@cosmicdrift/kumiko-bundled-features 0.66.0 → 0.67.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.66.0",
+  "version": "0.67.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.66.0",
-    "@cosmicdrift/kumiko-framework": "0.66.0",
-    "@cosmicdrift/kumiko-headless": "0.66.0",
-    "@cosmicdrift/kumiko-renderer": "0.66.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.66.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.67.0",
+    "@cosmicdrift/kumiko-framework": "0.67.0",
+    "@cosmicdrift/kumiko-headless": "0.67.0",
+    "@cosmicdrift/kumiko-renderer": "0.67.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.67.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/tier-engine/__tests__/resolver.integration.test.ts

@@ -18,6 +18,7 @@ import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:tes
 import { configValuesTable } from "@cosmicdrift/kumiko-bundled-features/config";
 import { tenantSecretsTable } from "@cosmicdrift/kumiko-bundled-features/secrets";
 import { tenantMembershipsTable, tenantTable } from "@cosmicdrift/kumiko-bundled-features/tenant";
+import { seedTenant } from "@cosmicdrift/kumiko-bundled-features/tenant/seeding";
 import { userTable } from "@cosmicdrift/kumiko-bundled-features/user";
 import { composeFeatures } from "@cosmicdrift/kumiko-dev-server/compose-features";
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
@@ -112,7 +113,7 @@ afterAll(async () => stack?.cleanup());
 
 beforeEach(async () => {
   await asRawClient(stack.db).unsafe(
-    `TRUNCATE read_tier_assignments, kumiko_events RESTART IDENTITY CASCADE`,
+    `TRUNCATE read_tier_assignments, read_tenants, kumiko_events RESTART IDENTITY CASCADE`,
   );
 });
 
@@ -227,55 +228,53 @@ describe("createTierEngineFeature — per-tenant resolver", () => {
   });
 });
 
-describe("createTierEngineFeature — Trial-Phase (zeit-abgeleitet)", () => {
-  function sysUser(tenantId: TenantId, id: string) {
-    return createTestUser({ id, tenantId, roles: ["SystemAdmin", "TenantAdmin"] });
+describe("createTierEngineFeature — Trial-Phase (zeit-abgeleitet, Live-Gate)", () => {
+  // Der Trial lebt NICHT mehr im Resolver-Feature-Set (sync/boot-cached sieht
+  // weder frische Signups noch den Zeitablauf), sondern als async trialGate,
+  // der tenant.inserted_at LIVE liest. Diese Tenants entstehen über den ECHTEN
+  // seedTenant-Pfad (= auth-signup) — OHNE tier-assignment-Row. Genau dieser
+  // Pfad war der Prod-Bug: die alte gecachte Trial-Uhr sah seedTenant-Signups
+  // nie (seedTenant umgeht den dispatcher-postSave-Hook).
+  async function seedSignup(tenantId: TenantId, key: string) {
+    await seedTenant(stack.db, { id: tenantId, key, name: key });
   }
 
-  test("neuer 'free'-Tenant sieht im Fenster die Trial-Features (feat-pro)", async () => {
+  test("seedTenant-Signup ohne tier-assignment: trialGate schaltet feat-pro im Fenster frei", async () => {
     const usage = findTierResolverUsage(featuresWithTrial);
     if (!usage) throw new Error("setup failure: no trial resolver");
     const plugin = usage.options as TierResolverPlugin;
 
-    // Gespeicherter Tier ist free (keine feat-pro), inserted_at = jetzt → Trial aktiv.
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantA, "trial-sys-1"),
-    );
+    await seedSignup(tenantA, "trial-a");
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantA).has("feat-pro")).toBe(true);
+
+    // Trial sitzt am Gate, nicht im Resolver-Feature-Set.
+    expect(resolver(tenantA).has("feat-pro")).toBe(false);
+    expect(resolver.trialGate).toBeDefined();
+    expect(await resolver.trialGate?.(tenantA, "feat-pro")).toBe(true);
+    // Feature außerhalb des Trial-Tiers ("business") bleibt zu.
+    expect(await resolver.trialGate?.(tenantA, "feat-business")).toBe(false);
   });
 
-  test("Tenant außerhalb des Fensters (inserted_at > 30 Tage) fällt auf free zurück", async () => {
+  test("inserted_at > 30 Tage: trialGate schließt", async () => {
     const usage = findTierResolverUsage(featuresWithTrial);
     if (!usage) throw new Error("setup failure: no trial resolver");
     const plugin = usage.options as TierResolverPlugin;
 
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantB, "trial-sys-2"),
-    );
+    await seedSignup(tenantB, "trial-b");
     // Anlage-Datum künstlich 31 Tage zurückdrehen → Trial abgelaufen. tenantB ist
     // eine fixe Test-UUID (kein User-Input) → inline-Interpolation unkritisch.
     await asRawClient(stack.db).unsafe(
-      `UPDATE read_tier_assignments SET inserted_at = now() - interval '31 days' WHERE tenant_id = '${tenantB}'::uuid`,
+      `UPDATE read_tenants SET inserted_at = now() - interval '31 days' WHERE id = '${tenantB}'::uuid`,
     );
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantB).has("feat-pro")).toBe(false);
+    expect(await resolver.trialGate?.(tenantB, "feat-pro")).toBe(false);
   });
 
-  test("ohne Trial-Option ist der Resolver unverändert (free = keine feat-pro)", async () => {
+  test("ohne Trial-Option gibt es keinen trialGate", async () => {
     const usage = findTierResolverUsage(features);
     if (!usage) throw new Error("setup failure");
     const plugin = usage.options as TierResolverPlugin;
-    await stack.http.writeOk(
-      "tier-engine:write:tier-assignment:create",
-      { tier: "free" },
-      sysUser(tenantA, "no-trial-sys"),
-    );
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
-    expect(resolver(tenantA).has("feat-pro")).toBe(false);
+    expect(resolver.trialGate).toBeUndefined();
   });
 });

package/src/tier-engine/feature.ts

@@ -40,7 +40,7 @@
 //
 // **Boot-Dependencies:** config + tenant.
 
-import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   buildEntityTable,
   createEventStoreExecutor,
@@ -60,10 +60,12 @@ import {
   TENANT_TIER_RESOLVER_EXT,
   type TenantId,
   type TierResolverPlugin,
+  type TrialGate,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { z } from "zod";
+import { tenantTable } from "../tenant";
 import { tierAssignmentAggregateId } from "./aggregate-id";
 import type { TierMap } from "./compose-app";
 import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "./constants";
@@ -253,12 +255,13 @@ export function createTierEngineFeature<
     // Requests (build läuft pre-listen via runDevApp/runProdApp-pickup).
     const alwaysOnHolder: { set: ReadonlySet<string> } = { set: new Set() };
 
-    // Trial-State: tenantId → inserted_at als epochMilliseconds (Anlage-Datum
-    // der Assignment ≈ Signup, rebuild-stabil). Trial wird at-resolve-time aus
-    // (jetzt vs startedAt + durationHours) berechnet, NICHT gecacht — anders als
-    // das Feature-Set ändert sich der Trial-Status mit der Zeit. trialFeatures
-    // ist die fixe Feature-Menge des Trial-Tiers (einmal aufgelöst).
-    const trialClock = new Map<TenantId, number>();
+    // Trial: zeit-abgeleitet aus tenant.inserted_at (≈ Signup), live am
+    // Feature-Gate geprüft — NICHT im Resolver-Cache. Der Resolver ist
+    // boot-cached + synchron und sieht weder frische Signups noch den
+    // Zeitablauf; der Trial-Status ändert sich aber mit der Zeit und gilt ab
+    // Sekunde 1 nach Signup. Darum lebt er als async trialGate (unten, am
+    // build-Ende angehängt), den der dispatcher nur auf dem disabled-Pfad
+    // konsultiert. trialFeatures = fixe Feature-Menge des Trial-Tiers.
     const trialFeatures: ReadonlySet<string> = opts.trial
       ? featuresForTier(tierMap, opts.trial.tier)
       : new Set();
@@ -271,9 +274,6 @@ export function createTierEngineFeature<
     // Semantik wie der Hook.
     onTierAssigned.fn = (tenantId, tier) => {
       cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, tier)));
-      // Trial-Uhr nur setzen, wenn unbekannt: ein manueller Grant ändert nicht
-      // das Signup-Datum eines bestehenden Tenants (build() hat es bereits).
-      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     };
 
     // Invalidation: tier-assignment events update the cache.
@@ -288,10 +288,6 @@ export function createTierEngineFeature<
       if (typeof data.tenantId !== "string" || typeof data.tier !== "string") return;
       const tenantId = data.tenantId as TenantId;
       cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, data.tier)));
-      // Erstes Assignment eines Tenants = Signup → Trial-Uhr startet jetzt
-      // (inserted_at der frisch erzeugten Row ≈ now). Spätere Tier-Wechsel
-      // lassen die Uhr unberührt, sonst würde ein Upgrade das Fenster verlängern.
-      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     });
     r.entityHook("postDelete", "tier-assignment", async (payload) => {
       const data = payload.data as { tenantId?: unknown }; // @cast-boundary engine-payload
@@ -412,20 +408,17 @@ export function createTierEngineFeature<
         // typischerweise <100k tenants — single-pass scan akzeptabel.
         // Skalierungs-Pfad (lazy-load + LRU) ist Sprint-8b wenn echtes
         // Bedürfnis entsteht.
-        type AssignmentRow = { tenantId: string; tier: string; insertedAt: Temporal.Instant };
+        type AssignmentRow = { tenantId: string; tier: string };
         const rows = await selectMany<AssignmentRow>(deps.db, tierAssignmentTable);
         for (const row of rows) {
           cache.set(
             row.tenantId as TenantId,
             mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, row.tier)),
           );
-          trialClock.set(row.tenantId as TenantId, row.insertedAt.epochMilliseconds);
         }
 
-        const trial = opts.trial;
-
         // Synchronous resolver-callback for dispatcher hot-path.
-        return (tenantId: TenantId): ReadonlySet<string> => {
+        const resolver = (tenantId: TenantId): ReadonlySet<string> => {
           // Operator-tooling + async-event-dispatch convention: SYSTEM_TENANT_ID
           // gets the union of all tier-features (siehe DispatcherOptions doc).
           if (tenantId === SYSTEM_TENANT_ID) {
@@ -434,23 +427,43 @@ export function createTierEngineFeature<
           // Cache-miss: tenant ist noch nicht im cache (z.B. brandneu nach
           // boot, oder defaultTier-hook hat noch nicht gefired). Default-Set
           // ist least-privileged — typisch Free-Tier-features. Memory
-          // `feedback_security_default_on`: secure-by-default.
+          // `feedback_security_default_on`: secure-by-default. Der Trial wird
+          // hier NICHT addiert (sync/boot-cached sieht den Zeitablauf nicht) —
+          // das macht der trialGate unten am disabled-Gate-Pfad.
           const fallbackTier = opts.defaultTier;
-          const base =
+          return (
             cache.get(tenantId) ??
             (fallbackTier === undefined
               ? computedAlwaysOn
-              : mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier)));
-          // Trial: innerhalb des Fensters ab Signup zusätzlich die Trial-Tier-
-          // Features. Zeit-abgeleitet → pro Request geprüft, nie gecacht.
-          if (trial !== undefined) {
-            const startedMs = trialClock.get(tenantId);
-            if (startedMs !== undefined && isTrialActive(startedMs, nowMs(), trial.durationHours)) {
-              return mergeAlwaysOn(base, trialFeatures);
-            }
+              : mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier)))
+          );
+        };
+
+        const trial = opts.trial;
+        if (trial === undefined) return resolver;
+
+        // Live-Trial-Gate: liest tenant.inserted_at (≈ Signup, existiert für
+        // JEDEN Tenant inkl. auth-signup via seedTenant — anders als die
+        // tier-assignment-Row, die der seed-Pfad nicht anlegt) und prüft das
+        // Fenster gegen die aktuelle Zeit. Nur auf dem disabled-Gate-Pfad
+        // konsultiert. inserted_at ist immutable → pro Tenant einmal lesen.
+        const startedMemo = new Map<TenantId, number>();
+        const trialGate: TrialGate = async (tenantId, featureName) => {
+          if (!trialFeatures.has(featureName)) return false;
+          let startedMs = startedMemo.get(tenantId);
+          if (startedMs === undefined) {
+            const row = await fetchOne<{ insertedAt?: Temporal.Instant }>(deps.db, tenantTable, {
+              id: tenantId,
+            });
+            // Tenant-Row noch nicht projiziert (Replay-Race) → keinen Miss
+            // memoizen, beim nächsten Request neu lesen.
+            if (row?.insertedAt === undefined) return false;
+            startedMs = row.insertedAt.epochMilliseconds;
+            startedMemo.set(tenantId, startedMs);
           }
-          return base;
+          return isTrialActive(startedMs, nowMs(), trial.durationHours);
         };
+        return Object.assign(resolver, { trialGate });
       },
     };
     // biome-ignore lint/correctness/useHookAtTopLevel: r.useExtension is a framework registrar method, not a React hook.