npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.2.2 → 0.3.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/CHANGELOG.md +91 -0
package/package.json +22 -13
package/src/auth-email-password/auth-user-row.ts +6 -0
package/src/auth-email-password/constants.ts +11 -0
package/src/auth-email-password/handlers/change-password.write.ts +1 -1
package/src/auth-email-password/handlers/confirm-token-flow.ts +1 -1
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +7 -7
package/src/auth-email-password/handlers/invite-accept.write.ts +7 -6
package/src/auth-email-password/handlers/invite-create.write.ts +3 -3
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +4 -4
package/src/auth-email-password/handlers/login.write.ts +32 -2
package/src/auth-email-password/handlers/logout.write.ts +2 -2
package/src/auth-email-password/handlers/signup-confirm.write.ts +1 -1
package/src/auth-email-password/i18n.ts +4 -0
package/src/auth-email-password/web/auth-client.ts +1 -1
package/src/billing-foundation/events.ts +1 -1
package/src/billing-foundation/feature.ts +44 -47
package/src/billing-foundation/handlers/create-portal-session.write.ts +3 -3
package/src/billing-foundation/handlers/process-event.write.ts +3 -3
package/src/billing-foundation/projection.ts +1 -1
package/src/billing-foundation/webhook-handler.ts +1 -1
package/src/cap-counter/constants.ts +1 -1
package/src/cap-counter/enforce-cap.ts +1 -1
package/src/cap-counter/feature.ts +3 -7
package/src/cap-counter/handlers/get-counter.query.ts +1 -1
package/src/cap-counter/handlers/increment-rolling.write.ts +2 -2
package/src/cap-counter/handlers/increment.write.ts +3 -3
package/src/cap-counter/handlers/mark-soft-warned.write.ts +2 -2
package/src/channel-email/email-channel.ts +1 -1
package/src/channel-email/types.ts +1 -1
package/src/compliance-profiles/README.md +88 -0
package/src/compliance-profiles/__tests__/compliance-profiles.integration.ts +308 -0
package/src/compliance-profiles/__tests__/seeding.integration.ts +93 -0
package/src/compliance-profiles/feature.ts +51 -0
package/src/compliance-profiles/handlers/for-tenant.query.ts +64 -0
package/src/compliance-profiles/handlers/list-profiles.query.ts +44 -0
package/src/compliance-profiles/handlers/needs-profile.query.ts +56 -0
package/src/compliance-profiles/handlers/set-profile.write.ts +144 -0
package/src/compliance-profiles/handlers/sub-processors.query.ts +43 -0
package/src/compliance-profiles/index.ts +6 -0
package/src/compliance-profiles/resolve-for-tenant.ts +63 -0
package/src/compliance-profiles/schema/profile-selection.ts +52 -0
package/src/compliance-profiles/seeding.ts +96 -0
package/src/config/resolver.ts +1 -1
package/src/data-retention/__tests__/data-retention.integration.ts +49 -0
package/src/data-retention/__tests__/keep-for.test.ts +77 -0
package/src/data-retention/__tests__/override-schema.test.ts +96 -0
package/src/data-retention/__tests__/policy-for.integration.ts +172 -0
package/src/data-retention/__tests__/resolver.test.ts +201 -0
package/src/data-retention/_internal/parse-override.ts +34 -0
package/src/data-retention/feature.ts +57 -0
package/src/data-retention/handlers/policy-for.query.ts +57 -0
package/src/data-retention/index.ts +18 -0
package/src/data-retention/keep-for.ts +75 -0
package/src/data-retention/override-schema.ts +37 -0
package/src/data-retention/presets.ts +72 -0
package/src/data-retention/resolve-for-tenant.ts +50 -0
package/src/data-retention/resolver.ts +107 -0
package/src/data-retention/schema/tenant-retention-override.ts +47 -0
package/src/delivery/feature.ts +1 -1
package/src/delivery/testing.ts +1 -2
package/src/delivery/upsert-preference.ts +1 -1
package/src/feature-toggles/feature.ts +1 -1
package/src/feature-toggles/handlers/list.query.ts +1 -1
package/src/feature-toggles/handlers/registered.query.ts +9 -2
package/src/feature-toggles/handlers/set.write.ts +3 -3
package/src/file-foundation/feature.ts +44 -4
package/src/file-foundation/index.ts +1 -0
package/src/file-provider-inmemory/feature.ts +6 -3
package/src/file-provider-s3/feature.ts +10 -12
package/src/files/README.md +50 -0
package/src/files/__tests__/files.integration.ts +157 -0
package/src/files/feature.ts +34 -0
package/src/files/index.ts +1 -0
package/src/files/schema/file-ref.ts +58 -0
package/src/files-provider-s3/s3-provider.ts +90 -1
package/src/jobs/handlers/list.query.ts +3 -3
package/src/jobs/handlers/trigger.write.ts +1 -1
package/src/legal-pages/constants.ts +1 -0
package/src/legal-pages/web/client-plugin.ts +42 -0
package/src/legal-pages/web/index.ts +4 -0
package/src/mail-foundation/feature.ts +1 -1
package/src/mail-transport-smtp/feature.ts +2 -2
package/src/renderer-simple/simple-renderer.ts +1 -1
package/src/secrets/__tests__/require-secrets-context.test.ts +81 -0
package/src/secrets/feature.ts +10 -6
package/src/secrets/handlers/rotate.job.ts +2 -2
package/src/sessions/constants.ts +4 -0
package/src/sessions/feature.ts +3 -0
package/src/sessions/handlers/cleanup.job.ts +2 -2
package/src/sessions/handlers/revoke-all-for-user.write.ts +42 -0
package/src/step-dispatcher/feature.ts +62 -0
package/src/step-dispatcher/index.ts +16 -0
package/src/step-dispatcher/mail-runner.ts +32 -0
package/src/step-dispatcher/webhook-runner.ts +67 -0
package/src/subscription-mollie/plugin-methods.ts +1 -1
package/src/subscription-mollie/verify-webhook.ts +9 -5
package/src/subscription-stripe/verify-webhook.ts +3 -3
package/src/tenant/handlers/active-tenant-ids.query.ts +1 -1
package/src/tenant/handlers/cancel-invitation.write.ts +1 -1
package/src/tenant/handlers/remove-member.write.ts +1 -1
package/src/tenant/handlers/resolve-user-ids.query.ts +1 -1
package/src/tenant/handlers/update-member-roles.write.ts +3 -3
package/src/text-content/constants.ts +2 -0
package/src/text-content/feature.ts +20 -4
package/src/text-content/handlers/by-tenant.query.ts +56 -0
package/src/text-content/handlers/set.write.ts +1 -1
package/src/text-content/web/client-plugin.ts +113 -0
package/src/text-content/web/index.ts +8 -0
package/src/tier-engine/__tests__/auto-default-tier.integration.ts +118 -0
package/src/tier-engine/feature.ts +23 -13
package/src/user/__tests__/user-status.test.ts +39 -0
package/src/user/handlers/find-for-auth.query.ts +1 -1
package/src/user/index.ts +11 -1
package/src/user/schema/user.ts +76 -0
package/src/user/seeding.ts +2 -2
package/src/user-data-rights/COMPLIANCE.md +182 -0
package/src/user-data-rights/README.md +109 -0
package/src/user-data-rights/__tests__/audit-log.integration.ts +199 -0
package/src/user-data-rights/__tests__/cross-data-matrix.integration.ts +349 -0
package/src/user-data-rights/__tests__/download.integration.ts +565 -0
package/src/user-data-rights/__tests__/export-job-idempotency.integration.ts +244 -0
package/src/user-data-rights/__tests__/export-job-schema.test.ts +163 -0
package/src/user-data-rights/__tests__/policy-to-strategy.test.ts +30 -0
package/src/user-data-rights/__tests__/request-cancel-deletion.integration.ts +370 -0
package/src/user-data-rights/__tests__/request-deletion-callback.integration.ts +179 -0
package/src/user-data-rights/__tests__/request-export.integration.ts +269 -0
package/src/user-data-rights/__tests__/restriction-flow.integration.ts +309 -0
package/src/user-data-rights/__tests__/run-export-jobs.integration.ts +1124 -0
package/src/user-data-rights/__tests__/run-forget-cleanup.integration.ts +703 -0
package/src/user-data-rights/__tests__/run-user-export.integration.ts +291 -0
package/src/user-data-rights/__tests__/token-helpers.test.ts +63 -0
package/src/user-data-rights/__tests__/user-data-rights.integration.ts +57 -0
package/src/user-data-rights/__tests__/zip-path.test.ts +119 -0
package/src/user-data-rights/audit-download.ts +125 -0
package/src/user-data-rights/feature.ts +310 -0
package/src/user-data-rights/handlers/cancel-deletion.write.ts +84 -0
package/src/user-data-rights/handlers/download-by-job.query.ts +206 -0
package/src/user-data-rights/handlers/download-by-token.query.ts +255 -0
package/src/user-data-rights/handlers/export-status.query.ts +76 -0
package/src/user-data-rights/handlers/lift-restriction.write.ts +68 -0
package/src/user-data-rights/handlers/list-download-attempts.query.ts +53 -0
package/src/user-data-rights/handlers/my-audit-log.query.ts +63 -0
package/src/user-data-rights/handlers/request-deletion.write.ts +123 -0
package/src/user-data-rights/handlers/request-export.write.ts +155 -0
package/src/user-data-rights/handlers/restrict-account.write.ts +81 -0
package/src/user-data-rights/handlers/run-forget-cleanup.write.ts +61 -0
package/src/user-data-rights/i18n.ts +37 -0
package/src/user-data-rights/index.ts +19 -0
package/src/user-data-rights/run-export-jobs.ts +878 -0
package/src/user-data-rights/run-forget-cleanup.ts +333 -0
package/src/user-data-rights/run-user-export.ts +211 -0
package/src/user-data-rights/schema/download-attempt.ts +37 -0
package/src/user-data-rights/schema/download-token.ts +111 -0
package/src/user-data-rights/schema/export-job.ts +166 -0
package/src/user-data-rights/token-helpers.ts +67 -0
package/src/user-data-rights/zip-path.ts +94 -0
package/src/user-data-rights-defaults/__tests__/user-data-rights-defaults.integration.ts +337 -0
package/src/user-data-rights-defaults/feature.ts +40 -0
package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts +109 -0
package/src/user-data-rights-defaults/hooks/user.userdata-hook.ts +91 -0
package/src/user-data-rights-defaults/index.ts +6 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,96 @@
 # @cosmicdrift/kumiko-bundled-features
+## 0.3.0
+### Minor Changes
+- 0.3.0 bringt zwei neue Subsysteme (Step-Engine Tier-3 + Visual-Tree) plus
+  eine AST-Codemod-Pipeline als Vorarbeit für den L2-AI-Layer.
+  ### Breaking Changes
+  - `skipTransitionGuard` → `unsafeSkipTransitionGuard` (Rename in
+    feature-ast + engine). Der `unsafe`-Prefix macht die Tragweite des
+    Casts sichtbar und ist konsistent zur `unsafeProjectionUpsert`- und
+    `r.rawTable`-Konvention. Migration: 1:1-Ersetzung, keine Verhaltens-Änderung.
+  ### Features
+  - **Step-Engine M.4 — Tier-3 Workflow-Engine.** Neue Step-Vocabulary
+    `wait`, `waitForEvent`, `retry` ermöglicht persistierte Long-Running-Flows
+    über Job-Boundaries hinweg. Q7 Snapshot-at-Start hängt jedem Step-Run
+    einen SHA-256-Fingerprint des Aggregat-Zustands an, sodass Replays
+    deterministisch gegen den ursprünglichen Eingangszustand laufen.
+  - **Visual-Tree V.1.x — Tree-API + Editor-Panel.** Neue `VisualTree`-
+    Component plus TreeProvider-Pattern; erste TreeProviders für
+    `text-content` und `legal-pages` (CMS-light + Impressum/Privacy).
+    Fundament für den späteren No-Code-Designer (~3000 LOC, 98 Tests).
+  - **Codemod-Pipeline.** AST-basierte Patcher-Module für strukturelle
+    Feature-Edits — wird vom kommenden L2-AI-Layer als Tool-Surface
+    verwendet, ist aber eigenständig nutzbar für ts-morph-style Migrationen.
+  - **user-data-rights Sample-Recipe.** DSGVO Art. 15/17/18/20 vollständig
+    als Sample-Recipe (`samples/recipes/`) inklusive README — zeigt die
+    Export- und Forget-Pipeline gegen den `compliance-profiles`-Default
+    (`eu-dsgvo`).
+  ### Fixes
+  - `tier-engine`: auto-default-tier-Hook benutzt jetzt `ctx.db.raw` für
+    Event-Store-Operationen (#37, vorher: stiller Bug, 22 Tage live).
+  - `engine`: unsafe-projection-upsert nutzt `as never` statt `as any` —
+    schmaler Cast-Surface, weniger Compiler-Knebel.
+  - `visual-tree`: runtime-isolation marker für client-konsumierte Files,
+    damit der Multi-Entry-Build den richtigen Bundle-Split bekommt.
+  - `feature-ast`: vollständiger `unsafeSkipTransitionGuard`-Rename (war
+    in zwei Modulen noch der alte Name).
+  - `framework`: Error-Reasons + `noConsole`-Lint + No-Date-API-Guard
+    wieder push-ready.
+  ### Library-Updates
+  hono 4.12, jose 6.2, stripe 22.1, meilisearch 0.58, marked 18,
+  bun-types 1.3.13, lucide-react 1.14, bullmq 5.76, ioredis 5.10,
+  i18next 26.0, react + radix-ui-primitives auf aktuelle Minors.
+### Patch Changes
+- Updated dependencies
+  - @cosmicdrift/kumiko-framework@0.3.0
+  - @cosmicdrift/kumiko-dispatcher-live@0.3.0
+  - @cosmicdrift/kumiko-renderer@0.3.0
+  - @cosmicdrift/kumiko-renderer-web@0.3.0
+## 0.2.3
+### Patch Changes
+- 1dbd038: Fix `db.execute is not a function` crash in `createTierEngineFeature`'s
+  auto-default-tier postSave-hook when called via the dispatcher path
+  (`tenant:write:create`). The hook used `ctx.db as DbConnection` — a
+  type-lie. AppContext.db in the inTransaction-phase is a TenantDb, which
+  exposes select/insert/update/delete but not execute(). The event-store-
+  append (event-store.ts:102) calls `db.execute(sql\`SELECT pg_notify(...)\`)`,
+  which crashed at runtime.
+  Fix: typeguard via `if (!("raw" in ctx.db)) return` then use `ctx.db.raw
+as DbConnection` (pattern matched signup-confirm.write.ts:107).
+  Plus: regression integration-test in `tier-engine/__tests__/auto-default-
+tier.integration.ts` covering the dispatcher path (sysadmin →
+  tenant:write:create → tier_assignments-row + idempotency on tenant-update).
+  **Known production gap (separate from this fix):** Self-Signup goes through
+  `provisionSignupAccount → seedTenant` (event-store-direct), which bypasses
+  the dispatcher → postSave-hooks never fire in production self-signup. This
+  fix makes the dispatcher path coherent. Real-signup auto-default needs
+  follow-up work (either seedTenant fires hooks or signup-confirm calls
+  explicit seed-helpers).
+  - @cosmicdrift/kumiko-framework@0.2.3
+  - @cosmicdrift/kumiko-dispatcher-live@0.2.3
+  - @cosmicdrift/kumiko-renderer@0.2.3
+  - @cosmicdrift/kumiko-renderer-web@0.2.3
 ## 0.2.2
 ### Patch Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -19,7 +19,9 @@
   },
   "exports": {
     "./audit": "./src/audit/index.ts",
+    "./compliance-profiles": "./src/compliance-profiles/index.ts",
     "./config": "./src/config/index.ts",
+    "./data-retention": "./src/data-retention/index.ts",
     "./jobs": "./src/jobs/index.ts",
     "./tier-engine": "./src/tier-engine/index.ts",
     "./cap-counter": "./src/cap-counter/index.ts",
@@ -33,6 +35,9 @@
     "./file-foundation": "./src/file-foundation/index.ts",
     "./file-provider-s3": "./src/file-provider-s3/index.ts",
     "./file-provider-inmemory": "./src/file-provider-inmemory/index.ts",
+    "./files": "./src/files/index.ts",
+    "./user-data-rights": "./src/user-data-rights/index.ts",
+    "./user-data-rights-defaults": "./src/user-data-rights-defaults/index.ts",
     "./tenant": "./src/tenant/index.ts",
     "./tenant/constants": "./src/tenant/constants.ts",
     "./tenant/seeding": "./src/tenant/seeding.ts",
@@ -58,25 +63,29 @@
     "./feature-toggles": "./src/feature-toggles/index.ts",
     "./text-content": "./src/text-content/index.ts",
     "./text-content/seeding": "./src/text-content/seeding.ts",
-    "./legal-pages": "./src/legal-pages/index.ts"
+    "./text-content/web": "./src/text-content/web/index.ts",
+    "./legal-pages": "./src/legal-pages/index.ts",
+    "./legal-pages/web": "./src/legal-pages/web/index.ts",
+    "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.700.0",
-    "@aws-sdk/s3-request-presigner": "^3.700.0",
-    "@cosmicdrift/kumiko-dispatcher-live": "0.2.2",
-    "@cosmicdrift/kumiko-framework": "0.2.2",
-    "@cosmicdrift/kumiko-renderer": "0.2.2",
-    "@cosmicdrift/kumiko-renderer-web": "0.2.2",
+    "@aws-sdk/client-s3": "^3.1045.0",
+    "@aws-sdk/lib-storage": "^3.1045.0",
+    "@aws-sdk/s3-request-presigner": "^3.1045.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.3.0",
+    "@cosmicdrift/kumiko-framework": "0.3.0",
+    "@cosmicdrift/kumiko-renderer": "0.3.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.3.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",
     "clsx": "^2.1.1",
-    "lucide-react": "^1.11.0",
-    "marked": "^14.1.3",
+    "lucide-react": "^1.14.0",
+    "marked": "^18.0.3",
     "nodemailer": "^8.0.7",
-    "react": "^19.2.0",
-    "stripe": "^22.1.0",
-    "tailwind-merge": "^3.0.2"
+    "react": "^19.2.6",
+    "stripe": "^22.1.1",
+    "tailwind-merge": "^3.6.0"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org",

package/src/auth-email-password/auth-user-row.ts CHANGED Viewed

@@ -21,6 +21,12 @@ export type AuthUserRow = {
   // roles gelten (z.B. SystemAdmin, BillingAdmin). Caller deserialisiert via
   // parseRoles() vor dem Merge in die Session.
   readonly roles?: string | null;
+  // user.status (S2.U1) — "active" | "restricted" | "deletion_requested" |
+  // "deleted". Login.write.ts blockt Restricted (DSGVO Art. 18) sowie
+  // DeletionRequested + Deleted. Untyped string hier weil die Quelle
+  // user-feature-internes Enum ist; auth importiert den Constants-Wert
+  // an der Verwendungsstelle.
+  readonly status?: string | null;
 };
 // Returns the narrowed row or null — mirrors findForAuth's contract where

package/src/auth-email-password/constants.ts CHANGED Viewed

@@ -73,6 +73,17 @@ export const AuthErrors = {
   // deliberate enumeration trade-off: the lockout event itself is already
   // observable to the attacker, and legit users benefit from a clear signal.
   accountLocked: "account_locked",
+  // S2.U6 (DSGVO Art. 18) — Account ist im Restricted-Status. Login wird
+  // explicit verweigert mit eigenem Code (nicht zu invalid_credentials
+  // collapsen) damit UI sagen kann "Account ist aktuell pausiert, hier
+  // klicken zum Aufheben". Enumeration-leak akzeptiert: Restriction ist
+  // user-initiiert, der User weiss dass sein Konto restricted ist.
+  accountRestricted: "account_restricted",
+  // Account ist im DeletionRequested- oder Deleted-Status. Anders als
+  // Restricted ist das nicht reversibel via Login → wir collapsen auf
+  // invalid_credentials damit Forget-Pfad nicht via Login enumerierbar
+  // wird (User der "Konto loeschen" geklickt hat soll nicht erneut sehen
+  // dass die Email-Adresse noch in der DB existiert).
 } as const;
 // Account-lockout defaults — overridable via

package/src/auth-email-password/handlers/change-password.write.ts CHANGED Viewed

@@ -30,7 +30,7 @@ export const changePasswordWrite = defineWriteHandler({
     // Load self with passwordHash — only visible to the privileged caller.
     const me = (await ctx.queryAs(systemUser, UserQueries.findForAuth, {
       id: event.user.id,
-    })) as { id: number; passwordHash: string | null; version: number } | null;
+    })) as { id: number; passwordHash: string | null; version: number } | null; // @cast-boundary db-runner
     if (!me?.passwordHash) {
       return invalidCredentials();

package/src/auth-email-password/handlers/confirm-token-flow.ts CHANGED Viewed

@@ -152,7 +152,7 @@ async function resolveStreamTenants(
 ): Promise<readonly TenantId[]> {
   const memberships = (await ctx.queryAs(systemUser, "tenant:query:memberships", {
     userId: me.id,
-  })) as Array<{ tenantId: TenantId }>;
+  })) as Array<{ tenantId: TenantId }>; // @cast-boundary db-runner
   return orderTenantsByPreference(memberships, me.lastActiveTenantId);
 }

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts CHANGED Viewed

@@ -114,10 +114,10 @@ export function createInviteAcceptWithLoginHandler() {
         if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
           return invalidInviteToken();
-        const invitationTenantId = invitation["tenantId"] as TenantId;
-        const invitationEmail = invitation["email"] as string;
-        const invitationRole = invitation["role"] as string;
-        const invitationVersion = invitation["version"] as number;
+        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
+        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
+        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
+        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
         // Email-Match vom User-Input (nicht aus session — User ist anon)
         if (event.payload.email.toLowerCase() !== invitationEmail) {
@@ -134,19 +134,19 @@ export function createInviteAcceptWithLoginHandler() {
         const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.email, invitationEmail));
         if (!userRow?.["passwordHash"]) return invalidInviteToken();
         const passwordValid = await verifyPassword(
-          userRow["passwordHash"] as string,
+          userRow["passwordHash"] as string, // @cast-boundary db-row
           event.payload.password,
         );
         if (!passwordValid) return invalidInviteToken();
-        const userId = userRow["id"] as string;
+        const userId = userRow["id"] as string; // @cast-boundary db-row
         // Already-Member-Check (idempotent)
         const memberships = (await ctx.queryAs(
           createSystemUser(invitationTenantId),
           "tenant:query:memberships",
           { userId },
-        )) as Array<{ tenantId: string }>;
+        )) as Array<{ tenantId: string }>; // @cast-boundary db-row
         const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
         // @cast-boundary db-runner — TenantDb.raw is DbRunner

package/src/auth-email-password/handlers/invite-accept.write.ts CHANGED Viewed

@@ -107,16 +107,17 @@ export function createInviteAcceptHandler() {
         if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
           return invalidInviteToken();
-        const invitationTenantId = invitation["tenantId"] as TenantId;
-        const invitationEmail = invitation["email"] as string;
-        const invitationRole = invitation["role"] as string;
-        const invitationVersion = invitation["version"] as number;
+        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
+        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
+        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
+        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
         // Email-Match: User muss mit der eingeladenen Email matchen.
         // Sonst kann ein Angreifer mit Zugriff zur invitee-Mail seinen
         // eigenen Account dem Tenant zuschlagen.
         const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.id, event.user.id));
-        if (!userRow || (userRow["email"] as string).toLowerCase() !== invitationEmail) {
+        const userEmail = userRow?.["email"] as string | undefined; // @cast-boundary db-row
+        if (!userRow || !userEmail || userEmail.toLowerCase() !== invitationEmail) {
           return writeFailure(
             new UnprocessableError(AuthErrors.inviteEmailMismatch, {
               i18nKey: "auth.errors.inviteEmailMismatch",
@@ -131,7 +132,7 @@ export function createInviteAcceptHandler() {
           createSystemUser(invitationTenantId),
           "tenant:query:memberships",
           { userId: event.user.id },
-        )) as Array<{ tenantId: string }>;
+        )) as Array<{ tenantId: string }>; // @cast-boundary db-row
         const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
         // @cast-boundary db-runner — TenantDb.raw is DbRunner

package/src/auth-email-password/handlers/invite-create.write.ts CHANGED Viewed

@@ -87,8 +87,8 @@ export function createInviteCreateHandler(opts: InviteCreateOptions = {}) {
       let invitationId: string;
       let token: string;
       if (existing) {
-        invitationId = existing["id"] as string;
-        const existingVersion = existing["version"] as number;
+        invitationId = existing["id"] as string; // @cast-boundary db-row
+        const existingVersion = existing["version"] as number; // @cast-boundary db-row
         // Resend-Idempotenz: Token aus Redis re-use wenn noch lebend.
         // Sonst neuen mintinen (alter ist abgelaufen).
         const existingToken = await getTokenForInvitation(ctx.redis, invitationId);
@@ -122,7 +122,7 @@ export function createInviteCreateHandler(opts: InviteCreateOptions = {}) {
           ctx.db,
         );
         if (!createResult.isSuccess) return createResult;
-        invitationId = (createResult.data as { id: string }).id;
+        invitationId = (createResult.data as { id: string }).id; // @cast-boundary engine-payload
         token = generateToken();
       }

package/src/auth-email-password/handlers/invite-signup-complete.write.ts CHANGED Viewed

@@ -114,10 +114,10 @@ export function createInviteSignupCompleteHandler() {
         if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
           return invalidInviteToken();
-        const invitationTenantId = invitation["tenantId"] as TenantId;
-        const invitationEmail = invitation["email"] as string;
-        const invitationRole = invitation["role"] as string;
-        const invitationVersion = invitation["version"] as number;
+        const invitationTenantId = invitation["tenantId"] as TenantId; // @cast-boundary db-row
+        const invitationEmail = invitation["email"] as string; // @cast-boundary db-row
+        const invitationRole = invitation["role"] as string; // @cast-boundary db-row
+        const invitationVersion = invitation["version"] as number; // @cast-boundary db-row
         // User-Not-Exists-Check: wenn die Email schon registriert ist,
         // muss der User Branch 2 (acceptWithLogin) nutzen. Hier ist

package/src/auth-email-password/handlers/login.write.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import {
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
-import { UserQueries } from "../../user";
+import { USER_STATUS, UserQueries } from "../../user";
 import { parseAuthUserRow } from "../auth-user-row";
 import {
   AUTH_LOCKOUT_DEFAULT_DURATION_MINUTES,
@@ -53,6 +53,19 @@ function accountLocked(retryAfterSeconds: number) {
   );
 }
+// S2.U6 — DSGVO Art. 18 Account-Freeze. Distinct error code (nicht zu
+// invalid_credentials collapsen) damit UI klar sagen kann "Account ist
+// pausiert, hier klicken zum Aufheben". User weiss schon dass sein Konto
+// restricted ist (er hat selbst die Restriction gesetzt), also kein
+// Enumeration-Leak.
+function accountRestricted() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountRestricted, {
+      i18nKey: "auth.errors.accountRestricted",
+    }),
+  );
+}
 export type LoginHandlerOptions = {
   // When true, a valid (email + password) login fails with email_not_verified
   // if the user row's emailVerified flag is false. Enumeration-leak is
@@ -145,12 +158,29 @@ export function createLoginHandler(opts: LoginHandlerOptions = {}) {
         return emailNotVerified();
       }
+      // S2.U6 — DSGVO Art. 18 Account-Freeze. Restricted users koennen sich
+      // nicht einloggen; lift-restriction-Endpoint ist der einzige Ausgang
+      // (siehe lift-restriction.write.ts Header — typisch via Magic-Link
+      // oder Operator-Tool, da Login geblockt). Auth-side Block ist hard-
+      // requirement; ohne den koennte der User mit Login-Sessions trotz
+      // Restriction-Flag durchschreiben.
+      //
+      // DeletionRequested + Deleted kollabieren bewusst auf invalid_creds
+      // (anti-enumeration im Forget-Pfad) — Restricted ist user-initiiert,
+      // distinct error ist hier safe.
+      if (found.status === USER_STATUS.Restricted) {
+        return accountRestricted();
+      }
+      if (found.status === USER_STATUS.DeletionRequested || found.status === USER_STATUS.Deleted) {
+        return invalidCredentials();
+      }
       // Resolve tenant + roles via the tenant feature's memberships query.
       // Returns [] if the user has no memberships — MVP: no login without an
       // invitation, so we refuse with a dedicated error.
       const memberships = (await ctx.queryAs(systemUser, "tenant:query:memberships", {
         userId: found.id,
-      })) as Array<{ tenantId: TenantId; roles: readonly string[] }>;
+      })) as Array<{ tenantId: TenantId; roles: readonly string[] }>; // @cast-boundary db-runner
       if (memberships.length === 0) {
         return noMembership();

package/src/auth-email-password/handlers/logout.write.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { access, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { access, defineWriteHandler, pipeline } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 // Logout — JWT is stateless, so server-side we only return OK. A future
@@ -8,5 +8,5 @@ export const logoutWrite = defineWriteHandler({
   name: "logout",
   schema: z.object({}),
   access: { roles: access.authenticated },
-  handler: async () => ({ isSuccess: true, data: { kind: "logged-out" } }),
+  perform: pipeline(({ r }) => [r.step.return({ isSuccess: true, data: { kind: "logged-out" } })]),
 });

package/src/auth-email-password/handlers/signup-confirm.write.ts CHANGED Viewed

@@ -117,7 +117,7 @@ export function createSignupConfirmHandler() {
           },
         });
-        const tenantId = generateId() as TenantId;
+        const tenantId = generateId() as TenantId; // @cast-boundary engine-payload
         // Display-Name aus email-prefix als sinnvolles Default; User kann
         // den Tenant-Namen + sein eigenes displayName später ändern.
         const displayName = email.split("@")[0] ?? email;

package/src/auth-email-password/i18n.ts CHANGED Viewed

@@ -23,6 +23,8 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.accountLocked": "Konto vorübergehend gesperrt.",
     "auth.errors.accountLockedRetry": "Konto gesperrt. Neuer Versuch in {minutes} Minuten.",
     "auth.errors.emailNotVerified": "E-Mail-Adresse noch nicht bestätigt.",
+    "auth.errors.accountRestricted":
+      "Konto pausiert (Datenschutz Art. 18). Bitte Pause aufheben um wieder einzuloggen.",
     "auth.errors.rateLimited": "Zu viele Login-Versuche. Bitte kurz warten.",
     "auth.errors.invalidBody": "Ungültige Eingabe.",
     "auth.errors.loginFailed": "Login fehlgeschlagen.",
@@ -116,6 +118,8 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.accountLocked": "Account temporarily locked.",
     "auth.errors.accountLockedRetry": "Account locked. Try again in {minutes} minutes.",
     "auth.errors.emailNotVerified": "Email address not yet verified.",
+    "auth.errors.accountRestricted":
+      "Account paused (GDPR Art. 18). Please lift the restriction to sign in again.",
     "auth.errors.rateLimited": "Too many login attempts. Please wait briefly.",
     "auth.errors.invalidBody": "Invalid input.",
     "auth.errors.loginFailed": "Login failed.",

package/src/auth-email-password/web/auth-client.ts CHANGED Viewed

@@ -244,7 +244,7 @@ export async function confirmSignup(
     body: JSON.stringify({ token, password }),
   });
   if (res.ok) {
-    const body = (await res.json()) as SignupConfirmSuccess;
+    const body = (await res.json()) as SignupConfirmSuccess; // @cast-boundary engine-payload
     return { ok: true, data: body };
   }
   return { ok: false, error: await parseTokenFailure(res) };

package/src/billing-foundation/events.ts CHANGED Viewed

@@ -18,7 +18,7 @@ import { BILLING_FOUNDATION_FEATURE, SubscriptionStatuses } from "./constants";
 export const SUBSCRIPTION_AGGREGATE_TYPE = "subscription" as const;
 // Event-name-Konstanten — short-form (für r.defineEvent) + qualifizierte
-// FQN (für ctx.appendEventUnsafe + projection-apply-keys).
+// FQN (für ctx.unsafeAppendEvent + projection-apply-keys).
 export const SUBSCRIPTION_CREATED_EVENT_SHORT = "subscription-created" as const;
 export const SUBSCRIPTION_UPDATED_EVENT_SHORT = "subscription-updated" as const;
 export const SUBSCRIPTION_CANCELED_EVENT_SHORT = "subscription-canceled" as const;

package/src/billing-foundation/feature.ts CHANGED Viewed

@@ -41,7 +41,7 @@
 // (z.B. für analytics: "wie viele Wechsel im Monat?"), kommt ein
 // `subscription-provider-changed`-event-type später.
-import { defineFeature, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
+import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 import { BILLING_FOUNDATION_FEATURE, SUBSCRIPTION_PROVIDER_EXTENSION } from "./constants";
 import {
   INVOICE_PAID_EVENT_QN,
@@ -70,53 +70,50 @@ import {
   subscriptionsProjectionTable,
 } from "./projection";
-export const billingFoundationFeature: FeatureDefinition = defineFeature(
-  BILLING_FOUNDATION_FEATURE,
-  (r) => {
-    // 5 fine-grained domain-events. Alle 5 nutzen denselben payload-
-    // shape (= subscription-state-snapshot); der event-type taggt was
-    // passiert ist. Future-consumer (billing-history, accounting)
-    // listenen direkt auf den event-type ohne payload-discriminator.
-    r.defineEvent(SUBSCRIPTION_CREATED_EVENT_SHORT, subscriptionEventPayloadSchema);
-    r.defineEvent(SUBSCRIPTION_UPDATED_EVENT_SHORT, subscriptionEventPayloadSchema);
-    r.defineEvent(SUBSCRIPTION_CANCELED_EVENT_SHORT, subscriptionEventPayloadSchema);
-    r.defineEvent(INVOICE_PAID_EVENT_SHORT, subscriptionEventPayloadSchema);
-    r.defineEvent(INVOICE_PAYMENT_FAILED_EVENT_SHORT, subscriptionEventPayloadSchema);
+export const billingFoundationFeature = defineFeature(BILLING_FOUNDATION_FEATURE, (r) => {
+  // 5 fine-grained domain-events. Alle 5 nutzen denselben payload-
+  // shape (= subscription-state-snapshot); der event-type taggt was
+  // passiert ist. Future-consumer (billing-history, accounting)
+  // listenen direkt auf den event-type ohne payload-discriminator.
+  r.defineEvent(SUBSCRIPTION_CREATED_EVENT_SHORT, subscriptionEventPayloadSchema);
+  r.defineEvent(SUBSCRIPTION_UPDATED_EVENT_SHORT, subscriptionEventPayloadSchema);
+  r.defineEvent(SUBSCRIPTION_CANCELED_EVENT_SHORT, subscriptionEventPayloadSchema);
+  r.defineEvent(INVOICE_PAID_EVENT_SHORT, subscriptionEventPayloadSchema);
+  r.defineEvent(INVOICE_PAYMENT_FAILED_EVENT_SHORT, subscriptionEventPayloadSchema);
-    // Inline projection: materialized current state in `read_subscriptions`.
-    // Apply läuft in derselben TX wie ctx.appendEventUnsafe — read-your-
-    // own-write ohne dispatcher-tick.
-    r.projection({
-      name: "subscription",
-      source: SUBSCRIPTION_AGGREGATE_TYPE,
-      table: subscriptionsProjectionTable,
-      apply: {
-        [SUBSCRIPTION_CREATED_EVENT_QN]: applySubscriptionCreated,
-        [SUBSCRIPTION_UPDATED_EVENT_QN]: applySubscriptionUpdated,
-        [SUBSCRIPTION_CANCELED_EVENT_QN]: applySubscriptionCanceled,
-        [INVOICE_PAID_EVENT_QN]: applyInvoicePaid,
-        [INVOICE_PAYMENT_FAILED_EVENT_QN]: applyInvoicePaymentFailed,
-      },
-    });
+  // Inline projection: materialized current state in `read_subscriptions`.
+  // Apply läuft in derselben TX wie ctx.unsafeAppendEvent — read-your-
+  // own-write ohne dispatcher-tick.
+  r.projection({
+    name: "subscription",
+    source: SUBSCRIPTION_AGGREGATE_TYPE,
+    table: subscriptionsProjectionTable,
+    apply: {
+      [SUBSCRIPTION_CREATED_EVENT_QN]: applySubscriptionCreated,
+      [SUBSCRIPTION_UPDATED_EVENT_QN]: applySubscriptionUpdated,
+      [SUBSCRIPTION_CANCELED_EVENT_QN]: applySubscriptionCanceled,
+      [INVOICE_PAID_EVENT_QN]: applyInvoicePaid,
+      [INVOICE_PAYMENT_FAILED_EVENT_QN]: applyInvoicePaymentFailed,
+    },
+  });
-    // Plugin extension-point. Provider-Plugins registrieren sich hier.
-    r.extendsRegistrar(SUBSCRIPTION_PROVIDER_EXTENSION, {
-      onRegister: () => {
-        // No side-effects at register-time.
-      },
-    });
+  // Plugin extension-point. Provider-Plugins registrieren sich hier.
+  r.extendsRegistrar(SUBSCRIPTION_PROVIDER_EXTENSION, {
+    onRegister: () => {
+      // No side-effects at register-time.
+    },
+  });
-    // Custom write-handlers:
-    //   - process-event: programmatic entry-point vom webhook-handler;
-    //     dispatcht zu type-passendem appendEvent
-    //   - create-checkout-session: Tenant-Admin "Upgrade to Pro"-flow
-    //   - create-portal-session: Tenant-Admin "Manage Subscription"-flow
-    r.writeHandler(processEventHandler);
-    r.writeHandler(createCheckoutSessionHandler);
-    r.writeHandler(createPortalSessionHandler);
+  // Custom write-handlers:
+  //   - process-event: programmatic entry-point vom webhook-handler;
+  //     dispatcht zu type-passendem appendEvent
+  //   - create-checkout-session: Tenant-Admin "Upgrade to Pro"-flow
+  //   - create-portal-session: Tenant-Admin "Manage Subscription"-flow
+  r.writeHandler(processEventHandler);
+  r.writeHandler(createCheckoutSessionHandler);
+  r.writeHandler(createPortalSessionHandler);
-    // Custom list-query auf der subscription-projection (raw drizzle-
-    // table; kein r.entity weil Schreiben via projection-apply läuft).
-    r.queryHandler(listSubscriptionsQuery);
-  },
-);
+  // Custom list-query auf der subscription-projection (raw drizzle-
+  // table; kein r.entity weil Schreiben via projection-apply läuft).
+  r.queryHandler(listSubscriptionsQuery);
+});

package/src/billing-foundation/handlers/create-portal-session.write.ts CHANGED Viewed

@@ -28,7 +28,7 @@ export const createPortalSessionHandler: WriteHandlerDef = {
   schema: createPortalSessionSchema,
   access: { roles: ["TenantAdmin", "SystemAdmin"] },
   handler: async (event, ctx) => {
-    const payload = event.payload as CreatePortalSessionPayload;
+    const payload = event.payload as CreatePortalSessionPayload; // @cast-boundary engine-payload
     const tenantId = event.user.tenantId;
     // 1. Hol current subscription-row für den Tenant. Aggregate-id ist
@@ -41,8 +41,8 @@ export const createPortalSessionHandler: WriteHandlerDef = {
         "subscription-foundation: no active subscription for this tenant. Create one via create-checkout-session first.",
       );
     }
-    const providerName = row["providerName"] as string;
-    const providerCustomerId = row["providerCustomerId"] as string;
+    const providerName = row["providerName"] as string; // @cast-boundary db-row
+    const providerCustomerId = row["providerCustomerId"] as string; // @cast-boundary db-row
     // 2. Plugin-Lookup
     const usages = ctx.registry.getExtensionUsages(SUBSCRIPTION_PROVIDER_EXTENSION);

package/src/billing-foundation/handlers/process-event.write.ts CHANGED Viewed

@@ -9,7 +9,7 @@
 //      kein zweiter append.
 //   2. Type-mapping: SubscriptionEvent.type (= normalisiert vom Plugin)
 //      → einer der 5 ES-event-typen.
-//   3. ctx.appendEventUnsafe — Inline-projection materialisiert die
+//   3. ctx.unsafeAppendEvent — Inline-projection materialisiert die
 //      `read_subscriptions`-row in derselben TX.
 import type { WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
@@ -69,7 +69,7 @@ const NORMALIZED_TO_ES_EVENT: Readonly<Record<string, string>> = {
   [SubscriptionEventTypes.canceled]: SUBSCRIPTION_CANCELED_EVENT_QN,
   [SubscriptionEventTypes.invoicePaid]: INVOICE_PAID_EVENT_QN,
   [SubscriptionEventTypes.invoicePaymentFailed]: INVOICE_PAYMENT_FAILED_EVENT_QN,
-};
+} satisfies Readonly<Record<string, string>>;
 // =============================================================================
 // Handler
@@ -141,7 +141,7 @@ export const processEventHandler: WriteHandlerDef = {
       providerName: payload.providerName,
       rawPayload: payload.rawPayload,
     };
-    await ctx.appendEventUnsafe({
+    await ctx.unsafeAppendEvent({
       aggregateId: aggId,
       aggregateType: SUBSCRIPTION_AGGREGATE_TYPE,
       type: esEventType,

package/src/billing-foundation/projection.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 // Inline-projection für `read_subscriptions`. Materialisiert die 5
 // subscription-events in eine row pro Tenant.
 //
-// Apply läuft in derselben TX wie ctx.appendEventUnsafe — Caller sieht
+// Apply läuft in derselben TX wie ctx.unsafeAppendEvent — Caller sieht
 // seinen Schreib-State sofort (kein dispatcher-tick nötig). PK = event.
 // aggregateId (= deterministic uuidv5 pro Tenant) → replays kollidieren
 // auf der PK statt doppelte rows zu erzeugen.

package/src/billing-foundation/webhook-handler.ts CHANGED Viewed

@@ -169,7 +169,7 @@ export function createSubscriptionWebhookHandler(deps: SubscriptionWebhookDeps)
       );
     }
-    return c.json({ processed: true, ...((dispatched.data as object) ?? {}) }, 200);
+    return c.json({ processed: true, ...((dispatched.data as object) ?? {}) }, 200); // @cast-boundary engine-bridge
   };
 }