@cosmicdrift/kumiko-bundled-features 0.21.0 → 0.22.0

package/src/files/feature.ts

@@ -1,34 +1,7 @@
-import { defineFeature, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
-import { fileUploadedPayloadSchema } from "@cosmicdrift/kumiko-framework/files";
-import { fileRefEntity } from "./schema/file-ref";
-
-export { fileRefEntity } from "./schema/file-ref";
-
-// files — Schema-Sicht der framework-internen file_refs-Tabelle als
-// bundled-feature, damit Cross-Feature-Hooks (userData, tenantData) sich
-// an die "fileRef"-Entity hängen können.
-//
-// Sprint 1.5 (this commit):
-//   - r.entity("fileRef", fileRefEntity) — Schema-Surface
-//   - r.defineEvent("uploaded", schema)  — Event-Marker
-//
-// Sprint 2 (kommt):
-//   - r.useExtension(EXT_USER_DATA, "fileRef", { export, delete })
-//
-// Sprint 5 (kommt):
-//   - r.useExtension(EXT_TENANT_DATA, "fileRef", { destroy })
-//
-// Routes bleiben framework-internal (multipart-Upload + binary-Streaming
-// passen nicht in das Handler-Pattern; siehe schema/file-ref.ts für
-// Architektur-Note).
-//
-// Sprint-1.5-Plan-Roadmap-Wille: "fileRefsTable bleibt in framework
-// (kein Daten-Move), aber r.entity('fileRef') deklariert sie für das
-// Feature." — diese Datei IST die Umsetzung.
-export function createFilesFeature(): FeatureDefinition {
-  return defineFeature("files", (r) => {
-    r.entity("fileRef", fileRefEntity);
-
-    r.defineEvent("uploaded", fileUploadedPayloadSchema);
-  });
-}
+// files — full Event-Sourcing für File-Metadata. Die Implementierung (Entity,
+// files:event:*-Events, Inline-Projektion) lebt seit dem ES-Umbau im
+// Framework neben file-routes + fileRefsTable, weil file-routes hart davon
+// abhängt (appendDomainEventCore verlangt registrierte Events + Projektion).
+// Dieses Modul re-exportiert nur, damit der App-Import-Pfad
+// `@cosmicdrift/kumiko-bundled-features/files` stabil bleibt.
+export { createFilesFeature, fileRefEntity } from "@cosmicdrift/kumiko-framework/files";

package/src/files-provider-s3/__tests__/s3-provider.integration.test.ts

@@ -110,6 +110,33 @@ describe("s3-provider (Minio)", () => {
     const key = uniqueKey("never-existed.bin");
     await expect(provider.read(key)).rejects.toThrow();
   });
+
+  test("writeStream round-trip via multipart writer preserves bytes", async () => {
+    // Pinst die idiomatic Bun-S3-writer-Form (write + end, kein manual
+    // flush). Chunks summieren absichtlich auf > 5 MiB (partSize) UND auf
+    // einen krummen Rest, damit der multipart-finalizer auch dann greift,
+    // wenn die Source-Chunks nicht auf die Part-Boundary aufgehen.
+    const key = uniqueKey("stream-multipart.bin");
+    const partSize = 5 * 1024 * 1024;
+    const chunk = new Uint8Array(1024 * 1024);
+    for (let i = 0; i < chunk.length; i++) chunk[i] = i % 251;
+    const chunks: Uint8Array[] = [];
+    for (let i = 0; i < 7; i++) chunks.push(chunk);
+
+    if (!provider.writeStream) throw new Error("s3 provider should implement writeStream");
+    await provider.writeStream(
+      key,
+      (async function* () {
+        for (const c of chunks) yield c;
+      })(),
+    );
+
+    const readBack = await provider.read(key);
+    expect(readBack.byteLength).toBe(chunks.length * chunk.length);
+    expect(readBack.byteLength).toBeGreaterThan(partSize);
+    expect(readBack[0]).toBe(0);
+    expect(readBack[readBack.byteLength - 1]).toBe(chunk[chunk.length - 1]);
+  });
 });
 
 describe("createS3ProviderFromEnv", () => {

package/src/files-provider-s3/s3-provider.ts

@@ -1,29 +1,15 @@
-import { Readable } from "node:stream";
-import {
-  DeleteObjectCommand,
-  GetObjectCommand,
-  HeadObjectCommand,
-  PutObjectCommand,
-  S3Client,
-} from "@aws-sdk/client-s3";
-import { Upload } from "@aws-sdk/lib-storage";
-import { getSignedUrl as presign } from "@aws-sdk/s3-request-presigner";
 import type { FileStorageProvider, SignedUrlOptions } from "@cosmicdrift/kumiko-framework/files";
 
 // =============================================================================
 // Operator-Pflicht-Setup (Multipart-Upload-Cleanup)
 // =============================================================================
 //
-// `writeStream` nutzt @aws-sdk/lib-storage's Upload-class fuer echtes
-// multipart-streaming. S3 created dabei eine Multipart-Upload-Session mit
-// einer Upload-ID; bei normaler Completion wird sie via Complete-
-// MultipartUpload geschlossen.
-//
-// **Edge-Case bei Worker-Abort:** wenn der Export-Worker mid-write gecancelt
-// wird (Pod-Restart, K8s-OOM-Kill, Process-Signal), bleibt die Multipart-
-// Upload-Session in S3 OFFEN. S3 behaelt die bereits hochgeladenen Parts
-// und berechnet Storage-Kosten dafuer — bis sie manuell oder via Lifecycle-
-// Rule abgebrochen werden.
+// `writeStream` nutzt Bun's S3-Writer fuer echtes multipart-streaming. S3
+// created dabei eine Multipart-Upload-Session mit einer Upload-ID; bei
+// normaler Completion wird sie geschlossen. Wird der Export-Worker mid-write
+// gecancelt (Pod-Restart, K8s-OOM-Kill, Process-Signal), bleibt die Session
+// in S3 OFFEN und berechnet Storage-Kosten fuer die bereits hochgeladenen
+// Parts — bis sie via Lifecycle-Rule abgebrochen werden.
 //
 // **Pflicht-Operator-Setup auf jedem Bucket:**
 //
@@ -39,16 +25,9 @@ import type { FileStorageProvider, SignedUrlOptions } from "@cosmicdrift/kumiko-
 // AWS-CLI: `aws s3api put-bucket-lifecycle-configuration --bucket <name>
 // --lifecycle-configuration file://lifecycle.json`. Hetzner Object Storage
 // + R2 + Minio supporten dieselbe Syntax.
-//
-// **Code-side abort()** fuer graceful Worker-Shutdown ist follow-up. Das
-// braucht Worker-Cancel-Semantik (AbortSignal-Propagation durch r.job),
-// die im framework noch nicht existiert. Bis dahin ist die Lifecycle-
-// Rule die einzige Garantie gegen Storage-Leakage.
 
-// Minimal config surface — everything the SDK needs, nothing framework-
-// specific. Apps wire this into `buildServer({ files: { storageProvider } })`
-// the same way they'd pass createLocalProvider in dev.
-//
+const STREAM_PART_SIZE = 5 * 1024 * 1024;
+
 // `endpoint` + `forcePathStyle` are the R2/Minio knobs: AWS-S3 uses
 // virtual-host-style URLs (bucket.s3.region.amazonaws.com), Minio and many
 // S3-compat providers need path-style (endpoint/bucket/key). Default
@@ -67,8 +46,7 @@ export type S3ProviderConfig = {
 
 // Exported for unit testing — the branch logic (explicit override vs.
 // auto-detect from endpoint) is small but load-bearing: Minio/R2 break
-// silently if the virtual-host-style is picked. Keeping it testable
-// without constructing an S3Client means the rule stays honest.
+// silently if the virtual-host-style is picked.
 export function resolveForcePathStyle(config: S3ProviderConfig): boolean {
   // Explicit override wins; otherwise: custom endpoint → path-style
   // (that's the shape every non-AWS S3-compatible provider expects),
@@ -77,85 +55,53 @@ export function resolveForcePathStyle(config: S3ProviderConfig): boolean {
 }
 
 export function createS3Provider(config: S3ProviderConfig): FileStorageProvider {
-  const client = new S3Client({
+  const client = new Bun.S3Client({
     region: config.region,
-    credentials: {
-      accessKeyId: config.accessKeyId,
-      secretAccessKey: config.secretAccessKey,
-    },
+    accessKeyId: config.accessKeyId,
+    secretAccessKey: config.secretAccessKey,
+    bucket: config.bucket,
     ...(config.endpoint !== undefined && { endpoint: config.endpoint }),
-    forcePathStyle: resolveForcePathStyle(config),
+    // Bun's virtualHostedStyle is the inverse of the AWS-SDK forcePathStyle
+    // knob this config exposes: path-style ⇔ virtualHostedStyle=false.
+    virtualHostedStyle: !resolveForcePathStyle(config),
   });
 
   return {
     async write(key, data, mimeType): Promise<void> {
-      await client.send(
-        new PutObjectCommand({
-          Bucket: config.bucket,
-          Key: key,
-          Body: data,
-          ...(mimeType !== undefined && { ContentType: mimeType }),
-        }),
-      );
+      await client.write(key, data, mimeType !== undefined ? { type: mimeType } : undefined);
     },
 
     async writeStream(key, source, options): Promise<void> {
-      // Echtes multipart-streaming via @aws-sdk/lib-storage.Upload —
-      // der Source-AsyncIterable wird chunk-weise zu S3 hochgeladen,
-      // niemals alles im Memory aggregiert. lib-storage handled
-      // automatisch chunking (5MB-Parts default), parallel-uploads
-      // (4 concurrent default), und retry bei Part-Failures.
-      //
-      // Memory-Footprint: ~5MB pro in-flight-part × 4 concurrent =
-      // ~20MB Heap-Bound, unabhaengig von der Total-Bundle-Size. Macht
-      // 1GB+ Bundles moeglich ohne OOM.
-      //
-      // Readable.from(source) adapiert AsyncIterable → node:Readable —
-      // lib-storage's Body-Type akzeptiert Web-ReadableStream + node-
-      // Readable, nicht direkt AsyncIterable. Adapter ist zero-copy.
-      const body = Readable.from(source);
-      const upload = new Upload({
-        client,
-        params: {
-          Bucket: config.bucket,
-          Key: key,
-          Body: body,
-          ...(options?.mimeType !== undefined && { ContentType: options.mimeType }),
-        },
+      // Echtes multipart-streaming via Bun's S3-Writer — partSize steuert die
+      // Part-Boundary intern (AWS/R2 verlangen non-final Parts >= 5 MiB,
+      // sonst EntityTooSmall beim CompleteMultipartUpload). Manuelles flush()
+      // hier wuerde genau diese Garantie brechen, sobald die Source-Chunks
+      // nicht auf partSize aufgehen.
+      const writer = client.file(key).writer({
+        ...(options?.mimeType !== undefined && { type: options.mimeType }),
+        retry: 3,
+        queueSize: 4,
+        partSize: STREAM_PART_SIZE,
       });
-      await upload.done();
+      for await (const chunk of source) {
+        // Await applies Backpressure und bounded die in-flight Queue auf
+        // queueSize, statt unbegrenzt zu puffern.
+        await writer.write(chunk);
+      }
+      await writer.end();
     },
 
     async read(key): Promise<Uint8Array> {
-      const response = await client.send(new GetObjectCommand({ Bucket: config.bucket, Key: key }));
-      if (!response.Body) {
-        throw new Error(`s3_read_empty_body: ${key}`);
-      }
-      // transformToByteArray is the stream-to-bytes helper the v3 SDK ships
-      // with — avoids us reinventing a ReadableStream reader. Returns a
-      // Uint8Array, which is what FileStorageProvider.read() promises.
-      return response.Body.transformToByteArray();
+      return new Uint8Array(await client.file(key).arrayBuffer());
     },
 
     readStream(key): AsyncIterable<Uint8Array> {
-      // S3 GetObject.Body ist ein StreamingBlobPayloadOutputTypes — auf
-      // node ist das ein Readable-Stream der bereits AsyncIterable<Buffer>
-      // ist. Wir wrappen lazy: erst beim ersten chunk-pull wird der
-      // GetObject-Request abgesetzt. Wenn der Key nicht existiert, faellt
-      // der Error genau dort (nicht beim readStream-Aufruf) — gleiches
-      // Lazy-Verhalten wie inmemory + local.
+      // Lazy: erst beim ersten chunk-pull wird der GET-Request abgesetzt.
+      // Existiert der Key nicht, faellt der Error genau dort (nicht beim
+      // readStream-Aufruf) — gleiches Lazy-Verhalten wie inmemory + local.
       return {
         async *[Symbol.asyncIterator]() {
-          const response = await client.send(
-            new GetObjectCommand({ Bucket: config.bucket, Key: key }),
-          );
-          if (!response.Body) {
-            throw new Error(`s3_read_empty_body: ${key}`);
-          }
-          // SdkStream is AsyncIterable<Buffer> on node. Buffer extends
-          // Uint8Array; cast sichert die Surface ohne neue runtime-deps.
-          const body = response.Body as AsyncIterable<Uint8Array>; // @cast-boundary engine-bridge
-          for await (const chunk of body) {
+          for await (const chunk of client.file(key).stream()) {
             yield chunk;
           }
         },
@@ -163,23 +109,11 @@ export function createS3Provider(config: S3ProviderConfig): FileStorageProvider
     },
 
     async delete(key): Promise<void> {
-      await client.send(new DeleteObjectCommand({ Bucket: config.bucket, Key: key }));
+      await client.delete(key);
     },
 
     async exists(key): Promise<boolean> {
-      try {
-        await client.send(new HeadObjectCommand({ Bucket: config.bucket, Key: key }));
-        return true;
-      } catch (error) {
-        // S3 SDK throws either NotFound or a generic 404. Check both the
-        // `.name` property (newer SDKs) and the `$metadata.httpStatusCode`
-        // (what the SDK guarantees on every error).
-        const err = error as { name?: string; $metadata?: { httpStatusCode?: number } }; // @cast-boundary error-details
-        if (err.name === "NotFound" || err.$metadata?.httpStatusCode === 404) {
-          return false;
-        }
-        throw error;
-      }
+      return client.exists(key);
     },
 
     async getSignedUrl(
@@ -187,17 +121,16 @@ export function createS3Provider(config: S3ProviderConfig): FileStorageProvider
       expiresInSeconds: number,
       options?: SignedUrlOptions,
     ): Promise<string> {
-      // ResponseContentDisposition is the S3 mechanism for overriding the
-      // Content-Disposition header on the presigned GET — the browser sees
-      // the original filename instead of the UUID storage key.
-      const command = new GetObjectCommand({
-        Bucket: config.bucket,
-        Key: key,
+      // contentDisposition wird von Bun als response-content-disposition
+      // Query-Param signiert (Response-Override fuer den GET-Download) —
+      // der Browser sieht den Original-Dateinamen statt des UUID-Keys.
+      return client.presign(key, {
+        expiresIn: expiresInSeconds,
+        method: "GET",
         ...(options?.contentDisposition !== undefined && {
-          ResponseContentDisposition: options.contentDisposition,
+          contentDisposition: options.contentDisposition,
         }),
       });
-      return presign(client, command, { expiresIn: expiresInSeconds });
     },
   };
 }

package/src/user-data-rights/__tests__/cross-data-matrix.integration.test.ts

@@ -25,6 +25,7 @@ import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
+  unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
@@ -145,21 +146,9 @@ beforeAll(async () => {
       UNIQUE(user_id, tenant_id)
     )
   `);
-  await asRawClient(stack.db).unsafe(`
-    CREATE TABLE IF NOT EXISTS file_refs (
-      id UUID PRIMARY KEY,
-      tenant_id UUID NOT NULL,
-      storage_key TEXT NOT NULL,
-      file_name TEXT NOT NULL,
-      mime_type TEXT NOT NULL,
-      size INTEGER NOT NULL,
-      entity_type TEXT,
-      entity_id TEXT,
-      field_name TEXT,
-      inserted_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-      inserted_by_id TEXT
-    )
-  `);
+  // fileRef ist buildEntityTable-getrieben (softDelete) — echte Entity-Tabelle
+  // pushen statt hand-CREATE, damit is_deleted/deleted_at/deleted_by_id da sind.
+  await unsafePushTables(stack.db, { fileRefsTable });
   await asRawClient(stack.db).unsafe(`
     CREATE TABLE IF NOT EXISTS test_notes (
       id UUID PRIMARY KEY,

package/src/user-data-rights/__tests__/file-retention.integration.test.ts

@@ -0,0 +1,231 @@
+// File-Retention Integration-Test.
+//
+// Beweist, dass die BESTEHENDE data-retention + Forget-Pipeline auch für
+// `fileRef` greift — kein file-spezifischer Retention-Mechanismus. fileRef ist
+// ein normales softDelete-ES-Entity; sein Forget-/Retention-Verhalten kommt
+// aus genau derselben Kette wie bei jedem anderen Entity:
+//
+//   runForgetCleanup → resolveRetentionPolicyForTenant(entityName="fileRef")
+//   → policyToStrategy → fileRef userData delete-Hook (delete | anonymize)
+//
+// Abgedeckt:
+//   1. Default (keine Override-Policy) → Forget HARD-löscht die Datei (Art. 17).
+//   2. Tenant-Retention-Override fileRef→anonymize → Forget anonymisiert
+//      (insertedById=null, Row bleibt) statt zu löschen.
+//   3. Per-Tenant: derselbe User, anonymize in Tenant A, delete in Tenant B —
+//      die Policy entscheidet pro Tenant.
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+} from "@cosmicdrift/kumiko-framework/db";
+import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { tenantRetentionOverrideTable } from "../../data-retention/schema/tenant-retention-override";
+import { createFilesFeature } from "../../files";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+
+let stack: TestStack;
+let db: DbConnection;
+
+const TENANT_A = "00000000-0000-4000-8000-00000000000a";
+const TENANT_B = "00000000-0000-4000-8000-00000000000b";
+const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+
+function uuid(suffix: number): string {
+  return `aaaaaaaa-aaaa-4aaa-8aaa-${suffix.toString(16).padStart(12, "0")}`;
+}
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+const NOW = (): Instant => getTemporal().Now.instant();
+function pastInstant(): Instant {
+  return getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+}
+
+let overrideExecutor: ReturnType<typeof createEventStoreExecutor>;
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature(),
+    ],
+  });
+  db = stack.db;
+
+  await unsafeCreateEntityTable(db, userEntity);
+  await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
+  await unsafePushTables(db, { fileRefsTable });
+  await asRawClient(db).unsafe(`
+    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      tenant_id UUID NOT NULL,
+      user_id TEXT NOT NULL,
+      version INTEGER NOT NULL DEFAULT 0,
+      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      inserted_by_id TEXT,
+      modified_by_id TEXT,
+      is_deleted BOOLEAN NOT NULL DEFAULT false,
+      deleted_at TIMESTAMPTZ,
+      deleted_by_id TEXT,
+      roles TEXT NOT NULL DEFAULT '[]',
+      UNIQUE(user_id, tenant_id)
+    )
+  `);
+
+  overrideExecutor = createEventStoreExecutor(
+    tenantRetentionOverrideTable,
+    tenantRetentionOverrideEntity,
+    { entityName: "tenant-retention-override" },
+  );
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await resetTestTables(db, [
+    userTable,
+    "read_tenant_memberships",
+    fileRefsTable,
+    tenantRetentionOverrideTable,
+  ]);
+});
+
+async function seedForgetUser(id: string): Promise<void> {
+  await insertOne(db, userTable, {
+    id,
+    tenantId: TENANT_SYSTEM,
+    email: `user-${id}@example.com`,
+    passwordHash: "hashed",
+    displayName: `User ${id}`,
+    locale: "de",
+    emailVerified: true,
+    roles: '["Member"]',
+    status: USER_STATUS.DeletionRequested,
+    gracePeriodEnd: pastInstant(),
+  });
+}
+
+async function seedMembership(userId: string, tenantId: string): Promise<void> {
+  await asRawClient(db).unsafe(
+    `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
+     VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
+    [tenantId, userId],
+  );
+}
+
+async function seedFileRef(id: string, tenantId: string, insertedById: string): Promise<void> {
+  await asRawClient(db).unsafe(
+    `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
+     VALUES ($1, $2, $3, $4, 'application/pdf', 1024, $5) ON CONFLICT (id) DO NOTHING`,
+    [id, tenantId, `storage/${id}`, `${id}.pdf`, insertedById],
+  );
+}
+
+// Setzt einen Tenant-Retention-Override über die GLEICHE API die der
+// Forget-Resolver liest — kein Test-Sonderpfad.
+async function seedFileRetentionOverride(
+  tenantId: string,
+  config: { keepFor: string; strategy: string; reference?: string },
+): Promise<void> {
+  const by = { ...TestUsers.systemAdmin, tenantId };
+  const result = await overrideExecutor.create(
+    { entityName: "fileRef", config: JSON.stringify(config), reason: "test", tenantId },
+    by,
+    createTenantDb(db, tenantId, "system"),
+  );
+  if (!result.isSuccess)
+    throw new Error(`seedFileRetentionOverride failed: ${JSON.stringify(result)}`);
+}
+
+async function fetchFileRow(
+  id: string,
+): Promise<{ id: string; inserted_by_id: string | null; is_deleted: boolean } | null> {
+  const result = await asRawClient(db).unsafe(
+    `SELECT id, inserted_by_id, is_deleted FROM file_refs WHERE id = $1`,
+    [id],
+  );
+  // biome-ignore lint/suspicious/noExplicitAny: drizzle execute typing
+  const rows = ((result as any).rows ?? result) as Array<{
+    id: string;
+    inserted_by_id: string | null;
+    is_deleted: boolean;
+  }>;
+  return rows[0] ?? null;
+}
+
+describe("file-retention :: Forget-Pipeline greift für fileRef", () => {
+  test("Default (keine Override-Policy) → Datei wird hart gelöscht (Art. 17)", async () => {
+    const userId = uuid(1);
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT_B);
+    await seedFileRef(uuid(101), TENANT_B, userId);
+
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    expect(result.processedUserIds).toContain(userId);
+    // Hard-Delete: Row weg.
+    expect(await fetchFileRow(uuid(101))).toBeNull();
+  });
+
+  test("Retention-Override fileRef→anonymize → Datei wird anonymisiert, Row bleibt", async () => {
+    const userId = uuid(2);
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT_A);
+    await seedFileRef(uuid(201), TENANT_A, userId);
+    await seedFileRetentionOverride(TENANT_A, { keepFor: "30d", strategy: "anonymize" });
+
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    expect(result.processedUserIds).toContain(userId);
+    const row = await fetchFileRow(uuid(201));
+    // Anonymize: Row existiert weiter, aber ohne Personenbezug (insertedById null).
+    expect(row).not.toBeNull();
+    expect(row?.inserted_by_id).toBeNull();
+    expect(row?.is_deleted).toBe(false);
+  });
+
+  test("Per-Tenant: derselbe User → anonymize in A, hard-delete in B", async () => {
+    const userId = uuid(3);
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT_A);
+    await seedMembership(userId, TENANT_B);
+    await seedFileRef(uuid(301), TENANT_A, userId);
+    await seedFileRef(uuid(302), TENANT_B, userId);
+    await seedFileRetentionOverride(TENANT_A, { keepFor: "30d", strategy: "anonymize" });
+    // TENANT_B: kein Override → Default-Delete.
+
+    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    const aRow = await fetchFileRow(uuid(301));
+    expect(aRow).not.toBeNull();
+    expect(aRow?.inserted_by_id).toBeNull();
+
+    expect(await fetchFileRow(uuid(302))).toBeNull();
+  });
+});

package/src/user-data-rights/__tests__/run-forget-cleanup.integration.test.ts

@@ -22,6 +22,7 @@ import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
+  unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
@@ -92,21 +93,9 @@ beforeAll(async () => {
       UNIQUE(user_id, tenant_id)
     )
   `);
-  await asRawClient(stack.db).unsafe(`
-    CREATE TABLE IF NOT EXISTS file_refs (
-      id UUID PRIMARY KEY,
-      tenant_id UUID NOT NULL,
-      storage_key TEXT NOT NULL,
-      file_name TEXT NOT NULL,
-      mime_type TEXT NOT NULL,
-      size INTEGER NOT NULL,
-      entity_type TEXT,
-      entity_id TEXT,
-      field_name TEXT,
-      inserted_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-      inserted_by_id TEXT
-    )
-  `);
+  // fileRef ist buildEntityTable-getrieben (softDelete) — echte Entity-Tabelle
+  // pushen statt hand-CREATE, damit is_deleted/deleted_at/deleted_by_id da sind.
+  await unsafePushTables(stack.db, { fileRefsTable });
 });
 
 afterAll(async () => {

package/src/user-data-rights/__tests__/run-user-export.integration.test.ts

@@ -21,6 +21,7 @@ import {
   setupTestStack,
   type TestStack,
   unsafeCreateEntityTable,
+  unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
@@ -79,21 +80,9 @@ beforeAll(async () => {
       UNIQUE(user_id, tenant_id)
     )
   `);
-  await asRawClient(stack.db).unsafe(`
-    CREATE TABLE IF NOT EXISTS file_refs (
-      id UUID PRIMARY KEY,
-      tenant_id UUID NOT NULL,
-      storage_key TEXT NOT NULL,
-      file_name TEXT NOT NULL,
-      mime_type TEXT NOT NULL,
-      size INTEGER NOT NULL,
-      entity_type TEXT,
-      entity_id TEXT,
-      field_name TEXT,
-      inserted_at TIMESTAMPTZ DEFAULT now() NOT NULL,
-      inserted_by_id TEXT
-    )
-  `);
+  // fileRef ist buildEntityTable-getrieben (softDelete) — echte Entity-Tabelle
+  // pushen statt hand-CREATE, damit is_deleted/deleted_at/deleted_by_id da sind.
+  await unsafePushTables(stack.db, { fileRefsTable });
 });
 
 afterAll(async () => {