npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/db/event-store-executor.ts ADDED Viewed

@@ -0,0 +1,906 @@
+import { and, asc, desc, eq, gt, inArray, lt, ne, type SQL, sql } from "drizzle-orm";
+import { requestContext } from "../api/request-context";
+import { checkWriteFieldOwnership } from "../engine/field-access";
+import {
+  buildOwnershipClause,
+  userCanCreateFieldRow,
+  userCanWriteFieldRow,
+} from "../engine/ownership";
+import type {
+  DeleteContext,
+  EntityDefinition,
+  EntityId,
+  FieldDefinition,
+  SaveContext,
+  SessionUser,
+  WriteResult,
+} from "../engine/types";
+import {
+  VersionConflictError as FrameworkVersionConflict,
+  InternalError,
+  NotFoundError,
+  UniqueViolationError,
+  UnprocessableError,
+  type WriteFailure,
+  writeFailure,
+} from "../errors";
+import {
+  append,
+  type EventMetadata,
+  VersionConflictError as EventStoreVersionConflict,
+  getStreamVersion,
+} from "../event-store";
+import type { EntityCache } from "../pipeline/entity-cache";
+import type { SearchAdapter } from "../search/types";
+import { generateId } from "../utils";
+import { applyEntityEvent } from "./apply-entity-event";
+import { flattenCompoundTypes, rehydrateCompoundTypes } from "./compound-types";
+import type { DbRow } from "./connection";
+import { decodeCursor, encodeCursor } from "./cursor";
+import type { TableColumns } from "./dialect";
+import type { CursorResult } from "./index";
+import { constraintOf, isUniqueViolation } from "./pg-error";
+import type { TenantDb } from "./tenant-db";
+// biome-ignore lint/suspicious/noExplicitAny: Drizzle dynamic tables
+type Table = TableColumns<any>;
+// Screen-Filter (Tier 2.7c) — Op-Mapping zur Drizzle-WHERE-Clause.
+// Lebt isoliert hier (statt inline im list-Body) damit der einzige
+// Wire-Boundary `as never`-Cast lokal bleibt: payload.filter.value ist
+// `unknown` (Wire-Boundary), Drizzle's eq/ne/lt/gt/inArray verlangen
+// den Column-Type. Type-Mismatch wirft erst der PostgreSQL-Driver zur
+// Laufzeit; Author hat über `filterable: true` + Boot-Validator op-
+// vs-Type-Compat ohnehin Kontrolle was reinkommt.
+//
+// Empty-array IN ist explizit "no match" (SQL false), nicht "match all".
+// biome-ignore lint/suspicious/noExplicitAny: Drizzle-Column ist generic; siehe oben.
+function buildFilterCondition(col: any, op: "eq" | "ne" | "lt" | "gt" | "in", value: unknown): SQL {
+  switch (op) {
+    case "eq":
+      return eq(col, value as never); // @cast-boundary db-operator
+    case "ne":
+      return ne(col, value as never); // @cast-boundary db-operator
+    case "lt":
+      return lt(col, value as never); // @cast-boundary db-operator
+    case "gt":
+      return gt(col, value as never); // @cast-boundary db-operator
+    case "in":
+      if (Array.isArray(value) && value.length > 0) {
+        return inArray(col, value as never); // @cast-boundary db-operator
+      }
+      return sql`false`;
+  }
+}
+// Returns the scalar default of a field, or undefined if the field's type
+// doesn't carry a default or no default was declared. Only scalar types
+// (text/number/boolean/select) support creation-time defaults — money/date/
+// file/embedded fields don't.
+function scalarDefault(field: FieldDefinition): unknown {
+  switch (field.type) {
+    case "text":
+    case "longText":
+    case "number":
+    case "boolean":
+    case "select":
+      return field.default;
+    default:
+      return undefined;
+  }
+}
+// Lifecycle verbs the event-store-executor auto-emits. MSPs that react
+// to entity creates/updates/etc should reference this helper instead of
+// hardcoding the string — a future rename in the executor then surfaces
+// as a type error at every call site rather than a silent miss.
+export type EntityLifecycleVerb = "created" | "updated" | "deleted" | "restored";
+export function entityEventName(entityName: string, verb: EntityLifecycleVerb): string {
+  return `${entityName}.${verb}`;
+}
+export type EventStoreExecutorOptions = {
+  searchAdapter?: SearchAdapter;
+  entityName: string; // required — the aggregateType marker on every event
+  entityCache?: EntityCache;
+};
+// F8 helper: PG-23505 (unique-violation) catched aus applyEntityEvent
+// (create + update Pfade) → WriteFailure(UniqueViolationError 409).
+// Andere Errors propagieren via re-throw. Lokal extrahiert weil das
+// Pattern an zwei Stellen im executor lebt — der Caller wrap't den
+// applyEntityEvent-call in try-catch und delegiert das Mapping hierher.
+//
+// Returns WriteFailure on match, null otherwise (caller re-throws).
+function tryMapUniqueViolation(e: unknown, entityName: string): WriteFailure | null {
+  if (!isUniqueViolation(e)) return null;
+  const constraintName = constraintOf(e);
+  return writeFailure(
+    new UniqueViolationError(
+      {
+        entityName,
+        ...(constraintName !== undefined && { constraintName }),
+      },
+      { cause: e instanceof Error ? e : undefined },
+    ),
+  );
+}
+// Build the metadata envelope for an append. userId always set; requestId +
+// correlation + causation come from the AsyncLocalStorage request-context
+// when present (e.g. HTTP request, MSP-apply, job run). requestId is a pure
+// trace marker — HTTP-level retry idempotency runs separately via
+// pipeline/idempotency.ts (Redis-cached response replay), so a single
+// request can write N events freely without the events-table needing a
+// uniqueness constraint.
+function buildEventMetadata(user: SessionUser): EventMetadata {
+  const reqCtx = requestContext.get();
+  return {
+    userId: String(user.id),
+    ...(reqCtx?.requestId ? { requestId: reqCtx.requestId } : {}),
+    ...(reqCtx?.correlationId ? { correlationId: reqCtx.correlationId } : {}),
+    ...(reqCtx?.causationId ? { causationId: reqCtx.causationId } : {}),
+  };
+}
+// The executor writes events + auto-projection (entity table) in one TX.
+// It no longer knows about user projections — those are driven by the
+// pipeline, which reads the StoredEvent surfaced on SaveContext/DeleteContext
+// and iterates the registry itself. Executor-level `registry` options were
+// removed to close the silent-bypass hole where a caller forgetting to pass
+// one would skip projections without any signal.
+export type EventStoreExecutor = {
+  create: (
+    payload: Record<string, unknown>,
+    user: SessionUser,
+    db: TenantDb,
+  ) => Promise<WriteResult<SaveContext>>;
+  update: (
+    payload: { id: EntityId; version?: number | undefined; changes: Record<string, unknown> },
+    user: SessionUser,
+    db: TenantDb,
+    options?: { skipOptimisticLock?: boolean },
+  ) => Promise<WriteResult<SaveContext>>;
+  delete: (
+    payload: { id: EntityId },
+    user: SessionUser,
+    db: TenantDb,
+  ) => Promise<WriteResult<DeleteContext>>;
+  restore: (
+    payload: { id: EntityId },
+    user: SessionUser,
+    db: TenantDb,
+  ) => Promise<WriteResult<SaveContext>>;
+  list: (
+    payload: {
+      cursor?: string | undefined;
+      limit?: number | undefined;
+      search?: string | undefined;
+      sort?: string | undefined;
+      sortDirection?: "asc" | "desc" | undefined;
+      offset?: number | undefined;
+      totalCount?: boolean | undefined;
+      filter?:
+        | {
+            readonly field: string;
+            readonly op: "eq" | "ne" | "lt" | "gt" | "in";
+            readonly value: unknown;
+          }
+        | undefined;
+    },
+    user: SessionUser,
+    db: TenantDb,
+    /** Tier 2.7e Audit-Fix: per-Call SearchAdapter Override. Wenn der
+     *  Executor beim Build keinen SearchAdapter via Options bekommen
+     *  hat (defaultEntityQueryHandler-Pfad), kann der Caller (Handler)
+     *  hier zur Runtime einen aus ctx.searchAdapter durchreichen.
+     *  options.searchAdapter (build-time) gewinnt — runtime-Override
+     *  ist Fallback für die default-Wrapper. */
+    runtimeOptions?: { readonly searchAdapter?: SearchAdapter },
+  ) => Promise<CursorResult<Record<string, unknown>>>;
+  detail: (
+    payload: { id: EntityId },
+    user: SessionUser,
+    db: TenantDb,
+  ) => Promise<Record<string, unknown> | null>;
+};
+export function createEventStoreExecutor(
+  table: Table,
+  entity: EntityDefinition,
+  options: EventStoreExecutorOptions,
+): EventStoreExecutor {
+  const { searchAdapter, entityName, entityCache } = options;
+  const softDelete = entity.softDelete ?? false;
+  // idType default (undefined) is now "uuid" — the ES-pivot made UUID the
+  // only valid aggregate-id type. Explicit `idType: "serial"` is the only
+  // shape that's incompatible with the event-store and still rejected.
+  if (entity.idType !== undefined && entity.idType !== "uuid") {
+    throw new Error(
+      `event-store-executor requires entity "${entityName}" to declare idType: "uuid" — ` +
+        `got idType: "${entity.idType}". ` +
+        `The events-table keys aggregates by uuid(aggregate_id); non-UUID PKs would ` +
+        `require a schema split the framework does not currently support. ` +
+        `Fix: remove the \`idType\`-override from createEntity({...}) for "${entityName}" ` +
+        `(the default is "uuid"). The framework auto-assigns UUIDs on create — ` +
+        `you do not need to generate them yourself. ` +
+        `See docs/plans/architecture/event-sourcing-pivot.md (section "UUID-only aggregate IDs") for the full rationale.`,
+    );
+  }
+  // Pre-compute defaults once so create() doesn't loop the entity every call.
+  const fieldDefaults: Record<string, unknown> = {};
+  for (const [name, field] of Object.entries(entity.fields)) {
+    const def = scalarDefault(field);
+    if (def !== undefined) fieldDefaults[name] = def;
+  }
+  // Pre-compute the set of sensitive field names once. Every event payload
+  // (create data, update changes + previous, delete previous, restore
+  // previous) strips these before writing to the immutable event log. Keeps
+  // GDPR right-to-be-forgotten tractable — only entity rows hold the
+  // sensitive data, and entity rows can be deleted / re-encrypted.
+  const sensitiveFields = new Set<string>();
+  for (const [name, field] of Object.entries(entity.fields)) {
+    if ("sensitive" in field && field.sensitive === true) {
+      sensitiveFields.add(name);
+    }
+  }
+  function applyDefaults(payload: Record<string, unknown>): Record<string, unknown> {
+    if (Object.keys(fieldDefaults).length === 0) return payload;
+    const result: Record<string, unknown> = { ...payload };
+    for (const [name, def] of Object.entries(fieldDefaults)) {
+      if (result[name] === undefined) result[name] = def;
+    }
+    return result;
+  }
+  function stripSensitive(payload: Record<string, unknown> | undefined): Record<string, unknown> {
+    if (!payload) return {};
+    if (sensitiveFields.size === 0) return payload;
+    const result: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(payload)) {
+      if (sensitiveFields.has(key)) continue;
+      result[key] = value;
+    }
+    return result;
+  }
+  function idFilter(id: EntityId) {
+    const conditions = [eq(table["id"], id)];
+    if (softDelete && table["isDeleted"]) {
+      conditions.push(eq(table["isDeleted"], false));
+    }
+    // Drizzle's variadic `and()` is typed `SQL | undefined`; conditions is
+    // guaranteed non-empty above (we pushed at least one).
+    return and(...conditions) as SQL;
+  }
+  async function loadById(id: EntityId, db: TenantDb): Promise<Record<string, unknown> | null> {
+    const [row] = await db.select().from(table).where(idFilter(id));
+    if (!row) return null;
+    return rehydrateCompoundTypes(row as DbRow, entity);
+  }
+  return {
+    async create(payload, user, db) {
+      // Respect an explicit id in the payload (seed pattern, SCIM import). Without
+      // one the framework mints a fresh UUIDv7 via generateId. Strip it out of the
+      // event payload so defaults + downstream consumers don't see a redundant id field.
+      const explicitId = typeof payload["id"] === "string" ? (payload["id"] as string) : undefined;
+      const aggregateId = explicitId ?? generateId();
+      const { id: _id, ...payloadWithoutId } = payload;
+      const data = applyDefaults(payloadWithoutId);
+      // H.2 — entity-level write-ownership on create. No oldRow exists, so
+      // only the new row is checked. No Straddle concern for creates.
+      if (!userCanCreateFieldRow(user, entity.access?.write, data)) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: { scope: "entity", entityName, action: "create", userId: user.id },
+          }),
+        );
+      }
+      // Field-level write-ownership on create — mirror of entity-level but
+      // per declared field. Role-level was already checked by the
+      // dispatcher; here we enforce ownership-rules against the new row.
+      const fieldDeniedCreate = checkWriteFieldOwnership(entity, data, user);
+      if (fieldDeniedCreate) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: {
+              scope: "field",
+              entityName,
+              action: "create",
+              field: fieldDeniedCreate,
+              userId: user.id,
+            },
+          }),
+        );
+      }
+      // Alle Compound-Types (locatedTimestamp, money, ...) gehen durch
+      // dieselbe Pipeline. Caller schickt combined API-Form, Framework
+      // speichert flat DB-Form. Siehe db/compound-types.ts.
+      const flatData = flattenCompoundTypes(data, entity);
+      // 1. Append event (same TX as the projection write — both must succeed
+      //    or both roll back; the dispatcher wraps both in one transaction).
+      //    Sensitive fields are stripped from the event payload; the entity
+      //    row below still receives the full data.
+      //
+      //    `expectedVersion: 0` heißt: stream existiert noch nicht. Bei
+      //    deterministic-aggregate-id-Patterns (z.B. uuidv5(tenantId|naturalKey))
+      //    ist es legitim dass create kollidiert — selbe id, schon vorhandener
+      //    stream → version_conflict statt internal_error. Update hat den
+      //    selben catch (siehe line 493+).
+      let event: Awaited<ReturnType<typeof append>>;
+      try {
+        event = await append(db.raw, {
+          aggregateId,
+          aggregateType: entityName,
+          tenantId: user.tenantId,
+          expectedVersion: 0,
+          type: entityEventName(entityName, "created"),
+          payload: stripSensitive(flatData),
+          metadata: buildEventMetadata(user),
+        });
+      } catch (e) {
+        if (e instanceof EventStoreVersionConflict) {
+          // Try to look up the real stream-version for the diagnostic — but
+          // wrap defensively: when `append` raised the unique-violation, the
+          // current TX is already aborted, and a second query on the same
+          // runner would re-throw "current transaction is aborted". Update-
+          // path doesn't have this problem (it queries getStreamVersion
+          // BEFORE the try-block). Falling back to a sentinel keeps the
+          // version_conflict mapping reliable; the actual current version
+          // is recoverable client-side via a fresh detail-query if needed.
+          let currentVersion = -1;
+          try {
+            currentVersion = await getStreamVersion(db.raw, aggregateId, user.tenantId);
+          } catch {
+            // Aborted TX or any lookup failure — keep the sentinel.
+          }
+          return writeFailure(
+            new FrameworkVersionConflict({
+              entityId: aggregateId,
+              expectedVersion: 0,
+              currentVersion,
+            }),
+          );
+        }
+        throw e;
+      }
+      // 2. Update projection via applyEntityEvent — derselbe Code-Pfad den
+      //    rebuildProjection für Replay nutzt → Live==Rebuild by-construction.
+      //    Wir bauen ein "live event" mit unstripped flatData (damit sensitive
+      //    Felder in der Read-Tabelle landen, aber nicht im Event-Log).
+      //
+      //    F8-Patch: app-level unique-violations (z.B. (tenantId, email)
+      //    auf User-Entity, (tenantId, slug) auf Article) werfen pg-23505
+      //    aus der projection-INSERT. Ohne den catch propagiert das als
+      //    unhandled exception → 500 internal_error. Map auf
+      //    UniqueViolationError 409 damit Designer/Frontend einen sauberen
+      //    "duplicate" zeigen können statt cryptic "internal server error".
+      const liveEvent = { ...event, payload: flatData };
+      let result: Awaited<ReturnType<typeof applyEntityEvent>>;
+      try {
+        result = await applyEntityEvent(liveEvent, table, entity, db.raw);
+      } catch (e) {
+        const mapped = tryMapUniqueViolation(e, entityName);
+        if (mapped) return mapped;
+        throw e;
+      }
+      if (result.kind !== "applied" || result.row === null) {
+        return writeFailure(new InternalError({ message: "projection insert returned no row" }));
+      }
+      const row = result.row;
+      // Read-Side Auto-Convert: DB-Form → API-combined-Form für alle
+      // Compound-Types in einem Pass.
+      const projection = rehydrateCompoundTypes(row as DbRow, entity) as DbRow;
+      if (entityCache && entityName) {
+        await entityCache.del(user.tenantId, entityName, aggregateId);
+      }
+      return {
+        isSuccess: true,
+        data: {
+          kind: "save",
+          id: aggregateId,
+          data: projection,
+          changes: data,
+          previous: {},
+          isNew: true,
+          entityName,
+          event,
+        },
+      };
+    },
+    async update(payload, user, db, updateOptions) {
+      const previous = await loadById(payload.id, db);
+      if (!previous) return writeFailure(new NotFoundError(entityName, payload.id));
+      // H.2 — entity-level write-ownership on update. Load old row (already
+      // done above), build post-change row via shallow merge. Straddle-safe
+      // multi-role check: at least one role must accept BOTH old and new —
+      // prevents the attack where role A passes old, role B passes new and
+      // aggregation would wrongly allow a row-grab.
+      const mergedNew: Record<string, unknown> = { ...previous, ...payload.changes };
+      if (!userCanWriteFieldRow(user, entity.access?.write, previous, mergedNew)) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: {
+              scope: "entity",
+              entityName,
+              action: "update",
+              userId: user.id,
+              entityId: payload.id,
+            },
+          }),
+        );
+      }
+      // Field-level write-ownership on update — this is the path the
+      // dispatcher could not evaluate (no oldRow). Now that we have
+      // `previous`, we can run the ownership rules per field against both
+      // sides and reject individual fields the user isn't entitled to
+      // touch on this specific row.
+      const fieldDeniedUpdate = checkWriteFieldOwnership(entity, payload.changes, user, previous);
+      if (fieldDeniedUpdate) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: {
+              scope: "field",
+              entityName,
+              action: "update",
+              field: fieldDeniedUpdate,
+              userId: user.id,
+              entityId: payload.id,
+            },
+          }),
+        );
+      }
+      // Stream-version is authoritative, not row.version. `ctx.appendEvent`
+      // can bump the stream between CRUD writes (domain event on the same
+      // aggregate); a stale row.version here would make the next CRUD write
+      // trip `events_aggregate_version_uq` (tenant_id, aggregate_id, version)
+      // with version_conflict.
+      const currentVersion = await getStreamVersion(db.raw, String(payload.id), user.tenantId);
+      if (!updateOptions?.skipOptimisticLock) {
+        if (payload.version === undefined) {
+          return writeFailure(
+            new FrameworkVersionConflict({
+              entityId: payload.id,
+              expectedVersion: 0,
+              currentVersion,
+            }),
+          );
+        }
+        if (currentVersion !== payload.version) {
+          return writeFailure(
+            new FrameworkVersionConflict({
+              entityId: payload.id,
+              expectedVersion: payload.version,
+              currentVersion,
+            }),
+          );
+        }
+      }
+      try {
+        // Compound-Types Auto-Convert (alle in einem Pass).
+        const flatChanges = flattenCompoundTypes(payload.changes, entity);
+        // The event payload carries BOTH `changes` (what the user asked for) AND
+        // `previous` (the pre-update row). Cross-aggregate projections need the
+        // previous value to decrement/undo when a parent-FK moves — without it
+        // you'd have to snapshot-and-diff on every apply, and replays would
+        // break. Storage cost is acceptable (rows are bounded), correctness is
+        // not negotiable. Sensitive fields are stripped from BOTH halves so
+        // they never reach the immutable event log.
+        const event = await append(db.raw, {
+          aggregateId: String(payload.id),
+          aggregateType: entityName,
+          tenantId: user.tenantId,
+          expectedVersion: currentVersion,
+          type: entityEventName(entityName, "updated"),
+          payload: {
+            changes: stripSensitive(flatChanges),
+            previous: stripSensitive(previous),
+          },
+          metadata: buildEventMetadata(user),
+        });
+        // Live==Rebuild via applyEntityEvent: live-event mit unstripped
+        // flatChanges damit sensitive Felder in der Read-Tabelle landen.
+        //
+        // F8-Patch: dasselbe unique-violation-handling wie im create-Pfad
+        // — ein update das einen unique-Index verletzt (z.B. email-update
+        // auf einen schon-existierenden Wert) wird mit 409 unique_violation
+        // statt 500 internal_error rückgemeldet.
+        const liveEvent = {
+          ...event,
+          payload: { changes: flatChanges, previous },
+        };
+        let result: Awaited<ReturnType<typeof applyEntityEvent>>;
+        try {
+          result = await applyEntityEvent(liveEvent, table, entity, db.raw);
+        } catch (e) {
+          const mapped = tryMapUniqueViolation(e, entityName);
+          if (mapped) return mapped;
+          throw e;
+        }
+        if (result.kind !== "applied" || result.row === null) {
+          return writeFailure(new InternalError({ message: "projection update returned no row" }));
+        }
+        const row = result.row;
+        const data = rehydrateCompoundTypes(row as DbRow, entity) as DbRow;
+        if (entityCache && entityName) {
+          await entityCache.del(user.tenantId, entityName, payload.id);
+        }
+        return {
+          isSuccess: true,
+          data: {
+            kind: "save",
+            id: data["id"] as EntityId,
+            data,
+            changes: payload.changes,
+            previous,
+            isNew: false,
+            entityName,
+            event,
+          },
+        };
+      } catch (e) {
+        // The pre-check above eliminates the common stale-version case; this
+        // branch catches the narrow race where two writers both read version=N
+        // and both pass the local check — the unique index on (aggregate_id,
+        // version) serializes them, one wins, the other lands here.
+        if (e instanceof EventStoreVersionConflict) {
+          return writeFailure(
+            new FrameworkVersionConflict({
+              entityId: payload.id,
+              expectedVersion: payload.version ?? 0,
+              currentVersion,
+            }),
+          );
+        }
+        throw e;
+      }
+    },
+    async delete(payload, user, db) {
+      const existing = await loadById(payload.id, db);
+      if (!existing) return writeFailure(new NotFoundError(entityName, payload.id));
+      // H.2 — entity-level write-ownership on delete. Only the pre-delete
+      // row matters (there's no "new" row for a delete); passing existing
+      // twice to userCanWriteFieldRow makes the Straddle check trivial
+      // (same row on both sides) while keeping the multi-role-atomic shape.
+      if (!userCanWriteFieldRow(user, entity.access?.write, existing, existing)) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: {
+              scope: "entity",
+              entityName,
+              action: "delete",
+              userId: user.id,
+              entityId: payload.id,
+            },
+          }),
+        );
+      }
+      // Stream-version authoritative (see update() for rationale).
+      const currentVersion = await getStreamVersion(db.raw, String(payload.id), user.tenantId);
+      // Deletes carry the full pre-delete row as `previous`. That's what
+      // projections and downstream consumers need to reverse any aggregates —
+      // a `{}`-payload delete would make cross-aggregate projections impossible
+      // to rebuild from the event log alone. Sensitive fields are stripped.
+      const event = await append(db.raw, {
+        aggregateId: String(payload.id),
+        aggregateType: entityName,
+        tenantId: user.tenantId,
+        expectedVersion: currentVersion,
+        type: entityEventName(entityName, "deleted"),
+        payload: { previous: stripSensitive(existing) },
+        metadata: buildEventMetadata(user),
+      });
+      // Live==Rebuild via applyEntityEvent. Delete-Operation hat keine
+      // sensitive-Drift weil das Event-Payload nur `previous` ist und das
+      // wird vom soft/hard-delete-Code gar nicht in die Tabelle geschrieben
+      // (nur isDeleted/deletedAt/version-Bump). Live + Replay schreiben
+      // dasselbe — kein payload-override nötig.
+      const deleteResult = await applyEntityEvent(event, table, entity, db.raw);
+      if (deleteResult.kind !== "applied") {
+        return writeFailure(
+          new InternalError({ message: "projection delete: applyEntityEvent skipped" }),
+        );
+      }
+      if (entityCache && entityName) {
+        await entityCache.del(user.tenantId, entityName, payload.id);
+      }
+      return {
+        isSuccess: true,
+        data: { kind: "delete", id: payload.id, data: existing, entityName, event },
+      };
+    },
+    async restore(payload, user, db) {
+      if (!softDelete) {
+        return writeFailure(
+          new UnprocessableError("soft_delete_not_enabled", {
+            i18nKey: "errors.softDeleteNotEnabled",
+          }),
+        );
+      }
+      const [row] = await db.select().from(table).where(eq(table["id"], payload.id));
+      if (!row) return writeFailure(new NotFoundError(entityName, payload.id));
+      const data = row as DbRow;
+      if (!data["isDeleted"]) {
+        return writeFailure(
+          new UnprocessableError("not_deleted", { i18nKey: "errors.notDeleted" }),
+        );
+      }
+      // H.2 — entity-level write-ownership on restore. Same shape as delete:
+      // only the stored row matters. Stored row carries pre-soft-delete
+      // teamId/... fields, so the ownership predicate still applies cleanly.
+      if (!userCanWriteFieldRow(user, entity.access?.write, data, data)) {
+        return writeFailure(
+          new UnprocessableError("ownership_denied", {
+            i18nKey: "errors.ownershipDenied",
+            details: {
+              scope: "entity",
+              entityName,
+              action: "restore",
+              userId: user.id,
+              entityId: payload.id,
+            },
+          }),
+        );
+      }
+      // Stream-version authoritative (see update() for rationale).
+      const currentVersion = await getStreamVersion(db.raw, String(payload.id), user.tenantId);
+      // Restore carries the soft-deleted snapshot as `previous` — mirror of
+      // delete for symmetry. Projections that decremented on delete use
+      // `previous` to re-increment on restore without re-querying the entity
+      // table. Sensitive fields are stripped.
+      const event = await append(db.raw, {
+        aggregateId: String(payload.id),
+        aggregateType: entityName,
+        tenantId: user.tenantId,
+        expectedVersion: currentVersion,
+        type: entityEventName(entityName, "restored"),
+        payload: { previous: stripSensitive(data) },
+        metadata: buildEventMetadata(user),
+      });
+      // Live==Rebuild via applyEntityEvent. Restore schreibt nur isDeleted=
+      // false + version-Bump in die Tabelle — keine sensitive-Drift, daher
+      // kein payload-override nötig.
+      const restoreResult = await applyEntityEvent(event, table, entity, db.raw);
+      if (restoreResult.kind !== "applied" || restoreResult.row === null) {
+        return writeFailure(new InternalError({ message: "projection restore returned no row" }));
+      }
+      const restored = restoreResult.row;
+      if (entityCache && entityName) {
+        await entityCache.del(user.tenantId, entityName, payload.id);
+      }
+      // Read-Side Auto-Convert für Compound-Types (parallel zu update/list).
+      const restoredHydrated = rehydrateCompoundTypes(restored as DbRow, entity) as DbRow;
+      return {
+        isSuccess: true,
+        data: {
+          kind: "save",
+          id: payload.id,
+          data: restoredHydrated,
+          changes: { isDeleted: false },
+          previous: data,
+          isNew: false,
+          entityName,
+          event,
+        },
+      };
+    },
+    // list + detail are unchanged from crud-executor — projections are the
+    // read-model and serve these queries directly.
+    async list(payload, user, db, runtimeOptions) {
+      const limit = payload.limit ?? 50;
+      const offset = payload.offset ?? 0;
+      const totalCount = payload.totalCount === true;
+      // H.2 — entity-level read ownership. Decide before touching search or
+      // the DB: `empty` means there's no row the user could ever see, so
+      // skip both paths and return an empty page.
+      const ownership = buildOwnershipClause(user, entity.access?.read, table);
+      if (ownership.kind === "empty") {
+        return { rows: [], nextCursor: null, ...(totalCount && { total: 0 }) };
+      }
+      let filterIds: EntityId[] | undefined;
+      // Build-Time options.searchAdapter gewinnt; runtime-Override ist
+      // Fallback für die defaultEntityQueryHandler-Pipe (die nutzt den
+      // ctx.searchAdapter erst zur Laufzeit weil createEventStoreExecutor
+      // beim Definition-Time noch keinen Server-Context hat).
+      const effectiveSearchAdapter = searchAdapter ?? runtimeOptions?.searchAdapter;
+      if (payload.search && effectiveSearchAdapter && entityName) {
+        const results = await effectiveSearchAdapter.search(user.tenantId, payload.search, {
+          filterType: entityName,
+        });
+        filterIds = results.map((r) => r.entityId);
+        if (filterIds.length === 0) {
+          return { rows: [], nextCursor: null, ...(totalCount && { total: 0 }) };
+        }
+      }
+      const conditions: SQL[] = [];
+      if (softDelete && table["isDeleted"]) {
+        conditions.push(eq(table["isDeleted"], false));
+      }
+      // Cursor und Offset schließen sich aus: Cursor ist DB-stable (gt id),
+      // Offset ist für klassische Page-Navigation. Wenn beide gesetzt sind,
+      // gewinnt Cursor — Caller hätte eh nicht gleichzeitig beide nutzen
+      // sollen, das pinnt die Verteidigung.
+      if (payload.cursor) {
+        conditions.push(gt(table["id"], decodeCursor(payload.cursor)));
+      }
+      if (filterIds) {
+        conditions.push(inArray(table["id"], filterIds));
+      }
+      if (ownership.kind === "sql") {
+        conditions.push(ownership.sql);
+      }
+      // Screen-Filter (Tier 2.7c) — Boot-Validator hat field-Existenz
+      // + filterable + op-vs-Type-Compat schon gepinnt. Runtime-Defense:
+      // undefined-column → silent skip (kein Crash). Op-Mapping läuft
+      // durch buildFilterCondition() — da lebt auch der einzige
+      // `as never`-Cast (Wire-Boundary).
+      if (payload.filter !== undefined) {
+        const col = table[payload.filter.field];
+        if (col !== undefined) {
+          conditions.push(buildFilterCondition(col, payload.filter.op, payload.filter.value));
+        }
+      }
+      const whereClause = conditions.length > 0 ? (and(...conditions) as SQL) : undefined;
+      let query = whereClause
+        ? db.select().from(table).where(whereClause)
+        : db.select().from(table);
+      query = query.limit(limit);
+      // Offset NUR wenn kein Cursor — sonst kombinieren wir zwei
+      // Pagination-Schemes und der Caller bekommt unverhoffte Skips.
+      if (!payload.cursor && offset > 0) {
+        query = query.offset(offset);
+      }
+      if (payload.sort && table[payload.sort]) {
+        const column = table[payload.sort];
+        query =
+          payload.sortDirection === "desc"
+            ? query.orderBy(desc(column))
+            : query.orderBy(asc(column));
+      }
+      const rawRows = (await query) as Record<string, unknown>[]; // @cast-boundary engine-payload
+      // Read-Side rehydrate pro Row. Cache speichert die hydrated Form,
+      // damit Cache-Hits dieselbe API-Form liefern.
+      const rows = rawRows.map((r) => rehydrateCompoundTypes(r, entity));
+      if (entityCache && entityName && rows.length > 0) {
+        await entityCache.mset(
+          user.tenantId,
+          entityName,
+          rows.map((r) => ({ id: r["id"] as EntityId, data: r })),
+        );
+      }
+      const lastRow = rows[rows.length - 1];
+      const nextCursor =
+        rows.length === limit && lastRow ? encodeCursor(lastRow["id"] as string) : null;
+      // total: extra COUNT(*) — nur wenn explizit angefordert (Pager-UI).
+      // Postgres-Cost ist O(table-scan) ohne Filter, mit Filter so teuer
+      // wie der entsprechende WHERE — bei indexed columns billig genug.
+      // Bei Search-Path ist `total = filterIds.length` ohne extra Query.
+      let total: number | undefined;
+      if (totalCount) {
+        if (filterIds) {
+          total = filterIds.length;
+        } else {
+          const countQuery = whereClause
+            ? db.select({ count: sql<number>`count(*)::int` }).from(table).where(whereClause)
+            : db.select({ count: sql<number>`count(*)::int` }).from(table);
+          const countRow = (await countQuery) as Array<{ count: number }>;
+          total = countRow[0]?.count ?? 0;
+        }
+      }
+      return { rows, nextCursor, ...(total !== undefined && { total }) };
+    },
+    async detail(payload, user, db) {
+      // H.2 — ownership check. `empty` → the user can never see this row
+      // regardless of its id. Return null (same shape as "not found", so a
+      // probing attacker can't distinguish "no access" from "doesn't exist").
+      const ownership = buildOwnershipClause(user, entity.access?.read, table);
+      if (ownership.kind === "empty") return null;
+      if (entityCache && entityName) {
+        const cached = await entityCache.get(user.tenantId, entityName, payload.id);
+        if (cached) {
+          // Even with a cache hit the ownership predicate must hold. The
+          // cache is keyed only by tenant + id, not by role, so a cached
+          // row may be visible to caller A but not caller B — re-check
+          // per request.
+          if (ownership.kind === "sql") {
+            // Reuse the clause by querying the row with it. Cheaper than
+            // SQL-parsing the predicate: just re-issue detail-by-id with
+            // the ownership-AND and see if the DB returns it. idFilter()
+            // handles the soft-delete guard.
+            const checked = await db
+              .select()
+              .from(table)
+              .where(and(idFilter(payload.id), ownership.sql) as SQL)
+              .limit(1);
+            if (checked.length === 0) return null;
+          }
+          return cached;
+        }
+      }
+      // Cold path: load the row with the ownership predicate applied so the
+      // DB does the filtering (cheaper than load-then-filter-in-JS). Reuse
+      // idFilter() — it handles the soft-delete guard consistently with
+      // loadById(), which we can't just call directly because it doesn't
+      // thread the ownership clause.
+      const baseFilter = idFilter(payload.id);
+      const whereClause =
+        ownership.kind === "sql" ? (and(baseFilter, ownership.sql) as SQL) : baseFilter;
+      const rows = (await db.select().from(table).where(whereClause).limit(1)) as Record<
+        string,
+        unknown
+      >[];
+      const raw = rows[0];
+      if (!raw) return null;
+      const row = rehydrateCompoundTypes(raw, entity);
+      if (entityCache && entityName) {
+        await entityCache.set(user.tenantId, entityName, payload.id, row);
+      }
+      return row;
+    },
+  };
+}