@objectstack/runtime 7.8.0 → 8.0.0

package/dist/index.js

@@ -164,7 +164,7 @@ var init_seed_loader = __esm({
         const config = request.config;
         const allErrors = [];
         const allResults = [];
-        const datasets = this.filterByEnv(request.datasets, config.env);
+        const datasets = this.filterByEnv(request.seeds, config.env);
         if (datasets.length === 0) {
           return this.buildEmptyResult(config, Date.now() - startTime);
         }
@@ -234,10 +234,10 @@ var init_seed_loader = __esm({
       }
       async validate(datasets, config) {
         const parsedConfig = SeedLoaderConfigSchema.parse({ ...config, dryRun: true });
-        return this.load({ datasets, config: parsedConfig });
+        return this.load({ seeds: datasets, config: parsedConfig });
       }
       // ==========================================================================
-      // Internal: Dataset Loading
+      // Internal: Seed Loading
       // ==========================================================================
       async loadDataset(dataset, config, refMap, insertedRecords, deferredUpdates, allErrors) {
         const objectName = dataset.object;
@@ -1657,7 +1657,7 @@ var init_app_plugin = __esm({
                 const seedLoader = new SeedLoaderService(ql, md, loggerRef);
                 const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                 const request = SeedLoaderRequestSchema.parse({
-                  datasets: datasetsNow,
+                  seeds: datasetsNow,
                   config: {
                     defaultMode: "upsert",
                     multiPass: true,
@@ -1677,7 +1677,7 @@ var init_app_plugin = __esm({
                 };
               };
               registerSvc("seed-replayer", replayer);
-              ctx.logger.info(`[Seeder] Registered ${normalizedDatasets.length} datasets + replayer on kernel (total datasets: ${merged.length})`);
+              ctx.logger.info(`[Seeder] Registered ${normalizedDatasets.length} datasets + replayer on kernel (total seeds: ${merged.length})`);
             } catch (e) {
               ctx.logger.warn("[Seeder] Failed to register seed-datasets/seed-replayer service", { error: e?.message });
             }
@@ -1693,7 +1693,7 @@ var init_app_plugin = __esm({
                     const seedLoader = new SeedLoaderService(ql, metadata, ctx.logger);
                     const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
                     const request = SeedLoaderRequestSchema.parse({
-                      datasets: normalizedDatasets,
+                      seeds: normalizedDatasets,
                       config: { defaultMode: "upsert", multiPass: true, identity: seedIdentity }
                     });
                     const result = await seedLoader.load(request);
@@ -2167,154 +2167,8 @@ var init_standalone_stack = __esm({
   }
 });
 
-// src/cloud/environment-org-seed.ts
-var environment_org_seed_exports = {};
-__export(environment_org_seed_exports, {
-  seedProjectMember: () => seedProjectMember,
-  seedProjectOrganization: () => seedProjectOrganization
-});
-async function seedProjectOrganization(kernel, seed, logger) {
-  if (!seed?.id || !seed?.name) return "skipped";
-  try {
-    const ql = kernel.getService("objectql");
-    if (!ql?.insert || !ql?.find) {
-      logger?.warn?.("[seedProjectOrganization] objectql service unavailable", { orgId: seed.id });
-      return "skipped";
-    }
-    try {
-      const existing = await ql.find(SYS_ORG, { where: { id: seed.id } });
-      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
-      if (Array.isArray(rows) && rows.length > 0) return "exists";
-    } catch {
-    }
-    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-    await ql.insert(SYS_ORG, {
-      id: seed.id,
-      name: seed.name,
-      slug: seed.slug ?? null,
-      logo: seed.logo ?? null,
-      metadata: null,
-      created_at: nowIso
-    });
-    logger?.info?.("[seedProjectOrganization] org seeded", {
-      orgId: seed.id,
-      name: seed.name
-    });
-    return "inserted";
-  } catch (err) {
-    logger?.warn?.("[seedProjectOrganization] failed (non-fatal)", {
-      orgId: seed.id,
-      error: err?.message
-    });
-    return "error";
-  }
-}
-async function seedProjectMember(kernel, args, logger) {
-  const { userId, organizationId } = args;
-  const role = args.role ?? "member";
-  if (!userId || !organizationId) return "skipped";
-  try {
-    const ql = kernel.getService("objectql");
-    if (!ql?.insert || !ql?.find) {
-      logger?.warn?.("[seedProjectMember] objectql service unavailable", { userId, organizationId });
-      return "skipped";
-    }
-    try {
-      const existing = await ql.find("sys_member", {
-        where: { user_id: userId, organization_id: organizationId }
-      });
-      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
-      if (Array.isArray(rows) && rows.length > 0) return "exists";
-    } catch {
-    }
-    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-    const memId = `mem_${Math.random().toString(36).slice(2, 14)}`;
-    await ql.insert("sys_member", {
-      id: memId,
-      organization_id: organizationId,
-      user_id: userId,
-      role,
-      created_at: nowIso
-    });
-    logger?.info?.("[seedProjectMember] member seeded", {
-      userId,
-      organizationId,
-      role
-    });
-    return "inserted";
-  } catch (err) {
-    logger?.warn?.("[seedProjectMember] failed (non-fatal)", {
-      userId,
-      organizationId,
-      error: err?.message
-    });
-    return "error";
-  }
-}
-var SYS_ORG;
-var init_environment_org_seed = __esm({
-  "src/cloud/environment-org-seed.ts"() {
-    "use strict";
-    SYS_ORG = "sys_organization";
-  }
-});
-
-// src/cloud/environment-owner-seed.ts
-var environment_owner_seed_exports = {};
-__export(environment_owner_seed_exports, {
-  seedProjectOwner: () => seedProjectOwner
-});
-async function seedProjectOwner(kernel, seed, logger) {
-  if (!seed?.userId || !seed?.email) return "skipped";
-  try {
-    const ql = kernel.getService("objectql");
-    if (!ql?.insert || !ql?.find) {
-      logger?.warn?.("[seedProjectOwner] objectql service unavailable", { userId: seed.userId });
-      return "skipped";
-    }
-    try {
-      const existing = await ql.find(SYS_USER, { where: { id: seed.userId } });
-      const rows = Array.isArray(existing) ? existing : existing?.value ?? [];
-      if (Array.isArray(rows) && rows.length > 0) return "exists";
-    } catch {
-    }
-    const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-    await ql.insert(SYS_USER, {
-      id: seed.userId,
-      email: seed.email,
-      name: seed.name ?? seed.email.split("@")[0] ?? "Owner",
-      image: seed.image ?? null,
-      // Cloud already verified the upstream email. Marking it verified
-      // here is what unblocks better-auth's accountLinking check on
-      // the first SSO callback (alongside the trustedProviders config
-      // in plugin-auth/auth-manager.ts).
-      email_verified: true,
-      created_at: nowIso,
-      updated_at: nowIso
-    });
-    logger?.info?.("[seedProjectOwner] owner seeded", {
-      userId: seed.userId,
-      email: seed.email
-    });
-    return "inserted";
-  } catch (err) {
-    logger?.warn?.("[seedProjectOwner] failed (non-fatal)", {
-      userId: seed.userId,
-      error: err?.message
-    });
-    return "error";
-  }
-}
-var SYS_USER;
-var init_environment_owner_seed = __esm({
-  "src/cloud/environment-owner-seed.ts"() {
-    "use strict";
-    SYS_USER = "sys_user";
-  }
-});
-
 // src/index.ts
-import { ObjectKernel as ObjectKernel4 } from "@objectstack/core";
+import { ObjectKernel as ObjectKernel3 } from "@objectstack/core";
 
 // src/runtime.ts
 import { ObjectKernel } from "@objectstack/core";
@@ -2596,30 +2450,18 @@ import { getEnv, resolveLocale } from "@objectstack/core";
 import { CoreServiceName } from "@objectstack/spec/system";
 import { pluralToSingular, PLURAL_TO_SINGULAR } from "@objectstack/spec/shared";
 
+// src/security/api-key.ts
+import {
+  API_KEY_PREFIX,
+  hashApiKey,
+  generateApiKey,
+  extractApiKey,
+  parseScopes,
+  isExpired,
+  resolveApiKeyPrincipal
+} from "@objectstack/core";
+
 // src/security/resolve-execution-context.ts
-function readHeader(headers, name) {
-  if (!headers) return void 0;
-  const lower = name.toLowerCase();
-  if (typeof headers.get === "function") {
-    const v = headers.get(name) ?? headers.get(lower);
-    return v == null ? void 0 : String(v);
-  }
-  for (const key of Object.keys(headers)) {
-    if (key.toLowerCase() === lower) {
-      const v = headers[key];
-      return Array.isArray(v) ? v[0] : v == null ? void 0 : String(v);
-    }
-  }
-  return void 0;
-}
-function extractApiKey(headers) {
-  const x = readHeader(headers, "x-api-key");
-  if (x) return x.trim();
-  const auth = readHeader(headers, "authorization");
-  if (!auth) return void 0;
-  const m = auth.match(/^ApiKey\s+(.+)$/i);
-  return m ? m[1].trim() : void 0;
-}
 function toHeaders(input) {
   if (!input) return new Headers();
   if (typeof Headers !== "undefined" && input instanceof Headers) return input;
@@ -2662,34 +2504,12 @@ async function resolveExecutionContext(opts) {
   };
   let userId;
   let tenantId;
-  const apiKey = extractApiKey(headers);
-  if (apiKey) {
-    try {
-      const authService = await opts.getService("auth");
-      const verify = authService?.api?.verifyApiKey ?? authService?.api?.apiKey?.verify;
-      if (typeof verify === "function") {
-        const res = await verify({ body: { key: apiKey } });
-        const payload = res?.key ?? res;
-        if (payload?.userId) userId = payload.userId;
-        if (payload?.organizationId) tenantId = payload.organizationId;
-        if (Array.isArray(payload?.permissions)) {
-          ctx.permissions.push(...payload.permissions);
-        }
-        if (Array.isArray(payload?.scopes)) {
-          ctx.permissions.push(...payload.scopes);
-        }
-      }
-    } catch {
-    }
-    if (!userId) {
-      const ql2 = await opts.getQl();
-      const rows = await tryFind(ql2, "sys_api_key", { key: apiKey, active: true }, 1);
-      const row = rows[0];
-      if (row) {
-        userId = row.user_id ?? row.userId;
-        tenantId = row.organization_id ?? row.organizationId;
-        if (Array.isArray(row.scopes)) ctx.permissions.push(...row.scopes);
-      }
+  const keyPrincipal = await resolveApiKeyPrincipal(await opts.getQl(), headers);
+  if (keyPrincipal) {
+    userId = keyPrincipal.userId;
+    tenantId = keyPrincipal.tenantId;
+    for (const scope of keyPrincipal.scopes) {
+      if (!ctx.permissions.includes(scope)) ctx.permissions.push(scope);
     }
   }
   if (!userId) {
@@ -2965,6 +2785,253 @@ var _HttpDispatcher = class _HttpDispatcher {
     }
     throw { statusCode: 400, message: `Unknown data action: ${action}` };
   }
+  /**
+   * Handle an MCP request over the Streamable HTTP transport (`/mcp`).
+   *
+   * Gating + auth (fail-closed):
+   *  - **opt-in**: only served when `OS_MCP_SERVER_ENABLED=true` (single-env
+   *    runtime). Multi-tenant cloud overrides this gate per env. When off we
+   *    return 404 so the surface isn't advertised.
+   *  - **auth**: requires a principal already resolved by
+   *    `resolveExecutionContext` (the `sys_api_key` Bearer/header path or a
+   *    session). Anonymous → 401.
+   *
+   * Execution: the MCP runtime builds a stateless per-request server whose
+   * object-CRUD tools run through {@link callData} bound to THIS request's
+   * ExecutionContext — i.e. the exact permission + RLS path the REST API
+   * uses. An external agent can never exceed the key's authority.
+   */
+  async handleMcp(body, context) {
+    if (!_HttpDispatcher.isMcpEnabled()) {
+      return { handled: true, response: this.error("MCP server is not enabled for this environment", 404) };
+    }
+    const mcp = await this.resolveService("mcp", context.environmentId);
+    if (!mcp || typeof mcp.handleHttpRequest !== "function") {
+      return { handled: true, response: this.error("MCP server is not available", 501) };
+    }
+    const ec = context.executionContext;
+    if (!ec || !ec.userId && !ec.isSystem) {
+      return { handled: true, response: this.error("Unauthorized: a valid API key is required", 401) };
+    }
+    const webRequest = this.toMcpWebRequest(context.request, body);
+    if (!webRequest) {
+      return { handled: true, response: this.error("MCP transport requires a standard HTTP request", 400) };
+    }
+    const bridge = this.buildMcpBridge(context);
+    let webRes;
+    try {
+      webRes = await mcp.handleHttpRequest(webRequest, { bridge, parsedBody: body });
+    } catch (err) {
+      return { handled: true, response: this.error(err?.message ?? "MCP request failed", 500) };
+    }
+    const headers = {};
+    try {
+      webRes.headers.forEach((v, k) => {
+        headers[k] = v;
+      });
+    } catch {
+    }
+    const text = await webRes.text().catch(() => "");
+    let responseBody = null;
+    if (text) {
+      const ct = headers["content-type"] ?? "";
+      if (ct.includes("application/json")) {
+        try {
+          responseBody = JSON.parse(text);
+        } catch {
+          responseBody = text;
+        }
+      } else {
+        responseBody = text;
+      }
+    }
+    return { handled: true, response: { status: webRes.status, headers, body: responseBody } };
+  }
+  /** Whether the MCP HTTP surface is opted in for this single-env runtime. */
+  static isMcpEnabled() {
+    return typeof process !== "undefined" && process.env?.OS_MCP_SERVER_ENABLED === "true";
+  }
+  /**
+   * Normalise the inbound request into a Web-standard `Request` for the MCP
+   * transport. Accepts an already-Web `Request`, or a node/Hono-style req
+   * (plain `headers` object, path-only `url`). Returns undefined only if the
+   * shape is unusable. The body is carried separately via `parsedBody`, so a
+   * GET/DELETE (no body) and a POST (JSON-RPC) both normalise cleanly.
+   */
+  toMcpWebRequest(raw, parsedBody) {
+    if (!raw) return void 0;
+    if (typeof raw.headers?.get === "function" && typeof raw.url === "string" && typeof raw.method === "string") {
+      return raw;
+    }
+    try {
+      const method = String(raw.method ?? "POST").toUpperCase();
+      const headers = new Headers();
+      const h = raw.headers;
+      if (h) {
+        if (typeof h.forEach === "function") {
+          h.forEach((v, k) => {
+            if (v != null) headers.set(String(k), String(v));
+          });
+        } else {
+          for (const k of Object.keys(h)) {
+            const v = h[k];
+            if (v != null) headers.set(k, Array.isArray(v) ? v.join(",") : String(v));
+          }
+        }
+      }
+      let url;
+      try {
+        url = new URL(String(raw.url)).toString();
+      } catch {
+        const host = headers.get("host") || "mcp.local";
+        const path = typeof raw.url === "string" && raw.url ? raw.url : "/api/v1/mcp";
+        url = `https://${host}${path.startsWith("/") ? path : `/${path}`}`;
+      }
+      const init = { method, headers };
+      if (method !== "GET" && method !== "HEAD" && method !== "DELETE") {
+        init.body = typeof parsedBody === "string" ? parsedBody : JSON.stringify(parsedBody ?? {});
+      }
+      return new Request(url, init);
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Build a principal-bound {@link McpDataBridge}: every method runs AS the
+   * request's ExecutionContext through {@link callData} (RLS/permissions) and
+   * the per-env metadata service. Keeps the MCP tool layer free of any direct
+   * engine access.
+   */
+  buildMcpBridge(context) {
+    const ec = context.executionContext;
+    const envId = context.environmentId;
+    const driver = context.dataDriver;
+    const callData = this.callData.bind(this);
+    const getMeta = () => this.resolveService("metadata", envId);
+    return {
+      listObjects: async () => {
+        const meta = await getMeta();
+        const objs = await meta?.listObjects?.() ?? [];
+        return objs.map((o) => ({
+          name: o.name,
+          label: o.label ?? o.name,
+          fieldCount: o.fields ? Object.keys(o.fields).length : void 0
+        }));
+      },
+      describeObject: async (name) => {
+        const meta = await getMeta();
+        const def = await meta?.getObject?.(name);
+        if (!def) return null;
+        const fields = def.fields ?? {};
+        return {
+          name: def.name,
+          label: def.label ?? def.name,
+          fields: Object.entries(fields).map(([k, f]) => ({
+            name: k,
+            type: f?.type,
+            label: f?.label ?? k,
+            required: f?.required ?? false
+          })),
+          enableFeatures: def.enable ?? {}
+        };
+      },
+      query: async (object, o) => {
+        const query = {};
+        if (o?.where) query.where = o.where;
+        if (o?.fields) query.fields = o.fields;
+        if (typeof o?.limit === "number") query.limit = o.limit;
+        if (typeof o?.offset === "number") query.offset = o.offset;
+        if (o?.orderBy) query.orderBy = o.orderBy;
+        return await callData("query", { object, query }, driver, envId, ec);
+      },
+      get: async (object, id) => {
+        const res = await callData("get", { object, id }, driver, envId, ec);
+        return res?.record ?? res ?? null;
+      },
+      create: async (object, data) => await callData("create", { object, data }, driver, envId, ec),
+      update: async (object, id, data) => await callData("update", { object, id, data }, driver, envId, ec),
+      remove: async (object, id) => await callData("delete", { object, id }, driver, envId, ec)
+    };
+  }
+  /**
+   * Generate a `sys_api_key` and return the raw secret EXACTLY ONCE
+   * (`POST /keys`). This is the only mint path — the raw key is never stored
+   * (only its sha256 hash) and never re-displayable.
+   *
+   * Security (zero-tolerance):
+   *  - Requires an authenticated principal; `user_id` is PINNED to that
+   *    caller and is NEVER read from the request body (no impersonation).
+   *  - Body is whitelisted to `name` (+ optional `expires_at`); any
+   *    `key` / `id` / `user_id` / `revoked` in the body is ignored, so a
+   *    caller cannot forge a known-secret or escalate.
+   *  - `scopes` are intentionally NOT accepted from the body in v1: the
+   *    verify path ADDS scopes to the principal's permissions, so honouring
+   *    arbitrary body scopes would be an escalation vector. A generated key
+   *    therefore acts exactly AS the caller (via `user_id` resolution).
+   *    Narrowing/scoped keys need subset-enforcement — deferred.
+   *  - The raw key and its hash never enter logs or error messages.
+   *  - The row is written with an elevated `{ isSystem: true }` context
+   *    because `sys_api_key` is protection-locked; safe because the row's
+   *    contents are fully server-controlled (user_id pinned to caller).
+   */
+  async handleKeys(method, body, context) {
+    if (method !== "POST") {
+      return { handled: true, response: this.error("Method not allowed", 405) };
+    }
+    const ec = context.executionContext;
+    if (!ec || !ec.userId) {
+      return { handled: true, response: this.error("Unauthorized: sign in to generate an API key", 401) };
+    }
+    const rawName = typeof body?.name === "string" ? body.name.trim() : "";
+    const name = rawName || "API Key";
+    let expiresAt;
+    if (body?.expires_at != null && body.expires_at !== "") {
+      const ms = typeof body.expires_at === "number" ? body.expires_at < 1e12 ? body.expires_at * 1e3 : body.expires_at : Date.parse(String(body.expires_at));
+      if (Number.isNaN(ms)) {
+        return { handled: true, response: this.error("Invalid expires_at: must be a parseable date", 400) };
+      }
+      if (ms <= Date.now()) {
+        return { handled: true, response: this.error("Invalid expires_at: must be in the future", 400) };
+      }
+      expiresAt = new Date(ms).toISOString();
+    }
+    const ql = await this.getObjectQLService(context.environmentId) ?? await this.resolveService("objectql", context.environmentId);
+    if (!ql || typeof ql.insert !== "function") {
+      return { handled: true, response: this.error("Data service not available", 503) };
+    }
+    const generated = generateApiKey();
+    const row = {
+      name,
+      key: generated.hash,
+      prefix: generated.prefix,
+      user_id: ec.userId,
+      revoked: false
+    };
+    if (expiresAt) row.expires_at = expiresAt;
+    let inserted;
+    try {
+      inserted = await ql.insert("sys_api_key", row, { context: { isSystem: true } });
+    } catch {
+      return { handled: true, response: this.error("Failed to create API key", 500) };
+    }
+    const id = inserted?.id ?? (Array.isArray(inserted) ? inserted[0]?.id : void 0);
+    return {
+      handled: true,
+      response: {
+        status: 201,
+        body: {
+          success: true,
+          data: {
+            id,
+            name,
+            prefix: generated.prefix,
+            key: generated.raw,
+            ...expiresAt ? { expires_at: expiresAt } : {}
+          }
+        }
+      }
+    };
+  }
   /**
    * Parse a project UUID out of a scoped URL path such as
    * `/api/v1/environments/abc-123/data/task` or `/projects/abc-123/meta`.
@@ -3251,7 +3318,11 @@ var _HttpDispatcher = class _HttpDispatcher {
       realtime: hasWebSockets ? `${prefix}/realtime` : void 0,
       notifications: hasNotification ? `${prefix}/notifications` : void 0,
       ai: hasAi ? `${prefix}/ai` : void 0,
-      i18n: hasI18n ? `${prefix}/i18n` : void 0
+      i18n: hasI18n ? `${prefix}/i18n` : void 0,
+      // MCP (Streamable HTTP) is opt-in per env — only advertised
+      // when OS_MCP_SERVER_ENABLED=true so the surface isn't exposed
+      // by default. The objectui Integrations page reads this.
+      mcp: _HttpDispatcher.isMcpEnabled() ? `${prefix}/mcp` : void 0
     };
     const svcAvailable = (route, provider) => ({
       enabled: true,
@@ -3514,7 +3585,8 @@ var _HttpDispatcher = class _HttpDispatcher {
         if (protocol && typeof protocol.getMetaItem === "function") {
           try {
             const organizationId = await this.resolveActiveOrganizationId(_context);
-            const data = await protocol.getMetaItem({ type: singularType, name, packageId, organizationId });
+            const previewDrafts = query?.preview === "draft";
+            const data = await protocol.getMetaItem({ type: singularType, name, packageId, organizationId, previewDrafts });
             return { handled: true, response: this.success(data) };
           } catch (e) {
           }
@@ -3556,7 +3628,8 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (protocol && typeof protocol.getMetaItems === "function") {
         try {
           const organizationId = await this.resolveActiveOrganizationId(_context);
-          const data = await protocol.getMetaItems({ type: typeOrName, packageId, organizationId });
+          const previewDrafts = query?.preview === "draft";
+          const data = await protocol.getMetaItems({ type: typeOrName, packageId, organizationId, previewDrafts });
           if (data && (data.items !== void 0 || Array.isArray(data))) {
             return { handled: true, response: this.success(data) };
           }
@@ -3903,6 +3976,18 @@ var _HttpDispatcher = class _HttpDispatcher {
               ...organizationId ? { organizationId } : {},
               ...body?.actor ? { actor: body.actor } : {}
             });
+            try {
+              const seedNames = (result?.published ?? []).filter((p) => p?.type === "seed").map((p) => p.name);
+              if (seedNames.length > 0) {
+                result.seedApplied = await this.applyPublishedSeeds(
+                  seedNames,
+                  organizationId,
+                  _context
+                );
+              }
+            } catch (e) {
+              result.seedApplied = { success: false, error: e?.message ?? "seed apply failed" };
+            }
             return { handled: true, response: this.success(result) };
           } catch (e) {
             return { handled: true, response: this.error(e.message, e.statusCode || 500) };
@@ -3910,6 +3995,24 @@ var _HttpDispatcher = class _HttpDispatcher {
         }
         return { handled: true, response: this.error("Draft publishing not supported", 501) };
       }
+      if (parts.length === 2 && parts[1] === "discard-drafts" && m === "POST") {
+        const id = decodeURIComponent(parts[0]);
+        const protocol = await this.resolveService("protocol");
+        if (protocol && typeof protocol.discardPackageDrafts === "function") {
+          try {
+            const organizationId = await this.resolveActiveOrganizationId(_context);
+            const result = await protocol.discardPackageDrafts({
+              packageId: id,
+              ...organizationId ? { organizationId } : {},
+              ...body?.actor ? { actor: body.actor } : {}
+            });
+            return { handled: true, response: this.success(result) };
+          } catch (e) {
+            return { handled: true, response: this.error(e.message, e.statusCode || 500) };
+          }
+        }
+        return { handled: true, response: this.error("Draft discarding not supported", 501) };
+      }
       if (parts.length === 2 && parts[1] === "revert" && m === "POST") {
         const id = decodeURIComponent(parts[0]);
         const metadataService = await this.getService(CoreServiceName.enum.metadata);
@@ -3935,9 +4038,27 @@ var _HttpDispatcher = class _HttpDispatcher {
       }
       if (parts.length === 1 && m === "DELETE") {
         const id = decodeURIComponent(parts[0]);
-        const success = registry.uninstallPackage(id);
-        if (!success) return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
-        return { handled: true, response: this.success({ success: true }) };
+        const registryRemoved = registry.uninstallPackage(id);
+        let persisted = void 0;
+        const protocol = await this.resolveService("protocol");
+        if (protocol && typeof protocol.deletePackage === "function") {
+          try {
+            const organizationId = await this.resolveActiveOrganizationId(_context);
+            const keepData = query?.keepData === "true" || query?.keepData === "1";
+            persisted = await protocol.deletePackage({
+              packageId: id,
+              ...organizationId ? { organizationId } : {},
+              ...keepData ? { keepData: true } : {}
+            });
+          } catch (e) {
+            return { handled: true, response: this.error(e.message, e.statusCode || 500) };
+          }
+        }
+        const deletedCount = persisted?.deletedCount ?? 0;
+        if (!registryRemoved && deletedCount === 0) {
+          return { handled: true, response: this.error(`Package '${id}' not found`, 404) };
+        }
+        return { handled: true, response: this.success({ success: true, registryRemoved, persisted }) };
       }
     } catch (e) {
       return { handled: true, response: this.error(e.message, e.statusCode || 500) };
@@ -4059,6 +4180,66 @@ var _HttpDispatcher = class _HttpDispatcher {
    * Physical database addressing (database_url, database_driver, etc.)
    * is stored directly on the sys_environment row.
    */
+  /**
+   * Apply just-published `seed` metadata: load each seed's rows into its
+   * target object so publishing a seed draft makes the data live (the runtime
+   * counterpart to staging it). Reads each seed body via the protocol, then
+   * runs the {@link SeedLoaderService} for the active org. Best-effort and
+   * idempotent (upsert) — callers must never let this fail the publish.
+   *
+   * Lives at the runtime layer (not in the objectql publish primitive)
+   * because the seed loader needs the data engine + metadata service, which
+   * objectql cannot depend on without a layering cycle.
+   */
+  async applyPublishedSeeds(names, organizationId, _context) {
+    const protocol = await this.resolveService("protocol");
+    const metadata = await this.getService(CoreServiceName.enum.metadata);
+    const ql = await this.resolveService("objectql");
+    if (!protocol || typeof protocol.getMetaItem !== "function" || !ql || !metadata) {
+      return { success: false, error: "seed apply: required services unavailable" };
+    }
+    const datasets = [];
+    const readErrors = [];
+    for (const name of names) {
+      const attempts = organizationId ? [{ type: "seed", name, organizationId }, { type: "seed", name }] : [{ type: "seed", name }];
+      let item;
+      for (const args of attempts) {
+        try {
+          item = await protocol.getMetaItem(args);
+          if (item) break;
+        } catch (e) {
+          readErrors.push(`read ${name}: ${e?.message ?? String(e)}`);
+        }
+      }
+      const seed = item?.object && Array.isArray(item?.records) ? item : item?.item ?? item?.metadata ?? item?.body;
+      if (seed?.object && Array.isArray(seed?.records)) {
+        datasets.push(seed);
+      } else {
+        readErrors.push(`seed "${name}" body unreadable (keys: ${item ? Object.keys(item).join(",") : "none"})`);
+      }
+    }
+    if (datasets.length === 0) {
+      return { success: false, inserted: 0, updated: 0, error: "seed apply: no readable seed bodies", errors: readErrors };
+    }
+    const { SeedLoaderService: SeedLoaderService2 } = await Promise.resolve().then(() => (init_seed_loader(), seed_loader_exports));
+    const { SeedLoaderRequestSchema } = await import("@objectstack/spec/data");
+    const loader = new SeedLoaderService2(ql, metadata, this.logger ?? console);
+    const request = SeedLoaderRequestSchema.parse({
+      seeds: datasets,
+      config: {
+        defaultMode: "upsert",
+        multiPass: true,
+        ...organizationId ? { organizationId } : {}
+      }
+    });
+    const r = await loader.load(request);
+    return {
+      success: r.success,
+      inserted: r.summary.totalInserted,
+      updated: r.summary.totalUpdated,
+      errors: [...readErrors, ...r.errors ?? []]
+    };
+  }
   /**
    * Resolve the calling user id from the request session, if any.
    * Returns `undefined` for anonymous calls or when auth is not wired up.
@@ -4643,6 +4824,12 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (cleanPath.startsWith("/data")) {
         return this.handleData(cleanPath.substring(5), method, body, query, context);
       }
+      if (cleanPath === "/mcp" || cleanPath.startsWith("/mcp/") || cleanPath.startsWith("/mcp?")) {
+        return this.handleMcp(body, context);
+      }
+      if (cleanPath === "/keys" || cleanPath.startsWith("/keys/") || cleanPath.startsWith("/keys?")) {
+        return this.handleKeys(method, body, context);
+      }
       if (cleanPath.startsWith("/graphql")) {
         if (method === "POST") return this.handleGraphQL(body, context);
       }
@@ -5355,6 +5542,28 @@ function createDispatcherPlugin(config = {}) {
           errorResponse(err, res);
         }
       });
+      const mountMcp = (method) => {
+        const register = method === "GET" ? server.get : method === "DELETE" ? server.delete : server.post;
+        register.call(server, `${prefix}/mcp`, async (req, res) => {
+          try {
+            const result = await dispatcher.dispatch(method, "/mcp", req.body, req.query, { request: req });
+            sendResult(result, res);
+          } catch (err) {
+            errorResponse(err, res);
+          }
+        });
+      };
+      mountMcp("POST");
+      mountMcp("GET");
+      mountMcp("DELETE");
+      server.post(`${prefix}/keys`, async (req, res) => {
+        try {
+          const result = await dispatcher.dispatch("POST", "/keys", req.body, req.query, { request: req });
+          sendResult(result, res);
+        } catch (err) {
+          errorResponse(err, res);
+        }
+      });
       server.get(`${prefix}/packages`, async (req, res) => {
         try {
           const result = await dispatcher.handlePackages("", "GET", {}, req.query, { request: req });
@@ -6000,1591 +6209,44 @@ var MiddlewareManager = class {
 // src/index.ts
 init_load_artifact_bundle();
 
-// src/cloud/kernel-manager.ts
-var KernelManager = class {
-  constructor(config) {
-    this.cache = /* @__PURE__ */ new Map();
-    this.pending = /* @__PURE__ */ new Map();
-    this.factory = config.factory;
-    this.maxSize = config.maxSize ?? 32;
-    this.ttlMs = config.ttlMs ?? 15 * 60 * 1e3;
-    this.logger = config.logger ?? console;
-    this.freshnessProbe = config.freshnessProbe;
-    this.staleCheckIntervalMs = config.staleCheckIntervalMs ?? 1e4;
-  }
-  /** Returns the currently cached environmentIds (ordered by insertion). */
-  keys() {
-    return Array.from(this.cache.keys());
-  }
-  /** Cache size for diagnostics. */
-  get size() {
-    return this.cache.size;
+// src/cloud/cloud-url.ts
+var DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
+function resolveCloudUrl(explicit) {
+  const raw = (explicit ?? process.env.OS_CLOUD_URL ?? "").trim();
+  const lower = raw.toLowerCase();
+  if (lower === "off" || lower === "none" || lower === "local" || lower === "disabled") {
+    return "";
   }
-  /**
-   * Resolve or construct the kernel for `environmentId`.
-   *
-   * - Cache hit (fresh): bumps `lastAccess` and returns immediately.
-   * - Cache hit (TTL expired): evicts then falls through to factory.
-   * - Cache miss: dedupes concurrent callers through `pending`.
-   */
-  async getOrCreate(environmentId) {
-    const existing = this.cache.get(environmentId);
-    if (existing) {
-      if (this.ttlMs > 0 && Date.now() - existing.lastAccess > this.ttlMs) {
-        await this.evict(environmentId);
-      } else {
-        if (this.freshnessProbe) {
-          const now = Date.now();
-          if (now - existing.lastStaleCheckAt >= this.staleCheckIntervalMs) {
-            existing.lastStaleCheckAt = now;
-            let stale = false;
-            try {
-              stale = await this.freshnessProbe(environmentId, existing.createdAt);
-            } catch (err) {
-              this.logger.warn?.("[KernelManager] freshness probe failed", { environmentId, err });
-            }
-            if (stale) {
-              this.logger.info?.("[KernelManager] kernel evicted by freshness probe", { environmentId });
-              await this.evict(environmentId);
-            } else {
-              existing.lastAccess = Date.now();
-              return existing.kernel;
-            }
-          } else {
-            existing.lastAccess = Date.now();
-            return existing.kernel;
-          }
-        } else {
-          existing.lastAccess = Date.now();
-          return existing.kernel;
-        }
-      }
-    }
-    const inflight = this.pending.get(environmentId);
-    if (inflight) return inflight;
-    const promise = (async () => {
-      const kernel = await this.factory.create(environmentId);
-      const now = Date.now();
-      this.cache.set(environmentId, { kernel, createdAt: now, lastAccess: now, lastStaleCheckAt: now });
-      await this.enforceMaxSize();
-      return kernel;
-    })();
-    this.pending.set(environmentId, promise);
-    try {
-      return await promise;
-    } finally {
-      this.pending.delete(environmentId);
-    }
+  const picked = raw || DEFAULT_CLOUD_URL;
+  return picked.replace(/\/+$/, "");
+}
+
+// src/cloud/marketplace-public-url.ts
+function resolveMarketplacePublicBaseUrl(explicit) {
+  const raw = (explicit ?? process.env.OS_MARKETPLACE_PUBLIC_BASE_URL ?? "").trim();
+  const lower = raw.toLowerCase();
+  if (!raw || lower === "off" || lower === "none" || lower === "disabled" || lower === "false") {
+    return "";
   }
-  /**
-   * Evict the kernel for `environmentId` and invoke `kernel.shutdown()`.
-   * No-op when the entry is absent.
-   */
-  async evict(environmentId) {
-    const entry = this.cache.get(environmentId);
-    if (!entry) return;
-    this.cache.delete(environmentId);
-    try {
-      await entry.kernel.shutdown();
-    } catch (err) {
-      this.logger.error?.("[KernelManager] shutdown failed", { environmentId, err });
-    }
+  return raw.replace(/\/+$/, "");
+}
+function publicMarketplaceKeyForApiPath(pathname) {
+  const prefix = "/api/v1/marketplace/packages";
+  if (pathname === prefix) return "packages.json";
+  if (!pathname.startsWith(`${prefix}/`)) return null;
+  const tail = pathname.slice(prefix.length + 1);
+  if (!tail) return null;
+  const parts = tail.split("/");
+  if (parts.length === 1) {
+    const id = decodeURIComponent(parts[0] ?? "");
+    if (!id) return null;
+    return `packages/${encodeURIComponent(id)}.json`;
   }
-  /** Evict all resident kernels. Used on runtime shutdown. */
-  async evictAll() {
-    const ids = Array.from(this.cache.keys());
-    await Promise.all(ids.map((id) => this.evict(id)));
-  }
-  async enforceMaxSize() {
-    while (this.cache.size > this.maxSize) {
-      let oldestKey;
-      let oldestAccess = Infinity;
-      for (const [key, entry] of this.cache) {
-        if (entry.lastAccess < oldestAccess) {
-          oldestAccess = entry.lastAccess;
-          oldestKey = key;
-        }
-      }
-      if (!oldestKey) return;
-      await this.evict(oldestKey);
-    }
-  }
-};
-
-// src/cloud/artifact-api-client.ts
-var ArtifactApiClient = class {
-  constructor(config) {
-    this.hostnameCache = /* @__PURE__ */ new Map();
-    this.artifactCache = /* @__PURE__ */ new Map();
-    this.pendingHostname = /* @__PURE__ */ new Map();
-    this.pendingArtifact = /* @__PURE__ */ new Map();
-    if (!config.controlPlaneUrl) {
-      throw new Error("[ArtifactApiClient] controlPlaneUrl is required");
-    }
-    this.base = config.controlPlaneUrl.replace(/\/+$/, "");
-    this.apiKey = config.apiKey;
-    this.cacheTtlMs = config.cacheTtlMs ?? 5 * 60 * 1e3;
-    this.requestTimeoutMs = config.requestTimeoutMs ?? 1e4;
-    this.fetchImpl = config.fetch ?? globalThis.fetch;
-    this.logger = config.logger ?? console;
-    if (typeof this.fetchImpl !== "function") {
-      throw new Error("[ArtifactApiClient] global fetch is not available \u2014 provide config.fetch");
-    }
-  }
-  /**
-   * Resolve a hostname to its project. Returns `null` on 404 or
-   * malformed responses. Errors (network / 5xx) are thrown so
-   * upstream callers can retry.
-   */
-  async resolveHostname(host) {
-    const cached = this.hostnameCache.get(host);
-    if (cached && cached.expiresAt > Date.now()) return cached.value;
-    const inflight = this.pendingHostname.get(host);
-    if (inflight) return inflight;
-    const promise = (async () => {
-      try {
-        const url = `${this.base}/api/v1/cloud/resolve-hostname?host=${encodeURIComponent(host)}`;
-        const res = await this.request(url);
-        if (res === null) return null;
-        const body = res.success === false ? null : res.data ?? res;
-        if (!body || typeof body.environmentId !== "string" || !body.environmentId) return null;
-        const value = {
-          environmentId: body.environmentId,
-          organizationId: body.organizationId,
-          runtime: body.runtime
-        };
-        this.hostnameCache.set(host, { value, expiresAt: Date.now() + this.cacheTtlMs });
-        return value;
-      } finally {
-        this.pendingHostname.delete(host);
-      }
-    })();
-    this.pendingHostname.set(host, promise);
-    return promise;
-  }
-  /**
-   * Fetch the compiled artifact for a project.
-   *
-   * When `opts.commit` is set, requests that specific revision via the
-   * existing `?commit=` query param. Different commits are cached
-   * independently (the cache key includes the commit id) so the preview
-   * runtime can hold multiple versions in memory simultaneously.
-   */
-  async fetchArtifact(environmentId, opts) {
-    const commit = opts?.commit?.trim() || "";
-    const cacheKey = commit ? `${environmentId}@${commit}` : environmentId;
-    const cached = this.artifactCache.get(cacheKey);
-    if (cached && cached.expiresAt > Date.now()) return cached.value;
-    const inflight = this.pendingArtifact.get(cacheKey);
-    if (inflight) return inflight;
-    const promise = (async () => {
-      try {
-        const qs = commit ? `?commit=${encodeURIComponent(commit)}` : "";
-        const url = `${this.base}/api/v1/cloud/environments/${encodeURIComponent(environmentId)}/artifact${qs}`;
-        const res = await this.request(url);
-        if (res === null) return null;
-        const body = res.success === false ? null : res.data ?? res;
-        if (!body || typeof body !== "object") return null;
-        if (!body.metadata) {
-          this.logger.warn?.("[ArtifactApiClient] artifact response missing `metadata`", { environmentId, commit });
-          return null;
-        }
-        const value = body;
-        this.artifactCache.set(cacheKey, { value, expiresAt: Date.now() + this.cacheTtlMs });
-        return value;
-      } finally {
-        this.pendingArtifact.delete(cacheKey);
-      }
-    })();
-    this.pendingArtifact.set(cacheKey, promise);
-    return promise;
-  }
-  /**
-   * Resolve an 8-hex project short id (first 8 hex chars of the UUID,
-   * dashes stripped) to the full environmentId. Used by the preview
-   * runtime, which encodes project ids in subdomains.
-   *
-   * Returns `null` on 404 or ambiguity (the control plane returns 409
-   * if the prefix matches more than one project).
-   */
-  async lookupProjectByShortId(shortId) {
-    const short = String(shortId ?? "").trim().toLowerCase();
-    if (!/^[0-9a-f]{8,}$/.test(short)) return null;
-    const url = `${this.base}/api/v1/cloud/environments-by-short-id/${encodeURIComponent(short)}`;
-    const res = await this.request(url);
-    if (res === null) return null;
-    const body = res.success === false ? null : res.data ?? res;
-    if (!body || typeof body.environmentId !== "string" || !body.environmentId) return null;
-    return { environmentId: body.environmentId, organizationId: body.organizationId };
-  }
-  /**
-   * Fetch the head commit of a branch. Returns the commit id (and the
-   * matching revision row's `published_at` for cache-validity checks).
-   * Reuses the existing `GET /cloud/environments/:id/branches` endpoint.
-   */
-  async fetchBranchHead(environmentId, branchName) {
-    const url = `${this.base}/api/v1/cloud/environments/${encodeURIComponent(environmentId)}/branches`;
-    const res = await this.request(url);
-    if (res === null) return null;
-    const body = res.success === false ? null : res.data ?? res;
-    const branches = Array.isArray(body?.branches) ? body.branches : [];
-    const target = String(branchName ?? "").trim().toLowerCase();
-    const found = branches.find((b) => String(b?.branch ?? "").toLowerCase() === target);
-    if (!found?.headCommitId) return null;
-    return { commitId: String(found.headCommitId), publishedAt: found.headPublishedAt ?? null };
-  }
-  /**
-   * Cheap freshness probe — returns the env's `last_published_at`
-   * (and best-effort current commit) without rebuilding the artifact.
-   * Used by `KernelManager` on cache hits to detect when a per-env
-   * kernel has been invalidated by an upstream change (marketplace
-   * install/uninstall, artifact publish) so it can be rebuilt
-   * without waiting for the 15-minute LRU TTL to expire.
-   *
-   * Returns `null` on definitive 404 / unknown env. Errors propagate
-   * (caller decides whether to treat unreachable cloud as fresh or
-   * stale — typically fresh, so a brief outage doesn't churn every
-   * cached kernel).
-   */
-  async getFreshness(environmentId) {
-    const url = `${this.base}/api/v1/cloud/environments/${encodeURIComponent(environmentId)}/freshness`;
-    const res = await this.request(url);
-    if (res === null) return null;
-    const body = res.success === false ? null : res.data ?? res;
-    if (!body || typeof body !== "object") return null;
-    const envId = typeof body.environmentId === "string" ? body.environmentId : environmentId;
-    const lastPublishedAt = typeof body.lastPublishedAt === "string" ? body.lastPublishedAt : null;
-    const commitId = typeof body.commitId === "string" ? body.commitId : null;
-    return { environmentId: envId, lastPublishedAt, commitId };
-  }
-  /** Drop cached entries for a project (and any matching hostname). */
-  invalidate(environmentId) {
-    this.artifactCache.delete(environmentId);
-    const prefix = `${environmentId}@`;
-    for (const key of Array.from(this.artifactCache.keys())) {
-      if (key.startsWith(prefix)) this.artifactCache.delete(key);
-    }
-    for (const [host, entry] of this.hostnameCache) {
-      if (entry.value.environmentId === environmentId) this.hostnameCache.delete(host);
-    }
-  }
-  /** Drop everything. Used on shutdown / hot-reload. */
-  clear() {
-    this.hostnameCache.clear();
-    this.artifactCache.clear();
-  }
-  async request(url) {
-    const controller = typeof AbortController !== "undefined" ? new AbortController() : null;
-    const timer = controller ? setTimeout(() => controller.abort(), this.requestTimeoutMs) : null;
-    try {
-      const res = await this.fetchImpl(url, {
-        method: "GET",
-        headers: this.buildHeaders(),
-        signal: controller?.signal
-      });
-      if (res.status === 404) return null;
-      if (!res.ok) {
-        throw new Error(`[ArtifactApiClient] ${url} \u2192 HTTP ${res.status}`);
-      }
-      return await res.json();
-    } finally {
-      if (timer) clearTimeout(timer);
-    }
-  }
-  buildHeaders() {
-    const headers = {
-      "accept": "application/json",
-      "user-agent": "objectos-runtime"
-    };
-    if (this.apiKey) headers["authorization"] = `Bearer ${this.apiKey}`;
-    return headers;
-  }
-};
-
-// src/cloud/artifact-environment-registry.ts
-import { resolve as resolvePathNode } from "path";
-var ArtifactEnvironmentRegistry = class {
-  constructor(config) {
-    this.hostnameCache = /* @__PURE__ */ new Map();
-    this.idCache = /* @__PURE__ */ new Map();
-    this.pending = /* @__PURE__ */ new Map();
-    this.client = config.client;
-    this.cacheTTL = config.cacheTtlMs ?? 5 * 60 * 1e3;
-    this.logger = config.logger ?? console;
-  }
-  async resolveByHostname(host) {
-    const cached = this.hostnameCache.get(host);
-    if (cached && cached.expiresAt > Date.now()) {
-      return { environmentId: cached.environmentId, driver: cached.driver };
-    }
-    const key = `host:${host}`;
-    const inflight = this.pending.get(key);
-    if (inflight) {
-      const result = await inflight;
-      return result ? { environmentId: result.environmentId, driver: result.driver } : null;
-    }
-    const promise = (async () => {
-      try {
-        const resolved = await this.client.resolveHostname(host);
-        if (!resolved) return null;
-        const entry2 = await this.buildCacheEntry(resolved.environmentId, resolved.runtime, resolved.organizationId, host);
-        if (!entry2) return null;
-        this.hostnameCache.set(host, entry2);
-        this.idCache.set(entry2.environmentId, entry2);
-        return entry2;
-      } catch (err) {
-        this.logger.error?.("[ArtifactEnvironmentRegistry] resolveByHostname failed", {
-          host,
-          error: err?.message ?? err
-        });
-        return null;
-      } finally {
-        this.pending.delete(key);
-      }
-    })();
-    this.pending.set(key, promise);
-    const entry = await promise;
-    return entry ? { environmentId: entry.environmentId, driver: entry.driver } : null;
-  }
-  async resolveById(environmentId) {
-    const cached = this.idCache.get(environmentId);
-    if (cached && cached.expiresAt > Date.now()) return cached.driver;
-    const key = `id:${environmentId}`;
-    const inflight = this.pending.get(key);
-    if (inflight) {
-      const result = await inflight;
-      return result?.driver ?? null;
-    }
-    const promise = (async () => {
-      try {
-        const entry2 = await this.buildCacheEntry(environmentId, void 0, void 0, void 0);
-        if (!entry2) return null;
-        this.idCache.set(environmentId, entry2);
-        if (entry2.project?.hostname) this.hostnameCache.set(entry2.project.hostname, entry2);
-        return entry2;
-      } catch (err) {
-        this.logger.error?.("[ArtifactEnvironmentRegistry] resolveById failed", {
-          environmentId,
-          error: err?.message ?? err
-        });
-        return null;
-      } finally {
-        this.pending.delete(key);
-      }
-    })();
-    this.pending.set(key, promise);
-    const entry = await promise;
-    return entry?.driver ?? null;
-  }
-  peekById(environmentId) {
-    const cached = this.idCache.get(environmentId);
-    if (cached && cached.expiresAt > Date.now()) {
-      return { environmentId: cached.environmentId, driver: cached.driver, project: cached.project };
-    }
-    return null;
-  }
-  invalidate(environmentId) {
-    this.idCache.delete(environmentId);
-    for (const [host, entry] of this.hostnameCache) {
-      if (entry.environmentId === environmentId) this.hostnameCache.delete(host);
-    }
-    this.client.invalidate(environmentId);
-  }
-  async buildCacheEntry(environmentId, runtimeFromHostname, orgIdFromHostname, hostname) {
-    let runtime = runtimeFromHostname;
-    let organizationId = orgIdFromHostname;
-    let host = hostname;
-    let artifactProjectId = environmentId;
-    if (!runtime || !organizationId) {
-      const artifact = await this.client.fetchArtifact(environmentId);
-      if (!artifact) {
-        this.logger.warn?.("[ArtifactEnvironmentRegistry] artifact not found", { environmentId });
-        return null;
-      }
-      artifactProjectId = artifact.environmentId ?? environmentId;
-      if (!runtime) runtime = artifact.runtime ?? extractRuntimeFromMetadata(artifact.metadata);
-      if (!organizationId) organizationId = artifact.runtime?.organizationId;
-      if (!host) host = artifact.runtime?.hostname;
-    }
-    if (!runtime || !runtime.databaseUrl || !runtime.databaseDriver) {
-      this.logger.warn?.("[ArtifactEnvironmentRegistry] no runtime config for project", { environmentId });
-      return null;
-    }
-    const driver = await createDriver(runtime.databaseDriver, runtime.databaseUrl, runtime.databaseAuthToken ?? "");
-    const projectRow = {
-      id: artifactProjectId,
-      organization_id: organizationId,
-      hostname: host,
-      database_url: runtime.databaseUrl,
-      database_driver: runtime.databaseDriver,
-      metadata: runtime.metadata
-    };
-    return {
-      environmentId: artifactProjectId,
-      driver,
-      project: projectRow,
-      expiresAt: Date.now() + this.cacheTTL
-    };
-  }
-};
-function extractRuntimeFromMetadata(metadata) {
-  const datasources = metadata?.datasources;
-  if (!Array.isArray(datasources) || datasources.length === 0) return void 0;
-  const mapping = metadata?.datasourceMapping;
-  let preferredName;
-  if (mapping) {
-    const def = mapping.find((m) => m?.default === true);
-    if (def?.datasource) preferredName = def.datasource;
-  }
-  const ds = preferredName ? datasources.find((d) => d?.name === preferredName) : datasources[0];
-  if (!ds || typeof ds !== "object") return void 0;
-  const config = ds.config ?? {};
-  const url = config.url ?? config.connectionString ?? config.connection ?? config.filename;
-  const driver = ds.driver;
-  if (typeof driver !== "string" || typeof url !== "string") return void 0;
-  return {
-    databaseDriver: driver,
-    databaseUrl: url,
-    databaseAuthToken: typeof config.authToken === "string" ? config.authToken : void 0
-  };
-}
-async function createDriver(driverType, databaseUrl, authToken) {
-  switch (driverType) {
-    case "libsql":
-    case "turso": {
-      let TursoDriver;
-      try {
-        ({ TursoDriver } = await import("@objectstack/driver-turso"));
-      } catch (primaryErr) {
-        try {
-          const { createRequire } = await import("module");
-          const path = await import("path");
-          const url = await import("url");
-          const hostRequire = createRequire(path.join(process.cwd(), "noop.js"));
-          const resolved = hostRequire.resolve("@objectstack/driver-turso");
-          ({ TursoDriver } = await import(url.pathToFileURL(resolved).href));
-        } catch (fallbackErr) {
-          throw new Error(
-            `[ArtifactEnvironmentRegistry] libsql/turso driver requested but @objectstack/driver-turso is not resolvable. Install it from the cloud monorepo (cloud/packages/driver-turso) or via npm. (primary: ${primaryErr?.message ?? primaryErr}; fallback: ${fallbackErr?.message ?? fallbackErr})`
-          );
-        }
-      }
-      return new TursoDriver({ url: databaseUrl, authToken });
-    }
-    case "memory": {
-      const { InMemoryDriver } = await import("@objectstack/driver-memory");
-      const dbName = databaseUrl.replace(/^memory:\/\//, "").trim();
-      const filePath = dbName ? resolvePathNode(process.cwd(), ".objectstack/data/projects", `${dbName}.json`) : void 0;
-      return new InMemoryDriver({
-        persistence: filePath ? { type: "file", path: filePath } : "file"
-      });
-    }
-    case "sqlite":
-    case "sql": {
-      const filePath = databaseUrl.replace(/^file:/, "").replace(/^sql:\/\//, "");
-      const { SqlDriver } = await import("@objectstack/driver-sql");
-      return new SqlDriver({
-        client: "better-sqlite3",
-        connection: { filename: filePath },
-        useNullAsDefault: true
-      });
-    }
-    case "postgres":
-    case "postgresql":
-    case "pg": {
-      const { SqlDriver } = await import("@objectstack/driver-sql");
-      return new SqlDriver({
-        client: "pg",
-        connection: databaseUrl,
-        pool: { min: 0, max: 5 }
-      });
-    }
-    case "mongodb":
-    case "mongo": {
-      const { MongoDBDriver } = await import("@objectstack/driver-mongodb");
-      return new MongoDBDriver({ url: databaseUrl });
-    }
-    default:
-      throw new Error(`[ArtifactEnvironmentRegistry] Unsupported driver type: ${driverType}`);
-  }
-}
-
-// src/cloud/artifact-kernel-factory.ts
-init_driver_plugin();
-init_app_plugin();
-import { createHmac as createHmac2 } from "crypto";
-import { ObjectKernel as ObjectKernel3 } from "@objectstack/core";
-import { readEnvWithDeprecation as readEnvWithDeprecation3 } from "@objectstack/types";
-
-// src/cloud/capability-loader.ts
-var CAPABILITY_PROVIDERS = {
-  automation: {
-    // Self-contained: AutomationServicePlugin seeds all built-in node
-    // executors itself (ADR-0018), so no companion node-pack plugins.
-    pkg: "@objectstack/service-automation",
-    export: "AutomationServicePlugin"
-  },
-  ai: {
-    pkg: "@objectstack/service-ai",
-    export: "AIServicePlugin"
-  },
-  analytics: {
-    pkg: "@objectstack/service-analytics",
-    export: "AnalyticsServicePlugin",
-    configKey: "analyticsCubes"
-  },
-  audit: {
-    pkg: "@objectstack/plugin-audit",
-    export: "AuditPlugin"
-  },
-  cache: {
-    pkg: "@objectstack/service-cache",
-    export: "CacheServicePlugin"
-  },
-  storage: {
-    pkg: "@objectstack/service-storage",
-    export: "StorageServicePlugin"
-  },
-  queue: {
-    pkg: "@objectstack/service-queue",
-    export: "QueueServicePlugin"
-  },
-  job: {
-    pkg: "@objectstack/service-job",
-    export: "JobServicePlugin"
-  },
-  messaging: {
-    // Backs the `notify` flow node (ADR-0012): delivers to a user's
-    // channels (inbox by default → `sys_inbox_message` rows).
-    pkg: "@objectstack/service-messaging",
-    export: "MessagingServicePlugin"
-  },
-  triggers: {
-    // Concrete flow triggers — record-change (ObjectQL hooks) + schedule
-    // (cron/interval via the job service; pair `triggers` with `job`).
-    pkg: "@objectstack/plugin-trigger-record-change",
-    export: "RecordChangeTriggerPlugin",
-    extras: [{ pkg: "@objectstack/plugin-trigger-schedule", export: "ScheduleTriggerPlugin" }]
-  },
-  realtime: {
-    pkg: "@objectstack/service-realtime",
-    export: "RealtimeServicePlugin"
-  },
-  feed: {
-    pkg: "@objectstack/service-feed",
-    export: "FeedServicePlugin"
-  },
-  settings: {
-    pkg: "@objectstack/service-settings",
-    export: "SettingsServicePlugin"
-  }
-};
-async function loadCapabilities(opts) {
-  const { kernel, requires, bundle, environmentId } = opts;
-  const logger = opts.logger ?? console;
-  const installed = [];
-  const resolved = [...new Set(requires)];
-  if (resolved.includes("audit") && !resolved.includes("messaging")) {
-    resolved.push("messaging");
-  }
-  for (const cap of resolved) {
-    const spec = CAPABILITY_PROVIDERS[cap];
-    if (!spec) {
-      continue;
-    }
-    try {
-      const mod = await import(
-        /* webpackIgnore: true */
-        spec.pkg
-      );
-      const Ctor = mod[spec.export];
-      if (!Ctor) {
-        logger.warn?.(
-          `[CapabilityLoader] '${cap}': package '${spec.pkg}' did not export '${spec.export}'`,
-          { environmentId }
-        );
-        continue;
-      }
-      let arg;
-      if (spec.configKey) {
-        const v = bundle[spec.configKey];
-        if (spec.configKey === "analyticsCubes") {
-          arg = { cubes: Array.isArray(v) ? v : [] };
-        } else if (v !== void 0) {
-          arg = v;
-        }
-      }
-      await kernel.use(arg !== void 0 ? new Ctor(arg) : new Ctor());
-      installed.push(spec.export);
-      if (spec.extras) {
-        for (const ex of spec.extras) {
-          try {
-            const exMod = await import(
-              /* webpackIgnore: true */
-              ex.pkg
-            );
-            const ExCtor = exMod[ex.export];
-            if (ExCtor) {
-              await kernel.use(new ExCtor());
-              installed.push(ex.export);
-            }
-          } catch {
-          }
-        }
-      }
-      logger.info?.(
-        `[CapabilityLoader] '${cap}' installed (${spec.export}${spec.extras ? " + " + spec.extras.length + " extras" : ""})`,
-        { environmentId }
-      );
-    } catch (err) {
-      const msg = err?.message ?? String(err);
-      if (msg.includes("Cannot find module") || msg.includes("ERR_MODULE_NOT_FOUND")) {
-        logger.warn?.(
-          `[CapabilityLoader] '${cap}' requested but '${spec.pkg}' not installed in host \u2014 skipped`,
-          { environmentId }
-        );
-      } else {
-        logger.error?.(
-          `[CapabilityLoader] '${cap}' load failed: ${msg}`,
-          { environmentId }
-        );
-      }
-    }
-  }
-  return installed;
-}
-
-// src/cloud/platform-sso.ts
-import { createHmac, createHash } from "crypto";
-var PLATFORM_SSO_PROVIDER_ID = "objectstack-cloud";
-function derivePlatformSsoClientId(environmentId) {
-  return `project_${environmentId}`;
-}
-function derivePlatformSsoClientSecret(baseSecret, environmentId) {
-  return createHmac("sha256", baseSecret).update(`oauth-client:${environmentId}`).digest("hex");
-}
-function hashPlatformSsoClientSecret(plaintext) {
-  return createHash("sha256").update(plaintext).digest("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function buildPlatformSsoRedirectUri(hostname, basePath = "/api/v1/auth") {
-  let host;
-  if (hostname.startsWith("http://") || hostname.startsWith("https://")) {
-    host = hostname;
-  } else if (/(\.|^)localhost(:\d+)?$/i.test(hostname)) {
-    const port = (process.env.OS_RUNTIME_PORT ?? "").trim();
-    const hostWithPort = /:\d+$/.test(hostname) || !port ? hostname : `${hostname}:${port}`;
-    host = `http://${hostWithPort}`;
-  } else {
-    host = `https://${hostname}`;
-  }
-  const trimmed = host.replace(/\/+$/, "");
-  const path = basePath.replace(/\/+$/, "");
-  return `${trimmed}${path}/oauth2/callback/${PLATFORM_SSO_PROVIDER_ID}`;
-}
-async function seedPlatformSsoClient(opts) {
-  const { ql, environmentId, hostname, baseSecret, logger, throwOnError } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] OS_AUTH_SECRET not set \u2014 skipping client seed", { environmentId });
-    return;
-  }
-  const clientId = derivePlatformSsoClientId(environmentId);
-  const clientSecretPlaintext = derivePlatformSsoClientSecret(baseSecret, environmentId);
-  const clientSecretStored = hashPlatformSsoClientSecret(clientSecretPlaintext);
-  const desiredRedirect = hostname ? buildPlatformSsoRedirectUri(hostname) : null;
-  let existing = null;
-  try {
-    const rows = await ql.find("sys_oauth_application", {
-      where: { client_id: clientId },
-      limit: 1
-    }, { context: { isSystem: true } });
-    const list = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-    existing = list[0] ?? null;
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application read failed \u2014 skipping seed", {
-      environmentId,
-      error: err?.message
-    });
-    return;
-  }
-  const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-  if (!existing) {
-    const redirects = desiredRedirect ? [desiredRedirect] : [];
-    try {
-      await ql.insert("sys_oauth_application", {
-        id: `oauthc_${environmentId}`,
-        name: `Project ${environmentId}`,
-        client_id: clientId,
-        client_secret: clientSecretStored,
-        type: "web",
-        redirect_uris: JSON.stringify(redirects),
-        grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-        response_types: JSON.stringify(["code"]),
-        scopes: JSON.stringify(["openid", "email", "profile"]),
-        token_endpoint_auth_method: "client_secret_basic",
-        require_pkce: false,
-        skip_consent: true,
-        disabled: false,
-        subject_type: "public",
-        created_at: nowIso,
-        updated_at: nowIso
-      }, { context: { isSystem: true } });
-      logger?.info?.("[platform-sso] sys_oauth_application row created", { environmentId, clientId });
-    } catch (err) {
-      logger?.warn?.("[platform-sso] sys_oauth_application create failed", {
-        environmentId,
-        error: err?.message
-      });
-      if (throwOnError) throw err;
-    }
-    return;
-  }
-  let currentRedirects = [];
-  try {
-    const raw = existing.redirect_uris;
-    const parsed = typeof raw === "string" ? JSON.parse(raw) : raw;
-    if (Array.isArray(parsed)) currentRedirects = parsed.filter((s) => typeof s === "string");
-  } catch {
-  }
-  const mergedRedirects = desiredRedirect && !currentRedirects.includes(desiredRedirect) ? [...currentRedirects, desiredRedirect] : currentRedirects;
-  const repairPatch = {
-    name: existing.name || `Project ${environmentId}`,
-    client_secret: clientSecretStored,
-    type: existing.type || "web",
-    redirect_uris: JSON.stringify(mergedRedirects),
-    grant_types: JSON.stringify(["authorization_code", "refresh_token"]),
-    response_types: JSON.stringify(["code"]),
-    scopes: JSON.stringify(["openid", "email", "profile"]),
-    token_endpoint_auth_method: "client_secret_basic",
-    require_pkce: false,
-    skip_consent: true,
-    disabled: false,
-    subject_type: "public",
-    updated_at: nowIso
-  };
-  try {
-    await ql.update(
-      "sys_oauth_application",
-      repairPatch,
-      { where: { id: existing.id } },
-      { context: { isSystem: true } }
-    );
-    logger?.info?.("[platform-sso] sys_oauth_application repaired", {
-      environmentId,
-      clientId,
-      redirect_uris: mergedRedirects
-    });
-  } catch (err) {
-    logger?.warn?.("[platform-sso] sys_oauth_application repair failed", {
-      environmentId,
-      error: err?.message
-    });
-    if (throwOnError) throw err;
-  }
-}
-async function backfillPlatformSsoClients(opts) {
-  const { ql, baseSecret, logger, limit = 1e3 } = opts;
-  if (!baseSecret) {
-    logger?.warn?.("[platform-sso] backfill skipped \u2014 OS_AUTH_SECRET not set");
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [] };
-  }
-  let projects = [];
-  try {
-    const rows = await ql.find("sys_environment", {
-      limit,
-      fields: ["id", "hostname", "status"]
-    }, { context: { isSystem: true } });
-    projects = Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
-  } catch (err) {
-    logger?.warn?.("[platform-sso] backfill: sys_environment read failed", {
-      error: err?.message
-    });
-    return { scanned: 0, seeded: 0, alreadyExisted: 0, failures: [{ environmentId: "<scan>", error: err?.message ?? String(err) }] };
-  }
-  let seeded = 0;
-  let alreadyExisted = 0;
-  const failures = [];
-  for (const p of projects) {
-    if (!p?.id) continue;
-    const before = await (async () => {
-      try {
-        const r = await ql.find("sys_oauth_application", {
-          where: { client_id: derivePlatformSsoClientId(p.id) },
-          limit: 1
-        }, { context: { isSystem: true } });
-        const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-        return list[0] ?? null;
-      } catch {
-        return null;
-      }
-    })();
-    try {
-      await seedPlatformSsoClient({ ql, environmentId: p.id, hostname: p.hostname, baseSecret, logger, throwOnError: true });
-      if (before) alreadyExisted++;
-      else {
-        const after = await (async () => {
-          try {
-            const r = await ql.find("sys_oauth_application", {
-              where: { client_id: derivePlatformSsoClientId(p.id) },
-              limit: 1
-            }, { context: { isSystem: true } });
-            const list = Array.isArray(r) ? r : Array.isArray(r?.records) ? r.records : [];
-            return list[0] ?? null;
-          } catch (err) {
-            return { _readErr: err?.message };
-          }
-        })();
-        if (after && !after._readErr) seeded++;
-        else failures.push({ environmentId: p.id, error: `post-insert read returned ${after ? JSON.stringify(after) : "null"}` });
-      }
-    } catch (err) {
-      failures.push({ environmentId: p.id, error: err?.message ?? String(err) });
-    }
-  }
-  logger?.info?.("[platform-sso] backfill complete", { scanned: projects.length, seeded, alreadyExisted, failures: failures.length });
-  return { scanned: projects.length, seeded, alreadyExisted, failures };
-}
-
-// src/cloud/artifact-kernel-factory.ts
-function deriveProjectAuthSecret(baseSecret, environmentId) {
-  return createHmac2("sha256", baseSecret).update(`project:${environmentId}`).digest("hex");
-}
-var ArtifactKernelFactory = class {
-  constructor(config) {
-    this.client = config.client;
-    this.envRegistry = config.envRegistry;
-    this.logger = config.logger ?? console;
-    this.kernelConfig = config.kernelConfig;
-    this.authBaseSecret = (config.authBaseSecret ?? readEnvWithDeprecation3("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]) ?? "").trim();
-  }
-  async create(environmentId) {
-    let cached = this.envRegistry.peekById(environmentId);
-    if (!cached) {
-      const driver2 = await this.envRegistry.resolveById(environmentId);
-      if (!driver2) {
-        throw new Error(`[ArtifactKernelFactory] Could not resolve driver for project '${environmentId}'`);
-      }
-      cached = this.envRegistry.peekById(environmentId);
-      if (!cached) {
-        throw new Error(`[ArtifactKernelFactory] envRegistry returned a driver but no cached entry for '${environmentId}'`);
-      }
-    }
-    const driver = cached.driver;
-    const project = cached.project;
-    const artifact = await this.client.fetchArtifact(environmentId);
-    if (!artifact) {
-      throw new Error(`[ArtifactKernelFactory] Artifact not available for project '${environmentId}'`);
-    }
-    const { ObjectQLPlugin } = await import("@objectstack/objectql");
-    const { MetadataPlugin } = await import("@objectstack/metadata");
-    const kernel = new ObjectKernel3(this.kernelConfig);
-    await kernel.use(new DriverPlugin(driver, { datasourceName: "cloud" }));
-    await kernel.use(new ObjectQLPlugin({ environmentId, skipSchemaSync: false }));
-    await kernel.use(new MetadataPlugin({
-      watch: false,
-      environmentId,
-      organizationId: project.organization_id,
-      // ADR-0005: customization overlays (user-created views, dashboards,
-      // edited objects, ...) are persisted by
-      // ObjectStackProtocolImplementation.saveMetaItem on whichever
-      // engine the protocol is attached to. For per-project kernels that
-      // means the project's own DB, so the sys_metadata + history tables
-      // MUST be provisioned here. The previous `false` setting caused
-      // "no such table: sys_metadata" errors on any PUT /api/v1/meta/*
-      // call (e.g. Studio "Create View") against a project deployment.
-      registerSystemObjects: true
-    }));
-    if (this.authBaseSecret) {
-      try {
-        const { AuthPlugin } = await import("@objectstack/plugin-auth");
-        const projectSecret = deriveProjectAuthSecret(this.authBaseSecret, environmentId);
-        const baseUrl = project.hostname ? project.hostname.startsWith("http") ? project.hostname : /(\.|^)localhost(:\d+)?$/i.test(project.hostname) ? (() => {
-          const runtimePort = (process.env.OS_RUNTIME_PORT ?? "").trim();
-          const hasPort = /:\d+$/.test(project.hostname);
-          const hostWithPort = hasPort || !runtimePort ? project.hostname : `${project.hostname}:${runtimePort}`;
-          return `http://${hostWithPort}`;
-        })() : `https://${project.hostname}` : void 0;
-        const trustedOriginsList = [];
-        if (baseUrl) trustedOriginsList.push(baseUrl);
-        const platformOrigins = (process.env.OS_TRUSTED_ORIGINS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
-        for (const o of platformOrigins) {
-          if (!trustedOriginsList.includes(o)) trustedOriginsList.push(o);
-        }
-        const rootDomain = (process.env.OS_ROOT_DOMAIN ?? "").trim().replace(/^https?:\/\//, "");
-        if (rootDomain) {
-          const wildcard = `https://*.${rootDomain}`;
-          if (!trustedOriginsList.includes(wildcard)) trustedOriginsList.push(wildcard);
-        }
-        if (project.hostname) {
-          const bareHost = project.hostname.replace(/^https?:\/\//, "");
-          if (bareHost.endsWith(".localhost") || bareHost === "localhost") {
-            trustedOriginsList.push(`http://${bareHost}`);
-            trustedOriginsList.push(`http://${bareHost}:*`);
-            trustedOriginsList.push(`https://${bareHost}:*`);
-          }
-        }
-        const platformSsoEnabled = String(
-          process.env.OS_PLATFORM_SSO ?? "true"
-        ).toLowerCase() !== "false";
-        const cloudBaseUrl = (process.env.OS_CLOUD_URL ?? "").trim().replace(/\/+$/, "");
-        const oidcProviders = platformSsoEnabled && cloudBaseUrl && /^https?:\/\//.test(cloudBaseUrl) ? [{
-          providerId: PLATFORM_SSO_PROVIDER_ID,
-          name: "ObjectStack",
-          discoveryUrl: `${cloudBaseUrl}/.well-known/openid-configuration`,
-          clientId: derivePlatformSsoClientId(environmentId),
-          clientSecret: derivePlatformSsoClientSecret(this.authBaseSecret, environmentId),
-          scopes: ["openid", "email", "profile"]
-        }] : void 0;
-        await kernel.use(new AuthPlugin({
-          secret: projectSecret,
-          baseUrl,
-          // Project kernel has no http-server (host owns it). The
-          // dispatcher's handleAuth path resolves `auth` via
-          // getService and invokes the handler directly — route
-          // registration is unnecessary and would warn.
-          registerRoutes: false,
-          // Identity tables live in the project's own DB — keep
-          // sys_user/sys_session local to this kernel.
-          manifestDatasource: "default",
-          // Cookie scope: default to the project's own host. We
-          // intentionally do NOT pass crossSubDomainCookies here
-          // so cookies stay isolated per project subdomain.
-          trustedOrigins: trustedOriginsList.length ? trustedOriginsList : void 0,
-          ...oidcProviders ? { oidcProviders } : {}
-        }));
-        if (oidcProviders) {
-          this.logger.info?.("[ArtifactKernelFactory] platform SSO wired", {
-            environmentId,
-            cloudBaseUrl
-          });
-        }
-      } catch (err) {
-        this.logger.warn?.("[ArtifactKernelFactory] AuthPlugin not registered", {
-          environmentId,
-          error: err?.message
-        });
-      }
-    } else {
-      this.logger.warn?.("[ArtifactKernelFactory] OS_AUTH_SECRET not set \u2014 per-project AuthPlugin skipped (auth endpoints will return 404)", { environmentId });
-    }
-    try {
-      const multiTenant = String(readEnvWithDeprecation3("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
-      if (multiTenant) {
-        try {
-          const { OrgScopingPlugin } = await import("@objectstack/plugin-org-scoping");
-          await kernel.use(new OrgScopingPlugin());
-        } catch (err) {
-          this.logger.warn?.("[ArtifactKernelFactory] OrgScopingPlugin not registered (multi-tenant disabled)", {
-            environmentId,
-            error: err?.message
-          });
-        }
-      }
-      const { SecurityPlugin } = await import("@objectstack/plugin-security");
-      await kernel.use(new SecurityPlugin());
-    } catch (err) {
-      this.logger.warn?.("[ArtifactKernelFactory] SecurityPlugin not registered", {
-        environmentId,
-        error: err?.message
-      });
-    }
-    const projectName = project.hostname ?? environmentId;
-    const artifactAny = artifact;
-    const topLevelManifest = artifactAny?.manifest && typeof artifactAny.manifest === "object" ? artifactAny.manifest : null;
-    const topLevelFunctions = Array.isArray(artifactAny?.functions) ? artifactAny.functions : [];
-    const bundle = {
-      ...artifact.metadata ?? {},
-      ...topLevelManifest ? { manifest: topLevelManifest } : {},
-      functions: topLevelFunctions
-    };
-    const sys = bundle.manifest ?? bundle;
-    const packageId = sys?.packageId ?? sys?.package_id ?? bundle?.packageId;
-    const i18nCfg = bundle?.i18n ?? sys?.i18n ?? {};
-    const trArr = Array.isArray(bundle?.translations) ? bundle.translations : Array.isArray(sys?.translations) ? sys.translations : [];
-    try {
-      const { I18nServicePlugin } = await import("@objectstack/service-i18n");
-      await kernel.use(new I18nServicePlugin({
-        defaultLocale: i18nCfg.defaultLocale,
-        fallbackLocale: i18nCfg.fallbackLocale ?? i18nCfg.defaultLocale ?? "en",
-        // Routes are dispatched by HttpDispatcher.handleI18n via
-        // kernel.getService('i18n'); the host worker owns the
-        // HTTP server. Skip self-registration to avoid warnings.
-        registerRoutes: false
-      }));
-      console.warn(
-        `[ArtifactKernelFactory] I18nServicePlugin registered (project=${environmentId}, translations=${trArr.length}, defaultLocale=${i18nCfg.defaultLocale ?? "en"})`
-      );
-    } catch (err) {
-      this.logger.warn?.("[ArtifactKernelFactory] I18nServicePlugin not registered", {
-        environmentId,
-        error: err?.message
-      });
-    }
-    const requiresRaw = (Array.isArray(bundle?.requires) ? bundle.requires : null) ?? (Array.isArray(sys?.requires) ? sys.requires : null) ?? [];
-    const requires = requiresRaw.filter((x) => typeof x === "string" && x.length > 0);
-    if (requires.length > 0) {
-      const installed = await loadCapabilities({
-        kernel,
-        requires,
-        bundle: { ...bundle ?? {}, ...sys ?? {} },
-        logger: this.logger,
-        environmentId
-      });
-      this.logger.info?.("[ArtifactKernelFactory] capabilities loaded", {
-        environmentId,
-        requires,
-        installed
-      });
-    }
-    await kernel.use(new AppPlugin(bundle, {
-      environmentId,
-      organizationId: project.organization_id ?? "",
-      projectName,
-      packageId,
-      source: packageId ? "package" : "user"
-    }));
-    await kernel.bootstrap();
-    try {
-      const projMeta = typeof project?.metadata === "string" ? JSON.parse(project.metadata) : project?.metadata ?? {};
-      const ownerSeed = projMeta?.ownerSeed;
-      const orgSeed = projMeta?.orgSeed;
-      if (orgSeed?.id && orgSeed?.name) {
-        try {
-          const { seedProjectOrganization: seedProjectOrganization2 } = await Promise.resolve().then(() => (init_environment_org_seed(), environment_org_seed_exports));
-          await seedProjectOrganization2(kernel, orgSeed, this.logger);
-        } catch (e) {
-          this.logger.warn?.("[ArtifactKernelFactory] orgSeed threw", {
-            environmentId,
-            error: e?.message
-          });
-        }
-      }
-      if (ownerSeed?.userId && ownerSeed?.email) {
-        try {
-          const { seedProjectOwner: seedProjectOwner2 } = await Promise.resolve().then(() => (init_environment_owner_seed(), environment_owner_seed_exports));
-          await seedProjectOwner2(kernel, ownerSeed, this.logger);
-        } catch (e) {
-          this.logger.warn?.("[ArtifactKernelFactory] ownerSeed threw", {
-            environmentId,
-            error: e?.message
-          });
-        }
-        if (orgSeed?.id) {
-          try {
-            const { seedProjectMember: seedProjectMember2 } = await Promise.resolve().then(() => (init_environment_org_seed(), environment_org_seed_exports));
-            await seedProjectMember2(
-              kernel,
-              { userId: ownerSeed.userId, organizationId: orgSeed.id, role: "owner" },
-              this.logger
-            );
-          } catch (e) {
-            this.logger.warn?.("[ArtifactKernelFactory] memberSeed threw", {
-              environmentId,
-              error: e?.message
-            });
-          }
-        }
-      }
-    } catch (err) {
-      this.logger.warn?.("[ArtifactKernelFactory] owner/org seed skipped", {
-        environmentId,
-        error: err?.message
-      });
-    }
-    try {
-      const datasetsNow = (() => {
-        try {
-          return kernel.getService?.("seed-datasets");
-        } catch {
-          return void 0;
-        }
-      })();
-      const replayer = (() => {
-        try {
-          return kernel.getService?.("seed-replayer");
-        } catch {
-          return void 0;
-        }
-      })();
-      if (Array.isArray(datasetsNow) && datasetsNow.length > 0 && typeof replayer === "function") {
-        const projMetaRaw = project?.metadata;
-        const projMeta = typeof projMetaRaw === "string" ? (() => {
-          try {
-            return JSON.parse(projMetaRaw);
-          } catch {
-            return {};
-          }
-        })() : projMetaRaw ?? {};
-        let primaryOrgId = projMeta?.orgSeed?.id;
-        if (!primaryOrgId) {
-          try {
-            const ql = kernel.getService?.("objectql");
-            if (ql?.find) {
-              const rows = await ql.find("sys_organization", { limit: 5, orderBy: [{ field: "created_at", direction: "asc" }] });
-              const list = Array.isArray(rows) ? rows : rows?.value ?? rows?.records ?? [];
-              if (Array.isArray(list) && list.length > 0 && list[0]?.id) {
-                primaryOrgId = String(list[0].id);
-              }
-            }
-          } catch {
-          }
-        }
-        if (primaryOrgId) {
-          try {
-            const summary = await replayer(primaryOrgId);
-            const inserted = summary?.inserted ?? 0;
-            const updated = summary?.updated ?? 0;
-            const errs = summary?.errors?.length ?? 0;
-            if (inserted > 0 || updated > 0 || errs > 0) {
-              this.logger.info?.("[ArtifactKernelFactory] post-bootstrap seed replay", {
-                environmentId,
-                organizationId: primaryOrgId,
-                datasets: datasetsNow.length,
-                inserted,
-                updated,
-                errors: errs
-              });
-            }
-          } catch (e) {
-            this.logger.warn?.("[ArtifactKernelFactory] post-bootstrap seed replay failed", {
-              environmentId,
-              organizationId: primaryOrgId,
-              error: e?.message
-            });
-          }
-        }
-      }
-    } catch (err) {
-      this.logger.warn?.("[ArtifactKernelFactory] post-bootstrap seed step threw", {
-        environmentId,
-        error: err?.message
-      });
-    }
-    let i18nSvc = null;
-    try {
-      i18nSvc = kernel.getService?.("i18n");
-    } catch {
-      i18nSvc = null;
-    }
-    try {
-      if (i18nSvc && typeof i18nSvc.loadTranslations === "function") {
-        if (i18nCfg.defaultLocale && typeof i18nSvc.setDefaultLocale === "function") {
-          i18nSvc.setDefaultLocale(i18nCfg.defaultLocale);
-        }
-        let loaded = 0;
-        for (const tbundle of trArr) {
-          if (!tbundle || typeof tbundle !== "object") continue;
-          for (const [locale, data] of Object.entries(tbundle)) {
-            if (data && typeof data === "object") {
-              try {
-                i18nSvc.loadTranslations(locale, data);
-                loaded++;
-              } catch (err) {
-                this.logger.warn?.("[ArtifactKernelFactory] i18n loadTranslations failed", {
-                  environmentId,
-                  locale,
-                  error: err?.message
-                });
-              }
-            }
-          }
-        }
-        if (loaded > 0) {
-          this.logger.info?.("[ArtifactKernelFactory] i18n direct-load complete", {
-            environmentId,
-            locales: loaded,
-            bundles: trArr.length
-          });
-        }
-      }
-    } catch (err) {
-      this.logger.warn?.("[ArtifactKernelFactory] i18n direct-load failed", {
-        environmentId,
-        error: err?.message
-      });
-    }
-    this.logger.info?.("[ArtifactKernelFactory] kernel ready", {
-      environmentId,
-      commitId: artifact.commitId,
-      checksum: artifact.checksum,
-      authEnabled: Boolean(this.authBaseSecret)
-    });
-    return kernel;
-  }
-};
-
-// src/cloud/auth-proxy-plugin.ts
-import { createHmac as createHmac3, randomUUID as randomUUID2 } from "crypto";
-var AUTH_PREFIX = "/api/v1/auth";
-function signSessionCookieValue(rawToken, secret) {
-  const signature = createHmac3("sha256", secret).update(rawToken).digest("base64");
-  return encodeURIComponent(`${rawToken}.${signature}`);
-}
-function buildSetCookieHeader(name, encodedValue, attrs, maxAgeSec) {
-  const parts = [`${name}=${encodedValue}`];
-  const a = attrs ?? {};
-  if (a.path) parts.push(`Path=${a.path}`);
-  else parts.push("Path=/");
-  if (Number.isFinite(maxAgeSec) && maxAgeSec > 0) parts.push(`Max-Age=${Math.floor(maxAgeSec)}`);
-  if (a.domain) parts.push(`Domain=${a.domain}`);
-  if (a.sameSite) {
-    const ss = String(a.sameSite);
-    parts.push(`SameSite=${ss.charAt(0).toUpperCase() + ss.slice(1)}`);
-  } else {
-    parts.push("SameSite=Lax");
-  }
-  if (a.secure) parts.push("Secure");
-  if (a.httpOnly !== false) parts.push("HttpOnly");
-  if (a.partitioned) parts.push("Partitioned");
-  return parts.join("; ");
-}
-function pickHandler(svc) {
-  if (!svc) return void 0;
-  if (typeof svc.handleRequest === "function") return svc.handleRequest.bind(svc);
-  if (typeof svc.handler === "function") return svc.handler.bind(svc);
-  if (svc.api && typeof svc.api.handler === "function") return svc.api.handler.bind(svc.api);
-  if (svc.auth && typeof svc.auth.handler === "function") return svc.auth.handler.bind(svc.auth);
-  return void 0;
-}
-async function resolveAuthHandler(svc) {
-  const direct = pickHandler(svc);
-  if (direct) return direct;
-  if (typeof svc?.getApi === "function") {
-    try {
-      const api = await svc.getApi();
-      return pickHandler(api) ?? pickHandler({ api });
-    } catch {
-      return void 0;
-    }
-  }
-  return void 0;
-}
-var AuthProxyPlugin = class {
-  constructor() {
-    this.name = "com.objectstack.runtime.auth-proxy";
-    this.version = "1.0.0";
-    this.init = async (_ctx) => {
-    };
-    this.start = async (ctx) => {
-      ctx.hook("kernel:ready", async () => {
-        let httpServer;
-        try {
-          httpServer = ctx.getService("http-server");
-        } catch {
-          ctx.logger?.warn?.("[AuthProxyPlugin] http-server not available \u2014 auth routes not mounted");
-          return;
-        }
-        if (!httpServer || typeof httpServer.getRawApp !== "function") {
-          ctx.logger?.warn?.("[AuthProxyPlugin] http-server missing getRawApp() \u2014 auth routes not mounted");
-          return;
-        }
-        const rawApp = httpServer.getRawApp();
-        const kernelManager = ctx.getService("kernel-manager");
-        const envRegistry = ctx.getService("env-registry");
-        const handler = async (c) => {
-          try {
-            const url = new URL(c.req.url);
-            const host = url.hostname;
-            let environmentId;
-            try {
-              const env = await envRegistry.resolveByHostname(host);
-              environmentId = env?.environmentId;
-            } catch {
-            }
-            if (!environmentId) {
-              return c.json({ error: "project_not_found", host }, 404);
-            }
-            const projectKernel = await kernelManager.getOrCreate(environmentId);
-            let authSvc;
-            try {
-              authSvc = await projectKernel.getServiceAsync?.("auth");
-            } catch {
-              authSvc = void 0;
-            }
-            if (!authSvc) {
-              try {
-                authSvc = projectKernel.getService?.("auth");
-              } catch {
-              }
-            }
-            const subPath = url.pathname.startsWith(AUTH_PREFIX + "/") ? url.pathname.substring(AUTH_PREFIX.length + 1) : "";
-            if (c.req.method === "GET" && (subPath === "config" || subPath === "bootstrap-status")) {
-              if (subPath === "config") {
-                try {
-                  const config = typeof authSvc?.getPublicConfig === "function" ? authSvc.getPublicConfig() : null;
-                  if (config) {
-                    return c.json({ success: true, data: config });
-                  }
-                  return c.json({ success: false, error: { code: "auth_config_unavailable", message: "AuthManager has no getPublicConfig()" } }, 503);
-                } catch (e) {
-                  return c.json({ success: false, error: { code: "auth_config_error", message: String(e?.message ?? e) } }, 500);
-                }
-              }
-              try {
-                const dataEngine = typeof authSvc?.getDataEngine === "function" ? authSvc.getDataEngine() : null;
-                if (!dataEngine || typeof dataEngine.count !== "function") {
-                  return c.json({ hasOwner: true });
-                }
-                const count = await dataEngine.count("sys_user", {});
-                return c.json({ hasOwner: (count ?? 0) > 0 });
-              } catch {
-                return c.json({ hasOwner: true });
-              }
-            }
-            if (c.req.method === "POST" && subPath === "sso-handoff-issue") {
-              try {
-                const expected = (process.env.OS_CLOUD_API_KEY ?? "").trim();
-                if (!expected) {
-                  return c.json({ error: "sso_handoff_disabled", reason: "OS_CLOUD_API_KEY unset on env runtime" }, 503);
-                }
-                const authz = c.req.header("authorization") ?? "";
-                const provided = authz.toLowerCase().startsWith("bearer ") ? authz.slice(7).trim() : "";
-                if (!provided || provided !== expected) {
-                  return c.json({ error: "unauthorized" }, 401);
-                }
-                if (typeof authSvc?.getAuthContext !== "function") {
-                  return c.json({ error: "auth_service_unavailable" }, 503);
-                }
-                const handoffAuthCtx = await authSvc.getAuthContext();
-                const internal = handoffAuthCtx?.internalAdapter;
-                if (!internal?.createVerificationValue) {
-                  return c.json({ error: "verification_api_unavailable" }, 503);
-                }
-                let body = {};
-                try {
-                  body = await c.req.json();
-                } catch {
-                  body = {};
-                }
-                const email = String(body?.email ?? "").toLowerCase().trim();
-                if (!email) return c.json({ error: "email_required" }, 400);
-                const name = body?.name == null ? null : String(body.name);
-                const by = body?.by == null ? "service" : String(body.by);
-                const envIdInBody = body?.envId == null ? null : String(body.envId);
-                const handoff = randomUUID2().replace(/-/g, "") + randomUUID2().replace(/-/g, "");
-                const ttlSec = 60;
-                const expiresAt = new Date(Date.now() + ttlSec * 1e3);
-                await internal.createVerificationValue({
-                  identifier: `sso-handoff:${handoff}`,
-                  value: JSON.stringify({ email, name, by, envId: envIdInBody ?? environmentId }),
-                  expiresAt
-                });
-                return c.json({
-                  token: handoff,
-                  expiresAt: expiresAt.toISOString(),
-                  ttlSec
-                });
-              } catch (err) {
-                ctx.logger?.error?.("[AuthProxyPlugin] sso-handoff-issue failed", err instanceof Error ? err : new Error(String(err)));
-                return c.json({ error: "sso_handoff_issue_failed", message: String(err?.message ?? err) }, 500);
-              }
-            }
-            if (c.req.method === "GET" && subPath === "sso-exchange") {
-              try {
-                const token = (url.searchParams.get("token") ?? "").trim();
-                const nextRaw = url.searchParams.get("next") ?? "/";
-                const next = nextRaw.startsWith("/") ? nextRaw : "/";
-                if (!token) return c.text("missing token", 400);
-                if (typeof authSvc?.getAuthContext !== "function") {
-                  return c.text("auth service unavailable", 503);
-                }
-                const authCtx = await authSvc.getAuthContext();
-                const internal = authCtx?.internalAdapter;
-                if (!internal?.consumeVerificationValue) {
-                  return c.text("verification API unavailable", 503);
-                }
-                const consumed = await internal.consumeVerificationValue(`sso-handoff:${token}`);
-                if (!consumed) return c.text("invalid or expired token", 401);
-                const expiresAt = consumed?.expiresAt ? new Date(consumed.expiresAt).getTime() : 0;
-                if (!expiresAt || expiresAt < Date.now()) return c.text("expired token", 401);
-                let payload = {};
-                try {
-                  payload = JSON.parse(String(consumed.value));
-                } catch {
-                  payload = { email: String(consumed.value) };
-                }
-                const email = String(payload.email ?? "").toLowerCase().trim();
-                if (!email) return c.text("handoff missing email", 400);
-                const found = await internal.findUserByEmail(email, { includeAccounts: true });
-                let userId = found?.user?.id;
-                let hasCredentialAccount = (found?.accounts ?? []).some((a) => a.providerId === "credential" && a.password);
-                if (!userId) {
-                  const created = await internal.createUser({
-                    email,
-                    name: payload.name ?? email,
-                    emailVerified: true
-                  });
-                  userId = created?.id;
-                  hasCredentialAccount = false;
-                }
-                if (!userId) return c.text("failed to provision user", 500);
-                const session = await internal.createSession(userId, false);
-                const rawToken = session?.token;
-                const sessionExpiresAt = session?.expiresAt ? new Date(session.expiresAt) : new Date(Date.now() + 7 * 24 * 3600 * 1e3);
-                if (!rawToken) return c.text("failed to mint session", 500);
-                const secret = authCtx?.secret ?? "";
-                if (!secret) return c.text("auth secret unavailable", 503);
-                const cookieName = authCtx?.authCookies?.sessionToken?.name ?? "better-auth.session_token";
-                const cookieAttrs = authCtx?.authCookies?.sessionToken?.attributes ?? {};
-                const encoded = signSessionCookieValue(rawToken, secret);
-                const maxAgeSec = Math.max(60, Math.floor((sessionExpiresAt.getTime() - Date.now()) / 1e3));
-                const setCookie = buildSetCookieHeader(cookieName, encoded, cookieAttrs, maxAgeSec);
-                const finalNext = hasCredentialAccount ? next : `/_console/system/profile?recovery_needed=true&next=${encodeURIComponent(next)}`;
-                const headers = new Headers();
-                headers.set("Set-Cookie", setCookie);
-                headers.set("Location", finalNext);
-                headers.set("Cache-Control", "no-store");
-                return new Response(null, { status: 302, headers });
-              } catch (err) {
-                ctx.logger?.error?.("[AuthProxyPlugin] sso-exchange failed", err instanceof Error ? err : new Error(String(err)));
-                return c.text(`sso-exchange failed: ${err?.message ?? String(err)}`, 500);
-              }
-            }
-            if (c.req.method === "POST" && subPath === "set-initial-password") {
-              try {
-                let body = {};
-                try {
-                  body = await c.req.json();
-                } catch {
-                  body = {};
-                }
-                const newPassword = body?.newPassword;
-                if (typeof newPassword !== "string" || newPassword.length === 0) {
-                  return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
-                }
-                if (typeof authSvc?.getAuthContext !== "function") {
-                  return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
-                }
-                let userId;
-                try {
-                  const api = typeof authSvc.getApi === "function" ? await authSvc.getApi() : null;
-                  const session = await api?.getSession?.({ headers: c.req.raw.headers });
-                  userId = session?.user?.id ? String(session.user.id) : void 0;
-                } catch {
-                }
-                if (!userId) {
-                  return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
-                }
-                const setPwCtx = await authSvc.getAuthContext();
-                if (!setPwCtx?.internalAdapter || !setPwCtx?.password) {
-                  return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
-                }
-                const minLen = setPwCtx.password?.config?.minPasswordLength ?? 8;
-                const maxLen = setPwCtx.password?.config?.maxPasswordLength ?? 128;
-                if (newPassword.length < minLen) {
-                  return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
-                }
-                if (newPassword.length > maxLen) {
-                  return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
-                }
-                const accounts = await setPwCtx.internalAdapter.findAccounts(userId);
-                const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
-                if (existingCredential) {
-                  return c.json({ success: false, error: { code: "credential_account_exists", message: "A local password is already set for this account. Use change-password instead." } }, 409);
-                }
-                const passwordHash = await setPwCtx.password.hash(newPassword);
-                await setPwCtx.internalAdapter.createAccount({
-                  userId,
-                  providerId: "credential",
-                  accountId: userId,
-                  password: passwordHash
-                });
-                return c.json({ success: true });
-              } catch (err) {
-                ctx.logger?.error?.("[AuthProxyPlugin] set-initial-password failed", err instanceof Error ? err : new Error(String(err)));
-                return c.json({ success: false, error: { code: "set_password_failed", message: String(err?.message ?? err) } }, 500);
-              }
-            }
-            const fn = await resolveAuthHandler(authSvc);
-            if (!fn) {
-              return c.json({ error: "auth_service_unavailable", environmentId }, 503);
-            }
-            const resp = await fn(c.req.raw);
-            const rootDomain = process.env.OS_ROOT_DOMAIN || "";
-            if (rootDomain) {
-              const leakyDomain = rootDomain.startsWith(".") ? rootDomain : `.${rootDomain}`;
-              const leakyNames = [
-                "__Secure-better-auth.session_token",
-                "better-auth.session_token",
-                "__Secure-better-auth.state",
-                "better-auth.state",
-                "__Secure-better-auth.csrf_token",
-                "better-auth.csrf_token"
-              ];
-              try {
-                for (const n of leakyNames) {
-                  const isSecure = n.startsWith("__Secure-");
-                  const attrs = `Max-Age=0; Path=/; Domain=${leakyDomain}; SameSite=Lax${isSecure ? "; Secure" : ""}`;
-                  resp.headers?.append?.("Set-Cookie", `${n}=; ${attrs}`);
-                }
-              } catch {
-              }
-            }
-            return resp;
-          } catch (err) {
-            ctx.logger?.error?.("[AuthProxyPlugin] auth dispatch failed", {
-              error: err?.message,
-              stack: err?.stack
-            });
-            return c.json({
-              error: "auth_dispatch_failed",
-              message: err?.message ?? String(err)
-            }, 500);
-          }
-        };
-        if (typeof rawApp.all === "function") {
-          rawApp.all(`${AUTH_PREFIX}/*`, handler);
-        } else {
-          for (const m of ["get", "post", "put", "delete", "patch", "options"]) {
-            try {
-              rawApp[m]?.(`${AUTH_PREFIX}/*`, handler);
-            } catch {
-            }
-          }
-        }
-        ctx.logger?.info?.(`[AuthProxyPlugin] auth proxy mounted at ${AUTH_PREFIX}/*`);
-      });
-    };
-  }
-};
-
-// src/cloud/cloud-url.ts
-var DEFAULT_CLOUD_URL = "https://cloud.objectos.ai";
-function resolveCloudUrl(explicit) {
-  const raw = (explicit ?? process.env.OS_CLOUD_URL ?? "").trim();
-  const lower = raw.toLowerCase();
-  if (lower === "off" || lower === "none" || lower === "local" || lower === "disabled") {
-    return "";
-  }
-  const picked = raw || DEFAULT_CLOUD_URL;
-  return picked.replace(/\/+$/, "");
-}
-
-// src/cloud/marketplace-public-url.ts
-function resolveMarketplacePublicBaseUrl(explicit) {
-  const raw = (explicit ?? process.env.OS_MARKETPLACE_PUBLIC_BASE_URL ?? "").trim();
-  const lower = raw.toLowerCase();
-  if (!raw || lower === "off" || lower === "none" || lower === "disabled" || lower === "false") {
-    return "";
-  }
-  return raw.replace(/\/+$/, "");
-}
-function publicMarketplaceKeyForApiPath(pathname) {
-  const prefix = "/api/v1/marketplace/packages";
-  if (pathname === prefix) return "packages.json";
-  if (!pathname.startsWith(`${prefix}/`)) return null;
-  const tail = pathname.slice(prefix.length + 1);
-  if (!tail) return null;
-  const parts = tail.split("/");
-  if (parts.length === 1) {
-    const id = decodeURIComponent(parts[0] ?? "");
-    if (!id) return null;
-    return `packages/${encodeURIComponent(id)}.json`;
-  }
-  if (parts.length === 4 && parts[1] === "versions" && parts[3] === "manifest") {
-    const id = decodeURIComponent(parts[0] ?? "");
-    const versionId = decodeURIComponent(parts[2] ?? "");
-    if (!id || !versionId) return null;
-    return `packages/${encodeURIComponent(id)}/versions/${encodeURIComponent(versionId)}/manifest.json`;
+  if (parts.length === 4 && parts[1] === "versions" && parts[3] === "manifest") {
+    const id = decodeURIComponent(parts[0] ?? "");
+    const versionId = decodeURIComponent(parts[2] ?? "");
+    if (!id || !versionId) return null;
+    return `packages/${encodeURIComponent(id)}/versions/${encodeURIComponent(versionId)}/manifest.json`;
   }
   return null;
 }
@@ -7679,13 +6341,7 @@ var MarketplaceProxyPlugin = class _MarketplaceProxyPlugin {
             }
             const target = `${cloudUrl}${incomingUrl.pathname}${incomingUrl.search}`;
             if (method !== "GET" && method !== "HEAD") {
-              return c.json({
-                success: false,
-                error: {
-                  code: "marketplace_method_not_allowed",
-                  message: `Marketplace proxy only forwards GET/HEAD; install via cloud.`
-                }
-              }, 405);
+              return next();
             }
             const accept = c.req.header("accept") ?? "application/json";
             const acceptLang = c.req.header("accept-language") ?? "";
@@ -7886,356 +6542,10 @@ async function consumeAndMaybeCache(resp, key, pathname, method, cache) {
   return new Response(outBody, { status: resp.status, headers: respHeaders });
 }
 
-// src/cloud/runtime-config-plugin.ts
-var RuntimeConfigPlugin = class {
-  constructor(config = {}) {
-    this.name = "com.objectstack.runtime.runtime-config";
-    this.version = "1.0.0";
-    this.init = async (_ctx) => {
-    };
-    this.start = async (ctx) => {
-      ctx.hook("kernel:ready", async () => {
-        let httpServer;
-        try {
-          httpServer = ctx.getService("http-server");
-        } catch {
-          ctx.logger?.warn?.("[RuntimeConfigPlugin] http-server not available \u2014 runtime/config not mounted");
-          return;
-        }
-        if (!httpServer || typeof httpServer.getRawApp !== "function") {
-          ctx.logger?.warn?.("[RuntimeConfigPlugin] http-server missing getRawApp() \u2014 runtime/config not mounted");
-          return;
-        }
-        const rawApp = httpServer.getRawApp();
-        const features = {
-          installLocal: this.installLocal,
-          marketplace: true
-        };
-        let envRegistry = null;
-        try {
-          envRegistry = ctx.getService("env-registry");
-        } catch {
-        }
-        const handler = async (c) => {
-          const rawHost = c.req.header("host") ?? "";
-          const host = rawHost.split(":")[0].toLowerCase().trim();
-          let defaultEnvironmentId;
-          let defaultOrgId;
-          let resolvedSingleEnv = this.singleEnvironment;
-          const resolveFn = typeof envRegistry?.resolveByHostname === "function" ? envRegistry.resolveByHostname.bind(envRegistry) : typeof envRegistry?.resolveHostname === "function" ? envRegistry.resolveHostname.bind(envRegistry) : null;
-          if (resolveFn && host) {
-            try {
-              const resolved = await resolveFn(host);
-              if (resolved?.environmentId) {
-                defaultEnvironmentId = String(resolved.environmentId);
-                const orgId = resolved.organizationId ?? resolved.organization_id;
-                if (orgId) defaultOrgId = String(orgId);
-                resolvedSingleEnv = true;
-              }
-            } catch {
-            }
-          }
-          return c.json({
-            cloudUrl: this.cloudUrl,
-            singleEnvironment: resolvedSingleEnv,
-            defaultOrgId,
-            defaultEnvironmentId,
-            features,
-            branding: {
-              productName: this.productName,
-              productShortName: this.productShortName
-            }
-          });
-        };
-        rawApp.get("/api/v1/runtime/config", handler);
-        rawApp.get("/api/v1/studio/runtime-config", handler);
-        ctx.logger?.info?.("[RuntimeConfigPlugin] mounted /api/v1/runtime/config", {
-          cloudUrl: this.cloudUrl || "(empty)",
-          installLocal: this.installLocal,
-          perHostEnvResolution: !!envRegistry
-        });
-      });
-    };
-    this.destroy = async () => {
-    };
-    this.cloudUrl = config.controlPlaneUrl === "" ? "" : resolveCloudUrl(config.controlPlaneUrl) ?? "";
-    this.installLocal = !!config.installLocal;
-    this.singleEnvironment = !!config.singleEnvironment;
-    const envName = (typeof process !== "undefined" ? process.env?.OS_PRODUCT_NAME : void 0)?.trim();
-    const envShort = (typeof process !== "undefined" ? process.env?.OS_PRODUCT_SHORT_NAME : void 0)?.trim();
-    this.productName = (config.productName ?? envName ?? "ObjectOS").trim() || "ObjectOS";
-    this.productShortName = (config.productShortName ?? envShort ?? this.productName).trim() || this.productName;
-  }
-};
-
-// src/cloud/file-artifact-api-client.ts
-import { readFile as readFile2, stat } from "fs/promises";
-import { resolve as resolvePath4 } from "path";
-var FileArtifactApiClient = class {
-  constructor(config = {}) {
-    const cwd = process.cwd();
-    this.artifactPath = resolvePath4(
-      cwd,
-      config.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? "dist/objectstack.json"
-    );
-    this.environmentId = config.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
-    this.organizationId = config.organizationId ?? process.env.OS_ORGANIZATION_ID ?? "org_local";
-    this.overrideRuntime = config.runtime;
-    this.watch = config.watch ?? true;
-    this.logger = config.logger ?? console;
-  }
-  async resolveHostname(_host) {
-    const runtime = this.overrideRuntime ?? await this.readRuntimeFromArtifact();
-    return {
-      environmentId: this.environmentId,
-      organizationId: this.organizationId,
-      ...runtime ? { runtime } : {}
-    };
-  }
-  async fetchArtifact(_environmentId, _opts) {
-    return this.loadArtifact();
-  }
-  async lookupProjectByShortId(_shortId) {
-    return { environmentId: this.environmentId, organizationId: this.organizationId };
-  }
-  async fetchBranchHead(_environmentId, _branchName) {
-    const artifact = await this.loadArtifact();
-    return artifact ? { commitId: artifact.commitId ?? "local", publishedAt: null } : null;
-  }
-  invalidate(_environmentId) {
-    this.cached = void 0;
-  }
-  clear() {
-    this.cached = void 0;
-  }
-  async loadArtifact() {
-    try {
-      const stats = await stat(this.artifactPath);
-      const mtimeMs = stats.mtimeMs;
-      if (!this.watch && this.cached) return this.cached.response;
-      if (this.cached && this.cached.mtimeMs === mtimeMs) return this.cached.response;
-      const raw = await readFile2(this.artifactPath, "utf8");
-      const parsed = JSON.parse(raw);
-      const isEnvelope = parsed && typeof parsed === "object" && typeof parsed.metadata === "object" && parsed.metadata !== null;
-      const metadata = isEnvelope ? parsed.metadata : parsed;
-      const runtime = this.overrideRuntime ?? (isEnvelope ? parsed.runtime : void 0) ?? this.deriveRuntimeFromMetadata(metadata) ?? this.defaultLocalSqliteRuntime();
-      const response = {
-        schemaVersion: parsed.schemaVersion ?? "1",
-        environmentId: parsed.environmentId ?? this.environmentId,
-        commitId: parsed.commitId ?? "local",
-        checksum: parsed.checksum ?? "",
-        publishedAt: parsed.publishedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
-        metadata,
-        functions: parsed.functions,
-        manifest: parsed.manifest,
-        runtime: {
-          organizationId: this.organizationId,
-          ...runtime
-        }
-      };
-      this.cached = { mtimeMs, response };
-      return response;
-    } catch (err) {
-      this.logger.error?.("[FileArtifactApiClient] failed to load artifact", {
-        artifactPath: this.artifactPath,
-        error: err?.message ?? err
-      });
-      return null;
-    }
-  }
-  async readRuntimeFromArtifact() {
-    const artifact = await this.loadArtifact();
-    return artifact?.runtime;
-  }
-  deriveRuntimeFromMetadata(metadata) {
-    const datasources = metadata?.datasources;
-    if (!Array.isArray(datasources) || datasources.length === 0) return void 0;
-    const mapping = metadata?.datasourceMapping;
-    let preferredName;
-    if (mapping) {
-      const def = mapping.find((m) => m?.default === true);
-      if (def?.datasource) preferredName = def.datasource;
-    }
-    const ds = preferredName ? datasources.find((d) => d?.name === preferredName) ?? datasources[0] : datasources[0];
-    if (!ds || typeof ds !== "object") return void 0;
-    const config = ds.config ?? {};
-    const url = config.url ?? config.connectionString ?? config.connection ?? config.filename;
-    const driver = ds.driver;
-    if (typeof driver !== "string" || typeof url !== "string") return void 0;
-    return {
-      databaseDriver: driver,
-      databaseUrl: url,
-      databaseAuthToken: typeof config.authToken === "string" ? config.authToken : void 0
-    };
-  }
-  defaultLocalSqliteRuntime() {
-    const cwd = process.cwd();
-    const dbPath = resolvePath4(cwd, ".objectstack/data", `${this.environmentId}.db`);
-    return {
-      databaseDriver: "sqlite",
-      databaseUrl: `file:${dbPath}`
-    };
-  }
-};
-
-// src/cloud/objectos-stack.ts
-async function createHostEnginePlugins() {
-  const { ObjectQLPlugin } = await import("@objectstack/objectql");
-  const { DriverPlugin: DriverPlugin2 } = await Promise.resolve().then(() => (init_driver_plugin(), driver_plugin_exports));
-  const { MetadataPlugin } = await import("@objectstack/metadata");
-  const { InMemoryDriver } = await import("@objectstack/driver-memory");
-  const driver = new InMemoryDriver();
-  const driverName = "memory";
-  const oqlRef = { ql: null };
-  const objectql = {
-    name: "com.objectstack.engine.objectql",
-    version: "0.0.0",
-    async init(ctx) {
-      const plugin = new ObjectQLPlugin();
-      this._inner = plugin;
-      if (plugin.init) await plugin.init(ctx);
-      oqlRef.ql = plugin.ql ?? plugin;
-    },
-    async start(ctx) {
-      const plugin = this._inner;
-      if (plugin?.start) await plugin.start(ctx);
-    },
-    async destroy() {
-      const plugin = this._inner;
-      if (plugin?.destroy) await plugin.destroy();
-      else if (plugin?.stop) await plugin.stop();
-    }
-  };
-  const datasourceMapping = {
-    name: "objectos-host-datasource-mapping",
-    version: "0.0.0",
-    dependencies: ["com.objectstack.engine.objectql"],
-    async init() {
-      const ql = oqlRef.ql;
-      if (ql?.setDatasourceMapping) {
-        ql.setDatasourceMapping([
-          { default: true, datasource: `com.objectstack.driver.${driverName}` }
-        ]);
-      }
-    }
-  };
-  const driverPlugin = new DriverPlugin2(driver, driverName);
-  const metadata = new MetadataPlugin({
-    watch: false,
-    // The host kernel is a routing shell. It doesn't own metadata —
-    // every per-project kernel registers its own.
-    registerSystemObjects: false
-  });
-  return [objectql, datasourceMapping, driverPlugin, metadata];
-}
-var ObjectOSEnvironmentPlugin = class {
-  constructor(config) {
-    this.name = "com.objectstack.runtime.objectos-environment";
-    this.version = "1.0.0";
-    this.init = async (ctx) => {
-      const client = this.config.client ?? (this.config.controlPlaneUrl === "file" ? new FileArtifactApiClient({
-        ...this.config.fileConfig ?? {},
-        logger: ctx.logger
-      }) : new ArtifactApiClient({
-        controlPlaneUrl: this.config.controlPlaneUrl,
-        apiKey: this.config.controlPlaneApiKey,
-        cacheTtlMs: this.config.artifactCacheTtlMs,
-        logger: ctx.logger
-      }));
-      this.client = client;
-      const envRegistry = new ArtifactEnvironmentRegistry({
-        client,
-        cacheTtlMs: this.config.envCacheTtlMs,
-        logger: ctx.logger
-      });
-      const factory = new ArtifactKernelFactory({
-        client,
-        envRegistry,
-        logger: ctx.logger
-      });
-      const kernelManager = new KernelManager({
-        factory,
-        maxSize: this.config.kernelCacheSize,
-        ttlMs: this.config.kernelTtlMs,
-        logger: ctx.logger,
-        // Only the HTTP client exposes /freshness; file-mode (CLI dev)
-        // has no upstream to probe.
-        freshnessProbe: this.config.controlPlaneUrl === "file" ? void 0 : async (envId, builtAtMs) => {
-          const fresh = await client.getFreshness(envId);
-          if (!fresh) return false;
-          const t = fresh.lastPublishedAt ? Date.parse(fresh.lastPublishedAt) : NaN;
-          if (!Number.isFinite(t)) return false;
-          if (t <= builtAtMs) return false;
-          try {
-            client.invalidate(envId);
-          } catch {
-          }
-          return true;
-        }
-      });
-      this.kernelManager = kernelManager;
-      ctx.registerService("env-registry", envRegistry);
-      ctx.registerService("kernel-manager", kernelManager);
-      ctx.registerService("artifact-api-client", client);
-      ctx.logger.info?.("ObjectOSEnvironmentPlugin: registered env-registry + kernel-manager", {
-        mode: this.config.controlPlaneUrl === "file" ? "file" : "http",
-        controlPlaneUrl: this.config.controlPlaneUrl
-      });
-    };
-    this.destroy = async () => {
-      try {
-        await this.kernelManager?.evictAll();
-      } catch {
-      }
-      try {
-        this.client?.clear();
-      } catch {
-      }
-    };
-    this.config = config;
-  }
-};
-async function createObjectOSStack(config) {
-  if (!config.controlPlaneUrl && !config.client) {
-    throw new Error("[createObjectOSStack] either controlPlaneUrl or client is required");
-  }
-  const merged = {
-    ...config,
-    kernelCacheSize: Number(process.env.OS_KERNEL_CACHE_SIZE ?? config.kernelCacheSize ?? 32),
-    kernelTtlMs: Number(process.env.OS_KERNEL_TTL_MS ?? config.kernelTtlMs ?? 15 * 60 * 1e3),
-    envCacheTtlMs: Number(process.env.OS_ENV_CACHE_TTL_MS ?? config.envCacheTtlMs ?? 5 * 60 * 1e3),
-    artifactCacheTtlMs: Number(process.env.OS_ARTIFACT_CACHE_TTL_MS ?? config.artifactCacheTtlMs ?? 5 * 60 * 1e3)
-  };
-  const enginePlugins = await createHostEnginePlugins();
-  return {
-    plugins: [
-      ...enginePlugins,
-      new ObjectOSEnvironmentPlugin(merged),
-      new AuthProxyPlugin(),
-      new MarketplaceProxyPlugin({ controlPlaneUrl: merged.controlPlaneUrl === "file" ? void 0 : merged.controlPlaneUrl }),
-      new RuntimeConfigPlugin({ controlPlaneUrl: merged.controlPlaneUrl === "file" ? void 0 : merged.controlPlaneUrl, installLocal: false }),
-      // Host-supplied product/policy plugins (the official seam — see
-      // ObjectOSStackConfig.extraPlugins). Appended last so they mount
-      // after the framework defaults.
-      ...config.extraPlugins ?? []
-    ],
-    api: {
-      enableProjectScoping: true,
-      projectResolution: "auto",
-      // ObjectOS is multi-tenant: anonymous /api/v1/data/* must never
-      // leak per-project data across organisations. AuthProxyPlugin
-      // verifies upstream tokens and populates ctx.userId; requireAuth
-      // turns missing userId into 401 at the REST layer before the
-      // request reaches the per-project kernel.
-      requireAuth: true
-    }
-  };
-}
-
 // src/cloud/marketplace-install-local-plugin.ts
 import { existsSync as existsSync3, mkdirSync as mkdirSync4, readFileSync as readFileSync2, readdirSync, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
 import { join as join2, resolve } from "path";
-import { readEnvWithDeprecation as readEnvWithDeprecation4 } from "@objectstack/types";
+import { readEnvWithDeprecation as readEnvWithDeprecation3 } from "@objectstack/types";
 var ROUTE_BASE = "/api/v1/marketplace/install-local";
 var DEFAULT_DIR = ".objectstack/installed-packages";
 function safeFilename(manifestId) {
@@ -8779,7 +7089,7 @@ var MarketplaceInstallLocalPlugin = class {
         }
       }
       if (opts.seedNow && datasets.length > 0) {
-        const multiTenant = String(readEnvWithDeprecation4("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
+        const multiTenant = String(readEnvWithDeprecation3("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
         try {
           const ql = ctx.getService("objectql");
           let metadata;
@@ -8897,6 +7207,90 @@ var MarketplaceInstallLocalPlugin = class {
   }
 };
 
+// src/cloud/runtime-config-plugin.ts
+var RuntimeConfigPlugin = class {
+  constructor(config = {}) {
+    this.name = "com.objectstack.runtime.runtime-config";
+    this.version = "1.0.0";
+    this.init = async (_ctx) => {
+    };
+    this.start = async (ctx) => {
+      ctx.hook("kernel:ready", async () => {
+        let httpServer;
+        try {
+          httpServer = ctx.getService("http-server");
+        } catch {
+          ctx.logger?.warn?.("[RuntimeConfigPlugin] http-server not available \u2014 runtime/config not mounted");
+          return;
+        }
+        if (!httpServer || typeof httpServer.getRawApp !== "function") {
+          ctx.logger?.warn?.("[RuntimeConfigPlugin] http-server missing getRawApp() \u2014 runtime/config not mounted");
+          return;
+        }
+        const rawApp = httpServer.getRawApp();
+        const features = {
+          installLocal: this.installLocal,
+          marketplace: true,
+          aiStudio: this.aiStudio
+        };
+        let envRegistry = null;
+        try {
+          envRegistry = ctx.getService("env-registry");
+        } catch {
+        }
+        const handler = async (c) => {
+          const rawHost = c.req.header("host") ?? "";
+          const host = rawHost.split(":")[0].toLowerCase().trim();
+          let defaultEnvironmentId;
+          let defaultOrgId;
+          let resolvedSingleEnv = this.singleEnvironment;
+          const resolveFn = typeof envRegistry?.resolveByHostname === "function" ? envRegistry.resolveByHostname.bind(envRegistry) : typeof envRegistry?.resolveHostname === "function" ? envRegistry.resolveHostname.bind(envRegistry) : null;
+          if (resolveFn && host) {
+            try {
+              const resolved = await resolveFn(host);
+              if (resolved?.environmentId) {
+                defaultEnvironmentId = String(resolved.environmentId);
+                const orgId = resolved.organizationId ?? resolved.organization_id;
+                if (orgId) defaultOrgId = String(orgId);
+                resolvedSingleEnv = true;
+              }
+            } catch {
+            }
+          }
+          return c.json({
+            cloudUrl: this.cloudUrl,
+            singleEnvironment: resolvedSingleEnv,
+            defaultOrgId,
+            defaultEnvironmentId,
+            features,
+            branding: {
+              productName: this.productName,
+              productShortName: this.productShortName
+            }
+          });
+        };
+        rawApp.get("/api/v1/runtime/config", handler);
+        rawApp.get("/api/v1/studio/runtime-config", handler);
+        ctx.logger?.info?.("[RuntimeConfigPlugin] mounted /api/v1/runtime/config", {
+          cloudUrl: this.cloudUrl || "(empty)",
+          installLocal: this.installLocal,
+          perHostEnvResolution: !!envRegistry
+        });
+      });
+    };
+    this.destroy = async () => {
+    };
+    this.cloudUrl = config.controlPlaneUrl === "" ? "" : resolveCloudUrl(config.controlPlaneUrl) ?? "";
+    this.installLocal = !!config.installLocal;
+    this.aiStudio = config.aiStudio !== false;
+    this.singleEnvironment = !!config.singleEnvironment;
+    const envName = (typeof process !== "undefined" ? process.env?.OS_PRODUCT_NAME : void 0)?.trim();
+    const envShort = (typeof process !== "undefined" ? process.env?.OS_PRODUCT_SHORT_NAME : void 0)?.trim();
+    this.productName = (config.productName ?? envName ?? "ObjectOS").trim() || "ObjectOS";
+    this.productShortName = (config.productShortName ?? envShort ?? this.productName).trim() || this.productName;
+  }
+};
+
 // src/sandbox/script-runner.ts
 var UnimplementedScriptRunner = class {
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -8927,23 +7321,17 @@ import {
   createRestApiPlugin
 } from "@objectstack/rest";
 export * from "@objectstack/core";
-import { readEnvWithDeprecation as readEnvWithDeprecation5, _resetEnvDeprecationWarnings } from "@objectstack/types";
+import { readEnvWithDeprecation as readEnvWithDeprecation4, _resetEnvDeprecationWarnings } from "@objectstack/types";
 export {
   AppPlugin,
-  ArtifactApiClient,
-  ArtifactEnvironmentRegistry,
-  ArtifactKernelFactory,
-  AuthProxyPlugin,
   DEFAULT_CLOUD_URL,
   DEFAULT_RATE_LIMITS,
   DriverPlugin,
   ExternalValidationPlugin,
-  FileArtifactApiClient,
   HttpDispatcher,
   HttpServer,
   InMemoryErrorReporter,
   InMemoryMetricsRegistry,
-  KernelManager,
   MarketplaceInstallLocalPlugin,
   MarketplaceProxyPlugin,
   MiddlewareManager,
@@ -8951,9 +7339,8 @@ export {
   NoopMetricsRegistry,
   OBSERVABILITY_ERRORS_SERVICE,
   OBSERVABILITY_METRICS_SERVICE,
-  ObjectKernel4 as ObjectKernel,
+  ObjectKernel3 as ObjectKernel,
   ObservabilityServicePlugin,
-  PLATFORM_SSO_PROVIDER_ID,
   QuickJSScriptRunner,
   RUNTIME_METRICS,
   RateLimiter,
@@ -8968,8 +7355,6 @@ export {
   UnimplementedScriptRunner,
   _resetEnvDeprecationWarnings,
   actionBodyRunnerFactory,
-  backfillPlatformSsoClients,
-  buildPlatformSsoRedirectUri,
   buildSecurityHeaders,
   collectBundleActions,
   collectBundleFunctions,
@@ -8977,12 +7362,9 @@ export {
   createDefaultHostConfig,
   createDispatcherPlugin,
   createExternalValidationPlugin,
-  createObjectOSStack,
   createRestApiPlugin,
   createStandaloneStack,
   createSystemEnvironmentPlugin,
-  derivePlatformSsoClientId,
-  derivePlatformSsoClientSecret,
   extractRequestId,
   formatTraceparent,
   generateRequestId,
@@ -8992,13 +7374,12 @@ export {
   mergeRuntimeModule,
   parseTraceparent,
   readArtifactSource,
-  readEnvWithDeprecation5 as readEnvWithDeprecation,
+  readEnvWithDeprecation4 as readEnvWithDeprecation,
   resolveCloudUrl,
   resolveDefaultArtifactPath,
   resolveErrorReporter,
   resolveMetrics,
   resolveObjectStackHome,
-  resolveRequestId,
-  seedPlatformSsoClient
+  resolveRequestId
 };
 //# sourceMappingURL=index.js.map