@cosmicdrift/kumiko-bundled-features 0.37.0 → 0.39.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.37.0",
+  "version": "0.39.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -48,6 +48,8 @@
     "./user": "./src/user/index.ts",
     "./user/seeding": "./src/user/seeding.ts",
     "./user/testing": "./src/user/testing.ts",
+    "./user-profile": "./src/user-profile/index.ts",
+    "./user-profile/web": "./src/user-profile/web/index.ts",
     "./auth-email-password": "./src/auth-email-password/index.ts",
     "./auth-email-password/constants": "./src/auth-email-password/constants.ts",
     "./auth-email-password/seeding": "./src/auth-email-password/seeding.ts",
@@ -74,10 +76,10 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.35.0",
-    "@cosmicdrift/kumiko-framework": "0.35.0",
-    "@cosmicdrift/kumiko-renderer": "0.35.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.35.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.38.0",
+    "@cosmicdrift/kumiko-framework": "0.38.0",
+    "@cosmicdrift/kumiko-renderer": "0.38.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.38.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/email-templates.ts

@@ -64,6 +64,7 @@ const STRINGS = {
   de: {
     resetSubject: (app: string) => `${app} — Passwort zurücksetzen`,
     resetGreeting: "Hallo,",
+    // guard:dup-ok — false positive: i18n-String-Template, gleiche Arrow-Struktur wie anonymous fn in collect-table-metas
     resetIntro: (app: string) =>
       `du hast den Reset deines Passworts für ${app} angefordert. Klicke auf den folgenden Link, um ein neues Passwort zu setzen:`,
     resetButton: "Passwort zurücksetzen",
@@ -160,6 +161,7 @@ function renderTokenEmail(spec: TokenEmailSpec): RenderedEmail {
 
 // Plain inline-styled HTML — funktioniert in Gmail/Outlook/Apple-Mail
 // ohne dass wir Tailwind oder eine HTML-mail-Lib reinziehen müssen.
+// guard:dup-ok — Email-HTML (table-layout, inline CSS) ≠ Web-HTML (legal-pages/markdown.ts)
 function renderShell(args: { title: string; bodyHtml: string }): string {
   return `<!DOCTYPE html>
 <html lang="en">
@@ -182,10 +184,12 @@ function renderShell(args: { title: string; bodyHtml: string }): string {
 </html>`;
 }
 
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderButton(args: { url: string; label: string }): string {
   return `<a href="${escapeHtmlAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
 }
 
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie wrapInLayout (legal-pages), verschiedene Semantik
 function renderFallbackUrl(args: { url: string; label: string }): string {
   return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeHtmlAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
 }

package/src/auth-email-password/errors.ts

@@ -0,0 +1,84 @@
+import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { AuthErrors } from "./constants";
+
+export function invalidCredentials() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidCredentials, {
+      i18nKey: "auth.errors.invalidCredentials",
+    }),
+  );
+}
+
+export function invalidInviteToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidInviteToken, {
+      i18nKey: "auth.errors.invalidInviteToken",
+    }),
+  );
+}
+
+export function inviteEmailMismatch() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.inviteEmailMismatch, {
+      i18nKey: "auth.errors.inviteEmailMismatch",
+    }),
+  );
+}
+
+export function invalidResetToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidResetToken, {
+      i18nKey: "auth.errors.invalidResetToken",
+    }),
+  );
+}
+
+export function invalidVerificationToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidVerificationToken, {
+      i18nKey: "auth.errors.invalidVerificationToken",
+    }),
+  );
+}
+
+export function invalidSignupToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidSignupToken, {
+      i18nKey: "auth.errors.invalidSignupToken",
+    }),
+  );
+}
+
+export function noMembership() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.noMembership, {
+      i18nKey: "auth.errors.noMembership",
+    }),
+  );
+}
+
+export function emailNotVerified() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.emailNotVerified, {
+      i18nKey: "auth.errors.emailNotVerified",
+    }),
+  );
+}
+
+// retryAfterSeconds drives the login/signup UI countdown — must stay > 0.
+export function accountLocked(retryAfterSeconds: number) {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountLocked, {
+      i18nKey: "auth.errors.accountLocked",
+      details: { retryAfterSeconds },
+    }),
+  );
+}
+
+export function accountRestricted() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountRestricted, {
+      i18nKey: "auth.errors.accountRestricted",
+    }),
+  );
+}

package/src/auth-email-password/handlers/change-password.write.ts

@@ -1,19 +1,10 @@
 import { access, createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { getAggregateStreamTenant } from "@cosmicdrift/kumiko-framework/event-store";
 import { z } from "zod";
 import { USER_FEATURE, UserHandlers, UserQueries } from "../../user";
-import { AuthErrors } from "../constants";
+import { invalidCredentials } from "../errors";
 import { hashPassword, verifyPassword } from "../password-hashing";
 
-function invalidCredentials() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidCredentials, {
-      i18nKey: "auth.errors.invalidCredentials",
-    }),
-  );
-}
-
 // Change-password — authenticated. The user supplies their current password
 // (re-auth) and the new one. The new hash is written via ctx.writeAs(system)
 // against the user feature's update handler; field-access on passwordHash

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts

@@ -25,11 +25,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -41,7 +37,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import login-style password-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -69,14 +65,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteAcceptWithLoginHandler() {
   return defineWriteHandler<
     "invite-accept-with-login",
@@ -123,11 +111,7 @@ export function createInviteAcceptWithLoginHandler() {
 
         // Email-Match vom User-Input (nicht aus session — User ist anon)
         if (event.payload.email.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
 
         // Password-Check gegen userTable. Anti-enumeration: bei

package/src/auth-email-password/handlers/invite-accept.write.ts

@@ -22,11 +22,7 @@ import {
   defineWriteHandler,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link), DB-row-owner ist tenant-feature
 import {
@@ -34,11 +30,13 @@ import {
   tenantInvitationEntity,
   tenantInvitationsTable,
 } from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import direkter membership-Lookup (ungefiltert, s. alreadyMember-Kommentar)
+import { tenantMembershipsTable } from "../../tenant/membership-table";
 // kumiko-lint-ignore cross-feature-import membership-seed-helper für privilegierten cross-tenant-add (analog provisionSignupAccount)
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import auth handler reads user-row für email-match
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken, inviteEmailMismatch } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -63,14 +61,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteAcceptHandler() {
   return defineWriteHandler<"invite-accept", typeof InviteAcceptSchema, InviteAcceptData>({
     name: "invite-accept",
@@ -122,22 +112,19 @@ export function createInviteAcceptHandler() {
         });
         const userEmail = userRow?.email;
         if (!userRow || !userEmail || userEmail.toLowerCase() !== invitationEmail) {
-          return writeFailure(
-            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
-              i18nKey: "auth.errors.inviteEmailMismatch",
-            }),
-          );
+          return inviteEmailMismatch();
         }
 
-        // Already-Member-Check via memberships-query. Wenn der User schon
-        // im invited Tenant Member ist, kein Error — no-op + 200 mit
-        // alreadyMember=true (advisor-Constraint #4: idempotent).
-        const memberships = (await ctx.queryAs(
-          createSystemUser(invitationTenantId),
-          "tenant:query:memberships",
-          { userId: event.user.id },
-        )) as Array<{ tenantId: string }>; // @cast-boundary db-row
-        const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
+        // Already-Member-Check direkt gegen die memberships-Projektion —
+        // NICHT via tenant:query:memberships, die disabled Tenants filtert:
+        // ein Re-Invite in einen (vorübergehend) disabled Tenant würde dort
+        // alreadyMember=false sehen und am Unique-Constraint scheitern.
+        // Idempotenz: schon Member → no-op + 200 mit alreadyMember=true.
+        const membershipRow = await fetchOne(ctx.db.raw, tenantMembershipsTable, {
+          userId: event.user.id,
+          tenantId: invitationTenantId,
+        });
+        const alreadyMember = membershipRow !== undefined;
 
         const dbConn = ctx.db.raw;
 

package/src/auth-email-password/handlers/invite-signup-complete.write.ts

@@ -29,11 +29,7 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import invite-flow
 import {
@@ -45,7 +41,7 @@ import {
 import { seedTenantMembership } from "../../tenant/seeding";
 // kumiko-lint-ignore cross-feature-import existence-check
 import { userTable } from "../../user/schema/user";
-import { AuthErrors } from "../constants";
+import { invalidInviteToken } from "../errors";
 import {
   burnInviteToken,
   deleteInviteToken,
@@ -73,14 +69,6 @@ const invitationExecutor = createEventStoreExecutor(
   { entityName: "tenant-invitation" },
 );
 
-function invalidInviteToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidInviteToken, {
-      i18nKey: "auth.errors.invalidInviteToken",
-    }),
-  );
-}
-
 export function createInviteSignupCompleteHandler() {
   return defineWriteHandler<
     "invite-signup-complete",

package/src/auth-email-password/handlers/login.write.ts

@@ -4,7 +4,6 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
 import { USER_STATUS, UserQueries } from "../../user";
@@ -12,60 +11,17 @@ import { parseAuthUserRow } from "../auth-user-row";
 import {
   AUTH_LOCKOUT_DEFAULT_DURATION_MINUTES,
   AUTH_LOCKOUT_DEFAULT_MAX_FAILED_ATTEMPTS,
-  AuthErrors,
 } from "../constants";
+import {
+  accountLocked,
+  accountRestricted,
+  emailNotVerified,
+  invalidCredentials,
+  noMembership,
+} from "../errors";
 import { clearLockoutState, getLockoutState, recordFailedAttempt } from "../lockout-store";
 import { verifyPassword } from "../password-hashing";
 
-function invalidCredentials() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidCredentials, {
-      i18nKey: "auth.errors.invalidCredentials",
-    }),
-  );
-}
-
-function noMembership() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.noMembership, {
-      i18nKey: "auth.errors.noMembership",
-    }),
-  );
-}
-
-function emailNotVerified() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.emailNotVerified, {
-      i18nKey: "auth.errors.emailNotVerified",
-    }),
-  );
-}
-
-function accountLocked(retryAfterSeconds: number) {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.accountLocked, {
-      i18nKey: "auth.errors.accountLocked",
-      // Seconds until auto-unlock — UI renders a countdown, clients can
-      // schedule a retry. Rounded up so the UI never shows 0 while the
-      // lock is still active.
-      details: { retryAfterSeconds },
-    }),
-  );
-}
-
-// S2.U6 — DSGVO Art. 18 Account-Freeze. Distinct error code (nicht zu
-// invalid_credentials collapsen) damit UI klar sagen kann "Account ist
-// pausiert, hier klicken zum Aufheben". User weiss schon dass sein Konto
-// restricted ist (er hat selbst die Restriction gesetzt), also kein
-// Enumeration-Leak.
-function accountRestricted() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.accountRestricted, {
-      i18nKey: "auth.errors.accountRestricted",
-    }),
-  );
-}
-
 export type LoginHandlerOptions = {
   // When true, a valid (email + password) login fails with email_not_verified
   // if the user row's emailVerified flag is false. Enumeration-leak is

package/src/auth-email-password/handlers/reset-password.write.ts

@@ -2,6 +2,7 @@ import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { AuthErrors } from "../constants";
+import { invalidResetToken } from "../errors";
 import { hashPassword } from "../password-hashing";
 import { verifyResetToken } from "../reset-token";
 import { runConfirmTokenFlow } from "./confirm-token-flow";
@@ -10,14 +11,6 @@ export type ResetPasswordOptions = {
   readonly hmacSecret: string;
 };
 
-function invalidToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidResetToken, {
-      i18nKey: "auth.errors.invalidResetToken",
-    }),
-  );
-}
-
 // Confirm step of the reset flow. Token-verify happens inline; the
 // post-verify pipeline (burn, load user, memberships, try-all-tenants,
 // burn-release-on-failure) lives in confirm-token-flow to stay in sync
@@ -45,12 +38,12 @@ export function createResetPasswordHandler(opts: ResetPasswordOptions) {
       // the same invalid_reset_token error — a probing caller can't
       // distinguish tampered from stale from random-string.
       const verify = verifyResetToken(event.payload.token, opts.hmacSecret);
-      if (!verify.ok) return invalidToken();
+      if (!verify.ok) return invalidResetToken();
 
       return runConfirmTokenFlow(ctx, verify.userId, verify.expiresAtMs, {
         purpose: "reset",
         redisRequiredMessage: "password-reset requires ctx.redis to enforce token single-use",
-        invalidToken,
+        invalidToken: invalidResetToken,
         buildChanges: async () => ({
           passwordHash: await hashPassword(event.payload.newPassword),
         }),

package/src/auth-email-password/handlers/signup-confirm.write.ts

@@ -26,17 +26,13 @@ import {
   type SessionUser,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
-import {
-  InternalError,
-  UnprocessableError,
-  writeFailure,
-} from "@cosmicdrift/kumiko-framework/errors";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { generateUniqueName } from "@cosmicdrift/kumiko-framework/random";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
 // kumiko-lint-ignore cross-feature-import signup-confirm reads tenants.key for slug-uniqueness check (TOCTOU + DB-unique-index zusammen)
 import { tenantTable } from "../../tenant/schema/tenant";
-import { AuthErrors } from "../constants";
+import { invalidSignupToken } from "../errors";
 // kumiko-lint-ignore cross-feature-import provisioning needs cross-feature seeding helpers
 import { INITIAL_SIGNUP_ROLES, provisionSignupAccount } from "../seeding";
 import {
@@ -63,14 +59,6 @@ export type SignupConfirmData = {
   readonly tenantKey: string;
 };
 
-function invalidSignupToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidSignupToken, {
-      i18nKey: "auth.errors.invalidSignupToken",
-    }),
-  );
-}
-
 export function createSignupConfirmHandler() {
   return defineWriteHandler<"signup-confirm", typeof SignupConfirmSchema, SignupConfirmData>({
     name: "signup-confirm",

package/src/auth-email-password/handlers/verify-email.write.ts

@@ -2,6 +2,7 @@ import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { AuthErrors } from "../constants";
+import { invalidVerificationToken } from "../errors";
 import { verifyVerificationToken } from "../verification-token";
 import { runConfirmTokenFlow } from "./confirm-token-flow";
 
@@ -15,14 +16,6 @@ const VerifyEmailSchema = z.object({
 
 export type VerifyEmailData = { readonly kind: "verified" } | { readonly kind: "already-verified" };
 
-function invalidToken() {
-  return writeFailure(
-    new UnprocessableError(AuthErrors.invalidVerificationToken, {
-      i18nKey: "auth.errors.invalidVerificationToken",
-    }),
-  );
-}
-
 // Sets user.emailVerified = true on a valid token. Idempotent via the
 // `alreadyDone` short-circuit — when the row already reads verified
 // (reached through another flow), we skip the write but keep the burn
@@ -44,12 +37,12 @@ export function createVerifyEmailHandler(opts: VerifyEmailOptions) {
       }
 
       const verify = verifyVerificationToken(event.payload.token, opts.hmacSecret);
-      if (!verify.ok) return invalidToken();
+      if (!verify.ok) return invalidVerificationToken();
 
       return runConfirmTokenFlow<VerifyEmailData>(ctx, verify.userId, verify.expiresAtMs, {
         purpose: "verify",
         redisRequiredMessage: "email-verification requires ctx.redis to enforce token single-use",
-        invalidToken,
+        invalidToken: invalidVerificationToken,
         buildChanges: async () => ({ emailVerified: true }),
         successData: { kind: "verified" },
         alreadyDone: {

package/src/auth-email-password/i18n.ts

@@ -207,17 +207,7 @@ export const defaultTranslations: TranslationsByLocale = {
   },
 };
 
-/** Merged zwei TranslationsByLocale-Maps — der override gewinnt pro Key,
- *  die Locales werden zusammengeführt. Wird von emailPasswordClient()
- *  benutzt, um App-Overrides über die Defaults zu legen. */
-export function mergeTranslations(
-  base: TranslationsByLocale,
-  override: TranslationsByLocale,
-): TranslationsByLocale {
-  const locales = new Set([...Object.keys(base), ...Object.keys(override)]);
-  const merged: Record<string, Record<string, string>> = {};
-  for (const locale of locales) {
-    merged[locale] = { ...(base[locale] ?? {}), ...(override[locale] ?? {}) };
-  }
-  return merged;
-}
+// Kanonische Implementierung lebt jetzt im Renderer (neben
+// TranslationsByLocale) — Re-Export hält die bestehende Import-Surface
+// (auth-email-password/web) stabil.
+export { mergeTranslations } from "@cosmicdrift/kumiko-renderer";

package/src/auth-email-password/web/__tests__/tenant-switcher.test.tsx

@@ -111,3 +111,27 @@ describe("TenantSwitcher", () => {
     expect(session.switchTenant).not.toHaveBeenCalled();
   });
 });
+
+describe("TenantSwitcher — key-only-Fallback im geöffneten Dropdown", () => {
+  test("Membership ohne name rendert ihren key als Dropdown-Label", async () => {
+    const user = userEvent.setup();
+    const session = makeSessionApi({
+      activeTenantId: "00000000-0000-4000-8000-000000000001",
+      tenants: [
+        {
+          tenantId: "00000000-0000-4000-8000-000000000001",
+          roles: ["Admin"],
+          name: "Status",
+          key: "status",
+        },
+        { tenantId: "00000000-0000-4000-8000-000000000002", roles: ["Admin"], key: "demo" },
+      ],
+    });
+    renderWithProviders(<TenantSwitcher />, { session });
+    await user.click(screen.getByRole("button", { name: /Status/ }));
+    // Der key-only-Pfad (kein name) muss im Dropdown sichtbar werden —
+    // nicht das UUID-Präfix "00000000".
+    expect(screen.getByText("demo")).toBeTruthy();
+    expect(screen.queryByText("00000000")).toBeNull();
+  });
+});

package/src/auth-email-password/web/forgot-password-screen.tsx

@@ -34,6 +34,7 @@ export function ForgotPasswordScreen({
   const [done, setDone] = useState(false);
   const [error, setError] = useState<string | null>(null);
 
+  // guard:dup-ok — gleiches Submit-Muster wie signup-screen, aber verschiedene API-Endpoints und State
   const doSubmit = async (): Promise<void> => {
     setSubmitting(true);
     setError(null);

package/src/auth-email-password/web/index.ts

@@ -5,7 +5,7 @@
 // `@cosmicdrift/kumiko-bundled-features/auth-email-password` und hat keine
 // React-/DOM-Deps. Trennung bleibt sauber so wie renderer vs renderer-web.
 
-export { defaultTranslations } from "../i18n";
+export { defaultTranslations, mergeTranslations } from "../i18n";
 export type {
   AuthTokenFailure,
   CurrentUserProfile,

package/src/auth-email-password/web/tenant-switcher.tsx

@@ -63,7 +63,8 @@ export function TenantSwitcher({ tenantName }: TenantSwitcherProps): ReactNode {
   const nameOf = (tenantId: string): string => {
     if (tenantName !== undefined) return tenantName(tenantId);
     const membership = tenants.find((m) => m.tenantId === tenantId);
-    return membership?.name ?? membership?.key ?? tenantId.slice(0, 8);
+    // || statt ??: ein leerer name/key-String darf nicht als Label durchrutschen.
+    return membership?.name || membership?.key || tenantId.slice(0, 8);
   };
 
   // Rendering-Gate: kein User → nix; nur ein Tenant → auch nix

package/src/cap-counter/enforce-cap.ts

@@ -413,6 +413,11 @@ export type StockCapResult =
  * (ein Delete gibt den Slot sofort frei), braucht keine Counter-Tabelle und
  * kein Increment/Decrement-Bookkeeping. Misst einen Bestand, keinen Fluss.
  *
+ * **TOCTOU-Caveat:** Zählen und Schreiben sind nicht atomar — zwei parallele
+ * Creates können beide `ok` sehen und das Limit um eins überschreiten (gleiche
+ * Race wie bei {@link enforceCap}). Exakt harte Slots brauchen zusätzliche
+ * Serialisierung im Create-Pfad (z.B. Unique-Index auf tenantId+slot).
+ *
  * Reine Funktion — wirft NICHT und mappt KEINEN HTTP-Status. Ein erreichtes
  * Stock-Limit heißt „Upgrade nötig", nicht „retry later" (429): der Caller
  * entscheidet die Reaktion, typisch ein app-eigener 422/`upgrade_required`

package/src/compliance-profiles/README.md

@@ -78,7 +78,7 @@ explizit als eigene Entity.
 
 ## Tests
 
-`__tests__/compliance-profiles.integration.ts` — 9 full-stack Tests via
+`__tests__/compliance-profiles.integration.test.ts` — 9 full-stack Tests via
 `setupTestStack` + echte HTTP-Calls (Memory: `feedback_no_fake_dispatcher`):
 list-profiles, for-tenant ohne/mit Setting, set-profile als TenantAdmin /
 Member (403) / mit Override / mit invalidem JSON / mit Array statt Object /

package/src/custom-fields/__tests__/feature.test.ts

@@ -12,7 +12,7 @@ describe("createCustomFieldsFeature shape", () => {
   test("registers field-definition entity + 6 write-handlers + 1 query-handler", () => {
     const feature = createCustomFieldsFeature();
 
-    expect(Object.keys(feature.entities)).toContain("field-definition");
+    expect(Object.keys(feature.entities ?? {})).toContain("field-definition");
 
     const writeHandlerNames = Object.keys(feature.writeHandlers);
     expect(writeHandlerNames).toEqual(