@cosmicdrift/kumiko-bundled-features 0.59.1 → 0.60.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.59.1",
+  "version": "0.60.1",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -26,6 +26,7 @@
     "./readiness": "./src/readiness/index.ts",
     "./jobs": "./src/jobs/index.ts",
     "./tier-engine": "./src/tier-engine/index.ts",
+    "./tier-engine/web": "./src/tier-engine/web/index.ts",
     "./cap-counter": "./src/cap-counter/index.ts",
     "./custom-fields": "./src/custom-fields/index.ts",
     "./custom-fields/web": "./src/custom-fields/web/index.ts",

package/src/config/__tests__/app-override-visibility.integration.test.ts

@@ -100,8 +100,14 @@ describe("ENV→app-override bridge — config:query:values", () => {
 
   test("leak guard: inheritedToTenant:false hides the ENV app-override from a tenant", async () => {
     const res = await stack.http.queryOk<Values>(ConfigQueries.values, {}, tenantAdmin);
+    expect(res[API_BASE]).toBeDefined();
     expect(res[API_BASE]?.value).not.toBe("https://internal.example.com");
     expect(res[API_BASE]?.source).not.toBe("app-override");
+    // Positive anchor: API_BASE has no keyDef.default → after redaction the key
+    // resolves as genuinely unset ("missing"), NOT absent for some other reason
+    // (e.g. an access-deny would drop the key entirely and leave the negative
+    // asserts above vacuously green).
+    expect(res[API_BASE]?.source).toBe("missing");
   });
 });
 

package/src/config/__tests__/backing-secrets.integration.test.ts

@@ -167,6 +167,44 @@ describe("config backing=secrets — read dispatch", () => {
   });
 });
 
+describe("config backing=secrets — fail-loud when secrets unwired", () => {
+  // The PR's central safety promise: a backing="secrets" key throws loudly at
+  // request time when ctx.secrets is absent — it never silently degrades into
+  // a config_values write. One write exercises the set.write throw site; the
+  // resolver and reset.write guards share the identical `!ctx.secrets` shape.
+  test("set on a backing=secrets key throws internal_error when ctx.secrets is absent", async () => {
+    const unwired = await setupTestStack({
+      features: [createConfigFeature(), billingFeature],
+      extraContext: ({ registry }) => {
+        const resolver = createConfigResolver();
+        return {
+          configResolver: resolver,
+          _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+          // No `secrets` — the backing="secrets" path must fail loudly.
+        };
+      },
+    });
+    await unsafePushTables(unwired.db, { configValuesTable, tenantSecretsTable });
+    await createEventsTable(unwired.db);
+
+    try {
+      const err = await unwired.http.writeErr(
+        ConfigHandlers.set,
+        { key: API_KEY, value: "sk-live-should-not-persist", scope: "system" },
+        systemAdmin,
+      );
+      expect(err.code).toBe("internal_error");
+      expect(err.httpStatus).toBe(500);
+
+      // It must NOT have silently fallen back to a config_values row.
+      const configRows = await selectMany(unwired.db, configValuesTable, { key: API_KEY });
+      expect(configRows).toHaveLength(0);
+    } finally {
+      await unwired.cleanup();
+    }
+  });
+});
+
 describe("config backing=secrets — reset dispatch", () => {
   test("reset clears the secret; the key falls back to unset", async () => {
     await stack.http.writeOk(ConfigHandlers.reset, { key: API_KEY, scope: "system" }, systemAdmin);

package/src/config/__tests__/inherited-redaction.integration.test.ts

@@ -34,6 +34,7 @@ const tenantAdmin = createTestUser({ id: 2 }); // roles ["Admin"], same tenant
 const SMTP_HOST = "platform:config:smtp-host";
 const SMTP_PASS = "platform:config:smtp-pass";
 const LIST_HITS = "platform:config:list-hits";
+const LIST_CAP = "platform:config:list-cap";
 
 const configFeature = createConfigFeature();
 
@@ -60,6 +61,16 @@ const platformFeature = defineFeature("platform", (r) => {
         write: access.systemAdmin,
         read: access.admin,
       }),
+      // Control: default inheritance WITH a set system-row value — proves a
+      // tenant receives the inherited system-row value (not just the
+      // keyDef.default fallback). The default (5) differs from the seeded
+      // system-row (42) so a broken pass-through can't masquerade as the
+      // default.
+      listCap: createSystemConfig("number", {
+        default: 5,
+        write: access.systemAdmin,
+        read: access.admin,
+      }),
     },
   });
 });
@@ -90,6 +101,11 @@ beforeAll(async () => {
     { key: SMTP_PASS, value: "s3cr3t-password", scope: "system" },
     systemAdmin,
   );
+  await stack.http.writeOk(
+    ConfigHandlers.set,
+    { key: LIST_CAP, value: 42, scope: "system" },
+    systemAdmin,
+  );
 });
 
 afterAll(async () => {
@@ -152,6 +168,19 @@ describe("inheritedToTenant redaction — config:query:cascade", () => {
     );
     expect(res[LIST_HITS]?.value).toBe(10);
   });
+
+  test("control: a SET system-row value is inherited by tenants (not the default)", async () => {
+    const res = await stack.http.queryOk<Cascades>(
+      ConfigQueries.cascade,
+      { keys: [LIST_CAP] },
+      tenantAdmin,
+    );
+    // 42 = seeded system-row value; would be 5 (keyDef.default) if pass-through
+    // for non-redacted keys were broken.
+    expect(res[LIST_CAP]?.value).toBe(42);
+    expect(systemLevel(res, LIST_CAP)?.value).toBe(42);
+    expect(systemLevel(res, LIST_CAP)?.hasValue).toBe(true);
+  });
 });
 
 describe("inheritedToTenant redaction — config:query:values", () => {

package/src/custom-fields/__tests__/feature.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, test } from "bun:test";
 import { fieldDefinitionAggregateId } from "../aggregate-id";
 import { SUPPORTED_FIELD_TYPES } from "../constants";
-import { createCustomFieldsFeature } from "../feature";
+import { createCustomFieldsFeature, resolveFieldDefinitionListRoles } from "../feature";
 import { defineFieldPayloadSchema, deleteFieldPayloadSchema } from "../schemas";
 
 // B1 unit-tests: feature-shape, schema-validation, aggregate-id determinism.
@@ -156,14 +156,67 @@ describe("createCustomFieldsFeature access-options", () => {
     expect(writeAccess(feature, "define-tenant-field")).toEqual(["TenantAdmin"]);
   });
 
-  test("fieldDefinitionListRoles überschreibt den List-Query (FormSection-Lade-Pfad)", () => {
-    const feature = createCustomFieldsFeature({ fieldDefinitionListRoles: ["Admin", "Editor"] });
+  function listAccess(feature: ReturnType<typeof createCustomFieldsFeature>): readonly string[] {
     const entry = Object.entries(feature.queryHandlers).find(([qn]) =>
       qn.includes("field-definition:list"),
     );
     if (!entry) throw new Error("field-definition:list not registered");
     const access = entry[1].access;
     if (!access || !("roles" in access)) throw new Error("list-query has no roles");
-    expect(access.roles).toEqual(["Admin", "Editor"]);
+    return access.roles;
+  }
+
+  test("fieldDefinitionListRoles überschreibt den List-Query (FormSection-Lade-Pfad)", () => {
+    const feature = createCustomFieldsFeature({ fieldDefinitionListRoles: ["Admin", "Editor"] });
+    expect(listAccess(feature)).toEqual(["Admin", "Editor"]);
+  });
+
+  // #334/2: valueWriteRoles ohne fieldDefinitionListRoles brach asymmetrisch —
+  // Save offen für App-Rollen, aber der List-Lade-Pfad blieb ["TenantAdmin"] →
+  // App-User bekamen access_denied, die FormSection lud nie. Die Value-Rollen
+  // erben jetzt in den List-Default (Union mit dem Default).
+  test("valueWriteRoles erbt in den List-Default wenn fieldDefinitionListRoles fehlt", () => {
+    const feature = createCustomFieldsFeature({ valueWriteRoles: ["Admin", "Editor"] });
+    const roles = listAccess(feature);
+    // Value-Writer können laden …
+    expect(roles).toContain("Admin");
+    expect(roles).toContain("Editor");
+    // … und Admins behalten den List-Zugriff.
+    expect(roles).toContain("TenantAdmin");
+  });
+
+  test("explizite fieldDefinitionListRoles gewinnen über die valueWriteRoles-Vererbung", () => {
+    const feature = createCustomFieldsFeature({
+      valueWriteRoles: ["Admin", "Editor"],
+      fieldDefinitionListRoles: ["Viewer"],
+    });
+    expect(listAccess(feature)).toEqual(["Viewer"]);
+  });
+});
+
+describe("resolveFieldDefinitionListRoles", () => {
+  test("nichts gesetzt → reiner Default", () => {
+    expect(resolveFieldDefinitionListRoles({})).toEqual(["TenantAdmin"]);
+  });
+
+  test("valueWriteRoles gesetzt, list ungesetzt → Union mit Default, dedupliziert", () => {
+    expect(resolveFieldDefinitionListRoles({ valueWriteRoles: ["Admin", "Editor"] })).toEqual([
+      "Admin",
+      "Editor",
+      "TenantAdmin",
+    ]);
+    // TenantAdmin schon in valueWriteRoles → keine Dublette.
+    expect(resolveFieldDefinitionListRoles({ valueWriteRoles: ["TenantAdmin", "Editor"] })).toEqual(
+      ["TenantAdmin", "Editor"],
+    );
+  });
+
+  test("explizite list-Rollen gewinnen immer (auch über valueWriteRoles)", () => {
+    expect(
+      resolveFieldDefinitionListRoles({
+        valueWriteRoles: ["Admin"],
+        fieldDefinitionListRoles: ["Viewer"],
+      }),
+    ).toEqual(["Viewer"]);
   });
 });

package/src/custom-fields/feature.ts

@@ -171,11 +171,27 @@ export type CustomFieldsFeatureOptions = {
    *  das setzen, sonst ist der Value-Save für jeden App-User
    *  access_denied (Role-Naming-Drift). */
   readonly valueWriteRoles?: readonly string[];
-  /** Rollen für custom-fields:query:field-definition:list — der
-   *  Lade-Pfad der CustomFieldsFormSection. Default ["TenantAdmin"]. */
+  /** Rollen für custom-fields:query:field-definition:list — der Lade-Pfad
+   *  der CustomFieldsFormSection. Default ["TenantAdmin"]. Wird valueWriteRoles
+   *  gesetzt, dies aber NICHT, erben die Value-Rollen hier hinein (Union mit
+   *  dem Default, damit Admins den List-Zugriff behalten) — sonst lädt die
+   *  FormSection für Value-Writer nie (access_denied), während der Save-Pfad
+   *  offen wäre (#334/2, asymmetrischer Bruch). */
   readonly fieldDefinitionListRoles?: readonly string[];
 };
 
+// Der List-Pfad muss jeden abdecken, der Values schreiben darf — sonst lädt die
+// FormSection nie. Explizite fieldDefinitionListRoles gewinnen; sonst: gesetzte
+// valueWriteRoles erben in den List-Default (Union mit dem Default), ungesetzte
+// → reiner Default.
+export function resolveFieldDefinitionListRoles(
+  opts: Pick<CustomFieldsFeatureOptions, "valueWriteRoles" | "fieldDefinitionListRoles">,
+): readonly string[] {
+  if (opts.fieldDefinitionListRoles !== undefined) return opts.fieldDefinitionListRoles;
+  if (opts.valueWriteRoles === undefined) return DEFAULT_FIELD_DEFINITION_LIST_ROLES;
+  return [...new Set([...opts.valueWriteRoles, ...DEFAULT_FIELD_DEFINITION_LIST_ROLES])];
+}
+
 // Backwards-compat-wrapper. Bestehende Caller (z.B. integration-tests,
 // host-apps) nutzen weiterhin `createCustomFieldsFeature()`. Returnt den
 // module-level-Singleton — kein neuer build pro Aufruf, was für consumer
@@ -200,8 +216,7 @@ export function createCustomFieldsFeature(
           : defineTenantFieldHandler,
       setHandler: createSetCustomFieldHandler(opts.valueWriteRoles),
       clearHandler: createClearCustomFieldHandler(opts.valueWriteRoles),
-      fieldDefinitionListRoles:
-        opts.fieldDefinitionListRoles ?? DEFAULT_FIELD_DEFINITION_LIST_ROLES,
+      fieldDefinitionListRoles: resolveFieldDefinitionListRoles(opts),
     }),
   );
 }

package/src/files-provider-s3/__tests__/s3-provider.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, test } from "bun:test";
 import type { S3ProviderConfig } from "../s3-provider";
-import { resolveForcePathStyle } from "../s3-provider";
+import { createS3Provider, resolveForcePathStyle, resolveVirtualHostedStyle } from "../s3-provider";
 
 const baseConfig: S3ProviderConfig = {
   bucket: "b",
@@ -34,3 +34,63 @@ describe("resolveForcePathStyle", () => {
     ).toBe(false);
   });
 });
+
+// virtualHostedStyle ist die Inversion, die createS3Provider an Bun.S3Client
+// durchreicht (#175/2). Der `!` ist die stille Drift-Stelle: kippt er, picken
+// Minio/R2 die falsche URL-Form ohne Compile- oder Runtime-Fehler.
+describe("resolveVirtualHostedStyle (inverse of forcePathStyle)", () => {
+  const cases: ReadonlyArray<{ name: string; config: S3ProviderConfig }> = [
+    { name: "no endpoint + no override", config: baseConfig },
+    { name: "custom endpoint", config: { ...baseConfig, endpoint: "http://localhost:9000" } },
+    { name: "explicit forcePathStyle true", config: { ...baseConfig, forcePathStyle: true } },
+    {
+      name: "custom endpoint + explicit false",
+      config: { ...baseConfig, endpoint: "http://localhost:9000", forcePathStyle: false },
+    },
+  ];
+
+  for (const { name, config } of cases) {
+    test(`${name} → strict inverse of resolveForcePathStyle`, () => {
+      expect(resolveVirtualHostedStyle(config)).toBe(!resolveForcePathStyle(config));
+    });
+  }
+
+  test("AWS default (no endpoint) → virtual-host-style true", () => {
+    expect(resolveVirtualHostedStyle(baseConfig)).toBe(true);
+  });
+
+  test("Minio/R2 (custom endpoint) → virtual-host-style false (= path-style)", () => {
+    expect(resolveVirtualHostedStyle({ ...baseConfig, endpoint: "http://localhost:9000" })).toBe(
+      false,
+    );
+  });
+});
+
+// presign ist eine reine lokale Signier-Operation (HMAC, kein Netzwerk) →
+// hermetisch testbar mit Dummy-Credentials. Beweist, dass Bun das
+// contentDisposition-Feld tatsächlich als response-content-disposition-Query-
+// Param signiert (#175/3) — sonst lieferte ein Download den UUID-Key statt des
+// Dateinamens, lautlos.
+describe("getSignedUrl contentDisposition", () => {
+  const provider = createS3Provider({
+    bucket: "b",
+    region: "us-east-1",
+    accessKeyId: "AKIAEXAMPLE",
+    secretAccessKey: "secret",
+  });
+
+  test("signs response-content-disposition into the presigned URL", async () => {
+    const url = await provider.getSignedUrl?.("uuid-key.bin", 60, {
+      contentDisposition: 'attachment; filename="report.pdf"',
+    });
+    expect(url).toBeDefined();
+    const params = new URL(url ?? "").searchParams;
+    expect(params.get("response-content-disposition")).toBe('attachment; filename="report.pdf"');
+  });
+
+  test("omits the param when no contentDisposition is passed", async () => {
+    const url = await provider.getSignedUrl?.("uuid-key.bin", 60);
+    expect(url).toBeDefined();
+    expect(new URL(url ?? "").searchParams.has("response-content-disposition")).toBe(false);
+  });
+});

package/src/files-provider-s3/s3-provider.ts

@@ -54,6 +54,14 @@ export function resolveForcePathStyle(config: S3ProviderConfig): boolean {
   return config.forcePathStyle ?? config.endpoint !== undefined;
 }
 
+// Bun's `virtualHostedStyle` is the inverse of the AWS-SDK `forcePathStyle`
+// knob this config exposes: path-style ⇔ virtualHostedStyle=false. Exported +
+// tested alongside resolveForcePathStyle because the inversion is exactly the
+// seam that silently breaks Minio/R2 if the `!` ever drifts.
+export function resolveVirtualHostedStyle(config: S3ProviderConfig): boolean {
+  return !resolveForcePathStyle(config);
+}
+
 export function createS3Provider(config: S3ProviderConfig): FileStorageProvider {
   const client = new Bun.S3Client({
     region: config.region,
@@ -61,9 +69,7 @@ export function createS3Provider(config: S3ProviderConfig): FileStorageProvider
     secretAccessKey: config.secretAccessKey,
     bucket: config.bucket,
     ...(config.endpoint !== undefined && { endpoint: config.endpoint }),
-    // Bun's virtualHostedStyle is the inverse of the AWS-SDK forcePathStyle
-    // knob this config exposes: path-style ⇔ virtualHostedStyle=false.
-    virtualHostedStyle: !resolveForcePathStyle(config),
+    virtualHostedStyle: resolveVirtualHostedStyle(config),
   });
 
   return {

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -1,4 +1,5 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createSystemUser } from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
@@ -16,7 +17,7 @@ import { BRANDING_QN, BRANDING_QUERY_QN } from "../branding";
 import { createManagedPagesCssFeature } from "../css-gate";
 import { createManagedPagesFeature } from "../feature";
 import { seedPage } from "../seeding";
-import { pageEntity } from "../table";
+import { type PageRow, pageEntity, pagesTable } from "../table";
 
 const TENANT_A = "11111111-1111-4111-8111-111111111111";
 const TENANT_B = "22222222-2222-4222-8222-222222222222";
@@ -286,6 +287,96 @@ describe("managed-pages :: set (Provisioning-API)", () => {
   });
 });
 
+// The SystemAdmin-only `tenantIdOverride` cross-tenant write path had zero
+// coverage (#382/2): not the happy path, not the access guard, not the
+// documented `executorUser`-rebase fix (the override must rebase the executor's
+// tenant or getStreamVersion runs against the wrong tenant → version_conflict
+// on the second write).
+describe("managed-pages :: set with tenantIdOverride (cross-tenant, SystemAdmin)", () => {
+  const sysAdmin = createTestUser({ id: 40, roles: ["SystemAdmin"] }); // distinct tenant
+
+  test("(a) SystemAdmin override writes the row under the TARGET tenant", async () => {
+    const res = await stack.http.writeOk<{ isNew: boolean }>(
+      "managed-pages:write:set",
+      {
+        slug: "sys-cross",
+        lang: "en",
+        title: "Cross-tenant by system",
+        body: "x",
+        published: true,
+        tenantIdOverride: TENANT_A,
+      },
+      sysAdmin,
+    );
+    expect(res).toMatchObject({ isNew: true });
+
+    // The persisted row carries TENANT_A — not the SystemAdmin's own tenant.
+    const row = await fetchOne<PageRow>(stack.db, pagesTable, {
+      tenantId: TENANT_A,
+      slug: "sys-cross",
+      lang: "en",
+    });
+    expect(row?.tenantId).toBe(TENANT_A);
+    expect(row?.title).toBe("Cross-tenant by system");
+
+    // End-to-end: it renders under a.* (TENANT_A) and is absent under b.*.
+    const aHtml = await (await stack.app.request("http://a.example.com/p/sys-cross")).text();
+    expect(aHtml).toContain("Cross-tenant by system");
+    const bRes = await stack.app.request("http://b.example.com/p/sys-cross");
+    expect(bRes.status).toBe(404);
+  });
+
+  test("(b) non-SystemAdmin with tenantIdOverride → access_denied", async () => {
+    const error = await stack.http.writeErr(
+      "managed-pages:write:set",
+      { slug: "sneak", lang: "en", title: "x", body: "y", tenantIdOverride: TENANT_B },
+      tenantAdmin, // TenantAdmin, NOT SystemAdmin
+    );
+    expectErrorIncludes(error, "access_denied");
+    expect(JSON.stringify(error)).toContain("tenant_override_requires_system_admin");
+
+    // The write was rejected — no row leaked into TENANT_B.
+    const leaked = await fetchOne<PageRow>(stack.db, pagesTable, {
+      tenantId: TENANT_B,
+      slug: "sneak",
+      lang: "en",
+    });
+    expect(leaked).toBeFalsy();
+  });
+
+  test("(c) SystemAdmin override on an EXISTING page updates it — no version_conflict", async () => {
+    // First override-write creates the row under TENANT_A.
+    await stack.http.writeOk(
+      "managed-pages:write:set",
+      {
+        slug: "sys-rebase",
+        lang: "en",
+        title: "v1",
+        body: "a",
+        published: true,
+        tenantIdOverride: TENANT_A,
+      },
+      sysAdmin,
+    );
+
+    // Second override-write must hit the UPDATE path. Two prior bugs broke this:
+    // (1) the existing-check used the tenant-scoped ctx.db → blind to the target
+    // tenant's row → create → unique_violation; (2) even reaching update,
+    // getStreamVersion ran against the executor's tenant → version_conflict.
+    // The fix reads the existing row through the unscoped runner AND rebases the
+    // executor user to the override tenant.
+    const second = await stack.http.writeOk<{ isNew: boolean }>(
+      "managed-pages:write:set",
+      { slug: "sys-rebase", lang: "en", title: "v2", body: "b", tenantIdOverride: TENANT_A },
+      sysAdmin,
+    );
+    expect(second).toMatchObject({ isNew: false });
+
+    const html = await (await stack.app.request("http://a.example.com/p/sys-rebase")).text();
+    expect(html).toContain("v2");
+  });
+});
+
 describe("managed-pages :: Branding (Config + Render)", () => {
   // config:write:set leitet tenantId aus user.tenantId ab → tenant-spezifische
   // Admins, damit das Branding auf TENANT_A bzw. TENANT_B landet (Host a.*/b.*).

package/src/managed-pages/handlers/set.write.ts

@@ -1,5 +1,5 @@
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
-import { createEventStoreExecutor } from "@cosmicdrift/kumiko-framework/db";
+import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
 import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { AccessDeniedError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
@@ -57,7 +57,17 @@ export const setWrite = defineWriteHandler({
     const executorUser =
       override !== undefined ? { ...event.user, tenantId: override as TenantId } : event.user; // @cast-boundary engine-bridge
 
-    const existing = await fetchOne<PageRow>(db, pagesTable, {
+    // ctx.db is tenant-scoped to the EXECUTING user (createTenantDb "tenant"
+    // mode). For a cross-tenant override that scope is wrong on BOTH the
+    // existing-check (blind to the target tenant's projection row → every
+    // re-provision retries as a create → unique_violation) AND the executor's
+    // stream reads (getStreamVersion/loadAggregate filtered to the executor's
+    // tenant → not_found/version_conflict). Re-scope a TenantDb to the resolved
+    // target tenant so reads and writes both land there. Safe: the override
+    // branch is SystemAdmin-gated above.
+    const scopedDb =
+      override !== undefined ? createTenantDb(db.raw, override as TenantId, "tenant") : db; // @cast-boundary engine-bridge
+    const existing = await fetchOne<PageRow>(scopedDb, pagesTable, {
       tenantId,
       slug: event.payload.slug,
       lang: event.payload.lang,
@@ -81,7 +91,7 @@ export const setWrite = defineWriteHandler({
           },
         },
         executorUser,
-        db,
+        scopedDb,
       );
       if (!result.isSuccess) return result;
       return {
@@ -102,7 +112,7 @@ export const setWrite = defineWriteHandler({
         tenantId,
       },
       executorUser,
-      db,
+      scopedDb,
     );
     if (!result.isSuccess) return result;
     return {

package/src/subscription-stripe/__tests__/runtime.test.ts

@@ -5,22 +5,40 @@
 // (das deckt der Integration-Test ab).
 
 import { describe, expect, test } from "bun:test";
-import type { ConfigKeyHandle, HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  type ConfigKeyHandle,
+  type HandlerContext,
+  qn,
+  toKebab,
+} from "@cosmicdrift/kumiko-framework/engine";
 import { FeatureDisabledError, UnconfiguredError } from "@cosmicdrift/kumiko-framework/errors";
 import { createSecret, type SecretsContext } from "@cosmicdrift/kumiko-framework/secrets";
 import Stripe from "stripe";
+import {
+  STRIPE_API_KEY_CONFIG,
+  STRIPE_BILLING_LIVE_CONFIG,
+  STRIPE_WEBHOOK_SECRET_CONFIG,
+  SUBSCRIPTION_STRIPE_FEATURE,
+} from "../constants";
 import { createStripeClientCache, createStripeRuntimes } from "../runtime";
 
+// Handle-Namen aus den kanonischen Konstanten + demselben Qualifier ableiten,
+// den r.config zur Build-Zeit anwendet (define-feature.ts: qn(toKebab(feature),
+// "config", toKebab(shortKey))). Eine hand-redeklarierte Fixture konnte still
+// von der Produktion driften (#421/2) — diese Ableitung macht das unmöglich.
+const configHandleName = (shortKey: string): string =>
+  qn(toKebab(SUBSCRIPTION_STRIPE_FEATURE), "config", toKebab(shortKey));
+
 const API_KEY_HANDLE: ConfigKeyHandle<"text"> = {
-  name: "subscription-stripe:config:api-key",
+  name: configHandleName(STRIPE_API_KEY_CONFIG),
   type: "text",
 };
 const WEBHOOK_SECRET_HANDLE: ConfigKeyHandle<"text"> = {
-  name: "subscription-stripe:config:webhook-secret",
+  name: configHandleName(STRIPE_WEBHOOK_SECRET_CONFIG),
   type: "text",
 };
 const BILLING_LIVE_HANDLE: ConfigKeyHandle<"boolean"> = {
-  name: "subscription-stripe:config:billing-live",
+  name: configHandleName(STRIPE_BILLING_LIVE_CONFIG),
   type: "boolean",
 };
 
@@ -42,13 +60,36 @@ function stubSecrets(values: Record<string, string>): SecretsContext {
   };
 }
 
+/** Wie stubSecrets, aber speichert den Wert ROH (kein JSON.stringify) — um
+ *  parseStoredSecret's Fehlerpfad zu treffen: ein Credential, das der Store
+ *  un-JSON-kodiert zurückgibt (Korruption oder ein außerhalb des
+ *  backing:"secrets"-Roundtrips geschriebener Wert) muss laut failen, nicht
+ *  still Müll liefern. */
+function rawSecretsStub(values: Record<string, string>): SecretsContext {
+  const nameOf = (k: string | { readonly name: string }): string =>
+    typeof k === "string" ? k : k.name;
+  return {
+    get: async (_tenantId, key) => {
+      const value = values[nameOf(key)];
+      return value === undefined ? undefined : createSecret(value); // RAW, not JSON
+    },
+    has: async (_tenantId, key) => values[nameOf(key)] !== undefined,
+    set: async () => undefined,
+    delete: async () => false,
+  };
+}
+
 /** Minimaler HandlerContext-Stub mit nur den Feldern, die die ctx-
  *  Resolution liest (secrets, _userId für audit, config). */
 function stubCtx(opts: { secrets?: SecretsContext; billingLive?: boolean }): HandlerContext {
   return {
     secrets: opts.secrets,
     _userId: "tester",
-    config: async () => opts.billingLive,
+    // Key-aware: antwortet NUR auf das billing-live-Handle. Liest
+    // assertBillingLive versehentlich einen anderen Config-Key, kommt undefined
+    // zurück → Gate schließt → der "passes when true"-Test schlägt fehl (#421/3).
+    config: async (handle: ConfigKeyHandle<"boolean">) =>
+      handle.name === BILLING_LIVE_HANDLE.name ? opts.billingLive : undefined,
   } as unknown as HandlerContext; // @cast-boundary test-stub — partial ctx
 }
 
@@ -116,6 +157,19 @@ describe("StripeCtxRuntime.clientForCtx", () => {
     const ctx = stubCtx({ secrets: stubSecrets({}) });
     await expect(rt.ctx.clientForCtx(ctx)).rejects.toBeInstanceOf(UnconfiguredError);
   });
+
+  test("throws loudly on a malformed (non-JSON) stored credential (#393/2)", async () => {
+    // The store round-trips backing:"secrets" values JSON-encoded; a raw,
+    // un-quoted value reaching parseStoredSecret means corruption — it must
+    // throw, not silently fall through to undefined/fallback.
+    const rt = makeRuntimes({ apiKey: "sk_test_fallback" });
+    const ctx = stubCtx({
+      secrets: rawSecretsStub({ [API_KEY_HANDLE.name]: "sk_test_raw_unquoted" }),
+    });
+    await expect(rt.ctx.clientForCtx(ctx)).rejects.toThrow(
+      /Invalid JSON in subscription-stripe credential/,
+    );
+  });
 });
 
 // =============================================================================