npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.2.3 → 0.4.0 - Mend

@cosmicdrift/kumiko-framework 0.2.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/CHANGELOG.md +93 -0
package/package.json +124 -39
package/src/__tests__/full-stack.integration.ts +2 -2
package/src/api/auth-routes.ts +5 -5
package/src/api/jwt.ts +2 -2
package/src/api/route-registrars.ts +1 -1
package/src/api/routes.ts +3 -3
package/src/api/server.ts +6 -7
package/src/compliance/profiles.ts +8 -8
package/src/db/assert-exists-in.ts +2 -2
package/src/db/cursor.ts +3 -3
package/src/db/event-store-executor.ts +19 -13
package/src/db/located-timestamp.ts +1 -1
package/src/db/money.ts +12 -2
package/src/db/pg-error.ts +1 -1
package/src/db/row-helpers.ts +1 -1
package/src/db/table-builder.ts +3 -5
package/src/db/tenant-db.ts +9 -9
package/src/engine/__tests__/_pipeline-test-utils.ts +23 -0
package/src/engine/__tests__/build-target.test.ts +135 -0
package/src/engine/__tests__/codemod-pipeline.test.ts +551 -0
package/src/engine/__tests__/entity-handlers.test.ts +3 -3
package/src/engine/__tests__/event-helpers.test.ts +4 -4
package/src/engine/__tests__/pipeline-engine.test.ts +215 -0
package/src/engine/__tests__/pipeline-handler.integration.ts +894 -0
package/src/engine/__tests__/pipeline-observability.integration.ts +142 -0
package/src/engine/__tests__/pipeline-performance.integration.ts +152 -0
package/src/engine/__tests__/pipeline-sub-pipelines.test.ts +288 -0
package/src/engine/__tests__/raw-table.test.ts +2 -2
package/src/engine/__tests__/steps-aggregate-append-event.test.ts +115 -0
package/src/engine/__tests__/steps-aggregate-create.test.ts +92 -0
package/src/engine/__tests__/steps-aggregate-update.test.ts +127 -0
package/src/engine/__tests__/steps-call-feature.test.ts +123 -0
package/src/engine/__tests__/steps-mail-send.test.ts +136 -0
package/src/engine/__tests__/steps-read.test.ts +142 -0
package/src/engine/__tests__/steps-resolver-utils.test.ts +50 -0
package/src/engine/__tests__/steps-unsafe-projection-delete.test.ts +69 -0
package/src/engine/__tests__/steps-unsafe-projection-upsert.test.ts +117 -0
package/src/engine/__tests__/steps-webhook-send.test.ts +135 -0
package/src/engine/__tests__/steps-workflow.test.ts +198 -0
package/src/engine/__tests__/validate-projection-allowlist.test.ts +491 -0
package/src/engine/__tests__/visual-tree-patterns.test.ts +251 -0
package/src/engine/boot-validator/api-ext.ts +77 -0
package/src/engine/boot-validator/config-deps.ts +163 -0
package/src/engine/boot-validator/entity-handler.ts +466 -0
package/src/engine/boot-validator/index.ts +159 -0
package/src/engine/boot-validator/ownership.ts +198 -0
package/src/engine/boot-validator/pii-retention.ts +155 -0
package/src/engine/boot-validator/screens-nav.ts +624 -0
package/src/engine/boot-validator.ts +1 -1804
package/src/engine/build-app-schema.ts +1 -1
package/src/engine/build-target.ts +99 -0
package/src/engine/codemod/index.ts +15 -0
package/src/engine/codemod/pipeline-codemod.ts +641 -0
package/src/engine/config-helpers.ts +9 -19
package/src/engine/constants.ts +1 -1
package/src/engine/define-feature.ts +88 -9
package/src/engine/define-handler.ts +89 -3
package/src/engine/define-roles.ts +2 -2
package/src/engine/define-step.ts +28 -0
package/src/engine/define-workflow.ts +110 -0
package/src/engine/entity-handlers.ts +10 -9
package/src/engine/event-helpers.ts +4 -4
package/src/engine/factories.ts +12 -12
package/src/engine/feature-ast/__tests__/visual-tree-parse.test.ts +184 -0
package/src/engine/feature-ast/extractors/index.ts +74 -0
package/src/engine/feature-ast/extractors/round1.ts +110 -0
package/src/engine/feature-ast/extractors/round2.ts +253 -0
package/src/engine/feature-ast/extractors/round3.ts +471 -0
package/src/engine/feature-ast/extractors/round4.ts +1365 -0
package/src/engine/feature-ast/extractors/round5.ts +72 -0
package/src/engine/feature-ast/extractors/round6.ts +66 -0
package/src/engine/feature-ast/extractors/shared.ts +177 -0
package/src/engine/feature-ast/parse.ts +7 -0
package/src/engine/feature-ast/patch.ts +9 -1
package/src/engine/feature-ast/patcher.ts +10 -3
package/src/engine/feature-ast/patterns.ts +49 -1
package/src/engine/feature-ast/render.ts +17 -1
package/src/engine/index.ts +44 -2
package/src/engine/pattern-library/__tests__/library.test.ts +6 -0
package/src/engine/pattern-library/library.ts +42 -2
package/src/engine/pipeline.ts +88 -0
package/src/engine/projection-helpers.ts +1 -1
package/src/engine/read-claim.ts +1 -1
package/src/engine/registry.ts +30 -2
package/src/engine/resolve-config-or-param.ts +4 -0
package/src/engine/run-pipeline.ts +162 -0
package/src/engine/schema-builder.ts +2 -4
package/src/engine/state-machine.ts +1 -1
package/src/engine/steps/_drizzle-boundary.ts +19 -0
package/src/engine/steps/_duration-utils.ts +33 -0
package/src/engine/steps/_no-return-guard.ts +21 -0
package/src/engine/steps/_resolver-utils.ts +42 -0
package/src/engine/steps/_step-dispatch-constants.ts +38 -0
package/src/engine/steps/aggregate-append-event.ts +56 -0
package/src/engine/steps/aggregate-create.ts +56 -0
package/src/engine/steps/aggregate-update.ts +68 -0
package/src/engine/steps/branch.ts +84 -0
package/src/engine/steps/call-feature.ts +49 -0
package/src/engine/steps/compute.ts +41 -0
package/src/engine/steps/for-each.ts +111 -0
package/src/engine/steps/mail-send.ts +44 -0
package/src/engine/steps/read-find-many.ts +51 -0
package/src/engine/steps/read-find-one.ts +58 -0
package/src/engine/steps/retry.ts +87 -0
package/src/engine/steps/return.ts +34 -0
package/src/engine/steps/unsafe-projection-delete.ts +46 -0
package/src/engine/steps/unsafe-projection-upsert.ts +69 -0
package/src/engine/steps/wait-for-event.ts +71 -0
package/src/engine/steps/wait.ts +69 -0
package/src/engine/steps/webhook-send.ts +71 -0
package/src/engine/system-user.ts +1 -1
package/src/engine/types/feature.ts +93 -1
package/src/engine/types/handlers.ts +18 -10
package/src/engine/types/index.ts +11 -1
package/src/engine/types/step.ts +334 -0
package/src/engine/types/target-ref.ts +21 -0
package/src/engine/types/tree-node.ts +132 -0
package/src/engine/types/workspace.ts +7 -0
package/src/engine/validate-projection-allowlist.ts +161 -0
package/src/event-store/snapshot.ts +1 -1
package/src/event-store/upcaster-dead-letter.ts +1 -1
package/src/event-store/upcaster.ts +1 -1
package/src/files/file-routes.ts +1 -1
package/src/files/types.ts +2 -2
package/src/jobs/job-runner.ts +10 -10
package/src/lifecycle/lifecycle.ts +0 -3
package/src/logging/index.ts +1 -0
package/src/logging/pino-logger.ts +11 -7
package/src/logging/utils.ts +24 -0
package/src/observability/prometheus-meter.ts +7 -5
package/src/pipeline/__tests__/archive-stream.integration.ts +1 -1
package/src/pipeline/__tests__/causation-chain.integration.ts +1 -1
package/src/pipeline/__tests__/domain-events-projections.integration.ts +3 -3
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +4 -4
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +1 -1
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +3 -3
package/src/pipeline/__tests__/msp-rebuild.integration.ts +3 -3
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +2 -2
package/src/pipeline/__tests__/query-projection.integration.ts +5 -5
package/src/pipeline/append-event-core.ts +22 -6
package/src/pipeline/dispatcher-utils.ts +188 -0
package/src/pipeline/dispatcher.ts +63 -283
package/src/pipeline/distributed-lock.ts +1 -1
package/src/pipeline/entity-cache.ts +2 -2
package/src/pipeline/event-consumer-state.ts +0 -13
package/src/pipeline/event-dispatcher.ts +4 -4
package/src/pipeline/index.ts +0 -2
package/src/pipeline/lifecycle-pipeline.ts +6 -12
package/src/pipeline/msp-rebuild.ts +5 -5
package/src/pipeline/multi-stream-apply-context.ts +6 -7
package/src/pipeline/projection-rebuild.ts +2 -2
package/src/pipeline/projection-state.ts +0 -12
package/src/rate-limit/__tests__/resolver.integration.ts +8 -4
package/src/rate-limit/resolver.ts +1 -1
package/src/search/in-memory-adapter.ts +1 -1
package/src/search/meilisearch-adapter.ts +3 -3
package/src/search/types.ts +1 -1
package/src/secrets/leak-guard.ts +2 -2
package/src/stack/request-helper.ts +9 -5
package/src/stack/test-stack.ts +1 -1
package/src/testing/handler-context.ts +4 -4
package/src/testing/http-cookies.ts +1 -1
package/src/time/tz-context.ts +1 -2
package/src/ui-types/index.ts +4 -0
package/src/engine/feature-ast/extractors.ts +0 -2602

package/src/engine/boot-validator/screens-nav.ts ADDED Viewed

@@ -0,0 +1,624 @@
+import { qualifyEntityName } from "../qualified-name";
+import { getAllowedFilterOps, isFieldFilterable } from "../screen-filter-ops";
+import type { FeatureDefinition, NavDefinition, WorkspaceDefinition } from "../types";
+import { normalizeEditField, normalizeListColumn } from "../types/screen";
+// --- Screen validation ---
+//
+// For every r.screen() declaration check what's locally knowable at boot:
+//   - entityList / entityEdit: the referenced entity must exist in the
+//     feature (cross-feature entity-refs aren't allowed — a feature owns
+//     the screens over its own entities) and every column/field ref must
+//     name a real field on that entity
+//   - custom: the renderer must at least have one platform component set
+//     (react OR native), otherwise the screen is structurally empty
+//
+// Field-level renderer QN strings (cross-feature `component:` references)
+// are NOT validated here — the r.uiComponent registry that would resolve
+// them ships in M4/M5. Until then those are kept opaque on purpose.
+export function validateScreens(
+  feature: FeatureDefinition,
+  featureMap: ReadonlyMap<string, FeatureDefinition>,
+  allWriteHandlerQns: ReadonlySet<string>,
+  allScreenQns: ReadonlySet<string>,
+  allConfigKeyQns: ReadonlySet<string>,
+): void {
+  for (const [screenId, screen] of Object.entries(feature.screens)) {
+    if (screen.type === "custom") {
+      if (!screen.renderer.react && !screen.renderer.native) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" has type="custom" but the renderer ` +
+            `declares neither a react nor a native component — at least one platform must be set.`,
+        );
+      }
+      continue;
+    }
+    if (screen.type === "configEdit") {
+      // configEdit: layout/fields wie actionForm validieren, plus
+      // Cross-Check dass jeder qualifizierte Config-Key registriert
+      // ist und der scope mit dem Key matcht.
+      const fieldNames = new Set(Object.keys(screen.fields));
+      if (fieldNames.size === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (configEdit) has empty fields map — ` +
+            `declare at least one field.`,
+        );
+      }
+      for (const [fname, fdef] of Object.entries(screen.fields)) {
+        // @cast-boundary schema-walk — feature-config inspection
+        const ftype = (fdef as { type?: unknown }).type;
+        if (typeof ftype !== "string" || ftype.length === 0) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (configEdit) field "${fname}" has no ` +
+              `\`type\` set. Each field must declare a type (e.g. "text", "number", "select").`,
+          );
+        }
+      }
+      if (screen.layout.sections.length === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (configEdit) has an empty sections list — ` +
+            `declare at least one section.`,
+        );
+      }
+      for (const section of screen.layout.sections) {
+        if (section.fields.length === 0) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (configEdit) has a section "${section.title}" ` +
+              `with zero fields — drop the section or add fields to it.`,
+          );
+        }
+        for (const fieldSpec of section.fields) {
+          const normalized = normalizeEditField(fieldSpec);
+          if (!fieldNames.has(normalized.field)) {
+            throw new Error(
+              `[Feature ${feature.name}] Screen "${screenId}" (configEdit) layout references unknown ` +
+                `field "${normalized.field}". Known fields: ${[...fieldNames].sort().join(", ")}`,
+            );
+          }
+        }
+      }
+      // configKeys: jeder fieldName muss einen Mapping-Eintrag haben,
+      // jeder qualifizierte Key muss in der Registry existieren.
+      for (const fname of fieldNames) {
+        const qualified = screen.configKeys[fname];
+        if (qualified === undefined) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (configEdit) field "${fname}" hat ` +
+              `keinen Eintrag in configKeys-Map. Jedes deklarierte Field braucht ein Mapping zu ` +
+              `einem qualifizierten Config-Key (\`<feature>:config:<short>\`).`,
+          );
+        }
+        if (!allConfigKeyQns.has(qualified)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (configEdit) field "${fname}" → ` +
+              `Config-Key "${qualified}" ist in keiner Feature-Registry deklariert. Tippfehler? ` +
+              `Erwartetes Format: "<feature>:config:<short>". Bekannte Keys: ${
+                [...allConfigKeyQns].sort().join(", ") || "(keine)"
+              }`,
+          );
+        }
+      }
+      continue;
+    }
+    if (screen.type === "actionForm") {
+      // Tier 2.7d: Action-Form-Screens haben keinen entity-Link, nur
+      // einen Write-Handler-QN + Inline-Fields. Sechs Author-Code-
+      // Checks am Boot:
+      //   1) handler ist non-empty String.
+      //   2) handler ist als Write-Handler registriert (cross-feature-
+      //      Lookup gegen die collected QN-Map). Tippfehler/umbenannte
+      //      Handler fallen sonst erst beim ersten Klick als 404 auf.
+      //   3) fields-Map ist non-empty.
+      //   4) Jeder Field-Eintrag hat einen `type`-Discriminator
+      //      (Tippfehler in Schema → Renderer crasht stumm sonst).
+      //   5) layout.sections + jedes referenced field existiert in
+      //      fields.
+      //   6) redirect (wenn gesetzt) verweist auf einen registrierten
+      //      Screen-QN (Cross-Feature ok).
+      if (!screen.handler || typeof screen.handler !== "string") {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (actionForm) has empty or non-string handler.`,
+        );
+      }
+      if (!allWriteHandlerQns.has(screen.handler)) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (actionForm) handler "${screen.handler}" ` +
+            `is not a registered write-handler. Check the QN spelling (expected ` +
+            `"<feature>:write:<short>") and that the handler is declared via r.writeHandler(...).`,
+        );
+      }
+      const fieldNames = new Set(Object.keys(screen.fields));
+      if (fieldNames.size === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (actionForm) has empty fields map — ` +
+            `declare at least one field.`,
+        );
+      }
+      // Jeder Field-Eintrag muss einen `type`-Discriminator haben.
+      // Author-Tippfehler (`title: { required: true }` ohne type) →
+      // RenderField fällt zur Laufzeit auf den Default-Renderer und
+      // schickt einen leeren String — silent broken. Boot-Fail ist
+      // klarer. `type as unknown` weil FieldDefinition als Union nur
+      // bekannte Strings erlaubt; wir prüfen Author-Code, der ggf.
+      // den Type-Check umgangen hat.
+      for (const [fname, fdef] of Object.entries(screen.fields)) {
+        // @cast-boundary schema-walk — feature-config inspection (Author may circumvent type-check)
+        const ftype = (fdef as { type?: unknown }).type;
+        if (typeof ftype !== "string" || ftype.length === 0) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (actionForm) field "${fname}" has no ` +
+              `\`type\` set. Each field must declare a type (e.g. "text", "number", "select").`,
+          );
+        }
+      }
+      if (screen.layout.sections.length === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (actionForm) has an empty sections list — ` +
+            `declare at least one section.`,
+        );
+      }
+      for (const section of screen.layout.sections) {
+        if (section.fields.length === 0) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (actionForm) has a section "${section.title}" ` +
+              `with zero fields — drop the section or add fields to it.`,
+          );
+        }
+        for (const fieldSpec of section.fields) {
+          const normalized = normalizeEditField(fieldSpec);
+          if (!fieldNames.has(normalized.field)) {
+            throw new Error(
+              `[Feature ${feature.name}] Screen "${screenId}" (actionForm) layout references unknown field ` +
+                `"${normalized.field}". Known fields: ${[...fieldNames].sort().join(", ")}`,
+            );
+          }
+        }
+      }
+      if (screen.redirect !== undefined) {
+        // redirect ist die kurze Screen-ID (z.B. "item-list"); der
+        // nav-Router resolved sie beim Mount gegen die Schema-Map.
+        // Cross-Feature-Redirect ist nicht supported — der nav-Router
+        // baut die URL aus screenId direkt, eine voll-QN würde als
+        // `/shop:screen:foo/` landen und nirgendwo greifen.
+        const candidateQn = qualifyEntityName(feature.name, "screen", screen.redirect);
+        if (!allScreenQns.has(candidateQn)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (actionForm) redirect "${screen.redirect}" ` +
+              `does not resolve to a registered screen in this feature. Known screens: ${
+                [...Object.keys(feature.screens)].sort().join(", ") || "(none)"
+              }.`,
+          );
+        }
+      }
+      continue;
+    }
+    // entityList / entityEdit: entity-refs are feature-local.
+    const entityDef = feature.entities[screen.entity];
+    if (!entityDef) {
+      const known = Object.keys(feature.entities).sort().join(", ") || "(none)";
+      const crossFeature = findEntityFeature(screen.entity, featureMap);
+      const hint = crossFeature
+        ? ` Entity "${screen.entity}" is owned by feature "${crossFeature}" — cross-feature screen ownership is not supported.`
+        : "";
+      throw new Error(
+        `[Feature ${feature.name}] Screen "${screenId}" references entity "${screen.entity}" ` +
+          `which is not declared in this feature (known: ${known}).${hint}`,
+      );
+    }
+    const fieldNames = new Set(Object.keys(entityDef.fields));
+    if (screen.type === "entityList") {
+      // Empty column list would render as a blank table — almost always the
+      // sign of an in-progress screen the author forgot to fill in. Fail
+      // loud: ui-core's computeListViewModel can't do anything useful with
+      // zero columns either.
+      if (screen.columns.length === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (entityList) has an empty columns list — ` +
+            `declare at least one column.`,
+        );
+      }
+      for (const col of screen.columns) {
+        const normalized = normalizeListColumn(col);
+        if (!fieldNames.has(normalized.field)) {
+          throw new Error(
+            buildUnknownFieldMessage(
+              feature.name,
+              screenId,
+              normalized.field,
+              screen.entity,
+              fieldNames,
+            ),
+          );
+        }
+        validateColumnRendererForm(feature.name, screenId, normalized);
+      }
+      // Pagination/Sort/Search-Validierung: Author-Fehler beim Boot
+      // fangen, damit kein "warum kommt die Liste leer / falsch
+      // sortiert"-Debug-Cycle zur Laufzeit losgeht.
+      if (screen.pageSize !== undefined && screen.pageSize <= 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (entityList) has pageSize=${screen.pageSize} — ` +
+            `must be a positive integer.`,
+        );
+      }
+      if (screen.defaultSort !== undefined) {
+        const sortField = screen.defaultSort.field;
+        if (!fieldNames.has(sortField)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityList) defaultSort references unknown ` +
+              `field "${sortField}". Known fields: ${[...fieldNames].sort().join(", ")}`,
+          );
+        }
+        // sortable: true Pflicht — verhindert dass das UI auf einer
+        // Spalte sortiert, die Server-Side gar keinen DB-Index hat
+        // oder im Schema absichtlich nicht sortiert werden soll
+        // (Audit-Felder, Computed-Werte). `sortable` lebt heute nur
+        // auf TextFieldDef; "in"-narrow lässt das auch für andere
+        // Field-Types ohne explizites Flag durchfallen, was ok ist:
+        // Number/Date sind natürlich sortierbar, der Author kann sie
+        // im Author-Code als sortable markieren wenn das Field-Type
+        // es trägt (Erweiterung folgt).
+        const fieldDef = entityDef.fields[sortField];
+        const isSortable =
+          fieldDef !== undefined && "sortable" in fieldDef && fieldDef.sortable === true;
+        if (!isSortable) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityList) defaultSort.field "${sortField}" ` +
+              `is not sortable. Set sortable: true on the field definition or pick another field.`,
+          );
+        }
+      }
+      // Screen-Filter (Tier 2.7c) — drei Layer Author-Code-Check:
+      //   1) Field existiert auf der Entity (Tippfehler = leere Liste
+      //      statt Crash; Boot-Fail ist deutlich besser).
+      //   2) Field hat `filterable: true` (Author opt-in, analog zu
+      //      `sortable`). Verhindert dass Audit-/Computed-/encrypted-
+      //      Felder unbeabsichtigt filterbar werden.
+      //   3) Op passt zum Field-Type. Lt/gt auf text-Feldern → Boot-
+      //      Fail mit Hinweis statt String-Sort-Surprise zur Laufzeit.
+      // Außerdem: "in" verlangt readonly Array.
+      if (screen.filter !== undefined) {
+        const filterField = screen.filter.field;
+        if (!fieldNames.has(filterField)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityList) filter references unknown ` +
+              `field "${filterField}". Known fields: ${[...fieldNames].sort().join(", ")}`,
+          );
+        }
+        const fieldDef = entityDef.fields[filterField];
+        if (fieldDef !== undefined && !isFieldFilterable(fieldDef)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityList) filter references field ` +
+              `"${filterField}" which is not filterable. Set filterable: true on the field ` +
+              `definition or pick another field.`,
+          );
+        }
+        if (fieldDef !== undefined) {
+          const allowedOps = getAllowedFilterOps(fieldDef);
+          if (!allowedOps.includes(screen.filter.op)) {
+            throw new Error(
+              `[Feature ${feature.name}] Screen "${screenId}" (entityList) filter.op ` +
+                `"${screen.filter.op}" is not allowed on field "${filterField}" ` +
+                `(type "${fieldDef.type}"). Allowed ops: ${allowedOps.join(", ") || "(none)"}.`,
+            );
+          }
+        }
+        if (screen.filter.op === "in" && !Array.isArray(screen.filter.value)) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityList) filter.op "in" requires ` +
+              `filter.value to be a readonly array.`,
+          );
+        }
+      }
+      // Tier 2.7e-1: rowActions mit kind:"navigate" pinst dass das
+      // referenced screen tatsächlich existiert (selbes Feature). Ein
+      // typo'd target landet sonst beim Klick als "Screen not found"-
+      // Banner.
+      if (screen.rowActions !== undefined) {
+        for (const action of screen.rowActions) {
+          if (action.kind !== "navigate") continue;
+          const candidateQn = qualifyEntityName(feature.name, "screen", action.screen);
+          if (!allScreenQns.has(candidateQn)) {
+            throw new Error(
+              `[Feature ${feature.name}] Screen "${screenId}" (entityList) rowAction "${action.id}" ` +
+                `navigate-target "${action.screen}" does not resolve to a registered screen in this feature.`,
+            );
+          }
+        }
+      }
+    } else {
+      // Same rationale as the columns check: an entityEdit layout with zero
+      // sections (or sections without any fields) renders as nothing — reject
+      // at boot so the author sees it before the blank form surprises them.
+      if (screen.layout.sections.length === 0) {
+        throw new Error(
+          `[Feature ${feature.name}] Screen "${screenId}" (entityEdit) has an empty sections list — ` +
+            `declare at least one section.`,
+        );
+      }
+      for (const section of screen.layout.sections) {
+        if (section.fields.length === 0) {
+          throw new Error(
+            `[Feature ${feature.name}] Screen "${screenId}" (entityEdit) has a section "${section.title}" ` +
+              `with zero fields — drop the section or add fields to it.`,
+          );
+        }
+        for (const fieldSpec of section.fields) {
+          const normalized = normalizeEditField(fieldSpec);
+          if (!fieldNames.has(normalized.field)) {
+            throw new Error(
+              buildUnknownFieldMessage(
+                feature.name,
+                screenId,
+                normalized.field,
+                screen.entity,
+                fieldNames,
+              ),
+            );
+          }
+        }
+      }
+    }
+  }
+}
+// Form-check für ListColumn-Renderer in der PlatformComponent-Form
+// (`{ react: { __component: "Name" } }`). Der Server kennt die client-
+// seitige columnRenderers-Map nicht — also nur prüfen ob die Struktur
+// stimmt: wenn `react` als Object gesetzt ist, MUSS `__component` ein
+// nicht-leerer String sein. Ein client-seitig ausgelassener Key löst
+// nur eine Warnung aus, kein Boot-Fail.
+export function validateColumnRendererForm(
+  featureName: string,
+  screenId: string,
+  column: { readonly field: string; readonly renderer?: unknown },
+): void {
+  const renderer = column.renderer;
+  // skip: nur die PlatformComponent-Form ({ react: { __component: "..." } })
+  // wird strukturell validiert. Funktions-, String-QN- und null/undefined-
+  // Renderer sind alle gültige andere Formen — kein Form-Fehler.
+  if (renderer === null || typeof renderer !== "object") return;
+  // @cast-boundary schema-walk — feature-config renderer-shape introspection
+  const react = (renderer as { react?: unknown }).react;
+  // skip: kein react-Branch → entweder native-only oder kein
+  // PlatformComponent — beides außerhalb dieses Checks.
+  if (react === undefined || react === null) return;
+  if (typeof react !== "object") {
+    throw new Error(
+      `[Feature ${featureName}] Screen "${screenId}" column "${column.field}" has a renderer with ` +
+        `a non-object \`react\` branch — expected \`{ react: { __component: "Name" } }\`.`,
+    );
+  }
+  // @cast-boundary schema-walk — feature-config react-branch introspection
+  const component = (react as { __component?: unknown }).__component;
+  // skip: ohne __component-Schlüssel ist das keine String-Key-Form
+  // (z.B. ein zukünftiger direkter Component-Ref); nicht unsere Domäne.
+  if (component === undefined) return;
+  if (typeof component !== "string" || component.length === 0) {
+    throw new Error(
+      `[Feature ${featureName}] Screen "${screenId}" column "${column.field}" has a renderer with ` +
+        `\`react.__component\` = ${JSON.stringify(component)} — expected a non-empty string identifying ` +
+        `a client-side columnRenderers entry.`,
+    );
+  }
+}
+export function findEntityFeature(
+  entityName: string,
+  featureMap: ReadonlyMap<string, FeatureDefinition>,
+): string | undefined {
+  for (const [name, feature] of featureMap) {
+    if (feature.entities[entityName]) return name;
+  }
+  return undefined;
+}
+export function buildUnknownFieldMessage(
+  featureName: string,
+  screenId: string,
+  fieldName: string,
+  entityName: string,
+  knownFields: ReadonlySet<string>,
+): string {
+  const known = [...knownFields].sort().join(", ");
+  return (
+    `[Feature ${featureName}] Screen "${screenId}" references field "${fieldName}" ` +
+    `which does not exist on entity "${entityName}" (known: ${known}).`
+  );
+}
+// --- Nav validation ---
+//
+// The boot-validator runs BEFORE createRegistry builds the final maps, so we
+// pre-build the qualified name sets for screens + navs here. `qualifyEntityName`
+// is the shared helper with the registry — changing the qualification rule
+// in one place flows through both ingest paths.
+export function collectScreenQns(features: readonly FeatureDefinition[]): Set<string> {
+  const set = new Set<string>();
+  for (const f of features) {
+    for (const screenId of Object.keys(f.screens)) {
+      set.add(qualifyEntityName(f.name, "screen", screenId));
+    }
+  }
+  return set;
+}
+// Sammelt alle qualifizierten Write-Handler-QNs (`<feature>:write:<short>`).
+// Wird vom actionForm-Screen-Validator genutzt um zu prüfen ob der
+// im Schema deklarierte handler tatsächlich registriert ist —
+// Tippfehler/umbenannte Handler fallen sonst erst zur Laufzeit auf.
+export function collectWriteHandlerQns(features: readonly FeatureDefinition[]): Set<string> {
+  const set = new Set<string>();
+  for (const f of features) {
+    for (const handlerName of Object.keys(f.writeHandlers)) {
+      set.add(qualifyEntityName(f.name, "write", handlerName));
+    }
+  }
+  return set;
+}
+export function collectNavQns(
+  features: readonly FeatureDefinition[],
+): Map<string, NavDefinition & { readonly featureName: string }> {
+  const map = new Map<string, NavDefinition & { readonly featureName: string }>();
+  for (const f of features) {
+    for (const [navId, navDef] of Object.entries(f.navs)) {
+      const qualified = qualifyEntityName(f.name, "nav", navId);
+      map.set(qualified, { ...navDef, featureName: f.name });
+    }
+  }
+  return map;
+}
+// Per-feature ref validation: screen + parent refs point at real QNs. Cycle
+// detection runs once globally afterwards (it's cheaper to do a single DFS
+// over the merged graph than restart it per feature).
+export function validateNavs(
+  feature: FeatureDefinition,
+  allScreenQns: ReadonlySet<string>,
+  allNavQns: ReadonlyMap<string, NavDefinition & { readonly featureName: string }>,
+  allWorkspaceQns: ReadonlyMap<string, WorkspaceDefinition & { readonly featureName: string }>,
+): void {
+  for (const [navId, navDef] of Object.entries(feature.navs)) {
+    if (navDef.screen !== undefined && !allScreenQns.has(navDef.screen)) {
+      throw new Error(
+        `[Feature ${feature.name}] Nav entry "${navId}" references screen "${navDef.screen}" ` +
+          `which is not registered. Expected a qualified name of the form ` +
+          `"<feature>:screen:<id>" pointing at an r.screen() declaration.`,
+      );
+    }
+    if (navDef.parent !== undefined && !allNavQns.has(navDef.parent)) {
+      throw new Error(
+        `[Feature ${feature.name}] Nav entry "${navId}" references parent "${navDef.parent}" ` +
+          `which is not a registered nav entry. Expected a qualified name of the form ` +
+          `"<feature>:nav:<id>".`,
+      );
+    }
+    if (navDef.workspaces !== undefined) {
+      for (const wsQn of navDef.workspaces) {
+        if (!allWorkspaceQns.has(wsQn)) {
+          throw new Error(
+            `[Feature ${feature.name}] Nav entry "${navId}" self-assigns to workspace "${wsQn}" ` +
+              `which is not registered. Expected a qualified name of the form ` +
+              `"<feature>:workspace:<id>" pointing at an r.workspace() declaration.`,
+          );
+        }
+      }
+    }
+  }
+}
+// Walks parent-refs across ALL nav entries (cross-feature). A cycle here
+// would crash client-side tree assembly — easier to fail loud at boot than
+// to debug a React "Maximum update depth exceeded" stack trace.
+export function validateNavCycles(
+  allNavQns: ReadonlyMap<string, NavDefinition & { readonly featureName: string }>,
+): void {
+  const visited = new Set<string>();
+  const stack = new Set<string>();
+  function visit(qualified: string, path: string[]): void {
+    if (stack.has(qualified)) {
+      throw new Error(
+        `[Kumiko Nav] Nav entry parent cycle detected: ${[...path, qualified].join(" → ")}`,
+      );
+    }
+    // skip: already visited — cycle-detection only needs to traverse each
+    // node once, and the `stack` check above catches any actual cycles
+    // reached via a different path.
+    if (visited.has(qualified)) return;
+    visited.add(qualified);
+    stack.add(qualified);
+    const navDef = allNavQns.get(qualified);
+    if (navDef?.parent) {
+      visit(navDef.parent, [...path, qualified]);
+    }
+    stack.delete(qualified);
+  }
+  for (const qualified of allNavQns.keys()) {
+    visit(qualified, []);
+  }
+}
+// Roles we recognise at boot time. The framework has no explicit
+// role-registry (r.defineRoles is a type helper only), so we synthesise
+// one from every handler-access rule plus the "all"/"system" built-ins.
+export function collectKnownRoles(features: readonly FeatureDefinition[]): Set<string> {
+  const roles = new Set<string>(["all", "system"]);
+  for (const f of features) {
+    for (const def of Object.values(f.writeHandlers)) {
+      if (def.access && "roles" in def.access) {
+        for (const r of def.access.roles) roles.add(r);
+      }
+    }
+    for (const def of Object.values(f.queryHandlers)) {
+      if (def.access && "roles" in def.access) {
+        for (const r of def.access.roles) roles.add(r);
+      }
+    }
+  }
+  return roles;
+}
+// --- Workspace validation ---
+//
+// Per-app workspace registry, built once up front. Carries `featureName`
+// alongside the definition so error messages can point at the offending
+// feature without a parallel reverse index.
+export function collectWorkspaceQns(
+  features: readonly FeatureDefinition[],
+): Map<string, WorkspaceDefinition & { readonly featureName: string }> {
+  const map = new Map<string, WorkspaceDefinition & { readonly featureName: string }>();
+  for (const f of features) {
+    for (const [wsId, wsDef] of Object.entries(f.workspaces)) {
+      const qualified = qualifyEntityName(f.name, "workspace", wsId);
+      map.set(qualified, { ...wsDef, featureName: f.name });
+    }
+  }
+  return map;
+}
+export function validateWorkspaces(
+  feature: FeatureDefinition,
+  allNavQns: ReadonlyMap<string, NavDefinition & { readonly featureName: string }>,
+): void {
+  for (const [wsId, wsDef] of Object.entries(feature.workspaces)) {
+    if (wsDef.nav !== undefined) {
+      for (const navQn of wsDef.nav) {
+        if (!allNavQns.has(navQn)) {
+          throw new Error(
+            `[Feature ${feature.name}] Workspace "${wsId}" references nav "${navQn}" ` +
+              `which is not registered. Expected a qualified name of the form ` +
+              `"<feature>:nav:<id>" pointing at an r.nav() declaration.`,
+          );
+        }
+      }
+    }
+  }
+}
+// Single-default rule across the entire app. Mirrors how createApp validates
+// roles up front — a second `default: true` is a configuration error, not a
+// runtime fallback. Apps without any default fall back to "first workspace
+// the user has access to" at render time (handled by shellWorkspaces).
+export function validateDefaultWorkspaceUniqueness(
+  allWorkspaceQns: ReadonlyMap<string, WorkspaceDefinition & { readonly featureName: string }>,
+): void {
+  const defaults: string[] = [];
+  for (const [qn, ws] of allWorkspaceQns) {
+    if (ws.default === true) defaults.push(qn);
+  }
+  if (defaults.length > 1) {
+    throw new Error(
+      `[Kumiko Workspaces] Multiple workspaces declare default: true — ` +
+        `${defaults.join(", ")}. At most one workspace per app may be the default.`,
+    );
+  }
+}