npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/package.json +90 -0
package/src/audit/__tests__/audit.integration.ts +328 -0
package/src/audit/constants.ts +7 -0
package/src/audit/feature.ts +23 -0
package/src/audit/handlers/list.query.ts +98 -0
package/src/audit/index.ts +2 -0
package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts +149 -0
package/src/auth-email-password/__tests__/account-lockout.integration.ts +308 -0
package/src/auth-email-password/__tests__/auth-claims.integration.ts +512 -0
package/src/auth-email-password/__tests__/auth.integration.ts +610 -0
package/src/auth-email-password/__tests__/confirm-token-flow.test.ts +67 -0
package/src/auth-email-password/__tests__/email-templates.test.ts +106 -0
package/src/auth-email-password/__tests__/email-verification.integration.ts +327 -0
package/src/auth-email-password/__tests__/identity-v3-hash.test.ts +174 -0
package/src/auth-email-password/__tests__/identity-v3-login.integration.ts +150 -0
package/src/auth-email-password/__tests__/invite-flow.integration.ts +458 -0
package/src/auth-email-password/__tests__/multi-roles.integration.ts +256 -0
package/src/auth-email-password/__tests__/password-reset.integration.ts +346 -0
package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts +144 -0
package/src/auth-email-password/__tests__/seed-admin.integration.ts +176 -0
package/src/auth-email-password/__tests__/session-callbacks.integration.ts +310 -0
package/src/auth-email-password/__tests__/session-strict-mode.integration.ts +101 -0
package/src/auth-email-password/__tests__/signed-token.test.ts +78 -0
package/src/auth-email-password/__tests__/signup-flow.integration.ts +259 -0
package/src/auth-email-password/auth-user-row.ts +41 -0
package/src/auth-email-password/constants.ts +101 -0
package/src/auth-email-password/email-templates.ts +283 -0
package/src/auth-email-password/feature.ts +140 -0
package/src/auth-email-password/handlers/change-password.write.ts +58 -0
package/src/auth-email-password/handlers/confirm-token-flow.ts +191 -0
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +203 -0
package/src/auth-email-password/handlers/invite-accept.write.ts +189 -0
package/src/auth-email-password/handlers/invite-create.write.ts +145 -0
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +192 -0
package/src/auth-email-password/handlers/login.write.ts +208 -0
package/src/auth-email-password/handlers/logout.write.ts +12 -0
package/src/auth-email-password/handlers/request-email-verification.write.ts +29 -0
package/src/auth-email-password/handlers/request-password-reset.write.ts +31 -0
package/src/auth-email-password/handlers/reset-password.write.ts +61 -0
package/src/auth-email-password/handlers/signup-confirm.write.ts +170 -0
package/src/auth-email-password/handlers/signup-request.write.ts +104 -0
package/src/auth-email-password/handlers/token-request-handler.ts +114 -0
package/src/auth-email-password/handlers/verify-email.write.ts +62 -0
package/src/auth-email-password/i18n.ts +211 -0
package/src/auth-email-password/identity-v3-hash.ts +97 -0
package/src/auth-email-password/index.ts +35 -0
package/src/auth-email-password/invite-token-store.ts +92 -0
package/src/auth-email-password/lockout-store.ts +118 -0
package/src/auth-email-password/password-hashing.ts +43 -0
package/src/auth-email-password/reset-token.ts +28 -0
package/src/auth-email-password/seeding.ts +183 -0
package/src/auth-email-password/signed-token.ts +85 -0
package/src/auth-email-password/signup-token-store.ts +104 -0
package/src/auth-email-password/stream-tenant.ts +31 -0
package/src/auth-email-password/testing.ts +5 -0
package/src/auth-email-password/token-burn-store.ts +57 -0
package/src/auth-email-password/verification-token.ts +27 -0
package/src/auth-email-password/web/__tests__/auth-gate.test.tsx +51 -0
package/src/auth-email-password/web/__tests__/forgot-password-screen.test.tsx +80 -0
package/src/auth-email-password/web/__tests__/login-screen.test.tsx +94 -0
package/src/auth-email-password/web/__tests__/reset-password-screen.test.tsx +108 -0
package/src/auth-email-password/web/__tests__/session-roles.test.ts +54 -0
package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx +100 -0
package/src/auth-email-password/web/__tests__/test-utils.tsx +73 -0
package/src/auth-email-password/web/__tests__/user-menu.test.tsx +55 -0
package/src/auth-email-password/web/__tests__/verify-email-screen.test.tsx +59 -0
package/src/auth-email-password/web/auth-client.ts +350 -0
package/src/auth-email-password/web/auth-form-primitives.tsx +70 -0
package/src/auth-email-password/web/auth-gate.tsx +33 -0
package/src/auth-email-password/web/client-plugin.ts +48 -0
package/src/auth-email-password/web/default-topbar-actions.tsx +47 -0
package/src/auth-email-password/web/forgot-password-screen.tsx +110 -0
package/src/auth-email-password/web/index.ts +56 -0
package/src/auth-email-password/web/invite-accept-screen.tsx +220 -0
package/src/auth-email-password/web/login-screen.tsx +150 -0
package/src/auth-email-password/web/reset-password-screen.tsx +152 -0
package/src/auth-email-password/web/session.tsx +171 -0
package/src/auth-email-password/web/signup-complete-screen.tsx +150 -0
package/src/auth-email-password/web/signup-screen.tsx +130 -0
package/src/auth-email-password/web/tenant-switcher.tsx +116 -0
package/src/auth-email-password/web/use-shell-user.ts +34 -0
package/src/auth-email-password/web/user-menu.tsx +89 -0
package/src/auth-email-password/web/verify-email-screen.tsx +102 -0
package/src/billing-foundation/__tests__/billing-foundation.integration.ts +568 -0
package/src/billing-foundation/__tests__/feature.test.ts +110 -0
package/src/billing-foundation/__tests__/webhook-handler.test.ts +199 -0
package/src/billing-foundation/aggregate-id.ts +21 -0
package/src/billing-foundation/constants.ts +70 -0
package/src/billing-foundation/entities.ts +50 -0
package/src/billing-foundation/events.ts +71 -0
package/src/billing-foundation/feature.ts +122 -0
package/src/billing-foundation/get-subscription-for-tenant.ts +39 -0
package/src/billing-foundation/handlers/create-checkout-session.write.ts +79 -0
package/src/billing-foundation/handlers/create-portal-session.write.ts +73 -0
package/src/billing-foundation/handlers/list-subscriptions.query.ts +20 -0
package/src/billing-foundation/handlers/process-event.write.ts +160 -0
package/src/billing-foundation/index.ts +42 -0
package/src/billing-foundation/projection.ts +135 -0
package/src/billing-foundation/types.ts +157 -0
package/src/billing-foundation/webhook-handler.ts +184 -0
package/src/cap-counter/__tests__/cap-counter.integration.ts +566 -0
package/src/cap-counter/__tests__/enforce-cap.test.ts +422 -0
package/src/cap-counter/__tests__/with-cap-enforcement.integration.ts +265 -0
package/src/cap-counter/aggregate-id.ts +61 -0
package/src/cap-counter/constants.ts +32 -0
package/src/cap-counter/enforce-cap.ts +404 -0
package/src/cap-counter/entity.ts +48 -0
package/src/cap-counter/feature.ts +90 -0
package/src/cap-counter/handlers/get-counter.query.ts +43 -0
package/src/cap-counter/handlers/increment-rolling.write.ts +79 -0
package/src/cap-counter/handlers/increment.write.ts +92 -0
package/src/cap-counter/handlers/mark-soft-warned.write.ts +57 -0
package/src/cap-counter/index.ts +34 -0
package/src/cap-counter/with-cap-enforcement.ts +179 -0
package/src/channel-email/email-channel.ts +48 -0
package/src/channel-email/feature.ts +15 -0
package/src/channel-email/index.ts +4 -0
package/src/channel-email/smtp-transport.ts +65 -0
package/src/channel-email/types.ts +34 -0
package/src/channel-in-app/constants.ts +11 -0
package/src/channel-in-app/feature.ts +30 -0
package/src/channel-in-app/handlers/inbox.query.ts +28 -0
package/src/channel-in-app/handlers/mark-all-read.write.ts +21 -0
package/src/channel-in-app/handlers/mark-read.write.ts +32 -0
package/src/channel-in-app/handlers/unread-count.query.ts +20 -0
package/src/channel-in-app/in-app-channel.ts +44 -0
package/src/channel-in-app/index.ts +4 -0
package/src/channel-in-app/tables.ts +22 -0
package/src/channel-push/feature.ts +15 -0
package/src/channel-push/index.ts +3 -0
package/src/channel-push/push-channel.ts +33 -0
package/src/channel-push/types.ts +22 -0
package/src/config/__tests__/app-overrides.test.ts +118 -0
package/src/config/__tests__/config.integration.ts +1246 -0
package/src/config/constants.ts +23 -0
package/src/config/feature.ts +117 -0
package/src/config/handlers/__tests__/prepare-config-write.test.ts +209 -0
package/src/config/handlers/reset.write.ts +45 -0
package/src/config/handlers/schema.query.ts +22 -0
package/src/config/handlers/set.write.ts +93 -0
package/src/config/handlers/values.query.ts +43 -0
package/src/config/index.ts +15 -0
package/src/config/resolver.ts +283 -0
package/src/config/table.ts +35 -0
package/src/config/write-helpers.ts +268 -0
package/src/delivery/__tests__/delivery-events.integration.ts +166 -0
package/src/delivery/__tests__/delivery.integration.ts +1405 -0
package/src/delivery/constants.ts +33 -0
package/src/delivery/delivery-service.ts +489 -0
package/src/delivery/events.ts +18 -0
package/src/delivery/feature.ts +70 -0
package/src/delivery/handlers/log.query.ts +21 -0
package/src/delivery/handlers/preferences.query.ts +18 -0
package/src/delivery/handlers/set-preference.write.ts +28 -0
package/src/delivery/index.ts +35 -0
package/src/delivery/tables.ts +74 -0
package/src/delivery/testing.ts +47 -0
package/src/delivery/types.ts +71 -0
package/src/delivery/unsubscribe.ts +99 -0
package/src/delivery/upsert-preference.ts +145 -0
package/src/feature-toggles/__tests__/feature-toggles.integration.ts +687 -0
package/src/feature-toggles/constants.ts +20 -0
package/src/feature-toggles/events.ts +18 -0
package/src/feature-toggles/feature.ts +98 -0
package/src/feature-toggles/global-feature-state-table.ts +28 -0
package/src/feature-toggles/handlers/list.query.ts +26 -0
package/src/feature-toggles/handlers/registered.query.ts +56 -0
package/src/feature-toggles/handlers/set.write.ts +158 -0
package/src/feature-toggles/index.ts +9 -0
package/src/feature-toggles/toggle-runtime.ts +73 -0
package/src/file-foundation/__tests__/feature.test.ts +35 -0
package/src/file-foundation/__tests__/file-foundation.integration.ts +235 -0
package/src/file-foundation/feature.ts +123 -0
package/src/file-foundation/index.ts +7 -0
package/src/file-provider-inmemory/__tests__/feature.test.ts +35 -0
package/src/file-provider-inmemory/feature.ts +73 -0
package/src/file-provider-inmemory/index.ts +3 -0
package/src/file-provider-s3/__tests__/feature.test.ts +54 -0
package/src/file-provider-s3/feature.ts +169 -0
package/src/file-provider-s3/index.ts +3 -0
package/src/files-provider-s3/__tests__/env-helper.test.ts +161 -0
package/src/files-provider-s3/__tests__/s3-provider.integration.ts +134 -0
package/src/files-provider-s3/__tests__/s3-provider.test.ts +36 -0
package/src/files-provider-s3/env-helper.ts +49 -0
package/src/files-provider-s3/index.ts +3 -0
package/src/files-provider-s3/s3-provider.ts +114 -0
package/src/foundation-shared/config-helpers.ts +67 -0
package/src/foundation-shared/index.ts +4 -0
package/src/jobs/__tests__/job-system-user.integration.ts +194 -0
package/src/jobs/__tests__/jobs-events.integration.ts +143 -0
package/src/jobs/__tests__/jobs-feature.integration.ts +342 -0
package/src/jobs/constants.ts +21 -0
package/src/jobs/events.ts +39 -0
package/src/jobs/feature.ts +150 -0
package/src/jobs/handlers/detail.query.ts +30 -0
package/src/jobs/handlers/list.query.ts +36 -0
package/src/jobs/handlers/retry.write.ts +69 -0
package/src/jobs/handlers/trigger.write.ts +39 -0
package/src/jobs/index.ts +5 -0
package/src/jobs/job-run-logger.ts +213 -0
package/src/jobs/job-run-table.ts +55 -0
package/src/legal-pages/README.md +195 -0
package/src/legal-pages/__tests__/legal-pages.integration.ts +361 -0
package/src/legal-pages/constants.ts +36 -0
package/src/legal-pages/feature.ts +187 -0
package/src/legal-pages/index.ts +13 -0
package/src/legal-pages/markdown.ts +69 -0
package/src/mail-foundation/__tests__/feature.test.ts +46 -0
package/src/mail-foundation/__tests__/mail-foundation.integration.ts +247 -0
package/src/mail-foundation/feature.ts +160 -0
package/src/mail-foundation/index.ts +14 -0
package/src/mail-transport-inmemory/__tests__/feature.test.ts +37 -0
package/src/mail-transport-inmemory/feature.ts +90 -0
package/src/mail-transport-inmemory/index.ts +3 -0
package/src/mail-transport-smtp/__tests__/feature.test.ts +61 -0
package/src/mail-transport-smtp/feature.ts +182 -0
package/src/mail-transport-smtp/index.ts +3 -0
package/src/rate-limiting/__tests__/rate-limiting.integration.ts +84 -0
package/src/rate-limiting/constants.ts +9 -0
package/src/rate-limiting/feature.ts +16 -0
package/src/rate-limiting/handlers/status.query.ts +52 -0
package/src/rate-limiting/index.ts +2 -0
package/src/renderer-simple/__tests__/simple-renderer.test.ts +97 -0
package/src/renderer-simple/feature.ts +12 -0
package/src/renderer-simple/index.ts +2 -0
package/src/renderer-simple/simple-renderer.ts +72 -0
package/src/secrets/__tests__/rotate.integration.ts +176 -0
package/src/secrets/__tests__/secrets-events.integration.ts +125 -0
package/src/secrets/__tests__/secrets.integration.ts +118 -0
package/src/secrets/feature.ts +84 -0
package/src/secrets/handlers/delete.write.ts +20 -0
package/src/secrets/handlers/list.query.ts +38 -0
package/src/secrets/handlers/rotate.job.ts +193 -0
package/src/secrets/handlers/set.write.ts +50 -0
package/src/secrets/index.ts +16 -0
package/src/secrets/secrets-context.ts +296 -0
package/src/secrets/table.ts +68 -0
package/src/sessions/__tests__/cleanup.integration.ts +175 -0
package/src/sessions/__tests__/password-auto-revoke.integration.ts +202 -0
package/src/sessions/__tests__/sessions.integration.ts +472 -0
package/src/sessions/__tests__/test-helpers.ts +66 -0
package/src/sessions/constants.ts +43 -0
package/src/sessions/feature.ts +84 -0
package/src/sessions/handlers/cleanup.job.ts +109 -0
package/src/sessions/handlers/list.query.ts +35 -0
package/src/sessions/handlers/mine.query.ts +37 -0
package/src/sessions/handlers/revoke-all-others.write.ts +42 -0
package/src/sessions/handlers/revoke.write.ts +76 -0
package/src/sessions/index.ts +17 -0
package/src/sessions/schema/index.ts +5 -0
package/src/sessions/schema/user-session.ts +67 -0
package/src/sessions/session-callbacks.ts +110 -0
package/src/sessions/testing.ts +42 -0
package/src/subscription-mollie/__tests__/feature.test.ts +106 -0
package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts +421 -0
package/src/subscription-mollie/__tests__/verify-webhook.test.ts +388 -0
package/src/subscription-mollie/constants.ts +33 -0
package/src/subscription-mollie/feature.ts +144 -0
package/src/subscription-mollie/index.ts +13 -0
package/src/subscription-mollie/plugin-methods.ts +79 -0
package/src/subscription-mollie/verify-webhook.ts +244 -0
package/src/subscription-stripe/__tests__/feature.test.ts +98 -0
package/src/subscription-stripe/__tests__/plugin-methods.test.ts +161 -0
package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts +315 -0
package/src/subscription-stripe/__tests__/verify-webhook.test.ts +306 -0
package/src/subscription-stripe/constants.ts +20 -0
package/src/subscription-stripe/feature.ts +120 -0
package/src/subscription-stripe/index.ts +14 -0
package/src/subscription-stripe/plugin-methods.ts +91 -0
package/src/subscription-stripe/verify-webhook.ts +235 -0
package/src/tenant/__tests__/multi-tenant.integration.ts +278 -0
package/src/tenant/__tests__/seed-testing.integration.ts +229 -0
package/src/tenant/__tests__/tenant.integration.ts +347 -0
package/src/tenant/command-schemas.ts +37 -0
package/src/tenant/constants.ts +37 -0
package/src/tenant/feature.ts +109 -0
package/src/tenant/handlers/active-tenant-ids.query.ts +19 -0
package/src/tenant/handlers/add-member.write.ts +53 -0
package/src/tenant/handlers/cancel-invitation.write.ts +87 -0
package/src/tenant/handlers/create.write.ts +21 -0
package/src/tenant/handlers/disable.write.ts +18 -0
package/src/tenant/handlers/invitations.query.ts +31 -0
package/src/tenant/handlers/list.query.ts +17 -0
package/src/tenant/handlers/me.query.ts +17 -0
package/src/tenant/handlers/members.query.ts +22 -0
package/src/tenant/handlers/memberships.query.ts +24 -0
package/src/tenant/handlers/remove-member.write.ts +40 -0
package/src/tenant/handlers/resolve-user-ids.query.ts +43 -0
package/src/tenant/handlers/update-member-roles.write.ts +54 -0
package/src/tenant/handlers/update.write.ts +20 -0
package/src/tenant/index.ts +12 -0
package/src/tenant/invitation-table.ts +93 -0
package/src/tenant/membership-table.ts +35 -0
package/src/tenant/schema/index.ts +5 -0
package/src/tenant/schema/tenant.ts +27 -0
package/src/tenant/seeding.ts +155 -0
package/src/tenant/testing.ts +8 -0
package/src/text-content/README.md +190 -0
package/src/text-content/__tests__/text-content.integration.ts +415 -0
package/src/text-content/api.ts +92 -0
package/src/text-content/constants.ts +19 -0
package/src/text-content/feature.ts +29 -0
package/src/text-content/handlers/by-slug.query.ts +55 -0
package/src/text-content/handlers/set.write.ts +118 -0
package/src/text-content/index.ts +14 -0
package/src/text-content/seeding.ts +91 -0
package/src/text-content/table.ts +45 -0
package/src/tier-engine/__tests__/compose-app.test.ts +182 -0
package/src/tier-engine/__tests__/drift.test.ts +42 -0
package/src/tier-engine/__tests__/tier-engine.integration.ts +241 -0
package/src/tier-engine/aggregate-id.ts +27 -0
package/src/tier-engine/compose-app.ts +150 -0
package/src/tier-engine/constants.ts +15 -0
package/src/tier-engine/entity.ts +30 -0
package/src/tier-engine/feature.ts +72 -0
package/src/tier-engine/handlers/active-tier.query.ts +23 -0
package/src/tier-engine/index.ts +22 -0
package/src/user/__tests__/seed-testing.integration.ts +127 -0
package/src/user/__tests__/user.integration.ts +198 -0
package/src/user/command-schemas.ts +15 -0
package/src/user/constants.ts +23 -0
package/src/user/feature.ts +32 -0
package/src/user/handlers/create.write.ts +54 -0
package/src/user/handlers/detail.query.ts +9 -0
package/src/user/handlers/find-for-auth.query.ts +38 -0
package/src/user/handlers/list.query.ts +8 -0
package/src/user/handlers/me.query.ts +15 -0
package/src/user/handlers/update.write.ts +54 -0
package/src/user/index.ts +4 -0
package/src/user/schema/index.ts +5 -0
package/src/user/schema/user.ts +69 -0
package/src/user/seeding.ts +93 -0
package/src/user/testing.ts +5 -0

package/src/auth-email-password/__tests__/identity-v3-login.integration.ts ADDED Viewed

@@ -0,0 +1,150 @@
+// End-to-end: ein migrierter User mit ASP.NET-Identity-V3-passwordHash kann
+// sich über den normalen `auth-email-password.login`-Handler einloggen, ohne
+// vorher Password-Reset durchlaufen zu müssen.
+//
+// Das ist der Kern-Use-Case der BMC-Migration — Legacy-Hashes 1:1
+// übernommen, Login funktioniert weiter.
+import { pbkdf2Sync, randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/testing";
+import { UserHandlers } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+let stack: TestStack;
+const systemAdmin = TestUsers.systemAdmin;
+const encryptionKey = randomBytes(32).toString("base64");
+// Build a V3-format hash with the BMC profile (HMACSHA256, 10000 iter,
+// 16-byte salt). Mirrors the encoding in identity-v3-hash.test.ts — kept
+// inline so this integration test stands alone.
+function buildBmcStyleV3Hash(password: string, salt: Buffer): string {
+  const subkey = pbkdf2Sync(password, salt, 10_000, 32, "sha256");
+  const header = Buffer.alloc(13);
+  header.writeUInt8(0x01, 0); // V3 format marker
+  header.writeUInt32BE(1, 1); // PRF = HMACSHA256
+  header.writeUInt32BE(10_000, 5); // iterations
+  header.writeUInt32BE(salt.length, 9); // salt length
+  return Buffer.concat([header, salt, subkey]).toString("base64");
+}
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature(),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      loginErrorStatusMap: {
+        [AuthErrors.invalidCredentials]: 401,
+        [AuthErrors.noMembership]: 403,
+      },
+    },
+  });
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+});
+describe("Identity-V3 password-hash compatibility", () => {
+  test("legacy V3-hashed user can log in with the right password", async () => {
+    const password = "Migrated!Password-2025";
+    const salt = randomBytes(16);
+    const v3Hash = buildBmcStyleV3Hash(password, salt);
+    // Seed the migrated user with the legacy hash 1:1 — no rehash, no reset.
+    const tenantId = "00000000-0000-4000-8000-000000000099" as TenantId;
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      {
+        email: "alice@legacy.example",
+        passwordHash: v3Hash,
+        displayName: "Alice Migrated",
+      },
+      systemAdmin,
+    );
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId,
+      roles: ["User"],
+    });
+    // Login: same /api/auth/login route the BMC frontend will hit
+    // post-migration. Public route — no JWT, no authenticated caller.
+    const res = await stack.http.raw("POST", "/api/auth/login", {
+      email: "alice@legacy.example",
+      password,
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.isSuccess).toBe(true);
+    expect(body.user).toMatchObject({ id: created.id, tenantId });
+  });
+  test("legacy V3-hashed user is rejected with the wrong password", async () => {
+    const password = "right-password";
+    const salt = randomBytes(16);
+    const v3Hash = buildBmcStyleV3Hash(password, salt);
+    const tenantId = "00000000-0000-4000-8000-000000000098" as TenantId;
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      {
+        email: "bob@legacy.example",
+        passwordHash: v3Hash,
+        displayName: "Bob Migrated",
+      },
+      systemAdmin,
+    );
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId,
+      roles: ["User"],
+    });
+    const res = await stack.http.raw("POST", "/api/auth/login", {
+      email: "bob@legacy.example",
+      password: "wrong-password",
+    });
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
+  });
+});

package/src/auth-email-password/__tests__/invite-flow.integration.ts ADDED Viewed

@@ -0,0 +1,458 @@
+// Tenant-Invite-Flow Full-Stack Integration-Test. Spec für die 3
+// Accept-Branches via stack.http (echte HTTP-Routes durch).
+//
+// Setup:
+//   - Tenant-A mit Admin "alice@" als Admin-Member
+//   - Tenant-B mit User "bob@" als Member (für Branch 1: Bob ist
+//     eingeloggt in Tenant-B und akzeptiert ein Tenant-A-Invite)
+//   - "carol@" existiert NICHT (für Branch 3: neue Email)
+//
+// Flow pro Test:
+//   1. Admin invitet email → invite-create (Admin-Auth)
+//   2. Mail captured durch sendInviteEmail-callback
+//   3. Token aus Activation-URL extrahieren
+//   4. Branch-spezifischer Accept-Endpoint
+//   5. DB-State + Membership + Cookies/JWT verifizieren
+import {
+  createSystemUser,
+  type SessionUser,
+  SYSTEM_TENANT_ID,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { eq } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantInvitationEntity, tenantInvitationsTable } from "../../tenant/invitation-table";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity, tenantTable } from "../../tenant/schema/tenant";
+import { seedTenant, seedTenantMembership } from "../../tenant/seeding";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+import { hashPassword } from "../password-hashing";
+import { seedUser } from "../seeding";
+const APP_ACCEPT_URL = "https://app.example.com/invite/accept";
+const ALICE_EMAIL = "alice@example.com";
+const BOB_EMAIL = "bob@example.com";
+const CAROL_EMAIL = "carol@example.com";
+const BOB_PASSWORD = "bob-existing-pw-1234";
+const CAROL_PASSWORD = "carol-new-pw-1234";
+const capturedInviteEmails: Array<{
+  email: string;
+  inviteUrl: string;
+  expiresAt: string;
+  role: string;
+}> = [];
+let stack: TestStack;
+let aliceId: string;
+let bobId: string;
+// Pro Test frische Tenant-IDs damit der event-store-stream beim
+// db.delete-cleanup nicht mit version_conflict beim Re-seed feuert.
+let TENANT_A_ID: TenantId;
+let TENANT_B_ID: TenantId;
+function newTenantId(_suffix: string): TenantId {
+  // UUIDv4 + suffix für Lesbarkeit in Logs.
+  const rand = crypto.randomUUID();
+  return rand as TenantId;
+}
+const GUEST: SessionUser = {
+  id: "00000000-0000-0000-0000-000000000000",
+  tenantId: SYSTEM_TENANT_ID,
+  roles: ["all"],
+};
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature({
+        invite: { tokenTtlMinutes: 60 },
+      }),
+    ],
+    extraContext: { configResolver: createConfigResolver() },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      invite: {
+        acceptHandler: AuthHandlers.inviteAccept,
+        acceptWithLoginHandler: AuthHandlers.inviteAcceptWithLogin,
+        signupCompleteHandler: AuthHandlers.inviteSignupComplete,
+        appAcceptUrl: APP_ACCEPT_URL,
+        sendInviteEmail: async (args) => {
+          capturedInviteEmails.push(args);
+        },
+      },
+    },
+  });
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await createEntityTable(stack.db, tenantInvitationEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.delete(tenantInvitationsTable);
+  await stack.db.delete(tenantTable);
+  capturedInviteEmails.length = 0;
+  const allKeys = await stack.redis.redis.keys("invite:*");
+  if (allKeys.length > 0) await stack.redis.redis.del(...allKeys);
+  // Pro Test frische Tenant-IDs + tenant.key (sonst unique-violation
+  // auf read_tenants_key_unique beim 2. Run).
+  TENANT_A_ID = newTenantId("a");
+  TENANT_B_ID = newTenantId("b");
+  await seedTenant(stack.db, {
+    id: TENANT_A_ID,
+    key: `tenant-a-${TENANT_A_ID.slice(0, 8)}`,
+    name: "Tenant A",
+  });
+  await seedTenant(stack.db, {
+    id: TENANT_B_ID,
+    key: `tenant-b-${TENANT_B_ID.slice(0, 8)}`,
+    name: "Tenant B",
+  });
+  // Alice = Admin von Tenant-A
+  aliceId = await seedUser(stack.db, {
+    email: ALICE_EMAIL,
+    displayName: "Alice",
+    passwordHash: await hashPassword("alice-pw-1234"),
+    emailVerified: true,
+  });
+  await seedTenantMembership(stack.db, {
+    userId: aliceId,
+    tenantId: TENANT_A_ID,
+    roles: ["Admin"],
+  });
+  // Bob = Member von Tenant-B (für Branch 1 + 2 tests)
+  bobId = await seedUser(stack.db, {
+    email: BOB_EMAIL,
+    displayName: "Bob",
+    passwordHash: await hashPassword(BOB_PASSWORD),
+    emailVerified: true,
+  });
+  await seedTenantMembership(stack.db, {
+    userId: bobId,
+    tenantId: TENANT_B_ID,
+    roles: ["User"],
+  });
+});
+function aliceSession(): SessionUser {
+  return { id: aliceId, tenantId: TENANT_A_ID, roles: ["Admin"] };
+}
+function bobSession(): SessionUser {
+  return { id: bobId, tenantId: TENANT_B_ID, roles: ["User"] };
+}
+async function authedRaw(
+  method: string,
+  path: string,
+  body: unknown,
+  user: SessionUser,
+): Promise<Response> {
+  const token = await stack.jwt.sign(user);
+  return stack.http.raw(method, path, body, { Authorization: `Bearer ${token}` });
+}
+async function inviteEmail(email: string, role: string): Promise<string> {
+  // invite-create geht via /api/write (Admin-Auth via JWT). Token kommt
+  // direkt aus dem handler-result; sendInviteEmail-callback ist die
+  // optionale Mail-Side, die in production-Setups separat von der
+  // Sample-App aufgerufen wird (NICHT framework-route — invite-create
+  // ist Admin-only und somit kein Magic-Link-Pattern wie signup-request).
+  const result = (await stack.http.writeOk(
+    AuthHandlers.inviteCreate,
+    { email, role },
+    aliceSession(),
+  )) as { token: string };
+  return result.token;
+}
+describe("invite-create", () => {
+  test("Admin invitet → invitation row + token in result", async () => {
+    const result = (await stack.http.writeOk(
+      AuthHandlers.inviteCreate,
+      { email: BOB_EMAIL, role: "Admin" },
+      aliceSession(),
+    )) as { invitationId: string; email: string; role: string; token: string };
+    expect(result.email).toBe(BOB_EMAIL);
+    expect(result.role).toBe("Admin");
+    expect(result.token).toBeTruthy();
+    expect(result.token.length).toBeGreaterThanOrEqual(16);
+    const rows = await stack.db
+      .select()
+      .from(tenantInvitationsTable)
+      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.["status"]).toBe("pending");
+    expect(rows[0]?.["role"]).toBe("Admin");
+    expect(rows[0]?.["tenantId"]).toBe(TENANT_A_ID);
+  });
+  test("Resend: zweiter invite für selbe email → existing row updated, gleicher token", async () => {
+    const firstToken = await inviteEmail(BOB_EMAIL, "Admin");
+    const secondToken = await inviteEmail(BOB_EMAIL, "Editor");
+    expect(secondToken).toBe(firstToken);
+    // Eine Row, role updated
+    const rows = await stack.db
+      .select()
+      .from(tenantInvitationsTable)
+      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.["role"]).toBe("Editor");
+  });
+});
+describe("invite-accept (Branch 1: logged-in)", () => {
+  test("Bob (logged-in in Tenant-B) accepts Tenant-A invite → membership added", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Admin");
+    const result = (await stack.http.writeOk(
+      AuthHandlers.inviteAccept,
+      { token },
+      bobSession(),
+    )) as { tenantId: string; role: string; alreadyMember: boolean };
+    expect(result.tenantId).toBe(TENANT_A_ID);
+    expect(result.role).toBe("Admin");
+    expect(result.alreadyMember).toBe(false);
+    // Bob hat jetzt 2 Memberships
+    const memberships = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(eq(tenantMembershipsTable.userId, bobId));
+    expect(memberships).toHaveLength(2);
+    const tenantIds = memberships.map((m) => m["tenantId"]).sort();
+    expect(tenantIds).toEqual([TENANT_A_ID, TENANT_B_ID].sort());
+    // Invitation status = accepted
+    const inv = await stack.db
+      .select()
+      .from(tenantInvitationsTable)
+      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    expect(inv[0]?.["status"]).toBe("accepted");
+  });
+  test("Email-Mismatch: Bob klickt Carol's Invite-Link → inviteEmailMismatch", async () => {
+    const token = await inviteEmail(CAROL_EMAIL, "Admin");
+    const res = await authedRaw("POST", "/api/auth/invite-accept", { token }, bobSession());
+    expect(res.status).toBe(422);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.inviteEmailMismatch);
+  });
+  test("Already-Member: Bob ist schon Member → idempotent no-op + alreadyMember=true", async () => {
+    // Bob direkt zu Tenant-A hinzufügen
+    await seedTenantMembership(stack.db, {
+      userId: bobId,
+      tenantId: TENANT_A_ID,
+      roles: ["User"],
+      by: createSystemUser(TENANT_A_ID),
+    });
+    const token = await inviteEmail(BOB_EMAIL, "Admin");
+    const result = (await stack.http.writeOk(
+      AuthHandlers.inviteAccept,
+      { token },
+      bobSession(),
+    )) as { alreadyMember: boolean };
+    expect(result.alreadyMember).toBe(true);
+  });
+});
+describe("invite-accept-with-login (Branch 2: anon + existing email)", () => {
+  test("Bob (nicht eingeloggt) accepts mit email+password → JWT + membership", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Editor");
+    const res = await stack.http.raw("POST", "/api/auth/invite-accept-with-login", {
+      token,
+      email: BOB_EMAIL,
+      password: BOB_PASSWORD,
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      isSuccess: boolean;
+      tenantId: string;
+      role: string;
+      token?: string;
+    };
+    expect(body.isSuccess).toBe(true);
+    expect(body.tenantId).toBe(TENANT_A_ID);
+    expect(body.role).toBe("Editor");
+    expect(body.token).toBeTruthy();
+    const setCookies = res.headers.get("set-cookie") ?? "";
+    expect(setCookies).toContain("kumiko_auth=");
+    // Membership added
+    const memberships = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(eq(tenantMembershipsTable.userId, bobId));
+    expect(memberships).toHaveLength(2);
+  });
+  test("Wrong password → 422 invalid_invite_token (anti-enum)", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Editor");
+    const res = await stack.http.raw("POST", "/api/auth/invite-accept-with-login", {
+      token,
+      email: BOB_EMAIL,
+      password: "wrong-pw-1234",
+    });
+    expect(res.status).toBe(422);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidInviteToken);
+  });
+});
+describe("invite-signup-complete (Branch 3: anon + new email)", () => {
+  test("Carol (no account) accepts → user + membership entstehen, JWT", async () => {
+    const token = await inviteEmail(CAROL_EMAIL, "Admin");
+    const res = await stack.http.raw("POST", "/api/auth/invite-signup-complete", {
+      token,
+      password: CAROL_PASSWORD,
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      isSuccess: boolean;
+      user: { id: string };
+      tenantId: string;
+      role: string;
+    };
+    expect(body.isSuccess).toBe(true);
+    expect(body.tenantId).toBe(TENANT_A_ID);
+    expect(body.role).toBe("Admin");
+    // Carol entstanden in users
+    const carolRows = await stack.db
+      .select()
+      .from(userTable)
+      .where(eq(userTable.email, CAROL_EMAIL));
+    expect(carolRows).toHaveLength(1);
+    expect(carolRows[0]?.["emailVerified"]).toBe(true);
+    expect(carolRows[0]?.["id"]).toBe(body.user.id);
+    // Login funktioniert
+    const loginRes = await stack.http.raw("POST", "/api/auth/login", {
+      email: CAROL_EMAIL,
+      password: CAROL_PASSWORD,
+    });
+    expect(loginRes.status).toBe(200);
+  });
+  test("Existing email → invalid_invite_token (User soll Branch 2 nutzen)", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Admin");
+    const res = await stack.http.raw("POST", "/api/auth/invite-signup-complete", {
+      token,
+      password: "new-pw-1234",
+    });
+    expect(res.status).toBe(422);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidInviteToken);
+    // Bob hat keine zweite Membership erworben
+    const memberships = await stack.db
+      .select()
+      .from(tenantMembershipsTable)
+      .where(eq(tenantMembershipsTable.userId, bobId));
+    expect(memberships).toHaveLength(1);
+    void GUEST;
+  });
+});
+describe("Single-Use-Burn (alle Branches)", () => {
+  test("Branch 1: zweiter accept mit gleichem Token → invalid", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Admin");
+    await stack.http.writeOk(AuthHandlers.inviteAccept, { token }, bobSession());
+    const res = await authedRaw("POST", "/api/auth/invite-accept", { token }, bobSession());
+    expect(res.status).toBe(422);
+  });
+});
+describe("cancel-invitation", () => {
+  test("Admin cancellt → status=cancelled + token weg, accept wird invalid", async () => {
+    const token = await inviteEmail(BOB_EMAIL, "Admin");
+    // Find invitationId
+    const rows = await stack.db
+      .select()
+      .from(tenantInvitationsTable)
+      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    const invitationId = rows[0]?.["id"] as string;
+    await stack.http.writeOk("tenant:write:cancel-invitation", { invitationId }, aliceSession());
+    const updated = await stack.db
+      .select()
+      .from(tenantInvitationsTable)
+      .where(eq(tenantInvitationsTable.id, invitationId));
+    expect(updated[0]?.["status"]).toBe("cancelled");
+    // Accept mit dem gecancelten Token → invalid
+    const res = await authedRaw("POST", "/api/auth/invite-accept", { token }, bobSession());
+    expect(res.status).toBe(422);
+  });
+});
+describe("invitations-query (pending list)", () => {
+  test("Admin sieht nur pending invitations", async () => {
+    await inviteEmail(BOB_EMAIL, "Admin");
+    await inviteEmail(CAROL_EMAIL, "Editor");
+    // Cancel das erste
+    const allRows = await stack.db.select().from(tenantInvitationsTable);
+    const bobInv = allRows.find((r) => r["email"] === BOB_EMAIL);
+    if (!bobInv) throw new Error("bob invitation missing");
+    await stack.http.writeOk(
+      "tenant:write:cancel-invitation",
+      { invitationId: bobInv["id"] },
+      aliceSession(),
+    );
+    const list = (await stack.http.queryOk(
+      "tenant:query:invitations",
+      {},
+      aliceSession(),
+    )) as Array<{ email: string; status: string }>;
+    expect(list).toHaveLength(1);
+    expect(list[0]?.email).toBe(CAROL_EMAIL);
+    expect(list[0]?.status).toBe("pending");
+  });
+});