@cosmicdrift/kumiko-bundled-features 0.59.1 → 0.60.0

package/src/tier-engine/feature.ts

@@ -52,6 +52,7 @@ import {
   defineEntityListHandler,
   defineEntityUpdateHandler,
   defineFeature,
+  defineQueryHandler,
   type FeatureDefinition,
   HookPhases,
   type SessionUser,
@@ -61,11 +62,14 @@ import {
   type TierResolverPlugin,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
+import { z } from "zod";
 import { tierAssignmentAggregateId } from "./aggregate-id";
 import type { TierMap } from "./compose-app";
-import { TIER_ENGINE_FEATURE } from "./constants";
+import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "./constants";
 import { tierAssignmentEntity } from "./entity";
 import { getActiveTierQuery } from "./handlers/active-tier.query";
+import { getTenantTierQuery } from "./handlers/get-tenant-tier.query";
+import { createSetTenantTierWrite } from "./handlers/set-tenant-tier.write";
 
 // Drizzle-table for the tier-assignment-entity. Built once at module-load
 // from the entity definition — same shape buildEntityTable would produce
@@ -168,7 +172,7 @@ export function createTierEngineFeature<
 >(opts: CreateTierEngineOptions<TCaps> = {}): FeatureDefinition {
   return defineFeature(TIER_ENGINE_FEATURE, (r) => {
     r.describe(
-      "Stores a `tier-assignment` entity per tenant (which pricing tier is active) and, when configured with a `TierMap`, registers itself as the `tenantTierResolver` extension so the dispatcher automatically gates `r.toggleable()` features per tenant based on their assigned tier. Call `createTierEngineFeature({ defaultTier, tierMap })` to get full tier composition \u2014 including an `inTransaction` entity hook that atomically writes the default tier when a new tenant is created \u2014 or use `createTierEngineFeature()` without options for storage-only mode when you manage tier assignment yourself via `composeApp`.",
+      'Stores a `tier-assignment` entity per tenant (which pricing tier is active) and, when configured with a `TierMap`, registers itself as the `tenantTierResolver` extension so the dispatcher automatically gates `r.toggleable()` features per tenant based on their assigned tier. Call `createTierEngineFeature({ defaultTier, tierMap })` to get full tier composition \u2014 including an `inTransaction` entity hook that atomically writes the default tier when a new tenant is created \u2014 or use `createTierEngineFeature()` without options for storage-only mode when you manage tier assignment yourself via `composeApp`. A SystemAdmin-only `set-tenant-tier` write plus `get-tenant-tier`/`tier-options` reads let an operator assign a tier to ANY tenant manually \u2014 without a billing purchase \u2014 stamping `source: "manual"` so a future Stripe\u2192tier sync won\'t overwrite the grant. Apps surface this via the `tier-admin` screen.',
     );
     r.requires("config");
     r.requires("tenant");
@@ -183,6 +187,41 @@ export function createTierEngineFeature<
     r.queryHandler(defineEntityListHandler("tier-assignment", tierAssignmentEntity, adminAccess));
     r.queryHandler(getActiveTierQuery);
 
+    // \u2500\u2500 Manueller Tier-Grant (SystemAdmin, ohne Billing) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Cross-tenant set + read f\u00fcr den tier-admin-Screen. tier-options liefert
+    // dem Client die App-Tier-Namen aus der tierMap-Closure (sonst hartkodiert).
+    //
+    // onAssigned h\u00e4lt den Resolver-Cache nach einem direkten Executor-Write
+    // warm (der den postSave-Hook NICHT feuert). Late-bind via Holder: ohne
+    // tierMap bleibt es no-op (kein Resolver), im tierMap-Block unten wird
+    // die echte Cache-Update-Funktion eingeh\u00e4ngt \u2014 analog alwaysOnHolder.
+    const onTierAssigned: { fn: (tenantId: TenantId, tier: string) => void } = { fn: () => {} };
+    r.writeHandler(
+      createSetTenantTierWrite({
+        onAssigned: (tenantId, tier) => onTierAssigned.fn(tenantId, tier),
+      }),
+    );
+    r.queryHandler(getTenantTierQuery);
+    r.queryHandler(
+      defineQueryHandler({
+        name: "tier-options",
+        schema: z.object({}),
+        access: { roles: ["SystemAdmin"] },
+        handler: async () => ({ tiers: opts.tierMap ? Object.keys(opts.tierMap) : [] }),
+      }),
+    );
+
+    // Custom React-Screen für den manuellen Grant. SystemAdmin-only fest
+    // verdrahtet (Platform-Admin-Hoheit, nicht App-konfigurierbar). App
+    // platziert ihn nur via r.nav("tier-engine:screen:tier-admin"); die
+    // Komponente liefert tierEngineClient() aus dem ./web-subpath.
+    r.screen({
+      id: TIER_ADMIN_SCREEN_ID,
+      type: "custom",
+      renderer: { react: { __component: "TierAdminScreen" } },
+      access: { roles: ["SystemAdmin"] },
+    });
+
     // ───────────────────────────────────────────────────────────────────
     // Resolver-extension (only when tierMap is configured)
     // ───────────────────────────────────────────────────────────────────
@@ -203,6 +242,15 @@ export function createTierEngineFeature<
     // Requests (build läuft pre-listen via runDevApp/runProdApp-pickup).
     const alwaysOnHolder: { set: ReadonlySet<string> } = { set: new Set() };
 
+    // set-tenant-tier schreibt direkt über den Executor → der postSave-Hook
+    // unten feuert dabei NICHT. Diese Funktion repliziert den Cache-Update
+    // des Hooks, damit ein manueller Grant das effektive Feature-Set sofort
+    // ändert (nicht nur die Projektion). Selber Cache, selbe mergeAlwaysOn-
+    // Semantik wie der Hook.
+    onTierAssigned.fn = (tenantId, tier) => {
+      cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, tier)));
+    };
+
     // Invalidation: tier-assignment events update the cache.
     r.entityHook("postSave", "tier-assignment", async (result) => {
       // result.data has tenantId + tier (after entity-update merge)
@@ -299,7 +347,7 @@ export function createTierEngineFeature<
           const tdb = createTenantDb(rawDb, newTenantId, "system");
 
           await tierAssignmentExecutor.create(
-            { id: aggregateId, tier: defaultTier },
+            { id: aggregateId, tier: defaultTier, source: "default" },
             systemUser,
             tdb,
           );

package/src/tier-engine/handlers/get-tenant-tier.query.ts

@@ -0,0 +1,36 @@
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  buildEntityTable,
+  createTenantDb,
+  type DbConnection,
+} from "@cosmicdrift/kumiko-framework/db";
+import { defineQueryHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { tierAssignmentEntity } from "../entity";
+
+// Liest das Tier-Assignment eines BELIEBIGEN Tenants (cross-tenant) für den
+// tier-admin-Screen. SystemAdmin-only. get-active-tier liest nur den eigenen
+// Tenant — hier ein "system"-mode TenantDb auf den Ziel-Tenant (kein Filter),
+// damit der Admin das Tier fremder Tenants sehen kann. null wenn noch keins.
+
+const tierAssignmentTable = buildEntityTable("tier-assignment", tierAssignmentEntity);
+
+type TierAssignmentRow = {
+  readonly id: string;
+  readonly version: number;
+  readonly tier: string;
+  readonly source: string | null;
+  readonly tenantId: string;
+};
+
+export const getTenantTierQuery = defineQueryHandler({
+  name: "get-tenant-tier",
+  schema: z.object({ tenantId: z.string().min(1) }),
+  access: { roles: ["SystemAdmin"] },
+  handler: async (query, ctx) => {
+    const tenantId = query.payload.tenantId as TenantId; // @cast-boundary engine-bridge
+    const tdb = createTenantDb(ctx.db.raw as DbConnection, tenantId, "system"); // @cast-boundary db-runner
+    const row = await fetchOne<TierAssignmentRow>(tdb, tierAssignmentTable, { tenantId });
+    return row ?? null;
+  },
+});

package/src/tier-engine/handlers/set-tenant-tier.write.ts

@@ -0,0 +1,99 @@
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  buildEntityTable,
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+} from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { z } from "zod";
+import { tierAssignmentAggregateId } from "../aggregate-id";
+import { tierAssignmentEntity } from "../entity";
+
+// SystemAdmin setzt das Tier eines BELIEBIGEN Tenants — manueller Grant ohne
+// Billing. Cross-tenant, daher SystemAdmin-only (kein TenantAdmin: sonst
+// Gratis-Self-Upgrade).
+//
+// **Cross-tenant-Mechanik:** ein "system"-mode TenantDb auf den Ziel-Tenant legt
+// KEINEN Tenant-Filter an (tenant-db.ts:141 — mode==="system" überspringt ihn);
+// der executor-user wird ebenfalls auf den Ziel-Tenant gestellt, sonst landet das
+// Event im Stream des Admins (Memory feedback_event_store_tenant_consistency).
+// Das set.write-"override-user"-Muster trägt NICHT für beliebige Tenants — es
+// funktioniert nur für SYSTEM_TENANT_ID (immer im IN-Filter). Dies ist das
+// auto-default-Hook-Muster (feature.ts), generalisiert auf einen Request-Handler.
+//
+// `source: "manual"` markiert den Grant, damit ein späterer Stripe→Tier-Sync ihn
+// nicht plättet. Upsert: ein Aggregat pro Tenant (deterministische aggregate-id).
+//
+// **Effective-Set-Invalidation (kritisch):** der Executor-Write feuert NICHT
+// den `tier-assignment:postSave`-entityHook (Hooks laufen nur im Entity-
+// Handler-Pfad, nicht bei direktem executor.create/update). Ohne Cache-Update
+// bliebe das Feature-Gate auf dem alten Tier hängen — die Projektion zeigt
+// "pro", das Gate verhält sich weiter wie "free", bis der Prozess neu startet.
+// Daher ruft der Handler nach erfolgreichem Write `opts.onAssigned(tenantId,
+// tier)`; feature.ts verdrahtet das auf denselben Cache-Update wie der Hook
+// (storage-only ohne tierMap = no-op).
+
+const tierAssignmentTable = buildEntityTable("tier-assignment", tierAssignmentEntity);
+const executor = createEventStoreExecutor(tierAssignmentTable, tierAssignmentEntity, {
+  entityName: "tier-assignment",
+});
+
+type TierAssignmentRow = {
+  readonly id: string;
+  readonly version: number;
+  readonly tier: string;
+  readonly source: string | null;
+  readonly tenantId: string;
+};
+
+export type SetTenantTierOptions = {
+  /** Nach erfolgreichem Write aufgerufen, damit feature.ts den Resolver-
+   *  Cache aktualisieren kann (der Executor-Write feuert den postSave-Hook
+   *  nicht). Ohne tierMap kein Resolver → no-op. */
+  readonly onAssigned?: (tenantId: TenantId, tier: string) => void;
+};
+
+export function createSetTenantTierWrite(opts: SetTenantTierOptions = {}) {
+  return defineWriteHandler({
+    name: "set-tenant-tier",
+    schema: z.object({
+      tenantId: z.string().min(1),
+      tier: z.string().min(1).max(50),
+    }),
+    access: { roles: ["SystemAdmin"] },
+    handler: async (event, ctx) => {
+      const tenantId = event.payload.tenantId as TenantId; // @cast-boundary engine-bridge
+      const rawDb = ctx.db.raw as DbConnection; // @cast-boundary db-runner
+      const tdb = createTenantDb(rawDb, tenantId, "system");
+      const systemUser = { ...event.user, tenantId };
+      const tier = event.payload.tier;
+
+      const existing = await fetchOne<TierAssignmentRow>(tdb, tierAssignmentTable, { tenantId });
+
+      if (existing) {
+        const result = await executor.update(
+          {
+            id: existing.id,
+            version: existing.version,
+            changes: { tier, source: "manual" },
+          },
+          systemUser,
+          tdb,
+        );
+        if (!result.isSuccess) return result;
+        opts.onAssigned?.(tenantId, tier);
+        return { isSuccess: true as const, data: { tenantId, tier, isNew: false } };
+      }
+
+      const result = await executor.create(
+        { id: tierAssignmentAggregateId(tenantId), tier, source: "manual", tenantId },
+        systemUser,
+        tdb,
+      );
+      if (!result.isSuccess) return result;
+      opts.onAssigned?.(tenantId, tier);
+      return { isSuccess: true as const, data: { tenantId, tier, isNew: true } };
+    },
+  });
+}

package/src/tier-engine/i18n.ts

@@ -0,0 +1,39 @@
+// @runtime client
+// Default-Bundles für den TierAdminScreen. Werden vom tierEngineClient()
+// als Fallback-Bundle in den LocaleProvider gehängt — Apps überschreiben
+// einzelne Keys via `tierEngineClient({ translations: { de: { … } } })`.
+
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "tier-admin.title": "Tier manuell zuweisen",
+    "tier-admin.explainer":
+      "Weise einem Tenant ein Tier ohne Kauf zu. Der Grant wird als „manuell“ markiert und von einem späteren Billing-Sync nicht überschrieben.",
+    "tier-admin.tenant.label": "Tenant",
+    "tier-admin.current.label": "Aktuelles Tier",
+    "tier-admin.current.none": "— noch keins —",
+    "tier-admin.tier.label": "Neues Tier",
+    "tier-admin.submit": "Tier zuweisen",
+    "tier-admin.success": "Tier „{tier}“ zugewiesen.",
+    "tier-admin.error.generic": "Konnte das Tier nicht zuweisen.",
+    "tier-admin.error.load": "Tenants konnten nicht geladen werden.",
+    "tier-admin.error.noTiers":
+      "Diese App hat keine TierMap konfiguriert — es gibt keine zuweisbaren Tiers.",
+  },
+  en: {
+    "tier-admin.title": "Assign tier manually",
+    "tier-admin.explainer":
+      "Grant a tenant a tier without a purchase. The grant is marked as “manual” and a later billing sync won't overwrite it.",
+    "tier-admin.tenant.label": "Tenant",
+    "tier-admin.current.label": "Current tier",
+    "tier-admin.current.none": "— none yet —",
+    "tier-admin.tier.label": "New tier",
+    "tier-admin.submit": "Assign tier",
+    "tier-admin.success": "Assigned tier “{tier}”.",
+    "tier-admin.error.generic": "Could not assign the tier.",
+    "tier-admin.error.load": "Failed to load tenants.",
+    "tier-admin.error.noTiers":
+      "This app has no TierMap configured — there are no assignable tiers.",
+  },
+};

package/src/tier-engine/web/client-plugin.tsx

@@ -0,0 +1,27 @@
+// @runtime client
+// Client-Feature-Factory für tier-engine. Liefert den TierAdminScreen
+// (gemappt auf die Screen-id "tier-admin") + Default-Translations. Apps
+// hängen es in createKumikoApp({ clientFeatures: [tierEngineClient()] }) ein;
+// der Screen selbst wird server-seitig vom Feature als custom-Screen
+// registriert (r.screen), die App platziert ihn nur via r.nav.
+
+import { mergeTranslations, type TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+import type { ClientFeatureDefinition } from "@cosmicdrift/kumiko-renderer-web";
+import { TIER_ADMIN_SCREEN_ID, TIER_ENGINE_FEATURE } from "../constants";
+import { defaultTranslations } from "../i18n";
+import { TierAdminScreen } from "./tier-admin-screen";
+
+export type TierEngineClientOptions = {
+  /** Key-weise Overrides über die Default-Bundles (de/en). */
+  readonly translations?: TranslationsByLocale;
+};
+
+export function tierEngineClient(options?: TierEngineClientOptions): ClientFeatureDefinition {
+  return {
+    name: TIER_ENGINE_FEATURE,
+    translations: mergeTranslations(defaultTranslations, options?.translations ?? {}),
+    components: {
+      [TIER_ADMIN_SCREEN_ID]: TierAdminScreen,
+    },
+  };
+}

package/src/tier-engine/web/index.ts

@@ -0,0 +1,8 @@
+// @runtime client
+// Public exports für die Browser-Seite des tier-engine Features. Konsumiert
+// über `@cosmicdrift/kumiko-bundled-features/tier-engine/web` — die
+// Server-Seite (createTierEngineFeature) lebt unter
+// `@cosmicdrift/kumiko-bundled-features/tier-engine` und hat keine React-Deps.
+
+export { type TierEngineClientOptions, tierEngineClient } from "./client-plugin";
+export { TierAdminScreen } from "./tier-admin-screen";

package/src/tier-engine/web/tier-admin-screen.tsx

@@ -0,0 +1,161 @@
+// @runtime client
+// TierAdminScreen — SystemAdmin weist einem beliebigen Tenant ein Tier zu,
+// ohne Billing-Kauf. Tenant-Picker (tenant:query:list) → aktuelles Tier
+// (get-tenant-tier) → Tier-Dropdown (tier-options) → Speichern
+// (set-tenant-tier). Apps registrieren die Komponente als custom-Screen:
+//   r.screen({ id: "tier-admin", type: "custom",
+//     renderer: { react: { __component: "TierAdminScreen" } },
+//     access: { roles: ["SystemAdmin"] } })
+
+import {
+  useDispatcher,
+  usePrimitives,
+  useQuery,
+  useTranslation,
+} from "@cosmicdrift/kumiko-renderer";
+import { type ReactNode, useEffect, useState } from "react";
+import { TierEngineHandlers, TierEngineQueries } from "../constants";
+
+const TENANT_LIST_QUERY = "tenant:query:list";
+
+type TenantRow = { readonly id: string; readonly name: string };
+type TenantListResponse = { readonly rows: readonly TenantRow[] };
+type TierAssignmentRow = { readonly tier: string; readonly source: string | null };
+type TierOptionsResponse = { readonly tiers: readonly string[] };
+type SetTenantTierResponse = {
+  readonly tenantId: string;
+  readonly tier: string;
+  readonly isNew: boolean;
+};
+
+type Status =
+  | { kind: "idle" }
+  | { kind: "submitting" }
+  | { kind: "success"; tier: string }
+  | { kind: "error"; messageKey: string };
+
+export function TierAdminScreen(): ReactNode {
+  const t = useTranslation();
+  const { Section, Field, Input, Button, Banner, Heading } = usePrimitives();
+  const dispatcher = useDispatcher();
+
+  // ponytail: nur die erste Seite (default-limit, nextCursor ignoriert) —
+  // reicht für Apps mit wenigen Tenants (cashcolt). Pagination/Suche
+  // nachrüsten, wenn ein Operator mit vielen Tenants nicht alle sieht.
+  const tenantsQuery = useQuery<TenantListResponse | null>(TENANT_LIST_QUERY, {});
+  const tierOptionsQuery = useQuery<TierOptionsResponse | null>(TierEngineQueries.tierOptions, {});
+
+  const [tenantId, setTenantId] = useState("");
+  const [tier, setTier] = useState("");
+  const [status, setStatus] = useState<Status>({ kind: "idle" });
+
+  const currentTierQuery = useQuery<TierAssignmentRow | null>(
+    TierEngineQueries.getTenantTier,
+    { tenantId },
+    { enabled: tenantId !== "" },
+  );
+
+  // Tenant-Wechsel: Auswahl + Status zurücksetzen, damit kein Tier eines
+  // anderen Tenants stehen bleibt (Mis-Grant-Schutz auf UI-Ebene). tenantId
+  // ist hier reiner Trigger (Body liest es nicht) — Biome's "extra dep"-
+  // Autofix würde die Deps leeren und den Reset auf den Mount beschränken.
+  // biome-ignore lint/correctness/useExhaustiveDependencies: tenantId ist der gewollte Reset-Trigger, nicht entfernen.
+  useEffect(() => {
+    setTier("");
+    setStatus({ kind: "idle" });
+  }, [tenantId]);
+
+  const tenantOptions = (tenantsQuery.data?.rows ?? []).map((row) => ({
+    value: row.id,
+    label: row.name,
+  }));
+  const tierOptions = tierOptionsQuery.data?.tiers ?? [];
+  const currentTier = currentTierQuery.data?.tier ?? null;
+
+  const onSave = async (): Promise<void> => {
+    if (tenantId === "" || tier === "") return;
+    setStatus({ kind: "submitting" });
+    const res = await dispatcher.write<SetTenantTierResponse>(TierEngineHandlers.setTenantTier, {
+      tenantId,
+      tier,
+    });
+    if (!res.isSuccess) {
+      setStatus({ kind: "error", messageKey: "tier-admin.error.generic" });
+      return;
+    }
+    setStatus({ kind: "success", tier: res.data.tier });
+    void currentTierQuery.refetch();
+  };
+
+  const submitting = status.kind === "submitting";
+  const canSubmit = tenantId !== "" && tier !== "" && !submitting;
+
+  return (
+    <div className="p-6 flex flex-col gap-6 max-w-xl" data-testid="tier-admin-screen">
+      <Heading variant="page">{t("tier-admin.title")}</Heading>
+      <p className="text-sm text-muted-foreground">{t("tier-admin.explainer")}</p>
+
+      {tenantsQuery.error !== null && (
+        <Banner variant="error" testId="tier-admin-load-error">
+          {t("tier-admin.error.load")}
+        </Banner>
+      )}
+      {tierOptions.length === 0 && tierOptionsQuery.loading !== true && (
+        <Banner variant="info" testId="tier-admin-no-tiers">
+          {t("tier-admin.error.noTiers")}
+        </Banner>
+      )}
+
+      <Section>
+        <Field id="tier-admin-tenant" label={t("tier-admin.tenant.label")} required>
+          <Input
+            kind="select"
+            id="tier-admin-tenant"
+            name="tier-admin-tenant"
+            value={tenantId}
+            onChange={setTenantId}
+            options={tenantOptions}
+          />
+        </Field>
+
+        {tenantId !== "" && (
+          <p className="text-sm text-muted-foreground" data-testid="tier-admin-current">
+            {t("tier-admin.current.label")}: {currentTier ?? t("tier-admin.current.none")}
+          </p>
+        )}
+
+        <Field id="tier-admin-tier" label={t("tier-admin.tier.label")} required>
+          <Input
+            kind="select"
+            id="tier-admin-tier"
+            name="tier-admin-tier"
+            value={tier}
+            onChange={setTier}
+            options={tierOptions}
+            disabled={tierOptions.length === 0}
+          />
+        </Field>
+
+        {status.kind === "success" && (
+          <Banner variant="info" testId="tier-admin-success">
+            {t("tier-admin.success", { tier: status.tier })}
+          </Banner>
+        )}
+        {status.kind === "error" && (
+          <Banner variant="error" testId="tier-admin-error">
+            {t(status.messageKey)}
+          </Banner>
+        )}
+
+        <Button
+          onClick={() => void onSave()}
+          disabled={!canSubmit}
+          loading={submitting}
+          testId="tier-admin-submit"
+        >
+          {t("tier-admin.submit")}
+        </Button>
+      </Section>
+    </div>
+  );
+}

package/src/user-data-rights/__tests__/anonymous-deletion.integration.test.ts

@@ -174,6 +174,17 @@ describe("anonymous deletion flow", () => {
     });
     expect(second.status).toBe(422);
     expect(await statusOf()).toBe(USER_STATUS.DeletionRequested);
+
+    // #354/2: der anonyme Endpoint gibt einen generischen reason zurück und
+    // leakt NICHT den konkreten User-Status (currentStatus), den ein
+    // Token-Inhaber sonst proben könnte.
+    const body = (await second.json()) as {
+      error: { details?: { reason?: string } };
+    };
+    expect(body.error.details?.reason).toBe("cannot_process_deletion");
+    const serialized = JSON.stringify(body.error);
+    expect(serialized).not.toContain("currentStatus");
+    expect(serialized).not.toContain(USER_STATUS.DeletionRequested);
   });
 
   test("request-by-email für nicht-existente Email → success, KEINE Mail (enumeration-safe)", async () => {

package/src/user-data-rights/deletion-token.ts

@@ -2,9 +2,15 @@
 // purpose to "deletion-request". Mirrors auth-email-password/reset-token.ts —
 // email-verified account deletion is an auth-adjacent proof-of-email-ownership
 // flow, so it reuses the same self-contained token mechanism (no DB row, no
-// Redis: the userId + expiry are baked into the signed token, single-use is
-// not required because the grace-period flip is idempotent on a non-active
-// user).
+// Redis: the userId + expiry are baked into the signed token).
+//
+// The token is NOT single-use: replaying it on a still-pending (non-active)
+// user is a no-op (confirm hits non-active → cannot_process_deletion). That
+// idempotency is only bounded though — after a cancel-deletion the user is
+// active again and a still-valid token re-arms a second grace period. The
+// replay window is bounded by the TTL; the full fix (per-request requestId
+// bound into the token + the user row, nulled on cancel) is deferred as review
+// finding #354/1 (needs a shared user-entity migration).
 
 import type { Temporal } from "temporal-polyfill";
 import { signToken, verifyToken } from "../auth-email-password";

package/src/user-data-rights/handlers/confirm-deletion-by-token.write.ts

@@ -19,8 +19,16 @@ function invalidToken(): UnprocessableError {
 
 // Anonymer Apex-Flow Schritt 2: Verify-Link-Target. Verifiziert das
 // HMAC-Token, extrahiert die userId und startet die Grace-Period über die
-// geteilte Logik. Idempotent: ein zweites Confirm trifft auf den bereits
-// geflippten (non-active) User → user_not_in_active_state, kein Schaden.
+// geteilte Logik.
+//
+// Idempotenz ist NUR bounded: ein zweites Confirm auf einen noch-pending
+// (DeletionRequested) User trifft non-active → cannot_process_deletion. ABER
+// nach einem cancel-deletion (status → Active, gracePeriodEnd → null) ist der
+// User wieder aktiv; ein noch-gültiges Token (TTL aus request-deletion-by-email)
+// re-armt dann eine zweite Grace-Period (replay-after-cancel). Das Risiko ist
+// durch die Token-TTL begrenzt; der vollständige Fix (requestId pro Request im
+// Token + auf der User-Row, vom cancel genullt) ist als review-finding #354/1
+// deferred — er braucht eine Migration der geteilten user-Entity.
 export function createConfirmDeletionByTokenHandler(opts: ConfirmDeletionByTokenOptions = {}) {
   return defineWriteHandler({
     name: "confirm-deletion-by-token",
@@ -34,7 +42,18 @@ export function createConfirmDeletionByTokenHandler(opts: ConfirmDeletionByToken
       if (!verified.ok) return writeFailure(invalidToken());
 
       const res = await startDeletionGracePeriod(ctx, verified.userId, event.user.tenantId);
-      if (!res.ok) return writeFailure(res.error);
+      if (!res.ok) {
+        // Generischer 422 statt res.error: dieser Endpoint ist anonym-öffentlich,
+        // res.error trägt den konkreten User-Status (currentStatus aus
+        // user_not_in_active_state) und würde einem Token-Inhaber das Proben des
+        // Account-Status erlauben (#354/2). Der authentifizierte request-deletion-
+        // Pfad zeigt dem User legitim seinen eigenen Status.
+        return writeFailure(
+          new UnprocessableError("cannot_process_deletion", {
+            details: { reason: "cannot_process_deletion" },
+          }),
+        );
+      }
 
       return {
         isSuccess: true as const,

package/src/user-profile/__tests__/profile-screen.test.tsx

@@ -3,7 +3,7 @@
 // Wrapper analog renderer-web/test-utils, hier lokal weil die
 // Dependency-Richtung renderer-web → bundled-features verbietet.
 
-import { describe, expect, test } from "bun:test";
+import { describe, expect, spyOn, test } from "bun:test";
 import { createStore, type Dispatcher, type DispatcherStatus } from "@cosmicdrift/kumiko-headless";
 import {
   createStaticLocaleResolver,
@@ -16,10 +16,10 @@ import {
   TokensProvider,
 } from "@cosmicdrift/kumiko-renderer";
 import { defaultPrimitives, defaultTokens } from "@cosmicdrift/kumiko-renderer-web";
-import { render, waitFor } from "@testing-library/react";
+import { fireEvent, render, waitFor } from "@testing-library/react";
 import type { ReactNode } from "react";
 import { defaultTranslations } from "../i18n";
-import { ProfileScreen } from "../web/profile-screen";
+import { formatDeletionDate, ProfileScreen } from "../web/profile-screen";
 
 const stubLiveEvents: LiveEventSubscriber = () => () => {};
 const stubTokens = {
@@ -94,8 +94,66 @@ describe("ProfileScreen", () => {
     const banner = view.getByTestId("profile-danger-requested");
     expect(banner.textContent).toContain("2026-07-11");
     expect(banner.textContent).not.toContain("{date}");
+    // #322/2: nur der Datums-Teil, kein roher ISO-Zeitstempel mehr.
+    expect(banner.textContent).not.toContain("T00:00");
+    expect(banner.textContent).not.toContain(":00:00");
     expect(view.queryByTestId("profile-danger-delete")).toBeNull();
     expect(view.getByTestId("profile-danger-cancel")).toBeTruthy();
     expect(view.container.textContent).not.toContain("profile.");
   });
+
+  // #322/3: nach erfolgreichem Email-Wechsel triggert der Screen den
+  // Verification-Versand. Schlägt der fehl, darf der Erfolg nicht umkehren —
+  // aber der Fehler wird nicht mehr stumm verschluckt (sonst wartet der User
+  // auf eine Mail, die nie kommt) und die Success-Message verspricht keinen
+  // Versand mehr.
+  test("email change: verification-send failure is surfaced (not swallowed), change still succeeds", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchSpy = spyOn(globalThis, "fetch").mockRejectedValue(new Error("no network in test"));
+    try {
+      const view = renderProfile(activeMe);
+      await waitFor(() => {
+        if (view.queryByTestId("profile-email-form") === null) throw new Error("not mounted yet");
+      });
+
+      const emailInput = view.container.querySelector<HTMLInputElement>("#profile-new-email");
+      const pwInput = view.container.querySelector<HTMLInputElement>("#profile-email-password");
+      if (!emailInput || !pwInput) throw new Error("email form inputs not found");
+      fireEvent.change(emailInput, { target: { value: "new@example.com" } });
+      fireEvent.change(pwInput, { target: { value: "current-pw" } });
+      fireEvent.submit(view.getByTestId("profile-email-form"));
+
+      // De-Swallow: der fehlgeschlagene Verification-Versand wird geloggt.
+      await waitFor(() => {
+        const warned = warnSpy.mock.calls.some((c) => String(c[0]).includes("[user-profile]"));
+        if (!warned) throw new Error("verification-send failure not surfaced");
+      });
+      // Wechsel bleibt erfolgreich: das Eingabefeld wird zurückgesetzt.
+      await waitFor(() => {
+        if (emailInput.value !== "") throw new Error("email input not cleared after success");
+      });
+      // Die Success-Message verspricht keinen Link-Versand mehr.
+      expect(view.container.textContent).not.toContain("verification link");
+      expect(view.container.textContent).not.toContain("Bestätigungslink");
+    } finally {
+      warnSpy.mockRestore();
+      fetchSpy.mockRestore();
+    }
+  });
+});
+
+describe("formatDeletionDate", () => {
+  test("ISO instant → date part only (strips time + Z)", () => {
+    expect(formatDeletionDate("2026-07-11T00:00:00.000Z")).toBe("2026-07-11");
+  });
+
+  test("null / undefined / empty → em dash", () => {
+    expect(formatDeletionDate(null)).toBe("—");
+    expect(formatDeletionDate(undefined)).toBe("—");
+    expect(formatDeletionDate("")).toBe("—");
+  });
+
+  test("date-only string without time → returned as-is", () => {
+    expect(formatDeletionDate("2026-07-11")).toBe("2026-07-11");
+  });
 });

package/src/user-profile/i18n.ts

@@ -17,8 +17,7 @@ export const defaultTranslations: TranslationsByLocale = {
     "profile.email.new": "Neue E-Mail",
     "profile.email.currentPassword": "Aktuelles Passwort",
     "profile.email.submit": "E-Mail ändern",
-    "profile.email.success":
-      "E-Mail geändert. Wir haben einen Bestätigungslink an die neue Adresse geschickt.",
+    "profile.email.success": "E-Mail geändert. Bitte bestätige deine neue Adresse.",
 
     "profile.password.title": "Passwort",
     "profile.password.old": "Aktuelles Passwort",
@@ -53,7 +52,7 @@ export const defaultTranslations: TranslationsByLocale = {
     "profile.email.new": "New email",
     "profile.email.currentPassword": "Current password",
     "profile.email.submit": "Change email",
-    "profile.email.success": "Email changed. We sent a verification link to the new address.",
+    "profile.email.success": "Email changed. Please confirm your new address.",
 
     "profile.password.title": "Password",
     "profile.password.old": "Current password",