[memory-bank] Overhaul based on current usage

 - merge learning-journal.md into existing docs
 - introduce public-api.md
 - introduce components.md for more reliable lookup

Author: geropl

memory-bank/components.md

@@ -0,0 +1,49 @@
+# Gitpod Components Index
+
+This file serves as index for the per-component documentation in individual md files in the `memory-bank/components` directory.
+
+- [server](components/server.md)
+- [content-service](components/content-service.md)
+- [ws-manager-mk2](components/ws-manager-mk2.md)
+- [ws-daemon](components/ws-daemon.md)
+- [image-builder-mk3](components/image-builder-mk3.md)
+- [content-service-api](components/content-service-api.md)
+- [ws-manager-api](components/ws-manager-api.md)
+- [ws-daemon-api](components/ws-daemon-api.md)
+- [image-builder-api](components/image-builder-api.md)
+- [supervisor-api](components/supervisor-api.md)
+- [registry-facade-api](components/registry-facade-api.md)
+- [ide-service-api](components/ide-service-api.md)
+- [ide-metrics-api](components/ide-metrics-api.md)
+- [ws-manager-bridge-api](components/ws-manager-bridge-api.md)
+- [public-api](components/public-api.md)
+- [usage-api](components/usage-api.md)
+- [local-app-api](components/local-app-api.md)
+- [dashboard](components/dashboard.md)
+- [ide](components/ide.md)
+- [proxy](components/proxy.md)
+- [registry-facade](components/registry-facade.md)
+- [blobserve](components/blobserve.md)
+- [ipfs](components/ipfs.md)
+- [openvsx-proxy](components/openvsx-proxy.md)
+- [scheduler-extender](components/scheduler-extender.md)
+- [gitpod-db](components/gitpod-db.md)
+- [gitpod-protocol](components/gitpod-protocol.md)
+- [supervisor](components/supervisor.md)
+- [workspacekit](components/workspacekit.md)
+- [ws-proxy](components/ws-proxy.md)
+- [ide-proxy](components/ide-proxy.md)
+- [ide-service](components/ide-service.md)
+- [ide-metrics](components/ide-metrics.md)
+- [docker-up](components/docker-up.md)
+- [common-go](components/common-go.md)
+- [service-waiter](components/service-waiter.md)
+- [node-labeler](components/node-labeler.md)
+- [scrubber](components/scrubber.md)
+- [spicedb](components/spicedb.md)
+- [public-api-server](components/public-api-server.md)
+- [gitpod-cli](components/gitpod-cli.md)
+- [local-app](components/local-app.md)
+- [ws-manager-bridge](components/ws-manager-bridge.md)
+- [image-builder-bob](components/image-builder-bob.md)
+- [usage](components/usage.md)

memory-bank/components/content-service-api.md

@@ -98,13 +98,6 @@ This script performs the following actions:
 - Generates TypeScript code
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh`, which provides common functionality for all API components:
-
-- `install_dependencies`: Installs required protoc plugins
-- `protoc_buf_generate`: Uses the `buf` tool to generate code based on the configuration in `buf.gen.yaml`
-- `update_license`: Updates license headers in generated files
-
 ### Building After Code Generation
 After regenerating the code, you may need to rebuild components that depend on the Content Service API. This typically involves:
 

memory-bank/components/gitpod-db.md

@@ -49,7 +49,7 @@ The Gitpod DB component defines numerous entities that map to database tables, i
 - **User**: User accounts and profiles
 - **Workspace**: Workspace metadata and configuration
 - **WorkspaceInstance**: Running workspace instances
-- **Team**: Team organization and membership
+- **Team**: Represents an "Organization" within Gitpod, storing its core details, membership, and organization-level state. The entity is named `DBTeam` for historical reasons.
 - **Project**: Project configuration and settings
 - **Identity**: User identity and authentication
 - **Token**: Authentication tokens and credentials

memory-bank/components/gitpod-protocol.md

@@ -50,6 +50,7 @@ The Gitpod Protocol defines numerous core data structures, including:
 - `User`: User account information
 - `Identity`: Authentication provider identity
 - `Token`: Authentication tokens
+- `Organization` (defined in `src/teams-projects-protocol.ts`): Represents a team/organization, including its settings
 - `GitpodToken`: API tokens
 - `AuthProviderInfo`: Authentication provider metadata
 - `AuthProviderEntry`: Authentication provider configuration

memory-bank/components/ide-metrics-api.md

@@ -86,15 +86,6 @@ This script performs the following actions:
 - Generates Java code
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh` and defines some custom functions:
-
-- `install_dependencies`: Installs required protoc plugins
-- `local_go_protoc`: Generates Go code with specific include paths
-- `go_protoc_gateway`: Generates gRPC Gateway code for REST endpoints
-- `local_java_protoc`: Generates Java code
-- `update_license`: Updates license headers in generated files
-
 The IDE Metrics API is unique in that it generates both gRPC and REST API endpoints using the gRPC Gateway, and it also generates Java code for use in JetBrains IDE plugins.
 
 ### Building After Code Generation

memory-bank/components/ide-service-api.md

@@ -105,14 +105,6 @@ This script performs the following actions:
 - Generates TypeScript code using `ts_proto`
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh`:
-
-- `install_dependencies`: Installs required protoc plugins
-- `go_protoc`: Generates Go code
-- `typescript_ts_protoc`: Generates TypeScript code using ts_proto
-- `update_license`: Updates license headers in generated files
-
 The IDE Service API generates TypeScript code using the ts_proto plugin, which creates more modern TypeScript interfaces compared to the standard protoc TypeScript generator.
 
 ### Building After Code Generation

memory-bank/components/image-builder-api.md

@@ -109,14 +109,6 @@ This script performs the following actions:
 - Patches the generated TypeScript code for compatibility
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh`:
-
-- `install_dependencies`: Installs required protoc plugins
-- `go_protoc`: Generates Go code
-- `typescript_protoc`: Generates TypeScript code
-- `update_license`: Updates license headers in generated files
-
 Additionally, the script:
 - Generates mock implementations using `mockgen` for testing
 - Patches the generated TypeScript code using a script from the content-service-api

memory-bank/components/local-app-api.md

@@ -74,13 +74,6 @@ This script performs the following actions:
 - Generates Go code using `protoc-gen-go` and `protoc-gen-go-grpc`
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh` and defines some custom functions:
-
-- `install_dependencies`: Installs required protoc plugins
-- `local_go_protoc`: Generates Go code with specific include paths for third-party dependencies
-- `update_license`: Updates license headers in generated files
-
 The Local App API has a dependency on the Supervisor API for tunnel visibility definitions, which is included in the protoc generation process.
 
 ### Building After Code Generation

memory-bank/components/public-api-server.md

@@ -120,7 +120,7 @@ The Public API Server is configured through a JSON configuration file:
 ## Integration Points
 
 The Public API Server integrates with:
-1. **Gitpod Server**: For core Gitpod functionality
+1. **Gitpod Server**: For core Gitpod functionality. The Public API Server often acts as a gRPC gateway, proxying requests to the Gitpod Server (TypeScript component) where the business logic for many `gitpod.v1` services (like `OrganizationService`) is implemented.
 2. **Database**: For persistent storage
 3. **Redis**: For caching and session management
 4. **Billing Service**: For billing-related operations

memory-bank/components/public-api.md

@@ -0,0 +1,191 @@
+# Public API
+
+## Overview
+The Public API defines the gRPC interfaces for programmatic access to Gitpod functionality. It serves as the canonical way for external integrations, automation, and third-party tools to interact with Gitpod's core services. The API is structured into two packages (stable and experimental) with different compatibility guarantees and is designed to be backward compatible, well-documented, and follow modern API design principles.
+
+## Purpose
+This API provides a standardized interface for:
+- Programmatically managing workspaces (create, start, stop, delete)
+- Accessing and managing user information
+- Working with organizations and teams
+- Managing projects and repositories
+- Integrating with source code management systems
+- Configuring editors and IDEs
+- Authenticating via OpenID Connect
+- Managing personal access tokens
+- Automating Gitpod workflows
+
+## Architecture
+The Public API is implemented as a set of gRPC services defined in Protocol Buffer files. These definitions are used to generate client and server code in Go, TypeScript, and Java. The API is exposed on `api.gitpod.io` or `api.<domain>` for Dedicated installations.
+
+The API is structured into two main packages:
+
+1. **Stable (v1)**:
+   - Located in `gitpod/v1/`
+   - Provides compatibility guarantees
+   - Services, calls, types, and fields are not removed without following a deprecation policy
+   - Services, calls, types, and fields are not renamed
+   - Non-successful responses are described exhaustively
+   - **Implementation**: Directly implemented in the server component using Connect
+
+2. **Experimental**:
+   - Located in `gitpod/experimental/v1/`
+   - Provides no compatibility guarantees
+   - May change frequently
+   - **Implementation**: Handled in the public-api-server component, and either:
+     - Implemented directly in Go
+     - Forwarded to the old websocket API in the server component
+
+## Implementation Patterns
+
+### Stable API Implementation
+The stable API (v1) is implemented directly in the server component using Connect. This means:
+- The server component handles the business logic for these API endpoints
+- The implementation is in TypeScript using Connect
+
+### Experimental API Implementation
+The experimental API is handled in the public-api-server component in two ways:
+
+1. **Direct Implementation**:
+   - Some services are implemented directly in Go within the public-api-server
+   - These implementations handle the business logic directly
+   - They may interact with the database or other services directly
+
+2. **Forwarded Implementation**:
+   - Other services forward requests to the old websocket API in the server component
+   - The public-api-server acts as a proxy, translating gRPC requests to websocket API calls
+   - The server component handles the actual business logic
+   - This approach is often used for functionality that already exists in the server component
+
+## Key Services
+
+### Stable API (v1)
+All implemented in server component using Connect:
+- WorkspaceService
+- OrganizationService
+- UserService
+- TokenService
+- SCMService
+- AuthProviderService
+- ConfigurationService
+- EnvVarService
+- InstallationService
+- PrebuildService
+- SSHService
+- VerificationService
+
+### Experimental API
+Implemented in public-api-server:
+- WorkspacesService (Forwarded to server)
+- TeamsService (Directly implemented in Go)
+- ProjectsService (Forwarded to server)
+- EditorService (Directly implemented in Go)
+- IDEClientService (Directly implemented in Go)
+- OIDCService (Directly implemented in Go)
+- IdentityProviderService (Directly implemented in Go)
+- TokensService (Forwarded to server)
+- UserService (Forwarded to server)
+- StatsService (Directly implemented in Go)
+
+## Communication Patterns
+- The API uses gRPC for efficient, typed communication
+- Connect is used for the stable API implementation
+- Requests include authentication tokens for identifying the user
+- Pagination is supported for listing operations
+- Streaming is used for real-time updates (e.g., workspace status changes)
+- Field masks are used to specify which fields to return or update
+
+### Implementation-specific Patterns
+- **Stable API (v1)**:
+  - Requests are handled by the server component using Connect
+  - The public-api-server routes requests to the server component
+
+- **Experimental API**:
+  - Directly implemented services handle requests in the public-api-server
+  - Forwarded services translate gRPC requests to websocket API calls to the server component
+
+## Dependencies
+- **Server Component**: Implements the stable API and handles forwarded experimental API requests
+- **Public-api-server Component**: Implements experimental APIs directly or forwards to server
+- **Database**: Stores user, workspace, and organization data
+- **Redis**: Used for caching and session management
+- **gRPC and Connect**: Used for API implementation
+- **Protocol Buffers**: Used for API definition and code generation
+
+## Usage Examples
+- Creating and managing workspaces programmatically
+- Building custom dashboards and management tools
+- Integrating Gitpod with CI/CD pipelines
+- Automating workspace provisioning
+- Building IDE extensions that interact with Gitpod
+- Implementing custom authentication flows
+- Integrating with third-party services
+
+## Version Compatibility
+The API uses Protocol Buffers version 3 (proto3) syntax, which provides forward and backward compatibility features.
+
+### Stable API (v1)
+- Services, calls, types, and fields are not removed without following a deprecation policy
+- Services, calls, types, and fields are not renamed
+- Non-successful responses are described exhaustively
+- Changes require an API User Experience review
+
+### Experimental API
+- No compatibility guarantees
+- May change frequently
+- Should not be relied upon for production use
+
+## Code Generation and Building
+
+### Regenerating Code from Protobuf Definitions
+The Public API uses Protocol Buffers and gRPC for defining interfaces. When changes are made to the `.proto` files, the corresponding code in Go, TypeScript, and Java needs to be regenerated.
+
+To regenerate the code:
+
+1. Navigate to the public-api directory:
+   ```bash
+   cd components/public-api
+   ```
+
+2. Run the generate script:
+   ```bash
+   ./generate.sh
+   ```
+
+3. Rebuild the typescript code:
+   ```bash
+   cd typescript-commond && yarn build
+   ```
+
+This script performs the following actions:
+- Installs necessary dependencies
+- Lints the proto files using buf
+- Runs breaking change detection against the main branch
+- Removes previously generated files
+- Generates Go, TypeScript, and Java code using buf
+- Updates license headers
+- Runs formatting tools
+- Builds the TypeScript package
+
+### Building After Code Generation
+After regenerating the code, you may need to rebuild components that depend on the Public API. This typically involves:
+
+1. For Go components:
+   ```bash
+   cd <component-directory>
+   go build ./...
+   ```
+
+2. For TypeScript components:
+   ```bash
+   cd <component-directory>
+   yarn install
+   yarn build
+   ```
+
+3. Using Leeway (for CI/CD):
+   ```bash
+   leeway build -D components/<component-name>:app
+   ```
+
+The Public API is a critical component for enabling programmatic access to Gitpod functionality. It enables third-party integrations, automation, and custom tooling to interact with Gitpod in a standardized, versioned way.

memory-bank/components/registry-facade-api.md

@@ -86,13 +86,6 @@ This script performs the following actions:
 - Generates Go code using `protoc-gen-go` and `protoc-gen-go-grpc`
 - Updates license headers
 
-### Implementation Details
-The `generate.sh` script uses functions from the shared script at `scripts/protoc-generator.sh`:
-
-- `install_dependencies`: Installs required protoc plugins
-- `go_protoc`: Generates Go code
-- `update_license`: Updates license headers in generated files
-
 The Registry Facade API is relatively simple compared to other APIs, focusing primarily on defining the structure of image specifications rather than complex service interactions.
 
 ### Building After Code Generation

memory-bank/components/server.md

@@ -21,7 +21,7 @@ The primary purposes of the Server component are:
 
 The Server operates as an Express.js application with several key components:
 
-1. **API Server**: Provides HTTP and WebSocket endpoints for client communication
+1. **API Server**: Provides HTTP and WebSocket endpoints for client communication. It also directly hosts and implements `gitpod.v1` gRPC services (defined in `.proto` files within `components/public-api/`) for programmatic access.
 2. **Authentication System**: Handles user authentication and session management
 3. **Database Interface**: Interacts with the database for persistent storage
 4. **WebSocket Manager**: Manages real-time communication with clients
@@ -40,6 +40,7 @@ The server is designed as a modular application using dependency injection (Inve
 - `src/auth/`: Authentication and authorization
 - `src/workspace/`: Workspace management
 - `src/user/`: User management
+- `src/orgs/`: Organization management
 - `src/prebuilds/`: Prebuild functionality
 - `src/billing/`: Billing and subscription management
 - `src/github/`, `src/gitlab/`, `src/bitbucket/`: SCM integrations
@@ -79,8 +80,9 @@ The Server is configured via environment variables and configuration files, incl
 The Server exposes multiple API endpoints:
 
 1. **User API**: User management, authentication, and preferences
-2. **Workspace API**: Workspace creation, management, and access
-3. **SCM Integration APIs**: GitHub, GitLab, Bitbucket webhooks and OAuth
+2. **Organization API**: Handles organization creation, settings, member management, and administrative functions like maintenance mode.
+3. **Workspace API**: Workspace creation, management, and access
+4. **SCM Integration APIs**: GitHub, GitLab, Bitbucket webhooks and OAuth
 4. **Billing API**: Subscription and payment management
 5. **WebSocket API**: Real-time communication with clients
 6. **Health and Metrics API**: System health and monitoring
@@ -94,7 +96,7 @@ The Server supports multiple authentication methods:
 3. **OAuth Integration**: With GitHub, GitLab, Bitbucket, etc.
 4. **Personal Access Tokens**: For programmatic access
 
-Authorization is handled through a combination of user roles, permissions, and access controls.
+Authorization is handled through a combination of user roles and permissions, leveraging SpiceDB for fine-grained access control checks within its service implementations (including for gRPC services).
 
 ## Integration Points