@cosmicdrift/kumiko-bundled-features 0.55.0 → 0.55.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.55.0",
+  "version": "0.55.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/config/__tests__/config.integration.test.ts

@@ -175,6 +175,20 @@ const integrationFeature = defineFeature("integration", (r) => {
         default: "initial",
         write: access.roles("Admin"),
       }),
+      // Settings-Hub system-scope proxies for the derived Stripe screen: a
+      // privileged boolean (billing-live = machine OR human-SystemAdmin) and
+      // an encrypted system secret (api-key). Both are surfaced to a human
+      // SystemAdmin by build-config-feature-schema and must be SET-able by them.
+      billingLive: createSystemConfig("boolean", {
+        default: false,
+        write: access.privileged,
+        read: access.admin,
+      }),
+      systemSecret: createSystemConfig("text", {
+        write: access.systemAdmin,
+        read: access.systemAdmin,
+        encrypted: true,
+      }),
     },
   });
 });
@@ -330,6 +344,42 @@ describe("scenario 1: system-scoped service URL", () => {
   });
 });
 
+// Settings-Hub round-trip: a human SystemAdmin saves the system-scope keys
+// the derived configEdit screen surfaces (privileged boolean + encrypted
+// secret), then reads them back. Regression for the checkWriteAccess bug
+// that rejected the operator on a `privileged` key with config.errors.systemOnly.
+describe("Settings-Hub system-scope write by a human SystemAdmin", () => {
+  const sysAccessor = () =>
+    createConfigAccessor(stack.registry, resolver, systemAdmin.tenantId, systemAdmin.id, db);
+
+  test("saves a privileged boolean (billing-live) and reads it back", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "integration:config:billing-live", value: true, scope: "system" },
+      systemAdmin,
+    );
+    expect(await sysAccessor()("integration:config:billing-live")).toBe(true);
+  });
+
+  test("saves an encrypted system secret (api-key) and reads it back decrypted", async () => {
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "integration:config:system-secret", value: "sk_live_roundtrip", scope: "system" },
+      systemAdmin,
+    );
+    expect(await sysAccessor()("integration:config:system-secret")).toBe("sk_live_roundtrip");
+  });
+
+  test("a plain tenant Admin is denied the privileged key (not via system-only)", async () => {
+    const error = await stack.http.writeErr(
+      ConfigHandlers.set,
+      { key: "integration:config:billing-live", value: false, scope: "system" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+});
+
 // --- Scenario 2: Mail Server — system default + tenant override ---
 
 describe("scenario 2: tenant-scoped mail server with system fallback", () => {

package/src/config/handlers/__tests__/prepare-config-write.test.ts

@@ -105,6 +105,40 @@ describe("prepareConfigWrite", () => {
     expect(result.failure.error.i18nKey).toBe("config.errors.systemOnly");
   });
 
+  test("privileged key (system + SystemAdmin) is writable by a human SystemAdmin", () => {
+    // The derived configEdit screen surfaces a `access.privileged`
+    // (`["system","SystemAdmin"]`) key to a human SystemAdmin (e.g. Stripe
+    // billing-live). The write must succeed — "system in the write-set"
+    // means machine-OR-operator, not machine-only.
+    const privilegedKey = createSystemConfig("boolean", { write: access.privileged });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:billing-live": privilegedKey }),
+      user: userStub(["SystemAdmin"], SYSTEM_TENANT_ID, "sysadmin-1"),
+      key: "ns:config:billing-live",
+      scope: ConfigScopes.system,
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.keyDef).toBe(privilegedKey);
+  });
+
+  test("privileged key stays blocked for a non-SystemAdmin human (generic denied, not system-only)", () => {
+    // Security: the human half of `privileged` is SystemAdmin only — a plain
+    // Admin must NOT inherit it. And the error is the generic access-denied,
+    // not systemOnly (the key has a human writer, it just isn't this user).
+    const privilegedKey = createSystemConfig("boolean", { write: access.privileged });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:billing-live": privilegedKey }),
+      user: userStub(["Admin"]),
+      key: "ns:config:billing-live",
+      scope: ConfigScopes.system,
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.error.code).toBe("access_denied");
+    expect(result.failure.error.i18nKey).not.toBe("config.errors.systemOnly");
+  });
+
   test("ok-path falls back to the key's declared scope when no scope is passed", () => {
     const result = prepareConfigWrite({
       registry: registryStub({ "ns:config:foo": TENANT_KEY_DEF }),

package/src/config/web/i18n.ts

@@ -15,11 +15,17 @@ export const defaultTranslations: TranslationsByLocale = {
     "config.settings.system": "Plattform",
     "config.settings.tenant": "Organisation",
     "config.settings.user": "Persönlich",
+    "config.errors.systemOnly": "Dieser Wert kann nur vom System gesetzt werden.",
+    "config.errors.invalidScope": "Diese Ebene ist für diesen Schlüssel nicht zulässig.",
+    "config.errors.unknownKey": "Unbekannter Konfigurationsschlüssel.",
   },
   en: {
     "config.settings.title": "Settings",
     "config.settings.system": "Platform",
     "config.settings.tenant": "Organization",
     "config.settings.user": "Personal",
+    "config.errors.systemOnly": "This value can only be set by the system.",
+    "config.errors.invalidScope": "This scope is not allowed for this key.",
+    "config.errors.unknownKey": "Unknown configuration key.",
   },
 };

package/src/config/write-helpers.ts

@@ -117,26 +117,28 @@ export function checkWriteAccess(
   keyDef: ConfigKeyDefinition,
   userRoles: readonly string[],
 ): KumikoError | null {
-  if (keyDef.access.write.includes(SYSTEM_ROLE)) {
-    // Pre-ES the system-only block was absolute — out-of-band writes went
-    // through resolver.set, bypassing the whole access layer. Post-ES
-    // every write flows through this handler + executor, so the escape
-    // hatch becomes explicit: SYSTEM_ROLE (jobs / seeds / framework-
-    // internal work) may write; everyone else is rejected.
-    if (userRoles.includes(SYSTEM_ROLE)) return null;
+  // Direct grant first: matches SYSTEM_ROLE for the machine actor (jobs /
+  // seeds / framework-internal work) AND a human role (e.g. SystemAdmin)
+  // that the write-set lists. A privileged key (`["system", "SystemAdmin"]`)
+  // is therefore writable by BOTH — the escape hatch and the operator —
+  // which is what the derived configEdit screen (build-config-feature-schema
+  // scopedKeysAt) already assumes when it surfaces the key to a human.
+  if (hasConfigAccess(keyDef.access.write, userRoles)) return null;
+  // No direct grant. A key whose only writer is SYSTEM_ROLE is machine-only
+  // (the `access.system` preset): no human may write it, distinct error so
+  // the UI can explain "operator/job-only".
+  const humanWriters = keyDef.access.write.filter((role) => role !== SYSTEM_ROLE);
+  if (humanWriters.length === 0) {
     return new AccessDeniedError({
       message: "config key is system-only",
       i18nKey: "config.errors.systemOnly",
       details: { reason: ConfigErrors.systemOnly },
     });
   }
-  if (!hasConfigAccess(keyDef.access.write, userRoles)) {
-    return new AccessDeniedError({
-      message: "config write access denied",
-      details: { requiredRoles: keyDef.access.write },
-    });
-  }
-  return null;
+  return new AccessDeniedError({
+    message: "config write access denied",
+    details: { requiredRoles: keyDef.access.write },
+  });
 }
 
 export function validateScope(