@cosmicdrift/kumiko-bundled-features 0.70.0 → 0.71.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.70.0",
+  "version": "0.71.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.70.0",
-    "@cosmicdrift/kumiko-framework": "0.70.0",
-    "@cosmicdrift/kumiko-headless": "0.70.0",
-    "@cosmicdrift/kumiko-renderer": "0.70.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.70.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.71.0",
+    "@cosmicdrift/kumiko-framework": "0.71.0",
+    "@cosmicdrift/kumiko-headless": "0.71.0",
+    "@cosmicdrift/kumiko-renderer": "0.71.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.71.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/sessions/__tests__/cleanup.integration.test.ts

@@ -15,6 +15,8 @@ import {
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { createUserFeature } from "../../user/feature";
+import { userEntity } from "../../user/schema/user";
 import { createSessionsFeature } from "../feature";
 import { cleanupJob } from "../handlers/cleanup.job";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
@@ -38,9 +40,10 @@ let stack: TestStack;
 
 beforeAll(async () => {
   stack = await setupTestStack({
-    features: [createSessionsFeature()],
+    features: [createSessionsFeature(), createUserFeature()],
   });
   await unsafeCreateEntityTable(stack.db, userSessionEntity);
+  await unsafeCreateEntityTable(stack.db, userEntity);
 });
 
 afterAll(async () => {

package/src/sessions/__tests__/rebuild-survival.integration.test.ts

@@ -19,6 +19,7 @@ import {
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { Temporal } from "temporal-polyfill";
+import { createUserFeature } from "../../user/feature";
 import { createSessionsFeature } from "../feature";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
 
@@ -75,14 +76,14 @@ async function insertRevokedSession(db: DbConnection): Promise<void> {
 
 describe("sessions / read_user_sessions survives projection rebuild", () => {
   test("is NOT registered as a rebuildable implicit projection", () => {
-    const registry = createRegistry([createSessionsFeature()]);
+    const registry = createRegistry([createSessionsFeature(), createUserFeature()]);
     expect(registry.getAllProjections().has(IMPLICIT_PROJECTION)).toBe(false);
   });
 
   test("direct-written rows (incl. revoked state) survive a rebuild", async () => {
     await insertRevokedSession(createTenantDb(testDb.db, TENANT));
 
-    const registry = createRegistry([createSessionsFeature()]);
+    const registry = createRegistry([createSessionsFeature(), createUserFeature()]);
     // Pre-fix: the implicit projection exists → rebuild swaps an empty shadow
     // → rows wiped. Post-fix: absent → no rebuild → rows untouched. Either way
     // a regression (re-adding r.entity) makes this fail.

package/src/sessions/__tests__/sessions.integration.test.ts

@@ -21,7 +21,7 @@ import { createTenantFeature } from "../../tenant";
 import { tenantMembershipsTable } from "../../tenant/membership-table";
 import { tenantEntity } from "../../tenant/schema/tenant";
 import { createUserFeature } from "../../user/feature";
-import { userEntity, userTable } from "../../user/schema/user";
+import { USER_STATUS, userEntity, userTable } from "../../user/schema/user";
 import { SessionHandlers, SessionQueries } from "../constants";
 import { createSessionsFeature } from "../feature";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
@@ -455,3 +455,65 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     expect(body.data[0]?.id).toBe(aliceAsAdmin.sid);
   });
 });
+
+// Defense-in-depth: the sessionChecker refuses a live sid once the user it
+// belongs to is locked, independent of whether session-revoke ran. Each case
+// logs in WHILE active (login itself blocks locked users) and then flips the
+// status, mirroring "user got restricted while a session was open".
+describe("sessions feature — locked accounts blocked on a live session", () => {
+  test("active user passes — the gate leaves the happy path untouched", async () => {
+    await h.seedUser("active@example.com", "pw-long-enough");
+    const { token } = await h.login("active@example.com", "pw-long-enough");
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(200);
+  });
+
+  test("restricted after login → 401 reason=blocked", async () => {
+    const { userId } = await h.seedUser("restrict@example.com", "pw-long-enough");
+    const { token } = await h.login("restrict@example.com", "pw-long-enough");
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: userId });
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe("blocked");
+  });
+
+  test("deleted after login → 401 reason=blocked", async () => {
+    const { userId } = await h.seedUser("gone@example.com", "pw-long-enough");
+    const { token } = await h.login("gone@example.com", "pw-long-enough");
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Deleted }, { id: userId });
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe("blocked");
+  });
+
+  test("deletionRequested keeps its session live — reversible grace period", async () => {
+    const { userId } = await h.seedUser("leaving@example.com", "pw-long-enough");
+    const { token } = await h.login("leaving@example.com", "pw-long-enough");
+    await updateMany(
+      stack.db,
+      userTable,
+      { status: USER_STATUS.DeletionRequested },
+      { id: userId },
+    );
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(200);
+  });
+});

package/src/sessions/feature.ts

@@ -43,6 +43,10 @@ export function createSessionsFeature(options?: SessionsFeatureOptions): Feature
     r.describe(
       "Tracks signed-in clients in the `read_user_sessions` table (one row per JWT, keyed by the `sid`/`jti` claim) and exposes handlers for `mine` (list your sessions), `revoke`, and `revokeAllOthers`. Session creation and revocation on the hot auth path are handled by `createSessionCallbacks()`, wired into `buildServer({ auth: { ... } })` outside the dispatcher; the feature also ships a manual-trigger cleanup job for pruning expired rows and an optional `autoRevokeOnPasswordChange` hook that mass-revokes all sessions for a user whenever their `passwordHash` changes.",
     );
+    // sessionChecker reads read_users on every authenticated request (status
+    // gate for locked accounts) — make that a boot-time dependency so a
+    // sessions-without-user wiring fails validateBoot instead of 500ing live.
+    r.requires("user");
     // read_user_sessions is a hot-path direct-write store: sessionCreator
     // inserts and the revoke handlers update rows WITHOUT emitting lifecycle
     // events (the row columns ARE the audit trail). Registering it as

package/src/sessions/session-callbacks.ts

@@ -10,9 +10,18 @@ import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { SessionUser } from "@cosmicdrift/kumiko-framework/engine";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
 import { Temporal } from "temporal-polyfill";
+import { USER_STATUS, userTable } from "../user";
 import { DEFAULT_SESSION_EXPIRY_MS } from "./constants";
 import { userSessionTable } from "./schema/user-session";
 
+// Locked accounts whose live sessions must be refused. deletionRequested is
+// intentionally absent — it's a reversible grace period and the user needs
+// their session to reach cancel-deletion.
+const BLOCKED_STATUSES: ReadonlySet<string> = new Set([
+  USER_STATUS.Restricted,
+  USER_STATUS.Deleted,
+]);
+
 // Why the callbacks live at the raw-DB level rather than going through the
 // dispatcher: session-create/revoke/check run on the hot path of every
 // login and every request. The (createdAt/revokedAt/ip/userAgent) columns
@@ -90,6 +99,13 @@ export function createSessionCallbacks(opts: SessionCallbacksOptions): SessionCa
       if (row.expiresAt.epochMilliseconds <= Temporal.Now.instant().epochMilliseconds) {
         return "expired";
       }
+      // Defense-in-depth: status flips (Art. 18 restrict, forget) revoke
+      // sessions, but a missed revoke must not keep a locked account alive on
+      // a stale sid. Fail-OPEN on a lookup miss — this is the second layer,
+      // revocation is primary; never turn a user-row miss into a global
+      // lockout. (+1 PK read on read_users per authenticated request.)
+      const user = await fetchOne<{ status: string }>(db, userTable, { id: expectedUserId });
+      if (user && BLOCKED_STATUSES.has(user.status)) return "blocked";
       return "live";
     },
 

package/src/tags/handlers/assign-tag.write.ts

@@ -40,7 +40,7 @@ export function createAssignTagHandler(access: AccessRule = DEFAULT_TAG_ACCESS):
       }
 
       const restored = await tagAssignmentExecutor.restore({ id }, event.user, ctx.db);
-      if (restored.isSuccess) return restored;
+      if (restored.isSuccess) return { isSuccess: true as const, data: { id } };
       if (restored.error.code !== "not_found") return restored;
 
       const tag = await tagExecutor.detail({ id: payload.tagId }, event.user, ctx.db);

package/src/tags/web/__tests__/tag-section.test.tsx

@@ -1,4 +1,4 @@
-import { describe, expect, mock, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 import {
   createStaticLocaleResolver,
   LocaleProvider,
@@ -17,6 +17,13 @@ type AssignmentRow = { tagId: string; entityType: string; entityId: string };
 let catalogRows: readonly TagRow[] = [];
 let assignmentRows: readonly AssignmentRow[] = [];
 
+// Each test sets its own rows; reset so a forgotten setup can't inherit the
+// previous test's data (order-dependent shared state).
+beforeEach(() => {
+  catalogRows = [];
+  assignmentRows = [];
+});
+
 const dispatchSpy = mock(async (type: string) =>
   type === TagsHandlers.createTag
     ? { isSuccess: true, data: { id: "tag-new" } }
@@ -45,6 +52,46 @@ function Wrapper({ children }: { readonly children: ReactNode }): ReactNode {
   );
 }
 
+// The real combobox is cmdk + Radix — its popover is e2e/primitive-test
+// territory (see note above). To pin the onSelectionChange → assign/remove
+// wiring we swap in a headless stub that renders one toggle button per option
+// and fires onChange with the toggled selection — same contract, no popover.
+const StubInput: typeof defaultPrimitives.Input = (props) => {
+  if (props.kind === "combobox" && props.multiple === true) {
+    const value = props.value;
+    return (
+      <div data-testid="stub-combobox">
+        {props.options.map((o) => {
+          const selected = value.includes(o.value);
+          return (
+            <button
+              key={o.value}
+              type="button"
+              data-testid={`tag-opt-${o.value}`}
+              onClick={() =>
+                props.onChange(selected ? value.filter((v) => v !== o.value) : [...value, o.value])
+              }
+            >
+              {o.label}
+            </button>
+          );
+        })}
+      </div>
+    );
+  }
+  return <input data-testid={`stub-${props.id}`} />;
+};
+
+function StubComboboxWrapper({ children }: { readonly children: ReactNode }): ReactNode {
+  return (
+    <LocaleProvider resolver={createStaticLocaleResolver()} fallbackBundles={[defaultTranslations]}>
+      <PrimitivesProvider value={{ ...defaultPrimitives, Input: StubInput }}>
+        {children}
+      </PrimitivesProvider>
+    </LocaleProvider>
+  );
+}
+
 // The combobox's assign/remove toggle drives onChange with the full new
 // selection; the component diffs it against the current tags via this helper.
 // Popover interaction itself (cmdk + Radix in jsdom) is covered by the
@@ -113,6 +160,41 @@ describe("TagSection", () => {
     );
   });
 
+  test("#524/3: selection change dispatches assign for additions, remove for removals", async () => {
+    catalogRows = [
+      { id: "t1", name: "important" },
+      { id: "t2", name: "project-x" },
+    ];
+    assignmentRows = [{ tagId: "t1", entityType: "note", entityId: "note-1" }];
+    dispatchSpy.mockClear();
+
+    render(
+      <StubComboboxWrapper>
+        <TagSection entityName="note" entityId="note-1" />
+      </StubComboboxWrapper>,
+    );
+
+    // t2 is unselected → toggling it on adds it → assign-tag with t2
+    fireEvent.click(screen.getByTestId("tag-opt-t2"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.assignTag, {
+        tagId: "t2",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+
+    // t1 is selected → toggling it off removes it → remove-tag with t1
+    fireEvent.click(screen.getByTestId("tag-opt-t1"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.removeTag, {
+        tagId: "t1",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+  });
+
   test("create-mode (no entityId yet) shows the save-first hint instead of the manager", () => {
     render(
       <Wrapper>

package/src/user/schema/user.ts

@@ -113,15 +113,16 @@ export const userEntity = createEntity({
 
     // S2.U1: User-Lifecycle-Status für user-data-rights (Sprint 2).
     //   - "active":            Normaler State, alle Operationen erlaubt
-    //   - "restricted":        Art. 18 Restriction — Auth-Middleware blockiert
-    //                          Schreib-Endpoints, Read bleibt erlaubt damit
-    //                          User das Banner sieht + lift-restriction klicken kann
-    //   - "deletionRequested": delete-account aufgerufen, gracePeriodEnd
-    //                          gesetzt, User kann via cancel-deletion zurueck
-    //                          auf "active". Auth-Middleware blockiert wie
-    //                          "restricted".
+    //   - "restricted":        Art. 18 Restriction — Login blockiert + jede
+    //                          Live-Session wird vom sessionChecker abgewiesen
+    //                          ("blocked"). Recovery via lift-restriction
+    //                          (openToAll, session-unabhängig).
+    //   - "deletionRequested": delete-account aufgerufen, gracePeriodEnd gesetzt,
+    //                          Login blockiert. Bestehende Session bleibt LIVE
+    //                          (reversibel) — User kann via cancel-deletion
+    //                          zurück auf "active".
     //   - "deleted":           Forget executed nach Grace, Row anonymisiert via
-    //                          softDelete. Auth-Middleware blockt Login.
+    //                          softDelete. Login blockiert + Session "blocked".
     //
     // Schreibrecht privileged: nur die request-deletion / restrict / lift /
     // execute-forget-Handler (alle SYSTEM-context) duerfen status flippen.

package/src/user-data-rights/__tests__/read-users-rebuild-survives-lifecycle.integration.test.ts

@@ -188,12 +188,13 @@ describe("#494 :: read_users-Rebuild bewahrt Lifecycle-State", () => {
 
     const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
       status: string;
-      gracePeriodEnd: unknown;
+      gracePeriodEnd: typeof gracePeriodEnd | null;
     }>;
     expect(after[0]?.status).toBe(USER_STATUS.DeletionRequested);
-    // gracePeriodEnd ueberlebt — nicht null nach Replay.
-    expect(after[0]?.gracePeriodEnd).not.toBeNull();
-    expect(after[0]?.gracePeriodEnd).toBeDefined();
+    // gracePeriodEnd ueberlebt den Replay WERT-genau, nicht nur non-null: ein
+    // Timezone-/Roundtrip-Fehler liefert non-null aber den falschen Instant.
+    // epoch-ms toleriert die DB-Präzision (µs) ohne sub-ms-Drift zu prüfen.
+    expect(after[0]?.gracePeriodEnd?.epochMilliseconds).toBe(gracePeriodEnd.epochMilliseconds);
   });
 
   // Ehrlicher Spiegel zum Forward-Test: Bestandsdaten, deren Status der ALTE

package/src/user-profile/__tests__/profile-screen.test.tsx

@@ -146,6 +146,44 @@ describe("ProfileScreen", () => {
       fetchSpy.mockRestore();
     }
   });
+
+  // #472/1: der Server antwortet auf den Verification-Versand mit ok:false
+  // (z.B. 4xx) OHNE zu werfen. Das ist ein anderer Zweig als das catch oben —
+  // er muss eigenständig geloggt werden, der Wechsel bleibt erfolgreich.
+  test("email change: verification-send rejected by server (ok:false) is surfaced", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchSpy = spyOn(globalThis, "fetch").mockResolvedValue(
+      new Response("{}", { status: 400 }),
+    );
+    try {
+      const view = renderProfile(activeMe);
+      await waitFor(() => {
+        if (view.queryByTestId("profile-email") === null) throw new Error("not mounted yet");
+      });
+
+      const emailInput = view.container.querySelector<HTMLInputElement>("#profile-new-email");
+      const pwInput = view.container.querySelector<HTMLInputElement>("#profile-email-password");
+      if (!emailInput || !pwInput) throw new Error("email form inputs not found");
+      fireEvent.change(emailInput, { target: { value: "new@example.com" } });
+      fireEvent.change(pwInput, { target: { value: "current-pw" } });
+      fireEvent.click(view.getByTestId("profile-email-submit"));
+
+      // Der ok:false-Zweig loggt SEINE Message ("could not be sent"),
+      // nicht die des catch-Zweigs ("send threw").
+      await waitFor(() => {
+        const hit = warnSpy.mock.calls.some((c) => String(c[0]).includes("could not be sent"));
+        if (!hit) throw new Error("ok:false verification failure not surfaced");
+      });
+      expect(warnSpy.mock.calls.some((c) => String(c[0]).includes("send threw"))).toBe(false);
+      // Wechsel bleibt erfolgreich: das Eingabefeld wird zurückgesetzt.
+      await waitFor(() => {
+        if (emailInput.value !== "") throw new Error("email input not cleared after success");
+      });
+    } finally {
+      warnSpy.mockRestore();
+      fetchSpy.mockRestore();
+    }
+  });
 });
 
 describe("formatDeletionDate", () => {