npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.24.0 → 0.25.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.24.0 → 0.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/src/user-data-rights/run-forget-cleanup.ts CHANGED Viewed

@@ -104,8 +104,16 @@ export interface RunForgetCleanupResult {
 interface HookEntry {
   readonly entityName: string;
   readonly deleteHook: UserDataDeleteHook;
+  /** Lower runs first. Owner-column-preserving redaction declares a negative
+   * order so it precedes owner-nulling hooks on the same entity (see sort below). */
+  readonly order: number;
 }
+// EXT_USER_DATA delete-hooks default here; a hook that redacts data keyed on an
+// owner column it doesn't own must register a lower order so it runs BEFORE any
+// hook that nulls that column. See custom-fields wire-user-data-rights.ts.
+const HOOK_ORDER_DEFAULT = 0;
 export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
 ): Promise<RunForgetCleanupResult> {
@@ -127,10 +135,18 @@ export async function runForgetCleanup(
   const usages = registry.getExtensionUsages(EXT_USER_DATA);
   const hookEntries: HookEntry[] = usages
     .map((u): HookEntry | null => {
-      const opts = (u.options ?? {}) as { delete?: UserDataDeleteHook }; // @cast-boundary engine-payload
-      return opts.delete ? { entityName: u.entityName, deleteHook: opts.delete } : null;
+      const opts = (u.options ?? {}) as { delete?: UserDataDeleteHook; order?: number }; // @cast-boundary engine-payload
+      if (!opts.delete) return null;
+      const order = typeof opts.order === "number" ? opts.order : HOOK_ORDER_DEFAULT;
+      return { entityName: u.entityName, deleteHook: opts.delete, order };
     })
-    .filter((x): x is HookEntry => x !== null);
+    .filter((x): x is HookEntry => x !== null)
+    // Order ascending. Array.sort is ES2019-stable, so equal orders keep
+    // registration order; correctness here needs only distinct orders, not
+    // stability. Guarantees owner-preserving redaction (negative order) runs
+    // before owner-nulling hooks on the same entity, independent of feature
+    // registration order.
+    .sort((a, b) => a.order - b.order);
   const errors: ForgetCleanupError[] = [];
   const processedUserIds: string[] = [];
@@ -233,46 +249,40 @@ async function processUser(args: {
     memberships.length > 0 ? memberships.map((m) => m.tenantId) : [SYSTEM_TENANT_ID_FOR_ORPHANS];
   // Per-User-Sub-Tx: hooks + status-flip atomar. Bei Hook-Throw rollt
-  // nur dieser User zurueck, andere User bleiben commit-fest. Drizzle
-  // mappt das in nested-Tx auf SAVEPOINT, in top-level auf BEGIN — die
-  // `transaction()`-API ist auf DbRunner uniform.
-  //
-  // Cast `db as {transaction: ...}` ist eine TS-Limitation: DbRunner ist
-  // `DbConnection | DbTx`, beide haben `.transaction()`, aber TS kann
-  // die Signaturen ueber die Union nicht unifizieren (PgDatabase vs
-  // PgTransaction haben unterschiedliche Generics). Cast macht das
-  // Strukturelle explizit, kein Hack.
+  // nur dieser User zurueck, andere User bleiben commit-fest. Die Sub-Tx
+  // nestet korrekt: eine Top-Level-Connection oeffnet sie via `.begin`
+  // (BEGIN), eine TransactionSql — der Fall im Dispatcher, wo jeder
+  // writeHandler bereits IN der Outer-Tx laeuft — via `.savepoint`
+  // (SAVEPOINT). Siehe runInSubTransaction.
   let txSucceeded = false;
   let currentTenantId: TenantId | null = null;
   let currentEntityName: string | null = null;
   try {
-    await (db as { begin: (fn: (tx: DbRunner) => Promise<void>) => Promise<void> }).begin(
-      async (tx) => {
-        for (const tenantId of tenantList) {
-          currentTenantId = tenantId;
-          for (const entry of hookEntries) {
-            currentEntityName = entry.entityName;
-            const policy = await resolveRetentionPolicyForTenant({
-              db: tx,
-              registry,
-              tenantId,
-              entityName: entry.entityName,
-            });
-            const strategy = policyToStrategy(policy.policy?.strategy ?? null);
+    await runInSubTransaction(db, async (tx) => {
+      for (const tenantId of tenantList) {
+        currentTenantId = tenantId;
+        for (const entry of hookEntries) {
+          currentEntityName = entry.entityName;
+          const policy = await resolveRetentionPolicyForTenant({
+            db: tx,
+            registry,
+            tenantId,
+            entityName: entry.entityName,
+          });
+          const strategy = policyToStrategy(policy.policy?.strategy ?? null);
-            hookCallsAttempted++;
-            await entry.deleteHook({ db: tx, tenantId, userId }, strategy);
-          }
+          hookCallsAttempted++;
+          await entry.deleteHook({ db: tx, tenantId, userId }, strategy);
         }
+      }
-        // Status-Flip in derselben Sub-Tx. Falls einer der Hooks oben
-        // geworfen hat, kommen wir hier nicht an — die Tx rollback'd
-        // alles, der User bleibt im DeletionRequested-Status, naechster
-        // Run retried.
-        await updateMany(tx, userTable, { status: USER_STATUS.Deleted }, { id: userId });
-        txSucceeded = true;
-      },
-    );
+      // Status-Flip in derselben Sub-Tx. Falls einer der Hooks oben
+      // geworfen hat, kommen wir hier nicht an — die Tx rollback'd
+      // alles, der User bleibt im DeletionRequested-Status, naechster
+      // Run retried.
+      await updateMany(tx, userTable, { status: USER_STATUS.Deleted }, { id: userId });
+      txSucceeded = true;
+    });
   } catch (e) {
     // currentTenantId/currentEntityName tracken den Failing-Hook —
     // Operator sieht "Hook fileRef in Tenant A failed for user X" statt
@@ -294,6 +304,37 @@ async function processUser(args: {
   };
 }
+// Per-user sub-transaction, nesting-aware across both db shapes:
+//   - top-level connection (Bun.SQL / postgres-js Sql) → `.begin` (BEGIN)
+//   - TransactionSql (inside the dispatcher's outer tx, where every
+//     writeHandler already runs) → `.savepoint` (SAVEPOINT)
+// A TransactionSql has no `.begin`, so the previous unconditional `.begin`
+// threw "is not a function" on every user when invoked through the dispatcher
+// (the cron path) → zero deletions in production, while direct-connection tests
+// stayed green. Selecting the available method makes the sub-tx work in both
+// contexts; on throw the savepoint rolls back just this user (others survive).
+async function runInSubTransaction(
+  db: DbRunner,
+  fn: (tx: DbRunner) => Promise<void>,
+): Promise<void> {
+  // `db` is already the raw runner (the handler passes ctx.db.raw, the tests a
+  // top-level connection) — cast to read the transaction surface directly,
+  // without asRawClient (a test-only escape hatch). A top-level connection
+  // exposes `.begin`; a TransactionSql only `.savepoint`. They are mutually
+  // exclusive, so prefer whichever is present.
+  const runner = db as {
+    begin?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
+    savepoint?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
+  };
+  const open = runner.begin ?? runner.savepoint;
+  if (!open) {
+    throw new Error(
+      "runForgetCleanup: db exposes neither .begin nor .savepoint — cannot open a per-user sub-transaction",
+    );
+  }
+  await open.call(runner, fn);
+}
 // Pseudo-Tenant fuer User ohne aktive Memberships. RFC4122-konforme
 // Null-UUID. Tenant-scoped Hooks finden hier nichts (no-op),
 // tenant-agnostische Hooks (z.B. user) operieren auf der globalen

package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts CHANGED Viewed

@@ -11,15 +11,21 @@ import { type FileStorageProvider, fileRefsTable } from "@cosmicdrift/kumiko-fra
 //
 // Delete-Hook entfernt FileRef-Zeile via factory
 // `createFileRefDeleteHook(storageProvider)`:
-//   "delete":    storageProvider.delete() pro File (best-effort) + Row hard-delete
+//   "delete":    storageProvider.delete() pro File + Row hard-delete
 //   "anonymize": insertedById=null, Row + binary bleiben (FK-Refs
 //                koennen weiter zeigen; Personenbezug raus)
 //
-// Storage-Provider-Cleanup ist BEST-EFFORT — wenn S3-delete failt,
-// log + skip (Cron-Job kann es retry). Memory: Forget-Atomicity-
-// Decision aus Sprint-2-Architektur (advisor-pinned): per-Hook
-// idempotent, KEIN globaler Rollback — wenn ein File-Delete failt,
-// bleibt der User-Row trotzdem anonymisiert.
+// Delete-Pfad ist FAIL-CLOSED, sobald ein Provider gewired ist: schlaegt ein
+// binary-delete fehl, wirft der Hook
+// NACH dem Loop — die per-User-Sub-Tx von runForgetCleanup rollt zurueck, der
+// User bleibt DeletionRequested, der naechste Run retried (storageProvider.delete
+// ist idempotent, schon-geloeschte Keys sind no-op). Den Fehler zu schlucken und
+// die Row trotzdem hard-zu-loeschen wuerde Art.-17-Erasure als "done" markieren
+// waehrend die Bytes auf Disk bleiben — eine falsche Compliance-Aussage. Das
+// "KEIN globaler Rollback" der Sprint-2-Atomicity-Decision bleibt gewahrt: nur
+// DIESE User-Sub-Tx rollt zurueck (= der Retry-Mechanismus), andere User des
+// Laufs committen. Der anonymize-Pfad behaelt Row+binary bewusst, hat also
+// nichts zu schlucken.
 //
 // `storageProvider` ist optional. App-Author wired es beim
 // Feature-Mount rein (`createUserDataRightsDefaultsFeature({
@@ -92,6 +98,7 @@ export function createFileRefDeleteHook(
           tenantId: ctx.tenantId,
           insertedById: ctx.userId,
         });
+        const failedKeys: string[] = [];
         for (const row of rows) {
           const key = (row as Record<string, unknown>)["storageKey"]; // @cast-boundary db-row
           if (typeof key !== "string" || key.length === 0) continue;
@@ -102,8 +109,16 @@ export function createFileRefDeleteHook(
             console.warn(
               `[user-data-rights-defaults:fileRef] storage delete failed key=${key} err=${err instanceof Error ? err.message : String(err)}`,
             );
+            failedKeys.push(key);
           }
         }
+        // Fail-closed: abort before the row hard-delete so the sub-tx rolls back
+        // and the next forget run retries (delete is idempotent → converges).
+        if (failedKeys.length > 0) {
+          throw new Error(
+            `[user-data-rights-defaults:fileRef] ${failedKeys.length} binary delete(s) failed — aborting forget so the rows are retried next run (keys: ${failedKeys.join(", ")})`,
+          );
+        }
       } else if (!missingStorageWarned) {
         missingStorageWarned = true;
         // biome-ignore lint/suspicious/noConsole: misconfiguration visibility — disk-leak in forget-flow