@cosmicdrift/kumiko-bundled-features 0.2.2 → 0.2.3

package/src/user-data-rights/__tests__/request-export.integration.ts

@@ -0,0 +1,269 @@
+// request-export.write + export-status.query Integration-Test (S2.U3 Atom 2).
+//
+// Pinst die User-Touchpoints des Async-Export-Pipeline. Atom 3b (Worker)
+// + Atom 4b (Download) sind separate Sprints — hier nur der Trigger
+// + das Polling.
+//
+// Test-Pflichten aus Plan-Doc + advisor-Review:
+//   - Happy path: User klickt → Job pending entsteht
+//   - App-side-Idempotency: 2nd Klick sieht existing → isExisting=true,
+//     KEIN neuer Job + KEIN neues Event
+//   - DB-Constraint Race-Schutz: zwischen fetchOne + crud.create
+//     erscheint ein paralleler Job (simuliert durch direct-INSERT) →
+//     2nd Klick catched 23505 + return existing
+//   - Cross-Tenant: Alice in 2 Tenants, Tenant A click → Tenant B click
+//     sieht via App-side-Check den A-Job (DB-Constraint matcht nur auf
+//     userId, App-side-Check nutzt ctx.db.raw fuer Cross-Tenant-Lookup)
+//   - Status-Polling: User sieht eigene Jobs, Cross-User-Isolation,
+//     hasJob=false wenn nichts da
+
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature } from "../../data-retention";
+import { createUserFeature } from "../../user";
+import { createUserDataRightsFeature } from "../feature";
+import { EXPORT_JOB_STATUS, exportJobEntity, exportJobsTable } from "../schema/export-job";
+
+const REQUEST_EXPORT = "user-data-rights:write:request-export";
+const EXPORT_STATUS = "user-data-rights:query:export-status";
+
+let stack: TestStack;
+
+const tenantA = testTenantId(1);
+const tenantB = testTenantId(2);
+const aliceUser = createTestUser({ id: 42, tenantId: tenantA, roles: ["Member"] });
+const aliceFromB = createTestUser({ id: 42, tenantId: tenantB, roles: ["Member"] });
+const bobUser = createTestUser({ id: 43, tenantId: tenantA, roles: ["Member"] });
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createUserDataRightsFeature(),
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, exportJobEntity);
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(exportJobsTable);
+  await stack.db.execute(sql`DELETE FROM kumiko_events`);
+});
+
+type RequestExportResponse = {
+  jobId: string;
+  status: string;
+  isExisting: boolean;
+};
+
+describe("request-export :: happy path", () => {
+  test("erster Klick erzeugt pending Job mit requestedFromTenantId=Caller-Tenant", async () => {
+    const result = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+
+    expect(result.isExisting).toBe(false);
+    expect(result.status).toBe(EXPORT_JOB_STATUS.Pending);
+    expect(result.jobId).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-/);
+
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-row typing
+    expect((rows[0] as any).userId).toBe(aliceUser.id);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-row typing
+    expect((rows[0] as any).requestedFromTenantId).toBe(tenantA);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-row typing
+    expect((rows[0] as any).status).toBe(EXPORT_JOB_STATUS.Pending);
+  });
+
+  test("Event 'export-job.created' im Stream", async () => {
+    await stack.http.writeOk(REQUEST_EXPORT, {}, aliceUser);
+
+    const events = await stack.db.execute(sql`
+      SELECT type FROM kumiko_events WHERE aggregate_type = 'export-job'
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-execute typing
+    const rows = ((events as any).rows ?? events) as Array<{ type: string }>;
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.type).toBe("export-job.created");
+  });
+});
+
+describe("request-export :: App-side-Idempotency (primaerer Pfad)", () => {
+  test("2nd Klick sieht existing Job → isExisting=true, KEIN neuer Job, KEIN neues Event", async () => {
+    const first = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+    expect(first.isExisting).toBe(false);
+
+    const second = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+    expect(second.isExisting).toBe(true);
+    expect(second.jobId).toBe(first.jobId);
+    expect(second.status).toBe(EXPORT_JOB_STATUS.Pending);
+
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+
+    const events = await stack.db.execute(sql`
+      SELECT type FROM kumiko_events WHERE aggregate_type = 'export-job'
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-execute typing
+    const evRows = ((events as any).rows ?? events) as Array<{ type: string }>;
+    expect(evRows).toHaveLength(1); // 1 Klick = 1 Event, nicht 2
+  });
+
+  test("Klick nach done-Job ist NEUER Job (Audit-Historie wird nicht blockiert)", async () => {
+    const first = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+    // Worker-Simulation: status auf done flippen (direct-update OK in Test)
+    await stack.db
+      .update(exportJobsTable)
+      .set({ status: EXPORT_JOB_STATUS.Done })
+      .where(sql`id = ${first.jobId}`);
+
+    const second = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+    expect(second.isExisting).toBe(false);
+    expect(second.jobId).not.toBe(first.jobId);
+
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+});
+
+describe("request-export :: Cross-Tenant (Plan-Doc-Pflicht-Test)", () => {
+  test("Alice klickt aus Tenant A → Tenant B Klick sieht den A-Job (kein 2. Job)", async () => {
+    const fromA = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+    expect(fromA.isExisting).toBe(false);
+
+    // Alice klickt aus Tenant B (anderer executorUser.tenantId, gleicher
+    // userId). App-side-Pre-Check via ctx.db.raw findet den A-Job.
+    const fromB = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceFromB);
+    expect(fromB.isExisting).toBe(true);
+    expect(fromB.jobId).toBe(fromA.jobId);
+
+    // Genau 1 Job (kein 2. fuer Tenant B)
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+    // requestedFromTenantId = Tenant aus 1. Klick (= A), nicht B
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-row typing
+    expect((rows[0] as any).requestedFromTenantId).toBe(tenantA);
+  });
+});
+
+describe("request-export :: Race-Schutz (Promise.all parallel)", () => {
+  test("zwei parallele Klicks → 1 Job, beide Caller sehen denselben jobId", async () => {
+    // Promise.all parallelisiert die Handler. PG-Layer macht die
+    // Serialisierung im Tx-Scheduling — einer wird crud.create-Race-
+    // Loser und nimmt den 23505-Catch-Pfad, der andere wins.
+    // Welcher konkret welchen Pfad nimmt haengt vom DB-Scheduling +
+    // App-side-Pre-Check-Timing — beide sind correctness-aequivalent.
+    // Test pinst die Invariante: 2 parallele Klicks → 1 Row, beide
+    // Caller sehen denselben jobId.
+    const [a, b] = await Promise.all([
+      stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser),
+      stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser),
+    ]);
+
+    expect(a.jobId).toBe(b.jobId);
+    // Genau einer ist isExisting=false (winner). Der andere kann via
+    // App-side-Check ODER via 23505-Race-Catch isExisting=true returnen
+    // — beides ist funktional korrekt.
+    const winners = [a, b].filter((r) => r.isExisting === false);
+    expect(winners).toHaveLength(1);
+
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+  });
+
+  // 10+ parallele Klicks bewusst NICHT getestet: das triggert event-
+  // store-stream-version-conflicts (separate Schicht ueber dem Projection-
+  // Index, Memory feedback_event_store_tenant_consistency). High-
+  // Concurrency-Race ist orthogonal zu unserem App-side+DB-Constraint-
+  // Schutz — sollte in framework/event-store-Tests gepinnt werden,
+  // nicht hier. 2-paralleler-Test reicht fuer die "Race-Schutz greift"-
+  // Invariante.
+});
+
+describe("export-status :: User-Polling", () => {
+  type StatusResponse =
+    | { hasJob: false }
+    | {
+        hasJob: true;
+        job: {
+          id: string;
+          status: string;
+          requestedAt: string | null;
+          completedAt: string | null;
+          expiresAt: string | null;
+          errorMessage: string | null;
+          bytesWritten: number | null;
+        };
+      };
+
+  test("hasJob=false wenn User noch nichts requestet hat", async () => {
+    const result = await stack.http.queryOk<StatusResponse>(EXPORT_STATUS, {}, aliceUser);
+    expect(result.hasJob).toBe(false);
+  });
+
+  test("hasJob=true mit pending-Job nach request-export", async () => {
+    await stack.http.writeOk(REQUEST_EXPORT, {}, aliceUser);
+
+    const result = await stack.http.queryOk<StatusResponse>(EXPORT_STATUS, {}, aliceUser);
+    expect(result.hasJob).toBe(true);
+    if (!result.hasJob) throw new Error("expected job");
+    expect(result.job.status).toBe(EXPORT_JOB_STATUS.Pending);
+    expect(result.job.requestedAt).not.toBeNull();
+    expect(result.job.completedAt).toBeNull();
+    expect(result.job.expiresAt).toBeNull();
+    expect(result.job.errorMessage).toBeNull();
+  });
+
+  test("Cross-User-Isolation: Bob sieht Alice's Job NICHT", async () => {
+    await stack.http.writeOk(REQUEST_EXPORT, {}, aliceUser);
+
+    const bobResult = await stack.http.queryOk<StatusResponse>(EXPORT_STATUS, {}, bobUser);
+    expect(bobResult.hasJob).toBe(false);
+  });
+
+  test("liefert NEUESTEN Job zurueck (orderBy desc requestedAt)", async () => {
+    const T = getTemporal();
+    // 1. Job done in der Vergangenheit
+    const oldJobId = "11111111-1111-4111-8111-111111111111";
+    await stack.db.insert(exportJobsTable).values({
+      id: oldJobId,
+      tenantId: tenantA,
+      userId: aliceUser.id,
+      requestedFromTenantId: tenantA,
+      status: EXPORT_JOB_STATUS.Done,
+      requestedAt: T.Instant.fromEpochMilliseconds(Date.now() - 60_000),
+    });
+
+    // 2. neuer pending-Job
+    const newJob = await stack.http.writeOk<RequestExportResponse>(REQUEST_EXPORT, {}, aliceUser);
+
+    const result = await stack.http.queryOk<StatusResponse>(EXPORT_STATUS, {}, aliceUser);
+    expect(result.hasJob).toBe(true);
+    if (!result.hasJob) throw new Error("expected job");
+    expect(result.job.id).toBe(newJob.jobId);
+    expect(result.job.status).toBe(EXPORT_JOB_STATUS.Pending);
+  });
+
+  test("Cross-Tenant: Polling aus Tenant B sieht den Job aus Tenant A", async () => {
+    await stack.http.writeOk(REQUEST_EXPORT, {}, aliceUser);
+
+    const fromB = await stack.http.queryOk<StatusResponse>(EXPORT_STATUS, {}, aliceFromB);
+    expect(fromB.hasJob).toBe(true);
+  });
+});

package/src/user-data-rights/__tests__/restriction-flow.integration.ts

@@ -0,0 +1,309 @@
+// S2.U6 — DSGVO Art. 18 Account-Freeze. End-to-End-Test ueber drei
+// Features (sessions + auth-email-password + user-data-rights):
+//
+//   - restrict-account flippt Status + revoked alle Sessions cross-feature
+//   - lift-restriction flippt zurueck
+//   - Login-Pfad blockt Restricted (eigener error code) und collapsed
+//     DeletionRequested/Deleted auf invalid_credentials (anti-enum)
+//   - Existing JWTs einer restricted-User werden via sessionChecker
+//     abgelehnt (session-revocation greift)
+//   - State-Transition-Matrix: Active↔Restricted, andere Uebergaenge
+//     fehlgeschlagen mit klaren error codes
+
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  testTenantId,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createLateBoundHolder } from "@cosmicdrift/kumiko-framework/testing";
+import { eq, sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { AuthErrors, AuthHandlers } from "../../auth-email-password/constants";
+import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
+import { hashPassword } from "../../auth-email-password/password-hashing";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+} from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createDataRetentionFeature } from "../../data-retention";
+import { createSessionsFeature } from "../../sessions";
+import { SessionHandlers } from "../../sessions/constants";
+import { userSessionEntity, userSessionTable } from "../../sessions/schema/user-session";
+import { createSessionCallbacks, type SessionCallbacks } from "../../sessions/session-callbacks";
+import { sessionCallbacksFromLateBound } from "../../sessions/testing";
+import { createTenantFeature, tenantMembershipsTable } from "../../tenant";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/seeding";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { UserHandlers } from "../../user/constants";
+import { createUserDataRightsFeature } from "../feature";
+
+const RESTRICT = "user-data-rights:write:restrict-account";
+const LIFT = "user-data-rights:write:lift-restriction";
+
+let stack: TestStack;
+const callbacks = createLateBoundHolder<SessionCallbacks>("session-callbacks");
+const encryptionKey = randomBytes(32).toString("base64");
+const TENANT: TenantId = testTenantId(1);
+
+const ALICE_EMAIL = "alice.restrict@example.com";
+const ALICE_PW = "alice-pw-long-enough";
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+  const bound = sessionCallbacksFromLateBound(callbacks);
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createAuthEmailPasswordFeature(),
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      ...bound.asAuthConfig(),
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+    },
+  });
+  callbacks.set(createSessionCallbacks({ db: stack.db }));
+
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantEntity);
+  await unsafeCreateEntityTable(stack.db, userSessionEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await createEventsTable(stack.db);
+  await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userSessionTable);
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  await stack.db.execute(sql`DELETE FROM read_tenant_compliance_profiles`);
+  await stack.db.execute(sql`DELETE FROM kumiko_events`);
+});
+
+async function seedAliceWithMembership(
+  status: string = USER_STATUS.Active,
+): Promise<{ userId: string }> {
+  const hash = await hashPassword(ALICE_PW);
+  const created = await stack.http.writeOk<{ id: string }>(
+    UserHandlers.create,
+    { email: ALICE_EMAIL, passwordHash: hash, displayName: "Alice" },
+    TestUsers.systemAdmin,
+  );
+  if (status !== USER_STATUS.Active) {
+    await stack.db.update(userTable).set({ status }).where(eq(userTable["id"], created.id));
+  }
+  await seedTenantMembership(stack.db, {
+    userId: created.id,
+    tenantId: TENANT,
+    roles: ["Member"],
+  });
+  return { userId: created.id };
+}
+
+async function login(email: string, password: string): Promise<{ status: number; body: unknown }> {
+  const res = await stack.http.raw("POST", "/api/auth/login", { email, password });
+  return { status: res.status, body: await res.json() };
+}
+
+function reasonOf(err: { details?: unknown }): string | undefined {
+  return (err.details as { reason?: string } | undefined)?.reason;
+}
+
+describe("S2.U6 :: restrict-account state-transitions", () => {
+  test("Active → Restricted: status flippt + alle Sessions revoked", async () => {
+    const { userId } = await seedAliceWithMembership();
+    // Login um eine Session zu erzeugen.
+    const loginRes = await login(ALICE_EMAIL, ALICE_PW);
+    expect(loginRes.status).toBe(200);
+
+    // Session-Row vorhanden + live (revokedAt=null).
+    const sessionsBefore = (await stack.db
+      .select({ id: userSessionTable["id"], revokedAt: userSessionTable["revokedAt"] })
+      .from(userSessionTable)
+      .where(eq(userSessionTable["userId"], userId))) as Array<{
+      id: string;
+      revokedAt: unknown;
+    }>;
+    expect(sessionsBefore.length).toBeGreaterThanOrEqual(1);
+    expect(sessionsBefore.every((s) => s.revokedAt === null)).toBe(true);
+
+    // Restrict-Account.
+    const aliceUser = {
+      id: userId,
+      tenantId: TENANT,
+      roles: ["Member"],
+    };
+    const result = await stack.http.writeOk<{ userId: string; status: string }>(
+      RESTRICT,
+      {},
+      aliceUser,
+    );
+    expect(result.status).toBe(USER_STATUS.Restricted);
+    expect(result.userId).toBe(userId);
+
+    // DB-State: status=Restricted.
+    const userRow = (await stack.db
+      .select({ status: userTable["status"] })
+      .from(userTable)
+      .where(eq(userTable["id"], userId))) as Array<{ status: string }>;
+    expect(userRow[0]?.status).toBe(USER_STATUS.Restricted);
+
+    // Alle Sessions revoked (revokedAt != null).
+    const sessionsAfter = (await stack.db
+      .select({ revokedAt: userSessionTable["revokedAt"] })
+      .from(userSessionTable)
+      .where(eq(userSessionTable["userId"], userId))) as Array<{ revokedAt: unknown }>;
+    expect(sessionsAfter.every((s) => s.revokedAt !== null)).toBe(true);
+  });
+
+  test("Restricted → Restricted (Idempotenz-Guard): 422 already_restricted", async () => {
+    const { userId } = await seedAliceWithMembership(USER_STATUS.Restricted);
+    const aliceUser = { id: userId, tenantId: TENANT, roles: ["Member"] };
+    const err = await stack.http.writeErr(RESTRICT, {}, aliceUser);
+    expect(err.httpStatus).toBe(422);
+    expect(reasonOf(err)).toBe("already_restricted");
+  });
+
+  test("DeletionRequested → restrict-account: 422 user_not_in_active_state", async () => {
+    const { userId } = await seedAliceWithMembership(USER_STATUS.DeletionRequested);
+    const aliceUser = { id: userId, tenantId: TENANT, roles: ["Member"] };
+    const err = await stack.http.writeErr(RESTRICT, {}, aliceUser);
+    expect(reasonOf(err)).toBe("user_not_in_active_state");
+  });
+});
+
+describe("S2.U6 :: lift-restriction state-transitions", () => {
+  test("Restricted → Active: status flippt zurueck", async () => {
+    const { userId } = await seedAliceWithMembership(USER_STATUS.Restricted);
+    const aliceUser = { id: userId, tenantId: TENANT, roles: ["Member"] };
+
+    const result = await stack.http.writeOk<{ status: string }>(LIFT, {}, aliceUser);
+    expect(result.status).toBe(USER_STATUS.Active);
+
+    const userRow = (await stack.db
+      .select({ status: userTable["status"] })
+      .from(userTable)
+      .where(eq(userTable["id"], userId))) as Array<{ status: string }>;
+    expect(userRow[0]?.status).toBe(USER_STATUS.Active);
+  });
+
+  test("Active → lift-restriction: 422 not_restricted (Idempotenz-Guard)", async () => {
+    const { userId } = await seedAliceWithMembership(USER_STATUS.Active);
+    const aliceUser = { id: userId, tenantId: TENANT, roles: ["Member"] };
+    const err = await stack.http.writeErr(LIFT, {}, aliceUser);
+    expect(reasonOf(err)).toBe("not_restricted");
+  });
+
+  test("DeletionRequested → lift-restriction: 422 not_restricted", async () => {
+    const { userId } = await seedAliceWithMembership(USER_STATUS.DeletionRequested);
+    const aliceUser = { id: userId, tenantId: TENANT, roles: ["Member"] };
+    const err = await stack.http.writeErr(LIFT, {}, aliceUser);
+    expect(reasonOf(err)).toBe("not_restricted");
+  });
+});
+
+describe("S2.U6 :: Login-Block fuer Restricted/DeletionRequested/Deleted", () => {
+  test("Active user login: 200 (regression check)", async () => {
+    await seedAliceWithMembership(USER_STATUS.Active);
+    const res = await login(ALICE_EMAIL, ALICE_PW);
+    expect(res.status).toBe(200);
+  });
+
+  test("Restricted user login: 422 account_restricted (eigener Code, kein collapse)", async () => {
+    await seedAliceWithMembership(USER_STATUS.Restricted);
+    const res = await login(ALICE_EMAIL, ALICE_PW);
+    expect(res.status).toBe(422);
+    const body = res.body as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.accountRestricted);
+  });
+
+  test("DeletionRequested user login: 422 invalid_credentials (anti-enum collapse)", async () => {
+    await seedAliceWithMembership(USER_STATUS.DeletionRequested);
+    const res = await login(ALICE_EMAIL, ALICE_PW);
+    expect(res.status).toBe(422);
+    const body = res.body as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
+  });
+
+  test("Deleted user login: 422 invalid_credentials (anti-enum collapse)", async () => {
+    await seedAliceWithMembership(USER_STATUS.Deleted);
+    const res = await login(ALICE_EMAIL, ALICE_PW);
+    expect(res.status).toBe(422);
+    const body = res.body as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
+  });
+
+  test("Wrong password vor Status-Check (timing-equivalence): 422 invalid_credentials, NICHT account_restricted", async () => {
+    // Restricted User mit FALSCHEM Passwort darf NICHT account_restricted
+    // erfahren — invalid_credentials kommt zuerst (siehe login.write.ts:
+    // Status-Check ist NACH password-verify). Sonst koennte ein Angreifer
+    // ohne valid Credentials den Restricted-Status enumerieren.
+    await seedAliceWithMembership(USER_STATUS.Restricted);
+    const res = await login(ALICE_EMAIL, "wrong-password-here");
+    expect(res.status).toBe(422);
+    const body = res.body as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
+  });
+});
+
+describe("S2.U6 :: Cross-Feature sessions.revokeAllForUser direct", () => {
+  test("Privileged-Caller revoked alle live sessions eines Users", async () => {
+    const { userId } = await seedAliceWithMembership();
+    // 2 Sessions erzeugen via Login + zweiter Login.
+    const a = await login(ALICE_EMAIL, ALICE_PW);
+    const b = await login(ALICE_EMAIL, ALICE_PW);
+    expect(a.status).toBe(200);
+    expect(b.status).toBe(200);
+
+    const liveBefore = (await stack.db
+      .select({ id: userSessionTable["id"] })
+      .from(userSessionTable)
+      .where(eq(userSessionTable["userId"], userId))) as Array<{ id: string }>;
+    expect(liveBefore.length).toBe(2);
+
+    // System-Caller.
+    const systemUser = {
+      id: "00000000-0000-4000-8000-000000000000",
+      tenantId: TENANT,
+      roles: ["SystemAdmin"],
+    };
+    const result = await stack.http.writeOk<{ count: number; userId: string }>(
+      SessionHandlers.revokeAllForUser,
+      { userId },
+      systemUser,
+    );
+    expect(result.count).toBe(2);
+    expect(result.userId).toBe(userId);
+
+    // Alle revoked.
+    const revoked = (await stack.db
+      .select({ revokedAt: userSessionTable["revokedAt"] })
+      .from(userSessionTable)
+      .where(eq(userSessionTable["userId"], userId))) as Array<{ revokedAt: unknown }>;
+    expect(revoked.every((s) => s.revokedAt !== null)).toBe(true);
+  });
+});