@cosmicdrift/kumiko-bundled-features 0.2.2 → 0.3.0

package/src/compliance-profiles/handlers/for-tenant.query.ts

@@ -0,0 +1,64 @@
+import {
+  type ComplianceProfileKey,
+  type ComplianceProfileOverride,
+  type EffectiveComplianceProfile,
+  resolveComplianceProfile,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { tenantComplianceProfileTable } from "../schema/profile-selection";
+
+// Liefert das effektive Compliance-Profile fuer den aktuellen Tenant.
+// Macht den exposesApi-Marker aus feature.ts mit echtem Inhalt.
+//
+// Default-Verhalten (Edge-Case-Decision aus S1.1): kein Profile-
+// Eintrag → minimal-no-region + warning="no-profile-selected".
+// Caller (z.B. user-data-rights in Sprint 2) sieht das warning und
+// kann Onboarding-Banner triggern.
+export const forTenantQuery = defineQueryHandler({
+  name: "for-tenant",
+  schema: z.object({}),
+  access: { openToAll: true },
+  handler: async (query, ctx): Promise<EffectiveComplianceProfile> => {
+    const row = (await fetchOne(
+      ctx.db,
+      tenantComplianceProfileTable,
+      eq(tenantComplianceProfileTable["tenantId"], query.user.tenantId),
+    )) as { profileKey: string; override: string | null } | null; // @cast-boundary db-runner
+
+    if (!row) {
+      return resolveComplianceProfile({});
+    }
+
+    const override = parseOverride(row.override, query.user.tenantId);
+    return resolveComplianceProfile({
+      selection: row.profileKey as ComplianceProfileKey, // @cast-boundary engine-payload
+      override,
+    });
+  },
+});
+
+function parseOverride(
+  raw: string | null,
+  tenantId: string,
+): ComplianceProfileOverride | undefined {
+  if (!raw || raw.trim() === "") return undefined;
+  try {
+    const parsed: unknown = JSON.parse(raw);
+    return parsed as ComplianceProfileOverride; // @cast-boundary engine-payload
+  } catch (e: unknown) {
+    const reason = e instanceof Error ? e.message : String(e);
+    // Defensiv: ungültiges JSON wird als "kein Override" behandelt. Der
+    // set-profile-Handler validiert Zod das Override schon — invalides
+    // JSON in der DB ist also nur möglich bei manueller DB-Manipulation
+    // oder Migration-Bug. Resolver-Caller darf trotzdem nicht crashen.
+    // Operator-Sichtbarkeit via console.warn — Telemetry-Hook spaeter.
+    // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
+    console.warn(
+      `[compliance-profiles:for-tenant] tenant ${tenantId}: stored override is not valid JSON, falling back to base profile. Reason: ${reason}`,
+    );
+    return undefined;
+  }
+}

package/src/compliance-profiles/handlers/list-profiles.query.ts

@@ -0,0 +1,44 @@
+import {
+  COMPLIANCE_PROFILES,
+  type ComplianceProfile,
+  type ComplianceProfileKey,
+  SELECTABLE_PROFILE_KEYS,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+
+// Liefert alle waehlbaren Compliance-Profile fuer das Tenant-Onboarding.
+// Pure In-Memory-Read der Constants — keine DB-Abfrage. Kein Caching
+// noetig (modulo Pre-Boot bereits aufgeloest).
+//
+// Filtert minimal-no-region raus — das ist Default-Fallback, nicht
+// auswählbar (Production soll explizite Wahl treffen).
+export const listProfilesQuery = defineQueryHandler({
+  name: "list-profiles",
+  schema: z.object({}),
+  access: { openToAll: true },
+  handler: async (): Promise<{ profiles: readonly ComplianceProfileSummary[] }> => {
+    return {
+      profiles: SELECTABLE_PROFILE_KEYS.map(toSummary),
+    };
+  },
+});
+
+interface ComplianceProfileSummary {
+  readonly key: ComplianceProfileKey;
+  readonly region: string;
+  readonly label: string;
+  readonly authorityContact: string;
+  readonly languages: readonly string[];
+}
+
+function toSummary(key: ComplianceProfileKey): ComplianceProfileSummary {
+  const p: ComplianceProfile = COMPLIANCE_PROFILES[key];
+  return {
+    key: p.key,
+    region: p.region,
+    label: p.label,
+    authorityContact: p.breach.authorityContact,
+    languages: p.notifications.languages,
+  };
+}

package/src/compliance-profiles/handlers/needs-profile.query.ts

@@ -0,0 +1,56 @@
+import { ROLES } from "@cosmicdrift/kumiko-framework/auth";
+import type { ComplianceProfileKey } from "@cosmicdrift/kumiko-framework/compliance";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import { tenantComplianceProfileTable } from "../schema/profile-selection";
+
+// Onboarding-Banner-Trigger fuer Tenant-Admin.
+//
+// Sprint 1.5 — minimaler API-Endpoint, UI-Banner kommt in einem
+// spaeteren UI-Sprint. Reine Read-Query: gibt es einen Eintrag in
+// tenantComplianceProfile fuer den aktuellen Tenant?
+//
+// Wenn nein → Tenant-Admin muss Profile waehlen (Pflicht beim
+// Onboarding). Bis zur Wahl laeuft minimal-no-region mit warning,
+// das in der Tenant-Dashboard-Banner sichtbar gemacht werden soll.
+//
+// Access: TenantAdmin only — der Banner ist nur fuer Tenant-Admins
+// relevant, nicht fuer normale Member.
+export const needsProfileQuery = defineQueryHandler({
+  name: "needs-profile",
+  schema: z.object({}),
+  access: { roles: [ROLES.TenantAdmin] },
+  handler: async (query, ctx): Promise<NeedsProfileResponse> => {
+    const row = (await fetchOne(
+      ctx.db,
+      tenantComplianceProfileTable,
+      eq(tenantComplianceProfileTable["tenantId"], query.user.tenantId),
+    )) as { profileKey: ComplianceProfileKey } | null; // @cast-boundary db-runner
+
+    if (!row) {
+      return {
+        needsSelection: true,
+        currentProfile: null,
+        reason: "no_profile_selected",
+      };
+    }
+
+    // S1.7 X1: minimal-no-region ist via set-profile (Zod) nicht mehr
+    // setzbar. Wenn Sprint 2 einen seedComplianceProfile-Helper liefert
+    // der den Migration-Edge-Case einführt, kommt hier wieder ein
+    // defensiver Pfad rein — bis dahin: jeder existierende Eintrag ist
+    // ein bewusst gewähltes Production-Profile.
+    return {
+      needsSelection: false,
+      currentProfile: row.profileKey,
+    };
+  },
+});
+
+interface NeedsProfileResponse {
+  readonly needsSelection: boolean;
+  readonly currentProfile: ComplianceProfileKey | null;
+  readonly reason?: "no_profile_selected";
+}

package/src/compliance-profiles/handlers/set-profile.write.ts

@@ -0,0 +1,144 @@
+import { ROLES } from "@cosmicdrift/kumiko-framework/auth";
+import {
+  complianceProfileOverrideSchema,
+  SELECTABLE_PROFILE_KEYS,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import { createEventStoreExecutor, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  AccessDeniedError,
+  UnprocessableError,
+  validationErrorFromZod,
+  writeFailure,
+} from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+import {
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "../schema/profile-selection";
+
+const crud = createEventStoreExecutor(tenantComplianceProfileTable, tenantComplianceProfileEntity, {
+  entityName: "tenant-compliance-profile",
+});
+
+// Schema engt sich auf die 3 oeffentlich waehlbaren Profile (Sprint 1.7
+// X1) — minimal-no-region ist Default-Fallback fuer "noch keine Wahl",
+// nicht eine waehlbare Production-Option. Symmetrisch zu
+// SELECTABLE_PROFILE_KEYS aus der framework/compliance-Liste.
+const profileKeySchema = z.enum(SELECTABLE_PROFILE_KEYS);
+
+// Tenant-Admin setzt Profile-Key + optional Override-JSON.
+//
+// Upsert-Verhalten: erste Wahl insert, weitere update. Idempotent —
+// wer mit gleichen Werten zweimal aufruft, kriegt das gleiche Ergebnis
+// (modulo aktualisierte Audit-Events im Event-Store).
+//
+// Cross-Tenant-Pfad: SystemAdmin kann via `tenantIdOverride` fuer einen
+// anderen Tenant schreiben (Plattform-Operator-Setup, Customer-
+// Onboarding-Migrationen). TenantAdmin's Override-Versuch → 403.
+// executorUser.tenantId muss = ziel-tenant sein damit der event-store-
+// Stream-Lookup nicht miss → version_conflict gibt (Memory:
+// feedback_event_store_tenant_consistency).
+//
+// Validation:
+//   - profileKey muss in SELECTABLE_PROFILE_KEYS sein (Zod-checked)
+//   - override (optional) muss valides JSON-Object sein
+//   - override Top-Level-Keys muessen in ALLOWED_OVERRIDE_KEYS sein
+//     — verhindert Tippfehler die deepMerge stillschweigend ignoriert
+export const setProfileWrite = defineWriteHandler({
+  name: "set-profile",
+  schema: z.object({
+    profileKey: profileKeySchema,
+    override: z.string().nullable().optional(),
+    tenantIdOverride: z.string().min(1).optional(),
+  }),
+  // SystemAdmin kann Profile fuer Customer-Setup setzen (Plattform-
+  // Operator-Pfad). TenantAdmin nur fuer eigenen Tenant.
+  access: { roles: [ROLES.TenantAdmin, ROLES.SystemAdmin] },
+  handler: async (event, ctx) => {
+    const tenantOverride = event.payload.tenantIdOverride;
+    if (tenantOverride !== undefined && !event.user.roles.includes(ROLES.SystemAdmin)) {
+      return writeFailure(
+        new AccessDeniedError({
+          i18nKey: "complianceProfiles.errors.tenantOverrideRequiresSystemAdmin",
+          details: { reason: "tenant_override_requires_system_admin" },
+        }),
+      );
+    }
+    const tenantId = (tenantOverride ?? event.user.tenantId) as TenantId; // @cast-boundary engine-payload
+    const executorUser = tenantOverride !== undefined ? { ...event.user, tenantId } : event.user;
+
+    // Override-Validation: muss parseables JSON-Object sein UND dem
+    // ComplianceProfileOverride-Schema entsprechen (S1.9 Z3 — strict-Zod
+    // mit Top-Level + Sub-Level-Whitelist via .strict()). Tippfehler
+    // wie `{ userRights: { weeks: 3 } }` werden hier rejected statt vom
+    // deepMerge silent ins Profile gespliced.
+    //
+    // Errors via writeFailure + Kumiko-Error-Klassen (S1.10 M3) statt
+    // throw — landen so mit Path-Detail im response-body statt als
+    // generic internal_error.
+    if (event.payload.override) {
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(event.payload.override);
+      } catch (e: unknown) {
+        const parseError = e instanceof Error ? e.message : String(e);
+        return writeFailure(
+          new UnprocessableError("compliance_override_invalid_json", {
+            details: {
+              reason: "compliance_override_invalid_json",
+              parseError,
+            },
+          }),
+        );
+      }
+      const validation = complianceProfileOverrideSchema.safeParse(parsed);
+      if (!validation.success) {
+        return writeFailure(validationErrorFromZod(validation.error));
+      }
+    }
+
+    // Upsert: existierenden Eintrag suchen
+    const existing = (await fetchOne(
+      ctx.db,
+      tenantComplianceProfileTable,
+      eq(tenantComplianceProfileTable["tenantId"], tenantId),
+    )) as { id: string; version: number } | null; // @cast-boundary db-runner
+
+    if (existing) {
+      const result = await crud.update(
+        {
+          id: existing.id,
+          version: existing.version,
+          changes: {
+            profileKey: event.payload.profileKey,
+            override: event.payload.override ?? null,
+          },
+        },
+        executorUser,
+        ctx.db,
+      );
+      if (!result.isSuccess) return result;
+      return {
+        isSuccess: true as const,
+        data: { profileKey: event.payload.profileKey, isNew: false },
+      };
+    }
+
+    const result = await crud.create(
+      {
+        profileKey: event.payload.profileKey,
+        override: event.payload.override ?? null,
+        tenantId,
+      },
+      executorUser,
+      ctx.db,
+    );
+    if (!result.isSuccess) return result;
+    return {
+      isSuccess: true as const,
+      data: { profileKey: event.payload.profileKey, isNew: true },
+    };
+  },
+});

package/src/compliance-profiles/handlers/sub-processors.query.ts

@@ -0,0 +1,43 @@
+import {
+  getActiveSubProcessors,
+  getPlannedSubProcessors,
+  KUMIKO_SUB_PROCESSORS,
+  type SubProcessor,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import { defineQueryHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { z } from "zod";
+
+// Public Sub-Processor-Liste — anonymous accessible (Memory:
+// project_anonymous_access). Matched die DSGVO Art. 28(2) Pflicht
+// dass die Liste der Auftragsverarbeiter oeffentlich einsehbar ist
+// (typisch verlinkt aus Datenschutzerklaerung + AVV).
+//
+// Format: JSON mit getrennten active/planned-Sektionen. Tenant-Admins
+// kriegen Notification ueber Aenderungen via Cron-Job (Sprint 1.5+
+// oder S9 compliance-as-product). RSS-Feed kommt in S9.
+//
+// Zwei Auflistungen statt einer flachen Liste:
+//   - `active`: aktuell eingesetzte Sub-Processors
+//   - `planned`: bekannte zukünftige Sub-Processors (Tenant-Admin-
+//     Lead-Time bevor sie aktiv werden — typisch bei AI/Stripe)
+export const subProcessorsQuery = defineQueryHandler({
+  name: "sub-processors",
+  schema: z.object({}),
+  access: { roles: ["anonymous", "Member", "User", "TenantAdmin", "SystemAdmin"] },
+  handler: async (): Promise<SubProcessorListResponse> => {
+    return {
+      active: [...getActiveSubProcessors()],
+      planned: [...getPlannedSubProcessors()],
+      generatedAt: getTemporal().Now.instant().toString(),
+      total: KUMIKO_SUB_PROCESSORS.length,
+    };
+  },
+});
+
+interface SubProcessorListResponse {
+  readonly active: readonly SubProcessor[];
+  readonly planned: readonly SubProcessor[];
+  readonly generatedAt: string;
+  readonly total: number;
+}

package/src/compliance-profiles/index.ts

@@ -0,0 +1,6 @@
+export {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "./feature";
+export { resolveProfileForTenant } from "./resolve-for-tenant";

package/src/compliance-profiles/resolve-for-tenant.ts

@@ -0,0 +1,63 @@
+// Direkter Resolver-Helper fuer Bulk-Iteration ohne dispatcher-Roundtrip.
+//
+// `for-tenant`-Query (handlers/for-tenant.query.ts) ist die Cross-Feature-
+// API fuer Handler-Pfade. Worker (S2.U3 Atom 3b) lebt im JobContext
+// ohne `queryAs` — braucht direkten DB-Lookup + resolveComplianceProfile.
+//
+// Pattern matched data-retention's `resolveRetentionPolicyForTenant`.
+// Beide Pfade nutzen `resolveComplianceProfile` aus framework/compliance,
+// also kein Drift zwischen Query-API und Worker-Pfad.
+
+import {
+  type ComplianceProfileKey,
+  type ComplianceProfileOverride,
+  type EffectiveComplianceProfile,
+  resolveComplianceProfile,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import { type DbRunner, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { eq } from "drizzle-orm";
+import { tenantComplianceProfileTable } from "./schema/profile-selection";
+
+export interface ResolveProfileForTenantArgs {
+  readonly db: DbRunner;
+  readonly tenantId: TenantId;
+}
+
+export async function resolveProfileForTenant(
+  args: ResolveProfileForTenantArgs,
+): Promise<EffectiveComplianceProfile> {
+  const row = (await fetchOne(
+    args.db,
+    tenantComplianceProfileTable,
+    eq(tenantComplianceProfileTable["tenantId"], args.tenantId),
+  )) as { profileKey: string; override: string | null } | null; // @cast-boundary db-runner
+
+  if (!row) {
+    return resolveComplianceProfile({});
+  }
+
+  const override = parseOverride(row.override, args.tenantId);
+  return resolveComplianceProfile({
+    selection: row.profileKey as ComplianceProfileKey, // @cast-boundary engine-payload
+    override,
+  });
+}
+
+function parseOverride(
+  raw: string | null,
+  tenantId: string,
+): ComplianceProfileOverride | undefined {
+  if (!raw || raw.trim() === "") return undefined;
+  try {
+    const parsed: unknown = JSON.parse(raw);
+    return parsed as ComplianceProfileOverride; // @cast-boundary engine-payload
+  } catch (e: unknown) {
+    const reason = e instanceof Error ? e.message : String(e);
+    // biome-ignore lint/suspicious/noConsole: operator visibility for DB-corruption edge-case
+    console.warn(
+      `[compliance-profiles:resolve-for-tenant] tenant ${tenantId}: stored override is not valid JSON, ignoring. Reason: ${reason}`,
+    );
+    return undefined;
+  }
+}

package/src/compliance-profiles/schema/profile-selection.ts

@@ -0,0 +1,52 @@
+import { buildDrizzleTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createLongTextField,
+  createSelectField,
+} from "@cosmicdrift/kumiko-framework/engine";
+
+// Tenant-1-zu-1: Pro Tenant genau eine Profile-Wahl.
+//
+// Architektur-Entscheidung (2026-05-06): Profile-Selection lebt als
+// separate Entity im compliance-profiles-Feature, NICHT als config-key
+// im tenant-Feature. Begruendung:
+//   (a) override ist strukturiertes JSON, config-key-Pattern (timezone/
+//       locale) ist key-value-flach
+//   (b) Profile-Wechsel ist audit-relevant — Event-Store gibt das
+//       automatisch fuer Entity-Writes
+//   (c) Plan-Files in docs/plans/datenschutz/compliance-profiles.md
+//       nennen sie explizit als tenantComplianceProfile-Entity
+//
+// Wer in 6 Monaten zweifelt warum nicht config-key: siehe oben.
+//
+// override als JSON-String in longText: kein dedizierter jsonField-Typ
+// im Framework; embedded hat festes Schema, das hier dynamisch ist.
+// Zod-Validation beim set-profile-Handler stellt Schema-Konformitaet
+// sicher.
+export const tenantComplianceProfileEntity = createEntity({
+  table: "read_tenant_compliance_profiles",
+  fields: {
+    profileKey: createSelectField({
+      required: true,
+      options: ["eu-dsgvo", "swiss-dsg", "de-hr-dsgvo-hgb", "minimal-no-region"] as const,
+    }),
+    // override: JSON-String mit Partial-ComplianceProfile. NULL/leer
+    // bedeutet "Default-Profile, keine Override". Validiert beim
+    // set-profile-Handler via Zod.
+    override: createLongTextField({
+      allowPlaintext: "is-business-data",
+    }),
+  },
+  indexes: [
+    // Pro Tenant nur EIN Profile-Datensatz. Boot-Validator-Comment in
+    // EntityIndexDef warnt vor single-column-tenantId-Index als redundant
+    // — UNIQUE-Constraint ist hier aber semantisch noetig (1:1-Relation)
+    // und nicht nur Performance-Hint, daher explizit deklariert.
+    { unique: true, columns: ["tenantId"] },
+  ],
+});
+
+export const tenantComplianceProfileTable = buildDrizzleTable(
+  "tenantComplianceProfile",
+  tenantComplianceProfileEntity,
+);

package/src/compliance-profiles/seeding.ts

@@ -0,0 +1,96 @@
+// Test-Helper für compliance-profiles. Legt einen Profile-Eintrag direkt
+// über den Event-Store-Executor an — gleicher Pfad wie der echte
+// set-profile-Handler, aber ohne Zod-Schema-Engung (akzeptiert
+// minimal-no-region für Migration-Edge-Case-Tests) und ohne Access-
+// Check. Idempotent: zweiter Call mit gleichem tenantId updated.
+//
+// Sprint 2 user-data-rights nutzt das fuer Test-Setup ("user kann
+// Daten exportieren mit profile X" — pro Test ein frischer Tenant +
+// Profile-Wahl in einem Helper-Call).
+//
+// Pattern matched seedTextBlock aus text-content.
+
+import type {
+  ComplianceProfileKey,
+  ComplianceProfileOverride,
+} from "@cosmicdrift/kumiko-framework/compliance";
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  fetchOne,
+} from "@cosmicdrift/kumiko-framework/db";
+import type { SessionUser, TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { TestUsers } from "@cosmicdrift/kumiko-framework/stack";
+import { eq } from "drizzle-orm";
+import {
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "./schema/profile-selection";
+
+const executor = createEventStoreExecutor(
+  tenantComplianceProfileTable,
+  tenantComplianceProfileEntity,
+  { entityName: "tenant-compliance-profile" },
+);
+
+export type SeedComplianceProfileOptions = {
+  readonly tenantId: TenantId;
+  readonly profileKey: ComplianceProfileKey;
+  readonly override?: ComplianceProfileOverride;
+  readonly by?: SessionUser;
+};
+
+export async function seedComplianceProfile(
+  db: DbConnection,
+  opts: SeedComplianceProfileOptions,
+): Promise<{ id: string | number }> {
+  // user.tenantId muss === opts.tenantId sein damit Event-Store-Stream
+  // + Projection im selben Tenant-Bucket landen (Memory:
+  // feedback_event_store_tenant_consistency).
+  const by = opts.by ?? { ...TestUsers.systemAdmin, tenantId: opts.tenantId };
+  const tdb = createTenantDb(db, opts.tenantId, "system");
+  const overrideJson = opts.override !== undefined ? JSON.stringify(opts.override) : null;
+
+  const existing = (await fetchOne(
+    db,
+    tenantComplianceProfileTable,
+    eq(tenantComplianceProfileTable["tenantId"], opts.tenantId),
+  )) as { id: string; version: number } | null; // @cast-boundary db-runner
+
+  if (existing) {
+    const result = await executor.update(
+      {
+        id: existing.id,
+        version: existing.version,
+        changes: { profileKey: opts.profileKey, override: overrideJson },
+      },
+      by,
+      tdb,
+    );
+    if (!result.isSuccess) {
+      throw new Error(`seedComplianceProfile update failed: ${JSON.stringify(result)}`);
+    }
+    return { id: existing.id };
+  }
+
+  const result = await executor.create(
+    {
+      profileKey: opts.profileKey,
+      override: overrideJson,
+      tenantId: opts.tenantId,
+    },
+    by,
+    tdb,
+  );
+  if (!result.isSuccess) {
+    throw new Error(`seedComplianceProfile create failed: ${JSON.stringify(result)}`);
+  }
+  // @cast-boundary db-row: executor.create-result enthält die inserted
+  // Row als Record<string, unknown>; id ist nach INSERT garantiert.
+  const data = result.data as { id?: string };
+  if (data.id === undefined) {
+    throw new Error("seedComplianceProfile: executor.create did not return an id");
+  }
+  return { id: data.id };
+}

package/src/config/resolver.ts

@@ -179,7 +179,7 @@ export function createConfigResolver(options: ConfigResolverOptions = {}): Confi
 
       const result = new Map<string, ConfigRow>();
       for (const row of rows) {
-        const r = row as ConfigRow;
+        const r = row as ConfigRow; // @cast-boundary db-row
         // Higher specificity wins: user > tenant > system. Under the ES
         // schema system rows carry SYSTEM_TENANT_ID instead of NULL, so the
         // "tenant set" check compares against the sentinel rather than null.

package/src/data-retention/__tests__/data-retention.integration.ts

@@ -0,0 +1,49 @@
+// Boot-Smoke-Test (S2.D2.5 M4) — verifiziert dass das data-retention-
+// Feature im setupTestStack hochfaehrt + Entity-Schema valide ist.
+//
+// Tiefere Integration (Cleanup-Job mit DB-Operations + Strategy-Dispatch
+// + Cron-Trigger) kommt in S2.D2b. Dieser Smoke-Test fanngt frueh ab
+// ob Boot-Validation oder Entity-Definition gebrochen ist — pre-S2.D2b
+// Sicherheitsnetz.
+
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { afterAll, beforeAll, describe, expect, test } from "vitest";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../feature";
+
+let stack: TestStack;
+
+const feature = createDataRetentionFeature();
+
+beforeAll(async () => {
+  stack = await setupTestStack({ features: [feature] });
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+describe("data-retention :: feature-definition smoke", () => {
+  test("Feature laedt clean (Boot-Validation passed)", () => {
+    // setupTestStack hat das Feature im beforeAll geladen — wenn Boot-
+    // Validation fehlschlaegt, waere dieser Block nie gelaufen.
+    expect(stack).toBeDefined();
+    expect(feature.name).toBe("data-retention");
+  });
+
+  test("tenantRetentionOverride-Entity ist registriert", () => {
+    expect(feature.entities["tenant-retention-override"]).toBeDefined();
+  });
+
+  test("Entity-Definition hat UNIQUE(tenantId, entityName) als 1:1-Constraint", () => {
+    const entity = feature.entities["tenant-retention-override"];
+    const indexes = entity?.indexes ?? [];
+    const uniqueIndex = indexes.find((i) => i.unique === true);
+    expect(uniqueIndex).toBeDefined();
+    expect(uniqueIndex?.columns).toEqual(["tenantId", "entityName"]);
+  });
+});