npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/auth-email-password/handlers/signup-confirm.write.ts ADDED Viewed

@@ -0,0 +1,170 @@
+// Magic-Link-Signup, Step 2 (confirm).
+//
+// Token aus URL + Password vom User → wir lösen den Token in Redis ein
+// und legen Tenant + User + Admin-Membership atomar an. emailVerified
+// wird sofort auf true gesetzt — der Magic-Link IST der Beweis.
+//
+// Pipeline:
+//   1. Redis check: token → email lookup
+//   2. Single-Use-Burn (SETNX) — gleichzeitiger Klick aus zwei Tabs
+//      gewinnt nur einer
+//   3. Tenant-Key generieren (generateUniqueName mit DB-isAvailable-
+//      check gegen tenants.key)
+//   4. provisionSignupAccount: Tenant + User + Membership in einem
+//      Rutsch (durch event-store-executor; events + projection +
+//      MSPs sehen das wie einen regulären create)
+//   5. Token-Keys löschen (burn-key bleibt für TTL-Replay-Protection)
+//
+// Failure-Recovery: jeder Pfad nach dem burn checked `committed`-Flag;
+// bei !committed wird der burn released damit ein legitimer Retry
+// nicht durch einen stale Marker geblockt wird (wie reset/verify).
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  defineWriteHandler,
+  type SessionUser,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  InternalError,
+  UnprocessableError,
+  writeFailure,
+} from "@cosmicdrift/kumiko-framework/errors";
+import { generateUniqueName } from "@cosmicdrift/kumiko-framework/random";
+import { generateId } from "@cosmicdrift/kumiko-framework/utils";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+// kumiko-lint-ignore cross-feature-import signup-confirm reads tenants.key for slug-uniqueness check (TOCTOU + DB-unique-index zusammen)
+import { tenantTable } from "../../tenant/schema/tenant";
+import { AuthErrors } from "../constants";
+// kumiko-lint-ignore cross-feature-import provisioning needs cross-feature seeding helpers
+import { INITIAL_SIGNUP_ROLES, provisionSignupAccount } from "../seeding";
+import {
+  burnSignupToken,
+  deleteSignupToken,
+  getEmailForSignupToken,
+  unburnSignupToken,
+} from "../signup-token-store";
+const SignupConfirmSchema = z.object({
+  token: z.string().min(8),
+  password: z.string().min(8).max(200),
+});
+// Mirror der login-handler-Shape (kind: "auth-session", session: SessionUser)
+// damit die Route-Layer den signup-confirm-success genauso behandeln kann
+// wie einen erfolgreichen login: JWT-Mint, Cookies setzen, Session-Body
+// returnen. Der zusätzliche tenantKey landet als sibling am data-objekt
+// (NICHT in SessionUser — der ist generic, tenantKey ist signup-spezifisch
+// für den Post-Signup-Redirect zu /<tenantKey>/).
+export type SignupConfirmData = {
+  readonly kind: "auth-session";
+  readonly session: SessionUser;
+  readonly tenantKey: string;
+};
+function invalidSignupToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidSignupToken, {
+      i18nKey: "auth.errors.invalidSignupToken",
+    }),
+  );
+}
+export function createSignupConfirmHandler() {
+  return defineWriteHandler<"signup-confirm", typeof SignupConfirmSchema, SignupConfirmData>({
+    name: "signup-confirm",
+    schema: SignupConfirmSchema,
+    access: { roles: ["all"] },
+    handler: async (event, ctx) => {
+      if (!ctx.redis) {
+        return writeFailure(
+          new InternalError({
+            message: "signup-confirm requires ctx.redis for token consumption",
+          }),
+        );
+      }
+      // Token-Lookup: nicht-existent / abgelaufen / schon konsumiert →
+      // alle collapsen auf invalid_signup_token. Anti-enumeration.
+      const email = await getEmailForSignupToken(ctx.redis, event.payload.token);
+      if (!email) return invalidSignupToken();
+      // Single-Use-Burn: zwei parallele Confirms aus verschiedenen
+      // Tabs — einer wins, der andere kriegt invalid_signup_token.
+      const burn = await burnSignupToken(ctx.redis, event.payload.token);
+      if (burn === "already-used") return invalidSignupToken();
+      let committed = false;
+      try {
+        // Tenant-Key: 2-Wort-Slug aus framework/random, mit DB-Conflict-
+        // Check gegen tenants.key. 22.500 Default-Combos + Suffix-
+        // Fallback bei Kollision (siehe generateUniqueName).
+        // @cast-boundary db-runner — TenantDb.raw is DbRunner (Connection|Tx);
+        // provisioning helpers operate on plain drizzle-API that both shapes
+        // expose identically. Inside an event-store transaction the cast lands
+        // on the Tx flavor — same drizzle calls, same behavior.
+        const dbConn = ctx.db.raw as DbConnection;
+        const tenantKey = await generateUniqueName({
+          isAvailable: async (slug) => {
+            const existing = await dbConn
+              .select({ id: tenantTable.id })
+              .from(tenantTable)
+              .where(eq(tenantTable.key, slug))
+              .limit(1);
+            return existing.length === 0;
+          },
+        });
+        const tenantId = generateId() as TenantId;
+        // Display-Name aus email-prefix als sinnvolles Default; User kann
+        // den Tenant-Namen + sein eigenes displayName später ändern.
+        const displayName = email.split("@")[0] ?? email;
+        const provisioned = await provisionSignupAccount(dbConn, {
+          email,
+          password: event.payload.password,
+          displayName,
+          tenantId,
+          tenantKey,
+          // Tenant-Display-Name als Default = Email. User wechselt das im
+          // Settings-Screen. Konzept "Tenant" leakt nicht in die Signup-UI.
+          tenantName: email,
+        });
+        // Cleanup beider Token-Lookup-Keys. Burn-Key bleibt für die
+        // restliche Burn-TTL als Replay-Schutz.
+        await deleteSignupToken(ctx.redis, { email, token: event.payload.token });
+        // SessionUser für JWT-Mint. Roles aus INITIAL_SIGNUP_ROLES
+        // damit DB-write (provisionSignupAccount) und Session-claim
+        // dieselbe Quelle teilen — sonst hätten zwei Stellen "Admin"
+        // hardcoded und ein Refactor würde role-mismatch zwischen DB
+        // und JWT erzeugen.
+        const session: SessionUser = {
+          id: provisioned.userId,
+          tenantId: provisioned.tenantId,
+          roles: [...INITIAL_SIGNUP_ROLES],
+        };
+        committed = true;
+        return {
+          isSuccess: true,
+          data: {
+            kind: "auth-session",
+            session,
+            tenantKey,
+          },
+        };
+      } finally {
+        if (!committed && ctx.redis) {
+          // Burn-release damit ein retry nach DB-Hiccup nicht blockt.
+          // Token-Lookup-Keys bleiben — der User kann seinen Mail-Link
+          // erneut klicken.
+          await unburnSignupToken(ctx.redis, event.payload.token);
+        }
+      }
+    },
+  });
+}

package/src/auth-email-password/handlers/signup-request.write.ts ADDED Viewed

@@ -0,0 +1,104 @@
+// Magic-Link-Signup, Step 1 (request).
+//
+// User gibt Email ein → wir minten einen opaken Random-Token, speichern
+// ihn bidirektional in Redis (token↔email), und der Route-Layer schickt
+// die Activation-Mail. Anders als reset/verify-Flows existiert der User
+// HIER NOCH NICHT — daher kein userId-lookup, kein HMAC-signing (wofür
+// gäbe es kein Subject), kein "skip if user already exists in DB"-pattern.
+//
+// Resend-Idempotenz: wenn für die Email bereits ein lebender Token in
+// Redis liegt, geben wir denselben Token zurück (und refreshen TTL auf
+// beiden Keys). Der User bekommt dann eine zweite Mail mit dem GLEICHEN
+// Activation-Link. Erste Mail bleibt gültig — kein "old link broken"-
+// annoyance.
+//
+// Always-200 (enumeration-safe): das Response sieht für jede Email
+// gleich aus, egal ob sie schon registriert ist oder nicht. Anders als
+// reset (das ein "no-op" zurückgibt wenn User nicht existiert) gibt's
+// hier nichts zu enumerieren — eine Email kann nicht "schon registriert
+// sein" weil bei Magic-Link der User-Row erst beim Confirm entsteht.
+// Was es geben könnte: dieselbe Email versucht es zum N-ten Mal —
+// Resend-Pfad ist by-design idempotent.
+import { generateToken } from "@cosmicdrift/kumiko-framework/api";
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { Temporal } from "temporal-polyfill";
+import { z } from "zod";
+import { AUTH_SIGNUP_DEFAULT_TTL_MINUTES } from "../constants";
+import { getTokenForSignupEmail, normalizeEmail, storeSignupToken } from "../signup-token-store";
+const SignupRequestSchema = z.object({
+  email: z.email(),
+});
+export type SignupRequestData =
+  | {
+      readonly kind: "signup-requested";
+      readonly email: string;
+      readonly token: string;
+      readonly expiresAt: string;
+    }
+  | { readonly kind: "no-op" };
+export type SignupRequestOptions = {
+  /** TTL für den Activation-Token. Default 24 h — lang genug damit User
+   *  "morgen aktivieren" können ohne Resend-Spam. */
+  readonly tokenTtlMinutes?: number;
+};
+export function createSignupRequestHandler(opts: SignupRequestOptions = {}) {
+  const ttlMinutes = opts.tokenTtlMinutes ?? AUTH_SIGNUP_DEFAULT_TTL_MINUTES;
+  const ttlSeconds = ttlMinutes * 60;
+  return defineWriteHandler<"signup-request", typeof SignupRequestSchema, SignupRequestData>({
+    name: "signup-request",
+    schema: SignupRequestSchema,
+    access: { roles: ["all"] },
+    handler: async (event, ctx) => {
+      if (!ctx.redis) {
+        return writeFailure(
+          new InternalError({
+            message: "signup-request requires ctx.redis for the activation-token store",
+          }),
+        );
+      }
+      // Email-Normalisierung lebt im Store (signup-token-store). Der
+      // Handler reicht die raw email durch — eine Quelle, kein Drift
+      // zwischen Lookup-Pfaden die unterschiedlich (oder gar nicht)
+      // lowercased haben.
+      const email = event.payload.email;
+      // Resend-Idempotenz: wenn ein Token für diese Email noch lebt,
+      // re-use ihn und refreshe beide Keys. Der User kriegt eine zweite
+      // Mail mit dem GLEICHEN Link.
+      const existingToken = await getTokenForSignupEmail(ctx.redis, email);
+      // 32 random bytes = 256 bits unguessable randomness, base64url
+      // encoded zu 43 chars. Math.random war früher ein Bug:
+      // xorshift128+ hat ~128 Bit State der nach ~5 beobachteten
+      // Outputs rekonstruierbar ist — Angreifer könnte eigene
+      // signup-requests triggern und die Tokens fremder User
+      // vorhersagen. generateToken nutzt randomBytes aus node:crypto,
+      // dieselbe Quelle wie CSRF/Session-Tokens.
+      const token = existingToken ?? generateToken();
+      const expiresAt = Temporal.Now.instant().add({ seconds: ttlSeconds });
+      await storeSignupToken(ctx.redis, { email, token, ttlSeconds });
+      return {
+        isSuccess: true,
+        data: {
+          kind: "signup-requested",
+          // normalizeEmail aus dem Store — eine Quelle für die
+          // Normalisierungs-Verantwortung; Mail-Callback kriegt
+          // konsistent das gleiche Format wie der Lookup-Pfad.
+          email: normalizeEmail(email),
+          token,
+          expiresAt: expiresAt.toString(),
+        },
+      };
+    },
+  });
+}

package/src/auth-email-password/handlers/token-request-handler.ts ADDED Viewed

@@ -0,0 +1,114 @@
+// Shared factory for the request-side of out-of-band token flows
+// (password-reset, email-verification). Both follow the same shape:
+//
+//   POST email
+//     → resolve user (system-scoped query)
+//     → skip silently if user doesn't exist / is deleted / already done
+//     → mint an HMAC-signed token
+//     → return { kind: <successKind>, email, token, expiresAt }
+//
+// Differences between the flows are four parameters (successKind, sign fn,
+// default TTL, extra skip condition) + two error codes — encoded on the
+// spec rather than duplicated across two near-identical handler bodies.
+import { createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import type { Temporal } from "temporal-polyfill";
+import { z } from "zod";
+import { UserQueries } from "../../user";
+import { type AuthUserRow, parseAuthUserRow } from "../auth-user-row";
+const RequestTokenSchema = z.object({
+  email: z.email(),
+});
+// What the route layer reads off `result.data` after dispatching. Identical
+// shape for both flows; only the `kind` discriminator differs so the route
+// knows whether to forward to sendResetEmail or sendVerificationEmail.
+export type TokenRequestSuccess<K extends string> = {
+  readonly kind: K;
+  readonly email: string;
+  readonly token: string;
+  readonly expiresAt: string;
+};
+export type TokenRequestNoOp = { readonly kind: "no-op" };
+export type TokenRequestData<K extends string> = TokenRequestSuccess<K> | TokenRequestNoOp;
+export type TokenRequestSpec<TName extends string, TSuccessKind extends string> = {
+  readonly handlerName: TName;
+  readonly successKind: TSuccessKind;
+  readonly defaultTtlMinutes: number;
+  // Feature-specific sign function. Signature matches both signResetToken
+  // and signVerificationToken (thin wrappers over signed-token.ts).
+  readonly sign: (
+    userId: string,
+    ttlMinutes: number,
+    secret: string,
+  ) => { token: string; expiresAt: Temporal.Instant };
+  // Error code + i18nKey returned when the feature-factory wasn't given a
+  // working hmacSecret. Should never happen — feature-factory validates at
+  // boot — but defensive coverage for lazy secret-providers.
+  readonly notConfiguredError: string;
+  readonly notConfiguredI18nKey: string;
+  // Extra silent-skip predicate on top of "user doesn't exist or is
+  // soft-deleted". Verification skips when emailVerified is already true;
+  // password-reset has no extra condition (returns false).
+  readonly extraSilentSkip: (user: AuthUserRow) => boolean;
+};
+export type TokenRequestOptions = {
+  readonly hmacSecret: string;
+  readonly tokenTtlMinutes?: number;
+};
+export function createTokenRequestHandler<TName extends string, TSuccessKind extends string>(
+  spec: TokenRequestSpec<TName, TSuccessKind>,
+  opts: TokenRequestOptions,
+) {
+  const ttl = opts.tokenTtlMinutes ?? spec.defaultTtlMinutes;
+  return defineWriteHandler<TName, typeof RequestTokenSchema, TokenRequestData<TSuccessKind>>({
+    name: spec.handlerName,
+    schema: RequestTokenSchema,
+    access: { roles: ["all"] },
+    handler: async (event, ctx) => {
+      if (!opts.hmacSecret) {
+        // Feature-factory guards this at boot; defensive here for lazy-
+        // provided secrets that show up empty at runtime.
+        return writeFailure(
+          new UnprocessableError(spec.notConfiguredError, {
+            i18nKey: spec.notConfiguredI18nKey,
+          }),
+        );
+      }
+      const systemUser = createSystemUser(event.user.tenantId);
+      const user = parseAuthUserRow(
+        await ctx.queryAs(systemUser, UserQueries.findForAuth, {
+          email: event.payload.email,
+        }),
+      );
+      // Silent-success branches all return the SAME shape with kind="no-op".
+      // Response-level timing stays uniform (200 / isSuccess: true); the
+      // small difference in handler-internal work is accepted — no probing
+      // client can observe it through the HTTP surface.
+      if (!user || user.isDeleted || !user.email || spec.extraSilentSkip(user)) {
+        const data: TokenRequestData<TSuccessKind> = { kind: "no-op" };
+        return { isSuccess: true, data };
+      }
+      const { token, expiresAt } = spec.sign(user.id, ttl, opts.hmacSecret);
+      const data: TokenRequestData<TSuccessKind> = {
+        kind: spec.successKind,
+        email: user.email,
+        token,
+        expiresAt: expiresAt.toString(),
+      };
+      return { isSuccess: true, data };
+    },
+  });
+}

package/src/auth-email-password/handlers/verify-email.write.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { z } from "zod";
+import { AuthErrors } from "../constants";
+import { verifyVerificationToken } from "../verification-token";
+import { runConfirmTokenFlow } from "./confirm-token-flow";
+export type VerifyEmailOptions = {
+  readonly hmacSecret: string;
+};
+const VerifyEmailSchema = z.object({
+  token: z.string().min(1),
+});
+export type VerifyEmailData = { readonly kind: "verified" } | { readonly kind: "already-verified" };
+function invalidToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidVerificationToken, {
+      i18nKey: "auth.errors.invalidVerificationToken",
+    }),
+  );
+}
+// Sets user.emailVerified = true on a valid token. Idempotent via the
+// `alreadyDone` short-circuit — when the row already reads verified
+// (reached through another flow), we skip the write but keep the burn
+// so replays still see invalid_verification_token on the burn check.
+// Sessions are NOT revoked on verification — no security reason to
+// nuke active logins when a user finally confirms their address.
+export function createVerifyEmailHandler(opts: VerifyEmailOptions) {
+  return defineWriteHandler<"verify-email", typeof VerifyEmailSchema, VerifyEmailData>({
+    name: "verify-email",
+    schema: VerifyEmailSchema,
+    access: { roles: ["all"] },
+    handler: async (event, ctx) => {
+      if (!opts.hmacSecret) {
+        return writeFailure(
+          new UnprocessableError(AuthErrors.verificationNotConfigured, {
+            i18nKey: "auth.errors.verificationNotConfigured",
+          }),
+        );
+      }
+      const verify = verifyVerificationToken(event.payload.token, opts.hmacSecret);
+      if (!verify.ok) return invalidToken();
+      return runConfirmTokenFlow<VerifyEmailData>(ctx, verify.userId, verify.expiresAtMs, {
+        purpose: "verify",
+        redisRequiredMessage: "email-verification requires ctx.redis to enforce token single-use",
+        invalidToken,
+        buildChanges: async () => ({ emailVerified: true }),
+        successData: { kind: "verified" },
+        alreadyDone: {
+          check: (me) => me.emailVerified === true,
+          data: { kind: "already-verified" },
+        },
+      });
+    },
+  });
+}

package/src/auth-email-password/i18n.ts ADDED Viewed

@@ -0,0 +1,211 @@
+// @runtime client
+// Default-Bundles für die Feature-UI. Werden vom emailPasswordClient()
+// als Fallback-Bundle in den LocaleProvider gehängt — Apps können
+// einzelne Keys via `emailPasswordClient({ translations: { de: { ... } } })`
+// überschreiben, ohne das ganze Bundle kopieren zu müssen.
+//
+// Keys folgen dem Schema `auth.<area>.<slug>` — `auth.login.*` für die
+// Formular-UI, `auth.errors.*` für Reason-Codes aus dem Login-Handler
+// (1:1 gespiegelt zu AuthErrors im server-side Feature).
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "auth.login.title": "Anmelden",
+    "auth.login.email": "E-Mail",
+    "auth.login.password": "Passwort",
+    "auth.login.submit": "Einloggen",
+    "auth.login.submitting": "…",
+    "auth.login.forgotPassword": "Passwort vergessen?",
+    "auth.errors.invalidCredentials": "E-Mail oder Passwort falsch.",
+    "auth.errors.noMembership": "Dieses Konto hat keinen Tenant-Zugang.",
+    "auth.errors.accountLocked": "Konto vorübergehend gesperrt.",
+    "auth.errors.accountLockedRetry": "Konto gesperrt. Neuer Versuch in {minutes} Minuten.",
+    "auth.errors.emailNotVerified": "E-Mail-Adresse noch nicht bestätigt.",
+    "auth.errors.rateLimited": "Zu viele Login-Versuche. Bitte kurz warten.",
+    "auth.errors.invalidBody": "Ungültige Eingabe.",
+    "auth.errors.loginFailed": "Login fehlgeschlagen.",
+    "auth.errors.invalidResetToken":
+      "Der Link ist ungültig oder abgelaufen. Bitte fordere einen neuen an.",
+    "auth.errors.invalidVerificationToken": "Der Bestätigungs-Link ist ungültig oder abgelaufen.",
+    "auth.errors.invalidSignupToken":
+      "Der Aktivierungs-Link ist ungültig oder abgelaufen. Bitte fordere einen neuen an.",
+    "auth.errors.unknownError": "Etwas ist schief gegangen. Bitte erneut versuchen.",
+    "auth.forgotPassword.title": "Passwort zurücksetzen",
+    "auth.forgotPassword.intro":
+      "Gib deine E-Mail-Adresse ein. Falls ein Konto existiert, schicken wir dir einen Reset-Link.",
+    "auth.forgotPassword.email": "E-Mail",
+    "auth.forgotPassword.submit": "Link anfordern",
+    "auth.forgotPassword.submitting": "…",
+    "auth.forgotPassword.successTitle": "Mail gesendet",
+    "auth.forgotPassword.successBody":
+      "Falls die E-Mail in unserem System existiert, ist eine Nachricht mit einem Reset-Link unterwegs. Bitte schau in deinen Posteingang.",
+    "auth.forgotPassword.backToLogin": "Zurück zum Login",
+    "auth.resetPassword.title": "Neues Passwort setzen",
+    "auth.resetPassword.intro": "Wähle ein neues Passwort (mindestens 8 Zeichen).",
+    "auth.resetPassword.newPassword": "Neues Passwort",
+    "auth.resetPassword.confirmPassword": "Passwort bestätigen",
+    "auth.resetPassword.mismatch": "Die Passwörter stimmen nicht überein.",
+    "auth.resetPassword.tooShort": "Passwort muss mindestens 8 Zeichen lang sein.",
+    "auth.resetPassword.submit": "Passwort speichern",
+    "auth.resetPassword.submitting": "…",
+    "auth.resetPassword.successTitle": "Passwort gesetzt",
+    "auth.resetPassword.successBody": "Du kannst dich jetzt mit deinem neuen Passwort anmelden.",
+    "auth.resetPassword.goToLogin": "Zum Login",
+    "auth.resetPassword.missingToken":
+      "Der Reset-Link enthält keinen Token. Bitte fordere einen neuen an.",
+    "auth.verifyEmail.verifying": "E-Mail wird bestätigt …",
+    "auth.verifyEmail.successTitle": "E-Mail bestätigt",
+    "auth.verifyEmail.successBody": "Danke! Du kannst dich jetzt anmelden.",
+    "auth.verifyEmail.errorTitle": "Bestätigung fehlgeschlagen",
+    "auth.verifyEmail.errorBody":
+      "Der Link ist ungültig oder abgelaufen. Bitte fordere eine neue Bestätigungs-Mail an.",
+    "auth.verifyEmail.goToLogin": "Zum Login",
+    "auth.verifyEmail.missingToken": "Der Bestätigungs-Link enthält keinen Token.",
+    "auth.signup.title": "Account erstellen",
+    "auth.signup.intro":
+      "Gib deine E-Mail-Adresse ein. Wir schicken dir einen Aktivierungs-Link, mit dem du dein Passwort setzt.",
+    "auth.signup.email": "E-Mail",
+    "auth.signup.submit": "Aktivierungs-Link senden",
+    "auth.signup.submitting": "…",
+    "auth.signup.successTitle": "Mail gesendet",
+    "auth.signup.successBody":
+      "Wir haben dir einen Aktivierungs-Link an deine E-Mail-Adresse geschickt. Klicke ihn an, um dein Passwort zu setzen und dich einzuloggen.",
+    "auth.signup.resend": "Mail erneut senden",
+    "auth.signup.haveAccount": "Bereits einen Account? Anmelden",
+    "auth.signupComplete.title": "Passwort setzen",
+    "auth.signupComplete.intro":
+      "Wähle ein Passwort (mindestens 8 Zeichen) für deinen neuen Account.",
+    "auth.signupComplete.password": "Passwort",
+    "auth.signupComplete.confirmPassword": "Passwort bestätigen",
+    "auth.signupComplete.tooShort": "Passwort muss mindestens 8 Zeichen lang sein.",
+    "auth.signupComplete.mismatch": "Die Passwörter stimmen nicht überein.",
+    "auth.signupComplete.submit": "Account aktivieren",
+    "auth.signupComplete.submitting": "…",
+    "auth.signupComplete.missingToken":
+      "Der Aktivierungs-Link enthält keinen Token. Bitte fordere einen neuen an.",
+    "auth.inviteAccept.title": "Einladung annehmen",
+    "auth.inviteAccept.intro":
+      "Du wurdest zu einem Workspace eingeladen. Klicke auf 'Annehmen' um Mitglied zu werden.",
+    "auth.inviteAccept.loggedInAs": "Du bist eingeloggt — klicke 'Annehmen' um Mitglied zu werden.",
+    "auth.inviteAccept.email": "E-Mail",
+    "auth.inviteAccept.password": "Passwort",
+    "auth.inviteAccept.acceptButton": "Annehmen",
+    "auth.inviteAccept.submit": "Annehmen + Anmelden",
+    "auth.inviteAccept.submitting": "…",
+    "auth.inviteAccept.useOtherAccount": "Mit anderem Account anmelden",
+    "auth.inviteAccept.toggleNew": "Ich habe noch keinen Account",
+    "auth.inviteAccept.toggleExisting": "Ich habe schon einen Account",
+    "auth.inviteAccept.missingToken": "Der Einladungs-Link enthält keinen Token oder ist ungültig.",
+    "auth.inviteAccept.goToLogin": "Zum Login",
+    "auth.user.menu.label": "Konto",
+    "auth.user.menu.logout": "Abmelden",
+    "auth.tenant.switcher.label": "Tenant",
+    "auth.tenant.switcher.none": "Kein Tenant",
+  },
+  en: {
+    "auth.login.title": "Sign in",
+    "auth.login.email": "Email",
+    "auth.login.password": "Password",
+    "auth.login.submit": "Sign in",
+    "auth.login.submitting": "…",
+    "auth.login.forgotPassword": "Forgot password?",
+    "auth.errors.invalidCredentials": "Invalid email or password.",
+    "auth.errors.noMembership": "This account has no tenant access.",
+    "auth.errors.accountLocked": "Account temporarily locked.",
+    "auth.errors.accountLockedRetry": "Account locked. Try again in {minutes} minutes.",
+    "auth.errors.emailNotVerified": "Email address not yet verified.",
+    "auth.errors.rateLimited": "Too many login attempts. Please wait briefly.",
+    "auth.errors.invalidBody": "Invalid input.",
+    "auth.errors.loginFailed": "Login failed.",
+    "auth.errors.invalidResetToken": "Link is invalid or expired. Please request a new one.",
+    "auth.errors.invalidVerificationToken": "Verification link is invalid or expired.",
+    "auth.errors.invalidSignupToken":
+      "Activation link is invalid or expired. Please request a new one.",
+    "auth.errors.unknownError": "Something went wrong. Please try again.",
+    "auth.forgotPassword.title": "Reset password",
+    "auth.forgotPassword.intro":
+      "Enter your email. If an account exists, we'll send you a reset link.",
+    "auth.forgotPassword.email": "Email",
+    "auth.forgotPassword.submit": "Request link",
+    "auth.forgotPassword.submitting": "…",
+    "auth.forgotPassword.successTitle": "Email sent",
+    "auth.forgotPassword.successBody":
+      "If your email exists in our system, a reset link is on its way. Please check your inbox.",
+    "auth.forgotPassword.backToLogin": "Back to sign in",
+    "auth.resetPassword.title": "Set new password",
+    "auth.resetPassword.intro": "Choose a new password (at least 8 characters).",
+    "auth.resetPassword.newPassword": "New password",
+    "auth.resetPassword.confirmPassword": "Confirm password",
+    "auth.resetPassword.mismatch": "Passwords do not match.",
+    "auth.resetPassword.tooShort": "Password must be at least 8 characters.",
+    "auth.resetPassword.submit": "Save password",
+    "auth.resetPassword.submitting": "…",
+    "auth.resetPassword.successTitle": "Password set",
+    "auth.resetPassword.successBody": "You can now sign in with your new password.",
+    "auth.resetPassword.goToLogin": "Go to sign in",
+    "auth.resetPassword.missingToken": "Reset link is missing a token. Please request a new one.",
+    "auth.verifyEmail.verifying": "Verifying email …",
+    "auth.verifyEmail.successTitle": "Email verified",
+    "auth.verifyEmail.successBody": "Thanks! You can sign in now.",
+    "auth.verifyEmail.errorTitle": "Verification failed",
+    "auth.verifyEmail.errorBody":
+      "Link is invalid or expired. Please request a new verification email.",
+    "auth.verifyEmail.goToLogin": "Go to sign in",
+    "auth.verifyEmail.missingToken": "Verification link is missing a token.",
+    "auth.signup.title": "Create account",
+    "auth.signup.intro":
+      "Enter your email. We'll send you an activation link to set your password.",
+    "auth.signup.email": "Email",
+    "auth.signup.submit": "Send activation link",
+    "auth.signup.submitting": "…",
+    "auth.signup.successTitle": "Email sent",
+    "auth.signup.successBody":
+      "We've sent you an activation link. Click it to set your password and sign in.",
+    "auth.signup.resend": "Send email again",
+    "auth.signup.haveAccount": "Already have an account? Sign in",
+    "auth.signupComplete.title": "Set password",
+    "auth.signupComplete.intro": "Choose a password (at least 8 characters) for your new account.",
+    "auth.signupComplete.password": "Password",
+    "auth.signupComplete.confirmPassword": "Confirm password",
+    "auth.signupComplete.tooShort": "Password must be at least 8 characters.",
+    "auth.signupComplete.mismatch": "Passwords do not match.",
+    "auth.signupComplete.submit": "Activate account",
+    "auth.signupComplete.submitting": "…",
+    "auth.signupComplete.missingToken":
+      "Activation link is missing a token. Please request a new one.",
+    "auth.inviteAccept.title": "Accept invitation",
+    "auth.inviteAccept.intro": "You've been invited to a workspace. Click 'Accept' to join.",
+    "auth.inviteAccept.loggedInAs": "Signed in as {email}",
+    "auth.inviteAccept.email": "Email",
+    "auth.inviteAccept.password": "Password",
+    "auth.inviteAccept.acceptButton": "Accept",
+    "auth.inviteAccept.submit": "Accept + sign in",
+    "auth.inviteAccept.submitting": "…",
+    "auth.inviteAccept.useOtherAccount": "Sign in with a different account",
+    "auth.inviteAccept.toggleNew": "I don't have an account yet",
+    "auth.inviteAccept.toggleExisting": "I already have an account",
+    "auth.inviteAccept.missingToken": "The invitation link is missing or invalid.",
+    "auth.inviteAccept.goToLogin": "Go to sign in",
+    "auth.user.menu.label": "Account",
+    "auth.user.menu.logout": "Sign out",
+    "auth.tenant.switcher.label": "Tenant",
+    "auth.tenant.switcher.none": "No tenant",
+  },
+};
+/** Merged zwei TranslationsByLocale-Maps — der override gewinnt pro Key,
+ *  die Locales werden zusammengeführt. Wird von emailPasswordClient()
+ *  benutzt, um App-Overrides über die Defaults zu legen. */
+export function mergeTranslations(
+  base: TranslationsByLocale,
+  override: TranslationsByLocale,
+): TranslationsByLocale {
+  const locales = new Set([...Object.keys(base), ...Object.keys(override)]);
+  const merged: Record<string, Record<string, string>> = {};
+  for (const locale of locales) {
+    merged[locale] = { ...(base[locale] ?? {}), ...(override[locale] ?? {}) };
+  }
+  return merged;
+}