@cosmicdrift/kumiko-bundled-features 0.56.1 → 0.57.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.56.1",
+  "version": "0.57.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/config/handlers/__tests__/prepare-config-write.test.ts

@@ -211,6 +211,69 @@ describe("prepareConfigWrite", () => {
     if (!result.ok) throw new Error("unreachable");
     expect(result.scope).toBe(ConfigScopes.system);
   });
+
+  // #396: a tenant self-service key (admin-editable) that provisioning /
+  // migration must ALSO set via ctx.systemWriteAs. access.withSystem(admin)
+  // adds SYSTEM_ROLE without collapsing the key to system-only.
+  describe("access.withSystem (provisionable tenant key)", () => {
+    const provisionableKey = createTenantConfig("text", {
+      write: access.withSystem(access.admin),
+    });
+    const registry = registryStub({ "ns:config:branding-title": provisionableKey });
+
+    test("the system actor (systemWriteAs roles) may provision it", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub([SYSTEM_ROLE]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(true);
+      if (!result.ok) throw new Error("unreachable");
+      expect(result.keyDef).toBe(provisionableKey);
+    });
+
+    test("a tenant admin still self-services it (NOT collapsed to system-only)", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub(["TenantAdmin"]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(true);
+      if (!result.ok) throw new Error("unreachable");
+      expect(result.scope).toBe(ConfigScopes.tenant);
+    });
+
+    test("an unrelated role is still denied (generic, not system-only)", () => {
+      const result = prepareConfigWrite({
+        registry,
+        user: userStub(["ReadOnly"]),
+        key: "ns:config:branding-title",
+      });
+      expect(result.ok).toBe(false);
+      if (result.ok) throw new Error("unreachable");
+      expect(result.failure.error.code).toBe("access_denied");
+      expect(result.failure.error.i18nKey).not.toBe("config.errors.systemOnly");
+    });
+  });
+});
+
+describe("access.withSystem", () => {
+  test("prepends SYSTEM_ROLE and preserves the composed roles", () => {
+    expect(access.withSystem(access.admin)).toEqual([
+      SYSTEM_ROLE,
+      "TenantAdmin",
+      "Admin",
+      "SystemAdmin",
+    ]);
+  });
+
+  test("composes arbitrary custom roles (studio's own role lists)", () => {
+    expect(access.withSystem(access.roles("Editor", "Owner"))).toEqual([
+      SYSTEM_ROLE,
+      "Editor",
+      "Owner",
+    ]);
+  });
 });
 
 describe("validateBounds", () => {

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -1,4 +1,5 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { createSystemUser } from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
@@ -396,6 +397,30 @@ describe("managed-pages :: Branding (Config + Render)", () => {
     expect(htmlB).not.toContain("cdn-a.example.com");
     expect(htmlB).not.toContain("Acme A");
   });
+
+  // #396 — the actual gate: a provisioning/migration seed sets a tenant
+  // branding key via the system executor. createSystemUser(tenant) is the
+  // exact identity ctx.systemWriteAs injects (roles=[SYSTEM_ROLE]); stack.
+  // dispatcher is the same command path systemWriteAs drives. Before the
+  // access.withSystem(access.admin) write-role, this returned access_denied
+  // (forcing the publicstatus migration onto raw SQL). Drives the REAL
+  // config:write:set handler end-to-end and reads the value back per tenant —
+  // a unit test on checkWriteAccess alone wouldn't prove the handler accepts it.
+  test("system executor provisions a branding key (systemWriteAs path), read back per tenant", async () => {
+    const res = await stack.dispatcher.write(
+      "config:write:set",
+      { key: BRANDING_QN.title, value: "Provisioned by system" },
+      createSystemUser(TENANT_A),
+    );
+    expect(res.isSuccess).toBe(true);
+
+    const branding = await stack.http.queryOk<{ title: string }>(BRANDING_QUERY_QN, {}, adminA);
+    expect(branding.title).toBe("Provisioned by system");
+
+    // The provisioned value lands on TENANT_A only — not leaked to TENANT_B.
+    const brandingB = await stack.http.queryOk<{ title: string }>(BRANDING_QUERY_QN, {}, adminB);
+    expect(brandingB.title).not.toBe("Provisioned by system");
+  });
 });
 
 // Eigener Stack mit allowCustomCss:true + dem Companion-Toggle-Feature. Der

package/src/managed-pages/branding.ts

@@ -1,4 +1,5 @@
 import {
+  access,
   type ConfigAccessor,
   type ConfigKeyDefinition,
   createTenantConfig,
@@ -14,8 +15,14 @@ import { type BrandingTokens, EMPTY_BRANDING } from "../page-render";
 // Write-validated: accent-color must be a CSS hex, logo/site URLs must be
 // https. The configEdit screen dispatches `config:write:set` per key, which
 // runs the keyDef.pattern gate (set.write.ts → validatePattern). `read: all`
-// (scope default) so the anonymous public-render path can read them;
-// `write: admin` (TenantAdmin/Admin/SystemAdmin, also the scope default).
+// (scope default) so the anonymous public-render path can read them.
+//
+// `write: access.withSystem(access.admin)` — tenant admins self-service via
+// configEdit AND the system actor (ctx.systemWriteAs) may provision/migrate
+// these keys. The scope default (`access.admin`, admin-only) has no system
+// path, so a continuity migration could not set them (issue #396). Adding
+// SYSTEM_ROLE keeps the keys human-writable (checkWriteAccess collapses to
+// system-only only when system is the SOLE writer), so self-service survives.
 //
 // CONTINUITY (Phase 5 — Prod trap): these keys land under
 // `managed-pages:config:branding-*`, NOT the live `publicstatus:config:
@@ -55,15 +62,39 @@ export const MANAGED_PAGES_CSS_FEATURE = "managed-pages-css";
 // site-url`. BRANDING_QN below is the single source those QN strings are read
 // from (configEdit screen + render read); the integration test pins write-
 // target == read-source end-to-end.
+// Admin self-service + system provisioning (see write-access note above, #396).
+const BRANDING_WRITE = access.withSystem(access.admin);
+
 export const BRANDING_KEYS = {
-  brandingTitle: createTenantConfig("text", { default: "", pattern: TITLE_PATTERN }),
-  brandingDescription: createTenantConfig("text", { default: "", pattern: DESCRIPTION_PATTERN }),
-  brandingSiteUrl: createTenantConfig("text", { default: "", pattern: HTTPS_PATTERN }),
-  brandingAccentColor: createTenantConfig("text", { default: "", pattern: HEX_PATTERN }),
-  brandingLogoUrl: createTenantConfig("text", { default: "", pattern: HTTPS_PATTERN }),
+  brandingTitle: createTenantConfig("text", {
+    default: "",
+    pattern: TITLE_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingDescription: createTenantConfig("text", {
+    default: "",
+    pattern: DESCRIPTION_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingSiteUrl: createTenantConfig("text", {
+    default: "",
+    pattern: HTTPS_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingAccentColor: createTenantConfig("text", {
+    default: "",
+    pattern: HEX_PATTERN,
+    write: BRANDING_WRITE,
+  }),
+  brandingLogoUrl: createTenantConfig("text", {
+    default: "",
+    pattern: HTTPS_PATTERN,
+    write: BRANDING_WRITE,
+  }),
   brandingLayoutPreset: createTenantConfig("select", {
     default: "centered",
     options: LAYOUT_PRESETS,
+    write: BRANDING_WRITE,
   }),
 } satisfies Record<string, ConfigKeyDefinition>;