npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/README.md ADDED Viewed

@@ -0,0 +1,159 @@
+# @cosmicdrift/kumiko-framework
+[![License: BUSL-1.1](https://img.shields.io/badge/License-BUSL--1.1-blue.svg)](../../LICENSE)
+[![TypeScript](https://img.shields.io/badge/TypeScript-strict-blue.svg)](https://www.typescriptlang.org/)
+Framework core for Kumiko — engine, pipeline, API, DB, event-store, and
+every other bit that makes Kumiko go.
+> Multi-tenant, command-based, event-sourced app framework for Bun + Hono +
+> Drizzle. Define features, register entities, write commands — the framework
+> wires dispatch, persistence, projections, async subscribers, and realtime
+> delivery.
+See the [monorepo root README](../../README.md) for the broader pitch, the
+[docs/plans](../../docs/plans) directory for architecture, and [samples/](../../samples)
+for runnable examples of every feature.
+## Install
+```bash
+yarn add @cosmicdrift/kumiko-framework
+# peers you probably already have:
+yarn add drizzle-orm hono ioredis zod
+```
+Bun is the intended runtime. Node 20+ works for the CLI and tests.
+## At-a-glance
+```typescript
+import { defineFeature, createEntity, createTextField } from "@cosmicdrift/kumiko-framework/engine";
+export const taskEntity = createEntity({
+  fields: {
+    title: createTextField({ required: true, searchable: true }),
+    done: createTextField(),
+  },
+  softDelete: true,
+});
+const taskTable = buildDrizzleTable("task", taskEntity);
+const taskExecutor = createEventStoreExecutor(taskTable, taskEntity, { entityName: "task" });
+export const taskFeature = defineFeature("tasks", (r) => {
+  r.entity("task", taskEntity);
+  // Write handlers go through createEventStoreExecutor — events + projection in one TX,
+  // optimistic locking, access control, all explicit.
+  r.writeHandler(
+    "task:create",
+    z.object({ title: z.string() }),
+    async (event, ctx) => taskExecutor.create(event.payload, event.user, ctx.db),
+    { access: { roles: ["User"] } },
+  );
+  r.writeHandler(
+    "task:update",
+    z.object({ id: z.uuid(), version: z.number(), changes: z.object({ title: z.string().optional() }) }),
+    async (event, ctx) => taskExecutor.update(event.payload, event.user, ctx.db),
+    { access: { roles: ["User"] } },
+  );
+  r.writeHandler(
+    "task:delete",
+    z.object({ id: z.uuid() }),
+    async (event, ctx) => taskExecutor.delete(event.payload, event.user, ctx.db),
+    { access: { roles: ["Admin"] } },
+  );
+  r.queryHandler(
+    "task:list",
+    z.object({}),
+    async (query, ctx) => taskExecutor.list(query.payload, query.user, ctx.db),
+    { access: { openToAll: true } },
+  );
+  r.queryHandler(
+    "task:detail",
+    z.object({ id: z.uuid() }),
+    async (query, ctx) => taskExecutor.detail(query.payload, query.user, ctx.db),
+    { access: { openToAll: true } },
+  );
+  // Read-model fed from task events, rebuildable via the CLI
+  r.projection({
+    name: "tasks-per-day",
+    source: "task",
+    table: tasksPerDayTable,
+    apply: {
+      "task.created": async (event, tx) => {
+        /* count++ */
+      },
+    },
+  });
+  // Async consumer — runs after commit via the event-dispatcher,
+  // cursor-based, at-least-once, per-consumer dead-letter semantics.
+  // Omit `table` for pure side-effect handlers (mail, webhooks, ...).
+  r.multiStreamProjection({
+    name: "notify-new-task",
+    apply: {
+      "task.created": async (event) => {
+        // e.g. push to an external notification service
+      },
+    },
+  });
+});
+```
+## Package exports
+| Entry | What's in it |
+|---|---|
+| `@cosmicdrift/kumiko-framework/engine` | `defineFeature`, `createEntity`, field helpers, access rules, registry |
+| `@cosmicdrift/kumiko-framework/db` | Drizzle re-exports, `createEventStoreExecutor`, table builders, tenant-db |
+| `@cosmicdrift/kumiko-framework/event-store` | `events` table, `append`, `loadAggregate`, `loadAggregateAsOf` |
+| `@cosmicdrift/kumiko-framework/pipeline` | Dispatcher, event-dispatcher (AsyncDaemon), projection-rebuild, SSE + search consumers |
+| `@cosmicdrift/kumiko-framework/api` | `buildServer`, auth middleware, SSE route, error contract |
+| `@cosmicdrift/kumiko-framework/auth` | JWT helper, password hashing, session users |
+| `@cosmicdrift/kumiko-framework/search` | `SearchAdapter` interface, in-memory adapter, Meili wrapper |
+| `@cosmicdrift/kumiko-framework/jobs` | BullMQ-backed job runner, cron scheduling |
+| `@cosmicdrift/kumiko-framework/files` | Signed-URL upload/download, tenant-scoped storage |
+| `@cosmicdrift/kumiko-framework/i18n` | i18next setup, per-feature translation registration |
+| `@cosmicdrift/kumiko-framework/ui` | React hooks (Zustand stores, SSE subscription, optimistic mutations) |
+| `@cosmicdrift/kumiko-framework/testing` | `setupTestStack`, `createTestDb`, request helpers |
+| `@cosmicdrift/kumiko-framework/utils` | Safe JSON, qualified-name helpers |
+| `@cosmicdrift/kumiko-framework/errors` | Error classes, `writeFailure`, reason contracts |
+## Core concepts
+- **Feature as unit of deployment.** `defineFeature` registers entities,
+  write/query handlers, projections, post-event subscribers, lifecycle hooks,
+  access rules, and translations.
+- **Commands in, state out.** Writes are commands dispatched through HTTP;
+  the dispatcher validates, enforces access, runs lifecycle hooks, persists
+  events, and triggers projections in a single TX.
+- **Event-sourced by default.** Every write goes through `createEventStoreExecutor`
+  and appends a domain event to the aggregate stream. Auto-generated CRUD
+  events (`<entity>.created/updated/deleted/restored`) for record writes,
+  explicit `ctx.appendEvent` for domain events with intent. Projections feed
+  off the stream for same-TX read-after-write consistency.
+- **Async side-effects via cursor.** SSE broadcast, search indexing, and
+  feature-registered `r.multiStreamProjection` consumers run on a single
+  cursor-based dispatcher (AsyncDaemon pattern). Per-consumer checkpoints,
+  halt-on-poison, dead-letter after N retries.
+- **Multi-tenant scoping.** Every event, entity, projection, and search
+  index carries `tenantId`. `TenantDb` is a TX-scoped wrapper that refuses
+  writes outside the current tenant.
+- **Optimistic concurrency.** `UNIQUE(aggregate_id, version)` on events
+  gives atomic append + conflict detection; `VersionConflictError` surfaces
+  races as a first-class value.
+- **Idempotency + dedup.** Request-id backed unique index on the events
+  table turns retries into replays. `IdempotencyGuard` caches write
+  outcomes per tenant.
+## Status
+This framework is pre-1.0 and evolves fast. Every feature has a runnable
+sample under `samples/`; the roadmap lives in [docs/plans/uebersicht.md](../../docs/plans/uebersicht.md).
+## License
+BUSL-1.1 — see [LICENSE](../../LICENSE).

package/package.json ADDED Viewed

@@ -0,0 +1,91 @@
+{
+  "name": "@cosmicdrift/kumiko-framework",
+  "version": "0.1.0",
+  "description": "Framework core — engine, pipeline, API, DB, and every other bit that makes Kumiko go.",
+  "license": "BUSL-1.1",
+  "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cosmicdriftgamestudio/kumiko-framework.git",
+    "directory": "packages/framework"
+  },
+  "bugs": {
+    "url": "https://github.com/cosmicdriftgamestudio/kumiko-framework/issues"
+  },
+  "homepage": "https://kumiko.so",
+  "keywords": [
+    "framework",
+    "multi-tenant",
+    "realtime",
+    "command-based",
+    "typescript",
+    "hono",
+    "drizzle",
+    "zod"
+  ],
+  "type": "module",
+  "kumiko": {
+    "runtime": "runtime"
+  },
+  "exports": {
+    "./engine": "./src/engine/index.ts",
+    "./engine/types": "./src/engine/types/index.ts",
+    "./errors": "./src/errors/index.ts",
+    "./db": "./src/db/index.ts",
+    "./event-store": "./src/event-store/index.ts",
+    "./event-store/admin-api": "./src/event-store/admin-api.ts",
+    "./pipeline": "./src/pipeline/index.ts",
+    "./api": "./src/api/index.ts",
+    "./i18n": "./src/i18n/index.ts",
+    "./auth": "./src/auth/index.ts",
+    "./files": "./src/files/index.ts",
+    "./jobs": "./src/jobs/index.ts",
+    "./migrations": "./src/migrations/index.ts",
+    "./entrypoint": "./src/entrypoint/index.ts",
+    "./random": "./src/random/index.ts",
+    "./redis": "./src/redis/index.ts",
+    "./search": "./src/search/index.ts",
+    "./search/meilisearch": "./src/search/meilisearch-adapter.ts",
+    "./secrets": "./src/secrets/index.ts",
+    "./stack": "./src/stack/index.ts",
+    "./testing": "./src/testing/index.ts",
+    "./testing/handler-context": "./src/testing/handler-context.ts",
+    "./testing/e2e-generator": "./src/testing/e2e-generator.ts",
+    "./time": "./src/time/index.ts",
+    "./ui-types": "./src/ui-types/index.ts",
+    "./utils": "./src/utils/index.ts"
+  },
+  "dependencies": {
+    "bullmq": "^5.73.5",
+    "bun-types": "^1.3.12",
+    "drizzle-kit": "^0.31.10",
+    "drizzle-orm": "^0.45.2",
+    "hono": "^4.12.12",
+    "i18next": "^26.0.4",
+    "ioredis": "^5.6.0",
+    "jose": "^6.0.11",
+    "meilisearch": "^0.57.0",
+    "pino": "^10.3.1",
+    "postgres": "^3.4.9",
+    "temporal-polyfill": "^0.3.2",
+    "ts-morph": "^28.0.0",
+    "uuid": "^14.0.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@cosmicdrift/kumiko-dispatcher-live": "workspace:*",
+    "@types/uuid": "^11.0.0",
+    "bun-types": "^1.2.9",
+    "drizzle-kit": "^0.31.0",
+    "pino-pretty": "^13.1.3"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/src/__tests__/anonymous-access.integration.ts ADDED Viewed

@@ -0,0 +1,325 @@
+// Full-stack proof for anonymousAccess: handlers that allow roles=["anonymous"]
+// must be reachable WITHOUT a JWT, while the rest of /api/* still requires
+// authentication. Covers the resolution chain (defaultTenantId, X-Tenant
+// header, kumiko_tenant cookie, custom resolver) plus the rejection paths
+// (no tenant, unknown tenant, openToAll-protected).
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { z } from "zod";
+import { createEventStoreExecutor } from "../db/event-store-executor";
+import { buildDrizzleTable } from "../db/table-builder";
+import {
+  ANONYMOUS_USER_ID,
+  createEntity,
+  createTextField,
+  defineFeature,
+  type TenantId,
+} from "../engine";
+import { createEntityTable, setupTestStack, type TestStack, TestUsers } from "../stack";
+const TENANT_ID = "00000000-0000-4000-8000-000000000001" as TenantId;
+const OTHER_TENANT_ID = "00000000-0000-4000-8000-000000000002" as TenantId;
+// --- Feature ---
+const productEntity = createEntity({
+  table: "anon_products",
+  fields: {
+    name: createTextField({ required: true }),
+  },
+});
+const productTable = buildDrizzleTable("product", productEntity);
+const orderEntity = createEntity({
+  table: "anon_orders",
+  fields: {
+    productName: createTextField({ required: true }),
+    placedBy: createTextField({ default: "" }),
+  },
+});
+const orderTable = buildDrizzleTable("order", orderEntity);
+const shopFeature = defineFeature("anonshop", (r) => {
+  r.entity("product", productEntity);
+  r.entity("order", orderEntity);
+  // Public listing — anonymous + authenticated customers see it.
+  r.queryHandler(
+    "product:list",
+    z.object({}),
+    async (_event, ctx) => {
+      const rows = await ctx.db.select().from(productTable);
+      return rows;
+    },
+    { access: { roles: ["anonymous", "User", "Admin"] } },
+  );
+  // Authenticated-only listing — confirms openToAll still rejects anonymous.
+  r.queryHandler(
+    "product:list-auth-only",
+    z.object({}),
+    async (_event, ctx) => {
+      const rows = await ctx.db.select().from(productTable);
+      return rows;
+    },
+    { access: { openToAll: true } },
+  );
+  // Anonymous can place a guest order.
+  r.writeHandler(
+    "order:guest-checkout",
+    z.object({ productName: z.string().min(1) }),
+    async (event, ctx) => {
+      const crud = createEventStoreExecutor(orderTable, orderEntity, { entityName: "order" });
+      return crud.create(
+        { productName: event.payload.productName, placedBy: event.user.id },
+        event.user,
+        ctx.db,
+      );
+    },
+    { access: { roles: ["anonymous", "User"] } },
+  );
+  // Admin-only — confirms role-gated handlers still reject anonymous.
+  r.writeHandler(
+    "product:create",
+    z.object({ name: z.string().min(1) }),
+    async (event, ctx) => {
+      const crud = createEventStoreExecutor(productTable, productEntity, {
+        entityName: "product",
+      });
+      return crud.create({ name: event.payload.name }, event.user, ctx.db);
+    },
+    { access: { roles: ["Admin"] } },
+  );
+});
+// --- Suite ---
+describe("anonymous access — single-tenant default", () => {
+  let stack: TestStack;
+  beforeAll(async () => {
+    stack = await setupTestStack({
+      features: [shopFeature],
+      anonymousAccess: { defaultTenantId: TENANT_ID },
+    });
+    await createEntityTable(stack.db, productEntity);
+    await createEntityTable(stack.db, orderEntity);
+  });
+  afterAll(() => stack.cleanup());
+  beforeEach(async () => {
+    await stack.db.delete(productTable);
+    await stack.db.delete(orderTable);
+  });
+  test("anonymous query succeeds without any auth headers", async () => {
+    // Seed a product with the admin user so the query has data to return.
+    await stack.http.writeOk(
+      "anonshop:write:product:create",
+      { name: "Espresso Beans" },
+      TestUsers.admin,
+    );
+    const res = await stack.http.raw("POST", "/api/query", {
+      type: "anonshop:query:product:list",
+      payload: {},
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { data: Array<{ name: string }> };
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0]?.name).toBe("Espresso Beans");
+  });
+  test("anonymous write succeeds and records actor=anonymous", async () => {
+    const res = await stack.http.raw("POST", "/api/write", {
+      type: "anonshop:write:order:guest-checkout",
+      payload: { productName: "Espresso Beans" },
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { isSuccess: boolean };
+    expect(body.isSuccess).toBe(true);
+    // Verify the row landed with placedBy=anonymous in the DB. Confirms the
+    // synthesised SessionUser actually flows through to the handler.
+    const rows = await stack.db.select().from(orderTable);
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.["placedBy"]).toBe(ANONYMOUS_USER_ID);
+  });
+  test("openToAll handler rejects anonymous (regression guard)", async () => {
+    // The advisor-flagged regression: enabling anonymousAccess must NOT
+    // silently expose every existing openToAll endpoint. hasAccess refuses
+    // anonymous on openToAll, so the dispatcher returns AccessDenied.
+    const res = await stack.http.raw("POST", "/api/query", {
+      type: "anonshop:query:product:list-auth-only",
+      payload: {},
+    });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("access_denied");
+  });
+  test("role-gated handler still rejects anonymous", async () => {
+    const res = await stack.http.raw("POST", "/api/write", {
+      type: "anonshop:write:product:create",
+      payload: { name: "Tea Set" },
+    });
+    expect(res.status).toBe(403);
+  });
+  test("authenticated user with JWT bypasses anonymous path entirely", async () => {
+    const res = await stack.http.query("anonshop:query:product:list", {}, TestUsers.admin);
+    expect(res.status).toBe(200);
+  });
+  test("X-Tenant header that disagrees with default → 400 tenant_mismatch", async () => {
+    // Single-tenant mode is locked: a client cannot override defaultTenantId
+    // by sending a different X-Tenant. Silent acceptance would let a
+    // confused client write into the wrong tenant of a single-tenant
+    // deployment that happened to have data for OTHER_TENANT_ID.
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { "X-Tenant": OTHER_TENANT_ID },
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("tenant_mismatch");
+  });
+  test("X-Tenant header matching default → accepted", async () => {
+    // Same default, redundant header — fine.
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { "X-Tenant": TENANT_ID },
+    );
+    expect(res.status).toBe(200);
+  });
+});
+describe("anonymous access — header-supplied tenant", () => {
+  let stack: TestStack;
+  beforeAll(async () => {
+    stack = await setupTestStack({
+      features: [shopFeature],
+      anonymousAccess: {
+        // No defaultTenantId — every anonymous request must declare its tenant.
+        tenantExists: async (id: TenantId) => id === TENANT_ID || id === OTHER_TENANT_ID,
+      },
+    });
+    await createEntityTable(stack.db, productEntity);
+    await createEntityTable(stack.db, orderEntity);
+  });
+  afterAll(() => stack.cleanup());
+  test("X-Tenant header resolves the tenant", async () => {
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { "X-Tenant": TENANT_ID },
+    );
+    expect(res.status).toBe(200);
+  });
+  test("malformed X-Tenant header → 400 invalid_tenant_format", async () => {
+    // Junk strings (SQL fragments, path traversals, plain typos) must never
+    // reach the pipeline as a TenantId. parseTenantId rejects anything that
+    // isn't a UUID-shape, the middleware turns that into a 400 here.
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { "X-Tenant": "not-a-uuid" },
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as {
+      error: { code: string; details: { source: string } };
+    };
+    expect(body.error.code).toBe("invalid_tenant_format");
+    expect(body.error.details.source).toBe("X-Tenant header");
+  });
+  test("missing tenant → 400 tenant_required", async () => {
+    const res = await stack.http.raw("POST", "/api/query", {
+      type: "anonshop:query:product:list",
+      payload: {},
+    });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: { code: string; i18nKey: string } };
+    expect(body.error.code).toBe("tenant_required");
+    expect(body.error.i18nKey).toBe("auth.errors.tenantRequired");
+  });
+  test("/api/auth/* without JWT → 401 missing_token (not 400 tenant_required)", async () => {
+    // Auth-routes (tenants, switch-tenant, logout) brauchen einen JWT,
+    // aber keinen Tenant-Resolve. Vor dem Fix fielen sie in handleAnonymous,
+    // das beim resolveTenant ohne X-Tenant 400 tenant_required wirft —
+    // falsche Diagnose, der Caller ist unauthenticated, nicht ohne Tenant.
+    // Login bleibt davon unberührt (in PUBLIC_API_PATHS, skipped vor auth).
+    const res = await stack.http.raw("GET", "/api/auth/tenants");
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: { code: string; i18nKey: string } };
+    expect(body.error.code).toBe("missing_token");
+    expect(body.error.i18nKey).toBe("auth.errors.missingToken");
+  });
+  test("authenticated request with conflicting X-Tenant header → 400 tenant_mismatch", async () => {
+    // JWT carries tenantId=TENANT_ID, but the client sends X-Tenant for a
+    // different tenant. Silent ignore would let the client think it's
+    // hitting OTHER_TENANT_ID while it's actually on TENANT_ID — defensive
+    // reject, same shape as ambiguous_auth.
+    const token = await stack.jwt.sign(TestUsers.admin);
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { Authorization: `Bearer ${token}`, "X-Tenant": OTHER_TENANT_ID },
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("tenant_mismatch");
+  });
+  test("unknown tenant → 404 tenant_not_found", async () => {
+    const res = await stack.http.raw(
+      "POST",
+      "/api/query",
+      { type: "anonshop:query:product:list", payload: {} },
+      { "X-Tenant": "00000000-0000-4000-8000-deadbeefdead" },
+    );
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("tenant_not_found");
+  });
+});
+describe("anonymous access — disabled by default", () => {
+  let stack: TestStack;
+  beforeAll(async () => {
+    stack = await setupTestStack({ features: [shopFeature] });
+    await createEntityTable(stack.db, productEntity);
+    await createEntityTable(stack.db, orderEntity);
+  });
+  afterAll(() => stack.cleanup());
+  test("missing JWT → 401 (no anonymous fall-through)", async () => {
+    const res = await stack.http.raw("POST", "/api/query", {
+      type: "anonshop:query:product:list",
+      payload: {},
+    });
+    expect(res.status).toBe(401);
+  });
+});