npm - @objectstack/runtime - Versions diffs - 7.2.1 → 7.4.0 - Mend

@objectstack/runtime 7.2.1 → 7.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -9,13 +9,6 @@ var __export = (target, all) => {
 };
 // src/load-artifact-bundle.ts
-var load_artifact_bundle_exports = {};
-__export(load_artifact_bundle_exports, {
-  isHttpUrl: () => isHttpUrl,
-  loadArtifactBundle: () => loadArtifactBundle,
-  mergeRuntimeModule: () => mergeRuntimeModule,
-  readArtifactSource: () => readArtifactSource
-});
 import { readFile } from "fs/promises";
 import { resolve as resolvePath, isAbsolute, dirname } from "path";
 import { pathToFileURL } from "url";
@@ -270,17 +263,37 @@ var init_seed_loader = __esm({
         }
         const objectRefs = refMap.get(objectName) || [];
         const seedNow = /* @__PURE__ */ new Date();
+        const seedIdentity = config.identity;
+        const baseEvalCtx = {
+          now: seedNow,
+          user: seedIdentity?.user,
+          // Fall back to the per-tenant organizationId so `os.org.id` resolves
+          // during per-org replay even without an explicit identity.org.
+          org: seedIdentity?.org ?? (config.organizationId ? { id: config.organizationId } : void 0),
+          env: config.env
+        };
         for (let i = 0; i < dataset.records.length; i++) {
           const seedResult = resolveSeedRecord(
             dataset.records[i],
-            { now: seedNow }
+            baseEvalCtx
           );
-          const record = seedResult.ok ? { ...seedResult.value } : { ...dataset.records[i] };
           if (!seedResult.ok) {
-            this.logger.warn(
-              `[SeedLoader] Failed to resolve dynamic values for ${objectName} record #${i}: ${seedResult.error.message}`
-            );
+            errored++;
+            const error = {
+              sourceObject: objectName,
+              field: "(expression)",
+              targetObject: objectName,
+              targetField: "(expression)",
+              attemptedValue: dataset.records[i],
+              recordIndex: i,
+              message: `Cannot resolve dynamic seed values for ${objectName} record #${i}: ${seedResult.error.message}. Records using cel\`os.user.id\` / cel\`os.org.id\` require a seed identity \u2014 ensure a system/admin user exists before seeding (see SeedLoaderConfig.identity).`
+            };
+            errors.push(error);
+            allErrors.push(error);
+            this.logger.warn(`[SeedLoader] ${error.message}`);
+            continue;
           }
+          const record = { ...seedResult.value };
           if (config.organizationId && record["organization_id"] == null) {
             record["organization_id"] = config.organizationId;
           }
@@ -359,10 +372,18 @@ var init_seed_loader = __esm({
               }
             } catch (err) {
               errored++;
-              this.logger.warn(`[SeedLoader] Failed to write ${objectName} record`, {
-                error: err.message,
-                recordIndex: i
-              });
+              const error = {
+                sourceObject: objectName,
+                field: "(write)",
+                targetObject: objectName,
+                targetField: externalId,
+                attemptedValue: record[externalId] ?? null,
+                recordIndex: i,
+                message: `Failed to write ${objectName} record #${i} (${externalId}=${String(record[externalId] ?? "")}): ${err.message}`
+              };
+              errors.push(error);
+              allErrors.push(error);
+              this.logger.warn(`[SeedLoader] ${error.message}`, { recordIndex: i });
             }
           } else {
             const externalIdValue = String(record[externalId] ?? "");
@@ -702,6 +723,52 @@ var init_seed_loader = __esm({
   }
 });
+// src/package-state-store.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname as dirname2, join } from "path";
+function sanitizeEnvironmentId(environmentId) {
+  const raw = (environmentId ?? process.env.OS_ENVIRONMENT_ID ?? DEFAULT_ENVIRONMENT_ID).trim();
+  const safe = raw.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return safe.length > 0 ? safe : DEFAULT_ENVIRONMENT_ID;
+}
+function stateFilePath(environmentId) {
+  return join(resolveObjectStackHome(), "package-state", `${sanitizeEnvironmentId(environmentId)}.json`);
+}
+function readState(environmentId) {
+  const file = stateFilePath(environmentId);
+  if (!existsSync(file)) return {};
+  try {
+    const parsed = JSON.parse(readFileSync(file, "utf8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function writeState(environmentId, state) {
+  const file = stateFilePath(environmentId);
+  mkdirSync(dirname2(file), { recursive: true });
+  writeFileSync(file, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+}
+function loadDisabledPackageIds(environmentId) {
+  const disabled = readState(environmentId).disabled;
+  return new Set(Array.isArray(disabled) ? disabled.filter((id) => typeof id === "string") : []);
+}
+function setPackageDisabled(environmentId, packageId, disabled) {
+  const ids = loadDisabledPackageIds(environmentId);
+  if (disabled) ids.add(packageId);
+  else ids.delete(packageId);
+  writeState(environmentId, { disabled: Array.from(ids).sort() });
+}
+var DEFAULT_ENVIRONMENT_ID;
+var init_package_state_store = __esm({
+  "src/package-state-store.ts"() {
+    "use strict";
+    init_standalone_stack();
+    DEFAULT_ENVIRONMENT_ID = "default";
+  }
+});
 // src/sandbox/quickjs-runner.ts
 import {
   newAsyncContext
@@ -1203,6 +1270,7 @@ __export(app_plugin_exports, {
   collectBundleHooks: () => collectBundleHooks
 });
 import { readEnvWithDeprecation } from "@objectstack/types";
+import { SystemUserId } from "@objectstack/spec/system";
 function collectBundleHooks(bundle) {
   const out = [];
   const seen = /* @__PURE__ */ new Set();
@@ -1267,6 +1335,7 @@ var init_app_plugin = __esm({
   "src/app-plugin.ts"() {
     "use strict";
     init_seed_loader();
+    init_package_state_store();
     init_quickjs_runner();
     init_body_runner();
     AppPlugin = class {
@@ -1292,6 +1361,24 @@ var init_app_plugin = __esm({
           console.warn(
             `[AppPlugin:init] appId=${appId} keys=${Object.keys(servicePayload).join(",")} flows=${Array.isArray(servicePayload.flows) ? servicePayload.flows.length : "n/a"}`
           );
+          try {
+            const ql = ctx.getService("objectql");
+            const setter = ql?.registry?.setInitialDisabledPackageIds;
+            if (typeof setter === "function") {
+              const disabled = loadDisabledPackageIds(this.projectContext?.environmentId);
+              if (disabled.size > 0) {
+                setter.call(ql.registry, disabled);
+                ctx.logger.info("[AppPlugin] seeded persisted disabled packages", {
+                  environmentId: this.projectContext?.environmentId,
+                  disabled: Array.from(disabled)
+                });
+              }
+            }
+          } catch (err) {
+            ctx.logger.warn("[AppPlugin] failed to seed persisted package state", {
+              error: err?.message ?? String(err)
+            });
+          }
           ctx.getService("manifest").register(servicePayload);
         };
         this.start = async (ctx) => {
@@ -1323,6 +1410,27 @@ var init_app_plugin = __esm({
             });
             ql.setDatasourceMapping(this.bundle.datasourceMapping);
           }
+          try {
+            const dsDefs = this.bundle.datasources;
+            const dsList = Array.isArray(dsDefs) ? dsDefs : dsDefs && typeof dsDefs === "object" ? Object.entries(dsDefs).map(([name, def]) => ({ name, ...def })) : [];
+            if (dsList.length > 0) {
+              const metadata = ctx.getService("metadata");
+              if (typeof metadata?.registerInMemory === "function") {
+                for (const ds of dsList) {
+                  if (!ds?.name) continue;
+                  metadata.registerInMemory("datasource", ds.name, { ...ds, origin: "code" });
+                }
+                ctx.logger.info("Registered code-defined datasources in metadata registry", {
+                  appId,
+                  count: dsList.length
+                });
+              }
+            }
+          } catch (err) {
+            ctx.logger.warn("[AppPlugin] failed to register code-defined datasources", {
+              error: err?.message ?? String(err)
+            });
+          }
           const stackBundle = this.bundle.default || this.bundle;
           const runtime = stackBundle && typeof stackBundle.onEnable === "function" ? stackBundle : this.bundle;
           if (runtime && typeof runtime.onEnable === "function") {
@@ -1417,49 +1525,6 @@ var init_app_plugin = __esm({
               appId
             });
           }
-          try {
-            const approvals = Array.isArray(this.bundle.approvals) ? this.bundle.approvals : Array.isArray((this.bundle.manifest || {}).approvals) ? this.bundle.manifest.approvals : [];
-            if (approvals.length > 0) {
-              ctx.hook("kernel:ready", async () => {
-                let svc;
-                try {
-                  svc = ctx.getService("approvals");
-                } catch {
-                }
-                if (!svc || typeof svc.defineProcess !== "function") {
-                  ctx.logger.warn("[AppPlugin] approvals service not registered \u2014 skipping declarative processes", {
-                    appId,
-                    processCount: approvals.length
-                  });
-                  return;
-                }
-                const sysCtx = { isSystem: true, roles: [], permissions: [] };
-                let ok = 0;
-                for (const proc of approvals) {
-                  try {
-                    await svc.defineProcess({
-                      name: proc.name,
-                      label: proc.label,
-                      object: proc.object,
-                      description: proc.description,
-                      active: proc.active !== false,
-                      definition: proc
-                    }, sysCtx);
-                    ok++;
-                  } catch (err) {
-                    ctx.logger.warn("[AppPlugin] Failed to register approval process", {
-                      appId,
-                      process: proc?.name,
-                      error: err?.message ?? String(err)
-                    });
-                  }
-                }
-                ctx.logger.info("[AppPlugin] Registered approval processes", { appId, count: ok });
-              });
-            }
-          } catch (err) {
-            ctx.logger.error("[AppPlugin] Failed to schedule approval-process registration", err, { appId });
-          }
           try {
             const jobs = Array.isArray(this.bundle.jobs) ? this.bundle.jobs : Array.isArray((this.bundle.manifest || {}).jobs) ? this.bundle.manifest.jobs : [];
             if (jobs.length > 0) {
@@ -1536,6 +1601,7 @@ var init_app_plugin = __esm({
               ...d,
               object: d.object
             }));
+            const seedIdentity = await this.ensureSeedIdentity(ql, ctx.logger);
             try {
               const kernel = ctx.kernel;
               const existing = (() => {
@@ -1577,7 +1643,12 @@ var init_app_plugin = __esm({
                   config: {
                     defaultMode: "upsert",
                     multiPass: true,
-                    organizationId
+                    organizationId,
+                    // Bind os.user (system identity) and os.org (this
+                    // tenant) so identity-derived seed values resolve
+                    // per-org. org.id falls back to organizationId
+                    // inside the loader when identity.org is absent.
+                    identity: seedIdentity
                   }
                 });
                 const result = await seedLoader.load(request);
@@ -1605,14 +1676,34 @@ var init_app_plugin = __esm({
                     const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                     const request = SeedLoaderRequestSchema.parse({
                       datasets: normalizedDatasets,
-                      config: { defaultMode: "upsert", multiPass: true }
+                      config: { defaultMode: "upsert", multiPass: true, identity: seedIdentity }
                     });
                     const result = await seedLoader.load(request);
-                    ctx.logger.info("[Seeder] Seed loading complete", {
-                      inserted: result.summary.totalInserted,
-                      updated: result.summary.totalUpdated,
-                      errors: result.errors.length
-                    });
+                    const { totalInserted, totalUpdated, totalSkipped, totalErrored } = result.summary;
+                    if (result.success) {
+                      ctx.logger.info("[Seeder] Seed loading complete", {
+                        inserted: totalInserted,
+                        updated: totalUpdated,
+                        skipped: totalSkipped,
+                        errored: totalErrored
+                      });
+                    } else {
+                      ctx.logger.warn(
+                        `[Seeder] Seed loading completed with ${totalErrored} dropped record(s) and ${result.errors.length} error(s) for ${appId}`,
+                        {
+                          inserted: totalInserted,
+                          updated: totalUpdated,
+                          skipped: totalSkipped,
+                          errored: totalErrored
+                        }
+                      );
+                      for (const e of result.errors.slice(0, 20)) {
+                        ctx.logger.warn(`[Seeder]   \u2717 ${e.message}`);
+                      }
+                      if (result.errors.length > 20) {
+                        ctx.logger.warn(`[Seeder]   \u2026and ${result.errors.length - 20} more error(s)`);
+                      }
+                    }
                   } else {
                     ctx.logger.debug("[Seeder] No metadata service; using basic insert fallback");
                     for (const dataset of normalizedDatasets) {
@@ -1714,6 +1805,64 @@ var init_app_plugin = __esm({
         this.name = `plugin.app.${appId}`;
         this.version = sys?.version;
       }
+      /**
+       * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
+       *
+       * On a fresh boot there are zero users until the first human sign-up
+       * (which the SeedLoader runs *before*), so identity-derived seeds like
+       * `owner_id: cel`os.user.id`` had nothing to resolve against and were
+       * dropped silently. To make seeds deterministic and self-sufficient we
+       * upsert a single non-loginable **system user** (`usr_system`) and bind
+       * it as `os.user`.
+       *
+       * Why a dedicated system user rather than the login admin:
+       *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
+       *    password lives in `sys_account`, so a *loginable* admin can only be
+       *    minted through better-auth (the CLI does this via HTTP sign-up after
+       *    boot). A raw insert here would bypass those invariants.
+       *  - `usr_system` is an owner identity only (no credential row), analogous
+       *    to Salesforce's "Automated Process" user. The human admin is created
+       *    independently and need not be the seed owner.
+       *
+       * Idempotent: matches by the stable id, inserts once, reuses thereafter.
+       * Failures are non-fatal (logged) — records that actually need `os.user`
+       * then fail loudly in the loader with an actionable message.
+       */
+      async ensureSeedIdentity(ql, logger) {
+        const SYSTEM_USER_ID = SystemUserId.SYSTEM;
+        const SYSTEM_USER_EMAIL = "system@objectstack.local";
+        const identity = { user: { id: SYSTEM_USER_ID, role: "system", email: SYSTEM_USER_EMAIL } };
+        const opts = { context: { isSystem: true } };
+        try {
+          const existing = await ql.find(
+            "sys_user",
+            { where: { id: SYSTEM_USER_ID }, limit: 1 },
+            opts
+          );
+          if (Array.isArray(existing) && existing.length > 0) {
+            return identity;
+          }
+          await ql.insert(
+            "sys_user",
+            {
+              id: SYSTEM_USER_ID,
+              name: "System",
+              email: SYSTEM_USER_EMAIL,
+              email_verified: true,
+              role: "system"
+            },
+            opts
+          );
+          logger.info(
+            `[Seeder] Provisioned deterministic system user (${SYSTEM_USER_ID}) as seed owner \u2014 binds os.user for identity-derived seed values`
+          );
+        } catch (err) {
+          logger.warn("[Seeder] Failed to ensure system seed user; os.user-dependent seeds may be dropped", {
+            error: err?.message ?? String(err)
+          });
+        }
+        return identity;
+      }
       /**
        * Emit a kernel hook so the control-plane `AppCatalogService` can
        * upsert / delete the corresponding `sys_app` row. Silently no-ops
@@ -1836,209 +1985,167 @@ var init_app_plugin = __esm({
   }
 });
-// src/cloud/platform-sso.ts
-var platform_sso_exports = {};
-__export(platform_sso_exports, {
-  PLATFORM_SSO_PROVIDER_ID: () => PLATFORM_SSO_PROVIDER_ID,
-  backfillPlatformSsoClients: () => backfillPlatformSsoClients,
-  buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
-  derivePlatformSsoClientId: () => derivePlatformSsoClientId,
-  derivePlatformSsoClientSecret: () => derivePlatformSsoClientSecret,
-  hashPlatformSsoClientSecret: () => hashPlatformSsoClientSecret,
-  seedPlatformSsoClient: () => seedPlatformSsoClient
-});
-import { createHmac, createHash } from "crypto";
-function derivePlatformSsoClientId(environmentId) {
-  return `project_${environmentId}`;
-}
-function derivePlatformSsoClientSecret(baseSecret, environmentId) {
-  return createHmac("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
-}
-function hashPlatformSsoClientSecret(plaintext) {
-  return createHash("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
-  let host;
-  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
-    host = hostname;
-  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
-    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
-    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
-    host = `http://${hostWithPort}`;
-  } else {
-    host = `https://${hostname}`;
+// src/standalone-stack.ts
+import { resolve as resolvePath2 } from "path";
+import { mkdirSync as mkdirSync2 } from "fs";
+import { homedir } from "os";
+import { z } from "zod";
+import { readEnvWithDeprecation as readEnvWithDeprecation2 } from "@objectstack/types";
+function resolveObjectStackHome() {
+  const raw = process.env.OS_HOME?.trim();
+  if (raw && raw.length > 0) {
+    if (raw.startsWith("~")) return resolvePath2(homedir(), raw.slice(1).replace(/^[/\\]/, ""));
+    return resolvePath2(raw);
   }
-  const trimmed = host.replace(/\/+$/, "");
-  const path = basePath.replace(/\/+$/, "");
-  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
+  return resolvePath2(homedir(), ".objectstack");
 }
-async function seedPlatformSsoClient(opts) {
-  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
-    return;
-  }
-  const clientId = derivePlatformSsoClientId(environmentId);
-  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
-  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
-  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
-  let existing = null;
-  try {
-    const rows = await ql.find("sys_oauth_application", {
-      where: { client_id: clientId },
-      limit: 1
-    }, { context: { isSystem: true } });
-    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-    existing = list[0] ?? null;
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
-      environmentId,
-      error: err?.message
-    });
-    return;
-  }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  if (!existing) {
-    const redirects = desiredRedirect ? [desiredRedirect] : [];
+function detectDriverFromUrl(dbUrl) {
+  if (/^memory:\/\//i.test(dbUrl)) return "memory";
+  if (/^(postgres(ql)?|pg):\/\//i.test(dbUrl)) return "postgres";
+  if (/^mongodb(\+srv)?:\/\//i.test(dbUrl)) return "mongodb";
+  if (/^wasm-sqlite:\/\//i.test(dbUrl)) return "sqlite-wasm";
+  if (/\.wasm\.db$/i.test(dbUrl)) return "sqlite-wasm";
+  if (/^file:/i.test(dbUrl)) return "sqlite";
+  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(dbUrl)) return "sqlite";
+  throw new Error(
+    `[StandaloneStack] Unsupported database URL scheme: ${dbUrl}. Supported schemes: memory://, postgres://, pg://, mongodb://, mongodb+srv://, file:`
+  );
+}
+async function createStandaloneStack(config) {
+  const cfg = StandaloneStackConfigSchema.parse(config ?? {});
+  const { ObjectQLPlugin } = await import("@objectstack/objectql");
+  const { MetadataPlugin } = await import("@objectstack/metadata");
+  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
+  const { AppPlugin: AppPlugin2 } = await Promise.resolve().then(() => (init_app_plugin(), app_plugin_exports));
+  const cwd = process.cwd();
+  const environmentId = cfg.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
+  const artifactPathInput = cfg.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? resolvePath2(cwd, "dist/objectstack.json");
+  const artifactPath = isHttpUrl(artifactPathInput) ? artifactPathInput : artifactPathInput.startsWith("/") ? artifactPathInput : resolvePath2(cwd, artifactPathInput);
+  const dbUrl = cfg.databaseUrl ?? readEnvWithDeprecation2("OS_DATABASE_URL", "DATABASE_URL")?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? (process.env.OS_HOME?.trim() ? `file:${resolvePath2(resolveObjectStackHome(), "data/standalone.db")}` : cfg.projectRoot ? `file:${resolvePath2(cfg.projectRoot, ".objectstack/data/standalone.db")}` : `file:${resolvePath2(resolveObjectStackHome(), "data/standalone.db")}`);
+  const explicitDriver = cfg.databaseDriver ?? process.env.OS_DATABASE_DRIVER?.trim();
+  const dbDriver = explicitDriver ?? detectDriverFromUrl(dbUrl);
+  let driverPlugin;
+  if (dbDriver === "memory") {
+    const { InMemoryDriver } = await import("@objectstack/driver-memory");
+    driverPlugin = new DriverPlugin2(new InMemoryDriver());
+  } else if (dbDriver === "postgres") {
+    const { SqlDriver } = await import("@objectstack/driver-sql");
+    driverPlugin = new DriverPlugin2(
+      new SqlDriver({
+        client: "pg",
+        connection: dbUrl,
+        pool: { min: 0, max: 5 }
+      })
+    );
+  } else if (dbDriver === "mongodb") {
+    let MongoDBDriver;
     try {
-      await ql.insert("sys_oauth_application", {
-        id: `oauthc_${environmentId}`,
-        name: `Project ${environmentId}`,
-        client_id: clientId,
-        client_secret: clientSecretStored,
-        type: "web",
-        redirect_uris: JSON.stringify(redirects),
-        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-        response_types: JSON.stringify(["code"]),
-        scopes: JSON.stringify(["openid", "email", "profile"]),
-        token_endpoint_auth_method: "client_secret_basic",
-        require_pkce: false,
-        skip_consent: true,
-        disabled: false,
-        subject_type: "public",
-        created_at: nowIso,
-        updated_at: nowIso
-      }, { context: { isSystem: true } });
-      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
+      ({ MongoDBDriver } = await import("@objectstack/driver-mongodb"));
     } catch (err) {
-      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
-        environmentId,
-        error: err?.message
-      });
-      if (throwOnError) throw err;
+      throw new Error(
+        `[StandaloneStack] mongodb URL detected but @objectstack/driver-mongodb is not installed. Add it as a dependency or pass an explicit driverPlugin. (${err?.message ?? err})`
+      );
     }
-    return;
+    driverPlugin = new DriverPlugin2(new MongoDBDriver({ url: dbUrl }));
+  } else if (dbDriver === "sqlite-wasm") {
+    const { SqliteWasmDriver } = await import("@objectstack/driver-sqlite-wasm");
+    const filename = dbUrl.replace(/^wasm-sqlite:(\/\/)?/i, "").replace(/^file:(\/\/)?/i, "");
+    if (filename && filename !== ":memory:") {
+      mkdirSync2(resolvePath2(filename, ".."), { recursive: true });
+    }
+    driverPlugin = new DriverPlugin2(
+      new SqliteWasmDriver({
+        filename: filename || ":memory:",
+        persist: filename && filename !== ":memory:" ? "on-write" : void 0
+      })
+    );
+  } else {
+    const { SqlDriver } = await import("@objectstack/driver-sql");
+    const filename = dbUrl.replace(/^file:(\/\/)?/, "");
+    if (!filename || /^[a-z][a-z0-9+.-]*:\/\//i.test(filename)) {
+      throw new Error(
+        `[StandaloneStack] sqlite driver was selected but the URL does not look like a file path: "${dbUrl}". Use file:/path/to/db.sqlite, or set OS_DATABASE_DRIVER explicitly.`
+      );
+    }
+    mkdirSync2(resolvePath2(filename, ".."), { recursive: true });
+    driverPlugin = new DriverPlugin2(
+      new SqlDriver({
+        client: "better-sqlite3",
+        connection: { filename },
+        useNullAsDefault: true
+      })
+    );
   }
-  let currentRedirects = [];
-  try {
-    const raw = existing.redirect_uris;
-    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
-    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
-  } catch {
+  const artifactBundle = await loadArtifactBundle(artifactPath, {
+    tag: "[StandaloneStack]",
+    unwrapEnvelope: true
+  });
+  if (artifactBundle) {
+    const flowsCount = Array.isArray(artifactBundle?.flows) ? artifactBundle.flows.length : "n/a";
+    console.warn(
+      `[StandaloneStack] artifact loaded: path=${artifactPath} keys=${Object.keys(artifactBundle).join(",")} flows=${flowsCount}`
+    );
   }
-  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
-  const repairPatch = {
-    name: existing.name || `Project ${environmentId}`,
-    client_secret: clientSecretStored,
-    type: existing.type || "web",
-    redirect_uris: JSON.stringify(mergedRedirects),
-    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-    response_types: JSON.stringify(["code"]),
-    scopes: JSON.stringify(["openid", "email", "profile"]),
-    token_endpoint_auth_method: "client_secret_basic",
-    require_pkce: false,
-    skip_consent: true,
-    disabled: false,
-    subject_type: "public",
-    updated_at: nowIso
-  };
-  try {
-    await ql.update(
-      "sys_oauth_application",
-      repairPatch,
-      { where: { id: existing.id } },
-      { context: { isSystem: true } }
-    );
-    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
-      environmentId,
-      clientId,
-      redirect_uris: mergedRedirects
-    });
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
+  const plugins = [
+    driverPlugin,
+    new MetadataPlugin({
+      // Source-file scanner OFF — declarative metadata is loaded
+      // from the compiled artifact, not from yaml/json files on
+      // disk. Scanning would also recursively watch the project
+      // root (incl. node_modules), which is expensive and prone
+      // to EMFILE.
+      watch: false,
+      // Artifact-file HMR ON in non-production so edits to
+      // `*.view.ts` / `*.flow.ts` (which the CLI dev-mode watcher
+      // recompiles into `dist/objectstack.json`) are picked up by
+      // the running server WITHOUT requiring a manual restart.
+      // Uses polling under the hood (see plugin.ts) to avoid
+      // `fs.watch` EMFILE on macOS / busy dev hosts.
+      artifactWatch: process.env.NODE_ENV !== "production",
       environmentId,
-      error: err?.message
-    });
-    if (throwOnError) throw err;
-  }
-}
-async function backfillPlatformSsoClients(opts) {
-  const { ql, baseSecret, logger, limit = 1e3 } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
-  }
-  let projects = [];
-  try {
-    const rows = await ql.find("sys_environment", {
-      limit,
-      fields: ["id", "hostname", "status"]
-    }, { context: { isSystem: true } });
-    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-  } catch (err) {
-    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
-      error: err?.message
-    });
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
-  }
-  let seeded = 0;
-  let alreadyExisted = 0;
-  const failures = [];
-  for (const p of projects) {
-    if (!p?.id) continue;
-    const before = await (async () => {
-      try {
-        const r = await ql.find("sys_oauth_application", {
-          where: { client_id: derivePlatformSsoClientId(p.id) },
-          limit: 1
-        }, { context: { isSystem: true } });
-        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-        return list[0] ?? null;
-      } catch {
-        return null;
-      }
-    })();
-    try {
-      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
-      if (before) alreadyExisted++;
-      else {
-        const after = await (async () => {
-          try {
-            const r = await ql.find("sys_oauth_application", {
-              where: { client_id: derivePlatformSsoClientId(p.id) },
-              limit: 1
-            }, { context: { isSystem: true } });
-            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-            return list[0] ?? null;
-          } catch (err) {
-            return { _readErr: err?.message };
-          }
-        })();
-        if (after && !after._readErr) seeded++;
-        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
-      }
-    } catch (err) {
-      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
-    }
-  }
-  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
-  return { scanned: projects.length, seeded, alreadyExisted, failures };
+      artifactSource: { mode: "local-file", path: artifactPath }
+    }),
+    new ObjectQLPlugin({ environmentId })
+  ];
+  if (artifactBundle) plugins.push(new AppPlugin2(artifactBundle));
+  const requires = Array.isArray(artifactBundle?.requires) ? artifactBundle.requires.filter((c) => typeof c === "string") : void 0;
+  const objects = Array.isArray(artifactBundle?.objects) ? artifactBundle.objects : void 0;
+  const manifest = artifactBundle?.manifest;
+  return {
+    plugins,
+    api: {
+      enableProjectScoping: false,
+      projectResolution: "none"
+    },
+    ...requires ? { requires } : {},
+    ...objects ? { objects } : {},
+    ...manifest ? { manifest } : {}
+  };
 }
-var PLATFORM_SSO_PROVIDER_ID;
-var init_platform_sso = __esm({
-  "src/cloud/platform-sso.ts"() {
+var StandaloneStackConfigSchema;
+var init_standalone_stack = __esm({
+  "src/standalone-stack.ts"() {
     "use strict";
-    PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
+    init_load_artifact_bundle();
+    StandaloneStackConfigSchema = z.object({
+      databaseUrl: z.string().optional(),
+      databaseAuthToken: z.string().optional(),
+      databaseDriver: z.enum(["sqlite", "sqlite-wasm", "memory", "postgres", "mongodb"]).optional(),
+      environmentId: z.string().optional(),
+      artifactPath: z.string().optional(),
+      /**
+       * Project root directory. When set (typically by the CLI after locating
+       * `objectstack.config.ts`), the default sqlite database is placed under
+       * `<projectRoot>/.objectstack/data/standalone.db` instead of the global
+       * `~/.objectstack/data/standalone.db`. This keeps per-project data
+       * scoped to the project folder so different examples / apps don't
+       * share a single database by accident.
+       *
+       * Explicit `databaseUrl` / `OS_DATABASE_URL` / `OS_HOME` still take
+       * precedence over this default.
+       */
+      projectRoot: z.string().optional()
+    });
   }
 });
@@ -2240,228 +2347,236 @@ var Runtime = class {
   }
 };
-// src/standalone-stack.ts
+// src/index.ts
+init_standalone_stack();
+// src/default-host.ts
+init_standalone_stack();
 init_load_artifact_bundle();
-import { resolve as resolvePath2 } from "path";
-import { mkdirSync } from "fs";
-import { homedir } from "os";
-import { z } from "zod";
-import { readEnvWithDeprecation as readEnvWithDeprecation2 } from "@objectstack/types";
-function resolveObjectStackHome() {
-  const raw = process.env.OS_HOME?.trim();
-  if (raw && raw.length > 0) {
-    if (raw.startsWith("~")) return resolvePath2(homedir(), raw.slice(1).replace(/^[/\\]/, ""));
-    return resolvePath2(raw);
+import { resolve as resolvePath3 } from "path";
+import { existsSync as existsSync2, mkdirSync as mkdirSync3, writeFileSync as writeFileSync2 } from "fs";
+function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
+  const candidate = explicitPath ?? process.env.OS_ARTIFACT_PATH ?? resolvePath3(cwd, "dist/objectstack.json");
+  if (isHttpUrl(candidate)) return candidate;
+  if (explicitPath || process.env.OS_ARTIFACT_PATH) return candidate;
+  return existsSync2(candidate) ? candidate : void 0;
+}
+async function createDefaultHostConfig(options = {}) {
+  const { requireArtifact = true, ...standaloneOpts } = options;
+  let resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
+  if (!resolvedArtifact && requireArtifact) {
+    throw new Error(
+      "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
+    );
   }
-  return resolvePath2(homedir(), ".objectstack");
+  if (!resolvedArtifact && !requireArtifact) {
+    const home = resolveObjectStackHome();
+    const stubPath = resolvePath3(home, "dist/objectstack.json");
+    if (!existsSync2(stubPath)) {
+      mkdirSync3(resolvePath3(stubPath, ".."), { recursive: true });
+      writeFileSync2(
+        stubPath,
+        JSON.stringify(
+          {
+            manifest: {
+              id: "com.objectstack.empty",
+              name: "empty",
+              version: "0.0.0",
+              type: "app",
+              description: "Empty starter kernel \u2014 install apps via the Studio marketplace."
+            },
+            objects: [],
+            views: [],
+            apps: [],
+            flows: [],
+            requires: []
+          },
+          null,
+          2
+        ),
+        "utf8"
+      );
+    }
+    resolvedArtifact = stubPath;
+  }
+  return createStandaloneStack({
+    ...standaloneOpts,
+    artifactPath: resolvedArtifact
+  });
 }
-var StandaloneStackConfigSchema = z.object({
-  databaseUrl: z.string().optional(),
-  databaseAuthToken: z.string().optional(),
-  databaseDriver: z.enum(["sqlite", "sqlite-wasm", "memory", "postgres", "mongodb"]).optional(),
-  environmentId: z.string().optional(),
-  artifactPath: z.string().optional(),
+// src/index.ts
+init_driver_plugin();
+init_app_plugin();
+init_seed_loader();
+// src/external-validation-plugin.ts
+import {
+  ExternalSchemaMismatchError
+} from "@objectstack/spec/shared";
+var ExternalValidationPlugin = class {
+  constructor() {
+    this.name = "com.objectstack.external-validation";
+    this.type = "standard";
+    this.version = "1.0.0";
+    /** Active background drift-check timers, keyed by datasource name. */
+    this.driftTimers = /* @__PURE__ */ new Map();
+    this.init = (_ctx) => {
+    };
+    this.start = (ctx) => {
+      ctx.hook("kernel:ready", async () => {
+        await this.runValidation(ctx);
+        await this.scheduleDriftChecks(ctx);
+      });
+    };
+    /** Tear down background drift-check timers (idempotent). */
+    this.stop = () => {
+      for (const timer of this.driftTimers.values()) clearInterval(timer);
+      this.driftTimers.clear();
+    };
+  }
+  /** Exposed for testing; invoked from the kernel:ready handler. */
+  async runValidation(ctx) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) {
+      ctx.logger?.debug?.("[external-validation] service not registered; skipping");
+      return;
+    }
+    const metadata = safeGet(ctx, "metadata");
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] validateAll failed", { err });
+      return;
+    }
+    const failures = report.results.filter((r) => !r.ok);
+    if (failures.length === 0) {
+      ctx.logger?.info?.("[external-validation] all federated objects match their remote schema", {
+        objects: report.results.length
+      });
+      return;
+    }
+    for (const r of failures) {
+      const mode = await resolveOnMismatch(metadata, r.datasource);
+      if (mode === "ignore") continue;
+      if (mode === "warn") {
+        ctx.logger?.warn?.("[external-validation] external schema drift", {
+          datasource: r.datasource,
+          object: r.object,
+          diffs: r.diffs
+        });
+        continue;
+      }
+      throw new ExternalSchemaMismatchError(r.datasource, r.object, r.diffs);
+    }
+  }
   /**
-   * Project root directory. When set (typically by the CLI after locating
-   * `objectstack.config.ts`), the default sqlite database is placed under
-   * `<projectRoot>/.objectstack/data/standalone.db` instead of the global
-   * `~/.objectstack/data/standalone.db`. This keeps per-project data
-   * scoped to the project folder so different examples / apps don't
-   * share a single database by accident.
+   * Arm a background drift checker for every federated datasource that declares
+   * `external.validation.checkIntervalMs`. Each fires on its own interval and
+   * emits `external.schema.drift` events — it never throws or aborts the
+   * process, since drift past boot is observational, not fatal.
    *
-   * Explicit `databaseUrl` / `OS_DATABASE_URL` / `OS_HOME` still take
-   * precedence over this default.
+   * No-op when metadata can't be enumerated or no datasource opts in. Re-arming
+   * (e.g. a second `kernel:ready`) first clears existing timers so intervals
+   * don't accumulate.
    */
-  projectRoot: z.string().optional()
-});
-function detectDriverFromUrl(dbUrl) {
-  if (/^memory:\/\//i.test(dbUrl)) return "memory";
-  if (/^(postgres(ql)?|pg):\/\//i.test(dbUrl)) return "postgres";
-  if (/^mongodb(\+srv)?:\/\//i.test(dbUrl)) return "mongodb";
-  if (/^wasm-sqlite:\/\//i.test(dbUrl)) return "sqlite-wasm";
-  if (/\.wasm\.db$/i.test(dbUrl)) return "sqlite-wasm";
-  if (/^file:/i.test(dbUrl)) return "sqlite";
-  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(dbUrl)) return "sqlite";
-  throw new Error(
-    `[StandaloneStack] Unsupported database URL scheme: ${dbUrl}. Supported schemes: memory://, postgres://, pg://, mongodb://, mongodb+srv://, file:`
-  );
-}
-async function createStandaloneStack(config) {
-  const cfg = StandaloneStackConfigSchema.parse(config ?? {});
-  const { ObjectQLPlugin } = await import("@objectstack/objectql");
-  const { MetadataPlugin } = await import("@objectstack/metadata");
-  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
-  const { AppPlugin: AppPlugin2 } = await Promise.resolve().then(() => (init_app_plugin(), app_plugin_exports));
-  const cwd = process.cwd();
-  const environmentId = cfg.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
-  const artifactPathInput = cfg.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? resolvePath2(cwd, "dist/objectstack.json");
-  const artifactPath = isHttpUrl(artifactPathInput) ? artifactPathInput : artifactPathInput.startsWith("/") ? artifactPathInput : resolvePath2(cwd, artifactPathInput);
-  const dbUrl = cfg.databaseUrl ?? readEnvWithDeprecation2("OS_DATABASE_URL", "DATABASE_URL")?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? (process.env.OS_HOME?.trim() ? `file:${resolvePath2(resolveObjectStackHome(), "data/standalone.db")}` : cfg.projectRoot ? `file:${resolvePath2(cfg.projectRoot, ".objectstack/data/standalone.db")}` : `file:${resolvePath2(resolveObjectStackHome(), "data/standalone.db")}`);
-  const explicitDriver = cfg.databaseDriver ?? process.env.OS_DATABASE_DRIVER?.trim();
-  const dbDriver = explicitDriver ?? detectDriverFromUrl(dbUrl);
-  let driverPlugin;
-  if (dbDriver === "memory") {
-    const { InMemoryDriver } = await import("@objectstack/driver-memory");
-    driverPlugin = new DriverPlugin2(new InMemoryDriver());
-  } else if (dbDriver === "postgres") {
-    const { SqlDriver } = await import("@objectstack/driver-sql");
-    driverPlugin = new DriverPlugin2(
-      new SqlDriver({
-        client: "pg",
-        connection: dbUrl,
-        pool: { min: 0, max: 5 }
-      })
-    );
-  } else if (dbDriver === "mongodb") {
-    let MongoDBDriver;
+  async scheduleDriftChecks(ctx) {
+    this.stop();
+    const metadata = safeGet(ctx, "metadata");
+    if (!metadata?.list) return;
+    let datasources;
     try {
-      ({ MongoDBDriver } = await import("@objectstack/driver-mongodb"));
+      datasources = await metadata.list("datasource");
     } catch (err) {
-      throw new Error(
-        `[StandaloneStack] mongodb URL detected but @objectstack/driver-mongodb is not installed. Add it as a dependency or pass an explicit driverPlugin. (${err?.message ?? err})`
-      );
-    }
-    driverPlugin = new DriverPlugin2(new MongoDBDriver({ url: dbUrl }));
-  } else if (dbDriver === "sqlite-wasm") {
-    const { SqliteWasmDriver } = await import("@objectstack/driver-sqlite-wasm");
-    const filename = dbUrl.replace(/^wasm-sqlite:(\/\/)?/i, "").replace(/^file:(\/\/)?/i, "");
-    if (filename && filename !== ":memory:") {
-      mkdirSync(resolvePath2(filename, ".."), { recursive: true });
+      ctx.logger?.warn?.("[external-validation] could not list datasources for drift checks", { err });
+      return;
     }
-    driverPlugin = new DriverPlugin2(
-      new SqliteWasmDriver({
-        filename: filename || ":memory:",
-        persist: filename && filename !== ":memory:" ? "on-write" : void 0
-      })
-    );
-  } else {
-    const { SqlDriver } = await import("@objectstack/driver-sql");
-    const filename = dbUrl.replace(/^file:(\/\/)?/, "");
-    if (!filename || /^[a-z][a-z0-9+.-]*:\/\//i.test(filename)) {
-      throw new Error(
-        `[StandaloneStack] sqlite driver was selected but the URL does not look like a file path: "${dbUrl}". Use file:/path/to/db.sqlite, or set OS_DATABASE_DRIVER explicitly.`
-      );
+    for (const def of datasources) {
+      const interval = def?.external?.validation?.checkIntervalMs;
+      const name = def?.name;
+      if (!name || typeof interval !== "number" || interval <= 0) continue;
+      const timer = setInterval(() => {
+        void this.runDriftCheck(ctx, name);
+      }, interval);
+      timer.unref?.();
+      this.driftTimers.set(name, timer);
+      ctx.logger?.info?.("[external-validation] armed background drift check", {
+        datasource: name,
+        intervalMs: interval
+      });
     }
-    mkdirSync(resolvePath2(filename, ".."), { recursive: true });
-    driverPlugin = new DriverPlugin2(
-      new SqlDriver({
-        client: "better-sqlite3",
-        connection: { filename },
-        useNullAsDefault: true
-      })
-    );
   }
-  const artifactBundle = await loadArtifactBundle(artifactPath, {
-    tag: "[StandaloneStack]",
-    unwrapEnvelope: true
-  });
-  if (artifactBundle) {
-    const flowsCount = Array.isArray(artifactBundle?.flows) ? artifactBundle.flows.length : "n/a";
-    console.warn(
-      `[StandaloneStack] artifact loaded: path=${artifactPath} keys=${Object.keys(artifactBundle).join(",")} flows=${flowsCount}`
-    );
+  /**
+   * Re-validate one datasource's federated objects and emit an
+   * `external.schema.drift` event per mismatch. Exposed for testing; invoked
+   * from the interval armed by {@link scheduleDriftChecks}. Never throws.
+   *
+   * @returns the number of drift events emitted.
+   */
+  async runDriftCheck(ctx, datasource) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) return 0;
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] drift check validateAll failed", {
+        datasource,
+        err
+      });
+      return 0;
+    }
+    const drifted = report.results.filter((r) => !r.ok && r.datasource === datasource);
+    for (const r of drifted) {
+      const event = {
+        datasource: r.datasource,
+        object: r.object,
+        diffs: r.diffs
+      };
+      try {
+        await ctx.trigger("external.schema.drift", event);
+      } catch (err) {
+        ctx.logger?.warn?.("[external-validation] failed to emit drift event", {
+          datasource,
+          object: r.object,
+          err
+        });
+      }
+    }
+    if (drifted.length > 0) {
+      ctx.logger?.warn?.("[external-validation] background drift detected", {
+        datasource,
+        objects: drifted.map((r) => r.object)
+      });
+    }
+    return drifted.length;
   }
-  const plugins = [
-    driverPlugin,
-    new MetadataPlugin({
-      // Source-file scanner OFF — declarative metadata is loaded
-      // from the compiled artifact, not from yaml/json files on
-      // disk. Scanning would also recursively watch the project
-      // root (incl. node_modules), which is expensive and prone
-      // to EMFILE.
-      watch: false,
-      // Artifact-file HMR ON in non-production so edits to
-      // `*.view.ts` / `*.flow.ts` (which the CLI dev-mode watcher
-      // recompiles into `dist/objectstack.json`) are picked up by
-      // the running server WITHOUT requiring a manual restart.
-      // Uses polling under the hood (see plugin.ts) to avoid
-      // `fs.watch` EMFILE on macOS / busy dev hosts.
-      artifactWatch: process.env.NODE_ENV !== "production",
-      environmentId,
-      artifactSource: { mode: "local-file", path: artifactPath }
-    }),
-    new ObjectQLPlugin({ environmentId })
-  ];
-  if (artifactBundle) plugins.push(new AppPlugin2(artifactBundle));
-  const requires = Array.isArray(artifactBundle?.requires) ? artifactBundle.requires.filter((c) => typeof c === "string") : void 0;
-  const objects = Array.isArray(artifactBundle?.objects) ? artifactBundle.objects : void 0;
-  const manifest = artifactBundle?.manifest;
-  return {
-    plugins,
-    api: {
-      enableProjectScoping: false,
-      projectResolution: "none"
-    },
-    ...requires ? { requires } : {},
-    ...objects ? { objects } : {},
-    ...manifest ? { manifest } : {}
-  };
-}
-// src/default-host.ts
-import { resolve as resolvePath3 } from "path";
-import { existsSync, mkdirSync as mkdirSync2, writeFileSync } from "fs";
-init_load_artifact_bundle();
-function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
-  const candidate = explicitPath ?? process.env.OS_ARTIFACT_PATH ?? resolvePath3(cwd, "dist/objectstack.json");
-  if (isHttpUrl(candidate)) return candidate;
-  if (explicitPath || process.env.OS_ARTIFACT_PATH) return candidate;
-  return existsSync(candidate) ? candidate : void 0;
+};
+function createExternalValidationPlugin() {
+  return new ExternalValidationPlugin();
 }
-async function createDefaultHostConfig(options = {}) {
-  const { requireArtifact = true, ...standaloneOpts } = options;
-  let resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
-  if (!resolvedArtifact && requireArtifact) {
-    throw new Error(
-      "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
-    );
+async function resolveOnMismatch(metadata, datasource) {
+  try {
+    const ds = await metadata?.get?.("datasource", datasource);
+    return ds?.external?.validation?.onMismatch ?? "fail";
+  } catch {
+    return "fail";
   }
-  if (!resolvedArtifact && !requireArtifact) {
-    const home = resolveObjectStackHome();
-    const stubPath = resolvePath3(home, "dist/objectstack.json");
-    if (!existsSync(stubPath)) {
-      mkdirSync2(resolvePath3(stubPath, ".."), { recursive: true });
-      writeFileSync(
-        stubPath,
-        JSON.stringify(
-          {
-            manifest: {
-              id: "com.objectstack.empty",
-              name: "empty",
-              version: "0.0.0",
-              type: "app",
-              description: "Empty starter kernel \u2014 install apps via the Studio marketplace."
-            },
-            objects: [],
-            views: [],
-            apps: [],
-            flows: [],
-            requires: []
-          },
-          null,
-          2
-        ),
-        "utf8"
-      );
-    }
-    resolvedArtifact = stubPath;
+}
+function safeGet(ctx, name) {
+  try {
+    return ctx.getService(name);
+  } catch {
+    return void 0;
   }
-  return createStandaloneStack({
-    ...standaloneOpts,
-    artifactPath: resolvedArtifact
-  });
 }
-// src/index.ts
-init_driver_plugin();
-init_app_plugin();
-init_seed_loader();
 // src/http-dispatcher.ts
+init_package_state_store();
 import { getEnv, resolveLocale } from "@objectstack/core";
-import { readEnvWithDeprecation as readEnvWithDeprecation3 } from "@objectstack/types";
 import { CoreServiceName } from "@objectstack/spec/system";
-import { pluralToSingular } from "@objectstack/spec/shared";
+import { pluralToSingular, PLURAL_TO_SINGULAR } from "@objectstack/spec/shared";
 // src/security/resolve-execution-context.ts
 function readHeader(headers, name) {
@@ -3288,6 +3403,17 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return { handled: true, response: this.success({ types: ["object", "app", "plugin"] }) };
     }
+    if (parts.length === 4 && (parts[0] === "objects" || parts[0] === "object") && parts[2] === "state" && (!method || method === "GET")) {
+      const name = parts[1];
+      const field = parts[3];
+      const from = query?.from !== void 0 ? String(query.from) : void 0;
+      const qlService = await this.getObjectQLService();
+      const schema = qlService?.registry?.getObject(name);
+      if (!schema) return { handled: true, response: this.error("Object not found", 404) };
+      const { legalNextStates } = await import("@objectstack/objectql");
+      const next = from === void 0 ? null : legalNextStates(schema, field, from);
+      return { handled: true, response: this.success({ object: name, field, from: from ?? null, next }) };
+    }
     if (parts.length >= 3 && parts[parts.length - 1] === "published" && (!method || method === "GET")) {
       const type = parts[0];
       const name = parts.slice(1, -1).join("/");
@@ -3316,7 +3442,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         if (protocol && typeof protocol.saveMetaItem === "function") {
           try {
             const organizationId = await this.resolveActiveOrganizationId(_context);
-            const result = await protocol.saveMetaItem({ type, name, item: body, organizationId });
+            const result = await protocol.saveMetaItem({ type, name, item: body, organizationId, ...packageId ? { packageId } : {} });
             return { handled: true, response: this.success(result) };
           } catch (e) {
             return { handled: true, response: this.error(e.message, 400) };
@@ -3656,12 +3782,22 @@ var _HttpDispatcher = class _HttpDispatcher {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.enablePackage(id);
         if (!pkg) return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        try {
+          setPackageDisabled(_context?.environmentId, id, false);
+        } catch (err) {
+          console.warn("[handlePackages] failed to persist enable state", { id, error: err?.message });
+        }
         return { handled: true, response: this.success(pkg) };
       }
       if (parts.length === 2 && parts[1] === "disable" && m === "PATCH") {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.disablePackage(id);
         if (!pkg) return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        try {
+          setPackageDisabled(_context?.environmentId, id, true);
+        } catch (err) {
+          console.warn("[handlePackages] failed to persist disable state", { id, error: err?.message });
+        }
         return { handled: true, response: this.success(pkg) };
       }
       if (parts.length === 2 && parts[1] === "publish" && m === "POST") {
@@ -3682,6 +3818,14 @@ var _HttpDispatcher = class _HttpDispatcher {
         }
         return { handled: true, response: this.error("Metadata service not available", 503) };
       }
+      if (parts.length === 2 && parts[1] === "export" && m === "GET") {
+        const id = decodeURIComponent(parts[0]);
+        const manifest = await this.assemblePackageManifest(id, registry, _context);
+        if (!manifest) {
+          return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        }
+        return { handled: true, response: this.success(manifest) };
+      }
       if (parts.length === 1 && m === "GET") {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.getPackage(id);
@@ -3699,6 +3843,83 @@ var _HttpDispatcher = class _HttpDispatcher {
     }
     return { handled: false };
   }
+  /**
+   * Assemble a portable, offline-installable package manifest from the
+   * `sys_metadata` overlay rows bound to `packageId`.
+   *
+   * The resulting shape mirrors what `marketplace-install-local` →
+   * `manifestService.register()` → `engine.registerApp()` consumes:
+   *   `{ id, name, version, objects:[…], views:[…], flows:[…], … }`
+   * where each category key is the PLURAL manifest name and its value is
+   * an array of clean metadata bodies (provenance decorations stripped).
+   *
+   * Only the metadata categories that `registerApp` can actually consume
+   * are exported. `datasources` and `emailTemplates` are intentionally
+   * excluded (not registered by the import path). `tools` / `skills` ARE
+   * round-tripped: they are registered by `registerApp` on import and
+   * surfaced by `getMetaItems('tool' | 'skill')` on export.
+   *
+   * @returns the manifest object, or `null` if the package id is unknown
+   *          AND has no overlay-authored metadata.
+   */
+  async assemblePackageManifest(packageId, registry, context) {
+    const protocol = await this.resolveService("protocol");
+    if (!protocol || typeof protocol.getMetaItems !== "function") return null;
+    const organizationId = await this.resolveActiveOrganizationId(context);
+    const PROVENANCE_KEYS = /* @__PURE__ */ new Set([
+      "_packageId",
+      "_packageVersionId",
+      "_provenance",
+      "_state",
+      "_version",
+      "_organizationId",
+      "_source",
+      "_id",
+      "_rowId"
+    ]);
+    const clean = (item) => {
+      if (!item || typeof item !== "object") return item;
+      const out = {};
+      for (const [k, v] of Object.entries(item)) {
+        if (k.startsWith("_") || PROVENANCE_KEYS.has(k)) continue;
+        out[k] = v;
+      }
+      return out;
+    };
+    const exportPluralKeys = Object.keys(PLURAL_TO_SINGULAR).filter(
+      (k) => k !== "datasources" && k !== "emailTemplates"
+    );
+    const manifest = {};
+    let total = 0;
+    for (const plural of exportPluralKeys) {
+      const singular = PLURAL_TO_SINGULAR[plural];
+      let items = [];
+      try {
+        const res = await protocol.getMetaItems({ type: singular, packageId, organizationId });
+        items = Array.isArray(res?.items) ? res.items : [];
+      } catch {
+        continue;
+      }
+      if (items.length === 0) continue;
+      manifest[plural] = items.map(clean);
+      total += items.length;
+    }
+    const pkg = (() => {
+      try {
+        return registry?.getPackage?.(packageId);
+      } catch {
+        return void 0;
+      }
+    })();
+    if (total === 0 && !pkg) return null;
+    manifest.id = packageId;
+    manifest.name = pkg?.manifest?.name ?? pkg?.name ?? packageId;
+    manifest.version = pkg?.manifest?.version ?? pkg?.version ?? "1.0.0";
+    if (pkg?.manifest?.label ?? pkg?.label) {
+      manifest.label = pkg?.manifest?.label ?? pkg?.label;
+    }
+    return manifest;
+  }
   /**
    * Cloud / Environment Control-Plane routes.
    *
@@ -3712,1350 +3933,59 @@ var _HttpDispatcher = class _HttpDispatcher {
    *  - POST   /cloud/environments/:id/retry                  → re-run provisioning for a failed environment
    *  - POST   /cloud/environments/:id/activate               → mark as active for session (stub)
    *  - POST   /cloud/environments/:id/credentials/rotate     → rotate credential
-   *  - GET    /cloud/environments/:id/members                → list members
-   *  - GET    /cloud/environments/:id/packages               → list installed packages
-   *  - POST   /cloud/environments/:id/packages               → install package into env
-   *  - GET    /cloud/environments/:id/packages/:pkgId        → get installation detail
-   *  - PATCH  /cloud/environments/:id/packages/:pkgId/enable  → enable package
-   *  - PATCH  /cloud/environments/:id/packages/:pkgId/disable → disable package
-   *  - DELETE /cloud/environments/:id/packages/:pkgId        → uninstall (scope=platform forbidden)
-   *  - POST   /cloud/environments/:id/packages/:pkgId/upgrade → upgrade to newer version
-   *
-   * Driver binding
-   * --------------
-   * Environments are not tied to any specific driver. At provisioning time the
-   * caller passes `driver` (a short name such as `memory`, `turso`, or any
-   * future `sql` / `postgres` driver). The dispatcher validates the name
-   * against the kernel's registered driver services (`driver.<name>`) and
-   * derives an appropriate placeholder `database_url` for the chosen driver.
-   * If `driver` is omitted, the dispatcher auto-selects the first available
-   * in preference order: turso → memory → any other registered driver.
-   *
-   * Backed by ObjectQL sys_environment / sys_environment_credential /
-   * sys_environment_member tables (registered by
-   * `@objectstack/service-tenant`'s `createTenantPlugin`).
-   * Physical database addressing (database_url, database_driver, etc.)
-   * is stored directly on the sys_environment row.
-   */
-  /**
-   * Resolve the calling user id from the request session, if any.
-   * Returns `undefined` for anonymous calls or when auth is not wired up.
-   */
-  async resolveActiveOrganizationId(context) {
-    try {
-      const authService = await this.resolveService(CoreServiceName.enum.auth);
-      const rawHeaders = context.request?.headers;
-      let headers = rawHeaders;
-      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-        try {
-          const h = new Headers();
-          for (const [k, v] of Object.entries(rawHeaders)) {
-            if (v == null) continue;
-            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-          }
-          headers = h;
-        } catch {
-          headers = rawHeaders;
-        }
-      }
-      const apiObj = authService?.auth?.api ?? authService?.api;
-      const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
-      const oid = sessionData?.session?.activeOrganizationId;
-      return typeof oid === "string" && oid.length > 0 ? oid : void 0;
-    } catch {
-      return void 0;
-    }
-  }
-  async resolveCallerUserId(context) {
-    try {
-      const authService = await this.resolveService(CoreServiceName.enum.auth);
-      const rawHeaders = context.request?.headers;
-      let headers = rawHeaders;
-      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-        try {
-          const h = new Headers();
-          for (const [k, v] of Object.entries(rawHeaders)) {
-            if (v == null) continue;
-            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-          }
-          headers = h;
-        } catch {
-          headers = rawHeaders;
-        }
-      }
-      const sessionData = await (authService?.auth?.api?.getSession ?? authService?.api?.getSession)?.call(
-        authService?.auth?.api ?? authService?.api,
-        { headers }
-      );
-      return sessionData?.user?.id ?? sessionData?.session?.userId;
-    } catch (e) {
-      return void 0;
-    }
-  }
-  async handleCloud(path, method, body, query, _context) {
-    const m = method.toUpperCase();
-    const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
-    const qlService = await this.getObjectQLService();
-    const ql = qlService ?? await this.resolveService("objectql");
-    if (!ql) {
-      return { handled: true, response: this.error("Project service not available (ObjectQL missing)", 503) };
-    }
-    const ENV = "sys_environment";
-    const CRED = "sys_environment_credential";
-    const MEM = "sys_environment_member";
-    const PKG_INSTALL = "sys_package_installation";
-    const PKG = "sys_package";
-    const PKG_VERSION = "sys_package_version";
-    const ensureSysPackage = async (manifestId, ownerOrgId, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG, {
-        id,
-        manifest_id: manifestId,
-        owner_org_id: ownerOrgId,
-        display_name: manifest?.name ?? manifestId,
-        description: manifest?.description ?? null,
-        visibility: "private",
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const ensureSysPackageVersion = async (packageId, version, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG_VERSION, {
-        where: { package_id: packageId, version }
-      });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG_VERSION, {
-        id,
-        package_id: packageId,
-        version,
-        status: "published",
-        manifest_json: manifest ? JSON.stringify(manifest) : null,
-        is_pre_release: false,
-        published_at: nowIso,
-        published_by: createdBy,
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const findInstallByManifestId = async (envId, manifestId) => {
-      const pkgRow = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (!pkgRow?.id) return null;
-      return await ql.findOne(PKG_INSTALL, {
-        where: { environment_id: envId, package_id: pkgRow.id }
-      });
-    };
-    const toShortName = (driverId) => {
-      const prefix = "com.objectstack.driver.";
-      return driverId.startsWith(prefix) ? driverId.slice(prefix.length) : driverId;
-    };
-    const listRegisteredDrivers = () => {
-      const services = this.getServicesMap();
-      const registry = services["project-provisioning-adapters"];
-      if (registry && typeof registry.list === "function") {
-        try {
-          const adapters = registry.list();
-          const seen = /* @__PURE__ */ new Set();
-          const drivers2 = [];
-          for (const adapter of adapters ?? []) {
-            const name = adapter?.driver;
-            if (!name || seen.has(name)) continue;
-            seen.add(name);
-            drivers2.push({ name, driverId: `com.objectstack.driver.${name}` });
-          }
-          if (drivers2.length > 0) return drivers2;
-        } catch {
-        }
-      }
-      const drivers = [];
-      for (const [serviceKey, svc] of Object.entries(services)) {
-        if (!serviceKey.startsWith("driver.")) continue;
-        const raw = serviceKey.slice("driver.".length);
-        if (!raw || raw === "unknown") continue;
-        const driverId = svc?.name ?? raw;
-        drivers.push({ name: toShortName(driverId), driverId });
-      }
-      return drivers;
-    };
-    const resolveDriver = (requested) => {
-      const registered = listRegisteredDrivers();
-      if (requested) {
-        const wanted = String(requested).toLowerCase();
-        return registered.find((d) => d.name === wanted || d.driverId === wanted);
-      }
-      return registered.find((d) => d.name === "turso") ?? registered.find((d) => d.name === "memory") ?? registered[0];
-    };
-    const buildDatabaseUrl = (driverName, environmentId) => {
-      const dbName = `env-${environmentId}`;
-      switch (driverName) {
-        case "memory":
-          return `memory://${dbName}`;
-        case "turso":
-          return `libsql://${dbName}.mock-turso.local`;
-        default:
-          return `${driverName}://${dbName}`;
-      }
-    };
-    const getRealAdapter = async (driverName) => {
-      try {
-        const registry = await this.resolveService("project-provisioning-adapters");
-        const aliases = { sql: "sqlite" };
-        const effective = aliases[driverName] ?? driverName;
-        return registry?.get?.(effective) ?? registry?.get?.(driverName);
-      } catch {
-        return void 0;
-      }
-    };
-    const findOne = async (obj, where) => {
-      let rows = await ql.find(obj, { where });
-      if (rows && rows.value) rows = rows.value;
-      if (!Array.isArray(rows)) return void 0;
-      return rows[0];
-    };
-    const cleanProjectRow = (row) => {
-      if (!row) return row;
-      let metadata = row.metadata;
-      if (typeof metadata === "string") {
-        try {
-          metadata = JSON.parse(metadata);
-        } catch {
-        }
-      }
-      return { ...row, metadata };
-    };
-    try {
-      if (parts.length === 1 && parts[0] === "drivers" && m === "GET") {
-        const drivers = listRegisteredDrivers();
-        return { handled: true, response: this.success({ drivers, total: drivers.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "templates" && m === "GET") {
-        try {
-          const seeder = await this.resolveService("template-seeder");
-          const templates = seeder?.listTemplates?.() ?? [];
-          return { handled: true, response: this.success({ templates, total: templates.length }) };
-        } catch (err) {
-          try {
-            console.error("[HttpDispatcher] /cloud/templates: failed to resolve template-seeder:", err?.message ?? err);
-          } catch {
-          }
-          return { handled: true, response: this.success({ templates: [], total: 0 }) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "admin" && parts[1] === "platform-sso" && parts[2] === "backfill" && m === "POST") {
-        const baseSecret = (readEnvWithDeprecation3("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-        if (!baseSecret) {
-          return { handled: true, response: this.error("OS_AUTH_SECRET not configured on this worker", 503) };
-        }
-        const rawHeaders = _context?.request?.headers;
-        let authHeader;
-        if (rawHeaders && typeof rawHeaders.get === "function") {
-          authHeader = rawHeaders.get("authorization") ?? void 0;
-        } else if (rawHeaders && typeof rawHeaders === "object") {
-          authHeader = rawHeaders["authorization"] ?? rawHeaders["Authorization"];
-        }
-        const presented = typeof authHeader === "string" && authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
-        if (!presented || presented !== baseSecret) {
-          return { handled: true, response: this.error("forbidden: Bearer token must match OS_AUTH_SECRET", 403) };
-        }
-        try {
-          const { backfillPlatformSsoClients: backfillPlatformSsoClients2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const result = await backfillPlatformSsoClients2({
-            ql,
-            baseSecret,
-            logger: console
-          });
-          let sample = [];
-          let total = 0;
-          try {
-            const rows = await ql.find("sys_oauth_application", { limit: 5 }, { context: { isSystem: true } });
-            const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-            sample = list;
-            total = typeof rows?.total === "number" ? rows.total : list.length;
-          } catch (e) {
-            sample = [{ _readErr: e?.message ?? String(e) }];
-          }
-          return { handled: true, response: this.success({ ...result, total, sample }) };
-        } catch (err) {
-          return { handled: true, response: this.error(`backfill failed: ${err?.message ?? String(err)}`, 500) };
-        }
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "GET") {
-        const where = {};
-        if (query?.organizationId) where.organization_id = query.organizationId;
-        if (query?.status) where.status = query.status;
-        let rows = await ql.find(ENV, Object.keys(where).length ? { where } : void 0);
-        if (rows && rows.value) rows = rows.value;
-        const projects = (Array.isArray(rows) ? rows : []).map(cleanProjectRow);
-        return { handled: true, response: this.success({ projects, total: projects.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "POST") {
-        const req = body || {};
-        if (req.organization_id === "__session__" || req.created_by === "__session__") {
-          try {
-            const userId = await this.resolveCallerUserId(_context);
-            if (req.created_by === "__session__") {
-              req.created_by = userId ?? "system";
-            }
-            if (req.organization_id === "__session__") {
-              const authService = await this.resolveService(CoreServiceName.enum.auth);
-              const rawHeaders = _context?.request?.headers;
-              let headers = rawHeaders;
-              if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-                const h = new Headers();
-                for (const [k, v] of Object.entries(rawHeaders)) {
-                  if (v == null) continue;
-                  h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-                }
-                headers = h;
-              }
-              const apiObj = authService?.auth?.api ?? authService?.api;
-              const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
-              req.organization_id = sessionData?.session?.activeOrganizationId ?? void 0;
-            }
-          } catch {
-          }
-        }
-        if (!req.organization_id || !req.display_name) {
-          return { handled: true, response: this.error("organization_id and display_name are required", 400) };
-        }
-        const environmentId = randomUUID();
-        const credentialId = randomUUID();
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const resolved = resolveDriver(req.driver);
-        if (!resolved) {
-          const available = listRegisteredDrivers().map((d) => d.name);
-          if (req.driver) {
-            return {
-              handled: true,
-              response: this.error(
-                `Unknown driver '${req.driver}'. Available drivers: [${available.join(", ") || "none"}]`,
-                400
-              )
-            };
-          }
-          return {
-            handled: true,
-            response: this.error(
-              "No ObjectQL driver is registered. Register at least one DriverPlugin (e.g. InMemoryDriver or SqlDriver).",
-              503
-            )
-          };
-        }
-        const driver = resolved.name;
-        let plaintextSecret = `mock-token-${environmentId}`;
-        let computedHostname = req.hostname;
-        if (!computedHostname) {
-          const shortId = environmentId.slice(0, 8);
-          try {
-            const orgRow = await findOne("sys_organization", { id: req.organization_id });
-            const orgSlug = orgRow?.slug || req.organization_id;
-            const rootDomain = getEnv("OS_ROOT_DOMAIN") ?? getEnv("ROOT_DOMAIN", "objectstack.app");
-            computedHostname = `${orgSlug}-${shortId}.${rootDomain}`;
-          } catch {
-            computedHostname = `${req.organization_id}-${shortId}.objectstack.app`;
-          }
-        }
-        try {
-          const existing = await findOne("sys_environment", {
-            hostname: computedHostname
-          });
-          if (existing && existing.id !== environmentId) {
-            return {
-              handled: true,
-              response: this.error(
-                `Hostname '${computedHostname}' is already in use by another project.`,
-                409,
-                { code: "HOSTNAME_TAKEN", hostname: computedHostname }
-              )
-            };
-          }
-        } catch {
-        }
-        const baseMetadata = { ...req.metadata ?? {} };
-        const simulateFailure = Boolean(baseMetadata.__simulateFailure);
-        const simulateDelayMs = Number(baseMetadata.__simulateDelayMs ?? 1500);
-        try {
-          let ownerUserId = req.created_by && req.created_by !== "system" ? String(req.created_by) : void 0;
-          if (!ownerUserId) {
-            ownerUserId = await this.resolveCallerUserId(_context);
-          }
-          if (ownerUserId) {
-            const userRow = await ql.find("sys_user", { where: { id: ownerUserId } });
-            const userRows = Array.isArray(userRow) ? userRow : userRow?.value ?? [];
-            const u = Array.isArray(userRows) && userRows.length > 0 ? userRows[0] : null;
-            if (u?.email) {
-              baseMetadata.ownerSeed = {
-                userId: String(ownerUserId),
-                email: String(u.email),
-                name: u.name ? String(u.name) : null,
-                image: u.image ? String(u.image) : null
-              };
-            }
-          }
-        } catch {
-        }
-        try {
-          const orgRow = await ql.find("sys_organization", { where: { id: req.organization_id } });
-          const orgRows = Array.isArray(orgRow) ? orgRow : orgRow?.value ?? [];
-          const org = Array.isArray(orgRows) && orgRows.length > 0 ? orgRows[0] : null;
-          if (org?.id && org?.name) {
-            baseMetadata.orgSeed = {
-              id: String(org.id),
-              name: String(org.name),
-              slug: org.slug ? String(org.slug) : null,
-              logo: org.logo ? String(org.logo) : null
-            };
-          }
-        } catch {
-        }
-        await ql.insert(ENV, {
-          id: environmentId,
-          organization_id: req.organization_id,
-          display_name: req.display_name,
-          is_default: req.is_default ?? false,
-          is_system: req.is_system ?? false,
-          plan: req.plan ?? "free",
-          status: "provisioning",
-          created_by: req.created_by ?? "system",
-          metadata: JSON.stringify(baseMetadata),
-          created_at: nowIso,
-          updated_at: nowIso,
-          database_url: null,
-          database_driver: driver,
-          storage_limit_mb: req.storage_limit_mb ?? 1024,
-          provisioned_at: null,
-          hostname: computedHostname,
-          visibility: (() => {
-            const raw = String(req.visibility ?? "private");
-            return raw === "unlisted" ? "private" : raw;
-          })()
-        });
-        try {
-          const { seedPlatformSsoClient: seedPlatformSsoClient2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const baseSecret = (readEnvWithDeprecation3("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-          if (baseSecret) {
-            await seedPlatformSsoClient2({
-              ql,
-              environmentId,
-              hostname: computedHostname,
-              baseSecret,
-              logger: console
-            });
-          }
-        } catch (ssoErr) {
-          console.warn?.("[http-dispatcher] platform SSO seed failed (non-fatal)", {
-            environmentId,
-            error: ssoErr?.message
-          });
-        }
-        const runProvisioning = async () => {
-          try {
-            if (simulateDelayMs > 0) {
-              await new Promise((r) => setTimeout(r, simulateDelayMs));
-            }
-            if (simulateFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            try {
-              const adapter = await getRealAdapter(driver);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId,
-                  databaseName: `p-${environmentId.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: req.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) plaintextSecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(driver, environmentId);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const seedStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                database_url: databaseUrl,
-                updated_at: seedStartedAt
-              },
-              { where: { id: environmentId } }
-            );
-            await ql.insert(CRED, {
-              id: credentialId,
-              environment_id: environmentId,
-              secret_ciphertext: plaintextSecret,
-              encryption_key_id: "noop",
-              authorization: "full_access",
-              status: "active",
-              created_at: seedStartedAt,
-              updated_at: seedStartedAt
-            });
-            const templateId = req.template_id ?? "blank";
-            if (templateId !== "blank") {
-              try {
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder) {
-                  await seeder.seed({ environmentId, templateId });
-                }
-              } catch (seedErr) {
-                const seedMessage = seedErr instanceof Error ? seedErr.message : String(seedErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        templateSeedError: { message: seedMessage, templateId }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const artifactPathRaw = baseMetadata.artifact_path;
-            if (typeof artifactPathRaw === "string" && artifactPathRaw.length > 0) {
-              try {
-                const path2 = await import("path");
-                const { isHttpUrl: isHttpUrl2, loadArtifactBundle: loadArtifactBundle2 } = await Promise.resolve().then(() => (init_load_artifact_bundle(), load_artifact_bundle_exports));
-                const root = process.env.OS_PROJECT_ARTIFACT_ROOT ?? process.cwd();
-                const resolved2 = isHttpUrl2(artifactPathRaw) ? artifactPathRaw : path2.isAbsolute(artifactPathRaw) ? artifactPathRaw : path2.resolve(root, artifactPathRaw);
-                const bundle = await loadArtifactBundle2(resolved2, { tag: "[bind-artifact]" });
-                if (!bundle) {
-                  throw new Error(`failed to load artifact bundle at '${resolved2}'`);
-                }
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder?.seedBundle) {
-                  await seeder.seedBundle({ environmentId, bundle });
-                } else {
-                  throw new Error("template-seeder.seedBundle is unavailable");
-                }
-              } catch (bindErr) {
-                const bindMessage = bindErr instanceof Error ? bindErr.message : String(bindErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        artifactBindError: { message: bindMessage, artifactPath: artifactPathRaw }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                provisioned_at: finishedAt,
-                updated_at: finishedAt
-              },
-              { where: { id: environmentId } }
-            );
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...baseMetadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id: environmentId } }
-            );
-          }
-        };
-        const provisionSyncEnv = process.env.OS_PROVISION_SYNC;
-        const onServerless = !!(process.env.VERCEL || process.env.AWS_LAMBDA_FUNCTION_NAME || process.env.NETLIFY || process.env.CF_PAGES);
-        const syncProvisioning = provisionSyncEnv === void 0 ? onServerless : provisionSyncEnv !== "0" && provisionSyncEnv !== "false";
-        if (syncProvisioning) {
-          await runProvisioning();
-        } else {
-          void runProvisioning();
-        }
-        const project = cleanProjectRow(await findOne(ENV, { id: environmentId }));
-        const res = this.success({ project });
-        res.status = syncProvisioning ? 201 : 202;
-        return { handled: true, response: res };
-      }
-      if (parts.length === 2 && parts[0] === "projects") {
-        const id = decodeURIComponent(parts[1]);
-        if (m === "GET") {
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          const credRow = await findOne(CRED, { environment_id: id, status: "active" });
-          const callerUserId = await this.resolveCallerUserId(_context);
-          const membership = callerUserId ? await findOne(MEM, { environment_id: id, user_id: callerUserId }) : await findOne(MEM, { environment_id: id });
-          const credMeta = credRow ? {
-            id: credRow.id,
-            status: credRow.status,
-            authorization: credRow.authorization,
-            activatedAt: credRow.created_at,
-            expiresAt: credRow.expires_at
-          } : void 0;
-          const project = cleanProjectRow(envRow);
-          const database = project.database_url ? {
-            driver: project.database_driver,
-            database_name: `env-${project.id}`,
-            database_url: project.database_url,
-            storage_limit_mb: project.storage_limit_mb,
-            provisioned_at: project.provisioned_at
-          } : void 0;
-          return {
-            handled: true,
-            response: this.success({ project, database, credential: credMeta, membership })
-          };
-        }
-        if (m === "PATCH") {
-          const patch = {};
-          if (body?.display_name !== void 0) patch.display_name = body.display_name;
-          if (body?.plan !== void 0) patch.plan = body.plan;
-          if (body?.status !== void 0) patch.status = body.status;
-          if (body?.is_default !== void 0) patch.is_default = body.is_default;
-          if (body?.visibility !== void 0) {
-            let v = String(body.visibility);
-            if (v === "unlisted") v = "private";
-            if (!["private", "public"].includes(v)) {
-              return { handled: true, response: this.error(`Invalid visibility '${v}' (expected private | public)`, 400) };
-            }
-            patch.visibility = v;
-          }
-          if (body?.metadata !== void 0) patch.metadata = JSON.stringify(body.metadata);
-          patch.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-          await ql.update(ENV, patch, { where: { id } });
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          return { handled: true, response: this.success({ project: cleanProjectRow(envRow) }) };
-        }
-        if (m === "DELETE") {
-          const force = query?.force === "1" || query?.force === "true" || body?.force === true;
-          const result = await this.deleteProjectCascade(id, { ql, findOne, getRealAdapter, force });
-          if (!result.ok) {
-            return { handled: true, response: this.error(result.error ?? "Delete failed", result.status ?? 500) };
-          }
-          return { handled: true, response: this.success({ deleted: true, environmentId: id, warnings: result.warnings }) };
-        }
-      }
-      if (parts.length === 2 && parts[0] === "organizations" && m === "DELETE") {
-        const orgId = decodeURIComponent(parts[1]);
-        let projectRows = [];
-        try {
-          let rows = await ql.find(ENV, { where: { organization_id: orgId } });
-          if (rows && rows.value) rows = rows.value;
-          projectRows = Array.isArray(rows) ? rows : [];
-        } catch {
-          projectRows = [];
-        }
-        const warnings = [];
-        let deletedProjects = 0;
-        for (const row of projectRows) {
-          const pid = row?.id;
-          if (!pid) continue;
-          try {
-            const r = await this.deleteProjectCascade(pid, { ql, findOne, getRealAdapter, force: true });
-            if (r.ok) deletedProjects++;
-            if (r.warnings?.length) warnings.push(...r.warnings);
-            if (!r.ok && r.error) warnings.push(`Project ${pid}: ${r.error}`);
-          } catch (err) {
-            warnings.push(
-              `Failed to delete project ${pid}: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        let orgDeleted = false;
-        try {
-          const authService = await this.getService(CoreServiceName.enum.auth);
-          const fn = authService?.api?.deleteOrganization;
-          if (typeof fn === "function") {
-            await fn.call(authService.api, {
-              body: { organizationId: orgId },
-              headers: _context?.request?.headers
-            });
-            orgDeleted = true;
-          }
-        } catch (err) {
-          warnings.push(
-            `auth.deleteOrganization failed: ${err instanceof Error ? err.message : String(err)}`
-          );
-        }
-        if (!orgDeleted) {
-          try {
-            await ql.delete("sys_organization", { where: { id: orgId } });
-            orgDeleted = true;
-          } catch (err) {
-            warnings.push(
-              `Failed to delete sys_organization row: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        return {
-          handled: true,
-          response: this.success({
-            deleted: orgDeleted,
-            organizationId: orgId,
-            deletedProjects,
-            warnings
-          })
-        };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "hostname" && (m === "POST" || m === "PUT")) {
-        const id = decodeURIComponent(parts[1]);
-        const hostname = body?.hostname;
-        if (!hostname || typeof hostname !== "string") {
-          return { handled: true, response: this.error("hostname is required", 400) };
-        }
-        const normalized = hostname.trim().toLowerCase();
-        if (!/^[a-z0-9]([a-z0-9\-\.]*[a-z0-9])?$/.test(normalized)) {
-          return { handled: true, response: this.error("Invalid hostname format", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        let existing;
-        try {
-          const rows = await ql.find(ENV, { where: { hostname: normalized } });
-          const arr = Array.isArray(rows) ? rows : rows?.value ?? [];
-          existing = arr.find((r) => r.id !== id);
-        } catch {
-        }
-        if (existing) {
-          return {
-            handled: true,
-            response: this.error(
-              `Hostname '${normalized}' is already in use by another project.`,
-              409,
-              { code: "HOSTNAME_TAKEN", hostname: normalized }
-            )
-          };
-        }
-        const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(ENV, { hostname: normalized, updated_at: updatedAt }, { where: { id } });
-        if (this.envRegistry?.invalidate) {
-          try {
-            await this.envRegistry.invalidate(id);
-          } catch {
-          }
-        }
-        const updated = cleanProjectRow(await findOne(ENV, { id }));
-        return { handled: true, response: this.success({ project: updated }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "retry" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        if (envRow.status !== "failed" && envRow.status !== "provisioning") {
-          return {
-            handled: true,
-            response: this.error(
-              `Project '${id}' is '${envRow.status}'; only failed or provisioning projects can be retried.`,
-              409
-            )
-          };
-        }
-        const driverName = envRow.database_driver;
-        const resolved = resolveDriver(driverName);
-        if (!resolved) {
-          return {
-            handled: true,
-            response: this.error(
-              `Driver '${driverName}' is no longer registered; retry aborted.`,
-              503
-            )
-          };
-        }
-        let metadata = {};
-        if (envRow.metadata) {
-          if (typeof envRow.metadata === "string") {
-            try {
-              metadata = JSON.parse(envRow.metadata);
-            } catch {
-              metadata = {};
-            }
-          } else if (typeof envRow.metadata === "object") {
-            metadata = { ...envRow.metadata };
-          }
-        }
-        delete metadata.provisioningError;
-        const retryStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(
-          ENV,
-          {
-            status: "provisioning",
-            metadata: JSON.stringify(metadata),
-            updated_at: retryStartedAt
-          },
-          { where: { id } }
-        );
-        const simulateRetryFailure = Boolean(metadata.__simulateFailure);
-        const simulateRetryDelay = Number(metadata.__simulateDelayMs ?? 1500);
-        const runRetry = async () => {
-          try {
-            if (simulateRetryDelay > 0) {
-              await new Promise((r) => setTimeout(r, simulateRetryDelay));
-            }
-            if (simulateRetryFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            let retrySecret = `mock-token-${id}`;
-            try {
-              const adapter = await getRealAdapter(resolved.name);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId: id,
-                  databaseName: `p-${id.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: envRow.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) retrySecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(resolved.name, id);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                database_url: databaseUrl,
-                database_driver: resolved.name,
-                provisioned_at: nowIso,
-                updated_at: nowIso
-              },
-              { where: { id } }
-            );
-            const existingCred = await findOne(CRED, { environment_id: id, status: "active" });
-            if (!existingCred) {
-              await ql.insert(CRED, {
-                id: randomUUID(),
-                environment_id: id,
-                secret_ciphertext: retrySecret,
-                encryption_key_id: "noop",
-                authorization: "full_access",
-                status: "active",
-                created_at: nowIso,
-                updated_at: nowIso
-              });
-            }
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...metadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id } }
-            );
-          }
-        };
-        void runRetry();
-        const envAfter = cleanProjectRow(await findOne(ENV, { id }));
-        const retryRes = this.success({ project: envAfter });
-        retryRes.status = 202;
-        return { handled: true, response: retryRes };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "activate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        return { handled: true, response: this.success({ project: cleanProjectRow(envRow), sessionUpdated: false }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "credentials" && parts[3] === "rotate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const plaintext = body?.plaintext;
-        if (!plaintext || typeof plaintext !== "string") {
-          return { handled: true, response: this.error("plaintext is required", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        let existing = await ql.find(CRED, { where: { environment_id: id, status: "active" } });
-        if (existing && existing.value) existing = existing.value;
-        for (const row of Array.isArray(existing) ? existing : []) {
-          await ql.update(CRED, {
-            status: "revoked",
-            revoked_at: nowIso,
-            updated_at: nowIso
-          }, { where: { id: row.id } });
-        }
-        const credentialId = randomUUID();
-        await ql.insert(CRED, {
-          id: credentialId,
-          environment_id: id,
-          secret_ciphertext: plaintext,
-          encryption_key_id: "noop",
-          authorization: "full_access",
-          status: "active",
-          created_at: nowIso,
-          updated_at: nowIso
-        });
-        const credential = await findOne(CRED, { id: credentialId });
-        const credMeta = credential ? {
-          id: credential.id,
-          status: credential.status,
-          authorization: credential.authorization,
-          activatedAt: credential.created_at
-        } : void 0;
-        return { handled: true, response: this.success({ credential: credMeta }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "GET") {
-        const id = decodeURIComponent(parts[1]);
-        let rows = await ql.find(MEM, { where: { environment_id: id } });
-        if (rows && rows.value) rows = rows.value;
-        const members = Array.isArray(rows) ? rows : [];
-        const userIds = Array.from(new Set(members.map((mem) => mem.user_id).filter(Boolean)));
-        const userMap = /* @__PURE__ */ new Map();
-        for (const uid of userIds) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { id: uid } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (row) userMap.set(String(uid), {
-            id: row.id,
-            name: row.name ?? row.display_name,
-            email: row.email,
-            image: row.image ?? row.avatar_url
-          });
-        }
-        const enriched = members.map((mem) => ({
-          ...mem,
-          user: userMap.get(String(mem.user_id)) ?? void 0
-        }));
-        return { handled: true, response: this.success({ members: enriched }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const email = typeof body?.email === "string" ? String(body.email).trim().toLowerCase() : null;
-        let inviteUserId = typeof body?.user_id === "string" ? String(body.user_id).trim() : null;
-        let role = String(body?.role ?? "member").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(role)) {
-          return { handled: true, response: this.error(`Invalid role '${role}' (expected owner | admin | member | viewer)`, 400) };
-        }
-        if (!email && !inviteUserId) {
-          return { handled: true, response: this.error("email or user_id is required", 400) };
-        }
-        if (!inviteUserId && email) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { email } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (!row?.id) {
-            return { handled: true, response: this.error(`No user found with email '${email}'`, 404) };
-          }
-          inviteUserId = String(row.id);
-        }
-        const existing = await findOne(MEM, { environment_id: id, user_id: inviteUserId });
-        if (existing) {
-          return { handled: true, response: this.success({ member: existing, alreadyMember: true }) };
-        }
-        try {
-          const memberId = randomUUID();
-          await ql.insert(MEM, {
-            id: memberId,
-            environment_id: id,
-            user_id: inviteUserId,
-            role,
-            invited_by: callerId,
-            organization_id: project.organization_id ?? null
-          });
-          const created = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: created, alreadyMember: false }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to add member", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "PATCH") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const newRole = String(body?.role ?? "").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(newRole)) {
-          return { handled: true, response: this.error(`Invalid role '${newRole}'`, 400) };
-        }
-        if (target.role === "owner" && newRole !== "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot demote the last owner", 409) };
-          }
-        }
-        try {
-          await ql.update(MEM, { role: newRole, updated_at: (/* @__PURE__ */ new Date()).toISOString() }, { where: { id: memberId } });
-          const updated = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: updated }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to update role", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "DELETE") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        const isSelf = String(target.user_id) === String(callerId);
-        const isPrivileged = callerMem && ["owner", "admin"].includes(String(callerMem.role));
-        if (!isSelf && !isPrivileged) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        if (target.role === "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot remove the last owner", 409) };
-          }
-        }
-        try {
-          await ql.delete(MEM, { where: { id: memberId } });
-          return { handled: true, response: this.success({ removed: true, memberId }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to remove member", 500) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        let rows = await ql.find(PKG_INSTALL, { where: { environment_id: envId } });
-        if (rows && rows.value) rows = rows.value;
-        const installs = Array.isArray(rows) ? rows : [];
-        const packages = await Promise.all(
-          installs.map(async (r) => {
-            let manifestId = null;
-            let versionStr = null;
-            try {
-              if (r.package_id) {
-                const pkg = await ql.findOne(PKG, { where: { id: r.package_id } });
-                manifestId = pkg?.manifest_id ?? null;
-              }
-              if (r.package_version_id) {
-                const ver = await ql.findOne(PKG_VERSION, { where: { id: r.package_version_id } });
-                versionStr = ver?.version ?? null;
-              }
-            } catch {
-            }
-            return {
-              ...r,
-              // Surface user-facing identifiers expected by client SDK
-              packageId: manifestId,
-              package_id: manifestId ?? r.package_id,
-              version: versionStr ?? r.version ?? null
-            };
-          })
-        );
-        return { handled: true, response: this.success({ packages, total: packages.length }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const { packageId, version, settings, enableOnInstall } = body ?? {};
-        if (!packageId) return { handled: true, response: this.error("packageId is required", 400) };
-        const qlSvc = await this.getObjectQLService();
-        const pkgRegistry = qlSvc?.registry;
-        const allPkgs = pkgRegistry?.getAllPackages?.() ?? [];
-        const manifestEntry = allPkgs.find((p) => (p?.manifest?.id ?? p?.id) === packageId);
-        const manifest = manifestEntry?.manifest ?? manifestEntry;
-        if (!manifest) {
-          return { handled: true, response: this.error(`Package '${packageId}' is not registered on this server`, 404) };
-        }
-        const CLOUD_SCOPES = /* @__PURE__ */ new Set(["cloud", "system", "platform"]);
-        if (CLOUD_SCOPES.has(manifest?.scope)) {
-          return { handled: true, response: this.error(`Package '${packageId}' has scope=${manifest.scope} and cannot be installed per-project`, 403) };
-        }
-        const projectRow = await findOne(ENV, { id: envId });
-        if (!projectRow) {
-          return { handled: true, response: this.error(`Project '${envId}' not found`, 404) };
-        }
-        const ownerOrgId = projectRow.organization_id ?? "system";
-        let userId = "system";
-        try {
-          const authService = await this.getService(CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? sessionData?.session?.userId ?? "system";
-        } catch {
-        }
-        const resolvedVersion = version ?? manifest?.version ?? "1.0.0";
-        const dup = await ql.findOne(PKG_INSTALL, {
-          where: { environment_id: envId, package_id: packageId }
-        });
-        if (dup?.id) {
-          return { handled: true, response: this.error(`Package '${packageId}' is already installed in this project`, 409) };
-        }
-        const sysPackageId = await ensureSysPackage(packageId, ownerOrgId, userId, manifest);
-        const sysPackageVersionId = await ensureSysPackageVersion(sysPackageId, resolvedVersion, userId, manifest);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const recordId = randomUUID();
-        await ql.insert(PKG_INSTALL, {
-          id: recordId,
-          environment_id: envId,
-          package_id: sysPackageId,
-          package_version_id: sysPackageVersionId,
-          status: "installed",
-          enabled: enableOnInstall !== false,
-          installed_at: nowIso,
-          installed_by: userId,
-          updated_at: nowIso,
-          settings: settings ? JSON.stringify(settings) : null
-        });
-        const record = await ql.findOne(PKG_INSTALL, { where: { id: recordId } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await ql.findOne(PKG_INSTALL, { where: { environment_id: envId, package_id: pkgId } });
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "DELETE") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs0 = this.kernel.packages?.getAll?.() ?? [];
-        const m0 = allPkgs0.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m0?.scope && ["cloud", "system", "platform"].includes(m0.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m0.scope} cannot be uninstalled`, 403) };
-        }
-        await ql.delete(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ id: record.id, success: true }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "enable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: true, status: "installed", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "disable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs1 = this.kernel.packages?.getAll?.() ?? [];
-        const m1 = allPkgs1.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m1?.scope && ["cloud", "system", "platform"].includes(m1.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m1.scope} cannot be disabled`, 403) };
-        }
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: false, status: "disabled", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "upgrade" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const { targetVersion } = body ?? {};
-        const allPkgs2 = this.kernel.packages?.getAll?.() ?? [];
-        const manifest2 = allPkgs2.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        const currentVer = await ql.findOne(PKG_VERSION, { where: { id: record.package_version_id } });
-        const newVersion = targetVersion ?? manifest2?.version ?? currentVer?.version ?? "1.0.0";
-        if (newVersion === currentVer?.version) {
-          return { handled: true, response: this.success({ package: record, message: "Already at target version" }) };
-        }
-        let userId = "system";
-        try {
-          const authService = await this.getService(CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? "system";
-        } catch {
-        }
-        const newVersionId = await ensureSysPackageVersion(record.package_id, newVersion, userId, manifest2);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, {
-          package_version_id: newVersionId,
-          status: "installed",
-          updated_at: nowIso
-        }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-    } catch (e) {
-      return { handled: true, response: this.error(e.message, e.statusCode || 500) };
-    }
-    return { handled: false };
-  }
-  /**
-   * Cascade-delete a project: cred / member / package_installation rows,
-   * then the physical database via the provisioning adapter, then the
-   * `sys_environment` row itself. Used by both `DELETE /cloud/environments/:id`
-   * and the org-cascade in `DELETE /cloud/organizations/:id`.
+   *  - GET    /cloud/environments/:id/members                → list members
+   *  - GET    /cloud/environments/:id/packages               → list installed packages
+   *  - POST   /cloud/environments/:id/packages               → install package into env
+   *  - GET    /cloud/environments/:id/packages/:pkgId        → get installation detail
+   *  - PATCH  /cloud/environments/:id/packages/:pkgId/enable  → enable package
+   *  - PATCH  /cloud/environments/:id/packages/:pkgId/disable → disable package
+   *  - DELETE /cloud/environments/:id/packages/:pkgId        → uninstall (scope=platform forbidden)
+   *  - POST   /cloud/environments/:id/packages/:pkgId/upgrade → upgrade to newer version
+   *
+   * Driver binding
+   * --------------
+   * Environments are not tied to any specific driver. At provisioning time the
+   * caller passes `driver` (a short name such as `memory`, `turso`, or any
+   * future `sql` / `postgres` driver). The dispatcher validates the name
+   * against the kernel's registered driver services (`driver.<name>`) and
+   * derives an appropriate placeholder `database_url` for the chosen driver.
+   * If `driver` is omitted, the dispatcher auto-selects the first available
+   * in preference order: turso → memory → any other registered driver.
    *
-   * Idempotent and best-effort: missing rows / unreachable adapters
-   * become warnings rather than hard failures, so a half-provisioned
-   * project can still be cleaned out.
+   * Backed by ObjectQL sys_environment / sys_environment_credential /
+   * sys_environment_member tables (registered by
+   * `@objectstack/service-tenant`'s `createTenantPlugin`).
+   * Physical database addressing (database_url, database_driver, etc.)
+   * is stored directly on the sys_environment row.
    */
-  async deleteProjectCascade(environmentId, deps) {
-    const { ql, findOne, getRealAdapter, force } = deps;
-    const ENV = "sys_environment";
-    const warnings = [];
-    const row = await findOne(ENV, { id: environmentId });
-    if (!row) {
-      return { ok: false, status: 404, error: `Project '${environmentId}' not found`, warnings };
-    }
-    if (row.is_system === true || row.is_system === 1) {
-      return { ok: false, status: 409, error: `Project '${environmentId}' is a system project and cannot be deleted`, warnings };
-    }
-    if ((row.is_default === true || row.is_default === 1) && !force) {
-      return {
-        ok: false,
-        status: 409,
-        error: `Project '${environmentId}' is the default project for its organization. Pass ?force=1 to delete it.`,
-        warnings
-      };
-    }
-    const cascade = [
-      { object: "sys_environment_credential", field: "environment_id" },
-      { object: "sys_environment_member", field: "environment_id" },
-      { object: "sys_package_installation", field: "environment_id" }
-    ];
-    for (const { object, field } of cascade) {
-      try {
-        let rows = await ql.find(object, { where: { [field]: environmentId } });
-        if (rows && rows.value) rows = rows.value;
-        if (Array.isArray(rows)) {
-          for (const r of rows) {
-            if (r?.id != null) {
-              try {
-                await ql.delete(object, { where: { id: r.id } });
-              } catch (innerErr) {
-                warnings.push(
-                  `Failed to delete ${object} ${r.id}: ${innerErr instanceof Error ? innerErr.message : String(innerErr)}`
-                );
-              }
-            }
+  /**
+   * Resolve the calling user id from the request session, if any.
+   * Returns `undefined` for anonymous calls or when auth is not wired up.
+   */
+  async resolveActiveOrganizationId(context) {
+    try {
+      const authService = await this.resolveService(CoreServiceName.enum.auth);
+      const rawHeaders = context.request?.headers;
+      let headers = rawHeaders;
+      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
+        try {
+          const h = new Headers();
+          for (const [k, v] of Object.entries(rawHeaders)) {
+            if (v == null) continue;
+            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
           }
+          headers = h;
+        } catch {
+          headers = rawHeaders;
         }
-      } catch (err) {
-        warnings.push(
-          `Failed to enumerate ${object} for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-        );
-      }
-    }
-    const driver = row.database_driver ?? "memory";
-    const databaseUrl = row.database_url;
-    const databaseName = `p-${String(environmentId).replace(/-/g, "").slice(0, 24)}`;
-    try {
-      const adapter = await getRealAdapter(driver);
-      if (adapter?.deleteDatabase) {
-        await adapter.deleteDatabase({ environmentId, databaseName, databaseUrl });
-      } else {
-        warnings.push(`No adapter for driver '${driver}'; physical DB for project ${environmentId} not released.`);
-      }
-    } catch (err) {
-      warnings.push(
-        `Failed to delete physical database for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-      );
-    }
-    try {
-      await ql.delete(ENV, { where: { id: environmentId } });
-    } catch (err) {
-      return {
-        ok: false,
-        status: 500,
-        error: `Failed to delete sys_environment row: ${err instanceof Error ? err.message : String(err)}`,
-        warnings
-      };
-    }
-    if (this.envRegistry?.invalidate) {
-      try {
-        await this.envRegistry.invalidate(environmentId);
-      } catch {
       }
+      const apiObj = authService?.auth?.api ?? authService?.api;
+      const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
+      const oid = sessionData?.session?.activeOrganizationId;
+      return typeof oid === "string" && oid.length > 0 ? oid : void 0;
+    } catch {
+      return void 0;
     }
-    return { ok: true, warnings };
   }
   /**
    * Handles Storage requests
@@ -5127,6 +4057,8 @@ var _HttpDispatcher = class _HttpDispatcher {
    *
    * Routes:
    *   GET    /                     → listFlows
+   *   GET    /actions              → getActionDescriptors (ADR-0018; ?paradigm/?source/?category filters)
+   *   GET    /connectors           → getConnectorDescriptors (ADR-0022; ?type filter)
    *   GET    /:name                → getFlow
    *   POST   /                     → createFlow (registerFlow)
    *   PUT    /:name                → updateFlow
@@ -5135,6 +4067,8 @@ var _HttpDispatcher = class _HttpDispatcher {
    *   POST   /:name/toggle         → toggleFlow
    *   GET    /:name/runs           → listRuns
    *   GET    /:name/runs/:runId    → getRun
+   *   POST   /:name/runs/:runId/resume → resume a paused run (screen input / ADR-0019)
+   *   GET    /:name/runs/:runId/screen → the screen a paused run awaits
    */
   async handleAutomation(path, method, body, context, query) {
     const automationService = await this.getService(CoreServiceName.enum.automation);
@@ -5164,6 +4098,32 @@ var _HttpDispatcher = class _HttpDispatcher {
         return { handled: true, response: this.success(body) };
       }
     }
+    if (parts[0] === "actions" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getActionDescriptors === "function") {
+        let actions = automationService.getActionDescriptors() ?? [];
+        if (query?.paradigm) {
+          actions = actions.filter((a) => Array.isArray(a?.paradigms) && a.paradigms.includes(query.paradigm));
+        }
+        if (query?.source) {
+          actions = actions.filter((a) => a?.source === query.source);
+        }
+        if (query?.category) {
+          actions = actions.filter((a) => a?.category === query.category);
+        }
+        return { handled: true, response: this.success({ actions, total: actions.length }) };
+      }
+      return { handled: true, response: this.success({ actions: [], total: 0 }) };
+    }
+    if (parts[0] === "connectors" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getConnectorDescriptors === "function") {
+        let connectors = automationService.getConnectorDescriptors() ?? [];
+        if (query?.type) {
+          connectors = connectors.filter((c) => c?.type === query.type);
+        }
+        return { handled: true, response: this.success({ connectors, total: connectors.length }) };
+      }
+      return { handled: true, response: this.success({ connectors: [], total: 0 }) };
+    }
     if (parts.length >= 1) {
       const name = parts[0];
       if (parts[1] === "trigger" && m === "POST") {
@@ -5203,7 +4163,28 @@ var _HttpDispatcher = class _HttpDispatcher {
           return { handled: true, response: this.success({ name, enabled: body?.enabled ?? true }) };
         }
       }
-      if (parts[1] === "runs" && parts[2] && m === "GET") {
+      if (parts[1] === "runs" && parts[2] && parts[3] === "resume" && m === "POST") {
+        if (typeof automationService.resume === "function") {
+          const b = body && typeof body === "object" ? body : {};
+          const inputs = b.inputs ?? b.variables;
+          const signal = {};
+          if (inputs && typeof inputs === "object") signal.variables = inputs;
+          if (b.output && typeof b.output === "object") signal.output = b.output;
+          if (typeof b.branchLabel === "string") signal.branchLabel = b.branchLabel;
+          const result = await automationService.resume(parts[2], signal);
+          return { handled: true, response: this.success(result) };
+        }
+        return { handled: true, response: this.error("Resume not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && parts[3] === "screen" && m === "GET") {
+        if (typeof automationService.getSuspendedScreen === "function") {
+          const screen = automationService.getSuspendedScreen(parts[2]);
+          if (!screen) return { handled: true, response: this.error("No pending screen for run", 404) };
+          return { handled: true, response: this.success({ runId: parts[2], screen }) };
+        }
+        return { handled: true, response: this.error("Screen lookup not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && !parts[3] && m === "GET") {
         if (typeof automationService.getRun === "function") {
           const run = await automationService.getRun(parts[2]);
           if (!run) return { handled: true, response: this.error("Execution not found", 404) };
@@ -5529,11 +4510,9 @@ var _HttpDispatcher = class _HttpDispatcher {
     if (forbidden) {
       return { handled: true, response: forbidden };
     }
-    if (!cleanPath.startsWith("/cloud/")) {
-      const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
-      if (scopedMatch) {
-        cleanPath = scopedMatch[1] ?? "";
-      }
+    const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
+    if (scopedMatch) {
+      cleanPath = scopedMatch[1] ?? "";
     }
     try {
       if ((cleanPath === "/discovery" || cleanPath === "") && method === "GET") {
@@ -5584,9 +4563,6 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (cleanPath.startsWith("/packages")) {
         return this.handlePackages(cleanPath.substring(9), method, body, query, context);
       }
-      if (cleanPath.startsWith("/cloud")) {
-        return this.handleCloud(cleanPath.substring(6), method, body, query, context);
-      }
       if (cleanPath.startsWith("/i18n")) {
         return this.handleI18n(cleanPath.substring(5), method, query, context);
       }
@@ -6291,257 +5267,57 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/packages/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/packages/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}`, "DELETE", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/packages/:id/enable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/enable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/packages/:id/disable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/disable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/packages/:id/publish`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/publish`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/packages/:id/revert`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/revert`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/drivers`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/drivers", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/admin/platform-sso/backfill`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/admin/platform-sso/backfill", "POST", req.body, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/templates`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/templates", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "PATCH", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/organizations/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/organizations/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.put(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "PUT", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/rotate-credential`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/rotate-credential`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/credentials/rotate`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/credentials/rotate`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/activate`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/activate`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/retry`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/retry`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "PATCH", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "DELETE", req.body ?? {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
+      server.get(`${prefix}/packages/:id/export`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "GET", {}, req.query, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/export`, "GET", {}, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
+      server.get(`${prefix}/packages/:id`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}`, "GET", {}, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
+      server.delete(`${prefix}/packages/:id`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "GET", {}, req.query, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}`, "DELETE", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.delete(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
+      server.patch(`${prefix}/packages/:id/enable`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "DELETE", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/enable`, "PATCH", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/enable`, async (req, res) => {
+      server.patch(`${prefix}/packages/:id/disable`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/enable`, "PATCH", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/disable`, "PATCH", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/disable`, async (req, res) => {
+      server.post(`${prefix}/packages/:id/publish`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/disable`, "PATCH", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/publish`, "POST", req.body, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/packages/:pkgId/upgrade`, async (req, res) => {
+      server.post(`${prefix}/packages/:id/revert`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/upgrade`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/revert`, "POST", req.body, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -6668,6 +5444,22 @@ function createDispatcherPlugin(config = {}) {
             errorResponse(err, res);
           }
         });
+        server.post(`${base}/automation/:name/runs/:runId/resume`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/runs/${req.params.runId}/resume`, req.body, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
+        server.get(`${base}/automation/:name/runs/:runId/screen`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}/screen`, void 0, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
       };
       const registerAIRoutes = (base) => {
         const wildcards = [
@@ -7610,19 +6402,15 @@ init_driver_plugin();
 init_app_plugin();
 import { createHmac as createHmac2 } from "crypto";
 import { ObjectKernel as ObjectKernel3 } from "@objectstack/core";
-import { readEnvWithDeprecation as readEnvWithDeprecation4 } from "@objectstack/types";
+import { readEnvWithDeprecation as readEnvWithDeprecation3 } from "@objectstack/types";
 // src/cloud/capability-loader.ts
 var CAPABILITY_PROVIDERS = {
   automation: {
+    // Self-contained: AutomationServicePlugin seeds all built-in node
+    // executors itself (ADR-0018), so no companion node-pack plugins.
     pkg: "@objectstack/service-automation",
-    export: "AutomationServicePlugin",
-    extras: [
-      { pkg: "@objectstack/service-automation", export: "CrudNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "LogicNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "HttpConnectorPlugin" },
-      { pkg: "@objectstack/service-automation", export: "ScreenNodesPlugin" }
-    ]
+    export: "AutomationServicePlugin"
   },
   ai: {
     pkg: "@objectstack/service-ai",
@@ -7653,6 +6441,19 @@ var CAPABILITY_PROVIDERS = {
     pkg: "@objectstack/service-job",
     export: "JobServicePlugin"
   },
+  messaging: {
+    // Backs the `notify` flow node (ADR-0012): delivers to a user's
+    // channels (inbox by default → `sys_inbox_message` rows).
+    pkg: "@objectstack/service-messaging",
+    export: "MessagingServicePlugin"
+  },
+  triggers: {
+    // Concrete flow triggers — record-change (ObjectQL hooks) + schedule
+    // (cron/interval via the job service; pair `triggers` with `job`).
+    pkg: "@objectstack/plugin-trigger-record-change",
+    export: "RecordChangeTriggerPlugin",
+    extras: [{ pkg: "@objectstack/plugin-trigger-schedule", export: "ScheduleTriggerPlugin" }]
+  },
   realtime: {
     pkg: "@objectstack/service-realtime",
     export: "RealtimeServicePlugin"
@@ -7670,7 +6471,11 @@ async function loadCapabilities(opts) {
   const { kernel, requires, bundle, environmentId } = opts;
   const logger = opts.logger ?? console;
   const installed = [];
-  for (const cap of requires) {
+  const resolved = [...new Set(requires)];
+  if (resolved.includes("audit") && !resolved.includes("messaging")) {
+    resolved.push("messaging");
+  }
+  for (const cap of resolved) {
     const spec = CAPABILITY_PROVIDERS[cap];
     if (!spec) {
       continue;
@@ -7737,8 +6542,197 @@ async function loadCapabilities(opts) {
   return installed;
 }
+// src/cloud/platform-sso.ts
+import { createHmac, createHash } from "crypto";
+var PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
+function derivePlatformSsoClientId(environmentId) {
+  return `project_${environmentId}`;
+}
+function derivePlatformSsoClientSecret(baseSecret, environmentId) {
+  return createHmac("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
+}
+function hashPlatformSsoClientSecret(plaintext) {
+  return createHash("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
+  let host;
+  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
+    host = hostname;
+  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
+    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
+    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
+    host = `http://${hostWithPort}`;
+  } else {
+    host = `https://${hostname}`;
+  }
+  const trimmed = host.replace(/\/+$/, "");
+  const path = basePath.replace(/\/+$/, "");
+  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
+}
+async function seedPlatformSsoClient(opts) {
+  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
+    return;
+  }
+  const clientId = derivePlatformSsoClientId(environmentId);
+  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
+  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
+  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
+  let existing = null;
+  try {
+    const rows = await ql.find("sys_oauth_application", {
+      where: { client_id: clientId },
+      limit: 1
+    }, { context: { isSystem: true } });
+    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+    existing = list[0] ?? null;
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
+      environmentId,
+      error: err?.message
+    });
+    return;
+  }
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  if (!existing) {
+    const redirects = desiredRedirect ? [desiredRedirect] : [];
+    try {
+      await ql.insert("sys_oauth_application", {
+        id: `oauthc_${environmentId}`,
+        name: `Project ${environmentId}`,
+        client_id: clientId,
+        client_secret: clientSecretStored,
+        type: "web",
+        redirect_uris: JSON.stringify(redirects),
+        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+        response_types: JSON.stringify(["code"]),
+        scopes: JSON.stringify(["openid", "email", "profile"]),
+        token_endpoint_auth_method: "client_secret_basic",
+        require_pkce: false,
+        skip_consent: true,
+        disabled: false,
+        subject_type: "public",
+        created_at: nowIso,
+        updated_at: nowIso
+      }, { context: { isSystem: true } });
+      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
+    } catch (err) {
+      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
+        environmentId,
+        error: err?.message
+      });
+      if (throwOnError) throw err;
+    }
+    return;
+  }
+  let currentRedirects = [];
+  try {
+    const raw = existing.redirect_uris;
+    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
+    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
+  } catch {
+  }
+  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
+  const repairPatch = {
+    name: existing.name || `Project ${environmentId}`,
+    client_secret: clientSecretStored,
+    type: existing.type || "web",
+    redirect_uris: JSON.stringify(mergedRedirects),
+    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+    response_types: JSON.stringify(["code"]),
+    scopes: JSON.stringify(["openid", "email", "profile"]),
+    token_endpoint_auth_method: "client_secret_basic",
+    require_pkce: false,
+    skip_consent: true,
+    disabled: false,
+    subject_type: "public",
+    updated_at: nowIso
+  };
+  try {
+    await ql.update(
+      "sys_oauth_application",
+      repairPatch,
+      { where: { id: existing.id } },
+      { context: { isSystem: true } }
+    );
+    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
+      environmentId,
+      clientId,
+      redirect_uris: mergedRedirects
+    });
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
+      environmentId,
+      error: err?.message
+    });
+    if (throwOnError) throw err;
+  }
+}
+async function backfillPlatformSsoClients(opts) {
+  const { ql, baseSecret, logger, limit = 1e3 } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
+  }
+  let projects = [];
+  try {
+    const rows = await ql.find("sys_environment", {
+      limit,
+      fields: ["id", "hostname", "status"]
+    }, { context: { isSystem: true } });
+    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch (err) {
+    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
+      error: err?.message
+    });
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
+  }
+  let seeded = 0;
+  let alreadyExisted = 0;
+  const failures = [];
+  for (const p of projects) {
+    if (!p?.id) continue;
+    const before = await (async () => {
+      try {
+        const r = await ql.find("sys_oauth_application", {
+          where: { client_id: derivePlatformSsoClientId(p.id) },
+          limit: 1
+        }, { context: { isSystem: true } });
+        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+        return list[0] ?? null;
+      } catch {
+        return null;
+      }
+    })();
+    try {
+      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
+      if (before) alreadyExisted++;
+      else {
+        const after = await (async () => {
+          try {
+            const r = await ql.find("sys_oauth_application", {
+              where: { client_id: derivePlatformSsoClientId(p.id) },
+              limit: 1
+            }, { context: { isSystem: true } });
+            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+            return list[0] ?? null;
+          } catch (err) {
+            return { _readErr: err?.message };
+          }
+        })();
+        if (after && !after._readErr) seeded++;
+        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
+      }
+    } catch (err) {
+      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
+    }
+  }
+  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
+  return { scanned: projects.length, seeded, alreadyExisted, failures };
+}
 // src/cloud/artifact-kernel-factory.ts
-init_platform_sso();
 function deriveProjectAuthSecret(baseSecret, environmentId) {
   return createHmac2("sha256", baseSecret).update(`project:${environmentId}`).digest("hex");
 }
@@ -7748,7 +6742,7 @@ var ArtifactKernelFactory = class {
     this.envRegistry = config.envRegistry;
     this.logger = config.logger ?? console;
     this.kernelConfig = config.kernelConfig;
-    this.authBaseSecret = (config.authBaseSecret ?? readEnvWithDeprecation4("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
+    this.authBaseSecret = (config.authBaseSecret ?? readEnvWithDeprecation3("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
   }
   async create(environmentId) {
     let cached = this.envRegistry.peekById(environmentId);
@@ -7861,7 +6855,7 @@ var ArtifactKernelFactory = class {
       this.logger.warn?.("[ArtifactKernelFactory] OS_AUTH_SECRET not set \u2014 per-project AuthPlugin skipped (auth endpoints will return 404)", { environmentId });
     }
     try {
-      const multiTenant = String(readEnvWithDeprecation4("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+      const multiTenant = String(readEnvWithDeprecation3("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
       if (multiTenant) {
         try {
           const { OrgScopingPlugin } = await import("@objectstack/plugin-org-scoping");
@@ -8387,7 +7381,7 @@ var AuthProxyPlugin = class {
 };
 // src/cloud/cloud-url.ts
-var DEFAULT_CLOUD_URL = "https://cloud.objectos.app";
+var DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
 function resolveCloudUrl(explicit) {
   const raw = (explicit ?? process.env.OS_CLOUD_URL ?? "").trim();
   const lower = raw.toLowerCase();
@@ -9062,9 +8056,9 @@ async function createObjectOSStack(config) {
 }
 // src/cloud/marketplace-install-local-plugin.ts
-import { existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync, readdirSync, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
-import { join, resolve } from "path";
-import { readEnvWithDeprecation as readEnvWithDeprecation5 } from "@objectstack/types";
+import { existsSync as existsSync3, mkdirSync as mkdirSync4, readFileSync as readFileSync2, readdirSync, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
+import { join as join2, resolve } from "path";
+import { readEnvWithDeprecation as readEnvWithDeprecation4 } from "@objectstack/types";
 var ROUTE_BASE = "/api/v1/marketplace/install-local";
 var DEFAULT_DIR = ".objectstack/installed-packages";
 function safeFilename(manifestId) {
@@ -9139,9 +8133,6 @@ var MarketplaceInstallLocalPlugin = class {
       }
     };
     this.handleInstall = async (c, ctx) => {
-      if (!this.cloudUrl) {
-        return c.json({ success: false, error: { code: "marketplace_unavailable", message: "OS_CLOUD_URL not configured." } }, 503);
-      }
       const userId = await this.requireAuthenticatedUser(c, ctx);
       if (!userId) {
         return c.json({ success: false, error: { code: "unauthorized", message: "Authentication required to install packages." } }, 401);
@@ -9151,69 +8142,87 @@ var MarketplaceInstallLocalPlugin = class {
         body = await c.req.json();
       } catch {
       }
-      const packageId = String(body?.packageId ?? "").trim();
-      const versionId = String(body?.versionId ?? "latest").trim() || "latest";
-      if (!packageId) {
-        return c.json({ success: false, error: { code: "bad_request", message: "packageId is required." } }, 400);
-      }
-      let payload;
-      const publicBase = resolveMarketplacePublicBaseUrl();
-      const fetchAttempts = [];
-      if (publicBase) {
+      const inlineManifest = body?.manifest && typeof body.manifest === "object" ? body.manifest : null;
+      let manifest;
+      let resolvedVersionId;
+      let version;
+      let packageId;
+      if (inlineManifest) {
+        manifest = inlineManifest;
+        packageId = String(manifest.id ?? manifest.name ?? "").trim();
+        version = String(manifest.version ?? "unknown");
+        resolvedVersionId = String(body?.versionId ?? version);
+        if (!packageId) {
+          return c.json({ success: false, error: { code: "invalid_manifest", message: 'Inline manifest must have an "id" or "name".' } }, 400);
+        }
+      } else {
+        if (!this.cloudUrl) {
+          return c.json({ success: false, error: { code: "marketplace_unavailable", message: "OS_CLOUD_URL not configured." } }, 503);
+        }
+        packageId = String(body?.packageId ?? "").trim();
+        const versionId = String(body?.versionId ?? "latest").trim() || "latest";
+        if (!packageId) {
+          return c.json({ success: false, error: { code: "bad_request", message: "packageId is required." } }, 400);
+        }
+        let payload;
+        const publicBase = resolveMarketplacePublicBaseUrl();
+        const fetchAttempts = [];
+        if (publicBase) {
+          fetchAttempts.push({
+            label: "public-r2",
+            url: `${publicBase}/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest.json`
+          });
+        }
         fetchAttempts.push({
-          label: "public-r2",
-          url: `${publicBase}/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest.json`
+          label: "cloud",
+          url: `${this.cloudUrl}/api/v1/marketplace/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest`
         });
-      }
-      fetchAttempts.push({
-        label: "cloud",
-        url: `${this.cloudUrl}/api/v1/marketplace/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest`
-      });
-      let lastErrStatus = 0;
-      let lastErrText = "";
-      for (const attempt of fetchAttempts) {
-        try {
-          const resp = await fetch(attempt.url, { headers: { "Accept": "application/json" } });
-          if (!resp.ok) {
-            lastErrStatus = resp.status;
-            lastErrText = (await resp.text().catch(() => "")).slice(0, 200);
-            if (attempt.label === "public-r2" && resp.status === 404) {
-              ctx.logger?.info?.(`[MarketplaceInstallLocal] public-r2 miss for ${packageId}@${versionId}, falling back to cloud`);
-              continue;
+        let lastErrStatus = 0;
+        let lastErrText = "";
+        for (const attempt of fetchAttempts) {
+          try {
+            const resp = await fetch(attempt.url, { headers: { "Accept": "application/json" } });
+            if (!resp.ok) {
+              lastErrStatus = resp.status;
+              lastErrText = (await resp.text().catch(() => "")).slice(0, 200);
+              if (attempt.label === "public-r2" && resp.status === 404) {
+                ctx.logger?.info?.(`[MarketplaceInstallLocal] public-r2 miss for ${packageId}@${versionId}, falling back to cloud`);
+                continue;
+              }
+              if (attempt.label === "public-r2" && resp.status >= 500) {
+                ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 ${resp.status}, falling back to cloud`);
+                continue;
+              }
+              break;
             }
-            if (attempt.label === "public-r2" && resp.status >= 500) {
-              ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 ${resp.status}, falling back to cloud`);
+            payload = await resp.json();
+            lastErrStatus = 0;
+            break;
+          } catch (err) {
+            if (attempt.label === "public-r2") {
+              ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 fetch error: ${err?.message ?? err}, falling back to cloud`);
               continue;
             }
-            break;
-          }
-          payload = await resp.json();
-          lastErrStatus = 0;
-          break;
-        } catch (err) {
-          if (attempt.label === "public-r2") {
-            ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 fetch error: ${err?.message ?? err}, falling back to cloud`);
-            continue;
+            return c.json({
+              success: false,
+              error: { code: "cloud_fetch_failed", message: err?.message ?? String(err) }
+            }, 502);
           }
+        }
+        if (!payload) {
           return c.json({
             success: false,
-            error: { code: "cloud_fetch_failed", message: err?.message ?? String(err) }
-          }, 502);
+            error: { code: "cloud_fetch_failed", message: `Cloud returned ${lastErrStatus}: ${lastErrText}` }
+          }, lastErrStatus === 404 ? 404 : 502);
         }
+        const data = payload?.data ?? payload;
+        manifest = data?.manifest;
+        resolvedVersionId = String(data?.version_id ?? versionId);
+        version = String(data?.version ?? "unknown");
       }
-      if (!payload) {
-        return c.json({
-          success: false,
-          error: { code: "cloud_fetch_failed", message: `Cloud returned ${lastErrStatus}: ${lastErrText}` }
-        }, lastErrStatus === 404 ? 404 : 502);
-      }
-      const data = payload?.data ?? payload;
-      const manifest = data?.manifest;
-      const resolvedVersionId = String(data?.version_id ?? versionId);
-      const version = String(data?.version ?? "unknown");
       const manifestId = String(manifest?.id ?? manifest?.name ?? "");
       if (!manifest || !manifestId) {
-        return c.json({ success: false, error: { code: "invalid_manifest", message: "Cloud returned an invalid manifest payload." } }, 502);
+        return c.json({ success: false, error: { code: "invalid_manifest", message: "Invalid manifest payload." } }, inlineManifest ? 400 : 502);
       }
       const conflict = this.findConflict(ctx, manifestId);
       if (conflict === "user-code") {
@@ -9225,6 +8234,18 @@ var MarketplaceInstallLocalPlugin = class {
           }
         }, 409);
       }
+      try {
+        const manifestService = ctx.getService("manifest");
+        manifestService.register(manifest);
+      } catch (err) {
+        if (inlineManifest) {
+          return c.json({
+            success: false,
+            error: { code: "register_failed", message: `Failed to register imported manifest: ${err?.message ?? err}` }
+          }, 422);
+        }
+        ctx.logger?.warn?.(`[MarketplaceInstallLocal] hot-register failed for ${manifestId} (will load on next restart): ${err?.message ?? err}`);
+      }
       const entry = {
         packageId,
         versionId: resolvedVersionId,
@@ -9236,20 +8257,14 @@ var MarketplaceInstallLocalPlugin = class {
         withSampleData: false
       };
       try {
-        mkdirSync3(this.storageDir, { recursive: true });
-        writeFileSync2(join(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
+        mkdirSync4(this.storageDir, { recursive: true });
+        writeFileSync3(join2(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
       } catch (err) {
         return c.json({
           success: false,
           error: { code: "storage_failed", message: `Failed to persist manifest: ${err?.message ?? err}` }
         }, 500);
       }
-      try {
-        const manifestService = ctx.getService("manifest");
-        manifestService.register(manifest);
-      } catch (err) {
-        ctx.logger?.warn?.(`[MarketplaceInstallLocal] hot-register failed for ${manifestId} (will load on next restart): ${err?.message ?? err}`);
-      }
       try {
         const ql = ctx.getService("objectql");
         if (ql && typeof ql.syncSchemas === "function") {
@@ -9263,7 +8278,7 @@ var MarketplaceInstallLocalPlugin = class {
       if (seededSummary.seeded.mode === "inline" && (seededSummary.seeded.inserted ?? 0) + (seededSummary.seeded.updated ?? 0) > 0) {
         entry.withSampleData = true;
         try {
-          writeFileSync2(join(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
+          writeFileSync3(join2(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
         } catch {
         }
       }
@@ -9310,8 +8325,8 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = join(this.storageDir, safeFilename(manifestId));
-      if (!existsSync2(file)) {
+      const file = join2(this.storageDir, safeFilename(manifestId));
+      if (!existsSync3(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       try {
@@ -9338,7 +8353,7 @@ var MarketplaceInstallLocalPlugin = class {
      *                    (refuse to avoid silently overwriting authored code)
      */
     this.findConflict = (ctx, manifestId) => {
-      if (existsSync2(join(this.storageDir, safeFilename(manifestId)))) {
+      if (existsSync3(join2(this.storageDir, safeFilename(manifestId)))) {
         return "marketplace";
       }
       try {
@@ -9380,13 +8395,13 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = join(this.storageDir, safeFilename(manifestId));
-      if (!existsSync2(file)) {
+      const file = join2(this.storageDir, safeFilename(manifestId));
+      if (!existsSync3(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       let entry;
       try {
-        entry = JSON.parse(readFileSync(file, "utf8"));
+        entry = JSON.parse(readFileSync2(file, "utf8"));
       } catch (err) {
         return c.json({ success: false, error: { code: "storage_failed", message: `Failed to read manifest cache: ${err?.message ?? err}` } }, 500);
       }
@@ -9402,7 +8417,7 @@ var MarketplaceInstallLocalPlugin = class {
       }
       try {
         entry.withSampleData = true;
-        writeFileSync2(file, JSON.stringify(entry, null, 2), "utf8");
+        writeFileSync3(file, JSON.stringify(entry, null, 2), "utf8");
       } catch {
       }
       return c.json({
@@ -9434,13 +8449,13 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = join(this.storageDir, safeFilename(manifestId));
-      if (!existsSync2(file)) {
+      const file = join2(this.storageDir, safeFilename(manifestId));
+      if (!existsSync3(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       let entry;
       try {
-        entry = JSON.parse(readFileSync(file, "utf8"));
+        entry = JSON.parse(readFileSync2(file, "utf8"));
       } catch (err) {
         return c.json({ success: false, error: { code: "storage_failed", message: `Failed to read manifest cache: ${err?.message ?? err}` } }, 500);
       }
@@ -9489,7 +8504,7 @@ var MarketplaceInstallLocalPlugin = class {
       }
       try {
         entry.withSampleData = false;
-        writeFileSync2(file, JSON.stringify(entry, null, 2), "utf8");
+        writeFileSync3(file, JSON.stringify(entry, null, 2), "utf8");
       } catch {
       }
       ctx.logger?.info?.(`[MarketplaceInstallLocal] purged ${manifestId}: deleted=${deleted} skipped=${skipped} errors=${errors}`);
@@ -9587,7 +8602,7 @@ var MarketplaceInstallLocalPlugin = class {
         }
       }
       if (opts.seedNow && datasets.length > 0) {
-        const multiTenant = String(readEnvWithDeprecation5("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+        const multiTenant = String(readEnvWithDeprecation4("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
         try {
           const ql = ctx.getService("objectql");
           let metadata;
@@ -9688,12 +8703,12 @@ var MarketplaceInstallLocalPlugin = class {
       return null;
     };
     this.readAll = () => {
-      if (!existsSync2(this.storageDir)) return [];
+      if (!existsSync3(this.storageDir)) return [];
       const out = [];
       for (const name of readdirSync(this.storageDir)) {
         if (!name.endsWith(".json")) continue;
         try {
-          const raw = readFileSync(join(this.storageDir, name), "utf8");
+          const raw = readFileSync2(join2(this.storageDir, name), "utf8");
           out.push(JSON.parse(raw));
         } catch {
         }
@@ -9705,9 +8720,6 @@ var MarketplaceInstallLocalPlugin = class {
   }
 };
-// src/index.ts
-init_platform_sso();
 // src/sandbox/script-runner.ts
 var UnimplementedScriptRunner = class {
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -9738,7 +8750,7 @@ import {
   createRestApiPlugin
 } from "@objectstack/rest";
 export * from "@objectstack/core";
-import { readEnvWithDeprecation as readEnvWithDeprecation6, _resetEnvDeprecationWarnings } from "@objectstack/types";
+import { readEnvWithDeprecation as readEnvWithDeprecation5, _resetEnvDeprecationWarnings } from "@objectstack/types";
 export {
   AppPlugin,
   ArtifactApiClient,
@@ -9748,6 +8760,7 @@ export {
   DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS,
   DriverPlugin,
+  ExternalValidationPlugin,
   FileArtifactApiClient,
   HttpDispatcher,
   HttpServer,
@@ -9786,6 +8799,7 @@ export {
   collectBundleHooks,
   createDefaultHostConfig,
   createDispatcherPlugin,
+  createExternalValidationPlugin,
   createObjectOSStack,
   createRestApiPlugin,
   createStandaloneStack,
@@ -9801,7 +8815,7 @@ export {
   mergeRuntimeModule,
   parseTraceparent,
   readArtifactSource,
-  readEnvWithDeprecation6 as readEnvWithDeprecation,
+  readEnvWithDeprecation5 as readEnvWithDeprecation,
   resolveCloudUrl,
   resolveDefaultArtifactPath,
   resolveErrorReporter,