@cosmicdrift/kumiko-bundled-features 0.56.0 → 0.57.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.56.0",
+  "version": "0.57.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/config/__tests__/config.integration.test.ts

@@ -1,6 +1,6 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { randomBytes } from "node:crypto";
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { asRawClient, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   createEncryptionProvider,
   type DbConnection,
@@ -370,6 +370,61 @@ describe("Settings-Hub system-scope write by a human SystemAdmin", () => {
     expect(await sysAccessor()("integration:config:system-secret")).toBe("sk_live_roundtrip");
   });
 
+  // Prod scenario: the value already EXISTS (Stripe screen with stored keys),
+  // SystemAdmin clicks Speichern → set.write takes the executor.update path,
+  // not create. That path was never covered → version-conflict surfaced only
+  // in prod. Three consecutive re-saves catch a stale-version regression.
+  test("re-saving an existing plain config key (update path) does not version-conflict", async () => {
+    for (const value of [false, true, false]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:billing-live", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:billing-live")).toBe(value);
+    }
+  });
+
+  test("re-saving an existing secrets-backed key (update path) does not version-conflict", async () => {
+    for (const value of ["sk_live_v2", "sk_live_v3"]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:system-secret", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:system-secret")).toBe(value);
+    }
+  });
+
+  test("save survives a projection/stream version desync (the prod cut-over symptom)", async () => {
+    // Reproduces admin.publicstatus.eu: a config value whose read-row version
+    // drifted from its event-stream version (migration wrote the row outside
+    // the event flow). With optimistic locking this version-conflicts on every
+    // save. The handler now skips the lock and appends at the real stream
+    // version, so the save succeeds AND the projection resyncs.
+    await stack.http.writeOk(
+      ConfigHandlers.set,
+      { key: "integration:config:billing-live", value: true, scope: "system" },
+      systemAdmin,
+    );
+    // Corrupt the projection version so it no longer matches the stream.
+    await asRawClient(db).unsafe(
+      "UPDATE read_config_values SET version = version + 5 WHERE key = 'integration:config:billing-live'",
+    );
+
+    // Two consecutive saves: the first proves the lock is bypassed, the second
+    // proves the projection actually resynced (a stale version wouldn't drift
+    // back into conflict).
+    for (const value of [false, true]) {
+      await stack.http.writeOk(
+        ConfigHandlers.set,
+        { key: "integration:config:billing-live", value, scope: "system" },
+        systemAdmin,
+      );
+      expect(await sysAccessor()("integration:config:billing-live")).toBe(value);
+    }
+  });
+
   test("a plain tenant Admin is denied the privileged key (not via system-only)", async () => {
     const error = await stack.http.writeErr(
       ConfigHandlers.set,

package/src/config/handlers/__tests__/prepare-config-write.test.ts

@@ -211,6 +211,69 @@ describe("prepareConfigWrite", () => {
     if (!result.ok) throw new Error("unreachable");
     expect(result.scope).toBe(ConfigScopes.system);
   });
+
+  // #396: a tenant self-service key (admin-editable) that provisioning /
+  // migration must ALSO set via ctx.systemWriteAs. access.withSystem(admin)
+  // adds SYSTEM_ROLE without collapsing the key to system-only.
+  describe("access.withSystem (provisionable tenant key)", () => {
+    const provisionableKey = createTenantConfig("text", {
+      write: access.withSystem(access.admin),
+    });
+    const registry = registryStub({ "ns:config:branding-title": provisionableKey });
+
+    test("the system actor (systemWriteAs roles) may provision it", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub([SYSTEM_ROLE]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(true);
+      if (!result.ok) throw new Error("unreachable");
+      expect(result.keyDef).toBe(provisionableKey);
+    });
+
+    test("a tenant admin still self-services it (NOT collapsed to system-only)", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub(["TenantAdmin"]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(true);
+      if (!result.ok) throw new Error("unreachable");
+      expect(result.scope).toBe(ConfigScopes.tenant);
+    });
+
+    test("an unrelated role is still denied (generic, not system-only)", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub(["ReadOnly"]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(false);
+      if (result.ok) throw new Error("unreachable");
+      expect(result.failure.error.code).toBe("access_denied");
+      expect(result.failure.error.i18nKey).not.toBe("config.errors.systemOnly");
+    });
+  });
+});
+
+describe("access.withSystem", () => {
+  test("prepends SYSTEM_ROLE and preserves the composed roles", () => {
+    expect(access.withSystem(access.admin)).toEqual([
+      SYSTEM_ROLE,
+      "TenantAdmin",
+      "Admin",
+      "SystemAdmin",
+    ]);
+  });
+
+  test("composes arbitrary custom roles (studio's own role lists)", () => {
+    expect(access.withSystem(access.roles("Editor", "Owner"))).toEqual([
+      SYSTEM_ROLE,
+      "Editor",
+      "Owner",
+    ]);
+  });
 });
 
 describe("validateBounds", () => {

package/src/config/handlers/set.write.ts

@@ -95,6 +95,14 @@ export const setWrite = defineWriteHandler({
     const existing = await findConfigRow(db, event.payload.key, tenantId, userId);
 
     if (existing) {
+      // skipOptimisticLock: config is single-writer operator state, not a
+      // collaboratively-edited aggregate — last-write-wins is the intended
+      // semantics. More importantly, the optimistic check compares the
+      // PROJECTION version (existing.version) against the event-stream
+      // version; if those drift (a migration/seed that wrote the read-row
+      // outside the normal event flow — e.g. the Stripe config cut-over),
+      // every save would version-conflict forever. Appending at the real
+      // stream version resyncs the projection and self-heals the drift.
       const result = await executor.update(
         {
           id: existing.id,
@@ -103,6 +111,7 @@ export const setWrite = defineWriteHandler({
         },
         event.user,
         db,
+        { skipOptimisticLock: true },
       );
       if (!result.isSuccess) return result;
     } else {

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -1,4 +1,5 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { createSystemUser } from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
@@ -396,6 +397,30 @@ describe("managed-pages :: Branding (Config + Render)", () => {
     expect(htmlB).not.toContain("cdn-a.example.com");
     expect(htmlB).not.toContain("Acme A");
   });
+
+  // #396 — the actual gate: a provisioning/migration seed sets a tenant
+  // branding key via the system executor. createSystemUser(tenant) is the
+  // exact identity ctx.systemWriteAs injects (roles=[SYSTEM_ROLE]); stack.
+  // dispatcher is the same command path systemWriteAs drives. Before the
+  // access.withSystem(access.admin) write-role, this returned access_denied
+  // (forcing the publicstatus migration onto raw SQL). Drives the REAL
+  // config:write:set handler end-to-end and reads the value back per tenant —
+  // a unit test on checkWriteAccess alone wouldn't prove the handler accepts it.
+  test("system executor provisions a branding key (systemWriteAs path), read back per tenant", async () => {
+    const res = await stack.dispatcher.write(
+      "config:write:set",
+      { key: BRANDING_QN.title, value: "Provisioned by system" },
+      createSystemUser(TENANT_A),
+    );
+    expect(res.isSuccess).toBe(true);
+
+    const branding = await stack.http.queryOk<{ title: string }>(BRANDING_QUERY_QN, {}, adminA);
+    expect(branding.title).toBe("Provisioned by system");
+
+    // The provisioned value lands on TENANT_A only — not leaked to TENANT_B.
+    const brandingB = await stack.http.queryOk<{ title: string }>(BRANDING_QUERY_QN, {}, adminB);
+    expect(brandingB.title).not.toBe("Provisioned by system");
+  });
 });
 
 // Eigener Stack mit allowCustomCss:true + dem Companion-Toggle-Feature. Der

package/src/managed-pages/branding.ts

@@ -1,4 +1,5 @@
 import {
+  access,
   type ConfigAccessor,
   type ConfigKeyDefinition,
   createTenantConfig,
@@ -14,8 +15,14 @@ import { type BrandingTokens, EMPTY_BRANDING } from "../page-render";
 // Write-validated: accent-color must be a CSS hex, logo/site URLs must be
 // https. The configEdit screen dispatches `config:write:set` per key, which
 // runs the keyDef.pattern gate (set.write.ts → validatePattern). `read: all`
-// (scope default) so the anonymous public-render path can read them;
-// `write: admin` (TenantAdmin/Admin/SystemAdmin, also the scope default).
+// (scope default) so the anonymous public-render path can read them.
+//
+// `write: access.withSystem(access.admin)` — tenant admins self-service via
+// configEdit AND the system actor (ctx.systemWriteAs) may provision/migrate
+// these keys. The scope default (`access.admin`, admin-only) has no system
+// path, so a continuity migration could not set them (issue #396). Adding
+// SYSTEM_ROLE keeps the keys human-writable (checkWriteAccess collapses to
+// system-only only when system is the SOLE writer), so self-service survives.
 //
 // CONTINUITY (Phase 5 — Prod trap): these keys land under
 // `managed-pages:config:branding-*`, NOT the live `publicstatus:config:
@@ -55,15 +62,39 @@ export const MANAGED_PAGES_CSS_FEATURE = "managed-pages-css";
 // site-url`. BRANDING_QN below is the single source those QN strings are read
 // from (configEdit screen + render read); the integration test pins write-
 // target == read-source end-to-end.
+// Admin self-service + system provisioning (see write-access note above, #396).
+const BRANDING_WRITE = access.withSystem(access.admin);
+
 export const BRANDING_KEYS = {
-  brandingTitle: createTenantConfig("text", { default: "", pattern: TITLE_PATTERN }),
-  brandingDescription: createTenantConfig("text", { default: "", pattern: DESCRIPTION_PATTERN }),
-  brandingSiteUrl: createTenantConfig("text", { default: "", pattern: HTTPS_PATTERN }),
-  brandingAccentColor: createTenantConfig("text", { default: "", pattern: HEX_PATTERN }),
-  brandingLogoUrl: createTenantConfig("text", { default: "", pattern: HTTPS_PATTERN }),
+  brandingTitle: createTenantConfig("text", {
+    default: "",
+    pattern: TITLE_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingDescription: createTenantConfig("text", {
+    default: "",
+    pattern: DESCRIPTION_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingSiteUrl: createTenantConfig("text", {
+    default: "",
+    pattern: HTTPS_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingAccentColor: createTenantConfig("text", {
+    default: "",
+    pattern: HEX_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingLogoUrl: createTenantConfig("text", {
+    default: "",
+    pattern: HTTPS_PATTERN,
+    write: BRANDING_WRITE,
+  }),
   brandingLayoutPreset: createTenantConfig("select", {
     default: "centered",
     options: LAYOUT_PRESETS,
+    write: BRANDING_WRITE,
   }),
 } satisfies Record<string, ConfigKeyDefinition>;
 

package/src/subscription-stripe/__tests__/runtime.test.ts

@@ -20,7 +20,7 @@ const WEBHOOK_SECRET_HANDLE: ConfigKeyHandle<"text"> = {
   type: "text",
 };
 const BILLING_LIVE_HANDLE: ConfigKeyHandle<"boolean"> = {
-  name: "subscription-stripe:config:billingLive",
+  name: "subscription-stripe:config:billing-live",
   type: "boolean",
 };