npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/db/dialect.ts ADDED Viewed

@@ -0,0 +1,109 @@
+// Central re-export for all PostgreSQL-specific imports.
+// No other file in the framework should import from "drizzle-orm/pg-core" directly.
+import { customType } from "drizzle-orm/pg-core";
+export type {
+  PgSelect as SelectQuery,
+  PgTableWithColumns as TableColumns,
+} from "drizzle-orm/pg-core";
+export {
+  bigint,
+  bigserial,
+  boolean,
+  index,
+  integer,
+  jsonb,
+  numeric,
+  pgTable as table,
+  primaryKey,
+  serial,
+  text,
+  timestamp,
+  uniqueIndex,
+  uuid,
+} from "drizzle-orm/pg-core";
+/**
+ * Money column: BIGINT storing the integer minor unit (cents for EUR, yen
+ * for JPY). Range ±9.2e18 in the DB; JS `number` is safe to 2^53 ≈ 9e15
+ * minor units = ~90 trillion EUR. INTEGER would cap at ~21 million EUR per
+ * row which is too tight for real-world invoices, bank balances, or bills
+ * of sale — hence bigint.
+ */
+export const moneyAmount = customType<{ data: number; driverData: string | number }>({
+  dataType() {
+    return "bigint";
+  },
+  fromDriver(value: string | number): number {
+    // node-postgres returns BIGINT as string by default; Bun's pg returns
+    // number. Cast via Number() either way — safe because we stay under 2^53.
+    return typeof value === "number" ? value : Number(value);
+  },
+  toDriver(value: number): number {
+    return value;
+  },
+});
+/**
+ * Instant column: TIMESTAMPTZ storing a UTC instant, surfaced to JS as
+ * `Temporal.Instant`. Replaces the old dual-mode situation (`mode:"date"`
+ * for base fields vs `mode:"string"` for user-defined timestamp fields)
+ * with a single round-trip type. See sprint-f-temporal.md for the migration.
+ *
+ * Driver-data is the ISO-8601 string the postgres driver actually exchanges.
+ * `fromDriver` reads what the driver returns (postgres-js gives strings for
+ * timestamptz) and parses through Temporal. `toDriver` writes the canonical
+ * Temporal.Instant.toString() — the spike confirmed `eq/lte/gt/orderBy/
+ * returning` accept Temporal.Instant directly without manual `.toString()`
+ * at the call site.
+ *
+ * Boot-order note: `Temporal` must exist on globalThis before any
+ * fromDriver/toDriver call. `ensureTemporalPolyfill()` runs at framework
+ * boot. The closures here are lazy — they fire on read/write, not on
+ * module load — so importing this file before the polyfill is safe.
+ *
+ * Optional `precision` (0..6) — fractional-second digits. Default 6 matches
+ * PG's default `timestamptz`. Pass 3 for the events-table (ms precision —
+ * matches what asOf-queries can compare reliably). Affects only CREATE TABLE
+ * DDL via drizzle-kit; runtime parse handles any precision via Temporal.
+ */
+// Forgiving overload: payloads from custom write-handlers sometimes
+// arrive as ISO strings rather than Temporal.Instant (Zod insert-
+// schemas use z.iso.datetime, not a Temporal validator). Coerce here
+// at the boundary so the DB always sees a normalised string — and
+// Temporal.Instant.from throws on bad input, which is the right failure
+// mode (vs. the obscure "x.toString is not a function" crash that hit
+// feature authors before this overload existed).
+//
+// Date-only strings (YYYY-MM-DD) coercen wir auf start-of-day UTC.
+// Hintergrund: type:"date" ist heute auf instant() aliased (table-
+// builder.ts TODO Sprint G), aber die Zod-Validation akzeptiert nur
+// YYYY-MM-DD. Ohne diesen Coerce wirft Temporal mit "Cannot parse:
+// 2026-04-10" und der Author bekommt einen internal_error 500 statt
+// einen sauberen DB-Roundtrip.
+//
+// Exportiert für Tests; production-call läuft über instantBuilder.
+export function instantToDriver(value: Temporal.Instant | string): string {
+  if (typeof value === "string") {
+    const dateOnly = /^\d{4}-\d{2}-\d{2}$/.test(value);
+    const iso = dateOnly ? `${value}T00:00:00Z` : value;
+    return Temporal.Instant.from(iso).toString();
+  }
+  return value.toString();
+}
+const instantBuilder = (config?: { precision?: 0 | 1 | 2 | 3 | 4 | 5 | 6 }) =>
+  customType<{ data: Temporal.Instant; driverData: string }>({
+    dataType() {
+      const p = config?.precision;
+      return p !== undefined ? `timestamp(${p}) with time zone` : "timestamptz";
+    },
+    fromDriver(value: string): Temporal.Instant {
+      return Temporal.Instant.from(value);
+    },
+    toDriver: instantToDriver,
+  });
+export function instant(name: string, config?: { precision?: 0 | 1 | 2 | 3 | 4 | 5 | 6 }) {
+  return instantBuilder(config)(name);
+}

package/src/db/eagerload.ts ADDED Viewed

@@ -0,0 +1,174 @@
+// Tier 2.7e Server-Side Eagerload für Reference-Felder.
+//
+// Nach `executor.list`/`detail` scannen wir die zurückgelieferten
+// rows nach reference-Field-Values, sammeln pro Reference die UUIDs
+// (deduped), führen einen einzigen WHERE id IN (...)-Lookup pro
+// Referenced-Entity aus, und hängen die resolved Rows als
+// `_refs.<fieldName>` (single) bzw. `_refs.<fieldName>: Row[]`
+// (multiple) an die Original-Rows.
+//
+// Tenant-Scope: TenantDb hat den Tenant-Filter eingebaut (mode:
+// "tenant"); der Lookup erbt das transparent. Cross-Feature-Refs
+// landen automatisch im selben Tenant — falls ein referenced Item
+// dem User nicht gehört, kommt es aus dem Lookup nicht zurück
+// (TenantDb filtert), und der Renderer fällt auf UUID zurück.
+//
+// Limit: kein expliziter limit auf den Lookup-SELECT — wir
+// fragen genau die UUIDs ab die in den main-Rows vorkommen, also
+// O(n) pro Page (bei pageSize:50 mit 2 ref-Spalten = max 100 IDs).
+// Render-Side limit:200-Workaround entfällt damit komplett.
+//
+// Diese Datei lebt im framework/db damit sie an einer Stelle
+// zwischen executor und entity-handlers gemounted ist; sie nutzt
+// keine framework-engine-Internals und kann auch von custom
+// query-handlern manuell aufgerufen werden.
+import { inArray } from "drizzle-orm";
+import type { EntityDefinition, FieldDefinition, ReferenceFieldDef } from "../engine/types";
+import { buildDrizzleTable } from "./table-builder";
+import type { TenantDb } from "./tenant-db";
+// Minimaler Registry-Lookup-Contract: pro entity-name → EntityDefinition.
+// Wir importieren NICHT den ganzen Registry-Type weil das einen
+// circular import zwischen db/ und engine/ erzeugen würde — der
+// Caller (entity-handlers.ts) hat ctx.registry und reicht hier eine
+// Closure rein.
+export type EagerLoadEntityResolver = (entityName: string) => EntityDefinition | undefined;
+// Tier 2.7e Audit-Fix #6: zentral typed Row-Shape mit _refs. Der
+// `_refs`-Property ist Server-Eagerload-Output: pro reference-Field
+// die resolved Row (single) oder ein Array resolved Rows (multiple).
+// Eine reference-Spalte mit value=null hat _refs[fieldName]=undefined.
+//
+// Renderer/Cell-Code liest `row._refs?.[fieldName]` statt inline-Cast;
+// Server-Code stempelt `_refs` über enrichWithReferences. Type ist
+// strukturell — auch Apps die ihre eigenen Refs setzen (Custom-
+// Handler) sollten das hier wiederverwenden.
+export type EagerloadedRow<T extends Record<string, unknown> = Record<string, unknown>> = T & {
+  readonly _refs?: Readonly<
+    Record<string, Record<string, unknown> | ReadonlyArray<Record<string, unknown>> | undefined>
+  >;
+};
+type ReferenceFieldEntry = {
+  readonly fieldName: string;
+  readonly refEntityName: string;
+  readonly multiple: boolean;
+};
+function isReferenceField(field: FieldDefinition): field is ReferenceFieldDef {
+  return field.type === "reference";
+}
+function parseRefEntity(raw: string): string {
+  // Same-feature ("user") oder cross-feature ("users:user") — wir
+  // brauchen nur den entity-name (Names sind global eindeutig in
+  // entityMap). Der feature-prefix dient nur der Author-Klarheit.
+  const idx = raw.indexOf(":");
+  return idx < 0 ? raw : raw.slice(idx + 1);
+}
+export function collectReferenceFields(entity: EntityDefinition): readonly ReferenceFieldEntry[] {
+  const out: ReferenceFieldEntry[] = [];
+  for (const [fieldName, fieldDef] of Object.entries(entity.fields)) {
+    if (!isReferenceField(fieldDef)) continue;
+    out.push({
+      fieldName,
+      refEntityName: parseRefEntity(fieldDef.entity),
+      multiple: fieldDef.multiple === true,
+    });
+  }
+  return out;
+}
+/** Eagerload für eine Liste von Rows. Mutiert nicht — gibt eine
+ *  flache Kopie der Rows mit hinzugefügtem `_refs`-Property zurück. */
+export async function enrichWithReferences(
+  rows: ReadonlyArray<Record<string, unknown>>,
+  entity: EntityDefinition,
+  resolveEntity: EagerLoadEntityResolver,
+  db: TenantDb,
+): Promise<Array<Record<string, unknown>>> {
+  const refFields = collectReferenceFields(entity);
+  if (refFields.length === 0 || rows.length === 0) {
+    return rows.map((r) => ({ ...r }));
+  }
+  // Pro reference-Field: deduped Set der IDs sammeln, dann ein
+  // einziger SELECT WHERE id IN (...). Maps werden parallel gebaut
+  // damit die Lookups nicht serialisieren (Promise.all).
+  const lookupMaps = await Promise.all(
+    refFields.map(async (rf) => {
+      const ids = new Set<string>();
+      for (const row of rows) {
+        const v = row[rf.fieldName];
+        if (rf.multiple) {
+          if (Array.isArray(v)) {
+            for (const item of v) {
+              if (typeof item === "string" && item.length > 0) ids.add(item);
+            }
+          }
+        } else if (typeof v === "string" && v.length > 0) {
+          ids.add(v);
+        }
+      }
+      if (ids.size === 0) return { fieldName: rf.fieldName, multiple: rf.multiple, map: new Map() };
+      const refEntity = resolveEntity(rf.refEntityName);
+      if (refEntity === undefined) {
+        // Author-Fehler oder Race-Condition (entity gerade umbenannt
+        // ohne registry-Reload). Boot-Validator hat das normalerweise
+        // gepinnt; Runtime-Defense: leere Map → Renderer fällt auf
+        // UUID zurück, kein Crash.
+        return { fieldName: rf.fieldName, multiple: rf.multiple, map: new Map() };
+      }
+      const refTable = buildDrizzleTable(rf.refEntityName, refEntity);
+      const idCol = refTable["id"];
+      if (idCol === undefined) {
+        return { fieldName: rf.fieldName, multiple: rf.multiple, map: new Map() };
+      }
+      const idArray = [...ids];
+      const refRows = (await db
+        .select()
+        .from(refTable)
+        .where(inArray(idCol, idArray as never /* @cast-boundary db-operator */))) as Array<
+        Record<string, unknown>
+      >; // @cast-boundary db-row
+      const map = new Map<string, Record<string, unknown>>();
+      for (const r of refRows) {
+        const id = r["id"];
+        if (typeof id === "string") map.set(id, r);
+      }
+      return { fieldName: rf.fieldName, multiple: rf.multiple, map };
+    }),
+  );
+  return rows.map((row) => {
+    const refs: Record<string, unknown> = {};
+    for (const lookup of lookupMaps) {
+      const v = row[lookup.fieldName];
+      if (lookup.multiple) {
+        const ids = Array.isArray(v) ? v : [];
+        const resolved = ids
+          .map((id) => (typeof id === "string" ? lookup.map.get(id) : undefined))
+          .filter((r) => r !== undefined);
+        refs[lookup.fieldName] = resolved;
+      } else if (typeof v === "string" && v.length > 0) {
+        refs[lookup.fieldName] = lookup.map.get(v);
+      } else {
+        refs[lookup.fieldName] = undefined;
+      }
+    }
+    return { ...row, _refs: refs };
+  });
+}
+/** Single-Row-Variante für detail-Calls. */
+export async function enrichRowWithReferences(
+  row: Record<string, unknown>,
+  entity: EntityDefinition,
+  resolveEntity: EagerLoadEntityResolver,
+  db: TenantDb,
+): Promise<Record<string, unknown>> {
+  const enriched = await enrichWithReferences([row], entity, resolveEntity, db);
+  return enriched[0] ?? { ...row, _refs: {} };
+}

package/src/db/encryption.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+export type EncryptionProvider = {
+  encrypt(plaintext: string): string;
+  decrypt(ciphertext: string): string;
+};
+export function createEncryptionProvider(key: string): EncryptionProvider {
+  // Key must be 32 bytes for AES-256
+  const keyBuffer = Buffer.from(key, "base64");
+  if (keyBuffer.length !== 32) {
+    throw new Error("ENCRYPTION_KEY must be 32 bytes (base64 encoded)");
+  }
+  return {
+    encrypt(plaintext: string): string {
+      const iv = randomBytes(IV_LENGTH);
+      const cipher = createCipheriv(ALGORITHM, keyBuffer, iv);
+      const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+      const tag = cipher.getAuthTag();
+      // Format: base64(iv + tag + ciphertext)
+      return Buffer.concat([iv, tag, encrypted]).toString("base64");
+    },
+    decrypt(ciphertext: string): string {
+      const data = Buffer.from(ciphertext, "base64");
+      const iv = data.subarray(0, IV_LENGTH);
+      const tag = data.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+      const encrypted = data.subarray(IV_LENGTH + TAG_LENGTH);
+      const decipher = createDecipheriv(ALGORITHM, keyBuffer, iv);
+      decipher.setAuthTag(tag);
+      return decipher.update(encrypted) + decipher.final("utf8");
+    },
+  };
+}