@cosmicdrift/kumiko-bundled-features 0.38.0 → 0.40.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.38.0",
+  "version": "0.40.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -48,6 +48,8 @@
     "./user": "./src/user/index.ts",
     "./user/seeding": "./src/user/seeding.ts",
     "./user/testing": "./src/user/testing.ts",
+    "./user-profile": "./src/user-profile/index.ts",
+    "./user-profile/web": "./src/user-profile/web/index.ts",
     "./auth-email-password": "./src/auth-email-password/index.ts",
     "./auth-email-password/constants": "./src/auth-email-password/constants.ts",
     "./auth-email-password/seeding": "./src/auth-email-password/seeding.ts",
@@ -74,10 +76,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.37.0",
-    "@cosmicdrift/kumiko-framework": "0.37.0",
-    "@cosmicdrift/kumiko-renderer": "0.37.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.37.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.38.0",
+    "@cosmicdrift/kumiko-framework": "0.38.0",
+    "@cosmicdrift/kumiko-headless": "0.38.0",
+    "@cosmicdrift/kumiko-renderer": "0.38.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.38.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/__tests__/identity-v3-login.integration.test.ts

@@ -10,6 +10,7 @@ import { pbkdf2Sync, randomBytes } from "node:crypto";
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   setupTestStack,
   type TestStack,
@@ -20,7 +21,7 @@ import {
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
-import { createTenantFeature } from "../../tenant";
+import { createTenantFeature, TenantHandlers } from "../../tenant";
 import { tenantMembershipsTable } from "../../tenant/membership-table";
 import { tenantEntity } from "../../tenant/schema/tenant";
 import { seedTenantMembership } from "../../tenant/testing";
@@ -73,6 +74,7 @@ beforeAll(async () => {
   await unsafeCreateEntityTable(stack.db, userEntity);
   await unsafeCreateEntityTable(stack.db, tenantEntity);
   await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+  await createEventsTable(stack.db);
 });
 
 afterAll(async () => {
@@ -149,3 +151,57 @@ describe("Identity-V3 password-hash compatibility", () => {
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
   });
 });
+
+// 273/2: Changeset-Zusage "disabled Tenants verschwinden aus der
+// Login-Tenant-Wahl" — der Auto-Select (chosen = preferred ?? memberships[0])
+// darf nie auf einem disabled Tenant landen. Der disabled Tenant ist hier
+// bewusst die ERSTE Membership, also genau der memberships[0]-Kandidat.
+describe("login auto-select skips disabled tenants", () => {
+  test("first membership disabled → login lands on the active tenant", async () => {
+    const password = "Active!Tenant-2026";
+    const salt = randomBytes(16);
+    const v3Hash = buildBmcStyleV3Hash(password, salt);
+
+    const disabledTenantId = "00000000-0000-4000-8000-000000000301" as TenantId;
+    const activeTenantId = "00000000-0000-4000-8000-000000000302" as TenantId;
+    await stack.http.writeOk(
+      TenantHandlers.create,
+      { id: disabledTenantId, key: "ghost", name: "Ghost Corp" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TenantHandlers.create,
+      { id: activeTenantId, key: "alive", name: "Alive Corp" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(TenantHandlers.disable, { id: disabledTenantId }, systemAdmin);
+
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      {
+        email: "carol@autoselect.example",
+        passwordHash: v3Hash,
+        displayName: "Carol Two-Tenants",
+      },
+      systemAdmin,
+    );
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: disabledTenantId,
+      roles: ["User"],
+    });
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: activeTenantId,
+      roles: ["User"],
+    });
+
+    const res = await stack.http.raw("POST", "/api/auth/login", {
+      email: "carol@autoselect.example",
+      password,
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.user).toMatchObject({ id: created.id, tenantId: activeTenantId });
+  });
+});

package/src/auth-email-password/i18n.ts

@@ -207,17 +207,7 @@ export const defaultTranslations: TranslationsByLocale = {
   },
 };
 
-/** Merged zwei TranslationsByLocale-Maps — der override gewinnt pro Key,
- *  die Locales werden zusammengeführt. Wird von emailPasswordClient()
- *  benutzt, um App-Overrides über die Defaults zu legen. */
-export function mergeTranslations(
-  base: TranslationsByLocale,
-  override: TranslationsByLocale,
-): TranslationsByLocale {
-  const locales = new Set([...Object.keys(base), ...Object.keys(override)]);
-  const merged: Record<string, Record<string, string>> = {};
-  for (const locale of locales) {
-    merged[locale] = { ...(base[locale] ?? {}), ...(override[locale] ?? {}) };
-  }
-  return merged;
-}
+// Kanonische Implementierung lebt jetzt im Renderer (neben
+// TranslationsByLocale) — Re-Export hält die bestehende Import-Surface
+// (auth-email-password/web) stabil.
+export { mergeTranslations } from "@cosmicdrift/kumiko-renderer";

package/src/auth-email-password/web/index.ts

@@ -5,7 +5,7 @@
 // `@cosmicdrift/kumiko-bundled-features/auth-email-password` und hat keine
 // React-/DOM-Deps. Trennung bleibt sauber so wie renderer vs renderer-web.
 
-export { defaultTranslations } from "../i18n";
+export { defaultTranslations, mergeTranslations } from "../i18n";
 export type {
   AuthTokenFailure,
   CurrentUserProfile,

package/src/config/__tests__/config.integration.test.ts

@@ -727,8 +727,21 @@ describe("config.schema query handler", () => {
 describe("config.readiness query handler", () => {
   type Missing = { missing: Array<{ key: string; scope: string; type: string }> };
 
+  // Pro Test ein frischer Tenant — die Tests mutieren required-Keys und
+  // dürfen sich nicht über Reihenfolge-Kopplung gegenseitig sehen (272/3).
+  function readinessAdminFor(n: number) {
+    return createTestUser({
+      id: 700 + n,
+      tenantId: `00000000-0000-4000-8000-0000000007${String(n).padStart(2, "0")}`,
+    });
+  }
+
   test("lists required keys without a usable value — and only those", async () => {
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(
+      ConfigQueries.readiness,
+      {},
+      readinessAdminFor(1),
+    );
 
     const keys = missing.map((m) => m.key);
     expect(keys).toContain("transport:config:smtp-host");
@@ -740,29 +753,31 @@ describe("config.readiness query handler", () => {
   });
 
   test("whitespace-only text value still counts as missing (requireNonEmpty-Parität)", async () => {
+    const admin = readinessAdminFor(2);
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:api-url", value: "   " },
-      tenantAdmin,
+      admin,
     );
 
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, admin);
     expect(missing.map((m) => m.key)).toContain("transport:config:api-url");
   });
 
   test("a real value clears the key from the missing list", async () => {
+    const admin = readinessAdminFor(3);
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:api-url", value: "https://api.example.com" },
-      tenantAdmin,
+      admin,
     );
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:timeout", value: 30 },
-      tenantAdmin,
+      admin,
     );
 
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, admin);
     const keys = missing.map((m) => m.key);
     expect(keys).not.toContain("transport:config:api-url");
     expect(keys).not.toContain("transport:config:timeout");

package/src/config/handlers/readiness.query.ts

@@ -66,15 +66,41 @@ export async function collectMissingRequiredConfig(
   callerQn: string,
   user: SessionUser,
   gate?: RequiredKeyGate,
+  options?: {
+    /** Verdict-Pfade (Rollup, selbst role-gated) MÜSSEN ungefiltert zählen:
+     *  der Per-Key-read-Filter ist Info-Disclosure-Schutz für den
+     *  openToAll-Handler — im Verdict droppte er SystemAdmin-gated
+     *  required-Keys still und meldete ready:true trotz Lücke. */
+    readonly skipAccessFilter?: boolean;
+  },
 ): Promise<ReadinessMissingKey[]> {
   const resolver = requireConfigResolver(ctx, callerQn);
   const effectiveGate = gate ?? (await buildProviderSelectionGate(ctx, callerQn, user));
-  const missing: ReadinessMissingKey[] = [];
+  // Kandidaten erst sammeln, dann EIN Batch-Resolve — die sequentielle
+  // resolver.get-Schleife war ein N+1 über alle required Keys (272/1).
+  type KeyDef =
+    ReturnType<typeof ctx.registry.getAllConfigKeys> extends ReadonlyMap<string, infer D>
+      ? D
+      : never;
+  const candidates = new Map<string, KeyDef>();
   for (const [qualifiedKey, keyDef] of ctx.registry.getAllConfigKeys()) {
     if (keyDef.required !== true) continue;
     if (!effectiveGate(qualifiedKey)) continue;
-    if (!hasConfigAccess(keyDef.access.read, user.roles)) continue;
-    const value = await resolver.get(qualifiedKey, keyDef, user.tenantId, user.id, ctx.db);
+    if (options?.skipAccessFilter !== true && !hasConfigAccess(keyDef.access.read, user.roles)) {
+      continue;
+    }
+    candidates.set(qualifiedKey, keyDef);
+  }
+  const missing: ReadinessMissingKey[] = [];
+  const cascades = await resolver.getCascadeBatch(
+    [...candidates.keys()],
+    candidates,
+    user.tenantId,
+    user.id,
+    ctx.db,
+  );
+  for (const [qualifiedKey, keyDef] of candidates) {
+    const value = cascades.get(qualifiedKey)?.value;
     if (isUnset(value, keyDef.type)) {
       missing.push({ key: qualifiedKey, scope: keyDef.scope, type: keyDef.type });
     }

package/src/custom-fields/__tests__/custom-fields.integration.test.ts

@@ -614,6 +614,20 @@ describe("custom-fields integration — update-tenant-field (Bug-Bash D2)", () =
     expect(sf["label"]).toEqual({ de: "Priorität", en: "Priority" });
   });
 
+  test("update ohne label entfernt ein bestehendes Label (Vollersatz-Semantik)", async () => {
+    await defineField("property", "weight", "number");
+    await updateField("weight", {
+      serializedField: { type: "number" },
+      label: { de: "Gewicht", en: "Weight" },
+    });
+
+    await updateField("weight", { serializedField: { type: "number" } });
+
+    const row = await fetchDefinitionRow(admin.tenantId, "weight");
+    const sf = JSON.parse(String(row?.["serialized_field"])) as Record<string, unknown>;
+    expect(sf["label"]).toBeUndefined();
+  });
+
   test("zwei sequentielle Updates ohne version_conflict (skipOptimisticLock)", async () => {
     await defineField("property", "stage", "text");
     await updateField("stage", { displayOrder: 1 });

package/src/custom-fields/__tests__/user-data-rights.integration.test.ts

@@ -63,7 +63,7 @@ import { wireCustomFieldsUserDataRightsFor } from "../wire-user-data-rights";
 
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 const NOW = (): Instant => getTemporal().Now.instant();
-const PAST = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+const PAST = (): Instant => getTemporal().Now.instant().subtract({ minutes: 1 });
 
 const propertyEntity = createEntity({
   table: "read_t15c_properties",

package/src/custom-fields/db/queries/retention.ts

@@ -1,18 +1,6 @@
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 
-// guard:dup-ok — andere SQL als selectFieldDefinitionsForEntity; gleiche Bezeichner, verschiedene Queries
-export async function selectFieldDefinitionsWithSerialized(
-  db: DbRunner,
-  entityName: string,
-  tenantId: string,
-): Promise<readonly { field_key: string; serialized_field: unknown }[]> {
-  return asRawClient(db).unsafe(
-    "SELECT field_key, serialized_field FROM read_custom_field_definitions WHERE entity_name = $1 AND tenant_id = $2",
-    [entityName, tenantId],
-  ) as Promise<readonly { field_key: string; serialized_field: unknown }[]>;
-}
-
 export async function selectHostRowsWithCustomFields(
   db: DbRunner,
   tableName: string,

package/src/custom-fields/handlers/update-tenant-field.write.ts

@@ -18,6 +18,14 @@ import { type UpdateFieldPayload, updateFieldPayloadSchema } from "../schemas";
 // delete+redefine im update — das würde Event-Historie + Field-Ids
 // zerstören, aber ein Type-Wechsel will genau diese Zäsur).
 //
+// **Bekannte MVP-Grenze (bewusst):** der Edit reconciled bestehende
+// Host-Werte NICHT gegen die neue Definition — Constraint-Narrowing
+// (enum-Wert weg, min/max enger) lässt alte Werte still non-conformant,
+// required false→true macht Bestands-Rows unvollständig, searchable-Toggle
+// re-indexed nicht. Werte werden beim NÄCHSTEN Write der Host-Row gegen
+// die aktuelle Def validiert; eine Reject-mit-Konflikt-Liste-Variante
+// wäre der Ausbau, wenn der Bedarf real wird.
+//
 // **skipOptimisticLock:** Definition-Edits sind admin-only + low-frequency
 // (gleiche Abwägung wie der Quota-soft-cap in define). Last-write-wins
 // statt version-Roundtrip durch den Edit-Screen.

package/src/custom-fields/index.ts

@@ -23,6 +23,10 @@ export {
   type SetCustomFieldPayload,
   setCustomFieldPayloadSchema,
 } from "./handlers/set-custom-field.write";
+export {
+  isFieldDefinitionRow,
+  parseSerializedField,
+} from "./lib/parse-serialized-field";
 export {
   type DefineFieldPayload,
   type DeleteFieldPayload,

package/src/custom-fields/run-retention.ts

@@ -18,11 +18,8 @@
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import { extractTableName } from "@cosmicdrift/kumiko-framework/db";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
-import {
-  applyRetentionRemovals,
-  selectFieldDefinitionsWithSerialized,
-  selectHostRowsWithCustomFields,
-} from "./db/queries/retention";
+import { applyRetentionRemovals, selectHostRowsWithCustomFields } from "./db/queries/retention";
+import { selectFieldDefinitionsForEntity } from "./db/queries/user-data-rights";
 import { isFieldDefinitionRow, parseSerializedField } from "./lib/parse-serialized-field";
 
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
@@ -156,7 +153,7 @@ async function loadRetentionPolicies(
   tenantId: string,
   entityName: string,
 ): Promise<Map<string, RetentionPolicy>> {
-  const rows = await selectFieldDefinitionsWithSerialized(db, entityName, tenantId);
+  const rows = await selectFieldDefinitionsForEntity(db, entityName, tenantId);
   const out = new Map<string, RetentionPolicy>();
   for (const raw of rows) {
     // skip: see asHostRow rationale.

package/src/custom-fields/web/i18n.ts

@@ -3,8 +3,10 @@
 // hangs it into the LocaleProvider as a fallback bundle — apps override
 // individual keys via `customFieldsClient({ translations: { de: { ... } } })`.
 //
-// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.*` mirror
-// the i18nKeys the server-side handlers emit (e.g. `custom-fields:save-failed`).
+// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.saveFailed`
+// is a LOCAL fallback only — server handlers emit generic error i18nKeys
+// (errors.unprocessable / errors.notFound via fail* defaults), never a
+// custom-fields-specific key; the form prefers the server key when present.
 
 import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
 
@@ -15,7 +17,6 @@ export const defaultTranslations: TranslationsByLocale = {
     "custom-fields.form.empty": 'Keine Custom-Felder für "{entityName}" definiert.',
     "custom-fields.form.save": "Custom-Felder speichern",
     "custom-fields.form.saving": "Speichert…",
-    "custom-fields.errors.loadFailed": "Custom-Felder konnten nicht geladen werden.",
     "custom-fields.errors.saveFailed": "Speichern fehlgeschlagen.",
   },
   en: {
@@ -24,7 +25,6 @@ export const defaultTranslations: TranslationsByLocale = {
     "custom-fields.form.empty": 'No custom fields defined for "{entityName}".',
     "custom-fields.form.save": "Save custom fields",
     "custom-fields.form.saving": "Saving…",
-    "custom-fields.errors.loadFailed": "Could not load custom fields.",
     "custom-fields.errors.saveFailed": "Save failed.",
   },
 };

package/src/custom-fields/wire-user-data-rights.ts

@@ -2,7 +2,11 @@
 
 import { extractTableName } from "@cosmicdrift/kumiko-framework/db";
 import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
-import { EXT_USER_DATA, type FeatureRegistrar } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  EXT_USER_DATA,
+  EXT_USER_DATA_ORDER,
+  type FeatureRegistrar,
+} from "@cosmicdrift/kumiko-framework/engine";
 import {
   selectCustomFieldsHostRows,
   selectFieldDefinitionsForEntity,
@@ -38,7 +42,7 @@ function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
 // jsonb PII silently retained (DSGVO Art. 17 violation). A negative order makes
 // runForgetCleanup run this strip before any default-order (0) owner-nulling
 // hook, independent of feature registration order.
-const ORDER_REDACT_BEFORE_OWNER_MUTATION = -100;
+const ORDER_REDACT_BEFORE_OWNER_MUTATION = EXT_USER_DATA_ORDER.REDACT_BEFORE_OWNER;
 
 export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<string>>(
   r: TReg,

package/src/mail-foundation/feature.ts

@@ -91,6 +91,10 @@ export const mailFoundationFeature = defineFeature(FEATURE_NAME, (r) => {
       // ("mailTransport").map(u => u.entityName)` as the option-list.
       provider: createTenantConfig("text", {
         default: "",
+        // required: ohne gewählten Provider wirft createTransportForTenant —
+        // readiness meldete vorher ready:true und der erste Mail-Send
+        // lieferte den UnconfiguredError (280/1).
+        required: true,
         write: access.roles("TenantAdmin", "SystemAdmin"),
         read: access.roles("TenantAdmin", "SystemAdmin", "User"),
       }),

package/src/readiness/__tests__/readiness.integration.test.ts

@@ -51,6 +51,15 @@ const probeFeature = defineFeature("readiness-probe", (r) => {
         default: 30,
         write: access.roles("TenantAdmin", "SystemAdmin"),
       }),
+      // Operator-Key: required, aber read/write über dem TenantAdmin —
+      // der Verdict muss ihn TROTZDEM zählen (277/1: der Per-Key-read-
+      // Filter droppte ihn still und log ready:true).
+      operatorEndpoint: createTenantConfig("text", {
+        required: true,
+        default: "",
+        write: access.roles("SystemAdmin"),
+        read: access.roles("SystemAdmin"),
+      }),
     },
   });
 
@@ -169,6 +178,16 @@ function adminFor(tenantNumber: number) {
   });
 }
 
+// Der 277/1-Probe-Key ist SystemAdmin-gated — Tests, die ready:true
+// erwarten, setzen ihn über diesen Helper (gleicher Tenant, Operator-Rolle).
+async function setOperatorEndpoint(admin: ReturnType<typeof adminFor>): Promise<void> {
+  await stack.http.writeOk(
+    "config:write:set",
+    { key: "readiness-probe:config:operator-endpoint", value: "https://op.example.test" },
+    { ...admin, roles: ["SystemAdmin"] },
+  );
+}
+
 async function statusFor(admin: ReturnType<typeof adminFor>): Promise<StatusResult> {
   return stack.http.queryOk<StatusResult>(ReadinessQueries.status, {}, admin);
 }
@@ -206,6 +225,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-xyz" },
       admin,
     );
+    await setOperatorEndpoint(admin);
 
     const status = await statusFor(admin);
     expect(status.missingConfig.map((k) => k.key)).not.toContain(REQUIRED_CONFIG_KEY);
@@ -213,6 +233,19 @@ describe("readiness:query:status", () => {
     expect(status.ready).toBe(true);
   });
 
+  test("SystemAdmin-gated required Key zählt im Verdict des TenantAdmin (277/1)", async () => {
+    const admin = adminFor(605);
+
+    const status = await statusFor(admin);
+
+    // Der Caller darf den Key nicht LESEN — fürs Verdict muss er trotzdem
+    // als missing erscheinen, sonst lügt ready:true.
+    expect(status.missingConfig.map((k) => k.key)).toContain(
+      "readiness-probe:config:operator-endpoint",
+    );
+    expect(status.ready).toBe(false);
+  });
+
   test("tenant isolation: tenant A's values don't make tenant B ready", async () => {
     const adminA = adminFor(603);
     const adminB = adminFor(604);
@@ -227,6 +260,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-a" },
       adminA,
     );
+    await setOperatorEndpoint(adminA);
 
     expect((await statusFor(adminA)).ready).toBe(true);
     const statusB = await statusFor(adminB);
@@ -288,6 +322,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-609" },
       admin,
     );
+    await setOperatorEndpoint(admin);
 
     const status = await statusFor(admin);
     expect(status.missingConfig).toEqual([]);

package/src/readiness/handlers/status.query.ts

@@ -20,11 +20,15 @@ export const statusQuery = defineQueryHandler({
     // One gate for both halves: required keys/secrets of provider-features
     // count only while their provider is the selected one (r.extensionSelector).
     const gate = await buildProviderSelectionGate(ctx, ReadinessQueries.status, query.user);
+    // skipAccessFilter: das Verdict muss ALLE required Keys zählen — der
+    // Handler selbst ist TenantAdmin-gated, der Per-Key-Filter wäre hier
+    // eine ready:true-Lüge für SystemAdmin-gated Keys (277/1).
     const missingConfig = await collectMissingRequiredConfig(
       ctx,
       ReadinessQueries.status,
       query.user,
       gate,
+      { skipAccessFilter: true },
     );
 
     // has() is metadata-only: no decryption, no read-audit event — a

package/src/template-resolver/__tests__/handlers.integration.test.ts

@@ -358,6 +358,65 @@ describe("template-resolver :: list query", () => {
     expect(slugs).not.toContain("list-system-2");
   });
 
+  // Regressions-Pin 230/2 — SystemAdmin-Zweige der list-Query. Empirisch
+  // (und gewollt): auch SystemAdmin sieht über die TenantDb nur den
+  // [own, SYSTEM]-Scope — es gibt KEINE Cross-Tenant-Sicht auf fremde
+  // Tenant-Templates. TestUsers.systemAdmin lebt in testTenantId(1),
+  // NICHT im System-Tenant.
+  test("SystemAdmin + includeSystem=false → nur eigener Tenant, weder System- noch Fremd-Templates", async () => {
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertSystem,
+      { ...basePayload, slug: "sysown-system", locale: "pl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "sysown-own", locale: "pl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "sysown-tenant-a", locale: "pl", kind: "mail-html" },
+      tenantA_Admin,
+    );
+    const result = (await stack.http.queryOk(
+      TemplateResolverQueries.list,
+      { kind: "mail-html", locale: "pl", includeSystem: false },
+      systemAdmin,
+    )) as Array<{ slug: string }>;
+    const slugs = result.map((r) => r.slug);
+    expect(slugs).toContain("sysown-own");
+    expect(slugs).not.toContain("sysown-system");
+    expect(slugs).not.toContain("sysown-tenant-a");
+  });
+
+  test("SystemAdmin + includeSystem=true → eigene + System-Templates, Fremd-Tenant bleibt unsichtbar", async () => {
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertSystem,
+      { ...basePayload, slug: "syscross-system", locale: "nl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "syscross-own", locale: "nl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "syscross-tenant-b", locale: "nl", kind: "mail-html" },
+      tenantB_Admin,
+    );
+    const result = (await stack.http.queryOk(
+      TemplateResolverQueries.list,
+      { kind: "mail-html", locale: "nl", includeSystem: true },
+      systemAdmin,
+    )) as Array<{ slug: string }>;
+    const slugs = result.map((r) => r.slug);
+    expect(slugs).toContain("syscross-system");
+    expect(slugs).toContain("syscross-own");
+    expect(slugs).not.toContain("syscross-tenant-b");
+  });
+
   test("tenant-isolation: TenantA's templates nicht für TenantB", async () => {
     await stack.http.writeOk(
       TemplateResolverHandlers.upsertTenant,

package/src/user-data-rights/run-forget-cleanup.ts

@@ -36,6 +36,7 @@ import { fetchOne, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import {
   EXT_USER_DATA,
+  EXT_USER_DATA_ORDER,
   type Registry,
   type TenantId,
   type UserDataDeleteHook,
@@ -112,7 +113,7 @@ interface HookEntry {
 // EXT_USER_DATA delete-hooks default here; a hook that redacts data keyed on an
 // owner column it doesn't own must register a lower order so it runs BEFORE any
 // hook that nulls that column. See custom-fields wire-user-data-rights.ts.
-const HOOK_ORDER_DEFAULT = 0;
+const HOOK_ORDER_DEFAULT = EXT_USER_DATA_ORDER.DEFAULT;
 
 export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
@@ -326,7 +327,13 @@ async function runInSubTransaction(
     begin?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
     savepoint?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
   };
-  const open = runner.begin ?? runner.savepoint;
+  // savepoint-FIRST — empirisch (Bun 1.3.14) sind die Flächen NICHT
+  // mutually exclusive: eine TransactionSql exposed begin UND savepoint,
+  // nur die Top-Level-Connection hat ausschließlich begin. begin-first
+  // wählte im Tx-Fall das nested BEGIN (Prod-Incident-Klasse, s. Header);
+  // savepoint-first trifft im Tx-Fall den Savepoint und fällt top-level
+  // sauber auf begin zurück.
+  const open = runner.savepoint ?? runner.begin;
   if (!open) {
     throw new Error(
       "runForgetCleanup: db exposes neither .begin nor .savepoint — cannot open a per-user sub-transaction",