@cosmicdrift/kumiko-bundled-features 0.60.3 → 0.63.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.60.3",
+  "version": "0.63.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -31,6 +31,7 @@
     "./custom-fields": "./src/custom-fields/index.ts",
     "./custom-fields/web": "./src/custom-fields/web/index.ts",
     "./tags": "./src/tags/index.ts",
+    "./tags/web": "./src/tags/web/index.ts",
     "./billing-foundation": "./src/billing-foundation/index.ts",
     "./subscription-stripe": "./src/subscription-stripe/index.ts",
     "./subscription-mollie": "./src/subscription-mollie/index.ts",

package/src/tags/__tests__/feature.test.ts

@@ -111,6 +111,32 @@ describe("createTagsFeature access-options", () => {
   });
 });
 
+describe("createTagsFeature toggleable-option (tier-gating)", () => {
+  test("without toggleable: feature is always-on (toggleableDefault undefined)", () => {
+    expect(createTagsFeature().toggleableDefault).toBeUndefined();
+    expect(createTagsFeature({ access: { openToAll: true } }).toggleableDefault).toBeUndefined();
+  });
+
+  test("toggleable:{default:false} makes the feature tier-gatable, fail-closed", () => {
+    const feature = createTagsFeature({
+      access: { openToAll: true },
+      toggleable: { default: false },
+    });
+    expect(feature.toggleableDefault).toBe(false);
+  });
+
+  test("toggleable:{default:true} declares toggleable, enabled-by-default", () => {
+    expect(createTagsFeature({ toggleable: { default: true } }).toggleableDefault).toBe(true);
+  });
+
+  test("toggleable alone (no access/roles) builds a fresh, non-singleton feature", () => {
+    const feature = createTagsFeature({ toggleable: { default: false } });
+    expect(feature).not.toBe(createTagsFeature());
+    // access still defaults when only toggleable is set
+    expect(writeAccess(feature, "create-tag")).toEqual([...DEFAULT_TAG_ROLES]);
+  });
+});
+
 describe("createTagPayloadSchema", () => {
   test("accepts name only", () => {
     expect(createTagPayloadSchema.safeParse({ name: "Kunde Müller" }).success).toBe(true);

package/src/tags/constants.ts

@@ -8,6 +8,12 @@ import type { AccessRule } from "@cosmicdrift/kumiko-framework/engine";
 
 export const TAGS_FEATURE_NAME = "tags";
 
+// Registry name for the drop-in <TagSection> component. Apps reference it in a
+// screen schema via `component: { react: { __component: TAGS_SECTION_EXTENSION_NAME } }`
+// after mounting tagsClient(); the component is also importable directly for
+// standalone use from `@cosmicdrift/kumiko-bundled-features/tags/web`.
+export const TAGS_SECTION_EXTENSION_NAME = "TagSection";
+
 // Qualified handler names (QN format: scope:type:name). Clients reference the
 // object instead of magic strings (mirror custom-fields' Handlers/Queries).
 export const TagsHandlers = {

package/src/tags/feature.ts

@@ -28,11 +28,27 @@ import { createAssignTagHandler } from "./handlers/assign-tag.write";
 import { createCreateTagHandler } from "./handlers/create-tag.write";
 import { createRemoveTagHandler } from "./handlers/remove-tag.write";
 
-function registerTags(r: FeatureRegistrar<typeof TAGS_FEATURE_NAME>, access: AccessRule): void {
+// Opt-in tier-gating: when set, the feature declares itself r.toggleable so the
+// dispatcher gate + feature-toggles + tier-engine can switch the WHOLE feature
+// (handlers, queries, hooks) on/off per tenant — no host-side hook. `default`
+// is the enablement when no toggle row / tier override exists. For a tier-gated
+// feature use { default: false } (fail-closed) and list the feature name in the
+// entitling tiers' TierMap; tenants below it get every tag path disabled.
+type TagsToggleable = { readonly default: boolean };
+
+function registerTags(
+  r: FeatureRegistrar<typeof TAGS_FEATURE_NAME>,
+  access: AccessRule,
+  toggleable: TagsToggleable | undefined,
+): void {
   r.describe(
-    "Generic, host-agnostic tagging for any entity. Owns two event-sourced entities — the per-tenant `tag` catalog (`read_tags`) and `tag-assignment` join rows keyed by (entityType, entityId) (`read_tag_assignments`) — so tagging adds NO column to the host entity and needs no relational pivot or JOIN. Provides write-handlers `create-tag`, `assign-tag` (idempotent), `remove-tag` (idempotent) and list queries for the catalog and the assignments. Read which tags an entity has, or which entities carry a tag, by listing `tag-assignment` filtered on `entityId` or `tagId` and composing in the read-layer. Every path uses one access rule — adopt the host's model with createTagsFeature({ access: { openToAll: true } }) or pin roles with createTagsFeature({ roles }).",
+    "Generic, host-agnostic tagging for any entity. Owns two event-sourced entities — the per-tenant `tag` catalog (`read_tags`) and `tag-assignment` join rows keyed by (entityType, entityId) (`read_tag_assignments`) — so tagging adds NO column to the host entity and needs no relational pivot or JOIN. Provides write-handlers `create-tag`, `assign-tag` (idempotent), `remove-tag` (idempotent) and list queries for the catalog and the assignments. Read which tags an entity has, or which entities carry a tag, by listing `tag-assignment` filtered on `entityId` or `tagId` and composing in the read-layer. Every path uses one access rule — adopt the host's model with createTagsFeature({ access: { openToAll: true } }) or pin roles with createTagsFeature({ roles }). Pass { toggleable: { default: false } } to make the whole feature tier-gatable via the tier-engine (no host hook).",
   );
 
+  // Tier-gating is a framework concern, not a per-app hook: declaring the
+  // feature toggleable lets tier-engine/feature-toggles cut it per tenant.
+  if (toggleable !== undefined) r.toggleable(toggleable);
+
   r.entity("tag", tagEntity);
   r.entity("tag-assignment", tagAssignmentEntity);
 
@@ -45,7 +61,7 @@ function registerTags(r: FeatureRegistrar<typeof TAGS_FEATURE_NAME>, access: Acc
 }
 
 export const tagsFeature = defineFeature(TAGS_FEATURE_NAME, (r) =>
-  registerTags(r, DEFAULT_TAG_ACCESS),
+  registerTags(r, DEFAULT_TAG_ACCESS, undefined),
 );
 
 export type TagsFeatureOptions = {
@@ -56,6 +72,11 @@ export type TagsFeatureOptions = {
   readonly access?: AccessRule;
   /** Shorthand for { access: { roles } }. Ignored when `access` is set. */
   readonly roles?: readonly string[];
+  /** Make the whole feature tier-gatable: declares r.toggleable so the
+   *  tier-engine/feature-toggles can enable/disable every tag path per tenant.
+   *  `default` applies when no toggle/tier override exists — use { default: false }
+   *  for fail-closed tier-gating. Omit to keep tags always-on (default). */
+  readonly toggleable?: TagsToggleable;
 };
 
 function resolveAccess(opts: TagsFeatureOptions): AccessRule {
@@ -65,11 +86,11 @@ function resolveAccess(opts: TagsFeatureOptions): AccessRule {
 }
 
 // Backwards-compat / options wrapper. Without options returns the module-level
-// singleton (no rebuild). access/roles build a fresh feature-definition.
+// singleton (no rebuild). access/roles/toggleable build a fresh feature-definition.
 export function createTagsFeature(opts: TagsFeatureOptions = {}): typeof tagsFeature {
-  if (opts.access === undefined && opts.roles === undefined) {
+  if (opts.access === undefined && opts.roles === undefined && opts.toggleable === undefined) {
     return tagsFeature;
   }
   const access = resolveAccess(opts);
-  return defineFeature(TAGS_FEATURE_NAME, (r) => registerTags(r, access));
+  return defineFeature(TAGS_FEATURE_NAME, (r) => registerTags(r, access, opts.toggleable));
 }

package/src/tags/web/__tests__/tag-section.test.tsx

@@ -0,0 +1,126 @@
+import { describe, expect, mock, test } from "bun:test";
+import {
+  createStaticLocaleResolver,
+  LocaleProvider,
+  PrimitivesProvider,
+} from "@cosmicdrift/kumiko-renderer";
+import { defaultPrimitives } from "@cosmicdrift/kumiko-renderer-web";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import type { ReactNode } from "react";
+import { TagsHandlers, TagsQueries } from "../../constants";
+import { defaultTranslations } from "../i18n";
+import { TagSection } from "../tag-section";
+
+type TagRow = { id: string; name: string };
+type AssignmentRow = { tagId: string; entityType: string; entityId: string };
+
+let catalogRows: readonly TagRow[] = [];
+let assignmentRows: readonly AssignmentRow[] = [];
+
+// createTag returns the new id; assign/remove return data-less success.
+const dispatchSpy = mock(async (type: string) =>
+  type === TagsHandlers.createTag
+    ? { isSuccess: true, data: { id: "tag-new" } }
+    : { isSuccess: true, data: undefined },
+);
+
+// useQuery is called twice (catalog + assignments) — branch on the QN.
+const useQuerySpy = mock((type: string) => ({
+  data: type === TagsQueries.tagList ? { rows: catalogRows } : { rows: assignmentRows },
+  loading: false,
+  error: null,
+  refetch: mock(async () => {}),
+}));
+
+const actual_renderer = await import("@cosmicdrift/kumiko-renderer");
+mock.module("@cosmicdrift/kumiko-renderer", () => ({
+  ...actual_renderer,
+  useDispatcher: mock(() => ({ write: dispatchSpy, query: mock(), batch: mock() })),
+  useQuery: useQuerySpy,
+}));
+
+function Wrapper({ children }: { readonly children: ReactNode }): ReactNode {
+  return (
+    <LocaleProvider resolver={createStaticLocaleResolver()} fallbackBundles={[defaultTranslations]}>
+      <PrimitivesProvider value={defaultPrimitives}>{children}</PrimitivesProvider>
+    </LocaleProvider>
+  );
+}
+
+describe("TagSection", () => {
+  test("shows assigned + available tags and dispatches assign/remove with the right QN + payload", async () => {
+    catalogRows = [
+      { id: "t1", name: "important" },
+      { id: "t2", name: "project-x" },
+    ];
+    assignmentRows = [{ tagId: "t1", entityType: "note", entityId: "note-1" }];
+    dispatchSpy.mockClear();
+
+    render(
+      <Wrapper>
+        <TagSection entityName="note" entityId="note-1" />
+      </Wrapper>,
+    );
+
+    // Assigned tag → remove button; unassigned catalog tag → assign button.
+    expect(screen.getByTestId("tags-section-remove-t1")).toBeTruthy();
+    expect(screen.getByTestId("tags-section-assign-t2")).toBeTruthy();
+    expect(screen.queryByTestId("tags-section-assign-t1")).toBeNull();
+
+    fireEvent.click(screen.getByTestId("tags-section-assign-t2"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.assignTag, {
+        tagId: "t2",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+
+    fireEvent.click(screen.getByTestId("tags-section-remove-t1"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.removeTag, {
+        tagId: "t1",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+  });
+
+  test("create-and-attach dispatches create-tag, then assign-tag with the new id", async () => {
+    catalogRows = [];
+    assignmentRows = [];
+    dispatchSpy.mockClear();
+
+    render(
+      <Wrapper>
+        <TagSection entityName="note" entityId="note-9" />
+      </Wrapper>,
+    );
+
+    fireEvent.change(document.getElementById("tags-section-new") as HTMLInputElement, {
+      target: { value: "urgent" },
+    });
+    fireEvent.click(screen.getByTestId("tags-section-create"));
+
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.createTag, { name: "urgent" }),
+    );
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.assignTag, {
+        tagId: "tag-new",
+        entityType: "note",
+        entityId: "note-9",
+      }),
+    );
+  });
+
+  test("create-mode (no entityId yet) shows the save-first hint instead of the manager", () => {
+    render(
+      <Wrapper>
+        <TagSection entityName="note" entityId={null} />
+      </Wrapper>,
+    );
+    expect(screen.getByTestId("tags-section-create-mode")).toBeTruthy();
+    expect(screen.queryByTestId("tags-section")).toBeNull();
+  });
+});

package/src/tags/web/client-plugin.tsx

@@ -0,0 +1,21 @@
+// @runtime client
+// Client-feature factory for tags. Mounted via
+// createKumikoApp({ clientFeatures: [tagsClient()] }) — registers TagSection
+// under TAGS_SECTION_EXTENSION_NAME and contributes the default translations.
+// Required even for standalone <TagSection> use, otherwise its i18n keys render
+// raw.
+
+import type { ClientFeatureDefinition } from "@cosmicdrift/kumiko-renderer-web";
+import { TAGS_FEATURE_NAME, TAGS_SECTION_EXTENSION_NAME } from "../constants";
+import { defaultTranslations } from "./i18n";
+import { TagSection } from "./tag-section";
+
+export function tagsClient(): ClientFeatureDefinition {
+  return {
+    name: TAGS_FEATURE_NAME,
+    extensionSectionComponents: {
+      [TAGS_SECTION_EXTENSION_NAME]: TagSection,
+    },
+    translations: defaultTranslations,
+  };
+}

package/src/tags/web/i18n.ts

@@ -0,0 +1,25 @@
+// @runtime client
+// Default translation bundle for the tags UI. tagsClient() hangs it into the
+// LocaleProvider as a fallback bundle — apps override individual keys via
+// tagsClient({ translations: { de: { ... } } }). Keys follow `tags.<area>.<slug>`.
+
+import type { TranslationsByLocale } from "@cosmicdrift/kumiko-renderer";
+
+export const defaultTranslations: TranslationsByLocale = {
+  de: {
+    "tags.section.createMode": "Speichere zuerst den Eintrag, um Tags zu setzen.",
+    "tags.section.loading": "Lädt…",
+    "tags.section.none": "Keine Tags.",
+    "tags.section.newLabel": "Neuer Tag",
+    "tags.section.create": "Tag anlegen & zuweisen",
+    "tags.section.working": "Speichert…",
+  },
+  en: {
+    "tags.section.createMode": "Save the entity first to add tags.",
+    "tags.section.loading": "Loading…",
+    "tags.section.none": "No tags.",
+    "tags.section.newLabel": "New tag",
+    "tags.section.create": "Create & attach tag",
+    "tags.section.working": "Saving…",
+  },
+};

package/src/tags/web/index.ts

@@ -0,0 +1,4 @@
+// @runtime client
+export { TAGS_SECTION_EXTENSION_NAME, TagsHandlers, TagsQueries } from "../constants";
+export { tagsClient } from "./client-plugin";
+export { TagSection } from "./tag-section";

package/src/tags/web/tag-section.tsx

@@ -0,0 +1,204 @@
+// @runtime client
+// TagSection — drop-in tag manager for ANY entity. Given an entityName +
+// entityId it shows the entity's current tags and lets the user attach an
+// existing tag, create-and-attach a new one, or detach a tag. Tag writes are
+// immediate (assign/remove are idempotent), so the section owns its own state
+// and refetches after each action — it is NOT part of a host form's save.
+//
+// Two ways to mount (both need tagsClient() registered once, for i18n):
+//   - standalone:   <TagSection entityName="note" entityId={noteId} />
+//   - extension:    a screen-schema section with
+//                   component: { react: { __component: TAGS_SECTION_EXTENSION_NAME } }
+//                   (RenderEdit passes { entityName, entityId }).
+
+import {
+  useDispatcher,
+  usePrimitives,
+  useQuery,
+  useTranslation,
+} from "@cosmicdrift/kumiko-renderer";
+import { type ReactNode, useState } from "react";
+import { TagsHandlers, TagsQueries } from "../constants";
+
+type TagRow = { readonly id: string; readonly name: string; readonly color?: string | null };
+type AssignmentRow = {
+  readonly tagId: string;
+  readonly entityType: string;
+  readonly entityId: string;
+};
+type TagListResponse = { readonly rows: readonly TagRow[] };
+type AssignmentListResponse = { readonly rows: readonly AssignmentRow[] };
+
+// Structural shape of a dispatcher write result for the generic action wrapper.
+// The real WriteResult (a discriminated union) is assignable to this; narrowing
+// on `isSuccess` reaches `error.i18nKey` without importing server-side types.
+type ActionResult =
+  | { readonly isSuccess: true }
+  | { readonly isSuccess: false; readonly error: { readonly i18nKey: string } };
+
+export function TagSection({
+  entityName,
+  entityId,
+}: {
+  readonly entityName: string;
+  readonly entityId: string | null;
+}): ReactNode {
+  const { Banner, Button, Field, Input, Text } = usePrimitives();
+  const t = useTranslation();
+  const dispatcher = useDispatcher();
+  const enabled = entityId !== null;
+  const catalog = useQuery<TagListResponse>(TagsQueries.tagList, {}, { enabled });
+  const assignments = useQuery<AssignmentListResponse>(
+    TagsQueries.assignmentList,
+    { filter: { field: "entityId", op: "eq", value: entityId } },
+    { enabled },
+  );
+  const [newName, setNewName] = useState("");
+  const [busy, setBusy] = useState(false);
+  const [errorKey, setErrorKey] = useState<string | null>(null);
+
+  if (entityId === null) {
+    return (
+      <Banner variant="info" testId="tags-section-create-mode">
+        <Text>{t("tags.section.createMode")}</Text>
+      </Banner>
+    );
+  }
+  if (
+    (catalog.loading && catalog.data === null) ||
+    (assignments.loading && assignments.data === null)
+  ) {
+    return (
+      <Banner variant="loading" testId="tags-section-loading">
+        <Text>{t("tags.section.loading")}</Text>
+      </Banner>
+    );
+  }
+  const queryError = catalog.error ?? assignments.error;
+  if (queryError) {
+    return (
+      <Banner variant="error" testId="tags-section-error">
+        <Text>{t(queryError.i18nKey, queryError.i18nParams)}</Text>
+      </Banner>
+    );
+  }
+
+  const catalogTags = catalog.data?.rows ?? [];
+  const byId = new Map(catalogTags.map((tg) => [tg.id, tg]));
+  const assignedRows = (assignments.data?.rows ?? []).filter((r) => r.entityType === entityName);
+  const assignedIds = new Set(assignedRows.map((r) => r.tagId));
+  const assignedTags = assignedRows.map((r) => byId.get(r.tagId) ?? { id: r.tagId, name: r.tagId });
+  const available = catalogTags.filter((tg) => !assignedIds.has(tg.id));
+
+  const refetch = async (): Promise<void> => {
+    await Promise.all([catalog.refetch(), assignments.refetch()]);
+  };
+
+  const run = async (action: () => Promise<ActionResult>): Promise<void> => {
+    setBusy(true);
+    setErrorKey(null);
+    try {
+      const result = await action();
+      if (!result.isSuccess) {
+        setErrorKey(result.error.i18nKey);
+        return;
+      }
+      await refetch();
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  const assign = (tagId: string): Promise<void> =>
+    run(() =>
+      dispatcher.write(TagsHandlers.assignTag, { tagId, entityType: entityName, entityId }),
+    );
+
+  const detach = (tagId: string): Promise<void> =>
+    run(() =>
+      dispatcher.write(TagsHandlers.removeTag, { tagId, entityType: entityName, entityId }),
+    );
+
+  const createAndAssign = async (): Promise<void> => {
+    const name = newName.trim();
+    if (name === "") return;
+    setBusy(true);
+    setErrorKey(null);
+    try {
+      const created = await dispatcher.write<{ id: string }>(TagsHandlers.createTag, { name });
+      if (!created.isSuccess) {
+        setErrorKey(created.error.i18nKey);
+        return;
+      }
+      const assigned = await dispatcher.write(TagsHandlers.assignTag, {
+        tagId: created.data.id,
+        entityType: entityName,
+        entityId,
+      });
+      if (!assigned.isSuccess) {
+        setErrorKey(assigned.error.i18nKey);
+        return;
+      }
+      setNewName("");
+      await refetch();
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <div data-testid="tags-section">
+      {assignedTags.length === 0 ? (
+        <Text>{t("tags.section.none")}</Text>
+      ) : (
+        assignedTags.map((tg) => (
+          <Button
+            key={tg.id}
+            variant="secondary"
+            disabled={busy}
+            onClick={() => void detach(tg.id)}
+            testId={`tags-section-remove-${tg.id}`}
+          >
+            {`${tg.name} ✕`}
+          </Button>
+        ))
+      )}
+
+      {available.map((tg) => (
+        <Button
+          key={tg.id}
+          variant="secondary"
+          disabled={busy}
+          onClick={() => void assign(tg.id)}
+          testId={`tags-section-assign-${tg.id}`}
+        >
+          {`+ ${tg.name}`}
+        </Button>
+      ))}
+
+      <Field id="tags-section-new" label={t("tags.section.newLabel")}>
+        <Input
+          kind="text"
+          id="tags-section-new"
+          name="newTag"
+          value={newName}
+          onChange={setNewName}
+        />
+      </Field>
+      <Button
+        variant="primary"
+        disabled={busy || newName.trim() === ""}
+        onClick={() => void createAndAssign()}
+        testId="tags-section-create"
+      >
+        {busy ? t("tags.section.working") : t("tags.section.create")}
+      </Button>
+
+      {errorKey !== null && (
+        <Banner variant="error" testId="tags-section-action-error">
+          <Text>{t(errorKey)}</Text>
+        </Banner>
+      )}
+    </div>
+  );
+}

package/src/user/schema/user.ts

@@ -141,6 +141,17 @@ export const userEntity = createEntity({
     gracePeriodEnd: createTimestampField({
       access: { write: access.privileged },
     }),
+
+    // Replay-Schutz für den anonymen email-Token-Deletion-Flow (#354/1).
+    // Gesetzt von request-deletion-by-email (eine UUID pro Mail-Antrag),
+    // genullt von cancel-deletion. confirm-deletion-by-token faltet diese ID
+    // in die HMAC-Purpose des Tokens — ein nach einem Cancel nachgespieltes
+    // (noch TTL-gültiges) Token verifiziert gegen die genullte/erneuerte ID
+    // nicht mehr. NULL solange kein email-Antrag offen ist.
+    pendingDeletionRequestId: createTextField({
+      maxLength: 36,
+      access: { write: access.privileged },
+    }),
   },
 });
 

package/src/user-data-rights/__tests__/anonymous-deletion.integration.test.ts

@@ -31,6 +31,7 @@ import type { SendDeletionVerificationEmailFn } from "../handlers/request-deleti
 
 const REQUEST_BY_EMAIL = "user-data-rights:write:request-deletion-by-email";
 const CONFIRM_BY_TOKEN = "user-data-rights:write:confirm-deletion-by-token";
+const CANCEL_DELETION = "user-data-rights:write:cancel-deletion";
 const DELETION_SECRET = "test-deletion-secret-0123456789abcdef";
 const VERIFY_URL = "https://app.example.test/delete-account/confirm";
 
@@ -166,8 +167,9 @@ describe("anonymous deletion flow", () => {
     expect(first.status).toBe(200);
     expect(await statusOf()).toBe(USER_STATUS.DeletionRequested);
 
-    // Token ist bewusst replaybar (kein single-use); die Replay-Sicherheit kommt
-    // allein aus dem Active-State-Guard — zweites Confirm trifft non-active → 422.
+    // Pre-cancel-Replay: zweites Confirm trifft den noch-pending User
+    // (DeletionRequested) → der Active-State-Guard schlägt zu → 422. (Den
+    // post-cancel-Replay deckt der requestId-Test darunter ab.)
     const second = await stack.http.raw("POST", "/api/write", {
       type: CONFIRM_BY_TOKEN,
       payload: { token },
@@ -187,6 +189,82 @@ describe("anonymous deletion flow", () => {
     expect(serialized).not.toContain(USER_STATUS.DeletionRequested);
   });
 
+  test("replay-after-cancel (#354/1): Token nach cancel-deletion re-armt NICHT → 422, bleibt Active", async () => {
+    await seedAlice();
+    await stack.http.raw("POST", "/api/write", {
+      type: REQUEST_BY_EMAIL,
+      payload: { email: ALICE_EMAIL },
+    });
+    const token = tokenFromLastVerifyCall();
+
+    // 1. Confirm armt die Grace-Period.
+    expect(
+      (await stack.http.raw("POST", "/api/write", { type: CONFIRM_BY_TOKEN, payload: { token } }))
+        .status,
+    ).toBe(200);
+    expect(await statusOf()).toBe(USER_STATUS.DeletionRequested);
+
+    // 2. User loggt sich (innerhalb der Grace) ein und bricht ab → Active,
+    //    pendingDeletionRequestId genullt.
+    await stack.http.writeOk(CANCEL_DELETION, {}, aliceUser);
+    expect(await statusOf()).toBe(USER_STATUS.Active);
+
+    // 3. Dasselbe, noch TTL-gültige Token nachspielen → die genullte requestId
+    //    lässt die HMAC-Purpose nicht mehr aufgehen → 422, kein re-arm.
+    const replay = await stack.http.raw("POST", "/api/write", {
+      type: CONFIRM_BY_TOKEN,
+      payload: { token },
+    });
+    expect(replay.status).toBe(422);
+    expect(await statusOf()).toBe(USER_STATUS.Active);
+  });
+
+  test("supersede (#354/1): altes Token re-armt NICHT, nachdem ein zweiter Antrag eine neue requestId setzt", async () => {
+    // Der diskriminierende Fall gegen einen presence-only-Check: nach cancel
+    // macht ein FRISCHER Antrag den marker wieder non-null (neue requestId).
+    // Ein presence-only-Guard würde das alte Token jetzt fälschlich akzeptieren;
+    // der requestId-Match lehnt es ab (token1 trägt R1, Row hält R2).
+    await seedAlice();
+
+    await stack.http.raw("POST", "/api/write", {
+      type: REQUEST_BY_EMAIL,
+      payload: { email: ALICE_EMAIL },
+    });
+    const token1 = tokenFromLastVerifyCall();
+
+    await stack.http.raw("POST", "/api/write", {
+      type: CONFIRM_BY_TOKEN,
+      payload: { token: token1 },
+    });
+    await stack.http.writeOk(CANCEL_DELETION, {}, aliceUser);
+    expect(await statusOf()).toBe(USER_STATUS.Active);
+
+    // Zweiter Antrag → neue requestId R2 auf der Row + token2.
+    verifyCalls.length = 0;
+    await stack.http.raw("POST", "/api/write", {
+      type: REQUEST_BY_EMAIL,
+      payload: { email: ALICE_EMAIL },
+    });
+    const token2 = tokenFromLastVerifyCall();
+    expect(token2).not.toBe(token1);
+
+    // Altes token1 (R1) gegen Row mit R2 → bad_signature → 422, kein re-arm.
+    const replayOld = await stack.http.raw("POST", "/api/write", {
+      type: CONFIRM_BY_TOKEN,
+      payload: { token: token1 },
+    });
+    expect(replayOld.status).toBe(422);
+    expect(await statusOf()).toBe(USER_STATUS.Active);
+
+    // Gegenprobe: das aktuelle token2 (R2) armt regulär.
+    const confirmNew = await stack.http.raw("POST", "/api/write", {
+      type: CONFIRM_BY_TOKEN,
+      payload: { token: token2 },
+    });
+    expect(confirmNew.status).toBe(200);
+    expect(await statusOf()).toBe(USER_STATUS.DeletionRequested);
+  });
+
   test("request-by-email für nicht-existente Email → success, KEINE Mail (enumeration-safe)", async () => {
     await seedAlice();
     const res = await stack.http.raw("POST", "/api/write", {
@@ -221,7 +299,19 @@ describe("anonymous deletion flow", () => {
 
   test("confirm mit falsch-signiertem Token → 422", async () => {
     await seedAlice();
-    const { token } = signDeletionToken(aliceUser.id, 60, "the-wrong-secret-totally-different");
+    // Erst einen echten Antrag stellen, damit eine requestId auf der Row liegt
+    // — sonst greift schon der no-outstanding-request-Guard und der Bad-
+    // Signature-Pfad würde nie erreicht.
+    await stack.http.raw("POST", "/api/write", {
+      type: REQUEST_BY_EMAIL,
+      payload: { email: ALICE_EMAIL },
+    });
+    const { token } = signDeletionToken(
+      aliceUser.id,
+      "forged-request-id",
+      60,
+      "the-wrong-secret-totally-different",
+    );
     const res = await stack.http.raw("POST", "/api/write", {
       type: CONFIRM_BY_TOKEN,
       payload: { token },
@@ -282,7 +372,7 @@ describe("anonymous deletion flow — not configured (kein Secret)", () => {
   });
 
   test("confirm ohne Secret → 422", async () => {
-    const { token } = signDeletionToken(aliceUser.id, 60, DELETION_SECRET);
+    const { token } = signDeletionToken(aliceUser.id, "req-id", 60, DELETION_SECRET);
     const res = await bareStack.http.raw("POST", "/api/write", {
       type: CONFIRM_BY_TOKEN,
       payload: { token },

package/src/user-data-rights/deletion-token.ts

@@ -4,13 +4,13 @@
 // flow, so it reuses the same self-contained token mechanism (no DB row, no
 // Redis: the userId + expiry are baked into the signed token).
 //
-// The token is NOT single-use: replaying it on a still-pending (non-active)
-// user is a no-op (confirm hits non-active → cannot_process_deletion). That
-// idempotency is only bounded though — after a cancel-deletion the user is
-// active again and a still-valid token re-arms a second grace period. The
-// replay window is bounded by the TTL; the full fix (per-request requestId
-// bound into the token + the user row, nulled on cancel) is deferred as review
-// finding #354/1 (needs a shared user-entity migration).
+// Replay-after-cancel (#354/1): the per-request `requestId` is folded INTO the
+// HMAC purpose (`deletion-request:<requestId>`), not carried in the token body.
+// The same id is stored on the user row when the request is minted and nulled
+// on cancel. confirm recomputes the HMAC with the row's CURRENT id, so a token
+// from a cancelled cycle (row id nulled) or a superseded one (row holds a newer
+// id) fails verification — the bounded-TTL replay window is closed without
+// touching the shared signToken/verifyToken primitive.
 
 import type { Temporal } from "temporal-polyfill";
 import { signToken, verifyToken } from "../auth-email-password";
@@ -21,21 +21,42 @@ export type VerifyResult =
   | { readonly ok: true; readonly userId: string; readonly expiresAtMs: number }
   | { readonly ok: false; readonly reason: "malformed" | "bad_signature" | "expired" };
 
-// @wrapper-known semantic-alias
+function deletionPurpose(requestId: string): string {
+  return `${DELETION_REQUEST_PURPOSE}:${requestId}`;
+}
+
 export function signDeletionToken(
   userId: string,
+  requestId: string,
   ttlMinutes: number,
   secret: string,
   now?: Temporal.Instant,
 ): { token: string; expiresAt: Temporal.Instant } {
-  return signToken(userId, DELETION_REQUEST_PURPOSE, ttlMinutes, secret, now);
+  return signToken(userId, deletionPurpose(requestId), ttlMinutes, secret, now);
 }
 
-// @wrapper-known semantic-alias
 export function verifyDeletionToken(
   token: string,
+  requestId: string,
   secret: string,
   now?: Temporal.Instant,
 ): VerifyResult {
-  return verifyToken(token, DELETION_REQUEST_PURPOSE, secret, now);
+  return verifyToken(token, deletionPurpose(requestId), secret, now);
+}
+
+// Reads the userId from the token body WITHOUT verifying the HMAC — used only
+// to look up the row's current requestId, which is itself an input to the
+// verification below. The signature is still the gate; this peek never grants
+// trust. Token format is `<userId>.<expiresAtMs>.<sig>`.
+//
+// Mirrors verifyToken's structural malformed-checks so an obviously-bogus token
+// returns null here (→ generic reject) instead of reaching the DB lookup.
+export function peekDeletionTokenUserId(token: string): string | null {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [userId, expiresAtRaw, sig] = parts;
+  if (!userId || !expiresAtRaw || !sig) return null;
+  const expiresAtMs = Number(expiresAtRaw);
+  if (!Number.isFinite(expiresAtMs) || String(expiresAtMs) !== expiresAtRaw) return null;
+  return userId;
 }

package/src/user-data-rights/handlers/cancel-deletion.write.ts

@@ -67,6 +67,10 @@ export const cancelDeletionWrite = defineWriteHandler({
       {
         status: USER_STATUS.Active,
         gracePeriodEnd: null,
+        // #354/1: schließt das replay-after-cancel-Fenster — ein noch
+        // TTL-gültiges email-Token verifiziert gegen die genullte requestId
+        // nicht mehr und kann keine zweite Grace-Period armen.
+        pendingDeletionRequestId: null,
       },
       { id: event.user.id },
     );

package/src/user-data-rights/handlers/confirm-deletion-by-token.write.ts

@@ -1,8 +1,9 @@
-import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { defineWriteHandler, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
-import { USER_STATUS } from "../../user";
-import { verifyDeletionToken } from "../deletion-token";
+import { USER_STATUS, userTable } from "../../user";
+import { peekDeletionTokenUserId, verifyDeletionToken } from "../deletion-token";
 import { startDeletionGracePeriod } from "./deletion-grace-period";
 
 export type ConfirmDeletionByTokenOptions = {
@@ -17,18 +18,35 @@ function invalidToken(): UnprocessableError {
   });
 }
 
+// userId stammt aus dem noch-unverifizierten Token (Angreifer-Eingabe). Ein
+// fehlgeschlagener Lookup — z.B. eine typfremde id auf einer int/uuid-Spalte —
+// darf nicht als 500 durchschlagen; null behandelt der Caller wie "kein offener
+// Antrag" (generischer 422). Die HMAC-Prüfung bleibt der eigentliche Gate.
+async function readPendingDeletionRequestId(
+  ctx: HandlerContext,
+  userId: string,
+): Promise<string | null> {
+  try {
+    const row = await fetchOne<{ pendingDeletionRequestId: string | null }>(ctx.db.raw, userTable, {
+      id: userId,
+    });
+    return row?.["pendingDeletionRequestId"] ?? null;
+  } catch {
+    return null;
+  }
+}
+
 // Anonymer Apex-Flow Schritt 2: Verify-Link-Target. Verifiziert das
 // HMAC-Token, extrahiert die userId und startet die Grace-Period über die
 // geteilte Logik.
 //
-// Idempotenz ist NUR bounded: ein zweites Confirm auf einen noch-pending
-// (DeletionRequested) User trifft non-active → cannot_process_deletion. ABER
-// nach einem cancel-deletion (status → Active, gracePeriodEnd → null) ist der
-// User wieder aktiv; ein noch-gültiges Token (TTL aus request-deletion-by-email)
-// re-armt dann eine zweite Grace-Period (replay-after-cancel). Das Risiko ist
-// durch die Token-TTL begrenzt; der vollständige Fix (requestId pro Request im
-// Token + auf der User-Row, vom cancel genullt) ist als review-finding #354/1
-// deferred — er braucht eine Migration der geteilten user-Entity.
+// Replay-Schutz (#354/1): die requestId der Row ist Teil des Verify-Keys. Wir
+// lesen sie über die (unverifizierte, nur-Lookup) userId aus dem Token, lehnen
+// einen fehlenden Eintrag ab und verifizieren das Token gegen die CURRENT
+// requestId. Ein zweites Confirm auf einen noch-pending User trifft zudem
+// non-active → cannot_process_deletion. Nach einem cancel-deletion (status →
+// Active, pendingDeletionRequestId → null) schlägt ein nachgespieltes Token an
+// der genullten/erneuerten requestId fehl — kein re-arm mehr.
 export function createConfirmDeletionByTokenHandler(opts: ConfirmDeletionByTokenOptions = {}) {
   return defineWriteHandler({
     name: "confirm-deletion-by-token",
@@ -38,7 +56,22 @@ export function createConfirmDeletionByTokenHandler(opts: ConfirmDeletionByToken
     handler: async (event, ctx) => {
       if (!opts.deletionTokenSecret) return writeFailure(invalidToken());
 
-      const verified = verifyDeletionToken(event.payload.token, opts.deletionTokenSecret);
+      const peekedUserId = peekDeletionTokenUserId(event.payload.token);
+      if (!peekedUserId) return writeFailure(invalidToken());
+
+      // Die requestId der Row ist Teil des Verify-Keys (HMAC-Purpose). Kein
+      // offener Antrag (null) → das Token gehört zu einem abgebrochenen Zyklus
+      // → Reject ohne weitere Signal-Preisgabe (gleicher generischer 422). Der
+      // peekedUserId ist unverifizierte Angreifer-Eingabe — ein Lookup-Fehler
+      // (z.B. typfremde id) wird zu demselben generischen 422, nie zu einem 500.
+      const requestId = await readPendingDeletionRequestId(ctx, peekedUserId);
+      if (!requestId) return writeFailure(invalidToken());
+
+      const verified = verifyDeletionToken(
+        event.payload.token,
+        requestId,
+        opts.deletionTokenSecret,
+      );
       if (!verified.ok) return writeFailure(invalidToken());
 
       const res = await startDeletionGracePeriod(ctx, verified.userId, event.user.tenantId);

package/src/user-data-rights/handlers/request-deletion-by-email.write.ts

@@ -1,4 +1,4 @@
-import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
@@ -75,8 +75,20 @@ export function createRequestDeletionByEmailHandler(opts: RequestDeletionByEmail
         return success;
       }
 
+      // Replay-Schutz (#354/1): pro Antrag eine frische requestId, die auf der
+      // user-Row landet und in die Token-HMAC-Purpose gefaltet wird. cancel
+      // nullt sie → ein nach Cancel nachgespieltes Token verifiziert nicht mehr.
+      const requestId = crypto.randomUUID();
+      await updateMany(
+        ctx.db.raw,
+        userTable,
+        { pendingDeletionRequestId: requestId },
+        { id: userRow["id"] },
+      );
+
       const { token, expiresAt } = signDeletionToken(
         userRow["id"],
+        requestId,
         DELETION_VERIFY_TTL_MINUTES,
         opts.deletionTokenSecret,
       );