feat(api): merge Acontext-admin fork into main repo (#458)

* feat(api): merge Acontext-admin fork into main repo

Add admin API as a second entry point (cmd/admin/main.go) sharing the
same Go module. This eliminates the need for a separate fork and manual
sync-api.sh workflow.

- Add admin handlers, services, and repos for project management, usage
  analytics, and metrics
- Add SupabaseAuth and MetricsAuth middleware
- Add admin bootstrap container extending the base DI container
- Add admin router extending the base router with /admin/v1 and
  /metrics/v1 route groups
- Add Dockerfile.admin and CI/CD workflows (admin/vX.Y.Z tags)
- Add MetricsCfg, SupabaseCfg, and JaegerQueryEndpoint config fields
- Add PathMatcher utility for quota route matching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(api): address code review issues from admin merge PR #458

- Reuse SupabaseAuth client across requests instead of creating per-request
- Wrap storage metrics delete+create in a DB transaction to prevent data loss
- Reuse http.Client in projectService instead of creating per-request
- Whitelist safe headers (Accept, Content-Type) for Jaeger proxy instead of forwarding all
- Remove bearer token plaintext log at admin startup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(api): address additional code review issues for admin merge PR #458

Remove unused MetricTag constants to align Go with Python, update
config.admin.yaml pool defaults to match PR #457, fix Swagger BasePath
annotation, whitelist Jaeger proxy query params, and filter unsafe
response headers in Jaeger proxy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(api): fix stale table references and GORM autoUpdateTime in admin merge

- Replace removed `spaces` table with `learning_spaces` in AnalyzeUsages
- Replace removed `tool_references` table with `agent_skills` in AnalyzeStatistics
- Remove autoUpdateTime from Metric model to preserve epoch sentinel values set by quota logic

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: GenerQAQ

.github/workflows/admin-release.yaml

@@ -0,0 +1,70 @@
+name: Admin API Release
+
+on:
+  push:
+    tags:
+      - "admin/v*"
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
+        with:
+          images: ghcr.io/memodb-io/acontext-admin
+          tags: |
+            type=sha
+            type=semver,pattern={{version}},match=admin/v(\d+\.\d+\.\d+)$
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
+
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        with:
+          platforms: linux/amd64,linux/arm64
+          context: ./src/server/api/go
+          file: ./src/server/api/go/Dockerfile.admin
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: mode=max
+          cache-from: type=gha,scope=acontext-admin
+          cache-to: type=gha,mode=max,scope=acontext-admin
+
+      - name: Generate Changelog
+        run: |
+          bash .github/scripts/generate-changelog.sh \
+            --tag-prefix "admin/v" \
+            --source-dir "src/server/api/go" \
+            --display-name "Admin API" \
+            --output "$GITHUB_WORKSPACE-CHANGELOG.txt" \
+            --footer "Published to https://github.com/memodb-io/Acontext/pkgs/container/acontext-admin"
+
+      - name: Create Release
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe
+        with:
+          body_path: ${{ github.workspace }}-CHANGELOG.txt

.github/workflows/admin-test.yaml

@@ -0,0 +1,49 @@
+name: Go Admin API Test
+
+on:
+  push:
+    branches:
+      - dev
+    paths:
+      - 'src/server/api/go/**'
+      - '.github/workflows/admin-test.yaml'
+  pull_request:
+    branches:
+      - dev
+    paths:
+      - 'src/server/api/go/**'
+      - '.github/workflows/admin-test.yaml'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    defaults:
+      run:
+        working-directory: src/server/api/go
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Setup Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
+        with:
+          go-version-file: src/server/api/go/go.mod
+          cache: true
+          cache-dependency-path: src/server/api/go/go.sum
+      - run: go mod tidy
+      - name: Run tests with coverage
+        run: go test -v -timeout 30m -coverprofile=coverage.out -covermode=atomic ./...
+      - name: Upload coverage artifact
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: go-admin-coverage
+          path: src/server/api/go/coverage.out
+          retention-days: 30

AGENTS.md

@@ -77,6 +77,7 @@ When releasing a new version, follow these steps in order:
 | Component          | Tag Pattern                         | Publishes To                                | Source Directory                  | Workflow                                  |
 | ------------------ | ----------------------------------- | ------------------------------------------- | --------------------------------- | ----------------------------------------- |
 | API                | `api/vX.Y.Z`                        | ghcr.io (Docker, multi-arch)                | `src/server/api/go`               | `api-release.yaml`                        |
+| Admin API          | `admin/vX.Y.Z`                      | ghcr.io (Docker, multi-arch)                | `src/server/api/go`               | `admin-release.yaml`                      |
 | Core               | `core/vX.Y.Z`                       | ghcr.io (Docker, multi-arch)                | `src/server/core`                 | `core-release.yaml`                       |
 | UI (OSS)           | `ui/vX.Y.Z`                         | ghcr.io (Docker, multi-arch)                | `src/server/ui`                   | `ui-release.yaml`                         |
 | TypeScript SDK     | `sdk-ts/vX.Y.Z`                     | npm (`@acontext/acontext`)                  | `src/client/acontext-ts`          | `client-release-ts.yaml`                  |

src/server/api/go/Dockerfile.admin

@@ -0,0 +1,32 @@
+FROM --platform=$BUILDPLATFORM golang:1.26 AS build-stage
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
+
+WORKDIR /app
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -o /acontext-admin ./cmd/admin/main.go
+
+FROM build-stage AS run-test-stage
+RUN go test -v ./...
+
+FROM alpine:3.23 AS build-release-stage
+
+WORKDIR /
+
+COPY --from=build-stage /acontext-admin /acontext-admin
+COPY ./configs/config.admin.yaml /configs/config.yaml
+
+
+# TODO: use non-root user
+
+EXPOSE 8028
+
+ENTRYPOINT ["/acontext-admin"]

src/server/api/go/cmd/admin/main.go

@@ -0,0 +1,149 @@
+package main
+
+//	@title			Acontext Admin API
+//	@version		1.0
+//	@description	API for Acontext Admin.
+//	@schemes		http https
+//	@BasePath		/
+
+//  Bearer at Project level
+//	@securityDefinitions.apikey	BearerAuth
+//	@in							header
+//	@name						Authorization
+//	@description				Dynamically generate a signature for admin-level authentication
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/memodb-io/Acontext/internal/bootstrap"
+	"github.com/memodb-io/Acontext/internal/config"
+	"github.com/memodb-io/Acontext/internal/infra/cache"
+	dbpkg "github.com/memodb-io/Acontext/internal/infra/db"
+	"github.com/memodb-io/Acontext/internal/modules/handler"
+	"github.com/memodb-io/Acontext/internal/pkg/tokenizer"
+	"github.com/memodb-io/Acontext/internal/router"
+	"github.com/memodb-io/Acontext/internal/telemetry"
+	"github.com/redis/go-redis/v9"
+	"github.com/samber/do"
+	"go.uber.org/zap"
+	"gorm.io/gorm"
+)
+
+func main() {
+	// build dependency injection container (admin = base + admin deps)
+	inj := bootstrap.BuildAdminContainer()
+
+	cfg := do.MustInvoke[*config.Config](inj)
+	log := do.MustInvoke[*zap.Logger](inj)
+	db := do.MustInvoke[*gorm.DB](inj)
+	rdb := do.MustInvoke[*redis.Client](inj)
+
+	// Initialize tokenizer (vocabulary is already embedded in the package)
+	if err := tokenizer.Init(log); err != nil {
+		log.Sugar().Fatalw("failed to initialize tokenizer", "err", err)
+	}
+
+	// Setup OpenTelemetry tracing (using configuration system)
+	tp, err := telemetry.SetupTracing(cfg)
+	if err != nil {
+		log.Sugar().Warnw("failed to setup tracing, continuing without tracing", "err", err)
+	} else if tp != nil {
+		log.Sugar().Info("OpenTelemetry tracing enabled", "endpoint", cfg.Telemetry.OtlpEndpoint)
+		defer func() {
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+			if err := telemetry.Shutdown(ctx); err != nil {
+				log.Sugar().Errorw("failed to shutdown tracer", "err", err)
+			}
+		}()
+
+		// Register GORM OpenTelemetry plugin after tracer provider is set
+		if err := dbpkg.RegisterOpenTelemetryPlugin(db); err != nil {
+			log.Sugar().Warnw("failed to register GORM OpenTelemetry plugin, continuing without database tracing", "err", err)
+		} else {
+			log.Sugar().Info("GORM OpenTelemetry plugin registered")
+		}
+
+		// Register Redis OpenTelemetry plugin after tracer provider is set
+		if err := cache.RegisterOpenTelemetryPlugin(rdb); err != nil {
+			log.Sugar().Warnw("failed to register Redis OpenTelemetry plugin, continuing without Redis tracing", "err", err)
+		} else {
+			log.Sugar().Info("Redis OpenTelemetry plugin registered")
+		}
+	}
+
+	// init gin
+	gin.SetMode(cfg.App.Env)
+
+	// build base handlers
+	sessionHandler := do.MustInvoke[*handler.SessionHandler](inj)
+	diskHandler := do.MustInvoke[*handler.DiskHandler](inj)
+	artifactHandler := do.MustInvoke[*handler.ArtifactHandler](inj)
+	taskHandler := do.MustInvoke[*handler.TaskHandler](inj)
+	agentSkillsHandler := do.MustInvoke[*handler.AgentSkillsHandler](inj)
+	userHandler := do.MustInvoke[*handler.UserHandler](inj)
+	sandboxHandler := do.MustInvoke[*handler.SandboxHandler](inj)
+	learningSpaceHandler := do.MustInvoke[*handler.LearningSpaceHandler](inj)
+	sessionEventHandler := do.MustInvoke[*handler.SessionEventHandler](inj)
+	projectHandler := do.MustInvoke[*handler.ProjectHandler](inj)
+
+	// build admin-specific handlers
+	adminHandler := do.MustInvoke[*handler.AdminHandler](inj)
+	metricsHandler := do.MustInvoke[*handler.MetricsHandler](inj)
+
+	engine := router.NewAdminRouter(router.AdminRouterDeps{
+		RouterDeps: router.RouterDeps{
+			Config:               cfg,
+			DB:                   db,
+			Log:                  log,
+			SessionHandler:       sessionHandler,
+			DiskHandler:          diskHandler,
+			ArtifactHandler:      artifactHandler,
+			TaskHandler:          taskHandler,
+			AgentSkillsHandler:   agentSkillsHandler,
+			UserHandler:          userHandler,
+			SandboxHandler:       sandboxHandler,
+			LearningSpaceHandler: learningSpaceHandler,
+			SessionEventHandler:  sessionEventHandler,
+			ProjectHandler:       projectHandler,
+		},
+		AdminHandler:   adminHandler,
+		MetricsHandler: metricsHandler,
+	})
+
+	addr := fmt.Sprintf("%s:%d", cfg.App.Host, cfg.App.Port)
+	srv := &http.Server{
+		Addr:              addr,
+		Handler:           engine,
+		ReadHeaderTimeout: 30 * time.Second,
+		WriteTimeout:      15 * time.Minute,
+		IdleTimeout:       120 * time.Second,
+	}
+
+	go func() {
+		log.Sugar().Infow("starting admin http server", "addr", addr)
+		log.Sugar().Infow("swagger url", "url", addr+"/swagger/index.html")
+		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Sugar().Fatalw("listen error", "err", err)
+		}
+	}()
+
+	// graceful shutdown
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+	<-quit
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	if err := srv.Shutdown(ctx); err != nil {
+		log.Sugar().Errorw("server shutdown", "err", err)
+	}
+	log.Sugar().Info("admin server exited")
+}

src/server/api/go/configs/config.admin.yaml

@@ -0,0 +1,64 @@
+app:
+  name: acontext-admin
+  env: ${APP_ENV} # available mode: debug / release / test
+  host: 0.0.0.0
+  port: ${API_EXPORT_PORT} # Bind to .env 8028
+
+root:
+  apiBearerToken: "${ROOT_API_BEARER_TOKEN}"
+  secretPepper: "your-secret-pepper"
+  enableArgon2Verification: ${ENABLE_ARGON2_VERIFICATION}
+
+log:
+  level: info # debug/info/warn/error
+
+database:
+  dsn: "host=${DATABASE_HOST} user=${DATABASE_USER} password=${DATABASE_PASSWORD} dbname=${DATABASE_NAME} port=${DATABASE_EXPORT_PORT} sslmode=disable TimeZone=UTC"
+  maxOpen: 50
+  maxIdle: 25
+  maxIdleTimeSec: 300
+  autoMigrate: true
+  enableTLS: ${DATABASE_ENABLE_TLS}
+
+redis:
+  addr: "${REDIS_HOST}:${REDIS_EXPORT_PORT}"
+  password: "${REDIS_PASSWORD}"
+  db: 0
+  poolSize: 30
+  enableTLS: ${REDIS_ENABLE_TLS}
+
+rabbitmq:
+  url: "amqp://${RABBITMQ_USER}:${RABBITMQ_PASSWORD}@${RABBITMQ_HOST}:${RABBITMQ_EXPORT_PORT}/${RABBITMQ_VHOST_ENCODED}"
+  prefetch: 10
+  enableTLS: ${RABBITMQ_ENABLE_TLS}
+
+s3:
+  endpoint: "${S3_ENDPOINT}"
+  internalEndpoint: "${S3_INTERNAL_ENDPOINT}"
+  region: "${S3_REGION}"
+  accessKey: "${S3_ACCESS_KEY}"
+  secretKey: "${S3_SECRET_KEY}"
+  bucket: "${S3_BUCKET}"
+  usePathStyle: true
+  presignExpireSec: 900
+  # sse: "aws:kms"
+
+core:
+  baseURL: "${CORE_BASE_URL}"
+
+metrics:
+  pushURL: "${METRICS_PUSH_URL}"
+
+telemetry:
+  otlpEndpoint: "${OTEL_EXPORTER_OTLP_ENDPOINT}"
+  enabled: true
+  sampleRatio: 1.0  # Sampling ratio, 0.0-1.0, default 1.0 (100%)
+  jaegerQueryEndpoint: "${JAEGER_QUERY_ENDPOINT}"
+
+supabase:
+  projectReference: "${SUPABASE_PROJECT_REFERENCE}"
+  apiKey: "${SUPABASE_API_KEY}"
+  authURL: "${SUPABASE_AUTH_URL}"  # Optional: custom auth URL
+
+artifact:
+  maxUploadSizeBytes: ${ARTIFACT_MAX_UPLOAD_SIZE_BYTES}  # Default 16MB (16 * 1024 * 1024 bytes)

src/server/api/go/go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/samber/do v1.6.0
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
+	github.com/supabase-community/auth-go v1.5.0
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.1
 	github.com/swaggo/swag v1.16.6
@@ -141,6 +142,7 @@ require (
 	github.com/tidwall/match v1.2.0 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
+	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect