@cosmicdrift/kumiko-bundled-features 0.70.0 → 0.72.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.70.0",
+  "version": "0.72.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.70.0",
-    "@cosmicdrift/kumiko-framework": "0.70.0",
-    "@cosmicdrift/kumiko-headless": "0.70.0",
-    "@cosmicdrift/kumiko-renderer": "0.70.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.70.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.72.0",
+    "@cosmicdrift/kumiko-framework": "0.72.0",
+    "@cosmicdrift/kumiko-headless": "0.72.0",
+    "@cosmicdrift/kumiko-renderer": "0.72.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.72.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/feature.ts

@@ -128,6 +128,22 @@ export function createAuthEmailPasswordFeature(
     r.describe(
       "Provides email+password authentication: the always-on handlers are `login`, `changePassword`, and `logout`; optional flows \u2014 password reset, email verification, magic-link self-signup, and tenant invite \u2014 are registered only when you pass their respective option objects (`passwordReset`, `emailVerification`, `signup`, `invite`) to `createAuthEmailPasswordFeature(opts)`. Each opt-in flow uses HMAC-signed or opaque-random tokens delivered via callback (e.g. `sendResetEmail`) so the feature stays transport-agnostic. Requires the `user` and `tenant` features, and declares `JWT_SECRET` (\u2265 32 chars) in `authEmailPasswordEnvSchema` so a missing secret surfaces at boot validation rather than on the first login attempt.",
     );
+    r.uiHints({
+      displayLabel: "Auth \u00b7 Email + Password",
+      category: "identity",
+      recommended: true,
+      configurableOptions: [
+        { key: "passwordReset", label: "Password-Reset-Flow", type: "boolean", default: true },
+        {
+          key: "emailVerification",
+          label: "Email-Verification-Flow",
+          type: "boolean",
+          default: true,
+        },
+        { key: "signup", label: "Self-Signup-Flow", type: "boolean", default: false },
+        { key: "invite", label: "Tenant-Invite-Flow", type: "boolean", default: false },
+      ],
+    });
     r.requires("user");
     r.requires("tenant");
     r.envSchema(authEmailPasswordEnvSchema);

package/src/billing-foundation/feature.ts

@@ -74,6 +74,11 @@ export const billingFoundationFeature = defineFeature(BILLING_FOUNDATION_FEATURE
   r.describe(
     "Plugin host for subscription billing \u2014 manages the `read_subscriptions` projection table and exposes 5 domain events (subscription created/updated/canceled, invoice paid/failed) appended by the foundation's own `billing-foundation:write:process-event` write-handler after provider plugins verify and normalize each webhook. Also ships `billing-foundation:write:create-checkout-session` and `billing-foundation:write:create-portal-session` write-handlers, a `billing-foundation:query:subscription:list` query handler, and a `createSubscriptionWebhookHandler` factory for the `/api/subscription/webhook/:providerName` route. Low-level building block \u2014 use `subscription-stripe` or `subscription-mollie` unless you are writing a new payment provider.",
   );
+  r.uiHints({
+    displayLabel: "Billing \u00b7 Foundation",
+    category: "billing",
+    recommended: false,
+  });
   // 5 fine-grained domain-events. Alle 5 nutzen denselben payload-
   // shape (= subscription-state-snapshot); der event-type taggt was
   // passiert ist. Future-consumer (billing-history, accounting)

package/src/delivery/feature.ts

@@ -18,6 +18,11 @@ export function createDeliveryFeature(): FeatureDefinition {
     r.describe(
       "The notification dispatch core: call `ctx.notify(notificationType, { to, route, data, priority, idempotencyKey })` from any handler to fan out a notification across all registered channels (email, in-app, push). It stores per-user channel preferences in the `notification-preference` entity, logs every attempt to `read_delivery_attempts`, and enforces idempotency and rate-limiting \u2014 add `channel-email`, `channel-in-app`, or `channel-push` on top to actually send anything.",
     );
+    r.uiHints({
+      displayLabel: "Notifications \u00b7 Dispatch Core",
+      category: "notifications",
+      recommended: true,
+    });
     r.systemScope();
     // Backing table: the (tenant,user,type,channel) uniqueIndex lives only on
     // the physical table, not on the entity fields, so the generator would

package/src/feature-toggles/feature.ts

@@ -40,6 +40,11 @@ export function createFeatureTogglesFeature(
     r.describe(
       'Persists per-feature enabled/disabled state in the `read_global_feature_state` table and exposes a `set` write-handler plus `list`/`registered` query-handlers so operators can flip features at runtime without redeploying. Each API instance keeps an in-memory `GlobalFeatureToggleRuntime` snapshot (initialize it via `createFeatureToggleRuntime`, pass a `() => runtime` accessor to `createFeatureTogglesFeature`) that the dispatcher gate reads on every request; a `toggle-cache-sync` multi-stream projection with `delivery: "per-instance"` syncs the snapshot across instances whenever a `toggle-set` event is appended.',
     );
+    r.uiHints({
+      displayLabel: "Feature Toggles · Operator Switches",
+      category: "operations",
+      recommended: false,
+    });
     r.systemScope();
 
     // Toggle-change domain event. The event ends up in the events-table

package/src/mail-foundation/__tests__/mail-foundation.integration.test.ts

@@ -32,6 +32,7 @@ import { ConfigHandlers } from "../../config/constants";
 import { createConfigAccessorFactory } from "../../config/feature";
 import { type ConfigResolver, createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
+import { clearInbox, getInbox, mailTransportInMemoryFeature } from "../../mail-transport-inmemory";
 import { mailTransportSmtpFeature, SMTP_PASSWORD } from "../../mail-transport-smtp";
 import { createSecretsContext, createSecretsFeature, tenantSecretsTable } from "../../secrets";
 import { createTenantFeature } from "../../tenant/feature";
@@ -58,6 +59,22 @@ const testProbeFeature = defineFeature("mail-test", (r) => {
       },
     }),
   );
+  r.writeHandler(
+    defineWriteHandler({
+      name: "send",
+      schema: z.object({ to: z.string(), subject: z.string(), html: z.string() }),
+      access: { roles: ["TenantAdmin", "SystemAdmin"] },
+      handler: async (event, ctx) => {
+        const transport = await createTransportForTenant(
+          ctx,
+          event.user.tenantId,
+          "mail-test:write:send",
+        );
+        await transport.send(event.payload);
+        return { isSuccess: true, data: {} };
+      },
+    }),
+  );
 });
 
 // --- Setup ---
@@ -91,6 +108,7 @@ beforeAll(async () => {
       createSecretsFeature(),
       mailFoundationFeature,
       mailTransportSmtpFeature,
+      mailTransportInMemoryFeature,
       testProbeFeature,
     ],
     masterKeyProvider: providerRef,
@@ -251,3 +269,18 @@ describe("scenario 3: tenant isolation", () => {
     expect(b["hasSend"]).toBe(true);
   });
 });
+
+// --- Scenario 4: the in-memory transport plugin actually delivers ---
+
+describe("scenario 4: in-memory transport dispatch", () => {
+  test("provider=inmemory → a sent mail lands in that tenant's inbox", async () => {
+    const admin = adminFor(406);
+    clearInbox(admin.tenantId);
+    await setConfig(admin, "mail-foundation:config:provider", "inmemory");
+
+    const message = { to: "user@acme.test", subject: "Hi", html: "<p>hello</p>" };
+    await stack.http.writeOk("mail-test:write:send", message, admin);
+
+    expect(getInbox(admin.tenantId)).toEqual([message]);
+  });
+});

package/src/rate-limiting/__tests__/rate-limiting.integration.test.ts

@@ -71,6 +71,17 @@ describe("rate-limiting feature — status query", () => {
     expect(status.remaining).toBe(2);
   });
 
+  test("blocks with 429 once the bucket is drained", async () => {
+    // The status query only *reports* state; this proves enforcement —
+    // the L3 hook actually rejects traffic over the limit, not just counts.
+    for (let i = 0; i < 5; i++) {
+      const ok = await stack.http.query("rl-probe:query:ping", {}, admin);
+      expect(ok.status).toBe(200);
+    }
+    const blocked = await stack.http.query("rl-probe:query:ping", {}, admin);
+    expect(blocked.status).toBe(429);
+  });
+
   test("status access requires Admin/SystemAdmin", async () => {
     const guest = TestUsers.user;
     const res = await stack.http.query(

package/src/sessions/__tests__/cleanup.integration.test.ts

@@ -15,6 +15,8 @@ import {
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { createUserFeature } from "../../user/feature";
+import { userEntity } from "../../user/schema/user";
 import { createSessionsFeature } from "../feature";
 import { cleanupJob } from "../handlers/cleanup.job";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
@@ -38,9 +40,10 @@ let stack: TestStack;
 
 beforeAll(async () => {
   stack = await setupTestStack({
-    features: [createSessionsFeature()],
+    features: [createSessionsFeature(), createUserFeature()],
   });
   await unsafeCreateEntityTable(stack.db, userSessionEntity);
+  await unsafeCreateEntityTable(stack.db, userEntity);
 });
 
 afterAll(async () => {

package/src/sessions/__tests__/rebuild-survival.integration.test.ts

@@ -19,6 +19,7 @@ import {
   unsafeCreateEntityTable,
 } from "@cosmicdrift/kumiko-framework/stack";
 import { Temporal } from "temporal-polyfill";
+import { createUserFeature } from "../../user/feature";
 import { createSessionsFeature } from "../feature";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
 
@@ -75,14 +76,14 @@ async function insertRevokedSession(db: DbConnection): Promise<void> {
 
 describe("sessions / read_user_sessions survives projection rebuild", () => {
   test("is NOT registered as a rebuildable implicit projection", () => {
-    const registry = createRegistry([createSessionsFeature()]);
+    const registry = createRegistry([createSessionsFeature(), createUserFeature()]);
     expect(registry.getAllProjections().has(IMPLICIT_PROJECTION)).toBe(false);
   });
 
   test("direct-written rows (incl. revoked state) survive a rebuild", async () => {
     await insertRevokedSession(createTenantDb(testDb.db, TENANT));
 
-    const registry = createRegistry([createSessionsFeature()]);
+    const registry = createRegistry([createSessionsFeature(), createUserFeature()]);
     // Pre-fix: the implicit projection exists → rebuild swaps an empty shadow
     // → rows wiped. Post-fix: absent → no rebuild → rows untouched. Either way
     // a regression (re-adding r.entity) makes this fail.

package/src/sessions/__tests__/sessions.integration.test.ts

@@ -21,7 +21,7 @@ import { createTenantFeature } from "../../tenant";
 import { tenantMembershipsTable } from "../../tenant/membership-table";
 import { tenantEntity } from "../../tenant/schema/tenant";
 import { createUserFeature } from "../../user/feature";
-import { userEntity, userTable } from "../../user/schema/user";
+import { USER_STATUS, userEntity, userTable } from "../../user/schema/user";
 import { SessionHandlers, SessionQueries } from "../constants";
 import { createSessionsFeature } from "../feature";
 import { userSessionEntity, userSessionTable } from "../schema/user-session";
@@ -455,3 +455,65 @@ describe("sessions feature — login → check → revoke → rejected", () => {
     expect(body.data[0]?.id).toBe(aliceAsAdmin.sid);
   });
 });
+
+// Defense-in-depth: the sessionChecker refuses a live sid once the user it
+// belongs to is locked, independent of whether session-revoke ran. Each case
+// logs in WHILE active (login itself blocks locked users) and then flips the
+// status, mirroring "user got restricted while a session was open".
+describe("sessions feature — locked accounts blocked on a live session", () => {
+  test("active user passes — the gate leaves the happy path untouched", async () => {
+    await h.seedUser("active@example.com", "pw-long-enough");
+    const { token } = await h.login("active@example.com", "pw-long-enough");
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(200);
+  });
+
+  test("restricted after login → 401 reason=blocked", async () => {
+    const { userId } = await h.seedUser("restrict@example.com", "pw-long-enough");
+    const { token } = await h.login("restrict@example.com", "pw-long-enough");
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Restricted }, { id: userId });
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe("blocked");
+  });
+
+  test("deleted after login → 401 reason=blocked", async () => {
+    const { userId } = await h.seedUser("gone@example.com", "pw-long-enough");
+    const { token } = await h.login("gone@example.com", "pw-long-enough");
+    await updateMany(stack.db, userTable, { status: USER_STATUS.Deleted }, { id: userId });
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error?: { details?: { reason?: string } } };
+    expect(body.error?.details?.reason).toBe("blocked");
+  });
+
+  test("deletionRequested keeps its session live — reversible grace period", async () => {
+    const { userId } = await h.seedUser("leaving@example.com", "pw-long-enough");
+    const { token } = await h.login("leaving@example.com", "pw-long-enough");
+    await updateMany(
+      stack.db,
+      userTable,
+      { status: USER_STATUS.DeletionRequested },
+      { id: userId },
+    );
+
+    const res = await h.authedPost("/api/query", token, {
+      type: "user:query:user:me",
+      payload: {},
+    });
+    expect(res.status).toBe(200);
+  });
+});

package/src/sessions/feature.ts

@@ -43,6 +43,15 @@ export function createSessionsFeature(options?: SessionsFeatureOptions): Feature
     r.describe(
       "Tracks signed-in clients in the `read_user_sessions` table (one row per JWT, keyed by the `sid`/`jti` claim) and exposes handlers for `mine` (list your sessions), `revoke`, and `revokeAllOthers`. Session creation and revocation on the hot auth path are handled by `createSessionCallbacks()`, wired into `buildServer({ auth: { ... } })` outside the dispatcher; the feature also ships a manual-trigger cleanup job for pruning expired rows and an optional `autoRevokeOnPasswordChange` hook that mass-revokes all sessions for a user whenever their `passwordHash` changes.",
     );
+    r.uiHints({
+      displayLabel: "Sessions · Server-side Logout",
+      category: "identity",
+      recommended: false,
+    });
+    // sessionChecker reads read_users on every authenticated request (status
+    // gate for locked accounts) — make that a boot-time dependency so a
+    // sessions-without-user wiring fails validateBoot instead of 500ing live.
+    r.requires("user");
     // read_user_sessions is a hot-path direct-write store: sessionCreator
     // inserts and the revoke handlers update rows WITHOUT emitting lifecycle
     // events (the row columns ARE the audit trail). Registering it as

package/src/sessions/session-callbacks.ts

@@ -10,9 +10,18 @@ import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
 import type { SessionUser } from "@cosmicdrift/kumiko-framework/engine";
 import { generateId } from "@cosmicdrift/kumiko-framework/utils";
 import { Temporal } from "temporal-polyfill";
+import { USER_STATUS, userTable } from "../user";
 import { DEFAULT_SESSION_EXPIRY_MS } from "./constants";
 import { userSessionTable } from "./schema/user-session";
 
+// Locked accounts whose live sessions must be refused. deletionRequested is
+// intentionally absent — it's a reversible grace period and the user needs
+// their session to reach cancel-deletion.
+const BLOCKED_STATUSES: ReadonlySet<string> = new Set([
+  USER_STATUS.Restricted,
+  USER_STATUS.Deleted,
+]);
+
 // Why the callbacks live at the raw-DB level rather than going through the
 // dispatcher: session-create/revoke/check run on the hot path of every
 // login and every request. The (createdAt/revokedAt/ip/userAgent) columns
@@ -90,6 +99,13 @@ export function createSessionCallbacks(opts: SessionCallbacksOptions): SessionCa
       if (row.expiresAt.epochMilliseconds <= Temporal.Now.instant().epochMilliseconds) {
         return "expired";
       }
+      // Defense-in-depth: status flips (Art. 18 restrict, forget) revoke
+      // sessions, but a missed revoke must not keep a locked account alive on
+      // a stale sid. Fail-OPEN on a lookup miss — this is the second layer,
+      // revocation is primary; never turn a user-row miss into a global
+      // lockout. (+1 PK read on read_users per authenticated request.)
+      const user = await fetchOne<{ status: string }>(db, userTable, { id: expectedUserId });
+      if (user && BLOCKED_STATUSES.has(user.status)) return "blocked";
       return "live";
     },
 

package/src/tags/handlers/assign-tag.write.ts

@@ -40,7 +40,7 @@ export function createAssignTagHandler(access: AccessRule = DEFAULT_TAG_ACCESS):
       }
 
       const restored = await tagAssignmentExecutor.restore({ id }, event.user, ctx.db);
-      if (restored.isSuccess) return restored;
+      if (restored.isSuccess) return { isSuccess: true as const, data: { id } };
       if (restored.error.code !== "not_found") return restored;
 
       const tag = await tagExecutor.detail({ id: payload.tagId }, event.user, ctx.db);

package/src/tags/web/__tests__/tag-section.test.tsx

@@ -1,4 +1,4 @@
-import { describe, expect, mock, test } from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 import {
   createStaticLocaleResolver,
   LocaleProvider,
@@ -17,6 +17,13 @@ type AssignmentRow = { tagId: string; entityType: string; entityId: string };
 let catalogRows: readonly TagRow[] = [];
 let assignmentRows: readonly AssignmentRow[] = [];
 
+// Each test sets its own rows; reset so a forgotten setup can't inherit the
+// previous test's data (order-dependent shared state).
+beforeEach(() => {
+  catalogRows = [];
+  assignmentRows = [];
+});
+
 const dispatchSpy = mock(async (type: string) =>
   type === TagsHandlers.createTag
     ? { isSuccess: true, data: { id: "tag-new" } }
@@ -45,6 +52,46 @@ function Wrapper({ children }: { readonly children: ReactNode }): ReactNode {
   );
 }
 
+// The real combobox is cmdk + Radix — its popover is e2e/primitive-test
+// territory (see note above). To pin the onSelectionChange → assign/remove
+// wiring we swap in a headless stub that renders one toggle button per option
+// and fires onChange with the toggled selection — same contract, no popover.
+const StubInput: typeof defaultPrimitives.Input = (props) => {
+  if (props.kind === "combobox" && props.multiple === true) {
+    const value = props.value;
+    return (
+      <div data-testid="stub-combobox">
+        {props.options.map((o) => {
+          const selected = value.includes(o.value);
+          return (
+            <button
+              key={o.value}
+              type="button"
+              data-testid={`tag-opt-${o.value}`}
+              onClick={() =>
+                props.onChange(selected ? value.filter((v) => v !== o.value) : [...value, o.value])
+              }
+            >
+              {o.label}
+            </button>
+          );
+        })}
+      </div>
+    );
+  }
+  return <input data-testid={`stub-${props.id}`} />;
+};
+
+function StubComboboxWrapper({ children }: { readonly children: ReactNode }): ReactNode {
+  return (
+    <LocaleProvider resolver={createStaticLocaleResolver()} fallbackBundles={[defaultTranslations]}>
+      <PrimitivesProvider value={{ ...defaultPrimitives, Input: StubInput }}>
+        {children}
+      </PrimitivesProvider>
+    </LocaleProvider>
+  );
+}
+
 // The combobox's assign/remove toggle drives onChange with the full new
 // selection; the component diffs it against the current tags via this helper.
 // Popover interaction itself (cmdk + Radix in jsdom) is covered by the
@@ -113,6 +160,41 @@ describe("TagSection", () => {
     );
   });
 
+  test("#524/3: selection change dispatches assign for additions, remove for removals", async () => {
+    catalogRows = [
+      { id: "t1", name: "important" },
+      { id: "t2", name: "project-x" },
+    ];
+    assignmentRows = [{ tagId: "t1", entityType: "note", entityId: "note-1" }];
+    dispatchSpy.mockClear();
+
+    render(
+      <StubComboboxWrapper>
+        <TagSection entityName="note" entityId="note-1" />
+      </StubComboboxWrapper>,
+    );
+
+    // t2 is unselected → toggling it on adds it → assign-tag with t2
+    fireEvent.click(screen.getByTestId("tag-opt-t2"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.assignTag, {
+        tagId: "t2",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+
+    // t1 is selected → toggling it off removes it → remove-tag with t1
+    fireEvent.click(screen.getByTestId("tag-opt-t1"));
+    await waitFor(() =>
+      expect(dispatchSpy).toHaveBeenCalledWith(TagsHandlers.removeTag, {
+        tagId: "t1",
+        entityType: "note",
+        entityId: "note-1",
+      }),
+    );
+  });
+
   test("create-mode (no entityId yet) shows the save-first hint instead of the manager", () => {
     render(
       <Wrapper>

package/src/tenant/feature.ts

@@ -32,6 +32,11 @@ export function createTenantFeature(): FeatureDefinition {
     r.describe(
       "Registers the three core multi-tenancy entities \u2014 `tenant`, `tenant-membership`, and `tenant-invitation` (DB tables `read_tenants`, `read_tenant_memberships`, and `read_tenant_invitations`) \u2014 along with write handlers for create/update/disable/enable/addMember/removeMember/updateMemberRoles and the matching queries. It also declares a set of per-tenant config keys (companyName, timezone, locale, SMTP credentials) and system-only keys (priceModel, maxUsers) via `r.config({ keys: { ... } })`. Use this feature in every multi-tenant app; membership resolution and invitation flows depend on it, and `auth-email-password` requires it.",
     );
+    r.uiHints({
+      displayLabel: "Multi-Tenant Core",
+      category: "identity",
+      recommended: true,
+    });
     r.systemScope();
     r.requires("config");
     r.entity("tenant", tenantEntity);

package/src/user/feature.ts

@@ -15,6 +15,11 @@ export function createUserFeature(): FeatureDefinition {
     r.describe(
       "Manages the cross-tenant user identity: the `read_users` table holds each user's email, `displayName`, global `roles`, `emailVerified` flag, and lifecycle `status` (active / restricted / deletionRequested / deleted). Because users exist above any individual tenant, the feature runs with `r.systemScope()` \u2014 membership and tenant-specific roles live in the `tenant` feature instead. Add this feature whenever your app needs a persistent, tenant-agnostic user record that auth and GDPR pipelines can reference.",
     );
+    r.uiHints({
+      displayLabel: "User Identity",
+      category: "identity",
+      recommended: true,
+    });
     r.systemScope();
     r.entity("user", userEntity);
 

package/src/user/schema/user.ts

@@ -113,15 +113,16 @@ export const userEntity = createEntity({
 
     // S2.U1: User-Lifecycle-Status für user-data-rights (Sprint 2).
     //   - "active":            Normaler State, alle Operationen erlaubt
-    //   - "restricted":        Art. 18 Restriction — Auth-Middleware blockiert
-    //                          Schreib-Endpoints, Read bleibt erlaubt damit
-    //                          User das Banner sieht + lift-restriction klicken kann
-    //   - "deletionRequested": delete-account aufgerufen, gracePeriodEnd
-    //                          gesetzt, User kann via cancel-deletion zurueck
-    //                          auf "active". Auth-Middleware blockiert wie
-    //                          "restricted".
+    //   - "restricted":        Art. 18 Restriction — Login blockiert + jede
+    //                          Live-Session wird vom sessionChecker abgewiesen
+    //                          ("blocked"). Recovery via lift-restriction
+    //                          (openToAll, session-unabhängig).
+    //   - "deletionRequested": delete-account aufgerufen, gracePeriodEnd gesetzt,
+    //                          Login blockiert. Bestehende Session bleibt LIVE
+    //                          (reversibel) — User kann via cancel-deletion
+    //                          zurück auf "active".
     //   - "deleted":           Forget executed nach Grace, Row anonymisiert via
-    //                          softDelete. Auth-Middleware blockt Login.
+    //                          softDelete. Login blockiert + Session "blocked".
     //
     // Schreibrecht privileged: nur die request-deletion / restrict / lift /
     // execute-forget-Handler (alle SYSTEM-context) duerfen status flippen.

package/src/user-data-rights/__tests__/read-users-rebuild-survives-lifecycle.integration.test.ts

@@ -188,12 +188,13 @@ describe("#494 :: read_users-Rebuild bewahrt Lifecycle-State", () => {
 
     const after = (await selectMany(stack.db, userTable, { id: created.id })) as Array<{
       status: string;
-      gracePeriodEnd: unknown;
+      gracePeriodEnd: typeof gracePeriodEnd | null;
     }>;
     expect(after[0]?.status).toBe(USER_STATUS.DeletionRequested);
-    // gracePeriodEnd ueberlebt — nicht null nach Replay.
-    expect(after[0]?.gracePeriodEnd).not.toBeNull();
-    expect(after[0]?.gracePeriodEnd).toBeDefined();
+    // gracePeriodEnd ueberlebt den Replay WERT-genau, nicht nur non-null: ein
+    // Timezone-/Roundtrip-Fehler liefert non-null aber den falschen Instant.
+    // epoch-ms toleriert die DB-Präzision (µs) ohne sub-ms-Drift zu prüfen.
+    expect(after[0]?.gracePeriodEnd?.epochMilliseconds).toBe(gracePeriodEnd.epochMilliseconds);
   });
 
   // Ehrlicher Spiegel zum Forward-Test: Bestandsdaten, deren Status der ALTE

package/src/user-data-rights/web/__tests__/public-deletion-gate.test.tsx

@@ -0,0 +1,96 @@
+// Gate path-routing: requestPath → request screen, confirmPath → confirm
+// screen, sonst durch zu children. Bewusst SYNCHRON (kein fireEvent/waitFor) —
+// der #457-CI-Flake trifft nur await-Assertions auf dem geteilten happy-dom-
+// document; ein Render + Sync-Assert im selben Tick ist nicht exponiert.
+// Provider-Wrapper lokal (Dependency-Richtung renderer-web → bundled-features
+// verbietet test-utils-Import).
+
+import { describe, expect, test } from "bun:test";
+import type { Dispatcher } from "@cosmicdrift/kumiko-headless";
+import {
+  createStaticLocaleResolver,
+  DispatcherProvider,
+  kumikoDefaultTranslations,
+  LocaleProvider,
+  PrimitivesProvider,
+} from "@cosmicdrift/kumiko-renderer";
+import { defaultPrimitives } from "@cosmicdrift/kumiko-renderer-web";
+import { render, within } from "@testing-library/react";
+import type { ReactNode } from "react";
+import { defaultTranslations } from "../i18n";
+import { makePublicDeletionGate } from "../public-deletion-gate";
+
+const resolver = createStaticLocaleResolver({ locale: "de" });
+const stubDispatcher = {
+  write: async () => ({ isSuccess: true, data: {} }),
+} as unknown as Dispatcher;
+
+const ROUTES = { requestPath: "/account/delete", confirmPath: "/account/delete/confirm" };
+
+function renderGate(path: string, gate: ReactNode): ReturnType<typeof within> {
+  window.history.replaceState({}, "", path);
+  const { container } = render(
+    <PrimitivesProvider value={defaultPrimitives}>
+      <LocaleProvider
+        resolver={resolver}
+        fallbackBundles={[defaultTranslations, kumikoDefaultTranslations]}
+      >
+        <DispatcherProvider dispatcher={stubDispatcher}>{gate}</DispatcherProvider>
+      </LocaleProvider>
+    </PrimitivesProvider>,
+  );
+  return within(container);
+}
+
+describe("makePublicDeletionGate", () => {
+  test("requestPath → request screen, children short-circuited", () => {
+    const Gate = makePublicDeletionGate(ROUTES);
+    const ui = renderGate(
+      "/account/delete",
+      <Gate>
+        <div data-testid="app">APP</div>
+      </Gate>,
+    );
+    expect(ui.getByText(/beantragen/)).toBeTruthy();
+    expect(ui.queryByTestId("app")).toBeNull();
+  });
+
+  test("confirmPath → confirm screen, children short-circuited", () => {
+    const Gate = makePublicDeletionGate(ROUTES);
+    const ui = renderGate(
+      "/account/delete/confirm",
+      <Gate>
+        <div data-testid="app">APP</div>
+      </Gate>,
+    );
+    expect(ui.getByText(/bestätigen/)).toBeTruthy();
+    expect(ui.queryByTestId("app")).toBeNull();
+  });
+
+  test("other path → children pass through, no deletion screen", () => {
+    const Gate = makePublicDeletionGate(ROUTES);
+    const ui = renderGate(
+      "/dashboard",
+      <Gate>
+        <div data-testid="app">APP</div>
+      </Gate>,
+    );
+    expect(ui.getByTestId("app")).toBeTruthy();
+    expect(ui.queryByText(/beantragen/)).toBeNull();
+  });
+
+  test("custom shell wraps the matched screen", () => {
+    const Gate = makePublicDeletionGate({
+      ...ROUTES,
+      shell: (screen) => <div data-testid="shell">{screen}</div>,
+    });
+    const ui = renderGate(
+      "/account/delete",
+      <Gate>
+        <span>APP</span>
+      </Gate>,
+    );
+    const shell = ui.getByTestId("shell");
+    expect(within(shell).getByText(/beantragen/)).toBeTruthy();
+  });
+});

package/src/user-data-rights/web/client-plugin.tsx

@@ -11,20 +11,28 @@ import type { ClientFeatureDefinition } from "@cosmicdrift/kumiko-renderer-web";
 import { PRIVACY_CENTER_SCREEN_ID, USER_DATA_RIGHTS_FEATURE } from "../constants";
 import { defaultTranslations } from "./i18n";
 import { PrivacyCenterScreen } from "./privacy-center-screen";
+import { makePublicDeletionGate, type PublicDeletionRoutes } from "./public-deletion-gate";
 
 export type UserDataRightsClientOptions = {
   /** Key-weise Overrides über die Default-Bundles (de/en). */
   readonly translations?: TranslationsByLocale;
+  /** Wenn gesetzt: registriert die anonymen (login-freien) Lösch-Screens als
+   *  Gate auf den angegebenen Pfaden. Weglassen → nur der eingeloggte
+   *  privacy-center-Screen. Den Client VOR dem Auth-Client listen, sonst
+   *  landet der anonyme Besucher auf der Login-Maske. */
+  readonly publicDeletion?: PublicDeletionRoutes;
 };
 
 export function userDataRightsClient(
   options?: UserDataRightsClientOptions,
 ): ClientFeatureDefinition {
-  return {
+  const base: ClientFeatureDefinition = {
     name: USER_DATA_RIGHTS_FEATURE,
     translations: mergeTranslations(defaultTranslations, options?.translations ?? {}),
     components: {
       [PRIVACY_CENTER_SCREEN_ID]: PrivacyCenterScreen,
     },
   };
+  if (options?.publicDeletion === undefined) return base;
+  return { ...base, gates: [makePublicDeletionGate(options.publicDeletion)] };
 }

package/src/user-data-rights/web/index.ts

@@ -10,5 +10,6 @@ export type { ConfirmAccountDeletionScreenProps } from "./confirm-deletion-scree
 export { ConfirmAccountDeletionScreen } from "./confirm-deletion-screen";
 export { defaultTranslations } from "./i18n";
 export { formatDate, PrivacyCenterScreen } from "./privacy-center-screen";
+export { makePublicDeletionGate, type PublicDeletionRoutes } from "./public-deletion-gate";
 export type { RequestAccountDeletionScreenProps } from "./request-deletion-screen";
 export { RequestAccountDeletionScreen } from "./request-deletion-screen";

package/src/user-data-rights/web/public-deletion-gate.tsx

@@ -0,0 +1,42 @@
+// @runtime client
+// Public-Gate für die anonyme Account-Löschung. Matcht window.location.pathname:
+// requestPath → RequestAccountDeletionScreen, confirmPath →
+// ConfirmAccountDeletionScreen, sonst durch zur App. Spiegelt makeAuthGate
+// (auth-email-password) — userDataRightsClient hängt es als Gate ein, die App
+// listet den Client VOR dem Auth-Client, damit ein anonymer Besucher die Lösch-
+// Maske statt der Login-Maske sieht. Path-Match beim Render: Apex-Übergänge
+// (der Verify-Link) sind Full-Page-Loads, kein Client-Router.
+//
+// confirmPath MUSS dem Pfad der server-seitigen deletionVerifyUrl entsprechen —
+// der ConfirmScreen liest das ?token aus eben dieser URL.
+
+import type { ComponentType, ReactNode } from "react";
+import { ConfirmAccountDeletionScreen } from "./confirm-deletion-screen";
+import { RequestAccountDeletionScreen } from "./request-deletion-screen";
+
+export type PublicDeletionRoutes = {
+  /** Login-freie Route für die Email-Antrags-Maske (z.B. "/account/delete"). */
+  readonly requestPath: string;
+  /** Login-freie Route für die Token-Bestätigung; = Pfad der deletionVerifyUrl. */
+  readonly confirmPath: string;
+  /** Chrome um die Screen-Card. Default: vollflächig zentriert (wie der Auth-
+   *  defaultShell). Apps reichen ihre eigene Shell (z.B. Marketing-Header). */
+  readonly shell?: (screen: ReactNode) => ReactNode;
+};
+
+const centeredShell = (screen: ReactNode): ReactNode => (
+  <div className="min-h-screen flex items-center justify-center bg-background px-4">{screen}</div>
+);
+
+export function makePublicDeletionGate(
+  routes: PublicDeletionRoutes,
+): ComponentType<{ children: ReactNode }> {
+  const shell = routes.shell ?? centeredShell;
+  function PublicDeletionGate({ children }: { readonly children: ReactNode }): ReactNode {
+    const path = window.location.pathname;
+    if (path === routes.requestPath) return shell(<RequestAccountDeletionScreen />);
+    if (path === routes.confirmPath) return shell(<ConfirmAccountDeletionScreen />);
+    return <>{children}</>;
+  }
+  return PublicDeletionGate;
+}

package/src/user-profile/__tests__/profile-screen.test.tsx

@@ -146,6 +146,44 @@ describe("ProfileScreen", () => {
       fetchSpy.mockRestore();
     }
   });
+
+  // #472/1: der Server antwortet auf den Verification-Versand mit ok:false
+  // (z.B. 4xx) OHNE zu werfen. Das ist ein anderer Zweig als das catch oben —
+  // er muss eigenständig geloggt werden, der Wechsel bleibt erfolgreich.
+  test("email change: verification-send rejected by server (ok:false) is surfaced", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchSpy = spyOn(globalThis, "fetch").mockResolvedValue(
+      new Response("{}", { status: 400 }),
+    );
+    try {
+      const view = renderProfile(activeMe);
+      await waitFor(() => {
+        if (view.queryByTestId("profile-email") === null) throw new Error("not mounted yet");
+      });
+
+      const emailInput = view.container.querySelector<HTMLInputElement>("#profile-new-email");
+      const pwInput = view.container.querySelector<HTMLInputElement>("#profile-email-password");
+      if (!emailInput || !pwInput) throw new Error("email form inputs not found");
+      fireEvent.change(emailInput, { target: { value: "new@example.com" } });
+      fireEvent.change(pwInput, { target: { value: "current-pw" } });
+      fireEvent.click(view.getByTestId("profile-email-submit"));
+
+      // Der ok:false-Zweig loggt SEINE Message ("could not be sent"),
+      // nicht die des catch-Zweigs ("send threw").
+      await waitFor(() => {
+        const hit = warnSpy.mock.calls.some((c) => String(c[0]).includes("could not be sent"));
+        if (!hit) throw new Error("ok:false verification failure not surfaced");
+      });
+      expect(warnSpy.mock.calls.some((c) => String(c[0]).includes("send threw"))).toBe(false);
+      // Wechsel bleibt erfolgreich: das Eingabefeld wird zurückgesetzt.
+      await waitFor(() => {
+        if (emailInput.value !== "") throw new Error("email input not cleared after success");
+      });
+    } finally {
+      warnSpy.mockRestore();
+      fetchSpy.mockRestore();
+    }
+  });
 });
 
 describe("formatDeletionDate", () => {