npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/config/constants.ts ADDED Viewed

@@ -0,0 +1,23 @@
+// Feature name
+export const CONFIG_FEATURE = "config" as const;
+// Qualified write handler names (QN format: scope:type:name)
+export const ConfigHandlers = {
+  set: "config:write:set",
+  reset: "config:write:reset",
+} as const;
+// Qualified query handler names (QN format: scope:type:name)
+export const ConfigQueries = {
+  values: "config:query:values",
+  schema: "config:query:schema",
+} as const;
+// Error codes
+export const ConfigErrors = {
+  unknownKey: "unknown_config_key",
+  systemOnly: "config_key_is_system_only",
+  invalidScope: "invalid_scope",
+  typeError: "type_error",
+  invalidOption: "invalid_option",
+} as const;

package/src/config/feature.ts ADDED Viewed

@@ -0,0 +1,117 @@
+import type { DbConnection, EncryptionProvider, TenantDb } from "@cosmicdrift/kumiko-framework/db";
+import {
+  type ConfigAccessor,
+  type ConfigAccessorFactory,
+  type ConfigKeyHandle,
+  type ConfigKeyType,
+  type ConfigValue,
+  defineFeature,
+  type FeatureDefinition,
+  type HandlerContext,
+  type Registry,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
+import { resetWrite } from "./handlers/reset.write";
+import { schemaQuery } from "./handlers/schema.query";
+import { setWrite } from "./handlers/set.write";
+import { valuesQuery } from "./handlers/values.query";
+import type { ConfigResolver } from "./resolver";
+import { configValueEntity } from "./table";
+export type ConfigContext = { readonly config: ConfigAccessor };
+export function createConfigFeature(): FeatureDefinition {
+  return defineFeature("config", (r) => {
+    r.systemScope();
+    // One aggregate stream per (key, scope) pair — the executor handles the
+    // lifecycle events `configValue.created / .updated / .deleted` plus the
+    // projection write in one TX. Subscribers that need config-change
+    // semantics listen to those auto-events via r.multiStreamProjection
+    // (see docs/plans/architecture/event-sourcing-pivot.md §4.7).
+    r.entity("config-value", configValueEntity);
+    const handlers = {
+      set: r.writeHandler(setWrite),
+      reset: r.writeHandler(resetWrite),
+    };
+    const queries = {
+      values: r.queryHandler(valuesQuery),
+      schema: r.queryHandler(schemaQuery),
+    };
+    return { handlers, queries };
+  });
+}
+export function createConfigAccessor(
+  registry: Registry,
+  resolver: ConfigResolver,
+  tenantId: TenantId,
+  userId: string,
+  db: DbConnection | TenantDb,
+): ConfigAccessor {
+  async function configAccessor(
+    qualifiedKey: string,
+  ): Promise<string | number | boolean | undefined>;
+  async function configAccessor<T extends ConfigKeyType>(
+    handle: ConfigKeyHandle<T>,
+  ): Promise<ConfigValue<T> | undefined>;
+  async function configAccessor(
+    keyOrHandle: string | ConfigKeyHandle<ConfigKeyType>,
+  ): Promise<string | number | boolean | undefined> {
+    const qualifiedKey = typeof keyOrHandle === "string" ? keyOrHandle : keyOrHandle.name;
+    const keyDef = registry.getConfigKey(qualifiedKey);
+    if (!keyDef) return undefined;
+    return resolver.get(qualifiedKey, keyDef, tenantId, userId, db);
+  }
+  return configAccessor;
+}
+// Pass to the test-stack / server-boot as `_configAccessorFactory` —
+// `buildHandlerContext` mints a per-user `ctx.config` from this.
+export function createConfigAccessorFactory(
+  registry: Registry,
+  resolver: ConfigResolver,
+): ConfigAccessorFactory {
+  return ({ user, db }) => createConfigAccessor(registry, resolver, user.tenantId, user.id, db);
+}
+// Single point of truth for "this handler needs the resolver". Throws a
+// proper InternalError (with i18n) instead of bare Error, and points the
+// caller at the boot wiring step that's missing — so a future debug
+// session reads "config feature not wired into AppContext" instead of a
+// generic "configResolver missing".
+export function requireConfigResolver(ctx: HandlerContext, handlerName: string): ConfigResolver {
+  if (!ctx.configResolver) {
+    throw new InternalError({
+      message:
+        `[${handlerName}] ctx.configResolver missing — pass createConfigAccessorFactory's ` +
+        `output via extraContext._configAccessorFactory and the resolver via ` +
+        `extraContext.configResolver at boot.`,
+    });
+  }
+  return ctx.configResolver;
+}
+// Mirror of requireConfigResolver for the encryption round-trip side.
+// Only keys declared `encrypted: true` need this — the setter calls it
+// lazily so apps that never wire encryption still boot (and only crash
+// if a handler tries to write an encrypted key without the provider in
+// place, pointing at the exact wiring gap).
+export function requireConfigEncryption(
+  ctx: HandlerContext,
+  handlerName: string,
+): EncryptionProvider {
+  if (!ctx.configEncryption) {
+    throw new InternalError({
+      message:
+        `[${handlerName}] ctx.configEncryption missing — at least one config key declares ` +
+        `encrypted: true, so the boot wiring must pass an EncryptionProvider via ` +
+        `extraContext.configEncryption (same instance the resolver was built with).`,
+    });
+  }
+  return ctx.configEncryption;
+}

package/src/config/handlers/__tests__/prepare-config-write.test.ts ADDED Viewed

@@ -0,0 +1,209 @@
+import {
+  access,
+  type ConfigKeyDefinition,
+  ConfigScopes,
+  createSystemConfig,
+  createTenantConfig,
+  createUserConfig,
+  type Registry,
+  type SessionUser,
+  SYSTEM_ROLE,
+  SYSTEM_TENANT_ID,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { describe, expect, test } from "vitest";
+import { prepareConfigWrite, validateBounds } from "../../write-helpers";
+// Minimal Registry stub — only getConfigKey is exercised by prepareConfigWrite.
+function registryStub(keys: Record<string, unknown>): Registry {
+  return {
+    getConfigKey: (name: string) => keys[name] as never,
+    // biome-ignore lint/suspicious/noExplicitAny: the other Registry methods aren't touched by prepareConfigWrite — cast documents the intent.
+  } as any;
+}
+// Minimal user shape — prepareConfigWrite reads roles / tenantId / id.
+function userStub(
+  roles: readonly string[],
+  tenantId = "tenant-1" as TenantId,
+  id = "user-1",
+): SessionUser {
+  return { id, tenantId, roles } as SessionUser;
+}
+// Built via the public factory (same path a feature-dev takes in r.config).
+// Kept const so a test that asserts `result.keyDef === TENANT_KEY_DEF`
+// actually compares to the stable reference.
+const TENANT_KEY_DEF = createTenantConfig("text", { write: access.roles("Admin") });
+describe("prepareConfigWrite", () => {
+  test("returns NotFound failure when the key is not registered", () => {
+    const result = prepareConfigWrite({
+      registry: registryStub({}),
+      user: userStub(["Admin"]),
+      key: "unknown:key",
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.isSuccess).toBe(false);
+    expect(result.failure.error.code).toBe("not_found");
+    expect(result.failure.error.i18nKey).toBe("config.errors.unknownKey");
+  });
+  test("returns AccessDenied when the user's roles do not include the key's write roles", () => {
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:foo": TENANT_KEY_DEF }),
+      user: userStub(["ReadOnly"]),
+      key: "ns:config:foo",
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.error.code).toBe("access_denied");
+  });
+  test("returns AccessDenied (system-only) when the key's write access is SYSTEM_ROLE", () => {
+    const systemKey = createTenantConfig("text", { write: access.system });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:secret": systemKey }),
+      user: userStub(["SystemAdmin"]),
+      key: "ns:config:secret",
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.error.i18nKey).toBe("config.errors.systemOnly");
+  });
+  test("system-only key is writable by a caller that actually carries SYSTEM_ROLE", () => {
+    // Post-ES escape hatch: out-of-band writes (jobs, seeds, framework-
+    // internal flows) used to bypass checkWriteAccess via resolver.set.
+    // The handler is the only write path now, so SYSTEM_ROLE must flow
+    // through — otherwise billing/quota/session-cleanup jobs can't touch
+    // system-only config anymore. Non-system roles stay blocked by the
+    // test above.
+    const systemKey = createTenantConfig("text", { write: access.system });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:secret": systemKey }),
+      user: userStub([SYSTEM_ROLE]),
+      key: "ns:config:secret",
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.keyDef).toBe(systemKey);
+  });
+  test("system-only key stays blocked for Admin even when they also carry other roles", () => {
+    // Regression guard: don't let "Admin + Billing" accidentally pass the
+    // system-only gate because role aggregation loosens the check.
+    const systemKey = createTenantConfig("text", { write: access.system });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:secret": systemKey }),
+      user: userStub(["Admin", "Billing"]),
+      key: "ns:config:secret",
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.error.i18nKey).toBe("config.errors.systemOnly");
+  });
+  test("ok-path falls back to the key's declared scope when no scope is passed", () => {
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:foo": TENANT_KEY_DEF }),
+      user: userStub(["Admin"]),
+      key: "ns:config:foo",
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.scope).toBe(ConfigScopes.tenant);
+    expect(result.tenantId).toBe("tenant-1");
+    expect(result.userId).toBeNull();
+    expect(result.keyDef).toBe(TENANT_KEY_DEF);
+  });
+  test("ok-path: scope=system maps tenantId to SYSTEM_TENANT_ID, userId to null", () => {
+    // Default system-scope write role is "system" (programmatic-only) —
+    // override to admin so a SystemAdmin can actually trigger this path.
+    // System-scope rows carry the SYSTEM_TENANT_ID sentinel on tenant_id
+    // (the projection column is NOT NULL post-ES).
+    const systemKey = createSystemConfig("text", { write: access.admin });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:foo": systemKey }),
+      user: userStub(["SystemAdmin"]),
+      key: "ns:config:foo",
+      scope: ConfigScopes.system,
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.tenantId).toBe(SYSTEM_TENANT_ID);
+    expect(result.userId).toBeNull();
+  });
+  test("ok-path: scope=user maps both tenantId and userId from the caller", () => {
+    const userKey = createUserConfig("text");
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:foo": userKey }),
+      user: userStub(["Admin"], "t-99" as TenantId, "u-99"),
+      key: "ns:config:foo",
+      scope: ConfigScopes.user,
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.tenantId).toBe("t-99");
+    expect(result.userId).toBe("u-99");
+  });
+});
+describe("validateBounds", () => {
+  const numberKey = createTenantConfig("number", {
+    default: 10,
+    bounds: { min: 1, max: 100 },
+  });
+  test("returns null for value inside bounds", () => {
+    expect(validateBounds(50, numberKey)).toBeNull();
+    expect(validateBounds(1, numberKey)).toBeNull(); // boundary min
+    expect(validateBounds(100, numberKey)).toBeNull(); // boundary max
+  });
+  test("returns out_of_bounds error when value is below min", () => {
+    const err = validateBounds(0, numberKey);
+    expect(err).not.toBeNull();
+    expect(err?.code).toBe("validation_error");
+    const details = err?.details as { fields: Array<{ code: string; params: unknown }> };
+    expect(details.fields[0]?.code).toBe("out_of_bounds");
+    expect(details.fields[0]?.params).toMatchObject({ value: 0, min: 1, max: 100 });
+  });
+  test("returns out_of_bounds error when value is above max", () => {
+    const err = validateBounds(101, numberKey);
+    expect(err).not.toBeNull();
+    const details = err?.details as { fields: Array<{ params: unknown }> };
+    expect(details.fields[0]?.params).toMatchObject({ value: 101, min: 1, max: 100 });
+  });
+  test("returns null when bounds declared with only min (no max)", () => {
+    // Spread on a factory-produced def is the idiomatic way to tweak a
+    // single field without re-stating the whole declaration.
+    const minOnly: ConfigKeyDefinition = { ...numberKey, bounds: { min: 1 } };
+    expect(validateBounds(9999, minOnly)).toBeNull();
+    expect(validateBounds(0, minOnly)).not.toBeNull();
+  });
+  test("returns null when bounds declared with only max (no min)", () => {
+    const maxOnly: ConfigKeyDefinition = { ...numberKey, bounds: { max: 100 } };
+    expect(validateBounds(-9999, maxOnly)).toBeNull();
+    expect(validateBounds(101, maxOnly)).not.toBeNull();
+  });
+  test("returns null for keys without bounds declared (unrestricted)", () => {
+    const { bounds: _bounds, ...unrestricted } = numberKey;
+    expect(validateBounds(99999, unrestricted)).toBeNull();
+    expect(validateBounds(-99999, unrestricted)).toBeNull();
+  });
+  test("returns null for non-number key types (bounds only applies to number)", () => {
+    const textKey = createTenantConfig("text");
+    // Even if bounds were somehow present on a text key, non-number values
+    // are unreachable here — validateType runs first and rejects them.
+    expect(validateBounds("any", textKey)).toBeNull();
+  });
+});

package/src/config/handlers/reset.write.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
+import { ConfigScopes, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { configValueEntity, configValuesTable } from "../table";
+import { findConfigRow, prepareConfigWrite } from "../write-helpers";
+const scopeEnum = z.enum([ConfigScopes.system, ConfigScopes.tenant, ConfigScopes.user]);
+const executor = createEventStoreExecutor(configValuesTable, configValueEntity, {
+  entityName: "config-value",
+});
+export const resetWrite = defineWriteHandler({
+  name: "reset",
+  schema: z.object({
+    key: z.string(),
+    scope: scopeEnum.optional(),
+  }),
+  // Per-key access enforcement lives inside the handler via checkWriteAccess.
+  access: { openToAll: true },
+  handler: async (event, ctx) => {
+    const db = ctx.db;
+    const prep = prepareConfigWrite({
+      registry: ctx.registry,
+      user: event.user,
+      key: event.payload.key,
+      scope: event.payload.scope,
+    });
+    if (!prep.ok) return prep.failure;
+    const { scope, tenantId, userId } = prep;
+    const existing = await findConfigRow(db, event.payload.key, tenantId, userId);
+    // No-op when there is nothing to reset. Pre-ES this path silently did
+    // nothing too — keep the contract intact so callers can reset
+    // idempotently without a 404 dance.
+    if (existing) {
+      const result = await executor.delete({ id: existing.id }, event.user, db);
+      if (!result.isSuccess) return result;
+    }
+    return { isSuccess: true, data: { key: event.payload.key, scope } };
+  },
+});

package/src/config/handlers/schema.query.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { type ConfigKeyDefinition, defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { hasConfigAccess } from "../write-helpers";
+export const schemaQuery = defineQueryHandler({
+  name: "schema",
+  schema: z.object({}),
+  // Per-key read access enforced via hasConfigAccess inside the handler.
+  access: { openToAll: true },
+  handler: async (query, ctx) => {
+    const registry = ctx.registry;
+    const allKeys = registry.getAllConfigKeys();
+    const result: Record<string, ConfigKeyDefinition> = {};
+    for (const [qualifiedKey, keyDef] of allKeys) {
+      if (!hasConfigAccess(keyDef.access.read, query.user.roles)) continue;
+      result[qualifiedKey] = keyDef;
+    }
+    return result;
+  },
+});

package/src/config/handlers/set.write.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
+import { ConfigScopes, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { z } from "zod";
+import { requireConfigEncryption } from "../feature";
+import { configValueEntity, configValuesTable } from "../table";
+import {
+  findConfigRow,
+  prepareConfigWrite,
+  validateBounds,
+  validateScope,
+  validateType,
+} from "../write-helpers";
+const scopeEnum = z.enum([ConfigScopes.system, ConfigScopes.tenant, ConfigScopes.user]);
+const executor = createEventStoreExecutor(configValuesTable, configValueEntity, {
+  entityName: "config-value",
+});
+export const setWrite = defineWriteHandler({
+  name: "set",
+  schema: z.object({
+    key: z.string(),
+    value: z.union([z.string(), z.number(), z.boolean()]),
+    scope: scopeEnum.optional(),
+  }),
+  // Per-key access enforcement lives inside the handler via checkWriteAccess.
+  access: { openToAll: true },
+  handler: async (event, ctx) => {
+    const db = ctx.db;
+    const prep = prepareConfigWrite({
+      registry: ctx.registry,
+      user: event.user,
+      key: event.payload.key,
+      scope: event.payload.scope,
+    });
+    if (!prep.ok) return prep.failure;
+    const { keyDef, scope, tenantId, userId } = prep;
+    const scopeError = validateScope(scope, keyDef.scope, event.payload.key);
+    if (scopeError) return writeFailure(scopeError);
+    const typeError = validateType(event.payload.value, keyDef);
+    if (typeError) return writeFailure(typeError);
+    // Bounds enforcement: hard-reject (not silent-clamp). A caller that
+    // sends 9999 for a bounds.max=1000 key should see a 422 and fix their
+    // input — silent clamping would make `get` return a different value
+    // than what was sent, which is a UX trap with no upside.
+    const boundsError = validateBounds(event.payload.value, keyDef);
+    if (boundsError) return writeFailure(boundsError);
+    let serialized = JSON.stringify(event.payload.value);
+    if (keyDef.encrypted) {
+      const encryption = requireConfigEncryption(ctx, "config:write:set");
+      serialized = encryption.encrypt(serialized);
+    }
+    const existing = await findConfigRow(db, event.payload.key, tenantId, userId);
+    if (existing) {
+      const result = await executor.update(
+        {
+          id: existing.id,
+          version: existing.version,
+          changes: { value: serialized },
+        },
+        event.user,
+        db,
+      );
+      if (!result.isSuccess) return result;
+    } else {
+      const result = await executor.create(
+        {
+          key: event.payload.key,
+          value: serialized,
+          tenantId,
+          userId,
+        },
+        event.user,
+        db,
+      );
+      if (!result.isSuccess) return result;
+    }
+    return {
+      isSuccess: true,
+      data: { key: event.payload.key, value: event.payload.value, scope },
+    };
+  },
+});

package/src/config/handlers/values.query.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import { type ConfigScope, defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { requireConfigResolver } from "../feature";
+import { deserializeValue } from "../resolver";
+import { hasConfigAccess } from "../write-helpers";
+export const valuesQuery = defineQueryHandler({
+  name: "values",
+  schema: z.object({}),
+  // Per-key read access enforced via hasConfigAccess inside the handler.
+  access: { openToAll: true },
+  handler: async (query, ctx) => {
+    const db = ctx.db;
+    const registry = ctx.registry;
+    const resolver = requireConfigResolver(ctx, "config:query:values");
+    const allKeys = registry.getAllConfigKeys();
+    const storedValues = await resolver.getAll(query.user.tenantId, query.user.id, db);
+    const result: Record<
+      string,
+      { value: string | number | boolean | undefined; scope: ConfigScope }
+    > = {};
+    for (const [qualifiedKey, keyDef] of allKeys) {
+      if (!hasConfigAccess(keyDef.access.read, query.user.roles)) continue;
+      const stored = storedValues.get(qualifiedKey);
+      let value: string | number | boolean | undefined;
+      if (keyDef.encrypted) {
+        value = stored ? "••••••" : undefined;
+      } else if (stored?.value !== null && stored?.value !== undefined) {
+        value = deserializeValue(stored.value, keyDef.type);
+      } else {
+        value = keyDef.default;
+      }
+      result[qualifiedKey] = { value, scope: keyDef.scope };
+    }
+    return result;
+  },
+});

package/src/config/index.ts ADDED Viewed

@@ -0,0 +1,15 @@
+export {
+  CONFIG_FEATURE,
+  ConfigErrors,
+  ConfigHandlers,
+  ConfigQueries,
+} from "./constants";
+export type { ConfigContext } from "./feature";
+export {
+  createConfigAccessor,
+  createConfigAccessorFactory,
+  createConfigFeature,
+} from "./feature";
+export type { AppConfigOverrides, ConfigResolver } from "./resolver";
+export { createConfigResolver, validateAppOverrides } from "./resolver";
+export { configValuesTable } from "./table";