@cosmicdrift/kumiko-dev-server 0.37.0 → 0.39.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-dev-server",
-  "version": "0.37.0",
+  "version": "0.39.0",
   "description": "Development server bootstrap for Kumiko apps. Bundles the client, mints dev-JWTs, injects the resolved AppSchema, and seeds an admin. Not for production.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -46,8 +46,8 @@
     "kumiko-schema-check": "./bin/kumiko-schema-check.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-bundled-features": "0.35.0",
-    "@cosmicdrift/kumiko-framework": "0.35.0",
+    "@cosmicdrift/kumiko-bundled-features": "0.38.0",
+    "@cosmicdrift/kumiko-framework": "0.38.0",
     "ts-morph": "^28.0.0"
   },
   "publishConfig": {

package/src/__tests__/env-schema.test.ts

@@ -3,6 +3,20 @@ import { composeEnvSchema, KumikoBootError, parseEnv } from "@cosmicdrift/kumiko
 import { z } from "zod";
 import { type FrameworkCoreEnv, frameworkCoreEnvSchema } from "../env-schema";
 
+// Statt Sentinel-throw IM try (ein nicht-werfender parseEnv ließe den
+// Sentinel in den catch fallen und produziert eine irreführende
+// instanceOf-Failure): laufen lassen, danach unconditional asserten.
+function expectBootError(run: () => void): KumikoBootError {
+  let thrown: unknown;
+  try {
+    run();
+  } catch (err) {
+    thrown = err;
+  }
+  expect(thrown).toBeInstanceOf(KumikoBootError);
+  return thrown as KumikoBootError;
+}
+
 describe("frameworkCoreEnvSchema", () => {
   it("accepts a valid minimal env", () => {
     const env = parseEnv(frameworkCoreEnvSchema, {
@@ -18,32 +32,23 @@ describe("frameworkCoreEnvSchema", () => {
   });
 
   it("aggregates missing required vars (DATABASE_URL + REDIS_URL)", () => {
-    try {
-      parseEnv(frameworkCoreEnvSchema, {});
-      throw new Error("should have thrown");
-    } catch (err) {
-      expect(err).toBeInstanceOf(KumikoBootError);
-      const boot = err as KumikoBootError;
-      const names = boot.errors.map((e) => e.name).sort();
-      expect(names).toContain("DATABASE_URL");
-      expect(names).toContain("REDIS_URL");
-      // PORT has a default → not in the error set
-      expect(names).not.toContain("PORT");
-    }
+    const boot = expectBootError(() => parseEnv(frameworkCoreEnvSchema, {}));
+    const names = boot.errors.map((e) => e.name).sort();
+    expect(names).toContain("DATABASE_URL");
+    expect(names).toContain("REDIS_URL");
+    // PORT has a default → not in the error set
+    expect(names).not.toContain("PORT");
   });
 
   it("rejects a non-postgres DATABASE_URL even when it is a valid WHATWG URL", () => {
-    try {
+    const boot = expectBootError(() =>
       parseEnv(frameworkCoreEnvSchema, {
         DATABASE_URL: "https://example.com/db",
         REDIS_URL: "redis://localhost:6379",
-      });
-      throw new Error("should have thrown");
-    } catch (err) {
-      expect(err).toBeInstanceOf(KumikoBootError);
-      const db = (err as KumikoBootError).errors.find((e) => e.name === "DATABASE_URL");
-      expect(db?.kind).toBe("invalid");
-    }
+      }),
+    );
+    const db = boot.errors.find((e) => e.name === "DATABASE_URL");
+    expect(db?.kind).toBe("invalid");
   });
 
   it("accepts postgres:// and postgresql:// for DATABASE_URL", () => {
@@ -57,17 +62,14 @@ describe("frameworkCoreEnvSchema", () => {
   });
 
   it("rejects a non-redis REDIS_URL and accepts redis:// + rediss://", () => {
-    try {
+    const boot = expectBootError(() =>
       parseEnv(frameworkCoreEnvSchema, {
         DATABASE_URL: "postgres://localhost:5432/db",
         REDIS_URL: "https://example.com/cache",
-      });
-      throw new Error("should have thrown");
-    } catch (err) {
-      expect(err).toBeInstanceOf(KumikoBootError);
-      const redis = (err as KumikoBootError).errors.find((e) => e.name === "REDIS_URL");
-      expect(redis?.kind).toBe("invalid");
-    }
+      }),
+    );
+    const redis = boot.errors.find((e) => e.name === "REDIS_URL");
+    expect(redis?.kind).toBe("invalid");
     for (const url of ["redis://localhost:6379", "rediss://localhost:6379"]) {
       const env = parseEnv(frameworkCoreEnvSchema, {
         DATABASE_URL: "postgres://localhost:5432/db",
@@ -78,18 +80,15 @@ describe("frameworkCoreEnvSchema", () => {
   });
 
   it("rejects an invalid PORT (non-numeric)", () => {
-    try {
+    const boot = expectBootError(() =>
       parseEnv(frameworkCoreEnvSchema, {
         DATABASE_URL: "postgres://localhost:5432/db",
         REDIS_URL: "redis://localhost:6379",
         PORT: "not-a-port",
-      });
-      throw new Error("should have thrown");
-    } catch (err) {
-      expect(err).toBeInstanceOf(KumikoBootError);
-      const port = (err as KumikoBootError).errors.find((e) => e.name === "PORT");
-      expect(port?.kind).toBe("invalid");
-    }
+      }),
+    );
+    const port = boot.errors.find((e) => e.name === "PORT");
+    expect(port?.kind).toBe("invalid");
   });
 
   it("KUMIKO_SKIP_ES_OPS accepts any string (matches runtime semantics)", () => {
@@ -112,17 +111,11 @@ describe("frameworkCoreEnvSchema", () => {
     expect(sources["DATABASE_URL"]).toBe("framework-core");
     expect(sources["PORT"]).toBe("framework-core");
     expect(sources["STUDIO_ADMIN_EMAIL"]).toBe("app");
-
-    try {
-      parseEnv(schema, {}, { sources });
-      throw new Error("should have thrown");
-    } catch (err) {
-      const boot = err as KumikoBootError;
-      const formatted = boot.format();
-      expect(formatted).toContain("✗ DATABASE_URL (framework-core, required, missing)");
-      expect(formatted).toContain("✗ REDIS_URL (framework-core, required, missing)");
-      expect(formatted).toContain("✗ STUDIO_ADMIN_EMAIL (app, required, missing)");
-    }
+    const boot = expectBootError(() => parseEnv(schema, {}, { sources }));
+    const formatted = boot.format();
+    expect(formatted).toContain("✗ DATABASE_URL (framework-core, required, missing)");
+    expect(formatted).toContain("✗ REDIS_URL (framework-core, required, missing)");
+    expect(formatted).toContain("✗ STUDIO_ADMIN_EMAIL (app, required, missing)");
   });
 
   it("z.infer<typeof frameworkCoreEnvSchema> typechecks the expected shape", () => {

package/src/__tests__/kumiko-schema-check.test.ts

@@ -4,7 +4,6 @@ import { describe, expect, test } from "bun:test";
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { composeFeatures } from "../compose-features";
 import { implicitAuthModeFeatureNames, resolveGeneratePath } from "../schema-check-core";
 
 describe("resolveGeneratePath", () => {
@@ -43,10 +42,10 @@ describe("resolveGeneratePath", () => {
 });
 
 describe("implicitAuthModeFeatureNames", () => {
-  test("matches composeFeatures' auth-mode prepend exactly (no hardcoded drift)", () => {
-    const fromCompose = composeFeatures([], { includeBundled: true }).map((f) => f.name);
-    expect(implicitAuthModeFeatureNames()).toEqual(fromCompose);
-    // Sanity: the current bundled-foundation set.
+  test("liefert exakt das bundled-foundation-Set", () => {
+    // Bewusst hartkodierte Erwartung: ein Vergleich gegen composeFeatures
+    // wäre tautologisch (die Funktion IST dieser Ausdruck). Ändert sich das
+    // Foundation-Set, muss dieser Test bewusst angefasst werden.
     expect([...implicitAuthModeFeatureNames()].sort()).toEqual([
       "auth-email-password",
       "config",

package/src/create-kumiko-server.ts

@@ -20,6 +20,7 @@ import { readFile, watch } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join, resolve } from "node:path";
 import { type AuthRoutesConfig, generateToken } from "@cosmicdrift/kumiko-framework/api";
+import { ROLES } from "@cosmicdrift/kumiko-framework/auth";
 import {
   buildAppSchema,
   createSystemUser,
@@ -704,7 +705,7 @@ export async function createKumikoServer(
       redis: stack.redis,
       registry: stack.registry,
       dispatchSystemWrite: ({ handlerQn, payload, tenantId }) =>
-        stack.dispatcher.write(handlerQn, payload, createSystemUser(tenantId, ["SystemAdmin"])),
+        stack.dispatcher.write(handlerQn, payload, createSystemUser(tenantId, [ROLES.SystemAdmin])),
     });
   }
 
@@ -868,7 +869,9 @@ export async function createKumikoServer(
     // staticDir-fallback") und macht r.httpRoute mit non-/api paths im
     // dev-server symmetrisch zu prod.
     if (
-      req.method === "GET" &&
+      // HEAD mitnehmen — prod (runProdApp) fällt für GET UND HEAD auf die
+      // SPA zurück; ohne das liefert dev 404 wo prod 200 liefert.
+      (req.method === "GET" || req.method === "HEAD") &&
       !url.pathname.startsWith("/api/") &&
       !url.pathname.startsWith("/sse") &&
       !url.pathname.includes(".")

package/src/kebab.ts

@@ -0,0 +1,7 @@
+// Segment-strict: rejects trailing/double hyphen so the name is a valid
+// package-name + folder (`my-shop`, not `my-` or `my--shop`).
+const KEBAB_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
+
+export function isKebabSegment(value: string): boolean {
+  return KEBAB_RE.test(value);
+}

package/src/run-dev-app.ts

@@ -90,6 +90,9 @@ export type RunDevAppAuthOptions = {
   readonly signup?: SignupSetup;
   /** Tenant-Invite flow (Magic-Link). Symmetric. */
   readonly invite?: InviteSetup;
+  /** Domain attribute for both auth cookies (see
+   *  AuthRoutesConfig.cookieDomain). Symmetric zu RunProdAppAuthOptions. */
+  readonly cookieDomain?: string;
 };
 
 /** Hook for app-specific seeding (demo data, fixtures). Runs after the
@@ -268,6 +271,9 @@ export async function runDevApp(options: RunDevAppOptions): Promise<KumikoServer
           [AuthErrors.invalidCredentials]: 401,
           [AuthErrors.noMembership]: 403,
         },
+        ...(options.auth.cookieDomain !== undefined && {
+          cookieDomain: options.auth.cookieDomain,
+        }),
         ...sessionAuthFragment,
         ...(options.auth.passwordReset && {
           passwordReset: {

package/src/run-prod-app.ts

@@ -41,6 +41,7 @@ import { createSessionCallbacks } from "@cosmicdrift/kumiko-bundled-features/ses
 import { TenantQueries } from "@cosmicdrift/kumiko-bundled-features/tenant";
 import { UserQueries } from "@cosmicdrift/kumiko-bundled-features/user";
 import { createSseBroker, type SseBroker } from "@cosmicdrift/kumiko-framework/api";
+import { ROLES } from "@cosmicdrift/kumiko-framework/auth";
 import { createDbConnection, type DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import {
   buildAppSchema,
@@ -275,6 +276,10 @@ export type RunProdAppAuthOptions = {
    *  /api/auth/invite-accept-with-login, /api/auth/invite-signup-complete
    *  are mounted. */
   readonly invite?: InviteSetup;
+  /** Domain attribute for both auth cookies (see
+   *  AuthRoutesConfig.cookieDomain). Set to the registrable parent
+   *  domain when login and app live on different subdomains. */
+  readonly cookieDomain?: string;
 };
 
 /** Hook for app-specific seeding — runs after the admin (when auth is
@@ -333,6 +338,10 @@ export type HostDispatchResult =
 export type HostDispatchFn = (req: {
   readonly host: string;
   readonly path: string;
+  /** Query-String inkl. führendem `?`, `""` wenn keiner. Redirects die
+   *  den Pfad auf einen anderen Host umbiegen (z.B. Auth-Routen mit
+   *  `?token=` aus alten Mail-Links) MÜSSEN ihn an `to` anhängen. */
+  readonly search: string;
 }) => HostDispatchResult;
 
 export type RunProdAppOptions = {
@@ -713,6 +722,9 @@ export async function runProdApp(options: RunProdAppOptions): Promise<ProdAppHan
           [AuthErrors.invalidCredentials]: 401,
           [AuthErrors.noMembership]: 403,
         },
+        ...(options.auth.cookieDomain !== undefined && {
+          cookieDomain: options.auth.cookieDomain,
+        }),
         ...sessionAuthFragment,
         ...(options.auth.passwordReset && {
           passwordReset: {
@@ -832,7 +844,7 @@ export async function runProdApp(options: RunProdAppOptions): Promise<ProdAppHan
         entrypoint.dispatcher.write(
           handlerQn,
           payload,
-          createSystemUser(tenantId, ["SystemAdmin"]),
+          createSystemUser(tenantId, [ROLES.SystemAdmin]),
         ),
     });
   }
@@ -1026,7 +1038,7 @@ function buildStaticFallback(
     if (!hostDispatch) return null;
     const url = new URL(req.url);
     const host = req.headers.get("host") ?? url.host;
-    const result = hostDispatch({ host, path: url.pathname });
+    const result = hostDispatch({ host, path: url.pathname, search: url.search });
     if (result.kind === "not-found") {
       return new Response("Not Found", { status: 404 });
     }

package/src/scaffold-app-feature.ts

@@ -14,6 +14,7 @@
 import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { Project, SyntaxKind } from "ts-morph";
+import { isKebabSegment } from "./kebab";
 
 export type ScaffoldAppFeatureOptions = {
   /** kebab-case feature name (e.g. "product-catalog"). */
@@ -31,13 +32,10 @@ export type ScaffoldAppFeatureResult = {
   readonly autoMounted: boolean;
 };
 
-// Segment-strict: rejects trailing/double hyphen (`product-`, `foo--bar`),
-// which kebabToCamel would otherwise turn into an invalid identifier
-// (`productFeature` vs the broken `product-Feature`).
-const KEBAB_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
-
 export function scaffoldAppFeature(options: ScaffoldAppFeatureOptions): ScaffoldAppFeatureResult {
-  if (!KEBAB_RE.test(options.name)) {
+  // Segment-strict guard: a trailing/double hyphen (`product-`, `foo--bar`)
+  // would make kebabToCamel produce an invalid identifier.
+  if (!isKebabSegment(options.name)) {
     throw new Error(
       `scaffoldAppFeature: name must be kebab-case (a-z, 0-9, -); got "${options.name}"`,
     );

package/src/scaffold-app.ts

@@ -14,6 +14,7 @@
 import { existsSync, mkdirSync, writeFileSync } from "node:fs";
 import { join, resolve } from "node:path";
 import { IndentationText, Project, VariableDeclarationKind } from "ts-morph";
+import { isKebabSegment } from "./kebab";
 
 export type ScaffoldAppOptions = {
   /** kebab-case app name (e.g. "my-shop"). Becomes package-name + folder. */
@@ -35,12 +36,8 @@ export type ScaffoldAppResult = {
   readonly appName: string;
 };
 
-// Segment-strict: rejects trailing/double hyphen so the name is a valid
-// package-name + folder (`my-shop`, not `my-` or `my--shop`).
-const KEBAB_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
-
 export function scaffoldApp(options: ScaffoldAppOptions): ScaffoldAppResult {
-  if (!KEBAB_RE.test(options.name)) {
+  if (!isKebabSegment(options.name)) {
     throw new Error(`scaffoldApp: name must be kebab-case (a-z, 0-9, -); got "${options.name}"`);
   }
   const cwd = options.cwd ?? process.cwd();

package/src/scaffold-deploy.ts

@@ -10,6 +10,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { isKebabSegment } from "./kebab";
 
 export type ScaffoldDeployOptions = {
   /** App name, kebab-case (e.g. "publicstatus", "kumiko-studio"). */
@@ -64,12 +65,8 @@ const TEMPLATE_FILES = [
   { template: "migrate-step.sh.template", output: "migrate-step.sh" },
 ] as const;
 
-// Segment-strict: rejects trailing/double hyphen so the appName is a valid
-// image-tag + folder segment (`kumiko-studio`, not `kumiko-` / `kumiko--x`).
-const KEBAB_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
-
 export function scaffoldDeploy(options: ScaffoldDeployOptions): ScaffoldDeployResult {
-  if (!KEBAB_RE.test(options.appName)) {
+  if (!isKebabSegment(options.appName)) {
     throw new Error(
       `scaffoldDeploy: appName must be kebab-case (a-z, 0-9, -); got "${options.appName}"`,
     );