@cosmicdrift/kumiko-bundled-features 0.24.1 → 0.26.0

package/src/custom-fields/web/custom-fields-form-section.tsx

@@ -10,7 +10,12 @@
 // `component: { react: { __component: CUSTOM_FIELDS_FORM_EXTENSION_NAME } }`
 // referenziert.
 
-import { useDispatcher, usePrimitives, useQuery } from "@cosmicdrift/kumiko-renderer";
+import {
+  useDispatcher,
+  usePrimitives,
+  useQuery,
+  useTranslation,
+} from "@cosmicdrift/kumiko-renderer";
 import { type ReactNode, useState } from "react";
 import { CustomFieldsHandlers, CustomFieldsQueries } from "../constants";
 
@@ -35,8 +40,13 @@ export function CustomFieldsFormSection({
   readonly entityId: string | null;
 }): ReactNode {
   const { Banner, Button, Field, Input, Text } = usePrimitives();
+  const t = useTranslation();
   const dispatcher = useDispatcher();
-  const query = useQuery<FieldDefinitionListResponse>(CustomFieldsQueries.fieldDefinitionList, {});
+  const query = useQuery<FieldDefinitionListResponse>(
+    CustomFieldsQueries.fieldDefinitionList,
+    {},
+    { enabled: entityId !== null },
+  );
   const [pending, setPending] = useState<Readonly<Record<string, string>>>({});
   const [saving, setSaving] = useState(false);
   const [errorKey, setErrorKey] = useState<string | null>(null);
@@ -44,21 +54,21 @@ export function CustomFieldsFormSection({
   if (entityId === null) {
     return (
       <Banner variant="info" testId="custom-fields-form-create-mode">
-        <Text>Save the entity first to add custom field values.</Text>
+        <Text>{t("custom-fields.form.createMode")}</Text>
       </Banner>
     );
   }
   if (query.loading && query.data === null) {
     return (
       <Banner variant="loading" testId="custom-fields-form-loading">
-        <Text>Loading…</Text>
+        <Text>{t("custom-fields.form.loading")}</Text>
       </Banner>
     );
   }
   if (query.error) {
     return (
       <Banner variant="error" testId="custom-fields-form-error">
-        <Text>{query.error.i18nKey}</Text>
+        <Text>{t(query.error.i18nKey, query.error.i18nParams)}</Text>
       </Banner>
     );
   }
@@ -71,7 +81,7 @@ export function CustomFieldsFormSection({
   if (matchingFields.length === 0) {
     return (
       <Banner variant="info" testId="custom-fields-form-empty">
-        <Text>No custom fields defined for "{entityName}".</Text>
+        <Text>{t("custom-fields.form.empty", { entityName })}</Text>
       </Banner>
     );
   }
@@ -91,7 +101,7 @@ export function CustomFieldsFormSection({
           value,
         });
         if (!result.isSuccess) {
-          setErrorKey(result.error?.i18nKey ?? "custom-fields:save-failed");
+          setErrorKey(result.error?.i18nKey ?? "custom-fields.errors.saveFailed");
           return;
         }
       }
@@ -123,11 +133,11 @@ export function CustomFieldsFormSection({
         disabled={saving || !dirty}
         testId="custom-fields-form-save"
       >
-        {saving ? "Saving…" : "Save custom fields"}
+        {saving ? t("custom-fields.form.saving") : t("custom-fields.form.save")}
       </Button>
       {errorKey !== null && (
         <Banner variant="error" testId="custom-fields-form-save-error">
-          <Text>{errorKey}</Text>
+          <Text>{t(errorKey)}</Text>
         </Banner>
       )}
     </div>

package/src/custom-fields/web/i18n.ts

@@ -0,0 +1,30 @@
+// @runtime client
+// Default translation bundle for the custom-fields UI. customFieldsClient()
+// hangs it into the LocaleProvider as a fallback bundle — apps override
+// individual keys via `customFieldsClient({ translations: { de: { ... } } })`.
+//
+// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.*` mirror
+// the i18nKeys the server-side handlers emit (e.g. `custom-fields:save-failed`).
+
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "custom-fields.form.createMode": "Speichere zuerst den Eintrag, um Custom-Felder zu setzen.",
+    "custom-fields.form.loading": "Lädt…",
+    "custom-fields.form.empty": 'Keine Custom-Felder für "{entityName}" definiert.',
+    "custom-fields.form.save": "Custom-Felder speichern",
+    "custom-fields.form.saving": "Speichert…",
+    "custom-fields.errors.loadFailed": "Custom-Felder konnten nicht geladen werden.",
+    "custom-fields.errors.saveFailed": "Speichern fehlgeschlagen.",
+  },
+  en: {
+    "custom-fields.form.createMode": "Save the entity first to add custom field values.",
+    "custom-fields.form.loading": "Loading…",
+    "custom-fields.form.empty": 'No custom fields defined for "{entityName}".',
+    "custom-fields.form.save": "Save custom fields",
+    "custom-fields.form.saving": "Saving…",
+    "custom-fields.errors.loadFailed": "Could not load custom fields.",
+    "custom-fields.errors.saveFailed": "Save failed.",
+  },
+};

package/src/custom-fields/wire-for-entity.ts

@@ -171,8 +171,8 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
       const customFields = row["customFields"];
       if (customFields && typeof customFields === "object" && !Array.isArray(customFields)) {
         return {
-          ...row,
           ...(customFields as Record<string, unknown>), // @cast-boundary db-row jsonb runtime-untyped
+          ...row, // base fields win: a custom fieldKey named `id`/`name` must not shadow the real column
         };
       }
       return row;

package/src/custom-fields/wire-user-data-rights.ts

@@ -40,6 +40,14 @@ function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };
 }
 
+// The anonymize strip filters rows by `WHERE userIdColumn = userId`. A host
+// anonymize hook on the SAME entity that nulls that column (e.g. inserted_by_id
+// = NULL) would, if it ran first, leave the strip matching 0 rows → sensitive
+// jsonb PII silently retained (DSGVO Art. 17 violation). A negative order makes
+// runForgetCleanup run this strip before any default-order (0) owner-nulling
+// hook, independent of feature registration order.
+const ORDER_REDACT_BEFORE_OWNER_MUTATION = -100;
+
 export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<string>>(
   r: TReg,
   opts: WireCustomFieldsUserDataRightsOptions,
@@ -88,6 +96,7 @@ export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<
   r.useExtension(EXT_USER_DATA, opts.entityName, {
     export: exportHook,
     delete: deleteHook,
+    order: ORDER_REDACT_BEFORE_OWNER_MUTATION,
   });
 }
 

package/src/feature-toggles/handlers/set.write.ts

@@ -42,6 +42,17 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
     handler: async (event, ctx) => {
       const { featureName, enabled } = event.payload;
 
+      // Guard 0: fail fast on a misconfigured app BEFORE any DB write or event
+      // append — otherwise the row + toggle-set event commit and the operator
+      // only sees the error, leaving the in-memory snapshot stale until reboot.
+      if (!getRuntime) {
+        throw new Error(
+          "[feature-toggles] set-handler called but createFeatureTogglesFeature " +
+            "was wired up without `getRuntime`. Wire the accessor in your app-config " +
+            "(production: `() => runtime` after buildServer; tests: createLateBoundHolder.get).",
+        );
+      }
+
       // Guard 1: featureName must be a registered feature. Otherwise we'd
       // pile up orphan rows from typos that the gate would silently apply
       // (if someone ever added a feature with that name later).
@@ -153,14 +164,8 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
       // for a dispatcher tick. Other instances learn the change through
       // the `toggle-cache-sync` MSP (see feature-toggles-feature.ts). Both
       // paths are idempotent — Map.set is last-write-wins and the DB is
-      // the source of truth after boot-time initialize().
-      if (!getRuntime) {
-        throw new Error(
-          "[feature-toggles] set-handler called but createFeatureTogglesFeature " +
-            "was wired up without `getRuntime`. Wire the accessor in your app-config " +
-            "(production: `() => runtime` after buildServer; tests: createLateBoundHolder.get).",
-        );
-      }
+      // the source of truth after boot-time initialize(). getRuntime presence
+      // is enforced at Guard 0, so it is non-undefined here.
       getRuntime().apply(featureName, enabled);
 
       return {

package/src/file-provider-inmemory/__tests__/feature.test.ts

@@ -1,6 +1,7 @@
 // feature.ts contract tests for file-provider-inmemory.
 
 import { describe, expect, test } from "bun:test";
+import type { FileProviderPlugin } from "@cosmicdrift/kumiko-bundled-features/file-foundation";
 import { clearStorage, fileProviderInMemoryFeature, listKeys } from "../feature";
 
 describe("fileProviderInMemoryFeature — shape", () => {
@@ -33,3 +34,57 @@ describe("listKeys / clearStorage — per-tenant store helpers", () => {
     expect(() => clearStorage("never-touched")).not.toThrow();
   });
 });
+
+// extension-usage `options` is engine-payload (unknown) — structurally validate
+// instead of casting blind.
+function isFileProviderPlugin(o: unknown): o is FileProviderPlugin {
+  return typeof o === "object" && o !== null && "build" in o && typeof o.build === "function";
+}
+
+function inmemoryPlugin(): FileProviderPlugin {
+  const options = fileProviderInMemoryFeature.extensionUsages.find(
+    (u) => u.extensionName === "fileProvider" && u.entityName === "inmemory",
+  )?.options;
+  if (!isFileProviderPlugin(options)) {
+    throw new Error("file-provider-inmemory: inmemory plugin not registered with a build()");
+  }
+  return options;
+}
+
+const bytes = (s: string) => new TextEncoder().encode(s);
+
+describe("file-provider-inmemory — build() + per-tenant store", () => {
+  test("build liefert Provider; Write erscheint in listKeys(tenant)", async () => {
+    const provider = await inmemoryPlugin().build({}, "tenant-build-1");
+    await provider.write("doc.txt", bytes("x"));
+    expect(listKeys("tenant-build-1")).toContain("doc.txt");
+    clearStorage("tenant-build-1");
+  });
+
+  test("selber Tenant: zwei builds liefern identitätsstabilen Storage (State bleibt)", async () => {
+    const a = await inmemoryPlugin().build({}, "tenant-stable");
+    await a.write("first.txt", bytes("1"));
+    const b = await inmemoryPlugin().build({}, "tenant-stable");
+    expect(await b.exists("first.txt")).toBe(true);
+    clearStorage("tenant-stable");
+  });
+
+  test("Tenant-Isolation: Write in A erscheint nicht in B", async () => {
+    const a = await inmemoryPlugin().build({}, "tenant-iso-a");
+    const b = await inmemoryPlugin().build({}, "tenant-iso-b");
+    await a.write("only-in-a.txt", bytes("a"));
+    expect(listKeys("tenant-iso-a")).toContain("only-in-a.txt");
+    expect(listKeys("tenant-iso-b")).not.toContain("only-in-a.txt");
+    expect(await b.exists("only-in-a.txt")).toBe(false);
+    clearStorage("tenant-iso-a");
+    clearStorage("tenant-iso-b");
+  });
+
+  test("clearStorage leert den Tenant-Store", async () => {
+    const p = await inmemoryPlugin().build({}, "tenant-clear");
+    await p.write("gone.txt", bytes("x"));
+    expect(listKeys("tenant-clear")).toHaveLength(1);
+    clearStorage("tenant-clear");
+    expect(listKeys("tenant-clear")).toEqual([]);
+  });
+});

package/src/file-provider-s3/__tests__/feature.test.ts

@@ -1,6 +1,7 @@
 // feature.ts contract tests for file-provider-s3.
 
 import { describe, expect, test } from "bun:test";
+import type { FileProviderPlugin } from "@cosmicdrift/kumiko-bundled-features/file-foundation";
 import { fileProviderS3Feature, S3_SECRET_ACCESS_KEY } from "../feature";
 
 describe("fileProviderS3Feature — shape", () => {
@@ -52,3 +53,29 @@ describe("fileProviderS3Feature — plugin-registration", () => {
     );
   });
 });
+
+// extension-usage `options` is engine-payload (unknown) — structurally validate.
+function isFileProviderPlugin(o: unknown): o is FileProviderPlugin {
+  return typeof o === "object" && o !== null && "build" in o && typeof o.build === "function";
+}
+
+function s3Plugin(): FileProviderPlugin {
+  const options = fileProviderS3Feature.extensionUsages.find(
+    (u) => u.extensionName === "fileProvider" && u.entityName === "s3",
+  )?.options;
+  if (!isFileProviderPlugin(options)) {
+    throw new Error("file-provider-s3: s3 plugin not registered with a build()");
+  }
+  return options;
+}
+
+describe("fileProviderS3Feature — build() guard", () => {
+  test("build ohne ctx.config wirft (config-feature nicht gemountet)", async () => {
+    // Die tieferen Value-/Secret-Pfade (bucket/region/accessKeyId leer,
+    // secret fehlt, Happy-Path) hängen an der echten Config-/Secrets-
+    // Pipeline → S3-Integration-Test (setupTestStack + MinIO), nicht hier.
+    // Die requireNonEmpty-Werteprüfung selbst ist über
+    // foundation-shared/config-helpers abgedeckt.
+    await expect(s3Plugin().build({}, "tenant-x")).rejects.toThrow("ctx.config is missing");
+  });
+});

package/src/files-provider-s3/__tests__/s3-provider.integration.test.ts

@@ -111,17 +111,45 @@ describe("s3-provider (Minio)", () => {
     await expect(provider.read(key)).rejects.toThrow();
   });
 
-  test("writeStream round-trip via multipart writer preserves bytes", async () => {
-    // Pinst die idiomatic Bun-S3-writer-Form (write + end, kein manual
-    // flush). Chunks summieren absichtlich auf > 5 MiB (partSize) UND auf
-    // einen krummen Rest, damit der multipart-finalizer auch dann greift,
-    // wenn die Source-Chunks nicht auf die Part-Boundary aufgehen.
+  test("writeStream round-trip via multipart writer preserves byte-exact ordering", async () => {
+    // Regression guard for the multipart-flush bug: the source chunks are
+    // deliberately NON-ALIGNED to the 5 MiB part boundary ([3,3,2] MiB → the
+    // internal part split at 5 MiB lands mid-chunk #2). The old
+    // `buffered >= STREAM_PART_SIZE` flush would emit a non-final part of an
+    // odd size at that boundary; the Bun-writer (partSize) path produces the
+    // correct part topology. Either way we verify END-TO-END byte integrity,
+    // not just total size + first/last byte.
+    //
+    // Each chunk carries a chunk-distinct content pattern (incl. a per-chunk
+    // marker in byte[0]). A re-order, dropped, or duplicated part therefore
+    // changes the readback SHA256 — a same-pattern-per-part test would not
+    // catch that. We assert both the SHA256 over the whole stream AND the
+    // per-chunk-offset marker bytes.
+    //
+    // NOTE: MinIO does NOT enforce the AWS `MinPartSize` (5 MiB non-final
+    // part) rule, so this test cannot reproduce the genuine S3 `EntityTooSmall`
+    // rejection — that needs a manual smoke against AWS/R2. What it DOES guard
+    // is byte-ordering/integrity of the multipart round-trip, which is
+    // provider-agnostic.
     const key = uniqueKey("stream-multipart.bin");
     const partSize = 5 * 1024 * 1024;
-    const chunk = new Uint8Array(1024 * 1024);
-    for (let i = 0; i < chunk.length; i++) chunk[i] = i % 251;
-    const chunks: Uint8Array[] = [];
-    for (let i = 0; i < 7; i++) chunks.push(chunk);
+    const MiB = 1024 * 1024;
+    const chunkSizes = [3 * MiB, 3 * MiB, 2 * MiB]; // 8 MiB total, non-aligned to 5 MiB
+
+    function makeChunk(index: number, size: number): Uint8Array {
+      const c = new Uint8Array(size);
+      // byte[0] = chunk marker; remaining bytes mix index + position so each
+      // chunk's body is distinct (reorder/duplicate changes the hash).
+      c[0] = index;
+      for (let i = 1; i < size; i++) c[i] = (index * 31 + i) % 251;
+      return c;
+    }
+    const chunks = chunkSizes.map((size, i) => makeChunk(i, size));
+
+    // Expected hash over the concatenated source.
+    const sourceHasher = new Bun.CryptoHasher("sha256");
+    for (const c of chunks) sourceHasher.update(c);
+    const expectedHash = sourceHasher.digest("hex");
 
     if (!provider.writeStream) throw new Error("s3 provider should implement writeStream");
     await provider.writeStream(
@@ -132,10 +160,24 @@ describe("s3-provider (Minio)", () => {
     );
 
     const readBack = await provider.read(key);
-    expect(readBack.byteLength).toBe(chunks.length * chunk.length);
+    const totalSize = chunkSizes.reduce((a, b) => a + b, 0);
+    expect(readBack.byteLength).toBe(totalSize);
     expect(readBack.byteLength).toBeGreaterThan(partSize);
-    expect(readBack[0]).toBe(0);
-    expect(readBack[readBack.byteLength - 1]).toBe(chunk[chunk.length - 1]);
+
+    // Byte-exact integrity over the full stream — catches any mid-stream
+    // corruption / reorder / off-by-part the size+endpoints check would miss.
+    const readHasher = new Bun.CryptoHasher("sha256");
+    readHasher.update(readBack);
+    expect(readHasher.digest("hex")).toBe(expectedHash);
+
+    // Explicit per-chunk marker check at the expected source offsets — proves
+    // the parts landed in order (not just that the bytes are collectively
+    // present).
+    let offset = 0;
+    for (let i = 0; i < chunks.length; i++) {
+      expect(readBack[offset]).toBe(i);
+      offset += chunkSizes[i] ?? 0;
+    }
   });
 });
 

package/src/foundation-shared/__tests__/config-helpers.test.ts

@@ -0,0 +1,72 @@
+// config-helpers Unit-Tests (Phase 1, test-luecken-integration).
+//
+// Pinnt das Verhalten der von ai-/mail-/file-foundation geteilten
+// Narrowing-Helfer — inkl. der non-obvious Grenzfälle: requireDefined
+// narrowt NUR `undefined` (nicht falsy), und requireNonEmpty hat zwei
+// getrennte Fehlerpfade (undefined vs leer), die über die Error-Message
+// unterschieden werden.
+
+import { describe, expect, test } from "bun:test";
+import { requireDefined, requireNonEmpty } from "../config-helpers";
+
+describe("requireDefined", () => {
+  test("undefined → wirft mit featureName + label + Misconfig-Hinweis", () => {
+    expect(() => requireDefined(undefined, "ai-foundation", "apiKey")).toThrow(
+      "ai-foundation: 'apiKey' config key resolved to undefined — registry misconfigured (no value + no default)",
+    );
+  });
+
+  test("defined Wert → unverändert zurück", () => {
+    expect(requireDefined("sk-123", "ai-foundation", "apiKey")).toBe("sk-123");
+  });
+
+  test("falsy-aber-defined Werte passieren (Check ist === undefined, nicht falsy)", () => {
+    // Würde hier ein falsy-Check stehen, bräche ein numerischer Key mit Wert 0
+    // oder ein leerer-String-Default. requireNonEmpty ist der strengere Helfer.
+    expect(requireDefined(0, "f", "n")).toBe(0);
+    expect(requireDefined("", "f", "n")).toBe("");
+    expect(requireDefined(false, "f", "n")).toBe(false);
+    expect(requireDefined(null, "f", "n")).toBeNull();
+  });
+
+  test("Objekt-Wert → identische Referenz zurück (generischer Typ erhalten)", () => {
+    const cfg = { host: "smtp.example.com", port: 587 };
+    expect(requireDefined(cfg, "mail-foundation", "smtp")).toBe(cfg);
+  });
+});
+
+describe("requireNonEmpty", () => {
+  test("undefined → wirft die requireDefined-Message (delegiert, NICHT empty-Pfad)", () => {
+    expect(() => requireNonEmpty(undefined, "mail-foundation", "host")).toThrow(
+      "config key resolved to undefined",
+    );
+  });
+
+  test("leerer String → wirft empty-Message mit Default-uiHint", () => {
+    expect(() => requireNonEmpty("", "file-foundation", "bucket")).toThrow(
+      "file-foundation: 'bucket' is empty — tenant must configure it before use. Set via tenant-admin UI or seed-handler.",
+    );
+  });
+
+  test("leerer String mit custom uiHint → Hint landet in der Message", () => {
+    expect(() =>
+      requireNonEmpty("", "ai-foundation", "model", "Choose a model in Settings → AI."),
+    ).toThrow("is empty — tenant must configure it before use. Choose a model in Settings → AI.");
+  });
+
+  test("non-empty Wert → unverändert zurück", () => {
+    expect(requireNonEmpty("smtp.example.com", "mail-foundation", "host")).toBe("smtp.example.com");
+  });
+
+  test("reiner Whitespace → wirft empty-Message (getrimmt, gilt als leer)", () => {
+    expect(() => requireNonEmpty("   ", "mail-foundation", "host")).toThrow(
+      "mail-foundation: 'host' is empty — tenant must configure it before use.",
+    );
+  });
+
+  test("umgebender Whitespace wird vom Rückgabewert getrimmt", () => {
+    expect(requireNonEmpty("  smtp.example.com  ", "mail-foundation", "host")).toBe(
+      "smtp.example.com",
+    );
+  });
+});

package/src/foundation-shared/config-helpers.ts

@@ -50,6 +50,10 @@ export function requireDefined<T>(value: T | undefined, featureName: string, lab
  * Typical use: SMTP host, S3 bucket, model id — values without which the
  * downstream SDK would 400 with a cryptic message. The clearer "tenant
  * must configure X via tenant-admin UI" lands at the call-site instead.
+ *
+ * Whitespace is trimmed: a whitespace-only value counts as empty, and the
+ * returned string has surrounding whitespace removed — so a stray " host "
+ * never reaches the SDK as-is.
  */
 export function requireNonEmpty(
   value: string | undefined,
@@ -57,11 +61,11 @@ export function requireNonEmpty(
   label: string,
   uiHint = "Set via tenant-admin UI or seed-handler.",
 ): string {
-  const defined = requireDefined(value, featureName, label);
-  if (defined.length === 0) {
+  const trimmed = requireDefined(value, featureName, label).trim();
+  if (trimmed.length === 0) {
     throw new Error(
       `${featureName}: '${label}' is empty — tenant must configure it before use. ${uiHint}`,
     );
   }
-  return defined;
+  return trimmed;
 }

package/src/secrets/feature.ts

@@ -23,21 +23,14 @@ import { tenantSecretEntity } from "./table";
 export const secretsEnvSchema = z.object({
   KUMIKO_SECRETS_MASTER_KEY_V1: z
     .string()
-    .refine(
-      (v) => {
-        try {
-          return Buffer.from(v, "base64").length === 32;
-        } catch {
-          return false;
-        }
-      },
-      { message: "must be base64-encoded 32 bytes (AES-256 KEK)" },
-    )
+    .refine((v) => Buffer.from(v, "base64").length === 32, {
+      message: "must be base64-encoded 32 bytes (AES-256 KEK)",
+    })
     .describe("AES-256 master-key (KEK) for tenant-secrets encryption.")
     .meta({ kumiko: { pulumi: { generator: "openssl rand -base64 32", secret: true } } }),
   KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: z
     .string()
-    .regex(/^\d+$/, "must be a positive integer (V<n> selector)")
+    .regex(/^[1-9]\d*$/, "must be a positive integer (V<n> selector)")
     .default("1")
     .describe(
       "Pins the active KEK version. Default '1'. Bump after writing a higher KUMIKO_SECRETS_MASTER_KEY_V<n>.",

package/src/subscription-stripe/feature.ts

@@ -60,12 +60,12 @@ import { verifyAndParseStripeWebhook } from "./verify-webhook";
 export const subscriptionStripeEnvSchema = z.object({
   STRIPE_WEBHOOK_SECRET: z
     .string()
-    .min(1, "STRIPE_WEBHOOK_SECRET must not be empty")
+    .regex(/^whsec_/, "STRIPE_WEBHOOK_SECRET must start with 'whsec_'")
     .describe("Stripe webhook-signing secret (`whsec_...` from the Stripe dashboard).")
     .meta({ kumiko: { pulumi: { secret: true } } }),
   STRIPE_API_KEY: z
     .string()
-    .min(1, "STRIPE_API_KEY must not be empty")
+    .regex(/^sk_(test|live)_/, "STRIPE_API_KEY must start with 'sk_test_' or 'sk_live_'")
     .describe("Stripe API key (`sk_live_...` / `sk_test_...`).")
     .meta({ kumiko: { pulumi: { secret: true } } }),
 });

package/src/template-resolver/handlers/list.query.ts

@@ -20,15 +20,11 @@ export const listQuery = defineQueryHandler({
     const isSystemAdmin = query.user.roles.includes("SystemAdmin");
     const where: Record<string, unknown> = {};
 
-    // Tenant-Scope: SystemAdmin sieht alles, andere nur eigener Tenant + System
-    if (!isSystemAdmin) {
-      if (query.payload.includeSystem) {
-        where["tenantId"] = [query.user.tenantId, SYSTEM_TENANT_ID];
-      } else {
-        where["tenantId"] = query.user.tenantId;
-      }
-    } else if (!query.payload.includeSystem) {
-      // SystemAdmin mit includeSystem=false → nur eigener Tenant
+    // TenantDb scopes non-SystemAdmin reads to [own tenant, SYSTEM reference] and
+    // refuses a caller-narrowed where.tenantId (enforced isolation). SystemAdmin
+    // uses a system-scoped db that sees every tenant, so narrow to own explicitly
+    // when they don't want the cross-tenant view.
+    if (isSystemAdmin && !query.payload.includeSystem) {
       where["tenantId"] = query.user.tenantId;
     }
 
@@ -48,7 +44,13 @@ export const listQuery = defineQueryHandler({
       limit: 500,
     })) as TemplateResourceRow[];
 
-    return rows.map((row) => ({
+    // TenantDb always surfaces SYSTEM reference rows alongside the tenant's own;
+    // includeSystem=false drops them here since they can't be excluded at the DB.
+    const visible = query.payload.includeSystem
+      ? rows
+      : rows.filter((row) => row.tenantId !== SYSTEM_TENANT_ID);
+
+    return visible.map((row) => ({
       id: String(row.id),
       tenantId: row.tenantId,
       slug: row.slug,

package/src/tenant/__tests__/seed-testing.integration.test.ts

@@ -173,6 +173,32 @@ describe("seedTenantMembership", () => {
     expect(events.filter((e) => e.type === "tenant-membership.created")).toHaveLength(1);
   });
 
+  test("returns the membership-row id — identical across create + no-op re-seed", async () => {
+    // Both return paths (create via extractMembershipId, no-op via fetched row)
+    // must yield the same valid uuid string that the projection actually holds.
+    // Previously the return was never asserted; a no-op returning the wrong /
+    // undefined id would have gone unnoticed.
+    const created = await seedTenantMembership(stack.db, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+      roles: ["User"],
+    });
+    const reSeeded = await seedTenantMembership(stack.db, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+      roles: ["User"],
+    });
+
+    expect(created.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
+    expect(reSeeded.id).toBe(created.id);
+
+    const [row] = await selectMany(stack.db, tenantMembershipsTable, {
+      userId: ALICE_ID,
+      tenantId: TENANT_A,
+    });
+    expect(row?.["id"]).toBe(created.id);
+  });
+
   test("records the `by` user as insertedById on the projection", async () => {
     // Audit-queries that join events → users need a stable actor. Default
     // `by` is TestUsers.systemAdmin; override to a custom test user and

package/src/tenant/seeding.ts

@@ -141,9 +141,9 @@ export async function seedTenantMembership(
     tenantId: options.tenantId,
   });
   if (existing) {
-    // @cast-boundary db-row: membership-row id is uuid (string) per
-    // entity definition; fetchOne returns the raw projection row.
-    return { id: existing["id"] as string };
+    // Same validation as the create-path — a missing/non-string id throws
+    // instead of silently returning `undefined as string`.
+    return { id: extractMembershipId(existing) };
   }
 
   const result = await executor.create(