refactor: apply PR #33 Review Round 2 fixes

Addresses Review Round 2 feedback for variable model refactor:

1. Remove create() method - set() is now the unified entry point
2. Remove VariableDuplicateError class (only used by create())
3. Clean up dead code: Array.isArray(existing) checks in update()/remove()/tag()
4. Add tag/label conflict validation to set() update path
5. Migrate gc.test.ts from create() to set()

Changes:
- Delete create() method (lines 381-467) and VariableDuplicateError class
- Remove Array.isArray checks from 3 methods (always null, never array)
- Remove orphaned delete() JSDoc comment
- Add 3 new tests for set() update path tag/label conflict validation
- Replace 10 create() calls with set() in gc.test.ts

Test results: 193 pass (190 existing + 3 new)
Build: clean, Lint: clean

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.workflows/retrospect-workflow.yaml

@@ -0,0 +1,220 @@
+name: "retrospect-workflow"
+description: "Post-execution retrospective: analyze a completed thread, find inefficiencies, and improve the workflow definition."
+roles:
+  analyst:
+    description: "Scans thread execution for anomalies and produces a findings report"
+    goal: "You are a workflow execution analyst. You review completed thread data to find inefficiencies, wasted effort, and procedure gaps."
+    capabilities:
+      - data-analysis
+    procedure: |
+      You receive a completed thread ID in your task prompt.
+
+      Phase 0 — Validation (must pass before any analysis):
+      1. Run `uwf step list <thread-id>` to get thread metadata including the workflow hash
+      2. Run `uwf workflow show <workflow-hash>` to get the workflow name
+      3. Verify the workflow exists locally: check `.workflows/<name>.yaml` in the current repo
+         - If NOT found: output $status=wrong_project with the workflow name. Do NOT proceed.
+      4. Compare the thread's workflow hash against the current registered version:
+         - Run `uwf workflow show <name>` to get the current hash
+         - If hashes differ: the thread ran on an older version. Note this — you will need to diff versions after analysis.
+
+      Phase 1 — Overview scan:
+      5. From the step list, compute a health signal for each step:
+         - Duration: flag if >2x the median of other steps
+         - Output tokens: flag if >2x the median
+         - Status flow: flag non-happy-path transitions (rejected, fix_code, fix_spec, hook_failed)
+         - Step count: flag if the same role appears more than expected (indicates loops)
+      6. If no anomalies found AND versions match: output $status=clean
+      7. If no anomalies found BUT versions differ:
+         - Diff the two workflow versions to check if any procedure changes are relevant
+         - If the current version already addresses potential concerns: output $status=clean with a note
+         - Otherwise: proceed to Phase 2
+
+      Phase 2 — Targeted deep-dive (only for flagged steps):
+      8. For each flagged step, run `uwf step show <hash>` to get the detail with turns
+      9. Analyze the turn sequence for:
+         - Repeated tool calls with the same or similar input (blind retries)
+         - Tool errors followed by no strategy change (same approach retried)
+         - Unnecessary exploration (reading files or running commands unrelated to the task)
+         - Hallucinated commands or flags (commands that don't exist or wrong syntax)
+         - Excessive turns before reaching the goal
+      10. For each finding, record:
+          - Which role and step hash
+          - What happened (specific turn indices and commands)
+          - Root cause hypothesis (procedure gap, missing pitfall, unclear instruction)
+          - Suggested fix (what to add/change in the procedure)
+      11. If versions differ: compare findings against the version diff.
+          Mark any finding that is already fixed in the current version as "resolved_in_current".
+          Only report findings that are NOT yet addressed.
+
+      Output a structured findings report. Set $status=clean if nothing actionable, $status=findings if unresolved issues exist, or $status=wrong_project if the workflow doesn't belong here.
+    output: "A findings report with per-issue root cause and suggested procedure fixes. Set $status to clean or findings (with report hash)."
+    frontmatter:
+      oneOf:
+        - properties:
+            $status: { const: "clean" }
+            summary: { type: string }
+          required: [$status, summary]
+        - properties:
+            $status: { const: "findings" }
+            report: { type: string }
+            targetWorkflow: { type: string }
+          required: [$status, report, targetWorkflow]
+        - properties:
+            $status: { const: "wrong_project" }
+            workflowName: { type: string }
+          required: [$status, workflowName]
+  proposer:
+    description: "Translates findings into concrete workflow edits"
+    goal: "You are a workflow improvement proposer. You read the analyst's findings and produce specific, minimal edits to the workflow YAML."
+    capabilities:
+      - planning
+    procedure: |
+      1. Read the analyst's findings report from your task prompt
+      2. Locate the target workflow YAML:
+         - Workflow definitions live in the WORKFLOW ENGINE repo (where `uwf` is developed), NOT in the repo that was analyzed.
+         - Find it via: `uwf workflow show <targetWorkflow> --format yaml` to read the current definition
+         - The physical file is `.workflows/<targetWorkflow>.yaml` in the workflow engine repo
+         - Use `git rev-parse --show-toplevel` in the current directory to find the workflow engine repo root
+      3. Read the current workflow YAML to understand existing procedures
+      4. For each finding, draft a minimal edit:
+         - Prefer adding a pitfall note or clarifying instruction over restructuring
+         - If a procedure step is ambiguous, make it explicit
+         - If a tool usage pattern is wrong, add a "Do NOT" or "IMPORTANT" note
+         - Keep edits surgical — don't rewrite procedures that work fine
+      5. Check if existing tests need updating (search for test files referencing the workflow)
+      6. Produce a change plan as CAS text node via `uwf cas put-text "<plan>"`
+
+      The plan should list each edit with:
+      - File path
+      - What to change (old text → new text, or addition)
+      - Why (linked to which finding)
+      - Any test updates needed
+    output: "A change plan stored in CAS. Set $status to ready (with plan hash and repoPath) or no_action (if findings don't warrant changes)."
+    frontmatter:
+      oneOf:
+        - properties:
+            $status: { const: "ready" }
+            plan: { type: string }
+            repoPath: { type: string }
+          required: [$status, plan, repoPath]
+        - properties:
+            $status: { const: "no_action" }
+            reason: { type: string }
+          required: [$status, reason]
+  developer:
+    description: "Applies the proposed workflow edits"
+    goal: "You are a developer agent. You apply workflow YAML edits and update related tests."
+    capabilities:
+      - coding
+    procedure: |
+      IMPORTANT: Always work in a git worktree, NEVER modify the main working directory directly.
+      The workflow definitions live in THIS repo (the workflow engine), not the repo that was analyzed.
+
+      Before starting any work, set up an isolated worktree:
+      1. Use `git rev-parse --show-toplevel` to find the repo root (do NOT use repoPath from proposer — that's the analyzed repo)
+      2. `git fetch origin` to get latest refs
+      3. `git worktree add .worktrees/retrospect/<short-slug> -b retrospect/<short-slug> origin/main`
+      4. `cd .worktrees/retrospect/<short-slug> && bun install`
+      5. ALL subsequent work must happen inside the worktree directory.
+
+      Then apply changes:
+      6. Read the change plan from CAS: `uwf cas get <plan hash>`
+      7. Apply each edit from the plan to the workflow YAML
+      8. Update or add tests as specified in the plan
+      9. Run `bun run build` and `bun test` to verify
+      10. Run `bun run check` for lint
+      11. Commit with message: `improve: <workflow-name> — <brief summary>`
+    output: "List all files changed and provide a summary. Set $status to done (with branch/worktree), or failed (with reason)."
+    frontmatter:
+      oneOf:
+        - properties:
+            $status: { const: "done" }
+            branch: { type: string }
+            worktree: { type: string }
+          required: [$status, branch, worktree]
+        - properties:
+            $status: { const: "failed" }
+            reason: { type: string }
+          required: [$status, reason]
+  reviewer:
+    description: "Reviews the workflow edits for correctness"
+    goal: "You are a reviewer. You verify that workflow edits are minimal, correct, and actually address the findings."
+    capabilities:
+      - code-review
+    procedure: |
+      The worktree path is provided in your task prompt. cd into it first.
+
+      Review criteria:
+      1. Each edit must trace back to a specific finding — no drive-by changes
+      2. Edits should be minimal — don't rewrite working procedures
+      3. New pitfall notes or instructions must be clear and actionable
+      4. Tests must be updated if assertions changed
+      5. `bun run build` and `bun test` must pass
+      6. `bunx biome check` must pass
+
+      IMPORTANT: `tea pr create` must run from the MAIN repo directory (not a worktree), because tea cannot detect the repo from worktree `.git` files.
+    output: "Explain your decision. Set $status to approved (with branch/worktree) or rejected (with comments)."
+    frontmatter:
+      oneOf:
+        - properties:
+            $status: { const: "approved" }
+            branch: { type: string }
+            worktree: { type: string }
+          required: [$status, branch, worktree]
+        - properties:
+            $status: { const: "rejected" }
+            comments: { type: string }
+            worktree: { type: string }
+          required: [$status, comments, worktree]
+  committer:
+    description: "Commits and creates PR"
+    goal: "You are a committer agent. You create a clean commit and push a PR."
+    capabilities: []
+    procedure: |
+      The worktree path, branch name, and repo info are provided in your task prompt.
+      cd into the worktree first.
+
+      Note: You inherit the developer's worktree and branch. Do NOT create a new branch.
+      1. Stage all changes: `git add -A`
+      2. Commit with a descriptive message: `git commit -m "improve: <workflow> — <summary>"`
+      3. Push the branch: `git push -u origin <branch-name>`
+         - If push hook fails: capture the error log in your output, mark hook_failed
+      4. On push success: create a PR via `tea pr create --title "..." --description "..."`
+         - IMPORTANT: `tea pr create` must run from the MAIN repo directory (not a worktree), because tea cannot detect the repo from worktree `.git` files. cd to the repo root first.
+         - Do NOT pass `--repo` — let tea auto-detect from the main repo's git remote.
+         - PR description must include: What / Why / Findings / Changes sections
+         - On tea failure: capture stderr/stdout, include PR details for manual creation, mark hook_failed
+      5. After PR creation, clean up the worktree:
+         - cd to the repo root (parent of .worktrees)
+         - `git worktree remove <worktree-path>`
+    output: "Include PR URL on success or error log on failure. Set $status to committed (with prUrl) or hook_failed (with error)."
+    frontmatter:
+      oneOf:
+        - properties:
+            $status: { const: "committed" }
+            prUrl: { type: string }
+          required: [$status, prUrl]
+        - properties:
+            $status: { const: "hook_failed" }
+            error: { type: string }
+          required: [$status, error]
+graph:
+  $START:
+    _: { role: "analyst", prompt: "Analyze completed thread {{{threadId}}} for execution anomalies." }
+  analyst:
+    clean: { role: "$END", prompt: "No issues found. Thread executed cleanly." }
+    findings: { role: "proposer", prompt: "Findings report: {{{report}}}. Target workflow: {{{targetWorkflow}}}. Propose minimal edits." }
+    wrong_project: { role: "$END", prompt: "Thread uses workflow '{{{workflowName}}}' which does not exist in this project. Run retrospect from the correct repo." }
+  proposer:
+    no_action: { role: "$END", prompt: "No actionable changes needed: {{{reason}}}." }
+    ready: { role: "developer", prompt: "Apply the change plan (CAS hash: {{{plan}}}) to the workflow definitions in this repo." }
+  developer:
+    done: { role: "reviewer", prompt: "Review workflow edits on branch {{{branch}}} at {{{worktree}}}." }
+    failed: { role: "$END", prompt: "Developer failed: {{{reason}}}. Ending workflow." }
+  reviewer:
+    rejected: { role: "developer", prompt: "Reviewer rejected: {{{comments}}}. Fix the issues in {{{worktree}}}." }
+    approved: { role: "committer", prompt: "Approved. Commit and push branch {{{branch}}} from {{{worktree}}}." }
+  committer:
+    hook_failed: { role: "developer", prompt: "Push hook failed: {{{error}}}. Fix and re-submit." }
+    committed: { role: "$END", prompt: "PR created: {{{prUrl}}}. Workflow improved." }

bun.lock

@@ -10,11 +10,12 @@
         "@changesets/cli": "^2.31.0",
         "bun-types": "^1.3.14",
         "typescript": "^5.8.0",
+        "ulidx": "^2.4.1",
       },
     },
     "packages/cli-json-cas": {
       "name": "@uncaged/cli-json-cas",
-      "version": "0.5.0",
+      "version": "0.5.3",
       "bin": {
         "json-cas": "./src/index.ts",
       },
@@ -25,7 +26,7 @@
     },
     "packages/json-cas": {
       "name": "@uncaged/json-cas",
-      "version": "0.5.0",
+      "version": "0.5.3",
       "dependencies": {
         "ajv": "^8.20.0",
         "cborg": "^4.2.3",
@@ -34,19 +35,12 @@
     },
     "packages/json-cas-fs": {
       "name": "@uncaged/json-cas-fs",
-      "version": "0.5.0",
+      "version": "0.5.3",
       "dependencies": {
         "@uncaged/json-cas": "workspace:^",
         "cborg": "^4.2.3",
       },
     },
-    "packages/json-cas-workflow": {
-      "name": "@uncaged/json-cas-workflow",
-      "version": "0.5.0",
-      "dependencies": {
-        "@uncaged/json-cas": "workspace:^",
-      },
-    },
   },
   "packages": {
     "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="],
@@ -127,8 +121,6 @@
 
     "@uncaged/json-cas-fs": ["@uncaged/json-cas-fs@workspace:packages/json-cas-fs"],
 
-    "@uncaged/json-cas-workflow": ["@uncaged/json-cas-workflow@workspace:packages/json-cas-workflow"],
-
     "ajv": ["ajv@8.20.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA=="],
 
     "ansi-colors": ["ansi-colors@4.1.3", "", {}, "sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw=="],
@@ -209,6 +201,8 @@
 
     "jsonfile": ["jsonfile@4.0.0", "", { "optionalDependencies": { "graceful-fs": "^4.1.6" } }, "sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg=="],
 
+    "layerr": ["layerr@3.0.0", "", {}, "sha512-tv754Ki2dXpPVApOrjTyRo4/QegVb9eVFq4mjqp4+NM5NaX7syQvN5BBNfV/ZpAHCEHV24XdUVrBAoka4jt3pA=="],
+
     "locate-path": ["locate-path@5.0.0", "", { "dependencies": { "p-locate": "^4.1.0" } }, "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g=="],
 
     "lodash.startcase": ["lodash.startcase@4.4.0", "", {}, "sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg=="],
@@ -291,6 +285,8 @@
 
     "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
 
+    "ulidx": ["ulidx@2.4.1", "", { "dependencies": { "layerr": "^3.0.0" } }, "sha512-xY7c8LPyzvhvew0Fn+Ek3wBC9STZAuDI/Y5andCKi9AX6/jvfaX45PhsDX8oxgPL0YFp0Jhr8qWMbS/p9375Xg=="],
+
     "undici-types": ["undici-types@7.24.6", "", {}, "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg=="],
 
     "universalify": ["universalify@0.1.2", "", {}, "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg=="],

package.json

@@ -9,7 +9,8 @@
     "@changesets/changelog-github": "^0.7.0",
     "@changesets/cli": "^2.31.0",
     "bun-types": "^1.3.14",
-    "typescript": "^5.8.0"
+    "typescript": "^5.8.0",
+    "ulidx": "^2.4.1"
   },
   "scripts": {
     "build": "tsc --build packages/json-cas packages/json-cas-fs",

packages/cli-json-cas/package.json

@@ -3,7 +3,8 @@
   "version": "0.5.3",
   "type": "module",
   "bin": {
-    "json-cas": "./src/index.ts"
+    "json-cas": "./src/index.ts",
+    "ucas": "./src/index.ts"
   },
   "scripts": {
     "test": "bun test",

packages/cli-json-cas/src/cli.test.ts

@@ -0,0 +1,33 @@
+import { describe, expect, test } from "bun:test";
+import { resolve } from "node:path";
+
+const pkgPath = resolve(import.meta.dir, "../package.json");
+
+describe("ucas command alias", () => {
+  test("T1: ucas bin entry exists in package.json", async () => {
+    const pkg = await Bun.file(pkgPath).json();
+    expect(pkg.bin.ucas).toBe("./src/index.ts");
+  });
+
+  test("T2: json-cas bin entry is preserved in package.json", async () => {
+    const pkg = await Bun.file(pkgPath).json();
+    expect(pkg.bin["json-cas"]).toBe("./src/index.ts");
+  });
+
+  test("T3: ucas command is executable and shows help", async () => {
+    const entrypoint = resolve(import.meta.dir, "index.ts");
+    const proc = Bun.spawn(["bun", entrypoint, "--help"], {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const exitCode = await proc.exited;
+    const stdout = await new Response(proc.stdout).text();
+    expect(exitCode).toBe(0);
+    expect(stdout.length).toBeGreaterThan(0);
+  });
+
+  test("T4: both commands point to the same entrypoint", async () => {
+    const pkg = await Bun.file(pkgPath).json();
+    expect(pkg.bin.ucas).toBe(pkg.bin["json-cas"]);
+  });
+});

packages/cli-json-cas/src/index.ts

@@ -3,13 +3,21 @@
 import { mkdirSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join, resolve } from "node:path";
-import type { Hash, JSONSchema, Store } from "@uncaged/json-cas";
+import type { Hash, JSONSchema, Store, VariableStore } from "@uncaged/json-cas";
 import {
   bootstrap,
+  CasNodeNotFoundError,
   computeHash,
+  createVariableStore,
+  gc,
   getSchema,
+  InvalidScopeError,
+  InvalidTagFormatError,
   putSchema,
   refs,
+  SchemaMismatchError,
+  TagLabelConflictError,
+  VariableNotFoundError,
   validate,
   verify,
   walk,
@@ -18,10 +26,17 @@ import { createFsStore } from "@uncaged/json-cas-fs";
 
 // ---- Argument parsing ----
 
-type Flags = Record<string, string | boolean>;
+type Flags = Record<string, string | boolean | string[]>;
 
 /** Flags that consume the next token as their value. All others are boolean. */
-const VALUE_FLAGS = new Set(["store", "format"]);
+const VALUE_FLAGS = new Set([
+  "store",
+  "format",
+  "scope",
+  "value",
+  "var-db",
+  "tag",
+]);
 
 function parseArgs(argv: string[]): { flags: Flags; positional: string[] } {
   const flags: Flags = {};
@@ -34,7 +49,19 @@ function parseArgs(argv: string[]): { flags: Flags; positional: string[] } {
       if (VALUE_FLAGS.has(key)) {
         const next = argv[i + 1];
         if (next !== undefined && !next.startsWith("--")) {
-          flags[key] = next;
+          // Handle repeatable flags (like --tag)
+          if (key === "tag") {
+            const existing = flags[key];
+            if (Array.isArray(existing)) {
+              existing.push(next);
+            } else if (typeof existing === "string") {
+              flags[key] = [existing, next];
+            } else {
+              flags[key] = [next];
+            }
+          } else {
+            flags[key] = next;
+          }
           i++;
         } else {
           flags[key] = true;
@@ -57,6 +84,10 @@ const storePath =
   typeof flags.store === "string" ? flags.store : defaultStorePath;
 const compact = flags.json === true;
 
+const defaultVarDbPath = join(storePath, "variables.db");
+const varDbPath =
+  typeof flags["var-db"] === "string" ? flags["var-db"] : defaultVarDbPath;
+
 // ---- Helpers ----
 
 function out(data: unknown): void {
@@ -80,6 +111,95 @@ function openStore(): Store {
   return createFsStore(resolve(storePath));
 }
 
+function openVarStore(): VariableStore {
+  const store = openStore();
+  mkdirSync(resolve(storePath), { recursive: true });
+  return createVariableStore(resolve(varDbPath), store);
+}
+
+/**
+ * Get the Variable schema's CAS hash
+ * This is the type hash used in JSON envelopes
+ */
+async function getVariableSchemaHash(): Promise<Hash> {
+  const store = openStore();
+
+  // Define the Variable JSON Schema (simple version for envelope)
+  const variableSchema: JSONSchema = {
+    title: "Variable",
+    type: "object",
+    properties: {
+      id: { type: "string" },
+      scope: { type: "string" },
+      value: { type: "string" },
+      schema: { type: "string" },
+      created: { type: "number" },
+      updated: { type: "number" },
+      tags: { type: "object" },
+      labels: { type: "array", items: { type: "string" } },
+    },
+    required: [
+      "id",
+      "scope",
+      "value",
+      "schema",
+      "created",
+      "updated",
+      "tags",
+      "labels",
+    ],
+  };
+
+  // Compute hash or retrieve from store
+  const hash = await putSchema(store, variableSchema);
+  return hash;
+}
+
+/**
+ * Wrap Variable output in JSON envelope
+ */
+async function wrapVariableEnvelope(
+  variable: unknown,
+): Promise<{ type: Hash; value: unknown }> {
+  const typeHash = await getVariableSchemaHash();
+  return {
+    type: typeHash,
+    value: variable,
+  };
+}
+
+/**
+ * Parse tag/label arguments
+ * Returns: { tags: Record<string, string>, labels: string[], deleteNames: string[] }
+ */
+function parseTagsLabels(args: string[]): {
+  tags: Record<string, string>;
+  labels: string[];
+  deleteNames: string[];
+} {
+  const tags: Record<string, string> = {};
+  const labels: string[] = [];
+  const deleteNames: string[] = [];
+
+  for (const arg of args) {
+    if (arg.startsWith(":")) {
+      // Deletion syntax: :name
+      deleteNames.push(arg.slice(1));
+    } else if (arg.includes(":")) {
+      // Tag: key:value (split on first colon)
+      const colonIdx = arg.indexOf(":");
+      const key = arg.slice(0, colonIdx);
+      const value = arg.slice(colonIdx + 1);
+      tags[key] = value;
+    } else {
+      // Label: bare identifier
+      labels.push(arg);
+    }
+  }
+
+  return { tags, labels, deleteNames };
+}
+
 // ---- Commands ----
 
 async function cmdInit(): Promise<void> {
@@ -250,6 +370,201 @@ async function cmdCat(args: string[]): Promise<void> {
   }
 }
 
+async function cmdVarCreate(_args: string[]): Promise<void> {
+  const scope = flags.scope as string | undefined;
+  const value = flags.value as string | undefined;
+  const tagFlags = flags.tag;
+
+  if (!scope) die("Usage: json-cas var create --scope <scope> --value <hash>");
+  if (!value) die("Usage: json-cas var create --scope <scope> --value <hash>");
+
+  const varStore = openVarStore();
+
+  try {
+    // Parse tags/labels from --tag flags
+    const tagArgs = Array.isArray(tagFlags)
+      ? tagFlags
+      : typeof tagFlags === "string"
+        ? [tagFlags]
+        : [];
+    const { tags, labels, deleteNames } = parseTagsLabels(tagArgs);
+
+    // Check for conflicts in initial tags/labels
+    if (deleteNames.length > 0) {
+      die("Error: Cannot use deletion syntax (:name) in var create");
+    }
+
+    const variable = varStore.create(scope, value, {
+      tags: Object.keys(tags).length > 0 ? tags : undefined,
+      labels: labels.length > 0 ? labels : undefined,
+    });
+    const envelope = await wrapVariableEnvelope(variable);
+    out(envelope);
+  } catch (e) {
+    if (
+      e instanceof InvalidScopeError ||
+      e instanceof CasNodeNotFoundError ||
+      e instanceof TagLabelConflictError
+    ) {
+      die(`Error: ${e.message}`);
+    }
+    throw e;
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdVarGet(args: string[]): Promise<void> {
+  const id = args[0];
+  if (!id) die("Usage: json-cas var get <id>");
+
+  const varStore = openVarStore();
+
+  try {
+    const variable = varStore.get(id);
+    if (variable === null) {
+      die(`Error: Variable not found: ${id}`);
+    }
+    const envelope = await wrapVariableEnvelope(variable);
+    out(envelope);
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdVarUpdate(args: string[]): Promise<void> {
+  const id = args[0];
+  const value = args[1];
+
+  if (!id || !value) {
+    die("Usage: json-cas var update <id> <hash>");
+  }
+
+  const varStore = openVarStore();
+
+  try {
+    const variable = varStore.update(id, value);
+    const envelope = await wrapVariableEnvelope(variable);
+    out(envelope);
+  } catch (e) {
+    if (
+      e instanceof VariableNotFoundError ||
+      e instanceof SchemaMismatchError ||
+      e instanceof CasNodeNotFoundError
+    ) {
+      die(`Error: ${e.message}`);
+    }
+    throw e;
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdVarDelete(args: string[]): Promise<void> {
+  const id = args[0];
+  if (!id) die("Usage: json-cas var delete <id>");
+
+  const varStore = openVarStore();
+
+  try {
+    const variable = varStore.delete(id);
+    const envelope = await wrapVariableEnvelope(variable);
+    out(envelope);
+  } catch (e) {
+    if (e instanceof VariableNotFoundError) {
+      die(`Error: ${e.message}`);
+    }
+    throw e;
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdVarTag(args: string[]): Promise<void> {
+  const id = args[0];
+  if (!id) die("Usage: json-cas var tag <id> <tag>...");
+
+  const tagArgs = args.slice(1);
+  if (tagArgs.length === 0) {
+    die("Usage: json-cas var tag <id> <tag>...");
+  }
+
+  const varStore = openVarStore();
+
+  try {
+    const { tags, labels, deleteNames } = parseTagsLabels(tagArgs);
+
+    const variable = varStore.tag(id, {
+      add: Object.keys(tags).length > 0 ? tags : undefined,
+      addLabels: labels.length > 0 ? labels : undefined,
+      delete: deleteNames.length > 0 ? deleteNames : undefined,
+    });
+
+    const envelope = await wrapVariableEnvelope(variable);
+    out(envelope);
+  } catch (e) {
+    if (
+      e instanceof VariableNotFoundError ||
+      e instanceof TagLabelConflictError ||
+      e instanceof InvalidTagFormatError
+    ) {
+      die(`Error: ${e.message}`);
+    }
+    throw e;
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdVarList(_args: string[]): Promise<void> {
+  const scope = (flags.scope as string | undefined) ?? "";
+  const tagFlags = flags.tag;
+
+  const varStore = openVarStore();
+
+  try {
+    // Parse tags/labels from --tag flags
+    const tagArgs = Array.isArray(tagFlags)
+      ? tagFlags
+      : typeof tagFlags === "string"
+        ? [tagFlags]
+        : [];
+    const { tags, labels, deleteNames } = parseTagsLabels(tagArgs);
+
+    // Check for invalid deletion syntax in filters
+    if (deleteNames.length > 0) {
+      die("Error: Cannot use deletion syntax (:name) in var list filters");
+    }
+
+    const variables = varStore.list({
+      scope,
+      tags: Object.keys(tags).length > 0 ? tags : undefined,
+      labels: labels.length > 0 ? labels : undefined,
+    });
+    const envelope = await wrapVariableEnvelope(variables);
+    out(envelope);
+  } catch (e) {
+    if (e instanceof InvalidScopeError) {
+      die(`Error: ${e.message}`);
+    }
+    throw e;
+  } finally {
+    varStore.close();
+  }
+}
+
+async function cmdGc(_args: string[]): Promise<void> {
+  const store = createFsStore(storePath);
+  const varStore = createVariableStore(varDbPath, store);
+
+  try {
+    const stats = gc(store, varStore);
+    out(stats);
+  } finally {
+    varStore.close();
+  }
+}
+
 function printUsage(): void {
   console.log(`\
 Usage: json-cas [--store <path>] [--json] <command> [args]
@@ -269,10 +584,19 @@ Commands:
   walk <hash> [--format tree]       Recursive traversal
   hash <type-hash> <file.json>      Compute hash without storing (dry run)
   cat <hash> [--payload]            Output node (--payload for payload only)
+  var create --scope <s> --value <h> [--tag <tag>...] Create a variable
+  var get <id>                      Get a variable by ID
+  var update <id> <hash>            Update variable value
+  var delete <id>                   Delete a variable
+  var tag <id> <tag>...             Add/update/delete tags and labels
+  var list [--scope <prefix>] [--tag <tag>...] List variables (filter by scope/tags/labels)
+  gc                                Run garbage collection
 
 Flags:
   --store <path>   Store directory (default: ~/.uncaged/json-cas)
-  --json           Compact JSON output`);
+  --var-db <path>  Variable database path (default: <store>/variables.db)
+  --json           Compact JSON output
+  --tag <tag>      Tag/label (can be repeated): key:value (tag), name (label), :name (delete)`);
 }
 
 // ---- Dispatch ----
@@ -346,6 +670,37 @@ switch (cmd) {
     await cmdCat(rest);
     break;
 
+  case "var": {
+    const [sub, ...subRest] = rest;
+    switch (sub) {
+      case "create":
+        await cmdVarCreate(subRest);
+        break;
+      case "get":
+        await cmdVarGet(subRest);
+        break;
+      case "update":
+        await cmdVarUpdate(subRest);
+        break;
+      case "delete":
+        await cmdVarDelete(subRest);
+        break;
+      case "tag":
+        await cmdVarTag(subRest);
+        break;
+      case "list":
+        await cmdVarList(subRest);
+        break;
+      default:
+        die(`Unknown var subcommand: ${sub ?? "(none)"}`);
+    }
+    break;
+  }
+
+  case "gc":
+    await cmdGc(rest);
+    break;
+
   default:
     die(`Unknown command: ${cmd}`);
 }

packages/json-cas-fs/src/store.ts

@@ -5,6 +5,7 @@ import {
   readdirSync,
   readFileSync,
   renameSync,
+  unlinkSync,
   writeFileSync,
 } from "node:fs";
 import { join } from "node:path";
@@ -175,6 +176,44 @@ export function createFsStore(dir: string): BootstrapCapableStore {
       return typeIndex.get(typeHash) ?? [];
     },
 
+    listAll(): Hash[] {
+      return Array.from(data.keys());
+    },
+
+    delete(hash: Hash): void {
+      const node = data.get(hash);
+      if (node) {
+        data.delete(hash);
+        // Delete file
+        try {
+          unlinkSync(join(dir, `${hash}.bin`));
+        } catch {
+          // ignore if file doesn't exist
+        }
+        // Remove from type index
+        const list = typeIndex.get(node.type);
+        if (list) {
+          const idx = list.indexOf(hash);
+          if (idx !== -1) {
+            list.splice(idx, 1);
+          }
+          if (list.length === 0) {
+            typeIndex.delete(node.type);
+            // Delete empty index file
+            try {
+              unlinkSync(join(indexDir, node.type));
+            } catch {
+              // ignore
+            }
+          } else {
+            // Rewrite index file
+            const body = `${list.join("\n")}\n`;
+            writeFileSync(join(indexDir, node.type), body, "utf8");
+          }
+        }
+      }
+    },
+
     [BOOTSTRAP_STORE]: putSelfReferencing,
   };
 

packages/json-cas/src/gc.test.ts

@@ -0,0 +1,179 @@
+import { afterEach, describe, expect, test } from "bun:test";
+import { unlinkSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { bootstrap } from "./bootstrap.js";
+import { gc } from "./gc.js";
+import { putSchema } from "./schema.js";
+import { createMemoryStore } from "./store.js";
+import type { Store } from "./types.js";
+import { VariableStore } from "./variable-store.js";
+
+const tmpDbPath = () =>
+  join(
+    tmpdir(),
+    `test-gc-${Date.now()}-${Math.random().toString(36).slice(2)}.db`,
+  );
+
+describe("GC - Variable Model Refactoring", () => {
+  let store: Store;
+  let dbPath: string;
+
+  afterEach(() => {
+    try {
+      unlinkSync(dbPath);
+    } catch {
+      // Ignore cleanup errors
+    }
+  });
+
+  test("GC preserves variable-referenced nodes", async () => {
+    store = createMemoryStore();
+    await bootstrap(store);
+    const schema = { type: "object", properties: { name: { type: "string" } } };
+    const schemaHash = await putSchema(store, schema);
+
+    const hashRef = await store.put(schemaHash, { name: "referenced" });
+    const hashOrphan = await store.put(schemaHash, { name: "orphan" });
+
+    dbPath = tmpDbPath();
+    const varStore = new VariableStore(dbPath, store);
+
+    varStore.set("config", hashRef);
+
+    const stats = gc(store, varStore);
+
+    expect(store.has(hashRef)).toBe(true);
+    expect(store.has(hashOrphan)).toBe(false);
+    expect(stats.scanned).toBe(1);
+    expect(stats.collected).toBeGreaterThanOrEqual(1);
+
+    varStore.close();
+  });
+
+  test("GC preserves nodes from variables with same name, different schemas", async () => {
+    store = createMemoryStore();
+    await bootstrap(store);
+    const schemaA = { type: "object", properties: { x: { type: "number" } } };
+    const schemaB = { type: "object", properties: { y: { type: "string" } } };
+    const schemaAHash = await putSchema(store, schemaA);
+    const schemaBHash = await putSchema(store, schemaB);
+
+    const hashA = await store.put(schemaAHash, { x: 42 });
+    const hashB = await store.put(schemaBHash, { y: "hello" });
+    const hashOrphan = await store.put(schemaAHash, { x: 99 });
+
+    dbPath = tmpDbPath();
+    const varStore = new VariableStore(dbPath, store);
+
+    varStore.set("config", hashA);
+    varStore.set("config", hashB);
+
+    const stats = gc(store, varStore);
+
+    expect(store.has(hashA)).toBe(true);
+    expect(store.has(hashB)).toBe(true);
+    expect(store.has(hashOrphan)).toBe(false);
+    expect(stats.scanned).toBe(2);
+
+    varStore.close();
+  });
+
+  test("GC removes nodes after variable deletion", async () => {
+    store = createMemoryStore();
+    await bootstrap(store);
+    const schema = { type: "object", properties: { name: { type: "string" } } };
+    const schemaHash = await putSchema(store, schema);
+
+    const hashRef = await store.put(schemaHash, { name: "referenced" });
+
+    dbPath = tmpDbPath();
+    const varStore = new VariableStore(dbPath, store);
+
+    varStore.set("config", hashRef);
+    varStore.remove("config", schemaHash);
+
+    const stats = gc(store, varStore);
+
+    expect(store.has(hashRef)).toBe(false);
+    expect(stats.scanned).toBe(0);
+
+    varStore.close();
+  });
+
+  test("GC is global across all variables", async () => {
+    store = createMemoryStore();
+    await bootstrap(store);
+    const schemaA = { type: "object", properties: { x: { type: "number" } } };
+    const schemaB = { type: "object", properties: { y: { type: "string" } } };
+    const schemaAHash = await putSchema(store, schemaA);
+    const schemaBHash = await putSchema(store, schemaB);
+
+    const hash1 = await store.put(schemaAHash, { x: 1 });
+    const hash2 = await store.put(schemaAHash, { x: 2 });
+    const hash3 = await store.put(schemaBHash, { y: "a" });
+    const hashOrphan = await store.put(schemaAHash, { x: 999 });
+
+    dbPath = tmpDbPath();
+    const varStore = new VariableStore(dbPath, store);
+
+    varStore.set("uwf.thread", hash1);
+    varStore.set("uwf.workflow", hash2);
+    varStore.set("app.config", hash3);
+
+    const stats = gc(store, varStore);
+
+    expect(store.has(hash1)).toBe(true);
+    expect(store.has(hash2)).toBe(true);
+    expect(store.has(hash3)).toBe(true);
+    expect(store.has(hashOrphan)).toBe(false);
+    expect(stats.scanned).toBe(3);
+
+    varStore.close();
+  });
+
+  test("GC integration with refactored variable store", async () => {
+    store = createMemoryStore();
+    await bootstrap(store);
+
+    const schemaA = { type: "object", properties: { x: { type: "number" } } };
+    const schemaB = { type: "object", properties: { y: { type: "string" } } };
+    const schemaAHash = await putSchema(store, schemaA);
+    const schemaBHash = await putSchema(store, schemaB);
+
+    const hashA1 = await store.put(schemaAHash, { x: 1 });
+    const hashA2 = await store.put(schemaAHash, { x: 2 });
+    const hashB = await store.put(schemaBHash, { y: "hello" });
+    const hashOrphan1 = await store.put(schemaAHash, { x: 999 });
+    const hashOrphan2 = await store.put(schemaBHash, { y: "orphan" });
+
+    dbPath = tmpDbPath();
+    const varStore = new VariableStore(dbPath, store);
+
+    // Create variables
+    varStore.set("var1", hashA1);
+    varStore.set("var2", hashA2);
+    varStore.set("var3", hashB);
+
+    // First GC: orphans removed
+    let stats = gc(store, varStore);
+    expect(store.has(hashA1)).toBe(true);
+    expect(store.has(hashA2)).toBe(true);
+    expect(store.has(hashB)).toBe(true);
+    expect(store.has(hashOrphan1)).toBe(false);
+    expect(store.has(hashOrphan2)).toBe(false);
+    expect(stats.scanned).toBe(3);
+
+    // Delete one variable
+    varStore.remove("var2", schemaAHash);
+
+    // Second GC: hashA2 removed
+    stats = gc(store, varStore);
+    expect(store.has(hashA1)).toBe(true);
+    expect(store.has(hashA2)).toBe(false);
+    expect(store.has(hashB)).toBe(true);
+    expect(stats.scanned).toBe(2);
+
+    varStore.close();
+  });
+});

packages/json-cas/src/gc.ts

@@ -0,0 +1,94 @@
+import { walk } from "./schema.js";
+import type { Hash, Store } from "./types.js";
+import type { VariableStore } from "./variable-store.js";
+
+export interface GcStats {
+  total: number; // Total CAS nodes before GC
+  reachable: number; // Nodes marked as reachable
+  collected: number; // Nodes deleted (swept)
+  scanned: number; // Variables scanned as roots
+}
+
+/**
+ * Garbage collection: mark-and-sweep algorithm
+ * - Roots: all variable values (global, not scoped)
+ * - Mark: recursively walk refs from roots
+ * - Sweep: delete unmarked nodes
+ * - Schema preservation: schemas of reachable nodes are also marked
+ */
+export function gc(store: Store, varStore: VariableStore): GcStats {
+  // Get all variables (no filters → global)
+  const variables = varStore.list();
+  const scanned = variables.length;
+
+  // Collect unique root hashes from all variables
+  const roots = new Set<Hash>();
+  for (const variable of variables) {
+    roots.add(variable.value);
+  }
+
+  // Mark phase: walk from all roots
+  const reachable = new Set<Hash>();
+
+  for (const rootHash of roots) {
+    walk(store, rootHash, (hash, node) => {
+      // Mark the node itself
+      reachable.add(hash);
+      // Mark the schema (type) of the node
+      reachable.add(node.type);
+    });
+  }
+
+  // Walk the schema chain to ensure bootstrap meta-schema is preserved
+  // For each reachable schema, walk its schema chain (not its references)
+  const schemasToWalk = new Set<Hash>();
+  for (const hash of reachable) {
+    const node = store.get(hash);
+    if (node) {
+      schemasToWalk.add(node.type);
+    }
+  }
+
+  for (const schemaHash of schemasToWalk) {
+    // Walk the schema's type chain (meta-schema, etc.)
+    let current: Hash | null = schemaHash;
+    while (current !== null && !reachable.has(current)) {
+      reachable.add(current);
+      const node = store.get(current);
+      if (!node || node.type === current) {
+        // Self-referencing or missing node, stop
+        break;
+      }
+      current = node.type;
+    }
+  }
+
+  // Preserve all self-referencing nodes (bootstrap meta-schema)
+  // These are nodes where type === hash
+  const allHashes = store.listAll();
+  for (const hash of allHashes) {
+    const node = store.get(hash);
+    if (node && node.type === hash) {
+      reachable.add(hash);
+    }
+  }
+
+  // Count total nodes
+  const total = allHashes.length;
+
+  // Sweep phase: delete unmarked nodes
+  let collected = 0;
+  for (const hash of allHashes) {
+    if (!reachable.has(hash)) {
+      store.delete(hash);
+      collected++;
+    }
+  }
+
+  return {
+    total,
+    reachable: reachable.size,
+    collected,
+    scanned,
+  };
+}

packages/json-cas/src/index.ts

@@ -2,6 +2,7 @@ export { bootstrap } from "./bootstrap.js";
 export type { BootstrapCapableStore } from "./bootstrap-capable.js";
 export { BOOTSTRAP_STORE } from "./bootstrap-capable.js";
 export { cborEncode } from "./cbor.js";
+export { type GcStats, gc } from "./gc.js";
 export { computeHash, computeSelfHash } from "./hash.js";
 export type { JSONSchema } from "./schema.js";
 export {
@@ -14,4 +15,15 @@ export {
 } from "./schema.js";
 export { createMemoryStore } from "./store.js";
 export type { CasNode, Hash, Store } from "./types.js";
+export type { Variable } from "./variable.js";
+export {
+  CasNodeNotFoundError,
+  createVariableStore,
+  InvalidTagFormatError,
+  InvalidVariableNameError,
+  SchemaMismatchError,
+  TagLabelConflictError,
+  VariableNotFoundError,
+  VariableStore,
+} from "./variable-store.js";
 export { verify } from "./verify.js";

packages/json-cas/src/mem-store.ts

@@ -27,6 +27,14 @@ export class MemStore implements BootstrapCapableStore {
     return this.#inner.listByType(typeHash);
   }
 
+  listAll(): Hash[] {
+    return this.#inner.listAll();
+  }
+
+  delete(hash: Hash): void {
+    this.#inner.delete(hash);
+  }
+
   [BOOTSTRAP_STORE](payload: unknown): Promise<Hash> {
     return this.#inner[BOOTSTRAP_STORE](payload);
   }

packages/json-cas/src/store.ts

@@ -52,6 +52,25 @@ export function createMemoryStore(): BootstrapCapableStore {
       return set ? [...set] : [];
     },
 
+    listAll(): Hash[] {
+      return Array.from(data.keys());
+    },
+
+    delete(hash: Hash): void {
+      const node = data.get(hash);
+      if (node) {
+        data.delete(hash);
+        // Remove from type index
+        const set = byType.get(node.type);
+        if (set) {
+          set.delete(hash);
+          if (set.size === 0) {
+            byType.delete(node.type);
+          }
+        }
+      }
+    },
+
     [BOOTSTRAP_STORE]: putSelfReferencing,
   };
 

packages/json-cas/src/types.ts

@@ -24,4 +24,6 @@ export type Store = {
   get(hash: Hash): CasNode | null;
   has(hash: Hash): boolean;
   listByType(typeHash: Hash): Hash[];
+  listAll(): Hash[];
+  delete(hash: Hash): void;
 };

packages/json-cas/src/variable-store.ts

@@ -0,0 +1,719 @@
+import { Database } from "bun:sqlite";
+import type { Hash, Store } from "./types.js";
+import type { Variable } from "./variable.js";
+
+/**
+ * Custom error types for variable operations
+ */
+export class VariableNotFoundError extends Error {
+  constructor(
+    public variableName: string,
+    public variableSchema: Hash,
+  ) {
+    super(`Variable not found: name=${variableName}, schema=${variableSchema}`);
+    this.name = "VariableNotFoundError";
+  }
+}
+
+export class InvalidVariableNameError extends Error {
+  constructor(
+    public variableName: string,
+    public reason: string,
+  ) {
+    super(`Invalid variable name "${variableName}": ${reason}`);
+    this.name = "InvalidVariableNameError";
+  }
+}
+
+export class SchemaMismatchError extends Error {
+  constructor(
+    public expected: string,
+    public actual: string,
+  ) {
+    super(`Schema mismatch: expected ${expected}, got ${actual}`);
+    this.name = "SchemaMismatchError";
+  }
+}
+
+export class CasNodeNotFoundError extends Error {
+  constructor(hash: string) {
+    super(`CAS node not found: ${hash}`);
+    this.name = "CasNodeNotFoundError";
+  }
+}
+
+export class TagLabelConflictError extends Error {
+  constructor(
+    public conflictName: string,
+    public existingType: "tag" | "label",
+    public attemptedType: "tag" | "label",
+  ) {
+    super(`Conflict: '${conflictName}' already exists as a ${existingType}`);
+    this.name = "TagLabelConflictError";
+  }
+}
+
+export class InvalidTagFormatError extends Error {
+  constructor(tag: string) {
+    super(`Invalid tag format: ${tag}`);
+    this.name = "InvalidTagFormatError";
+  }
+}
+
+/**
+ * Variable store with SQLite backend
+ */
+export class VariableStore {
+  private db: Database;
+
+  constructor(
+    dbPath: string,
+    private casStore: Store,
+  ) {
+    this.db = new Database(dbPath, { create: true });
+    // Enable foreign keys
+    this.db.exec("PRAGMA foreign_keys = ON");
+    this.initDb();
+  }
+
+  private initDb(): void {
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS variables (
+        name TEXT NOT NULL,
+        schema TEXT NOT NULL,
+        value TEXT NOT NULL,
+        created INTEGER NOT NULL,
+        updated INTEGER NOT NULL,
+        PRIMARY KEY (name, schema)
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_var_name ON variables(name);
+      CREATE INDEX IF NOT EXISTS idx_var_value ON variables(value);
+      CREATE INDEX IF NOT EXISTS idx_var_schema ON variables(schema);
+
+      CREATE TABLE IF NOT EXISTS variable_tags (
+        variable_name TEXT NOT NULL,
+        variable_schema TEXT NOT NULL,
+        key TEXT NOT NULL,
+        value TEXT NOT NULL,
+        PRIMARY KEY (variable_name, variable_schema, key),
+        FOREIGN KEY (variable_name, variable_schema) REFERENCES variables(name, schema) ON DELETE CASCADE
+      );
+
+      CREATE TABLE IF NOT EXISTS variable_labels (
+        variable_name TEXT NOT NULL,
+        variable_schema TEXT NOT NULL,
+        name TEXT NOT NULL,
+        PRIMARY KEY (variable_name, variable_schema, name),
+        FOREIGN KEY (variable_name, variable_schema) REFERENCES variables(name, schema) ON DELETE CASCADE
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_var_tag_key ON variable_tags(key);
+      CREATE INDEX IF NOT EXISTS idx_var_tag_key_value ON variable_tags(key, value);
+      CREATE INDEX IF NOT EXISTS idx_var_label_name ON variable_labels(name);
+    `);
+  }
+
+  /**
+   * Validate variable name format
+   */
+  private validateName(name: string): void {
+    // Rule 1: Cannot be empty
+    if (name === "") {
+      throw new InvalidVariableNameError(name, "Name cannot be empty");
+    }
+
+    // Rule 2: No leading slash
+    if (name.startsWith("/")) {
+      throw new InvalidVariableNameError(
+        name,
+        "Name cannot start with leading slash",
+      );
+    }
+
+    // Rule 3: No trailing slash
+    if (name.endsWith("/")) {
+      throw new InvalidVariableNameError(
+        name,
+        "Name cannot end with trailing slash",
+      );
+    }
+
+    // Rule 4: Each segment must match [a-zA-Z0-9._-]+ and no empty segments
+    const segments = name.split("/");
+    for (const segment of segments) {
+      if (segment === "") {
+        throw new InvalidVariableNameError(
+          name,
+          "Name contains empty segment (consecutive slashes //)",
+        );
+      }
+
+      // Check for invalid characters
+      if (!/^[a-zA-Z0-9._-]+$/.test(segment)) {
+        throw new InvalidVariableNameError(
+          name,
+          `Segment "${segment}" contains invalid characters (only a-z, A-Z, 0-9, ., _, - allowed)`,
+        );
+      }
+    }
+  }
+
+  /**
+   * Extract schema hash from CAS node
+   */
+  private extractSchema(hash: string): string {
+    const node = this.casStore.get(hash);
+    if (node === null) {
+      throw new CasNodeNotFoundError(hash);
+    }
+    return node.type;
+  }
+
+  /**
+   * Load tags for a variable
+   */
+  private loadTags(name: string, schema: Hash): Record<string, string> {
+    const stmt = this.db.prepare(`
+      SELECT key, value
+      FROM variable_tags
+      WHERE variable_name = ? AND variable_schema = ?
+    `);
+
+    const rows = stmt.all(name, schema) as Array<{
+      key: string;
+      value: string;
+    }>;
+    const tags: Record<string, string> = {};
+    for (const row of rows) {
+      tags[row.key] = row.value;
+    }
+    return tags;
+  }
+
+  /**
+   * Load labels for a variable
+   */
+  private loadLabels(name: string, schema: Hash): string[] {
+    const stmt = this.db.prepare(`
+      SELECT name
+      FROM variable_labels
+      WHERE variable_name = ? AND variable_schema = ?
+      ORDER BY name ASC
+    `);
+
+    const rows = stmt.all(name, schema) as Array<{ name: string }>;
+    return rows.map((row) => row.name);
+  }
+
+  /**
+   * Set a variable (upsert: create or update)
+   */
+  set(
+    name: string,
+    value: string,
+    options?: {
+      tags?: Record<string, string>;
+      labels?: string[];
+    },
+  ): Variable {
+    // Validate name format
+    this.validateName(name);
+
+    const schema = this.extractSchema(value);
+
+    // Check if variable exists
+    const existing = this.get(name, schema);
+
+    if (existing !== null) {
+      // Update existing variable
+      const now = Date.now();
+
+      // If options provided, use them; otherwise preserve existing
+      const tags = options?.tags ?? existing.tags;
+      const labels = options?.labels ?? existing.labels;
+
+      // Check for tag/label conflicts when updating with new options
+      if (options !== undefined) {
+        const tagKeys = Object.keys(tags);
+        for (const key of tagKeys) {
+          if (labels.includes(key)) {
+            throw new TagLabelConflictError(key, "label", "tag");
+          }
+        }
+      }
+
+      this.db.exec("BEGIN TRANSACTION");
+
+      try {
+        // Update value and timestamp
+        const updateStmt = this.db.prepare(`
+          UPDATE variables
+          SET value = ?, updated = ?
+          WHERE name = ? AND schema = ?
+        `);
+        updateStmt.run(value, now, name, schema);
+
+        // If options provided, update tags/labels
+        if (options !== undefined) {
+          // Delete existing tags and labels
+          this.db
+            .prepare(`
+            DELETE FROM variable_tags WHERE variable_name = ? AND variable_schema = ?
+          `)
+            .run(name, schema);
+
+          this.db
+            .prepare(`
+            DELETE FROM variable_labels WHERE variable_name = ? AND variable_schema = ?
+          `)
+            .run(name, schema);
+
+          // Insert new tags
+          const tagKeys = Object.keys(tags);
+          if (tagKeys.length > 0) {
+            const tagStmt = this.db.prepare(`
+              INSERT INTO variable_tags (variable_name, variable_schema, key, value)
+              VALUES (?, ?, ?, ?)
+            `);
+            for (const [key, val] of Object.entries(tags)) {
+              tagStmt.run(name, schema, key, val);
+            }
+          }
+
+          // Insert new labels
+          if (labels.length > 0) {
+            const labelStmt = this.db.prepare(`
+              INSERT INTO variable_labels (variable_name, variable_schema, name)
+              VALUES (?, ?, ?)
+            `);
+            for (const labelName of labels) {
+              labelStmt.run(name, schema, labelName);
+            }
+          }
+        }
+
+        this.db.exec("COMMIT");
+      } catch (e) {
+        this.db.exec("ROLLBACK");
+        throw e;
+      }
+
+      return {
+        name,
+        schema,
+        value,
+        created: existing.created,
+        updated: now,
+        tags,
+        labels: [...labels],
+      };
+    }
+
+    // Create new variable
+    const tags = options?.tags ?? {};
+    const labels = options?.labels ?? [];
+
+    // Check for tag/label conflicts
+    const tagKeys = Object.keys(tags);
+    for (const key of tagKeys) {
+      if (labels.includes(key)) {
+        throw new TagLabelConflictError(key, "label", "tag");
+      }
+    }
+
+    const now = Date.now();
+
+    this.db.exec("BEGIN TRANSACTION");
+
+    try {
+      const stmt = this.db.prepare(`
+        INSERT INTO variables (name, schema, value, created, updated)
+        VALUES (?, ?, ?, ?, ?)
+      `);
+
+      stmt.run(name, schema, value, now, now);
+
+      // Insert tags
+      if (tagKeys.length > 0) {
+        const tagStmt = this.db.prepare(`
+          INSERT INTO variable_tags (variable_name, variable_schema, key, value)
+          VALUES (?, ?, ?, ?)
+        `);
+        for (const [key, val] of Object.entries(tags)) {
+          tagStmt.run(name, schema, key, val);
+        }
+      }
+
+      // Insert labels
+      if (labels.length > 0) {
+        const labelStmt = this.db.prepare(`
+          INSERT INTO variable_labels (variable_name, variable_schema, name)
+          VALUES (?, ?, ?)
+        `);
+        for (const labelName of labels) {
+          labelStmt.run(name, schema, labelName);
+        }
+      }
+
+      this.db.exec("COMMIT");
+    } catch (e) {
+      this.db.exec("ROLLBACK");
+      throw e;
+    }
+
+    return {
+      name,
+      schema,
+      value,
+      created: now,
+      updated: now,
+      tags,
+      labels: [...labels],
+    };
+  }
+
+  /**
+   * Get a variable by name, optionally with schema
+   */
+  /**
+   * Get a variable by name and schema
+   * @param name - Variable name
+   * @param schema - Schema hash (required)
+   * @returns Variable if found, null otherwise
+   */
+  get(name: string, schema: Hash): Variable | null {
+    // Precise match with schema
+    const stmt = this.db.prepare(`
+      SELECT name, schema, value, created, updated
+      FROM variables
+      WHERE name = ? AND schema = ?
+    `);
+
+    const row = stmt.get(name, schema) as
+      | {
+          name: string;
+          schema: string;
+          value: string;
+          created: number;
+          updated: number;
+        }
+      | undefined
+      | null;
+
+    if (row === undefined || row === null) {
+      return null;
+    }
+
+    const tags = this.loadTags(row.name, row.schema);
+    const labels = this.loadLabels(row.name, row.schema);
+
+    return {
+      name: row.name,
+      schema: row.schema,
+      value: row.value,
+      created: row.created,
+      updated: row.updated,
+      tags,
+      labels,
+    };
+  }
+
+  /**
+   * Update a variable's value (with schema validation)
+   */
+  update(name: string, schema: Hash, value: string): Variable {
+    // Validate name format
+    this.validateName(name);
+
+    const existing = this.get(name, schema);
+    if (existing === null) {
+      throw new VariableNotFoundError(name, schema);
+    }
+
+    const newSchema = this.extractSchema(value);
+    if (newSchema !== existing.schema) {
+      throw new SchemaMismatchError(existing.schema, newSchema);
+    }
+
+    const now = Date.now();
+
+    const stmt = this.db.prepare(`
+      UPDATE variables
+      SET value = ?, updated = ?
+      WHERE name = ? AND schema = ?
+    `);
+
+    stmt.run(value, now, name, schema);
+
+    return {
+      ...existing,
+      value,
+      updated: now,
+    };
+  }
+
+  /**
+   * Remove a variable (or all variants if schema omitted)
+   */
+  remove(name: string): Variable[];
+  remove(name: string, schema: Hash): Variable;
+  remove(name: string, schema?: Hash): Variable | Variable[] {
+    if (schema !== undefined) {
+      // Remove specific (name, schema) variant
+      const existing = this.get(name, schema);
+      if (existing === null) {
+        throw new VariableNotFoundError(name, schema);
+      }
+
+      const stmt = this.db.prepare(`
+        DELETE FROM variables WHERE name = ? AND schema = ?
+      `);
+
+      stmt.run(name, schema);
+
+      return existing;
+    }
+
+    // Remove all schema variants for this name
+    const variants = this.list({ exactName: name });
+
+    if (variants.length === 0) {
+      return [];
+    }
+
+    const stmt = this.db.prepare(`
+      DELETE FROM variables WHERE name = ?
+    `);
+
+    stmt.run(name);
+
+    return variants;
+  }
+
+  /**
+   * List variables with optional filters
+   */
+  list(options?: {
+    namePrefix?: string;
+    exactName?: string;
+    schema?: Hash;
+    tags?: Record<string, string>;
+    labels?: string[];
+  }): Variable[] {
+    // Validate mutually exclusive options
+    if (options?.namePrefix !== undefined && options?.exactName !== undefined) {
+      throw new Error(
+        "namePrefix and exactName are mutually exclusive - cannot specify both",
+      );
+    }
+
+    const namePrefix = options?.namePrefix ?? "";
+    const exactName = options?.exactName;
+    const schema = options?.schema;
+    const filterTags = options?.tags ?? {};
+    const filterLabels = options?.labels ?? [];
+
+    // Build query with filters
+    let query = `
+      SELECT DISTINCT v.name, v.schema, v.value, v.created, v.updated
+      FROM variables v
+    `;
+
+    const params: (string | number)[] = [];
+
+    // Tag filters (AND logic)
+    const tagKeys = Object.keys(filterTags);
+    for (let i = 0; i < tagKeys.length; i++) {
+      const key = tagKeys[i] as string;
+      const value = filterTags[key] as string;
+      query += `
+        INNER JOIN variable_tags t${i} ON v.name = t${i}.variable_name
+          AND v.schema = t${i}.variable_schema
+          AND t${i}.key = ? AND t${i}.value = ?
+      `;
+      params.push(key, value);
+    }
+
+    // Label filters (AND logic)
+    for (let i = 0; i < filterLabels.length; i++) {
+      const label = filterLabels[i] as string;
+      query += `
+        INNER JOIN variable_labels l${i} ON v.name = l${i}.variable_name
+          AND v.schema = l${i}.variable_schema
+          AND l${i}.name = ?
+      `;
+      params.push(label);
+    }
+
+    // WHERE clause for name filters and schema
+    const whereClauses: string[] = [];
+
+    if (exactName !== undefined) {
+      whereClauses.push("v.name = ?");
+      params.push(exactName);
+    } else if (namePrefix !== "") {
+      whereClauses.push("v.name LIKE ? || '%'");
+      params.push(namePrefix);
+    }
+
+    if (schema !== undefined) {
+      whereClauses.push("v.schema = ?");
+      params.push(schema);
+    }
+
+    if (whereClauses.length > 0) {
+      query += ` WHERE ${whereClauses.join(" AND ")}`;
+    }
+
+    query += " ORDER BY v.created ASC";
+
+    const stmt = this.db.prepare(query);
+    const rows = stmt.all(...params) as Array<{
+      name: string;
+      schema: string;
+      value: string;
+      created: number;
+      updated: number;
+    }>;
+
+    return rows.map((row) => ({
+      name: row.name,
+      schema: row.schema,
+      value: row.value,
+      created: row.created,
+      updated: row.updated,
+      tags: this.loadTags(row.name, row.schema),
+      labels: this.loadLabels(row.name, row.schema),
+    }));
+  }
+
+  /**
+   * Add/update/delete tags and labels
+   */
+  tag(
+    name: string,
+    schema: Hash,
+    operations: {
+      add?: Record<string, string>; // tags to add/update
+      addLabels?: string[]; // labels to add
+      delete?: string[]; // tag keys or label names to delete
+    },
+  ): Variable {
+    // Validate name format
+    this.validateName(name);
+
+    const existing = this.get(name, schema);
+    if (existing === null) {
+      throw new VariableNotFoundError(name, schema);
+    }
+
+    const addTags = operations.add ?? {};
+    const addLabels = operations.addLabels ?? [];
+    const deleteNames = operations.delete ?? [];
+
+    // Check for conflicts between tags and labels
+    const newTagKeys = Object.keys(addTags);
+    for (const key of newTagKeys) {
+      // Check if this key is being added as a label in the same operation
+      if (addLabels.includes(key)) {
+        throw new TagLabelConflictError(key, "label", "tag");
+      }
+      // Check if this key already exists as a label (and not being deleted)
+      if (existing.labels.includes(key) && !deleteNames.includes(key)) {
+        throw new TagLabelConflictError(key, "label", "tag");
+      }
+    }
+
+    for (const labelName of addLabels) {
+      // Check if this name is being added as a tag in the same operation
+      if (newTagKeys.includes(labelName)) {
+        throw new TagLabelConflictError(labelName, "tag", "label");
+      }
+      // Check if this name already exists as a tag key (and not being deleted)
+      if (
+        existing.tags[labelName] !== undefined &&
+        !deleteNames.includes(labelName)
+      ) {
+        throw new TagLabelConflictError(labelName, "tag", "label");
+      }
+    }
+
+    const now = Date.now();
+
+    this.db.exec("BEGIN TRANSACTION");
+
+    try {
+      // Update timestamp
+      const updateStmt = this.db.prepare(`
+        UPDATE variables SET updated = ? WHERE name = ? AND schema = ?
+      `);
+      updateStmt.run(now, name, schema);
+
+      // Delete tags and labels
+      if (deleteNames.length > 0) {
+        const deleteTagStmt = this.db.prepare(`
+          DELETE FROM variable_tags WHERE variable_name = ? AND variable_schema = ? AND key = ?
+        `);
+        const deleteLabelStmt = this.db.prepare(`
+          DELETE FROM variable_labels WHERE variable_name = ? AND variable_schema = ? AND name = ?
+        `);
+        for (const deleteName of deleteNames) {
+          deleteTagStmt.run(name, schema, deleteName);
+          deleteLabelStmt.run(name, schema, deleteName);
+        }
+      }
+
+      // Add or update tags
+      if (newTagKeys.length > 0) {
+        const tagStmt = this.db.prepare(`
+          INSERT OR REPLACE INTO variable_tags (variable_name, variable_schema, key, value)
+          VALUES (?, ?, ?, ?)
+        `);
+        for (const [key, value] of Object.entries(addTags)) {
+          tagStmt.run(name, schema, key, value);
+        }
+      }
+
+      // Add labels (with conflict handling)
+      if (addLabels.length > 0) {
+        const labelStmt = this.db.prepare(`
+          INSERT OR IGNORE INTO variable_labels (variable_name, variable_schema, name)
+          VALUES (?, ?, ?)
+        `);
+        for (const labelName of addLabels) {
+          labelStmt.run(name, schema, labelName);
+        }
+      }
+
+      this.db.exec("COMMIT");
+    } catch (e) {
+      this.db.exec("ROLLBACK");
+      throw e;
+    }
+
+    // Return updated variable
+    const updated = this.get(name, schema);
+    if (updated === null) {
+      throw new VariableNotFoundError(name, schema);
+    }
+    return updated;
+  }
+
+  /**
+   * Close the database connection
+   */
+  close(): void {
+    this.db.close();
+  }
+}
+
+/**
+ * Create a variable store
+ */
+export function createVariableStore(
+  dbPath: string,
+  casStore: Store,
+): VariableStore {
+  return new VariableStore(dbPath, casStore);
+}

packages/json-cas/src/variable.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import type { Variable } from "./variable.js";
+
+describe("Variable Type", () => {
+  test("Variable type uses (name, schema) composite key", () => {
+    const variable: Variable = {
+      name: "config",
+      schema: "ABC123DEF4567",
+      value: "XYZ789GHI0123",
+      created: 1234567890000,
+      updated: 1234567890000,
+      tags: { env: "prod" },
+      labels: ["critical"],
+    };
+
+    expect(variable.name).toBe("config");
+    expect(variable.schema).toBe("ABC123DEF4567");
+    // id and scope should not exist
+    expect((variable as unknown as { id?: unknown }).id).toBeUndefined();
+    expect((variable as unknown as { scope?: unknown }).scope).toBeUndefined();
+  });
+});

packages/json-cas/src/variable.ts

@@ -0,0 +1,15 @@
+import type { Hash } from "./types.js";
+
+/**
+ * Variable: mutable binding to an immutable CAS node
+ * Identified by composite key (name, schema)
+ */
+export type Variable = {
+  name: string; // variable name (unique per schema)
+  schema: Hash; // schema hash (part of composite key)
+  value: Hash; // CAS node hash
+  created: number; // epoch ms
+  updated: number; // epoch ms
+  tags: Record<string, string>; // key-value pairs
+  labels: string[]; // bare identifiers
+};