@objectstack/metadata-protocol 11.1.0

package/dist/index.cjs

@@ -0,0 +1,4855 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } async function _asyncNullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return await rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+var _chunkJRNTUZG6cjs = require('./chunk-JRNTUZG6.cjs');
+
+
+var _chunk7LOFAEHAcjs = require('./chunk-7LOFAEHA.cjs');
+
+// src/protocol.ts
+var _types = require('@objectstack/types');
+
+// src/sys-metadata-repository.ts
+var _metadatacore = require('@objectstack/metadata-core');
+
+var _kernel = require('@objectstack/spec/kernel');
+var _shared = require('@objectstack/spec/shared');
+var OVERLAY_ALLOWED_TYPES = new Set(
+  _kernel.DEFAULT_METADATA_TYPE_REGISTRY.filter((e) => e.allowOrgOverride).map((e) => e.type)
+);
+var STATIC_REGISTRY_TYPES = new Set(
+  _kernel.DEFAULT_METADATA_TYPE_REGISTRY.map((e) => e.type)
+);
+var RUNTIME_CREATE_ALLOWED_TYPES = new Set(
+  _kernel.DEFAULT_METADATA_TYPE_REGISTRY.filter((e) => e.allowRuntimeCreate).map((e) => e.type)
+);
+var _envWritableMetadataTypes = null;
+function envWritableMetadataTypes() {
+  if (_envWritableMetadataTypes !== null) return _envWritableMetadataTypes;
+  const raw = _types.readEnvWithDeprecation.call(void 0, "OS_METADATA_WRITABLE", []) || "";
+  const set = /* @__PURE__ */ new Set();
+  for (const tok of raw.split(",")) {
+    const t = tok.trim();
+    if (!t) continue;
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[t], () => ( t));
+    set.add(singular);
+    const plural = _shared.SINGULAR_TO_PLURAL[singular];
+    if (plural) set.add(plural);
+  }
+  _envWritableMetadataTypes = set;
+  return set;
+}
+function resetEnvWritableMetadataTypes() {
+  _envWritableMetadataTypes = null;
+}
+var SysMetadataRepository = class {
+  constructor(opts) {
+    /**
+     * Local seq counter for in-memory watch() event broadcasts. Mirrors
+     * the durable `event_seq` we write into `sys_metadata_history` on
+     * each successful put/delete — assigned AFTER the transaction commits
+     * so we never broadcast events that got rolled back.
+     */
+    this.seqCounter = 0;
+    this.watchers = /* @__PURE__ */ new Set();
+    this.closed = false;
+    /** Table name for the durable event log. */
+    this.historyTable = "sys_metadata_history";
+    this.engine = opts.engine;
+    this.organizationId = _nullishCoalesce(opts.organizationId, () => ( null));
+    this.orgLabel = _nullishCoalesce(opts.orgLabel, () => ( (_nullishCoalesce(opts.organizationId, () => ( "system")))));
+  }
+  /**
+   * Run `cb` inside `engine.transaction(...)` if the engine supports it,
+   * otherwise fall through to a direct call. Matches the real
+   * `ObjectQL.transaction` semantics — in-memory drivers (and our test
+   * fakes) get no rollback, which is acceptable because production
+   * always runs on a SQL driver with real ACID.
+   */
+  async withTxn(cb) {
+    if (typeof this.engine.transaction === "function") {
+      return this.engine.transaction(cb);
+    }
+    return cb(void 0);
+  }
+  /**
+   * Read the current overlay row. Returns null if no row exists —
+   * callers (e.g. LayeredRepository) fall through to lower layers.
+   *
+   * `opts.state` selects which lifecycle row to read: defaults to the
+   * live published row (`'active'`). Pass `'draft'` to read the pending
+   * unpublished revision (if any).
+   */
+  async get(ref, opts) {
+    this.assertOpen();
+    const state = _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _ => _.state]), () => ( "active"));
+    const row = await this.engine.findOne("sys_metadata", {
+      where: this.whereFor(ref, state, opts && "packageId" in opts ? _nullishCoalesce(opts.packageId, () => ( null)) : void 0)
+    });
+    if (!row) return null;
+    return this.rowToItem(ref, row);
+  }
+  /**
+   * Resolve a historical version by content hash (ADR-0009).
+   *
+   * Looks up `sys_metadata_history` by `(organization_id, type, name,
+   * checksum)`. Returns null if no row matches. `executionPinned` types
+   * are guaranteed to find their body here because history GC skips
+   * them.
+   */
+  async getByHash(ref, hash) {
+    this.assertOpen();
+    const full = this.fullRef(ref);
+    const row = await this.engine.findOne(this.historyTable, {
+      where: {
+        organization_id: this.organizationId,
+        type: full.type,
+        name: full.name,
+        checksum: hash
+      }
+    });
+    if (!row) return null;
+    const rawBody = row.metadata;
+    if (rawBody === null || rawBody === void 0) {
+      return null;
+    }
+    const body = typeof rawBody === "string" ? JSON.parse(rawBody) : rawBody;
+    return {
+      ref: { ...full, version: void 0 },
+      body,
+      hash,
+      parentHash: _nullishCoalesce(row.previous_checksum, () => ( null)),
+      authoredBy: _nullishCoalesce(row.recorded_by, () => ( "unknown")),
+      authoredAt: _nullishCoalesce(row.recorded_at, () => ( (/* @__PURE__ */ new Date(0)).toISOString())),
+      message: _nullishCoalesce(row.change_note, () => ( void 0)),
+      seq: _nullishCoalesce(row.event_seq, () => ( 0))
+    };
+  }
+  async put(ref, spec, opts) {
+    this.assertOpen();
+    this.assertAllowed(ref.type, opts.intent);
+    const state = _nullishCoalesce(opts.state, () => ( "active"));
+    const body = _nullishCoalesce(spec, () => ( {}));
+    const hash = _metadatacore.hashSpec.call(void 0, body);
+    const result = await this.withTxn(async (ctx) => {
+      const existing = await this.engine.findOne("sys_metadata", {
+        where: this.whereFor(ref, state, _nullishCoalesce(opts.packageId, () => ( null))),
+        context: ctx
+      });
+      const existingHash = _nullishCoalesce(_optionalChain([existing, 'optionalAccess', _2 => _2.checksum]), () => ( null));
+      if (opts.parentVersion !== existingHash) {
+        throw new (0, _metadatacore.ConflictError)(this.fullRef(ref), opts.parentVersion, existingHash);
+      }
+      if (existing && existingHash === hash) {
+        const item2 = this.rowToItem(ref, existing);
+        return { skipped: true, version: hash, seq: item2.seq, item: item2 };
+      }
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const baseOp = existing ? "update" : "create";
+      const op = _nullishCoalesce(opts.opType, () => ( baseOp));
+      const version = await this.nextItemVersion(ref, ctx);
+      const eventSeq = await this.nextEventSeq(ctx);
+      const parentRowData = {
+        type: ref.type,
+        name: ref.name,
+        organization_id: this.organizationId,
+        metadata: JSON.stringify(body),
+        checksum: hash,
+        state,
+        version,
+        updated_at: now
+      };
+      if (existing) {
+        const existingPkg = _nullishCoalesce(existing.package_id, () => ( null));
+        parentRowData.package_id = _nullishCoalesce(_nullishCoalesce(existingPkg, () => ( opts.packageId)), () => ( null));
+      } else {
+        parentRowData.package_id = _nullishCoalesce(opts.packageId, () => ( null));
+      }
+      if (existing) {
+        const existingId = existing.id;
+        if (existingId === void 0) {
+          throw new Error(
+            `SysMetadataRepository.put: existing row for ${ref.type}/${ref.name} has no id column`
+          );
+        }
+        await this.engine.update("sys_metadata", parentRowData, {
+          where: { id: existingId },
+          context: ctx
+        });
+      } else {
+        parentRowData.created_at = now;
+        await this.engine.insert("sys_metadata", parentRowData, { context: ctx });
+      }
+      await this.engine.insert(
+        this.historyTable,
+        {
+          id: this.uuid(),
+          event_seq: eventSeq,
+          type: ref.type,
+          name: ref.name,
+          version,
+          operation_type: op,
+          metadata: JSON.stringify(body),
+          checksum: hash,
+          previous_checksum: existingHash,
+          change_note: opts.message,
+          source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo")),
+          organization_id: this.organizationId,
+          recorded_by: opts.actor,
+          recorded_at: now
+        },
+        { context: ctx }
+      );
+      const item = {
+        ref: this.fullRef(ref),
+        body,
+        hash,
+        parentHash: existingHash,
+        authoredBy: opts.actor,
+        authoredAt: now,
+        message: opts.message,
+        seq: eventSeq
+      };
+      return {
+        skipped: false,
+        version: hash,
+        seq: eventSeq,
+        item,
+        op,
+        existingHash,
+        now,
+        source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo")),
+        message: opts.message,
+        actor: opts.actor
+      };
+    });
+    if (result.skipped) {
+      return { version: result.version, seq: result.seq, item: result.item };
+    }
+    this.seqCounter = result.seq;
+    if (state === "active") {
+      this.broadcast({
+        seq: result.seq,
+        op: result.op,
+        ref: this.fullRef(ref),
+        hash: result.version,
+        parentHash: result.existingHash,
+        actor: result.actor,
+        message: result.message,
+        ts: result.now,
+        source: result.source
+      });
+    }
+    return { version: result.version, seq: result.seq, item: result.item };
+  }
+  async delete(ref, opts) {
+    this.assertOpen();
+    this.assertAllowed(ref.type, opts.intent);
+    const state = _nullishCoalesce(opts.state, () => ( "active"));
+    const result = await this.withTxn(async (ctx) => {
+      const existing = await this.engine.findOne("sys_metadata", {
+        where: this.whereFor(ref, state),
+        context: ctx
+      });
+      if (!existing) {
+        throw new (0, _metadatacore.ConflictError)(this.fullRef(ref), opts.parentVersion, null);
+      }
+      const existingHash = _nullishCoalesce(existing.checksum, () => ( null));
+      if (opts.parentVersion !== existingHash) {
+        throw new (0, _metadatacore.ConflictError)(this.fullRef(ref), opts.parentVersion, existingHash);
+      }
+      const existingId = existing.id;
+      if (existingId === void 0) {
+        throw new Error(
+          `SysMetadataRepository.delete: existing row for ${ref.type}/${ref.name} has no id column`
+        );
+      }
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      let version = 0;
+      let eventSeq = 0;
+      if (state === "active") {
+        version = await this.nextItemVersion(ref, ctx);
+        eventSeq = await this.nextEventSeq(ctx);
+      }
+      await this.engine.delete("sys_metadata", {
+        where: { id: existingId },
+        context: ctx
+      });
+      if (state === "active") {
+        await this.engine.insert(
+          this.historyTable,
+          {
+            id: this.uuid(),
+            event_seq: eventSeq,
+            type: ref.type,
+            name: ref.name,
+            version,
+            operation_type: "delete",
+            metadata: null,
+            checksum: null,
+            previous_checksum: existingHash,
+            change_note: opts.message,
+            source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo")),
+            organization_id: this.organizationId,
+            recorded_by: opts.actor,
+            recorded_at: now
+          },
+          { context: ctx }
+        );
+      }
+      return {
+        eventSeq,
+        existingHash,
+        now,
+        source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo")),
+        message: opts.message,
+        actor: opts.actor
+      };
+    });
+    if (state === "active") {
+      this.seqCounter = result.eventSeq;
+      this.broadcast({
+        seq: result.eventSeq,
+        op: "delete",
+        ref: this.fullRef(ref),
+        hash: null,
+        parentHash: result.existingHash,
+        actor: result.actor,
+        message: result.message,
+        ts: result.now,
+        source: result.source
+      });
+    }
+    return { seq: result.eventSeq };
+  }
+  /**
+   * Promote the pending draft row for `ref` into the live (`active`)
+   * overlay. Atomic: reads the draft inside the same transaction, runs
+   * the canonical `put` to upsert the active row (which appends a
+   * history event with `operation_type='publish'`), then deletes the
+   * draft row.
+   *
+   * Errors if no draft exists (callers should 404). The active row's
+   * `parentVersion` is computed from the current active hash so this
+   * also surfaces optimistic-lock conflicts when something else has
+   * published in between (e.g. another admin reverted to an older
+   * version since the draft was authored).
+   */
+  async promoteDraft(ref, opts) {
+    this.assertOpen();
+    const draftRow = await this.engine.findOne("sys_metadata", {
+      where: this.whereFor(ref, "draft")
+    });
+    if (!draftRow) {
+      const err = new Error(
+        `[no_draft] No pending draft exists for ${ref.type}/${ref.name} \u2014 nothing to publish.`
+      );
+      err.code = "no_draft";
+      err.status = 404;
+      throw err;
+    }
+    const draftPackageId = _nullishCoalesce(draftRow.package_id, () => ( null));
+    const draft = this.rowToItem(ref, draftRow);
+    const currentActive = await this.get(ref, { state: "active", packageId: draftPackageId });
+    const result = await this.put(ref, draft.body, {
+      parentVersion: _nullishCoalesce(_optionalChain([currentActive, 'optionalAccess', _3 => _3.hash]), () => ( null)),
+      actor: opts.actor,
+      source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo.publish")),
+      message: _nullishCoalesce(opts.message, () => ( `publish draft (hash ${draft.hash})`)),
+      intent: _nullishCoalesce(opts.intent, () => ( "override-artifact")),
+      state: "active",
+      opType: "publish",
+      packageId: draftPackageId
+    });
+    try {
+      await this.delete(ref, {
+        parentVersion: draft.hash,
+        actor: opts.actor,
+        source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo.publish")),
+        intent: _nullishCoalesce(opts.intent, () => ( "override-artifact")),
+        state: "draft"
+      });
+    } catch (e2) {
+    }
+    return result;
+  }
+  /**
+   * Restore the body recorded in history at `targetVersion` (per-org
+   * lineage counter) as the new active row. Writes a history event
+   * with `operation_type='revert'` so the audit trail captures the
+   * intent. Does NOT touch any draft row.
+   *
+   * Throws `[version_not_found]` (404) if the target version row is
+   * missing or is a delete tombstone (no body to restore).
+   */
+  async restoreVersion(ref, targetVersion, opts) {
+    this.assertOpen();
+    const full = this.fullRef(ref);
+    const row = await this.engine.findOne(this.historyTable, {
+      where: {
+        organization_id: this.organizationId,
+        type: full.type,
+        name: full.name,
+        version: targetVersion
+      }
+    });
+    if (!row) {
+      const err = new Error(
+        `[version_not_found] No history row at version ${targetVersion} for ${ref.type}/${ref.name}.`
+      );
+      err.code = "version_not_found";
+      err.status = 404;
+      throw err;
+    }
+    const raw = row.metadata;
+    if (raw === null || raw === void 0) {
+      const err = new Error(
+        `[version_not_restorable] Version ${targetVersion} for ${ref.type}/${ref.name} is a delete tombstone \u2014 nothing to restore.`
+      );
+      err.code = "version_not_restorable";
+      err.status = 409;
+      throw err;
+    }
+    const body = typeof raw === "string" ? JSON.parse(raw) : raw;
+    const currentActive = await this.get(ref, { state: "active" });
+    return this.put(ref, body, {
+      parentVersion: _nullishCoalesce(_optionalChain([currentActive, 'optionalAccess', _4 => _4.hash]), () => ( null)),
+      actor: opts.actor,
+      source: _nullishCoalesce(opts.source, () => ( "sys-metadata-repo.revert")),
+      message: _nullishCoalesce(opts.message, () => ( `revert to version ${targetVersion}`)),
+      intent: _nullishCoalesce(opts.intent, () => ( "override-artifact")),
+      state: "active",
+      opType: "revert"
+    });
+  }
+  async *list(filter) {
+    this.assertOpen();
+    const where = {
+      organization_id: this.organizationId,
+      state: "active"
+    };
+    if (filter.type) where.type = filter.type;
+    const rows = await this.engine.find("sys_metadata", {
+      where,
+      limit: filter.limit
+    });
+    for (const row of rows) {
+      if (filter.nameContains && !String(row.name).includes(filter.nameContains)) continue;
+      const item = this.rowToItem(
+        { ...this.fullRef({ type: row.type, name: row.name }) },
+        row
+      );
+      const { body, ...header } = item;
+      yield header;
+    }
+  }
+  /**
+   * List pending DRAFT rows (ADR-0033) for this org, optionally narrowed by
+   * `type` and/or `packageId`. Unlike {@link list} (which is hard-scoped to
+   * `state='active'`), this reads `state='draft'` so the console can surface
+   * what an AI authored but a human hasn't published yet. Returns a light
+   * header projection (no body) suitable for a "pending changes" list.
+   */
+  async listDrafts(filter) {
+    this.assertOpen();
+    const where = { state: "draft" };
+    if (this.organizationId != null) {
+      where.$or = [
+        { organization_id: this.organizationId },
+        { organization_id: null }
+      ];
+    } else {
+      where.organization_id = null;
+    }
+    if (_optionalChain([filter, 'optionalAccess', _5 => _5.type])) where.type = filter.type;
+    if (_optionalChain([filter, 'optionalAccess', _6 => _6.packageId])) where.package_id = filter.packageId;
+    const rows = await this.engine.find("sys_metadata", { where });
+    return rows.map((row) => ({
+      type: row.type,
+      name: row.name,
+      packageId: _nullishCoalesce(row.package_id, () => ( null)),
+      updatedAt: _nullishCoalesce(_nullishCoalesce(row.updated_at, () => ( row.created_at)), () => ( null)),
+      updatedBy: _nullishCoalesce(_nullishCoalesce(row.updated_by, () => ( row.created_by)), () => ( null))
+    }));
+  }
+  /**
+   * Yield every history event for `(org, type?, name?)` from the
+   * durable log, ordered by per-(type,name) `version` ascending. When
+   * `filter.type`/`filter.name` are unset the consumer gets the full
+   * org-scoped event stream — still ordered by version within each
+   * (type,name) bucket, then by `recorded_at` across buckets (we sort
+   * client-side because the test engine doesn't honor `orderBy`).
+   */
+  async *history(ref, opts) {
+    this.assertOpen();
+    const full = this.fullRef(ref);
+    const where = {
+      organization_id: this.organizationId,
+      type: full.type,
+      name: full.name
+    };
+    const rows = await this.engine.find(this.historyTable, { where });
+    rows.sort((a, b) => {
+      const va = typeof a.event_seq === "number" ? a.event_seq : 0;
+      const vb = typeof b.event_seq === "number" ? b.event_seq : 0;
+      return va - vb;
+    });
+    let yielded = 0;
+    for (const row of rows) {
+      if (_optionalChain([opts, 'optionalAccess', _7 => _7.sinceSeq]) !== void 0 && (_nullishCoalesce(row.event_seq, () => ( 0))) <= opts.sinceSeq) continue;
+      if (_optionalChain([opts, 'optionalAccess', _8 => _8.limit]) !== void 0 && yielded >= opts.limit) break;
+      yielded++;
+      yield {
+        seq: _nullishCoalesce(row.event_seq, () => ( 0)),
+        op: _nullishCoalesce(row.operation_type, () => ( "update")),
+        ref: full,
+        hash: _nullishCoalesce(row.checksum, () => ( null)),
+        parentHash: _nullishCoalesce(row.previous_checksum, () => ( null)),
+        version: typeof row.version === "number" ? row.version : void 0,
+        actor: _nullishCoalesce(row.recorded_by, () => ( "unknown")),
+        message: _nullishCoalesce(row.change_note, () => ( void 0)),
+        ts: _nullishCoalesce(row.recorded_at, () => ( (/* @__PURE__ */ new Date(0)).toISOString())),
+        source: _nullishCoalesce(row.source, () => ( "sys-metadata-repo"))
+      };
+    }
+  }
+  /**
+   * Live event stream. Fires for every successful put/delete on THIS
+   * instance — cross-replica fan-out is M1. Manual AsyncIterator (not
+   * an async generator) so we can deterministically tear down via
+   * `iter.return()`, matching the pattern used by InMemoryRepository.
+   */
+  watch(filter, since) {
+    const self = this;
+    return {
+      [Symbol.asyncIterator]: () => {
+        const queue = [];
+        let pendingResolve = null;
+        let stopped = false;
+        const dispatch = (evt) => {
+          if (stopped) return;
+          if (!self.matchesFilter(evt, filter)) return;
+          if (since !== void 0 && evt.seq <= since) return;
+          if (pendingResolve) {
+            const r = pendingResolve;
+            pendingResolve = null;
+            r({ value: evt, done: false });
+          } else {
+            queue.push(evt);
+          }
+        };
+        self.watchers.add(dispatch);
+        return {
+          next() {
+            if (stopped) return Promise.resolve({ value: void 0, done: true });
+            const buffered = queue.shift();
+            if (buffered) return Promise.resolve({ value: buffered, done: false });
+            return new Promise((resolve) => {
+              pendingResolve = resolve;
+            });
+          },
+          return() {
+            stopped = true;
+            self.watchers.delete(dispatch);
+            if (pendingResolve) {
+              const r = pendingResolve;
+              pendingResolve = null;
+              r({ value: void 0, done: true });
+            }
+            return Promise.resolve({ value: void 0, done: true });
+          }
+        };
+      }
+    };
+  }
+  /** Shut down all watch iterators. */
+  close() {
+    this.closed = true;
+    const snapshot = Array.from(this.watchers);
+    for (const w of snapshot) {
+      try {
+        w({
+          seq: -1,
+          op: "delete",
+          ref: { org: "", type: "view", name: "_close" },
+          hash: null,
+          parentHash: null,
+          actor: "system",
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          source: "sys-metadata-repo-close"
+        });
+      } catch (e3) {
+      }
+    }
+    this.watchers.clear();
+  }
+  // ── helpers ─────────────────────────────────────────────────────────
+  assertOpen() {
+    if (this.closed) throw new Error("SysMetadataRepository is closed");
+  }
+  /**
+   * Defense-in-depth authorization gate.
+   *
+   * `intent` defaults to `'override-artifact'` (the historical strict
+   * behavior). The protocol layer passes `'runtime-only'` after it has
+   * verified — via the schema registry — that no artifact item exists
+   * at `(type, name)`. In that case we accept types with
+   * `allowRuntimeCreate: true`, even when `allowOrgOverride` is false.
+   *
+   * The env-var escape hatch (`OS_METADATA_WRITABLE`) still
+   * applies to BOTH intents, so operators can opt into artifact
+   * overrides at runtime for emergency fixes.
+   */
+  assertAllowed(type, intent = "override-artifact") {
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+    const allowedByRegistry = OVERLAY_ALLOWED_TYPES.has(singular) || OVERLAY_ALLOWED_TYPES.has(type);
+    if (allowedByRegistry) return;
+    if (intent === "runtime-only") {
+      if (RUNTIME_CREATE_ALLOWED_TYPES.has(singular) || RUNTIME_CREATE_ALLOWED_TYPES.has(type)) {
+        return;
+      }
+      if (!STATIC_REGISTRY_TYPES.has(singular) && !STATIC_REGISTRY_TYPES.has(type)) {
+        return;
+      }
+    }
+    const env = envWritableMetadataTypes();
+    if (env.has(singular) || env.has(type)) return;
+    const allowed = [
+      ...OVERLAY_ALLOWED_TYPES,
+      ...envWritableMetadataTypes()
+    ];
+    const code = intent === "runtime-only" ? "not_creatable" : "not_overridable";
+    const detail = intent === "runtime-only" ? `'${type}' has neither allowOrgOverride nor allowRuntimeCreate in the registry. ` : `'${type}' is not allowOrgOverride in the registry. `;
+    const err = new Error(
+      `[${code}] ${detail}Overlay-allowed: ${Array.from(new Set(allowed)).join(", ") || "(none)"}. Set OS_METADATA_WRITABLE to enable additional types at runtime.`
+    );
+    err.code = code;
+    err.status = 403;
+    throw err;
+  }
+  whereFor(ref, state = "active", packageId) {
+    const where = {
+      type: ref.type,
+      name: ref.name,
+      organization_id: this.organizationId,
+      state
+    };
+    if (packageId !== void 0) where.package_id = packageId;
+    return where;
+  }
+  fullRef(ref) {
+    return {
+      org: this.orgLabel,
+      type: ref.type,
+      name: ref.name
+    };
+  }
+  rowToItem(ref, row) {
+    const body = typeof row.metadata === "string" ? JSON.parse(row.metadata) : _nullishCoalesce(row.metadata, () => ( {}));
+    const hash = _nullishCoalesce(row.checksum, () => ( _metadatacore.hashSpec.call(void 0, body)));
+    return {
+      ref: this.fullRef(ref),
+      body,
+      hash,
+      parentHash: null,
+      authoredBy: _nullishCoalesce(_nullishCoalesce(row.updated_by, () => ( row.created_by)), () => ( "unknown")),
+      authoredAt: _nullishCoalesce(_nullishCoalesce(row.updated_at, () => ( row.created_at)), () => ( (/* @__PURE__ */ new Date()).toISOString())),
+      message: void 0,
+      seq: this.seqCounter
+    };
+  }
+  broadcast(evt) {
+    for (const w of Array.from(this.watchers)) {
+      try {
+        w(evt);
+      } catch (e4) {
+      }
+    }
+  }
+  matchesFilter(evt, filter) {
+    if (filter.type && evt.ref.type !== filter.type) return false;
+    if (filter.name && evt.ref.name !== filter.name) return false;
+    if (filter.org && evt.ref.org !== filter.org) return false;
+    return true;
+  }
+  /**
+   * Per-org monotonic event sequence. Reads `MAX(event_seq) + 1` from
+   * `sys_metadata_history` scoped by `organization_id`. MUST be called
+   * inside a transaction (the only caller is the put/delete txn body) —
+   * concurrent writers in the same org race otherwise.
+   */
+  async nextEventSeq(ctx) {
+    try {
+      const rows = await this.engine.find(this.historyTable, {
+        where: { organization_id: this.organizationId },
+        context: ctx
+      });
+      let max = 0;
+      for (const row of rows) {
+        const v = typeof row.event_seq === "number" ? row.event_seq : 0;
+        if (v > max) max = v;
+      }
+      return max + 1;
+    } catch (e5) {
+      return 1;
+    }
+  }
+  /**
+   * Per-(org,type,name) lineage counter. Reads from history (not from
+   * `sys_metadata.version`) so delete + recreate continues incrementing
+   * instead of restarting at 1.
+   */
+  async nextItemVersion(ref, ctx) {
+    try {
+      const rows = await this.engine.find(this.historyTable, {
+        where: {
+          organization_id: this.organizationId,
+          type: ref.type,
+          name: ref.name
+        },
+        context: ctx
+      });
+      let max = 0;
+      for (const row of rows) {
+        const v = typeof row.version === "number" ? row.version : 0;
+        if (v > max) max = v;
+      }
+      return max + 1;
+    } catch (e6) {
+      return 1;
+    }
+  }
+  /** Lightweight UUID-ish id for history rows; sufficient for an audit log. */
+  uuid() {
+    if (typeof _optionalChain([globalThis, 'access', _9 => _9.crypto, 'optionalAccess', _10 => _10.randomUUID]) === "function") {
+      return globalThis.crypto.randomUUID();
+    }
+    return `evt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+  }
+};
+
+// src/protocol.ts
+
+var _data = require('@objectstack/spec/data');
+
+var _ui = require('@objectstack/spec/ui');
+var _system = require('@objectstack/spec/system');
+
+
+
+
+
+
+
+var _zod = require('zod');
+
+// src/metadata-diagnostics.ts
+
+
+function computeMetadataDiagnostics(type, item) {
+  const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+  const schema = _kernel.getMetadataTypeSchema.call(void 0, singular);
+  if (!schema) return void 0;
+  if (item === null || item === void 0 || typeof item !== "object") {
+    return {
+      valid: false,
+      errors: [{
+        path: "",
+        message: "Metadata document must be a non-null object",
+        code: "invalid_type"
+      }]
+    };
+  }
+  const candidate = "_diagnostics" in item ? stripDiagnostics(item) : item;
+  const parsed = schema.safeParse(candidate);
+  if (parsed.success) {
+    return { valid: true };
+  }
+  const errors = parsed.error.issues.map((issue) => ({
+    path: issue.path.map(String).join("."),
+    message: issue.message,
+    code: issue.code
+  }));
+  return { valid: false, errors };
+}
+function stripDiagnostics(item) {
+  const { _diagnostics: _drop, ...rest } = item;
+  void _drop;
+  return rest;
+}
+function decorateMetadataItem(type, item) {
+  if (!item || typeof item !== "object") return item;
+  const diagnostics = computeMetadataDiagnostics(type, item);
+  if (!diagnostics) return item;
+  return { ...item, _diagnostics: diagnostics };
+}
+function decorateMetadataItems(type, items) {
+  if (!Array.isArray(items)) return items;
+  return items.map((item) => decorateMetadataItem(type, item));
+}
+function fieldMap(objectDef) {
+  const map = /* @__PURE__ */ new Map();
+  const fields = _optionalChain([objectDef, 'optionalAccess', _11 => _11.fields]);
+  if (Array.isArray(fields)) {
+    for (const f of fields) if (_optionalChain([f, 'optionalAccess', _12 => _12.name])) map.set(f.name, f);
+  } else if (fields && typeof fields === "object") {
+    for (const [name, f] of Object.entries(fields)) map.set(name, _nullishCoalesce(f, () => ( {})));
+  }
+  return map;
+}
+function computeViewReferenceDiagnostics(view, objectDef) {
+  const fields = fieldMap(objectDef);
+  const errors = [];
+  const requireField = (name, path) => {
+    if (typeof name !== "string" || !name) return;
+    if (!fields.has(name)) {
+      errors.push({
+        path,
+        message: `Field "${name}" does not exist on the source object`,
+        code: "reference_not_found"
+      });
+    }
+  };
+  const userFilters = _optionalChain([view, 'optionalAccess', _13 => _13.userFilters]);
+  _optionalChain([userFilters, 'optionalAccess', _14 => _14.fields, 'optionalAccess', _15 => _15.forEach, 'call', _16 => _16((f, i) => requireField(_optionalChain([f, 'optionalAccess', _17 => _17.field]), `userFilters.fields.${i}.field`))]);
+  _optionalChain([userFilters, 'optionalAccess', _18 => _18.tabs, 'optionalAccess', _19 => _19.forEach, 'call', _20 => _20((t, i) => _optionalChain([t, 'optionalAccess', _21 => _21.filter, 'optionalAccess', _22 => _22.forEach, 'call', _23 => _23((r, j) => requireField(_optionalChain([r, 'optionalAccess', _24 => _24.field]), `userFilters.tabs.${i}.filter.${j}.field`))]))]);
+  _optionalChain([view, 'optionalAccess', _25 => _25.tabs, 'optionalAccess', _26 => _26.forEach, 'call', _27 => _27((t, i) => _optionalChain([t, 'optionalAccess', _28 => _28.filter, 'optionalAccess', _29 => _29.forEach, 'call', _30 => _30((r, j) => requireField(_optionalChain([r, 'optionalAccess', _31 => _31.field]), `tabs.${i}.filter.${j}.field`))]))]);
+  _optionalChain([view, 'optionalAccess', _32 => _32.filterableFields, 'optionalAccess', _33 => _33.forEach, 'call', _34 => _34((f, i) => requireField(f, `filterableFields.${i}`))]);
+  const kanban = _optionalChain([view, 'optionalAccess', _35 => _35.kanban]);
+  if (_optionalChain([kanban, 'optionalAccess', _36 => _36.groupByField])) {
+    requireField(kanban.groupByField, "kanban.groupByField");
+    const def = fields.get(kanban.groupByField);
+    if (def && def.type && !["select", "multi-select", "boolean", "lookup", "master_detail", "user"].includes(def.type)) {
+      errors.push({
+        path: "kanban.groupByField",
+        message: `Field "${kanban.groupByField}" (type "${def.type}") cannot group a kanban \u2014 use a select-like field`,
+        code: "invalid_binding"
+      });
+    }
+  }
+  return errors.length ? { valid: false, errors } : { valid: true };
+}
+
+// src/protocol.ts
+var TYPE_TO_FORM = _system.METADATA_FORM_REGISTRY;
+var _jsonSchemaCache = /* @__PURE__ */ new WeakMap();
+function toJsonSchemaSafe(schema) {
+  const cached = _jsonSchemaCache.get(schema);
+  if (cached !== void 0) return _nullishCoalesce(cached, () => ( void 0));
+  try {
+    const result = _zod.z.toJSONSchema(schema, { unrepresentable: "any" });
+    _jsonSchemaCache.set(schema, result);
+    return result;
+  } catch (e7) {
+    _jsonSchemaCache.set(schema, null);
+    return void 0;
+  }
+}
+var HAND_CRAFTED_SCHEMAS = {
+  object: {
+    type: "object",
+    properties: {
+      name: { type: "string" },
+      label: { type: "string" },
+      pluralLabel: { type: "string" },
+      icon: { type: "string" },
+      description: { type: "string" },
+      tags: { type: "array", items: { type: "string" } },
+      active: { type: "boolean", default: true },
+      isSystem: { type: "boolean", default: false },
+      abstract: { type: "boolean", default: false },
+      datasource: { type: "string" },
+      fields: {
+        // Canonical Object.fields is a name-keyed map
+        // (Record<string, FieldDefinition>) — insertion order is
+        // display order. The SchemaForm engine recognises
+        // `additionalProperties` as a Record and dispatches to
+        // the `record` form-field renderer (ADR-0007). The form
+        // layout in `object.form.ts` declares `type: 'record'`
+        // so the inner `additionalProperties` schema is used to
+        // shape each value.
+        type: "object",
+        default: {},
+        additionalProperties: {
+          type: "object",
+          properties: {
+            name: { type: "string" },
+            label: { type: "string" },
+            type: { type: "string" },
+            required: { type: "boolean", default: false },
+            unique: { type: "boolean", default: false },
+            defaultValue: {},
+            description: { type: "string" }
+          },
+          required: ["type"]
+        }
+      },
+      capabilities: { type: "object", additionalProperties: true }
+    },
+    required: ["name"],
+    additionalProperties: true
+  },
+  action: {
+    type: "object",
+    properties: {
+      name: { type: "string" },
+      label: { type: "string" },
+      objectName: { type: "string" },
+      icon: { type: "string" },
+      type: { type: "string", enum: ["url", "flow", "api", "script"] },
+      variant: { type: "string", enum: ["primary", "secondary", "danger", "ghost", "outline"] },
+      target: { type: "string" },
+      method: { type: "string", enum: ["GET", "POST", "PUT", "PATCH", "DELETE"] },
+      body: {
+        type: "array",
+        default: [],
+        items: {
+          type: "object",
+          properties: {
+            line: { type: "string" }
+          }
+        }
+      },
+      params: {
+        type: "array",
+        default: [],
+        items: {
+          type: "object",
+          properties: {
+            name: { type: "string" },
+            label: { type: "string" },
+            type: { type: "string" },
+            required: { type: "boolean", default: false }
+          },
+          required: ["name"]
+        }
+      },
+      confirmText: { type: "string" },
+      successMessage: { type: "string" },
+      refreshAfter: { type: "boolean", default: true },
+      locations: {
+        type: "array",
+        default: [],
+        items: {
+          type: "object",
+          properties: {
+            location: { type: "string" }
+          }
+        }
+      },
+      component: { type: "string" },
+      visible: { type: "string" },
+      disabled: { type: "string" },
+      shortcut: { type: "string" },
+      bulkEnabled: { type: "boolean", default: false },
+      aiExposed: { type: "boolean", default: false },
+      recordIdParam: { type: "string" },
+      recordIdField: { type: "string" },
+      bodyShape: { type: "string", enum: ["flat", "nested"] }
+    },
+    required: ["name", "label", "type"],
+    additionalProperties: true
+  },
+  // Validation rules live inside `object.validations[]`. The canonical
+  // ValidationRuleSchema is a discriminated union of 9 variants; the
+  // generic SchemaForm renderer treats unions as opaque JSON, so we
+  // ship a *flat* form-friendly schema covering the common base
+  // properties plus every variant-specific field as optional. Save-time
+  // validation is unaffected — the union schema is still authoritative
+  // at write time.
+  validation: {
+    type: "object",
+    properties: {
+      // --- Base fields (all variants) ---
+      name: { type: "string", description: "Unique rule name (snake_case)" },
+      label: { type: "string" },
+      description: { type: "string" },
+      type: {
+        type: "string",
+        enum: [
+          "script",
+          "unique",
+          "state_machine",
+          "format",
+          "cross_field",
+          "json",
+          "async",
+          "custom",
+          "conditional"
+        ],
+        default: "script",
+        description: "Validation variant"
+      },
+      active: { type: "boolean", default: true },
+      events: {
+        type: "array",
+        items: { type: "string", enum: ["insert", "update", "delete"] },
+        default: ["insert", "update"]
+      },
+      priority: { type: "number", default: 100, minimum: 0, maximum: 9999 },
+      severity: {
+        type: "string",
+        enum: ["error", "warning", "info"],
+        default: "error"
+      },
+      message: { type: "string" },
+      tags: { type: "array", items: { type: "string" } },
+      // --- Variant-specific (all optional, gated by `type`) ---
+      condition: {
+        type: "string",
+        description: "CEL predicate (type=script). True \u21D2 validation fails."
+      },
+      fields: {
+        type: "array",
+        items: { type: "string" },
+        description: "Fields (type=unique / cross_field)."
+      },
+      scope: { type: "string", description: "CEL scope predicate (type=unique)." },
+      caseSensitive: { type: "boolean", default: true },
+      field: { type: "string", description: "Single field (type=state_machine / format)." },
+      transitions: {
+        type: "object",
+        additionalProperties: { type: "array", items: { type: "string" } },
+        description: "Map { OldState: [AllowedNewStates] } (type=state_machine)."
+      },
+      regex: { type: "string", description: "Regex (type=format)." },
+      format: {
+        type: "string",
+        enum: ["email", "url", "phone", "json"],
+        description: "Built-in format (type=format)."
+      },
+      url: { type: "string", description: "Endpoint URL (type=async)." },
+      handler: { type: "string", description: "Handler reference (type=custom)." },
+      when: { type: "string", description: "Outer condition (type=conditional)." }
+    },
+    required: ["name", "type", "message"],
+    additionalProperties: true
+  }
+};
+function resolveOverlaySchema(type, _item) {
+  const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+  return _nullishCoalesce(_kernel.getMetadataTypeSchema.call(void 0, singular), () => ( null));
+}
+function normalizeViewMetadata(type, item, saveName) {
+  const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+  if (singular !== "view") return item;
+  if (!item || typeof item !== "object" || Array.isArray(item)) return item;
+  const it = item;
+  return it.name ? it : { ...it, name: saveName };
+}
+function mergeArtifactProtection(item, artifactItem) {
+  if (item === void 0 || item === null) return item;
+  if (artifactItem === void 0 || artifactItem === null) return item;
+  const a = artifactItem;
+  if (typeof a !== "object") return item;
+  const out = { ...item };
+  if (a._lock !== void 0) out._lock = a._lock;
+  if (a._lockReason !== void 0) out._lockReason = a._lockReason;
+  if (a._lockDocsUrl !== void 0) out._lockDocsUrl = a._lockDocsUrl;
+  if (a._lockSource !== void 0) out._lockSource = a._lockSource;
+  if (a._packageId !== void 0) out._packageId = a._packageId;
+  if (a._packageVersion !== void 0) out._packageVersion = a._packageVersion;
+  if (a._provenance !== void 0) out._provenance = a._provenance;
+  return out;
+}
+function simpleHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(16);
+}
+var ConcurrentUpdateError = class extends Error {
+  constructor(opts) {
+    super(_nullishCoalesce(opts.message, () => ( "Record was modified by another user")));
+    this.code = "CONCURRENT_UPDATE";
+    this.status = 409;
+    this.name = "ConcurrentUpdateError";
+    this.currentVersion = opts.currentVersion;
+    this.currentRecord = opts.currentRecord;
+  }
+};
+function normaliseVersionToken(v) {
+  if (v === null || v === void 0) return null;
+  const s = String(v).trim();
+  if (!s) return null;
+  if (s.length >= 2 && s.startsWith('"') && s.endsWith('"')) {
+    return s.slice(1, -1);
+  }
+  return s;
+}
+var CLONE_STRIP_FIELDS = [
+  "id",
+  "created_at",
+  "created_by",
+  "updated_at",
+  "updated_by"
+];
+var SERVICE_CONFIG = {
+  auth: { route: "/api/v1/auth", plugin: "plugin-auth" },
+  automation: { route: "/api/v1/automation", plugin: "plugin-automation" },
+  cache: { route: "/api/v1/cache", plugin: "plugin-redis" },
+  queue: { route: "/api/v1/queue", plugin: "plugin-bullmq" },
+  job: { route: "/api/v1/jobs", plugin: "job-scheduler" },
+  ui: { route: "/api/v1/ui", plugin: "ui-plugin" },
+  workflow: { route: "/api/v1/workflow", plugin: "plugin-workflow" },
+  realtime: { route: "/api/v1/realtime", plugin: "plugin-realtime" },
+  notification: { route: "/api/v1/notifications", plugin: "plugin-notifications" },
+  ai: { route: "/api/v1/ai", plugin: "plugin-ai" },
+  i18n: { route: "/api/v1/i18n", plugin: "service-i18n" },
+  graphql: { route: "/graphql", plugin: "plugin-graphql" },
+  // GraphQL uses /graphql by convention (not versioned REST)
+  "file-storage": { route: "/api/v1/storage", plugin: "plugin-storage" },
+  search: { route: "/api/v1/search", plugin: "plugin-search" }
+};
+var REFERENCE_PATHS = {
+  object: [
+    { fromType: "view", paths: ["object", "objectName"], kind: "view" },
+    { fromType: "dashboard", paths: ["widgets[].object", "widgets[].objectName"], kind: "dashboard widget" },
+    { fromType: "flow", paths: ["object", "context.object", "trigger.object", "targetObject"], kind: "flow" },
+    { fromType: "workflow", paths: ["object", "targetObject"], kind: "workflow" },
+    { fromType: "permission", paths: ["objects[].name", "objects[].object"], kind: "permission" },
+    { fromType: "app", paths: ["navItems[].objectName", "navItems[].object", "tabs[].objectName", "tabs[].object"], kind: "app nav" },
+    { fromType: "page", paths: ["object", "objectName"], kind: "page" },
+    { fromType: "report", paths: ["object", "objectName"], kind: "report" },
+    { fromType: "action", paths: ["object", "objectName"], kind: "action" },
+    { fromType: "validation", paths: ["object", "objectName"], kind: "validation" },
+    { fromType: "hook", paths: ["object", "objectName"], kind: "hook" },
+    { fromType: "object", paths: ["fields[].referenceTo", "fields{}.referenceTo", "fields{}.reference"], kind: "field reference" }
+  ],
+  view: [
+    { fromType: "dashboard", paths: ["widgets[].view", "widgets[].viewName"], kind: "dashboard widget" },
+    { fromType: "app", paths: ["navItems[].viewName", "tabs[].viewName"], kind: "app nav" },
+    { fromType: "page", paths: ["viewName"], kind: "page" }
+  ],
+  tool: [
+    { fromType: "agent", paths: ["tools[]", "tools[].name"], kind: "agent tool" }
+  ],
+  skill: [
+    { fromType: "agent", paths: ["skills[]", "skills[].name"], kind: "agent skill" }
+  ],
+  flow: [
+    { fromType: "app", paths: ["navItems[].flowName", "tabs[].flowName"], kind: "app nav" }
+  ],
+  dashboard: [
+    { fromType: "app", paths: ["navItems[].dashboardName", "tabs[].dashboardName"], kind: "app nav" }
+  ],
+  page: [
+    { fromType: "app", paths: ["navItems[].pageName", "tabs[].pageName"], kind: "app nav" }
+  ]
+};
+function extractPathValues(item, path) {
+  if (!item || typeof item !== "object") return [];
+  const segments = path.split(".");
+  let current = [item];
+  for (const rawSeg of segments) {
+    let kind = "value";
+    let seg = rawSeg;
+    if (seg.endsWith("[]")) {
+      kind = "array";
+      seg = seg.slice(0, -2);
+    } else if (seg.endsWith("{}")) {
+      kind = "record";
+      seg = seg.slice(0, -2);
+    }
+    const next = [];
+    for (const node of current) {
+      if (!node || typeof node !== "object") continue;
+      let value;
+      if (seg === "") {
+        value = node;
+      } else {
+        value = node[seg];
+      }
+      if (value === void 0 || value === null) continue;
+      if (kind === "array") {
+        if (Array.isArray(value)) {
+          for (const v of value) next.push(v);
+        }
+      } else if (kind === "record") {
+        if (Array.isArray(value)) {
+          for (const v of value) next.push(v);
+        } else if (typeof value === "object") {
+          for (const v of Object.values(value)) next.push(v);
+        }
+      } else {
+        next.push(value);
+      }
+    }
+    current = next;
+    if (current.length === 0) return [];
+  }
+  const out = [];
+  for (const v of current) {
+    if (typeof v === "string" && v.length > 0) out.push(v);
+    else if (v && typeof v === "object" && "name" in v && typeof v.name === "string") {
+      out.push(v.name);
+    }
+  }
+  return out;
+}
+function diffShallow(from, to) {
+  const added = [];
+  const removed = [];
+  const changed = [];
+  const fromKeys = new Set(Object.keys(_nullishCoalesce(from, () => ( {}))));
+  const toKeys = new Set(Object.keys(_nullishCoalesce(to, () => ( {}))));
+  for (const k of toKeys) {
+    if (!fromKeys.has(k)) {
+      added.push({ path: k, value: to[k] });
+    } else {
+      const a = from[k];
+      const b = to[k];
+      const aStr = JSON.stringify(a);
+      const bStr = JSON.stringify(b);
+      if (aStr !== bStr) {
+        changed.push({ path: k, from: a, to: b });
+      }
+    }
+  }
+  for (const k of fromKeys) {
+    if (!toKeys.has(k)) {
+      removed.push({ path: k, value: from[k] });
+    }
+  }
+  return { added, removed, changed };
+}
+function detectDestructiveObjectChanges(prev, next) {
+  if (!prev || typeof prev !== "object" || !next || typeof next !== "object") return [];
+  const prevFields = prev.fields && typeof prev.fields === "object" ? prev.fields : {};
+  const nextFields = next.fields && typeof next.fields === "object" ? next.fields : {};
+  const issues = [];
+  for (const fname of Object.keys(prevFields)) {
+    if (_optionalChain([prevFields, 'access', _37 => _37[fname], 'optionalAccess', _38 => _38.system])) continue;
+    if (!(fname in nextFields)) {
+      issues.push({
+        code: "field_removed",
+        field: fname,
+        message: `Field '${fname}' removed \u2014 existing data in this column will become inaccessible.`
+      });
+    }
+  }
+  const TYPE_COMPATIBILITY = {
+    text: /* @__PURE__ */ new Set(["textarea", "markdown", "html", "code"]),
+    number: /* @__PURE__ */ new Set([]),
+    boolean: /* @__PURE__ */ new Set([]),
+    date: /* @__PURE__ */ new Set(["datetime"]),
+    datetime: /* @__PURE__ */ new Set(["date"])
+  };
+  for (const fname of Object.keys(nextFields)) {
+    const prevField = prevFields[fname];
+    const nextField = nextFields[fname];
+    if (!prevField) continue;
+    const prevType = prevField.type;
+    const nextType = nextField.type;
+    if (prevType && nextType && prevType !== nextType) {
+      const compatible = _optionalChain([TYPE_COMPATIBILITY, 'access', _39 => _39[prevType], 'optionalAccess', _40 => _40.has, 'call', _41 => _41(nextType)]);
+      if (!compatible) {
+        issues.push({
+          code: "field_type_change",
+          field: fname,
+          message: `Field '${fname}' type changed from '${prevType}' to '${nextType}' \u2014 existing values may not convert cleanly.`
+        });
+      }
+    }
+    if (!prevField.required && nextField.required && nextField.defaultValue === void 0) {
+      issues.push({
+        code: "field_required_no_default",
+        field: fname,
+        message: `Field '${fname}' is now required but has no default value \u2014 existing rows with null values may fail validation.`
+      });
+    }
+  }
+  return issues;
+}
+var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementation {
+  constructor(engine, getServicesRegistry, getFeedService, environmentId) {
+    /**
+     * Lazily-instantiated SysMetadataRepository per organization. Keyed by
+     * `${organizationId ?? '__env__'}`. Repositories are stateful — they
+     * carry the per-org `seqCounter` and watch subscribers — so we cache
+     * them rather than constructing one per call.
+     */
+    this.overlayRepos = /* @__PURE__ */ new Map();
+    /**
+     * One-time guard for ensuring the overlay-uniqueness UNIQUE INDEX exists
+     * on `sys_metadata`. ADR-0005: scopes overlays by
+     * `(type, name, organization_id, environment_id, scope)` for active rows only.
+     * Idempotent SQL — safe to attempt on every protocol instance.
+     *
+     * Inlined here (rather than importing from @objectstack/metadata/migrations)
+     * to avoid a circular dependency: metadata already depends on objectql.
+     */
+    this.overlayIndexEnsured = false;
+    this.engine = engine;
+    this.getServicesRegistry = getServicesRegistry;
+    this.getFeedService = getFeedService;
+    this.environmentId = environmentId;
+  }
+  /**
+   * Lazily obtain a SysMetadataRepository for the given organization.
+   * Env-wide overlays (organizationId == null) share a singleton under
+   * the `__env__` key.
+   */
+  getOverlayRepo(organizationId) {
+    const key = _nullishCoalesce(organizationId, () => ( "__env__"));
+    let repo = this.overlayRepos.get(key);
+    if (!repo) {
+      repo = new SysMetadataRepository({
+        engine: this.engine,
+        organizationId,
+        orgLabel: _nullishCoalesce(organizationId, () => ( "env"))
+      });
+      this.overlayRepos.set(key, repo);
+    }
+    return repo;
+  }
+  async ensureOverlayIndex() {
+    if (this.overlayIndexEnsured) return;
+    this.overlayIndexEnsured = true;
+    try {
+      const engineAny = this.engine;
+      let driver = _nullishCoalesce(_optionalChain([engineAny, 'optionalAccess', _42 => _42.driver]), () => ( _optionalChain([engineAny, 'optionalAccess', _43 => _43.getDriver, 'optionalCall', _44 => _44()])));
+      if (!driver && _optionalChain([engineAny, 'optionalAccess', _45 => _45.drivers]) instanceof Map) {
+        for (const candidate of engineAny.drivers.values()) {
+          if (candidate && (typeof candidate.raw === "function" || typeof candidate.execute === "function")) {
+            driver = candidate;
+            break;
+          }
+        }
+      }
+      if (!driver) return;
+      const exec = async (sql) => {
+        if (typeof driver.raw === "function") {
+          await driver.raw(sql);
+        } else if (typeof driver.execute === "function") {
+          await driver.execute(sql);
+        } else {
+          throw new Error("driver has neither raw nor execute");
+        }
+      };
+      try {
+        await exec("DROP INDEX IF EXISTS idx_sys_metadata_overlay_active");
+      } catch (e8) {
+      }
+      const partialSql = "CREATE UNIQUE INDEX IF NOT EXISTS idx_sys_metadata_overlay_active ON sys_metadata (type, name, organization_id, COALESCE(package_id, '')) WHERE state = 'active'";
+      const fallbackSql = "CREATE INDEX IF NOT EXISTS idx_sys_metadata_overlay_active ON sys_metadata (type, name, organization_id, package_id)";
+      try {
+        await exec(partialSql);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (/partial|where clause|syntax/i.test(msg)) {
+          try {
+            await exec(fallbackSql);
+          } catch (e9) {
+          }
+        }
+      }
+      try {
+        await exec("DROP INDEX IF EXISTS idx_sys_metadata_overlay_draft");
+      } catch (e10) {
+      }
+      const draftPartialSql = "CREATE UNIQUE INDEX IF NOT EXISTS idx_sys_metadata_overlay_draft ON sys_metadata (type, name, organization_id, COALESCE(package_id, '')) WHERE state = 'draft'";
+      try {
+        await exec(draftPartialSql);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (/partial|where clause|syntax/i.test(msg)) {
+          try {
+            await exec(
+              "CREATE INDEX IF NOT EXISTS idx_sys_metadata_overlay_draft ON sys_metadata (type, name, organization_id, package_id)"
+            );
+          } catch (e11) {
+          }
+        }
+      }
+    } catch (e12) {
+    }
+  }
+  /**
+   * Exposes the project scope the protocol is bound to. Consumers like
+   * the HTTP dispatcher use this to decide whether to trust the process-
+   * wide SchemaRegistry or whether they must route a read through the
+   * protocol's environment_id-filtered lookup.
+   */
+  getProjectId() {
+    return this.environmentId;
+  }
+  requireFeedService() {
+    const svc = _optionalChain([this, 'access', _46 => _46.getFeedService, 'optionalCall', _47 => _47()]);
+    if (!svc) {
+      throw new Error("Feed service not available. Install and register service-feed to enable feed operations.");
+    }
+    return svc;
+  }
+  async getDiscovery() {
+    const registeredServices = this.getServicesRegistry ? this.getServicesRegistry() : /* @__PURE__ */ new Map();
+    const services = {
+      // --- Kernel-provided (objectql is an example kernel implementation) ---
+      metadata: { enabled: true, status: "available", route: "/api/v1/meta", provider: "objectql" },
+      data: { enabled: true, status: "available", route: "/api/v1/data", provider: "objectql" },
+      analytics: { enabled: true, status: "available", route: "/api/v1/analytics", provider: "objectql" }
+    };
+    for (const [serviceName, config] of Object.entries(SERVICE_CONFIG)) {
+      if (registeredServices.has(serviceName)) {
+        services[serviceName] = {
+          enabled: true,
+          status: "available",
+          route: config.route,
+          provider: config.plugin
+        };
+      } else {
+        services[serviceName] = {
+          enabled: false,
+          status: "unavailable",
+          message: `Install ${config.plugin} to enable`
+        };
+      }
+    }
+    const serviceToRouteKey = {
+      auth: "auth",
+      automation: "automation",
+      ui: "ui",
+      workflow: "workflow",
+      realtime: "realtime",
+      notification: "notifications",
+      ai: "ai",
+      i18n: "i18n",
+      graphql: "graphql",
+      "file-storage": "storage"
+    };
+    const optionalRoutes = {
+      analytics: "/api/v1/analytics"
+    };
+    for (const [serviceName, config] of Object.entries(SERVICE_CONFIG)) {
+      if (registeredServices.has(serviceName)) {
+        const routeKey = serviceToRouteKey[serviceName];
+        if (routeKey) {
+          optionalRoutes[routeKey] = config.route;
+        }
+      }
+    }
+    if (registeredServices.has("feed")) {
+      services["feed"] = {
+        enabled: true,
+        status: "available",
+        route: "/api/v1/data",
+        provider: "service-feed"
+      };
+    } else {
+      services["feed"] = {
+        enabled: false,
+        status: "unavailable",
+        message: "Install service-feed to enable"
+      };
+    }
+    const routes = {
+      data: "/api/v1/data",
+      metadata: "/api/v1/meta",
+      ...optionalRoutes
+    };
+    const wellKnown = {
+      feed: registeredServices.has("feed"),
+      comments: registeredServices.has("feed"),
+      automation: registeredServices.has("automation"),
+      cron: registeredServices.has("job"),
+      search: registeredServices.has("search"),
+      export: registeredServices.has("automation") || registeredServices.has("queue"),
+      chunkedUpload: registeredServices.has("file-storage")
+    };
+    const capabilities = {};
+    for (const [key, enabled] of Object.entries(wellKnown)) {
+      capabilities[key] = { enabled };
+    }
+    return {
+      version: "1.0",
+      apiName: "ObjectStack API",
+      routes,
+      services,
+      capabilities
+    };
+  }
+  async getMetaTypes() {
+    const schemaTypes = this.engine.registry.getRegisteredTypes();
+    let runtimeTypes = [];
+    try {
+      const services = _optionalChain([this, 'access', _48 => _48.getServicesRegistry, 'optionalCall', _49 => _49()]);
+      const metadataService = _optionalChain([services, 'optionalAccess', _50 => _50.get, 'call', _51 => _51("metadata")]);
+      if (metadataService && typeof metadataService.getRegisteredTypes === "function") {
+        runtimeTypes = await metadataService.getRegisteredTypes();
+      }
+    } catch (e13) {
+    }
+    const allTypes = Array.from(/* @__PURE__ */ new Set([...schemaTypes, ...runtimeTypes]));
+    const writableOverrides = _ObjectStackProtocolImplementation.envWritableTypes();
+    const registryByType = new Map(
+      _kernel.DEFAULT_METADATA_TYPE_REGISTRY.map((e) => [e.type, e])
+    );
+    const entries = allTypes.map((type) => {
+      const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+      const zodSchema = _kernel.getMetadataTypeSchema.call(void 0, singular);
+      const schema = _nullishCoalesce((zodSchema ? toJsonSchemaSafe(zodSchema) : void 0), () => ( HAND_CRAFTED_SCHEMAS[singular]));
+      const form = TYPE_TO_FORM[singular];
+      const createSeed = _kernel.getMetadataCreateSeed.call(void 0, singular);
+      const typeActions = _kernel.getMetadataTypeActions.call(void 0, singular);
+      const base = registryByType.get(singular);
+      if (base) {
+        const isEnvOverridden = writableOverrides.has(singular);
+        return {
+          ...base,
+          type: singular,
+          schemaId: singular,
+          // API client expects schemaId field
+          allowOrgOverride: base.allowOrgOverride || isEnvOverridden,
+          overrideSource: isEnvOverridden && !base.allowOrgOverride ? "env" : "registry",
+          schema,
+          form,
+          ...createSeed !== void 0 ? { createSeed } : {},
+          // Override the spread `base.actions` with the merged view
+          // (declarative + plugin-registered). Omit when empty to
+          // preserve the prior "no actions key" response shape.
+          ...typeActions.length ? { actions: typeActions } : {}
+        };
+      }
+      return {
+        type: singular,
+        schemaId: singular,
+        // API client expects schemaId field
+        label: singular,
+        description: void 0,
+        filePatterns: [],
+        supportsOverlay: false,
+        allowOrgOverride: writableOverrides.has(singular),
+        allowRuntimeCreate: true,
+        supportsVersioning: false,
+        executionPinned: false,
+        loadOrder: 1e3,
+        domain: "system",
+        overrideSource: writableOverrides.has(singular) ? "env" : "registry",
+        schema,
+        form,
+        ...createSeed !== void 0 ? { createSeed } : {},
+        // Plugin-registered actions on a type with no registry entry.
+        ...typeActions.length ? { actions: typeActions } : {}
+      };
+    }).sort((a, b) => {
+      if (a.domain !== b.domain) return a.domain.localeCompare(b.domain);
+      return a.type.localeCompare(b.type);
+    });
+    return { types: allTypes, entries };
+  }
+  /**
+   * Sweep all (or filtered) metadata types and report entries that
+   * fail spec validation. Powers the Studio governance view
+   * (`GET /api/v1/meta/diagnostics`) and `os doctor`-style CLI
+   * checks.
+   *
+   * `severity` defaults to `'error'` — only entries with at least
+   * one Zod error issue are returned. `'warning'` includes
+   * everything we surface (warnings are reserved for a future lint
+   * layer on top of spec validation).
+   *
+   * `type` may be either a singular (`'view'`) or plural (`'views'`)
+   * identifier; the underlying `getMetaItems` already normalises.
+   *
+   * Implementation note: leverages the `_diagnostics` already
+   * decorated onto items by `getMetaItems()` to avoid running
+   * `safeParse()` twice. For types whose schema is unregistered we
+   * skip silently (they cannot be validated and should not appear
+   * as "valid" either — they are simply opaque to this report).
+   */
+  async getMetaDiagnostics(request = {}) {
+    const includeWarnings = request.severity === "warning";
+    const targetTypes = request.type ? [request.type] : _kernel.DEFAULT_METADATA_TYPE_REGISTRY.filter((e) => _kernel.getMetadataTypeSchema.call(void 0, e.type)).map((e) => e.type);
+    const entries = [];
+    const stats = {};
+    let scannedItems = 0;
+    for (const t of targetTypes) {
+      let listed;
+      try {
+        listed = await this.getMetaItems({
+          type: t,
+          organizationId: request.organizationId,
+          packageId: request.packageId
+        });
+      } catch (e14) {
+        continue;
+      }
+      const items = Array.isArray(_optionalChain([listed, 'optionalAccess', _52 => _52.items])) ? listed.items : Array.isArray(listed) ? listed : [];
+      const pkgSet = /* @__PURE__ */ new Set();
+      let lockedCount = 0;
+      for (const item of items) {
+        scannedItems += 1;
+        const pkg = _nullishCoalesce(_optionalChain([item, 'optionalAccess', _53 => _53._packageId]), () => ( null));
+        if (pkg) pkgSet.add(pkg);
+        const lock = _optionalChain([item, 'optionalAccess', _54 => _54._lock]);
+        if (lock && lock !== "none") lockedCount += 1;
+        const diag = _nullishCoalesce(_optionalChain([item, 'optionalAccess', _55 => _55._diagnostics]), () => ( computeMetadataDiagnostics(t, item)));
+        if (!diag) continue;
+        if (diag.valid && !includeWarnings) continue;
+        if (diag.valid && includeWarnings && !_optionalChain([diag, 'access', _56 => _56.warnings, 'optionalAccess', _57 => _57.length])) continue;
+        entries.push({
+          type: t,
+          name: typeof _optionalChain([item, 'optionalAccess', _58 => _58.name]) === "string" ? item.name : "<unknown>",
+          diagnostics: diag
+        });
+      }
+      stats[t] = { count: items.length, locked: lockedCount, packages: [...pkgSet].sort() };
+    }
+    return {
+      entries,
+      total: entries.length,
+      scannedTypes: targetTypes.length,
+      scannedItems,
+      stats
+    };
+  }
+  async getMetaItems(request) {
+    const { packageId } = request;
+    let items = [];
+    if (this.environmentId === void 0) {
+      items = [...this.engine.registry.listItems(request.type, packageId)];
+      if (items.length === 0) {
+        const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+        if (alt) items = [...this.engine.registry.listItems(alt, packageId)];
+      }
+    } else {
+      items = [...this.engine.registry.listItems(request.type, packageId)];
+      if (items.length === 0) {
+        const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+        if (alt) items = [...this.engine.registry.listItems(alt, packageId)];
+      }
+    }
+    try {
+      const orgId = request.organizationId;
+      const queryByOrg = async (oid) => {
+        const whereClause = {
+          type: request.type,
+          state: "active",
+          organization_id: oid
+        };
+        if (packageId) whereClause.package_id = packageId;
+        let rs = await this.engine.find("sys_metadata", { where: whereClause });
+        if (!rs || rs.length === 0) {
+          const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+          if (alt) {
+            const altWhere = { type: alt, state: "active", organization_id: oid };
+            if (packageId) altWhere.package_id = packageId;
+            rs = await this.engine.find("sys_metadata", { where: altWhere });
+          }
+        }
+        return _nullishCoalesce(rs, () => ( []));
+      };
+      const envWideRecords = await queryByOrg(null);
+      const orgRecords = orgId ? await queryByOrg(orgId) : [];
+      const mergedMap = /* @__PURE__ */ new Map();
+      for (const r of envWideRecords) mergedMap.set(r.name, r);
+      for (const r of orgRecords) mergedMap.set(r.name, r);
+      const records = Array.from(mergedMap.values());
+      if (records && records.length > 0) {
+        const byName = /* @__PURE__ */ new Map();
+        for (const existing of items) {
+          const entry = existing;
+          if (entry && typeof entry === "object" && "name" in entry) {
+            byName.set(entry.name, entry);
+          }
+        }
+        for (const record of records) {
+          const data = typeof record.metadata === "string" ? JSON.parse(record.metadata) : record.metadata;
+          if (data && typeof data === "object" && "name" in data) {
+            const recPkg = _nullishCoalesce(record.package_id, () => ( void 0));
+            if (recPkg && data._packageId === void 0) {
+              data._packageId = recPkg;
+            }
+            byName.set(data.name, data);
+          }
+          if (this.environmentId === void 0 && data && typeof data === "object") {
+            const artifact = this.lookupArtifactItem(request.type, data.name);
+            this.engine.registry.registerItem(
+              request.type,
+              mergeArtifactProtection(data, artifact),
+              "name"
+            );
+          }
+        }
+        items = Array.from(byName.values());
+      }
+    } catch (e15) {
+    }
+    if (request.previewDrafts) {
+      try {
+        const orgId = request.organizationId;
+        const queryDrafts = async (oid) => {
+          const whereClause = { type: request.type, state: "draft", organization_id: oid };
+          if (packageId) whereClause.package_id = packageId;
+          let rs = await this.engine.find("sys_metadata", { where: whereClause });
+          if (!rs || rs.length === 0) {
+            const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+            if (alt) {
+              const altWhere = { type: alt, state: "draft", organization_id: oid };
+              if (packageId) altWhere.package_id = packageId;
+              rs = await this.engine.find("sys_metadata", { where: altWhere });
+            }
+          }
+          return _nullishCoalesce(rs, () => ( []));
+        };
+        const draftRecords = [...await queryDrafts(null), ...orgId ? await queryDrafts(orgId) : []];
+        if (draftRecords.length > 0) {
+          const byName = /* @__PURE__ */ new Map();
+          for (const existing of items) {
+            const entry = existing;
+            if (entry && typeof entry === "object" && "name" in entry) byName.set(entry.name, entry);
+          }
+          for (const record of draftRecords) {
+            const data = typeof record.metadata === "string" ? JSON.parse(record.metadata) : record.metadata;
+            if (data && typeof data === "object" && "name" in data) {
+              const recPkg = _nullishCoalesce(record.package_id, () => ( void 0));
+              if (recPkg && data._packageId === void 0) data._packageId = recPkg;
+              data._draft = true;
+              byName.set(data.name, data);
+            }
+          }
+          items = Array.from(byName.values());
+        }
+      } catch (e16) {
+      }
+    }
+    try {
+      const services = _optionalChain([this, 'access', _59 => _59.getServicesRegistry, 'optionalCall', _60 => _60()]);
+      const metadataService = _optionalChain([services, 'optionalAccess', _61 => _61.get, 'call', _62 => _62("metadata")]);
+      if (metadataService && typeof metadataService.list === "function") {
+        let runtimeItems = await metadataService.list(request.type);
+        if (packageId && runtimeItems && runtimeItems.length > 0) {
+          runtimeItems = runtimeItems.filter((item) => _optionalChain([item, 'optionalAccess', _63 => _63._packageId]) === packageId);
+        }
+        if (runtimeItems && runtimeItems.length > 0) {
+          const itemMap = /* @__PURE__ */ new Map();
+          for (const item of items) {
+            const entry = item;
+            if (entry && typeof entry === "object" && "name" in entry) {
+              itemMap.set(entry.name, entry);
+            }
+          }
+          for (const item of runtimeItems) {
+            const entry = item;
+            if (entry && typeof entry === "object" && "name" in entry) {
+              if (!itemMap.has(entry.name)) {
+                itemMap.set(entry.name, entry);
+              }
+            }
+          }
+          items = Array.from(itemMap.values());
+        }
+      }
+    } catch (e17) {
+    }
+    if (request.type !== "package" && request.type !== "object" && request.type !== "objects") {
+      items = items.filter(
+        (it) => !this.engine.registry.isPackageDisabled(_optionalChain([it, 'optionalAccess', _64 => _64._packageId]))
+      );
+    }
+    if (request.type === "view" || request.type === "views") {
+      items = items.filter((it) => !_ui.isAggregatedViewContainer.call(void 0, it));
+    }
+    if (request.type === "app" || request.type === "apps") {
+      items = items.map((app) => this.engine.registry.applyNavContributions(app));
+    }
+    return {
+      type: request.type,
+      items: decorateMetadataItems(
+        request.type,
+        items.map((it) => {
+          const a = this.lookupArtifactItem(
+            request.type,
+            _optionalChain([it, 'optionalAccess', _65 => _65.name]),
+            _nullishCoalesce(packageId, () => ( _optionalChain([it, 'optionalAccess', _66 => _66._packageId])))
+          );
+          return mergeArtifactProtection(it, a);
+        })
+      )
+    };
+  }
+  async getMetaItem(request) {
+    let item;
+    const orgId = request.organizationId;
+    const readState = request.state === "draft" ? "draft" : "active";
+    if (request.previewDrafts && readState !== "draft") {
+      try {
+        const findDraft = async (oid) => {
+          const lookup = async (t) => {
+            const base = {
+              type: t,
+              name: request.name,
+              state: "draft",
+              organization_id: oid
+            };
+            if (request.packageId) {
+              const scoped = await this.engine.findOne("sys_metadata", {
+                where: { ...base, package_id: request.packageId }
+              });
+              if (scoped) return scoped;
+              return await this.engine.findOne("sys_metadata", {
+                where: { ...base, package_id: null }
+              });
+            }
+            return await this.engine.findOne("sys_metadata", { where: base });
+          };
+          const rec = await lookup(request.type);
+          if (rec) return rec;
+          const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+          if (alt) return await lookup(alt);
+          return void 0;
+        };
+        const draftRec = await _asyncNullishCoalesce((orgId ? await findDraft(orgId) : void 0), async () => ( await findDraft(null)));
+        if (draftRec) {
+          const draftItem = typeof draftRec.metadata === "string" ? JSON.parse(draftRec.metadata) : draftRec.metadata;
+          if (draftItem && typeof draftItem === "object") {
+            const recPkg = _nullishCoalesce(draftRec.package_id, () => ( void 0));
+            if (recPkg && draftItem._packageId === void 0) draftItem._packageId = recPkg;
+            draftItem._draft = true;
+          }
+          return { type: request.type, name: request.name, item: decorateMetadataItem(request.type, draftItem) };
+        }
+      } catch (e18) {
+      }
+    }
+    try {
+      const findOverlay = async (oid) => {
+        const lookup = async (t) => {
+          const base = {
+            type: t,
+            name: request.name,
+            state: readState,
+            organization_id: oid
+          };
+          if (request.packageId) {
+            const scoped = await this.engine.findOne("sys_metadata", {
+              where: { ...base, package_id: request.packageId }
+            });
+            if (scoped) return scoped;
+            return await this.engine.findOne("sys_metadata", {
+              where: { ...base, package_id: null }
+            });
+          }
+          return await this.engine.findOne("sys_metadata", { where: base });
+        };
+        const rec = await lookup(request.type);
+        if (rec) return rec;
+        const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+        if (alt) return await lookup(alt);
+        return void 0;
+      };
+      const record = await _asyncNullishCoalesce((orgId ? await findOverlay(orgId) : void 0), async () => ( await findOverlay(null)));
+      if (record) {
+        item = typeof record.metadata === "string" ? JSON.parse(record.metadata) : record.metadata;
+        const recPkg = _nullishCoalesce(record.package_id, () => ( void 0));
+        if (recPkg && item && typeof item === "object" && item._packageId === void 0) {
+          item._packageId = recPkg;
+        }
+      }
+    } catch (e19) {
+    }
+    if (readState === "draft") {
+      if (item === void 0) {
+        const err = new Error(
+          `[no_draft] No pending draft exists for ${request.type}/${request.name}.`
+        );
+        err.code = "no_draft";
+        err.status = 404;
+        throw err;
+      }
+      return { type: request.type, name: request.name, item: decorateMetadataItem(request.type, item) };
+    }
+    if (item === void 0) {
+      try {
+        const services = _optionalChain([this, 'access', _67 => _67.getServicesRegistry, 'optionalCall', _68 => _68()]);
+        const metadataService = _optionalChain([services, 'optionalAccess', _69 => _69.get, 'call', _70 => _70("metadata")]);
+        if (metadataService && typeof metadataService.get === "function") {
+          const fromService = await metadataService.get(request.type, request.name, request.packageId);
+          if (fromService !== void 0 && fromService !== null) {
+            item = fromService;
+          } else {
+            const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+            if (alt) {
+              const altFromService = await metadataService.get(alt, request.name, request.packageId);
+              if (altFromService !== void 0 && altFromService !== null) {
+                item = altFromService;
+              }
+            }
+          }
+        }
+      } catch (e20) {
+      }
+    }
+    if (item === void 0) {
+      item = this.engine.registry.getItem(request.type, request.name, request.packageId);
+      if (item === void 0) {
+        const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+        if (alt) item = this.engine.registry.getItem(alt, request.name, request.packageId);
+      }
+    }
+    if ((request.type === "app" || request.type === "apps") && item) {
+      item = this.engine.registry.applyNavContributions(item);
+    }
+    const artifactItem = this.lookupArtifactItem(request.type, request.name, request.packageId);
+    let decorated = decorateMetadataItem(
+      request.type,
+      mergeArtifactProtection(item, artifactItem)
+    );
+    if ((request.type === "view" || request.type === "views") && decorated && typeof decorated === "object") {
+      try {
+        const viewDoc = decorated;
+        const sourceObject = _nullishCoalesce(_nullishCoalesce(_nullishCoalesce(_optionalChain([viewDoc, 'optionalAccess', _71 => _71.object]), () => ( _optionalChain([viewDoc, 'optionalAccess', _72 => _72.data, 'optionalAccess', _73 => _73.object]))), () => ( _optionalChain([viewDoc, 'optionalAccess', _74 => _74.objectName]))), () => ( _optionalChain([viewDoc, 'optionalAccess', _75 => _75.list, 'optionalAccess', _76 => _76.data, 'optionalAccess', _77 => _77.object])));
+        const objectDef = typeof sourceObject === "string" ? this.engine.registry.getObject(sourceObject) : void 0;
+        if (objectDef) {
+          const refs = computeViewReferenceDiagnostics(viewDoc, objectDef);
+          if (!refs.valid) {
+            const prior = viewDoc._diagnostics;
+            decorated = {
+              ...viewDoc,
+              _diagnostics: {
+                valid: false,
+                errors: [
+                  ...prior && prior.valid === false && Array.isArray(prior.errors) ? prior.errors : [],
+                  ..._nullishCoalesce(refs.errors, () => ( []))
+                ]
+              }
+            };
+          }
+        }
+      } catch (e21) {
+      }
+    }
+    const artifactBacked = this.isArtifactBacked(request.type, request.name);
+    const lockState = _kernel.resolveLockState.call(void 0, decorated, artifactBacked);
+    return {
+      type: request.type,
+      name: request.name,
+      item: decorated,
+      lock: lockState.lock,
+      ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
+      ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.lockDocsUrl !== void 0 ? { lockDocsUrl: lockState.lockDocsUrl } : {},
+      ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
+      ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
+      ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
+      editable: lockState.editable,
+      deletable: lockState.deletable,
+      resettable: lockState.resettable
+    };
+  }
+  /**
+   * Phase 3a-layered-get: return the 3 layers of a metadata item
+   * separately — `code` (artifact-loaded baseline), `overlay` (per-org
+   * customisation row, if any), and `effective` (what `getMetaItem`
+   * would return, i.e. overlay-wins merge).
+   *
+   * Drives the "Code default vs Overlay vs Effective" diff tab in the
+   * generic Metadata Resource Edit page. Admins can see exactly what
+   * was customised and reset selectively.
+   *
+   * `code` is null if no artifact baseline exists; `overlay` is null if
+   * no sys_metadata row exists for the requested scope; `effective` is
+   * never null when either layer exists.
+   */
+  async getMetaItemLayered(request) {
+    const orgId = request.organizationId;
+    let code = null;
+    try {
+      const services = _optionalChain([this, 'access', _78 => _78.getServicesRegistry, 'optionalCall', _79 => _79()]);
+      const metadataService = _optionalChain([services, 'optionalAccess', _80 => _80.get, 'call', _81 => _81("metadata")]);
+      if (metadataService && typeof metadataService.get === "function") {
+        let fromService = await metadataService.get(request.type, request.name, request.packageId);
+        if (fromService === void 0 || fromService === null) {
+          const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+          if (alt) fromService = await metadataService.get(alt, request.name, request.packageId);
+        }
+        if (fromService !== void 0 && fromService !== null) code = fromService;
+      }
+    } catch (e22) {
+    }
+    if (code === null) {
+      let regItem = _nullishCoalesce(this.lookupArtifactItem(request.type, request.name, request.packageId), () => ( this.engine.registry.getItem(request.type, request.name, request.packageId)));
+      if (regItem === void 0) {
+        const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+        if (alt) regItem = this.engine.registry.getItem(alt, request.name, request.packageId);
+      }
+      if (regItem !== void 0) code = regItem;
+    }
+    let overlay = null;
+    let overlayScope = null;
+    try {
+      const findOverlay = async (oid) => {
+        const lookup = async (t) => {
+          const base = {
+            type: t,
+            name: request.name,
+            state: "active",
+            organization_id: oid
+          };
+          if (request.packageId) {
+            const scoped = await this.engine.findOne("sys_metadata", {
+              where: { ...base, package_id: request.packageId }
+            });
+            if (scoped) return scoped;
+            return await this.engine.findOne("sys_metadata", {
+              where: { ...base, package_id: null }
+            });
+          }
+          return await this.engine.findOne("sys_metadata", { where: base });
+        };
+        let rec = await lookup(request.type);
+        if (!rec) {
+          const alt = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( _shared.SINGULAR_TO_PLURAL[request.type]));
+          if (alt) rec = await lookup(alt);
+        }
+        return rec;
+      };
+      if (orgId) {
+        const rec = await findOverlay(orgId);
+        if (rec) {
+          overlay = typeof rec.metadata === "string" ? JSON.parse(rec.metadata) : rec.metadata;
+          overlayScope = "org";
+        }
+      }
+      if (overlay === null) {
+        const rec = await findOverlay(null);
+        if (rec) {
+          overlay = typeof rec.metadata === "string" ? JSON.parse(rec.metadata) : rec.metadata;
+          overlayScope = "env";
+        }
+      }
+    } catch (e23) {
+    }
+    const effective = _nullishCoalesce(overlay, () => ( code));
+    const _diagnostics = effective !== null && effective !== void 0 ? computeMetadataDiagnostics(request.type, effective) : void 0;
+    const artifactBacked = this.isArtifactBacked(request.type, request.name);
+    const lockSource = _nullishCoalesce(_nullishCoalesce(code, () => ( overlay)), () => ( {}));
+    const lockState = _kernel.resolveLockState.call(void 0, lockSource, artifactBacked);
+    return {
+      type: request.type,
+      name: request.name,
+      code,
+      overlay,
+      overlayScope,
+      effective,
+      ..._diagnostics ? { _diagnostics } : {},
+      lock: lockState.lock,
+      ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
+      ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.lockDocsUrl !== void 0 ? { lockDocsUrl: lockState.lockDocsUrl } : {},
+      ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
+      ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
+      ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
+      editable: lockState.editable,
+      deletable: lockState.deletable,
+      resettable: lockState.resettable
+    };
+  }
+  /**
+   * ADR-0010 §3.6 / Phase 4.1 — read the metadata-protection audit log
+   * for a single item. Returns the most-recent rows of
+   * `sys_metadata_audit` for this (type, name) tuple, sorted newest
+   * first. Refused (`denied`) and forced (`forced`) writes both appear
+   * here — they never reach the `history` endpoint, which only tracks
+   * successful body snapshots.
+   *
+   * The table is provisioned by `platform-objects` and is the
+   * compliance surface for the lock-enforcement story. When the
+   * environment has not yet provisioned the table (legacy install
+   * prior to ADR-0010) the call returns `{ events: [] }` instead of
+   * raising, keeping the Studio tab harmless.
+   */
+  async auditMetaItem(request) {
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    const limit = Math.min(
+      Math.max(1, _nullishCoalesce(request.limit, () => ( 100))),
+      500
+    );
+    try {
+      const where = {
+        type: singular,
+        name: request.name
+      };
+      const rows = await this.engine.find("sys_metadata_audit", {
+        where,
+        orderBy: [{ field: "occurred_at", direction: "desc" }],
+        limit
+      });
+      const events = (Array.isArray(rows) ? rows : []).map((r) => ({
+        id: r.id,
+        occurredAt: typeof r.occurred_at === "string" ? r.occurred_at : r.occurred_at instanceof Date ? r.occurred_at.toISOString() : String(_nullishCoalesce(r.occurred_at, () => ( ""))),
+        actor: String(_nullishCoalesce(r.actor, () => ( "system"))),
+        source: _nullishCoalesce(r.source, () => ( null)),
+        operation: r.operation,
+        outcome: r.outcome,
+        code: String(_nullishCoalesce(r.code, () => ( ""))),
+        lockState: _nullishCoalesce(r.lock_state, () => ( null)),
+        lockOverridden: Boolean(r.lock_overridden),
+        requestId: _nullishCoalesce(r.request_id, () => ( null)),
+        note: _nullishCoalesce(r.note, () => ( null))
+      }));
+      return { events };
+    } catch (err) {
+      console.warn(
+        `[Protocol] auditMetaItem read failed for ${request.type}/${request.name}: ${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _82 => _82.message]), () => ( err))}`
+      );
+      return { events: [] };
+    }
+  }
+  async getUiView(request) {
+    const schema = this.engine.registry.getObject(request.object);
+    if (!schema) throw new Error(`Object ${request.object} not found`);
+    const fields = schema.fields || {};
+    const fieldKeys = Object.keys(fields);
+    if (request.type === "list") {
+      const priorityFields = ["name", "title", "label", "subject", "email", "status", "type", "category", "created_at"];
+      let columns = fieldKeys.filter((k) => priorityFields.includes(k));
+      if (columns.length < 5) {
+        const remaining = fieldKeys.filter((k) => !columns.includes(k) && k !== "id" && !fields[k].hidden);
+        columns = [...columns, ...remaining.slice(0, 5 - columns.length)];
+      }
+      return {
+        list: {
+          type: "grid",
+          object: request.object,
+          label: schema.label || schema.name,
+          columns: columns.map((f) => ({
+            field: f,
+            label: _optionalChain([fields, 'access', _83 => _83[f], 'optionalAccess', _84 => _84.label]) || f,
+            sortable: true
+          })),
+          sort: fields["created_at"] ? [{ field: "created_at", order: "desc" }] : void 0,
+          searchableFields: columns.slice(0, 3)
+          // Make first few textual columns searchable
+        }
+      };
+    } else {
+      const formFields = fieldKeys.filter((k) => k !== "id" && k !== "created_at" && k !== "updated_at" && !fields[k].hidden).map((f) => ({
+        field: f,
+        label: _optionalChain([fields, 'access', _85 => _85[f], 'optionalAccess', _86 => _86.label]),
+        required: _optionalChain([fields, 'access', _87 => _87[f], 'optionalAccess', _88 => _88.required]),
+        readonly: _optionalChain([fields, 'access', _89 => _89[f], 'optionalAccess', _90 => _90.readonly]),
+        type: _optionalChain([fields, 'access', _91 => _91[f], 'optionalAccess', _92 => _92.type]),
+        // Default to 2 columns for most, 1 for textareas
+        colSpan: _optionalChain([fields, 'access', _93 => _93[f], 'optionalAccess', _94 => _94.type]) === "textarea" || _optionalChain([fields, 'access', _95 => _95[f], 'optionalAccess', _96 => _96.type]) === "html" ? 2 : 1
+      }));
+      return {
+        form: {
+          type: "simple",
+          object: request.object,
+          label: `Edit ${schema.label || schema.name}`,
+          sections: [
+            {
+              label: "General Information",
+              columns: 2,
+              collapsible: false,
+              collapsed: false,
+              fields: formFields
+            }
+          ]
+        }
+      };
+    }
+  }
+  async findData(request) {
+    const options = { ...request.query };
+    if (request.context !== void 0) {
+      options.context = request.context;
+    }
+    for (const [dollar, bare] of [
+      ["$top", "top"],
+      ["$skip", "skip"],
+      ["$orderby", "orderBy"],
+      ["$select", "select"],
+      ["$count", "count"],
+      ["$search", "search"],
+      ["$searchFields", "searchFields"]
+    ]) {
+      if (options[dollar] != null && options[bare] == null) {
+        options[bare] = options[dollar];
+      }
+      delete options[dollar];
+    }
+    if (options.top != null) {
+      options.limit = Number(options.top);
+      delete options.top;
+    }
+    if (options.skip != null) {
+      options.offset = Number(options.skip);
+      delete options.skip;
+    }
+    if (options.limit != null) options.limit = Number(options.limit);
+    if (options.offset != null) options.offset = Number(options.offset);
+    if (typeof options.select === "string") {
+      options.fields = options.select.split(",").map((s) => s.trim()).filter(Boolean);
+    } else if (Array.isArray(options.select)) {
+      options.fields = options.select;
+    }
+    if (options.select !== void 0) delete options.select;
+    const sortValue = _nullishCoalesce(options.orderBy, () => ( options.sort));
+    if (typeof sortValue === "string") {
+      const parsed = sortValue.split(",").map((part) => {
+        const trimmed = part.trim();
+        if (trimmed.startsWith("-")) {
+          return { field: trimmed.slice(1), order: "desc" };
+        }
+        const [field, order] = trimmed.split(/\s+/);
+        return { field, order: _optionalChain([order, 'optionalAccess', _97 => _97.toLowerCase, 'call', _98 => _98()]) === "desc" ? "desc" : "asc" };
+      }).filter((s) => s.field);
+      options.orderBy = parsed;
+    } else if (Array.isArray(sortValue)) {
+      options.orderBy = sortValue;
+    }
+    delete options.sort;
+    const filterValue = _nullishCoalesce(_nullishCoalesce(_nullishCoalesce(options.filter, () => ( options.filters)), () => ( options.$filter)), () => ( options.where));
+    delete options.filter;
+    delete options.filters;
+    delete options.$filter;
+    if (filterValue !== void 0) {
+      let parsedFilter = filterValue;
+      if (typeof parsedFilter === "string") {
+        try {
+          parsedFilter = JSON.parse(parsedFilter);
+        } catch (e24) {
+        }
+      }
+      if (_data.isFilterAST.call(void 0, parsedFilter)) {
+        parsedFilter = _data.parseFilterAST.call(void 0, parsedFilter);
+      }
+      options.where = parsedFilter;
+    }
+    const populateValue = options.populate;
+    const expandValue = _nullishCoalesce(options.$expand, () => ( options.expand));
+    const expandNames = [];
+    if (typeof populateValue === "string") {
+      expandNames.push(...populateValue.split(",").map((s) => s.trim()).filter(Boolean));
+    } else if (Array.isArray(populateValue)) {
+      expandNames.push(...populateValue);
+    }
+    if (!expandNames.length && expandValue) {
+      if (typeof expandValue === "string") {
+        expandNames.push(...expandValue.split(",").map((s) => s.trim()).filter(Boolean));
+      } else if (Array.isArray(expandValue)) {
+        expandNames.push(...expandValue);
+      }
+    }
+    delete options.populate;
+    delete options.$expand;
+    if (typeof options.expand !== "object" || options.expand === null) {
+      delete options.expand;
+    }
+    if (expandNames.length > 0 && !options.expand) {
+      options.expand = {};
+      for (const rel of expandNames) {
+        options.expand[rel] = { object: rel };
+      }
+    }
+    for (const key of ["distinct", "count"]) {
+      if (options[key] === "true") options[key] = true;
+      else if (options[key] === "false") options[key] = false;
+    }
+    const knownParams = /* @__PURE__ */ new Set([
+      "top",
+      "limit",
+      "offset",
+      "orderBy",
+      "fields",
+      "where",
+      "expand",
+      "distinct",
+      "count",
+      "aggregations",
+      "groupBy",
+      "search",
+      "searchFields",
+      "context",
+      "cursor"
+    ]);
+    if (!options.where) {
+      const implicitFilters = {};
+      for (const key of Object.keys(options)) {
+        if (!knownParams.has(key)) {
+          implicitFilters[key] = options[key];
+          delete options[key];
+        }
+      }
+      if (Object.keys(implicitFilters).length > 0) {
+        options.where = implicitFilters;
+      }
+    }
+    const hasGroupBy = Array.isArray(options.groupBy) && options.groupBy.length > 0;
+    const hasAggregations = Array.isArray(options.aggregations) && options.aggregations.length > 0;
+    if (hasGroupBy || hasAggregations) {
+      const records2 = await this.engine.aggregate(request.object, {
+        where: options.where,
+        groupBy: options.groupBy,
+        aggregations: options.aggregations,
+        context: options.context
+      });
+      const limited = typeof options.limit === "number" && options.limit > 0 ? records2.slice(0, options.limit) : records2;
+      return {
+        object: request.object,
+        records: limited,
+        total: records2.length,
+        hasMore: limited.length < records2.length
+      };
+    }
+    const records = await this.engine.find(request.object, options);
+    const pageLimit = typeof options.limit === "number" && options.limit > 0 ? options.limit : void 0;
+    const pageOffset = typeof options.offset === "number" && options.offset > 0 ? options.offset : 0;
+    let total = records.length;
+    let hasMore = false;
+    if (pageLimit !== void 0) {
+      const countable = options.search == null && options.distinct == null;
+      if (countable) {
+        try {
+          total = await this.engine.count(request.object, {
+            where: options.where,
+            context: options.context
+          });
+        } catch (e25) {
+          total = pageOffset + records.length;
+        }
+        hasMore = pageOffset + records.length < total;
+      } else {
+        hasMore = records.length === pageLimit;
+        total = pageOffset + records.length + (hasMore ? 1 : 0);
+      }
+    }
+    return {
+      object: request.object,
+      records,
+      total,
+      hasMore
+    };
+  }
+  async getData(request) {
+    const queryOptions = {
+      where: { id: request.id }
+    };
+    if (request.context !== void 0) {
+      queryOptions.context = request.context;
+    }
+    if (request.select) {
+      queryOptions.fields = typeof request.select === "string" ? request.select.split(",").map((s) => s.trim()).filter(Boolean) : request.select;
+    }
+    if (request.expand) {
+      const expandNames = typeof request.expand === "string" ? request.expand.split(",").map((s) => s.trim()).filter(Boolean) : request.expand;
+      queryOptions.expand = {};
+      for (const rel of expandNames) {
+        queryOptions.expand[rel] = { object: rel };
+      }
+    }
+    const result = await this.engine.findOne(request.object, queryOptions);
+    if (result) {
+      return {
+        object: request.object,
+        id: request.id,
+        record: result
+      };
+    }
+    const err = new Error(`Record ${request.id} not found in ${request.object}`);
+    err.code = "RECORD_NOT_FOUND";
+    err.status = 404;
+    err.object = request.object;
+    throw err;
+  }
+  async createData(request) {
+    const result = await this.engine.insert(
+      request.object,
+      request.data,
+      request.context !== void 0 ? { context: request.context } : void 0
+    );
+    return {
+      object: request.object,
+      id: result.id,
+      record: result
+    };
+  }
+  /**
+   * Clone a record — read the source, drop engine-owned columns, and
+   * insert a fresh copy. Gated by the object's `enable.clone` capability
+   * (default `true`; only an explicit `enable.clone === false` disables it).
+   *
+   * Shallow by design: it duplicates the record's own scalar/business field
+   * values, not its related child records. The insert path re-stamps audit
+   * columns, regenerates `autonumber` fields, and recomputes derived
+   * (`formula`/`summary`) fields, so the copy is a valid new row rather than
+   * a byte-identical twin. Caller-supplied `overrides` are applied last and
+   * win over the copied values — the natural place to set a new `name`,
+   * clear a unique field, or reset status before insert.
+   */
+  async cloneData(request) {
+    const schema = this.engine.registry.getObject(request.object);
+    if (!schema) {
+      const err = new Error(`Object '${request.object}' not found`);
+      err.code = "OBJECT_NOT_FOUND";
+      err.status = 404;
+      err.object = request.object;
+      throw err;
+    }
+    if (_optionalChain([schema, 'access', _99 => _99.enable, 'optionalAccess', _100 => _100.clone]) === false) {
+      const err = new Error(`Cloning is disabled for object '${request.object}'`);
+      err.code = "CLONE_DISABLED";
+      err.status = 403;
+      err.object = request.object;
+      throw err;
+    }
+    const ctx = request.context;
+    const ctxOpt = ctx !== void 0 ? { context: ctx } : void 0;
+    const source = await this.engine.findOne(
+      request.object,
+      { where: { id: request.id }, ...ctxOpt }
+    );
+    if (!source) {
+      const err = new Error(`Record ${request.id} not found in ${request.object}`);
+      err.code = "RECORD_NOT_FOUND";
+      err.status = 404;
+      err.object = request.object;
+      throw err;
+    }
+    const data = { ...source };
+    for (const f of CLONE_STRIP_FIELDS) delete data[f];
+    const fields = schema.fields || {};
+    for (const [name, def] of Object.entries(fields)) {
+      if (!def) continue;
+      if (def.system === true || def.type === "autonumber" || def.type === "formula" || def.type === "summary") {
+        delete data[name];
+      }
+    }
+    if (request.overrides && typeof request.overrides === "object") {
+      Object.assign(data, request.overrides);
+    }
+    const result = await this.engine.insert(request.object, data, ctxOpt);
+    return {
+      object: request.object,
+      id: result.id,
+      sourceId: request.id,
+      record: result
+    };
+  }
+  async updateData(request) {
+    await this.assertVersionMatch(request.object, request.id, request.expectedVersion, request.context);
+    const opts = { where: { id: request.id } };
+    if (request.context !== void 0) opts.context = request.context;
+    const result = await this.engine.update(request.object, request.data, opts);
+    return {
+      object: request.object,
+      id: request.id,
+      record: result
+    };
+  }
+  async deleteData(request) {
+    await this.assertVersionMatch(request.object, request.id, request.expectedVersion, request.context);
+    const opts = { where: { id: request.id } };
+    if (request.context !== void 0) opts.context = request.context;
+    await this.engine.delete(request.object, opts);
+    return {
+      object: request.object,
+      id: request.id,
+      success: true
+    };
+  }
+  /**
+   * Optimistic Concurrency Control gate shared by updateData/deleteData.
+   *
+   * When the caller passes a non-empty `expectedVersion` token (typically
+   * the `updated_at` value they read), this fetches the current record
+   * and compares its `updated_at` against the token. Mismatch → throw
+   * `ConcurrentUpdateError` which the REST layer maps to 409.
+   *
+   * Behaviour:
+   *  - Empty/missing token → no check (opt-in semantics; existing callers
+   *    that haven't yet adopted OCC are unaffected).
+   *  - Record not found → no check; downstream `engine.update` will
+   *    surface the usual `RECORD_NOT_FOUND` 404. We intentionally do not
+   *    treat "missing record" as a concurrency conflict.
+   *  - Record has no `updated_at` field (timestamps disabled) → no check.
+   *    Logging would be noisy here; OCC is opt-in and the absence of a
+   *    version column is an explicit "this object doesn't support OCC"
+   *    signal.
+   */
+  async assertVersionMatch(object, id, expectedVersion, context) {
+    const expected = normaliseVersionToken(expectedVersion);
+    if (!expected) return;
+    const findOpts = { where: { id } };
+    if (context !== void 0) findOpts.context = context;
+    const current = await this.engine.findOne(object, findOpts);
+    if (!current) return;
+    const currentVersion = normaliseVersionToken(current.updated_at);
+    if (!currentVersion) return;
+    if (currentVersion !== expected) {
+      throw new ConcurrentUpdateError({
+        currentVersion,
+        currentRecord: current,
+        message: `Record ${object}/${id} was modified by another user (current version ${currentVersion}, expected ${expected})`
+      });
+    }
+  }
+  // ==========================================
+  // Global Search (M10.5)
+  // ==========================================
+  /**
+   * Cross-object substring search across all registered objects that opt in
+   * via `enable.searchable !== false` and `enable.apiEnabled !== false`.
+   * Searches text-like fields (text/textarea/email/url/phone/markdown/html/string)
+   * whose `searchable: true` flag is set, falling back to the object's
+   * `displayNameField` (or `name`) when no fields are explicitly searchable.
+   *
+   * The query is split into whitespace-separated terms; each term must match
+   * (case-insensitive LIKE) at least one searchable field. RBAC/RLS is
+   * enforced by forwarding the caller's `context` to `engine.find` so users
+   * only see records they are entitled to read.
+   */
+  async searchAll(request) {
+    const q = (_nullishCoalesce(request.q, () => ( ""))).trim();
+    if (!q) {
+      return { query: "", hits: [], totalObjects: 0, totalHits: 0, truncated: false };
+    }
+    const overallLimit = Math.max(1, Math.min(100, Number(_nullishCoalesce(request.limit, () => ( 20)))));
+    const perObject = Math.max(1, Math.min(25, Number(_nullishCoalesce(request.perObject, () => ( 5)))));
+    const objectsFilter = request.objects && request.objects.length ? new Set(request.objects) : null;
+    const terms = q.split(/\s+/).filter(Boolean).slice(0, 8);
+    const allObjects = _nullishCoalesce(_optionalChain([this, 'access', _101 => _101.engine, 'access', _102 => _102.registry, 'optionalAccess', _103 => _103.getAllObjects, 'optionalCall', _104 => _104()]), () => ( []));
+    const hits = [];
+    let objectsScanned = 0;
+    for (const obj of allObjects) {
+      if (hits.length >= overallLimit) break;
+      if (!_optionalChain([obj, 'optionalAccess', _105 => _105.name])) continue;
+      if (objectsFilter && !objectsFilter.has(obj.name)) continue;
+      const enable = _nullishCoalesce(obj.enable, () => ( {}));
+      if (enable.searchable === false) continue;
+      if (enable.apiEnabled === false) continue;
+      if (obj.name.startsWith("sys_audit_log") || obj.name.startsWith("sys_activity") || obj.name.startsWith("sys_session") || obj.name.startsWith("sys_presence") || obj.name.startsWith("sys_metadata") || obj.name.startsWith("sys_account")) {
+        continue;
+      }
+      const fieldsRaw = obj.fields;
+      const fields = Array.isArray(fieldsRaw) ? fieldsRaw : fieldsRaw && typeof fieldsRaw === "object" ? Object.entries(fieldsRaw).map(([name, f]) => ({ name, ...f || {} })) : [];
+      const TEXT_TYPES = /* @__PURE__ */ new Set(["text", "textarea", "string", "email", "url", "phone", "markdown", "html"]);
+      const fieldByName = new Map(fields.map((f) => [f.name, f]));
+      const hasField = (n) => fieldByName.has(n);
+      const titleFormatSource = obj.titleFormat && (obj.titleFormat.source || obj.titleFormat) || void 0;
+      const renderTitle = (row) => {
+        if (typeof titleFormatSource === "string") {
+          let allResolved = true;
+          const rendered = titleFormatSource.replace(/\{\{?\s*([a-zA-Z0-9_.]+)\s*\}?\}/g, (_m, key) => {
+            const v = row[key];
+            if (v == null || v === "") {
+              allResolved = false;
+              return "";
+            }
+            return String(v);
+          }).trim();
+          if (rendered && allResolved) return rendered;
+          if (rendered) return rendered.replace(/\s+-\s+$/, "").replace(/^\s+-\s+/, "").trim() || row.id;
+        }
+        const candidates = [
+          obj.displayNameField,
+          "name",
+          "full_name",
+          "title",
+          "subject",
+          "label",
+          "company"
+        ].filter((c) => typeof c === "string" && hasField(c));
+        for (const c of candidates) {
+          const v = row[c];
+          if (v != null && String(v).trim()) return String(v);
+        }
+        const fn = row.first_name, ln = row.last_name;
+        if (fn || ln) return `${_nullishCoalesce(fn, () => ( ""))} ${_nullishCoalesce(ln, () => ( ""))}`.trim();
+        return String(row.id);
+      };
+      const titleFieldName = obj.displayNameField || (hasField("name") ? "name" : void 0) || (hasField("title") ? "title" : void 0) || _optionalChain([fields, 'access', _106 => _106.find, 'call', _107 => _107((f) => TEXT_TYPES.has(f.type)), 'optionalAccess', _108 => _108.name]);
+      let searchableFields = fields.filter((f) => f && TEXT_TYPES.has(f.type) && f.searchable === true).map((f) => f.name);
+      if (searchableFields.length === 0 && titleFieldName) {
+        searchableFields = [titleFieldName];
+      }
+      if (searchableFields.length === 0) continue;
+      objectsScanned++;
+      const andClauses = terms.map((term) => ({
+        $or: searchableFields.map((f) => ({ [f]: { $contains: term } }))
+      }));
+      const where = andClauses.length === 1 ? andClauses[0] : { $and: andClauses };
+      try {
+        const opts = {
+          where,
+          limit: perObject,
+          orderBy: [{ field: "updated_at", direction: "desc" }]
+        };
+        if (request.context !== void 0) opts.context = request.context;
+        const rows = await this.engine.find(obj.name, opts);
+        for (const row of rows || []) {
+          if (hits.length >= overallLimit) break;
+          const title = renderTitle(row);
+          let snippet;
+          for (const f of searchableFields) {
+            const v = row[f];
+            if (typeof v === "string" && v) {
+              const lc = v.toLowerCase();
+              const idx = terms.map((t) => lc.indexOf(t.toLowerCase())).find((i) => i >= 0);
+              if (idx != null && idx >= 0) {
+                const start = Math.max(0, idx - 30);
+                const end = Math.min(v.length, idx + 90);
+                snippet = (start > 0 ? "\u2026" : "") + v.slice(start, end) + (end < v.length ? "\u2026" : "");
+                break;
+              }
+            }
+          }
+          hits.push({
+            object: obj.name,
+            id: row.id,
+            title,
+            snippet,
+            record: row
+          });
+        }
+      } catch (e26) {
+        continue;
+      }
+    }
+    return {
+      query: q,
+      hits,
+      totalObjects: objectsScanned,
+      totalHits: hits.length,
+      truncated: hits.length >= overallLimit
+    };
+  }
+  // ==========================================
+  // Metadata Caching
+  // ==========================================
+  async getMetaItemCached(request) {
+    try {
+      const result = await this.getMetaItem({ type: request.type, name: request.name });
+      const item = _optionalChain([result, 'optionalAccess', _109 => _109.item]);
+      if (!item) {
+        throw new Error(`Metadata item ${request.type}/${request.name} not found`);
+      }
+      const content = JSON.stringify(item);
+      const hash = simpleHash(request.locale ? `${request.locale}\0${content}` : content);
+      const etag = { value: hash, weak: false };
+      if (_optionalChain([request, 'access', _110 => _110.cacheRequest, 'optionalAccess', _111 => _111.ifNoneMatch])) {
+        const clientEtag = request.cacheRequest.ifNoneMatch.replace(/^"(.*)"$/, "$1").replace(/^W\/"(.*)"$/, "$1");
+        if (clientEtag === hash) {
+          return {
+            notModified: true,
+            etag
+          };
+        }
+      }
+      return {
+        data: item,
+        etag,
+        lastModified: (/* @__PURE__ */ new Date()).toISOString(),
+        cacheControl: {
+          // Metadata is invalidated by publish, so freshness must be
+          // gated by the ETag validator — not a TTL. `no-cache` lets
+          // clients store the body but forces an `If-None-Match`
+          // revalidation on every use: a cheap 304 when unchanged,
+          // fresh fields the instant a publish bumps the ETag. The old
+          // `max-age=3600` pinned the schema for up to an hour, so the
+          // AI-build "New" form kept rendering pre-publish fields until
+          // the TTL lapsed (no revalidation in between). `private` also
+          // keeps per-tenant metadata out of shared CDN/proxy caches.
+          directives: ["private", "no-cache"]
+        },
+        notModified: false
+      };
+    } catch (error) {
+      throw error;
+    }
+  }
+  // ==========================================
+  // Batch Operations
+  // ==========================================
+  async batchData(request) {
+    const { object, request: batchReq } = request;
+    const { operation, records, options } = batchReq;
+    const results = [];
+    let succeeded = 0;
+    let failed = 0;
+    for (const record of records) {
+      try {
+        switch (operation) {
+          case "create": {
+            const created = await this.engine.insert(object, record.data || record);
+            results.push({ id: created.id, success: true, record: created });
+            succeeded++;
+            break;
+          }
+          case "update": {
+            if (!record.id) throw new Error("Record id is required for update");
+            const updated = await this.engine.update(object, record.data || {}, { where: { id: record.id } });
+            results.push({ id: record.id, success: true, record: updated });
+            succeeded++;
+            break;
+          }
+          case "upsert": {
+            if (record.id) {
+              try {
+                const existing = await this.engine.findOne(object, { where: { id: record.id } });
+                if (existing) {
+                  const updated = await this.engine.update(object, record.data || {}, { where: { id: record.id } });
+                  results.push({ id: record.id, success: true, record: updated });
+                } else {
+                  const created = await this.engine.insert(object, { id: record.id, ...record.data || {} });
+                  results.push({ id: created.id, success: true, record: created });
+                }
+              } catch (e27) {
+                const created = await this.engine.insert(object, { id: record.id, ...record.data || {} });
+                results.push({ id: created.id, success: true, record: created });
+              }
+            } else {
+              const created = await this.engine.insert(object, record.data || record);
+              results.push({ id: created.id, success: true, record: created });
+            }
+            succeeded++;
+            break;
+          }
+          case "delete": {
+            if (!record.id) throw new Error("Record id is required for delete");
+            await this.engine.delete(object, { where: { id: record.id } });
+            results.push({ id: record.id, success: true });
+            succeeded++;
+            break;
+          }
+          default:
+            results.push({ id: record.id, success: false, error: `Unknown operation: ${operation}` });
+            failed++;
+        }
+      } catch (err) {
+        results.push({ id: record.id, success: false, error: err.message });
+        failed++;
+        if (_optionalChain([options, 'optionalAccess', _112 => _112.atomic])) {
+          break;
+        }
+        if (!_optionalChain([options, 'optionalAccess', _113 => _113.continueOnError])) {
+          break;
+        }
+      }
+    }
+    return {
+      success: failed === 0,
+      operation,
+      total: records.length,
+      succeeded,
+      failed,
+      results: _optionalChain([options, 'optionalAccess', _114 => _114.returnRecords]) !== false ? results : results.map((r) => ({ id: r.id, success: r.success, error: r.error }))
+    };
+  }
+  async createManyData(request) {
+    const records = await this.engine.insert(request.object, request.records);
+    return {
+      object: request.object,
+      records,
+      count: records.length
+    };
+  }
+  async updateManyData(request) {
+    const { object, records, options } = request;
+    const results = [];
+    let succeeded = 0;
+    let failed = 0;
+    for (const record of records) {
+      try {
+        const updated = await this.engine.update(object, record.data, { where: { id: record.id } });
+        results.push({ id: record.id, success: true, record: updated });
+        succeeded++;
+      } catch (err) {
+        results.push({ id: record.id, success: false, error: err.message });
+        failed++;
+        if (!_optionalChain([options, 'optionalAccess', _115 => _115.continueOnError])) {
+          break;
+        }
+      }
+    }
+    return {
+      success: failed === 0,
+      operation: "update",
+      total: records.length,
+      succeeded,
+      failed,
+      results
+    };
+  }
+  async analyticsQuery(request) {
+    const { query, cube } = request;
+    const object = cube;
+    const groupBy = query.dimensions || [];
+    const aggregations = [];
+    if (query.measures) {
+      for (const measure of query.measures) {
+        if (measure === "count" || measure === "count_all") {
+          aggregations.push({ field: "*", method: "count", alias: "count" });
+        } else if (measure.includes(".")) {
+          const [field, method] = measure.split(".");
+          aggregations.push({ field, method, alias: `${field}_${method}` });
+        } else {
+          aggregations.push({ field: measure, method: "sum", alias: measure });
+        }
+      }
+    }
+    let filter = void 0;
+    if (query.filters && query.filters.length > 0) {
+      const conditions = query.filters.map((f) => {
+        const op = this.mapAnalyticsOperator(f.operator);
+        if (f.values && f.values.length === 1) {
+          return { [f.member]: { [op]: f.values[0] } };
+        } else if (f.values && f.values.length > 1) {
+          return { [f.member]: { $in: f.values } };
+        }
+        return { [f.member]: { [op]: true } };
+      });
+      filter = conditions.length === 1 ? conditions[0] : { $and: conditions };
+    }
+    const rows = await this.engine.aggregate(object, {
+      where: filter,
+      groupBy: groupBy.length > 0 ? groupBy : void 0,
+      aggregations: aggregations.length > 0 ? aggregations.map((a) => ({ function: a.method, field: a.field, alias: a.alias })) : [{ function: "count", alias: "count" }]
+    });
+    const fields = [
+      ...groupBy.map((d) => ({ name: d, type: "string" })),
+      ...aggregations.map((a) => ({ name: a.alias, type: "number" }))
+    ];
+    return {
+      success: true,
+      data: {
+        rows,
+        fields
+      }
+    };
+  }
+  async getAnalyticsMeta(request) {
+    const objects = this.engine.registry.listItems("object");
+    const cubeFilter = _optionalChain([request, 'optionalAccess', _116 => _116.cube]);
+    const cubes = [];
+    for (const obj of objects) {
+      const schema = obj;
+      if (cubeFilter && schema.name !== cubeFilter) continue;
+      const measures = {};
+      const dimensions = {};
+      const fields = schema.fields || {};
+      measures["count"] = {
+        name: "count",
+        label: "Count",
+        type: "count",
+        sql: "*"
+      };
+      for (const [fieldName, fieldDef] of Object.entries(fields)) {
+        const fd = fieldDef;
+        const fieldType = fd.type || "text";
+        if (["number", "currency", "percent"].includes(fieldType)) {
+          measures[`${fieldName}_sum`] = {
+            name: `${fieldName}_sum`,
+            label: `${fd.label || fieldName} (Sum)`,
+            type: "sum",
+            sql: fieldName
+          };
+          measures[`${fieldName}_avg`] = {
+            name: `${fieldName}_avg`,
+            label: `${fd.label || fieldName} (Avg)`,
+            type: "avg",
+            sql: fieldName
+          };
+          dimensions[fieldName] = {
+            name: fieldName,
+            label: fd.label || fieldName,
+            type: "number",
+            sql: fieldName
+          };
+        } else if (["date", "datetime"].includes(fieldType)) {
+          dimensions[fieldName] = {
+            name: fieldName,
+            label: fd.label || fieldName,
+            type: "time",
+            sql: fieldName,
+            granularities: ["day", "week", "month", "quarter", "year"]
+          };
+        } else if (["boolean"].includes(fieldType)) {
+          dimensions[fieldName] = {
+            name: fieldName,
+            label: fd.label || fieldName,
+            type: "boolean",
+            sql: fieldName
+          };
+        } else {
+          dimensions[fieldName] = {
+            name: fieldName,
+            label: fd.label || fieldName,
+            type: "string",
+            sql: fieldName
+          };
+        }
+      }
+      cubes.push({
+        name: schema.name,
+        title: schema.label || schema.name,
+        description: schema.description,
+        sql: schema.name,
+        measures,
+        dimensions,
+        public: true
+      });
+    }
+    return {
+      success: true,
+      data: { cubes }
+    };
+  }
+  mapAnalyticsOperator(op) {
+    const map = {
+      equals: "$eq",
+      notEquals: "$ne",
+      contains: "$contains",
+      notContains: "$notContains",
+      gt: "$gt",
+      gte: "$gte",
+      lt: "$lt",
+      lte: "$lte",
+      set: "$ne",
+      notSet: "$eq"
+    };
+    return map[op] || "$eq";
+  }
+  async triggerAutomation(_request) {
+    throw new Error('triggerAutomation requires plugin-automation service. Install and register a plugin that provides the "automation" service.');
+  }
+  async deleteManyData(request) {
+    return this.engine.delete(request.object, {
+      where: { id: { $in: request.ids } },
+      ...request.options
+    });
+  }
+  static envWritableTypes() {
+    if (this._envWritableTypes !== null) return this._envWritableTypes;
+    const raw = _types.readEnvWithDeprecation.call(void 0, "OS_METADATA_WRITABLE", "OBJECTSTACK_METADATA_WRITABLE") || "";
+    const set = /* @__PURE__ */ new Set();
+    for (const tok of raw.split(",")) {
+      const t = tok.trim();
+      if (!t) continue;
+      const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[t], () => ( t));
+      set.add(singular);
+      const plural = _shared.SINGULAR_TO_PLURAL[singular];
+      if (plural) set.add(plural);
+    }
+    this._envWritableTypes = set;
+    return set;
+  }
+  /** Test hook — clear the memoised env-writable cache. */
+  static resetEnvWritableCache() {
+    this._envWritableTypes = null;
+  }
+  /** Normalize plural→singular before consulting the allow-list. */
+  static isOverlayAllowed(type) {
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+    if (this.OVERLAY_ALLOWED_TYPES.has(singular) || this.OVERLAY_ALLOWED_TYPES.has(type)) {
+      return true;
+    }
+    const env = this.envWritableTypes();
+    return env.has(singular) || env.has(type);
+  }
+  /** Does this type permit creating brand-new (artifact-free) items? */
+  static isRuntimeCreateAllowed(type) {
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+    if (this.RUNTIME_CREATE_ALLOWED_TYPES.has(singular) || this.RUNTIME_CREATE_ALLOWED_TYPES.has(type)) {
+      return true;
+    }
+    if (!this.STATIC_REGISTRY_TYPES.has(singular) && !this.STATIC_REGISTRY_TYPES.has(type)) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Does an artifact (npm-package-loaded) item exist at `(type, name)`?
+   *
+   * The schema registry's `_packageId` tag is set only when
+   * `registerItem(..., packageId)` is called with a truthy packageId
+   * — and only artifact loaders do that. DB-rehydrated items
+   * (sys_metadata rows registered back into the registry by
+   * `getMetaItems` / `loadMetaFromDb`) call `registerItem` without a
+   * packageId, so they carry no `_packageId` and are correctly
+   * excluded here.
+   *
+   * Used by the two-tier authorization model to distinguish
+   * "overlaying a packaged item" (requires `allowOrgOverride`) from
+   * "authoring a DB-only item" (requires only `allowRuntimeCreate`).
+   */
+  isArtifactBacked(type, name) {
+    return this.lookupArtifactItem(type, name) !== void 0;
+  }
+  // ───────────────────────────────────────────────────────────────────
+  // ADR-0010 — metadata protection (Phase 1: L3 item-level lock)
+  // ───────────────────────────────────────────────────────────────────
+  /**
+   * Look up an item from the artifact registry across both the requested
+   * type and its singular/plural twin. Returns `undefined` when the
+   * registry is unavailable or the item is not artifact-backed.
+   */
+  lookupArtifactItem(type, name, currentPackageId) {
+    const registry = _optionalChain([this, 'access', _117 => _117.engine, 'optionalAccess', _118 => _118.registry]);
+    if (!registry) return void 0;
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+    if (typeof registry.getArtifactItem === "function") {
+      return _nullishCoalesce(registry.getArtifactItem(singular, name, currentPackageId), () => ( registry.getArtifactItem(type, name, currentPackageId)));
+    }
+    if (typeof registry.getItem !== "function") return void 0;
+    const item = _nullishCoalesce(registry.getItem(singular, name, currentPackageId), () => ( registry.getItem(type, name, currentPackageId)));
+    if (!item || !item._packageId || item._packageId === "sys_metadata") {
+      return void 0;
+    }
+    return item;
+  }
+  /**
+   * True when `packageId` is a **writable base** — a DB-backed package an
+   * org or the AI may author *new* metadata into (ADR-0070 D2). The two
+   * read-only kinds return `false`:
+   *
+   *   • **Booted code packages** — they register a manifest into the engine
+   *     at startup (`registerApp` → `engine.manifests`); their items are
+   *     code-shipped artifacts. Only `allowOrgOverride` overlays are allowed
+   *     (ADR-0005), never fresh authored items.
+   *   • **Installed / platform packages** — manifest `scope` is `system` or
+   *     `cloud` (marketplace / platform-delivered).
+   *
+   * A project-scoped DB package, or a bare ADR-0048 *authoring-workspace* id
+   * with no registered manifest, is writable.
+   *
+   * NOTE: the code-package signal is the engine manifest map ONLY — we
+   * deliberately do NOT fall back to "owns ≥1 registered object" (the old
+   * `isLoadedPackage` heuristic). A writable base accrues registered objects
+   * once its drafts publish, and that must never flip the base to read-only
+   * — that is the exact #2252 read-only-after-publish trap this ADR removes.
+   */
+  isWritablePackage(packageId) {
+    if (!packageId) return false;
+    const engine = this.engine;
+    if (_optionalChain([engine, 'optionalAccess', _119 => _119.manifests, 'optionalAccess', _120 => _120.has, 'optionalCall', _121 => _121(packageId)])) return false;
+    const scope = _optionalChain([engine, 'optionalAccess', _122 => _122.registry, 'optionalAccess', _123 => _123.getPackage, 'optionalCall', _124 => _124(packageId), 'optionalAccess', _125 => _125.manifest, 'optionalAccess', _126 => _126.scope]);
+    if (scope === "system" || scope === "cloud") return false;
+    return true;
+  }
+  /**
+   * Resolve the effective `_lock` for an item by consulting the
+   * artifact registry first, then the persisted overlay row. Artifact
+   * always wins — by design, an overlay cannot loosen a packaged
+   * lock (ADR-0010 §3.3).
+   *
+   * Returns `'none'` when nothing is locked, which is the common
+   * case. Safe to call when `environmentId` is undefined (control-
+   * plane bootstrap) — the lock check is only meaningful in tenant
+   * scope and the caller is expected to also gate on `environmentId`.
+   */
+  async getEffectiveLock(type, name, organizationId) {
+    const artifactItem = this.lookupArtifactItem(type, name);
+    if (artifactItem) {
+      const p = _kernel.extractProtection.call(void 0, artifactItem);
+      if (p.lock !== "none") {
+        return { lock: p.lock, lockReason: p.lockReason, lockSource: "artifact" };
+      }
+    }
+    try {
+      const where = {
+        type,
+        name,
+        state: "active",
+        organization_id: _nullishCoalesce(organizationId, () => ( null))
+      };
+      const row = await this.engine.findOne("sys_metadata", { where });
+      if (row) {
+        const body = typeof row.metadata === "string" ? JSON.parse(row.metadata) : row.metadata;
+        const p = _kernel.extractProtection.call(void 0, body);
+        if (p.lock !== "none") {
+          return { lock: p.lock, lockReason: p.lockReason, lockSource: "overlay" };
+        }
+      }
+    } catch (e28) {
+    }
+    return { lock: "none", lockReason: void 0, lockSource: void 0 };
+  }
+  /**
+   * Best-effort audit-row writer (ADR-0010 §3.6). Failures here are
+   * logged but never block the underlying decision: an environment
+   * without the audit table provisioned (legacy installs before this
+   * ADR landed) still answers normal API calls, just without the
+   * compliance trail. Phase 2 will make the audit table a hard
+   * dependency.
+   */
+  async recordMetadataAudit(entry) {
+    try {
+      await this.engine.insert("sys_metadata_audit", {
+        occurred_at: (/* @__PURE__ */ new Date()).toISOString(),
+        actor: _nullishCoalesce(entry.actor, () => ( "system")),
+        source: _nullishCoalesce(entry.source, () => ( "protocol")),
+        type: _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[entry.type], () => ( entry.type)),
+        name: entry.name,
+        organization_id: _nullishCoalesce(entry.organizationId, () => ( null)),
+        operation: entry.operation,
+        outcome: entry.outcome,
+        code: entry.code,
+        lock_state: _nullishCoalesce(entry.lockState, () => ( "none")),
+        lock_overridden: _nullishCoalesce(entry.lockOverridden, () => ( false)),
+        request_id: _nullishCoalesce(entry.requestId, () => ( null)),
+        note: _nullishCoalesce(entry.note, () => ( null))
+      });
+    } catch (err) {
+      console.warn(
+        `[Protocol] sys_metadata_audit write failed for ${entry.type}/${entry.name}: ${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _127 => _127.message]), () => ( err))}`
+      );
+    }
+  }
+  /**
+   * Phase 1 L3 enforcement for write operations (save / publish /
+   * rollback). Returns null on allow. Returns the structured `Error`
+   * the caller should `throw` on deny — also records the denial in
+   * the audit log so refused attempts are visible in compliance
+   * reports (refused writes never reach sys_metadata_history).
+   */
+  async assertLockAllowsWrite(args) {
+    if (this.environmentId === void 0) return null;
+    const state = await this.getEffectiveLock(args.type, args.name, _nullishCoalesce(args.organizationId, () => ( null)));
+    const refusal = _kernel.evaluateLockForWrite.call(void 0, state.lock);
+    if (!refusal) return null;
+    const reason = _nullishCoalesce(state.lockReason, () => ( refusal.reason));
+    const err = new Error(
+      `[item_locked] ${args.type}/${args.name} is locked (_lock=${state.lock}${state.lockSource ? `, source=${state.lockSource}` : ""}). ${reason} \u2014 See ADR-0010 \xA73.3.`
+    );
+    err.code = "item_locked";
+    err.status = 403;
+    err.lock = state.lock;
+    err.lockReason = reason;
+    await this.recordMetadataAudit({
+      type: args.type,
+      name: args.name,
+      organizationId: _nullishCoalesce(args.organizationId, () => ( null)),
+      operation: args.operation,
+      outcome: "denied",
+      code: "item_locked",
+      lockState: state.lock,
+      actor: args.actor,
+      source: _nullishCoalesce(args.source, () => ( `protocol.${args.operation}MetaItem`)),
+      requestId: args.requestId,
+      note: reason
+    });
+    return err;
+  }
+  /** Counterpart of {@link assertLockAllowsWrite} for delete. */
+  async assertLockAllowsDelete(args) {
+    if (this.environmentId === void 0) return null;
+    const state = await this.getEffectiveLock(args.type, args.name, _nullishCoalesce(args.organizationId, () => ( null)));
+    const refusal = _kernel.evaluateLockForDelete.call(void 0, state.lock);
+    if (!refusal) return null;
+    const reason = _nullishCoalesce(state.lockReason, () => ( refusal.reason));
+    const err = new Error(
+      `[item_locked] ${args.type}/${args.name} is locked (_lock=${state.lock}${state.lockSource ? `, source=${state.lockSource}` : ""}). ${reason} \u2014 See ADR-0010 \xA73.3.`
+    );
+    err.code = "item_locked";
+    err.status = 403;
+    err.lock = state.lock;
+    err.lockReason = reason;
+    await this.recordMetadataAudit({
+      type: args.type,
+      name: args.name,
+      organizationId: _nullishCoalesce(args.organizationId, () => ( null)),
+      operation: "delete",
+      outcome: "denied",
+      code: "item_locked",
+      lockState: state.lock,
+      actor: args.actor,
+      source: _nullishCoalesce(args.source, () => ( "protocol.deleteMetaItem")),
+      requestId: args.requestId,
+      note: reason
+    });
+    return err;
+  }
+  /**
+   * Mirror an object-type overlay write into the in-memory engine
+   * registry so subsequent CRUD finds the new schema. Idempotent and
+   * safe to call after a successful persistence call. For the legacy
+   * write path this is invoked BEFORE persistence (historical behavior
+   * preserved); for the PR-10d.3 repository path it is invoked only
+   * AFTER `put()` resolves successfully, so a failed write — DB error,
+   * optimistic-lock conflict, validation failure — never leaks a
+   * stale schema into the registry.
+   */
+  applyObjectRegistryMutation(request) {
+    if (request.type !== "object" && request.type !== "objects") return;
+    this.engine.registry.registerItem(request.type, request.item, "name");
+    try {
+      this.engine.registry.registerObject(request.item, "sys_metadata");
+    } catch (err) {
+      console.warn(
+        `[Protocol] registerObject failed for ${request.name}: ${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _128 => _128.message]), () => ( err))}`
+      );
+    }
+  }
+  /**
+   * Heal the in-memory registry after a metadata reset (overlay-row
+   * delete) on control-plane kernels. Two layers:
+   *
+   *  1. Drop the plain-key runtime shadow so the packaged artifact
+   *     (registered under `<packageId>:<name>`) becomes the visible
+   *     value again. The shadow is written by the overlay-hydration
+   *     paths (`getMetaItems` / `loadMetaFromDb`) and — pre-fix —
+   *     survived the reset until restart, leaving stale overlay
+   *     content (and a stripped `_lock` envelope) in every
+   *     registry-direct read (ADR-0010 §3.3).
+   *  2. When no composite-key artifact exists, fall back to the
+   *     MetadataService baseline (FilesystemLoader-sourced types) and
+   *     re-register it, preserving the historical refresh behaviour
+   *     for items the SchemaRegistry never held as artifacts.
+   *
+   * Best-effort: a failure must never block the delete that already
+   * succeeded; the next full reload fixes the registry anyway.
+   */
+  async restoreArtifactRegistryView(type, name) {
+    try {
+      const registry = this.engine.registry;
+      let healed = false;
+      if (typeof registry.removeRuntimeShadow === "function") {
+        const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+        healed = registry.removeRuntimeShadow(singular, name);
+        if (type !== singular) {
+          healed = registry.removeRuntimeShadow(type, name) || healed;
+        }
+      }
+      if (healed) return;
+      if (this.environmentId !== void 0) return;
+      const services = _optionalChain([this, 'access', _129 => _129.getServicesRegistry, 'optionalCall', _130 => _130()]);
+      const metadataService = _optionalChain([services, 'optionalAccess', _131 => _131.get, 'call', _132 => _132("metadata")]);
+      if (metadataService && typeof metadataService.get === "function") {
+        const artifactItem = await metadataService.get(type, name);
+        if (artifactItem !== void 0) {
+          this.engine.registry.registerItem(type, artifactItem, "name");
+        }
+      }
+    } catch (e29) {
+    }
+  }
+  /**
+   * Ensure a just-PUBLISHED object's physical table exists so it is usable
+   * for data CRUD immediately — without a server restart. Registering the
+   * object (above) only updates the in-memory registry; the table is created
+   * by the driver's schema sync, which otherwise only runs at boot. Without
+   * this, inserting into a freshly-published object fails with "no such
+   * table" (surfaced as `object_not_found`) until the next restart.
+   * Best-effort + non-fatal: drivers without DDL (or read-only datasources)
+   * simply no-op, and a sync failure must not abort the publish.
+   */
+  async ensureObjectStorage(type, name) {
+    if (type !== "object" && type !== "objects") return;
+    try {
+      await this.engine.syncObjectSchema(name);
+    } catch (err) {
+      console.warn(`[Protocol] table sync failed for object '${name}': ${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _133 => _133.message]), () => ( err))}`);
+    }
+  }
+  /**
+   * Inverse of {@link ensureObjectStorage}: drop an object's physical table.
+   * DESTRUCTIVE — deletes the table and all its rows. Only invoked when a
+   * delete explicitly opts into storage teardown (see {@link deleteMetaItem}'s
+   * `dropStorage`), so publishing an object solely to preview it can be undone
+   * without leaving an orphan table. Best-effort: a failure is logged, not
+   * thrown — the metadata delete already succeeded, and a stray table is
+   * reclaimed by the next sync/drop rather than blocking the delete.
+   */
+  async dropObjectStorage(type, name) {
+    if (type !== "object" && type !== "objects") return;
+    try {
+      await this.engine.dropObjectSchema(name);
+    } catch (err) {
+      console.warn(`[Protocol] table drop failed for object '${name}': ${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _134 => _134.message]), () => ( err))}`);
+    }
+  }
+  /**
+   * Guard for storage teardown on delete. Drops a physical table only when
+   * the caller opted in AND it is safe: object types only (others have no
+   * table), active state only (drafts were never materialised), and never a
+   * `sys_`-prefixed platform table.
+   */
+  shouldDropStorage(type, name, dropStorage, state) {
+    if (!dropStorage) return false;
+    const singular = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[type], () => ( type));
+    if (singular !== "object") return false;
+    if (state !== "active") return false;
+    if (name.startsWith("sys_")) return false;
+    return true;
+  }
+  async saveMetaItem(request) {
+    if (!request.item) {
+      throw new Error("Item data is required");
+    }
+    const mode = request.mode === "draft" ? "draft" : "publish";
+    if (this.environmentId !== void 0) {
+      const overlayAllowed = _ObjectStackProtocolImplementation.isOverlayAllowed(request.type);
+      const runtimeCreateAllowed = _ObjectStackProtocolImplementation.isRuntimeCreateAllowed(request.type);
+      const artifactBacked = this.isArtifactBacked(request.type, request.name);
+      if (artifactBacked && !overlayAllowed) {
+        const err = new Error(
+          `[not_overridable] Metadata item '${request.type}/${request.name}' is provided by a code package and the type has not opted into per-org overlay writes (allowOrgOverride=false). Edit the source artifact and redeploy, or set OS_METADATA_WRITABLE to grant a runtime escape hatch. See docs/adr/0005-metadata-customization-overlay.md.`
+        );
+        err.code = "not_overridable";
+        err.status = 403;
+        throw err;
+      }
+      if (!artifactBacked && !overlayAllowed && !runtimeCreateAllowed) {
+        const err = new Error(
+          `[not_creatable] Metadata type '${request.type}' does not allow runtime creation (allowRuntimeCreate=false, allowOrgOverride=false). New items of this type must be defined in source code.`
+        );
+        err.code = "not_creatable";
+        err.status = 403;
+        throw err;
+      }
+      const lockErr = await this.assertLockAllowsWrite({
+        type: request.type,
+        name: request.name,
+        ...request.organizationId ? { organizationId: request.organizationId } : {},
+        operation: "save",
+        ...request.actor ? { actor: request.actor } : {},
+        source: "protocol.saveMetaItem"
+      });
+      if (lockErr) throw lockErr;
+    }
+    const singularType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    if (!request.force && (singularType === "object" || singularType === "field")) {
+      try {
+        const existing = await this.getMetaItem({
+          type: request.type,
+          name: request.name,
+          ...request.organizationId ? { organizationId: request.organizationId } : {}
+        });
+        const prev = _optionalChain([existing, 'optionalAccess', _135 => _135.item]);
+        if (prev) {
+          const issues = detectDestructiveObjectChanges(prev, request.item);
+          if (issues.length > 0) {
+            const summary = issues.slice(0, 3).map((i) => i.message).join("; ");
+            const err = new Error(
+              `[destructive_change] ${request.type}/${request.name} would drop or transform existing data: ${summary}` + (issues.length > 3 ? ` (+${issues.length - 3} more)` : "") + ` \u2014 re-submit with ?force=true to proceed.`
+            );
+            err.code = "destructive_change";
+            err.status = 409;
+            err.issues = issues;
+            throw err;
+          }
+        }
+      } catch (err) {
+        if (_optionalChain([err, 'optionalAccess', _136 => _136.code]) === "destructive_change") throw err;
+      }
+    }
+    {
+      const it = request.item;
+      const looksLikeLayeredEnvelope = it && typeof it === "object" && !Array.isArray(it) && "code" in it && "overlay" in it && "overlayScope" in it && "effective" in it;
+      if (looksLikeLayeredEnvelope) {
+        const err = new Error(
+          `[invalid_metadata] ${request.type}/${request.name}: the request body is a layered read envelope ({ code, overlay, overlayScope, effective }), not a metadata body. Unwrap and send the effective/overlay document instead \u2014 the layered shape is read-only (GET ?layers=true) and must never be persisted.`
+        );
+        err.code = "invalid_metadata";
+        err.status = 422;
+        throw err;
+      }
+    }
+    request.item = normalizeViewMetadata(request.type, request.item, request.name);
+    {
+      const schema = resolveOverlaySchema(request.type, request.item);
+      if (schema) {
+        const parsed = schema.safeParse(request.item);
+        if (!parsed.success) {
+          const issues = parsed.error.issues.map((i) => ({
+            path: i.path.join("."),
+            message: i.message,
+            code: i.code
+          }));
+          const summary = issues.slice(0, 3).map((i) => `${i.path || "<root>"}: ${i.message}`).join("; ");
+          const err = new Error(
+            `[invalid_metadata] ${request.type}/${request.name} failed spec validation: ${summary}` + (issues.length > 3 ? ` (+${issues.length - 3} more)` : "")
+          );
+          err.code = "invalid_metadata";
+          err.status = 422;
+          err.issues = issues;
+          throw err;
+        }
+      }
+    }
+    await this.ensureOverlayIndex();
+    const singularTypeForRepo = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    const overlayAllowedForRepo = _ObjectStackProtocolImplementation.isOverlayAllowed(singularTypeForRepo);
+    const runtimeCreateAllowedForRepo = _ObjectStackProtocolImplementation.isRuntimeCreateAllowed(singularTypeForRepo);
+    const useRepoPath = overlayAllowedForRepo || runtimeCreateAllowedForRepo;
+    if (useRepoPath) {
+      const artifactBacked = this.isArtifactBacked(singularTypeForRepo, request.name);
+      const intent = artifactBacked ? "override-artifact" : "runtime-only";
+      if (intent === "runtime-only" && request.packageId != null && !this.isWritablePackage(request.packageId)) {
+        const err = new Error(
+          `[writable_package_required] Cannot author ${singularTypeForRepo}/${request.name} into '${request.packageId}': it is a read-only code/installed package, not a writable base. Create or select a writable base (package) first, then retry. See docs/adr/0070-package-first-authoring.md.`
+        );
+        err.code = "writable_package_required";
+        err.status = 422;
+        err.packageId = request.packageId;
+        throw err;
+      }
+      const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+      const repo = this.getOverlayRepo(orgId);
+      const ref = {
+        type: singularTypeForRepo,
+        name: request.name,
+        org: _nullishCoalesce(orgId, () => ( "env"))
+      };
+      let parentVersion;
+      if (request.parentVersion !== void 0) {
+        parentVersion = request.parentVersion;
+      } else {
+        const current = await repo.get(ref, {
+          state: mode === "draft" ? "draft" : "active",
+          packageId: _nullishCoalesce(request.packageId, () => ( null))
+        });
+        parentVersion = _nullishCoalesce(_optionalChain([current, 'optionalAccess', _137 => _137.hash]), () => ( null));
+      }
+      try {
+        const result = await repo.put(ref, request.item, {
+          parentVersion,
+          actor: _nullishCoalesce(request.actor, () => ( "system")),
+          source: "protocol.saveMetaItem",
+          intent,
+          state: mode === "draft" ? "draft" : "active",
+          ...request.packageId !== void 0 ? { packageId: request.packageId } : {}
+        });
+        if (mode === "publish") {
+          this.applyObjectRegistryMutation(request);
+          await this.ensureObjectStorage(request.type, request.name);
+        }
+        await this.recordMetadataAudit({
+          type: request.type,
+          name: request.name,
+          organizationId: orgId,
+          operation: "save",
+          outcome: "allowed",
+          code: "ok",
+          ...request.actor ? { actor: request.actor } : {},
+          source: "protocol.saveMetaItem",
+          note: mode === "draft" ? "draft" : "active"
+        });
+        return {
+          success: true,
+          version: result.version,
+          seq: result.seq,
+          state: mode === "draft" ? "draft" : "active",
+          message: orgId ? `Saved customization overlay (org=${orgId}, state=${mode === "draft" ? "draft" : "active"}) \u2014 type=${request.type}, name=${request.name} [seq=${result.seq}]` : `Saved customization overlay (env-wide, state=${mode === "draft" ? "draft" : "active"}) \u2014 type=${request.type}, name=${request.name} [seq=${result.seq}]`
+        };
+      } catch (err) {
+        if (err instanceof _metadatacore.ConflictError) {
+          const conflict = new Error(
+            `[metadata_conflict] ${request.type}/${request.name} has been modified since you loaded it. Expected parent ${_nullishCoalesce(err.expectedParent, () => ( "null"))} but current is ${_nullishCoalesce(err.actualHead, () => ( "null"))}.`
+          );
+          conflict.code = "metadata_conflict";
+          conflict.status = 409;
+          conflict.expectedParent = err.expectedParent;
+          conflict.actualHead = err.actualHead;
+          throw conflict;
+        }
+        throw err;
+      }
+    }
+    this.applyObjectRegistryMutation(request);
+    try {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+      const scopedWhere = {
+        type: request.type,
+        name: request.name,
+        organization_id: orgId,
+        state: "active"
+      };
+      const existing = await this.engine.findOne("sys_metadata", {
+        where: scopedWhere
+      });
+      if (existing) {
+        const updateRow = {
+          metadata: JSON.stringify(request.item),
+          updated_at: now,
+          version: (existing.version || 0) + 1,
+          state: "active"
+        };
+        const existingPkg = _nullishCoalesce(existing.package_id, () => ( null));
+        const nextPkg = _nullishCoalesce(_nullishCoalesce(existingPkg, () => ( request.packageId)), () => ( null));
+        if (nextPkg !== null) updateRow.package_id = nextPkg;
+        await this.engine.update("sys_metadata", updateRow, {
+          where: { id: existing.id }
+        });
+      } else {
+        const id = typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `meta_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+        const row = {
+          id,
+          name: request.name,
+          type: request.type,
+          // `scope` enum is ['system','platform','user']; per-org
+          // overlays use 'platform' as the informational tag. The
+          // authoritative isolation key is `organization_id`.
+          scope: "platform",
+          metadata: JSON.stringify(request.item),
+          state: "active",
+          version: 1,
+          created_at: now,
+          updated_at: now,
+          organization_id: orgId
+        };
+        if (request.packageId) row.package_id = request.packageId;
+        await this.engine.insert("sys_metadata", row);
+      }
+      return {
+        success: true,
+        message: orgId ? `Saved customization overlay (org=${orgId}) \u2014 type=${request.type}, name=${request.name}` : `Saved customization overlay (env-wide) \u2014 type=${request.type}, name=${request.name}`
+      };
+    } catch (dbError) {
+      console.error(
+        `[Protocol] sys_metadata persistence failed for ${request.type}/${request.name}: ${dbError.message}`
+      );
+      const err = new Error(
+        `Failed to persist customization overlay to sys_metadata: ${dbError.message}. In-memory registry was updated but will be lost on restart.`
+      );
+      err.code = "overlay_persistence_failed";
+      err.status = 500;
+      throw err;
+    }
+  }
+  /**
+   * Yield the durable change-log for a single metadata item — every
+   * put/delete recorded in `sys_metadata_history` for `(org, type, name)`,
+   * in event_seq order. Powers the Studio "History" tab and any
+   * client-side audit timeline.
+   *
+   * Returns `[]` for non-overlay-allowed types (the legacy raw-engine
+   * path doesn't record history) instead of throwing — callers can treat
+   * "no history" uniformly.
+   */
+  async historyMetaItem(request) {
+    const singularType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    if (!_ObjectStackProtocolImplementation.isOverlayAllowed(singularType) && !_ObjectStackProtocolImplementation.isRuntimeCreateAllowed(singularType)) {
+      return { events: [] };
+    }
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const ref = {
+      type: singularType,
+      name: request.name,
+      org: _nullishCoalesce(orgId, () => ( "env"))
+    };
+    const events = [];
+    const opts = {};
+    if (request.sinceSeq !== void 0) opts.sinceSeq = request.sinceSeq;
+    if (request.limit !== void 0) opts.limit = request.limit;
+    for await (const ev of repo.history(ref, opts)) events.push(ev);
+    return { events };
+  }
+  /**
+   * Promote the pending draft overlay to the live (`active`) row.
+   * Records a history event with `op='publish'`. 404 (`[no_draft]`)
+   * when there is nothing to publish.
+   */
+  async publishMetaItem(request) {
+    const singularType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    if (!_ObjectStackProtocolImplementation.isOverlayAllowed(singularType) && !_ObjectStackProtocolImplementation.isRuntimeCreateAllowed(singularType)) {
+      const err = new Error(
+        `[not_overridable] Metadata type '${request.type}' is not draftable \u2014 no overlay/runtime-create permission.`
+      );
+      err.code = "not_overridable";
+      err.status = 403;
+      throw err;
+    }
+    const _publishLockErr = await this.assertLockAllowsWrite({
+      type: request.type,
+      name: request.name,
+      ...request.organizationId ? { organizationId: request.organizationId } : {},
+      operation: "publish",
+      ...request.actor ? { actor: request.actor } : {},
+      source: "protocol.publishMetaItem"
+    });
+    if (_publishLockErr) throw _publishLockErr;
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const artifactBacked = this.isArtifactBacked(singularType, request.name);
+    const intent = artifactBacked ? "override-artifact" : "runtime-only";
+    const ref = {
+      type: singularType,
+      name: request.name,
+      org: _nullishCoalesce(orgId, () => ( "env"))
+    };
+    try {
+      const result = await repo.promoteDraft(ref, {
+        actor: _nullishCoalesce(request.actor, () => ( "system")),
+        source: "protocol.publishMetaItem",
+        ...request.message ? { message: request.message } : {},
+        intent
+      });
+      this.applyObjectRegistryMutation({
+        type: request.type,
+        name: request.name,
+        item: result.item.body
+      });
+      await this.ensureObjectStorage(request.type, request.name);
+      const response = {
+        success: true,
+        version: result.version,
+        seq: result.seq,
+        message: `Published draft \u2014 type=${request.type}, name=${request.name} [seq=${result.seq}]`
+      };
+      if (singularType === "seed" && !request._skipSeedApply) {
+        response.seedApplied = await this.applySeedBodies([result.item.body], orgId);
+      }
+      return response;
+    } catch (err) {
+      if (err instanceof _metadatacore.ConflictError) {
+        const conflict = new Error(
+          `[metadata_conflict] ${request.type}/${request.name} published row advanced while you held the draft. Expected parent ${_nullishCoalesce(err.expectedParent, () => ( "null"))} but current is ${_nullishCoalesce(err.actualHead, () => ( "null"))}.`
+        );
+        conflict.code = "metadata_conflict";
+        conflict.status = 409;
+        conflict.expectedParent = err.expectedParent;
+        conflict.actualHead = err.actualHead;
+        throw conflict;
+      }
+      throw err;
+    }
+  }
+  /**
+   * Materialize published `seed` bodies into data rows via the SeedLoaderService
+   * (externalId-keyed upsert, multi-pass for cross-seed references). Passing ALL
+   * of a publish's seed bodies in ONE call lets a child seed reference a parent
+   * seed's rows regardless of publish order. Best-effort: any failure is
+   * returned, never thrown — publishing metadata must not be blocked by a data
+   * problem, but the caller surfaces `seedApplied` so the failure is LOUD.
+   */
+  async applySeedBodies(bodies, organizationId) {
+    try {
+      const seeds = bodies.filter(
+        (b) => b && typeof b.object === "string" && Array.isArray(b.records)
+      );
+      if (seeds.length === 0) {
+        return { success: false, inserted: 0, updated: 0, error: "seed apply: no readable seed bodies" };
+      }
+      const { SeedLoaderService: SeedLoaderService2 } = await Promise.resolve().then(() => _interopRequireWildcard(require("./seed-loader-IFRY33L4.cjs")));
+      const { SeedLoaderRequestSchema } = await Promise.resolve().then(() => _interopRequireWildcard(require("@objectstack/spec/data")));
+      const metadataAdapter = {
+        getObject: async (name) => {
+          const wrapper = await this.getMetaItem({
+            type: "object",
+            name,
+            ...organizationId ? { organizationId } : {}
+          });
+          return _nullishCoalesce(_nullishCoalesce(_optionalChain([wrapper, 'optionalAccess', _138 => _138.item]), () => ( wrapper)), () => ( null));
+        }
+      };
+      const loader = new SeedLoaderService2(
+        this.engine,
+        metadataAdapter,
+        console
+      );
+      const request = SeedLoaderRequestSchema.parse({
+        seeds,
+        config: {
+          defaultMode: "upsert",
+          multiPass: true,
+          ...organizationId ? { organizationId } : {}
+        }
+      });
+      const r = await loader.load(request);
+      return {
+        success: r.success,
+        inserted: r.summary.totalInserted,
+        updated: r.summary.totalUpdated,
+        ..._optionalChain([r, 'access', _139 => _139.errors, 'optionalAccess', _140 => _140.length]) ? { errors: r.errors } : {}
+      };
+    } catch (e) {
+      return { success: false, inserted: 0, updated: 0, error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _141 => _141.message]), () => ( "seed apply failed")) };
+    }
+  }
+  /**
+   * List pending DRAFT metadata (ADR-0033) for the org, optionally narrowed
+   * by `packageId` and/or `type`. The list reads of `getMetaItems` only see
+   * the ACTIVE registry; this exposes what an AI authored but a human hasn't
+   * published yet, so the console can show a "pending changes" surface and a
+   * just-built app package isn't displayed as empty. No body is returned.
+   */
+  async listDrafts(request) {
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(_optionalChain([request, 'optionalAccess', _142 => _142.organizationId]), () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const drafts = await repo.listDrafts({
+      ..._optionalChain([request, 'optionalAccess', _143 => _143.type]) ? { type: _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type)) } : {},
+      ..._optionalChain([request, 'optionalAccess', _144 => _144.packageId]) ? { packageId: request.packageId } : {}
+    });
+    return { drafts };
+  }
+  /**
+   * Publish every pending DRAFT bound to a package in one shot (ADR-0033) —
+   * the "publish whole app" action. Promotes each draft→active by reusing the
+   * per-item {@link publishMetaItem} primitive (which runs the overridable /
+   * lock guards and refreshes the runtime registry), so this needs NO
+   * `metadata` service (unlike `MetadataService.publishPackage`, which reads
+   * the in-memory registry and 503s when that service is absent). Per-item
+   * failures are collected and do NOT abort the rest.
+   */
+  async publishPackageDrafts(request) {
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const drafts = await repo.listDrafts({ packageId: request.packageId });
+    const published = [];
+    const failed = [];
+    const ordered = [
+      ...drafts.filter((d) => d.type !== "seed"),
+      ...drafts.filter((d) => d.type === "seed")
+    ];
+    const seedBodies = [];
+    const commitItems = [];
+    for (const d of ordered) {
+      try {
+        const activeRow = await this.engine.findOne("sys_metadata", {
+          where: { organization_id: orgId, type: d.type, name: d.name, state: "active" }
+        });
+        commitItems.push({
+          type: d.type,
+          name: d.name,
+          existedBefore: !!activeRow,
+          prevVersion: activeRow && typeof activeRow.version === "number" ? activeRow.version : null
+        });
+      } catch (e30) {
+        commitItems.push({ type: d.type, name: d.name, existedBefore: false, prevVersion: null });
+      }
+    }
+    const publishedSeqs = [];
+    for (const d of ordered) {
+      try {
+        if (d.type === "seed") {
+          const ref = { type: d.type, name: d.name, org: _nullishCoalesce(orgId, () => ( "env")) };
+          const draft = await repo.get(ref, { state: "draft" });
+          if (_optionalChain([draft, 'optionalAccess', _145 => _145.body])) seedBodies.push(draft.body);
+        }
+        const r = await this.publishMetaItem({
+          type: d.type,
+          name: d.name,
+          ...request.organizationId ? { organizationId: request.organizationId } : {},
+          ...request.actor ? { actor: request.actor } : {},
+          message: `publish app package '${request.packageId}'`,
+          _skipSeedApply: true
+        });
+        published.push({ type: d.type, name: d.name, version: r.version });
+        if (typeof r.seq === "number") publishedSeqs.push(r.seq);
+      } catch (e) {
+        failed.push({
+          type: d.type,
+          name: d.name,
+          error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _146 => _146.message]), () => ( "publish failed")),
+          ..._optionalChain([e, 'optionalAccess', _147 => _147.code]) ? { code: e.code } : {}
+        });
+      }
+    }
+    const seedApplied = seedBodies.length > 0 ? await this.applySeedBodies(seedBodies, orgId) : void 0;
+    let probes;
+    if (published.length > 0) {
+      try {
+        const { runBuildProbes: runBuildProbes2 } = await Promise.resolve().then(() => _interopRequireWildcard(require("./build-probes-I3227FYL.cjs")));
+        const analytics = _optionalChain([this, 'access', _148 => _148.getServicesRegistry, 'optionalCall', _149 => _149(), 'access', _150 => _150.get, 'call', _151 => _151("analytics")]);
+        probes = await runBuildProbes2({
+          engine: this.engine,
+          getItem: async (type, name) => {
+            const wrapper = await this.getMetaItem({
+              type,
+              name,
+              ...orgId ? { organizationId: orgId } : {}
+            });
+            return _nullishCoalesce(_nullishCoalesce(_optionalChain([wrapper, 'optionalAccess', _152 => _152.item]), () => ( wrapper)), () => ( void 0));
+          },
+          published,
+          ...analytics && typeof analytics.queryDataset === "function" ? { analytics } : {},
+          organizationId: orgId
+        });
+      } catch (e31) {
+        probes = void 0;
+      }
+    }
+    let commit = null;
+    if (published.length > 0) {
+      const publishedKeys = new Set(published.map((p) => `${p.type}/${p.name}`));
+      commit = await this.recordPackageCommit({
+        orgId,
+        packageId: request.packageId,
+        operation: "apply",
+        ...request.message ? { message: request.message } : {},
+        ...request.actor ? { actor: request.actor } : {},
+        ...request.aiModel ? { aiModel: request.aiModel } : {},
+        items: commitItems.filter((it) => publishedKeys.has(`${it.type}/${it.name}`)),
+        ...publishedSeqs.length ? { eventSeqStart: Math.min(...publishedSeqs), eventSeqEnd: Math.max(...publishedSeqs) } : {}
+      });
+    }
+    return {
+      success: failed.length === 0 && published.length > 0,
+      publishedCount: published.length,
+      failedCount: failed.length,
+      published,
+      failed,
+      ...seedApplied ? { seedApplied } : {},
+      ...probes ? { probes } : {},
+      ...commit ? { commitId: commit.commitId } : {}
+    };
+  }
+  /**
+   * Discard every pending DRAFT bound to a package — the NON-destructive
+   * inverse of {@link publishPackageDrafts}. Drops only `state='draft'` rows
+   * (via the per-item delete primitive), reverting the package to its last
+   * published baseline; active/published metadata and physical tables are
+   * left untouched.
+   *
+   * Use case: "I edited this app for a while and it turned out worse than
+   * before — abandon all my changes." Routes through the sys_metadata path
+   * (no metadata-service dependency, unlike `POST /packages/:id/revert`).
+   */
+  async discardPackageDrafts(request) {
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const drafts = await repo.listDrafts({ packageId: request.packageId });
+    const discarded = [];
+    const failed = [];
+    for (const d of drafts) {
+      try {
+        await this.deleteMetaItem({
+          type: d.type,
+          name: d.name,
+          state: "draft",
+          ...request.organizationId ? { organizationId: request.organizationId } : {},
+          ...request.actor ? { actor: request.actor } : {}
+        });
+        discarded.push({ type: d.type, name: d.name });
+      } catch (e) {
+        failed.push({
+          type: d.type,
+          name: d.name,
+          error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _153 => _153.message]), () => ( "discard failed")),
+          ..._optionalChain([e, 'optionalAccess', _154 => _154.code]) ? { code: e.code } : {}
+        });
+      }
+    }
+    return {
+      success: failed.length === 0 && discarded.length > 0,
+      discardedCount: discarded.length,
+      failedCount: failed.length,
+      discarded,
+      failed
+    };
+  }
+  /**
+   * Delete an ENTIRE package: every `sys_metadata` row bound to it (active
+   * AND draft) and — by default — the physical table of each object it
+   * defined. DESTRUCTIVE: removes the app and its data. Use case: "I don't
+   * want this package anymore."
+   *
+   * Set `keepData: true` to remove the metadata but preserve object tables.
+   * The `sys_`-table guard in {@link deleteMetaItem} still applies, so
+   * platform storage is never dropped. Drafts are removed before active rows
+   * so each object's table is torn down once. Per-item failures are collected
+   * without aborting the rest.
+   */
+  async deletePackage(request) {
+    const where = { package_id: request.packageId };
+    if (request.organizationId) where.organization_id = request.organizationId;
+    const rows = await this.engine.find("sys_metadata", { where });
+    const dropStorage = request.keepData !== true;
+    const ordered = [...rows].sort((a, b) => (a.state === "draft" ? 0 : 1) - (b.state === "draft" ? 0 : 1));
+    const deleted = [];
+    const failed = [];
+    for (const row of ordered) {
+      const state = row.state === "draft" ? "draft" : "active";
+      try {
+        await this.deleteMetaItem({
+          type: row.type,
+          name: row.name,
+          state,
+          ...row.organization_id ? { organizationId: row.organization_id } : {},
+          ...request.actor ? { actor: request.actor } : {},
+          ...dropStorage ? { dropStorage: true } : {}
+        });
+        deleted.push({ type: row.type, name: row.name, state });
+      } catch (e) {
+        failed.push({
+          type: row.type,
+          name: row.name,
+          error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _155 => _155.message]), () => ( "delete failed")),
+          ..._optionalChain([e, 'optionalAccess', _156 => _156.code]) ? { code: e.code } : {}
+        });
+      }
+    }
+    return {
+      success: failed.length === 0 && deleted.length > 0,
+      deletedCount: deleted.length,
+      failedCount: failed.length,
+      deleted,
+      failed
+    };
+  }
+  /**
+   * ADR-0070 D4 — duplicate a writable base into a NEW package (the Airtable
+   * "duplicate base" gesture). Clones every ACTIVE item the source owns into
+   * `targetPackageId`, RE-NAMESPACING object names — the blueprint prefixes a
+   * base's object names with its namespace (e.g. `iojn_repair_ticket`), and
+   * `sys_metadata` keys on (type,name,org), so a same-name copy would collide
+   * with the source — and rewriting every intra-package reference (lookup
+   * `reference`, view `object`, expressions, etc.) to the new names. Per-item
+   * best-effort; one failure never aborts the whole clone.
+   */
+  async duplicatePackage(request) {
+    const registry = this.engine.registry;
+    const srcPkg = _optionalChain([registry, 'optionalAccess', _157 => _157.getPackage, 'optionalCall', _158 => _158(request.sourcePackageId)]);
+    const sourceNs = _nullishCoalesce(_optionalChain([srcPkg, 'optionalAccess', _159 => _159.manifest, 'optionalAccess', _160 => _160.namespace]), () => ( (_nullishCoalesce(request.sourcePackageId.split(".").pop(), () => ( "")))));
+    const targetNs = _nullishCoalesce(request.targetNamespace, () => ( (_nullishCoalesce(request.targetPackageId.split(".").pop(), () => ( request.targetPackageId)))));
+    const where = { package_id: request.sourcePackageId, state: "active" };
+    if (request.organizationId) where.organization_id = request.organizationId;
+    const rows = await this.engine.find("sys_metadata", { where });
+    const renameName = (name) => sourceNs && typeof name === "string" && name.startsWith(`${sourceNs}_`) ? `${targetNs}_${name.slice(sourceNs.length + 1)}` : name;
+    const renameMap = /* @__PURE__ */ new Map();
+    for (const row of rows) {
+      if (_optionalChain([row, 'optionalAccess', _161 => _161.type]) === "object") {
+        const nn = renameName(row.name);
+        if (nn !== row.name) renameMap.set(row.name, nn);
+      }
+    }
+    const olds = [...renameMap.keys()].sort((a, b) => b.length - a.length);
+    const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const re = olds.length ? new RegExp(`(${olds.map(esc).join("|")})(?![A-Za-z0-9_])`, "g") : null;
+    const deepRewrite = (v) => {
+      if (typeof v === "string") return re ? v.replace(re, (m) => _nullishCoalesce(renameMap.get(m), () => ( m))) : v;
+      if (Array.isArray(v)) return v.map(deepRewrite);
+      if (v && typeof v === "object") {
+        const o = {};
+        for (const [k, val] of Object.entries(v)) o[k] = deepRewrite(val);
+        return o;
+      }
+      return v;
+    };
+    if (_optionalChain([srcPkg, 'optionalAccess', _162 => _162.manifest]) && typeof _optionalChain([registry, 'optionalAccess', _163 => _163.installPackage]) === "function") {
+      try {
+        registry.installPackage({
+          ...srcPkg.manifest,
+          id: request.targetPackageId,
+          name: _nullishCoalesce(request.targetName, () => ( `${_nullishCoalesce(srcPkg.manifest.name, () => ( request.sourcePackageId))} (copy)`)),
+          namespace: targetNs
+        });
+      } catch (e32) {
+      }
+    }
+    const copied = [];
+    const failed = [];
+    for (const row of rows) {
+      const newName = renameName(row.name);
+      let item;
+      try {
+        item = typeof row.metadata === "string" ? JSON.parse(row.metadata) : _nullishCoalesce(row.metadata, () => ( {}));
+      } catch (e33) {
+        failed.push({ type: row.type, name: row.name, error: "unparseable metadata" });
+        continue;
+      }
+      const rewritten = deepRewrite(item);
+      if (rewritten && typeof rewritten === "object" && !Array.isArray(rewritten)) rewritten.name = newName;
+      try {
+        await this.saveMetaItem({
+          type: row.type,
+          name: newName,
+          item: rewritten,
+          mode: "publish",
+          packageId: request.targetPackageId,
+          ...request.organizationId ? { organizationId: request.organizationId } : {},
+          ...request.actor ? { actor: request.actor } : {}
+        });
+        copied.push({ type: row.type, name: newName });
+      } catch (e) {
+        failed.push({ type: row.type, name: row.name, error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _164 => _164.message]), () => ( "copy failed")) });
+      }
+    }
+    return {
+      success: failed.length === 0 && copied.length > 0,
+      copiedCount: copied.length,
+      failedCount: failed.length,
+      targetPackageId: request.targetPackageId,
+      copied,
+      failed
+    };
+  }
+  /**
+   * ADR-0070 D5 — adopt orphaned (package-less) metadata into a base. The
+   * pre-package-first stopgaps left runtime-authored items with
+   * `package_id = null` (or the `sys_metadata` sentinel). This bulk-rebinds
+   * every such orphan to `targetPackageId` so the env converges on the
+   * package-first model and the "Local / Custom" migration scope can be
+   * retired. Owned rows (already bound to a real package) are left untouched.
+   * Updates the durable column; the in-memory registry picks the new binding
+   * up on the next metadata reload.
+   */
+  async reassignOrphanedMetadata(request) {
+    const where = {};
+    if (request.organizationId) where.organization_id = request.organizationId;
+    const rows = await this.engine.find("sys_metadata", { where });
+    const orphans = rows.filter(
+      (r) => _optionalChain([r, 'optionalAccess', _165 => _165.package_id]) == null || r.package_id === "" || r.package_id === "sys_metadata"
+    );
+    const reassigned = [];
+    for (const row of orphans) {
+      try {
+        await this.engine.update(
+          "sys_metadata",
+          { package_id: request.targetPackageId },
+          { where: { id: row.id } }
+        );
+        reassigned.push({ type: row.type, name: row.name });
+      } catch (e34) {
+      }
+    }
+    return {
+      success: reassigned.length > 0,
+      reassignedCount: reassigned.length,
+      reassigned,
+      targetPackageId: request.targetPackageId
+    };
+  }
+  // ─────────────────────────────────────────────────────────────────────
+  // ADR-0067 — package-scoped commit history & rollback
+  // ─────────────────────────────────────────────────────────────────────
+  /**
+   * Record one commit row (best-effort) grouping a turn's published
+   * artifacts. Returns the commit id, or null if the commit store is
+   * unavailable (e.g. unit-test stubs) — recording never blocks a publish.
+   */
+  async recordPackageCommit(args) {
+    try {
+      const commitId = "cmt_" + (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `${_nullishCoalesce(args.eventSeqEnd, () => ( 0))}-${args.items.length}-${args.packageId}`);
+      await this.engine.insert("sys_metadata_commit", {
+        id: commitId,
+        package_id: args.packageId,
+        operation: args.operation,
+        ...args.message ? { message: args.message } : {},
+        ...args.actor ? { actor: args.actor } : {},
+        ...args.aiModel ? { ai_model: args.aiModel } : {},
+        ...args.parentCommitId ? { parent_commit_id: args.parentCommitId } : {},
+        ...args.eventSeqStart !== void 0 ? { event_seq_start: args.eventSeqStart } : {},
+        ...args.eventSeqEnd !== void 0 ? { event_seq_end: args.eventSeqEnd } : {},
+        items: JSON.stringify(args.items),
+        item_count: args.items.length,
+        organization_id: args.orgId,
+        created_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      return { commitId };
+    } catch (e35) {
+      return null;
+    }
+  }
+  parseCommitItems(raw) {
+    if (Array.isArray(raw)) return raw;
+    if (typeof raw === "string") {
+      try {
+        const p = JSON.parse(raw);
+        return Array.isArray(p) ? p : [];
+      } catch (e36) {
+        return [];
+      }
+    }
+    return [];
+  }
+  /**
+   * List the commit timeline for a package, newest-first (ADR-0067). Returns
+   * [] if the commit store is unavailable.
+   */
+  async listCommits(request) {
+    try {
+      const where = { package_id: request.packageId };
+      if (request.organizationId) where.organization_id = request.organizationId;
+      const rows = await this.engine.find("sys_metadata_commit", {
+        where,
+        ...request.limit ? { limit: request.limit } : {}
+      });
+      const mapped = rows.map((r) => ({
+        id: r.id,
+        operation: _nullishCoalesce(r.operation, () => ( "apply")),
+        ...r.message ? { message: r.message } : {},
+        ...r.actor ? { actor: r.actor } : {},
+        ...r.ai_model ? { aiModel: r.ai_model } : {},
+        ...r.parent_commit_id ? { parentCommitId: r.parent_commit_id } : {},
+        itemCount: typeof r.item_count === "number" ? r.item_count : 0,
+        items: this.parseCommitItems(r.items),
+        ...r.created_at ? { createdAt: r.created_at } : {}
+      }));
+      mapped.sort((a, b) => String(_nullishCoalesce(b.createdAt, () => ( ""))).localeCompare(String(_nullishCoalesce(a.createdAt, () => ( "")))));
+      return mapped;
+    } catch (e37) {
+      return [];
+    }
+  }
+  /**
+   * Revert a single commit (ADR-0067): undo exactly the artifacts it touched.
+   * A created-by-this-commit artifact is soft-removed (metadata row deleted;
+   * the data table is NOT dropped — recoverable, per ADR-0067 §5); a modified
+   * artifact is restored to its pre-commit `prevVersion`. The revert is itself
+   * recorded as a NEW commit (operation='revert'), so history stays
+   * append-only and the revert is itself revertible.
+   */
+  async revertCommit(request) {
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const where = { id: request.commitId };
+    if (request.organizationId) where.organization_id = request.organizationId;
+    const row = await this.engine.findOne("sys_metadata_commit", { where });
+    if (!row) {
+      const err = new Error(`[commit_not_found] No commit '${request.commitId}'.`);
+      err.code = "commit_not_found";
+      err.status = 404;
+      throw err;
+    }
+    const items = this.parseCommitItems(row.items);
+    const repo = this.getOverlayRepo(orgId);
+    const actor = _nullishCoalesce(request.actor, () => ( "system"));
+    const reverted = [];
+    const failed = [];
+    for (const it of [...items].reverse()) {
+      const ref = { type: it.type, name: it.name, org: _nullishCoalesce(orgId, () => ( "env")) };
+      try {
+        const current = await repo.get(ref, { state: "active" });
+        if (!it.existedBefore) {
+          if (current) {
+            await repo.delete(ref, {
+              parentVersion: current.hash,
+              actor,
+              source: "protocol.revertCommit",
+              intent: "override-artifact",
+              state: "active"
+            });
+          }
+          reverted.push({ type: it.type, name: it.name, action: "removed" });
+        } else if (it.prevVersion !== null && it.prevVersion !== void 0) {
+          await repo.restoreVersion(ref, it.prevVersion, {
+            actor,
+            source: "protocol.revertCommit",
+            message: `revert commit ${request.commitId}`
+          });
+          reverted.push({ type: it.type, name: it.name, action: "restored" });
+        }
+      } catch (e) {
+        failed.push({
+          type: it.type,
+          name: it.name,
+          error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _166 => _166.message]), () => ( "revert failed")),
+          ..._optionalChain([e, 'optionalAccess', _167 => _167.code]) ? { code: e.code } : {}
+        });
+      }
+    }
+    const revertCommit = await this.recordPackageCommit({
+      orgId,
+      packageId: row.package_id,
+      operation: "revert",
+      message: `Revert: ${_nullishCoalesce(row.message, () => ( request.commitId))}`,
+      ...request.actor ? { actor: request.actor } : {},
+      parentCommitId: request.commitId,
+      items: reverted.map((r) => ({
+        type: r.type,
+        name: r.name,
+        existedBefore: r.action === "restored",
+        prevVersion: null
+      }))
+    });
+    return {
+      success: failed.length === 0 && reverted.length > 0,
+      revertedCount: reverted.length,
+      failedCount: failed.length,
+      reverted,
+      failed,
+      ...revertCommit ? { revertCommitId: revertCommit.commitId } : {}
+    };
+  }
+  /**
+   * Roll a package back THROUGH every `apply` commit newer than `commitId`
+   * (newest first), leaving the package as it was at that commit. Each step is
+   * an individual `revertCommit`, so the whole rollback is itself audited.
+   */
+  async rollbackToPackageCommit(request) {
+    const where = { id: request.commitId };
+    if (request.organizationId) where.organization_id = request.organizationId;
+    const target = await this.engine.findOne("sys_metadata_commit", { where });
+    if (!target) {
+      const err = new Error(`[commit_not_found] No commit '${request.commitId}'.`);
+      err.code = "commit_not_found";
+      err.status = 404;
+      throw err;
+    }
+    const all = await this.listCommits({
+      packageId: target.package_id,
+      ...request.organizationId ? { organizationId: request.organizationId } : {}
+    });
+    const targetCreatedAt = String(_nullishCoalesce(target.created_at, () => ( "")));
+    const toRevert = all.filter(
+      (c) => String(_nullishCoalesce(c.createdAt, () => ( ""))) > targetCreatedAt && c.operation === "apply"
+    );
+    const revertedCommits = [];
+    const failed = [];
+    for (const c of toRevert) {
+      try {
+        await this.revertCommit({
+          commitId: c.id,
+          ...request.organizationId ? { organizationId: request.organizationId } : {},
+          ...request.actor ? { actor: request.actor } : {}
+        });
+        revertedCommits.push(c.id);
+      } catch (e) {
+        failed.push({ commitId: c.id, error: _nullishCoalesce(_optionalChain([e, 'optionalAccess', _168 => _168.message]), () => ( "revert failed")) });
+      }
+    }
+    return { success: failed.length === 0, revertedCommits, failed };
+  }
+  /**
+   * Restore the body recorded at history `toVersion` as the new
+   * live row. Writes a history event with `op='revert'`. 404
+   * (`[version_not_found]`) when the target version doesn't exist;
+   * 409 (`[version_not_restorable]`) when the target is a delete
+   * tombstone (no body to bring back).
+   */
+  async rollbackMetaItem(request) {
+    if (!Number.isFinite(request.toVersion) || request.toVersion < 1) {
+      const err = new Error(
+        `[invalid_request] rollbackMetaItem requires a positive integer 'toVersion' (got ${request.toVersion}).`
+      );
+      err.code = "invalid_request";
+      err.status = 400;
+      throw err;
+    }
+    const singularType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    if (!_ObjectStackProtocolImplementation.isOverlayAllowed(singularType) && !_ObjectStackProtocolImplementation.isRuntimeCreateAllowed(singularType)) {
+      const err = new Error(
+        `[not_overridable] Metadata type '${request.type}' is not revertable \u2014 no overlay/runtime-create permission.`
+      );
+      err.code = "not_overridable";
+      err.status = 403;
+      throw err;
+    }
+    const _rollbackLockErr = await this.assertLockAllowsWrite({
+      type: request.type,
+      name: request.name,
+      ...request.organizationId ? { organizationId: request.organizationId } : {},
+      operation: "rollback",
+      ...request.actor ? { actor: request.actor } : {},
+      source: "protocol.rollbackMetaItem"
+    });
+    if (_rollbackLockErr) throw _rollbackLockErr;
+    await this.ensureOverlayIndex();
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const repo = this.getOverlayRepo(orgId);
+    const artifactBacked = this.isArtifactBacked(singularType, request.name);
+    const intent = artifactBacked ? "override-artifact" : "runtime-only";
+    const ref = {
+      type: singularType,
+      name: request.name,
+      org: _nullishCoalesce(orgId, () => ( "env"))
+    };
+    try {
+      const result = await repo.restoreVersion(ref, request.toVersion, {
+        actor: _nullishCoalesce(request.actor, () => ( "system")),
+        source: "protocol.rollbackMetaItem",
+        ...request.message ? { message: request.message } : {},
+        intent
+      });
+      this.applyObjectRegistryMutation({
+        type: request.type,
+        name: request.name,
+        item: result.item.body
+      });
+      return {
+        success: true,
+        version: result.version,
+        seq: result.seq,
+        restoredFromVersion: request.toVersion,
+        message: `Reverted to version ${request.toVersion} \u2014 type=${request.type}, name=${request.name} [seq=${result.seq}]`
+      };
+    } catch (err) {
+      if (err instanceof _metadatacore.ConflictError) {
+        const conflict = new Error(
+          `[metadata_conflict] ${request.type}/${request.name} advanced during rollback. Expected parent ${_nullishCoalesce(err.expectedParent, () => ( "null"))} but current is ${_nullishCoalesce(err.actualHead, () => ( "null"))}.`
+        );
+        conflict.code = "metadata_conflict";
+        conflict.status = 409;
+        conflict.expectedParent = err.expectedParent;
+        conflict.actualHead = err.actualHead;
+        throw conflict;
+      }
+      throw err;
+    }
+  }
+  /**
+   * Compute a shallow structural diff between two historical
+   * versions of a metadata item. Either side may be omitted: when
+   * `toVersion` is undefined the current active body is used; when
+   * `fromVersion` is undefined the immediately previous history row
+   * is used. Returns `{ added, removed, changed }` keyed by JSON
+   * pointer-style paths for primitive leaves; nested objects/arrays
+   * are reported as a single change record.
+   */
+  async diffMetaItem(request) {
+    const singularType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+    const events = (await this.historyMetaItem({
+      type: singularType,
+      name: request.name,
+      ...orgId ? { organizationId: orgId } : {}
+    })).events;
+    const versions = events.map((ev) => ev.version).filter((v) => typeof v === "number");
+    const repo = this.getOverlayRepo(orgId);
+    const fullRef = {
+      type: singularType,
+      name: request.name,
+      org: _nullishCoalesce(orgId, () => ( "env"))
+    };
+    const histRows = [];
+    try {
+      const engineAny = this.engine;
+      const rows = await engineAny.find("sys_metadata_history", {
+        where: {
+          organization_id: orgId,
+          type: singularType,
+          name: request.name
+        }
+      });
+      rows.sort((a, b) => (_nullishCoalesce(a.version, () => ( 0))) - (_nullishCoalesce(b.version, () => ( 0))));
+      for (const r of rows) {
+        const body = r.metadata == null ? null : typeof r.metadata === "string" ? JSON.parse(r.metadata) : r.metadata;
+        histRows.push({ version: _nullishCoalesce(r.version, () => ( 0)), body });
+      }
+    } catch (e38) {
+    }
+    const byVersion = /* @__PURE__ */ new Map();
+    for (const r of histRows) byVersion.set(r.version, r.body);
+    let fromBody = null;
+    let toBody = null;
+    let fromVersion = null;
+    let toVersion = null;
+    if (request.toVersion !== void 0) {
+      toVersion = request.toVersion;
+      toBody = _nullishCoalesce(byVersion.get(request.toVersion), () => ( null));
+    } else {
+      const current = await repo.get(fullRef, { state: "active" });
+      toBody = current ? current.body : null;
+      toVersion = histRows.length ? histRows[histRows.length - 1].version : null;
+    }
+    if (request.fromVersion !== void 0) {
+      fromVersion = request.fromVersion;
+      fromBody = _nullishCoalesce(byVersion.get(request.fromVersion), () => ( null));
+    } else if (toVersion !== null) {
+      const sorted = histRows.map((r) => r.version).filter((v) => v < toVersion);
+      if (sorted.length) {
+        fromVersion = sorted[sorted.length - 1];
+        fromBody = _nullishCoalesce(byVersion.get(fromVersion), () => ( null));
+      }
+    }
+    const diff = diffShallow(_nullishCoalesce(fromBody, () => ( {})), _nullishCoalesce(toBody, () => ( {})));
+    const _used = versions;
+    void _used;
+    return {
+      type: request.type,
+      name: request.name,
+      fromVersion,
+      toVersion,
+      ...diff
+    };
+  }
+  /**
+   * Remove a customization overlay row for the given metadata item, so the
+   * next read falls through to the artifact-loaded default. Implements the
+   * "Reset to factory default" semantic from ADR-0005. Whitelist is shared
+   * with {@link saveMetaItem}.
+   */
+  async deleteMetaItem(request) {
+    if (this.environmentId !== void 0) {
+      const overlayAllowed = _ObjectStackProtocolImplementation.isOverlayAllowed(request.type);
+      const runtimeCreateAllowed = _ObjectStackProtocolImplementation.isRuntimeCreateAllowed(request.type);
+      const artifactBacked = this.isArtifactBacked(request.type, request.name);
+      if (artifactBacked && !overlayAllowed) {
+        const err = new Error(
+          `[not_overridable] Metadata item '${request.type}/${request.name}' is provided by a code package and the type has not opted into per-org overlay writes. See docs/adr/0005-metadata-customization-overlay.md.`
+        );
+        err.code = "not_overridable";
+        err.status = 403;
+        throw err;
+      }
+      if (!artifactBacked && !overlayAllowed && !runtimeCreateAllowed) {
+        const err = new Error(
+          `[not_creatable] Metadata type '${request.type}' does not allow runtime creation or deletion.`
+        );
+        err.code = "not_creatable";
+        err.status = 403;
+        throw err;
+      }
+      const lockErr = await this.assertLockAllowsDelete({
+        type: request.type,
+        name: request.name,
+        ...request.organizationId ? { organizationId: request.organizationId } : {},
+        ...request.actor ? { actor: request.actor } : {},
+        source: "protocol.deleteMetaItem"
+      });
+      if (lockErr) throw lockErr;
+    }
+    const singularTypeForRepo = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    const overlayAllowedForRepoDel = _ObjectStackProtocolImplementation.isOverlayAllowed(singularTypeForRepo);
+    const runtimeCreateAllowedForRepoDel = _ObjectStackProtocolImplementation.isRuntimeCreateAllowed(singularTypeForRepo);
+    const useRepoPath = overlayAllowedForRepoDel || runtimeCreateAllowedForRepoDel;
+    if (useRepoPath) {
+      const orgId = _nullishCoalesce(request.organizationId, () => ( null));
+      const repo = this.getOverlayRepo(orgId);
+      const ref = {
+        type: singularTypeForRepo,
+        name: request.name,
+        org: _nullishCoalesce(orgId, () => ( "env"))
+      };
+      try {
+        const targetState = request.state === "draft" ? "draft" : "active";
+        const current = await repo.get(ref, { state: targetState });
+        if (!current) {
+          if (targetState === "active") {
+            await this.restoreArtifactRegistryView(request.type, request.name);
+          }
+          return {
+            success: true,
+            reset: false,
+            message: targetState === "draft" ? `No pending draft for ${request.type}/${request.name}.` : `No customization overlay found for ${request.type}/${request.name} \u2014 already at artifact default.`
+          };
+        }
+        const parentVersion = request.parentVersion !== void 0 ? _nullishCoalesce(request.parentVersion, () => ( current.hash)) : current.hash;
+        const result = await repo.delete(ref, {
+          parentVersion,
+          actor: _nullishCoalesce(request.actor, () => ( "system")),
+          source: "protocol.deleteMetaItem",
+          intent: this.isArtifactBacked(singularTypeForRepo, request.name) ? "override-artifact" : "runtime-only",
+          state: targetState
+        });
+        if (targetState === "active") {
+          await this.restoreArtifactRegistryView(request.type, request.name);
+        }
+        if (this.shouldDropStorage(request.type, request.name, request.dropStorage, targetState)) {
+          await this.dropObjectStorage(singularTypeForRepo, request.name);
+        }
+        await this.recordMetadataAudit({
+          type: request.type,
+          name: request.name,
+          organizationId: orgId,
+          operation: "delete",
+          outcome: "allowed",
+          code: "ok",
+          ...request.actor ? { actor: request.actor } : {},
+          source: "protocol.deleteMetaItem",
+          note: targetState
+        });
+        return {
+          success: true,
+          reset: true,
+          seq: result.seq,
+          message: request.state === "draft" ? `Draft discarded \u2014 ${request.type}/${request.name}. [seq=${result.seq}]` : `Customization overlay deleted \u2014 ${request.type}/${request.name} reset to artifact default. [seq=${result.seq}]`
+        };
+      } catch (err) {
+        if (err instanceof _metadatacore.ConflictError) {
+          const conflict = new Error(
+            `[metadata_conflict] ${request.type}/${request.name} has been modified since you loaded it. Expected parent ${_nullishCoalesce(err.expectedParent, () => ( "null"))} but current is ${_nullishCoalesce(err.actualHead, () => ( "null"))}.`
+          );
+          conflict.code = "metadata_conflict";
+          conflict.status = 409;
+          conflict.expectedParent = err.expectedParent;
+          conflict.actualHead = err.actualHead;
+          throw conflict;
+        }
+        const e = new Error(`Failed to delete customization overlay: ${_nullishCoalesce(err.message, () => ( err))}`);
+        e.status = _nullishCoalesce(_optionalChain([err, 'optionalAccess', _169 => _169.status]), () => ( 500));
+        throw e;
+      }
+    }
+    const scopedWhere = {
+      type: request.type,
+      name: request.name,
+      organization_id: _nullishCoalesce(request.organizationId, () => ( null))
+    };
+    try {
+      const existing = await this.engine.findOne("sys_metadata", { where: scopedWhere });
+      if (!existing) {
+        return {
+          success: true,
+          reset: false,
+          message: `No customization overlay found for ${request.type}/${request.name} \u2014 already at artifact default.`
+        };
+      }
+      await this.engine.delete("sys_metadata", { where: { id: existing.id } });
+      {
+        const targetState = request.state === "draft" ? "draft" : "active";
+        if (this.shouldDropStorage(request.type, request.name, request.dropStorage, targetState)) {
+          await this.dropObjectStorage(_nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type)), request.name);
+        }
+      }
+      if (request.state !== "draft") {
+        await this.restoreArtifactRegistryView(request.type, request.name);
+      }
+      return {
+        success: true,
+        reset: true,
+        message: `Customization overlay deleted \u2014 ${request.type}/${request.name} reset to artifact default.`
+      };
+    } catch (err) {
+      const e = new Error(`Failed to delete customization overlay: ${err.message}`);
+      e.status = 500;
+      throw e;
+    }
+  }
+  /**
+   * Hydrate SchemaRegistry from the database on startup.
+   * Loads all active metadata records and registers them in the in-memory registry.
+   * Safe to call repeatedly — idempotent (latest DB record wins).
+   *
+   * Per ADR-0005, project-kernel mode ALSO hydrates from sys_metadata —
+   * customization overlay rows must survive restart. Scope filter
+   * (`environment_id = this.environmentId ?? null`) keeps tenants isolated.
+   */
+  async loadMetaFromDb() {
+    let loaded = 0;
+    let errors = 0;
+    try {
+      const where = {
+        state: "active",
+        organization_id: null
+      };
+      const records = await this.engine.find("sys_metadata", { where });
+      for (const record of records) {
+        try {
+          const data = typeof record.metadata === "string" ? JSON.parse(record.metadata) : record.metadata;
+          const normalizedType = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[record.type], () => ( record.type));
+          if (normalizedType === "object") {
+            this.engine.registry.registerObject(data, record.packageId || "sys_metadata");
+          } else {
+            const artifact = this.lookupArtifactItem(normalizedType, _optionalChain([data, 'optionalAccess', _170 => _170.name]));
+            this.engine.registry.registerItem(
+              normalizedType,
+              mergeArtifactProtection(data, artifact),
+              "name"
+            );
+          }
+          loaded++;
+        } catch (e) {
+          errors++;
+          console.warn(`[Protocol] Failed to hydrate ${record.type}/${record.name}: ${e instanceof Error ? e.message : String(e)}`);
+        }
+      }
+    } catch (e) {
+      if (!/no such table/i.test(_nullishCoalesce(e.message, () => ( "")))) {
+        console.warn(`[Protocol] DB hydration skipped: ${e.message}`);
+      }
+    }
+    return { loaded, errors };
+  }
+  // ==========================================
+  // Metadata References (Phase 3a-references)
+  // ==========================================
+  /**
+   * Scan all loaded metadata for references pointing at the given
+   * `{type, name}` target. Returns one row per referring artifact with
+   * the path that produced the hit, so the admin UI can render an
+   * "Used by" panel before destructive actions (rename / delete /
+   * type-narrowing).
+   *
+   * Coverage is driven by the hand-curated {@link REFERENCE_PATHS}
+   * registry. Types not present in the registry simply return no hits
+   * — the engine never throws.
+   */
+  async findReferencesToMeta(request) {
+    const singularTarget = _nullishCoalesce(_shared.PLURAL_TO_SINGULAR[request.type], () => ( request.type));
+    const targetName = request.name;
+    const matchers = REFERENCE_PATHS[singularTarget];
+    if (!matchers || matchers.length === 0) {
+      return { references: [] };
+    }
+    const seen = /* @__PURE__ */ new Set();
+    const out = [];
+    await Promise.all(
+      matchers.map(async (matcher) => {
+        let items = [];
+        try {
+          const result = await this.getMetaItems({
+            type: matcher.fromType,
+            ...request.organizationId ? { organizationId: request.organizationId } : {}
+          });
+          items = _nullishCoalesce(_optionalChain([result, 'optionalAccess', _171 => _171.items]), () => ( []));
+        } catch (e39) {
+          return;
+        }
+        for (const raw of items) {
+          if (!raw || typeof raw !== "object") continue;
+          const sourceName = raw.name;
+          if (!sourceName) continue;
+          const isSelfReference = matcher.fromType === singularTarget && sourceName === targetName;
+          for (const path of matcher.paths) {
+            const values = extractPathValues(raw, path);
+            if (!values.includes(targetName)) continue;
+            if (isSelfReference && !path.includes("[]") && !path.includes("{}")) continue;
+            const key = `${matcher.fromType}|${sourceName}|${path}`;
+            if (seen.has(key)) continue;
+            seen.add(key);
+            const label = raw.label;
+            out.push({
+              type: matcher.fromType,
+              name: sourceName,
+              ...label ? { label } : {},
+              path,
+              kind: matcher.kind
+            });
+          }
+        }
+      })
+    );
+    out.sort((a, b) => a.type.localeCompare(b.type) || a.name.localeCompare(b.name));
+    return { references: out };
+  }
+  // ==========================================
+  // Feed Operations
+  // ==========================================
+  async listFeed(request) {
+    const svc = this.requireFeedService();
+    const result = await svc.listFeed({
+      object: request.object,
+      recordId: request.recordId,
+      filter: request.type,
+      limit: request.limit,
+      cursor: request.cursor
+    });
+    return { success: true, data: result };
+  }
+  async createFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.createFeedItem({
+      object: request.object,
+      recordId: request.recordId,
+      type: request.type,
+      actor: { type: "user", id: "current_user" },
+      body: request.body,
+      mentions: request.mentions,
+      parentId: request.parentId,
+      visibility: request.visibility
+    });
+    return { success: true, data: item };
+  }
+  async updateFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.updateFeedItem(request.feedId, {
+      body: request.body,
+      mentions: request.mentions,
+      visibility: request.visibility
+    });
+    return { success: true, data: item };
+  }
+  async deleteFeedItem(request) {
+    const svc = this.requireFeedService();
+    await svc.deleteFeedItem(request.feedId);
+    return { success: true, data: { feedId: request.feedId } };
+  }
+  async addReaction(request) {
+    const svc = this.requireFeedService();
+    const reactions = await svc.addReaction(request.feedId, request.emoji, "current_user");
+    return { success: true, data: { reactions } };
+  }
+  async removeReaction(request) {
+    const svc = this.requireFeedService();
+    const reactions = await svc.removeReaction(request.feedId, request.emoji, "current_user");
+    return { success: true, data: { reactions } };
+  }
+  async pinFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.getFeedItem(request.feedId);
+    if (!item) throw new Error(`Feed item ${request.feedId} not found`);
+    await svc.updateFeedItem(request.feedId, { visibility: item.visibility });
+    return { success: true, data: { feedId: request.feedId, pinned: true, pinnedAt: (/* @__PURE__ */ new Date()).toISOString() } };
+  }
+  async unpinFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.getFeedItem(request.feedId);
+    if (!item) throw new Error(`Feed item ${request.feedId} not found`);
+    await svc.updateFeedItem(request.feedId, { visibility: item.visibility });
+    return { success: true, data: { feedId: request.feedId, pinned: false } };
+  }
+  async starFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.getFeedItem(request.feedId);
+    if (!item) throw new Error(`Feed item ${request.feedId} not found`);
+    await svc.updateFeedItem(request.feedId, { visibility: item.visibility });
+    return { success: true, data: { feedId: request.feedId, starred: true, starredAt: (/* @__PURE__ */ new Date()).toISOString() } };
+  }
+  async unstarFeedItem(request) {
+    const svc = this.requireFeedService();
+    const item = await svc.getFeedItem(request.feedId);
+    if (!item) throw new Error(`Feed item ${request.feedId} not found`);
+    await svc.updateFeedItem(request.feedId, { visibility: item.visibility });
+    return { success: true, data: { feedId: request.feedId, starred: false } };
+  }
+  async searchFeed(request) {
+    const svc = this.requireFeedService();
+    const result = await svc.listFeed({
+      object: request.object,
+      recordId: request.recordId,
+      filter: request.type,
+      limit: request.limit,
+      cursor: request.cursor
+    });
+    const queryLower = (request.query || "").toLowerCase();
+    const filtered = result.items.filter(
+      (item) => _optionalChain([item, 'access', _172 => _172.body, 'optionalAccess', _173 => _173.toLowerCase, 'call', _174 => _174(), 'access', _175 => _175.includes, 'call', _176 => _176(queryLower)])
+    );
+    return { success: true, data: { items: filtered, total: filtered.length, hasMore: false } };
+  }
+  async getChangelog(request) {
+    const svc = this.requireFeedService();
+    const result = await svc.listFeed({
+      object: request.object,
+      recordId: request.recordId,
+      filter: "changes_only",
+      limit: request.limit,
+      cursor: request.cursor
+    });
+    const entries = result.items.map((item) => ({
+      id: item.id,
+      object: item.object,
+      recordId: item.recordId,
+      actor: item.actor,
+      changes: item.changes || [],
+      timestamp: item.createdAt,
+      source: item.source
+    }));
+    return { success: true, data: { entries, total: result.total, nextCursor: result.nextCursor, hasMore: result.hasMore } };
+  }
+  async feedSubscribe(request) {
+    const svc = this.requireFeedService();
+    const subscription = await svc.subscribe({
+      object: request.object,
+      recordId: request.recordId,
+      userId: "current_user",
+      events: request.events,
+      channels: request.channels
+    });
+    return { success: true, data: subscription };
+  }
+  async feedUnsubscribe(request) {
+    const svc = this.requireFeedService();
+    const unsubscribed = await svc.unsubscribe(request.object, request.recordId, "current_user");
+    return { success: true, data: { object: request.object, recordId: request.recordId, unsubscribed } };
+  }
+  /**
+   * Install a package from a manifest — the single canonical write primitive
+   * for the package subsystem (ADR-0033 consolidation).
+   *
+   * It writes BOTH stores that the runtime keeps for packages, so a package
+   * surfaces consistently no matter which read path is used:
+   *   1. the in-memory `SchemaRegistry` (what the dispatcher's
+   *      `/api/v1/packages` list/detail and `getMetaItems({type:'package'})`
+   *      read — i.e. what Studio's package selector shows), and
+   *   2. the durable `sys_packages` table via the optional `package` service
+   *      (so the package survives a restart; that service re-hydrates these
+   *      rows back into the registry on boot).
+   *
+   * The DB write is best-effort and non-fatal: when the `package` service is
+   * absent (e.g. the `marketplace` capability is off) the package is still
+   * registered in-memory and visible for the lifetime of the process.
+   */
+  async installPackage(request) {
+    const manifest = request.manifest;
+    const pkg = this.engine.registry.installPackage(manifest, request.settings);
+    try {
+      const services = _optionalChain([this, 'access', _177 => _177.getServicesRegistry, 'optionalCall', _178 => _178()]);
+      const pkgSvc = _optionalChain([services, 'optionalAccess', _179 => _179.get, 'call', _180 => _180("package")]);
+      if (_optionalChain([pkgSvc, 'optionalAccess', _181 => _181.publish]) && _optionalChain([manifest, 'optionalAccess', _182 => _182.version])) {
+        await pkgSvc.publish({ manifest, metadata: {} });
+      }
+    } catch (e) {
+      console.warn(
+        `[protocol.installPackage] sys_packages persist skipped for '${_optionalChain([manifest, 'optionalAccess', _183 => _183.id])}': ${_optionalChain([e, 'optionalAccess', _184 => _184.message])}`
+      );
+    }
+    return { package: pkg, message: `Installed package: ${_optionalChain([manifest, 'optionalAccess', _185 => _185.id])}` };
+  }
+};
+/**
+ * Metadata types that are customer-overridable via {@link saveMetaItem}/
+ * {@link deleteMetaItem} in project-kernel mode. Derived from the canonical
+ * registry in {@link DEFAULT_METADATA_TYPE_REGISTRY}: a type opts in by
+ * setting `allowOrgOverride: true` on its registry entry. The set is
+ * augmented with the plural form of every singular so callers using REST
+ * conventions (`/api/v1/meta/views/...`) get the same gate. See ADR-0005
+ * §"Whitelist enforcement" for the rationale and the per-type rollout
+ * checklist.
+ */
+_ObjectStackProtocolImplementation.OVERLAY_ALLOWED_TYPES = (() => {
+  const out = /* @__PURE__ */ new Set();
+  for (const entry of _kernel.DEFAULT_METADATA_TYPE_REGISTRY) {
+    if (!entry.allowOrgOverride) continue;
+    out.add(entry.type);
+    const plural = _shared.SINGULAR_TO_PLURAL[entry.type];
+    if (plural) out.add(plural);
+  }
+  return out;
+})();
+/**
+ * Phase 3a-env-writable: parse `OS_METADATA_WRITABLE` once.
+ * Comma-separated singular type names. When the env var is set, the
+ * listed types get treated as `allowOrgOverride: true` regardless of
+ * their static registry entry. This is the runtime escape hatch admins
+ * use to enable Studio-side editing of types whose protocol-level flag
+ * is still false (object, field, permission, …).
+ *
+ * Memoised at first call. Tests can override by clearing the cache via
+ * {@link ObjectStackProtocolImplementation.resetEnvWritableCache}.
+ */
+_ObjectStackProtocolImplementation._envWritableTypes = null;
+/**
+ * Types that opt into runtime creation of brand-new items (ADR-0005
+ * extension — two-tier model). A type may have
+ * `allowOrgOverride: false` (cannot overlay artifact-shipped items)
+ * yet still set `allowRuntimeCreate: true` (users can author new
+ * items in `sys_metadata`). The two flags are orthogonal; see
+ * {@link isArtifactBacked} for how the protocol decides which gate
+ * applies to a given save/delete.
+ */
+/**
+ * Set of type names that have a static entry in
+ * `DEFAULT_METADATA_TYPE_REGISTRY`. Anything outside this set is
+ * runtime-registered (plugin-provided types like `theme`, `api`,
+ * `connector`) — the listing endpoint at `getMetaTypes()` synthesises
+ * those with `allowRuntimeCreate: true`, so this gate must agree.
+ */
+_ObjectStackProtocolImplementation.STATIC_REGISTRY_TYPES = (() => {
+  const out = /* @__PURE__ */ new Set();
+  for (const entry of _kernel.DEFAULT_METADATA_TYPE_REGISTRY) {
+    out.add(entry.type);
+    const plural = _shared.SINGULAR_TO_PLURAL[entry.type];
+    if (plural) out.add(plural);
+  }
+  return out;
+})();
+_ObjectStackProtocolImplementation.RUNTIME_CREATE_ALLOWED_TYPES = (() => {
+  const out = /* @__PURE__ */ new Set();
+  for (const entry of _kernel.DEFAULT_METADATA_TYPE_REGISTRY) {
+    if (!entry.allowRuntimeCreate) continue;
+    out.add(entry.type);
+    const plural = _shared.SINGULAR_TO_PLURAL[entry.type];
+    if (plural) out.add(plural);
+  }
+  return out;
+})();
+var ObjectStackProtocolImplementation = _ObjectStackProtocolImplementation;
+
+
+
+
+
+
+
+
+
+
+
+
+exports.ConcurrentUpdateError = ConcurrentUpdateError; exports.ObjectStackProtocolImplementation = ObjectStackProtocolImplementation; exports.SeedLoaderService = _chunkJRNTUZG6cjs.SeedLoaderService; exports.SysMetadataRepository = SysMetadataRepository; exports.computeMetadataDiagnostics = computeMetadataDiagnostics; exports.computeViewReferenceDiagnostics = computeViewReferenceDiagnostics; exports.decorateMetadataItem = decorateMetadataItem; exports.decorateMetadataItems = decorateMetadataItems; exports.normalizeViewMetadata = normalizeViewMetadata; exports.resetEnvWritableMetadataTypes = resetEnvWritableMetadataTypes; exports.runBuildProbes = _chunk7LOFAEHAcjs.runBuildProbes;
+//# sourceMappingURL=index.cjs.map