# Hosted API Contract

Hosted V1 uses the `personal-brain-api` Supabase Edge Function deployed to the Bezel Projects Supabase database.

Base URL:

```text
https://fyauumztocuinwhcokbn.supabase.co/functions/v1/personal-brain-api
```

## Install

Create a brain namespace and install token.

```http
POST /install
content-type: application/json

{
  "name": "My Personal Brain"
}
```

Response includes:

- `brain.id`
- `brain.namespace`
- `install_token`
- `.env` helper values

Do not print the install token in logs.

## Authenticated Requests

All non-install requests require:

```http
authorization: Bearer <install_token>
x-brain-id: <brain_id>
```

## Endpoints

```http
GET /brain
DELETE /brain
GET /thoughts
POST /thoughts
GET /ideas
POST /ideas
GET /tasks
POST /tasks
PATCH /tasks
```

## Trust Boundary

The generated local app must use this API surface in hosted V1.

It must not receive a Supabase service role key.

It must not run migrations against the hosted Projects DB.

It must not write directly to hosted Supabase tables unless a later recipe version adds an explicit RLS-backed public client contract.

## Cleanup

`DELETE /brain` deletes the current hosted sandbox brain and cascades its thoughts, ideas, tasks, and install tokens. Local generated apps should use this only for explicit user-initiated sandbox deletion or smoke-test cleanup.
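
The following is an added example, not code from this project: a client-side request builder a generated local app could use to stay inside this contract. It refuses method/path pairs that are not listed under Endpoints, attaches the two auth headers to every non-install request, requires explicit intent for `DELETE /brain`, and produces a log line with the install token redacted. The names `buildRequest`, `describeForLog`, `creds.installToken`, `creds.brainId` and `confirmDelete` are hypothetical.

```javascript
// Added example. Helper names and the creds/opts shapes are hypothetical;
// only the base URL, headers and method/path pairs come from the contract.
const BASE_URL =
  "https://fyauumztocuinwhcokbn.supabase.co/functions/v1/personal-brain-api";

// Method/path pairs listed in the contract; anything else is refused client-side.
const ALLOWED = new Set([
  "POST /install", "GET /brain", "DELETE /brain",
  "GET /thoughts", "POST /thoughts", "GET /ideas", "POST /ideas",
  "GET /tasks", "POST /tasks", "PATCH /tasks",
]);

function buildRequest(creds, method, path, body, opts = {}) {
  const key = `${method} ${path}`;
  if (!ALLOWED.has(key)) throw new Error(`not in hosted V1 contract: ${key}`);
  // DELETE /brain cascades thoughts, ideas, tasks and install tokens,
  // so the caller must state intent explicitly.
  if (key === "DELETE /brain" && opts.confirmDelete !== true) {
    throw new Error("DELETE /brain requires confirmDelete: true");
  }
  const headers = {};
  if (body !== undefined) headers["content-type"] = "application/json";
  if (key !== "POST /install") {
    if (!creds || !creds.installToken || !creds.brainId) {
      throw new Error("install token and brain id are required");
    }
    headers["authorization"] = `Bearer ${creds.installToken}`;
    headers["x-brain-id"] = creds.brainId;
  }
  return {
    url: BASE_URL + path,
    init: {
      method,
      headers,
      body: body === undefined ? undefined : JSON.stringify(body),
    },
  };
}

// Log-safe view of a request: the bearer token never reaches the log line.
function describeForLog(req) {
  const headers = { ...req.init.headers };
  if (headers.authorization) headers.authorization = "Bearer [REDACTED]";
  return JSON.stringify({ method: req.init.method, url: req.url, headers });
}
```

The returned `url` and `init` can be passed straight to `fetch(url, init)`; log `describeForLog(req)` rather than the request object itself.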
