@cosmicdrift/kumiko-dev-server 0.26.0 → 0.28.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-dev-server",
-  "version": "0.26.0",
+  "version": "0.28.0",
   "description": "Development server bootstrap for Kumiko apps. Bundles the client, mints dev-JWTs, injects the resolved AppSchema, and seeds an admin. Not for production.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/__tests__/run-prod-app.integration.test.ts

@@ -68,6 +68,19 @@ const widgetFeature = defineFeature("prod-probe", (r) => {
     access: { roles: ["anonymous"] },
     handler: async () => ({ pong: true }),
   });
+  // SystemAdmin-gated write — Ziel des extraRoutes.dispatchSystemWrite-
+  // Tests: Echo von user.tenantId + roles beweist, dass der Dispatch
+  // durch den echten Dispatcher (Zod + Access-Check) läuft und der
+  // auto-konstruierte SystemUser den Ziel-Tenant trägt.
+  r.writeHandler({
+    name: "probe-write",
+    schema: z.object({ note: z.string() }),
+    access: { roles: ["SystemAdmin"] },
+    handler: async (event) => ({
+      isSuccess: true as const,
+      data: { tenantSeen: event.user.tenantId, roles: event.user.roles },
+    }),
+  });
 });
 
 const TENANT_ID = "00000000-0000-4000-8000-000000000001";
@@ -206,6 +219,41 @@ describe("runProdApp", () => {
     expect(body).toContain('<probe ok="true" />');
   });
 
+  test("extraRoutes-deps: dispatchSystemWrite schreibt als SystemAdmin des Ziel-Tenants, registry verfügbar", async () => {
+    // Das ist das Wiring für Provider-Webhook-Routes (billing-foundation
+    // createSubscriptionWebhookHandler): die Route authentifiziert via
+    // Provider-Signatur und schreibt dann am JWT-Pfad vorbei durch den
+    // Command-Dispatcher. Beweist: (a) registry liegt in den deps,
+    // (b) dispatchSystemWrite geht durch Zod + Access-Check des Handlers,
+    // (c) der SystemUser trägt den Ziel-Tenant (Event-Store-Konsistenz).
+    let registryHasProbe = false;
+    const handle = await boot(undefined, {
+      extraRoutes: (app, deps) => {
+        registryHasProbe = deps.registry.features.has("prod-probe");
+        app.post("/webhook-probe", async (c) => {
+          const result = await deps.dispatchSystemWrite({
+            handlerQn: "prod-probe:write:probe-write",
+            payload: { note: "from-webhook" },
+            tenantId: TENANT_ID as import("@cosmicdrift/kumiko-framework/engine").TenantId,
+          });
+          return c.json(result);
+        });
+      },
+    });
+
+    expect(registryHasProbe).toBe(true);
+
+    const res = await handle.fetch(new Request("http://test/webhook-probe", { method: "POST" }));
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      isSuccess: boolean;
+      data?: { tenantSeen: string; roles: string[] };
+    };
+    expect(body.isSuccess).toBe(true);
+    expect(body.data?.tenantSeen).toBe(TENANT_ID);
+    expect(body.data?.roles).toContain("SystemAdmin");
+  });
+
   test("static-fallback: extraRoute beats Disk-File at colliding path (Hono-First)", async () => {
     // Regression-Test für den static-fallback-Bug von Phase 2 Step 1:
     // wenn ein extraRoute (z.B. /feed.xml) UND eine gleichnamige Disk-

package/src/create-kumiko-server.ts

@@ -20,7 +20,11 @@ import { readFile, watch } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join, resolve } from "node:path";
 import { type AuthRoutesConfig, generateToken } from "@cosmicdrift/kumiko-framework/api";
-import { buildAppSchema, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  buildAppSchema,
+  createSystemUser,
+  type FeatureDefinition,
+} from "@cosmicdrift/kumiko-framework/engine";
 import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   pushEntityProjectionTables,
@@ -190,7 +194,21 @@ export type CreateKumikoServerOptions = {
    *  `ctx` weil dies kein HandlerContext ist — kein user/tenant. */
   readonly extraRoutes?: (
     app: import("hono").Hono,
-    deps: { db: TestStack["db"]; redis: TestStack["redis"] },
+    deps: {
+      db: TestStack["db"];
+      redis: TestStack["redis"];
+      /** Feature-registry — z.B. für Plugin-Lookups via
+       *  `registry.getExtensionUsages("subscriptionProvider")`. */
+      registry: TestStack["registry"];
+      /** System-Write durch den Command-Dispatcher — Semantik identisch zu
+       *  runProdApp.extraRoutes (SystemAdmin des Ziel-Tenants, kein
+       *  Access-Check; nur für signatur-authentifizierte Pfade). */
+      dispatchSystemWrite: (args: {
+        readonly handlerQn: string;
+        readonly payload: unknown;
+        readonly tenantId: import("@cosmicdrift/kumiko-framework/engine").TenantId;
+      }) => Promise<import("@cosmicdrift/kumiko-framework/engine").WriteResult>;
+    },
   ) => void;
 };
 
@@ -681,7 +699,13 @@ export async function createKumikoServer(
   // (HTML/JS/CSS-Serving via handleFetch unten) registriert, damit
   // explizite Routen wie /feed.xml den Asset-Pfad schlagen.
   if (options.extraRoutes !== undefined) {
-    options.extraRoutes(stack.app, { db: stack.db, redis: stack.redis });
+    options.extraRoutes(stack.app, {
+      db: stack.db,
+      redis: stack.redis,
+      registry: stack.registry,
+      dispatchSystemWrite: ({ handlerQn, payload, tenantId }) =>
+        stack.dispatcher.write(handlerQn, payload, createSystemUser(tenantId, ["SystemAdmin"])),
+    });
   }
 
   // setupTestStack konfiguriert den eventDispatcher, startet ihn aber

package/src/run-prod-app.ts

@@ -45,12 +45,15 @@ import { createDbConnection, type DbRunner } from "@cosmicdrift/kumiko-framework
 import {
   buildAppSchema,
   createRegistry,
+  createSystemUser,
   type EffectiveFeaturesResolver,
   type FeatureDefinition,
   findTierResolverUsage,
+  type Registry,
   type TenantId,
   type TierResolverPlugin,
   validateBoot,
+  type WriteResult,
 } from "@cosmicdrift/kumiko-framework/engine";
 import {
   type ApiEntrypoint,
@@ -421,6 +424,19 @@ export type RunProdAppOptions = {
     deps: {
       db: import("@cosmicdrift/kumiko-framework/db").DbConnection;
       redis: import("ioredis").default;
+      /** Feature-registry — z.B. für Plugin-Lookups via
+       *  `registry.getExtensionUsages("subscriptionProvider")`. */
+      registry: Registry;
+      /** Schreibt durch den /api/*-Command-Dispatcher (gleiche Idempotency/
+       *  Job-Hooks) — aber als auto-konstruierter SystemAdmin des Ziel-
+       *  Tenants, OHNE Access-Check der Route. Nur für Pfade, die ihre
+       *  Authentizität selbst beweisen (Provider-Webhook-Signaturen,
+       *  createSubscriptionWebhookHandler et al.). */
+      dispatchSystemWrite: (args: {
+        readonly handlerQn: string;
+        readonly payload: unknown;
+        readonly tenantId: TenantId;
+      }) => Promise<WriteResult>;
     },
   ) => void;
   /** When true (default), Bun.serve is started before runProdApp resolves —
@@ -808,7 +824,17 @@ export async function runProdApp(options: RunProdAppOptions): Promise<ProdAppHan
   //     belegt; extraRoutes sollte die nicht überschreiben (kein
   //     enforce, das ist Author-Verantwortung).
   if (options.extraRoutes) {
-    options.extraRoutes(entrypoint.app, { db, redis });
+    options.extraRoutes(entrypoint.app, {
+      db,
+      redis,
+      registry,
+      dispatchSystemWrite: ({ handlerQn, payload, tenantId }) =>
+        entrypoint.dispatcher.write(
+          handlerQn,
+          payload,
+          createSystemUser(tenantId, ["SystemAdmin"]),
+        ),
+    });
   }
 
   // 11. Build the fetch-handler. Static-fallback for non-/api/ paths