npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/event-store/snapshot.ts ADDED Viewed

@@ -0,0 +1,210 @@
+import { and, desc, eq, sql } from "drizzle-orm";
+import type { DbConnection, DbRunner } from "../db/connection";
+import {
+  index,
+  instant,
+  integer,
+  jsonb,
+  table as pgTable,
+  primaryKey,
+  text,
+  uuid,
+} from "../db/dialect";
+import { tableExists } from "../db/schema-inspection";
+import type { TenantId } from "../engine/types";
+import { pushTables } from "../stack";
+import { isStreamArchived } from "./archive";
+import { loadEventsAfterVersion, type StoredEvent } from "./event-store";
+// Marten-aligned snapshot store. A snapshot is a point-in-time materialised
+// state of an aggregate at a specific version, cached so rehydrating the
+// aggregate doesn't require replaying every historical event.
+//
+// Read path (loadAggregateWithSnapshot):
+//   1. isStreamArchived? → honour same semantics as loadAggregate
+//   2. loadLatestSnapshot → state + version N (or null)
+//   3. loadEventsAfterVersion(aggregate, N) → only the delta
+//   4. reducer(snapshot, delta) → current state
+//
+// Write path: feature authors opt in via ctx.snapshotAggregate. Policy
+// (every N events, every M minutes, on-demand) is a feature-level decision
+// — the framework only offers the storage primitive.
+//
+// Schema-migration policy: NO built-in snapshot versioning. A snapshot stores
+// the aggregate state in the reducer's current shape. When the reducer's
+// shape changes (added field, renamed property, moved compound), invalidate
+// the cache — DELETE from kumiko_snapshots WHERE aggregate_type = '...'.
+// The read path then falls back to full replay (which runs the upcaster
+// chain on events) until the next snapshotAggregate call. Cheaper than a
+// second migration mechanism; snapshots are a perf optimisation, not a
+// source of truth.
+//
+// Upcaster interaction: the raw API (loadAggregateWithSnapshot below) does
+// NOT apply the upcaster chain on delta events — same layering as raw
+// loadAggregate. The Dispatcher wraps this into ctx.loadAggregateWithSnapshot
+// and runs upcastStoredEvents on the delta before calling the reducer, so
+// feature authors always see current-version payloads.
+export const snapshotsTable = pgTable(
+  "kumiko_snapshots",
+  {
+    aggregateId: uuid("aggregate_id").notNull(),
+    tenantId: uuid("tenant_id").notNull(),
+    // Kept even though (aggregate_id, version) is globally unique: the
+    // schema-migration invalidation mechanism (see file header) filters by
+    // aggregate_type, so storing it avoids a join on events just to
+    // invalidate snapshots.
+    aggregateType: text("aggregate_type").notNull(),
+    // The version covered by this snapshot. `loadEventsAfterVersion`
+    // returns events with version > this value.
+    version: integer("version").notNull(),
+    state: jsonb("state").$type<Record<string, unknown>>().notNull(),
+    createdAt: instant("created_at", { precision: 3 }).notNull().default(sql`now()`),
+  },
+  (t) => ({
+    pk: primaryKey({ columns: [t.aggregateId, t.version] }),
+    // Latest-snapshot lookup: WHERE aggregate_id = ? ORDER BY version DESC
+    // LIMIT 1. With this index the planner does one seek + backward scan
+    // instead of sort-and-limit.
+    latestIdx: index("kumiko_snapshots_latest_idx").on(t.aggregateId, t.tenantId, t.version),
+  }),
+);
+export async function createSnapshotsTable(db: DbConnection): Promise<void> {
+  // skip: table already exists — idempotent boot + test-setup call
+  if (await tableExists(db, "public.kumiko_snapshots")) return;
+  await pushTables(db, { kumikoSnapshots: snapshotsTable });
+}
+export type Snapshot<TState extends Record<string, unknown> = Record<string, unknown>> = {
+  readonly aggregateId: string;
+  readonly tenantId: TenantId;
+  readonly aggregateType: string;
+  readonly version: number;
+  readonly state: TState;
+  readonly createdAt: Temporal.Instant;
+};
+export type SaveSnapshotArgs = {
+  readonly aggregateId: string;
+  readonly tenantId: TenantId;
+  readonly aggregateType: string;
+  readonly version: number;
+  readonly state: Record<string, unknown>;
+};
+// Upsert-style save so re-snapshotting the same (aggregateId, version) is
+// idempotent. Caller can retake a snapshot at the same version without
+// bespoke error handling — useful when a feature's snapshot policy runs
+// during a concurrent retake.
+export async function saveSnapshot(db: DbRunner, args: SaveSnapshotArgs): Promise<void> {
+  await db
+    .insert(snapshotsTable)
+    .values({
+      aggregateId: args.aggregateId,
+      tenantId: args.tenantId,
+      aggregateType: args.aggregateType,
+      version: args.version,
+      state: args.state,
+    })
+    .onConflictDoUpdate({
+      target: [snapshotsTable.aggregateId, snapshotsTable.version],
+      set: {
+        state: args.state,
+        aggregateType: args.aggregateType,
+        createdAt: sql`now()`,
+      },
+    });
+}
+// Latest snapshot lookup. Tenant filter is belt-and-suspenders — the
+// aggregate_id should already scope uniquely, but an accidentally-reused
+// UUID across tenants would otherwise silently leak.
+export async function loadLatestSnapshot<
+  TState extends Record<string, unknown> = Record<string, unknown>,
+>(db: DbRunner, aggregateId: string, tenantId: TenantId): Promise<Snapshot<TState> | null> {
+  const rows = await db
+    .select()
+    .from(snapshotsTable)
+    .where(and(eq(snapshotsTable.aggregateId, aggregateId), eq(snapshotsTable.tenantId, tenantId)))
+    .orderBy(desc(snapshotsTable.version))
+    .limit(1);
+  const row = rows[0];
+  if (!row) return null;
+  return {
+    aggregateId: row.aggregateId,
+    tenantId: row.tenantId,
+    aggregateType: row.aggregateType,
+    version: row.version,
+    state: row.state as TState,
+    createdAt: row.createdAt,
+  };
+}
+// Reducer used to fold events onto a state. Kept narrow and pure — the
+// caller supplies the shape and update rules. Mirrors the reducer shape
+// feature authors already write for r.projection.apply.
+export type SnapshotReducer<TState extends Record<string, unknown>> = (
+  state: TState,
+  event: StoredEvent,
+) => TState;
+export type LoadAggregateWithSnapshotResult<TState extends Record<string, unknown>> = {
+  readonly state: TState;
+  readonly version: number;
+  readonly snapshotHit: boolean;
+};
+export type LoadAggregateWithSnapshotOptions = {
+  // Opt-in: include archived streams in the rehydrate. Default false — same
+  // semantics as loadAggregate / loadAggregateAsOf. Archive check is a
+  // single indexed lookup, so the cost stays negligible on the hot path.
+  readonly includeArchived?: boolean;
+  // Optional upcaster step: every delta event goes through this transform
+  // BEFORE the reducer sees it. The dispatcher wires this up with
+  // r.eventMigration so feature code always sees current-version payloads.
+  // Async to support Marten-style AsyncOnlyEventUpcaster (DB lookups).
+  readonly upcastEvent?: (event: StoredEvent) => Promise<StoredEvent>;
+};
+// Snapshot-aware rehydrate. Loads the latest snapshot (if any), applies
+// events strictly newer than snapshot.version, and returns the fold.
+// Callers that want strictly-event-sourced loading should stick with
+// loadAggregate + reduce — this path exists for perf-critical aggregates.
+//
+// Archive behaviour mirrors loadAggregate: an archived stream returns
+// `initial` with version=0, snapshotHit=false, unless
+// { includeArchived: true } is passed. This keeps snapshot and raw
+// loadAggregate interchangeable from the caller's point of view.
+export async function loadAggregateWithSnapshot<TState extends Record<string, unknown>>(
+  db: DbRunner,
+  aggregateId: string,
+  tenantId: TenantId,
+  reducer: SnapshotReducer<TState>,
+  initial: TState,
+  options?: LoadAggregateWithSnapshotOptions,
+): Promise<LoadAggregateWithSnapshotResult<TState>> {
+  if (!options?.includeArchived) {
+    const archived = await isStreamArchived(db, tenantId, aggregateId);
+    if (archived) {
+      return { state: initial, version: 0, snapshotHit: false };
+    }
+  }
+  const snapshot = await loadLatestSnapshot<TState>(db, aggregateId, tenantId);
+  const baseState = snapshot ? snapshot.state : initial;
+  const afterVersion = snapshot ? snapshot.version : 0;
+  const delta = await loadEventsAfterVersion(db, aggregateId, tenantId, afterVersion);
+  let state = baseState;
+  for (const event of delta) {
+    const effective = options?.upcastEvent ? await options.upcastEvent(event) : event;
+    state = reducer(state, effective);
+  }
+  const lastDelta = delta[delta.length - 1];
+  const latestVersion = lastDelta ? lastDelta.version : afterVersion;
+  return {
+    state,
+    version: latestVersion,
+    snapshotHit: snapshot !== null,
+  };
+}

package/src/event-store/upcaster-dead-letter.ts ADDED Viewed

@@ -0,0 +1,119 @@
+// Dead-letter storage for failed event upcasters.
+//
+// Background: upcastStoredEvent walks a stored event's payload through
+// r.eventMigration transforms until it matches the current schema. A
+// migration that throws (malformed legacy payload, DB-dependent
+// enrichment that fails) propagates to the dispatcher and kills the
+// pass — one bad event in a million can stall every projection behind
+// it. The same applies to MSP rebuild.
+//
+// Quarantine mode captures the failure into `kumiko_upcaster_dead_letters`,
+// lets the dispatcher skip the event, and surfaces the row count via
+// ops tooling. Replay (re-apply the migration after a code fix) is a
+// separate CLI step — not implemented here, tracked as follow-up.
+import { bigint, index, integer, jsonb, pgTable, text, timestamp, uuid } from "drizzle-orm/pg-core";
+import type { DbConnection, DbRunner } from "../db/connection";
+import { tableExists } from "../db/schema-inspection";
+import { pushTables } from "../stack";
+import type { StoredEvent } from "./event-store";
+export const upcasterDeadLetterTable = pgTable(
+  "kumiko_upcaster_dead_letters",
+  {
+    // Surrogate PK. We don't reuse eventId so a single event can land
+    // here multiple times (retry attempts across deploys before the fix
+    // lands) without unique-violation noise.
+    id: bigint("id", { mode: "bigint" }).primaryKey().generatedAlwaysAsIdentity(),
+    // StoredEvent.id is surfaced as `string` (bigint serialised for JSON
+    // safety). Storing as text keeps the round-trip identity without a
+    // coerce step at every write site.
+    eventId: text("event_id").notNull(),
+    tenantId: uuid("tenant_id").notNull(),
+    aggregateId: text("aggregate_id").notNull(),
+    aggregateType: text("aggregate_type").notNull(),
+    eventType: text("event_type").notNull(),
+    fromVersion: integer("from_version").notNull(),
+    targetVersion: integer("target_version").notNull(),
+    errorMessage: text("error_message").notNull(),
+    originalPayload: jsonb("original_payload").notNull(),
+    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+  },
+  (t) => ({
+    eventTypeIdx: index("upcaster_dead_letters_event_type_idx").on(t.eventType),
+    createdAtIdx: index("upcaster_dead_letters_created_at_idx").on(t.createdAt),
+  }),
+);
+// Idempotent table-create. Called from setupTestStack for suites that
+// exercise the quarantine path; production boot uses drizzle-kit push.
+export async function createUpcasterDeadLetterTable(db: DbConnection): Promise<void> {
+  // skip: table already exists — bootstrap called from multiple paths
+  if (await tableExists(db, "public.kumiko_upcaster_dead_letters")) return;
+  await pushTables(db, { kumikoUpcasterDeadLetters: upcasterDeadLetterTable });
+}
+// Writes a dead-letter row. Called by upcastStoredEvent when errorPolicy
+// is "quarantine" and a transform threw. Returns the inserted row id —
+// ops tooling uses it for correlate-and-replay flows.
+export async function recordUpcasterDeadLetter(
+  db: DbRunner,
+  args: {
+    event: StoredEvent;
+    fromVersion: number;
+    targetVersion: number;
+    error: unknown;
+  },
+): Promise<void> {
+  const message = args.error instanceof Error ? args.error.message : String(args.error);
+  await db.insert(upcasterDeadLetterTable).values({
+    eventId: args.event.id,
+    tenantId: args.event.tenantId,
+    aggregateId: args.event.aggregateId,
+    aggregateType: args.event.aggregateType,
+    eventType: args.event.type,
+    fromVersion: args.fromVersion,
+    targetVersion: args.targetVersion,
+    errorMessage: message,
+    originalPayload: args.event.payload,
+  });
+}
+export type DeadLetterRow = {
+  readonly id: bigint;
+  readonly eventId: string;
+  readonly tenantId: string;
+  readonly aggregateId: string;
+  readonly aggregateType: string;
+  readonly eventType: string;
+  readonly fromVersion: number;
+  readonly targetVersion: number;
+  readonly errorMessage: string;
+  readonly originalPayload: Record<string, unknown>;
+  readonly createdAt: Date;
+};
+// Ops-side query. Loads recent failures, optionally scoped by event-type
+// to triage a single broken migration without pulling the full table.
+export async function listDeadLetters(
+  db: DbConnection,
+  options: { eventType?: string; limit?: number } = {},
+): Promise<readonly DeadLetterRow[]> {
+  const { desc, eq } = await import("drizzle-orm");
+  const limit = options.limit ?? 100;
+  const eventType = options.eventType;
+  const rows =
+    eventType !== undefined
+      ? await db
+          .select()
+          .from(upcasterDeadLetterTable)
+          .where(eq(upcasterDeadLetterTable.eventType, eventType))
+          .orderBy(desc(upcasterDeadLetterTable.createdAt))
+          .limit(limit)
+      : await db
+          .select()
+          .from(upcasterDeadLetterTable)
+          .orderBy(desc(upcasterDeadLetterTable.createdAt))
+          .limit(limit);
+  return rows as readonly DeadLetterRow[];
+}

package/src/event-store/upcaster.ts ADDED Viewed

@@ -0,0 +1,147 @@
+import type { DbRunner } from "../db";
+import type { EventUpcastCtx, EventUpcastFn, TenantId } from "../engine/types";
+import type { StoredEvent } from "./event-store";
+import { recordUpcasterDeadLetter } from "./upcaster-dead-letter";
+// Error-handling contract for the upcast pass.
+//
+//   throw     — legacy behaviour: the pass aborts, the dispatcher retries,
+//               a permanently broken payload eventually dead-letters at
+//               the consumer level after maxAttempts retries. Pick this
+//               when every event must land exactly once and "skip" is
+//               never acceptable.
+//
+//   quarantine — the failing event is written to
+//               `kumiko_upcaster_dead_letters` with the error + original
+//               payload and REMOVED from the returned list. The
+//               dispatcher skips it cleanly; ops tooling replays after
+//               the code fix. Pick this for projections where a single
+//               unrenderable historic event shouldn't block the rest
+//               of the stream.
+export type UpcasterErrorPolicy = "throw" | "quarantine";
+export type UpcastOptions = {
+  readonly errorPolicy?: UpcasterErrorPolicy;
+};
+// Event schema evolution (Marten-style upcaster). An event's stored payload
+// stays immutable on disk; when a feature bumps the event version and
+// registers step-wise r.eventMigration transforms, reads walk older events
+// through the chain until the payload matches the current shape.
+//
+// Sync transforms cost O(version_gap) plain JSON rewrites — hot path on
+// projection rebuild stays cheap. Async transforms (Marten's
+// AsyncOnlyEventUpcaster) for DB-enrichment are supported via the same
+// signature: return Promise<unknown>, the framework awaits unconditionally.
+// Sync transforms still pay only the await-microtask overhead.
+export type EventUpcasters = ReadonlyMap<
+  string,
+  { readonly currentVersion: number; readonly chain: ReadonlyMap<number, EventUpcastFn> }
+>;
+// Upcast a single stored event through however many registered migrations
+// separate its stored eventVersion from the current schema version.
+//
+// Contract:
+//   - Event types with no registered upcaster pass through unchanged.
+//   - Event types whose stored version equals currentVersion pass through
+//     unchanged (fast path — hot on projection rebuild).
+//   - Gaps in the chain are a hard error. The registry validates chain
+//     completeness at boot, so this throw is a belt-and-suspenders signal
+//     that something wrote a version number the registry doesn't expect.
+//
+// `ctx` carries db + tenantId for async upcasters that need DB enrichment.
+// Sync transforms ignore ctx entirely.
+// Legacy throw-on-error API — preserved so existing callers (projection-
+// rebuild, msp-rebuild, feature tests) stay unchanged. Returns a
+// StoredEvent (never null); quarantine mode lives on the bulk helper.
+export async function upcastStoredEvent(
+  event: StoredEvent,
+  upcasters: EventUpcasters,
+  ctx: EventUpcastCtx,
+): Promise<StoredEvent> {
+  const result = await upcastStoredEventWithPolicy(event, upcasters, ctx, {
+    errorPolicy: "throw",
+  });
+  // `throw` mode can never return null — the catch-block rethrows. Narrow
+  // the type for callers without an `if (result === null)` check at every
+  // callsite.
+  if (result === null) {
+    throw new Error(
+      `unreachable: upcastStoredEvent with errorPolicy="throw" returned null for "${event.type}"`,
+    );
+  }
+  return result;
+}
+// Underlying policy-aware worker. Returns null when the transform threw
+// AND errorPolicy="quarantine" — the event gets recorded in dead-letters
+// and the bulk helper filters it out.
+async function upcastStoredEventWithPolicy(
+  event: StoredEvent,
+  upcasters: EventUpcasters,
+  ctx: EventUpcastCtx,
+  options: UpcastOptions,
+): Promise<StoredEvent | null> {
+  const info = upcasters.get(event.type);
+  if (!info) return event;
+  if (event.eventVersion >= info.currentVersion) return event;
+  let payload = event.payload as unknown;
+  let v = event.eventVersion;
+  const startVersion = event.eventVersion;
+  while (v < info.currentVersion) {
+    const transform = info.chain.get(v);
+    if (!transform) {
+      // Missing chain is a boot-validator bug, not a data problem —
+      // always throw regardless of policy so the gap gets fixed rather
+      // than silently rotting every affected event into dead-letters.
+      throw new Error(
+        `Missing upcaster for event "${event.type}" v${v} → v${v + 1}. ` +
+          `The registry should have caught this at boot — check the eventUpcasterMap wiring.`,
+      );
+    }
+    try {
+      payload = await transform(payload, ctx);
+      v++;
+    } catch (err) {
+      if (options.errorPolicy === "quarantine") {
+        await recordUpcasterDeadLetter(ctx.db, {
+          event,
+          fromVersion: startVersion,
+          targetVersion: info.currentVersion,
+          error: err,
+        });
+        return null;
+      }
+      throw err;
+    }
+  }
+  return {
+    ...event,
+    payload: payload as Record<string, unknown>, // @cast-boundary engine-payload
+    eventVersion: v,
+  };
+}
+export async function upcastStoredEvents(
+  events: readonly StoredEvent[],
+  upcasters: EventUpcasters,
+  ctx: EventUpcastCtx,
+  options: UpcastOptions = {},
+): Promise<readonly StoredEvent[]> {
+  // skip: no upcasters registered anywhere — common case when a project
+  // hasn't bumped any event version yet. Short-circuit keeps replay fast.
+  if (upcasters.size === 0) return events;
+  const results = await Promise.all(
+    events.map((e) => upcastStoredEventWithPolicy(e, upcasters, ctx, options)),
+  );
+  return results.filter((e): e is StoredEvent => e !== null);
+}
+// Convenience builder for callers that have db + tenantId at hand and want
+// to construct the ctx-arg without restating the field names everywhere.
+export function makeUpcastCtx(db: DbRunner, tenantId: TenantId): EventUpcastCtx {
+  return { db, tenantId };
+}

package/src/files/__tests__/content-disposition.test.ts ADDED Viewed

@@ -0,0 +1,123 @@
+import { describe, expect, test } from "vitest";
+import {
+  buildContentDispositionHeader,
+  encodeRFC5987,
+  toAsciiFallback,
+} from "../content-disposition";
+describe("toAsciiFallback", () => {
+  test("keeps ASCII letters, digits, dot, dash, underscore, parens", () => {
+    expect(toAsciiFallback("photo_2024-01.png")).toBe("photo_2024-01.png");
+    expect(toAsciiFallback("report(v2).pdf")).toBe("report(v2).pdf");
+  });
+  test("collapses spaces, commas, and other non-safe chars to underscore", () => {
+    expect(toAsciiFallback("my photo, v2.png")).toBe("my_photo__v2.png");
+  });
+  test("strips quote characters — the core injection protection", () => {
+    const evil = `safe.png"; filename*=utf-8''evil.exe`;
+    const out = toAsciiFallback(evil);
+    expect(out).not.toContain('"');
+    expect(out).not.toContain(";");
+  });
+  test("strips backslash and path separators (directory-traversal guard)", () => {
+    // Dots survive (whitelisted); `/` and `\` collapse to underscore.
+    expect(toAsciiFallback("../../../etc/passwd")).toBe(".._.._.._etc_passwd");
+    expect(toAsciiFallback("C:\\Windows\\evil.exe")).toBe("C__Windows_evil.exe");
+  });
+  test("collapses non-ASCII (unicode) to underscore — one char per code unit", () => {
+    // 測 + 試 = 2 BMP code units → 2 underscores, then `.png` passes through.
+    expect(toAsciiFallback("測試.png")).toBe("__.png");
+    expect(toAsciiFallback("café.pdf")).toBe("caf_.pdf");
+  });
+  test("truncates at 100 chars to bound header size", () => {
+    const longName = `${"a".repeat(200)}.png`;
+    const out = toAsciiFallback(longName);
+    expect(out.length).toBe(100);
+    expect(out.startsWith("aaaa")).toBe(true);
+  });
+  test("returns 'download' for empty input or when no alphanumerics survive", () => {
+    // Empty stripped.
+    expect(toAsciiFallback("")).toBe("download");
+    // All non-safe chars collapsed → 12 underscores → readable default.
+    expect(toAsciiFallback("@@@###$$$%%%")).toBe("download");
+    // Mix of symbols + dots (dots whitelisted) → still no alphanumerics.
+    expect(toAsciiFallback("@.#.$")).toBe("download");
+  });
+});
+describe("encodeRFC5987", () => {
+  test("passes pure ASCII through (letters, digits)", () => {
+    expect(encodeRFC5987("photo.png")).toBe("photo.png");
+  });
+  test("percent-encodes UTF-8 bytes for non-ASCII", () => {
+    // 測 = UTF-8 E6 B8 AC → %E6%B8%AC
+    const out = encodeRFC5987("測");
+    expect(out).toBe("%E6%B8%AC");
+  });
+  test("escapes the RFC-5987 extras that encodeURIComponent leaves alone", () => {
+    // encodeURIComponent doesn't escape ' ( ) * — RFC 5987 requires we do.
+    // Each char maps to its uppercase hex code.
+    expect(encodeRFC5987("a'b")).toBe("a%27b");
+    expect(encodeRFC5987("a(b)")).toBe("a%28b%29");
+    expect(encodeRFC5987("a*b")).toBe("a%2Ab");
+  });
+  test("uses uppercase hex for consistency (matches RFC sample output)", () => {
+    expect(encodeRFC5987(" ")).toBe("%20");
+    expect(encodeRFC5987(";")).toBe("%3B");
+  });
+});
+describe("buildContentDispositionHeader", () => {
+  test("pure ASCII input produces both parameters", () => {
+    const header = buildContentDispositionHeader("photo.png");
+    expect(header).toBe(`attachment; filename="photo.png"; filename*=UTF-8''photo.png`);
+  });
+  test("unicode input survives losslessly in filename*, stripped in fallback", () => {
+    const header = buildContentDispositionHeader("測試.png");
+    // 2 BMP code units → 2 underscores in fallback, then `.png`.
+    expect(header).toContain(`filename="__.png"`);
+    // filename* carries the full UTF-8 bytes percent-encoded.
+    expect(header).toContain("filename*=UTF-8''%E6%B8%AC%E8%A9%A6.png");
+  });
+  test("injection attempt — header has exactly 3 semicolon-separated parts", () => {
+    // `"; filename*=utf-8''evil.exe` injection — sanitised header must
+    // still parse as a single attachment with exactly two parameters.
+    const header = buildContentDispositionHeader(`normal.png"; filename*=utf-8''evil.exe`);
+    const parts = header.split(";");
+    expect(parts).toHaveLength(3);
+    expect(parts[0]).toBe("attachment");
+    expect(parts[1]?.trim().startsWith("filename=")).toBe(true);
+    expect(parts[2]?.trim().startsWith("filename*=")).toBe(true);
+  });
+  test("fallback never leaks unquoted double-quote", () => {
+    // Any quote inside filename="..." would close the string early and
+    // let the tail parse as new parameters. Proof: the fallback value
+    // (the chars between the first two quotes after "filename=") has
+    // no further quotes.
+    const header = buildContentDispositionHeader(`a"b"c.png`);
+    const match = header.match(/filename="([^"]*)"/);
+    expect(match).not.toBeNull();
+    expect(match?.[1]).not.toContain('"');
+    // All 3 quotes collapsed to underscore in the fallback.
+    expect(match?.[1]).toBe("a_b_c.png");
+  });
+  test("empty filename falls back to 'download'", () => {
+    const header = buildContentDispositionHeader("");
+    expect(header).toContain(`filename="download"`);
+    // Empty filename*: encodeRFC5987("") → "", so filename*=UTF-8''
+    expect(header).toContain(`filename*=UTF-8''`);
+  });
+});