@cosmicdrift/kumiko-bundled-features 0.22.0 → 0.24.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.22.0",
+  "version": "0.24.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",

package/src/auth-email-password/__tests__/invite-flow.integration.test.ts

@@ -138,12 +138,12 @@ beforeEach(async () => {
   });
 
   // Alice = Admin von Tenant-A
-  aliceId = await seedUser(stack.db, {
+  ({ id: aliceId } = await seedUser(stack.db, {
     email: ALICE_EMAIL,
     displayName: "Alice",
     passwordHash: await hashPassword("alice-pw-1234"),
     emailVerified: true,
-  });
+  }));
   await seedTenantMembership(stack.db, {
     userId: aliceId,
     tenantId: TENANT_A_ID,
@@ -151,12 +151,12 @@ beforeEach(async () => {
   });
 
   // Bob = Member von Tenant-B (für Branch 1 + 2 tests)
-  bobId = await seedUser(stack.db, {
+  ({ id: bobId } = await seedUser(stack.db, {
     email: BOB_EMAIL,
     displayName: "Bob",
     passwordHash: await hashPassword(BOB_PASSWORD),
     emailVerified: true,
-  });
+  }));
   await seedTenantMembership(stack.db, {
     userId: bobId,
     tenantId: TENANT_B_ID,

package/src/auth-email-password/__tests__/seed-admin.integration.test.ts

@@ -61,7 +61,7 @@ beforeEach(async () => {
 
 describe("seedAdmin", () => {
   test("legt Tenants, User mit gehashtem Password und Memberships an — Login-Roundtrip funktioniert", async () => {
-    const userId = await seedAdmin(stack.db, {
+    const { id: userId } = await seedAdmin(stack.db, {
       email: "admin@example.com",
       password: "secret-pw",
       displayName: "Admin",
@@ -113,7 +113,7 @@ describe("seedAdmin", () => {
 
   test("idempotent: zweiter Aufruf no-op (kein Crash, Stand bleibt)", async () => {
     // Erstaufruf
-    const userId1 = await seedAdmin(stack.db, {
+    const { id: userId1 } = await seedAdmin(stack.db, {
       email: "admin@example.com",
       password: "pw1",
       displayName: "Admin",
@@ -124,7 +124,7 @@ describe("seedAdmin", () => {
     // Zweiter Aufruf — gleicher Email, anderes Password (würde theoretisch
     // einen neuen Hash erzeugen und neu schreiben, der idempotent-Check
     // greift VOR dem Insert).
-    const userId2 = await seedAdmin(stack.db, {
+    const { id: userId2 } = await seedAdmin(stack.db, {
       email: "admin@example.com",
       password: "pw2",
       displayName: "Admin",

package/src/auth-email-password/handlers/invite-signup-complete.write.ts

@@ -138,7 +138,7 @@ export function createInviteSignupCompleteHandler() {
         // @cast-boundary db-runner — TenantDb.raw is DbRunner; seed-helpers
         // operate on plain drizzle-API which both shapes expose identically.
         const dbConn = ctx.db.raw as DbConnection;
-        const userId = await seedUserWithPassword(dbConn, {
+        const { id: userId } = await seedUserWithPassword(dbConn, {
           email: invitationEmail,
           password: event.payload.password,
           displayName: invitationEmail.split("@")[0] ?? invitationEmail,

package/src/auth-email-password/seeding.ts

@@ -46,12 +46,12 @@ export type SeedUserWithPasswordOptions = {
 
 /**
  * Seed a user mit Plain-Password (wird vor dem Insert mit argon2
- * gehasht). Liefert userId, idempotent über email.
+ * gehasht). Liefert die userId, idempotent über email.
  */
 export async function seedUserWithPassword(
   db: DbConnection,
   options: SeedUserWithPasswordOptions,
-): Promise<string> {
+): Promise<{ id: string }> {
   const passwordHash = await hashPassword(options.password);
   return seedUser(db, {
     email: options.email,
@@ -114,7 +114,7 @@ export async function provisionSignupAccount(
     key: options.tenantKey,
     name: options.tenantName,
   });
-  const userId = await seedUserWithPassword(db, {
+  const { id: userId } = await seedUserWithPassword(db, {
     email: options.email,
     password: options.password,
     displayName: options.displayName,
@@ -155,14 +155,17 @@ export type SeedAdminOptions = {
  * Password + N Tenants + N Memberships. Alles idempotent (Re-Run im
  * persistent-DB-Modus läuft durch). Liefert die userId zurück.
  */
-export async function seedAdmin(db: DbConnection, options: SeedAdminOptions): Promise<string> {
+export async function seedAdmin(
+  db: DbConnection,
+  options: SeedAdminOptions,
+): Promise<{ id: string }> {
   const by = options.by ?? TestUsers.systemAdmin;
 
   for (const m of options.memberships) {
     await seedTenant(db, { id: m.tenantId, key: m.tenantKey, name: m.tenantName, by });
   }
 
-  const userId = await seedUserWithPassword(db, {
+  const { id: userId } = await seedUserWithPassword(db, {
     email: options.email,
     password: options.password,
     displayName: options.displayName,
@@ -179,5 +182,5 @@ export async function seedAdmin(db: DbConnection, options: SeedAdminOptions): Pr
     });
   }
 
-  return userId;
+  return { id: userId };
 }

package/src/compliance-profiles/seeding.ts

@@ -45,7 +45,7 @@ export type SeedComplianceProfileOptions = {
 export async function seedComplianceProfile(
   db: DbConnection,
   opts: SeedComplianceProfileOptions,
-): Promise<{ id: string | number }> {
+): Promise<{ id: string }> {
   // user.tenantId muss === opts.tenantId sein damit Event-Store-Stream
   // + Projection im selben Tenant-Bucket landen (Memory:
   // feedback_event_store_tenant_consistency).
@@ -73,6 +73,9 @@ export async function seedComplianceProfile(
       if (!result.isSuccess) {
         throw new Error(`seedComplianceProfile create failed: ${JSON.stringify(result)}`);
       }
+      // @cast-boundary db-row: executor.create result.data ist die
+      // inserted Projection-Row (Record<string, unknown>); id ist nach
+      // INSERT garantiert (Runtime-Check direkt darunter).
       const data = result.data as { id?: string };
       if (data.id === undefined) {
         throw new Error("seedComplianceProfile: executor.create did not return an id");

package/src/tenant/__tests__/seed-testing.integration.test.ts

@@ -62,7 +62,7 @@ beforeEach(async () => {
 
 describe("seedTenant", () => {
   test("schreibt Projection-Row mit id/key/name", async () => {
-    const id = await seedTenant(stack.db, {
+    const { id } = await seedTenant(stack.db, {
       id: TENANT_A,
       key: "tenant-a",
       name: "Tenant A",

package/src/tenant/seeding.ts

@@ -24,8 +24,9 @@
 // IS a test fixture, not a user request) while still producing the
 // correct event + projection.
 //
-// Idempotent: calling twice for the same (userId, tenantId) is a no-op on
-// the second call (ifExists="skip", siehe @cosmicdrift/kumiko-framework/seeding).
+// Idempotent (add-only): calling twice for the same (userId, tenantId) is
+// a no-op on the second call. Memberships have no update-semantic — to
+// change roles, write a new event via the regular handler path.
 
 import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import {
@@ -73,12 +74,15 @@ export type SeedTenantOptions = {
 };
 
 /**
- * Seed a tenant through the event-store executor. Idempotent (ifExists="skip"):
- * a second call for the same `id` is a no-op. Same TX-semantics as the real
- * `TenantHandlers.create`, minus the SystemAdmin-access-check and minus
- * ConflictError-on-duplicate.
+ * Seed a tenant through the event-store executor. Idempotent add-only:
+ * a second call for the same `id` is a no-op (no update path). Same
+ * TX-semantics as the real `TenantHandlers.create`, minus the SystemAdmin-
+ * access-check and minus ConflictError-on-duplicate.
  */
-export async function seedTenant(db: DbRunner, options: SeedTenantOptions): Promise<TenantId> {
+export async function seedTenant(
+  db: DbRunner,
+  options: SeedTenantOptions,
+): Promise<{ id: TenantId }> {
   const by = options.by ?? TestUsers.systemAdmin;
   // executor.create erwartet eine TenantDb (mit .insert()-API), nicht
   // die rohe DbConnection. Auch wenn das Tenant-Aggregat selbst NICHT
@@ -88,14 +92,14 @@ export async function seedTenant(db: DbRunner, options: SeedTenantOptions): Prom
   const tdb = createTenantDb(db, by.tenantId, "system");
 
   const existing = await fetchOne(db, tenantTable, { id: options.id });
-  if (existing) return options.id;
+  if (existing) return { id: options.id };
 
   // Idempotenz: Aggregate kann im Event-Store existieren ohne Projection-Row
   // (Projection-Drift nach rebuild, manuellem DELETE, oder async-lag). Wenn
   // Stream-Version > 0 → kein create() — wäre version_conflict. Caller
   // bekommt die ID, Projection wird beim nächsten Dispatcher-Cycle aufgebaut.
   const streamVersion = await getAggregateStreamMaxVersion(db, options.id);
-  if (streamVersion > 0) return options.id;
+  if (streamVersion > 0) return { id: options.id };
 
   const result = await tenantExecutor.create(
     { id: options.id, key: options.key, name: options.name },
@@ -107,7 +111,7 @@ export async function seedTenant(db: DbRunner, options: SeedTenantOptions): Prom
       `seedTenant failed: ${result.error.code} — ${JSON.stringify(result.error.details ?? {})}`,
     );
   }
-  return options.id;
+  return { id: options.id };
 }
 
 /**
@@ -116,11 +120,13 @@ export async function seedTenant(db: DbRunner, options: SeedTenantOptions): Prom
  * projection row in one transaction — identical effect to
  * `TenantHandlers.addMember`, minus the access-check and minus the
  * ConflictError on duplicates (duplicate calls no-op).
+ *
+ * Returns the membership-row id (existing on no-op, freshly minted on create).
  */
 export async function seedTenantMembership(
   db: DbRunner,
   options: SeedTenantMembershipOptions,
-): Promise<void> {
+): Promise<{ id: string }> {
   const by = options.by ?? TestUsers.systemAdmin;
   // Wrap into a system-scoped TenantDb so the insert respects the tenant-
   // override (we write into options.tenantId, which may differ from by.tenantId).
@@ -134,10 +140,11 @@ export async function seedTenantMembership(
     userId: options.userId,
     tenantId: options.tenantId,
   });
-  // skip: idempotent no-op — duplicate seed is expected across beforeEach-
-  // resets that don't truncate this table. Cheaper than try/catch on the
-  // unique-index, and documented in the function JSDoc above.
-  if (existing) return;
+  if (existing) {
+    // @cast-boundary db-row: membership-row id is uuid (string) per
+    // entity definition; fetchOne returns the raw projection row.
+    return { id: existing["id"] as string };
+  }
 
   const result = await executor.create(
     {
@@ -153,4 +160,17 @@ export async function seedTenantMembership(
       `seedTenantMembership failed: ${result.error.code} — ${JSON.stringify(result.error.details ?? {})}`,
     );
   }
+  return { id: extractMembershipId(result.data) };
+}
+
+function extractMembershipId(data: unknown): string {
+  if (typeof data === "object" && data !== null && "id" in data) {
+    // @cast-boundary engine-bridge: executor.create returns the projection
+    // row as Record<string, unknown>; id is uuid per entity definition.
+    const id = (data as { id: unknown }).id;
+    if (typeof id === "string") return id;
+  }
+  throw new Error(
+    `seedTenantMembership: executor.create returned no string id (got ${JSON.stringify(data)})`,
+  );
 }

package/src/text-content/seeding.ts

@@ -36,7 +36,7 @@ export type SeedTextBlockOptions = {
 export async function seedTextBlock(
   db: DbConnection,
   opts: SeedTextBlockOptions,
-): Promise<{ id: string | number }> {
+): Promise<{ id: string }> {
   // Default-user muss user.tenantId === opts.tenantId haben, sonst
   // landet der event-store-stream im user.tenantId-bucket aber die
   // projection-row im opts.tenantId-bucket. Spätere echte writes via
@@ -75,6 +75,9 @@ export async function seedTextBlock(
       if (!result.isSuccess) {
         throw new Error(`seedTextBlock create failed: ${JSON.stringify(result)}`);
       }
+      // @cast-boundary db-row: executor.create result.data ist die
+      // inserted Drizzle-Row (Record<string, unknown>), projected
+      // nach INSERT/RETURNING auf TextBlockRow. Runtime-Check unten.
       const data = result.data as Partial<TextBlockRow>;
       if (data.id === undefined) {
         throw new Error("seedTextBlock: executor.create did not return an id");

package/src/text-content/table.ts

@@ -38,7 +38,7 @@ export const textBlocksTable = buildEntityTable("text-block", textBlockEntity);
 // createdAt, updatedAt, createdBy, updatedBy) die buildBaseColumns
 // erzwingt.
 export type TextBlockRow = {
-  readonly id: string | number;
+  readonly id: string;
   readonly version: number;
   readonly tenantId: string;
   readonly slug: string;

package/src/user/__tests__/seed-testing.integration.test.ts

@@ -47,7 +47,7 @@ beforeEach(async () => {
 
 describe("seedUser", () => {
   test("schreibt Projection-Row mit email/displayName/passwordHash", async () => {
-    const userId = await seedUser(stack.db, {
+    const { id: userId } = await seedUser(stack.db, {
       email: "alice@example.com",
       displayName: "Alice",
       passwordHash: "$argon2id$test-hash",
@@ -62,7 +62,7 @@ describe("seedUser", () => {
   });
 
   test("emittiert user.created-Event auf den Aggregate-Stream", async () => {
-    const userId = await seedUser(stack.db, {
+    const { id: userId } = await seedUser(stack.db, {
       email: "bob@example.com",
       displayName: "Bob",
     });
@@ -84,7 +84,7 @@ describe("seedUser", () => {
       email: "carol@example.com",
       displayName: "Carol Updated",
     });
-    expect(second).toBe(first);
+    expect(second.id).toBe(first.id);
 
     const rows = await selectMany(stack.db, userTable, { email: "carol@example.com" });
     expect(rows).toHaveLength(1);
@@ -96,7 +96,7 @@ describe("seedUser", () => {
   });
 
   test("passwordHash optional — User ohne Hash anlegbar (z.B. SSO-Federation)", async () => {
-    const userId = await seedUser(stack.db, {
+    const { id: userId } = await seedUser(stack.db, {
       email: "dave@example.com",
       displayName: "Dave",
     });
@@ -105,7 +105,7 @@ describe("seedUser", () => {
   });
 
   test("default `by` ist TestUsers.systemAdmin (für audit-trail)", async () => {
-    const userId = await seedUser(stack.db, {
+    const { id: userId } = await seedUser(stack.db, {
       email: "eve@example.com",
       displayName: "Eve",
     });

package/src/user/seeding.ts

@@ -1,9 +1,9 @@
 // Testing-Helper fürs user-Feature. `seedUser` legt einen User direkt
 // über den Event-Store-Executor an — gleicher Pfad wie der echte
 // `UserHandlers.create`, aber ohne Access-Check und ohne ConflictError
-// bei Duplikaten. Verhält sich wie ifExists="skip" (siehe
-// @cosmicdrift/kumiko-framework/seeding): existierende Email → return
-// ohne Event.
+// bei Duplikaten. Idempotent add-only über die `email`-Spalte: ein
+// existierender User → return ohne Event. Kein update-Pfad — Profilfelder
+// ändern läuft über den regulären Handler.
 //
 // Warum nicht direkt `db.insert(userTable)`: das würde den Event-Store
 // umgehen, also kein `user.created`-Event und keine MSP-Konsumenten
@@ -46,10 +46,13 @@ export type SeedUserOptions = {
 
 /**
  * Seed a user. Returns the userId (existing oder neu angelegt).
- * Idempotent über die `email`-Spalte: wenn ein User mit dieser Email
- * existiert, kommt seine ID zurück ohne neuen Insert.
+ * Idempotent add-only über die `email`-Spalte: wenn ein User mit dieser
+ * Email existiert, kommt seine ID zurück ohne neuen Insert.
  */
-export async function seedUser(db: DbConnection, options: SeedUserOptions): Promise<string> {
+export async function seedUser(
+  db: DbConnection,
+  options: SeedUserOptions,
+): Promise<{ id: string }> {
   const by = options.by ?? TestUsers.systemAdmin;
   // executor.create erwartet eine TenantDb (mit .insert()-API). User
   // ist zwar tenant-agnostic (kein tenant_id-Spalte), aber das runtime-
@@ -57,7 +60,9 @@ export async function seedUser(db: DbConnection, options: SeedUserOptions): Prom
   const tdb = createTenantDb(db, by.tenantId, "system");
 
   const existing = await fetchOne(db, userTable, { email: options.email });
-  if (existing) return existing["id"] as string; // @cast-boundary db-row
+  // @cast-boundary db-row: users.id ist uuid-Spalte (string), fetchOne
+  // liefert die Projection-Row als Record<string, unknown>.
+  if (existing) return { id: existing["id"] as string };
 
   const result = await userExecutor.create(
     {
@@ -76,7 +81,7 @@ export async function seedUser(db: DbConnection, options: SeedUserOptions): Prom
       `seedUser failed: ${result.error.code} — ${JSON.stringify(result.error.details ?? {})}`,
     );
   }
-  return extractId(result.data, "seedUser");
+  return { id: extractId(result.data, "seedUser") };
 }
 
 // Extrahiert die `id`-Spalte aus dem executor.create-Result. Der

package/src/user-data-rights/__tests__/file-binary-forget-cleanup.integration.test.ts

@@ -0,0 +1,178 @@
+// Forget-Hook binary-Cleanup Integration-Test.
+//
+// Beweist, dass der `fileRef`-Forget-Hook bei strategy="delete" die
+// Storage-Binaries via `storageProvider.delete()` entfernt, BEVOR die
+// row hard-gelöscht wird — ohne provider leakt sonst jede gelöschte
+// Datei ihre Bytes dauerhaft auf Disk (Issue gefunden im Review zu #177).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createInMemoryFileProvider,
+  fileRefsTable,
+  type InMemoryFileProvider,
+} from "@cosmicdrift/kumiko-framework/files";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createFilesFeature } from "../../files";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+
+let stack: TestStack;
+let db: DbConnection;
+let provider: InMemoryFileProvider;
+
+const TENANT = "00000000-0000-4000-8000-00000000000c";
+const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+
+function uuid(suffix: number): string {
+  return `bbbbbbbb-bbbb-4bbb-8bbb-${suffix.toString(16).padStart(12, "0")}`;
+}
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+const NOW = (): Instant => getTemporal().Now.instant();
+const pastInstant = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+
+beforeAll(async () => {
+  provider = createInMemoryFileProvider();
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature({ storageProvider: provider }),
+    ],
+    files: { storageProvider: provider },
+  });
+  db = stack.db;
+
+  await unsafeCreateEntityTable(db, userEntity);
+  await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
+  await unsafePushTables(db, { fileRefsTable });
+  await asRawClient(db).unsafe(`
+    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      tenant_id UUID NOT NULL,
+      user_id TEXT NOT NULL,
+      version INTEGER NOT NULL DEFAULT 0,
+      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      inserted_by_id TEXT,
+      modified_by_id TEXT,
+      is_deleted BOOLEAN NOT NULL DEFAULT false,
+      deleted_at TIMESTAMPTZ,
+      deleted_by_id TEXT,
+      roles TEXT NOT NULL DEFAULT '[]',
+      UNIQUE(user_id, tenant_id)
+    )
+  `);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  provider.clear();
+  await resetTestTables(db, [userTable, "read_tenant_memberships", fileRefsTable]);
+});
+
+async function seedForgetUser(id: string): Promise<void> {
+  await insertOne(db, userTable, {
+    id,
+    tenantId: TENANT_SYSTEM,
+    email: `user-${id}@example.com`,
+    passwordHash: "hashed",
+    displayName: `User ${id}`,
+    locale: "de",
+    emailVerified: true,
+    roles: '["Member"]',
+    status: USER_STATUS.DeletionRequested,
+    gracePeriodEnd: pastInstant(),
+  });
+}
+
+async function seedMembership(userId: string, tenantId: string): Promise<void> {
+  await asRawClient(db).unsafe(
+    `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
+     VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
+    [tenantId, userId],
+  );
+}
+
+async function seedFile(id: string, tenantId: string, insertedById: string): Promise<string> {
+  const storageKey = `storage/${id}`;
+  await provider.write(storageKey, new Uint8Array([1, 2, 3, 4]), "application/pdf");
+  await asRawClient(db).unsafe(
+    `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
+     VALUES ($1, $2, $3, $4, 'application/pdf', 4, $5) ON CONFLICT (id) DO NOTHING`,
+    [id, tenantId, storageKey, `${id}.pdf`, insertedById],
+  );
+  return storageKey;
+}
+
+describe("forget-binary-cleanup :: storage.delete fires before row hard-delete", () => {
+  test("Forget deletes the binary from the storage provider", async () => {
+    const userId = uuid(1);
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT);
+    const key = await seedFile(uuid(101), TENANT, userId);
+    expect(await provider.exists(key)).toBe(true);
+
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    expect(result.processedUserIds).toContain(userId);
+    expect(await provider.exists(key)).toBe(false);
+    expect(provider.keys()).not.toContain(key);
+  });
+
+  test("Multiple files from the same user — all binaries cleaned up", async () => {
+    const userId = uuid(2);
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT);
+    const keys = await Promise.all([
+      seedFile(uuid(201), TENANT, userId),
+      seedFile(uuid(202), TENANT, userId),
+      seedFile(uuid(203), TENANT, userId),
+    ]);
+    expect(provider.keys()).toHaveLength(3);
+
+    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    for (const key of keys) {
+      expect(await provider.exists(key)).toBe(false);
+    }
+    expect(provider.keys()).toHaveLength(0);
+  });
+
+  test("Other tenants' files stay untouched", async () => {
+    const userId = uuid(3);
+    const otherTenant = "00000000-0000-4000-8000-00000000000d";
+    await seedForgetUser(userId);
+    await seedMembership(userId, TENANT);
+    const myKey = await seedFile(uuid(301), TENANT, userId);
+    const otherKey = await seedFile(uuid(302), otherTenant, "another-user");
+    // The other-tenant file is owned by a different user; the forget run for
+    // userId must NOT touch it.
+
+    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+
+    expect(await provider.exists(myKey)).toBe(false);
+    expect(await provider.exists(otherKey)).toBe(true);
+  });
+});

package/src/user-data-rights-defaults/feature.ts

@@ -3,9 +3,20 @@ import {
   EXT_USER_DATA,
   type FeatureDefinition,
 } from "@cosmicdrift/kumiko-framework/engine";
-import { fileRefDeleteHook, fileRefExportHook } from "./hooks/file-ref.userdata-hook";
+import type { FileStorageProvider } from "@cosmicdrift/kumiko-framework/files";
+import { createFileRefDeleteHook, fileRefExportHook } from "./hooks/file-ref.userdata-hook";
 import { userDeleteHook, userExportHook } from "./hooks/user.userdata-hook";
 
+export interface UserDataRightsDefaultsOptions {
+  /**
+   * Wired into the fileRef delete-hook: on strategy="delete" the hook
+   * calls `storageProvider.delete(key)` per row before hard-deleting
+   * the row. Without it, file binaries leak on forget (Art. 17) — the
+   * hook logs a one-shot warning so misconfiguration stays visible.
+   */
+  readonly storageProvider?: FileStorageProvider;
+}
+
 // user-data-rights-defaults — Default-Hooks für die Core-Entities
 // `user` (S2.H1) und `fileRef` (S2.H2).
 //
@@ -23,7 +34,10 @@ import { userDeleteHook, userExportHook } from "./hooks/user.userdata-hook";
 // Pattern matched file-foundation + file-provider-s3 (separate Plugin-
 // Feature), nicht user/files schreiben ihre eigenen Hooks selbst weil
 // das circular-requires waere.
-export function createUserDataRightsDefaultsFeature(): FeatureDefinition {
+export function createUserDataRightsDefaultsFeature(
+  options: UserDataRightsDefaultsOptions = {},
+): FeatureDefinition {
+  const fileRefDeleteHook = createFileRefDeleteHook(options.storageProvider);
   return defineFeature("user-data-rights-defaults", (r) => {
     r.requires("user", "files", "user-data-rights");
 

package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts

@@ -1,6 +1,6 @@
 import { deleteMany, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
-import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
+import { type FileStorageProvider, fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
 
 // userData-Hook fuer fileRef-entity (S2.H2).
 //
@@ -9,10 +9,9 @@ import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
 // NICHT direkt — sie werden via signed-Download-URLs separat ins ZIP
 // gepackt (S2.U3 Export-Job-Pipeline orchestriert das).
 //
-// Delete-Hook entfernt FileRef-Zeile + Storage-Binary. Plan-Roadmap
-// docs/plans/datenschutz/storage-encryption.md hat das Subject-
-// Resolver-Pattern fuer File-Encryption als Sprint 4 — bis dahin:
-//   "delete":    Row hard-delete + storageProvider.delete() pro File
+// Delete-Hook entfernt FileRef-Zeile via factory
+// `createFileRefDeleteHook(storageProvider)`:
+//   "delete":    storageProvider.delete() pro File (best-effort) + Row hard-delete
 //   "anonymize": insertedById=null, Row + binary bleiben (FK-Refs
 //                koennen weiter zeigen; Personenbezug raus)
 //
@@ -22,12 +21,17 @@ import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
 // idempotent, KEIN globaler Rollback — wenn ein File-Delete failt,
 // bleibt der User-Row trotzdem anonymisiert.
 //
-// Storage-Provider kommt aus dem App-Bootstrap (createBunServer-
-// options.files.storageProvider). Wir greifen darauf via ctx — der
-// Hook-ctx hat aktuell nur db/tenantId/userId, also fuer Storage-
-// Calls braucht es eine Erweiterung. S2.U3 Export-Job-Pipeline regelt
-// das (Job-ctx hat ctx.files.ref(key)). Hier lassen wir Storage-
-// Cleanup als TODO und faellen das in S2.U5 nochmal an.
+// `storageProvider` ist optional. App-Author wired es beim
+// Feature-Mount rein (`createUserDataRightsDefaultsFeature({
+// storageProvider })`). Ohne Provider macht der Hook row-only-delete,
+// die Bytes leaken — der Caller bekommt EINEN Warn beim ersten Lauf
+// pro Process, damit die Konfiguration sichtbar fehlerhaft ist.
+//
+// Caveat: hard-delete via deleteMany emittiert KEIN fileRef.deleted —
+// die storage-tracking-MSP dekrementiert nicht. Wenn die zu loeschenden
+// Files vorher nicht soft-deleted waren, bleibt `tenant_storage_usage`
+// inflated. Forget-Flows sind selten (per-User-Art.-17) und damit
+// bounded; ein executor.purge-API folgt mit dem trashed-files-GC.
 
 export const fileRefExportHook: UserDataExportHook = async (ctx) => {
   // isDeleted:false — soft-deleted (trashed) Files gehören nicht ins
@@ -76,22 +80,54 @@ export const fileRefExportHook: UserDataExportHook = async (ctx) => {
   };
 };
 
-export const fileRefDeleteHook: UserDataDeleteHook = async (ctx, strategy) => {
-  if (strategy === "delete") {
-    // Hard-delete der FileRef-Rows fuer diesen User in diesem Tenant.
-    // Storage-Binary-Cleanup folgt in S2.U5 wenn der Forget-Job-Ctx
-    // den Storage-Provider exposed.
-    await deleteMany(ctx.db, fileRefsTable, { tenantId: ctx.tenantId, insertedById: ctx.userId });
-  } else {
-    // anonymize: insertedById=null, FileRef + binary bleiben.
-    // Use-case: shared chat-Attachment in einem Multi-User-Channel —
-    // Author-Identifikation raus, Datei bleibt fuer andere User
-    // sichtbar.
-    await updateMany(
-      ctx.db,
-      fileRefsTable,
-      { insertedById: null },
-      { tenantId: ctx.tenantId, insertedById: ctx.userId },
-    );
-  }
-};
+let missingStorageWarned = false;
+
+export function createFileRefDeleteHook(
+  storageProvider: FileStorageProvider | undefined,
+): UserDataDeleteHook {
+  return async (ctx, strategy) => {
+    if (strategy === "delete") {
+      if (storageProvider) {
+        const rows = await selectMany(ctx.db, fileRefsTable, {
+          tenantId: ctx.tenantId,
+          insertedById: ctx.userId,
+        });
+        for (const row of rows) {
+          const key = (row as Record<string, unknown>)["storageKey"]; // @cast-boundary db-row
+          if (typeof key !== "string" || key.length === 0) continue;
+          try {
+            await storageProvider.delete(key);
+          } catch (err) {
+            // biome-ignore lint/suspicious/noConsole: operator-visibility for binary-cleanup-failure
+            console.warn(
+              `[user-data-rights-defaults:fileRef] storage delete failed key=${key} err=${err instanceof Error ? err.message : String(err)}`,
+            );
+          }
+        }
+      } else if (!missingStorageWarned) {
+        missingStorageWarned = true;
+        // biome-ignore lint/suspicious/noConsole: misconfiguration visibility — disk-leak in forget-flow
+        console.warn(
+          "[user-data-rights-defaults:fileRef] no storageProvider configured — file binaries are NOT deleted on forget. Pass createUserDataRightsDefaultsFeature({ storageProvider }) to fix.",
+        );
+      }
+      await deleteMany(ctx.db, fileRefsTable, { tenantId: ctx.tenantId, insertedById: ctx.userId });
+    } else {
+      // anonymize: insertedById=null, FileRef + binary bleiben.
+      // Use-case: shared chat-Attachment in einem Multi-User-Channel —
+      // Author-Identifikation raus, Datei bleibt fuer andere User
+      // sichtbar.
+      await updateMany(
+        ctx.db,
+        fileRefsTable,
+        { insertedById: null },
+        { tenantId: ctx.tenantId, insertedById: ctx.userId },
+      );
+    }
+  };
+}
+
+// Legacy export: storage-less hook for callers that haven't migrated.
+// Binaries are NOT cleaned up — disk leak. Migrate to
+// createUserDataRightsDefaultsFeature({ storageProvider }).
+export const fileRefDeleteHook: UserDataDeleteHook = createFileRefDeleteHook(undefined);