engram-sdk 0.5.4 → 0.5.6

package/dist/hosted.js

@@ -4,8 +4,68 @@ import { mkdirSync } from 'node:fs';
 import path from 'node:path';
 import { Vault } from './vault.js';
 import { GeminiEmbeddings } from './embeddings.js';
-import { AccountStore, PLAN_LIMITS } from './accounts.js';
-import { handleWebhook, createCheckoutSession, createCustomerPortalSession } from './stripe.js';
+import { AccountStore, PLAN_LIMITS, isValidEmail } from './accounts.js';
+import { handleWebhook, createCheckoutSession, createCustomerPortalSession, retrieveCheckoutSession, stripeRequest, priceToPlan } from './stripe.js';
+import { generateMagicToken, verifyMagicToken, sendMagicLinkEmail } from './magic-link.js';
+// ============================================================
+// Security Constants
+// ============================================================
+const MAX_BODY_BYTES = 1 * 1024 * 1024; // 1 MB
+const ALLOWED_ORIGINS = new Set([
+    'https://engram.fyi',
+    'https://www.engram.fyi',
+]);
+class IPRateLimiter {
+    windows = new Map();
+    limit;
+    windowMs;
+    constructor(limit, windowMs) {
+        this.limit = limit;
+        this.windowMs = windowMs;
+        // Cleanup stale entries every 60s
+        setInterval(() => {
+            const now = Date.now();
+            for (const [key, entry] of this.windows) {
+                if (now - entry.windowStart > this.windowMs * 2) {
+                    this.windows.delete(key);
+                }
+            }
+        }, 60_000);
+    }
+    /** Check AND increment. Used for signup/checkout where every attempt counts. */
+    check(ip) {
+        const now = Date.now();
+        const entry = this.windows.get(ip);
+        if (!entry || now - entry.windowStart > this.windowMs) {
+            this.windows.set(ip, { count: 1, windowStart: now });
+            return true;
+        }
+        entry.count++;
+        return entry.count <= this.limit;
+    }
+    /** Check WITHOUT incrementing. Used with record() for failure-only counting. */
+    isBlocked(ip) {
+        const now = Date.now();
+        const entry = this.windows.get(ip);
+        if (!entry || now - entry.windowStart > this.windowMs)
+            return false;
+        return entry.count >= this.limit;
+    }
+    /** Record a failure. Only call this on actual auth failures. */
+    record(ip) {
+        const now = Date.now();
+        const entry = this.windows.get(ip);
+        if (!entry || now - entry.windowStart > this.windowMs) {
+            this.windows.set(ip, { count: 1, windowStart: now });
+        }
+        else {
+            entry.count++;
+        }
+    }
+}
+const signupLimiter = new IPRateLimiter(5, 60_000); // 5 signups per IP per minute
+const authFailLimiter = new IPRateLimiter(20, 60_000); // 20 failed auths per IP per minute
+const checkoutLimiter = new IPRateLimiter(10, 60_000); // 10 checkouts per IP per minute
 // ============================================================
 // Engram Hosted — Multi-Tenant API Server
 // ============================================================
@@ -15,18 +75,21 @@ const GEMINI_API_KEY = process.env.GEMINI_API_KEY ?? '';
 const ADMIN_KEY = process.env.ADMIN_KEY ?? '';
 const VAULTS_DIR = process.env.VAULTS_DIR ?? './vaults';
 const ACCOUNTS_DB = process.env.ACCOUNTS_DB ?? './accounts.db';
+const RESEND_API_KEY = process.env.RESEND_API_KEY ?? '';
 const vaultCache = new Map();
 const EVICT_MS = 30 * 60 * 1000;
 function getVault(accountId) {
-    const cached = vaultCache.get(accountId);
+    // Route to org vault if account belongs to an org, otherwise personal vault
+    const vaultId = accountStore.getVaultId(accountId);
+    const cached = vaultCache.get(vaultId);
     if (cached) {
         cached.lastAccess = Date.now();
         return cached.vault;
     }
-    const dbPath = path.join(VAULTS_DIR, `${accountId}.db`);
+    const dbPath = path.join(VAULTS_DIR, `${vaultId}.db`);
     const embedder = GEMINI_API_KEY ? new GeminiEmbeddings(GEMINI_API_KEY) : undefined;
-    const vault = new Vault({ owner: accountId, dbPath }, embedder);
-    vaultCache.set(accountId, { vault, lastAccess: Date.now() });
+    const vault = new Vault({ owner: vaultId, dbPath }, embedder);
+    vaultCache.set(vaultId, { vault, lastAccess: Date.now() });
     return vault;
 }
 // Evict idle vaults every 5 minutes
@@ -42,13 +105,26 @@ setInterval(async () => {
 // ============================================================
 // Helpers
 // ============================================================
-async function readBody(req) {
+async function readBody(req, maxBytes = MAX_BODY_BYTES) {
     const chunks = [];
+    let totalBytes = 0;
     for await (const chunk of req) {
-        chunks.push(typeof chunk === 'string' ? Buffer.from(chunk) : chunk);
+        const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+        totalBytes += buf.length;
+        if (totalBytes > maxBytes) {
+            req.destroy();
+            throw new PayloadTooLargeError(`Request body exceeds ${Math.round(maxBytes / 1024)}KB limit`);
+        }
+        chunks.push(buf);
     }
     return Buffer.concat(chunks).toString('utf-8');
 }
+class PayloadTooLargeError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'PayloadTooLargeError';
+    }
+}
 function json(res, status, data) {
     res.writeHead(status, { 'Content-Type': 'application/json' });
     res.end(JSON.stringify(data));
@@ -56,6 +132,21 @@ function json(res, status, data) {
 function errorResponse(res, status, message) {
     json(res, status, { error: message });
 }
+function parseJSONSafe(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return null;
+    }
+}
+function getClientIP(req) {
+    // Fly.io sets Fly-Client-IP; fall back to x-forwarded-for, then socket
+    return req.headers['fly-client-ip']
+        ?? req.headers['x-forwarded-for']?.split(',')[0]?.trim()
+        ?? req.socket.remoteAddress
+        ?? 'unknown';
+}
 function rateLimitResponse(res, type, limit, used, resetAt) {
     res.writeHead(429, { 'Content-Type': 'application/json' });
     res.end(JSON.stringify({
@@ -90,7 +181,24 @@ route('POST', '/v1/memories', async (req, res, { account, vault }) => {
     const check = accountStore.checkLimit(account, 'memory');
     if (!check.allowed)
         return rateLimitResponse(res, 'memory', check.limit, check.used, check.resetAt);
-    const body = JSON.parse(await readBody(req));
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    // Reject local-only memories on hosted API
+    if (body.scope === 'local')
+        return errorResponse(res, 400, 'Cannot store local-scoped memories on hosted API. Use scope "hosted" or "both".');
+    // Stamp user attribution on every memory (critical for shared org vaults)
+    if (!body.source)
+        body.source = {};
+    if (!body.source.agentId)
+        body.source.agentId = account.email;
+    // Auto-add user as an entity so Engram tracks per-person context
+    if (!body.entities)
+        body.entities = [];
+    const userName = account.email.split('@')[0];
+    if (!body.entities.some((e) => e.toLowerCase() === userName.toLowerCase() || e.toLowerCase() === account.email.toLowerCase())) {
+        body.entities.push(userName);
+    }
     const memory = vault.remember(body);
     accountStore.trackUsage(account.id, 'memory');
     json(res, 201, memory);
@@ -117,7 +225,9 @@ route('POST', '/v1/memories/recall', async (req, res, { account, vault }) => {
     const check = accountStore.checkLimit(account, 'recall');
     if (!check.allowed)
         return rateLimitResponse(res, 'recall', check.limit, check.used, check.resetAt);
-    const body = JSON.parse(await readBody(req));
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
     const memories = await vault.recall(body);
     accountStore.trackUsage(account.id, 'recall');
     json(res, 200, { memories, count: memories.length });
@@ -125,6 +235,10 @@ route('POST', '/v1/memories/recall', async (req, res, { account, vault }) => {
 route('DELETE', '/v1/memories/:id', (req, res, { account, vault, params }) => {
     const url = new URL(req.url, `http://${req.headers.host}`);
     const hard = url.searchParams.get('hard') === 'true';
+    // Hard delete restricted to org admins (or solo accounts)
+    if (hard && account.orgId && account.role !== 'admin') {
+        return errorResponse(res, 403, 'Only organization admins can hard-delete memories. Omit ?hard=true for soft delete.');
+    }
     vault.forget(params.id, hard);
     accountStore.decrementMemories(account.id);
     json(res, 200, { deleted: params.id, hard });
@@ -179,60 +293,214 @@ publicRoute('POST', '/stripe/webhook', async (req, res) => {
     json(res, result.status, result.body);
 });
 publicRoute('POST', '/checkout', async (req, res) => {
-    const body = JSON.parse(await readBody(req));
-    if (!body.email)
-        return errorResponse(res, 400, 'email is required');
+    const ip = getClientIP(req);
+    if (!checkoutLimiter.check(ip)) {
+        return errorResponse(res, 429, 'Too many checkout attempts. Try again in a minute.');
+    }
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (body.email && !isValidEmail(body.email))
+        return errorResponse(res, 400, 'Invalid email format');
     if (!body.plan || !['developer', 'team', 'business'].includes(body.plan)) {
         return errorResponse(res, 400, 'plan must be developer, team, or business');
     }
     try {
-        const result = await createCheckoutSession(body.email, body.plan);
+        const result = await createCheckoutSession(body.email ?? null, body.plan);
         json(res, 200, result);
     }
     catch (e) {
-        errorResponse(res, 500, e.message);
+        errorResponse(res, 500, 'Checkout failed');
     }
 });
-publicRoute('POST', '/billing/portal', async (req, res) => {
-    const body = JSON.parse(await readBody(req));
-    if (!body.customerId)
-        return errorResponse(res, 400, 'customerId is required');
+route('POST', '/billing/portal', async (req, res, { account }) => {
+    // Authenticated: only the account owner can access their own billing portal
+    if (!account.stripeCustomerId) {
+        return errorResponse(res, 400, 'No billing account found. Subscribe to a paid plan first.');
+    }
     try {
-        const result = await createCustomerPortalSession(body.customerId);
+        const result = await createCustomerPortalSession(account.stripeCustomerId);
         json(res, 200, result);
     }
     catch (e) {
-        errorResponse(res, 500, e.message);
+        errorResponse(res, 500, 'Failed to create billing session');
     }
 });
 // ============================================================
 // Public Signup (free tier)
 // ============================================================
 publicRoute('POST', '/signup', async (req, res) => {
-    const body = JSON.parse(await readBody(req));
+    const ip = getClientIP(req);
+    if (!signupLimiter.check(ip)) {
+        return errorResponse(res, 429, 'Too many signup attempts. Try again in a minute.');
+    }
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
     if (!body.email)
         return errorResponse(res, 400, 'email is required');
+    if (!isValidEmail(body.email))
+        return errorResponse(res, 400, 'Invalid email format');
     try {
         const existing = accountStore.getAccountByEmail(body.email);
         if (existing) {
-            return json(res, 200, { apiKey: existing.apiKey, plan: existing.plan, message: 'Account already exists' });
+            // Never leak the existing API key -- tell them to check their email
+            return json(res, 200, { message: 'If this email is registered, the API key was sent at signup. Contact support if you need a new key.' });
         }
         const account = accountStore.createAccount(body.email, 'free');
         json(res, 201, { apiKey: account.apiKey, plan: 'free', message: 'Account created' });
     }
     catch (e) {
-        errorResponse(res, 500, e.message);
+        errorResponse(res, 500, 'Signup failed');
     }
 });
 // ============================================================
+// Account Login (Magic Link Email)
+// ============================================================
+const accountLookupLimiter = new IPRateLimiter(5, 60_000); // 5 lookups per IP per minute
+// Step 1: User enters email -> we send a magic link
+publicRoute('POST', '/account/login', async (req, res) => {
+    const ip = getClientIP(req);
+    if (!accountLookupLimiter.check(ip)) {
+        return errorResponse(res, 429, 'Too many attempts. Try again in a minute.');
+    }
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (!body.email)
+        return errorResponse(res, 400, 'email is required');
+    if (!isValidEmail(body.email))
+        return errorResponse(res, 400, 'Invalid email format');
+    const account = accountStore.getAccountByEmail(body.email);
+    // Always return success to avoid leaking whether an account exists
+    if (!account) {
+        return json(res, 200, { sent: true });
+    }
+    if (!RESEND_API_KEY) {
+        console.error('RESEND_API_KEY not configured -- cannot send magic link');
+        return json(res, 200, { sent: true });
+    }
+    const token = generateMagicToken(account.email, ADMIN_KEY);
+    const sent = await sendMagicLinkEmail(account.email, token, RESEND_API_KEY);
+    if (!sent) {
+        console.error(`Failed to send magic link to ${account.email}`);
+    }
+    json(res, 200, { sent: true });
+});
+// Step 2: User clicks magic link -> verify token, return account data
+publicRoute('POST', '/account/verify', async (req, res) => {
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (!body.token)
+        return errorResponse(res, 400, 'token is required');
+    const email = verifyMagicToken(body.token, ADMIN_KEY);
+    if (!email) {
+        return errorResponse(res, 401, 'Invalid or expired link. Please request a new one.');
+    }
+    const account = accountStore.getAccountByEmail(email);
+    if (!account) {
+        return errorResponse(res, 404, 'Account not found');
+    }
+    const limits = PLAN_LIMITS[account.plan];
+    // Generate Stripe billing portal URL if they have a subscription
+    let portalUrl;
+    if (account.stripeCustomerId) {
+        try {
+            const portal = await createCustomerPortalSession(account.stripeCustomerId);
+            portalUrl = portal.url;
+        }
+        catch { /* no portal if Stripe fails */ }
+    }
+    json(res, 200, {
+        email: account.email,
+        plan: account.plan,
+        apiKey: account.apiKey,
+        usage: {
+            memoriesStored: account.memoriesStored,
+            recallsThisMonth: account.recallsThisMonth,
+            consolidationsThisMonth: account.consolidationsThisMonth,
+            usageResetAt: account.usageResetAt,
+        },
+        limits,
+        portalUrl,
+    });
+});
+// Keep old endpoint as alias during transition
+publicRoute('POST', '/account/lookup', async (req, res) => {
+    // Redirect to login flow
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    json(res, 200, { message: 'This endpoint has moved. Use POST /account/login to receive a magic link.' });
+});
+// ============================================================
+// Post-Checkout API Key Retrieval
+// ============================================================
+publicRoute('POST', '/checkout/complete', async (req, res) => {
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (!body.sessionId)
+        return errorResponse(res, 400, 'sessionId is required');
+    // Look up the Stripe checkout session to get the customer email
+    const session = await retrieveCheckoutSession(body.sessionId);
+    if (!session) {
+        return errorResponse(res, 404, 'Checkout session not found or still processing');
+    }
+    // Try to find existing account (created by webhook)
+    let account = accountStore.getAccountByEmail(session.email);
+    // Fallback: if webhook hasn't fired yet, create the account now
+    // The webhook will find this account later and just update Stripe IDs
+    if (!account) {
+        try {
+            // Determine plan from subscription
+            let plan = 'developer';
+            if (session.subscriptionId) {
+                const sub = await stripeRequest(`/subscriptions/${session.subscriptionId}`, 'GET');
+                const priceId = sub.items?.data?.[0]?.price?.id;
+                if (priceId)
+                    plan = priceToPlan(priceId) ?? 'developer';
+            }
+            account = accountStore.createAccount(session.email, plan);
+            accountStore.updateStripeIds(account.id, session.customerId, session.subscriptionId);
+            console.log(`Created account via checkout/complete fallback: ${session.email} (${plan})`);
+        }
+        catch (e) {
+            // If createAccount fails (e.g., race with webhook), try fetching again
+            account = accountStore.getAccountByEmail(session.email);
+            if (!account) {
+                return errorResponse(res, 500, 'Failed to create account. Please contact support.');
+            }
+        }
+    }
+    // Verify Stripe customer ID matches if set (prevents session ID guessing)
+    if (account.stripeCustomerId && account.stripeCustomerId !== session.customerId) {
+        return errorResponse(res, 403, 'Session does not match this account');
+    }
+    // Ensure Stripe IDs are set (in case webhook created account without them)
+    if (!account.stripeCustomerId) {
+        accountStore.updateStripeIds(account.id, session.customerId, session.subscriptionId);
+    }
+    json(res, 200, {
+        apiKey: account.apiKey,
+        plan: account.plan,
+        email: account.email,
+    });
+});
+// ============================================================
 // Admin Routes
 // ============================================================
 adminRoute('POST', '/admin/accounts', async (req, res) => {
-    const body = JSON.parse(await readBody(req));
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
     if (!body.email)
         return errorResponse(res, 400, 'email is required');
+    if (!isValidEmail(body.email))
+        return errorResponse(res, 400, 'Invalid email format');
     const plan = body.plan ?? 'free';
-    if (!['free', 'developer', 'team', 'business', 'enterprise'].includes(plan))
+    if (!['free', 'developer', 'team', 'business', 'enterprise', 'enterprise_trial'].includes(plan))
         return errorResponse(res, 400, 'invalid plan');
     try {
         const account = accountStore.createAccount(body.email, plan);
@@ -253,6 +521,82 @@ adminRoute('GET', '/admin/accounts/:id', (req, res, params) => {
         return errorResponse(res, 404, 'account not found');
     json(res, 200, account);
 });
+// ── Organization Admin Routes ──
+adminRoute('POST', '/admin/orgs', async (req, res) => {
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (!body.name)
+        return errorResponse(res, 400, 'name is required');
+    if (!body.adminEmail)
+        return errorResponse(res, 400, 'adminEmail is required');
+    if (!isValidEmail(body.adminEmail))
+        return errorResponse(res, 400, 'Invalid email format');
+    const plan = body.plan ?? 'enterprise';
+    if (!['enterprise', 'enterprise_trial'].includes(plan)) {
+        return errorResponse(res, 400, 'Org plan must be enterprise or enterprise_trial');
+    }
+    try {
+        const { org, owner } = accountStore.createOrg(body.name, body.adminEmail, plan, {
+            trialDays: body.trialDays ?? 60,
+            allowedDomain: body.allowedDomain ?? null,
+        });
+        json(res, 201, { org, owner });
+    }
+    catch (e) {
+        if (e.message?.includes('UNIQUE'))
+            return errorResponse(res, 409, 'Account with this email already exists');
+        throw e;
+    }
+});
+adminRoute('GET', '/admin/orgs', (req, res) => {
+    json(res, 200, accountStore.listOrgs());
+});
+adminRoute('GET', '/admin/orgs/:id', (req, res, params) => {
+    const org = accountStore.getOrgById(params.id);
+    if (!org)
+        return errorResponse(res, 404, 'Organization not found');
+    const members = accountStore.getOrgMembers(params.id);
+    json(res, 200, { org, members });
+});
+adminRoute('POST', '/admin/orgs/:id/members', async (req, res, params) => {
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    if (!body.email)
+        return errorResponse(res, 400, 'email is required');
+    if (!isValidEmail(body.email))
+        return errorResponse(res, 400, 'Invalid email format');
+    try {
+        const member = accountStore.addOrgMember(params.id, body.email, body.role ?? 'member');
+        json(res, 201, member);
+    }
+    catch (e) {
+        if (e.message?.includes('domain'))
+            return errorResponse(res, 400, e.message);
+        if (e.message?.includes('UNIQUE'))
+            return errorResponse(res, 409, 'Account with this email already exists');
+        if (e.message?.includes('not found'))
+            return errorResponse(res, 404, e.message);
+        throw e;
+    }
+});
+adminRoute('POST', '/admin/orgs/:id/extend-trial', async (req, res, params) => {
+    const body = parseJSONSafe(await readBody(req));
+    if (!body)
+        return errorResponse(res, 400, 'Invalid JSON');
+    const days = body.days ?? 30;
+    try {
+        accountStore.extendTrial(params.id, days);
+        const org = accountStore.getOrgById(params.id);
+        json(res, 200, { message: `Trial extended by ${days} days`, org });
+    }
+    catch (e) {
+        if (e.message?.includes('not found'))
+            return errorResponse(res, 404, e.message);
+        throw e;
+    }
+});
 // ============================================================
 // Server
 // ============================================================
@@ -267,12 +611,21 @@ function startServer() {
     const server = createServer(async (req, res) => {
         const start = Date.now();
         let status = 200;
-        // CORS
-        res.setHeader('Access-Control-Allow-Origin', '*');
-        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
-        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+        // CORS — restrict to known origins; API clients don't need CORS
+        const origin = req.headers.origin;
+        if (origin && ALLOWED_ORIGINS.has(origin)) {
+            res.setHeader('Access-Control-Allow-Origin', origin);
+            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
+            res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+            res.setHeader('Vary', 'Origin');
+        }
         if (req.method === 'OPTIONS') {
-            res.writeHead(204);
+            if (origin && ALLOWED_ORIGINS.has(origin)) {
+                res.writeHead(204);
+            }
+            else {
+                res.writeHead(204);
+            }
             res.end();
             return;
         }
@@ -307,6 +660,7 @@ function startServer() {
                     return;
                 }
                 // User auth
+                const clientIP = getClientIP(req);
                 const authHeader = req.headers.authorization;
                 if (!authHeader?.startsWith('Bearer ')) {
                     status = 401;
@@ -315,17 +669,47 @@ function startServer() {
                     return;
                 }
                 const apiKey = authHeader.slice(7);
+                // Check if this IP is blocked from too many past failures
+                if (authFailLimiter.isBlocked(clientIP)) {
+                    status = 429;
+                    errorResponse(res, 429, 'Too many authentication failures. Try again in a minute.');
+                    log(req, pathname, status, start);
+                    return;
+                }
                 const account = accountStore.getAccountByKey(apiKey);
                 if (!account) {
+                    // Only count failures against the rate limit
+                    authFailLimiter.record(clientIP);
                     status = 401;
+                    console.warn(`Auth failure from ${clientIP}: invalid API key (${apiKey.slice(0, 12)}...)`);
                     json(res, 401, { error: 'unauthorized', message: 'Invalid API key' });
                     log(req, pathname, status, start);
                     return;
                 }
+                // Check org trial expiry
+                if (account.orgId) {
+                    if (accountStore.isTrialExpired(account.orgId)) {
+                        status = 403;
+                        json(res, 403, { error: 'trial_expired', message: 'Organization trial has expired. Contact sales@engram.fyi to upgrade.' });
+                        log(req, pathname, status, start);
+                        return;
+                    }
+                }
+                // RBAC: readonly members can only read
+                if (account.role === 'readonly') {
+                    const isWrite = req.method === 'POST' || req.method === 'DELETE' || req.method === 'PUT' || req.method === 'PATCH';
+                    const isReadEndpoint = pathname.startsWith('/v1/memories/recall') || pathname === '/v1/stats' || pathname === '/v1/entities' || pathname === '/v1/account';
+                    if (isWrite && !isReadEndpoint) {
+                        status = 403;
+                        json(res, 403, { error: 'forbidden', message: 'Readonly members cannot create, modify, or delete memories' });
+                        log(req, pathname, status, start, account.email);
+                        return;
+                    }
+                }
                 const vault = getVault(account.id);
                 await r.handler(req, res, { account, vault, params });
                 status = res.statusCode;
-                log(req, pathname, status, start);
+                log(req, pathname, status, start, account.email);
                 return;
             }
             status = 404;
@@ -333,9 +717,27 @@ function startServer() {
             log(req, pathname, status, start);
         }
         catch (err) {
-            status = 500;
-            console.error(`Error handling ${req.method} ${pathname}:`, err);
-            errorResponse(res, 500, err.message ?? 'Internal server error');
+            if (err instanceof PayloadTooLargeError) {
+                status = 413;
+                errorResponse(res, 413, err.message);
+            }
+            else if (err instanceof SyntaxError && err.message?.includes('JSON')) {
+                status = 400;
+                errorResponse(res, 400, 'Invalid JSON in request body');
+            }
+            else if (err?.name === 'ZodError' || err?.issues) {
+                // Zod validation error (e.g. content too long, missing required fields)
+                status = 400;
+                const issues = err.issues ?? [];
+                const msg = issues.map((i) => `${i.path?.join('.')}: ${i.message}`).join('; ') || 'Validation error';
+                errorResponse(res, 400, msg);
+            }
+            else {
+                status = 500;
+                // Log full error server-side, return generic message to client
+                console.error(`Error handling ${req.method} ${pathname}:`, err);
+                errorResponse(res, 500, 'Internal server error');
+            }
             log(req, pathname, status, start);
         }
     });
@@ -348,7 +750,7 @@ function startServer() {
             console.log(`⚠ No GEMINI_API_KEY — semantic search disabled`);
         console.log(`✓ Listening on http://${HOST}:${PORT}`);
         console.log();
-        console.log(`Admin key: ${ADMIN_KEY.slice(0, 12)}...`);
+        console.log(`Admin key: configured ✓`);
         console.log(`Create accounts: POST /admin/accounts -d '{"email":"user@co.com","plan":"growth"}'`);
     });
     // Graceful shutdown
@@ -363,9 +765,11 @@ function startServer() {
     process.on('SIGINT', shutdown);
     process.on('SIGTERM', shutdown);
 }
-function log(req, path, status, start) {
+function log(req, path, status, start, user) {
     const ms = Date.now() - start;
-    console.log(`${new Date().toISOString()} ${req.method} ${path} ${status} ${ms}ms`);
+    const ip = getClientIP(req);
+    const userTag = user ? ` [${user}]` : '';
+    console.log(`${new Date().toISOString()} ${req.method} ${path} ${status} ${ms}ms ${ip}${userTag}`);
 }
 // ============================================================
 // CLI Entry Point