npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.2.2 → 0.3.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/CHANGELOG.md +91 -0
package/package.json +22 -13
package/src/auth-email-password/auth-user-row.ts +6 -0
package/src/auth-email-password/constants.ts +11 -0
package/src/auth-email-password/handlers/change-password.write.ts +1 -1
package/src/auth-email-password/handlers/confirm-token-flow.ts +1 -1
package/src/auth-email-password/handlers/invite-accept-with-login.write.ts +7 -7
package/src/auth-email-password/handlers/invite-accept.write.ts +7 -6
package/src/auth-email-password/handlers/invite-create.write.ts +3 -3
package/src/auth-email-password/handlers/invite-signup-complete.write.ts +4 -4
package/src/auth-email-password/handlers/login.write.ts +32 -2
package/src/auth-email-password/handlers/logout.write.ts +2 -2
package/src/auth-email-password/handlers/signup-confirm.write.ts +1 -1
package/src/auth-email-password/i18n.ts +4 -0
package/src/auth-email-password/web/auth-client.ts +1 -1
package/src/billing-foundation/events.ts +1 -1
package/src/billing-foundation/feature.ts +44 -47
package/src/billing-foundation/handlers/create-portal-session.write.ts +3 -3
package/src/billing-foundation/handlers/process-event.write.ts +3 -3
package/src/billing-foundation/projection.ts +1 -1
package/src/billing-foundation/webhook-handler.ts +1 -1
package/src/cap-counter/constants.ts +1 -1
package/src/cap-counter/enforce-cap.ts +1 -1
package/src/cap-counter/feature.ts +3 -7
package/src/cap-counter/handlers/get-counter.query.ts +1 -1
package/src/cap-counter/handlers/increment-rolling.write.ts +2 -2
package/src/cap-counter/handlers/increment.write.ts +3 -3
package/src/cap-counter/handlers/mark-soft-warned.write.ts +2 -2
package/src/channel-email/email-channel.ts +1 -1
package/src/channel-email/types.ts +1 -1
package/src/compliance-profiles/README.md +88 -0
package/src/compliance-profiles/__tests__/compliance-profiles.integration.ts +308 -0
package/src/compliance-profiles/__tests__/seeding.integration.ts +93 -0
package/src/compliance-profiles/feature.ts +51 -0
package/src/compliance-profiles/handlers/for-tenant.query.ts +64 -0
package/src/compliance-profiles/handlers/list-profiles.query.ts +44 -0
package/src/compliance-profiles/handlers/needs-profile.query.ts +56 -0
package/src/compliance-profiles/handlers/set-profile.write.ts +144 -0
package/src/compliance-profiles/handlers/sub-processors.query.ts +43 -0
package/src/compliance-profiles/index.ts +6 -0
package/src/compliance-profiles/resolve-for-tenant.ts +63 -0
package/src/compliance-profiles/schema/profile-selection.ts +52 -0
package/src/compliance-profiles/seeding.ts +96 -0
package/src/config/resolver.ts +1 -1
package/src/data-retention/__tests__/data-retention.integration.ts +49 -0
package/src/data-retention/__tests__/keep-for.test.ts +77 -0
package/src/data-retention/__tests__/override-schema.test.ts +96 -0
package/src/data-retention/__tests__/policy-for.integration.ts +172 -0
package/src/data-retention/__tests__/resolver.test.ts +201 -0
package/src/data-retention/_internal/parse-override.ts +34 -0
package/src/data-retention/feature.ts +57 -0
package/src/data-retention/handlers/policy-for.query.ts +57 -0
package/src/data-retention/index.ts +18 -0
package/src/data-retention/keep-for.ts +75 -0
package/src/data-retention/override-schema.ts +37 -0
package/src/data-retention/presets.ts +72 -0
package/src/data-retention/resolve-for-tenant.ts +50 -0
package/src/data-retention/resolver.ts +107 -0
package/src/data-retention/schema/tenant-retention-override.ts +47 -0
package/src/delivery/feature.ts +1 -1
package/src/delivery/testing.ts +1 -2
package/src/delivery/upsert-preference.ts +1 -1
package/src/feature-toggles/feature.ts +1 -1
package/src/feature-toggles/handlers/list.query.ts +1 -1
package/src/feature-toggles/handlers/registered.query.ts +9 -2
package/src/feature-toggles/handlers/set.write.ts +3 -3
package/src/file-foundation/feature.ts +44 -4
package/src/file-foundation/index.ts +1 -0
package/src/file-provider-inmemory/feature.ts +6 -3
package/src/file-provider-s3/feature.ts +10 -12
package/src/files/README.md +50 -0
package/src/files/__tests__/files.integration.ts +157 -0
package/src/files/feature.ts +34 -0
package/src/files/index.ts +1 -0
package/src/files/schema/file-ref.ts +58 -0
package/src/files-provider-s3/s3-provider.ts +90 -1
package/src/jobs/handlers/list.query.ts +3 -3
package/src/jobs/handlers/trigger.write.ts +1 -1
package/src/legal-pages/constants.ts +1 -0
package/src/legal-pages/web/client-plugin.ts +42 -0
package/src/legal-pages/web/index.ts +4 -0
package/src/mail-foundation/feature.ts +1 -1
package/src/mail-transport-smtp/feature.ts +2 -2
package/src/renderer-simple/simple-renderer.ts +1 -1
package/src/secrets/__tests__/require-secrets-context.test.ts +81 -0
package/src/secrets/feature.ts +10 -6
package/src/secrets/handlers/rotate.job.ts +2 -2
package/src/sessions/constants.ts +4 -0
package/src/sessions/feature.ts +3 -0
package/src/sessions/handlers/cleanup.job.ts +2 -2
package/src/sessions/handlers/revoke-all-for-user.write.ts +42 -0
package/src/step-dispatcher/feature.ts +62 -0
package/src/step-dispatcher/index.ts +16 -0
package/src/step-dispatcher/mail-runner.ts +32 -0
package/src/step-dispatcher/webhook-runner.ts +67 -0
package/src/subscription-mollie/plugin-methods.ts +1 -1
package/src/subscription-mollie/verify-webhook.ts +9 -5
package/src/subscription-stripe/verify-webhook.ts +3 -3
package/src/tenant/handlers/active-tenant-ids.query.ts +1 -1
package/src/tenant/handlers/cancel-invitation.write.ts +1 -1
package/src/tenant/handlers/remove-member.write.ts +1 -1
package/src/tenant/handlers/resolve-user-ids.query.ts +1 -1
package/src/tenant/handlers/update-member-roles.write.ts +3 -3
package/src/text-content/constants.ts +2 -0
package/src/text-content/feature.ts +20 -4
package/src/text-content/handlers/by-tenant.query.ts +56 -0
package/src/text-content/handlers/set.write.ts +1 -1
package/src/text-content/web/client-plugin.ts +113 -0
package/src/text-content/web/index.ts +8 -0
package/src/tier-engine/__tests__/auto-default-tier.integration.ts +118 -0
package/src/tier-engine/feature.ts +23 -13
package/src/user/__tests__/user-status.test.ts +39 -0
package/src/user/handlers/find-for-auth.query.ts +1 -1
package/src/user/index.ts +11 -1
package/src/user/schema/user.ts +76 -0
package/src/user/seeding.ts +2 -2
package/src/user-data-rights/COMPLIANCE.md +182 -0
package/src/user-data-rights/README.md +109 -0
package/src/user-data-rights/__tests__/audit-log.integration.ts +199 -0
package/src/user-data-rights/__tests__/cross-data-matrix.integration.ts +349 -0
package/src/user-data-rights/__tests__/download.integration.ts +565 -0
package/src/user-data-rights/__tests__/export-job-idempotency.integration.ts +244 -0
package/src/user-data-rights/__tests__/export-job-schema.test.ts +163 -0
package/src/user-data-rights/__tests__/policy-to-strategy.test.ts +30 -0
package/src/user-data-rights/__tests__/request-cancel-deletion.integration.ts +370 -0
package/src/user-data-rights/__tests__/request-deletion-callback.integration.ts +179 -0
package/src/user-data-rights/__tests__/request-export.integration.ts +269 -0
package/src/user-data-rights/__tests__/restriction-flow.integration.ts +309 -0
package/src/user-data-rights/__tests__/run-export-jobs.integration.ts +1124 -0
package/src/user-data-rights/__tests__/run-forget-cleanup.integration.ts +703 -0
package/src/user-data-rights/__tests__/run-user-export.integration.ts +291 -0
package/src/user-data-rights/__tests__/token-helpers.test.ts +63 -0
package/src/user-data-rights/__tests__/user-data-rights.integration.ts +57 -0
package/src/user-data-rights/__tests__/zip-path.test.ts +119 -0
package/src/user-data-rights/audit-download.ts +125 -0
package/src/user-data-rights/feature.ts +310 -0
package/src/user-data-rights/handlers/cancel-deletion.write.ts +84 -0
package/src/user-data-rights/handlers/download-by-job.query.ts +206 -0
package/src/user-data-rights/handlers/download-by-token.query.ts +255 -0
package/src/user-data-rights/handlers/export-status.query.ts +76 -0
package/src/user-data-rights/handlers/lift-restriction.write.ts +68 -0
package/src/user-data-rights/handlers/list-download-attempts.query.ts +53 -0
package/src/user-data-rights/handlers/my-audit-log.query.ts +63 -0
package/src/user-data-rights/handlers/request-deletion.write.ts +123 -0
package/src/user-data-rights/handlers/request-export.write.ts +155 -0
package/src/user-data-rights/handlers/restrict-account.write.ts +81 -0
package/src/user-data-rights/handlers/run-forget-cleanup.write.ts +61 -0
package/src/user-data-rights/i18n.ts +37 -0
package/src/user-data-rights/index.ts +19 -0
package/src/user-data-rights/run-export-jobs.ts +878 -0
package/src/user-data-rights/run-forget-cleanup.ts +333 -0
package/src/user-data-rights/run-user-export.ts +211 -0
package/src/user-data-rights/schema/download-attempt.ts +37 -0
package/src/user-data-rights/schema/download-token.ts +111 -0
package/src/user-data-rights/schema/export-job.ts +166 -0
package/src/user-data-rights/token-helpers.ts +67 -0
package/src/user-data-rights/zip-path.ts +94 -0
package/src/user-data-rights-defaults/__tests__/user-data-rights-defaults.integration.ts +337 -0
package/src/user-data-rights-defaults/feature.ts +40 -0
package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts +109 -0
package/src/user-data-rights-defaults/hooks/user.userdata-hook.ts +91 -0
package/src/user-data-rights-defaults/index.ts +6 -0

package/src/user-data-rights/__tests__/export-job-idempotency.integration.ts ADDED Viewed

@@ -0,0 +1,244 @@
+// ExportJob Partial-UNIQUE-Index Integration-Test (S2.U3 Atom 1b).
+//
+// Pinst die DB-Constraint die Atom-2's request-export-Handler nutzt:
+// `UNIQUE(userId) WHERE status IN ('pending', 'running')`. Pro User
+// kann es maximal EINEN aktiven Job geben — done/failed-Historie ist
+// unbeschraenkt.
+//
+// Plus DB-Roundtrip-Test fuer bigInt-Spalte (bytesWritten >2^31), der
+// in Atom 1a's pure unit-Test absichtlich ausgelassen wurde weil er
+// reale Postgres + Drizzle-customType-Codec-Path braucht.
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { eq, sql } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature } from "../../data-retention";
+import { createUserFeature } from "../../user";
+import { createUserDataRightsFeature } from "../feature";
+import {
+  ACTIVE_JOB_CONSTRAINT,
+  EXPORT_JOB_STATUS,
+  exportJobEntity,
+  exportJobsTable,
+} from "../schema/export-job";
+let stack: TestStack;
+const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+const ALICE_ID = "aaaaaaaa-aaaa-4aaa-8aaa-000000000001";
+const BOB_ID = "aaaaaaaa-aaaa-4aaa-8aaa-000000000002";
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createUserDataRightsFeature(),
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, exportJobEntity);
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await stack.db.delete(exportJobsTable);
+});
+const NOW = () => getTemporal().Now.instant();
+// Drizzle wraps PostgresError mit "Failed query: ..."; die original
+// PG-Message ist im `cause`. Unique-Violation hat sqlstate 23505.
+//
+// Constraint-Name pinnen damit der Test nur unsere Idempotency-
+// Constraint pinst, nicht zufaellig eine andere unique-violation
+// (z.B. UUID-Kollision auf id-PK durch wiederholtes Test-Setup) —
+// silent-Pass durch fremden Constraint waere falsche Bestaetigung.
+async function expectUniqueViolation(
+  promise: Promise<unknown>,
+  expectedConstraint: string,
+): Promise<void> {
+  let caught: unknown;
+  try {
+    await promise;
+  } catch (e) {
+    caught = e;
+  }
+  expect(caught).toBeDefined();
+  const cause = (caught as { cause?: { code?: string; constraint_name?: string } }).cause;
+  expect(cause?.code).toBe("23505");
+  expect(cause?.constraint_name).toBe(expectedConstraint);
+}
+// Re-Export aus dem Schema — Single source of truth, Rename hier
+// braeuche kein Test-Edit.
+const IDEMPOTENCY_CONSTRAINT = ACTIVE_JOB_CONSTRAINT;
+async function insertJob(
+  userId: string,
+  status: string,
+  overrides: { bytesWritten?: number } = {},
+): Promise<string> {
+  const id = crypto.randomUUID();
+  const values: Record<string, unknown> = {
+    id,
+    tenantId: TENANT_SYSTEM,
+    userId,
+    requestedFromTenantId: TENANT_SYSTEM,
+    status,
+    requestedAt: NOW(),
+  };
+  if (overrides.bytesWritten !== undefined) {
+    values["bytesWritten"] = overrides.bytesWritten;
+  }
+  await stack.db.insert(exportJobsTable).values(values);
+  return id;
+}
+describe("ExportJob :: Partial-UNIQUE-Index", () => {
+  test("zwei pending-Jobs fuer denselben User → DB lehnt zweiten ab", async () => {
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    await expectUniqueViolation(
+      insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending),
+      IDEMPOTENCY_CONSTRAINT,
+    );
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+  });
+  test("pending + running fuer denselben User → DB lehnt running ab", async () => {
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    // Zweiter "aktiver" Status (running) ist auch gesperrt — der Index
+    // greift fuer alle Status-Werte im WHERE-Set.
+    await expectUniqueViolation(
+      insertJob(ALICE_ID, EXPORT_JOB_STATUS.Running),
+      IDEMPOTENCY_CONSTRAINT,
+    );
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(1);
+  });
+  test("pending fuer User A + pending fuer User B → beide erlaubt (per-User-scoped)", async () => {
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    await insertJob(BOB_ID, EXPORT_JOB_STATUS.Pending);
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+  test("done + neuer pending fuer denselben User → erlaubt (Done ausserhalb des Index-Filters)", async () => {
+    // Erster Job done (Audit-Historie)
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done);
+    // Zweiter pending-Job fuer denselben User — neue Anfrage nach
+    // erfolgreichem Download
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+  test("failed + neuer pending fuer denselben User → erlaubt (Retry-Pfad)", async () => {
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Failed);
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+  test("zwei done-Jobs fuer denselben User → erlaubt (Audit-Historie)", async () => {
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done);
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done);
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+  test("Lifecycle: pending → running blockt weitere pending-Inserts; nach running → done wieder erlaubt", async () => {
+    // Alice pending insert
+    const aliceJobId = await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    // Worker pickt auf — Status flip
+    await stack.db
+      .update(exportJobsTable)
+      .set({ status: EXPORT_JOB_STATUS.Running })
+      .where(eq(exportJobsTable.id, aliceJobId));
+    // Zweiter pending-Insert fuer Alice → faellt weiter, weil bestehender
+    // Job in running auch im Index-Filter ist.
+    await expectUniqueViolation(
+      insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending),
+      IDEMPOTENCY_CONSTRAINT,
+    );
+    // Aber wenn der running-Job fertig wird (done), darf User wieder pending starten
+    await stack.db
+      .update(exportJobsTable)
+      .set({ status: EXPORT_JOB_STATUS.Done })
+      .where(eq(exportJobsTable.id, aliceJobId));
+    await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Pending);
+    const rows = await stack.db.select().from(exportJobsTable);
+    expect(rows).toHaveLength(2);
+  });
+});
+describe("ExportJob :: bigInt bytesWritten DB-Roundtrip", () => {
+  test("bytesWritten >2^31 schreibt + liest identisch zurueck", async () => {
+    const TWO_GB_PLUS = 3_000_000_000; // ~2.8 GB, weit ueber integer-Cap
+    const id = await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done, {
+      bytesWritten: TWO_GB_PLUS,
+    });
+    const [row] = await stack.db
+      .select({ bytesWritten: exportJobsTable["bytesWritten"] })
+      .from(exportJobsTable)
+      .where(eq(exportJobsTable["id"], id));
+    expect(row?.bytesWritten).toBe(TWO_GB_PLUS);
+  });
+  test("bytesWritten 2^50 (~1 PB) schreibt + liest identisch zurueck", async () => {
+    const ONE_PB_PLUS = 2 ** 50;
+    const id = await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done, {
+      bytesWritten: ONE_PB_PLUS,
+    });
+    const [row] = await stack.db
+      .select({ bytesWritten: exportJobsTable["bytesWritten"] })
+      .from(exportJobsTable)
+      .where(eq(exportJobsTable["id"], id));
+    expect(row?.bytesWritten).toBe(ONE_PB_PLUS);
+  });
+  test("bytesWritten als raw-SQL geprueft → DB-Spalte ist tatsaechlich BIGINT", async () => {
+    const id = await insertJob(ALICE_ID, EXPORT_JOB_STATUS.Done, {
+      bytesWritten: 1,
+    });
+    // information_schema-Lookup pinst den DB-Typ unabhaengig vom JS-
+    // Driver-Mapping — wenn jemand `case "bigInt"` zu `integer` zurueck-
+    // refactored, faellt dieser Test um obwohl die JS-Werte sich
+    // numerisch verhalten.
+    const result = await stack.db.execute(sql`
+      SELECT data_type FROM information_schema.columns
+      WHERE table_name = 'read_export_jobs' AND column_name = 'bytes_written'
+    `);
+    // biome-ignore lint/suspicious/noExplicitAny: drizzle-execute typing
+    const rows = ((result as any).rows ?? result) as Array<{ data_type: string }>;
+    expect(rows[0]?.data_type).toBe("bigint");
+    void id;
+  });
+});

package/src/user-data-rights/__tests__/export-job-schema.test.ts ADDED Viewed

@@ -0,0 +1,163 @@
+// Drift-Guard fuer ExportJob-Schema (S2.U3+U4 Atom 1).
+//
+// Pinst dass:
+//   - EXPORT_JOB_STATUS Constants stabil bleiben (Worker-State-Machine
+//     + UI-Polling lesen die Werte als Magic-Strings, jede Aenderung
+//     ist ein Breaking-Change).
+//   - Export-Konstanten haben sinnvolle Werte (TTL > 0, Stale-Timeout
+//     > 0, Cleanup-Grace > 0).
+//   - exportJobEntity hat alle Felder die Worker + Handler erwarten —
+//     wenn jemand `expiresAt` umbenennt, faellt dieser Test um statt
+//     der Worker erst in Production.
+//
+// Schema-Snapshot, kein Behavior-Test. Behavior-Tests kommen mit Atom 2
+// (request-export.write.ts) + Atom 3 (Worker).
+import { COMPLIANCE_PROFILES } from "@cosmicdrift/kumiko-framework/compliance";
+import { describe, expect, test } from "vitest";
+import { EXPORT_JOB_STATUS, exportJobEntity } from "../schema/export-job";
+describe("EXPORT_JOB_STATUS Drift-Guard", () => {
+  test("hat genau 4 Werte (pending/running/done/failed)", () => {
+    const values = Object.values(EXPORT_JOB_STATUS);
+    expect(values).toHaveLength(4);
+    expect(values).toContain("pending");
+    expect(values).toContain("running");
+    expect(values).toContain("done");
+    expect(values).toContain("failed");
+  });
+  test("Status-Strings sind lowercase + nur a-z (Convention-Check, keine Sortier-Aussage)", () => {
+    // Test-Name ist bewusst praezise: wir checken Format, NICHT
+    // alphabetische Sortierung — die State-Machine kuemmert sich nicht
+    // um Sort-Order, ein Re-Order der Konstanten waere kein Bug.
+    for (const value of Object.values(EXPORT_JOB_STATUS)) {
+      expect(value).toBe(value.toLowerCase());
+      expect(value).toMatch(/^[a-z]+$/);
+    }
+  });
+});
+describe("Export-Konfig in compliance-profiles", () => {
+  // Atom 1c: TTL-Konstanten wandern aus user-data-rights/constants.ts
+  // ins compliance-profile.userRights — pro Profile konfigurierbar +
+  // per-Tenant-Override. Tests pinnen dass die Defaults pro Profile
+  // sinnvoll sind.
+  for (const profileKey of [
+    "eu-dsgvo",
+    "swiss-dsg",
+    "de-hr-dsgvo-hgb",
+    "minimal-no-region",
+  ] as const) {
+    test(`${profileKey}: exportDownloadTtl gesetzt + > 0`, () => {
+      const profile = COMPLIANCE_PROFILES[profileKey];
+      const ttl = profile.userRights.exportDownloadTtl;
+      expect(ttl).toBeDefined();
+      // DurationSpec hat entweder days oder hours.
+      const hasDuration = ("days" in ttl && ttl.days > 0) || ("hours" in ttl && ttl.hours > 0);
+      expect(hasDuration).toBe(true);
+    });
+    test(`${profileKey}: exportStaleTimeoutMinutes > 0`, () => {
+      expect(COMPLIANCE_PROFILES[profileKey].userRights.exportStaleTimeoutMinutes).toBeGreaterThan(
+        0,
+      );
+    });
+    test(`${profileKey}: exportStorageCleanupGraceHours > 0`, () => {
+      expect(
+        COMPLIANCE_PROFILES[profileKey].userRights.exportStorageCleanupGraceHours,
+      ).toBeGreaterThan(0);
+    });
+  }
+  test("eu-dsgvo Default-TTL ist 7 Tage (sanity-Pin)", () => {
+    expect(COMPLIANCE_PROFILES["eu-dsgvo"].userRights.exportDownloadTtl).toEqual({
+      days: 7,
+    });
+  });
+  test("Download-TTL <= 30d in jedem Profile (DSGVO-Auskunftsfrist als sanity-cap)", () => {
+    // Auskunftsfrist ist 30d — Download laenger zu halten als die
+    // Antwort-Pflicht macht keinen Sinn.
+    for (const profileKey of [
+      "eu-dsgvo",
+      "swiss-dsg",
+      "de-hr-dsgvo-hgb",
+      "minimal-no-region",
+    ] as const) {
+      const ttl = COMPLIANCE_PROFILES[profileKey].userRights.exportDownloadTtl;
+      const days = "days" in ttl ? ttl.days : Math.ceil(ttl.hours / 24);
+      expect(days).toBeLessThanOrEqual(30);
+    }
+  });
+});
+describe("exportJobEntity Schema-Shape", () => {
+  test("hat alle Worker-relevanten Felder", () => {
+    const fieldNames = Object.keys(exportJobEntity.fields);
+    expect(fieldNames).toEqual(
+      expect.arrayContaining([
+        "userId",
+        "requestedFromTenantId",
+        "status",
+        "requestedAt",
+        "startedAt",
+        "completedAt",
+        "downloadStorageKey",
+        "expiresAt",
+        "errorMessage",
+        "bytesWritten",
+      ]),
+    );
+  });
+  test("Tabellen-Name ist read_export_jobs (snake_case-Convention)", () => {
+    expect(exportJobEntity.table).toBe("read_export_jobs");
+  });
+  test("status-Default ist pending (neue Job-Rows starten dort)", () => {
+    const statusField = exportJobEntity.fields["status"];
+    expect(statusField).toBeDefined();
+    if (statusField && "default" in statusField) {
+      expect(statusField.default).toBe(EXPORT_JOB_STATUS.Pending);
+    }
+  });
+  test("status-Optionen matchen die EXPORT_JOB_STATUS-Constants", () => {
+    const statusField = exportJobEntity.fields["status"];
+    if (statusField && "options" in statusField) {
+      const options = (statusField as { options: readonly string[] }).options;
+      expect([...options].sort()).toEqual(Object.values(EXPORT_JOB_STATUS).slice().sort());
+    }
+  });
+  test("bytesWritten ist bigInt-Field (NICHT number) — pinst Atom-1b-Migration", () => {
+    // Drift-Guard: wenn jemand zurueck auf createNumberField refactored,
+    // faellt der DB-Roundtrip-Test um (gut), aber das dauert >1s. Hier
+    // <1s + klare Fehlermeldung was das Problem ist.
+    expect(exportJobEntity.fields.bytesWritten.type).toBe("bigInt");
+  });
+  test("userId + requestedFromTenantId + status + requestedAt sind required", () => {
+    expect(exportJobEntity.fields["userId"]?.required).toBe(true);
+    // requestedFromTenantId ist load-bearing: Atom 3b's Worker liest es
+    // fuer Profile-Resolution. Ohne required wuerde ein Insert ohne
+    // Wert silent NULL setzen + der Worker crashed bei queryAs(systemUserOf(null), ...).
+    expect(exportJobEntity.fields["requestedFromTenantId"]?.required).toBe(true);
+    expect(exportJobEntity.fields["status"]?.required).toBe(true);
+    expect(exportJobEntity.fields["requestedAt"]?.required).toBe(true);
+  });
+  test("Lifecycle-Felder sind nullable (startedAt/completedAt/expiresAt/errorMessage/bytesWritten/downloadStorageKey)", () => {
+    // Diese Felder werden vom Worker gesetzt, sind beim Insert null.
+    // required ist undefined oder false — beides bedeutet nullable.
+    expect(exportJobEntity.fields.startedAt.required).not.toBe(true);
+    expect(exportJobEntity.fields.completedAt.required).not.toBe(true);
+    expect(exportJobEntity.fields.expiresAt.required).not.toBe(true);
+    expect(exportJobEntity.fields.errorMessage.required).not.toBe(true);
+    expect(exportJobEntity.fields.bytesWritten.required).not.toBe(true);
+    expect(exportJobEntity.fields.downloadStorageKey.required).not.toBe(true);
+  });
+});

package/src/user-data-rights/__tests__/policy-to-strategy.test.ts ADDED Viewed

@@ -0,0 +1,30 @@
+// Unit-Test fuer policyToStrategy — die Mapping-Tafel zwischen
+// retention-strategy und user-data-rights-Forget-Strategy. Load-bearing
+// weil es entscheidet ob Daten physisch geloescht oder anonymisiert
+// werden. Memory `feedback_no_fake_tests`: das Mapping IST die Logik,
+// nicht ein Detail.
+import { describe, expect, test } from "vitest";
+import { policyToStrategy } from "../run-forget-cleanup";
+describe("policyToStrategy", () => {
+  test("hardDelete → delete (Default-Pfad: Row physisch entfernen)", () => {
+    expect(policyToStrategy("hardDelete")).toBe("delete");
+  });
+  test("softDelete → delete (Row markieren via softDelete-Mechanik des Frameworks)", () => {
+    expect(policyToStrategy("softDelete")).toBe("delete");
+  });
+  test("anonymize → anonymize (Row bleibt, PII raus)", () => {
+    expect(policyToStrategy("anonymize")).toBe("anonymize");
+  });
+  test("blockDelete → anonymize (Aufbewahrungs-Pflicht respektieren, Row bleibt physisch)", () => {
+    expect(policyToStrategy("blockDelete")).toBe("anonymize");
+  });
+  test("null (keine Policy konfiguriert) → delete (Default = Row weg)", () => {
+    expect(policyToStrategy(null)).toBe("delete");
+  });
+});