sh3-server 0.13.0 → 0.13.2

package/dist/projects.d.ts

@@ -0,0 +1,39 @@
+/**
+ * ProjectStore — multi-member project scope identity primitive.
+ *
+ * Project ids derive from a slug of the project name plus a 4-char base36
+ * hash so collisions are rare and ids stay readable. Members and the app
+ * allowlist are stored alongside the project's metadata; document content
+ * lives under the same per-scope filesystem layout as personal scopes.
+ */
+export interface ProjectRecord {
+    id: string;
+    name: string;
+    description?: string;
+    members: string[];
+    appAllowlist: string[];
+    createdBy: string;
+    createdAt: number;
+    updatedAt: number;
+}
+export declare class ProjectStore {
+    #private;
+    constructor(dataDir: string);
+    list(): ProjectRecord[];
+    get(id: string): ProjectRecord | null;
+    listForUser(userId: string): ProjectRecord[];
+    isMember(projectId: string, userId: string): boolean;
+    create(input: {
+        name: string;
+        description?: string;
+        members: string[];
+        appAllowlist: string[];
+        createdBy: string;
+    }): ProjectRecord;
+    update(id: string, patch: Partial<Pick<ProjectRecord, 'name' | 'description' | 'members' | 'appAllowlist'>>): ProjectRecord | null;
+    delete(id: string): boolean;
+    deleteWithData(id: string, dataDir: string): {
+        ok: boolean;
+        wipedData: boolean;
+    };
+}

package/dist/projects.js

@@ -0,0 +1,128 @@
+/**
+ * ProjectStore — multi-member project scope identity primitive.
+ *
+ * Project ids derive from a slug of the project name plus a 4-char base36
+ * hash so collisions are rare and ids stay readable. Members and the app
+ * allowlist are stored alongside the project's metadata; document content
+ * lives under the same per-scope filesystem layout as personal scopes.
+ */
+import { readFileSync, writeFileSync, mkdirSync, existsSync, rmSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { randomBytes } from 'node:crypto';
+const ID_HASH_LEN = 4;
+const SLUG_MAX_LEN = 32;
+function slugify(name) {
+    return name
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, '-')
+        .replace(/^-+|-+$/g, '')
+        .slice(0, SLUG_MAX_LEN) || 'project';
+}
+function randomBase36(len) {
+    const bytes = randomBytes(len);
+    let s = '';
+    for (const b of bytes)
+        s += (b % 36).toString(36);
+    return s.slice(0, len);
+}
+export class ProjectStore {
+    #path;
+    #projects = [];
+    constructor(dataDir) {
+        this.#path = join(dataDir, 'projects.json');
+        this.#load();
+    }
+    #load() {
+        if (existsSync(this.#path)) {
+            try {
+                this.#projects = JSON.parse(readFileSync(this.#path, 'utf-8'));
+            }
+            catch {
+                this.#projects = [];
+            }
+        }
+    }
+    #save() {
+        mkdirSync(dirname(this.#path), { recursive: true });
+        writeFileSync(this.#path, JSON.stringify(this.#projects, null, 2));
+    }
+    #generateId(name) {
+        const slug = slugify(name);
+        for (let attempt = 0; attempt < 10; attempt++) {
+            const candidate = `${slug}-${randomBase36(ID_HASH_LEN)}`;
+            if (!this.#projects.some(p => p.id === candidate))
+                return candidate;
+        }
+        throw new Error('Failed to generate unique project id after 10 attempts');
+    }
+    list() {
+        return [...this.#projects];
+    }
+    get(id) {
+        return this.#projects.find(p => p.id === id) ?? null;
+    }
+    listForUser(userId) {
+        return this.#projects.filter(p => p.members.includes(userId));
+    }
+    isMember(projectId, userId) {
+        const p = this.get(projectId);
+        return p ? p.members.includes(userId) : false;
+    }
+    create(input) {
+        const now = Date.now();
+        const project = {
+            id: this.#generateId(input.name),
+            name: input.name,
+            description: input.description,
+            members: [...input.members],
+            appAllowlist: [...input.appAllowlist],
+            createdBy: input.createdBy,
+            createdAt: now,
+            updatedAt: now,
+        };
+        this.#projects.push(project);
+        this.#save();
+        return project;
+    }
+    update(id, patch) {
+        const project = this.#projects.find(p => p.id === id);
+        if (!project)
+            return null;
+        if (patch.name !== undefined)
+            project.name = patch.name;
+        if (patch.description !== undefined)
+            project.description = patch.description;
+        if (patch.members !== undefined)
+            project.members = [...patch.members];
+        if (patch.appAllowlist !== undefined)
+            project.appAllowlist = [...patch.appAllowlist];
+        project.updatedAt = Date.now();
+        this.#save();
+        return project;
+    }
+    delete(id) {
+        const before = this.#projects.length;
+        this.#projects = this.#projects.filter(p => p.id !== id);
+        if (this.#projects.length < before) {
+            this.#save();
+            return true;
+        }
+        return false;
+    }
+    deleteWithData(id, dataDir) {
+        if (!this.delete(id))
+            return { ok: false, wipedData: false };
+        const docsDir = join(dataDir, 'docs', id);
+        let wipedData = false;
+        try {
+            if (existsSync(docsDir)) {
+                rmSync(docsDir, { recursive: true, force: true });
+                wipedData = true;
+            }
+        }
+        catch (err) {
+            console.warn(`[sh3] project ${id}: failed to remove ${docsDir}:`, err);
+        }
+        return { ok: true, wipedData };
+    }
+}

package/dist/routes/admin.js

@@ -117,7 +117,7 @@ export function createAdminRouter(users, settings, sessions, keys, dataDir) {
         if (!label) {
             return c.json({ error: 'Label required' }, 400);
         }
-        const key = keys.generate({ label, tenantId: null, ownerUserId: null, mintedByShardId: null, scopes: ['admin:*'] });
+        const key = keys.generate({ label, scopeId: null, ownerUserId: null, mintedByShardId: null, scopes: ['admin:*'] });
         return c.json(key, 201);
     });
     router.delete('/keys/:id', (c) => {

package/dist/routes/docs.d.ts

@@ -6,15 +6,29 @@
  * advance, conflict bucket). This router is intentionally thin: it validates
  * auth and path shape, then calls the store.
  *
- * GET    /api/docs/:tenant/_shards         → listAll (shard ids)
- * GET    /api/docs/:tenant/_all            → listAll
- * GET    /api/docs/:tenant/:shard          → list
- * GET    /api/docs/:tenant/:shard/*path    → read
- * HEAD   /api/docs/:tenant/:shard/*path    → exists
- * PUT    /api/docs/:tenant/:shard/*path    → write
- * DELETE /api/docs/:tenant/:shard/*path    → delete
+ * GET    /api/docs/:scope/_shards         → listAll (shard ids)
+ * GET    /api/docs/:scope/_all            → listAll
+ * GET    /api/docs/:scope/:shard          → list
+ * GET    /api/docs/:scope/:shard/*path    → read
+ * HEAD   /api/docs/:scope/:shard/*path    → exists
+ * PUT    /api/docs/:scope/:shard/*path    → write
+ * DELETE /api/docs/:scope/:shard/*path    → delete
  */
 import { Hono } from 'hono';
 import type { SettingsStore } from '../settings.js';
-import type { TenantDocStore } from '../doc-store/index.js';
-export declare function createDocsRouter(store: TenantDocStore, settings?: SettingsStore): Hono;
+import type { ScopedDocStore } from '../doc-store/index.js';
+import type { ProjectStore } from '../projects.js';
+interface AppRegistry {
+    get(id: string): {
+        manifest: {
+            requiredShards: string[];
+        };
+    } | null;
+}
+export interface DocsRouterOptions {
+    settings?: SettingsStore;
+    projectStore?: ProjectStore;
+    appRegistry?: AppRegistry;
+}
+export declare function createDocsRouter(store: ScopedDocStore, options?: DocsRouterOptions | SettingsStore): Hono;
+export {};

package/dist/routes/docs.js

@@ -6,49 +6,58 @@
  * advance, conflict bucket). This router is intentionally thin: it validates
  * auth and path shape, then calls the store.
  *
- * GET    /api/docs/:tenant/_shards         → listAll (shard ids)
- * GET    /api/docs/:tenant/_all            → listAll
- * GET    /api/docs/:tenant/:shard          → list
- * GET    /api/docs/:tenant/:shard/*path    → read
- * HEAD   /api/docs/:tenant/:shard/*path    → exists
- * PUT    /api/docs/:tenant/:shard/*path    → write
- * DELETE /api/docs/:tenant/:shard/*path    → delete
+ * GET    /api/docs/:scope/_shards         → listAll (shard ids)
+ * GET    /api/docs/:scope/_all            → listAll
+ * GET    /api/docs/:scope/:shard          → list
+ * GET    /api/docs/:scope/:shard/*path    → read
+ * HEAD   /api/docs/:scope/:shard/*path    → exists
+ * PUT    /api/docs/:scope/:shard/*path    → write
+ * DELETE /api/docs/:scope/:shard/*path    → delete
  */
 import { Hono } from 'hono';
-import { tenantParamMatch } from '../scope.js';
-export function createDocsRouter(store, settings) {
+import { scopeAccessMatch } from '../scope.js';
+import { projectAppAllowlist } from '../middleware/project-allowlist.js';
+export function createDocsRouter(store, options = {}) {
+    // Backward-compat: callers used to pass the SettingsStore as the second
+    // positional arg. Detect that shape and adapt.
+    const opts = options && typeof options.get === 'function' && !('settings' in options)
+        ? { settings: options }
+        : options;
     const router = new Hono();
-    router.use('/:tenant/*', tenantParamMatch('tenant', settings));
-    router.use('/:tenant', tenantParamMatch('tenant', settings));
+    router.use('/:scope/*', scopeAccessMatch('scope', opts.settings));
+    router.use('/:scope', scopeAccessMatch('scope', opts.settings));
+    if (opts.projectStore && opts.appRegistry) {
+        router.use('/:scope/:shard/*', projectAppAllowlist({ projectStore: opts.projectStore, appRegistry: opts.appRegistry }));
+    }
     function isReservedShardId(shard) {
         return shard.startsWith('__');
     }
     // Shards list
-    router.get('/:tenant/_shards', async (c) => {
-        const { tenant } = c.req.param();
-        const all = await store.listAll(tenant);
+    router.get('/:scope/_shards', async (c) => {
+        const { scope } = c.req.param();
+        const all = await store.listAll(scope);
         const seen = new Set();
         for (const e of all)
             seen.add(e.shardId);
         return c.json([...seen].filter((id) => !isReservedShardId(id)));
     });
     // All docs
-    router.get('/:tenant/_all', async (c) => {
-        const { tenant } = c.req.param();
-        return c.json(await store.listAll(tenant));
+    router.get('/:scope/_all', async (c) => {
+        const { scope } = c.req.param();
+        return c.json(await store.listAll(scope));
     });
     // Per-shard list
-    router.get('/:tenant/:shard', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.get('/:scope/:shard', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.notFound();
-        return c.json(await store.list(tenant, shard));
+        return c.json(await store.list(scope, shard));
     });
     // Branch content read — conflict-branch by origin. Registered before the
     // generic read handler so the `/branch` suffix isn't swallowed as a path.
-    router.get('/:tenant/:shard/*', async (c, next) => {
-        const { tenant, shard } = c.req.param();
-        const prefix = `/api/docs/${tenant}/${shard}/`;
+    router.get('/:scope/:shard/*', async (c, next) => {
+        const { scope, shard } = c.req.param();
+        const prefix = `/api/docs/${scope}/${shard}/`;
         const rawPath = c.req.path.replace(prefix, '');
         if (!rawPath.endsWith('/branch'))
             return next();
@@ -60,26 +69,26 @@ export function createDocsRouter(store, settings) {
         const origin = c.req.query('origin');
         if (!origin)
             return c.json({ error: 'Missing origin query param' }, 400);
-        const content = await store.readBranchContent(tenant, shard, filePath, origin);
+        const content = await store.readBranchContent(scope, shard, filePath, origin);
         if (content === null)
             return c.notFound();
         return c.text(content);
     });
     // Read
-    router.get('/:tenant/:shard/*', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.get('/:scope/:shard/*', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.notFound();
-        const filePath = c.req.path.replace(`/api/docs/${tenant}/${shard}/`, '');
+        const filePath = c.req.path.replace(`/api/docs/${scope}/${shard}/`, '');
         if (!filePath)
             return c.json({ error: 'Missing file path' }, 400);
         if (c.req.query('meta') === '1') {
-            const meta = await store.readMeta(tenant, shard, filePath);
+            const meta = await store.readMeta(scope, shard, filePath);
             if (!meta)
                 return c.json({ exists: false });
             const payload = { exists: true, ...meta };
             if (meta.syncState === 'conflict') {
-                const cf = await store.readConflict(tenant, shard, filePath);
+                const cf = await store.readConflict(scope, shard, filePath);
                 if (cf) {
                     payload.branches = cf.branches.map((b) => ({
                         origin: b.origin,
@@ -90,28 +99,28 @@ export function createDocsRouter(store, settings) {
             }
             return c.json(payload);
         }
-        const content = await store.read(tenant, shard, filePath);
+        const content = await store.read(scope, shard, filePath);
         if (content === null)
             return c.notFound();
         return c.text(content);
     });
     // Exists
-    router.on('HEAD', '/:tenant/:shard/*', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.on('HEAD', '/:scope/:shard/*', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.notFound();
-        const filePath = c.req.path.replace(`/api/docs/${tenant}/${shard}/`, '');
+        const filePath = c.req.path.replace(`/api/docs/${scope}/${shard}/`, '');
         return new Response(null, {
-            status: (await store.exists(tenant, shard, filePath)) ? 200 : 404,
+            status: (await store.exists(scope, shard, filePath)) ? 200 : 404,
         });
     });
     // Conflict resolve and rename — must match before the generic PUT so the
     // suffixes aren't captured as part of the file path.
-    router.post('/:tenant/:shard/*', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.post('/:scope/:shard/*', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.json({ error: 'Reserved shard id' }, 400);
-        const rawPath = c.req.path.replace(`/api/docs/${tenant}/${shard}/`, '');
+        const rawPath = c.req.path.replace(`/api/docs/${scope}/${shard}/`, '');
         if (rawPath.endsWith('/resolve')) {
             const filePath = rawPath.replace(/\/resolve$/, '');
             if (!filePath)
@@ -120,7 +129,7 @@ export function createDocsRouter(store, settings) {
             if (!body || typeof body.choice === 'undefined') {
                 return c.json({ error: 'Body must include { choice }' }, 400);
             }
-            await store.resolveConflict(tenant, shard, filePath, body.choice);
+            await store.resolveConflict(scope, shard, filePath, body.choice);
             return c.json({ ok: true });
         }
         if (rawPath.endsWith('/rename')) {
@@ -135,7 +144,7 @@ export function createDocsRouter(store, settings) {
                 return c.json({ error: 'Rename target must differ from source' }, 400);
             }
             try {
-                await store.rename(tenant, shard, oldPath, body.to);
+                await store.rename(scope, shard, oldPath, body.to);
             }
             catch (err) {
                 const msg = String(err?.message ?? err);
@@ -145,30 +154,30 @@ export function createDocsRouter(store, settings) {
                     return c.json({ error: msg }, 409);
                 throw err;
             }
-            const meta = await store.readMeta(tenant, shard, body.to);
+            const meta = await store.readMeta(scope, shard, body.to);
             return c.json({ ok: true, version: meta?.version });
         }
         return c.json({ error: 'Unknown docs POST endpoint' }, 404);
     });
     // Write
-    router.put('/:tenant/:shard/*', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.put('/:scope/:shard/*', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.json({ error: 'Reserved shard id' }, 400);
-        const filePath = c.req.path.replace(`/api/docs/${tenant}/${shard}/`, '');
+        const filePath = c.req.path.replace(`/api/docs/${scope}/${shard}/`, '');
         if (!filePath)
             return c.json({ error: 'Missing file path' }, 400);
         const body = await c.req.text();
-        const result = await store.write(tenant, shard, filePath, body);
+        const result = await store.write(scope, shard, filePath, body);
         return c.json({ ok: true, ...result });
     });
     // Delete
-    router.delete('/:tenant/:shard/*', async (c) => {
-        const { tenant, shard } = c.req.param();
+    router.delete('/:scope/:shard/*', async (c) => {
+        const { scope, shard } = c.req.param();
         if (isReservedShardId(shard))
             return c.json({ error: 'Reserved shard id' }, 400);
-        const filePath = c.req.path.replace(`/api/docs/${tenant}/${shard}/`, '');
-        await store.delete(tenant, shard, filePath);
+        const filePath = c.req.path.replace(`/api/docs/${scope}/${shard}/`, '');
+        await store.delete(scope, shard, filePath);
         return c.json({ ok: true });
     });
     return router;

package/dist/routes/keys.d.ts

@@ -1,8 +1,8 @@
 /**
- * User-tenant key management endpoints.
+ * User-scope key management endpoints.
  *
- * Auth: uses `caller.tenantId` set by resolveCaller. Each caller can only
- * see and revoke keys in their own tenant.
+ * Auth: uses `caller.scopeId` set by resolveCaller. Each caller can only
+ * see and revoke keys in their own scope.
  *
  * Mint flow:
  *   1. Shell calls POST /consent (session-only) → receives a short-lived ticket.
@@ -13,7 +13,7 @@
 import { Hono } from 'hono';
 import type { KeyStore, ApiKeyPublic } from '../keys.js';
 export interface RevocationEvent {
-    tenantId: string;
+    scopeId: string;
     id: string;
     row: ApiKeyPublic;
 }

package/dist/routes/keys.js

@@ -1,8 +1,8 @@
 /**
- * User-tenant key management endpoints.
+ * User-scope key management endpoints.
  *
- * Auth: uses `caller.tenantId` set by resolveCaller. Each caller can only
- * see and revoke keys in their own tenant.
+ * Auth: uses `caller.scopeId` set by resolveCaller. Each caller can only
+ * see and revoke keys in their own scope.
  *
  * Mint flow:
  *   1. Shell calls POST /consent (session-only) → receives a short-lived ticket.
@@ -12,7 +12,7 @@
  */
 import { Hono } from 'hono';
 import { randomBytes } from 'node:crypto';
-import { tenantRequired } from '../scope.js';
+import { requireCallerScope } from '../scope.js';
 const TICKET_TTL_MS = 60_000;
 function sweepExpired(tickets) {
     const now = Date.now();
@@ -31,11 +31,11 @@ export function createKeysRouter(keys, onRevoke) {
         for (const fn of sseSubscribers)
             fn(ev);
     }
-    router.use('*', tenantRequired);
+    router.use('*', requireCallerScope);
     router.get('/', (c) => {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const caller = c.get('caller');
-        return c.json(keys.listForTenant(caller.tenantId));
+        return c.json(keys.listForScope(caller.scopeId));
     });
     /**
      * POST /consent — shell-only endpoint that issues a single-use consent ticket.
@@ -65,7 +65,7 @@ export function createKeysRouter(keys, onRevoke) {
             peerRole: body.peerRole,
             peerId: body.peerId,
             expiresIn: body.expiresIn,
-            tenantId: caller.tenantId,
+            scopeId: caller.scopeId,
             userId: caller.userId,
             issuedAt: Date.now(),
         });
@@ -91,7 +91,7 @@ export function createKeysRouter(keys, onRevoke) {
         if (Date.now() - entry.issuedAt > TICKET_TTL_MS) {
             return c.json({ error: 'Ticket invalid or already used' }, 400);
         }
-        if (entry.tenantId !== caller.tenantId) {
+        if (entry.scopeId !== caller.scopeId) {
             return c.json({ error: 'Ticket invalid or already used' }, 400);
         }
         const expiresAt = entry.expiresIn
@@ -99,7 +99,7 @@ export function createKeysRouter(keys, onRevoke) {
             : undefined;
         const row = keys.generate({
             label: entry.label,
-            tenantId: entry.tenantId,
+            scopeId: entry.scopeId,
             ownerUserId: entry.userId,
             mintedByShardId: entry.shardId,
             scopes: entry.scopes,
@@ -116,7 +116,7 @@ export function createKeysRouter(keys, onRevoke) {
      * tenant is revoked from any source. The client-side revocation bus
      * consumes this stream and dispatches `onKeyRevoked` on the owning shard.
      *
-     * Auth: tenantRequired (already applied via the `*` middleware above).
+     * Auth: requireCallerScope (already applied via the `*` middleware above).
      * Each connected tab gets its own stream. Connections are cleaned up
      * automatically when the client disconnects (abort signal).
      */
@@ -154,10 +154,10 @@ export function createKeysRouter(keys, onRevoke) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const caller = c.get('caller');
         const id = c.req.param('id');
-        const removed = keys.revoke(caller.tenantId, id);
+        const removed = keys.revoke(caller.scopeId, id);
         if (!removed)
             return c.json({ error: 'Key not found' }, 404);
-        await onRevoke({ tenantId: caller.tenantId, id, row: removed });
+        await onRevoke({ scopeId: caller.scopeId, id, row: removed });
         // Broadcast to SSE subscribers so other browser tabs learn of the revocation.
         pushToBus({ id, shardId: removed.mintedByShardId ?? null });
         return c.json({ ok: true });

package/dist/routes/projects.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Projects HTTP API.
+ *
+ * - GET    /              — list projects the caller is a member of
+ * - GET    /all           — admin: list every project
+ * - GET    /:id           — fetch one (member or admin)
+ * - POST   /              — admin: create a project
+ * - PATCH  /:id           — admin: mutate a project
+ * - DELETE /:id           — admin: delete a project
+ */
+import { Hono } from 'hono';
+import type { ProjectStore } from '../projects.js';
+export declare function createProjectsRouter(store: ProjectStore, dataDir?: string): Hono;

package/dist/routes/projects.js

@@ -0,0 +1,101 @@
+/**
+ * Projects HTTP API.
+ *
+ * - GET    /              — list projects the caller is a member of
+ * - GET    /all           — admin: list every project
+ * - GET    /:id           — fetch one (member or admin)
+ * - POST   /              — admin: create a project
+ * - PATCH  /:id           — admin: mutate a project
+ * - DELETE /:id           — admin: delete a project
+ */
+import { Hono } from 'hono';
+function isAdmin(caller) {
+    return !!caller?.scopes.includes('admin:*');
+}
+export function createProjectsRouter(store, dataDir) {
+    const router = new Hono();
+    router.get('/', (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (!caller?.userId)
+            return c.json({ error: 'Unauthenticated' }, 401);
+        return c.json({ projects: store.listForUser(caller.userId) });
+    });
+    router.get('/all', (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (!isAdmin(caller))
+            return c.json({ error: 'Admin required' }, 403);
+        return c.json({ projects: store.list() });
+    });
+    router.get('/:id', (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        const project = store.get(c.req.param('id'));
+        if (!project)
+            return c.json({ error: 'Not found' }, 404);
+        const allowed = isAdmin(caller) || (caller?.userId !== null && caller?.userId !== undefined && project.members.includes(caller.userId));
+        if (!allowed)
+            return c.json({ error: 'Not a member' }, 403);
+        return c.json(project);
+    });
+    router.post('/', async (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (!isAdmin(caller))
+            return c.json({ error: 'Admin required' }, 403);
+        const body = await c.req.json().catch(() => null);
+        if (!body ||
+            typeof body.name !== 'string' ||
+            !Array.isArray(body.members) ||
+            !Array.isArray(body.appAllowlist)) {
+            return c.json({ error: 'Body must include { name, members, appAllowlist }' }, 400);
+        }
+        const project = store.create({
+            name: body.name,
+            description: typeof body.description === 'string' ? body.description : undefined,
+            members: body.members,
+            appAllowlist: body.appAllowlist,
+            createdBy: caller.userId ?? 'admin-key',
+        });
+        return c.json(project, 201);
+    });
+    router.patch('/:id', async (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (!isAdmin(caller))
+            return c.json({ error: 'Admin required' }, 403);
+        const body = await c.req.json().catch(() => null);
+        if (!body)
+            return c.json({ error: 'Body required' }, 400);
+        const updated = store.update(c.req.param('id'), {
+            name: body.name,
+            description: body.description,
+            members: body.members,
+            appAllowlist: body.appAllowlist,
+        });
+        if (!updated)
+            return c.json({ error: 'Not found' }, 404);
+        return c.json(updated);
+    });
+    router.delete('/:id', (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (!isAdmin(caller))
+            return c.json({ error: 'Admin required' }, 403);
+        const id = c.req.param('id');
+        if (c.req.query('wipeData') === '1') {
+            if (!dataDir)
+                return c.json({ error: 'wipeData unsupported (no dataDir wired)' }, 500);
+            const result = store.deleteWithData(id, dataDir);
+            if (!result.ok)
+                return c.json({ error: 'Not found' }, 404);
+            return c.json(result);
+        }
+        const ok = store.delete(id);
+        if (!ok)
+            return c.json({ error: 'Not found' }, 404);
+        return c.json({ ok: true, wipedData: false });
+    });
+    return router;
+}