fix(rest+runtime): plug anonymous /data/* leak and decouple runtime from service-cloud

Two related fixes that together close the CRM cross-account data leak
reported at crm.objectos.app.

## Phase R - runtime ↔ service-cloud decoupling

`packages/runtime` no longer depends on `@objectstack/service-cloud`.
Cloud-side runtime helpers physically moved to `packages/runtime/src/cloud/`:

- artifact-api-client / file-artifact-api-client
- artifact-environment-registry / environment-registry
- artifact-kernel-factory
- auth-proxy-plugin
- kernel-manager (+ tests)
- objectos-stack

apps/objectos/server/{ensure-local-identity, fs-app-bundle-resolver,
single-project-plugin}.ts removed (logic absorbed into runtime/cloud
or the per-project stack).

apps/cloud and apps/objectos `objectstack.config.ts` updated to import
the cloud helpers from `@objectstack/runtime/cloud` instead of
`@objectstack/service-cloud`.

## Phase S - REST requireAuth gate (CF leak root fix)

Anonymous requests to `/api/v1/data/*` were bypassing security checks
entirely because plugin-security short-circuits when userId/roles are
absent (kept for standalone public demos). Added an opt-in REST-layer
gate so deployments that mount the auth tier reject anon callers
*before* hitting ObjectQL.

- `RestApiConfigSchema.requireAuth: z.boolean().default(false)`
  (packages/spec/src/api/rest-server.zod.ts)
- `RestServer.enforceAuth(req, res, ctx)` returns 401
  `{error: "unauthenticated"}` (OPTIONS preflight excluded)
  (packages/rest/src/rest-server.ts)
- All 9 `/data/*` routes gated: list, read, create, update, delete,
  batch, createMany, updateMany, deleteMany. The 4 batch routes also
  now resolve and forward exec context, so authenticated batch ops
  finally get proper RBAC enforcement.
- CLI auto-enables `requireAuth` whenever `tierEnabled('auth')` is
  true; stack-level `api.requireAuth` overrides
  (packages/cli/src/commands/serve.ts).

Verified locally:
- anon GET  /api/v1/data/account        -> 401 (was leaking data)
- anon POST /api/v1/data/account/createMany -> 401
- authed cloud GET /data/sys_project    -> 200
- authed cloud GET /cloud/projects      -> 200
- packages/rest test suite (53 tests)   -> all pass

ROADMAP updated with S1 entry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: hotlong

.gitignore

@@ -104,3 +104,4 @@ playwright-report/
 test-results/
 playwright/.cache/
 apps/cloud/artifacts/
+studio-crm.png

ROADMAP.md

@@ -39,9 +39,9 @@ Code that exists and matches the intended architecture. Do not regress these.
 |:---|:---|
 | Organization CRUD + member/invitation system | [apps/studio/src/hooks/useSession.ts](apps/studio/src/hooks/useSession.ts) |
 | Project CRUD + per-project Turso/memory DB provisioning | [packages/services/service-tenant/](packages/services/service-tenant/) |
-| Per-project ObjectKernel with LRU cache | [packages/runtime/src/project-kernel-factory.ts](packages/runtime/src/project-kernel-factory.ts) |
-| Hostname-based routing: `sys_project.hostname` -> kernel resolution | [packages/runtime/src/environment-registry.ts](packages/runtime/src/environment-registry.ts) |
-| `ControlPlaneProxyDriver` - org-scoped data isolation | [packages/runtime/src/control-plane-proxy-driver.ts](packages/runtime/src/control-plane-proxy-driver.ts) |
+| Per-project ObjectKernel with LRU cache | [packages/runtime/src/cloud/kernel-manager.ts](packages/runtime/src/cloud/kernel-manager.ts) |
+| Hostname-based routing: `sys_project.hostname` -> kernel resolution | [packages/runtime/src/cloud/artifact-environment-registry.ts](packages/runtime/src/cloud/artifact-environment-registry.ts) |
+| `ControlPlaneProxyDriver` - org-scoped data isolation | [apps/cloud/src/control-plane-proxy-driver.ts](apps/cloud/src/control-plane-proxy-driver.ts) |
 | `AppCatalogService` - per-project app events -> org-scoped `sys_app` catalog | [packages/services/service-tenant/src/services/app-catalog.service.ts](packages/services/service-tenant/src/services/app-catalog.service.ts) |
 | TS -> JSON compile pipeline (`objectstack compile`) | [packages/cli/src/commands/compile.ts](packages/cli/src/commands/compile.ts) |
 | Zod -> JSON Schema publishing (`z.toJSONSchema`) - TS/JSON bridge | [packages/spec/scripts/build-schemas.ts](packages/spec/scripts/build-schemas.ts) |
@@ -56,6 +56,7 @@ Code that exists and matches the intended architecture. Do not regress these.
 | Studio Flow Viewer + Flow Test Runner + Flow Runs panel | [apps/studio/src/components/FlowViewer.tsx](apps/studio/src/components/FlowViewer.tsx) |
 | Automation: flow auto-discovery from ObjectQL registry | [packages/services/service-automation/src/plugin.ts](packages/services/service-automation/src/plugin.ts) |
 | **D1** ObjectOS metadata DB bridge removed - `MetadataPlugin` no longer registers `sys_metadata` / `sys_metadata_history` or auto-bridges ObjectQL to `DatabaseLoader` | [packages/metadata/src/plugin.ts](packages/metadata/src/plugin.ts) |
+| **S1** REST `requireAuth` gate (resolved 2026-05-17) — anonymous `/api/v1/data/*` returns 401 when `auth` tier is enabled (CRUD + batch routes both gated); auto-enabled by CLI when `tierEnabled('auth')`. Plugs the CF data-leak reported via crm.objectos.app. | [packages/rest/src/rest-server.ts](packages/rest/src/rest-server.ts), [packages/cli/src/commands/serve.ts](packages/cli/src/commands/serve.ts) |
 
 ---
 
@@ -111,6 +112,24 @@ The deprecated `'platform'` and `'environment'` aliases have been removed
 
 `ScopedServiceManager` and `SharedProjectPlugin` were added but their integration into the request path is incomplete. Either finish them or remove them.
 
+### D6b - `packages/services/service-cloud` mixes runtime + control-plane (resolved 2026-05-17 — Phase R)
+
+The package historically housed three unrelated concerns under one name:
+
+1. **ObjectOS runtime** (artifact-fetching, per-project kernel manager, auth proxy) — used by `apps/objectos`
+2. **Cloud control plane** (multi-project orchestration, templates, local-identity seeding) — used by `apps/cloud`
+3. **Legacy single-project shells** (`single-project-plugin`, `shared-project-plugin`, `multi-project-plugin`) — pre-artifact-API code
+
+This forced `apps/objectos` to depend on `@objectstack/service-cloud` — a "cloud service" package — even though objectos only needs a runtime that pulls compiled artifacts over HTTP. The dispatcher (`boot-stack.ts`) that bridged the two was an `if/else` over `OS_MODE`.
+
+**Phase R — completed:**
+
+- Runtime-side files (`artifact-api-client`, `artifact-environment-registry`, `artifact-kernel-factory`, `auth-proxy-plugin`, `kernel-manager`, `objectos-stack`, plus new `file-artifact-api-client`) live in [`packages/runtime/src/cloud/`](packages/runtime/src/cloud/) and are exported from `@objectstack/runtime`.
+- `apps/objectos/objectstack.config.ts` now imports `createObjectOSStack` from `@objectstack/runtime` directly. No `@objectstack/service-cloud` dependency.
+- `apps/cloud/objectstack.config.ts` calls `createCloudStack` from `@objectstack/service-cloud` directly. The `createBootStack` dispatcher is removed.
+- Dead duplicates (`packages/runtime/src/{kernel-manager,multi-project-plugin,project-kernel-factory,environment-registry,control-plane-proxy-driver}.ts`) and legacy plugins in `service-cloud` (`single-project-plugin`, `shared-project-plugin`, `multi-project-plugin`, …) are deleted.
+- Result: `service-cloud` shrinks from 5 294 LOC / 27 files to the cloud-only control-plane core; the runtime no longer has a "cloud" dependency.
+
 ### D7 - ✅ Plugin-config churn converged (resolved 2026-04-26)
 
 Each plugin's manifest header + objects list now lives in a single canonical

apps/cloud/objectstack.config.ts

@@ -4,28 +4,36 @@
  * ObjectStack Cloud — Host Configuration
  *
  * Booted by `objectstack dev` / `objectstack serve` (see `package.json`)
- * and by the Vercel serverless entrypoint (`server/index.ts`).
+ * and by the Vercel / Cloudflare serverless entrypoints.
  *
- * ## Boot mode
- *
- * This config is **cloud-only** — multi-project, control-plane connected,
- * with the Studio template registry and filesystem-backed app bundle
- * resolver wired in. Local single-project / standalone modes live in
- * `apps/objectos`. All boot orchestration lives in
- * `@objectstack/service-cloud`; this file only supplies the
- * apps/cloud-specific knobs (templates, app bundle resolution).
+ * This config is **cloud-only** — multi-project control plane with the
+ * Studio template registry and filesystem-backed app bundle resolver
+ * wired in. `apps/objectos` is the runtime that talks to this control
+ * plane; their boot configs are now fully independent (no shared
+ * `createBootStack` dispatcher).
  */
 
-import { createBootStack } from '@objectstack/service-cloud';
+import { createCloudStack } from '@objectstack/service-cloud';
 import { createFsAppBundleResolver } from './server/fs-app-bundle-resolver.js';
 import { templateRegistry } from './server/templates/registry.js';
 
-const config = await createBootStack({
-    mode: 'cloud',
-    cloud: {
-        templates: templateRegistry,
-        appBundles: createFsAppBundleResolver(),
-    },
+const authSecret = process.env.AUTH_SECRET
+    ?? process.env.BETTER_AUTH_SECRET
+    ?? process.env.OS_AUTH_SECRET
+    ?? '';
+if (!authSecret) {
+    throw new Error('apps/cloud: AUTH_SECRET (or BETTER_AUTH_SECRET / OS_AUTH_SECRET) is required.');
+}
+
+const baseUrl = process.env.OS_BASE_URL
+    ?? process.env.BETTER_AUTH_URL
+    ?? `http://localhost:${process.env.PORT ?? '4000'}`;
+
+const config = await createCloudStack({
+    authSecret,
+    baseUrl,
+    templates: templateRegistry,
+    appBundles: createFsAppBundleResolver(),
 });
 
 export default config;

apps/objectos/objectstack.config.ts

@@ -1,58 +1,50 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 /**
- * ObjectStack Server — Host Configuration (runtime node)
+ * ObjectStack ObjectOS — Host Configuration (runtime node)
  *
  * Booted by `objectstack dev` / `objectstack serve` (see `package.json`).
  *
+ * ObjectOS is a **stateless multi-tenant runtime**. The host kernel here is
+ * a routing shell: every incoming request is resolved by hostname to a
+ * project, the project's compiled artifact is fetched (either from a
+ * control plane over HTTP or from a local file), and a per-project
+ * ObjectKernel is built on demand and cached.
+ *
  * ## Boot modes
  *
- * Default: single-project **local** mode. `pnpm dev` runs a self-contained
- * server with one control DB on disk and Studio UI in single-project mode
- * (no org/project picker — platform metadata only).
+ * Default (no env): connects to a locally-running `apps/cloud` on
+ * `http://localhost:4000`. Spin both up side-by-side for the natural
+ * dev loop (`apps/cloud` for control plane + Studio, `apps/objectos`
+ * for the actual runtime that serves project data).
  *
  * Override via env:
- *   - `OS_CLOUD_URL=http://localhost:4000`         — connect to a
- *     locally-running `apps/cloud` (multi-project control plane).
- *   - `OS_CLOUD_URL=https://cloud.objectstack.ai`  — hosted
- *     control plane.
- *   - `OS_MODE=cloud`                              — boot the
- *     multi-project control plane in this very process (lives in
- *     `apps/cloud`).
+ *   - `OS_CLOUD_URL=https://cloud.objectstack.ai` — point at the
+ *     hosted ObjectStack Cloud (or any other control plane).
+ *   - `OS_CLOUD_URL=file` — file-backed single-project mode. Reads one
+ *     compiled artifact from `dist/objectstack.json` (or
+ *     `OS_ARTIFACT_PATH`) and serves it on every hostname. Use this
+ *     for smoke tests / one-shot demos where bringing up a separate
+ *     control plane is overkill.
  *
- * All boot orchestration lives in `@objectstack/service-cloud`. This file
- * only supplies the apps/objectos-specific knobs (filesystem app bundle
- * resolution).
+ * No `@objectstack/service-cloud` dependency — `apps/objectos` only
+ * needs the runtime + the artifact loader, both of which live in
+ * `@objectstack/runtime`.
  */
 
-import { resolve as resolvePath, dirname } from 'node:path';
-import { fileURLToPath } from 'node:url';
-import { createBootStack } from '@objectstack/service-cloud';
-import { createFsAppBundleResolver } from './server/fs-app-bundle-resolver.js';
+import { createObjectOSStack } from '@objectstack/runtime';
 
-const serverDir = dirname(fileURLToPath(import.meta.url));
-const dataDir = resolvePath(serverDir, '.objectstack/data');
-const localArtifactPath = process.env.OS_ARTIFACT_PATH
-    ?? resolvePath(serverDir, 'dist/objectstack.json');
+const cloudUrl = process.env.OS_CLOUD_URL?.trim() || 'http://localhost:4000';
 
-const config = await createBootStack({
-    runtime: {
-        dataDir,
-        artifactPath: localArtifactPath,
-        appBundles: createFsAppBundleResolver(),
-        // Default to single-project local mode (`cloudUrl: 'local'`) so
-        // `pnpm dev` boots a self-contained server: one project, one
-        // control DB on disk, Studio UI in single-project mode (no
-        // org/project picker — platform metadata only).
-        //
-        // Override with:
-        //   - `OS_CLOUD_URL=http://localhost:4000` to connect to
-        //     a locally-running `apps/cloud` (multi-project control plane)
-        //   - `OS_CLOUD_URL=https://cloud.objectstack.ai` for the
-        //     hosted control plane
-        cloudUrl: process.env.OS_CLOUD_URL ?? 'local',
-        cloudApiKey: process.env.OS_CLOUD_API_KEY,
-    },
+const config = await createObjectOSStack({
+    controlPlaneUrl: cloudUrl,
+    controlPlaneApiKey: process.env.OS_CLOUD_API_KEY,
+    fileConfig: cloudUrl === 'file'
+        ? {
+            artifactPath: process.env.OS_ARTIFACT_PATH,
+            projectId: process.env.OS_PROJECT_ID,
+        }
+        : undefined,
 });
 
 export default config;

apps/objectos/package.json

@@ -46,7 +46,6 @@
     "@objectstack/service-ai": "workspace:*",
     "@objectstack/service-analytics": "workspace:*",
     "@objectstack/service-automation": "workspace:*",
-    "@objectstack/service-cloud": "workspace:*",
     "@objectstack/service-feed": "workspace:*",
     "@objectstack/service-i18n": "workspace:*",
     "@objectstack/service-package": "workspace:*",

apps/objectos/server/ensure-local-identity.ts

@@ -765,11 +765,17 @@ export default class Serve extends Command {
         const apiConfig = (config as any).api ?? {};
         const enableProjectScoping = apiConfig.enableProjectScoping ?? false;
         const projectResolution = apiConfig.projectResolution ?? 'auto';
+        // `requireAuth: true` rejects anonymous requests on `/api/v1/data/*`
+        // with HTTP 401 before they reach ObjectQL. Default-on when the
+        // stack opts in OR when the resolved tier set includes `auth`
+        // (because anonymous data access is almost never desirable when
+        // auth is enabled). Apps can override via stack `api.requireAuth`.
+        const requireAuth = apiConfig.requireAuth ?? (tierEnabled('auth') ? true : false);
 
         try {
           const { createRestApiPlugin } = await import('@objectstack/rest');
           await kernel.use(
-            createRestApiPlugin({ api: { api: { enableProjectScoping, projectResolution } } as any }),
+            createRestApiPlugin({ api: { api: { enableProjectScoping, projectResolution, requireAuth } } as any }),
           );
           trackPlugin('RestAPI');
         } catch (e: any) {