npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.64.0 → 0.66.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.64.0 → 0.66.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/src/tier-engine/feature.ts CHANGED Viewed

@@ -62,6 +62,7 @@ import {
   type TierResolverPlugin,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { getAggregateStreamMaxVersion } from "@cosmicdrift/kumiko-framework/event-store";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { z } from "zod";
 import { tierAssignmentAggregateId } from "./aggregate-id";
 import type { TierMap } from "./compose-app";
@@ -70,6 +71,7 @@ import { tierAssignmentEntity } from "./entity";
 import { getActiveTierQuery } from "./handlers/active-tier.query";
 import { getTenantTierQuery } from "./handlers/get-tenant-tier.query";
 import { createSetTenantTierWrite } from "./handlers/set-tenant-tier.write";
+import { isTrialActive, type TrialPolicy } from "./trial";
 // Drizzle-table for the tier-assignment-entity. Built once at module-load
 // from the entity definition — same shape buildEntityTable would produce
@@ -115,6 +117,15 @@ export type CreateTierEngineOptions<TCaps extends Readonly<Record<string, unknow
    * oder eigene resolution-logic nutzen (legacy-pattern).
    */
   readonly tierMap?: TierMap<TCaps>;
+  /**
+   * Optionale Trial-Phase: jeder Tenant bekommt für `durationHours` ab seinem
+   * Anlage-Datum zusätzlich die Features von `trial.tier` freigeschaltet,
+   * danach fällt er automatisch auf sein gespeichertes Tier zurück. Erfordert
+   * `tierMap` (der Trial-Tier muss ein Key sein). Zeit-abgeleitet aus
+   * inserted_at — kein Stored-Flag, kein Scheduler.
+   */
+  readonly trial?: TrialPolicy;
 };
 /**
@@ -242,6 +253,17 @@ export function createTierEngineFeature<
     // Requests (build läuft pre-listen via runDevApp/runProdApp-pickup).
     const alwaysOnHolder: { set: ReadonlySet<string> } = { set: new Set() };
+    // Trial-State: tenantId → inserted_at als epochMilliseconds (Anlage-Datum
+    // der Assignment ≈ Signup, rebuild-stabil). Trial wird at-resolve-time aus
+    // (jetzt vs startedAt + durationHours) berechnet, NICHT gecacht — anders als
+    // das Feature-Set ändert sich der Trial-Status mit der Zeit. trialFeatures
+    // ist die fixe Feature-Menge des Trial-Tiers (einmal aufgelöst).
+    const trialClock = new Map<TenantId, number>();
+    const trialFeatures: ReadonlySet<string> = opts.trial
+      ? featuresForTier(tierMap, opts.trial.tier)
+      : new Set();
+    const nowMs = (): number => getTemporal().Now.instant().epochMilliseconds;
     // set-tenant-tier schreibt direkt über den Executor → der postSave-Hook
     // unten feuert dabei NICHT. Diese Funktion repliziert den Cache-Update
     // des Hooks, damit ein manueller Grant das effektive Feature-Set sofort
@@ -249,6 +271,9 @@ export function createTierEngineFeature<
     // Semantik wie der Hook.
     onTierAssigned.fn = (tenantId, tier) => {
       cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, tier)));
+      // Trial-Uhr nur setzen, wenn unbekannt: ein manueller Grant ändert nicht
+      // das Signup-Datum eines bestehenden Tenants (build() hat es bereits).
+      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     };
     // Invalidation: tier-assignment events update the cache.
@@ -261,10 +286,12 @@ export function createTierEngineFeature<
       // throwing — der lifecycle-pipeline darf nicht durch hook-fehler
       // blocken (afterCommit-pattern, side-effect-best-effort).
       if (typeof data.tenantId !== "string" || typeof data.tier !== "string") return;
-      cache.set(
-        data.tenantId as TenantId,
-        mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, data.tier)),
-      );
+      const tenantId = data.tenantId as TenantId;
+      cache.set(tenantId, mergeAlwaysOn(alwaysOnHolder.set, featuresForTier(tierMap, data.tier)));
+      // Erstes Assignment eines Tenants = Signup → Trial-Uhr startet jetzt
+      // (inserted_at der frisch erzeugten Row ≈ now). Spätere Tier-Wechsel
+      // lassen die Uhr unberührt, sonst würde ein Upgrade das Fenster verlängern.
+      if (!trialClock.has(tenantId)) trialClock.set(tenantId, nowMs());
     });
     r.entityHook("postDelete", "tier-assignment", async (payload) => {
       const data = payload.data as { tenantId?: unknown }; // @cast-boundary engine-payload
@@ -385,15 +412,18 @@ export function createTierEngineFeature<
         // typischerweise <100k tenants — single-pass scan akzeptabel.
         // Skalierungs-Pfad (lazy-load + LRU) ist Sprint-8b wenn echtes
         // Bedürfnis entsteht.
-        type AssignmentRow = { tenantId: string; tier: string };
+        type AssignmentRow = { tenantId: string; tier: string; insertedAt: Temporal.Instant };
         const rows = await selectMany<AssignmentRow>(deps.db, tierAssignmentTable);
         for (const row of rows) {
           cache.set(
             row.tenantId as TenantId,
             mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, row.tier)),
           );
+          trialClock.set(row.tenantId as TenantId, row.insertedAt.epochMilliseconds);
         }
+        const trial = opts.trial;
         // Synchronous resolver-callback for dispatcher hot-path.
         return (tenantId: TenantId): ReadonlySet<string> => {
           // Operator-tooling + async-event-dispatch convention: SYSTEM_TENANT_ID
@@ -401,15 +431,25 @@ export function createTierEngineFeature<
           if (tenantId === SYSTEM_TENANT_ID) {
             return mergeAlwaysOn(computedAlwaysOn, unionAllTierFeatures(tierMap));
           }
-          const cached = cache.get(tenantId);
-          if (cached !== undefined) return cached;
           // Cache-miss: tenant ist noch nicht im cache (z.B. brandneu nach
           // boot, oder defaultTier-hook hat noch nicht gefired). Default-Set
           // ist least-privileged — typisch Free-Tier-features. Memory
           // `feedback_security_default_on`: secure-by-default.
           const fallbackTier = opts.defaultTier;
-          if (fallbackTier === undefined) return computedAlwaysOn;
-          return mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier));
+          const base =
+            cache.get(tenantId) ??
+            (fallbackTier === undefined
+              ? computedAlwaysOn
+              : mergeAlwaysOn(computedAlwaysOn, featuresForTier(tierMap, fallbackTier)));
+          // Trial: innerhalb des Fensters ab Signup zusätzlich die Trial-Tier-
+          // Features. Zeit-abgeleitet → pro Request geprüft, nie gecacht.
+          if (trial !== undefined) {
+            const startedMs = trialClock.get(tenantId);
+            if (startedMs !== undefined && isTrialActive(startedMs, nowMs(), trial.durationHours)) {
+              return mergeAlwaysOn(base, trialFeatures);
+            }
+          }
+          return base;
         };
       },
     };

package/src/tier-engine/handlers/get-tenant-tier.query.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import {
 } from "@cosmicdrift/kumiko-framework/db";
 import { defineQueryHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
-import { tierAssignmentEntity } from "../entity";
+import { type TierAssignmentRow, tierAssignmentEntity } from "../entity";
 // Liest das Tier-Assignment eines BELIEBIGEN Tenants (cross-tenant) für den
 // tier-admin-Screen. SystemAdmin-only. get-active-tier liest nur den eigenen
@@ -15,14 +15,6 @@ import { tierAssignmentEntity } from "../entity";
 const tierAssignmentTable = buildEntityTable("tier-assignment", tierAssignmentEntity);
-type TierAssignmentRow = {
-  readonly id: string;
-  readonly version: number;
-  readonly tier: string;
-  readonly source: string | null;
-  readonly tenantId: string;
-};
 export const getTenantTierQuery = defineQueryHandler({
   name: "get-tenant-tier",
   schema: z.object({ tenantId: z.string().min(1) }),

package/src/tier-engine/handlers/set-tenant-tier.write.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import {
 import { defineWriteHandler, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { tierAssignmentAggregateId } from "../aggregate-id";
-import { tierAssignmentEntity } from "../entity";
+import { type TierAssignmentRow, tierAssignmentEntity } from "../entity";
 // SystemAdmin setzt das Tier eines BELIEBIGEN Tenants — manueller Grant ohne
 // Billing. Cross-tenant, daher SystemAdmin-only (kein TenantAdmin: sonst
@@ -39,14 +39,6 @@ const executor = createEventStoreExecutor(tierAssignmentTable, tierAssignmentEnt
   entityName: "tier-assignment",
 });
-type TierAssignmentRow = {
-  readonly id: string;
-  readonly version: number;
-  readonly tier: string;
-  readonly source: string | null;
-  readonly tenantId: string;
-};
 export type SetTenantTierOptions = {
   /** Nach erfolgreichem Write aufgerufen, damit feature.ts den Resolver-
    *  Cache aktualisieren kann (der Executor-Write feuert den postSave-Hook

package/src/tier-engine/index.ts CHANGED Viewed

@@ -24,3 +24,4 @@ export {
   createTierEngineFeature,
   tierEngineFeature,
 } from "./feature";
+export { isTrialActive, type TrialPolicy } from "./trial";

package/src/tier-engine/trial.ts ADDED Viewed

@@ -0,0 +1,26 @@
+// Trial-Phase: ein neuer Tenant bekommt für eine Karenzzeit ab seinem
+// Anlage-Datum (inserted_at der tier-assignment-Row — rebuild-stabil aus dem
+// Create-Event) zusätzlich die Features eines höheren Tiers, unabhängig vom
+// gespeicherten Tier. Rein zeit-abgeleitet: kein Stored-Flag, kein Scheduler,
+// automatischer Ablauf. Die App definiert die Policy (welcher Tier, wie lange);
+// die tier-engine wendet sie im Resolver an.
+export interface TrialPolicy {
+  // Tier, dessen Features während der Trial-Phase zusätzlich freigeschaltet
+  // werden (muss ein Key der tierMap sein, sonst greift kein Feature).
+  readonly tier: string;
+  // Länge der Trial-Phase ab inserted_at, in Stunden (720 = 30 Tage). Stunden
+  // statt Tage: Temporal.Instant kennt keine Kalender-Tage, 720h ist die
+  // ehrliche, DST-unabhängige Dauer.
+  readonly durationHours: number;
+}
+// Reine Millis-Arithmetik auf epochMilliseconds (die beide Seiten — Projektions-
+// Row und Now — liefern). Kein Date, keine TZ.
+export function isTrialActive(
+  startedAtEpochMs: number,
+  nowEpochMs: number,
+  durationHours: number,
+): boolean {
+  return nowEpochMs < startedAtEpochMs + durationHours * 3_600_000;
+}

package/src/user-data-rights/__tests__/read-users-rebuild-survives-lifecycle.integration.test.ts ADDED Viewed

@@ -0,0 +1,233 @@
+// #494 — ein read_users-Projection-Rebuild darf den Lifecycle-State nicht
+// wegwischen. Die user-Entity ist event-sourced bei CREATE (user.created),
+// aber Lifecycle-Mutationen (restrict/grace-period/cancel/...) waren rohe
+// updateMany OHNE Event. Ein Rebuild replayt damit nur user.created und setzt
+// status zurueck auf den Default (Active) — Datenverlust auf einem DSGVO-Pfad.
+//
+// Diskriminierend: T_create (Stream des user.created — Signup-Tenant) MUSS
+// ungleich T_active (aktiver Tenant zur Lifecycle-Zeit) sein. Nur so wird der
+// Prod-Zustand reproduziert und das Stream-Rescope eingelockt. Ein
+// same-tenant-Test gaebe falsches GREEN: er liefe sogar mit `event.user`
+// durch (gleicher Tenant -> gleicher Stream) und liesse einen Rueckbau auf
+// `event.user` unentdeckt — genau die Naht, an der prod bricht.
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { randomBytes } from "node:crypto";
+import { selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import { createRegistry, type Registry, type TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable, eventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  createProjectionStateTable,
+  rebuildProjection,
+} from "@cosmicdrift/kumiko-framework/pipeline";
+import {
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+  testTenantId,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createLateBoundHolder, resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { AuthHandlers } from "../../auth-email-password/constants";
+import { createAuthEmailPasswordFeature } from "../../auth-email-password/feature";
+import { hashPassword } from "../../auth-email-password/password-hashing";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+  tenantComplianceProfileTable,
+} from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createDataRetentionFeature } from "../../data-retention";
+import { createSessionsFeature } from "../../sessions";
+import { userSessionEntity, userSessionTable } from "../../sessions/schema/user-session";
+import { createSessionCallbacks, type SessionCallbacks } from "../../sessions/session-callbacks";
+import { sessionCallbacksFromLateBound } from "../../sessions/testing";
+import { createTenantFeature, tenantMembershipsTable } from "../../tenant";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/seeding";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { UserHandlers } from "../../user/constants";
+import { createUserDataRightsFeature } from "../feature";
+import { backfillUserLifecycleEvents, updateUserLifecycle } from "../lib/update-user-lifecycle";
+const RESTRICT = "user-data-rights:write:restrict-account";
+const USER_PROJECTION = "user:projection:user-entity";
+// T_create: Stream auf den user.created landet (systemAdmin-Signup-Tenant).
+const T_CREATE: TenantId = testTenantId(1);
+// T_active: aktiver Tenant des Users zur Lifecycle-Zeit — bewusst ungleich.
+const T_ACTIVE: TenantId = testTenantId(2);
+const ALICE_EMAIL = "alice.rebuild@example.com";
+const ALICE_PW = "alice-pw-long-enough";
+let stack: TestStack;
+let registry: Registry;
+const callbacks = createLateBoundHolder<SessionCallbacks>("session-callbacks");
+const encryptionKey = randomBytes(32).toString("base64");
+function buildFeatures() {
+  return [
+    createConfigFeature(),
+    createUserFeature(),
+    createTenantFeature(),
+    createDataRetentionFeature(),
+    createComplianceProfilesFeature(),
+    createAuthEmailPasswordFeature(),
+    createSessionsFeature(),
+    createUserDataRightsFeature(),
+  ];
+}
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+  const bound = sessionCallbacksFromLateBound(callbacks);
+  stack = await setupTestStack({
+    features: buildFeatures(),
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      ...bound.asAuthConfig(),
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+    },
+  });
+  callbacks.set(createSessionCallbacks({ db: stack.db }));
+  // Eigene Registry fuer den Rebuild — enthaelt die implicit read_users-Projektion.
+  registry = createRegistry(buildFeatures());
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantEntity);
+  await unsafeCreateEntityTable(stack.db, userSessionEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await createEventsTable(stack.db);
+  await createProjectionStateTable(stack.db);
+  await unsafePushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+afterAll(async () => {
+  await stack.cleanup();
+});
+beforeEach(async () => {
+  await resetTestTables(stack.db, [
+    userSessionTable,
+    userTable,
+    tenantMembershipsTable,
+    tenantComplianceProfileTable,
+    eventsTable,
+  ]);
+});
+describe("#494 :: read_users-Rebuild bewahrt Lifecycle-State", () => {
+  test("Restricted-Status ueberlebt einen Projection-Rebuild (T_create != T_active)", async () => {
+    // Diskriminierende Praemisse: user.created landet auf systemAdmin.tenantId
+    // (= T_CREATE), Lifecycle laeuft spaeter auf T_ACTIVE. Beide ungleich.
+    expect(TestUsers.systemAdmin.tenantId).toBe(T_CREATE);
+    expect(T_ACTIVE).not.toBe(T_CREATE);
+    // user.created landet auf T_CREATE (systemAdmin-Signup-Stream).
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: ALICE_EMAIL, passwordHash: hash, displayName: "Alice" },
+      TestUsers.systemAdmin,
+    );
+    // Mitgliedschaft + Lifecycle auf einem ANDEREN, aktiven Tenant.
+    await seedTenantMembership(stack.db, {
+      userId: created.id,
+      tenantId: T_ACTIVE,
+      roles: ["Member"],
+    });
+    const aliceActive = { id: created.id, tenantId: T_ACTIVE, roles: ["Member"] };
+    const restricted = await stack.http.writeOk<{ status: string }>(RESTRICT, {}, aliceActive);
+    expect(restricted.status).toBe(USER_STATUS.Restricted);
+    // Live-Row ist Restricted (sanity).
+    const before = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(before[0]?.status).toBe(USER_STATUS.Restricted);
+    // ECHTER Rebuild der read_users-Projektion aus dem Event-Log.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    // RED auf aktuellem Code: restrict schrieb roh ohne Event -> der Rebuild
+    // replayt nur user.created -> status faellt auf Active zurueck.
+    // GREEN nach Stream-Rescope der Lifecycle-Handler.
+    const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(after[0]?.status).toBe(USER_STATUS.Restricted);
+  });
+  test("DeletionRequested + gracePeriodEnd (Date-Spalte) ueberleben den Rebuild", async () => {
+    // Direkt via Helper, ohne compliance-profile-Setup — der Fokus ist die
+    // Serialisierung der Date-Spalte durch das Event + den Reducer.
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: "grace.rebuild@example.com", passwordHash: hash, displayName: "Grace" },
+      TestUsers.systemAdmin,
+    );
+    const T = getTemporal();
+    const gracePeriodEnd = T.Now.instant().add({ hours: 24 });
+    await updateUserLifecycle(stack.db, created.id, {
+      status: USER_STATUS.DeletionRequested,
+      gracePeriodEnd,
+    });
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+      gracePeriodEnd: unknown;
+    }>;
+    expect(after[0]?.status).toBe(USER_STATUS.DeletionRequested);
+    // gracePeriodEnd ueberlebt — nicht null nach Replay.
+    expect(after[0]?.gracePeriodEnd).not.toBeNull();
+    expect(after[0]?.gracePeriodEnd).toBeDefined();
+  });
+  // Ehrlicher Spiegel zum Forward-Test: Bestandsdaten, deren Status der ALTE
+  // raw-Pfad (ohne Event) gesetzt hat, ueberleben einen Rebuild NICHT — bis der
+  // einmalige Backfill ihren Live-State als user.updated ins Event-Log spiegelt.
+  test("Bestandsdaten: alt-roh gesetzter Status wird ohne Backfill weggewischt, mit Backfill bewahrt", async () => {
+    const hash = await hashPassword(ALICE_PW);
+    const created = await stack.http.writeOk<{ id: string }>(
+      UserHandlers.create,
+      { email: "legacy.rebuild@example.com", passwordHash: hash, displayName: "Legacy" },
+      TestUsers.systemAdmin,
+    );
+    // Prae-Fix-Zustand simulieren: roher Write OHNE Event.
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: created.id });
+    // Ohne Backfill replayt der Rebuild nur user.created -> Status weggewischt.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    const wiped = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(wiped[0]?.status).toBe(USER_STATUS.Active);
+    // Bestand wieder in den divergenten Live-State bringen (der Rebuild hat ihn
+    // auf Active gesetzt) und den Reconcile laufen lassen.
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: created.id });
+    const backfilled = await backfillUserLifecycleEvents(stack.db);
+    expect(backfilled).toBeGreaterThanOrEqual(1);
+    // Jetzt traegt das Event-Log den State -> Rebuild bewahrt ihn.
+    await rebuildProjection(USER_PROJECTION, { db: stack.db, registry });
+    const survived = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
+      status: string;
+    }>;
+    expect(survived[0]?.status).toBe(USER_STATUS.Restricted);
+  });
+});

package/src/user-data-rights/constants.ts ADDED Viewed

@@ -0,0 +1,48 @@
+// @runtime client
+// Reine String-Konstanten — client-markiert, damit der PrivacyCenterScreen
+// (web/) sie importieren darf, ohne das runtime-Barrel des Features (und
+// damit dessen Server-/DOM-freien Code) zu ziehen. Runtime-Code
+// (feature.ts) darf client-Dateien ohnehin importieren.
+export const USER_DATA_RIGHTS_FEATURE = "user-data-rights" as const;
+// Dormant registriert (kein r.nav im Feature); Apps platzieren ihn via
+// r.nav. Qualifiziert: `user-data-rights:screen:privacy-center`.
+export const PRIVACY_CENTER_SCREEN_ID = "privacy-center" as const;
+export const UserDataRightsQueries = {
+  exportStatus: "user-data-rights:query:export-status",
+  myAuditLog: "user-data-rights:query:my-audit-log",
+} as const;
+export const UserDataRightsHandlers = {
+  requestExport: "user-data-rights:write:request-export",
+  requestDeletion: "user-data-rights:write:request-deletion",
+  cancelDeletion: "user-data-rights:write:cancel-deletion",
+  restrictAccount: "user-data-rights:write:restrict-account",
+} as const;
+// Fremde QN: der Lifecycle-Status (active / deletionRequested / restricted)
+// kommt aus dem user-Feature. Lokal gepinnt statt das user-runtime-Barrel zu
+// importieren (Runtime-Isolation, wie user-profile). Drift-Schutz: der
+// Screen-Test vergleicht gegen UserQueries.me.
+export const USER_ME_QUERY = "user:query:user:me" as const;
+// Download-Pfad des fertigen Export-Bundles: der dokumentierte UI-Klick-Pfad
+// (r.httpRoute in feature.ts), der per 302 auf die signed Storage-URL
+// weiterleitet. Anchor-navigierbar (Cookie-Auth wird mitgesendet).
+export function userExportByJobPath(jobId: string): string {
+  return `/user-export/by-job/${jobId}`;
+}
+// Client-safe Mirror von EXPORT_JOB_STATUS (schema/export-job.ts ist
+// server-only via Drizzle-Import). Drift-Schutz: der Screen-Test vergleicht
+// gegen die Schema-Originale.
+export const EXPORT_JOB_STATUS = {
+  Pending: "pending",
+  Running: "running",
+  Done: "done",
+  Failed: "failed",
+} as const;
+export type ExportJobStatus = (typeof EXPORT_JOB_STATUS)[keyof typeof EXPORT_JOB_STATUS];

package/src/user-data-rights/feature.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   SYSTEM_USER_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
 import { createFileProviderForTenant } from "../file-foundation";
+import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
 import { createConfirmDeletionByTokenHandler } from "./handlers/confirm-deletion-by-token.write";
 import { downloadByJobQuery } from "./handlers/download-by-job.query";
@@ -199,6 +200,20 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
     r.queryHandler(myAuditLogQuery);
     r.queryHandler(listDownloadAttemptsQuery);
+    // Dormant Self-Service-Screen (Art. 15/17/18/20): Export, Aktivitäts-
+    // protokoll, Einschränkung, Löschung in einem Screen. Kein r.nav — die
+    // App platziert ihn im eingeloggten Bereich. Die React-Component kommt
+    // client-seitig aus userDataRightsClient() (web/). access openToAll, weil
+    // kein App-Rollenname portabel ist; die per-User-Handler erzwingen Auth
+    // server-seitig, und der Screen ist ohne r.nav nirgends sichtbar bis die
+    // App ihn aktiv im authed-Bereich verlinkt.
+    r.screen({
+      id: PRIVACY_CENTER_SCREEN_ID,
+      type: "custom",
+      renderer: { react: { __component: "PrivacyCenterScreen" } },
+      access: { openToAll: true },
+    });
     // r.httpRoute-Wrapper: Magic-Link-Pfad (anonymous) + UI-Klick-Pfad.
     //
     // Beide rufen via app.fetch /api/query → wenn success: 302-Redirect

package/src/user-data-rights/handlers/cancel-deletion.write.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 // POST /api/user/cancel-deletion (S2.U5).
 //
@@ -61,19 +62,14 @@ export const cancelDeletionWrite = defineWriteHandler({
       );
     }
-    await updateMany(
-      ctx.db.raw,
-      userTable,
-      {
-        status: USER_STATUS.Active,
-        gracePeriodEnd: null,
-        // #354/1: schließt das replay-after-cancel-Fenster — ein noch
-        // TTL-gültiges email-Token verifiziert gegen die genullte requestId
-        // nicht mehr und kann keine zweite Grace-Period armen.
-        pendingDeletionRequestId: null,
-      },
-      { id: event.user.id },
-    );
+    await updateUserLifecycle(ctx.db.raw, event.user.id, {
+      status: USER_STATUS.Active,
+      gracePeriodEnd: null,
+      // #354/1: schließt das replay-after-cancel-Fenster — ein noch
+      // TTL-gültiges email-Token verifiziert gegen die genullte requestId
+      // nicht mehr und kann keine zweite Grace-Period armen.
+      pendingDeletionRequestId: null,
+    });
     // gracePeriodEnd=null im Response symmetrisch zu request-deletion's
     // ISO-Timestamp — Frontend kann beide Endpoints uniform behandeln.

package/src/user-data-rights/handlers/deletion-grace-period.ts CHANGED Viewed

@@ -1,9 +1,10 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { addDurationSpec, type DurationSpec } from "@cosmicdrift/kumiko-framework/compliance";
 import { createSystemUser, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError } from "@cosmicdrift/kumiko-framework/errors";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
@@ -57,12 +58,10 @@ export async function startDeletionGracePeriod(
   const T = getTemporal();
   const gracePeriodEnd = addDurationSpec(T.Now.instant(), gracePeriod);
-  await updateMany(
-    ctx.db.raw,
-    userTable,
-    { status: USER_STATUS.DeletionRequested, gracePeriodEnd },
-    { id: userId },
-  );
+  await updateUserLifecycle(ctx.db.raw, userId, {
+    status: USER_STATUS.DeletionRequested,
+    gracePeriodEnd,
+  });
   return { ok: true, gracePeriodEnd, userEmail: userRow["email"] ?? "" };
 }

package/src/user-data-rights/handlers/lift-restriction.write.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 // POST /api/user/lift-restriction (S2.U6) — DSGVO Art. 18 Reverse.
 //
@@ -50,7 +51,7 @@ export const liftRestrictionWrite = defineWriteHandler({
       );
     }
-    await updateMany(ctx.db.raw, userTable, { status: USER_STATUS.Active }, { id: event.user.id });
+    await updateUserLifecycle(ctx.db.raw, event.user.id, { status: USER_STATUS.Active });
     return {
       isSuccess: true as const,

package/src/user-data-rights/handlers/request-deletion-by-email.write.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
 import { signDeletionToken } from "../deletion-token";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 // TTL des Verify-Links. 60 min — lang genug für einen Mail-Roundtrip,
 // kurz genug dass ein abgefangener Link nicht ewig gültig ist.
@@ -79,12 +80,9 @@ export function createRequestDeletionByEmailHandler(opts: RequestDeletionByEmail
       // user-Row landet und in die Token-HMAC-Purpose gefaltet wird. cancel
       // nullt sie → ein nach Cancel nachgespieltes Token verifiziert nicht mehr.
       const requestId = crypto.randomUUID();
-      await updateMany(
-        ctx.db.raw,
-        userTable,
-        { pendingDeletionRequestId: requestId },
-        { id: userRow["id"] },
-      );
+      await updateUserLifecycle(ctx.db.raw, userRow["id"], {
+        pendingDeletionRequestId: requestId,
+      });
       const { token, expiresAt } = signDeletionToken(
         userRow["id"],

package/src/user-data-rights/handlers/restrict-account.write.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { fetchOne, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import { createSystemUser, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { UnprocessableError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS, userTable } from "../../user";
+import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 // POST /api/user/restrict (S2.U6) — DSGVO Art. 18 Account-Freeze.
 // Flippt status=Active → Restricted und revoked alle live sessions
@@ -54,12 +55,7 @@ export const restrictAccountWrite = defineWriteHandler({
       );
     }
-    await updateMany(
-      ctx.db.raw,
-      userTable,
-      { status: USER_STATUS.Restricted },
-      { id: event.user.id },
-    );
+    await updateUserLifecycle(ctx.db.raw, event.user.id, { status: USER_STATUS.Restricted });
     // Cross-Feature: alle live sessions revoken — sonst koennte der User
     // mit existierendem JWT bis zur Token-Expiry weiter schreiben.