@cosmicdrift/kumiko-bundled-features 0.2.2 → 0.3.0

package/src/cap-counter/constants.ts

@@ -12,7 +12,7 @@ export const CAP_COUNTER_ROLLING_AGGREGATE_TYPE = "cap-counter-rolling" as const
 // Custom event-type für Rolling-Window-Counter. Symmetrisches Paar:
 //   _SHORT  — passt zu `r.defineEvent(short, schema)` im Registrar
 //             (Framework prefixt automatisch zu QN)
-//   _QN     — qualifizierte Form für `ctx.appendEventUnsafe({type})`
+//   _QN     — qualifizierte Form für `ctx.unsafeAppendEvent({type})`
 //             + `events.type`-Spalte + `registry.getEvent(qn)`-Lookup
 // Beide MÜSSEN konsistent sein (drift-pin im feature-test).
 export const ROLLING_INCREMENTED_EVENT_SHORT = "rolling-incremented" as const;

package/src/cap-counter/enforce-cap.ts

@@ -118,7 +118,7 @@ export async function enforceCap(
     .limit(1);
 
   const row = rows[0];
-  const value = row ? (row["value"] as number) : 0;
+  const value = row ? (row["value"] as number) : 0; // @cast-boundary db-row
 
   if (value >= hardThreshold) {
     throw new CapExceededError(options.capName, options.limit, value, tolerance);

package/src/cap-counter/feature.ts

@@ -46,11 +46,7 @@
 // config, kein secrets, kein tenant-feature nötig. Tenant-Scoping kommt
 // vom Framework-Default (Base-Column tenantId).
 
-import {
-  defineEntityListHandler,
-  defineFeature,
-  type FeatureDefinition,
-} from "@cosmicdrift/kumiko-framework/engine";
+import { defineEntityListHandler, defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 import { CAP_COUNTER_FEATURE, ROLLING_INCREMENTED_EVENT_SHORT } from "./constants";
 import { capCounterEntity } from "./entity";
 import { getCounterQuery } from "./handlers/get-counter.query";
@@ -63,11 +59,11 @@ import { markSoftWarnedHandler } from "./handlers/mark-soft-warned.write";
 
 const sysadminAccess = { access: { roles: ["SystemAdmin"] } } as const;
 
-export const capCounterFeature: FeatureDefinition = defineFeature(CAP_COUNTER_FEATURE, (r) => {
+export const capCounterFeature = defineFeature(CAP_COUNTER_FEATURE, (r) => {
   r.entity("cap-counter", capCounterEntity);
 
   // Custom Domain-Event für Rolling-Counter. r.defineEvent registriert
-  // das Schema beim Registry; ctx.appendEventUnsafe im Handler nutzt
+  // das Schema beim Registry; ctx.unsafeAppendEvent im Handler nutzt
   // dasselbe Schema für Append-Time-Validation. QN nach Prefixing:
   // "cap-counter:event:rolling-incremented" (siehe
   // ROLLING_INCREMENTED_EVENT_QN).

package/src/cap-counter/handlers/get-counter.query.ts

@@ -22,7 +22,7 @@ export const getCounterQuery: QueryHandlerDef = {
   schema: getCounterSchema,
   access: { roles: ["TenantAdmin", "SystemAdmin"] },
   handler: async (query, ctx) => {
-    const { capName, periodStartIso } = query.payload as z.infer<typeof getCounterSchema>;
+    const { capName, periodStartIso } = query.payload as z.infer<typeof getCounterSchema>; // @cast-boundary engine-payload
 
     // ctx.db is tenant-scoped; filter by capName + periodStart explicitly.
     const rows = await ctx.db

package/src/cap-counter/handlers/increment-rolling.write.ts

@@ -60,11 +60,11 @@ export const incrementRollingCapHandler: WriteHandlerDef = {
     const payload = event.payload as IncrementRollingPayload;
     const aggregateId = rollingCapAggregateId(event.user.tenantId, payload.capName);
 
-    // appendEventUnsafe — bundled-features-Pfad (apps mit yarn kumiko
+    // unsafeAppendEvent — bundled-features-Pfad (apps mit yarn kumiko
     // codegen kriegen den strict-typed appendEvent-Wrapper). Schema-
     // Validation läuft trotzdem, weil r.defineEvent das Schema
     // registriert hat.
-    await ctx.appendEventUnsafe({
+    await ctx.unsafeAppendEvent({
       aggregateId,
       aggregateType: CAP_COUNTER_ROLLING_AGGREGATE_TYPE,
       type: ROLLING_INCREMENTED_EVENT_QN,

package/src/cap-counter/handlers/increment.write.ts

@@ -46,7 +46,7 @@ export const incrementCapHandler: WriteHandlerDef = {
   // which subsystem incremented.
   access: { roles: ["SystemAdmin"] },
   handler: async (event, ctx) => {
-    const payload = event.payload as IncrementPayload;
+    const payload = event.payload as IncrementPayload; // @cast-boundary engine-payload
     const aggregateId = capCounterAggregateId(
       event.user.tenantId,
       payload.capName,
@@ -77,8 +77,8 @@ export const incrementCapHandler: WriteHandlerDef = {
       // clearer than a possibly-null deref later.
       throw new Error("cap-counter:increment: row vanished between length-check and read");
     }
-    const currentValue = currentRow["value"] as number;
-    const currentVersion = currentRow["version"] as number;
+    const currentValue = currentRow["value"] as number; // @cast-boundary db-row
+    const currentVersion = currentRow["version"] as number; // @cast-boundary db-row
     return executor.update(
       {
         id: aggregateId,

package/src/cap-counter/handlers/mark-soft-warned.write.ts

@@ -25,7 +25,7 @@ export const markSoftWarnedHandler: WriteHandlerDef = {
   schema: markSoftWarnedSchema,
   access: { roles: ["SystemAdmin"] },
   handler: async (event, ctx) => {
-    const payload = event.payload as z.infer<typeof markSoftWarnedSchema>;
+    const payload = event.payload as z.infer<typeof markSoftWarnedSchema>; // @cast-boundary engine-payload
     const aggregateId = capCounterAggregateId(
       event.user.tenantId,
       payload.capName,
@@ -42,7 +42,7 @@ export const markSoftWarnedHandler: WriteHandlerDef = {
     if (!row) {
       throw new Error("cap-counter:mark-soft-warned: row vanished between length-check and read");
     }
-    const currentVersion = row["version"] as number;
+    const currentVersion = row["version"] as number; // @cast-boundary db-row
 
     return executor.update(
       {

package/src/channel-email/email-channel.ts

@@ -34,7 +34,7 @@ export function createEmailChannel(options: EmailChannelOptions): DeliveryChanne
         template: message.notificationType,
         variables,
       });
-      const subject = (variables["subject"] as string) ?? message.title;
+      const subject = (variables["subject"] as string) ?? message.title; // @cast-boundary dynamic-key
 
       await transport.send({
         to: address,

package/src/channel-email/types.ts

@@ -20,7 +20,7 @@ export function createInMemoryTransport(): EmailTransport & {
   const sent: EmailMessage[] = [];
   const transport = {
     sent,
-    failNext: null as null | { message: string },
+    failNext: null as null | { message: string }, // @cast-boundary generic-record
     async send(message: EmailMessage) {
       if (transport.failNext) {
         const err = new Error(transport.failNext.message);

package/src/compliance-profiles/README.md

@@ -0,0 +1,88 @@
+# compliance-profiles
+
+Tenant-weite DSGVO/Compliance-Profile-Wahl. Pflicht beim Tenant-Onboarding —
+Profile bündelt User-Rights-Grace, Notification-Sprachen, Breach-
+Disclosure, Audit-Retention und Sub-Processor-Anforderungen in eine
+Auswahl.
+
+**Status:** Sprint 1 (S1.1 + S1.3). Sub-Processor-Endpoint (S1.4) und
+Onboarding-Banner-API (S1.5) folgen in derselben Sprint-Iteration.
+
+## MVP-Set: 3 Profile
+
+- **`eu-dsgvo`** — Foundation-Profile, DSGVO Standard, BlnBDI Berlin
+- **`swiss-dsg`** — extends `eu-dsgvo` mit DE/FR/IT/EN-Sprachen + EDÖB
+- **`de-hr-dsgvo-hgb`** — extends `eu-dsgvo` mit HR-Spezifika (HGB
+  10y-Audit-Retention, Betriebsrat-Notification, 60d-Tenant-Destroy)
+
+Plus `minimal-no-region` als Default-Fallback (NICHT auswählbar) bis
+Tenant-Admin eine Wahl trifft.
+
+Erweiterungen wie `uk-gdpr`, `ca-pipeda`, `ca-quebec-l25`, `us-ccpa`,
+`hipaa-healthcare` kommen on-demand wenn Customer fragt — der
+`extends`-Mechanismus macht sie zu 30-Zeilen-Adds.
+
+## API
+
+### Queries
+
+- `compliance-profiles:query:list-profiles` — `openToAll`. Liefert die
+  3 wählbaren Profile mit Region + Aufsicht + Sprachen, für Onboarding-UI.
+- `compliance-profiles:query:for-tenant` — `openToAll`. Liefert das
+  effektive Profile für den aktuellen Tenant inkl. Override (deep-merge).
+  Wenn kein Profile gesetzt: `minimal-no-region` + `warning="no-profile-selected"`.
+
+### Writes
+
+- `compliance-profiles:write:set-profile` — `roles=[TenantAdmin]`.
+  Upsert: setzt `profileKey` (+ optional `override`-JSON) für den
+  aktuellen Tenant. Idempotent, zweiter Call updated.
+
+### Cross-Feature (`r.exposesApi`)
+
+- `compliance.forTenant` — Marker. Andere Features (Sprint 2
+  `user-data-rights`, Sprint 5 `tenant-lifecycle`) rufen den Resolver via
+  QN-Pattern (`app.fetch("/api/query")` mit `type=compliance-profiles:query:for-tenant`).
+  Boot-Validator checkt dass jeder `r.usesApi("compliance.forTenant")`-
+  Caller das Feature in `requires/optionalRequires` hat.
+
+## Override-Semantik
+
+`override` wird als JSON-String gespeichert und beim Resolver
+deep-merged auf das gewählte Profile. Atomic-Paths (gracePeriod /
+auskunftFrist / retention / authorityNotificationDeadline /
+tenantDestroyGracePeriod) ersetzen komplett statt rekursiv zu mergen,
+weil sie diskriminierte Union-Objects sind (`{ months } | { years }` vs
+`{ days } | { hours }`).
+
+```typescript
+// Tenant-Admin override:
+{
+  "userRights": { "gracePeriod": { "days": 60 } }
+}
+// Effekt auf eu-dsgvo:
+//   userRights.gracePeriod = { days: 60 }     (overridden)
+//   userRights.restrictionAllowed = true       (geerbt)
+//   userRights.portabilityFormat = ["json"]    (geerbt)
+//   ...alle anderen userRights-Felder unverändert
+```
+
+## Architektur-Note
+
+Profile-Selection lebt als **separate Entity** (`tenantComplianceProfileEntity`)
+im compliance-profiles-Feature, nicht als config-key im tenant-Feature.
+Begründung in `schema/profile-selection.ts` — kurz: Override ist
+strukturiertes JSON, Profile-Wechsel ist audit-relevant (Event-Store
+liefert das automatisch für Entity-Writes), Plan-Files nennen sie
+explizit als eigene Entity.
+
+## Tests
+
+`__tests__/compliance-profiles.integration.ts` — 9 full-stack Tests via
+`setupTestStack` + echte HTTP-Calls (Memory: `feedback_no_fake_dispatcher`):
+list-profiles, for-tenant ohne/mit Setting, set-profile als TenantAdmin /
+Member (403) / mit Override / mit invalidem JSON / mit Array statt Object /
+idempotent-Update.
+
+Plus Unit-Tests für Profile-Constants + Override-Resolver in
+`framework/src/compliance/__tests__/profiles.test.ts` (16 Tests).

package/src/compliance-profiles/__tests__/compliance-profiles.integration.ts

@@ -0,0 +1,308 @@
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createComplianceProfilesFeature, tenantComplianceProfileEntity } from "../feature";
+
+const SET_PROFILE = "compliance-profiles:write:set-profile";
+const FOR_TENANT = "compliance-profiles:query:for-tenant";
+const LIST_PROFILES = "compliance-profiles:query:list-profiles";
+const SUB_PROCESSORS = "compliance-profiles:query:sub-processors";
+const NEEDS_PROFILE = "compliance-profiles:query:needs-profile";
+
+// S1.8 N5: Isolierten Tenant-Admin pro Test bauen — verhindert
+// Cross-Test-Interferenz uber gemeinsamen Default-tenantId aus
+// TestUsers.admin. Eindeutige numerische ID + parallele tenantId.
+function createIsolatedTenantAdmin(n: number, roles: string[] = ["TenantAdmin"]) {
+  return createTestUser({ id: n, tenantId: testTenantId(n), roles });
+}
+
+let stack: TestStack;
+let db: DbConnection;
+
+const tenantAdmin = createTestUser({ id: 2, roles: ["TenantAdmin"] });
+const normalUser = createTestUser({ id: 3, roles: ["Member"] });
+
+const feature = createComplianceProfilesFeature();
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [feature] });
+  db = stack.db;
+  await unsafeCreateEntityTable(db, tenantComplianceProfileEntity);
+  await createEventsTable(db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+describe("compliance-profiles :: list-profiles", () => {
+  test("liefert die 3 wählbaren Profile mit Region + Sprachen", async () => {
+    const result = await stack.http.queryOk<{
+      profiles: Array<{ key: string; region: string; languages: string[] }>;
+    }>(LIST_PROFILES, {}, tenantAdmin);
+    expect(result.profiles).toHaveLength(3);
+    const keys = result.profiles.map((p) => p.key);
+    expect(keys).toEqual(["eu-dsgvo", "swiss-dsg", "de-hr-dsgvo-hgb"]);
+    const swiss = result.profiles.find((p) => p.key === "swiss-dsg");
+    expect(swiss?.region).toBe("CH");
+    expect(swiss?.languages).toContain("fr");
+  });
+
+  test("minimal-no-region ist NICHT in der Liste (kein Production-Default)", async () => {
+    const result = await stack.http.queryOk<{ profiles: Array<{ key: string }> }>(
+      LIST_PROFILES,
+      {},
+      tenantAdmin,
+    );
+    expect(result.profiles.find((p) => p.key === "minimal-no-region")).toBeUndefined();
+  });
+});
+
+describe("compliance-profiles :: for-tenant", () => {
+  test("ohne Setting → minimal-no-region + warning=no-profile-selected", async () => {
+    const result = await stack.http.queryOk<{
+      profile: { key: string };
+      warning?: string;
+    }>(FOR_TENANT, {}, normalUser);
+    expect(result.profile.key).toBe("minimal-no-region");
+    expect(result.warning).toBe("no-profile-selected");
+  });
+});
+
+describe("compliance-profiles :: set-profile", () => {
+  test("TenantAdmin kann Profile auf eu-dsgvo setzen", async () => {
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, tenantAdmin);
+
+    const result = await stack.http.queryOk<{
+      profile: { key: string; region: string; breach: { authorityContact: string } };
+      warning?: string;
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.key).toBe("eu-dsgvo");
+    expect(result.profile.region).toBe("EU");
+    expect(result.profile.breach.authorityContact).toBe("BlnBDI Berlin");
+    expect(result.warning).toBeUndefined();
+  });
+
+  test("set-profile ist idempotent — zweiter Call wechselt Profile", async () => {
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, tenantAdmin);
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "swiss-dsg" }, tenantAdmin);
+
+    const result = await stack.http.queryOk<{
+      profile: { key: string; region: string; breach: { authorityContact: string } };
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.key).toBe("swiss-dsg");
+    expect(result.profile.breach.authorityContact).toBe("EDÖB Bern");
+  });
+
+  test("set-profile mit Override merged auf base-profile", async () => {
+    await stack.http.writeOk(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({
+          userRights: { gracePeriod: { days: 60 } },
+        }),
+      },
+      tenantAdmin,
+    );
+
+    const result = await stack.http.queryOk<{
+      profile: { userRights: { gracePeriod: { days: number }; portabilityFormat: string[] } };
+    }>(FOR_TENANT, {}, tenantAdmin);
+    expect(result.profile.userRights.gracePeriod).toEqual({ days: 60 });
+    // Andere userRights-Felder bleiben aus eu-dsgvo
+    expect(result.profile.userRights.portabilityFormat).toEqual(["json"]);
+  });
+
+  test("Member ohne TenantAdmin-Rolle bekommt 403 beim set-profile", async () => {
+    const result = await stack.http.write(SET_PROFILE, { profileKey: "eu-dsgvo" }, normalUser);
+    expect(result.status).toBe(403);
+  });
+
+  test("set-profile mit invalid JSON-Override wirft Error", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", override: "not-valid-json" },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  test("set-profile mit Array statt Object als Override wirft Error", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", override: JSON.stringify([{ foo: 1 }]) },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.7 X1: Schema engt sich auf SELECTABLE_PROFILE_KEYS
+  test("set-profile mit minimal-no-region wird abgelehnt (X1)", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "minimal-no-region" },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.7 X2: Override mit unbekannten Top-Level-Keys
+  test("set-profile mit unbekanntem Top-Level-Override-Key wirft Error (X2)", async () => {
+    const result = await stack.http.write(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({ userrights: { gracePeriod: { days: 60 } } }), // typo lowercase
+      },
+      tenantAdmin,
+    );
+    expect(result.status).toBeGreaterThanOrEqual(400);
+  });
+
+  // S1.9 Z3 + S1.10 M3: Override-Sub-Level-Tippfehler (Schema-Strict)
+  // mit path-spezifischer Assertion via ValidationError.details.fields.
+  test("set-profile mit Sub-Level-Tippfehler liefert validation_error mit Path (Z3+M3)", async () => {
+    const err = await stack.http.writeErr(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({ userRights: { weeks: 3 } }), // weeks gibt's nicht
+      },
+      tenantAdmin,
+    );
+    expect(err.code).toBe("validation_error");
+    expect(err.httpStatus).toBe(400);
+    const fields = (err.details as { fields: Array<{ path: string }> })?.fields;
+    expect(fields).toBeDefined();
+    // Schema-strict wirft auf "userRights.weeks" als unrecognized_keys — ODER
+    // generelle "userRights" wenn Zod das so reportet. Beide Pfade decken den
+    // Bug ab.
+    expect(fields?.some((f) => f.path.includes("userRights"))).toBe(true);
+  });
+
+  test("set-profile mit invalid retention-shape liefert validation_error mit Path (Z3+M3)", async () => {
+    const err = await stack.http.writeErr(
+      SET_PROFILE,
+      {
+        profileKey: "eu-dsgvo",
+        override: JSON.stringify({
+          userRights: { gracePeriod: { days: 30, hours: 24 } }, // strict-disjunction
+        }),
+      },
+      tenantAdmin,
+    );
+    expect(err.code).toBe("validation_error");
+    const fields = (err.details as { fields: Array<{ path: string }> })?.fields;
+    expect(fields?.some((f) => f.path.includes("gracePeriod"))).toBe(true);
+  });
+
+  // S1.7 F2: SystemAdmin kann Profile setzen
+  test("SystemAdmin kann Profile setzen (Plattform-Operator-Pfad)", async () => {
+    const sysAdmin = createIsolatedTenantAdmin(50, ["SystemAdmin"]);
+    const result = await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, sysAdmin);
+    expect(result).toMatchObject({ profileKey: "eu-dsgvo", isNew: true });
+  });
+
+  // S1.7 F3: tenantIdOverride als SystemAdmin → für Customer-Tenant
+  test("SystemAdmin kann mit tenantIdOverride für anderen Tenant Profile setzen (F3)", async () => {
+    const sysAdmin = createIsolatedTenantAdmin(51, ["SystemAdmin"]);
+    const targetTenantAdmin = createIsolatedTenantAdmin(52);
+
+    await stack.http.writeOk(
+      SET_PROFILE,
+      { profileKey: "swiss-dsg", tenantIdOverride: targetTenantAdmin.tenantId },
+      sysAdmin,
+    );
+
+    const result = await stack.http.queryOk<{ profile: { key: string; region: string } }>(
+      FOR_TENANT,
+      {},
+      targetTenantAdmin,
+    );
+    expect(result.profile.key).toBe("swiss-dsg");
+    expect(result.profile.region).toBe("CH");
+  });
+
+  // S1.7 F3: tenantIdOverride als TenantAdmin → 403
+  test("TenantAdmin mit tenantIdOverride bekommt 403 (F3)", async () => {
+    const someTenantAdmin = createIsolatedTenantAdmin(53);
+    const result = await stack.http.write(
+      SET_PROFILE,
+      { profileKey: "eu-dsgvo", tenantIdOverride: testTenantId(54) },
+      someTenantAdmin,
+    );
+    expect(result.status).toBe(403);
+  });
+});
+
+describe("compliance-profiles :: sub-processors (S1.4)", () => {
+  test("liefert active + planned Sub-Processors mit Pflicht-Feldern", async () => {
+    const result = await stack.http.queryOk<{
+      active: Array<{ name: string; region: string; dpa: string; sccRequired?: boolean }>;
+      planned: Array<{ name: string; status: string }>;
+      total: number;
+      generatedAt: string;
+    }>(SUB_PROCESSORS, {}, normalUser);
+
+    expect(result.active.length).toBeGreaterThan(0);
+    const hetzner = result.active.find((s) => s.name.includes("Hetzner"));
+    expect(hetzner).toBeDefined();
+    expect(hetzner?.dpa).toMatch(/^https:\/\//);
+    expect(hetzner?.region).toContain("Germany");
+
+    const cloudflare = result.active.find((s) => s.name.includes("Cloudflare"));
+    expect(cloudflare?.sccRequired).toBe(true);
+
+    expect(result.planned.length).toBeGreaterThan(0);
+    expect(result.planned.every((p) => p.status === "planned")).toBe(true);
+
+    expect(result.total).toBe(result.active.length + result.planned.length);
+    expect(result.generatedAt).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+});
+
+describe("compliance-profiles :: needs-profile (S1.5 — Onboarding-Banner)", () => {
+  test("Tenant ohne Profile-Wahl → needsSelection=true, reason=no_profile_selected", async () => {
+    // Frischer Tenant-Admin (eigener Tenant ID damit kein Profile gesetzt
+    // ist — sonst sieht er den Eintrag aus den vorherigen set-profile-Tests).
+    const freshTenantAdmin = createIsolatedTenantAdmin(99);
+    const result = await stack.http.queryOk<{
+      needsSelection: boolean;
+      currentProfile: string | null;
+      reason?: string;
+    }>(NEEDS_PROFILE, {}, freshTenantAdmin);
+    expect(result.needsSelection).toBe(true);
+    expect(result.currentProfile).toBeNull();
+    expect(result.reason).toBe("no_profile_selected");
+  });
+
+  test("Tenant mit eu-dsgvo-Wahl → needsSelection=false", async () => {
+    const setupAdmin = createIsolatedTenantAdmin(100);
+    await stack.http.writeOk(SET_PROFILE, { profileKey: "eu-dsgvo" }, setupAdmin);
+
+    const result = await stack.http.queryOk<{
+      needsSelection: boolean;
+      currentProfile: string | null;
+    }>(NEEDS_PROFILE, {}, setupAdmin);
+    expect(result.needsSelection).toBe(false);
+    expect(result.currentProfile).toBe("eu-dsgvo");
+  });
+
+  // S1.8 O3: minimal-no-region-Defensiv-Pfad in needs-profile.query.ts
+  // entfernt (toter Code nach S1.7 X1 — Zod blockt minimal-no-region).
+  // Wenn Sprint 2 einen seedComplianceProfile-Helper bringt der den
+  // Migration-Edge-Case einführt, kommt hier ein neuer Test rein.
+
+  test("Member-Rolle bekommt 403 (Banner ist Admin-only)", async () => {
+    const result = await stack.http.query(NEEDS_PROFILE, {}, normalUser);
+    expect(result.status).toBe(403);
+  });
+});

package/src/compliance-profiles/__tests__/seeding.integration.ts

@@ -0,0 +1,93 @@
+// seedComplianceProfile-Helper-Tests (S1.9 Z2).
+//
+// Beweist:
+//   1. Helper umgeht set-profile-Zod-Engung (kann minimal-no-region
+//      setzen für Migration-Edge-Case-Tests in Sprint 2+)
+//   2. Idempotent: zweiter Call mit gleichem tenantId updated den
+//      bestehenden Eintrag
+//   3. Override wird als JSON-String persistiert + via for-tenant
+//      korrekt zurueckgelesen
+
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  setupTestStack,
+  type TestStack,
+  testTenantId,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createComplianceProfilesFeature, tenantComplianceProfileEntity } from "../feature";
+import { seedComplianceProfile } from "../seeding";
+
+const FOR_TENANT = "compliance-profiles:query:for-tenant";
+
+let stack: TestStack;
+
+const feature = createComplianceProfilesFeature();
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [feature] });
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await createEventsTable(stack.db);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+describe("seedComplianceProfile", () => {
+  test("kann eu-dsgvo direkt seeden, for-tenant liefert das Profile", async () => {
+    const tenantId = testTenantId(200);
+    const user = createTestUser({ id: 200, tenantId, roles: ["TenantAdmin"] });
+
+    await seedComplianceProfile(stack.db, { tenantId, profileKey: "eu-dsgvo" });
+
+    const result = await stack.http.queryOk<{ profile: { key: string } }>(FOR_TENANT, {}, user);
+    expect(result.profile.key).toBe("eu-dsgvo");
+  });
+
+  test("idempotent: zweiter Call updated den bestehenden Eintrag", async () => {
+    const tenantId = testTenantId(201);
+    const user = createTestUser({ id: 201, tenantId, roles: ["TenantAdmin"] });
+
+    await seedComplianceProfile(stack.db, { tenantId, profileKey: "eu-dsgvo" });
+    await seedComplianceProfile(stack.db, { tenantId, profileKey: "swiss-dsg" });
+
+    const result = await stack.http.queryOk<{ profile: { key: string } }>(FOR_TENANT, {}, user);
+    expect(result.profile.key).toBe("swiss-dsg");
+  });
+
+  test("kann minimal-no-region direkt seeden (Migration-Edge-Case, ohne set-profile-Zod-Engung)", async () => {
+    const tenantId = testTenantId(202);
+    const user = createTestUser({ id: 202, tenantId, roles: ["TenantAdmin"] });
+
+    // set-profile (Sprint 1.7 X1) wuerde minimal-no-region rejecten —
+    // seedComplianceProfile umgeht das fuer Test-Migration-Szenarien.
+    await seedComplianceProfile(stack.db, {
+      tenantId,
+      profileKey: "minimal-no-region",
+    });
+
+    const result = await stack.http.queryOk<{ profile: { key: string } }>(FOR_TENANT, {}, user);
+    expect(result.profile.key).toBe("minimal-no-region");
+  });
+
+  test("Override wird persistiert + im for-tenant deep-merged zurueckgelesen", async () => {
+    const tenantId = testTenantId(203);
+    const user = createTestUser({ id: 203, tenantId, roles: ["TenantAdmin"] });
+
+    await seedComplianceProfile(stack.db, {
+      tenantId,
+      profileKey: "eu-dsgvo",
+      override: { userRights: { gracePeriod: { days: 90 } } },
+    });
+
+    const result = await stack.http.queryOk<{
+      profile: { userRights: { gracePeriod: { days: number }; portabilityFormat: string[] } };
+    }>(FOR_TENANT, {}, user);
+    expect(result.profile.userRights.gracePeriod).toEqual({ days: 90 });
+    // Andere userRights bleiben aus eu-dsgvo
+    expect(result.profile.userRights.portabilityFormat).toEqual(["json"]);
+  });
+});

package/src/compliance-profiles/feature.ts

@@ -0,0 +1,51 @@
+import { defineFeature, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
+import { forTenantQuery } from "./handlers/for-tenant.query";
+import { listProfilesQuery } from "./handlers/list-profiles.query";
+import { needsProfileQuery } from "./handlers/needs-profile.query";
+import { setProfileWrite } from "./handlers/set-profile.write";
+import { subProcessorsQuery } from "./handlers/sub-processors.query";
+import { tenantComplianceProfileEntity } from "./schema/profile-selection";
+
+export {
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "./schema/profile-selection";
+
+// compliance-profiles — Tenant-weite DSGVO/Compliance-Profile-Wahl.
+//
+// Pflicht beim Tenant-Onboarding (Sprint 1.5 Banner-API). Profile
+// buendelt User-Rights-Grace, Notification-Sprache, Breach-Disclosure,
+// Audit-Retention und Sub-Processor-Anforderungen.
+//
+// Cross-Feature-API: r.exposesApi("compliance.forTenant") — andere
+// Features (user-data-rights in Sprint 2, tenant-lifecycle in Sprint 5)
+// rufen den Profile-Resolver via QN-Pattern (siehe legal-pages →
+// text-content fuer Pattern-Beispiel).
+//
+// Architektur-Note: Profile-Selection lebt als separate Entity
+// (tenantComplianceProfile), nicht als config-key im tenant-Feature.
+// Begruendung in schema/profile-selection.ts.
+export function createComplianceProfilesFeature(): FeatureDefinition {
+  return defineFeature("compliance-profiles", (r) => {
+    // Standalone — kein r.requires noetig: tenantId kommt aus dem User-
+    // Context, Profile-Selection ist eigene Entity, sub-processor-Liste
+    // sind Constants. Wenn S1.4+ Cross-Feature-Reads dazukommen, kommt
+    // r.requires hier rein.
+    r.entity("tenant-compliance-profile", tenantComplianceProfileEntity);
+
+    r.exposesApi("compliance.forTenant");
+
+    const handlers = {
+      setProfile: r.writeHandler(setProfileWrite),
+    };
+
+    const queries = {
+      forTenant: r.queryHandler(forTenantQuery),
+      listProfiles: r.queryHandler(listProfilesQuery),
+      subProcessors: r.queryHandler(subProcessorsQuery),
+      needsProfile: r.queryHandler(needsProfileQuery),
+    };
+
+    return { handlers, queries };
+  });
+}