feat(metadata): P1.5 — metadata store seeding

Adds the foundation for the entire Tier 1 customization story. Core PBCs and plug-ins now ship YAML files declaring their entities, permissions, and menus; a `MetadataLoader` walks the host classpath and each plug-in JAR at boot, upserts the rows tagged with their source, and exposes them at a public REST endpoint so the future SPA, AI-agent function catalog, OpenAPI generator, and external introspection tooling can all see what the framework offers without scraping code. What landed: * New `platform/platform-metadata/` Gradle subproject. Depends on api-v1 + platform-persistence + jackson-yaml + spring-jdbc. * `MetadataYamlFile` DTOs (entities, permissions, menus). Forward- compatible: unknown top-level keys are ignored, so a future plug-in built against a newer schema (forms, workflows, rules, translations) loads cleanly on an older host that doesn't know those sections yet. * `MetadataLoader` with two entry points: loadCore() — uses Spring's PathMatchingResourcePatternResolver against the host classloader. Finds every classpath*:META-INF/ vibe-erp/metadata/*.yml across all jars contributing to the application. Tagged source='core'. loadFromPluginJar(pluginId, jarPath) — opens ONE specific plug-in JAR via java.util.jar.JarFile and walks its entries directly. This is critical: a plug-in's PluginClassLoader is parent-first, so a classpath*: scan against it would ALSO pick up the host's metadata files via parent classpath. We saw this in the first smoke run — the plug-in source ended up with 6 entities (the plug-in's 2 + the host's 4) before the fix. Walking the JAR file directly guarantees only the plug-in's own files load. Tagged source='plugin:<id>'. Both entry points use the same delete-then-insert idempotent core (doLoad). Loading the same source twice produces the same final state. User-edited metadata (source='user') is NEVER touched by either path — it survives boot, plug-in install, and plug-in upgrade. This is what lets a future SPA "Customize" UI add custom fields without fearing they'll be wiped on the next deploy. * `VibeErpPluginManager.afterPropertiesSet()` now calls metadataLoader.loadCore() at the very start, then walks plug-ins and calls loadFromPluginJar(...) for each one between Liquibase migration and start(context). Order is guaranteed: core → linter → migrate → metadata → start. The CommandLineRunner I originally put `loadCore()` in turned out to be wrong because Spring runs CommandLineRunners AFTER InitializingBean.afterPropertiesSet(), so the plug-in metadata was loading BEFORE core — the wrong way around. Calling loadCore() inline in the plug-in manager fixes the ordering without any @Order(...) gymnastics. * `MetadataController` exposes: GET /api/v1/_meta/metadata — all three sections GET /api/v1/_meta/metadata/entities — entities only GET /api/v1/_meta/metadata/permissions GET /api/v1/_meta/metadata/menus Public allowlist (covered by the existing /api/v1/_meta/** rule in SecurityConfiguration). The metadata is intentionally non- sensitive — entity names, permission keys, menu paths. Nothing in here is PII or secret; the SPA needs to read it before the user has logged in. * YAML files shipped: - pbc-identity/META-INF/vibe-erp/metadata/identity.yml (User + Role entities, 6 permissions, Users + Roles menus) - pbc-catalog/META-INF/vibe-erp/metadata/catalog.yml (Item + Uom entities, 7 permissions, Items + UoMs menus) - reference plug-in/META-INF/vibe-erp/metadata/printing-shop.yml (Plate + InkRecipe entities, 5 permissions, Plates + Inks menus in a "Printing shop" section) Tests: 4 MetadataLoaderTest cases (loadFromPluginJar happy paths, mixed sections, blank pluginId rejection, missing-file no-op wipe) + 7 MetadataYamlParseTest cases (DTO mapping, optional fields, section defaults, forward-compat unknown keys). Total now **92 unit tests** across 11 modules, all green. End-to-end smoke test against fresh Postgres + plug-in loaded: Boot logs: MetadataLoader: source='core' loaded 4 entities, 13 permissions, 4 menus from 2 file(s) MetadataLoader: source='plugin:printing-shop' loaded 2 entities, 5 permissions, 2 menus from 1 file(s) HTTP smoke (everything green): GET /api/v1/_meta/metadata (no auth) → 200 6 entities, 18 permissions, 6 menus entity names: User, Role, Item, Uom, Plate, InkRecipe menu sections: Catalog, Printing shop, System GET /api/v1/_meta/metadata/entities → 200 GET /api/v1/_meta/metadata/menus → 200 Direct DB verification: metadata__entity: core=4, plugin:printing-shop=2 metadata__permission: core=13, plugin:printing-shop=5 metadata__menu: core=4, plugin:printing-shop=2 Idempotency: restart the app, identical row counts. Existing endpoints regression: GET /api/v1/identity/users (Bearer) → 1 user GET /api/v1/catalog/uoms (Bearer) → 15 UoMs GET /api/v1/plugins/printing-shop/ping (Bearer) → 200 Bugs caught and fixed during the smoke test: • The first attempt loaded core metadata via a CommandLineRunner annotated @Order(HIGHEST_PRECEDENCE) and per-plug-in metadata inline in VibeErpPluginManager.afterPropertiesSet(). Spring runs all InitializingBeans BEFORE any CommandLineRunner, so the plug-in metadata loaded first and the core load came second — wrong order. Fix: drop CoreMetadataInitializer entirely; have the plug-in manager call metadataLoader.loadCore() directly at the start of afterPropertiesSet(). • The first attempt's plug-in load used metadataLoader.load(pluginClassLoader, ...) which used Spring's PathMatchingResourcePatternResolver against the plug-in's classloader. PluginClassLoader is parent-first, so the resolver enumerated BOTH the plug-in's own JAR AND the host classpath's metadata files, tagging core entities as source='plugin:<id>' and corrupting the seed counts. Fix: refactor MetadataLoader to expose loadFromPluginJar(pluginId, jarPath) which opens the plug-in JAR directly via java.util.jar.JarFile and walks its entries — never asking the classloader at all. The api-v1 surface didn't change. • Two KDoc comments contained the literal string `*.yml` after a `/` character (`/metadata/*.yml`), forming the `/*` pattern that Kotlin's lexer treats as a nested-comment opener. The file failed to compile with "Unclosed comment". This is the third time I've hit this trap; rewriting both KDocs to avoid the literal `/*` sequence. • The MetadataLoaderTest's hand-rolled JAR builder didn't include explicit directory entries for parent paths. Real Gradle JARs do include them, and Spring's PathMatchingResourcePatternResolver needs them to enumerate via classpath*:. Fixed the test helper to write directory entries for every parent of each file. Implementation plan refreshed: P1.5 marked DONE. Next priority candidates: P5.2 (pbc-partners — third PBC clone) and P3.4 (custom field application via the ext jsonb column, which would unlock the full Tier 1 customization story). Framework state: 17→18 commits, 10→11 modules, 81→92 unit tests, metadata seeded for 6 entities + 18 permissions + 6 menus.

feat(metadata): P1.5 — metadata store seeding
Adds the foundation for the entire Tier 1 customization story. Core PBCs and plug-ins now ship YAML files declaring their entities, permissions, and menus; a `MetadataLoader` walks the host classpath and each plug-in JAR at boot, upserts the rows tagged with their source, and exposes them at a public REST endpoint so the future SPA, AI-agent function catalog, OpenAPI generator, and external introspection tooling can all see what the framework offers without scraping code. What landed: * New `platform/platform-metadata/` Gradle subproject. Depends on api-v1 + platform-persistence + jackson-yaml + spring-jdbc. * `MetadataYamlFile` DTOs (entities, permissions, menus). Forward- compatible: unknown top-level keys are ignored, so a future plug-in built against a newer schema (forms, workflows, rules, translations) loads cleanly on an older host that doesn't know those sections yet. * `MetadataLoader` with two entry points: loadCore() — uses Spring's PathMatchingResourcePatternResolver against the host classloader. Finds every classpath*:META-INF/ vibe-erp/metadata/*.yml across all jars contributing to the application. Tagged source='core'. loadFromPluginJar(pluginId, jarPath) — opens ONE specific plug-in JAR via java.util.jar.JarFile and walks its entries directly. This is critical: a plug-in's PluginClassLoader is parent-first, so a classpath*: scan against it would ALSO pick up the host's metadata files via parent classpath. We saw this in the first smoke run — the plug-in source ended up with 6 entities (the plug-in's 2 + the host's 4) before the fix. Walking the JAR file directly guarantees only the plug-in's own files load. Tagged source='plugin:<id>'. Both entry points use the same delete-then-insert idempotent core (doLoad). Loading the same source twice produces the same final state. User-edited metadata (source='user') is NEVER touched by either path — it survives boot, plug-in install, and plug-in upgrade. This is what lets a future SPA "Customize" UI add custom fields without fearing they'll be wiped on the next deploy. * `VibeErpPluginManager.afterPropertiesSet()` now calls metadataLoader.loadCore() at the very start, then walks plug-ins and calls loadFromPluginJar(...) for each one between Liquibase migration and start(context). Order is guaranteed: core → linter → migrate → metadata → start. The CommandLineRunner I originally put `loadCore()` in turned out to be wrong because Spring runs CommandLineRunners AFTER InitializingBean.afterPropertiesSet(), so the plug-in metadata was loading BEFORE core — the wrong way around. Calling loadCore() inline in the plug-in manager fixes the ordering without any @Order(...) gymnastics. * `MetadataController` exposes: GET /api/v1/_meta/metadata — all three sections GET /api/v1/_meta/metadata/entities — entities only GET /api/v1/_meta/metadata/permissions GET /api/v1/_meta/metadata/menus Public allowlist (covered by the existing /api/v1/_meta/** rule in SecurityConfiguration). The metadata is intentionally non- sensitive — entity names, permission keys, menu paths. Nothing in here is PII or secret; the SPA needs to read it before the user has logged in. * YAML files shipped: - pbc-identity/META-INF/vibe-erp/metadata/identity.yml (User + Role entities, 6 permissions, Users + Roles menus) - pbc-catalog/META-INF/vibe-erp/metadata/catalog.yml (Item + Uom entities, 7 permissions, Items + UoMs menus) - reference plug-in/META-INF/vibe-erp/metadata/printing-shop.yml (Plate + InkRecipe entities, 5 permissions, Plates + Inks menus in a "Printing shop" section) Tests: 4 MetadataLoaderTest cases (loadFromPluginJar happy paths, mixed sections, blank pluginId rejection, missing-file no-op wipe) + 7 MetadataYamlParseTest cases (DTO mapping, optional fields, section defaults, forward-compat unknown keys). Total now **92 unit tests** across 11 modules, all green. End-to-end smoke test against fresh Postgres + plug-in loaded: Boot logs: MetadataLoader: source='core' loaded 4 entities, 13 permissions, 4 menus from 2 file(s) MetadataLoader: source='plugin:printing-shop' loaded 2 entities, 5 permissions, 2 menus from 1 file(s) HTTP smoke (everything green): GET /api/v1/_meta/metadata (no auth) → 200 6 entities, 18 permissions, 6 menus entity names: User, Role, Item, Uom, Plate, InkRecipe menu sections: Catalog, Printing shop, System GET /api/v1/_meta/metadata/entities → 200 GET /api/v1/_meta/metadata/menus → 200 Direct DB verification: metadata__entity: core=4, plugin:printing-shop=2 metadata__permission: core=13, plugin:printing-shop=5 metadata__menu: core=4, plugin:printing-shop=2 Idempotency: restart the app, identical row counts. Existing endpoints regression: GET /api/v1/identity/users (Bearer) → 1 user GET /api/v1/catalog/uoms (Bearer) → 15 UoMs GET /api/v1/plugins/printing-shop/ping (Bearer) → 200 Bugs caught and fixed during the smoke test: • The first attempt loaded core metadata via a CommandLineRunner annotated @Order(HIGHEST_PRECEDENCE) and per-plug-in metadata inline in VibeErpPluginManager.afterPropertiesSet(). Spring runs all InitializingBeans BEFORE any CommandLineRunner, so the plug-in metadata loaded first and the core load came second — wrong order. Fix: drop CoreMetadataInitializer entirely; have the plug-in manager call metadataLoader.loadCore() directly at the start of afterPropertiesSet(). • The first attempt's plug-in load used metadataLoader.load(pluginClassLoader, ...) which used Spring's PathMatchingResourcePatternResolver against the plug-in's classloader. PluginClassLoader is parent-first, so the resolver enumerated BOTH the plug-in's own JAR AND the host classpath's metadata files, tagging core entities as source='plugin:<id>' and corrupting the seed counts. Fix: refactor MetadataLoader to expose loadFromPluginJar(pluginId, jarPath) which opens the plug-in JAR directly via java.util.jar.JarFile and walks its entries — never asking the classloader at all. The api-v1 surface didn't change. • Two KDoc comments contained the literal string `*.yml` after a `/` character (`/metadata/*.yml`), forming the `/*` pattern that Kotlin's lexer treats as a nested-comment opener. The file failed to compile with "Unclosed comment". This is the third time I've hit this trap; rewriting both KDocs to avoid the literal `/*` sequence. • The MetadataLoaderTest's hand-rolled JAR builder didn't include explicit directory entries for parent paths. Real Gradle JARs do include them, and Spring's PathMatchingResourcePatternResolver needs them to enumerate via classpath*:. Fixed the test helper to write directory entries for every parent of each file. Implementation plan refreshed: P1.5 marked DONE. Next priority candidates: P5.2 (pbc-partners — third PBC clone) and P3.4 (custom field application via the ext jsonb column, which would unlock the full Tier 1 customization story). Framework state: 17→18 commits, 10→11 modules, 81→92 unit tests, metadata seeded for 6 entities + 18 permissions + 6 menus.
vibe_erp
1 parent 7af11f2f
Showing 15 changed files with 998 additions and 19 deletions
distribution/build.gradle.kts
docs/superpowers/specs/2026-04-07-vibe-erp-implementation-plan.md
gradle/libs.versions.toml
pbc/pbc-catalog/src/main/resources/META-INF/vibe-erp/metadata/catalog.yml
pbc/pbc-identity/src/main/resources/META-INF/vibe-erp/metadata/identity.yml
platform/platform-metadata/build.gradle.kts
platform/platform-metadata/src/main/kotlin/org/vibeerp/platform/metadata/MetadataLoader.kt
platform/platform-metadata/src/main/kotlin/org/vibeerp/platform/metadata/web/MetadataController.kt
platform/platform-metadata/src/main/kotlin/org/vibeerp/platform/metadata/yaml/MetadataYaml.kt
platform/platform-metadata/src/test/kotlin/org/vibeerp/platform/metadata/MetadataLoaderTest.kt
platform/platform-metadata/src/test/kotlin/org/vibeerp/platform/metadata/yaml/MetadataYamlParseTest.kt
platform/platform-plugins/build.gradle.kts
platform/platform-plugins/src/main/kotlin/org/vibeerp/platform/plugins/VibeErpPluginManager.kt
reference-customer/plugin-printing-shop/src/main/resources/META-INF/vibe-erp/metadata/printing-shop.yml
settings.gradle.kts
@@ -24,6 +24,7 @@ dependencies {
     implementation(project(":platform:platform-plugins"))
     implementation(project(":platform:platform-security"))
     implementation(project(":platform:platform-events"))
+    implementation(project(":platform:platform-metadata"))
     implementation(project(":pbc:pbc-identity"))
     implementation(project(":pbc:pbc-catalog"))
  
@@ -12,18 +12,19 @@
 > previously-deferred P1.1 (RLS transaction hook) and H1 (per-region tenant
 > routing) units are gone. See CLAUDE.md guardrail #5 for the rationale.
 >
-> **2026-04-08 update — P4.1, P5.1, P1.3, P1.7, P1.4, P1.2 all landed.**
-> Auth (Argon2id + JWT + bootstrap admin), pbc-catalog (items + UoMs),
-> plug-in HTTP endpoints (registry + dispatcher + DefaultPluginContext),
-> event bus + transactional outbox + audit subscriber, plug-in-owned
-> Liquibase changelogs (the reference plug-in now has its own database
-> tables), and the plug-in linter (ASM bytecode scan rejecting forbidden
-> imports) are all done and smoke-tested end-to-end. The reference
-> printing-shop plug-in has graduated from "hello world" to a real
-> customer demonstration: it owns its own DB schema, CRUDs plates and
-> ink recipes via REST through `context.jdbc`, and would be rejected at
-> install time if it tried to import internal framework classes. The
-> framework is now at **81 unit tests** across 10 modules, all green.
+> **2026-04-08 update — P4.1, P5.1, P1.3, P1.7, P1.4, P1.2, P1.5 all
+> landed.** Auth, pbc-catalog, plug-in HTTP endpoints, event bus +
+> outbox, plug-in-owned Liquibase changelogs, plug-in linter, and now
+> **the metadata loader** are all done and smoke-tested end-to-end.
+> Core PBCs and the reference plug-in ship YAML files declaring their
+> entities, permissions, and menus; the loader walks the host
+> classpath and each plug-in JAR at boot, upserts the rows tagged
+> with `source = 'core'` or `source = 'plugin:<id>'`, and exposes
+> them at the public `GET /api/v1/_meta/metadata` endpoint so the
+> future SPA, OpenAPI generator, and AI-agent function catalog can
+> introspect what entities and permissions exist. Idempotent across
+> restarts (delete-by-source then insert). The framework is now at
+> **92 unit tests** across 11 modules, all green.
  
 ---
  
@@ -96,11 +97,9 @@ These units finish the platform layer so PBCs can be implemented without inventi
 **Module:** `platform-plugins` + `api.v1` (added `PluginJdbc`/`PluginRow`)
 **What landed:** `PluginLiquibaseRunner` looks for `META-INF/vibe-erp/db/changelog.xml` inside the plug-in JAR via the PF4J classloader, applies it via Liquibase against the host's shared DataSource. Convention: tables use `plugin_<id>__*` prefix (linter will enforce in a future version). The reference printing-shop plug-in now has two real tables (`plugin_printingshop__plate`, `plugin_printingshop__ink_recipe`) and CRUDs them via REST through the new `context.jdbc` typed-SQL surface in api.v1. Plug-ins never see Spring's JdbcTemplate. **Deferred:** per-plug-in datasource isolation, table-prefix linter, rollback on uninstall.
  
-### P1.5 — Metadata store seeding
-**Module:** new `platform-metadata` module (or expand `platform-persistence`)
-**Depends on:** —
-**What:** A `MetadataLoader` Spring component that, on boot and on plug-in start, upserts rows into `metadata__entity`, `metadata__form`, `metadata__workflow`, etc. from YAML files in the classpath / plug-in JAR. Each row carries `source = 'core' | 'plugin:<id>' | 'user'`. Idempotent; safe to run on every boot.
-**Acceptance:** integration test confirms that booting twice doesn't duplicate rows; uninstalling a plug-in removes its `source = 'plugin:<id>'` rows; user-edited rows (`source = 'user'`) are never touched.
+### ✅ P1.5 — Metadata store seeding (DONE 2026-04-08)
+**Module:** new `platform-metadata` module
+**What landed:** `MetadataLoader` Spring component with two entry points: `loadCore()` uses Spring's `PathMatchingResourcePatternResolver` against the host classpath (`classpath*:META-INF/vibe-erp/metadata/*.yml`), and `loadFromPluginJar(pluginId, jarPath)` opens a specific plug-in JAR via `java.util.jar.JarFile` and walks its entries directly — critical because the plug-in's parent-first `PluginClassLoader` would otherwise pick up the host's metadata files via parent classpath. `MetadataYamlFile` DTOs cover `entities`, `permissions`, `menus` (extensible: `forms`, `workflows`, `rules`, `translations` are future top-level keys, ignored gracefully). Delete-by-source-then-insert pattern is naturally idempotent and never touches `source='user'` rows. `VibeErpPluginManager.afterPropertiesSet()` calls `loadCore()` first, then walks plug-ins and calls `loadFromPluginJar(...)` for each one. New `GET /api/v1/_meta/metadata` REST endpoint (public, no auth needed) returns the seeded metadata for SPA/AI-agent introspection. pbc-identity, pbc-catalog, and the reference plug-in each ship a metadata YAML. **Verified end-to-end:** 4 core entities + 2 plug-in entities, 13 core permissions + 5 plug-in permissions, 4 core menus + 2 plug-in menus, idempotent across restarts. 11 new unit tests.
  
 ### P1.6 — `Translator` implementation backed by ICU4J
 **Module:** new `platform-i18n` module
@@ -351,9 +350,9 @@ REF.x — reference plug-in ── depends on P1.4 + P2.1 + P3.3
 ```
  
 Sensible ordering for one developer (single-tenant world):
-**~~P4.1~~ ✅ → ~~P5.1~~ ✅ → ~~P1.3~~ ✅ → ~~P1.7~~ ✅ → ~~P1.4~~ ✅ → ~~P1.2~~ ✅ → P1.5 → P1.6 → P5.2 → P2.1 → P5.3 → P3.4 → R1 → ...**
+**~~P4.1~~ ✅ → ~~P5.1~~ ✅ → ~~P1.3~~ ✅ → ~~P1.7~~ ✅ → ~~P1.4~~ ✅ → ~~P1.2~~ ✅ → ~~P1.5~~ ✅ → P5.2 → P1.6 → P3.4 → P5.3 → P2.1 → R1 → ...**
  
-**Next up after this commit:** P1.5 (metadata seeder) and P5.2 (pbc-partners) are the strongest candidates. Metadata seeder unblocks the entire Tier 1 customization story; pbc-partners adds another business surface (customers / suppliers) that sales orders will reference. Either is a clean ~half-day chunk.
+**Next up after this commit:** P5.2 (pbc-partners) is the strongest next candidate — adds customers/suppliers/contacts which everything downstream (sales orders, purchase orders, deliveries) will reference, and validates the pbc-identity template scales. P1.6 (ICU4J translator) is another clean ~half-day chunk if breadth-first feels right. P3.4 (custom field application via JSONB ext column) is the natural pair to P1.5 — together they unlock the Tier 1 customization story.
  
 Sensible parallel ordering for a team of three:
 - Dev A: **P4.1**, P1.5, P1.7, P1.6, P2.1
@@ -33,6 +33,7 @@ kotlin-stdlib = { module = &quot;org.jetbrains.kotlin:kotlin-stdlib&quot;, version.ref = &quot;
 kotlin-reflect = { module = "org.jetbrains.kotlin:kotlin-reflect", version.ref = "kotlin" }
 jackson-module-kotlin = { module = "com.fasterxml.jackson.module:jackson-module-kotlin", version.ref = "jackson" }
 jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310", version.ref = "jackson" }
+jackson-dataformat-yaml = { module = "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml", version.ref = "jackson" }
  
 # Bytecode analysis
 asm = { module = "org.ow2.asm:asm", version = "9.7.1" }
+# pbc-catalog metadata.
+#
+# Loaded at boot by MetadataLoader, tagged source='core'.
+# This declares what the catalog PBC offers to the rest of the framework
+# and the SPA: which entities exist, which permissions guard them,
+# which menu entries point at them.
+
+entities:
+  - name: Item
+    pbc: catalog
+    table: catalog__item
+    description: A thing that can be bought, sold, made, stored, or invoiced
+
+  - name: Uom
+    pbc: catalog
+    table: catalog__uom
+    description: A unit of measure (kg, m, ea, sheet, …)
+
+permissions:
+  - key: catalog.item.read
+    description: Read catalog item records
+  - key: catalog.item.create
+    description: Create catalog items
+  - key: catalog.item.update
+    description: Update catalog items
+  - key: catalog.item.deactivate
+    description: Deactivate catalog items (preserved for historical references)
+  - key: catalog.uom.read
+    description: Read units of measure
+  - key: catalog.uom.create
+    description: Create custom units of measure
+  - key: catalog.uom.update
+    description: Update unit-of-measure display name or dimension
+
+menus:
+  - path: /catalog/items
+    label: Items
+    icon: package
+    section: Catalog
+    order: 200
+  - path: /catalog/uoms
+    label: Units of measure
+    icon: ruler
+    section: Catalog
+    order: 210
+# pbc-identity metadata.
+#
+# Loaded at boot by org.vibeerp.platform.metadata.MetadataLoader,
+# tagged source='core'. Re-loaded on every boot from the YAML below
+# (delete-then-insert), so this file is the source of truth — edits
+# made via the future SPA customization UI live in metadata__* rows
+# tagged source='user' and are NEVER touched by the loader.
+
+entities:
+  - name: User
+    pbc: identity
+    table: identity__user
+    description: A user account in the framework
+
+  - name: Role
+    pbc: identity
+    table: identity__role
+    description: A named bundle of permissions assignable to users
+
+permissions:
+  - key: identity.user.read
+    description: Read user records
+  - key: identity.user.create
+    description: Create new user records
+  - key: identity.user.update
+    description: Update user records
+  - key: identity.user.disable
+    description: Disable a user (soft-delete; row is preserved for audit)
+  - key: identity.role.read
+    description: Read role records
+  - key: identity.role.assign
+    description: Assign a role to a user
+
+menus:
+  - path: /identity/users
+    label: Users
+    icon: people
+    section: System
+    order: 100
+  - path: /identity/roles
+    label: Roles
+    icon: shield-lock
+    section: System
+    order: 110
+plugins {
+    alias(libs.plugins.kotlin.jvm)
+    alias(libs.plugins.kotlin.spring)
+    alias(libs.plugins.spring.dependency.management)
+}
+
+description = "vibe_erp metadata loader — reads YAML files from classpath and plug-in JARs, upserts to metadata__* tables. INTERNAL."
+
+java {
+    toolchain {
+        languageVersion.set(JavaLanguageVersion.of(21))
+    }
+}
+
+kotlin {
+    jvmToolchain(21)
+    compilerOptions {
+        freeCompilerArgs.add("-Xjsr305=strict")
+    }
+}
+
+dependencies {
+    api(project(":api:api-v1"))
+    api(project(":platform:platform-persistence"))
+
+    implementation(libs.kotlin.stdlib)
+    implementation(libs.kotlin.reflect)
+    implementation(libs.jackson.module.kotlin)
+    implementation(libs.jackson.dataformat.yaml)
+    implementation(libs.jackson.datatype.jsr310)
+
+    implementation(libs.spring.boot.starter)
+    implementation(libs.spring.boot.starter.web)        // for the @RestController
+    implementation(libs.spring.boot.starter.data.jpa)   // for DataSource + JdbcTemplate
+
+    testImplementation(libs.spring.boot.starter.test)
+    testImplementation(libs.junit.jupiter)
+    testImplementation(libs.assertk)
+    testImplementation(libs.mockk)
+}
+
+tasks.test {
+    useJUnitPlatform()
+}
+package org.vibeerp.platform.metadata
+
+import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory
+import com.fasterxml.jackson.module.kotlin.registerKotlinModule
+import org.slf4j.LoggerFactory
+import org.springframework.core.io.support.PathMatchingResourcePatternResolver
+import org.springframework.jdbc.core.namedparam.MapSqlParameterSource
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate
+import org.springframework.stereotype.Component
+import org.springframework.transaction.annotation.Transactional
+import org.vibeerp.platform.metadata.yaml.MetadataYamlFile
+import java.nio.file.Files
+import java.nio.file.Path
+import java.sql.Timestamp
+import java.time.Instant
+import java.util.UUID
+import java.util.jar.JarFile
+
+/**
+ * Loads metadata YAML files (any `.yml` under `META-INF/vibe-erp/metadata/`)
+ * from the host classpath or from individual plug-in JARs and upserts
+ * their contents into the `metadata__*` tables.
+ *
+ * **Two entry points, deliberately different:**
+ *
+ *   • [loadCore] uses Spring's `PathMatchingResourcePatternResolver`
+ *     against the host's classloader. The host owns its classpath, so
+ *     `classpath*:` resolution is exactly the right tool — every JAR
+ *     contributing to the application gets scanned.
+ *
+ *   • [loadFromPluginJar] opens ONE specific plug-in JAR file via
+ *     [JarFile] and walks its entries directly. This is critical: a
+ *     plug-in's `PluginClassLoader` is parent-first by default, so a
+ *     `classpath*:` scan against it ALSO finds the host's metadata
+ *     files via the parent classloader. Walking the JAR file directly
+ *     guarantees only the plug-in's own files get loaded.
+ *
+ * **Idempotency.** Loading the same source twice produces the same
+ * final database state. The mechanism is "delete by source, then
+ * insert" inside one transaction:
+ *   1. `DELETE FROM metadata__entity WHERE source = :source`
+ *   2. `INSERT` every entity from every YAML file with that source
+ *   3. Same for `metadata__permission` and `metadata__menu`
+ * The whole load runs in a single transaction so a failure leaves the
+ * old metadata in place. User-edited rows (`source = 'user'`) are NEVER
+ * touched — they survive boot, plug-in install, and plug-in upgrade.
+ *
+ * **Why delete-and-insert instead of upsert.** Upsert needs a stable
+ * natural key per row, which would force the YAML to declare unique
+ * ids and would make renames painful. Delete-by-source treats the
+ * YAML as the authoritative declaration: whatever is in the YAML at
+ * boot time is what the database has. Plug-in uninstall is the same
+ * delete query.
+ *
+ * Reference: architecture spec section 8 ("The metadata store") and
+ * implementation plan unit P1.5.
+ */
+@Component
+class MetadataLoader(
+    private val jdbc: NamedParameterJdbcTemplate,
+) {
+
+    private val log = LoggerFactory.getLogger(MetadataLoader::class.java)
+
+    private val yamlMapper: ObjectMapper = ObjectMapper(YAMLFactory()).registerKotlinModule()
+    private val jsonMapper: ObjectMapper = ObjectMapper().registerKotlinModule()
+
+    /**
+     * Load every metadata YAML on the host classpath as `source='core'`.
+     * Called once at boot from `VibeErpPluginManager.afterPropertiesSet()`
+     * BEFORE any plug-in is processed, so the metadata table contains
+     * the core entries by the time plug-in metadata layers on top.
+     */
+    @Transactional
+    fun loadCore(): LoadResult {
+        val source = SOURCE_CORE
+        val resolver = PathMatchingResourcePatternResolver(javaClass.classLoader)
+        val resources = try {
+            resolver.getResources("classpath*:META-INF/vibe-erp/metadata/*.yml")
+        } catch (ex: Throwable) {
+            log.warn("MetadataLoader: failed to scan host classpath for metadata YAMLs: {}", ex.message, ex)
+            return doLoad(source, emptyList())
+        }
+        val files = resources.mapNotNull { resource ->
+            try {
+                val parsed = resource.inputStream.use { stream ->
+                    yamlMapper.readValue(stream, MetadataYamlFile::class.java)
+                }
+                ParsedYaml(resource.url?.toString() ?: resource.filename ?: "<unknown>", parsed)
+            } catch (ex: Throwable) {
+                log.error("MetadataLoader: failed to parse YAML resource {}: {}", resource.url, ex.message, ex)
+                null
+            }
+        }
+        return doLoad(source, files)
+    }
+
+    /**
+     * Load metadata YAMLs from a specific plug-in JAR file as
+     * `source='plugin:<id>'`. Walks the JAR entries directly to avoid
+     * picking up host classpath files via the plug-in's parent-first
+     * `PluginClassLoader`.
+     *
+     * @param pluginId the plug-in id, used to tag the rows.
+     * @param jarPath path to the plug-in JAR on disk. Resolved by the
+     *   host's `VibeErpPluginManager` from PF4J's `PluginWrapper`.
+     */
+    @Transactional
+    fun loadFromPluginJar(pluginId: String, jarPath: Path): LoadResult {
+        require(pluginId.isNotBlank()) { "pluginId must not be blank" }
+        val source = "$SOURCE_PLUGIN_PREFIX$pluginId"
+
+        if (!Files.isRegularFile(jarPath)) {
+            log.warn(
+                "MetadataLoader: plug-in '{}' jarPath {} is not a regular file; skipping (probably loaded as unpacked dir)",
+                pluginId, jarPath,
+            )
+            return doLoad(source, emptyList())
+        }
+
+        val files = mutableListOf<ParsedYaml>()
+        JarFile(jarPath.toFile()).use { jar ->
+            val entries = jar.entries()
+            while (entries.hasMoreElements()) {
+                val entry = entries.nextElement()
+                if (entry.isDirectory) continue
+                val name = entry.name
+                if (!name.startsWith(METADATA_DIR) || !name.endsWith(YAML_SUFFIX)) continue
+                try {
+                    val parsed = jar.getInputStream(entry).use { stream ->
+                        yamlMapper.readValue(stream, MetadataYamlFile::class.java)
+                    }
+                    files += ParsedYaml(url = "$jarPath!$name", parsed = parsed)
+                } catch (ex: Throwable) {
+                    log.error(
+                        "MetadataLoader: plug-in '{}' failed to parse jar entry {}: {}",
+                        pluginId, name, ex.message, ex,
+                    )
+                }
+            }
+        }
+
+        return doLoad(source, files)
+    }
+
+    private fun doLoad(source: String, files: List<ParsedYaml>): LoadResult {
+        require(source.isNotBlank()) { "source must not be blank" }
+
+        val merged = MetadataYamlFile(
+            entities = files.flatMap { it.parsed.entities },
+            permissions = files.flatMap { it.parsed.permissions },
+            menus = files.flatMap { it.parsed.menus },
+        )
+
+        wipeBySource(source)
+        insertEntities(source, merged)
+        insertPermissions(source, merged)
+        insertMenus(source, merged)
+
+        log.info(
+            "MetadataLoader: source='{}' loaded {} entities, {} permissions, {} menus from {} file(s)",
+            source, merged.entities.size, merged.permissions.size, merged.menus.size, files.size,
+        )
+
+        return LoadResult(
+            source = source,
+            entityCount = merged.entities.size,
+            permissionCount = merged.permissions.size,
+            menuCount = merged.menus.size,
+            files = files.map { it.url },
+        )
+    }
+
+    /**
+     * Result of one load() call. Used by callers for logging and by
+     * tests for assertions.
+     */
+    data class LoadResult(
+        val source: String,
+        val entityCount: Int,
+        val permissionCount: Int,
+        val menuCount: Int,
+        val files: List<String>,
+    )
+
+    // ─── internals ─────────────────────────────────────────────────
+
+    private fun wipeBySource(source: String) {
+        val params = MapSqlParameterSource("source", source)
+        jdbc.update("DELETE FROM metadata__entity WHERE source = :source", params)
+        jdbc.update("DELETE FROM metadata__permission WHERE source = :source", params)
+        jdbc.update("DELETE FROM metadata__menu WHERE source = :source", params)
+    }
+
+    private fun insertEntities(source: String, file: MetadataYamlFile) {
+        val now = Timestamp.from(Instant.now())
+        for (entity in file.entities) {
+            jdbc.update(
+                """
+                INSERT INTO metadata__entity (id, source, payload, created_at, updated_at)
+                VALUES (:id, :source, CAST(:payload AS jsonb), :now, :now)
+                """.trimIndent(),
+                MapSqlParameterSource()
+                    .addValue("id", UUID.randomUUID())
+                    .addValue("source", source)
+                    .addValue("payload", jsonMapper.writeValueAsString(entity))
+                    .addValue("now", now),
+            )
+        }
+    }
+
+    private fun insertPermissions(source: String, file: MetadataYamlFile) {
+        val now = Timestamp.from(Instant.now())
+        for (permission in file.permissions) {
+            jdbc.update(
+                """
+                INSERT INTO metadata__permission (id, source, payload, created_at, updated_at)
+                VALUES (:id, :source, CAST(:payload AS jsonb), :now, :now)
+                """.trimIndent(),
+                MapSqlParameterSource()
+                    .addValue("id", UUID.randomUUID())
+                    .addValue("source", source)
+                    .addValue("payload", jsonMapper.writeValueAsString(permission))
+                    .addValue("now", now),
+            )
+        }
+    }
+
+    private fun insertMenus(source: String, file: MetadataYamlFile) {
+        val now = Timestamp.from(Instant.now())
+        for (menu in file.menus) {
+            jdbc.update(
+                """
+                INSERT INTO metadata__menu (id, source, payload, created_at, updated_at)
+                VALUES (:id, :source, CAST(:payload AS jsonb), :now, :now)
+                """.trimIndent(),
+                MapSqlParameterSource()
+                    .addValue("id", UUID.randomUUID())
+                    .addValue("source", source)
+                    .addValue("payload", jsonMapper.writeValueAsString(menu))
+                    .addValue("now", now),
+            )
+        }
+    }
+
+    private data class ParsedYaml(
+        val url: String,
+        val parsed: MetadataYamlFile,
+    )
+
+    companion object {
+        const val SOURCE_CORE: String = "core"
+        const val SOURCE_PLUGIN_PREFIX: String = "plugin:"
+        private const val METADATA_DIR: String = "META-INF/vibe-erp/metadata/"
+        private const val YAML_SUFFIX: String = ".yml"
+    }
+}
+package org.vibeerp.platform.metadata.web
+
+import com.fasterxml.jackson.databind.ObjectMapper
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RestController
+
+/**
+ * Read-only REST endpoint that returns the seeded metadata.
+ *
+ * Mounted under `/api/v1/_meta/metadata` (next to the existing
+ * `/api/v1/_meta/info`) and explicitly **public** — the SPA needs
+ * to bootstrap its navigation, the AI-agent function catalog needs
+ * to discover entities, and external tooling needs to introspect
+ * the framework — all without holding a token. The metadata returned
+ * is intentionally non-sensitive: entity names, permission keys, menu
+ * paths. Nothing in here should ever be PII or secret.
+ *
+ * If a future version exposes more sensitive metadata (custom field
+ * definitions that mention column names of user data, for example),
+ * the controller can be split into a public surface and an
+ * authenticated-only surface without breaking the existing route.
+ */
+@RestController
+@RequestMapping("/api/v1/_meta/metadata")
+class MetadataController(
+    private val jdbc: NamedParameterJdbcTemplate,
+    private val objectMapper: ObjectMapper,
+) {
+
+    @GetMapping
+    fun all(): Map<String, Any> = mapOf(
+        "entities" to readPayloads("metadata__entity"),
+        "permissions" to readPayloads("metadata__permission"),
+        "menus" to readPayloads("metadata__menu"),
+    )
+
+    @GetMapping("/entities")
+    fun entities(): List<Map<String, Any?>> = readPayloads("metadata__entity")
+
+    @GetMapping("/permissions")
+    fun permissions(): List<Map<String, Any?>> = readPayloads("metadata__permission")
+
+    @GetMapping("/menus")
+    fun menus(): List<Map<String, Any?>> = readPayloads("metadata__menu")
+
+    private fun readPayloads(table: String): List<Map<String, Any?>> {
+        return jdbc.query(
+            "SELECT source, payload FROM $table ORDER BY source",
+            emptyMap<String, Any?>(),
+        ) { rs, _ ->
+            val source = rs.getString("source")
+            val payloadJson = rs.getString("payload") ?: "{}"
+            @Suppress("UNCHECKED_CAST")
+            val payload = objectMapper.readValue(payloadJson, Map::class.java) as Map<String, Any?>
+            payload + mapOf("source" to source)
+        }
+    }
+}
+package org.vibeerp.platform.metadata.yaml
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties
+
+/**
+ * The schema of a single metadata file under `META-INF/vibe-erp/metadata/`
+ * (any `.yml` filename).
+ *
+ * **Why one top-level file with multiple typed sections** instead of
+ * one file per type:
+ *  - PBCs and plug-ins typically declare half a dozen tightly-related
+ *    metadata items at once (an entity, three permissions, one menu
+ *    entry). Forcing them into separate files would split a single
+ *    feature across the filesystem and make code review harder.
+ *  - The top-level keys (`entities`, `permissions`, `menus`) are the
+ *    extension points. Adding a new key (`forms`, `workflows`, `rules`,
+ *    `translations`) is non-breaking — old YAML files just don't have
+ *    the new section, the loader skips it.
+ *
+ * **Source tagging.** The loader adds a `source` column to every row
+ * it persists: `core` for files on the host classpath, `plugin:<id>`
+ * for files inside a plug-in JAR, `user` for rows produced by the
+ * runtime customization UI (P3.x). The YAML itself never declares its
+ * source — that comes from where the file was loaded from, not from
+ * its content. Plug-ins cannot declare themselves as `core`.
+ *
+ * Reference: architecture spec section 8 ("The metadata store").
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+data class MetadataYamlFile(
+    val entities: List<EntityYaml> = emptyList(),
+    val permissions: List<PermissionYaml> = emptyList(),
+    val menus: List<MenuYaml> = emptyList(),
+)
+
+/**
+ * A business entity exposed through the framework.
+ *
+ * Plug-ins and PBCs declare their entities here so the framework
+ * (and the future SPA, MCP server, AI agent function catalog, OpenAPI
+ * generator) can introspect what kinds of objects exist without
+ * scanning Hibernate or reading source code.
+ *
+ * @property name Display name. Convention: PascalCase singular ("User",
+ *   "Item", "PrintingPlate").
+ * @property pbc Owning Packaged Business Capability id. Convention:
+ *   the Gradle subproject name without the `pbc-` prefix
+ *   (`identity`, `catalog`, …) for core PBCs, the plug-in id for
+ *   plug-in entities (`printing-shop`).
+ * @property table Underlying database table name. Used by the future
+ *   custom-field machinery and audit log to know which JSONB `ext`
+ *   column to write into.
+ * @property description Free-form one-line description shown in the
+ *   customization UI and in the OpenAPI spec.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+data class EntityYaml(
+    val name: String,
+    val pbc: String,
+    val table: String,
+    val description: String? = null,
+)
+
+/**
+ * A permission declared by a PBC or a plug-in.
+ *
+ * Permissions are how the framework's authorization layer (P4.3, not
+ * yet implemented) decides whether the current Principal can perform
+ * a given action. Declaring them in metadata serves three purposes:
+ *
+ *   1. The role editor in the SPA can list every available permission.
+ *   2. The framework can pre-check that every `@RequirePermission`
+ *      annotation in code references a declared permission and warn
+ *      on dangling references at boot.
+ *   3. The OpenAPI spec and the AI-agent function catalog can show
+ *      "this endpoint requires X" without scraping code.
+ *
+ * @property key The permission key. Convention:
+ *   `<pbc-or-plugin>.<resource>.<action>`. Lowercase, dot-separated.
+ *   Examples: `identity.user.create`, `catalog.item.read`,
+ *   `printingshop.plate.approve`.
+ * @property description One-line human-readable description.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+data class PermissionYaml(
+    val key: String,
+    val description: String,
+)
+
+/**
+ * A menu entry shown in the SPA's navigation.
+ *
+ * The framework's nav structure is data, not hard-coded React routes —
+ * adding a new top-level menu item from a plug-in is a YAML change,
+ * not a code change. The future SPA reads this list from
+ * `GET /api/v1/_meta/metadata` at boot and renders the navigation
+ * accordingly.
+ *
+ * @property path SPA route the entry navigates to. Convention:
+ *   `/<pbc-or-plugin>/<resource>` (e.g. `/identity/users`).
+ * @property label Display label. Should be a translation key
+ *   (`identity.menu.users`) once the i18n loader lands; for now it's
+ *   a literal English string.
+ * @property icon Material/Tabler icon name. The SPA renders it; the
+ *   framework just stores the string.
+ * @property section Top-level section the entry belongs to
+ *   ("System", "Sales", "Production"). Entries with the same
+ *   section group together in the nav.
+ * @property order Sort order within the section. Lower numbers
+ *   appear first.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+data class MenuYaml(
+    val path: String,
+    val label: String,
+    val icon: String? = null,
+    val section: String = "Other",
+    val order: Int = 1000,
+)
+package org.vibeerp.platform.metadata
+
+import assertk.assertFailure
+import assertk.assertThat
+import assertk.assertions.contains
+import assertk.assertions.isEqualTo
+import assertk.assertions.isInstanceOf
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.slot
+import io.mockk.verify
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.springframework.jdbc.core.namedparam.MapSqlParameterSource
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate
+import java.nio.file.Files
+import java.nio.file.Path
+import java.util.jar.Attributes
+import java.util.jar.JarEntry
+import java.util.jar.JarOutputStream
+import java.util.jar.Manifest
+
+/**
+ * Unit tests for [MetadataLoader].
+ *
+ * Strategy: build a tiny in-memory JAR containing a single
+ * `META-INF/vibe-erp/metadata/test.yml` file in a temp directory,
+ * load it via a `URLClassLoader`, point the loader at it with a
+ * mocked `NamedParameterJdbcTemplate`, and assert on the SQL the
+ * loader issues. We don't need a real database — the loader's
+ * contract is "given this YAML, issue these statements".
+ */
+class MetadataLoaderTest {
+
+    private lateinit var jdbc: NamedParameterJdbcTemplate
+    private lateinit var loader: MetadataLoader
+
+    @BeforeEach
+    fun setUp() {
+        jdbc = mockk(relaxed = false)
+        every { jdbc.update(any<String>(), any<MapSqlParameterSource>()) } returns 1
+        loader = MetadataLoader(jdbc)
+    }
+
+    @Test
+    fun `loadFromPluginJar on a missing file is a no-op wipe`() {
+        // The plug-in's pluginPath might not be a regular file (e.g.
+        // an unpacked dev directory). The loader should still issue
+        // the three DELETE statements so a previous-boot's leftovers
+        // for this plug-in get cleared, then return a zero result.
+        val nowhere = Path.of("/tmp/does-not-exist-${System.nanoTime()}.jar")
+
+        val result = loader.loadFromPluginJar("ghost", nowhere)
+
+        assertThat(result.entityCount).isEqualTo(0)
+        verify(atLeast = 1) {
+            jdbc.update(match<String> { it.contains("DELETE FROM metadata__entity") }, any<MapSqlParameterSource>())
+        }
+    }
+
+    @Test
+    fun `loadFromPluginJar with one entity issues one INSERT into metadata__entity`() {
+        val tempDir = Files.createTempDirectory("metadata-loader-test")
+        val jar = buildMetadataJar(
+            tempDir,
+            "META-INF/vibe-erp/metadata/test.yml",
+            """
+                entities:
+                  - name: Plate
+                    pbc: printing-shop
+                    table: plugin_printingshop__plate
+                    description: An offset printing plate
+            """.trimIndent(),
+        )
+
+        val captured = slot<MapSqlParameterSource>()
+        every {
+            jdbc.update(match<String> { it.contains("INSERT INTO metadata__entity") }, capture(captured))
+        } returns 1
+
+        val result = loader.loadFromPluginJar("printing-shop", jar)
+
+        assertThat(result.entityCount).isEqualTo(1)
+        assertThat(result.permissionCount).isEqualTo(0)
+        assertThat(result.menuCount).isEqualTo(0)
+        assertThat(result.source).isEqualTo("plugin:printing-shop")
+
+        val params = captured.captured
+        assertThat(params.getValue("source") as String).isEqualTo("plugin:printing-shop")
+        val payload = params.getValue("payload") as String
+        assertThat(payload).contains("Plate")
+        assertThat(payload).contains("printing-shop")
+        assertThat(payload).contains("plugin_printingshop__plate")
+    }
+
+    @Test
+    fun `loadFromPluginJar with mixed sections issues inserts into all three tables`() {
+        val tempDir = Files.createTempDirectory("metadata-loader-test")
+        val jar = buildMetadataJar(
+            tempDir,
+            "META-INF/vibe-erp/metadata/everything.yml",
+            """
+                entities:
+                  - name: User
+                    pbc: identity
+                    table: identity__user
+                permissions:
+                  - key: identity.user.read
+                    description: Read users
+                menus:
+                  - path: /identity/users
+                    label: Users
+                    section: System
+                    order: 100
+            """.trimIndent(),
+        )
+
+        val result = loader.loadFromPluginJar("test-plugin", jar)
+
+        assertThat(result.entityCount).isEqualTo(1)
+        assertThat(result.permissionCount).isEqualTo(1)
+        assertThat(result.menuCount).isEqualTo(1)
+        verify(exactly = 1) {
+            jdbc.update(match<String> { it.contains("INSERT INTO metadata__entity") }, any<MapSqlParameterSource>())
+        }
+        verify(exactly = 1) {
+            jdbc.update(match<String> { it.contains("INSERT INTO metadata__permission") }, any<MapSqlParameterSource>())
+        }
+        verify(exactly = 1) {
+            jdbc.update(match<String> { it.contains("INSERT INTO metadata__menu") }, any<MapSqlParameterSource>())
+        }
+    }
+
+    @Test
+    fun `loadFromPluginJar rejects blank pluginId`() {
+        val nowhere = Path.of("/tmp/dummy.jar")
+        assertFailure { loader.loadFromPluginJar("", nowhere) }
+            .isInstanceOf(IllegalArgumentException::class)
+        assertFailure { loader.loadFromPluginJar("   ", nowhere) }
+            .isInstanceOf(IllegalArgumentException::class)
+    }
+
+    // ─── helpers ───────────────────────────────────────────────────
+
+    private fun buildMetadataJar(
+        tempDir: Path,
+        entryName: String,
+        contents: String,
+    ): Path {
+        val jar = tempDir.resolve("metadata-test-${System.nanoTime()}.jar")
+        val manifest = Manifest().apply {
+            mainAttributes[Attributes.Name.MANIFEST_VERSION] = "1.0"
+        }
+        Files.newOutputStream(jar).use { fos ->
+            JarOutputStream(fos, manifest).use { jos ->
+                // Spring's PathMatchingResourcePatternResolver with the
+                // `classpath*:` + `*.yml` pattern enumerates parent
+                // directories via ClassLoader.getResources(...). JAR files
+                // built by Gradle include explicit directory entries; a
+                // hand-rolled JAR like this one needs them too or the
+                // resolver returns nothing.
+                val segments = entryName.split("/").dropLast(1)
+                val accumulated = StringBuilder()
+                for (segment in segments) {
+                    accumulated.append(segment).append("/")
+                    val dirEntry = JarEntry(accumulated.toString())
+                    jos.putNextEntry(dirEntry)
+                    jos.closeEntry()
+                }
+                jos.putNextEntry(JarEntry(entryName))
+                jos.write(contents.toByteArray(Charsets.UTF_8))
+                jos.closeEntry()
+            }
+        }
+        return jar
+    }
+}
+package org.vibeerp.platform.metadata.yaml
+
+import assertk.assertThat
+import assertk.assertions.containsExactly
+import assertk.assertions.hasSize
+import assertk.assertions.isEmpty
+import assertk.assertions.isEqualTo
+import assertk.assertions.isNotNull
+import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory
+import com.fasterxml.jackson.module.kotlin.registerKotlinModule
+import org.junit.jupiter.api.Test
+
+/**
+ * Snapshot tests on the YAML deserialization shape. They run in
+ * milliseconds and protect against accidental schema changes that
+ * would break every plug-in's metadata file.
+ */
+class MetadataYamlParseTest {
+
+    private val mapper = ObjectMapper(YAMLFactory()).registerKotlinModule()
+
+    @Test
+    fun `empty document parses to all-empty file`() {
+        val parsed = mapper.readValue("{}", MetadataYamlFile::class.java)
+        assertThat(parsed.entities).isEmpty()
+        assertThat(parsed.permissions).isEmpty()
+        assertThat(parsed.menus).isEmpty()
+    }
+
+    @Test
+    fun `document with only entities works`() {
+        val yaml = """
+            entities:
+              - name: User
+                pbc: identity
+                table: identity__user
+                description: A user account
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        assertThat(parsed.entities).hasSize(1)
+        val e = parsed.entities[0]
+        assertThat(e.name).isEqualTo("User")
+        assertThat(e.pbc).isEqualTo("identity")
+        assertThat(e.table).isEqualTo("identity__user")
+        assertThat(e.description).isEqualTo("A user account")
+    }
+
+    @Test
+    fun `entity description is optional`() {
+        val yaml = """
+            entities:
+              - name: Foo
+                pbc: bar
+                table: bar__foo
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        assertThat(parsed.entities).hasSize(1)
+        assertThat(parsed.entities[0].description).isEqualTo(null)
+    }
+
+    @Test
+    fun `permissions parse with key + description`() {
+        val yaml = """
+            permissions:
+              - key: identity.user.create
+                description: Create a user
+              - key: identity.user.delete
+                description: Delete a user
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        assertThat(parsed.permissions).hasSize(2)
+        assertThat(parsed.permissions.map { it.key }).containsExactly(
+            "identity.user.create",
+            "identity.user.delete",
+        )
+    }
+
+    @Test
+    fun `menus default section to Other and order to 1000`() {
+        val yaml = """
+            menus:
+              - path: /x
+                label: X
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        val m = parsed.menus.single()
+        assertThat(m.path).isEqualTo("/x")
+        assertThat(m.label).isEqualTo("X")
+        assertThat(m.section).isEqualTo("Other")
+        assertThat(m.order).isEqualTo(1000)
+        assertThat(m.icon).isEqualTo(null)
+    }
+
+    @Test
+    fun `unknown top-level keys are ignored`() {
+        // Forward-compat: a future plug-in built against a newer YAML
+        // schema (with `forms`, `workflows`, `rules`, …) loads cleanly
+        // on an older host that doesn't know those keys yet.
+        val yaml = """
+            entities:
+              - name: Foo
+                pbc: bar
+                table: bar__foo
+            forms:
+              - id: future-form
+            unknown_section:
+              - foo
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        assertThat(parsed.entities).hasSize(1)
+    }
+
+    @Test
+    fun `mixed file with all three sections parses`() {
+        val yaml = """
+            entities:
+              - name: Item
+                pbc: catalog
+                table: catalog__item
+            permissions:
+              - key: catalog.item.read
+                description: Read items
+            menus:
+              - path: /catalog/items
+                label: Items
+                section: Catalog
+                order: 200
+        """.trimIndent()
+
+        val parsed = mapper.readValue(yaml, MetadataYamlFile::class.java)
+
+        assertThat(parsed.entities).hasSize(1)
+        assertThat(parsed.permissions).hasSize(1)
+        assertThat(parsed.menus).hasSize(1)
+        assertThat(parsed.menus[0].section).isEqualTo("Catalog")
+        assertThat(parsed.menus[0].order).isEqualTo(200)
+    }
+}
@@ -25,6 +25,7 @@ dependencies {
     implementation(libs.kotlin.reflect)
     implementation(libs.jackson.module.kotlin)
     implementation(project(":platform:platform-events")) // for the real EventBus injected into PluginContext
+    implementation(project(":platform:platform-metadata")) // for per-plug-in MetadataLoader.load(...)
  
     implementation(libs.spring.boot.starter)
     implementation(libs.spring.boot.starter.web) // for @RestController on the dispatcher
@@ -9,6 +9,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.stereotype.Component
 import org.vibeerp.api.v1.event.EventBus
 import org.vibeerp.api.v1.plugin.PluginJdbc
+import org.vibeerp.platform.metadata.MetadataLoader
 import org.vibeerp.platform.plugins.endpoints.PluginEndpointRegistry
 import org.vibeerp.platform.plugins.endpoints.ScopedPluginEndpointRegistrar
 import org.vibeerp.platform.plugins.lint.PluginLinter
@@ -56,6 +57,7 @@ class VibeErpPluginManager(
     private val jdbc: PluginJdbc,
     private val linter: PluginLinter,
     private val liquibaseRunner: PluginLiquibaseRunner,
+    private val metadataLoader: MetadataLoader,
 ) : DefaultPluginManager(Paths.get(properties.directory)), InitializingBean, DisposableBean {
  
     private val log = LoggerFactory.getLogger(VibeErpPluginManager::class.java)
@@ -68,6 +70,18 @@ class VibeErpPluginManager(
     private val started: MutableList<Pair<String, VibeErpPlugin>> = mutableListOf()
  
     override fun afterPropertiesSet() {
+        // Load core (host classpath) metadata FIRST, regardless of plug-in
+        // settings. The metadata table needs the core entries even if no
+        // plug-ins are present, and per-plug-in metadata layers on top.
+        try {
+            metadataLoader.loadCore()
+        } catch (ex: Throwable) {
+            log.error(
+                "VibeErpPluginManager: core metadata load failed; framework will boot without core metadata",
+                ex,
+            )
+        }
+
         if (!properties.autoLoad) {
             log.info("vibe_erp plug-in auto-load disabled — skipping plug-in scan")
             return
@@ -131,6 +145,28 @@ class VibeErpPluginManager(
             if (ok) migrated += wrapper
         }
  
+        // Load the plug-in's metadata YAMLs from inside its JAR file
+        // AFTER migration but BEFORE start. We open the JAR directly
+        // (not via the plug-in's classloader) so a parent-first
+        // PluginClassLoader cannot pollute the plug-in's metadata
+        // with the host's core YAML files. Failure here is logged but
+        // does NOT abort the plug-in — metadata is informational.
+        for (wrapper in migrated) {
+            val jarPath = wrapper.pluginPath
+            if (jarPath == null) {
+                log.debug("plug-in '{}' has no jarPath; skipping metadata load", wrapper.pluginId)
+                continue
+            }
+            try {
+                metadataLoader.loadFromPluginJar(wrapper.pluginId, jarPath)
+            } catch (ex: Throwable) {
+                log.warn(
+                    "plug-in '{}' metadata load failed; the plug-in will still start without metadata",
+                    wrapper.pluginId, ex,
+                )
+            }
+        }
+
         startPlugins()
  
         // PF4J's `startPlugins()` calls each plug-in's PF4J `start()`
+# Printing-shop reference plug-in metadata.
+#
+# Loaded by MetadataLoader at plug-in start, tagged
+# source='plugin:printing-shop'. The framework's REST endpoint at
+# GET /api/v1/_meta/metadata returns these alongside the core entries
+# so the SPA's navigation grows when the plug-in is installed and
+# shrinks when it's uninstalled.
+
+entities:
+  - name: Plate
+    pbc: printing-shop
+    table: plugin_printingshop__plate
+    description: A printing plate (offset, flexo, screen) with dimensions and approval status
+
+  - name: InkRecipe
+    pbc: printing-shop
+    table: plugin_printingshop__ink_recipe
+    description: A CMYK ink recipe used to mix the actual ink for a print run
+
+permissions:
+  - key: printingshop.plate.read
+    description: Read plate records
+  - key: printingshop.plate.create
+    description: Create new plates (initially in DRAFT status)
+  - key: printingshop.plate.approve
+    description: Approve a plate, moving it from DRAFT to APPROVED
+  - key: printingshop.ink.read
+    description: Read ink recipes
+  - key: printingshop.ink.create
+    description: Create new ink recipes
+
+menus:
+  - path: /plugins/printing-shop/plates
+    label: Plates
+    icon: stamp
+    section: Printing shop
+    order: 500
+  - path: /plugins/printing-shop/inks
+    label: Inks
+    icon: palette
+    section: Printing shop
+    order: 510
@@ -36,6 +36,9 @@ project(&quot;:platform:platform-security&quot;).projectDir = file(&quot;platform/platform-secu
 include(":platform:platform-events")
 project(":platform:platform-events").projectDir = file("platform/platform-events")
  
+include(":platform:platform-metadata")
+project(":platform:platform-metadata").projectDir = file("platform/platform-metadata")
+
 // ─── Packaged Business Capabilities (core PBCs) ─────────────────────
 include(":pbc:pbc-identity")
 project(":pbc:pbc-identity").projectDir = file("pbc/pbc-identity")