Pass create-key workspace_id (from OPENROUTER_WORKSPACE_ID, defaulting to the
project workspace) so minted keys land in the intended workspace instead of the
management key's default. Rename key to non-PII llmapikey/gh-<id>.
- buildCreateKeyBody emits workspace_id only when set (omission keeps default).
- createKey threads workspaceId; mintAndPersist sources it from env.
- Test asserts workspace_id presence/omission; document the new env var.
Self-contained GitHub OAuth (Arctic) with a stateless HS256 signed-cookie
session (jose); Supabase is downgraded to the Postgres host only.
- Origin-derived callback (no redirect-uri env); read:user scope; access
token read once at callback and discarded (no token storage).
- CSRF via single-use state cookie; open-redirect guard on next.
- getCurrentGithubIdentity() now reads the session cookie, preserving the
numeric provider_id identity contract for admin/dashboard/mint.
- Remove @supabase/ssr + @supabase/supabase-js, middleware, and the
supabase-dependent rls test; delete lib/supabase clients.
tiennm99