@cosmicdrift/kumiko-bundled-features 0.48.0 → 0.50.0

package/src/config/__tests__/cascade.integration.test.ts

@@ -23,7 +23,7 @@ import {
 } from "@cosmicdrift/kumiko-framework/stack";
 import { ConfigHandlers, ConfigQueries } from "../constants";
 import { createConfigAccessorFactory, createConfigFeature } from "../feature";
-import { type ConfigResolver, createConfigResolver } from "../resolver";
+import { buildEnvConfigOverrides, type ConfigResolver, createConfigResolver } from "../resolver";
 import { configValueEntity, configValuesTable } from "../table";
 
 let stack: TestStack;
@@ -47,6 +47,13 @@ const cascadeFeature = defineFeature("cascade-test", (r) => {
         read: access.all,
         write: access.all,
       }),
+      // User-scope key whose only stored row is a system-row (via seed).
+      // Exercises the user → tenant → SYSTEM_TENANT_ID cascade rung.
+      userInheritKey: createUserConfig("text", {
+        default: "DEFAULT_USER_INHERIT",
+        read: access.all,
+        write: access.all,
+      }),
       systemKey: createSystemConfig("text", {
         default: "DEFAULT_SYSTEM",
         read: access.systemAdmin,
@@ -69,10 +76,20 @@ const cascadeFeature = defineFeature("cascade-test", (r) => {
         read: access.all,
         write: access.all,
       }),
+      // End-to-end seam key: a plain scope factory carrying an `env` binding
+      // so buildEnvConfigOverrides reads it off the real registry under the
+      // qualified name define-feature assigns.
+      envKey: createSystemConfig("text", {
+        env: "CASCADE_ENV_VALUE",
+        default: "DEFAULT_ENV",
+        read: access.all,
+        write: access.all,
+      }),
     },
     seeds: {
       tenantKey: createTenantSeed({ value: "SEED_TENANT" }),
       systemKey: createSystemSeed({ value: "SEED_SYSTEM" }),
+      userInheritKey: createSystemSeed({ value: "SEED_SYSTEM_FOR_USER" }),
     },
   });
 });
@@ -81,10 +98,12 @@ const configFeature = createConfigFeature();
 
 const TENANT_KEY = "cascade-test:config:tenant-key";
 const USER_KEY = "cascade-test:config:user-key";
+const USER_INHERIT_KEY = "cascade-test:config:user-inherit-key";
 const SYSTEM_KEY = "cascade-test:config:system-key";
 const NUMBER_KEY = "cascade-test:config:number-key";
 const BOOLEAN_KEY = "cascade-test:config:boolean-key";
 const COMPUTED_KEY = "cascade-test:config:computed-key";
+const ENV_KEY = "cascade-test:config:env-key";
 
 beforeAll(async () => {
   resolver = createConfigResolver();
@@ -225,6 +244,36 @@ describe("getCascade", () => {
     expect(tenantLevel?.isActive).toBe(false);
   });
 
+  test("user-scope key falls through to system-row when no user/tenant row exists", async () => {
+    // No user-row, no tenant-row for this key — only a seeded system-row.
+    // Before the user-cascade gained a SYSTEM_TENANT_ID rung, this resolved
+    // straight to the static default, skipping the operator-set system value.
+    const keyDef = stack.registry.getConfigKey(USER_INHERIT_KEY);
+    expect(keyDef).toBeDefined();
+
+    const cascade = await resolver.getCascade(
+      USER_INHERIT_KEY,
+      keyDef!,
+      tenantAdmin.tenantId,
+      tenantAdmin.id,
+      db,
+    );
+
+    const userLevel = cascade.levels.find((l) => l.source === "user-row");
+    expect(userLevel?.hasValue).toBe(false);
+    const tenantLevel = cascade.levels.find((l) => l.source === "tenant-row");
+    expect(tenantLevel?.hasValue).toBe(false);
+
+    const systemLevel = cascade.levels.find((l) => l.source === "system-row");
+    expect(systemLevel).toBeDefined();
+    expect(systemLevel?.hasValue).toBe(true);
+    expect(systemLevel?.value).toBe("SEED_SYSTEM_FOR_USER");
+    expect(systemLevel?.isActive).toBe(true);
+
+    expect(cascade.value).toBe("SEED_SYSTEM_FOR_USER");
+    expect(cascade.source).toBe("system-row");
+  });
+
   test("system-scope key with system-row + default", async () => {
     const keyDef = stack.registry.getConfigKey(SYSTEM_KEY);
     expect(keyDef).toBeDefined();
@@ -279,6 +328,35 @@ describe("getCascadeBatch", () => {
     );
     expect(cascades.size).toBe(0);
   });
+
+  test("user-scope key resolves its system-row via the batch preload", async () => {
+    // The batch path preloads rows with selectConfigRowsForKeys (no scope
+    // gate) and matches them per (tenantId, userId) in buildCascade. This
+    // pins that a user-scope key's system-row is preloaded AND surfaced —
+    // the single-key path proves the lookup, this proves the preload feeds it.
+    const keyDef = stack.registry.getConfigKey(USER_INHERIT_KEY);
+    expect(keyDef).toBeDefined();
+    const keyDefs = new Map<string, ConfigKeyDefinition<ConfigKeyType>>([
+      [USER_INHERIT_KEY, keyDef!],
+    ]);
+
+    const cascades = await resolver.getCascadeBatch(
+      [USER_INHERIT_KEY],
+      keyDefs,
+      tenantAdmin.tenantId,
+      tenantAdmin.id,
+      db,
+    );
+
+    const cascade = cascades.get(USER_INHERIT_KEY);
+    expect(cascade).toBeDefined();
+    const systemLevel = cascade?.levels.find((l) => l.source === "system-row");
+    expect(systemLevel?.hasValue).toBe(true);
+    expect(systemLevel?.value).toBe("SEED_SYSTEM_FOR_USER");
+    expect(systemLevel?.isActive).toBe(true);
+    expect(cascade?.value).toBe("SEED_SYSTEM_FOR_USER");
+    expect(cascade?.source).toBe("system-row");
+  });
 });
 
 describe("cascade levels — non-DB sources", () => {
@@ -330,6 +408,38 @@ describe("cascade levels — non-DB sources", () => {
     expect(cascade.value).toBe(true);
     expect(cascade.source).toBe("app-override");
   });
+
+  test("end-to-end: env-declared key bridges through the real registry to the resolver", async () => {
+    // The single flow none of the per-layer tests cover: a key declared via
+    // createSystemConfig({ env }) on the REAL registry → its qualified
+    // name (define-feature-assigned) → buildEnvConfigOverrides emits exactly
+    // that key off getAllConfigKeys → resolver resolves it as app-override.
+    // A mismatch in key-qualification across registry/bridge/resolver would
+    // leave the per-layer stub/registry tests green and only break on the
+    // first real consumer. This pins the seam at a real qualified string.
+    const keyDef = stack.registry.getConfigKey(ENV_KEY);
+    expect(keyDef).toBeDefined();
+    expect(keyDef?.env).toBe("CASCADE_ENV_VALUE");
+
+    const overrides = buildEnvConfigOverrides(stack.registry, {
+      CASCADE_ENV_VALUE: "from-env",
+    });
+    expect(overrides.get(ENV_KEY)).toBe("from-env");
+
+    const envResolver = createConfigResolver({ appOverrides: overrides });
+    const result = await envResolver.getWithSource(
+      ENV_KEY,
+      keyDef!,
+      tenantAdmin.tenantId,
+      tenantAdmin.id,
+      db,
+    );
+
+    // No stored rows for this key → the env-bridged override wins over the
+    // declared default ("DEFAULT_ENV").
+    expect(result.source).toBe("app-override");
+    expect(result.value).toBe("from-env");
+  });
 });
 
 describe("reset cycle regression", () => {

package/src/config/__tests__/env-overrides.test.ts

@@ -0,0 +1,134 @@
+import { describe, expect, test } from "bun:test";
+import {
+  type ConfigKeyDefinition,
+  createSystemConfig,
+  createTenantConfig,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { buildEnvConfigOverrides } from "../resolver";
+
+// Registry stub exposing the two methods buildEnvConfigOverrides reads:
+// getAllConfigKeys (iterate declared keys) + getConfigKey (validate).
+function registryStub(keys: Record<string, ConfigKeyDefinition>) {
+  const map: ReadonlyMap<string, ConfigKeyDefinition> = new Map(Object.entries(keys));
+  return {
+    getAllConfigKeys: () => map,
+    getConfigKey: (key: string) => keys[key],
+  };
+}
+
+describe("buildEnvConfigOverrides", () => {
+  test("bridges a set env var into the override map (number, coerced)", () => {
+    const reg = registryStub({
+      "billing:config:timeout": createSystemConfig("number", {
+        env: "BILLING_TIMEOUT",
+      }),
+    });
+    const result = buildEnvConfigOverrides(reg, { BILLING_TIMEOUT: "42" });
+    expect(result.get("billing:config:timeout")).toBe(42);
+    expect(result.size).toBe(1);
+  });
+
+  test("text value passes through verbatim", () => {
+    const reg = registryStub({
+      "app:config:url": createSystemConfig("text", { env: "SERVICE_URL" }),
+    });
+    const result = buildEnvConfigOverrides(reg, { SERVICE_URL: "https://x.test" });
+    expect(result.get("app:config:url")).toBe("https://x.test");
+  });
+
+  test("boolean coercion accepts true/false/1/0 case-insensitively", () => {
+    const reg = registryStub({
+      "a:config:flag": createSystemConfig("boolean", { env: "FLAG" }),
+    });
+    expect(buildEnvConfigOverrides(reg, { FLAG: "true" }).get("a:config:flag")).toBe(true);
+    expect(buildEnvConfigOverrides(reg, { FLAG: "1" }).get("a:config:flag")).toBe(true);
+    expect(buildEnvConfigOverrides(reg, { FLAG: "TRUE" }).get("a:config:flag")).toBe(true);
+    expect(buildEnvConfigOverrides(reg, { FLAG: "false" }).get("a:config:flag")).toBe(false);
+    expect(buildEnvConfigOverrides(reg, { FLAG: "0" }).get("a:config:flag")).toBe(false);
+  });
+
+  test("boolean coercion rejects a non-boolean string (fail-fast at boot)", () => {
+    const reg = registryStub({
+      "a:config:flag": createSystemConfig("boolean", { env: "FLAG" }),
+    });
+    expect(() => buildEnvConfigOverrides(reg, { FLAG: "maybe" })).toThrow(
+      /expects a boolean.*got "maybe"/i,
+    );
+  });
+
+  test("number coercion rejects a non-numeric string", () => {
+    const reg = registryStub({
+      "a:config:n": createSystemConfig("number", { env: "N" }),
+    });
+    expect(() => buildEnvConfigOverrides(reg, { N: "abc" })).toThrow(
+      /expects a number.*got "abc"/i,
+    );
+  });
+
+  test("number coercion trims whitespace", () => {
+    const reg = registryStub({
+      "a:config:n": createSystemConfig("number", { env: "N" }),
+    });
+    expect(buildEnvConfigOverrides(reg, { N: "  5 " }).get("a:config:n")).toBe(5);
+  });
+
+  test("undefined env var → key skipped (falls through to its cascade)", () => {
+    const reg = registryStub({
+      "a:config:x": createSystemConfig("text", { env: "MISSING" }),
+    });
+    const result = buildEnvConfigOverrides(reg, {});
+    expect(result.size).toBe(0);
+  });
+
+  test("empty-string env var → skipped (must not clobber a declared default)", () => {
+    const reg = registryStub({
+      "a:config:x": createSystemConfig("text", { env: "EMPTY" }),
+    });
+    const result = buildEnvConfigOverrides(reg, { EMPTY: "" });
+    expect(result.size).toBe(0);
+  });
+
+  test("keys without an env field are ignored even if a same-named var exists", () => {
+    const reg = registryStub({
+      "a:config:no-env": createSystemConfig("text", {}),
+    });
+    // No env declared → never bridged, regardless of the environment.
+    const result = buildEnvConfigOverrides(reg, {
+      A_CONFIG_NO_ENV: "value",
+      "a:config:no-env": "v",
+    });
+    expect(result.size).toBe(0);
+  });
+
+  test("select value must be one of the declared options", () => {
+    const reg = registryStub({
+      "a:config:theme": createSystemConfig("select", {
+        env: "THEME",
+        options: ["light", "dark"],
+      }),
+    });
+    expect(buildEnvConfigOverrides(reg, { THEME: "dark" }).get("a:config:theme")).toBe("dark");
+    expect(() => buildEnvConfigOverrides(reg, { THEME: "purple" })).toThrow(/not in options/i);
+  });
+
+  test("number env value outside bounds fails (validateAppOverrides gate)", () => {
+    const reg = registryStub({
+      "a:config:n": createSystemConfig("number", {
+        env: "N",
+        bounds: { min: 1, max: 100 },
+      }),
+    });
+    expect(() => buildEnvConfigOverrides(reg, { N: "999" })).toThrow(/above bounds\.max/i);
+  });
+
+  test("bridges only the env-declaring keys out of a mixed registry", () => {
+    const reg = registryStub({
+      "a:config:bridged": createSystemConfig("number", { env: "BRIDGED" }),
+      "a:config:plain": createTenantConfig("text", {}),
+      "a:config:unset": createSystemConfig("text", { env: "UNSET" }),
+    });
+    const result = buildEnvConfigOverrides(reg, { BRIDGED: "7" });
+    expect(result.size).toBe(1);
+    expect(result.get("a:config:bridged")).toBe(7);
+  });
+});

package/src/config/__tests__/inherited-redaction.integration.test.ts

@@ -0,0 +1,180 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider, type DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  access,
+  type ConfigCascade,
+  createSystemConfig,
+  defineFeature,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { ConfigHandlers, ConfigQueries } from "../constants";
+import { createConfigAccessorFactory, createConfigFeature } from "../feature";
+import { type ConfigResolver, createConfigResolver } from "../resolver";
+import { configValuesTable } from "../table";
+
+// Proves the inheritedToTenant:false redaction end-to-end over real HTTP: a
+// tenant-side admin who is allowed to READ the key (access.admin) must never
+// receive the inherited system value through either config read handler, while
+// the SystemAdmin who owns the platform default still sees it.
+
+let stack: TestStack;
+let db: DbConnection;
+let resolver: ConfigResolver;
+
+const systemAdmin = TestUsers.systemAdmin; // roles ["SystemAdmin"]
+const tenantAdmin = createTestUser({ id: 2 }); // roles ["Admin"], same tenant
+
+const SMTP_HOST = "platform:config:smtp-host";
+const SMTP_PASS = "platform:config:smtp-pass";
+const LIST_HITS = "platform:config:list-hits";
+
+const configFeature = createConfigFeature();
+
+const platformFeature = defineFeature("platform", (r) => {
+  r.requires("config");
+  return r.config({
+    keys: {
+      // Hidden, plaintext: a tenant may read the key but not its system value.
+      smtpHost: createSystemConfig("text", {
+        inheritedToTenant: false,
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
+      // Hidden + encrypted: composition — neither value nor "is set" may leak.
+      smtpPass: createSystemConfig("text", {
+        inheritedToTenant: false,
+        encrypted: true,
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
+      // Control: default inheritance — a tenant sees the platform value.
+      listHits: createSystemConfig("number", {
+        default: 10,
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
+    },
+  });
+});
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(randomBytes(32).toString("base64"));
+  resolver = createConfigResolver({ encryption });
+
+  stack = await setupTestStack({
+    features: [configFeature, platformFeature],
+    extraContext: ({ registry }) => ({
+      configResolver: resolver,
+      configEncryption: encryption,
+      _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+    }),
+  });
+  db = stack.db;
+  await unsafePushTables(db, { configValuesTable });
+
+  // Seed the platform (system-row) values via the real write path.
+  await stack.http.writeOk(
+    ConfigHandlers.set,
+    { key: SMTP_HOST, value: "smtp.internal.example.com", scope: "system" },
+    systemAdmin,
+  );
+  await stack.http.writeOk(
+    ConfigHandlers.set,
+    { key: SMTP_PASS, value: "s3cr3t-password", scope: "system" },
+    systemAdmin,
+  );
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+type Cascades = Record<string, ConfigCascade>;
+const systemLevel = (c: Cascades, key: string) =>
+  c[key]?.levels.find((l) => l.source === "system-row");
+
+describe("inheritedToTenant redaction — config:query:cascade", () => {
+  test("SystemAdmin sees the inherited system value", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [SMTP_HOST] },
+      systemAdmin,
+    );
+    expect(systemLevel(res, SMTP_HOST)?.value).toBe("smtp.internal.example.com");
+    expect(res[SMTP_HOST]?.value).toBe("smtp.internal.example.com");
+  });
+
+  test("tenant-side admin gets the system value redacted (value AND hasValue)", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [SMTP_HOST] },
+      tenantAdmin,
+    );
+    const sys = systemLevel(res, SMTP_HOST);
+    expect(sys?.value).toBeUndefined();
+    expect(sys?.hasValue).toBe(false);
+    expect(res[SMTP_HOST]?.value).not.toBe("smtp.internal.example.com");
+  });
+
+  test("composition: encrypted + inheritedToTenant:false leaks neither value nor 'is set'", async () => {
+    const tenant = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [SMTP_PASS] },
+      tenantAdmin,
+    );
+    const tenantSys = systemLevel(tenant, SMTP_PASS);
+    expect(tenantSys?.value).toBeUndefined(); // not even the "••••••" mask
+    expect(tenantSys?.hasValue).toBe(false);
+
+    // SystemAdmin still sees it as set, value hidden by encryption masking.
+    const sa = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [SMTP_PASS] },
+      systemAdmin,
+    );
+    const saSys = systemLevel(sa, SMTP_PASS);
+    expect(saSys?.value).toBe("••••••");
+    expect(saSys?.hasValue).toBe(true);
+  });
+
+  test("control: a transparently-inherited system key stays visible to tenants", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [LIST_HITS] },
+      tenantAdmin,
+    );
+    expect(res[LIST_HITS]?.value).toBe(10);
+  });
+});
+
+describe("inheritedToTenant redaction — config:query:values", () => {
+  test("SystemAdmin sees the inherited system value", async () => {
+    const res = await stack.http.queryOk<Record<string, { value: unknown; source: string }>>(
+      ConfigQueries.values,
+      {},
+      systemAdmin,
+    );
+    expect(res[SMTP_HOST]?.value).toBe("smtp.internal.example.com");
+  });
+
+  test("tenant-side admin sees the key as unset, not the inherited value", async () => {
+    const res = await stack.http.queryOk<Record<string, { value: unknown; source: string }>>(
+      ConfigQueries.values,
+      {},
+      tenantAdmin,
+    );
+    expect(res[SMTP_HOST]?.value).not.toBe("smtp.internal.example.com");
+    // No keyDef.default on SMTP_HOST → after redaction the key is genuinely
+    // unset. values.query now resolves through the cascade (same path as
+    // config:query:cascade), so the source is "missing", matching cascade.query
+    // instead of the old values.query-only synthesized "default".
+    expect(res[SMTP_HOST]?.source).toBe("missing");
+  });
+});

package/src/config/__tests__/read-redaction.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, test } from "bun:test";
+import type { ConfigCascade, ConfigCascadeLevel } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  mayViewInheritedValue,
+  redactInheritedCascade,
+  shouldRedactInherited,
+} from "../read-redaction";
+
+function level(
+  source: ConfigCascadeLevel["source"],
+  value: string | number | boolean | undefined,
+  isActive = false,
+): ConfigCascadeLevel {
+  return { label: source, source, value, isActive, hasValue: value !== undefined };
+}
+
+function cascade(levels: ConfigCascadeLevel[]): ConfigCascade {
+  const active = levels.find((l) => l.isActive);
+  return { value: active?.value, source: active?.source ?? "missing", levels };
+}
+
+describe("read-redaction — viewer predicate", () => {
+  test("only SystemAdmin may view the inherited platform value", () => {
+    expect(mayViewInheritedValue(["SystemAdmin"])).toBe(true);
+    expect(mayViewInheritedValue(["Admin", "TenantAdmin"])).toBe(false);
+    expect(mayViewInheritedValue([])).toBe(false);
+  });
+
+  test("shouldRedactInherited requires inheritedToTenant:false AND a tenant-side viewer", () => {
+    expect(shouldRedactInherited({ inheritedToTenant: false }, ["Admin"])).toBe(true);
+    expect(shouldRedactInherited({ inheritedToTenant: false }, ["SystemAdmin"])).toBe(false);
+    expect(shouldRedactInherited({ inheritedToTenant: undefined }, ["Admin"])).toBe(false);
+    expect(shouldRedactInherited({ inheritedToTenant: true }, ["Admin"])).toBe(false);
+  });
+});
+
+describe("read-redaction — cascade redaction strips every inherited platform rung", () => {
+  test("strips system-row and falls through to missing", () => {
+    const out = redactInheritedCascade(
+      cascade([level("system-row", "smtp.internal", true), level("default", undefined)]),
+    );
+    const sys = out.levels.find((l) => l.source === "system-row");
+    expect(sys?.value).toBeUndefined();
+    expect(sys?.hasValue).toBe(false);
+    expect(out.value).toBeUndefined();
+    expect(out.source).toBe("missing");
+  });
+
+  test("strips the app-override rung too — the #376 leak via ENV-bridged value", () => {
+    const out = redactInheritedCascade(
+      cascade([
+        level("system-row", "secret", true),
+        level("app-override", "from-env"),
+        level("default", undefined),
+      ]),
+    );
+    // The platform env value must NOT become the new winner.
+    expect(out.value).toBeUndefined();
+    expect(out.source).toBe("missing");
+    expect(out.levels.find((l) => l.source === "app-override")?.value).toBeUndefined();
+    expect(out.levels.find((l) => l.source === "app-override")?.hasValue).toBe(false);
+  });
+
+  test("strips computed and static default rungs", () => {
+    const out = redactInheritedCascade(
+      cascade([
+        level("system-row", "sys", true),
+        level("computed", "plan-derived"),
+        level("default", "schema-default"),
+      ]),
+    );
+    expect(out.value).toBeUndefined();
+    expect(out.source).toBe("missing");
+    expect(out.levels.find((l) => l.source === "computed")?.hasValue).toBe(false);
+    expect(out.levels.find((l) => l.source === "default")?.hasValue).toBe(false);
+  });
+
+  test("a tenant's own override survives; every platform rung is hidden", () => {
+    const out = redactInheritedCascade(
+      cascade([
+        level("tenant-row", "tenant-value", true),
+        level("system-row", "platform-default"),
+        level("app-override", "from-env"),
+        level("default", "schema-default"),
+      ]),
+    );
+    expect(out.value).toBe("tenant-value");
+    expect(out.source).toBe("tenant-row");
+    expect(out.levels.find((l) => l.source === "tenant-row")?.isActive).toBe(true);
+    for (const source of ["system-row", "app-override", "default"] as const) {
+      expect(out.levels.find((l) => l.source === source)?.hasValue).toBe(false);
+    }
+  });
+
+  test("a user's own override survives over tenant-row", () => {
+    const out = redactInheritedCascade(
+      cascade([
+        level("user-row", "user-value", true),
+        level("tenant-row", "tenant-value"),
+        level("system-row", "platform"),
+      ]),
+    );
+    expect(out.value).toBe("user-value");
+    expect(out.source).toBe("user-row");
+    expect(out.levels.find((l) => l.source === "tenant-row")?.value).toBe("tenant-value");
+  });
+
+  test("no-op when no platform rung carries a value", () => {
+    const input = cascade([level("tenant-row", "x", true), level("default", undefined)]);
+    expect(redactInheritedCascade(input)).toEqual(input);
+  });
+});

package/src/config/__tests__/settings-hub-feature-name.test.ts

@@ -0,0 +1,14 @@
+import { describe, expect, test } from "bun:test";
+import { SETTINGS_HUB_FEATURE } from "@cosmicdrift/kumiko-framework/engine";
+import { CONFIG_FEATURE } from "../constants";
+
+// Cross-package pin: buildAppSchema merges the generated Settings-Hub into the
+// FeatureSchema named SETTINGS_HUB_FEATURE. The framework hard-codes that name
+// because it cannot import bundled-features (dependency points the other way).
+// This test lives where BOTH constants are visible — if the config feature is
+// ever renamed, the hub would silently land in a phantom feature; this fails first.
+describe("Settings-Hub feature-name pin", () => {
+  test("framework's SETTINGS_HUB_FEATURE equals the config feature's name", () => {
+    expect(SETTINGS_HUB_FEATURE).toBe(CONFIG_FEATURE);
+  });
+});

package/src/config/constants.ts

@@ -1,4 +1,6 @@
-// Feature name
+// @runtime client
+// Pure name/string constants — browser-safe, importable from web client code
+// (configClient() pins its feature name to CONFIG_FEATURE).
 export const CONFIG_FEATURE = "config" as const;
 
 // Qualified write handler names (QN format: scope:type:name)

package/src/config/handlers/cascade.query.ts

@@ -5,6 +5,7 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { requireConfigResolver } from "../feature";
+import { redactInheritedCascade, shouldRedactInherited } from "../read-redaction";
 import { hasConfigAccess } from "../write-helpers";
 
 const MASKED = "••••••";
@@ -46,10 +47,17 @@ export const cascadeQuery = defineQueryHandler({
     );
 
     const result: Record<string, ConfigCascade> = {};
-    for (const [key, cascade] of cascades) {
+    for (const [key, rawCascade] of cascades) {
       const keyDef = keyDefs.get(key);
       if (!keyDef) continue;
 
+      // Redact the inherited platform value (system-row, app-override,
+      // computed, default) BEFORE masking — masking alone leaves hasValue=true
+      // and would still leak "it is set" to a tenant.
+      const cascade = shouldRedactInherited(keyDef, query.user.roles)
+        ? redactInheritedCascade(rawCascade)
+        : rawCascade;
+
       if (keyDef.encrypted) {
         const maskedLevels: ConfigCascadeLevel[] = cascade.levels.map((l) => ({
           ...l,