@cosmicdrift/kumiko-bundled-features 0.35.0 → 0.38.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.35.0",
+  "version": "0.38.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -74,10 +74,10 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.21.0",
-    "@cosmicdrift/kumiko-framework": "0.21.0",
-    "@cosmicdrift/kumiko-renderer": "0.21.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.21.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.37.0",
+    "@cosmicdrift/kumiko-framework": "0.37.0",
+    "@cosmicdrift/kumiko-renderer": "0.37.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.37.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/__tests__/auth-mailer.test.ts

@@ -0,0 +1,138 @@
+import { describe, expect, test } from "bun:test";
+import { createInMemoryTransport } from "../../channel-email";
+import { createAuthMailerConfig } from "../auth-mailer";
+
+function makeArgs(overrides?: Record<string, unknown>) {
+  const mailSender = createInMemoryTransport();
+  return {
+    mailSender,
+    hmacSecret: "test-hmac-secret",
+    baseUrl: "https://admin.example.com",
+    paths: {
+      resetPassword: "/reset-password",
+      verifyEmail: "/verify-email",
+      signupComplete: "/signup/complete",
+      inviteAccept: "/invite/accept",
+    },
+    appName: "TestApp",
+    locale: "en" as const,
+    ...overrides,
+  };
+}
+
+describe("createAuthMailerConfig", () => {
+  test("returns all 4 setups", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset).toBeDefined();
+    expect(config.emailVerification).toBeDefined();
+    expect(config.signup).toBeDefined();
+    expect(config.invite).toBeDefined();
+  });
+
+  test("constructs URLs from baseUrl + paths", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset.appResetUrl).toBe("https://admin.example.com/reset-password");
+    expect(config.emailVerification.appVerifyUrl).toBe("https://admin.example.com/verify-email");
+    expect(config.signup.appActivationUrl).toBe("https://admin.example.com/signup/complete");
+    expect(config.invite.appAcceptUrl).toBe("https://admin.example.com/invite/accept");
+  });
+
+  test("forwards hmacSecret", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset.hmacSecret).toBe("test-hmac-secret");
+    expect(config.emailVerification.hmacSecret).toBe("test-hmac-secret");
+  });
+
+  test("sendResetEmail calls mailSender.send with rendered content", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.passwordReset.sendResetEmail({
+      email: "user@example.com",
+      resetUrl: "https://admin.example.com/reset?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.subject).toContain("Reset");
+    expect(args.mailSender.sent[0]!.html).toContain("https://admin.example.com/reset?token=abc");
+  });
+
+  test("sendVerificationEmail calls mailSender.send", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.emailVerification.sendVerificationEmail({
+      email: "user@example.com",
+      verificationUrl: "https://admin.example.com/verify?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.subject).toContain("Verify");
+  });
+
+  test("sendActivationEmail calls mailSender.send", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.signup.sendActivationEmail({
+      email: "user@example.com",
+      activationUrl: "https://admin.example.com/signup/complete?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+  });
+
+  test("sendInviteEmail calls mailSender.send with role", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.invite.sendInviteEmail({
+      email: "user@example.com",
+      inviteUrl: "https://admin.example.com/invite/accept?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+      role: "Admin",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.html).toContain("Admin");
+  });
+
+  test("uses defaults when appName is omitted", () => {
+    const config = createAuthMailerConfig(makeArgs({ appName: undefined }));
+    expect(config.passwordReset.appResetUrl).toBeDefined();
+  });
+
+  test("emailVerificationMode is absent when not provided", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect("mode" in config.emailVerification).toBe(false);
+  });
+
+  test("emailVerificationMode is set when provided", () => {
+    const config = createAuthMailerConfig(makeArgs({ emailVerificationMode: "strict" }));
+    expect(config.emailVerification).toHaveProperty("mode", "strict");
+  });
+
+  test("locale 'de' renders German subject", async () => {
+    const args = makeArgs({ locale: "de" });
+    const config = createAuthMailerConfig(args);
+
+    await config.passwordReset.sendResetEmail({
+      email: "user@example.com",
+      resetUrl: "https://example.com/reset?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent[0]!.subject).toContain("Passwort");
+  });
+});

package/src/auth-email-password/auth-mailer.ts

@@ -0,0 +1,137 @@
+import type { EmailTransport } from "../channel-email";
+import type { AuthMailLocale } from "./email-templates";
+import {
+  renderActivationEmail,
+  renderInviteEmail,
+  renderResetPasswordEmail,
+  renderVerifyEmail,
+} from "./email-templates";
+import type {
+  EmailVerificationOptions,
+  InviteOptions,
+  PasswordResetOptions,
+  SignupOptions,
+} from "./feature";
+
+/**
+ * Komplette Konfiguration für die 4 Auth-Mail-Flows einer App.
+ *
+ * Strukturell kompatibel mit den `*Setup`-Typen aus
+ * `@cosmicdrift/kumiko-dev-server` (`PasswordResetSetup`,
+ * `EmailVerificationSetup`, `SignupSetup`, `InviteSetup`).
+ */
+export type AuthMailerConfig = {
+  readonly passwordReset: PasswordResetOptions & {
+    readonly appResetUrl: string;
+    readonly sendResetEmail: (args: {
+      email: string;
+      resetUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly emailVerification: EmailVerificationOptions & {
+    readonly appVerifyUrl: string;
+    readonly sendVerificationEmail: (args: {
+      email: string;
+      verificationUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly signup: SignupOptions & {
+    readonly appActivationUrl: string;
+    readonly sendActivationEmail: (args: {
+      email: string;
+      activationUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly invite: InviteOptions & {
+    readonly appAcceptUrl: string;
+    readonly sendInviteEmail: (args: {
+      email: string;
+      inviteUrl: string;
+      expiresAt: string;
+      role: string;
+    }) => Promise<void>;
+  };
+};
+
+export type CreateAuthMailerConfigArgs = {
+  readonly mailSender: EmailTransport;
+  readonly hmacSecret: string;
+  /** Basis-URL der App inkl. Schema (z.B. "https://admin.example.com").
+   *  Die factory hängt paths.resetPassword etc. an. */
+  readonly baseUrl: string;
+  /** Pfad-Konstanten für die Auth-Seiten — jede App hat ihre eigenen
+   *  in `./auth-paths.ts`. */
+  readonly paths: {
+    readonly resetPassword: string;
+    readonly verifyEmail: string;
+    readonly signupComplete: string;
+    readonly inviteAccept: string;
+  };
+  /** App-Name für Mail-Subject + Body. Default "Account". */
+  readonly appName?: string;
+  /** Locale für die Mail-Templates. Default "de". */
+  readonly locale?: AuthMailLocale;
+  /** Email-verification mode. Default undefined (kein Gate).
+   *  "strict" blockt Login solange `emailVerified=false`.
+   *  "off" mountet die Routes ohne login-gating. */
+  readonly emailVerificationMode?: "strict" | "off";
+};
+
+/**
+ * Factory für `AuthMailerConfig` — baut die 4 Auth-Mail-Setups
+ * (passwordReset / emailVerification / signup / invite) inklusive
+ * `send*Email`-Wrapper + URL-Konstruktion.
+ *
+ * Jede App ruft das einmal auf und spreadet das Resultat in die
+ * `auth`-Option von `runProdApp` / `runDevApp`.
+ */
+export function createAuthMailerConfig(args: CreateAuthMailerConfigArgs): AuthMailerConfig {
+  const appName = args.appName ?? "Account";
+  const locale = args.locale ?? "de";
+  return {
+    passwordReset: {
+      hmacSecret: args.hmacSecret,
+      appResetUrl: `${args.baseUrl}${args.paths.resetPassword}`,
+      sendResetEmail: async ({ email, resetUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderResetPasswordEmail({ resetUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    emailVerification: {
+      hmacSecret: args.hmacSecret,
+      ...(args.emailVerificationMode !== undefined && {
+        mode: args.emailVerificationMode,
+      }),
+      appVerifyUrl: `${args.baseUrl}${args.paths.verifyEmail}`,
+      sendVerificationEmail: async ({ email, verificationUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderVerifyEmail({ verificationUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    signup: {
+      appActivationUrl: `${args.baseUrl}${args.paths.signupComplete}`,
+      sendActivationEmail: async ({ email, activationUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderActivationEmail({ activationUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    invite: {
+      appAcceptUrl: `${args.baseUrl}${args.paths.inviteAccept}`,
+      sendInviteEmail: async ({ email, inviteUrl, expiresAt, role }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderInviteEmail({ inviteUrl, expiresAt, role, locale, appName }),
+        });
+      },
+    },
+  };
+}

package/src/auth-email-password/email-templates.ts

@@ -20,6 +20,7 @@
 //
 // Locale: de + en. Apps mit anderen Sprachen rendern selbst.
 
+import { escapeHtml, escapeHtmlAttr } from "@cosmicdrift/kumiko-headless";
 import { Temporal } from "temporal-polyfill";
 
 export type AuthMailLocale = "de" | "en";
@@ -63,6 +64,7 @@ const STRINGS = {
   de: {
     resetSubject: (app: string) => `${app} — Passwort zurücksetzen`,
     resetGreeting: "Hallo,",
+    // guard:dup-ok — false positive: i18n-String-Template, gleiche Arrow-Struktur wie anonymous fn in collect-table-metas
     resetIntro: (app: string) =>
       `du hast den Reset deines Passworts für ${app} angefordert. Klicke auf den folgenden Link, um ein neues Passwort zu setzen:`,
     resetButton: "Passwort zurücksetzen",
@@ -159,6 +161,7 @@ function renderTokenEmail(spec: TokenEmailSpec): RenderedEmail {
 
 // Plain inline-styled HTML — funktioniert in Gmail/Outlook/Apple-Mail
 // ohne dass wir Tailwind oder eine HTML-mail-Lib reinziehen müssen.
+// guard:dup-ok — Email-HTML (table-layout, inline CSS) ≠ Web-HTML (legal-pages/markdown.ts)
 function renderShell(args: { title: string; bodyHtml: string }): string {
   return `<!DOCTYPE html>
 <html lang="en">
@@ -181,12 +184,14 @@ function renderShell(args: { title: string; bodyHtml: string }): string {
 </html>`;
 }
 
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderButton(args: { url: string; label: string }): string {
-  return `<a href="${escapeAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
+  return `<a href="${escapeHtmlAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
 }
 
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderFallbackUrl(args: { url: string; label: string }): string {
-  return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
+  return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeHtmlAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
 }
 
 export function renderResetPasswordEmail(args: RenderResetPasswordEmailArgs): RenderedEmail {
@@ -270,14 +275,3 @@ function formatExpiry(iso: string): string {
 function pad2(n: number): string {
   return String(n).padStart(2, "0");
 }
-
-function escapeHtml(s: string): string {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-function escapeAttr(s: string): string {
-  return s
-    .replace(/&/g, "&amp;")
-    .replace(/"/g, "&quot;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;");
-}

package/src/auth-email-password/errors.ts

@@ -0,0 +1,84 @@
+import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { AuthErrors } from "./constants";
+
+export function invalidCredentials() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidCredentials, {
+      i18nKey: "auth.errors.invalidCredentials",
+    }),
+  );
+}
+
+export function invalidInviteToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidInviteToken, {
+      i18nKey: "auth.errors.invalidInviteToken",
+    }),
+  );
+}
+
+export function inviteEmailMismatch() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.inviteEmailMismatch, {
+      i18nKey: "auth.errors.inviteEmailMismatch",
+    }),
+  );
+}
+
+export function invalidResetToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidResetToken, {
+      i18nKey: "auth.errors.invalidResetToken",
+    }),
+  );
+}
+
+export function invalidVerificationToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidVerificationToken, {
+      i18nKey: "auth.errors.invalidVerificationToken",
+    }),
+  );
+}
+
+export function invalidSignupToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidSignupToken, {
+      i18nKey: "auth.errors.invalidSignupToken",
+    }),
+  );
+}
+
+export function noMembership() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.noMembership, {
+      i18nKey: "auth.errors.noMembership",
+    }),
+  );
+}
+
+export function emailNotVerified() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.emailNotVerified, {
+      i18nKey: "auth.errors.emailNotVerified",
+    }),
+  );
+}
+
+// retryAfterSeconds drives the login/signup UI countdown — must stay > 0.
+export function accountLocked(retryAfterSeconds: number) {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountLocked, {
+      i18nKey: "auth.errors.accountLocked",
+      details: { retryAfterSeconds },
+    }),
+  );
+}
+
+export function accountRestricted() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountRestricted, {
+      i18nKey: "auth.errors.accountRestricted",
+    }),
+  );
+}

package/src/auth-email-password/handlers/change-password.write.ts

@@ -1,19 +1,10 @@
 import { access, createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { getAggregateStreamTenant } from "@cosmicdrift/kumiko-framework/event-store";
 import { z } from "zod";
 import { USER_FEATURE, UserHandlers, UserQueries } from "../../user";
-import { AuthErrors } from "../constants";
+import { invalidCredentials } from "../errors";
 import { hashPassword, verifyPassword } from "../password-hashing";
 
-function invalidCredentials() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidCredentials, {
-      i18nKey: "auth.errors.invalidCredentials",
-    }),
-  );
-}
-
 // Change-password — authenticated. The user supplies their current password
 // (re-auth) and the new one. The new hash is written via ctx.writeAs(system)
 // against the user feature's update handler; field-access on passwordHash

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts

@@ -25,11 +25,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -41,7 +37,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import login-style password-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -69,14 +65,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteAcceptWithLoginHandler() {
   return defineWriteHandler<
     "invite-accept-with-login",
@@ -123,11 +111,7 @@ export function createInviteAcceptWithLoginHandler() {
 
         // Email-Match vom User-Input (nicht aus session — User ist anon)
         if (event.payload.email.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
 
         // Password-Check gegen userTable. Anti-enumeration: bei

package/src/auth-email-password/handlers/invite-accept.write.ts

@@ -22,11 +22,7 @@ import {
   defineWriteHandler,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link), DB-row-owner ist tenant-feature
 import {
@@ -34,11 +30,13 @@ import {
   tenantInvitationEntity,
   tenantInvitationsTable,
 } from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import direkter membership-Lookup (ungefiltert, s. alreadyMember-Kommentar)
+import { tenantMembershipsTable } from "../../tenant/membership-table";
 // kumiko-lint-ignore cross-feature-import membership-seed-helper für privilegierten cross-tenant-add (analog provisionSignupAccount)
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import auth handler reads user-row für email-match
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -63,14 +61,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteAcceptHandler() {
   return defineWriteHandler<"invite-accept", typeof InviteAcceptSchema, InviteAcceptData>({
     name: "invite-accept",
@@ -122,22 +112,19 @@ export function createInviteAcceptHandler() {
         });
         const userEmail = userRow?.email;
         if (!userRow || !userEmail || userEmail.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
 
-        // Already-Member-Check via memberships-query. Wenn der User schon
-        // im invited Tenant Member ist, kein Error — no-op + 200 mit
-        // alreadyMember=true (advisor-Constraint #4: idempotent).
-        const memberships = (await ctx.queryAs(
-          createSystemUser(invitationTenantId),
-          "tenant:query:memberships",
-          { userId: event.user.id },
-        )) as Array<{ tenantId: string }>; // @cast-boundary db-row
-        const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
+        // Already-Member-Check direkt gegen die memberships-Projektion —
+        // NICHT via tenant:query:memberships, die disabled Tenants filtert:
+        // ein Re-Invite in einen (vorübergehend) disabled Tenant würde dort
+        // alreadyMember=false sehen und am Unique-Constraint scheitern.
+        // Idempotenz: schon Member → no-op + 200 mit alreadyMember=true.
+        const membershipRow = await fetchOne(ctx.db.raw, tenantMembershipsTable, {
+          userId: event.user.id,
+          tenantId: invitationTenantId,
+        });
+        const alreadyMember = membershipRow !== undefined;
 
         const dbConn = ctx.db.raw;
 

package/src/auth-email-password/handlers/invite-signup-complete.write.ts

@@ -29,11 +29,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -45,7 +41,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import existence-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -73,14 +69,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteSignupCompleteHandler() {
   return defineWriteHandler<
     "invite-signup-complete",