npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.24.1 → 0.26.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.24.1 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/src/tier-engine/__tests__/tier-engine.integration.test.ts CHANGED Viewed

@@ -223,6 +223,61 @@ describe("scenario 6: access control", () => {
     expectErrorIncludes(error, "access_denied");
   });
+  test("TenantAdmin (ohne SystemAdmin) cannot create a tier-assignment — Self-Upgrade-Schutz", async () => {
+    // Tier-Wechsel ist Plattform-/Billing-Hoheit: ein Tenant-Admin darf
+    // seinen eigenen Tier NICHT setzen (sonst Gratis-Self-Upgrade).
+    const tenantAdmin = createTestUser({
+      id: 310,
+      tenantId: testTenantId(310),
+      roles: ["TenantAdmin"],
+    });
+    const error = await stack.http.writeErr(
+      TierEngineHandlers.create,
+      { tier: "pro" },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+  test("TenantAdmin cannot update a tier-assignment", async () => {
+    const sysadmin = createTestUser({
+      id: 311,
+      tenantId: testTenantId(311),
+      roles: ["SystemAdmin"],
+    });
+    const created = await stack.http.writeOk(TierEngineHandlers.create, { tier: "free" }, sysadmin);
+    const id = (created!["data"] as Record<string, unknown>)["id"] as string;
+    // Selber Tenant, aber reiner TenantAdmin → darf den Tier nicht ändern.
+    const tenantAdmin = createTestUser({
+      id: 312,
+      tenantId: testTenantId(311),
+      roles: ["TenantAdmin"],
+    });
+    const error = await stack.http.writeErr(
+      TierEngineHandlers.update,
+      { id, version: 1, changes: { tier: "agency" } },
+      tenantAdmin,
+    );
+    expectErrorIncludes(error, "access_denied");
+  });
+  test("SystemAdmin (ohne TenantAdmin) CAN create a tier-assignment", async () => {
+    const sysadmin = createTestUser({
+      id: 313,
+      tenantId: testTenantId(313),
+      roles: ["SystemAdmin"],
+    });
+    const result = await stack.http.writeOk(TierEngineHandlers.create, { tier: "team" }, sysadmin);
+    expect((result!["data"] as Record<string, unknown>)["tier"]).toBe("team");
+  });
   test("query handlers carry the admin-only access rule (config-level check)", () => {
     // Read-access is enforced by the same role-rule set on the query handler.
     // We assert the rule is registered correctly — covers regression when

package/src/tier-engine/feature.ts CHANGED Viewed

@@ -81,6 +81,12 @@ const tierAssignmentExecutor = createEventStoreExecutor(tierAssignmentTable, tie
 });
 const adminAccess = { access: { roles: ["TenantAdmin", "SystemAdmin"] } } as const;
+// Tier-Wechsel ist Plattform-/Billing-Hoheit — ein Tenant-Admin darf den
+// eigenen Tier NIE setzen (sonst Gratis-Self-Upgrade). Daher sind die
+// Writes SystemAdmin-only; Reads (list, get-active-tier) bleiben
+// TenantAdmin-sichtbar. Auto-default-Hook + Billing schreiben als System,
+// hängen also nicht an diesem Handler-Access.
+const writeAccess = { access: { roles: ["SystemAdmin"] } } as const;
 /**
  * Options for createTierEngineFeature. Both fields optional — wenn beide
@@ -167,8 +173,8 @@ export function createTierEngineFeature<
     r.entity("tier-assignment", tierAssignmentEntity);
     // Standard-CRUD via Helper.
-    r.writeHandler(defineEntityCreateHandler("tier-assignment", tierAssignmentEntity, adminAccess));
-    r.writeHandler(defineEntityUpdateHandler("tier-assignment", tierAssignmentEntity, adminAccess));
+    r.writeHandler(defineEntityCreateHandler("tier-assignment", tierAssignmentEntity, writeAccess));
+    r.writeHandler(defineEntityUpdateHandler("tier-assignment", tierAssignmentEntity, writeAccess));
     // Reads.
     r.queryHandler(defineEntityListHandler("tier-assignment", tierAssignmentEntity, adminAccess));

package/src/user-data-rights/__tests__/file-binary-forget-cleanup.integration.test.ts CHANGED Viewed

@@ -6,7 +6,7 @@
 // Datei ihre Bytes dauerhaft auf Disk (Issue gefunden im Review zu #177).
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
-import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import {
   createInMemoryFileProvider,
@@ -20,31 +20,32 @@ import {
   unsafePushTables,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
-import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { createComplianceProfilesFeature } from "../../compliance-profiles";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
 import { createFilesFeature } from "../../files";
 import { createSessionsFeature } from "../../sessions";
-import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserFeature, userEntity, userTable } from "../../user";
 import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
 import { createUserDataRightsFeature } from "../feature";
 import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  type ForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
 let stack: TestStack;
 let db: DbConnection;
 let provider: InMemoryFileProvider;
+let seed: ForgetSeeders;
 const TENANT = "00000000-0000-4000-8000-00000000000c";
-const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
 function uuid(suffix: number): string {
   return `bbbbbbbb-bbbb-4bbb-8bbb-${suffix.toString(16).padStart(12, "0")}`;
 }
-type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
-const NOW = (): Instant => getTemporal().Now.instant();
-const pastInstant = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
 beforeAll(async () => {
   provider = createInMemoryFileProvider();
   stack = await setupTestStack({
@@ -60,27 +61,12 @@ beforeAll(async () => {
     files: { storageProvider: provider },
   });
   db = stack.db;
+  seed = createForgetSeeders(db, provider);
   await unsafeCreateEntityTable(db, userEntity);
   await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
   await unsafePushTables(db, { fileRefsTable });
-  await asRawClient(db).unsafe(`
-    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
-      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-      tenant_id UUID NOT NULL,
-      user_id TEXT NOT NULL,
-      version INTEGER NOT NULL DEFAULT 0,
-      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
-      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
-      inserted_by_id TEXT,
-      modified_by_id TEXT,
-      is_deleted BOOLEAN NOT NULL DEFAULT false,
-      deleted_at TIMESTAMPTZ,
-      deleted_by_id TEXT,
-      roles TEXT NOT NULL DEFAULT '[]',
-      UNIQUE(user_id, tenant_id)
-    )
-  `);
+  await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
 });
 afterAll(async () => {
@@ -92,49 +78,15 @@ beforeEach(async () => {
   await resetTestTables(db, [userTable, "read_tenant_memberships", fileRefsTable]);
 });
-async function seedForgetUser(id: string): Promise<void> {
-  await insertOne(db, userTable, {
-    id,
-    tenantId: TENANT_SYSTEM,
-    email: `user-${id}@example.com`,
-    passwordHash: "hashed",
-    displayName: `User ${id}`,
-    locale: "de",
-    emailVerified: true,
-    roles: '["Member"]',
-    status: USER_STATUS.DeletionRequested,
-    gracePeriodEnd: pastInstant(),
-  });
-}
-async function seedMembership(userId: string, tenantId: string): Promise<void> {
-  await asRawClient(db).unsafe(
-    `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles)
-     VALUES ($1, $2, '["Member"]') ON CONFLICT (user_id, tenant_id) DO NOTHING`,
-    [tenantId, userId],
-  );
-}
-async function seedFile(id: string, tenantId: string, insertedById: string): Promise<string> {
-  const storageKey = `storage/${id}`;
-  await provider.write(storageKey, new Uint8Array([1, 2, 3, 4]), "application/pdf");
-  await asRawClient(db).unsafe(
-    `INSERT INTO file_refs (id, tenant_id, storage_key, file_name, mime_type, size, inserted_by_id)
-     VALUES ($1, $2, $3, $4, 'application/pdf', 4, $5) ON CONFLICT (id) DO NOTHING`,
-    [id, tenantId, storageKey, `${id}.pdf`, insertedById],
-  );
-  return storageKey;
-}
 describe("forget-binary-cleanup :: storage.delete fires before row hard-delete", () => {
   test("Forget deletes the binary from the storage provider", async () => {
     const userId = uuid(1);
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
-    const key = await seedFile(uuid(101), TENANT, userId);
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile(uuid(101), TENANT, userId);
     expect(await provider.exists(key)).toBe(true);
-    const result = await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     expect(result.processedUserIds).toContain(userId);
     expect(await provider.exists(key)).toBe(false);
@@ -143,16 +95,16 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
   test("Multiple files from the same user — all binaries cleaned up", async () => {
     const userId = uuid(2);
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
     const keys = await Promise.all([
-      seedFile(uuid(201), TENANT, userId),
-      seedFile(uuid(202), TENANT, userId),
-      seedFile(uuid(203), TENANT, userId),
+      seed.seedFile(uuid(201), TENANT, userId),
+      seed.seedFile(uuid(202), TENANT, userId),
+      seed.seedFile(uuid(203), TENANT, userId),
     ]);
     expect(provider.keys()).toHaveLength(3);
-    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     for (const key of keys) {
       expect(await provider.exists(key)).toBe(false);
@@ -163,14 +115,14 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
   test("Other tenants' files stay untouched", async () => {
     const userId = uuid(3);
     const otherTenant = "00000000-0000-4000-8000-00000000000d";
-    await seedForgetUser(userId);
-    await seedMembership(userId, TENANT);
-    const myKey = await seedFile(uuid(301), TENANT, userId);
-    const otherKey = await seedFile(uuid(302), otherTenant, "another-user");
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const myKey = await seed.seedFile(uuid(301), TENANT, userId);
+    const otherKey = await seed.seedFile(uuid(302), otherTenant, "another-user");
     // The other-tenant file is owned by a different user; the forget run for
     // userId must NOT touch it.
-    await runForgetCleanup({ db, registry: stack.registry, now: NOW() });
+    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
     expect(await provider.exists(myKey)).toBe(false);
     expect(await provider.exists(otherKey)).toBe(true);

package/src/user-data-rights/__tests__/file-binary-forget-failure.integration.test.ts ADDED Viewed

@@ -0,0 +1,211 @@
+// Forget-Hook fail-closed Integration-Test.
+//
+// Beweist den Vertrag von runForgetCleanup für den fileRef-delete-Hook: wenn
+// `storageProvider.delete()` fehlschlägt, wirft der Hook → die per-User-Sub-Tx
+// rollt zurück → der User bleibt `DeletionRequested`, die Row + Binary bleiben,
+// der Fehler landet im `errors`-Array. Der nächste Run (Storage wieder ok)
+// konvergiert sauber, weil `delete` idempotent ist. Ohne den Throw würde ein
+// transienter Storage-Fehler die Row permanent hard-löschen, den User auf
+// `Deleted` flippen und die Binary dauerhaft verwaisen lassen (Art.-17-Erasure
+// still unvollständig).
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  createInMemoryFileProvider,
+  fileRefsTable,
+  type InMemoryFileProvider,
+} from "@cosmicdrift/kumiko-framework/files";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createFilesFeature } from "../../files";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  type ForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
+let stack: TestStack;
+let db: DbConnection;
+let base: InMemoryFileProvider;
+let seed: ForgetSeeders;
+// `delete` throws while set; flip off to simulate storage recovery on retry.
+let failDeletes = true;
+const TENANT = "00000000-0000-4000-8000-00000000000e";
+beforeAll(async () => {
+  base = createInMemoryFileProvider();
+  // Spread the real provider (all methods bound to its store) and override
+  // only `delete` to fail on demand — lets one test prove abort + retry-convergence.
+  const flakyProvider: InMemoryFileProvider = {
+    ...base,
+    async delete(key) {
+      if (failDeletes) throw new Error("storage unavailable (test)");
+      return base.delete(key);
+    },
+  };
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature({ storageProvider: flakyProvider }),
+    ],
+    files: { storageProvider: flakyProvider },
+  });
+  db = stack.db;
+  // Seeders write binaries through the real store (`base`), not the flaky
+  // wrapper — the wrapper's `delete` failure is what the test exercises.
+  seed = createForgetSeeders(db, base);
+  await unsafeCreateEntityTable(db, userEntity);
+  await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
+  await unsafePushTables(db, { fileRefsTable });
+  await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  failDeletes = true;
+  base.clear();
+  await resetTestTables(db, [userTable, "read_tenant_memberships", fileRefsTable]);
+});
+async function fileRowCount(tenantId: string, insertedById: string): Promise<number> {
+  const rows = await asRawClient(db).unsafe(
+    `SELECT 1 FROM file_refs WHERE tenant_id = $1 AND inserted_by_id = $2`,
+    [tenantId, insertedById],
+  );
+  return (rows as ReadonlyArray<unknown>).length;
+}
+describe("forget fail-closed :: storage.delete failure aborts the row hard-delete", () => {
+  test("storage delete fails → user stays DeletionRequested, row + binary remain, error surfaced", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000001";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000001", TENANT, userId);
+    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    // NOT flipped to Deleted — the sub-tx rolled back.
+    expect(result.processedUserIds).not.toContain(userId);
+    // Failure surfaced for operator visibility.
+    expect(result.errors.some((e) => e.userId === userId && e.entityName === "fileRef")).toBe(true);
+    // Row NOT hard-deleted; binary NOT orphaned.
+    expect(await fileRowCount(TENANT, userId)).toBe(1);
+    expect(await base.exists(key)).toBe(true);
+    // User still pending deletion in the DB.
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.DeletionRequested);
+  });
+  test("next run with storage healthy converges (idempotent delete) — user deleted, binary gone", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000002";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000002", TENANT, userId);
+    // First run: storage down → abort.
+    const first = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    expect(first.processedUserIds).not.toContain(userId);
+    expect(await base.exists(key)).toBe(true);
+    // Storage recovers; retry converges.
+    failDeletes = false;
+    const second = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    expect(second.processedUserIds).toContain(userId);
+    expect(await base.exists(key)).toBe(false);
+    expect(await fileRowCount(TENANT, userId)).toBe(0);
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+});
+// Same contract, but driven through the REAL dispatcher (POST run-forget-cleanup)
+// rather than calling runForgetCleanup with a top-level connection. The
+// dispatcher wraps the handler in an outer transaction, so ctx.db.raw is a
+// TransactionSql — which has `.savepoint`, not `.begin`. The per-user sub-tx
+// must open as a SAVEPOINT here; the previous `.begin`-only path threw on every
+// user when invoked this way (the cron path), so production deleted nobody while
+// these direct-connection tests stayed green. #214.
+describe("forget-cleanup through the real dispatcher :: per-user savepoint nests under the handler tx", () => {
+  const systemUser = {
+    id: "00000000-0000-4000-8000-0000000000ff",
+    tenantId: TENANT,
+    roles: ["SystemAdmin"],
+  };
+  type CleanupResult = {
+    readonly processedUserIds: readonly string[];
+    readonly hookCallsAttempted: number;
+    readonly errorCount: number;
+    readonly errors: ReadonlyArray<{ readonly userId: string; readonly entityName: string }>;
+  };
+  const RUN_FORGET = "user-data-rights:write:run-forget-cleanup";
+  test("dispatcher POST flips a due user to Deleted (SAVEPOINT inside the outer handler tx)", async () => {
+    failDeletes = false;
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000003";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000003", TENANT, userId);
+    const result = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+    // Pre-fix this list was always empty — `.begin` is absent on the
+    // dispatcher's TransactionSql, so the per-user sub-tx threw for every user.
+    expect(result.processedUserIds).toContain(userId);
+    expect(result.errorCount).toBe(0);
+    expect(await base.exists(key)).toBe(false);
+    expect(await fileRowCount(TENANT, userId)).toBe(0);
+    const row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+  test("fail-closed + retry-convergence through the dispatcher (savepoint rolls back one user)", async () => {
+    const userId = "cccccccc-cccc-4ccc-8ccc-000000000004";
+    await seed.seedForgetUser(userId);
+    await seed.seedMembership(userId, TENANT);
+    const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000004", TENANT, userId);
+    // Storage down → fileRef hook throws → ROLLBACK TO SAVEPOINT undoes just
+    // this user; the outer handler tx still commits the run. User stays pending.
+    failDeletes = true;
+    const failed = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+    expect(failed.processedUserIds).not.toContain(userId);
+    expect(failed.errors.some((e) => e.userId === userId && e.entityName === "fileRef")).toBe(true);
+    expect(await base.exists(key)).toBe(true);
+    let row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.DeletionRequested);
+    // Storage recovers → retry converges (idempotent delete).
+    failDeletes = false;
+    const ok = await stack.http.writeOk<CleanupResult>(RUN_FORGET, {}, systemUser);
+    expect(ok.processedUserIds).toContain(userId);
+    expect(await base.exists(key)).toBe(false);
+    row = await fetchOne<{ status: string }>(db, userTable, { id: userId });
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+  });
+});