@cosmicdrift/kumiko-bundled-features 0.15.0 → 0.18.0

package/src/custom-fields/db/queries/projection.ts

@@ -5,18 +5,27 @@ function quoteTable(tableName: string): string {
   return `"${tableName.replace(/"/g, '""')}"`;
 }
 
+function bindJsonbParam(value: unknown): { sql: string; bound: unknown } {
+  // postgres-js infers boolean params as boolean[] candidates — route via text::jsonb.
+  if (typeof value === "boolean") {
+    return { sql: "$1::text::jsonb", bound: JSON.stringify(value) };
+  }
+  return { sql: "$1::jsonb", bound: value };
+}
+
 export async function setCustomFieldValue(
   db: DbRunner,
   tableName: string,
   fieldKey: string,
-  valueJson: string,
+  value: unknown,
   aggregateId: string,
 ): Promise<void> {
   const tbl = quoteTable(tableName);
   const escapedKey = fieldKey.replace(/'/g, "''");
+  const jsonb = bindJsonbParam(value);
   await asRawClient(db).unsafe(
-    `UPDATE ${tbl} SET custom_fields = jsonb_set(custom_fields, '{${escapedKey}}', $1::jsonb, true) WHERE id = $2`,
-    [valueJson, aggregateId],
+    `UPDATE ${tbl} SET custom_fields = jsonb_set(custom_fields, '{${escapedKey}}', ${jsonb.sql}, true) WHERE id = $2`,
+    [jsonb.bound, aggregateId],
   );
 }
 
@@ -33,7 +42,27 @@ export async function clearCustomFieldKey(
   );
 }
 
-export async function removeCustomFieldKeyFromAllRows(
+// Tenant-scoped orphan-cleanup: removes the jsonb key only from the deleting
+// tenant's rows. This is the default path for tenant-field deletions — without
+// the tenant_id filter, deleting tenant A's field strips the same kebab key
+// from every tenant's rows (cross-tenant data loss).
+export async function removeCustomFieldKeyForTenant(
+  db: DbRunner,
+  tableName: string,
+  fieldKey: string,
+  tenantId: string,
+): Promise<void> {
+  const tbl = quoteTable(tableName);
+  await asRawClient(db).unsafe(
+    `UPDATE ${tbl} SET custom_fields = custom_fields - $1 WHERE tenant_id = $2`,
+    [fieldKey, tenantId],
+  );
+}
+
+// Cross-tenant cleanup: strips the key from EVERY tenant's rows. Only valid for
+// system-scope field-definition deletions (the field applied to all tenants).
+// Never call this for a tenant-scoped deletion — use removeCustomFieldKeyForTenant.
+export async function removeCustomFieldKeyFromAllTenants(
   db: DbRunner,
   tableName: string,
   fieldKey: string,

package/src/custom-fields/db/queries/retention.ts

@@ -28,12 +28,12 @@ export async function selectHostRowsWithCustomFields(
 export async function updateHostRowCustomFields(
   db: DbRunner,
   tableName: string,
-  customFieldsJson: string,
+  customFields: Record<string, unknown>,
   rowId: string,
 ): Promise<void> {
   const quoted = `"${tableName.replace(/"/g, '""')}"`;
   await asRawClient(db).unsafe(`UPDATE ${quoted} SET custom_fields = $1::jsonb WHERE id = $2`, [
-    customFieldsJson,
+    customFields,
     rowId,
   ]);
 }

package/src/custom-fields/db/queries/user-data-rights.ts

@@ -35,10 +35,13 @@ export async function stripSensitiveCustomFieldKeys(
 ): Promise<void> {
   const tbl = quoteTable(tableName);
   const userCol = quoteColumn(userIdColumn);
-  const placeholders = sensitiveKeys.map((_, i) => `$${i + 1}`).join(" - ");
   await asRawClient(db).unsafe(
-    `UPDATE ${tbl} SET custom_fields = custom_fields - ${placeholders} WHERE ${userCol} = $${sensitiveKeys.length + 1} AND tenant_id = $${sensitiveKeys.length + 2}`,
-    [...sensitiveKeys, userId, tenantId],
+    `UPDATE ${tbl} SET custom_fields = CASE
+       WHEN jsonb_typeof(custom_fields) = 'object' THEN custom_fields - $1::text[]
+       ELSE custom_fields
+     END
+     WHERE ${userCol} = $2 AND tenant_id = $3`,
+    [sensitiveKeys, userId, tenantId],
   );
 }
 

package/src/custom-fields/feature.ts

@@ -30,12 +30,12 @@
 //   hand-gebauten Template-Literals mehr (T1 hat den toKebab-collapse-drift
 //   aufgedeckt, siehe Memory feedback_event_def_exports_pattern).
 //
-// **Out-of-B2 (future iterations)**:
+// **Noch offen (future iterations)**:
 //   - Cross-scope-conflict-Detection (Tenant überschreibt system fieldKey)
-//   - cap-counter quota-Check beim fieldDefinition-create
-//   - user-data-rights anonymization-Wiring für sensitive customFields
-//   - Value-Validation gegen fieldDefinition.serializedField
 //   - Cross-Scope-Read-UNION (system + tenant fieldDefinitions in einem List)
+//   (cap-counter-quota → T1.5e, user-data-rights-anonymization → T1.5c,
+//    Value-Validation gegen serializedField → set-custom-field via fieldToZod —
+//    alle erledigt.)
 
 import { defineEntityListHandler, defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
@@ -63,6 +63,12 @@ const tenantAdminAccess = { access: { roles: ["TenantAdmin"] } } as const;
 const fieldDefinitionDeletedSchema = z.object({
   entityName: z.string(),
   fieldKey: z.string(),
+  // Owning tenant of the deleted definition: a specific tenant for tenant-scope
+  // deletions, SYSTEM_TENANT_ID for system-scope. The cascade-MSP scopes its
+  // orphan-cleanup by this so a tenant deletion never touches other tenants'
+  // rows. Optional for backward-compat with events appended before this field
+  // existed — the MSP falls back to the event's stream tenantId.
+  tenantId: z.string().optional(),
 });
 
 // Singleton feature-definition mit typed exports. Handler + wire-for-entity

package/src/custom-fields/handlers/delete-system-field.write.ts

@@ -38,7 +38,11 @@ export const deleteSystemFieldHandler: WriteHandlerDef = {
         aggregateId,
         aggregateType: "field-definition",
         type: customFieldsFeature.exports.fieldDefinitionDeletedEvent.name,
-        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey },
+        payload: {
+          entityName: payload.entityName,
+          fieldKey: payload.fieldKey,
+          tenantId: SYSTEM_TENANT_ID,
+        },
       });
     }
 

package/src/custom-fields/handlers/delete-tenant-field.write.ts

@@ -46,7 +46,7 @@ export const deleteTenantFieldHandler: WriteHandlerDef = {
         aggregateId,
         aggregateType: "field-definition",
         type: customFieldsFeature.exports.fieldDefinitionDeletedEvent.name,
-        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey },
+        payload: { entityName: payload.entityName, fieldKey: payload.fieldKey, tenantId },
       });
     }
 

package/src/custom-fields/handlers/set-custom-field.write.ts

@@ -2,7 +2,8 @@ import type { WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { failNotFound, failUnprocessable } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { customFieldsFeature } from "../feature";
-import { checkFieldAccessForWrite } from "../lib/field-access";
+import { fieldWriteAccessDeniedRoles, loadFieldDefinition } from "../lib/field-access";
+import { buildCustomFieldValueSchema } from "../lib/value-schema";
 
 export const setCustomFieldPayloadSchema = z.object({
   entityName: z.string().min(1).max(64),
@@ -24,16 +25,18 @@ export type SetCustomFieldPayload = z.infer<typeof setCustomFieldPayloadSchema>;
 // concurrent writes auf gleiches Field gehen beide durch (Plan-Doc v2
 // Concurrency-Tabelle).
 //
-// **WAS DIESER HANDLER NICHT MACHT (yet)**:
-//   - Validation des Werts gegen fieldDefinition-type (B2-todo: rehydriere
-//     r.field.X() aus serializedField, .schema.safeParse(value))
-//   - cap-counter-quota-Check (T1.5e)
-// → Diese Aspekte kommen als Folgekommits oder durch consumer-side hooks.
+// **Write-Pfad (Single-Fetch)** — eine fieldDefinition-Ladung, drei Gates:
+//   1. Definition fehlt → 404.
+//   2. field-access (T1.5b): fieldAccess.write-Rollen müssen intersecten, sonst
+//      403/422. Handler-level RBAC (TenantAdmin/Member) bleibt zusätzlich.
+//   3. Value-Validation (Builder-Reuse): der Wert wird gegen das aus
+//      serializedField rehydrierte fieldToZod-Schema geparst. Type-Mismatch →
+//      422, KEIN Event entsteht (Projection bleibt typed — Plan-Doc
+//      Stammfeld-Identität). `value: null` auf einem typisierten Feld ist ein
+//      Type-Mismatch → 422; zum Entfernen eines Werts dient clear-custom-field.
 //
-// **WAS NEU IST (T1.5b)**:
-//   - field-access-check: wenn fieldDefinition.serializedField.fieldAccess.write
-//     gesetzt ist, muss der calling user mindestens eine der Rollen halten.
-//     Handler-level RBAC (TenantAdmin/Member) bleibt zusätzlich.
+// Scope: NUR Type-Validation. Required-on-set + Default-Application sind
+// out-of-scope (Plan-Doc "Stammfeld-Identität" listet sie als eigene Zeilen).
 export const setCustomFieldHandler: WriteHandlerDef = {
   name: "set-custom-field",
   schema: setCustomFieldPayloadSchema,
@@ -41,23 +44,36 @@ export const setCustomFieldHandler: WriteHandlerDef = {
   handler: async (event, ctx) => {
     const payload = event.payload as SetCustomFieldPayload; // @cast-boundary engine-payload
 
-    const accessCheck = await checkFieldAccessForWrite(
+    const loaded = await loadFieldDefinition(
       ctx.db,
       event.user.tenantId,
       payload.entityName,
       payload.fieldKey,
-      event.user.roles,
     );
-    if (!accessCheck.ok) {
-      if (accessCheck.reason === "field_definition_not_found") {
-        return failNotFound("fieldDefinition", payload.fieldKey);
-      }
+    if (!loaded.found) {
+      return failNotFound("fieldDefinition", payload.fieldKey);
+    }
+
+    const deniedRoles = fieldWriteAccessDeniedRoles(loaded.field, event.user.roles);
+    if (deniedRoles) {
       return failUnprocessable("field_access_denied", {
         fieldKey: payload.fieldKey,
-        requiredRoles: accessCheck.requiredRoles ?? [],
+        requiredRoles: deniedRoles,
       });
     }
 
+    const valueSchema = buildCustomFieldValueSchema(loaded.field);
+    if (valueSchema) {
+      const parsed = valueSchema.safeParse(payload.value);
+      if (!parsed.success) {
+        return failUnprocessable("custom_field_value_invalid", {
+          fieldKey: payload.fieldKey,
+          fieldType: loaded.field?.type,
+          issues: parsed.error.issues.map((i) => i.message),
+        });
+      }
+    }
+
     // Emit customField.set on host-aggregate stream. unsafeAppendEvent
     // (statt strict appendEvent) weil event-type-map keine cross-feature-
     // augmentation für diesen event-typ hat — wir nutzen den qualified

package/src/custom-fields/lib/field-access.ts

@@ -1,8 +1,10 @@
 // T1.5b — per-field write access-check for the set/clear handlers.
+// Plus single-fetch loader so set-custom-field can run access-check AND
+// value-validation off one DB read (no double fetch).
 
 import type { TenantDb } from "@cosmicdrift/kumiko-framework/db";
 import { selectSerializedFieldDefinition } from "../db/queries/field-access";
-import { parseSerializedField } from "./parse-serialized-field";
+import { parseSerializedField, type SerializedFieldShape } from "./parse-serialized-field";
 
 export type FieldAccessCheckResult =
   | { ok: true }
@@ -12,6 +14,37 @@ export type FieldAccessCheckResult =
       requiredRoles?: ReadonlyArray<string>;
     };
 
+export type LoadedFieldDefinition =
+  | { found: false }
+  // `field` is null when the row exists but its serialized_field is corrupt —
+  // callers treat that as "no restriction / no schema" (lenient), distinct
+  // from `found: false` (no definition → 404).
+  | { found: true; field: SerializedFieldShape | null };
+
+export async function loadFieldDefinition(
+  db: TenantDb,
+  tenantId: string,
+  entityName: string,
+  fieldKey: string,
+): Promise<LoadedFieldDefinition> {
+  const serialized = await selectSerializedFieldDefinition(db, tenantId, entityName, fieldKey);
+  if (serialized === null) return { found: false };
+  return { found: true, field: parseSerializedField(serialized) };
+}
+
+// Pure access-check on an already-loaded definition. Returns the required
+// roles when the caller is denied, or `null` when access is allowed.
+export function fieldWriteAccessDeniedRoles(
+  field: SerializedFieldShape | null,
+  userRoles: ReadonlyArray<string>,
+): ReadonlyArray<string> | null {
+  const required = field?.fieldAccess?.write;
+  if (!required || required.length === 0) return null;
+  return userRoles.some((role) => required.includes(role)) ? null : required;
+}
+
+// Convenience wrapper retained for clear-custom-field (no value-validation
+// needed there) — does the load + access-check in one call.
 export async function checkFieldAccessForWrite(
   db: TenantDb,
   tenantId: string,
@@ -19,18 +52,10 @@ export async function checkFieldAccessForWrite(
   fieldKey: string,
   userRoles: ReadonlyArray<string>,
 ): Promise<FieldAccessCheckResult> {
-  const serialized = await selectSerializedFieldDefinition(db, tenantId, entityName, fieldKey);
-  if (serialized === null) {
-    return { ok: false, reason: "field_definition_not_found" };
-  }
-
-  const parsed = parseSerializedField(serialized);
-  if (!parsed) return { ok: true };
+  const loaded = await loadFieldDefinition(db, tenantId, entityName, fieldKey);
+  if (!loaded.found) return { ok: false, reason: "field_definition_not_found" };
 
-  const required = parsed.fieldAccess?.write;
-  if (!required || required.length === 0) {
-    return { ok: true };
-  }
-  const hit = userRoles.some((role) => required.includes(role));
-  return hit ? { ok: true } : { ok: false, reason: "field_access_denied", requiredRoles: required };
+  const deniedRoles = fieldWriteAccessDeniedRoles(loaded.field, userRoles);
+  if (!deniedRoles) return { ok: true };
+  return { ok: false, reason: "field_access_denied", requiredRoles: deniedRoles };
 }

package/src/custom-fields/lib/value-schema.ts

@@ -0,0 +1,45 @@
+import {
+  DEFAULT_CURRENCIES,
+  type FieldDefinition,
+  fieldToZod,
+} from "@cosmicdrift/kumiko-framework/engine";
+import type { z } from "zod";
+
+// Builds a Zod schema that validates a custom-field VALUE against its
+// fieldDefinition. Reuses the framework's `fieldToZod` (Builder-Reuse /
+// Stammfeld-Identität, Plan-Doc) — one field-type-schema source, no drift
+// between Stammfeld- and Custom-Field-validation.
+//
+// Vocabulary bridge: custom-fields expose `enum` (Plan + `r.field.enum([...])`)
+// where the framework's FieldDefinition calls the equivalent type `select`
+// with an `options` array. This single boundary translates it; everything
+// else is already FieldDefinition-shaped (the serialized dehydrated builder).
+//
+// Returns `null` when the serialized field is unparseable or names a type
+// `fieldToZod` cannot interpret — callers then skip value-validation rather
+// than hard-rejecting a field they cannot understand.
+export function buildCustomFieldValueSchema(parsedField: unknown): z.ZodTypeAny | null {
+  if (!parsedField || typeof parsedField !== "object") return null;
+  const obj = parsedField as Record<string, unknown>;
+  if (typeof obj["type"] !== "string") return null;
+
+  const fieldDef =
+    obj["type"] === "enum"
+      ? { ...obj, type: "select", options: obj["values"] ?? obj["options"] ?? [] }
+      : obj;
+
+  // fieldToZod's money case validates `currency` against the passed list, not
+  // a field-level key — so surface the field's own currency when it declares
+  // one, else fall back to the framework defaults.
+  const currencies =
+    typeof obj["currency"] === "string" ? [obj["currency"] as string] : DEFAULT_CURRENCIES;
+
+  try {
+    // @cast-boundary serialized-field is the dehydrated r.field.X() output =
+    // a FieldDefinition; fieldToZod reads only its type-specific keys (the
+    // extra fieldAccess/sensitive/retention/label keys are ignored).
+    return fieldToZod(fieldDef as unknown as FieldDefinition, currencies);
+  } catch {
+    return null;
+  }
+}

package/src/custom-fields/run-retention.ts

@@ -132,7 +132,7 @@ export async function runCustomFieldsRetention(
       removalsByFieldKey[key] = (removalsByFieldKey[key] ?? 0) + 1;
     }
 
-    await updateHostRowCustomFields(opts.db, tableName, JSON.stringify(mutated), row.id);
+    await updateHostRowCustomFields(opts.db, tableName, mutated, row.id);
     rowsUpdated++;
   }
 

package/src/custom-fields/wire-for-entity.ts

@@ -1,12 +1,15 @@
 import {
   createJsonbField,
   type FeatureRegistrar,
+  isSystemTenant,
   type JsonbFieldDef,
+  type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { CUSTOM_FIELDS_EXTENSION } from "./constants";
 import {
   clearCustomFieldKey,
-  removeCustomFieldKeyFromAllRows,
+  removeCustomFieldKeyForTenant,
+  removeCustomFieldKeyFromAllTenants,
   setCustomFieldValue,
 } from "./db/queries/projection";
 
@@ -109,7 +112,7 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
           tx,
           tableName,
           payload.fieldKey,
-          JSON.stringify(payload.value),
+          payload.value,
           event.aggregateId,
         );
       },
@@ -127,14 +130,29 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
         // fieldDefinition.deleted fires nur einmal pro fieldDef-delete
         // (NICHT per-entity). Wir entfernen den key aus ALLEN rows der host-
         // entity falls die deleted-fieldDef für diese entity galt.
-        const payload = event.payload as { entityName: string; fieldKey: string }; // @cast-boundary engine-payload
+        const payload = event.payload as {
+          entityName: string;
+          fieldKey: string;
+          tenantId?: TenantId;
+        }; // @cast-boundary engine-payload
         // skip: fieldDefinition.deleted feuert für ALLE fieldDefs cross-entity;
         // nur wenn die deleted-fieldDef diese host-entity betraf, cleanen wir
         // ihre Rows.
         if (payload.entityName !== entityName) return;
 
         const tableName = getTableName(entityTable);
-        await removeCustomFieldKeyFromAllRows(tx, tableName, payload.fieldKey);
+        // Scope cleanup to the deleted definition's owning tenant. System-scope
+        // definitions apply to every tenant → cascade across all rows; tenant-
+        // scope deletions must only touch that tenant's rows, else deleting one
+        // tenant's field strips the same kebab key from every tenant (data loss).
+        // Fallback to the event's stream tenantId for events appended before the
+        // payload carried tenantId.
+        const defTenantId = payload.tenantId ?? event.tenantId;
+        if (isSystemTenant(defTenantId)) {
+          await removeCustomFieldKeyFromAllTenants(tx, tableName, payload.fieldKey);
+        } else {
+          await removeCustomFieldKeyForTenant(tx, tableName, payload.fieldKey, defTenantId);
+        }
       },
     },
   });

package/src/custom-fields/wire-user-data-rights.ts

@@ -32,8 +32,9 @@ interface CustomFieldsHostRow {
 function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   if (!value || typeof value !== "object" || Array.isArray(value)) return null;
   if (!("id" in value) || typeof value.id !== "string") return null;
-  if (!("custom_fields" in value)) return null;
-  const cf = value.custom_fields;
+  const record = value as Record<string, unknown>;
+  const cf = record["custom_fields"] ?? record["customFields"];
+  if (cf === undefined) return null;
   if (cf === null) return { id: value.id, customFields: null };
   if (!cf || typeof cf !== "object" || Array.isArray(cf)) return null;
   return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };

package/src/delivery/delivery-service.ts

@@ -153,7 +153,7 @@ export function createDeliveryService(options: DeliveryServiceOptions): Delivery
   }
 
   function buildChannelContext(tenantId: TenantId): ChannelContext {
-    return { db, registry, sseBroker, tenantId };
+    return { db: createTenantDb(db, tenantId), registry, sseBroker, tenantId };
   }
 
   async function logDelivery(entry: DeliveryLogEntry): Promise<void> {

package/src/delivery/feature.ts

@@ -6,12 +6,19 @@ import { deliveryAttemptSchema } from "./events";
 import { logQuery } from "./handlers/log.query";
 import { preferencesQuery } from "./handlers/preferences.query";
 import { setPreferenceWrite } from "./handlers/set-preference.write";
-import { deliveryAttemptsTable, notificationPreferenceEntity } from "./tables";
+import {
+  deliveryAttemptsTable,
+  deliveryAttemptsTableMeta,
+  notificationPreferenceEntity,
+} from "./tables";
 
 export function createDeliveryFeature(): FeatureDefinition {
   return defineFeature("delivery", (r) => {
     r.systemScope();
     r.entity("notification-preference", notificationPreferenceEntity);
+    r.unmanagedTable(deliveryAttemptsTableMeta, {
+      reason: "read_side.delivery_attempt_log",
+    });
 
     // Events-only projection source: "deliveryAttempt" is the aggregate-
     // type on the events-table, but there's no r.entity for it — each

package/src/delivery/types.ts

@@ -1,5 +1,5 @@
 import type { SseBroker } from "@cosmicdrift/kumiko-framework/api";
-import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantDb } from "@cosmicdrift/kumiko-framework/db";
 import type {
   NotifyOptions,
   Registry,
@@ -10,7 +10,7 @@ import type {
 // --- Channel Interface ---
 
 export type ChannelContext = {
-  readonly db: DbConnection;
+  readonly db: TenantDb;
   readonly registry: Registry;
   readonly sseBroker: SseBroker | undefined;
   readonly tenantId: TenantId;

package/src/feature-toggles/__tests__/{feature-toggles.integration.ts → feature-toggles.integration.test.ts}

@@ -16,6 +16,7 @@ import {
   type FeatureDefinition,
   SYSTEM_TENANT_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
+import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import { createEventDispatcher, type EventConsumer } from "@cosmicdrift/kumiko-framework/pipeline";
 import {
   createTestUser,
@@ -517,12 +518,11 @@ describe("feature-toggles queries + audit automation", () => {
       admin,
     );
 
-    const events = (await asRawClient(stack.db).unsafe(
-      `SELECT type, payload FROM kumiko_events WHERE type = 'feature-toggles:event:toggle-set'`,
-    )) as unknown as readonly {
-      type: string;
-      payload: Record<string, unknown>;
-    }[];
+    const events = await selectMany<{ type: string; payload: Record<string, unknown> }>(
+      stack.db,
+      eventsTable,
+      { type: "feature-toggles:event:toggle-set" },
+    );
 
     expect(events).toHaveLength(1);
     expect(events[0]?.payload).toMatchObject({

package/src/feature-toggles/handlers/set.write.ts

@@ -12,7 +12,6 @@ import {
   FEATURE_TOGGLE_SET_EVENT_NAME,
   FeatureToggleErrors,
 } from "../constants";
-import { updateFeatureToggleOptimistic } from "../db/queries/toggle-state";
 import { globalFeatureStateTable } from "../global-feature-state-table";
 import type { GlobalFeatureToggleRuntime } from "../toggle-runtime";
 
@@ -101,13 +100,16 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
         // Upsert with optimistic lock. Two operators flipping the same
         // toggle simultaneously is rare but possible — the version-WHERE
         // ensures only one wins; the loser sees VersionConflictError.
-        const updated = await updateFeatureToggleOptimistic(ctx.db, {
-          enabled,
-          updatedBy: event.user.id,
-          updatedAt: Temporal.Now.instant(),
-          featureName,
-          expectedVersion: existing.version,
-        });
+        const updated = await ctx.db.updateMany(
+          globalFeatureStateTable,
+          {
+            enabled,
+            updatedBy: event.user.id,
+            updatedAt: Temporal.Now.instant(),
+            version: existing.version + 1,
+          },
+          { featureName, version: existing.version },
+        );
 
         if (updated.length === 0) {
           return writeFailure(

package/src/jobs/feature.ts

@@ -19,11 +19,14 @@ import {
   JOB_RUN_FAILED_EVENT,
   JOB_RUN_STARTED_EVENT,
 } from "./job-run-logger";
-import { jobRunLogsTable, jobRunsTable } from "./job-run-table";
+import { jobRunLogsTable, jobRunLogsTableMeta, jobRunsTable } from "./job-run-table";
 
 export function createJobsFeature(): FeatureDefinition {
   return defineFeature("jobs", (r) => {
     r.systemScope();
+    r.unmanagedTable(jobRunLogsTableMeta, {
+      reason: "read_side.job_run_logs",
+    });
     // Events-only aggregate: "jobRun" has no r.entity registration, because
     // the entire lifecycle is driven by BullMQ-callback → r.defineEvent
     // (no executor, no CRUD). The boot-validator accepts the two

package/src/subscription-stripe/__tests__/{stripe-foundation.integration.ts → stripe-foundation.integration.test.ts}

@@ -142,10 +142,10 @@ function buildStripeSubscriptionEvent(overrides: {
   };
 }
 
-function signEvent(payload: string): string {
-  return stripeForFixtures.webhooks.generateTestHeaderString({
+async function signEvent(payload: string, secret = TEST_SECRET): Promise<string> {
+  return stripeForFixtures.webhooks.generateTestHeaderStringAsync({
     payload,
-    secret: TEST_SECRET,
+    secret,
   });
 }
 
@@ -172,7 +172,7 @@ describe("scenario 1: Stripe-event → DB happy path", () => {
       priceId: "price_business_yearly",
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res = await postStripeWebhook(payload, sig);
     expect(res.status).toBe(200);
@@ -225,10 +225,7 @@ describe("scenario 2: invalid sig → 401, kein DB-write", () => {
     });
     const payload = JSON.stringify(stripeEvent);
     // Wrong secret = invalid sig.
-    const wrongSig = stripeForFixtures.webhooks.generateTestHeaderString({
-      payload,
-      secret: "whsec_wrong_secret",
-    });
+    const wrongSig = await signEvent(payload, "whsec_wrong_secret");
 
     const res = await postStripeWebhook(payload, wrongSig);
     expect(res.status).toBe(401);
@@ -260,7 +257,7 @@ describe("scenario 3: idempotency via Stripe-retry", () => {
       subscriptionId: "sub_4003",
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res1 = await postStripeWebhook(payload, sig);
     expect(res1.status).toBe(200);
@@ -292,7 +289,7 @@ describe("scenario 4: ignored event-types pass through", () => {
       tenantId: tenantStringId,
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res = await postStripeWebhook(payload, sig);
     expect(res.status).toBe(200);

package/src/tier-engine/__tests__/{resolver.integration.ts → resolver.integration.test.ts}

@@ -52,6 +52,7 @@ const TEST_TIER_MAP: TierMap<TestCaps> = {
 // Toy-feature mit einem tenantadmin-only-handler. Wenn das feature im
 // effective-Set ist, dispatcher passt durch — wenn nicht, 403 feature_disabled.
 const featProFeature = defineFeature("feat-pro", (r) => {
+  r.toggleable({ default: false });
   r.queryHandler(
     "ping",
     {
@@ -174,10 +175,10 @@ describe("createTierEngineFeature — per-tenant resolver", () => {
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
     const systemSet = resolver(SYSTEM_TENANT_ID);
 
-    // Union: feat-pro (in pro+business) + feat-business (in business only).
+    // Union of tier-map features (feat-pro in pro+business, feat-business in business).
     expect(systemSet.has("feat-pro")).toBe(true);
     expect(systemSet.has("feat-business")).toBe(true);
-    // free has no features → nothing extra
-    expect(systemSet.size).toBe(2);
+    // SYSTEM tenant also receives always-on non-toggleable features from includeBundled.
+    expect(systemSet.size).toBeGreaterThanOrEqual(2);
   });
 });