@cosmicdrift/kumiko-bundled-features 0.65.0 → 0.67.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.65.0",
+  "version": "0.67.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.65.0",
-    "@cosmicdrift/kumiko-framework": "0.65.0",
-    "@cosmicdrift/kumiko-headless": "0.65.0",
-    "@cosmicdrift/kumiko-renderer": "0.65.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.65.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.67.0",
+    "@cosmicdrift/kumiko-framework": "0.67.0",
+    "@cosmicdrift/kumiko-headless": "0.67.0",
+    "@cosmicdrift/kumiko-renderer": "0.67.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.67.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/handlers/token-request-handler.ts

@@ -98,6 +98,7 @@ export function createTokenRequestHandler<TName extends string, TSuccessKind ext
       // client can observe it through the HTTP surface.
       if (!user || user.isDeleted || !user.email || spec.extraSilentSkip(user)) {
         const data: TokenRequestData<TSuccessKind> = { kind: "no-op" };
+        // skip: silent no-op — uniform response prevents user-enumeration probing
         return { isSuccess: true, data };
       }
 

package/src/config/handlers/readiness.query.ts

@@ -87,6 +87,7 @@ export async function collectMissingRequiredConfig(
     if (keyDef.required !== true) continue;
     if (!effectiveGate(qualifiedKey)) continue;
     if (options?.skipAccessFilter !== true && !hasConfigAccess(keyDef.access.read, user.roles)) {
+      // skip: key not visible to this user's roles (access-filtered listing)
       continue;
     }
     candidates.set(qualifiedKey, keyDef);

package/src/custom-fields/web/__tests__/custom-fields-form-section.test.tsx

@@ -334,11 +334,13 @@ describe("CustomFieldsFormSection — boolean/date-Pfade", () => {
       </Wrapper>,
     );
 
-    // boolean rendert als Checkbox — Bestand steckt in checked, nicht value.
-    const input = document.getElementById("custom-field-active") as HTMLInputElement;
-    expect(input.checked).toBe(true);
+    // boolean = vendored Radix-Checkbox → button[role=checkbox], Bestand steckt
+    // in aria-checked (kein natives .checked).
+    const checkbox = document.getElementById("custom-field-active");
+    if (checkbox === null) throw new Error("boolean checkbox not rendered");
+    expect(checkbox.getAttribute("aria-checked")).toBe("true");
 
-    fireEvent.click(input);
+    fireEvent.click(checkbox);
     fireEvent.click(screen.getByTestId("custom-fields-form-save"));
     await Promise.resolve();
     await Promise.resolve();

package/src/legal-pages/web/__tests__/client-plugin.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, test } from "bun:test";
+import type { TreeNode } from "@cosmicdrift/kumiko-framework/engine";
+import { legalPagesClient } from "../client-plugin";
+
+// Deckt die drei neuen Migrations-Pfade (advisor-Gap): navId-Attach,
+// no-leak ohne navId, und der Unwrap (Provider emittiert die slug-Folder
+// direkt, NICHT mehr unter einem "Legal"-Wrapper — der App-r.nav-Knoten
+// IST der Container). legal-pages ist fetch-frei → Provider direkt aufrufbar.
+
+function collect(
+  provider: () => (emit: (n: readonly TreeNode[]) => void) => () => void,
+): readonly TreeNode[] {
+  let emitted: readonly TreeNode[] | undefined;
+  const unsub = provider()((nodes) => {
+    emitted = nodes;
+  });
+  unsub();
+  if (emitted === undefined) throw new Error("provider emitted nothing");
+  return emitted;
+}
+
+describe("legalPagesClient", () => {
+  test("ohne navId: kein navProvider (server-only-Consumer leaken keinen Node)", () => {
+    const def = legalPagesClient();
+    expect(def.name).toBe("legal-pages");
+    expect(def.navProviders).toBeUndefined();
+  });
+
+  test("mit navId: Provider hängt unter exakt dieser (pass-through) QN", () => {
+    const navId = "publicstatus:nav:legal";
+    const def = legalPagesClient({ navId });
+    expect(Object.keys(def.navProviders ?? {})).toEqual([navId]);
+  });
+
+  test("Provider unwrappt den Legal-Container: Top-Level sind die slug-Folder", () => {
+    const navId = "publicstatus:nav:legal";
+    const provider = legalPagesClient({ navId }).navProviders?.[navId];
+    if (provider === undefined) throw new Error("provider missing");
+    const emitted = collect(provider);
+
+    // Kein "Legal"-Wrapper mehr — der App-Knoten ist der Container.
+    expect(emitted.some((n) => n.label === "Legal")).toBe(false);
+    expect(emitted.length).toBeGreaterThan(0);
+
+    // Jeder Top-Level-Knoten ist ein slug-Folder mit lang-Leaves, die per
+    // Cross-Link auf text-content:edit zeigen.
+    const folder = emitted[0];
+    expect(Array.isArray(folder?.children)).toBe(true);
+    const langLeaf = Array.isArray(folder?.children) ? folder?.children[0] : undefined;
+    expect(langLeaf?.target?.featureId).toBe("text-content");
+    expect(langLeaf?.target?.action).toBe("edit");
+  });
+});

package/src/legal-pages/web/client-plugin.ts

@@ -63,20 +63,19 @@ const treeProvider: TreeChildrenSubscribe = () => (emit) => {
     });
   }
 
-  emit([
-    {
-      label: "Legal",
-      icon: "folder",
-      state: "filled",
-      children: slugFolders,
-    },
-  ]);
+  // Der App-seitige r.nav-Knoten IST der "Legal"-Container → der Provider
+  // emittiert die slug-Folder direkt darunter.
+  emit(slugFolders);
   return () => {};
 };
 
-export function legalPagesClient(): ClientFeatureDefinition {
+// `navId` = QN des r.nav({ provider: true })-Knotens den die App registriert.
+// Statisch (kein Fetch, keine Entities) → kein SSE-Refresh nötig. Ohne navId:
+// kein Sidebar-Knoten (server-only-Consumer leaken nichts).
+export function legalPagesClient(opts?: { readonly navId?: string }): ClientFeatureDefinition {
+  const navId = opts?.navId;
   return {
     name: "legal-pages",
-    treeProvider,
+    ...(navId !== undefined && { navProviders: { [navId]: treeProvider } }),
   };
 }

package/src/text-content/web/__tests__/client-plugin.test.tsx

@@ -0,0 +1,65 @@
+import { afterEach, describe, expect, mock, test } from "bun:test";
+import type { TreeNode } from "@cosmicdrift/kumiko-framework/engine";
+import { textContentClient } from "../client-plugin";
+
+// Deckt die drei neuen Migrations-Pfade (advisor-Gap): navId-Attach + SSE-
+// Entities, no-leak ohne navId (conditional-spread), und der Unwrap (Provider
+// emittiert die Folder/Leaves direkt, NICHT unter dem "Content"-Wrapper).
+// Der Provider fetcht → fetch wird gemockt.
+
+describe("textContentClient — shape", () => {
+  test("ohne navId: kein navProvider/navEntities (no-leak), aber Resolver bleibt", () => {
+    const def = textContentClient();
+    expect(def.name).toBe("text-content");
+    expect(def.navProviders).toBeUndefined();
+    expect(def.navEntities).toBeUndefined();
+    expect(def.resolvers?.["text-content:edit"]).toBeDefined();
+  });
+
+  test("mit navId: Provider + SSE-Entities unter exakt dieser QN", () => {
+    const navId = "publicstatus:nav:content";
+    const def = textContentClient({ navId });
+    expect(Object.keys(def.navProviders ?? {})).toEqual([navId]);
+    expect(def.navEntities?.[navId]).toEqual(["text-block"]);
+  });
+});
+
+describe("textContentClient — Provider unwrappt den Content-Container", () => {
+  const origFetch = globalThis.fetch;
+  afterEach(() => {
+    globalThis.fetch = origFetch;
+  });
+
+  test("emittiert Folder/Leaves direkt, kein 'Content'-Wrapper-Knoten", async () => {
+    const blocks = [
+      { slug: "imprint", lang: "de", title: "Imprint", body: "x", folder: null, updatedAt: "" },
+      { slug: "hero", lang: "de", title: "Hero", body: null, folder: "page", updatedAt: "" },
+    ];
+    // Test-Mock-Grenze: bun-Mock deckt nicht die volle fetch-Signatur
+    // (preconnect etc.) — Double-Cast bewusst, nur dieser Test ruft fetch.
+    globalThis.fetch = mock(
+      async () =>
+        new Response(JSON.stringify({ data: { blocks } }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+    ) as unknown as typeof fetch;
+
+    const navId = "x:nav:content";
+    const provider = textContentClient({ navId }).navProviders?.[navId];
+    if (provider === undefined) throw new Error("provider missing");
+
+    let emitted: readonly TreeNode[] | undefined;
+    provider()((nodes) => {
+      emitted = nodes;
+    });
+    // fetch().then(...) ist async → eine Makrotask abwarten bis emit lief.
+    await new Promise((r) => setTimeout(r, 0));
+
+    expect(emitted).toBeDefined();
+    const labels = (emitted ?? []).map((n) => n.label).sort();
+    // Kein "Content"-Wrapper — root-leaf "Imprint" + folder "page" direkt.
+    expect(labels).not.toContain("Content");
+    expect(labels).toEqual(["Imprint", "page"]);
+  });
+});

package/src/text-content/web/client-plugin.tsx

@@ -157,8 +157,10 @@ const treeProvider: TreeChildrenSubscribe = () => (emit, emitError) => {
       return r.json();
     })
     .then((data: ByTenantResponse) => {
-      const nodes = groupBlocksByFolder(data.data.blocks);
-      emit(nodes);
+      // Der App-seitige r.nav-Knoten IST der "Content"-Container → die
+      // Provider-Kinder sind die Folder/Leaves darunter, nicht der Wrapper.
+      const content = groupBlocksByFolder(data.data.blocks)[0];
+      emit(content !== undefined && Array.isArray(content.children) ? content.children : []);
     })
     .catch((e) => {
       // V.1.4: explicit error-Signal via emitError. ProviderBranch zeigt
@@ -346,19 +348,20 @@ function TextContentEditor({
   );
 }
 
-export function textContentClient(): ClientFeatureDefinition {
+// `navId` = die QN des r.nav({ provider: true })-Knotens, den die App für den
+// Content-Tree registriert (z.B. "publicstatus:nav:content"). Die App besitzt
+// Label/Icon/Access des Knotens (managed-pages-Konvention) — das Feature
+// liefert nur die Kinder + den Editor. Ohne navId: nur der Resolver, kein
+// Sidebar-Knoten (server-only-Consumer wie money-horse leaken nichts).
+export function textContentClient(opts?: { readonly navId?: string }): ClientFeatureDefinition {
+  const navId = opts?.navId;
   return {
     name: "text-content",
-    treeProvider,
-    // V.1.5b: SSE-driven Tree-Refresh. Bei jedem text-block-Event
-    // (created/updated/deleted) ruft ProviderBranch den treeProvider
-    // neu auf → Tree-State spiegelt save sofort wider (Stale-Tree-Fix).
-    treeEntities: ["text-block"],
-    treeActions: {
-      edit: { args: { slug: "" as string, lang: "" as string } },
-      list: {},
-      create: { args: { folder: "" as string } },
-    },
+    ...(navId !== undefined && {
+      navProviders: { [navId]: treeProvider },
+      // SSE-Refresh: jedes text-block-Event re-fired den Provider → Tree live.
+      navEntities: { [navId]: ["text-block"] },
+    }),
     resolvers: {
       "text-content:edit": TextContentEditor,
     },

package/src/tier-engine/__tests__/resolver.integration.test.ts

@@ -18,6 +18,7 @@ import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:tes
 import { configValuesTable } from "@cosmicdrift/kumiko-bundled-features/config";
 import { tenantSecretsTable } from "@cosmicdrift/kumiko-bundled-features/secrets";
 import { tenantMembershipsTable, tenantTable } from "@cosmicdrift/kumiko-bundled-features/tenant";
+import { seedTenant } from "@cosmicdrift/kumiko-bundled-features/tenant/seeding";
 import { userTable } from "@cosmicdrift/kumiko-bundled-features/user";
 import { composeFeatures } from "@cosmicdrift/kumiko-dev-server/compose-features";
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
@@ -112,7 +113,7 @@ afterAll(async () => stack?.cleanup());
 
 beforeEach(async () => {
   await asRawClient(stack.db).unsafe(
-    `TRUNCATE read_tier_assignments, kumiko_events RESTART IDENTITY CASCADE`,
+    `TRUNCATE read_tier_assignments, read_tenants, kumiko_events RESTART IDENTITY CASCADE`,
   );
 });
 
@@ -227,55 +228,53 @@ describe("createTierEngineFeature — per-tenant resolver", () => {
   });
 });
 
-describe("createTierEngineFeature — Trial-Phase (zeit-abgeleitet)", () => {
-  function sysUser(tenantId: TenantId, id: string) {
-    return createTestUser({ id, tenantId, roles: ["SystemAdmin", "TenantAdmin"] });
+describe("createTierEngineFeature — Trial-Phase (zeit-abgeleitet, Live-Gate)", () => {
+  // Der Trial lebt NICHT mehr im Resolver-Feature-Set (sync/boot-cached sieht
+  // weder frische Signups noch den Zeitablauf), sondern als async trialGate,
+  // der tenant.inserted_at LIVE liest. Diese Tenants entstehen über den ECHTEN
+  // seedTenant-Pfad (= auth-signup) — OHNE tier-assignment-Row. Genau dieser
+  // Pfad war der Prod-Bug: die alte gecachte Trial-Uhr sah seedTenant-Signups
+  // nie (seedTenant umgeht den dispatcher-postSave-Hook).
+  async function seedSignup(tenantId: TenantId, key: string) {
+    await seedTenant(stack.db, { id: tenantId, key, name: key });
   }
 
-  test("neuer 'free'-Tenant sieht im Fenster die Trial-Features (feat-pro)", async () => {
+  test("seedTenant-Signup ohne tier-assignment: trialGate schaltet feat-pro im Fenster frei", async () => {
     const usage = findTierResolverUsage(featuresWithTrial);
     if (!usage) throw new Error("setup failure: no trial resolver");
     const plugin = usage.options as TierResolverPlugin;
 
-    // Gespeicherter Tier ist free (keine feat-pro), inserted_at = jetzt → Trial aktiv.
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantA, "trial-sys-1"),
-    );
+    await seedSignup(tenantA, "trial-a");
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantA).has("feat-pro")).toBe(true);
+
+    // Trial sitzt am Gate, nicht im Resolver-Feature-Set.
+    expect(resolver(tenantA).has("feat-pro")).toBe(false);
+    expect(resolver.trialGate).toBeDefined();
+    expect(await resolver.trialGate?.(tenantA, "feat-pro")).toBe(true);
+    // Feature außerhalb des Trial-Tiers ("business") bleibt zu.
+    expect(await resolver.trialGate?.(tenantA, "feat-business")).toBe(false);
   });
 
-  test("Tenant außerhalb des Fensters (inserted_at > 30 Tage) fällt auf free zurück", async () => {
+  test("inserted_at > 30 Tage: trialGate schließt", async () => {
     const usage = findTierResolverUsage(featuresWithTrial);
     if (!usage) throw new Error("setup failure: no trial resolver");
     const plugin = usage.options as TierResolverPlugin;
 
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantB, "trial-sys-2"),
-    );
+    await seedSignup(tenantB, "trial-b");
     // Anlage-Datum künstlich 31 Tage zurückdrehen → Trial abgelaufen. tenantB ist
     // eine fixe Test-UUID (kein User-Input) → inline-Interpolation unkritisch.
     await asRawClient(stack.db).unsafe(
-      `UPDATE read_tier_assignments SET inserted_at = now() - interval '31 days' WHERE tenant_id = '${tenantB}'::uuid`,
+      `UPDATE read_tenants SET inserted_at = now() - interval '31 days' WHERE id = '${tenantB}'::uuid`,
     );
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantB).has("feat-pro")).toBe(false);
+    expect(await resolver.trialGate?.(tenantB, "feat-pro")).toBe(false);
   });
 
-  test("ohne Trial-Option ist der Resolver unverändert (free = keine feat-pro)", async () => {
+  test("ohne Trial-Option gibt es keinen trialGate", async () => {
     const usage = findTierResolverUsage(features);
     if (!usage) throw new Error("setup failure");
     const plugin = usage.options as TierResolverPlugin;
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantA, "no-trial-sys"),
-    );
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantA).has("feat-pro")).toBe(false);
+    expect(resolver.trialGate).toBeUndefined();
   });
 });

package/src/tier-engine/feature.ts

@@ -40,7 +40,7 @@
 //
 // **Boot-Dependencies:** config + tenant.
 
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   buildEntityTable,
   createEventStoreExecutor,
@@ -60,10 +60,12 @@ import {
   TENANT_TIER_RESOLVER_EXT,
   type TenantId,
   type TierResolverPlugin,
+  type TrialGate,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { z } from "zod";
+import { tenantTable } from "../tenant";
 import { tierAssignmentAggregateId } from "./aggregate-id";
 import type { TierMap } from "./compose-app";
 import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "./constants";
@@ -253,12 +255,13 @@ export function createTierEngineFeature<
     // Requests (build läuft pre-listen via runDevApp/runProdApp-pickup).
     const alwaysOnHolder: { set: ReadonlySet<string> } = { set: new Set() };
 
-    // Trial-State: tenantId → inserted_at als epochMilliseconds (Anlage-Datum
-    // der Assignment ≈ Signup, rebuild-stabil). Trial wird at-resolve-time aus
-    // (jetzt vs startedAt + durationHours) berechnet, NICHT gecacht — anders als
-    // das Feature-Set ändert sich der Trial-Status mit der Zeit. trialFeatures
-    // ist die fixe Feature-Menge des Trial-Tiers (einmal aufgelöst).
-    const trialClock = new Map<TenantId, number>();
+    // Trial: zeit-abgeleitet aus tenant.inserted_at (≈ Signup), live am
+    // Feature-Gate geprüft — NICHT im Resolver-Cache. Der Resolver ist
+    // boot-cached + synchron und sieht weder frische Signups noch den
+    // Zeitablauf; der Trial-Status ändert sich aber mit der Zeit und gilt ab
+    // Sekunde 1 nach Signup. Darum lebt er als async trialGate (unten, am
+    // build-Ende angehängt), den der dispatcher nur auf dem disabled-Pfad
+    // konsultiert. trialFeatures = fixe Feature-Menge des Trial-Tiers.
     const trialFeatures: ReadonlySet<string> = opts.trial
       ? featuresForTier(tierMap, opts.trial.tier)
       : new Set();
@@ -271,9 +274,6 @@ export function createTierEngineFeature<
     // Semantik wie der Hook.
     onTierAssigned.fn = (tenantId, tier) => {
       cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, tier)));
-      // Trial-Uhr nur setzen, wenn unbekannt: ein manueller Grant ändert nicht
-      // das Signup-Datum eines bestehenden Tenants (build() hat es bereits).
-      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     };
 
     // Invalidation: tier-assignment events update the cache.
@@ -288,10 +288,6 @@ export function createTierEngineFeature<
       if (typeof data.tenantId !== "string" || typeof data.tier !== "string") return;
       const tenantId = data.tenantId as TenantId;
       cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, data.tier)));
-      // Erstes Assignment eines Tenants = Signup → Trial-Uhr startet jetzt
-      // (inserted_at der frisch erzeugten Row ≈ now). Spätere Tier-Wechsel
-      // lassen die Uhr unberührt, sonst würde ein Upgrade das Fenster verlängern.
-      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     });
     r.entityHook("postDelete", "tier-assignment", async (payload) => {
       const data = payload.data as { tenantId?: unknown }; // @cast-boundary engine-payload
@@ -412,20 +408,17 @@ export function createTierEngineFeature<
         // typischerweise <100k tenants — single-pass scan akzeptabel.
         // Skalierungs-Pfad (lazy-load + LRU) ist Sprint-8b wenn echtes
         // Bedürfnis entsteht.
-        type AssignmentRow = { tenantId: string; tier: string; insertedAt: Temporal.Instant };
+        type AssignmentRow = { tenantId: string; tier: string };
         const rows = await selectMany<AssignmentRow>(deps.db, tierAssignmentTable);
         for (const row of rows) {
           cache.set(
             row.tenantId as TenantId,
             mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, row.tier)),
           );
-          trialClock.set(row.tenantId as TenantId, row.insertedAt.epochMilliseconds);
         }
 
-        const trial = opts.trial;
-
         // Synchronous resolver-callback for dispatcher hot-path.
-        return (tenantId: TenantId): ReadonlySet<string> => {
+        const resolver = (tenantId: TenantId): ReadonlySet<string> => {
           // Operator-tooling + async-event-dispatch convention: SYSTEM_TENANT_ID
           // gets the union of all tier-features (siehe DispatcherOptions doc).
           if (tenantId === SYSTEM_TENANT_ID) {
@@ -434,23 +427,43 @@ export function createTierEngineFeature<
           // Cache-miss: tenant ist noch nicht im cache (z.B. brandneu nach
           // boot, oder defaultTier-hook hat noch nicht gefired). Default-Set
           // ist least-privileged — typisch Free-Tier-features. Memory
-          // `feedback_security_default_on`: secure-by-default.
+          // `feedback_security_default_on`: secure-by-default. Der Trial wird
+          // hier NICHT addiert (sync/boot-cached sieht den Zeitablauf nicht) —
+          // das macht der trialGate unten am disabled-Gate-Pfad.
           const fallbackTier = opts.defaultTier;
-          const base =
+          return (
             cache.get(tenantId) ??
             (fallbackTier === undefined
               ? computedAlwaysOn
-              : mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier)));
-          // Trial: innerhalb des Fensters ab Signup zusätzlich die Trial-Tier-
-          // Features. Zeit-abgeleitet → pro Request geprüft, nie gecacht.
-          if (trial !== undefined) {
-            const startedMs = trialClock.get(tenantId);
-            if (startedMs !== undefined && isTrialActive(startedMs, nowMs(), trial.durationHours)) {
-              return mergeAlwaysOn(base, trialFeatures);
-            }
+              : mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier)))
+          );
+        };
+
+        const trial = opts.trial;
+        if (trial === undefined) return resolver;
+
+        // Live-Trial-Gate: liest tenant.inserted_at (≈ Signup, existiert für
+        // JEDEN Tenant inkl. auth-signup via seedTenant — anders als die
+        // tier-assignment-Row, die der seed-Pfad nicht anlegt) und prüft das
+        // Fenster gegen die aktuelle Zeit. Nur auf dem disabled-Gate-Pfad
+        // konsultiert. inserted_at ist immutable → pro Tenant einmal lesen.
+        const startedMemo = new Map<TenantId, number>();
+        const trialGate: TrialGate = async (tenantId, featureName) => {
+          if (!trialFeatures.has(featureName)) return false;
+          let startedMs = startedMemo.get(tenantId);
+          if (startedMs === undefined) {
+            const row = await fetchOne<{ insertedAt?: Temporal.Instant }>(deps.db, tenantTable, {
+              id: tenantId,
+            });
+            // Tenant-Row noch nicht projiziert (Replay-Race) → keinen Miss
+            // memoizen, beim nächsten Request neu lesen.
+            if (row?.insertedAt === undefined) return false;
+            startedMs = row.insertedAt.epochMilliseconds;
+            startedMemo.set(tenantId, startedMs);
           }
-          return base;
+          return isTrialActive(startedMs, nowMs(), trial.durationHours);
         };
+        return Object.assign(resolver, { trialGate });
       },
     };
     // biome-ignore lint/correctness/useHookAtTopLevel: r.useExtension is a framework registrar method, not a React hook.