npm - @objectstack/runtime - Versions diffs - 7.3.0 → 7.4.1 - Mend

@objectstack/runtime 7.3.0 → 7.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -32,13 +32,6 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/load-artifact-bundle.ts
-var load_artifact_bundle_exports = {};
-__export(load_artifact_bundle_exports, {
-  isHttpUrl: () => isHttpUrl,
-  loadArtifactBundle: () => loadArtifactBundle,
-  mergeRuntimeModule: () => mergeRuntimeModule,
-  readArtifactSource: () => readArtifactSource
-});
 function isHttpUrl(pathOrUrl) {
   return /^https?:\/\//i.test(pathOrUrl);
 }
@@ -294,17 +287,37 @@ var init_seed_loader = __esm({
         }
         const objectRefs = refMap.get(objectName) || [];
         const seedNow = /* @__PURE__ */ new Date();
+        const seedIdentity = config.identity;
+        const baseEvalCtx = {
+          now: seedNow,
+          user: seedIdentity?.user,
+          // Fall back to the per-tenant organizationId so `os.org.id` resolves
+          // during per-org replay even without an explicit identity.org.
+          org: seedIdentity?.org ?? (config.organizationId ? { id: config.organizationId } : void 0),
+          env: config.env
+        };
         for (let i = 0; i < dataset.records.length; i++) {
           const seedResult = (0, import_formula.resolveSeedRecord)(
             dataset.records[i],
-            { now: seedNow }
+            baseEvalCtx
           );
-          const record = seedResult.ok ? { ...seedResult.value } : { ...dataset.records[i] };
           if (!seedResult.ok) {
-            this.logger.warn(
-              `[SeedLoader] Failed to resolve dynamic values for ${objectName} record #${i}: ${seedResult.error.message}`
-            );
+            errored++;
+            const error = {
+              sourceObject: objectName,
+              field: "(expression)",
+              targetObject: objectName,
+              targetField: "(expression)",
+              attemptedValue: dataset.records[i],
+              recordIndex: i,
+              message: `Cannot resolve dynamic seed values for ${objectName} record #${i}: ${seedResult.error.message}. Records using cel\`os.user.id\` / cel\`os.org.id\` require a seed identity \u2014 ensure a system/admin user exists before seeding (see SeedLoaderConfig.identity).`
+            };
+            errors.push(error);
+            allErrors.push(error);
+            this.logger.warn(`[SeedLoader] ${error.message}`);
+            continue;
           }
+          const record = { ...seedResult.value };
           if (config.organizationId && record["organization_id"] == null) {
             record["organization_id"] = config.organizationId;
           }
@@ -383,10 +396,18 @@ var init_seed_loader = __esm({
               }
             } catch (err) {
               errored++;
-              this.logger.warn(`[SeedLoader] Failed to write ${objectName} record`, {
-                error: err.message,
-                recordIndex: i
-              });
+              const error = {
+                sourceObject: objectName,
+                field: "(write)",
+                targetObject: objectName,
+                targetField: externalId,
+                attemptedValue: record[externalId] ?? null,
+                recordIndex: i,
+                message: `Failed to write ${objectName} record #${i} (${externalId}=${String(record[externalId] ?? "")}): ${err.message}`
+              };
+              errors.push(error);
+              allErrors.push(error);
+              this.logger.warn(`[SeedLoader] ${error.message}`, { recordIndex: i });
             }
           } else {
             const externalIdValue = String(record[externalId] ?? "");
@@ -1330,13 +1351,14 @@ function collectBundleFunctions(bundle) {
   merge(bundle?.manifest?.functions);
   return out;
 }
-var import_types, AppPlugin;
+var import_types, import_system, AppPlugin;
 var init_app_plugin = __esm({
   "src/app-plugin.ts"() {
     "use strict";
     import_types = require("@objectstack/types");
     init_seed_loader();
     init_package_state_store();
+    import_system = require("@objectstack/spec/system");
     init_quickjs_runner();
     init_body_runner();
     AppPlugin = class {
@@ -1411,6 +1433,27 @@ var init_app_plugin = __esm({
             });
             ql.setDatasourceMapping(this.bundle.datasourceMapping);
           }
+          try {
+            const dsDefs = this.bundle.datasources;
+            const dsList = Array.isArray(dsDefs) ? dsDefs : dsDefs && typeof dsDefs === "object" ? Object.entries(dsDefs).map(([name, def]) => ({ name, ...def })) : [];
+            if (dsList.length > 0) {
+              const metadata = ctx.getService("metadata");
+              if (typeof metadata?.registerInMemory === "function") {
+                for (const ds of dsList) {
+                  if (!ds?.name) continue;
+                  metadata.registerInMemory("datasource", ds.name, { ...ds, origin: "code" });
+                }
+                ctx.logger.info("Registered code-defined datasources in metadata registry", {
+                  appId,
+                  count: dsList.length
+                });
+              }
+            }
+          } catch (err) {
+            ctx.logger.warn("[AppPlugin] failed to register code-defined datasources", {
+              error: err?.message ?? String(err)
+            });
+          }
           const stackBundle = this.bundle.default || this.bundle;
           const runtime = stackBundle && typeof stackBundle.onEnable === "function" ? stackBundle : this.bundle;
           if (runtime && typeof runtime.onEnable === "function") {
@@ -1505,49 +1548,6 @@ var init_app_plugin = __esm({
               appId
             });
           }
-          try {
-            const approvals = Array.isArray(this.bundle.approvals) ? this.bundle.approvals : Array.isArray((this.bundle.manifest || {}).approvals) ? this.bundle.manifest.approvals : [];
-            if (approvals.length > 0) {
-              ctx.hook("kernel:ready", async () => {
-                let svc;
-                try {
-                  svc = ctx.getService("approvals");
-                } catch {
-                }
-                if (!svc || typeof svc.defineProcess !== "function") {
-                  ctx.logger.warn("[AppPlugin] approvals service not registered \u2014 skipping declarative processes", {
-                    appId,
-                    processCount: approvals.length
-                  });
-                  return;
-                }
-                const sysCtx = { isSystem: true, roles: [], permissions: [] };
-                let ok = 0;
-                for (const proc of approvals) {
-                  try {
-                    await svc.defineProcess({
-                      name: proc.name,
-                      label: proc.label,
-                      object: proc.object,
-                      description: proc.description,
-                      active: proc.active !== false,
-                      definition: proc
-                    }, sysCtx);
-                    ok++;
-                  } catch (err) {
-                    ctx.logger.warn("[AppPlugin] Failed to register approval process", {
-                      appId,
-                      process: proc?.name,
-                      error: err?.message ?? String(err)
-                    });
-                  }
-                }
-                ctx.logger.info("[AppPlugin] Registered approval processes", { appId, count: ok });
-              });
-            }
-          } catch (err) {
-            ctx.logger.error("[AppPlugin] Failed to schedule approval-process registration", err, { appId });
-          }
           try {
             const jobs = Array.isArray(this.bundle.jobs) ? this.bundle.jobs : Array.isArray((this.bundle.manifest || {}).jobs) ? this.bundle.manifest.jobs : [];
             if (jobs.length > 0) {
@@ -1624,6 +1624,7 @@ var init_app_plugin = __esm({
               ...d,
               object: d.object
             }));
+            const seedIdentity = await this.ensureSeedIdentity(ql, ctx.logger);
             try {
               const kernel = ctx.kernel;
               const existing = (() => {
@@ -1665,7 +1666,12 @@ var init_app_plugin = __esm({
                   config: {
                     defaultMode: "upsert",
                     multiPass: true,
-                    organizationId
+                    organizationId,
+                    // Bind os.user (system identity) and os.org (this
+                    // tenant) so identity-derived seed values resolve
+                    // per-org. org.id falls back to organizationId
+                    // inside the loader when identity.org is absent.
+                    identity: seedIdentity
                   }
                 });
                 const result = await seedLoader.load(request);
@@ -1693,14 +1699,34 @@ var init_app_plugin = __esm({
                     const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                     const request = SeedLoaderRequestSchema.parse({
                       datasets: normalizedDatasets,
-                      config: { defaultMode: "upsert", multiPass: true }
+                      config: { defaultMode: "upsert", multiPass: true, identity: seedIdentity }
                     });
                     const result = await seedLoader.load(request);
-                    ctx.logger.info("[Seeder] Seed loading complete", {
-                      inserted: result.summary.totalInserted,
-                      updated: result.summary.totalUpdated,
-                      errors: result.errors.length
-                    });
+                    const { totalInserted, totalUpdated, totalSkipped, totalErrored } = result.summary;
+                    if (result.success) {
+                      ctx.logger.info("[Seeder] Seed loading complete", {
+                        inserted: totalInserted,
+                        updated: totalUpdated,
+                        skipped: totalSkipped,
+                        errored: totalErrored
+                      });
+                    } else {
+                      ctx.logger.warn(
+                        `[Seeder] Seed loading completed with ${totalErrored} dropped record(s) and ${result.errors.length} error(s) for ${appId}`,
+                        {
+                          inserted: totalInserted,
+                          updated: totalUpdated,
+                          skipped: totalSkipped,
+                          errored: totalErrored
+                        }
+                      );
+                      for (const e of result.errors.slice(0, 20)) {
+                        ctx.logger.warn(`[Seeder]   \u2717 ${e.message}`);
+                      }
+                      if (result.errors.length > 20) {
+                        ctx.logger.warn(`[Seeder]   \u2026and ${result.errors.length - 20} more error(s)`);
+                      }
+                    }
                   } else {
                     ctx.logger.debug("[Seeder] No metadata service; using basic insert fallback");
                     for (const dataset of normalizedDatasets) {
@@ -1802,6 +1828,64 @@ var init_app_plugin = __esm({
         this.name = `plugin.app.${appId}`;
         this.version = sys?.version;
       }
+      /**
+       * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
+       *
+       * On a fresh boot there are zero users until the first human sign-up
+       * (which the SeedLoader runs *before*), so identity-derived seeds like
+       * `owner_id: cel`os.user.id`` had nothing to resolve against and were
+       * dropped silently. To make seeds deterministic and self-sufficient we
+       * upsert a single non-loginable **system user** (`usr_system`) and bind
+       * it as `os.user`.
+       *
+       * Why a dedicated system user rather than the login admin:
+       *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
+       *    password lives in `sys_account`, so a *loginable* admin can only be
+       *    minted through better-auth (the CLI does this via HTTP sign-up after
+       *    boot). A raw insert here would bypass those invariants.
+       *  - `usr_system` is an owner identity only (no credential row), analogous
+       *    to Salesforce's "Automated Process" user. The human admin is created
+       *    independently and need not be the seed owner.
+       *
+       * Idempotent: matches by the stable id, inserts once, reuses thereafter.
+       * Failures are non-fatal (logged) — records that actually need `os.user`
+       * then fail loudly in the loader with an actionable message.
+       */
+      async ensureSeedIdentity(ql, logger) {
+        const SYSTEM_USER_ID = import_system.SystemUserId.SYSTEM;
+        const SYSTEM_USER_EMAIL = "system@objectstack.local";
+        const identity = { user: { id: SYSTEM_USER_ID, role: "system", email: SYSTEM_USER_EMAIL } };
+        const opts = { context: { isSystem: true } };
+        try {
+          const existing = await ql.find(
+            "sys_user",
+            { where: { id: SYSTEM_USER_ID }, limit: 1 },
+            opts
+          );
+          if (Array.isArray(existing) && existing.length > 0) {
+            return identity;
+          }
+          await ql.insert(
+            "sys_user",
+            {
+              id: SYSTEM_USER_ID,
+              name: "System",
+              email: SYSTEM_USER_EMAIL,
+              email_verified: true,
+              role: "system"
+            },
+            opts
+          );
+          logger.info(
+            `[Seeder] Provisioned deterministic system user (${SYSTEM_USER_ID}) as seed owner \u2014 binds os.user for identity-derived seed values`
+          );
+        } catch (err) {
+          logger.warn("[Seeder] Failed to ensure system seed user; os.user-dependent seeds may be dropped", {
+            error: err?.message ?? String(err)
+          });
+        }
+        return identity;
+      }
       /**
        * Emit a kernel hook so the control-plane `AppCatalogService` can
        * upsert / delete the corresponding `sys_app` row. Silently no-ops
@@ -2088,294 +2172,88 @@ var init_standalone_stack = __esm({
   }
 });
-// src/cloud/platform-sso.ts
-var platform_sso_exports = {};
-__export(platform_sso_exports, {
-  PLATFORM_SSO_PROVIDER_ID: () => PLATFORM_SSO_PROVIDER_ID,
-  backfillPlatformSsoClients: () => backfillPlatformSsoClients,
-  buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
-  derivePlatformSsoClientId: () => derivePlatformSsoClientId,
-  derivePlatformSsoClientSecret: () => derivePlatformSsoClientSecret,
-  hashPlatformSsoClientSecret: () => hashPlatformSsoClientSecret,
-  seedPlatformSsoClient: () => seedPlatformSsoClient
+// src/cloud/environment-org-seed.ts
+var environment_org_seed_exports = {};
+__export(environment_org_seed_exports, {
+  seedProjectMember: () => seedProjectMember,
+  seedProjectOrganization: () => seedProjectOrganization
 });
-function derivePlatformSsoClientId(environmentId) {
-  return `project_${environmentId}`;
-}
-function derivePlatformSsoClientSecret(baseSecret, environmentId) {
-  return (0, import_node_crypto.createHmac)("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
-}
-function hashPlatformSsoClientSecret(plaintext) {
-  return (0, import_node_crypto.createHash)("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
-  let host;
-  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
-    host = hostname;
-  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
-    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
-    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
-    host = `http://${hostWithPort}`;
-  } else {
-    host = `https://${hostname}`;
-  }
-  const trimmed = host.replace(/\/+$/, "");
-  const path = basePath.replace(/\/+$/, "");
-  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
-}
-async function seedPlatformSsoClient(opts) {
-  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
-    return;
-  }
-  const clientId = derivePlatformSsoClientId(environmentId);
-  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
-  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
-  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
-  let existing = null;
+async function seedProjectOrganization(kernel, seed, logger) {
+  if (!seed?.id || !seed?.name) return "skipped";
   try {
-    const rows = await ql.find("sys_oauth_application", {
-      where: { client_id: clientId },
-      limit: 1
-    }, { context: { isSystem: true } });
-    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-    existing = list[0] ?? null;
+    const ql = kernel.getService("objectql");
+    if (!ql?.insert || !ql?.find) {
+      logger?.warn?.("[seedProjectOrganization] objectql service unavailable", { orgId: seed.id });
+      return "skipped";
+    }
+    try {
+      const existing = await ql.find(SYS_ORG, { where: { id: seed.id } });
+      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
+      if (Array.isArray(rows) && rows.length > 0) return "exists";
+    } catch {
+    }
+    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+    await ql.insert(SYS_ORG, {
+      id: seed.id,
+      name: seed.name,
+      slug: seed.slug ?? null,
+      logo: seed.logo ?? null,
+      metadata: null,
+      created_at: nowIso
+    });
+    logger?.info?.("[seedProjectOrganization] org seeded", {
+      orgId: seed.id,
+      name: seed.name
+    });
+    return "inserted";
   } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
-      environmentId,
+    logger?.warn?.("[seedProjectOrganization] failed (non-fatal)", {
+      orgId: seed.id,
       error: err?.message
     });
-    return;
+    return "error";
   }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  if (!existing) {
-    const redirects = desiredRedirect ? [desiredRedirect] : [];
+}
+async function seedProjectMember(kernel, args, logger) {
+  const { userId, organizationId } = args;
+  const role = args.role ?? "member";
+  if (!userId || !organizationId) return "skipped";
+  try {
+    const ql = kernel.getService("objectql");
+    if (!ql?.insert || !ql?.find) {
+      logger?.warn?.("[seedProjectMember] objectql service unavailable", { userId, organizationId });
+      return "skipped";
+    }
     try {
-      await ql.insert("sys_oauth_application", {
-        id: `oauthc_${environmentId}`,
-        name: `Project ${environmentId}`,
-        client_id: clientId,
-        client_secret: clientSecretStored,
-        type: "web",
-        redirect_uris: JSON.stringify(redirects),
-        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-        response_types: JSON.stringify(["code"]),
-        scopes: JSON.stringify(["openid", "email", "profile"]),
-        token_endpoint_auth_method: "client_secret_basic",
-        require_pkce: false,
-        skip_consent: true,
-        disabled: false,
-        subject_type: "public",
-        created_at: nowIso,
-        updated_at: nowIso
-      }, { context: { isSystem: true } });
-      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
-    } catch (err) {
-      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
-        environmentId,
-        error: err?.message
+      const existing = await ql.find("sys_member", {
+        where: { user_id: userId, organization_id: organizationId }
       });
-      if (throwOnError) throw err;
+      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
+      if (Array.isArray(rows) && rows.length > 0) return "exists";
+    } catch {
     }
-    return;
-  }
-  let currentRedirects = [];
-  try {
-    const raw = existing.redirect_uris;
-    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
-    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
-  } catch {
-  }
-  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
-  const repairPatch = {
-    name: existing.name || `Project ${environmentId}`,
-    client_secret: clientSecretStored,
-    type: existing.type || "web",
-    redirect_uris: JSON.stringify(mergedRedirects),
-    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-    response_types: JSON.stringify(["code"]),
-    scopes: JSON.stringify(["openid", "email", "profile"]),
-    token_endpoint_auth_method: "client_secret_basic",
-    require_pkce: false,
-    skip_consent: true,
-    disabled: false,
-    subject_type: "public",
-    updated_at: nowIso
-  };
-  try {
-    await ql.update(
-      "sys_oauth_application",
-      repairPatch,
-      { where: { id: existing.id } },
-      { context: { isSystem: true } }
-    );
-    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
-      environmentId,
-      clientId,
-      redirect_uris: mergedRedirects
+    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+    const memId = `mem_${Math.random().toString(36).slice(2, 14)}`;
+    await ql.insert("sys_member", {
+      id: memId,
+      organization_id: organizationId,
+      user_id: userId,
+      role,
+      created_at: nowIso
+    });
+    logger?.info?.("[seedProjectMember] member seeded", {
+      userId,
+      organizationId,
+      role
     });
+    return "inserted";
   } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
-      environmentId,
+    logger?.warn?.("[seedProjectMember] failed (non-fatal)", {
+      userId,
+      organizationId,
       error: err?.message
     });
-    if (throwOnError) throw err;
-  }
-}
-async function backfillPlatformSsoClients(opts) {
-  const { ql, baseSecret, logger, limit = 1e3 } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
-  }
-  let projects = [];
-  try {
-    const rows = await ql.find("sys_environment", {
-      limit,
-      fields: ["id", "hostname", "status"]
-    }, { context: { isSystem: true } });
-    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-  } catch (err) {
-    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
-      error: err?.message
-    });
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
-  }
-  let seeded = 0;
-  let alreadyExisted = 0;
-  const failures = [];
-  for (const p of projects) {
-    if (!p?.id) continue;
-    const before = await (async () => {
-      try {
-        const r = await ql.find("sys_oauth_application", {
-          where: { client_id: derivePlatformSsoClientId(p.id) },
-          limit: 1
-        }, { context: { isSystem: true } });
-        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-        return list[0] ?? null;
-      } catch {
-        return null;
-      }
-    })();
-    try {
-      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
-      if (before) alreadyExisted++;
-      else {
-        const after = await (async () => {
-          try {
-            const r = await ql.find("sys_oauth_application", {
-              where: { client_id: derivePlatformSsoClientId(p.id) },
-              limit: 1
-            }, { context: { isSystem: true } });
-            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-            return list[0] ?? null;
-          } catch (err) {
-            return { _readErr: err?.message };
-          }
-        })();
-        if (after && !after._readErr) seeded++;
-        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
-      }
-    } catch (err) {
-      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
-    }
-  }
-  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
-  return { scanned: projects.length, seeded, alreadyExisted, failures };
-}
-var import_node_crypto, PLATFORM_SSO_PROVIDER_ID;
-var init_platform_sso = __esm({
-  "src/cloud/platform-sso.ts"() {
-    "use strict";
-    import_node_crypto = require("crypto");
-    PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
-  }
-});
-// src/cloud/environment-org-seed.ts
-var environment_org_seed_exports = {};
-__export(environment_org_seed_exports, {
-  seedProjectMember: () => seedProjectMember,
-  seedProjectOrganization: () => seedProjectOrganization
-});
-async function seedProjectOrganization(kernel, seed, logger) {
-  if (!seed?.id || !seed?.name) return "skipped";
-  try {
-    const ql = kernel.getService("objectql");
-    if (!ql?.insert || !ql?.find) {
-      logger?.warn?.("[seedProjectOrganization] objectql service unavailable", { orgId: seed.id });
-      return "skipped";
-    }
-    try {
-      const existing = await ql.find(SYS_ORG, { where: { id: seed.id } });
-      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
-      if (Array.isArray(rows) && rows.length > 0) return "exists";
-    } catch {
-    }
-    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-    await ql.insert(SYS_ORG, {
-      id: seed.id,
-      name: seed.name,
-      slug: seed.slug ?? null,
-      logo: seed.logo ?? null,
-      metadata: null,
-      created_at: nowIso
-    });
-    logger?.info?.("[seedProjectOrganization] org seeded", {
-      orgId: seed.id,
-      name: seed.name
-    });
-    return "inserted";
-  } catch (err) {
-    logger?.warn?.("[seedProjectOrganization] failed (non-fatal)", {
-      orgId: seed.id,
-      error: err?.message
-    });
-    return "error";
-  }
-}
-async function seedProjectMember(kernel, args, logger) {
-  const { userId, organizationId } = args;
-  const role = args.role ?? "member";
-  if (!userId || !organizationId) return "skipped";
-  try {
-    const ql = kernel.getService("objectql");
-    if (!ql?.insert || !ql?.find) {
-      logger?.warn?.("[seedProjectMember] objectql service unavailable", { userId, organizationId });
-      return "skipped";
-    }
-    try {
-      const existing = await ql.find("sys_member", {
-        where: { user_id: userId, organization_id: organizationId }
-      });
-      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
-      if (Array.isArray(rows) && rows.length > 0) return "exists";
-    } catch {
-    }
-    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-    const memId = `mem_${Math.random().toString(36).slice(2, 14)}`;
-    await ql.insert("sys_member", {
-      id: memId,
-      organization_id: organizationId,
-      user_id: userId,
-      role,
-      created_at: nowIso
-    });
-    logger?.info?.("[seedProjectMember] member seeded", {
-      userId,
-      organizationId,
-      role
-    });
-    return "inserted";
-  } catch (err) {
-    logger?.warn?.("[seedProjectMember] failed (non-fatal)", {
-      userId,
-      organizationId,
-      error: err?.message
-    });
-    return "error";
+    return "error";
   }
 }
 var SYS_ORG;
@@ -2451,6 +2329,7 @@ __export(index_exports, {
   DEFAULT_CLOUD_URL: () => DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS: () => DEFAULT_RATE_LIMITS,
   DriverPlugin: () => DriverPlugin,
+  ExternalValidationPlugin: () => ExternalValidationPlugin,
   FileArtifactApiClient: () => FileArtifactApiClient,
   HttpDispatcher: () => HttpDispatcher,
   HttpServer: () => HttpServer,
@@ -2479,7 +2358,7 @@ __export(index_exports, {
   SandboxError: () => SandboxError,
   SeedLoaderService: () => SeedLoaderService,
   UnimplementedScriptRunner: () => UnimplementedScriptRunner,
-  _resetEnvDeprecationWarnings: () => import_types6._resetEnvDeprecationWarnings,
+  _resetEnvDeprecationWarnings: () => import_types5._resetEnvDeprecationWarnings,
   actionBodyRunnerFactory: () => actionBodyRunnerFactory,
   backfillPlatformSsoClients: () => backfillPlatformSsoClients,
   buildPlatformSsoRedirectUri: () => buildPlatformSsoRedirectUri,
@@ -2489,6 +2368,7 @@ __export(index_exports, {
   collectBundleHooks: () => collectBundleHooks,
   createDefaultHostConfig: () => createDefaultHostConfig,
   createDispatcherPlugin: () => createDispatcherPlugin,
+  createExternalValidationPlugin: () => createExternalValidationPlugin,
   createObjectOSStack: () => createObjectOSStack,
   createRestApiPlugin: () => import_rest.createRestApiPlugin,
   createStandaloneStack: () => createStandaloneStack,
@@ -2504,7 +2384,7 @@ __export(index_exports, {
   mergeRuntimeModule: () => mergeRuntimeModule,
   parseTraceparent: () => parseTraceparent,
   readArtifactSource: () => readArtifactSource,
-  readEnvWithDeprecation: () => import_types6.readEnvWithDeprecation,
+  readEnvWithDeprecation: () => import_types5.readEnvWithDeprecation,
   resolveCloudUrl: () => resolveCloudUrl,
   resolveDefaultArtifactPath: () => resolveDefaultArtifactPath,
   resolveErrorReporter: () => resolveErrorReporter,
@@ -2625,11 +2505,170 @@ init_driver_plugin();
 init_app_plugin();
 init_seed_loader();
+// src/external-validation-plugin.ts
+var import_shared = require("@objectstack/spec/shared");
+var ExternalValidationPlugin = class {
+  constructor() {
+    this.name = "com.objectstack.external-validation";
+    this.type = "standard";
+    this.version = "1.0.0";
+    /** Active background drift-check timers, keyed by datasource name. */
+    this.driftTimers = /* @__PURE__ */ new Map();
+    this.init = (_ctx) => {
+    };
+    this.start = (ctx) => {
+      ctx.hook("kernel:ready", async () => {
+        await this.runValidation(ctx);
+        await this.scheduleDriftChecks(ctx);
+      });
+    };
+    /** Tear down background drift-check timers (idempotent). */
+    this.stop = () => {
+      for (const timer of this.driftTimers.values()) clearInterval(timer);
+      this.driftTimers.clear();
+    };
+  }
+  /** Exposed for testing; invoked from the kernel:ready handler. */
+  async runValidation(ctx) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) {
+      ctx.logger?.debug?.("[external-validation] service not registered; skipping");
+      return;
+    }
+    const metadata = safeGet(ctx, "metadata");
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] validateAll failed", { err });
+      return;
+    }
+    const failures = report.results.filter((r) => !r.ok);
+    if (failures.length === 0) {
+      ctx.logger?.info?.("[external-validation] all federated objects match their remote schema", {
+        objects: report.results.length
+      });
+      return;
+    }
+    for (const r of failures) {
+      const mode = await resolveOnMismatch(metadata, r.datasource);
+      if (mode === "ignore") continue;
+      if (mode === "warn") {
+        ctx.logger?.warn?.("[external-validation] external schema drift", {
+          datasource: r.datasource,
+          object: r.object,
+          diffs: r.diffs
+        });
+        continue;
+      }
+      throw new import_shared.ExternalSchemaMismatchError(r.datasource, r.object, r.diffs);
+    }
+  }
+  /**
+   * Arm a background drift checker for every federated datasource that declares
+   * `external.validation.checkIntervalMs`. Each fires on its own interval and
+   * emits `external.schema.drift` events — it never throws or aborts the
+   * process, since drift past boot is observational, not fatal.
+   *
+   * No-op when metadata can't be enumerated or no datasource opts in. Re-arming
+   * (e.g. a second `kernel:ready`) first clears existing timers so intervals
+   * don't accumulate.
+   */
+  async scheduleDriftChecks(ctx) {
+    this.stop();
+    const metadata = safeGet(ctx, "metadata");
+    if (!metadata?.list) return;
+    let datasources;
+    try {
+      datasources = await metadata.list("datasource");
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] could not list datasources for drift checks", { err });
+      return;
+    }
+    for (const def of datasources) {
+      const interval = def?.external?.validation?.checkIntervalMs;
+      const name = def?.name;
+      if (!name || typeof interval !== "number" || interval <= 0) continue;
+      const timer = setInterval(() => {
+        void this.runDriftCheck(ctx, name);
+      }, interval);
+      timer.unref?.();
+      this.driftTimers.set(name, timer);
+      ctx.logger?.info?.("[external-validation] armed background drift check", {
+        datasource: name,
+        intervalMs: interval
+      });
+    }
+  }
+  /**
+   * Re-validate one datasource's federated objects and emit an
+   * `external.schema.drift` event per mismatch. Exposed for testing; invoked
+   * from the interval armed by {@link scheduleDriftChecks}. Never throws.
+   *
+   * @returns the number of drift events emitted.
+   */
+  async runDriftCheck(ctx, datasource) {
+    const svc = safeGet(ctx, "external-datasource");
+    if (!svc?.validateAll) return 0;
+    let report;
+    try {
+      report = await svc.validateAll();
+    } catch (err) {
+      ctx.logger?.warn?.("[external-validation] drift check validateAll failed", {
+        datasource,
+        err
+      });
+      return 0;
+    }
+    const drifted = report.results.filter((r) => !r.ok && r.datasource === datasource);
+    for (const r of drifted) {
+      const event = {
+        datasource: r.datasource,
+        object: r.object,
+        diffs: r.diffs
+      };
+      try {
+        await ctx.trigger("external.schema.drift", event);
+      } catch (err) {
+        ctx.logger?.warn?.("[external-validation] failed to emit drift event", {
+          datasource,
+          object: r.object,
+          err
+        });
+      }
+    }
+    if (drifted.length > 0) {
+      ctx.logger?.warn?.("[external-validation] background drift detected", {
+        datasource,
+        objects: drifted.map((r) => r.object)
+      });
+    }
+    return drifted.length;
+  }
+};
+function createExternalValidationPlugin() {
+  return new ExternalValidationPlugin();
+}
+async function resolveOnMismatch(metadata, datasource) {
+  try {
+    const ds = await metadata?.get?.("datasource", datasource);
+    return ds?.external?.validation?.onMismatch ?? "fail";
+  } catch {
+    return "fail";
+  }
+}
+function safeGet(ctx, name) {
+  try {
+    return ctx.getService(name);
+  } catch {
+    return void 0;
+  }
+}
 // src/http-dispatcher.ts
 var import_core2 = require("@objectstack/core");
-var import_types3 = require("@objectstack/types");
-var import_system = require("@objectstack/spec/system");
-var import_shared = require("@objectstack/spec/shared");
+var import_system2 = require("@objectstack/spec/system");
+var import_shared2 = require("@objectstack/spec/shared");
 init_package_state_store();
 // src/security/resolve-execution-context.ts
@@ -3092,7 +3131,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         }
       }
       try {
-        const authService = await this.getService(import_system.CoreServiceName.enum.auth);
+        const authService = await this.getService(import_system2.CoreServiceName.enum.auth);
         const sessionData = await authService?.api?.getSession?.({
           headers: context.request?.headers
         });
@@ -3173,7 +3212,7 @@ var _HttpDispatcher = class _HttpDispatcher {
     let userId;
     let activeOrganizationId;
     try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
+      const authService = await this.resolveService(import_system2.CoreServiceName.enum.auth);
       const sessionData = await authService?.api?.getSession?.({
         headers: context.request?.headers
       });
@@ -3242,21 +3281,21 @@ var _HttpDispatcher = class _HttpDispatcher {
       queueSvc,
       jobSvc
     ] = await Promise.all([
-      this.resolveService(import_system.CoreServiceName.enum.auth),
-      this.resolveService(import_system.CoreServiceName.enum.graphql),
-      this.resolveService(import_system.CoreServiceName.enum.search),
-      this.resolveService(import_system.CoreServiceName.enum.realtime),
-      this.resolveService(import_system.CoreServiceName.enum["file-storage"]),
-      this.resolveService(import_system.CoreServiceName.enum.analytics),
-      this.resolveService(import_system.CoreServiceName.enum.workflow),
-      this.resolveService(import_system.CoreServiceName.enum.ai),
-      this.resolveService(import_system.CoreServiceName.enum.notification),
-      this.resolveService(import_system.CoreServiceName.enum.i18n),
-      this.resolveService(import_system.CoreServiceName.enum.ui),
-      this.resolveService(import_system.CoreServiceName.enum.automation),
-      this.resolveService(import_system.CoreServiceName.enum.cache),
-      this.resolveService(import_system.CoreServiceName.enum.queue),
-      this.resolveService(import_system.CoreServiceName.enum.job)
+      this.resolveService(import_system2.CoreServiceName.enum.auth),
+      this.resolveService(import_system2.CoreServiceName.enum.graphql),
+      this.resolveService(import_system2.CoreServiceName.enum.search),
+      this.resolveService(import_system2.CoreServiceName.enum.realtime),
+      this.resolveService(import_system2.CoreServiceName.enum["file-storage"]),
+      this.resolveService(import_system2.CoreServiceName.enum.analytics),
+      this.resolveService(import_system2.CoreServiceName.enum.workflow),
+      this.resolveService(import_system2.CoreServiceName.enum.ai),
+      this.resolveService(import_system2.CoreServiceName.enum.notification),
+      this.resolveService(import_system2.CoreServiceName.enum.i18n),
+      this.resolveService(import_system2.CoreServiceName.enum.ui),
+      this.resolveService(import_system2.CoreServiceName.enum.automation),
+      this.resolveService(import_system2.CoreServiceName.enum.cache),
+      this.resolveService(import_system2.CoreServiceName.enum.queue),
+      this.resolveService(import_system2.CoreServiceName.enum.job)
     ]);
     const hasAuth = !!authSvc;
     const hasGraphQL = !!(graphqlSvc || this.kernel.graphql);
@@ -3373,7 +3412,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    * path: sub-path after /auth/
    */
   async handleAuth(path, method, body, context) {
-    const authService = await this.getService(import_system.CoreServiceName.enum.auth);
+    const authService = await this.getService(import_system2.CoreServiceName.enum.auth);
     if (authService && typeof authService.handler === "function") {
       const response = await authService.handler(context.request, context.response);
       return { handled: true, result: response };
@@ -3457,10 +3496,21 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return { handled: true, response: this.success({ types: ["object", "app", "plugin"] }) };
     }
+    if (parts.length === 4 && (parts[0] === "objects" || parts[0] === "object") && parts[2] === "state" && (!method || method === "GET")) {
+      const name = parts[1];
+      const field = parts[3];
+      const from = query?.from !== void 0 ? String(query.from) : void 0;
+      const qlService = await this.getObjectQLService();
+      const schema = qlService?.registry?.getObject(name);
+      if (!schema) return { handled: true, response: this.error("Object not found", 404) };
+      const { legalNextStates } = await import("@objectstack/objectql");
+      const next = from === void 0 ? null : legalNextStates(schema, field, from);
+      return { handled: true, response: this.success({ object: name, field, from: from ?? null, next }) };
+    }
     if (parts.length >= 3 && parts[parts.length - 1] === "published" && (!method || method === "GET")) {
       const type = parts[0];
       const name = parts.slice(1, -1).join("/");
-      const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+      const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
       if (metadataService && typeof metadataService.getPublished === "function") {
         const data = await metadataService.getPublished(type, name);
         if (data === void 0) return { handled: true, response: this.error("Not found", 404) };
@@ -3534,7 +3584,7 @@ var _HttpDispatcher = class _HttpDispatcher {
           }
           return { handled: true, response: this.error("Not found", 404) };
         }
-        const singularType = (0, import_shared.pluralToSingular)(type);
+        const singularType = (0, import_shared2.pluralToSingular)(type);
         const protocol = await this.resolveService("protocol");
         if (protocol && typeof protocol.getMetaItem === "function") {
           try {
@@ -3571,7 +3621,7 @@ var _HttpDispatcher = class _HttpDispatcher {
         } catch {
         }
       }
-      const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+      const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
       if (metadataService && typeof metadataService.list === "function") {
         try {
           let items = await metadataService.list(typeOrName);
@@ -3705,7 +3755,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    * path: sub-path after /analytics/
    */
   async handleAnalytics(path, method, body, _context) {
-    const analyticsService = await this.getService(import_system.CoreServiceName.enum.analytics);
+    const analyticsService = await this.getService(import_system2.CoreServiceName.enum.analytics);
     if (!analyticsService) return { handled: false };
     const m = method.toUpperCase();
     const subPath = path.replace(/^\/+/, "");
@@ -3735,7 +3785,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    *   GET /labels/:object?locale=xx   → getFieldLabels  (locale from query)
    */
   async handleI18n(path, method, query, _context) {
-    const i18nService = await this.getService(import_system.CoreServiceName.enum.i18n);
+    const i18nService = await this.getService(import_system2.CoreServiceName.enum.i18n);
     if (!i18nService) return { handled: true, response: this.error("i18n service not available", 501) };
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
@@ -3845,7 +3895,7 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       if (parts.length === 2 && parts[1] === "publish" && m === "POST") {
         const id = decodeURIComponent(parts[0]);
-        const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+        const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
         if (metadataService && typeof metadataService.publishPackage === "function") {
           const result = await metadataService.publishPackage(id, body || {});
           return { handled: true, response: this.success(result) };
@@ -3854,7 +3904,7 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       if (parts.length === 2 && parts[1] === "revert" && m === "POST") {
         const id = decodeURIComponent(parts[0]);
-        const metadataService = await this.getService(import_system.CoreServiceName.enum.metadata);
+        const metadataService = await this.getService(import_system2.CoreServiceName.enum.metadata);
         if (metadataService && typeof metadataService.revertPackage === "function") {
           await metadataService.revertPackage(id);
           return { handled: true, response: this.success({ success: true }) };
@@ -3929,13 +3979,13 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       return out;
     };
-    const exportPluralKeys = Object.keys(import_shared.PLURAL_TO_SINGULAR).filter(
+    const exportPluralKeys = Object.keys(import_shared2.PLURAL_TO_SINGULAR).filter(
       (k) => k !== "datasources" && k !== "emailTemplates"
     );
     const manifest = {};
     let total = 0;
     for (const plural of exportPluralKeys) {
-      const singular = import_shared.PLURAL_TO_SINGULAR[plural];
+      const singular = import_shared2.PLURAL_TO_SINGULAR[plural];
       let items = [];
       try {
         const res = await protocol.getMetaItems({ type: singular, packageId, organizationId });
@@ -4007,7 +4057,7 @@ var _HttpDispatcher = class _HttpDispatcher {
    */
   async resolveActiveOrganizationId(context) {
     try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
+      const authService = await this.resolveService(import_system2.CoreServiceName.enum.auth);
       const rawHeaders = context.request?.headers;
       let headers = rawHeaders;
       if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
@@ -4030,1305 +4080,14 @@ var _HttpDispatcher = class _HttpDispatcher {
       return void 0;
     }
   }
-  async resolveCallerUserId(context) {
-    try {
-      const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
-      const rawHeaders = context.request?.headers;
-      let headers = rawHeaders;
-      if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-        try {
-          const h = new Headers();
-          for (const [k, v] of Object.entries(rawHeaders)) {
-            if (v == null) continue;
-            h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-          }
-          headers = h;
-        } catch {
-          headers = rawHeaders;
-        }
-      }
-      const sessionData = await (authService?.auth?.api?.getSession ?? authService?.api?.getSession)?.call(
-        authService?.auth?.api ?? authService?.api,
-        { headers }
-      );
-      return sessionData?.user?.id ?? sessionData?.session?.userId;
-    } catch (e) {
-      return void 0;
-    }
-  }
-  async handleCloud(path, method, body, query, _context) {
-    const m = method.toUpperCase();
-    const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
-    const qlService = await this.getObjectQLService();
-    const ql = qlService ?? await this.resolveService("objectql");
-    if (!ql) {
-      return { handled: true, response: this.error("Project service not available (ObjectQL missing)", 503) };
-    }
-    const ENV = "sys_environment";
-    const CRED = "sys_environment_credential";
-    const MEM = "sys_environment_member";
-    const PKG_INSTALL = "sys_package_installation";
-    const PKG = "sys_package";
-    const PKG_VERSION = "sys_package_version";
-    const ensureSysPackage = async (manifestId, ownerOrgId, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG, {
-        id,
-        manifest_id: manifestId,
-        owner_org_id: ownerOrgId,
-        display_name: manifest?.name ?? manifestId,
-        description: manifest?.description ?? null,
-        visibility: "private",
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const ensureSysPackageVersion = async (packageId, version, createdBy, manifest) => {
-      const existing = await ql.findOne(PKG_VERSION, {
-        where: { package_id: packageId, version }
-      });
-      if (existing?.id) return existing.id;
-      const id = randomUUID();
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      await ql.insert(PKG_VERSION, {
-        id,
-        package_id: packageId,
-        version,
-        status: "published",
-        manifest_json: manifest ? JSON.stringify(manifest) : null,
-        is_pre_release: false,
-        published_at: nowIso,
-        published_by: createdBy,
-        created_by: createdBy,
-        created_at: nowIso,
-        updated_at: nowIso
-      });
-      return id;
-    };
-    const findInstallByManifestId = async (envId, manifestId) => {
-      const pkgRow = await ql.findOne(PKG, { where: { manifest_id: manifestId } });
-      if (!pkgRow?.id) return null;
-      return await ql.findOne(PKG_INSTALL, {
-        where: { environment_id: envId, package_id: pkgRow.id }
-      });
-    };
-    const toShortName = (driverId) => {
-      const prefix = "com.objectstack.driver.";
-      return driverId.startsWith(prefix) ? driverId.slice(prefix.length) : driverId;
-    };
-    const listRegisteredDrivers = () => {
-      const services = this.getServicesMap();
-      const registry = services["project-provisioning-adapters"];
-      if (registry && typeof registry.list === "function") {
-        try {
-          const adapters = registry.list();
-          const seen = /* @__PURE__ */ new Set();
-          const drivers2 = [];
-          for (const adapter of adapters ?? []) {
-            const name = adapter?.driver;
-            if (!name || seen.has(name)) continue;
-            seen.add(name);
-            drivers2.push({ name, driverId: `com.objectstack.driver.${name}` });
-          }
-          if (drivers2.length > 0) return drivers2;
-        } catch {
-        }
-      }
-      const drivers = [];
-      for (const [serviceKey, svc] of Object.entries(services)) {
-        if (!serviceKey.startsWith("driver.")) continue;
-        const raw = serviceKey.slice("driver.".length);
-        if (!raw || raw === "unknown") continue;
-        const driverId = svc?.name ?? raw;
-        drivers.push({ name: toShortName(driverId), driverId });
-      }
-      return drivers;
-    };
-    const resolveDriver = (requested) => {
-      const registered = listRegisteredDrivers();
-      if (requested) {
-        const wanted = String(requested).toLowerCase();
-        return registered.find((d) => d.name === wanted || d.driverId === wanted);
-      }
-      return registered.find((d) => d.name === "turso") ?? registered.find((d) => d.name === "memory") ?? registered[0];
-    };
-    const buildDatabaseUrl = (driverName, environmentId) => {
-      const dbName = `env-${environmentId}`;
-      switch (driverName) {
-        case "memory":
-          return `memory://${dbName}`;
-        case "turso":
-          return `libsql://${dbName}.mock-turso.local`;
-        default:
-          return `${driverName}://${dbName}`;
-      }
-    };
-    const getRealAdapter = async (driverName) => {
-      try {
-        const registry = await this.resolveService("project-provisioning-adapters");
-        const aliases = { sql: "sqlite" };
-        const effective = aliases[driverName] ?? driverName;
-        return registry?.get?.(effective) ?? registry?.get?.(driverName);
-      } catch {
-        return void 0;
-      }
-    };
-    const findOne = async (obj, where) => {
-      let rows = await ql.find(obj, { where });
-      if (rows && rows.value) rows = rows.value;
-      if (!Array.isArray(rows)) return void 0;
-      return rows[0];
-    };
-    const cleanProjectRow = (row) => {
-      if (!row) return row;
-      let metadata = row.metadata;
-      if (typeof metadata === "string") {
-        try {
-          metadata = JSON.parse(metadata);
-        } catch {
-        }
-      }
-      return { ...row, metadata };
-    };
-    try {
-      if (parts.length === 1 && parts[0] === "drivers" && m === "GET") {
-        const drivers = listRegisteredDrivers();
-        return { handled: true, response: this.success({ drivers, total: drivers.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "templates" && m === "GET") {
-        try {
-          const seeder = await this.resolveService("template-seeder");
-          const templates = seeder?.listTemplates?.() ?? [];
-          return { handled: true, response: this.success({ templates, total: templates.length }) };
-        } catch (err) {
-          try {
-            console.error("[HttpDispatcher] /cloud/templates: failed to resolve template-seeder:", err?.message ?? err);
-          } catch {
-          }
-          return { handled: true, response: this.success({ templates: [], total: 0 }) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "admin" && parts[1] === "platform-sso" && parts[2] === "backfill" && m === "POST") {
-        const baseSecret = ((0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-        if (!baseSecret) {
-          return { handled: true, response: this.error("OS_AUTH_SECRET not configured on this worker", 503) };
-        }
-        const rawHeaders = _context?.request?.headers;
-        let authHeader;
-        if (rawHeaders && typeof rawHeaders.get === "function") {
-          authHeader = rawHeaders.get("authorization") ?? void 0;
-        } else if (rawHeaders && typeof rawHeaders === "object") {
-          authHeader = rawHeaders["authorization"] ?? rawHeaders["Authorization"];
-        }
-        const presented = typeof authHeader === "string" && authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
-        if (!presented || presented !== baseSecret) {
-          return { handled: true, response: this.error("forbidden: Bearer token must match OS_AUTH_SECRET", 403) };
-        }
-        try {
-          const { backfillPlatformSsoClients: backfillPlatformSsoClients2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const result = await backfillPlatformSsoClients2({
-            ql,
-            baseSecret,
-            logger: console
-          });
-          let sample = [];
-          let total = 0;
-          try {
-            const rows = await ql.find("sys_oauth_application", { limit: 5 }, { context: { isSystem: true } });
-            const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-            sample = list;
-            total = typeof rows?.total === "number" ? rows.total : list.length;
-          } catch (e) {
-            sample = [{ _readErr: e?.message ?? String(e) }];
-          }
-          return { handled: true, response: this.success({ ...result, total, sample }) };
-        } catch (err) {
-          return { handled: true, response: this.error(`backfill failed: ${err?.message ?? String(err)}`, 500) };
-        }
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "GET") {
-        const where = {};
-        if (query?.organizationId) where.organization_id = query.organizationId;
-        if (query?.status) where.status = query.status;
-        let rows = await ql.find(ENV, Object.keys(where).length ? { where } : void 0);
-        if (rows && rows.value) rows = rows.value;
-        const projects = (Array.isArray(rows) ? rows : []).map(cleanProjectRow);
-        return { handled: true, response: this.success({ projects, total: projects.length }) };
-      }
-      if (parts.length === 1 && parts[0] === "projects" && m === "POST") {
-        const req = body || {};
-        if (req.organization_id === "__session__" || req.created_by === "__session__") {
-          try {
-            const userId = await this.resolveCallerUserId(_context);
-            if (req.created_by === "__session__") {
-              req.created_by = userId ?? "system";
-            }
-            if (req.organization_id === "__session__") {
-              const authService = await this.resolveService(import_system.CoreServiceName.enum.auth);
-              const rawHeaders = _context?.request?.headers;
-              let headers = rawHeaders;
-              if (rawHeaders && typeof rawHeaders === "object" && typeof rawHeaders.get !== "function") {
-                const h = new Headers();
-                for (const [k, v] of Object.entries(rawHeaders)) {
-                  if (v == null) continue;
-                  h.set(k, Array.isArray(v) ? v.join(", ") : String(v));
-                }
-                headers = h;
-              }
-              const apiObj = authService?.auth?.api ?? authService?.api;
-              const sessionData = await apiObj?.getSession?.call(apiObj, { headers });
-              req.organization_id = sessionData?.session?.activeOrganizationId ?? void 0;
-            }
-          } catch {
-          }
-        }
-        if (!req.organization_id || !req.display_name) {
-          return { handled: true, response: this.error("organization_id and display_name are required", 400) };
-        }
-        const environmentId = randomUUID();
-        const credentialId = randomUUID();
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const resolved = resolveDriver(req.driver);
-        if (!resolved) {
-          const available = listRegisteredDrivers().map((d) => d.name);
-          if (req.driver) {
-            return {
-              handled: true,
-              response: this.error(
-                `Unknown driver '${req.driver}'. Available drivers: [${available.join(", ") || "none"}]`,
-                400
-              )
-            };
-          }
-          return {
-            handled: true,
-            response: this.error(
-              "No ObjectQL driver is registered. Register at least one DriverPlugin (e.g. InMemoryDriver or SqlDriver).",
-              503
-            )
-          };
-        }
-        const driver = resolved.name;
-        let plaintextSecret = `mock-token-${environmentId}`;
-        let computedHostname = req.hostname;
-        if (!computedHostname) {
-          const shortId = environmentId.slice(0, 8);
-          try {
-            const orgRow = await findOne("sys_organization", { id: req.organization_id });
-            const orgSlug = orgRow?.slug || req.organization_id;
-            const rootDomain = (0, import_core2.getEnv)("OS_ROOT_DOMAIN") ?? (0, import_core2.getEnv)("ROOT_DOMAIN", "objectstack.app");
-            computedHostname = `${orgSlug}-${shortId}.${rootDomain}`;
-          } catch {
-            computedHostname = `${req.organization_id}-${shortId}.objectstack.app`;
-          }
-        }
-        try {
-          const existing = await findOne("sys_environment", {
-            hostname: computedHostname
-          });
-          if (existing && existing.id !== environmentId) {
-            return {
-              handled: true,
-              response: this.error(
-                `Hostname '${computedHostname}' is already in use by another project.`,
-                409,
-                { code: "HOSTNAME_TAKEN", hostname: computedHostname }
-              )
-            };
-          }
-        } catch {
-        }
-        const baseMetadata = { ...req.metadata ?? {} };
-        const simulateFailure = Boolean(baseMetadata.__simulateFailure);
-        const simulateDelayMs = Number(baseMetadata.__simulateDelayMs ?? 1500);
-        try {
-          let ownerUserId = req.created_by && req.created_by !== "system" ? String(req.created_by) : void 0;
-          if (!ownerUserId) {
-            ownerUserId = await this.resolveCallerUserId(_context);
-          }
-          if (ownerUserId) {
-            const userRow = await ql.find("sys_user", { where: { id: ownerUserId } });
-            const userRows = Array.isArray(userRow) ? userRow : userRow?.value ?? [];
-            const u = Array.isArray(userRows) && userRows.length > 0 ? userRows[0] : null;
-            if (u?.email) {
-              baseMetadata.ownerSeed = {
-                userId: String(ownerUserId),
-                email: String(u.email),
-                name: u.name ? String(u.name) : null,
-                image: u.image ? String(u.image) : null
-              };
-            }
-          }
-        } catch {
-        }
-        try {
-          const orgRow = await ql.find("sys_organization", { where: { id: req.organization_id } });
-          const orgRows = Array.isArray(orgRow) ? orgRow : orgRow?.value ?? [];
-          const org = Array.isArray(orgRows) && orgRows.length > 0 ? orgRows[0] : null;
-          if (org?.id && org?.name) {
-            baseMetadata.orgSeed = {
-              id: String(org.id),
-              name: String(org.name),
-              slug: org.slug ? String(org.slug) : null,
-              logo: org.logo ? String(org.logo) : null
-            };
-          }
-        } catch {
-        }
-        await ql.insert(ENV, {
-          id: environmentId,
-          organization_id: req.organization_id,
-          display_name: req.display_name,
-          is_default: req.is_default ?? false,
-          is_system: req.is_system ?? false,
-          plan: req.plan ?? "free",
-          status: "provisioning",
-          created_by: req.created_by ?? "system",
-          metadata: JSON.stringify(baseMetadata),
-          created_at: nowIso,
-          updated_at: nowIso,
-          database_url: null,
-          database_driver: driver,
-          storage_limit_mb: req.storage_limit_mb ?? 1024,
-          provisioned_at: null,
-          hostname: computedHostname,
-          visibility: (() => {
-            const raw = String(req.visibility ?? "private");
-            return raw === "unlisted" ? "private" : raw;
-          })()
-        });
-        try {
-          const { seedPlatformSsoClient: seedPlatformSsoClient2 } = await Promise.resolve().then(() => (init_platform_sso(), platform_sso_exports));
-          const baseSecret = ((0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-          if (baseSecret) {
-            await seedPlatformSsoClient2({
-              ql,
-              environmentId,
-              hostname: computedHostname,
-              baseSecret,
-              logger: console
-            });
-          }
-        } catch (ssoErr) {
-          console.warn?.("[http-dispatcher] platform SSO seed failed (non-fatal)", {
-            environmentId,
-            error: ssoErr?.message
-          });
-        }
-        const runProvisioning = async () => {
-          try {
-            if (simulateDelayMs > 0) {
-              await new Promise((r) => setTimeout(r, simulateDelayMs));
-            }
-            if (simulateFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            try {
-              const adapter = await getRealAdapter(driver);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId,
-                  databaseName: `p-${environmentId.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: req.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) plaintextSecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(driver, environmentId);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const seedStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                database_url: databaseUrl,
-                updated_at: seedStartedAt
-              },
-              { where: { id: environmentId } }
-            );
-            await ql.insert(CRED, {
-              id: credentialId,
-              environment_id: environmentId,
-              secret_ciphertext: plaintextSecret,
-              encryption_key_id: "noop",
-              authorization: "full_access",
-              status: "active",
-              created_at: seedStartedAt,
-              updated_at: seedStartedAt
-            });
-            const templateId = req.template_id ?? "blank";
-            if (templateId !== "blank") {
-              try {
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder) {
-                  await seeder.seed({ environmentId, templateId });
-                }
-              } catch (seedErr) {
-                const seedMessage = seedErr instanceof Error ? seedErr.message : String(seedErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        templateSeedError: { message: seedMessage, templateId }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const artifactPathRaw = baseMetadata.artifact_path;
-            if (typeof artifactPathRaw === "string" && artifactPathRaw.length > 0) {
-              try {
-                const path2 = await import("path");
-                const { isHttpUrl: isHttpUrl2, loadArtifactBundle: loadArtifactBundle2 } = await Promise.resolve().then(() => (init_load_artifact_bundle(), load_artifact_bundle_exports));
-                const root = process.env.OS_PROJECT_ARTIFACT_ROOT ?? process.cwd();
-                const resolved2 = isHttpUrl2(artifactPathRaw) ? artifactPathRaw : path2.isAbsolute(artifactPathRaw) ? artifactPathRaw : path2.resolve(root, artifactPathRaw);
-                const bundle = await loadArtifactBundle2(resolved2, { tag: "[bind-artifact]" });
-                if (!bundle) {
-                  throw new Error(`failed to load artifact bundle at '${resolved2}'`);
-                }
-                const seeder = await this.resolveService("template-seeder");
-                if (seeder?.seedBundle) {
-                  await seeder.seedBundle({ environmentId, bundle });
-                } else {
-                  throw new Error("template-seeder.seedBundle is unavailable");
-                }
-              } catch (bindErr) {
-                const bindMessage = bindErr instanceof Error ? bindErr.message : String(bindErr);
-                try {
-                  const existing = await findOne(ENV, { id: environmentId });
-                  const existingMeta = typeof existing?.metadata === "string" ? JSON.parse(existing.metadata) : existing?.metadata ?? {};
-                  await ql.update(
-                    ENV,
-                    {
-                      metadata: JSON.stringify({
-                        ...existingMeta,
-                        artifactBindError: { message: bindMessage, artifactPath: artifactPathRaw }
-                      })
-                    },
-                    { where: { id: environmentId } }
-                  );
-                } catch {
-                }
-              }
-            }
-            const finishedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                provisioned_at: finishedAt,
-                updated_at: finishedAt
-              },
-              { where: { id: environmentId } }
-            );
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...baseMetadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id: environmentId } }
-            );
-          }
-        };
-        const provisionSyncEnv = process.env.OS_PROVISION_SYNC;
-        const onServerless = !!(process.env.VERCEL || process.env.AWS_LAMBDA_FUNCTION_NAME || process.env.NETLIFY || process.env.CF_PAGES);
-        const syncProvisioning = provisionSyncEnv === void 0 ? onServerless : provisionSyncEnv !== "0" && provisionSyncEnv !== "false";
-        if (syncProvisioning) {
-          await runProvisioning();
-        } else {
-          void runProvisioning();
-        }
-        const project = cleanProjectRow(await findOne(ENV, { id: environmentId }));
-        const res = this.success({ project });
-        res.status = syncProvisioning ? 201 : 202;
-        return { handled: true, response: res };
-      }
-      if (parts.length === 2 && parts[0] === "projects") {
-        const id = decodeURIComponent(parts[1]);
-        if (m === "GET") {
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          const credRow = await findOne(CRED, { environment_id: id, status: "active" });
-          const callerUserId = await this.resolveCallerUserId(_context);
-          const membership = callerUserId ? await findOne(MEM, { environment_id: id, user_id: callerUserId }) : await findOne(MEM, { environment_id: id });
-          const credMeta = credRow ? {
-            id: credRow.id,
-            status: credRow.status,
-            authorization: credRow.authorization,
-            activatedAt: credRow.created_at,
-            expiresAt: credRow.expires_at
-          } : void 0;
-          const project = cleanProjectRow(envRow);
-          const database = project.database_url ? {
-            driver: project.database_driver,
-            database_name: `env-${project.id}`,
-            database_url: project.database_url,
-            storage_limit_mb: project.storage_limit_mb,
-            provisioned_at: project.provisioned_at
-          } : void 0;
-          return {
-            handled: true,
-            response: this.success({ project, database, credential: credMeta, membership })
-          };
-        }
-        if (m === "PATCH") {
-          const patch = {};
-          if (body?.display_name !== void 0) patch.display_name = body.display_name;
-          if (body?.plan !== void 0) patch.plan = body.plan;
-          if (body?.status !== void 0) patch.status = body.status;
-          if (body?.is_default !== void 0) patch.is_default = body.is_default;
-          if (body?.visibility !== void 0) {
-            let v = String(body.visibility);
-            if (v === "unlisted") v = "private";
-            if (!["private", "public"].includes(v)) {
-              return { handled: true, response: this.error(`Invalid visibility '${v}' (expected private | public)`, 400) };
-            }
-            patch.visibility = v;
-          }
-          if (body?.metadata !== void 0) patch.metadata = JSON.stringify(body.metadata);
-          patch.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-          await ql.update(ENV, patch, { where: { id } });
-          const envRow = await findOne(ENV, { id });
-          if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-          return { handled: true, response: this.success({ project: cleanProjectRow(envRow) }) };
-        }
-        if (m === "DELETE") {
-          const force = query?.force === "1" || query?.force === "true" || body?.force === true;
-          const result = await this.deleteProjectCascade(id, { ql, findOne, getRealAdapter, force });
-          if (!result.ok) {
-            return { handled: true, response: this.error(result.error ?? "Delete failed", result.status ?? 500) };
-          }
-          return { handled: true, response: this.success({ deleted: true, environmentId: id, warnings: result.warnings }) };
-        }
-      }
-      if (parts.length === 2 && parts[0] === "organizations" && m === "DELETE") {
-        const orgId = decodeURIComponent(parts[1]);
-        let projectRows = [];
-        try {
-          let rows = await ql.find(ENV, { where: { organization_id: orgId } });
-          if (rows && rows.value) rows = rows.value;
-          projectRows = Array.isArray(rows) ? rows : [];
-        } catch {
-          projectRows = [];
-        }
-        const warnings = [];
-        let deletedProjects = 0;
-        for (const row of projectRows) {
-          const pid = row?.id;
-          if (!pid) continue;
-          try {
-            const r = await this.deleteProjectCascade(pid, { ql, findOne, getRealAdapter, force: true });
-            if (r.ok) deletedProjects++;
-            if (r.warnings?.length) warnings.push(...r.warnings);
-            if (!r.ok && r.error) warnings.push(`Project ${pid}: ${r.error}`);
-          } catch (err) {
-            warnings.push(
-              `Failed to delete project ${pid}: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        let orgDeleted = false;
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const fn = authService?.api?.deleteOrganization;
-          if (typeof fn === "function") {
-            await fn.call(authService.api, {
-              body: { organizationId: orgId },
-              headers: _context?.request?.headers
-            });
-            orgDeleted = true;
-          }
-        } catch (err) {
-          warnings.push(
-            `auth.deleteOrganization failed: ${err instanceof Error ? err.message : String(err)}`
-          );
-        }
-        if (!orgDeleted) {
-          try {
-            await ql.delete("sys_organization", { where: { id: orgId } });
-            orgDeleted = true;
-          } catch (err) {
-            warnings.push(
-              `Failed to delete sys_organization row: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-        }
-        return {
-          handled: true,
-          response: this.success({
-            deleted: orgDeleted,
-            organizationId: orgId,
-            deletedProjects,
-            warnings
-          })
-        };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "hostname" && (m === "POST" || m === "PUT")) {
-        const id = decodeURIComponent(parts[1]);
-        const hostname = body?.hostname;
-        if (!hostname || typeof hostname !== "string") {
-          return { handled: true, response: this.error("hostname is required", 400) };
-        }
-        const normalized = hostname.trim().toLowerCase();
-        if (!/^[a-z0-9]([a-z0-9\-\.]*[a-z0-9])?$/.test(normalized)) {
-          return { handled: true, response: this.error("Invalid hostname format", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        let existing;
-        try {
-          const rows = await ql.find(ENV, { where: { hostname: normalized } });
-          const arr = Array.isArray(rows) ? rows : rows?.value ?? [];
-          existing = arr.find((r) => r.id !== id);
-        } catch {
-        }
-        if (existing) {
-          return {
-            handled: true,
-            response: this.error(
-              `Hostname '${normalized}' is already in use by another project.`,
-              409,
-              { code: "HOSTNAME_TAKEN", hostname: normalized }
-            )
-          };
-        }
-        const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(ENV, { hostname: normalized, updated_at: updatedAt }, { where: { id } });
-        if (this.envRegistry?.invalidate) {
-          try {
-            await this.envRegistry.invalidate(id);
-          } catch {
-          }
-        }
-        const updated = cleanProjectRow(await findOne(ENV, { id }));
-        return { handled: true, response: this.success({ project: updated }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "retry" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        if (envRow.status !== "failed" && envRow.status !== "provisioning") {
-          return {
-            handled: true,
-            response: this.error(
-              `Project '${id}' is '${envRow.status}'; only failed or provisioning projects can be retried.`,
-              409
-            )
-          };
-        }
-        const driverName = envRow.database_driver;
-        const resolved = resolveDriver(driverName);
-        if (!resolved) {
-          return {
-            handled: true,
-            response: this.error(
-              `Driver '${driverName}' is no longer registered; retry aborted.`,
-              503
-            )
-          };
-        }
-        let metadata = {};
-        if (envRow.metadata) {
-          if (typeof envRow.metadata === "string") {
-            try {
-              metadata = JSON.parse(envRow.metadata);
-            } catch {
-              metadata = {};
-            }
-          } else if (typeof envRow.metadata === "object") {
-            metadata = { ...envRow.metadata };
-          }
-        }
-        delete metadata.provisioningError;
-        const retryStartedAt = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(
-          ENV,
-          {
-            status: "provisioning",
-            metadata: JSON.stringify(metadata),
-            updated_at: retryStartedAt
-          },
-          { where: { id } }
-        );
-        const simulateRetryFailure = Boolean(metadata.__simulateFailure);
-        const simulateRetryDelay = Number(metadata.__simulateDelayMs ?? 1500);
-        const runRetry = async () => {
-          try {
-            if (simulateRetryDelay > 0) {
-              await new Promise((r) => setTimeout(r, simulateRetryDelay));
-            }
-            if (simulateRetryFailure) {
-              throw new Error("Simulated provisioning failure (metadata.__simulateFailure=true)");
-            }
-            let databaseUrl;
-            let retrySecret = `mock-token-${id}`;
-            try {
-              const adapter = await getRealAdapter(resolved.name);
-              if (adapter) {
-                const result = await adapter.createDatabase({
-                  environmentId: id,
-                  databaseName: `p-${id.replace(/-/g, "").slice(0, 24)}`,
-                  region: "us-east-1",
-                  storageLimitMb: envRow.storage_limit_mb ?? 1024
-                });
-                databaseUrl = result.databaseUrl;
-                if (result.plaintextSecret) retrySecret = result.plaintextSecret;
-              } else {
-                databaseUrl = buildDatabaseUrl(resolved.name, id);
-              }
-            } catch (adapterErr) {
-              throw adapterErr instanceof Error ? adapterErr : new Error(String(adapterErr));
-            }
-            const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "active",
-                database_url: databaseUrl,
-                database_driver: resolved.name,
-                provisioned_at: nowIso,
-                updated_at: nowIso
-              },
-              { where: { id } }
-            );
-            const existingCred = await findOne(CRED, { environment_id: id, status: "active" });
-            if (!existingCred) {
-              await ql.insert(CRED, {
-                id: randomUUID(),
-                environment_id: id,
-                secret_ciphertext: retrySecret,
-                encryption_key_id: "noop",
-                authorization: "full_access",
-                status: "active",
-                created_at: nowIso,
-                updated_at: nowIso
-              });
-            }
-          } catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            const failedAt = (/* @__PURE__ */ new Date()).toISOString();
-            await ql.update(
-              ENV,
-              {
-                status: "failed",
-                metadata: JSON.stringify({
-                  ...metadata,
-                  provisioningError: { message, failedAt }
-                }),
-                updated_at: failedAt
-              },
-              { where: { id } }
-            );
-          }
-        };
-        void runRetry();
-        const envAfter = cleanProjectRow(await findOne(ENV, { id }));
-        const retryRes = this.success({ project: envAfter });
-        retryRes.status = 202;
-        return { handled: true, response: retryRes };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "activate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        return { handled: true, response: this.success({ project: cleanProjectRow(envRow), sessionUpdated: false }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "credentials" && parts[3] === "rotate" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const plaintext = body?.plaintext;
-        if (!plaintext || typeof plaintext !== "string") {
-          return { handled: true, response: this.error("plaintext is required", 400) };
-        }
-        const envRow = await findOne(ENV, { id });
-        if (!envRow) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        let existing = await ql.find(CRED, { where: { environment_id: id, status: "active" } });
-        if (existing && existing.value) existing = existing.value;
-        for (const row of Array.isArray(existing) ? existing : []) {
-          await ql.update(CRED, {
-            status: "revoked",
-            revoked_at: nowIso,
-            updated_at: nowIso
-          }, { where: { id: row.id } });
-        }
-        const credentialId = randomUUID();
-        await ql.insert(CRED, {
-          id: credentialId,
-          environment_id: id,
-          secret_ciphertext: plaintext,
-          encryption_key_id: "noop",
-          authorization: "full_access",
-          status: "active",
-          created_at: nowIso,
-          updated_at: nowIso
-        });
-        const credential = await findOne(CRED, { id: credentialId });
-        const credMeta = credential ? {
-          id: credential.id,
-          status: credential.status,
-          authorization: credential.authorization,
-          activatedAt: credential.created_at
-        } : void 0;
-        return { handled: true, response: this.success({ credential: credMeta }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "GET") {
-        const id = decodeURIComponent(parts[1]);
-        let rows = await ql.find(MEM, { where: { environment_id: id } });
-        if (rows && rows.value) rows = rows.value;
-        const members = Array.isArray(rows) ? rows : [];
-        const userIds = Array.from(new Set(members.map((mem) => mem.user_id).filter(Boolean)));
-        const userMap = /* @__PURE__ */ new Map();
-        for (const uid of userIds) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { id: uid } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (row) userMap.set(String(uid), {
-            id: row.id,
-            name: row.name ?? row.display_name,
-            email: row.email,
-            image: row.image ?? row.avatar_url
-          });
-        }
-        const enriched = members.map((mem) => ({
-          ...mem,
-          user: userMap.get(String(mem.user_id)) ?? void 0
-        }));
-        return { handled: true, response: this.success({ members: enriched }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "members" && m === "POST") {
-        const id = decodeURIComponent(parts[1]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const email = typeof body?.email === "string" ? String(body.email).trim().toLowerCase() : null;
-        let inviteUserId = typeof body?.user_id === "string" ? String(body.user_id).trim() : null;
-        let role = String(body?.role ?? "member").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(role)) {
-          return { handled: true, response: this.error(`Invalid role '${role}' (expected owner | admin | member | viewer)`, 400) };
-        }
-        if (!email && !inviteUserId) {
-          return { handled: true, response: this.error("email or user_id is required", 400) };
-        }
-        if (!inviteUserId && email) {
-          let row = null;
-          for (const tableName of ["sys_user", "user"]) {
-            try {
-              const u = await ql.findOne(tableName, { where: { email } });
-              row = u?.value ?? u;
-              if (row) break;
-            } catch {
-            }
-          }
-          if (!row?.id) {
-            return { handled: true, response: this.error(`No user found with email '${email}'`, 404) };
-          }
-          inviteUserId = String(row.id);
-        }
-        const existing = await findOne(MEM, { environment_id: id, user_id: inviteUserId });
-        if (existing) {
-          return { handled: true, response: this.success({ member: existing, alreadyMember: true }) };
-        }
-        try {
-          const memberId = randomUUID();
-          await ql.insert(MEM, {
-            id: memberId,
-            environment_id: id,
-            user_id: inviteUserId,
-            role,
-            invited_by: callerId,
-            organization_id: project.organization_id ?? null
-          });
-          const created = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: created, alreadyMember: false }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to add member", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "PATCH") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        if (!callerMem || !["owner", "admin"].includes(String(callerMem.role))) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const newRole = String(body?.role ?? "").trim().toLowerCase();
-        if (!["owner", "admin", "member", "viewer"].includes(newRole)) {
-          return { handled: true, response: this.error(`Invalid role '${newRole}'`, 400) };
-        }
-        if (target.role === "owner" && newRole !== "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot demote the last owner", 409) };
-          }
-        }
-        try {
-          await ql.update(MEM, { role: newRole, updated_at: (/* @__PURE__ */ new Date()).toISOString() }, { where: { id: memberId } });
-          const updated = await findOne(MEM, { id: memberId });
-          return { handled: true, response: this.success({ member: updated }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to update role", 500) };
-        }
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "members" && m === "DELETE") {
-        const id = decodeURIComponent(parts[1]);
-        const memberId = decodeURIComponent(parts[3]);
-        const project = await findOne(ENV, { id });
-        if (!project) return { handled: true, response: this.error(`Project '${id}' not found`, 404) };
-        const callerId = await this.resolveCallerUserId(_context);
-        if (!callerId) return { handled: true, response: this.error("Authentication required", 401) };
-        const target = await findOne(MEM, { id: memberId, environment_id: id });
-        if (!target) return { handled: true, response: this.error(`Member '${memberId}' not found`, 404) };
-        const callerMem = await findOne(MEM, { environment_id: id, user_id: callerId });
-        const isSelf = String(target.user_id) === String(callerId);
-        const isPrivileged = callerMem && ["owner", "admin"].includes(String(callerMem.role));
-        if (!isSelf && !isPrivileged) {
-          return { handled: true, response: this.error("Forbidden \u2014 owner or admin required", 403) };
-        }
-        if (target.role === "owner") {
-          let owners = await ql.find(MEM, { where: { environment_id: id, role: "owner" } });
-          if (owners && owners.value) owners = owners.value;
-          const ownerCount = Array.isArray(owners) ? owners.length : 0;
-          if (ownerCount <= 1) {
-            return { handled: true, response: this.error("Cannot remove the last owner", 409) };
-          }
-        }
-        try {
-          await ql.delete(MEM, { where: { id: memberId } });
-          return { handled: true, response: this.success({ removed: true, memberId }) };
-        } catch (e) {
-          return { handled: true, response: this.error(e?.message ?? "Failed to remove member", 500) };
-        }
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        let rows = await ql.find(PKG_INSTALL, { where: { environment_id: envId } });
-        if (rows && rows.value) rows = rows.value;
-        const installs = Array.isArray(rows) ? rows : [];
-        const packages = await Promise.all(
-          installs.map(async (r) => {
-            let manifestId = null;
-            let versionStr = null;
-            try {
-              if (r.package_id) {
-                const pkg = await ql.findOne(PKG, { where: { id: r.package_id } });
-                manifestId = pkg?.manifest_id ?? null;
-              }
-              if (r.package_version_id) {
-                const ver = await ql.findOne(PKG_VERSION, { where: { id: r.package_version_id } });
-                versionStr = ver?.version ?? null;
-              }
-            } catch {
-            }
-            return {
-              ...r,
-              // Surface user-facing identifiers expected by client SDK
-              packageId: manifestId,
-              package_id: manifestId ?? r.package_id,
-              version: versionStr ?? r.version ?? null
-            };
-          })
-        );
-        return { handled: true, response: this.success({ packages, total: packages.length }) };
-      }
-      if (parts.length === 3 && parts[0] === "projects" && parts[2] === "packages" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const { packageId, version, settings, enableOnInstall } = body ?? {};
-        if (!packageId) return { handled: true, response: this.error("packageId is required", 400) };
-        const qlSvc = await this.getObjectQLService();
-        const pkgRegistry = qlSvc?.registry;
-        const allPkgs = pkgRegistry?.getAllPackages?.() ?? [];
-        const manifestEntry = allPkgs.find((p) => (p?.manifest?.id ?? p?.id) === packageId);
-        const manifest = manifestEntry?.manifest ?? manifestEntry;
-        if (!manifest) {
-          return { handled: true, response: this.error(`Package '${packageId}' is not registered on this server`, 404) };
-        }
-        const CLOUD_SCOPES = /* @__PURE__ */ new Set(["cloud", "system", "platform"]);
-        if (CLOUD_SCOPES.has(manifest?.scope)) {
-          return { handled: true, response: this.error(`Package '${packageId}' has scope=${manifest.scope} and cannot be installed per-project`, 403) };
-        }
-        const projectRow = await findOne(ENV, { id: envId });
-        if (!projectRow) {
-          return { handled: true, response: this.error(`Project '${envId}' not found`, 404) };
-        }
-        const ownerOrgId = projectRow.organization_id ?? "system";
-        let userId = "system";
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? sessionData?.session?.userId ?? "system";
-        } catch {
-        }
-        const resolvedVersion = version ?? manifest?.version ?? "1.0.0";
-        const dup = await ql.findOne(PKG_INSTALL, {
-          where: { environment_id: envId, package_id: packageId }
-        });
-        if (dup?.id) {
-          return { handled: true, response: this.error(`Package '${packageId}' is already installed in this project`, 409) };
-        }
-        const sysPackageId = await ensureSysPackage(packageId, ownerOrgId, userId, manifest);
-        const sysPackageVersionId = await ensureSysPackageVersion(sysPackageId, resolvedVersion, userId, manifest);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        const recordId = randomUUID();
-        await ql.insert(PKG_INSTALL, {
-          id: recordId,
-          environment_id: envId,
-          package_id: sysPackageId,
-          package_version_id: sysPackageVersionId,
-          status: "installed",
-          enabled: enableOnInstall !== false,
-          installed_at: nowIso,
-          installed_by: userId,
-          updated_at: nowIso,
-          settings: settings ? JSON.stringify(settings) : null
-        });
-        const record = await ql.findOne(PKG_INSTALL, { where: { id: recordId } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "GET") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await ql.findOne(PKG_INSTALL, { where: { environment_id: envId, package_id: pkgId } });
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        return { handled: true, response: this.success({ package: record }) };
-      }
-      if (parts.length === 4 && parts[0] === "projects" && parts[2] === "packages" && m === "DELETE") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs0 = this.kernel.packages?.getAll?.() ?? [];
-        const m0 = allPkgs0.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m0?.scope && ["cloud", "system", "platform"].includes(m0.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m0.scope} cannot be uninstalled`, 403) };
-        }
-        await ql.delete(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ id: record.id, success: true }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "enable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: true, status: "installed", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "disable" && m === "PATCH") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const allPkgs1 = this.kernel.packages?.getAll?.() ?? [];
-        const m1 = allPkgs1.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        if (m1?.scope && ["cloud", "system", "platform"].includes(m1.scope)) {
-          return { handled: true, response: this.error(`Package '${pkgId}' with scope=${m1.scope} cannot be disabled`, 403) };
-        }
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, { enabled: false, status: "disabled", updated_at: nowIso }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-      if (parts.length === 5 && parts[0] === "projects" && parts[2] === "packages" && parts[4] === "upgrade" && m === "POST") {
-        const envId = decodeURIComponent(parts[1]);
-        const pkgId = decodeURIComponent(parts[3]);
-        const record = await findInstallByManifestId(envId, pkgId);
-        if (!record) return { handled: true, response: this.error(`Package '${pkgId}' is not installed in this project`, 404) };
-        const { targetVersion } = body ?? {};
-        const allPkgs2 = this.kernel.packages?.getAll?.() ?? [];
-        const manifest2 = allPkgs2.find((p) => (p.manifest?.id ?? p.id) === pkgId)?.manifest;
-        const currentVer = await ql.findOne(PKG_VERSION, { where: { id: record.package_version_id } });
-        const newVersion = targetVersion ?? manifest2?.version ?? currentVer?.version ?? "1.0.0";
-        if (newVersion === currentVer?.version) {
-          return { handled: true, response: this.success({ package: record, message: "Already at target version" }) };
-        }
-        let userId = "system";
-        try {
-          const authService = await this.getService(import_system.CoreServiceName.enum.auth);
-          const sessionData = await authService?.api?.getSession?.({
-            headers: _context?.request?.headers
-          });
-          userId = sessionData?.user?.id ?? "system";
-        } catch {
-        }
-        const newVersionId = await ensureSysPackageVersion(record.package_id, newVersion, userId, manifest2);
-        const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-        await ql.update(PKG_INSTALL, {
-          package_version_id: newVersionId,
-          status: "installed",
-          updated_at: nowIso
-        }, { where: { id: record.id } });
-        const updated = await ql.findOne(PKG_INSTALL, { where: { id: record.id } });
-        try {
-          await this.kernelManager?.evict(envId);
-        } catch {
-        }
-        return { handled: true, response: this.success({ package: updated }) };
-      }
-    } catch (e) {
-      return { handled: true, response: this.error(e.message, e.statusCode || 500) };
-    }
-    return { handled: false };
-  }
-  /**
-   * Cascade-delete a project: cred / member / package_installation rows,
-   * then the physical database via the provisioning adapter, then the
-   * `sys_environment` row itself. Used by both `DELETE /cloud/environments/:id`
-   * and the org-cascade in `DELETE /cloud/organizations/:id`.
-   *
-   * Idempotent and best-effort: missing rows / unreachable adapters
-   * become warnings rather than hard failures, so a half-provisioned
-   * project can still be cleaned out.
-   */
-  async deleteProjectCascade(environmentId, deps) {
-    const { ql, findOne, getRealAdapter, force } = deps;
-    const ENV = "sys_environment";
-    const warnings = [];
-    const row = await findOne(ENV, { id: environmentId });
-    if (!row) {
-      return { ok: false, status: 404, error: `Project '${environmentId}' not found`, warnings };
-    }
-    if (row.is_system === true || row.is_system === 1) {
-      return { ok: false, status: 409, error: `Project '${environmentId}' is a system project and cannot be deleted`, warnings };
-    }
-    if ((row.is_default === true || row.is_default === 1) && !force) {
-      return {
-        ok: false,
-        status: 409,
-        error: `Project '${environmentId}' is the default project for its organization. Pass ?force=1 to delete it.`,
-        warnings
-      };
-    }
-    const cascade = [
-      { object: "sys_environment_credential", field: "environment_id" },
-      { object: "sys_environment_member", field: "environment_id" },
-      { object: "sys_package_installation", field: "environment_id" }
-    ];
-    for (const { object, field } of cascade) {
-      try {
-        let rows = await ql.find(object, { where: { [field]: environmentId } });
-        if (rows && rows.value) rows = rows.value;
-        if (Array.isArray(rows)) {
-          for (const r of rows) {
-            if (r?.id != null) {
-              try {
-                await ql.delete(object, { where: { id: r.id } });
-              } catch (innerErr) {
-                warnings.push(
-                  `Failed to delete ${object} ${r.id}: ${innerErr instanceof Error ? innerErr.message : String(innerErr)}`
-                );
-              }
-            }
-          }
-        }
-      } catch (err) {
-        warnings.push(
-          `Failed to enumerate ${object} for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-        );
-      }
-    }
-    const driver = row.database_driver ?? "memory";
-    const databaseUrl = row.database_url;
-    const databaseName = `p-${String(environmentId).replace(/-/g, "").slice(0, 24)}`;
-    try {
-      const adapter = await getRealAdapter(driver);
-      if (adapter?.deleteDatabase) {
-        await adapter.deleteDatabase({ environmentId, databaseName, databaseUrl });
-      } else {
-        warnings.push(`No adapter for driver '${driver}'; physical DB for project ${environmentId} not released.`);
-      }
-    } catch (err) {
-      warnings.push(
-        `Failed to delete physical database for project ${environmentId}: ${err instanceof Error ? err.message : String(err)}`
-      );
-    }
-    try {
-      await ql.delete(ENV, { where: { id: environmentId } });
-    } catch (err) {
-      return {
-        ok: false,
-        status: 500,
-        error: `Failed to delete sys_environment row: ${err instanceof Error ? err.message : String(err)}`,
-        warnings
-      };
-    }
-    if (this.envRegistry?.invalidate) {
-      try {
-        await this.envRegistry.invalidate(environmentId);
-      } catch {
-      }
-    }
-    return { ok: true, warnings };
-  }
-  /**
-   * Handles Storage requests
-   * path: sub-path after /storage/
-   */
-  async handleStorage(path, method, file, context) {
-    const storageService = await this.getService(import_system.CoreServiceName.enum["file-storage"]) || this.kernel.services?.["file-storage"];
-    if (!storageService) {
-      return { handled: true, response: this.error("File storage not configured", 501) };
+  /**
+   * Handles Storage requests
+   * path: sub-path after /storage/
+   */
+  async handleStorage(path, method, file, context) {
+    const storageService = await this.getService(import_system2.CoreServiceName.enum["file-storage"]) || this.kernel.services?.["file-storage"];
+    if (!storageService) {
+      return { handled: true, response: this.error("File storage not configured", 501) };
     }
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/");
@@ -5391,6 +4150,8 @@ var _HttpDispatcher = class _HttpDispatcher {
    *
    * Routes:
    *   GET    /                     → listFlows
+   *   GET    /actions              → getActionDescriptors (ADR-0018; ?paradigm/?source/?category filters)
+   *   GET    /connectors           → getConnectorDescriptors (ADR-0022; ?type filter)
    *   GET    /:name                → getFlow
    *   POST   /                     → createFlow (registerFlow)
    *   PUT    /:name                → updateFlow
@@ -5399,9 +4160,11 @@ var _HttpDispatcher = class _HttpDispatcher {
    *   POST   /:name/toggle         → toggleFlow
    *   GET    /:name/runs           → listRuns
    *   GET    /:name/runs/:runId    → getRun
+   *   POST   /:name/runs/:runId/resume → resume a paused run (screen input / ADR-0019)
+   *   GET    /:name/runs/:runId/screen → the screen a paused run awaits
    */
   async handleAutomation(path, method, body, context, query) {
-    const automationService = await this.getService(import_system.CoreServiceName.enum.automation);
+    const automationService = await this.getService(import_system2.CoreServiceName.enum.automation);
     if (!automationService) return { handled: false };
     const m = method.toUpperCase();
     const parts = path.replace(/^\/+/, "").split("/").filter(Boolean);
@@ -5428,6 +4191,32 @@ var _HttpDispatcher = class _HttpDispatcher {
         return { handled: true, response: this.success(body) };
       }
     }
+    if (parts[0] === "actions" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getActionDescriptors === "function") {
+        let actions = automationService.getActionDescriptors() ?? [];
+        if (query?.paradigm) {
+          actions = actions.filter((a) => Array.isArray(a?.paradigms) && a.paradigms.includes(query.paradigm));
+        }
+        if (query?.source) {
+          actions = actions.filter((a) => a?.source === query.source);
+        }
+        if (query?.category) {
+          actions = actions.filter((a) => a?.category === query.category);
+        }
+        return { handled: true, response: this.success({ actions, total: actions.length }) };
+      }
+      return { handled: true, response: this.success({ actions: [], total: 0 }) };
+    }
+    if (parts[0] === "connectors" && parts.length === 1 && m === "GET") {
+      if (typeof automationService.getConnectorDescriptors === "function") {
+        let connectors = automationService.getConnectorDescriptors() ?? [];
+        if (query?.type) {
+          connectors = connectors.filter((c) => c?.type === query.type);
+        }
+        return { handled: true, response: this.success({ connectors, total: connectors.length }) };
+      }
+      return { handled: true, response: this.success({ connectors: [], total: 0 }) };
+    }
     if (parts.length >= 1) {
       const name = parts[0];
       if (parts[1] === "trigger" && m === "POST") {
@@ -5467,7 +4256,28 @@ var _HttpDispatcher = class _HttpDispatcher {
           return { handled: true, response: this.success({ name, enabled: body?.enabled ?? true }) };
         }
       }
-      if (parts[1] === "runs" && parts[2] && m === "GET") {
+      if (parts[1] === "runs" && parts[2] && parts[3] === "resume" && m === "POST") {
+        if (typeof automationService.resume === "function") {
+          const b = body && typeof body === "object" ? body : {};
+          const inputs = b.inputs ?? b.variables;
+          const signal = {};
+          if (inputs && typeof inputs === "object") signal.variables = inputs;
+          if (b.output && typeof b.output === "object") signal.output = b.output;
+          if (typeof b.branchLabel === "string") signal.branchLabel = b.branchLabel;
+          const result = await automationService.resume(parts[2], signal);
+          return { handled: true, response: this.success(result) };
+        }
+        return { handled: true, response: this.error("Resume not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && parts[3] === "screen" && m === "GET") {
+        if (typeof automationService.getSuspendedScreen === "function") {
+          const screen = automationService.getSuspendedScreen(parts[2]);
+          if (!screen) return { handled: true, response: this.error("No pending screen for run", 404) };
+          return { handled: true, response: this.success({ runId: parts[2], screen }) };
+        }
+        return { handled: true, response: this.error("Screen lookup not supported", 501) };
+      }
+      if (parts[1] === "runs" && parts[2] && !parts[3] && m === "GET") {
         if (typeof automationService.getRun === "function") {
           const run = await automationService.getRun(parts[2]);
           if (!run) return { handled: true, response: this.error("Execution not found", 404) };
@@ -5793,11 +4603,9 @@ var _HttpDispatcher = class _HttpDispatcher {
     if (forbidden) {
       return { handled: true, response: forbidden };
     }
-    if (!cleanPath.startsWith("/cloud/")) {
-      const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
-      if (scopedMatch) {
-        cleanPath = scopedMatch[1] ?? "";
-      }
+    const scopedMatch = cleanPath.match(/^\/projects\/[^/]+(\/.*)?$/);
+    if (scopedMatch) {
+      cleanPath = scopedMatch[1] ?? "";
     }
     try {
       if ((cleanPath === "/discovery" || cleanPath === "") && method === "GET") {
@@ -5848,9 +4656,6 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (cleanPath.startsWith("/packages")) {
         return this.handlePackages(cleanPath.substring(9), method, body, query, context);
       }
-      if (cleanPath.startsWith("/cloud")) {
-        return this.handleCloud(cleanPath.substring(6), method, body, query, context);
-      }
       if (cleanPath.startsWith("/i18n")) {
         return this.handleI18n(cleanPath.substring(5), method, query, context);
       }
@@ -6466,344 +5271,136 @@ function createDispatcherPlugin(config = {}) {
             res.header(k, v);
           }
         }
-        res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
-      });
-      server.get(`${prefix}/discovery`, async (_req, res) => {
-        if (securityHeaders) {
-          for (const [k, v] of Object.entries(securityHeaders)) {
-            res.header(k, v);
-          }
-        }
-        res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
-      });
-      server.get(`${prefix}/health`, async (_req, res) => {
-        try {
-          const result = await dispatcher.dispatch("GET", "/health", void 0, {}, { request: _req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/auth/login`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleAuth("login", "POST", req.body, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/graphql`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleGraphQL(req.body, { request: req });
-          if (securityHeaders) {
-            for (const [k, v] of Object.entries(securityHeaders)) {
-              res.header(k, v);
-            }
-          }
-          res.json(result);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/analytics/query`, async (req, res) => {
-        try {
-          const result = await dispatcher.dispatch("POST", "/analytics/query", req.body, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/analytics/meta`, async (req, res) => {
-        try {
-          const result = await dispatcher.dispatch("GET", "/analytics/meta", void 0, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/analytics/sql`, async (req, res) => {
-        try {
-          const result = await dispatcher.dispatch("POST", "/analytics/sql", req.body, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/packages`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages("", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/packages`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages("", "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/packages/:id/export`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/export`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/packages/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/packages/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}`, "DELETE", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/packages/:id/enable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/enable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/packages/:id/disable`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/disable`, "PATCH", {}, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/packages/:id/publish`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/publish`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/packages/:id/revert`, async (req, res) => {
-        try {
-          const result = await dispatcher.handlePackages(`/${req.params.id}/revert`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/drivers`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/drivers", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/admin/platform-sso/backfill`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/admin/platform-sso/backfill", "POST", req.body, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/templates`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/templates", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud("/projects", "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.get(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "GET", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.patch(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "PATCH", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/environments/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.delete(`${prefix}/cloud/organizations/:id`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/organizations/${req.params.id}`, "DELETE", {}, req.query, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.post(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
-      });
-      server.put(`${prefix}/cloud/environments/:id/hostname`, async (req, res) => {
-        try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/hostname`, "PUT", req.body, {}, { request: req });
-          sendResult(result, res);
-        } catch (err) {
-          errorResponse(err, res);
-        }
+        res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
+      });
+      server.get(`${prefix}/discovery`, async (_req, res) => {
+        if (securityHeaders) {
+          for (const [k, v] of Object.entries(securityHeaders)) {
+            res.header(k, v);
+          }
+        }
+        res.json({ data: await dispatcher.getDiscoveryInfo(prefix) });
       });
-      server.post(`${prefix}/cloud/environments/:id/rotate-credential`, async (req, res) => {
+      server.get(`${prefix}/health`, async (_req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/rotate-credential`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.dispatch("GET", "/health", void 0, {}, { request: _req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/credentials/rotate`, async (req, res) => {
+      server.post(`${prefix}/auth/login`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/credentials/rotate`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.handleAuth("login", "POST", req.body, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/activate`, async (req, res) => {
+      server.post(`${prefix}/graphql`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/activate`, "POST", req.body, {}, { request: req });
-          sendResult(result, res);
+          const result = await dispatcher.handleGraphQL(req.body, { request: req });
+          if (securityHeaders) {
+            for (const [k, v] of Object.entries(securityHeaders)) {
+              res.header(k, v);
+            }
+          }
+          res.json(result);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/retry`, async (req, res) => {
+      server.post(`${prefix}/analytics/query`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/retry`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.dispatch("POST", "/analytics/query", req.body, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
+      server.get(`${prefix}/analytics/meta`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "GET", {}, req.query, { request: req });
+          const result = await dispatcher.dispatch("GET", "/analytics/meta", void 0, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/members`, async (req, res) => {
+      server.post(`${prefix}/analytics/sql`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.dispatch("POST", "/analytics/sql", req.body, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.patch(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
+      server.get(`${prefix}/packages`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "PATCH", req.body, {}, { request: req });
+          const result = await dispatcher.handlePackages("", "GET", {}, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.delete(`${prefix}/cloud/environments/:id/members/:memberId`, async (req, res) => {
+      server.post(`${prefix}/packages`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/members/${req.params.memberId}`, "DELETE", req.body ?? {}, {}, { request: req });
+          const result = await dispatcher.handlePackages("", "POST", req.body, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
+      server.get(`${prefix}/packages/:id/export`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "GET", {}, req.query, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/export`, "GET", {}, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/packages`, async (req, res) => {
+      server.get(`${prefix}/packages/:id`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}`, "GET", {}, req.query, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.get(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
+      server.delete(`${prefix}/packages/:id`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "GET", {}, req.query, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}`, "DELETE", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.delete(`${prefix}/cloud/environments/:id/packages/:pkgId`, async (req, res) => {
+      server.patch(`${prefix}/packages/:id/enable`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}`, "DELETE", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/enable`, "PATCH", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/enable`, async (req, res) => {
+      server.patch(`${prefix}/packages/:id/disable`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/enable`, "PATCH", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/disable`, "PATCH", {}, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.patch(`${prefix}/cloud/environments/:id/packages/:pkgId/disable`, async (req, res) => {
+      server.post(`${prefix}/packages/:id/publish`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/disable`, "PATCH", {}, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/publish`, "POST", req.body, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
         }
       });
-      server.post(`${prefix}/cloud/environments/:id/packages/:pkgId/upgrade`, async (req, res) => {
+      server.post(`${prefix}/packages/:id/revert`, async (req, res) => {
         try {
-          const result = await dispatcher.handleCloud(`/projects/${req.params.id}/packages/${req.params.pkgId}/upgrade`, "POST", req.body, {}, { request: req });
+          const result = await dispatcher.handlePackages(`/${req.params.id}/revert`, "POST", req.body, {}, { request: req });
           sendResult(result, res);
         } catch (err) {
           errorResponse(err, res);
@@ -6930,6 +5527,22 @@ function createDispatcherPlugin(config = {}) {
             errorResponse(err, res);
           }
         });
+        server.post(`${base}/automation/:name/runs/:runId/resume`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("POST", `/automation/${req.params.name}/runs/${req.params.runId}/resume`, req.body, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
+        server.get(`${base}/automation/:name/runs/:runId/screen`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch("GET", `/automation/${req.params.name}/runs/${req.params.runId}/screen`, void 0, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
       };
       const registerAIRoutes = (base) => {
         const wildcards = [
@@ -7870,21 +6483,17 @@ async function createDriver(driverType, databaseUrl, authToken) {
 // src/cloud/artifact-kernel-factory.ts
 var import_node_crypto2 = require("crypto");
 var import_core3 = require("@objectstack/core");
-var import_types4 = require("@objectstack/types");
+var import_types3 = require("@objectstack/types");
 init_driver_plugin();
 init_app_plugin();
 // src/cloud/capability-loader.ts
 var CAPABILITY_PROVIDERS = {
   automation: {
+    // Self-contained: AutomationServicePlugin seeds all built-in node
+    // executors itself (ADR-0018), so no companion node-pack plugins.
     pkg: "@objectstack/service-automation",
-    export: "AutomationServicePlugin",
-    extras: [
-      { pkg: "@objectstack/service-automation", export: "CrudNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "LogicNodesPlugin" },
-      { pkg: "@objectstack/service-automation", export: "HttpConnectorPlugin" },
-      { pkg: "@objectstack/service-automation", export: "ScreenNodesPlugin" }
-    ]
+    export: "AutomationServicePlugin"
   },
   ai: {
     pkg: "@objectstack/service-ai",
@@ -7915,6 +6524,19 @@ var CAPABILITY_PROVIDERS = {
     pkg: "@objectstack/service-job",
     export: "JobServicePlugin"
   },
+  messaging: {
+    // Backs the `notify` flow node (ADR-0012): delivers to a user's
+    // channels (inbox by default → `sys_inbox_message` rows).
+    pkg: "@objectstack/service-messaging",
+    export: "MessagingServicePlugin"
+  },
+  triggers: {
+    // Concrete flow triggers — record-change (ObjectQL hooks) + schedule
+    // (cron/interval via the job service; pair `triggers` with `job`).
+    pkg: "@objectstack/plugin-trigger-record-change",
+    export: "RecordChangeTriggerPlugin",
+    extras: [{ pkg: "@objectstack/plugin-trigger-schedule", export: "ScheduleTriggerPlugin" }]
+  },
   realtime: {
     pkg: "@objectstack/service-realtime",
     export: "RealtimeServicePlugin"
@@ -7932,7 +6554,11 @@ async function loadCapabilities(opts) {
   const { kernel, requires, bundle, environmentId } = opts;
   const logger = opts.logger ?? console;
   const installed = [];
-  for (const cap of requires) {
+  const resolved = [...new Set(requires)];
+  if (resolved.includes("audit") && !resolved.includes("messaging")) {
+    resolved.push("messaging");
+  }
+  for (const cap of resolved) {
     const spec = CAPABILITY_PROVIDERS[cap];
     if (!spec) {
       continue;
@@ -7999,8 +6625,197 @@ async function loadCapabilities(opts) {
   return installed;
 }
+// src/cloud/platform-sso.ts
+var import_node_crypto = require("crypto");
+var PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
+function derivePlatformSsoClientId(environmentId) {
+  return `project_${environmentId}`;
+}
+function derivePlatformSsoClientSecret(baseSecret, environmentId) {
+  return (0, import_node_crypto.createHmac)("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
+}
+function hashPlatformSsoClientSecret(plaintext) {
+  return (0, import_node_crypto.createHash)("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
+  let host;
+  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
+    host = hostname;
+  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
+    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
+    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
+    host = `http://${hostWithPort}`;
+  } else {
+    host = `https://${hostname}`;
+  }
+  const trimmed = host.replace(/\/+$/, "");
+  const path = basePath.replace(/\/+$/, "");
+  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
+}
+async function seedPlatformSsoClient(opts) {
+  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
+    return;
+  }
+  const clientId = derivePlatformSsoClientId(environmentId);
+  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
+  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
+  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
+  let existing = null;
+  try {
+    const rows = await ql.find("sys_oauth_application", {
+      where: { client_id: clientId },
+      limit: 1
+    }, { context: { isSystem: true } });
+    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+    existing = list[0] ?? null;
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
+      environmentId,
+      error: err?.message
+    });
+    return;
+  }
+  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
+  if (!existing) {
+    const redirects = desiredRedirect ? [desiredRedirect] : [];
+    try {
+      await ql.insert("sys_oauth_application", {
+        id: `oauthc_${environmentId}`,
+        name: `Project ${environmentId}`,
+        client_id: clientId,
+        client_secret: clientSecretStored,
+        type: "web",
+        redirect_uris: JSON.stringify(redirects),
+        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+        response_types: JSON.stringify(["code"]),
+        scopes: JSON.stringify(["openid", "email", "profile"]),
+        token_endpoint_auth_method: "client_secret_basic",
+        require_pkce: false,
+        skip_consent: true,
+        disabled: false,
+        subject_type: "public",
+        created_at: nowIso,
+        updated_at: nowIso
+      }, { context: { isSystem: true } });
+      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
+    } catch (err) {
+      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
+        environmentId,
+        error: err?.message
+      });
+      if (throwOnError) throw err;
+    }
+    return;
+  }
+  let currentRedirects = [];
+  try {
+    const raw = existing.redirect_uris;
+    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
+    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
+  } catch {
+  }
+  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
+  const repairPatch = {
+    name: existing.name || `Project ${environmentId}`,
+    client_secret: clientSecretStored,
+    type: existing.type || "web",
+    redirect_uris: JSON.stringify(mergedRedirects),
+    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
+    response_types: JSON.stringify(["code"]),
+    scopes: JSON.stringify(["openid", "email", "profile"]),
+    token_endpoint_auth_method: "client_secret_basic",
+    require_pkce: false,
+    skip_consent: true,
+    disabled: false,
+    subject_type: "public",
+    updated_at: nowIso
+  };
+  try {
+    await ql.update(
+      "sys_oauth_application",
+      repairPatch,
+      { where: { id: existing.id } },
+      { context: { isSystem: true } }
+    );
+    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
+      environmentId,
+      clientId,
+      redirect_uris: mergedRedirects
+    });
+  } catch (err) {
+    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
+      environmentId,
+      error: err?.message
+    });
+    if (throwOnError) throw err;
+  }
+}
+async function backfillPlatformSsoClients(opts) {
+  const { ql, baseSecret, logger, limit = 1e3 } = opts;
+  if (!baseSecret) {
+    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
+  }
+  let projects = [];
+  try {
+    const rows = await ql.find("sys_environment", {
+      limit,
+      fields: ["id", "hostname", "status"]
+    }, { context: { isSystem: true } });
+    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch (err) {
+    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
+      error: err?.message
+    });
+    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
+  }
+  let seeded = 0;
+  let alreadyExisted = 0;
+  const failures = [];
+  for (const p of projects) {
+    if (!p?.id) continue;
+    const before = await (async () => {
+      try {
+        const r = await ql.find("sys_oauth_application", {
+          where: { client_id: derivePlatformSsoClientId(p.id) },
+          limit: 1
+        }, { context: { isSystem: true } });
+        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+        return list[0] ?? null;
+      } catch {
+        return null;
+      }
+    })();
+    try {
+      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
+      if (before) alreadyExisted++;
+      else {
+        const after = await (async () => {
+          try {
+            const r = await ql.find("sys_oauth_application", {
+              where: { client_id: derivePlatformSsoClientId(p.id) },
+              limit: 1
+            }, { context: { isSystem: true } });
+            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
+            return list[0] ?? null;
+          } catch (err) {
+            return { _readErr: err?.message };
+          }
+        })();
+        if (after && !after._readErr) seeded++;
+        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
+      }
+    } catch (err) {
+      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
+    }
+  }
+  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
+  return { scanned: projects.length, seeded, alreadyExisted, failures };
+}
 // src/cloud/artifact-kernel-factory.ts
-init_platform_sso();
 function deriveProjectAuthSecret(baseSecret, environmentId) {
   return (0, import_node_crypto2.createHmac)("sha256", baseSecret).update(`project:${environmentId}`).digest("hex");
 }
@@ -8010,7 +6825,7 @@ var ArtifactKernelFactory = class {
     this.envRegistry = config.envRegistry;
     this.logger = config.logger ?? console;
     this.kernelConfig = config.kernelConfig;
-    this.authBaseSecret = (config.authBaseSecret ?? (0, import_types4.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
+    this.authBaseSecret = (config.authBaseSecret ?? (0, import_types3.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
   }
   async create(environmentId) {
     let cached = this.envRegistry.peekById(environmentId);
@@ -8123,7 +6938,7 @@ var ArtifactKernelFactory = class {
       this.logger.warn?.("[ArtifactKernelFactory] OS_AUTH_SECRET not set \u2014 per-project AuthPlugin skipped (auth endpoints will return 404)", { environmentId });
     }
     try {
-      const multiTenant = String((0, import_types4.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+      const multiTenant = String((0, import_types3.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
       if (multiTenant) {
         try {
           const { OrgScopingPlugin } = await import("@objectstack/plugin-org-scoping");
@@ -9326,7 +8141,7 @@ async function createObjectOSStack(config) {
 // src/cloud/marketplace-install-local-plugin.ts
 var import_node_fs4 = require("fs");
 var import_node_path7 = require("path");
-var import_types5 = require("@objectstack/types");
+var import_types4 = require("@objectstack/types");
 var ROUTE_BASE = "/api/v1/marketplace/install-local";
 var DEFAULT_DIR = ".objectstack/installed-packages";
 function safeFilename(manifestId) {
@@ -9870,7 +8685,7 @@ var MarketplaceInstallLocalPlugin = class {
         }
       }
       if (opts.seedNow && datasets.length > 0) {
-        const multiTenant = String((0, import_types5.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+        const multiTenant = String((0, import_types4.readEnvWithDeprecation)("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
         try {
           const ql = ctx.getService("objectql");
           let metadata;
@@ -9988,9 +8803,6 @@ var MarketplaceInstallLocalPlugin = class {
   }
 };
-// src/index.ts
-init_platform_sso();
 // src/sandbox/script-runner.ts
 var UnimplementedScriptRunner = class {
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -10016,7 +8828,7 @@ init_body_runner();
 // src/index.ts
 var import_rest = require("@objectstack/rest");
 __reExport(index_exports, require("@objectstack/core"), module.exports);
-var import_types6 = require("@objectstack/types");
+var import_types5 = require("@objectstack/types");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AppPlugin,
@@ -10027,6 +8839,7 @@ var import_types6 = require("@objectstack/types");
   DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS,
   DriverPlugin,
+  ExternalValidationPlugin,
   FileArtifactApiClient,
   HttpDispatcher,
   HttpServer,
@@ -10065,6 +8878,7 @@ var import_types6 = require("@objectstack/types");
   collectBundleHooks,
   createDefaultHostConfig,
   createDispatcherPlugin,
+  createExternalValidationPlugin,
   createObjectOSStack,
   createRestApiPlugin,
   createStandaloneStack,