npm - @objectstack/runtime - Versions diffs - 7.2.1 → 7.4.0 - Mend

@objectstack/runtime 7.2.1 → 7.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -7,6 +7,7 @@ import { z } from 'zod';
 import * as Contracts from '@objectstack/spec/contracts';
 import { ISeedLoaderService, IDataEngine, IMetadataService } from '@objectstack/spec/contracts';
 import { SeedLoaderRequest, SeedLoaderResult, ObjectDependencyGraph, Dataset, SeedLoaderConfigInput, ExpressionBody, ScriptBody, HookBody, Hook } from '@objectstack/spec/data';
+import { SchemaDiffEntry } from '@objectstack/spec/shared';
 import { MetricsRegistry, ErrorReporter } from '@objectstack/observability';
 export { CapturedError, ErrorReporter, InMemoryErrorReporter, InMemoryMetricsRegistry, MetricSample, MetricsRegistry, NoopErrorReporter, NoopMetricsRegistry, OBSERVABILITY_ERRORS_SERVICE, OBSERVABILITY_METRICS_SERVICE, RUNTIME_METRICS } from '@objectstack/observability';
 import { MiddlewareConfig, MiddlewareType } from '@objectstack/spec/system';
@@ -231,6 +232,30 @@ declare class AppPlugin implements Plugin {
     init: (ctx: PluginContext) => Promise<void>;
     start: (ctx: PluginContext) => Promise<void>;
     stop: (ctx: PluginContext) => Promise<void>;
+    /**
+     * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
+     *
+     * On a fresh boot there are zero users until the first human sign-up
+     * (which the SeedLoader runs *before*), so identity-derived seeds like
+     * `owner_id: cel`os.user.id`` had nothing to resolve against and were
+     * dropped silently. To make seeds deterministic and self-sufficient we
+     * upsert a single non-loginable **system user** (`usr_system`) and bind
+     * it as `os.user`.
+     *
+     * Why a dedicated system user rather than the login admin:
+     *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
+     *    password lives in `sys_account`, so a *loginable* admin can only be
+     *    minted through better-auth (the CLI does this via HTTP sign-up after
+     *    boot). A raw insert here would bypass those invariants.
+     *  - `usr_system` is an owner identity only (no credential row), analogous
+     *    to Salesforce's "Automated Process" user. The human admin is created
+     *    independently and need not be the seed owner.
+     *
+     * Idempotent: matches by the stable id, inserts once, reuses thereafter.
+     * Failures are non-fatal (logged) — records that actually need `os.user`
+     * then fail loudly in the loader with an actionable message.
+     */
+    private ensureSeedIdentity;
     /**
      * Emit a kernel hook so the control-plane `AppCatalogService` can
      * upsert / delete the corresponding `sys_app` row. Silently no-ops
@@ -329,6 +354,64 @@ declare class SeedLoaderService implements ISeedLoaderService {
     private buildResult;
 }
+/**
+ * Payload of the `external.schema.drift` event emitted on the kernel bus by the
+ * background drift checker (ADR-0015 §5.2). Consumed by `audit` / `notification`
+ * services. One event per drifted federated object.
+ */
+interface ExternalSchemaDriftEvent {
+    datasource: string;
+    object: string;
+    diffs: SchemaDiffEntry[];
+}
+/**
+ * Boot-validation plugin — Gate 2 of ADR-0015 §5.2.
+ *
+ * On `kernel:ready`, validates every federated object against its remote table
+ * (via the `external-datasource` service) and applies the datasource's
+ * `external.validation.onMismatch` policy:
+ *   - `fail`   → throws `ExternalSchemaMismatchError` (aborts boot) — default,
+ *   - `warn`   → logs the diff and continues,
+ *   - `ignore` → does nothing.
+ *
+ * No-op when the `external-datasource` service is not registered (federation
+ * unused).
+ */
+declare class ExternalValidationPlugin implements Plugin {
+    name: string;
+    type: string;
+    version: string;
+    /** Active background drift-check timers, keyed by datasource name. */
+    private driftTimers;
+    init: (_ctx: PluginContext) => void;
+    start: (ctx: PluginContext) => void;
+    /** Tear down background drift-check timers (idempotent). */
+    stop: () => void;
+    /** Exposed for testing; invoked from the kernel:ready handler. */
+    runValidation(ctx: PluginContext): Promise<void>;
+    /**
+     * Arm a background drift checker for every federated datasource that declares
+     * `external.validation.checkIntervalMs`. Each fires on its own interval and
+     * emits `external.schema.drift` events — it never throws or aborts the
+     * process, since drift past boot is observational, not fatal.
+     *
+     * No-op when metadata can't be enumerated or no datasource opts in. Re-arming
+     * (e.g. a second `kernel:ready`) first clears existing timers so intervals
+     * don't accumulate.
+     */
+    scheduleDriftChecks(ctx: PluginContext): Promise<void>;
+    /**
+     * Re-validate one datasource's federated objects and emit an
+     * `external.schema.drift` event per mismatch. Exposed for testing; invoked
+     * from the interval armed by {@link scheduleDriftChecks}. Never throws.
+     *
+     * @returns the number of drift events emitted.
+     */
+    runDriftCheck(ctx: PluginContext, datasource: string): Promise<number>;
+}
+/** Convenience factory mirroring the createXxxPlugin convention. */
+declare function createExternalValidationPlugin(): ExternalValidationPlugin;
 /**
  * Security response headers builder.
  *
@@ -1368,6 +1451,26 @@ declare class HttpDispatcher {
      * Uses ObjectQL SchemaRegistry directly (via the 'objectql' service).
      */
     handlePackages(path: string, method: string, body: any, query: any, _context: HttpProtocolContext): Promise<HttpDispatcherResult>;
+    /**
+     * Assemble a portable, offline-installable package manifest from the
+     * `sys_metadata` overlay rows bound to `packageId`.
+     *
+     * The resulting shape mirrors what `marketplace-install-local` →
+     * `manifestService.register()` → `engine.registerApp()` consumes:
+     *   `{ id, name, version, objects:[…], views:[…], flows:[…], … }`
+     * where each category key is the PLURAL manifest name and its value is
+     * an array of clean metadata bodies (provenance decorations stripped).
+     *
+     * Only the metadata categories that `registerApp` can actually consume
+     * are exported. `datasources` and `emailTemplates` are intentionally
+     * excluded (not registered by the import path). `tools` / `skills` ARE
+     * round-tripped: they are registered by `registerApp` on import and
+     * surfaced by `getMetaItems('tool' | 'skill')` on export.
+     *
+     * @returns the manifest object, or `null` if the package id is unknown
+     *          AND has no overlay-authored metadata.
+     */
+    private assemblePackageManifest;
     /**
      * Cloud / Environment Control-Plane routes.
      *
@@ -1411,19 +1514,6 @@ declare class HttpDispatcher {
      * Returns `undefined` for anonymous calls or when auth is not wired up.
      */
     private resolveActiveOrganizationId;
-    private resolveCallerUserId;
-    handleCloud(path: string, method: string, body: any, query: any, _context: HttpProtocolContext): Promise<HttpDispatcherResult>;
-    /**
-     * Cascade-delete a project: cred / member / package_installation rows,
-     * then the physical database via the provisioning adapter, then the
-     * `sys_environment` row itself. Used by both `DELETE /cloud/environments/:id`
-     * and the org-cascade in `DELETE /cloud/organizations/:id`.
-     *
-     * Idempotent and best-effort: missing rows / unreachable adapters
-     * become warnings rather than hard failures, so a half-provisioned
-     * project can still be cleaned out.
-     */
-    private deleteProjectCascade;
     /**
      * Handles Storage requests
      * path: sub-path after /storage/
@@ -1440,6 +1530,8 @@ declare class HttpDispatcher {
      *
      * Routes:
      *   GET    /                     → listFlows
+     *   GET    /actions              → getActionDescriptors (ADR-0018; ?paradigm/?source/?category filters)
+     *   GET    /connectors           → getConnectorDescriptors (ADR-0022; ?type filter)
      *   GET    /:name                → getFlow
      *   POST   /                     → createFlow (registerFlow)
      *   PUT    /:name                → updateFlow
@@ -1448,6 +1540,8 @@ declare class HttpDispatcher {
      *   POST   /:name/toggle         → toggleFlow
      *   GET    /:name/runs           → listRuns
      *   GET    /:name/runs/:runId    → getRun
+     *   POST   /:name/runs/:runId/resume → resume a paused run (screen input / ADR-0019)
+     *   GET    /:name/runs/:runId/screen → the screen a paused run awaits
      */
     handleAutomation(path: string, method: string, body: any, context: HttpProtocolContext, query?: any): Promise<HttpDispatcherResult>;
     private getServicesMap;
@@ -1908,7 +2002,7 @@ declare function createObjectOSStack(config: ObjectOSStackConfig): Promise<Objec
  *   - The Console SPA stays on the tenant origin, so no CORS configuration
  *     is required on the cloud side.
  *   - Local-dev `os serve` works regardless of whether the developer's
- *     browser has cookies for cloud.objectos.app.
+ *     browser has cookies for cloud.objectos.ai.
  *   - Adds a single, easily auditable network seam between tenant and
  *     control plane.
  *
@@ -1922,7 +2016,7 @@ declare function createObjectOSStack(config: ObjectOSStackConfig): Promise<Objec
 interface MarketplaceProxyPluginConfig {
     /**
-     * Control-plane base URL (e.g. https://cloud.objectos.app). When the
+     * Control-plane base URL (e.g. https://cloud.objectos.ai). When the
      * caller passes nothing AND the runtime has no OS_CLOUD_URL set, the
      * plugin falls back to the public ObjectStack-operated cloud so that
      * `objectstack dev` can browse the marketplace out of the box. Set
@@ -2144,7 +2238,7 @@ declare class RuntimeConfigPlugin implements Plugin {
  * ObjectStack-operated control plane so a vanilla `objectstack dev` can
  * browse the marketplace out of the box.
  */
-declare const DEFAULT_CLOUD_URL = "https://cloud.objectos.app";
+declare const DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
 /**
  * Resolve the effective control-plane URL from an explicit constructor
  * value, the OS_CLOUD_URL env var, or the default. Returns an empty
@@ -2350,7 +2444,7 @@ interface SeedPlatformSsoClientOptions {
     /** Project id (also used to derive client_id + client_secret). */
     environmentId: string;
     /**
-     * Project hostname (e.g. `acme-crm.objectos.app`). Optional — projects
+     * Project hostname (e.g. `acme-crm.objectos.ai`). Optional — projects
      * may be created before a hostname is assigned, in which case no
      * redirect_uri is registered yet and the row is upserted with an
      * empty `redirect_uris` array. Calling this function again once the
@@ -2636,4 +2730,4 @@ declare function actionBodyRunnerFactory(runner: ScriptRunner, opts: FactoryOpti
     timeoutMs?: number;
 }) => ((actionCtx: any) => Promise<unknown>) | undefined;
-export { AppPlugin, ArtifactApiClient, type ArtifactApiClientConfig, ArtifactEnvironmentRegistry, type ArtifactEnvironmentRegistryConfig, ArtifactKernelFactory, type ArtifactKernelFactoryConfig, AuthProxyPlugin, type BackfillPlatformSsoClientsOptions, DEFAULT_CLOUD_URL, DEFAULT_RATE_LIMITS, type DefaultHostConfigOptions, type DefaultHostConfigResult, type DispatcherPluginConfig, DriverPlugin, type EnvironmentArtifactResponse, type EnvironmentDriverRegistry, type EnvironmentKernelFactory, type EnvironmentRuntimeConfig, FileArtifactApiClient, type FileArtifactApiClientConfig, HttpDispatcher, type HttpDispatcherResult, type HttpProtocolContext, HttpServer, KernelManager, type KernelManagerConfig, type LoadArtifactBundleOptions, MarketplaceInstallLocalPlugin, type MarketplaceInstallLocalPluginConfig, MarketplaceProxyPlugin, type MarketplaceProxyPluginConfig, MiddlewareManager, type ObjectOSStackConfig, type ObjectOSStackResult, ObservabilityServicePlugin, type ObservabilityServicePluginOptions, PLATFORM_SSO_PROVIDER_ID, QuickJSScriptRunner, type QuickJSScriptRunnerOptions, type RateLimitBucketConfig, type RateLimitDecision, type RateLimitDefaults, type RateLimitStore, RateLimiter, type ResolvedHostname, Runtime, type RuntimeConfig, RuntimeConfigPlugin, type RuntimeConfigPluginConfig, SYSTEM_ENVIRONMENT_ID, SandboxError, type ScriptContext, type ScriptOrigin, type ScriptResult, type ScriptRunOptions, type ScriptRunner, type SecurityHeadersOptions, SeedLoaderService, type SeedPlatformSsoClientOptions, type StandaloneStackConfig, type StandaloneStackResult, type SystemEnvironmentPluginConfig, type TraceContext, UnimplementedScriptRunner, actionBodyRunnerFactory, backfillPlatformSsoClients, buildPlatformSsoRedirectUri, buildSecurityHeaders, collectBundleActions, collectBundleFunctions, collectBundleHooks, createDefaultHostConfig, createDispatcherPlugin, createObjectOSStack, createStandaloneStack, createSystemEnvironmentPlugin, derivePlatformSsoClientId, derivePlatformSsoClientSecret, extractRequestId, formatTraceparent, generateRequestId, hookBodyRunnerFactory, isHttpUrl, loadArtifactBundle, mergeRuntimeModule, parseTraceparent, readArtifactSource, resolveCloudUrl, resolveDefaultArtifactPath, resolveErrorReporter, resolveMetrics, resolveObjectStackHome, resolveRequestId, seedPlatformSsoClient };
+export { AppPlugin, ArtifactApiClient, type ArtifactApiClientConfig, ArtifactEnvironmentRegistry, type ArtifactEnvironmentRegistryConfig, ArtifactKernelFactory, type ArtifactKernelFactoryConfig, AuthProxyPlugin, type BackfillPlatformSsoClientsOptions, DEFAULT_CLOUD_URL, DEFAULT_RATE_LIMITS, type DefaultHostConfigOptions, type DefaultHostConfigResult, type DispatcherPluginConfig, DriverPlugin, type EnvironmentArtifactResponse, type EnvironmentDriverRegistry, type EnvironmentKernelFactory, type EnvironmentRuntimeConfig, type ExternalSchemaDriftEvent, ExternalValidationPlugin, FileArtifactApiClient, type FileArtifactApiClientConfig, HttpDispatcher, type HttpDispatcherResult, type HttpProtocolContext, HttpServer, KernelManager, type KernelManagerConfig, type LoadArtifactBundleOptions, MarketplaceInstallLocalPlugin, type MarketplaceInstallLocalPluginConfig, MarketplaceProxyPlugin, type MarketplaceProxyPluginConfig, MiddlewareManager, type ObjectOSStackConfig, type ObjectOSStackResult, ObservabilityServicePlugin, type ObservabilityServicePluginOptions, PLATFORM_SSO_PROVIDER_ID, QuickJSScriptRunner, type QuickJSScriptRunnerOptions, type RateLimitBucketConfig, type RateLimitDecision, type RateLimitDefaults, type RateLimitStore, RateLimiter, type ResolvedHostname, Runtime, type RuntimeConfig, RuntimeConfigPlugin, type RuntimeConfigPluginConfig, SYSTEM_ENVIRONMENT_ID, SandboxError, type ScriptContext, type ScriptOrigin, type ScriptResult, type ScriptRunOptions, type ScriptRunner, type SecurityHeadersOptions, SeedLoaderService, type SeedPlatformSsoClientOptions, type StandaloneStackConfig, type StandaloneStackResult, type SystemEnvironmentPluginConfig, type TraceContext, UnimplementedScriptRunner, actionBodyRunnerFactory, backfillPlatformSsoClients, buildPlatformSsoRedirectUri, buildSecurityHeaders, collectBundleActions, collectBundleFunctions, collectBundleHooks, createDefaultHostConfig, createDispatcherPlugin, createExternalValidationPlugin, createObjectOSStack, createStandaloneStack, createSystemEnvironmentPlugin, derivePlatformSsoClientId, derivePlatformSsoClientSecret, extractRequestId, formatTraceparent, generateRequestId, hookBodyRunnerFactory, isHttpUrl, loadArtifactBundle, mergeRuntimeModule, parseTraceparent, readArtifactSource, resolveCloudUrl, resolveDefaultArtifactPath, resolveErrorReporter, resolveMetrics, resolveObjectStackHome, resolveRequestId, seedPlatformSsoClient };

package/dist/index.d.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { z } from 'zod';
 import * as Contracts from '@objectstack/spec/contracts';
 import { ISeedLoaderService, IDataEngine, IMetadataService } from '@objectstack/spec/contracts';
 import { SeedLoaderRequest, SeedLoaderResult, ObjectDependencyGraph, Dataset, SeedLoaderConfigInput, ExpressionBody, ScriptBody, HookBody, Hook } from '@objectstack/spec/data';
+import { SchemaDiffEntry } from '@objectstack/spec/shared';
 import { MetricsRegistry, ErrorReporter } from '@objectstack/observability';
 export { CapturedError, ErrorReporter, InMemoryErrorReporter, InMemoryMetricsRegistry, MetricSample, MetricsRegistry, NoopErrorReporter, NoopMetricsRegistry, OBSERVABILITY_ERRORS_SERVICE, OBSERVABILITY_METRICS_SERVICE, RUNTIME_METRICS } from '@objectstack/observability';
 import { MiddlewareConfig, MiddlewareType } from '@objectstack/spec/system';
@@ -231,6 +232,30 @@ declare class AppPlugin implements Plugin {
     init: (ctx: PluginContext) => Promise<void>;
     start: (ctx: PluginContext) => Promise<void>;
     stop: (ctx: PluginContext) => Promise<void>;
+    /**
+     * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
+     *
+     * On a fresh boot there are zero users until the first human sign-up
+     * (which the SeedLoader runs *before*), so identity-derived seeds like
+     * `owner_id: cel`os.user.id`` had nothing to resolve against and were
+     * dropped silently. To make seeds deterministic and self-sufficient we
+     * upsert a single non-loginable **system user** (`usr_system`) and bind
+     * it as `os.user`.
+     *
+     * Why a dedicated system user rather than the login admin:
+     *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
+     *    password lives in `sys_account`, so a *loginable* admin can only be
+     *    minted through better-auth (the CLI does this via HTTP sign-up after
+     *    boot). A raw insert here would bypass those invariants.
+     *  - `usr_system` is an owner identity only (no credential row), analogous
+     *    to Salesforce's "Automated Process" user. The human admin is created
+     *    independently and need not be the seed owner.
+     *
+     * Idempotent: matches by the stable id, inserts once, reuses thereafter.
+     * Failures are non-fatal (logged) — records that actually need `os.user`
+     * then fail loudly in the loader with an actionable message.
+     */
+    private ensureSeedIdentity;
     /**
      * Emit a kernel hook so the control-plane `AppCatalogService` can
      * upsert / delete the corresponding `sys_app` row. Silently no-ops
@@ -329,6 +354,64 @@ declare class SeedLoaderService implements ISeedLoaderService {
     private buildResult;
 }
+/**
+ * Payload of the `external.schema.drift` event emitted on the kernel bus by the
+ * background drift checker (ADR-0015 §5.2). Consumed by `audit` / `notification`
+ * services. One event per drifted federated object.
+ */
+interface ExternalSchemaDriftEvent {
+    datasource: string;
+    object: string;
+    diffs: SchemaDiffEntry[];
+}
+/**
+ * Boot-validation plugin — Gate 2 of ADR-0015 §5.2.
+ *
+ * On `kernel:ready`, validates every federated object against its remote table
+ * (via the `external-datasource` service) and applies the datasource's
+ * `external.validation.onMismatch` policy:
+ *   - `fail`   → throws `ExternalSchemaMismatchError` (aborts boot) — default,
+ *   - `warn`   → logs the diff and continues,
+ *   - `ignore` → does nothing.
+ *
+ * No-op when the `external-datasource` service is not registered (federation
+ * unused).
+ */
+declare class ExternalValidationPlugin implements Plugin {
+    name: string;
+    type: string;
+    version: string;
+    /** Active background drift-check timers, keyed by datasource name. */
+    private driftTimers;
+    init: (_ctx: PluginContext) => void;
+    start: (ctx: PluginContext) => void;
+    /** Tear down background drift-check timers (idempotent). */
+    stop: () => void;
+    /** Exposed for testing; invoked from the kernel:ready handler. */
+    runValidation(ctx: PluginContext): Promise<void>;
+    /**
+     * Arm a background drift checker for every federated datasource that declares
+     * `external.validation.checkIntervalMs`. Each fires on its own interval and
+     * emits `external.schema.drift` events — it never throws or aborts the
+     * process, since drift past boot is observational, not fatal.
+     *
+     * No-op when metadata can't be enumerated or no datasource opts in. Re-arming
+     * (e.g. a second `kernel:ready`) first clears existing timers so intervals
+     * don't accumulate.
+     */
+    scheduleDriftChecks(ctx: PluginContext): Promise<void>;
+    /**
+     * Re-validate one datasource's federated objects and emit an
+     * `external.schema.drift` event per mismatch. Exposed for testing; invoked
+     * from the interval armed by {@link scheduleDriftChecks}. Never throws.
+     *
+     * @returns the number of drift events emitted.
+     */
+    runDriftCheck(ctx: PluginContext, datasource: string): Promise<number>;
+}
+/** Convenience factory mirroring the createXxxPlugin convention. */
+declare function createExternalValidationPlugin(): ExternalValidationPlugin;
 /**
  * Security response headers builder.
  *
@@ -1368,6 +1451,26 @@ declare class HttpDispatcher {
      * Uses ObjectQL SchemaRegistry directly (via the 'objectql' service).
      */
     handlePackages(path: string, method: string, body: any, query: any, _context: HttpProtocolContext): Promise<HttpDispatcherResult>;
+    /**
+     * Assemble a portable, offline-installable package manifest from the
+     * `sys_metadata` overlay rows bound to `packageId`.
+     *
+     * The resulting shape mirrors what `marketplace-install-local` →
+     * `manifestService.register()` → `engine.registerApp()` consumes:
+     *   `{ id, name, version, objects:[…], views:[…], flows:[…], … }`
+     * where each category key is the PLURAL manifest name and its value is
+     * an array of clean metadata bodies (provenance decorations stripped).
+     *
+     * Only the metadata categories that `registerApp` can actually consume
+     * are exported. `datasources` and `emailTemplates` are intentionally
+     * excluded (not registered by the import path). `tools` / `skills` ARE
+     * round-tripped: they are registered by `registerApp` on import and
+     * surfaced by `getMetaItems('tool' | 'skill')` on export.
+     *
+     * @returns the manifest object, or `null` if the package id is unknown
+     *          AND has no overlay-authored metadata.
+     */
+    private assemblePackageManifest;
     /**
      * Cloud / Environment Control-Plane routes.
      *
@@ -1411,19 +1514,6 @@ declare class HttpDispatcher {
      * Returns `undefined` for anonymous calls or when auth is not wired up.
      */
     private resolveActiveOrganizationId;
-    private resolveCallerUserId;
-    handleCloud(path: string, method: string, body: any, query: any, _context: HttpProtocolContext): Promise<HttpDispatcherResult>;
-    /**
-     * Cascade-delete a project: cred / member / package_installation rows,
-     * then the physical database via the provisioning adapter, then the
-     * `sys_environment` row itself. Used by both `DELETE /cloud/environments/:id`
-     * and the org-cascade in `DELETE /cloud/organizations/:id`.
-     *
-     * Idempotent and best-effort: missing rows / unreachable adapters
-     * become warnings rather than hard failures, so a half-provisioned
-     * project can still be cleaned out.
-     */
-    private deleteProjectCascade;
     /**
      * Handles Storage requests
      * path: sub-path after /storage/
@@ -1440,6 +1530,8 @@ declare class HttpDispatcher {
      *
      * Routes:
      *   GET    /                     → listFlows
+     *   GET    /actions              → getActionDescriptors (ADR-0018; ?paradigm/?source/?category filters)
+     *   GET    /connectors           → getConnectorDescriptors (ADR-0022; ?type filter)
      *   GET    /:name                → getFlow
      *   POST   /                     → createFlow (registerFlow)
      *   PUT    /:name                → updateFlow
@@ -1448,6 +1540,8 @@ declare class HttpDispatcher {
      *   POST   /:name/toggle         → toggleFlow
      *   GET    /:name/runs           → listRuns
      *   GET    /:name/runs/:runId    → getRun
+     *   POST   /:name/runs/:runId/resume → resume a paused run (screen input / ADR-0019)
+     *   GET    /:name/runs/:runId/screen → the screen a paused run awaits
      */
     handleAutomation(path: string, method: string, body: any, context: HttpProtocolContext, query?: any): Promise<HttpDispatcherResult>;
     private getServicesMap;
@@ -1908,7 +2002,7 @@ declare function createObjectOSStack(config: ObjectOSStackConfig): Promise<Objec
  *   - The Console SPA stays on the tenant origin, so no CORS configuration
  *     is required on the cloud side.
  *   - Local-dev `os serve` works regardless of whether the developer's
- *     browser has cookies for cloud.objectos.app.
+ *     browser has cookies for cloud.objectos.ai.
  *   - Adds a single, easily auditable network seam between tenant and
  *     control plane.
  *
@@ -1922,7 +2016,7 @@ declare function createObjectOSStack(config: ObjectOSStackConfig): Promise<Objec
 interface MarketplaceProxyPluginConfig {
     /**
-     * Control-plane base URL (e.g. https://cloud.objectos.app). When the
+     * Control-plane base URL (e.g. https://cloud.objectos.ai). When the
      * caller passes nothing AND the runtime has no OS_CLOUD_URL set, the
      * plugin falls back to the public ObjectStack-operated cloud so that
      * `objectstack dev` can browse the marketplace out of the box. Set
@@ -2144,7 +2238,7 @@ declare class RuntimeConfigPlugin implements Plugin {
  * ObjectStack-operated control plane so a vanilla `objectstack dev` can
  * browse the marketplace out of the box.
  */
-declare const DEFAULT_CLOUD_URL = "https://cloud.objectos.app";
+declare const DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
 /**
  * Resolve the effective control-plane URL from an explicit constructor
  * value, the OS_CLOUD_URL env var, or the default. Returns an empty
@@ -2350,7 +2444,7 @@ interface SeedPlatformSsoClientOptions {
     /** Project id (also used to derive client_id + client_secret). */
     environmentId: string;
     /**
-     * Project hostname (e.g. `acme-crm.objectos.app`). Optional — projects
+     * Project hostname (e.g. `acme-crm.objectos.ai`). Optional — projects
      * may be created before a hostname is assigned, in which case no
      * redirect_uri is registered yet and the row is upserted with an
      * empty `redirect_uris` array. Calling this function again once the
@@ -2636,4 +2730,4 @@ declare function actionBodyRunnerFactory(runner: ScriptRunner, opts: FactoryOpti
     timeoutMs?: number;
 }) => ((actionCtx: any) => Promise<unknown>) | undefined;
-export { AppPlugin, ArtifactApiClient, type ArtifactApiClientConfig, ArtifactEnvironmentRegistry, type ArtifactEnvironmentRegistryConfig, ArtifactKernelFactory, type ArtifactKernelFactoryConfig, AuthProxyPlugin, type BackfillPlatformSsoClientsOptions, DEFAULT_CLOUD_URL, DEFAULT_RATE_LIMITS, type DefaultHostConfigOptions, type DefaultHostConfigResult, type DispatcherPluginConfig, DriverPlugin, type EnvironmentArtifactResponse, type EnvironmentDriverRegistry, type EnvironmentKernelFactory, type EnvironmentRuntimeConfig, FileArtifactApiClient, type FileArtifactApiClientConfig, HttpDispatcher, type HttpDispatcherResult, type HttpProtocolContext, HttpServer, KernelManager, type KernelManagerConfig, type LoadArtifactBundleOptions, MarketplaceInstallLocalPlugin, type MarketplaceInstallLocalPluginConfig, MarketplaceProxyPlugin, type MarketplaceProxyPluginConfig, MiddlewareManager, type ObjectOSStackConfig, type ObjectOSStackResult, ObservabilityServicePlugin, type ObservabilityServicePluginOptions, PLATFORM_SSO_PROVIDER_ID, QuickJSScriptRunner, type QuickJSScriptRunnerOptions, type RateLimitBucketConfig, type RateLimitDecision, type RateLimitDefaults, type RateLimitStore, RateLimiter, type ResolvedHostname, Runtime, type RuntimeConfig, RuntimeConfigPlugin, type RuntimeConfigPluginConfig, SYSTEM_ENVIRONMENT_ID, SandboxError, type ScriptContext, type ScriptOrigin, type ScriptResult, type ScriptRunOptions, type ScriptRunner, type SecurityHeadersOptions, SeedLoaderService, type SeedPlatformSsoClientOptions, type StandaloneStackConfig, type StandaloneStackResult, type SystemEnvironmentPluginConfig, type TraceContext, UnimplementedScriptRunner, actionBodyRunnerFactory, backfillPlatformSsoClients, buildPlatformSsoRedirectUri, buildSecurityHeaders, collectBundleActions, collectBundleFunctions, collectBundleHooks, createDefaultHostConfig, createDispatcherPlugin, createObjectOSStack, createStandaloneStack, createSystemEnvironmentPlugin, derivePlatformSsoClientId, derivePlatformSsoClientSecret, extractRequestId, formatTraceparent, generateRequestId, hookBodyRunnerFactory, isHttpUrl, loadArtifactBundle, mergeRuntimeModule, parseTraceparent, readArtifactSource, resolveCloudUrl, resolveDefaultArtifactPath, resolveErrorReporter, resolveMetrics, resolveObjectStackHome, resolveRequestId, seedPlatformSsoClient };
+export { AppPlugin, ArtifactApiClient, type ArtifactApiClientConfig, ArtifactEnvironmentRegistry, type ArtifactEnvironmentRegistryConfig, ArtifactKernelFactory, type ArtifactKernelFactoryConfig, AuthProxyPlugin, type BackfillPlatformSsoClientsOptions, DEFAULT_CLOUD_URL, DEFAULT_RATE_LIMITS, type DefaultHostConfigOptions, type DefaultHostConfigResult, type DispatcherPluginConfig, DriverPlugin, type EnvironmentArtifactResponse, type EnvironmentDriverRegistry, type EnvironmentKernelFactory, type EnvironmentRuntimeConfig, type ExternalSchemaDriftEvent, ExternalValidationPlugin, FileArtifactApiClient, type FileArtifactApiClientConfig, HttpDispatcher, type HttpDispatcherResult, type HttpProtocolContext, HttpServer, KernelManager, type KernelManagerConfig, type LoadArtifactBundleOptions, MarketplaceInstallLocalPlugin, type MarketplaceInstallLocalPluginConfig, MarketplaceProxyPlugin, type MarketplaceProxyPluginConfig, MiddlewareManager, type ObjectOSStackConfig, type ObjectOSStackResult, ObservabilityServicePlugin, type ObservabilityServicePluginOptions, PLATFORM_SSO_PROVIDER_ID, QuickJSScriptRunner, type QuickJSScriptRunnerOptions, type RateLimitBucketConfig, type RateLimitDecision, type RateLimitDefaults, type RateLimitStore, RateLimiter, type ResolvedHostname, Runtime, type RuntimeConfig, RuntimeConfigPlugin, type RuntimeConfigPluginConfig, SYSTEM_ENVIRONMENT_ID, SandboxError, type ScriptContext, type ScriptOrigin, type ScriptResult, type ScriptRunOptions, type ScriptRunner, type SecurityHeadersOptions, SeedLoaderService, type SeedPlatformSsoClientOptions, type StandaloneStackConfig, type StandaloneStackResult, type SystemEnvironmentPluginConfig, type TraceContext, UnimplementedScriptRunner, actionBodyRunnerFactory, backfillPlatformSsoClients, buildPlatformSsoRedirectUri, buildSecurityHeaders, collectBundleActions, collectBundleFunctions, collectBundleHooks, createDefaultHostConfig, createDispatcherPlugin, createExternalValidationPlugin, createObjectOSStack, createStandaloneStack, createSystemEnvironmentPlugin, derivePlatformSsoClientId, derivePlatformSsoClientSecret, extractRequestId, formatTraceparent, generateRequestId, hookBodyRunnerFactory, isHttpUrl, loadArtifactBundle, mergeRuntimeModule, parseTraceparent, readArtifactSource, resolveCloudUrl, resolveDefaultArtifactPath, resolveErrorReporter, resolveMetrics, resolveObjectStackHome, resolveRequestId, seedPlatformSsoClient };