npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.14.0 → 0.15.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.14.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -99,4 +99,4 @@
     "README.md",
     "LICENSE"
   ]
-}
+}

package/src/__tests__/env-schemas.test.ts CHANGED Viewed

@@ -1,10 +1,10 @@
+import { describe, expect, it } from "bun:test";
 import { randomBytes } from "node:crypto";
 import {
   composeEnvSchema,
   type KumikoBootError,
   parseEnv,
 } from "@cosmicdrift/kumiko-framework/env";
-import { describe, expect, it } from "vitest";
 import { authEmailPasswordEnvSchema, createAuthEmailPasswordFeature } from "../auth-email-password";
 import { createSecretsFeature, secretsEnvSchema } from "../secrets";
 import {

package/src/__tests__/es-ops-e2e.integration.ts CHANGED Viewed

@@ -17,9 +17,11 @@
 // updateMemberRoles auf — MUSS tenantIdOverride nutzen sonst
 // version_conflict.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createRegistry, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
   createEsOperationsTable,
@@ -36,8 +38,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { sql } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../config/feature";
 import { createConfigResolver } from "../config/resolver";
 import { configValuesTable } from "../config/table";
@@ -79,7 +79,7 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await testDb.db.execute(sql`
+  await asRawClient(testDb.db).unsafe(`
     TRUNCATE kumiko_es_operations, kumiko_events, read_tenants, read_tenant_memberships
   `);
 });
@@ -144,21 +144,22 @@ describe("es-ops Phase 1.5 — E2E gegen real-Stack", () => {
       expect(result.appliedIds).toEqual(["2026-05-21-add-tenant-admin"]);
       // Verify (a) marker
-      const markers = await testDb.db.select().from(esOperationsTable);
+      const markers = await selectMany(testDb.db, esOperationsTable);
       expect(markers).toHaveLength(1);
       expect(markers[0]?.id).toBe("2026-05-21-add-tenant-admin");
       // Verify (b) event in store mit tenant-membership.updated
-      const events = (await testDb.db.execute(
-        sql`SELECT type, tenant_id::text AS tenant_id FROM kumiko_events ORDER BY id`,
+      const events = (await asRawClient(testDb.db).unsafe(
+        `SELECT type, tenant_id::text AS tenant_id FROM kumiko_events ORDER BY id`,
       )) as unknown as readonly { type: string; tenant_id: string }[];
       const updateEvents = events.filter((e) => e.type === "tenant-membership.updated");
       expect(updateEvents).toHaveLength(1);
       expect(updateEvents[0]?.tenant_id).toBe(demoTenantId);
       // Verify (c) read-model aktualisiert
-      const memberships = (await testDb.db.execute(
-        sql`SELECT roles FROM read_tenant_memberships WHERE user_id = ${adminUserId}`,
+      const memberships = (await asRawClient(testDb.db).unsafe(
+        `SELECT roles FROM read_tenant_memberships WHERE user_id = $1`,
+        [adminUserId],
       )) as unknown as readonly { roles: string }[];
       expect(JSON.parse(memberships[0]?.roles ?? "[]")).toEqual(["Admin", "TenantAdmin"]);
     } finally {
@@ -202,7 +203,7 @@ describe("es-ops Phase 1.5 — E2E gegen real-Stack", () => {
         /dry-run found.*unknown handler-QN/,
       );
-      const markers = await testDb.db.select().from(esOperationsTable);
+      const markers = await selectMany(testDb.db, esOperationsTable);
       expect(markers).toHaveLength(0);
     } finally {
       rmSync(dir, { recursive: true, force: true });

package/src/audit/__tests__/audit.integration.ts CHANGED Viewed

@@ -2,6 +2,8 @@
 // log IS the audit trail; this suite proves the query handler exposes the
 // right slices of it (tenant-isolated, filtered, paginated, content-intact).
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEntity,
   createTextField,
@@ -18,8 +20,6 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { sql } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { AuditQueries } from "../constants";
 import { createAuditFeature } from "../feature";
@@ -71,7 +71,7 @@ beforeEach(async () => {
   // Fresh event log per test — the audit query reads the events table
   // directly, so stale events from previous tests would leak into results.
   await resetEventStore(stack);
-  await stack.db.execute(sql`TRUNCATE audit_widgets`);
+  await asRawClient(stack.db).unsafe(`TRUNCATE audit_widgets`);
 });
 async function createWidget(user: SessionUser, name: string, color?: string): Promise<string> {

package/src/audit/handlers/list.query.ts CHANGED Viewed

@@ -11,37 +11,23 @@
 // append time (see event-store-executor → stripSensitive), so this query
 // can't surface PII that the entity definition marked as sensitive.
+import { selectMany, type WhereObject } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
-import { and, desc, eq, gte, lt, lte } from "drizzle-orm";
 import { z } from "zod";
-// Per-page cap. 100 keeps a single page payload bounded while being enough
-// for a humans-browse UI — clients that need exports iterate by `before`.
 const MAX_LIMIT = 100;
 export const listQuery = defineQueryHandler({
   name: "list",
   schema: z
     .object({
-      // Cursor-style pagination: pass the `id` from the last row of the
-      // previous page as `before`. bigserial ids are monotonic, so `< before`
-      // reliably returns "the next older page". Beats OFFSET on large tables.
-      // The regex pins the input to digits-only — otherwise an invalid value
-      // would surface as a raw PG `invalid_text_representation` instead of a
-      // clean 400 at the schema gate.
       before: z.string().regex(/^\d+$/, "cursor must be a positive integer").optional(),
       limit: z.number().int().min(1).max(MAX_LIMIT).default(50),
-      // Filters — all optional. Combined via AND.
       aggregateType: z.string().optional(),
       aggregateId: z.uuid().optional(),
       eventType: z.string().optional(),
-      // createdBy is stored as text on the events table (it accepts both UUIDs
-      // and system actor strings like "SYSTEM"), so the filter is a plain
-      // equality check on the raw value.
       userId: z.string().optional(),
-      // Inclusive bounds. Clients pass ISO-8601; we parse to Temporal.Instant
-      // and compare via the `instant()` column type.
       from: z.iso.datetime().optional(),
       to: z.iso.datetime().optional(),
     })
@@ -52,47 +38,49 @@ export const listQuery = defineQueryHandler({
   access: { roles: ["Admin", "SystemAdmin"] },
   handler: async (query, ctx) => {
     const p = query.payload;
-    const tenantId = query.user.tenantId;
+    const where: WhereObject = { tenantId: query.user.tenantId };
+    if (p.aggregateType) where["aggregateType"] = p.aggregateType;
+    if (p.aggregateId) where["aggregateId"] = p.aggregateId;
+    if (p.eventType) where["type"] = p.eventType;
+    if (p.userId) where["createdBy"] = p.userId;
+    if (p.from || p.to) {
+      const range: { gte?: unknown; lte?: unknown } = {};
+      if (p.from) range.gte = Temporal.Instant.from(p.from);
+      if (p.to) range.lte = Temporal.Instant.from(p.to);
+      where["createdAt"] = range;
+    }
+    if (p.before) where["id"] = { lt: BigInt(p.before) };
-    const conditions = [eq(eventsTable.tenantId, tenantId)];
-    if (p.aggregateType) conditions.push(eq(eventsTable.aggregateType, p.aggregateType));
-    if (p.aggregateId) conditions.push(eq(eventsTable.aggregateId, p.aggregateId));
-    if (p.eventType) conditions.push(eq(eventsTable.type, p.eventType));
-    if (p.userId) conditions.push(eq(eventsTable.createdBy, p.userId));
-    if (p.from) conditions.push(gte(eventsTable.createdAt, Temporal.Instant.from(p.from)));
-    if (p.to) conditions.push(lte(eventsTable.createdAt, Temporal.Instant.from(p.to)));
-    // `before` = last seen id from the previous page. bigserial so `<` walks
-    // backwards in chronological order. Schema-regex guarantees the string
-    // is digits-only, so BigInt(...) can't throw.
-    if (p.before) conditions.push(lt(eventsTable.id, BigInt(p.before)));
+    const rows = await selectMany<{
+      id: bigint;
+      aggregateId: string;
+      aggregateType: string;
+      version: number;
+      type: string;
+      payload: Record<string, unknown>;
+      metadata: Record<string, unknown>;
+      createdAt: unknown;
+      createdBy: string;
+    }>(ctx.db, eventsTable, where, {
+      orderBy: { col: "id", direction: "desc" },
+      limit: p.limit,
+    });
-    const rows = await ctx.db
-      .select({
-        id: eventsTable.id,
-        aggregateId: eventsTable.aggregateId,
-        aggregateType: eventsTable.aggregateType,
-        version: eventsTable.version,
-        type: eventsTable.type,
-        payload: eventsTable.payload,
-        metadata: eventsTable.metadata,
-        createdAt: eventsTable.createdAt,
-        createdBy: eventsTable.createdBy,
-      })
-      .from(eventsTable)
-      .where(and(...conditions))
-      .orderBy(desc(eventsTable.id))
-      .limit(p.limit);
-    // bigint ids need serialisation — JSON can't carry a plain BigInt, and
-    // clients pass the cursor back as a string via `before`. Stringified once
-    // here so the response shape matches what the caller will re-submit.
-    const serialised = rows.map((r) => ({ ...r, id: String(r["id"]) }));
+    const serialised = rows.map((r) => ({
+      id: String(r.id),
+      aggregateId: r.aggregateId,
+      aggregateType: r.aggregateType,
+      version: r.version,
+      type: r.type,
+      payload: r.payload,
+      metadata: r.metadata,
+      createdAt: r.createdAt,
+      createdBy: r.createdBy,
+    }));
     const last = serialised[serialised.length - 1];
     return {
       rows: serialised,
-      // Cursor for the NEXT page. Null when this page is partial (we hit
-      // the start of the log) so clients know to stop.
-      nextBefore: serialised.length === p.limit && last ? last["id"] : null,
+      nextBefore: serialised.length === p.limit && last ? last.id : null,
     };
   },
 });

package/src/auth-email-password/__tests__/account-lockout-no-redis.integration.ts CHANGED Viewed

@@ -10,7 +10,9 @@
 // the stack must be built without `context.redis` — shared `beforeAll`
 // can't mix the two.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -20,7 +22,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -84,8 +85,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
 });
 async function seedLoginUser(

package/src/auth-email-password/__tests__/account-lockout.integration.ts CHANGED Viewed

@@ -9,7 +9,9 @@
 //   - Redis unset: handler still works, lockout is silently skipped (degrades
 //     gracefully to the IP-rate-limiter at the edge)
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -19,7 +21,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -84,8 +85,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
   // Clear lockout state between tests — the key prefix is feature-owned, so
   // a scan-and-del is the safe bet even if tests share a Redis namespace.
   await stack.redis.flushNamespace();

package/src/auth-email-password/__tests__/auth-claims.integration.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
@@ -10,7 +12,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -101,8 +102,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
   segmentsByUserAndTenant.clear();
   plansByTenant.clear();
 });
@@ -118,7 +119,7 @@ async function seedUser(email: string, password: string): Promise<string> {
 }
 async function addMembership(userId: string, tenantId: TenantId, roles: string[]): Promise<void> {
-  await stack.db.insert(tenantMembershipsTable).values({
+  await insertOne(stack.db, tenantMembershipsTable, {
     userId,
     tenantId,
     roles: JSON.stringify(roles),

package/src/auth-email-password/__tests__/auth.integration.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -15,7 +17,6 @@ import {
   getSetCookieRaw,
   getSetCookieValue,
 } from "@cosmicdrift/kumiko-framework/testing";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -67,8 +68,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
 });
 // Helper: seed a full login-ready user (user row + membership).

package/src/auth-email-password/__tests__/confirm-token-flow.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
+import { describe, expect, test } from "bun:test";
 import type { HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
-import { describe, expect, test } from "vitest";
 import { runConfirmTokenFlow } from "../handlers/confirm-token-flow";
 // Pins the "fail-loud when ctx.redis is missing" branch. Without this

package/src/auth-email-password/__tests__/email-templates.test.ts CHANGED Viewed

@@ -4,7 +4,7 @@
 // expiresAt, HTML escaped XSS-Versuche, beide Locales unterscheiden
 // sich erwartungsgemäß.
-import { describe, expect, test } from "vitest";
+import { describe, expect, test } from "bun:test";
 import { renderResetPasswordEmail, renderVerifyEmail } from "../email-templates";
 describe("renderResetPasswordEmail", () => {

package/src/auth-email-password/__tests__/email-verification.integration.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -8,9 +10,7 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { eq } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -94,8 +94,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
   capturedEmails.length = 0;
 });
@@ -121,10 +121,7 @@ async function seedUser(opts: {
   // it directly via SQL after create. Row.version is left at 1; no
   // subsequent event-store writes happen on this row in these tests.
   if (opts.emailVerified === true) {
-    await stack.db
-      .update(userTable)
-      .set({ emailVerified: true })
-      .where(eq(userTable["id"], created.id));
+    await updateMany(stack.db, userTable, { emailVerified: true }, { id: created.id });
   }
   const tenantId = opts.tenantId ?? "00000000-0000-4000-8000-000000000001";
   await seedTenantMembership(stack.db, {
@@ -191,7 +188,7 @@ describe("POST /auth/verify-email", () => {
     const res = await post("/api/auth/verify-email", { token });
     expect(res.status).toBe(200);
-    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    const row = (await selectMany(stack.db, userTable)).find((r) => r["id"] === seed.id);
     expect(row?.["emailVerified"]).toBe(true);
   });
@@ -214,7 +211,7 @@ describe("POST /auth/verify-email", () => {
     const seed = await seedUser({ email: "retry@example.com", password: "pw-retry-1234" });
     const { token } = signVerificationToken(seed.id, 60, verifySecret);
-    await stack.db.delete(tenantMembershipsTable);
+    await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
     const firstAttempt = await post("/api/auth/verify-email", { token });
     expect(firstAttempt.status).toBe(422);

package/src/auth-email-password/__tests__/identity-v3-hash.test.ts CHANGED Viewed

@@ -13,8 +13,8 @@
 //     blobs, unsupported PRF — all the ways a verifier could leak a 500
 //     instead of returning false.
+import { describe, expect, test } from "bun:test";
 import { pbkdf2Sync } from "node:crypto";
-import { describe, expect, test } from "vitest";
 import { isIdentityV3Hash, verifyIdentityV3Hash } from "../identity-v3-hash";
 import { verifyPassword } from "../password-hashing";

package/src/auth-email-password/__tests__/identity-v3-login.integration.ts CHANGED Viewed

@@ -5,7 +5,9 @@
 // Das ist der Kern-Use-Case der BMC-Migration — Legacy-Hashes 1:1
 // übernommen, Login funktioniert weiter.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { pbkdf2Sync, randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -15,7 +17,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -79,8 +80,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
 });
 describe("Identity-V3 password-hash compatibility", () => {

package/src/auth-email-password/__tests__/invite-flow.integration.ts CHANGED Viewed

@@ -14,6 +14,8 @@
 //   4. Branch-spezifischer Accept-Endpoint
 //   5. DB-State + Membership + Cookies/JWT verifizieren
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createSystemUser,
   type SessionUser,
@@ -26,8 +28,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { eq } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -114,10 +114,10 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(tenantInvitationsTable);
-  await stack.db.delete(tenantTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantInvitationsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantTable.tableName}"`);
   capturedInviteEmails.length = 0;
   const allKeys = await stack.redis.redis.keys("invite:*");
   if (allKeys.length > 0) await stack.redis.redis.del(...allKeys);
@@ -209,10 +209,7 @@ describe("invite-create", () => {
     expect(result.token).toBeTruthy();
     expect(result.token.length).toBeGreaterThanOrEqual(16);
-    const rows = await stack.db
-      .select()
-      .from(tenantInvitationsTable)
-      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    const rows = await selectMany(stack.db, tenantInvitationsTable, { email: BOB_EMAIL });
     expect(rows).toHaveLength(1);
     expect(rows[0]?.["status"]).toBe("pending");
     expect(rows[0]?.["role"]).toBe("Admin");
@@ -226,10 +223,7 @@ describe("invite-create", () => {
     expect(secondToken).toBe(firstToken);
     // Eine Row, role updated
-    const rows = await stack.db
-      .select()
-      .from(tenantInvitationsTable)
-      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    const rows = await selectMany(stack.db, tenantInvitationsTable, { email: BOB_EMAIL });
     expect(rows).toHaveLength(1);
     expect(rows[0]?.["role"]).toBe("Editor");
   });
@@ -250,19 +244,13 @@ describe("invite-accept (Branch 1: logged-in)", () => {
     expect(result.alreadyMember).toBe(false);
     // Bob hat jetzt 2 Memberships
-    const memberships = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(eq(tenantMembershipsTable.userId, bobId));
+    const memberships = await selectMany(stack.db, tenantMembershipsTable, { userId: bobId });
     expect(memberships).toHaveLength(2);
     const tenantIds = memberships.map((m) => m["tenantId"]).sort();
     expect(tenantIds).toEqual([TENANT_A_ID, TENANT_B_ID].sort());
     // Invitation status = accepted
-    const inv = await stack.db
-      .select()
-      .from(tenantInvitationsTable)
-      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    const inv = await selectMany(stack.db, tenantInvitationsTable, { email: BOB_EMAIL });
     expect(inv[0]?.["status"]).toBe("accepted");
   });
@@ -319,10 +307,7 @@ describe("invite-accept-with-login (Branch 2: anon + existing email)", () => {
     expect(setCookies).toContain("kumiko_auth=");
     // Membership added
-    const memberships = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(eq(tenantMembershipsTable.userId, bobId));
+    const memberships = await selectMany(stack.db, tenantMembershipsTable, { userId: bobId });
     expect(memberships).toHaveLength(2);
   });
@@ -359,10 +344,7 @@ describe("invite-signup-complete (Branch 3: anon + new email)", () => {
     expect(body.role).toBe("Admin");
     // Carol entstanden in users
-    const carolRows = await stack.db
-      .select()
-      .from(userTable)
-      .where(eq(userTable.email, CAROL_EMAIL));
+    const carolRows = await selectMany(stack.db, userTable, { email: CAROL_EMAIL });
     expect(carolRows).toHaveLength(1);
     expect(carolRows[0]?.["emailVerified"]).toBe(true);
     expect(carolRows[0]?.["id"]).toBe(body.user.id);
@@ -387,10 +369,7 @@ describe("invite-signup-complete (Branch 3: anon + new email)", () => {
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidInviteToken);
     // Bob hat keine zweite Membership erworben
-    const memberships = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(eq(tenantMembershipsTable.userId, bobId));
+    const memberships = await selectMany(stack.db, tenantMembershipsTable, { userId: bobId });
     expect(memberships).toHaveLength(1);
     void GUEST;
   });
@@ -411,18 +390,12 @@ describe("cancel-invitation", () => {
     const token = await inviteEmail(BOB_EMAIL, "Admin");
     // Find invitationId
-    const rows = await stack.db
-      .select()
-      .from(tenantInvitationsTable)
-      .where(eq(tenantInvitationsTable.email, BOB_EMAIL));
+    const rows = await selectMany(stack.db, tenantInvitationsTable, { email: BOB_EMAIL });
     const invitationId = rows[0]?.["id"] as string;
     await stack.http.writeOk("tenant:write:cancel-invitation", { invitationId }, aliceSession());
-    const updated = await stack.db
-      .select()
-      .from(tenantInvitationsTable)
-      .where(eq(tenantInvitationsTable.id, invitationId));
+    const updated = await selectMany(stack.db, tenantInvitationsTable, { id: invitationId });
     expect(updated[0]?.["status"]).toBe("cancelled");
     // Accept mit dem gecancelten Token → invalid
@@ -437,7 +410,7 @@ describe("invitations-query (pending list)", () => {
     await inviteEmail(CAROL_EMAIL, "Editor");
     // Cancel das erste
-    const allRows = await stack.db.select().from(tenantInvitationsTable);
+    const allRows = await selectMany(stack.db, tenantInvitationsTable);
     const bobInv = allRows.find((r) => r["email"] === BOB_EMAIL);
     if (!bobInv) throw new Error("bob invitation missing");
     await stack.http.writeOk(