let query = supabase
             .from("policy_match_feedback")
             .select("policy_id,created_at")
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .order("created_at", { ascending: false })
             .limit(5000);
 
@@ -366,12 +379,13 @@ export class PolicyLearningService {
     static async resolveLearnedCandidate(opts: {
         supabase: SupabaseClient;
         userId: string;
+        workspaceId?: string;
         policyIds: string[];
         filePath: string;
         baselineEntities: Record<string, unknown>;
         documentText?: string;
     }): Promise<LearnedCandidateResolution> {
-        const { supabase, userId, policyIds, filePath, baselineEntities, documentText } = opts;
+        const { supabase, userId, workspaceId, policyIds, filePath, baselineEntities, documentText } = opts;
         if (policyIds.length === 0) {
             return {
                 candidate: null,
@@ -383,6 +397,17 @@ export class PolicyLearningService {
                 },
             };
         }
+        if (!workspaceId) {
+            return {
+                candidate: null,
+                diagnostics: {
+                    reason: "no_feedback_samples",
+                    evaluatedPolicies: policyIds.length,
+                    evaluatedSamples: 0,
+                    topCandidates: [],
+                },
+            };
+        }
 
         const docFeatures = buildFromDocInput({ filePath, baselineEntities, documentText });
         if (docFeatures.tokens.length === 0) {
@@ -400,7 +425,7 @@ export class PolicyLearningService {
         const { data, error } = await supabase
             .from("policy_match_feedback")
             .select("policy_id,policy_name,features")
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .in("policy_id", policyIds)
             .order("created_at", { ascending: false })
             .limit(400);

package/api/src/services/PolicyLoader.ts

@@ -63,7 +63,7 @@ export interface FolioPolicy {
 }
 
 // ─── Cache ───────────────────────────────────────────────────────────────────
-// Keyed by user_id so one user's policies never bleed into another's.
+// Keyed by workspace_id so one workspace's policies never bleed into another's.
 
 const _cache = new Map<string, { policies: FolioPolicy[]; loadedAt: number }>();
 const CACHE_TTL_MS = 30_000;
@@ -90,21 +90,27 @@ function rowToPolicy(row: any): FolioPolicy {
 export class PolicyLoader {
 
     /**
-     * Load all policies for the authenticated user from Supabase.
+     * Load all policies for the active workspace from Supabase.
      * Returns [] if no Supabase client is provided (unauthenticated state).
      */
-    static async load(forceRefresh = false, supabase?: SupabaseClient | null): Promise<FolioPolicy[]> {
+    static async load(
+        forceRefresh = false,
+        supabase?: SupabaseClient | null,
+        workspaceId?: string
+    ): Promise<FolioPolicy[]> {
         if (!supabase) {
             logger.info("No Supabase client — policies require authentication");
             return [];
         }
 
-        // Resolve the user ID to scope the cache correctly
-        const { data: { user } } = await supabase.auth.getUser();
-        const userId = user?.id ?? "anonymous";
+        const resolvedWorkspaceId = (workspaceId ?? "").trim();
+        if (!resolvedWorkspaceId) {
+            logger.warn("No workspace context — returning empty policy set");
+            return [];
+        }
 
         const now = Date.now();
-        const cached = _cache.get(userId);
+        const cached = _cache.get(resolvedWorkspaceId);
         if (!forceRefresh && cached && now - cached.loadedAt < CACHE_TTL_MS) {
             return cached.policies;
         }
@@ -113,14 +119,15 @@ export class PolicyLoader {
             const { data, error } = await supabase
                 .from("policies")
                 .select("*")
+                .eq("workspace_id", resolvedWorkspaceId)
                 .eq("enabled", true)
                 .order("priority", { ascending: false });
 
             if (error) throw error;
 
             const policies = (data ?? []).map(rowToPolicy);
-            _cache.set(userId, { policies, loadedAt: Date.now() });
-            logger.info(`Loaded ${policies.length} policies from DB for user ${userId}`);
+            _cache.set(resolvedWorkspaceId, { policies, loadedAt: Date.now() });
+            logger.info(`Loaded ${policies.length} policies from DB for workspace ${resolvedWorkspaceId}`);
             return policies;
         } catch (err) {
             logger.error("Failed to load policies from DB", { err });
@@ -128,9 +135,9 @@ export class PolicyLoader {
         }
     }
 
-    static invalidateCache(userId?: string) {
-        if (userId) {
-            _cache.delete(userId);
+    static invalidateCache(workspaceId?: string) {
+        if (workspaceId) {
+            _cache.delete(workspaceId);
         } else {
             _cache.clear();
         }
@@ -152,12 +159,18 @@ export class PolicyLoader {
      * Save (upsert) a policy to Supabase.
      * Throws if no Supabase client is available.
      */
-    static async save(policy: FolioPolicy, supabase?: SupabaseClient | null, userId?: string): Promise<string> {
-        if (!supabase || !userId) {
+    static async save(
+        policy: FolioPolicy,
+        supabase?: SupabaseClient | null,
+        userId?: string,
+        workspaceId?: string
+    ): Promise<string> {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to save policies");
         }
 
         const row = {
+            workspace_id: workspaceId,
             user_id: userId,
             policy_id: policy.metadata.id,
             api_version: policy.apiVersion,
@@ -170,11 +183,11 @@ export class PolicyLoader {
 
         const { error } = await supabase
             .from("policies")
-            .upsert(row, { onConflict: "user_id,policy_id" });
+            .upsert(row, { onConflict: "workspace_id,policy_id" });
 
         if (error) throw new Error(`Failed to save policy: ${error.message}`);
 
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         logger.info(`Saved policy to DB: ${policy.metadata.id}`);
         return `db:policies/${policy.metadata.id}`;
     }
@@ -186,9 +199,10 @@ export class PolicyLoader {
         policyId: string,
         patch: { enabled?: boolean; name?: string; description?: string; tags?: string[]; priority?: number },
         supabase?: SupabaseClient | null,
-        userId?: string
+        userId?: string,
+        workspaceId?: string
     ): Promise<boolean> {
-        if (!supabase || !userId) {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to update policies");
         }
 
@@ -196,7 +210,7 @@ export class PolicyLoader {
             .from("policies")
             .select("metadata, priority, enabled")
             .eq("policy_id", policyId)
-            .eq("user_id", userId)
+            .eq("workspace_id", workspaceId)
             .single();
 
         if (fetchErr || !existing) throw new Error("Policy not found");
@@ -217,11 +231,11 @@ export class PolicyLoader {
                 priority: patch.priority ?? existing.priority,
             })
             .eq("policy_id", policyId)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
 
         if (error) throw new Error(`Failed to patch policy: ${error.message}`);
 
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         logger.info(`Patched policy: ${policyId}`);
         return true;
     }
@@ -230,8 +244,13 @@ export class PolicyLoader {
      * Delete a policy by ID from Supabase.
      * Throws if no Supabase client is available.
      */
-    static async delete(policyId: string, supabase?: SupabaseClient | null, userId?: string): Promise<boolean> {
-        if (!supabase || !userId) {
+    static async delete(
+        policyId: string,
+        supabase?: SupabaseClient | null,
+        userId?: string,
+        workspaceId?: string
+    ): Promise<boolean> {
+        if (!supabase || !userId || !workspaceId) {
             throw new Error("Authentication required to delete policies");
         }
 
@@ -239,11 +258,11 @@ export class PolicyLoader {
             .from("policies")
             .delete({ count: "exact" })
             .eq("policy_id", policyId)
-            .eq("user_id", userId);
+            .eq("workspace_id", workspaceId);
 
         if (error) throw new Error(`Failed to delete policy: ${error.message}`);
 
-        this.invalidateCache();
+        this.invalidateCache(workspaceId);
         return (count ?? 0) > 0;
     }
 }

package/api/src/services/RAGService.ts

@@ -133,7 +133,8 @@ export class RAGService {
         userId: string,
         rawText: string,
         supabase: SupabaseClient,
-        settings?: EmbeddingSettings
+        settings?: EmbeddingSettings,
+        workspaceId?: string
     ): Promise<void> {
         if (/^\[VLM_(IMAGE|PDF)_DATA:/.test(rawText)) {
             logger.info(`Skipping chunking and embedding for VLM base64 multimodal data (Ingestion: ${ingestionId})`);
@@ -147,6 +148,22 @@ export class RAGService {
         }
 
         const resolvedModel = await this.resolveEmbeddingModel(settings || {});
+        let resolvedWorkspaceId = (workspaceId ?? "").trim();
+        if (!resolvedWorkspaceId) {
+            const { data: ingestionRow, error: ingestionLookupError } = await supabase
+                .from("ingestions")
+                .select("workspace_id")
+                .eq("id", ingestionId)
+                .maybeSingle();
+            if (ingestionLookupError) {
+                throw new Error(`Failed to resolve workspace for ingestion ${ingestionId}: ${ingestionLookupError.message}`);
+            }
+            resolvedWorkspaceId = String(ingestionRow?.workspace_id ?? "").trim();
+            if (!resolvedWorkspaceId) {
+                throw new Error(`Workspace context is required to index chunks for ingestion ${ingestionId}`);
+            }
+        }
+
         logger.info(
             `Extracted ${chunks.length} chunks for ingestion ${ingestionId}. Embedding with ${resolvedModel.provider}/${resolvedModel.model}...`
         );
@@ -164,6 +181,7 @@ export class RAGService {
                     const { data: existing } = await supabase
                         .from("document_chunks")
                         .select("id")
+                        .eq("workspace_id", resolvedWorkspaceId)
                         .eq("ingestion_id", ingestionId)
                         .eq("content_hash", hash)
                         .eq("embedding_provider", resolvedModel.provider)
@@ -181,6 +199,7 @@ export class RAGService {
                     const vector_dim = embedding.length;
 
                     const { error } = await supabase.from("document_chunks").insert({
+                        workspace_id: resolvedWorkspaceId,
                         user_id: userId,
                         ingestion_id: ingestionId,
                         content,
@@ -212,6 +231,7 @@ export class RAGService {
      */
     private static async runSearchForModel(args: {
         userId: string;
+        workspaceId?: string;
         supabase: SupabaseClient;
         modelScope: ModelScope;
         queryEmbedding: number[];
@@ -219,17 +239,26 @@ export class RAGService {
         similarityThreshold: number;
         topK: number;
     }): Promise<RetrievedChunk[]> {
-        const { userId, supabase, modelScope, queryEmbedding, queryDim, similarityThreshold, topK } = args;
+        const { userId, workspaceId, supabase, modelScope, queryEmbedding, queryDim, similarityThreshold, topK } = args;
 
-        const { data, error } = await supabase.rpc("search_documents", {
-            p_user_id: userId,
+        const basePayload = {
             p_embedding_provider: modelScope.provider,
             p_embedding_model: modelScope.model,
             query_embedding: queryEmbedding,
             match_threshold: similarityThreshold,
             match_count: topK,
             query_dim: queryDim
-        });
+        };
+
+        const { data, error } = workspaceId
+            ? await supabase.rpc("search_workspace_documents", {
+                p_workspace_id: workspaceId,
+                ...basePayload
+            })
+            : await supabase.rpc("search_documents", {
+                p_user_id: userId,
+                ...basePayload
+            });
 
         if (error) {
             throw new Error(`Knowledge base search failed for ${modelScope.provider}/${modelScope.model}: ${error.message}`);
@@ -238,19 +267,27 @@ export class RAGService {
         return (data || []) as RetrievedChunk[];
     }
 
-    private static async listUserModelScopes(
+    private static async listModelScopes(
         userId: string,
-        supabase: SupabaseClient
+        supabase: SupabaseClient,
+        workspaceId?: string
     ): Promise<ModelScope[]> {
-        const { data, error } = await supabase
+        let query = supabase
             .from("document_chunks")
             .select("embedding_provider, embedding_model, vector_dim, created_at")
-            .eq("user_id", userId)
             .order("created_at", { ascending: false })
             .limit(2000);
 
+        if (workspaceId) {
+            query = query.eq("workspace_id", workspaceId);
+        } else {
+            query = query.eq("user_id", userId);
+        }
+
+        const { data, error } = await query;
+
         if (error) {
-            logger.warn("Failed to list user embedding scopes for RAG fallback", { error });
+            logger.warn("Failed to list embedding scopes for RAG fallback", { userId, workspaceId, error });
             return [];
         }
 
@@ -284,12 +321,14 @@ export class RAGService {
             topK?: number;
             similarityThreshold?: number;
             settings?: EmbeddingSettings;
+            workspaceId?: string;
         } = {}
     ): Promise<RetrievedChunk[]> {
         const {
             topK = 5,
             similarityThreshold = 0.7,
-            settings
+            settings,
+            workspaceId
         } = options;
 
         const minThreshold = Math.max(0.1, Math.min(similarityThreshold, 0.4));
@@ -325,6 +364,7 @@ export class RAGService {
 
             const hits = await this.runSearchForModel({
                 userId,
+                workspaceId,
                 supabase,
                 modelScope: scope,
                 queryEmbedding,
@@ -363,7 +403,7 @@ export class RAGService {
         }
 
         if (collected.size === 0) {
-            const scopes = await this.listUserModelScopes(userId, supabase);
+            const scopes = await this.listModelScopes(userId, supabase, workspaceId);
             const fallbackScopes = scopes.filter(
                 (scope) => !(scope.provider === preferredScope.provider && scope.model === preferredScope.model)
             );

package/dist/api/src/middleware/auth.js

@@ -14,6 +14,55 @@ function resolveSupabaseConfig(req) {
     }
     return headerConfig;
 }
+function resolvePreferredWorkspaceId(req) {
+    const raw = req.headers["x-workspace-id"];
+    if (typeof raw === "string") {
+        const trimmed = raw.trim();
+        return trimmed.length > 0 ? trimmed : null;
+    }
+    if (Array.isArray(raw) && typeof raw[0] === "string") {
+        const trimmed = raw[0].trim();
+        return trimmed.length > 0 ? trimmed : null;
+    }
+    return null;
+}
+async function resolveWorkspaceContext(req, supabase, user) {
+    const preferredWorkspaceId = resolvePreferredWorkspaceId(req);
+    const { data, error } = await supabase
+        .from("workspace_members")
+        .select("workspace_id,role,status,created_at")
+        .eq("user_id", user.id)
+        .eq("status", "active")
+        .order("created_at", { ascending: true });
+    if (error) {
+        const errorCode = error.code;
+        // Backward compatibility: allow projects that haven't migrated yet.
+        if (errorCode === "42P01") {
+            return null;
+        }
+        throw new AuthorizationError(`Failed to resolve workspace membership: ${error.message}`);
+    }
+    const memberships = (data ?? []);
+    if (memberships.length === 0) {
+        return null;
+    }
+    if (preferredWorkspaceId) {
+        const preferred = memberships.find((membership) => membership.workspace_id === preferredWorkspaceId);
+        if (preferred) {
+            return {
+                workspaceId: preferred.workspace_id,
+                workspaceRole: preferred.role,
+            };
+        }
+    }
+    const active = memberships[0];
+    if (!active)
+        return null;
+    return {
+        workspaceId: active.workspace_id,
+        workspaceRole: active.role,
+    };
+}
 export async function authMiddleware(req, _res, next) {
     try {
         const supabaseConfig = resolveSupabaseConfig(req);
@@ -38,6 +87,11 @@ export async function authMiddleware(req, _res, next) {
                 });
             req.user = user;
             req.supabase = supabase;
+            const workspace = await resolveWorkspaceContext(req, supabase, user);
+            if (workspace) {
+                req.workspaceId = workspace.workspaceId;
+                req.workspaceRole = workspace.workspaceRole;
+            }
             Logger.setPersistence(supabase, user.id);
             return next();
         }
@@ -59,6 +113,11 @@ export async function authMiddleware(req, _res, next) {
         }
         req.user = user;
         req.supabase = supabase;
+        const workspace = await resolveWorkspaceContext(req, supabase, user);
+        if (workspace) {
+            req.workspaceId = workspace.workspaceId;
+            req.workspaceRole = workspace.workspaceRole;
+        }
         Logger.setPersistence(supabase, user.id);
         next();
     }

package/dist/api/src/routes/chat.js

@@ -103,7 +103,7 @@ router.post("/message", asyncHandler(async (req, res) => {
         await req.supabase.from("chat_sessions").update({ title }).eq("id", normalizedSessionId);
     }
     try {
-        const aiMessage = await ChatService.handleMessage(normalizedSessionId, req.user.id, trimmedContent, req.supabase);
+        const aiMessage = await ChatService.handleMessage(normalizedSessionId, req.user.id, trimmedContent, req.supabase, req.workspaceId);
         res.json({ success: true, message: aiMessage });
     }
     catch (error) {

package/dist/api/src/routes/index.js

@@ -13,6 +13,7 @@ import settingsRoutes from "./settings.js";
 import rulesRoutes from "./rules.js";
 import chatRoutes from "./chat.js";
 import statsRoutes from "./stats.js";
+import workspaceRoutes from "./workspaces.js";
 const router = Router();
 router.use("/health", healthRoutes);
 router.use("/migrate", migrateRoutes);
@@ -28,4 +29,5 @@ router.use("/settings", settingsRoutes);
 router.use("/rules", rulesRoutes);
 router.use("/chat", chatRoutes);
 router.use("/stats", statsRoutes);
+router.use("/workspaces", workspaceRoutes);
 export default router;

package/dist/api/src/routes/ingestions.js

@@ -17,10 +17,14 @@ router.get("/", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const page = Math.max(1, parseInt(req.query["page"]) || 1);
     const pageSize = Math.min(100, Math.max(1, parseInt(req.query["pageSize"]) || 20));
     const query = req.query["q"]?.trim() || undefined;
-    const { ingestions, total } = await IngestionService.list(req.supabase, req.user.id, { page, pageSize, query });
+    const { ingestions, total } = await IngestionService.list(req.supabase, req.workspaceId, { page, pageSize, query });
     res.json({ success: true, ingestions, total, page, pageSize });
 }));
 // GET /api/ingestions/:id — get single ingestion
@@ -29,7 +33,11 @@ router.get("/:id", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
-    const ingestion = await IngestionService.get(req.params["id"], req.supabase, req.user.id);
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
+    const ingestion = await IngestionService.get(req.params["id"], req.supabase, req.workspaceId);
     if (!ingestion) {
         res.status(404).json({ success: false, error: "Not found" });
         return;
@@ -42,6 +50,10 @@ router.post("/upload", upload.single("file"), asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const file = req.file;
     if (!file) {
         res.status(400).json({ success: false, error: "No file uploaded" });
@@ -70,6 +82,7 @@ router.post("/upload", upload.single("file"), asyncHandler(async (req, res) => {
     const ingestion = await IngestionService.ingest({
         supabase: req.supabase,
         userId: req.user.id,
+        workspaceId: req.workspaceId,
         filename: file.originalname,
         mimeType: file.mimetype,
         fileSize: file.size,
@@ -86,7 +99,11 @@ router.post("/:id/rerun", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
-    const matched = await IngestionService.rerun(req.params["id"], req.supabase, req.user.id);
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
+    const matched = await IngestionService.rerun(req.params["id"], req.supabase, req.user.id, req.workspaceId);
     res.json({ success: true, matched });
 }));
 // POST /api/ingestions/:id/match — manually assign a policy and optionally learn from it
@@ -95,6 +112,10 @@ router.post("/:id/match", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const policyId = typeof req.body?.policy_id === "string" ? req.body.policy_id.trim() : "";
     if (!policyId) {
         res.status(400).json({ success: false, error: "policy_id is required" });
@@ -104,7 +125,7 @@ router.post("/:id/match", asyncHandler(async (req, res) => {
     const rerun = req.body?.rerun !== false;
     const allowSideEffects = req.body?.allow_side_effects === true;
     try {
-        const ingestion = await IngestionService.matchToPolicy(req.params["id"], policyId, req.supabase, req.user.id, {
+        const ingestion = await IngestionService.matchToPolicy(req.params["id"], policyId, req.supabase, req.user.id, req.workspaceId, {
             learn,
             rerun,
             allowSideEffects,
@@ -130,13 +151,17 @@ router.post("/:id/refine-policy", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const policyId = typeof req.body?.policy_id === "string" ? req.body.policy_id.trim() : "";
     if (!policyId) {
         res.status(400).json({ success: false, error: "policy_id is required" });
         return;
     }
     try {
-        const suggestion = await IngestionService.suggestPolicyRefinement(req.params["id"], policyId, req.supabase, req.user.id, {
+        const suggestion = await IngestionService.suggestPolicyRefinement(req.params["id"], policyId, req.supabase, req.user.id, req.workspaceId, {
             provider: typeof req.body?.provider === "string" ? req.body.provider : undefined,
             model: typeof req.body?.model === "string" ? req.body.model : undefined,
         });
@@ -161,13 +186,17 @@ router.post("/:id/summarize", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const { data: settingsRow } = await req.supabase
         .from("user_settings")
         .select("llm_provider, llm_model, ingestion_llm_provider, ingestion_llm_model")
         .eq("user_id", req.user.id)
         .maybeSingle();
     const llmSettings = IngestionService.resolveIngestionLlmSettings(settingsRow);
-    const summary = await IngestionService.summarize(req.params["id"], req.supabase, req.user.id, llmSettings);
+    const summary = await IngestionService.summarize(req.params["id"], req.supabase, req.user.id, req.workspaceId, llmSettings);
     res.json({ success: true, summary });
 }));
 // PATCH /api/ingestions/:id/tags — replace tags array (human edits)
@@ -176,6 +205,10 @@ router.patch("/:id/tags", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
     const tags = req.body?.tags;
     if (!Array.isArray(tags) || tags.some((t) => typeof t !== "string")) {
         res.status(400).json({ success: false, error: "tags must be an array of strings" });
@@ -186,7 +219,7 @@ router.patch("/:id/tags", asyncHandler(async (req, res) => {
         .from("ingestions")
         .update({ tags: normalized })
         .eq("id", req.params["id"])
-        .eq("user_id", req.user.id);
+        .eq("workspace_id", req.workspaceId);
     if (error) {
         res.status(500).json({ success: false, error: error.message });
         return;
@@ -199,7 +232,11 @@ router.delete("/:id", asyncHandler(async (req, res) => {
         res.status(401).json({ success: false, error: "Authentication required" });
         return;
     }
-    const deleted = await IngestionService.delete(req.params["id"], req.supabase, req.user.id);
+    if (!req.workspaceId) {
+        res.status(403).json({ success: false, error: "Workspace membership required" });
+        return;
+    }
+    const deleted = await IngestionService.delete(req.params["id"], req.supabase, req.workspaceId);
     if (!deleted) {
         res.status(404).json({ success: false, error: "Not found" });
         return;