npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/engine/resolve-config-or-param.ts ADDED Viewed

@@ -0,0 +1,153 @@
+import type { Registry } from "./types";
+import type {
+  ConfigAccessor,
+  ConfigBounds,
+  ConfigKeyHandle,
+  ConfigKeyType,
+  ConfigValue,
+} from "./types/config";
+// Per-Request Config-Resolver für Routes.
+//
+// Use-case (aus configuration-layers.md, Ebene 7): der Caller will pro
+// Request einen Wert setzen, den Tenant-Admin aber den Max-Bound festlegen.
+// Beispiel: `GET /files/:id/download-url?expiresSeconds=3600` — Client
+// wählt 3600s, aber wenn Tenant-Admin Max=1800 gesetzt hat, clampt der
+// Helper auf 1800.
+//
+// Clamp-Regel: hard-clamp für number mit bounds. Silent — im Gegensatz zu
+// tenant-admin-SET (dort ist reject richtig). Caller hat oft keine Kontrolle
+// über den genauen Wert (voreingestellt im Client-SDK), und ein 422 pro
+// Download-Klick wäre UX-Gift.
+//
+// Fallback-Cascade:
+//   1. paramValue valide → clamp + return
+//   2. paramValue fehlt / nicht parseable → ctx.config(handle)
+//
+// Bei select: nur valide Options werden akzeptiert, sonst Fallback.
+// Bei boolean: "true"/"1" → true, sonst false.
+//
+// ### text-Keys sind gesperrt
+//
+// Per-Request-Overrides für `type="text"` werden HART ABGELEHNT. Grund:
+// Query-Param-Strings können XSS/SQL/Command-Fragmente enthalten, und
+// dieser Helper ist ein *Parser*, kein *Sanitizer*. Ein silent-pass-through
+// wäre ein Footgun — App-Dev würde denken "param ist aktiv" und der
+// unsanitized Wert landet in HTML/SQL/Shell-Kontext.
+//
+// Die Sperre gilt nur beim tatsächlichen Override-Versuch (paramValue
+// gesetzt). Wenn paramValue undefined/null/"" ist, gibt der Helper den
+// Config-Wert zurück — dann liefert die Funktion für text-Keys einfach
+// denselben Wert wie `ctx.config(handle)`.
+//
+// Wer für text pro Request tatsächlich einen Wert akzeptieren will, baut
+// das explizit in der Route mit eigener Escape-Strategie für den Consumer
+// (HTML-Encoder, SQL-Parameter-Binding, Shell-Quoter).
+type ResolveCtx = {
+  readonly config: ConfigAccessor;
+  readonly registry: Registry;
+};
+// Fires for every number-case clamp with the before/after values. Consumers
+// typically wire this into a structured logger or a metric counter:
+//   resolveConfigOrParam(ctx, handle, raw, {
+//     onClamp: ({ key, original, clamped, max }) =>
+//       ctx.logger?.warn("config.clamp", { key, original, clamped, max }),
+//   });
+// Without this hook a clamp is invisible — the caller just sees 1000 instead
+// of the 9999 they sent, and debugging becomes guesswork.
+export type ClampInfo = {
+  readonly key: string;
+  readonly original: number;
+  readonly clamped: number;
+  readonly min?: number;
+  readonly max?: number;
+};
+export type ResolveOptions = {
+  readonly onClamp?: (info: ClampInfo) => void;
+};
+export async function resolveConfigOrParam<T extends ConfigKeyType>(
+  ctx: ResolveCtx,
+  handle: ConfigKeyHandle<T>,
+  paramValue: unknown,
+  options?: ResolveOptions,
+): Promise<ConfigValue<T> | undefined> {
+  if (paramValue === undefined || paramValue === null || paramValue === "") {
+    return ctx.config(handle);
+  }
+  const keyDef = ctx.registry.getConfigKey(handle.name);
+  // skip: key isn't in the registry — unlikely because the caller holds a
+  // typed handle, but defence-in-depth for hand-built handles.
+  if (!keyDef) return ctx.config(handle);
+  // Explicit opt-in required. A config key without `allowPerRequest: true`
+  // on its declaration cannot be overridden via a query-param, even if the
+  // route-handler forwards one. This is a deny-by-default policy: without
+  // it, a future feature-dev could accidentally route a sensitive key
+  // (rate-limits, quotas) through a public query-param without noticing.
+  if (!keyDef.allowPerRequest) {
+    throw new Error(
+      `resolveConfigOrParam: per-request override not enabled for config key "${handle.name}". Set allowPerRequest: true on the declaration to opt in — or drop the paramValue if the route-handler forwards it by mistake.`,
+    );
+  }
+  switch (keyDef.type) {
+    case "number": {
+      const parsed = typeof paramValue === "number" ? paramValue : Number(paramValue);
+      if (Number.isNaN(parsed) || !Number.isFinite(parsed)) {
+        return ctx.config(handle);
+      }
+      const clamped = clampToBounds(parsed, keyDef.bounds);
+      // Fire onClamp only when the value actually moved. No bounds + within
+      // bounds = silent; crossing a bound = audit event.
+      if (clamped !== parsed && options?.onClamp) {
+        const info: ClampInfo = {
+          key: handle.name,
+          original: parsed,
+          clamped,
+          ...(keyDef.bounds?.min !== undefined && { min: keyDef.bounds.min }),
+          ...(keyDef.bounds?.max !== undefined && { max: keyDef.bounds.max }),
+        };
+        options.onClamp(info);
+      }
+      return clamped as ConfigValue<T>; // @cast-boundary engine-bridge
+    }
+    case "boolean": {
+      if (typeof paramValue === "boolean") return paramValue as ConfigValue<T>; // @cast-boundary engine-bridge
+      const str = String(paramValue).toLowerCase();
+      return (str === "true" || str === "1") as ConfigValue<T>; // @cast-boundary engine-bridge
+    }
+    case "text": {
+      // Hard-reject any attempt to override a text key via query-param.
+      // See the module-level comment for why this is strict. App-devs
+      // that see this error should either (a) remove the paramValue from
+      // their route — the config value still flows through ctx.config —
+      // or (b) build their own sanitised parser outside this helper.
+      throw new Error(
+        `resolveConfigOrParam: per-request override is not allowed for type="text" config key "${handle.name}" — query-params would bypass sanitisation. Remove the paramValue or build a feature-specific sanitiser.`,
+      );
+    }
+    case "select": {
+      const str = String(paramValue);
+      if (keyDef.options?.includes(str)) return str as ConfigValue<T>; // @cast-boundary engine-bridge
+      // Invalid option → fall back to the configured value rather than 400.
+      // The caller is signalling intent; we honour the constraint instead.
+      return ctx.config(handle);
+    }
+  }
+}
+function clampToBounds(value: number, bounds: ConfigBounds | undefined): number {
+  if (!bounds) return value;
+  let v = value;
+  if (bounds.min !== undefined && v < bounds.min) v = bounds.min;
+  if (bounds.max !== undefined && v > bounds.max) v = bounds.max;
+  return v;
+}

package/src/engine/run-in.ts ADDED Viewed

@@ -0,0 +1,29 @@
+// runIn lane-routing helpers. Tiny module on purpose: both buildServer
+// (MSP-consumer filter) and the boot-validator (Welle 2.6.c coverage
+// check) need the same resolution rule, and duplicating it in two places
+// invites drift — when the default changes, one site gets updated and
+// the other silently doesn't.
+//
+// Resolution rule:
+//   - `runIn: undefined` resolves to "worker" — that's the prod default
+//     for async work (API instances stay request-focused, heavy async
+//     work lives on the worker fleet).
+//   - `runIn: "both"` means "eligible on any lane" — SKIP LOCKED on the
+//     consumer cursor handles the race between processes that want the
+//     same event. Used for cross-lane load-balancing and for MSPs that
+//     have no reason to pin to a specific process shape.
+//   - `runIn: "api"` / `runIn: "worker"` pin to one lane.
+//
+// processLane describes the CURRENT process's role:
+//   - "api" / "worker" — single-role deploy, filter strictly.
+//   - "both"           — all-in-one, no filtering (one process does it all).
+import type { RunIn } from "./types";
+// Does a consumer with `runIn` want to run on a process of the given lane?
+export function runsInLane(runIn: RunIn | undefined, processLane: RunIn): boolean {
+  if (processLane === "both") return true;
+  const resolved = runIn ?? "worker";
+  if (resolved === "both") return true;
+  return resolved === processLane;
+}

package/src/engine/schema-builder.ts ADDED Viewed

@@ -0,0 +1,175 @@
+import { z } from "zod";
+import { assertUnreachable } from "../utils";
+import type { EmbeddedSubFieldDef, EntityDefinition, FieldDefinition } from "./types";
+import { DEFAULT_CURRENCIES } from "./types";
+function embeddedSubFieldToZod(subField: EmbeddedSubFieldDef): z.ZodTypeAny {
+  switch (subField.type) {
+    case "text":
+      return subField.required ? z.string().min(1) : z.string();
+    case "number":
+      return z.number();
+    case "boolean":
+      return z.boolean();
+    case "date":
+      return z.string().date();
+    default:
+      assertUnreachable(subField.type, "embedded sub-field type");
+  }
+}
+function fieldToZod(field: FieldDefinition, currencies: readonly string[]): z.ZodTypeAny {
+  switch (field.type) {
+    case "text": {
+      let schema = z.string();
+      if (field.maxLength) schema = schema.max(field.maxLength);
+      if (field.format === "email") schema = schema.email();
+      if (field.format === "url") schema = schema.url();
+      if (field.required) schema = schema.min(1);
+      return field.default !== undefined ? schema.default(field.default) : schema;
+    }
+    case "longText": {
+      // longText hat keine `format`-Variante (per type-design). Nur
+      // optional maxLength + required, sonst ein offener z.string().
+      let schema = z.string();
+      if (field.maxLength) schema = schema.max(field.maxLength);
+      if (field.required) schema = schema.min(1);
+      return field.default !== undefined ? schema.default(field.default) : schema;
+    }
+    case "boolean": {
+      const schema = z.boolean();
+      return field.default !== undefined ? schema.default(field.default) : schema;
+    }
+    case "select": {
+      const [first, ...rest] = field.options;
+      if (!first) return z.string();
+      const schema = z.enum([first, ...rest]);
+      return field.default !== undefined ? schema.default(field.default) : schema;
+    }
+    case "multiSelect": {
+      const [first, ...rest] = field.options;
+      if (!first) return z.array(z.string());
+      // `required: true` heißt non-empty — Analogie zu `text`-Field.
+      // Leeres Array wird rejected; das globale `.optional()`-Wrapping
+      // in buildInsertSchema kümmert sich um „darf fehlen".
+      let schema = z.array(z.enum([first, ...rest]));
+      if (field.required) schema = schema.min(1);
+      return field.default !== undefined ? schema.default([...field.default]) : schema;
+    }
+    case "number": {
+      const schema = z.number();
+      return field.default !== undefined ? schema.default(field.default) : schema;
+    }
+    case "money": {
+      const [first, ...rest] = currencies;
+      if (!first) throw new Error("No currencies configured");
+      return z.object({
+        amount: z.number(),
+        currency: z.enum([first, ...rest]),
+      });
+    }
+    case "embedded": {
+      const shape: Record<string, z.ZodTypeAny> = {};
+      for (const [subName, subField] of Object.entries(field.schema)) {
+        const zodSub = embeddedSubFieldToZod(subField);
+        shape[subName] = subField.required ? zodSub : zodSub.optional();
+      }
+      return z.object(shape);
+    }
+    case "date": {
+      return z.string().date();
+    }
+    case "timestamp": {
+      // Wenn locatedBy gesetzt: Wall-Clock OHNE Offset (ISO-Datetime ohne `Z`).
+      // Sonst: ISO-UTC-Datetime (mit `Z`). Beide werden über z.iso.datetime
+      // gegen das ISO-8601-Schema validiert; die Präzision (mit/ohne Offset)
+      // hängt von locatedBy ab.
+      return field.locatedBy !== undefined ? z.iso.datetime({ local: true }) : z.iso.datetime();
+    }
+    case "tz": {
+      // IANA-Zonenname. Validierung gegen Intl.supportedValuesOf("timeZone")
+      // ist genau aber teuer (~600 Strings) — wir akzeptieren den freien
+      // String und prüfen via try/catch im Boot-Validator (kommt in
+      // späterer Iteration).
+      return z.string().min(1);
+    }
+    case "locatedTimestamp": {
+      // Combined Wall-Clock+TZ Object. Beim Write akzeptieren wir entweder
+      // { at, tz } (typisch UI-Form, utc wird berechnet) oder { utc, tz }
+      // (typisch Server-zu-Server, at wird berechnet). Beim Read liefert
+      // der Read-Wrapper alle drei Felder (siehe Phase D in MIGRATION.md).
+      //
+      // Hier nur die Schema-Garantie: mindestens tz + (at ODER utc).
+      const at = z.iso.datetime({ local: true });
+      const tz = z.string().min(1);
+      const utc = z.iso.datetime();
+      return z.union([
+        z.object({ at, tz, utc: utc.optional() }),
+        z.object({ utc, tz, at: at.optional() }),
+      ]);
+    }
+    case "file":
+    case "image": {
+      // Single file: stores a fileRef UUID — must match fileRefsTable.id
+      // (uuid column). Pre-fix this was z.number() from an era when the
+      // column was (wrongly) integer; the table-builder fix to uuid needs
+      // a matching validation-layer fix here or the CRUD pipeline rejects
+      // every valid UUID with "expected number".
+      return z.uuid();
+    }
+    case "files":
+    case "images": {
+      // Multi file: array of fileRef UUIDs. Same story as the singular
+      // variant — the element type has to match the UUID column on
+      // fileRefsTable.id.
+      return z.array(z.uuid());
+    }
+    case "reference":
+      // Tier 2.7e-3: Validiert UUID-shape. Existenz-Check der Reference
+      // (Row im referenced Table existiert + Tenant-Scope) ist Server-
+      // side-Verantwortung im Handler / Foreign-Key-Constraint, nicht
+      // im Schema-Validator (würde sonst Round-trip zur DB beim Parse).
+      // Multi-Mode (Tier 2.7e-Multi): Array von UUIDs.
+      return field.multiple === true ? z.array(z.uuid()) : z.uuid();
+    default:
+      assertUnreachable(field, "field type");
+  }
+}
+export function buildInsertSchema(
+  entity: EntityDefinition,
+  currencies: readonly string[] = [...DEFAULT_CURRENCIES],
+): z.ZodObject<Record<string, z.ZodTypeAny>> {
+  const shape: Record<string, z.ZodTypeAny> = {};
+  for (const [name, field] of Object.entries(entity.fields)) {
+    const zodField = fieldToZod(field, currencies);
+    const hasDefault = "default" in field && field.default !== undefined;
+    const isRequired = "required" in field && field.required === true;
+    shape[name] = isRequired || hasDefault ? zodField : zodField.optional();
+  }
+  return z.object(shape);
+}
+export function buildUpdateSchema(
+  entity: EntityDefinition,
+  currencies: readonly string[] = [...DEFAULT_CURRENCIES],
+): z.ZodObject<Record<string, z.ZodTypeAny>> {
+  const shape: Record<string, z.ZodTypeAny> = {};
+  for (const [name, field] of Object.entries(entity.fields)) {
+    // Update schemas never apply defaults — a user that sends only
+    // `{ title }` means "only change title"; zod defaults would silently
+    // inject default values for every omitted field and clobber existing
+    // data via the event-store-executor's `changes` payload.
+    // Cast widens the discriminated union so destructure works for variants
+    // without a `default` field; remainder is structurally a FieldDefinition.
+    const { default: _default, ...stripped } = field as FieldDefinition & {
+      default?: unknown;
+    };
+    shape[name] = fieldToZod(stripped as FieldDefinition, currencies).optional();
+  }
+  return z.object(shape);
+}

package/src/engine/screen-filter-ops.ts ADDED Viewed

@@ -0,0 +1,51 @@
+// Screen-Filter (Tier 2.7c) — Op-vs-Field-Type-Compatibility.
+//
+// Wer darf was filtern?
+//   - text/select/multiSelect: nur equality-Ops (eq, ne, in). lt/gt
+//     auf Strings ist semantisch fast immer Tippfehler (lexicographic
+//     compare nutzt der Author selten bewusst); Author kann den
+//     Filter dann einfach nicht setzen.
+//   - boolean: eq, ne (in/lt/gt sinnlos für 2-Werte-Type).
+//   - number/money/date/timestamp/locatedTimestamp: alle 5 Ops —
+//     die Felder sind natürlich vergleichbar.
+//
+// Boot-Validator nutzt diese Map um Author-Fehler früh zu fangen
+// ("filter mit op:lt auf einem text-Feld" → Boot-Fail). Erweitert sich
+// transparent: neuer Field-Type → hier eintragen + sortable/filterable-
+// Flag im Type-Def, sonst lehnt der Validator das Field generell ab.
+import type { FieldDefinition, ScreenFilterOp } from "./types";
+const EQUALITY_ONLY = ["eq", "ne", "in"] as const satisfies readonly ScreenFilterOp[];
+const COMPARABLE = ["eq", "ne", "lt", "gt", "in"] as const satisfies readonly ScreenFilterOp[];
+const BOOL_OPS = ["eq", "ne"] as const satisfies readonly ScreenFilterOp[];
+export function getAllowedFilterOps(field: FieldDefinition): readonly ScreenFilterOp[] {
+  switch (field.type) {
+    case "text":
+    case "select":
+    case "multiSelect":
+      return EQUALITY_ONLY;
+    case "boolean":
+      return BOOL_OPS;
+    case "number":
+    case "money":
+    case "date":
+    case "timestamp":
+    case "locatedTimestamp":
+      return COMPARABLE;
+    // tz/embedded/file/image/files/images: nicht filterbar — Author
+    // kann das Feld nicht als filterable: true markieren (Boot-
+    // Validator weist `filterable: true` auf den Types ohnehin schon
+    // ab, weil das Flag dort gar nicht im Type-Def steht).
+    default:
+      return [];
+  }
+}
+// Author hat das Feld als filterable markiert? Tz/Embedded/File-Types
+// haben das Flag gar nicht im Type-Def, also fangen wir das per
+// `"filterable" in field`-Narrow ab.
+export function isFieldFilterable(field: FieldDefinition): boolean {
+  return "filterable" in field && field.filterable === true;
+}

package/src/engine/state-machine.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import { buildInvalidTransitionDetails, FrameworkReasons, UnprocessableError } from "../errors";
+/**
+ * Type-safe transition graph. Wraps the underlying Map so callers don't
+ * accidentally fall into the `transitions[from]?.includes(to)` footgun
+ * (Object-Index-Access auf einer Map returnt undefined und der ganze
+ * Check kollabiert silently). Stattdessen forciert die API explizite
+ * Methoden — kein Map-shape mehr extern sichtbar.
+ *
+ * - `canTransition(from, to)` → boolean
+ * - `allowedFrom(from)` → readonly string[] (leer wenn `from` unbekannt
+ *   oder terminaler Zustand)
+ * - `assertTransition(from, to)` → wirft UnprocessableError(invalid_transition)
+ */
+export type TransitionGraph<TStates extends string = string> = {
+  readonly canTransition: (from: TStates, to: TStates) => boolean;
+  readonly allowedFrom: (from: TStates) => readonly TStates[];
+  readonly assertTransition: (from: TStates, to: TStates) => void;
+};
+/**
+ * Defines allowed state transitions. Returns a typed graph (see
+ * TransitionGraph) — nicht eine Map. Damit ist `transitions[x]`-Zugriff
+ * type-error statt silent undefined.
+ */
+export function defineTransitions<const TMap extends Record<string, readonly string[]>>(
+  map: TMap,
+): TransitionGraph<keyof TMap & string> {
+  type TStates = keyof TMap & string;
+  const internal = new Map<string, ReadonlySet<string>>();
+  for (const [from, targets] of Object.entries(map)) {
+    internal.set(from, new Set(targets));
+  }
+  return {
+    canTransition: (from, to) => internal.get(from)?.has(to) === true,
+    allowedFrom: (from) => {
+      const set = internal.get(from);
+      return set ? ([...set] as TStates[]) : [];
+    },
+    assertTransition: (from, to) => {
+      const set = internal.get(from);
+      // skip: erlaubter Übergang — kein Throw, fall through.
+      if (set?.has(to) === true) return;
+      const allowed = set ? [...set] : [];
+      throw new UnprocessableError(FrameworkReasons.invalidTransition, {
+        i18nKey: "errors.invalidTransition",
+        details: buildInvalidTransitionDetails(from, to, allowed),
+      });
+    },
+  };
+}
+/**
+ * Asserts a state transition is allowed. Throws UnprocessableError with
+ * reason="invalid_transition" if not — the 422 status lets the client
+ * distinguish a logical rejection from a validation or auth failure.
+ *
+ * Convenience-Wrapper um `transitions.assertTransition(from, to)` —
+ * existiert weil bestehende Aufrufer `guardTransition(graph, ...)`-Form
+ * nutzen. Beides ist erlaubt; die Method-Form auf dem Graph ist die
+ * idiomatische API für neuen Code.
+ */
+export function guardTransition<TStates extends string>(
+  transitions: TransitionGraph<TStates>,
+  from: TStates,
+  to: TStates,
+): void {
+  transitions.assertTransition(from, to);
+}

package/src/engine/system-user.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import type { SessionUser } from "./types";
+// Stringified so it round-trips through SessionUser.id (string UUID-shape).
+// Not a real UUID — SYSTEM acts as an alias for "no human caller" and event-
+// store createdBy is text, so the literal suffices.
+export const SYSTEM_USER_ID = "00000000-0000-0000-0000-000000000000";
+export const SYSTEM_ROLE = "system" as const;
+export function createSystemUser(tenantId: TenantId): SessionUser {
+  return {
+    id: SYSTEM_USER_ID,
+    tenantId,
+    roles: [SYSTEM_ROLE],
+  };
+}
+// Anonymous = unauthenticated caller on a public endpoint. id is a stable
+// literal (not a UUID) so audit-trails and event-store rows stay readable —
+// `actor: "anonymous"` is more useful than a random UUID-bucket. Reserved
+// like SYSTEM_ROLE: the boot-validator rejects apps that declare these as
+// custom roles.
+export const ANONYMOUS_USER_ID = "anonymous";
+export const ANONYMOUS_ROLE = "anonymous" as const;
+export function createAnonymousUser(tenantId: TenantId): SessionUser {
+  return {
+    id: ANONYMOUS_USER_ID,
+    tenantId,
+    roles: [ANONYMOUS_ROLE],
+  };
+}