npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.14.0 → 0.15.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.14.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/src/custom-fields/wire-user-data-rights.ts CHANGED Viewed

@@ -1,53 +1,26 @@
 // T1.5c — user-data-rights wiring for custom-fields.
-//
-// A consumer that wires `customFields` onto a user-owned host entity
-// (e.g. `comment`, `note`, anything with an inserted_by_id column) calls
-// this in addition to `wireCustomFieldsFor`:
-//
-//   wireCustomFieldsFor(r, "comment", commentTable);
-//   wireCustomFieldsUserDataRightsFor(r, {
-//     entityName: "comment",
-//     entityTable: commentTable,
-//     userIdColumn: "inserted_by_id",
-//   });
-//
-// Result: a second `r.useExtension(EXT_USER_DATA, "comment", { export, delete })`
-// registration whose hooks read/write the customFields jsonb column.
-//
-// **Export** — every row owned by the user is included; the full customFields
-// jsonb travels into the user's export bundle so they can see *all* their
-// custom-field data, sensitive or not (DSGVO Art. 15+20 — completeness wins).
-//
-// **Forget (strategy=anonymize)** — only `sensitive=true` customField keys are
-// stripped from the jsonb (`customFields - 'sensitiveKey1' - 'sensitiveKey2'`).
-// Non-sensitive customFields stay so the row remains useful to other tenants
-// / co-authors. Matches the host-entity anonymize-then-keep contract.
-//
-// **Forget (strategy=delete)** — no-op. The host entity's own user-data-rights
-// hook will delete the row entirely; jsonb goes with it.
-//
-// Side-step: this wiring requires `user-data-rights` to be installed in the
-// composed feature set; if it's not, the boot-validator will reject the
-// extension as unknown. That is the consumer's call — it's explicitly opt-in
-// (call this function or don't), exactly because some consumers wire custom-
-// fields onto tenant-owned entities (e.g. `property`) where DSGVO forget
-// doesn't apply per-user.
 import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
 import { EXT_USER_DATA, type FeatureRegistrar } from "@cosmicdrift/kumiko-framework/engine";
-import { getTableName, sql } from "drizzle-orm";
-import type { PgTable } from "drizzle-orm/pg-core";
+import {
+  selectCustomFieldsHostRows,
+  selectFieldDefinitionsForEntity,
+  stripSensitiveCustomFieldKeys,
+} from "./db/queries/user-data-rights";
 import { parseSerializedField } from "./lib/parse-serialized-field";
+const KUMIKO_NAME_SYMBOL = Symbol.for("kumiko:schema:Name");
+function getTableName(table: unknown): string {
+  if (typeof table === "object" && table !== null) {
+    const sym = (table as Record<symbol, unknown>)[KUMIKO_NAME_SYMBOL];
+    if (typeof sym === "string") return sym;
+  }
+  throw new Error("wire-user-data-rights: table missing kumiko:schema:Name symbol");
+}
 export interface WireCustomFieldsUserDataRightsOptions {
-  /** Host entity name as registered with wireCustomFieldsFor. */
   readonly entityName: string;
-  /** Drizzle table for the host entity. Must have a `customFields` jsonb column. */
-  readonly entityTable: PgTable;
-  /**
-   * Snake-case DB column that holds the owning user's id (e.g. `inserted_by_id`,
-   * `author_id`, `assignee_id`). The hooks filter rows on this + tenant_id.
-   */
+  readonly entityTable: unknown;
   readonly userIdColumn: string;
 }
@@ -56,11 +29,6 @@ interface CustomFieldsHostRow {
   readonly customFields: Record<string, unknown> | null;
 }
-// Drizzle's raw `execute(sql\`SELECT id, custom_fields\`)` returns rows
-// keyed in db-column casing (snake_case), not the field-mapping casing.
-// The typeguard normalises into the camel-cased internal shape so the
-// rest of the hook can stay JS-idiomatic. `in` + `instanceof Object` keep
-// the narrowing cast-free.
 function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   if (!value || typeof value !== "object" || Array.isArray(value)) return null;
   if (!("id" in value) || typeof value.id !== "string") return null;
@@ -68,8 +36,6 @@ function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   const cf = value.custom_fields;
   if (cf === null) return { id: value.id, customFields: null };
   if (!cf || typeof cf !== "object" || Array.isArray(cf)) return null;
-  // Object.entries on a narrowed `object` returns `[string, unknown][]` —
-  // fromEntries widens that back into a typed Record without a cast.
   return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };
 }
@@ -77,22 +43,19 @@ export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<
   r: TReg,
   opts: WireCustomFieldsUserDataRightsOptions,
 ): void {
-  const tableName = sql.identifier(getTableName(opts.entityTable));
-  const userCol = sql.identifier(opts.userIdColumn);
+  const tableName = getTableName(opts.entityTable);
   const exportHook: UserDataExportHook = async (ctx) => {
-    const rowsResult = await ctx.db.execute(sql`
-      SELECT id, custom_fields
-      FROM ${tableName}
-      WHERE ${userCol} = ${ctx.userId} AND tenant_id = ${ctx.tenantId}
-    `);
-    const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+    const rows = await selectCustomFieldsHostRows(
+      ctx.db,
+      tableName,
+      opts.userIdColumn,
+      ctx.userId,
+      ctx.tenantId,
+    );
     const snippetRows: Array<{ id: string; customFields: Record<string, unknown> }> = [];
     for (const raw of rows) {
       const row = asCustomFieldsHostRow(raw);
-      // skip: drizzle-execute can hand back loosely-typed rows from raw
-      // queries; if a row's shape doesn't fit, skip rather than guess.
-      // Real schemas always match — this is defense in depth.
       if (!row) continue;
       const customFields = row.customFields;
       if (customFields && Object.keys(customFields).length > 0) {
@@ -104,30 +67,22 @@ export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<
   };
   const deleteHook: UserDataDeleteHook = async (ctx, strategy) => {
-    // skip: strategy=delete is handled by the host entity's own user-
-    // data-rights hook (it removes the row; customFields jsonb travels
-    // with it). Nothing left for this layer to do.
+    // skip: delete strategy removes rows wholesale — custom-field redaction N/A.
     if (strategy === "delete") return;
     const sensitiveKeys = await loadSensitiveFieldKeys(ctx.db, ctx.tenantId, opts.entityName);
-    // skip: no sensitive keys declared for this entity → anonymize is a
-    // no-op. Avoids a useless UPDATE statement.
+    // skip: no sensitive custom fields configured for this entity.
     if (sensitiveKeys.length === 0) return;
-    // Build the chain of jsonb minus operators: customFields - 'k1' - 'k2' - ...
-    const minusChain = sensitiveKeys.reduce<ReturnType<typeof sql>>(
-      (acc, key) => sql`${acc} - ${key}`,
-      sql`custom_fields`,
+    await stripSensitiveCustomFieldKeys(
+      ctx.db,
+      tableName,
+      opts.userIdColumn,
+      sensitiveKeys,
+      ctx.userId,
+      ctx.tenantId,
     );
-    await ctx.db.execute(sql`
-      UPDATE ${tableName}
-      SET custom_fields = ${minusChain}
-      WHERE ${userCol} = ${ctx.userId} AND tenant_id = ${ctx.tenantId}
-    `);
   };
-  // r.useExtension's options-bag accepts a structural object — pass the
-  // hooks inline so TS sees the literal-typed shape and Drizzle's strict
-  // mode doesn't reject the nominal UserDataExtensionHooks branding.
   // biome-ignore lint/correctness/useHookAtTopLevel: r.useExtension is a registrar API, not a React hook.
   r.useExtension(EXT_USER_DATA, opts.entityName, {
     export: exportHook,
@@ -151,16 +106,9 @@ async function loadSensitiveFieldKeys(
   tenantId: string,
   entityName: string,
 ): Promise<string[]> {
-  const rowsResult = await db.execute(sql`
-    SELECT field_key, serialized_field
-    FROM read_custom_field_definitions
-    WHERE entity_name = ${entityName} AND tenant_id = ${tenantId}
-  `);
-  const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+  const rows = await selectFieldDefinitionsForEntity(db, entityName, tenantId);
   const keys: string[] = [];
   for (const raw of rows) {
-    // skip: see isCustomFieldsHostRow rationale — defense in depth against
-    // driver shape drift.
     if (!isFieldDefinitionRow(raw)) continue;
     const parsed = parseSerializedField(raw.serialized_field);
     if (parsed?.sensitive === true) keys.push(raw.field_key);

package/src/data-retention/__tests__/data-retention.integration.ts CHANGED Viewed

@@ -6,12 +6,12 @@
 // ob Boot-Validation oder Entity-Definition gebrochen ist — pre-S2.D2b
 // Sicherheitsnetz.
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, describe, expect, test } from "vitest";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../feature";
 let stack: TestStack;

package/src/data-retention/__tests__/keep-for.test.ts CHANGED Viewed

@@ -1,5 +1,5 @@
+import { beforeAll, describe, expect, test } from "bun:test";
 import { ensureTemporalPolyfill, getTemporal } from "@cosmicdrift/kumiko-framework/time";
-import { beforeAll, describe, expect, test } from "vitest";
 import { computeCutoff, InvalidKeepForError, isPastCutoff } from "../keep-for";
 beforeAll(async () => {

package/src/data-retention/__tests__/override-schema.test.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 // Tests fuer retentionOverrideSchema (S2.D2.5 M2+M3) — strict-Zod
 // faengt Sub-Level-Tippfehler + Strategy-Enum-Drift + keepFor-Format-Drift.
-import { describe, expect, test } from "vitest";
+import { describe, expect, test } from "bun:test";
 import { retentionOverrideSchema } from "../override-schema";
 describe("retentionOverrideSchema — accept-Faelle", () => {

package/src/data-retention/__tests__/policy-for.integration.ts CHANGED Viewed

@@ -2,6 +2,7 @@
 // API für Forget-Flow + Cleanup-Job. Round-trip: Override in DB seeden,
 // Query rufen, verify dass resolver Override greift.
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import {
   createEventStoreExecutor,
   createTenantDb,
@@ -15,7 +16,6 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { afterAll, beforeAll, describe, expect, test } from "vitest";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../feature";
 import { tenantRetentionOverrideTable } from "../schema/tenant-retention-override";

package/src/data-retention/__tests__/resolver.test.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 // Unit-Tests für resolveRetentionPolicy — pure function, keine
 // Test-Stack-Abhängigkeit.
+import { describe, expect, test } from "bun:test";
 import { createEntity, createTextField } from "@cosmicdrift/kumiko-framework/engine";
-import { describe, expect, test } from "vitest";
 import { resolveRetentionPolicy } from "../resolver";
 describe("resolveRetentionPolicy — Layer-Resolution", () => {

package/src/data-retention/handlers/policy-for.query.ts CHANGED Viewed

@@ -1,6 +1,5 @@
-import { fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { eq } from "drizzle-orm";
 import { z } from "zod";
 import { parseRetentionOverrideOrNull } from "../_internal/parse-override";
 import { type EffectiveRetentionPolicy, resolveRetentionPolicy } from "../resolver";
@@ -28,12 +27,10 @@ export const policyForQuery = defineQueryHandler({
     const entityName = query.payload.entityName;
     // Layer 3: Tenant-Override aus DB laden (UNIQUE(tenantId, entityName))
-    const overrideRow = (await fetchOne(
-      ctx.db,
-      tenantRetentionOverrideTable,
-      eq(tenantRetentionOverrideTable["tenantId"], query.user.tenantId),
-      eq(tenantRetentionOverrideTable["entityName"], entityName),
-    )) as { config: string | null } | null; // @cast-boundary db-runner
+    const overrideRow = (await fetchOne(ctx.db, tenantRetentionOverrideTable, {
+      tenantId: query.user.tenantId,
+      entityName,
+    })) as { config: string | null } | null; // @cast-boundary db-runner
     const tenantOverride = parseRetentionOverrideOrNull(
       overrideRow?.config ?? null,

package/src/data-retention/resolve-for-tenant.ts CHANGED Viewed

@@ -6,9 +6,9 @@
 // HandlerContext. Beide Pfade nutzen denselben `parseRetentionOverrideOrNull`
 // + `resolveRetentionPolicy`, also kein Drift-Risiko.
-import { type DbRunner, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import type { Registry, TenantId } from "@cosmicdrift/kumiko-framework/engine";
-import { eq } from "drizzle-orm";
 import { parseRetentionOverrideOrNull } from "./_internal/parse-override";
 import { type EffectiveRetentionPolicy, resolveRetentionPolicy } from "./resolver";
 import { tenantRetentionOverrideTable } from "./schema/tenant-retention-override";
@@ -23,12 +23,10 @@ export interface ResolveForTenantArgs {
 export async function resolveRetentionPolicyForTenant(
   args: ResolveForTenantArgs,
 ): Promise<EffectiveRetentionPolicy> {
-  const overrideRow = (await fetchOne(
-    args.db,
-    tenantRetentionOverrideTable,
-    eq(tenantRetentionOverrideTable["tenantId"], args.tenantId),
-    eq(tenantRetentionOverrideTable["entityName"], args.entityName),
-  )) as { config: string | null } | null; // @cast-boundary db-runner
+  const overrideRow = (await fetchOne(args.db, tenantRetentionOverrideTable, {
+    tenantId: args.tenantId,
+    entityName: args.entityName,
+  })) as { config: string | null } | null; // @cast-boundary db-runner
   const tenantOverride = parseRetentionOverrideOrNull(
     overrideRow?.config ?? null,

package/src/data-retention/schema/tenant-retention-override.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { buildDrizzleTable } from "@cosmicdrift/kumiko-framework/db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
 import {
   createEntity,
   createLongTextField,
@@ -41,7 +41,7 @@ export const tenantRetentionOverrideEntity = createEntity({
   indexes: [{ unique: true, columns: ["tenantId", "entityName"] }],
 });
-export const tenantRetentionOverrideTable = buildDrizzleTable(
+export const tenantRetentionOverrideTable = buildEntityTable(
   "tenantRetentionOverride",
   tenantRetentionOverrideEntity,
 );

package/src/delivery/__tests__/delivery-events.integration.ts CHANGED Viewed

@@ -6,6 +6,8 @@
 // aggregateType) fails loudly instead of breaking downstream consumers
 // (MSPs, audit-feature, event-replays) who subscribe by name.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
@@ -16,8 +18,7 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { eq } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { createChannelInAppFeature } from "../../channel-in-app/feature";
 import { inAppMessagesTable } from "../../channel-in-app/tables";
 import { createConfigFeature, createConfigResolver } from "../../config";
@@ -75,9 +76,7 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  // Fresh state per test so event-count assertions are deterministic.
-  await db.delete(eventsTable);
-  await db.delete(deliveryAttemptsTable);
+  await resetTestTables(db, [eventsTable, deliveryAttemptsTable]);
 });
 describe("delivery event shape", () => {
@@ -89,10 +88,7 @@ describe("delivery event shape", () => {
       admin.tenantId,
     );
-    const events = await db
-      .select()
-      .from(eventsTable)
-      .where(eq(eventsTable.aggregateType, "deliveryAttempt"));
+    const events = await selectMany(db, eventsTable, { aggregateType: "deliveryAttempt" });
     // One channel registered (in-app) → one delivery attempt → one event.
     expect(events).toHaveLength(1);
@@ -121,10 +117,7 @@ describe("delivery event shape", () => {
       admin.tenantId,
     );
-    const [event] = await db
-      .select()
-      .from(eventsTable)
-      .where(eq(eventsTable.aggregateType, "deliveryAttempt"));
+    const [event] = await selectMany(db, eventsTable, { aggregateType: "deliveryAttempt" });
     if (!event) throw new Error("expected one event");
     // The service schema-parses before append (see logDelivery), but we
@@ -145,10 +138,7 @@ describe("delivery event shape", () => {
       admin.tenantId,
     );
-    const [event] = await db
-      .select()
-      .from(eventsTable)
-      .where(eq(eventsTable.aggregateType, "deliveryAttempt"));
+    const [event] = await selectMany(db, eventsTable, { aggregateType: "deliveryAttempt" });
     if (!event) throw new Error("expected one event");
     // PK is unique — a matching row on `id === aggregateId` is already the
@@ -156,10 +146,7 @@ describe("delivery event shape", () => {
     // + tenantSecretsTable: projection-row PK IS the event aggregateId, so
     // a replay of the same event conflicts on the PK rather than
     // duplicating the log row.
-    const [row] = await db
-      .select()
-      .from(deliveryAttemptsTable)
-      .where(eq(deliveryAttemptsTable.id, event.aggregateId));
+    const [row] = await selectMany(db, deliveryAttemptsTable, { id: event.aggregateId });
     expect(row).toBeDefined();
     expect(row?.notificationType).toBe("example:notify:pk-link");
   });