@cosmicdrift/kumiko-framework 0.37.0 → 0.38.0

package/src/engine/boot-validator/ownership.ts

@@ -13,7 +13,7 @@ export function validateOwnershipRules(
   allClaimKeys: ReadonlyMap<string, ClaimKeyDefinition>,
   knownRoles: ReadonlySet<string>,
 ): void {
-  for (const [entityName, entity] of Object.entries(feature.entities)) {
+  for (const [entityName, entity] of Object.entries(feature.entities ?? {})) {
     const columnNames = new Set<string>(Object.keys(entity.fields));
     // Framework-managed columns that rules are allowed to reference too.
     // These are the base columns buildEntityTable adds unconditionally.

package/src/engine/boot-validator/pii-retention.ts

@@ -42,7 +42,7 @@ const KEEP_FOR_PATTERN = /^\d+[hdwmy]$/;
 // Encrypt/Decrypt-Mechanik landet in Sprint 3 (crypto-shredding); diese
 // Validation greift schon ab Sprint 0 damit Schema-Drift früh auffällt.
 export function validatePiiAndRetention(feature: FeatureDefinition): void {
-  for (const [entityName, entity] of Object.entries(feature.entities)) {
+  for (const [entityName, entity] of Object.entries(feature.entities ?? {})) {
     const fieldsByName = entity.fields;
 
     for (const [fieldName, field] of Object.entries(fieldsByName)) {

package/src/engine/boot-validator/screens-nav.ts

@@ -63,7 +63,7 @@ export function validateScreens(
       }
       for (const section of screen.layout.sections) {
         if (isExtensionEditSection(section)) {
-          if (section.component.react === undefined && section.component.native === undefined) {
+          if (section.component?.react === undefined && section.component?.native === undefined) {
             throw new Error(
               `[Feature ${feature.name}] Screen "${screenId}" (configEdit) extension section ` +
                 `"${section.title}" has no component — declare a react/native component marker.`,
@@ -170,7 +170,7 @@ export function validateScreens(
       }
       for (const section of screen.layout.sections) {
         if (isExtensionEditSection(section)) {
-          if (section.component.react === undefined && section.component.native === undefined) {
+          if (section.component?.react === undefined && section.component?.native === undefined) {
             throw new Error(
               `[Feature ${feature.name}] Screen "${screenId}" (actionForm) extension section ` +
                 `"${section.title}" has no component — declare a react/native component marker.`,
@@ -227,9 +227,12 @@ export function validateScreens(
     }
 
     // entityList / entityEdit: entity-refs are feature-local.
-    const entityDef = feature.entities[screen.entity];
+    const entityDef = feature.entities?.[screen.entity];
     if (!entityDef) {
-      const known = Object.keys(feature.entities).sort().join(", ") || "(none)";
+      const known =
+        Object.keys(feature.entities ?? {})
+          .sort()
+          .join(", ") || "(none)";
       const crossFeature = findEntityFeature(screen.entity, featureMap);
       const hint = crossFeature
         ? ` Entity "${screen.entity}" is owned by feature "${crossFeature}" — cross-feature screen ownership is not supported.`
@@ -405,7 +408,7 @@ export function validateScreens(
       }
       for (const section of screen.layout.sections) {
         if (isExtensionEditSection(section)) {
-          if (section.component.react === undefined && section.component.native === undefined) {
+          if (section.component?.react === undefined && section.component?.native === undefined) {
             throw new Error(
               `[Feature ${feature.name}] Screen "${screenId}" (entityEdit) extension section ` +
                 `"${section.title}" has no component — declare a react/native component marker.`,
@@ -484,7 +487,7 @@ export function findEntityFeature(
   featureMap: ReadonlyMap<string, FeatureDefinition>,
 ): string | undefined {
   for (const [name, feature] of featureMap) {
-    if (feature.entities[entityName]) return name;
+    if (feature.entities?.[entityName]) return name;
   }
   return undefined;
 }

package/src/engine/build-app-schema.ts

@@ -35,7 +35,7 @@ export function buildAppSchema(registry: Registry): AppSchema {
     const navs = Object.values(feature.navs);
     const featureSchema: FeatureSchema = {
       featureName,
-      entities: projectEntities(feature.entities),
+      entities: projectEntities(feature.entities ?? {}),
       screens: Object.values(feature.screens),
       ...(navs.length > 0 && { navs }),
     };
@@ -65,19 +65,14 @@ export function buildAppSchema(registry: Registry): AppSchema {
   };
 
   if (typeof process !== "undefined" && process.env.NODE_ENV !== "production") {
-    try {
-      const roundTripped = JSON.parse(JSON.stringify(schema));
-      if (JSON.stringify(roundTripped) !== JSON.stringify(schema)) {
-        // biome-ignore lint/suspicious/noConsole: dev-only assertion
-        console.error(
-          "[kumiko] buildAppSchema: Output ist nicht JSON-safe — ein Funktions-Renderer oder nicht-serialisierbarer Wert ist in das Schema gerutscht. Details im Diff:",
-          schema,
-        );
-      }
-    } catch {
+    // A stringify-roundtrip comparison can never fire here: JSON.stringify
+    // drops functions/undefined identically on both sides. Walk the value
+    // instead so a leaked function renderer is actually caught.
+    const offender = findNonJsonSafePath(schema, "schema");
+    if (offender !== null) {
       // biome-ignore lint/suspicious/noConsole: dev-only assertion
       console.error(
-        "[kumiko] buildAppSchema: JSON.stringify fehlgeschlagen — Schema enthält nicht-serialisierbare Werte.",
+        `[kumiko] buildAppSchema: Output ist nicht JSON-safe — nicht-serialisierbarer Wert bei "${offender}" (Funktions-Renderer oder Klassen-Instanz im Schema?).`,
         schema,
       );
     }
@@ -86,6 +81,41 @@ export function buildAppSchema(registry: Registry): AppSchema {
   return schema;
 }
 
+// PlatformComponent slots ({ react, native }) legitimately hold component
+// functions — JSON.stringify drops them at inject-time and the client
+// re-resolves by name, so the walker treats them as opaque.
+function isPlatformComponentShape(value: object): boolean {
+  const keys = Object.keys(value);
+  return keys.length > 0 && keys.every((k) => k === "react" || k === "native");
+}
+
+// Returns the path of the first value JSON.stringify would drop or distort
+// (function, undefined, symbol, bigint, non-finite number, class instance) —
+// or null when the value is JSON-safe apart from PlatformComponent slots.
+export function findNonJsonSafePath(value: unknown, path: string): string | null {
+  if (value === null || typeof value === "string" || typeof value === "boolean") return null;
+  if (typeof value === "number") return Number.isFinite(value) ? null : path;
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      const hit = findNonJsonSafePath(value[i], `${path}[${i}]`);
+      if (hit !== null) return hit;
+    }
+    return null;
+  }
+  if (typeof value === "object") {
+    const proto = Object.getPrototypeOf(value);
+    if (proto !== Object.prototype && proto !== null) return path;
+    if (isPlatformComponentShape(value)) return null;
+    for (const [key, entry] of Object.entries(value)) {
+      const hit = findNonJsonSafePath(entry, `${path}.${key}`);
+      if (hit !== null) return hit;
+    }
+    return null;
+  }
+  // function, symbol, bigint, undefined
+  return path;
+}
+
 function projectEntities(
   entities: Readonly<Record<string, EntityDefinition>>,
 ): Readonly<Record<string, EntityDefinition>> {

package/src/engine/create-app.ts

@@ -71,7 +71,7 @@ export function createApp(config: AppConfig): App {
 
   // Validate defaultCurrency on entities that have money fields
   for (const feature of config.features) {
-    for (const [entityName, entity] of Object.entries(feature.entities)) {
+    for (const [entityName, entity] of Object.entries(feature.entities ?? {})) {
       const hasMoneyField = Object.values(entity.fields).some((f) => f.type === "money");
       if (entity.defaultCurrency && !currencies.includes(entity.defaultCurrency)) {
         throw new Error(

package/src/engine/define-feature.ts

@@ -935,7 +935,11 @@ export function defineFeature<const TName extends string, TExports = undefined>(
       postDelete: phasedLifecycleHooks.postDelete,
       preQuery: lifecycleHooks["preQuery"] ?? {},
       postQuery: lifecycleHooks["postQuery"] ?? {},
-    } as HookMap, // @cast-boundary engine-payload
+      // @cast-boundary engine-bridge — die Hook-Registrierung erased die
+      // per-Slot-Signaturen zu LifecycleHookFn (Union, s. Cast in
+      // addLifecycleHook); die Branches dort sind die einzigen Producer und
+      // schreiben pro Slot typrichtig.
+    } as HookMap,
     entityHooks: {
       postSave: entityPostSave,
       preDelete: entityPreDelete,

package/src/engine/feature-ast/extractors/round4.ts

@@ -378,6 +378,7 @@ export function extractEntityHook(
   });
 }
 
+// guard:dup-ok — intentionale Parallele zu extractTree (round6); verschiedene Feature-AST-Extraktoren by design
 export function extractAuthClaims(
   call: CallExpression,
   sourceFile: SourceFile,

package/src/engine/index.ts

@@ -293,6 +293,7 @@ export type {
   QueryEvent,
   QueryHandlerDef,
   QueryHandlerFn,
+  ReferenceDataDef,
   Registry,
   RelationDefinition,
   RetentionDef,
@@ -300,6 +301,7 @@ export type {
   SaveContext,
   ScreenDefinition,
   ScreenSlots,
+  SecretKeyHandle,
   SelectFieldDef,
   SessionUser,
   Subscribe,

package/src/engine/registry.ts

@@ -306,9 +306,10 @@ export function createRegistry(features: readonly FeatureDefinition[]): Registry
     featureName: string,
     hookQnType: QnType,
   ): void {
-    // skip: optionaler hook-slot — defineFeature lässt das slot undefined
-    // wenn das feature keine hooks dieses typs hat. Behandeln wie leeres
-    // record statt Object.entries(undefined)-crash.
+    // skip: optionaler hook-slot — defineFeature materialisiert zwar alle
+    // Slots, aber hand-gebaute Definitionen an System-Grenzen (Fixtures,
+    // Partial-Boots, s. registry.test.ts) lassen sie weg. Leeres Record
+    // statt Object.entries(undefined)-Crash.
     if (!source) return;
     for (const [name, fns] of Object.entries(source)) {
       const qualified = qualify(featureName, hookQnType, name);

package/src/engine/steps/unsafe-projection-upsert.ts

@@ -11,6 +11,7 @@
 // rejected by boot-validation — domain mutation MUST go through
 // r.step.aggregate.*.
 
+import { extractTableName } from "../../db";
 import { executeRawQuery } from "../../db/queries/raw-sql";
 import { defineStep } from "../define-step";
 import type { PipelineCtx, StepInstance, StepResolver } from "../types/step";
@@ -22,22 +23,10 @@ type UnsafeProjectionUpsertArgs = {
   readonly row: StepResolver<Record<string, unknown>>;
 };
 
-// @cast-boundary drizzle-bridge — reads table name + column snake_case
-// names from drizzle Symbol-based metadata without importing drizzle-orm.
-const KUMIKO_NAME_SYMBOL = Symbol.for("kumiko:schema:Name");
+// @cast-boundary drizzle-bridge — reads column snake_case names from
+// drizzle Symbol-based metadata without importing drizzle-orm.
 const KUMIKO_COLUMNS_SYMBOL = Symbol.for("kumiko:schema:Columns");
 
-function resolveTableName(table: unknown): string {
-  if (typeof table !== "object" || table === null) {
-    throw new Error("unsafeProjectionUpsert: table is not an object");
-  }
-  const name = (table as Record<symbol, unknown>)[KUMIKO_NAME_SYMBOL];
-  if (typeof name !== "string") {
-    throw new Error("unsafeProjectionUpsert: table has no kumiko:schema:Name symbol");
-  }
-  return name;
-}
-
 function resolveColumnName(table: unknown, field: string): string {
   if (typeof table !== "object" || table === null) return field;
   const cols = (table as Record<symbol, unknown>)[KUMIKO_COLUMNS_SYMBOL];
@@ -67,7 +56,7 @@ defineStep<UnsafeProjectionUpsertArgs, void>({
       }
     }
 
-    const tableName = resolveTableName(args.table);
+    const tableName = extractTableName(args.table, "unsafeProjectionUpsert");
     const entries = Object.entries(resolvedRow);
     const params: unknown[] = [];
 

package/src/engine/types/feature.ts

@@ -197,13 +197,17 @@ export type FeatureDefinition = {
   // means the feature is always-on (e.g. auth, tenant, user — core infra
   // that would brick the system if switchable).
   readonly toggleableDefault?: boolean;
-  readonly entities: Readonly<Record<string, EntityDefinition>>;
+  // entities/hooks/entityHooks are optional: defineFeature always
+  // materializes them, but hand-built definitions at system boundaries
+  // (test fixtures, partial boots — see registry.test.ts "slot robustness")
+  // omit them and the registry guards against that. Type follows runtime.
+  readonly entities?: Readonly<Record<string, EntityDefinition>>;
   readonly relations: Readonly<Record<string, EntityRelations>>;
   readonly writeHandlers: Readonly<Record<string, WriteHandlerDef>>;
   readonly queryHandlers: Readonly<Record<string, QueryHandlerDef>>;
   readonly translations: TranslationKeys;
-  readonly hooks: HookMap;
-  readonly entityHooks: EntityHookMap;
+  readonly hooks?: HookMap;
+  readonly entityHooks?: EntityHookMap;
   // F3 search-payload-extension — per-entity contributors that add flat fields
   // to the search-index payload during indexing. Keyed by entityName. Wrapped
   // in OwnedFn for feature-toggle filtering (consistent with postQuery-Hooks).

package/src/engine/types/hooks.ts

@@ -143,21 +143,25 @@ export type OwnedFn<TFn> = {
 
 // --- Hook Maps ---
 
+// Slots are optional: defineFeature materializes every slot, but hand-built
+// FeatureDefinitions at system boundaries (test fixtures, partial boots —
+// see registry.test.ts "slot robustness") legitimately omit them, and the
+// registry merge paths tolerate undefined. The type mirrors that contract.
 export type HookMap = {
-  readonly validation: Readonly<Record<string, ValidationHookFn>>;
-  readonly preSave: Readonly<Record<string, readonly OwnedFn<PreSaveHookFn>[]>>;
-  readonly postSave: Readonly<Record<string, readonly PhasedHook<PostSaveHookFn>[]>>;
-  readonly preDelete: Readonly<Record<string, readonly PhasedHook<PreDeleteHookFn>[]>>;
-  readonly postDelete: Readonly<Record<string, readonly PhasedHook<PostDeleteHookFn>[]>>;
-  readonly preQuery: Readonly<Record<string, readonly OwnedFn<PreQueryHookFn>[]>>;
-  readonly postQuery: Readonly<Record<string, readonly OwnedFn<PostQueryHookFn>[]>>;
+  readonly validation?: Readonly<Record<string, ValidationHookFn>>;
+  readonly preSave?: Readonly<Record<string, readonly OwnedFn<PreSaveHookFn>[]>>;
+  readonly postSave?: Readonly<Record<string, readonly PhasedHook<PostSaveHookFn>[]>>;
+  readonly preDelete?: Readonly<Record<string, readonly PhasedHook<PreDeleteHookFn>[]>>;
+  readonly postDelete?: Readonly<Record<string, readonly PhasedHook<PostDeleteHookFn>[]>>;
+  readonly preQuery?: Readonly<Record<string, readonly OwnedFn<PreQueryHookFn>[]>>;
+  readonly postQuery?: Readonly<Record<string, readonly OwnedFn<PostQueryHookFn>[]>>;
 };
 
 export type EntityHookMap = {
-  readonly postSave: Readonly<Record<string, readonly PhasedHook<PostSaveHookFn>[]>>;
-  readonly preDelete: Readonly<Record<string, readonly PhasedHook<PreDeleteHookFn>[]>>;
-  readonly postDelete: Readonly<Record<string, readonly PhasedHook<PostDeleteHookFn>[]>>;
-  readonly postQuery: Readonly<Record<string, readonly OwnedFn<PostQueryHookFn>[]>>;
+  readonly postSave?: Readonly<Record<string, readonly PhasedHook<PostSaveHookFn>[]>>;
+  readonly preDelete?: Readonly<Record<string, readonly PhasedHook<PreDeleteHookFn>[]>>;
+  readonly postDelete?: Readonly<Record<string, readonly PhasedHook<PostDeleteHookFn>[]>>;
+  readonly postQuery?: Readonly<Record<string, readonly OwnedFn<PostQueryHookFn>[]>>;
 };
 
 // Search-Payload-Extension (F3) — contributor function that adds flat

package/src/engine/types/screen.ts

@@ -25,7 +25,7 @@ export type PlatformComponent = {
 };
 
 // Built-in value formatters. Apps extend via module augmentation:
-//   declare module "@cosmicdrift/kumiko-framework" {
+//   declare module "@cosmicdrift/kumiko-framework/engine/types" {
 //     interface FieldFormatRegistry { myFormat: { myOption?: string } }
 //   }
 // renderer-web handles all built-in keys; unknown app-specific keys fall back
@@ -489,12 +489,7 @@ export type ScreenDefinition =
 // authors who branch on the three FieldRenderer variants without manual
 // "format" in renderer checks.
 export function isFormatSpec(r: unknown): r is FormatSpec {
-  return (
-    typeof r === "object" &&
-    r !== null &&
-    "format" in r &&
-    typeof (r as Record<string, unknown>)["format"] === "string"
-  );
+  return typeof r === "object" && r !== null && "format" in r && typeof r.format === "string";
 }
 
 // Collapse the string-shorthand into the object form. Both the boot-validator

package/src/engine/validate-projection-allowlist.ts

@@ -112,7 +112,7 @@ export function validateProjectionAllowlist(features: readonly FeatureDefinition
   // Followup #8.
   const aggregateTables = new Map<string, string>();
   for (const f of features) {
-    for (const [entityName, entity] of Object.entries(f.entities)) {
+    for (const [entityName, entity] of Object.entries(f.entities ?? {})) {
       const tableName = entity.table ?? entityName;
       const existing = aggregateTables.get(tableName);
       if (existing && existing !== f.name) {

package/src/engine/validation.ts

@@ -17,7 +17,7 @@ export function runValidation(
   for (const [featureName, feature] of registry.features) {
     if (toKebab(featureName) !== parsed.scope) continue;
 
-    const validationHooks = feature.hooks.validation;
+    const validationHooks = feature.hooks?.validation;
     if (!validationHooks) continue;
 
     // Find the hook by matching the QN name segment against the stored short name.

package/src/errors/index.ts

@@ -29,10 +29,10 @@ export type { FrameworkReason } from "./reasons";
 export { FrameworkReasons } from "./reasons";
 export type { ErrorLogEntry, ErrorResponseBody } from "./serialize";
 export { buildErrorLog, serializeError } from "./serialize";
+export { toKumikoError } from "./to-kumiko-error";
 export type { InvalidTransitionDetails } from "./transition-details";
 export { buildInvalidTransitionDetails } from "./transition-details";
 export type { WriteErrorInfo, WriteFailure } from "./write-error-info";
-
 export {
   failNotFound,
   failTransition,

package/src/errors/to-kumiko-error.ts

@@ -0,0 +1,8 @@
+import { InternalError } from "./classes";
+import { isKumikoError, type KumikoError } from "./kumiko-error";
+
+export function toKumikoError(e: unknown): KumikoError {
+  if (isKumikoError(e)) return e;
+  if (e instanceof Error) return new InternalError({ cause: e });
+  return new InternalError({ message: String(e) });
+}

package/src/event-store/archive.ts

@@ -31,6 +31,7 @@ export const archivedStreamsTable = pgTable(
   }),
 );
 
+// guard:dup-ok — intentionale Parallele zu createSnapshotsTable; verschiedene Tabellen-Schemas by design
 export async function createArchivedStreamsTable(db: DbConnection): Promise<void> {
   // skip: table already exists — idempotent boot + test-setup call
   if (await tableExists(db, "public.kumiko_archived_streams")) return;

package/src/event-store/event-store.ts

@@ -14,6 +14,7 @@ import { stringifyJson } from "../utils/safe-json";
 import { isStreamArchived } from "./archive";
 import { VersionConflictError } from "./errors";
 import { eventsTable } from "./events-schema";
+import { toStoredEvent } from "./row-to-stored-event";
 
 export type EventMetadata = {
   readonly userId: string;
@@ -409,19 +410,3 @@ export async function* streamAllEventsByType(
     cursorId = nextCursor;
   }
 }
-
-function toStoredEvent(row: SelectedEvent): StoredEvent {
-  return {
-    id: String(row.id),
-    aggregateId: row.aggregateId,
-    aggregateType: row.aggregateType,
-    tenantId: row.tenantId,
-    version: row.version,
-    type: row.type,
-    eventVersion: row.eventVersion,
-    payload: row.payload,
-    metadata: row.metadata,
-    createdAt: row.createdAt,
-    createdBy: row.createdBy,
-  };
-}

package/src/event-store/index.ts

@@ -24,6 +24,7 @@ export {
   streamAllEventsByType,
 } from "./event-store";
 export { createEventsTable, eventsTable } from "./events-schema";
+export { toStoredEvent } from "./row-to-stored-event";
 export {
   createSnapshotsTable,
   type LoadAggregateWithSnapshotResult,

package/src/event-store/row-to-stored-event.ts

@@ -0,0 +1,34 @@
+import type { TenantId } from "../engine/types";
+import type { EventMetadata, StoredEvent } from "./event-store";
+
+// Minimal row shape accepted by toStoredEvent. Both SelectedEvent
+// (event-store) and StoredEventRow (event-dispatcher) satisfy it.
+type EventRow = {
+  readonly id: bigint;
+  readonly aggregateId: string;
+  readonly aggregateType: string;
+  readonly tenantId: TenantId;
+  readonly version: number;
+  readonly type: string;
+  readonly eventVersion: number;
+  readonly payload: Record<string, unknown>;
+  readonly metadata: EventMetadata;
+  readonly createdAt: Temporal.Instant;
+  readonly createdBy: string;
+};
+
+export function toStoredEvent(row: EventRow): StoredEvent {
+  return {
+    id: String(row.id),
+    aggregateId: row.aggregateId,
+    aggregateType: row.aggregateType,
+    tenantId: row.tenantId,
+    version: row.version,
+    type: row.type,
+    eventVersion: row.eventVersion,
+    payload: row.payload,
+    metadata: row.metadata,
+    createdAt: row.createdAt,
+    createdBy: row.createdBy,
+  };
+}

package/src/logging/__tests__/fallback-logger.test.ts

@@ -1,8 +1,8 @@
 // createFallbackLogger Unit-Tests (Phase 1, test-luecken-integration).
 //
-// Pinnt beide Pfade des Fallback-Loggers — inkl. des non-obvious
-// Format-Unterschieds: der wrapped-Pfad schreibt "[ns] msg", der
-// console-Fallback "[ns] msg:" (trailing colon).
+// Pinnt beide Pfade des Fallback-Loggers auf das identische
+// "[ns] msg"-Format — wrapped logger und console-Fallback dürfen
+// nicht divergieren (Log-Parser/Grep-Konsistenz).
 
 import { describe, expect, mock, spyOn, test } from "bun:test";
 import { createFallbackLogger } from "../utils";
@@ -30,7 +30,7 @@ describe("createFallbackLogger", () => {
   });
 
   describe("ohne logger (console-Fallback)", () => {
-    test("schreibt auf console.error mit [namespace]-Prefix UND trailing colon", () => {
+    test("schreibt auf console.error mit [namespace]-Prefix im selben Format wie wrapped", () => {
       const spy = spyOn(console, "error").mockImplementation(() => {});
       try {
         const fallback = createFallbackLogger("boot");
@@ -38,7 +38,7 @@ describe("createFallbackLogger", () => {
         fallback.error("no logger wired", { phase: "init" });
 
         expect(spy).toHaveBeenCalledTimes(1);
-        expect(spy).toHaveBeenCalledWith("[boot] no logger wired:", { phase: "init" });
+        expect(spy).toHaveBeenCalledWith("[boot] no logger wired", { phase: "init" });
       } finally {
         spy.mockRestore();
       }

package/src/logging/utils.ts

@@ -18,7 +18,7 @@ export function createFallbackLogger(
   return {
     error(msg, data) {
       // biome-ignore lint/suspicious/noConsole: ops-visible fallback when no logger is wired
-      console.error(`[${namespace}] ${msg}:`, data);
+      console.error(`[${namespace}] ${msg}`, data);
     },
   };
 }

package/src/migrations/projection-table-index.ts

@@ -5,31 +5,19 @@
 // Drizzle-frei: der Tabellen-Name kommt aus dem kumiko-Symbol das
 // buildEntityTable/buildEntityTableMeta an die Table-Definition hängt.
 
+import { extractTableName } from "../db";
 import type { Registry } from "../engine/types/feature";
 
-const KUMIKO_NAME_SYMBOL = Symbol.for("kumiko:schema:Name");
-
-function getTableName(table: unknown): string {
-  if (typeof table !== "object" || table === null) {
-    throw new Error("projection-table-index: table is not a table object");
-  }
-  const name = (table as Record<symbol, unknown>)[KUMIKO_NAME_SYMBOL];
-  if (typeof name !== "string") {
-    throw new Error("projection-table-index: table missing kumiko name symbol");
-  }
-  return name;
-}
-
 /** Index `tableName → projection-name` aus der Registry. Nur Projections mit
  *  table-Definition (single-stream + multi-stream-with-table) zählen.
  *  Side-effect-only MSPs (table omitted) haben keinen Rebuild-Sinn. */
 export function buildProjectionTableIndex(registry: Registry): ReadonlyMap<string, string> {
   const index = new Map<string, string>();
   for (const [name, def] of registry.getAllProjections()) {
-    index.set(getTableName(def.table), name);
+    index.set(extractTableName(def.table, `projection-table-index(${name})`), name);
   }
   for (const [name, def] of registry.getAllMultiStreamProjections()) {
-    if (def.table) index.set(getTableName(def.table), name);
+    if (def.table) index.set(extractTableName(def.table, `projection-table-index(${name})`), name);
   }
   return index;
 }

package/src/pipeline/__tests__/archive-stream.integration.test.ts

@@ -83,6 +83,26 @@ const archFeature = defineFeature("archtest", (r) => {
     { access: { roles: ["Admin"] } },
   );
 
+  r.writeHandler(
+    "item:update",
+    z.object({ id: z.uuid(), label: z.string() }),
+    async (event, ctx) =>
+      executor.update(
+        { id: event.payload.id, changes: { label: event.payload.label } },
+        event.user,
+        ctx.db,
+        { skipOptimisticLock: true },
+      ),
+    { access: { roles: ["Admin"] } },
+  );
+
+  r.writeHandler(
+    "item:delete",
+    z.object({ id: z.uuid() }),
+    async (event, ctx) => executor.delete({ id: event.payload.id }, event.user, ctx.db),
+    { access: { roles: ["Admin"] } },
+  );
+
   r.queryHandler(
     "item:events",
     z.object({ id: z.uuid() }),
@@ -217,4 +237,59 @@ describe("archiveStream — Marten ArchiveStream equivalent", () => {
     expect(err.tenantId).toBe(admin.tenantId);
     expect(err.name).toBe("ArchivedStreamError");
   });
+
+  // The CRUD executor appends via append() + getStreamVersion(), neither of
+  // which consults the archive flag. Without the executor-level guard a
+  // PATCH/DELETE would silently land an event on an archived stream — the
+  // read-only contract honoured by ctx.appendEvent would not extend to
+  // entity-CRUD writes. These prove the guard closes that gap on both paths.
+  describe("CRUD writes honour the archive guard", () => {
+    test("executor.update on an archived stream is rejected, no event lands", async () => {
+      const { id } = await stack.http.writeOk<{ id: string }>(
+        "archtest:write:item:create",
+        { label: "before-archive" },
+        admin,
+      );
+      await stack.http.writeOk("archtest:write:item:archive", { id }, admin);
+
+      const res = await stack.http.write(
+        "archtest:write:item:update",
+        { id, label: "too-late" },
+        admin,
+      );
+      expect(res.status).toBe(500);
+
+      const raw = await loadAggregateRaw(stack.db, id, admin.tenantId, { includeArchived: true });
+      expect(raw.map((e) => e.type)).not.toContain("arch-item.updated");
+    });
+
+    test("executor.delete on an archived stream is rejected, no event lands", async () => {
+      const { id } = await stack.http.writeOk<{ id: string }>(
+        "archtest:write:item:create",
+        { label: "keep-me" },
+        admin,
+      );
+      await stack.http.writeOk("archtest:write:item:archive", { id }, admin);
+
+      const res = await stack.http.write("archtest:write:item:delete", { id }, admin);
+      expect(res.status).toBe(500);
+
+      const raw = await loadAggregateRaw(stack.db, id, admin.tenantId, { includeArchived: true });
+      expect(raw.map((e) => e.type)).not.toContain("arch-item.deleted");
+    });
+
+    test("restoreStream re-opens the stream for CRUD updates", async () => {
+      const { id } = await stack.http.writeOk<{ id: string }>(
+        "archtest:write:item:create",
+        { label: "v1" },
+        admin,
+      );
+      await stack.http.writeOk("archtest:write:item:archive", { id }, admin);
+      await stack.http.writeOk("archtest:write:item:restore", { id }, admin);
+
+      await stack.http.writeOk("archtest:write:item:update", { id, label: "v2" }, admin);
+      const raw = await loadAggregateRaw(stack.db, id, admin.tenantId);
+      expect(raw.map((e) => e.type)).toEqual(["arch-item.created", "arch-item.updated"]);
+    });
+  });
 });