@cosmicdrift/kumiko-bundled-features 0.64.0 → 0.66.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.64.0",
+  "version": "0.66.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.57.2",
-    "@cosmicdrift/kumiko-framework": "0.57.2",
-    "@cosmicdrift/kumiko-headless": "0.57.2",
-    "@cosmicdrift/kumiko-renderer": "0.57.2",
-    "@cosmicdrift/kumiko-renderer-web": "0.57.2",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.66.0",
+    "@cosmicdrift/kumiko-framework": "0.66.0",
+    "@cosmicdrift/kumiko-headless": "0.66.0",
+    "@cosmicdrift/kumiko-renderer": "0.66.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.66.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/handlers/token-request-handler.ts

@@ -98,6 +98,7 @@ export function createTokenRequestHandler<TName extends string, TSuccessKind ext
       // client can observe it through the HTTP surface.
       if (!user || user.isDeleted || !user.email || spec.extraSilentSkip(user)) {
         const data: TokenRequestData<TSuccessKind> = { kind: "no-op" };
+        // skip: silent no-op — uniform response prevents user-enumeration probing
         return { isSuccess: true, data };
       }
 

package/src/config/__tests__/write-helpers.test.ts

@@ -0,0 +1,152 @@
+import { describe, expect, test } from "bun:test";
+import {
+  ConfigScopes,
+  createTenantConfig,
+  SYSTEM_ROLE,
+  SYSTEM_TENANT_ID,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import type { KumikoError } from "@cosmicdrift/kumiko-framework/errors";
+import {
+  checkScopeWriteAccess,
+  hasConfigAccess,
+  resolveScopeIds,
+  validatePattern,
+  validateScope,
+  validateType,
+} from "../write-helpers";
+
+// Reading the field-level code at a test boundary — KumikoError.details is
+// per-error `unknown`, so one documented cast beats per-assertion narrowing.
+function fieldCode(err: KumikoError | null): string | undefined {
+  const d = err?.details as { fields?: ReadonlyArray<{ code: string }> } | undefined;
+  return d?.fields?.[0]?.code;
+}
+
+describe("hasConfigAccess", () => {
+  test('"all" grants every caller, including one with no roles', () => {
+    expect(hasConfigAccess(["all"], [])).toBe(true);
+    expect(hasConfigAccess(["all"], ["whatever"])).toBe(true);
+  });
+
+  test("grants when a user role intersects the access list", () => {
+    expect(hasConfigAccess(["Admin", "Editor"], ["Viewer", "Editor"])).toBe(true);
+  });
+
+  test('denies when no role intersects and "all" is absent', () => {
+    expect(hasConfigAccess(["Admin"], ["Viewer"])).toBe(false);
+    expect(hasConfigAccess([], ["Admin"])).toBe(false);
+  });
+});
+
+describe("checkScopeWriteAccess", () => {
+  test("non-system scope is always allowed (no level gate)", () => {
+    expect(checkScopeWriteAccess(ConfigScopes.tenant, [])).toBeNull();
+    expect(checkScopeWriteAccess(ConfigScopes.user, ["Viewer"])).toBeNull();
+  });
+
+  test("system scope allows the machine actor (SYSTEM_ROLE)", () => {
+    expect(checkScopeWriteAccess(ConfigScopes.system, [SYSTEM_ROLE])).toBeNull();
+  });
+
+  test("system scope allows SystemAdmin", () => {
+    expect(checkScopeWriteAccess(ConfigScopes.system, ["SystemAdmin"])).toBeNull();
+  });
+
+  test("system scope denies a TenantAdmin", () => {
+    const err = checkScopeWriteAccess(ConfigScopes.system, ["TenantAdmin"]);
+    expect(err?.code).toBe("access_denied");
+    expect(err?.i18nKey).toBe("config.errors.systemScopeWriteDenied");
+  });
+});
+
+describe("validateScope", () => {
+  test("a scope at or below the defined level is allowed", () => {
+    // defined = user (most specific): system + tenant + user all fit under it.
+    expect(validateScope(ConfigScopes.system, ConfigScopes.user, "k")).toBeNull();
+    expect(validateScope(ConfigScopes.tenant, ConfigScopes.user, "k")).toBeNull();
+    expect(validateScope(ConfigScopes.user, ConfigScopes.user, "k")).toBeNull();
+  });
+
+  test("requesting a more specific scope than defined is rejected", () => {
+    // defined = tenant, requested = user (more specific) -> reject.
+    const err = validateScope(ConfigScopes.user, ConfigScopes.tenant, "my:key");
+    expect(err?.code).toBe("unprocessable");
+    expect(err?.i18nKey).toBe("config.errors.invalidScope");
+  });
+});
+
+describe("resolveScopeIds", () => {
+  const tenant = "tenant-9" as TenantId;
+
+  test("system scope pins SYSTEM_TENANT_ID and drops the user", () => {
+    expect(resolveScopeIds(ConfigScopes.system, tenant, "user-1")).toEqual({
+      tenantId: SYSTEM_TENANT_ID,
+      userId: null,
+    });
+  });
+
+  test("tenant scope keeps the tenant, drops the user", () => {
+    expect(resolveScopeIds(ConfigScopes.tenant, tenant, "user-1")).toEqual({
+      tenantId: tenant,
+      userId: null,
+    });
+  });
+
+  test("user scope keeps both tenant and user", () => {
+    expect(resolveScopeIds(ConfigScopes.user, tenant, "user-1")).toEqual({
+      tenantId: tenant,
+      userId: "user-1",
+    });
+  });
+});
+
+describe("validateType", () => {
+  const numberKey = createTenantConfig("number", {});
+  const boolKey = createTenantConfig("boolean", {});
+  const textKey = createTenantConfig("text", {});
+  const selectKey = createTenantConfig("select", { options: ["a", "b"] });
+
+  test("accepts a matching primitive for each type", () => {
+    expect(validateType(5, numberKey)).toBeNull();
+    expect(validateType(true, boolKey)).toBeNull();
+    expect(validateType("x", textKey)).toBeNull();
+    expect(validateType("a", selectKey)).toBeNull();
+  });
+
+  test("rejects a mismatching primitive with invalid_type", () => {
+    const err = validateType("5", numberKey);
+    expect(err?.code).toBe("validation_error");
+    expect(fieldCode(err)).toBe("invalid_type");
+  });
+
+  test("select rejects a value outside its options with invalid_option", () => {
+    const err = validateType("c", selectKey);
+    expect(err?.code).toBe("validation_error");
+    expect(fieldCode(err)).toBe("invalid_option");
+  });
+});
+
+describe("validatePattern", () => {
+  const textKey = createTenantConfig("text", { pattern: { regex: "^[a-z]+$" } });
+
+  test("returns null when the value matches the pattern", () => {
+    expect(validatePattern("abc", textKey)).toBeNull();
+  });
+
+  test("rejects a non-matching value with invalid_format", () => {
+    const err = validatePattern("AB1", textKey);
+    expect(err?.code).toBe("validation_error");
+    expect(fieldCode(err)).toBe("invalid_format");
+  });
+
+  test("a malformed author regex surfaces as InternalError, not a throw", () => {
+    const badKey = createTenantConfig("text", { pattern: { regex: "(" } });
+    const err = validatePattern("abc", badKey);
+    expect(err?.code).toBe("internal_error");
+  });
+
+  test("non-text keys (no pattern applicable) are skipped", () => {
+    expect(validatePattern(5, createTenantConfig("number", {}))).toBeNull();
+  });
+});

package/src/config/handlers/readiness.query.ts

@@ -87,6 +87,7 @@ export async function collectMissingRequiredConfig(
     if (keyDef.required !== true) continue;
     if (!effectiveGate(qualifiedKey)) continue;
     if (options?.skipAccessFilter !== true && !hasConfigAccess(keyDef.access.read, user.roles)) {
+      // skip: key not visible to this user's roles (access-filtered listing)
       continue;
     }
     candidates.set(qualifiedKey, keyDef);

package/src/config/read-redaction.ts

@@ -24,7 +24,6 @@ const OWN_SOURCES: ReadonlySet<ConfigValueSource> = new Set(["user-row", "tenant
 // flagging a working key as missing would nag tenants to set already-
 // functioning config. So "nor that it is set" holds for the value queries, not
 // for the functional readiness rollup. See readiness.query.ts.
-// Shared mask for redacted config values across the read handlers (cascade + values).
 export const MASKED = "••••••";
 
 export function mayViewInheritedValue(roles: readonly string[]): boolean {

package/src/custom-fields/__tests__/custom-fields.integration.test.ts

@@ -105,9 +105,11 @@ beforeEach(async () => {
 const admin = createTestUser({ roles: ["TenantAdmin"] });
 const systemAdmin = createTestUser({ roles: ["SystemAdmin"] });
 
+// Active definitions only — delete soft-deletes (the deterministic stream is
+// kept so a re-define can restore it), so isDeleted rows must not count.
 async function countDefinitions(tenantId: string, fieldKey: string): Promise<number> {
   const rows = await asRawClient(stack.db).unsafe(
-    "SELECT count(*)::int AS n FROM read_custom_field_definitions WHERE tenant_id = $1 AND field_key = $2",
+    "SELECT count(*)::int AS n FROM read_custom_field_definitions WHERE tenant_id = $1 AND field_key = $2 AND is_deleted = FALSE",
     [tenantId, fieldKey],
   );
   return (rows as ReadonlyArray<{ n: number }>)[0]?.n ?? 0;
@@ -124,6 +126,22 @@ async function fetchDefinitionRow(
   return (rows as ReadonlyArray<Record<string, unknown>>)[0];
 }
 
+// The persisted customField.set event payload for a (host aggregate, fieldKey),
+// or undefined if none. Used to assert what did / didn't land in kumiko_events.
+async function fetchSetEventPayload(
+  aggregateId: string,
+  fieldKey: string,
+): Promise<Record<string, unknown> | undefined> {
+  const rows = await asRawClient(stack.db).unsafe(
+    "SELECT payload FROM kumiko_events WHERE aggregate_id = $1",
+    [aggregateId],
+  );
+  const payloads = (rows as ReadonlyArray<{ payload: unknown }>).map((r) =>
+    typeof r.payload === "string" ? JSON.parse(r.payload) : r.payload,
+  ) as Array<Record<string, unknown>>;
+  return payloads.find((p) => p?.["fieldKey"] === fieldKey);
+}
+
 async function defineField(entityName: string, fieldKey: string, type = "text") {
   return stack.http.writeOk(
     "custom-fields:write:define-tenant-field",
@@ -359,6 +377,182 @@ describe("custom-fields integration — define/delete handler coverage (B1)", ()
   });
 });
 
+describe("custom-fields integration — define resurrection (B1)", () => {
+  test("tenant: define → delete → re-define same fieldKey succeeds with the new payload", async () => {
+    await defineField("property", "recur", "text");
+    expect(await countDefinitions(admin.tenantId, "recur")).toBe(1);
+
+    await stack.http.writeOk(
+      "custom-fields:write:delete-tenant-field",
+      { entityName: "property", fieldKey: "recur" },
+      admin,
+    );
+    expect(await countDefinitions(admin.tenantId, "recur")).toBe(0);
+
+    // Re-defining the same (entity, fieldKey) — deterministic id, the stream was
+    // deleted — must succeed (resurrect) AND reflect the new definition payload.
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "recur",
+        serializedField: { type: "number" },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    expect(await countDefinitions(admin.tenantId, "recur")).toBe(1);
+    const row = await fetchDefinitionRow(admin.tenantId, "recur");
+    expect(row?.["type"]).toBe("number");
+  });
+
+  test("system: define → delete → re-define same fieldKey succeeds", async () => {
+    const def = {
+      entityName: "property",
+      fieldKey: "vendorRecur",
+      serializedField: { type: "text" },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    };
+    await stack.http.writeOk("custom-fields:write:define-system-field", def, systemAdmin);
+    await stack.http.writeOk(
+      "custom-fields:write:delete-system-field",
+      { entityName: "property", fieldKey: "vendorRecur" },
+      systemAdmin,
+    );
+    expect(await countDefinitions(SYSTEM_TENANT_ID, "vendorRecur")).toBe(0);
+
+    await stack.http.writeOk("custom-fields:write:define-system-field", def, systemAdmin);
+    expect(await countDefinitions(SYSTEM_TENANT_ID, "vendorRecur")).toBe(1);
+  });
+});
+
+describe("custom-fields integration — sensitive value self-projected, kept out of the event log (#2)", () => {
+  test("sensitive field: value reaches the projection but NOT kumiko_events", async () => {
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "taxId",
+        serializedField: { type: "text", sensitive: true },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    const propId = "aaaaaaaa-aaaa-4000-8000-0000000000a1";
+    await createProperty(propId, "Sensitive Prop");
+    await setCustomField("property", propId, "taxId", "DE-TAX-999");
+
+    // Read model HAS the value — self-projected directly into the host row.
+    const props = await listProperties();
+    const row = props.rows.find((r) => r["id"] === propId);
+    expect(row?.["taxId"]).toBe("DE-TAX-999");
+
+    // The immutable event log does NOT carry the value (erasable by design).
+    const payload = await fetchSetEventPayload(propId, "taxId");
+    expect(payload).toBeDefined();
+    expect(payload?.["fieldKey"]).toBe("taxId");
+    expect(payload && "value" in payload).toBe(false);
+  });
+
+  test("non-sensitive field: value IS in the event log (control)", async () => {
+    const propId = "aaaaaaaa-aaaa-4000-8000-0000000000a2";
+    await defineField("property", "publicNote", "text");
+    await createProperty(propId, "Public Prop");
+    await setCustomField("property", propId, "publicNote", "visible");
+
+    const payload = await fetchSetEventPayload(propId, "publicNote");
+    expect(payload?.["value"]).toBe("visible");
+  });
+
+  test("rebuild replay: re-applying logged events restores non-sensitive, not sensitive", async () => {
+    await defineField("property", "publicTag", "text");
+    await stack.http.writeOk(
+      "custom-fields:write:define-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "secret",
+        serializedField: { type: "text", sensitive: true },
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    const propId = "aaaaaaaa-aaaa-4000-8000-0000000000a3";
+    await createProperty(propId, "Rebuild Prop");
+    await setCustomField("property", propId, "publicTag", "keepme");
+    await setCustomField("property", propId, "secret", "DE-TAX-777");
+    await stack.eventDispatcher?.runOnce();
+
+    // Wipe the read model, then replay the logged events through the REAL MSP
+    // apply fn — exactly the derivation a rebuild performs — without mutating
+    // consumer state (which would pollute the shared stack).
+    await asRawClient(stack.db).unsafe(
+      "UPDATE read_t1_properties SET custom_fields = '{}'::jsonb WHERE id = $1",
+      [propId],
+    );
+    const mspEntry = [...stack.registry.getAllMultiStreamProjections().entries()].find(([name]) =>
+      name.includes("property"),
+    );
+    expect(mspEntry).toBeDefined();
+    const apply = mspEntry?.[1].apply ?? {};
+    const events = (await asRawClient(stack.db).unsafe(
+      "SELECT type, payload FROM kumiko_events WHERE aggregate_id = $1 ORDER BY id ASC",
+      [propId],
+    )) as ReadonlyArray<{ type: string; payload: unknown }>;
+    // The MSP apply value-type declares a 3rd rebuild-context arg; custom-fields'
+    // apply only reads (event, tx), so narrow the call to those two for replay.
+    type ReplayApplyFn = (event: Record<string, unknown>, tx: unknown) => Promise<void>;
+    for (const e of events) {
+      const fn = apply[e.type] as ReplayApplyFn | undefined;
+      if (!fn) continue;
+      const payload = typeof e.payload === "string" ? JSON.parse(e.payload) : e.payload;
+      await fn(
+        {
+          type: e.type,
+          payload,
+          aggregateId: propId,
+          aggregateType: "property",
+          tenantId: admin.tenantId,
+        },
+        asRawClient(stack.db),
+      );
+    }
+
+    const row = (await listProperties()).rows.find((r) => r["id"] === propId);
+    // Non-sensitive: restored from its value-bearing event.
+    expect(row?.["publicTag"]).toBe("keepme");
+    // Sensitive: the logged event carried no value → gone. The accepted, DURABLE
+    // rebuild-loss — and why a forget can't be undone by a rebuild.
+    expect(row?.["secret"]).toBeUndefined();
+  });
+
+  test("update-tenant-field rejects flipping `sensitive` (would orphan logged PII)", async () => {
+    await defineField("property", "maybePii", "text"); // non-sensitive at definition
+    const err = await stack.http.writeErr(
+      "custom-fields:write:update-tenant-field",
+      {
+        entityName: "property",
+        fieldKey: "maybePii",
+        serializedField: { type: "text", sensitive: true }, // attempt the flip
+        required: false,
+        searchable: false,
+        displayOrder: 0,
+      },
+      admin,
+    );
+    expect(err.httpStatus).toBe(422);
+    expect(err.code).toBe("unprocessable");
+    expect(err.details).toMatchObject({ reason: "field_sensitive_immutable" });
+  });
+});
+
 describe("custom-fields integration — value validation (Builder-Reuse)", () => {
   async function setErr(entityId: string, fieldKey: string, value: unknown) {
     return stack.http.writeErr(

package/src/custom-fields/__tests__/feature.test.ts

@@ -171,10 +171,7 @@ describe("createCustomFieldsFeature access-options", () => {
     expect(listAccess(feature)).toEqual(["Admin", "Editor"]);
   });
 
-  // #334/2: valueWriteRoles ohne fieldDefinitionListRoles brach asymmetrisch —
-  // Save offen für App-Rollen, aber der List-Lade-Pfad blieb ["TenantAdmin"] →
-  // App-User bekamen access_denied, die FormSection lud nie. Die Value-Rollen
-  // erben jetzt in den List-Default (Union mit dem Default).
+  // valueWriteRoles without fieldDefinitionListRoles broke asymmetrically (save open, list closed) — value roles now inherit into the list default.
   test("valueWriteRoles erbt in den List-Default wenn fieldDefinitionListRoles fehlt", () => {
     const feature = createCustomFieldsFeature({ valueWriteRoles: ["Admin", "Editor"] });
     const roles = listAccess(feature);

package/src/custom-fields/__tests__/field-write-access.test.ts

@@ -0,0 +1,34 @@
+import { describe, expect, test } from "bun:test";
+import { fieldWriteAccessDeniedRoles } from "../lib/field-access";
+import type { SerializedFieldShape } from "../lib/parse-serialized-field";
+
+function field(write?: ReadonlyArray<string>): SerializedFieldShape {
+  return { type: "text", ...(write ? { fieldAccess: { write } } : {}) };
+}
+
+describe("fieldWriteAccessDeniedRoles", () => {
+  test("allows (null) when the definition is absent", () => {
+    expect(fieldWriteAccessDeniedRoles(null, ["Viewer"])).toBeNull();
+  });
+
+  test("allows (null) when no write restriction is declared", () => {
+    expect(fieldWriteAccessDeniedRoles(field(), ["Viewer"])).toBeNull();
+    expect(fieldWriteAccessDeniedRoles(field([]), ["Viewer"])).toBeNull();
+  });
+
+  test("allows when a user role intersects the required roles", () => {
+    expect(
+      fieldWriteAccessDeniedRoles(field(["TenantAdmin"]), ["Viewer", "TenantAdmin"]),
+    ).toBeNull();
+  });
+
+  test("returns the required roles when the user lacks them", () => {
+    expect(fieldWriteAccessDeniedRoles(field(["TenantAdmin"]), ["Viewer"])).toEqual([
+      "TenantAdmin",
+    ]);
+  });
+
+  test("match is exact — a drifted role name (Admin vs TenantAdmin) denies", () => {
+    expect(fieldWriteAccessDeniedRoles(field(["TenantAdmin"]), ["Admin"])).toEqual(["TenantAdmin"]);
+  });
+});

package/src/custom-fields/__tests__/parse-serialized-field.test.ts

@@ -0,0 +1,45 @@
+import { describe, expect, test } from "bun:test";
+import { isFieldDefinitionRow, parseSerializedField } from "../lib/parse-serialized-field";
+
+describe("parseSerializedField", () => {
+  test("parses a valid JSON string into the typed shape", () => {
+    const parsed = parseSerializedField('{"type":"text","sensitive":true}');
+    expect(parsed).toEqual({ type: "text", sensitive: true });
+  });
+
+  test("accepts an already-parsed object (jsonb-tolerant driver path)", () => {
+    const obj = { type: "select", fieldAccess: { write: ["TenantAdmin"] } };
+    expect(parseSerializedField(obj)).toBe(obj);
+  });
+
+  test("returns null for a corrupt JSON string", () => {
+    expect(parseSerializedField("{not json")).toBeNull();
+  });
+
+  test("returns null when the shape lacks a string type", () => {
+    expect(parseSerializedField('{"sensitive":true}')).toBeNull();
+    expect(parseSerializedField({ type: 42 })).toBeNull();
+  });
+
+  test("returns null for non-object inputs", () => {
+    expect(parseSerializedField(null)).toBeNull();
+    expect(parseSerializedField(undefined)).toBeNull();
+    expect(parseSerializedField(7)).toBeNull();
+  });
+});
+
+describe("isFieldDefinitionRow", () => {
+  test("true for a row with a string field_key", () => {
+    expect(isFieldDefinitionRow({ field_key: "code", serialized_field: "{}" })).toBe(true);
+  });
+
+  test("false when field_key is missing or not a string", () => {
+    expect(isFieldDefinitionRow({ serialized_field: "{}" })).toBe(false);
+    expect(isFieldDefinitionRow({ field_key: 1 })).toBe(false);
+  });
+
+  test("false for non-object inputs", () => {
+    expect(isFieldDefinitionRow(null)).toBe(false);
+    expect(isFieldDefinitionRow("field_key")).toBe(false);
+  });
+});

package/src/custom-fields/__tests__/user-data-rights.integration.test.ts

@@ -355,6 +355,23 @@ describe("T1.5c: custom-fields user-data-rights through the real runners", () =>
     expect(customFields).toBeDefined();
     expect(customFields).not.toHaveProperty("email");
     expect(customFields).toMatchObject({ vipFlag: true });
+
+    // The other half of erasure: the sensitive value was self-projected and the
+    // customField.set event was persisted value-less — so PII never entered the
+    // immutable log. Without this, the strip above would be undone by a rebuild.
+    const eventRows = await asRawClient(stack.db).unsafe(
+      "SELECT payload FROM kumiko_events WHERE aggregate_id = $1",
+      [propertyId],
+    );
+    const setPayloads = (eventRows as ReadonlyArray<{ payload: unknown }>).map((r) =>
+      typeof r.payload === "string" ? JSON.parse(r.payload) : r.payload,
+    ) as Array<Record<string, unknown>>;
+    const emailSet = setPayloads.find((p) => p?.["fieldKey"] === "email");
+    expect(emailSet).toBeDefined();
+    expect(emailSet && "value" in emailSet).toBe(false);
+    // Control: the non-sensitive value DID go through the log (normal path).
+    const vipSet = setPayloads.find((p) => p?.["fieldKey"] === "vipFlag");
+    expect(vipSet?.["value"]).toBe(true);
   });
 
   test("forget delete (no override → strategy delete): host removes the row, strip is a no-op", async () => {

package/src/custom-fields/db/queries/quota.ts

@@ -2,8 +2,10 @@ import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { TenantDb } from "@cosmicdrift/kumiko-framework/db";
 
 export async function countTenantFieldDefinitions(db: TenantDb, tenantId: string): Promise<number> {
+  // Active definitions only — delete soft-deletes (the deterministic stream is
+  // kept so a re-define can restore it), so isDeleted rows must not consume quota.
   const rowsResult = await asRawClient(db.raw).unsafe(
-    "SELECT COUNT(*)::int AS n FROM read_custom_field_definitions WHERE tenant_id = $1",
+    "SELECT COUNT(*)::int AS n FROM read_custom_field_definitions WHERE tenant_id = $1 AND is_deleted = FALSE",
     [tenantId],
   );
   const rows = rowsResult as ReadonlyArray<Record<string, unknown>>; // @cast-boundary db-row

package/src/custom-fields/entity.ts

@@ -36,11 +36,18 @@ import {
 //     columns + events.
 export const fieldDefinitionEntity = createEntity({
   table: "read_custom_field_definitions",
+  // softDelete is required, NOT cosmetic: the aggregate-id is deterministic
+  // (uuidv5(tenantId|entityName|fieldKey)), so deleting a definition leaves a
+  // (created+deleted) event stream under that id. A hard delete would force the
+  // next define to create() at version 0 onto that stream → version_conflict —
+  // a deleted (entity, fieldKey) could never be re-defined. With softDelete the
+  // define handlers resurrect via restore()+update() (see define-or-resurrect).
+  // NB: `retention.strategy` below is the data-retention purge policy, a
+  // SEPARATE knob from this executor flag — it does not drive executor.delete.
+  softDelete: true,
   // B1.5 retention-policy — fieldDefinitions sind tenant-Schema-Metadaten,
   // keine PII-Daten. Lange Retention für Audit (Compliance kann "wann hat
-  // Tenant das Feld definiert / geändert / gelöscht" fragen). Strategy
-  // softDelete: row bleibt als marker, value-cleanup (in B2's MSP) macht
-  // die eigentliche Anonymisierung wenn customFields PII enthielten.
+  // Tenant das Feld definiert / geändert / gelöscht" fragen).
   //
   // 10-Jahre keepFor ist konservativer Default; per-Tenant kann via
   // tenantRetentionOverride für eigene Edge-Cases gesetzt werden

package/src/custom-fields/events.ts

@@ -11,7 +11,10 @@ import { z } from "zod";
 
 export const customFieldSetSchema = z.object({
   fieldKey: z.string().min(1).max(64),
-  value: z.unknown(),
+  // Optional: a `sensitive`-field set persists a VALUE-LESS event — the value is
+  // self-projected into the host row by the write handler and must never enter
+  // the immutable log. Non-sensitive sets always carry the value.
+  value: z.unknown().optional(),
 });
 export type CustomFieldSetPayload = z.infer<typeof customFieldSetSchema>;
 

package/src/custom-fields/feature.ts

@@ -176,14 +176,10 @@ export type CustomFieldsFeatureOptions = {
    *  gesetzt, dies aber NICHT, erben die Value-Rollen hier hinein (Union mit
    *  dem Default, damit Admins den List-Zugriff behalten) — sonst lädt die
    *  FormSection für Value-Writer nie (access_denied), während der Save-Pfad
-   *  offen wäre (#334/2, asymmetrischer Bruch). */
+   *  offen wäre (asymmetrischer Bruch). */
   readonly fieldDefinitionListRoles?: readonly string[];
 };
 
-// Der List-Pfad muss jeden abdecken, der Values schreiben darf — sonst lädt die
-// FormSection nie. Explizite fieldDefinitionListRoles gewinnen; sonst: gesetzte
-// valueWriteRoles erben in den List-Default (Union mit dem Default), ungesetzte
-// → reiner Default.
 export function resolveFieldDefinitionListRoles(
   opts: Pick<CustomFieldsFeatureOptions, "valueWriteRoles" | "fieldDefinitionListRoles">,
 ): readonly string[] {

package/src/custom-fields/handlers/define-system-field.write.ts

@@ -1,6 +1,6 @@
 import { SYSTEM_TENANT_ID, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { fieldDefinitionAggregateId } from "../aggregate-id";
-import { fieldDefinitionExecutor } from "../executor";
+import { defineOrResurrectFieldDefinition } from "../lib/define-or-resurrect";
 import { buildFieldDefinitionColumns } from "../lib/field-definition-row";
 import { type DefineFieldPayload, defineFieldPayloadSchema } from "../schemas";
 
@@ -33,8 +33,9 @@ export const defineSystemFieldHandler: WriteHandlerDef = {
     // — the row lives in the system-scope-stream.
     const systemUser = { ...event.user, tenantId: SYSTEM_TENANT_ID };
 
-    return fieldDefinitionExecutor.create(
-      { id: aggregateId, ...buildFieldDefinitionColumns(payload) },
+    return defineOrResurrectFieldDefinition(
+      aggregateId,
+      buildFieldDefinitionColumns(payload),
       systemUser,
       ctx.db,
     );

package/src/custom-fields/handlers/define-tenant-field.write.ts

@@ -1,7 +1,7 @@
 import { isSystemTenant, type WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { failUnprocessable } from "@cosmicdrift/kumiko-framework/errors";
 import { fieldDefinitionAggregateId } from "../aggregate-id";
-import { fieldDefinitionExecutor } from "../executor";
+import { defineOrResurrectFieldDefinition } from "../lib/define-or-resurrect";
 import { buildFieldDefinitionColumns } from "../lib/field-definition-row";
 import { countTenantFieldDefinitions } from "../lib/quota";
 import { type DefineFieldPayload, defineFieldPayloadSchema } from "../schemas";
@@ -75,8 +75,9 @@ export function createDefineTenantFieldHandler(
         payload.fieldKey,
       );
 
-      return fieldDefinitionExecutor.create(
-        { id: aggregateId, ...buildFieldDefinitionColumns(payload) },
+      return defineOrResurrectFieldDefinition(
+        aggregateId,
+        buildFieldDefinitionColumns(payload),
         event.user,
         ctx.db,
       );