feat: expose encrypt/decrypt endpoints on standard API for OSS compatibility

Move encrypt/decrypt logic into shared package-level functions in
handler/encryption.go. Both AdminHandler and ProjectHandler delegate
to these functions, eliminating code duplication.

Register POST /api/v1/project/encrypt and POST /api/v1/project/decrypt
on the standard API router so OSS Docker deployments (which don't run
the admin binary) can use encryption features.

Admin binary retains /admin/v1/project/encrypt and /admin/v1/project/decrypt
for backward compatibility.

E2E tests updated to call the standard API endpoints.

Author: GenerQAQ

src/server/api/go/internal/bootstrap/container.go

@@ -409,7 +409,12 @@ func BuildContainer() *do.Injector {
 		), nil
 	})
 	do.Provide(inj, func(i *do.Injector) (*handler.ProjectHandler, error) {
-		return handler.NewProjectHandler(do.MustInvoke[*gorm.DB](i)), nil
+		return handler.NewProjectHandler(
+			do.MustInvoke[*gorm.DB](i),
+			do.MustInvoke[*redis.Client](i),
+			do.MustInvoke[*blob.S3Deps](i),
+			do.MustInvoke[repo.AssetReferenceRepo](i),
+		), nil
 	})
 	return inj
 }

src/server/api/go/internal/modules/handler/admin.go

@@ -240,105 +240,13 @@ func (h *AdminHandler) AnalyzeProjectMetrics(c *gin.Context) {
 // EncryptProject encrypts all existing S3 data for a project and enables encryption.
 // Requires project API key as Bearer auth (uses ProjectAuth middleware).
 func (h *AdminHandler) EncryptProject(c *gin.Context) {
-	project, ok := c.MustGet("project").(*model.Project)
-	if !ok {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("project not found")))
-		return
-	}
-
-	userKEK := middleware.GetUserKEK(c)
-	if userKEK == nil {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("API key required to derive encryption key")))
-		return
-	}
-
-	// No early-return if EncryptionEnabled is already true — allow idempotent
-	// retry so that partial failures (crash after flag set, before all objects
-	// encrypted) can be recovered by re-calling this endpoint.
-	// EncryptObject skips already-encrypted objects, and the DB UPDATE is a no-op
-	// when the flag is already true.
-
-	// Set encryption_enabled = true FIRST for crash safety.
-	// If we crash after this but before encrypting all objects, reads will use KEK
-	// and unencrypted objects pass through decryption gracefully. Retry re-encrypts
-	// remaining objects (EncryptObject is idempotent).
-	if err := h.db.WithContext(c.Request.Context()).Model(&model.Project{}).
-		Where("id = ?", project.ID).
-		Update("encryption_enabled", true).Error; err != nil {
-		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to update project", err))
-		return
-	}
-
-	// Invalidate cached project so subsequent requests see encryption_enabled = true
-	middleware.InvalidateProjectAuthCache(h.rdb, project.SecretKeyHMAC)
-
-	// Enumerate all S3 keys for this project
-	s3Keys, err := h.assetRefRepo.ListS3KeysByProject(c.Request.Context(), project.ID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to list S3 keys", err))
-		return
-	}
-
-	// Encrypt each object (idempotent — skips already-encrypted objects)
-	for _, key := range s3Keys {
-		if err := h.s3.EncryptObject(c.Request.Context(), key, userKEK); err != nil {
-			c.JSON(http.StatusInternalServerError, serializer.DBErr(fmt.Sprintf("failed to encrypt object %s", key), err))
-			return
-		}
-	}
-
-	c.JSON(http.StatusOK, serializer.Response{Msg: "encryption enabled"})
+	encryptProject(c, h.db, h.rdb, h.s3, h.assetRefRepo)
 }
 
 // DecryptProject decrypts all existing S3 data for a project and disables encryption.
 // Requires project API key as Bearer auth (uses ProjectAuth middleware).
 func (h *AdminHandler) DecryptProject(c *gin.Context) {
-	project, ok := c.MustGet("project").(*model.Project)
-	if !ok {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("project not found")))
-		return
-	}
-
-	userKEK := middleware.GetUserKEK(c)
-	if userKEK == nil {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("API key required to derive encryption key")))
-		return
-	}
-
-	if !project.EncryptionEnabled {
-		c.JSON(http.StatusBadRequest, serializer.ParamErr("project encryption is not enabled", nil))
-		return
-	}
-
-	// Enumerate all S3 keys for this project
-	s3Keys, err := h.assetRefRepo.ListS3KeysByProject(c.Request.Context(), project.ID)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to list S3 keys", err))
-		return
-	}
-
-	// Decrypt each object FIRST, then clear the flag (idempotent — skips already-decrypted).
-	// If we crash mid-decrypt, flag stays true so reads use KEK, which works on
-	// both encrypted and already-decrypted objects. Retry re-decrypts remaining.
-	for _, key := range s3Keys {
-		if err := h.s3.DecryptObject(c.Request.Context(), key, userKEK); err != nil {
-			c.JSON(http.StatusInternalServerError, serializer.DBErr(fmt.Sprintf("failed to decrypt object %s", key), err))
-			return
-		}
-	}
-
-	// Set encryption_enabled = false AFTER all objects are decrypted
-	if err := h.db.WithContext(c.Request.Context()).Model(&model.Project{}).
-		Where("id = ?", project.ID).
-		Update("encryption_enabled", false).Error; err != nil {
-		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to update project", err))
-		return
-	}
-
-	// Invalidate cached project so subsequent requests see encryption_enabled = false
-	middleware.InvalidateProjectAuthCache(h.rdb, project.SecretKeyHMAC)
-
-	c.JSON(http.StatusOK, serializer.Response{Msg: "encryption disabled"})
+	decryptProject(c, h.db, h.rdb, h.s3, h.assetRefRepo)
 }
 
 // RotateProjectSecretKeyAdmin rotates the project API key (admin JWT auth).

src/server/api/go/internal/modules/handler/encryption.go

@@ -0,0 +1,120 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/redis/go-redis/v9"
+
+	"github.com/memodb-io/Acontext/internal/infra/blob"
+	"github.com/memodb-io/Acontext/internal/middleware"
+	"github.com/memodb-io/Acontext/internal/modules/model"
+	"github.com/memodb-io/Acontext/internal/modules/repo"
+	"github.com/memodb-io/Acontext/internal/modules/serializer"
+	"gorm.io/gorm"
+)
+
+// encryptProject is the shared implementation for enabling project encryption.
+// Both AdminHandler and ProjectHandler delegate to this function.
+func encryptProject(c *gin.Context, db *gorm.DB, rdb *redis.Client, s3 *blob.S3Deps, assetRefRepo repo.AssetReferenceRepo) {
+	project, ok := c.MustGet("project").(*model.Project)
+	if !ok {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("project not found")))
+		return
+	}
+
+	userKEK := middleware.GetUserKEK(c)
+	if userKEK == nil {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("API key required to derive encryption key")))
+		return
+	}
+
+	// No early-return if EncryptionEnabled is already true — allow idempotent
+	// retry so that partial failures (crash after flag set, before all objects
+	// encrypted) can be recovered by re-calling this endpoint.
+	// EncryptObject skips already-encrypted objects, and the DB UPDATE is a no-op
+	// when the flag is already true.
+
+	// Set encryption_enabled = true FIRST for crash safety.
+	// If we crash after this but before encrypting all objects, reads will use KEK
+	// and unencrypted objects pass through decryption gracefully. Retry re-encrypts
+	// remaining objects (EncryptObject is idempotent).
+	if err := db.WithContext(c.Request.Context()).Model(&model.Project{}).
+		Where("id = ?", project.ID).
+		Update("encryption_enabled", true).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to update project", err))
+		return
+	}
+
+	// Invalidate cached project so subsequent requests see encryption_enabled = true
+	middleware.InvalidateProjectAuthCache(rdb, project.SecretKeyHMAC)
+
+	// Enumerate all S3 keys for this project
+	s3Keys, err := assetRefRepo.ListS3KeysByProject(c.Request.Context(), project.ID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to list S3 keys", err))
+		return
+	}
+
+	// Encrypt each object (idempotent — skips already-encrypted objects)
+	for _, key := range s3Keys {
+		if err := s3.EncryptObject(c.Request.Context(), key, userKEK); err != nil {
+			c.JSON(http.StatusInternalServerError, serializer.DBErr(fmt.Sprintf("failed to encrypt object %s", key), err))
+			return
+		}
+	}
+
+	c.JSON(http.StatusOK, serializer.Response{Msg: "encryption enabled"})
+}
+
+// decryptProject is the shared implementation for disabling project encryption.
+// Both AdminHandler and ProjectHandler delegate to this function.
+func decryptProject(c *gin.Context, db *gorm.DB, rdb *redis.Client, s3 *blob.S3Deps, assetRefRepo repo.AssetReferenceRepo) {
+	project, ok := c.MustGet("project").(*model.Project)
+	if !ok {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("project not found")))
+		return
+	}
+
+	userKEK := middleware.GetUserKEK(c)
+	if userKEK == nil {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("", fmt.Errorf("API key required to derive encryption key")))
+		return
+	}
+
+	if !project.EncryptionEnabled {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("project encryption is not enabled", nil))
+		return
+	}
+
+	// Enumerate all S3 keys for this project
+	s3Keys, err := assetRefRepo.ListS3KeysByProject(c.Request.Context(), project.ID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to list S3 keys", err))
+		return
+	}
+
+	// Decrypt each object FIRST, then clear the flag (idempotent — skips already-decrypted).
+	// If we crash mid-decrypt, flag stays true so reads use KEK, which works on
+	// both encrypted and already-decrypted objects. Retry re-decrypts remaining.
+	for _, key := range s3Keys {
+		if err := s3.DecryptObject(c.Request.Context(), key, userKEK); err != nil {
+			c.JSON(http.StatusInternalServerError, serializer.DBErr(fmt.Sprintf("failed to decrypt object %s", key), err))
+			return
+		}
+	}
+
+	// Set encryption_enabled = false AFTER all objects are decrypted
+	if err := db.WithContext(c.Request.Context()).Model(&model.Project{}).
+		Where("id = ?", project.ID).
+		Update("encryption_enabled", false).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, serializer.DBErr("failed to update project", err))
+		return
+	}
+
+	// Invalidate cached project so subsequent requests see encryption_enabled = false
+	middleware.InvalidateProjectAuthCache(rdb, project.SecretKeyHMAC)
+
+	c.JSON(http.StatusOK, serializer.Response{Msg: "encryption disabled"})
+}

src/server/api/go/internal/modules/handler/project.go

@@ -4,17 +4,24 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"github.com/redis/go-redis/v9"
+
+	"github.com/memodb-io/Acontext/internal/infra/blob"
 	"github.com/memodb-io/Acontext/internal/modules/model"
+	"github.com/memodb-io/Acontext/internal/modules/repo"
 	"github.com/memodb-io/Acontext/internal/modules/serializer"
 	"gorm.io/gorm"
 )
 
 type ProjectHandler struct {
-	db *gorm.DB
+	db           *gorm.DB
+	rdb          *redis.Client
+	s3           *blob.S3Deps
+	assetRefRepo repo.AssetReferenceRepo
 }
 
-func NewProjectHandler(db *gorm.DB) *ProjectHandler {
-	return &ProjectHandler{db: db}
+func NewProjectHandler(db *gorm.DB, rdb *redis.Client, s3 *blob.S3Deps, assetRefRepo repo.AssetReferenceRepo) *ProjectHandler {
+	return &ProjectHandler{db: db, rdb: rdb, s3: s3, assetRefRepo: assetRefRepo}
 }
 
 // GetConfigs godoc
@@ -147,3 +154,35 @@ func (h *ProjectHandler) PatchConfigs(c *gin.Context) {
 		Msg:  "ok",
 	})
 }
+
+// EncryptProject encrypts all existing S3 data for a project and enables encryption.
+// Requires project API key as Bearer auth (uses ProjectAuth middleware).
+//
+//	@Summary		Enable project encryption
+//	@Description	Encrypts all existing S3 data for the project and enables encryption for future writes.
+//	@Tags			Project
+//	@Produce		json
+//	@Security		BearerAuth
+//	@Success		200	{object}	serializer.Response
+//	@Failure		400	{object}	serializer.Response
+//	@Failure		500	{object}	serializer.Response
+//	@Router			/project/encrypt [post]
+func (h *ProjectHandler) EncryptProject(c *gin.Context) {
+	encryptProject(c, h.db, h.rdb, h.s3, h.assetRefRepo)
+}
+
+// DecryptProject decrypts all existing S3 data for a project and disables encryption.
+// Requires project API key as Bearer auth (uses ProjectAuth middleware).
+//
+//	@Summary		Disable project encryption
+//	@Description	Decrypts all existing S3 data for the project and disables encryption for future writes.
+//	@Tags			Project
+//	@Produce		json
+//	@Security		BearerAuth
+//	@Success		200	{object}	serializer.Response
+//	@Failure		400	{object}	serializer.Response
+//	@Failure		500	{object}	serializer.Response
+//	@Router			/project/decrypt [post]
+func (h *ProjectHandler) DecryptProject(c *gin.Context) {
+	decryptProject(c, h.db, h.rdb, h.s3, h.assetRefRepo)
+}

src/server/api/go/internal/router/router.go

@@ -158,6 +158,8 @@ func NewRouter(d RouterDeps) *gin.Engine {
 		{
 			project.GET("/configs", d.ProjectHandler.GetConfigs)
 			project.PATCH("/configs", d.ProjectHandler.PatchConfigs)
+			project.POST("/encrypt", d.ProjectHandler.EncryptProject)
+			project.POST("/decrypt", d.ProjectHandler.DecryptProject)
 		}
 
 		learningSpaces := v1.Group("/learning_spaces")

src/server/tests/e2e/test_encryption.py

@@ -207,9 +207,9 @@ async def enable_encryption(
     client: httpx.AsyncClient,
     bearer_token: str,
 ) -> httpx.Response:
-    """Enable encryption on a project via admin endpoint."""
+    """Enable encryption on a project via standard API endpoint."""
     return await client.post(
-        f"{ADMIN_URL}/admin/v1/project/encrypt",
+        f"{API_URL}/api/v1/project/encrypt",
         headers={"Authorization": f"Bearer {bearer_token}"},
     )
 
@@ -218,9 +218,9 @@ async def disable_encryption(
     client: httpx.AsyncClient,
     bearer_token: str,
 ) -> httpx.Response:
-    """Disable encryption on a project via admin endpoint."""
+    """Disable encryption on a project via standard API endpoint."""
     return await client.post(
-        f"{ADMIN_URL}/admin/v1/project/decrypt",
+        f"{API_URL}/api/v1/project/decrypt",
         headers={"Authorization": f"Bearer {bearer_token}"},
     )