npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.37.0 → 0.38.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.37.0 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.37.0",
+  "version": "0.38.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -74,10 +74,10 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.35.0",
-    "@cosmicdrift/kumiko-framework": "0.35.0",
-    "@cosmicdrift/kumiko-renderer": "0.35.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.35.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.37.0",
+    "@cosmicdrift/kumiko-framework": "0.37.0",
+    "@cosmicdrift/kumiko-renderer": "0.37.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.37.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/email-templates.ts CHANGED Viewed

@@ -64,6 +64,7 @@ const STRINGS = {
   de: {
     resetSubject: (app: string) => `${app} — Passwort zurücksetzen`,
     resetGreeting: "Hallo,",
+    // guard:dup-ok — false positive: i18n-String-Template, gleiche Arrow-Struktur wie anonymous fn in collect-table-metas
     resetIntro: (app: string) =>
       `du hast den Reset deines Passworts für ${app} angefordert. Klicke auf den folgenden Link, um ein neues Passwort zu setzen:`,
     resetButton: "Passwort zurücksetzen",
@@ -160,6 +161,7 @@ function renderTokenEmail(spec: TokenEmailSpec): RenderedEmail {
 // Plain inline-styled HTML — funktioniert in Gmail/Outlook/Apple-Mail
 // ohne dass wir Tailwind oder eine HTML-mail-Lib reinziehen müssen.
+// guard:dup-ok — Email-HTML (table-layout, inline CSS) ≠ Web-HTML (legal-pages/markdown.ts)
 function renderShell(args: { title: string; bodyHtml: string }): string {
   return `<!DOCTYPE html>
 <html lang="en">
@@ -182,10 +184,12 @@ function renderShell(args: { title: string; bodyHtml: string }): string {
 </html>`;
 }
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderButton(args: { url: string; label: string }): string {
   return `<a href="${escapeHtmlAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
 }
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderFallbackUrl(args: { url: string; label: string }): string {
   return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeHtmlAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
 }

package/src/auth-email-password/errors.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { AuthErrors } from "./constants";
+export function invalidCredentials() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidCredentials, {
+      i18nKey: "auth.errors.invalidCredentials",
+    }),
+  );
+}
+export function invalidInviteToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidInviteToken, {
+      i18nKey: "auth.errors.invalidInviteToken",
+    }),
+  );
+}
+export function inviteEmailMismatch() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.inviteEmailMismatch, {
+      i18nKey: "auth.errors.inviteEmailMismatch",
+    }),
+  );
+}
+export function invalidResetToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidResetToken, {
+      i18nKey: "auth.errors.invalidResetToken",
+    }),
+  );
+}
+export function invalidVerificationToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidVerificationToken, {
+      i18nKey: "auth.errors.invalidVerificationToken",
+    }),
+  );
+}
+export function invalidSignupToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidSignupToken, {
+      i18nKey: "auth.errors.invalidSignupToken",
+    }),
+  );
+}
+export function noMembership() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.noMembership, {
+      i18nKey: "auth.errors.noMembership",
+    }),
+  );
+}
+export function emailNotVerified() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.emailNotVerified, {
+      i18nKey: "auth.errors.emailNotVerified",
+    }),
+  );
+}
+// retryAfterSeconds drives the login/signup UI countdown — must stay > 0.
+export function accountLocked(retryAfterSeconds: number) {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountLocked, {
+      i18nKey: "auth.errors.accountLocked",
+      details: { retryAfterSeconds },
+    }),
+  );
+}
+export function accountRestricted() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountRestricted, {
+      i18nKey: "auth.errors.accountRestricted",
+    }),
+  );
+}

package/src/auth-email-password/handlers/change-password.write.ts CHANGED Viewed

@@ -1,19 +1,10 @@
 import { access, createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { getAggregateStreamTenant } from "@cosmicdrift/kumiko-framework/event-store";
 import { z } from "zod";
 import { USER_FEATURE, UserHandlers, UserQueries } from "../../user";
-import { AuthErrors } from "../constants";
+import { invalidCredentials } from "../errors";
 import { hashPassword, verifyPassword } from "../password-hashing";
-function invalidCredentials() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidCredentials, {
-      i18nKey: "auth.errors.invalidCredentials",
-    }),
-  );
-}
 // Change-password — authenticated. The user supplies their current password
 // (re-auth) and the new one. The new hash is written via ctx.writeAs(system)
 // against the user feature's update handler; field-access on passwordHash

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts CHANGED Viewed

@@ -25,11 +25,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -41,7 +37,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import login-style password-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -69,14 +65,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
 export function createInviteAcceptWithLoginHandler() {
   return defineWriteHandler<
     "invite-accept-with-login",
@@ -123,11 +111,7 @@ export function createInviteAcceptWithLoginHandler() {
         // Email-Match vom User-Input (nicht aus session — User ist anon)
         if (event.payload.email.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
         // Password-Check gegen userTable. Anti-enumeration: bei

package/src/auth-email-password/handlers/invite-accept.write.ts CHANGED Viewed

@@ -22,11 +22,7 @@ import {
   defineWriteHandler,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link), DB-row-owner ist tenant-feature
 import {
@@ -34,11 +30,13 @@ import {
   tenantInvitationEntity,
   tenantInvitationsTable,
 } from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import direkter membership-Lookup (ungefiltert, s. alreadyMember-Kommentar)
+import { tenantMembershipsTable } from "../../tenant/membership-table";
 // kumiko-lint-ignore cross-feature-import membership-seed-helper für privilegierten cross-tenant-add (analog provisionSignupAccount)
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import auth handler reads user-row für email-match
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -63,14 +61,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
 export function createInviteAcceptHandler() {
   return defineWriteHandler<"invite-accept", typeof InviteAcceptSchema, InviteAcceptData>({
     name: "invite-accept",
@@ -122,22 +112,19 @@ export function createInviteAcceptHandler() {
         });
         const userEmail = userRow?.email;
         if (!userRow || !userEmail || userEmail.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
-        // Already-Member-Check via memberships-query. Wenn der User schon
-        // im invited Tenant Member ist, kein Error — no-op + 200 mit
-        // alreadyMember=true (advisor-Constraint #4: idempotent).
-        const memberships = (await ctx.queryAs(
-          createSystemUser(invitationTenantId),
-          "tenant:query:memberships",
-          { userId: event.user.id },
-        )) as Array<{ tenantId: string }>; // @cast-boundary db-row
-        const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
+        // Already-Member-Check direkt gegen die memberships-Projektion —
+        // NICHT via tenant:query:memberships, die disabled Tenants filtert:
+        // ein Re-Invite in einen (vorübergehend) disabled Tenant würde dort
+        // alreadyMember=false sehen und am Unique-Constraint scheitern.
+        // Idempotenz: schon Member → no-op + 200 mit alreadyMember=true.
+        const membershipRow = await fetchOne(ctx.db.raw, tenantMembershipsTable, {
+          userId: event.user.id,
+          tenantId: invitationTenantId,
+        });
+        const alreadyMember = membershipRow !== undefined;
         const dbConn = ctx.db.raw;

package/src/auth-email-password/handlers/invite-signup-complete.write.ts CHANGED Viewed

@@ -29,11 +29,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -45,7 +41,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import existence-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -73,14 +69,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
 export function createInviteSignupCompleteHandler() {
   return defineWriteHandler<
     "invite-signup-complete",

package/src/auth-email-password/handlers/login.write.ts CHANGED Viewed

@@ -4,7 +4,6 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
 import { USER_STATUS, UserQueries } from "../../user";
@@ -12,60 +11,17 @@ import { parseAuthUserRow } from "../auth-user-row";
 import {
   AUTH_LOCKOUT_DEFAULT_DURATION_MINUTES,
   AUTH_LOCKOUT_DEFAULT_MAX_FAILED_ATTEMPTS,
-  AuthErrors,
 } from "../constants";
+import {
+  accountLocked,
+  accountRestricted,
+  emailNotVerified,
+  invalidCredentials,
+  noMembership,
+} from "../errors";
 import { clearLockoutState, getLockoutState, recordFailedAttempt } from "../lockout-store";
 import { verifyPassword } from "../password-hashing";
-function invalidCredentials() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidCredentials, {
-      i18nKey: "auth.errors.invalidCredentials",
-    }),
-  );
-}
-function noMembership() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.noMembership, {
-      i18nKey: "auth.errors.noMembership",
-    }),
-  );
-}
-function emailNotVerified() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.emailNotVerified, {
-      i18nKey: "auth.errors.emailNotVerified",
-    }),
-  );
-}
-function accountLocked(retryAfterSeconds: number) {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.accountLocked, {
-      i18nKey: "auth.errors.accountLocked",
-      // Seconds until auto-unlock — UI renders a countdown, clients can
-      // schedule a retry. Rounded up so the UI never shows 0 while the
-      // lock is still active.
-      details: { retryAfterSeconds },
-    }),
-  );
-}
-// S2.U6 — DSGVO Art. 18 Account-Freeze. Distinct error code (nicht zu
-// invalid_credentials collapsen) damit UI klar sagen kann "Account ist
-// pausiert, hier klicken zum Aufheben". User weiss schon dass sein Konto
-// restricted ist (er hat selbst die Restriction gesetzt), also kein
-// Enumeration-Leak.
-function accountRestricted() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.accountRestricted, {
-      i18nKey: "auth.errors.accountRestricted",
-    }),
-  );
-}
 export type LoginHandlerOptions = {
   // When true, a valid (email + password) login fails with email_not_verified
   // if the user row's emailVerified flag is false. Enumeration-leak is

package/src/auth-email-password/handlers/reset-password.write.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { AuthErrors } from "../constants";
+import { invalidResetToken } from "../errors";
 import { hashPassword } from "../password-hashing";
 import { verifyResetToken } from "../reset-token";
 import { runConfirmTokenFlow } from "./confirm-token-flow";
@@ -10,14 +11,6 @@ export type ResetPasswordOptions = {
   readonly hmacSecret: string;
 };
-function invalidToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidResetToken, {
-      i18nKey: "auth.errors.invalidResetToken",
-    }),
-  );
-}
 // Confirm step of the reset flow. Token-verify happens inline; the
 // post-verify pipeline (burn, load user, memberships, try-all-tenants,
 // burn-release-on-failure) lives in confirm-token-flow to stay in sync
@@ -45,12 +38,12 @@ export function createResetPasswordHandler(opts: ResetPasswordOptions) {
       // the same invalid_reset_token error — a probing caller can't
       // distinguish tampered from stale from random-string.
       const verify = verifyResetToken(event.payload.token, opts.hmacSecret);
-      if (!verify.ok) return invalidToken();
+      if (!verify.ok) return invalidResetToken();
       return runConfirmTokenFlow(ctx, verify.userId, verify.expiresAtMs, {
         purpose: "reset",
         redisRequiredMessage: "password-reset requires ctx.redis to enforce token single-use",
-        invalidToken,
+        invalidToken: invalidResetToken,
         buildChanges: async () => ({
           passwordHash: await hashPassword(event.payload.newPassword),
         }),

package/src/auth-email-password/handlers/signup-confirm.write.ts CHANGED Viewed

@@ -26,17 +26,13 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { generateUniqueName } from "@cosmicdrift/kumiko-framework/random";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import signup-confirm reads tenants.key for slug-uniqueness check (TOCTOU + DB-unique-index zusammen)
 import { tenantTable } from "../../tenant/schema/tenant";
-import { AuthErrors } from "../constants";
+import { invalidSignupToken } from "../errors";
 // kumiko-lint-ignore cross-feature-import provisioning needs cross-feature seeding helpers
 import { INITIAL_SIGNUP_ROLES, provisionSignupAccount } from "../seeding";
 import {
@@ -63,14 +59,6 @@ export type SignupConfirmData = {
   readonly tenantKey: string;
 };
-function invalidSignupToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidSignupToken, {
-      i18nKey: "auth.errors.invalidSignupToken",
-    }),
-  );
-}
 export function createSignupConfirmHandler() {
   return defineWriteHandler<"signup-confirm", typeof SignupConfirmSchema, SignupConfirmData>({
     name: "signup-confirm",

package/src/auth-email-password/handlers/verify-email.write.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { AuthErrors } from "../constants";
+import { invalidVerificationToken } from "../errors";
 import { verifyVerificationToken } from "../verification-token";
 import { runConfirmTokenFlow } from "./confirm-token-flow";
@@ -15,14 +16,6 @@ const VerifyEmailSchema = z.object({
 export type VerifyEmailData = { readonly kind: "verified" } | { readonly kind: "already-verified" };
-function invalidToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidVerificationToken, {
-      i18nKey: "auth.errors.invalidVerificationToken",
-    }),
-  );
-}
 // Sets user.emailVerified = true on a valid token. Idempotent via the
 // `alreadyDone` short-circuit — when the row already reads verified
 // (reached through another flow), we skip the write but keep the burn
@@ -44,12 +37,12 @@ export function createVerifyEmailHandler(opts: VerifyEmailOptions) {
       }
       const verify = verifyVerificationToken(event.payload.token, opts.hmacSecret);
-      if (!verify.ok) return invalidToken();
+      if (!verify.ok) return invalidVerificationToken();
       return runConfirmTokenFlow<VerifyEmailData>(ctx, verify.userId, verify.expiresAtMs, {
         purpose: "verify",
         redisRequiredMessage: "email-verification requires ctx.redis to enforce token single-use",
-        invalidToken,
+        invalidToken: invalidVerificationToken,
         buildChanges: async () => ({ emailVerified: true }),
         successData: { kind: "verified" },
         alreadyDone: {

package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx CHANGED Viewed

@@ -111,3 +111,27 @@ describe("TenantSwitcher", () => {
     expect(session.switchTenant).not.toHaveBeenCalled();
   });
 });
+describe("TenantSwitcher — key-only-Fallback im geöffneten Dropdown", () => {
+  test("Membership ohne name rendert ihren key als Dropdown-Label", async () => {
+    const user = userEvent.setup();
+    const session = makeSessionApi({
+      activeTenantId: "00000000-0000-4000-8000-000000000001",
+      tenants: [
+        {
+          tenantId: "00000000-0000-4000-8000-000000000001",
+          roles: ["Admin"],
+          name: "Status",
+          key: "status",
+        },
+        { tenantId: "00000000-0000-4000-8000-000000000002", roles: ["Admin"], key: "demo" },
+      ],
+    });
+    renderWithProviders(<TenantSwitcher />, { session });
+    await user.click(screen.getByRole("button", { name: /Status/ }));
+    // Der key-only-Pfad (kein name) muss im Dropdown sichtbar werden —
+    // nicht das UUID-Präfix "00000000".
+    expect(screen.getByText("demo")).toBeTruthy();
+    expect(screen.queryByText("00000000")).toBeNull();
+  });
+});

package/src/auth-email-password/web/forgot-password-screen.tsx CHANGED Viewed

@@ -34,6 +34,7 @@ export function ForgotPasswordScreen({
   const [done, setDone] = useState(false);
   const [error, setError] = useState<string | null>(null);
+  // guard:dup-ok — gleiches Submit-Muster wie signup-screen, aber verschiedene API-Endpoints und State
   const doSubmit = async (): Promise<void> => {
     setSubmitting(true);
     setError(null);

package/src/auth-email-password/web/tenant-switcher.tsx CHANGED Viewed

@@ -63,7 +63,8 @@ export function TenantSwitcher({ tenantName }: TenantSwitcherProps): ReactNode {
   const nameOf = (tenantId: string): string => {
     if (tenantName !== undefined) return tenantName(tenantId);
     const membership = tenants.find((m) => m.tenantId === tenantId);
-    return membership?.name ?? membership?.key ?? tenantId.slice(0, 8);
+    // || statt ??: ein leerer name/key-String darf nicht als Label durchrutschen.
+    return membership?.name || membership?.key || tenantId.slice(0, 8);
   };
   // Rendering-Gate: kein User → nix; nur ein Tenant → auch nix

package/src/cap-counter/enforce-cap.ts CHANGED Viewed

@@ -413,6 +413,11 @@ export type StockCapResult =
  * (ein Delete gibt den Slot sofort frei), braucht keine Counter-Tabelle und
  * kein Increment/Decrement-Bookkeeping. Misst einen Bestand, keinen Fluss.
  *
+ * **TOCTOU-Caveat:** Zählen und Schreiben sind nicht atomar — zwei parallele
+ * Creates können beide `ok` sehen und das Limit um eins überschreiten (gleiche
+ * Race wie bei {@link enforceCap}). Exakt harte Slots brauchen zusätzliche
+ * Serialisierung im Create-Pfad (z.B. Unique-Index auf tenantId+slot).
+ *
  * Reine Funktion — wirft NICHT und mappt KEINEN HTTP-Status. Ein erreichtes
  * Stock-Limit heißt „Upgrade nötig", nicht „retry later" (429): der Caller
  * entscheidet die Reaktion, typisch ein app-eigener 422/`upgrade_required`

package/src/compliance-profiles/README.md CHANGED Viewed

@@ -78,7 +78,7 @@ explizit als eigene Entity.
 ## Tests
-`__tests__/compliance-profiles.integration.ts` — 9 full-stack Tests via
+`__tests__/compliance-profiles.integration.test.ts` — 9 full-stack Tests via
 `setupTestStack` + echte HTTP-Calls (Memory: `feedback_no_fake_dispatcher`):
 list-profiles, for-tenant ohne/mit Setting, set-profile als TenantAdmin /
 Member (403) / mit Override / mit invalidem JSON / mit Array statt Object /

package/src/custom-fields/__tests__/feature.test.ts CHANGED Viewed

@@ -12,7 +12,7 @@ describe("createCustomFieldsFeature shape", () => {
   test("registers field-definition entity + 6 write-handlers + 1 query-handler", () => {
     const feature = createCustomFieldsFeature();
-    expect(Object.keys(feature.entities)).toContain("field-definition");
+    expect(Object.keys(feature.entities ?? {})).toContain("field-definition");
     const writeHandlerNames = Object.keys(feature.writeHandlers);
     expect(writeHandlerNames).toEqual(

package/src/custom-fields/__tests__/wire-for-entity.test.ts CHANGED Viewed

@@ -40,7 +40,7 @@ describe("wireCustomFieldsFor", () => {
     );
     // 3. postQuery entity-hook on "property"
-    expect(feature.entityHooks.postQuery["property"]).toHaveLength(1);
+    expect(feature.entityHooks?.postQuery?.["property"]).toHaveLength(1);
     // 4. search-payload-extension on "property"
     expect(feature.searchPayloadExtensions!["property"]).toHaveLength(1);
@@ -52,7 +52,7 @@ describe("wireCustomFieldsFor", () => {
       wireCustomFieldsFor(r, "property", propertyTable);
     });
-    const hook = feature.entityHooks.postQuery["property"]?.[0]?.fn;
+    const hook = feature.entityHooks?.postQuery?.["property"]?.[0]?.fn;
     expect(hook).toBeDefined();
     const result = await hook?.(
       {
@@ -82,7 +82,7 @@ describe("wireCustomFieldsFor", () => {
       wireCustomFieldsFor(r, "property", propertyTable);
     });
-    const hook = feature.entityHooks.postQuery["property"]?.[0]?.fn;
+    const hook = feature.entityHooks?.postQuery?.["property"]?.[0]?.fn;
     const result = await hook?.(
       {
         entityName: "property",
@@ -111,7 +111,7 @@ describe("wireCustomFieldsFor", () => {
       wireCustomFieldsFor(r, "property", propertyTable);
     });
-    const hook = feature.entityHooks.postQuery["property"]?.[0]?.fn;
+    const hook = feature.entityHooks?.postQuery?.["property"]?.[0]?.fn;
     const result = await hook?.(
       {
         entityName: "property",

package/src/custom-fields/db/queries/retention.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
+// guard:dup-ok — andere SQL als selectFieldDefinitionsForEntity; gleiche Bezeichner, verschiedene Queries
 export async function selectFieldDefinitionsWithSerialized(
   db: DbRunner,
   entityName: string,

package/src/custom-fields/lib/parse-serialized-field.ts CHANGED Viewed

@@ -43,3 +43,14 @@ export function parseSerializedField(raw: unknown): SerializedFieldShape | null
   const parsed = typeof raw === "string" ? parseJsonSafe<unknown>(raw, null) : raw;
   return isShape(parsed) ? parsed : null;
 }
+export interface FieldDefinitionRow {
+  readonly field_key: string;
+  readonly serialized_field: unknown;
+}
+export function isFieldDefinitionRow(value: unknown): value is FieldDefinitionRow {
+  if (!value || typeof value !== "object") return false;
+  if (!("field_key" in value)) return false;
+  return typeof value.field_key === "string";
+}