-
Add three write controllers behind @RequirePermission("admin.metadata.write"): - FormDefinitionController (PUT/DELETE /api/v1/_meta/metadata/forms/{slug}) - ListViewDefinitionController (PUT/DELETE /api/v1/_meta/metadata/list-views/{slug}) - CustomFieldWriteController (POST/PUT/DELETE /api/v1/_meta/metadata/custom-fields) All three enforce source='user' immutability: rows seeded by core or plug-in YAMLs cannot be modified or deleted through the REST surface. CustomFieldWriteController calls CustomFieldRegistry.refresh() after every successful write so the in-memory index stays current. MetadataController gains GET endpoints for forms, list views (including by-slug lookup), and the aggregate /metadata response now includes forms and listViews sections. Ships platform-metadata.yml declaring admin.metadata.read/write permissions and a Metadata Admin menu entry. 22 unit tests cover the full CRUD + source-enforcement matrix.
