@cosmicdrift/kumiko-bundled-features 0.57.2 → 0.60.0

package/src/tier-engine/__tests__/resolver.integration.test.ts

@@ -167,6 +167,36 @@ describe("createTierEngineFeature — per-tenant resolver", () => {
     expect(resolver(tenantA).has("feat-pro")).toBe(true);
   });
 
+  test("(4) set-tenant-tier reflects in resolver — effective gating, not just projection", async () => {
+    // Kern-Zweck von #434: ein manueller Grant muss das EFFEKTIVE Feature-Set
+    // ändern (Resolver-Cache), nicht nur die Projektion. set-tenant-tier
+    // schreibt direkt über den Executor — feuert das den postSave-Hook, der
+    // den Cache aktualisiert? Stale-Upgrade free→pro deckt den Fall ab, den
+    // der cache-miss-Fallback NICHT rettet.
+    const usage = findTierResolverUsage(features);
+    if (!usage) throw new Error("setup failure");
+    const plugin = usage.options as TierResolverPlugin;
+
+    const sysA = createTestUser({
+      id: "sys-4",
+      tenantId: tenantA,
+      roles: ["SystemAdmin", "TenantAdmin"],
+    });
+    await stack.http.writeOk("tier-engine:write:tier-assignment:create", { tier: "free" }, sysA);
+
+    const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
+    expect(resolver(tenantA).has("feat-pro")).toBe(false);
+
+    // Manueller Grant via set-tenant-tier (cross-tenant-fähig, hier eigener Tenant).
+    await stack.http.writeOk(
+      "tier-engine:write:set-tenant-tier",
+      { tenantId: tenantA, tier: "pro" },
+      sysA,
+    );
+
+    expect(resolver(tenantA).has("feat-pro")).toBe(true);
+  });
+
   test("(3) SYSTEM_TENANT_ID returns union of all tier-features", async () => {
     const usage = findTierResolverUsage(features);
     if (!usage) throw new Error("setup failure");

package/src/tier-engine/__tests__/tier-engine.integration.test.ts

@@ -279,6 +279,7 @@ describe("scenario 6: access control", () => {
   });
 
   test("query handlers carry the admin-only access rule (config-level check)", () => {
+    // (siehe Scenario 7 für die set-tenant-tier/get-tenant-tier Reads)
     // Read-access is enforced by the same role-rule set on the query handler.
     // We assert the rule is registered correctly — covers regression when
     // someone changes adminAccess to openToAll without noticing.
@@ -294,3 +295,120 @@ describe("scenario 6: access control", () => {
     expect(JSON.stringify(activeTierRule)).toMatch(/SystemAdmin/);
   });
 });
+
+// --- Scenario 7: manueller cross-tenant Tier-Grant (set-tenant-tier) ---
+//
+// Kern-Sicherheitsgrenze von #434: ein SystemAdmin sitzt in seinem eigenen
+// Tenant, setzt aber das Tier eines FREMDEN Tenants — ohne Billing-Kauf.
+// Der Event muss im Stream des Ziel-Tenants landen (nicht im Admin-Tenant),
+// `source: "manual"` tragen und nur für SystemAdmin erreichbar sein.
+
+type SetTenantTierResult = { tenantId: string; tier: string; isNew: boolean };
+
+describe("scenario 7: cross-tenant manual grant", () => {
+  test("SystemAdmin sets a FOREIGN tenant's tier — lands in the target stream, source=manual", async () => {
+    const adminTenant = testTenantId(401);
+    const targetTenant = testTenantId(402);
+    const sysadmin = createTestUser({ id: 401, tenantId: adminTenant, roles: ["SystemAdmin"] });
+
+    const result = await stack.http.writeOk<SetTenantTierResult>(
+      TierEngineHandlers.setTenantTier,
+      { tenantId: targetTenant, tier: "pro" },
+      sysadmin,
+    );
+    expect(result.tenantId).toBe(targetTenant);
+    expect(result.tier).toBe("pro");
+    expect(result.isNew).toBe(true);
+
+    // Beweis, dass der Event im Ziel-Stream liegt: ein Admin IM Ziel-Tenant
+    // liest sein eigenes get-active-tier (own-tenant-scoped) und sieht "pro".
+    const targetAdmin = createTestUser({ id: 402, tenantId: targetTenant, roles: ["TenantAdmin"] });
+    const seenByTarget = await stack.http.queryOk<Record<string, unknown> | null>(
+      TierEngineQueries.getActiveTier,
+      {},
+      targetAdmin,
+    );
+    expect(seenByTarget!["tier"]).toBe("pro");
+
+    // get-tenant-tier (cross-tenant Read, SystemAdmin) liefert source=manual.
+    const grant = await stack.http.queryOk<Record<string, unknown> | null>(
+      TierEngineQueries.getTenantTier,
+      { tenantId: targetTenant },
+      sysadmin,
+    );
+    expect(grant!["tier"]).toBe("pro");
+    expect(grant!["source"]).toBe("manual");
+
+    // Der Admin-eigene Tenant bleibt unberührt — kein Tier dort geleakt.
+    const seenByAdmin = await stack.http.queryOk<Record<string, unknown> | null>(
+      TierEngineQueries.getActiveTier,
+      {},
+      sysadmin,
+    );
+    expect(seenByAdmin).toBeNull();
+  });
+
+  test("upsert is idempotent — second set updates the same aggregate (isNew:false)", async () => {
+    const sysadmin = createTestUser({
+      id: 410,
+      tenantId: testTenantId(410),
+      roles: ["SystemAdmin"],
+    });
+    const target = testTenantId(411);
+
+    const first = await stack.http.writeOk<SetTenantTierResult>(
+      TierEngineHandlers.setTenantTier,
+      { tenantId: target, tier: "pro" },
+      sysadmin,
+    );
+    expect(first.isNew).toBe(true);
+
+    const second = await stack.http.writeOk<SetTenantTierResult>(
+      TierEngineHandlers.setTenantTier,
+      { tenantId: target, tier: "business" },
+      sysadmin,
+    );
+    expect(second.isNew).toBe(false);
+    expect(second.tier).toBe("business");
+
+    const grant = await stack.http.queryOk<Record<string, unknown> | null>(
+      TierEngineQueries.getTenantTier,
+      { tenantId: target },
+      sysadmin,
+    );
+    expect(grant!["tier"]).toBe("business");
+  });
+
+  test("TenantAdmin cannot set a foreign tenant's tier — fail-closed", async () => {
+    const tenantAdmin = createTestUser({
+      id: 420,
+      tenantId: testTenantId(420),
+      roles: ["TenantAdmin"],
+    });
+
+    const error = await stack.http.writeErr(
+      TierEngineHandlers.setTenantTier,
+      { tenantId: testTenantId(421), tier: "pro" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+
+  test("normal User cannot set a tier and cannot read get-tenant-tier", async () => {
+    const normalUser = TestUsers.user;
+
+    const writeError = await stack.http.writeErr(
+      TierEngineHandlers.setTenantTier,
+      { tenantId: testTenantId(431), tier: "pro" },
+      normalUser,
+    );
+    expectErrorIncludes(writeError, "access_denied");
+
+    const res = await stack.http.query(
+      TierEngineQueries.getTenantTier,
+      { tenantId: testTenantId(431) },
+      normalUser,
+    );
+    expect(res.status).toBe(403);
+  });
+});

package/src/tier-engine/constants.ts

@@ -1,3 +1,9 @@
+// @runtime client
+// Pure string-literal QNs/ids — von Server (feature.ts) UND Client
+// (web/tier-admin-screen, client-plugin) importiert. Als `client` markiert,
+// die im kumiko-Isolation-Modell permissivste Kategorie (runtime darf
+// client importieren, client nur client) — sonst wirft der Runtime-
+// Isolation-Guard auf den Client-Imports. Muster wie text-content/constants.
 // Feature name
 export const TIER_ENGINE_FEATURE = "tier-engine" as const;
 
@@ -6,10 +12,17 @@ export const TIER_ENGINE_FEATURE = "tier-engine" as const;
 export const TierEngineHandlers = {
   create: "tier-engine:write:tier-assignment:create",
   update: "tier-engine:write:tier-assignment:update",
+  setTenantTier: "tier-engine:write:set-tenant-tier",
 } as const;
 
 // Qualified query handler names.
 export const TierEngineQueries = {
   list: "tier-engine:query:tier-assignment:list",
   getActiveTier: "tier-engine:query:get-active-tier",
+  getTenantTier: "tier-engine:query:get-tenant-tier",
+  tierOptions: "tier-engine:query:tier-options",
 } as const;
+
+// Screen-id für den manuellen Tier-Grant-Screen. Apps referenzieren ihn
+// qualifiziert in r.nav: `tier-engine:screen:tier-admin`.
+export const TIER_ADMIN_SCREEN_ID = "tier-admin" as const;

package/src/tier-engine/entity.ts

@@ -26,5 +26,10 @@ export const tierAssignmentEntity = createEntity({
   table: "read_tier_assignments",
   fields: {
     tier: createTextField({ required: true, maxLength: 50 }),
+    // Woher das Assignment stammt: "manual" (Admin-Grant via tier-admin-Screen),
+    // "stripe" (future Billing-Sync), "default" (auto-default-on-signup-Hook).
+    // Optional für Back-Compat zu bestehenden Rows ohne source. Schützt manuelle
+    // Grants davor, von einem späteren Stripe→Tier-Sync geplättet zu werden.
+    source: createTextField({ required: false, maxLength: 20 }),
   },
 });

package/src/tier-engine/feature.ts

@@ -52,6 +52,7 @@ import {
   defineEntityListHandler,
   defineEntityUpdateHandler,
   defineFeature,
+  defineQueryHandler,
   type FeatureDefinition,
   HookPhases,
   type SessionUser,
@@ -61,11 +62,14 @@ import {
   type TierResolverPlugin,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
+import { z } from "zod";
 import { tierAssignmentAggregateId } from "./aggregate-id";
 import type { TierMap } from "./compose-app";
-import { TIER_ENGINE_FEATURE } from "./constants";
+import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "./constants";
 import { tierAssignmentEntity } from "./entity";
 import { getActiveTierQuery } from "./handlers/active-tier.query";
+import { getTenantTierQuery } from "./handlers/get-tenant-tier.query";
+import { createSetTenantTierWrite } from "./handlers/set-tenant-tier.write";
 
 // Drizzle-table for the tier-assignment-entity. Built once at module-load
 // from the entity definition — same shape buildEntityTable would produce
@@ -168,7 +172,7 @@ export function createTierEngineFeature<
 >(opts: CreateTierEngineOptions<TCaps> = {}): FeatureDefinition {
   return defineFeature(TIER_ENGINE_FEATURE, (r) => {
     r.describe(
-      "Stores a `tier-assignment` entity per tenant (which pricing tier is active) and, when configured with a `TierMap`, registers itself as the `tenantTierResolver` extension so the dispatcher automatically gates `r.toggleable()` features per tenant based on their assigned tier. Call `createTierEngineFeature({ defaultTier, tierMap })` to get full tier composition \u2014 including an `inTransaction` entity hook that atomically writes the default tier when a new tenant is created \u2014 or use `createTierEngineFeature()` without options for storage-only mode when you manage tier assignment yourself via `composeApp`.",
+      'Stores a `tier-assignment` entity per tenant (which pricing tier is active) and, when configured with a `TierMap`, registers itself as the `tenantTierResolver` extension so the dispatcher automatically gates `r.toggleable()` features per tenant based on their assigned tier. Call `createTierEngineFeature({ defaultTier, tierMap })` to get full tier composition \u2014 including an `inTransaction` entity hook that atomically writes the default tier when a new tenant is created \u2014 or use `createTierEngineFeature()` without options for storage-only mode when you manage tier assignment yourself via `composeApp`. A SystemAdmin-only `set-tenant-tier` write plus `get-tenant-tier`/`tier-options` reads let an operator assign a tier to ANY tenant manually \u2014 without a billing purchase \u2014 stamping `source: "manual"` so a future Stripe\u2192tier sync won\'t overwrite the grant. Apps surface this via the `tier-admin` screen.',
     );
     r.requires("config");
     r.requires("tenant");
@@ -183,6 +187,41 @@ export function createTierEngineFeature<
     r.queryHandler(defineEntityListHandler("tier-assignment", tierAssignmentEntity, adminAccess));
     r.queryHandler(getActiveTierQuery);
 
+    // \u2500\u2500 Manueller Tier-Grant (SystemAdmin, ohne Billing) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Cross-tenant set + read f\u00fcr den tier-admin-Screen. tier-options liefert
+    // dem Client die App-Tier-Namen aus der tierMap-Closure (sonst hartkodiert).
+    //
+    // onAssigned h\u00e4lt den Resolver-Cache nach einem direkten Executor-Write
+    // warm (der den postSave-Hook NICHT feuert). Late-bind via Holder: ohne
+    // tierMap bleibt es no-op (kein Resolver), im tierMap-Block unten wird
+    // die echte Cache-Update-Funktion eingeh\u00e4ngt \u2014 analog alwaysOnHolder.
+    const onTierAssigned: { fn: (tenantId: TenantId, tier: string) => void } = { fn: () => {} };
+    r.writeHandler(
+      createSetTenantTierWrite({
+        onAssigned: (tenantId, tier) => onTierAssigned.fn(tenantId, tier),
+      }),
+    );
+    r.queryHandler(getTenantTierQuery);
+    r.queryHandler(
+      defineQueryHandler({
+        name: "tier-options",
+        schema: z.object({}),
+        access: { roles: ["SystemAdmin"] },
+        handler: async () => ({ tiers: opts.tierMap ? Object.keys(opts.tierMap) : [] }),
+      }),
+    );
+
+    // Custom React-Screen für den manuellen Grant. SystemAdmin-only fest
+    // verdrahtet (Platform-Admin-Hoheit, nicht App-konfigurierbar). App
+    // platziert ihn nur via r.nav("tier-engine:screen:tier-admin"); die
+    // Komponente liefert tierEngineClient() aus dem ./web-subpath.
+    r.screen({
+      id: TIER_ADMIN_SCREEN_ID,
+      type: "custom",
+      renderer: { react: { __component: "TierAdminScreen" } },
+      access: { roles: ["SystemAdmin"] },
+    });
+
     // ───────────────────────────────────────────────────────────────────
     // Resolver-extension (only when tierMap is configured)
     // ───────────────────────────────────────────────────────────────────
@@ -203,6 +242,15 @@ export function createTierEngineFeature<
     // Requests (build läuft pre-listen via runDevApp/runProdApp-pickup).
     const alwaysOnHolder: { set: ReadonlySet<string> } = { set: new Set() };
 
+    // set-tenant-tier schreibt direkt über den Executor → der postSave-Hook
+    // unten feuert dabei NICHT. Diese Funktion repliziert den Cache-Update
+    // des Hooks, damit ein manueller Grant das effektive Feature-Set sofort
+    // ändert (nicht nur die Projektion). Selber Cache, selbe mergeAlwaysOn-
+    // Semantik wie der Hook.
+    onTierAssigned.fn = (tenantId, tier) => {
+      cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, tier)));
+    };
+
     // Invalidation: tier-assignment events update the cache.
     r.entityHook("postSave", "tier-assignment", async (result) => {
       // result.data has tenantId + tier (after entity-update merge)
@@ -299,7 +347,7 @@ export function createTierEngineFeature<
           const tdb = createTenantDb(rawDb, newTenantId, "system");
 
           await tierAssignmentExecutor.create(
-            { id: aggregateId, tier: defaultTier },
+            { id: aggregateId, tier: defaultTier, source: "default" },
             systemUser,
             tdb,
           );

package/src/tier-engine/handlers/get-tenant-tier.query.ts

@@ -0,0 +1,36 @@
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  buildEntityTable,
+  createTenantDb,
+  type DbConnection,
+} from "@cosmicdrift/kumiko-framework/db";
+import { defineQueryHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { tierAssignmentEntity } from "../entity";
+
+// Liest das Tier-Assignment eines BELIEBIGEN Tenants (cross-tenant) für den
+// tier-admin-Screen. SystemAdmin-only. get-active-tier liest nur den eigenen
+// Tenant — hier ein "system"-mode TenantDb auf den Ziel-Tenant (kein Filter),
+// damit der Admin das Tier fremder Tenants sehen kann. null wenn noch keins.
+
+const tierAssignmentTable = buildEntityTable("tier-assignment", tierAssignmentEntity);
+
+type TierAssignmentRow = {
+  readonly id: string;
+  readonly version: number;
+  readonly tier: string;
+  readonly source: string | null;
+  readonly tenantId: string;
+};
+
+export const getTenantTierQuery = defineQueryHandler({
+  name: "get-tenant-tier",
+  schema: z.object({ tenantId: z.string().min(1) }),
+  access: { roles: ["SystemAdmin"] },
+  handler: async (query, ctx) => {
+    const tenantId = query.payload.tenantId as TenantId; // @cast-boundary engine-bridge
+    const tdb = createTenantDb(ctx.db.raw as DbConnection, tenantId, "system"); // @cast-boundary db-runner
+    const row = await fetchOne<TierAssignmentRow>(tdb, tierAssignmentTable, { tenantId });
+    return row ?? null;
+  },
+});

package/src/tier-engine/handlers/set-tenant-tier.write.ts

@@ -0,0 +1,99 @@
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  buildEntityTable,
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+} from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { tierAssignmentAggregateId } from "../aggregate-id";
+import { tierAssignmentEntity } from "../entity";
+
+// SystemAdmin setzt das Tier eines BELIEBIGEN Tenants — manueller Grant ohne
+// Billing. Cross-tenant, daher SystemAdmin-only (kein TenantAdmin: sonst
+// Gratis-Self-Upgrade).
+//
+// **Cross-tenant-Mechanik:** ein "system"-mode TenantDb auf den Ziel-Tenant legt
+// KEINEN Tenant-Filter an (tenant-db.ts:141 — mode==="system" überspringt ihn);
+// der executor-user wird ebenfalls auf den Ziel-Tenant gestellt, sonst landet das
+// Event im Stream des Admins (Memory feedback_event_store_tenant_consistency).
+// Das set.write-"override-user"-Muster trägt NICHT für beliebige Tenants — es
+// funktioniert nur für SYSTEM_TENANT_ID (immer im IN-Filter). Dies ist das
+// auto-default-Hook-Muster (feature.ts), generalisiert auf einen Request-Handler.
+//
+// `source: "manual"` markiert den Grant, damit ein späterer Stripe→Tier-Sync ihn
+// nicht plättet. Upsert: ein Aggregat pro Tenant (deterministische aggregate-id).
+//
+// **Effective-Set-Invalidation (kritisch):** der Executor-Write feuert NICHT
+// den `tier-assignment:postSave`-entityHook (Hooks laufen nur im Entity-
+// Handler-Pfad, nicht bei direktem executor.create/update). Ohne Cache-Update
+// bliebe das Feature-Gate auf dem alten Tier hängen — die Projektion zeigt
+// "pro", das Gate verhält sich weiter wie "free", bis der Prozess neu startet.
+// Daher ruft der Handler nach erfolgreichem Write `opts.onAssigned(tenantId,
+// tier)`; feature.ts verdrahtet das auf denselben Cache-Update wie der Hook
+// (storage-only ohne tierMap = no-op).
+
+const tierAssignmentTable = buildEntityTable("tier-assignment", tierAssignmentEntity);
+const executor = createEventStoreExecutor(tierAssignmentTable, tierAssignmentEntity, {
+  entityName: "tier-assignment",
+});
+
+type TierAssignmentRow = {
+  readonly id: string;
+  readonly version: number;
+  readonly tier: string;
+  readonly source: string | null;
+  readonly tenantId: string;
+};
+
+export type SetTenantTierOptions = {
+  /** Nach erfolgreichem Write aufgerufen, damit feature.ts den Resolver-
+   *  Cache aktualisieren kann (der Executor-Write feuert den postSave-Hook
+   *  nicht). Ohne tierMap kein Resolver → no-op. */
+  readonly onAssigned?: (tenantId: TenantId, tier: string) => void;
+};
+
+export function createSetTenantTierWrite(opts: SetTenantTierOptions = {}) {
+  return defineWriteHandler({
+    name: "set-tenant-tier",
+    schema: z.object({
+      tenantId: z.string().min(1),
+      tier: z.string().min(1).max(50),
+    }),
+    access: { roles: ["SystemAdmin"] },
+    handler: async (event, ctx) => {
+      const tenantId = event.payload.tenantId as TenantId; // @cast-boundary engine-bridge
+      const rawDb = ctx.db.raw as DbConnection; // @cast-boundary db-runner
+      const tdb = createTenantDb(rawDb, tenantId, "system");
+      const systemUser = { ...event.user, tenantId };
+      const tier = event.payload.tier;
+
+      const existing = await fetchOne<TierAssignmentRow>(tdb, tierAssignmentTable, { tenantId });
+
+      if (existing) {
+        const result = await executor.update(
+          {
+            id: existing.id,
+            version: existing.version,
+            changes: { tier, source: "manual" },
+          },
+          systemUser,
+          tdb,
+        );
+        if (!result.isSuccess) return result;
+        opts.onAssigned?.(tenantId, tier);
+        return { isSuccess: true as const, data: { tenantId, tier, isNew: false } };
+      }
+
+      const result = await executor.create(
+        { id: tierAssignmentAggregateId(tenantId), tier, source: "manual", tenantId },
+        systemUser,
+        tdb,
+      );
+      if (!result.isSuccess) return result;
+      opts.onAssigned?.(tenantId, tier);
+      return { isSuccess: true as const, data: { tenantId, tier, isNew: true } };
+    },
+  });
+}

package/src/tier-engine/i18n.ts

@@ -0,0 +1,39 @@
+// @runtime client
+// Default-Bundles für den TierAdminScreen. Werden vom tierEngineClient()
+// als Fallback-Bundle in den LocaleProvider gehängt — Apps überschreiben
+// einzelne Keys via `tierEngineClient({ translations: { de: { … } } })`.
+
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "tier-admin.title": "Tier manuell zuweisen",
+    "tier-admin.explainer":
+      "Weise einem Tenant ein Tier ohne Kauf zu. Der Grant wird als „manuell“ markiert und von einem späteren Billing-Sync nicht überschrieben.",
+    "tier-admin.tenant.label": "Tenant",
+    "tier-admin.current.label": "Aktuelles Tier",
+    "tier-admin.current.none": "— noch keins —",
+    "tier-admin.tier.label": "Neues Tier",
+    "tier-admin.submit": "Tier zuweisen",
+    "tier-admin.success": "Tier „{tier}“ zugewiesen.",
+    "tier-admin.error.generic": "Konnte das Tier nicht zuweisen.",
+    "tier-admin.error.load": "Tenants konnten nicht geladen werden.",
+    "tier-admin.error.noTiers":
+      "Diese App hat keine TierMap konfiguriert — es gibt keine zuweisbaren Tiers.",
+  },
+  en: {
+    "tier-admin.title": "Assign tier manually",
+    "tier-admin.explainer":
+      "Grant a tenant a tier without a purchase. The grant is marked as “manual” and a later billing sync won't overwrite it.",
+    "tier-admin.tenant.label": "Tenant",
+    "tier-admin.current.label": "Current tier",
+    "tier-admin.current.none": "— none yet —",
+    "tier-admin.tier.label": "New tier",
+    "tier-admin.submit": "Assign tier",
+    "tier-admin.success": "Assigned tier “{tier}”.",
+    "tier-admin.error.generic": "Could not assign the tier.",
+    "tier-admin.error.load": "Failed to load tenants.",
+    "tier-admin.error.noTiers":
+      "This app has no TierMap configured — there are no assignable tiers.",
+  },
+};

package/src/tier-engine/web/client-plugin.tsx

@@ -0,0 +1,27 @@
+// @runtime client
+// Client-Feature-Factory für tier-engine. Liefert den TierAdminScreen
+// (gemappt auf die Screen-id "tier-admin") + Default-Translations. Apps
+// hängen es in createKumikoApp({ clientFeatures: [tierEngineClient()] }) ein;
+// der Screen selbst wird server-seitig vom Feature als custom-Screen
+// registriert (r.screen), die App platziert ihn nur via r.nav.
+
+import { mergeTranslations, type TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+import type { ClientFeatureDefinition } from "@cosmicdrift/kumiko-renderer-web";
+import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "../constants";
+import { defaultTranslations } from "../i18n";
+import { TierAdminScreen } from "./tier-admin-screen";
+
+export type TierEngineClientOptions = {
+  /** Key-weise Overrides über die Default-Bundles (de/en). */
+  readonly translations?: TranslationsByLocale;
+};
+
+export function tierEngineClient(options?: TierEngineClientOptions): ClientFeatureDefinition {
+  return {
+    name: TIER_ENGINE_FEATURE,
+    translations: mergeTranslations(defaultTranslations, options?.translations ?? {}),
+    components: {
+      [TIER_ADMIN_SCREEN_ID]: TierAdminScreen,
+    },
+  };
+}

package/src/tier-engine/web/index.ts

@@ -0,0 +1,8 @@
+// @runtime client
+// Public exports für die Browser-Seite des tier-engine Features. Konsumiert
+// über `@cosmicdrift/kumiko-bundled-features/tier-engine/web` — die
+// Server-Seite (createTierEngineFeature) lebt unter
+// `@cosmicdrift/kumiko-bundled-features/tier-engine` und hat keine React-Deps.
+
+export { type TierEngineClientOptions, tierEngineClient } from "./client-plugin";
+export { TierAdminScreen } from "./tier-admin-screen";