npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/subscription-mollie/verify-webhook.ts ADDED Viewed

@@ -0,0 +1,244 @@
+// verifyAndParseMollieWebhook — Mollie-spezifische lazy-fetch +
+// event-type-Heuristik. Wird vom Plugin-Build (feature.ts) als
+// `verifyAndParseWebhook` registriert.
+//
+// Mollie's classic-webhook sendet nur eine `id` (form-urlencoded oder
+// JSON). Wir lazy-fetchen payment + subscription via Mollie-API. Sub-
+// xxx-events werden NICHT supported — App-Builder bekommt sie indirekt
+// via tr_xxx-payment-events (Mollie sendet beide parallel bei normalen
+// Lifecycle-Events).
+//
+// **Mandate-setup-flow:** first-payment-paid kommt mit
+// `payment.subscriptionId === null` (Mollie's Pattern: App-Builder
+// muss `customerSubscriptions.create` selbst aufrufen). Wir machen
+// das im Plugin (idempotent via list-check), damit Foundation einen
+// Created-Event mit subscription-id bekommt.
+import {
+  type SubscriptionEvent,
+  type SubscriptionEventType,
+  SubscriptionEventTypes,
+  type SubscriptionStatus,
+  SubscriptionStatuses,
+} from "@cosmicdrift/kumiko-bundled-features/billing-foundation";
+import type {
+  Payment as MolliePayment,
+  Subscription as MollieSubscription,
+} from "@mollie/api-client";
+import { MOLLIE_PROVIDER_NAME } from "./constants";
+import type { MolliePriceConfig } from "./plugin-methods";
+/** Minimal-Subset des Mollie-Clients, das der Plugin nutzt — separat
+ *  damit Tests ohne den vollen MollieClient mocken können. Adapter in
+ *  feature.ts bridged das gegen den echten SDK. */
+export type MollieClientShape = {
+  readonly payments: { readonly get: (id: string) => Promise<MolliePayment> };
+  readonly customerSubscriptions: {
+    readonly get: (subId: string, customerId: string) => Promise<MollieSubscription>;
+    readonly list: (customerId: string) => Promise<readonly MollieSubscription[]>;
+    readonly create: (
+      customerId: string,
+      params: {
+        amount: { currency: string; value: string };
+        interval: string;
+        description: string;
+        metadata: Record<string, string>;
+      },
+    ) => Promise<MollieSubscription>;
+  };
+};
+export type MollieWebhookOptions = {
+  /** priceId (= virtueller Schlüssel aus subscription.metadata) → tier-name. */
+  readonly priceToTier: Readonly<Record<string, string>>;
+  /** priceId → amount/interval/description. Wird beim mandate-setup-
+   *  flow zum `customerSubscriptions.create`-Call gebraucht. App-
+   *  Builder pflegt die Map einmal in den factory-options. */
+  readonly priceToConfig: Readonly<Record<string, MolliePriceConfig>>;
+};
+export function verifyAndParseMollieWebhook(
+  client: MollieClientShape,
+  options: MollieWebhookOptions,
+): (rawBody: string, headers: Record<string, string>) => Promise<SubscriptionEvent | null> {
+  return async (rawBody, headers) => {
+    const id = extractMollieId(rawBody, headers);
+    if (!id) {
+      throw new Error("subscription-mollie: webhook body has no `id` field");
+    }
+    let subscription: MollieSubscription | null = null;
+    let triggerPayment: MolliePayment | null = null;
+    if (id.startsWith("tr_")) {
+      let payment: MolliePayment;
+      try {
+        payment = await client.payments.get(id);
+      } catch {
+        // Garbage-id → Mollie 404 → Foundation 200 ignored.
+        return null;
+      }
+      triggerPayment = payment;
+      const customerId = payment.customerId;
+      if (!customerId) return null;
+      if (payment.subscriptionId) {
+        try {
+          subscription = await client.customerSubscriptions.get(payment.subscriptionId, customerId);
+        } catch {
+          return null;
+        }
+      } else if (payment.sequenceType === "first" && payment.status === "paid") {
+        subscription = await ensureSubscriptionForMandate(client, options, payment);
+        if (!subscription) return null;
+      } else {
+        // One-shot oder first-payment-failed → nicht unsere Domain.
+        return null;
+      }
+    } else if (id.startsWith("sub_")) {
+      // sub_xxx-events kommen indirekt via parallele tr_xxx-events.
+      return null;
+    } else {
+      return null;
+    }
+    const metadata = (subscription.metadata as Record<string, string> | null) ?? {};
+    const tenantId = metadata["tenantId"];
+    if (!tenantId || tenantId.length === 0) return null;
+    const priceId = metadata["priceId"];
+    if (!priceId) return null;
+    const tier = options.priceToTier[priceId];
+    if (!tier) return null;
+    const type = mapMollieEventType(subscription, triggerPayment);
+    if (!type) return null;
+    const status = mapMollieStatus(subscription.status);
+    const periodEndSource = subscription.nextPaymentDate ?? subscription.startDate;
+    if (!periodEndSource) {
+      // Mollie-API-Drift: valid Subs haben mindestens startDate. Loud-
+      // fail damit App-Owner's monitoring den drift sieht.
+      throw new Error(
+        `subscription-mollie: subscription ${subscription.id} has neither nextPaymentDate nor startDate`,
+      );
+    }
+    const currentPeriodEnd = mollieDateStringToInstantIso(periodEndSource);
+    return {
+      providerEventId: id,
+      providerName: MOLLIE_PROVIDER_NAME,
+      type,
+      tenantId,
+      providerCustomerId: subscription.customerId,
+      providerSubscriptionId: subscription.id,
+      status,
+      tier,
+      currentPeriodEnd,
+      rawPayload: JSON.stringify({ webhookId: id, subscription, triggerPayment }),
+    };
+  };
+}
+// =============================================================================
+// Mandate-setup: subscription on-the-fly erstellen
+// =============================================================================
+/** first-payment-paid OHNE subscriptionId → Mollie-Sub erstellen.
+ *  Idempotent via list-check (replay-safe). Returns null bei
+ *  unvollständiger metadata oder unbekanntem priceId. */
+async function ensureSubscriptionForMandate(
+  client: MollieClientShape,
+  options: MollieWebhookOptions,
+  payment: MolliePayment,
+): Promise<MollieSubscription | null> {
+  const customerId = payment.customerId;
+  if (!customerId) return null;
+  const paymentMetadata = (payment.metadata as Record<string, string> | null) ?? {};
+  const tenantId = paymentMetadata["tenantId"];
+  const priceId = paymentMetadata["priceId"];
+  if (!tenantId || !priceId) return null;
+  const priceCfg = options.priceToConfig[priceId];
+  if (!priceCfg) return null;
+  const existing = await client.customerSubscriptions.list(customerId);
+  const matchingExisting = existing.find(
+    (sub) =>
+      (sub.metadata as Record<string, string> | null)?.["priceId"] === priceId &&
+      (sub.status === "active" || sub.status === "pending"),
+  );
+  if (matchingExisting) return matchingExisting;
+  return await client.customerSubscriptions.create(customerId, {
+    amount: { currency: priceCfg.amountCurrency, value: priceCfg.amountValue },
+    interval: priceCfg.interval,
+    description: priceCfg.description,
+    metadata: { tenantId, priceId },
+  });
+}
+// =============================================================================
+// Helpers (exported für Tests)
+// =============================================================================
+/** Extract `id` aus rawBody — handelt form-urlencoded + JSON. */
+export function extractMollieId(rawBody: string, headers: Record<string, string>): string | null {
+  const contentType = headers["content-type"] ?? "";
+  if (contentType.includes("application/json")) {
+    try {
+      const parsed = JSON.parse(rawBody) as { id?: unknown };
+      return typeof parsed.id === "string" ? parsed.id : null;
+    } catch {
+      return null;
+    }
+  }
+  const params = new URLSearchParams(rawBody);
+  return params.get("id");
+}
+/** Mollie-subscription + optional payment → SubscriptionEventType.
+ *  Heuristik (Mollie hat keine explicit-typed events). */
+export function mapMollieEventType(
+  subscription: MollieSubscription,
+  triggerPayment: MolliePayment | null,
+): SubscriptionEventType | null {
+  if (subscription.status === "canceled" || subscription.status === "completed") {
+    return SubscriptionEventTypes.canceled;
+  }
+  if (triggerPayment) {
+    const seq = triggerPayment.sequenceType;
+    const paid = triggerPayment.status === "paid";
+    const failed = triggerPayment.status === "failed" || triggerPayment.status === "expired";
+    if (seq === "first" && paid) return SubscriptionEventTypes.created;
+    if (seq === "recurring" && paid) return SubscriptionEventTypes.invoicePaid;
+    if (seq === "recurring" && failed) return SubscriptionEventTypes.invoicePaymentFailed;
+  }
+  if (subscription.status === "active") return SubscriptionEventTypes.updated;
+  return null;
+}
+/** Mollie-status → normalized. */
+export function mapMollieStatus(mollieStatus: MollieSubscription["status"]): SubscriptionStatus {
+  switch (mollieStatus) {
+    case "active":
+      return SubscriptionStatuses.active;
+    case "canceled":
+    case "completed":
+      // completed = alle `times`-charges durchgelaufen → wie canceled.
+      return SubscriptionStatuses.canceled;
+    case "suspended":
+      // Mandate ungültig / payment-method failed → grace-period.
+      return SubscriptionStatuses.pastDue;
+    case "pending":
+      return SubscriptionStatuses.incomplete;
+    default:
+      return SubscriptionStatuses.incomplete;
+  }
+}
+/** Mollie liefert dates als YYYY-MM-DD; foundation will ISO-Instant.
+ *  Throws bei malformed input (= Mollie-API-Drift, soll loud-fail). */
+function mollieDateStringToInstantIso(dateString: string): string {
+  return Temporal.Instant.from(`${dateString.slice(0, 10)}T00:00:00Z`).toString();
+}

package/src/subscription-stripe/__tests__/feature.test.ts ADDED Viewed

@@ -0,0 +1,98 @@
+// feature.ts contract tests for subscription-stripe.
+import { describe, expect, test } from "vitest";
+import { STRIPE_PROVIDER_NAME, StripeEventTypes, SUBSCRIPTION_STRIPE_FEATURE } from "../constants";
+import { createSubscriptionStripeFeature } from "../feature";
+const VALID_OPTIONS = {
+  webhookSecret: "whsec_test_dummy",
+  apiKey: "sk_test_dummy",
+  priceToTier: { price_test: "pro" },
+};
+describe("createSubscriptionStripeFeature — shape", () => {
+  test("has the expected name", () => {
+    const feature = createSubscriptionStripeFeature(VALID_OPTIONS);
+    expect(feature.name).toBe(SUBSCRIPTION_STRIPE_FEATURE);
+    expect(feature.name).toBe("subscription-stripe");
+  });
+  test("requires only subscription-foundation (NICHT config/secrets — alles app-wide via factory-options)", () => {
+    const feature = createSubscriptionStripeFeature(VALID_OPTIONS);
+    expect(feature.requires).toContain("billing-foundation");
+    // Drift-Pin: webhook-secret + apiKey kommen aus factory-options
+    // (= module-load-Closure), NICHT aus tenant-config/-secrets.
+    expect(feature.requires).not.toContain("config");
+    expect(feature.requires).not.toContain("secrets");
+  });
+});
+describe("createSubscriptionStripeFeature — module-load validation", () => {
+  test("throws bei empty webhookSecret (= App-Owner hat sub-stripe gemountet aber Stripe-Account nicht konfiguriert)", () => {
+    expect(() =>
+      createSubscriptionStripeFeature({
+        ...VALID_OPTIONS,
+        webhookSecret: "",
+      }),
+    ).toThrow(/webhookSecret is empty/);
+  });
+  test("throws bei empty apiKey", () => {
+    expect(() =>
+      createSubscriptionStripeFeature({
+        ...VALID_OPTIONS,
+        apiKey: "",
+      }),
+    ).toThrow(/apiKey is empty/);
+  });
+});
+describe("subscription-stripe — plugin-registration", () => {
+  test("registers itself under entityName 'stripe' for subscription-foundation's extension", () => {
+    const feature = createSubscriptionStripeFeature(VALID_OPTIONS);
+    const usages = feature.extensionUsages;
+    expect(
+      usages.some(
+        (u) => u.extensionName === "subscriptionProvider" && u.entityName === STRIPE_PROVIDER_NAME,
+      ),
+    ).toBe(true);
+  });
+  test("plugin-options have a valid SubscriptionProviderPlugin shape (drift-pin alle 4 methods)", () => {
+    // Stärker als nur "extension-usage existiert": wenn jemand eine der
+    // plugin-methods aus dem plugin-build entfernt, würde der
+    // entsprechende Foundation-write-handler zur Laufzeit als
+    // "method not supported"-error brechen — type-check würde es nicht
+    // fangen weil die useExtension-options als `unknown` durchgereicht
+    // werden.
+    const feature = createSubscriptionStripeFeature(VALID_OPTIONS);
+    const usage = feature.extensionUsages.find((u) => u.entityName === STRIPE_PROVIDER_NAME);
+    expect(usage).toBeDefined();
+    const options = usage?.options as {
+      verifyAndParseWebhook?: unknown;
+      createCheckoutSession?: unknown;
+      createPortalSession?: unknown;
+      cancelSubscription?: unknown;
+    };
+    expect(typeof options?.verifyAndParseWebhook).toBe("function");
+    expect(typeof options?.createCheckoutSession).toBe("function");
+    expect(typeof options?.createPortalSession).toBe("function");
+    expect(typeof options?.cancelSubscription).toBe("function");
+  });
+});
+describe("constants — Stripe-event-types die wir mappen", () => {
+  test("StripeEventTypes whitelist — was die Foundation verarbeitet", () => {
+    // Drift-Pin: ein Refactor das einen event-type rauswirft (z.B.
+    // invoice.paid weil "wir nutzen das nicht") würde tier-grace-period-
+    // tracking brechen. Plus: ein Refactor der einen NICHT-existing
+    // Stripe-event-type reinschreibt (typo) würde silent ignored werden.
+    expect(Object.values(StripeEventTypes)).toEqual([
+      "customer.subscription.created",
+      "customer.subscription.updated",
+      "customer.subscription.deleted",
+      "invoice.paid",
+      "invoice.payment_failed",
+    ]);
+  });
+});

package/src/subscription-stripe/__tests__/plugin-methods.test.ts ADDED Viewed

@@ -0,0 +1,161 @@
+// Unit-Tests für die Stripe-Plugin-Methoden (createCheckoutSession,
+// createPortalSession, cancelSubscription). Stripe-SDK-calls werden via
+// vi.spyOn gemockt — wir testen unsere Mapping-Logik (Argumente die wir
+// an Stripe schicken + Antwort-Parsing), NICHT Stripe selbst.
+import type { HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
+import Stripe from "stripe";
+import { describe, expect, test, vi } from "vitest";
+import {
+  createStripeCancelSubscription,
+  createStripeCheckoutSession,
+  createStripePortalSession,
+} from "../plugin-methods";
+const TEST_API_KEY = "sk_test_dummy";
+function buildStripe(): Stripe {
+  return new Stripe(TEST_API_KEY, { apiVersion: "2026-04-22.dahlia" });
+}
+const stubCtx = {} as HandlerContext;
+// =============================================================================
+// createCheckoutSession
+// =============================================================================
+describe("createStripeCheckoutSession", () => {
+  test("ruft stripe.checkout.sessions.create mit mode=subscription + tenant-metadata", async () => {
+    const stripe = buildStripe();
+    const createMock = vi
+      .spyOn(stripe.checkout.sessions, "create")
+      // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
+      .mockResolvedValue({ url: "https://checkout.stripe.com/c/pay/test" } as any);
+    const checkout = createStripeCheckoutSession(stripe);
+    const result = await checkout(stubCtx, {
+      priceId: "price_pro_monthly",
+      tenantId: "tenant-001",
+      successUrl: "https://example.com/success",
+      cancelUrl: "https://example.com/cancel",
+    });
+    expect(result).toEqual({ url: "https://checkout.stripe.com/c/pay/test" });
+    expect(createMock).toHaveBeenCalledExactlyOnceWith({
+      mode: "subscription",
+      line_items: [{ price: "price_pro_monthly", quantity: 1 }],
+      success_url: "https://example.com/success",
+      cancel_url: "https://example.com/cancel",
+      // Drift-Pin: metadata.tenantId LANDET auf der subscription, NICHT
+      // auf der checkout-session direkt — sonst kann verifyAndParse-
+      // Webhook den tenant beim subsequent webhook nicht resolven.
+      subscription_data: {
+        metadata: { tenantId: "tenant-001" },
+      },
+    });
+  });
+  test("passes existing customer-id wenn gesetzt (Plan-Wechsel-Flow)", async () => {
+    const stripe = buildStripe();
+    const createMock = vi
+      .spyOn(stripe.checkout.sessions, "create")
+      // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
+      .mockResolvedValue({ url: "https://x" } as any);
+    const checkout = createStripeCheckoutSession(stripe);
+    await checkout(stubCtx, {
+      priceId: "price_x",
+      tenantId: "tenant-002",
+      successUrl: "https://x/s",
+      cancelUrl: "https://x/c",
+      providerCustomerId: "cus_existing_123",
+    });
+    expect(createMock).toHaveBeenCalledWith(
+      expect.objectContaining({ customer: "cus_existing_123" }),
+    );
+  });
+  test("throws wenn Stripe keine url returnt (defensive — sollte nie passieren bei mode=subscription)", async () => {
+    const stripe = buildStripe();
+    vi.spyOn(stripe.checkout.sessions, "create")
+      // biome-ignore lint/suspicious/noExplicitAny: SDK-Drift-Test
+      .mockResolvedValue({ url: null } as any);
+    const checkout = createStripeCheckoutSession(stripe);
+    await expect(
+      checkout(stubCtx, {
+        priceId: "p",
+        tenantId: "t",
+        successUrl: "https://x/s",
+        cancelUrl: "https://x/c",
+      }),
+    ).rejects.toThrow(/returned no url/);
+  });
+  test("Stripe-API-failure (z.B. 500 / network) → propagated zum Caller (Foundation mapped auf 500)", async () => {
+    // Drift-Pin: Plugin schluckt KEINE Stripe-Errors. Foundation
+    // verlässt sich darauf dass create-checkout-session-handler einen
+    // throw kriegt + zur HTTP 500 mapped (transient — Provider/Stripe
+    // soll retried werden statt silent-success-mit-leerer-URL).
+    const stripe = buildStripe();
+    vi.spyOn(stripe.checkout.sessions, "create").mockRejectedValue(
+      new Error("Stripe API: Internal server error"),
+    );
+    const checkout = createStripeCheckoutSession(stripe);
+    await expect(
+      checkout(stubCtx, {
+        priceId: "p",
+        tenantId: "t",
+        successUrl: "https://x/s",
+        cancelUrl: "https://x/c",
+      }),
+    ).rejects.toThrow(/Internal server error/);
+  });
+});
+// =============================================================================
+// createPortalSession
+// =============================================================================
+describe("createStripePortalSession", () => {
+  test("ruft stripe.billingPortal.sessions.create mit customer + return_url", async () => {
+    const stripe = buildStripe();
+    const createMock = vi
+      .spyOn(stripe.billingPortal.sessions, "create")
+      // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
+      .mockResolvedValue({ url: "https://billing.stripe.com/p/session/test" } as any);
+    const portal = createStripePortalSession(stripe);
+    const result = await portal(stubCtx, {
+      providerCustomerId: "cus_001",
+      returnUrl: "https://example.com/return",
+    });
+    expect(result).toEqual({ url: "https://billing.stripe.com/p/session/test" });
+    expect(createMock).toHaveBeenCalledExactlyOnceWith({
+      customer: "cus_001",
+      return_url: "https://example.com/return",
+    });
+  });
+});
+// =============================================================================
+// cancelSubscription
+// =============================================================================
+describe("createStripeCancelSubscription", () => {
+  test("ruft stripe.subscriptions.cancel mit subscription-id", async () => {
+    const stripe = buildStripe();
+    const cancelMock = vi
+      .spyOn(stripe.subscriptions, "cancel")
+      // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
+      .mockResolvedValue({ id: "sub_001", status: "canceled" } as any);
+    const cancel = createStripeCancelSubscription(stripe);
+    await cancel(stubCtx, "sub_001");
+    expect(cancelMock).toHaveBeenCalledExactlyOnceWith("sub_001");
+  });
+});