npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.39.0 → 0.40.1 - Mend

@cosmicdrift/kumiko-bundled-features 0.39.0 → 0.40.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.39.0",
+  "version": "0.40.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -78,6 +78,7 @@
   "dependencies": {
     "@cosmicdrift/kumiko-dispatcher-live": "0.38.0",
     "@cosmicdrift/kumiko-framework": "0.38.0",
+    "@cosmicdrift/kumiko-headless": "0.38.0",
     "@cosmicdrift/kumiko-renderer": "0.38.0",
     "@cosmicdrift/kumiko-renderer-web": "0.38.0",
     "@mollie/api-client": "^4.5.0",

package/src/auth-email-password/__tests__/identity-v3-login.integration.test.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import { pbkdf2Sync, randomBytes } from "node:crypto";
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   setupTestStack,
   type TestStack,
@@ -20,7 +21,7 @@ import {
 import { createConfigFeature } from "../../config";
 import { createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
-import { createTenantFeature } from "../../tenant";
+import { createTenantFeature, TenantHandlers } from "../../tenant";
 import { tenantMembershipsTable } from "../../tenant/membership-table";
 import { tenantEntity } from "../../tenant/schema/tenant";
 import { seedTenantMembership } from "../../tenant/testing";
@@ -73,6 +74,7 @@ beforeAll(async () => {
   await unsafeCreateEntityTable(stack.db, userEntity);
   await unsafeCreateEntityTable(stack.db, tenantEntity);
   await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+  await createEventsTable(stack.db);
 });
 afterAll(async () => {
@@ -149,3 +151,57 @@ describe("Identity-V3 password-hash compatibility", () => {
     expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
   });
 });
+// 273/2: Changeset-Zusage "disabled Tenants verschwinden aus der
+// Login-Tenant-Wahl" — der Auto-Select (chosen = preferred ?? memberships[0])
+// darf nie auf einem disabled Tenant landen. Der disabled Tenant ist hier
+// bewusst die ERSTE Membership, also genau der memberships[0]-Kandidat.
+describe("login auto-select skips disabled tenants", () => {
+  test("first membership disabled → login lands on the active tenant", async () => {
+    const password = "Active!Tenant-2026";
+    const salt = randomBytes(16);
+    const v3Hash = buildBmcStyleV3Hash(password, salt);
+    const disabledTenantId = "00000000-0000-4000-8000-000000000301" as TenantId;
+    const activeTenantId = "00000000-0000-4000-8000-000000000302" as TenantId;
+    await stack.http.writeOk(
+      TenantHandlers.create,
+      { id: disabledTenantId, key: "ghost", name: "Ghost Corp" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TenantHandlers.create,
+      { id: activeTenantId, key: "alive", name: "Alive Corp" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(TenantHandlers.disable, { id: disabledTenantId }, systemAdmin);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      {
+        email: "carol@autoselect.example",
+        passwordHash: v3Hash,
+        displayName: "Carol Two-Tenants",
+      },
+      systemAdmin,
+    );
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: disabledTenantId,
+      roles: ["User"],
+    });
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: activeTenantId,
+      roles: ["User"],
+    });
+    const res = await stack.http.raw("POST", "/api/auth/login", {
+      email: "carol@autoselect.example",
+      password,
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.user).toMatchObject({ id: created.id, tenantId: activeTenantId });
+  });
+});

package/src/config/__tests__/config.integration.test.ts CHANGED Viewed

@@ -727,8 +727,21 @@ describe("config.schema query handler", () => {
 describe("config.readiness query handler", () => {
   type Missing = { missing: Array<{ key: string; scope: string; type: string }> };
+  // Pro Test ein frischer Tenant — die Tests mutieren required-Keys und
+  // dürfen sich nicht über Reihenfolge-Kopplung gegenseitig sehen (272/3).
+  function readinessAdminFor(n: number) {
+    return createTestUser({
+      id: 700 + n,
+      tenantId: `00000000-0000-4000-8000-0000000007${String(n).padStart(2, "0")}`,
+    });
+  }
   test("lists required keys without a usable value — and only those", async () => {
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(
+      ConfigQueries.readiness,
+      {},
+      readinessAdminFor(1),
+    );
     const keys = missing.map((m) => m.key);
     expect(keys).toContain("transport:config:smtp-host");
@@ -740,29 +753,31 @@ describe("config.readiness query handler", () => {
   });
   test("whitespace-only text value still counts as missing (requireNonEmpty-Parität)", async () => {
+    const admin = readinessAdminFor(2);
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:api-url", value: "   " },
-      tenantAdmin,
+      admin,
     );
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, admin);
     expect(missing.map((m) => m.key)).toContain("transport:config:api-url");
   });
   test("a real value clears the key from the missing list", async () => {
+    const admin = readinessAdminFor(3);
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:api-url", value: "https://api.example.com" },
-      tenantAdmin,
+      admin,
     );
     await stack.http.writeOk(
       ConfigHandlers.set,
       { key: "transport:config:timeout", value: 30 },
-      tenantAdmin,
+      admin,
     );
-    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, tenantAdmin);
+    const { missing } = await stack.http.queryOk<Missing>(ConfigQueries.readiness, {}, admin);
     const keys = missing.map((m) => m.key);
     expect(keys).not.toContain("transport:config:api-url");
     expect(keys).not.toContain("transport:config:timeout");

package/src/config/handlers/readiness.query.ts CHANGED Viewed

@@ -66,15 +66,41 @@ export async function collectMissingRequiredConfig(
   callerQn: string,
   user: SessionUser,
   gate?: RequiredKeyGate,
+  options?: {
+    /** Verdict-Pfade (Rollup, selbst role-gated) MÜSSEN ungefiltert zählen:
+     *  der Per-Key-read-Filter ist Info-Disclosure-Schutz für den
+     *  openToAll-Handler — im Verdict droppte er SystemAdmin-gated
+     *  required-Keys still und meldete ready:true trotz Lücke. */
+    readonly skipAccessFilter?: boolean;
+  },
 ): Promise<ReadinessMissingKey[]> {
   const resolver = requireConfigResolver(ctx, callerQn);
   const effectiveGate = gate ?? (await buildProviderSelectionGate(ctx, callerQn, user));
-  const missing: ReadinessMissingKey[] = [];
+  // Kandidaten erst sammeln, dann EIN Batch-Resolve — die sequentielle
+  // resolver.get-Schleife war ein N+1 über alle required Keys (272/1).
+  type KeyDef =
+    ReturnType<typeof ctx.registry.getAllConfigKeys> extends ReadonlyMap<string, infer D>
+      ? D
+      : never;
+  const candidates = new Map<string, KeyDef>();
   for (const [qualifiedKey, keyDef] of ctx.registry.getAllConfigKeys()) {
     if (keyDef.required !== true) continue;
     if (!effectiveGate(qualifiedKey)) continue;
-    if (!hasConfigAccess(keyDef.access.read, user.roles)) continue;
-    const value = await resolver.get(qualifiedKey, keyDef, user.tenantId, user.id, ctx.db);
+    if (options?.skipAccessFilter !== true && !hasConfigAccess(keyDef.access.read, user.roles)) {
+      continue;
+    }
+    candidates.set(qualifiedKey, keyDef);
+  }
+  const missing: ReadinessMissingKey[] = [];
+  const cascades = await resolver.getCascadeBatch(
+    [...candidates.keys()],
+    candidates,
+    user.tenantId,
+    user.id,
+    ctx.db,
+  );
+  for (const [qualifiedKey, keyDef] of candidates) {
+    const value = cascades.get(qualifiedKey)?.value;
     if (isUnset(value, keyDef.type)) {
       missing.push({ key: qualifiedKey, scope: keyDef.scope, type: keyDef.type });
     }

package/src/custom-fields/__tests__/custom-fields.integration.test.ts CHANGED Viewed

@@ -614,6 +614,20 @@ describe("custom-fields integration — update-tenant-field (Bug-Bash D2)", () =
     expect(sf["label"]).toEqual({ de: "Priorität", en: "Priority" });
   });
+  test("update ohne label entfernt ein bestehendes Label (Vollersatz-Semantik)", async () => {
+    await defineField("property", "weight", "number");
+    await updateField("weight", {
+      serializedField: { type: "number" },
+      label: { de: "Gewicht", en: "Weight" },
+    });
+    await updateField("weight", { serializedField: { type: "number" } });
+    const row = await fetchDefinitionRow(admin.tenantId, "weight");
+    const sf = JSON.parse(String(row?.["serialized_field"])) as Record<string, unknown>;
+    expect(sf["label"]).toBeUndefined();
+  });
   test("zwei sequentielle Updates ohne version_conflict (skipOptimisticLock)", async () => {
     await defineField("property", "stage", "text");
     await updateField("stage", { displayOrder: 1 });

package/src/custom-fields/__tests__/user-data-rights.integration.test.ts CHANGED Viewed

@@ -63,7 +63,7 @@ import { wireCustomFieldsUserDataRightsFor } from "../wire-user-data-rights";
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 const NOW = (): Instant => getTemporal().Now.instant();
-const PAST = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+const PAST = (): Instant => getTemporal().Now.instant().subtract({ minutes: 1 });
 const propertyEntity = createEntity({
   table: "read_t15c_properties",

package/src/custom-fields/db/queries/retention.ts CHANGED Viewed

@@ -1,18 +1,6 @@
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
-// guard:dup-ok — andere SQL als selectFieldDefinitionsForEntity; gleiche Bezeichner, verschiedene Queries
-export async function selectFieldDefinitionsWithSerialized(
-  db: DbRunner,
-  entityName: string,
-  tenantId: string,
-): Promise<readonly { field_key: string; serialized_field: unknown }[]> {
-  return asRawClient(db).unsafe(
-    "SELECT field_key, serialized_field FROM read_custom_field_definitions WHERE entity_name = $1 AND tenant_id = $2",
-    [entityName, tenantId],
-  ) as Promise<readonly { field_key: string; serialized_field: unknown }[]>;
-}
 export async function selectHostRowsWithCustomFields(
   db: DbRunner,
   tableName: string,

package/src/custom-fields/handlers/update-tenant-field.write.ts CHANGED Viewed

@@ -18,6 +18,14 @@ import { type UpdateFieldPayload, updateFieldPayloadSchema } from "../schemas";
 // delete+redefine im update — das würde Event-Historie + Field-Ids
 // zerstören, aber ein Type-Wechsel will genau diese Zäsur).
 //
+// **Bekannte MVP-Grenze (bewusst):** der Edit reconciled bestehende
+// Host-Werte NICHT gegen die neue Definition — Constraint-Narrowing
+// (enum-Wert weg, min/max enger) lässt alte Werte still non-conformant,
+// required false→true macht Bestands-Rows unvollständig, searchable-Toggle
+// re-indexed nicht. Werte werden beim NÄCHSTEN Write der Host-Row gegen
+// die aktuelle Def validiert; eine Reject-mit-Konflikt-Liste-Variante
+// wäre der Ausbau, wenn der Bedarf real wird.
+//
 // **skipOptimisticLock:** Definition-Edits sind admin-only + low-frequency
 // (gleiche Abwägung wie der Quota-soft-cap in define). Last-write-wins
 // statt version-Roundtrip durch den Edit-Screen.

package/src/custom-fields/index.ts CHANGED Viewed

@@ -23,6 +23,10 @@ export {
   type SetCustomFieldPayload,
   setCustomFieldPayloadSchema,
 } from "./handlers/set-custom-field.write";
+export {
+  isFieldDefinitionRow,
+  parseSerializedField,
+} from "./lib/parse-serialized-field";
 export {
   type DefineFieldPayload,
   type DeleteFieldPayload,

package/src/custom-fields/run-retention.ts CHANGED Viewed

@@ -18,11 +18,8 @@
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import { extractTableName } from "@cosmicdrift/kumiko-framework/db";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
-import {
-  applyRetentionRemovals,
-  selectFieldDefinitionsWithSerialized,
-  selectHostRowsWithCustomFields,
-} from "./db/queries/retention";
+import { applyRetentionRemovals, selectHostRowsWithCustomFields } from "./db/queries/retention";
+import { selectFieldDefinitionsForEntity } from "./db/queries/user-data-rights";
 import { isFieldDefinitionRow, parseSerializedField } from "./lib/parse-serialized-field";
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
@@ -156,7 +153,7 @@ async function loadRetentionPolicies(
   tenantId: string,
   entityName: string,
 ): Promise<Map<string, RetentionPolicy>> {
-  const rows = await selectFieldDefinitionsWithSerialized(db, entityName, tenantId);
+  const rows = await selectFieldDefinitionsForEntity(db, entityName, tenantId);
   const out = new Map<string, RetentionPolicy>();
   for (const raw of rows) {
     // skip: see asHostRow rationale.

package/src/custom-fields/web/i18n.ts CHANGED Viewed

@@ -3,8 +3,10 @@
 // hangs it into the LocaleProvider as a fallback bundle — apps override
 // individual keys via `customFieldsClient({ translations: { de: { ... } } })`.
 //
-// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.*` mirror
-// the i18nKeys the server-side handlers emit (e.g. `custom-fields:save-failed`).
+// Keys follow `custom-fields.<area>.<slug>`. `custom-fields.errors.saveFailed`
+// is a LOCAL fallback only — server handlers emit generic error i18nKeys
+// (errors.unprocessable / errors.notFound via fail* defaults), never a
+// custom-fields-specific key; the form prefers the server key when present.
 import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
@@ -15,7 +17,6 @@ export const defaultTranslations: TranslationsByLocale = {
     "custom-fields.form.empty": 'Keine Custom-Felder für "{entityName}" definiert.',
     "custom-fields.form.save": "Custom-Felder speichern",
     "custom-fields.form.saving": "Speichert…",
-    "custom-fields.errors.loadFailed": "Custom-Felder konnten nicht geladen werden.",
     "custom-fields.errors.saveFailed": "Speichern fehlgeschlagen.",
   },
   en: {
@@ -24,7 +25,6 @@ export const defaultTranslations: TranslationsByLocale = {
     "custom-fields.form.empty": 'No custom fields defined for "{entityName}".',
     "custom-fields.form.save": "Save custom fields",
     "custom-fields.form.saving": "Saving…",
-    "custom-fields.errors.loadFailed": "Could not load custom fields.",
     "custom-fields.errors.saveFailed": "Save failed.",
   },
 };

package/src/custom-fields/wire-user-data-rights.ts CHANGED Viewed

@@ -2,7 +2,11 @@
 import { extractTableName } from "@cosmicdrift/kumiko-framework/db";
 import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
-import { EXT_USER_DATA, type FeatureRegistrar } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  EXT_USER_DATA,
+  EXT_USER_DATA_ORDER,
+  type FeatureRegistrar,
+} from "@cosmicdrift/kumiko-framework/engine";
 import {
   selectCustomFieldsHostRows,
   selectFieldDefinitionsForEntity,
@@ -38,7 +42,7 @@ function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
 // jsonb PII silently retained (DSGVO Art. 17 violation). A negative order makes
 // runForgetCleanup run this strip before any default-order (0) owner-nulling
 // hook, independent of feature registration order.
-const ORDER_REDACT_BEFORE_OWNER_MUTATION = -100;
+const ORDER_REDACT_BEFORE_OWNER_MUTATION = EXT_USER_DATA_ORDER.REDACT_BEFORE_OWNER;
 export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<string>>(
   r: TReg,

package/src/mail-foundation/feature.ts CHANGED Viewed

@@ -91,6 +91,10 @@ export const mailFoundationFeature = defineFeature(FEATURE_NAME, (r) => {
       // ("mailTransport").map(u => u.entityName)` as the option-list.
       provider: createTenantConfig("text", {
         default: "",
+        // required: ohne gewählten Provider wirft createTransportForTenant —
+        // readiness meldete vorher ready:true und der erste Mail-Send
+        // lieferte den UnconfiguredError (280/1).
+        required: true,
         write: access.roles("TenantAdmin", "SystemAdmin"),
         read: access.roles("TenantAdmin", "SystemAdmin", "User"),
       }),

package/src/readiness/__tests__/readiness.integration.test.ts CHANGED Viewed

@@ -51,6 +51,15 @@ const probeFeature = defineFeature("readiness-probe", (r) => {
         default: 30,
         write: access.roles("TenantAdmin", "SystemAdmin"),
       }),
+      // Operator-Key: required, aber read/write über dem TenantAdmin —
+      // der Verdict muss ihn TROTZDEM zählen (277/1: der Per-Key-read-
+      // Filter droppte ihn still und log ready:true).
+      operatorEndpoint: createTenantConfig("text", {
+        required: true,
+        default: "",
+        write: access.roles("SystemAdmin"),
+        read: access.roles("SystemAdmin"),
+      }),
     },
   });
@@ -169,6 +178,16 @@ function adminFor(tenantNumber: number) {
   });
 }
+// Der 277/1-Probe-Key ist SystemAdmin-gated — Tests, die ready:true
+// erwarten, setzen ihn über diesen Helper (gleicher Tenant, Operator-Rolle).
+async function setOperatorEndpoint(admin: ReturnType<typeof adminFor>): Promise<void> {
+  await stack.http.writeOk(
+    "config:write:set",
+    { key: "readiness-probe:config:operator-endpoint", value: "https://op.example.test" },
+    { ...admin, roles: ["SystemAdmin"] },
+  );
+}
 async function statusFor(admin: ReturnType<typeof adminFor>): Promise<StatusResult> {
   return stack.http.queryOk<StatusResult>(ReadinessQueries.status, {}, admin);
 }
@@ -206,6 +225,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-xyz" },
       admin,
     );
+    await setOperatorEndpoint(admin);
     const status = await statusFor(admin);
     expect(status.missingConfig.map((k) => k.key)).not.toContain(REQUIRED_CONFIG_KEY);
@@ -213,6 +233,19 @@ describe("readiness:query:status", () => {
     expect(status.ready).toBe(true);
   });
+  test("SystemAdmin-gated required Key zählt im Verdict des TenantAdmin (277/1)", async () => {
+    const admin = adminFor(605);
+    const status = await statusFor(admin);
+    // Der Caller darf den Key nicht LESEN — fürs Verdict muss er trotzdem
+    // als missing erscheinen, sonst lügt ready:true.
+    expect(status.missingConfig.map((k) => k.key)).toContain(
+      "readiness-probe:config:operator-endpoint",
+    );
+    expect(status.ready).toBe(false);
+  });
   test("tenant isolation: tenant A's values don't make tenant B ready", async () => {
     const adminA = adminFor(603);
     const adminB = adminFor(604);
@@ -227,6 +260,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-a" },
       adminA,
     );
+    await setOperatorEndpoint(adminA);
     expect((await statusFor(adminA)).ready).toBe(true);
     const statusB = await statusFor(adminB);
@@ -288,6 +322,7 @@ describe("readiness:query:status", () => {
       { key: REQUIRED_SECRET_KEY, value: "token-609" },
       admin,
     );
+    await setOperatorEndpoint(admin);
     const status = await statusFor(admin);
     expect(status.missingConfig).toEqual([]);

package/src/readiness/handlers/status.query.ts CHANGED Viewed

@@ -20,11 +20,15 @@ export const statusQuery = defineQueryHandler({
     // One gate for both halves: required keys/secrets of provider-features
     // count only while their provider is the selected one (r.extensionSelector).
     const gate = await buildProviderSelectionGate(ctx, ReadinessQueries.status, query.user);
+    // skipAccessFilter: das Verdict muss ALLE required Keys zählen — der
+    // Handler selbst ist TenantAdmin-gated, der Per-Key-Filter wäre hier
+    // eine ready:true-Lüge für SystemAdmin-gated Keys (277/1).
     const missingConfig = await collectMissingRequiredConfig(
       ctx,
       ReadinessQueries.status,
       query.user,
       gate,
+      { skipAccessFilter: true },
     );
     // has() is metadata-only: no decryption, no read-audit event — a

package/src/template-resolver/__tests__/handlers.integration.test.ts CHANGED Viewed

@@ -358,6 +358,65 @@ describe("template-resolver :: list query", () => {
     expect(slugs).not.toContain("list-system-2");
   });
+  // Regressions-Pin 230/2 — SystemAdmin-Zweige der list-Query. Empirisch
+  // (und gewollt): auch SystemAdmin sieht über die TenantDb nur den
+  // [own, SYSTEM]-Scope — es gibt KEINE Cross-Tenant-Sicht auf fremde
+  // Tenant-Templates. TestUsers.systemAdmin lebt in testTenantId(1),
+  // NICHT im System-Tenant.
+  test("SystemAdmin + includeSystem=false → nur eigener Tenant, weder System- noch Fremd-Templates", async () => {
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertSystem,
+      { ...basePayload, slug: "sysown-system", locale: "pl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "sysown-own", locale: "pl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "sysown-tenant-a", locale: "pl", kind: "mail-html" },
+      tenantA_Admin,
+    );
+    const result = (await stack.http.queryOk(
+      TemplateResolverQueries.list,
+      { kind: "mail-html", locale: "pl", includeSystem: false },
+      systemAdmin,
+    )) as Array<{ slug: string }>;
+    const slugs = result.map((r) => r.slug);
+    expect(slugs).toContain("sysown-own");
+    expect(slugs).not.toContain("sysown-system");
+    expect(slugs).not.toContain("sysown-tenant-a");
+  });
+  test("SystemAdmin + includeSystem=true → eigene + System-Templates, Fremd-Tenant bleibt unsichtbar", async () => {
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertSystem,
+      { ...basePayload, slug: "syscross-system", locale: "nl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "syscross-own", locale: "nl", kind: "mail-html" },
+      systemAdmin,
+    );
+    await stack.http.writeOk(
+      TemplateResolverHandlers.upsertTenant,
+      { ...basePayload, slug: "syscross-tenant-b", locale: "nl", kind: "mail-html" },
+      tenantB_Admin,
+    );
+    const result = (await stack.http.queryOk(
+      TemplateResolverQueries.list,
+      { kind: "mail-html", locale: "nl", includeSystem: true },
+      systemAdmin,
+    )) as Array<{ slug: string }>;
+    const slugs = result.map((r) => r.slug);
+    expect(slugs).toContain("syscross-system");
+    expect(slugs).toContain("syscross-own");
+    expect(slugs).not.toContain("syscross-tenant-b");
+  });
   test("tenant-isolation: TenantA's templates nicht für TenantB", async () => {
     await stack.http.writeOk(
       TemplateResolverHandlers.upsertTenant,

package/src/user-data-rights/run-forget-cleanup.ts CHANGED Viewed

@@ -36,6 +36,7 @@ import { fetchOne, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import {
   EXT_USER_DATA,
+  EXT_USER_DATA_ORDER,
   type Registry,
   type TenantId,
   type UserDataDeleteHook,
@@ -112,7 +113,7 @@ interface HookEntry {
 // EXT_USER_DATA delete-hooks default here; a hook that redacts data keyed on an
 // owner column it doesn't own must register a lower order so it runs BEFORE any
 // hook that nulls that column. See custom-fields wire-user-data-rights.ts.
-const HOOK_ORDER_DEFAULT = 0;
+const HOOK_ORDER_DEFAULT = EXT_USER_DATA_ORDER.DEFAULT;
 export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
@@ -326,7 +327,13 @@ async function runInSubTransaction(
     begin?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
     savepoint?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
   };
-  const open = runner.begin ?? runner.savepoint;
+  // savepoint-FIRST — empirisch (Bun 1.3.14) sind die Flächen NICHT
+  // mutually exclusive: eine TransactionSql exposed begin UND savepoint,
+  // nur die Top-Level-Connection hat ausschließlich begin. begin-first
+  // wählte im Tx-Fall das nested BEGIN (Prod-Incident-Klasse, s. Header);
+  // savepoint-first trifft im Tx-Fall den Savepoint und fällt top-level
+  // sauber auf begin zurück.
+  const open = runner.savepoint ?? runner.begin;
   if (!open) {
     throw new Error(
       "runForgetCleanup: db exposes neither .begin nor .savepoint — cannot open a per-user sub-transaction",