@cosmicdrift/kumiko-bundled-features 0.12.2 → 0.14.0

package/src/custom-fields/run-retention.ts

@@ -0,0 +1,215 @@
+// T1.5d — per-field retention sweep for the customFields jsonb.
+//
+// Iterates one host entity's rows, looks up every fieldDefinition with a
+// `retention` policy, and strips/nulls customField values whose host-row
+// `modified_at` is older than the policy's `keepFor`.
+//
+// Typically invoked by a daily cron in the consumer app — alongside (or
+// inside) the data-retention bundle's own cleanup job. We don't auto-
+// register a cron here because the consumer chooses the schedule, and
+// because some apps want to sweep multiple host entities in one run.
+//
+// Caveat: the reference timestamp is the *host row's* `modified_at`, not
+// a per-customField timestamp. A row's customField hasn't been touched
+// in `keepFor` only when the entire row hasn't been touched in `keepFor`
+// — for value-level granularity, future work needs a value-timestamp
+// jsonb shape, which would be a breaking schema change.
+
+import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { getTableName, sql } from "drizzle-orm";
+import type { PgTable } from "drizzle-orm/pg-core";
+import { parseSerializedField } from "./lib/parse-serialized-field";
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+
+// Lifted from data-retention/keep-for.ts because the helper isn't re-exported
+// from the bundle's public index. Same parser semantics: "/^\\d+[hdwmy]$/",
+// month = 30d, year = 365d, hour as exact unit. If data-retention exports it
+// in a future minor we can switch the import back.
+const KEEP_FOR_PATTERN = /^(\d+)([hdwmy])$/;
+const UNIT_TO_DAYS: Record<string, number> = { d: 1, w: 7, m: 30, y: 365 };
+
+function isPastCutoff(args: {
+  readonly referenceTimestamp: Instant;
+  readonly keepFor: string;
+  readonly now: Instant;
+}): boolean {
+  const match = args.keepFor.match(KEEP_FOR_PATTERN);
+  if (!match) return false;
+  const amount = Number.parseInt(match[1] ?? "0", 10);
+  const unit = match[2] ?? "";
+  const hours = unit === "h" ? amount : amount * (UNIT_TO_DAYS[unit] ?? 0) * 24;
+  const cutoff = args.now.subtract({ hours });
+  return getTemporal().Instant.compare(args.referenceTimestamp, cutoff) < 0;
+}
+
+export interface RunCustomFieldsRetentionOptions {
+  readonly db: DbRunner;
+  readonly tenantId: string;
+  readonly entityName: string;
+  readonly entityTable: PgTable;
+  /** Current time, injected for time-travel-tests. */
+  readonly now: Instant;
+}
+
+export interface CustomFieldsRetentionReport {
+  /** How many host rows were scanned (any customFields content). */
+  readonly rowsScanned: number;
+  /** How many host rows were updated because at least one key expired. */
+  readonly rowsUpdated: number;
+  /** Per-fieldKey count of expired-and-removed values. */
+  readonly removalsByFieldKey: Record<string, number>;
+}
+
+interface RetentionPolicy {
+  readonly keepFor: string;
+  readonly strategy: "delete" | "anonymize";
+}
+
+export async function runCustomFieldsRetention(
+  opts: RunCustomFieldsRetentionOptions,
+): Promise<CustomFieldsRetentionReport> {
+  const policies = await loadRetentionPolicies(opts.db, opts.tenantId, opts.entityName);
+  if (policies.size === 0) {
+    return { rowsScanned: 0, rowsUpdated: 0, removalsByFieldKey: {} };
+  }
+
+  const tableName = sql.identifier(getTableName(opts.entityTable));
+  const rowsResult = await opts.db.execute(sql`
+    SELECT id, modified_at, custom_fields
+    FROM ${tableName}
+    WHERE tenant_id = ${opts.tenantId} AND custom_fields IS NOT NULL
+  `);
+
+  const removalsByFieldKey: Record<string, number> = {};
+  let rowsUpdated = 0;
+  let rowsScanned = 0;
+
+  const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+  for (const raw of rows) {
+    rowsScanned++;
+    const row = asHostRow(raw);
+    // skip: see asHostRow rationale — defense in depth for driver shape drift.
+    if (!row) continue;
+    if (Object.keys(row.customFields).length === 0) continue;
+
+    const modifiedAt = parseInstant(row.modifiedAt);
+    // skip: rows without a parseable modified_at can't be aged against any
+    // cutoff, leave them untouched.
+    if (!modifiedAt) continue;
+
+    const removals: Array<{ key: string; strategy: "delete" | "anonymize" }> = [];
+    for (const [fieldKey, policy] of policies) {
+      if (!(fieldKey in row.customFields)) continue;
+      const expired = isPastCutoff({
+        referenceTimestamp: modifiedAt,
+        keepFor: policy.keepFor,
+        now: opts.now,
+      });
+      if (expired) {
+        removals.push({ key: fieldKey, strategy: policy.strategy });
+      }
+    }
+
+    // skip: nothing on this row aged out — no UPDATE needed.
+    if (removals.length === 0) continue;
+
+    const mutated: Record<string, unknown> = { ...row.customFields };
+    for (const { key, strategy } of removals) {
+      if (strategy === "delete") {
+        delete mutated[key];
+      } else {
+        mutated[key] = null;
+      }
+      removalsByFieldKey[key] = (removalsByFieldKey[key] ?? 0) + 1;
+    }
+
+    await opts.db.execute(sql`
+      UPDATE ${tableName}
+      SET custom_fields = ${JSON.stringify(mutated)}::jsonb
+      WHERE id = ${row.id}
+    `);
+    rowsUpdated++;
+  }
+
+  return { rowsScanned, rowsUpdated, removalsByFieldKey };
+}
+
+interface HostRow {
+  readonly id: string;
+  readonly modifiedAt: unknown;
+  readonly customFields: Record<string, unknown>;
+}
+
+function asHostRow(value: unknown): HostRow | null {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  if (!("id" in value) || typeof value.id !== "string") return null;
+  if (!("custom_fields" in value)) return null;
+  const cf = value.custom_fields;
+  if (!cf || typeof cf !== "object" || Array.isArray(cf)) return null;
+  return {
+    id: value.id,
+    modifiedAt: "modified_at" in value ? value.modified_at : null,
+    customFields: Object.fromEntries(Object.entries(cf)),
+  };
+}
+
+interface FieldDefinitionRow {
+  readonly field_key: string;
+  readonly serialized_field: unknown;
+}
+
+function isFieldDefinitionRow(value: unknown): value is FieldDefinitionRow {
+  if (!value || typeof value !== "object") return false;
+  if (!("field_key" in value)) return false;
+  return typeof value.field_key === "string";
+}
+
+async function loadRetentionPolicies(
+  db: DbRunner,
+  tenantId: string,
+  entityName: string,
+): Promise<Map<string, RetentionPolicy>> {
+  const rowsResult = await db.execute(sql`
+    SELECT field_key, serialized_field
+    FROM read_custom_field_definitions
+    WHERE entity_name = ${entityName} AND tenant_id = ${tenantId}
+  `);
+  const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+  const out = new Map<string, RetentionPolicy>();
+  for (const raw of rows) {
+    // skip: see asHostRow rationale.
+    if (!isFieldDefinitionRow(raw)) continue;
+    const parsed = parseSerializedField(raw.serialized_field);
+    if (parsed?.retention) {
+      out.set(raw.field_key, parsed.retention);
+    }
+  }
+  return out;
+}
+
+interface InstantLike {
+  readonly epochMilliseconds: number;
+}
+
+function isInstantLike(value: unknown): value is InstantLike {
+  if (!value || typeof value !== "object") return false;
+  if (!("epochMilliseconds" in value)) return false;
+  return typeof value.epochMilliseconds === "number";
+}
+
+function parseInstant(value: unknown): Instant | null {
+  if (value == null) return null;
+  const T = getTemporal();
+  try {
+    if (typeof value === "string") return T.Instant.from(value);
+    // `Number(date)` on a Date instance returns epoch-ms — matches getTime()
+    // without tripping the no-date-api guard.
+    if (value instanceof Date) return T.Instant.fromEpochMilliseconds(Number(value));
+    if (isInstantLike(value)) return T.Instant.fromEpochMilliseconds(value.epochMilliseconds);
+    return null;
+  } catch {
+    return null;
+  }
+}

package/src/custom-fields/schemas.ts

@@ -4,6 +4,21 @@ import { SUPPORTED_FIELD_TYPES } from "./constants";
 // Field-Type-Validator — pinnt valid type-Werte für fieldDefinition.
 const fieldTypeSchema = z.enum(SUPPORTED_FIELD_TYPES);
 
+// Per-field access-control. When set, `set/clear-custom-field` handlers
+// require the calling user to hold at least one of the listed roles —
+// in addition to the handler-level RBAC. Absent or empty `write` means
+// the handler-level RBAC is the only gate.
+//
+// `read` is reserved for the postQuery-flatten pipeline (T1.5c+); not
+// enforced in T1.5b.
+export const customFieldAccessSchema = z
+  .object({
+    read: z.array(z.string()).optional(),
+    write: z.array(z.string()).optional(),
+  })
+  .optional();
+export type CustomFieldAccess = z.infer<typeof customFieldAccessSchema>;
+
 // Serialized-field-jsonb — was als `serializedField`-Spalte gespeichert wird.
 // In v1 noch nicht strict-typed pro field-type (das kommt in B2 wenn die
 // Stammfeld-Builder-Schemas exposed sind). Hier nur die Struktur-Garantie.
@@ -18,13 +33,31 @@ const fieldTypeSchema = z.enum(SUPPORTED_FIELD_TYPES);
 //   money:    { type: "money", required: false, currency: "EUR" }
 //   embedded: { type: "embedded", required: false, schema: { ... } }
 //
-// In B1 akzeptieren wir alle Variants als Generic-jsonb-Payload mit nur dem
-// `type`-Pflichtfeld validiert. B2 wird die volle discriminated-union mit
-// per-type-options anschließen — sobald die Stammfeld-Field-Builder-Schemas
-// exportiert sind.
+// `fieldAccess` (T1.5b) and `sensitive` (T1.5c) are the structured keys
+// recognised by the handlers / user-data-rights wiring. Everything else
+// stays loose pending B2's per-type discriminated-union.
 const serializedFieldSchema = z
   .looseObject({
     type: fieldTypeSchema,
+    fieldAccess: customFieldAccessSchema,
+    // `sensitive: true` marks the field as PII — the user-data-rights
+    // wiring (wireCustomFieldsUserDataRightsFor) removes its value from
+    // the host row's customFields jsonb on user-forget when the strategy
+    // is "anonymize". Non-sensitive fields are untouched.
+    sensitive: z.boolean().optional(),
+    // `retention` (T1.5d): per-field expiry. The retention-cron strips
+    // values whose host-row `modified_at` is older than `keepFor`. Strategy
+    // `delete` removes the key from the customFields jsonb; `anonymize`
+    // sets it to `null` (key stays, value gone — preserves the schema
+    // shape for downstream consumers).
+    retention: z
+      .object({
+        keepFor: z
+          .string()
+          .regex(/^\d+[hdwmy]$/, "keepFor must match /^\\d+[hdwmy]$/ (e.g. '30d', '10y')"),
+        strategy: z.enum(["delete", "anonymize"]),
+      })
+      .optional(),
   })
   .refine((v) => typeof v["type"] === "string", "serializedField must have a string `type`");
 

package/src/custom-fields/wire-for-entity.ts

@@ -0,0 +1,162 @@
+import {
+  createJsonbField,
+  type FeatureRegistrar,
+  type JsonbFieldDef,
+} from "@cosmicdrift/kumiko-framework/engine";
+import type { AnyColumn } from "drizzle-orm";
+import { eq, sql } from "drizzle-orm";
+import type { PgTable } from "drizzle-orm/pg-core";
+import { CUSTOM_FIELDS_EXTENSION } from "./constants";
+import type { CustomFieldClearedPayload, CustomFieldSetPayload } from "./events";
+import { customFieldsFeature } from "./feature";
+
+// Helper für entity-definitions — fügt eine `customFields jsonb`-Spalte
+// hinzu. Consumer:
+//
+//   const propertyEntity = createEntity({
+//     fields: {
+//       name: createTextField({ required: true }),
+//       customFields: customFieldsField(),
+//     },
+//   });
+//
+// Spec-Promise: customFields verhält sich wie Stammfelder. Default `{}`,
+// NOT NULL — analog zu embedded-Spalten.
+export function customFieldsField(): JsonbFieldDef {
+  return createJsonbField();
+}
+
+// Vollständige integration der custom-fields-Bundle für eine spezifische
+// host-entity. Eine einzige Aufruf-Stelle pro consumer registriert ALLE
+// wiring-Aspekte: extension-tracking, MSP für value-projection, postQuery-
+// hook für API-flatten, search-payload-extension für indexable customFields.
+//
+// Consumer-side:
+//
+//   defineFeature("property-mgmt", (r) => {
+//     r.entity("property", propertyEntity);  // muss customFieldsField() haben
+//     r.requires(CUSTOM_FIELDS_FEATURE_NAME);
+//     wireCustomFieldsFor(r, "property", propertyTable);
+//   });
+//
+// Der `entityTable`-Parameter ist die Drizzle-Table-Instance (typically
+// `buildDrizzleTable(name, entity)`-Output). Die Closure über `entityTable`
+// erspart der MSP-apply-fn einen runtime-table-lookup über die Registry.
+//
+// **Was registriert wird**:
+//
+//   1. r.useExtension("customFields", entityName) — opt-in marker,
+//      ermöglicht boot-validation und usage-tracking via Registry.
+//
+//   2. r.multiStreamProjection — consumes customField.set/.cleared events
+//      die customer's set-custom-field / clear-custom-field write-handlers
+//      emittiert haben. Updated entityTable.customFields jsonb über
+//      jsonb_set / jsonb-key-removal.
+//
+//   3. r.entityHook("postQuery", entity, flatten-fn) — bei JEDEM Read auf
+//      diese entity wird `row.customFields` jsonb auf root-level expanded
+//      damit die API-response wie Stammfelder aussieht.
+//
+//   4. r.searchPayloadExtension(entity, contributor) — searchable
+//      customFields-keys werden flach ins Meilisearch-Index-Doc beigetragen
+//      (F3-wiring).
+//
+//   5. fieldDefinition.deleted-Event-Handler im selben MSP — bei delete
+//      einer fieldDefinition werden orphan values aus allen entity-rows
+//      entfernt (key-removal pro fieldKey).
+export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
+  r: TReg,
+  entityName: string,
+  entityTable: PgTable,
+): void {
+  // biome-ignore lint/correctness/useHookAtTopLevel: r.useExtension is a registrar-API method, not a React hook — false positive on the "use"-prefix heuristic.
+  r.useExtension(CUSTOM_FIELDS_EXTENSION, entityName);
+
+  // Qualified event-type-names — sourced from typed EventDef.name handles
+  // (compile-time literal-typed, no Template-Literal-Drift à la toKebab-
+  // collapse-bug die T1 aufgedeckt hat).
+  const setEventType = customFieldsFeature.exports.setEvent.name;
+  const clearedEventType = customFieldsFeature.exports.clearedEvent.name;
+  const fieldDefDeletedType = customFieldsFeature.exports.fieldDefinitionDeletedEvent.name;
+
+  r.multiStreamProjection({
+    name: `custom-fields-${entityName}-projection`,
+    apply: {
+      [setEventType]: async (event, tx) => {
+        // skip: MSP feuert für ALLE aggregate-types die customField.set
+        // emittieren — wir wollen nur die unserer wired host-entity.
+        // Andere consumers haben eigene MSPs für ihre Entities.
+        if (event.aggregateType !== entityName) return;
+        const payload = event.payload as CustomFieldSetPayload; // @cast-boundary engine-payload
+
+        // jsonb_set: setze key auf value. Wenn key noch nicht existiert →
+        // wird angelegt (create_missing=true ist default). value muss als
+        // jsonb-literal kommen — Drizzle sql-template stringifiziert für uns.
+        const idCol = (entityTable as unknown as Record<string, AnyColumn>)["id"] as AnyColumn; // @cast-boundary db-row
+        await tx
+          .update(entityTable)
+          .set({
+            customFields: sql`jsonb_set(${sql.identifier("custom_fields")}, ${sql.raw(`'{${payload.fieldKey.replace(/'/g, "''")}}'`)}, ${JSON.stringify(payload.value)}::jsonb, true)`,
+          })
+          .where(eq(idCol, event.aggregateId));
+      },
+      [clearedEventType]: async (event, tx) => {
+        // skip: MSP feuert für alle aggregate-types — nur unsere host-entity
+        // verarbeiten.
+        if (event.aggregateType !== entityName) return;
+        const payload = event.payload as CustomFieldClearedPayload; // @cast-boundary engine-payload
+
+        // jsonb minus operator (`-`) entfernt key aus jsonb-object.
+        const idCol = (entityTable as unknown as Record<string, AnyColumn>)["id"] as AnyColumn; // @cast-boundary db-row
+        await tx
+          .update(entityTable)
+          .set({
+            customFields: sql`${sql.identifier("custom_fields")} - ${payload.fieldKey}`,
+          })
+          .where(eq(idCol, event.aggregateId));
+      },
+      [fieldDefDeletedType]: async (event, tx) => {
+        // fieldDefinition.deleted fires nur einmal pro fieldDef-delete
+        // (NICHT per-entity). Wir entfernen den key aus ALLEN rows der host-
+        // entity falls die deleted-fieldDef für diese entity galt.
+        const payload = event.payload as { entityName: string; fieldKey: string }; // @cast-boundary engine-payload
+        // skip: fieldDefinition.deleted feuert für ALLE fieldDefs cross-entity;
+        // nur wenn die deleted-fieldDef diese host-entity betraf, cleanen wir
+        // ihre Rows.
+        if (payload.entityName !== entityName) return;
+
+        await tx.update(entityTable).set({
+          customFields: sql`${sql.identifier("custom_fields")} - ${payload.fieldKey}`,
+        });
+      },
+    },
+  });
+
+  // postQuery-hook: flatten row.customFields jsonb auf root-level der
+  // API-response. Spec-Promise Z.4 "indistinguishable von Stammfeldern".
+  r.entityHook("postQuery", entityName, async ({ rows }) => ({
+    rows: rows.map((row) => {
+      const customFields = row["customFields"];
+      if (customFields && typeof customFields === "object" && !Array.isArray(customFields)) {
+        return {
+          ...row,
+          ...(customFields as Record<string, unknown>), // @cast-boundary db-row jsonb runtime-untyped
+        };
+      }
+      return row;
+    }),
+  }));
+
+  // Search-Payload-Extension: customFields-keys flach ins Index-Doc.
+  // Anders als postQuery-hook (der ALLE keys merged) trägt der Search-
+  // Contributor nur die als searchable=true definierten fields bei. v1
+  // ist conservatively: ALLES contribuieren — B2-follow-up filtert
+  // per fieldDefinition.searchable-flag.
+  r.searchPayloadExtension(entityName, ({ state }) => {
+    const customFields = state["customFields"];
+    if (customFields && typeof customFields === "object" && !Array.isArray(customFields)) {
+      return customFields as Record<string, unknown>; // @cast-boundary db-row jsonb runtime-untyped
+    }
+    return {};
+  });
+}

package/src/custom-fields/wire-user-data-rights.ts

@@ -0,0 +1,169 @@
+// T1.5c — user-data-rights wiring for custom-fields.
+//
+// A consumer that wires `customFields` onto a user-owned host entity
+// (e.g. `comment`, `note`, anything with an inserted_by_id column) calls
+// this in addition to `wireCustomFieldsFor`:
+//
+//   wireCustomFieldsFor(r, "comment", commentTable);
+//   wireCustomFieldsUserDataRightsFor(r, {
+//     entityName: "comment",
+//     entityTable: commentTable,
+//     userIdColumn: "inserted_by_id",
+//   });
+//
+// Result: a second `r.useExtension(EXT_USER_DATA, "comment", { export, delete })`
+// registration whose hooks read/write the customFields jsonb column.
+//
+// **Export** — every row owned by the user is included; the full customFields
+// jsonb travels into the user's export bundle so they can see *all* their
+// custom-field data, sensitive or not (DSGVO Art. 15+20 — completeness wins).
+//
+// **Forget (strategy=anonymize)** — only `sensitive=true` customField keys are
+// stripped from the jsonb (`customFields - 'sensitiveKey1' - 'sensitiveKey2'`).
+// Non-sensitive customFields stay so the row remains useful to other tenants
+// / co-authors. Matches the host-entity anonymize-then-keep contract.
+//
+// **Forget (strategy=delete)** — no-op. The host entity's own user-data-rights
+// hook will delete the row entirely; jsonb goes with it.
+//
+// Side-step: this wiring requires `user-data-rights` to be installed in the
+// composed feature set; if it's not, the boot-validator will reject the
+// extension as unknown. That is the consumer's call — it's explicitly opt-in
+// (call this function or don't), exactly because some consumers wire custom-
+// fields onto tenant-owned entities (e.g. `property`) where DSGVO forget
+// doesn't apply per-user.
+
+import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
+import { EXT_USER_DATA, type FeatureRegistrar } from "@cosmicdrift/kumiko-framework/engine";
+import { getTableName, sql } from "drizzle-orm";
+import type { PgTable } from "drizzle-orm/pg-core";
+import { parseSerializedField } from "./lib/parse-serialized-field";
+
+export interface WireCustomFieldsUserDataRightsOptions {
+  /** Host entity name as registered with wireCustomFieldsFor. */
+  readonly entityName: string;
+  /** Drizzle table for the host entity. Must have a `customFields` jsonb column. */
+  readonly entityTable: PgTable;
+  /**
+   * Snake-case DB column that holds the owning user's id (e.g. `inserted_by_id`,
+   * `author_id`, `assignee_id`). The hooks filter rows on this + tenant_id.
+   */
+  readonly userIdColumn: string;
+}
+
+interface CustomFieldsHostRow {
+  readonly id: string;
+  readonly customFields: Record<string, unknown> | null;
+}
+
+// Drizzle's raw `execute(sql\`SELECT id, custom_fields\`)` returns rows
+// keyed in db-column casing (snake_case), not the field-mapping casing.
+// The typeguard normalises into the camel-cased internal shape so the
+// rest of the hook can stay JS-idiomatic. `in` + `instanceof Object` keep
+// the narrowing cast-free.
+function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  if (!("id" in value) || typeof value.id !== "string") return null;
+  if (!("custom_fields" in value)) return null;
+  const cf = value.custom_fields;
+  if (cf === null) return { id: value.id, customFields: null };
+  if (!cf || typeof cf !== "object" || Array.isArray(cf)) return null;
+  // Object.entries on a narrowed `object` returns `[string, unknown][]` —
+  // fromEntries widens that back into a typed Record without a cast.
+  return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };
+}
+
+export function wireCustomFieldsUserDataRightsFor<TReg extends FeatureRegistrar<string>>(
+  r: TReg,
+  opts: WireCustomFieldsUserDataRightsOptions,
+): void {
+  const tableName = sql.identifier(getTableName(opts.entityTable));
+  const userCol = sql.identifier(opts.userIdColumn);
+
+  const exportHook: UserDataExportHook = async (ctx) => {
+    const rowsResult = await ctx.db.execute(sql`
+      SELECT id, custom_fields
+      FROM ${tableName}
+      WHERE ${userCol} = ${ctx.userId} AND tenant_id = ${ctx.tenantId}
+    `);
+    const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+    const snippetRows: Array<{ id: string; customFields: Record<string, unknown> }> = [];
+    for (const raw of rows) {
+      const row = asCustomFieldsHostRow(raw);
+      // skip: drizzle-execute can hand back loosely-typed rows from raw
+      // queries; if a row's shape doesn't fit, skip rather than guess.
+      // Real schemas always match — this is defense in depth.
+      if (!row) continue;
+      const customFields = row.customFields;
+      if (customFields && Object.keys(customFields).length > 0) {
+        snippetRows.push({ id: row.id, customFields });
+      }
+    }
+    if (snippetRows.length === 0) return null;
+    return { entity: `${opts.entityName}.customFields`, rows: snippetRows };
+  };
+
+  const deleteHook: UserDataDeleteHook = async (ctx, strategy) => {
+    // skip: strategy=delete is handled by the host entity's own user-
+    // data-rights hook (it removes the row; customFields jsonb travels
+    // with it). Nothing left for this layer to do.
+    if (strategy === "delete") return;
+    const sensitiveKeys = await loadSensitiveFieldKeys(ctx.db, ctx.tenantId, opts.entityName);
+    // skip: no sensitive keys declared for this entity → anonymize is a
+    // no-op. Avoids a useless UPDATE statement.
+    if (sensitiveKeys.length === 0) return;
+
+    // Build the chain of jsonb minus operators: customFields - 'k1' - 'k2' - ...
+    const minusChain = sensitiveKeys.reduce<ReturnType<typeof sql>>(
+      (acc, key) => sql`${acc} - ${key}`,
+      sql`custom_fields`,
+    );
+    await ctx.db.execute(sql`
+      UPDATE ${tableName}
+      SET custom_fields = ${minusChain}
+      WHERE ${userCol} = ${ctx.userId} AND tenant_id = ${ctx.tenantId}
+    `);
+  };
+
+  // r.useExtension's options-bag accepts a structural object — pass the
+  // hooks inline so TS sees the literal-typed shape and Drizzle's strict
+  // mode doesn't reject the nominal UserDataExtensionHooks branding.
+  // biome-ignore lint/correctness/useHookAtTopLevel: r.useExtension is a registrar API, not a React hook.
+  r.useExtension(EXT_USER_DATA, opts.entityName, {
+    export: exportHook,
+    delete: deleteHook,
+  });
+}
+
+interface FieldDefinitionRow {
+  readonly field_key: string;
+  readonly serialized_field: unknown;
+}
+
+function isFieldDefinitionRow(value: unknown): value is FieldDefinitionRow {
+  if (!value || typeof value !== "object") return false;
+  if (!("field_key" in value)) return false;
+  return typeof value.field_key === "string";
+}
+
+async function loadSensitiveFieldKeys(
+  db: Parameters<UserDataExportHook>[0]["db"],
+  tenantId: string,
+  entityName: string,
+): Promise<string[]> {
+  const rowsResult = await db.execute(sql`
+    SELECT field_key, serialized_field
+    FROM read_custom_field_definitions
+    WHERE entity_name = ${entityName} AND tenant_id = ${tenantId}
+  `);
+  const rows: ReadonlyArray<unknown> = Array.isArray(rowsResult) ? rowsResult : [];
+  const keys: string[] = [];
+  for (const raw of rows) {
+    // skip: see isCustomFieldsHostRow rationale — defense in depth against
+    // driver shape drift.
+    if (!isFieldDefinitionRow(raw)) continue;
+    const parsed = parseSerializedField(raw.serialized_field);
+    if (parsed?.sensitive === true) keys.push(raw.field_key);
+  }
+  return keys;
+}

package/src/rate-limiting/constants.ts

@@ -1,4 +1,4 @@
-export const RATE_LIMITING_FEATURE = "rateLimiting" as const;
+export const RATE_LIMITING_FEATURE = "rate-limiting" as const;
 
 export const RateLimitQueries = {
   status: "rate-limiting:query:status",

package/src/rate-limiting/feature.ts

@@ -10,7 +10,7 @@ import { rateLimitStatus } from "./handlers/status.query";
 // only use L3 (handler-opt-in) and don't need ops introspection can
 // skip this feature entirely — the resolver still runs.
 export function createRateLimitingFeature() {
-  return defineFeature("rateLimiting", (r) => {
+  return defineFeature("rate-limiting", (r) => {
     r.queryHandler(rateLimitStatus);
   });
 }

package/src/renderer-simple/feature.ts

@@ -26,7 +26,7 @@ export async function adaptToFoundation(req: RenderRequest): Promise<RenderRespo
 }
 
 export function createRendererSimpleFeature(): FeatureDefinition {
-  return defineFeature("rendererSimple", (r) => {
+  return defineFeature("renderer-simple", (r) => {
     r.requires("renderer-foundation");
 
     r.useExtension("renderer", "simple", {

package/src/template-resolver/table.ts

@@ -21,7 +21,9 @@ export const templateResourceEntity = createEntity({
     slug: createTextField({ required: true }),
     kind: createSelectField({ required: true, options: [...RENDER_KINDS] }),
     locale: createTextField({ required: true }),
-    content: createLongTextField({}),
+    // Template-body is authored by TenantAdmin/Operator (email-templates etc.),
+    // business data — kein end-user UGC.
+    content: createLongTextField({ allowPlaintext: "is-business-data" }),
     contentFormat: createSelectField({ required: true, options: [...CONTENT_FORMATS] }),
     variableSchema: createLongTextField({}),
     linkedResources: createLongTextField({}),

package/src/tenant/invitation-table.ts

@@ -57,7 +57,8 @@ export const tenantInvitationEntity = createEntity({
   table: "read_tenant_invitations",
   fields: {
     // Eingeladene Email — case-insensitive normalisiert beim Insert.
-    email: createTextField({ required: true, maxLength: 320 }),
+    // PII bis zur Annahme (danach hat der User selbst seine email in users).
+    email: createTextField({ required: true, maxLength: 320, pii: true }),
     // Membership-Rolle die dem User nach Accept gegeben wird. Default
     // im handler ist "Admin" (Co-Admin-Pattern für kleine Teams).
     role: createTextField({ required: true, maxLength: 50 }),

package/src/text-content/table.ts

@@ -15,7 +15,9 @@ export const textBlockEntity = createEntity({
     slug: createTextField({ required: true }),
     lang: createTextField({ required: true }),
     title: createTextField({ required: true }),
-    body: createTextField({}),
+    // Body is CMS-content authored by TenantAdmin/SystemAdmin (legal pages,
+    // FAQ, ToS, marketing) — business data, not user-generated content.
+    body: createTextField({ allowPlaintext: "is-business-data" }),
     // V.1.4: explicit folder-Hierarchie statt `:`-Encoding im Slug.
     // Visual-Tree gruppiert nach diesem Field; null/undefined → root.
     // Pflicht-Constraint im set.write-Schema (kebab-only wie slug,