npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.24.0 → 0.25.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.24.0 → 0.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/src/custom-fields/web/i18n.ts ADDED Viewed

@@ -0,0 +1,30 @@
+// @runtime client
+// Default translation bundle for the custom-fields UI. customFieldsClient()
+// hangs it into the LocaleProvider as a fallback bundle — apps override
+// individual keys via `customFieldsClient({ translations: { de: { ... } } })`.
+//
+// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.*` mirror
+// the i18nKeys the server-side handlers emit (e.g. `custom-fields:save-failed`).
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "custom-fields.form.createMode": "Speichere zuerst den Eintrag, um Custom-Felder zu setzen.",
+    "custom-fields.form.loading": "Lädt…",
+    "custom-fields.form.empty": 'Keine Custom-Felder für "{entityName}" definiert.',
+    "custom-fields.form.save": "Custom-Felder speichern",
+    "custom-fields.form.saving": "Speichert…",
+    "custom-fields.errors.loadFailed": "Custom-Felder konnten nicht geladen werden.",
+    "custom-fields.errors.saveFailed": "Speichern fehlgeschlagen.",
+  },
+  en: {
+    "custom-fields.form.createMode": "Save the entity first to add custom field values.",
+    "custom-fields.form.loading": "Loading…",
+    "custom-fields.form.empty": 'No custom fields defined for "{entityName}".',
+    "custom-fields.form.save": "Save custom fields",
+    "custom-fields.form.saving": "Saving…",
+    "custom-fields.errors.loadFailed": "Could not load custom fields.",
+    "custom-fields.errors.saveFailed": "Save failed.",
+  },
+};

package/src/custom-fields/wire-for-entity.ts CHANGED Viewed

@@ -114,6 +114,7 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
           payload.fieldKey,
           payload.value,
           event.aggregateId,
+          event.tenantId,
         );
       },
       [clearedEventType]: async (event, tx) => {
@@ -124,7 +125,13 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
         // jsonb minus operator (`-`) entfernt key aus jsonb-object.
         const tableName = getTableName(entityTable);
-        await clearCustomFieldKey(tx, tableName, payload.fieldKey, event.aggregateId);
+        await clearCustomFieldKey(
+          tx,
+          tableName,
+          payload.fieldKey,
+          event.aggregateId,
+          event.tenantId,
+        );
       },
       [fieldDefDeletedType]: async (event, tx) => {
         // fieldDefinition.deleted fires nur einmal pro fieldDef-delete
@@ -164,8 +171,8 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
       const customFields = row["customFields"];
       if (customFields && typeof customFields === "object" && !Array.isArray(customFields)) {
         return {
-          ...row,
           ...(customFields as Record<string, unknown>), // @cast-boundary db-row jsonb runtime-untyped
+          ...row, // base fields win: a custom fieldKey named `id`/`name` must not shadow the real column
         };
       }
       return row;

package/src/custom-fields/wire-user-data-rights.ts CHANGED Viewed

@@ -40,6 +40,14 @@ function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };
 }
+// The anonymize strip filters rows by `WHERE userIdColumn = userId`. A host
+// anonymize hook on the SAME entity that nulls that column (e.g. inserted_by_id
+// = NULL) would, if it ran first, leave the strip matching 0 rows → sensitive
+// jsonb PII silently retained (DSGVO Art. 17 violation). A negative order makes
+// runForgetCleanup run this strip before any default-order (0) owner-nulling
+// hook, independent of feature registration order.
+const ORDER_REDACT_BEFORE_OWNER_MUTATION = -100;
 export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<string>>(
   r: TReg,
   opts: WireCustomFieldsUserDataRightsOptions,
@@ -88,6 +96,7 @@ export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<
   r.useExtension(EXT_USER_DATA, opts.entityName, {
     export: exportHook,
     delete: deleteHook,
+    order: ORDER_REDACT_BEFORE_OWNER_MUTATION,
   });
 }

package/src/feature-toggles/handlers/set.write.ts CHANGED Viewed

@@ -42,6 +42,17 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
     handler: async (event, ctx) => {
       const { featureName, enabled } = event.payload;
+      // Guard 0: fail fast on a misconfigured app BEFORE any DB write or event
+      // append — otherwise the row + toggle-set event commit and the operator
+      // only sees the error, leaving the in-memory snapshot stale until reboot.
+      if (!getRuntime) {
+        throw new Error(
+          "[feature-toggles] set-handler called but createFeatureTogglesFeature " +
+            "was wired up without `getRuntime`. Wire the accessor in your app-config " +
+            "(production: `() => runtime` after buildServer; tests: createLateBoundHolder.get).",
+        );
+      }
       // Guard 1: featureName must be a registered feature. Otherwise we'd
       // pile up orphan rows from typos that the gate would silently apply
       // (if someone ever added a feature with that name later).
@@ -153,14 +164,8 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
       // for a dispatcher tick. Other instances learn the change through
       // the `toggle-cache-sync` MSP (see feature-toggles-feature.ts). Both
       // paths are idempotent — Map.set is last-write-wins and the DB is
-      // the source of truth after boot-time initialize().
-      if (!getRuntime) {
-        throw new Error(
-          "[feature-toggles] set-handler called but createFeatureTogglesFeature " +
-            "was wired up without `getRuntime`. Wire the accessor in your app-config " +
-            "(production: `() => runtime` after buildServer; tests: createLateBoundHolder.get).",
-        );
-      }
+      // the source of truth after boot-time initialize(). getRuntime presence
+      // is enforced at Guard 0, so it is non-undefined here.
       getRuntime().apply(featureName, enabled);
       return {

package/src/secrets/feature.ts CHANGED Viewed

@@ -23,21 +23,14 @@ import { tenantSecretEntity } from "./table";
 export const secretsEnvSchema = z.object({
   KUMIKO_SECRETS_MASTER_KEY_V1: z
     .string()
-    .refine(
-      (v) => {
-        try {
-          return Buffer.from(v, "base64").length === 32;
-        } catch {
-          return false;
-        }
-      },
-      { message: "must be base64-encoded 32 bytes (AES-256 KEK)" },
-    )
+    .refine((v) => Buffer.from(v, "base64").length === 32, {
+      message: "must be base64-encoded 32 bytes (AES-256 KEK)",
+    })
     .describe("AES-256 master-key (KEK) for tenant-secrets encryption.")
     .meta({ kumiko: { pulumi: { generator: "openssl rand -base64 32", secret: true } } }),
   KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: z
     .string()
-    .regex(/^\d+$/, "must be a positive integer (V<n> selector)")
+    .regex(/^[1-9]\d*$/, "must be a positive integer (V<n> selector)")
     .default("1")
     .describe(
       "Pins the active KEK version. Default '1'. Bump after writing a higher KUMIKO_SECRETS_MASTER_KEY_V<n>.",

package/src/subscription-stripe/feature.ts CHANGED Viewed

@@ -60,12 +60,12 @@ import { verifyAndParseStripeWebhook } from "./verify-webhook";
 export const subscriptionStripeEnvSchema = z.object({
   STRIPE_WEBHOOK_SECRET: z
     .string()
-    .min(1, "STRIPE_WEBHOOK_SECRET must not be empty")
+    .regex(/^whsec_/, "STRIPE_WEBHOOK_SECRET must start with 'whsec_'")
     .describe("Stripe webhook-signing secret (`whsec_...` from the Stripe dashboard).")
     .meta({ kumiko: { pulumi: { secret: true } } }),
   STRIPE_API_KEY: z
     .string()
-    .min(1, "STRIPE_API_KEY must not be empty")
+    .regex(/^sk_(test|live)_/, "STRIPE_API_KEY must start with 'sk_test_' or 'sk_live_'")
     .describe("Stripe API key (`sk_live_...` / `sk_test_...`).")
     .meta({ kumiko: { pulumi: { secret: true } } }),
 });

package/src/template-resolver/handlers/list.query.ts CHANGED Viewed

@@ -20,15 +20,11 @@ export const listQuery = defineQueryHandler({
     const isSystemAdmin = query.user.roles.includes("SystemAdmin");
     const where: Record<string, unknown> = {};
-    // Tenant-Scope: SystemAdmin sieht alles, andere nur eigener Tenant + System
-    if (!isSystemAdmin) {
-      if (query.payload.includeSystem) {
-        where["tenantId"] = [query.user.tenantId, SYSTEM_TENANT_ID];
-      } else {
-        where["tenantId"] = query.user.tenantId;
-      }
-    } else if (!query.payload.includeSystem) {
-      // SystemAdmin mit includeSystem=false → nur eigener Tenant
+    // TenantDb scopes non-SystemAdmin reads to [own tenant, SYSTEM reference] and
+    // refuses a caller-narrowed where.tenantId (enforced isolation). SystemAdmin
+    // uses a system-scoped db that sees every tenant, so narrow to own explicitly
+    // when they don't want the cross-tenant view.
+    if (isSystemAdmin && !query.payload.includeSystem) {
       where["tenantId"] = query.user.tenantId;
     }
@@ -48,7 +44,13 @@ export const listQuery = defineQueryHandler({
       limit: 500,
     })) as TemplateResourceRow[];
-    return rows.map((row) => ({
+    // TenantDb always surfaces SYSTEM reference rows alongside the tenant's own;
+    // includeSystem=false drops them here since they can't be excluded at the DB.
+    const visible = query.payload.includeSystem
+      ? rows
+      : rows.filter((row) => row.tenantId !== SYSTEM_TENANT_ID);
+    return visible.map((row) => ({
       id: String(row.id),
       tenantId: row.tenantId,
       slug: row.slug,

package/src/tenant/__tests__/seed-testing.integration.test.ts CHANGED Viewed

@@ -173,6 +173,32 @@ describe("seedTenantMembership", () => {
     expect(events.filter((e) => e.type === "tenant-membership.created")).toHaveLength(1);
   });
+  test("returns the membership-row id — identical across create + no-op re-seed", async () => {
+    // Both return paths (create via extractMembershipId, no-op via fetched row)
+    // must yield the same valid uuid string that the projection actually holds.
+    // Previously the return was never asserted; a no-op returning the wrong /
+    // undefined id would have gone unnoticed.
+    const created = await seedTenantMembership(stack.db, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+      roles: ["User"],
+    });
+    const reSeeded = await seedTenantMembership(stack.db, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+      roles: ["User"],
+    });
+    expect(created.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
+    expect(reSeeded.id).toBe(created.id);
+    const [row] = await selectMany(stack.db, tenantMembershipsTable, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+    });
+    expect(row?.["id"]).toBe(created.id);
+  });
   test("records the `by` user as insertedById on the projection", async () => {
     // Audit-queries that join events → users need a stable actor. Default
     // `by` is TestUsers.systemAdmin; override to a custom test user and

package/src/tenant/seeding.ts CHANGED Viewed

@@ -141,9 +141,9 @@ export async function seedTenantMembership(
     tenantId: options.tenantId,
   });
   if (existing) {
-    // @cast-boundary db-row: membership-row id is uuid (string) per
-    // entity definition; fetchOne returns the raw projection row.
-    return { id: existing["id"] as string };
+    // Same validation as the create-path — a missing/non-string id throws
+    // instead of silently returning `undefined as string`.
+    return { id: extractMembershipId(existing) };
   }
   const result = await executor.create(

package/src/user-data-rights/__tests__/cross-data-matrix.integration.test.ts CHANGED Viewed

@@ -14,6 +14,7 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { asRawClient, deleteMany, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { defineUnmanagedTable } from "@cosmicdrift/kumiko-framework/db";
 import {
   defineFeature,
   EXT_USER_DATA,
@@ -60,17 +61,16 @@ type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 const NOW = (): Instant => getTemporal().Now.instant();
 const PAST = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
-const KUMIKO_NAME = Symbol.for("kumiko:schema:Name");
-const KUMIKO_COLUMNS = Symbol.for("kumiko:schema:Columns");
-/** Minimal bun-db table descriptor for the synthetic test_notes table. */
-const testNotesTable = {
-  [KUMIKO_NAME]: "test_notes",
-  [KUMIKO_COLUMNS]: {
-    tenantId: { name: "tenant_id", getSQLType: () => "uuid" },
-    authorId: { name: "author_id", getSQLType: () => "text" },
-  },
-};
+// Synthetic third-party "note" table — unmanaged (no entity-system base
+// columns). deleteMany only filters on tenant_id + author_id, so those are the
+// only columns the query layer needs to know about.
+const testNotesTable = defineUnmanagedTable({
+  tableName: "test_notes",
+  columns: [
+    { name: "tenant_id", pgType: "uuid", notNull: true },
+    { name: "author_id", pgType: "text", notNull: true },
+  ],
+});
 // Synthetic third-party Domain-Feature: "note" mit export- + delete-Hook.
 // Stellvertretend fuer App-spezifische Entities (Chat-Message, Blog-Post

package/src/user-data-rights/__tests__/file-binary-forget-cleanup.integration.test.ts CHANGED Viewed

@@ -6,7 +6,7 @@
 // Datei ihre Bytes dauerhaft auf Disk (Issue gefunden im Review zu #177).
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
-import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import {
   createInMemoryFileProvider,
@@ -20,31 +20,32 @@ import {
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
-import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { createComplianceProfilesFeature } from "../../compliance-profiles";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
 import { createFilesFeature } from "../../files";
 import { createSessionsFeature } from "../../sessions";
-import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserFeature, userEntity, userTable } from "../../user";
 import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
 import { createUserDataRightsFeature } from "../feature";
 import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  type ForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
 let stack: TestStack;
 let db: DbConnection;
 let provider: InMemoryFileProvider;
+let seed: ForgetSeeders;
 const TENANT = "00000000-0000-4000-8000-00000000000c";
-const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
 function uuid(suffix: number): string {
   return `bbbbbbbb-bbbb-4bbb-8bbb-${suffix.toString(16).padStart(12, "0")}`;
 }
-type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
-const NOW = (): Instant => getTemporal().Now.instant();
-const pastInstant = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
 beforeAll(async () => {
   provider = createInMemoryFileProvider();
   stack = await setupTestStack({
@@ -60,27 +61,12 @@ beforeAll(async () => {
     files: { storageProvider: provider },
   });
   db = stack.db;
+  seed = createForgetSeeders(db, provider);
   await unsafeCreateEntityTable(db, userEntity);
   await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
   await unsafePushTables(db, { fileRefsTable });
-  await asRawClient(db).unsafe(`
-    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
-      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-      tenant_id UUID NOT NULL,
-      user_id TEXT NOT NULL,
-      version INTEGER NOT NULL DEFAULT 0,
-      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
-      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
-      inserted_by_id TEXT,
-      modified_by_id TEXT,
-      is_deleted BOOLEAN NOT NULL DEFAULT false,
-      deleted_at TIMESTAMPTZ,
-      deleted_by_id TEXT,
-      roles TEXT NOT NULL DEFAULT '[]',
-      UNIQUE(user_id, tenant_id)
-    )
-  `);
+  await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
 });
 afterAll(async () => {
@@ -92,49 +78,15 @@ beforeEach(async () => {
   await resetTestTables(db, [userTable, "read_tenant_memberships", fileRefsTable]);
 });
-async function seedForgetUser(id: string): Promise<void> {
-  await insertOne(db, userTable, {
-    id,
-    tenantId: TENANT_SYSTEM,
-    email: `user-${id}@example.com`,
-    passwordHash: "hashed",
-    displayName: `User ${id}`,
-    locale: "de",
-    emailVerified: true,
-    roles: '["Member"]',
-    status: USER_STATUS.DeletionRequested,
-    gracePeriodEnd: pastInstant(),
-  });
-}
-async function seedMembership(userId: string, tenantId: string): Promise<void> {
-  await asRawClient(db).unsafe(
-    `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
-     VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
-    [tenantId, userId],
-  );
-}
-async function seedFile(id: string, tenantId: string, insertedById: string): Promise<string> {
-  const storageKey = `storage/${id}`;
-  await provider.write(storageKey, new Uint8Array([1, 2, 3, 4]), "application/pdf");
-  await asRawClient(db).unsafe(
-    `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
-     VALUES ($1, $2, $3, $4, 'application/pdf', 4, $5) ON CONFLICT (id) DO NOTHING`,
-    [id, tenantId, storageKey, `${id}.pdf`, insertedById],
-  );
-  return storageKey;
-}
 describe("forget-binary-cleanup :: storage.delete fires before row hard-delete", () => {
   test("Forget deletes the binary from the storage provider", async () => {
     const userId = uuid(1);
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
-    const key = await seedFile(uuid(101), TENANT, userId);
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile(uuid(101), TENANT, userId);
     expect(await provider.exists(key)).toBe(true);
-    const result = await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     expect(result.processedUserIds).toContain(userId);
     expect(await provider.exists(key)).toBe(false);
@@ -143,16 +95,16 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
   test("Multiple files from the same user — all binaries cleaned up", async () => {
     const userId = uuid(2);
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
     const keys = await Promise.all([
-      seedFile(uuid(201), TENANT, userId),
-      seedFile(uuid(202), TENANT, userId),
-      seedFile(uuid(203), TENANT, userId),
+      seed.seedFile(uuid(201), TENANT, userId),
+      seed.seedFile(uuid(202), TENANT, userId),
+      seed.seedFile(uuid(203), TENANT, userId),
     ]);
     expect(provider.keys()).toHaveLength(3);
-    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     for (const key of keys) {
       expect(await provider.exists(key)).toBe(false);
@@ -163,14 +115,14 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
   test("Other tenants' files stay untouched", async () => {
     const userId = uuid(3);
     const otherTenant = "00000000-0000-4000-8000-00000000000d";
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
-    const myKey = await seedFile(uuid(301), TENANT, userId);
-    const otherKey = await seedFile(uuid(302), otherTenant, "another-user");
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const myKey = await seed.seedFile(uuid(301), TENANT, userId);
+    const otherKey = await seed.seedFile(uuid(302), otherTenant, "another-user");
     // The other-tenant file is owned by a different user; the forget run for
     // userId must NOT touch it.
-    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     expect(await provider.exists(myKey)).toBe(false);
     expect(await provider.exists(otherKey)).toBe(true);