@cosmicdrift/kumiko-bundled-features 0.50.0 → 0.52.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.50.0",
+  "version": "0.52.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -75,14 +75,16 @@
     "./renderer-foundation": "./src/renderer-foundation/index.ts",
     "./legal-pages": "./src/legal-pages/index.ts",
     "./legal-pages/web": "./src/legal-pages/web/index.ts",
+    "./managed-pages": "./src/managed-pages/index.ts",
+    "./managed-pages/seeding": "./src/managed-pages/seeding.ts",
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.45.0",
-    "@cosmicdrift/kumiko-framework": "0.45.0",
-    "@cosmicdrift/kumiko-headless": "0.45.0",
-    "@cosmicdrift/kumiko-renderer": "0.45.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.45.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.50.0",
+    "@cosmicdrift/kumiko-framework": "0.50.0",
+    "@cosmicdrift/kumiko-headless": "0.50.0",
+    "@cosmicdrift/kumiko-renderer": "0.50.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.50.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/config/__tests__/backing-secrets.integration.test.ts

@@ -0,0 +1,188 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { randomBytes } from "node:crypto";
+import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  access,
+  type ConfigCascade,
+  createSystemConfig,
+  defineFeature,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import { createEnvMasterKeyProvider } from "@cosmicdrift/kumiko-framework/secrets";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { z } from "zod";
+import { createSecretsContext } from "../../secrets/secrets-context";
+import { tenantSecretsTable } from "../../secrets/table";
+import { ConfigHandlers, ConfigQueries } from "../constants";
+import { createConfigAccessorFactory, createConfigFeature } from "../feature";
+import { createConfigResolver } from "../resolver";
+import { configValuesTable } from "../table";
+
+// Proves the generic backing="secrets" dispatch end-to-end over real HTTP:
+// a system-scoped config key with backing:"secrets" stores/reads/clears through
+// the secrets store (envelope-encrypted, system tenant) instead of the
+// config_values projection — while the value is masked in the query handlers
+// yet revealed for the owning feature's internal ctx.config read.
+
+const SYSTEM_TENANT = "00000000-0000-4000-8000-000000000000";
+const API_KEY = "billing:config:api-key";
+const PLAIN_KEY = "billing:config:webhook-path";
+
+const systemAdmin = TestUsers.systemAdmin; // roles ["SystemAdmin"]
+
+const billingFeature = defineFeature("billing", (r) => {
+  r.requires("config");
+  r.config({
+    keys: {
+      // backing:"secrets" — value lives in the secrets store, not config_values.
+      apiKey: createSystemConfig("text", {
+        backing: "secrets",
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
+      // Control: a plain system config key (config_values, no secrets dispatch).
+      webhookPath: createSystemConfig("text", {
+        default: "/hooks",
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
+    },
+  });
+  // Internal-read probe: a handler that reads its own secrets-backed key via
+  // ctx.config — must receive the revealed plaintext, not the mask.
+  r.queryHandler(
+    "peek-api-key",
+    z.object({}),
+    async (_query, ctx) => {
+      if (!ctx.config) throw new Error("ctx.config not wired");
+      return { value: await ctx.config(API_KEY) };
+    },
+    { access: { roles: ["SystemAdmin"] } },
+  );
+});
+
+let stack: TestStack;
+
+beforeAll(async () => {
+  const masterKeyProvider = createEnvMasterKeyProvider({
+    env: {
+      KUMIKO_SECRETS_MASTER_KEY_V1: randomBytes(32).toString("base64"),
+      KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "1",
+    },
+  });
+
+  stack = await setupTestStack({
+    features: [createConfigFeature(), billingFeature],
+    extraContext: ({ db, registry }) => {
+      const resolver = createConfigResolver();
+      return {
+        configResolver: resolver,
+        _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+        secrets: createSecretsContext({ db, masterKeyProvider }),
+      };
+    },
+  });
+  await unsafePushTables(stack.db, { configValuesTable, tenantSecretsTable });
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+type Cascades = Record<string, ConfigCascade>;
+
+describe("config backing=secrets — write dispatch", () => {
+  test("set routes the value into the secrets store, not config_values", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: API_KEY, value: "sk-live-abc123", scope: "system" },
+      systemAdmin,
+    );
+
+    const secretRows = await selectMany(stack.db, tenantSecretsTable, {
+      tenantId: SYSTEM_TENANT,
+      key: API_KEY,
+    });
+    expect(secretRows).toHaveLength(1);
+
+    const configRows = await selectMany(stack.db, configValuesTable, { key: API_KEY });
+    expect(configRows).toHaveLength(0);
+  });
+
+  test("the stored secret is an envelope, never the plaintext", async () => {
+    const [row] = await selectMany(stack.db, tenantSecretsTable, {
+      tenantId: SYSTEM_TENANT,
+      key: API_KEY,
+    });
+    // No column of the stored row may carry the plaintext — the secrets
+    // envelope must have encrypted it.
+    expect(JSON.stringify(row)).not.toContain("sk-live-abc123");
+  });
+});
+
+describe("config backing=secrets — read dispatch", () => {
+  test("the owning feature reads the revealed plaintext via ctx.config", async () => {
+    const res = await stack.http.queryOk<{ value: unknown }>(
+      "billing:query:peek-api-key",
+      {},
+      systemAdmin,
+    );
+    // JSON round-trip: set serialized "sk-live-abc123" → resolver reveals +
+    // deserializes back to the original string.
+    expect(res.value).toBe("sk-live-abc123");
+  });
+
+  test("config:query:cascade masks the value AND every level", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [API_KEY] },
+      systemAdmin,
+    );
+    const cascade = res[API_KEY];
+    expect(cascade?.value).toBe("••••••");
+    expect(cascade?.source).toBe("system-row");
+    const systemLevel = cascade?.levels.find((l) => l.source === "system-row");
+    expect(systemLevel?.hasValue).toBe(true);
+    expect(systemLevel?.value).toBe("••••••");
+    expect(JSON.stringify(cascade)).not.toContain("sk-live-abc123");
+  });
+
+  test("config:query:values masks the value", async () => {
+    const res = await stack.http.queryOk<Record<string, { value: unknown; source: string }>>(
+      ConfigQueries.values,
+      {},
+      systemAdmin,
+    );
+    expect(res[API_KEY]?.value).toBe("••••••");
+    expect(res[API_KEY]?.source).toBe("system-row");
+    // The plain control key still resolves transparently.
+    expect(res[PLAIN_KEY]?.value).toBe("/hooks");
+    expect(res[PLAIN_KEY]?.source).toBe("default");
+  });
+});
+
+describe("config backing=secrets — reset dispatch", () => {
+  test("reset clears the secret; the key falls back to unset", async () => {
+    await stack.http.writeOk(ConfigHandlers.reset, { key: API_KEY, scope: "system" }, systemAdmin);
+
+    const secretRows = await selectMany(stack.db, tenantSecretsTable, {
+      tenantId: SYSTEM_TENANT,
+      key: API_KEY,
+    });
+    expect(secretRows).toHaveLength(0);
+
+    const res = await stack.http.queryOk<{ value: unknown }>(
+      "billing:query:peek-api-key",
+      {},
+      systemAdmin,
+    );
+    // No keyDef.default on apiKey → genuinely unset after the secret is gone.
+    expect(res.value).toBeUndefined();
+  });
+});

package/src/config/__tests__/config.integration.test.ts

@@ -181,6 +181,22 @@ const integrationFeature = defineFeature("integration", (r) => {
 
 const configFeature = createConfigFeature();
 
+// Pattern-validated text key (managed-cms phase 3 core change): set.write runs
+// keyDef.pattern as a hard-reject gate, same posture as bounds. The regex
+// allows empty (clear) | a CSS hex color.
+const patternFeature = defineFeature("patterned", (r) => {
+  r.requires("config");
+  r.config({
+    keys: {
+      hexColor: createTenantConfig("text", {
+        default: "",
+        write: access.roles("Admin"),
+        pattern: { regex: "^$|^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$" },
+      }),
+    },
+  });
+});
+
 // Scenario 11: Config seeding — feature with deploy-time defaults
 const seedFeature = defineFeature("seeddemo", (r) => {
   r.requires("config");
@@ -244,6 +260,7 @@ beforeAll(async () => {
       probeFeature,
       seedFeature,
       transportFeature,
+      patternFeature,
     ],
     // Wire `ctx.config()` for real handlers: pass the resolver-bound factory
     // so the dispatcher can mint a per-user accessor inside buildHandlerContext.
@@ -1460,3 +1477,46 @@ describe("scenario 11: config seeding", () => {
     expect(await configFn(SEED_THEME)).toBe("red");
   });
 });
+
+// --- Pattern validation (text keys) ---
+
+describe("pattern validation", () => {
+  const HEX_KEY = "patterned:config:hex-color";
+  const admin = createTestUser({ id: 99, roles: ["Admin"] });
+
+  test("valid value passes the regex", async () => {
+    const res = await stack.http.writeOk<{ value: string }>(
+      "config:write:set",
+      { key: HEX_KEY, value: "#abc123" },
+      admin,
+    );
+    expect(res).toMatchObject({ value: "#abc123" });
+  });
+
+  test("empty value passes (allow-empty branch)", async () => {
+    const res = await stack.http.writeOk<{ value: string }>(
+      "config:write:set",
+      { key: HEX_KEY, value: "" },
+      admin,
+    );
+    expect(res).toMatchObject({ value: "" });
+  });
+
+  test("non-matching value is hard-rejected with invalid_format", async () => {
+    const error = await stack.http.writeErr(
+      "config:write:set",
+      { key: HEX_KEY, value: "tomato" },
+      admin,
+    );
+    expectErrorIncludes(error, "invalid_format");
+  });
+
+  test("style-breakout attempt is rejected (no CSS injection survives)", async () => {
+    const error = await stack.http.writeErr(
+      "config:write:set",
+      { key: HEX_KEY, value: "#fff;}</style><script>" },
+      admin,
+    );
+    expectErrorIncludes(error, "invalid_format");
+  });
+});

package/src/config/feature.ts

@@ -4,6 +4,7 @@ import {
   type ConfigAccessorFactory,
   type ConfigKeyHandle,
   type ConfigKeyType,
+  type ConfigSecretsReader,
   type ConfigValue,
   defineFeature,
   type FeatureDefinition,
@@ -59,6 +60,7 @@ export function createConfigAccessor(
   tenantId: TenantId,
   userId: string,
   db: DbConnection | TenantDb,
+  secrets?: ConfigSecretsReader,
 ): ConfigAccessor {
   async function configAccessor(
     qualifiedKey: string,
@@ -72,7 +74,7 @@ export function createConfigAccessor(
     const qualifiedKey = typeof keyOrHandle === "string" ? keyOrHandle : keyOrHandle.name;
     const keyDef = registry.getConfigKey(qualifiedKey);
     if (!keyDef) return undefined;
-    return resolver.get(qualifiedKey, keyDef, tenantId, userId, db);
+    return resolver.get(qualifiedKey, keyDef, tenantId, userId, db, secrets);
   }
   return configAccessor;
 }
@@ -83,7 +85,8 @@ export function createConfigAccessorFactory(
   registry: Registry,
   resolver: ConfigResolver,
 ): ConfigAccessorFactory {
-  return ({ user, db }) => createConfigAccessor(registry, resolver, user.tenantId, user.id, db);
+  return ({ user, db, secrets }) =>
+    createConfigAccessor(registry, resolver, user.tenantId, user.id, db, secrets);
 }
 
 // Single point of truth for "this handler needs the resolver". Throws a

package/src/config/handlers/cascade.query.ts

@@ -44,6 +44,7 @@ export const cascadeQuery = defineQueryHandler({
       query.user.tenantId,
       query.user.id,
       db,
+      ctx.secrets,
     );
 
     const result: Record<string, ConfigCascade> = {};
@@ -58,7 +59,9 @@ export const cascadeQuery = defineQueryHandler({
         ? redactInheritedCascade(rawCascade)
         : rawCascade;
 
-      if (keyDef.encrypted) {
+      // backing="secrets" is masked like encrypted — the resolver revealed the
+      // plaintext for internal reads, but it must never reach the cascade UI.
+      if (keyDef.encrypted || keyDef.backing === "secrets") {
         const maskedLevels: ConfigCascadeLevel[] = cascade.levels.map((l) => ({
           ...l,
           value: l.hasValue ? MASKED : l.value,

package/src/config/handlers/readiness.query.ts

@@ -98,6 +98,7 @@ export async function collectMissingRequiredConfig(
     user.tenantId,
     user.id,
     ctx.db,
+    ctx.secrets,
   );
   for (const [qualifiedKey, keyDef] of candidates) {
     const value = cascades.get(qualifiedKey)?.value;

package/src/config/handlers/reset.write.ts

@@ -1,5 +1,10 @@
 import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
-import { ConfigScopes, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  ConfigScopes,
+  defineWriteHandler,
+  SYSTEM_TENANT_ID,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { configValueEntity, configValuesTable } from "../table";
 import { findConfigRow, prepareConfigWrite } from "../write-helpers";
@@ -28,7 +33,23 @@ export const resetWrite = defineWriteHandler({
       scope: event.payload.scope,
     });
     if (!prep.ok) return prep.failure;
-    const { scope, tenantId, userId } = prep;
+    const { keyDef, scope, tenantId, userId } = prep;
+
+    // backing="secrets": clear the secret from the secrets store. delete() is
+    // idempotent (returns false if absent) — mirrors the config no-op contract.
+    if (keyDef.backing === "secrets") {
+      if (!ctx.secrets) {
+        throw new InternalError({
+          message:
+            `[config:write:reset] key "${event.payload.key}" declares backing="secrets" but ` +
+            `ctx.secrets is not wired — provide extraContext.secrets (and a MasterKeyProvider).`,
+        });
+      }
+      await ctx.secrets.delete(SYSTEM_TENANT_ID, event.payload.key, {
+        deletedBy: event.user.id,
+      });
+      return { isSuccess: true, data: { key: event.payload.key, scope } };
+    }
 
     const existing = await findConfigRow(db, event.payload.key, tenantId, userId);
 

package/src/config/handlers/set.write.ts

@@ -1,6 +1,10 @@
 import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
-import { ConfigScopes, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
-import { writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  ConfigScopes,
+  defineWriteHandler,
+  SYSTEM_TENANT_ID,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { requireConfigEncryption } from "../feature";
 import { configValueEntity, configValuesTable } from "../table";
@@ -8,6 +12,7 @@ import {
   findConfigRow,
   prepareConfigWrite,
   validateBounds,
+  validatePattern,
   validateScope,
   validateType,
 } from "../write-helpers";
@@ -52,6 +57,35 @@ export const setWrite = defineWriteHandler({
     const boundsError = validateBounds(event.payload.value, keyDef);
     if (boundsError) return writeFailure(boundsError);
 
+    const patternError = validatePattern(event.payload.value, keyDef);
+    if (patternError) return writeFailure(patternError);
+
+    // backing="secrets": persist into the secrets store (system tenant, own
+    // envelope encryption + audit) instead of config_values. Same JSON
+    // serialization as a config row so the read path round-trips via
+    // deserializeValue. system-scope is guaranteed by the boot-guard.
+    if (keyDef.backing === "secrets") {
+      if (!ctx.secrets) {
+        throw new InternalError({
+          message:
+            `[config:write:set] key "${event.payload.key}" declares backing="secrets" but ` +
+            `ctx.secrets is not wired — provide extraContext.secrets (and a MasterKeyProvider).`,
+        });
+      }
+      await ctx.secrets.set(
+        SYSTEM_TENANT_ID,
+        event.payload.key,
+        JSON.stringify(event.payload.value),
+        {
+          updatedBy: event.user.id,
+        },
+      );
+      return {
+        isSuccess: true,
+        data: { key: event.payload.key, value: event.payload.value, scope },
+      };
+    }
+
     let serialized = JSON.stringify(event.payload.value);
     if (keyDef.encrypted) {
       const encryption = requireConfigEncryption(ctx, "config:write:set");

package/src/config/handlers/values.query.ts

@@ -39,6 +39,7 @@ export const valuesQuery = defineQueryHandler({
       query.user.tenantId,
       query.user.id,
       db,
+      ctx.secrets,
     );
 
     const result: Record<
@@ -60,8 +61,11 @@ export const valuesQuery = defineQueryHandler({
         ? redactInheritedCascade(rawCascade)
         : rawCascade;
 
+      // backing="secrets" carries a credential — mask it like an encrypted
+      // key so the plaintext (which the resolver revealed for internal reads)
+      // never reaches the UI response.
       let value: string | number | boolean | undefined;
-      if (keyDef.encrypted) {
+      if (keyDef.encrypted || keyDef.backing === "secrets") {
         value = cascade.value !== undefined ? MASKED : undefined;
       } else {
         value = cascade.value;

package/src/config/resolver.ts

@@ -5,11 +5,13 @@ import type {
   ConfigCascadeLevel,
   ConfigKeyDefinition,
   ConfigResolver,
+  ConfigSecretsReader,
   ConfigStoredRowWithSource,
   ConfigValueSource,
   ConfigValueWithSource,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { SYSTEM_TENANT_ID } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
 import { assertUnreachable, parseJsonOrThrow } from "@cosmicdrift/kumiko-framework/utils";
 import { selectConfigRowsForKeys, selectConfigRowsForScope } from "./db/queries/resolver";
 import { configValuesTable } from "./table";
@@ -65,6 +67,26 @@ export type ConfigResolverOptions = {
   appOverrides?: AppConfigOverrides;
 };
 
+// backing="secrets" keys store their value in the secrets store (flat per
+// (tenant,key) at SYSTEM_TENANT_ID), not in config_values. Both read paths
+// (getWithSource + buildCascade) route the system rung here. Missing reader =
+// the app never wired extraContext.secrets → fail loud, never silently miss.
+async function readBackingSecret(
+  secretsReader: ConfigSecretsReader | undefined,
+  qualifiedKey: string,
+): Promise<string | undefined> {
+  if (!secretsReader) {
+    throw new InternalError({
+      message:
+        `[config] backing="secrets" key "${qualifiedKey}" was read without a secrets ` +
+        `reader — wire extraContext.secrets (and a MasterKeyProvider) so the secrets ` +
+        `store is reachable at request time.`,
+    });
+  }
+  const secret = await secretsReader.get(SYSTEM_TENANT_ID, qualifiedKey);
+  return secret?.reveal();
+}
+
 // Shared cascade-builder. Single-key path passes a `findRow`-bound row
 // fetcher (one SQL per lookup); batch path passes a closure over
 // pre-loaded rows. The builder itself is unaware of which.
@@ -80,6 +102,7 @@ async function buildCascade(
   ) => Promise<ConfigRow | null> | ConfigRow | null,
   appOverrides: AppConfigOverrides | undefined,
   encryption: EncryptionProvider | undefined,
+  secretsReader: ConfigSecretsReader | undefined,
 ): Promise<ConfigCascade> {
   type Lookup = {
     tenantId: string;
@@ -125,6 +148,34 @@ async function buildCascade(
   let activeIndex = -1;
 
   for (const lookup of lookups) {
+    // backing="secrets" is system-only (boot-guard), so the single system-row
+    // rung reads from the secrets store instead of config_values. The secret
+    // value is the same JSON-serialized form a config row would hold (set.write
+    // serializes before handing it to secrets), so deserializeValue applies;
+    // no config-level decrypt — the secrets envelope already returned plaintext.
+    if (keyDef.backing === "secrets" && lookup.source === "system-row") {
+      const secret = await readBackingSecret(secretsReader, qualifiedKey);
+      if (secret !== undefined) {
+        if (activeIndex === -1) activeIndex = levels.length;
+        levels.push({
+          label: lookup.label,
+          value: deserializeValue(secret, keyDef.type),
+          source: lookup.source,
+          isActive: false,
+          hasValue: true,
+        });
+      } else {
+        levels.push({
+          label: lookup.label,
+          value: undefined,
+          source: lookup.source,
+          isActive: false,
+          hasValue: false,
+        });
+      }
+      continue;
+    }
+
     const row = await fetchRow(lookup.tenantId, lookup.userId);
     if (row?.value !== null && row?.value !== undefined) {
       let raw = row.value;
@@ -231,10 +282,17 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
   }
 
   return {
-    async get(qualifiedKey, keyDef, tenantId, userId, db) {
+    async get(qualifiedKey, keyDef, tenantId, userId, db, secretsReader) {
       // get() is a thin wrapper around getWithSource that discards the
       // source tag. Keeps the hot-path a single implementation.
-      const result = await this.getWithSource(qualifiedKey, keyDef, tenantId, userId, db);
+      const result = await this.getWithSource(
+        qualifiedKey,
+        keyDef,
+        tenantId,
+        userId,
+        db,
+        secretsReader,
+      );
       return result.value;
     },
 
@@ -244,7 +302,29 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
       tenantId,
       userId,
       db,
+      secretsReader,
     ): Promise<ConfigValueWithSource> {
+      // backing="secrets": the value lives in the secrets store at the system
+      // tenant, not config_values. Read it directly (system-only by boot-guard)
+      // and skip the config-row lookups; app-override/computed/default still
+      // form the fallback ladder when the secret is unset.
+      if (keyDef.backing === "secrets") {
+        const secret = await readBackingSecret(secretsReader, qualifiedKey);
+        if (secret !== undefined) {
+          return { value: deserializeValue(secret, keyDef.type), source: "system-row" };
+        }
+        if (appOverrides?.has(qualifiedKey)) {
+          return { value: appOverrides.get(qualifiedKey), source: "app-override" };
+        }
+        if (keyDef.computed) {
+          const value = await keyDef.computed({ tenantId, userId, db });
+          return { value, source: "computed" };
+        }
+        if (keyDef.default !== undefined) {
+          return { value: keyDef.default, source: "default" };
+        }
+        return { value: undefined, source: "missing" };
+      }
       // Resolution cascade based on scope
       // user:   userId+tenantId → tenantId → SYSTEM_TENANT_ID → default
       // tenant: tenantId → SYSTEM_TENANT_ID → default
@@ -366,7 +446,14 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
       return result;
     },
 
-    async getCascade(qualifiedKey, keyDef, tenantId, userId, db): Promise<ConfigCascade> {
+    async getCascade(
+      qualifiedKey,
+      keyDef,
+      tenantId,
+      userId,
+      db,
+      secretsReader,
+    ): Promise<ConfigCascade> {
       // Single-key path uses findRow per cascade step. The batch path
       // bulk-loads all rows up-front; both build identical levels arrays.
       return buildCascade(
@@ -378,6 +465,7 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
         (tid, uid) => findRow(qualifiedKey, tid, uid, db),
         appOverrides,
         encryption,
+        secretsReader,
       );
     },
 
@@ -387,6 +475,7 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
       tenantId,
       userId,
       db,
+      secretsReader,
     ): Promise<ReadonlyMap<string, ConfigCascade>> {
       if (keys.length === 0) return new Map();
 
@@ -418,6 +507,7 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
             keyRows.find((r) => r.tenantId === tid && (r.userId ?? null) === uid) ?? null,
           appOverrides,
           encryption,
+          secretsReader,
         );
         result.set(key, cascade);
       }