@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/tenant/__tests__/tenant.integration.ts

@@ -0,0 +1,347 @@
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider, type DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createEntityTable,
+  createTestUser,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { expectErrorIncludes, rolesOf } from "@cosmicdrift/kumiko-framework/testing";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createConfigAccessor, createConfigFeature } from "../../config";
+import { ConfigHandlers, ConfigQueries } from "../../config/constants";
+import { type ConfigResolver, createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { TenantHandlers, TenantQueries } from "../constants";
+import { createTenantFeature } from "../feature";
+import { tenantEntity } from "../schema/tenant";
+
+// --- Setup ---
+
+let stack: TestStack;
+let db: DbConnection;
+let resolver: ConfigResolver;
+
+const systemAdmin = TestUsers.systemAdmin;
+const tenantAdmin = createTestUser({ id: 2 });
+
+const configFeature = createConfigFeature();
+const tenantFeature = createTenantFeature();
+const testEncryptionKey = randomBytes(32).toString("base64");
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(testEncryptionKey);
+  resolver = createConfigResolver({ encryption });
+
+  stack = await setupTestStack({
+    features: [configFeature, tenantFeature],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+  });
+  db = stack.db;
+
+  await createEntityTable(db, tenantEntity);
+  await pushTables(db, { configValuesTable });
+  await createEventsTable(db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+// --- Scenario 1: SystemAdmin erstellt Tenant ---
+
+describe("scenario 1: tenant.create", () => {
+  test("SystemAdmin can create a tenant", async () => {
+    // Explicit id so the following scenarios (tenant.me, update, disable) run
+    // against THIS tenant — systemAdmin.tenantId is a fixed UUID in tests.
+    const data = await stack.http.writeOk(
+      TenantHandlers.create,
+      { id: systemAdmin.tenantId, key: "acme", name: "ACME Corp" },
+      systemAdmin,
+    );
+    expect(data!["data"]).toMatchObject({
+      key: "acme",
+      name: "ACME Corp",
+      isEnabled: true,
+    });
+    expect(data!["isNew"]).toBe(true);
+  });
+
+  test("normal User cannot create a tenant", async () => {
+    const error = await stack.http.writeErr(
+      TenantHandlers.create,
+      { key: "hacked", name: "Hacked" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+});
+
+// --- Scenario 2: tenant.me ---
+
+describe("scenario 2: tenant.me", () => {
+  test("returns the current user's tenant", async () => {
+    const tenant = await stack.http.queryOk<Record<string, unknown>>(
+      TenantQueries.me,
+      {},
+      systemAdmin,
+    );
+    expect(tenant["key"]).toBe("acme");
+    expect(tenant["name"]).toBe("ACME Corp");
+  });
+
+  test("returns null for non-existent tenant", async () => {
+    const otherUser = createTestUser({ id: 99, tenantId: "00000000-0000-4000-8000-000000000999" });
+    const result = await stack.http.queryOk(TenantQueries.me, {}, otherUser);
+    expect(result).toBeNull();
+  });
+});
+
+// --- Scenario 3: Admin updates Tenant-Stammdaten ---
+
+describe("scenario 3: tenant.update", () => {
+  test("Admin can update tenant name", async () => {
+    const me = await stack.http.queryOk<Record<string, unknown>>(TenantQueries.me, {}, systemAdmin);
+    const tenantId = me["id"] as string;
+
+    const data = await stack.http.writeOk(
+      TenantHandlers.update,
+      { id: tenantId, changes: { name: "ACME Corporation" }, version: 1 },
+      tenantAdmin,
+    );
+    expect(data!["data"]).toMatchObject({
+      name: "ACME Corporation",
+    });
+    expect(data!["changes"]).toEqual({ name: "ACME Corporation" });
+    expect(data!["isNew"]).toBe(false);
+  });
+
+  test("update handler requires Admin or SystemAdmin role", async () => {
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.update)?.access)).toEqual([
+      "Admin",
+      "SystemAdmin",
+    ]);
+  });
+});
+
+// --- Scenario 4: SystemAdmin disables Tenant ---
+
+describe("scenario 4: tenant.disable", () => {
+  test("SystemAdmin can disable a tenant", async () => {
+    const me = await stack.http.queryOk<Record<string, unknown>>(TenantQueries.me, {}, systemAdmin);
+    const tenantId = me["id"] as string;
+
+    const data = await stack.http.writeOk(TenantHandlers.disable, { id: tenantId }, systemAdmin);
+    expect(data!["data"]).toMatchObject({
+      isEnabled: false,
+    });
+  });
+
+  test("disable handler requires SystemAdmin role", async () => {
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.disable)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+  });
+});
+
+// --- Scenario 5: tenant.list ---
+
+describe("scenario 5: tenant.list", () => {
+  test("returns all tenants", async () => {
+    await stack.http.writeOk(TenantHandlers.create, { key: "beta", name: "Beta Inc" }, systemAdmin);
+
+    const result = await stack.http.queryOk<{
+      rows: Record<string, unknown>[];
+      nextCursor: string | null;
+    }>(TenantQueries.list, {}, systemAdmin);
+
+    expect(result.rows.length).toBeGreaterThanOrEqual(2);
+    const keys = result.rows.map((r) => r["key"]);
+    expect(keys).toContain("acme");
+    expect(keys).toContain("beta");
+  });
+
+  test("list handler requires SystemAdmin role", async () => {
+    expect(rolesOf(stack.registry.getQueryHandler(TenantQueries.list)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+  });
+});
+
+// --- Scenario 6: Config integration ---
+
+describe("scenario 6: config integration with tenant", () => {
+  test("SystemAdmin sets smtpHost for tenant", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "tenant:config:smtp-host", value: "smtp.acme.com" },
+      systemAdmin,
+    );
+
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      systemAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:smtp-host")).toBe("smtp.acme.com");
+  });
+
+  test("Admin cannot set smtpHost (only SystemAdmin)", async () => {
+    const error = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "tenant:config:smtp-host", value: "smtp.hacked.com" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+
+  test("smtpPass is encrypted and accessible via ctx.config()", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "tenant:config:smtp-pass", value: "super-secret-pw" },
+      systemAdmin,
+    );
+
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      systemAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:smtp-pass")).toBe("super-secret-pw");
+
+    // Admin cannot see smtpPass in config.values (no read access)
+    const values = await stack.http.queryOk<Record<string, unknown>>(
+      ConfigQueries.values,
+      {},
+      tenantAdmin,
+    );
+    expect(values["tenant:config:smtp-pass"]).toBeUndefined();
+  });
+
+  test("maxUsers is system-only, returns default 50", async () => {
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      tenantAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:max-users")).toBe(50);
+  });
+
+  test("maxUsers cannot be set by Admin (system-only)", async () => {
+    const error = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "tenant:config:max-users", value: 100 },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "config_key_is_system_only");
+  });
+
+  test("maxUsers cannot be set by SystemAdmin either (system-only)", async () => {
+    const error = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "tenant:config:max-users", value: 100 },
+      systemAdmin,
+    );
+    expectErrorIncludes(error, "config_key_is_system_only");
+  });
+
+  test("companyName: Tenant-Admin sets, all read", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "tenant:config:company-name", value: "ACME GmbH" },
+      tenantAdmin,
+    );
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      tenantAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:company-name")).toBe("ACME GmbH");
+  });
+
+  test("locale: select with valid option succeeds, invalid option rejected", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "tenant:config:locale", value: "fr" },
+      tenantAdmin,
+    );
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      tenantAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:locale")).toBe("fr");
+
+    const invalid = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "tenant:config:locale", value: "klingon" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(invalid, "invalid_option");
+  });
+
+  test("timezone: defaults to Europe/Berlin when unset", async () => {
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      tenantAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:timezone")).toBe("Europe/Berlin");
+  });
+
+  test("priceModel: system-only, defaults to basic, Admin cannot override", async () => {
+    const configFn = createConfigAccessor(
+      stack.registry,
+      resolver,
+      "00000000-0000-4000-8000-000000000001",
+      tenantAdmin.id,
+      db,
+    );
+    expect(await configFn("tenant:config:price-model")).toBe("basic");
+
+    const error = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "tenant:config:price-model", value: "pro" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "config_key_is_system_only");
+  });
+});
+
+// --- Scenario 7: Access denial ---
+
+describe("scenario 7: access rules on handlers", () => {
+  test("all handlers have correct access rules", async () => {
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.create)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.update)?.access)).toEqual([
+      "Admin",
+      "SystemAdmin",
+    ]);
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.disable)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+    expect(rolesOf(stack.registry.getQueryHandler(TenantQueries.list)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+    expect(stack.registry.getQueryHandler(TenantQueries.me)?.access).toEqual({
+      openToAll: true,
+    });
+  });
+});

package/src/tenant/command-schemas.ts

@@ -0,0 +1,37 @@
+// Command-input schemas for the tenant write handlers, re-exposed for
+// external consumers — primarily migration mappers that need to write events
+// directly into core streams via `eventStore.appendRaw` (Marten-bypass) and
+// must validate their payloads against the exact handler contract.
+//
+// IMPORTANT — schema vs. event payload:
+//   The schema below describes the **command input** (what `dispatch()` accepts).
+//   The actual event payload that lands in the `events` table is derived from
+//   it by the CrudExecutor (see `db/event-store-executor.ts`):
+//     - `tenant.created` payload   = command minus the optional `id` field,
+//                                    `applyDefaults` applied, sensitive fields
+//                                    stripped, compound types flattened
+//                                    (locatedTimestamp → 2 cols, money → cents).
+//     - `tenant.updated` payload   = `{ changes, previous, version }` (different shape)
+//     - `tenant.archived/disabled` = `{ previous }`
+//
+//   Migration mappers writing `tenant.created` directly via `appendRaw` MUST
+//   replicate strip-id themselves — `aggregateId` lives on the event row, not
+//   in `payload`. Tenant + user have no compound types or sensitive fields
+//   today, but new fields could change that — keep the executor as the
+//   reference if the mapper output ever diverges from a replayed read-model.
+
+import { addMemberWrite } from "./handlers/add-member.write";
+import { createWrite } from "./handlers/create.write";
+import { disableWrite } from "./handlers/disable.write";
+import { removeMemberWrite } from "./handlers/remove-member.write";
+import { updateWrite } from "./handlers/update.write";
+import { updateMemberRolesWrite } from "./handlers/update-member-roles.write";
+
+export const TenantCommandSchemas = {
+  create: createWrite.schema,
+  update: updateWrite.schema,
+  disable: disableWrite.schema,
+  addMember: addMemberWrite.schema,
+  removeMember: removeMemberWrite.schema,
+  updateMemberRoles: updateMemberRolesWrite.schema,
+} as const;

package/src/tenant/constants.ts

@@ -0,0 +1,37 @@
+// @runtime client
+// Pure string-Konstanten — `@runtime client` damit auch Browser-Code
+// (Members-Screen) sie importieren kann (siehe auth-email-password/
+// constants.ts für die Begründung). Runtime importiert client → server
+// kann sie weiter nutzen.
+
+// Feature name
+export const TENANT_FEATURE = "tenant" as const;
+
+// Qualified write handler names (QN format: scope:type:name)
+export const TenantHandlers = {
+  create: "tenant:write:create",
+  update: "tenant:write:update",
+  disable: "tenant:write:disable",
+  addMember: "tenant:write:add-member",
+  removeMember: "tenant:write:remove-member",
+  updateMemberRoles: "tenant:write:update-member-roles",
+  cancelInvitation: "tenant:write:cancel-invitation",
+} as const;
+
+// Qualified query handler names (QN format: scope:type:name)
+export const TenantQueries = {
+  me: "tenant:query:me",
+  list: "tenant:query:list",
+  memberships: "tenant:query:memberships",
+  members: "tenant:query:members",
+  activeTenantIds: "tenant:query:active-tenant-ids",
+  resolveUserIds: "tenant:query:resolve-user-ids",
+  // Pending Invitations für den aktuellen Tenant (Admin-UI-Liste).
+  invitations: "tenant:query:invitations",
+} as const;
+
+// Error codes
+export const TenantErrors = {
+  membershipNotFound: "membership_not_found",
+  membershipAlreadyExists: "membership_already_exists",
+} as const;

package/src/tenant/feature.ts

@@ -0,0 +1,109 @@
+import {
+  access,
+  createSystemConfig,
+  createTenantConfig,
+  defineFeature,
+  type FeatureDefinition,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { activeTenantIdsQuery } from "./handlers/active-tenant-ids.query";
+import { addMemberWrite } from "./handlers/add-member.write";
+import { cancelInvitationWrite } from "./handlers/cancel-invitation.write";
+import { createWrite } from "./handlers/create.write";
+import { disableWrite } from "./handlers/disable.write";
+import { invitationsQuery } from "./handlers/invitations.query";
+import { listQuery } from "./handlers/list.query";
+import { meQuery } from "./handlers/me.query";
+import { membersQuery } from "./handlers/members.query";
+import { membershipsQuery } from "./handlers/memberships.query";
+import { removeMemberWrite } from "./handlers/remove-member.write";
+import { resolveUserIdsQuery } from "./handlers/resolve-user-ids.query";
+import { updateWrite } from "./handlers/update.write";
+import { updateMemberRolesWrite } from "./handlers/update-member-roles.write";
+import { tenantInvitationEntity } from "./invitation-table";
+import { tenantMembershipEntity } from "./membership-table";
+import { tenantEntity } from "./schema/tenant";
+
+export { tenantEntity, tenantTable } from "./schema/tenant";
+
+// --- Feature ---
+
+export function createTenantFeature(): FeatureDefinition {
+  return defineFeature("tenant", (r) => {
+    r.systemScope();
+    r.requires("config");
+    r.entity("tenant", tenantEntity);
+    r.entity("tenant-membership", tenantMembershipEntity);
+    r.entity("tenant-invitation", tenantInvitationEntity);
+
+    r.config({
+      keys: {
+        // Stammdaten-Settings — Tenant-Admin darf ändern, alle dürfen lesen.
+        companyName: createTenantConfig("text", { default: "" }),
+        // Pragmatisch kuratierte Liste — IANA hat hunderte, hier die in der
+        // Praxis relevantesten. Erweiterung später wenn echter Bedarf.
+        timezone: createTenantConfig("select", {
+          default: "Europe/Berlin",
+          options: [
+            "UTC",
+            "Europe/Berlin",
+            "Europe/London",
+            "Europe/Paris",
+            "Europe/Madrid",
+            "Europe/Rome",
+            "America/New_York",
+            "America/Los_Angeles",
+            "America/Sao_Paulo",
+            "Asia/Tokyo",
+            "Asia/Singapore",
+            "Australia/Sydney",
+          ],
+        }),
+        locale: createTenantConfig("select", {
+          default: "de",
+          options: ["de", "en", "fr", "es"],
+        }),
+
+        // SMTP — nur SystemAdmin (Plattform-Operator) ändert; smtpPass ist
+        // verschlüsselt + nur für SystemAdmin lesbar.
+        smtpHost: createTenantConfig("text", { write: access.systemAdmin, read: access.admin }),
+        smtpPass: createTenantConfig("text", {
+          write: access.systemAdmin,
+          read: access.systemAdmin,
+          encrypted: true,
+        }),
+
+        // System-Settings — nur programmatisch (SYSTEM_USER) änderbar,
+        // Tenant-Admin sieht readonly.
+        priceModel: createSystemConfig("select", {
+          default: "basic",
+          options: ["basic", "pro", "enterprise"],
+        }),
+        maxUsers: createSystemConfig("number", { default: 50 }),
+      },
+    });
+
+    // Tenant CRUD
+    const handlers = {
+      create: r.writeHandler(createWrite),
+      update: r.writeHandler(updateWrite),
+      disable: r.writeHandler(disableWrite),
+      addMember: r.writeHandler(addMemberWrite),
+      removeMember: r.writeHandler(removeMemberWrite),
+      updateMemberRoles: r.writeHandler(updateMemberRolesWrite),
+      cancelInvitation: r.writeHandler(cancelInvitationWrite),
+    };
+
+    // Queries
+    const queries = {
+      me: r.queryHandler(meQuery),
+      list: r.queryHandler(listQuery),
+      memberships: r.queryHandler(membershipsQuery),
+      members: r.queryHandler(membersQuery),
+      activeTenantIds: r.queryHandler(activeTenantIdsQuery),
+      resolveUserIds: r.queryHandler(resolveUserIdsQuery),
+      invitations: r.queryHandler(invitationsQuery),
+    };
+
+    return { handlers, queries };
+  });
+}

package/src/tenant/handlers/active-tenant-ids.query.ts

@@ -0,0 +1,19 @@
+import type { DbRow } from "@cosmicdrift/kumiko-framework/db";
+import { defineQueryHandler, SYSTEM_ROLE } from "@cosmicdrift/kumiko-framework/engine";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { tenantTable } from "../schema/tenant";
+
+export const activeTenantIdsQuery = defineQueryHandler({
+  name: "activeTenantIds",
+  schema: z.object({}),
+  access: { roles: [SYSTEM_ROLE, "SystemAdmin"] },
+  handler: async (_query, ctx) => {
+    const rows = await ctx.db
+      ?.select({ id: tenantTable["id"] })
+      .from(tenantTable)
+      .where(eq(tenantTable["isEnabled"], true));
+
+    return rows.map((row) => (row as DbRow)["id"] as number);
+  },
+});

package/src/tenant/handlers/add-member.write.ts

@@ -0,0 +1,53 @@
+import { createEventStoreExecutor, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { ConflictError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { TenantErrors } from "../constants";
+import { tenantMembershipEntity, tenantMembershipsTable } from "../membership-table";
+
+const executor = createEventStoreExecutor(tenantMembershipsTable, tenantMembershipEntity, {
+  entityName: "tenant-membership",
+});
+
+export const addMemberWrite = defineWriteHandler({
+  name: "addMember",
+  schema: z.object({
+    userId: z.string(),
+    tenantId: z.string(),
+    roles: z.array(z.string()).min(1),
+  }),
+  access: { roles: ["SystemAdmin"] },
+  handler: async (event, ctx) => {
+    const db = ctx.db;
+    const existing = await fetchOne(
+      db,
+      tenantMembershipsTable,
+      eq(tenantMembershipsTable.userId, event.payload.userId),
+      eq(tenantMembershipsTable.tenantId, event.payload.tenantId),
+    );
+    if (existing) {
+      return writeFailure(
+        new ConflictError({
+          message: "membership already exists",
+          i18nKey: "tenant.errors.membershipAlreadyExists",
+          details: {
+            reason: TenantErrors.membershipAlreadyExists,
+            userId: event.payload.userId,
+            tenantId: event.payload.tenantId,
+          },
+        }),
+      );
+    }
+
+    return executor.create(
+      {
+        userId: event.payload.userId,
+        tenantId: event.payload.tenantId,
+        roles: JSON.stringify(event.payload.roles),
+      },
+      event.user,
+      db,
+    );
+  },
+});

package/src/tenant/handlers/cancel-invitation.write.ts

@@ -0,0 +1,87 @@
+// Cancel-Handler für pending Invitations.
+//
+// Admin sieht eine pending Invitation und entscheidet sie zurückzu-
+// nehmen (User soll doch nicht beitreten, falsche Email getippt etc.).
+// Effekt:
+//   - DB-row.status → "cancelled"
+//   - Token aus Redis gelöscht (gemerkt im invite-token-store)
+//
+// Idempotent: cancellen einer schon-cancelled / accepted / expired
+// invitation = no-op + 200. Cancellen einer non-existent invitation
+// = invitation_not_found.
+
+import { createEventStoreExecutor, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { NotFoundError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+// kumiko-lint-ignore cross-feature-import cancel needs invite-token-store für Redis-cleanup
+import {
+  deleteInviteToken,
+  getTokenForInvitation,
+} from "../../auth-email-password/invite-token-store";
+import {
+  INVITATION_STATUS,
+  tenantInvitationEntity,
+  tenantInvitationsTable,
+} from "../invitation-table";
+
+const CancelInvitationSchema = z.object({
+  invitationId: z.string(),
+});
+
+const executor = createEventStoreExecutor(tenantInvitationsTable, tenantInvitationEntity, {
+  entityName: "tenant-invitation",
+});
+
+export const cancelInvitationWrite = defineWriteHandler({
+  name: "cancel-invitation",
+  schema: CancelInvitationSchema,
+  access: { roles: ["Admin"] },
+  handler: async (event, ctx) => {
+    const invitation = await fetchOne(
+      ctx.db.raw,
+      tenantInvitationsTable,
+      eq(tenantInvitationsTable.id, event.payload.invitationId),
+    );
+    if (!invitation || invitation["tenantId"] !== event.user.tenantId) {
+      return writeFailure(
+        new NotFoundError("tenantInvitation", event.payload.invitationId, {
+          i18nKey: "tenant.errors.invitationNotFound",
+        }),
+      );
+    }
+
+    // Idempotent: schon !pending → no-op success.
+    if (invitation["status"] !== INVITATION_STATUS.pending) {
+      return { isSuccess: true, data: { id: event.payload.invitationId, alreadyDone: true } };
+    }
+
+    // Status update via event-store
+    const updateResult = await executor.update(
+      {
+        id: event.payload.invitationId,
+        version: invitation["version"] as number,
+        changes: { status: INVITATION_STATUS.cancelled },
+      },
+      event.user,
+      ctx.db,
+    );
+    if (!updateResult.isSuccess) return updateResult;
+
+    // Token aus Redis löschen (falls noch da). Wenn Redis nicht
+    // verfügbar oder Token schon expired: kein Problem, DB-row ist
+    // die Single-Source für UI.
+    if (ctx.redis) {
+      const token = await getTokenForInvitation(ctx.redis, event.payload.invitationId);
+      if (token) {
+        await deleteInviteToken(ctx.redis, {
+          invitationId: event.payload.invitationId,
+          token,
+        });
+      }
+    }
+
+    return { isSuccess: true, data: { id: event.payload.invitationId, alreadyDone: false } };
+  },
+});