@cosmicdrift/kumiko-bundled-features 0.24.0 → 0.25.0

package/src/user-data-rights/__tests__/file-binary-forget-failure.integration.test.ts

@@ -0,0 +1,211 @@
+// Forget-Hook fail-closed Integration-Test.
+//
+// Beweist den Vertrag von runForgetCleanup für den fileRef-delete-Hook: wenn
+// `storageProvider.delete()` fehlschlägt, wirft der Hook → die per-User-Sub-Tx
+// rollt zurück → der User bleibt `DeletionRequested`, die Row + Binary bleiben,
+// der Fehler landet im `errors`-Array. Der nächste Run (Storage wieder ok)
+// konvergiert sauber, weil `delete` idempotent ist. Ohne den Throw würde ein
+// transienter Storage-Fehler die Row permanent hard-löschen, den User auf
+// `Deleted` flippen und die Binary dauerhaft verwaisen lassen (Art.-17-Erasure
+// still unvollständig).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createInMemoryFileProvider,
+  fileRefsTable,
+  type InMemoryFileProvider,
+} from "@cosmicdrift/kumiko-framework/files";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createFilesFeature } from "../../files";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  type ForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
+
+let stack: TestStack;
+let db: DbConnection;
+let base: InMemoryFileProvider;
+let seed: ForgetSeeders;
+// `delete` throws while set; flip off to simulate storage recovery on retry.
+let failDeletes = true;
+
+const TENANT = "00000000-0000-4000-8000-00000000000e";
+
+beforeAll(async () => {
+  base = createInMemoryFileProvider();
+  // Spread the real provider (all methods bound to its store) and override
+  // only `delete` to fail on demand — lets one test prove abort + retry-convergence.
+  const flakyProvider: InMemoryFileProvider = {
+    ...base,
+    async delete(key) {
+      if (failDeletes) throw new Error("storage unavailable (test)");
+      return base.delete(key);
+    },
+  };
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature({ storageProvider: flakyProvider }),
+    ],
+    files: { storageProvider: flakyProvider },
+  });
+  db = stack.db;
+  // Seeders write binaries through the real store (`base`), not the flaky
+  // wrapper — the wrapper's `delete` failure is what the test exercises.
+  seed = createForgetSeeders(db, base);
+
+  await unsafeCreateEntityTable(db, userEntity);
+  await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
+  await unsafePushTables(db, { fileRefsTable });
+  await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  failDeletes = true;
+  base.clear();
+  await resetTestTables(db, [userTable, "read_tenant_memberships", fileRefsTable]);
+});
+
+async function fileRowCount(tenantId: string, insertedById: string): Promise<number> {
+  const rows = await asRawClient(db).unsafe(
+    `SELECT 1 FROM file_refs WHERE tenant_id = $1 AND inserted_by_id = $2`,
+    [tenantId, insertedById],
+  );
+  return (rows as ReadonlyArray<unknown>).length;
+}
+
+describe("forget fail-closed :: storage.delete failure aborts the row hard-delete", () => {
+  test("storage delete fails → user stays DeletionRequested, row + binary remain, error surfaced", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000001";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000001", TENANT, userId);
+
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+
+    // NOT flipped to Deleted — the sub-tx rolled back.
+    expect(result.processedUserIds).not.toContain(userId);
+    // Failure surfaced for operator visibility.
+    expect(result.errors.some((e) => e.userId === userId && e.entityName === "fileRef")).toBe(true);
+    // Row NOT hard-deleted; binary NOT orphaned.
+    expect(await fileRowCount(TENANT, userId)).toBe(1);
+    expect(await base.exists(key)).toBe(true);
+    // User still pending deletion in the DB.
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.DeletionRequested);
+  });
+
+  test("next run with storage healthy converges (idempotent delete) — user deleted, binary gone", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000002";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000002", TENANT, userId);
+
+    // First run: storage down → abort.
+    const first = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    expect(first.processedUserIds).not.toContain(userId);
+    expect(await base.exists(key)).toBe(true);
+
+    // Storage recovers; retry converges.
+    failDeletes = false;
+    const second = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+
+    expect(second.processedUserIds).toContain(userId);
+    expect(await base.exists(key)).toBe(false);
+    expect(await fileRowCount(TENANT, userId)).toBe(0);
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+});
+
+// Same contract, but driven through the REAL dispatcher (POST run-forget-cleanup)
+// rather than calling runForgetCleanup with a top-level connection. The
+// dispatcher wraps the handler in an outer transaction, so ctx.db.raw is a
+// TransactionSql — which has `.savepoint`, not `.begin`. The per-user sub-tx
+// must open as a SAVEPOINT here; the previous `.begin`-only path threw on every
+// user when invoked this way (the cron path), so production deleted nobody while
+// these direct-connection tests stayed green. #214.
+describe("forget-cleanup through the real dispatcher :: per-user savepoint nests under the handler tx", () => {
+  const systemUser = {
+    id: "00000000-0000-4000-8000-0000000000ff",
+    tenantId: TENANT,
+    roles: ["SystemAdmin"],
+  };
+  type CleanupResult = {
+    readonly processedUserIds: readonly string[];
+    readonly hookCallsAttempted: number;
+    readonly errorCount: number;
+    readonly errors: ReadonlyArray<{ readonly userId: string; readonly entityName: string }>;
+  };
+  const RUN_FORGET = "user-data-rights:write:run-forget-cleanup";
+
+  test("dispatcher POST flips a due user to Deleted (SAVEPOINT inside the outer handler tx)", async () => {
+    failDeletes = false;
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000003";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000003", TENANT, userId);
+
+    const result = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+
+    // Pre-fix this list was always empty — `.begin` is absent on the
+    // dispatcher's TransactionSql, so the per-user sub-tx threw for every user.
+    expect(result.processedUserIds).toContain(userId);
+    expect(result.errorCount).toBe(0);
+    expect(await base.exists(key)).toBe(false);
+    expect(await fileRowCount(TENANT, userId)).toBe(0);
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+
+  test("fail-closed + retry-convergence through the dispatcher (savepoint rolls back one user)", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000004";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000004", TENANT, userId);
+
+    // Storage down → fileRef hook throws → ROLLBACK TO SAVEPOINT undoes just
+    // this user; the outer handler tx still commits the run. User stays pending.
+    failDeletes = true;
+    const failed = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+    expect(failed.processedUserIds).not.toContain(userId);
+    expect(failed.errors.some((e) => e.userId === userId && e.entityName === "fileRef")).toBe(true);
+    expect(await base.exists(key)).toBe(true);
+    let row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.DeletionRequested);
+
+    // Storage recovers → retry converges (idempotent delete).
+    failDeletes = false;
+    const ok = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+    expect(ok.processedUserIds).toContain(userId);
+    expect(await base.exists(key)).toBe(false);
+    row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+});

package/src/user-data-rights/__tests__/forget-cleanup-hook-ordering.integration.test.ts

@@ -0,0 +1,272 @@
+// DSGVO forget hook-ordering — the custom-fields anonymize strip must run
+// before any host hook that nulls the owner column it filters on, regardless
+// of feature registration order.
+//
+// Two host entities are wired with the OPPOSITE EXT_USER_DATA registration
+// order: one registers the custom-fields strip first (the order that happened
+// to be safe), the other registers the owner-nulling host hook first (the
+// order that exposed the bug). Both run through the real `runForgetCleanup`
+// with strategy=anonymize. With the order-sentinel fix both strip the
+// sensitive jsonb key; without it the host-first entity would leave it behind
+// (the strip matches 0 rows after the owner column is nulled).
+//
+// This drives the full runner on purpose: the existing custom-fields
+// user-data-rights test invokes the strip hook in isolation
+// (getExtensionUsages + direct call) and is structurally blind to ordering.
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createTextField,
+  defineFeature,
+  EXT_USER_DATA,
+  type UserDataDeleteHook,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  resetEventStore,
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { fieldDefinitionEntity } from "../../custom-fields/entity";
+import { createCustomFieldsFeature } from "../../custom-fields/feature";
+import { customFieldsField } from "../../custom-fields/wire-for-entity";
+import { wireCustomFieldsUserDataRightsFor } from "../../custom-fields/wire-user-data-rights";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { tenantRetentionOverrideTable } from "../../data-retention/schema/tenant-retention-override";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, userEntity } from "../../user";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
+
+const TENANT = "00000000-0000-4000-8000-0000000000aa";
+
+// Owner-nulling host anonymize hook (the canonical "anonymize keeps the row,
+// clears the owner" pattern — same shape as file-ref/user host hooks).
+function makeHostDeleteHook(tableName: string): UserDataDeleteHook {
+  return async (ctx, strategy) => {
+    if (strategy === "delete") {
+      await asRawClient(ctx.db).unsafe(
+        `DELETE FROM ${tableName} WHERE inserted_by_id = $1 AND tenant_id = $2`,
+        [ctx.userId, ctx.tenantId],
+      );
+      return;
+    }
+    await asRawClient(ctx.db).unsafe(
+      `UPDATE ${tableName} SET inserted_by_id = NULL WHERE inserted_by_id = $1 AND tenant_id = $2`,
+      [ctx.userId, ctx.tenantId],
+    );
+  };
+}
+
+interface HostSpec {
+  readonly entityName: string;
+  readonly tableName: string;
+  readonly featureName: string;
+}
+
+const CF_FIRST: HostSpec = {
+  entityName: "cf-first-prop",
+  tableName: "read_dsgvo_cf_first",
+  featureName: "dsgvo-cf-first",
+};
+const HOST_FIRST: HostSpec = {
+  entityName: "host-first-prop",
+  tableName: "read_dsgvo_host_first",
+  featureName: "dsgvo-host-first",
+};
+
+function makeEntity(tableName: string) {
+  return createEntity({
+    table: tableName,
+    fields: {
+      name: createTextField({ required: true }),
+      customFields: customFieldsField(),
+    },
+  });
+}
+
+const cfFirstEntity = makeEntity(CF_FIRST.tableName);
+const hostFirstEntity = makeEntity(HOST_FIRST.tableName);
+const cfFirstTable = buildEntityTable(CF_FIRST.entityName, cfFirstEntity);
+const hostFirstTable = buildEntityTable(HOST_FIRST.entityName, hostFirstEntity);
+
+// Registration order is the whole point: cfFirst registers the strip BEFORE the
+// owner-nulling host hook; hostFirst registers the host hook FIRST (the order
+// that exposed the bug). The order-sentinel must make both correct.
+const cfFirstFeature = defineFeature(CF_FIRST.featureName, (r) => {
+  r.entity(CF_FIRST.entityName, cfFirstEntity);
+  r.requires("custom-fields");
+  wireCustomFieldsUserDataRightsFor(r, {
+    entityName: CF_FIRST.entityName,
+    entityTable: cfFirstTable,
+    userIdColumn: "inserted_by_id",
+  });
+  r.useExtension(EXT_USER_DATA, CF_FIRST.entityName, {
+    export: async () => null,
+    delete: makeHostDeleteHook(CF_FIRST.tableName),
+  });
+});
+
+const hostFirstFeature = defineFeature(HOST_FIRST.featureName, (r) => {
+  r.entity(HOST_FIRST.entityName, hostFirstEntity);
+  r.requires("custom-fields");
+  r.useExtension(EXT_USER_DATA, HOST_FIRST.entityName, {
+    export: async () => null,
+    delete: makeHostDeleteHook(HOST_FIRST.tableName),
+  });
+  wireCustomFieldsUserDataRightsFor(r, {
+    entityName: HOST_FIRST.entityName,
+    entityTable: hostFirstTable,
+    userIdColumn: "inserted_by_id",
+  });
+});
+
+const admin = createTestUser({ id: 1, roles: ["TenantAdmin"], tenantId: TENANT });
+const FORGET_USER = "cccccccc-cccc-4ccc-8ccc-0000000000a1";
+
+let stack: TestStack;
+// biome-ignore lint/suspicious/noExplicitAny: dummy file-writer; these seeders never write binaries.
+const seed = (db: unknown) => createForgetSeeders(db as any, { write: async () => {} });
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createSessionsFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createCustomFieldsFeature(),
+      createUserDataRightsFeature(),
+      cfFirstFeature,
+      hostFirstFeature,
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, fieldDefinitionEntity);
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+  await unsafeCreateEntityTable(stack.db, cfFirstEntity);
+  await unsafeCreateEntityTable(stack.db, hostFirstEntity);
+  await createEventsTable(stack.db);
+  await asRawClient(stack.db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+async function defineSensitiveField(entityName: string, fieldKey: string, sensitive: boolean) {
+  await stack.http.writeOk(
+    "custom-fields:write:define-tenant-field",
+    {
+      entityName,
+      fieldKey,
+      serializedField: { type: "text", sensitive },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    },
+    admin,
+  );
+}
+
+async function seedAnonymizeOverride(entityName: string) {
+  await insertOne(stack.db, tenantRetentionOverrideTable, {
+    entityName,
+    config: JSON.stringify({ keepFor: "0d", strategy: "anonymize" }),
+    reason: "test: force anonymize strategy",
+    tenantId: TENANT,
+  });
+}
+
+async function seedRow(spec: HostSpec, rowId: string) {
+  // Inline jsonb literal — binding the JSON as a `$n::jsonb` param double-encodes
+  // it into a jsonb *string* scalar (jsonb_typeof='string'), which the strip's
+  // object-guard skips. A literal stores a real object, matching what the
+  // set-custom-field projection writes in production.
+  await asRawClient(stack.db).unsafe(
+    `INSERT INTO ${spec.tableName} (id, tenant_id, name, inserted_by_id, custom_fields)
+     VALUES ($1, $2, $3, $4, '{"ssn":"123-45-6789","safe":"keep-me"}'::jsonb)`,
+    [rowId, TENANT, `Row for ${spec.entityName}`, FORGET_USER],
+  );
+}
+
+async function readRow(
+  spec: HostSpec,
+  rowId: string,
+): Promise<Record<string, unknown> | undefined> {
+  const rows = await asRawClient(stack.db).unsafe(
+    `SELECT id, inserted_by_id, custom_fields FROM ${spec.tableName} WHERE id = $1`,
+    [rowId],
+  );
+  return (rows as ReadonlyArray<Record<string, unknown>>)[0];
+}
+
+beforeEach(async () => {
+  await resetEventStore(stack);
+  await asRawClient(stack.db).unsafe(`DELETE FROM ${CF_FIRST.tableName}`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM ${HOST_FIRST.tableName}`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_custom_field_definitions`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_retention_overrides`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_memberships`);
+});
+
+describe("forget hook-ordering :: redaction runs before owner-nulling regardless of registration order", () => {
+  test("both registration orders strip the sensitive jsonb key and null the owner column", async () => {
+    // Field defs (sensitive ssn, non-sensitive safe) for both entities.
+    for (const spec of [CF_FIRST, HOST_FIRST]) {
+      await defineSensitiveField(spec.entityName, "ssn", true);
+      await defineSensitiveField(spec.entityName, "safe", false);
+      await seedAnonymizeOverride(spec.entityName);
+    }
+    // Project the field definitions. Assert the pass had no failures: a silent
+    // projection failure would leave read_custom_field_definitions empty, make
+    // loadSensitiveFieldKeys return [], and turn the strip into a no-op —
+    // verifying the test exercises the strip for the right reason.
+    const pass = await stack.eventDispatcher?.runOnce();
+    expect(pass?.failed ?? 0).toBe(0);
+
+    const cfRowId = "dddddddd-dddd-4ddd-8ddd-000000000001";
+    const hostRowId = "dddddddd-dddd-4ddd-8ddd-000000000002";
+    await seedRow(CF_FIRST, cfRowId);
+    await seedRow(HOST_FIRST, hostRowId);
+
+    await seed(stack.db).seedForgetUser(FORGET_USER);
+    await seed(stack.db).seedMembership(FORGET_USER, TENANT);
+
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: nowInstant(),
+    });
+
+    expect(result.errors).toHaveLength(0);
+    expect(result.processedUserIds).toContain(FORGET_USER);
+
+    for (const [spec, rowId] of [
+      [CF_FIRST, cfRowId],
+      [HOST_FIRST, hostRowId],
+    ] as const) {
+      const row = await readRow(spec, rowId);
+      // Owner column nulled by the host anonymize hook.
+      expect(row?.["inserted_by_id"]).toBeNull();
+      const cf = row?.["custom_fields"] as Record<string, unknown>;
+      // Sensitive key stripped (the strip ran while the owner column still
+      // pointed to the user) — this is the assertion that fails for the
+      // host-first entity without the order-sentinel fix.
+      expect(cf).not.toHaveProperty("ssn");
+      // Non-sensitive key preserved.
+      expect(cf["safe"]).toBe("keep-me");
+    }
+  });
+});

package/src/user-data-rights/__tests__/forget-test-helpers.ts

@@ -0,0 +1,86 @@
+// Shared seeders for the forget-cleanup integration tests
+// (file-binary-forget-cleanup + file-binary-forget-failure). Both drive
+// runForgetCleanup against the same fileRef + membership shape — keeping the
+// DDL and seed logic in one place so a file_refs/user-schema change updates
+// both at once instead of drifting.
+
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { USER_STATUS, userTable } from "../../user";
+
+export const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+export const nowInstant = (): Instant => getTemporal().Now.instant();
+export const pastInstant = (): Instant =>
+  getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+
+export const READ_TENANT_MEMBERSHIPS_DDL = `
+  CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    user_id TEXT NOT NULL,
+    version INTEGER NOT NULL DEFAULT 0,
+    inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    inserted_by_id TEXT,
+    modified_by_id TEXT,
+    is_deleted BOOLEAN NOT NULL DEFAULT false,
+    deleted_at TIMESTAMPTZ,
+    deleted_by_id TEXT,
+    roles TEXT NOT NULL DEFAULT '[]',
+    UNIQUE(user_id, tenant_id)
+  )
+`;
+
+interface FileWriter {
+  write(key: string, bytes: Uint8Array, mimeType: string): Promise<void>;
+}
+
+export interface ForgetSeeders {
+  seedForgetUser(id: string): Promise<void>;
+  seedMembership(userId: string, tenantId: string): Promise<void>;
+  seedFile(id: string, tenantId: string, insertedById: string): Promise<string>;
+}
+
+// `writer` is taken separately from the feature's storageProvider so the
+// failure test can seed binaries through the real backing store while the
+// feature runs against a delete-failing wrapper.
+export function createForgetSeeders(db: DbConnection, writer: FileWriter): ForgetSeeders {
+  return {
+    async seedForgetUser(id) {
+      await insertOne(db, userTable, {
+        id,
+        tenantId: TENANT_SYSTEM,
+        email: `user-${id}@example.com`,
+        passwordHash: "hashed",
+        displayName: `User ${id}`,
+        locale: "de",
+        emailVerified: true,
+        roles: '["Member"]',
+        status: USER_STATUS.DeletionRequested,
+        gracePeriodEnd: pastInstant(),
+      });
+    },
+
+    async seedMembership(userId, tenantId) {
+      await asRawClient(db).unsafe(
+        `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
+         VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
+        [tenantId, userId],
+      );
+    },
+
+    async seedFile(id, tenantId, insertedById) {
+      const storageKey = `storage/${id}`;
+      await writer.write(storageKey, new Uint8Array([1, 2, 3, 4]), "application/pdf");
+      await asRawClient(db).unsafe(
+        `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
+         VALUES ($1, $2, $3, $4, 'application/pdf', 4, $5) ON CONFLICT (id) DO NOTHING`,
+        [id, tenantId, storageKey, `${id}.pdf`, insertedById],
+      );
+      return storageKey;
+    },
+  };
+}

package/src/user-data-rights/db/queries/export-jobs.ts

@@ -1,6 +1,7 @@
 import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import type { Temporal } from "temporal-polyfill";
 import { exportJobsTable } from "../../schema/export-job";
 
 export type ExportJobCleanupCandidate = {