npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.2.2 → 0.3.0 - Mend

@cosmicdrift/kumiko-framework 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (191) hide show

package/CHANGELOG.md +54 -0
package/package.json +124 -38
package/src/__tests__/full-stack.integration.ts +2 -2
package/src/api/auth-routes.ts +5 -5
package/src/api/jwt.ts +2 -2
package/src/api/route-registrars.ts +1 -1
package/src/api/routes.ts +3 -3
package/src/api/server.ts +6 -7
package/src/auth/__tests__/roles.test.ts +24 -0
package/src/auth/index.ts +7 -0
package/src/auth/roles.ts +42 -0
package/src/compliance/__tests__/duration-spec.test.ts +72 -0
package/src/compliance/__tests__/profiles.test.ts +308 -0
package/src/compliance/__tests__/sub-processors.test.ts +139 -0
package/src/compliance/duration-spec.ts +44 -0
package/src/compliance/index.ts +31 -0
package/src/compliance/override-schema.ts +136 -0
package/src/compliance/profiles.ts +427 -0
package/src/compliance/sub-processors.ts +152 -0
package/src/db/__tests__/big-int-field.test.ts +131 -0
package/src/db/assert-exists-in.ts +2 -2
package/src/db/cursor.ts +3 -3
package/src/db/event-store-executor.ts +19 -13
package/src/db/located-timestamp.ts +1 -1
package/src/db/money.ts +12 -2
package/src/db/pg-error.ts +1 -1
package/src/db/row-helpers.ts +1 -1
package/src/db/table-builder.ts +20 -5
package/src/db/tenant-db.ts +9 -9
package/src/engine/__tests__/_pipeline-test-utils.ts +23 -0
package/src/engine/__tests__/boot-validator-api-exposure.test.ts +142 -0
package/src/engine/__tests__/boot-validator-pii-retention.test.ts +570 -0
package/src/engine/__tests__/boot-validator-s0-integration.test.ts +160 -0
package/src/engine/__tests__/build-target.test.ts +135 -0
package/src/engine/__tests__/codemod-pipeline.test.ts +551 -0
package/src/engine/__tests__/entity-handlers.test.ts +3 -3
package/src/engine/__tests__/event-helpers.test.ts +4 -4
package/src/engine/__tests__/pipeline-engine.test.ts +215 -0
package/src/engine/__tests__/pipeline-handler.integration.ts +894 -0
package/src/engine/__tests__/pipeline-observability.integration.ts +142 -0
package/src/engine/__tests__/pipeline-performance.integration.ts +152 -0
package/src/engine/__tests__/pipeline-sub-pipelines.test.ts +288 -0
package/src/engine/__tests__/raw-table.test.ts +2 -2
package/src/engine/__tests__/steps-aggregate-append-event.test.ts +115 -0
package/src/engine/__tests__/steps-aggregate-create.test.ts +92 -0
package/src/engine/__tests__/steps-aggregate-update.test.ts +127 -0
package/src/engine/__tests__/steps-call-feature.test.ts +123 -0
package/src/engine/__tests__/steps-mail-send.test.ts +136 -0
package/src/engine/__tests__/steps-read.test.ts +142 -0
package/src/engine/__tests__/steps-resolver-utils.test.ts +50 -0
package/src/engine/__tests__/steps-unsafe-projection-delete.test.ts +69 -0
package/src/engine/__tests__/steps-unsafe-projection-upsert.test.ts +117 -0
package/src/engine/__tests__/steps-webhook-send.test.ts +135 -0
package/src/engine/__tests__/steps-workflow.test.ts +198 -0
package/src/engine/__tests__/validate-projection-allowlist.test.ts +491 -0
package/src/engine/__tests__/visual-tree-patterns.test.ts +251 -0
package/src/engine/boot-validator/api-ext.ts +77 -0
package/src/engine/boot-validator/config-deps.ts +163 -0
package/src/engine/boot-validator/entity-handler.ts +466 -0
package/src/engine/boot-validator/index.ts +159 -0
package/src/engine/boot-validator/ownership.ts +198 -0
package/src/engine/boot-validator/pii-retention.ts +155 -0
package/src/engine/boot-validator/screens-nav.ts +624 -0
package/src/engine/boot-validator.ts +1 -1528
package/src/engine/build-app-schema.ts +1 -1
package/src/engine/build-target.ts +99 -0
package/src/engine/codemod/index.ts +15 -0
package/src/engine/codemod/pipeline-codemod.ts +641 -0
package/src/engine/config-helpers.ts +9 -19
package/src/engine/constants.ts +1 -1
package/src/engine/define-feature.ts +127 -9
package/src/engine/define-handler.ts +89 -3
package/src/engine/define-roles.ts +2 -2
package/src/engine/define-step.ts +28 -0
package/src/engine/define-workflow.ts +110 -0
package/src/engine/entity-handlers.ts +10 -9
package/src/engine/event-helpers.ts +4 -4
package/src/engine/extension-names.ts +105 -0
package/src/engine/extensions/user-data.ts +106 -0
package/src/engine/factories.ts +26 -16
package/src/engine/feature-ast/__tests__/visual-tree-parse.test.ts +184 -0
package/src/engine/feature-ast/extractors/index.ts +74 -0
package/src/engine/feature-ast/extractors/round1.ts +110 -0
package/src/engine/feature-ast/extractors/round2.ts +253 -0
package/src/engine/feature-ast/extractors/round3.ts +471 -0
package/src/engine/feature-ast/extractors/round4.ts +1365 -0
package/src/engine/feature-ast/extractors/round5.ts +72 -0
package/src/engine/feature-ast/extractors/round6.ts +66 -0
package/src/engine/feature-ast/extractors/shared.ts +177 -0
package/src/engine/feature-ast/parse.ts +13 -0
package/src/engine/feature-ast/patch.ts +9 -1
package/src/engine/feature-ast/patcher.ts +10 -3
package/src/engine/feature-ast/patterns.ts +71 -1
package/src/engine/feature-ast/render.ts +31 -1
package/src/engine/index.ts +66 -2
package/src/engine/pattern-library/__tests__/library.test.ts +11 -0
package/src/engine/pattern-library/library.ts +78 -2
package/src/engine/pipeline.ts +88 -0
package/src/engine/projection-helpers.ts +1 -1
package/src/engine/read-claim.ts +1 -1
package/src/engine/registry.ts +30 -2
package/src/engine/resolve-config-or-param.ts +4 -0
package/src/engine/run-pipeline.ts +162 -0
package/src/engine/schema-builder.ts +10 -4
package/src/engine/state-machine.ts +1 -1
package/src/engine/steps/_drizzle-boundary.ts +19 -0
package/src/engine/steps/_duration-utils.ts +33 -0
package/src/engine/steps/_no-return-guard.ts +21 -0
package/src/engine/steps/_resolver-utils.ts +42 -0
package/src/engine/steps/_step-dispatch-constants.ts +38 -0
package/src/engine/steps/aggregate-append-event.ts +56 -0
package/src/engine/steps/aggregate-create.ts +56 -0
package/src/engine/steps/aggregate-update.ts +68 -0
package/src/engine/steps/branch.ts +84 -0
package/src/engine/steps/call-feature.ts +49 -0
package/src/engine/steps/compute.ts +41 -0
package/src/engine/steps/for-each.ts +111 -0
package/src/engine/steps/mail-send.ts +44 -0
package/src/engine/steps/read-find-many.ts +51 -0
package/src/engine/steps/read-find-one.ts +58 -0
package/src/engine/steps/retry.ts +87 -0
package/src/engine/steps/return.ts +34 -0
package/src/engine/steps/unsafe-projection-delete.ts +46 -0
package/src/engine/steps/unsafe-projection-upsert.ts +69 -0
package/src/engine/steps/wait-for-event.ts +71 -0
package/src/engine/steps/wait.ts +69 -0
package/src/engine/steps/webhook-send.ts +71 -0
package/src/engine/system-user.ts +1 -1
package/src/engine/types/feature.ts +143 -1
package/src/engine/types/fields.ts +134 -10
package/src/engine/types/handlers.ts +18 -10
package/src/engine/types/identifiers.ts +1 -0
package/src/engine/types/index.ts +15 -1
package/src/engine/types/step.ts +334 -0
package/src/engine/types/target-ref.ts +21 -0
package/src/engine/types/tree-node.ts +130 -0
package/src/engine/types/workspace.ts +7 -0
package/src/engine/validate-projection-allowlist.ts +161 -0
package/src/event-store/snapshot.ts +1 -1
package/src/event-store/upcaster-dead-letter.ts +1 -1
package/src/event-store/upcaster.ts +1 -1
package/src/files/__tests__/read-stream.test.ts +105 -0
package/src/files/__tests__/write-stream.test.ts +233 -0
package/src/files/__tests__/zip-stream.test.ts +357 -0
package/src/files/file-routes.ts +1 -1
package/src/files/in-memory-provider.ts +38 -0
package/src/files/index.ts +3 -0
package/src/files/local-provider.ts +58 -1
package/src/files/types.ts +36 -8
package/src/files/zip-stream.ts +251 -0
package/src/jobs/job-runner.ts +10 -10
package/src/lifecycle/lifecycle.ts +0 -3
package/src/logging/index.ts +1 -0
package/src/logging/pino-logger.ts +11 -7
package/src/logging/utils.ts +24 -0
package/src/observability/prometheus-meter.ts +7 -5
package/src/pipeline/__tests__/archive-stream.integration.ts +1 -1
package/src/pipeline/__tests__/causation-chain.integration.ts +1 -1
package/src/pipeline/__tests__/domain-events-projections.integration.ts +3 -3
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +4 -4
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +1 -1
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +3 -3
package/src/pipeline/__tests__/msp-rebuild.integration.ts +3 -3
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +2 -2
package/src/pipeline/__tests__/query-projection.integration.ts +5 -5
package/src/pipeline/append-event-core.ts +22 -6
package/src/pipeline/dispatcher-utils.ts +188 -0
package/src/pipeline/dispatcher.ts +63 -283
package/src/pipeline/distributed-lock.ts +1 -1
package/src/pipeline/entity-cache.ts +2 -2
package/src/pipeline/event-consumer-state.ts +0 -13
package/src/pipeline/event-dispatcher.ts +4 -4
package/src/pipeline/index.ts +0 -2
package/src/pipeline/lifecycle-pipeline.ts +6 -12
package/src/pipeline/msp-rebuild.ts +5 -5
package/src/pipeline/multi-stream-apply-context.ts +6 -7
package/src/pipeline/projection-rebuild.ts +2 -2
package/src/pipeline/projection-state.ts +0 -12
package/src/rate-limit/__tests__/resolver.integration.ts +8 -4
package/src/rate-limit/resolver.ts +1 -1
package/src/search/in-memory-adapter.ts +1 -1
package/src/search/meilisearch-adapter.ts +3 -3
package/src/search/types.ts +1 -1
package/src/secrets/leak-guard.ts +2 -2
package/src/stack/request-helper.ts +9 -5
package/src/stack/test-stack.ts +1 -1
package/src/testing/handler-context.ts +4 -4
package/src/testing/http-cookies.ts +1 -1
package/src/time/tz-context.ts +1 -2
package/src/ui-types/index.ts +4 -0
package/src/engine/feature-ast/extractors.ts +0 -2562

package/src/engine/define-feature.ts CHANGED Viewed

@@ -56,15 +56,20 @@ import type {
   SecretOptions,
   TranslationKeys,
   TranslationsDef,
+  TreeActionDef,
+  TreeActionsHandle,
+  TreeChildrenSubscribe,
   ValidationHookFn,
   WriteHandlerDef,
   WriteHandlerFn,
 } from "./types";
 import { HookPhases } from "./types";
+import type { RequiresApi } from "./types/feature";
 import { resolveName } from "./types/handlers";
 import type { HttpRouteDefinition } from "./types/http-route";
 import type { NavDefinition } from "./types/nav";
 import type { ScreenDefinition } from "./types/screen";
+import type { PipelineDef } from "./types/step";
 import type { WorkspaceDefinition } from "./types/workspace";
 const LIFECYCLE_TYPES = Object.values(LifecycleHookTypes);
@@ -87,6 +92,11 @@ export function defineFeature<const TName extends string, TExports = undefined>(
 ): FeatureDefinition & { readonly exports: TExports } {
   const requires: string[] = [];
   const optionalRequires: string[] = [];
+  // Read-side projection-tables declared via r.requires.projection("table").
+  // Boot-validator checks unsafeProjection-* step calls against this set.
+  const requiredProjections = new Set<string>();
+  // Tier-2 step kinds declared via r.requires.step("webhook.send"). Q9.
+  const requiredSteps = new Set<string>();
   const entities: Record<string, EntityDefinition> = {};
   const relations: Record<string, Record<string, RelationDefinition>> = {};
   const writeHandlers: Record<string, WriteHandlerDef> = {};
@@ -112,6 +122,8 @@ export function defineFeature<const TName extends string, TExports = undefined>(
   const notifications: Record<string, NotificationDefinition> = {};
   const registrarExtensions: Record<string, RegistrarExtensionDef> = {};
   const extensionUsages: RegistrarExtensionRegistration[] = [];
+  const exposedApis: Set<string> = new Set();
+  const usedApis: Set<string> = new Set();
   const referenceData: ReferenceDataDef[] = [];
   const handlerEntityMappings: Record<string, string> = {};
   const metrics: Record<string, FeatureMetricDef> = {};
@@ -133,6 +145,14 @@ export function defineFeature<const TName extends string, TExports = undefined>(
   let isSystemScoped = false;
   let toggleableDefault: boolean | undefined;
+  // Visual-Tree-Slots — at-most-one per feature, only-once-guard im
+  // registrar (siehe r.treeActions / r.tree). Undefined wenn das Feature
+  // keinen Visual-Tree-Beitrag liefert (Zero-Whitelist-Filter).
+  // Name-Collision-Sicherheit: object-literal-method-Names im registrar
+  // sind keine bindings im closure-scope, daher kollidiert die `treeActions`
+  // closure-let-var nicht mit der `treeActions(...)` registrar-Methode.
+  let treeActions: Readonly<Record<string, TreeActionDef>> | undefined;
+  let treeProvider: TreeChildrenSubscribe | undefined;
   // Map handler name to entity via colon convention.
   // "task:create" → entity "task". No colon → standalone handler, no mapping.
@@ -151,9 +171,18 @@ export function defineFeature<const TName extends string, TExports = undefined>(
       isSystemScoped = true;
     },
-    requires(...featureNames: string[]): void {
-      requires.push(...featureNames);
-    },
+    requires: (() => {
+      const fn = (...featureNames: string[]) => {
+        requires.push(...featureNames);
+      };
+      fn.projection = (tableName: string) => {
+        requiredProjections.add(tableName);
+      };
+      fn.step = (stepKind: string) => {
+        requiredSteps.add(stepKind);
+      };
+      return fn as RequiresApi;
+    })(),
     optionalRequires(...featureNames: string[]): void {
       optionalRequires.push(...featureNames);
@@ -184,11 +213,27 @@ export function defineFeature<const TName extends string, TExports = undefined>(
         writeHandlers[def.name] = {
           name: def.name,
           schema: def.schema,
-          // @cast-boundary engine-bridge — typed Dev-API → erased internal storage
+          // @cast-boundary engine-bridge — typed Dev-API's handler is
+          // generic over the schema's parsed payload (`WriteEvent<output<TSchema>>`),
+          // the storage form WriteHandlerFn carries `WriteEvent<unknown>`.
+          // Function-arg variance: TS sees the typed handler as stricter
+          // than the loose storage shape and rejects direct assignment.
+          // The runtime value is identical — the cast crosses that boundary.
+          // `satisfies` does not work here (it asserts assignability, which
+          // is what fails). Explicit cast is the right tool.
           handler: def.handler as WriteHandlerFn,
           ...(def.access && { access: def.access }),
-          ...(def.skipTransitionGuard && { skipTransitionGuard: true }),
+          ...(def.unsafeSkipTransitionGuard && { unsafeSkipTransitionGuard: true }),
           ...(def.rateLimit && { rateLimit: def.rateLimit }),
+          // Forward the pipeline-build closure so boot-validators and
+          // Designer/AI tooling can inspect the step list. Absent on
+          // free-form handlers — defineWriteHandler only sets `perform`
+          // when the author used the pipeline form. Variance cast
+          // mirrors the handler-cast above: PipelineDef<output<TSchema>>
+          // is stricter than PipelineDef<unknown> for the same reason.
+          ...(def.perform !== undefined && {
+            perform: def.perform as PipelineDef,
+          }),
         };
         tryMapEntity(def.name);
         return { name: def.name };
@@ -218,7 +263,7 @@ export function defineFeature<const TName extends string, TExports = undefined>(
           name: def.name,
           schema: def.schema,
           // @cast-boundary engine-bridge — typed Dev-API → erased internal storage
-          handler: def.handler as QueryHandlerFn,
+          handler: def.handler as QueryHandlerFn, // @cast-boundary engine-bridge
           ...(def.access && { access: def.access }),
           ...(def.rateLimit && { rateLimit: def.rateLimit }),
         };
@@ -343,7 +388,7 @@ export function defineFeature<const TName extends string, TExports = undefined>(
           ? {
               on: Array.isArray(options.trigger.on)
                 ? options.trigger.on.map(resolveName)
-                : resolveName(options.trigger.on as NameOrRef),
+                : resolveName(options.trigger.on as NameOrRef), // @cast-boundary engine-bridge
             }
           : options.trigger;
       jobs[jobName] = { ...options, trigger, name: jobName, handler };
@@ -464,6 +509,41 @@ export function defineFeature<const TName extends string, TExports = undefined>(
       extensionUsages.push({ extensionName, entityName: resolveName(entityRef), options });
     },
+    /**
+     * Marker-Deklaration: dieses Feature stellt eine Cross-Feature-API
+     * unter dem genannten Namen bereit. Die eigentliche Implementation
+     * wird separat als Query- oder Write-Handler unter dem QN-Pattern
+     * registriert; r.exposesApi ist reine Boot-Check-Surface.
+     *
+     * Beispiel:
+     *   defineFeature("compliance-profiles", (r) => {
+     *     r.exposesApi("compliance.forTenant");
+     *     r.queryHandler({ name: "compliance:query:for-tenant", ... });
+     *   });
+     *   defineFeature("user-data-rights", (r) => {
+     *     r.requires("compliance-profiles");
+     *     r.usesApi("compliance.forTenant");
+     *     // ruft im Handler: ctx.callQuery("compliance:query:for-tenant", ...)
+     *   });
+     */
+    exposesApi(apiName: string): void {
+      if (exposedApis.has(apiName)) {
+        throw new Error(
+          `[Feature ${name}] r.exposesApi("${apiName}") called twice — API names must be unique within a feature.`,
+        );
+      }
+      exposedApis.add(apiName);
+    },
+    /**
+     * Declares that this feature calls a cross-feature API. Boot-Validator
+     * checkt dass irgendein anderes Feature `r.exposesApi(name)` macht und
+     * dass dieses Feature `r.requires` darauf hat.
+     */
+    usesApi(apiName: string): void {
+      usedApis.add(apiName);
+    },
     metric(shortName: string, options: MetricOptions): void {
       if (metrics[shortName]) {
         throw new Error(
@@ -686,9 +766,41 @@ export function defineFeature<const TName extends string, TExports = undefined>(
       };
       return { name: qualifiedName, type: options.type };
     },
+    treeActions<const TActions extends Record<string, TreeActionDef>>(
+      actions: TActions,
+    ): TreeActionsHandle<TName, TActions> {
+      // Only-once-guard: zweiter Aufruf ist Author-Bug, soll am
+      // Feature-File aufschlagen (gleicher Stil wie r.toggleable).
+      if (treeActions !== undefined) {
+        throw new Error(
+          `[Feature ${name}] r.treeActions() already called. ` +
+            `Each feature may declare a single tree-actions schema.`,
+        );
+      }
+      treeActions = actions;
+      // Return typed handle für setup-export. Frozen damit Caller die
+      // Map nicht nachträglich mutieren (würde Pattern-AST + Runtime-
+      // Lookup divergieren lassen).
+      return Object.freeze({
+        id: name,
+        treeActions: actions,
+      });
+    },
+    tree(provider: TreeChildrenSubscribe): void {
+      // Only-once-guard analog zu r.treeActions.
+      if (treeProvider !== undefined) {
+        throw new Error(
+          `[Feature ${name}] r.tree() already called. ` +
+            `Each feature may declare a single tree-provider.`,
+        );
+      }
+      treeProvider = provider;
+    },
   };
-  const exports = setup(registrar) as TExports;
+  const exports = setup(registrar) as TExports; // @cast-boundary engine-bridge
   return {
     name,
@@ -696,6 +808,8 @@ export function defineFeature<const TName extends string, TExports = undefined>(
     exports,
     requires,
     optionalRequires,
+    requiredProjections,
+    requiredSteps,
     ...(toggleableDefault !== undefined && { toggleableDefault }),
     entities,
     relations,
@@ -709,7 +823,7 @@ export function defineFeature<const TName extends string, TExports = undefined>(
       preDelete: phasedLifecycleHooks.preDelete,
       postDelete: phasedLifecycleHooks.postDelete,
       preQuery: lifecycleHooks["preQuery"] ?? {},
-    } as HookMap,
+    } as HookMap, // @cast-boundary engine-payload
     entityHooks: {
       postSave: entityPostSave,
       preDelete: entityPreDelete,
@@ -720,6 +834,8 @@ export function defineFeature<const TName extends string, TExports = undefined>(
     notifications,
     registrarExtensions,
     extensionUsages,
+    exposedApis,
+    usedApis,
     referenceData,
     events,
     eventMigrations,
@@ -736,5 +852,7 @@ export function defineFeature<const TName extends string, TExports = undefined>(
     workspaces,
     httpRoutes,
     rawTables,
+    ...(treeActions !== undefined && { treeActions }),
+    ...(treeProvider !== undefined && { treeProvider }),
   };
 }

package/src/engine/define-handler.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import type { ZodType, z } from "zod";
+import { runPipeline } from "./run-pipeline";
 import type {
   AccessRule,
   HandlerContext,
@@ -8,6 +9,7 @@ import type {
   WriteEvent,
   WriteResult,
 } from "./types";
+import type { PipelineDef } from "./types/step";
 // --- Write Handler Definition ---
 //
@@ -19,6 +21,10 @@ import type {
 // definition-site (framework's compile, where the augmentation isn't
 // visible) and collapse `keyof TMap` to `never`. See the spike-findings
 // memory for the empirical proof.
+//
+// Two authoring forms — `handler` (free-form) or `perform: pipeline(...)`
+// (step-pipeline). A `perform` is compiled to a handler-function at
+// definition time; the dispatcher only ever sees `handler`.
 export type WriteHandlerDefinition<
   TName extends string = string,
@@ -29,23 +35,103 @@ export type WriteHandlerDefinition<
   readonly name: TName;
   readonly schema: TSchema;
   readonly access?: AccessRule;
-  readonly skipTransitionGuard?: boolean;
+  readonly unsafeSkipTransitionGuard?: boolean;
   readonly rateLimit?: RateLimitOption;
   readonly handler: (
     event: WriteEvent<z.infer<TSchema>>,
     context: HandlerContext<TMap>,
   ) => Promise<WriteResult<TData>>;
+  // Preserved when the author wrote a `perform` block — the original
+  // PipelineDef. Designer/AI/AST tools read this when present; the
+  // dispatcher ignores it and just calls `handler`. Absent on free-form
+  // handlers.
+  readonly perform?: PipelineDef<z.infer<TSchema>, TData>;
 };
+// Author-facing input — accepts either the free-form `handler` or the
+// pipeline-form `perform`. defineWriteHandler narrows them to the
+// canonical WriteHandlerDefinition shape.
+export type WriteHandlerInput<
+  TName extends string = string,
+  TSchema extends ZodType = ZodType,
+  TData = unknown,
+  TMap extends object = KumikoEventTypeMap,
+> = {
+  readonly name: TName;
+  readonly schema: TSchema;
+  readonly access?: AccessRule;
+  readonly unsafeSkipTransitionGuard?: boolean;
+  readonly rateLimit?: RateLimitOption;
+} & (
+  | {
+      readonly handler: (
+        event: WriteEvent<z.infer<TSchema>>,
+        context: HandlerContext<TMap>,
+      ) => Promise<WriteResult<TData>>;
+      readonly perform?: never;
+    }
+  | {
+      readonly perform: PipelineDef<z.infer<TSchema>, TData>;
+      readonly handler?: never;
+    }
+);
 export function defineWriteHandler<
   const TName extends string,
   TSchema extends ZodType,
   TData = unknown,
   TMap extends object = KumikoEventTypeMap,
 >(
-  def: WriteHandlerDefinition<TName, TSchema, TData, TMap>,
+  def: WriteHandlerInput<TName, TSchema, TData, TMap>,
 ): WriteHandlerDefinition<TName, TSchema, TData, TMap> {
-  return def;
+  // Runtime-guard against accidentally setting BOTH handler+perform.
+  // The discriminated-union type-error
+  //   "Type 'PipelineDef<...>' is not assignable to type 'undefined'."
+  // is functional but cryptic for less TS-experienced users; this throws
+  // a name-and-explanation error message instead. Followup #3.
+  // The cast is necessary because the discriminated union narrows
+  // `handler` away once `perform` is present (and vice-versa) — at this
+  // boundary we want to read both regardless of the narrowing.
+  const probe = def as {
+    readonly handler?: unknown;
+    readonly perform?: unknown;
+    readonly name: TName;
+  };
+  if (probe.handler !== undefined && probe.perform !== undefined) {
+    throw new Error(
+      `defineWriteHandler("${def.name}"): both \`handler\` and \`perform\` are set. ` +
+        `Pick one — \`handler\` for the free-form async function, ` +
+        `\`perform: pipeline(...)\` for the step-pipeline form. ` +
+        `(See step-vocabulary.md for which form fits.)`,
+    );
+  }
+  // Conditional spreads (`...(def.access && { access: def.access })`)
+  // mirror the existing convention in entity-handlers.ts /
+  // define-feature.ts — optional fields stay absent rather than being
+  // serialised as `key: undefined`.
+  const base = {
+    name: def.name,
+    schema: def.schema,
+    ...(def.access && { access: def.access }),
+    ...(def.unsafeSkipTransitionGuard && {
+      unsafeSkipTransitionGuard: def.unsafeSkipTransitionGuard,
+    }),
+    ...(def.rateLimit && { rateLimit: def.rateLimit }),
+  };
+  if ("perform" in def && def.perform !== undefined) {
+    const performDef = def.perform;
+    const compiledHandler = async (
+      event: WriteEvent<z.infer<TSchema>>,
+      ctx: HandlerContext<TMap>,
+    ): Promise<WriteResult<TData>> => {
+      return runPipeline<z.infer<TSchema>, TData, TMap>(performDef, event, ctx);
+    };
+    return { ...base, handler: compiledHandler, perform: performDef };
+  }
+  return { ...base, handler: def.handler };
 }
 // --- Query Handler Definition ---

package/src/engine/define-roles.ts CHANGED Viewed

@@ -11,9 +11,9 @@ type RoleMap<T extends readonly string[]> = {
 };
 export function defineRoles<const T extends readonly string[]>(roles: T): RoleMap<T> {
-  const map = {} as Record<string, string>;
+  const map = {} as Record<string, string>; // @cast-boundary schema-walk
   for (const role of roles) {
     map[role] = role;
   }
-  return map as RoleMap<T>;
+  return map as RoleMap<T>; // @cast-boundary schema-walk
 }

package/src/engine/define-step.ts ADDED Viewed

@@ -0,0 +1,28 @@
+// Step-Registry + defineStep factory.
+//
+// Steps are registered at module-load time via defineStep(). The runtime
+// (run-pipeline.ts) looks them up by `kind` to dispatch run-calls.
+//
+// The registry is process-global; Tier-2 step opt-in via
+// `r.requires.step("…")` (Q9 in step-vocabulary.md) is a future pass.
+import type { StepDef, StepKind } from "./types/step";
+const stepRegistry = new Map<StepKind, StepDef>();
+export function defineStep<TArgs, TResult>(def: StepDef<TArgs, TResult>): StepDef<TArgs, TResult> {
+  const existing = stepRegistry.get(def.kind);
+  if (existing && existing !== def) {
+    throw new Error(`Step kind "${def.kind}" is already registered with a different definition`);
+  }
+  stepRegistry.set(def.kind, def as StepDef);
+  return def;
+}
+export function getStep(kind: StepKind): StepDef | undefined {
+  return stepRegistry.get(kind);
+}
+export function listStepKinds(): readonly StepKind[] {
+  return Array.from(stepRegistry.keys());
+}

package/src/engine/define-workflow.ts ADDED Viewed

@@ -0,0 +1,110 @@
+// defineWorkflow — define a persistent, suspendable workflow.
+// Tier-3 / Workflow-only mount-point. See step-vocabulary.md Sample 2 for
+// the full lifecycle (run.started → wait → resume → run.completed) and
+// Q7 (Snapshot-at-Start) for the in-flight upgrade story.
+import { createHash } from "node:crypto";
+import type { WriteEvent } from "./types/handlers";
+import type { PipelineDef } from "./types/step";
+/**
+ * Trigger configuration for a workflow. Determines what starts a run.
+ */
+export type WorkflowTrigger =
+  | {
+      readonly kind: "event";
+      readonly eventType: string;
+      readonly filter?: (event: WriteEvent) => boolean;
+    }
+  | {
+      readonly kind: "cron";
+      readonly schedule: string; // cron expression
+    }
+  | {
+      readonly kind: "webhook";
+      readonly path: string;
+    };
+/**
+ * Workflow definition — the result of defineWorkflow().
+ */
+export type WorkflowDefinition<TPayload = unknown, TData = unknown> = {
+  readonly __kind: "workflow";
+  readonly name: string;
+  readonly trigger: WorkflowTrigger;
+  /** The pipeline definition containing the step list closure. */
+  readonly pipelineDef: PipelineDef<TPayload, TData>;
+  /** Idempotency key for deduplication — prevents duplicate runs. */
+  readonly idempotencyKey?: string | ((event: WriteEvent<TPayload>) => string);
+};
+/**
+ * Input shape for defineWorkflow() — the user-facing API.
+ */
+export type WorkflowInput<TPayload = unknown, TData = unknown> = {
+  readonly name: string;
+  readonly trigger: WorkflowTrigger;
+  readonly steps: PipelineDef<TPayload, TData>;
+  readonly idempotencyKey?: string | ((event: WriteEvent<TPayload>) => string);
+  readonly onError?: PipelineDef<unknown>;
+};
+/**
+ * Define a suspendable workflow.
+ *
+ * Example:
+ * ```ts
+ * defineWorkflow({
+ *   name: "user-onboarding",
+ *   trigger: { kind: "event", eventType: "user.signed-up" },
+ *   steps: pipeline(({ event, r }) => [
+ *     r.step.mail.send({ to: () => event.payload.email, subject: "Welcome!", body: "..." }),
+ *     r.step.wait({ for: "P1D" }),
+ *     r.step.read.findOne("user", { table: userTable, where: ... }),
+ *     r.step.branch({ if: ({ steps }) => ..., onTrue: [...], onFalse: [...] }),
+ *     r.step.retry({ times: 3, backoff: "exponential", do: [
+ *       r.step.webhook.send({ url: "...", mode: "deferred" }),
+ *     ]}),
+ *   ]),
+ * });
+ * ```
+ */
+export function defineWorkflow<TPayload = unknown, TData = unknown>(
+  input: WorkflowInput<TPayload, TData>,
+): WorkflowDefinition<TPayload, TData> {
+  return {
+    __kind: "workflow",
+    name: input.name,
+    trigger: input.trigger,
+    pipelineDef: input.steps,
+    idempotencyKey: input.idempotencyKey,
+  };
+}
+/**
+ * Q7 Snapshot-at-Start fingerprint. SHA-256 over the workflow's stable
+ * identity (name + trigger + serialized pipeline-closure source). Persisted
+ * in `workflow.run.started` and re-checked at every resume so a library-
+ * upgrade that changes the closure source surfaces as a loud
+ * `workflow-definition-changed` failure on in-flight runs instead of a
+ * silent semantic drift.
+ *
+ * Limitations (will be tightened in M.5 with the Designer/AST layer):
+ *   - `build.toString()` captures the closure source but not bindings —
+ *     two definitions that import different external helpers with the
+ *     same source bytes would collide. Acceptable for M.4 because the
+ *     fingerprint is a *change-detector*, not a deep semantic identity.
+ *   - Minifiers / source-maps will produce different fingerprints across
+ *     environments. Run-the-fingerprint-in-the-same-environment is the
+ *     contract; cross-env replay is out of scope.
+ */
+export function computeDefinitionFingerprint(
+  workflow: Pick<WorkflowDefinition, "name" | "trigger" | "pipelineDef">,
+): string {
+  const material = JSON.stringify({
+    name: workflow.name,
+    trigger: workflow.trigger,
+    source: workflow.pipelineDef.build.toString(),
+  });
+  return createHash("sha256").update(material).digest("hex");
+}

package/src/engine/entity-handlers.ts CHANGED Viewed

@@ -112,8 +112,8 @@ function parseHandlerName<TVerb extends string>(
   if (!entityName) {
     throw new Error(`Handler name "${name}" is missing the entity part before the colon.`);
   }
-  // @cast-boundary engine-bridge — verbCandidate validated against validVerbs union
-  if (!(validVerbs as readonly string[]).includes(verbCandidate)) {
+  const verbs = validVerbs as readonly string[]; // @cast-boundary engine-bridge
+  if (!verbs.includes(verbCandidate)) {
     throw new Error(
       `Unknown verb "${verbCandidate}" in handler name "${name}". Standard verbs: ${validVerbs.join("/")}. For custom verbs use the explicit r.writeHandler / r.queryHandler form.`,
     );
@@ -151,17 +151,17 @@ export function defineEntityWriteHandler(
         changes: buildUpdateSchema(entity),
       });
       handler = async (event, ctx) =>
-        executor.update(event.payload as UpdatePayload, event.user, ctx.db);
+        executor.update(event.payload as UpdatePayload, event.user, ctx.db); // @cast-boundary engine-payload
       break;
     case "delete":
       schema = idSchema;
       handler = async (event, ctx) =>
-        executor.delete(event.payload as IdPayload, event.user, ctx.db);
+        executor.delete(event.payload as IdPayload, event.user, ctx.db); // @cast-boundary engine-payload
       break;
     case "restore":
       schema = idSchema;
       handler = async (event, ctx) =>
-        executor.restore(event.payload as IdPayload, event.user, ctx.db);
+        executor.restore(event.payload as IdPayload, event.user, ctx.db); // @cast-boundary engine-payload
       break;
     default:
       assertUnreachable(verb, "write verb");
@@ -205,7 +205,8 @@ export function defineEntityQueryHandler(
         // läuft (Remote-Combobox-Search). Der executor wird beim
         // Definition-Time gebaut, kennt den Adapter also nicht —
         // Runtime-Override holt das.
-        const result = await executor.list(query.payload as ListPayload, query.user, ctx.db, {
+        const listPayload = query.payload as ListPayload; // @cast-boundary engine-payload
+        const result = await executor.list(listPayload, query.user, ctx.db, {
           ...(ctx.searchAdapter !== undefined && { searchAdapter: ctx.searchAdapter }),
         });
         if (!hasRefFields) return result;
@@ -221,7 +222,7 @@ export function defineEntityQueryHandler(
     case "detail":
       schema = idSchema;
       handler = async (query, ctx) => {
-        const row = await executor.detail(query.payload as IdPayload, query.user, ctx.db);
+        const row = await executor.detail(query.payload as IdPayload, query.user, ctx.db); // @cast-boundary engine-payload
         if (row === null || !hasRefFields) return row;
         return enrichRowWithReferences(row, entity, (name) => ctx.registry.getEntity(name), ctx.db);
       };
@@ -345,7 +346,7 @@ export function createEntityExecutor(
 export function defineProjectionQueryHandler(
   name: string,
   projectionQualifiedName: string,
-  options?: { access?: AccessRule; allTenants?: boolean },
+  options?: { access?: AccessRule; unsafeAllTenants?: boolean },
 ): QueryHandlerDef {
   return {
     name,
@@ -357,7 +358,7 @@ export function defineProjectionQueryHandler(
     handler: async (_query, ctx) =>
       ctx.queryProjection(
         projectionQualifiedName,
-        options?.allTenants ? { allTenants: true } : undefined,
+        options?.unsafeAllTenants ? { unsafeAllTenants: true } : undefined,
       ),
     ...(options?.access && { access: options.access }),
   };

package/src/engine/event-helpers.ts CHANGED Viewed

@@ -4,11 +4,11 @@ import type { AppendEventArgs, EventDef, HandlerContext } from "./types/handlers
 // MultiStreamApplyContext-style callers pass their own appendEvent without
 // a full HandlerContext. Real handlers just pass `ctx`.
 //
-// Uses appendEventUnsafe internally because EventDef's TPayload comes from
+// Uses unsafeAppendEvent internally because EventDef's TPayload comes from
 // a runtime-defined zod-schema — emitEvent does the type-check itself via
 // the EventDef generic, so it doesn't need the strict KumikoEventTypeMap
 // path. The strict appendEvent is for direct in-handler callsites.
-export type EmitCtx = Pick<HandlerContext, "appendEventUnsafe">;
+export type EmitCtx = Pick<HandlerContext, "unsafeAppendEvent">;
 // Typed wrapper around ctx.appendEvent. Two wins over the raw call:
 //
@@ -42,7 +42,7 @@ export async function emitEvent<TPayload>(
     type: eventDef.name,
     payload: args.payload,
   };
-  await ctx.appendEventUnsafe(appendArgs);
+  await ctx.unsafeAppendEvent(appendArgs);
 }
 // Read-side counterpart: narrow a StoredEvent's `payload` (declared as
@@ -69,5 +69,5 @@ export function typedPayload<TPayload>(
         `Check the projection-apply / reducer mapping — the event was routed to the wrong handler.`,
     );
   }
-  return event.payload as TPayload;
+  return event.payload as TPayload; // @cast-boundary engine-payload
 }