docs: align deeper how-to docs with current code state

The previous docs commit fixed README + CLAUDE + the three "scope note" guides but explicitly left the deeper how-to docs as-is, claiming the architecture hadn't changed. That was wrong on closer reading: those docs still described the pre-single-tenant world (tenant_id columns, two-wall isolation, per-tenant routing) and the pre-implementation plug-in API (class-based @PluginEndpoint controllers, ResponseBuilder, context.log instead of context.logger, plugin.yml entryClass field). A reader following any of those guides would write code that doesn't compile. This commit aligns them with what the framework actually does today. What changed: * docs/architecture/overview.md - Guardrail #5 rewritten from "Multi-tenant in spirit from day one" to "Single-tenant per instance, isolated database" matching CLAUDE.md. - The api.v1 package layout updated to match the actual current surface: dropped `Tenant`, added `PrincipalId`, `PersistenceExceptions`, the full plug-in package (PluginContext, PluginEndpointRegistrar, PluginRequest/Response, PluginJdbc, PluginRow), and the two live cross-PBC facades (IdentityApi, CatalogApi). - The whole "Multi-tenancy" section replaced with "Single-tenant per instance" — drops the two-wall framing, drops per-region routing, drops tenant_id columns and RLS. The single-tenant rationale is explained in line with the rest of the framework. - Custom fields and metadata store sections drop "per tenant" and tenant_id from their column lists. - Audit row in the cross-cutting table drops tenant_id from the column list and adds the PrincipalContext bridge note that's actually live as of P4.1. - "Tier 1 — Key user, no-code" intro drops "scoped to their tenant". * docs/plugin-api/overview.md - api.v1 package layout updated to match the real current surface (same set of additions and deletions as the architecture overview). - Per-package orientation table rewritten to describe what is actually in each package today, including which parts are live (event/, plugin/, http/) and which are stubbed (i18n/, workflow/, form/) with the relevant implementation-plan unit referenced. * docs/plugin-author/getting-started.md — full rewrite. The previous version walked an author through APIs that don't exist: • `Plugin.start(context: PluginContext)` and `Plugin.stop(context: PluginContext)` — actual API is `start(context)` and `stop()` (no arg), with the Pf4jPlugin + VibeErpPlugin dual-supertype trick using import aliases. • `context.log` — actual is `context.logger` (PluginLogger interface). • `plugin.yml` with `entryClass:` field and a structured `metadata.i18n:` subkey — actual schema has no entryClass (PF4J reads `Plugin-Class` from MANIFEST.MF) and `metadata:` is a flat list of paths. • Class-based `@PluginEndpoint` controllers with `ResponseBuilder` — actual is lambda-based registration via `context.endpoints.register(method, path, handler)` returning `PluginResponse`. • `request.translator.format(...)` — translator currently throws UnsupportedOperationException; the example would crash. The new version walks through: 1. The compileOnly api.v1 + pf4j dependency setup. 2. The dual-supertype Pf4jPlugin + VibeErpPlugin trick with import aliases (matches the actual reference plug-in). 3. The real JAR layout (META-INF/MANIFEST.MF for PF4J, plugin.yml for human metadata, META-INF/vibe-erp/db/changelog.xml for Liquibase, META-INF/vibe-erp/metadata/<id>.yml for the metadata loader). 4. Liquibase changelog at the unique META-INF path (not the host's `db/changelog/master.xml` path which would collide on parent-first classloader lookup — the bug we hit and fixed in commit 1ead32d7). 5. Lambda-based endpoint registration with real working examples (path templates, queryForObject, update, JSON body parsing). 6. Metadata YAML shape matching what MetadataLoader actually parses. 7. The boot-log sequence the operator will see, taken from a real smoke run. 8. An honest "what this guide does not yet cover" list with implementation-plan unit references. * docs/i18n/guide.md - Added a "Status" callout at the top: the api.v1 contract is locked, the ICU4J implementation is P1.6 and not yet wired, `context.translator` currently throws. - Bundle filename convention corrected from `<locale>.properties` to `messages_<locale>.properties` (matches what the reference plug-in actually ships). - plugin.yml example updated to show the flat `metadata:` array that PluginManifest actually parses (the previous structured `metadata.i18n:` subkey doesn't exist in the schema). - Merge precedence renamed "tenant overrides" → "operator overrides" since vibe_erp is single-tenant per instance. - LocaleProvider resolution chain updated to drop "tenant default" and reference `vibeerp.i18n.default-locale` configuration. - "Time zones are per-tenant" → "per-user with an instance default". - Locale-add reference to "i18n-overrides volume" annotated as "once P1.6 lands". * docs/customer-onboarding/guide.md - Section 3 "Create a tenant" deleted; replaced with "Configure the instance" pointing at vibeerp.instance.* config. - First-boot bullet list rewritten to drop the bogus "create default tenant row in identity__tenant" step (no such table) and add the real metadata-loader and per-plug-in lifecycle steps that happen. - Mounted-volume table updated: `i18n-overrides/` is "operator translation overrides", not "tenant-level". - "Bind users to roles, bind roles to tenants" simplified; OIDC group claims annotated as P4.2 (not yet wired). - Go-live checklist drops "non-production tenant" wording and "tenant locale defaults" (now instance-level config). - "Hosted multi-tenant operations" deferred-list item rewritten to "hosted operations: provisioning many independent vibe_erp instances", matching the new single-tenant deployment model. * docs/form-authoring/guide.md - Tier 1 section drops "scoped to the tenant", "tweaking for a specific tenant", "tenant-specific custom field". * docs/workflow-authoring/guide.md - "Approval chains that vary per tenant" → "Approval chains the customer wants to author themselves". * docs/index.md - Architecture overview row description updated from "multi-tenancy" to "single-tenant deployment model". - i18n guide row description updated from "tenant overrides" to "operator overrides". Build: ./gradlew build still green (no source touched). The remaining `tenant` references in docs are now ALL intentional — they appear in sentences like "vibe_erp is single-tenant per instance", "there is no create-a-tenant step", "no per-tenant bundles". The historical specs under docs/superpowers/specs/ were intentionally NOT touched: those are dated design records, and the implementation plan already had the single-tenant refactor noted at the top.

docs: align deeper how-to docs with current code state
The previous docs commit fixed README + CLAUDE + the three "scope note" guides but explicitly left the deeper how-to docs as-is, claiming the architecture hadn't changed. That was wrong on closer reading: those docs still described the pre-single-tenant world (tenant_id columns, two-wall isolation, per-tenant routing) and the pre-implementation plug-in API (class-based @PluginEndpoint controllers, ResponseBuilder, context.log instead of context.logger, plugin.yml entryClass field). A reader following any of those guides would write code that doesn't compile. This commit aligns them with what the framework actually does today. What changed: * docs/architecture/overview.md - Guardrail #5 rewritten from "Multi-tenant in spirit from day one" to "Single-tenant per instance, isolated database" matching CLAUDE.md. - The api.v1 package layout updated to match the actual current surface: dropped `Tenant`, added `PrincipalId`, `PersistenceExceptions`, the full plug-in package (PluginContext, PluginEndpointRegistrar, PluginRequest/Response, PluginJdbc, PluginRow), and the two live cross-PBC facades (IdentityApi, CatalogApi). - The whole "Multi-tenancy" section replaced with "Single-tenant per instance" — drops the two-wall framing, drops per-region routing, drops tenant_id columns and RLS. The single-tenant rationale is explained in line with the rest of the framework. - Custom fields and metadata store sections drop "per tenant" and tenant_id from their column lists. - Audit row in the cross-cutting table drops tenant_id from the column list and adds the PrincipalContext bridge note that's actually live as of P4.1. - "Tier 1 — Key user, no-code" intro drops "scoped to their tenant". * docs/plugin-api/overview.md - api.v1 package layout updated to match the real current surface (same set of additions and deletions as the architecture overview). - Per-package orientation table rewritten to describe what is actually in each package today, including which parts are live (event/, plugin/, http/) and which are stubbed (i18n/, workflow/, form/) with the relevant implementation-plan unit referenced. * docs/plugin-author/getting-started.md — full rewrite. The previous version walked an author through APIs that don't exist: • `Plugin.start(context: PluginContext)` and `Plugin.stop(context: PluginContext)` — actual API is `start(context)` and `stop()` (no arg), with the Pf4jPlugin + VibeErpPlugin dual-supertype trick using import aliases. • `context.log` — actual is `context.logger` (PluginLogger interface). • `plugin.yml` with `entryClass:` field and a structured `metadata.i18n:` subkey — actual schema has no entryClass (PF4J reads `Plugin-Class` from MANIFEST.MF) and `metadata:` is a flat list of paths. • Class-based `@PluginEndpoint` controllers with `ResponseBuilder` — actual is lambda-based registration via `context.endpoints.register(method, path, handler)` returning `PluginResponse`. • `request.translator.format(...)` — translator currently throws UnsupportedOperationException; the example would crash. The new version walks through: 1. The compileOnly api.v1 + pf4j dependency setup. 2. The dual-supertype Pf4jPlugin + VibeErpPlugin trick with import aliases (matches the actual reference plug-in). 3. The real JAR layout (META-INF/MANIFEST.MF for PF4J, plugin.yml for human metadata, META-INF/vibe-erp/db/changelog.xml for Liquibase, META-INF/vibe-erp/metadata/<id>.yml for the metadata loader). 4. Liquibase changelog at the unique META-INF path (not the host's `db/changelog/master.xml` path which would collide on parent-first classloader lookup — the bug we hit and fixed in commit 1ead32d7). 5. Lambda-based endpoint registration with real working examples (path templates, queryForObject, update, JSON body parsing). 6. Metadata YAML shape matching what MetadataLoader actually parses. 7. The boot-log sequence the operator will see, taken from a real smoke run. 8. An honest "what this guide does not yet cover" list with implementation-plan unit references. * docs/i18n/guide.md - Added a "Status" callout at the top: the api.v1 contract is locked, the ICU4J implementation is P1.6 and not yet wired, `context.translator` currently throws. - Bundle filename convention corrected from `<locale>.properties` to `messages_<locale>.properties` (matches what the reference plug-in actually ships). - plugin.yml example updated to show the flat `metadata:` array that PluginManifest actually parses (the previous structured `metadata.i18n:` subkey doesn't exist in the schema). - Merge precedence renamed "tenant overrides" → "operator overrides" since vibe_erp is single-tenant per instance. - LocaleProvider resolution chain updated to drop "tenant default" and reference `vibeerp.i18n.default-locale` configuration. - "Time zones are per-tenant" → "per-user with an instance default". - Locale-add reference to "i18n-overrides volume" annotated as "once P1.6 lands". * docs/customer-onboarding/guide.md - Section 3 "Create a tenant" deleted; replaced with "Configure the instance" pointing at vibeerp.instance.* config. - First-boot bullet list rewritten to drop the bogus "create default tenant row in identity__tenant" step (no such table) and add the real metadata-loader and per-plug-in lifecycle steps that happen. - Mounted-volume table updated: `i18n-overrides/` is "operator translation overrides", not "tenant-level". - "Bind users to roles, bind roles to tenants" simplified; OIDC group claims annotated as P4.2 (not yet wired). - Go-live checklist drops "non-production tenant" wording and "tenant locale defaults" (now instance-level config). - "Hosted multi-tenant operations" deferred-list item rewritten to "hosted operations: provisioning many independent vibe_erp instances", matching the new single-tenant deployment model. * docs/form-authoring/guide.md - Tier 1 section drops "scoped to the tenant", "tweaking for a specific tenant", "tenant-specific custom field". * docs/workflow-authoring/guide.md - "Approval chains that vary per tenant" → "Approval chains the customer wants to author themselves". * docs/index.md - Architecture overview row description updated from "multi-tenancy" to "single-tenant deployment model". - i18n guide row description updated from "tenant overrides" to "operator overrides". Build: ./gradlew build still green (no source touched). The remaining `tenant` references in docs are now ALL intentional — they appear in sentences like "vibe_erp is single-tenant per instance", "there is no create-a-tenant step", "no per-tenant bundles". The historical specs under docs/superpowers/specs/ were intentionally NOT touched: those are dated design records, and the implementation plan already had the single-tenant refactor noted at the top.
vibe_erp
1 parent 95b26a88
Showing 8 changed files with 363 additions and 226 deletions
docs/architecture/overview.md
docs/customer-onboarding/guide.md
docs/form-authoring/guide.md
docs/i18n/guide.md
docs/index.md
docs/plugin-api/overview.md
docs/plugin-author/getting-started.md
docs/workflow-authoring/guide.md
@@ -16,7 +16,7 @@ vibe_erp adopts SAP S/4HANA&#39;s **Clean Core** vocabulary: **extensions never modi
 2. **Workflows are data, not code.** State machines, approval chains, and form definitions are declarative, so a new customer is onboarded by editing definitions, not source.
 3. **Extensibility seams come first.** Before any feature is added, the extension point it hangs off of must exist. If no seam exists, the seam is designed first.
 4. **The reference customer is a test, not a requirement.** Anything implemented for the reference plug-in must be expressible by a different printing shop with different rules, without code changes.
-5. **Multi-tenant in spirit from day one.** Even single-tenant deployments use the same multi-tenant code path.
+5. **Single-tenant per instance, isolated database.** vibe_erp deliberately does NOT support multiple companies in one process. Each running instance serves exactly one company against an isolated Postgres database. Hosting many customers means provisioning many independent instances, not multiplexing them. There are no `tenant_id` columns, no row-level filters, no Postgres Row-Level Security policies anywhere in the framework. Customer isolation is a deployment concern, not a code concern.
 6. **Global / i18n from day one.** No hard-coded user-facing strings, currencies, date formats, time zones, address shapes, or tax models.
  
 ## Two-tier extensibility
@@ -25,7 +25,7 @@ vibe_erp offers **two extension paths**, both first-class. The same outcome can 
  
 ### Tier 1 — Key user, no-code
  
-Business analysts customize the system through the web UI. Everything they create is stored as **rows in the metadata tables**, scoped to their tenant, tagged `source = 'user'`, and preserved across plug-in install/uninstall and core upgrades.
+Business analysts customize the system through the web UI. Everything they create is stored as **rows in the metadata tables**, tagged `source = 'user'`, and preserved across plug-in install/uninstall and core upgrades.
  
 | Capability | Stored in |
 |---|---|
@@ -120,18 +120,20 @@ Package layout:
  
 ```
 org.vibeerp.api.v1
-├── core/         Tenant, Locale, Money, Quantity, Id<T>, Result<T,E>
-├── entity/       Entity, Field, FieldType, EntityRegistry
-├── persistence/  Repository<T>, Query, Page, Transaction
-├── workflow/     WorkflowTask, WorkflowEvent, TaskHandler
-├── form/         FormSchema, UiSchema
-├── http/         @PluginEndpoint, RequestContext, ResponseBuilder
-├── event/        DomainEvent, EventListener, EventBus
-├── security/     Principal, Permission, PermissionCheck
+├── core/         Id<T>, Money, Currency, Quantity, UnitOfMeasure, Result<T,E>
+├── entity/       Entity, AuditedEntity, FieldType, CustomField, EntityRegistry
+├── persistence/  Repository<T>, Query, Page, Transaction, PersistenceExceptions
+├── workflow/     WorkflowTask, TaskHandler, TaskContext
+├── form/         FormSchema
+├── http/         @PluginEndpoint, RequestContext
+├── event/        DomainEvent, EventListener, EventBus (with Subscription)
+├── security/     Principal, PrincipalId, Permission, PermissionCheck
 ├── i18n/         MessageKey, Translator, LocaleProvider
-├── reporting/    ReportTemplate, ReportContext
-├── plugin/       Plugin, PluginManifest, ExtensionPoint
-└── ext/          Typed extension interfaces a plug-in implements
+├── plugin/       Plugin, PluginContext, PluginManifest, ExtensionPoint,
+│                 PluginEndpointRegistrar, HttpMethod, PluginRequest,
+│                 PluginResponse, PluginEndpointHandler, PluginJdbc, PluginRow
+└── ext/          Typed cross-PBC facades (ext.identity.IdentityApi,
+                  ext.catalog.CatalogApi)
 ```
  
 `api.v1` is published as `api-v1.jar` to **Maven Central**, so plug-in authors can build against it without pulling the entire vibe_erp source tree.
@@ -185,41 +187,35 @@ One Spring Boot process per instance, one Docker image per release, one mounted 
  
 The only mandatory external dependency is **PostgreSQL**. Optional sidecars for larger deployments — Keycloak, Redis, OpenSearch, SMTP relay — are off by default.
  
-## Multi-tenancy
+## Single-tenant per instance
  
-vibe_erp is **multi-tenant in spirit from day one**, even when deployed for a single customer. The same code path serves self-hosted single-tenant and hosted multi-tenant deployments.
+vibe_erp is **deliberately single-tenant per instance**. One running process serves exactly one company against an isolated Postgres database. Hosting many customers means provisioning many independent instances, each with its own DB. There are no `tenant_id` columns, no row-level filters, no Postgres Row-Level Security policies anywhere in the framework. Customer isolation is a deployment concern, not a code concern.
+
+This is the choice in CLAUDE.md guardrail #5. The rationale: most ERP/EBC customers will not accept a SaaS where their data shares a database with other companies, and per-instance isolation is dramatically simpler than per-row tenant filtering. The cost is that hosting many customers requires real provisioning infrastructure (one container + one DB per customer); the benefit is that the framework itself stays simple, the audit story is trivial, and GDPR data residency is automatic — the customer chose where Postgres lives.
  
 ### Schema namespacing
  
 PBCs and plug-ins use **table name prefixes**, not Postgres schemas:
  
 ```
-identity__user, identity__role
-catalog__item, catalog__item_attribute
-inventory__stock_item, inventory__movement
-orders_sales__order, orders_sales__order_line
-production__work_order, production__operation
-plugin_printingshop__plate_spec  (reference plug-in)
-metadata__custom_field, metadata__form, metadata__workflow
-flowable_*  (Flowable's own tables, untouched)
+identity__user, identity__role, identity__user_credential
+catalog__item, catalog__uom
+inventory__stock_item, inventory__movement   (future PBC)
+orders_sales__order, orders_sales__order_line   (future PBC)
+plugin_printingshop__plate, plugin_printingshop__ink_recipe  (reference plug-in)
+metadata__entity, metadata__permission, metadata__menu, metadata__custom_field, ...
+platform__event_outbox
+flowable_*  (Flowable's own tables, untouched, when wired)
 ```
  
-This keeps Hibernate, RLS policies, and migrations all in one logical schema (`public`), avoids `search_path` traps, and gives clean uninstall semantics.
-
-### Tenant isolation — two independent walls
-
-- Every business table has `tenant_id`, NOT NULL.
-- Hibernate `@TenantId` filters every query at the application layer.
-- Postgres Row-Level Security policies filter every query at the database layer.
-
-Two independent walls. A bug in one is not a data leak. Self-hosted single-customer deployments use one tenant row called `default`. Hosted multi-tenant deployments use many tenant rows. **Same code path.**
+This keeps Hibernate and migrations all in one logical schema (`public`), avoids `search_path` traps, and gives clean plug-in uninstall semantics: drop everything matching `plugin_<id>__*`.
  
 ### Data sovereignty
  
-- Self-hosted is automatically compliant — the customer chose where Postgres lives.
-- Hosted supports per-region tenant routing: each tenant row carries a region; connections are routed to the right regional Postgres cluster.
-- PII tagging on field metadata drives auto-generated DSAR exports and erasure jobs (GDPR Articles 15/17).
-- Append-only audit log records access to PII fields when audit-strict mode is on.
+- **Self-hosted is automatically compliant** — the customer chose where Postgres lives.
+- **Hosted** is a separate "operator console" concern (post-v1.0): provision a fresh vibe_erp instance + dedicated Postgres per customer. The framework code is unchanged.
+- **PII tagging** on field metadata drives auto-generated DSAR exports and erasure jobs (GDPR Articles 15/17). The metadata seeder ships the tag; the eraser is future work (P3.x).
+- **Append-only audit log** records the principal and timestamp of every save via the JPA listener.
  
 ## Custom fields via JSONB
  
@@ -230,7 +226,7 @@ ext       jsonb   not null  default &#39;{}&#39;,
 ext_meta  text    generated
 ```
  
-Custom fields are JSON keys inside `ext`. A GIN index on `ext` makes them queryable. The `metadata__custom_field` table describes the JSON shape per entity per tenant. The form designer, list views, OpenAPI generator, and AI-agent function catalog all read from this table.
+Custom fields are JSON keys inside `ext`. A GIN index on `ext` makes them queryable. The `metadata__custom_field` table describes the JSON shape per entity. The form designer, list views, OpenAPI generator, and AI-agent function catalog all read from this table.
  
 Why JSONB and not EAV: one row, one read, indexable, no migrations needed for additions, no joins. EAV is the wrong tool.
  
@@ -245,7 +241,7 @@ metadata__workflow       metadata__rule           metadata__menu
 metadata__report         metadata__translation    metadata__plugin_config
 ```
  
-Every row carries `tenant_id`, `source` (`core` / `plugin:<id>` / `user`), `version`, `is_active`. The `source` column makes uninstall and upgrade safe: removing a plug-in cleans up its metadata, and user-created metadata is sacred and never touched by an upgrade.
+Every row carries `source` (`core` / `plugin:<id>` / `user`) plus timestamps. The `source` column makes uninstall and upgrade safe: removing a plug-in cleans up its metadata via a single `DELETE WHERE source = 'plugin:<id>'`, and user-created metadata is sacred and never touched by core or plug-in upgrades. The current metadata loader (P1.5) implements `loadCore()` and `loadFromPluginJar(pluginId, jarPath)` and exposes the seeded data at the public `GET /api/v1/_meta/metadata` endpoint.
  
 Every consumer reads from this store: the form renderer, list views, OpenAPI generator, AI-agent function catalog, role editor. There are no parallel sources of truth.
  
@@ -269,7 +265,7 @@ The temptation to invent a vibe_erp-only workflow language must be rejected. BPM
 |---|---|
 | Security | `PermissionCheck` declared in `api.v1.security`; plug-ins register their own permissions, auto-listed in the role editor |
 | Transactions | Spring `@Transactional` at the application-service layer; plug-ins use `api.v1.persistence.Transaction`, never Spring directly |
-| Audit | `created_at`, `created_by`, `updated_at`, `updated_by`, `tenant_id` on every entity, applied by a JPA listener |
+| Audit | `created_at`, `created_by`, `updated_at`, `updated_by`, `version` on every entity, applied by a JPA listener that reads `created_by` from `PrincipalContext` (bound by the JWT auth filter) |
 | Events | Typed `DomainEvent`s on every state change; in-process bus by default; outbox table in Postgres for cross-crash reliability and as the seam where Kafka/NATS plugs in later |
 | AI-agent surface | Same business operations exposed through REST are exposable through an MCP server; v1.1 ships the MCP endpoint, v1.0 architects the seam |
 | Reporting | JasperReports; templates shipped by core or by plug-ins, customer-skinnable |
@@ -27,10 +27,11 @@ docker run -d --name vibe-erp \
 What happens on first boot:
  
 1. The host connects to Postgres.
-2. Liquibase runs every core PBC's migrations and creates the `flowable_*` tables.
-3. A `default` tenant row is created in `identity__tenant`.
-4. A bootstrap admin user is created and its one-time password is printed to the boot log.
-5. The host is ready in under 30 seconds.
+2. Liquibase runs every core PBC's migrations (plus `flowable_*` once that lands).
+3. A bootstrap admin user is created and its one-time password is printed to the boot log.
+4. The metadata loader walks the host classpath and seeds `metadata__entity` / `metadata__permission` / `metadata__menu` from each PBC's YAML file.
+5. Each plug-in JAR is linted, migrated, metadata-loaded, and started in turn.
+6. The host is ready in under 30 seconds.
  
 The mounted volume `/srv/vibeerp` (mapped to `/opt/vibe-erp` inside the container) holds:
  
@@ -38,32 +39,24 @@ The mounted volume `/srv/vibeerp` (mapped to `/opt/vibe-erp` inside the containe
 /opt/vibe-erp/
 ├── config/vibe-erp.yaml      single config file (closed key set)
 ├── plugins/                  drop *.jar to install
-├── i18n-overrides/           tenant-level translation overrides
+├── i18n-overrides/           operator translation overrides
 ├── files/                    file store (if not using S3)
 └── logs/
 ```
  
-Customer extensions live entirely outside the image. Upgrading the host is `docker rm` plus `docker run` with the new image tag — extensions and config stay put.
+Customer extensions live entirely outside the image. Upgrading the host is `docker rm` plus `docker run` with the new image tag — extensions and config stay put. **vibe_erp is single-tenant per instance: this container serves exactly one company. Hosting a second customer means provisioning a second container with its own Postgres.**
  
 ## 2. Log in as the bootstrap admin
  
-Open `http://<host>:8080/`, log in with `admin` and the one-time password from the boot log, and change the password immediately. Configure OIDC (Keycloak-compatible) at this point if the customer has an existing identity provider — built-in JWT auth and OIDC SSO are both shipped from day one.
+Open `http://<host>:8080/`, log in with `admin` and the one-time password from the boot log, and change the password immediately. Configure OIDC (Keycloak-compatible) at this point if the customer has an existing identity provider — built-in JWT auth is live today; OIDC is P4.2 in the implementation plan and not yet wired.
  
-## 3. Create a tenant (hosted only)
+## 3. Configure the instance
  
-For a self-hosted single-customer deployment, the `default` tenant is everything you need. Skip this step.
-
-For a hosted multi-tenant deployment, create one tenant row per customer. Each tenant carries:
-
-- A unique tenant id.
-- A region (used by the per-region routing layer in hosted mode).
-- A default locale, currency, and time zone.
-
-Tenant onboarding is an `INSERT` plus seed metadata, not a migration — sub-second per tenant.
+Set the company name, default locale, default currency, and default time zone in `vibe-erp.yaml` under `vibeerp.instance.*`. There is no "create a tenant" step — this entire instance belongs to one company.
  
 ## 4. Use the Customize UI to model the customer's reality
  
-This is where most of the integrator's time is spent. Everything here is **Tier 1**: rows in `metadata__*` tables, tagged `source = 'user'`, scoped to the tenant. No build, no restart, no deploy. **(current: API only — POST to the metadata endpoints; the UIs ship in v1.0.)**
+This is where most of the integrator's time is spent. Everything here is **Tier 1**: rows in `metadata__*` tables, tagged `source = 'user'`. No build, no restart, no deploy. **(current: API only — POST to the metadata endpoints; the UIs ship in v1.0.)**
  
 ### Custom fields
  
@@ -101,7 +94,7 @@ Define the customer&#39;s roles (e.g. *sales clerk*, *production planner*, *warehous
 - Plug-ins (each plug-in registers its own permissions through `api.v1.security.PermissionCheck`).
 - Custom entities (each generates a standard CRUD permission set).
  
-Bind users to roles, bind roles to tenants. Hosted deployments can also bind roles via OIDC group claims.
+Bind users to roles. Once OIDC (P4.2) lands, roles can also be bound via the identity provider's group claims.
  
 ## 7. Add Tier 2 plug-ins as needed
  
@@ -122,14 +115,14 @@ A guiding principle: **anything a Tier 2 plug-in does should also become possibl
  
 - [ ] Backups configured against the Postgres instance. Customer data lives there exclusively (plus the file store).
 - [ ] Audit log enabled for PII fields if the customer is subject to GDPR or equivalent.
-- [ ] DSAR export and erasure jobs tested against a non-production tenant.
-- [ ] Locale, currency, time zone defaults set for the tenant.
-- [ ] OIDC integration tested with the customer's identity provider.
+- [ ] DSAR export and erasure jobs tested against a non-production copy.
+- [ ] Locale, currency, time zone defaults set in `vibe-erp.yaml`.
+- [ ] OIDC integration tested with the customer's identity provider (once P4.2 lands).
 - [ ] Health check (`/actuator/health`) wired into the customer's monitoring.
 - [ ] Documented upgrade procedure for the operator: `docker rm` plus `docker run` with the new image tag, plug-ins and config stay put.
  
 ## What this guide deliberately does not cover
  
 - **Plug-in development.** That is the [plug-in author getting-started guide](../plugin-author/getting-started.md).
-- **Hosted multi-tenant operations** (per-region routing, billing, tenant provisioning UI). Hosted mode is a v2 deliverable; the data model and routing layer are architected for it from day one but the operations UI is not in v1.0.
-- **MCP / AI-agent endpoint.** v1.1 deliverable. The seam exists in v1.0; the endpoint does not.
+- **Hosted operations** (provisioning many independent vibe_erp instances, one per customer; billing; an operator console). vibe_erp is single-tenant per instance — hosting many customers means running many independent containers with their own databases. The provisioning console is a post-v1.0 deliverable.
+- **MCP / AI-agent endpoint.** v1.1 deliverable. The seam exists today; the endpoint does not.
@@ -55,12 +55,12 @@ Both paths are first-class. The renderer does not know which one produced a give
  
 ### Tier 1 — Form designer in the web UI (v1.0)
  
-Business analysts build forms in the form designer that ships in the web SPA. The result is stored as a row in `metadata__form`, scoped to the tenant, tagged `source = 'user'` so it survives plug-in install/uninstall and core upgrades. No build, no restart.
+Business analysts build forms in the form designer that ships in the web SPA. The result is stored as a row in `metadata__form`, tagged `source = 'user'` so it survives plug-in install/uninstall and core upgrades. No build, no restart.
  
 This path is the right one for:
  
-- Tweaking the layout of an existing entity for a specific tenant.
-- Adding a tenant-specific custom field to an existing form.
+- Tweaking the layout of an existing entity for the customer's specific needs.
+- Adding a custom field to an existing form.
 - Building a form for a Tier 1 custom entity.
  
 The form designer is a **v1.0 deliverable**.
@@ -2,6 +2,14 @@
  
 vibe_erp is built to be sold worldwide. There are no hard-coded user-facing strings, currencies, date formats, time zones, number formats, address shapes, or tax models in the framework — everything user-facing flows through the i18n and formatting layers from day one. This is guardrail #6 in `CLAUDE.md`, and it applies to the core, every PBC, and every plug-in.
  
+> **Status (current build).** The api.v1 contract for i18n (`Translator`,
+> `LocaleProvider`, `MessageKey`) is locked in and present. The host
+> implementation backed by ICU4J is **P1.6** in the implementation plan
+> and is **not yet wired** — `context.translator` currently throws
+> `UnsupportedOperationException`. This guide describes the design that
+> P1.6 will deliver. See [`../../PROGRESS.md`](../../PROGRESS.md) for
+> the live status of every feature.
+
 For the architectural placement of i18n, see [`../architecture/overview.md`](../architecture/overview.md) and the full spec at [`../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md`](../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md).
  
 ## ICU MessageFormat is the backbone
@@ -23,25 +31,24 @@ The same key produces correct output in English, German, Japanese, Chinese, and 
  
 ## Plug-ins ship message bundles
  
-Each plug-in (and each PBC) ships its message bundles inside its JAR under `i18n/<locale>.properties`. The locale tag follows BCP 47:
+Each plug-in (and each PBC) ships its message bundles inside its JAR under `i18n/messages_<locale>.properties`. The locale tag follows BCP 47:
  
 ```
 src/main/resources/
 └── i18n/
-    ├── en-US.properties
-    ├── zh-CN.properties
-    ├── de-DE.properties
-    ├── ja-JP.properties
-    └── es-ES.properties
+    ├── messages_en-US.properties
+    ├── messages_zh-CN.properties
+    ├── messages_de-DE.properties
+    ├── messages_ja-JP.properties
+    └── messages_es-ES.properties
 ```
  
-The `plugin.yml` manifest lists the bundles so the loader knows to pick them up:
+The `plugin.yml` manifest lists the bundle paths under its flat `metadata:` array so the loader knows to pick them up:
  
 ```yaml
 metadata:
-  i18n:
-    - i18n/en-US.properties
-    - i18n/de-DE.properties
+  - i18n/messages_en-US.properties
+  - i18n/messages_zh-CN.properties
 ```
  
 ## How the host merges bundles
@@ -49,16 +56,16 @@ metadata:
 On boot, and on every plug-in install, the host builds a merged `MessageSource` per locale. The merge order, from lowest precedence to highest:
  
 1. **Core bundles** shipped inside the vibe_erp image.
-2. **Plug-in bundles** picked up from `./plugins/*.jar` in plug-in load order. A plug-in may override a core key with the same key in its own bundle, but is not encouraged to.
-3. **Tenant overrides** stored in `metadata__translation` rows tagged with the tenant id. These are entered through the Tier 1 customization UI and let an integrator rewrite any string for any tenant without rebuilding anything.
+2. **Plug-in bundles** picked up from each plug-in's JAR in plug-in load order. A plug-in may override a core key with the same key in its own bundle, but is not encouraged to.
+3. **Operator overrides** stored as `metadata__translation` rows tagged `source = 'user'`. These will be entered through the Tier 1 customization UI (P3.x) and let an integrator rewrite any string for the instance without rebuilding anything.
  
 ```
-tenant overrides   ← highest precedence
+operator overrides   ← highest precedence
    plug-in bundles
-   core bundles    ← lowest precedence
+   core bundles      ← lowest precedence
 ```
  
-The merged `MessageSource` is per-locale and per-tenant. Switching the user's locale or switching tenants picks the right merged bundle without restarting anything.
+The merged `MessageSource` is per-locale. Switching the user's locale picks the right merged bundle without restarting anything. (vibe_erp is single-tenant per instance, so there are no per-tenant bundles — every user of the same instance shares the same merge result for a given locale.)
  
 ## Shipping locales for v1.0
  
@@ -72,7 +79,7 @@ vibe_erp v1.0 ships with five locales:
 | `ja-JP` | Japanese |
 | `es-ES` | Spanish (Spain) |
  
-Adding a sixth locale is a Tier 1 operation: drop a `<locale>.properties` file into `i18n-overrides/` on the mounted volume, or add `metadata__translation` rows through the customization UI. No rebuild.
+Adding a sixth locale (once P1.6 lands) is a Tier 1 operation: drop a `<locale>.properties` file into `i18n-overrides/` on the mounted volume, or add `metadata__translation` rows through the customization UI. No rebuild.
  
 The reference business documentation under `raw/业务流程设计文档/` is in Chinese. **That does not make Chinese the default.** Chinese is one supported locale among the five.
  
@@ -116,7 +123,7 @@ What this means in practice:
 - A reviewer who sees a `String.format` against a hard-coded format string rejects the PR.
 - A reviewer who sees `if (locale == "en") "..." else "..."` rejects the PR with prejudice.
  
-The `Translator` is locale-aware: it picks up the request's resolved locale from the `LocaleProvider`, which in turn resolves from (in order) the user's profile preference, the request's `Accept-Language`, the tenant default, and the system default.
+The `Translator` is locale-aware: it picks up the request's resolved locale from the `LocaleProvider`, which in turn resolves from (in order) the user's profile preference, the request's `Accept-Language`, and the instance default configured in `vibeerp.i18n.default-locale`.
  
 ## PII, dates, numbers, currency
  
@@ -125,7 +132,7 @@ Locale handling does not stop at strings:
 - **Dates and times** are formatted through the locale, not through hard-coded patterns. The host exposes locale-aware formatters; plug-ins use them.
 - **Numbers** use the locale's grouping and decimal separators.
 - **Currency** values are `Money` (from `api.v1.core`) — an amount plus an ISO 4217 code — and the formatter renders them in the user's locale (e.g. `$1,234.56` vs. `1.234,56 €` vs. `¥1,235`).
-- **Time zones** are per-tenant and per-user, not per-server.
+- **Time zones** are per-user (with an instance default configured in `vibeerp.instance.*`), not per-server.
 - **PII fields** are tagged in the field metadata. Tagged fields drive auto-generated DSAR exports and erasure jobs (GDPR Articles 15/17), and the audit log records access to them when audit-strict mode is on.
 - **Address shapes** are not assumed. There is no "state/province" or "ZIP code" hard-coded in the core; address fields are configurable via metadata so a Japanese address can have prefecture/city/ward and a French address can have arrondissement.
  
@@ -6,10 +6,10 @@ vibe_erp is an ERP/EBC framework for the printing industry, designed so customer
  
 | Guide | What it covers |
 |---|---|
-| [Architecture overview](architecture/overview.md) | Clean Core philosophy, two-tier extensibility, PBCs, the dependency rule, multi-tenancy, custom fields, the workflow engine. |
+| [Architecture overview](architecture/overview.md) | Clean Core philosophy, two-tier extensibility, PBCs, the dependency rule, single-tenant deployment model, custom fields, the workflow engine. |
 | [Plug-in API overview](plugin-api/overview.md) | What `api.v1` is, the package layout, the stability contract, the A/B/C/D extension grading. |
 | [Plug-in author getting started](plugin-author/getting-started.md) | A concrete walkthrough for building, packaging, and loading your first vibe_erp plug-in. |
 | [Workflow authoring guide](workflow-authoring/guide.md) | BPMN 2.0 workflows on embedded Flowable: visual designer (Tier 1) and `.bpmn` files in plug-ins (Tier 2). |
 | [Form authoring guide](form-authoring/guide.md) | JSON Schema + UI Schema forms: visual designer (Tier 1) and JSON files in plug-ins (Tier 2). |
-| [i18n guide](i18n/guide.md) | ICU MessageFormat, message bundles, locale resolution, tenant overrides, shipping locales. |
+| [i18n guide](i18n/guide.md) | ICU MessageFormat, message bundles, locale resolution, operator overrides, shipping locales. |
 | [Customer onboarding guide](customer-onboarding/guide.md) | Integrator's checklist for standing up a new vibe_erp customer end-to-end. |
@@ -15,34 +15,37 @@ For the architectural reasoning behind `api.v1`, see [`../architecture/overview.
  
 ```
 org.vibeerp.api.v1
-├── core/         Tenant, Locale, Money, Quantity, Id<T>, Result<T,E>
-├── entity/       Entity, Field, FieldType, EntityRegistry
-├── persistence/  Repository<T>, Query, Page, Transaction
-├── event/        DomainEvent, EventListener, EventBus
-├── security/     Principal, Permission, PermissionCheck
+├── core/         Id<T>, Money, Currency, Quantity, UnitOfMeasure, Result<T,E>
+├── entity/       Entity, AuditedEntity, FieldType, CustomField, EntityRegistry
+├── persistence/  Repository<T>, Query, Page, Transaction, PersistenceExceptions
+├── event/        DomainEvent, EventListener, EventBus (with Subscription)
+├── security/     Principal, PrincipalId, Permission, PermissionCheck
 ├── i18n/         MessageKey, Translator, LocaleProvider
-├── http/         @PluginEndpoint, RequestContext, ResponseBuilder
-├── plugin/       Plugin, PluginManifest, ExtensionPoint
-├── ext/          Typed extension interfaces a plug-in implements
-├── workflow/     WorkflowTask, WorkflowEvent, TaskHandler
-└── form/         FormSchema, UiSchema
+├── http/         @PluginEndpoint, RequestContext
+├── plugin/       Plugin, PluginContext, PluginManifest, ExtensionPoint,
+│                 PluginEndpointRegistrar, HttpMethod, PluginRequest,
+│                 PluginResponse, PluginEndpointHandler, PluginJdbc, PluginRow
+├── ext/          Typed cross-PBC facades: ext.identity.IdentityApi,
+│                 ext.catalog.CatalogApi
+├── workflow/     WorkflowTask, TaskHandler, TaskContext
+└── form/         FormSchema
 ```
  
 A short orientation:
  
 | Package | What it gives you |
 |---|---|
-| `core/` | The primitive value types every plug-in needs: `Tenant`, `Locale`, `Money`, `Quantity`, typed `Id<T>`, `Result<T,E>`. No printing concepts. |
-| `entity/` | Declarative entity model. Plug-ins describe entities, fields, and field types through `EntityRegistry`; the platform handles persistence and OpenAPI. |
-| `persistence/` | `Repository<T>`, `Query`, `Page`, `Transaction`. Plug-ins never see Hibernate or Spring `@Transactional` directly. |
-| `event/` | `DomainEvent`, `EventListener`, `EventBus`. The primary cross-PBC and cross-plug-in communication channel. |
-| `security/` | `Principal`, `Permission`, `PermissionCheck`. Plug-ins register their own permissions; the role editor auto-discovers them. |
-| `i18n/` | `MessageKey`, `Translator`, `LocaleProvider`. The only sanctioned way for a plug-in to produce user-facing text. |
-| `http/` | `@PluginEndpoint` and the request/response abstractions for adding REST endpoints from a plug-in. |
-| `plugin/` | `Plugin`, `PluginManifest`, `ExtensionPoint`, and the `@Extension` annotation. The plug-in lifecycle entry points. |
-| `ext/` | Typed extension interfaces that PBCs declare and plug-ins implement (e.g. `api.v1.ext.inventory.StockReservationStrategy`). The cross-PBC interaction surface. |
-| `workflow/` | `WorkflowTask`, `WorkflowEvent`, `TaskHandler`. The hooks BPMN service tasks call into. |
-| `form/` | `FormSchema`, `UiSchema`. JSON Schema and UI Schema as Kotlin types, for plug-ins shipping form definitions. |
+| `core/` | The primitive value types every plug-in needs: typed `Id<T>`, `Money` + `Currency`, `Quantity` + `UnitOfMeasure`, `Result<T,E>`. No printing concepts. |
+| `entity/` | Declarative entity model. `Entity` and `AuditedEntity` markers, `FieldType` sealed hierarchy, `CustomField` and `EntityRegistry` for the metadata-driven custom fields story. |
+| `persistence/` | `Repository<T>`, `Query`, `Page`, `Transaction`, plus the closed `PersistenceException` hierarchy (`OptimisticLockConflictException`, `UniqueConstraintViolationException`, `EntityValidationException`, `EntityNotFoundException`). Plug-ins never see Hibernate, JPA, or Spring `@Transactional` directly. |
+| `event/` | `DomainEvent`, `EventListener`, `EventBus` with `Subscription` (closeable) and topic-string + class-keyed subscribe overloads. The primary cross-PBC communication channel. **Live as of P1.7.** |
+| `security/` | `Principal` (sealed: `User`, `System`, `PluginPrincipal`), `PrincipalId`, `Permission`, `PermissionCheck`. Plug-ins register their own permissions; the role editor auto-discovers them. |
+| `i18n/` | `MessageKey`, `Translator`, `LocaleProvider`. The only sanctioned way for a plug-in to produce user-facing text. (Real ICU4J `Translator` impl is P1.6 — the api.v1 contract is locked, the host implementation throws `UnsupportedOperationException` until then.) |
+| `http/` | `@PluginEndpoint` annotation and `RequestContext` for plug-in HTTP handlers. |
+| `plugin/` | The plug-in lifecycle: `Plugin` interface, `PluginContext` (with live accessors for `logger`, `endpoints`, `eventBus`, `jdbc`), `PluginManifest`, `ExtensionPoint`/`@Extension`, and the endpoint types: `PluginEndpointRegistrar`, `HttpMethod`, `PluginRequest`, `PluginResponse`, `PluginEndpointHandler`, plus the typed-SQL surface `PluginJdbc`/`PluginRow`. |
+| `ext/` | Typed cross-PBC facades. Two are live today: `ext.identity.IdentityApi` (with `UserRef`) and `ext.catalog.CatalogApi` (with `ItemRef`/`UomRef`). Future PBCs will add their own under the same pattern. |
+| `workflow/` | `WorkflowTask`, `TaskHandler`, `TaskContext` (with `tenantId` removed — single-tenant — and `principal()`, `locale()`, `correlationId()` accessors). The hooks BPMN service tasks call into when Flowable lands (P2.1). |
+| `form/` | `FormSchema` — JSON Schema string + UI Schema string + version. Form parsing and rendering happens in the host (server) and the SPA (client). |
  
 ## The stability contract
  
 # Plug-in author: getting started
  
-This walkthrough is for a developer building their first vibe_erp plug-in. By the end you will have a JAR that drops into `./plugins/`, registers an extension, exposes a REST endpoint, and shows up in the plug-in loader log on the next restart.
+This walkthrough is for a developer building their first vibe_erp plug-in. By the end you will have a JAR that drops into `./plugins/`, owns its own database tables, registers HTTP endpoints, and shows up in the host's boot log.
  
-For the conceptual overview of the plug-in API, read [`../plugin-api/overview.md`](../plugin-api/overview.md) first. For the architectural reasoning behind the constraints, see [`../architecture/overview.md`](../architecture/overview.md) and the full spec at [`../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md`](../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md).
+For the conceptual overview of the plug-in API, read [`../plugin-api/overview.md`](../plugin-api/overview.md) first. For the architectural reasoning behind the constraints, see [`../architecture/overview.md`](../architecture/overview.md). The most up-to-date worked example is the **reference printing-shop plug-in** at `reference-customer/plugin-printing-shop/` in this repo — it exercises everything described below.
  
 ## 1. The only dependency you need
  
-Add `org.vibeerp:api-v1` from Maven Central. **This is the only vibe_erp dependency a plug-in is allowed to declare.** Importing anything from `org.vibeerp.platform.*` or any PBC's internal package will fail the plug-in linter at install time.
+Add `org.vibeerp:api-v1` and PF4J's `Plugin` base class. **`api-v1` is the only vibe_erp dependency a plug-in is allowed to declare** — the host's `PluginLinter` will scan your JAR's bytecode at install time and reject it if it references anything in `org.vibeerp.platform.*` or `org.vibeerp.pbc.*`.
  
 In Gradle (`build.gradle.kts`):
  
 ```kotlin
 plugins {
-    kotlin("jvm") version "2.0.0"
+    kotlin("jvm") version "1.9.24"
 }
  
 repositories {
@@ -20,185 +20,323 @@ repositories {
 }
  
 dependencies {
+    // The only vibe_erp dependency. Use `compileOnly` so it isn't bundled
+    // into your JAR — the host provides api-v1 at runtime via parent-first
+    // classloading.
     compileOnly("org.vibeerp:api-v1:1.0.0")
-    // Test against the same artifact at runtime
-    testImplementation("org.vibeerp:api-v1:1.0.0")
+
+    // PF4J's Plugin base class — also `compileOnly`. The host provides it.
+    compileOnly("org.pf4j:pf4j:3.12.0")
+}
+
+// PF4J expects manifest entries to identify the plug-in.
+tasks.jar {
+    duplicatesStrategy = DuplicatesStrategy.EXCLUDE
+    manifest {
+        attributes(
+            "Plugin-Id" to "hello-print",
+            "Plugin-Version" to project.version,
+            "Plugin-Provider" to "Example Print Co.",
+            "Plugin-Class" to "com.example.helloprint.HelloPrintPlugin",
+            "Plugin-Description" to "Hello-print example plug-in",
+            "Plugin-Requires" to "1.x",
+        )
+    }
 }
 ```
  
-`compileOnly` is correct: at runtime the plug-in classloader is given `api.v1` from the host. Bundling it inside your plug-in JAR causes classloader confusion.
+`compileOnly` is correct for both deps: at runtime the host's parent-first classloader serves them. Bundling either one inside your JAR causes ClassCastException at the host/plug-in boundary.
+
+## 2. Implement the plug-in entry class
  
-## 2. Implement `org.vibeerp.api.v1.plugin.Plugin`
+Your plug-in's main class needs to do two things at once:
  
-The plug-in's entry class is the single point where the host hands you a context and asks you to wire yourself up.
+- **Extend `org.pf4j.Plugin`** so PF4J's loader can instantiate it from the `Plugin-Class` manifest entry.
+- **Implement `org.vibeerp.api.v1.plugin.Plugin`** so vibe_erp's lifecycle hook can call `start(context)` after PF4J's no-arg `start()` runs.
+
+The two have the same simple name `Plugin` but live in different packages, so use Kotlin import aliases:
  
 ```kotlin
 package com.example.helloprint
  
-import org.vibeerp.api.v1.plugin.Plugin
+import org.pf4j.PluginWrapper
+import org.vibeerp.api.v1.plugin.HttpMethod
 import org.vibeerp.api.v1.plugin.PluginContext
+import org.vibeerp.api.v1.plugin.PluginRequest
+import org.vibeerp.api.v1.plugin.PluginResponse
+import org.pf4j.Plugin as Pf4jPlugin
+import org.vibeerp.api.v1.plugin.Plugin as VibeErpPlugin
+
+class HelloPrintPlugin(wrapper: PluginWrapper) : Pf4jPlugin(wrapper), VibeErpPlugin {
+
+    private var context: PluginContext? = null
  
-class HelloPrintPlugin : Plugin {
+    override fun id(): String = "hello-print"
+    override fun version(): String = "0.1.0"
  
     override fun start(context: PluginContext) {
-        context.log.info("hello-print plug-in starting")
-        // Register listeners, seed metadata, etc.
+        this.context = context
+        context.logger.info("hello-print plug-in starting")
+
+        // Register HTTP handlers, subscribe to events, etc., here.
     }
  
-    override fun stop(context: PluginContext) {
-        context.log.info("hello-print plug-in stopping")
+    override fun stop() {
+        context?.logger?.info("hello-print plug-in stopping")
+        context = null
     }
 }
 ```
  
-The host calls `start` after the plug-in's classloader, Spring child context, and Liquibase migrations are ready. Anything the plug-in needs from the host (event bus, translator, repositories, configuration) comes through `PluginContext`.
+The host's lifecycle order is **load → lint → migrate → metadata → start**. By the time your `start(context)` runs:
  
-## 3. Write a `plugin.yml` manifest
+- PF4J has loaded your JAR.
+- The plug-in linter has scanned your bytecode for forbidden imports.
+- The host has applied your `META-INF/vibe-erp/db/changelog.xml` against the shared Postgres datasource.
+- The host has loaded your `META-INF/vibe-erp/metadata/*.yml` files.
+- A real `PluginContext` is wired with `logger`, `endpoints`, `eventBus`, and `jdbc` accessors.
  
-The manifest sits at the root of the JAR (`src/main/resources/plugin.yml`). It tells the host who you are, what API version you target, and what permissions you need.
+## 3. The plug-in JAR layout
  
-```yaml
-id: com.example.helloprint
-version: 0.1.0
-requiresApi: "1.x"
-name: Hello Print
-entryClass: com.example.helloprint.HelloPrintPlugin
+```
+src/main/
+├── kotlin/
+│   └── com/example/helloprint/
+│       └── HelloPrintPlugin.kt
+└── resources/
+    ├── plugin.yml                              ← human-readable manifest
+    └── META-INF/
+        └── vibe-erp/
+            ├── db/
+            │   └── changelog.xml               ← Liquibase, applied at start
+            └── metadata/
+                └── hello-print.yml             ← entities, perms, menus
+```
  
-description: >
-  A minimal worked example for the vibe_erp plug-in author guide.
-  Registers one extension and exposes one REST endpoint.
+Two manifest files:
  
-vendor:
-  name: Example Print Co.
-  url: https://example.com
+- **`META-INF/MANIFEST.MF`** is what PF4J reads to discover the plug-in (set via Gradle's `tasks.jar.manifest { attributes(...) }`).
+- **`plugin.yml`** is human-readable metadata used by the SPA and the operator console. It's parsed by `org.vibeerp.api.v1.plugin.PluginManifest`.
  
+A minimal `plugin.yml`:
+
+```yaml
+id: hello-print
+version: 0.1.0
+requiresApi: "1.x"
+name:
+  en-US: Hello Print
+  zh-CN: 你好印刷
 permissions:
-  - hello_print.greet.read
-
-metadata:
-  forms:
-    - metadata/forms/greeting.json
-  i18n:
-    - i18n/en-US.properties
-    - i18n/de-DE.properties
+  - hello.print.greet
+dependencies: []
 ```
  
-Field notes:
+`requiresApi: "1.x"` means "any 1.y.z release of api.v1". A mismatch fails the plug-in at install time, never at runtime.
+
+## 4. Own your own database tables
+
+Plug-ins use the same Liquibase that the host uses, applied via `PluginLiquibaseRunner` against the shared host datasource. The host looks for the changelog at exactly `META-INF/vibe-erp/db/changelog.xml`. **The unique `META-INF/vibe-erp/db/` path matters**: if you put your changelog at `db/changelog/master.xml` (the host's path), the parent-first classloader will find both files and Liquibase will throw `ChangeLogParseException` at install time.
+
+Convention: every table you create is prefixed `plugin_<your-id>__`. The host doesn't enforce this in v0.6, but a future linter will, and the prefix is the only thing that lets a future "uninstall plug-in" cleanly drop your tables.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+                                       https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.27.xsd">
+
+    <changeSet id="hello-print-001" author="hello-print">
+        <sql>
+            CREATE TABLE plugin_helloprint__greeting (
+                id         uuid PRIMARY KEY,
+                name       varchar(128) NOT NULL,
+                greeting   text         NOT NULL,
+                created_at timestamptz  NOT NULL DEFAULT now()
+            );
+            CREATE UNIQUE INDEX plugin_helloprint__greeting_name_uk
+                ON plugin_helloprint__greeting (name);
+        </sql>
+        <rollback>
+            DROP TABLE plugin_helloprint__greeting;
+        </rollback>
+    </changeSet>
+
+</databaseChangeLog>
+```
  
-- `id` is globally unique. Use a reverse-DNS style. The host uses it as the plug-in's schema namespace (`plugin_helloprint__*`) and as the `source` tag (`plugin:com.example.helloprint`) on every metadata row the plug-in seeds.
-- `version` is your plug-in's version, not the host's.
-- `requiresApi: "1.x"` means "any 1.x release of `api.v1`". A mismatch fails at install time, not at runtime. Across a major version, the host loads `api.v1` and `api.v2` side by side for at least one major release window.
-- `permissions` are auto-registered with the role editor. Plug-ins should not invent permissions outside their own namespace.
-- `metadata` lists files inside the JAR that the host should pick up on plug-in start: form definitions, BPMN files, message bundles, seed rules.
+## 5. Register HTTP endpoints
  
-## 4. Register an extension via `@Extension`
+Plug-ins do NOT use Spring annotations. The host exposes a **lambda-based registrar** through `context.endpoints` that mounts your handlers under `/api/v1/plugins/<plugin-id>/<path>`. The handler receives a `PluginRequest` (path parameters, query parameters, raw body string) and returns a `PluginResponse` (status + body, serialized as JSON by the host).
  
-Extensions are how a plug-in plugs into a typed seam declared by the core or another PBC. Every seam lives in `org.vibeerp.api.v1.ext.<area>`.
+Inside your `start(context)`:
  
 ```kotlin
-package com.example.helloprint
-
-import org.vibeerp.api.v1.plugin.Extension
-import org.vibeerp.api.v1.workflow.TaskHandler
-import org.vibeerp.api.v1.workflow.WorkflowTask
+override fun start(context: PluginContext) {
+    this.context = context
+    context.logger.info("hello-print plug-in starting")
+
+    // GET /api/v1/plugins/hello-print/ping
+    context.endpoints.register(HttpMethod.GET, "/ping") { _: PluginRequest ->
+        PluginResponse(
+            status = 200,
+            body = mapOf("plugin" to "hello-print", "ok" to true),
+        )
+    }
  
-@Extension(point = TaskHandler::class)
-class GreetCustomerHandler : TaskHandler {
+    // GET /api/v1/plugins/hello-print/greetings
+    context.endpoints.register(HttpMethod.GET, "/greetings") { _ ->
+        val rows = context.jdbc.query(
+            "SELECT id, name, greeting FROM plugin_helloprint__greeting ORDER BY name",
+        ) { row ->
+            mapOf(
+                "id" to row.uuid("id").toString(),
+                "name" to row.string("name"),
+                "greeting" to row.string("greeting"),
+            )
+        }
+        PluginResponse(body = rows)
+    }
  
-    override val id: String = "hello_print.greet_customer"
+    // POST /api/v1/plugins/hello-print/greetings
+    context.endpoints.register(HttpMethod.POST, "/greetings") { request ->
+        // Plug-ins parse JSON themselves. The reference plug-in uses the
+        // host's Jackson via reflection; a real plug-in author would
+        // ship their own JSON library or use kotlinx.serialization.
+        val body = parseJsonObject(request.body.orEmpty())
+        val name = body["name"] as? String
+            ?: return@register PluginResponse(400, mapOf("detail" to "name is required"))
+
+        val id = java.util.UUID.randomUUID()
+        context.jdbc.update(
+            """
+            INSERT INTO plugin_helloprint__greeting (id, name, greeting)
+            VALUES (:id, :name, :greeting)
+            """.trimIndent(),
+            mapOf(
+                "id" to id,
+                "name" to name,
+                "greeting" to "hello, $name",
+            ),
+        )
+        PluginResponse(
+            status = 201,
+            body = mapOf("id" to id.toString(), "name" to name),
+        )
+    }
  
-    override fun handle(task: WorkflowTask) {
-        val name = task.variable<String>("customerName") ?: "world"
-        task.setVariable("greeting", "hello, $name")
-        task.complete()
+    // GET /api/v1/plugins/hello-print/greetings/{name} — path variable
+    context.endpoints.register(HttpMethod.GET, "/greetings/{name}") { request ->
+        val name = request.pathParameters["name"]
+            ?: return@register PluginResponse(400, mapOf("detail" to "name is required"))
+        val row = context.jdbc.queryForObject(
+            "SELECT name, greeting FROM plugin_helloprint__greeting WHERE name = :name",
+            mapOf("name" to name),
+        ) { r -> mapOf("name" to r.string("name"), "greeting" to r.string("greeting")) }
+        if (row == null) {
+            PluginResponse(404, mapOf("detail" to "no greeting for '$name'"))
+        } else {
+            PluginResponse(body = row)
+        }
     }
 }
 ```
  
-The host scans `@Extension`-annotated classes inside the plug-in JAR and registers them against the declared extension point. A BPMN service task referencing `hello_print.greet_customer` will now be routed to this handler.
+A few things this is doing on purpose:
  
-## 5. Add a `@PluginEndpoint` controller
+- **Path templates** with `{var}` placeholders. Spring's `AntPathMatcher` extracts the values into `PluginRequest.pathParameters`.
+- **`context.jdbc`** is the api.v1 typed-SQL surface. It wraps Spring's `NamedParameterJdbcTemplate` behind a small interface that hides every JDBC and Spring type. Plug-ins use named parameters only — positional `?` is not supported.
+- **`PluginResponse`** is serialized as JSON by the host. A `Map<String, Any?>` round-trips through Jackson without you doing anything.
+- **Spring Security still applies.** Every plug-in endpoint inherits the `anyRequest().authenticated()` rule, so callers need a valid Bearer token. The public allowlist (actuator health, `/api/v1/_meta/**`, `/api/v1/auth/login`, `/api/v1/auth/refresh`) does NOT include plug-in endpoints.
  
-Plug-ins add REST endpoints through `@PluginEndpoint`. The endpoint runs inside the plug-in's Spring child context and is auto-listed in the OpenAPI document under the plug-in's namespace.
+## 6. Ship metadata about your plug-in
  
-```kotlin
-package com.example.helloprint
+Drop a YAML file at `META-INF/vibe-erp/metadata/hello-print.yml`:
  
-import org.vibeerp.api.v1.http.PluginEndpoint
-import org.vibeerp.api.v1.http.RequestContext
-import org.vibeerp.api.v1.http.ResponseBuilder
-import org.vibeerp.api.v1.i18n.MessageKey
-import org.vibeerp.api.v1.security.Permission
-
-@PluginEndpoint(
-    path = "/api/plugin/hello-print/greet",
-    method = "GET",
-    permission = "hello_print.greet.read",
-)
-class GreetEndpoint {
-
-    fun handle(request: RequestContext): ResponseBuilder {
-        val name = request.query("name") ?: "world"
-        val greeting = request.translator.format(
-            MessageKey("hello_print.greet.message"),
-            mapOf("name" to name),
-        )
-        return ResponseBuilder.ok(mapOf("greeting" to greeting))
-    }
-}
-```
+```yaml
+entities:
+  - name: Greeting
+    pbc: hello-print
+    table: plugin_helloprint__greeting
+    description: A personalized greeting record
  
-A few things this snippet is doing on purpose:
+permissions:
+  - key: hello.print.greet.read
+    description: Read greetings
+  - key: hello.print.greet.create
+    description: Create greetings
+
+menus:
+  - path: /plugins/hello-print/greetings
+    label: Greetings
+    icon: message-circle
+    section: Hello Print
+    order: 100
+```
  
-- The endpoint declares a `permission`. The plug-in loader registers `hello_print.greet.read` with the role editor; an admin grants it before the endpoint becomes callable.
-- The greeting goes through the `Translator`. There is **no** string concatenation in user-facing code. See the [i18n guide](../i18n/guide.md).
-- The handler returns through `ResponseBuilder`, not through Spring's `ResponseEntity`. Plug-ins do not see Spring directly.
+The host's `MetadataLoader` will pick up this file at plug-in start, tag every row with `source = 'plugin:hello-print'`, and expose it at `GET /api/v1/_meta/metadata`. The future SPA reads that endpoint to discover what entities and menus exist.
  
-## 6. Loading the plug-in
+## 7. Building, deploying, loading
  
 Build the JAR and drop it into the host's plug-in directory:
  
 ```bash
-./gradlew :jar
+./gradlew jar
 cp build/libs/hello-print-0.1.0.jar /opt/vibe-erp/plugins/
-# or, for a Docker deployment
-docker cp build/libs/hello-print-0.1.0.jar vibe-erp:/opt/vibe-erp/plugins/
+docker restart vibe-erp
 ```
  
-Restart the host:
+For local development against this repo, the reference plug-in uses an `installToDev` Gradle task that stages the JAR into `./plugins-dev/` so `:distribution:bootRun` finds it on boot. The same pattern works for any plug-in.
  
-```bash
-docker restart vibe-erp
-```
+Hot reload of plug-ins without a restart is not in v1.0 — it is on the v1.2+ roadmap.
+
+## 8. What you'll see in the boot log
+
+A successfully-loading plug-in produces a sequence like this:
  
-Hot reload of plug-ins without a restart is not in v1.0 — it is on the v1.2+ roadmap. For v1.0 and v1.1, install and uninstall require a restart.
+```
+PF4J: Plugin 'hello-print@0.1.0' resolved
+PF4J: Start plugin 'hello-print@0.1.0'
+PluginLiquibaseRunner: plug-in 'hello-print' has META-INF/vibe-erp/db/changelog.xml — running plug-in Liquibase migrations
+liquibase.changelog: ChangeSet META-INF/vibe-erp/db/changelog.xml::hello-print-001::hello-print ran successfully
+PluginLiquibaseRunner: plug-in 'hello-print' Liquibase migrations applied successfully
+MetadataLoader: source='plugin:hello-print' loaded 1 entities, 2 permissions, 1 menus from 1 file(s)
+VibeErpPluginManager: vibe_erp plug-in loaded: id=hello-print version=0.1.0 state=STARTED
+plugin.hello-print: hello-print plug-in starting
+VibeErpPluginManager: vibe_erp plug-in 'hello-print' started successfully
+```
  
-On boot, the host scans `./plugins/`, validates each manifest, runs the plug-in linter, creates a classloader and Spring child context per plug-in, runs the plug-in's Liquibase changesets in `plugin_<id>__*`, seeds metadata, and finally calls `Plugin.start`. The lifecycle in full is described in section 7 of [`../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md`](../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md).
+If anything goes wrong, the host logs the per-plug-in failure loudly and continues with the other plug-ins. A failed lint, a failed migration, or a failed `start()` does NOT bring the framework down.
  
-## 7. Where to find logs and errors
+## 9. Where to find logs and errors
  
-- **Boot log:** `/opt/vibe-erp/logs/vibe-erp.log`. Filter on the `platform-plugins` logger to see exactly which plug-ins were scanned, accepted, rejected, and why.
-- **Linter rejections:** if your JAR imports a class outside `org.vibeerp.api.v1.*`, the linter rejects it at install time and logs the offending import. Fix the import; never work around the linter.
-- **Migration failures:** Liquibase output is logged under the `platform-persistence` logger, scoped to your plug-in id.
-- **Runtime errors inside your plug-in:** logged under the plug-in's id (`com.example.helloprint`). Use the `PluginContext.log` handed to you in `start`; do not pull in your own logging framework.
-- **Health endpoint:** `/actuator/health` reports per-plug-in status. A plug-in stuck in a half-loaded state shows up here before it shows up in user-visible failures.
+- **Boot log:** `/opt/vibe-erp/logs/vibe-erp.log` (or stdout for `bootRun`). Filter on `o.v.p.plugins` for the plug-in lifecycle, `o.v.p.p.lint` for the linter, `o.v.p.p.migration` for Liquibase, `o.v.platform.metadata` for the metadata loader, and `plugin.<your-id>` for your own messages routed through `context.logger`.
+- **Linter rejections** print every offending class + the forbidden type referenced. Fix the import; never work around the linter — it will catch you again.
+- **Migration failures** abort the plug-in's start step but don't stop the framework. Read the Liquibase output carefully.
+- **Runtime errors inside your handler lambdas** are caught by the dispatcher, logged with a full stack trace, and returned to the caller as a 500 with a generic body. Use `context.logger` (not your own SLF4J binding) so your messages get the per-plug-in tag.
  
-## 8. The reference printing-shop plug-in is your worked example
+## 10. The reference printing-shop plug-in is your worked example
  
-`reference-customer/plugin-printing-shop/` is a real, production-shaped plug-in built and CI-tested on every PR. It expresses the workflows in `raw/业务流程设计文档/` using **only `api.v1`**. When this guide leaves a question unanswered, the answer is almost always "look at how `plugin-printing-shop` does it":
+`reference-customer/plugin-printing-shop/` is a real, CI-tested plug-in. When this guide leaves a question unanswered, the answer is almost always "look at how `plugin-printing-shop` does it":
  
-- The shape of `plugin.yml` for a non-trivial plug-in.
-- How a plug-in declares a brand-new entity (printing plates, presses, color proofs) without touching any PBC.
-- How a multi-step BPMN workflow is shipped inside a JAR and wired up to typed `TaskHandler` implementations.
-- How form definitions reference custom fields.
-- How i18n bundles are organized for a plug-in that ships in five locales.
+- The shape of `plugin.yml` and the `META-INF/MANIFEST.MF` attributes.
+- A real Liquibase changelog with multiple changesets at `META-INF/vibe-erp/db/changelog.xml`.
+- A real metadata YAML at `META-INF/vibe-erp/metadata/printing-shop.yml`.
+- Seven HTTP endpoints, including path-variable extraction and POST handlers that parse JSON bodies.
+- The dual-supertype trick (`Pf4jPlugin` + `VibeErpPlugin`) with import aliases.
+- A working `installToDev` Gradle task for local development.
  
-The plug-in is built by the main Gradle build but **not loaded by default**. Drop its JAR into `./plugins/` to load it locally.
+The plug-in is built by the main Gradle build but **not loaded by default**. Drop its JAR into `./plugins/` (or use `installToDev` for development against this repo) to load it.
  
 ## What this guide does not yet cover
  
-- Publishing a plug-in to a marketplace — the marketplace and signed plug-ins are a v2 deliverable.
-- Hot reload without restart — v1.2+.
-- Calling the MCP endpoint as an AI agent — v1.1.
+- **Subscribing to events.** `context.eventBus.subscribe(...)` is wired and live, but no worked example yet — see `EventBusImpl` and `EventBus` in api.v1 for the contract.
+- **Workflow handlers.** `TaskHandler` is in api.v1 but Flowable isn't wired yet (P2.1, deferred). Plug-ins that try to register handlers today have nothing to call them.
+- **Translator.** `context.translator` currently throws `UnsupportedOperationException` until P1.6 lands.
+- **Custom permission enforcement.** Your declared permissions are stored in `metadata__permission` but `@RequirePermission`-style checks aren't enforced yet (P4.3).
+- **Publishing a plug-in to a marketplace** — v2 deliverable.
+- **Hot reload without restart** — v1.2+.
+- **Calling the MCP endpoint as an AI agent** — v1.1.
  
-For everything else, the source of truth is [`../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md`](../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md).
+For everything else, the source of truth is [`../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md`](../superpowers/specs/2026-04-07-vibe-erp-architecture-design.md), and the live status of every feature is in [`../../PROGRESS.md`](../../PROGRESS.md).
@@ -20,7 +20,7 @@ Business analysts draw workflows in the BPMN designer that ships in the web SPA.
  
 This path is the right one for:
  
-- Approval chains that vary per tenant.
+- Approval chains the customer wants to author themselves.
 - Document routing rules that the customer wants to tune themselves.
 - Workflows that compose existing typed task handlers in a new order.