npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/api/__tests__/body-limit.test.ts ADDED Viewed

@@ -0,0 +1,88 @@
+import { describe, expect, test } from "vitest";
+import { z } from "zod";
+import { createEntity, createRegistry, createTextField, defineFeature } from "../../engine";
+import { buildServer } from "../server";
+const JWT_SECRET = "test-secret-at-least-32-chars-long!!";
+const testFeature = defineFeature("blob", (r) => {
+  r.entity("note", createEntity({ table: "Notes", fields: { body: createTextField() } }));
+  r.writeHandler(
+    "note:create",
+    z.object({ body: z.string() }),
+    async (event) => ({ isSuccess: true, data: { body: event.payload.body } }),
+    { access: { openToAll: true } },
+  );
+});
+function buildApp(maxRequestBytes?: number) {
+  const registry = createRegistry([testFeature]);
+  return buildServer({
+    registry,
+    context: {},
+    jwtSecret: JWT_SECRET,
+    maxRequestBytes,
+  }).app;
+}
+function postJson(app: ReturnType<typeof buildApp>, path: string, bytes: number) {
+  const body = JSON.stringify({ body: "x".repeat(bytes) });
+  return app.request(path, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Content-Length": String(body.length),
+    },
+    body,
+  });
+}
+describe("request body limit", () => {
+  test("rejects POST with body larger than maxRequestBytes with 413", async () => {
+    const app = buildApp(1024);
+    const res = await postJson(app, "/api/write", 2048);
+    expect(res.status).toBe(413);
+  });
+  test("accepts POST with body within the limit (reaches auth layer)", async () => {
+    const app = buildApp(10_000);
+    const res = await postJson(app, "/api/write", 100);
+    // No JWT → 401. Point is: NOT 413.
+    expect(res.status).toBe(401);
+  });
+  test("default limit rejects absurdly large payloads", async () => {
+    const app = buildApp(); // default 1 MB
+    const res = await postJson(app, "/api/write", 2_000_000); // 2 MB
+    expect(res.status).toBe(413);
+  });
+  test("default limit accepts small payloads", async () => {
+    const app = buildApp();
+    const res = await postJson(app, "/api/write", 500);
+    expect(res.status).toBe(401); // auth required, but size is fine
+  });
+  test("limit is not applied to /api/files (uploads have their own cap)", async () => {
+    // /api/files isn't mounted on this test app (no storageProvider), so a POST
+    // results in 404 — the point is: NOT 413. A payload that exceeds the JSON
+    // cap must still reach the route layer for the files router to decide.
+    const app = buildApp(1024);
+    const body = JSON.stringify({ body: "x".repeat(4096) });
+    const res = await app.request("/api/files", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": String(body.length),
+      },
+      body,
+    });
+    expect(res.status).not.toBe(413);
+  });
+  test("maxRequestBytes=0 disables the cap entirely", async () => {
+    const app = buildApp(0);
+    const res = await postJson(app, "/api/write", 50_000);
+    expect(res.status).toBe(401); // passes body-limit, reaches auth
+  });
+});

package/src/api/__tests__/csrf-middleware.test.ts ADDED Viewed

@@ -0,0 +1,97 @@
+// csrf-middleware: double-submit token check against a Hono app that
+// layers authMiddleware → csrfMiddleware → handler. Covers the paths that
+// matter in production: cookie + state-changing, cookie + safe, bearer.
+import { Hono } from "hono";
+import { describe, expect, test } from "vitest";
+import { TestUsers } from "../../stack";
+import {
+  AUTH_COOKIE_NAME,
+  authMiddleware,
+  CSRF_COOKIE_NAME,
+  CSRF_HEADER_NAME,
+} from "../auth-middleware";
+import { csrfMiddleware } from "../csrf-middleware";
+import { createJwtHelper } from "../jwt";
+const JWT_SECRET = "csrf-middleware-test-secret-min-32-characters-long";
+const CSRF = "csrf-token-fixed-for-test";
+async function buildApp(): Promise<{ app: Hono; token: string }> {
+  const jwt = createJwtHelper(JWT_SECRET);
+  const token = await jwt.sign(TestUsers.user);
+  const app = new Hono();
+  app.use("/api/*", authMiddleware(jwt));
+  app.use("/api/*", csrfMiddleware());
+  app.get("/api/ping", (c) => c.json({ ok: true }));
+  app.post("/api/write", (c) => c.json({ ok: true }));
+  return { app, token };
+}
+describe("csrf-middleware", () => {
+  test("bearer transport skips csrf check even on POST", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/write", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(200);
+  });
+  test("cookie transport + GET → no csrf check (safe method)", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/ping", {
+      headers: { Cookie: `${AUTH_COOKIE_NAME}=${token}` },
+    });
+    expect(res.status).toBe(200);
+  });
+  test("cookie transport + POST + matching csrf → ok", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/write", {
+      method: "POST",
+      headers: {
+        Cookie: `${AUTH_COOKIE_NAME}=${token}; ${CSRF_COOKIE_NAME}=${CSRF}`,
+        [CSRF_HEADER_NAME]: CSRF,
+      },
+    });
+    expect(res.status).toBe(200);
+  });
+  test("cookie transport + POST + missing header → 403", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/write", {
+      method: "POST",
+      headers: {
+        Cookie: `${AUTH_COOKIE_NAME}=${token}; ${CSRF_COOKIE_NAME}=${CSRF}`,
+      },
+    });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("csrf_token_mismatch");
+  });
+  test("cookie transport + POST + wrong header → 403", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/write", {
+      method: "POST",
+      headers: {
+        Cookie: `${AUTH_COOKIE_NAME}=${token}; ${CSRF_COOKIE_NAME}=${CSRF}`,
+        [CSRF_HEADER_NAME]: "wrong-value",
+      },
+    });
+    expect(res.status).toBe(403);
+  });
+  test("cookie transport + POST + missing csrf cookie → 403", async () => {
+    const { app, token } = await buildApp();
+    const res = await app.request("/api/write", {
+      method: "POST",
+      headers: {
+        Cookie: `${AUTH_COOKIE_NAME}=${token}`,
+        [CSRF_HEADER_NAME]: CSRF,
+      },
+    });
+    expect(res.status).toBe(403);
+  });
+});

package/src/api/__tests__/dispatcher-live.integration.ts ADDED Viewed

@@ -0,0 +1,216 @@
+import { createLiveDispatcher } from "@cosmicdrift/kumiko-dispatcher-live";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { z } from "zod";
+import { generateToken } from "../../api/tokens";
+import { createEventStoreExecutor } from "../../db/event-store-executor";
+import { buildDrizzleTable } from "../../db/table-builder";
+import { createEntity, createTextField, defineFeature } from "../../engine";
+import { createEntityTable, setupTestStack, type TestStack, TestUsers } from "../../stack";
+import { generateId } from "../../utils";
+// End-to-end: UI code would call `dispatcher.write("feat:write:item:create", ...)`.
+// This test wires dispatcher-live against the real Kumiko HTTP stack via
+// Hono's `app.request()` (in-memory, no port) and proves the whole path:
+//   dispatcher-live → JSON body + headers → Hono route → dispatcher →
+//   write-handler → crud-executor → DB → response → dispatcher-live →
+//   typed WriteResult.
+//
+// Server-side CSRF middleware is enabled by the normal server config, so
+// the dispatcher must carry X-CSRF-Token correctly or these writes would
+// land as 403. The test proves that wiring end-to-end.
+const itemEntity = createEntity({
+  table: "dispatcher_live_items",
+  fields: { name: createTextField({ required: true }) },
+});
+const itemTable = buildDrizzleTable("item", itemEntity);
+const itemFeature = defineFeature("dlive", (r) => {
+  r.entity("item", itemEntity);
+  r.writeHandler(
+    "item:create",
+    z.object({ name: z.string().min(1) }),
+    async (event, ctx) => {
+      const crud = createEventStoreExecutor(itemTable, itemEntity, { entityName: "item" });
+      return crud.create(event.payload, event.user, ctx.db);
+    },
+    { access: { roles: ["Admin"] } },
+  );
+  r.queryHandler(
+    "item:list",
+    z.object({}).optional(),
+    async (_event, ctx) => {
+      return ctx.db.select().from(itemTable);
+    },
+    { access: { roles: ["Admin"] } },
+  );
+});
+let stack: TestStack;
+const admin = TestUsers.admin;
+// Wire dispatcher-live's `fetch` to Hono's in-memory `app.request`. Also
+// synthesizes the auth + CSRF cookies a real browser would send: the stack
+// exposes the Hono app, but the normal login-flow-based session-cookie
+// setup isn't in play here — we sign a JWT directly and set both the
+// `kumiko_auth` (HttpOnly JWT) and `kumiko_csrf` cookies by hand. A
+// real browser login does the same server-side via auth-routes.ts.
+//
+// GAP: this means the real POST /auth/login round-trip (Set-Cookie
+// headers, CSRF-cookie generation on the server, SameSite/HttpOnly
+// flags as actually emitted) is NOT exercised here. If we ever change
+// the login endpoint's cookie-setting code, this file will not catch
+// regressions — the dedicated auth-routes integration test owns that
+// coverage. Keep this test focused on dispatcher-live's request-side
+// behaviour (envelope parsing, error mapping, CSRF-header echo).
+//
+// The fetch wrapper echoes the csrf cookie back into the X-CSRF-Token
+// header — that's the real dispatcher-live code path; the test just
+// stages the cookies first.
+async function buildFetch(): Promise<{
+  readonly fetch: typeof fetch;
+  readonly csrfToken: string;
+  readonly authJwt: string;
+}> {
+  const authJwt = await stack.jwt.sign(admin);
+  const csrfToken = generateToken();
+  const cookieHeader = `kumiko_auth=${authJwt}; kumiko_csrf=${csrfToken}`;
+  // Cast via unknown: the native fetch interface (Bun's typing) includes a
+  // `preconnect` method we don't need and can't meaningfully implement
+  // against Hono's in-memory request handler. dispatcher-live calls the
+  // functional shape only — preconnect is a hint, not load-bearing.
+  const fetchImpl = (async (url: unknown, init: RequestInit | undefined) => {
+    const reqInit: RequestInit = {
+      ...(init ?? {}),
+      headers: {
+        ...(init?.headers ?? {}),
+        Cookie: cookieHeader,
+      },
+    };
+    return stack.app.request(String(url), reqInit);
+  }) as unknown as typeof fetch;
+  return { fetch: fetchImpl, csrfToken, authJwt };
+}
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [itemFeature] });
+  await createEntityTable(stack.db, itemEntity);
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(itemTable);
+});
+describe("dispatcher-live (integration) — full path against Kumiko server", () => {
+  test("write: dispatches HTTP, server persists, response maps to typed WriteResult", async () => {
+    const { fetch, csrfToken } = await buildFetch();
+    const dispatcher = createLiveDispatcher({
+      fetch,
+      readCsrf: () => csrfToken,
+    });
+    const result = await dispatcher.write<{ data?: { name?: string } }>("dlive:write:item:create", {
+      name: "hello-live",
+    });
+    expect(result.isSuccess).toBe(true);
+    // Prove the server actually persisted.
+    const rows = await stack.db.select().from(itemTable);
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.["name"]).toBe("hello-live");
+  });
+  test("write: validation failure surfaces as typed DispatcherError with field issues", async () => {
+    const { fetch, csrfToken } = await buildFetch();
+    const dispatcher = createLiveDispatcher({ fetch, readCsrf: () => csrfToken });
+    const result = await dispatcher.write("dlive:write:item:create", { name: "" });
+    expect(result.isSuccess).toBe(false);
+    if (!result.isSuccess) {
+      expect(result.error.code).toBe("validation_error");
+      const fieldPaths = (result.error.details?.fields ?? []).map((f) => f.path);
+      expect(fieldPaths).toContain("name");
+    }
+  });
+  test("missing CSRF token: server rejects — exercises Vorarbeit-A wiring", async () => {
+    const { fetch } = await buildFetch();
+    // Dispatcher with no csrf reader — the header won't be sent.
+    const dispatcher = createLiveDispatcher({ fetch, readCsrf: () => undefined });
+    const result = await dispatcher.write("dlive:write:item:create", { name: "no-csrf" });
+    expect(result.isSuccess).toBe(false);
+    if (!result.isSuccess) {
+      // The CSRF middleware raises with code "csrf_token_mismatch".
+      expect(result.error.code).toBe("csrf_token_mismatch");
+    }
+  });
+  test("query: dispatches GET-style-POST (Kumiko uses POST for query too), returns data", async () => {
+    // Seed a row first.
+    await stack.db.insert(itemTable).values({
+      id: generateId(),
+      tenantId: admin.tenantId,
+      name: "seed",
+    });
+    const { fetch, csrfToken } = await buildFetch();
+    const dispatcher = createLiveDispatcher({ fetch, readCsrf: () => csrfToken });
+    const result = await dispatcher.query<unknown[]>("dlive:query:item:list", {});
+    expect(result.isSuccess).toBe(true);
+    if (result.isSuccess) {
+      expect(Array.isArray(result.data)).toBe(true);
+      expect(result.data).toHaveLength(1);
+    }
+  });
+  test("batch: multiple writes go through one HTTP call, atomic on the server", async () => {
+    const { fetch, csrfToken } = await buildFetch();
+    const dispatcher = createLiveDispatcher({ fetch, readCsrf: () => csrfToken });
+    const result = await dispatcher.batch([
+      { type: "dlive:write:item:create", payload: { name: "a" } },
+      { type: "dlive:write:item:create", payload: { name: "b" } },
+      { type: "dlive:write:item:create", payload: { name: "c" } },
+    ]);
+    expect(result.isSuccess).toBe(true);
+    const rows = await stack.db.select().from(itemTable);
+    expect(rows).toHaveLength(3);
+    const names = rows.map((r) => r["name"]).sort();
+    expect(names).toEqual(["a", "b", "c"]);
+  });
+  test("batch: mid-batch failure rolls back the prior writes — atomic guarantee preserved", async () => {
+    const { fetch, csrfToken } = await buildFetch();
+    const dispatcher = createLiveDispatcher({ fetch, readCsrf: () => csrfToken });
+    const result = await dispatcher.batch([
+      { type: "dlive:write:item:create", payload: { name: "ok-1" } },
+      { type: "dlive:write:item:create", payload: { name: "" } }, // fails validation
+      { type: "dlive:write:item:create", payload: { name: "never-runs" } },
+    ]);
+    expect(result.isSuccess).toBe(false);
+    if (!result.isSuccess) {
+      expect(result.failedIndex).toBe(1);
+    }
+    // DB must be empty — prior success within a failed batch rolls back.
+    const rows = await stack.db.select().from(itemTable);
+    expect(rows).toHaveLength(0);
+  });
+});

package/src/api/__tests__/metrics-endpoint.test.ts ADDED Viewed

@@ -0,0 +1,126 @@
+import { describe, expect, test } from "vitest";
+import { createEntity, createRegistry, createTextField, defineFeature } from "../../engine";
+import {
+  createNoopProvider,
+  createPrometheusMeter,
+  type ObservabilityProvider,
+} from "../../observability";
+import { buildServer } from "../server";
+const JWT = "metrics-endpoint-test-secret-minimum-32-chars!!";
+const noopFeature = defineFeature("m", (r) => {
+  r.entity("widget", createEntity({ table: "Widgets", fields: { name: createTextField() } }));
+});
+// Swap the NoopProvider's meter for a PrometheusMeter. Tracer + lifecycle
+// stay noop — /metrics only reads the meter.
+function makeProvider(): {
+  provider: ObservabilityProvider;
+  meter: ReturnType<typeof createPrometheusMeter>;
+} {
+  const meter = createPrometheusMeter();
+  const base = createNoopProvider();
+  const provider: ObservabilityProvider = { ...base, meter };
+  return { provider, meter };
+}
+function makeApp(opts: {
+  metrics?: { token?: string; path?: string };
+  meter?: ReturnType<typeof createPrometheusMeter>;
+  provider?: ObservabilityProvider;
+}) {
+  const registry = createRegistry([noopFeature]);
+  const build = opts.provider
+    ? { provider: opts.provider, meter: opts.meter ?? null }
+    : makeProvider();
+  const args = {
+    registry,
+    context: {},
+    jwtSecret: JWT,
+    observability: build.provider,
+    ...(opts.metrics ? { metrics: opts.metrics } : {}),
+  };
+  return { ...buildServer(args), meter: build.meter };
+}
+describe("/metrics endpoint", () => {
+  test("returns 404 when `metrics` option is not wired (opt-in)", async () => {
+    const { app } = makeApp({});
+    const res = await app.request("/metrics");
+    expect(res.status).toBe(404);
+  });
+  test("returns OpenMetrics text when wired and meter is a PrometheusMeter", async () => {
+    const { app, meter } = makeApp({ metrics: {} });
+    if (!meter) throw new Error("meter missing");
+    // Seed a single metric so the output isn't empty.
+    meter.registerMetric({
+      name: "kumiko_test_total",
+      type: "counter",
+      description: "probe counter",
+    });
+    meter.counter("kumiko_test_total").inc(3);
+    const res = await app.request("/metrics");
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toMatch(/openmetrics-text/);
+    const body = await res.text();
+    expect(body).toContain("# HELP kumiko_test_total probe counter");
+    expect(body).toContain("# TYPE kumiko_test_total counter");
+    expect(body).toContain("kumiko_test_total 3");
+    expect(body).toMatch(/# EOF\n$/);
+  });
+  test("token-protected: rejects missing header with 401", async () => {
+    const { app } = makeApp({ metrics: { token: "scrape-secret-xyz" } });
+    const res = await app.request("/metrics");
+    expect(res.status).toBe(401);
+  });
+  test("token-protected: rejects wrong token with 401", async () => {
+    const { app } = makeApp({ metrics: { token: "scrape-secret-xyz" } });
+    const res = await app.request("/metrics", {
+      headers: { Authorization: "Bearer wrong-token" },
+    });
+    expect(res.status).toBe(401);
+  });
+  test("token-protected: accepts matching Bearer token", async () => {
+    const { app, meter } = makeApp({ metrics: { token: "scrape-secret-xyz" } });
+    if (!meter) throw new Error("meter missing");
+    meter.registerMetric({ name: "kumiko_probe", type: "counter" });
+    meter.counter("kumiko_probe").inc();
+    const res = await app.request("/metrics", {
+      headers: { Authorization: "Bearer scrape-secret-xyz" },
+    });
+    expect(res.status).toBe(200);
+  });
+  test("custom path: /internal/metrics", async () => {
+    const { app, meter } = makeApp({ metrics: { path: "/internal/metrics" } });
+    if (!meter) throw new Error("meter missing");
+    meter.registerMetric({ name: "kumiko_probe", type: "counter" });
+    const atDefault = await app.request("/metrics");
+    expect(atDefault.status).toBe(404);
+    const atCustom = await app.request("/internal/metrics");
+    expect(atCustom.status).toBe(200);
+  });
+  test("503 when meter lacks snapshot() (misconfig — non-Prometheus provider)", async () => {
+    // Build a provider whose meter is a raw non-Prometheus implementation —
+    // pretend it's a ConsoleProvider or an OTLP bridge without snapshot().
+    const { createNoopProvider } = await import("../../observability");
+    const provider = createNoopProvider();
+    // NoopProvider is "empty by design", register a metric so definitions
+    // isn't hollow, but snapshot() is still absent on the meter shape.
+    provider.meter.registerMetric({ name: "kumiko_noop", type: "counter" });
+    const { app } = makeApp({ provider, metrics: {} });
+    const res = await app.request("/metrics");
+    expect(res.status).toBe(503);
+    expect(await res.text()).toContain("PrometheusMeter");
+  });
+});