@cosmicdrift/kumiko-bundled-features 0.28.0 → 0.31.1

package/src/readiness/__tests__/readiness.integration.test.ts

@@ -0,0 +1,338 @@
+// Full-stack integration test for the readiness rollup. Drives
+// readiness:query:status through the dispatcher so the real config-cascade
+// + secrets-metadata-lookup are exercised — including the no-read-audit
+// guarantee of the has() probe.
+
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { randomBytes } from "node:crypto";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEncryptionProvider, type DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { access, createTenantConfig, defineFeature } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import { createEnvMasterKeyProvider } from "@cosmicdrift/kumiko-framework/secrets";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createConfigFeature } from "../../config";
+import { createConfigAccessorFactory } from "../../config/feature";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import {
+  createSecretsContext,
+  createSecretsFeature,
+  TENANT_SECRET_READ_EVENT,
+  tenantSecretsTable,
+} from "../../secrets";
+import { createTenantFeature } from "../../tenant/feature";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { ReadinessQueries } from "../constants";
+import { readinessFeature } from "../feature";
+
+// Probe-feature: one required + one optional config key, one required +
+// one optional secret — the rollup must list exactly the required gaps.
+const probeFeature = defineFeature("readiness-probe", (r) => {
+  r.requires("config");
+  r.requires("secrets");
+
+  r.config({
+    keys: {
+      apiUrl: createTenantConfig("text", {
+        required: true,
+        default: "",
+        write: access.roles("TenantAdmin", "SystemAdmin"),
+        read: access.roles("TenantAdmin", "SystemAdmin"),
+      }),
+      timeout: createTenantConfig("number", {
+        default: 30,
+        write: access.roles("TenantAdmin", "SystemAdmin"),
+      }),
+    },
+  });
+
+  r.secret("probe.apiToken", {
+    label: { de: "API-Token", en: "API token" },
+    scope: "tenant",
+    required: true,
+  });
+  r.secret("probe.optionalToken", {
+    label: { de: "Optionales Token", en: "Optional token" },
+    scope: "tenant",
+  });
+});
+
+// Provider-gating fixture: foundation declares the selector, two providers
+// register under the point. The smtp-ish one carries required key + secret —
+// they must count ONLY while "smtp" is the selected provider.
+const probeMailFoundation = defineFeature("probe-mail-foundation", (r) => {
+  r.requires("config");
+  r.extendsRegistrar("probeMailTransport", { onRegister: () => undefined });
+  const configKeys = r.config({
+    keys: {
+      provider: createTenantConfig("text", {
+        default: "",
+        write: access.roles("TenantAdmin", "SystemAdmin"),
+      }),
+    },
+  });
+  r.extensionSelector("probeMailTransport", configKeys.provider);
+  return { configKeys };
+});
+
+const probeSmtpProvider = defineFeature("probe-smtp", (r) => {
+  r.requires("config");
+  r.requires("secrets");
+  r.useExtension("probeMailTransport", "smtp");
+  r.config({
+    keys: {
+      host: createTenantConfig("text", {
+        required: true,
+        default: "",
+        write: access.roles("TenantAdmin", "SystemAdmin"),
+        read: access.roles("TenantAdmin", "SystemAdmin"),
+      }),
+    },
+  });
+  r.secret("smtp.password", {
+    label: { de: "SMTP-Passwort", en: "SMTP password" },
+    scope: "tenant",
+    required: true,
+  });
+});
+
+const probeInMemoryProvider = defineFeature("probe-inmemory", (r) => {
+  r.useExtension("probeMailTransport", "inmemory");
+});
+
+const REQUIRED_CONFIG_KEY = "readiness-probe:config:api-url";
+const REQUIRED_SECRET_KEY = "readiness-probe:secret:probe-api-token";
+const PROVIDER_SELECTOR_KEY = "probe-mail-foundation:config:provider";
+const GATED_CONFIG_KEY = "probe-smtp:config:host";
+const GATED_SECRET_KEY = "probe-smtp:secret:smtp-password";
+
+type StatusResult = {
+  missingConfig: ReadonlyArray<{ key: string; scope: string; type: string }>;
+  missingSecrets: ReadonlyArray<{ key: string }>;
+  ready: boolean;
+};
+
+let stack: TestStack;
+let db: DbConnection;
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(randomBytes(32).toString("base64"));
+  const resolver = createConfigResolver({ encryption });
+  const masterKeyProvider = createEnvMasterKeyProvider({
+    env: {
+      KUMIKO_SECRETS_MASTER_KEY_V1: randomBytes(32).toString("base64"),
+      KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "1",
+    },
+  });
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createTenantFeature(),
+      createSecretsFeature(),
+      readinessFeature,
+      probeFeature,
+      probeMailFoundation,
+      probeSmtpProvider,
+      probeInMemoryProvider,
+    ],
+    extraContext: ({ db, registry }) => ({
+      configResolver: resolver,
+      configEncryption: encryption,
+      _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+      secrets: createSecretsContext({ db, masterKeyProvider }),
+    }),
+  });
+  db = stack.db;
+  await unsafeCreateEntityTable(db, tenantEntity);
+  await unsafePushTables(db, { configValuesTable, tenant_secrets: tenantSecretsTable });
+  await createEventsTable(db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+function adminFor(tenantNumber: number) {
+  return createTestUser({
+    id: tenantNumber,
+    tenantId: testTenantId(tenantNumber),
+    roles: ["TenantAdmin"],
+  });
+}
+
+async function statusFor(admin: ReturnType<typeof adminFor>): Promise<StatusResult> {
+  return stack.http.queryOk<StatusResult>(ReadinessQueries.status, {}, admin);
+}
+
+describe("readiness:query:status", () => {
+  test("fresh tenant → required config + secret listed as missing, ready false", async () => {
+    const admin = adminFor(601);
+
+    const status = await statusFor(admin);
+
+    expect(status.ready).toBe(false);
+    expect(status.missingConfig).toContainEqual({
+      key: REQUIRED_CONFIG_KEY,
+      scope: "tenant",
+      type: "text",
+    });
+    expect(status.missingSecrets).toContainEqual({ key: REQUIRED_SECRET_KEY });
+    // Optional keys must not appear — they have usable defaults / aren't required.
+    expect(status.missingConfig.map((k) => k.key)).not.toContain("readiness-probe:config:timeout");
+    expect(status.missingSecrets.map((s) => s.key)).not.toContain(
+      "readiness-probe:secret:probe-optional-token",
+    );
+  });
+
+  test("setting required config + secret flips ready to true", async () => {
+    const admin = adminFor(602);
+
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: REQUIRED_CONFIG_KEY, value: "https://api.example.test" },
+      admin,
+    );
+    await stack.http.writeOk(
+      "secrets:write:set",
+      { key: REQUIRED_SECRET_KEY, value: "token-xyz" },
+      admin,
+    );
+
+    const status = await statusFor(admin);
+    expect(status.missingConfig.map((k) => k.key)).not.toContain(REQUIRED_CONFIG_KEY);
+    expect(status.missingSecrets).toEqual([]);
+    expect(status.ready).toBe(true);
+  });
+
+  test("tenant isolation: tenant A's values don't make tenant B ready", async () => {
+    const adminA = adminFor(603);
+    const adminB = adminFor(604);
+
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: REQUIRED_CONFIG_KEY, value: "https://a.example.test" },
+      adminA,
+    );
+    await stack.http.writeOk(
+      "secrets:write:set",
+      { key: REQUIRED_SECRET_KEY, value: "token-a" },
+      adminA,
+    );
+
+    expect((await statusFor(adminA)).ready).toBe(true);
+    const statusB = await statusFor(adminB);
+    expect(statusB.ready).toBe(false);
+    expect(statusB.missingSecrets).toContainEqual({ key: REQUIRED_SECRET_KEY });
+  });
+
+  test("non-TenantAdmin → access denied (same gate as secrets:query:list)", async () => {
+    const member = createTestUser({
+      id: 605,
+      tenantId: testTenantId(605),
+      roles: ["Member"],
+    });
+
+    const res = await stack.http.query(ReadinessQueries.status, {}, member);
+    expect(res.status).toBe(403);
+  });
+
+  test("provider-gated keys don't count while no provider is selected", async () => {
+    const admin = adminFor(607);
+
+    const status = await statusFor(admin);
+    expect(status.missingConfig.map((k) => k.key)).not.toContain(GATED_CONFIG_KEY);
+    expect(status.missingSecrets.map((s) => s.key)).not.toContain(GATED_SECRET_KEY);
+  });
+
+  test("selecting the provider pulls its required key + secret into missing", async () => {
+    const admin = adminFor(608);
+
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: PROVIDER_SELECTOR_KEY, value: "smtp" },
+      admin,
+    );
+
+    const status = await statusFor(admin);
+    expect(status.missingConfig.map((k) => k.key)).toContain(GATED_CONFIG_KEY);
+    expect(status.missingSecrets).toContainEqual({ key: GATED_SECRET_KEY });
+    expect(status.ready).toBe(false);
+  });
+
+  test("tenant on the inmemory provider is ready despite unset smtp keys", async () => {
+    const admin = adminFor(609);
+
+    // The advisor scenario: smtp + inmemory both mounted, tenant runs
+    // inmemory — unset smtp keys must not block ready.
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: PROVIDER_SELECTOR_KEY, value: "inmemory" },
+      admin,
+    );
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: REQUIRED_CONFIG_KEY, value: "https://api.example.test" },
+      admin,
+    );
+    await stack.http.writeOk(
+      "secrets:write:set",
+      { key: REQUIRED_SECRET_KEY, value: "token-609" },
+      admin,
+    );
+
+    const status = await statusFor(admin);
+    expect(status.missingConfig).toEqual([]);
+    expect(status.missingSecrets).toEqual([]);
+    expect(status.ready).toBe(true);
+  });
+
+  test("config:query:readiness applies the same provider gating", async () => {
+    const admin = adminFor(610);
+
+    const before = await stack.http.queryOk<{ missing: ReadonlyArray<{ key: string }> }>(
+      "config:query:readiness",
+      {},
+      admin,
+    );
+    expect(before.missing.map((k) => k.key)).not.toContain(GATED_CONFIG_KEY);
+
+    await stack.http.writeOk(
+      "config:write:set",
+      { key: PROVIDER_SELECTOR_KEY, value: "smtp" },
+      admin,
+    );
+    const after = await stack.http.queryOk<{ missing: ReadonlyArray<{ key: string }> }>(
+      "config:query:readiness",
+      {},
+      admin,
+    );
+    expect(after.missing.map((k) => k.key)).toContain(GATED_CONFIG_KEY);
+  });
+
+  test("status probe writes NO secret-read audit events", async () => {
+    const admin = adminFor(606);
+    await stack.http.writeOk(
+      "secrets:write:set",
+      { key: REQUIRED_SECRET_KEY, value: "token-606" },
+      admin,
+    );
+    await asRawClient(db).unsafe(
+      `DELETE FROM "${eventsTable.tableName}" WHERE type = '${TENANT_SECRET_READ_EVENT}'`,
+    );
+
+    // Probes both branches: set secret (has → true) + missing optional.
+    await statusFor(admin);
+
+    const readEvents = await selectMany(db, eventsTable, { type: TENANT_SECRET_READ_EVENT });
+    expect(readEvents).toEqual([]);
+  });
+});

package/src/readiness/constants.ts

@@ -0,0 +1,7 @@
+// Feature name
+export const READINESS_FEATURE = "readiness" as const;
+
+// Qualified query handler names (QN format: scope:type:name)
+export const ReadinessQueries = {
+  status: "readiness:query:status",
+} as const;

package/src/readiness/feature.ts

@@ -0,0 +1,26 @@
+// kumiko-feature-version: 1
+//
+// readiness — one-call tenant-onboarding rollup above config + secrets.
+//
+// `config:query:readiness` lists required config keys without a usable
+// value; `secrets:query:list` lists set secrets. Neither can verdict
+// "tenant is ready" alone. This feature requires both, so its status
+// query may roll up missing config + missing required secrets + a single
+// `ready` boolean — the settings-checklist call for admin UIs.
+
+import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
+import { statusQuery } from "./handlers/status.query";
+
+export const readinessFeature = defineFeature("readiness", (r) => {
+  r.describe(
+    "One-call tenant-onboarding probe: `readiness:query:status` rolls up every config key and secret declared `required: true` across all mounted features and reports which still lack a usable value for the calling tenant, plus a single `ready` boolean. Provider-features under an `r.extensionSelector`-declared extension point count only while their provider is the selected one — a tenant on the inmemory mail transport is not blocked by unset SMTP keys. Mount it (together with `config` and `secrets`) when an admin UI needs a settings checklist before the first mail-send or file-write; the per-concern lists stay available via `config:query:readiness` and `secrets:query:list`.",
+  );
+  r.requires("config");
+  r.requires("secrets");
+
+  const queries = {
+    status: r.queryHandler(statusQuery),
+  };
+
+  return { queries };
+});

package/src/readiness/handlers/status.query.ts

@@ -0,0 +1,48 @@
+import {
+  buildProviderSelectionGate,
+  collectMissingRequiredConfig,
+} from "@cosmicdrift/kumiko-bundled-features/config";
+import { requireSecretsContext } from "@cosmicdrift/kumiko-bundled-features/secrets";
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { ReadinessQueries } from "../constants";
+
+export type ReadinessMissingSecret = { readonly key: string };
+
+// The one-call rollup config:query:readiness deliberately refused: that
+// query can't see secrets, this feature requires both — so it may verdict.
+export const statusQuery = defineQueryHandler({
+  name: "status",
+  schema: z.object({}),
+  // Same gate as secrets:query:list — the response names missing secrets.
+  access: { roles: ["TenantAdmin"] },
+  handler: async (query, ctx) => {
+    // One gate for both halves: required keys/secrets of provider-features
+    // count only while their provider is the selected one (r.extensionSelector).
+    const gate = await buildProviderSelectionGate(ctx, ReadinessQueries.status, query.user);
+    const missingConfig = await collectMissingRequiredConfig(
+      ctx,
+      ReadinessQueries.status,
+      query.user,
+      gate,
+    );
+
+    // has() is metadata-only: no decryption, no read-audit event — a
+    // readiness probe must not pollute the credential-read trail.
+    const secrets = requireSecretsContext(ctx, ReadinessQueries.status);
+    const missingSecrets: ReadinessMissingSecret[] = [];
+    for (const [qualifiedName, keyDef] of ctx.registry.getAllSecretKeys()) {
+      if (keyDef.required !== true) continue;
+      if (!gate(qualifiedName)) continue;
+      if (!(await secrets.has(query.user.tenantId, qualifiedName))) {
+        missingSecrets.push({ key: qualifiedName });
+      }
+    }
+
+    return {
+      missingConfig,
+      missingSecrets,
+      ready: missingConfig.length === 0 && missingSecrets.length === 0,
+    };
+  },
+});

package/src/readiness/index.ts

@@ -0,0 +1,3 @@
+export { READINESS_FEATURE, ReadinessQueries } from "./constants";
+export { readinessFeature } from "./feature";
+export type { ReadinessMissingSecret } from "./handlers/status.query";

package/src/secrets/__tests__/require-secrets-context.test.ts

@@ -20,6 +20,7 @@ import { requireSecretsContext } from "../feature";
 function makeRawSecretsContext(): SecretsContext {
   return {
     get: mock(),
+    has: mock(),
     set: mock(),
     delete: mock(),
   };

package/src/secrets/feature.ts

@@ -75,6 +75,8 @@ export function requireSecretsContext(
   return {
     get: (tenantId, key, overrideAudit) =>
       raw.get(tenantId, key, overrideAudit ?? { userId, handlerName }),
+    // No audit injection: has() is metadata-only and never logs a read.
+    has: raw.has.bind(raw),
     set: raw.set.bind(raw),
     delete: raw.delete.bind(raw),
   };

package/src/secrets/secrets-context.ts

@@ -179,6 +179,14 @@ export function createSecretsContext(opts: SecretsContextOptions): SecretsContex
       return createSecret(plaintext);
     },
 
+    async has(tenantId, keyOrHandle) {
+      // Row-existence only — no decrypt, no DEK unwrap, no read-audit
+      // event. The audit table logs credential reads; a readiness probe
+      // never sees the value, so logging it would dilute the trail.
+      const existing = await lookup(tenantId, resolveKey(keyOrHandle));
+      return existing !== undefined;
+    },
+
     async set(tenantId, keyOrHandle, value, setOpts = {}) {
       const key = resolveKey(keyOrHandle);
       const envelope = await encryptValue(value, masterKeyProvider);

package/src/tenant/__tests__/multi-tenant.integration.test.ts

@@ -205,6 +205,14 @@ describe("multi-tenant user", () => {
     const tenantIds = memberships.map((m: Record<string, unknown>) => m["tenantId"]);
     expect(tenantIds).toContain(testTenantId(1));
     expect(tenantIds).toContain(testTenantId(2));
+
+    // tenantName/tenantKey machen die Memberships im UI unterscheidbar
+    // (Tenant-Switcher) — die Query reichert sie aus der tenants-Tabelle an.
+    const acme = memberships.find(
+      (m: Record<string, unknown>) => m["tenantId"] === testTenantId(1),
+    );
+    expect(acme["tenantName"]).toBe("ACME");
+    expect(acme["tenantKey"]).toBe("acme");
   });
 
   test("user has different roles per tenant", async () => {
@@ -231,6 +239,14 @@ describe("multi-tenant user", () => {
     const body = await res.json();
     expect(body.tenants.length).toBe(2);
     expect(body.activeTenantId).toBe(testTenantId(1));
+
+    // name/key kommen bis in die HTTP-Response durch (Tenant-Switcher-Label).
+    const names = body.tenants.map((t: Record<string, unknown>) => t["name"]);
+    expect(names).toContain("ACME");
+    expect(names).toContain("Beta Inc");
+    const keys = body.tenants.map((t: Record<string, unknown>) => t["key"]);
+    expect(keys).toContain("acme");
+    expect(keys).toContain("beta");
   });
 
   test("POST /auth/switch-tenant issues new JWT with different tenant", async () => {
@@ -276,3 +292,55 @@ describe("perTenant jobs", () => {
     }
   });
 });
+
+// --- Scenario 6: disabled tenant verschwindet aus allen Auth-Flächen ---
+//
+// tenant:write:disable legt den Tenant still: memberships-Query filtert ihn,
+// damit listet /auth/tenants ihn nicht mehr (Switcher), switch-tenant lehnt
+// ab (not_a_member) und der Login wählt ihn nicht. active-tenant-ids lässt
+// ihn ebenfalls aus (perTenant-Jobs). enable macht alles rückgängig.
+// Läuft bewusst NACH den perTenant-Job-Tests — die erwarten 2 aktive Tenants.
+
+describe("disabled tenant", () => {
+  const user = createTestUser({ id: 10 });
+
+  test("disable removes the tenant from memberships, /auth/tenants and switch-tenant", async () => {
+    const r = await writeApi(systemAdmin, TenantHandlers.disable, { id: testTenantId(2) });
+    expect(r.isSuccess).toBe(true);
+
+    const result = await queryApi(systemAdmin, TenantQueries.memberships, {
+      userId: "11111111-0000-4000-8000-000000000010",
+    });
+    const tenantIds = result.data.map((m: Record<string, unknown>) => m["tenantId"]);
+    expect(tenantIds).toEqual([testTenantId(1)]);
+
+    const res = await getApi(user, "/auth/tenants");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.tenants.map((t: Record<string, unknown>) => t["tenantId"])).toEqual([
+      testTenantId(1),
+    ]);
+
+    const switchRes = await postApi(user, "/auth/switch-tenant", { tenantId: testTenantId(2) });
+    expect(switchRes.status).toBe(403);
+
+    const activeIds = await queryApi(systemAdmin, TenantQueries.activeTenantIds, {});
+    expect(activeIds.data).toEqual([testTenantId(1)]);
+  });
+
+  test("enable restores membership, switcher and active-tenant-ids", async () => {
+    const r = await writeApi(systemAdmin, TenantHandlers.enable, { id: testTenantId(2) });
+    expect(r.isSuccess).toBe(true);
+
+    const result = await queryApi(systemAdmin, TenantQueries.memberships, {
+      userId: "11111111-0000-4000-8000-000000000010",
+    });
+    expect(result.data.length).toBe(2);
+
+    const switchRes = await postApi(user, "/auth/switch-tenant", { tenantId: testTenantId(2) });
+    expect(switchRes.status).toBe(200);
+
+    const activeIds = await queryApi(systemAdmin, TenantQueries.activeTenantIds, {});
+    expect(activeIds.data).toContain(testTenantId(2));
+  });
+});

package/src/tenant/__tests__/tenant.integration.test.ts

@@ -145,6 +145,22 @@ describe("scenario 4: tenant.disable", () => {
       "SystemAdmin",
     ]);
   });
+
+  test("SystemAdmin can re-enable a disabled tenant", async () => {
+    const me = await stack.http.queryOk<Record<string, unknown>>(TenantQueries.me, {}, systemAdmin);
+    const tenantId = me["id"] as string;
+
+    const data = await stack.http.writeOk(TenantHandlers.enable, { id: tenantId }, systemAdmin);
+    expect(data!["data"]).toMatchObject({
+      isEnabled: true,
+    });
+  });
+
+  test("enable handler requires SystemAdmin role", async () => {
+    expect(rolesOf(stack.registry.getWriteHandler(TenantHandlers.enable)?.access)).toEqual([
+      "SystemAdmin",
+    ]);
+  });
 });
 
 // --- Scenario 5: tenant.list ---

package/src/tenant/constants.ts

@@ -12,6 +12,7 @@ export const TenantHandlers = {
   create: "tenant:write:create",
   update: "tenant:write:update",
   disable: "tenant:write:disable",
+  enable: "tenant:write:enable",
   addMember: "tenant:write:add-member",
   removeMember: "tenant:write:remove-member",
   updateMemberRoles: "tenant:write:update-member-roles",

package/src/tenant/feature.ts

@@ -10,6 +10,7 @@ import { addMemberWrite } from "./handlers/add-member.write";
 import { cancelInvitationWrite } from "./handlers/cancel-invitation.write";
 import { createWrite } from "./handlers/create.write";
 import { disableWrite } from "./handlers/disable.write";
+import { enableWrite } from "./handlers/enable.write";
 import { invitationsQuery } from "./handlers/invitations.query";
 import { listQuery } from "./handlers/list.query";
 import { meQuery } from "./handlers/me.query";
@@ -30,7 +31,7 @@ export { tenantEntity, tenantTable } from "./schema/tenant";
 export function createTenantFeature(): FeatureDefinition {
   return defineFeature("tenant", (r) => {
     r.describe(
-      "Registers the three core multi-tenancy entities \u2014 `tenant`, `tenant-membership`, and `tenant-invitation` (DB tables `read_tenants`, `read_tenant_memberships`, and `read_tenant_invitations`) \u2014 along with write handlers for create/update/disable/addMember/removeMember/updateMemberRoles and the matching queries. It also declares a set of per-tenant config keys (companyName, timezone, locale, SMTP credentials) and system-only keys (priceModel, maxUsers) via `r.config({ keys: { ... } })`. Use this feature in every multi-tenant app; membership resolution and invitation flows depend on it, and `auth-email-password` requires it.",
+      "Registers the three core multi-tenancy entities \u2014 `tenant`, `tenant-membership`, and `tenant-invitation` (DB tables `read_tenants`, `read_tenant_memberships`, and `read_tenant_invitations`) \u2014 along with write handlers for create/update/disable/enable/addMember/removeMember/updateMemberRoles and the matching queries. It also declares a set of per-tenant config keys (companyName, timezone, locale, SMTP credentials) and system-only keys (priceModel, maxUsers) via `r.config({ keys: { ... } })`. Use this feature in every multi-tenant app; membership resolution and invitation flows depend on it, and `auth-email-password` requires it.",
     );
     r.systemScope();
     r.requires("config");
@@ -90,6 +91,7 @@ export function createTenantFeature(): FeatureDefinition {
       create: r.writeHandler(createWrite),
       update: r.writeHandler(updateWrite),
       disable: r.writeHandler(disableWrite),
+      enable: r.writeHandler(enableWrite),
       addMember: r.writeHandler(addMemberWrite),
       removeMember: r.writeHandler(removeMemberWrite),
       updateMemberRoles: r.writeHandler(updateMemberRolesWrite),

package/src/tenant/handlers/enable.write.ts

@@ -0,0 +1,20 @@
+import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { tenantEntity, tenantTable } from "../schema/tenant";
+
+const crud = createEventStoreExecutor(tenantTable, tenantEntity, { entityName: "tenant" });
+
+// Recovery-Gegenstück zu disable — ohne enable wäre ein Fehlklick des
+// Operators nur per Event-Hack reversibel.
+export const enableWrite = defineWriteHandler({
+  name: "enable",
+  schema: z.object({ id: z.uuid() }),
+  access: { roles: ["SystemAdmin"] },
+  // Admin flip: last-writer-wins is fine. SystemAdmin is the only caller and
+  // there's no meaningful concurrent-edit race on this single boolean.
+  handler: async (event, ctx) =>
+    crud.update({ id: event.payload.id, changes: { isEnabled: true } }, event.user, ctx.db, {
+      skipOptimisticLock: true,
+    }),
+});

package/src/tenant/handlers/memberships.query.ts

@@ -1,8 +1,9 @@
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineQueryHandler, SYSTEM_ROLE } from "@cosmicdrift/kumiko-framework/engine";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
 import { tenantMembershipsTable } from "../membership-table";
+import { tenantTable } from "../schema/tenant";
 
 export const membershipsQuery = defineQueryHandler({
   name: "memberships",
@@ -13,9 +14,31 @@ export const membershipsQuery = defineQueryHandler({
   handler: async (query, ctx) => {
     const rows = await selectMany(ctx.db, tenantMembershipsTable, { userId: query.payload.userId });
 
-    return rows.map((row) => ({
-      ...row,
-      roles: parseRoles(row["roles"]),
-    }));
+    // tenantName/tenantKey machen Memberships in der UI unterscheidbar
+    // (Tenant-Switcher zeigte sonst nur das UUID-Präfix — bei Seed-Tenants
+    // mit 00000000-…-Präfix sind die ununterscheidbar). Eine Handvoll
+    // Memberships pro User → Einzel-Fetches sind ok.
+    const enriched = await Promise.all(
+      rows.map(async (row) => {
+        const tenant = await fetchOne<{ name?: unknown; key?: unknown; isEnabled?: unknown }>(
+          ctx.db,
+          tenantTable,
+          { id: row["tenantId"] },
+        );
+        // Disabled Tenants (tenant:write:disable) zählen nicht als Membership:
+        // Login wählt sie nicht, /auth/tenants listet sie nicht, switch-tenant
+        // antwortet not_a_member. Nur das explizite false filtert — eine
+        // fehlende tenant-Row (Projektions-Drift) soll keinen Login-Lockout
+        // aller Member auslösen.
+        if (tenant !== undefined && tenant.isEnabled === false) return null;
+        return {
+          ...row,
+          roles: parseRoles(row["roles"]),
+          ...(typeof tenant?.name === "string" && { tenantName: tenant.name }),
+          ...(typeof tenant?.key === "string" && { tenantKey: tenant.key }),
+        };
+      }),
+    );
+    return enriched.filter((m) => m !== null);
   },
 });