@cosmicdrift/kumiko-bundled-features 0.16.0 → 0.18.0

package/src/custom-fields/handlers/set-custom-field.write.ts

@@ -2,7 +2,8 @@ import type { WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
 import { failNotFound, failUnprocessable } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { customFieldsFeature } from "../feature";
-import { checkFieldAccessForWrite } from "../lib/field-access";
+import { fieldWriteAccessDeniedRoles, loadFieldDefinition } from "../lib/field-access";
+import { buildCustomFieldValueSchema } from "../lib/value-schema";
 
 export const setCustomFieldPayloadSchema = z.object({
   entityName: z.string().min(1).max(64),
@@ -24,16 +25,18 @@ export type SetCustomFieldPayload = z.infer<typeof setCustomFieldPayloadSchema>;
 // concurrent writes auf gleiches Field gehen beide durch (Plan-Doc v2
 // Concurrency-Tabelle).
 //
-// **WAS DIESER HANDLER NICHT MACHT (yet)**:
-//   - Validation des Werts gegen fieldDefinition-type (B2-todo: rehydriere
-//     r.field.X() aus serializedField, .schema.safeParse(value))
-//   - cap-counter-quota-Check (T1.5e)
-// → Diese Aspekte kommen als Folgekommits oder durch consumer-side hooks.
+// **Write-Pfad (Single-Fetch)** — eine fieldDefinition-Ladung, drei Gates:
+//   1. Definition fehlt → 404.
+//   2. field-access (T1.5b): fieldAccess.write-Rollen müssen intersecten, sonst
+//      403/422. Handler-level RBAC (TenantAdmin/Member) bleibt zusätzlich.
+//   3. Value-Validation (Builder-Reuse): der Wert wird gegen das aus
+//      serializedField rehydrierte fieldToZod-Schema geparst. Type-Mismatch →
+//      422, KEIN Event entsteht (Projection bleibt typed — Plan-Doc
+//      Stammfeld-Identität). `value: null` auf einem typisierten Feld ist ein
+//      Type-Mismatch → 422; zum Entfernen eines Werts dient clear-custom-field.
 //
-// **WAS NEU IST (T1.5b)**:
-//   - field-access-check: wenn fieldDefinition.serializedField.fieldAccess.write
-//     gesetzt ist, muss der calling user mindestens eine der Rollen halten.
-//     Handler-level RBAC (TenantAdmin/Member) bleibt zusätzlich.
+// Scope: NUR Type-Validation. Required-on-set + Default-Application sind
+// out-of-scope (Plan-Doc "Stammfeld-Identität" listet sie als eigene Zeilen).
 export const setCustomFieldHandler: WriteHandlerDef = {
   name: "set-custom-field",
   schema: setCustomFieldPayloadSchema,
@@ -41,23 +44,36 @@ export const setCustomFieldHandler: WriteHandlerDef = {
   handler: async (event, ctx) => {
     const payload = event.payload as SetCustomFieldPayload; // @cast-boundary engine-payload
 
-    const accessCheck = await checkFieldAccessForWrite(
+    const loaded = await loadFieldDefinition(
       ctx.db,
       event.user.tenantId,
       payload.entityName,
       payload.fieldKey,
-      event.user.roles,
     );
-    if (!accessCheck.ok) {
-      if (accessCheck.reason === "field_definition_not_found") {
-        return failNotFound("fieldDefinition", payload.fieldKey);
-      }
+    if (!loaded.found) {
+      return failNotFound("fieldDefinition", payload.fieldKey);
+    }
+
+    const deniedRoles = fieldWriteAccessDeniedRoles(loaded.field, event.user.roles);
+    if (deniedRoles) {
       return failUnprocessable("field_access_denied", {
         fieldKey: payload.fieldKey,
-        requiredRoles: accessCheck.requiredRoles ?? [],
+        requiredRoles: deniedRoles,
       });
     }
 
+    const valueSchema = buildCustomFieldValueSchema(loaded.field);
+    if (valueSchema) {
+      const parsed = valueSchema.safeParse(payload.value);
+      if (!parsed.success) {
+        return failUnprocessable("custom_field_value_invalid", {
+          fieldKey: payload.fieldKey,
+          fieldType: loaded.field?.type,
+          issues: parsed.error.issues.map((i) => i.message),
+        });
+      }
+    }
+
     // Emit customField.set on host-aggregate stream. unsafeAppendEvent
     // (statt strict appendEvent) weil event-type-map keine cross-feature-
     // augmentation für diesen event-typ hat — wir nutzen den qualified

package/src/custom-fields/lib/field-access.ts

@@ -1,8 +1,10 @@
 // T1.5b — per-field write access-check for the set/clear handlers.
+// Plus single-fetch loader so set-custom-field can run access-check AND
+// value-validation off one DB read (no double fetch).
 
 import type { TenantDb } from "@cosmicdrift/kumiko-framework/db";
 import { selectSerializedFieldDefinition } from "../db/queries/field-access";
-import { parseSerializedField } from "./parse-serialized-field";
+import { parseSerializedField, type SerializedFieldShape } from "./parse-serialized-field";
 
 export type FieldAccessCheckResult =
   | { ok: true }
@@ -12,6 +14,37 @@ export type FieldAccessCheckResult =
       requiredRoles?: ReadonlyArray<string>;
     };
 
+export type LoadedFieldDefinition =
+  | { found: false }
+  // `field` is null when the row exists but its serialized_field is corrupt —
+  // callers treat that as "no restriction / no schema" (lenient), distinct
+  // from `found: false` (no definition → 404).
+  | { found: true; field: SerializedFieldShape | null };
+
+export async function loadFieldDefinition(
+  db: TenantDb,
+  tenantId: string,
+  entityName: string,
+  fieldKey: string,
+): Promise<LoadedFieldDefinition> {
+  const serialized = await selectSerializedFieldDefinition(db, tenantId, entityName, fieldKey);
+  if (serialized === null) return { found: false };
+  return { found: true, field: parseSerializedField(serialized) };
+}
+
+// Pure access-check on an already-loaded definition. Returns the required
+// roles when the caller is denied, or `null` when access is allowed.
+export function fieldWriteAccessDeniedRoles(
+  field: SerializedFieldShape | null,
+  userRoles: ReadonlyArray<string>,
+): ReadonlyArray<string> | null {
+  const required = field?.fieldAccess?.write;
+  if (!required || required.length === 0) return null;
+  return userRoles.some((role) => required.includes(role)) ? null : required;
+}
+
+// Convenience wrapper retained for clear-custom-field (no value-validation
+// needed there) — does the load + access-check in one call.
 export async function checkFieldAccessForWrite(
   db: TenantDb,
   tenantId: string,
@@ -19,18 +52,10 @@ export async function checkFieldAccessForWrite(
   fieldKey: string,
   userRoles: ReadonlyArray<string>,
 ): Promise<FieldAccessCheckResult> {
-  const serialized = await selectSerializedFieldDefinition(db, tenantId, entityName, fieldKey);
-  if (serialized === null) {
-    return { ok: false, reason: "field_definition_not_found" };
-  }
-
-  const parsed = parseSerializedField(serialized);
-  if (!parsed) return { ok: true };
+  const loaded = await loadFieldDefinition(db, tenantId, entityName, fieldKey);
+  if (!loaded.found) return { ok: false, reason: "field_definition_not_found" };
 
-  const required = parsed.fieldAccess?.write;
-  if (!required || required.length === 0) {
-    return { ok: true };
-  }
-  const hit = userRoles.some((role) => required.includes(role));
-  return hit ? { ok: true } : { ok: false, reason: "field_access_denied", requiredRoles: required };
+  const deniedRoles = fieldWriteAccessDeniedRoles(loaded.field, userRoles);
+  if (!deniedRoles) return { ok: true };
+  return { ok: false, reason: "field_access_denied", requiredRoles: deniedRoles };
 }

package/src/custom-fields/lib/value-schema.ts

@@ -0,0 +1,45 @@
+import {
+  DEFAULT_CURRENCIES,
+  type FieldDefinition,
+  fieldToZod,
+} from "@cosmicdrift/kumiko-framework/engine";
+import type { z } from "zod";
+
+// Builds a Zod schema that validates a custom-field VALUE against its
+// fieldDefinition. Reuses the framework's `fieldToZod` (Builder-Reuse /
+// Stammfeld-Identität, Plan-Doc) — one field-type-schema source, no drift
+// between Stammfeld- and Custom-Field-validation.
+//
+// Vocabulary bridge: custom-fields expose `enum` (Plan + `r.field.enum([...])`)
+// where the framework's FieldDefinition calls the equivalent type `select`
+// with an `options` array. This single boundary translates it; everything
+// else is already FieldDefinition-shaped (the serialized dehydrated builder).
+//
+// Returns `null` when the serialized field is unparseable or names a type
+// `fieldToZod` cannot interpret — callers then skip value-validation rather
+// than hard-rejecting a field they cannot understand.
+export function buildCustomFieldValueSchema(parsedField: unknown): z.ZodTypeAny | null {
+  if (!parsedField || typeof parsedField !== "object") return null;
+  const obj = parsedField as Record<string, unknown>;
+  if (typeof obj["type"] !== "string") return null;
+
+  const fieldDef =
+    obj["type"] === "enum"
+      ? { ...obj, type: "select", options: obj["values"] ?? obj["options"] ?? [] }
+      : obj;
+
+  // fieldToZod's money case validates `currency` against the passed list, not
+  // a field-level key — so surface the field's own currency when it declares
+  // one, else fall back to the framework defaults.
+  const currencies =
+    typeof obj["currency"] === "string" ? [obj["currency"] as string] : DEFAULT_CURRENCIES;
+
+  try {
+    // @cast-boundary serialized-field is the dehydrated r.field.X() output =
+    // a FieldDefinition; fieldToZod reads only its type-specific keys (the
+    // extra fieldAccess/sensitive/retention/label keys are ignored).
+    return fieldToZod(fieldDef as unknown as FieldDefinition, currencies);
+  } catch {
+    return null;
+  }
+}

package/src/custom-fields/run-retention.ts

@@ -132,7 +132,7 @@ export async function runCustomFieldsRetention(
       removalsByFieldKey[key] = (removalsByFieldKey[key] ?? 0) + 1;
     }
 
-    await updateHostRowCustomFields(opts.db, tableName, JSON.stringify(mutated), row.id);
+    await updateHostRowCustomFields(opts.db, tableName, mutated, row.id);
     rowsUpdated++;
   }
 

package/src/custom-fields/wire-for-entity.ts

@@ -1,12 +1,15 @@
 import {
   createJsonbField,
   type FeatureRegistrar,
+  isSystemTenant,
   type JsonbFieldDef,
+  type TenantId,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { CUSTOM_FIELDS_EXTENSION } from "./constants";
 import {
   clearCustomFieldKey,
-  removeCustomFieldKeyFromAllRows,
+  removeCustomFieldKeyForTenant,
+  removeCustomFieldKeyFromAllTenants,
   setCustomFieldValue,
 } from "./db/queries/projection";
 
@@ -109,7 +112,7 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
           tx,
           tableName,
           payload.fieldKey,
-          JSON.stringify(payload.value),
+          payload.value,
           event.aggregateId,
         );
       },
@@ -127,14 +130,29 @@ export function wireCustomFieldsFor<TReg extends FeatureRegistrar<string>>(
         // fieldDefinition.deleted fires nur einmal pro fieldDef-delete
         // (NICHT per-entity). Wir entfernen den key aus ALLEN rows der host-
         // entity falls die deleted-fieldDef für diese entity galt.
-        const payload = event.payload as { entityName: string; fieldKey: string }; // @cast-boundary engine-payload
+        const payload = event.payload as {
+          entityName: string;
+          fieldKey: string;
+          tenantId?: TenantId;
+        }; // @cast-boundary engine-payload
         // skip: fieldDefinition.deleted feuert für ALLE fieldDefs cross-entity;
         // nur wenn die deleted-fieldDef diese host-entity betraf, cleanen wir
         // ihre Rows.
         if (payload.entityName !== entityName) return;
 
         const tableName = getTableName(entityTable);
-        await removeCustomFieldKeyFromAllRows(tx, tableName, payload.fieldKey);
+        // Scope cleanup to the deleted definition's owning tenant. System-scope
+        // definitions apply to every tenant → cascade across all rows; tenant-
+        // scope deletions must only touch that tenant's rows, else deleting one
+        // tenant's field strips the same kebab key from every tenant (data loss).
+        // Fallback to the event's stream tenantId for events appended before the
+        // payload carried tenantId.
+        const defTenantId = payload.tenantId ?? event.tenantId;
+        if (isSystemTenant(defTenantId)) {
+          await removeCustomFieldKeyFromAllTenants(tx, tableName, payload.fieldKey);
+        } else {
+          await removeCustomFieldKeyForTenant(tx, tableName, payload.fieldKey, defTenantId);
+        }
       },
     },
   });

package/src/custom-fields/wire-user-data-rights.ts

@@ -32,8 +32,9 @@ interface CustomFieldsHostRow {
 function asCustomFieldsHostRow(value: unknown): CustomFieldsHostRow | null {
   if (!value || typeof value !== "object" || Array.isArray(value)) return null;
   if (!("id" in value) || typeof value.id !== "string") return null;
-  if (!("custom_fields" in value)) return null;
-  const cf = value.custom_fields;
+  const record = value as Record<string, unknown>;
+  const cf = record["custom_fields"] ?? record["customFields"];
+  if (cf === undefined) return null;
   if (cf === null) return { id: value.id, customFields: null };
   if (!cf || typeof cf !== "object" || Array.isArray(cf)) return null;
   return { id: value.id, customFields: Object.fromEntries(Object.entries(cf)) };

package/src/delivery/delivery-service.ts

@@ -153,7 +153,7 @@ export function createDeliveryService(options: DeliveryServiceOptions): Delivery
   }
 
   function buildChannelContext(tenantId: TenantId): ChannelContext {
-    return { db, registry, sseBroker, tenantId };
+    return { db: createTenantDb(db, tenantId), registry, sseBroker, tenantId };
   }
 
   async function logDelivery(entry: DeliveryLogEntry): Promise<void> {

package/src/delivery/types.ts

@@ -1,5 +1,5 @@
 import type { SseBroker } from "@cosmicdrift/kumiko-framework/api";
-import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantDb } from "@cosmicdrift/kumiko-framework/db";
 import type {
   NotifyOptions,
   Registry,
@@ -10,7 +10,7 @@ import type {
 // --- Channel Interface ---
 
 export type ChannelContext = {
-  readonly db: DbConnection;
+  readonly db: TenantDb;
   readonly registry: Registry;
   readonly sseBroker: SseBroker | undefined;
   readonly tenantId: TenantId;

package/src/feature-toggles/__tests__/{feature-toggles.integration.ts → feature-toggles.integration.test.ts}

@@ -16,6 +16,7 @@ import {
   type FeatureDefinition,
   SYSTEM_TENANT_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
+import { eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import { createEventDispatcher, type EventConsumer } from "@cosmicdrift/kumiko-framework/pipeline";
 import {
   createTestUser,
@@ -517,12 +518,11 @@ describe("feature-toggles queries + audit automation", () => {
       admin,
     );
 
-    const events = (await asRawClient(stack.db).unsafe(
-      `SELECT type, payload FROM kumiko_events WHERE type = 'feature-toggles:event:toggle-set'`,
-    )) as unknown as readonly {
-      type: string;
-      payload: Record<string, unknown>;
-    }[];
+    const events = await selectMany<{ type: string; payload: Record<string, unknown> }>(
+      stack.db,
+      eventsTable,
+      { type: "feature-toggles:event:toggle-set" },
+    );
 
     expect(events).toHaveLength(1);
     expect(events[0]?.payload).toMatchObject({

package/src/feature-toggles/handlers/set.write.ts

@@ -12,7 +12,6 @@ import {
   FEATURE_TOGGLE_SET_EVENT_NAME,
   FeatureToggleErrors,
 } from "../constants";
-import { updateFeatureToggleOptimistic } from "../db/queries/toggle-state";
 import { globalFeatureStateTable } from "../global-feature-state-table";
 import type { GlobalFeatureToggleRuntime } from "../toggle-runtime";
 
@@ -101,13 +100,16 @@ export function createSetWriteHandler(getRuntime: (() => GlobalFeatureToggleRunt
         // Upsert with optimistic lock. Two operators flipping the same
         // toggle simultaneously is rare but possible — the version-WHERE
         // ensures only one wins; the loser sees VersionConflictError.
-        const updated = await updateFeatureToggleOptimistic(ctx.db, {
-          enabled,
-          updatedBy: event.user.id,
-          updatedAt: Temporal.Now.instant(),
-          featureName,
-          expectedVersion: existing.version,
-        });
+        const updated = await ctx.db.updateMany(
+          globalFeatureStateTable,
+          {
+            enabled,
+            updatedBy: event.user.id,
+            updatedAt: Temporal.Now.instant(),
+            version: existing.version + 1,
+          },
+          { featureName, version: existing.version },
+        );
 
         if (updated.length === 0) {
           return writeFailure(

package/src/subscription-stripe/__tests__/{stripe-foundation.integration.ts → stripe-foundation.integration.test.ts}

@@ -142,10 +142,10 @@ function buildStripeSubscriptionEvent(overrides: {
   };
 }
 
-function signEvent(payload: string): string {
-  return stripeForFixtures.webhooks.generateTestHeaderString({
+async function signEvent(payload: string, secret = TEST_SECRET): Promise<string> {
+  return stripeForFixtures.webhooks.generateTestHeaderStringAsync({
     payload,
-    secret: TEST_SECRET,
+    secret,
   });
 }
 
@@ -172,7 +172,7 @@ describe("scenario 1: Stripe-event → DB happy path", () => {
       priceId: "price_business_yearly",
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res = await postStripeWebhook(payload, sig);
     expect(res.status).toBe(200);
@@ -225,10 +225,7 @@ describe("scenario 2: invalid sig → 401, kein DB-write", () => {
     });
     const payload = JSON.stringify(stripeEvent);
     // Wrong secret = invalid sig.
-    const wrongSig = stripeForFixtures.webhooks.generateTestHeaderString({
-      payload,
-      secret: "whsec_wrong_secret",
-    });
+    const wrongSig = await signEvent(payload, "whsec_wrong_secret");
 
     const res = await postStripeWebhook(payload, wrongSig);
     expect(res.status).toBe(401);
@@ -260,7 +257,7 @@ describe("scenario 3: idempotency via Stripe-retry", () => {
       subscriptionId: "sub_4003",
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res1 = await postStripeWebhook(payload, sig);
     expect(res1.status).toBe(200);
@@ -292,7 +289,7 @@ describe("scenario 4: ignored event-types pass through", () => {
       tenantId: tenantStringId,
     });
     const payload = JSON.stringify(stripeEvent);
-    const sig = signEvent(payload);
+    const sig = await signEvent(payload);
 
     const res = await postStripeWebhook(payload, sig);
     expect(res.status).toBe(200);

package/src/tier-engine/__tests__/{resolver.integration.ts → resolver.integration.test.ts}

@@ -52,6 +52,7 @@ const TEST_TIER_MAP: TierMap<TestCaps> = {
 // Toy-feature mit einem tenantadmin-only-handler. Wenn das feature im
 // effective-Set ist, dispatcher passt durch — wenn nicht, 403 feature_disabled.
 const featProFeature = defineFeature("feat-pro", (r) => {
+  r.toggleable({ default: false });
   r.queryHandler(
     "ping",
     {
@@ -174,10 +175,10 @@ describe("createTierEngineFeature — per-tenant resolver", () => {
     const resolver = await plugin.build({ db: stack.db, registry: stack.registry });
     const systemSet = resolver(SYSTEM_TENANT_ID);
 
-    // Union: feat-pro (in pro+business) + feat-business (in business only).
+    // Union of tier-map features (feat-pro in pro+business, feat-business in business).
     expect(systemSet.has("feat-pro")).toBe(true);
     expect(systemSet.has("feat-business")).toBe(true);
-    // free has no features → nothing extra
-    expect(systemSet.size).toBe(2);
+    // SYSTEM tenant also receives always-on non-toggleable features from includeBundled.
+    expect(systemSet.size).toBeGreaterThanOrEqual(2);
   });
 });

package/src/user-data-rights/__tests__/{audit-log.integration.ts → audit-log.integration.test.ts}

@@ -2,7 +2,7 @@
 
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { asRawClient, insertMany, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createTestUser,
   setupTestStack,
@@ -10,11 +10,14 @@ import {
   testTenantId,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import {
   createComplianceProfilesFeature,
   tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
 } from "../../compliance-profiles";
 import { createDataRetentionFeature } from "../../data-retention";
+import { createSessionsFeature } from "../../sessions";
 import { USER_STATUS, userEntity, userTable } from "../../user";
 import { createUserFeature } from "../../user/feature";
 import { createUserDataRightsFeature } from "../feature";
@@ -36,6 +39,8 @@ beforeAll(async () => {
       createUserFeature(),
       createDataRetentionFeature(),
       createComplianceProfilesFeature(),
+      createSessionsFeature(),
+
       createUserDataRightsFeature(),
     ],
   });
@@ -50,10 +55,12 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_compliance_profiles`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM read_download_attempts`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM kumiko_events`);
+  await resetTestTables(stack.db, [
+    userTable,
+    tenantComplianceProfileTable,
+    downloadAttemptsTable,
+    eventsTable,
+  ]);
 });
 
 async function seedUser(u: typeof alice, email: string): Promise<void> {

package/src/user-data-rights/__tests__/{cross-data-matrix.integration.ts → cross-data-matrix.integration.test.ts}

@@ -13,18 +13,20 @@
 //     Alices Forget; Bobs Daten landen NICHT in Alices Export-Bundle.
 
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
-import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { asRawClient, deleteMany, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
   defineFeature,
   EXT_USER_DATA,
   type UserDataDeleteHook,
   type UserDataExportHook,
 } from "@cosmicdrift/kumiko-framework/engine";
+import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
 import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import {
   createComplianceProfilesFeature,
@@ -32,6 +34,8 @@ import {
 } from "../../compliance-profiles";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
 import { createFilesFeature } from "../../files";
+import { createSessionsFeature } from "../../sessions";
+import { tenantMembershipsTable } from "../../tenant";
 import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
 import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
 import { createUserDataRightsFeature } from "../feature";
@@ -55,6 +59,18 @@ type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 const NOW = (): Instant => getTemporal().Now.instant();
 const PAST = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
 
+const KUMIKO_NAME = Symbol.for("kumiko:schema:Name");
+const KUMIKO_COLUMNS = Symbol.for("kumiko:schema:Columns");
+
+/** Minimal bun-db table descriptor for the synthetic test_notes table. */
+const testNotesTable = {
+  [KUMIKO_NAME]: "test_notes",
+  [KUMIKO_COLUMNS]: {
+    tenantId: { name: "tenant_id", getSQLType: () => "uuid" },
+    authorId: { name: "author_id", getSQLType: () => "text" },
+  },
+};
+
 // Synthetic third-party Domain-Feature: "note" mit export- + delete-Hook.
 // Stellvertretend fuer App-spezifische Entities (Chat-Message, Blog-Post
 // etc.), die ueber EXT_USER_DATA sauber in die Pipeline integrieren.
@@ -81,13 +97,10 @@ const exportNotes: UserDataExportHook = async (ctx) => {
 };
 
 const deleteNotes: UserDataDeleteHook = async (ctx, _strategy) => {
-  await asRawClient(ctx.db).unsafe(
-    `
-    DELETE FROM test_notes
-    WHERE tenant_id = $1 AND author_id = $2
-  `,
-    [ctx.tenantId, ctx.userId],
-  );
+  await deleteMany(ctx.db, testNotesTable, {
+    tenantId: ctx.tenantId,
+    authorId: ctx.userId,
+  });
 };
 
 const testNotesFeature = defineFeature("test-notes", (r) => {
@@ -104,6 +117,8 @@ beforeAll(async () => {
       createFilesFeature(),
       createDataRetentionFeature(),
       createComplianceProfilesFeature(),
+      createSessionsFeature(),
+
       createUserDataRightsFeature(),
       createUserDataRightsDefaultsFeature(),
       testNotesFeature,
@@ -161,10 +176,12 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await asRawClient(stack.db).unsafe(`DELETE FROM "${userTable.tableName}"`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_memberships`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM file_refs`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM test_notes`);
+  await resetTestTables(stack.db, [
+    userTable,
+    tenantMembershipsTable,
+    fileRefsTable,
+    testNotesTable,
+  ]);
 });
 
 async function seedUser(

package/src/user-data-rights/__tests__/{download.integration.ts → download.integration.test.ts}

@@ -12,7 +12,7 @@ import { randomBytes } from "node:crypto";
 import { asRawClient, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
 import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
-import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
 import {
   createInMemoryFileProvider,
   type FileStorageProvider,
@@ -25,10 +25,12 @@ import {
   unsafeCreateEntityTable,
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import {
   createComplianceProfilesFeature,
   tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
 } from "../../compliance-profiles";
 import { createConfigFeature } from "../../config";
 import { ConfigHandlers } from "../../config/constants";
@@ -38,6 +40,8 @@ import { configValuesTable } from "../../config/table";
 import { createDataRetentionFeature } from "../../data-retention";
 import { fileFoundationFeature } from "../../file-foundation";
 import { fileProviderInMemoryFeature } from "../../file-provider-inmemory";
+import { createSessionsFeature } from "../../sessions";
+import { tenantMembershipsTable } from "../../tenant";
 import { createUserFeature } from "../../user";
 import { createUserDataRightsFeature } from "../feature";
 import { runExportJobs } from "../run-export-jobs";
@@ -108,6 +112,8 @@ beforeAll(async () => {
       fileFoundationFeature,
       fileProviderInMemoryFeature,
       noSignedUrlProviderFeature,
+      createSessionsFeature(),
+
       createUserDataRightsFeature(),
     ],
     extraContext: ({ registry }) => ({
@@ -151,12 +157,14 @@ afterAll(async () => {
 });
 
 beforeEach(async () => {
-  await asRawClient(stack.db).unsafe(`DELETE FROM "${exportDownloadTokensTable.tableName}"`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM "${exportJobsTable.tableName}"`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM kumiko_events`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_compliance_profiles`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_memberships`);
-  await asRawClient(stack.db).unsafe(`DELETE FROM $1`, [configValuesTable]);
+  await resetTestTables(stack.db, [
+    exportDownloadTokensTable,
+    exportJobsTable,
+    eventsTable,
+    tenantComplianceProfileTable,
+    tenantMembershipsTable,
+    configValuesTable,
+  ]);
   providerPerTenant = new Map();
 
   // Setup file-foundation provider="inmemory" pro Tenant.