npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts ADDED Viewed

@@ -0,0 +1,315 @@
+// Integration-test: Stripe-Plugin → subscription-foundation → DB.
+//
+// Beweist die echte Verdrahtung:
+//   1. Stripe-event mit valider Signatur kommt am webhook-handler an
+//   2. Stripe-Plugin verifiziert + parsed → SubscriptionEvent
+//   3. webhook-handler dispatched zu process-event-handler
+//   4. process-event-handler schreibt subscription + subscription-event
+//      in die DB
+//
+// Type-checks fangen struct-mismatch, NICHT runtime-mismatches (Zod-
+// validation des process-event-schema könnte stricter sein als der
+// Stripe-output liefert). Dieser Test fängt das Spalten-Mapping +
+// Verdrahtungs-Bugs ab.
+import {
+  billingFoundationFeature,
+  createSubscriptionWebhookHandler,
+  type SubscriptionProviderPlugin,
+  subscriptionAggregateId,
+} from "@cosmicdrift/kumiko-bundled-features/billing-foundation";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, loadAggregate } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { Hono } from "hono";
+import Stripe from "stripe";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createSubscriptionStripeFeature } from "../feature";
+// =============================================================================
+// Setup
+// =============================================================================
+const TEST_SECRET = "whsec_test_integration_secret";
+const TEST_API_KEY = "sk_test_integration_apikey";
+const PRICE_TO_TIER = { price_pro_monthly: "pro", price_business_yearly: "business" };
+let stack: TestStack;
+let db: DbConnection;
+let webhookApp: Hono;
+const stripeForFixtures = new Stripe(TEST_API_KEY, { apiVersion: "2026-04-22.dahlia" });
+beforeAll(async () => {
+  const stripeFeature = createSubscriptionStripeFeature({
+    webhookSecret: TEST_SECRET,
+    apiKey: TEST_API_KEY,
+    priceToTier: PRICE_TO_TIER,
+  });
+  stack = await setupTestStack({
+    features: [billingFoundationFeature, stripeFeature],
+  });
+  db = stack.db;
+  // subscriptionsProjectionTable wird von setupTestStack automatisch
+  // gepusht (r.projection mit `table`-Property → auto-push).
+  await createEventsTable(db);
+  // Webhook-app: Hono mit der webhook-handler-Route.
+  // dispatchWrite ruft `stack.http.write` mit dem System-User des
+  // resolved-Tenants — das ist exakt was der App-Builder im echten
+  // bin/server.ts via extraRoutes wireup macht.
+  webhookApp = new Hono();
+  webhookApp.post(
+    "/api/subscription/webhook/:providerName",
+    createSubscriptionWebhookHandler({
+      dispatchWrite: async ({ handlerQn, payload, tenantId }) => {
+        const systemUser = createTestUser({
+          id: 1,
+          tenantId: tenantId as TenantId,
+          roles: ["SystemAdmin"],
+        });
+        const res = await stack.http.write(handlerQn, payload, systemUser);
+        const body = await res.json();
+        return body.isSuccess
+          ? { isSuccess: true, data: body.data }
+          : { isSuccess: false, error: body.error };
+      },
+      resolveProvider: (providerName) => {
+        const usage = stack.registry
+          .getExtensionUsages("subscriptionProvider")
+          .find((u) => u.entityName === providerName);
+        return usage?.options as SubscriptionProviderPlugin | undefined;
+      },
+    }),
+  );
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+// =============================================================================
+// Fixtures
+// =============================================================================
+function buildStripeSubscriptionEvent(overrides: {
+  eventId?: string;
+  tenantId?: string;
+  priceId?: string;
+  status?: string;
+  customerId?: string;
+  subscriptionId?: string;
+  eventType?: string;
+}) {
+  const eventId = overrides.eventId ?? "evt_integration_001";
+  return {
+    id: eventId,
+    object: "event",
+    api_version: "2026-04-22.dahlia",
+    created: 1_770_000_000,
+    type: overrides.eventType ?? "customer.subscription.created",
+    livemode: false,
+    pending_webhooks: 1,
+    request: { id: null, idempotency_key: null },
+    data: {
+      object: {
+        id: overrides.subscriptionId ?? "sub_integration_001",
+        object: "subscription",
+        customer: overrides.customerId ?? "cus_integration_001",
+        status: overrides.status ?? "active",
+        metadata: { tenantId: overrides.tenantId ?? "tenant-int-1" },
+        items: {
+          object: "list",
+          data: [
+            {
+              id: "si_int",
+              object: "subscription_item",
+              current_period_end: 1_780_000_000,
+              price: { id: overrides.priceId ?? "price_pro_monthly", object: "price" },
+            },
+          ],
+          has_more: false,
+        },
+      },
+    },
+  };
+}
+function signEvent(payload: string): string {
+  return stripeForFixtures.webhooks.generateTestHeaderString({
+    payload,
+    secret: TEST_SECRET,
+  });
+}
+async function postStripeWebhook(payload: string, sig: string) {
+  return webhookApp.request("/api/subscription/webhook/stripe", {
+    method: "POST",
+    body: payload,
+    headers: { "stripe-signature": sig, "content-type": "application/json" },
+  });
+}
+// =============================================================================
+// Scenarios
+// =============================================================================
+describe("scenario 1: Stripe-event → DB happy path", () => {
+  test("valid sig + bekannter event-type → subscription-row + subscription-event-row in DB", async () => {
+    const tenantStringId = testTenantId(4001);
+    const stripeEvent = buildStripeSubscriptionEvent({
+      eventId: "evt_4001_create",
+      tenantId: tenantStringId,
+      subscriptionId: "sub_4001",
+      customerId: "cus_4001",
+      priceId: "price_business_yearly",
+    });
+    const payload = JSON.stringify(stripeEvent);
+    const sig = signEvent(payload);
+    const res = await postStripeWebhook(payload, sig);
+    expect(res.status).toBe(200);
+    // Prüfe DB-state: subscription-row + subscription-event-row für
+    // diesen Tenant.
+    const admin = createTestUser({
+      id: 4001,
+      tenantId: tenantStringId,
+      roles: ["TenantAdmin", "SystemAdmin"],
+    });
+    const subs = (await stack.http.queryOk(
+      "billing-foundation:query:subscription:list",
+      {},
+      admin,
+    )) as { rows: Array<Record<string, unknown>> };
+    expect(subs.rows).toHaveLength(1);
+    expect(subs.rows[0]?.["providerName"]).toBe("stripe");
+    expect(subs.rows[0]?.["providerSubscriptionId"]).toBe("sub_4001");
+    expect(subs.rows[0]?.["providerCustomerId"]).toBe("cus_4001");
+    expect(subs.rows[0]?.["tier"]).toBe("business");
+    expect(subs.rows[0]?.["status"]).toBe("active");
+    // Drift-pin: deterministic aggregate-id matched zwischen Stripe-Plugin
+    // (foundation-side) und expected uuid.
+    expect(subs.rows[0]?.["id"]).toBe(subscriptionAggregateId(tenantStringId));
+    const esEvents = await loadAggregate(
+      db,
+      subscriptionAggregateId(tenantStringId),
+      tenantStringId,
+    );
+    expect(esEvents).toHaveLength(1);
+    expect(esEvents[0]?.type).toBe("billing-foundation:event:subscription-created");
+    expect(esEvents[0]?.metadata.headers?.["providerName"]).toBe("stripe");
+    expect(esEvents[0]?.metadata.headers?.["providerEventId"]).toBe("evt_4001_create");
+    // rawPayload wurde 1:1 in headers archiviert
+    const rawHeader = esEvents[0]?.metadata.headers?.["rawPayload"] as string;
+    const archivedRaw = JSON.parse(rawHeader) as { id: string };
+    expect(archivedRaw.id).toBe("evt_4001_create");
+  });
+});
+describe("scenario 2: invalid sig → 401, kein DB-write", () => {
+  test("wrong webhook-secret → 401, foundation sieht keinen event", async () => {
+    const tenantStringId = testTenantId(4002);
+    const stripeEvent = buildStripeSubscriptionEvent({
+      eventId: "evt_4002_bad",
+      tenantId: tenantStringId,
+      subscriptionId: "sub_4002",
+    });
+    const payload = JSON.stringify(stripeEvent);
+    // Wrong secret = invalid sig.
+    const wrongSig = stripeForFixtures.webhooks.generateTestHeaderString({
+      payload,
+      secret: "whsec_wrong_secret",
+    });
+    const res = await postStripeWebhook(payload, wrongSig);
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("subscription_webhook_signature_invalid");
+    // Drift-pin: foundation-DB ist unberührt — kein subscription-row
+    // für diesen Tenant entstanden.
+    const admin = createTestUser({
+      id: 4002,
+      tenantId: tenantStringId,
+      roles: ["TenantAdmin", "SystemAdmin"],
+    });
+    const subs = (await stack.http.queryOk(
+      "billing-foundation:query:subscription:list",
+      {},
+      admin,
+    )) as { rows: Array<Record<string, unknown>> };
+    expect(subs.rows).toHaveLength(0);
+  });
+});
+describe("scenario 3: idempotency via Stripe-retry", () => {
+  test("derselbe Stripe-event 2× → 2. Mal foundation duplicate=true, kein zweiter event-row", async () => {
+    const tenantStringId = testTenantId(4003);
+    const stripeEvent = buildStripeSubscriptionEvent({
+      eventId: "evt_4003_retry",
+      tenantId: tenantStringId,
+      subscriptionId: "sub_4003",
+    });
+    const payload = JSON.stringify(stripeEvent);
+    const sig = signEvent(payload);
+    const res1 = await postStripeWebhook(payload, sig);
+    expect(res1.status).toBe(200);
+    const body1 = (await res1.json()) as { processed: boolean; duplicate: boolean };
+    expect(body1.duplicate).toBe(false);
+    // Stripe retry-storm — selber event mit selber providerEventId
+    const res2 = await postStripeWebhook(payload, sig);
+    expect(res2.status).toBe(200);
+    const body2 = (await res2.json()) as { processed: boolean; duplicate: boolean };
+    expect(body2.duplicate).toBe(true);
+    // Drift-pin: nur ein event im subscription-stream
+    const esEvents = await loadAggregate(
+      db,
+      subscriptionAggregateId(tenantStringId),
+      tenantStringId,
+    );
+    expect(esEvents).toHaveLength(1);
+  });
+});
+describe("scenario 4: ignored event-types pass through", () => {
+  test("customer.created → 200 ignored, kein dispatch", async () => {
+    const tenantStringId = testTenantId(4004);
+    const stripeEvent = buildStripeSubscriptionEvent({
+      eventId: "evt_4004_ignored",
+      eventType: "customer.created",
+      tenantId: tenantStringId,
+    });
+    const payload = JSON.stringify(stripeEvent);
+    const sig = signEvent(payload);
+    const res = await postStripeWebhook(payload, sig);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { ignored?: boolean; processed?: boolean };
+    expect(body.ignored).toBe(true);
+    expect(body.processed).toBeUndefined();
+    const admin = createTestUser({
+      id: 4004,
+      tenantId: tenantStringId,
+      roles: ["TenantAdmin", "SystemAdmin"],
+    });
+    const subs = (await stack.http.queryOk(
+      "billing-foundation:query:subscription:list",
+      {},
+      admin,
+    )) as { rows: Array<Record<string, unknown>> };
+    expect(subs.rows).toHaveLength(0);
+  });
+});

package/src/subscription-stripe/__tests__/verify-webhook.test.ts ADDED Viewed

@@ -0,0 +1,306 @@
+// Unit-Tests für verifyAndParseStripeWebhook. Nutzt stripe.webhooks.
+// generateTestHeaderString um valid sigs zu erzeugen — kein Mock,
+// echter Stripe-SDK-roundtrip.
+//
+// Stripe-Event-Fixtures sind hier minimale Stripe-payloads die nur
+// die Felder enthalten die der Plugin tatsächlich liest. Real Stripe-
+// events sind >100 Felder; full-fidelity-fixtures wären Maintenance-
+// Aufwand ohne Test-Wert.
+import {
+  SubscriptionEventTypes,
+  SubscriptionStatuses,
+} from "@cosmicdrift/kumiko-bundled-features/billing-foundation";
+import Stripe from "stripe";
+import { describe, expect, test } from "vitest";
+import {
+  mapStripeEventType,
+  mapStripeStatus,
+  verifyAndParseStripeWebhook,
+} from "../verify-webhook";
+const TEST_SECRET = "whsec_test_secret_12345";
+const TEST_API_KEY = "sk_test_dummy_apikey";
+// =============================================================================
+// Test-helpers
+// =============================================================================
+const stripeForFixtures = new Stripe(TEST_API_KEY, { apiVersion: "2026-04-22.dahlia" });
+function buildSubscriptionEvent(overrides: {
+  eventType?: string;
+  eventId?: string;
+  tenantId?: string;
+  status?: string;
+  priceId?: string;
+  customerId?: string;
+  subscriptionId?: string;
+  currentPeriodEndUnix?: number;
+}) {
+  const eventId = overrides.eventId ?? "evt_test_001";
+  const eventType = overrides.eventType ?? "customer.subscription.created";
+  const subscriptionId = overrides.subscriptionId ?? "sub_test_001";
+  const customerId = overrides.customerId ?? "cus_test_001";
+  const periodEnd = overrides.currentPeriodEndUnix ?? 1_780_000_000;
+  return {
+    id: eventId,
+    object: "event",
+    api_version: "2026-04-22.dahlia",
+    created: 1_770_000_000,
+    type: eventType,
+    livemode: false,
+    pending_webhooks: 1,
+    request: { id: null, idempotency_key: null },
+    data: {
+      object: {
+        id: subscriptionId,
+        object: "subscription",
+        customer: customerId,
+        status: overrides.status ?? "active",
+        metadata: {
+          tenantId: overrides.tenantId ?? "tenant-test-1",
+        },
+        items: {
+          object: "list",
+          data: [
+            {
+              id: "si_test",
+              object: "subscription_item",
+              current_period_end: periodEnd,
+              price: {
+                id: overrides.priceId ?? "price_pro_monthly",
+                object: "price",
+              },
+            },
+          ],
+          has_more: false,
+        },
+      },
+    },
+  };
+}
+/** Erstellt einen valid Stripe-signed-Header für ein gegebenes payload. */
+function signEvent(payload: string, secret = TEST_SECRET): string {
+  return stripeForFixtures.webhooks.generateTestHeaderString({
+    payload,
+    secret,
+  });
+}
+// =============================================================================
+// Sig-verify
+// =============================================================================
+describe("verifyAndParseStripeWebhook — sig-verify", () => {
+  const verify = verifyAndParseStripeWebhook(stripeForFixtures, {
+    webhookSecret: TEST_SECRET,
+    priceToTier: { price_pro_monthly: "pro" },
+  });
+  test("happy path: valid sig + bekannter event-type → SubscriptionEvent", async () => {
+    const payload = JSON.stringify(buildSubscriptionEvent({}));
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event).not.toBeNull();
+    expect(event?.providerName).toBe("stripe");
+    expect(event?.providerEventId).toBe("evt_test_001");
+    expect(event?.type).toBe(SubscriptionEventTypes.created);
+    expect(event?.tenantId).toBe("tenant-test-1");
+    expect(event?.tier).toBe("pro");
+  });
+  test("missing stripe-signature header → throws", async () => {
+    const payload = JSON.stringify(buildSubscriptionEvent({}));
+    await expect(verify(payload, {})).rejects.toThrow(/stripe-signature header missing/);
+  });
+  test("wrong secret → sig-verify failed → throws", async () => {
+    const payload = JSON.stringify(buildSubscriptionEvent({}));
+    const sig = signEvent(payload, "whsec_wrong_secret");
+    await expect(verify(payload, { "stripe-signature": sig })).rejects.toThrow(
+      /signature verify failed/,
+    );
+  });
+  test("modified body → sig-verify failed (Replay-Protection)", async () => {
+    const original = JSON.stringify(buildSubscriptionEvent({}));
+    const sig = signEvent(original);
+    // Tamper with body — Stripe-sig matched die exakten bytes.
+    const tampered = original.replace("tenant-test-1", "tenant-attacker");
+    await expect(verify(tampered, { "stripe-signature": sig })).rejects.toThrow(
+      /signature verify failed/,
+    );
+  });
+});
+// =============================================================================
+// Event-filter + payload-extraction
+// =============================================================================
+describe("verifyAndParseStripeWebhook — event-filter", () => {
+  const verify = verifyAndParseStripeWebhook(stripeForFixtures, {
+    webhookSecret: TEST_SECRET,
+    priceToTier: { price_pro_monthly: "pro" },
+  });
+  test("unbekannter event-type → null (foundation 200 ignored)", async () => {
+    // customer.created ist gültiger Stripe-event aber nicht in unserer
+    // 5-types-Whitelist.
+    const payload = JSON.stringify(buildSubscriptionEvent({ eventType: "customer.created" }));
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event).toBeNull();
+  });
+  test("subscription.updated → SubscriptionEventTypes.updated", async () => {
+    const payload = JSON.stringify(
+      buildSubscriptionEvent({ eventType: "customer.subscription.updated" }),
+    );
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event?.type).toBe(SubscriptionEventTypes.updated);
+  });
+  test("subscription.deleted → SubscriptionEventTypes.canceled", async () => {
+    const payload = JSON.stringify(
+      buildSubscriptionEvent({
+        eventType: "customer.subscription.deleted",
+        status: "canceled",
+      }),
+    );
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event?.type).toBe(SubscriptionEventTypes.canceled);
+    expect(event?.status).toBe(SubscriptionStatuses.canceled);
+  });
+  test("invoice-event ohne subscription-reference → null (one-shot-invoice)", async () => {
+    // Drift-Pin: Stripe one-shot-invoice (nicht recurring). Plugin
+    // versucht NICHT zu lazy-fetchen weil's keine sub-id zum fetchen
+    // gibt. Foundation 200 ignored.
+    const ev = {
+      id: "evt_invoice_oneshot",
+      object: "event",
+      api_version: "2026-04-22.dahlia",
+      created: 1_770_000_000,
+      type: "invoice.paid",
+      livemode: false,
+      pending_webhooks: 1,
+      request: { id: null, idempotency_key: null },
+      data: {
+        object: {
+          id: "in_001",
+          object: "invoice",
+          subscription: null,
+        },
+      },
+    };
+    const payload = JSON.stringify(ev);
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event).toBeNull();
+  });
+});
+// =============================================================================
+// Tenant-resolution + price-to-tier
+// =============================================================================
+describe("verifyAndParseStripeWebhook — tenant-resolution + price-to-tier", () => {
+  const verify = verifyAndParseStripeWebhook(stripeForFixtures, {
+    webhookSecret: TEST_SECRET,
+    priceToTier: { price_pro_monthly: "pro", price_business_yearly: "business" },
+  });
+  test("metadata.tenantId fehlt → null (App-Owner-Bug, foundation 200 ignored)", async () => {
+    const ev = buildSubscriptionEvent({});
+    // @ts-expect-error — entferne metadata für Test
+    ev.data.object.metadata = {};
+    const payload = JSON.stringify(ev);
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event).toBeNull();
+  });
+  test("price-id im Mapping → korrekter tier-Wert", async () => {
+    const payload = JSON.stringify(buildSubscriptionEvent({ priceId: "price_business_yearly" }));
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event?.tier).toBe("business");
+  });
+  test("price-id NICHT im Mapping → null", async () => {
+    const payload = JSON.stringify(buildSubscriptionEvent({ priceId: "price_unknown_xyz" }));
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    expect(event).toBeNull();
+  });
+  test("currentPeriodEnd wird aus subscription.items[0].current_period_end (Unix-sec) zu ISO konvertiert", async () => {
+    const periodEndUnix = 1_780_000_000;
+    const payload = JSON.stringify(buildSubscriptionEvent({ currentPeriodEndUnix: periodEndUnix }));
+    const sig = signEvent(payload);
+    const event = await verify(payload, { "stripe-signature": sig });
+    // 1_780_000_000 sec = 2026-05-28T20:26:40Z (in ms: 1.78e12)
+    // Temporal.Instant.toString() droppt Trailing-Zeros — keine .000Z
+    expect(event?.currentPeriodEnd).toBe("2026-05-28T20:26:40Z");
+  });
+});
+// =============================================================================
+// Mapping-helpers (pure functions, kein Stripe-mock nötig)
+// =============================================================================
+describe("mapStripeEventType — drift-pin pro mapping", () => {
+  test("alle 5 Stripe-event-types → SubscriptionEventTypes", () => {
+    expect(mapStripeEventType("customer.subscription.created")).toBe(
+      SubscriptionEventTypes.created,
+    );
+    expect(mapStripeEventType("customer.subscription.updated")).toBe(
+      SubscriptionEventTypes.updated,
+    );
+    expect(mapStripeEventType("customer.subscription.deleted")).toBe(
+      SubscriptionEventTypes.canceled,
+    );
+    expect(mapStripeEventType("invoice.paid")).toBe(SubscriptionEventTypes.invoicePaid);
+    expect(mapStripeEventType("invoice.payment_failed")).toBe(
+      SubscriptionEventTypes.invoicePaymentFailed,
+    );
+  });
+  test("alles andere → null", () => {
+    expect(mapStripeEventType("customer.created")).toBeNull();
+    expect(mapStripeEventType("checkout.session.completed")).toBeNull();
+    expect(mapStripeEventType("ping")).toBeNull();
+  });
+});
+describe("mapStripeStatus — Stripe-status → normalized", () => {
+  test("active/trialing direkt", () => {
+    expect(mapStripeStatus("active")).toBe(SubscriptionStatuses.active);
+    expect(mapStripeStatus("trialing")).toBe(SubscriptionStatuses.trialing);
+  });
+  test("past_due / unpaid / paused → past_due (= grace-period im Plattform-Tier)", () => {
+    // Drift-Pin: alle drei Stripe-grace-Status werden auf den einen
+    // normalisierten "past_due"-Status mapped. Wenn Stripe einen vierten
+    // grace-Status einführt müssen wir den explizit hinzufügen statt
+    // auf "incomplete" fallback'n (= würde tenant downgraden).
+    expect(mapStripeStatus("past_due")).toBe(SubscriptionStatuses.pastDue);
+    expect(mapStripeStatus("unpaid")).toBe(SubscriptionStatuses.pastDue);
+    expect(mapStripeStatus("paused")).toBe(SubscriptionStatuses.pastDue);
+  });
+  test("canceled → canceled", () => {
+    expect(mapStripeStatus("canceled")).toBe(SubscriptionStatuses.canceled);
+  });
+  test("incomplete / incomplete_expired → incomplete", () => {
+    expect(mapStripeStatus("incomplete")).toBe(SubscriptionStatuses.incomplete);
+    expect(mapStripeStatus("incomplete_expired")).toBe(SubscriptionStatuses.incomplete);
+  });
+});

package/src/subscription-stripe/constants.ts ADDED Viewed

@@ -0,0 +1,20 @@
+// Feature name
+export const SUBSCRIPTION_STRIPE_FEATURE = "subscription-stripe" as const;
+// entityName under den der Plugin gegen "subscriptionProvider"
+// registriert. Matcht den path-segment in der webhook-URL
+// `/api/subscription/webhook/stripe`.
+export const STRIPE_PROVIDER_NAME = "stripe" as const;
+// =============================================================================
+// Stripe-event-types die wir auf normalisierte SubscriptionEventTypes
+// mappen. Stripe hat ~80 event-types insgesamt; wir filtern auf 5.
+// =============================================================================
+export const StripeEventTypes = {
+  customerSubscriptionCreated: "customer.subscription.created",
+  customerSubscriptionUpdated: "customer.subscription.updated",
+  customerSubscriptionDeleted: "customer.subscription.deleted",
+  invoicePaid: "invoice.paid",
+  invoicePaymentFailed: "invoice.payment_failed",
+} as const;