@cosmicdrift/kumiko-bundled-features 0.24.1 → 0.25.0

package/src/user-data-rights/__tests__/forget-cleanup-hook-ordering.integration.test.ts

@@ -0,0 +1,272 @@
+// DSGVO forget hook-ordering — the custom-fields anonymize strip must run
+// before any host hook that nulls the owner column it filters on, regardless
+// of feature registration order.
+//
+// Two host entities are wired with the OPPOSITE EXT_USER_DATA registration
+// order: one registers the custom-fields strip first (the order that happened
+// to be safe), the other registers the owner-nulling host hook first (the
+// order that exposed the bug). Both run through the real `runForgetCleanup`
+// with strategy=anonymize. With the order-sentinel fix both strip the
+// sensitive jsonb key; without it the host-first entity would leave it behind
+// (the strip matches 0 rows after the owner column is nulled).
+//
+// This drives the full runner on purpose: the existing custom-fields
+// user-data-rights test invokes the strip hook in isolation
+// (getExtensionUsages + direct call) and is structurally blind to ordering.
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { buildEntityTable } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createEntity,
+  createTextField,
+  defineFeature,
+  EXT_USER_DATA,
+  type UserDataDeleteHook,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createTestUser,
+  resetEventStore,
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { fieldDefinitionEntity } from "../../custom-fields/entity";
+import { createCustomFieldsFeature } from "../../custom-fields/feature";
+import { customFieldsField } from "../../custom-fields/wire-for-entity";
+import { wireCustomFieldsUserDataRightsFor } from "../../custom-fields/wire-user-data-rights";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { tenantRetentionOverrideTable } from "../../data-retention/schema/tenant-retention-override";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, userEntity } from "../../user";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
+
+const TENANT = "00000000-0000-4000-8000-0000000000aa";
+
+// Owner-nulling host anonymize hook (the canonical "anonymize keeps the row,
+// clears the owner" pattern — same shape as file-ref/user host hooks).
+function makeHostDeleteHook(tableName: string): UserDataDeleteHook {
+  return async (ctx, strategy) => {
+    if (strategy === "delete") {
+      await asRawClient(ctx.db).unsafe(
+        `DELETE FROM ${tableName} WHERE inserted_by_id = $1 AND tenant_id = $2`,
+        [ctx.userId, ctx.tenantId],
+      );
+      return;
+    }
+    await asRawClient(ctx.db).unsafe(
+      `UPDATE ${tableName} SET inserted_by_id = NULL WHERE inserted_by_id = $1 AND tenant_id = $2`,
+      [ctx.userId, ctx.tenantId],
+    );
+  };
+}
+
+interface HostSpec {
+  readonly entityName: string;
+  readonly tableName: string;
+  readonly featureName: string;
+}
+
+const CF_FIRST: HostSpec = {
+  entityName: "cf-first-prop",
+  tableName: "read_dsgvo_cf_first",
+  featureName: "dsgvo-cf-first",
+};
+const HOST_FIRST: HostSpec = {
+  entityName: "host-first-prop",
+  tableName: "read_dsgvo_host_first",
+  featureName: "dsgvo-host-first",
+};
+
+function makeEntity(tableName: string) {
+  return createEntity({
+    table: tableName,
+    fields: {
+      name: createTextField({ required: true }),
+      customFields: customFieldsField(),
+    },
+  });
+}
+
+const cfFirstEntity = makeEntity(CF_FIRST.tableName);
+const hostFirstEntity = makeEntity(HOST_FIRST.tableName);
+const cfFirstTable = buildEntityTable(CF_FIRST.entityName, cfFirstEntity);
+const hostFirstTable = buildEntityTable(HOST_FIRST.entityName, hostFirstEntity);
+
+// Registration order is the whole point: cfFirst registers the strip BEFORE the
+// owner-nulling host hook; hostFirst registers the host hook FIRST (the order
+// that exposed the bug). The order-sentinel must make both correct.
+const cfFirstFeature = defineFeature(CF_FIRST.featureName, (r) => {
+  r.entity(CF_FIRST.entityName, cfFirstEntity);
+  r.requires("custom-fields");
+  wireCustomFieldsUserDataRightsFor(r, {
+    entityName: CF_FIRST.entityName,
+    entityTable: cfFirstTable,
+    userIdColumn: "inserted_by_id",
+  });
+  r.useExtension(EXT_USER_DATA, CF_FIRST.entityName, {
+    export: async () => null,
+    delete: makeHostDeleteHook(CF_FIRST.tableName),
+  });
+});
+
+const hostFirstFeature = defineFeature(HOST_FIRST.featureName, (r) => {
+  r.entity(HOST_FIRST.entityName, hostFirstEntity);
+  r.requires("custom-fields");
+  r.useExtension(EXT_USER_DATA, HOST_FIRST.entityName, {
+    export: async () => null,
+    delete: makeHostDeleteHook(HOST_FIRST.tableName),
+  });
+  wireCustomFieldsUserDataRightsFor(r, {
+    entityName: HOST_FIRST.entityName,
+    entityTable: hostFirstTable,
+    userIdColumn: "inserted_by_id",
+  });
+});
+
+const admin = createTestUser({ id: 1, roles: ["TenantAdmin"], tenantId: TENANT });
+const FORGET_USER = "cccccccc-cccc-4ccc-8ccc-0000000000a1";
+
+let stack: TestStack;
+// biome-ignore lint/suspicious/noExplicitAny: dummy file-writer; these seeders never write binaries.
+const seed = (db: unknown) => createForgetSeeders(db as any, { write: async () => {} });
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createSessionsFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createCustomFieldsFeature(),
+      createUserDataRightsFeature(),
+      cfFirstFeature,
+      hostFirstFeature,
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, fieldDefinitionEntity);
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+  await unsafeCreateEntityTable(stack.db, cfFirstEntity);
+  await unsafeCreateEntityTable(stack.db, hostFirstEntity);
+  await createEventsTable(stack.db);
+  await asRawClient(stack.db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+async function defineSensitiveField(entityName: string, fieldKey: string, sensitive: boolean) {
+  await stack.http.writeOk(
+    "custom-fields:write:define-tenant-field",
+    {
+      entityName,
+      fieldKey,
+      serializedField: { type: "text", sensitive },
+      required: false,
+      searchable: false,
+      displayOrder: 0,
+    },
+    admin,
+  );
+}
+
+async function seedAnonymizeOverride(entityName: string) {
+  await insertOne(stack.db, tenantRetentionOverrideTable, {
+    entityName,
+    config: JSON.stringify({ keepFor: "0d", strategy: "anonymize" }),
+    reason: "test: force anonymize strategy",
+    tenantId: TENANT,
+  });
+}
+
+async function seedRow(spec: HostSpec, rowId: string) {
+  // Inline jsonb literal — binding the JSON as a `$n::jsonb` param double-encodes
+  // it into a jsonb *string* scalar (jsonb_typeof='string'), which the strip's
+  // object-guard skips. A literal stores a real object, matching what the
+  // set-custom-field projection writes in production.
+  await asRawClient(stack.db).unsafe(
+    `INSERT INTO ${spec.tableName} (id, tenant_id, name, inserted_by_id, custom_fields)
+     VALUES ($1, $2, $3, $4, '{"ssn":"123-45-6789","safe":"keep-me"}'::jsonb)`,
+    [rowId, TENANT, `Row for ${spec.entityName}`, FORGET_USER],
+  );
+}
+
+async function readRow(
+  spec: HostSpec,
+  rowId: string,
+): Promise<Record<string, unknown> | undefined> {
+  const rows = await asRawClient(stack.db).unsafe(
+    `SELECT id, inserted_by_id, custom_fields FROM ${spec.tableName} WHERE id = $1`,
+    [rowId],
+  );
+  return (rows as ReadonlyArray<Record<string, unknown>>)[0];
+}
+
+beforeEach(async () => {
+  await resetEventStore(stack);
+  await asRawClient(stack.db).unsafe(`DELETE FROM ${CF_FIRST.tableName}`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM ${HOST_FIRST.tableName}`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_custom_field_definitions`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_retention_overrides`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_memberships`);
+});
+
+describe("forget hook-ordering :: redaction runs before owner-nulling regardless of registration order", () => {
+  test("both registration orders strip the sensitive jsonb key and null the owner column", async () => {
+    // Field defs (sensitive ssn, non-sensitive safe) for both entities.
+    for (const spec of [CF_FIRST, HOST_FIRST]) {
+      await defineSensitiveField(spec.entityName, "ssn", true);
+      await defineSensitiveField(spec.entityName, "safe", false);
+      await seedAnonymizeOverride(spec.entityName);
+    }
+    // Project the field definitions. Assert the pass had no failures: a silent
+    // projection failure would leave read_custom_field_definitions empty, make
+    // loadSensitiveFieldKeys return [], and turn the strip into a no-op —
+    // verifying the test exercises the strip for the right reason.
+    const pass = await stack.eventDispatcher?.runOnce();
+    expect(pass?.failed ?? 0).toBe(0);
+
+    const cfRowId = "dddddddd-dddd-4ddd-8ddd-000000000001";
+    const hostRowId = "dddddddd-dddd-4ddd-8ddd-000000000002";
+    await seedRow(CF_FIRST, cfRowId);
+    await seedRow(HOST_FIRST, hostRowId);
+
+    await seed(stack.db).seedForgetUser(FORGET_USER);
+    await seed(stack.db).seedMembership(FORGET_USER, TENANT);
+
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: nowInstant(),
+    });
+
+    expect(result.errors).toHaveLength(0);
+    expect(result.processedUserIds).toContain(FORGET_USER);
+
+    for (const [spec, rowId] of [
+      [CF_FIRST, cfRowId],
+      [HOST_FIRST, hostRowId],
+    ] as const) {
+      const row = await readRow(spec, rowId);
+      // Owner column nulled by the host anonymize hook.
+      expect(row?.["inserted_by_id"]).toBeNull();
+      const cf = row?.["custom_fields"] as Record<string, unknown>;
+      // Sensitive key stripped (the strip ran while the owner column still
+      // pointed to the user) — this is the assertion that fails for the
+      // host-first entity without the order-sentinel fix.
+      expect(cf).not.toHaveProperty("ssn");
+      // Non-sensitive key preserved.
+      expect(cf["safe"]).toBe("keep-me");
+    }
+  });
+});

package/src/user-data-rights/__tests__/forget-test-helpers.ts

@@ -0,0 +1,86 @@
+// Shared seeders for the forget-cleanup integration tests
+// (file-binary-forget-cleanup + file-binary-forget-failure). Both drive
+// runForgetCleanup against the same fileRef + membership shape — keeping the
+// DDL and seed logic in one place so a file_refs/user-schema change updates
+// both at once instead of drifting.
+
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { USER_STATUS, userTable } from "../../user";
+
+export const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+export const nowInstant = (): Instant => getTemporal().Now.instant();
+export const pastInstant = (): Instant =>
+  getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+
+export const READ_TENANT_MEMBERSHIPS_DDL = `
+  CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    user_id TEXT NOT NULL,
+    version INTEGER NOT NULL DEFAULT 0,
+    inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    inserted_by_id TEXT,
+    modified_by_id TEXT,
+    is_deleted BOOLEAN NOT NULL DEFAULT false,
+    deleted_at TIMESTAMPTZ,
+    deleted_by_id TEXT,
+    roles TEXT NOT NULL DEFAULT '[]',
+    UNIQUE(user_id, tenant_id)
+  )
+`;
+
+interface FileWriter {
+  write(key: string, bytes: Uint8Array, mimeType: string): Promise<void>;
+}
+
+export interface ForgetSeeders {
+  seedForgetUser(id: string): Promise<void>;
+  seedMembership(userId: string, tenantId: string): Promise<void>;
+  seedFile(id: string, tenantId: string, insertedById: string): Promise<string>;
+}
+
+// `writer` is taken separately from the feature's storageProvider so the
+// failure test can seed binaries through the real backing store while the
+// feature runs against a delete-failing wrapper.
+export function createForgetSeeders(db: DbConnection, writer: FileWriter): ForgetSeeders {
+  return {
+    async seedForgetUser(id) {
+      await insertOne(db, userTable, {
+        id,
+        tenantId: TENANT_SYSTEM,
+        email: `user-${id}@example.com`,
+        passwordHash: "hashed",
+        displayName: `User ${id}`,
+        locale: "de",
+        emailVerified: true,
+        roles: '["Member"]',
+        status: USER_STATUS.DeletionRequested,
+        gracePeriodEnd: pastInstant(),
+      });
+    },
+
+    async seedMembership(userId, tenantId) {
+      await asRawClient(db).unsafe(
+        `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
+         VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
+        [tenantId, userId],
+      );
+    },
+
+    async seedFile(id, tenantId, insertedById) {
+      const storageKey = `storage/${id}`;
+      await writer.write(storageKey, new Uint8Array([1, 2, 3, 4]), "application/pdf");
+      await asRawClient(db).unsafe(
+        `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
+         VALUES ($1, $2, $3, $4, 'application/pdf', 4, $5) ON CONFLICT (id) DO NOTHING`,
+        [id, tenantId, storageKey, `${id}.pdf`, insertedById],
+      );
+      return storageKey;
+    },
+  };
+}

package/src/user-data-rights/db/queries/export-jobs.ts

@@ -1,6 +1,7 @@
 import { selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import type { Temporal } from "temporal-polyfill";
 import { exportJobsTable } from "../../schema/export-job";
 
 export type ExportJobCleanupCandidate = {

package/src/user-data-rights/run-forget-cleanup.ts

@@ -104,8 +104,16 @@ export interface RunForgetCleanupResult {
 interface HookEntry {
   readonly entityName: string;
   readonly deleteHook: UserDataDeleteHook;
+  /** Lower runs first. Owner-column-preserving redaction declares a negative
+   * order so it precedes owner-nulling hooks on the same entity (see sort below). */
+  readonly order: number;
 }
 
+// EXT_USER_DATA delete-hooks default here; a hook that redacts data keyed on an
+// owner column it doesn't own must register a lower order so it runs BEFORE any
+// hook that nulls that column. See custom-fields wire-user-data-rights.ts.
+const HOOK_ORDER_DEFAULT = 0;
+
 export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
 ): Promise<RunForgetCleanupResult> {
@@ -127,10 +135,18 @@ export async function runForgetCleanup(
   const usages = registry.getExtensionUsages(EXT_USER_DATA);
   const hookEntries: HookEntry[] = usages
     .map((u): HookEntry | null => {
-      const opts = (u.options ?? {}) as { delete?: UserDataDeleteHook }; // @cast-boundary engine-payload
-      return opts.delete ? { entityName: u.entityName, deleteHook: opts.delete } : null;
+      const opts = (u.options ?? {}) as { delete?: UserDataDeleteHook; order?: number }; // @cast-boundary engine-payload
+      if (!opts.delete) return null;
+      const order = typeof opts.order === "number" ? opts.order : HOOK_ORDER_DEFAULT;
+      return { entityName: u.entityName, deleteHook: opts.delete, order };
     })
-    .filter((x): x is HookEntry => x !== null);
+    .filter((x): x is HookEntry => x !== null)
+    // Order ascending. Array.sort is ES2019-stable, so equal orders keep
+    // registration order; correctness here needs only distinct orders, not
+    // stability. Guarantees owner-preserving redaction (negative order) runs
+    // before owner-nulling hooks on the same entity, independent of feature
+    // registration order.
+    .sort((a, b) => a.order - b.order);
 
   const errors: ForgetCleanupError[] = [];
   const processedUserIds: string[] = [];
@@ -233,46 +249,40 @@ async function processUser(args: {
     memberships.length > 0 ? memberships.map((m) => m.tenantId) : [SYSTEM_TENANT_ID_FOR_ORPHANS];
 
   // Per-User-Sub-Tx: hooks + status-flip atomar. Bei Hook-Throw rollt
-  // nur dieser User zurueck, andere User bleiben commit-fest. Drizzle
-  // mappt das in nested-Tx auf SAVEPOINT, in top-level auf BEGIN — die
-  // `transaction()`-API ist auf DbRunner uniform.
-  //
-  // Cast `db as {transaction: ...}` ist eine TS-Limitation: DbRunner ist
-  // `DbConnection | DbTx`, beide haben `.transaction()`, aber TS kann
-  // die Signaturen ueber die Union nicht unifizieren (PgDatabase vs
-  // PgTransaction haben unterschiedliche Generics). Cast macht das
-  // Strukturelle explizit, kein Hack.
+  // nur dieser User zurueck, andere User bleiben commit-fest. Die Sub-Tx
+  // nestet korrekt: eine Top-Level-Connection oeffnet sie via `.begin`
+  // (BEGIN), eine TransactionSql — der Fall im Dispatcher, wo jeder
+  // writeHandler bereits IN der Outer-Tx laeuft — via `.savepoint`
+  // (SAVEPOINT). Siehe runInSubTransaction.
   let txSucceeded = false;
   let currentTenantId: TenantId | null = null;
   let currentEntityName: string | null = null;
   try {
-    await (db as { begin: (fn: (tx: DbRunner) => Promise<void>) => Promise<void> }).begin(
-      async (tx) => {
-        for (const tenantId of tenantList) {
-          currentTenantId = tenantId;
-          for (const entry of hookEntries) {
-            currentEntityName = entry.entityName;
-            const policy = await resolveRetentionPolicyForTenant({
-              db: tx,
-              registry,
-              tenantId,
-              entityName: entry.entityName,
-            });
-            const strategy = policyToStrategy(policy.policy?.strategy ?? null);
+    await runInSubTransaction(db, async (tx) => {
+      for (const tenantId of tenantList) {
+        currentTenantId = tenantId;
+        for (const entry of hookEntries) {
+          currentEntityName = entry.entityName;
+          const policy = await resolveRetentionPolicyForTenant({
+            db: tx,
+            registry,
+            tenantId,
+            entityName: entry.entityName,
+          });
+          const strategy = policyToStrategy(policy.policy?.strategy ?? null);
 
-            hookCallsAttempted++;
-            await entry.deleteHook({ db: tx, tenantId, userId }, strategy);
-          }
+          hookCallsAttempted++;
+          await entry.deleteHook({ db: tx, tenantId, userId }, strategy);
         }
+      }
 
-        // Status-Flip in derselben Sub-Tx. Falls einer der Hooks oben
-        // geworfen hat, kommen wir hier nicht an — die Tx rollback'd
-        // alles, der User bleibt im DeletionRequested-Status, naechster
-        // Run retried.
-        await updateMany(tx, userTable, { status: USER_STATUS.Deleted }, { id: userId });
-        txSucceeded = true;
-      },
-    );
+      // Status-Flip in derselben Sub-Tx. Falls einer der Hooks oben
+      // geworfen hat, kommen wir hier nicht an — die Tx rollback'd
+      // alles, der User bleibt im DeletionRequested-Status, naechster
+      // Run retried.
+      await updateMany(tx, userTable, { status: USER_STATUS.Deleted }, { id: userId });
+      txSucceeded = true;
+    });
   } catch (e) {
     // currentTenantId/currentEntityName tracken den Failing-Hook —
     // Operator sieht "Hook fileRef in Tenant A failed for user X" statt
@@ -294,6 +304,37 @@ async function processUser(args: {
   };
 }
 
+// Per-user sub-transaction, nesting-aware across both db shapes:
+//   - top-level connection (Bun.SQL / postgres-js Sql) → `.begin` (BEGIN)
+//   - TransactionSql (inside the dispatcher's outer tx, where every
+//     writeHandler already runs) → `.savepoint` (SAVEPOINT)
+// A TransactionSql has no `.begin`, so the previous unconditional `.begin`
+// threw "is not a function" on every user when invoked through the dispatcher
+// (the cron path) → zero deletions in production, while direct-connection tests
+// stayed green. Selecting the available method makes the sub-tx work in both
+// contexts; on throw the savepoint rolls back just this user (others survive).
+async function runInSubTransaction(
+  db: DbRunner,
+  fn: (tx: DbRunner) => Promise<void>,
+): Promise<void> {
+  // `db` is already the raw runner (the handler passes ctx.db.raw, the tests a
+  // top-level connection) — cast to read the transaction surface directly,
+  // without asRawClient (a test-only escape hatch). A top-level connection
+  // exposes `.begin`; a TransactionSql only `.savepoint`. They are mutually
+  // exclusive, so prefer whichever is present.
+  const runner = db as {
+    begin?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
+    savepoint?: (f: (tx: DbRunner) => Promise<void>) => Promise<void>;
+  };
+  const open = runner.begin ?? runner.savepoint;
+  if (!open) {
+    throw new Error(
+      "runForgetCleanup: db exposes neither .begin nor .savepoint — cannot open a per-user sub-transaction",
+    );
+  }
+  await open.call(runner, fn);
+}
+
 // Pseudo-Tenant fuer User ohne aktive Memberships. RFC4122-konforme
 // Null-UUID. Tenant-scoped Hooks finden hier nichts (no-op),
 // tenant-agnostische Hooks (z.B. user) operieren auf der globalen

package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts

@@ -11,15 +11,21 @@ import { type FileStorageProvider, fileRefsTable } from "@cosmicdrift/kumiko-fra
 //
 // Delete-Hook entfernt FileRef-Zeile via factory
 // `createFileRefDeleteHook(storageProvider)`:
-//   "delete":    storageProvider.delete() pro File (best-effort) + Row hard-delete
+//   "delete":    storageProvider.delete() pro File + Row hard-delete
 //   "anonymize": insertedById=null, Row + binary bleiben (FK-Refs
 //                koennen weiter zeigen; Personenbezug raus)
 //
-// Storage-Provider-Cleanup ist BEST-EFFORT — wenn S3-delete failt,
-// log + skip (Cron-Job kann es retry). Memory: Forget-Atomicity-
-// Decision aus Sprint-2-Architektur (advisor-pinned): per-Hook
-// idempotent, KEIN globaler Rollback — wenn ein File-Delete failt,
-// bleibt der User-Row trotzdem anonymisiert.
+// Delete-Pfad ist FAIL-CLOSED, sobald ein Provider gewired ist: schlaegt ein
+// binary-delete fehl, wirft der Hook
+// NACH dem Loop — die per-User-Sub-Tx von runForgetCleanup rollt zurueck, der
+// User bleibt DeletionRequested, der naechste Run retried (storageProvider.delete
+// ist idempotent, schon-geloeschte Keys sind no-op). Den Fehler zu schlucken und
+// die Row trotzdem hard-zu-loeschen wuerde Art.-17-Erasure als "done" markieren
+// waehrend die Bytes auf Disk bleiben — eine falsche Compliance-Aussage. Das
+// "KEIN globaler Rollback" der Sprint-2-Atomicity-Decision bleibt gewahrt: nur
+// DIESE User-Sub-Tx rollt zurueck (= der Retry-Mechanismus), andere User des
+// Laufs committen. Der anonymize-Pfad behaelt Row+binary bewusst, hat also
+// nichts zu schlucken.
 //
 // `storageProvider` ist optional. App-Author wired es beim
 // Feature-Mount rein (`createUserDataRightsDefaultsFeature({
@@ -92,6 +98,7 @@ export function createFileRefDeleteHook(
           tenantId: ctx.tenantId,
           insertedById: ctx.userId,
         });
+        const failedKeys: string[] = [];
         for (const row of rows) {
           const key = (row as Record<string, unknown>)["storageKey"]; // @cast-boundary db-row
           if (typeof key !== "string" || key.length === 0) continue;
@@ -102,8 +109,16 @@ export function createFileRefDeleteHook(
             console.warn(
               `[user-data-rights-defaults:fileRef] storage delete failed key=${key} err=${err instanceof Error ? err.message : String(err)}`,
             );
+            failedKeys.push(key);
           }
         }
+        // Fail-closed: abort before the row hard-delete so the sub-tx rolls back
+        // and the next forget run retries (delete is idempotent → converges).
+        if (failedKeys.length > 0) {
+          throw new Error(
+            `[user-data-rights-defaults:fileRef] ${failedKeys.length} binary delete(s) failed — aborting forget so the rows are retried next run (keys: ${failedKeys.join(", ")})`,
+          );
+        }
       } else if (!missingStorageWarned) {
         missingStorageWarned = true;
         // biome-ignore lint/suspicious/noConsole: misconfiguration visibility — disk-leak in forget-flow