@cosmicdrift/kumiko-bundled-features 0.57.2 → 0.60.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.57.2",
+  "version": "0.60.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -26,9 +26,11 @@
     "./readiness": "./src/readiness/index.ts",
     "./jobs": "./src/jobs/index.ts",
     "./tier-engine": "./src/tier-engine/index.ts",
+    "./tier-engine/web": "./src/tier-engine/web/index.ts",
     "./cap-counter": "./src/cap-counter/index.ts",
     "./custom-fields": "./src/custom-fields/index.ts",
     "./custom-fields/web": "./src/custom-fields/web/index.ts",
+    "./tags": "./src/tags/index.ts",
     "./billing-foundation": "./src/billing-foundation/index.ts",
     "./subscription-stripe": "./src/subscription-stripe/index.ts",
     "./subscription-mollie": "./src/subscription-mollie/index.ts",
@@ -72,6 +74,7 @@
     "./text-content/seeding": "./src/text-content/seeding.ts",
     "./text-content/web": "./src/text-content/web/index.ts",
     "./template-resolver": "./src/template-resolver/index.ts",
+    "./template-resolver/testing": "./src/template-resolver/testing.ts",
     "./renderer-foundation": "./src/renderer-foundation/index.ts",
     "./legal-pages": "./src/legal-pages/index.ts",
     "./legal-pages/web": "./src/legal-pages/web/index.ts",
@@ -80,18 +83,18 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.55.1",
-    "@cosmicdrift/kumiko-framework": "0.55.1",
-    "@cosmicdrift/kumiko-headless": "0.55.1",
-    "@cosmicdrift/kumiko-renderer": "0.55.1",
-    "@cosmicdrift/kumiko-renderer-web": "0.55.1",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.57.2",
+    "@cosmicdrift/kumiko-framework": "0.57.2",
+    "@cosmicdrift/kumiko-headless": "0.57.2",
+    "@cosmicdrift/kumiko-renderer": "0.57.2",
+    "@cosmicdrift/kumiko-renderer-web": "0.57.2",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",
     "clsx": "^2.1.1",
     "lucide-react": "^1.14.0",
     "marked": "^18.0.3",
-    "nodemailer": "^8.0.7",
+    "nodemailer": "^9.0.1",
     "react": "^19.2.6",
     "stripe": "^22.1.1",
     "tailwind-merge": "^3.6.0"

package/src/auth-email-password/i18n.ts

@@ -40,6 +40,7 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.signupEmailAlreadyRegistered":
       "Für diese E-Mail-Adresse existiert bereits ein Konto. Bitte logge dich ein oder setze dein Passwort zurück.",
     "auth.errors.unknownError": "Etwas ist schief gegangen. Bitte erneut versuchen.",
+    "auth.errors.originNotAllowed": "Zugriff von dieser Herkunft ist nicht erlaubt.",
     "auth.forgotPassword.title": "Passwort zurücksetzen",
     "auth.forgotPassword.intro":
       "Gib deine E-Mail-Adresse ein. Falls ein Konto existiert, schicken wir dir einen Reset-Link.",
@@ -140,6 +141,7 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.signupEmailAlreadyRegistered":
       "An account already exists for this email. Please sign in or reset your password.",
     "auth.errors.unknownError": "Something went wrong. Please try again.",
+    "auth.errors.originNotAllowed": "Requests from this origin are not allowed.",
     "auth.forgotPassword.title": "Reset password",
     "auth.forgotPassword.intro":
       "Enter your email. If an account exists, we'll send you a reset link.",

package/src/config/__tests__/app-override-visibility.integration.test.ts

@@ -100,8 +100,14 @@ describe("ENV→app-override bridge — config:query:values", () => {
 
   test("leak guard: inheritedToTenant:false hides the ENV app-override from a tenant", async () => {
     const res = await stack.http.queryOk<Values>(ConfigQueries.values, {}, tenantAdmin);
+    expect(res[API_BASE]).toBeDefined();
     expect(res[API_BASE]?.value).not.toBe("https://internal.example.com");
     expect(res[API_BASE]?.source).not.toBe("app-override");
+    // Positive anchor: API_BASE has no keyDef.default → after redaction the key
+    // resolves as genuinely unset ("missing"), NOT absent for some other reason
+    // (e.g. an access-deny would drop the key entirely and leave the negative
+    // asserts above vacuously green).
+    expect(res[API_BASE]?.source).toBe("missing");
   });
 });
 

package/src/config/__tests__/backing-secrets.integration.test.ts

@@ -167,6 +167,44 @@ describe("config backing=secrets — read dispatch", () => {
   });
 });
 
+describe("config backing=secrets — fail-loud when secrets unwired", () => {
+  // The PR's central safety promise: a backing="secrets" key throws loudly at
+  // request time when ctx.secrets is absent — it never silently degrades into
+  // a config_values write. One write exercises the set.write throw site; the
+  // resolver and reset.write guards share the identical `!ctx.secrets` shape.
+  test("set on a backing=secrets key throws internal_error when ctx.secrets is absent", async () => {
+    const unwired = await setupTestStack({
+      features: [createConfigFeature(), billingFeature],
+      extraContext: ({ registry }) => {
+        const resolver = createConfigResolver();
+        return {
+          configResolver: resolver,
+          _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+          // No `secrets` — the backing="secrets" path must fail loudly.
+        };
+      },
+    });
+    await unsafePushTables(unwired.db, { configValuesTable, tenantSecretsTable });
+    await createEventsTable(unwired.db);
+
+    try {
+      const err = await unwired.http.writeErr(
+        ConfigHandlers.set,
+        { key: API_KEY, value: "sk-live-should-not-persist", scope: "system" },
+        systemAdmin,
+      );
+      expect(err.code).toBe("internal_error");
+      expect(err.httpStatus).toBe(500);
+
+      // It must NOT have silently fallen back to a config_values row.
+      const configRows = await selectMany(unwired.db, configValuesTable, { key: API_KEY });
+      expect(configRows).toHaveLength(0);
+    } finally {
+      await unwired.cleanup();
+    }
+  });
+});
+
 describe("config backing=secrets — reset dispatch", () => {
   test("reset clears the secret; the key falls back to unset", async () => {
     await stack.http.writeOk(ConfigHandlers.reset, { key: API_KEY, scope: "system" }, systemAdmin);

package/src/config/__tests__/inherited-redaction.integration.test.ts

@@ -34,6 +34,7 @@ const tenantAdmin = createTestUser({ id: 2 }); // roles ["Admin"], same tenant
 const SMTP_HOST = "platform:config:smtp-host";
 const SMTP_PASS = "platform:config:smtp-pass";
 const LIST_HITS = "platform:config:list-hits";
+const LIST_CAP = "platform:config:list-cap";
 
 const configFeature = createConfigFeature();
 
@@ -60,6 +61,16 @@ const platformFeature = defineFeature("platform", (r) => {
         write: access.systemAdmin,
         read: access.admin,
       }),
+      // Control: default inheritance WITH a set system-row value — proves a
+      // tenant receives the inherited system-row value (not just the
+      // keyDef.default fallback). The default (5) differs from the seeded
+      // system-row (42) so a broken pass-through can't masquerade as the
+      // default.
+      listCap: createSystemConfig("number", {
+        default: 5,
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
     },
   });
 });
@@ -90,6 +101,11 @@ beforeAll(async () => {
     { key: SMTP_PASS, value: "s3cr3t-password", scope: "system" },
     systemAdmin,
   );
+  await stack.http.writeOk(
+    ConfigHandlers.set,
+    { key: LIST_CAP, value: 42, scope: "system" },
+    systemAdmin,
+  );
 });
 
 afterAll(async () => {
@@ -152,6 +168,19 @@ describe("inheritedToTenant redaction — config:query:cascade", () => {
     );
     expect(res[LIST_HITS]?.value).toBe(10);
   });
+
+  test("control: a SET system-row value is inherited by tenants (not the default)", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [LIST_CAP] },
+      tenantAdmin,
+    );
+    // 42 = seeded system-row value; would be 5 (keyDef.default) if pass-through
+    // for non-redacted keys were broken.
+    expect(res[LIST_CAP]?.value).toBe(42);
+    expect(systemLevel(res, LIST_CAP)?.value).toBe(42);
+    expect(systemLevel(res, LIST_CAP)?.hasValue).toBe(true);
+  });
 });
 
 describe("inheritedToTenant redaction — config:query:values", () => {

package/src/config/handlers/cascade.query.ts

@@ -5,11 +5,9 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { requireConfigResolver } from "../feature";
-import { redactInheritedCascade, shouldRedactInherited } from "../read-redaction";
+import { MASKED, redactInheritedCascade, shouldRedactInherited } from "../read-redaction";
 import { hasConfigAccess } from "../write-helpers";
 
-const MASKED = "••••••";
-
 export const cascadeQuery = defineQueryHandler({
   name: "cascade",
   schema: z.object({

package/src/config/handlers/readiness.query.ts

@@ -101,6 +101,12 @@ export async function collectMissingRequiredConfig(
     ctx.secrets,
   );
   for (const [qualifiedKey, keyDef] of candidates) {
+    // Deliberately the unredacted cascade value: readiness asks "does this
+    // tenant functionally have the value?", and an inheritedToTenant:false key
+    // set only at system-level IS inherited (the resolver ignores
+    // inheritedToTenant — that flag only redacts the value queries' display).
+    // Redacting here would report a working key as missing. The is-set bit this
+    // exposes is intentional; see read-redaction.ts.
     const value = cascades.get(qualifiedKey)?.value;
     if (isUnset(value, keyDef.type)) {
       missing.push({ key: qualifiedKey, scope: keyDef.scope, type: keyDef.type });

package/src/config/handlers/values.query.ts

@@ -6,11 +6,9 @@ import {
 } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { requireConfigResolver } from "../feature";
-import { redactInheritedCascade, shouldRedactInherited } from "../read-redaction";
+import { MASKED, redactInheritedCascade, shouldRedactInherited } from "../read-redaction";
 import { hasConfigAccess } from "../write-helpers";
 
-const MASKED = "••••••";
-
 export const valuesQuery = defineQueryHandler({
   name: "values",
   schema: z.object({}),

package/src/config/read-redaction.ts

@@ -14,8 +14,19 @@ const OWN_SOURCES: ReadonlySet<ConfigValueSource> = new Set(["user-row", "tenant
 
 // A SystemAdmin owns the platform-level values and may always see them. Every
 // other viewer (TenantAdmin, User) is tenant-side — for an
-// inheritedToTenant:false key they must learn neither the inherited platform
-// value nor that it is set.
+// inheritedToTenant:false key the value-returning read handlers (cascade +
+// values) hide both the inherited platform value and that it is set.
+//
+// Scope note: redaction is display-only. The resolver does NOT consult
+// inheritedToTenant (zero reads in resolver.ts), so the tenant still
+// functionally inherits and uses the value, and config:query:readiness
+// deliberately reports such a key as satisfied (is-set) rather than missing —
+// flagging a working key as missing would nag tenants to set already-
+// functioning config. So "nor that it is set" holds for the value queries, not
+// for the functional readiness rollup. See readiness.query.ts.
+// Shared mask for redacted config values across the read handlers (cascade + values).
+export const MASKED = "••••••";
+
 export function mayViewInheritedValue(roles: readonly string[]): boolean {
   return roles.includes(SYSTEM_ADMIN_ROLE);
 }

package/src/custom-fields/__tests__/feature.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, test } from "bun:test";
 import { fieldDefinitionAggregateId } from "../aggregate-id";
 import { SUPPORTED_FIELD_TYPES } from "../constants";
-import { createCustomFieldsFeature } from "../feature";
+import { createCustomFieldsFeature, resolveFieldDefinitionListRoles } from "../feature";
 import { defineFieldPayloadSchema, deleteFieldPayloadSchema } from "../schemas";
 
 // B1 unit-tests: feature-shape, schema-validation, aggregate-id determinism.
@@ -156,14 +156,67 @@ describe("createCustomFieldsFeature access-options", () => {
     expect(writeAccess(feature, "define-tenant-field")).toEqual(["TenantAdmin"]);
   });
 
-  test("fieldDefinitionListRoles überschreibt den List-Query (FormSection-Lade-Pfad)", () => {
-    const feature = createCustomFieldsFeature({ fieldDefinitionListRoles: ["Admin", "Editor"] });
+  function listAccess(feature: ReturnType<typeof createCustomFieldsFeature>): readonly string[] {
     const entry = Object.entries(feature.queryHandlers).find(([qn]) =>
       qn.includes("field-definition:list"),
     );
     if (!entry) throw new Error("field-definition:list not registered");
     const access = entry[1].access;
     if (!access || !("roles" in access)) throw new Error("list-query has no roles");
-    expect(access.roles).toEqual(["Admin", "Editor"]);
+    return access.roles;
+  }
+
+  test("fieldDefinitionListRoles überschreibt den List-Query (FormSection-Lade-Pfad)", () => {
+    const feature = createCustomFieldsFeature({ fieldDefinitionListRoles: ["Admin", "Editor"] });
+    expect(listAccess(feature)).toEqual(["Admin", "Editor"]);
+  });
+
+  // #334/2: valueWriteRoles ohne fieldDefinitionListRoles brach asymmetrisch —
+  // Save offen für App-Rollen, aber der List-Lade-Pfad blieb ["TenantAdmin"] →
+  // App-User bekamen access_denied, die FormSection lud nie. Die Value-Rollen
+  // erben jetzt in den List-Default (Union mit dem Default).
+  test("valueWriteRoles erbt in den List-Default wenn fieldDefinitionListRoles fehlt", () => {
+    const feature = createCustomFieldsFeature({ valueWriteRoles: ["Admin", "Editor"] });
+    const roles = listAccess(feature);
+    // Value-Writer können laden …
+    expect(roles).toContain("Admin");
+    expect(roles).toContain("Editor");
+    // … und Admins behalten den List-Zugriff.
+    expect(roles).toContain("TenantAdmin");
+  });
+
+  test("explizite fieldDefinitionListRoles gewinnen über die valueWriteRoles-Vererbung", () => {
+    const feature = createCustomFieldsFeature({
+      valueWriteRoles: ["Admin", "Editor"],
+      fieldDefinitionListRoles: ["Viewer"],
+    });
+    expect(listAccess(feature)).toEqual(["Viewer"]);
+  });
+});
+
+describe("resolveFieldDefinitionListRoles", () => {
+  test("nichts gesetzt → reiner Default", () => {
+    expect(resolveFieldDefinitionListRoles({})).toEqual(["TenantAdmin"]);
+  });
+
+  test("valueWriteRoles gesetzt, list ungesetzt → Union mit Default, dedupliziert", () => {
+    expect(resolveFieldDefinitionListRoles({ valueWriteRoles: ["Admin", "Editor"] })).toEqual([
+      "Admin",
+      "Editor",
+      "TenantAdmin",
+    ]);
+    // TenantAdmin schon in valueWriteRoles → keine Dublette.
+    expect(resolveFieldDefinitionListRoles({ valueWriteRoles: ["TenantAdmin", "Editor"] })).toEqual(
+      ["TenantAdmin", "Editor"],
+    );
+  });
+
+  test("explizite list-Rollen gewinnen immer (auch über valueWriteRoles)", () => {
+    expect(
+      resolveFieldDefinitionListRoles({
+        valueWriteRoles: ["Admin"],
+        fieldDefinitionListRoles: ["Viewer"],
+      }),
+    ).toEqual(["Viewer"]);
   });
 });

package/src/custom-fields/feature.ts

@@ -171,11 +171,27 @@ export type CustomFieldsFeatureOptions = {
    *  das setzen, sonst ist der Value-Save für jeden App-User
    *  access_denied (Role-Naming-Drift). */
   readonly valueWriteRoles?: readonly string[];
-  /** Rollen für custom-fields:query:field-definition:list — der
-   *  Lade-Pfad der CustomFieldsFormSection. Default ["TenantAdmin"]. */
+  /** Rollen für custom-fields:query:field-definition:list — der Lade-Pfad
+   *  der CustomFieldsFormSection. Default ["TenantAdmin"]. Wird valueWriteRoles
+   *  gesetzt, dies aber NICHT, erben die Value-Rollen hier hinein (Union mit
+   *  dem Default, damit Admins den List-Zugriff behalten) — sonst lädt die
+   *  FormSection für Value-Writer nie (access_denied), während der Save-Pfad
+   *  offen wäre (#334/2, asymmetrischer Bruch). */
   readonly fieldDefinitionListRoles?: readonly string[];
 };
 
+// Der List-Pfad muss jeden abdecken, der Values schreiben darf — sonst lädt die
+// FormSection nie. Explizite fieldDefinitionListRoles gewinnen; sonst: gesetzte
+// valueWriteRoles erben in den List-Default (Union mit dem Default), ungesetzte
+// → reiner Default.
+export function resolveFieldDefinitionListRoles(
+  opts: Pick<CustomFieldsFeatureOptions, "valueWriteRoles" | "fieldDefinitionListRoles">,
+): readonly string[] {
+  if (opts.fieldDefinitionListRoles !== undefined) return opts.fieldDefinitionListRoles;
+  if (opts.valueWriteRoles === undefined) return DEFAULT_FIELD_DEFINITION_LIST_ROLES;
+  return [...new Set([...opts.valueWriteRoles, ...DEFAULT_FIELD_DEFINITION_LIST_ROLES])];
+}
+
 // Backwards-compat-wrapper. Bestehende Caller (z.B. integration-tests,
 // host-apps) nutzen weiterhin `createCustomFieldsFeature()`. Returnt den
 // module-level-Singleton — kein neuer build pro Aufruf, was für consumer
@@ -200,8 +216,7 @@ export function createCustomFieldsFeature(
           : defineTenantFieldHandler,
       setHandler: createSetCustomFieldHandler(opts.valueWriteRoles),
       clearHandler: createClearCustomFieldHandler(opts.valueWriteRoles),
-      fieldDefinitionListRoles:
-        opts.fieldDefinitionListRoles ?? DEFAULT_FIELD_DEFINITION_LIST_ROLES,
+      fieldDefinitionListRoles: resolveFieldDefinitionListRoles(opts),
     }),
   );
 }

package/src/files-provider-s3/__tests__/s3-provider.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, test } from "bun:test";
 import type { S3ProviderConfig } from "../s3-provider";
-import { resolveForcePathStyle } from "../s3-provider";
+import { createS3Provider, resolveForcePathStyle, resolveVirtualHostedStyle } from "../s3-provider";
 
 const baseConfig: S3ProviderConfig = {
   bucket: "b",
@@ -34,3 +34,63 @@ describe("resolveForcePathStyle", () => {
     ).toBe(false);
   });
 });
+
+// virtualHostedStyle ist die Inversion, die createS3Provider an Bun.S3Client
+// durchreicht (#175/2). Der `!` ist die stille Drift-Stelle: kippt er, picken
+// Minio/R2 die falsche URL-Form ohne Compile- oder Runtime-Fehler.
+describe("resolveVirtualHostedStyle (inverse of forcePathStyle)", () => {
+  const cases: ReadonlyArray<{ name: string; config: S3ProviderConfig }> = [
+    { name: "no endpoint + no override", config: baseConfig },
+    { name: "custom endpoint", config: { ...baseConfig, endpoint: "http://localhost:9000" } },
+    { name: "explicit forcePathStyle true", config: { ...baseConfig, forcePathStyle: true } },
+    {
+      name: "custom endpoint + explicit false",
+      config: { ...baseConfig, endpoint: "http://localhost:9000", forcePathStyle: false },
+    },
+  ];
+
+  for (const { name, config } of cases) {
+    test(`${name} → strict inverse of resolveForcePathStyle`, () => {
+      expect(resolveVirtualHostedStyle(config)).toBe(!resolveForcePathStyle(config));
+    });
+  }
+
+  test("AWS default (no endpoint) → virtual-host-style true", () => {
+    expect(resolveVirtualHostedStyle(baseConfig)).toBe(true);
+  });
+
+  test("Minio/R2 (custom endpoint) → virtual-host-style false (= path-style)", () => {
+    expect(resolveVirtualHostedStyle({ ...baseConfig, endpoint: "http://localhost:9000" })).toBe(
+      false,
+    );
+  });
+});
+
+// presign ist eine reine lokale Signier-Operation (HMAC, kein Netzwerk) →
+// hermetisch testbar mit Dummy-Credentials. Beweist, dass Bun das
+// contentDisposition-Feld tatsächlich als response-content-disposition-Query-
+// Param signiert (#175/3) — sonst lieferte ein Download den UUID-Key statt des
+// Dateinamens, lautlos.
+describe("getSignedUrl contentDisposition", () => {
+  const provider = createS3Provider({
+    bucket: "b",
+    region: "us-east-1",
+    accessKeyId: "AKIAEXAMPLE",
+    secretAccessKey: "secret",
+  });
+
+  test("signs response-content-disposition into the presigned URL", async () => {
+    const url = await provider.getSignedUrl?.("uuid-key.bin", 60, {
+      contentDisposition: 'attachment; filename="report.pdf"',
+    });
+    expect(url).toBeDefined();
+    const params = new URL(url ?? "").searchParams;
+    expect(params.get("response-content-disposition")).toBe('attachment; filename="report.pdf"');
+  });
+
+  test("omits the param when no contentDisposition is passed", async () => {
+    const url = await provider.getSignedUrl?.("uuid-key.bin", 60);
+    expect(url).toBeDefined();
+    expect(new URL(url ?? "").searchParams.has("response-content-disposition")).toBe(false);
+  });
+});

package/src/files-provider-s3/s3-provider.ts

@@ -54,6 +54,14 @@ export function resolveForcePathStyle(config: S3ProviderConfig): boolean {
   return config.forcePathStyle ?? config.endpoint !== undefined;
 }
 
+// Bun's `virtualHostedStyle` is the inverse of the AWS-SDK `forcePathStyle`
+// knob this config exposes: path-style ⇔ virtualHostedStyle=false. Exported +
+// tested alongside resolveForcePathStyle because the inversion is exactly the
+// seam that silently breaks Minio/R2 if the `!` ever drifts.
+export function resolveVirtualHostedStyle(config: S3ProviderConfig): boolean {
+  return !resolveForcePathStyle(config);
+}
+
 export function createS3Provider(config: S3ProviderConfig): FileStorageProvider {
   const client = new Bun.S3Client({
     region: config.region,
@@ -61,9 +69,7 @@ export function createS3Provider(config: S3ProviderConfig): FileStorageProvider
     secretAccessKey: config.secretAccessKey,
     bucket: config.bucket,
     ...(config.endpoint !== undefined && { endpoint: config.endpoint }),
-    // Bun's virtualHostedStyle is the inverse of the AWS-SDK forcePathStyle
-    // knob this config exposes: path-style ⇔ virtualHostedStyle=false.
-    virtualHostedStyle: !resolveForcePathStyle(config),
+    virtualHostedStyle: resolveVirtualHostedStyle(config),
   });
 
   return {

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -1,4 +1,5 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createSystemUser } from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
@@ -16,7 +17,7 @@ import { BRANDING_QN, BRANDING_QUERY_QN } from "../branding";
 import { createManagedPagesCssFeature } from "../css-gate";
 import { createManagedPagesFeature } from "../feature";
 import { seedPage } from "../seeding";
-import { pageEntity } from "../table";
+import { type PageRow, pageEntity, pagesTable } from "../table";
 
 const TENANT_A = "11111111-1111-4111-8111-111111111111";
 const TENANT_B = "22222222-2222-4222-8222-222222222222";
@@ -286,6 +287,96 @@ describe("managed-pages :: set (Provisioning-API)", () => {
   });
 });
 
+// The SystemAdmin-only `tenantIdOverride` cross-tenant write path had zero
+// coverage (#382/2): not the happy path, not the access guard, not the
+// documented `executorUser`-rebase fix (the override must rebase the executor's
+// tenant or getStreamVersion runs against the wrong tenant → version_conflict
+// on the second write).
+describe("managed-pages :: set with tenantIdOverride (cross-tenant, SystemAdmin)", () => {
+  const sysAdmin = createTestUser({ id: 40, roles: ["SystemAdmin"] }); // distinct tenant
+
+  test("(a) SystemAdmin override writes the row under the TARGET tenant", async () => {
+    const res = await stack.http.writeOk<{ isNew: boolean }>(
+      "managed-pages:write:set",
+      {
+        slug: "sys-cross",
+        lang: "en",
+        title: "Cross-tenant by system",
+        body: "x",
+        published: true,
+        tenantIdOverride: TENANT_A,
+      },
+      sysAdmin,
+    );
+    expect(res).toMatchObject({ isNew: true });
+
+    // The persisted row carries TENANT_A — not the SystemAdmin's own tenant.
+    const row = await fetchOne<PageRow>(stack.db, pagesTable, {
+      tenantId: TENANT_A,
+      slug: "sys-cross",
+      lang: "en",
+    });
+    expect(row?.tenantId).toBe(TENANT_A);
+    expect(row?.title).toBe("Cross-tenant by system");
+
+    // End-to-end: it renders under a.* (TENANT_A) and is absent under b.*.
+    const aHtml = await (await stack.app.request("http://a.example.com/p/sys-cross")).text();
+    expect(aHtml).toContain("Cross-tenant by system");
+    const bRes = await stack.app.request("http://b.example.com/p/sys-cross");
+    expect(bRes.status).toBe(404);
+  });
+
+  test("(b) non-SystemAdmin with tenantIdOverride → access_denied", async () => {
+    const error = await stack.http.writeErr(
+      "managed-pages:write:set",
+      { slug: "sneak", lang: "en", title: "x", body: "y", tenantIdOverride: TENANT_B },
+      tenantAdmin, // TenantAdmin, NOT SystemAdmin
+    );
+    expectErrorIncludes(error, "access_denied");
+    expect(JSON.stringify(error)).toContain("tenant_override_requires_system_admin");
+
+    // The write was rejected — no row leaked into TENANT_B.
+    const leaked = await fetchOne<PageRow>(stack.db, pagesTable, {
+      tenantId: TENANT_B,
+      slug: "sneak",
+      lang: "en",
+    });
+    expect(leaked).toBeFalsy();
+  });
+
+  test("(c) SystemAdmin override on an EXISTING page updates it — no version_conflict", async () => {
+    // First override-write creates the row under TENANT_A.
+    await stack.http.writeOk(
+      "managed-pages:write:set",
+      {
+        slug: "sys-rebase",
+        lang: "en",
+        title: "v1",
+        body: "a",
+        published: true,
+        tenantIdOverride: TENANT_A,
+      },
+      sysAdmin,
+    );
+
+    // Second override-write must hit the UPDATE path. Two prior bugs broke this:
+    // (1) the existing-check used the tenant-scoped ctx.db → blind to the target
+    // tenant's row → create → unique_violation; (2) even reaching update,
+    // getStreamVersion ran against the executor's tenant → version_conflict.
+    // The fix reads the existing row through the unscoped runner AND rebases the
+    // executor user to the override tenant.
+    const second = await stack.http.writeOk<{ isNew: boolean }>(
+      "managed-pages:write:set",
+      { slug: "sys-rebase", lang: "en", title: "v2", body: "b", tenantIdOverride: TENANT_A },
+      sysAdmin,
+    );
+    expect(second).toMatchObject({ isNew: false });
+
+    const html = await (await stack.app.request("http://a.example.com/p/sys-rebase")).text();
+    expect(html).toContain("v2");
+  });
+});
+
 describe("managed-pages :: Branding (Config + Render)", () => {
   // config:write:set leitet tenantId aus user.tenantId ab → tenant-spezifische
   // Admins, damit das Branding auf TENANT_A bzw. TENANT_B landet (Host a.*/b.*).

package/src/managed-pages/handlers/set.write.ts

@@ -1,5 +1,5 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
-import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
+import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
 import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { AccessDeniedError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
@@ -57,7 +57,17 @@ export const setWrite = defineWriteHandler({
     const executorUser =
       override !== undefined ? { ...event.user, tenantId: override as TenantId } : event.user; // @cast-boundary engine-bridge
 
-    const existing = await fetchOne<PageRow>(db, pagesTable, {
+    // ctx.db is tenant-scoped to the EXECUTING user (createTenantDb "tenant"
+    // mode). For a cross-tenant override that scope is wrong on BOTH the
+    // existing-check (blind to the target tenant's projection row → every
+    // re-provision retries as a create → unique_violation) AND the executor's
+    // stream reads (getStreamVersion/loadAggregate filtered to the executor's
+    // tenant → not_found/version_conflict). Re-scope a TenantDb to the resolved
+    // target tenant so reads and writes both land there. Safe: the override
+    // branch is SystemAdmin-gated above.
+    const scopedDb =
+      override !== undefined ? createTenantDb(db.raw, override as TenantId, "tenant") : db; // @cast-boundary engine-bridge
+    const existing = await fetchOne<PageRow>(scopedDb, pagesTable, {
       tenantId,
       slug: event.payload.slug,
       lang: event.payload.lang,
@@ -81,7 +91,7 @@ export const setWrite = defineWriteHandler({
           },
         },
         executorUser,
-        db,
+        scopedDb,
       );
       if (!result.isSuccess) return result;
       return {
@@ -102,7 +112,7 @@ export const setWrite = defineWriteHandler({
         tenantId,
       },
       executorUser,
-      db,
+      scopedDb,
     );
     if (!result.isSuccess) return result;
     return {