@cosmicdrift/kumiko-bundled-features 0.14.0 → 0.15.0

package/src/auth-email-password/__tests__/multi-roles.integration.ts

@@ -8,6 +8,8 @@
 // Gegen-Beweis: User OHNE globale Rollen verhält sich wie vorher
 // (nur tenant-membership-roles in der Session).
 
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
   setupTestStack,
@@ -17,7 +19,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -71,8 +72,8 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
 });
 
 async function seedUser(
@@ -101,7 +102,7 @@ async function addMembership(
   tenantId: TenantId,
   roles: readonly string[],
 ): Promise<void> {
-  await stack.db.insert(tenantMembershipsTable).values({
+  await insertOne(stack.db, tenantMembershipsTable, {
     userId,
     tenantId,
     roles: JSON.stringify(roles),
@@ -129,11 +130,7 @@ describe("multi-roles: login mergt globale + membership-roles", () => {
     // Pin write-path: roles MUSS in DB landen, sonst ist der session-merge
     // nur Zufall (z.B. wenn login-handler hardcoded SystemAdmin reinpacken
     // würde). Direct DB-read schließt das aus.
-    const { eq } = await import("drizzle-orm");
-    const dbRow = await stack.db
-      .select({ roles: userTable["roles"] })
-      .from(userTable)
-      .where(eq(userTable["id"], userId));
+    const dbRow = await selectMany(stack.db, userTable, { id: userId });
     expect(dbRow[0]?.roles).toBe(JSON.stringify(["SystemAdmin"]));
 
     const { user } = await login("syadmin@example.com", "pw-long-enough");

package/src/auth-email-password/__tests__/password-reset.integration.ts

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -9,7 +11,6 @@ import {
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { Temporal } from "temporal-polyfill";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -93,9 +94,9 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(userSessionTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userSessionTable.tableName}"`);
   capturedEmails.length = 0;
   autoRevokeCalls.length = 0;
 });
@@ -182,7 +183,7 @@ describe("POST /auth/reset-password", () => {
 
     // Proof: the new password actually hashes in. Read the row, verify the
     // hash matches the new plaintext.
-    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    const row = (await selectMany(stack.db, userTable)).find((r) => r["id"] === seed.id);
     if (!row?.["passwordHash"]) throw new Error("user row / hash missing");
     expect(await verifyPassword(row["passwordHash"] as string, "brand-new-pw-9876")).toBe(true);
     expect(await verifyPassword(row["passwordHash"] as string, "old-pw-1234")).toBe(false);
@@ -203,7 +204,7 @@ describe("POST /auth/reset-password", () => {
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidResetToken);
 
     // Old password still wins.
-    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    const row = (await selectMany(stack.db, userTable)).find((r) => r["id"] === seed.id);
     if (!row?.["passwordHash"]) throw new Error("user row / hash missing");
     expect(await verifyPassword(row["passwordHash"] as string, "keep-me!")).toBe(true);
   });
@@ -262,7 +263,7 @@ describe("POST /auth/reset-password", () => {
     const seed = await seedUser({ email: "retry@example.com", password: "pw-retry-1234" });
     const { token } = signResetToken(seed.id, 15, resetSecret);
 
-    await stack.db.delete(tenantMembershipsTable);
+    await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
     const firstAttempt = await post("/api/auth/reset-password", {
       token,
       newPassword: "never-lands-1234",

package/src/auth-email-password/__tests__/public-routes-rate-limit.integration.ts

@@ -4,7 +4,9 @@
 // comment — a regression that silently moves the routes out of /api/auth/*
 // or tightens loginRateLimit but forgets these would sail through.
 
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import {
   setupTestStack,
@@ -12,7 +14,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -77,8 +78,8 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
 });
 
 // Unique IP per test so buckets don't cross-contaminate. L2 default bucket

package/src/auth-email-password/__tests__/seed-admin.integration.ts

@@ -10,6 +10,8 @@
 //   4. Rollen pro Tenant landen korrekt (unterschiedliche Rollen-Listen
 //      pro Membership).
 
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
@@ -18,8 +20,6 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { and, eq } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config/feature";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -53,10 +53,10 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(tenantTable);
-  await stack.db.delete(userTable);
-  await stack.db.delete(eventsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${eventsTable.tableName}"`);
 });
 
 describe("seedAdmin", () => {
@@ -82,14 +82,11 @@ describe("seedAdmin", () => {
     });
 
     // Tenants angelegt
-    const tenants = await stack.db.select().from(tenantTable);
+    const tenants = await selectMany(stack.db, tenantTable);
     expect(tenants.map((t) => t["id"]).sort()).toEqual([TENANT_DEV, TENANT_BETA].sort());
 
     // User angelegt mit Hash (NICHT plain-Password)
-    const [user] = await stack.db
-      .select()
-      .from(userTable)
-      .where(eq(userTable["email"], "admin@example.com"));
+    const [user] = await selectMany(stack.db, userTable, { email: "admin@example.com" });
     expect(user?.["id"]).toBe(userId);
     expect(user?.["passwordHash"]).not.toBe("secret-pw");
     expect(user?.["passwordHash"]).toMatch(/^\$argon2/);
@@ -101,26 +98,16 @@ describe("seedAdmin", () => {
     expect(invalid).toBe(false);
 
     // Memberships pro Tenant mit unterschiedlichen Rollen
-    const devMembership = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(
-        and(
-          eq(tenantMembershipsTable.userId, userId),
-          eq(tenantMembershipsTable.tenantId, TENANT_DEV),
-        ),
-      );
+    const devMembership = await selectMany(stack.db, tenantMembershipsTable, {
+      userId: userId,
+      tenantId: TENANT_DEV,
+    });
     expect(devMembership[0]?.["roles"]).toBe(JSON.stringify(["Admin"]));
 
-    const betaMembership = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(
-        and(
-          eq(tenantMembershipsTable.userId, userId),
-          eq(tenantMembershipsTable.tenantId, TENANT_BETA),
-        ),
-      );
+    const betaMembership = await selectMany(stack.db, tenantMembershipsTable, {
+      userId: userId,
+      tenantId: TENANT_BETA,
+    });
     expect(betaMembership[0]?.["roles"]).toBe(JSON.stringify(["User"]));
   });
 
@@ -148,7 +135,7 @@ describe("seedAdmin", () => {
     expect(userId2).toBe(userId1);
 
     // Genau ein User-Row, original-Hash (passt zu pw1, nicht pw2).
-    const users = await stack.db.select().from(userTable);
+    const users = await selectMany(stack.db, userTable);
     expect(users).toHaveLength(1);
     const valid = await verifyPassword(users[0]?.["passwordHash"] as string, "pw1");
     expect(valid).toBe(true);
@@ -156,11 +143,11 @@ describe("seedAdmin", () => {
     expect(invalid).toBe(false);
 
     // Genau ein Membership-Row.
-    const memberships = await stack.db.select().from(tenantMembershipsTable);
+    const memberships = await selectMany(stack.db, tenantMembershipsTable);
     expect(memberships).toHaveLength(1);
 
     // Genau ein .created-Event pro Aggregat-Typ.
-    const events = await stack.db.select().from(eventsTable);
+    const events = await selectMany(stack.db, eventsTable);
     const createdByType = events
       .filter((e) => e.type.endsWith(".created"))
       .reduce<Record<string, number>>((acc, e) => {

package/src/auth-email-password/__tests__/session-callbacks.integration.ts

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -9,7 +11,6 @@ import {
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import * as jose from "jose";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -126,8 +127,8 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
   // Reset the in-memory store but KEEP sidStream running — otherwise a test
   // that leaks a sid into another test would produce confusing collisions.
   store.live.clear();
@@ -235,7 +236,7 @@ describe("logout routes through sessionRevoker", () => {
     expect(logoutRes.status).toBe(200);
 
     // Revoker was called with exactly the sid from the caller's JWT
-    expect(store.revoked).toEqual([sidBefore]);
+    expect(store.revoked).toEqual([sidBefore!]);
     expect(store.live.has(sidBefore ?? "")).toBe(false);
   });
 
@@ -279,7 +280,7 @@ describe("switch-tenant rotates the session", () => {
     expect(sidB).not.toBe(sidA);
 
     // Old sid is revoked; new sid is live
-    expect(store.revoked).toContain(sidA);
+    expect(store.revoked).toContain(sidA!);
     expect(store.live.has(sidA ?? "")).toBe(false);
     expect(store.live.has(sidB ?? "")).toBe(true);
 

package/src/auth-email-password/__tests__/session-strict-mode.integration.ts

@@ -4,6 +4,7 @@
 // so legacy stateless tokens are expected to have expired. Default false
 // keeps pre-upgrade tokens working; this suite flips it on and asserts.
 
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
   setupTestStack,
@@ -11,7 +12,6 @@ import {
   TestUsers,
   testTenantId,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createTenantFeature } from "../../tenant";
 import { createUserFeature } from "../../user";

package/src/auth-email-password/__tests__/signed-token.test.ts

@@ -1,5 +1,5 @@
+import { describe, expect, test } from "bun:test";
 import { Temporal } from "temporal-polyfill";
-import { describe, expect, test } from "vitest";
 import { signToken, TokenPurpose, verifyToken } from "../signed-token";
 
 const SECRET = "test-hmac-secret-32-bytes-minimum!!";

package/src/auth-email-password/__tests__/signup-flow.integration.ts

@@ -24,14 +24,14 @@
 //      via DB-unique-index + generateUniqueName-isAvailable-check
 //      zusammen).
 
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { eq } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
@@ -80,7 +80,7 @@ beforeAll(async () => {
   await unsafeCreateEntityTable(stack.db, userEntity);
   // tenant-entity hat den unique-constraint auf .key (siehe
   // tenant.schema.indexes). unsafeCreateEntityTable baut das via
-  // buildDrizzleTable nach — pinst den TOCTOU-Schutz für signup-confirm.
+  // buildEntityTable nach — pinst den TOCTOU-Schutz für signup-confirm.
   await unsafeCreateEntityTable(stack.db, tenantEntity);
   await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
 });
@@ -90,9 +90,9 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(tenantTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantTable.tableName}"`);
   capturedActivationEmails.length = 0;
   // Redis-cleanup damit Resend-Tests keine state-leaks haben.
   const allKeys = await stack.redis.redis.keys("signup:*");
@@ -185,22 +185,18 @@ describe("POST /api/auth/signup-confirm", () => {
     expect(setCookies).toContain("kumiko_csrf=");
 
     // DB-State pinst
-    const userRows = await stack.db.select().from(userTable).where(eq(userTable.email, email));
+    const userRows = await selectMany(stack.db, userTable, { email: email });
     expect(userRows).toHaveLength(1);
     expect(userRows[0]?.["emailVerified"]).toBe(true);
     expect(userRows[0]?.["passwordHash"]).toBeTruthy();
 
-    const tenantRows = await stack.db
-      .select()
-      .from(tenantTable)
-      .where(eq(tenantTable.id, body.user?.tenantId ?? ""));
+    const tenantRows = await selectMany(stack.db, tenantTable, { id: body.user?.tenantId ?? "" });
     expect(tenantRows).toHaveLength(1);
     expect(tenantRows[0]?.["key"]).toBe(body.tenantKey);
 
-    const memberships = await stack.db
-      .select()
-      .from(tenantMembershipsTable)
-      .where(eq(tenantMembershipsTable.userId, body.user?.id ?? ""));
+    const memberships = await selectMany(stack.db, tenantMembershipsTable, {
+      userId: body.user?.id ?? "",
+    });
     expect(memberships).toHaveLength(1);
     const rolesRaw = memberships[0]?.["roles"];
     if (typeof rolesRaw === "string") {

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts

@@ -17,12 +17,8 @@
 // User entsteht — beide existieren bereits. Magic ist die kombinierte
 // Login+Accept-Operation in einem Roundtrip.
 
-import {
-  createEventStoreExecutor,
-  createTenantDb,
-  type DbConnection,
-  fetchOne,
-} from "@cosmicdrift/kumiko-framework/db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
 import {
   createSystemUser,
   defineWriteHandler,
@@ -34,7 +30,6 @@ import {
   UnprocessableError,
   writeFailure,
 } from "@cosmicdrift/kumiko-framework/errors";
-import { eq } from "drizzle-orm";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -104,20 +99,27 @@ export function createInviteAcceptWithLoginHandler() {
       const burn = await burnInviteToken(ctx.redis, event.payload.token);
       if (burn === "already-used") return invalidInviteToken();
 
+      type InvitationRow = {
+        readonly status: string;
+        readonly tenantId: TenantId;
+        readonly email: string;
+        readonly role: string;
+        readonly version: number;
+      };
+      type UserAuthRow = { readonly id: string; readonly passwordHash: string | null };
+
       let committed = false;
       try {
-        const invitation = await fetchOne(
-          ctx.db.raw,
-          tenantInvitationsTable,
-          eq(tenantInvitationsTable.id, invitationId),
-        );
-        if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
+        const invitation = await fetchOne<InvitationRow>(ctx.db.raw, tenantInvitationsTable, {
+          id: invitationId,
+        });
+        if (!invitation || invitation.status !== INVITATION_STATUS.pending)
           return invalidInviteToken();
 
-        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
-        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
-        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
-        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
+        const invitationTenantId = invitation.tenantId;
+        const invitationEmail = invitation.email;
+        const invitationRole = invitation.role;
+        const invitationVersion = invitation.version;
 
         // Email-Match vom User-Input (nicht aus session — User ist anon)
         if (event.payload.email.toLowerCase() !== invitationEmail) {
@@ -131,15 +133,14 @@ export function createInviteAcceptWithLoginHandler() {
         // Password-Check gegen userTable. Anti-enumeration: bei
         // user-not-found ODER wrong-password collapsed beides auf
         // invalidInviteToken (gleicher anti-enum-Trade-off wie reset).
-        const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.email, invitationEmail));
-        if (!userRow?.["passwordHash"]) return invalidInviteToken();
-        const passwordValid = await verifyPassword(
-          userRow["passwordHash"] as string, // @cast-boundary db-row
-          event.payload.password,
-        );
+        const userRow = await fetchOne<UserAuthRow>(ctx.db.raw, userTable, {
+          email: invitationEmail,
+        });
+        if (!userRow?.passwordHash) return invalidInviteToken();
+        const passwordValid = await verifyPassword(userRow.passwordHash, event.payload.password);
         if (!passwordValid) return invalidInviteToken();
 
-        const userId = userRow["id"] as string; // @cast-boundary db-row
+        const userId = userRow.id;
 
         // Already-Member-Check (idempotent)
         const memberships = (await ctx.queryAs(
@@ -149,8 +150,7 @@ export function createInviteAcceptWithLoginHandler() {
         )) as Array<{ tenantId: string }>; // @cast-boundary db-row
         const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
 
-        // @cast-boundary db-runner — TenantDb.raw is DbRunner
-        const dbConn = ctx.db.raw as DbConnection;
+        const dbConn = ctx.db.raw;
 
         if (!alreadyMember) {
           await seedTenantMembership(dbConn, {

package/src/auth-email-password/handlers/invite-accept.write.ts

@@ -15,12 +15,8 @@
 // Session"-Flow. Branch 2 (anon + existing email) und Branch 3 (anon +
 // new email) kommen als separate Handler.
 
-import {
-  createEventStoreExecutor,
-  createTenantDb,
-  type DbConnection,
-  fetchOne,
-} from "@cosmicdrift/kumiko-framework/db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
 import {
   createSystemUser,
   defineWriteHandler,
@@ -31,7 +27,6 @@ import {
   UnprocessableError,
   writeFailure,
 } from "@cosmicdrift/kumiko-framework/errors";
-import { eq } from "drizzle-orm";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link), DB-row-owner ist tenant-feature
 import {
@@ -97,26 +92,35 @@ export function createInviteAcceptHandler() {
       const burn = await burnInviteToken(ctx.redis, event.payload.token);
       if (burn === "already-used") return invalidInviteToken();
 
+      type InvitationRow = {
+        readonly status: string;
+        readonly tenantId: TenantId;
+        readonly email: string;
+        readonly role: string;
+        readonly version: number;
+      };
+      type UserEmailRow = { readonly email: string };
+
       let committed = false;
       try {
-        const invitation = await fetchOne(
-          ctx.db.raw,
-          tenantInvitationsTable,
-          eq(tenantInvitationsTable.id, invitationId),
-        );
-        if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
+        const invitation = await fetchOne<InvitationRow>(ctx.db.raw, tenantInvitationsTable, {
+          id: invitationId,
+        });
+        if (!invitation || invitation.status !== INVITATION_STATUS.pending)
           return invalidInviteToken();
 
-        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
-        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
-        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
-        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
+        const invitationTenantId = invitation.tenantId;
+        const invitationEmail = invitation.email;
+        const invitationRole = invitation.role;
+        const invitationVersion = invitation.version;
 
         // Email-Match: User muss mit der eingeladenen Email matchen.
         // Sonst kann ein Angreifer mit Zugriff zur invitee-Mail seinen
         // eigenen Account dem Tenant zuschlagen.
-        const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.id, event.user.id));
-        const userEmail = userRow?.["email"] as string | undefined; // @cast-boundary db-row
+        const userRow = await fetchOne<UserEmailRow>(ctx.db.raw, userTable, {
+          id: event.user.id,
+        });
+        const userEmail = userRow?.email;
         if (!userRow || !userEmail || userEmail.toLowerCase() !== invitationEmail) {
           return writeFailure(
             new UnprocessableError(AuthErrors.inviteEmailMismatch, {
@@ -135,8 +139,7 @@ export function createInviteAcceptHandler() {
         )) as Array<{ tenantId: string }>; // @cast-boundary db-row
         const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
 
-        // @cast-boundary db-runner — TenantDb.raw is DbRunner
-        const dbConn = ctx.db.raw as DbConnection;
+        const dbConn = ctx.db.raw;
 
         if (!alreadyMember) {
           // Membership-Add via seedTenantMembership-helper (event-store-

package/src/auth-email-password/handlers/invite-create.write.ts

@@ -15,10 +15,10 @@
 // invite-create.
 
 import { generateToken } from "@cosmicdrift/kumiko-framework/api";
-import { createEventStoreExecutor, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
-import { eq } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link-Pattern), DB-row-owner ist tenant-feature
@@ -77,12 +77,7 @@ export function createInviteCreateHandler(opts: InviteCreateOptions = {}) {
       // max. eine Row. Status egal (cancelled/accepted/expired/pending);
       // wir setzen sie auf pending zurück und vergeben einen frischen
       // Token wenn der bisherige nicht mehr lebt.
-      const existing = await fetchOne(
-        ctx.db.raw,
-        tenantInvitationsTable,
-        eq(tenantInvitationsTable.tenantId, tenantId),
-        eq(tenantInvitationsTable.email, email),
-      );
+      const existing = await fetchOne(ctx.db.raw, tenantInvitationsTable, { tenantId, email });
 
       let invitationId: string;
       let token: string;

package/src/auth-email-password/handlers/invite-signup-complete.write.ts

@@ -17,11 +17,11 @@
 //      e. Invitation → accepted, Token gelöscht
 //   5. Response: SessionUser + tenantId für Auto-Login
 
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEventStoreExecutor,
   createTenantDb,
   type DbConnection,
-  fetchOne,
 } from "@cosmicdrift/kumiko-framework/db";
 import {
   createSystemUser,
@@ -34,7 +34,6 @@ import {
   UnprocessableError,
   writeFailure,
 } from "@cosmicdrift/kumiko-framework/errors";
-import { eq } from "drizzle-orm";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -104,30 +103,34 @@ export function createInviteSignupCompleteHandler() {
       const burn = await burnInviteToken(ctx.redis, event.payload.token);
       if (burn === "already-used") return invalidInviteToken();
 
+      type InvitationRow = {
+        readonly status: string;
+        readonly tenantId: TenantId;
+        readonly email: string;
+        readonly role: string;
+        readonly version: number;
+      };
+
       let committed = false;
       try {
-        const invitation = await fetchOne(
-          ctx.db.raw,
-          tenantInvitationsTable,
-          eq(tenantInvitationsTable.id, invitationId),
-        );
-        if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
+        const invitation = await fetchOne<InvitationRow>(ctx.db.raw, tenantInvitationsTable, {
+          id: invitationId,
+        });
+        if (!invitation || invitation.status !== INVITATION_STATUS.pending)
           return invalidInviteToken();
 
-        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
-        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
-        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
-        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
+        const invitationTenantId = invitation.tenantId;
+        const invitationEmail = invitation.email;
+        const invitationRole = invitation.role;
+        const invitationVersion = invitation.version;
 
         // User-Not-Exists-Check: wenn die Email schon registriert ist,
         // muss der User Branch 2 (acceptWithLogin) nutzen. Hier ist
         // explizit "neue Email" — sonst hätten wir zwei Wege ein
         // Password zu setzen für denselben User.
-        const existingUser = await fetchOne(
-          ctx.db.raw,
-          userTable,
-          eq(userTable.email, invitationEmail),
-        );
+        const existingUser = await fetchOne(ctx.db.raw, userTable, {
+          email: invitationEmail,
+        });
         if (existingUser) return invalidInviteToken();
 
         // User anlegen via seedUserWithPassword (gleiches Pattern wie