feat(phase3): project-scoped URLs in Studio + CLI projects commands + RBAC

Phase 3 of the project-scoping rollout. Studio and the CLI now use the
scoped URL shape end-to-end, and scoped data-plane routes enforce
`sys_project_member` membership with a short-lived positive cache.

Studio
- New `useScopedClient(projectId)` hook returns a `ScopedProjectClient`
  bound to the current `/projects/$projectId` route param.
- Migrated `ObjectDataTable`, `MetadataInspector`, `DeveloperOverview`,
  `app-sidebar`, and `projects.$projectId.packages.tsx` to hit
  `/api/v1/projects/:projectId/...` instead of the unscoped fallback.
- Sidebar falls back to the unscoped client on pages with no project
  context (login, organization pages).

Server
- `apps/server/objectstack.config.ts` flips `api.enableProjectScoping`
  to `true` under `projectResolution: 'auto'` and registers
  `createSystemProjectPlugin()` so the well-known system project is
  provisioned on boot.
- CLI `serve` forwards the stack's `api.enableProjectScoping` /
  `projectResolution` into both `createRestApiPlugin` and
  `createDispatcherPlugin`.

CLI — `os projects`
- `list` / `show` / `create` / `switch` sub-commands under
  `packages/cli/src/commands/projects/`, re-exported from index.
- `create` activates the new project by default and persists
  `activeProjectId` into `~/.objectstack/credentials.json`.
- `switch` verifies the project exists, optionally calls `/activate`,
  then writes the id. `createApiClient` reads it back so every
  subsequent command targets the right project.

Runtime RBAC
- New `HttpDispatcher.enforceProjectMembership(context, path)` runs
  after env resolution. Returns 403 for non-members; bypassed for the
  system project, platform-org members, and control-plane paths.
- Positive results cached in-memory for 60s keyed by `(project, user)`.
- Controlled by `DispatcherPluginConfig.enforceProjectMembership`
  (defaults to on when scoping is enabled).

Tests
- `http-dispatcher.test.ts` +5 RBAC cases (403, system-project bypass,
  platform-org bypass, positive-cache hit, enforcement disabled).
- `commands/projects/projects.test.ts` smoke-checks command metadata.

Verification
- Chrome DevTools MCP smoke test confirmed Studio loads
  `/api/v1/projects/<system-uuid>/meta/*` for every metadata type after
  navigating to `/projects/$projectId/...`.
- Discovery endpoint reports `scoping.enabled: true`.
- All `@objectstack/runtime` (165), `@objectstack/client` (99),
  `@objectstack/rest` (46), and `@objectstack/cli` (89) tests pass.

Author: hotlong

apps/server/objectstack.config.ts

@@ -9,7 +9,7 @@
  */
 
 import { defineStack } from '@objectstack/spec';
-import { AppPlugin, DriverPlugin } from '@objectstack/runtime';
+import { AppPlugin, DriverPlugin, createSystemProjectPlugin } from '@objectstack/runtime';
 import { ObjectQLPlugin } from '@objectstack/objectql';
 import { InMemoryDriver } from '@objectstack/driver-memory';
 import { TursoDriver } from '@objectstack/driver-turso';
@@ -63,6 +63,12 @@ export default defineStack({
     description: 'Production server aggregating CRM, Todo and BI plugins',
     type: 'app',
   },
+  // Phase 3: enable project-scoped URLs (/api/v1/projects/:projectId/...)
+  // under 'auto' resolution so legacy unscoped routes continue to work.
+  api: {
+    enableProjectScoping: true,
+    projectResolution: 'auto',
+  },
   plugins: [
     oqlPlugin,
     // Set datasourceMapping right after ObjectQL init — access ql instance directly
@@ -77,6 +83,9 @@ export default defineStack({
     new DriverPlugin(tursoDriver, 'turso'),
     new PackageServicePlugin(), // Package management service
     createTenantPlugin({ registerSystemObjects: true, registerLegacyTenantDatabase: false }),
+    // Provisions the well-known system project (00000000-0000-0000-0000-000000000001)
+    // on startup. Idempotent — safe to register unconditionally.
+    createSystemProjectPlugin(),
     new AppPlugin(CrmApp),
     new AppPlugin(TodoApp),
     new AppPlugin(BiPluginManifest),

apps/studio/src/components/DeveloperOverview.tsx

@@ -1,7 +1,8 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { useState, useEffect, useCallback } from 'react';
-import { useClient } from '@objectstack/client-react';
+import { useParams } from '@tanstack/react-router';
+import { useScopedClient } from '@/hooks/useObjectStackClient';
 import { Card, CardContent, CardHeader, CardTitle, CardDescription } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
@@ -25,14 +26,16 @@ interface SystemStats {
 }
 
 export function DeveloperOverview({ packages, selectedPackage, onNavigate }: DeveloperOverviewProps) {
-  const client = useClient();
+  const params = useParams({ strict: false }) as { projectId?: string };
+  const client = useScopedClient(params.projectId);
   const [stats, setStats] = useState<SystemStats>({
     packages: { total: 0, enabled: 0, disabled: 0, byType: {} },
     metadata: { types: [], counts: {} },
     loading: true,
   });
 
   const loadStats = useCallback(async () => {
+    if (!client) return;
     setStats(prev => ({ ...prev, loading: true }));
     try {
       // Fetch metadata types

apps/studio/src/components/MetadataInspector.tsx

@@ -1,7 +1,8 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { useState, useEffect } from 'react';
-import { useClient } from '@objectstack/client-react';
+import { useParams } from '@tanstack/react-router';
+import { useScopedClient } from '@/hooks/useObjectStackClient';
 import { Card, CardContent, CardHeader, CardTitle, CardDescription } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Input } from "@/components/ui/input";
@@ -191,7 +192,8 @@ function JsonTree({ data, depth = 0 }: { data: any; depth?: number }) {
 
 
 export function MetadataInspector({ metaType, metaName, packageId }: MetadataInspectorProps) {
-  const client = useClient();
+  const params = useParams({ strict: false }) as { projectId?: string };
+  const client = useScopedClient(params.projectId);
   const [item, setItem] = useState<any>(null);
   const [loading, setLoading] = useState(true);
   const [searchQuery, setSearchQuery] = useState('');
@@ -200,13 +202,14 @@ export function MetadataInspector({ metaType, metaName, packageId }: MetadataIns
   const typeLabel = TYPE_LABELS[metaType] || metaType.charAt(0).toUpperCase() + metaType.slice(1);
 
   useEffect(() => {
+    if (!client) return;
     let mounted = true;
     setLoading(true);
     setItem(null);
 
     async function load() {
       try {
-        const result: any = await client.meta.getItem(metaType, metaName, packageId ? { packageId } : undefined);
+        const result: any = await client!.meta.getItem(metaType, metaName, packageId ? { packageId } : undefined);
         if (mounted) {
           setItem(result?.item || result);
         }

apps/studio/src/components/ObjectDataTable.tsx

@@ -1,7 +1,8 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { useState, useEffect } from 'react';
-import { useClient } from '@objectstack/client-react';
+import { useParams } from '@tanstack/react-router';
+import { useScopedClient } from '@/hooks/useObjectStackClient';
 import { Card, CardContent, CardHeader, CardTitle, CardDescription, CardFooter } from "@/components/ui/card";
 import { Button } from "@/components/ui/button";
 import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table";
@@ -80,7 +81,8 @@ function TableSkeleton({ cols }: { cols: number }) {
 }
 
 export function ObjectDataTable({ objectApiName, onEdit, refreshTrigger = 0 }: ObjectDataTableProps) {
-    const client = useClient();
+    const params = useParams({ strict: false }) as { projectId?: string };
+    const client = useScopedClient(params.projectId);
     const [def, setDef] = useState<any>(null);
     const [records, setRecords] = useState<any[]>([]);
     const [loading, setLoading] = useState(false);
@@ -91,10 +93,11 @@ export function ObjectDataTable({ objectApiName, onEdit, refreshTrigger = 0 }: O
 
     // Load Definition
     useEffect(() => {
+        if (!client) return;
         let mounted = true;
         async function loadDef() {
             try {
-                const found: any = await client.meta.getItem('object', objectApiName);
+                const found: any = await client!.meta.getItem('object', objectApiName);
                 if (mounted && found) {
                     // Spec: GetMetaItemResponse = { type, name, item }
                     const def = found.item || found;
@@ -110,11 +113,12 @@ export function ObjectDataTable({ objectApiName, onEdit, refreshTrigger = 0 }: O
 
     // Load Data
     useEffect(() => {
+        if (!client) return;
         let mounted = true;
         async function loadData() {
             setLoading(true);
             try {
-                const result: any = await client.data.find(objectApiName, {
+                const result: any = await client!.data.find(objectApiName, {
                     filters: {
                         top: pageSize,
                         skip: (page - 1) * pageSize,
@@ -140,6 +144,7 @@ export function ObjectDataTable({ objectApiName, onEdit, refreshTrigger = 0 }: O
     }, [client, objectApiName, page, refreshTrigger]);
 
     async function handleDelete(id: string) {
+        if (!client) return;
         if (!confirm('Are you sure you want to delete this record?')) return;
         try {
             await client.data.delete(objectApiName, id);
@@ -161,6 +166,7 @@ export function ObjectDataTable({ objectApiName, onEdit, refreshTrigger = 0 }: O
     }
 
     async function handleRefresh() {
+        if (!client) return;
         setLoading(true);
         try {
             const result: any = await client.data.find(objectApiName, {

apps/studio/src/components/app-sidebar.tsx

@@ -36,6 +36,7 @@ import {
 import { useState, useEffect, useCallback, useMemo } from "react"
 import { useNavigate, useParams, useLocation } from '@tanstack/react-router';
 import { useClient, useMetadataSubscriptionCallback } from '@objectstack/client-react';
+import { useScopedClient } from '@/hooks/useObjectStackClient';
 import type { InstalledPackage } from '@objectstack/spec/kernel';
 
 import {
@@ -166,11 +167,17 @@ export function AppSidebar({
   packages, selectedPackage, onSelectPackage, projectId,
   ...props
 }: AppSidebarProps) {
-  const client = useClient();
+  const unscopedClient = useClient();
   const navigate = useNavigate();
-  const params = useParams({ strict: false });
+  const params = useParams({ strict: false }) as any;
   const location = useLocation();
 
+  // Prefer a project-scoped client when a projectId is present in the URL
+  // (e.g. under /projects/$projectId/...). Falls back to the unscoped client
+  // during login / organization pages that have no project context yet.
+  const scopedClient = useScopedClient(params.projectId);
+  const client = scopedClient ?? unscopedClient;
+
   // Extract current selection from URL params
   const selectedObject = params.name && params.package && !params.type ? params.name : null;
   const selectedMeta = params.type && params.name ? { type: params.type, name: params.name } : null;

apps/studio/src/hooks/useObjectStackClient.ts

@@ -1,7 +1,8 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
-import { useState, useEffect } from 'react';
-import { ObjectStackClient } from '@objectstack/client';
+import { useMemo, useState, useEffect } from 'react';
+import { ObjectStackClient, type ScopedProjectClient } from '@objectstack/client';
+import { useClient } from '@objectstack/client-react';
 import { getApiBaseUrl, config } from '../lib/config';
 import { recallActiveProject } from './useProjects';
 
@@ -27,3 +28,25 @@ export function useObjectStackClient() {
 
   return client;
 }
+
+/**
+ * Hook that returns a {@link ScopedProjectClient} bound to the given
+ * `projectId`. When `projectId` is `undefined` or an empty string, the hook
+ * returns `null` so callers can defer network calls until the route is fully
+ * resolved.
+ *
+ * The scoped client routes every request through
+ * `/api/v1/projects/:projectId/...`, which is the canonical URL shape once
+ * `enableProjectScoping` is enabled on the server. The dual-mode routing in
+ * Phase 2 keeps the unscoped routes working under `projectResolution: 'auto'`,
+ * so this migration is safe to ship incrementally.
+ */
+export function useScopedClient(
+  projectId: string | undefined,
+): ScopedProjectClient | null {
+  const client = useClient();
+  return useMemo(() => {
+    if (!client || !projectId) return null;
+    return client.project(projectId);
+  }, [client, projectId]);
+}

apps/studio/src/routes/projects.$projectId.packages.tsx

@@ -10,7 +10,7 @@
 
 import { createFileRoute, useParams, useNavigate } from '@tanstack/react-router';
 import { useState, useEffect, useCallback } from 'react';
-import { useClient } from '@objectstack/client-react';
+import { useScopedClient } from '@/hooks/useObjectStackClient';
 import { Package, Power, PowerOff, Trash2, Plus, RefreshCw, ArrowRight } from 'lucide-react';
 import { Card, CardContent } from '@/components/ui/card';
 import { Badge } from '@/components/ui/badge';
@@ -22,7 +22,7 @@ import type { InstalledPackage } from '@objectstack/spec/kernel';
 
 function ProjectPackagesComponent() {
   const { projectId } = useParams({ from: '/projects/$projectId' });
-  const client = useClient() as any;
+  const client = useScopedClient(projectId) as any;
   const navigate = useNavigate();
 
   const { packages: installedPkgs, loading, error, install, uninstall, enable, disable, reload } =

packages/cli/src/commands/projects/create.ts

@@ -0,0 +1,98 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { Command, Flags } from '@oclif/core';
+import { printError } from '../../utils/format.js';
+import { createApiClient, requireAuth } from '../../utils/api-client.js';
+import { formatOutput } from '../../utils/output-formatter.js';
+import { readAuthConfig, writeAuthConfig } from '../../utils/auth-config.js';
+
+/**
+ * `os projects create` — provision a new project.
+ *
+ * Delegates to `ProjectProvisioningService.provisionProject` on the server.
+ * On success, optionally activates the new project for the current session
+ * and persists `activeProjectId` into `~/.objectstack/credentials.json`
+ * (unless `--no-activate` is passed).
+ */
+export default class ProjectsCreate extends Command {
+  static override description = 'Provision a new project';
+
+  static override examples = [
+    '$ os projects create --org 00000000-0000-0000-0000-000000000000 --name Staging',
+    '$ os projects create --org $ORG --name Dev --plan free',
+    '$ os projects create --org $ORG --name "Clone" --clone-from <source-id> --no-activate',
+  ];
+
+  static override flags = {
+    url: Flags.string({ char: 'u', description: 'Server URL', env: 'OBJECTSTACK_URL' }),
+    token: Flags.string({ char: 't', description: 'Authentication token', env: 'OBJECTSTACK_TOKEN' }),
+    org: Flags.string({ description: 'Organization id', required: true }),
+    name: Flags.string({ description: 'Display name', required: true }),
+    plan: Flags.string({ description: 'Billing plan', default: 'free' }),
+    driver: Flags.string({ description: 'Data-plane driver id' }),
+    'clone-from': Flags.string({ description: 'Clone schema from an existing project id' }),
+    activate: Flags.boolean({
+      description: 'Activate the new project for subsequent CLI calls',
+      default: true,
+      allowNo: true,
+    }),
+    format: Flags.string({
+      char: 'f',
+      description: 'Output format',
+      options: ['json', 'table', 'yaml'],
+      default: 'table',
+    }),
+  };
+
+  async run(): Promise<void> {
+    const { flags } = await this.parse(ProjectsCreate);
+
+    try {
+      const { client, token } = await createApiClient({ url: flags.url, token: flags.token });
+      requireAuth(token);
+
+      const res = await client.projects.create({
+        organizationId: flags.org,
+        displayName: flags.name,
+        plan: flags.plan,
+        driver: flags.driver,
+        cloneFromProjectId: flags['clone-from'],
+      });
+
+      if (flags.activate && res?.project?.id) {
+        try {
+          await client.projects.activate(res.project.id);
+          const cfg = await readAuthConfig().catch(() => null);
+          if (cfg) {
+            cfg.activeProjectId = res.project.id;
+            cfg.lastUsedAt = new Date().toISOString();
+            await writeAuthConfig(cfg);
+          }
+        } catch (activateError: any) {
+          // Creation succeeded — surface activation failure as a warning
+          console.error(`  ⚠ activation failed: ${activateError.message}`);
+        }
+      }
+
+      if (flags.format === 'json') {
+        formatOutput(res, 'json');
+      } else if (flags.format === 'yaml') {
+        formatOutput(res, 'yaml');
+      } else {
+        const p = res?.project ?? {};
+        console.log(`\n✓ Project created: ${p.displayName ?? p.id} (${p.id})`);
+        if (flags.activate) {
+          console.log(`  active project set to ${p.id}`);
+        }
+        console.log('');
+      }
+    } catch (error: any) {
+      if (flags.format === 'json') {
+        console.log(JSON.stringify({ success: false, error: error.message }, null, 2));
+        this.exit(1);
+      }
+      printError(error.message || String(error));
+      this.exit(1);
+    }
+  }
+}