npm - @angriff36/manifest - Versions diffs - 2.18.0 - Mend

@angriff36/manifest 2.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (995) hide show

package/dist/manifest/runtime-engine.js ADDED Viewed

@@ -0,0 +1,3872 @@
+import { dateOf, timeOf, datetimeOf, isValidDateString, isValidTimeString } from './date-time.js';
+import { applyMaskStrategy } from './masking.js';
+import { RateLimiter } from './runtime-rate-limit.js';
+import { checkRateLimitGate, executeWithRetry, policyHasRateLimit, } from './runtime-command-extensions.js';
+import { getSchedulesFromIR } from './runtime-schedule.js';
+import { RuntimeProfilingBridge } from './runtime-profiling-bridge.js';
+// Note: PostgresStore and SupabaseStore are in stores.node.ts for server-side use only.
+// This file is browser-safe and only includes MemoryStore and LocalStorageStore.
+/**
+ * Detect if running in production mode.
+ * Checks NODE_ENV environment variable (server-side) or global location (browser).
+ * In browsers, defaults to development since there's no standard production detection.
+ */
+function isProductionMode() {
+    // Server-side: check process.env.NODE_ENV
+    if (typeof process !== 'undefined' && process.env?.NODE_ENV === 'production') {
+        return true;
+    }
+    // Browser: no standard production detection, default to development
+    // for safety. Users can explicitly set requireValidProvenance in browser apps.
+    return false;
+}
+/**
+ * Thrown when an adapter action (persist/publish/effect) is executed in deterministicMode.
+ * This is a programming error, not a domain failure.
+ * See docs/spec/adapters.md for the normative exception to default no-op behavior.
+ */
+export class ManifestEffectBoundaryError extends Error {
+    actionKind;
+    constructor(actionKind) {
+        super(`Action '${actionKind}' is not allowed in deterministicMode. ` +
+            `Adapter actions (persist/publish/effect) must be handled externally. ` +
+            `See docs/spec/adapters.md.`);
+        this.name = 'ManifestEffectBoundaryError';
+        this.actionKind = actionKind;
+    }
+}
+/**
+ * Thrown when reaction cascading exceeds the maximum depth (default: 10).
+ * Indicates a potential infinite loop in reaction chains.
+ * See docs/spec/semantics.md § "Reactions".
+ */
+export class ManifestReactionDepthError extends Error {
+    depth;
+    triggerEvent;
+    targetCommand;
+    constructor(depth, triggerEvent, targetCommand) {
+        super(`Reaction depth limit (${depth}) exceeded. ` +
+            `Event '${triggerEvent}' → command '${targetCommand}' would exceed max depth. ` +
+            `Check for circular reaction chains.`);
+        this.name = 'ManifestReactionDepthError';
+        this.depth = depth;
+        this.triggerEvent = triggerEvent;
+        this.targetCommand = targetCommand;
+    }
+}
+/**
+ * In-memory JobQueue implementation for async commands.
+ * Suitable for testing and development. Production deployments should
+ * provide a durable implementation (e.g. database-backed).
+ */
+export class MemoryJobQueue {
+    jobs = [];
+    async enqueue(job) {
+        this.jobs.push({ ...job });
+    }
+    async drainPending() {
+        const pending = this.jobs.filter(j => j.status === 'pending');
+        for (const job of pending) {
+            job.status = 'running';
+        }
+        return pending;
+    }
+    async updateStatus(jobId, status, detail) {
+        const job = this.jobs.find(j => j.jobId === jobId);
+        if (job) {
+            job.status = status;
+            if (detail) {
+                job.result = detail.result;
+                job.error = detail.error;
+            }
+        }
+    }
+    /** Test utility: get all jobs */
+    getAll() {
+        return [...this.jobs];
+    }
+}
+/**
+ * Thrown when expression evaluation exceeds configured depth or step limits.
+ * This is a domain failure (caught and converted to CommandResult), not a programming error.
+ * See docs/spec/manifest-vnext.md § "Diagnostic Payload Bounding".
+ */
+export class EvaluationBudgetExceededError extends Error {
+    limitType;
+    limit;
+    constructor(limitType, limit) {
+        super(`Evaluation budget exceeded: ${limitType} limit ${limit} reached`);
+        this.name = 'EvaluationBudgetExceededError';
+        this.limitType = limitType;
+        this.limit = limit;
+    }
+}
+class MemoryStore {
+    items = new Map();
+    generateId;
+    constructor(generateId) {
+        this.generateId = generateId || (() => crypto.randomUUID());
+    }
+    async getAll() {
+        return Array.from(this.items.values());
+    }
+    async getById(id) {
+        return this.items.get(id);
+    }
+    async create(data) {
+        const id = data.id || this.generateId();
+        const item = { ...data, id };
+        this.items.set(id, item);
+        return item;
+    }
+    async update(id, data) {
+        const existing = this.items.get(id);
+        if (!existing)
+            return undefined;
+        const updated = { ...existing, ...data, id };
+        this.items.set(id, updated);
+        return updated;
+    }
+    async delete(id) {
+        return this.items.delete(id);
+    }
+    async clear() {
+        this.items.clear();
+    }
+}
+class LocalStorageStore {
+    key;
+    constructor(key) {
+        this.key = key;
+    }
+    load() {
+        try {
+            const data = localStorage.getItem(this.key);
+            return data ? JSON.parse(data) : [];
+        }
+        catch {
+            return [];
+        }
+    }
+    save(items) {
+        localStorage.setItem(this.key, JSON.stringify(items));
+    }
+    async getAll() {
+        return this.load();
+    }
+    async getById(id) {
+        return this.load().find(item => item.id === id);
+    }
+    async create(data) {
+        const items = this.load();
+        const id = data.id || crypto.randomUUID();
+        const item = { ...data, id };
+        items.push(item);
+        this.save(items);
+        return item;
+    }
+    async update(id, data) {
+        const items = this.load();
+        const idx = items.findIndex(item => item.id === id);
+        if (idx === -1)
+            return undefined;
+        const updated = { ...items[idx], ...data, id };
+        items[idx] = updated;
+        this.save(items);
+        return updated;
+    }
+    async delete(id) {
+        const items = this.load();
+        const idx = items.findIndex(item => item.id === id);
+        if (idx === -1)
+            return false;
+        items.splice(idx, 1);
+        this.save(items);
+        return true;
+    }
+    async clear() {
+        localStorage.removeItem(this.key);
+    }
+}
+export class RuntimeEngine {
+    ir;
+    context;
+    options;
+    stores = new Map();
+    eventListeners = [];
+    eventLog = [];
+    /** Current reaction nesting depth to prevent infinite loops */
+    reactionDepth = 0;
+    static MAX_REACTION_DEPTH = 10;
+    /** Index of relationships for efficient lookup during expression evaluation */
+    relationshipIndex = new Map();
+    /** Memoization cache for resolved relationships to avoid repeated store queries */
+    relationshipMemoCache = new Map();
+    /** Index of roles by name for O(1) permission checks */
+    roleIndex = new Map();
+    /** Track whether version has been incremented for the current command execution */
+    versionIncrementedForCommand = false;
+    /** Track instances that were just created (to prevent version increment on subsequent mutate actions) */
+    justCreatedInstanceIds = new Set();
+    /**
+     * Command-scoped write buffer. While set, mutate/compute actions apply their
+     * changes to an in-memory working copy (`instance`) and accumulate a single
+     * store-form `patch` instead of issuing one store read + write per action.
+     * The buffer is flushed in one `store.update` at the end of the action loop,
+     * then cleared — so a command that mutates N fields performs one read and one
+     * write rather than N. Scoped to the command's target instance only; nested
+     * (reaction/fan-out) commands save and restore the outer buffer.
+     */
+    commandBuffer = null;
+    /** Last transition validation error (set by updateInstance, checked by _executeCommandInternal) */
+    lastTransitionError = null;
+    /** Last concurrency conflict (set by updateInstance, checked by _executeCommandInternal) */
+    lastConcurrencyConflict = null;
+    /** Per-engine sliding-window rate limiter (in-memory; durable store is a follow-up) */
+    rateLimiter = new RateLimiter();
+    profilingBridge;
+    actionTraceCounter = 0;
+    /**
+     * In-process approval request cache, keyed by
+     * `${entity}:${instanceId}:${approvalName}`. Always maintained as a mirror
+     * so the synchronous `getApprovalRequest`/`expireApprovals` accessors work.
+     * When `options.approvalStore` is set, that store is the source of truth and
+     * this Map is just a write-through mirror; otherwise this Map IS the store.
+     */
+    approvalRequests = new Map();
+    /**
+     * Load an approval request, preferring the durable store when configured.
+     * Refreshes the in-process mirror so synchronous accessors stay coherent.
+     */
+    async loadApprovalState(key) {
+        const store = this.options.approvalStore;
+        if (store) {
+            const loaded = await store.load(key);
+            if (loaded)
+                this.approvalRequests.set(key, loaded);
+            else
+                this.approvalRequests.delete(key);
+            return loaded;
+        }
+        return this.approvalRequests.get(key);
+    }
+    /**
+     * Persist an approval request to the durable store (when configured) and
+     * always mirror it in-process so a later synchronous read sees it.
+     */
+    async saveApprovalState(key, state) {
+        this.approvalRequests.set(key, state);
+        const store = this.options.approvalStore;
+        if (store)
+            await store.save(key, state);
+    }
+    /** Per-entry-point evaluation budget for bounded complexity enforcement */
+    evalBudget = null;
+    /** Cache for computed property values, keyed by "entityName:instanceId:propertyName" */
+    computedPropertyCache = new Map();
+    /** Request-scoped cache for computed properties (cleared per command) */
+    computedPropertyRequestCache = new Map();
+    /**
+     * Initialize evaluation budget if not already active (re-entrant safe).
+     * Returns true if this call initialized the budget (caller must clear it in finally).
+     * Returns false if budget was already active (caller should NOT clear it).
+     */
+    initEvalBudget() {
+        if (this.evalBudget)
+            return false; // Already active — re-entrant call
+        this.evalBudget = {
+            depth: 0,
+            steps: 0,
+            maxDepth: this.options.evaluationLimits?.maxExpressionDepth ?? 64,
+            maxSteps: this.options.evaluationLimits?.maxEvaluationSteps ?? 10_000,
+        };
+        return true;
+    }
+    /** Clear evaluation budget (only call if initEvalBudget returned true) */
+    clearEvalBudget() {
+        this.evalBudget = null;
+    }
+    // ── Field-level encryption helpers ──────────────────────────────────
+    /**
+     * Returns the set of property names marked `encrypted` for the given entity.
+     * Cached per entity name since IR is immutable at runtime.
+     */
+    encryptedPropertyNamesCache = new Map();
+    encryptedPropertyNames(entityName) {
+        let cached = this.encryptedPropertyNamesCache.get(entityName);
+        if (cached)
+            return cached;
+        const entity = this.getEntity(entityName);
+        cached = new Set();
+        if (entity) {
+            for (const prop of entity.properties) {
+                if (prop.modifiers.includes('encrypted')) {
+                    cached.add(prop.name);
+                }
+            }
+        }
+        this.encryptedPropertyNamesCache.set(entityName, cached);
+        return cached;
+    }
+    /**
+     * Encrypt property values before a store write.
+     * Returns a shallow copy with encrypted fields replaced by envelope JSON.
+     * No-op when encryptionProvider is not configured or entity has no encrypted fields.
+     */
+    async encryptProperties(entityName, data) {
+        const provider = this.options.encryptionProvider;
+        if (!provider)
+            return data;
+        const names = this.encryptedPropertyNames(entityName);
+        if (names.size === 0)
+            return data;
+        const out = { ...data };
+        for (const name of names) {
+            if (!(name in out) || out[name] == null)
+                continue;
+            const plaintext = String(out[name]);
+            const { ciphertext, keyId } = await provider.encrypt(plaintext);
+            out[name] = JSON.stringify({ v: 1, kid: keyId, ct: ciphertext });
+        }
+        return out;
+    }
+    /**
+     * Decrypt property values after a store read.
+     * Returns a shallow copy with encrypted envelope JSON replaced by plaintext.
+     * No-op when encryptionProvider is not configured or entity has no encrypted fields.
+     */
+    async decryptProperties(entityName, instance) {
+        const provider = this.options.encryptionProvider;
+        if (!provider)
+            return instance;
+        const names = this.encryptedPropertyNames(entityName);
+        if (names.size === 0)
+            return instance;
+        const out = { ...instance };
+        for (const name of names) {
+            const raw = out[name];
+            if (typeof raw !== 'string')
+                continue;
+            try {
+                const envelope = JSON.parse(raw);
+                if (envelope && envelope.v === 1 && envelope.kid && envelope.ct) {
+                    out[name] = await provider.decrypt(envelope.ct, envelope.kid);
+                }
+            }
+            catch {
+                // Not an envelope — leave value as-is (e.g. plaintext from before encryption was enabled)
+            }
+        }
+        return out;
+    }
+    /**
+     * Resolve the active tenant value from runtime context using the IR tenant
+     * config's contextPath. Returns undefined when no tenant declaration exists
+     * in the IR or the context lacks the value.
+     */
+    resolveTenantValue() {
+        const tenantConfig = this.ir.tenant;
+        if (!tenantConfig)
+            return undefined;
+        const parts = tenantConfig.contextPath.split('.');
+        let current = undefined;
+        for (let i = 0; i < parts.length; i++) {
+            const part = parts[i];
+            if (i === 0) {
+                if (part === 'context')
+                    current = this.context;
+                else if (part === 'user')
+                    current = this.context.user;
+                else
+                    current = this.context[part];
+            }
+            else {
+                if (current && typeof current === 'object') {
+                    current = current[part];
+                }
+                else {
+                    return undefined;
+                }
+            }
+        }
+        return typeof current === 'string' ? current : undefined;
+    }
+    constructor(ir, context = {}, options = {}) {
+        this.ir = ir;
+        this.context = context;
+        this.options = options;
+        this.profilingBridge = new RuntimeProfilingBridge(options.profiling);
+        this.initializeStores();
+        this.buildRelationshipIndex();
+        this.buildRoleIndex();
+    }
+    initializeStores() {
+        for (const entity of this.ir.entities) {
+            // First check if a storeProvider is configured and use it
+            if (this.options.storeProvider) {
+                const customStore = this.options.storeProvider(entity.name);
+                if (customStore) {
+                    this.stores.set(entity.name, customStore);
+                    continue;
+                }
+            }
+            // Fall back to default store initialization
+            const storeConfig = this.ir.stores.find(s => s.entity === entity.name);
+            let store;
+            if (storeConfig) {
+                switch (storeConfig.target) {
+                    case 'localStorage': {
+                        const key = storeConfig.config.key?.kind === 'string'
+                            ? storeConfig.config.key.value
+                            : `${entity.name.toLowerCase()}s`;
+                        store = new LocalStorageStore(key);
+                        break;
+                    }
+                    case 'memory':
+                        store = new MemoryStore(this.options.generateId);
+                        break;
+                    case 'postgres':
+                        throw new Error(`PostgreSQL storage for entity '${entity.name}' is not available in browser environments. ` +
+                            `Use 'memory' or 'localStorage' for browser, or provide a custom store via the storeProvider option. ` +
+                            `For server-side use, import PostgresStore from stores.node.ts.`);
+                    case 'supabase':
+                        throw new Error(`Supabase storage for entity '${entity.name}' is not available in browser environments. ` +
+                            `Use 'memory' or 'localStorage' for browser, or provide a custom store via the storeProvider option. ` +
+                            `For server-side use, import SupabaseStore from stores.node.ts.`);
+                    case 'mongodb':
+                        throw new Error(`MongoDB storage for entity '${entity.name}' is not available in browser environments. ` +
+                            `Use 'memory' or 'localStorage' for browser, or provide a custom store via the storeProvider option. ` +
+                            `For server-side use, import MongoDBStore from stores.node.ts.`);
+                    case 'durable':
+                        // `'durable'` is a backend-neutral semantic signal — it intentionally does NOT
+                        // map to any built-in store. Consumers MUST supply a custom store adapter via
+                        // the storeProvider option (e.g. a Prisma-backed adapter). This is the deliberate
+                        // handoff point: core stays backend-neutral. (Matches v0.9.0 behavior.)
+                        throw new Error(`Entity '${entity.name}' declares 'store ... in durable' but no storeProvider is bound. ` +
+                            `'durable' is backend-neutral and requires a runtime store adapter supplied via the storeProvider option.`);
+                    default:
+                        // Custom store adapter scheme — requires a storeProvider that handles this target.
+                        // Plugin-registered adapters (e.g. 'redis', 'dynamodb') are resolved through the
+                        // CompositeStoreProvider built by the plugin loader.
+                        throw new Error(`Entity '${entity.name}' declares store target '${storeConfig.target}' but no storeProvider ` +
+                            `returned a store for it. Custom store targets require a matching StoreAdapterPlugin registered ` +
+                            `via the plugin API, or a storeProvider that handles the '${storeConfig.target}' scheme.`);
+                }
+            }
+            else {
+                store = new MemoryStore(this.options.generateId);
+            }
+            this.stores.set(entity.name, store);
+        }
+    }
+    /**
+     * Build an index of all relationships for efficient lookup during expression evaluation.
+     * Maps "EntityName.relationshipName" to relationship metadata.
+     */
+    buildRelationshipIndex() {
+        for (const entity of this.ir.entities) {
+            for (const rel of entity.relationships) {
+                const key = `${entity.name}.${rel.name}`;
+                this.relationshipIndex.set(key, {
+                    entityName: entity.name,
+                    relationshipName: rel.name,
+                    kind: rel.kind,
+                    targetEntity: rel.target,
+                    // Only extract the FK field name for single-column FKs.
+                    // Composite FKs (fields.length > 1) are left undefined so the runtime
+                    // falls back to the `${relName}Id` convention rather than silently
+                    // resolving by fields[0] alone and potentially returning the wrong row.
+                    // Composite FK resolution requires a full store adapter (e.g. Prisma).
+                    foreignKey: rel.foreignKey && rel.foreignKey.fields.length === 1
+                        ? rel.foreignKey.fields[0]
+                        : undefined,
+                });
+            }
+        }
+    }
+    buildRoleIndex() {
+        if (this.ir.roles) {
+            for (const role of this.ir.roles) {
+                this.roleIndex.set(role.name, role);
+            }
+        }
+    }
+    /**
+     * Check if a role has a specific permission.
+     * Uses precomputed effectivePermissions for O(1) lookup.
+     * Unknown role → false (no permissive default, per house style).
+     */
+    roleHasPermission(roleName, action, target) {
+        const role = this.roleIndex.get(roleName);
+        if (!role)
+            return false;
+        return role.effectivePermissions.some(p => {
+            const actionMatch = p.action === 'all' || p.action === action;
+            const targetMatch = p.target === undefined || p.target === target;
+            return actionMatch && targetMatch;
+        });
+    }
+    /**
+     * Clear the relationship memoization cache.
+     * Called at the start of each command execution to ensure fresh data.
+     */
+    clearMemoCache() {
+        this.relationshipMemoCache.clear();
+        this.computedPropertyRequestCache.clear();
+    }
+    /**
+     * Resolve a relationship for a given instance.
+     * Uses memoization cache to avoid repeated store queries within a single command execution.
+     * @param entityName - The source entity name
+     * @param instance - The source instance (must have an id)
+     * @param relationshipName - The relationship name to resolve
+     * @returns For hasMany: array of related instances; for hasOne/belongsTo/ref: single instance or null
+     */
+    async resolveRelationship(entityName, instance, relationshipName) {
+        const key = `${entityName}.${relationshipName}`;
+        const rel = this.relationshipIndex.get(key);
+        if (!rel) {
+            return null;
+        }
+        const sourceId = instance.id;
+        if (!sourceId) {
+            return null;
+        }
+        // Build cache key including instance ID for accurate memoization
+        const cacheKey = `${entityName}.${sourceId}.${relationshipName}`;
+        // Check cache first
+        const cached = this.relationshipMemoCache.get(cacheKey);
+        if (cached) {
+            return cached.result;
+        }
+        let result = null;
+        switch (rel.kind) {
+            case 'belongsTo':
+            case 'ref': {
+                // For belongsTo/ref: the foreign key on the source instance contains the target ID
+                const fkProperty = rel.foreignKey || `${rel.relationshipName}Id`;
+                const targetId = instance[fkProperty];
+                if (!targetId) {
+                    result = null;
+                }
+                else {
+                    result = await this.getInstanceRaw(rel.targetEntity, targetId) ?? null;
+                }
+                break;
+            }
+            case 'hasOne': {
+                // For hasOne: find the target instance where its belongsTo foreign key equals source ID
+                // We need to find the inverse relationship on the target entity
+                const targetEntity = this.getEntity(rel.targetEntity);
+                if (!targetEntity) {
+                    result = null;
+                    break;
+                }
+                // Find the inverse belongsTo relationship
+                const inverseRel = targetEntity.relationships.find(r => (r.kind === 'belongsTo' || r.kind === 'ref') &&
+                    r.target === entityName);
+                if (inverseRel) {
+                    // Use the inverse relationship's foreign key
+                    const fkProperty = inverseRel.foreignKey?.fields[0] ?? `${inverseRel.name}Id`;
+                    const allTargets = await this.getAllInstancesRaw(rel.targetEntity);
+                    result = allTargets.find(t => t[fkProperty] === sourceId) ?? null;
+                }
+                else {
+                    // Fallback: assume the foreign key is named after the source entity
+                    const assumedFk = `${entityName.toLowerCase()}Id`;
+                    const allTargets = await this.getAllInstancesRaw(rel.targetEntity);
+                    result = allTargets.find(t => t[assumedFk] === sourceId) ?? null;
+                }
+                break;
+            }
+            case 'hasMany': {
+                // For hasMany: find all target instances where their belongsTo foreign key equals source ID
+                const targetEntity = this.getEntity(rel.targetEntity);
+                if (!targetEntity) {
+                    result = [];
+                    break;
+                }
+                // Find the inverse belongsTo relationship
+                const inverseRel = targetEntity.relationships.find(r => (r.kind === 'belongsTo' || r.kind === 'ref') &&
+                    r.target === entityName);
+                if (inverseRel) {
+                    const fkProperty = inverseRel.foreignKey?.fields[0] ?? `${inverseRel.name}Id`;
+                    const allTargets = await this.getAllInstancesRaw(rel.targetEntity);
+                    result = allTargets.filter(t => t[fkProperty] === sourceId);
+                }
+                else {
+                    // Fallback: assume the foreign key is named after the source entity
+                    const assumedFk = `${entityName.toLowerCase()}Id`;
+                    const allTargets = await this.getAllInstancesRaw(rel.targetEntity);
+                    result = allTargets.filter(t => t[assumedFk] === sourceId);
+                }
+                break;
+            }
+            default:
+                result = null;
+        }
+        // Enrich resolved instances with _entity metadata for chained traversal
+        // (e.g., self.order.customer.name follows Order → Customer → name)
+        if (result !== null) {
+            if (Array.isArray(result)) {
+                result = result.map(r => ({ ...r, _entity: rel.targetEntity }));
+            }
+            else {
+                result = { ...result, _entity: rel.targetEntity };
+            }
+        }
+        // Cache the result
+        this.relationshipMemoCache.set(cacheKey, {
+            result,
+            timestamp: this.getNow(),
+        });
+        return result;
+    }
+    getNow() {
+        return this.options.now ? this.options.now() : Date.now();
+    }
+    /**
+     * Generate a unique identifier for runtime-internal records (audit
+     * records, outbox entry ids). Uses the caller-supplied generator from
+     * RuntimeOptions when present; otherwise falls back to crypto.randomUUID.
+     * Distinct from `getBuiltins().uuid` only by intent — keeping a named
+     * helper avoids leaking the fallback chain across call sites.
+     */
+    nextRuntimeId() {
+        return this.options.generateId ? this.options.generateId() : crypto.randomUUID();
+    }
+    getBuiltins() {
+        // Custom builtins from plugins are spread first; core builtins override
+        // any name collision so reserved names cannot be replaced.
+        const custom = this.options.customBuiltins;
+        return {
+            ...(custom ? Object.fromEntries(custom) : undefined),
+            // Core builtins
+            now: () => this.getNow(),
+            uuid: () => this.options.generateId ? this.options.generateId() : crypto.randomUUID(),
+            // String builtins
+            trim: (s) => typeof s === 'string' ? s.trim() : s,
+            split: (s, sep) => typeof s === 'string' ? s.split(sep) : s,
+            count: (v) => Array.isArray(v) ? v.length : v,
+            startsWith: (s, prefix) => typeof s === 'string' ? s.startsWith(prefix) : false,
+            endsWith: (s, suffix) => typeof s === 'string' ? s.endsWith(suffix) : false,
+            replace: (s, search, replacement) => typeof s === 'string' ? s.replace(new RegExp(search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'), () => replacement) : s,
+            toUpperCase: (s) => typeof s === 'string' ? s.toUpperCase() : s,
+            toLowerCase: (s) => typeof s === 'string' ? s.toLowerCase() : s,
+            length: (v) => {
+                if (typeof v === 'string')
+                    return v.length;
+                if (Array.isArray(v))
+                    return v.length;
+                return v;
+            },
+            substring: (s, start, end) => typeof s === 'string'
+                ? (end !== undefined ? s.substring(start, end) : s.substring(start))
+                : s,
+            indexOf: (s, search) => typeof s === 'string' ? s.indexOf(search) : -1,
+            matches: (s, pattern) => {
+                if (typeof s !== 'string' || typeof pattern !== 'string')
+                    return false;
+                try {
+                    return new RegExp(pattern).test(s);
+                }
+                catch {
+                    return false;
+                }
+            },
+            search: (text, query) => {
+                if (typeof text !== 'string' || typeof query !== 'string')
+                    return false;
+                const tokenize = (s) => s.toLowerCase().split(/[^a-z0-9]+/i).filter(Boolean);
+                const haystack = new Set(tokenize(text));
+                const needles = tokenize(query);
+                if (needles.length === 0)
+                    return false;
+                return needles.every(n => haystack.has(n));
+            },
+            // Math builtins
+            abs: (v) => typeof v === 'number' ? Math.abs(v) : v,
+            round: (v) => typeof v === 'number' ? Math.round(v) : v,
+            floor: (v) => typeof v === 'number' ? Math.floor(v) : v,
+            ceil: (v) => typeof v === 'number' ? Math.ceil(v) : v,
+            min: (...args) => {
+                const nums = args.filter((a) => typeof a === 'number');
+                return nums.length > 0 ? Math.min(...nums) : undefined;
+            },
+            max: (...args) => {
+                const nums = args.filter((a) => typeof a === 'number');
+                return nums.length > 0 ? Math.max(...nums) : undefined;
+            },
+            between: (value, low, high) => typeof value === 'number' && typeof low === 'number' && typeof high === 'number'
+                ? value >= low && value <= high
+                : false,
+            // Array / aggregate builtins
+            sum: (arr, mapper) => {
+                if (Array.isArray(arr)) {
+                    if (typeof mapper === 'function') {
+                        return (async () => {
+                            let total = 0;
+                            for (const element of arr) {
+                                const v = await Promise.resolve(mapper(element));
+                                if (typeof v === 'number')
+                                    total += v;
+                            }
+                            return total;
+                        })();
+                    }
+                    return arr.reduce((acc, v) => typeof v === 'number' ? acc + v : acc, 0);
+                }
+                return arr;
+            },
+            avg: (arr, mapper) => {
+                if (Array.isArray(arr) && arr.length > 0) {
+                    if (typeof mapper === 'function') {
+                        return (async () => {
+                            let total = 0;
+                            let count = 0;
+                            for (const element of arr) {
+                                const v = await Promise.resolve(mapper(element));
+                                if (typeof v === 'number') {
+                                    total += v;
+                                    count++;
+                                }
+                            }
+                            return count > 0 ? total / count : 0;
+                        })();
+                    }
+                    const nums = arr.filter((v) => typeof v === 'number');
+                    return nums.length > 0 ? nums.reduce((a, b) => a + b, 0) / nums.length : 0;
+                }
+                return 0;
+            },
+            min_of: (arr, mapper) => {
+                if (Array.isArray(arr) && arr.length > 0) {
+                    if (typeof mapper === 'function') {
+                        return (async () => {
+                            let result;
+                            for (const element of arr) {
+                                const v = await Promise.resolve(mapper(element));
+                                if (typeof v === 'number' && (result === undefined || v < result))
+                                    result = v;
+                            }
+                            return result;
+                        })();
+                    }
+                    const nums = arr.filter((v) => typeof v === 'number');
+                    return nums.length > 0 ? Math.min(...nums) : undefined;
+                }
+                return undefined;
+            },
+            max_of: (arr, mapper) => {
+                if (Array.isArray(arr) && arr.length > 0) {
+                    if (typeof mapper === 'function') {
+                        return (async () => {
+                            let result;
+                            for (const element of arr) {
+                                const v = await Promise.resolve(mapper(element));
+                                if (typeof v === 'number' && (result === undefined || v > result))
+                                    result = v;
+                            }
+                            return result;
+                        })();
+                    }
+                    const nums = arr.filter((v) => typeof v === 'number');
+                    return nums.length > 0 ? Math.max(...nums) : undefined;
+                }
+                return undefined;
+            },
+            count_of: (arr, predicate) => {
+                if (Array.isArray(arr)) {
+                    if (typeof predicate === 'function') {
+                        return (async () => {
+                            let count = 0;
+                            for (const element of arr) {
+                                const v = await Promise.resolve(predicate(element));
+                                if (v)
+                                    count++;
+                            }
+                            return count;
+                        })();
+                    }
+                    return arr.length;
+                }
+                return 0;
+            },
+            filter: (arr, predicate) => {
+                if (Array.isArray(arr) && typeof predicate === 'function') {
+                    return (async () => {
+                        const result = [];
+                        for (const element of arr) {
+                            const v = await Promise.resolve(predicate(element));
+                            if (v)
+                                result.push(element);
+                        }
+                        return result;
+                    })();
+                }
+                return Array.isArray(arr) ? arr : [];
+            },
+            map: (arr, mapper) => {
+                if (Array.isArray(arr) && typeof mapper === 'function') {
+                    return (async () => {
+                        const result = [];
+                        for (const element of arr) {
+                            result.push(await Promise.resolve(mapper(element)));
+                        }
+                        return result;
+                    })();
+                }
+                return Array.isArray(arr) ? arr : [];
+            },
+            // Date builtins (UTC components; ts is milliseconds since epoch)
+            year: (ts) => typeof ts === 'number' ? new Date(ts).getUTCFullYear() : ts,
+            month: (ts) => typeof ts === 'number' ? new Date(ts).getUTCMonth() + 1 : ts,
+            day: (ts) => typeof ts === 'number' ? new Date(ts).getUTCDate() : ts,
+            hours: (ts) => typeof ts === 'number' ? new Date(ts).getUTCHours() : ts,
+            minutes: (ts) => typeof ts === 'number' ? new Date(ts).getUTCMinutes() : ts,
+            seconds: (ts) => typeof ts === 'number' ? new Date(ts).getUTCSeconds() : ts,
+            // Date/time primitive builtins (pure, UTC-only).
+            // Convention note: the legacy `year`..`seconds` builtins above pass non-number
+            // input through unchanged; these newer builtins return null on invalid input
+            // (non-number, NaN, or Infinity).
+            dateOf: (ts) => dateOf(ts),
+            timeOf: (ts) => timeOf(ts),
+            datetimeOf: (d, t) => datetimeOf(d, t),
+            addDuration: (ts, d) => typeof ts === 'number' && Number.isFinite(ts) && typeof d === 'number' && Number.isFinite(d) ? ts + d : null,
+            durationBetween: (a, b) => typeof a === 'number' && Number.isFinite(a) && typeof b === 'number' && Number.isFinite(b) ? b - a : null,
+            durationDays: (n) => typeof n === 'number' && Number.isFinite(n) ? n * 86400000 : null,
+            durationHours: (n) => typeof n === 'number' && Number.isFinite(n) ? n * 3600000 : null,
+            durationMinutes: (n) => typeof n === 'number' && Number.isFinite(n) ? n * 60000 : null,
+            durationSeconds: (n) => typeof n === 'number' && Number.isFinite(n) ? n * 1000 : null,
+            // Feature flag builtin
+            flag: (name) => {
+                if (typeof name !== 'string')
+                    return false;
+                if (this.options.flagProvider) {
+                    return this.options.flagProvider(name);
+                }
+                return false;
+            },
+            // Role hierarchy builtins
+            hasPermission: (action, target) => {
+                if (typeof action !== 'string')
+                    return false;
+                const roleName = this.context.user?.role;
+                if (typeof roleName !== 'string')
+                    return false;
+                return this.roleHasPermission(roleName, action, typeof target === 'string' ? target : undefined);
+            },
+            roleAllows: (roleName, action, target) => {
+                if (typeof roleName !== 'string' || typeof action !== 'string')
+                    return false;
+                return this.roleHasPermission(roleName, action, typeof target === 'string' ? target : undefined);
+            },
+        };
+    }
+    getIR() {
+        return this.ir;
+    }
+    /**
+     * Get the provenance metadata from the IR
+     */
+    getProvenance() {
+        return this.ir.provenance;
+    }
+    /**
+     * Log provenance information at startup
+     * This can be called by UI code to display provenance
+     */
+    logProvenance() {
+        const prov = this.getProvenance();
+        if (!prov) {
+            console.warn('[Manifest Runtime] No provenance information found in IR.');
+            return;
+        }
+        // Provenance information is available via getProvenance() for programmatic access
+    }
+    /**
+     * Verify the IR integrity by checking that the computed hash matches the expected hash.
+     * Returns true if verification passes, false otherwise.
+     *
+     * @param expectedHash - Optional expected hash. If not provided, uses the IR's self-reported irHash
+     * @returns true if hash matches or if no hash is available to verify
+     */
+    async verifyIRHash(expectedHash) {
+        const prov = this.ir.provenance;
+        if (!prov) {
+            console.warn('[Manifest Runtime] No provenance information found, cannot verify IR hash.');
+            return false;
+        }
+        const targetHash = expectedHash || prov.irHash;
+        if (!targetHash) {
+            console.warn('[Manifest Runtime] No IR hash available for verification.');
+            return false;
+        }
+        try {
+            // Compute hash of the current IR (excluding the irHash field itself)
+            const { irHash: _irHash, ...provenanceWithoutIrHash } = prov;
+            const canonical = {
+                ...this.ir,
+                provenance: provenanceWithoutIrHash,
+            };
+            // Use deterministic JSON serialization with recursive key sorting (same as compiler).
+            // A replacer function sorts object keys at every nesting level to ensure
+            // the recomputed hash matches the compiler's hash for unmodified IR.
+            const json = JSON.stringify(canonical, (_key, value) => {
+                if (value && typeof value === 'object' && !Array.isArray(value)) {
+                    const sorted = {};
+                    for (const k of Object.keys(value).sort()) {
+                        sorted[k] = value[k];
+                    }
+                    return sorted;
+                }
+                return value;
+            });
+            const encoder = new TextEncoder();
+            const data = encoder.encode(json);
+            const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            const computedHash = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+            const isValid = computedHash === targetHash;
+            if (!isValid) {
+                console.error(`[Manifest Runtime] IR hash verification failed!\n` +
+                    `  Expected: ${targetHash}\n` +
+                    `  Computed: ${computedHash}\n` +
+                    `  The IR may have been tampered with or modified since compilation.`);
+            }
+            return isValid;
+        }
+        catch (error) {
+            console.error('[Manifest Runtime] Error during IR hash verification:', error);
+            return false;
+        }
+    }
+    /**
+     * Verify IR and throw if invalid. Use this when requireValidProvenance is true.
+     * @throws Error if IR hash verification fails
+     */
+    async assertValidProvenance() {
+        if (this.options.requireValidProvenance) {
+            const isValid = await this.verifyIRHash(this.options.expectedIRHash);
+            if (!isValid) {
+                throw new Error('IR provenance verification failed. The IR may have been modified since compilation. ' +
+                    'This runtime requires valid provenance for execution.');
+            }
+        }
+    }
+    getContext() {
+        return this.context;
+    }
+    setContext(ctx) {
+        this.context = { ...this.context, ...ctx };
+    }
+    replaceContext(ctx) {
+        this.context = { ...ctx };
+    }
+    getEntities() {
+        return this.ir.entities;
+    }
+    getEntity(name) {
+        return this.ir.entities.find(e => e.name === name);
+    }
+    getCommands() {
+        return this.ir.commands;
+    }
+    getCommand(name, entityName) {
+        if (entityName) {
+            const entity = this.getEntity(entityName);
+            if (!entity || !entity.commands.includes(name))
+                return undefined;
+            return this.ir.commands.find(c => c.name === name && c.entity === entityName);
+        }
+        return this.ir.commands.find(c => c.name === name);
+    }
+    getPolicies() {
+        return this.ir.policies;
+    }
+    /** Return all schedule declarations from the compiled IR. */
+    getSchedules() {
+        return Array.from(getSchedulesFromIR(this.ir).values());
+    }
+    /**
+     * Run a named schedule: evaluate bound params and dispatch the target command.
+     * Sets context.source to 'schedule' and context.scheduleName for the invocation.
+     */
+    async runSchedule(scheduleName, options = {}) {
+        const schedule = getSchedulesFromIR(this.ir).get(scheduleName);
+        if (!schedule) {
+            return {
+                success: false,
+                error: `Schedule '${scheduleName}' not found`,
+                emittedEvents: [],
+            };
+        }
+        const input = {};
+        const now = this.getNow();
+        const paramContext = {
+            ...this.buildEvalContext({}, undefined, schedule.entityName),
+            now,
+        };
+        if (schedule.params) {
+            for (const param of schedule.params) {
+                input[param.name] = await this.evaluateExpression(param.expression, paramContext);
+            }
+        }
+        const prevSource = this.context.source;
+        const prevScheduleName = this.context.scheduleName;
+        this.context.source = 'schedule';
+        this.context.scheduleName = scheduleName;
+        try {
+            return await this.runCommand(schedule.commandName, input, {
+                ...(schedule.entityName ? { entityName: schedule.entityName } : {}),
+                ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+            });
+        }
+        finally {
+            this.context.source = prevSource;
+            if (prevScheduleName !== undefined) {
+                this.context.scheduleName = prevScheduleName;
+            }
+            else {
+                delete this.context.scheduleName;
+            }
+        }
+    }
+    getStore(entityName) {
+        return this.stores.get(entityName);
+    }
+    /**
+     * Get collected command profiles when profiling is enabled.
+     * Returns an empty array when profiling is not configured.
+     */
+    getProfiles() {
+        return [...this.profilingBridge.getProfiles()];
+    }
+    /**
+     * Execute middleware registered for a given hook.
+     * Returns a short-circuit result if any middleware short-circuits,
+     * or undefined to continue normal execution.
+     */
+    async runMiddleware(hook, command, evalContext, input, options, emittedEvents = []) {
+        const middlewares = this.options.middleware;
+        if (!middlewares || middlewares.length === 0)
+            return undefined;
+        for (const mw of middlewares) {
+            if (!mw.hooks.includes(hook))
+                continue;
+            const ctx = {
+                hook,
+                command,
+                evalContext,
+                input,
+                runtimeContext: this.context,
+                entityName: options.entityName,
+                instanceId: options.instanceId,
+                emittedEvents,
+            };
+            const result = await mw.handler(ctx);
+            if (result.contextPatch) {
+                Object.assign(evalContext, result.contextPatch);
+            }
+            if (result.shortCircuit && result.result) {
+                return result.result;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Public read surface: tenant filter → decrypt → mask (read-projection only).
+     * Execution paths (guards, actions, policies, computed properties, relationship
+     * resolution) use getAllInstancesRaw and always see real values.
+     */
+    async getAllInstances(entityName) {
+        const all = await this.getAllInstancesRaw(entityName);
+        const masked = [];
+        for (const inst of all) {
+            masked.push(await this.applyMasking(entityName, inst));
+        }
+        return masked;
+    }
+    /** Internal read path: tenant filter + decryption, NO masking. */
+    async getAllInstancesRaw(entityName) {
+        const store = this.stores.get(entityName);
+        if (!store)
+            return [];
+        let all = await store.getAll();
+        if (this.ir.tenant) {
+            const tv = this.resolveTenantValue();
+            if (tv) {
+                const prop = this.ir.tenant.property;
+                all = all.filter(inst => inst[prop] === tv);
+            }
+        }
+        // Decrypt encrypted fields after store read
+        const decrypted = [];
+        for (const inst of all) {
+            decrypted.push(await this.decryptProperties(entityName, inst));
+        }
+        return decrypted;
+    }
+    /**
+     * Public read surface: tenant filter → decrypt → mask (read-projection only).
+     * Execution paths use getInstanceRaw and always see real values.
+     */
+    async getInstance(entityName, id) {
+        const inst = await this.getInstanceRaw(entityName, id);
+        return inst ? await this.applyMasking(entityName, inst) : inst;
+    }
+    /** Internal read path: tenant filter + decryption, NO masking. */
+    async getInstanceRaw(entityName, id) {
+        // Command working copy: during command execution, reads of the target
+        // instance return the in-memory copy carrying this command's mutations,
+        // so guards/computes/refreshes see pending changes without a store read.
+        const buf = this.commandBuffer;
+        if (buf && buf.entityName === entityName && buf.id === id && buf.instance) {
+            return buf.instance;
+        }
+        const store = this.stores.get(entityName);
+        if (!store)
+            return undefined;
+        const inst = await store.getById(id);
+        if (inst && this.ir.tenant) {
+            const tv = this.resolveTenantValue();
+            if (tv && inst[this.ir.tenant.property] !== tv) {
+                return undefined;
+            }
+        }
+        // Decrypt encrypted fields after store read
+        return inst ? await this.decryptProperties(entityName, inst) : undefined;
+    }
+    // ── Property masking (docs/spec/semantics.md, "Property Masking") ───
+    /** Cache of properties carrying maskStrategy, per entity (IR is immutable at runtime). */
+    maskedPropertiesCache = new Map();
+    maskedProperties(entityName) {
+        let cached = this.maskedPropertiesCache.get(entityName);
+        if (cached)
+            return cached;
+        const entity = this.getEntity(entityName);
+        cached = entity ? entity.properties.filter(p => p.maskStrategy !== undefined) : [];
+        this.maskedPropertiesCache.set(entityName, cached);
+        return cached;
+    }
+    /**
+     * Apply read-time masking to an instance (after decryption and tenant filtering).
+     * - `private` wins over `masked`: the property is excluded entirely.
+     * - `null`/`undefined` pass through unmasked.
+     * - `unmaskWhen` falsy or throwing ⇒ value stays masked (secure by default).
+     *   An evaluation error additionally surfaces a diagnostic; it never changes
+     *   the masked outcome (diagnostics explain, never compensate).
+     */
+    async applyMasking(entityName, instance) {
+        const maskedProps = this.maskedProperties(entityName);
+        if (maskedProps.length === 0)
+            return instance;
+        const out = { ...instance };
+        for (const prop of maskedProps) {
+            if (prop.modifiers.includes('private')) {
+                delete out[prop.name];
+                continue;
+            }
+            const value = out[prop.name];
+            if (value === null || value === undefined)
+                continue;
+            const strategy = prop.maskStrategy;
+            if (strategy.unmaskWhen) {
+                const ownsEvalBudget = this.initEvalBudget();
+                try {
+                    // self.* binds the raw instance (real values); user.*/context.* from runtime context
+                    const evalContext = this.buildEvalContext({}, instance, entityName);
+                    const allowed = await this.evaluateExpression(strategy.unmaskWhen, evalContext);
+                    if (allowed)
+                        continue; // truthy ⇒ real value returned
+                }
+                catch (error) {
+                    // Secure by default: an error keeps the value masked. Surface a diagnostic
+                    // carrying the expression and resolved values; never alter the outcome.
+                    let resolved = [];
+                    try {
+                        const evalContext = this.buildEvalContext({}, instance, entityName);
+                        resolved = await this.resolveExpressionValues(strategy.unmaskWhen, evalContext);
+                    }
+                    catch {
+                        // resolution itself failed — report without resolved values
+                    }
+                    console.warn(`[Manifest Runtime] unmaskWhen evaluation error for '${entityName}.${prop.name}' (value stays masked):`, {
+                        expression: this.formatExpression(strategy.unmaskWhen),
+                        resolved,
+                        error: error instanceof Error ? error.message : String(error),
+                    });
+                }
+                finally {
+                    if (ownsEvalBudget)
+                        this.clearEvalBudget();
+                }
+            }
+            out[prop.name] = applyMaskStrategy(strategy, value);
+        }
+        return out;
+    }
+    /**
+     * Check entity constraints against instance data
+     * Returns array of constraint failures (empty if all pass)
+     * Useful for diagnostic purposes without mutating state
+     */
+    async checkConstraints(entityName, data) {
+        const entity = this.getEntity(entityName);
+        if (!entity)
+            return [];
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            const outcomes = await this.validateConstraints(entity, data);
+            // Return only failed constraints for backwards compatibility with test patterns
+            // (Callers can still see all outcomes by using validateConstraints directly)
+            return outcomes.filter(o => !o.passed);
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    /**
+     * Evaluate all entity constraints against instance data, returning every outcome
+     * (both passed and failed). Useful for diagnostic UIs that show full constraint status.
+     */
+    async evaluateAllConstraints(entityName, data) {
+        const entity = this.getEntity(entityName);
+        if (!entity)
+            return [];
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            return await this.validateConstraints(entity, data);
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    async createInstance(entityName, data) {
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            return (await this.createInstanceWithOutcomes(entityName, data)).instance;
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    prepareCreateData(entity, data) {
+        const defaults = {};
+        for (const prop of entity.properties) {
+            if (prop.defaultValue) {
+                defaults[prop.name] = this.irValueToJs(prop.defaultValue);
+            }
+            else if (prop.autoNow) {
+                // `= now()` / `= today()` default: stamp current time on create.
+                defaults[prop.name] = this.getNow();
+            }
+            else {
+                defaults[prop.name] = this.getDefaultForType(prop.type);
+            }
+        }
+        const mergedData = { ...defaults, ...data };
+        if (this.ir.tenant) {
+            const tv = this.resolveTenantValue();
+            if (tv) {
+                mergedData[this.ir.tenant.property] = tv;
+            }
+        }
+        // Handle version properties for optimistic concurrency control
+        if (entity.versionProperty) {
+            mergedData[entity.versionProperty] = 1;
+        }
+        if (entity.versionAtProperty) {
+            mergedData[entity.versionAtProperty] = this.getNow();
+        }
+        if (entity.timestamps) {
+            const now = this.getNow();
+            mergedData.createdAt = now;
+            mergedData.updatedAt = now;
+        }
+        return mergedData;
+    }
+    reportConstraintOutcomes(constraintOutcomes) {
+        const blockingFailures = constraintOutcomes.filter(o => !o.passed && o.severity === 'block');
+        if (blockingFailures.length > 0) {
+            // Log blocking constraint failures for diagnostics
+            console.warn('[Manifest Runtime] Blocking constraint validation failed:', blockingFailures);
+            return false;
+        }
+        // Log non-blocking outcomes (warn/ok) for diagnostics
+        const nonBlockingOutcomes = constraintOutcomes.filter(o => !o.passed && o.severity !== 'block');
+        if (nonBlockingOutcomes.length > 0) {
+            console.info('[Manifest Runtime] Non-blocking constraint outcomes:', nonBlockingOutcomes);
+        }
+        return true;
+    }
+    async createInstanceWithOutcomes(entityName, data) {
+        const entity = this.getEntity(entityName);
+        if (!entity)
+            return {};
+        const mergedData = this.prepareCreateData(entity, data);
+        return this.persistPreparedCreate(entityName, entity, mergedData);
+    }
+    /** Date/time primitive write-time validation (docs/spec/semantics.md, Date/Time Types). */
+    validateDateTimeTypes(entity, data) {
+        const outcomes = [];
+        for (const prop of entity.properties) {
+            const t = prop.type?.name;
+            if (t !== 'date' && t !== 'time' && t !== 'datetime' && t !== 'duration')
+                continue;
+            if (!(prop.name in data))
+                continue;
+            const value = data[prop.name];
+            if (value === null || value === undefined)
+                continue;
+            let ok = true;
+            let code = '';
+            if (t === 'date') {
+                ok = isValidDateString(value);
+                code = 'E_TYPE_DATE';
+            }
+            else if (t === 'time') {
+                ok = isValidTimeString(value);
+                code = 'E_TYPE_TIME';
+            }
+            else if (t === 'datetime') {
+                // Must be within the representable Date range (±8,640,000,000,000,000 ms).
+                ok = typeof value === 'number' && Number.isFinite(value) && Math.abs(value) <= 8.64e15;
+                code = 'E_TYPE_DATETIME';
+            }
+            else {
+                ok = typeof value === 'number' && Number.isFinite(value);
+                code = 'E_TYPE_DURATION';
+            }
+            if (!ok) {
+                const shown = typeof value === 'number' ? String(value) : JSON.stringify(value) ?? String(value);
+                const message = `Property "${prop.name}" expects ${t}; got ${shown}`;
+                outcomes.push({
+                    code,
+                    constraintName: prop.name,
+                    severity: 'block',
+                    passed: false,
+                    formatted: message,
+                    message,
+                    details: { property: prop.name, expectedType: t, value },
+                });
+            }
+        }
+        return outcomes;
+    }
+    async persistPreparedCreate(entityName, entity, mergedData) {
+        const constraintOutcomes = [
+            ...this.validateDateTimeTypes(entity, mergedData),
+            ...await this.validateConstraints(entity, mergedData),
+        ];
+        if (!this.reportConstraintOutcomes(constraintOutcomes)) {
+            return { constraintOutcomes };
+        }
+        const store = this.stores.get(entityName);
+        if (!store)
+            return { constraintOutcomes };
+        // Encrypt fields before store write (no-op without encryptionProvider)
+        const dataToStore = await this.encryptProperties(entityName, mergedData);
+        const result = await store.create(dataToStore);
+        // Track newly created instance to prevent version increment on subsequent mutate actions
+        if (result && result.id) {
+            this.justCreatedInstanceIds.add(result.id);
+        }
+        // Decrypt fields before returning to caller
+        const decrypted = result ? await this.decryptProperties(entityName, result) : result;
+        return { instance: decrypted, constraintOutcomes };
+    }
+    async updateInstance(entityName, id, data) {
+        const entity = this.getEntity(entityName);
+        const store = this.stores.get(entityName);
+        if (!store || !entity)
+            return undefined;
+        // During command execution the target instance is buffered: load it from
+        // the store at most once, then mutate the in-memory working copy.
+        const buf = this.commandBuffer;
+        const buffering = !!buf && buf.entityName === entityName && buf.id === id;
+        let existing;
+        if (buffering && buf.instance) {
+            existing = buf.instance;
+        }
+        else {
+            const rawExisting = await store.getById(id);
+            if (!rawExisting)
+                return undefined;
+            // Decrypt existing instance so constraint/transition checks see plaintext
+            existing = await this.decryptProperties(entityName, rawExisting);
+            if (buffering)
+                buf.instance = existing;
+        }
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            // Optimistic concurrency control: check version if entity has versionProperty
+            if (entity.versionProperty) {
+                const existingVersion = existing[entity.versionProperty];
+                const providedVersion = data[entity.versionProperty];
+                if (existingVersion !== undefined && providedVersion !== undefined) {
+                    if (existingVersion !== providedVersion) {
+                        // Concurrency conflict - store structured details, emit event, and return undefined
+                        this.lastConcurrencyConflict = {
+                            entityType: entityName,
+                            entityId: id,
+                            expectedVersion: providedVersion,
+                            actualVersion: existingVersion,
+                            conflictCode: 'VERSION_MISMATCH',
+                        };
+                        await this.emitConcurrencyConflictEvent(entityName, id, providedVersion, existingVersion);
+                        return undefined;
+                    }
+                }
+                // Auto-increment version on successful update
+                // Only increment once per command execution to handle commands with multiple mutate actions
+                // If version is explicitly provided in data, use that (for optimistic concurrency checks)
+                // Skip increment for instances that were just created in the same command (e.g., create command's mutate actions)
+                const wasJustCreated = this.justCreatedInstanceIds.has(id);
+                if (providedVersion === undefined && !this.versionIncrementedForCommand && !wasJustCreated) {
+                    data[entity.versionProperty] = (existingVersion || 0) + 1;
+                    this.versionIncrementedForCommand = true;
+                }
+            }
+            // Update versionAt timestamp if present
+            if (entity.versionAtProperty) {
+                data[entity.versionAtProperty] = this.getNow();
+            }
+            if (entity.timestamps) {
+                data.updatedAt = this.getNow();
+            }
+            const mergedData = { ...existing, ...data };
+            // Validate state transitions if entity declares them
+            if (entity.transitions && entity.transitions.length > 0) {
+                for (const [prop, newValue] of Object.entries(data)) {
+                    const rules = entity.transitions.filter(t => t.property === prop);
+                    if (rules.length === 0)
+                        continue;
+                    const currentValue = existing[prop];
+                    if (currentValue === undefined)
+                        continue;
+                    const matchingRule = rules.find(t => t.from === String(currentValue));
+                    if (matchingRule && !matchingRule.to.includes(String(newValue))) {
+                        const allowed = matchingRule.to.map(v => `'${v}'`).join(', ');
+                        this.lastTransitionError = `Invalid state transition for '${prop}': '${currentValue}' -> '${newValue}' is not allowed. Allowed from '${currentValue}': [${allowed}]`;
+                        return undefined;
+                    }
+                }
+            }
+            // Validate entity constraints.
+            // Date/time type validation runs against the patch only, so previously
+            // stored values are not re-validated on unrelated updates.
+            const constraintOutcomes = [
+                ...this.validateDateTimeTypes(entity, data),
+                ...await this.validateConstraints(entity, mergedData),
+            ];
+            // Only block on severity='block' constraints that failed
+            const blockingFailures = constraintOutcomes.filter(o => !o.passed && o.severity === 'block');
+            if (blockingFailures.length > 0) {
+                // Log blocking constraint failures for diagnostics
+                console.warn('[Manifest Runtime] Blocking constraint validation failed:', blockingFailures);
+                return undefined;
+            }
+            // Log non-blocking outcomes (warn/ok) for diagnostics
+            const nonBlockingOutcomes = constraintOutcomes.filter(o => !o.passed && o.severity !== 'block');
+            if (nonBlockingOutcomes.length > 0) {
+                console.info('[Manifest Runtime] Non-blocking constraint outcomes:', nonBlockingOutcomes);
+            }
+            // Mark cached computed properties as stale when their dependencies change
+            this.markComputedPropertiesStale(entityName, id, Object.keys(data));
+            // Encrypt fields before store write, decrypt result before returning
+            const encryptedData = await this.encryptProperties(entityName, data);
+            if (buffering) {
+                // Batched path: advance the working copy and accumulate the patch. The
+                // single store.update runs once when the command flushes the buffer, so
+                // a command mutating N fields persists once rather than N times.
+                buf.instance = mergedData;
+                Object.assign(buf.patch, encryptedData);
+                return mergedData;
+            }
+            const result = await store.update(id, encryptedData);
+            return result ? await this.decryptProperties(entityName, result) : result;
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    /**
+     * Mark cached computed properties as stale when their dependencies are mutated.
+     * Scans the entity's computed properties for any that depend on the changed properties,
+     * and sets their cache entries' stale flag to true. Handles transitive staleness.
+     */
+    markComputedPropertiesStale(entityName, instanceId, changedProperties, visited = new Set()) {
+        const entity = this.getEntity(entityName);
+        if (!entity)
+            return;
+        for (const cp of entity.computedProperties) {
+            if (visited.has(cp.name))
+                continue;
+            const dependsOnChanged = cp.dependencies.some(dep => changedProperties.includes(dep));
+            if (!dependsOnChanged)
+                continue;
+            visited.add(cp.name);
+            const cacheKey = `${entityName}:${instanceId}:${cp.name}`;
+            // Mark in session/TTL cache
+            const cached = this.computedPropertyCache.get(cacheKey);
+            if (cached)
+                cached.stale = true;
+            // Mark in request cache
+            const reqCached = this.computedPropertyRequestCache.get(cacheKey);
+            if (reqCached)
+                reqCached.stale = true;
+            // Also mark any computed properties that depend on this computed property (transitive staleness)
+            this.markComputedPropertiesStale(entityName, instanceId, [cp.name], visited);
+        }
+    }
+    async deleteInstance(entityName, id) {
+        const store = this.stores.get(entityName);
+        return store ? await store.delete(id) : false;
+    }
+    async runCommand(commandName, input, options = {}) {
+        // Per docs/spec/adapters.md § "Audit Sink": when an AuditSink is wired in,
+        // runCommand emits exactly one AuditRecord per invocation regardless of
+        // outcome. The recordId is generated once up front so callers can correlate
+        // the same attempt across logs even if `result` is constructed late.
+        const auditEnabled = !!this.options.auditSink;
+        const auditRecordId = auditEnabled ? this.nextRuntimeId() : undefined;
+        const auditOccurredAt = auditEnabled ? this.getNow() : 0;
+        let result;
+        let thrown;
+        try {
+            // Tenant context gate: fail closed before ANY work, including idempotency
+            // cache reads/writes. Falsy values (undefined, '', null) all count as
+            // missing — preventing accidental empty-string passes.
+            // Gate activates when EITHER the explicit option is set OR the IR declares a tenant.
+            const tenantRequired = this.options.requireTenantContext || !!this.ir.tenant;
+            const tenantValue = this.ir.tenant ? this.resolveTenantValue() : this.context.tenantId;
+            if (tenantRequired && !tenantValue) {
+                result = {
+                    success: false,
+                    error: 'MISSING_TENANT_CONTEXT: tenant-scoped command invoked without context.tenantId',
+                    emittedEvents: [],
+                };
+                return result;
+            }
+            // Idempotency short-circuit (before ANY evaluation)
+            if (this.options.idempotencyStore) {
+                if (options.idempotencyKey === undefined) {
+                    result = {
+                        success: false,
+                        error: 'IdempotencyStore is configured but no idempotencyKey was provided',
+                        emittedEvents: [],
+                    };
+                    return result;
+                }
+                const cached = await this.options.idempotencyStore.get(options.idempotencyKey);
+                if (cached !== undefined) {
+                    result = cached;
+                    return cached;
+                }
+            }
+            // Async command branch: enqueue job instead of executing synchronously.
+            // Re-entry from job worker (context.source === 'job') bypasses this branch
+            // so the actual command body runs during drainJobs().
+            const command = this.getCommand(commandName, options.entityName);
+            if (command?.async && this.context.source !== 'job') {
+                // Validate policies/constraints/guards synchronously (fail-fast)
+                const validation = await this._validateAsyncCommand(commandName, input, options);
+                if (!validation.success) {
+                    result = validation;
+                    return result;
+                }
+                if (!this.options.jobQueue) {
+                    result = {
+                        success: false,
+                        error: 'MISSING_JOB_QUEUE: async command invoked but no jobQueue is configured in RuntimeOptions',
+                        emittedEvents: [],
+                    };
+                    return result;
+                }
+                const jobId = this.nextRuntimeId();
+                const enqueuedAt = this.getNow();
+                await this.options.jobQueue.enqueue({
+                    jobId,
+                    commandName,
+                    entityName: options.entityName,
+                    instanceId: options.instanceId,
+                    input,
+                    correlationId: options.correlationId,
+                    causationId: options.causationId,
+                    enqueuedAt,
+                    status: 'pending',
+                });
+                result = {
+                    success: true,
+                    result: { jobId, status: 'pending', enqueuedAt },
+                    emittedEvents: [],
+                };
+                return result;
+            }
+            // Full command execution (with optional retry wrapper)
+            if (this.profilingBridge.isEnabled()) {
+                this.profilingBridge.beginCommand(commandName, options.entityName, options.instanceId, this.getNow());
+            }
+            const runOnce = () => this._executeCommandInternal(commandName, input, options);
+            if (command?.retry) {
+                result = await executeWithRetry(command.retry, runOnce, {
+                    sleep: this.options.sleep,
+                    retryJitter: this.options.retryJitter,
+                });
+            }
+            else {
+                result = await runOnce();
+            }
+            // Outbox enqueue: when an OutboxStore is wired in and the command
+            // succeeded with one or more emitted events, durably persist the
+            // semantic events. NOTE: the in-memory runtime has no shared
+            // transaction boundary, so this enqueue is NOT transactional w.r.t.
+            // mutation today — see docs/spec/adapters.md § "Outbox Store".
+            if (this.options.outboxStore && result.success && result.emittedEvents.length > 0) {
+                await this.enqueueOutbox(result.emittedEvents, commandName, options);
+            }
+            // Cache result (success OR failure)
+            if (this.options.idempotencyStore && options.idempotencyKey !== undefined) {
+                await this.options.idempotencyStore.set(options.idempotencyKey, result);
+            }
+            return result;
+        }
+        catch (e) {
+            thrown = e;
+            throw e;
+        }
+        finally {
+            if (this.profilingBridge.isEnabled() && result !== undefined) {
+                this.profilingBridge.complete(result.success, this.ir.entities.length, this.stores.size);
+            }
+            if (auditEnabled) {
+                await this.emitAudit({
+                    sink: this.options.auditSink,
+                    recordId: auditRecordId,
+                    occurredAt: auditOccurredAt,
+                    commandName,
+                    entityName: options.entityName,
+                    result,
+                    thrown,
+                });
+            }
+        }
+    }
+    // ─── Saga Orchestration ──────────────────────────────────────────────
+    /**
+     * Execute a saga: run steps in declaration order, compensating completed
+     * steps in reverse order on failure (when onFailure === 'compensate').
+     * Each step dispatches via `runCommand` — all policies, guards, and
+     * constraints of the step's command still apply.
+     */
+    async runSaga(sagaName, stepInputs = {}, options = {}) {
+        const saga = (this.ir.sagas || []).find(s => s.name === sagaName);
+        if (!saga) {
+            return {
+                saga: sagaName, success: false, status: 'aborted',
+                steps: [], emittedEvents: [],
+                error: `Unknown saga '${sagaName}'`,
+            };
+        }
+        const correlationId = options.correlationId ?? this.nextRuntimeId();
+        const emittedEvents = [];
+        const stepResults = [];
+        const completed = [];
+        // 1. Emit SagaStarted (only if declared in saga's emits)
+        this.emitSagaLifecycle(saga, 'SagaStarted', { sagaName: saga.name }, correlationId, emittedEvents);
+        // 2. Execute steps in declaration order
+        for (const step of saga.steps) {
+            const cfg = stepInputs[step.name] ?? {};
+            const res = await this.runCommand(step.command, cfg.input ?? {}, {
+                entityName: step.commandEntity,
+                instanceId: cfg.instanceId,
+                correlationId,
+                causationId: `${saga.name}:${step.name}`,
+            });
+            emittedEvents.push(...res.emittedEvents);
+            if (!res.success) {
+                // Step failed
+                stepResults.push({
+                    step: step.name, command: `${step.commandEntity}.${step.command}`,
+                    status: 'failed', result: res, error: res.error,
+                });
+                if (saga.onFailure === 'compensate') {
+                    // Compensate completed steps in reverse order
+                    await this.compensateSagaSteps(saga, completed, stepInputs, correlationId, emittedEvents, stepResults);
+                    this.emitSagaLifecycle(saga, 'SagaFailed', { sagaName: saga.name, failedStep: step.name }, correlationId, emittedEvents);
+                    return {
+                        saga: saga.name, success: false, status: 'compensated',
+                        steps: stepResults, emittedEvents, failedStep: step.name, error: res.error,
+                    };
+                }
+                else {
+                    // Abort: no compensation
+                    this.emitSagaLifecycle(saga, 'SagaFailed', { sagaName: saga.name, failedStep: step.name }, correlationId, emittedEvents);
+                    return {
+                        saga: saga.name, success: false, status: 'aborted',
+                        steps: stepResults, emittedEvents, failedStep: step.name, error: res.error,
+                    };
+                }
+            }
+            // Step succeeded
+            stepResults.push({
+                step: step.name, command: `${step.commandEntity}.${step.command}`,
+                status: 'completed', result: res,
+            });
+            completed.push({ step, instanceId: cfg.instanceId });
+            this.emitSagaLifecycle(saga, 'SagaStepCompleted', { sagaName: saga.name, step: step.name }, correlationId, emittedEvents);
+        }
+        // 3. All steps completed successfully
+        this.emitSagaLifecycle(saga, 'SagaCompleted', { sagaName: saga.name }, correlationId, emittedEvents);
+        return {
+            saga: saga.name, success: true, status: 'completed',
+            steps: stepResults, emittedEvents,
+        };
+    }
+    /**
+     * Compensate completed saga steps in reverse order (best-effort).
+     * Compensation failures are recorded but do not throw — all remaining
+     * compensations still execute.
+     */
+    async compensateSagaSteps(saga, completed, stepInputs, correlationId, emittedEvents, stepResults) {
+        // Iterate completed steps in reverse
+        for (let i = completed.length - 1; i >= 0; i--) {
+            const { step, instanceId } = completed[i];
+            const matchingResult = stepResults.find(r => r.step === step.name);
+            if (!step.compensate || !step.compensateEntity) {
+                // No compensation declared — mark as skipped
+                if (matchingResult)
+                    matchingResult.status = 'skipped';
+                continue;
+            }
+            // Hand the original forward-step input to the compensation. A refund
+            // needs the charge's amount, a release needs the reserve's quantity, etc.
+            // Without this, the compensation command's guards see nothing and the
+            // reversal silently no-ops. See spec/semantics.md § Saga compensation.
+            const compensationInput = stepInputs[step.name]?.input ?? {};
+            try {
+                const compResult = await this.runCommand(step.compensate, compensationInput, {
+                    entityName: step.compensateEntity,
+                    instanceId,
+                    correlationId,
+                    causationId: `${saga.name}:${step.name}:compensate`,
+                });
+                emittedEvents.push(...compResult.emittedEvents);
+                if (matchingResult) {
+                    matchingResult.compensation = compResult;
+                    // A compensation that fails its guard/policy/constraint returns
+                    // success:false (no throw). Such a step was NOT reversed — surface
+                    // it as compensation_failed rather than mislabeling it 'compensated'.
+                    if (compResult.success) {
+                        matchingResult.status = 'compensated';
+                    }
+                    else {
+                        matchingResult.status = 'compensation_failed';
+                        matchingResult.error = compResult.error;
+                    }
+                }
+            }
+            catch (e) {
+                // A thrown compensation is also a failed reversal. Record the error and
+                // keep compensating the remaining steps (best-effort), but do not claim
+                // this step was reversed.
+                if (matchingResult) {
+                    matchingResult.status = 'compensation_failed';
+                    matchingResult.error = e instanceof Error ? e.message : String(e);
+                }
+            }
+        }
+    }
+    /**
+     * Emit a saga lifecycle event (SagaStarted, SagaCompleted, SagaFailed,
+     * SagaStepCompleted) only if declared in the saga's `emits` array.
+     */
+    emitSagaLifecycle(saga, eventName, payload, correlationId, sink) {
+        if (!saga.emits.includes(eventName))
+            return;
+        const event = (this.ir.events || []).find(e => e.name === eventName);
+        const prov = this.ir.provenance;
+        const emitted = {
+            name: eventName,
+            channel: event?.channel || eventName,
+            payload,
+            timestamp: this.getNow(),
+            ...(prov ? {
+                provenance: {
+                    contentHash: prov.contentHash,
+                    compilerVersion: prov.compilerVersion,
+                    schemaVersion: prov.schemaVersion,
+                },
+            } : {}),
+            correlationId,
+            causationId: `saga:${saga.name}`,
+        };
+        sink.push(emitted);
+        this.eventLog.push(emitted);
+        this.notifyListeners(emitted);
+    }
+    /**
+     * Map a CommandResult and any thrown error into a CommandOutcome for the
+     * AuditRecord. The mapping mirrors the exit paths inside runCommand and
+     * _executeCommandInternal — keep them in lock-step when adding new
+     * failure modes.
+     */
+    classifyOutcome(result, thrown) {
+        if (thrown !== undefined)
+            return 'error';
+        if (!result)
+            return 'error';
+        if (result.success)
+            return 'success';
+        if (result.policyDenial)
+            return 'policy_denied';
+        if (result.guardFailure)
+            return 'guard_denied';
+        if (result.rateLimitDenial)
+            return 'rate_limit_denied';
+        if (result.concurrencyConflict)
+            return 'concurrency_conflict';
+        if (typeof result.error === 'string' && result.error.startsWith('MISSING_TENANT_CONTEXT')) {
+            return 'missing_tenant_context';
+        }
+        // A blocking constraint failure is distinguishable by the presence of a
+        // blocking outcome on result.constraintOutcomes (non-blocking warn/ok
+        // outcomes ride along with success too, so we must check severity).
+        if (result.constraintOutcomes?.some(o => !o.passed && !o.overridden && o.severity === 'block')) {
+            return 'constraint_failed';
+        }
+        return 'error';
+    }
+    /**
+     * Build and emit a single AuditRecord through the configured sink.
+     * Sink errors are caught and logged — audit emission MUST NOT alter
+     * command-execution behavior. This is the documented fail-open policy
+     * (see docs/spec/adapters.md § "Audit Sink").
+     */
+    async emitAudit(args) {
+        const { sink, recordId, occurredAt, commandName, entityName, result, thrown } = args;
+        const outcome = this.classifyOutcome(result, thrown);
+        const commandId = entityName ? `${entityName}.${commandName}` : commandName;
+        // Diagnostics surface the structured failure for failed outcomes; for
+        // success we carry along non-blocking constraint outcomes when present.
+        let diagnostics = undefined;
+        if (thrown !== undefined) {
+            diagnostics = { error: thrown instanceof Error ? thrown.message : String(thrown) };
+        }
+        else if (result) {
+            const parts = {};
+            if (result.error !== undefined)
+                parts.error = result.error;
+            if (result.deniedBy !== undefined)
+                parts.deniedBy = result.deniedBy;
+            if (result.policyDenial)
+                parts.policyDenial = result.policyDenial;
+            if (result.guardFailure)
+                parts.guardFailure = result.guardFailure;
+            if (result.concurrencyConflict)
+                parts.concurrencyConflict = result.concurrencyConflict;
+            if (result.constraintOutcomes && result.constraintOutcomes.length > 0) {
+                parts.constraintOutcomes = result.constraintOutcomes;
+            }
+            if (result.overrideRequests && result.overrideRequests.length > 0) {
+                parts.overrideRequests = result.overrideRequests;
+            }
+            if (Object.keys(parts).length > 0)
+                diagnostics = parts;
+        }
+        const emittedEventNames = result?.emittedEvents?.map(e => e.name);
+        const record = {
+            recordId,
+            occurredAt,
+            command: commandName,
+            commandId,
+            outcome,
+            ...(entityName !== undefined ? { entity: entityName } : {}),
+            ...(this.context.tenantId !== undefined ? { tenantId: this.context.tenantId } : {}),
+            ...(this.context.orgId !== undefined ? { orgId: this.context.orgId } : {}),
+            ...(this.context.actorId !== undefined ? { actorId: this.context.actorId } : {}),
+            ...(this.context.requestId !== undefined ? { requestId: this.context.requestId } : {}),
+            ...(this.context.source !== undefined ? { source: this.context.source } : {}),
+            ...(this.ir.provenance?.contentHash ? { irHash: this.ir.provenance.contentHash } : {}),
+            ...(diagnostics !== undefined ? { diagnostics } : {}),
+            ...(emittedEventNames && emittedEventNames.length > 0 ? { emittedEventNames } : {}),
+        };
+        try {
+            await sink.emit(record);
+        }
+        catch (sinkError) {
+            // Fail-open: audit sink errors MUST NOT alter command execution.
+            // Surface the failure on stderr so operators can wire alerts off it.
+            console.warn('[Manifest Runtime] AuditSink.emit failed; record dropped:', sinkError instanceof Error ? sinkError.message : sinkError);
+        }
+    }
+    /**
+     * Enqueue emitted events into the configured OutboxStore as a batch.
+     * Wraps the call in try/catch and logs failures — outbox failures MUST
+     * NOT alter the CommandResult shape callers already received.
+     *
+     * Non-transactional caveat: the in-memory runtime does not yet expose a
+     * shared transaction boundary, so a successful command followed by an
+     * outbox enqueue failure leaves state mutated without an outbox row.
+     * Durable adapters MUST honor the `tx` parameter and enqueue inside the
+     * same transaction that mutated state.
+     */
+    async enqueueOutbox(events, _commandName, _runOptions) {
+        const store = this.options.outboxStore;
+        if (!store)
+            return;
+        const enqueuedAt = this.getNow();
+        const entries = events.map(event => ({
+            entryId: this.nextRuntimeId(),
+            enqueuedAt,
+            event,
+            status: 'pending',
+            attempts: 0,
+        }));
+        try {
+            await store.enqueue(entries);
+        }
+        catch (storeError) {
+            console.warn('[Manifest Runtime] OutboxStore.enqueue failed; events not durably persisted:', storeError instanceof Error ? storeError.message : storeError);
+        }
+    }
+    /**
+     * Validate an async command synchronously (policies, constraints, guards)
+     * without executing actions. Used for fail-fast before enqueuing a job.
+     */
+    async _validateAsyncCommand(commandName, input, options) {
+        const command = this.getCommand(commandName, options.entityName);
+        if (!command) {
+            return {
+                success: false,
+                error: `Command '${commandName}' not found`,
+                emittedEvents: [],
+            };
+        }
+        const instance = options.instanceId && options.entityName
+            ? await this.getInstanceRaw(options.entityName, options.instanceId)
+            : undefined;
+        const evalContext = this.buildEvalContext(input, instance, options.entityName);
+        // Check policies
+        const policyResult = await this.checkPolicies(command, evalContext);
+        if (!policyResult.allowed) {
+            return {
+                success: false,
+                error: policyResult.denial?.message,
+                deniedBy: policyResult.denial?.policyName,
+                policyDenial: policyResult.denial,
+                emittedEvents: [],
+            };
+        }
+        // Evaluate constraints
+        const commandContext = { commandName, entityName: options.entityName, instanceId: options.instanceId };
+        const constraintResult = await this.evaluateCommandConstraints(command, evalContext, options.overrideRequests, commandContext);
+        if (!constraintResult.allowed) {
+            const blocking = constraintResult.outcomes.find(o => !o.passed && !o.overridden && o.severity === 'block');
+            return {
+                success: false,
+                error: blocking?.message || `Command blocked by constraint '${blocking?.constraintName}'`,
+                constraintOutcomes: constraintResult.outcomes,
+                emittedEvents: [],
+            };
+        }
+        // Evaluate guards
+        for (let i = 0; i < command.guards.length; i += 1) {
+            const guard = command.guards[i];
+            const result = await this.evaluateExpression(guard, evalContext);
+            if (!result) {
+                return {
+                    success: false,
+                    error: `Guard condition failed for command '${commandName}'`,
+                    guardFailure: {
+                        index: i + 1,
+                        expression: guard,
+                        formatted: this.formatExpression(guard),
+                        resolved: await this.resolveExpressionValues(guard, evalContext),
+                    },
+                    constraintOutcomes: constraintResult.outcomes.length > 0 ? constraintResult.outcomes : undefined,
+                    emittedEvents: [],
+                };
+            }
+        }
+        // All validation passed
+        return { success: true, emittedEvents: [] };
+    }
+    /**
+     * Drain all pending jobs from the job queue and execute them.
+     * Returns an array of CommandResults, one per drained job.
+     * For deterministic testing: executes jobs synchronously in FIFO order.
+     *
+     * For each job:
+     * - Sets context.source = 'job' to bypass the async enqueue branch
+     * - Executes the full command body (actions + emits)
+     * - Emits completion or failure event on the synthesized channel
+     * - Updates job status in the queue
+     */
+    async drainJobs() {
+        if (!this.options.jobQueue) {
+            return [];
+        }
+        const pending = await this.options.jobQueue.drainPending();
+        const results = [];
+        const originalSource = this.context.source;
+        for (const job of pending) {
+            // Set context.source = 'job' so the async branch is bypassed
+            this.context.source = 'job';
+            try {
+                const result = await this._executeCommandInternal(job.commandName, job.input, {
+                    entityName: job.entityName,
+                    instanceId: job.instanceId,
+                    correlationId: job.correlationId,
+                    causationId: job.causationId,
+                });
+                if (result.success) {
+                    await this.options.jobQueue.updateStatus(job.jobId, 'completed', { result: result.result });
+                    // Emit synthesized completion event
+                    const command = this.getCommand(job.commandName, job.entityName);
+                    if (command?.completionEvent) {
+                        const completionEvent = {
+                            name: command.completionEvent,
+                            channel: `jobs.${job.commandName}`,
+                            payload: { jobId: job.jobId, result: result.result, completedAt: this.getNow() },
+                            timestamp: this.getNow(),
+                            correlationId: job.correlationId,
+                            causationId: job.causationId,
+                        };
+                        result.emittedEvents.push(completionEvent);
+                    }
+                }
+                else {
+                    await this.options.jobQueue.updateStatus(job.jobId, 'failed', { error: result.error });
+                    // Emit synthesized failure event
+                    const command = this.getCommand(job.commandName, job.entityName);
+                    if (command?.failureEvent) {
+                        const failureEvent = {
+                            name: command.failureEvent,
+                            channel: `jobs.${job.commandName}`,
+                            payload: { jobId: job.jobId, error: result.error || 'Unknown error', failedAt: this.getNow() },
+                            timestamp: this.getNow(),
+                            correlationId: job.correlationId,
+                            causationId: job.causationId,
+                        };
+                        result.emittedEvents.push(failureEvent);
+                    }
+                }
+                results.push(result);
+            }
+            catch (e) {
+                await this.options.jobQueue.updateStatus(job.jobId, 'failed', {
+                    error: e instanceof Error ? e.message : String(e),
+                });
+                // Emit synthesized failure event
+                const command = this.getCommand(job.commandName, job.entityName);
+                if (command?.failureEvent) {
+                    const failureEvent = {
+                        name: command.failureEvent,
+                        channel: `jobs.${job.commandName}`,
+                        payload: { jobId: job.jobId, error: e instanceof Error ? e.message : String(e), failedAt: this.getNow() },
+                        timestamp: this.getNow(),
+                        correlationId: job.correlationId,
+                        causationId: job.causationId,
+                    };
+                    results.push({
+                        success: false,
+                        error: e instanceof Error ? e.message : String(e),
+                        emittedEvents: [failureEvent],
+                    });
+                }
+                else {
+                    results.push({
+                        success: false,
+                        error: e instanceof Error ? e.message : String(e),
+                        emittedEvents: [],
+                    });
+                }
+            }
+        }
+        // Restore original source
+        this.context.source = originalSource;
+        return results;
+    }
+    async _executeCommandInternal(commandName, input, options) {
+        // Clear relationship memoization cache at the start of each command execution
+        // to ensure fresh data after any mutations
+        this.clearMemoCache();
+        // Reset version increment flag at the start of each command execution
+        this.versionIncrementedForCommand = false;
+        // Clear just-created instance tracking
+        this.justCreatedInstanceIds.clear();
+        // Clear transition error tracking
+        this.lastTransitionError = null;
+        // Clear concurrency conflict tracking
+        this.lastConcurrencyConflict = null;
+        this.actionTraceCounter = 0;
+        // Initialize evaluation budget for bounded complexity enforcement
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            const command = this.getCommand(commandName, options.entityName);
+            if (!command) {
+                return {
+                    success: false,
+                    error: `Command '${commandName}' not found`,
+                    ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                    ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                    emittedEvents: [],
+                };
+            }
+            const shouldAutoCreateInstance = commandName === 'create' && !!options.entityName && !options.instanceId;
+            let autoCreateEntity;
+            let autoCreatePreparedData;
+            let autoCreateEvalInput;
+            if (shouldAutoCreateInstance && options.entityName) {
+                autoCreateEntity = this.getEntity(options.entityName);
+                if (autoCreateEntity) {
+                    const bodyId = typeof input.id === 'string' && input.id !== '' ? input.id : this.nextRuntimeId();
+                    autoCreatePreparedData = this.prepareCreateData(autoCreateEntity, {
+                        ...input,
+                        id: bodyId,
+                    });
+                    autoCreateEvalInput = { ...input, id: autoCreatePreparedData.id };
+                }
+            }
+            const instance = options.instanceId && options.entityName
+                ? await this.getInstanceRaw(options.entityName, options.instanceId)
+                : autoCreatePreparedData;
+            const evalContext = this.buildEvalContext(autoCreateEvalInput ?? input, instance, options.entityName);
+            if (command.rateLimit) {
+                const tenantValue = this.ir.tenant ? this.resolveTenantValue() : this.context.tenantId;
+                const rl = checkRateLimitGate(this.rateLimiter, command.rateLimit, evalContext, tenantValue, this.getNow());
+                if (!rl.allowed) {
+                    return {
+                        success: false,
+                        error: `Rate limit exceeded for scope ${rl.denial.scopeKey}`,
+                        rateLimitDenial: rl.denial,
+                        ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                        ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                        emittedEvents: [],
+                    };
+                }
+            }
+            // Middleware: before-policy hook
+            const beforePolicyResult = await this.runMiddleware('before-policy', command, evalContext, input, options);
+            if (beforePolicyResult)
+                return beforePolicyResult;
+            const policyResult = await this.profilingBridge.trackPhase('policyEvaluation', () => this.checkPolicies(command, evalContext));
+            if (!policyResult.allowed) {
+                return {
+                    success: false,
+                    error: policyResult.denial?.message,
+                    deniedBy: policyResult.denial?.policyName,
+                    policyDenial: policyResult.denial,
+                    ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                    ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                    emittedEvents: [],
+                };
+            }
+            // vNext: Evaluate command constraints (after policies, before guards)
+            // Pass command context so OverrideApplied events include commandName/entityName/instanceId per spec
+            const commandContext = { commandName, entityName: options.entityName, instanceId: options.instanceId };
+            const constraintResult = await this.profilingBridge.trackPhase('constraintValidation', () => this.evaluateCommandConstraints(command, evalContext, options.overrideRequests, commandContext));
+            if (!constraintResult.allowed) {
+                // Find the blocking constraint for the error message
+                const blocking = constraintResult.outcomes.find(o => !o.passed && !o.overridden && o.severity === 'block');
+                return {
+                    success: false,
+                    error: blocking?.message || `Command blocked by constraint '${blocking?.constraintName}'`,
+                    constraintOutcomes: constraintResult.outcomes,
+                    overrideRequests: options.overrideRequests,
+                    ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                    ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                    emittedEvents: [],
+                };
+            }
+            // Middleware: before-guard hook
+            const beforeGuardResult = await this.runMiddleware('before-guard', command, evalContext, input, options);
+            if (beforeGuardResult)
+                return beforeGuardResult;
+            this.profilingBridge.startPhase('guardEvaluation');
+            for (let i = 0; i < command.guards.length; i += 1) {
+                const guard = command.guards[i];
+                const result = await this.evaluateExpression(guard, evalContext);
+                if (!result) {
+                    this.profilingBridge.endPhase('guardEvaluation');
+                    return {
+                        success: false,
+                        error: `Guard condition failed for command '${commandName}'`,
+                        guardFailure: {
+                            index: i + 1,
+                            expression: guard,
+                            formatted: this.formatExpression(guard),
+                            resolved: await this.resolveExpressionValues(guard, evalContext),
+                        },
+                        // Include constraint outcomes even if guards fail
+                        constraintOutcomes: constraintResult.outcomes.length > 0 ? constraintResult.outcomes : undefined,
+                        ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                        ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                        emittedEvents: [],
+                    };
+                }
+            }
+            this.profilingBridge.endPhase('guardEvaluation');
+            // ── Approval gate: block command if pending approval required ──
+            this.profilingBridge.startPhase('approvalGate');
+            if (options.entityName) {
+                const approvalResult = await this.checkApprovalGate(commandName, options.entityName, options.instanceId, evalContext, options);
+                if (approvalResult) {
+                    this.profilingBridge.endPhase('approvalGate');
+                    return approvalResult;
+                }
+            }
+            this.profilingBridge.endPhase('approvalGate');
+            let autoCreatedInstance;
+            let createConstraintOutcomes;
+            if (shouldAutoCreateInstance && options.entityName && autoCreateEntity && autoCreatePreparedData) {
+                this.profilingBridge.startPhase('autoCreate');
+                const createResult = await this.persistPreparedCreate(options.entityName, autoCreateEntity, autoCreatePreparedData);
+                this.profilingBridge.endPhase('autoCreate');
+                createConstraintOutcomes = createResult.constraintOutcomes;
+                if (!createResult.instance) {
+                    const blocking = createConstraintOutcomes?.find(o => !o.passed && !o.overridden && o.severity === 'block');
+                    return {
+                        success: false,
+                        error: blocking?.message || `Command blocked by constraint '${blocking?.constraintName}'`,
+                        constraintOutcomes: createConstraintOutcomes,
+                        overrideRequests: options.overrideRequests,
+                        ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                        ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                        emittedEvents: [],
+                    };
+                }
+                autoCreatedInstance = createResult.instance;
+                options.instanceId = createResult.instance.id;
+                const createdEvalContext = this.buildEvalContext(autoCreateEvalInput ?? input, createResult.instance, options.entityName);
+                Object.assign(evalContext, createdEvalContext);
+            }
+            // Include any OverrideApplied events from constraint evaluation
+            // Per spec: OverrideApplied events are included in CommandResult.emittedEvents
+            // alongside command-declared events (override events come first)
+            const emittedEvents = [...constraintResult.overrideEvents];
+            let result;
+            const emitCounter = { value: emittedEvents.length };
+            const workflowMeta = {
+                correlationId: options.correlationId,
+                causationId: options.causationId,
+            };
+            // Pre-compute base subject for action-emitted events (entity + command + instanceId).
+            // Full subject.id resolution (created-id / payload.id fallbacks) happens after the
+            // action loop for command-declared events.
+            const baseSubject = { command: commandName };
+            if (options.entityName) {
+                baseSubject.entity = options.entityName;
+            }
+            if (options.instanceId) {
+                baseSubject.id = options.instanceId;
+            }
+            // Middleware: before-action hook (before each action in the loop)
+            const beforeActionResult = await this.runMiddleware('before-action', command, evalContext, input, options);
+            if (beforeActionResult)
+                return beforeActionResult;
+            // Open a command-scoped write buffer so mutate/compute actions batch into a
+            // single store.update (flushed once below) instead of one read+write each.
+            // Seeded with the already-loaded instance so no extra read is incurred.
+            // Nested (reaction) commands save and restore the outer buffer.
+            const prevBuffer = this.commandBuffer;
+            if (options.entityName && options.instanceId) {
+                this.commandBuffer = {
+                    entityName: options.entityName,
+                    id: options.instanceId,
+                    instance: (autoCreatedInstance ?? instance) ?? null,
+                    patch: {},
+                };
+            }
+            try {
+                this.profilingBridge.startPhase('actionExecution');
+                for (const action of command.actions) {
+                    const actionResult = await this.executeAction(action, evalContext, options, emitCounter, workflowMeta, baseSubject);
+                    // Check for transition validation errors after mutate/compute actions.
+                    // Returning here skips the flush below: a failed command persists nothing.
+                    if (this.lastTransitionError) {
+                        return {
+                            success: false,
+                            error: this.lastTransitionError,
+                            ...(workflowMeta.correlationId !== undefined ? { correlationId: workflowMeta.correlationId } : {}),
+                            ...(workflowMeta.causationId !== undefined ? { causationId: workflowMeta.causationId } : {}),
+                            emittedEvents: [],
+                        };
+                    }
+                    // Check for concurrency conflict after mutate/compute actions
+                    // Per spec: "Commands receiving a ConcurrencyConflict MUST NOT apply mutations"
+                    if (this.lastConcurrencyConflict) {
+                        const conflict = this.lastConcurrencyConflict;
+                        this.lastConcurrencyConflict = null;
+                        return {
+                            success: false,
+                            error: `Concurrency conflict on ${conflict.entityType}#${conflict.entityId}: expected version ${conflict.expectedVersion}, actual ${conflict.actualVersion}`,
+                            concurrencyConflict: conflict,
+                            ...(workflowMeta.correlationId !== undefined ? { correlationId: workflowMeta.correlationId } : {}),
+                            ...(workflowMeta.causationId !== undefined ? { causationId: workflowMeta.causationId } : {}),
+                            emittedEvents: [],
+                        };
+                    }
+                    if ((action.kind === 'mutate' || action.kind === 'compute') && options.instanceId && options.entityName) {
+                        const currentInstance = await this.getInstanceRaw(options.entityName, options.instanceId);
+                        // Enrich re-fetched instance with _entity for relationship resolution
+                        const enriched = currentInstance ? { ...currentInstance, _entity: options.entityName } : currentInstance;
+                        // Refresh both self/this bindings and spread instance properties into evalContext
+                        evalContext.self = enriched;
+                        evalContext.this = enriched;
+                        Object.assign(evalContext, enriched);
+                        Object.assign(evalContext, input);
+                    }
+                    result = actionResult;
+                }
+                this.profilingBridge.endPhase('actionExecution');
+                if (autoCreatedInstance && options.entityName) {
+                    const currentInstance = await this.getInstanceRaw(options.entityName, autoCreatedInstance.id);
+                    autoCreatedInstance = currentInstance ?? autoCreatedInstance;
+                    result = autoCreatedInstance;
+                }
+                // Flush the accumulated field changes in a single store write. Runs before
+                // event emission and reaction dispatch so emitted events and any reactions
+                // observe the final committed command state.
+                const cb = this.commandBuffer;
+                if (cb && Object.keys(cb.patch).length > 0) {
+                    const cbStore = this.stores.get(cb.entityName);
+                    if (cbStore)
+                        await cbStore.update(cb.id, cb.patch);
+                }
+            }
+            finally {
+                this.commandBuffer = prevBuffer;
+            }
+            this.profilingBridge.startPhase('eventEmission');
+            // Finalize canonical subject metadata for command-declared events.
+            // Resolution order for subject.id:
+            //   1. instanceId passed to runCommand (already set on baseSubject)
+            //   2. A single deterministically created record id (justCreatedInstanceIds)
+            //   3. Top-level payload.id from the emitted event payload (checked per-event below)
+            //   4. Unset
+            const subject = { ...baseSubject };
+            if (!subject.id && this.justCreatedInstanceIds.size === 1) {
+                const [createdId] = this.justCreatedInstanceIds;
+                subject.id = createdId;
+            }
+            for (const eventName of command.emits) {
+                const event = this.ir.events.find(e => e.name === eventName);
+                const prov = this.ir.provenance;
+                const eventPayload = { ...input, result };
+                // G7: populate explicitly-declared payload fields (`emit Event { field: expr }`).
+                // Evaluated against the post-action evalContext (self = current instance,
+                // command input, user, context) so reactions can read declared event fields
+                // instead of finding them undefined.
+                const payloadSpec = command.emitPayloads?.find(ep => ep.eventName === eventName);
+                if (payloadSpec) {
+                    for (const field of payloadSpec.fields) {
+                        eventPayload[field.name] = await this.evaluateExpression(field.expression, evalContext);
+                    }
+                }
+                // Fallback: resolve subject.id from payload.id if not yet set
+                const eventSubject = subject.id
+                    ? { ...subject }
+                    : {
+                        ...subject,
+                        ...(typeof eventPayload.id === 'string' &&
+                            eventPayload.id !== ''
+                            ? { id: eventPayload.id }
+                            : {}),
+                    };
+                const emitted = {
+                    name: eventName,
+                    channel: event?.channel || eventName,
+                    payload: eventPayload,
+                    subject: eventSubject,
+                    timestamp: this.getNow(),
+                    ...(prov ? {
+                        provenance: {
+                            contentHash: prov.contentHash,
+                            compilerVersion: prov.compilerVersion,
+                            schemaVersion: prov.schemaVersion,
+                        },
+                    } : {}),
+                    ...(workflowMeta.correlationId !== undefined ? { correlationId: workflowMeta.correlationId } : {}),
+                    ...(workflowMeta.causationId !== undefined ? { causationId: workflowMeta.causationId } : {}),
+                    emitIndex: emitCounter.value++,
+                };
+                emittedEvents.push(emitted);
+                this.eventLog.push(emitted);
+                this.notifyListeners(emitted);
+            }
+            // Execute matching reaction rules for emitted events (declaration order)
+            const reactions = this.ir.reactions || [];
+            if (reactions.length > 0 && emittedEvents.length > 0) {
+                // Use index-based iteration since cascading reactions may append to emittedEvents
+                const initialLength = emittedEvents.length;
+                for (let ei = 0; ei < initialLength; ei++) {
+                    const emitted = emittedEvents[ei];
+                    const matchingReactions = reactions.filter(r => r.event === emitted.name);
+                    for (const reaction of matchingReactions) {
+                        if (this.reactionDepth >= RuntimeEngine.MAX_REACTION_DEPTH) {
+                            throw new ManifestReactionDepthError(this.reactionDepth, reaction.event, `${reaction.targetEntity}.${reaction.targetCommand}`);
+                        }
+                        // Evaluate resolve and params expressions against event context.
+                        // Available bindings:
+                        //   payload  — event payload fields merged with subject metadata
+                        //   self     — alias for payload (convenient for member access)
+                        const eventPayloadBase = typeof emitted.payload === 'object' && emitted.payload !== null ? emitted.payload : {};
+                        const enrichedPayload = {
+                            ...eventPayloadBase,
+                            // Alias the event source id to top-level `id` so reaction expressions
+                            // like `self.id` / `payload.id` resolve (the Convex projection's
+                            // reaction payload does the same). Only when the payload has no id.
+                            ...(eventPayloadBase.id === undefined && emitted.subject?.id !== undefined ? { id: emitted.subject.id } : {}),
+                            _subject: emitted.subject,
+                            _eventName: emitted.name,
+                            _channel: emitted.channel,
+                        };
+                        const reactionContext = {
+                            payload: enrichedPayload,
+                            self: enrichedPayload,
+                        };
+                        // Fan-out reaction: dispatch the command on EVERY target row where
+                        // row.<matchField> == matchSource (evaluated against the event payload),
+                        // instead of one resolved target. The collection match replaces resolve.
+                        if (reaction.fanOut) {
+                            const matchValue = await this.evaluateExpression(reaction.fanOut.matchSource, reactionContext);
+                            const fanInput = {};
+                            if (reaction.params) {
+                                for (const p of reaction.params) {
+                                    fanInput[p.name] = await this.evaluateExpression(p.expression, reactionContext);
+                                }
+                            }
+                            const matchField = reaction.fanOut.matchField;
+                            const matches = (await this.getAllInstancesRaw(reaction.targetEntity))
+                                .filter(inst => inst[matchField] === matchValue);
+                            for (const m of matches) {
+                                if (this.reactionDepth >= RuntimeEngine.MAX_REACTION_DEPTH) {
+                                    throw new ManifestReactionDepthError(this.reactionDepth, reaction.event, `${reaction.targetEntity}.${reaction.targetCommand}`);
+                                }
+                                this.reactionDepth++;
+                                try {
+                                    const fanResult = await this.runCommand(reaction.targetCommand, fanInput, {
+                                        entityName: reaction.targetEntity,
+                                        instanceId: String(m.id ?? ''),
+                                        correlationId: workflowMeta.correlationId,
+                                        causationId: emitted.name,
+                                    });
+                                    if (fanResult.emittedEvents)
+                                        emittedEvents.push(...fanResult.emittedEvents);
+                                }
+                                finally {
+                                    this.reactionDepth--;
+                                }
+                            }
+                            continue;
+                        }
+                        // Single-target reaction: fanOut reactions have no resolve and continue above.
+                        if (!reaction.resolve)
+                            continue;
+                        const resolvedId = await this.evaluateExpression(reaction.resolve, reactionContext);
+                        // Evaluate param mappings
+                        const reactionInput = {};
+                        if (reaction.params) {
+                            for (const param of reaction.params) {
+                                reactionInput[param.name] = await this.evaluateExpression(param.expression, reactionContext);
+                            }
+                        }
+                        // A reaction whose target command is `create` must flow through the
+                        // auto-create path (runCommand only auto-creates when instanceId is
+                        // ABSENT). Forcing instanceId here made create-target reactions run
+                        // mutate actions against a non-existent instance and persist nothing.
+                        // For create targets the resolved value identifies the NEW instance's
+                        // id, so thread it through as input.id (unless params set one).
+                        const isCreateTarget = reaction.targetCommand === 'create';
+                        let reactionInstanceId = String(resolvedId);
+                        if (isCreateTarget) {
+                            reactionInstanceId = undefined;
+                            if (reactionInput.id === undefined && resolvedId !== undefined && resolvedId !== null) {
+                                reactionInput.id = String(resolvedId);
+                            }
+                        }
+                        // Dispatch the reaction command
+                        this.reactionDepth++;
+                        try {
+                            const reactionResult = await this.runCommand(reaction.targetCommand, reactionInput, {
+                                entityName: reaction.targetEntity,
+                                instanceId: reactionInstanceId,
+                                correlationId: workflowMeta.correlationId,
+                                causationId: emitted.name,
+                            });
+                            // Collect events from reaction-triggered commands
+                            if (reactionResult.emittedEvents) {
+                                emittedEvents.push(...reactionResult.emittedEvents);
+                            }
+                        }
+                        finally {
+                            this.reactionDepth--;
+                        }
+                    }
+                }
+            }
+            this.profilingBridge.endPhase('eventEmission');
+            const commandResult = {
+                success: true,
+                result,
+                ...(autoCreatedInstance ? { instance: autoCreatedInstance } : {}),
+                // Include constraint outcomes in successful result
+                constraintOutcomes: [...constraintResult.outcomes, ...(createConstraintOutcomes ?? [])].length > 0
+                    ? [...constraintResult.outcomes, ...(createConstraintOutcomes ?? [])]
+                    : undefined,
+                ...(workflowMeta.correlationId !== undefined ? { correlationId: workflowMeta.correlationId } : {}),
+                ...(workflowMeta.causationId !== undefined ? { causationId: workflowMeta.causationId } : {}),
+                emittedEvents,
+            };
+            // Middleware: after-emit hook
+            const afterEmitResult = await this.runMiddleware('after-emit', command, evalContext, input, options, emittedEvents);
+            if (afterEmitResult)
+                return afterEmitResult;
+            return commandResult;
+        }
+        catch (e) {
+            if (e instanceof EvaluationBudgetExceededError) {
+                return {
+                    success: false,
+                    error: e.message,
+                    ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+                    ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+                    emittedEvents: [],
+                };
+            }
+            throw e; // re-throw other errors (ManifestEffectBoundaryError, etc.)
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    buildEvalContext(input, instance, entityName) {
+        // Enrich instance with _entity metadata so relationship resolution works
+        // when the member expression handler reads _entity from self/this
+        const enrichedInstance = (instance && entityName)
+            ? { ...instance, _entity: entityName }
+            : instance;
+        const baseContext = {
+            ...(enrichedInstance || {}),
+            ...input,
+            self: enrichedInstance ?? null,
+            this: enrichedInstance ?? null,
+            user: this.context.user ?? null,
+            context: this.context ?? {},
+        };
+        return baseContext;
+    }
+    async checkPolicies(command, evalContext) {
+        // If command has explicit policies (expanded from entity defaults or declared),
+        // evaluate only those policies by name
+        let relevantPolicies;
+        if (command.policies && command.policies.length > 0) {
+            // Filter by policy names specified on the command
+            const policyNames = new Set(command.policies);
+            relevantPolicies = this.ir.policies.filter(p => policyNames.has(p.name));
+        }
+        else {
+            // Fallback: filter by entity match and action type (legacy behavior)
+            relevantPolicies = this.ir.policies.filter(p => {
+                if (p.entity && command.entity && p.entity !== command.entity)
+                    return false;
+                if (p.action !== 'all' && p.action !== 'execute')
+                    return false;
+                return true;
+            });
+        }
+        const tenantValue = this.ir.tenant ? this.resolveTenantValue() : this.context.tenantId;
+        for (const policy of relevantPolicies) {
+            if (policyHasRateLimit(policy) && policy.rateLimit) {
+                const rl = checkRateLimitGate(this.rateLimiter, policy.rateLimit, evalContext, tenantValue, this.getNow(), `policy:${policy.name}`);
+                if (!rl.allowed) {
+                    return {
+                        allowed: false,
+                        denial: {
+                            policyName: policy.name,
+                            expression: policy.expression,
+                            formatted: this.formatExpression(policy.expression),
+                            message: policy.message || `Rate limit exceeded for policy '${policy.name}'`,
+                            contextKeys: this.extractContextKeys(policy.expression),
+                        },
+                    };
+                }
+            }
+            const result = await this.evaluateExpression(policy.expression, evalContext);
+            if (!result) {
+                // Extract context keys (not values for security)
+                const contextKeys = this.extractContextKeys(policy.expression);
+                // Resolve expression values for diagnostics
+                const resolved = await this.resolveExpressionValues(policy.expression, evalContext);
+                return {
+                    allowed: false,
+                    denial: {
+                        policyName: policy.name,
+                        expression: policy.expression,
+                        formatted: this.formatExpression(policy.expression),
+                        message: policy.message || `Denied by policy '${policy.name}'`,
+                        contextKeys,
+                        resolved,
+                    },
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Validate entity constraints against instance data
+     * Returns array of constraint failures (empty if all pass)
+     *
+     * Constraint semantics:
+     * - Expression evaluates to TRUE → condition is met → constraint PASSES
+     * - Expression evaluates to FALSE → condition is not met → constraint FAILS
+     *
+     * Severity affects what gets reported as failures:
+     * - severity='block': Failed constraints are returned as failures (block execution)
+     * - severity='warn': Failed constraints are NOT returned as failures (informational only)
+     * - severity='ok': Failed constraints are NOT returned as failures (informational only)
+     *
+     * CONSTRAINT SEMANTICS (vNext hybrid support):
+     * - Positive constraints (default): Expression describes what MUST be true for validity
+     *   - When FALSE → constraint FAILS (e.g., "amount >= 0" fails when amount = -1)
+     *   - When TRUE → constraint PASSES
+     * - Negative constraints (detected by "severity" prefix): Expression describes BAD state
+     *   - When TRUE → constraint FIRES (e.g., "status == 'cancelled'" fires when cancelled)
+     *   - When FALSE → constraint PASSES (no bad state present)
+     */
+    async validateConstraints(entity, instanceData) {
+        const outcomes = [];
+        // Enrich instance with _entity metadata so relationship resolution works
+        // when the member expression handler reads _entity from self/this
+        const enrichedData = { ...instanceData, _entity: entity.name };
+        const evalContext = {
+            ...enrichedData,
+            self: enrichedData,
+            this: enrichedData,
+            user: this.context.user ?? null,
+            context: this.context ?? {},
+        };
+        // Use evaluateConstraint to build proper ConstraintOutcome objects
+        for (const constraint of entity.constraints) {
+            const outcome = await this.evaluateConstraint(constraint, evalContext);
+            outcomes.push(outcome);
+        }
+        return outcomes;
+    }
+    extractContextKeys(expr) {
+        const keys = new Set();
+        const walk = (node) => {
+            switch (node.kind) {
+                case 'identifier':
+                    // Add built-in identifiers and any user-defined identifiers
+                    if (node.name === 'self' || node.name === 'this' || node.name === 'user' || node.name === 'context') {
+                        keys.add(node.name);
+                    }
+                    return;
+                case 'member': {
+                    // Add the base identifier (e.g., 'user' from 'user.role')
+                    walk(node.object);
+                    // Also add the full path as a key
+                    const base = this.formatExpression(node.object);
+                    keys.add(`${base}.${node.property}`);
+                    return;
+                }
+                case 'binary':
+                    walk(node.left);
+                    walk(node.right);
+                    return;
+                case 'unary':
+                    walk(node.operand);
+                    return;
+                case 'call':
+                    node.args.forEach(walk);
+                    return;
+                case 'conditional':
+                    walk(node.condition);
+                    walk(node.consequent);
+                    walk(node.alternate);
+                    return;
+                case 'array':
+                    node.elements.forEach(walk);
+                    return;
+                case 'object':
+                    node.properties.forEach(p => walk(p.value));
+                    return;
+                case 'lambda':
+                    walk(node.body);
+                    return;
+                default:
+                    return;
+            }
+        };
+        walk(expr);
+        return Array.from(keys).sort();
+    }
+    formatExpression(expr) {
+        switch (expr.kind) {
+            case 'literal':
+                return this.formatValue(expr.value);
+            case 'identifier':
+                return expr.name;
+            case 'member':
+                return `${this.formatExpression(expr.object)}.${expr.property}`;
+            case 'binary':
+                return `${this.formatExpression(expr.left)} ${expr.operator} ${this.formatExpression(expr.right)}`;
+            case 'unary':
+                return expr.operator === 'not'
+                    ? `not ${this.formatExpression(expr.operand)}`
+                    : `${expr.operator}${this.formatExpression(expr.operand)}`;
+            case 'call':
+                return `${this.formatExpression(expr.callee)}(${expr.args.map(arg => this.formatExpression(arg)).join(', ')})`;
+            case 'conditional':
+                return `${this.formatExpression(expr.condition)} ? ${this.formatExpression(expr.consequent)} : ${this.formatExpression(expr.alternate)}`;
+            case 'array':
+                return `[${expr.elements.map(el => this.formatExpression(el)).join(', ')}]`;
+            case 'object':
+                return `{ ${expr.properties.map(p => `${p.key}: ${this.formatExpression(p.value)}`).join(', ')} }`;
+            case 'lambda':
+                return `(${expr.params.join(', ')}) => ${this.formatExpression(expr.body)}`;
+            default:
+                return '<expr>';
+        }
+    }
+    formatValue(value) {
+        switch (value.kind) {
+            case 'string':
+                return JSON.stringify(value.value);
+            case 'number':
+                return String(value.value);
+            case 'boolean':
+                return String(value.value);
+            case 'null':
+                return 'null';
+            case 'array':
+                return `[${value.elements.map(el => this.formatValue(el)).join(', ')}]`;
+            case 'object':
+                return `{ ${Object.entries(value.properties).map(([k, v]) => `${k}: ${this.formatValue(v)}`).join(', ')} }`;
+            default:
+                return 'null';
+        }
+    }
+    async resolveExpressionValues(expr, evalContext) {
+        const entries = [];
+        const seen = new Set();
+        const addEntry = async (node) => {
+            const formatted = this.formatExpression(node);
+            if (seen.has(formatted))
+                return;
+            seen.add(formatted);
+            let value;
+            try {
+                value = await this.evaluateExpression(node, evalContext);
+            }
+            catch {
+                value = undefined;
+            }
+            entries.push({ expression: formatted, value });
+        };
+        const walk = async (node) => {
+            switch (node.kind) {
+                case 'literal':
+                case 'identifier':
+                case 'member':
+                    await addEntry(node);
+                    return;
+                case 'binary':
+                    await walk(node.left);
+                    await walk(node.right);
+                    return;
+                case 'unary':
+                    await walk(node.operand);
+                    return;
+                case 'call':
+                    for (const arg of node.args) {
+                        await walk(arg);
+                    }
+                    return;
+                case 'conditional':
+                    await walk(node.condition);
+                    await walk(node.consequent);
+                    await walk(node.alternate);
+                    return;
+                case 'array':
+                    for (const el of node.elements) {
+                        await walk(el);
+                    }
+                    return;
+                case 'object':
+                    for (const prop of node.properties) {
+                        await walk(prop.value);
+                    }
+                    return;
+                case 'lambda':
+                    await walk(node.body);
+                    return;
+                default:
+                    return;
+            }
+        };
+        await walk(expr);
+        return entries;
+    }
+    async notifyActionTrace(index, kind, target, options) {
+        const hook = this.options.actionTraceHook;
+        if (!hook)
+            return;
+        await hook({
+            index,
+            kind,
+            target,
+            entityName: options.entityName,
+            instanceId: options.instanceId,
+        });
+    }
+    async executeAction(action, evalContext, options, emitCounter, workflowMeta, subject) {
+        // Effect boundary enforcement: in deterministic mode, adapter actions hard-error.
+        // Sources, in precedence order: options.deterministicMode (explicit caller intent),
+        // then context.deterministic (ambient context). See docs/spec/semantics.md
+        // § "Runtime Context Schema".
+        const deterministic = this.options.deterministicMode ?? this.context.deterministic ?? false;
+        if (deterministic &&
+            (action.kind === 'persist' || action.kind === 'publish' || action.kind === 'effect')) {
+            throw new ManifestEffectBoundaryError(action.kind);
+        }
+        const value = await this.evaluateExpression(action.expression, evalContext);
+        const traceIndex = ++this.actionTraceCounter;
+        switch (action.kind) {
+            case 'mutate':
+                if (action.target && options.instanceId && options.entityName) {
+                    await this.updateInstance(options.entityName, options.instanceId, {
+                        [action.target]: value,
+                    });
+                }
+                await this.notifyActionTrace(traceIndex, action.kind, action.target, options);
+                return value;
+            case 'emit':
+            case 'publish': {
+                const prov = this.ir.provenance;
+                const event = {
+                    name: 'action_event',
+                    channel: 'default',
+                    payload: value,
+                    ...(subject ? { subject } : {}),
+                    timestamp: this.getNow(),
+                    ...(prov ? {
+                        provenance: {
+                            contentHash: prov.contentHash,
+                            compilerVersion: prov.compilerVersion,
+                            schemaVersion: prov.schemaVersion,
+                        },
+                    } : {}),
+                    ...(workflowMeta.correlationId !== undefined ? { correlationId: workflowMeta.correlationId } : {}),
+                    ...(workflowMeta.causationId !== undefined ? { causationId: workflowMeta.causationId } : {}),
+                    emitIndex: emitCounter.value++,
+                };
+                this.eventLog.push(event);
+                this.notifyListeners(event);
+                await this.notifyActionTrace(traceIndex, action.kind, undefined, options);
+                return value;
+            }
+            case 'persist':
+                await this.notifyActionTrace(traceIndex, action.kind, undefined, options);
+                return value;
+            case 'compute':
+                if (action.target && options.instanceId && options.entityName) {
+                    await this.updateInstance(options.entityName, options.instanceId, {
+                        [action.target]: value,
+                    });
+                }
+                await this.notifyActionTrace(traceIndex, action.kind, action.target, options);
+                return value;
+            case 'effect':
+            default:
+                await this.notifyActionTrace(traceIndex, action.kind, undefined, options);
+                return value;
+        }
+    }
+    async evaluateExpression(expr, context) {
+        // Bounded complexity enforcement
+        if (this.evalBudget) {
+            this.evalBudget.steps++;
+            if (this.evalBudget.steps > this.evalBudget.maxSteps) {
+                throw new EvaluationBudgetExceededError('steps', this.evalBudget.maxSteps);
+            }
+            this.evalBudget.depth++;
+            if (this.evalBudget.depth > this.evalBudget.maxDepth) {
+                throw new EvaluationBudgetExceededError('depth', this.evalBudget.maxDepth);
+            }
+        }
+        try {
+            // WASM fast path: if a WASM evaluator is configured and ready, and the
+            // expression is a pure computational expression (no relationship resolution
+            // needed), use the WASM module for near-native execution speed.
+            // Falls back transparently to TypeScript on any error.
+            if (this.options.wasmEvaluator?.isReady() && this.isWasmCompatible(expr)) {
+                try {
+                    const result = await this.options.wasmEvaluator.evaluate(expr, context);
+                    return result;
+                }
+                catch {
+                    // Fall through to TypeScript evaluation on WASM error
+                }
+            }
+            switch (expr.kind) {
+                case 'literal':
+                    return this.irValueToJs(expr.value);
+                case 'identifier': {
+                    const name = expr.name;
+                    if (name in context)
+                        return context[name];
+                    if (name === 'true')
+                        return true;
+                    if (name === 'false')
+                        return false;
+                    if (name === 'null')
+                        return null;
+                    return undefined;
+                }
+                case 'member': {
+                    const obj = await this.evaluateExpression(expr.object, context);
+                    if (obj && typeof obj === 'object') {
+                        // Check if this is an entity instance that may have relationships
+                        // Works for direct self/this access AND chained traversal (self.order.customer)
+                        // because resolveRelationship enriches results with _entity metadata
+                        if ('id' in obj && typeof obj.id === 'string') {
+                            const entityName = obj._entity;
+                            if (entityName) {
+                                const relKey = `${entityName}.${expr.property}`;
+                                if (this.relationshipIndex.has(relKey)) {
+                                    return await this.resolveRelationship(entityName, obj, expr.property);
+                                }
+                            }
+                        }
+                        // Use hasOwnProperty check to prevent prototype pollution
+                        return Object.prototype.hasOwnProperty.call(obj, expr.property)
+                            ? obj[expr.property]
+                            : undefined;
+                    }
+                    return undefined;
+                }
+                case 'binary': {
+                    const left = await this.evaluateExpression(expr.left, context);
+                    const right = await this.evaluateExpression(expr.right, context);
+                    return this.evaluateBinaryOp(expr.operator, left, right);
+                }
+                case 'unary': {
+                    const operand = await this.evaluateExpression(expr.operand, context);
+                    return this.evaluateUnaryOp(expr.operator, operand);
+                }
+                case 'call': {
+                    // Check if callee is a built-in function identifier
+                    const calleeExpr = expr.callee;
+                    if (calleeExpr.kind === 'identifier') {
+                        const builtins = this.getBuiltins();
+                        if (calleeExpr.name in builtins) {
+                            const args = await Promise.all(expr.args.map(a => this.evaluateExpression(a, context)));
+                            return builtins[calleeExpr.name](...args);
+                        }
+                    }
+                    // Array method calls: arr.contains(x), arr.all(pred), arr.any(pred)
+                    if (calleeExpr.kind === 'member') {
+                        const property = calleeExpr.property;
+                        const arr = await this.evaluateExpression(calleeExpr.object, context);
+                        if (Array.isArray(arr)) {
+                            if (property === 'contains') {
+                                const needle = await this.evaluateExpression(expr.args[0], context);
+                                return arr.includes(needle);
+                            }
+                            if (property === 'all' || property === 'any') {
+                                const predicate = await this.evaluateExpression(expr.args[0], context);
+                                if (typeof predicate === 'function') {
+                                    if (property === 'all') {
+                                        for (const element of arr) {
+                                            const result = await Promise.resolve(predicate(element));
+                                            if (!result)
+                                                return false;
+                                        }
+                                        return true;
+                                    }
+                                    for (const element of arr) {
+                                        const result = await Promise.resolve(predicate(element));
+                                        if (result)
+                                            return true;
+                                    }
+                                    return false;
+                                }
+                            }
+                        }
+                    }
+                    // Default: evaluate callee and call as function
+                    const callee = await this.evaluateExpression(expr.callee, context);
+                    const args = await Promise.all(expr.args.map(a => this.evaluateExpression(a, context)));
+                    if (typeof callee === 'function') {
+                        return callee(...args);
+                    }
+                    return undefined;
+                }
+                case 'conditional': {
+                    const condition = await this.evaluateExpression(expr.condition, context);
+                    return condition
+                        ? await this.evaluateExpression(expr.consequent, context)
+                        : await this.evaluateExpression(expr.alternate, context);
+                }
+                case 'array':
+                    return await Promise.all(expr.elements.map(e => this.evaluateExpression(e, context)));
+                case 'object': {
+                    const result = {};
+                    for (const prop of expr.properties) {
+                        result[prop.key] = await this.evaluateExpression(prop.value, context);
+                    }
+                    return result;
+                }
+                case 'lambda': {
+                    return (...args) => {
+                        const localContext = { ...context };
+                        expr.params.forEach((p, i) => {
+                            localContext[p] = args[i];
+                        });
+                        return this.evaluateExpression(expr.body, localContext);
+                    };
+                }
+                case 'aggregate': {
+                    // count(Entity where field == value, ...) — count rows of `entity`
+                    // matching every ANDed equality predicate. Predicate values resolve in
+                    // the surrounding context (reaction params: the event payload). Count
+                    // is order-independent, so this is deterministic for a given store
+                    // snapshot regardless of row ordering.
+                    if (expr.op !== 'count')
+                        return undefined;
+                    // Resolve predicate values once (they do not depend on the counted row).
+                    const resolved = await Promise.all(expr.predicates.map(async (p) => ({ field: p.field, value: await this.evaluateExpression(p.value, context) })));
+                    const rows = await this.getAllInstancesRaw(expr.entity);
+                    let count = 0;
+                    for (const row of rows) {
+                        const r = row;
+                        let match = true;
+                        for (const pred of resolved) {
+                            if (r[pred.field] !== pred.value) {
+                                match = false;
+                                break;
+                            }
+                        }
+                        if (match)
+                            count++;
+                    }
+                    return count;
+                }
+                default:
+                    return undefined;
+            }
+        }
+        finally {
+            if (this.evalBudget) {
+                this.evalBudget.depth--;
+            }
+        }
+    }
+    /**
+     * Check whether an expression can be safely evaluated by the WASM module.
+     * Pure computational expressions (no entity relationships, no async effects)
+     * are compatible. The check is conservative — when in doubt, return false
+     * to ensure the TypeScript evaluator is used.
+     */
+    isWasmCompatible(expr) {
+        // Walk the expression tree checking for features that need TypeScript runtime
+        const walk = (node) => {
+            switch (node.kind) {
+                case 'literal':
+                case 'identifier':
+                    return true;
+                case 'member': {
+                    // Member access on identifiers (e.g., self.foo) needs runtime context.
+                    // Only allow member access on plain property reads of simple identifiers.
+                    if (node.object.kind === 'identifier') {
+                        return walk(node.object);
+                    }
+                    return false;
+                }
+                case 'binary':
+                    return walk(node.left) && walk(node.right);
+                case 'unary':
+                    return walk(node.operand);
+                case 'call': {
+                    // Only allow calls to builtins (identifier callees), not function values
+                    if (node.callee.kind === 'identifier') {
+                        return node.args.every(walk);
+                    }
+                    return false;
+                }
+                case 'conditional':
+                    return walk(node.condition) && walk(node.consequent) && walk(node.alternate);
+                case 'array':
+                    return node.elements.every(walk);
+                case 'object':
+                    return node.properties.every(p => walk(p.value));
+                case 'lambda':
+                    // Lambdas are not yet supported in WASM core
+                    return false;
+                default:
+                    return false;
+            }
+        };
+        return walk(expr);
+    }
+    evaluateBinaryOp(op, left, right) {
+        switch (op) {
+            case '+':
+                if (typeof left === 'string' || typeof right === 'string') {
+                    return String(left) + String(right);
+                }
+                return left + right;
+            case '-': return left - right;
+            case '*': return left * right;
+            case '/': return left / right;
+            case '%': return left % right;
+            case '==':
+            case 'is': return left == right; // Loose equality: undefined == null is true
+            case '!=': return left != right; // Loose inequality: undefined != null is false
+            case '<': return left < right;
+            case '>': return left > right;
+            case '<=': return left <= right;
+            case '>=': return left >= right;
+            case '&&':
+            case 'and': return Boolean(left) && Boolean(right);
+            case '||':
+            case 'or': return Boolean(left) || Boolean(right);
+            case 'in':
+                if (Array.isArray(right))
+                    return right.includes(left);
+                if (typeof right === 'string')
+                    return right.includes(String(left));
+                return false;
+            case 'contains':
+                if (Array.isArray(left))
+                    return left.includes(right);
+                if (typeof left === 'string')
+                    return left.includes(String(right));
+                return false;
+            default:
+                return undefined;
+        }
+    }
+    evaluateUnaryOp(op, operand) {
+        switch (op) {
+            case '!':
+            case 'not': return !operand;
+            case '-': return -operand;
+            default: return operand;
+        }
+    }
+    irValueToJs(value) {
+        switch (value.kind) {
+            case 'string': return value.value;
+            case 'number': return value.value;
+            case 'boolean': return value.value;
+            case 'null': return null;
+            case 'array': return value.elements.map(e => this.irValueToJs(e));
+            case 'object': {
+                const result = {};
+                for (const [k, v] of Object.entries(value.properties)) {
+                    result[k] = this.irValueToJs(v);
+                }
+                return result;
+            }
+        }
+    }
+    getDefaultForType(type) {
+        if (type.nullable)
+            return null;
+        switch (type.name) {
+            case 'string': return '';
+            case 'number': return 0;
+            case 'boolean': return false;
+            case 'list': return [];
+            case 'array': return [];
+            case 'map': return {};
+            default: return null;
+        }
+    }
+    async evaluateComputed(entityName, instanceId, propertyName) {
+        const meta = await this.evaluateComputedWithMeta(entityName, instanceId, propertyName);
+        return meta?.value;
+    }
+    /**
+     * Evaluate a computed property and return metadata including cache status and staleness.
+     * Returns { value, stale, cached } or undefined if the entity/property/instance doesn't exist.
+     */
+    async evaluateComputedWithMeta(entityName, instanceId, propertyName) {
+        const entity = this.getEntity(entityName);
+        if (!entity)
+            return undefined;
+        const computed = entity.computedProperties.find(c => c.name === propertyName);
+        if (!computed)
+            return undefined;
+        const instance = await this.getInstanceRaw(entityName, instanceId);
+        if (!instance)
+            return undefined;
+        const cacheKey = `${entityName}:${instanceId}:${propertyName}`;
+        // Check cache based on strategy
+        if (computed.cache) {
+            const cached = this.getCachedComputedValue(computed.cache, cacheKey);
+            if (cached !== undefined) {
+                return { value: cached.value, stale: cached.stale, cached: true };
+            }
+        }
+        const ownsEvalBudget = this.initEvalBudget();
+        try {
+            const value = await this.evaluateComputedInternal(entity, instance, propertyName, new Set());
+            // Store in cache if strategy is configured
+            if (computed.cache) {
+                this.setCachedComputedValue(computed.cache, cacheKey, value);
+            }
+            return { value, stale: false, cached: false };
+        }
+        finally {
+            if (ownsEvalBudget)
+                this.clearEvalBudget();
+        }
+    }
+    /**
+     * Look up a cached computed property value based on the configured cache strategy.
+     * Returns the cache entry if valid, or undefined if cache miss or expired.
+     */
+    getCachedComputedValue(cacheConfig, cacheKey) {
+        switch (cacheConfig.strategy) {
+            case 'request': {
+                const entry = this.computedPropertyRequestCache.get(cacheKey);
+                if (entry)
+                    return { value: entry.value, stale: entry.stale };
+                return undefined;
+            }
+            case 'session': {
+                const entry = this.computedPropertyCache.get(cacheKey);
+                if (entry)
+                    return { value: entry.value, stale: entry.stale };
+                return undefined;
+            }
+            case 'ttl': {
+                const entry = this.computedPropertyCache.get(cacheKey);
+                if (entry) {
+                    const now = this.getNow();
+                    const ttlMs = (cacheConfig.ttlSeconds ?? 0) * 1000;
+                    if (now - entry.computedAt < ttlMs) {
+                        return { value: entry.value, stale: entry.stale };
+                    }
+                    // TTL expired — remove stale entry
+                    this.computedPropertyCache.delete(cacheKey);
+                }
+                return undefined;
+            }
+            default:
+                return undefined;
+        }
+    }
+    /**
+     * Store a computed property value in the appropriate cache based on strategy.
+     */
+    setCachedComputedValue(cacheConfig, cacheKey, value) {
+        const entry = { value, computedAt: this.getNow(), stale: false };
+        switch (cacheConfig.strategy) {
+            case 'request':
+                this.computedPropertyRequestCache.set(cacheKey, entry);
+                break;
+            case 'session':
+            case 'ttl':
+                this.computedPropertyCache.set(cacheKey, entry);
+                break;
+        }
+    }
+    async evaluateComputedInternal(entity, instance, propertyName, visited) {
+        if (visited.has(propertyName))
+            return undefined;
+        visited.add(propertyName);
+        const computed = entity.computedProperties.find(c => c.name === propertyName);
+        if (!computed)
+            return undefined;
+        const computedValues = {};
+        if (computed.dependencies) {
+            for (const dep of computed.dependencies) {
+                const depComputed = entity.computedProperties.find(c => c.name === dep);
+                if (depComputed && !visited.has(dep)) {
+                    computedValues[dep] = await this.evaluateComputedInternal(entity, instance, dep, new Set(visited));
+                }
+            }
+        }
+        // Enrich instance with _entity metadata so relationship resolution works
+        // when the member expression handler reads _entity from self/this
+        const enrichedInstance = { ...instance, _entity: entity.name };
+        const context = {
+            self: enrichedInstance,
+            this: enrichedInstance,
+            ...enrichedInstance,
+            ...computedValues,
+            user: this.context.user ?? null,
+            context: this.context ?? {},
+        };
+        return await this.evaluateExpression(computed.expression, context);
+    }
+    /**
+     * vNext: Interpolate template placeholders with values from context
+     * Supports {placeholder} syntax where placeholders are resolved from:
+     * 1. details mapping (if present)
+     * 2. resolved expression values (by expression string)
+     * 3. evaluation context (direct property access)
+     */
+    interpolateTemplate(template, evalContext, details, resolved) {
+        // Create a lookup map for resolved values by expression
+        const resolvedMap = new Map();
+        if (resolved) {
+            for (const r of resolved) {
+                // Use the expression string as the key
+                resolvedMap.set(r.expression, r.value);
+            }
+        }
+        return template.replace(/\{([^}]+)\}/g, (_match, placeholder) => {
+            // First check details mapping
+            if (details && placeholder in details) {
+                return String(details[placeholder]);
+            }
+            // Then check resolved expressions
+            if (resolvedMap.has(placeholder)) {
+                const value = resolvedMap.get(placeholder);
+                return value === undefined ? placeholder : String(value);
+            }
+            // Finally check evaluation context
+            if (placeholder in evalContext) {
+                const value = evalContext[placeholder];
+                return value === undefined ? placeholder : String(value);
+            }
+            // Placeholder not found, return original
+            return _match;
+        });
+    }
+    /**
+     * vNext: Evaluate a single constraint and return detailed outcome
+     */
+    async evaluateConstraint(constraint, evalContext) {
+        const result = await this.evaluateExpression(constraint.expression, evalContext);
+        // Hybrid constraint semantics:
+        // - Negative-type constraints (name starts with "severity"): fire when TRUE (bad state detected)
+        // - Positive-type constraints: fail when FALSE (required condition not met)
+        const isNegativeType = constraint.name.startsWith('severity');
+        const passed = isNegativeType ? !result : !!result;
+        // Build details mapping if specified
+        let details = undefined;
+        if (constraint.detailsMapping) {
+            details = {};
+            for (const [key, expr] of Object.entries(constraint.detailsMapping)) {
+                details[key] = await this.evaluateExpression(expr, evalContext);
+            }
+        }
+        // Resolve expression values for debugging
+        const resolved = await this.resolveExpressionValues(constraint.expression, evalContext);
+        // Build message with template interpolation if messageTemplate is used
+        let message = constraint.message;
+        if (constraint.messageTemplate && !message) {
+            message = this.interpolateTemplate(constraint.messageTemplate, evalContext, details, resolved.map(r => ({ expression: r.expression, value: r.value })));
+        }
+        return {
+            code: constraint.code,
+            constraintName: constraint.name,
+            severity: constraint.severity || 'block',
+            formatted: this.formatExpression(constraint.expression),
+            message,
+            details,
+            passed,
+            resolved: resolved.map(r => ({ expression: r.expression, value: r.value })),
+        };
+    }
+    /**
+     * vNext: Evaluate command constraints with override support
+     * Returns allowed flag, all constraint outcomes, and any OverrideApplied events.
+     * Per spec (manifest-vnext.md § OverrideApplied Event Shape):
+     * OverrideApplied events MUST be included in CommandResult.emittedEvents.
+     */
+    async evaluateCommandConstraints(command, evalContext, overrideRequests, commandContext) {
+        const outcomes = [];
+        const overrideEvents = [];
+        for (const constraint of command.constraints || []) {
+            const outcome = await this.evaluateConstraint(constraint, evalContext);
+            // Check for override if constraint failed and is overrideable
+            if (!outcome.passed && constraint.overrideable) {
+                // First check for explicit override request
+                if (overrideRequests) {
+                    const overrideReq = overrideRequests.find(o => o.constraintCode === constraint.code);
+                    if (overrideReq) {
+                        const authorized = await this.validateOverrideAuthorization(constraint, overrideReq, evalContext);
+                        if (authorized) {
+                            outcome.overridden = true;
+                            outcome.overriddenBy = overrideReq.authorizedBy;
+                            const event = this.buildOverrideAppliedEvent(constraint, overrideReq, commandContext);
+                            overrideEvents.push(event);
+                            this.eventLog.push(event);
+                            this.notifyListeners(event);
+                        }
+                    }
+                }
+                // If still not overridden and has overridePolicyRef, automatically check policy
+                if (!outcome.overridden && constraint.overridePolicyRef) {
+                    const policy = this.ir.policies.find(p => p.name === constraint.overridePolicyRef);
+                    if (policy && policy.action === 'override') {
+                        const policyResult = await this.evaluateExpression(policy.expression, evalContext);
+                        const authorized = Boolean(policyResult);
+                        if (authorized) {
+                            outcome.overridden = true;
+                            outcome.overriddenBy = 'policy:' + policy.name;
+                        }
+                    }
+                }
+            }
+            outcomes.push(outcome);
+            // Block execution if non-passing constraint is not overridden
+            if (!outcome.passed && !outcome.overridden && outcome.severity === 'block') {
+                return { allowed: false, outcomes, overrideEvents };
+            }
+        }
+        return { allowed: true, outcomes, overrideEvents };
+    }
+    /**
+     * vNext: Validate override authorization via policy or default admin check
+     */
+    async validateOverrideAuthorization(constraint, overrideReq, evalContext) {
+        // If constraint has overridePolicyRef, check that policy
+        if (constraint.overridePolicyRef) {
+            const policy = this.ir.policies.find(p => p.name === constraint.overridePolicyRef);
+            if (policy) {
+                const overrideContext = {
+                    ...evalContext,
+                    _override: {
+                        constraintCode: constraint.code,
+                        constraintName: constraint.name,
+                        reason: overrideReq.reason,
+                        authorizedBy: overrideReq.authorizedBy,
+                    },
+                };
+                const result = await this.evaluateExpression(policy.expression, overrideContext);
+                return Boolean(result);
+            }
+        }
+        // Default: check if user has admin-like role
+        const user = this.context.user;
+        return user?.role === 'admin' || false;
+    }
+    /**
+     * vNext: Build OverrideApplied event for auditing.
+     * Per spec (manifest-vnext.md § OverrideApplied Event Shape):
+     * payload MUST contain: constraintCode, reason, authorizedBy, timestamp, commandName,
+     * and optionally entityName, instanceId.
+     * The event is a runtime-synthesized event included in CommandResult.emittedEvents.
+     */
+    buildOverrideAppliedEvent(constraint, overrideReq, commandContext) {
+        const payload = {
+            constraintCode: constraint.code,
+            reason: overrideReq.reason,
+            authorizedBy: overrideReq.authorizedBy,
+            timestamp: this.getNow(),
+            commandName: commandContext?.commandName || '',
+        };
+        if (commandContext?.entityName) {
+            payload.entityName = commandContext.entityName;
+        }
+        if (commandContext?.instanceId) {
+            payload.instanceId = commandContext.instanceId;
+        }
+        return {
+            name: 'OverrideApplied',
+            channel: 'system',
+            payload,
+            timestamp: this.getNow(),
+            provenance: this.getProvenanceInfo(),
+        };
+    }
+    /**
+     * vNext: Emit ConcurrencyConflict event
+     */
+    async emitConcurrencyConflictEvent(entityName, entityId, expectedVersion, actualVersion) {
+        const event = {
+            name: 'ConcurrencyConflict',
+            channel: 'system',
+            payload: {
+                entityType: entityName,
+                entityId,
+                expectedVersion,
+                actualVersion,
+                conflictCode: 'VERSION_MISMATCH',
+                timestamp: this.getNow(),
+            },
+            timestamp: this.getNow(),
+            provenance: this.getProvenanceInfo(),
+        };
+        this.eventLog.push(event);
+        this.notifyListeners(event);
+    }
+    /**
+     * vNext: Get provenance info for events
+     */
+    getProvenanceInfo() {
+        const prov = this.ir.provenance;
+        if (!prov)
+            return undefined;
+        return {
+            contentHash: prov.contentHash,
+            compilerVersion: prov.compilerVersion,
+            schemaVersion: prov.schemaVersion,
+        };
+    }
+    onEvent(listener) {
+        this.eventListeners.push(listener);
+        return () => {
+            const idx = this.eventListeners.indexOf(listener);
+            if (idx !== -1)
+                this.eventListeners.splice(idx, 1);
+        };
+    }
+    /**
+     * Subscribe to events for a single entity (docs/spec/semantics.md,
+     * "Realtime Entities"). Convenience over onEvent: the listener receives
+     * only events whose `subject.entity === entityName`. Events WITHOUT a
+     * subject entity are NOT delivered — use onEvent for the unfiltered
+     * firehose. Returns an unsubscribe function. Exists regardless of any
+     * entity's `realtime` flag (the flag is a projection hint only).
+     */
+    subscribe(entityName, listener) {
+        return this.onEvent((event) => {
+            if (event.subject?.entity === entityName) {
+                listener(event);
+            }
+        });
+    }
+    notifyListeners(event) {
+        for (const listener of this.eventListeners) {
+            try {
+                listener(event);
+            }
+            catch {
+                // Ignore errors in event listeners
+            }
+        }
+    }
+    getEventLog() {
+        return [...this.eventLog];
+    }
+    clearEventLog() {
+        this.eventLog = [];
+    }
+    async serialize() {
+        const storeData = {};
+        for (const [name, store] of this.stores) {
+            storeData[name] = await store.getAll();
+        }
+        return {
+            ir: this.ir,
+            context: this.context,
+            stores: storeData,
+        };
+    }
+    async restore(data) {
+        for (const [name, instances] of Object.entries(data.stores)) {
+            const store = this.stores.get(name);
+            if (store) {
+                await store.clear();
+                for (const instance of instances) {
+                    await store.create(instance);
+                }
+            }
+        }
+    }
+    /**
+     * Static factory method to create a RuntimeEngine with optional provenance verification.
+     * This is useful when you want to verify IR integrity before execution.
+     *
+     * In production mode (NODE_ENV=production), provenance verification is enabled by default.
+     * Set `requireValidProvenance: false` to explicitly disable.
+     *
+     * @param ir - The IR to execute
+     * @param context - Runtime context (user, etc.)
+     * @param options - Runtime options including requireValidProvenance
+     * @returns A tuple of [runtime, verificationResult]
+     *
+     * @example
+     * ```ts
+     * // Production: verification enabled by default
+     * const [runtime, result] = await RuntimeEngine.create(ir, context);
+     * if (!result.valid) {
+     *   throw new Error(`Invalid IR: ${result.error}`);
+     * }
+     *
+     * // Development: explicitly disable verification
+     * const [runtime] = await RuntimeEngine.create(ir, context, { requireValidProvenance: false });
+     * ```
+     */
+    // ─── Approval Workflow Methods ─────────────────────────────────────
+    /**
+     * Build an approval-request key for the Map.
+     */
+    approvalKey(entity, instanceId, approvalName) {
+        return `${entity}:${instanceId}:${approvalName}`;
+    }
+    /**
+     * Find approval declarations on an entity that gate a given command name.
+     */
+    findApprovalsForCommand(entityName, commandName) {
+        const entity = this.getEntity(entityName);
+        if (!entity?.approvals)
+            return [];
+        return entity.approvals.filter(a => a.command === commandName);
+    }
+    /**
+     * Check the approval gate for a command. Returns a CommandResult (blocked)
+     * if the command requires approval that hasn't been granted yet, or
+     * undefined if the command may proceed.
+     */
+    async checkApprovalGate(commandName, entityName, instanceId, evalContext, options) {
+        const approvals = this.findApprovalsForCommand(entityName, commandName);
+        if (approvals.length === 0)
+            return undefined;
+        // Use the first matching approval (typically one-to-one command→approval)
+        const approval = approvals[0];
+        const resolvedInstanceId = instanceId ?? 'unknown';
+        const key = this.approvalKey(entityName, resolvedInstanceId, approval.name);
+        // Determine which stages are required (evaluate `when` conditions)
+        const requiredStages = [];
+        for (const stage of approval.stages) {
+            if (stage.when) {
+                const whenResult = await this.evaluateExpression(stage.when, evalContext);
+                if (whenResult)
+                    requiredStages.push(stage.name);
+            }
+            else {
+                requiredStages.push(stage.name);
+            }
+        }
+        // If no stages are required (all `when` conditions false), proceed
+        if (requiredStages.length === 0)
+            return undefined;
+        // Check existing approval request (durable store wins when configured)
+        const existing = await this.loadApprovalState(key);
+        if (existing && existing.status === 'granted') {
+            // All stages were granted — consume the approval and proceed
+            return undefined;
+        }
+        // Create or refresh a pending request
+        let request = existing;
+        if (!request || request.status === 'expired' || request.status === 'denied') {
+            const now = this.getNow();
+            request = {
+                entity: entityName,
+                instanceId: resolvedInstanceId,
+                approvalName: approval.name,
+                command: commandName,
+                status: 'pending',
+                requiredStages,
+                grants: [],
+                requestedAt: now,
+                expiresAt: approval.timeout ? now + approval.timeout * 3600000 : undefined,
+            };
+            await this.saveApprovalState(key, request);
+        }
+        // Determine which stages are still pending
+        const pendingStages = this.getPendingStages(request, approval);
+        return {
+            success: false,
+            error: `Command '${commandName}' requires approval '${approval.name}'`,
+            approvalRequired: {
+                approvalName: approval.name,
+                pendingStages,
+                requestKey: key,
+            },
+            ...(options.correlationId !== undefined ? { correlationId: options.correlationId } : {}),
+            ...(options.causationId !== undefined ? { causationId: options.causationId } : {}),
+            emittedEvents: [],
+        };
+    }
+    /**
+     * Get the list of stages that still need approvals.
+     */
+    getPendingStages(request, approval) {
+        const pending = [];
+        for (const stageName of request.requiredStages) {
+            const stageSpec = approval.stages.find(s => s.name === stageName);
+            if (!stageSpec)
+                continue;
+            const grantCount = request.grants.filter(g => g.stage === stageName).length;
+            if (grantCount < stageSpec.required) {
+                pending.push(stageName);
+            }
+        }
+        return pending;
+    }
+    /**
+     * Request approval for a command on an entity instance.
+     * Creates or returns the existing approval request state.
+     */
+    async requestApproval(entityName, instanceId, approvalName) {
+        const key = this.approvalKey(entityName, instanceId, approvalName);
+        const existing = await this.loadApprovalState(key);
+        if (existing)
+            return existing;
+        const entity = this.getEntity(entityName);
+        const approval = entity?.approvals?.find(a => a.name === approvalName);
+        if (!approval) {
+            throw new Error(`Approval '${approvalName}' not found on entity '${entityName}'`);
+        }
+        // Evaluate which stages are required using a minimal context
+        const instance = await this.getInstanceRaw(entityName, instanceId);
+        const evalContext = this.buildEvalContext({}, instance, entityName);
+        const requiredStages = [];
+        for (const stage of approval.stages) {
+            if (stage.when) {
+                const whenResult = await this.evaluateExpression(stage.when, evalContext);
+                if (whenResult)
+                    requiredStages.push(stage.name);
+            }
+            else {
+                requiredStages.push(stage.name);
+            }
+        }
+        const now = this.getNow();
+        const state = {
+            entity: entityName,
+            instanceId,
+            approvalName,
+            command: approval.command,
+            status: 'pending',
+            requiredStages,
+            grants: [],
+            requestedAt: now,
+            expiresAt: approval.timeout ? now + approval.timeout * 3600000 : undefined,
+        };
+        await this.saveApprovalState(key, state);
+        return state;
+    }
+    /**
+     * Grant approval for a specific stage. Evaluates the stage policy to verify
+     * the approver is authorized. When all required stages are satisfied, marks
+     * the approval as 'granted'.
+     */
+    async approveStage(entityName, instanceId, approvalName, stageName, approver) {
+        const key = this.approvalKey(entityName, instanceId, approvalName);
+        const request = await this.loadApprovalState(key);
+        if (!request) {
+            throw new Error(`No pending approval request for key '${key}'`);
+        }
+        if (request.status !== 'pending') {
+            throw new Error(`Approval '${approvalName}' is not pending (status: ${request.status})`);
+        }
+        const entity = this.getEntity(entityName);
+        const approval = entity?.approvals?.find(a => a.name === approvalName);
+        if (!approval) {
+            throw new Error(`Approval '${approvalName}' not found on entity '${entityName}'`);
+        }
+        const stageSpec = approval.stages.find(s => s.name === stageName);
+        if (!stageSpec) {
+            throw new Error(`Stage '${stageName}' not found in approval '${approvalName}'`);
+        }
+        // Verify this stage is required
+        if (!request.requiredStages.includes(stageName)) {
+            throw new Error(`Stage '${stageName}' is not required for this approval request`);
+        }
+        // Build the approver's user context for the stage policy. A bare string
+        // is the legacy form (userId doubles as role); an object carries a real
+        // role/roles/permissions so RBAC policies like `user.role == "manager"`
+        // evaluate against the actual role rather than the user id.
+        const approverId = typeof approver === 'string' ? approver : approver.id;
+        const userContext = typeof approver === 'string'
+            ? { id: approver, role: approver }
+            : { ...approver };
+        const instance = await this.getInstanceRaw(entityName, instanceId);
+        const evalContext = this.buildEvalContext({}, instance, entityName);
+        Object.assign(evalContext, { user: userContext });
+        const policyResult = await this.evaluateExpression(stageSpec.policy, evalContext);
+        if (!policyResult) {
+            throw new Error(`User '${approverId}' is not authorized to approve stage '${stageName}'`);
+        }
+        // Record the grant
+        request.grants.push({
+            stage: stageName,
+            by: approverId,
+            at: this.getNow(),
+        });
+        // Check if all required stages are now satisfied
+        const pendingStages = this.getPendingStages(request, approval);
+        if (pendingStages.length === 0) {
+            request.status = 'granted';
+        }
+        await this.saveApprovalState(key, request);
+        return request;
+    }
+    /**
+     * Deny an approval request.
+     */
+    async denyApproval(entityName, instanceId, approvalName, deniedBy, reason) {
+        const key = this.approvalKey(entityName, instanceId, approvalName);
+        const request = await this.loadApprovalState(key);
+        if (!request) {
+            throw new Error(`No pending approval request for key '${key}'`);
+        }
+        if (request.status !== 'pending') {
+            throw new Error(`Approval '${approvalName}' is not pending (status: ${request.status})`);
+        }
+        request.status = 'denied';
+        request.deniedBy = deniedBy;
+        request.deniedReason = reason;
+        await this.saveApprovalState(key, request);
+        return request;
+    }
+    /**
+     * Expire any pending approvals that have exceeded their timeout.
+     * Approvals with `onTimeout: 'cancel'` are set to 'expired'.
+     * Approvals with `onTimeout: 'escalate'` are flagged but kept pending (future).
+     *
+     * Operates on the in-process request set. In durable mode
+     * (`options.approvalStore` configured), run set-based expiry across all
+     * stored requests via `approvalStore.expire(now)` from a cron/worker; this
+     * synchronous accessor only sees requests this engine has touched.
+     */
+    expireApprovals(now) {
+        const currentTime = now ?? this.getNow();
+        const expired = [];
+        for (const request of this.approvalRequests.values()) {
+            if (request.status !== 'pending' || !request.expiresAt)
+                continue;
+            if (currentTime >= request.expiresAt) {
+                request.status = 'expired';
+                expired.push(request);
+            }
+        }
+        return expired;
+    }
+    /**
+     * Get the current approval request state for an entity instance.
+     */
+    getApprovalRequest(entityName, instanceId, approvalName) {
+        return this.approvalRequests.get(this.approvalKey(entityName, instanceId, approvalName));
+    }
+    static async create(ir, context = {}, options = {}) {
+        const runtime = new RuntimeEngine(ir, context, options);
+        let result = { valid: true };
+        // Default to true in production mode, or if explicitly set
+        const shouldVerify = options.requireValidProvenance ?? isProductionMode();
+        if (shouldVerify) {
+            const isValid = await runtime.verifyIRHash(options.expectedIRHash);
+            result = {
+                valid: isValid,
+                expectedHash: options.expectedIRHash || ir.provenance?.irHash,
+            };
+            if (!isValid) {
+                result.error = 'IR hash verification failed';
+            }
+        }
+        return [runtime, result];
+    }
+}
+//# sourceMappingURL=runtime-engine.js.map