@cosmicdrift/kumiko-bundled-features 0.55.1 → 0.56.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.55.1",
+  "version": "0.56.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -80,11 +80,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.50.0",
-    "@cosmicdrift/kumiko-framework": "0.50.0",
-    "@cosmicdrift/kumiko-headless": "0.50.0",
-    "@cosmicdrift/kumiko-renderer": "0.50.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.50.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.55.1",
+    "@cosmicdrift/kumiko-framework": "0.55.1",
+    "@cosmicdrift/kumiko-headless": "0.55.1",
+    "@cosmicdrift/kumiko-renderer": "0.55.1",
+    "@cosmicdrift/kumiko-renderer-web": "0.55.1",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/config/__tests__/config.integration.test.ts

@@ -1,6 +1,6 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEncryptionProvider,
   type DbConnection,
@@ -370,6 +370,61 @@ describe("Settings-Hub system-scope write by a human SystemAdmin", () => {
     expect(await sysAccessor()("integration:config:system-secret")).toBe("sk_live_roundtrip");
   });
 
+  // Prod scenario: the value already EXISTS (Stripe screen with stored keys),
+  // SystemAdmin clicks Speichern → set.write takes the executor.update path,
+  // not create. That path was never covered → version-conflict surfaced only
+  // in prod. Three consecutive re-saves catch a stale-version regression.
+  test("re-saving an existing plain config key (update path) does not version-conflict", async () => {
+    for (const value of [false, true, false]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:billing-live", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:billing-live")).toBe(value);
+    }
+  });
+
+  test("re-saving an existing secrets-backed key (update path) does not version-conflict", async () => {
+    for (const value of ["sk_live_v2", "sk_live_v3"]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:system-secret", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:system-secret")).toBe(value);
+    }
+  });
+
+  test("save survives a projection/stream version desync (the prod cut-over symptom)", async () => {
+    // Reproduces admin.publicstatus.eu: a config value whose read-row version
+    // drifted from its event-stream version (migration wrote the row outside
+    // the event flow). With optimistic locking this version-conflicts on every
+    // save. The handler now skips the lock and appends at the real stream
+    // version, so the save succeeds AND the projection resyncs.
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "integration:config:billing-live", value: true, scope: "system" },
+      systemAdmin,
+    );
+    // Corrupt the projection version so it no longer matches the stream.
+    await asRawClient(db).unsafe(
+      "UPDATE read_config_values SET version = version + 5 WHERE key = 'integration:config:billing-live'",
+    );
+
+    // Two consecutive saves: the first proves the lock is bypassed, the second
+    // proves the projection actually resynced (a stale version wouldn't drift
+    // back into conflict).
+    for (const value of [false, true]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:billing-live", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:billing-live")).toBe(value);
+    }
+  });
+
   test("a plain tenant Admin is denied the privileged key (not via system-only)", async () => {
     const error = await stack.http.writeErr(
       ConfigHandlers.set,

package/src/config/constants.ts

@@ -22,6 +22,7 @@ export const ConfigErrors = {
   unknownKey: "unknown_config_key",
   systemOnly: "config_key_is_system_only",
   invalidScope: "invalid_scope",
+  systemScopeWriteDenied: "system_scope_write_denied",
   typeError: "type_error",
   invalidOption: "invalid_option",
 } as const;

package/src/config/handlers/__tests__/prepare-config-write.test.ts

@@ -184,6 +184,33 @@ describe("prepareConfigWrite", () => {
     expect(result.tenantId).toBe("t-99");
     expect(result.userId).toBe("u-99");
   });
+
+  test("TenantAdmin cannot write tenant-scoped key at system scope (platform default row)", () => {
+    const tenantKey = createTenantConfig("text", { write: access.admin });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:smtp-host": tenantKey }),
+      user: userStub(["TenantAdmin"]),
+      key: "ns:config:smtp-host",
+      scope: ConfigScopes.system,
+    });
+    expect(result.ok).toBe(false);
+    if (result.ok) throw new Error("unreachable");
+    expect(result.failure.error.code).toBe("access_denied");
+    expect(result.failure.error.i18nKey).toBe("config.errors.systemScopeWriteDenied");
+  });
+
+  test("SystemAdmin can write tenant-scoped key at system scope", () => {
+    const tenantKey = createTenantConfig("text", { write: access.admin });
+    const result = prepareConfigWrite({
+      registry: registryStub({ "ns:config:smtp-host": tenantKey }),
+      user: userStub(["SystemAdmin"], SYSTEM_TENANT_ID, "sys-1"),
+      key: "ns:config:smtp-host",
+      scope: ConfigScopes.system,
+    });
+    expect(result.ok).toBe(true);
+    if (!result.ok) throw new Error("unreachable");
+    expect(result.scope).toBe(ConfigScopes.system);
+  });
 });
 
 describe("validateBounds", () => {

package/src/config/handlers/set.write.ts

@@ -95,6 +95,14 @@ export const setWrite = defineWriteHandler({
     const existing = await findConfigRow(db, event.payload.key, tenantId, userId);
 
     if (existing) {
+      // skipOptimisticLock: config is single-writer operator state, not a
+      // collaboratively-edited aggregate — last-write-wins is the intended
+      // semantics. More importantly, the optimistic check compares the
+      // PROJECTION version (existing.version) against the event-stream
+      // version; if those drift (a migration/seed that wrote the read-row
+      // outside the normal event flow — e.g. the Stripe config cut-over),
+      // every save would version-conflict forever. Appending at the real
+      // stream version resyncs the projection and self-heals the drift.
       const result = await executor.update(
         {
           id: existing.id,
@@ -103,6 +111,7 @@ export const setWrite = defineWriteHandler({
         },
         event.user,
         db,
+        { skipOptimisticLock: true },
       );
       if (!result.isSuccess) return result;
     } else {

package/src/config/write-helpers.ts

@@ -101,6 +101,9 @@ export function prepareConfigWrite(args: PrepareConfigWriteArgs): PrepareConfigW
   if (writeError) return { ok: false, failure: writeFailure(writeError) };
 
   const scope = requestedScope ?? keyDef.scope;
+  const scopeWriteError = checkScopeWriteAccess(scope, user.roles);
+  if (scopeWriteError) return { ok: false, failure: writeFailure(scopeWriteError) };
+
   const { tenantId, userId } = resolveScopeIds(scope, user.tenantId, user.id);
   return { ok: true, keyDef, scope, tenantId, userId };
 }
@@ -141,6 +144,24 @@ export function checkWriteAccess(
   });
 }
 
+/**
+ * Level-aware write gate: writing the system-row (platform default) requires
+ * SystemAdmin even when the key's flat write-set includes TenantAdmin.
+ */
+export function checkScopeWriteAccess(
+  scope: ConfigScope,
+  userRoles: readonly string[],
+): KumikoError | null {
+  if (scope !== ConfigScopes.system) return null;
+  if (userRoles.includes(SYSTEM_ROLE)) return null;
+  if (userRoles.includes("SystemAdmin")) return null;
+  return new AccessDeniedError({
+    message: "system-scope config write requires SystemAdmin",
+    i18nKey: "config.errors.systemScopeWriteDenied",
+    details: { reason: ConfigErrors.systemScopeWriteDenied, scope },
+  });
+}
+
 export function validateScope(
   requestedScope: ConfigScope,
   definedScope: ConfigScope,

package/src/subscription-stripe/__tests__/runtime.test.ts

@@ -20,7 +20,7 @@ const WEBHOOK_SECRET_HANDLE: ConfigKeyHandle<"text"> = {
   type: "text",
 };
 const BILLING_LIVE_HANDLE: ConfigKeyHandle<"boolean"> = {
-  name: "subscription-stripe:config:billingLive",
+  name: "subscription-stripe:config:billing-live",
   type: "boolean",
 };