@objectstack/runtime 7.2.1 → 7.4.0

package/dist/index.cjs

@@ -32,13 +32,6 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/load-artifact-bundle.ts
-var load_artifact_bundle_exports = {};
-__export(load_artifact_bundle_exports, {
-  isHttpUrl: () => isHttpUrl,
-  loadArtifactBundle: () => loadArtifactBundle,
-  mergeRuntimeModule: () => mergeRuntimeModule,
-  readArtifactSource: () => readArtifactSource
-});
 function isHttpUrl(pathOrUrl) {
   return /^https?:\/\//i.test(pathOrUrl);
 }
@@ -294,17 +287,37 @@ var init_seed_loader = __esm({
         }
         const objectRefs = refMap.get(objectName) || [];
         const seedNow = /* @__PURE__ */ new Date();
+        const seedIdentity = config.identity;
+        const baseEvalCtx = {
+          now: seedNow,
+          user: seedIdentity?.user,
+          // Fall back to the per-tenant organizationId so `os.org.id` resolves
+          // during per-org replay even without an explicit identity.org.
+          org: seedIdentity?.org ?? (config.organizationId ? { id: config.organizationId } : void 0),
+          env: config.env
+        };
         for (let i = 0; i < dataset.records.length; i++) {
           const seedResult = (0, import_formula.resolveSeedRecord)(
             dataset.records[i],
-            { now: seedNow }
+            baseEvalCtx
           );
-          const record = seedResult.ok ? { ...seedResult.value } : { ...dataset.records[i] };
           if (!seedResult.ok) {
-            this.logger.warn(
-              `[SeedLoader] Failed to resolve dynamic values for ${objectName} record #${i}: ${seedResult.error.message}`
-            );
+            errored++;
+            const error = {
+              sourceObject: objectName,
+              field: "(expression)",
+              targetObject: objectName,
+              targetField: "(expression)",
+              attemptedValue: dataset.records[i],
+              recordIndex: i,
+              message: `Cannot resolve dynamic seed values for ${objectName} record #${i}: ${seedResult.error.message}. Records using cel\`os.user.id\` / cel\`os.org.id\` require a seed identity \u2014 ensure a system/admin user exists before seeding (see SeedLoaderConfig.identity).`
+            };
+            errors.push(error);
+            allErrors.push(error);
+            this.logger.warn(`[SeedLoader] ${error.message}`);
+            continue;
           }
+          const record = { ...seedResult.value };
           if (config.organizationId && record["organization_id"] == null) {
             record["organization_id"] = config.organizationId;
           }
@@ -383,10 +396,18 @@ var init_seed_loader = __esm({
               }
             } catch (err) {
               errored++;
-              this.logger.warn(`[SeedLoader] Failed to write ${objectName} record`, {
-                error: err.message,
-                recordIndex: i
-              });
+              const error = {
+                sourceObject: objectName,
+                field: "(write)",
+                targetObject: objectName,
+                targetField: externalId,
+                attemptedValue: record[externalId] ?? null,
+                recordIndex: i,
+                message: `Failed to write ${objectName} record #${i} (${externalId}=${String(record[externalId] ?? "")}): ${err.message}`
+              };
+              errors.push(error);
+              allErrors.push(error);
+              this.logger.warn(`[SeedLoader] ${error.message}`, { recordIndex: i });
             }
           } else {
             const externalIdValue = String(record[externalId] ?? "");
@@ -726,6 +747,52 @@ var init_seed_loader = __esm({
   }
 });
 
+// src/package-state-store.ts
+function sanitizeEnvironmentId(environmentId) {
+  const raw = (environmentId ?? process.env.OS_ENVIRONMENT_ID ?? DEFAULT_ENVIRONMENT_ID).trim();
+  const safe = raw.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return safe.length > 0 ? safe : DEFAULT_ENVIRONMENT_ID;
+}
+function stateFilePath(environmentId) {
+  return (0, import_node_path2.join)(resolveObjectStackHome(), "package-state", `${sanitizeEnvironmentId(environmentId)}.json`);
+}
+function readState(environmentId) {
+  const file = stateFilePath(environmentId);
+  if (!(0, import_node_fs.existsSync)(file)) return {};
+  try {
+    const parsed = JSON.parse((0, import_node_fs.readFileSync)(file, "utf8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function writeState(environmentId, state) {
+  const file = stateFilePath(environmentId);
+  (0, import_node_fs.mkdirSync)((0, import_node_path2.dirname)(file), { recursive: true });
+  (0, import_node_fs.writeFileSync)(file, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+}
+function loadDisabledPackageIds(environmentId) {
+  const disabled = readState(environmentId).disabled;
+  return new Set(Array.isArray(disabled) ? disabled.filter((id) => typeof id === "string") : []);
+}
+function setPackageDisabled(environmentId, packageId, disabled) {
+  const ids = loadDisabledPackageIds(environmentId);
+  if (disabled) ids.add(packageId);
+  else ids.delete(packageId);
+  writeState(environmentId, { disabled: Array.from(ids).sort() });
+}
+var import_node_fs, import_node_path2, DEFAULT_ENVIRONMENT_ID;
+var init_package_state_store = __esm({
+  "src/package-state-store.ts"() {
+    "use strict";
+    import_node_fs = require("fs");
+    import_node_path2 = require("path");
+    init_standalone_stack();
+    DEFAULT_ENVIRONMENT_ID = "default";
+  }
+});
+
 // src/sandbox/quickjs-runner.ts
 function installApiMethod(vm, parent, method, objectName, ctx, caps, required, origin) {
   const fn = vm.newAsyncifiedFunction(method, async (...argHandles) => {
@@ -1284,12 +1351,14 @@ function collectBundleFunctions(bundle) {
   merge(bundle?.manifest?.functions);
   return out;
 }
-var import_types, AppPlugin;
+var import_types, import_system, AppPlugin;
 var init_app_plugin = __esm({
   "src/app-plugin.ts"() {
     "use strict";
     import_types = require("@objectstack/types");
     init_seed_loader();
+    init_package_state_store();
+    import_system = require("@objectstack/spec/system");
     init_quickjs_runner();
     init_body_runner();
     AppPlugin = class {
@@ -1315,6 +1384,24 @@ var init_app_plugin = __esm({
           console.warn(
             `[AppPlugin:init] appId=${appId} keys=${Object.keys(servicePayload).join(",")} flows=${Array.isArray(servicePayload.flows) ? servicePayload.flows.length : "n/a"}`
           );
+          try {
+            const ql = ctx.getService("objectql");
+            const setter = ql?.registry?.setInitialDisabledPackageIds;
+            if (typeof setter === "function") {
+              const disabled = loadDisabledPackageIds(this.projectContext?.environmentId);
+              if (disabled.size > 0) {
+                setter.call(ql.registry, disabled);
+                ctx.logger.info("[AppPlugin] seeded persisted disabled packages", {
+                  environmentId: this.projectContext?.environmentId,
+                  disabled: Array.from(disabled)
+                });
+              }
+            }
+          } catch (err) {
+            ctx.logger.warn("[AppPlugin] failed to seed persisted package state", {
+              error: err?.message ?? String(err)
+            });
+          }
           ctx.getService("manifest").register(servicePayload);
         };
         this.start = async (ctx) => {
@@ -1346,6 +1433,27 @@ var init_app_plugin = __esm({
             });
             ql.setDatasourceMapping(this.bundle.datasourceMapping);
           }
+          try {
+            const dsDefs = this.bundle.datasources;
+            const dsList = Array.isArray(dsDefs) ? dsDefs : dsDefs && typeof dsDefs === "object" ? Object.entries(dsDefs).map(([name, def]) => ({ name, ...def })) : [];
+            if (dsList.length > 0) {
+              const metadata = ctx.getService("metadata");
+              if (typeof metadata?.registerInMemory === "function") {
+                for (const ds of dsList) {
+                  if (!ds?.name) continue;
+                  metadata.registerInMemory("datasource", ds.name, { ...ds, origin: "code" });
+                }
+                ctx.logger.info("Registered code-defined datasources in metadata registry", {
+                  appId,
+                  count: dsList.length
+                });
+              }
+            }
+          } catch (err) {
+            ctx.logger.warn("[AppPlugin] failed to register code-defined datasources", {
+              error: err?.message ?? String(err)
+            });
+          }
           const stackBundle = this.bundle.default || this.bundle;
           const runtime = stackBundle && typeof stackBundle.onEnable === "function" ? stackBundle : this.bundle;
           if (runtime && typeof runtime.onEnable === "function") {
@@ -1440,49 +1548,6 @@ var init_app_plugin = __esm({
               appId
             });
           }
-          try {
-            const approvals = Array.isArray(this.bundle.approvals) ? this.bundle.approvals : Array.isArray((this.bundle.manifest || {}).approvals) ? this.bundle.manifest.approvals : [];
-            if (approvals.length > 0) {
-              ctx.hook("kernel:ready", async () => {
-                let svc;
-                try {
-                  svc = ctx.getService("approvals");
-                } catch {
-                }
-                if (!svc || typeof svc.defineProcess !== "function") {
-                  ctx.logger.warn("[AppPlugin] approvals service not registered \u2014 skipping declarative processes", {
-                    appId,
-                    processCount: approvals.length
-                  });
-                  return;
-                }
-                const sysCtx = { isSystem: true, roles: [], permissions: [] };
-                let ok = 0;
-                for (const proc of approvals) {
-                  try {
-                    await svc.defineProcess({
-                      name: proc.name,
-                      label: proc.label,
-                      object: proc.object,
-                      description: proc.description,
-                      active: proc.active !== false,
-                      definition: proc
-                    }, sysCtx);
-                    ok++;
-                  } catch (err) {
-                    ctx.logger.warn("[AppPlugin] Failed to register approval process", {
-                      appId,
-                      process: proc?.name,
-                      error: err?.message ?? String(err)
-                    });
-                  }
-                }
-                ctx.logger.info("[AppPlugin] Registered approval processes", { appId, count: ok });
-              });
-            }
-          } catch (err) {
-            ctx.logger.error("[AppPlugin] Failed to schedule approval-process registration", err, { appId });
-          }
           try {
             const jobs = Array.isArray(this.bundle.jobs) ? this.bundle.jobs : Array.isArray((this.bundle.manifest || {}).jobs) ? this.bundle.manifest.jobs : [];
             if (jobs.length > 0) {
@@ -1559,6 +1624,7 @@ var init_app_plugin = __esm({
               ...d,
               object: d.object
             }));
+            const seedIdentity = await this.ensureSeedIdentity(ql, ctx.logger);
             try {
               const kernel = ctx.kernel;
               const existing = (() => {
@@ -1600,7 +1666,12 @@ var init_app_plugin = __esm({
                   config: {
                     defaultMode: "upsert",
                     multiPass: true,
-                    organizationId
+                    organizationId,
+                    // Bind os.user (system identity) and os.org (this
+                    // tenant) so identity-derived seed values resolve
+                    // per-org. org.id falls back to organizationId
+                    // inside the loader when identity.org is absent.
+                    identity: seedIdentity
                   }
                 });
                 const result = await seedLoader.load(request);
@@ -1628,14 +1699,34 @@ var init_app_plugin = __esm({
                     const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                     const request = SeedLoaderRequestSchema.parse({
                       datasets: normalizedDatasets,
-                      config: { defaultMode: "upsert", multiPass: true }
+                      config: { defaultMode: "upsert", multiPass: true, identity: seedIdentity }
                     });
                     const result = await seedLoader.load(request);
-                    ctx.logger.info("[Seeder] Seed loading complete", {
-                      inserted: result.summary.totalInserted,
-                      updated: result.summary.totalUpdated,
-                      errors: result.errors.length
-                    });
+                    const { totalInserted, totalUpdated, totalSkipped, totalErrored } = result.summary;
+                    if (result.success) {
+                      ctx.logger.info("[Seeder] Seed loading complete", {
+                        inserted: totalInserted,
+                        updated: totalUpdated,
+                        skipped: totalSkipped,
+                        errored: totalErrored
+                      });
+                    } else {
+                      ctx.logger.warn(
+                        `[Seeder] Seed loading completed with ${totalErrored} dropped record(s) and ${result.errors.length} error(s) for ${appId}`,
+                        {
+                          inserted: totalInserted,
+                          updated: totalUpdated,
+                          skipped: totalSkipped,
+                          errored: totalErrored
+                        }
+                      );
+                      for (const e of result.errors.slice(0, 20)) {
+                        ctx.logger.warn(`[Seeder]   \u2717 ${e.message}`);
+                      }
+                      if (result.errors.length > 20) {
+                        ctx.logger.warn(`[Seeder]   \u2026and ${result.errors.length - 20} more error(s)`);
+                      }
+                    }
                   } else {
                     ctx.logger.debug("[Seeder] No metadata service; using basic insert fallback");
                     for (const dataset of normalizedDatasets) {
@@ -1737,6 +1828,64 @@ var init_app_plugin = __esm({
         this.name = `plugin.app.${appId}`;
         this.version = sys?.version;
       }
+      /**
+       * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
+       *
+       * On a fresh boot there are zero users until the first human sign-up
+       * (which the SeedLoader runs *before*), so identity-derived seeds like
+       * `owner_id: cel`os.user.id`` had nothing to resolve against and were
+       * dropped silently. To make seeds deterministic and self-sufficient we
+       * upsert a single non-loginable **system user** (`usr_system`) and bind
+       * it as `os.user`.
+       *
+       * Why a dedicated system user rather than the login admin:
+       *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
+       *    password lives in `sys_account`, so a *loginable* admin can only be
+       *    minted through better-auth (the CLI does this via HTTP sign-up after
+       *    boot). A raw insert here would bypass those invariants.
+       *  - `usr_system` is an owner identity only (no credential row), analogous
+       *    to Salesforce's "Automated Process" user. The human admin is created
+       *    independently and need not be the seed owner.
+       *
+       * Idempotent: matches by the stable id, inserts once, reuses thereafter.
+       * Failures are non-fatal (logged) — records that actually need `os.user`
+       * then fail loudly in the loader with an actionable message.
+       */
+      async ensureSeedIdentity(ql, logger) {
+        const SYSTEM_USER_ID = import_system.SystemUserId.SYSTEM;
+        const SYSTEM_USER_EMAIL = "system@objectstack.local";
+        const identity = { user: { id: SYSTEM_USER_ID, role: "system", email: SYSTEM_USER_EMAIL } };
+        const opts = { context: { isSystem: true } };
+        try {
+          const existing = await ql.find(
+            "sys_user",
+            { where: { id: SYSTEM_USER_ID }, limit: 1 },
+            opts
+          );
+          if (Array.isArray(existing) && existing.length > 0) {
+            return identity;
+          }
+          await ql.insert(
+            "sys_user",
+            {
+              id: SYSTEM_USER_ID,
+              name: "System",
+              email: SYSTEM_USER_EMAIL,
+              email_verified: true,
+              role: "system"
+            },
+            opts
+          );
+          logger.info(
+            `[Seeder] Provisioned deterministic system user (${SYSTEM_USER_ID}) as seed owner \u2014 binds os.user for identity-derived seed values`
+          );
+        } catch (err) {
+          logger.warn("[Seeder] Failed to ensure system seed user; os.user-dependent seeds may be dropped", {
+            error: err?.message ?? String(err)
+          });
+        }
+        return identity;
+      }
       /**
        * Emit a kernel hook so the control-plane `AppCatalogService` can
        * upsert / delete the corresponding `sys_app` row. Silently no-ops
@@ -1859,209 +2008,167 @@ var init_app_plugin = __esm({
   }
 });
 
-// src/cloud/platform-sso.ts
-var platform_sso_exports = {};
-__export(platform_sso_exports, {
-  PLATFORM_SSO_PROVIDER_ID: () => PLATFORM_SSO_PROVIDER_ID,
-  backfillPlatformSsoClients: () => backfillPlatformSsoClients,
-  buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
-  derivePlatformSsoClientId: () => derivePlatformSsoClientId,
-  derivePlatformSsoClientSecret: () => derivePlatformSsoClientSecret,
-  hashPlatformSsoClientSecret: () => hashPlatformSsoClientSecret,
-  seedPlatformSsoClient: () => seedPlatformSsoClient
-});
-function derivePlatformSsoClientId(environmentId) {
-  return `project_${environmentId}`;
-}
-function derivePlatformSsoClientSecret(baseSecret, environmentId) {
-  return (0, import_node_crypto.createHmac)("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
+// src/standalone-stack.ts
+function resolveObjectStackHome() {
+  const raw = process.env.OS_HOME?.trim();
+  if (raw && raw.length > 0) {
+    if (raw.startsWith("~")) return (0, import_node_path3.resolve)((0, import_node_os.homedir)(), raw.slice(1).replace(/^[/\\]/, ""));
+    return (0, import_node_path3.resolve)(raw);
+  }
+  return (0, import_node_path3.resolve)((0, import_node_os.homedir)(), ".objectstack");
 }
-function hashPlatformSsoClientSecret(plaintext) {
-  return (0, import_node_crypto.createHash)("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+function detectDriverFromUrl(dbUrl) {
+  if (/^memory:\/\//i.test(dbUrl)) return "memory";
+  if (/^(postgres(ql)?|pg):\/\//i.test(dbUrl)) return "postgres";
+  if (/^mongodb(\+srv)?:\/\//i.test(dbUrl)) return "mongodb";
+  if (/^wasm-sqlite:\/\//i.test(dbUrl)) return "sqlite-wasm";
+  if (/\.wasm\.db$/i.test(dbUrl)) return "sqlite-wasm";
+  if (/^file:/i.test(dbUrl)) return "sqlite";
+  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(dbUrl)) return "sqlite";
+  throw new Error(
+    `[StandaloneStack] Unsupported database URL scheme: ${dbUrl}. Supported schemes: memory://, postgres://, pg://, mongodb://, mongodb+srv://, file:`
+  );
 }
-function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
-  let host;
-  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
-    host = hostname;
-  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
-    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
-    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
-    host = `http://${hostWithPort}`;
+async function createStandaloneStack(config) {
+  const cfg = StandaloneStackConfigSchema.parse(config ?? {});
+  const { ObjectQLPlugin } = await import("@objectstack/objectql");
+  const { MetadataPlugin } = await import("@objectstack/metadata");
+  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
+  const { AppPlugin: AppPlugin2 } = await Promise.resolve().then(() => (init_app_plugin(), app_plugin_exports));
+  const cwd = process.cwd();
+  const environmentId = cfg.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
+  const artifactPathInput = cfg.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? (0, import_node_path3.resolve)(cwd, "dist/objectstack.json");
+  const artifactPath = isHttpUrl(artifactPathInput) ? artifactPathInput : artifactPathInput.startsWith("/") ? artifactPathInput : (0, import_node_path3.resolve)(cwd, artifactPathInput);
+  const dbUrl = cfg.databaseUrl ?? (0, import_types2.readEnvWithDeprecation)("OS_DATABASE_URL", "DATABASE_URL")?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? (process.env.OS_HOME?.trim() ? `file:${(0, import_node_path3.resolve)(resolveObjectStackHome(), "data/standalone.db")}` : cfg.projectRoot ? `file:${(0, import_node_path3.resolve)(cfg.projectRoot, ".objectstack/data/standalone.db")}` : `file:${(0, import_node_path3.resolve)(resolveObjectStackHome(), "data/standalone.db")}`);
+  const explicitDriver = cfg.databaseDriver ?? process.env.OS_DATABASE_DRIVER?.trim();
+  const dbDriver = explicitDriver ?? detectDriverFromUrl(dbUrl);
+  let driverPlugin;
+  if (dbDriver === "memory") {
+    const { InMemoryDriver } = await import("@objectstack/driver-memory");
+    driverPlugin = new DriverPlugin2(new InMemoryDriver());
+  } else if (dbDriver === "postgres") {
+    const { SqlDriver } = await import("@objectstack/driver-sql");
+    driverPlugin = new DriverPlugin2(
+      new SqlDriver({
+        client: "pg",
+        connection: dbUrl,
+        pool: { min: 0, max: 5 }
+      })
+    );
+  } else if (dbDriver === "mongodb") {
+    let MongoDBDriver;
+    try {
+      ({ MongoDBDriver } = await import("@objectstack/driver-mongodb"));
+    } catch (err) {
+      throw new Error(
+        `[StandaloneStack] mongodb URL detected but @objectstack/driver-mongodb is not installed. Add it as a dependency or pass an explicit driverPlugin. (${err?.message ?? err})`
+      );
+    }
+    driverPlugin = new DriverPlugin2(new MongoDBDriver({ url: dbUrl }));
+  } else if (dbDriver === "sqlite-wasm") {
+    const { SqliteWasmDriver } = await import("@objectstack/driver-sqlite-wasm");
+    const filename = dbUrl.replace(/^wasm-sqlite:(\/\/)?/i, "").replace(/^file:(\/\/)?/i, "");
+    if (filename && filename !== ":memory:") {
+      (0, import_node_fs2.mkdirSync)((0, import_node_path3.resolve)(filename, ".."), { recursive: true });
+    }
+    driverPlugin = new DriverPlugin2(
+      new SqliteWasmDriver({
+        filename: filename || ":memory:",
+        persist: filename && filename !== ":memory:" ? "on-write" : void 0
+      })
+    );
   } else {
-    host = `https://${hostname}`;
+    const { SqlDriver } = await import("@objectstack/driver-sql");
+    const filename = dbUrl.replace(/^file:(\/\/)?/, "");
+    if (!filename || /^[a-z][a-z0-9+.-]*:\/\//i.test(filename)) {
+      throw new Error(
+        `[StandaloneStack] sqlite driver was selected but the URL does not look like a file path: "${dbUrl}". Use file:/path/to/db.sqlite, or set OS_DATABASE_DRIVER explicitly.`
+      );
+    }
+    (0, import_node_fs2.mkdirSync)((0, import_node_path3.resolve)(filename, ".."), { recursive: true });
+    driverPlugin = new DriverPlugin2(
+      new SqlDriver({
+        client: "better-sqlite3",
+        connection: { filename },
+        useNullAsDefault: true
+      })
+    );
   }
-  const trimmed = host.replace(/\/+$/, "");
-  const path = basePath.replace(/\/+$/, "");
-  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
-}
-async function seedPlatformSsoClient(opts) {
-  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
-    return;
+  const artifactBundle = await loadArtifactBundle(artifactPath, {
+    tag: "[StandaloneStack]",
+    unwrapEnvelope: true
+  });
+  if (artifactBundle) {
+    const flowsCount = Array.isArray(artifactBundle?.flows) ? artifactBundle.flows.length : "n/a";
+    console.warn(
+      `[StandaloneStack] artifact loaded: path=${artifactPath} keys=${Object.keys(artifactBundle).join(",")} flows=${flowsCount}`
+    );
   }
-  const clientId = derivePlatformSsoClientId(environmentId);
-  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
-  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
-  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
-  let existing = null;
-  try {
-    const rows = await ql.find("sys_oauth_application", {
-      where: { client_id: clientId },
-      limit: 1
-    }, { context: { isSystem: true } });
-    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-    existing = list[0] ?? null;
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
+  const plugins = [
+    driverPlugin,
+    new MetadataPlugin({
+      // Source-file scanner OFF — declarative metadata is loaded
+      // from the compiled artifact, not from yaml/json files on
+      // disk. Scanning would also recursively watch the project
+      // root (incl. node_modules), which is expensive and prone
+      // to EMFILE.
+      watch: false,
+      // Artifact-file HMR ON in non-production so edits to
+      // `*.view.ts` / `*.flow.ts` (which the CLI dev-mode watcher
+      // recompiles into `dist/objectstack.json`) are picked up by
+      // the running server WITHOUT requiring a manual restart.
+      // Uses polling under the hood (see plugin.ts) to avoid
+      // `fs.watch` EMFILE on macOS / busy dev hosts.
+      artifactWatch: process.env.NODE_ENV !== "production",
       environmentId,
-      error: err?.message
+      artifactSource: { mode: "local-file", path: artifactPath }
+    }),
+    new ObjectQLPlugin({ environmentId })
+  ];
+  if (artifactBundle) plugins.push(new AppPlugin2(artifactBundle));
+  const requires = Array.isArray(artifactBundle?.requires) ? artifactBundle.requires.filter((c) => typeof c === "string") : void 0;
+  const objects = Array.isArray(artifactBundle?.objects) ? artifactBundle.objects : void 0;
+  const manifest = artifactBundle?.manifest;
+  return {
+    plugins,
+    api: {
+      enableProjectScoping: false,
+      projectResolution: "none"
+    },
+    ...requires ? { requires } : {},
+    ...objects ? { objects } : {},
+    ...manifest ? { manifest } : {}
+  };
+}
+var import_node_path3, import_node_fs2, import_node_os, import_zod, import_types2, StandaloneStackConfigSchema;
+var init_standalone_stack = __esm({
+  "src/standalone-stack.ts"() {
+    "use strict";
+    import_node_path3 = require("path");
+    import_node_fs2 = require("fs");
+    import_node_os = require("os");
+    import_zod = require("zod");
+    import_types2 = require("@objectstack/types");
+    init_load_artifact_bundle();
+    StandaloneStackConfigSchema = import_zod.z.object({
+      databaseUrl: import_zod.z.string().optional(),
+      databaseAuthToken: import_zod.z.string().optional(),
+      databaseDriver: import_zod.z.enum(["sqlite", "sqlite-wasm", "memory", "postgres", "mongodb"]).optional(),
+      environmentId: import_zod.z.string().optional(),
+      artifactPath: import_zod.z.string().optional(),
+      /**
+       * Project root directory. When set (typically by the CLI after locating
+       * `objectstack.config.ts`), the default sqlite database is placed under
+       * `<projectRoot>/.objectstack/data/standalone.db` instead of the global
+       * `~/.objectstack/data/standalone.db`. This keeps per-project data
+       * scoped to the project folder so different examples / apps don't
+       * share a single database by accident.
+       *
+       * Explicit `databaseUrl` / `OS_DATABASE_URL` / `OS_HOME` still take
+       * precedence over this default.
+       */
+      projectRoot: import_zod.z.string().optional()
     });
-    return;
-  }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  if (!existing) {
-    const redirects = desiredRedirect ? [desiredRedirect] : [];
-    try {
-      await ql.insert("sys_oauth_application", {
-        id: `oauthc_${environmentId}`,
-        name: `Project ${environmentId}`,
-        client_id: clientId,
-        client_secret: clientSecretStored,
-        type: "web",
-        redirect_uris: JSON.stringify(redirects),
-        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-        response_types: JSON.stringify(["code"]),
-        scopes: JSON.stringify(["openid", "email", "profile"]),
-        token_endpoint_auth_method: "client_secret_basic",
-        require_pkce: false,
-        skip_consent: true,
-        disabled: false,
-        subject_type: "public",
-        created_at: nowIso,
-        updated_at: nowIso
-      }, { context: { isSystem: true } });
-      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
-    } catch (err) {
-      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
-        environmentId,
-        error: err?.message
-      });
-      if (throwOnError) throw err;
-    }
-    return;
-  }
-  let currentRedirects = [];
-  try {
-    const raw = existing.redirect_uris;
-    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
-    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
-  } catch {
-  }
-  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
-  const repairPatch = {
-    name: existing.name || `Project ${environmentId}`,
-    client_secret: clientSecretStored,
-    type: existing.type || "web",
-    redirect_uris: JSON.stringify(mergedRedirects),
-    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-    response_types: JSON.stringify(["code"]),
-    scopes: JSON.stringify(["openid", "email", "profile"]),
-    token_endpoint_auth_method: "client_secret_basic",
-    require_pkce: false,
-    skip_consent: true,
-    disabled: false,
-    subject_type: "public",
-    updated_at: nowIso
-  };
-  try {
-    await ql.update(
-      "sys_oauth_application",
-      repairPatch,
-      { where: { id: existing.id } },
-      { context: { isSystem: true } }
-    );
-    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
-      environmentId,
-      clientId,
-      redirect_uris: mergedRedirects
-    });
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
-      environmentId,
-      error: err?.message
-    });
-    if (throwOnError) throw err;
-  }
-}
-async function backfillPlatformSsoClients(opts) {
-  const { ql, baseSecret, logger, limit = 1e3 } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
-  }
-  let projects = [];
-  try {
-    const rows = await ql.find("sys_environment", {
-      limit,
-      fields: ["id", "hostname", "status"]
-    }, { context: { isSystem: true } });
-    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-  } catch (err) {
-    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
-      error: err?.message
-    });
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
-  }
-  let seeded = 0;
-  let alreadyExisted = 0;
-  const failures = [];
-  for (const p of projects) {
-    if (!p?.id) continue;
-    const before = await (async () => {
-      try {
-        const r = await ql.find("sys_oauth_application", {
-          where: { client_id: derivePlatformSsoClientId(p.id) },
-          limit: 1
-        }, { context: { isSystem: true } });
-        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-        return list[0] ?? null;
-      } catch {
-        return null;
-      }
-    })();
-    try {
-      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
-      if (before) alreadyExisted++;
-      else {
-        const after = await (async () => {
-          try {
-            const r = await ql.find("sys_oauth_application", {
-              where: { client_id: derivePlatformSsoClientId(p.id) },
-              limit: 1
-            }, { context: { isSystem: true } });
-            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-            return list[0] ?? null;
-          } catch (err) {
-            return { _readErr: err?.message };
-          }
-        })();
-        if (after && !after._readErr) seeded++;
-        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
-      }
-    } catch (err) {
-      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
-    }
-  }
-  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
-  return { scanned: projects.length, seeded, alreadyExisted, failures };
-}
-var import_node_crypto, PLATFORM_SSO_PROVIDER_ID;
-var init_platform_sso = __esm({
-  "src/cloud/platform-sso.ts"() {
-    "use strict";
-    import_node_crypto = require("crypto");
-    PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
   }
 });
 
@@ -2222,6 +2329,7 @@ __export(index_exports, {
   DEFAULT_CLOUD_URL: () => DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS: () => DEFAULT_RATE_LIMITS,
   DriverPlugin: () => DriverPlugin,
+  ExternalValidationPlugin: () => ExternalValidationPlugin,
   FileArtifactApiClient: () => FileArtifactApiClient,
   HttpDispatcher: () => HttpDispatcher,
   HttpServer: () => HttpServer,
@@ -2250,7 +2358,7 @@ __export(index_exports, {
   SandboxError: () => SandboxError,
   SeedLoaderService: () => SeedLoaderService,
   UnimplementedScriptRunner: () => UnimplementedScriptRunner,
-  _resetEnvDeprecationWarnings: () => import_types6._resetEnvDeprecationWarnings,
+  _resetEnvDeprecationWarnings: () => import_types5._resetEnvDeprecationWarnings,
   actionBodyRunnerFactory: () => actionBodyRunnerFactory,
   backfillPlatformSsoClients: () => backfillPlatformSsoClients,
   buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
@@ -2260,6 +2368,7 @@ __export(index_exports, {
   collectBundleHooks: () => collectBundleHooks,
   createDefaultHostConfig: () => createDefaultHostConfig,
   createDispatcherPlugin: () => createDispatcherPlugin,
+  createExternalValidationPlugin: () => createExternalValidationPlugin,
   createObjectOSStack: () => createObjectOSStack,
   createRestApiPlugin: () => import_rest.createRestApiPlugin,
   createStandaloneStack: () => createStandaloneStack,
@@ -2275,7 +2384,7 @@ __export(index_exports, {
   mergeRuntimeModule: () => mergeRuntimeModule,
   parseTraceparent: () => parseTraceparent,
   readArtifactSource: () => readArtifactSource,
-  readEnvWithDeprecation: () => import_types6.readEnvWithDeprecation,
+  readEnvWithDeprecation: () => import_types5.readEnvWithDeprecation,
   resolveCloudUrl: () => resolveCloudUrl,
   resolveDefaultArtifactPath: () => resolveDefaultArtifactPath,
   resolveErrorReporter: () => resolveErrorReporter,
@@ -2333,228 +2442,234 @@ var Runtime = class {
   }
 };
 
-// src/standalone-stack.ts
-var import_node_path2 = require("path");
-var import_node_fs = require("fs");
-var import_node_os = require("os");
-var import_zod = require("zod");
-var import_types2 = require("@objectstack/types");
+// src/index.ts
+init_standalone_stack();
+
+// src/default-host.ts
+var import_node_path4 = require("path");
+var import_node_fs3 = require("fs");
+init_standalone_stack();
 init_load_artifact_bundle();
-function resolveObjectStackHome() {
-  const raw = process.env.OS_HOME?.trim();
-  if (raw && raw.length > 0) {
-    if (raw.startsWith("~")) return (0, import_node_path2.resolve)((0, import_node_os.homedir)(), raw.slice(1).replace(/^[/\\]/, ""));
-    return (0, import_node_path2.resolve)(raw);
+function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
+  const candidate = explicitPath ?? process.env.OS_ARTIFACT_PATH ?? (0, import_node_path4.resolve)(cwd, "dist/objectstack.json");
+  if (isHttpUrl(candidate)) return candidate;
+  if (explicitPath || process.env.OS_ARTIFACT_PATH) return candidate;
+  return (0, import_node_fs3.existsSync)(candidate) ? candidate : void 0;
+}
+async function createDefaultHostConfig(options = {}) {
+  const { requireArtifact = true, ...standaloneOpts } = options;
+  let resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
+  if (!resolvedArtifact && requireArtifact) {
+    throw new Error(
+      "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
+    );
+  }
+  if (!resolvedArtifact && !requireArtifact) {
+    const home = resolveObjectStackHome();
+    const stubPath = (0, import_node_path4.resolve)(home, "dist/objectstack.json");
+    if (!(0, import_node_fs3.existsSync)(stubPath)) {
+      (0, import_node_fs3.mkdirSync)((0, import_node_path4.resolve)(stubPath, ".."), { recursive: true });
+      (0, import_node_fs3.writeFileSync)(
+        stubPath,
+        JSON.stringify(
+          {
+            manifest: {
+              id: "com.objectstack.empty",
+              name: "empty",
+              version: "0.0.0",
+              type: "app",
+              description: "Empty starter kernel \u2014 install apps via the Studio marketplace."
+            },
+            objects: [],
+            views: [],
+            apps: [],
+            flows: [],
+            requires: []
+          },
+          null,
+          2
+        ),
+        "utf8"
+      );
+    }
+    resolvedArtifact = stubPath;
   }
-  return (0, import_node_path2.resolve)((0, import_node_os.homedir)(), ".objectstack");
+  return createStandaloneStack({
+    ...standaloneOpts,
+    artifactPath: resolvedArtifact
+  });
 }
-var StandaloneStackConfigSchema = import_zod.z.object({
-  databaseUrl: import_zod.z.string().optional(),
-  databaseAuthToken: import_zod.z.string().optional(),
-  databaseDriver: import_zod.z.enum(["sqlite", "sqlite-wasm", "memory", "postgres", "mongodb"]).optional(),
-  environmentId: import_zod.z.string().optional(),
-  artifactPath: import_zod.z.string().optional(),
+
+// src/index.ts
+init_driver_plugin();
+init_app_plugin();
+init_seed_loader();
+
+// src/external-validation-plugin.ts
+var import_shared = require("@objectstack/spec/shared");
+var ExternalValidationPlugin = class {
+  constructor() {
+    this.name = "com.objectstack.external-validation";
+    this.type = "standard";
+    this.version = "1.0.0";
+    /** Active background drift-check timers, keyed by datasource name. */
+    this.driftTimers = /* @__PURE__ */ new Map();
+    this.init = (_ctx) => {
+    };
+    this.start = (ctx) => {
+      ctx.hook("kernel:ready", async () => {
+        await this.runValidation(ctx);
+        await this.scheduleDriftChecks(ctx);
+      });
+    };
+    /** Tear down background drift-check timers (idempotent). */
+    this.stop = () => {
+      for (const timer of this.driftTimers.values()) clearInterval(timer);
+      this.driftTimers.clear();
+    };
+  }
+  /** Exposed for testing; invoked from the kernel:ready handler. */
+  async runValidation(ctx) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) {
+      ctx.logger?.debug?.("[external-validation] service not registered; skipping");
+      return;
+    }
+    const metadata = safeGet(ctx, "metadata");
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] validateAll failed", { err });
+      return;
+    }
+    const failures = report.results.filter((r) => !r.ok);
+    if (failures.length === 0) {
+      ctx.logger?.info?.("[external-validation] all federated objects match their remote schema", {
+        objects: report.results.length
+      });
+      return;
+    }
+    for (const r of failures) {
+      const mode = await resolveOnMismatch(metadata, r.datasource);
+      if (mode === "ignore") continue;
+      if (mode === "warn") {
+        ctx.logger?.warn?.("[external-validation] external schema drift", {
+          datasource: r.datasource,
+          object: r.object,
+          diffs: r.diffs
+        });
+        continue;
+      }
+      throw new import_shared.ExternalSchemaMismatchError(r.datasource, r.object, r.diffs);
+    }
+  }
   /**
-   * Project root directory. When set (typically by the CLI after locating
-   * `objectstack.config.ts`), the default sqlite database is placed under
-   * `<projectRoot>/.objectstack/data/standalone.db` instead of the global
-   * `~/.objectstack/data/standalone.db`. This keeps per-project data
-   * scoped to the project folder so different examples / apps don't
-   * share a single database by accident.
+   * Arm a background drift checker for every federated datasource that declares
+   * `external.validation.checkIntervalMs`. Each fires on its own interval and
+   * emits `external.schema.drift` events — it never throws or aborts the
+   * process, since drift past boot is observational, not fatal.
    *
-   * Explicit `databaseUrl` / `OS_DATABASE_URL` / `OS_HOME` still take
-   * precedence over this default.
+   * No-op when metadata can't be enumerated or no datasource opts in. Re-arming
+   * (e.g. a second `kernel:ready`) first clears existing timers so intervals
+   * don't accumulate.
    */
-  projectRoot: import_zod.z.string().optional()
-});
-function detectDriverFromUrl(dbUrl) {
-  if (/^memory:\/\//i.test(dbUrl)) return "memory";
-  if (/^(postgres(ql)?|pg):\/\//i.test(dbUrl)) return "postgres";
-  if (/^mongodb(\+srv)?:\/\//i.test(dbUrl)) return "mongodb";
-  if (/^wasm-sqlite:\/\//i.test(dbUrl)) return "sqlite-wasm";
-  if (/\.wasm\.db$/i.test(dbUrl)) return "sqlite-wasm";
-  if (/^file:/i.test(dbUrl)) return "sqlite";
-  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(dbUrl)) return "sqlite";
-  throw new Error(
-    `[StandaloneStack] Unsupported database URL scheme: ${dbUrl}. Supported schemes: memory://, postgres://, pg://, mongodb://, mongodb+srv://, file:`
-  );
-}
-async function createStandaloneStack(config) {
-  const cfg = StandaloneStackConfigSchema.parse(config ?? {});
-  const { ObjectQLPlugin } = await import("@objectstack/objectql");
-  const { MetadataPlugin } = await import("@objectstack/metadata");
-  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
-  const { AppPlugin: AppPlugin2 } = await Promise.resolve().then(() => (init_app_plugin(), app_plugin_exports));
-  const cwd = process.cwd();
-  const environmentId = cfg.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
-  const artifactPathInput = cfg.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? (0, import_node_path2.resolve)(cwd, "dist/objectstack.json");
-  const artifactPath = isHttpUrl(artifactPathInput) ? artifactPathInput : artifactPathInput.startsWith("/") ? artifactPathInput : (0, import_node_path2.resolve)(cwd, artifactPathInput);
-  const dbUrl = cfg.databaseUrl ?? (0, import_types2.readEnvWithDeprecation)("OS_DATABASE_URL", "DATABASE_URL")?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? (process.env.OS_HOME?.trim() ? `file:${(0, import_node_path2.resolve)(resolveObjectStackHome(), "data/standalone.db")}` : cfg.projectRoot ? `file:${(0, import_node_path2.resolve)(cfg.projectRoot, ".objectstack/data/standalone.db")}` : `file:${(0, import_node_path2.resolve)(resolveObjectStackHome(), "data/standalone.db")}`);
-  const explicitDriver = cfg.databaseDriver ?? process.env.OS_DATABASE_DRIVER?.trim();
-  const dbDriver = explicitDriver ?? detectDriverFromUrl(dbUrl);
-  let driverPlugin;
-  if (dbDriver === "memory") {
-    const { InMemoryDriver } = await import("@objectstack/driver-memory");
-    driverPlugin = new DriverPlugin2(new InMemoryDriver());
-  } else if (dbDriver === "postgres") {
-    const { SqlDriver } = await import("@objectstack/driver-sql");
-    driverPlugin = new DriverPlugin2(
-      new SqlDriver({
-        client: "pg",
-        connection: dbUrl,
-        pool: { min: 0, max: 5 }
-      })
-    );
-  } else if (dbDriver === "mongodb") {
-    let MongoDBDriver;
+  async scheduleDriftChecks(ctx) {
+    this.stop();
+    const metadata = safeGet(ctx, "metadata");
+    if (!metadata?.list) return;
+    let datasources;
     try {
-      ({ MongoDBDriver } = await import("@objectstack/driver-mongodb"));
+      datasources = await metadata.list("datasource");
     } catch (err) {
-      throw new Error(
-        `[StandaloneStack] mongodb URL detected but @objectstack/driver-mongodb is not installed. Add it as a dependency or pass an explicit driverPlugin. (${err?.message ?? err})`
-      );
-    }
-    driverPlugin = new DriverPlugin2(new MongoDBDriver({ url: dbUrl }));
-  } else if (dbDriver === "sqlite-wasm") {
-    const { SqliteWasmDriver } = await import("@objectstack/driver-sqlite-wasm");
-    const filename = dbUrl.replace(/^wasm-sqlite:(\/\/)?/i, "").replace(/^file:(\/\/)?/i, "");
-    if (filename && filename !== ":memory:") {
-      (0, import_node_fs.mkdirSync)((0, import_node_path2.resolve)(filename, ".."), { recursive: true });
+      ctx.logger?.warn?.("[external-validation] could not list datasources for drift checks", { err });
+      return;
     }
-    driverPlugin = new DriverPlugin2(
-      new SqliteWasmDriver({
-        filename: filename || ":memory:",
-        persist: filename && filename !== ":memory:" ? "on-write" : void 0
-      })
-    );
-  } else {
-    const { SqlDriver } = await import("@objectstack/driver-sql");
-    const filename = dbUrl.replace(/^file:(\/\/)?/, "");
-    if (!filename || /^[a-z][a-z0-9+.-]*:\/\//i.test(filename)) {
-      throw new Error(
-        `[StandaloneStack] sqlite driver was selected but the URL does not look like a file path: "${dbUrl}". Use file:/path/to/db.sqlite, or set OS_DATABASE_DRIVER explicitly.`
-      );
+    for (const def of datasources) {
+      const interval = def?.external?.validation?.checkIntervalMs;
+      const name = def?.name;
+      if (!name || typeof interval !== "number" || interval <= 0) continue;
+      const timer = setInterval(() => {
+        void this.runDriftCheck(ctx, name);
+      }, interval);
+      timer.unref?.();
+      this.driftTimers.set(name, timer);
+      ctx.logger?.info?.("[external-validation] armed background drift check", {
+        datasource: name,
+        intervalMs: interval
+      });
     }
-    (0, import_node_fs.mkdirSync)((0, import_node_path2.resolve)(filename, ".."), { recursive: true });
-    driverPlugin = new DriverPlugin2(
-      new SqlDriver({
-        client: "better-sqlite3",
-        connection: { filename },
-        useNullAsDefault: true
-      })
-    );
   }
-  const artifactBundle = await loadArtifactBundle(artifactPath, {
-    tag: "[StandaloneStack]",
-    unwrapEnvelope: true
-  });
-  if (artifactBundle) {
-    const flowsCount = Array.isArray(artifactBundle?.flows) ? artifactBundle.flows.length : "n/a";
-    console.warn(
-      `[StandaloneStack] artifact loaded: path=${artifactPath} keys=${Object.keys(artifactBundle).join(",")} flows=${flowsCount}`
-    );
+  /**
+   * Re-validate one datasource's federated objects and emit an
+   * `external.schema.drift` event per mismatch. Exposed for testing; invoked
+   * from the interval armed by {@link scheduleDriftChecks}. Never throws.
+   *
+   * @returns the number of drift events emitted.
+   */
+  async runDriftCheck(ctx, datasource) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) return 0;
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] drift check validateAll failed", {
+        datasource,
+        err
+      });
+      return 0;
+    }
+    const drifted = report.results.filter((r) => !r.ok && r.datasource === datasource);
+    for (const r of drifted) {
+      const event = {
+        datasource: r.datasource,
+        object: r.object,
+        diffs: r.diffs
+      };
+      try {
+        await ctx.trigger("external.schema.drift", event);
+      } catch (err) {
+        ctx.logger?.warn?.("[external-validation] failed to emit drift event", {
+          datasource,
+          object: r.object,
+          err
+        });
+      }
+    }
+    if (drifted.length > 0) {
+      ctx.logger?.warn?.("[external-validation] background drift detected", {
+        datasource,
+        objects: drifted.map((r) => r.object)
+      });
+    }
+    return drifted.length;
   }
-  const plugins = [
-    driverPlugin,
-    new MetadataPlugin({
-      // Source-file scanner OFF — declarative metadata is loaded
-      // from the compiled artifact, not from yaml/json files on
-      // disk. Scanning would also recursively watch the project
-      // root (incl. node_modules), which is expensive and prone
-      // to EMFILE.
-      watch: false,
-      // Artifact-file HMR ON in non-production so edits to
-      // `*.view.ts` / `*.flow.ts` (which the CLI dev-mode watcher
-      // recompiles into `dist/objectstack.json`) are picked up by
-      // the running server WITHOUT requiring a manual restart.
-      // Uses polling under the hood (see plugin.ts) to avoid
-      // `fs.watch` EMFILE on macOS / busy dev hosts.
-      artifactWatch: process.env.NODE_ENV !== "production",
-      environmentId,
-      artifactSource: { mode: "local-file", path: artifactPath }
-    }),
-    new ObjectQLPlugin({ environmentId })
-  ];
-  if (artifactBundle) plugins.push(new AppPlugin2(artifactBundle));
-  const requires = Array.isArray(artifactBundle?.requires) ? artifactBundle.requires.filter((c) => typeof c === "string") : void 0;
-  const objects = Array.isArray(artifactBundle?.objects) ? artifactBundle.objects : void 0;
-  const manifest = artifactBundle?.manifest;
-  return {
-    plugins,
-    api: {
-      enableProjectScoping: false,
-      projectResolution: "none"
-    },
-    ...requires ? { requires } : {},
-    ...objects ? { objects } : {},
-    ...manifest ? { manifest } : {}
-  };
-}
-
-// src/default-host.ts
-var import_node_path3 = require("path");
-var import_node_fs2 = require("fs");
-init_load_artifact_bundle();
-function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
-  const candidate = explicitPath ?? process.env.OS_ARTIFACT_PATH ?? (0, import_node_path3.resolve)(cwd, "dist/objectstack.json");
-  if (isHttpUrl(candidate)) return candidate;
-  if (explicitPath || process.env.OS_ARTIFACT_PATH) return candidate;
-  return (0, import_node_fs2.existsSync)(candidate) ? candidate : void 0;
+};
+function createExternalValidationPlugin() {
+  return new ExternalValidationPlugin();
 }
-async function createDefaultHostConfig(options = {}) {
-  const { requireArtifact = true, ...standaloneOpts } = options;
-  let resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
-  if (!resolvedArtifact && requireArtifact) {
-    throw new Error(
-      "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
-    );
+async function resolveOnMismatch(metadata, datasource) {
+  try {
+    const ds = await metadata?.get?.("datasource", datasource);
+    return ds?.external?.validation?.onMismatch ?? "fail";
+  } catch {
+    return "fail";
   }
-  if (!resolvedArtifact && !requireArtifact) {
-    const home = resolveObjectStackHome();
-    const stubPath = (0, import_node_path3.resolve)(home, "dist/objectstack.json");
-    if (!(0, import_node_fs2.existsSync)(stubPath)) {
-      (0, import_node_fs2.mkdirSync)((0, import_node_path3.resolve)(stubPath, ".."), { recursive: true });
-      (0, import_node_fs2.writeFileSync)(
-        stubPath,
-        JSON.stringify(
-          {
-            manifest: {
-              id: "com.objectstack.empty",
-              name: "empty",
-              version: "0.0.0",
-              type: "app",
-              description: "Empty starter kernel \u2014 install apps via the Studio marketplace."
-            },
-            objects: [],
-            views: [],
-            apps: [],
-            flows: [],
-            requires: []
-          },
-          null,
-          2
-        ),
-        "utf8"
-      );
-    }
-    resolvedArtifact = stubPath;
+}
+function safeGet(ctx, name) {
+  try {
+    return ctx.getService(name);
+  } catch {
+    return void 0;
   }
-  return createStandaloneStack({
-    ...standaloneOpts,
-    artifactPath: resolvedArtifact
-  });
 }
 
-// src/index.ts
-init_driver_plugin();
-init_app_plugin();
-init_seed_loader();
-
 // src/http-dispatcher.ts
 var import_core2 = require("@objectstack/core");
-var import_types3 = require("@objectstack/types");
-var import_system = require("@objectstack/spec/system");
-var import_shared = require("@objectstack/spec/shared");
+var import_system2 = require("@objectstack/spec/system");
+var import_shared2 = require("@objectstack/spec/shared");
+init_package_state_store();
 
 // src/security/resolve-execution-context.ts
 function readHeader(headers, name) {
@@ -3016,7 +3131,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         }
       }
       try {
-        const authService = await this.getService(import_system.CoreServiceName.enum.auth);
+        const authService = await this.getService(import_system2.CoreServiceName.enum.auth);
         const sessionData = await authService?.api?.getSession?.({
           headers: context.request?.headers
         });
@@ -3097,7 +3212,7 @@ var _HttpDispatcher = class _HttpDispatcher {
     let userId;
     let activeOrganizationId;
     try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
+      const authService = await this.resolveService(import_system2.CoreServiceName.enum.auth);
       const sessionData = await authService?.api?.getSession?.({
         headers: context.request?.headers
       });
@@ -3166,21 +3281,21 @@ var _HttpDispatcher = class _HttpDispatcher {
       queueSvc,
       jobSvc
     ] = await Promise.all([
-      this.resolveService(import_system.CoreServiceName.enum.auth),
-      this.resolveService(import_system.CoreServiceName.enum.graphql),
-      this.resolveService(import_system.CoreServiceName.enum.search),
-      this.resolveService(import_system.CoreServiceName.enum.realtime),
-      this.resolveService(import_system.CoreServiceName.enum["file-storage"]),
-      this.resolveService(import_system.CoreServiceName.enum.analytics),
-      this.resolveService(import_system.CoreServiceName.enum.workflow),
-      this.resolveService(import_system.CoreServiceName.enum.ai),
-      this.resolveService(import_system.CoreServiceName.enum.notification),
-      this.resolveService(import_system.CoreServiceName.enum.i18n),
-      this.resolveService(import_system.CoreServiceName.enum.ui),
-      this.resolveService(import_system.CoreServiceName.enum.automation),
-      this.resolveService(import_system.CoreServiceName.enum.cache),
-      this.resolveService(import_system.CoreServiceName.enum.queue),
-      this.resolveService(import_system.CoreServiceName.enum.job)
+      this.resolveService(import_system2.CoreServiceName.enum.auth),
+      this.resolveService(import_system2.CoreServiceName.enum.graphql),
+      this.resolveService(import_system2.CoreServiceName.enum.search),
+      this.resolveService(import_system2.CoreServiceName.enum.realtime),
+      this.resolveService(import_system2.CoreServiceName.enum["file-storage"]),
+      this.resolveService(import_system2.CoreServiceName.enum.analytics),
+      this.resolveService(import_system2.CoreServiceName.enum.workflow),
+      this.resolveService(import_system2.CoreServiceName.enum.ai),
+      this.resolveService(import_system2.CoreServiceName.enum.notification),
+      this.resolveService(import_system2.CoreServiceName.enum.i18n),
+      this.resolveService(import_system2.CoreServiceName.enum.ui),
+      this.resolveService(import_system2.CoreServiceName.enum.automation),
+      this.resolveService(import_system2.CoreServiceName.enum.cache),
+      this.resolveService(import_system2.CoreServiceName.enum.queue),
+      this.resolveService(import_system2.CoreServiceName.enum.job)
     ]);
     const hasAuth = !!authSvc;
     const hasGraphQL = !!(graphqlSvc || this.kernel.graphql);
@@ -3297,7 +3412,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    * path: sub-path after /auth/
    */
   async handleAuth(path, method, body, context) {
-    const authService = await this.getService(import_system.CoreServiceName.enum.auth);
+    const authService = await this.getService(import_system2.CoreServiceName.enum.auth);
     if (authService && typeof authService.handler === "function") {
       const response = await authService.handler(context.request, context.response);
       return { handled: true, result: response };
@@ -3381,10 +3496,21 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return { handled: true, response: this.success({ types: ["object", "app", "plugin"] }) };
     }
+    if (parts.length === 4 && (parts[0] === "objects" || parts[0] === "object") && parts[2] === "state" && (!method || method === "GET")) {
+      const name = parts[1];
+      const field = parts[3];
+      const from = query?.from !== void 0 ? String(query.from) : void 0;
+      const qlService = await this.getObjectQLService();
+      const schema = qlService?.registry?.getObject(name);
+      if (!schema) return { handled: true, response: this.error("Object not found", 404) };
+      const { legalNextStates } = await import("@objectstack/objectql");
+      const next = from === void 0 ? null : legalNextStates(schema, field, from);
+      return { handled: true, response: this.success({ object: name, field, from: from ?? null, next }) };
+    }
     if (parts.length >= 3 && parts[parts.length - 1] === "published" && (!method || method === "GET")) {
       const type = parts[0];
       const name = parts.slice(1, -1).join("/");
-      const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+      const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
       if (metadataService && typeof metadataService.getPublished === "function") {
         const data = await metadataService.getPublished(type, name);
         if (data === void 0) return { handled: true, response: this.error("Not found", 404) };
@@ -3409,7 +3535,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         if (protocol && typeof protocol.saveMetaItem === "function") {
           try {
             const organizationId = await this.resolveActiveOrganizationId(_context);
-            const result = await protocol.saveMetaItem({ type, name, item: body, organizationId });
+            const result = await protocol.saveMetaItem({ type, name, item: body, organizationId, ...packageId ? { packageId } : {} });
             return { handled: true, response: this.success(result) };
           } catch (e) {
             return { handled: true, response: this.error(e.message, 400) };
@@ -3458,7 +3584,7 @@ var _HttpDispatcher = class _HttpDispatcher {
           }
           return { handled: true, response: this.error("Not found", 404) };
         }
-        const singularType = (0, import_shared.pluralToSingular)(type);
+        const singularType = (0, import_shared2.pluralToSingular)(type);
         const protocol = await this.resolveService("protocol");
         if (protocol && typeof protocol.getMetaItem === "function") {
           try {
@@ -3495,7 +3621,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         } catch {
         }
       }
-      const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+      const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
       if (metadataService && typeof metadataService.list === "function") {
         try {
           let items = await metadataService.list(typeOrName);
@@ -3629,7 +3755,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    * path: sub-path after /analytics/
    */
   async handleAnalytics(path, method, body, _context) {
-    const analyticsService = await this.getService(import_system.CoreServiceName.enum.analytics);
+    const analyticsService = await this.getService(import_system2.CoreServiceName.enum.analytics);
     if (!analyticsService) return { handled: false };
     const m = method.toUpperCase();
     const subPath = path.replace(/^\/+/, "");
@@ -3659,7 +3785,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    *   GET /labels/:object?locale=xx   → getFieldLabels  (locale from query)
    */
   async handleI18n(path, method, query, _context) {
-    const i18nService = await this.getService(import_system.CoreServiceName.enum.i18n);
+    const i18nService = await this.getService(import_system2.CoreServiceName.enum.i18n);
     if (!i18nService) return { handled: true, response: this.error("i18n service not available", 501) };
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
@@ -3749,17 +3875,27 @@ var _HttpDispatcher = class _HttpDispatcher {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.enablePackage(id);
         if (!pkg) return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        try {
+          setPackageDisabled(_context?.environmentId, id, false);
+        } catch (err) {
+          console.warn("[handlePackages] failed to persist enable state", { id, error: err?.message });
+        }
         return { handled: true, response: this.success(pkg) };
       }
       if (parts.length === 2 && parts[1] === "disable" && m === "PATCH") {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.disablePackage(id);
         if (!pkg) return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        try {
+          setPackageDisabled(_context?.environmentId, id, true);
+        } catch (err) {
+          console.warn("[handlePackages] failed to persist disable state", { id, error: err?.message });
+        }
         return { handled: true, response: this.success(pkg) };
       }
       if (parts.length === 2 && parts[1] === "publish" && m === "POST") {
         const id = decodeURIComponent(parts[0]);
-        const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+        const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
         if (metadataService && typeof metadataService.publishPackage === "function") {
           const result = await metadataService.publishPackage(id, body || {});
           return { handled: true, response: this.success(result) };
@@ -3768,13 +3904,21 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       if (parts.length === 2 && parts[1] === "revert" && m === "POST") {
         const id = decodeURIComponent(parts[0]);
-        const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+        const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
         if (metadataService && typeof metadataService.revertPackage === "function") {
           await metadataService.revertPackage(id);
           return { handled: true, response: this.success({ success: true }) };
         }
         return { handled: true, response: this.error("Metadata service not available", 503) };
       }
+      if (parts.length === 2 && parts[1] === "export" && m === "GET") {
+        const id = decodeURIComponent(parts[0]);
+        const manifest = await this.assemblePackageManifest(id, registry, _context);
+        if (!manifest) {
+          return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        }
+        return { handled: true, response: this.success(manifest) };
+      }
       if (parts.length === 1 && m === "GET") {
         const id = decodeURIComponent(parts[0]);
         const pkg = registry.getPackage(id);
@@ -3792,6 +3936,83 @@ var _HttpDispatcher = class _HttpDispatcher {
     }
     return { handled: false };
   }
+  /**
+   * Assemble a portable, offline-installable package manifest from the
+   * `sys_metadata` overlay rows bound to `packageId`.
+   *
+   * The resulting shape mirrors what `marketplace-install-local` →
+   * `manifestService.register()` → `engine.registerApp()` consumes:
+   *   `{ id, name, version, objects:[…], views:[…], flows:[…], … }`
+   * where each category key is the PLURAL manifest name and its value is
+   * an array of clean metadata bodies (provenance decorations stripped).
+   *
+   * Only the metadata categories that `registerApp` can actually consume
+   * are exported. `datasources` and `emailTemplates` are intentionally
+   * excluded (not registered by the import path). `tools` / `skills` ARE
+   * round-tripped: they are registered by `registerApp` on import and
+   * surfaced by `getMetaItems('tool' | 'skill')` on export.
+   *
+   * @returns the manifest object, or `null` if the package id is unknown
+   *          AND has no overlay-authored metadata.
+   */
+  async assemblePackageManifest(packageId, registry, context) {
+    const protocol = await this.resolveService("protocol");
+    if (!protocol || typeof protocol.getMetaItems !== "function") return null;
+    const organizationId = await this.resolveActiveOrganizationId(context);
+    const PROVENANCE_KEYS = /* @__PURE__ */ new Set([
+      "_packageId",
+      "_packageVersionId",
+      "_provenance",
+      "_state",
+      "_version",
+      "_organizationId",
+      "_source",
+      "_id",
+      "_rowId"
+    ]);
+    const clean = (item) => {
+      if (!item || typeof item !== "object") return item;
+      const out = {};
+      for (const [k, v] of Object.entries(item)) {
+        if (k.startsWith("_") || PROVENANCE_KEYS.has(k)) continue;
+        out[k] = v;
+      }
+      return out;
+    };
+    const exportPluralKeys = Object.keys(import_shared2.PLURAL_TO_SINGULAR).filter(
+      (k) => k !== "datasources" && k !== "emailTemplates"
+    );
+    const manifest = {};
+    let total = 0;
+    for (const plural of exportPluralKeys) {
+      const singular = import_shared2.PLURAL_TO_SINGULAR[plural];
+      let items = [];
+      try {
+        const res = await protocol.getMetaItems({ type: singular, packageId, organizationId });
+        items = Array.isArray(res?.items) ? res.items : [];
+      } catch {
+        continue;
+      }
+      if (items.length === 0) continue;
+      manifest[plural] = items.map(clean);
+      total += items.length;
+    }
+    const pkg = (() => {
+      try {
+        return registry?.getPackage?.(packageId);
+      } catch {
+        return void 0;
+      }
+    })();
+    if (total === 0 && !pkg) return null;
+    manifest.id = packageId;
+    manifest.name = pkg?.manifest?.name ?? pkg?.name ?? packageId;
+    manifest.version = pkg?.manifest?.version ?? pkg?.version ?? "1.0.0";
+    if (pkg?.manifest?.label ?? pkg?.label) {
+      manifest.label = pkg?.manifest?.label ?? pkg?.label;
+    }
+    return manifest;
+  }
   /**
    * Cloud / Environment Control-Plane routes.
    *
@@ -3814,1348 +4035,57 @@ var _HttpDispatcher = class _HttpDispatcher {
    *  - DELETE /cloud/environments/:id/packages/:pkgId        → uninstall (scope=platform forbidden)
    *  - POST   /cloud/environments/:id/packages/:pkgId/upgrade → upgrade to newer version
    *
-   * Driver binding
-   * --------------
-   * Environments are not tied to any specific driver. At provisioning time the
-   * caller passes `driver` (a short name such as `memory`, `turso`, or any
-   * future `sql` / `postgres` driver). The dispatcher validates the name
-   * against the kernel's registered driver services (`driver.<name>`) and
-   * derives an appropriate placeholder `database_url` for the chosen driver.
-   * If `driver` is omitted, the dispatcher auto-selects the first available
-   * in preference order: turso → memory → any other registered driver.
-   *
-   * Backed by ObjectQL sys_environment / sys_environment_credential /
-   * sys_environment_member tables (registered by
-   * `@objectstack/service-tenant`'s `createTenantPlugin`).
-   * Physical database addressing (database_url, database_driver, etc.)
-   * is stored directly on the sys_environment row.
-   */
-  /**
-   * Resolve the calling user id from the request session, if any.
-   * Returns `undefined` for anonymous calls or when auth is not wired up.
-   */
-  async resolveActiveOrganizationId(context) {
-    try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
-      const rawHeaders = context.request?.headers;
-      let headers = rawHeaders;
-      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-        try {
-          const h = new Headers();
-          for (const [k, v] of Object.entries(rawHeaders)) {
-            if (v == null) continue;
-            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-          }
-          headers = h;
-        } catch {
-          headers = rawHeaders;
-        }
-      }
-      const apiObj = authService?.auth?.api ?? authService?.api;
-      const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
-      const oid = sessionData?.session?.activeOrganizationId;
-      return typeof oid === "string" && oid.length > 0 ? oid : void 0;
-    } catch {
-      return void 0;
-    }
-  }
-  async resolveCallerUserId(context) {
-    try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
-      const rawHeaders = context.request?.headers;
-      let headers = rawHeaders;
-      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-        try {
-          const h = new Headers();
-          for (const [k, v] of Object.entries(rawHeaders)) {
-            if (v == null) continue;
-            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-          }
-          headers = h;
-        } catch {
-          headers = rawHeaders;
-        }
-      }
-      const sessionData = await (authService?.auth?.api?.getSession ?? authService?.api?.getSession)?.call(
-        authService?.auth?.api ?? authService?.api,
-        { headers }
-      );
-      return sessionData?.user?.id ?? sessionData?.session?.userId;
-    } catch (e) {
-      return void 0;
-    }
-  }
-  async handleCloud(path, method, body, query, _context) {
-    const m = method.toUpperCase();
-    const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
-    const qlService = await this.getObjectQLService();
-    const ql = qlService ?? await this.resolveService("objectql");
-    if (!ql) {
-      return { handled: true, response: this.error("Project service not available (ObjectQL missing)", 503) };
-    }
-    const ENV = "sys_environment";
-    const CRED = "sys_environment_credential";
-    const MEM = "sys_environment_member";
-    const PKG_INSTALL = "sys_package_installation";
-    const PKG = "sys_package";
-    const PKG_VERSION = "sys_package_version";
-    const ensureSysPackage = async (manifestId, ownerOrgId, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG, {
-        id,
-        manifest_id: manifestId,
-        owner_org_id: ownerOrgId,
-        display_name: manifest?.name ?? manifestId,
-        description: manifest?.description ?? null,
-        visibility: "private",
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const ensureSysPackageVersion = async (packageId, version, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG_VERSION, {
-        where: { package_id: packageId, version }
-      });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG_VERSION, {
-        id,
-        package_id: packageId,
-        version,
-        status: "published",
-        manifest_json: manifest ? JSON.stringify(manifest) : null,
-        is_pre_release: false,
-        published_at: nowIso,
-        published_by: createdBy,
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const findInstallByManifestId = async (envId, manifestId) => {
-      const pkgRow = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (!pkgRow?.id) return null;
-      return await ql.findOne(PKG_INSTALL, {
-        where: { environment_id: envId, package_id: pkgRow.id }
-      });
-    };
-    const toShortName = (driverId) => {
-      const prefix = "com.objectstack.driver.";
-      return driverId.startsWith(prefix) ? driverId.slice(prefix.length) : driverId;
-    };
-    const listRegisteredDrivers = () => {
-      const services = this.getServicesMap();
-      const registry = services["project-provisioning-adapters"];
-      if (registry && typeof registry.list === "function") {
-        try {
-          const adapters = registry.list();
-          const seen = /* @__PURE__ */ new Set();
-          const drivers2 = [];
-          for (const adapter of adapters ?? []) {
-            const name = adapter?.driver;
-            if (!name || seen.has(name)) continue;
-            seen.add(name);
-            drivers2.push({ name, driverId: `com.objectstack.driver.${name}` });
-          }
-          if (drivers2.length > 0) return drivers2;
-        } catch {
-        }
-      }
-      const drivers = [];
-      for (const [serviceKey, svc] of Object.entries(services)) {
-        if (!serviceKey.startsWith("driver.")) continue;
-        const raw = serviceKey.slice("driver.".length);
-        if (!raw || raw === "unknown") continue;
-        const driverId = svc?.name ?? raw;
-        drivers.push({ name: toShortName(driverId), driverId });
-      }
-      return drivers;
-    };
-    const resolveDriver = (requested) => {
-      const registered = listRegisteredDrivers();
-      if (requested) {
-        const wanted = String(requested).toLowerCase();
-        return registered.find((d) => d.name === wanted || d.driverId === wanted);
-      }
-      return registered.find((d) => d.name === "turso") ?? registered.find((d) => d.name === "memory") ?? registered[0];
-    };
-    const buildDatabaseUrl = (driverName, environmentId) => {
-      const dbName = `env-${environmentId}`;
-      switch (driverName) {
-        case "memory":
-          return `memory://${dbName}`;
-        case "turso":
-          return `libsql://${dbName}.mock-turso.local`;
-        default:
-          return `${driverName}://${dbName}`;
-      }
-    };
-    const getRealAdapter = async (driverName) => {
-      try {
-        const registry = await this.resolveService("project-provisioning-adapters");
-        const aliases = { sql: "sqlite" };
-        const effective = aliases[driverName] ?? driverName;
-        return registry?.get?.(effective) ?? registry?.get?.(driverName);
-      } catch {
-        return void 0;
-      }
-    };
-    const findOne = async (obj, where) => {
-      let rows = await ql.find(obj, { where });
-      if (rows && rows.value) rows = rows.value;
-      if (!Array.isArray(rows)) return void 0;
-      return rows[0];
-    };
-    const cleanProjectRow = (row) => {
-      if (!row) return row;
-      let metadata = row.metadata;
-      if (typeof metadata === "string") {
-        try {
-          metadata = JSON.parse(metadata);
-        } catch {
-        }
-      }
-      return { ...row, metadata };
-    };
-    try {
-      if (parts.length === 1 && parts[0] === "drivers" && m === "GET") {
-        const drivers = listRegisteredDrivers();
-        return { handled: true, response: this.success({ drivers, total: drivers.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "templates" && m === "GET") {
-        try {
-          const seeder = await this.resolveService("template-seeder");
-          const templates = seeder?.listTemplates?.() ?? [];
-          return { handled: true, response: this.success({ templates, total: templates.length }) };
-        } catch (err) {
-          try {
-            console.error("[HttpDispatcher] /cloud/templates: failed to resolve template-seeder:", err?.message ?? err);
-          } catch {
-          }
-          return { handled: true, response: this.success({ templates: [], total: 0 }) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "admin" && parts[1] === "platform-sso" && parts[2] === "backfill" && m === "POST") {
-        const baseSecret = ((0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-        if (!baseSecret) {
-          return { handled: true, response: this.error("OS_AUTH_SECRET not configured on this worker", 503) };
-        }
-        const rawHeaders = _context?.request?.headers;
-        let authHeader;
-        if (rawHeaders && typeof rawHeaders.get === "function") {
-          authHeader = rawHeaders.get("authorization") ?? void 0;
-        } else if (rawHeaders && typeof rawHeaders === "object") {
-          authHeader = rawHeaders["authorization"] ?? rawHeaders["Authorization"];
-        }
-        const presented = typeof authHeader === "string" && authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
-        if (!presented || presented !== baseSecret) {
-          return { handled: true, response: this.error("forbidden: Bearer token must match OS_AUTH_SECRET", 403) };
-        }
-        try {
-          const { backfillPlatformSsoClients: backfillPlatformSsoClients2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const result = await backfillPlatformSsoClients2({
-            ql,
-            baseSecret,
-            logger: console
-          });
-          let sample = [];
-          let total = 0;
-          try {
-            const rows = await ql.find("sys_oauth_application", { limit: 5 }, { context: { isSystem: true } });
-            const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-            sample = list;
-            total = typeof rows?.total === "number" ? rows.total : list.length;
-          } catch (e) {
-            sample = [{ _readErr: e?.message ?? String(e) }];
-          }
-          return { handled: true, response: this.success({ ...result, total, sample }) };
-        } catch (err) {
-          return { handled: true, response: this.error(`backfill failed: ${err?.message ?? String(err)}`, 500) };
-        }
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "GET") {
-        const where = {};
-        if (query?.organizationId) where.organization_id = query.organizationId;
-        if (query?.status) where.status = query.status;
-        let rows = await ql.find(ENV, Object.keys(where).length ? { where } : void 0);
-        if (rows && rows.value) rows = rows.value;
-        const projects = (Array.isArray(rows) ? rows : []).map(cleanProjectRow);
-        return { handled: true, response: this.success({ projects, total: projects.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "POST") {
-        const req = body || {};
-        if (req.organization_id === "__session__" || req.created_by === "__session__") {
-          try {
-            const userId = await this.resolveCallerUserId(_context);
-            if (req.created_by === "__session__") {
-              req.created_by = userId ?? "system";
-            }
-            if (req.organization_id === "__session__") {
-              const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
-              const rawHeaders = _context?.request?.headers;
-              let headers = rawHeaders;
-              if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-                const h = new Headers();
-                for (const [k, v] of Object.entries(rawHeaders)) {
-                  if (v == null) continue;
-                  h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-                }
-                headers = h;
-              }
-              const apiObj = authService?.auth?.api ?? authService?.api;
-              const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
-              req.organization_id = sessionData?.session?.activeOrganizationId ?? void 0;
-            }
-          } catch {
-          }
-        }
-        if (!req.organization_id || !req.display_name) {
-          return { handled: true, response: this.error("organization_id and display_name are required", 400) };
-        }
-        const environmentId = randomUUID();
-        const credentialId = randomUUID();
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const resolved = resolveDriver(req.driver);
-        if (!resolved) {
-          const available = listRegisteredDrivers().map((d) => d.name);
-          if (req.driver) {
-            return {
-              handled: true,
-              response: this.error(
-                `Unknown driver '${req.driver}'. Available drivers: [${available.join(", ") || "none"}]`,
-                400
-              )
-            };
-          }
-          return {
-            handled: true,
-            response: this.error(
-              "No ObjectQL driver is registered. Register at least one DriverPlugin (e.g. InMemoryDriver or SqlDriver).",
-              503
-            )
-          };
-        }
-        const driver = resolved.name;
-        let plaintextSecret = `mock-token-${environmentId}`;
-        let computedHostname = req.hostname;
-        if (!computedHostname) {
-          const shortId = environmentId.slice(0, 8);
-          try {
-            const orgRow = await findOne("sys_organization", { id: req.organization_id });
-            const orgSlug = orgRow?.slug || req.organization_id;
-            const rootDomain = (0, import_core2.getEnv)("OS_ROOT_DOMAIN") ?? (0, import_core2.getEnv)("ROOT_DOMAIN", "objectstack.app");
-            computedHostname = `${orgSlug}-${shortId}.${rootDomain}`;
-          } catch {
-            computedHostname = `${req.organization_id}-${shortId}.objectstack.app`;
-          }
-        }
-        try {
-          const existing = await findOne("sys_environment", {
-            hostname: computedHostname
-          });
-          if (existing && existing.id !== environmentId) {
-            return {
-              handled: true,
-              response: this.error(
-                `Hostname '${computedHostname}' is already in use by another project.`,
-                409,
-                { code: "HOSTNAME_TAKEN", hostname: computedHostname }
-              )
-            };
-          }
-        } catch {
-        }
-        const baseMetadata = { ...req.metadata ?? {} };
-        const simulateFailure = Boolean(baseMetadata.__simulateFailure);
-        const simulateDelayMs = Number(baseMetadata.__simulateDelayMs ?? 1500);
-        try {
-          let ownerUserId = req.created_by && req.created_by !== "system" ? String(req.created_by) : void 0;
-          if (!ownerUserId) {
-            ownerUserId = await this.resolveCallerUserId(_context);
-          }
-          if (ownerUserId) {
-            const userRow = await ql.find("sys_user", { where: { id: ownerUserId } });
-            const userRows = Array.isArray(userRow) ? userRow : userRow?.value ?? [];
-            const u = Array.isArray(userRows) && userRows.length > 0 ? userRows[0] : null;
-            if (u?.email) {
-              baseMetadata.ownerSeed = {
-                userId: String(ownerUserId),
-                email: String(u.email),
-                name: u.name ? String(u.name) : null,
-                image: u.image ? String(u.image) : null
-              };
-            }
-          }
-        } catch {
-        }
-        try {
-          const orgRow = await ql.find("sys_organization", { where: { id: req.organization_id } });
-          const orgRows = Array.isArray(orgRow) ? orgRow : orgRow?.value ?? [];
-          const org = Array.isArray(orgRows) && orgRows.length > 0 ? orgRows[0] : null;
-          if (org?.id && org?.name) {
-            baseMetadata.orgSeed = {
-              id: String(org.id),
-              name: String(org.name),
-              slug: org.slug ? String(org.slug) : null,
-              logo: org.logo ? String(org.logo) : null
-            };
-          }
-        } catch {
-        }
-        await ql.insert(ENV, {
-          id: environmentId,
-          organization_id: req.organization_id,
-          display_name: req.display_name,
-          is_default: req.is_default ?? false,
-          is_system: req.is_system ?? false,
-          plan: req.plan ?? "free",
-          status: "provisioning",
-          created_by: req.created_by ?? "system",
-          metadata: JSON.stringify(baseMetadata),
-          created_at: nowIso,
-          updated_at: nowIso,
-          database_url: null,
-          database_driver: driver,
-          storage_limit_mb: req.storage_limit_mb ?? 1024,
-          provisioned_at: null,
-          hostname: computedHostname,
-          visibility: (() => {
-            const raw = String(req.visibility ?? "private");
-            return raw === "unlisted" ? "private" : raw;
-          })()
-        });
-        try {
-          const { seedPlatformSsoClient: seedPlatformSsoClient2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const baseSecret = ((0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-          if (baseSecret) {
-            await seedPlatformSsoClient2({
-              ql,
-              environmentId,
-              hostname: computedHostname,
-              baseSecret,
-              logger: console
-            });
-          }
-        } catch (ssoErr) {
-          console.warn?.("[http-dispatcher] platform SSO seed failed (non-fatal)", {
-            environmentId,
-            error: ssoErr?.message
-          });
-        }
-        const runProvisioning = async () => {
-          try {
-            if (simulateDelayMs > 0) {
-              await new Promise((r) => setTimeout(r, simulateDelayMs));
-            }
-            if (simulateFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            try {
-              const adapter = await getRealAdapter(driver);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId,
-                  databaseName: `p-${environmentId.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: req.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) plaintextSecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(driver, environmentId);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const seedStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                database_url: databaseUrl,
-                updated_at: seedStartedAt
-              },
-              { where: { id: environmentId } }
-            );
-            await ql.insert(CRED, {
-              id: credentialId,
-              environment_id: environmentId,
-              secret_ciphertext: plaintextSecret,
-              encryption_key_id: "noop",
-              authorization: "full_access",
-              status: "active",
-              created_at: seedStartedAt,
-              updated_at: seedStartedAt
-            });
-            const templateId = req.template_id ?? "blank";
-            if (templateId !== "blank") {
-              try {
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder) {
-                  await seeder.seed({ environmentId, templateId });
-                }
-              } catch (seedErr) {
-                const seedMessage = seedErr instanceof Error ? seedErr.message : String(seedErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        templateSeedError: { message: seedMessage, templateId }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const artifactPathRaw = baseMetadata.artifact_path;
-            if (typeof artifactPathRaw === "string" && artifactPathRaw.length > 0) {
-              try {
-                const path2 = await import("path");
-                const { isHttpUrl: isHttpUrl2, loadArtifactBundle: loadArtifactBundle2 } = await Promise.resolve().then(() => (init_load_artifact_bundle(), load_artifact_bundle_exports));
-                const root = process.env.OS_PROJECT_ARTIFACT_ROOT ?? process.cwd();
-                const resolved2 = isHttpUrl2(artifactPathRaw) ? artifactPathRaw : path2.isAbsolute(artifactPathRaw) ? artifactPathRaw : path2.resolve(root, artifactPathRaw);
-                const bundle = await loadArtifactBundle2(resolved2, { tag: "[bind-artifact]" });
-                if (!bundle) {
-                  throw new Error(`failed to load artifact bundle at '${resolved2}'`);
-                }
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder?.seedBundle) {
-                  await seeder.seedBundle({ environmentId, bundle });
-                } else {
-                  throw new Error("template-seeder.seedBundle is unavailable");
-                }
-              } catch (bindErr) {
-                const bindMessage = bindErr instanceof Error ? bindErr.message : String(bindErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        artifactBindError: { message: bindMessage, artifactPath: artifactPathRaw }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                provisioned_at: finishedAt,
-                updated_at: finishedAt
-              },
-              { where: { id: environmentId } }
-            );
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...baseMetadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id: environmentId } }
-            );
-          }
-        };
-        const provisionSyncEnv = process.env.OS_PROVISION_SYNC;
-        const onServerless = !!(process.env.VERCEL || process.env.AWS_LAMBDA_FUNCTION_NAME || process.env.NETLIFY || process.env.CF_PAGES);
-        const syncProvisioning = provisionSyncEnv === void 0 ? onServerless : provisionSyncEnv !== "0" && provisionSyncEnv !== "false";
-        if (syncProvisioning) {
-          await runProvisioning();
-        } else {
-          void runProvisioning();
-        }
-        const project = cleanProjectRow(await findOne(ENV, { id: environmentId }));
-        const res = this.success({ project });
-        res.status = syncProvisioning ? 201 : 202;
-        return { handled: true, response: res };
-      }
-      if (parts.length === 2 && parts[0] === "projects") {
-        const id = decodeURIComponent(parts[1]);
-        if (m === "GET") {
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          const credRow = await findOne(CRED, { environment_id: id, status: "active" });
-          const callerUserId = await this.resolveCallerUserId(_context);
-          const membership = callerUserId ? await findOne(MEM, { environment_id: id, user_id: callerUserId }) : await findOne(MEM, { environment_id: id });
-          const credMeta = credRow ? {
-            id: credRow.id,
-            status: credRow.status,
-            authorization: credRow.authorization,
-            activatedAt: credRow.created_at,
-            expiresAt: credRow.expires_at
-          } : void 0;
-          const project = cleanProjectRow(envRow);
-          const database = project.database_url ? {
-            driver: project.database_driver,
-            database_name: `env-${project.id}`,
-            database_url: project.database_url,
-            storage_limit_mb: project.storage_limit_mb,
-            provisioned_at: project.provisioned_at
-          } : void 0;
-          return {
-            handled: true,
-            response: this.success({ project, database, credential: credMeta, membership })
-          };
-        }
-        if (m === "PATCH") {
-          const patch = {};
-          if (body?.display_name !== void 0) patch.display_name = body.display_name;
-          if (body?.plan !== void 0) patch.plan = body.plan;
-          if (body?.status !== void 0) patch.status = body.status;
-          if (body?.is_default !== void 0) patch.is_default = body.is_default;
-          if (body?.visibility !== void 0) {
-            let v = String(body.visibility);
-            if (v === "unlisted") v = "private";
-            if (!["private", "public"].includes(v)) {
-              return { handled: true, response: this.error(`Invalid visibility '${v}' (expected private | public)`, 400) };
-            }
-            patch.visibility = v;
-          }
-          if (body?.metadata !== void 0) patch.metadata = JSON.stringify(body.metadata);
-          patch.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-          await ql.update(ENV, patch, { where: { id } });
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          return { handled: true, response: this.success({ project: cleanProjectRow(envRow) }) };
-        }
-        if (m === "DELETE") {
-          const force = query?.force === "1" || query?.force === "true" || body?.force === true;
-          const result = await this.deleteProjectCascade(id, { ql, findOne, getRealAdapter, force });
-          if (!result.ok) {
-            return { handled: true, response: this.error(result.error ?? "Delete failed", result.status ?? 500) };
-          }
-          return { handled: true, response: this.success({ deleted: true, environmentId: id, warnings: result.warnings }) };
-        }
-      }
-      if (parts.length === 2 && parts[0] === "organizations" && m === "DELETE") {
-        const orgId = decodeURIComponent(parts[1]);
-        let projectRows = [];
-        try {
-          let rows = await ql.find(ENV, { where: { organization_id: orgId } });
-          if (rows && rows.value) rows = rows.value;
-          projectRows = Array.isArray(rows) ? rows : [];
-        } catch {
-          projectRows = [];
-        }
-        const warnings = [];
-        let deletedProjects = 0;
-        for (const row of projectRows) {
-          const pid = row?.id;
-          if (!pid) continue;
-          try {
-            const r = await this.deleteProjectCascade(pid, { ql, findOne, getRealAdapter, force: true });
-            if (r.ok) deletedProjects++;
-            if (r.warnings?.length) warnings.push(...r.warnings);
-            if (!r.ok && r.error) warnings.push(`Project ${pid}: ${r.error}`);
-          } catch (err) {
-            warnings.push(
-              `Failed to delete project ${pid}: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        let orgDeleted = false;
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const fn = authService?.api?.deleteOrganization;
-          if (typeof fn === "function") {
-            await fn.call(authService.api, {
-              body: { organizationId: orgId },
-              headers: _context?.request?.headers
-            });
-            orgDeleted = true;
-          }
-        } catch (err) {
-          warnings.push(
-            `auth.deleteOrganization failed: ${err instanceof Error ? err.message : String(err)}`
-          );
-        }
-        if (!orgDeleted) {
-          try {
-            await ql.delete("sys_organization", { where: { id: orgId } });
-            orgDeleted = true;
-          } catch (err) {
-            warnings.push(
-              `Failed to delete sys_organization row: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        return {
-          handled: true,
-          response: this.success({
-            deleted: orgDeleted,
-            organizationId: orgId,
-            deletedProjects,
-            warnings
-          })
-        };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "hostname" && (m === "POST" || m === "PUT")) {
-        const id = decodeURIComponent(parts[1]);
-        const hostname = body?.hostname;
-        if (!hostname || typeof hostname !== "string") {
-          return { handled: true, response: this.error("hostname is required", 400) };
-        }
-        const normalized = hostname.trim().toLowerCase();
-        if (!/^[a-z0-9]([a-z0-9\-\.]*[a-z0-9])?$/.test(normalized)) {
-          return { handled: true, response: this.error("Invalid hostname format", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        let existing;
-        try {
-          const rows = await ql.find(ENV, { where: { hostname: normalized } });
-          const arr = Array.isArray(rows) ? rows : rows?.value ?? [];
-          existing = arr.find((r) => r.id !== id);
-        } catch {
-        }
-        if (existing) {
-          return {
-            handled: true,
-            response: this.error(
-              `Hostname '${normalized}' is already in use by another project.`,
-              409,
-              { code: "HOSTNAME_TAKEN", hostname: normalized }
-            )
-          };
-        }
-        const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(ENV, { hostname: normalized, updated_at: updatedAt }, { where: { id } });
-        if (this.envRegistry?.invalidate) {
-          try {
-            await this.envRegistry.invalidate(id);
-          } catch {
-          }
-        }
-        const updated = cleanProjectRow(await findOne(ENV, { id }));
-        return { handled: true, response: this.success({ project: updated }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "retry" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        if (envRow.status !== "failed" && envRow.status !== "provisioning") {
-          return {
-            handled: true,
-            response: this.error(
-              `Project '${id}' is '${envRow.status}'; only failed or provisioning projects can be retried.`,
-              409
-            )
-          };
-        }
-        const driverName = envRow.database_driver;
-        const resolved = resolveDriver(driverName);
-        if (!resolved) {
-          return {
-            handled: true,
-            response: this.error(
-              `Driver '${driverName}' is no longer registered; retry aborted.`,
-              503
-            )
-          };
-        }
-        let metadata = {};
-        if (envRow.metadata) {
-          if (typeof envRow.metadata === "string") {
-            try {
-              metadata = JSON.parse(envRow.metadata);
-            } catch {
-              metadata = {};
-            }
-          } else if (typeof envRow.metadata === "object") {
-            metadata = { ...envRow.metadata };
-          }
-        }
-        delete metadata.provisioningError;
-        const retryStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(
-          ENV,
-          {
-            status: "provisioning",
-            metadata: JSON.stringify(metadata),
-            updated_at: retryStartedAt
-          },
-          { where: { id } }
-        );
-        const simulateRetryFailure = Boolean(metadata.__simulateFailure);
-        const simulateRetryDelay = Number(metadata.__simulateDelayMs ?? 1500);
-        const runRetry = async () => {
-          try {
-            if (simulateRetryDelay > 0) {
-              await new Promise((r) => setTimeout(r, simulateRetryDelay));
-            }
-            if (simulateRetryFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            let retrySecret = `mock-token-${id}`;
-            try {
-              const adapter = await getRealAdapter(resolved.name);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId: id,
-                  databaseName: `p-${id.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: envRow.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) retrySecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(resolved.name, id);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                database_url: databaseUrl,
-                database_driver: resolved.name,
-                provisioned_at: nowIso,
-                updated_at: nowIso
-              },
-              { where: { id } }
-            );
-            const existingCred = await findOne(CRED, { environment_id: id, status: "active" });
-            if (!existingCred) {
-              await ql.insert(CRED, {
-                id: randomUUID(),
-                environment_id: id,
-                secret_ciphertext: retrySecret,
-                encryption_key_id: "noop",
-                authorization: "full_access",
-                status: "active",
-                created_at: nowIso,
-                updated_at: nowIso
-              });
-            }
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...metadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id } }
-            );
-          }
-        };
-        void runRetry();
-        const envAfter = cleanProjectRow(await findOne(ENV, { id }));
-        const retryRes = this.success({ project: envAfter });
-        retryRes.status = 202;
-        return { handled: true, response: retryRes };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "activate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        return { handled: true, response: this.success({ project: cleanProjectRow(envRow), sessionUpdated: false }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "credentials" && parts[3] === "rotate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const plaintext = body?.plaintext;
-        if (!plaintext || typeof plaintext !== "string") {
-          return { handled: true, response: this.error("plaintext is required", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        let existing = await ql.find(CRED, { where: { environment_id: id, status: "active" } });
-        if (existing && existing.value) existing = existing.value;
-        for (const row of Array.isArray(existing) ? existing : []) {
-          await ql.update(CRED, {
-            status: "revoked",
-            revoked_at: nowIso,
-            updated_at: nowIso
-          }, { where: { id: row.id } });
-        }
-        const credentialId = randomUUID();
-        await ql.insert(CRED, {
-          id: credentialId,
-          environment_id: id,
-          secret_ciphertext: plaintext,
-          encryption_key_id: "noop",
-          authorization: "full_access",
-          status: "active",
-          created_at: nowIso,
-          updated_at: nowIso
-        });
-        const credential = await findOne(CRED, { id: credentialId });
-        const credMeta = credential ? {
-          id: credential.id,
-          status: credential.status,
-          authorization: credential.authorization,
-          activatedAt: credential.created_at
-        } : void 0;
-        return { handled: true, response: this.success({ credential: credMeta }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "GET") {
-        const id = decodeURIComponent(parts[1]);
-        let rows = await ql.find(MEM, { where: { environment_id: id } });
-        if (rows && rows.value) rows = rows.value;
-        const members = Array.isArray(rows) ? rows : [];
-        const userIds = Array.from(new Set(members.map((mem) => mem.user_id).filter(Boolean)));
-        const userMap = /* @__PURE__ */ new Map();
-        for (const uid of userIds) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { id: uid } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (row) userMap.set(String(uid), {
-            id: row.id,
-            name: row.name ?? row.display_name,
-            email: row.email,
-            image: row.image ?? row.avatar_url
-          });
-        }
-        const enriched = members.map((mem) => ({
-          ...mem,
-          user: userMap.get(String(mem.user_id)) ?? void 0
-        }));
-        return { handled: true, response: this.success({ members: enriched }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const email = typeof body?.email === "string" ? String(body.email).trim().toLowerCase() : null;
-        let inviteUserId = typeof body?.user_id === "string" ? String(body.user_id).trim() : null;
-        let role = String(body?.role ?? "member").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(role)) {
-          return { handled: true, response: this.error(`Invalid role '${role}' (expected owner | admin | member | viewer)`, 400) };
-        }
-        if (!email && !inviteUserId) {
-          return { handled: true, response: this.error("email or user_id is required", 400) };
-        }
-        if (!inviteUserId && email) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { email } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (!row?.id) {
-            return { handled: true, response: this.error(`No user found with email '${email}'`, 404) };
-          }
-          inviteUserId = String(row.id);
-        }
-        const existing = await findOne(MEM, { environment_id: id, user_id: inviteUserId });
-        if (existing) {
-          return { handled: true, response: this.success({ member: existing, alreadyMember: true }) };
-        }
-        try {
-          const memberId = randomUUID();
-          await ql.insert(MEM, {
-            id: memberId,
-            environment_id: id,
-            user_id: inviteUserId,
-            role,
-            invited_by: callerId,
-            organization_id: project.organization_id ?? null
-          });
-          const created = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: created, alreadyMember: false }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to add member", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "PATCH") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const newRole = String(body?.role ?? "").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(newRole)) {
-          return { handled: true, response: this.error(`Invalid role '${newRole}'`, 400) };
-        }
-        if (target.role === "owner" && newRole !== "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot demote the last owner", 409) };
-          }
-        }
-        try {
-          await ql.update(MEM, { role: newRole, updated_at: (/* @__PURE__ */ new Date()).toISOString() }, { where: { id: memberId } });
-          const updated = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: updated }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to update role", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "DELETE") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        const isSelf = String(target.user_id) === String(callerId);
-        const isPrivileged = callerMem && ["owner", "admin"].includes(String(callerMem.role));
-        if (!isSelf && !isPrivileged) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        if (target.role === "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot remove the last owner", 409) };
-          }
-        }
-        try {
-          await ql.delete(MEM, { where: { id: memberId } });
-          return { handled: true, response: this.success({ removed: true, memberId }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to remove member", 500) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        let rows = await ql.find(PKG_INSTALL, { where: { environment_id: envId } });
-        if (rows && rows.value) rows = rows.value;
-        const installs = Array.isArray(rows) ? rows : [];
-        const packages = await Promise.all(
-          installs.map(async (r) => {
-            let manifestId = null;
-            let versionStr = null;
-            try {
-              if (r.package_id) {
-                const pkg = await ql.findOne(PKG, { where: { id: r.package_id } });
-                manifestId = pkg?.manifest_id ?? null;
-              }
-              if (r.package_version_id) {
-                const ver = await ql.findOne(PKG_VERSION, { where: { id: r.package_version_id } });
-                versionStr = ver?.version ?? null;
-              }
-            } catch {
-            }
-            return {
-              ...r,
-              // Surface user-facing identifiers expected by client SDK
-              packageId: manifestId,
-              package_id: manifestId ?? r.package_id,
-              version: versionStr ?? r.version ?? null
-            };
-          })
-        );
-        return { handled: true, response: this.success({ packages, total: packages.length }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const { packageId, version, settings, enableOnInstall } = body ?? {};
-        if (!packageId) return { handled: true, response: this.error("packageId is required", 400) };
-        const qlSvc = await this.getObjectQLService();
-        const pkgRegistry = qlSvc?.registry;
-        const allPkgs = pkgRegistry?.getAllPackages?.() ?? [];
-        const manifestEntry = allPkgs.find((p) => (p?.manifest?.id ?? p?.id) === packageId);
-        const manifest = manifestEntry?.manifest ?? manifestEntry;
-        if (!manifest) {
-          return { handled: true, response: this.error(`Package '${packageId}' is not registered on this server`, 404) };
-        }
-        const CLOUD_SCOPES = /* @__PURE__ */ new Set(["cloud", "system", "platform"]);
-        if (CLOUD_SCOPES.has(manifest?.scope)) {
-          return { handled: true, response: this.error(`Package '${packageId}' has scope=${manifest.scope} and cannot be installed per-project`, 403) };
-        }
-        const projectRow = await findOne(ENV, { id: envId });
-        if (!projectRow) {
-          return { handled: true, response: this.error(`Project '${envId}' not found`, 404) };
-        }
-        const ownerOrgId = projectRow.organization_id ?? "system";
-        let userId = "system";
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? sessionData?.session?.userId ?? "system";
-        } catch {
-        }
-        const resolvedVersion = version ?? manifest?.version ?? "1.0.0";
-        const dup = await ql.findOne(PKG_INSTALL, {
-          where: { environment_id: envId, package_id: packageId }
-        });
-        if (dup?.id) {
-          return { handled: true, response: this.error(`Package '${packageId}' is already installed in this project`, 409) };
-        }
-        const sysPackageId = await ensureSysPackage(packageId, ownerOrgId, userId, manifest);
-        const sysPackageVersionId = await ensureSysPackageVersion(sysPackageId, resolvedVersion, userId, manifest);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const recordId = randomUUID();
-        await ql.insert(PKG_INSTALL, {
-          id: recordId,
-          environment_id: envId,
-          package_id: sysPackageId,
-          package_version_id: sysPackageVersionId,
-          status: "installed",
-          enabled: enableOnInstall !== false,
-          installed_at: nowIso,
-          installed_by: userId,
-          updated_at: nowIso,
-          settings: settings ? JSON.stringify(settings) : null
-        });
-        const record = await ql.findOne(PKG_INSTALL, { where: { id: recordId } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await ql.findOne(PKG_INSTALL, { where: { environment_id: envId, package_id: pkgId } });
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "DELETE") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs0 = this.kernel.packages?.getAll?.() ?? [];
-        const m0 = allPkgs0.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m0?.scope && ["cloud", "system", "platform"].includes(m0.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m0.scope} cannot be uninstalled`, 403) };
-        }
-        await ql.delete(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ id: record.id, success: true }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "enable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: true, status: "installed", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "disable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs1 = this.kernel.packages?.getAll?.() ?? [];
-        const m1 = allPkgs1.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m1?.scope && ["cloud", "system", "platform"].includes(m1.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m1.scope} cannot be disabled`, 403) };
-        }
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: false, status: "disabled", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "upgrade" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const { targetVersion } = body ?? {};
-        const allPkgs2 = this.kernel.packages?.getAll?.() ?? [];
-        const manifest2 = allPkgs2.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        const currentVer = await ql.findOne(PKG_VERSION, { where: { id: record.package_version_id } });
-        const newVersion = targetVersion ?? manifest2?.version ?? currentVer?.version ?? "1.0.0";
-        if (newVersion === currentVer?.version) {
-          return { handled: true, response: this.success({ package: record, message: "Already at target version" }) };
-        }
-        let userId = "system";
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? "system";
-        } catch {
-        }
-        const newVersionId = await ensureSysPackageVersion(record.package_id, newVersion, userId, manifest2);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, {
-          package_version_id: newVersionId,
-          status: "installed",
-          updated_at: nowIso
-        }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-    } catch (e) {
-      return { handled: true, response: this.error(e.message, e.statusCode || 500) };
-    }
-    return { handled: false };
-  }
-  /**
-   * Cascade-delete a project: cred / member / package_installation rows,
-   * then the physical database via the provisioning adapter, then the
-   * `sys_environment` row itself. Used by both `DELETE /cloud/environments/:id`
-   * and the org-cascade in `DELETE /cloud/organizations/:id`.
-   *
-   * Idempotent and best-effort: missing rows / unreachable adapters
-   * become warnings rather than hard failures, so a half-provisioned
-   * project can still be cleaned out.
+   * Driver binding
+   * --------------
+   * Environments are not tied to any specific driver. At provisioning time the
+   * caller passes `driver` (a short name such as `memory`, `turso`, or any
+   * future `sql` / `postgres` driver). The dispatcher validates the name
+   * against the kernel's registered driver services (`driver.<name>`) and
+   * derives an appropriate placeholder `database_url` for the chosen driver.
+   * If `driver` is omitted, the dispatcher auto-selects the first available
+   * in preference order: turso → memory → any other registered driver.
+   *
+   * Backed by ObjectQL sys_environment / sys_environment_credential /
+   * sys_environment_member tables (registered by
+   * `@objectstack/service-tenant`'s `createTenantPlugin`).
+   * Physical database addressing (database_url, database_driver, etc.)
+   * is stored directly on the sys_environment row.
    */
-  async deleteProjectCascade(environmentId, deps) {
-    const { ql, findOne, getRealAdapter, force } = deps;
-    const ENV = "sys_environment";
-    const warnings = [];
-    const row = await findOne(ENV, { id: environmentId });
-    if (!row) {
-      return { ok: false, status: 404, error: `Project '${environmentId}' not found`, warnings };
-    }
-    if (row.is_system === true || row.is_system === 1) {
-      return { ok: false, status: 409, error: `Project '${environmentId}' is a system project and cannot be deleted`, warnings };
-    }
-    if ((row.is_default === true || row.is_default === 1) && !force) {
-      return {
-        ok: false,
-        status: 409,
-        error: `Project '${environmentId}' is the default project for its organization. Pass ?force=1 to delete it.`,
-        warnings
-      };
-    }
-    const cascade = [
-      { object: "sys_environment_credential", field: "environment_id" },
-      { object: "sys_environment_member", field: "environment_id" },
-      { object: "sys_package_installation", field: "environment_id" }
-    ];
-    for (const { object, field } of cascade) {
-      try {
-        let rows = await ql.find(object, { where: { [field]: environmentId } });
-        if (rows && rows.value) rows = rows.value;
-        if (Array.isArray(rows)) {
-          for (const r of rows) {
-            if (r?.id != null) {
-              try {
-                await ql.delete(object, { where: { id: r.id } });
-              } catch (innerErr) {
-                warnings.push(
-                  `Failed to delete ${object} ${r.id}: ${innerErr instanceof Error ? innerErr.message : String(innerErr)}`
-                );
-              }
-            }
+  /**
+   * Resolve the calling user id from the request session, if any.
+   * Returns `undefined` for anonymous calls or when auth is not wired up.
+   */
+  async resolveActiveOrganizationId(context) {
+    try {
+      const authService = await this.resolveService(import_system2.CoreServiceName.enum.auth);
+      const rawHeaders = context.request?.headers;
+      let headers = rawHeaders;
+      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
+        try {
+          const h = new Headers();
+          for (const [k, v] of Object.entries(rawHeaders)) {
+            if (v == null) continue;
+            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
           }
+          headers = h;
+        } catch {
+          headers = rawHeaders;
         }
-      } catch (err) {
-        warnings.push(
-          `Failed to enumerate ${object} for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-        );
-      }
-    }
-    const driver = row.database_driver ?? "memory";
-    const databaseUrl = row.database_url;
-    const databaseName = `p-${String(environmentId).replace(/-/g, "").slice(0, 24)}`;
-    try {
-      const adapter = await getRealAdapter(driver);
-      if (adapter?.deleteDatabase) {
-        await adapter.deleteDatabase({ environmentId, databaseName, databaseUrl });
-      } else {
-        warnings.push(`No adapter for driver '${driver}'; physical DB for project ${environmentId} not released.`);
-      }
-    } catch (err) {
-      warnings.push(
-        `Failed to delete physical database for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-      );
-    }
-    try {
-      await ql.delete(ENV, { where: { id: environmentId } });
-    } catch (err) {
-      return {
-        ok: false,
-        status: 500,
-        error: `Failed to delete sys_environment row: ${err instanceof Error ? err.message : String(err)}`,
-        warnings
-      };
-    }
-    if (this.envRegistry?.invalidate) {
-      try {
-        await this.envRegistry.invalidate(environmentId);
-      } catch {
       }
+      const apiObj = authService?.auth?.api ?? authService?.api;
+      const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
+      const oid = sessionData?.session?.activeOrganizationId;
+      return typeof oid === "string" && oid.length > 0 ? oid : void 0;
+    } catch {
+      return void 0;
     }
-    return { ok: true, warnings };
   }
   /**
    * Handles Storage requests
    * path: sub-path after /storage/
    */
   async handleStorage(path, method, file, context) {
-    const storageService = await this.getService(import_system.CoreServiceName.enum["file-storage"]) || this.kernel.services?.["file-storage"];
+    const storageService = await this.getService(import_system2.CoreServiceName.enum["file-storage"]) || this.kernel.services?.["file-storage"];
     if (!storageService) {
       return { handled: true, response: this.error("File storage not configured", 501) };
     }
@@ -5220,6 +4150,8 @@ var _HttpDispatcher = class _HttpDispatcher {
    *
    * Routes:
    *   GET    /                     → listFlows
+   *   GET    /actions              → getActionDescriptors (ADR-0018; ?paradigm/?source/?category filters)
+   *   GET    /connectors           → getConnectorDescriptors (ADR-0022; ?type filter)
    *   GET    /:name                → getFlow
    *   POST   /                     → createFlow (registerFlow)
    *   PUT    /:name                → updateFlow
@@ -5228,9 +4160,11 @@ var _HttpDispatcher = class _HttpDispatcher {
    *   POST   /:name/toggle         → toggleFlow
    *   GET    /:name/runs           → listRuns
    *   GET    /:name/runs/:runId    → getRun
+   *   POST   /:name/runs/:runId/resume → resume a paused run (screen input / ADR-0019)
+   *   GET    /:name/runs/:runId/screen → the screen a paused run awaits
    */
   async handleAutomation(path, method, body, context, query) {
-    const automationService = await this.getService(import_system.CoreServiceName.enum.automation);
+    const automationService = await this.getService(import_system2.CoreServiceName.enum.automation);
     if (!automationService) return { handled: false };
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
@@ -5257,6 +4191,32 @@ var _HttpDispatcher = class _HttpDispatcher {
         return { handled: true, response: this.success(body) };
       }
     }
+    if (parts[0] === "actions" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getActionDescriptors === "function") {
+        let actions = automationService.getActionDescriptors() ?? [];
+        if (query?.paradigm) {
+          actions = actions.filter((a) => Array.isArray(a?.paradigms) && a.paradigms.includes(query.paradigm));
+        }
+        if (query?.source) {
+          actions = actions.filter((a) => a?.source === query.source);
+        }
+        if (query?.category) {
+          actions = actions.filter((a) => a?.category === query.category);
+        }
+        return { handled: true, response: this.success({ actions, total: actions.length }) };
+      }
+      return { handled: true, response: this.success({ actions: [], total: 0 }) };
+    }
+    if (parts[0] === "connectors" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getConnectorDescriptors === "function") {
+        let connectors = automationService.getConnectorDescriptors() ?? [];
+        if (query?.type) {
+          connectors = connectors.filter((c) => c?.type === query.type);
+        }
+        return { handled: true, response: this.success({ connectors, total: connectors.length }) };
+      }
+      return { handled: true, response: this.success({ connectors: [], total: 0 }) };
+    }
     if (parts.length >= 1) {
       const name = parts[0];
       if (parts[1] === "trigger" && m === "POST") {
@@ -5296,7 +4256,28 @@ var _HttpDispatcher = class _HttpDispatcher {
           return { handled: true, response: this.success({ name, enabled: body?.enabled ?? true }) };
         }
       }
-      if (parts[1] === "runs" && parts[2] && m === "GET") {
+      if (parts[1] === "runs" && parts[2] && parts[3] === "resume" && m === "POST") {
+        if (typeof automationService.resume === "function") {
+          const b = body && typeof body === "object" ? body : {};
+          const inputs = b.inputs ?? b.variables;
+          const signal = {};
+          if (inputs && typeof inputs === "object") signal.variables = inputs;
+          if (b.output && typeof b.output === "object") signal.output = b.output;
+          if (typeof b.branchLabel === "string") signal.branchLabel = b.branchLabel;
+          const result = await automationService.resume(parts[2], signal);
+          return { handled: true, response: this.success(result) };
+        }
+        return { handled: true, response: this.error("Resume not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && parts[3] === "screen" && m === "GET") {
+        if (typeof automationService.getSuspendedScreen === "function") {
+          const screen = automationService.getSuspendedScreen(parts[2]);
+          if (!screen) return { handled: true, response: this.error("No pending screen for run", 404) };
+          return { handled: true, response: this.success({ runId: parts[2], screen }) };
+        }
+        return { handled: true, response: this.error("Screen lookup not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && !parts[3] && m === "GET") {
         if (typeof automationService.getRun === "function") {
           const run = await automationService.getRun(parts[2]);
           if (!run) return { handled: true, response: this.error("Execution not found", 404) };
@@ -5622,11 +4603,9 @@ var _HttpDispatcher = class _HttpDispatcher {
     if (forbidden) {
       return { handled: true, response: forbidden };
     }
-    if (!cleanPath.startsWith("/cloud/")) {
-      const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
-      if (scopedMatch) {
-        cleanPath = scopedMatch[1] ?? "";
-      }
+    const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
+    if (scopedMatch) {
+      cleanPath = scopedMatch[1] ?? "";
     }
     try {
       if ((cleanPath === "/discovery" || cleanPath === "") && method === "GET") {
@@ -5677,9 +4656,6 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (cleanPath.startsWith("/packages")) {
         return this.handlePackages(cleanPath.substring(9), method, body, query, context);
       }
-      if (cleanPath.startsWith("/cloud")) {
-        return this.handleCloud(cleanPath.substring(6), method, body, query, context);
-      }
       if (cleanPath.startsWith("/i18n")) {
         return this.handleI18n(cleanPath.substring(5), method, query, context);
       }
@@ -6374,6 +5350,14 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
+      server.get(`${prefix}/packages/:id/export`, async (req, res) => {
+        try {
+          const result = await dispatcher.handlePackages(`/${req.params.id}/export`, "GET", {}, req.query, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
       server.get(`${prefix}/packages/:id`, async (req, res) => {
         try {
           const result = await dispatcher.handlePackages(`/${req.params.id}`, "GET", {}, req.query, { request: req });
@@ -6422,214 +5406,6 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/cloud/drivers`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/drivers", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/admin/platform-sso/backfill`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/admin/platform-sso/backfill", "POST", req.body, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/templates`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/templates", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "PATCH", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/organizations/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/organizations/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.put(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "PUT", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/rotate-credential`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/rotate-credential`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/credentials/rotate`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/credentials/rotate`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/activate`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/activate`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/retry`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/retry`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "PATCH", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "DELETE", req.body ?? {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "DELETE", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/enable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/enable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/disable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/disable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/packages/:pkgId/upgrade`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/upgrade`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
       server.post(`${prefix}/storage/upload`, async (req, res) => {
         try {
           const result = await dispatcher.handleStorage("upload", "POST", req.body, { request: req });
@@ -6721,31 +5497,47 @@ function createDispatcherPlugin(config = {}) {
         });
         server.post(`${base}/automation/:name/trigger`, async (req, res) => {
           try {
-            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/trigger`, req.body, req.query, { request: req });
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/trigger`, req.body, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
+        server.post(`${base}/automation/:name/toggle`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/toggle`, req.body, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
+        server.get(`${base}/automation/:name/runs`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
           }
         });
-        server.post(`${base}/automation/:name/toggle`, async (req, res) => {
+        server.get(`${base}/automation/:name/runs/:runId`, async (req, res) => {
           try {
-            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/toggle`, req.body, req.query, { request: req });
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
           }
         });
-        server.get(`${base}/automation/:name/runs`, async (req, res) => {
+        server.post(`${base}/automation/:name/runs/:runId/resume`, async (req, res) => {
           try {
-            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs`, void 0, req.query, { request: req });
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/runs/${req.params.runId}/resume`, req.body, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
           }
         });
-        server.get(`${base}/automation/:name/runs/:runId`, async (req, res) => {
+        server.get(`${base}/automation/:name/runs/:runId/screen`, async (req, res) => {
           try {
-            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}`, void 0, req.query, { request: req });
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}/screen`, void 0, req.query, { request: req });
             sendResult(result, res);
           } catch (err) {
             errorResponse(err, res);
@@ -7481,7 +6273,7 @@ var ArtifactApiClient = class {
 };
 
 // src/cloud/artifact-environment-registry.ts
-var import_node_path4 = require("path");
+var import_node_path5 = require("path");
 var ArtifactEnvironmentRegistry = class {
   constructor(config) {
     this.hostnameCache = /* @__PURE__ */ new Map();
@@ -7653,7 +6445,7 @@ async function createDriver(driverType, databaseUrl, authToken) {
     case "memory": {
       const { InMemoryDriver } = await import("@objectstack/driver-memory");
       const dbName = databaseUrl.replace(/^memory:\/\//, "").trim();
-      const filePath = dbName ? (0, import_node_path4.resolve)(process.cwd(), ".objectstack/data/projects", `${dbName}.json`) : void 0;
+      const filePath = dbName ? (0, import_node_path5.resolve)(process.cwd(), ".objectstack/data/projects", `${dbName}.json`) : void 0;
       return new InMemoryDriver({
         persistence: filePath ? { type: "file", path: filePath } : "file"
       });
@@ -7691,21 +6483,17 @@ async function createDriver(driverType, databaseUrl, authToken) {
 // src/cloud/artifact-kernel-factory.ts
 var import_node_crypto2 = require("crypto");
 var import_core3 = require("@objectstack/core");
-var import_types4 = require("@objectstack/types");
+var import_types3 = require("@objectstack/types");
 init_driver_plugin();
 init_app_plugin();
 
 // src/cloud/capability-loader.ts
 var CAPABILITY_PROVIDERS = {
   automation: {
+    // Self-contained: AutomationServicePlugin seeds all built-in node
+    // executors itself (ADR-0018), so no companion node-pack plugins.
     pkg: "@objectstack/service-automation",
-    export: "AutomationServicePlugin",
-    extras: [
-      { pkg: "@objectstack/service-automation", export: "CrudNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "LogicNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "HttpConnectorPlugin" },
-      { pkg: "@objectstack/service-automation", export: "ScreenNodesPlugin" }
-    ]
+    export: "AutomationServicePlugin"
   },
   ai: {
     pkg: "@objectstack/service-ai",
@@ -7736,6 +6524,19 @@ var CAPABILITY_PROVIDERS = {
     pkg: "@objectstack/service-job",
     export: "JobServicePlugin"
   },
+  messaging: {
+    // Backs the `notify` flow node (ADR-0012): delivers to a user's
+    // channels (inbox by default → `sys_inbox_message` rows).
+    pkg: "@objectstack/service-messaging",
+    export: "MessagingServicePlugin"
+  },
+  triggers: {
+    // Concrete flow triggers — record-change (ObjectQL hooks) + schedule
+    // (cron/interval via the job service; pair `triggers` with `job`).
+    pkg: "@objectstack/plugin-trigger-record-change",
+    export: "RecordChangeTriggerPlugin",
+    extras: [{ pkg: "@objectstack/plugin-trigger-schedule", export: "ScheduleTriggerPlugin" }]
+  },
   realtime: {
     pkg: "@objectstack/service-realtime",
     export: "RealtimeServicePlugin"
@@ -7753,7 +6554,11 @@ async function loadCapabilities(opts) {
   const { kernel, requires, bundle, environmentId } = opts;
   const logger = opts.logger ?? console;
   const installed = [];
-  for (const cap of requires) {
+  const resolved = [...new Set(requires)];
+  if (resolved.includes("audit") && !resolved.includes("messaging")) {
+    resolved.push("messaging");
+  }
+  for (const cap of resolved) {
     const spec = CAPABILITY_PROVIDERS[cap];
     if (!spec) {
       continue;
@@ -7820,8 +6625,197 @@ async function loadCapabilities(opts) {
   return installed;
 }
 
+// src/cloud/platform-sso.ts
+var import_node_crypto = require("crypto");
+var PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
+function derivePlatformSsoClientId(environmentId) {
+  return `project_${environmentId}`;
+}
+function derivePlatformSsoClientSecret(baseSecret, environmentId) {
+  return (0, import_node_crypto.createHmac)("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
+}
+function hashPlatformSsoClientSecret(plaintext) {
+  return (0, import_node_crypto.createHash)("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
+  let host;
+  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
+    host = hostname;
+  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
+    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
+    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
+    host = `http://${hostWithPort}`;
+  } else {
+    host = `https://${hostname}`;
+  }
+  const trimmed = host.replace(/\/+$/, "");
+  const path = basePath.replace(/\/+$/, "");
+  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
+}
+async function seedPlatformSsoClient(opts) {
+  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
+    return;
+  }
+  const clientId = derivePlatformSsoClientId(environmentId);
+  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
+  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
+  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
+  let existing = null;
+  try {
+    const rows = await ql.find("sys_oauth_application", {
+      where: { client_id: clientId },
+      limit: 1
+    }, { context: { isSystem: true } });
+    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+    existing = list[0] ?? null;
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
+      environmentId,
+      error: err?.message
+    });
+    return;
+  }
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  if (!existing) {
+    const redirects = desiredRedirect ? [desiredRedirect] : [];
+    try {
+      await ql.insert("sys_oauth_application", {
+        id: `oauthc_${environmentId}`,
+        name: `Project ${environmentId}`,
+        client_id: clientId,
+        client_secret: clientSecretStored,
+        type: "web",
+        redirect_uris: JSON.stringify(redirects),
+        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+        response_types: JSON.stringify(["code"]),
+        scopes: JSON.stringify(["openid", "email", "profile"]),
+        token_endpoint_auth_method: "client_secret_basic",
+        require_pkce: false,
+        skip_consent: true,
+        disabled: false,
+        subject_type: "public",
+        created_at: nowIso,
+        updated_at: nowIso
+      }, { context: { isSystem: true } });
+      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
+    } catch (err) {
+      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
+        environmentId,
+        error: err?.message
+      });
+      if (throwOnError) throw err;
+    }
+    return;
+  }
+  let currentRedirects = [];
+  try {
+    const raw = existing.redirect_uris;
+    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
+    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
+  } catch {
+  }
+  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
+  const repairPatch = {
+    name: existing.name || `Project ${environmentId}`,
+    client_secret: clientSecretStored,
+    type: existing.type || "web",
+    redirect_uris: JSON.stringify(mergedRedirects),
+    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+    response_types: JSON.stringify(["code"]),
+    scopes: JSON.stringify(["openid", "email", "profile"]),
+    token_endpoint_auth_method: "client_secret_basic",
+    require_pkce: false,
+    skip_consent: true,
+    disabled: false,
+    subject_type: "public",
+    updated_at: nowIso
+  };
+  try {
+    await ql.update(
+      "sys_oauth_application",
+      repairPatch,
+      { where: { id: existing.id } },
+      { context: { isSystem: true } }
+    );
+    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
+      environmentId,
+      clientId,
+      redirect_uris: mergedRedirects
+    });
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
+      environmentId,
+      error: err?.message
+    });
+    if (throwOnError) throw err;
+  }
+}
+async function backfillPlatformSsoClients(opts) {
+  const { ql, baseSecret, logger, limit = 1e3 } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
+  }
+  let projects = [];
+  try {
+    const rows = await ql.find("sys_environment", {
+      limit,
+      fields: ["id", "hostname", "status"]
+    }, { context: { isSystem: true } });
+    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch (err) {
+    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
+      error: err?.message
+    });
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
+  }
+  let seeded = 0;
+  let alreadyExisted = 0;
+  const failures = [];
+  for (const p of projects) {
+    if (!p?.id) continue;
+    const before = await (async () => {
+      try {
+        const r = await ql.find("sys_oauth_application", {
+          where: { client_id: derivePlatformSsoClientId(p.id) },
+          limit: 1
+        }, { context: { isSystem: true } });
+        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+        return list[0] ?? null;
+      } catch {
+        return null;
+      }
+    })();
+    try {
+      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
+      if (before) alreadyExisted++;
+      else {
+        const after = await (async () => {
+          try {
+            const r = await ql.find("sys_oauth_application", {
+              where: { client_id: derivePlatformSsoClientId(p.id) },
+              limit: 1
+            }, { context: { isSystem: true } });
+            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+            return list[0] ?? null;
+          } catch (err) {
+            return { _readErr: err?.message };
+          }
+        })();
+        if (after && !after._readErr) seeded++;
+        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
+      }
+    } catch (err) {
+      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
+    }
+  }
+  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
+  return { scanned: projects.length, seeded, alreadyExisted, failures };
+}
+
 // src/cloud/artifact-kernel-factory.ts
-init_platform_sso();
 function deriveProjectAuthSecret(baseSecret, environmentId) {
   return (0, import_node_crypto2.createHmac)("sha256", baseSecret).update(`project:${environmentId}`).digest("hex");
 }
@@ -7831,7 +6825,7 @@ var ArtifactKernelFactory = class {
     this.envRegistry = config.envRegistry;
     this.logger = config.logger ?? console;
     this.kernelConfig = config.kernelConfig;
-    this.authBaseSecret = (config.authBaseSecret ?? (0, import_types4.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
+    this.authBaseSecret = (config.authBaseSecret ?? (0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
   }
   async create(environmentId) {
     let cached = this.envRegistry.peekById(environmentId);
@@ -7944,7 +6938,7 @@ var ArtifactKernelFactory = class {
       this.logger.warn?.("[ArtifactKernelFactory] OS_AUTH_SECRET not set \u2014 per-project AuthPlugin skipped (auth endpoints will return 404)", { environmentId });
     }
     try {
-      const multiTenant = String((0, import_types4.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+      const multiTenant = String((0, import_types3.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
       if (multiTenant) {
         try {
           const { OrgScopingPlugin } = await import("@objectstack/plugin-org-scoping");
@@ -8470,7 +7464,7 @@ var AuthProxyPlugin = class {
 };
 
 // src/cloud/cloud-url.ts
-var DEFAULT_CLOUD_URL = "https://cloud.objectos.app";
+var DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
 function resolveCloudUrl(explicit) {
   const raw = (explicit ?? process.env.OS_CLOUD_URL ?? "").trim();
   const lower = raw.toLowerCase();
@@ -8892,11 +7886,11 @@ var RuntimeConfigPlugin = class {
 
 // src/cloud/file-artifact-api-client.ts
 var import_promises2 = require("fs/promises");
-var import_node_path5 = require("path");
+var import_node_path6 = require("path");
 var FileArtifactApiClient = class {
   constructor(config = {}) {
     const cwd = process.cwd();
-    this.artifactPath = (0, import_node_path5.resolve)(
+    this.artifactPath = (0, import_node_path6.resolve)(
       cwd,
       config.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? "dist/objectstack.json"
     );
@@ -8992,7 +7986,7 @@ var FileArtifactApiClient = class {
   }
   defaultLocalSqliteRuntime() {
     const cwd = process.cwd();
-    const dbPath = (0, import_node_path5.resolve)(cwd, ".objectstack/data", `${this.environmentId}.db`);
+    const dbPath = (0, import_node_path6.resolve)(cwd, ".objectstack/data", `${this.environmentId}.db`);
     return {
       databaseDriver: "sqlite",
       databaseUrl: `file:${dbPath}`
@@ -9145,9 +8139,9 @@ async function createObjectOSStack(config) {
 }
 
 // src/cloud/marketplace-install-local-plugin.ts
-var import_node_fs3 = require("fs");
-var import_node_path6 = require("path");
-var import_types5 = require("@objectstack/types");
+var import_node_fs4 = require("fs");
+var import_node_path7 = require("path");
+var import_types4 = require("@objectstack/types");
 var ROUTE_BASE = "/api/v1/marketplace/install-local";
 var DEFAULT_DIR = ".objectstack/installed-packages";
 function safeFilename(manifestId) {
@@ -9222,9 +8216,6 @@ var MarketplaceInstallLocalPlugin = class {
       }
     };
     this.handleInstall = async (c, ctx) => {
-      if (!this.cloudUrl) {
-        return c.json({ success: false, error: { code: "marketplace_unavailable", message: "OS_CLOUD_URL not configured." } }, 503);
-      }
       const userId = await this.requireAuthenticatedUser(c, ctx);
       if (!userId) {
         return c.json({ success: false, error: { code: "unauthorized", message: "Authentication required to install packages." } }, 401);
@@ -9234,69 +8225,87 @@ var MarketplaceInstallLocalPlugin = class {
         body = await c.req.json();
       } catch {
       }
-      const packageId = String(body?.packageId ?? "").trim();
-      const versionId = String(body?.versionId ?? "latest").trim() || "latest";
-      if (!packageId) {
-        return c.json({ success: false, error: { code: "bad_request", message: "packageId is required." } }, 400);
-      }
-      let payload;
-      const publicBase = resolveMarketplacePublicBaseUrl();
-      const fetchAttempts = [];
-      if (publicBase) {
+      const inlineManifest = body?.manifest && typeof body.manifest === "object" ? body.manifest : null;
+      let manifest;
+      let resolvedVersionId;
+      let version;
+      let packageId;
+      if (inlineManifest) {
+        manifest = inlineManifest;
+        packageId = String(manifest.id ?? manifest.name ?? "").trim();
+        version = String(manifest.version ?? "unknown");
+        resolvedVersionId = String(body?.versionId ?? version);
+        if (!packageId) {
+          return c.json({ success: false, error: { code: "invalid_manifest", message: 'Inline manifest must have an "id" or "name".' } }, 400);
+        }
+      } else {
+        if (!this.cloudUrl) {
+          return c.json({ success: false, error: { code: "marketplace_unavailable", message: "OS_CLOUD_URL not configured." } }, 503);
+        }
+        packageId = String(body?.packageId ?? "").trim();
+        const versionId = String(body?.versionId ?? "latest").trim() || "latest";
+        if (!packageId) {
+          return c.json({ success: false, error: { code: "bad_request", message: "packageId is required." } }, 400);
+        }
+        let payload;
+        const publicBase = resolveMarketplacePublicBaseUrl();
+        const fetchAttempts = [];
+        if (publicBase) {
+          fetchAttempts.push({
+            label: "public-r2",
+            url: `${publicBase}/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest.json`
+          });
+        }
         fetchAttempts.push({
-          label: "public-r2",
-          url: `${publicBase}/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest.json`
+          label: "cloud",
+          url: `${this.cloudUrl}/api/v1/marketplace/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest`
         });
-      }
-      fetchAttempts.push({
-        label: "cloud",
-        url: `${this.cloudUrl}/api/v1/marketplace/packages/${encodeURIComponent(packageId)}/versions/${encodeURIComponent(versionId)}/manifest`
-      });
-      let lastErrStatus = 0;
-      let lastErrText = "";
-      for (const attempt of fetchAttempts) {
-        try {
-          const resp = await fetch(attempt.url, { headers: { "Accept": "application/json" } });
-          if (!resp.ok) {
-            lastErrStatus = resp.status;
-            lastErrText = (await resp.text().catch(() => "")).slice(0, 200);
-            if (attempt.label === "public-r2" && resp.status === 404) {
-              ctx.logger?.info?.(`[MarketplaceInstallLocal] public-r2 miss for ${packageId}@${versionId}, falling back to cloud`);
-              continue;
+        let lastErrStatus = 0;
+        let lastErrText = "";
+        for (const attempt of fetchAttempts) {
+          try {
+            const resp = await fetch(attempt.url, { headers: { "Accept": "application/json" } });
+            if (!resp.ok) {
+              lastErrStatus = resp.status;
+              lastErrText = (await resp.text().catch(() => "")).slice(0, 200);
+              if (attempt.label === "public-r2" && resp.status === 404) {
+                ctx.logger?.info?.(`[MarketplaceInstallLocal] public-r2 miss for ${packageId}@${versionId}, falling back to cloud`);
+                continue;
+              }
+              if (attempt.label === "public-r2" && resp.status >= 500) {
+                ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 ${resp.status}, falling back to cloud`);
+                continue;
+              }
+              break;
             }
-            if (attempt.label === "public-r2" && resp.status >= 500) {
-              ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 ${resp.status}, falling back to cloud`);
+            payload = await resp.json();
+            lastErrStatus = 0;
+            break;
+          } catch (err) {
+            if (attempt.label === "public-r2") {
+              ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 fetch error: ${err?.message ?? err}, falling back to cloud`);
               continue;
             }
-            break;
-          }
-          payload = await resp.json();
-          lastErrStatus = 0;
-          break;
-        } catch (err) {
-          if (attempt.label === "public-r2") {
-            ctx.logger?.warn?.(`[MarketplaceInstallLocal] public-r2 fetch error: ${err?.message ?? err}, falling back to cloud`);
-            continue;
+            return c.json({
+              success: false,
+              error: { code: "cloud_fetch_failed", message: err?.message ?? String(err) }
+            }, 502);
           }
+        }
+        if (!payload) {
           return c.json({
             success: false,
-            error: { code: "cloud_fetch_failed", message: err?.message ?? String(err) }
-          }, 502);
+            error: { code: "cloud_fetch_failed", message: `Cloud returned ${lastErrStatus}: ${lastErrText}` }
+          }, lastErrStatus === 404 ? 404 : 502);
         }
+        const data = payload?.data ?? payload;
+        manifest = data?.manifest;
+        resolvedVersionId = String(data?.version_id ?? versionId);
+        version = String(data?.version ?? "unknown");
       }
-      if (!payload) {
-        return c.json({
-          success: false,
-          error: { code: "cloud_fetch_failed", message: `Cloud returned ${lastErrStatus}: ${lastErrText}` }
-        }, lastErrStatus === 404 ? 404 : 502);
-      }
-      const data = payload?.data ?? payload;
-      const manifest = data?.manifest;
-      const resolvedVersionId = String(data?.version_id ?? versionId);
-      const version = String(data?.version ?? "unknown");
       const manifestId = String(manifest?.id ?? manifest?.name ?? "");
       if (!manifest || !manifestId) {
-        return c.json({ success: false, error: { code: "invalid_manifest", message: "Cloud returned an invalid manifest payload." } }, 502);
+        return c.json({ success: false, error: { code: "invalid_manifest", message: "Invalid manifest payload." } }, inlineManifest ? 400 : 502);
       }
       const conflict = this.findConflict(ctx, manifestId);
       if (conflict === "user-code") {
@@ -9308,6 +8317,18 @@ var MarketplaceInstallLocalPlugin = class {
           }
         }, 409);
       }
+      try {
+        const manifestService = ctx.getService("manifest");
+        manifestService.register(manifest);
+      } catch (err) {
+        if (inlineManifest) {
+          return c.json({
+            success: false,
+            error: { code: "register_failed", message: `Failed to register imported manifest: ${err?.message ?? err}` }
+          }, 422);
+        }
+        ctx.logger?.warn?.(`[MarketplaceInstallLocal] hot-register failed for ${manifestId} (will load on next restart): ${err?.message ?? err}`);
+      }
       const entry = {
         packageId,
         versionId: resolvedVersionId,
@@ -9319,20 +8340,14 @@ var MarketplaceInstallLocalPlugin = class {
         withSampleData: false
       };
       try {
-        (0, import_node_fs3.mkdirSync)(this.storageDir, { recursive: true });
-        (0, import_node_fs3.writeFileSync)((0, import_node_path6.join)(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
+        (0, import_node_fs4.mkdirSync)(this.storageDir, { recursive: true });
+        (0, import_node_fs4.writeFileSync)((0, import_node_path7.join)(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
       } catch (err) {
         return c.json({
           success: false,
           error: { code: "storage_failed", message: `Failed to persist manifest: ${err?.message ?? err}` }
         }, 500);
       }
-      try {
-        const manifestService = ctx.getService("manifest");
-        manifestService.register(manifest);
-      } catch (err) {
-        ctx.logger?.warn?.(`[MarketplaceInstallLocal] hot-register failed for ${manifestId} (will load on next restart): ${err?.message ?? err}`);
-      }
       try {
         const ql = ctx.getService("objectql");
         if (ql && typeof ql.syncSchemas === "function") {
@@ -9346,7 +8361,7 @@ var MarketplaceInstallLocalPlugin = class {
       if (seededSummary.seeded.mode === "inline" && (seededSummary.seeded.inserted ?? 0) + (seededSummary.seeded.updated ?? 0) > 0) {
         entry.withSampleData = true;
         try {
-          (0, import_node_fs3.writeFileSync)((0, import_node_path6.join)(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
+          (0, import_node_fs4.writeFileSync)((0, import_node_path7.join)(this.storageDir, safeFilename(manifestId)), JSON.stringify(entry, null, 2), "utf8");
         } catch {
         }
       }
@@ -9393,12 +8408,12 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = (0, import_node_path6.join)(this.storageDir, safeFilename(manifestId));
-      if (!(0, import_node_fs3.existsSync)(file)) {
+      const file = (0, import_node_path7.join)(this.storageDir, safeFilename(manifestId));
+      if (!(0, import_node_fs4.existsSync)(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       try {
-        (0, import_node_fs3.unlinkSync)(file);
+        (0, import_node_fs4.unlinkSync)(file);
       } catch (err) {
         return c.json({ success: false, error: { code: "storage_failed", message: err?.message ?? String(err) } }, 500);
       }
@@ -9421,7 +8436,7 @@ var MarketplaceInstallLocalPlugin = class {
      *                    (refuse to avoid silently overwriting authored code)
      */
     this.findConflict = (ctx, manifestId) => {
-      if ((0, import_node_fs3.existsSync)((0, import_node_path6.join)(this.storageDir, safeFilename(manifestId)))) {
+      if ((0, import_node_fs4.existsSync)((0, import_node_path7.join)(this.storageDir, safeFilename(manifestId)))) {
         return "marketplace";
       }
       try {
@@ -9463,13 +8478,13 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = (0, import_node_path6.join)(this.storageDir, safeFilename(manifestId));
-      if (!(0, import_node_fs3.existsSync)(file)) {
+      const file = (0, import_node_path7.join)(this.storageDir, safeFilename(manifestId));
+      if (!(0, import_node_fs4.existsSync)(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       let entry;
       try {
-        entry = JSON.parse((0, import_node_fs3.readFileSync)(file, "utf8"));
+        entry = JSON.parse((0, import_node_fs4.readFileSync)(file, "utf8"));
       } catch (err) {
         return c.json({ success: false, error: { code: "storage_failed", message: `Failed to read manifest cache: ${err?.message ?? err}` } }, 500);
       }
@@ -9485,7 +8500,7 @@ var MarketplaceInstallLocalPlugin = class {
       }
       try {
         entry.withSampleData = true;
-        (0, import_node_fs3.writeFileSync)(file, JSON.stringify(entry, null, 2), "utf8");
+        (0, import_node_fs4.writeFileSync)(file, JSON.stringify(entry, null, 2), "utf8");
       } catch {
       }
       return c.json({
@@ -9517,13 +8532,13 @@ var MarketplaceInstallLocalPlugin = class {
       if (!manifestId) {
         return c.json({ success: false, error: { code: "bad_request", message: "manifestId path param required." } }, 400);
       }
-      const file = (0, import_node_path6.join)(this.storageDir, safeFilename(manifestId));
-      if (!(0, import_node_fs3.existsSync)(file)) {
+      const file = (0, import_node_path7.join)(this.storageDir, safeFilename(manifestId));
+      if (!(0, import_node_fs4.existsSync)(file)) {
         return c.json({ success: false, error: { code: "not_found", message: `No marketplace install for ${manifestId}.` } }, 404);
       }
       let entry;
       try {
-        entry = JSON.parse((0, import_node_fs3.readFileSync)(file, "utf8"));
+        entry = JSON.parse((0, import_node_fs4.readFileSync)(file, "utf8"));
       } catch (err) {
         return c.json({ success: false, error: { code: "storage_failed", message: `Failed to read manifest cache: ${err?.message ?? err}` } }, 500);
       }
@@ -9572,7 +8587,7 @@ var MarketplaceInstallLocalPlugin = class {
       }
       try {
         entry.withSampleData = false;
-        (0, import_node_fs3.writeFileSync)(file, JSON.stringify(entry, null, 2), "utf8");
+        (0, import_node_fs4.writeFileSync)(file, JSON.stringify(entry, null, 2), "utf8");
       } catch {
       }
       ctx.logger?.info?.(`[MarketplaceInstallLocal] purged ${manifestId}: deleted=${deleted} skipped=${skipped} errors=${errors}`);
@@ -9670,7 +8685,7 @@ var MarketplaceInstallLocalPlugin = class {
         }
       }
       if (opts.seedNow && datasets.length > 0) {
-        const multiTenant = String((0, import_types5.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+        const multiTenant = String((0, import_types4.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
         try {
           const ql = ctx.getService("objectql");
           let metadata;
@@ -9771,12 +8786,12 @@ var MarketplaceInstallLocalPlugin = class {
       return null;
     };
     this.readAll = () => {
-      if (!(0, import_node_fs3.existsSync)(this.storageDir)) return [];
+      if (!(0, import_node_fs4.existsSync)(this.storageDir)) return [];
       const out = [];
-      for (const name of (0, import_node_fs3.readdirSync)(this.storageDir)) {
+      for (const name of (0, import_node_fs4.readdirSync)(this.storageDir)) {
         if (!name.endsWith(".json")) continue;
         try {
-          const raw = (0, import_node_fs3.readFileSync)((0, import_node_path6.join)(this.storageDir, name), "utf8");
+          const raw = (0, import_node_fs4.readFileSync)((0, import_node_path7.join)(this.storageDir, name), "utf8");
           out.push(JSON.parse(raw));
         } catch {
         }
@@ -9784,13 +8799,10 @@ var MarketplaceInstallLocalPlugin = class {
       return out;
     };
     this.cloudUrl = resolveCloudUrl(config.controlPlaneUrl);
-    this.storageDir = config.storageDir ? (0, import_node_path6.resolve)(config.storageDir) : (0, import_node_path6.resolve)(process.cwd(), DEFAULT_DIR);
+    this.storageDir = config.storageDir ? (0, import_node_path7.resolve)(config.storageDir) : (0, import_node_path7.resolve)(process.cwd(), DEFAULT_DIR);
   }
 };
 
-// src/index.ts
-init_platform_sso();
-
 // src/sandbox/script-runner.ts
 var UnimplementedScriptRunner = class {
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -9816,7 +8828,7 @@ init_body_runner();
 // src/index.ts
 var import_rest = require("@objectstack/rest");
 __reExport(index_exports, require("@objectstack/core"), module.exports);
-var import_types6 = require("@objectstack/types");
+var import_types5 = require("@objectstack/types");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AppPlugin,
@@ -9827,6 +8839,7 @@ var import_types6 = require("@objectstack/types");
   DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS,
   DriverPlugin,
+  ExternalValidationPlugin,
   FileArtifactApiClient,
   HttpDispatcher,
   HttpServer,
@@ -9865,6 +8878,7 @@ var import_types6 = require("@objectstack/types");
   collectBundleHooks,
   createDefaultHostConfig,
   createDispatcherPlugin,
+  createExternalValidationPlugin,
   createObjectOSStack,
   createRestApiPlugin,
   createStandaloneStack,