npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/engine/ownership.ts ADDED Viewed

@@ -0,0 +1,337 @@
+// Ownership rules — the declarative bridge between Claims and Access.
+//
+// Every ownership rule answers the same question: "May this user see / write
+// this row (or field in this row)?". The rule is evaluated per-role: a user
+// with multiple roles passes if at least one of their roles has a rule that
+// accepts the row. For writes, the check is stricter — see below.
+//
+// Rule forms:
+//
+//   "all"                                → any user with this role passes
+//   { from: "user:id", column: "..." }   → row[column] === user.id
+//   { from: "claim:<featureQn>",
+//     column?: "..." }                   → row[column ?? claim.shortName] === user.claims[claim.qn]
+//                                         (string[] claim → inArray)
+//   { where: (user, table) => SQL }      → escape hatch, arbitrary Drizzle predicate
+//
+// Construction: use the `from(ref, column?)` helper. It returns a FromRule
+// ready to drop into an access map.
+import { eq, inArray, or, type SQL, sql } from "drizzle-orm";
+import type { SessionUser } from "./types";
+// Reference spec supported by `from()`:
+//   "user:id"                  → user.id
+//   "user:tenantId"            → user.tenantId (rarely needed — TenantDb scopes anyway)
+//   "claim:<featureName>:<key>" → user.claims["<featureName>:<key>"]
+//
+// The string form is keyed so the framework can look up the referenced
+// Registry entry at boot (Claim-QN exists? Column type compatible?). A typed
+// object form would force features to import each other's handles — the
+// whole point of H.2's unified path is string-based references, no imports.
+export type OwnershipRef = string;
+// Resolved during `from()` — the parser eagerly splits the prefix so the
+// runtime evaluator avoids string-parsing on every row. `kind` drives the
+// evaluator branch; the rest is the resolved metadata.
+export type FromRuleKind = "user" | "claim";
+export type FromRule = {
+  readonly kind: "from";
+  readonly refKind: FromRuleKind;
+  // For "user:id" → "id"; for "user:tenantId" → "tenantId".
+  // For "claim:<featureName>:<key>" → "<featureName>:<key>" (the full QN,
+  // which is exactly the key under which the JWT stores the value).
+  readonly refPath: string;
+  // Row-column to match against. For claim rules defaults to the claim's
+  // shortName (second segment of the claim QN). For user-rules the column
+  // is always explicit.
+  readonly column: string;
+};
+export type WhereRule<TTable = unknown> = {
+  readonly kind: "where";
+  readonly where: (user: SessionUser, table: TTable) => SQL;
+};
+// "all" collapses to a primitive so map authors can write `Admin: "all"`
+// without importing a helper.
+export type OwnershipRule = "all" | FromRule | WhereRule;
+// Per-role map: every key is a role name, value is the rule that role
+// satisfies to pass the access check.
+export type OwnershipMap = Readonly<Record<string, OwnershipRule>>;
+// Parse an OwnershipRef into kind + resolved path + default column.
+// Throws on malformed input so the error surfaces at `from()`-call-site (in
+// the feature definition), not at request time.
+export function from(ref: OwnershipRef, column?: string): FromRule {
+  const firstColon = ref.indexOf(":");
+  if (firstColon < 0) {
+    throw new Error(
+      `from("${ref}"): expected "user:<field>" or "claim:<featureName>:<key>" — no colon found.`,
+    );
+  }
+  const prefix = ref.slice(0, firstColon);
+  const rest = ref.slice(firstColon + 1);
+  if (prefix === "user") {
+    // "user:id" or "user:tenantId". The rest is the user-property; the
+    // column on the row must be given explicitly (a user.id is rarely
+    // named `id` on a child table — usually `ownerId`, `assigneeId`, ...).
+    if (!column) {
+      throw new Error(
+        `from("${ref}"): user-refs require an explicit column name — e.g. from("user:id", "assigneeId").`,
+      );
+    }
+    if (rest !== "id" && rest !== "tenantId") {
+      throw new Error(
+        `from("${ref}"): user-ref supports only "user:id" or "user:tenantId" (got "user:${rest}").`,
+      );
+    }
+    return { kind: "from", refKind: "user", refPath: rest, column };
+  }
+  if (prefix === "claim") {
+    // "claim:<feature>:<key>" — rest is the 2-segment claim QN.
+    if (!rest.includes(":")) {
+      throw new Error(
+        `from("${ref}"): claim-ref must be "claim:<featureName>:<shortName>" (got "claim:${rest}").`,
+      );
+    }
+    // Default column = claim shortName (second segment).
+    const defaultColumn = rest.slice(rest.indexOf(":") + 1);
+    return {
+      kind: "from",
+      refKind: "claim",
+      refPath: rest, // full QN, matches the key in user.claims
+      column: column ?? defaultColumn,
+    };
+  }
+  throw new Error(
+    `from("${ref}"): unsupported ref prefix "${prefix}". Supported: "user", "claim".`,
+  );
+}
+// Evaluate an ownership rule against a concrete row (plain data, no Drizzle).
+// Used by field-level filters on query responses and by field-level
+// write-checks. Entity-level rules that want SQL predicates go through
+// buildOwnershipClause() (separate path, since that produces Drizzle SQL).
+//
+// Null/undefined claim values evaluate to `false` (no match) — safer than
+// letting them match rows where the column happens to be null.
+export function matchesRule(
+  rule: OwnershipRule,
+  user: SessionUser,
+  row: Readonly<Record<string, unknown>>,
+): boolean {
+  if (rule === "all") return true;
+  if (rule.kind === "where") {
+    // `where` rules produce Drizzle SQL for the DB-side filter. They don't
+    // have a straightforward in-memory evaluator — the feature author owns
+    // the semantics. Field-level filters can't use `{ where }` rules; the
+    // boot-validator rejects them with a clear error at registration time.
+    throw new Error(
+      "where-rules can only be evaluated at the SQL layer; boot-validator should reject them on field-level access.",
+    );
+  }
+  // FromRule — resolve the user-side value, compare to the row's column.
+  const userValue = resolveUserValue(rule, user);
+  if (userValue === undefined) return false;
+  const rowValue = row[rule.column];
+  if (rowValue === undefined || rowValue === null) return false;
+  // Array claim → membership check; scalar claim → equality.
+  if (Array.isArray(userValue)) {
+    return userValue.includes(rowValue);
+  }
+  return userValue === rowValue;
+}
+function resolveUserValue(rule: FromRule, user: SessionUser): unknown {
+  if (rule.refKind === "user") {
+    if (rule.refPath === "id") return user.id;
+    return user.tenantId;
+  }
+  // claim refPath is the full QN ("feature:shortName") — direct key lookup.
+  return user.claims?.[rule.refPath];
+}
+// Multi-role-atomic passer for field-level READ. The caller supplies the
+// user, the access-map for this field, and the concrete row. Returns true
+// if AT LEAST one of the user's roles is in the map and its rule matches
+// the row. Missing roles skip, "all" always passes.
+export function userCanReadFieldRow(
+  user: SessionUser,
+  accessMap: OwnershipMap | undefined,
+  row: Readonly<Record<string, unknown>>,
+): boolean {
+  if (!accessMap || Object.keys(accessMap).length === 0) return true; // public
+  for (const role of user.roles) {
+    const rule = accessMap[role];
+    if (!rule) continue;
+    if (matchesRule(rule, user, row)) return true;
+  }
+  return false;
+}
+// Multi-role-atomic check for field-level WRITE with Straddle-prevention.
+// A user passes iff exactly one of their roles has a rule that accepts
+// BOTH the old and the new row. OR-ing over (any-role passes old) and
+// (any-role passes new) is wrong — a user with two roles could split the
+// check: role A validates the old, role B validates the new, yielding
+// row-grabbing by stitching two rules together. See advisor review 2026-04-19.
+export function userCanWriteFieldRow(
+  user: SessionUser,
+  accessMap: OwnershipMap | undefined,
+  oldRow: Readonly<Record<string, unknown>>,
+  newRow: Readonly<Record<string, unknown>>,
+): boolean {
+  if (!accessMap || Object.keys(accessMap).length === 0) return true; // public
+  for (const role of user.roles) {
+    const rule = accessMap[role];
+    if (!rule) continue;
+    if (rule === "all") return true;
+    if (matchesRule(rule, user, oldRow) && matchesRule(rule, user, newRow)) return true;
+  }
+  return false;
+}
+// Normalize legacy `readonly string[]` field-access into the OwnershipMap
+// shape. Each role in the array becomes a key with rule "all" (unrestricted
+// for that role). Undefined stays undefined. This is a migration shim —
+// long-term every feature-definition writes the map shape directly.
+export function normalizeAccessEntry(
+  entry: OwnershipMap | readonly string[] | undefined,
+): OwnershipMap | undefined {
+  if (!entry) return undefined;
+  if (Array.isArray(entry)) {
+    if (entry.length === 0) return undefined;
+    const map: Record<string, OwnershipRule> = {};
+    for (const role of entry) {
+      map[role] = "all";
+    }
+    return map;
+  }
+  return entry as OwnershipMap; // @cast-boundary schema-walk
+}
+// Create-case: only the new row exists. Same Straddle protection not
+// applicable (no old row to compare), but we still need per-role atomicity
+// to respect "all"-rules and plain from-rules consistently.
+export function userCanCreateFieldRow(
+  user: SessionUser,
+  accessMap: OwnershipMap | undefined,
+  newRow: Readonly<Record<string, unknown>>,
+): boolean {
+  if (!accessMap || Object.keys(accessMap).length === 0) return true;
+  for (const role of user.roles) {
+    const rule = accessMap[role];
+    if (!rule) continue;
+    if (rule === "all") return true;
+    if (matchesRule(rule, user, newRow)) return true;
+  }
+  return false;
+}
+// Result of buildOwnershipClause. The discriminant lets the caller handle
+// the three outcomes without inspecting SQL internals:
+//
+//   "pass"  → user is unrestricted. Run the query as-is.
+//   "empty" → user has a role mapped but no rule accepts any row (missing
+//             claim, empty array, role not in map). Skip the DB call entirely
+//             — returning [] is equivalent and avoids a pointless roundtrip.
+//   "sql"   → apply `.sql` as an AND to the query's where clause.
+//
+// "empty" vs. "pass" is the critical distinction for a safe default:
+// undefined/pass = allow, empty = deny-by-construction. Mixing them up was
+// the exact leak direction advisor flagged; the disjoint type prevents it.
+export type OwnershipClause =
+  | { readonly kind: "pass" }
+  | { readonly kind: "empty" }
+  | { readonly kind: "sql"; readonly sql: SQL };
+const PASS_CLAUSE: OwnershipClause = { kind: "pass" };
+const EMPTY_CLAUSE: OwnershipClause = { kind: "empty" };
+// Build an ownership clause for entity-level READ access. The caller
+// translates the result to its query layer (see above).
+//
+// `table` is the Drizzle table with column objects. Unknown column on a
+// from-rule is a boot-time misconfiguration; at request time we treat it
+// as empty (safe default) rather than passing silently.
+export function buildOwnershipClause(
+  user: SessionUser,
+  accessMap: OwnershipMap | undefined,
+  // biome-ignore lint/suspicious/noExplicitAny: Drizzle tables carry schema-dependent column shapes
+  table: any,
+): OwnershipClause {
+  if (!accessMap || Object.keys(accessMap).length === 0) return PASS_CLAUSE;
+  const clauses: SQL[] = [];
+  let anyRoleMatched = false;
+  let everyRuleCollapsedToEmpty = true;
+  for (const role of user.roles) {
+    const rule = accessMap[role];
+    if (!rule) continue;
+    anyRoleMatched = true;
+    // "all" = no filter at all for this role; short-circuit.
+    if (rule === "all") return PASS_CLAUSE;
+    const resolved = ruleToClause(rule, user, table);
+    if (resolved.kind === "sql") {
+      clauses.push(resolved.sql);
+      everyRuleCollapsedToEmpty = false;
+    }
+    // "empty" contribution from one role doesn't short-circuit: another
+    // role might still contribute an OR-branch. But if ALL branches are
+    // empty, the result is empty.
+  }
+  if (!anyRoleMatched) return EMPTY_CLAUSE;
+  if (everyRuleCollapsedToEmpty && clauses.length === 0) return EMPTY_CLAUSE;
+  if (clauses.length === 1) {
+    const only = clauses[0];
+    if (!only) return EMPTY_CLAUSE;
+    return { kind: "sql", sql: only };
+  }
+  // @cast-boundary db-operator — drizzle or() widened signature
+  // biome-ignore lint/suspicious/noExplicitAny: same reason as above
+  const combined = or(...(clauses as any)) as SQL;
+  return { kind: "sql", sql: combined };
+}
+type RuleClauseResult = { readonly kind: "empty" } | { readonly kind: "sql"; readonly sql: SQL };
+function ruleToClause(
+  rule: OwnershipRule,
+  user: SessionUser,
+  // biome-ignore lint/suspicious/noExplicitAny: Drizzle tables carry schema-dependent column shapes
+  table: any,
+): RuleClauseResult {
+  if (rule === "all") {
+    // Caller handles "all" by short-circuit before reaching here; defensive
+    // fallback.
+    return { kind: "sql", sql: sql`true` };
+  }
+  if (rule.kind === "where") {
+    return { kind: "sql", sql: rule.where(user, table) };
+  }
+  // FromRule
+  const column = table[rule.column];
+  // Unknown column — boot validator should have caught this, but at request
+  // time we treat as empty (fail-closed).
+  if (!column) return { kind: "empty" };
+  const value = resolveUserValue(rule, user);
+  if (value === undefined || value === null) return { kind: "empty" };
+  if (Array.isArray(value)) {
+    if (value.length === 0) return { kind: "empty" };
+    return { kind: "sql", sql: inArray(column, value) };
+  }
+  return { kind: "sql", sql: eq(column, value) };
+}

package/src/engine/parse-ref-target.ts ADDED Viewed

@@ -0,0 +1,22 @@
+// Tier 2.7e Cross-Feature: ReferenceFieldDef.entity-String-Parser.
+//
+// Akzeptiert beide Formen:
+//   - "user"        → same-feature ref (featureName = currentFeature)
+//   - "users:user"  → cross-feature ref (qualifiziert)
+//
+// Lebt im framework-Package damit Server-Validator + Renderer (über
+// Re-Export aus @cosmicdrift/kumiko-headless) denselben Parser nutzen — die
+// Convention darf nicht zweimal implementiert werden.
+export type ParsedRefTarget = {
+  readonly featureName: string;
+  readonly entityName: string;
+};
+export function parseRefTarget(raw: string, currentFeature: string): ParsedRefTarget {
+  const idx = raw.indexOf(":");
+  if (idx < 0) {
+    return { featureName: currentFeature, entityName: raw };
+  }
+  return { featureName: raw.slice(0, idx), entityName: raw.slice(idx + 1) };
+}