npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.14.0 → 0.16.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/src/secrets/__tests__/secrets-events.integration.ts CHANGED Viewed

@@ -5,7 +5,9 @@
 // pins both paths so a silent rename breaks here, not in a compliance
 // audit query.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createEnvMasterKeyProvider,
@@ -17,8 +19,6 @@ import {
   type TestStack,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { eq } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createSecretsFeature } from "../feature";
 import {
   createSecretsContext,
@@ -59,8 +59,8 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(eventsTable);
-  await stack.db.delete(tenantSecretsTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${eventsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantSecretsTable.tableName}"`);
 });
 describe("tenantSecret lifecycle events", () => {
@@ -71,10 +71,7 @@ describe("tenantSecret lifecycle events", () => {
       admin,
     );
-    const created = await stack.db
-      .select()
-      .from(eventsTable)
-      .where(eq(eventsTable.type, "tenant-secret.created"));
+    const created = await selectMany(stack.db, eventsTable, { type: "tenant-secret.created" });
     expect(created.length).toBe(1);
     // aggregateType stable; downstream MSPs filter by this.
     expect(created[0]?.aggregateType).toBe("tenant-secret");
@@ -91,10 +88,7 @@ describe("tenantSecret lifecycle events", () => {
     );
     await stack.http.writeOk("secrets:write:delete", { key: "example.to.delete" }, admin);
-    const events = await stack.db
-      .select()
-      .from(eventsTable)
-      .where(eq(eventsTable.aggregateType, "tenant-secret"));
+    const events = await selectMany(stack.db, eventsTable, { aggregateType: "tenant-secret" });
     // Exactly 2 events on the same aggregate-stream: created + deleted.
     expect(events.length).toBe(2);

package/src/secrets/__tests__/secrets.integration.ts CHANGED Viewed

@@ -4,7 +4,9 @@
 // (samples/secrets-demo) shows the broader rotation + cross-feature flow;
 // this test covers just the feature's own handlers.
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createEnvMasterKeyProvider,
@@ -16,8 +18,6 @@ import {
   type TestStack,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { and, eq } from "drizzle-orm";
-import { afterAll, beforeAll, describe, expect, test } from "vitest";
 import { createSecretsFeature } from "../feature";
 import { createSecretsContext } from "../secrets-context";
 import { type StoredEnvelope, tenantSecretsTable } from "../table";
@@ -76,15 +76,10 @@ describe("secrets feature — CRUD round-trip", () => {
     expect(row?.kekVersion).toBe(1);
     // DB row holds an envelope, no plaintext
-    const [dbRow] = await stack.db
-      .select()
-      .from(tenantSecretsTable)
-      .where(
-        and(
-          eq(tenantSecretsTable.tenantId, admin.tenantId),
-          eq(tenantSecretsTable.key, "api.key.x"),
-        ),
-      );
+    const [dbRow] = await selectMany(stack.db, tenantSecretsTable, {
+      tenantId: admin.tenantId,
+      key: "api.key.x",
+    });
     if (!dbRow) throw new Error("row missing");
     const env = dbRow.envelope as StoredEnvelope;
     expect(env.ciphertext).toBeTruthy();

package/src/secrets/db/queries/read.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import type { StoredEnvelope } from "../../table";
+export async function selectTenantSecretEnvelope(
+  db: DbRunner,
+  tenantId: TenantId,
+  key: string,
+): Promise<StoredEnvelope | undefined> {
+  const rows = await asRawClient(db).unsafe<{ envelope: StoredEnvelope }>(
+    `SELECT envelope FROM read_tenant_secrets WHERE tenant_id = $1 AND key = $2 LIMIT 1`,
+    [tenantId, key],
+  );
+  return rows[0]?.envelope;
+}

package/src/secrets/handlers/list.query.ts CHANGED Viewed

@@ -1,5 +1,5 @@
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { eq } from "drizzle-orm";
 import { z } from "zod";
 import { tenantSecretsTable } from "../table";
@@ -11,28 +11,27 @@ export const listQuery = defineQueryHandler({
   schema: z.object({}),
   access: { roles: ["TenantAdmin"] },
   handler: async (event, ctx) => {
-    const rows = await ctx.db.raw
-      .select({
-        key: tenantSecretsTable.key,
-        kekVersion: tenantSecretsTable.kekVersion,
-        metadata: tenantSecretsTable.metadata,
-        lastRotatedAt: tenantSecretsTable.lastRotatedAt,
-        // Post-ES the projection uses the framework base-columns — `inserted_at`
-        // replaces the legacy `created_at`. Response stays on the `createdAt`
-        // key so Admin-UIs don't have to re-map.
-        createdAt: tenantSecretsTable.insertedAt,
-      })
-      .from(tenantSecretsTable)
-      .where(eq(tenantSecretsTable.tenantId, event.user.tenantId))
-      .orderBy(tenantSecretsTable.key);
+    const rows = await selectMany<{
+      key: string;
+      kekVersion: number;
+      metadata: { redactedPreview?: string; hint?: string };
+      lastRotatedAt: unknown;
+      insertedAt: unknown;
+    }>(
+      ctx.db.raw,
+      tenantSecretsTable,
+      { tenantId: event.user.tenantId },
+      {
+        orderBy: { col: "key", direction: "asc" },
+      },
+    );
     return rows.map((r) => ({
       key: r.key,
       redactedPreview: r.metadata.redactedPreview ?? null,
       hint: r.metadata.hint ?? null,
       kekVersion: r.kekVersion,
       lastRotatedAt: r.lastRotatedAt,
-      createdAt: r.createdAt,
+      createdAt: r.insertedAt,
     }));
   },
 });

package/src/secrets/handlers/rotate.job.ts CHANGED Viewed

@@ -17,6 +17,7 @@
 // that landed the row on the new kekVersion first surfaces here as a
 // version_conflict error (counted as "skipped", not "failed").
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEventStoreExecutor,
   createTenantDb,
@@ -26,7 +27,6 @@ import {
 import type { JobHandlerFn, SessionUser, TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
 import { rewrapDek } from "@cosmicdrift/kumiko-framework/secrets";
-import { ne } from "drizzle-orm";
 import { type StoredEnvelope, tenantSecretEntity, tenantSecretsTable } from "../table";
 const DEFAULT_BATCH_SIZE = 100;
@@ -100,17 +100,13 @@ export const rotateJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> =>
     }
     const targetVersion = provider.currentVersion();
-    const batch = await db
-      .select({
-        id: tenantSecretsTable.id,
-        tenantId: tenantSecretsTable.tenantId,
-        version: tenantSecretsTable.version,
-        envelope: tenantSecretsTable.envelope,
-        kekVersion: tenantSecretsTable.kekVersion,
-      })
-      .from(tenantSecretsTable)
-      .where(ne(tenantSecretsTable.kekVersion, targetVersion))
-      .limit(batchSize);
+    const batch = await selectMany<{
+      id: string;
+      tenantId: string;
+      version: number;
+      envelope: StoredEnvelope;
+      kekVersion: number;
+    }>(db, tenantSecretsTable, { kekVersion: { ne: targetVersion } }, { limit: batchSize });
     if (batch.length === 0) break;

package/src/secrets/secrets-context.ts CHANGED Viewed

@@ -12,11 +12,11 @@
 //           read logged") now sits on the events-table instead of a
 //           dedicated audit-table.
+import { fetchOne, transaction } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEventStoreExecutor,
   createTenantDb,
   type DbConnection,
-  fetchOne,
 } from "@cosmicdrift/kumiko-framework/db";
 import type { SessionUser } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, type WriteErrorInfo } from "@cosmicdrift/kumiko-framework/errors";
@@ -31,8 +31,8 @@ import {
   type SecretsContext,
 } from "@cosmicdrift/kumiko-framework/secrets";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
-import { and, eq } from "drizzle-orm";
 import { z } from "zod";
+import { selectTenantSecretEnvelope } from "./db/queries/read";
 import {
   type StoredEnvelope,
   type StoredMetadata,
@@ -118,12 +118,7 @@ export function createSecretsContext(opts: SecretsContextOptions): SecretsContex
   };
   async function lookup(tenantId: string, key: string): Promise<SecretLookupRow | undefined> {
-    return fetchOne<SecretLookupRow>(
-      db,
-      tenantSecretsTable,
-      eq(tenantSecretsTable.tenantId, tenantId),
-      eq(tenantSecretsTable.key, key),
-    );
+    return fetchOne<SecretLookupRow>(db, tenantSecretsTable, { tenantId, key });
   }
   return {
@@ -142,18 +137,11 @@ export function createSecretsContext(opts: SecretsContextOptions): SecretsContex
         return createSecret(plaintext);
       }
-      const plaintext = await db.transaction(async (tx) => {
-        // Inline select inside the TX — fetchOne's SelectChainDb shape
-        // doesn't widen to drizzle's tx-object cleanly. Structurally
-        // identical; the one-off repeat beats a double-cast at the
-        // call site.
-        const [row] = await tx
-          .select({ envelope: tenantSecretsTable.envelope })
-          .from(tenantSecretsTable)
-          .where(and(eq(tenantSecretsTable.tenantId, tenantId), eq(tenantSecretsTable.key, key)))
-          .limit(1);
-        if (!row) return undefined;
-        const envelope = row.envelope;
+      const plaintext = await transaction(db, async (tx) => {
+        // Inline select inside the TX via raw client — fetchOne's connection
+        // type doesn't widen to the transaction object cleanly.
+        const envelope = await selectTenantSecretEnvelope(tx, tenantId, key);
+        if (!envelope) return undefined;
         const pt = await decryptValue(decodeEnvelope(envelope), provider);
         // One event per read on its own aggregate-stream (fresh UUID as
@@ -173,7 +161,7 @@ export function createSecretsContext(opts: SecretsContextOptions): SecretsContex
           userId: auditCtx.userId,
           handlerName: auditCtx.handlerName,
         });
-        await append(tx, {
+        await append(tx as unknown as Parameters<typeof append>[0], {
           aggregateId: readId,
           aggregateType: "tenantSecretRead",
           tenantId,

package/src/secrets/table.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import {
   instant,
   integer,
   jsonb,
+  sql,
   table,
   text,
   uniqueIndex,
@@ -12,7 +13,6 @@ import {
   createNumberField,
   createTextField,
 } from "@cosmicdrift/kumiko-framework/engine";
-import { sql } from "drizzle-orm";
 // Envelope stored as a single jsonb blob. All ops are upsert-by-(tenantId, key)
 // so there's no value in decomposing the envelope into separate columns —

package/src/sessions/__tests__/cleanup.integration.ts CHANGED Viewed

@@ -4,6 +4,9 @@
 // exercised by the framework's job tests. Here we pin the semantics: old
 // expired/revoked rows go, live rows stay, batching + signal work.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { insertOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { sql } from "@cosmicdrift/kumiko-framework/db";
 import type { AppContext } from "@cosmicdrift/kumiko-framework/engine";
 import {
   setupTestStack,
@@ -11,8 +14,7 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { sql } from "drizzle-orm";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { createSessionsFeature } from "../feature";
 import { cleanupJob } from "../handlers/cleanup.job";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
@@ -46,7 +48,7 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userSessionTable);
+  await resetTestTables(stack.db, [userSessionTable]);
 });
 type JobCtx = Pick<AppContext, "db" | "registry" | "log">;
@@ -74,7 +76,7 @@ async function seedSession(opts: {
   const past = sql`now() - ${sql.raw(`interval '${opts.ageDays} days'`)}`;
   const future = sql`now() + ${sql.raw(`interval '30 days'`)}`;
-  await stack.db.insert(userSessionTable).values({
+  await insertOne(stack.db, userSessionTable, {
     id: opts.id,
     tenantId: TENANT,
     userId: opts.userId,
@@ -88,7 +90,7 @@ async function seedSession(opts: {
 }
 async function countSessions(): Promise<number> {
-  const rows = await stack.db.select().from(userSessionTable);
+  const rows = await selectMany(stack.db, userSessionTable);
   return rows.length;
 }
@@ -111,7 +113,7 @@ describe("sessions cleanup job — purge expired/revoked rows", () => {
     await cleanupJob({}, jobCtx());
     expect(await countSessions()).toBe(1);
-    const [remaining] = await stack.db.select().from(userSessionTable);
+    const [remaining] = await selectMany(stack.db, userSessionTable);
     expect(remaining?.["revokedAt"]).toBeNull();
   });

package/src/sessions/__tests__/password-auto-revoke.integration.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, mock, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -9,7 +11,6 @@ import {
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { createLateBoundHolder } from "@cosmicdrift/kumiko-framework/testing";
-import { afterAll, beforeAll, beforeEach, describe, expect, test, vi } from "vitest";
 import { AuthHandlers } from "../../auth-email-password/constants";
 import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
 import { createConfigFeature } from "../../config";
@@ -38,7 +39,7 @@ const callbacks = createLateBoundHolder<SessionCallbacks>("session-callbacks");
 // vi.fn spy for the revoker — lets us assert exact call counts and arguments
 // per test without leaking module-level mutable state across suites.
-const massRevokeSpy = vi.fn<(userId: string) => Promise<number>>();
+const massRevokeSpy = mock<(userId: string) => Promise<number>>();
 const encryptionKey = randomBytes(32).toString("base64");
@@ -88,9 +89,9 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(userSessionTable);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${tenantMembershipsTable.tableName}"`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM "${userSessionTable.tableName}"`);
   massRevokeSpy.mockClear();
 });
@@ -143,7 +144,7 @@ describe("password change mass-revokes every live session", () => {
     ).toBe(401);
     // DB state confirms: zero live rows for this user
-    const liveRows = await stack.db.select().from(userSessionTable);
+    const liveRows = await selectMany(stack.db, userSessionTable);
     const stillLive = liveRows.filter((r) => r["revokedAt"] === null);
     expect(stillLive).toHaveLength(0);

package/src/sessions/__tests__/sessions.integration.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
+import { deleteMany, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import {
@@ -8,10 +10,8 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
-import { createLateBoundHolder } from "@cosmicdrift/kumiko-framework/testing";
-import { and, eq } from "drizzle-orm";
+import { createLateBoundHolder, resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { Temporal } from "temporal-polyfill";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { AuthHandlers } from "../../auth-email-password/constants";
 import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
 import { createConfigFeature } from "../../config";
@@ -75,9 +75,7 @@ afterAll(async () => {
 });
 beforeEach(async () => {
-  await stack.db.delete(userTable);
-  await stack.db.delete(tenantMembershipsTable);
-  await stack.db.delete(userSessionTable);
+  await resetTestTables(stack.db, [userTable, tenantMembershipsTable, userSessionTable]);
 });
 describe("sessions feature — login → check → revoke → rejected", () => {
@@ -85,7 +83,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     await h.seedUser("persist@example.com", "pw-long-enough");
     const { sid } = await h.login("persist@example.com", "pw-long-enough");
-    const rows = await stack.db.select().from(userSessionTable);
+    const rows = await selectMany(stack.db, userSessionTable);
     expect(rows).toHaveLength(1);
     expect(rows[0]?.["id"]).toBe(sid);
     expect(rows[0]?.["revokedAt"]).toBeNull();
@@ -126,7 +124,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     const logoutRes = await h.authedPost("/api/auth/logout", token);
     expect(logoutRes.status).toBe(200);
-    const rows = await stack.db.select().from(userSessionTable);
+    const rows = await selectMany(stack.db, userSessionTable);
     expect(rows[0]?.["id"]).toBe(sid);
     expect(rows[0]?.["revokedAt"]).not.toBeNull();
@@ -153,10 +151,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     });
     expect(firstRevoke.status).toBe(200);
-    const [rowAfterFirst] = await stack.db
-      .select()
-      .from(userSessionTable)
-      .where(eq(userSessionTable["id"], first.sid));
+    const [rowAfterFirst] = await selectMany(stack.db, userSessionTable, { id: first.sid });
     const originalRevokedAt = rowAfterFirst?.["revokedAt"] as Temporal.Instant | null;
     expect(originalRevokedAt).not.toBeNull();
@@ -173,10 +168,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     expect(body.error?.details?.reason).toBe("session_already_revoked");
     // Audit: the retry must NOT have touched the row. Same timestamp as t1.
-    const [rowAfterRetry] = await stack.db
-      .select()
-      .from(userSessionTable)
-      .where(eq(userSessionTable["id"], first.sid));
+    const [rowAfterRetry] = await selectMany(stack.db, userSessionTable, { id: first.sid });
     const preservedRevokedAt = rowAfterRetry?.["revokedAt"] as Temporal.Instant | null;
     expect(preservedRevokedAt?.epochMilliseconds).toBe(originalRevokedAt?.epochMilliseconds);
   });
@@ -340,10 +332,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     // not a bypass hack). If the audit-guard were missing, the second
     // readout would move forward because one of the late racers would
     // have overwritten t1.
-    const [row] = await stack.db
-      .select()
-      .from(userSessionTable)
-      .where(eq(userSessionTable["id"], sid));
+    const [row] = await selectMany(stack.db, userSessionTable, { id: sid });
     const tAfterRace = row?.["revokedAt"] as Temporal.Instant | null;
     expect(tAfterRace).not.toBeNull();
@@ -356,10 +345,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     });
     expect(retry.status).toBe(422);
-    const [rowAfterRetry] = await stack.db
-      .select()
-      .from(userSessionTable)
-      .where(eq(userSessionTable["id"], sid));
+    const [rowAfterRetry] = await selectMany(stack.db, userSessionTable, { id: sid });
     const tAfterRetry = rowAfterRetry?.["revokedAt"] as Temporal.Instant | null;
     expect(tAfterRetry?.epochMilliseconds).toBe(tAfterRace?.epochMilliseconds);
@@ -381,7 +367,7 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     // Hard-delete the session row so it's gone from the store (as opposed to
     // soft-revoked). The JWT stays syntactically valid.
-    await stack.db.delete(userSessionTable).where(eq(userSessionTable["id"], sid));
+    await deleteMany(stack.db, userSessionTable, { id: sid });
     const res = await h.authedPost("/api/query", token, {
       type: "user:query:user:me",
@@ -398,10 +384,12 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     // Back-date expiresAt so the row is still present + not revoked, just
     // past its window. Simulates what a long-lived JWT would hit.
-    await stack.db
-      .update(userSessionTable)
-      .set({ expiresAt: Temporal.Instant.from("2020-01-01T00:00:00Z") })
-      .where(eq(userSessionTable["id"], sid));
+    await updateMany(
+      stack.db,
+      userSessionTable,
+      { expiresAt: Temporal.Instant.from("2020-01-01T00:00:00Z") },
+      { id: sid },
+    );
     const res = await h.authedPost("/api/query", token, {
       type: "user:query:user:me",
@@ -434,15 +422,12 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     // so she gets a fresh JWT with the new role in its claims. This is the
     // actual production path — roles are tenant-membership data, not JWT
     // metadata we can fiddle with directly.
-    await stack.db
-      .update(tenantMembershipsTable)
-      .set({ roles: JSON.stringify(["Admin"]) })
-      .where(
-        and(
-          eq(tenantMembershipsTable.userId, aliceId),
-          eq(tenantMembershipsTable.tenantId, TENANT),
-        ),
-      );
+    await updateMany(
+      stack.db,
+      tenantMembershipsTable,
+      { roles: JSON.stringify(["Admin"]) },
+      { userId: aliceId, tenantId: TENANT },
+    );
     const aliceAsAdmin = await h.login("alice2@example.com", "pw-long-enough");
     const asAdmin = await h.authedPost("/api/query", aliceAsAdmin.token, {

package/src/sessions/__tests__/test-helpers.ts CHANGED Viewed

@@ -8,10 +8,10 @@
 //   const { token, sid } = await h.login("x@example.com", "pw");
 //   const res = await h.authedPost("/api/query", token, { type, payload });
+import { expect } from "bun:test";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { type TestStack, TestUsers } from "@cosmicdrift/kumiko-framework/stack";
 import * as jose from "jose";
-import { expect } from "vitest";
 import { hashPassword } from "../../auth-email-password/password-hashing";
 import { seedTenantMembership } from "../../tenant/seeding";
 import { UserHandlers } from "../../user";

package/src/sessions/db/queries/cleanup.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+export async function deleteStaleSessionsBatch(
+  db: DbConnection,
+  olderThanDays: number,
+  batchSize: number,
+): Promise<number> {
+  const rows = (await asRawClient(db).unsafe(
+    `DELETE FROM "read_user_sessions"
+     WHERE "id" IN (
+       SELECT "id" FROM "read_user_sessions"
+       WHERE "expires_at" < now() - ($1::int * interval '1 day')
+          OR "revoked_at" < now() - ($1::int * interval '1 day')
+       LIMIT $2
+     )
+     RETURNING "id"`,
+    [olderThanDays, batchSize],
+  )) as readonly { id: string }[];
+  return rows.length;
+}

package/src/sessions/handlers/cleanup.job.ts CHANGED Viewed

@@ -20,8 +20,7 @@
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { JobHandlerFn } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
-import { or, sql } from "drizzle-orm";
-import { userSessionTable } from "../schema/user-session";
+import { deleteStaleSessionsBatch } from "../db/queries/cleanup";
 const DEFAULT_OLDER_THAN_DAYS = 30;
 const DEFAULT_BATCH_SIZE = 1000;
@@ -45,10 +44,8 @@ export const cleanupJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> =
       message: "[sessions:cleanup] ctx.db missing — job context requires a database connection.",
     });
   }
-  const db = ctx.db as DbConnection; // @cast-boundary db-operator
+  const db = ctx.db as DbConnection;
-  // Coerce-and-validate: BullMQ payloads arrive as opaque JSON, so TS types
-  // don't survive. Guard before the value is interpolated into SQL.
   const olderThanDaysRaw = payload.olderThanDays ?? DEFAULT_OLDER_THAN_DAYS;
   const olderThanDays = Number(olderThanDaysRaw);
   if (!Number.isFinite(olderThanDays) || olderThanDays < 0 || !Number.isInteger(olderThanDays)) {
@@ -61,8 +58,6 @@ export const cleanupJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> =
     ? Date.now() + payload.maxDurationMs
     : Number.POSITIVE_INFINITY;
-  const cutoff = sql`now() - (${olderThanDays} * interval '1 day')`;
   let deleted = 0;
   let batchesProcessed = 0;
   let stoppedReason: SessionCleanupResult["stoppedReason"] = "empty";
@@ -77,31 +72,13 @@ export const cleanupJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> =
       break;
     }
-    // DELETE-by-id-subquery with an explicit LIMIT so the lock stays short.
-    // The WHERE clause is the safety net: we only touch rows that are
-    // PAST-CUTOFF (expired OR revoked), never currently-live sessions. A
-    // null-check in PG semantics: `x < cutoff` already excludes null.
-    const rows = await db
-      .delete(userSessionTable)
-      .where(
-        sql`${userSessionTable["id"]} in (
-          select ${userSessionTable["id"]}
-          from ${userSessionTable}
-          where ${or(
-            sql`${userSessionTable["expiresAt"]} < ${cutoff}`,
-            sql`${userSessionTable["revokedAt"]} < ${cutoff}`,
-          )}
-          limit ${batchSize}
-        )`,
-      )
-      .returning({ id: userSessionTable["id"] });
-    if (rows.length === 0) break;
+    const batchDeleted = await deleteStaleSessionsBatch(db, olderThanDays, batchSize);
+    if (batchDeleted === 0) break;
-    deleted += rows.length;
+    deleted += batchDeleted;
     batchesProcessed++;
-    if (rows.length < batchSize) break;
+    if (batchDeleted < batchSize) break;
   }
   const result: SessionCleanupResult = { deleted, batchesProcessed, stoppedReason };