feat: integrate service-tenant plugin and update related configurations

Author: hotlong

apps/server/objectstack.config.ts

@@ -23,6 +23,7 @@ import { AIServicePlugin } from '@objectstack/service-ai';
 import { AutomationServicePlugin } from '@objectstack/service-automation';
 import { AnalyticsServicePlugin } from '@objectstack/service-analytics';
 import { PackageServicePlugin } from '@objectstack/service-package';
+import { createTenantPlugin } from '@objectstack/service-tenant';
 import CrmApp from '../../examples/app-crm/objectstack.config';
 import TodoApp from '../../examples/app-todo/objectstack.config';
 import BiPluginManifest from '../../examples/plugin-bi/objectstack.config';
@@ -75,6 +76,7 @@ export default defineStack({
     new DriverPlugin(new InMemoryDriver(), 'memory'),
     new DriverPlugin(tursoDriver, 'turso'),
     new PackageServicePlugin(), // Package management service
+    createTenantPlugin({ registerSystemObjects: true, registerLegacyTenantDatabase: false }),
     new AppPlugin(CrmApp),
     new AppPlugin(TodoApp),
     new AppPlugin(BiPluginManifest),

apps/server/package.json

@@ -36,6 +36,7 @@
     "@objectstack/service-automation": "workspace:*",
     "@objectstack/service-feed": "workspace:*",
     "@objectstack/service-package": "workspace:*",
+    "@objectstack/service-tenant": "workspace:*",
     "@objectstack/spec": "workspace:*",
     "hono": "^4.12.12",
     "pino": "^10.3.1",

apps/studio/package.json

@@ -42,6 +42,7 @@
     "@objectstack/service-analytics": "workspace:*",
     "@objectstack/service-automation": "workspace:*",
     "@objectstack/service-feed": "workspace:*",
+    "@objectstack/service-tenant": "workspace:*",
     "@objectstack/spec": "workspace:*",
     "@tanstack/react-router": "^1.91.6",
     "@radix-ui/react-avatar": "^1.1.11",

apps/studio/server/index.ts

@@ -31,6 +31,7 @@ import { SecurityPlugin } from '@objectstack/plugin-security';
 import { AuditPlugin } from '@objectstack/plugin-audit';
 import { SetupPlugin } from '@objectstack/plugin-setup';
 import { FeedServicePlugin } from '@objectstack/service-feed';
+import { createTenantPlugin } from '@objectstack/service-tenant';
 import { MetadataPlugin } from '@objectstack/metadata';
 import { AIServicePlugin } from '@objectstack/service-ai';
 import { AutomationServicePlugin } from '@objectstack/service-automation';
@@ -128,6 +129,7 @@ async function ensureKernel(): Promise<ObjectKernel> {
             await kernel.use(new SecurityPlugin());
             await kernel.use(new AuditPlugin());
             await kernel.use(new FeedServicePlugin());
+            await kernel.use(createTenantPlugin({ registerSystemObjects: true, registerLegacyTenantDatabase: false }));
             await kernel.use(new MetadataPlugin({ watch: false }));
             await kernel.use(new AIServicePlugin());
             await kernel.use(new AutomationServicePlugin());

apps/studio/src/routes/environments.$environmentId.index.tsx

@@ -60,7 +60,11 @@ function EnvironmentOverviewComponent() {
     if (!ok) return;
     setRotating(true);
     try {
-      await client?.environments?.rotateCredential?.(env.id);
+      const newToken =
+        typeof crypto !== 'undefined' && 'randomUUID' in crypto
+          ? crypto.randomUUID()
+          : `tok_${Math.random().toString(36).slice(2)}${Date.now().toString(36)}`;
+      await client?.environments?.rotateCredential?.(env.id, newToken);
       toast({
         title: 'Credential rotation started',
         description: 'The new credential will propagate to all runtimes.',

packages/runtime/src/dispatcher-plugin.ts

@@ -317,6 +317,70 @@ export function createDispatcherPlugin(config: DispatcherPluginConfig = {}): Plu
                 }
             });
 
+            // ── Cloud (Environments) ─────────────────────────────────────
+            server.get(`${prefix}/cloud/environments`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud('/environments', 'GET', {}, req.query, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.post(`${prefix}/cloud/environments`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud('/environments', 'POST', req.body, {}, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.get(`${prefix}/cloud/environments/:id`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/environments/${req.params.id}`, 'GET', {}, req.query, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.patch(`${prefix}/cloud/environments/:id`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/environments/${req.params.id}`, 'PATCH', req.body, {}, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.delete(`${prefix}/cloud/environments/:id`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/environments/${req.params.id}`, 'DELETE', {}, {}, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.post(`${prefix}/cloud/environments/:id/rotate-credential`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/environments/${req.params.id}/rotate-credential`, 'POST', req.body, {}, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.get(`${prefix}/cloud/environments/:id/members`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/environments/${req.params.id}/members`, 'GET', {}, req.query, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
             // ── Storage ─────────────────────────────────────────────────
             server.post(`${prefix}/storage/upload`, async (req: any, res: any) => {
                 try {

packages/runtime/src/http-dispatcher.ts

@@ -936,6 +936,231 @@ export class HttpDispatcher {
         return { handled: false };
     }
 
+    /**
+     * Cloud / Environment Control-Plane routes.
+     *
+     *  - GET    /cloud/environments                            → list
+     *  - POST   /cloud/environments                            → provision
+     *  - GET    /cloud/environments/:id                        → detail (+ db, credential, membership)
+     *  - PATCH  /cloud/environments/:id                        → update displayName / plan / status / isDefault / metadata
+     *  - POST   /cloud/environments/:id/activate               → mark as active for session (stub)
+     *  - POST   /cloud/environments/:id/credentials/rotate     → rotate credential
+     *  - GET    /cloud/environments/:id/members                → list members
+     *
+     * Backed by ObjectQL sys__environment / sys__environment_database /
+     * sys__database_credential / sys__environment_member tables (registered
+     * by `@objectstack/service-tenant`'s `createTenantPlugin`).
+     */
+    async handleCloud(path: string, method: string, body: any, query: any, _context: HttpProtocolContext): Promise<HttpDispatcherResult> {
+        const m = method.toUpperCase();
+        const parts = path.replace(/^\/+/, '').split('/').filter(Boolean);
+
+        const qlService = await this.getObjectQLService();
+        const ql = qlService ?? await this.resolveService('objectql');
+        if (!ql) {
+            return { handled: true, response: this.error('Environment service not available (ObjectQL missing)', 503) };
+        }
+
+        const ENV = 'sys__environment';
+        const DB = 'sys__environment_database';
+        const CRED = 'sys__database_credential';
+        const MEM = 'sys__environment_member';
+
+        const findOne = async (obj: string, where: Record<string, unknown>): Promise<any | undefined> => {
+            let rows = await ql.find(obj, { where } as any);
+            if (rows && (rows as any).value) rows = (rows as any).value;
+            if (!Array.isArray(rows)) return undefined;
+            return rows[0];
+        };
+
+        try {
+            // ----- /cloud/environments collection routes -----
+            if (parts.length === 1 && parts[0] === 'environments' && m === 'GET') {
+                const where: Record<string, unknown> = {};
+                if (query?.organizationId) where.organization_id = query.organizationId;
+                if (query?.envType) where.env_type = query.envType;
+                if (query?.status) where.status = query.status;
+                let rows = await ql.find(ENV, Object.keys(where).length ? ({ where } as any) : undefined);
+                if (rows && (rows as any).value) rows = (rows as any).value;
+                const environments = Array.isArray(rows) ? rows : [];
+                return { handled: true, response: this.success({ environments, total: environments.length }) };
+            }
+
+            if (parts.length === 1 && parts[0] === 'environments' && m === 'POST') {
+                const req = body || {};
+                if (!req.organizationId || !req.slug || !req.displayName || !req.envType) {
+                    return { handled: true, response: this.error('organizationId, slug, displayName, envType are required', 400) };
+                }
+                const environmentId = randomUUID();
+                const environmentDatabaseId = randomUUID();
+                const credentialId = randomUUID();
+                const nowIso = new Date().toISOString();
+                const driver = req.driver ?? 'turso';
+                const region = req.region ?? 'us-east-1';
+                const databaseName = `env-${environmentId}`;
+                const databaseUrl = `libsql://${databaseName}.mock-${driver}.local`;
+                const plaintextSecret = `mock-token-${environmentId}`;
+
+                await ql.insert(ENV, {
+                    id: environmentId,
+                    organization_id: req.organizationId,
+                    slug: req.slug,
+                    display_name: req.displayName,
+                    env_type: req.envType,
+                    is_default: req.isDefault ?? false,
+                    region,
+                    plan: req.plan ?? 'free',
+                    status: 'active',
+                    created_by: req.createdBy ?? 'system',
+                    metadata: req.metadata ? JSON.stringify(req.metadata) : null,
+                    created_at: nowIso,
+                    updated_at: nowIso,
+                });
+
+                await ql.insert(DB, {
+                    id: environmentDatabaseId,
+                    environment_id: environmentId,
+                    database_name: databaseName,
+                    database_url: databaseUrl,
+                    driver,
+                    region,
+                    storage_limit_mb: req.storageLimitMb ?? 1024,
+                    provisioned_at: nowIso,
+                    created_at: nowIso,
+                    updated_at: nowIso,
+                });
+
+                await ql.insert(CRED, {
+                    id: credentialId,
+                    environment_database_id: environmentDatabaseId,
+                    secret_ciphertext: plaintextSecret,
+                    encryption_key_id: 'noop',
+                    authorization: 'full_access',
+                    status: 'active',
+                    created_at: nowIso,
+                    updated_at: nowIso,
+                });
+
+                const environment = await findOne(ENV, { id: environmentId });
+                const database = await findOne(DB, { id: environmentDatabaseId });
+                const res = this.success({ environment, database });
+                res.status = 201;
+                return { handled: true, response: res };
+            }
+
+            // ----- /cloud/environments/:id -----
+            if (parts.length === 2 && parts[0] === 'environments') {
+                const id = decodeURIComponent(parts[1]);
+
+                if (m === 'GET') {
+                    const environment = await findOne(ENV, { id });
+                    if (!environment) return { handled: true, response: this.error(`Environment '${id}' not found`, 404) };
+                    const database = await findOne(DB, { environment_id: id });
+                    const credential = database
+                        ? await findOne(CRED, { environment_database_id: database.id, status: 'active' })
+                        : undefined;
+                    const membership = await findOne(MEM, { environment_id: id });
+                    // Omit the ciphertext from responses — metadata only.
+                    const credMeta = credential
+                        ? {
+                              id: credential.id,
+                              status: credential.status,
+                              authorization: credential.authorization,
+                              activatedAt: credential.created_at,
+                              expiresAt: credential.expires_at,
+                          }
+                        : undefined;
+                    return {
+                        handled: true,
+                        response: this.success({ environment, database, credential: credMeta, membership }),
+                    };
+                }
+
+                if (m === 'PATCH') {
+                    const patch: Record<string, unknown> = {};
+                    if (body?.displayName !== undefined) patch.display_name = body.displayName;
+                    if (body?.plan !== undefined) patch.plan = body.plan;
+                    if (body?.status !== undefined) patch.status = body.status;
+                    if (body?.isDefault !== undefined) patch.is_default = body.isDefault;
+                    if (body?.metadata !== undefined) patch.metadata = JSON.stringify(body.metadata);
+                    patch.updated_at = new Date().toISOString();
+                    await ql.update(ENV, patch, { where: { id } } as any);
+                    const environment = await findOne(ENV, { id });
+                    if (!environment) return { handled: true, response: this.error(`Environment '${id}' not found`, 404) };
+                    return { handled: true, response: this.success({ environment }) };
+                }
+            }
+
+            // ----- /cloud/environments/:id/activate -----
+            if (parts.length === 3 && parts[0] === 'environments' && parts[2] === 'activate' && m === 'POST') {
+                const id = decodeURIComponent(parts[1]);
+                const environment = await findOne(ENV, { id });
+                if (!environment) return { handled: true, response: this.error(`Environment '${id}' not found`, 404) };
+                // TODO: persist active_environment_id on the session once session service is wired.
+                return { handled: true, response: this.success({ environment, sessionUpdated: false }) };
+            }
+
+            // ----- /cloud/environments/:id/credentials/rotate -----
+            if (parts.length === 4 && parts[0] === 'environments' && parts[2] === 'credentials' && parts[3] === 'rotate' && m === 'POST') {
+                const id = decodeURIComponent(parts[1]);
+                const plaintext = body?.plaintext;
+                if (!plaintext || typeof plaintext !== 'string') {
+                    return { handled: true, response: this.error('plaintext is required', 400) };
+                }
+                const database = await findOne(DB, { environment_id: id });
+                if (!database) return { handled: true, response: this.error(`No database for environment '${id}'`, 404) };
+
+                const nowIso = new Date().toISOString();
+                // Revoke existing active credentials
+                let existing = await ql.find(CRED, { where: { environment_database_id: database.id, status: 'active' } } as any);
+                if (existing && (existing as any).value) existing = (existing as any).value;
+                for (const row of (Array.isArray(existing) ? existing : [])) {
+                    await ql.update(CRED, {
+                        status: 'revoked',
+                        revoked_at: nowIso,
+                        updated_at: nowIso,
+                    }, { where: { id: row.id } } as any);
+                }
+
+                const credentialId = randomUUID();
+                await ql.insert(CRED, {
+                    id: credentialId,
+                    environment_database_id: database.id,
+                    secret_ciphertext: plaintext,
+                    encryption_key_id: 'noop',
+                    authorization: 'full_access',
+                    status: 'active',
+                    created_at: nowIso,
+                    updated_at: nowIso,
+                });
+
+                const credential = await findOne(CRED, { id: credentialId });
+                const credMeta = credential
+                    ? {
+                          id: credential.id,
+                          status: credential.status,
+                          authorization: credential.authorization,
+                          activatedAt: credential.created_at,
+                      }
+                    : undefined;
+                return { handled: true, response: this.success({ credential: credMeta }) };
+            }
+
+            // ----- /cloud/environments/:id/members -----
+            if (parts.length === 3 && parts[0] === 'environments' && parts[2] === 'members' && m === 'GET') {
+                const id = decodeURIComponent(parts[1]);
+                let rows = await ql.find(MEM, { where: { environment_id: id } } as any);
+                if (rows && (rows as any).value) rows = (rows as any).value;
+                const members = Array.isArray(rows) ? rows : [];
+                return { handled: true, response: this.success({ members }) };
+            }
+        } catch (e: any) {
+            return { handled: true, response: this.error(e.message, e.statusCode || 500) };
+        }
+
+        return { handled: false };
+    }
+
 
 
     /**
@@ -1370,6 +1595,10 @@ export class HttpDispatcher {
              return this.handlePackages(cleanPath.substring(9), method, body, query, context);
         }
 
+        if (cleanPath.startsWith('/cloud')) {
+             return this.handleCloud(cleanPath.substring(6), method, body, query, context);
+        }
+
         if (cleanPath.startsWith('/i18n')) {
              return this.handleI18n(cleanPath.substring(5), method, query, context);
         }