@cosmicdrift/kumiko-bundled-features 0.50.0 → 0.52.0

package/src/config/write-helpers.ts

@@ -16,6 +16,7 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import {
   AccessDeniedError,
+  InternalError,
   type KumikoError,
   NotFoundError,
   UnprocessableError,
@@ -262,3 +263,39 @@ export function validateBounds(
 
   return null;
 }
+
+// Regex enforcement for text config keys (keyDef.pattern). Hard-reject on
+// mismatch (same posture as validateBounds — never silent-coerce). The value
+// is tenant-supplied, so this is the write-side gate behind the configEdit
+// screen (which dispatches config:write:set per key). A malformed author-
+// supplied regex is surfaced as an InternalError instead of throwing
+// unhandled in the write path.
+export function validatePattern(
+  value: string | number | boolean,
+  keyDef: ConfigKeyDefinition,
+): KumikoError | null {
+  if (keyDef.type !== "text" || !keyDef.pattern) return null;
+  // skip: validateType runs first and guarantees a string for type==="text"
+  if (typeof value !== "string") return null;
+
+  let re: RegExp;
+  try {
+    re = new RegExp(keyDef.pattern.regex, keyDef.pattern.flags);
+  } catch {
+    return new InternalError({
+      message: `config key pattern is not a valid RegExp: ${keyDef.pattern.regex}`,
+    });
+  }
+  if (re.test(value)) return null;
+
+  return new ValidationError({
+    fields: [
+      {
+        path: "value",
+        code: "invalid_format",
+        i18nKey: "errors.validation.invalid_format",
+        params: { value, pattern: keyDef.pattern.regex },
+      },
+    ],
+  });
+}

package/src/jobs/__tests__/projection-rebuild-job.integration.test.ts

@@ -0,0 +1,162 @@
+// #362: das `jobs`-Feature registriert den framework-eigenen Single-Run-Job
+// `jobs:job:projection-rebuild`. Sobald jobs komponiert ist, dispatcht
+// `enqueueProjectionRebuild` einen getrackten, retrybaren Rebuild über BullMQ;
+// der Worker ruft `rebuildProjection`. Ohne jobs fällt der Helper auf einen
+// inline-Rebuild zurück (in migrations/__tests__/pending-rebuilds.* abgedeckt).
+
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import {
+  asRawClient,
+  buildEntityTable,
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  integer,
+  table as pgTable,
+  selectMany,
+  type TenantDb,
+  uuid,
+} from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createRegistry,
+  createTextField,
+  defineApply,
+  defineFeature,
+  type ProjectionDefinition,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import { createJobRunner, type JobRunner } from "@cosmicdrift/kumiko-framework/jobs";
+import {
+  enqueueProjectionRebuild,
+  PROJECTION_REBUILD_JOB,
+} from "@cosmicdrift/kumiko-framework/migrations";
+import { createProjectionStateTable } from "@cosmicdrift/kumiko-framework/pipeline";
+import {
+  createTestDb,
+  createTestRedis,
+  type TestDb,
+  type TestRedis,
+  TestUsers,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { sleep } from "@cosmicdrift/kumiko-framework/testing";
+import { createJobsFeature } from "../feature";
+import { createJobRunLogger } from "../job-run-logger";
+import { jobRunLogsTable, jobRunsTable } from "../job-run-table";
+
+const itemEntity = createEntity({
+  table: "read_rebuild_items",
+  fields: {
+    groupId: createTextField({ required: true }),
+    name: createTextField({ required: true }),
+  },
+});
+const itemTable = buildEntityTable("rebuild-item", itemEntity);
+const executor = createEventStoreExecutor(itemTable, itemEntity, { entityName: "rebuild-item" });
+
+const countsTable = pgTable("read_rebuild_counts", {
+  groupId: uuid("group_id").primaryKey(),
+  tenantId: uuid("tenant_id").notNull(),
+  itemCount: integer("item_count").notNull().default(0),
+});
+
+// Eigene (explizite) Projektion — der Executor füllt sie NICHT live, sie wird
+// ausschließlich vom Rebuild materialisiert. Count==2 nach dem Job beweist also
+// den Replay, nicht den Live-Write.
+const countsProjection: ProjectionDefinition = {
+  name: "rebuild-counts",
+  source: "rebuild-item",
+  table: countsTable,
+  apply: {
+    "rebuild-item.created": defineApply<{ groupId: string }>(async (event, tx) => {
+      await asRawClient(tx).unsafe(
+        `INSERT INTO "read_rebuild_counts" (group_id, tenant_id, item_count) VALUES ($1::uuid, $2::uuid, 1)
+         ON CONFLICT (group_id) DO UPDATE SET item_count = read_rebuild_counts.item_count + 1`,
+        [event.payload.groupId, event.tenantId],
+      );
+    }),
+  },
+};
+
+const PROJECTION = "rebuildtest:projection:rebuild-counts";
+const GROUP = "00000000-0000-4000-8000-000000000001";
+
+const appFeature = defineFeature("rebuildtest", (r) => {
+  r.entity("rebuild-item", itemEntity);
+  r.projection(countsProjection);
+});
+
+const admin = TestUsers.admin;
+const registry = createRegistry([appFeature, createJobsFeature()]);
+
+let testDb: TestDb;
+let testRedis: TestRedis;
+let db: DbConnection;
+let tdb: TenantDb;
+let jobRunner: JobRunner;
+
+beforeAll(async () => {
+  testDb = await createTestDb();
+  testRedis = await createTestRedis();
+  db = testDb.db;
+
+  await unsafeCreateEntityTable(db, itemEntity, "rebuild-item");
+  await createEventsTable(db);
+  await createProjectionStateTable(db);
+  await unsafePushTables(db, { readRebuildCounts: countsTable, jobRunsTable, jobRunLogsTable });
+  tdb = createTenantDb(db, admin.tenantId);
+
+  const redisUrl = `redis://${testRedis.redis.options.host}:${testRedis.redis.options.port}/${testRedis.redis.options.db}`;
+  const logger = createJobRunLogger({ db, registry });
+  jobRunner = createJobRunner({
+    registry,
+    context: { db },
+    redisUrl,
+    consumerLane: "worker",
+    queueNamePrefix: `kumiko-projrebuild-test-${Date.now()}`,
+    ...logger,
+  });
+  await jobRunner.start();
+});
+
+afterAll(async () => {
+  await jobRunner.stop();
+  await testDb.cleanup();
+  await testRedis.cleanup();
+});
+
+async function getCount(): Promise<number | undefined> {
+  const [row] = await selectMany<{ itemCount: number }>(db, countsTable, { groupId: GROUP });
+  return row?.itemCount;
+}
+
+describe("projection-rebuild job (jobs feature composed)", () => {
+  test("jobs feature registers the framework rebuild job under its qualified name", () => {
+    expect(registry.getJob(PROJECTION_REBUILD_JOB)).toBeDefined();
+  });
+
+  test("enqueueProjectionRebuild dispatches a tracked job that refills the projection", async () => {
+    await executor.create({ groupId: GROUP, name: "a" }, admin, tdb);
+    await executor.create({ groupId: GROUP, name: "b" }, admin, tdb);
+    // Live executor füllt die explizite Projektion nicht — Rebuild ist der einzige Weg.
+    expect(await getCount()).toBeUndefined();
+
+    const outcome = await enqueueProjectionRebuild(PROJECTION, { db, registry, jobRunner });
+    expect(outcome.mode).toBe("dispatched");
+    if (outcome.mode === "dispatched") {
+      expect(outcome.bullJobId).toBeTruthy();
+    }
+
+    // Poll until the worker drained the queue and the rebuild refilled.
+    for (let i = 0; i < 40 && (await getCount()) !== 2; i++) await sleep(200);
+    expect(await getCount()).toBe(2);
+
+    const runs = await selectMany<{ jobName: string; status: string }>(db, jobRunsTable, {
+      jobName: PROJECTION_REBUILD_JOB,
+    });
+    expect(runs.length).toBeGreaterThanOrEqual(1);
+    expect(runs.some((r) => r.status === "completed")).toBe(true);
+  }, 30000);
+});

package/src/jobs/feature.ts

@@ -12,6 +12,10 @@ import type { z } from "zod";
 import { runCompletedSchema, runFailedSchema, runStartedSchema } from "./events";
 import { detailQuery } from "./handlers/detail.query";
 import { listQuery } from "./handlers/list.query";
+import {
+  projectionRebuildJob,
+  projectionRebuildPayloadSchema,
+} from "./handlers/projection-rebuild.job";
 import { retryWrite } from "./handlers/retry.write";
 import { triggerWrite } from "./handlers/trigger.write";
 import {
@@ -149,6 +153,15 @@ export function createJobsFeature(): FeatureDefinition {
       },
     });
 
+    // Framework-provided single-run rebuild job (QN `jobs:job:projection-rebuild`).
+    // Available whenever `jobs` is composed — `enqueueProjectionRebuild` dispatches
+    // it; every run is tracked in read_job_runs + retryable via jobs:write:retry.
+    r.job(
+      "projectionRebuild",
+      { trigger: { manual: true }, schema: projectionRebuildPayloadSchema },
+      projectionRebuildJob,
+    );
+
     const handlers = {
       trigger: r.writeHandler(triggerWrite),
       retry: r.writeHandler(retryWrite),

package/src/jobs/handlers/projection-rebuild.job.ts

@@ -0,0 +1,36 @@
+// Single-run projection-rebuild worker (QN `jobs:job:projection-rebuild`).
+// Replays the event log into one projection via the framework's
+// `rebuildProjection`. Triggered manually — typically through
+// `enqueueProjectionRebuild` (migrations) as the self-service repair for an
+// emptied projection, a deliberate manual rebuild, or a post-upcaster refill.
+// Run-tracking (read_job_runs + read_job_run_logs) and retry come for free
+// from the jobs feature that registers this worker.
+
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { JobHandlerFn } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
+import { rebuildProjection } from "@cosmicdrift/kumiko-framework/pipeline";
+import { z } from "zod";
+
+export const projectionRebuildPayloadSchema = z.object({ projection: z.string().min(1) });
+
+export const projectionRebuildJob: JobHandlerFn = async (rawPayload, ctx): Promise<void> => {
+  const { projection } = projectionRebuildPayloadSchema.parse(rawPayload);
+  if (!ctx.db) {
+    throw new InternalError({
+      message:
+        "[jobs:projection-rebuild] ctx.db missing — job context requires a database connection.",
+    });
+  }
+  if (!ctx.registry) {
+    throw new InternalError({
+      message:
+        "[jobs:projection-rebuild] ctx.registry missing — job context requires the registry.",
+    });
+  }
+  const db = ctx.db as DbConnection; // @cast-boundary db-operator
+  const result = await rebuildProjection(projection, { db, registry: ctx.registry });
+  ctx.log?.info?.(
+    `[jobs:projection-rebuild] rebuilt ${projection}: ${result.eventsProcessed} events in ${result.durationMs}ms`,
+  );
+};

package/src/legal-pages/README.md

@@ -156,19 +156,22 @@ datenschutz-generator.de).
 
 ---
 
-## XSS — currently not secured by design
-
-`marked` renders HTML tags 1:1, so a malicious tenant admin could in
-theory put `<script>` into the body.
-
-Currently accepted because:
-- only `roles: ["TenantAdmin"]` may set texts
-- multi-author setups don't exist yet
-- self-hosted tier without unknown tenant admins
-
-**Phase-2 hardening:** `DOMPurify` or `isomorphic-dompurify`
-sanitization step between `marked.parse()` and the response.
-Documented when a customer with a multi-author setup shows up.
+## XSS hardening (untrusted authors)
+
+The server-render path is hardened for untrusted tenant authors —
+no DOMPurify dependency needed:
+
+- **Raw HTML is escaped, not passed through.** `renderMarkdownToHtml`
+  (`markdown.ts`) configures `marked` so block- and inline-level HTML
+  tokens are emitted as escaped text (`<script>` → `&lt;script&gt;`).
+  Markdown structure (headings, lists, links, code) stays intact.
+- **Link/image hrefs are scheme-restricted** to `http(s)`/`mailto`/
+  relative; `javascript:`/`data:` hrefs are neutralised to `#`.
+- **Defense-in-depth headers** on every response (`security-headers.ts`):
+  `content-security-policy: script-src 'none'; object-src 'none';
+  base-uri 'none'` (no script can run even if injection slips through),
+  plus `x-content-type-options`, `x-frame-options`, `referrer-policy`.
+  No `default-src`, so inline `<style>` layouts stay unaffected.
 
 ---
 

package/src/legal-pages/__tests__/legal-pages.integration.test.ts

@@ -141,12 +141,9 @@ describe("legal-pages :: edge-cases", () => {
     expect(body).toContain("Tenant-Admin");
   });
 
-  test("Markdown-Body mit <script> wird NICHT escaped (dokumentiertes XSS-Verhalten, siehe README)", async () => {
-    // Bewusstes Verhalten: marked.parse rendered HTML 1:1, kein
-    // DOMPurify-Layer aktuell. Dokumentiert in legal-pages/README.md
-    // ('XSS — bewusst aktuell nicht gesichert'). Test pinnt das
-    // Verhalten — wenn es sich ändert (z.B. DOMPurify dazu), schlägt
-    // dieser Test fehl und der Wechsel ist dokumentiert.
+  test("Markdown-Body mit <script> wird escaped (XSS-Härtung)", async () => {
+    // Server-Render ist gegen untrusted Tenant-Authoren gehärtet:
+    // Raw-HTML im Markdown-Body wird als Text escaped (kein Passthrough).
     await seedTextBlock(db, {
       tenantId: SYSTEM_TENANT_ID,
       slug: "imprint",
@@ -158,8 +155,8 @@ describe("legal-pages :: edge-cases", () => {
     const res = await stack.app.request("/legal/impressum");
     expect(res.status).toBe(200);
     const html = await res.text();
-    // Aktuelles Verhalten: script-tag bleibt unescaped im Output
-    expect(html).toContain("<script>window.x=1</script>");
+    expect(html).not.toContain("<script>window.x=1</script>");
+    expect(html).toContain("&lt;script&gt;");
   });
 });
 
@@ -170,6 +167,16 @@ describe("legal-pages :: cache-control", () => {
   });
 });
 
+describe("legal-pages :: security headers", () => {
+  test("server-gerenderte Pages tragen CSP + Hardening-Header", async () => {
+    const res = await stack.app.request("/legal/impressum");
+    expect(res.headers.get("content-security-policy")).toContain("script-src 'none'");
+    expect(res.headers.get("x-content-type-options")).toBe("nosniff");
+    expect(res.headers.get("x-frame-options")).toBe("SAMEORIGIN");
+    expect(res.headers.get("referrer-policy")).toBe("strict-origin-when-cross-origin");
+  });
+});
+
 describe("markdown render helpers", () => {
   test("renderMarkdownToHtml converts markdown to HTML", () => {
     const html = renderMarkdownToHtml("# Title\n\n**bold**");

package/src/legal-pages/feature.ts

@@ -9,6 +9,7 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import { LEGAL_REQUIRED_BLOCKS, LEGAL_ROUTES } from "./constants";
 import { renderMarkdownToHtml, wrapInLayout } from "./markdown";
+import { securePageHeaders } from "./security-headers";
 
 // QN-Konstante als dokumentierter Public-Contract des text-content-
 // Features. Ein magic-string statt eines Code-Imports ist hier explizit
@@ -113,10 +114,14 @@ export function createLegalPagesFeature(opts: LegalPagesOptions = {}): FeatureDe
             lang: route.lang,
           });
 
-          return c.body(html, 200, {
-            "content-type": "text/html; charset=utf-8",
-            "cache-control": "public, max-age=300",
-          });
+          return c.body(
+            html,
+            200,
+            securePageHeaders({
+              "content-type": "text/html; charset=utf-8",
+              "cache-control": "public, max-age=300",
+            }),
+          );
         },
       });
     }

package/src/legal-pages/markdown.ts

@@ -1,57 +1,7 @@
-import { escapeHtml, escapeHtmlAttr } from "@cosmicdrift/kumiko-headless";
-import { Marked } from "marked";
+// Re-export aus dem geteilten page-render-Kern (managed-pages nutzt
+// denselben gehärteten Renderer + Default-Layout). Namen bleiben stabil
+// für legal-pages' Public-API (index.ts exportiert renderMarkdownToHtml +
+// wrapInLayout).
 
-// Markdown→HTML mit eigener `marked`-Instance. GFM aus, breaks aus —
-// Legal-Pages sind strukturiert genug dass GFM-Tables/Strikethrough/
-// Task-Lists nicht nötig sind. Headers + Listen + Links + Code reichen.
-//
-// Instance statt globaler `marked.setOptions()` damit andere Features
-// die `marked` als runtime-dep nutzen ihre eigenen Optionen behalten —
-// modul-level side-effect auf shared library wäre brittle bei mehreren
-// Konsumenten.
-//
-// XSS-Schutz: marked rendered tags 1:1, also kann ein böswilliger Text-
-// Editor (TenantAdmin) <script>-Tags reinschreiben. Aktuell akzeptiert
-// weil nur trusted Roles (TenantAdmin/SystemAdmin) Texte setzen können —
-// bei einem Multi-Author-Setup müsste DOMPurify oder isomorphic-dompurify
-// dazu. Dokumentiert in README, Phase-2-Hardening.
-const markdownRenderer = new Marked({
-  gfm: false,
-  breaks: false,
-});
-
-export function renderMarkdownToHtml(markdown: string): string {
-  // @cast-boundary render-helper marked.parse return-type ist
-  // `string | Promise<string>` — mit `{ async: false }` runtime-garantiert
-  // sync (string). Cast nur API-Vertragsfix, kein Type-Loss.
-  return markdownRenderer.parse(markdown, { async: false }) as string;
-}
-
-// Layout-Wrapper für Legal-Pages — minimaler HTML-Skeleton mit Inline-
-// CSS damit die Pages auch ohne App-Layout sauber aussehen. Apps die
-// das in ihr eigenes Layout integrieren wollen, nutzen text-content's
-// by-slug-query direkt und rendern selbst.
-export function wrapInLayout(opts: { title: string; bodyHtml: string; lang: string }): string {
-  return `<!doctype html>
-<html lang="${escapeHtmlAttr(opts.lang)}">
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<title>${escapeHtml(opts.title)}</title>
-<style>
-  body { font-family: system-ui, -apple-system, sans-serif; max-width: 720px;
-         margin: 2rem auto; padding: 0 1rem; line-height: 1.6; color: #222; }
-  h1, h2, h3 { line-height: 1.2; margin-top: 2rem; }
-  h1 { font-size: 1.8rem; } h2 { font-size: 1.4rem; } h3 { font-size: 1.15rem; }
-  a { color: #0066cc; }
-  code { background: #f4f4f4; padding: 0.1rem 0.3rem; border-radius: 3px; }
-  hr { border: 0; border-top: 1px solid #ddd; margin: 2rem 0; }
-</style>
-</head>
-<body>
-<main>
-${opts.bodyHtml}
-</main>
-</body>
-</html>`;
-}
+export { wrapInLayout } from "../page-render/layout";
+export { renderSafeMarkdown as renderMarkdownToHtml } from "../page-render/markdown";

package/src/legal-pages/security-headers.ts

@@ -0,0 +1 @@
+export { securePageHeaders } from "../page-render/security-headers";