@cosmicdrift/kumiko-bundled-features 0.2.1 → 0.2.3

package/CHANGELOG.md

@@ -0,0 +1,108 @@
+# @cosmicdrift/kumiko-bundled-features
+
+## 0.2.3
+
+### Patch Changes
+
+- 1dbd038: Fix `db.execute is not a function` crash in `createTierEngineFeature`'s
+  auto-default-tier postSave-hook when called via the dispatcher path
+  (`tenant:write:create`). The hook used `ctx.db as DbConnection` — a
+  type-lie. AppContext.db in the inTransaction-phase is a TenantDb, which
+  exposes select/insert/update/delete but not execute(). The event-store-
+  append (event-store.ts:102) calls `db.execute(sql\`SELECT pg_notify(...)\`)`,
+  which crashed at runtime.
+
+  Fix: typeguard via `if (!("raw" in ctx.db)) return` then use `ctx.db.raw
+as DbConnection` (pattern matched signup-confirm.write.ts:107).
+
+  Plus: regression integration-test in `tier-engine/__tests__/auto-default-
+tier.integration.ts` covering the dispatcher path (sysadmin →
+  tenant:write:create → tier_assignments-row + idempotency on tenant-update).
+
+  **Known production gap (separate from this fix):** Self-Signup goes through
+  `provisionSignupAccount → seedTenant` (event-store-direct), which bypasses
+  the dispatcher → postSave-hooks never fire in production self-signup. This
+  fix makes the dispatcher path coherent. Real-signup auto-default needs
+  follow-up work (either seedTenant fires hooks or signup-confirm calls
+  explicit seed-helpers).
+
+  - @cosmicdrift/kumiko-framework@0.2.3
+  - @cosmicdrift/kumiko-dispatcher-live@0.2.3
+  - @cosmicdrift/kumiko-renderer@0.2.3
+  - @cosmicdrift/kumiko-renderer-web@0.2.3
+
+## 0.2.2
+
+### Patch Changes
+
+- 7a7da3e: Re-publish 0.2.1 → 0.2.2 mit korrekt aufgelösten cross-package-Versionen.
+  0.2.1 hatte `workspace:*` als Wert in den dependencies (npm publish ohne
+  yarn-pack rewrite), Konsumenten bekamen "Workspace not found".
+
+  publish-with-oidc.sh nutzt jetzt `yarn pack` (rewrited workspace:\*) +
+  `npm publish <tarball>` (OIDC + provenance).
+
+- Updated dependencies [7a7da3e]
+  - @cosmicdrift/kumiko-framework@0.2.2
+  - @cosmicdrift/kumiko-dispatcher-live@0.2.2
+  - @cosmicdrift/kumiko-renderer@0.2.2
+  - @cosmicdrift/kumiko-renderer-web@0.2.2
+
+## 0.2.1
+
+### Patch Changes
+
+- 48b7f6a: CI: switch publish to npm-CLI with OIDC Trusted Publishing + provenance.
+  No source changes — verifies the new publish path produces a verified-
+  provenance attestation on npmjs.com instead of token-based publish.
+- Updated dependencies [48b7f6a]
+  - @cosmicdrift/kumiko-framework@0.2.1
+  - @cosmicdrift/kumiko-dispatcher-live@0.2.1
+  - @cosmicdrift/kumiko-renderer@0.2.1
+  - @cosmicdrift/kumiko-renderer-web@0.2.1
+
+## 0.2.0
+
+### Minor Changes
+
+- 6c70b6f: fix(tenant): seedTenant idempotent gegen Event-Store-Projection-Drift.
+
+  Verhindert version_conflict beim App-Boot wenn Aggregat existiert aber
+  Projection-Row fehlt (rebuild-drift, async-lag, manueller DB-Eingriff).
+
+### Patch Changes
+
+- Updated dependencies [6c70b6f]
+  - @cosmicdrift/kumiko-framework@0.2.0
+  - @cosmicdrift/kumiko-dispatcher-live@0.2.0
+  - @cosmicdrift/kumiko-renderer@0.2.0
+  - @cosmicdrift/kumiko-renderer-web@0.2.0
+
+## 0.1.0
+
+### Minor Changes
+
+- 59ba6d7: Initial public release of Kumiko — AI-native backend builder.
+
+  What ships in 0.1.0:
+
+  - **Engine** (`@cosmicdrift/kumiko-framework`): `defineFeature`, `r.entity`, `r.writeHandler`, `r.queryHandler`, `r.projection`, `r.multiStreamProjection`, `r.hook`, `r.translations`, `r.crud`, `r.referenceData`, `r.screen`, `r.nav`, `r.authClaims`, full lifecycle pipeline with field-level access checks
+  - **Pipeline** (`@cosmicdrift/kumiko-framework`): `createDispatcher`, JWT auth via jose, Zod schema validation, role-based access checks, command/write/query split
+  - **DB** (`@cosmicdrift/kumiko-framework`): Drizzle helpers (`buildDrizzleTable`, `applyCursorQuery`), CRUD executor, Postgres dialect, optimistic locking, soft delete, multi-tenant scoping
+  - **Event sourcing** (`@cosmicdrift/kumiko-framework`): aggregate streams, single + multi-stream projections, event upcasters, asOf queries, archive support, AsyncDaemon-pattern dispatcher
+  - **Bundled features** (`@cosmicdrift/kumiko-bundled-features`): auth-email-password, sessions, tenants, users, jobs, secrets, file-provider-s3, mail-transport-smtp/inmemory, billing-foundation, cap-counter, channel-in-app, delivery, feature-toggles, legal-pages
+  - **Renderer** (`@cosmicdrift/kumiko-renderer`, `@cosmicdrift/kumiko-renderer-web`): schema-driven CRUD UI for React + Expo Web, override paths, list debounce, theme tokens
+  - **Headless** (`@cosmicdrift/kumiko-headless`): view-models for list/edit screens, locale-aware
+  - **Dev server** (`@cosmicdrift/kumiko-dev-server`): `runDevApp`, `runProdApp`, `kumiko-build` for production bundles (client + server), Docker-ready
+  - **Realtime** (`@cosmicdrift/kumiko-dispatcher-live`): SSE broadcast across tenants, Redis Pub/Sub backend
+  - **CLI** (`bin/kumiko.ts`): interactive dev menu, test runners, check pipeline (Biome + TypeScript + 18 guards + Vitest)
+
+  This is a pre-1.0 release — APIs may change between minor versions. Breaking changes will be documented per release.
+
+### Patch Changes
+
+- Updated dependencies [59ba6d7]
+  - @cosmicdrift/kumiko-framework@0.1.0
+  - @cosmicdrift/kumiko-dispatcher-live@0.1.0
+  - @cosmicdrift/kumiko-renderer@0.1.0
+  - @cosmicdrift/kumiko-renderer-web@0.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -19,7 +19,9 @@
   },
   "exports": {
     "./audit": "./src/audit/index.ts",
+    "./compliance-profiles": "./src/compliance-profiles/index.ts",
     "./config": "./src/config/index.ts",
+    "./data-retention": "./src/data-retention/index.ts",
     "./jobs": "./src/jobs/index.ts",
     "./tier-engine": "./src/tier-engine/index.ts",
     "./cap-counter": "./src/cap-counter/index.ts",
@@ -33,6 +35,9 @@
     "./file-foundation": "./src/file-foundation/index.ts",
     "./file-provider-s3": "./src/file-provider-s3/index.ts",
     "./file-provider-inmemory": "./src/file-provider-inmemory/index.ts",
+    "./files": "./src/files/index.ts",
+    "./user-data-rights": "./src/user-data-rights/index.ts",
+    "./user-data-rights-defaults": "./src/user-data-rights-defaults/index.ts",
     "./tenant": "./src/tenant/index.ts",
     "./tenant/constants": "./src/tenant/constants.ts",
     "./tenant/seeding": "./src/tenant/seeding.ts",
@@ -62,11 +67,12 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.700.0",
+    "@aws-sdk/lib-storage": "^3.700.0",
     "@aws-sdk/s3-request-presigner": "^3.700.0",
-    "@cosmicdrift/kumiko-dispatcher-live": "workspace:*",
-    "@cosmicdrift/kumiko-framework": "workspace:*",
-    "@cosmicdrift/kumiko-renderer": "workspace:*",
-    "@cosmicdrift/kumiko-renderer-web": "workspace:*",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.2.3",
+    "@cosmicdrift/kumiko-framework": "0.2.3",
+    "@cosmicdrift/kumiko-renderer": "0.2.3",
+    "@cosmicdrift/kumiko-renderer-web": "0.2.3",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",
@@ -87,4 +93,4 @@
     "README.md",
     "LICENSE"
   ]
-}
+}

package/src/auth-email-password/auth-user-row.ts

@@ -21,6 +21,12 @@ export type AuthUserRow = {
   // roles gelten (z.B. SystemAdmin, BillingAdmin). Caller deserialisiert via
   // parseRoles() vor dem Merge in die Session.
   readonly roles?: string | null;
+  // user.status (S2.U1) — "active" | "restricted" | "deletion_requested" |
+  // "deleted". Login.write.ts blockt Restricted (DSGVO Art. 18) sowie
+  // DeletionRequested + Deleted. Untyped string hier weil die Quelle
+  // user-feature-internes Enum ist; auth importiert den Constants-Wert
+  // an der Verwendungsstelle.
+  readonly status?: string | null;
 };
 
 // Returns the narrowed row or null — mirrors findForAuth's contract where

package/src/auth-email-password/constants.ts

@@ -73,6 +73,17 @@ export const AuthErrors = {
   // deliberate enumeration trade-off: the lockout event itself is already
   // observable to the attacker, and legit users benefit from a clear signal.
   accountLocked: "account_locked",
+  // S2.U6 (DSGVO Art. 18) — Account ist im Restricted-Status. Login wird
+  // explicit verweigert mit eigenem Code (nicht zu invalid_credentials
+  // collapsen) damit UI sagen kann "Account ist aktuell pausiert, hier
+  // klicken zum Aufheben". Enumeration-leak akzeptiert: Restriction ist
+  // user-initiiert, der User weiss dass sein Konto restricted ist.
+  accountRestricted: "account_restricted",
+  // Account ist im DeletionRequested- oder Deleted-Status. Anders als
+  // Restricted ist das nicht reversibel via Login → wir collapsen auf
+  // invalid_credentials damit Forget-Pfad nicht via Login enumerierbar
+  // wird (User der "Konto loeschen" geklickt hat soll nicht erneut sehen
+  // dass die Email-Adresse noch in der DB existiert).
 } as const;
 
 // Account-lockout defaults — overridable via

package/src/auth-email-password/handlers/login.write.ts

@@ -7,7 +7,7 @@ import {
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { parseRoles } from "@cosmicdrift/kumiko-framework/utils";
 import { z } from "zod";
-import { UserQueries } from "../../user";
+import { USER_STATUS, UserQueries } from "../../user";
 import { parseAuthUserRow } from "../auth-user-row";
 import {
   AUTH_LOCKOUT_DEFAULT_DURATION_MINUTES,
@@ -53,6 +53,19 @@ function accountLocked(retryAfterSeconds: number) {
   );
 }
 
+// S2.U6 — DSGVO Art. 18 Account-Freeze. Distinct error code (nicht zu
+// invalid_credentials collapsen) damit UI klar sagen kann "Account ist
+// pausiert, hier klicken zum Aufheben". User weiss schon dass sein Konto
+// restricted ist (er hat selbst die Restriction gesetzt), also kein
+// Enumeration-Leak.
+function accountRestricted() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.accountRestricted, {
+      i18nKey: "auth.errors.accountRestricted",
+    }),
+  );
+}
+
 export type LoginHandlerOptions = {
   // When true, a valid (email + password) login fails with email_not_verified
   // if the user row's emailVerified flag is false. Enumeration-leak is
@@ -145,6 +158,23 @@ export function createLoginHandler(opts: LoginHandlerOptions = {}) {
         return emailNotVerified();
       }
 
+      // S2.U6 — DSGVO Art. 18 Account-Freeze. Restricted users koennen sich
+      // nicht einloggen; lift-restriction-Endpoint ist der einzige Ausgang
+      // (siehe lift-restriction.write.ts Header — typisch via Magic-Link
+      // oder Operator-Tool, da Login geblockt). Auth-side Block ist hard-
+      // requirement; ohne den koennte der User mit Login-Sessions trotz
+      // Restriction-Flag durchschreiben.
+      //
+      // DeletionRequested + Deleted kollabieren bewusst auf invalid_creds
+      // (anti-enumeration im Forget-Pfad) — Restricted ist user-initiiert,
+      // distinct error ist hier safe.
+      if (found.status === USER_STATUS.Restricted) {
+        return accountRestricted();
+      }
+      if (found.status === USER_STATUS.DeletionRequested || found.status === USER_STATUS.Deleted) {
+        return invalidCredentials();
+      }
+
       // Resolve tenant + roles via the tenant feature's memberships query.
       // Returns [] if the user has no memberships — MVP: no login without an
       // invitation, so we refuse with a dedicated error.

package/src/auth-email-password/i18n.ts

@@ -23,6 +23,8 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.accountLocked": "Konto vorübergehend gesperrt.",
     "auth.errors.accountLockedRetry": "Konto gesperrt. Neuer Versuch in {minutes} Minuten.",
     "auth.errors.emailNotVerified": "E-Mail-Adresse noch nicht bestätigt.",
+    "auth.errors.accountRestricted":
+      "Konto pausiert (Datenschutz Art. 18). Bitte Pause aufheben um wieder einzuloggen.",
     "auth.errors.rateLimited": "Zu viele Login-Versuche. Bitte kurz warten.",
     "auth.errors.invalidBody": "Ungültige Eingabe.",
     "auth.errors.loginFailed": "Login fehlgeschlagen.",
@@ -116,6 +118,8 @@ export const defaultTranslations: TranslationsByLocale = {
     "auth.errors.accountLocked": "Account temporarily locked.",
     "auth.errors.accountLockedRetry": "Account locked. Try again in {minutes} minutes.",
     "auth.errors.emailNotVerified": "Email address not yet verified.",
+    "auth.errors.accountRestricted":
+      "Account paused (GDPR Art. 18). Please lift the restriction to sign in again.",
     "auth.errors.rateLimited": "Too many login attempts. Please wait briefly.",
     "auth.errors.invalidBody": "Invalid input.",
     "auth.errors.loginFailed": "Login failed.",

package/src/compliance-profiles/README.md

@@ -0,0 +1,88 @@
+# compliance-profiles
+
+Tenant-weite DSGVO/Compliance-Profile-Wahl. Pflicht beim Tenant-Onboarding —
+Profile bündelt User-Rights-Grace, Notification-Sprachen, Breach-
+Disclosure, Audit-Retention und Sub-Processor-Anforderungen in eine
+Auswahl.
+
+**Status:** Sprint 1 (S1.1 + S1.3). Sub-Processor-Endpoint (S1.4) und
+Onboarding-Banner-API (S1.5) folgen in derselben Sprint-Iteration.
+
+## MVP-Set: 3 Profile
+
+- **`eu-dsgvo`** — Foundation-Profile, DSGVO Standard, BlnBDI Berlin
+- **`swiss-dsg`** — extends `eu-dsgvo` mit DE/FR/IT/EN-Sprachen + EDÖB
+- **`de-hr-dsgvo-hgb`** — extends `eu-dsgvo` mit HR-Spezifika (HGB
+  10y-Audit-Retention, Betriebsrat-Notification, 60d-Tenant-Destroy)
+
+Plus `minimal-no-region` als Default-Fallback (NICHT auswählbar) bis
+Tenant-Admin eine Wahl trifft.
+
+Erweiterungen wie `uk-gdpr`, `ca-pipeda`, `ca-quebec-l25`, `us-ccpa`,
+`hipaa-healthcare` kommen on-demand wenn Customer fragt — der
+`extends`-Mechanismus macht sie zu 30-Zeilen-Adds.
+
+## API
+
+### Queries
+
+- `compliance-profiles:query:list-profiles` — `openToAll`. Liefert die
+  3 wählbaren Profile mit Region + Aufsicht + Sprachen, für Onboarding-UI.
+- `compliance-profiles:query:for-tenant` — `openToAll`. Liefert das
+  effektive Profile für den aktuellen Tenant inkl. Override (deep-merge).
+  Wenn kein Profile gesetzt: `minimal-no-region` + `warning="no-profile-selected"`.
+
+### Writes
+
+- `compliance-profiles:write:set-profile` — `roles=[TenantAdmin]`.
+  Upsert: setzt `profileKey` (+ optional `override`-JSON) für den
+  aktuellen Tenant. Idempotent, zweiter Call updated.
+
+### Cross-Feature (`r.exposesApi`)
+
+- `compliance.forTenant` — Marker. Andere Features (Sprint 2
+  `user-data-rights`, Sprint 5 `tenant-lifecycle`) rufen den Resolver via
+  QN-Pattern (`app.fetch("/api/query")` mit `type=compliance-profiles:query:for-tenant`).
+  Boot-Validator checkt dass jeder `r.usesApi("compliance.forTenant")`-
+  Caller das Feature in `requires/optionalRequires` hat.
+
+## Override-Semantik
+
+`override` wird als JSON-String gespeichert und beim Resolver
+deep-merged auf das gewählte Profile. Atomic-Paths (gracePeriod /
+auskunftFrist / retention / authorityNotificationDeadline /
+tenantDestroyGracePeriod) ersetzen komplett statt rekursiv zu mergen,
+weil sie diskriminierte Union-Objects sind (`{ months } | { years }` vs
+`{ days } | { hours }`).
+
+```typescript
+// Tenant-Admin override:
+{
+  "userRights": { "gracePeriod": { "days": 60 } }
+}
+// Effekt auf eu-dsgvo:
+//   userRights.gracePeriod = { days: 60 }     (overridden)
+//   userRights.restrictionAllowed = true       (geerbt)
+//   userRights.portabilityFormat = ["json"]    (geerbt)
+//   ...alle anderen userRights-Felder unverändert
+```
+
+## Architektur-Note
+
+Profile-Selection lebt als **separate Entity** (`tenantComplianceProfileEntity`)
+im compliance-profiles-Feature, nicht als config-key im tenant-Feature.
+Begründung in `schema/profile-selection.ts` — kurz: Override ist
+strukturiertes JSON, Profile-Wechsel ist audit-relevant (Event-Store
+liefert das automatisch für Entity-Writes), Plan-Files nennen sie
+explizit als eigene Entity.
+
+## Tests
+
+`__tests__/compliance-profiles.integration.ts` — 9 full-stack Tests via
+`setupTestStack` + echte HTTP-Calls (Memory: `feedback_no_fake_dispatcher`):
+list-profiles, for-tenant ohne/mit Setting, set-profile als TenantAdmin /
+Member (403) / mit Override / mit invalidem JSON / mit Array statt Object /
+idempotent-Update.
+
+Plus Unit-Tests für Profile-Constants + Override-Resolver in
+`framework/src/compliance/__tests__/profiles.test.ts` (16 Tests).

package/src/compliance-profiles/__tests__/compliance-profiles.integration.ts

@@ -0,0 +1,308 @@
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createComplianceProfilesFeature, tenantComplianceProfileEntity } from "../feature";
+
+const SET_PROFILE = "compliance-profiles:write:set-profile";
+const FOR_TENANT = "compliance-profiles:query:for-tenant";
+const LIST_PROFILES = "compliance-profiles:query:list-profiles";
+const SUB_PROCESSORS = "compliance-profiles:query:sub-processors";
+const NEEDS_PROFILE = "compliance-profiles:query:needs-profile";
+
+// S1.8 N5: Isolierten Tenant-Admin pro Test bauen — verhindert
+// Cross-Test-Interferenz uber gemeinsamen Default-tenantId aus
+// TestUsers.admin. Eindeutige numerische ID + parallele tenantId.
+function createIsolatedTenantAdmin(n: number, roles: string[] = ["TenantAdmin"]) {
+  return createTestUser({ id: n, tenantId: testTenantId(n), roles });
+}
+
+let stack: TestStack;
+let db: DbConnection;
+
+const tenantAdmin = createTestUser({ id: 2, roles: ["TenantAdmin"] });
+const normalUser = createTestUser({ id: 3, roles: ["Member"] });
+
+const feature = createComplianceProfilesFeature();
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [feature] });
+  db = stack.db;
+  await unsafeCreateEntityTable(db, tenantComplianceProfileEntity);
+  await createEventsTable(db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+describe("compliance-profiles :: list-profiles", () => {
+  test("liefert die 3 wählbaren Profile mit Region + Sprachen", async () => {
+    const result = await stack.http.queryOk<{
+      profiles: Array<{ key: string; region: string; languages: string[] }>;
+    }>(LIST_PROFILES, {}, tenantAdmin);
+    expect(result.profiles).toHaveLength(3);
+    const keys = result.profiles.map((p) => p.key);
+    expect(keys).toEqual(["eu-dsgvo", "swiss-dsg", "de-hr-dsgvo-hgb"]);
+    const swiss = result.profiles.find((p) => p.key === "swiss-dsg");
+    expect(swiss?.region).toBe("CH");
+    expect(swiss?.languages).toContain("fr");
+  });
+
+  test("minimal-no-region ist NICHT in der Liste (kein Production-Default)", async () => {
+    const result = await stack.http.queryOk<{ profiles: Array<{ key: string }> }>(
+      LIST_PROFILES,
+      {},
+      tenantAdmin,
+    );
+    expect(result.profiles.find((p) => p.key === "minimal-no-region")).toBeUndefined();
+  });
+});
+
+describe("compliance-profiles :: for-tenant", () => {
+  test("ohne Setting → minimal-no-region + warning=no-profile-selected", async () => {
+    const result = await stack.http.queryOk<{
+      profile: { key: string };
+      warning?: string;
+    }>(FOR_TENANT, {}, normalUser);
+    expect(result.profile.key).toBe("minimal-no-region");
+    expect(result.warning).toBe("no-profile-selected");
+  });
+});
+
+describe("compliance-profiles :: set-profile", () => {
+  test("TenantAdmin kann Profile auf eu-dsgvo setzen", async () => {
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, tenantAdmin);
+
+    const result = await stack.http.queryOk<{
+      profile: { key: string; region: string; breach: { authorityContact: string } };
+      warning?: string;
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.key).toBe("eu-dsgvo");
+    expect(result.profile.region).toBe("EU");
+    expect(result.profile.breach.authorityContact).toBe("BlnBDI Berlin");
+    expect(result.warning).toBeUndefined();
+  });
+
+  test("set-profile ist idempotent — zweiter Call wechselt Profile", async () => {
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, tenantAdmin);
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "swiss-dsg" }, tenantAdmin);
+
+    const result = await stack.http.queryOk<{
+      profile: { key: string; region: string; breach: { authorityContact: string } };
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.key).toBe("swiss-dsg");
+    expect(result.profile.breach.authorityContact).toBe("EDÖB Bern");
+  });
+
+  test("set-profile mit Override merged auf base-profile", async () => {
+    await stack.http.writeOk(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({
+          userRights: { gracePeriod: { days: 60 } },
+        }),
+      },
+      tenantAdmin,
+    );
+
+    const result = await stack.http.queryOk<{
+      profile: { userRights: { gracePeriod: { days: number }; portabilityFormat: string[] } };
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.userRights.gracePeriod).toEqual({ days: 60 });
+    // Andere userRights-Felder bleiben aus eu-dsgvo
+    expect(result.profile.userRights.portabilityFormat).toEqual(["json"]);
+  });
+
+  test("Member ohne TenantAdmin-Rolle bekommt 403 beim set-profile", async () => {
+    const result = await stack.http.write(SET_PROFILE, { profileKey: "eu-dsgvo" }, normalUser);
+    expect(result.status).toBe(403);
+  });
+
+  test("set-profile mit invalid JSON-Override wirft Error", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", override: "not-valid-json" },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  test("set-profile mit Array statt Object als Override wirft Error", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", override: JSON.stringify([{ foo: 1 }]) },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.7 X1: Schema engt sich auf SELECTABLE_PROFILE_KEYS
+  test("set-profile mit minimal-no-region wird abgelehnt (X1)", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "minimal-no-region" },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.7 X2: Override mit unbekannten Top-Level-Keys
+  test("set-profile mit unbekanntem Top-Level-Override-Key wirft Error (X2)", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({ userrights: { gracePeriod: { days: 60 } } }), // typo lowercase
+      },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.9 Z3 + S1.10 M3: Override-Sub-Level-Tippfehler (Schema-Strict)
+  // mit path-spezifischer Assertion via ValidationError.details.fields.
+  test("set-profile mit Sub-Level-Tippfehler liefert validation_error mit Path (Z3+M3)", async () => {
+    const err = await stack.http.writeErr(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({ userRights: { weeks: 3 } }), // weeks gibt's nicht
+      },
+      tenantAdmin,
+    );
+    expect(err.code).toBe("validation_error");
+    expect(err.httpStatus).toBe(400);
+    const fields = (err.details as { fields: Array<{ path: string }> })?.fields;
+    expect(fields).toBeDefined();
+    // Schema-strict wirft auf "userRights.weeks" als unrecognized_keys — ODER
+    // generelle "userRights" wenn Zod das so reportet. Beide Pfade decken den
+    // Bug ab.
+    expect(fields?.some((f) => f.path.includes("userRights"))).toBe(true);
+  });
+
+  test("set-profile mit invalid retention-shape liefert validation_error mit Path (Z3+M3)", async () => {
+    const err = await stack.http.writeErr(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({
+          userRights: { gracePeriod: { days: 30, hours: 24 } }, // strict-disjunction
+        }),
+      },
+      tenantAdmin,
+    );
+    expect(err.code).toBe("validation_error");
+    const fields = (err.details as { fields: Array<{ path: string }> })?.fields;
+    expect(fields?.some((f) => f.path.includes("gracePeriod"))).toBe(true);
+  });
+
+  // S1.7 F2: SystemAdmin kann Profile setzen
+  test("SystemAdmin kann Profile setzen (Plattform-Operator-Pfad)", async () => {
+    const sysAdmin = createIsolatedTenantAdmin(50, ["SystemAdmin"]);
+    const result = await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, sysAdmin);
+    expect(result).toMatchObject({ profileKey: "eu-dsgvo", isNew: true });
+  });
+
+  // S1.7 F3: tenantIdOverride als SystemAdmin → für Customer-Tenant
+  test("SystemAdmin kann mit tenantIdOverride für anderen Tenant Profile setzen (F3)", async () => {
+    const sysAdmin = createIsolatedTenantAdmin(51, ["SystemAdmin"]);
+    const targetTenantAdmin = createIsolatedTenantAdmin(52);
+
+    await stack.http.writeOk(
+      SET_PROFILE,
+      { profileKey: "swiss-dsg", tenantIdOverride: targetTenantAdmin.tenantId },
+      sysAdmin,
+    );
+
+    const result = await stack.http.queryOk<{ profile: { key: string; region: string } }>(
+      FOR_TENANT,
+      {},
+      targetTenantAdmin,
+    );
+    expect(result.profile.key).toBe("swiss-dsg");
+    expect(result.profile.region).toBe("CH");
+  });
+
+  // S1.7 F3: tenantIdOverride als TenantAdmin → 403
+  test("TenantAdmin mit tenantIdOverride bekommt 403 (F3)", async () => {
+    const someTenantAdmin = createIsolatedTenantAdmin(53);
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", tenantIdOverride: testTenantId(54) },
+      someTenantAdmin,
+    );
+    expect(result.status).toBe(403);
+  });
+});
+
+describe("compliance-profiles :: sub-processors (S1.4)", () => {
+  test("liefert active + planned Sub-Processors mit Pflicht-Feldern", async () => {
+    const result = await stack.http.queryOk<{
+      active: Array<{ name: string; region: string; dpa: string; sccRequired?: boolean }>;
+      planned: Array<{ name: string; status: string }>;
+      total: number;
+      generatedAt: string;
+    }>(SUB_PROCESSORS, {}, normalUser);
+
+    expect(result.active.length).toBeGreaterThan(0);
+    const hetzner = result.active.find((s) => s.name.includes("Hetzner"));
+    expect(hetzner).toBeDefined();
+    expect(hetzner?.dpa).toMatch(/^https:\/\//);
+    expect(hetzner?.region).toContain("Germany");
+
+    const cloudflare = result.active.find((s) => s.name.includes("Cloudflare"));
+    expect(cloudflare?.sccRequired).toBe(true);
+
+    expect(result.planned.length).toBeGreaterThan(0);
+    expect(result.planned.every((p) => p.status === "planned")).toBe(true);
+
+    expect(result.total).toBe(result.active.length + result.planned.length);
+    expect(result.generatedAt).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+});
+
+describe("compliance-profiles :: needs-profile (S1.5 — Onboarding-Banner)", () => {
+  test("Tenant ohne Profile-Wahl → needsSelection=true, reason=no_profile_selected", async () => {
+    // Frischer Tenant-Admin (eigener Tenant ID damit kein Profile gesetzt
+    // ist — sonst sieht er den Eintrag aus den vorherigen set-profile-Tests).
+    const freshTenantAdmin = createIsolatedTenantAdmin(99);
+    const result = await stack.http.queryOk<{
+      needsSelection: boolean;
+      currentProfile: string | null;
+      reason?: string;
+    }>(NEEDS_PROFILE, {}, freshTenantAdmin);
+    expect(result.needsSelection).toBe(true);
+    expect(result.currentProfile).toBeNull();
+    expect(result.reason).toBe("no_profile_selected");
+  });
+
+  test("Tenant mit eu-dsgvo-Wahl → needsSelection=false", async () => {
+    const setupAdmin = createIsolatedTenantAdmin(100);
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, setupAdmin);
+
+    const result = await stack.http.queryOk<{
+      needsSelection: boolean;
+      currentProfile: string | null;
+    }>(NEEDS_PROFILE, {}, setupAdmin);
+    expect(result.needsSelection).toBe(false);
+    expect(result.currentProfile).toBe("eu-dsgvo");
+  });
+
+  // S1.8 O3: minimal-no-region-Defensiv-Pfad in needs-profile.query.ts
+  // entfernt (toter Code nach S1.7 X1 — Zod blockt minimal-no-region).
+  // Wenn Sprint 2 einen seedComplianceProfile-Helper bringt der den
+  // Migration-Edge-Case einführt, kommt hier ein neuer Test rein.
+
+  test("Member-Rolle bekommt 403 (Banner ist Admin-only)", async () => {
+    const result = await stack.http.query(NEEDS_PROFILE, {}, normalUser);
+    expect(result.status).toBe(403);
+  });
+});