@cosmicdrift/kumiko-bundled-features 0.87.2 → 0.88.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.87.2",
+  "version": "0.88.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -86,11 +86,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.87.2",
-    "@cosmicdrift/kumiko-framework": "0.87.2",
-    "@cosmicdrift/kumiko-headless": "0.87.2",
-    "@cosmicdrift/kumiko-renderer": "0.87.2",
-    "@cosmicdrift/kumiko-renderer-web": "0.87.2",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.88.0",
+    "@cosmicdrift/kumiko-framework": "0.88.0",
+    "@cosmicdrift/kumiko-headless": "0.88.0",
+    "@cosmicdrift/kumiko-renderer": "0.88.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.88.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/__tests__/multi-roles.integration.test.ts

@@ -251,3 +251,46 @@ describe("multi-roles: switch-tenant erhält globale rollen", () => {
     expect(switchBody.roles).toEqual(["User"]);
   });
 });
+
+// Read-time backstop (engine/membership-roles): the write paths reject reserved
+// roles at command time, but a projection rebuild replays stored membership
+// events through the apply path, bypassing that check. addMembership inserts
+// straight into the projection table — the same shape a rebuild would produce —
+// so a forbidden role lands in the membership without going through a handler.
+// Every JWT mint must strip it; globalRoles must survive untouched.
+describe("multi-roles: reserved membership role stripped at the mint", () => {
+  test("login: resurrected ['SystemAdmin'] in membership → stripped, ['Admin'] survives", async () => {
+    const userId = await seedUser("resurrect@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["SystemAdmin", "Admin"]);
+
+    const { user } = await login("resurrect@example.com", "pw-long-enough");
+    expect(user.roles).toEqual(["Admin"]);
+    expect(user.roles).not.toContain("SystemAdmin");
+  });
+
+  test("login: global SystemAdmin survives even when membership repeats it", async () => {
+    const userId = await seedUser("realadmin@example.com", "pw-long-enough", ["SystemAdmin"]);
+    await addMembership(userId, tenantA, ["SystemAdmin", "Admin"]);
+
+    const { user } = await login("realadmin@example.com", "pw-long-enough");
+    expect(user.roles.sort()).toEqual(["Admin", "SystemAdmin"]);
+  });
+
+  test("switch-tenant: resurrected ['SystemAdmin'] on target tenant → stripped", async () => {
+    const userId = await seedUser("resurrect2@example.com", "pw-long-enough");
+    await addMembership(userId, tenantA, ["Admin"]);
+    await addMembership(userId, tenantB, ["SystemAdmin", "User"]);
+
+    const { token } = await login("resurrect2@example.com", "pw-long-enough");
+    const switchRes = await stack.http.raw(
+      "POST",
+      "/api/auth/switch-tenant",
+      { tenantId: tenantB },
+      { authorization: `Bearer ${token}` },
+    );
+    expect(switchRes.status).toBe(200);
+    const switchBody = (await switchRes.json()) as { roles: string[] };
+    expect(switchBody.roles).toEqual(["User"]);
+    expect(switchBody.roles).not.toContain("SystemAdmin");
+  });
+});

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts

@@ -23,6 +23,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
@@ -164,7 +165,7 @@ export function createInviteAcceptWithLoginHandler() {
         const session: SessionUser = {
           id: userId,
           tenantId: invitationTenantId,
-          roles: [invitationRole],
+          roles: stripForbiddenMembershipRoles([invitationRole]),
         };
 
         committed = true;

package/src/auth-email-password/handlers/invite-signup-complete.write.ts

@@ -27,6 +27,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
@@ -160,7 +161,7 @@ export function createInviteSignupCompleteHandler() {
         const session: SessionUser = {
           id: userId,
           tenantId: invitationTenantId,
-          roles: [invitationRole],
+          roles: stripForbiddenMembershipRoles([invitationRole]),
         };
 
         committed = true;

package/src/auth-email-password/handlers/login.write.ts

@@ -2,6 +2,7 @@ import {
   createSystemUser,
   defineWriteHandler,
   type SessionUser,
+  stripForbiddenMembershipRoles,
   type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
@@ -165,7 +166,11 @@ export function createLoginHandler(opts: LoginHandlerOptions = {}) {
       // membership. Dedupe via Set damit eine Rolle die in beiden Quellen
       // steht nicht doppelt im Session-Roles landet.
       const globalRoles = parseRoles(found.roles ?? null);
-      const mergedRoles = Array.from(new Set([...globalRoles, ...chosen.roles]));
+      // Strip reserved roles from the membership portion only (globalRoles keeps
+      // SystemAdmin) — read-time backstop against a rebuild-resurrected role.
+      const mergedRoles = Array.from(
+        new Set([...globalRoles, ...stripForbiddenMembershipRoles(chosen.roles)]),
+      );
       const baseSession: SessionUser = {
         id: found.id,
         tenantId: chosen.tenantId,

package/src/tenant/membership-roles.ts

@@ -6,18 +6,10 @@
 // this validator makes every membership-role write path enforce the same
 // invariant. Derived from the framework presets so it tracks access.privileged.
 
-import { access } from "@cosmicdrift/kumiko-framework/engine";
+import { findForbiddenMembershipRole } from "@cosmicdrift/kumiko-framework/engine";
 import { AccessDeniedError } from "@cosmicdrift/kumiko-framework/errors";
 
-const FORBIDDEN_MEMBERSHIP_ROLES: ReadonlySet<string> = new Set<string>([
-  ...access.privileged, // system, SystemAdmin
-  ...access.all, // all
-  ...access.anonymous, // anonymous
-]);
-
-export function findForbiddenMembershipRole(roles: readonly string[]): string | undefined {
-  return roles.find((role) => FORBIDDEN_MEMBERSHIP_ROLES.has(role));
-}
+export { findForbiddenMembershipRole };
 
 export function reservedMembershipRoleError(role: string): AccessDeniedError {
   return new AccessDeniedError({

package/src/user-data-rights/__tests__/inspector-screens.boot.test.ts

@@ -0,0 +1,65 @@
+import { describe, expect, test } from "bun:test";
+import { validateBoot } from "@cosmicdrift/kumiko-framework/engine";
+import { createComplianceProfilesFeature } from "../../compliance-profiles/feature";
+import { createConfigFeature } from "../../config/feature";
+import { createDataRetentionFeature } from "../../data-retention/feature";
+import { createSessionsFeature } from "../../sessions/feature";
+import { createUserFeature } from "../../user/feature";
+import { createUserDataRightsFeature } from "../feature";
+
+// Read-only GDPR inspector screens live IN user-data-rights (the boot-validator
+// forbids cross-feature screen ownership). The validator checks screen structure
+// — entity-local binding, columns/fields exist on the entity, rowAction targets
+// resolve — so a clean boot proves the entityList/entityEdit defs bind to the
+// real event-sourced entities and the convention list/detail QNs exist. The
+// entities (export-job, download-attempt) are r.entity, not direct-write stores,
+// so an entityList binding is rebuild-safe (unlike jobs/sessions read-models).
+
+describe("user-data-rights read-only inspector screens", () => {
+  const features = [
+    createConfigFeature(),
+    createUserFeature(),
+    createSessionsFeature(),
+    createDataRetentionFeature(),
+    createComplianceProfilesFeature(),
+    createUserDataRightsFeature(),
+  ];
+
+  test("the assembled feature set boot-validates", () => {
+    expect(() => validateBoot(features)).not.toThrow();
+  });
+
+  test("ships SystemAdmin-gated list + detail screens", () => {
+    const f = createUserDataRightsFeature();
+    expect(Object.keys(f.screens)).toEqual(
+      expect.arrayContaining(["export-job-list", "export-job-detail", "download-attempt-list"]),
+    );
+    const list = f.screens["export-job-list"];
+    expect(list?.type).toBe("entityList");
+    expect(list?.access).toEqual({ roles: ["SystemAdmin"] });
+  });
+
+  test("export-job detail is strictly read-only (no create/delete, every field readOnly)", () => {
+    const f = createUserDataRightsFeature();
+    const edit = f.screens["export-job-detail"];
+    expect(edit?.type).toBe("entityEdit");
+    if (edit?.type === "entityEdit") {
+      expect(edit.allowCreate).toBe(false);
+      expect(edit.allowDelete).toBe(false);
+      const fields = edit.layout.sections.flatMap((s) => ("fields" in s ? s.fields : []));
+      expect(fields.length).toBeGreaterThan(0);
+      expect(fields.every((field) => typeof field === "object" && field.readOnly === true)).toBe(
+        true,
+      );
+    }
+  });
+
+  test("convention list/detail handlers resolve the screen QNs", () => {
+    const f = createUserDataRightsFeature();
+    // entityList → user-data-rights:query:export-job:list; entityEdit detail →
+    // :export-job:detail; download-attempt list → :download-attempt:list.
+    expect(Object.keys(f.queryHandlers)).toEqual(
+      expect.arrayContaining(["export-job:list", "export-job:detail", "download-attempt:list"]),
+    );
+  });
+});

package/src/user-data-rights/feature.ts

@@ -8,8 +8,11 @@ import {
 import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
 import { createConfirmDeletionByTokenHandler } from "./handlers/confirm-deletion-by-token.write";
+import { downloadAttemptListQuery } from "./handlers/download-attempt-list.query";
 import { downloadByJobQuery } from "./handlers/download-by-job.query";
 import { downloadByTokenQuery } from "./handlers/download-by-token.query";
+import { exportJobDetailQuery } from "./handlers/export-job-detail.query";
+import { exportJobListQuery } from "./handlers/export-job-list.query";
 import { exportStatusQuery } from "./handlers/export-status.query";
 import { liftRestrictionWrite } from "./handlers/lift-restriction.write";
 import { listDownloadAttemptsQuery } from "./handlers/list-download-attempts.query";
@@ -36,6 +39,7 @@ import { runForgetCleanup, type SendDeletionExecutedEmailFn } from "./run-forget
 import { downloadAttemptEntity } from "./schema/download-attempt";
 import { exportDownloadTokenEntity } from "./schema/download-token";
 import { exportJobEntity } from "./schema/export-job";
+import { downloadAttemptListScreen, exportJobDetailScreen, exportJobListScreen } from "./screens";
 
 // user-data-rights — DSGVO Art. 15 (Auskunft) + Art. 17 (Löschung) +
 // Art. 18 (Restriction) + Art. 20 (Portabilität) als Core-Feature.
@@ -222,6 +226,16 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
     r.queryHandler(myAuditLogQuery);
     r.queryHandler(listDownloadAttemptsQuery);
 
+    // Read-only operator inspector over the GDPR read-models (SystemAdmin).
+    // Convention list/detail handlers so entityList/entityEdit resolve by QN;
+    // the screens stay inert until an app navs them (opt-in at wire time).
+    r.queryHandler(exportJobListQuery);
+    r.queryHandler(exportJobDetailQuery);
+    r.queryHandler(downloadAttemptListQuery);
+    r.screen(exportJobListScreen);
+    r.screen(exportJobDetailScreen);
+    r.screen(downloadAttemptListScreen);
+
     // Dormant Self-Service-Screen (Art. 15/17/18/20): Export, Aktivitäts-
     // protokoll, Einschränkung, Löschung in einem Screen. Kein r.nav — die
     // App platziert ihn im eingeloggten Bereich. Die React-Component kommt

package/src/user-data-rights/handlers/download-attempt-list.query.ts

@@ -0,0 +1,11 @@
+import { access, defineEntityListHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { downloadAttemptEntity } from "../schema/download-attempt";
+
+// SystemAdmin operator view of invalid download attempts (DPO brute-force
+// triage). A bespoke list-download-attempts query already exists but sits on a
+// non-convention QN; entityList needs the convention `download-attempt:list`.
+export const downloadAttemptListQuery = defineEntityListHandler(
+  "download-attempt",
+  downloadAttemptEntity,
+  { access: { roles: access.systemAdmin } },
+);

package/src/user-data-rights/handlers/export-job-detail.query.ts

@@ -0,0 +1,7 @@
+import { access, defineEntityDetailHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { exportJobEntity } from "../schema/export-job";
+
+// Detail fetch backing the read-only export-job inspector screen.
+export const exportJobDetailQuery = defineEntityDetailHandler("export-job", exportJobEntity, {
+  access: { roles: access.systemAdmin },
+});

package/src/user-data-rights/handlers/export-job-list.query.ts

@@ -0,0 +1,8 @@
+import { access, defineEntityListHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { exportJobEntity } from "../schema/export-job";
+
+// SystemAdmin operator view of GDPR Art. 20 export jobs. Read-only inspector —
+// rows are created by the user's request-export flow, never through this handler.
+export const exportJobListQuery = defineEntityListHandler("export-job", exportJobEntity, {
+  access: { roles: access.systemAdmin },
+});

package/src/user-data-rights/screens.ts

@@ -0,0 +1,71 @@
+import type {
+  EntityEditScreenDefinition,
+  EntityListScreenDefinition,
+} from "@cosmicdrift/kumiko-framework/engine";
+
+// Read-only operator inspector for the GDPR data-rights read-models. All
+// screens are SystemAdmin-gated and inert until an app navs them — the feature
+// only registers them, the app opts in per screen via r.nav (see the
+// mount-inspector-screens guide). The entities are event-sourced r.entity rows,
+// so binding entityList/entityEdit to them is safe (no direct-write rebuild
+// hazard like jobs/sessions).
+
+// Read-only field shorthand for the detail screens — every field is display-only.
+const ro = (field: string) => ({ field, readOnly: true });
+
+export const exportJobListScreen: EntityListScreenDefinition = {
+  id: "export-job-list",
+  type: "entityList",
+  entity: "export-job",
+  columns: ["userId", "status", "requestedAt", "completedAt", "expiresAt"],
+  rowActions: [
+    {
+      kind: "navigate",
+      id: "view",
+      label: "kumiko.actions.view",
+      screen: "export-job-detail",
+      entityId: "id",
+    },
+  ],
+  searchable: false,
+  access: { roles: ["SystemAdmin"] },
+};
+
+export const exportJobDetailScreen: EntityEditScreenDefinition = {
+  id: "export-job-detail",
+  type: "entityEdit",
+  entity: "export-job",
+  layout: {
+    sections: [
+      {
+        columns: 2,
+        fields: [
+          ro("userId"),
+          ro("requestedFromTenantId"),
+          ro("status"),
+          ro("requestedAt"),
+          ro("startedAt"),
+          ro("completedAt"),
+          ro("expiresAt"),
+          ro("downloadStorageKey"),
+          ro("bytesWritten"),
+          ro("errorMessage"),
+        ],
+      },
+    ],
+  },
+  // Inspector is strictly read-only: no export-job:create/update/delete handler
+  // exists, and the export lifecycle is driven by the worker, not an operator.
+  allowCreate: false,
+  allowDelete: false,
+  access: { roles: ["SystemAdmin"] },
+};
+
+export const downloadAttemptListScreen: EntityListScreenDefinition = {
+  id: "download-attempt-list",
+  type: "entityList",
+  entity: "download-attempt",
+  columns: ["attemptedAt", "result", "via", "ip", "attemptedByUserId", "jobId"],
+  searchable: false,
+  access: { roles: ["SystemAdmin"] },
+};