npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.2.1 → 0.2.3 - Mend

@cosmicdrift/kumiko-bundled-features 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/CHANGELOG.md +108 -0
package/package.json +12 -6
package/src/auth-email-password/auth-user-row.ts +6 -0
package/src/auth-email-password/constants.ts +11 -0
package/src/auth-email-password/handlers/login.write.ts +31 -1
package/src/auth-email-password/i18n.ts +4 -0
package/src/compliance-profiles/README.md +88 -0
package/src/compliance-profiles/__tests__/compliance-profiles.integration.ts +308 -0
package/src/compliance-profiles/__tests__/seeding.integration.ts +93 -0
package/src/compliance-profiles/feature.ts +51 -0
package/src/compliance-profiles/handlers/for-tenant.query.ts +63 -0
package/src/compliance-profiles/handlers/list-profiles.query.ts +44 -0
package/src/compliance-profiles/handlers/needs-profile.query.ts +56 -0
package/src/compliance-profiles/handlers/set-profile.write.ts +146 -0
package/src/compliance-profiles/handlers/sub-processors.query.ts +43 -0
package/src/compliance-profiles/index.ts +6 -0
package/src/compliance-profiles/resolve-for-tenant.ts +61 -0
package/src/compliance-profiles/schema/profile-selection.ts +52 -0
package/src/compliance-profiles/seeding.ts +96 -0
package/src/data-retention/__tests__/data-retention.integration.ts +49 -0
package/src/data-retention/__tests__/keep-for.test.ts +77 -0
package/src/data-retention/__tests__/override-schema.test.ts +96 -0
package/src/data-retention/__tests__/policy-for.integration.ts +172 -0
package/src/data-retention/__tests__/resolver.test.ts +201 -0
package/src/data-retention/_internal/parse-override.ts +33 -0
package/src/data-retention/feature.ts +57 -0
package/src/data-retention/handlers/policy-for.query.ts +57 -0
package/src/data-retention/index.ts +18 -0
package/src/data-retention/keep-for.ts +75 -0
package/src/data-retention/override-schema.ts +37 -0
package/src/data-retention/presets.ts +72 -0
package/src/data-retention/resolve-for-tenant.ts +50 -0
package/src/data-retention/resolver.ts +107 -0
package/src/data-retention/schema/tenant-retention-override.ts +47 -0
package/src/file-foundation/feature.ts +43 -3
package/src/file-foundation/index.ts +1 -0
package/src/file-provider-inmemory/feature.ts +6 -3
package/src/file-provider-s3/feature.ts +8 -10
package/src/files/README.md +50 -0
package/src/files/__tests__/files.integration.ts +157 -0
package/src/files/feature.ts +34 -0
package/src/files/index.ts +1 -0
package/src/files/schema/file-ref.ts +58 -0
package/src/files-provider-s3/s3-provider.ts +89 -0
package/src/secrets/__tests__/require-secrets-context.test.ts +81 -0
package/src/secrets/feature.ts +10 -6
package/src/sessions/constants.ts +4 -0
package/src/sessions/feature.ts +3 -0
package/src/sessions/handlers/revoke-all-for-user.write.ts +42 -0
package/src/tier-engine/__tests__/auto-default-tier.integration.ts +118 -0
package/src/tier-engine/feature.ts +16 -6
package/src/user/__tests__/user-status.test.ts +39 -0
package/src/user/index.ts +11 -1
package/src/user/schema/user.ts +76 -0
package/src/user-data-rights/COMPLIANCE.md +182 -0
package/src/user-data-rights/README.md +109 -0
package/src/user-data-rights/__tests__/audit-log.integration.ts +199 -0
package/src/user-data-rights/__tests__/cross-data-matrix.integration.ts +349 -0
package/src/user-data-rights/__tests__/download.integration.ts +565 -0
package/src/user-data-rights/__tests__/export-job-idempotency.integration.ts +244 -0
package/src/user-data-rights/__tests__/export-job-schema.test.ts +163 -0
package/src/user-data-rights/__tests__/policy-to-strategy.test.ts +30 -0
package/src/user-data-rights/__tests__/request-cancel-deletion.integration.ts +370 -0
package/src/user-data-rights/__tests__/request-deletion-callback.integration.ts +179 -0
package/src/user-data-rights/__tests__/request-export.integration.ts +269 -0
package/src/user-data-rights/__tests__/restriction-flow.integration.ts +309 -0
package/src/user-data-rights/__tests__/run-export-jobs.integration.ts +1124 -0
package/src/user-data-rights/__tests__/run-forget-cleanup.integration.ts +703 -0
package/src/user-data-rights/__tests__/run-user-export.integration.ts +291 -0
package/src/user-data-rights/__tests__/token-helpers.test.ts +63 -0
package/src/user-data-rights/__tests__/user-data-rights.integration.ts +57 -0
package/src/user-data-rights/__tests__/zip-path.test.ts +119 -0
package/src/user-data-rights/audit-download.ts +125 -0
package/src/user-data-rights/feature.ts +309 -0
package/src/user-data-rights/handlers/cancel-deletion.write.ts +84 -0
package/src/user-data-rights/handlers/download-by-job.query.ts +209 -0
package/src/user-data-rights/handlers/download-by-token.query.ts +257 -0
package/src/user-data-rights/handlers/export-status.query.ts +76 -0
package/src/user-data-rights/handlers/lift-restriction.write.ts +68 -0
package/src/user-data-rights/handlers/list-download-attempts.query.ts +53 -0
package/src/user-data-rights/handlers/my-audit-log.query.ts +63 -0
package/src/user-data-rights/handlers/request-deletion.write.ts +123 -0
package/src/user-data-rights/handlers/request-export.write.ts +155 -0
package/src/user-data-rights/handlers/restrict-account.write.ts +81 -0
package/src/user-data-rights/handlers/run-forget-cleanup.write.ts +61 -0
package/src/user-data-rights/i18n.ts +37 -0
package/src/user-data-rights/index.ts +19 -0
package/src/user-data-rights/run-export-jobs.ts +878 -0
package/src/user-data-rights/run-forget-cleanup.ts +334 -0
package/src/user-data-rights/run-user-export.ts +211 -0
package/src/user-data-rights/schema/download-attempt.ts +37 -0
package/src/user-data-rights/schema/download-token.ts +111 -0
package/src/user-data-rights/schema/export-job.ts +166 -0
package/src/user-data-rights/token-helpers.ts +67 -0
package/src/user-data-rights/zip-path.ts +94 -0
package/src/user-data-rights-defaults/__tests__/user-data-rights-defaults.integration.ts +337 -0
package/src/user-data-rights-defaults/feature.ts +40 -0
package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts +109 -0
package/src/user-data-rights-defaults/hooks/user.userdata-hook.ts +91 -0
package/src/user-data-rights-defaults/index.ts +6 -0

package/src/user-data-rights/__tests__/audit-log.integration.ts ADDED Viewed

@@ -0,0 +1,199 @@
+// S2.U7 — my-audit-log + invalid-attempt-audit + list-download-attempts.
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+} from "../../compliance-profiles";
+import { createDataRetentionFeature } from "../../data-retention";
+import { USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { createUserDataRightsFeature } from "../feature";
+import { downloadAttemptEntity, downloadAttemptsTable } from "../schema/download-attempt";
+const MY_AUDIT = "user-data-rights:query:my-audit-log";
+const LIST_ATTEMPTS = "user-data-rights:query:list-download-attempts";
+let stack: TestStack;
+const tenantA = testTenantId(1);
+const alice = createTestUser({ id: 42, tenantId: tenantA, roles: ["Member"] });
+const bob = createTestUser({ id: 43, tenantId: tenantA, roles: ["Member"] });
+const admin = createTestUser({ id: 1, tenantId: tenantA, roles: ["Admin"] });
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createUserDataRightsFeature(),
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await unsafeCreateEntityTable(stack.db, downloadAttemptEntity);
+  await createEventsTable(stack.db);
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.execute(sql`DELETE FROM read_tenant_compliance_profiles`);
+  await stack.db.execute(sql`DELETE FROM read_download_attempts`);
+  await stack.db.execute(sql`DELETE FROM kumiko_events`);
+});
+async function seedUser(u: typeof alice, email: string): Promise<void> {
+  await stack.db.insert(userTable).values({
+    id: u.id,
+    tenantId: u.tenantId,
+    email,
+    passwordHash: "h",
+    displayName: email,
+    locale: "de",
+    emailVerified: true,
+    roles: '["Member"]',
+    status: USER_STATUS.Active,
+  });
+}
+let _eventVersion = 0;
+async function seedEvent(
+  createdBy: string,
+  tenantId: string,
+  type: string,
+  payload: object,
+): Promise<void> {
+  _eventVersion += 1;
+  await stack.db.execute(sql`
+    INSERT INTO kumiko_events
+    (tenant_id, aggregate_type, aggregate_id, version, type, payload, metadata, created_at, created_by)
+    VALUES (${tenantId}, ${"test-aggregate"}, ${"00000000-0000-4000-8000-00000000aaaa"},
+            ${_eventVersion}, ${type}, ${JSON.stringify(payload)}, ${"{}"}, now(), ${createdBy})
+  `);
+}
+describe("my-audit-log", () => {
+  test("user sieht nur seine eigenen events (cross-user-Isolation)", async () => {
+    await seedEvent(alice.id, tenantA, "user.requested-deletion", { foo: "alice" });
+    await seedEvent(bob.id, tenantA, "user.requested-deletion", { foo: "bob" });
+    const aliceLog = await stack.http.queryOk<{ rows: Array<{ payload: unknown }> }>(
+      MY_AUDIT,
+      {},
+      alice,
+    );
+    const bobLog = await stack.http.queryOk<{ rows: Array<{ payload: unknown }> }>(
+      MY_AUDIT,
+      {},
+      bob,
+    );
+    expect(aliceLog.rows.length).toBe(1);
+    expect(bobLog.rows.length).toBe(1);
+    // Payload-pinning beweist die Cross-User-Filterung: alice sieht nur
+    // ihre Payload, bob nur seine.
+    expect((aliceLog.rows[0]?.payload as { foo: string }).foo).toBe("alice");
+    expect((bobLog.rows[0]?.payload as { foo: string }).foo).toBe("bob");
+  });
+  test("Account-weite Sicht: User sieht events aus anderen Tenants (DSGVO Art. 15)", async () => {
+    const tenantB = testTenantId(2);
+    await seedEvent(alice.id, tenantA, "user.x", { from: "tenantA" });
+    await seedEvent(alice.id, tenantB, "user.y", { from: "tenantB" });
+    const log = await stack.http.queryOk<{
+      rows: Array<{ payload: { from: string } }>;
+    }>(MY_AUDIT, {}, alice);
+    expect(log.rows.length).toBe(2);
+    const fromTenants = log.rows.map((r) => r.payload.from).sort();
+    expect(fromTenants).toEqual(["tenantA", "tenantB"]);
+  });
+  test("filter eventType + payload kommt mit", async () => {
+    await seedEvent(alice.id, tenantA, "user.requested-deletion", { gracePeriodEnd: "2026-06-01" });
+    await seedEvent(alice.id, tenantA, "user.lifted-restriction", {});
+    const filtered = await stack.http.queryOk<{ rows: Array<{ type: string }> }>(
+      MY_AUDIT,
+      { eventType: "user.requested-deletion" },
+      alice,
+    );
+    expect(filtered.rows.length).toBe(1);
+    expect(filtered.rows[0]?.type).toBe("user.requested-deletion");
+  });
+});
+describe("download-attempt retention :: disk-bomb-Schutz bei Brute-Force", () => {
+  test("Entity-Default ist 90d hardDelete (kein unbounded growth)", () => {
+    expect(downloadAttemptEntity.retention).toBeDefined();
+    expect(downloadAttemptEntity.retention?.keepFor).toBe("90d");
+    expect(downloadAttemptEntity.retention?.strategy).toBe("hardDelete");
+    expect(downloadAttemptEntity.retention?.reference).toBe("attemptedAt");
+  });
+});
+describe("list-download-attempts (DPO operator-query)", () => {
+  test("Admin kann queryen, Member nicht", async () => {
+    await seedUser(alice, "alice@example.com");
+    // Admin allowed
+    const ok = await stack.http.queryOk<{ rows: unknown[] }>(LIST_ATTEMPTS, {}, admin);
+    expect(Array.isArray(ok.rows)).toBe(true);
+    // Member blocked
+    const res = await stack.http.query(LIST_ATTEMPTS, {}, alice);
+    expect([401, 403]).toContain(res.status);
+  });
+  test("filter result=notFound", async () => {
+    // Direct-INSERT in attempts (simuliert was die download-handler schreiben).
+    const T = await import("@cosmicdrift/kumiko-framework/time");
+    const now = T.getTemporal().Now.instant();
+    await stack.db.insert(downloadAttemptsTable).values([
+      {
+        id: "11111111-1111-4111-8111-111111111111",
+        tenantId: tenantA,
+        result: "notFound",
+        via: "token",
+        tokenHash: "abc",
+        jobId: null,
+        attemptedByUserId: null,
+        ip: "1.2.3.4",
+        userAgent: "test",
+        attemptedAt: now,
+      },
+      {
+        id: "22222222-2222-4222-8222-222222222222",
+        tenantId: tenantA,
+        result: "expired",
+        via: "token",
+        tokenHash: "def",
+        jobId: null,
+        attemptedByUserId: null,
+        ip: "1.2.3.4",
+        userAgent: "test",
+        attemptedAt: now,
+      },
+    ]);
+    const filtered = await stack.http.queryOk<{ rows: Array<{ result: string }> }>(
+      LIST_ATTEMPTS,
+      { result: "notFound" },
+      admin,
+    );
+    expect(filtered.rows.length).toBe(1);
+    expect(filtered.rows[0]?.result).toBe("notFound");
+  });
+});

package/src/user-data-rights/__tests__/cross-data-matrix.integration.ts ADDED Viewed

@@ -0,0 +1,349 @@
+// Cross-Data-Matrix Integration-Test (S2.T1).
+//
+// Pinst dass eine App-eigene Domain-Entity ueber EXT_USER_DATA sauber in
+// Export- + Forget-Pipeline integriert. Synthetic "note"-Entity steht
+// stellvertretend fuer "Chat-Message", "Blog-Post", "Order-Line" etc.
+//
+// Matrix:
+//   - Export bundelt user + fileRef + note (3 Provider-Features) cross-
+//     tenant fuer einen User.
+//   - Forget cleant user (anonymized) + fileRef (deleted) + note
+//     (deleted) cross-tenant fuer denselben User.
+//   - Other-User-Isolation: Bobs notes/files bleiben unangetastet bei
+//     Alices Forget; Bobs Daten landen NICHT in Alices Export-Bundle.
+import {
+  defineFeature,
+  EXT_USER_DATA,
+  type UserDataDeleteHook,
+  type UserDataExportHook,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+} from "../../compliance-profiles";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createFilesFeature } from "../../files";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import { runUserExport } from "../run-user-export";
+let stack: TestStack;
+const TENANT_A = "00000000-0000-4000-8000-00000000000a";
+const TENANT_B = "00000000-0000-4000-8000-00000000000b";
+const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+function uuid(suffix: number): string {
+  return `cccccccc-cccc-4ccc-8ccc-${suffix.toString(16).padStart(12, "0")}`;
+}
+const ALICE_ID = uuid(1);
+const BOB_ID = uuid(2);
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+const NOW = (): Instant => getTemporal().Now.instant();
+const PAST = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+// Synthetic third-party Domain-Feature: "note" mit export- + delete-Hook.
+// Stellvertretend fuer App-spezifische Entities (Chat-Message, Blog-Post
+// etc.), die ueber EXT_USER_DATA sauber in die Pipeline integrieren.
+const exportNotes: UserDataExportHook = async (ctx) => {
+  const result = await ctx.db.execute(sql`
+    SELECT id, title, body
+    FROM test_notes
+    WHERE tenant_id = ${ctx.tenantId} AND author_id = ${ctx.userId}
+  `);
+  // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+  const rows = ((result as any).rows ?? result) as Array<{
+    id: string;
+    title: string;
+    body: string;
+  }>;
+  if (rows.length === 0) return null;
+  return {
+    entity: "note",
+    rows: rows.map((r) => ({ id: r.id, title: r.title, body: r.body })),
+  };
+};
+const deleteNotes: UserDataDeleteHook = async (ctx, _strategy) => {
+  await ctx.db.execute(sql`
+    DELETE FROM test_notes
+    WHERE tenant_id = ${ctx.tenantId} AND author_id = ${ctx.userId}
+  `);
+};
+const testNotesFeature = defineFeature("test-notes", (r) => {
+  r.useExtension(EXT_USER_DATA, "note", {
+    export: exportNotes,
+    delete: deleteNotes,
+  });
+});
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature(),
+      testNotesFeature,
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await stack.db.execute(sql`
+    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      tenant_id UUID NOT NULL,
+      user_id TEXT NOT NULL,
+      version INTEGER NOT NULL DEFAULT 0,
+      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      inserted_by_id TEXT,
+      modified_by_id TEXT,
+      is_deleted BOOLEAN NOT NULL DEFAULT false,
+      deleted_at TIMESTAMPTZ,
+      deleted_by_id TEXT,
+      roles TEXT NOT NULL DEFAULT '[]',
+      UNIQUE(user_id, tenant_id)
+    )
+  `);
+  await stack.db.execute(sql`
+    CREATE TABLE IF NOT EXISTS file_refs (
+      id UUID PRIMARY KEY,
+      tenant_id UUID NOT NULL,
+      storage_key TEXT NOT NULL,
+      file_name TEXT NOT NULL,
+      mime_type TEXT NOT NULL,
+      size INTEGER NOT NULL,
+      entity_type TEXT,
+      entity_id TEXT,
+      field_name TEXT,
+      inserted_at TIMESTAMPTZ DEFAULT now() NOT NULL,
+      inserted_by_id TEXT
+    )
+  `);
+  await stack.db.execute(sql`
+    CREATE TABLE IF NOT EXISTS test_notes (
+      id UUID PRIMARY KEY,
+      tenant_id UUID NOT NULL,
+      author_id TEXT NOT NULL,
+      title TEXT NOT NULL,
+      body TEXT NOT NULL
+    )
+  `);
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.execute(sql`DELETE FROM read_tenant_memberships`);
+  await stack.db.execute(sql`DELETE FROM file_refs`);
+  await stack.db.execute(sql`DELETE FROM test_notes`);
+});
+async function seedUser(
+  id: string,
+  overrides: {
+    status?: string;
+    gracePeriodEnd?: Instant | null;
+    email?: string;
+    displayName?: string;
+  } = {},
+): Promise<void> {
+  await stack.db.insert(userTable).values({
+    id,
+    tenantId: TENANT_SYSTEM,
+    email: overrides.email ?? `user-${id}@example.com`,
+    passwordHash: "hashed",
+    displayName: overrides.displayName ?? `User ${id}`,
+    locale: "de",
+    emailVerified: true,
+    roles: '["Member"]',
+    status: overrides.status ?? USER_STATUS.Active,
+    gracePeriodEnd: overrides.gracePeriodEnd ?? null,
+  });
+}
+async function seedMembership(userId: string, tenantId: string): Promise<void> {
+  await stack.db.execute(sql`
+    INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
+    VALUES (${tenantId}, ${userId}, '["Member"]')
+    ON CONFLICT (user_id, tenant_id) DO NOTHING
+  `);
+}
+async function seedFileRef(
+  id: string,
+  tenantId: string,
+  userId: string,
+  name: string,
+): Promise<void> {
+  await stack.db.execute(sql`
+    INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
+    VALUES (${id}, ${tenantId}, ${`storage/${id}`}, ${name}, 'application/pdf', 1024, ${userId})
+  `);
+}
+async function seedNote(
+  id: string,
+  tenantId: string,
+  userId: string,
+  title: string,
+): Promise<void> {
+  await stack.db.execute(sql`
+    INSERT INTO test_notes (id, tenant_id, author_id, title, body)
+    VALUES (${id}, ${tenantId}, ${userId}, ${title}, ${`body for ${title}`})
+  `);
+}
+async function fetchNotes(tenantId: string, userId: string): Promise<unknown[]> {
+  const result = await stack.db.execute(sql`
+    SELECT id, title FROM test_notes WHERE tenant_id = ${tenantId} AND author_id = ${userId}
+  `);
+  // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+  return ((result as any).rows ?? result) as unknown[];
+}
+describe("Cross-Data-Matrix :: Export bundelt 3 Provider-Features (user + fileRef + note)", () => {
+  test("Alice (Tenant A + B) → Bundle hat alle 3 Entitaeten cross-tenant", async () => {
+    await seedUser(ALICE_ID, { email: "alice@example.com", displayName: "Alice" });
+    await seedMembership(ALICE_ID, TENANT_A);
+    await seedMembership(ALICE_ID, TENANT_B);
+    await seedFileRef(uuid(101), TENANT_A, ALICE_ID, "alice-a.pdf");
+    await seedFileRef(uuid(102), TENANT_B, ALICE_ID, "alice-b.pdf");
+    await seedNote(uuid(201), TENANT_A, ALICE_ID, "note-A-1");
+    await seedNote(uuid(202), TENANT_A, ALICE_ID, "note-A-2");
+    await seedNote(uuid(203), TENANT_B, ALICE_ID, "note-B-1");
+    const bundle = await runUserExport({
+      db: stack.db,
+      registry: stack.registry,
+      userId: ALICE_ID,
+      now: NOW(),
+    });
+    expect(bundle.tenants).toHaveLength(2);
+    const tenantA = bundle.tenants.find((t) => t.tenantId === TENANT_A);
+    const tenantB = bundle.tenants.find((t) => t.tenantId === TENANT_B);
+    expect(tenantA).toBeDefined();
+    expect(tenantB).toBeDefined();
+    // Tenant A: user + fileRef + 2 notes
+    const entitiesA = (tenantA?.entities ?? []).map((e) => e.entity);
+    expect(entitiesA).toContain("user");
+    expect(entitiesA).toContain("fileRef");
+    expect(entitiesA).toContain("note");
+    const noteSnippetA = tenantA?.entities.find((e) => e.entity === "note");
+    expect(noteSnippetA?.rows).toHaveLength(2);
+    // Tenant B: user + fileRef + 1 note
+    const noteSnippetB = tenantB?.entities.find((e) => e.entity === "note");
+    expect(noteSnippetB?.rows).toHaveLength(1);
+    expect(String(noteSnippetB?.rows[0]?.["title"])).toBe("note-B-1");
+  });
+  test("Other-User-Isolation: Bobs notes nicht in Alices Bundle", async () => {
+    await seedUser(ALICE_ID, { email: "alice@example.com" });
+    await seedUser(BOB_ID, { email: "bob@example.com" });
+    await seedMembership(ALICE_ID, TENANT_A);
+    await seedMembership(BOB_ID, TENANT_A);
+    await seedNote(uuid(301), TENANT_A, ALICE_ID, "alice-secret");
+    await seedNote(uuid(302), TENANT_A, BOB_ID, "bob-secret");
+    const bundle = await runUserExport({
+      db: stack.db,
+      registry: stack.registry,
+      userId: ALICE_ID,
+      now: NOW(),
+    });
+    const serialized = JSON.stringify(bundle);
+    expect(serialized).toContain("alice-secret");
+    expect(serialized).not.toContain("bob-secret");
+  });
+});
+describe("Cross-Data-Matrix :: Forget cleant 3 Provider-Features cross-tenant", () => {
+  test("Alice DeletionRequested + grace expired → notes weg in beiden Tenants, Bobs Daten unangetastet", async () => {
+    await seedUser(ALICE_ID, {
+      status: USER_STATUS.DeletionRequested,
+      gracePeriodEnd: PAST(),
+      email: "alice@example.com",
+    });
+    await seedUser(BOB_ID, { email: "bob@example.com" });
+    await seedMembership(ALICE_ID, TENANT_A);
+    await seedMembership(ALICE_ID, TENANT_B);
+    await seedMembership(BOB_ID, TENANT_A);
+    await seedFileRef(uuid(401), TENANT_A, ALICE_ID, "alice-a.pdf");
+    await seedFileRef(uuid(402), TENANT_A, BOB_ID, "bob-a.pdf");
+    await seedNote(uuid(501), TENANT_A, ALICE_ID, "alice-A");
+    await seedNote(uuid(502), TENANT_B, ALICE_ID, "alice-B");
+    await seedNote(uuid(503), TENANT_A, BOB_ID, "bob-A");
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: NOW(),
+    });
+    expect(result.processedUserIds).toContain(ALICE_ID);
+    expect(result.errors).toHaveLength(0);
+    // Alices notes in beiden Tenants weg
+    expect(await fetchNotes(TENANT_A, ALICE_ID)).toHaveLength(0);
+    expect(await fetchNotes(TENANT_B, ALICE_ID)).toHaveLength(0);
+    // Alices fileRef in Tenant A weg
+    const aliceFiles = await stack.db.execute(sql`
+      SELECT id FROM file_refs WHERE tenant_id = ${TENANT_A} AND inserted_by_id = ${ALICE_ID}
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+    expect((((aliceFiles as any).rows ?? aliceFiles) as unknown[]).length).toBe(0);
+    // Bobs notes + files unangetastet
+    expect(await fetchNotes(TENANT_A, BOB_ID)).toHaveLength(1);
+    const bobFiles = await stack.db.execute(sql`
+      SELECT id FROM file_refs WHERE tenant_id = ${TENANT_A} AND inserted_by_id = ${BOB_ID}
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+    expect((((bobFiles as any).rows ?? bobFiles) as unknown[]).length).toBe(1);
+    // Alice-User-Row anonymisiert (DSGVO-Kern: PII raus, Sentinel-Email).
+    const aliceRow = await stack.db.execute(sql`
+      SELECT email, status FROM read_users WHERE id = ${ALICE_ID}
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+    const aliceRows = ((aliceRow as any).rows ?? aliceRow) as Array<{
+      email: string;
+      status: string;
+    }>;
+    expect(aliceRows[0]?.status).toBe(USER_STATUS.Deleted);
+    expect(aliceRows[0]?.email).toMatch(/^deleted-.*@anonymized\.invalid$/);
+    expect(aliceRows[0]?.email).not.toContain("alice@example.com");
+  });
+});