npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/secrets/handlers/rotate.job.ts ADDED Viewed

@@ -0,0 +1,193 @@
+// Rotation job. Scans tenant_secrets for rows whose kekVersion is older
+// than provider.currentVersion() and rewraps their DEK under the new KEK
+// — the ciphertext itself never changes, only the 60-byte DEK wrapper
+// and the kek_version column. See architecture/core-secrets.md for the
+// full rotation story.
+//
+// The job is idempotent: re-running it after a partial failure picks up
+// the remaining old-version rows. Consumers that want a time-bound run
+// pass a maxDurationMs in the payload.
+//
+// Post-ES pivot: each rotation is an executor.update against the
+// tenantSecret aggregate. The resulting `.updated` event carries
+// {changes, previous} with BOTH envelopes — useful for a full rotation
+// audit trail (when did row X flip from v1 to v2, who triggered it).
+// Concurrency-guard shifts from the pre-ES `WHERE kek_version = old`
+// check to the executor's stream-version check; a parallel secrets.set
+// that landed the row on the new kekVersion first surfaces here as a
+// version_conflict error (counted as "skipped", not "failed").
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  type TenantDb,
+} from "@cosmicdrift/kumiko-framework/db";
+import type { JobHandlerFn, SessionUser, TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
+import { rewrapDek } from "@cosmicdrift/kumiko-framework/secrets";
+import { ne } from "drizzle-orm";
+import { type StoredEnvelope, tenantSecretEntity, tenantSecretsTable } from "../table";
+const DEFAULT_BATCH_SIZE = 100;
+const DEFAULT_MAX_FAILURES = 10;
+const SYSTEM_ROLES = ["system"] as const;
+const executor = createEventStoreExecutor(tenantSecretsTable, tenantSecretEntity, {
+  entityName: "tenant-secret",
+});
+export type RotateJobPayload = {
+  readonly batchSize?: number;
+  readonly maxDurationMs?: number;
+  readonly maxFailures?: number;
+};
+export type RotateJobResult = {
+  readonly migrated: number;
+  readonly failed: number;
+  readonly batchesProcessed: number;
+  readonly stoppedReason: "empty" | "timeout" | "signal" | "too_many_failures";
+};
+export const rotateJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> => {
+  const payload = rawPayload as RotateJobPayload;
+  if (!ctx.masterKeyProvider) {
+    throw new InternalError({
+      message:
+        "[secrets:rotate] ctx.masterKeyProvider missing — wire it via extraContext.masterKeyProvider at boot.",
+    });
+  }
+  const provider = ctx.masterKeyProvider;
+  if (!ctx.db) {
+    throw new InternalError({
+      message: "[secrets:rotate] ctx.db missing — job context requires a database connection.",
+    });
+  }
+  const db = ctx.db as DbConnection;
+  const batchSize = payload.batchSize ?? DEFAULT_BATCH_SIZE;
+  const maxFailures = payload.maxFailures ?? DEFAULT_MAX_FAILURES;
+  const deadline = payload.maxDurationMs
+    ? Date.now() + payload.maxDurationMs
+    : Number.POSITIVE_INFINITY;
+  let migrated = 0;
+  let failed = 0;
+  let batchesProcessed = 0;
+  let stoppedReason: RotateJobResult["stoppedReason"] = "empty";
+  // Reuse a TenantDb-per-tenant map so we don't rebuild the wrapper for
+  // each row in the same tenant. Rotation typically hits one tenant in a
+  // batch; the map trims an allocation without adding complexity.
+  const tdbCache = new Map<TenantId, TenantDb>();
+  function tdbFor(tenantId: TenantId): TenantDb {
+    let existing = tdbCache.get(tenantId);
+    if (!existing) {
+      existing = createTenantDb(db, tenantId, "system");
+      tdbCache.set(tenantId, existing);
+    }
+    return existing;
+  }
+  while (true) {
+    if (ctx.signal?.aborted) {
+      stoppedReason = "signal";
+      break;
+    }
+    if (Date.now() >= deadline) {
+      stoppedReason = "timeout";
+      break;
+    }
+    const targetVersion = provider.currentVersion();
+    const batch = await db
+      .select({
+        id: tenantSecretsTable.id,
+        tenantId: tenantSecretsTable.tenantId,
+        version: tenantSecretsTable.version,
+        envelope: tenantSecretsTable.envelope,
+        kekVersion: tenantSecretsTable.kekVersion,
+      })
+      .from(tenantSecretsTable)
+      .where(ne(tenantSecretsTable.kekVersion, targetVersion))
+      .limit(batchSize);
+    if (batch.length === 0) break;
+    batchesProcessed++;
+    if (failed >= maxFailures) {
+      stoppedReason = "too_many_failures";
+      break;
+    }
+    for (const row of batch) {
+      if (failed >= maxFailures) {
+        stoppedReason = "too_many_failures";
+        break;
+      }
+      try {
+        const oldEnvelope = {
+          ciphertext: Buffer.from(row.envelope.ciphertext, "base64"),
+          iv: Buffer.from(row.envelope.iv, "base64"),
+          authTag: Buffer.from(row.envelope.authTag, "base64"),
+          encryptedDek: Buffer.from(row.envelope.encryptedDek, "base64"),
+          kekVersion: row.envelope.kekVersion,
+        };
+        const rotated = await rewrapDek(oldEnvelope, provider);
+        if (rotated.kekVersion === row.kekVersion) continue;
+        const newEnvelope: StoredEnvelope = {
+          ciphertext: rotated.ciphertext.toString("base64"),
+          iv: rotated.iv.toString("base64"),
+          authTag: rotated.authTag.toString("base64"),
+          encryptedDek: rotated.encryptedDek.toString("base64"),
+          kekVersion: rotated.kekVersion,
+        };
+        const actor: SessionUser = {
+          id: "system",
+          tenantId: row.tenantId as TenantId,
+          roles: SYSTEM_ROLES,
+        };
+        const result = await executor.update(
+          {
+            id: row.id,
+            version: row.version,
+            changes: {
+              envelope: newEnvelope,
+              kekVersion: rotated.kekVersion,
+            },
+          },
+          actor,
+          tdbFor(row.tenantId as TenantId),
+        );
+        // version_conflict == another writer (secrets.set or a parallel
+        // rotation worker) beat us. Count as "skipped" and move on — the
+        // row is already in a valid state, potentially even past target.
+        if (!result.isSuccess) {
+          if (result.error.code === "version_conflict") continue;
+          failed++;
+          ctx.log?.warn?.(`[secrets:rotate] executor rejected row ${row.id}`, {
+            code: result.error.code,
+          });
+          continue;
+        }
+      } catch (err) {
+        failed++;
+        ctx.log?.warn?.(`[secrets:rotate] failed to rotate row ${row.id}`, { err });
+        continue;
+      }
+      migrated++;
+    }
+    if (stoppedReason === "too_many_failures") break;
+    if (batch.length < batchSize) break;
+  }
+  const result: RotateJobResult = { migrated, failed, batchesProcessed, stoppedReason };
+  ctx.log?.info?.(`[secrets:rotate] complete: ${JSON.stringify(result)}`);
+};

package/src/secrets/handlers/set.write.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { requireSecretsContext } from "../feature";
+export const setWrite = defineWriteHandler({
+  name: "set",
+  schema: z.object({
+    key: z.string().min(1).max(100),
+    value: z.string(),
+    // Optional fixed-length preview — if the caller's UI wants a domain-
+    // specific redaction ("sk_live_abc…xyz") it can send it here; else the
+    // handler derives a generic one (first-3-chars + bullets).
+    redactedPreview: z.string().max(50).optional(),
+    hint: z.string().max(200).optional(),
+  }),
+  access: { roles: ["TenantAdmin"] },
+  handler: async (event, ctx) => {
+    const secrets = requireSecretsContext(ctx, "secrets:write:set");
+    const { key, value, redactedPreview, hint } = event.payload;
+    // Preview-priority: explicit payload param > feature-declared redact
+    // (via r.secret()) > generic default. A feature that declared a
+    // domain-aware redact (Stripe keys: "sk_test...2345") wins over the
+    // framework default unless the caller sent a specific preview.
+    const keyDef = ctx.registry.getSecretKey(key);
+    const featureRedact = keyDef?.redact;
+    const redactFn: (v: string) => string = redactedPreview
+      ? () => redactedPreview
+      : (featureRedact ?? defaultRedact);
+    await secrets.set(event.user.tenantId, key, value, {
+      redact: redactFn,
+      ...(hint ? { hint } : {}),
+      updatedBy: event.user.id,
+    });
+    return {
+      isSuccess: true,
+      data: { key, redactedPreview: redactedPreview ?? redactFn(value) },
+    };
+  },
+});
+// Fallback redaction: show at most the first 3 chars + trailing bullets.
+// Deliberately conservative — a too-generous preview defeats the point.
+function defaultRedact(value: string): string {
+  if (value.length === 0) return "";
+  const prefix = value.slice(0, Math.min(3, value.length));
+  return `${prefix}${"•".repeat(Math.max(1, value.length - 3))}`;
+}

package/src/secrets/index.ts ADDED Viewed

@@ -0,0 +1,16 @@
+export {
+  createSecretsContext,
+  createSecretsFeature,
+  requireSecretsContext,
+  type SecretsContext,
+  type SecretsContextOptions,
+  type StoredEnvelope,
+  type StoredMetadata,
+  TENANT_SECRET_READ_EVENT,
+  tenantSecretsTable,
+} from "./feature";
+export {
+  type RotateJobPayload,
+  type RotateJobResult,
+  rotateJob,
+} from "./handlers/rotate.job";

package/src/secrets/secrets-context.ts ADDED Viewed

@@ -0,0 +1,296 @@
+// Feature-level accessor injected as `ctx.secrets` at boot. Not a HTTP API —
+// feature code that needs a plaintext secret (SMTP-connect, Stripe-call, …)
+// pulls it via ctx.secrets.get. Cleartext never crosses the wire.
+//
+// Post-ES pivot: all three ops (get/set/delete) flow through the events-
+// table.
+//   - set → executor.create / .update on the tenantSecret aggregate
+//   - delete → executor.delete
+//   - get → low-level append of tenantSecretRead-event on a fresh
+//           aggregate-stream (one-event-per-read, so parallel reads never
+//           race on the secret's own version). The audit invariant ("every
+//           read logged") now sits on the events-table instead of a
+//           dedicated audit-table.
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  fetchOne,
+} from "@cosmicdrift/kumiko-framework/db";
+import type { SessionUser } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError, type WriteErrorInfo } from "@cosmicdrift/kumiko-framework/errors";
+import { append, type EventMetadata } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createDekCache,
+  createSecret,
+  type DekCache,
+  decryptValue,
+  encryptValue,
+  type MasterKeyProvider,
+  type SecretsContext,
+} from "@cosmicdrift/kumiko-framework/secrets";
+import { generateId } from "@cosmicdrift/kumiko-framework/utils";
+import { and, eq } from "drizzle-orm";
+import { z } from "zod";
+import {
+  type StoredEnvelope,
+  type StoredMetadata,
+  tenantSecretEntity,
+  tenantSecretsTable,
+} from "./table";
+// Re-export the framework interface so consumers of bundled-features/secrets
+// don't need to reach into @cosmicdrift/kumiko-framework/secrets separately.
+export type { Secret, SecretsContext } from "@cosmicdrift/kumiko-framework/secrets";
+export type SecretsContextOptions = {
+  readonly db: DbConnection;
+  readonly masterKeyProvider: MasterKeyProvider;
+  // Shared DEK cache. Default: a fresh 5-min TTL cache. Pass in a shared
+  // instance if several features decrypt overlapping secret sets — lowers
+  // provider-call count across the app.
+  readonly dekCache?: DekCache;
+};
+// Synthetic actor identity for set/delete — the executor wants a full
+// SessionUser, but the secrets-context API takes only a user-id string
+// (via opts.updatedBy / opts.deletedBy). `system`-role mirrors how jobs
+// and seeds attribute out-of-band writes: non-admin paths stay blocked,
+// framework-internal ops keep working.
+const SYSTEM_ROLES = ["system"] as const;
+// Secret-read audit-event type name + schema. Colocated here instead of
+// in secrets-feature.ts because the feature file imports the context
+// (via createSecretsContext), so schema-in-feature-file would cycle.
+// secrets-feature.ts re-exports `secretReadSchema` for r.defineEvent.
+export const TENANT_SECRET_READ_EVENT = "secrets:event:read";
+export const secretReadSchema = z.object({
+  key: z.string(),
+  userId: z.string(),
+  handlerName: z.string(),
+});
+const executor = createEventStoreExecutor(tenantSecretsTable, tenantSecretEntity, {
+  entityName: "tenant-secret",
+});
+function resolveKey(keyOrHandle: string | { readonly name: string }): string {
+  return typeof keyOrHandle === "string" ? keyOrHandle : keyOrHandle.name;
+}
+// Wrap a provider so its unwrapDek goes through the cache. Lets decryptValue
+// use the full provider contract without knowing about caching — separation
+// of concerns: decryptValue handles crypto, cache handles cost.
+function cachedProvider(provider: MasterKeyProvider, cache: DekCache): MasterKeyProvider {
+  return {
+    wrapDek: provider.wrapDek.bind(provider),
+    unwrapDek: (encryptedDek, version) => cache.unwrapDek(encryptedDek, version, provider),
+    currentVersion: provider.currentVersion.bind(provider),
+    isAvailable: provider.isAvailable.bind(provider),
+  };
+}
+function decodeEnvelope(stored: StoredEnvelope): {
+  ciphertext: Buffer;
+  iv: Buffer;
+  authTag: Buffer;
+  encryptedDek: Buffer;
+  kekVersion: number;
+} {
+  return {
+    ciphertext: Buffer.from(stored.ciphertext, "base64"),
+    iv: Buffer.from(stored.iv, "base64"),
+    authTag: Buffer.from(stored.authTag, "base64"),
+    encryptedDek: Buffer.from(stored.encryptedDek, "base64"),
+    kekVersion: stored.kekVersion,
+  };
+}
+export function createSecretsContext(opts: SecretsContextOptions): SecretsContext {
+  const { db, masterKeyProvider } = opts;
+  const provider = cachedProvider(masterKeyProvider, opts.dekCache ?? createDekCache());
+  type SecretLookupRow = {
+    readonly id: string;
+    readonly version: number;
+    readonly envelope: StoredEnvelope;
+  };
+  async function lookup(tenantId: string, key: string): Promise<SecretLookupRow | undefined> {
+    return fetchOne<SecretLookupRow>(
+      db,
+      tenantSecretsTable,
+      eq(tenantSecretsTable.tenantId, tenantId),
+      eq(tenantSecretsTable.key, key),
+    );
+  }
+  return {
+    async get(tenantId, keyOrHandle, auditCtx) {
+      const key = resolveKey(keyOrHandle);
+      // Atomic audit + read: a decrypt that "escaped" the audit trail
+      // (because the audit-append threw) would violate the compliance
+      // promise "every read is logged". Wrapping both in a TX means
+      // either the caller gets the plaintext AND a read-event row, or
+      // neither. Reads without audit (framework-internal, rotation job)
+      // skip the TX — there's nothing to couple.
+      if (!auditCtx) {
+        const existing = await lookup(tenantId, key);
+        if (!existing) return undefined;
+        const plaintext = await decryptValue(decodeEnvelope(existing.envelope), provider);
+        return createSecret(plaintext);
+      }
+      const plaintext = await db.transaction(async (tx) => {
+        // Inline select inside the TX — fetchOne's SelectChainDb shape
+        // doesn't widen to drizzle's tx-object cleanly. Structurally
+        // identical; the one-off repeat beats a double-cast at the
+        // call site.
+        const [row] = await tx
+          .select({ envelope: tenantSecretsTable.envelope })
+          .from(tenantSecretsTable)
+          .where(and(eq(tenantSecretsTable.tenantId, tenantId), eq(tenantSecretsTable.key, key)))
+          .limit(1);
+        if (!row) return undefined;
+        const envelope = row.envelope;
+        const pt = await decryptValue(decodeEnvelope(envelope), provider);
+        // One event per read on its own aggregate-stream (fresh UUID as
+        // aggregateId). Avoids version-conflicts between parallel reads —
+        // a shared stream on the tenantSecret-aggregate would force
+        // serialization and turn read-amplification into lock-amplification.
+        // MSP consumers still group by payload.key if they want per-secret
+        // read counts.
+        const readId = generateId();
+        const metadata: EventMetadata = { userId: auditCtx.userId };
+        // Parse against the registered schema so the low-level append
+        // here gets the same validation guarantee as ctx.appendEvent.
+        // A payload-shape drift between schema + call-site fails at the
+        // source instead of landing on the events-stream.
+        const payload = secretReadSchema.parse({
+          key,
+          userId: auditCtx.userId,
+          handlerName: auditCtx.handlerName,
+        });
+        await append(tx, {
+          aggregateId: readId,
+          aggregateType: "tenantSecretRead",
+          tenantId,
+          expectedVersion: 0,
+          type: TENANT_SECRET_READ_EVENT,
+          payload,
+          metadata,
+        });
+        return pt;
+      });
+      if (plaintext === undefined) return undefined;
+      // Brand the plaintext only after audit committed. The response
+      // serializer rejects any Secret<> it finds on the response path.
+      return createSecret(plaintext);
+    },
+    async set(tenantId, keyOrHandle, value, setOpts = {}) {
+      const key = resolveKey(keyOrHandle);
+      const envelope = await encryptValue(value, masterKeyProvider);
+      const stored: StoredEnvelope = {
+        ciphertext: envelope.ciphertext.toString("base64"),
+        iv: envelope.iv.toString("base64"),
+        authTag: envelope.authTag.toString("base64"),
+        encryptedDek: envelope.encryptedDek.toString("base64"),
+        kekVersion: envelope.kekVersion,
+      };
+      const metadata: StoredMetadata = {
+        ...(setOpts.redact ? { redactedPreview: setOpts.redact(value) } : {}),
+        ...(setOpts.hint ? { hint: setOpts.hint } : {}),
+      };
+      const actor: SessionUser = {
+        id: setOpts.updatedBy ?? "system",
+        tenantId,
+        roles: SYSTEM_ROLES,
+      };
+      const tdb = createTenantDb(db, tenantId, "system");
+      const existing = await lookup(tenantId, key);
+      const commonFields = {
+        envelope: stored,
+        kekVersion: envelope.kekVersion,
+        metadata,
+        lastRotatedAt: Temporal.Now.instant(),
+      };
+      if (existing) {
+        const result = await executor.update(
+          {
+            id: existing.id,
+            version: existing.version,
+            changes: commonFields,
+          },
+          actor,
+          tdb,
+        );
+        if (!result.isSuccess) throw wrapSetFailure(result.error);
+        // skip: update path done — don't fall through into the create branch below.
+        return;
+      }
+      try {
+        const result = await executor.create(
+          {
+            key,
+            tenantId,
+            ...commonFields,
+          },
+          actor,
+          tdb,
+        );
+        if (!result.isSuccess) throw wrapSetFailure(result.error);
+      } catch (err) {
+        // Race-fallback: a concurrent set won the insert. Re-lookup and
+        // convert to an update. The unique-index on (tenant, key) is what
+        // triggers this path.
+        const afterRace = await lookup(tenantId, key);
+        if (!afterRace) throw err;
+        const result = await executor.update(
+          {
+            id: afterRace.id,
+            version: afterRace.version,
+            changes: commonFields,
+          },
+          actor,
+          tdb,
+        );
+        if (!result.isSuccess) throw wrapSetFailure(result.error);
+      }
+    },
+    async delete(tenantId, keyOrHandle, deleteOpts = {}) {
+      const key = resolveKey(keyOrHandle);
+      const existing = await lookup(tenantId, key);
+      if (!existing) return false;
+      const actor: SessionUser = {
+        id: deleteOpts.deletedBy ?? "system",
+        tenantId,
+        roles: SYSTEM_ROLES,
+      };
+      const tdb = createTenantDb(db, tenantId, "system");
+      const result = await executor.delete({ id: existing.id }, actor, tdb);
+      return result.isSuccess;
+    },
+  };
+}
+// Wrap an executor-level write failure into a KumikoError so callers of
+// ctx.secrets.set / .delete can still branch on .code / details / i18nKey
+// after it propagates up. Plain `new Error(...)` would have stripped the
+// structured payload the error-contract promises.
+function wrapSetFailure(err: WriteErrorInfo): InternalError {
+  return new InternalError({
+    message: `[secrets.set] executor returned failure: ${err.code}`,
+    i18nKey: "secrets.errors.set_failed",
+    details: { executorCode: err.code, executorDetails: err.details ?? {} },
+  });
+}

package/src/secrets/table.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import {
+  buildBaseColumns,
+  instant,
+  integer,
+  jsonb,
+  table,
+  text,
+  uniqueIndex,
+} from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createNumberField,
+  createTextField,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { sql } from "drizzle-orm";
+// Envelope stored as a single jsonb blob. All ops are upsert-by-(tenantId, key)
+// so there's no value in decomposing the envelope into separate columns —
+// we never query or index on any sub-field of the envelope itself.
+//
+// kekVersion IS broken out as its own column so the rotation job can filter
+// `WHERE kek_version != currentVersion()` with an index on just that column
+// without deserializing the jsonb. Duplicated inside envelope too — the two
+// always stay in sync via the write path.
+export type StoredEnvelope = {
+  readonly ciphertext: string; // base64
+  readonly iv: string; // base64
+  readonly authTag: string; // base64
+  readonly encryptedDek: string; // base64
+  readonly kekVersion: number;
+};
+export type StoredMetadata = {
+  readonly redactedPreview?: string;
+  readonly hint?: string;
+};
+// Entity registration for the ES pivot. Only `key` + `kekVersion` are
+// declared as business-validated fields; the jsonb columns (envelope,
+// metadata) and the instant column (lastRotatedAt) ride along as extra
+// table-columns. The executor writes whatever keys land in `flatData`
+// into both the projection row AND the event payload, so the whole
+// envelope round-trips through events.
+//
+// The envelope is cipher-safe by construction (AES-GCM ciphertext + authTag
+// + DEK encrypted under the KEK). A leaked event row can't recover the
+// plaintext without the master key — so shipping it into the events-table
+// doesn't weaken the threat model vs. the pre-ES tenant_secrets column.
+export const tenantSecretEntity = createEntity({
+  table: "read_tenant_secrets",
+  fields: {
+    key: createTextField({ required: true }),
+    kekVersion: createNumberField({ required: true }),
+  },
+});
+export const tenantSecretsTable = table(
+  "read_tenant_secrets",
+  {
+    ...buildBaseColumns(false, "uuid"),
+    key: text("key").notNull(),
+    envelope: jsonb("envelope").$type<StoredEnvelope>().notNull(),
+    kekVersion: integer("kek_version").notNull(),
+    metadata: jsonb("metadata").$type<StoredMetadata>().default({}).notNull(),
+    lastRotatedAt: instant("last_rotated_at").default(sql`now()`).notNull(),
+  },
+  (t) => [uniqueIndex("read_tenant_secrets_tenant_key_unique").on(t.tenantId, t.key)],
+);