npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.14.0 → 0.16.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/src/sessions/handlers/list.query.ts CHANGED Viewed

@@ -1,35 +1,35 @@
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { access, defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { desc } from "drizzle-orm";
 import { z } from "zod";
 import { userSessionTable } from "../schema/user-session";
-// Admin view of every session in the active tenant. Tenant admins use this
-// to investigate "who is logged in right now" or revoke a suspicious
-// device. Unlike `session:mine` this does NOT filter by userId — it's the
-// whole tenant. Tenant-scoping comes from ctx.db (TenantDb applies a tenant
-// filter automatically on select from tables with a tenantId column), so
-// cross-tenant bleed is impossible.
-//
-// Includes revoked rows too — distinct column in the response tells the UI
-// which entries are historical vs. live. The default ordering puts the
-// newest first so a security review starts at the recent activity.
+// Admin view of every session in the active tenant. ctx.db (TenantDb)
+// applies tenant-scoping automatically on selects from tables with a
+// tenantId column. Includes revoked rows; UI shows revokedAt distinct.
 export const listQuery = defineQueryHandler({
   name: "user-session:list",
   schema: z.object({}),
   access: { roles: access.admin },
   handler: async (_query, ctx) => {
-    const rows = await ctx.db
-      .select({
-        id: userSessionTable["id"],
-        userId: userSessionTable["userId"],
-        createdAt: userSessionTable["createdAt"],
-        expiresAt: userSessionTable["expiresAt"],
-        revokedAt: userSessionTable["revokedAt"],
-        ip: userSessionTable["ip"],
-        userAgent: userSessionTable["userAgent"],
-      })
-      .from(userSessionTable)
-      .orderBy(desc(userSessionTable["createdAt"]));
-    return rows;
+    const rows = await selectMany<{
+      id: string;
+      userId: string;
+      createdAt: unknown;
+      expiresAt: unknown;
+      revokedAt: unknown;
+      ip: string | null;
+      userAgent: string | null;
+    }>(ctx.db, userSessionTable, undefined, {
+      orderBy: { col: "createdAt", direction: "desc" },
+    });
+    return rows.map((r) => ({
+      id: r.id,
+      userId: r.userId,
+      createdAt: r.createdAt,
+      expiresAt: r.expiresAt,
+      revokedAt: r.revokedAt,
+      ip: r.ip,
+      userAgent: r.userAgent,
+    }));
   },
 });

package/src/sessions/handlers/mine.query.ts CHANGED Viewed

@@ -1,37 +1,38 @@
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { and, desc, eq, isNull } from "drizzle-orm";
 import { z } from "zod";
 import { userSessionTable } from "../schema/user-session";
 // "My live sessions" — the backing data for a devices/sessions UI. Returns
 // ONLY the current user's own, currently-live sessions, ordered by most-
-// recently-used first. Revoked rows are excluded (they survive in DB for
-// audit but the UI shouldn't show them as active).
-//
-// Note the `current` marker: we compare against the caller's `user.sid` so
-// the UI can label the entry the user is looking at ("this device"). A user
-// without a sid (stateless-JWT deployment) will simply see `current: false`
-// on every row — the feature still works, just without the marker.
+// recently-used first. Revoked rows excluded (revokedAt IS NULL).
 export const mineQuery = defineQueryHandler({
   name: "user-session:mine",
   schema: z.object({}),
   access: { openToAll: true },
   handler: async (query, ctx) => {
-    const rows = await ctx.db
-      .select({
-        id: userSessionTable["id"],
-        createdAt: userSessionTable["createdAt"],
-        expiresAt: userSessionTable["expiresAt"],
-        ip: userSessionTable["ip"],
-        userAgent: userSessionTable["userAgent"],
-      })
-      .from(userSessionTable)
-      .where(
-        and(eq(userSessionTable["userId"], query.user.id), isNull(userSessionTable["revokedAt"])),
-      )
-      .orderBy(desc(userSessionTable["createdAt"]));
+    const rows = await selectMany<{
+      id: string;
+      createdAt: unknown;
+      expiresAt: unknown;
+      ip: string | null;
+      userAgent: string | null;
+    }>(
+      ctx.db,
+      userSessionTable,
+      { userId: query.user.id, revokedAt: null },
+      {
+        orderBy: { col: "createdAt", direction: "desc" },
+      },
+    );
     const currentSid = query.user.sid;
-    return rows.map((r) => ({ ...r, current: currentSid === r["id"] }));
+    return rows.map((r) => ({
+      id: r.id,
+      createdAt: r.createdAt,
+      expiresAt: r.expiresAt,
+      ip: r.ip,
+      userAgent: r.userAgent,
+      current: currentSid === r.id,
+    }));
   },
 });

package/src/sessions/handlers/revoke-all-for-user.write.ts CHANGED Viewed

@@ -1,5 +1,5 @@
+import { updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { access, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { and, eq, isNull } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
 import { userSessionTable } from "../schema/user-session";
@@ -23,16 +23,12 @@ export const revokeAllForUserWrite = defineWriteHandler({
   }),
   access: { roles: access.privileged },
   handler: async (event, ctx) => {
-    const updated = await ctx.db.raw
-      .update(userSessionTable)
-      .set({ revokedAt: Temporal.Now.instant() })
-      .where(
-        and(
-          eq(userSessionTable["userId"], event.payload.userId),
-          isNull(userSessionTable["revokedAt"]),
-        ),
-      )
-      .returning();
+    const updated = await updateMany(
+      ctx.db.raw,
+      userSessionTable,
+      { revokedAt: Temporal.Now.instant() },
+      { userId: event.payload.userId, revokedAt: null },
+    );
     return {
       isSuccess: true as const,

package/src/sessions/handlers/revoke-all-others.write.ts CHANGED Viewed

@@ -1,6 +1,6 @@
+import { updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
-import { and, eq, isNull, ne } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
 import { SessionErrors } from "../constants";
@@ -25,17 +25,12 @@ export const revokeAllOthersWrite = defineWriteHandler({
       );
     }
-    const updated = await ctx.db
-      .update(userSessionTable)
-      .set({ revokedAt: Temporal.Now.instant() })
-      .where(
-        and(
-          eq(userSessionTable["userId"], event.user.id),
-          isNull(userSessionTable["revokedAt"]),
-          ne(userSessionTable["id"], keepSid),
-        ),
-      )
-      .returning();
+    const updated = await updateMany(
+      ctx.db,
+      userSessionTable,
+      { revokedAt: Temporal.Now.instant() },
+      { userId: event.user.id, revokedAt: null, id: { ne: keepSid } },
+    );
     return { isSuccess: true, data: { count: updated.length } };
   },

package/src/sessions/handlers/revoke.write.ts CHANGED Viewed

@@ -1,6 +1,6 @@
+import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
-import { and, eq, isNull } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
 import { z } from "zod";
 import { SessionErrors } from "../constants";
@@ -28,17 +28,12 @@ export const revokeWrite = defineWriteHandler({
   }),
   access: { openToAll: true },
   handler: async (event, ctx) => {
-    const updated = await ctx.db
-      .update(userSessionTable)
-      .set({ revokedAt: Temporal.Now.instant() })
-      .where(
-        and(
-          eq(userSessionTable["id"], event.payload.id),
-          eq(userSessionTable["userId"], event.user.id),
-          isNull(userSessionTable["revokedAt"]),
-        ),
-      )
-      .returning();
+    const updated = await updateMany(
+      ctx.db,
+      userSessionTable,
+      { revokedAt: Temporal.Now.instant() },
+      { id: event.payload.id, userId: event.user.id, revokedAt: null },
+    );
     if (updated.length > 0) {
       return { isSuccess: true, data: { id: event.payload.id } };
@@ -46,13 +41,11 @@ export const revokeWrite = defineWriteHandler({
     // Zero rows touched — disambiguate between "not yours" and "already
     // revoked" via a point-read. Only hits on the error path.
-    const [row] = await ctx.db
-      .select({ userId: userSessionTable["userId"], revokedAt: userSessionTable["revokedAt"] })
-      .from(userSessionTable)
-      .where(eq(userSessionTable["id"], event.payload.id))
-      .limit(1);
+    const row = await fetchOne<{ userId: string; revokedAt: unknown }>(ctx.db, userSessionTable, {
+      id: event.payload.id,
+    });
-    if (row && row["userId"] === event.user.id && row["revokedAt"] !== null) {
+    if (row && row.userId === event.user.id && row.revokedAt !== null) {
       return writeFailure(
         new UnprocessableError(SessionErrors.alreadyRevoked, {
           i18nKey: "sessions.errors.alreadyRevoked",

package/src/sessions/schema/user-session.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { buildDrizzleTable } from "@cosmicdrift/kumiko-framework/db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
 import {
   access,
   createEntity,
@@ -64,4 +64,4 @@ export const userSessionEntity = createEntity({
   },
 });
-export const userSessionTable = buildDrizzleTable("user_session", userSessionEntity);
+export const userSessionTable = buildEntityTable("user_session", userSessionEntity);

package/src/sessions/session-callbacks.ts CHANGED Viewed

@@ -5,10 +5,10 @@ import type {
   SessionMetadata,
   SessionRevoker,
 } from "@cosmicdrift/kumiko-framework/api";
+import { fetchOne, insertOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { SessionUser } from "@cosmicdrift/kumiko-framework/engine";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
-import { and, eq, isNull } from "drizzle-orm";
 import { Temporal } from "temporal-polyfill";
 import { DEFAULT_SESSION_EXPIRY_MS } from "./constants";
 import { userSessionTable } from "./schema/user-session";
@@ -46,7 +46,7 @@ export function createSessionCallbacks(opts: SessionCallbacksOptions): SessionCa
       const sid = generateId();
       const now = Temporal.Now.instant();
       const expiresAt = now.add({ milliseconds: ttlMs });
-      await db.insert(userSessionTable).values({
+      await insertOne(db, userSessionTable, {
         id: sid,
         tenantId: user.tenantId,
         userId: user.id,
@@ -64,23 +64,20 @@ export function createSessionCallbacks(opts: SessionCallbacksOptions): SessionCa
       // original timestamp. Double-revoke races land here via logout +
       // switch-tenant on the same sid. (Password-change uses a different
       // callback — sessionMassRevoker — and isn't in scope for this guard.)
-      await db
-        .update(userSessionTable)
-        .set({ revokedAt: Temporal.Now.instant() })
-        .where(and(eq(userSessionTable.id, sid), isNull(userSessionTable.revokedAt)));
+      await updateMany(
+        db,
+        userSessionTable,
+        { revokedAt: Temporal.Now.instant() },
+        { id: sid, revokedAt: null },
+      );
     },
     async sessionChecker(sid: string, expectedUserId: string): Promise<AuthSessionStatus> {
-      const rows = await db
-        .select({
-          userId: userSessionTable.userId,
-          revokedAt: userSessionTable.revokedAt,
-          expiresAt: userSessionTable.expiresAt,
-        })
-        .from(userSessionTable)
-        .where(eq(userSessionTable.id, sid))
-        .limit(1);
-      const row = rows[0];
+      const row = await fetchOne<{
+        userId: string;
+        revokedAt: unknown;
+        expiresAt: { epochMilliseconds: number };
+      }>(db, userSessionTable, { id: sid });
       if (!row) return "missing";
       // Cross-user check: if the sid belongs to someone else, treat it
       // identically to "missing" so a compromised sid paired with a valid
@@ -99,11 +96,12 @@ export function createSessionCallbacks(opts: SessionCallbacksOptions): SessionCa
     async sessionMassRevoker(userId: string): Promise<number> {
       // Count is accurate because we only touch live rows — a previously
       // revoked row stays in its state and isn't double-counted.
-      const result = await db
-        .update(userSessionTable)
-        .set({ revokedAt: Temporal.Now.instant() })
-        .where(and(eq(userSessionTable.userId, userId), isNull(userSessionTable.revokedAt)))
-        .returning({ id: userSessionTable.id });
+      const result = await updateMany(
+        db,
+        userSessionTable,
+        { revokedAt: Temporal.Now.instant() },
+        { userId, revokedAt: null },
+      );
       return result.length;
     },
   };

package/src/subscription-mollie/__tests__/feature.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 // feature.ts contract tests for subscription-mollie.
-import { describe, expect, test } from "vitest";
+import { describe, expect, test } from "bun:test";
 import { MOLLIE_PROVIDER_NAME, SUBSCRIPTION_MOLLIE_FEATURE } from "../constants";
 import { createSubscriptionMollieFeature } from "../feature";

package/src/subscription-mollie/__tests__/mollie-foundation.integration.ts CHANGED Viewed

@@ -18,6 +18,7 @@
 // Unit-Tests (verify-webhook.test.ts) abgedeckt, aber die Verdrahtung
 // von factory bis foundation-DB-row beweist nur dieser Test.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import {
   billingFoundationFeature,
   createSubscriptionWebhookHandler,
@@ -38,7 +39,6 @@ import type {
   Subscription as MollieSubscription,
 } from "@mollie/api-client";
 import { Hono } from "hono";
-import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
 import { createSubscriptionMollieFeature } from "../feature";
 import type { MollieClientShape } from "../verify-webhook";

package/src/subscription-mollie/__tests__/verify-webhook.test.ts CHANGED Viewed

@@ -3,11 +3,11 @@
 // als minimal-mock-shape (`MollieClientShape`) injiziert; Plugin-
 // Verhalten ist vom konkreten Mollie-SDK entkoppelt.
+import { describe, expect, mock, test } from "bun:test";
 import {
   SubscriptionEventTypes,
   SubscriptionStatuses,
 } from "@cosmicdrift/kumiko-bundled-features/billing-foundation";
-import { describe, expect, test, vi } from "vitest";
 import {
   extractMollieId,
   type MollieClientShape,
@@ -61,18 +61,18 @@ function buildClient(
 ): MollieClientShape {
   return {
     payments: {
-      get: vi.fn(async () => {
+      get: mock(async () => {
         if (overrides.paymentReject) throw overrides.paymentReject;
         return overrides.paymentResolve ?? buildMockPayment();
       }),
     },
     customerSubscriptions: {
-      get: vi.fn(async () => {
+      get: mock(async () => {
         if (overrides.subReject) throw overrides.subReject;
         return overrides.subResolve ?? buildMockSubscription();
       }),
-      list: vi.fn(async () => overrides.listResolve ?? []),
-      create: vi.fn(
+      list: mock(async () => overrides.listResolve ?? []),
+      create: mock(
         async () => overrides.createResolve ?? buildMockSubscription({ id: "sub_just_created" }),
       ),
     },
@@ -197,7 +197,8 @@ describe("verifyAndParseMollieWebhook — mandate-setup-flow (= first-payment-pa
     expect(event).not.toBeNull();
     expect(event?.type).toBe(SubscriptionEventTypes.created);
     expect(event?.providerSubscriptionId).toBe("sub_just_created");
-    expect(client.customerSubscriptions.create).toHaveBeenCalledExactlyOnceWith("cst_test_001", {
+    expect(client.customerSubscriptions.create).toHaveBeenCalledTimes(1);
+    expect(client.customerSubscriptions.create).toHaveBeenCalledWith("cst_test_001", {
       amount: { currency: "EUR", value: "9.99" },
       interval: "1 month",
       description: "Pro-Abo monatlich",
@@ -250,7 +251,7 @@ describe("verifyAndParseMollieWebhook — mandate-setup-flow (= first-payment-pa
     const event = await verify(client)("id=tr_upgrade", {});
     expect(event?.providerSubscriptionId).toBe("sub_pro_new");
-    expect(client.customerSubscriptions.create).toHaveBeenCalledOnce();
+    expect(client.customerSubscriptions.create).toHaveBeenCalledTimes(1);
   });
 });

package/src/subscription-stripe/__tests__/feature.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 // feature.ts contract tests for subscription-stripe.
-import { describe, expect, test } from "vitest";
+import { describe, expect, test } from "bun:test";
 import { STRIPE_PROVIDER_NAME, StripeEventTypes, SUBSCRIPTION_STRIPE_FEATURE } from "../constants";
 import { createSubscriptionStripeFeature } from "../feature";

package/src/subscription-stripe/__tests__/plugin-methods.test.ts CHANGED Viewed

@@ -1,11 +1,11 @@
 // Unit-Tests für die Stripe-Plugin-Methoden (createCheckoutSession,
 // createPortalSession, cancelSubscription). Stripe-SDK-calls werden via
-// vi.spyOn gemockt — wir testen unsere Mapping-Logik (Argumente die wir
+// spyOn gemockt — wir testen unsere Mapping-Logik (Argumente die wir
 // an Stripe schicken + Antwort-Parsing), NICHT Stripe selbst.
+import { describe, expect, spyOn, test } from "bun:test";
 import type { HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import Stripe from "stripe";
-import { describe, expect, test, vi } from "vitest";
 import {
   createStripeCancelSubscription,
   createStripeCheckoutSession,
@@ -27,8 +27,7 @@ const stubCtx = {} as HandlerContext;
 describe("createStripeCheckoutSession", () => {
   test("ruft stripe.checkout.sessions.create mit mode=subscription + tenant-metadata", async () => {
     const stripe = buildStripe();
-    const createMock = vi
-      .spyOn(stripe.checkout.sessions, "create")
+    const createMock = spyOn(stripe.checkout.sessions, "create")
       // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
       .mockResolvedValue({ url: "https://checkout.stripe.com/c/pay/test" } as any);
@@ -41,7 +40,8 @@ describe("createStripeCheckoutSession", () => {
     });
     expect(result).toEqual({ url: "https://checkout.stripe.com/c/pay/test" });
-    expect(createMock).toHaveBeenCalledExactlyOnceWith({
+    expect(createMock).toHaveBeenCalledTimes(1);
+    expect(createMock).toHaveBeenCalledWith({
       mode: "subscription",
       line_items: [{ price: "price_pro_monthly", quantity: 1 }],
       success_url: "https://example.com/success",
@@ -57,8 +57,7 @@ describe("createStripeCheckoutSession", () => {
   test("passes existing customer-id wenn gesetzt (Plan-Wechsel-Flow)", async () => {
     const stripe = buildStripe();
-    const createMock = vi
-      .spyOn(stripe.checkout.sessions, "create")
+    const createMock = spyOn(stripe.checkout.sessions, "create")
       // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
       .mockResolvedValue({ url: "https://x" } as any);
@@ -78,7 +77,7 @@ describe("createStripeCheckoutSession", () => {
   test("throws wenn Stripe keine url returnt (defensive — sollte nie passieren bei mode=subscription)", async () => {
     const stripe = buildStripe();
-    vi.spyOn(stripe.checkout.sessions, "create")
+    spyOn(stripe.checkout.sessions, "create")
       // biome-ignore lint/suspicious/noExplicitAny: SDK-Drift-Test
       .mockResolvedValue({ url: null } as any);
@@ -99,7 +98,7 @@ describe("createStripeCheckoutSession", () => {
     // throw kriegt + zur HTTP 500 mapped (transient — Provider/Stripe
     // soll retried werden statt silent-success-mit-leerer-URL).
     const stripe = buildStripe();
-    vi.spyOn(stripe.checkout.sessions, "create").mockRejectedValue(
+    spyOn(stripe.checkout.sessions, "create").mockRejectedValue(
       new Error("Stripe API: Internal server error"),
     );
@@ -122,8 +121,7 @@ describe("createStripeCheckoutSession", () => {
 describe("createStripePortalSession", () => {
   test("ruft stripe.billingPortal.sessions.create mit customer + return_url", async () => {
     const stripe = buildStripe();
-    const createMock = vi
-      .spyOn(stripe.billingPortal.sessions, "create")
+    const createMock = spyOn(stripe.billingPortal.sessions, "create")
       // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
       .mockResolvedValue({ url: "https://billing.stripe.com/p/session/test" } as any);
@@ -134,7 +132,8 @@ describe("createStripePortalSession", () => {
     });
     expect(result).toEqual({ url: "https://billing.stripe.com/p/session/test" });
-    expect(createMock).toHaveBeenCalledExactlyOnceWith({
+    expect(createMock).toHaveBeenCalledTimes(1);
+    expect(createMock).toHaveBeenCalledWith({
       customer: "cus_001",
       return_url: "https://example.com/return",
     });
@@ -148,14 +147,14 @@ describe("createStripePortalSession", () => {
 describe("createStripeCancelSubscription", () => {
   test("ruft stripe.subscriptions.cancel mit subscription-id", async () => {
     const stripe = buildStripe();
-    const cancelMock = vi
-      .spyOn(stripe.subscriptions, "cancel")
+    const cancelMock = spyOn(stripe.subscriptions, "cancel")
       // biome-ignore lint/suspicious/noExplicitAny: Stripe-SDK-typed mock-return
       .mockResolvedValue({ id: "sub_001", status: "canceled" } as any);
     const cancel = createStripeCancelSubscription(stripe);
     await cancel(stubCtx, "sub_001");
-    expect(cancelMock).toHaveBeenCalledExactlyOnceWith("sub_001");
+    expect(cancelMock).toHaveBeenCalledTimes(1);
+    expect(cancelMock).toHaveBeenCalledWith("sub_001");
   });
 });

package/src/subscription-stripe/__tests__/stripe-foundation.integration.ts CHANGED Viewed

@@ -12,6 +12,7 @@
 // Stripe-output liefert). Dieser Test fängt das Spalten-Mapping +
 // Verdrahtungs-Bugs ab.
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import {
   billingFoundationFeature,
   createSubscriptionWebhookHandler,
@@ -29,7 +30,6 @@ import {
 } from "@cosmicdrift/kumiko-framework/stack";
 import { Hono } from "hono";
 import Stripe from "stripe";
-import { afterAll, beforeAll, describe, expect, test } from "vitest";
 import { createSubscriptionStripeFeature } from "../feature";
 // =============================================================================

package/src/subscription-stripe/__tests__/verify-webhook.test.ts CHANGED Viewed

@@ -7,12 +7,12 @@
 // events sind >100 Felder; full-fidelity-fixtures wären Maintenance-
 // Aufwand ohne Test-Wert.
+import { describe, expect, test } from "bun:test";
 import {
   SubscriptionEventTypes,
   SubscriptionStatuses,
 } from "@cosmicdrift/kumiko-bundled-features/billing-foundation";
 import Stripe from "stripe";
-import { describe, expect, test } from "vitest";
 import {
   mapStripeEventType,
   mapStripeStatus,
@@ -83,8 +83,8 @@ function buildSubscriptionEvent(overrides: {
 }
 /** Erstellt einen valid Stripe-signed-Header für ein gegebenes payload. */
-function signEvent(payload: string, secret = TEST_SECRET): string {
-  return stripeForFixtures.webhooks.generateTestHeaderString({
+async function signEvent(payload: string, secret = TEST_SECRET): Promise<string> {
+  return stripeForFixtures.webhooks.generateTestHeaderStringAsync({
     payload,
     secret,
   });
@@ -102,7 +102,7 @@ describe("verifyAndParseStripeWebhook — sig-verify", () => {
   test("happy path: valid sig + bekannter event-type → SubscriptionEvent", async () => {
     const payload = JSON.stringify(buildSubscriptionEvent({}));
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event).not.toBeNull();
@@ -120,7 +120,7 @@ describe("verifyAndParseStripeWebhook — sig-verify", () => {
   test("wrong secret → sig-verify failed → throws", async () => {
     const payload = JSON.stringify(buildSubscriptionEvent({}));
-    const sig = signEvent(payload, "whsec_wrong_secret");
+    const sig = await signEvent(payload, "whsec_wrong_secret");
     await expect(verify(payload, { "stripe-signature": sig })).rejects.toThrow(
       /signature verify failed/,
     );
@@ -128,7 +128,7 @@ describe("verifyAndParseStripeWebhook — sig-verify", () => {
   test("modified body → sig-verify failed (Replay-Protection)", async () => {
     const original = JSON.stringify(buildSubscriptionEvent({}));
-    const sig = signEvent(original);
+    const sig = await signEvent(original);
     // Tamper with body — Stripe-sig matched die exakten bytes.
     const tampered = original.replace("tenant-test-1", "tenant-attacker");
     await expect(verify(tampered, { "stripe-signature": sig })).rejects.toThrow(
@@ -151,7 +151,7 @@ describe("verifyAndParseStripeWebhook — event-filter", () => {
     // customer.created ist gültiger Stripe-event aber nicht in unserer
     // 5-types-Whitelist.
     const payload = JSON.stringify(buildSubscriptionEvent({ eventType: "customer.created" }));
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event).toBeNull();
   });
@@ -160,7 +160,7 @@ describe("verifyAndParseStripeWebhook — event-filter", () => {
     const payload = JSON.stringify(
       buildSubscriptionEvent({ eventType: "customer.subscription.updated" }),
     );
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event?.type).toBe(SubscriptionEventTypes.updated);
   });
@@ -172,7 +172,7 @@ describe("verifyAndParseStripeWebhook — event-filter", () => {
         status: "canceled",
       }),
     );
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event?.type).toBe(SubscriptionEventTypes.canceled);
     expect(event?.status).toBe(SubscriptionStatuses.canceled);
@@ -200,7 +200,7 @@ describe("verifyAndParseStripeWebhook — event-filter", () => {
       },
     };
     const payload = JSON.stringify(ev);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event).toBeNull();
   });
@@ -221,21 +221,21 @@ describe("verifyAndParseStripeWebhook — tenant-resolution + price-to-tier", ()
     // @ts-expect-error — entferne metadata für Test
     ev.data.object.metadata = {};
     const payload = JSON.stringify(ev);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event).toBeNull();
   });
   test("price-id im Mapping → korrekter tier-Wert", async () => {
     const payload = JSON.stringify(buildSubscriptionEvent({ priceId: "price_business_yearly" }));
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event?.tier).toBe("business");
   });
   test("price-id NICHT im Mapping → null", async () => {
     const payload = JSON.stringify(buildSubscriptionEvent({ priceId: "price_unknown_xyz" }));
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     expect(event).toBeNull();
   });
@@ -243,7 +243,7 @@ describe("verifyAndParseStripeWebhook — tenant-resolution + price-to-tier", ()
   test("currentPeriodEnd wird aus subscription.items[0].current_period_end (Unix-sec) zu ISO konvertiert", async () => {
     const periodEndUnix = 1_780_000_000;
     const payload = JSON.stringify(buildSubscriptionEvent({ currentPeriodEndUnix: periodEndUnix }));
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
     const event = await verify(payload, { "stripe-signature": sig });
     // 1_780_000_000 sec = 2026-05-28T20:26:40Z (in ms: 1.78e12)
     // Temporal.Instant.toString() droppt Trailing-Zeros — keine .000Z