@objectstack/runtime 4.0.5 → 4.1.1

package/dist/index.js

@@ -231,7 +231,7 @@ var init_seed_loader = __esm({
           this.logger.info("[SeedLoader] Pass 2: resolving deferred references", {
             count: deferredUpdates.length
           });
-          await this.resolveDeferredUpdates(deferredUpdates, insertedRecords, allResults, allErrors);
+          await this.resolveDeferredUpdates(deferredUpdates, insertedRecords, allResults, allErrors, config.organizationId);
         }
         const durationMs = Date.now() - startTime;
         return this.buildResult(config, graph, allResults, allErrors, durationMs);
@@ -288,7 +288,11 @@ var init_seed_loader = __esm({
         }
         let existingRecords;
         if ((mode === "upsert" || mode === "update" || mode === "ignore") && !config.dryRun) {
-          existingRecords = await this.loadExistingRecords(objectName, externalId);
+          existingRecords = await this.loadExistingRecords(
+            objectName,
+            externalId,
+            config.organizationId
+          );
         }
         const objectRefs = refMap.get(objectName) || [];
         const seedNow = /* @__PURE__ */ new Date();
@@ -303,6 +307,9 @@ var init_seed_loader = __esm({
               `[SeedLoader] Failed to resolve dynamic values for ${objectName} record #${i}: ${seedResult.error.message}`
             );
           }
+          if (config.organizationId && record["organization_id"] == null) {
+            record["organization_id"] = config.organizationId;
+          }
           for (const ref of objectRefs) {
             const fieldValue = record[ref.field];
             if (fieldValue === void 0 || fieldValue === null) continue;
@@ -313,7 +320,7 @@ var init_seed_loader = __esm({
               record[ref.field] = resolvedId;
               referencesResolved++;
             } else if (!config.dryRun) {
-              const dbId = await this.resolveFromDatabase(ref.targetObject, ref.targetField, fieldValue);
+              const dbId = await this.resolveFromDatabase(ref.targetObject, ref.targetField, fieldValue, config.organizationId);
               if (dbId) {
                 record[ref.field] = dbId;
                 referencesResolved++;
@@ -407,10 +414,12 @@ var init_seed_loader = __esm({
       // ==========================================================================
       // Internal: Reference Resolution
       // ==========================================================================
-      async resolveFromDatabase(targetObject, targetField, value) {
+      async resolveFromDatabase(targetObject, targetField, value, organizationId) {
         try {
+          const where = { [targetField]: value };
+          if (organizationId) where.organization_id = organizationId;
           const records = await this.engine.find(targetObject, {
-            where: { [targetField]: value },
+            where,
             fields: ["id"],
             limit: 1,
             context: { isSystem: true }
@@ -422,7 +431,7 @@ var init_seed_loader = __esm({
         }
         return null;
       }
-      async resolveDeferredUpdates(deferredUpdates, insertedRecords, allResults, allErrors) {
+      async resolveDeferredUpdates(deferredUpdates, insertedRecords, allResults, allErrors, organizationId) {
         for (const deferred of deferredUpdates) {
           const targetMap = insertedRecords.get(deferred.targetObject);
           let resolvedId = targetMap?.get(String(deferred.attemptedValue));
@@ -430,7 +439,8 @@ var init_seed_loader = __esm({
             resolvedId = await this.resolveFromDatabase(
               deferred.targetObject,
               deferred.targetField,
-              deferred.attemptedValue
+              deferred.attemptedValue,
+              organizationId
             ) ?? void 0;
           }
           if (resolvedId) {
@@ -626,13 +636,15 @@ var init_seed_loader = __esm({
         }
         return map2;
       }
-      async loadExistingRecords(objectName, externalId) {
+      async loadExistingRecords(objectName, externalId, organizationId) {
         const map2 = /* @__PURE__ */ new Map();
         try {
-          const records = await this.engine.find(objectName, {
+          const findArgs = {
             fields: ["id", externalId],
             context: { isSystem: true }
-          });
+          };
+          if (organizationId) findArgs.where = { organization_id: organizationId };
+          const records = await this.engine.find(objectName, findArgs);
           for (const record of records || []) {
             const key = String(record[externalId] ?? "");
             if (key) {
@@ -1161,9 +1173,12 @@ function buildSandboxApi(engineCtx, ql, errLabel) {
 }
 function buildSandboxContext(engineCtx, ql) {
   const inputSnapshot = unwrapProxyToPlain(engineCtx?.input ?? engineCtx?.doc);
+  const previousRaw = engineCtx?.previous ?? engineCtx?.previousDoc;
   return {
-    input: inputSnapshot,
-    previous: unwrapProxyToPlain(engineCtx?.previous ?? engineCtx?.previousDoc),
+    input: inputSnapshot ?? {},
+    // Preserve `undefined` for `previous` on insert events so hooks can
+    // reliably distinguish create (`!ctx.previous`) from update/delete.
+    previous: unwrapProxyToPlain(previousRaw),
     user: engineCtx?.user ?? engineCtx?.session?.user,
     session: engineCtx?.session,
     event: typeof engineCtx?.event === "string" ? engineCtx.event : void 0,
@@ -1190,12 +1205,13 @@ function buildActionSandboxContext(actionCtx, ql) {
   };
 }
 function unwrapProxyToPlain(v) {
-  if (!v || typeof v !== "object") return {};
-  if (Array.isArray(v)) return {};
+  if (v === void 0 || v === null) return void 0;
+  if (typeof v !== "object") return void 0;
+  if (Array.isArray(v)) return void 0;
   try {
     return Object.fromEntries(Object.entries(v));
   } catch {
-    return {};
+    return void 0;
   }
 }
 var init_body_runner = __esm({
@@ -1412,8 +1428,51 @@ var init_app_plugin = __esm({
               appId
             });
           }
+          try {
+            const approvals = Array.isArray(this.bundle.approvals) ? this.bundle.approvals : Array.isArray((this.bundle.manifest || {}).approvals) ? this.bundle.manifest.approvals : [];
+            if (approvals.length > 0) {
+              ctx.hook("kernel:ready", async () => {
+                let svc;
+                try {
+                  svc = ctx.getService("approvals");
+                } catch {
+                }
+                if (!svc || typeof svc.defineProcess !== "function") {
+                  ctx.logger.warn("[AppPlugin] approvals service not registered \u2014 skipping declarative processes", {
+                    appId,
+                    processCount: approvals.length
+                  });
+                  return;
+                }
+                const sysCtx = { isSystem: true, roles: [], permissions: [] };
+                let ok = 0;
+                for (const proc of approvals) {
+                  try {
+                    await svc.defineProcess({
+                      name: proc.name,
+                      label: proc.label,
+                      object: proc.object,
+                      description: proc.description,
+                      active: proc.active !== false,
+                      definition: proc
+                    }, sysCtx);
+                    ok++;
+                  } catch (err) {
+                    ctx.logger.warn("[AppPlugin] Failed to register approval process", {
+                      appId,
+                      process: proc?.name,
+                      error: err?.message ?? String(err)
+                    });
+                  }
+                }
+                ctx.logger.info("[AppPlugin] Registered approval processes", { appId, count: ok });
+              });
+            }
+          } catch (err) {
+            ctx.logger.error("[AppPlugin] Failed to schedule approval-process registration", err, { appId });
+          }
           this.emitCatalogEvent(ctx, "app:registered", sys);
-          this.loadTranslations(ctx, appId);
+          await this.loadTranslations(ctx, appId);
           const seedDatasets = [];
           if (Array.isArray(this.bundle.data)) {
             seedDatasets.push(...this.bundle.data);
@@ -1429,46 +1488,107 @@ var init_app_plugin = __esm({
               object: d.object
             }));
             try {
-              const metadata = ctx.getService("metadata");
-              if (metadata) {
-                const seedLoader = new SeedLoaderService(ql, metadata, ctx.logger);
+              const kernel = ctx.kernel;
+              const existing = (() => {
+                try {
+                  return kernel?.getService?.("seed-datasets");
+                } catch {
+                  return void 0;
+                }
+              })();
+              const merged = Array.isArray(existing) ? [...existing, ...normalizedDatasets] : normalizedDatasets;
+              const registerSvc = (name, value) => {
+                if (kernel?.registerService) kernel.registerService(name, value);
+                else if (typeof ctx.registerService === "function") ctx.registerService(name, value);
+              };
+              registerSvc("seed-datasets", merged);
+              const metadataNow = ctx.getService("metadata");
+              const loggerRef = ctx.logger;
+              const replayer = async (organizationId) => {
+                if (!organizationId) return { inserted: 0, updated: 0, errors: [] };
+                const md = metadataNow ?? ctx.getService("metadata");
+                if (!md) {
+                  loggerRef.warn("[seed-replayer] metadata service unavailable");
+                  return { inserted: 0, updated: 0, errors: [] };
+                }
+                const datasetsNow = (() => {
+                  try {
+                    return kernel?.getService?.("seed-datasets");
+                  } catch {
+                    return merged;
+                  }
+                })() ?? merged;
+                if (!Array.isArray(datasetsNow) || datasetsNow.length === 0) {
+                  return { inserted: 0, updated: 0, errors: [] };
+                }
+                const seedLoader = new SeedLoaderService(ql, md, loggerRef);
                 const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                 const request = SeedLoaderRequestSchema.parse({
-                  datasets: normalizedDatasets,
-                  config: { defaultMode: "upsert", multiPass: true }
+                  datasets: datasetsNow,
+                  config: {
+                    defaultMode: "upsert",
+                    multiPass: true,
+                    organizationId
+                  }
                 });
                 const result = await seedLoader.load(request);
-                ctx.logger.info("[Seeder] Seed loading complete", {
+                return {
                   inserted: result.summary.totalInserted,
                   updated: result.summary.totalUpdated,
-                  errors: result.errors.length
-                });
-              } else {
-                ctx.logger.debug("[Seeder] No metadata service; using basic insert fallback");
+                  errors: result.errors
+                };
+              };
+              registerSvc("seed-replayer", replayer);
+              ctx.logger.info(`[Seeder] Registered ${normalizedDatasets.length} datasets + replayer on kernel (total datasets: ${merged.length})`);
+            } catch (e) {
+              ctx.logger.warn("[Seeder] Failed to register seed-datasets/seed-replayer service", { error: e?.message });
+            }
+            const multiTenant = String(process.env.OS_MULTI_TENANT ?? "true").toLowerCase() !== "false";
+            if (multiTenant) {
+              ctx.logger.info("[Seeder] multi-tenant mode \u2014 skipping inline seed; per-org replay will run on sys_organization insert");
+            } else {
+              try {
+                const metadata = ctx.getService("metadata");
+                if (metadata) {
+                  const seedLoader = new SeedLoaderService(ql, metadata, ctx.logger);
+                  const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
+                  const request = SeedLoaderRequestSchema.parse({
+                    datasets: normalizedDatasets,
+                    config: { defaultMode: "upsert", multiPass: true }
+                  });
+                  const result = await seedLoader.load(request);
+                  ctx.logger.info("[Seeder] Seed loading complete", {
+                    inserted: result.summary.totalInserted,
+                    updated: result.summary.totalUpdated,
+                    errors: result.errors.length
+                  });
+                } else {
+                  ctx.logger.debug("[Seeder] No metadata service; using basic insert fallback");
+                  for (const dataset of normalizedDatasets) {
+                    ctx.logger.info(`[Seeder] Seeding ${dataset.records.length} records for ${dataset.object}`);
+                    for (const record of dataset.records) {
+                      try {
+                        await ql.insert(dataset.object, record, { context: { isSystem: true } });
+                      } catch (err) {
+                        ctx.logger.warn(`[Seeder] Failed to insert ${dataset.object} record:`, { error: err.message });
+                      }
+                    }
+                  }
+                  ctx.logger.info("[Seeder] Data seeding complete.");
+                }
+              } catch (err) {
+                ctx.logger.warn("[Seeder] SeedLoaderService failed, falling back to basic insert", { error: err.message });
                 for (const dataset of normalizedDatasets) {
-                  ctx.logger.info(`[Seeder] Seeding ${dataset.records.length} records for ${dataset.object}`);
                   for (const record of dataset.records) {
                     try {
                       await ql.insert(dataset.object, record, { context: { isSystem: true } });
-                    } catch (err) {
-                      ctx.logger.warn(`[Seeder] Failed to insert ${dataset.object} record:`, { error: err.message });
+                    } catch (insertErr) {
+                      ctx.logger.warn(`[Seeder] Failed to insert ${dataset.object} record:`, { error: insertErr.message });
                     }
                   }
                 }
-                ctx.logger.info("[Seeder] Data seeding complete.");
+                ctx.logger.info("[Seeder] Data seeding complete (fallback).");
               }
-            } catch (err) {
-              ctx.logger.warn("[Seeder] SeedLoaderService failed, falling back to basic insert", { error: err.message });
-              for (const dataset of normalizedDatasets) {
-                for (const record of dataset.records) {
-                  try {
-                    await ql.insert(dataset.object, record, { context: { isSystem: true } });
-                  } catch (insertErr) {
-                    ctx.logger.warn(`[Seeder] Failed to insert ${dataset.object} record:`, { error: insertErr.message });
-                  }
-                }
-              }
-              ctx.logger.info("[Seeder] Data seeding complete (fallback).");
             }
           }
         };
@@ -1527,7 +1647,7 @@ var init_app_plugin = __esm({
        * Gracefully skips when the i18n service is not registered —
        * this keeps AppPlugin resilient across server/dev/mock environments.
        */
-      loadTranslations(ctx, appId) {
+      async loadTranslations(ctx, appId) {
         let i18nService;
         try {
           i18nService = ctx.getService("i18n");
@@ -1543,13 +1663,33 @@ var init_app_plugin = __esm({
         }
         if (!i18nService) {
           if (bundles.length > 0) {
-            ctx.logger.warn(
-              `[i18n] App "${appId}" has ${bundles.length} translation bundle(s) but no i18n service is registered. Translations will not be served via REST API. Register I18nServicePlugin from @objectstack/service-i18n, or use DevPlugin which auto-detects translations and registers the i18n service automatically.`
-            );
+            try {
+              const mod = await import("@objectstack/core");
+              const createMemoryI18n = mod.createMemoryI18n;
+              if (typeof createMemoryI18n === "function") {
+                const fallback = createMemoryI18n();
+                ctx.registerService("i18n", fallback);
+                i18nService = fallback;
+                ctx.logger.info(
+                  `[i18n] Auto-registered in-memory i18n fallback for "${appId}" (${bundles.length} bundle(s) detected). Install I18nServicePlugin from @objectstack/service-i18n for file-based / production use.`
+                );
+              }
+            } catch (err) {
+              ctx.logger.warn(
+                `[i18n] App "${appId}" has ${bundles.length} translation bundle(s) but auto-fallback failed: ${err?.message ?? err}.`
+              );
+              return;
+            }
+            if (!i18nService) {
+              ctx.logger.warn(
+                `[i18n] App "${appId}" has ${bundles.length} translation bundle(s) but no i18n service is registered.`
+              );
+              return;
+            }
           } else {
             ctx.logger.debug("[i18n] No i18n service registered; skipping translation loading", { appId });
+            return;
           }
-          return;
         }
         const i18nConfig = this.bundle.i18n || (this.bundle.manifest || this.bundle)?.i18n;
         if (i18nConfig?.defaultLocale && typeof i18nService.setDefaultLocale === "function") {
@@ -34368,8 +34508,360 @@ var init_dist = __esm({
   }
 });
 
+// src/cloud/platform-sso.ts
+var platform_sso_exports = {};
+__export(platform_sso_exports, {
+  PLATFORM_SSO_PROVIDER_ID: () => PLATFORM_SSO_PROVIDER_ID,
+  backfillPlatformSsoClients: () => backfillPlatformSsoClients,
+  buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
+  derivePlatformSsoClientId: () => derivePlatformSsoClientId,
+  derivePlatformSsoClientSecret: () => derivePlatformSsoClientSecret,
+  hashPlatformSsoClientSecret: () => hashPlatformSsoClientSecret,
+  seedPlatformSsoClient: () => seedPlatformSsoClient
+});
+import { createHmac, createHash } from "crypto";
+function derivePlatformSsoClientId(projectId) {
+  return `project_${projectId}`;
+}
+function derivePlatformSsoClientSecret(baseSecret, projectId) {
+  return createHmac("sha256", baseSecret).update(`oauth-client:${projectId}`).digest("hex");
+}
+function hashPlatformSsoClientSecret(plaintext) {
+  return createHash("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
+  let host;
+  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
+    host = hostname;
+  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
+    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
+    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
+    host = `http://${hostWithPort}`;
+  } else {
+    host = `https://${hostname}`;
+  }
+  const trimmed = host.replace(/\/+$/, "");
+  const path = basePath.replace(/\/+$/, "");
+  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
+}
+async function seedPlatformSsoClient(opts) {
+  const { ql, projectId, hostname, baseSecret, logger, throwOnError } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { projectId });
+    return;
+  }
+  const clientId = derivePlatformSsoClientId(projectId);
+  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, projectId);
+  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
+  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
+  let existing = null;
+  try {
+    const rows = await ql.find("sys_oauth_application", {
+      where: { client_id: clientId },
+      limit: 1
+    }, { context: { isSystem: true } });
+    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+    existing = list[0] ?? null;
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
+      projectId,
+      error: err?.message
+    });
+    return;
+  }
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  if (!existing) {
+    const redirects = desiredRedirect ? [desiredRedirect] : [];
+    try {
+      await ql.insert("sys_oauth_application", {
+        id: `oauthc_${projectId}`,
+        name: `Project ${projectId}`,
+        client_id: clientId,
+        client_secret: clientSecretStored,
+        type: "web",
+        redirect_uris: JSON.stringify(redirects),
+        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+        response_types: JSON.stringify(["code"]),
+        scopes: JSON.stringify(["openid", "email", "profile"]),
+        token_endpoint_auth_method: "client_secret_basic",
+        require_pkce: false,
+        skip_consent: true,
+        disabled: false,
+        subject_type: "public",
+        created_at: nowIso,
+        updated_at: nowIso
+      }, { context: { isSystem: true } });
+      logger?.info?.("[platform-sso] sys_oauth_application row created", { projectId, clientId });
+    } catch (err) {
+      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
+        projectId,
+        error: err?.message
+      });
+      if (throwOnError) throw err;
+    }
+    return;
+  }
+  let currentRedirects = [];
+  try {
+    const raw = existing.redirect_uris;
+    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
+    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
+  } catch {
+  }
+  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
+  const repairPatch = {
+    name: existing.name || `Project ${projectId}`,
+    client_secret: clientSecretStored,
+    type: existing.type || "web",
+    redirect_uris: JSON.stringify(mergedRedirects),
+    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+    response_types: JSON.stringify(["code"]),
+    scopes: JSON.stringify(["openid", "email", "profile"]),
+    token_endpoint_auth_method: "client_secret_basic",
+    require_pkce: false,
+    skip_consent: true,
+    disabled: false,
+    subject_type: "public",
+    updated_at: nowIso
+  };
+  try {
+    await ql.update(
+      "sys_oauth_application",
+      repairPatch,
+      { where: { id: existing.id } },
+      { context: { isSystem: true } }
+    );
+    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
+      projectId,
+      clientId,
+      redirect_uris: mergedRedirects
+    });
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
+      projectId,
+      error: err?.message
+    });
+    if (throwOnError) throw err;
+  }
+}
+async function backfillPlatformSsoClients(opts) {
+  const { ql, baseSecret, logger, limit = 1e3 } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
+  }
+  let projects = [];
+  try {
+    const rows = await ql.find("sys_environment", {
+      limit,
+      fields: ["id", "hostname", "status"]
+    }, { context: { isSystem: true } });
+    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch (err) {
+    logger?.warn?.("[platform-sso] backfill: sys_project read failed", {
+      error: err?.message
+    });
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ projectId: "<scan>", error: err?.message ?? String(err) }] };
+  }
+  let seeded = 0;
+  let alreadyExisted = 0;
+  const failures = [];
+  for (const p of projects) {
+    if (!p?.id) continue;
+    const before = await (async () => {
+      try {
+        const r = await ql.find("sys_oauth_application", {
+          where: { client_id: derivePlatformSsoClientId(p.id) },
+          limit: 1
+        }, { context: { isSystem: true } });
+        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+        return list[0] ?? null;
+      } catch {
+        return null;
+      }
+    })();
+    try {
+      await seedPlatformSsoClient({ ql, projectId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
+      if (before) alreadyExisted++;
+      else {
+        const after = await (async () => {
+          try {
+            const r = await ql.find("sys_oauth_application", {
+              where: { client_id: derivePlatformSsoClientId(p.id) },
+              limit: 1
+            }, { context: { isSystem: true } });
+            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+            return list[0] ?? null;
+          } catch (err) {
+            return { _readErr: err?.message };
+          }
+        })();
+        if (after && !after._readErr) seeded++;
+        else failures.push({ projectId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
+      }
+    } catch (err) {
+      failures.push({ projectId: p.id, error: err?.message ?? String(err) });
+    }
+  }
+  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
+  return { scanned: projects.length, seeded, alreadyExisted, failures };
+}
+var PLATFORM_SSO_PROVIDER_ID;
+var init_platform_sso = __esm({
+  "src/cloud/platform-sso.ts"() {
+    "use strict";
+    PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
+  }
+});
+
+// src/cloud/project-org-seed.ts
+var project_org_seed_exports = {};
+__export(project_org_seed_exports, {
+  seedProjectMember: () => seedProjectMember,
+  seedProjectOrganization: () => seedProjectOrganization
+});
+async function seedProjectOrganization(kernel, seed, logger) {
+  if (!seed?.id || !seed?.name) return "skipped";
+  try {
+    const ql = kernel.getService("objectql");
+    if (!ql?.insert || !ql?.find) {
+      logger?.warn?.("[seedProjectOrganization] objectql service unavailable", { orgId: seed.id });
+      return "skipped";
+    }
+    try {
+      const existing = await ql.find(SYS_ORG, { where: { id: seed.id } });
+      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
+      if (Array.isArray(rows) && rows.length > 0) return "exists";
+    } catch {
+    }
+    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+    await ql.insert(SYS_ORG, {
+      id: seed.id,
+      name: seed.name,
+      slug: seed.slug ?? null,
+      logo: seed.logo ?? null,
+      metadata: null,
+      created_at: nowIso
+    });
+    logger?.info?.("[seedProjectOrganization] org seeded", {
+      orgId: seed.id,
+      name: seed.name
+    });
+    return "inserted";
+  } catch (err) {
+    logger?.warn?.("[seedProjectOrganization] failed (non-fatal)", {
+      orgId: seed.id,
+      error: err?.message
+    });
+    return "error";
+  }
+}
+async function seedProjectMember(kernel, args, logger) {
+  const { userId, organizationId } = args;
+  const role = args.role ?? "member";
+  if (!userId || !organizationId) return "skipped";
+  try {
+    const ql = kernel.getService("objectql");
+    if (!ql?.insert || !ql?.find) {
+      logger?.warn?.("[seedProjectMember] objectql service unavailable", { userId, organizationId });
+      return "skipped";
+    }
+    try {
+      const existing = await ql.find("sys_member", {
+        where: { user_id: userId, organization_id: organizationId }
+      });
+      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
+      if (Array.isArray(rows) && rows.length > 0) return "exists";
+    } catch {
+    }
+    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+    const memId = `mem_${Math.random().toString(36).slice(2, 14)}`;
+    await ql.insert("sys_member", {
+      id: memId,
+      organization_id: organizationId,
+      user_id: userId,
+      role,
+      created_at: nowIso
+    });
+    logger?.info?.("[seedProjectMember] member seeded", {
+      userId,
+      organizationId,
+      role
+    });
+    return "inserted";
+  } catch (err) {
+    logger?.warn?.("[seedProjectMember] failed (non-fatal)", {
+      userId,
+      organizationId,
+      error: err?.message
+    });
+    return "error";
+  }
+}
+var SYS_ORG;
+var init_project_org_seed = __esm({
+  "src/cloud/project-org-seed.ts"() {
+    "use strict";
+    SYS_ORG = "sys_organization";
+  }
+});
+
+// src/cloud/project-owner-seed.ts
+var project_owner_seed_exports = {};
+__export(project_owner_seed_exports, {
+  seedProjectOwner: () => seedProjectOwner
+});
+async function seedProjectOwner(kernel, seed, logger) {
+  if (!seed?.userId || !seed?.email) return "skipped";
+  try {
+    const ql = kernel.getService("objectql");
+    if (!ql?.insert || !ql?.find) {
+      logger?.warn?.("[seedProjectOwner] objectql service unavailable", { userId: seed.userId });
+      return "skipped";
+    }
+    try {
+      const existing = await ql.find(SYS_USER, { where: { id: seed.userId } });
+      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
+      if (Array.isArray(rows) && rows.length > 0) return "exists";
+    } catch {
+    }
+    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+    await ql.insert(SYS_USER, {
+      id: seed.userId,
+      email: seed.email,
+      name: seed.name ?? seed.email.split("@")[0] ?? "Owner",
+      image: seed.image ?? null,
+      // Cloud already verified the upstream email. Marking it verified
+      // here is what unblocks better-auth's accountLinking check on
+      // the first SSO callback (alongside the trustedProviders config
+      // in plugin-auth/auth-manager.ts).
+      email_verified: true,
+      created_at: nowIso,
+      updated_at: nowIso
+    });
+    logger?.info?.("[seedProjectOwner] owner seeded", {
+      userId: seed.userId,
+      email: seed.email
+    });
+    return "inserted";
+  } catch (err) {
+    logger?.warn?.("[seedProjectOwner] failed (non-fatal)", {
+      userId: seed.userId,
+      error: err?.message
+    });
+    return "error";
+  }
+}
+var SYS_USER;
+var init_project_owner_seed = __esm({
+  "src/cloud/project-owner-seed.ts"() {
+    "use strict";
+    SYS_USER = "sys_user";
+  }
+});
+
 // src/index.ts
-import { ObjectKernel as ObjectKernel3 } from "@objectstack/core";
+import { ObjectKernel as ObjectKernel4 } from "@objectstack/core";
 
 // src/runtime.ts
 import { ObjectKernel } from "@objectstack/core";
@@ -34506,15 +34998,45 @@ async function createStandaloneStack(config) {
     new ObjectQLPlugin({ projectId })
   ];
   if (artifactBundle) plugins.push(new AppPlugin2(artifactBundle));
+  const requires = Array.isArray(artifactBundle?.requires) ? artifactBundle.requires.filter((c) => typeof c === "string") : void 0;
+  const objects = Array.isArray(artifactBundle?.objects) ? artifactBundle.objects : void 0;
+  const manifest = artifactBundle?.manifest;
   return {
     plugins,
     api: {
       enableProjectScoping: false,
       projectResolution: "none"
-    }
+    },
+    ...requires ? { requires } : {},
+    ...objects ? { objects } : {},
+    ...manifest ? { manifest } : {}
   };
 }
 
+// src/default-host.ts
+import { resolve as resolvePath3 } from "path";
+import { existsSync } from "fs";
+init_load_artifact_bundle();
+function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
+  const candidate = explicitPath ?? process.env.OS_ARTIFACT_PATH ?? resolvePath3(cwd, "dist/objectstack.json");
+  if (isHttpUrl(candidate)) return candidate;
+  if (explicitPath || process.env.OS_ARTIFACT_PATH) return candidate;
+  return existsSync(candidate) ? candidate : void 0;
+}
+async function createDefaultHostConfig(options = {}) {
+  const { requireArtifact = true, ...standaloneOpts } = options;
+  const resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
+  if (!resolvedArtifact && requireArtifact) {
+    throw new Error(
+      "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
+    );
+  }
+  return createStandaloneStack({
+    ...standaloneOpts,
+    artifactPath: resolvedArtifact
+  });
+}
+
 // src/index.ts
 init_driver_plugin();
 init_app_plugin();
@@ -34869,7 +35391,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    * so project-scoped meta routes can resolve their project).
    */
   async resolveEnvironmentContext(context, path) {
-    const skipPaths = ["/auth", "/cloud", "/health", "/discovery"];
+    const skipPaths = ["/cloud", "/health", "/discovery"];
     if (skipPaths.some((p) => path.startsWith(p))) {
       return;
     }
@@ -34941,7 +35463,7 @@ var _HttpDispatcher = class _HttpDispatcher {
           const qlService = await this.getObjectQLService();
           const ql = qlService ?? await this.resolveService("objectql");
           if (ql) {
-            let rows = await ql.find("sys_project", {
+            let rows = await ql.find("sys_environment", {
               where: {
                 organization_id: activeOrganizationId,
                 is_default: true
@@ -35028,8 +35550,8 @@ var _HttpDispatcher = class _HttpDispatcher {
       const qlService = await this.getObjectQLService();
       const ql = qlService ?? await this.resolveService("objectql");
       if (!ql) return null;
-      let rows = await ql.find("sys_project_member", {
-        where: { project_id: projectId, user_id: userId },
+      let rows = await ql.find("sys_environment_member", {
+        where: { environment_id: projectId, user_id: userId },
         limit: 1
       });
       if (rows && rows.value) rows = rows.value;
@@ -35284,8 +35806,9 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return { handled: true, response: this.success({ types: ["object", "app", "plugin"] }) };
     }
-    if (parts.length === 3 && parts[2] === "published" && (!method || method === "GET")) {
-      const [type, name] = parts;
+    if (parts.length >= 3 && parts[parts.length - 1] === "published" && (!method || method === "GET")) {
+      const type = parts[0];
+      const name = parts.slice(1, -1).join("/");
       const metadataService = await this.getService(CoreServiceName.enum.metadata);
       if (metadataService && typeof metadataService.getPublished === "function") {
         const data = await metadataService.getPublished(type, name);
@@ -35302,14 +35825,16 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return { handled: true, response: this.error("Not found", 404) };
     }
-    if (parts.length === 2) {
-      const [type, name] = parts;
+    if (parts.length >= 2) {
+      const type = parts[0];
+      const name = parts.slice(1).join("/");
       const packageId = query?.package || void 0;
       if (method === "PUT" && body) {
         const protocol = await this.resolveService("protocol");
         if (protocol && typeof protocol.saveMetaItem === "function") {
           try {
-            const result = await protocol.saveMetaItem({ type, name, item: body });
+            const organizationId = await this.resolveActiveOrganizationId(_context);
+            const result = await protocol.saveMetaItem({ type, name, item: body, organizationId });
             return { handled: true, response: this.success(result) };
           } catch (e) {
             return { handled: true, response: this.error(e.message, 400) };
@@ -35333,7 +35858,8 @@ var _HttpDispatcher = class _HttpDispatcher {
           const scoped = scopedEnv !== void 0;
           if (scoped && typeof protocol2.getMetaItem === "function") {
             try {
-              const data = await protocol2.getMetaItem({ type: "object", name });
+              const organizationId = await this.resolveActiveOrganizationId(_context);
+              const data = await protocol2.getMetaItem({ type: "object", name, organizationId });
               if (data && (data.item ?? data)) {
                 return { handled: true, response: this.success(data) };
               }
@@ -35347,7 +35873,8 @@ var _HttpDispatcher = class _HttpDispatcher {
           }
           if (!scoped && protocol2 && typeof protocol2.getMetaItem === "function") {
             try {
-              const data = await protocol2.getMetaItem({ type: "object", name });
+              const organizationId = await this.resolveActiveOrganizationId(_context);
+              const data = await protocol2.getMetaItem({ type: "object", name, organizationId });
               if (data && (data.item ?? data)) {
                 return { handled: true, response: this.success(data) };
               }
@@ -35360,7 +35887,8 @@ var _HttpDispatcher = class _HttpDispatcher {
         const protocol = await this.resolveService("protocol");
         if (protocol && typeof protocol.getMetaItem === "function") {
           try {
-            const data = await protocol.getMetaItem({ type: singularType, name, packageId });
+            const organizationId = await this.resolveActiveOrganizationId(_context);
+            const data = await protocol.getMetaItem({ type: singularType, name, packageId, organizationId });
             return { handled: true, response: this.success(data) };
           } catch (e) {
           }
@@ -35384,7 +35912,8 @@ var _HttpDispatcher = class _HttpDispatcher {
       const protocol = await this.resolveService("protocol");
       if (protocol && typeof protocol.getMetaItems === "function") {
         try {
-          const data = await protocol.getMetaItems({ type: typeOrName, packageId });
+          const organizationId = await this.resolveActiveOrganizationId(_context);
+          const data = await protocol.getMetaItems({ type: typeOrName, packageId, organizationId });
           if (data && (data.items !== void 0 || Array.isArray(data))) {
             return { handled: true, response: this.success(data) };
           }
@@ -35723,6 +36252,61 @@ var _HttpDispatcher = class _HttpDispatcher {
    * Physical database addressing (database_url, database_driver, etc.)
    * is stored directly on the sys_project row.
    */
+  /**
+   * Resolve the calling user id from the request session, if any.
+   * Returns `undefined` for anonymous calls or when auth is not wired up.
+   */
+  async resolveActiveOrganizationId(context) {
+    try {
+      const authService = await this.resolveService(CoreServiceName.enum.auth);
+      const rawHeaders = context.request?.headers;
+      let headers = rawHeaders;
+      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
+        try {
+          const h = new Headers();
+          for (const [k, v] of Object.entries(rawHeaders)) {
+            if (v == null) continue;
+            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
+          }
+          headers = h;
+        } catch {
+          headers = rawHeaders;
+        }
+      }
+      const apiObj = authService?.auth?.api ?? authService?.api;
+      const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
+      const oid = sessionData?.session?.activeOrganizationId;
+      return typeof oid === "string" && oid.length > 0 ? oid : void 0;
+    } catch {
+      return void 0;
+    }
+  }
+  async resolveCallerUserId(context) {
+    try {
+      const authService = await this.resolveService(CoreServiceName.enum.auth);
+      const rawHeaders = context.request?.headers;
+      let headers = rawHeaders;
+      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
+        try {
+          const h = new Headers();
+          for (const [k, v] of Object.entries(rawHeaders)) {
+            if (v == null) continue;
+            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
+          }
+          headers = h;
+        } catch {
+          headers = rawHeaders;
+        }
+      }
+      const sessionData = await (authService?.auth?.api?.getSession ?? authService?.api?.getSession)?.call(
+        authService?.auth?.api ?? authService?.api,
+        { headers }
+      );
+      return sessionData?.user?.id ?? sessionData?.session?.userId;
+    } catch (e) {
+      return void 0;
+    }
+  }
   async handleCloud(path, method, body, query, _context) {
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
@@ -35731,9 +36315,9 @@ var _HttpDispatcher = class _HttpDispatcher {
     if (!ql) {
       return { handled: true, response: this.error("Project service not available (ObjectQL missing)", 503) };
     }
-    const ENV = "sys_project";
-    const CRED = "sys_project_credential";
-    const MEM = "sys_project_member";
+    const ENV = "sys_environment";
+    const CRED = "sys_environment_credential";
+    const MEM = "sys_environment_member";
     const PKG_INSTALL = "sys_package_installation";
     const PKG = "sys_package";
     const PKG_VERSION = "sys_package_version";
@@ -35781,7 +36365,7 @@ var _HttpDispatcher = class _HttpDispatcher {
       const pkgRow = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
       if (!pkgRow?.id) return null;
       return await ql.findOne(PKG_INSTALL, {
-        where: { project_id: envId, package_id: pkgRow.id }
+        where: { environment_id: envId, package_id: pkgRow.id }
       });
     };
     const toShortName = (driverId) => {
@@ -35880,6 +36464,44 @@ var _HttpDispatcher = class _HttpDispatcher {
           return { handled: true, response: this.success({ templates: [], total: 0 }) };
         }
       }
+      if (parts.length === 3 && parts[0] === "admin" && parts[1] === "platform-sso" && parts[2] === "backfill" && m === "POST") {
+        const baseSecret = (process.env.OS_AUTH_SECRET ?? process.env.AUTH_SECRET ?? "").trim();
+        if (!baseSecret) {
+          return { handled: true, response: this.error("OS_AUTH_SECRET not configured on this worker", 503) };
+        }
+        const rawHeaders = _context?.request?.headers;
+        let authHeader;
+        if (rawHeaders && typeof rawHeaders.get === "function") {
+          authHeader = rawHeaders.get("authorization") ?? void 0;
+        } else if (rawHeaders && typeof rawHeaders === "object") {
+          authHeader = rawHeaders["authorization"] ?? rawHeaders["Authorization"];
+        }
+        const presented = typeof authHeader === "string" && authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
+        if (!presented || presented !== baseSecret) {
+          return { handled: true, response: this.error("forbidden: Bearer token must match OS_AUTH_SECRET", 403) };
+        }
+        try {
+          const { backfillPlatformSsoClients: backfillPlatformSsoClients2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
+          const result = await backfillPlatformSsoClients2({
+            ql,
+            baseSecret,
+            logger: console
+          });
+          let sample = [];
+          let total = 0;
+          try {
+            const rows = await ql.find("sys_oauth_application", { limit: 5 }, { context: { isSystem: true } });
+            const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+            sample = list;
+            total = typeof rows?.total === "number" ? rows.total : list.length;
+          } catch (e) {
+            sample = [{ _readErr: e?.message ?? String(e) }];
+          }
+          return { handled: true, response: this.success({ ...result, total, sample }) };
+        } catch (err) {
+          return { handled: true, response: this.error(`backfill failed: ${err?.message ?? String(err)}`, 500) };
+        }
+      }
       if (parts.length === 1 && parts[0] === "projects" && m === "GET") {
         const where = {};
         if (query?.organizationId) where.organization_id = query.organizationId;
@@ -35893,16 +36515,26 @@ var _HttpDispatcher = class _HttpDispatcher {
         const req = body || {};
         if (req.organization_id === "__session__" || req.created_by === "__session__") {
           try {
-            const authService = await this.getService(CoreServiceName.enum.auth);
-            const sessionData = await authService?.api?.getSession?.({
-              headers: _context?.request?.headers
-            });
+            const userId = await this.resolveCallerUserId(_context);
+            if (req.created_by === "__session__") {
+              req.created_by = userId ?? "system";
+            }
             if (req.organization_id === "__session__") {
+              const authService = await this.resolveService(CoreServiceName.enum.auth);
+              const rawHeaders = _context?.request?.headers;
+              let headers = rawHeaders;
+              if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
+                const h = new Headers();
+                for (const [k, v] of Object.entries(rawHeaders)) {
+                  if (v == null) continue;
+                  h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
+                }
+                headers = h;
+              }
+              const apiObj = authService?.auth?.api ?? authService?.api;
+              const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
               req.organization_id = sessionData?.session?.activeOrganizationId ?? void 0;
             }
-            if (req.created_by === "__session__") {
-              req.created_by = sessionData?.user?.id ?? "system";
-            }
           } catch {
           }
         }
@@ -35940,14 +36572,14 @@ var _HttpDispatcher = class _HttpDispatcher {
           try {
             const orgRow = await findOne("sys_organization", { id: req.organization_id });
             const orgSlug = orgRow?.slug || req.organization_id;
-            const rootDomain = getEnv("ROOT_DOMAIN", "objectstack.app");
+            const rootDomain = getEnv("OS_ROOT_DOMAIN") ?? getEnv("ROOT_DOMAIN", "objectstack.app");
             computedHostname = `${orgSlug}-${shortId}.${rootDomain}`;
           } catch {
             computedHostname = `${req.organization_id}-${shortId}.objectstack.app`;
           }
         }
         try {
-          const existing = await findOne("sys_project", {
+          const existing = await findOne("sys_environment", {
             hostname: computedHostname
           });
           if (existing && existing.id !== projectId) {
@@ -35965,6 +36597,40 @@ var _HttpDispatcher = class _HttpDispatcher {
         const baseMetadata = { ...req.metadata ?? {} };
         const simulateFailure = Boolean(baseMetadata.__simulateFailure);
         const simulateDelayMs = Number(baseMetadata.__simulateDelayMs ?? 1500);
+        try {
+          let ownerUserId = req.created_by && req.created_by !== "system" ? String(req.created_by) : void 0;
+          if (!ownerUserId) {
+            ownerUserId = await this.resolveCallerUserId(_context);
+          }
+          if (ownerUserId) {
+            const userRow = await ql.find("sys_user", { where: { id: ownerUserId } });
+            const userRows = Array.isArray(userRow) ? userRow : userRow?.value ?? [];
+            const u = Array.isArray(userRows) && userRows.length > 0 ? userRows[0] : null;
+            if (u?.email) {
+              baseMetadata.ownerSeed = {
+                userId: String(ownerUserId),
+                email: String(u.email),
+                name: u.name ? String(u.name) : null,
+                image: u.image ? String(u.image) : null
+              };
+            }
+          }
+        } catch {
+        }
+        try {
+          const orgRow = await ql.find("sys_organization", { where: { id: req.organization_id } });
+          const orgRows = Array.isArray(orgRow) ? orgRow : orgRow?.value ?? [];
+          const org = Array.isArray(orgRows) && orgRows.length > 0 ? orgRows[0] : null;
+          if (org?.id && org?.name) {
+            baseMetadata.orgSeed = {
+              id: String(org.id),
+              name: String(org.name),
+              slug: org.slug ? String(org.slug) : null,
+              logo: org.logo ? String(org.logo) : null
+            };
+          }
+        } catch {
+        }
         await ql.insert(ENV, {
           id: projectId,
           organization_id: req.organization_id,
@@ -35981,8 +36647,30 @@ var _HttpDispatcher = class _HttpDispatcher {
           database_driver: driver,
           storage_limit_mb: req.storage_limit_mb ?? 1024,
           provisioned_at: null,
-          hostname: computedHostname
+          hostname: computedHostname,
+          visibility: (() => {
+            const raw = String(req.visibility ?? "private");
+            return raw === "unlisted" ? "private" : raw;
+          })()
         });
+        try {
+          const { seedPlatformSsoClient: seedPlatformSsoClient2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
+          const baseSecret = (process.env.OS_AUTH_SECRET ?? process.env.AUTH_SECRET ?? "").trim();
+          if (baseSecret) {
+            await seedPlatformSsoClient2({
+              ql,
+              projectId,
+              hostname: computedHostname,
+              baseSecret,
+              logger: console
+            });
+          }
+        } catch (ssoErr) {
+          console.warn?.("[http-dispatcher] platform SSO seed failed (non-fatal)", {
+            projectId,
+            error: ssoErr?.message
+          });
+        }
         const runProvisioning = async () => {
           try {
             if (simulateDelayMs > 0) {
@@ -36020,7 +36708,7 @@ var _HttpDispatcher = class _HttpDispatcher {
             );
             await ql.insert(CRED, {
               id: credentialId,
-              project_id: projectId,
+              environment_id: projectId,
               secret_ciphertext: plaintextSecret,
               encryption_key_id: "noop",
               authorization: "full_access",
@@ -36135,8 +36823,9 @@ var _HttpDispatcher = class _HttpDispatcher {
         if (m === "GET") {
           const envRow = await findOne(ENV, { id });
           if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          const credRow = await findOne(CRED, { project_id: id, status: "active" });
-          const membership = await findOne(MEM, { project_id: id });
+          const credRow = await findOne(CRED, { environment_id: id, status: "active" });
+          const callerUserId = await this.resolveCallerUserId(_context);
+          const membership = callerUserId ? await findOne(MEM, { environment_id: id, user_id: callerUserId }) : await findOne(MEM, { environment_id: id });
           const credMeta = credRow ? {
             id: credRow.id,
             status: credRow.status,
@@ -36163,6 +36852,14 @@ var _HttpDispatcher = class _HttpDispatcher {
           if (body?.plan !== void 0) patch.plan = body.plan;
           if (body?.status !== void 0) patch.status = body.status;
           if (body?.is_default !== void 0) patch.is_default = body.is_default;
+          if (body?.visibility !== void 0) {
+            let v = String(body.visibility);
+            if (v === "unlisted") v = "private";
+            if (!["private", "public"].includes(v)) {
+              return { handled: true, response: this.error(`Invalid visibility '${v}' (expected private | public)`, 400) };
+            }
+            patch.visibility = v;
+          }
           if (body?.metadata !== void 0) patch.metadata = JSON.stringify(body.metadata);
           patch.updated_at = (/* @__PURE__ */ new Date()).toISOString();
           await ql.update(ENV, patch, { where: { id } });
@@ -36369,11 +37066,11 @@ var _HttpDispatcher = class _HttpDispatcher {
               },
               { where: { id } }
             );
-            const existingCred = await findOne(CRED, { project_id: id, status: "active" });
+            const existingCred = await findOne(CRED, { environment_id: id, status: "active" });
             if (!existingCred) {
               await ql.insert(CRED, {
                 id: randomUUID(),
-                project_id: id,
+                environment_id: id,
                 secret_ciphertext: retrySecret,
                 encryption_key_id: "noop",
                 authorization: "full_access",
@@ -36420,7 +37117,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         const envRow = await findOne(ENV, { id });
         if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
         const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        let existing = await ql.find(CRED, { where: { project_id: id, status: "active" } });
+        let existing = await ql.find(CRED, { where: { environment_id: id, status: "active" } });
         if (existing && existing.value) existing = existing.value;
         for (const row of Array.isArray(existing) ? existing : []) {
           await ql.update(CRED, {
@@ -36432,7 +37129,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         const credentialId = randomUUID();
         await ql.insert(CRED, {
           id: credentialId,
-          project_id: id,
+          environment_id: id,
           secret_ciphertext: plaintext,
           encryption_key_id: "noop",
           authorization: "full_access",
@@ -36451,14 +37148,154 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "GET") {
         const id = decodeURIComponent(parts[1]);
-        let rows = await ql.find(MEM, { where: { project_id: id } });
+        let rows = await ql.find(MEM, { where: { environment_id: id } });
         if (rows && rows.value) rows = rows.value;
         const members = Array.isArray(rows) ? rows : [];
-        return { handled: true, response: this.success({ members }) };
+        const userIds = Array.from(new Set(members.map((mem) => mem.user_id).filter(Boolean)));
+        const userMap = /* @__PURE__ */ new Map();
+        for (const uid of userIds) {
+          let row = null;
+          for (const tableName of ["sys_user", "user"]) {
+            try {
+              const u = await ql.findOne(tableName, { where: { id: uid } });
+              row = u?.value ?? u;
+              if (row) break;
+            } catch {
+            }
+          }
+          if (row) userMap.set(String(uid), {
+            id: row.id,
+            name: row.name ?? row.display_name,
+            email: row.email,
+            image: row.image ?? row.avatar_url
+          });
+        }
+        const enriched = members.map((mem) => ({
+          ...mem,
+          user: userMap.get(String(mem.user_id)) ?? void 0
+        }));
+        return { handled: true, response: this.success({ members: enriched }) };
+      }
+      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "POST") {
+        const id = decodeURIComponent(parts[1]);
+        const project = await findOne(ENV, { id });
+        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
+        const callerId = await this.resolveCallerUserId(_context);
+        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
+        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
+        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
+          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
+        }
+        const email = typeof body?.email === "string" ? String(body.email).trim().toLowerCase() : null;
+        let inviteUserId = typeof body?.user_id === "string" ? String(body.user_id).trim() : null;
+        let role = String(body?.role ?? "member").trim().toLowerCase();
+        if (!["owner", "admin", "member", "viewer"].includes(role)) {
+          return { handled: true, response: this.error(`Invalid role '${role}' (expected owner | admin | member | viewer)`, 400) };
+        }
+        if (!email && !inviteUserId) {
+          return { handled: true, response: this.error("email or user_id is required", 400) };
+        }
+        if (!inviteUserId && email) {
+          let row = null;
+          for (const tableName of ["sys_user", "user"]) {
+            try {
+              const u = await ql.findOne(tableName, { where: { email } });
+              row = u?.value ?? u;
+              if (row) break;
+            } catch {
+            }
+          }
+          if (!row?.id) {
+            return { handled: true, response: this.error(`No user found with email '${email}'`, 404) };
+          }
+          inviteUserId = String(row.id);
+        }
+        const existing = await findOne(MEM, { environment_id: id, user_id: inviteUserId });
+        if (existing) {
+          return { handled: true, response: this.success({ member: existing, alreadyMember: true }) };
+        }
+        try {
+          const memberId = randomUUID();
+          await ql.insert(MEM, {
+            id: memberId,
+            environment_id: id,
+            user_id: inviteUserId,
+            role,
+            invited_by: callerId,
+            organization_id: project.organization_id ?? null
+          });
+          const created = await findOne(MEM, { id: memberId });
+          return { handled: true, response: this.success({ member: created, alreadyMember: false }) };
+        } catch (e) {
+          return { handled: true, response: this.error(e?.message ?? "Failed to add member", 500) };
+        }
+      }
+      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "PATCH") {
+        const id = decodeURIComponent(parts[1]);
+        const memberId = decodeURIComponent(parts[3]);
+        const project = await findOne(ENV, { id });
+        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
+        const callerId = await this.resolveCallerUserId(_context);
+        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
+        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
+        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
+          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
+        }
+        const target = await findOne(MEM, { id: memberId, environment_id: id });
+        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
+        const newRole = String(body?.role ?? "").trim().toLowerCase();
+        if (!["owner", "admin", "member", "viewer"].includes(newRole)) {
+          return { handled: true, response: this.error(`Invalid role '${newRole}'`, 400) };
+        }
+        if (target.role === "owner" && newRole !== "owner") {
+          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
+          if (owners && owners.value) owners = owners.value;
+          const ownerCount = Array.isArray(owners) ? owners.length : 0;
+          if (ownerCount <= 1) {
+            return { handled: true, response: this.error("Cannot demote the last owner", 409) };
+          }
+        }
+        try {
+          await ql.update(MEM, { role: newRole, updated_at: (/* @__PURE__ */ new Date()).toISOString() }, { where: { id: memberId } });
+          const updated = await findOne(MEM, { id: memberId });
+          return { handled: true, response: this.success({ member: updated }) };
+        } catch (e) {
+          return { handled: true, response: this.error(e?.message ?? "Failed to update role", 500) };
+        }
+      }
+      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "DELETE") {
+        const id = decodeURIComponent(parts[1]);
+        const memberId = decodeURIComponent(parts[3]);
+        const project = await findOne(ENV, { id });
+        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
+        const callerId = await this.resolveCallerUserId(_context);
+        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
+        const target = await findOne(MEM, { id: memberId, environment_id: id });
+        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
+        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
+        const isSelf = String(target.user_id) === String(callerId);
+        const isPrivileged = callerMem && ["owner", "admin"].includes(String(callerMem.role));
+        if (!isSelf && !isPrivileged) {
+          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
+        }
+        if (target.role === "owner") {
+          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
+          if (owners && owners.value) owners = owners.value;
+          const ownerCount = Array.isArray(owners) ? owners.length : 0;
+          if (ownerCount <= 1) {
+            return { handled: true, response: this.error("Cannot remove the last owner", 409) };
+          }
+        }
+        try {
+          await ql.delete(MEM, { where: { id: memberId } });
+          return { handled: true, response: this.success({ removed: true, memberId }) };
+        } catch (e) {
+          return { handled: true, response: this.error(e?.message ?? "Failed to remove member", 500) };
+        }
       }
       if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
         const envId = decodeURIComponent(parts[1]);
-        let rows = await ql.find(PKG_INSTALL, { where: { project_id: envId } });
+        let rows = await ql.find(PKG_INSTALL, { where: { environment_id: envId } });
         if (rows && rows.value) rows = rows.value;
         const installs = Array.isArray(rows) ? rows : [];
         const packages = await Promise.all(
@@ -36519,7 +37356,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         }
         const resolvedVersion = version ?? manifest?.version ?? "1.0.0";
         const dup = await ql.findOne(PKG_INSTALL, {
-          where: { project_id: envId, package_id: packageId }
+          where: { environment_id: envId, package_id: packageId }
         });
         if (dup?.id) {
           return { handled: true, response: this.error(`Package '${packageId}' is already installed in this project`, 409) };
@@ -36530,7 +37367,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         const recordId = randomUUID();
         await ql.insert(PKG_INSTALL, {
           id: recordId,
-          project_id: envId,
+          environment_id: envId,
           package_id: sysPackageId,
           package_version_id: sysPackageVersionId,
           status: "installed",
@@ -36550,7 +37387,7 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
         const envId = decodeURIComponent(parts[1]);
         const pkgId = decodeURIComponent(parts[3]);
-        const record = await ql.findOne(PKG_INSTALL, { where: { project_id: envId, package_id: pkgId } });
+        const record = await ql.findOne(PKG_INSTALL, { where: { environment_id: envId, package_id: pkgId } });
         if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
         return { handled: true, response: this.success({ package: record }) };
       }
@@ -36657,7 +37494,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    */
   async deleteProjectCascade(projectId, deps) {
     const { ql, findOne, getRealAdapter, force } = deps;
-    const ENV = "sys_project";
+    const ENV = "sys_environment";
     const warnings = [];
     const row = await findOne(ENV, { id: projectId });
     if (!row) {
@@ -36675,9 +37512,9 @@ var _HttpDispatcher = class _HttpDispatcher {
       };
     }
     const cascade = [
-      { object: "sys_project_credential", field: "project_id" },
-      { object: "sys_project_member", field: "project_id" },
-      { object: "sys_package_installation", field: "project_id" }
+      { object: "sys_environment_credential", field: "environment_id" },
+      { object: "sys_environment_member", field: "environment_id" },
+      { object: "sys_package_installation", field: "environment_id" }
     ];
     for (const { object, field } of cascade) {
       try {
@@ -37353,8 +38190,316 @@ _HttpDispatcher.SYSTEM_PROJECT_ID = "00000000-0000-0000-0000-000000000001";
 _HttpDispatcher.PLATFORM_ORG_ID = "00000000-0000-0000-0000-000000000000";
 var HttpDispatcher = _HttpDispatcher;
 
+// src/security/security-headers.ts
+function buildSecurityHeaders(opts = {}) {
+  const h = {};
+  if (opts.contentSecurityPolicy !== false) {
+    h["Content-Security-Policy"] = opts.contentSecurityPolicy ?? "default-src 'none'; frame-ancestors 'none'";
+  }
+  if (opts.hsts) {
+    const cfg = typeof opts.hsts === "object" ? opts.hsts : {};
+    const maxAge = cfg.maxAge ?? 15552e3;
+    const parts = [`max-age=${maxAge}`];
+    if (cfg.includeSubDomains ?? true) parts.push("includeSubDomains");
+    if (cfg.preload) parts.push("preload");
+    h["Strict-Transport-Security"] = parts.join("; ");
+  }
+  h["X-Content-Type-Options"] = "nosniff";
+  if (opts.frameOptions !== false) {
+    h["X-Frame-Options"] = opts.frameOptions ?? "DENY";
+  }
+  if (opts.referrerPolicy !== false) {
+    h["Referrer-Policy"] = opts.referrerPolicy ?? "no-referrer";
+  }
+  if (opts.permissionsPolicy !== false) {
+    h["Permissions-Policy"] = opts.permissionsPolicy ?? "geolocation=(), camera=(), microphone=(), payment=()";
+  }
+  if (opts.corp !== false) {
+    h["Cross-Origin-Resource-Policy"] = opts.corp ?? "same-origin";
+  }
+  if (opts.extra) {
+    Object.assign(h, opts.extra);
+  }
+  return h;
+}
+
+// src/security/rate-limit.ts
+var MemoryStore = class {
+  constructor(maxEntries = 1e5) {
+    this.buckets = /* @__PURE__ */ new Map();
+    this.maxEntries = maxEntries;
+  }
+  get(key) {
+    return this.buckets.get(key);
+  }
+  set(key, state) {
+    if (this.buckets.size >= this.maxEntries) {
+      const dropCount = Math.max(1, Math.floor(this.maxEntries / 10));
+      const iter = this.buckets.keys();
+      for (let i = 0; i < dropCount; i++) {
+        const k = iter.next().value;
+        if (!k) break;
+        this.buckets.delete(k);
+      }
+    }
+    this.buckets.set(key, state);
+  }
+  prune(olderThanMs) {
+    const cutoff = Date.now() - olderThanMs;
+    for (const [k, v] of this.buckets) {
+      if (v.lastRefill < cutoff) this.buckets.delete(k);
+    }
+  }
+};
+var RateLimiter = class {
+  constructor(config, opts = {}) {
+    if (config.capacity <= 0) throw new Error("RateLimiter: capacity must be > 0");
+    if (config.refillPerSec <= 0) throw new Error("RateLimiter: refillPerSec must be > 0");
+    this.config = config;
+    this.store = opts.store ?? new MemoryStore();
+    this.now = opts.now ?? Date.now;
+  }
+  /**
+   * Attempt to consume `cost` tokens for `key`. Returns a decision
+   * describing whether the request should proceed and, if not, how
+   * long the caller should wait before retrying.
+   */
+  consume(key, cost = this.config.defaultCost ?? 1) {
+    const now = this.now();
+    const { capacity, refillPerSec } = this.config;
+    let state = this.store.get(key);
+    if (!state) {
+      state = { tokens: capacity, lastRefill: now };
+    } else {
+      const elapsedSec = (now - state.lastRefill) / 1e3;
+      if (elapsedSec > 0) {
+        state = {
+          tokens: Math.min(capacity, state.tokens + elapsedSec * refillPerSec),
+          lastRefill: now
+        };
+      }
+    }
+    if (state.tokens >= cost) {
+      state.tokens -= cost;
+      this.store.set(key, state);
+      return {
+        allowed: true,
+        remaining: Math.floor(state.tokens),
+        retryAfterMs: 0,
+        resetAt: now + Math.ceil((capacity - state.tokens) / refillPerSec * 1e3)
+      };
+    }
+    const tokensNeeded = cost - state.tokens;
+    const retryAfterMs = Math.ceil(tokensNeeded / refillPerSec * 1e3);
+    this.store.set(key, state);
+    return {
+      allowed: false,
+      remaining: Math.floor(state.tokens),
+      retryAfterMs,
+      resetAt: now + retryAfterMs
+    };
+  }
+  /** Force-reset a key (e.g. after a successful auth flow). */
+  reset(key) {
+    this.store.set(key, { tokens: this.config.capacity, lastRefill: this.now() });
+  }
+};
+var DEFAULT_RATE_LIMITS = {
+  auth: { capacity: 10, refillPerSec: 10 / 60 },
+  write: { capacity: 60, refillPerSec: 60 / 60 },
+  read: { capacity: 600, refillPerSec: 600 / 60 }
+};
+
+// src/observability/request-context.ts
+var MAX_REQUEST_ID_LENGTH = 200;
+var REQUEST_ID_PATTERN = /^[A-Za-z0-9._:-]+$/;
+function extractRequestId(headers) {
+  if (!headers || typeof headers !== "object") return void 0;
+  for (const [k, v] of Object.entries(headers)) {
+    if (k.toLowerCase() !== "x-request-id") continue;
+    const raw = Array.isArray(v) ? v[0] : v;
+    if (typeof raw !== "string") return void 0;
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed.length > MAX_REQUEST_ID_LENGTH) return void 0;
+    if (!REQUEST_ID_PATTERN.test(trimmed)) return void 0;
+    return trimmed;
+  }
+  return void 0;
+}
+function generateRequestId() {
+  const g = globalThis.crypto;
+  if (g && typeof g.randomUUID === "function") {
+    return `req_${g.randomUUID().replace(/-/g, "")}`;
+  }
+  const t = Date.now().toString(36);
+  const r = Math.random().toString(36).slice(2, 12);
+  return `req_${t}${r}`;
+}
+function resolveRequestId(headers, generate = generateRequestId) {
+  return extractRequestId(headers) ?? generate();
+}
+var TRACEPARENT_PATTERN = /^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;
+function parseTraceparent(value) {
+  if (typeof value !== "string") return void 0;
+  const m = TRACEPARENT_PATTERN.exec(value.trim().toLowerCase());
+  if (!m) return void 0;
+  const [, version, traceId, spanId, flags] = m;
+  if (version !== "00") return void 0;
+  if (/^0+$/.test(traceId) || /^0+$/.test(spanId)) return void 0;
+  const sampled = (parseInt(flags, 16) & 1) === 1;
+  return { traceId, spanId, sampled };
+}
+function formatTraceparent(ctx) {
+  const flag = ctx.sampled ? "01" : "00";
+  return `00-${ctx.traceId}-${ctx.spanId}-${flag}`;
+}
+
+// src/observability/metrics.ts
+var NoopMetricsRegistry = class {
+  counter() {
+  }
+  histogram() {
+  }
+  gauge() {
+  }
+};
+var InMemoryMetricsRegistry = class {
+  constructor() {
+    this.samples = [];
+  }
+  counter(name, labels = {}, value = 1) {
+    this.samples.push({ name, kind: "counter", value, labels, at: Date.now() });
+  }
+  histogram(name, value, labels = {}) {
+    this.samples.push({ name, kind: "histogram", value, labels, at: Date.now() });
+  }
+  gauge(name, value, labels = {}) {
+    this.samples.push({ name, kind: "gauge", value, labels, at: Date.now() });
+  }
+  /**
+   * Sum of all counter increments matching `name` (and optionally a
+   * label subset). Useful in tests: `metrics.totalCounter('http_requests_total', { status: '500' })`.
+   */
+  totalCounter(name, labelMatch = {}) {
+    return this.samples.filter(
+      (s) => s.kind === "counter" && s.name === name && matchesLabels(s.labels, labelMatch)
+    ).reduce((acc, s) => acc + s.value, 0);
+  }
+  /**
+   * All histogram observations matching `name` (and optionally a
+   * label subset), as raw values.
+   */
+  histogramValues(name, labelMatch = {}) {
+    return this.samples.filter(
+      (s) => s.kind === "histogram" && s.name === name && matchesLabels(s.labels, labelMatch)
+    ).map((s) => s.value);
+  }
+  /** Clear all recorded samples. */
+  reset() {
+    this.samples.length = 0;
+  }
+};
+function matchesLabels(actual, expected) {
+  for (const [k, v] of Object.entries(expected)) {
+    if (actual[k] !== v) return false;
+  }
+  return true;
+}
+var RUNTIME_METRICS = {
+  /** Counter, labels: method, route, status. */
+  httpRequestsTotal: "http_requests_total",
+  /** Histogram (ms), labels: method, route. */
+  httpRequestDurationMs: "http_request_duration_ms",
+  /** Counter, labels: method, route. Incremented when an in-flight handler throws (after the response is sent). */
+  httpRequestErrorsTotal: "http_request_errors_total"
+};
+
+// src/observability/error-reporter.ts
+var NoopErrorReporter = class {
+  captureException() {
+  }
+};
+var InMemoryErrorReporter = class {
+  constructor() {
+    this.captured = [];
+  }
+  captureException(error2, context = {}) {
+    this.captured.push({ error: error2, context, at: Date.now() });
+  }
+  reset() {
+    this.captured.length = 0;
+  }
+};
+
+// src/observability/instrument.ts
+function instrumentRouteHandler(method, route, handler, opts = {}) {
+  const metrics = opts.metrics ?? new NoopMetricsRegistry();
+  const errorReporter = opts.errorReporter ?? new NoopErrorReporter();
+  const generateRequestId2 = opts.generateRequestId;
+  const requestIdHeader = opts.requestIdHeader ?? "X-Request-Id";
+  const now = opts.now ?? Date.now;
+  return async (req, res) => {
+    const requestId = resolveRequestId(req?.headers, generateRequestId2);
+    try {
+      req.requestId = requestId;
+    } catch {
+    }
+    if (typeof res?.header === "function") {
+      try {
+        res.header(requestIdHeader, requestId);
+      } catch {
+      }
+    }
+    let status = 200;
+    const origStatus = typeof res?.status === "function" ? res.status.bind(res) : void 0;
+    if (origStatus) {
+      res.status = (code) => {
+        status = code;
+        return origStatus(code);
+      };
+    }
+    const startedAt = now();
+    let threw = false;
+    try {
+      await handler(req, res);
+    } catch (err) {
+      threw = true;
+      status = err?.statusCode ?? 500;
+      metrics.counter(RUNTIME_METRICS.httpRequestErrorsTotal, { method, route });
+      if (status >= 500) {
+        safeReport(errorReporter, err, { requestId, method, route });
+      }
+      throw err;
+    } finally {
+      const elapsed = now() - startedAt;
+      metrics.counter(RUNTIME_METRICS.httpRequestsTotal, {
+        method,
+        route,
+        status: String(status)
+      });
+      metrics.histogram(
+        RUNTIME_METRICS.httpRequestDurationMs,
+        elapsed,
+        { method, route }
+      );
+      if (!threw && status >= 500) {
+        const recorded = res?.__obsRecordedError;
+        if (recorded !== void 0) {
+          safeReport(errorReporter, recorded, { requestId, method, route });
+        }
+      }
+    }
+  };
+}
+function safeReport(reporter, err, ctx) {
+  try {
+    reporter.captureException(err, ctx);
+  } catch {
+  }
+}
+
 // src/dispatcher-plugin.ts
-function mountRouteOnServer(route, server, routePath) {
+function mountRouteOnServer(route, server, routePath, securityHeaders) {
   const handler = async (req, res) => {
     try {
       const result = await route.handler({
@@ -37364,6 +38509,11 @@ function mountRouteOnServer(route, server, routePath) {
       });
       if (result.stream && result.events) {
         res.status(result.status);
+        if (securityHeaders) {
+          for (const [k, v] of Object.entries(securityHeaders)) {
+            res.header(k, v);
+          }
+        }
         if (result.headers) {
           for (const [k, v] of Object.entries(result.headers)) {
             res.header(k, String(v));
@@ -37389,6 +38539,11 @@ function mountRouteOnServer(route, server, routePath) {
         }
       } else {
         res.status(result.status);
+        if (securityHeaders) {
+          for (const [k, v] of Object.entries(securityHeaders)) {
+            res.header(k, v);
+          }
+        }
         if (result.body !== void 0) {
           res.json(result.body);
         } else {
@@ -37396,7 +38551,7 @@ function mountRouteOnServer(route, server, routePath) {
         }
       }
     } catch (err) {
-      errorResponse(err, res);
+      errorResponseBase(err, res, securityHeaders);
     }
   };
   const m = route.method.toLowerCase();
@@ -37412,10 +38567,17 @@ function mountRouteOnServer(route, server, routePath) {
   }
   return false;
 }
-function sendResult(result, res) {
+function sendResultBase(result, res, securityHeaders) {
+  const applySecurityHeaders = () => {
+    if (!securityHeaders) return;
+    for (const [k, v] of Object.entries(securityHeaders)) {
+      res.header(k, v);
+    }
+  };
   if (result.handled) {
     if (result.response) {
       res.status(result.response.status);
+      applySecurityHeaders();
       if (result.response.headers) {
         for (const [k, v] of Object.entries(result.response.headers)) {
           res.header(k, v);
@@ -37425,11 +38587,15 @@ function sendResult(result, res) {
       return;
     }
     if (result.result) {
-      res.status(200).json(result.result);
+      res.status(200);
+      applySecurityHeaders();
+      res.json(result.result);
       return;
     }
   }
-  res.status(404).json({
+  res.status(404);
+  applySecurityHeaders();
+  res.json({
     success: false,
     error: {
       message: "Not Found",
@@ -37439,9 +38605,21 @@ function sendResult(result, res) {
     }
   });
 }
-function errorResponse(err, res) {
+function errorResponseBase(err, res, securityHeaders) {
   const code = err.statusCode || 500;
-  res.status(code).json({
+  res.status(code);
+  if (securityHeaders) {
+    for (const [k, v] of Object.entries(securityHeaders)) {
+      res.header(k, v);
+    }
+  }
+  if (code >= 500) {
+    try {
+      res.__obsRecordedError = err;
+    } catch {
+    }
+  }
+  res.json({
     success: false,
     error: { message: err.message || "Internal Server Error", code }
   });
@@ -37466,10 +38644,52 @@ function createDispatcherPlugin(config = {}) {
         enforceProjectMembership: enforceMembership
       });
       const prefix = config.prefix || "/api/v1";
+      const securityHeaders = config.securityHeaders === false ? void 0 : buildSecurityHeaders(
+        typeof config.securityHeaders === "object" ? config.securityHeaders : {}
+      );
+      const sendResult = (result, res) => sendResultBase(result, res, securityHeaders);
+      const errorResponse = (err, res) => errorResponseBase(err, res, securityHeaders);
+      const metrics = config.observability?.metrics ?? new NoopMetricsRegistry();
+      const errorReporter = config.observability?.errorReporter ?? new NoopErrorReporter();
+      const generateRequestId2 = config.observability?.generateRequestId;
+      const requestIdHeader = config.observability?.requestIdHeader ?? "X-Request-Id";
+      const rawServer = server;
+      server = new Proxy(rawServer, {
+        get(target, prop, receiver) {
+          if (prop === "get" || prop === "post" || prop === "delete") {
+            const method = String(prop).toUpperCase();
+            const original = target[prop];
+            if (typeof original !== "function") return original;
+            return (route, handler) => {
+              return original.call(
+                target,
+                route,
+                instrumentRouteHandler(method, route, handler, {
+                  metrics,
+                  errorReporter,
+                  generateRequestId: generateRequestId2,
+                  requestIdHeader
+                })
+              );
+            };
+          }
+          return Reflect.get(target, prop, receiver);
+        }
+      });
       server.get("/.well-known/objectstack", async (_req, res) => {
+        if (securityHeaders) {
+          for (const [k, v] of Object.entries(securityHeaders)) {
+            res.header(k, v);
+          }
+        }
         res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
       });
       server.get(`${prefix}/discovery`, async (_req, res) => {
+        if (securityHeaders) {
+          for (const [k, v] of Object.entries(securityHeaders)) {
+            res.header(k, v);
+          }
+        }
         res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
       });
       server.get(`${prefix}/health`, async (_req, res) => {
@@ -37491,6 +38711,11 @@ function createDispatcherPlugin(config = {}) {
       server.post(`${prefix}/graphql`, async (req, res) => {
         try {
           const result = await dispatcher.handleGraphQL(req.body, { request: req });
+          if (securityHeaders) {
+            for (const [k, v] of Object.entries(securityHeaders)) {
+              res.header(k, v);
+            }
+          }
           res.json(result);
         } catch (err) {
           errorResponse(err, res);
@@ -37498,7 +38723,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.post(`${prefix}/analytics/query`, async (req, res) => {
         try {
-          const result = await dispatcher.handleAnalytics("query", "POST", req.body, { request: req });
+          const result = await dispatcher.dispatch("POST", "/analytics/query", req.body, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37506,7 +38731,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.get(`${prefix}/analytics/meta`, async (req, res) => {
         try {
-          const result = await dispatcher.handleAnalytics("meta", "GET", {}, { request: req });
+          const result = await dispatcher.dispatch("GET", "/analytics/meta", void 0, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37514,7 +38739,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.post(`${prefix}/analytics/sql`, async (req, res) => {
         try {
-          const result = await dispatcher.handleAnalytics("sql", "POST", req.body, { request: req });
+          const result = await dispatcher.dispatch("POST", "/analytics/sql", req.body, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37592,6 +38817,14 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
+      server.post(`${prefix}/cloud/admin/platform-sso/backfill`, async (req, res) => {
+        try {
+          const result = await dispatcher.handleCloud("/admin/platform-sso/backfill", "POST", req.body, req.query, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
       server.get(`${prefix}/cloud/templates`, async (req, res) => {
         try {
           const result = await dispatcher.handleCloud("/templates", "GET", {}, req.query, { request: req });
@@ -37704,6 +38937,30 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
+      server.post(`${prefix}/cloud/projects/:id/members`, async (req, res) => {
+        try {
+          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "POST", req.body, {}, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
+      server.patch(`${prefix}/cloud/projects/:id/members/:memberId`, async (req, res) => {
+        try {
+          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "PATCH", req.body, {}, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
+      server.delete(`${prefix}/cloud/projects/:id/members/:memberId`, async (req, res) => {
+        try {
+          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "DELETE", req.body ?? {}, {}, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
       server.get(`${prefix}/cloud/projects/:id/packages`, async (req, res) => {
         try {
           const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "GET", {}, req.query, { request: req });
@@ -37778,7 +39035,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.get(`${prefix}/i18n/locales`, async (req, res) => {
         try {
-          const result = await dispatcher.handleI18n("/locales", "GET", req.query, { request: req });
+          const result = await dispatcher.dispatch("GET", "/i18n/locales", void 0, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37786,7 +39043,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.get(`${prefix}/i18n/translations/:locale`, async (req, res) => {
         try {
-          const result = await dispatcher.handleI18n(`/translations/${req.params.locale}`, "GET", req.query, { request: req });
+          const result = await dispatcher.dispatch("GET", `/i18n/translations/${req.params.locale}`, void 0, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37794,7 +39051,7 @@ function createDispatcherPlugin(config = {}) {
       });
       server.get(`${prefix}/i18n/labels/:object/:locale`, async (req, res) => {
         try {
-          const result = await dispatcher.handleI18n(`/labels/${req.params.object}/${req.params.locale}`, "GET", req.query, { request: req });
+          const result = await dispatcher.dispatch("GET", `/i18n/labels/${req.params.object}/${req.params.locale}`, void 0, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -37803,7 +39060,7 @@ function createDispatcherPlugin(config = {}) {
       const registerAutomationRoutes = (base2) => {
         server.get(`${base2}/automation`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation("", "GET", {}, { request: req });
+            const result = await dispatcher.dispatch("GET", "/automation", void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37811,7 +39068,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.post(`${base2}/automation`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation("", "POST", req.body, { request: req });
+            const result = await dispatcher.dispatch("POST", "/automation", req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37819,7 +39076,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.get(`${base2}/automation/:name`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}`, "GET", {}, { request: req });
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37827,7 +39084,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.put(`${base2}/automation/:name`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}`, "PUT", req.body, { request: req });
+            const result = await dispatcher.dispatch("PUT", `/automation/${req.params.name}`, req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37835,7 +39092,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.delete(`${base2}/automation/:name`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}`, "DELETE", {}, { request: req });
+            const result = await dispatcher.dispatch("DELETE", `/automation/${req.params.name}`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37843,7 +39100,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.post(`${base2}/automation/trigger/:name`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`trigger/${req.params.name}`, "POST", req.body, { request: req });
+            const result = await dispatcher.dispatch("POST", `/automation/trigger/${req.params.name}`, req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37851,7 +39108,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.post(`${base2}/automation/:name/trigger`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}/trigger`, "POST", req.body, { request: req });
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/trigger`, req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37859,7 +39116,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.post(`${base2}/automation/:name/toggle`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}/toggle`, "POST", req.body, { request: req });
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/toggle`, req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37867,7 +39124,7 @@ function createDispatcherPlugin(config = {}) {
         });
         server.get(`${base2}/automation/:name/runs`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}/runs`, "GET", {}, { request: req }, req.query);
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -37875,13 +39132,34 @@ function createDispatcherPlugin(config = {}) {
         });
         server.get(`${base2}/automation/:name/runs/:runId`, async (req, res) => {
           try {
-            const result = await dispatcher.handleAutomation(`${req.params.name}/runs/${req.params.runId}`, "GET", {}, { request: req });
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
           }
         });
       };
+      const registerAIRoutes = (base2) => {
+        const wildcards = [
+          ["get", `${base2}/ai/*`],
+          ["post", `${base2}/ai/*`],
+          ["delete", `${base2}/ai/*`],
+          ["put", `${base2}/ai/*`]
+        ];
+        for (const [method, pattern] of wildcards) {
+          server[method](pattern, async (req, res) => {
+            try {
+              const fullPath = req.path ?? "";
+              const idx = fullPath.lastIndexOf("/ai");
+              const aiSubPath = idx >= 0 ? fullPath.slice(idx) : "/ai";
+              const result = await dispatcher.dispatch(method.toUpperCase(), aiSubPath, req.body, req.query, { request: req });
+              sendResult(result, res);
+            } catch (err) {
+              errorResponse(err, res);
+            }
+          });
+        }
+      };
       const registerActionRoutes = (base2) => {
         server.post(`${base2}/actions/:object/:action`, async (req, res) => {
           try {
@@ -37909,12 +39187,15 @@ function createDispatcherPlugin(config = {}) {
       if (enableProjectScoping && projectResolution === "required") {
         registerAutomationRoutes(`${prefix}/projects/:projectId`);
         registerActionRoutes(`${prefix}/projects/:projectId`);
+        registerAIRoutes(`${prefix}/projects/:projectId`);
       } else {
         registerAutomationRoutes(prefix);
         registerActionRoutes(prefix);
+        registerAIRoutes(prefix);
         if (enableProjectScoping) {
           registerAutomationRoutes(`${prefix}/projects/:projectId`);
           registerActionRoutes(`${prefix}/projects/:projectId`);
+          registerAIRoutes(`${prefix}/projects/:projectId`);
         }
       }
       ctx.logger.info("Dispatcher bridge routes registered", { prefix, enableProjectScoping, projectResolution });
@@ -37930,11 +39211,11 @@ function createDispatcherPlugin(config = {}) {
         const routePath = route.path.startsWith("/api/v1") ? route.path : `${prefix}${route.path}`;
         let count = 0;
         if (enableProjectScoping && projectResolution === "required") {
-          if (mountRouteOnServer(route, server, toScopedPath(routePath))) count++;
+          if (mountRouteOnServer(route, server, toScopedPath(routePath), securityHeaders)) count++;
         } else {
-          if (mountRouteOnServer(route, server, routePath)) count++;
+          if (mountRouteOnServer(route, server, routePath, securityHeaders)) count++;
           if (enableProjectScoping) {
-            if (mountRouteOnServer(route, server, toScopedPath(routePath))) count++;
+            if (mountRouteOnServer(route, server, toScopedPath(routePath), securityHeaders)) count++;
           }
         }
         return count;
@@ -38259,6 +39540,1334 @@ var MiddlewareManager = class {
 // src/index.ts
 init_load_artifact_bundle();
 
+// src/cloud/kernel-manager.ts
+var KernelManager = class {
+  constructor(config) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.pending = /* @__PURE__ */ new Map();
+    this.factory = config.factory;
+    this.maxSize = config.maxSize ?? 32;
+    this.ttlMs = config.ttlMs ?? 15 * 60 * 1e3;
+    this.logger = config.logger ?? console;
+  }
+  /** Returns the currently cached projectIds (ordered by insertion). */
+  keys() {
+    return Array.from(this.cache.keys());
+  }
+  /** Cache size for diagnostics. */
+  get size() {
+    return this.cache.size;
+  }
+  /**
+   * Resolve or construct the kernel for `projectId`.
+   *
+   * - Cache hit (fresh): bumps `lastAccess` and returns immediately.
+   * - Cache hit (TTL expired): evicts then falls through to factory.
+   * - Cache miss: dedupes concurrent callers through `pending`.
+   */
+  async getOrCreate(projectId) {
+    const existing = this.cache.get(projectId);
+    if (existing) {
+      if (this.ttlMs > 0 && Date.now() - existing.lastAccess > this.ttlMs) {
+        await this.evict(projectId);
+      } else {
+        existing.lastAccess = Date.now();
+        return existing.kernel;
+      }
+    }
+    const inflight = this.pending.get(projectId);
+    if (inflight) return inflight;
+    const promise = (async () => {
+      const kernel = await this.factory.create(projectId);
+      const now = Date.now();
+      this.cache.set(projectId, { kernel, createdAt: now, lastAccess: now });
+      await this.enforceMaxSize();
+      return kernel;
+    })();
+    this.pending.set(projectId, promise);
+    try {
+      return await promise;
+    } finally {
+      this.pending.delete(projectId);
+    }
+  }
+  /**
+   * Evict the kernel for `projectId` and invoke `kernel.shutdown()`.
+   * No-op when the entry is absent.
+   */
+  async evict(projectId) {
+    const entry = this.cache.get(projectId);
+    if (!entry) return;
+    this.cache.delete(projectId);
+    try {
+      await entry.kernel.shutdown();
+    } catch (err) {
+      this.logger.error?.("[KernelManager] shutdown failed", { projectId, err });
+    }
+  }
+  /** Evict all resident kernels. Used on runtime shutdown. */
+  async evictAll() {
+    const ids = Array.from(this.cache.keys());
+    await Promise.all(ids.map((id) => this.evict(id)));
+  }
+  async enforceMaxSize() {
+    while (this.cache.size > this.maxSize) {
+      let oldestKey;
+      let oldestAccess = Infinity;
+      for (const [key, entry] of this.cache) {
+        if (entry.lastAccess < oldestAccess) {
+          oldestAccess = entry.lastAccess;
+          oldestKey = key;
+        }
+      }
+      if (!oldestKey) return;
+      await this.evict(oldestKey);
+    }
+  }
+};
+
+// src/cloud/artifact-api-client.ts
+var ArtifactApiClient = class {
+  constructor(config) {
+    this.hostnameCache = /* @__PURE__ */ new Map();
+    this.artifactCache = /* @__PURE__ */ new Map();
+    this.pendingHostname = /* @__PURE__ */ new Map();
+    this.pendingArtifact = /* @__PURE__ */ new Map();
+    if (!config.controlPlaneUrl) {
+      throw new Error("[ArtifactApiClient] controlPlaneUrl is required");
+    }
+    this.base = config.controlPlaneUrl.replace(/\/+$/, "");
+    this.apiKey = config.apiKey;
+    this.cacheTtlMs = config.cacheTtlMs ?? 5 * 60 * 1e3;
+    this.requestTimeoutMs = config.requestTimeoutMs ?? 1e4;
+    this.fetchImpl = config.fetch ?? globalThis.fetch;
+    this.logger = config.logger ?? console;
+    if (typeof this.fetchImpl !== "function") {
+      throw new Error("[ArtifactApiClient] global fetch is not available \u2014 provide config.fetch");
+    }
+  }
+  /**
+   * Resolve a hostname to its project. Returns `null` on 404 or
+   * malformed responses. Errors (network / 5xx) are thrown so
+   * upstream callers can retry.
+   */
+  async resolveHostname(host) {
+    const cached = this.hostnameCache.get(host);
+    if (cached && cached.expiresAt > Date.now()) return cached.value;
+    const inflight = this.pendingHostname.get(host);
+    if (inflight) return inflight;
+    const promise = (async () => {
+      try {
+        const url = `${this.base}/api/v1/cloud/resolve-hostname?host=${encodeURIComponent(host)}`;
+        const res = await this.request(url);
+        if (res === null) return null;
+        const body = res.success === false ? null : res.data ?? res;
+        if (!body || typeof body.projectId !== "string" || !body.projectId) return null;
+        const value = {
+          projectId: body.projectId,
+          organizationId: body.organizationId,
+          runtime: body.runtime
+        };
+        this.hostnameCache.set(host, { value, expiresAt: Date.now() + this.cacheTtlMs });
+        return value;
+      } finally {
+        this.pendingHostname.delete(host);
+      }
+    })();
+    this.pendingHostname.set(host, promise);
+    return promise;
+  }
+  /**
+   * Fetch the compiled artifact for a project.
+   *
+   * When `opts.commit` is set, requests that specific revision via the
+   * existing `?commit=` query param. Different commits are cached
+   * independently (the cache key includes the commit id) so the preview
+   * runtime can hold multiple versions in memory simultaneously.
+   */
+  async fetchArtifact(projectId, opts) {
+    const commit = opts?.commit?.trim() || "";
+    const cacheKey = commit ? `${projectId}@${commit}` : projectId;
+    const cached = this.artifactCache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) return cached.value;
+    const inflight = this.pendingArtifact.get(cacheKey);
+    if (inflight) return inflight;
+    const promise = (async () => {
+      try {
+        const qs = commit ? `?commit=${encodeURIComponent(commit)}` : "";
+        const url = `${this.base}/api/v1/cloud/projects/${encodeURIComponent(projectId)}/artifact${qs}`;
+        const res = await this.request(url);
+        if (res === null) return null;
+        const body = res.success === false ? null : res.data ?? res;
+        if (!body || typeof body !== "object") return null;
+        if (!body.metadata) {
+          this.logger.warn?.("[ArtifactApiClient] artifact response missing `metadata`", { projectId, commit });
+          return null;
+        }
+        const value = body;
+        this.artifactCache.set(cacheKey, { value, expiresAt: Date.now() + this.cacheTtlMs });
+        return value;
+      } finally {
+        this.pendingArtifact.delete(cacheKey);
+      }
+    })();
+    this.pendingArtifact.set(cacheKey, promise);
+    return promise;
+  }
+  /**
+   * Resolve an 8-hex project short id (first 8 hex chars of the UUID,
+   * dashes stripped) to the full projectId. Used by the preview
+   * runtime, which encodes project ids in subdomains.
+   *
+   * Returns `null` on 404 or ambiguity (the control plane returns 409
+   * if the prefix matches more than one project).
+   */
+  async lookupProjectByShortId(shortId) {
+    const short = String(shortId ?? "").trim().toLowerCase();
+    if (!/^[0-9a-f]{8,}$/.test(short)) return null;
+    const url = `${this.base}/api/v1/cloud/projects-by-short-id/${encodeURIComponent(short)}`;
+    const res = await this.request(url);
+    if (res === null) return null;
+    const body = res.success === false ? null : res.data ?? res;
+    if (!body || typeof body.projectId !== "string" || !body.projectId) return null;
+    return { projectId: body.projectId, organizationId: body.organizationId };
+  }
+  /**
+   * Fetch the head commit of a branch. Returns the commit id (and the
+   * matching revision row's `published_at` for cache-validity checks).
+   * Reuses the existing `GET /cloud/projects/:id/branches` endpoint.
+   */
+  async fetchBranchHead(projectId, branchName) {
+    const url = `${this.base}/api/v1/cloud/projects/${encodeURIComponent(projectId)}/branches`;
+    const res = await this.request(url);
+    if (res === null) return null;
+    const body = res.success === false ? null : res.data ?? res;
+    const branches = Array.isArray(body?.branches) ? body.branches : [];
+    const target = String(branchName ?? "").trim().toLowerCase();
+    const found = branches.find((b) => String(b?.branch ?? "").toLowerCase() === target);
+    if (!found?.headCommitId) return null;
+    return { commitId: String(found.headCommitId), publishedAt: found.headPublishedAt ?? null };
+  }
+  /** Drop cached entries for a project (and any matching hostname). */
+  invalidate(projectId) {
+    this.artifactCache.delete(projectId);
+    const prefix = `${projectId}@`;
+    for (const key of Array.from(this.artifactCache.keys())) {
+      if (key.startsWith(prefix)) this.artifactCache.delete(key);
+    }
+    for (const [host, entry] of this.hostnameCache) {
+      if (entry.value.projectId === projectId) this.hostnameCache.delete(host);
+    }
+  }
+  /** Drop everything. Used on shutdown / hot-reload. */
+  clear() {
+    this.hostnameCache.clear();
+    this.artifactCache.clear();
+  }
+  async request(url) {
+    const controller = typeof AbortController !== "undefined" ? new AbortController() : null;
+    const timer = controller ? setTimeout(() => controller.abort(), this.requestTimeoutMs) : null;
+    try {
+      const res = await this.fetchImpl(url, {
+        method: "GET",
+        headers: this.buildHeaders(),
+        signal: controller?.signal
+      });
+      if (res.status === 404) return null;
+      if (!res.ok) {
+        throw new Error(`[ArtifactApiClient] ${url} \u2192 HTTP ${res.status}`);
+      }
+      return await res.json();
+    } finally {
+      if (timer) clearTimeout(timer);
+    }
+  }
+  buildHeaders() {
+    const headers = {
+      "accept": "application/json",
+      "user-agent": "objectos-runtime"
+    };
+    if (this.apiKey) headers["authorization"] = `Bearer ${this.apiKey}`;
+    return headers;
+  }
+};
+
+// src/cloud/artifact-environment-registry.ts
+import { resolve as resolvePathNode } from "path";
+var ArtifactEnvironmentRegistry = class {
+  constructor(config) {
+    this.hostnameCache = /* @__PURE__ */ new Map();
+    this.idCache = /* @__PURE__ */ new Map();
+    this.pending = /* @__PURE__ */ new Map();
+    this.client = config.client;
+    this.cacheTTL = config.cacheTtlMs ?? 5 * 60 * 1e3;
+    this.logger = config.logger ?? console;
+  }
+  async resolveByHostname(host) {
+    const cached = this.hostnameCache.get(host);
+    if (cached && cached.expiresAt > Date.now()) {
+      return { projectId: cached.projectId, driver: cached.driver };
+    }
+    const key = `host:${host}`;
+    const inflight = this.pending.get(key);
+    if (inflight) {
+      const result = await inflight;
+      return result ? { projectId: result.projectId, driver: result.driver } : null;
+    }
+    const promise = (async () => {
+      try {
+        const resolved = await this.client.resolveHostname(host);
+        if (!resolved) return null;
+        const entry2 = await this.buildCacheEntry(resolved.projectId, resolved.runtime, resolved.organizationId, host);
+        if (!entry2) return null;
+        this.hostnameCache.set(host, entry2);
+        this.idCache.set(entry2.projectId, entry2);
+        return entry2;
+      } catch (err) {
+        this.logger.error?.("[ArtifactEnvironmentRegistry] resolveByHostname failed", {
+          host,
+          error: err?.message ?? err
+        });
+        return null;
+      } finally {
+        this.pending.delete(key);
+      }
+    })();
+    this.pending.set(key, promise);
+    const entry = await promise;
+    return entry ? { projectId: entry.projectId, driver: entry.driver } : null;
+  }
+  async resolveById(projectId) {
+    const cached = this.idCache.get(projectId);
+    if (cached && cached.expiresAt > Date.now()) return cached.driver;
+    const key = `id:${projectId}`;
+    const inflight = this.pending.get(key);
+    if (inflight) {
+      const result = await inflight;
+      return result?.driver ?? null;
+    }
+    const promise = (async () => {
+      try {
+        const entry2 = await this.buildCacheEntry(projectId, void 0, void 0, void 0);
+        if (!entry2) return null;
+        this.idCache.set(projectId, entry2);
+        if (entry2.project?.hostname) this.hostnameCache.set(entry2.project.hostname, entry2);
+        return entry2;
+      } catch (err) {
+        this.logger.error?.("[ArtifactEnvironmentRegistry] resolveById failed", {
+          projectId,
+          error: err?.message ?? err
+        });
+        return null;
+      } finally {
+        this.pending.delete(key);
+      }
+    })();
+    this.pending.set(key, promise);
+    const entry = await promise;
+    return entry?.driver ?? null;
+  }
+  peekById(projectId) {
+    const cached = this.idCache.get(projectId);
+    if (cached && cached.expiresAt > Date.now()) {
+      return { projectId: cached.projectId, driver: cached.driver, project: cached.project };
+    }
+    return null;
+  }
+  invalidate(projectId) {
+    this.idCache.delete(projectId);
+    for (const [host, entry] of this.hostnameCache) {
+      if (entry.projectId === projectId) this.hostnameCache.delete(host);
+    }
+    this.client.invalidate(projectId);
+  }
+  async buildCacheEntry(projectId, runtimeFromHostname, orgIdFromHostname, hostname) {
+    let runtime = runtimeFromHostname;
+    let organizationId = orgIdFromHostname;
+    let host = hostname;
+    let artifactProjectId = projectId;
+    if (!runtime || !organizationId) {
+      const artifact = await this.client.fetchArtifact(projectId);
+      if (!artifact) {
+        this.logger.warn?.("[ArtifactEnvironmentRegistry] artifact not found", { projectId });
+        return null;
+      }
+      artifactProjectId = artifact.projectId ?? projectId;
+      if (!runtime) runtime = artifact.runtime ?? extractRuntimeFromMetadata(artifact.metadata);
+      if (!organizationId) organizationId = artifact.runtime?.organizationId;
+      if (!host) host = artifact.runtime?.hostname;
+    }
+    if (!runtime || !runtime.databaseUrl || !runtime.databaseDriver) {
+      this.logger.warn?.("[ArtifactEnvironmentRegistry] no runtime config for project", { projectId });
+      return null;
+    }
+    const driver = await createDriver(runtime.databaseDriver, runtime.databaseUrl, runtime.databaseAuthToken ?? "");
+    const projectRow = {
+      id: artifactProjectId,
+      organization_id: organizationId,
+      hostname: host,
+      database_url: runtime.databaseUrl,
+      database_driver: runtime.databaseDriver,
+      metadata: runtime.metadata
+    };
+    return {
+      projectId: artifactProjectId,
+      driver,
+      project: projectRow,
+      expiresAt: Date.now() + this.cacheTTL
+    };
+  }
+};
+function extractRuntimeFromMetadata(metadata) {
+  const datasources = metadata?.datasources;
+  if (!Array.isArray(datasources) || datasources.length === 0) return void 0;
+  const mapping = metadata?.datasourceMapping;
+  let preferredName;
+  if (mapping) {
+    const def = mapping.find((m) => m?.default === true);
+    if (def?.datasource) preferredName = def.datasource;
+  }
+  const ds = preferredName ? datasources.find((d) => d?.name === preferredName) : datasources[0];
+  if (!ds || typeof ds !== "object") return void 0;
+  const config = ds.config ?? {};
+  const url = config.url ?? config.connectionString ?? config.connection ?? config.filename;
+  const driver = ds.driver;
+  if (typeof driver !== "string" || typeof url !== "string") return void 0;
+  return {
+    databaseDriver: driver,
+    databaseUrl: url,
+    databaseAuthToken: typeof config.authToken === "string" ? config.authToken : void 0
+  };
+}
+async function createDriver(driverType, databaseUrl, authToken) {
+  switch (driverType) {
+    case "memory": {
+      const { InMemoryDriver } = await import("@objectstack/driver-memory");
+      const dbName = databaseUrl.replace(/^memory:\/\//, "").trim();
+      const filePath = dbName ? resolvePathNode(process.cwd(), ".objectstack/data/projects", `${dbName}.json`) : void 0;
+      return new InMemoryDriver({
+        persistence: filePath ? { type: "file", path: filePath } : "file"
+      });
+    }
+    case "sqlite":
+    case "sql": {
+      const filePath = databaseUrl.replace(/^file:/, "").replace(/^sql:\/\//, "");
+      const { SqlDriver } = await import("@objectstack/driver-sql");
+      return new SqlDriver({
+        client: "better-sqlite3",
+        connection: { filename: filePath },
+        useNullAsDefault: true
+      });
+    }
+    case "libsql":
+    case "turso": {
+      const { TursoDriver } = await import("@objectstack/driver-turso");
+      return new TursoDriver({ url: databaseUrl, authToken });
+    }
+    case "postgres":
+    case "postgresql":
+    case "pg": {
+      const { SqlDriver } = await import("@objectstack/driver-sql");
+      return new SqlDriver({
+        client: "pg",
+        connection: databaseUrl,
+        pool: { min: 0, max: 5 }
+      });
+    }
+    case "mongodb":
+    case "mongo": {
+      const { MongoDBDriver: MongoDBDriver2 } = await Promise.resolve().then(() => (init_dist(), dist_exports));
+      return new MongoDBDriver2({ url: databaseUrl });
+    }
+    default:
+      throw new Error(`[ArtifactEnvironmentRegistry] Unsupported driver type: ${driverType}`);
+  }
+}
+
+// src/cloud/artifact-kernel-factory.ts
+init_driver_plugin();
+init_app_plugin();
+import { createHmac as createHmac2 } from "crypto";
+import { ObjectKernel as ObjectKernel3 } from "@objectstack/core";
+
+// src/cloud/capability-loader.ts
+var CAPABILITY_PROVIDERS = {
+  automation: {
+    pkg: "@objectstack/service-automation",
+    export: "AutomationServicePlugin",
+    extras: [
+      { pkg: "@objectstack/service-automation", export: "CrudNodesPlugin" },
+      { pkg: "@objectstack/service-automation", export: "LogicNodesPlugin" },
+      { pkg: "@objectstack/service-automation", export: "HttpConnectorPlugin" },
+      { pkg: "@objectstack/service-automation", export: "ScreenNodesPlugin" }
+    ]
+  },
+  ai: {
+    pkg: "@objectstack/service-ai",
+    export: "AIServicePlugin"
+  },
+  analytics: {
+    pkg: "@objectstack/service-analytics",
+    export: "AnalyticsServicePlugin",
+    configKey: "analyticsCubes"
+  },
+  audit: {
+    pkg: "@objectstack/plugin-audit",
+    export: "AuditPlugin"
+  },
+  cache: {
+    pkg: "@objectstack/service-cache",
+    export: "CacheServicePlugin"
+  },
+  storage: {
+    pkg: "@objectstack/service-storage",
+    export: "StorageServicePlugin"
+  },
+  queue: {
+    pkg: "@objectstack/service-queue",
+    export: "QueueServicePlugin"
+  },
+  job: {
+    pkg: "@objectstack/service-job",
+    export: "JobServicePlugin"
+  },
+  realtime: {
+    pkg: "@objectstack/service-realtime",
+    export: "RealtimeServicePlugin"
+  },
+  feed: {
+    pkg: "@objectstack/service-feed",
+    export: "FeedServicePlugin"
+  },
+  settings: {
+    pkg: "@objectstack/service-settings",
+    export: "SettingsServicePlugin"
+  }
+};
+async function loadCapabilities(opts) {
+  const { kernel, requires, bundle, projectId } = opts;
+  const logger = opts.logger ?? console;
+  const installed = [];
+  for (const cap of requires) {
+    const spec = CAPABILITY_PROVIDERS[cap];
+    if (!spec) {
+      continue;
+    }
+    try {
+      const mod = await import(
+        /* webpackIgnore: true */
+        spec.pkg
+      );
+      const Ctor = mod[spec.export];
+      if (!Ctor) {
+        logger.warn?.(
+          `[CapabilityLoader] '${cap}': package '${spec.pkg}' did not export '${spec.export}'`,
+          { projectId }
+        );
+        continue;
+      }
+      let arg;
+      if (spec.configKey) {
+        const v = bundle[spec.configKey];
+        if (spec.configKey === "analyticsCubes") {
+          arg = { cubes: Array.isArray(v) ? v : [] };
+        } else if (v !== void 0) {
+          arg = v;
+        }
+      }
+      await kernel.use(arg !== void 0 ? new Ctor(arg) : new Ctor());
+      installed.push(spec.export);
+      if (spec.extras) {
+        for (const ex of spec.extras) {
+          try {
+            const exMod = await import(
+              /* webpackIgnore: true */
+              ex.pkg
+            );
+            const ExCtor = exMod[ex.export];
+            if (ExCtor) {
+              await kernel.use(new ExCtor());
+              installed.push(ex.export);
+            }
+          } catch {
+          }
+        }
+      }
+      logger.info?.(
+        `[CapabilityLoader] '${cap}' installed (${spec.export}${spec.extras ? " + " + spec.extras.length + " extras" : ""})`,
+        { projectId }
+      );
+    } catch (err) {
+      const msg = err?.message ?? String(err);
+      if (msg.includes("Cannot find module") || msg.includes("ERR_MODULE_NOT_FOUND")) {
+        logger.warn?.(
+          `[CapabilityLoader] '${cap}' requested but '${spec.pkg}' not installed in host \u2014 skipped`,
+          { projectId }
+        );
+      } else {
+        logger.error?.(
+          `[CapabilityLoader] '${cap}' load failed: ${msg}`,
+          { projectId }
+        );
+      }
+    }
+  }
+  return installed;
+}
+
+// src/cloud/artifact-kernel-factory.ts
+init_platform_sso();
+function deriveProjectAuthSecret(baseSecret, projectId) {
+  return createHmac2("sha256", baseSecret).update(`project:${projectId}`).digest("hex");
+}
+var ArtifactKernelFactory = class {
+  constructor(config) {
+    this.client = config.client;
+    this.envRegistry = config.envRegistry;
+    this.logger = config.logger ?? console;
+    this.kernelConfig = config.kernelConfig;
+    this.authBaseSecret = (config.authBaseSecret ?? process.env.OS_AUTH_SECRET ?? process.env.AUTH_SECRET ?? "").trim();
+  }
+  async create(projectId) {
+    let cached = this.envRegistry.peekById(projectId);
+    if (!cached) {
+      const driver2 = await this.envRegistry.resolveById(projectId);
+      if (!driver2) {
+        throw new Error(`[ArtifactKernelFactory] Could not resolve driver for project '${projectId}'`);
+      }
+      cached = this.envRegistry.peekById(projectId);
+      if (!cached) {
+        throw new Error(`[ArtifactKernelFactory] envRegistry returned a driver but no cached entry for '${projectId}'`);
+      }
+    }
+    const driver = cached.driver;
+    const project = cached.project;
+    const artifact = await this.client.fetchArtifact(projectId);
+    if (!artifact) {
+      throw new Error(`[ArtifactKernelFactory] Artifact not available for project '${projectId}'`);
+    }
+    const { ObjectQLPlugin } = await import("@objectstack/objectql");
+    const { MetadataPlugin } = await import("@objectstack/metadata");
+    const kernel = new ObjectKernel3(this.kernelConfig);
+    await kernel.use(new DriverPlugin(driver, { datasourceName: "cloud" }));
+    await kernel.use(new ObjectQLPlugin({ projectId, skipSchemaSync: false }));
+    await kernel.use(new MetadataPlugin({
+      watch: false,
+      projectId,
+      organizationId: project.organization_id,
+      // ADR-0005: customization overlays (user-created views, dashboards,
+      // edited objects, ...) are persisted by
+      // ObjectStackProtocolImplementation.saveMetaItem on whichever
+      // engine the protocol is attached to. For per-project kernels that
+      // means the project's own DB, so the sys_metadata + history tables
+      // MUST be provisioned here. The previous `false` setting caused
+      // "no such table: sys_metadata" errors on any PUT /api/v1/meta/*
+      // call (e.g. Studio "Create View") against a project deployment.
+      registerSystemObjects: true
+    }));
+    if (this.authBaseSecret) {
+      try {
+        const { AuthPlugin } = await import("@objectstack/plugin-auth");
+        const projectSecret = deriveProjectAuthSecret(this.authBaseSecret, projectId);
+        const baseUrl = project.hostname ? project.hostname.startsWith("http") ? project.hostname : /(\.|^)localhost(:\d+)?$/i.test(project.hostname) ? (() => {
+          const runtimePort = (process.env.OS_RUNTIME_PORT ?? "").trim();
+          const hasPort = /:\d+$/.test(project.hostname);
+          const hostWithPort = hasPort || !runtimePort ? project.hostname : `${project.hostname}:${runtimePort}`;
+          return `http://${hostWithPort}`;
+        })() : `https://${project.hostname}` : void 0;
+        const trustedOriginsList = [];
+        if (baseUrl) trustedOriginsList.push(baseUrl);
+        const platformOrigins = (process.env.OS_TRUSTED_ORIGINS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+        for (const o of platformOrigins) {
+          if (!trustedOriginsList.includes(o)) trustedOriginsList.push(o);
+        }
+        const rootDomain = (process.env.OS_ROOT_DOMAIN ?? "").trim().replace(/^https?:\/\//, "");
+        if (rootDomain) {
+          const wildcard = `https://*.${rootDomain}`;
+          if (!trustedOriginsList.includes(wildcard)) trustedOriginsList.push(wildcard);
+        }
+        if (project.hostname) {
+          const bareHost = project.hostname.replace(/^https?:\/\//, "");
+          if (bareHost.endsWith(".localhost") || bareHost === "localhost") {
+            trustedOriginsList.push(`http://${bareHost}`);
+            trustedOriginsList.push(`http://${bareHost}:*`);
+            trustedOriginsList.push(`https://${bareHost}:*`);
+          }
+        }
+        const platformSsoEnabled = String(
+          process.env.OS_PLATFORM_SSO ?? "true"
+        ).toLowerCase() !== "false";
+        const cloudBaseUrl = (process.env.OS_CLOUD_URL ?? "").trim().replace(/\/+$/, "");
+        const oidcProviders = platformSsoEnabled && cloudBaseUrl && /^https?:\/\//.test(cloudBaseUrl) ? [{
+          providerId: PLATFORM_SSO_PROVIDER_ID,
+          name: "ObjectStack",
+          discoveryUrl: `${cloudBaseUrl}/.well-known/openid-configuration`,
+          clientId: derivePlatformSsoClientId(projectId),
+          clientSecret: derivePlatformSsoClientSecret(this.authBaseSecret, projectId),
+          scopes: ["openid", "email", "profile"]
+        }] : void 0;
+        await kernel.use(new AuthPlugin({
+          secret: projectSecret,
+          baseUrl,
+          // Project kernel has no http-server (host owns it). The
+          // dispatcher's handleAuth path resolves `auth` via
+          // getService and invokes the handler directly — route
+          // registration is unnecessary and would warn.
+          registerRoutes: false,
+          // Identity tables live in the project's own DB — keep
+          // sys_user/sys_session local to this kernel.
+          manifestDatasource: "default",
+          // Cookie scope: default to the project's own host. We
+          // intentionally do NOT pass crossSubDomainCookies here
+          // so cookies stay isolated per project subdomain.
+          trustedOrigins: trustedOriginsList.length ? trustedOriginsList : void 0,
+          ...oidcProviders ? { oidcProviders } : {}
+        }));
+        if (oidcProviders) {
+          this.logger.info?.("[ArtifactKernelFactory] platform SSO wired", {
+            projectId,
+            cloudBaseUrl
+          });
+        }
+      } catch (err) {
+        this.logger.warn?.("[ArtifactKernelFactory] AuthPlugin not registered", {
+          projectId,
+          error: err?.message
+        });
+      }
+    } else {
+      this.logger.warn?.("[ArtifactKernelFactory] OS_AUTH_SECRET not set \u2014 per-project AuthPlugin skipped (auth endpoints will return 404)", { projectId });
+    }
+    try {
+      const { SecurityPlugin } = await import("@objectstack/plugin-security");
+      const multiTenant = String(process.env.OS_MULTI_TENANT ?? "true").toLowerCase() !== "false";
+      await kernel.use(new SecurityPlugin({ multiTenant }));
+    } catch (err) {
+      this.logger.warn?.("[ArtifactKernelFactory] SecurityPlugin not registered", {
+        projectId,
+        error: err?.message
+      });
+    }
+    const projectName = project.hostname ?? projectId;
+    const bundle = artifact.metadata;
+    const sys = bundle?.manifest ?? bundle;
+    const packageId = sys?.packageId ?? sys?.package_id ?? bundle?.packageId;
+    const i18nCfg = bundle?.i18n ?? sys?.i18n ?? {};
+    const trArr = Array.isArray(bundle?.translations) ? bundle.translations : Array.isArray(sys?.translations) ? sys.translations : [];
+    try {
+      const { I18nServicePlugin } = await import("@objectstack/service-i18n");
+      await kernel.use(new I18nServicePlugin({
+        defaultLocale: i18nCfg.defaultLocale,
+        fallbackLocale: i18nCfg.fallbackLocale ?? i18nCfg.defaultLocale ?? "en",
+        // Routes are dispatched by HttpDispatcher.handleI18n via
+        // kernel.getService('i18n'); the host worker owns the
+        // HTTP server. Skip self-registration to avoid warnings.
+        registerRoutes: false
+      }));
+      console.warn(
+        `[ArtifactKernelFactory] I18nServicePlugin registered (project=${projectId}, translations=${trArr.length}, defaultLocale=${i18nCfg.defaultLocale ?? "en"})`
+      );
+    } catch (err) {
+      this.logger.warn?.("[ArtifactKernelFactory] I18nServicePlugin not registered", {
+        projectId,
+        error: err?.message
+      });
+    }
+    const requiresRaw = (Array.isArray(bundle?.requires) ? bundle.requires : null) ?? (Array.isArray(sys?.requires) ? sys.requires : null) ?? [];
+    const requires = requiresRaw.filter((x) => typeof x === "string" && x.length > 0);
+    if (requires.length > 0) {
+      const installed = await loadCapabilities({
+        kernel,
+        requires,
+        bundle: { ...bundle ?? {}, ...sys ?? {} },
+        logger: this.logger,
+        projectId
+      });
+      this.logger.info?.("[ArtifactKernelFactory] capabilities loaded", {
+        projectId,
+        requires,
+        installed
+      });
+    }
+    await kernel.use(new AppPlugin(bundle, {
+      projectId,
+      organizationId: project.organization_id ?? "",
+      projectName,
+      packageId,
+      source: packageId ? "package" : "user"
+    }));
+    await kernel.bootstrap();
+    try {
+      const projMeta = typeof project?.metadata === "string" ? JSON.parse(project.metadata) : project?.metadata ?? {};
+      const ownerSeed = projMeta?.ownerSeed;
+      const orgSeed = projMeta?.orgSeed;
+      if (orgSeed?.id && orgSeed?.name) {
+        try {
+          const { seedProjectOrganization: seedProjectOrganization2 } = await Promise.resolve().then(() => (init_project_org_seed(), project_org_seed_exports));
+          await seedProjectOrganization2(kernel, orgSeed, this.logger);
+        } catch (e) {
+          this.logger.warn?.("[ArtifactKernelFactory] orgSeed threw", {
+            projectId,
+            error: e?.message
+          });
+        }
+      }
+      if (ownerSeed?.userId && ownerSeed?.email) {
+        try {
+          const { seedProjectOwner: seedProjectOwner2 } = await Promise.resolve().then(() => (init_project_owner_seed(), project_owner_seed_exports));
+          await seedProjectOwner2(kernel, ownerSeed, this.logger);
+        } catch (e) {
+          this.logger.warn?.("[ArtifactKernelFactory] ownerSeed threw", {
+            projectId,
+            error: e?.message
+          });
+        }
+        if (orgSeed?.id) {
+          try {
+            const { seedProjectMember: seedProjectMember2 } = await Promise.resolve().then(() => (init_project_org_seed(), project_org_seed_exports));
+            await seedProjectMember2(
+              kernel,
+              { userId: ownerSeed.userId, organizationId: orgSeed.id, role: "owner" },
+              this.logger
+            );
+          } catch (e) {
+            this.logger.warn?.("[ArtifactKernelFactory] memberSeed threw", {
+              projectId,
+              error: e?.message
+            });
+          }
+        }
+      }
+    } catch (err) {
+      this.logger.warn?.("[ArtifactKernelFactory] owner/org seed skipped", {
+        projectId,
+        error: err?.message
+      });
+    }
+    try {
+      const datasetsNow = (() => {
+        try {
+          return kernel.getService?.("seed-datasets");
+        } catch {
+          return void 0;
+        }
+      })();
+      const replayer = (() => {
+        try {
+          return kernel.getService?.("seed-replayer");
+        } catch {
+          return void 0;
+        }
+      })();
+      if (Array.isArray(datasetsNow) && datasetsNow.length > 0 && typeof replayer === "function") {
+        const projMetaRaw = project?.metadata;
+        const projMeta = typeof projMetaRaw === "string" ? (() => {
+          try {
+            return JSON.parse(projMetaRaw);
+          } catch {
+            return {};
+          }
+        })() : projMetaRaw ?? {};
+        let primaryOrgId = projMeta?.orgSeed?.id;
+        if (!primaryOrgId) {
+          try {
+            const ql = kernel.getService?.("objectql");
+            if (ql?.find) {
+              const rows = await ql.find("sys_organization", { limit: 5, orderBy: [{ field: "created_at", direction: "asc" }] });
+              const list = Array.isArray(rows) ? rows : rows?.value ?? rows?.records ?? [];
+              if (Array.isArray(list) && list.length > 0 && list[0]?.id) {
+                primaryOrgId = String(list[0].id);
+              }
+            }
+          } catch {
+          }
+        }
+        if (primaryOrgId) {
+          try {
+            const summary = await replayer(primaryOrgId);
+            const inserted = summary?.inserted ?? 0;
+            const updated = summary?.updated ?? 0;
+            const errs = summary?.errors?.length ?? 0;
+            if (inserted > 0 || updated > 0 || errs > 0) {
+              this.logger.info?.("[ArtifactKernelFactory] post-bootstrap seed replay", {
+                projectId,
+                organizationId: primaryOrgId,
+                datasets: datasetsNow.length,
+                inserted,
+                updated,
+                errors: errs
+              });
+            }
+          } catch (e) {
+            this.logger.warn?.("[ArtifactKernelFactory] post-bootstrap seed replay failed", {
+              projectId,
+              organizationId: primaryOrgId,
+              error: e?.message
+            });
+          }
+        }
+      }
+    } catch (err) {
+      this.logger.warn?.("[ArtifactKernelFactory] post-bootstrap seed step threw", {
+        projectId,
+        error: err?.message
+      });
+    }
+    let i18nSvc = null;
+    try {
+      i18nSvc = kernel.getService?.("i18n");
+    } catch {
+      i18nSvc = null;
+    }
+    try {
+      if (i18nSvc && typeof i18nSvc.loadTranslations === "function") {
+        if (i18nCfg.defaultLocale && typeof i18nSvc.setDefaultLocale === "function") {
+          i18nSvc.setDefaultLocale(i18nCfg.defaultLocale);
+        }
+        let loaded = 0;
+        for (const tbundle of trArr) {
+          if (!tbundle || typeof tbundle !== "object") continue;
+          for (const [locale, data] of Object.entries(tbundle)) {
+            if (data && typeof data === "object") {
+              try {
+                i18nSvc.loadTranslations(locale, data);
+                loaded++;
+              } catch (err) {
+                this.logger.warn?.("[ArtifactKernelFactory] i18n loadTranslations failed", {
+                  projectId,
+                  locale,
+                  error: err?.message
+                });
+              }
+            }
+          }
+        }
+        if (loaded > 0) {
+          this.logger.info?.("[ArtifactKernelFactory] i18n direct-load complete", {
+            projectId,
+            locales: loaded,
+            bundles: trArr.length
+          });
+        }
+      }
+    } catch (err) {
+      this.logger.warn?.("[ArtifactKernelFactory] i18n direct-load failed", {
+        projectId,
+        error: err?.message
+      });
+    }
+    this.logger.info?.("[ArtifactKernelFactory] kernel ready", {
+      projectId,
+      commitId: artifact.commitId,
+      checksum: artifact.checksum,
+      authEnabled: Boolean(this.authBaseSecret)
+    });
+    return kernel;
+  }
+};
+
+// src/cloud/auth-proxy-plugin.ts
+var AUTH_PREFIX = "/api/v1/auth";
+function pickHandler(svc) {
+  if (!svc) return void 0;
+  if (typeof svc.handleRequest === "function") return svc.handleRequest.bind(svc);
+  if (typeof svc.handler === "function") return svc.handler.bind(svc);
+  if (svc.api && typeof svc.api.handler === "function") return svc.api.handler.bind(svc.api);
+  if (svc.auth && typeof svc.auth.handler === "function") return svc.auth.handler.bind(svc.auth);
+  return void 0;
+}
+async function resolveAuthHandler(svc) {
+  const direct = pickHandler(svc);
+  if (direct) return direct;
+  if (typeof svc?.getApi === "function") {
+    try {
+      const api = await svc.getApi();
+      return pickHandler(api) ?? pickHandler({ api });
+    } catch {
+      return void 0;
+    }
+  }
+  return void 0;
+}
+var AuthProxyPlugin = class {
+  constructor() {
+    this.name = "com.objectstack.runtime.auth-proxy";
+    this.version = "1.0.0";
+    this.init = async (_ctx) => {
+    };
+    this.start = async (ctx) => {
+      ctx.hook("kernel:ready", async () => {
+        let httpServer;
+        try {
+          httpServer = ctx.getService("http-server");
+        } catch {
+          ctx.logger?.warn?.("[AuthProxyPlugin] http-server not available \u2014 auth routes not mounted");
+          return;
+        }
+        if (!httpServer || typeof httpServer.getRawApp !== "function") {
+          ctx.logger?.warn?.("[AuthProxyPlugin] http-server missing getRawApp() \u2014 auth routes not mounted");
+          return;
+        }
+        const rawApp = httpServer.getRawApp();
+        const kernelManager = ctx.getService("kernel-manager");
+        const envRegistry = ctx.getService("env-registry");
+        const handler = async (c) => {
+          try {
+            const url = new URL(c.req.url);
+            const host = url.hostname;
+            let projectId;
+            try {
+              const env = await envRegistry.resolveByHostname(host);
+              projectId = env?.projectId;
+            } catch {
+            }
+            if (!projectId) {
+              return c.json({ error: "project_not_found", host }, 404);
+            }
+            const projectKernel = await kernelManager.getOrCreate(projectId);
+            let authSvc;
+            try {
+              authSvc = await projectKernel.getServiceAsync?.("auth");
+            } catch {
+              authSvc = void 0;
+            }
+            if (!authSvc) {
+              try {
+                authSvc = projectKernel.getService?.("auth");
+              } catch {
+              }
+            }
+            const subPath = url.pathname.startsWith(AUTH_PREFIX + "/") ? url.pathname.substring(AUTH_PREFIX.length + 1) : "";
+            if (c.req.method === "GET" && (subPath === "config" || subPath === "bootstrap-status")) {
+              if (subPath === "config") {
+                try {
+                  const config = typeof authSvc?.getPublicConfig === "function" ? authSvc.getPublicConfig() : null;
+                  if (config) {
+                    return c.json({ success: true, data: config });
+                  }
+                  return c.json({ success: false, error: { code: "auth_config_unavailable", message: "AuthManager has no getPublicConfig()" } }, 503);
+                } catch (e) {
+                  return c.json({ success: false, error: { code: "auth_config_error", message: String(e?.message ?? e) } }, 500);
+                }
+              }
+              try {
+                try {
+                  const pubCfg = typeof authSvc?.getPublicConfig === "function" ? authSvc.getPublicConfig() : null;
+                  const ssoProviders = Array.isArray(pubCfg?.socialProviders) ? pubCfg.socialProviders : [];
+                  const ssoWired = ssoProviders.some(
+                    (p) => p?.enabled !== false && p?.id === "objectstack-cloud"
+                  );
+                  if (ssoWired) {
+                    return c.json({ hasOwner: true });
+                  }
+                } catch {
+                }
+                const dataEngine = typeof authSvc?.getDataEngine === "function" ? authSvc.getDataEngine() : null;
+                if (!dataEngine || typeof dataEngine.count !== "function") {
+                  return c.json({ hasOwner: true });
+                }
+                const count = await dataEngine.count("sys_user", {});
+                return c.json({ hasOwner: (count ?? 0) > 0 });
+              } catch {
+                return c.json({ hasOwner: true });
+              }
+            }
+            const fn = await resolveAuthHandler(authSvc);
+            if (!fn) {
+              return c.json({ error: "auth_service_unavailable", projectId }, 503);
+            }
+            const resp = await fn(c.req.raw);
+            const rootDomain = process.env.OS_ROOT_DOMAIN || "";
+            if (rootDomain) {
+              const leakyDomain = rootDomain.startsWith(".") ? rootDomain : `.${rootDomain}`;
+              const leakyNames = [
+                "__Secure-better-auth.session_token",
+                "better-auth.session_token",
+                "__Secure-better-auth.state",
+                "better-auth.state",
+                "__Secure-better-auth.csrf_token",
+                "better-auth.csrf_token"
+              ];
+              try {
+                for (const n of leakyNames) {
+                  const isSecure = n.startsWith("__Secure-");
+                  const attrs = `Max-Age=0; Path=/; Domain=${leakyDomain}; SameSite=Lax${isSecure ? "; Secure" : ""}`;
+                  resp.headers?.append?.("Set-Cookie", `${n}=; ${attrs}`);
+                }
+              } catch {
+              }
+            }
+            return resp;
+          } catch (err) {
+            ctx.logger?.error?.("[AuthProxyPlugin] auth dispatch failed", {
+              error: err?.message,
+              stack: err?.stack
+            });
+            return c.json({
+              error: "auth_dispatch_failed",
+              message: err?.message ?? String(err)
+            }, 500);
+          }
+        };
+        if (typeof rawApp.all === "function") {
+          rawApp.all(`${AUTH_PREFIX}/*`, handler);
+        } else {
+          for (const m of ["get", "post", "put", "delete", "patch", "options"]) {
+            try {
+              rawApp[m]?.(`${AUTH_PREFIX}/*`, handler);
+            } catch {
+            }
+          }
+        }
+        ctx.logger?.info?.(`[AuthProxyPlugin] auth proxy mounted at ${AUTH_PREFIX}/*`);
+      });
+    };
+  }
+};
+
+// src/cloud/file-artifact-api-client.ts
+import { readFile as readFile2, stat } from "fs/promises";
+import { resolve as resolvePath4 } from "path";
+var FileArtifactApiClient = class {
+  constructor(config = {}) {
+    const cwd = process.cwd();
+    this.artifactPath = resolvePath4(
+      cwd,
+      config.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? "dist/objectstack.json"
+    );
+    this.projectId = config.projectId ?? process.env.OS_PROJECT_ID ?? "proj_local";
+    this.organizationId = config.organizationId ?? process.env.OS_ORGANIZATION_ID ?? "org_local";
+    this.overrideRuntime = config.runtime;
+    this.watch = config.watch ?? true;
+    this.logger = config.logger ?? console;
+  }
+  async resolveHostname(_host) {
+    const runtime = this.overrideRuntime ?? await this.readRuntimeFromArtifact();
+    return {
+      projectId: this.projectId,
+      organizationId: this.organizationId,
+      ...runtime ? { runtime } : {}
+    };
+  }
+  async fetchArtifact(_projectId, _opts) {
+    return this.loadArtifact();
+  }
+  async lookupProjectByShortId(_shortId) {
+    return { projectId: this.projectId, organizationId: this.organizationId };
+  }
+  async fetchBranchHead(_projectId, _branchName) {
+    const artifact = await this.loadArtifact();
+    return artifact ? { commitId: artifact.commitId ?? "local", publishedAt: null } : null;
+  }
+  invalidate(_projectId) {
+    this.cached = void 0;
+  }
+  clear() {
+    this.cached = void 0;
+  }
+  async loadArtifact() {
+    try {
+      const stats = await stat(this.artifactPath);
+      const mtimeMs = stats.mtimeMs;
+      if (!this.watch && this.cached) return this.cached.response;
+      if (this.cached && this.cached.mtimeMs === mtimeMs) return this.cached.response;
+      const raw = await readFile2(this.artifactPath, "utf8");
+      const parsed = JSON.parse(raw);
+      const isEnvelope = parsed && typeof parsed === "object" && typeof parsed.metadata === "object" && parsed.metadata !== null;
+      const metadata = isEnvelope ? parsed.metadata : parsed;
+      const runtime = this.overrideRuntime ?? (isEnvelope ? parsed.runtime : void 0) ?? this.deriveRuntimeFromMetadata(metadata) ?? this.defaultLocalSqliteRuntime();
+      const response = {
+        schemaVersion: parsed.schemaVersion ?? "1",
+        projectId: parsed.projectId ?? this.projectId,
+        commitId: parsed.commitId ?? "local",
+        checksum: parsed.checksum ?? "",
+        publishedAt: parsed.publishedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+        metadata,
+        functions: parsed.functions,
+        manifest: parsed.manifest,
+        runtime: {
+          organizationId: this.organizationId,
+          ...runtime
+        }
+      };
+      this.cached = { mtimeMs, response };
+      return response;
+    } catch (err) {
+      this.logger.error?.("[FileArtifactApiClient] failed to load artifact", {
+        artifactPath: this.artifactPath,
+        error: err?.message ?? err
+      });
+      return null;
+    }
+  }
+  async readRuntimeFromArtifact() {
+    const artifact = await this.loadArtifact();
+    return artifact?.runtime;
+  }
+  deriveRuntimeFromMetadata(metadata) {
+    const datasources = metadata?.datasources;
+    if (!Array.isArray(datasources) || datasources.length === 0) return void 0;
+    const mapping = metadata?.datasourceMapping;
+    let preferredName;
+    if (mapping) {
+      const def = mapping.find((m) => m?.default === true);
+      if (def?.datasource) preferredName = def.datasource;
+    }
+    const ds = preferredName ? datasources.find((d) => d?.name === preferredName) ?? datasources[0] : datasources[0];
+    if (!ds || typeof ds !== "object") return void 0;
+    const config = ds.config ?? {};
+    const url = config.url ?? config.connectionString ?? config.connection ?? config.filename;
+    const driver = ds.driver;
+    if (typeof driver !== "string" || typeof url !== "string") return void 0;
+    return {
+      databaseDriver: driver,
+      databaseUrl: url,
+      databaseAuthToken: typeof config.authToken === "string" ? config.authToken : void 0
+    };
+  }
+  defaultLocalSqliteRuntime() {
+    const cwd = process.cwd();
+    const dbPath = resolvePath4(cwd, ".objectstack/data", `${this.projectId}.db`);
+    return {
+      databaseDriver: "sqlite",
+      databaseUrl: `file:${dbPath}`
+    };
+  }
+};
+
+// src/cloud/objectos-stack.ts
+async function createHostEnginePlugins() {
+  const { ObjectQLPlugin } = await import("@objectstack/objectql");
+  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
+  const { MetadataPlugin } = await import("@objectstack/metadata");
+  const { InMemoryDriver } = await import("@objectstack/driver-memory");
+  const driver = new InMemoryDriver();
+  const driverName = "memory";
+  const oqlRef = { ql: null };
+  const objectql = {
+    name: "com.objectstack.engine.objectql",
+    version: "0.0.0",
+    async init(ctx) {
+      const plugin = new ObjectQLPlugin();
+      this._inner = plugin;
+      if (plugin.init) await plugin.init(ctx);
+      oqlRef.ql = plugin.ql ?? plugin;
+    },
+    async start(ctx) {
+      const plugin = this._inner;
+      if (plugin?.start) await plugin.start(ctx);
+    },
+    async destroy() {
+      const plugin = this._inner;
+      if (plugin?.destroy) await plugin.destroy();
+      else if (plugin?.stop) await plugin.stop();
+    }
+  };
+  const datasourceMapping = {
+    name: "objectos-host-datasource-mapping",
+    version: "0.0.0",
+    dependencies: ["com.objectstack.engine.objectql"],
+    async init() {
+      const ql = oqlRef.ql;
+      if (ql?.setDatasourceMapping) {
+        ql.setDatasourceMapping([
+          { default: true, datasource: `com.objectstack.driver.${driverName}` }
+        ]);
+      }
+    }
+  };
+  const driverPlugin = new DriverPlugin2(driver, driverName);
+  const metadata = new MetadataPlugin({
+    watch: false,
+    // The host kernel is a routing shell. It doesn't own metadata —
+    // every per-project kernel registers its own.
+    registerSystemObjects: false
+  });
+  return [objectql, datasourceMapping, driverPlugin, metadata];
+}
+var ObjectOSProjectPlugin = class {
+  constructor(config) {
+    this.name = "com.objectstack.runtime.objectos-project";
+    this.version = "1.0.0";
+    this.init = async (ctx) => {
+      const client = this.config.client ?? (this.config.controlPlaneUrl === "file" ? new FileArtifactApiClient({
+        ...this.config.fileConfig ?? {},
+        logger: ctx.logger
+      }) : new ArtifactApiClient({
+        controlPlaneUrl: this.config.controlPlaneUrl,
+        apiKey: this.config.controlPlaneApiKey,
+        cacheTtlMs: this.config.artifactCacheTtlMs,
+        logger: ctx.logger
+      }));
+      this.client = client;
+      const envRegistry = new ArtifactEnvironmentRegistry({
+        client,
+        cacheTtlMs: this.config.envCacheTtlMs,
+        logger: ctx.logger
+      });
+      const factory = new ArtifactKernelFactory({
+        client,
+        envRegistry,
+        logger: ctx.logger
+      });
+      const kernelManager = new KernelManager({
+        factory,
+        maxSize: this.config.kernelCacheSize,
+        ttlMs: this.config.kernelTtlMs,
+        logger: ctx.logger
+      });
+      this.kernelManager = kernelManager;
+      ctx.registerService("env-registry", envRegistry);
+      ctx.registerService("kernel-manager", kernelManager);
+      ctx.registerService("artifact-api-client", client);
+      ctx.logger.info?.("ObjectOSProjectPlugin: registered env-registry + kernel-manager", {
+        mode: this.config.controlPlaneUrl === "file" ? "file" : "http",
+        controlPlaneUrl: this.config.controlPlaneUrl
+      });
+    };
+    this.destroy = async () => {
+      try {
+        await this.kernelManager?.evictAll();
+      } catch {
+      }
+      try {
+        this.client?.clear();
+      } catch {
+      }
+    };
+    this.config = config;
+  }
+};
+async function createObjectOSStack(config) {
+  if (!config.controlPlaneUrl && !config.client) {
+    throw new Error("[createObjectOSStack] either controlPlaneUrl or client is required");
+  }
+  const merged = {
+    ...config,
+    kernelCacheSize: Number(process.env.OS_KERNEL_CACHE_SIZE ?? config.kernelCacheSize ?? 32),
+    kernelTtlMs: Number(process.env.OS_KERNEL_TTL_MS ?? config.kernelTtlMs ?? 15 * 60 * 1e3),
+    envCacheTtlMs: Number(process.env.OS_ENV_CACHE_TTL_MS ?? config.envCacheTtlMs ?? 5 * 60 * 1e3),
+    artifactCacheTtlMs: Number(process.env.OS_ARTIFACT_CACHE_TTL_MS ?? config.artifactCacheTtlMs ?? 5 * 60 * 1e3)
+  };
+  const enginePlugins = await createHostEnginePlugins();
+  return {
+    plugins: [...enginePlugins, new ObjectOSProjectPlugin(merged), new AuthProxyPlugin()],
+    api: {
+      enableProjectScoping: true,
+      projectResolution: "auto",
+      // ObjectOS is multi-tenant: anonymous /api/v1/data/* must never
+      // leak per-project data across organisations. AuthProxyPlugin
+      // verifies upstream tokens and populates ctx.userId; requireAuth
+      // turns missing userId into 401 at the REST layer before the
+      // request reaches the per-project kernel.
+      requireAuth: true
+    }
+  };
+}
+
+// src/index.ts
+init_platform_sso();
+
 // src/sandbox/script-runner.ts
 var UnimplementedScriptRunner = class {
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -38291,12 +40900,26 @@ import {
 export * from "@objectstack/core";
 export {
   AppPlugin,
+  ArtifactApiClient,
+  ArtifactEnvironmentRegistry,
+  ArtifactKernelFactory,
+  AuthProxyPlugin,
+  DEFAULT_RATE_LIMITS,
   DriverPlugin,
+  FileArtifactApiClient,
   HttpDispatcher,
   HttpServer,
+  InMemoryErrorReporter,
+  InMemoryMetricsRegistry,
+  KernelManager,
   MiddlewareManager,
-  ObjectKernel3 as ObjectKernel,
+  NoopErrorReporter,
+  NoopMetricsRegistry,
+  ObjectKernel4 as ObjectKernel,
+  PLATFORM_SSO_PROVIDER_ID,
   QuickJSScriptRunner,
+  RUNTIME_METRICS,
+  RateLimiter,
   RestServer,
   RouteGroupBuilder,
   RouteManager,
@@ -38306,17 +40929,31 @@ export {
   SeedLoaderService,
   UnimplementedScriptRunner,
   actionBodyRunnerFactory,
+  backfillPlatformSsoClients,
+  buildPlatformSsoRedirectUri,
+  buildSecurityHeaders,
   collectBundleActions,
   collectBundleFunctions,
   collectBundleHooks,
+  createDefaultHostConfig,
   createDispatcherPlugin,
+  createObjectOSStack,
   createRestApiPlugin,
   createStandaloneStack,
   createSystemProjectPlugin,
+  derivePlatformSsoClientId,
+  derivePlatformSsoClientSecret,
+  extractRequestId,
+  formatTraceparent,
+  generateRequestId,
   hookBodyRunnerFactory,
   isHttpUrl,
   loadArtifactBundle,
   mergeRuntimeModule,
-  readArtifactSource
+  parseTraceparent,
+  readArtifactSource,
+  resolveDefaultArtifactPath,
+  resolveRequestId,
+  seedPlatformSsoClient
 };
 //# sourceMappingURL=index.js.map