@checkstack/catalog-backend 1.1.6 → 1.3.0

package/CHANGELOG.md

@@ -1,5 +1,162 @@
 # @checkstack/catalog-backend
 
+## 1.3.0
+
+### Minor Changes
+
+- b995afb: Make `catalog-system` and `catalog-group` plugin-backed reactive entities via the Model-B entity state machine.
+
+  Catalog defines a `catalog-system` entity `{ name, description, metadata }` and a `catalog-group` entity `{ name, metadata }`. The `systems` / `groups` tables are BOTH authoritative AND the entities' current-state storage - there is no framework `entity_state` row for a catalog system/group. `defineEntity` is given plugin `read` accessors (`EntityService.getManySystemEntityStates` / `getManyGroupEntityStates`) that project the reactive subsets straight off those tables, and every reactive-state write goes through `handle.mutate` / `handle.remove`: `apply` performs the REAL `systems` / `groups` write (the plugin's own db/tx) and returns the new state; the framework snapshots `prev` via `read` BEFORE the write, appends the transition log, and emits `ENTITY_CHANGED` AFTER the write commits. Covered sites: create-system, update-system, delete-system (tombstone), create-group, update-group, delete-group (tombstone), and the `system.update_metadata` automation action. Create sites pre-generate the id so the handle is keyed on it and the create's `prev` snapshot reads the not-yet-existing row as absent; `EntityService.createSystem` / `createGroup` accept an optional pre-generated `id` (server-owned either way).
+
+  Change -> trigger-event derivers reproduce the existing qualified events (emitting the TRIGGER event ids automations match on, not the dotted hook ids):
+
+  - `catalog-system`: create -> `catalog.created`; tombstone -> `catalog.deleted`; field update -> `catalog.updated`.
+  - `catalog-group`: create -> `catalog.group.created`; tombstone -> `catalog.group.deleted` (a pure group update fires nothing).
+
+  Mirrors are diff-suppressed (a save-with-no-diff stays a no-op). The `catalog.system.*` / `catalog.group.*` cross-plugin hooks are removed in the same effort (see the healthcheck/catalog hook-removal changeset); cross-plugin consumers (incident, dependency, slo, healthcheck) read via `onEntityChanged`.
+
+  BREAKING CHANGES (behavior): none for trigger-event consumers - the same qualified trigger events still fire via the change derivers, and `onEntityChanged` consumers see the same change event. The only observable change is internal: catalog current state is read from the `systems` / `groups` tables instead of `entity_state`, and writes route through the entity handle. The `system.update_metadata` action's race-deleted ("disappeared mid-update") path now drives a no-op entity write (the framework diffs it as no change) before returning failure, instead of skipping the write entirely; no event fires either way.
+
+- b995afb: Close a run-secret masking gap on run-originated catalog entity writes (security).
+
+  `writeCatalogSystemEntity` / `writeCatalogGroupEntity` had no `opts` parameter, so the `system.update_metadata` automation action (which has the dispatch `runId` in scope) could not forward it. Catalog `metadata` is `z.record(z.string(), z.unknown())` — the only reactive catalog field that can carry an arbitrary secret string — so a run-resolved secret merged into metadata would land UNMASKED in both the `entity_transitions` rows and the cluster-wide `ENTITY_CHANGED` event.
+
+  The catalog entity writers now accept `opts?: EntityMutationOpts` and forward it into `handle.mutate` / `handle.remove` (mirroring maintenance/slo), and `system.update_metadata` passes `opts: { runId }`. Run-resolved secrets in metadata are now masked in both the emit and the transition rows.
+
+- b995afb: Remove the now-unused healthcheck + catalog entity hooks; rely on the reactive entities + change derivers (reactive automation engine Phase 4, final step of §10.3 / §10.4).
+
+  Now that every cross-plugin consumer (slo, dependency, incident, and healthcheck's own catalog-cleanup) reads these domains via `onEntityChanged`, the producers stop emitting the entity-change hooks and the trigger registrations become entity-driven (fired by the entity change deriver via Stage-1 routing, with a no-op `setup` so they stay in the editor's trigger catalog).
+
+  - **healthcheck**: stops emitting `healthcheck.system.degraded` / `.healthy` / `.health_changed` from the queue executor (the `health` entity mirror is the single source of truth). Its own `catalog.system.deleted` consumer switched to `onEntityChanged({ kind: "catalog-system" })` on tombstones (work-queue delivery preserved). The directional/umbrella triggers are now entity-driven.
+  - **catalog**: stops emitting `catalog.system.created` / `.updated` / `.deleted` and `catalog.group.created` / `.deleted` from the router + the `system.update_metadata` action (the `catalog-system` / `catalog-group` mirrors are authoritative). The system triggers are now entity-driven.
+
+  CORRECTNESS FIX (also affects the earlier healthcheck/catalog Phase-4 steps in this branch): the change derivers now emit the TRIGGER qualifiedIds that automations actually store in `trigger.event` and that Stage-1 routing matches on (`findEnabledByTriggerEvent`), NOT the dotted hook ids. Healthcheck triggers use underscore ids, so the deriver emits `healthcheck.system_degraded` / `system_healthy` / `system_health_changed` (not `healthcheck.system.degraded`). Catalog system triggers use ids `created`/`updated`/`deleted`, so the deriver emits `catalog.created` / `catalog.updated` / `catalog.deleted` (not `catalog.system.created`). Without this fix the migrated automations would never fire.
+
+  BREAKING CHANGES:
+
+  - `healthcheck.system.degraded` / `healthcheck.system.healthy` / `healthcheck.system.health_changed` cross-plugin hooks are removed. The reactive `health` entity drives the matching trigger events (`healthcheck.system_degraded` / `_healthy` / `_health_changed`), so existing automations keep firing. Kept healthcheck hooks: `assignment.changed`, `check.completed`, `check.failed`, `flapping_detected`.
+  - `catalog.system.created` / `.updated` / `.deleted` and `catalog.group.created` / `.deleted` cross-plugin hooks are removed. The reactive `catalog-system` / `catalog-group` entities drive the matching trigger events (`catalog.created` / `.updated` / `.deleted`); cross-plugin cleanup reactors subscribe to the `catalog-system` tombstone via `onEntityChanged`. `catalogHooks` / `healthCheckHooks` remain exported (the removed members are gone) for a stable import surface.
+
+- b995afb: Restore the documented domain payload fields on entity-driven automation triggers.
+
+  Migrated triggers declare domain-named `payloadSchema`s (incident `incidentId`; health `systemId` / `previousStatus`; catalog `systemId` / `changedFields`; dependency `dependencyId`), but Stage-2 dispatch built `trigger.payload` from the generic entity-change shape (`{ kind, id, prev, next, delta, ...next }`). Operator filters and templates reading `trigger.payload.incidentId` / `.systemId` / `.previousStatus` silently resolved to `undefined` — a regression vs the legacy hook payloads.
+
+  Changes:
+
+  - `@checkstack/automation-backend`: `registerChangeDeriver` now accepts an optional per-kind `toPayload(changed) => Record<string, unknown>` mapper (at most one per kind; a second distinct mapper throws). Stage-2's `changedToPayload` uses the registered mapper to build `trigger.payload` so it matches the kind's declared `payloadSchema`, falling back to the generic change shape for kinds without a mapper. New exported type `EntityChangePayloadMapper`.
+  - `@checkstack/incident-backend`, `@checkstack/healthcheck-backend`, `@checkstack/catalog-backend`, `@checkstack/dependency-backend`: implement and register a `toPayload` for each entity-driven kind so `trigger.payload` carries the legacy domain keys again.
+
+  Descriptive incident payload fields not derivable from the reactive entity state (`title`, `description`, `createdAt`, `resolvedAt`) are now OPTIONAL on the incident trigger `payloadSchema`s — they were always absent from an entity-driven payload.
+
+### Patch Changes
+
+- b995afb: Extract a shared `withEntityWrite` / `withEntityRemove` guard for PLUGIN-BACKED (Model B) reactive entities and refactor the per-domain copies onto it.
+
+  Every plugin-backed domain (incident, catalog, dependency, maintenance, slo, satellite) reimplemented the same "no handle wired → run the plugin write directly; handle wired → route through `handle.mutate` / `handle.remove`" guard, varying only in the id-key name. `@checkstack/automation-backend` now exports `withEntityWrite` / `withEntityRemove` (from the entity barrel) and each domain's thin, well-named wrappers (`writeIncidentEntity`, `writeMaintenanceEntity`, satellite's `mirror`, …) delegate to it, so the branch lives in exactly one place. Behavior is unchanged.
+
+  `writeHealthEntity` (healthcheck-backend) is intentionally NOT migrated onto the helper — it is genuinely bespoke (closure-captured durable state, distinct rethrow-vs-fail-soft branches, a per-system serializer, and it returns the computed state). SLO keeps its fail-soft `onError` wrapper around the shared guard.
+
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [b995afb]
+  - @checkstack/backend-api@0.19.0
+  - @checkstack/automation-backend@0.3.0
+  - @checkstack/gitops-common@0.5.0
+  - @checkstack/gitops-backend@0.4.0
+  - @checkstack/auth-backend@0.4.32
+  - @checkstack/cache-api@0.3.7
+  - @checkstack/command-backend@0.1.32
+  - @checkstack/cache-utils@0.2.12
+
+## 1.2.0
+
+### Minor Changes
+
+- 41c77f4: feat(catalog): system triggers + update_metadata action for the Automation Platform
+
+  Ships the catalog chunk of Phase 9:
+
+  - Triggers: `catalog.created`, `catalog.updated`, `catalog.deleted`
+    — named consistently with the other plugin lifecycle triggers
+    (incident.created, dependency.created, maintenance.created, …).
+    Each carries `contextKey: (p) => p.systemId` so `wait_for_trigger`
+    can resume the right run.
+  - Action: `catalog.update_metadata` — sets or merges metadata on a
+    system (`strategy: "merge" | "replace"`). Default is `merge` so
+    untouched keys survive. Returns a `catalog.system_record` artifact
+    (`systemId`, `systemName`, `metadata`).
+
+  New hook: `catalogHooks.systemUpdated` (`{ systemId, systemName,
+changedFields }`). Emitted from both the `updateSystem` RPC handler
+  and the `update_metadata` automation action so downstream automations
+  and caches see both code paths. Emission is skipped when no tracked
+  field changed (no-op saves don't spam subscribers).
+
+  The `system.health_changed`, `system.set_maintenance`, and
+  `system.clear_maintenance` items in the original Phase 9 plan move to
+  the **healthcheck** and **maintenance** chunks respectively, where the
+  underlying data and RPCs live.
+
+### Patch Changes
+
+- Updated dependencies [e2d6f25]
+- Updated dependencies [41c77f4]
+- Updated dependencies [e1a2077]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [41c77f4]
+- Updated dependencies [6d52276]
+- Updated dependencies [6d52276]
+- Updated dependencies [35bc682]
+  - @checkstack/automation-backend@0.2.0
+  - @checkstack/common@0.12.0
+  - @checkstack/backend-api@0.18.0
+  - @checkstack/catalog-common@2.2.3
+  - @checkstack/auth-backend@0.4.31
+  - @checkstack/auth-common@0.7.2
+  - @checkstack/command-backend@0.1.31
+  - @checkstack/gitops-backend@0.3.7
+  - @checkstack/gitops-common@0.4.2
+  - @checkstack/notification-common@1.2.1
+  - @checkstack/cache-api@0.3.6
+  - @checkstack/cache-utils@0.2.11
+
 ## 1.1.6
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/catalog-backend",
-  "version": "1.1.6",
+  "version": "1.3.0",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -11,29 +11,32 @@
     "typecheck": "tsgo -b",
     "generate": "drizzle-kit generate",
     "lint": "bun run lint:code",
-    "lint:code": "eslint . --max-warnings 0"
+    "lint:code": "eslint . --max-warnings 0",
+    "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.17.0",
-    "@checkstack/cache-api": "0.3.4",
-    "@checkstack/cache-utils": "0.2.9",
-    "@checkstack/auth-common": "0.7.1",
-    "@checkstack/catalog-common": "2.2.2",
-    "@checkstack/command-backend": "0.1.29",
-    "@checkstack/auth-backend": "0.4.29",
-    "@checkstack/gitops-backend": "0.3.5",
-    "@checkstack/gitops-common": "0.4.1",
-    "@checkstack/notification-common": "1.2.0",
+    "@checkstack/backend-api": "0.18.0",
+    "@checkstack/automation-backend": "0.2.0",
+    "@checkstack/cache-api": "0.3.6",
+    "@checkstack/cache-utils": "0.2.11",
+    "@checkstack/auth-common": "0.7.2",
+    "@checkstack/catalog-common": "2.2.3",
+    "@checkstack/command-backend": "0.1.31",
+    "@checkstack/auth-backend": "0.4.31",
+    "@checkstack/gitops-backend": "0.3.7",
+    "@checkstack/gitops-common": "0.4.2",
+    "@checkstack/notification-common": "1.2.1",
     "@orpc/server": "^1.13.2",
     "drizzle-orm": "^0.45.0",
     "hono": "^4.12.14",
     "uuid": "^14.0.0",
     "zod": "^4.2.1",
-    "@checkstack/common": "0.11.0"
+    "@checkstack/common": "0.12.0"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/scripts": "0.3.3",
+    "@checkstack/scripts": "0.3.4",
+    "@checkstack/test-utils-backend": "0.1.31",
     "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.3.5",
     "@types/node": "^20.0.0",

package/src/automations.test.ts

@@ -0,0 +1,442 @@
+/**
+ * Behaviour tests for the catalog automation triggers + actions.
+ *
+ * The triggers are dataclasses (id, payloadSchema, hook, contextKey),
+ * so we lock down their payload validation + contextKey extraction.
+ * The `update_metadata` action carries the real behaviour: shallow
+ * merge vs. replace, cache invalidation, hook emission, the
+ * "missing system" failure path, and the "race-deleted mid-update"
+ * failure path.
+ */
+import { describe, expect, it, mock } from "bun:test";
+import type { Logger } from "@checkstack/backend-api";
+import { createMockLogger } from "@checkstack/test-utils-backend";
+
+import {
+  catalogTriggers,
+  createCatalogActions,
+  systemCreatedTrigger,
+  systemDeletedTrigger,
+  systemRecordArtifactType,
+  systemUpdatedTrigger,
+} from "./automations";
+import type { EntityService } from "./services/entity-service";
+import type { createCatalogCache } from "./cache";
+
+const logger = createMockLogger() as Logger;
+
+const ctxBase = {
+  runId: "run-1",
+  automationId: "auto-1",
+  contextKey: null,
+  logger,
+  getService: async <T,>(): Promise<T> => {
+    throw new Error("not used");
+  },
+};
+
+// ─── Triggers ──────────────────────────────────────────────────────────
+
+describe("catalog triggers", () => {
+  it("exposes three triggers in a stable order", () => {
+    expect(catalogTriggers).toHaveLength(3);
+    expect(catalogTriggers[0]).toBe(
+      systemCreatedTrigger as (typeof catalogTriggers)[number],
+    );
+    expect(catalogTriggers[1]).toBe(
+      systemUpdatedTrigger as (typeof catalogTriggers)[number],
+    );
+    expect(catalogTriggers[2]).toBe(
+      systemDeletedTrigger as (typeof catalogTriggers)[number],
+    );
+  });
+
+  it("validates the systemCreated payload + extracts systemId as contextKey", () => {
+    const payload = { systemId: "sys-1", systemName: "API" };
+    const parsed = systemCreatedTrigger.payloadSchema.safeParse(payload);
+    expect(parsed.success).toBe(true);
+    expect(systemCreatedTrigger.contextKey?.(payload)).toBe("sys-1");
+    // Entity-driven now (§10.4): no hook, a no-op setup keeps it in the
+    // editor catalog; the `catalog-system` deriver fires `catalog.created`.
+    expect(systemCreatedTrigger.hook).toBeUndefined();
+    expect(typeof systemCreatedTrigger.setup).toBe("function");
+  });
+
+  it("requires changedFields on the systemUpdated payload", () => {
+    const ok = systemUpdatedTrigger.payloadSchema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+      changedFields: ["metadata"],
+    });
+    expect(ok.success).toBe(true);
+
+    const bad = systemUpdatedTrigger.payloadSchema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+    });
+    expect(bad.success).toBe(false);
+
+    const badEnum = systemUpdatedTrigger.payloadSchema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+      changedFields: ["unknown_field"],
+    });
+    expect(badEnum.success).toBe(false);
+  });
+
+  it("accepts an optional systemName on the systemDeleted payload", () => {
+    const withName = systemDeletedTrigger.payloadSchema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+    });
+    const withoutName = systemDeletedTrigger.payloadSchema.safeParse({
+      systemId: "sys-1",
+    });
+    expect(withName.success).toBe(true);
+    expect(withoutName.success).toBe(true);
+  });
+});
+
+// ─── Artifact type ─────────────────────────────────────────────────────
+
+describe("systemRecordArtifactType", () => {
+  it("validates the canonical artifact shape", () => {
+    const ok = systemRecordArtifactType.schema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+      metadata: { tier: "gold" },
+    });
+    expect(ok.success).toBe(true);
+  });
+
+  it("rejects when metadata is missing", () => {
+    const bad = systemRecordArtifactType.schema.safeParse({
+      systemId: "sys-1",
+      systemName: "API",
+    });
+    expect(bad.success).toBe(false);
+  });
+});
+
+// ─── Action: system.update_metadata ────────────────────────────────────
+
+interface FakeSystemRow {
+  id: string;
+  name: string;
+  description?: string | null;
+  metadata: Record<string, unknown> | null;
+}
+
+interface ActionFixture {
+  service: EntityService;
+  cache: ReturnType<typeof createCatalogCache>;
+  mutateMock: ReturnType<typeof mock>;
+  /** Reactive states returned by each `apply()` the action drove. */
+  mutateResults: unknown[];
+  getSystemEntity: () => never;
+  updateSystemMock: ReturnType<typeof mock>;
+  getSystemMock: ReturnType<typeof mock>;
+  invalidateTopologyMock: ReturnType<typeof mock>;
+}
+
+function makeFixture(args: {
+  initialRow: FakeSystemRow | undefined;
+  /**
+   * If set, updateSystem returns this value instead of the merged
+   * row. Use `{ value: undefined }` to simulate a race-deleted row.
+   * Omit to get the default "merge + return updated row" behaviour.
+   */
+  updateResult?: { value: FakeSystemRow | undefined };
+}): ActionFixture {
+  let row = args.initialRow ? { ...args.initialRow } : undefined;
+  const getSystemMock = mock(async (_id: string) => row);
+  const updateSystemMock = mock(
+    async (id: string, data: { metadata?: Record<string, unknown> }) => {
+      if (args.updateResult) return args.updateResult.value;
+      if (row) {
+        row = { ...row, metadata: data.metadata ?? row.metadata };
+        return row;
+      }
+      return undefined;
+    },
+  );
+  const service = {
+    getSystem: getSystemMock,
+    updateSystem: updateSystemMock,
+  } as unknown as EntityService;
+
+  const invalidateTopologyMock = mock(async () => {});
+  const cache = {
+    invalidateTopology: invalidateTopologyMock,
+    // Other cache methods aren't exercised by the action; cast to the
+    // full shape so the factory's deps typecheck.
+    invalidateContacts: mock(async () => {}),
+  } as unknown as ReturnType<typeof createCatalogCache>;
+
+  // The action now drives its write through `handle.mutate({ id, apply })`:
+  // it runs `apply()` (the real `updateSystem`) once and records the id + the
+  // resulting reactive state, mirroring the framework handle.
+  const mutateResults: unknown[] = [];
+  const mutateMock = mock(
+    async (input: {
+      id: string;
+      opts?: { runId?: string };
+      apply: () => Promise<unknown>;
+    }) => {
+      const next = await input.apply();
+      mutateResults.push(next);
+      return next;
+    },
+  );
+  const getSystemEntity = () =>
+    ({ kind: "catalog-system", mutate: mutateMock }) as never;
+
+  return {
+    service,
+    cache,
+    mutateMock,
+    mutateResults,
+    getSystemEntity,
+    updateSystemMock,
+    getSystemMock,
+    invalidateTopologyMock,
+  };
+}
+
+describe("catalog.system.update_metadata", () => {
+  it("shallow-merges by default and preserves untouched keys", async () => {
+    const fx = makeFixture({
+      initialRow: {
+        id: "sys-1",
+        name: "API",
+        metadata: { tier: "gold", region: "eu-central-1" },
+      },
+    });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    const result = await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "sys-1",
+        strategy: "merge",
+        metadata: { tier: "platinum", owner: "platform" },
+      } as never,
+    });
+
+    expect(result.success).toBe(true);
+    if (!result.success) return;
+    const artifact = result.artifact as {
+      metadata: Record<string, unknown>;
+    };
+    expect(artifact.metadata).toEqual({
+      tier: "platinum",
+      region: "eu-central-1",
+      owner: "platform",
+    });
+
+    // Service was called with the merged metadata, not the partial config.
+    expect(fx.updateSystemMock).toHaveBeenCalledTimes(1);
+    const updateCall = fx.updateSystemMock.mock.calls[0]!;
+    expect(updateCall[0]).toBe("sys-1");
+    expect((updateCall[1] as { metadata: Record<string, unknown> }).metadata)
+      .toEqual({
+        tier: "platinum",
+        region: "eu-central-1",
+        owner: "platform",
+      });
+
+    expect(fx.invalidateTopologyMock).toHaveBeenCalledTimes(1);
+    // The old `systemUpdated` hook emission was replaced by driving the edit
+    // through the reactive `catalog-system` entity via `handle.mutate` (§10.4):
+    // the handle is keyed by system id, and `apply` returns the resulting
+    // reactive state.
+    expect(fx.mutateMock).toHaveBeenCalledTimes(1);
+    const mutateCall = fx.mutateMock.mock.calls[0]![0] as { id: string };
+    expect(mutateCall.id).toBe("sys-1");
+    expect(fx.mutateResults[0]).toEqual({
+      name: "API",
+      description: null,
+      metadata: {
+        tier: "platinum",
+        region: "eu-central-1",
+        owner: "platform",
+      },
+    });
+  });
+
+  // Fix 3 (security): the action resolves config (including `metadata` values)
+  // against the run scope, which can contain run-resolved secrets. It MUST pass
+  // `opts: { runId }` into the entity write so the framework handle masks any
+  // such secret in the `entity_transitions` rows + the cluster-wide
+  // `ENTITY_CHANGED` (the masking itself is proven end-to-end in
+  // automation-backend's mutate-handle masking test).
+  it("forwards the dispatch runId to handle.mutate (secret-masking choke point)", async () => {
+    const fx = makeFixture({
+      initialRow: { id: "sys-1", name: "API", metadata: {} },
+    });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "sys-1",
+        strategy: "merge",
+        metadata: { token: "resolved-secret-value" },
+      } as never,
+    });
+
+    expect(fx.mutateMock).toHaveBeenCalledTimes(1);
+    const mutateCall = fx.mutateMock.mock.calls[0]![0] as {
+      opts?: { runId?: string };
+    };
+    expect(mutateCall.opts?.runId).toBe("run-1");
+  });
+
+  it("replaces the whole metadata object when strategy=replace", async () => {
+    const fx = makeFixture({
+      initialRow: {
+        id: "sys-1",
+        name: "API",
+        metadata: { tier: "gold", region: "eu-central-1" },
+      },
+    });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    const result = await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "sys-1",
+        strategy: "replace",
+        metadata: { owner: "platform" },
+      } as never,
+    });
+
+    expect(result.success).toBe(true);
+    if (!result.success) return;
+    const artifact = result.artifact as {
+      metadata: Record<string, unknown>;
+    };
+    expect(artifact.metadata).toEqual({ owner: "platform" });
+
+    const updateCall = fx.updateSystemMock.mock.calls[0]!;
+    expect((updateCall[1] as { metadata: Record<string, unknown> }).metadata)
+      .toEqual({ owner: "platform" });
+  });
+
+  it("treats a null existing metadata as an empty object when merging", async () => {
+    const fx = makeFixture({
+      initialRow: {
+        id: "sys-1",
+        name: "API",
+        metadata: null,
+      },
+    });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    const result = await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "sys-1",
+        strategy: "merge",
+        metadata: { tier: "gold" },
+      } as never,
+    });
+
+    expect(result.success).toBe(true);
+    if (!result.success) return;
+    const artifact = result.artifact as {
+      metadata: Record<string, unknown>;
+    };
+    expect(artifact.metadata).toEqual({ tier: "gold" });
+  });
+
+  it("returns failure when the target system does not exist", async () => {
+    const fx = makeFixture({ initialRow: undefined });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    const result = await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "missing",
+        strategy: "merge",
+        metadata: { tier: "gold" },
+      } as never,
+    });
+
+    expect(result.success).toBe(false);
+    if (result.success) return;
+    expect(result.error).toMatch(/System not found/);
+    expect(fx.updateSystemMock).not.toHaveBeenCalled();
+    expect(fx.invalidateTopologyMock).not.toHaveBeenCalled();
+    // The probe failed, so no entity write was driven.
+    expect(fx.mutateMock).not.toHaveBeenCalled();
+  });
+
+  it("returns failure if updateSystem returns undefined (race-deleted mid-update)", async () => {
+    const fx = makeFixture({
+      initialRow: {
+        id: "sys-1",
+        name: "API",
+        metadata: {},
+      },
+      // Simulate a race: getSystem found the row, but updateSystem
+      // returned `undefined` (the row was deleted between the two
+      // queries).
+      updateResult: { value: undefined },
+    });
+    const [action] = createCatalogActions({
+      entityService: fx.service,
+      cache: fx.cache,
+      getSystemEntity: fx.getSystemEntity,
+    });
+
+    const result = await action!.execute({
+      ...ctxBase,
+      consumedArtifacts: {},
+      config: {
+        systemId: "sys-1",
+        strategy: "merge",
+        metadata: { tier: "gold" },
+      } as never,
+    });
+
+    expect(result.success).toBe(false);
+    if (result.success) return;
+    expect(result.error).toMatch(/disappeared mid-update/);
+    expect(fx.invalidateTopologyMock).not.toHaveBeenCalled();
+    // The probe found the row, so the write was driven — but `apply` fell
+    // back to the pre-write state, so the framework handle would diff it as a
+    // no-op (no spurious `catalog.updated`). The action still reports failure.
+    expect(fx.mutateMock).toHaveBeenCalledTimes(1);
+    expect(fx.mutateResults[0]).toEqual({
+      name: "API",
+      description: null,
+      metadata: {},
+    });
+  });
+});