# @yumi/hub — the unified Yumi backend

The "all in one" core. One service that every surface (desktop, web/mobile, Office)
talks to. It centralizes the three things that must NOT be re-implemented per flavor:

1. **Identity** — resolves the signed-in user from SSO (FlowMaster tenant,
   `yumi.flow-master.ai`) to a canonical Yumi identity, across Microsoft / Google / Apple.
2. **Memory broker** — the ONLY component that maps a user → their Hindsight bank + PAT
   (`src/hindsight-broker.js`). Surfaces never hold a shared Hindsight token again —
   which is what **closes the cross-user data leak** (`docs/SECURITY.md`).
3. **Session + admin** — shared conversations/projects (one session, every surface) and
   the admin API behind the console (`apps/admin`).

## Why it exists
The live cross-user leak came from each flavor independently reading a shared
`HINDSIGHT_API_MCP_AUTH_TOKEN` pointed at `/mcp/mmd/`. The hub removes that: a surface
authenticates via SSO, the hub resolves the user's own bank, and only that bank is ever
touched. Fail-closed by design.

## Endpoints (initial)
- `GET  /api/me` → the signed-in Yumi identity + linked providers
- `POST /api/hindsight/*` → per-user MCP proxy (bank resolved server-side from the session)
- `GET  /api/admin/users|orgs|banks|subscriptions` → admin API (RBAC-gated; powers `apps/admin`)
- `POST /api/token?connector=&scope=` → per-user delegated connector-token broker (BFF)

## Config
- `YUMI_SSO_DOMAIN` (default `yumi.flow-master.ai`)
- `HINDSIGHT_PUBLIC_URL` (default `https://hindsight.baobab-ts.com`)
- `HINDSIGHT_BANK_PATS` (JSON `{bank: pat}`) or `HINDSIGHT_BANK_PATS_FILE` (mounted secret)

## Status
Scaffold + the broker module (the leak-fix core) are in place; the SSO middleware +
endpoint wiring are the next build step (P1). See `docs/YUMI_MASTER.md §7, §10`, `docs/SECURITY.md`.