@cosmicdrift/kumiko-bundled-features 0.64.0 → 0.65.0

package/src/user-data-rights/__tests__/read-users-rebuild-survives-lifecycle.integration.test.ts

@@ -0,0 +1,233 @@
+// #494 — ein read_users-Projection-Rebuild darf den Lifecycle-State nicht
+// wegwischen. Die user-Entity ist event-sourced bei CREATE (user.created),
+// aber Lifecycle-Mutationen (restrict/grace-period/cancel/...) waren rohe
+// updateMany OHNE Event. Ein Rebuild replayt damit nur user.created und setzt
+// status zurueck auf den Default (Active) — Datenverlust auf einem DSGVO-Pfad.
+//
+// Diskriminierend: T_create (Stream des user.created — Signup-Tenant) MUSS
+// ungleich T_active (aktiver Tenant zur Lifecycle-Zeit) sein. Nur so wird der
+// Prod-Zustand reproduziert und das Stream-Rescope eingelockt. Ein
+// same-tenant-Test gaebe falsches GREEN: er liefe sogar mit `event.user`
+// durch (gleicher Tenant -> gleicher Stream) und liesse einen Rueckbau auf
+// `event.user` unentdeckt — genau die Naht, an der prod bricht.
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { randomBytes } from "node:crypto";
+import { selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import { createRegistry, type Registry, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createProjectionStateTable,
+  rebuildProjection,
+} from "@cosmicdrift/kumiko-framework/pipeline";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  testTenantId,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createLateBoundHolder, resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { AuthHandlers } from "../../auth-email-password/constants";
+import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
+import { hashPassword } from "../../auth-email-password/password-hashing";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createDataRetentionFeature } from "../../data-retention";
+import { createSessionsFeature } from "../../sessions";
+import { userSessionEntity, userSessionTable } from "../../sessions/schema/user-session";
+import { createSessionCallbacks, type SessionCallbacks } from "../../sessions/session-callbacks";
+import { sessionCallbacksFromLateBound } from "../../sessions/testing";
+import { createTenantFeature, tenantMembershipsTable } from "../../tenant";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/seeding";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { UserHandlers } from "../../user/constants";
+import { createUserDataRightsFeature } from "../feature";
+import { backfillUserLifecycleEvents, updateUserLifecycle } from "../lib/update-user-lifecycle";
+
+const RESTRICT = "user-data-rights:write:restrict-account";
+const USER_PROJECTION = "user:projection:user-entity";
+// T_create: Stream auf den user.created landet (systemAdmin-Signup-Tenant).
+const T_CREATE: TenantId = testTenantId(1);
+// T_active: aktiver Tenant des Users zur Lifecycle-Zeit — bewusst ungleich.
+const T_ACTIVE: TenantId = testTenantId(2);
+
+const ALICE_EMAIL = "alice.rebuild@example.com";
+const ALICE_PW = "alice-pw-long-enough";
+
+let stack: TestStack;
+let registry: Registry;
+const callbacks = createLateBoundHolder<SessionCallbacks>("session-callbacks");
+const encryptionKey = randomBytes(32).toString("base64");
+
+function buildFeatures() {
+  return [
+    createConfigFeature(),
+    createUserFeature(),
+    createTenantFeature(),
+    createDataRetentionFeature(),
+    createComplianceProfilesFeature(),
+    createAuthEmailPasswordFeature(),
+    createSessionsFeature(),
+    createUserDataRightsFeature(),
+  ];
+}
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+  const bound = sessionCallbacksFromLateBound(callbacks);
+
+  stack = await setupTestStack({
+    features: buildFeatures(),
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      ...bound.asAuthConfig(),
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+    },
+  });
+  callbacks.set(createSessionCallbacks({ db: stack.db }));
+  // Eigene Registry fuer den Rebuild — enthaelt die implicit read_users-Projektion.
+  registry = createRegistry(buildFeatures());
+
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantEntity);
+  await unsafeCreateEntityTable(stack.db, userSessionEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await createEventsTable(stack.db);
+  await createProjectionStateTable(stack.db);
+  await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await resetTestTables(stack.db, [
+    userSessionTable,
+    userTable,
+    tenantMembershipsTable,
+    tenantComplianceProfileTable,
+    eventsTable,
+  ]);
+});
+
+describe("#494 :: read_users-Rebuild bewahrt Lifecycle-State", () => {
+  test("Restricted-Status ueberlebt einen Projection-Rebuild (T_create != T_active)", async () => {
+    // Diskriminierende Praemisse: user.created landet auf systemAdmin.tenantId
+    // (= T_CREATE), Lifecycle laeuft spaeter auf T_ACTIVE. Beide ungleich.
+    expect(TestUsers.systemAdmin.tenantId).toBe(T_CREATE);
+    expect(T_ACTIVE).not.toBe(T_CREATE);
+
+    // user.created landet auf T_CREATE (systemAdmin-Signup-Stream).
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: ALICE_EMAIL, passwordHash: hash, displayName: "Alice" },
+      TestUsers.systemAdmin,
+    );
+    // Mitgliedschaft + Lifecycle auf einem ANDEREN, aktiven Tenant.
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: T_ACTIVE,
+      roles: ["Member"],
+    });
+
+    const aliceActive = { id: created.id, tenantId: T_ACTIVE, roles: ["Member"] };
+    const restricted = await stack.http.writeOk<{ status: string }>(RESTRICT, {}, aliceActive);
+    expect(restricted.status).toBe(USER_STATUS.Restricted);
+
+    // Live-Row ist Restricted (sanity).
+    const before = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(before[0]?.status).toBe(USER_STATUS.Restricted);
+
+    // ECHTER Rebuild der read_users-Projektion aus dem Event-Log.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+
+    // RED auf aktuellem Code: restrict schrieb roh ohne Event -> der Rebuild
+    // replayt nur user.created -> status faellt auf Active zurueck.
+    // GREEN nach Stream-Rescope der Lifecycle-Handler.
+    const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(after[0]?.status).toBe(USER_STATUS.Restricted);
+  });
+
+  test("DeletionRequested + gracePeriodEnd (Date-Spalte) ueberleben den Rebuild", async () => {
+    // Direkt via Helper, ohne compliance-profile-Setup — der Fokus ist die
+    // Serialisierung der Date-Spalte durch das Event + den Reducer.
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: "grace.rebuild@example.com", passwordHash: hash, displayName: "Grace" },
+      TestUsers.systemAdmin,
+    );
+
+    const T = getTemporal();
+    const gracePeriodEnd = T.Now.instant().add({ hours: 24 });
+    await updateUserLifecycle(stack.db, created.id, {
+      status: USER_STATUS.DeletionRequested,
+      gracePeriodEnd,
+    });
+
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+
+    const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+      gracePeriodEnd: unknown;
+    }>;
+    expect(after[0]?.status).toBe(USER_STATUS.DeletionRequested);
+    // gracePeriodEnd ueberlebt — nicht null nach Replay.
+    expect(after[0]?.gracePeriodEnd).not.toBeNull();
+    expect(after[0]?.gracePeriodEnd).toBeDefined();
+  });
+
+  // Ehrlicher Spiegel zum Forward-Test: Bestandsdaten, deren Status der ALTE
+  // raw-Pfad (ohne Event) gesetzt hat, ueberleben einen Rebuild NICHT — bis der
+  // einmalige Backfill ihren Live-State als user.updated ins Event-Log spiegelt.
+  test("Bestandsdaten: alt-roh gesetzter Status wird ohne Backfill weggewischt, mit Backfill bewahrt", async () => {
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: "legacy.rebuild@example.com", passwordHash: hash, displayName: "Legacy" },
+      TestUsers.systemAdmin,
+    );
+
+    // Prae-Fix-Zustand simulieren: roher Write OHNE Event.
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: created.id });
+
+    // Ohne Backfill replayt der Rebuild nur user.created -> Status weggewischt.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    const wiped = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(wiped[0]?.status).toBe(USER_STATUS.Active);
+
+    // Bestand wieder in den divergenten Live-State bringen (der Rebuild hat ihn
+    // auf Active gesetzt) und den Reconcile laufen lassen.
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: created.id });
+    const backfilled = await backfillUserLifecycleEvents(stack.db);
+    expect(backfilled).toBeGreaterThanOrEqual(1);
+
+    // Jetzt traegt das Event-Log den State -> Rebuild bewahrt ihn.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    const survived = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(survived[0]?.status).toBe(USER_STATUS.Restricted);
+  });
+});

package/src/user-data-rights/constants.ts

@@ -0,0 +1,48 @@
+// @runtime client
+// Reine String-Konstanten — client-markiert, damit der PrivacyCenterScreen
+// (web/) sie importieren darf, ohne das runtime-Barrel des Features (und
+// damit dessen Server-/DOM-freien Code) zu ziehen. Runtime-Code
+// (feature.ts) darf client-Dateien ohnehin importieren.
+
+export const USER_DATA_RIGHTS_FEATURE = "user-data-rights" as const;
+
+// Dormant registriert (kein r.nav im Feature); Apps platzieren ihn via
+// r.nav. Qualifiziert: `user-data-rights:screen:privacy-center`.
+export const PRIVACY_CENTER_SCREEN_ID = "privacy-center" as const;
+
+export const UserDataRightsQueries = {
+  exportStatus: "user-data-rights:query:export-status",
+  myAuditLog: "user-data-rights:query:my-audit-log",
+} as const;
+
+export const UserDataRightsHandlers = {
+  requestExport: "user-data-rights:write:request-export",
+  requestDeletion: "user-data-rights:write:request-deletion",
+  cancelDeletion: "user-data-rights:write:cancel-deletion",
+  restrictAccount: "user-data-rights:write:restrict-account",
+} as const;
+
+// Fremde QN: der Lifecycle-Status (active / deletionRequested / restricted)
+// kommt aus dem user-Feature. Lokal gepinnt statt das user-runtime-Barrel zu
+// importieren (Runtime-Isolation, wie user-profile). Drift-Schutz: der
+// Screen-Test vergleicht gegen UserQueries.me.
+export const USER_ME_QUERY = "user:query:user:me" as const;
+
+// Download-Pfad des fertigen Export-Bundles: der dokumentierte UI-Klick-Pfad
+// (r.httpRoute in feature.ts), der per 302 auf die signed Storage-URL
+// weiterleitet. Anchor-navigierbar (Cookie-Auth wird mitgesendet).
+export function userExportByJobPath(jobId: string): string {
+  return `/user-export/by-job/${jobId}`;
+}
+
+// Client-safe Mirror von EXPORT_JOB_STATUS (schema/export-job.ts ist
+// server-only via Drizzle-Import). Drift-Schutz: der Screen-Test vergleicht
+// gegen die Schema-Originale.
+export const EXPORT_JOB_STATUS = {
+  Pending: "pending",
+  Running: "running",
+  Done: "done",
+  Failed: "failed",
+} as const;
+
+export type ExportJobStatus = (typeof EXPORT_JOB_STATUS)[keyof typeof EXPORT_JOB_STATUS];

package/src/user-data-rights/feature.ts

@@ -5,6 +5,7 @@ import {
   SYSTEM_USER_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { createFileProviderForTenant } from "../file-foundation";
+import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
 import { createConfirmDeletionByTokenHandler } from "./handlers/confirm-deletion-by-token.write";
 import { downloadByJobQuery } from "./handlers/download-by-job.query";
@@ -199,6 +200,20 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
     r.queryHandler(myAuditLogQuery);
     r.queryHandler(listDownloadAttemptsQuery);
 
+    // Dormant Self-Service-Screen (Art. 15/17/18/20): Export, Aktivitäts-
+    // protokoll, Einschränkung, Löschung in einem Screen. Kein r.nav — die
+    // App platziert ihn im eingeloggten Bereich. Die React-Component kommt
+    // client-seitig aus userDataRightsClient() (web/). access openToAll, weil
+    // kein App-Rollenname portabel ist; die per-User-Handler erzwingen Auth
+    // server-seitig, und der Screen ist ohne r.nav nirgends sichtbar bis die
+    // App ihn aktiv im authed-Bereich verlinkt.
+    r.screen({
+      id: PRIVACY_CENTER_SCREEN_ID,
+      type: "custom",
+      renderer: { react: { __component: "PrivacyCenterScreen" } },
+      access: { openToAll: true },
+    });
+
     // r.httpRoute-Wrapper: Magic-Link-Pfad (anonymous) + UI-Klick-Pfad.
     //
     // Beide rufen via app.fetch /api/query → wenn success: 302-Redirect

package/src/user-data-rights/handlers/cancel-deletion.write.ts

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 
 // POST /api/user/cancel-deletion (S2.U5).
 //
@@ -61,19 +62,14 @@ export const cancelDeletionWrite = defineWriteHandler({
       );
     }
 
-    await updateMany(
-      ctx.db.raw,
-      userTable,
-      {
-        status: USER_STATUS.Active,
-        gracePeriodEnd: null,
-        // #354/1: schließt das replay-after-cancel-Fenster — ein noch
-        // TTL-gültiges email-Token verifiziert gegen die genullte requestId
-        // nicht mehr und kann keine zweite Grace-Period armen.
-        pendingDeletionRequestId: null,
-      },
-      { id: event.user.id },
-    );
+    await updateUserLifecycle(ctx.db.raw, event.user.id, {
+      status: USER_STATUS.Active,
+      gracePeriodEnd: null,
+      // #354/1: schließt das replay-after-cancel-Fenster — ein noch
+      // TTL-gültiges email-Token verifiziert gegen die genullte requestId
+      // nicht mehr und kann keine zweite Grace-Period armen.
+      pendingDeletionRequestId: null,
+    });
 
     // gracePeriodEnd=null im Response symmetrisch zu request-deletion's
     // ISO-Timestamp — Frontend kann beide Endpoints uniform behandeln.

package/src/user-data-rights/handlers/deletion-grace-period.ts

@@ -1,9 +1,10 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { addDurationSpec, type DurationSpec } from "@cosmicdrift/kumiko-framework/compliance";
 import { createSystemUser, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError } from "@cosmicdrift/kumiko-framework/errors";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 
@@ -57,12 +58,10 @@ export async function startDeletionGracePeriod(
   const T = getTemporal();
   const gracePeriodEnd = addDurationSpec(T.Now.instant(), gracePeriod);
 
-  await updateMany(
-    ctx.db.raw,
-    userTable,
-    { status: USER_STATUS.DeletionRequested, gracePeriodEnd },
-    { id: userId },
-  );
+  await updateUserLifecycle(ctx.db.raw, userId, {
+    status: USER_STATUS.DeletionRequested,
+    gracePeriodEnd,
+  });
 
   return { ok: true, gracePeriodEnd, userEmail: userRow["email"] ?? "" };
 }

package/src/user-data-rights/handlers/lift-restriction.write.ts

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 
 // POST /api/user/lift-restriction (S2.U6) — DSGVO Art. 18 Reverse.
 //
@@ -50,7 +51,7 @@ export const liftRestrictionWrite = defineWriteHandler({
       );
     }
 
-    await updateMany(ctx.db.raw, userTable, { status: USER_STATUS.Active }, { id: event.user.id });
+    await updateUserLifecycle(ctx.db.raw, event.user.id, { status: USER_STATUS.Active });
 
     return {
       isSuccess: true as const,

package/src/user-data-rights/handlers/request-deletion-by-email.write.ts

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
 import { signDeletionToken } from "../deletion-token";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 
 // TTL des Verify-Links. 60 min — lang genug für einen Mail-Roundtrip,
 // kurz genug dass ein abgefangener Link nicht ewig gültig ist.
@@ -79,12 +80,9 @@ export function createRequestDeletionByEmailHandler(opts: RequestDeletionByEmail
       // user-Row landet und in die Token-HMAC-Purpose gefaltet wird. cancel
       // nullt sie → ein nach Cancel nachgespieltes Token verifiziert nicht mehr.
       const requestId = crypto.randomUUID();
-      await updateMany(
-        ctx.db.raw,
-        userTable,
-        { pendingDeletionRequestId: requestId },
-        { id: userRow["id"] },
-      );
+      await updateUserLifecycle(ctx.db.raw, userRow["id"], {
+        pendingDeletionRequestId: requestId,
+      });
 
       const { token, expiresAt } = signDeletionToken(
         userRow["id"],

package/src/user-data-rights/handlers/restrict-account.write.ts

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 
 // POST /api/user/restrict (S2.U6) — DSGVO Art. 18 Account-Freeze.
 // Flippt status=Active → Restricted und revoked alle live sessions
@@ -54,12 +55,7 @@ export const restrictAccountWrite = defineWriteHandler({
       );
     }
 
-    await updateMany(
-      ctx.db.raw,
-      userTable,
-      { status: USER_STATUS.Restricted },
-      { id: event.user.id },
-    );
+    await updateUserLifecycle(ctx.db.raw, event.user.id, { status: USER_STATUS.Restricted });
 
     // Cross-Feature: alle live sessions revoken — sonst koennte der User
     // mit existierendem JWT bis zur Token-Expiry weiter schreiben.

package/src/user-data-rights/index.ts

@@ -1,5 +1,8 @@
 export { createUserDataRightsFeature, type UserDataRightsOptions } from "./feature";
 export type { SendDeletionVerificationEmailFn } from "./handlers/request-deletion-by-email.write";
+// #494 Bestandsdaten-Reconcile — Apps rufen das einmalig vor dem Re-Enable
+// von read_users-Rebuilds (siehe lib-Doc).
+export { backfillUserLifecycleEvents } from "./lib/update-user-lifecycle";
 export type {
   SendExportFailedEmailFn,
   SendExportReadyEmailFn,

package/src/user-data-rights/lib/update-user-lifecycle.ts

@@ -0,0 +1,100 @@
+import { fetchOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
+import { createEventStoreExecutor, createTenantDb } from "@cosmicdrift/kumiko-framework/db";
+import { createSystemUser, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError } from "@cosmicdrift/kumiko-framework/errors";
+import { USER_STATUS, userEntity, userTable } from "../../user";
+
+// #494 — Lifecycle-Mutationen der user-Entity MUESSEN als `user.updated`-Event
+// laufen. Roh per updateMany geschrieben, wischt ein read_users-Rebuild sie
+// weg (er replayt nur `user.created` -> status faellt auf den Default zurueck;
+// gracePeriodEnd/pendingDeletionRequestId/Deleted gehen verloren = DSGVO-
+// Datenverlust).
+//
+// Das Event MUSS in denselben (tenant_id, aggregate_id)-Stream wie
+// `user.created` landen, sonst splittet das Aggregat ueber Tenants und der
+// Rebuild rekonstruiert nichts. Die user-Entity laeuft `r.systemScope()`, ihre
+// Events landen aber auf einem konkreten Tenant-Stream (siehe
+// auth-email-password/stream-tenant.ts; Root-Cause-Fix tracked in #497). Darum:
+// Rescope auf den Stream-Tenant des Users — den des `user.created`-Events,
+// NICHT `event.user.tenantId` (das ist der aktive Tenant zur Lifecycle-Zeit und
+// kann abweichen).
+const userExecutor = createEventStoreExecutor(userTable, userEntity, { entityName: "user" });
+
+// Stream-Tenant = die framework-injizierte tenant_id der read_users-Row. Der
+// Reducer setzt sie aus `user.created`.tenantId, ein Rebuild rekonstruiert sie
+// daraus — sie IST also der Stream-Key des Aggregats. Die Row direkt zu lesen
+// (statt das created-Event zu joinen) deckt auch direkt-geseedete Rows ab.
+async function streamTenantOf(conn: DbRunner, userId: string): Promise<TenantId | null> {
+  const row = await fetchOne<{ tenantId?: string }>(conn, userTable, { id: userId });
+  // @cast-boundary db-row — tenant_id ist eine TenantId-shaped uuid-Spalte.
+  return row?.tenantId ? (row.tenantId as TenantId) : null;
+}
+
+// `conn` ist ctx.db.raw (regulaere Handler) ODER die offene tx (forget-cleanup
+// Sub-Tx) — so bleibt der Event-Append atomar mit dem umgebenden Write.
+export async function updateUserLifecycle(
+  conn: DbRunner,
+  userId: string,
+  changes: Record<string, unknown>,
+): Promise<void> {
+  const streamTenantId = await streamTenantOf(conn, userId);
+  if (!streamTenantId) {
+    throw new InternalError({
+      message: `read_users row ${userId} has no tenant_id — cannot rescope lifecycle write to its stream tenant`,
+    });
+  }
+
+  // Rescope BEIDE Achsen auf den Stream-Tenant: der db-Arg treibt loadById +
+  // den Stream-Read, der user-Arg die Event-tenantId + Ownership. Nur beide
+  // zusammen halten created + updated auf einem Stream.
+  const tenantDb = createTenantDb(conn, streamTenantId, "tenant");
+  const result = await userExecutor.update(
+    { id: userId, changes },
+    createSystemUser(streamTenantId),
+    tenantDb,
+    { skipOptimisticLock: true },
+  );
+
+  if (!result.isSuccess) {
+    throw new InternalError({
+      message: `user lifecycle update failed for ${userId}: ${result.error.code}`,
+    });
+  }
+}
+
+// #494 Bestandsdaten-Reconcile: Rows, deren Lifecycle-State der alte
+// raw-updateMany-Pfad gesetzt hat, haben kein `user.updated`-Event — ein
+// Rebuild wuerde sie auf die `user.created`-Defaults zuruecksetzen. Diese
+// Funktion emittiert pro divergenter Row ein `user.updated` mit dem aktuellen
+// Live-State, sodass Event-Log und Live-Tabelle wieder uebereinstimmen.
+// MUSS einmalig ueber den Bestand laufen, BEVOR eine App read_users-Rebuilds
+// re-enabled. Idempotent gegen State (ein zweiter Lauf haengt ein identisches
+// user.updated an — harmlos, last-write-wins beim Replay).
+// ponytail: full read_users-Scan, in JS gefiltert — einmalige Migration, kein
+// Index/Streaming noetig. Bei Millionen-Rows: batchen.
+export async function backfillUserLifecycleEvents(conn: DbRunner): Promise<number> {
+  const rows = (await selectMany(conn, userTable, {})) as Array<{
+    id: string;
+    status: string;
+    gracePeriodEnd: unknown;
+    pendingDeletionRequestId: unknown;
+  }>;
+
+  let backfilled = 0;
+  for (const row of rows) {
+    const divergent =
+      row.status !== USER_STATUS.Active ||
+      row.gracePeriodEnd != null ||
+      row.pendingDeletionRequestId != null;
+    if (!divergent) continue;
+
+    await updateUserLifecycle(conn, row.id, {
+      status: row.status,
+      gracePeriodEnd: row.gracePeriodEnd,
+      pendingDeletionRequestId: row.pendingDeletionRequestId,
+    });
+    backfilled++;
+  }
+  return backfilled;
+}

package/src/user-data-rights/run-forget-cleanup.ts

@@ -32,7 +32,7 @@
 // gefailten Hooks bleibt im DeletionRequested-Status (next Lauf
 // retried automatisch).
 
-import { fetchOne, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbRunner } from "@cosmicdrift/kumiko-framework/db";
 import {
   EXT_USER_DATA,
@@ -47,6 +47,7 @@ import { resolveRetentionPolicyForTenant } from "../data-retention";
 import { tenantMembershipsTable } from "../tenant";
 import { USER_STATUS, userTable } from "../user";
 import { selectUsersDueForForgetCleanup } from "./db/queries/forget-cleanup";
+import { updateUserLifecycle } from "./lib/update-user-lifecycle";
 
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 
@@ -281,7 +282,7 @@ async function processUser(args: {
       // geworfen hat, kommen wir hier nicht an — die Tx rollback'd
       // alles, der User bleibt im DeletionRequested-Status, naechster
       // Run retried.
-      await updateMany(tx, userTable, { status: USER_STATUS.Deleted }, { id: userId });
+      await updateUserLifecycle(tx, userId, { status: USER_STATUS.Deleted });
       txSucceeded = true;
     });
   } catch (e) {