@cosmicdrift/kumiko-bundled-features 0.78.0 → 0.79.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.78.0",
+  "version": "0.79.2",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -84,11 +84,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.78.0",
-    "@cosmicdrift/kumiko-framework": "0.78.0",
-    "@cosmicdrift/kumiko-headless": "0.78.0",
-    "@cosmicdrift/kumiko-renderer": "0.78.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.78.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.79.2",
+    "@cosmicdrift/kumiko-framework": "0.79.2",
+    "@cosmicdrift/kumiko-headless": "0.79.2",
+    "@cosmicdrift/kumiko-renderer": "0.79.2",
+    "@cosmicdrift/kumiko-renderer-web": "0.79.2",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/user-data-rights/__tests__/run-export-jobs-cron-context.integration.test.ts

@@ -0,0 +1,148 @@
+// Treibt den ECHTEN registrierten Export-Cron-Job (r.job "run-export-jobs")
+// über seinen Job-Kontext — so wie der Job-Runner ihn in prod aufruft:
+// `ctx.configResolver` gesetzt (App-Override provider=inmemory), aber KEIN
+// per-request `ctx.config` (das baut nur der HTTP-Dispatcher).
+//
+// Der bestehende run-export-jobs-Test reicht `buildStorageProvider` MANUELL —
+// und übersprang damit genau diesen Pfad: der Wrapper baut providerCtx aus dem
+// Job-Kontext. Ohne den configResolver→ConfigAccessor-Bau wirft
+// createFileProviderForTenant "ctx.config is missing" (genau der prod-Bug, der
+// jeden Export auf "failed" setzte).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import { SYSTEM_USER_ID } from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import {
+  createComplianceProfilesFeature,
+  tenantComplianceProfileEntity,
+} from "../../compliance-profiles";
+import { configValuesTable, createConfigFeature, createConfigResolver } from "../../config";
+import { createDataRetentionFeature } from "../../data-retention";
+import { fileFoundationFeature } from "../../file-foundation";
+import { fileProviderInMemoryFeature } from "../../file-provider-inmemory";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsFeature } from "../feature";
+import { exportDownloadTokenEntity } from "../schema/download-token";
+import { EXPORT_JOB_STATUS, exportJobEntity, exportJobsTable } from "../schema/export-job";
+
+const TENANT = "00000000-0000-4000-8000-0000000009a1";
+const USER_ID = "00000000-0000-4000-8000-0000000009b1";
+const JOB_QN = "user-data-rights:job:run-export-jobs";
+
+// App-weiter Override wie money-horse's cashColtConfigResolver — provider=inmemory
+// ohne per-Tenant-config-Row. Der Job-Kontext trägt DIESEN resolver, kein config.
+const configResolver = createConfigResolver({
+  appOverrides: new Map([["file-foundation:config:provider", "inmemory"]]),
+});
+
+let stack: TestStack;
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      fileFoundationFeature,
+      fileProviderInMemoryFeature,
+      createSessionsFeature(),
+      createUserDataRightsFeature(),
+    ],
+  });
+  await createEventsTable(stack.db);
+  await unsafePushTables(stack.db, { configValuesTable });
+  await unsafeCreateEntityTable(stack.db, exportJobEntity);
+  await unsafeCreateEntityTable(stack.db, exportDownloadTokenEntity);
+  await unsafeCreateEntityTable(stack.db, tenantComplianceProfileEntity);
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await asRawClient(stack.db).unsafe(`
+    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      tenant_id UUID NOT NULL,
+      user_id TEXT NOT NULL,
+      version INTEGER NOT NULL DEFAULT 0,
+      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      inserted_by_id TEXT,
+      modified_by_id TEXT,
+      is_deleted BOOLEAN NOT NULL DEFAULT false,
+      deleted_at TIMESTAMPTZ,
+      deleted_by_id TEXT,
+      roles TEXT NOT NULL DEFAULT '[]',
+      UNIQUE(user_id, tenant_id)
+    )
+  `);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  const raw = asRawClient(stack.db);
+  await raw.unsafe("DELETE FROM read_export_jobs");
+  await raw.unsafe("DELETE FROM read_users");
+  await raw.unsafe("DELETE FROM read_tenant_memberships");
+  await insertOne(stack.db, userTable, {
+    id: USER_ID,
+    tenantId: TENANT,
+    email: "export-cron@example.test",
+    passwordHash: "hashed",
+    displayName: "Cron Export",
+    locale: "de",
+    emailVerified: true,
+    roles: '["Member"]',
+    status: USER_STATUS.Active,
+  });
+  await raw.unsafe(
+    `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles) VALUES ('${TENANT}', '${USER_ID}', '["Member"]')`,
+  );
+});
+
+// Seedet einen pending Export-Job über den echten request-export-Handler.
+async function seedPendingJob(): Promise<string> {
+  const res = await stack.http.writeOk<{ jobId: string }>(
+    "user-data-rights:write:request-export",
+    {},
+    { id: USER_ID, tenantId: TENANT, roles: ["Member"] },
+  );
+  return res.jobId;
+}
+
+describe("run-export-jobs cron-context", () => {
+  test("Cron-Job-Kontext (configResolver, KEIN config) → Export läuft durch, bytesWritten > 0", async () => {
+    const jobId = await seedPendingJob();
+    const job = stack.registry.getJob(JOB_QN);
+    expect(job).toBeDefined();
+
+    // EXAKT der prod-Job-Kontext: configResolver gesetzt, config undefined.
+    const jobCtx = {
+      db: stack.db,
+      registry: stack.registry,
+      configResolver,
+      _userId: SYSTEM_USER_ID,
+      now: getTemporal().Now.instant(),
+    };
+    // Vor dem Fix wirft der Wrapper hier "ctx.config is missing".
+    await job?.handler({}, jobCtx as never);
+
+    const [row] = (await selectMany(stack.db, exportJobsTable, { id: jobId })) as Array<{
+      status: string;
+      bytesWritten: number | null;
+      errorMessage: string | null;
+    }>;
+    expect(row?.errorMessage).toBeNull();
+    expect(row?.status).toBe(EXPORT_JOB_STATUS.Done);
+    expect(row?.bytesWritten ?? 0).toBeGreaterThan(0);
+  });
+});

package/src/user-data-rights/feature.ts

@@ -4,6 +4,7 @@ import {
   type FeatureDefinition,
   SYSTEM_USER_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
+import { createConfigAccessor } from "../config";
 import { createFileProviderForTenant } from "../file-foundation";
 import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
@@ -295,17 +296,35 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         // SYSTEM_USER_ID ist die framework-weite Konvention. Der job-
         // Discriminator wird via handlerName="user-data-rights:run-export-
         // jobs" im Secret-Read-Audit erfasst.
-        const providerCtx = {
-          config: ctx.config,
-          registry: ctx.registry,
-          secrets: ctx.secrets,
-          _userId: ctx._userId ?? SYSTEM_USER_ID,
-        };
+        const exportUserId = ctx._userId ?? SYSTEM_USER_ID;
+        const exportDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
+        const exportRegistry = ctx.registry;
         await runExportJobs({
-          db: ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection, // @cast-boundary db-operator
-          registry: ctx.registry,
-          buildStorageProvider: async (tenantId) =>
-            createFileProviderForTenant(providerCtx, tenantId, "user-data-rights:run-export-jobs"), // @wrapper-known semantic-alias
+          db: exportDb,
+          registry: exportRegistry,
+          buildStorageProvider: async (tenantId) => {
+            // ctx.config (per-request ConfigAccessor) existiert nur im HTTP-
+            // Dispatcher; der Cron-Job-Kontext trägt ctx.configResolver. Den
+            // per-Tenant-Accessor daraus bauen (wie der HTTP-Pfad via
+            // _configAccessorFactory) — sonst wirft createFileProviderForTenant
+            // "ctx.config is missing" und jeder Export landet auf failed.
+            const config =
+              ctx.config ??
+              (ctx.configResolver
+                ? createConfigAccessor(
+                    exportRegistry,
+                    ctx.configResolver,
+                    tenantId as Parameters<typeof createConfigAccessor>[2],
+                    exportUserId,
+                    exportDb,
+                  )
+                : undefined);
+            return createFileProviderForTenant(
+              { config, registry: exportRegistry, secrets: ctx.secrets, _userId: exportUserId },
+              tenantId,
+              "user-data-rights:run-export-jobs",
+            );
+          },
           now: T.Now.instant(),
           // Atom 5 — App-Author-Callbacks fuer Email-Notification.
           // Optional: wenn nicht gesetzt, kein Email; User pollt

package/src/user-data-rights/web/__tests__/privacy-center-screen.test.tsx

@@ -127,15 +127,13 @@ async function waitForMount(view: ReturnType<typeof render>): Promise<void> {
 // sobald das framework-weite Test-Isolation-Problem (#457) gelöst ist. Die
 // QN-Drift-Pins + formatDate unten decken die CI-stabile Verdrahtungs-Korrektheit ab.
 describe.skip("PrivacyCenterScreen", () => {
-  test("aktiver User: alle vier Sektionen, Texte übersetzt (keine rohen Keys)", async () => {
+  test("aktiver User: Export/Einschränken/Löschen-Sektionen, Texte übersetzt (keine rohen Keys)", async () => {
     const { view } = renderCenter({ me: activeMe });
     await waitForMount(view);
     expect(view.getByTestId("privacy-export")).toBeTruthy();
-    expect(view.getByTestId("privacy-audit")).toBeTruthy();
     expect(view.getByTestId("privacy-restriction")).toBeTruthy();
     expect(view.getByTestId("privacy-deletion")).toBeTruthy();
     expect(view.getByTestId("privacy-export-request")).toBeTruthy();
-    expect(view.getByTestId("privacy-audit-empty")).toBeTruthy();
     expect(view.getByTestId("privacy-restriction-restrict")).toBeTruthy();
     expect(view.getByTestId("privacy-deletion-delete")).toBeTruthy();
     expect(view.container.textContent).not.toContain("userDataRights.privacyCenter");
@@ -177,27 +175,6 @@ describe.skip("PrivacyCenterScreen", () => {
     expect(view.queryByTestId("privacy-export-request")).toBeNull();
   });
 
-  test("audit rows rendern mit type + datum", async () => {
-    const { view } = renderCenter({
-      me: activeMe,
-      auditLog: {
-        rows: [
-          {
-            id: "ev-1",
-            type: "user.created",
-            aggregateType: "user",
-            createdAt: "2026-06-01T08:00:00Z",
-          },
-        ],
-      },
-    });
-    await waitForMount(view);
-    const rows = view.getAllByTestId("privacy-audit-row");
-    expect(rows.length).toBe(1);
-    expect(rows[0]?.textContent).toContain("user.created");
-    expect(rows[0]?.textContent).toContain("2026-06-01");
-  });
-
   test("deletionRequested: Frist-Banner + Abbrechen statt Lösch-Button", async () => {
     const { view } = renderCenter({
       me: { ...activeMe, status: "deletionRequested", gracePeriodEnd: "2026-07-11T00:00:00Z" },

package/src/user-data-rights/web/client-plugin.tsx

@@ -21,16 +21,27 @@ export type UserDataRightsClientOptions = {
    *  privacy-center-Screen. Den Client VOR dem Auth-Client listen, sonst
    *  landet der anonyme Besucher auf der Login-Maske. */
   readonly publicDeletion?: PublicDeletionRoutes;
+  /** Konfiguration des eingeloggten privacy-center-Screens. */
+  readonly privacyCenter?: {
+    /** `false` blendet die Konto-Lösch-Sektion aus — für Apps, die die Löschung
+     *  schon woanders anbieten (z.B. Profil-DangerZone), gegen Doppelung.
+     *  Default `true`. */
+    readonly showDeletion?: boolean;
+  };
 };
 
 export function userDataRightsClient(
   options?: UserDataRightsClientOptions,
 ): ClientFeatureDefinition {
+  const showDeletion = options?.privacyCenter?.showDeletion ?? true;
+  const privacyCenter = showDeletion
+    ? PrivacyCenterScreen
+    : () => <PrivacyCenterScreen showDeletion={false} />;
   const base: ClientFeatureDefinition = {
     name: USER_DATA_RIGHTS_FEATURE,
     translations: mergeTranslations(defaultTranslations, options?.translations ?? {}),
     components: {
-      [PRIVACY_CENTER_SCREEN_ID]: PrivacyCenterScreen,
+      [PRIVACY_CENTER_SCREEN_ID]: privacyCenter,
     },
   };
   if (options?.publicDeletion === undefined) return base;

package/src/user-data-rights/web/privacy-center-screen.tsx

@@ -1,13 +1,17 @@
 // @runtime client
 // PrivacyCenterScreen — eingeloggte DSGVO-Self-Service-Seite: Datenexport
-// (Art. 20), Aktivitätsprotokoll (Art. 15), Verarbeitung einschränken
-// (Art. 18) und Konto löschen (Art. 17) in einem Screen. Das Feature
-// registriert ihn dormant als custom-Screen (r.screen, kein r.nav); die App
-// platziert ihn via r.nav im eingeloggten Bereich.
+// (Art. 20), Verarbeitung einschränken (Art. 18) und Konto löschen (Art. 17)
+// in einem Screen. Das Feature registriert ihn dormant als custom-Screen
+// (r.screen, kein r.nav); die App platziert ihn via r.nav im eingeloggten
+// Bereich.
 //
-// Art. 18 Lift ist hier bewusst NICHT actionbar: ein eingeschränktes Konto
-// ist vom Login geblockt und erreicht diesen Screen gar nicht erst — das
-// Aufheben läuft über Support / Magic-Link, nicht über die Self-Service-UI.
+// `showDeletion=false` blendet die Lösch-Sektion aus — für Apps, die die
+// Konto-Löschung bereits an anderer Stelle anbieten (z.B. Profil-DangerZone),
+// damit sie nicht doppelt erscheint.
+//
+// Art. 18 Lift ist hier bewusst NICHT actionbar: ein eingeschränktes Konto ist
+// vom Login geblockt und erreicht diesen Screen gar nicht erst — das Aufheben
+// läuft über Support / Magic-Link, nicht über die Self-Service-UI.
 
 import {
   useDispatcher,
@@ -15,7 +19,7 @@ import {
   useQuery,
   useTranslation,
 } from "@cosmicdrift/kumiko-renderer";
-import { type ReactNode, useState } from "react";
+import { type ReactNode, useEffect, useState } from "react";
 import {
   EXPORT_JOB_STATUS,
   type ExportJobStatus,
@@ -27,6 +31,10 @@ import {
 
 const STATUS_DELETION_REQUESTED = "deletionRequested";
 const STATUS_RESTRICTED = "restricted";
+// Export-Job läuft async (worker-Lane-Cron, ~1 Min). Solange er pending/running
+// ist, pollt der Screen den Status, damit der Download ohne manuellen Reload
+// erscheint.
+const EXPORT_POLL_MS = 4000;
 
 type MeRow = {
   readonly id: string;
@@ -45,14 +53,6 @@ type ExportStatusResult =
   | { readonly hasJob: false }
   | { readonly hasJob: true; readonly job: ExportJob };
 
-type AuditRow = {
-  readonly id: string;
-  readonly type: string;
-  readonly aggregateType: string;
-  readonly createdAt: string;
-};
-type AuditLogResult = { readonly rows: readonly AuditRow[] };
-
 type SectionStatus =
   | { kind: "idle" }
   | { kind: "submitting" }
@@ -88,7 +88,7 @@ function StatusBanner({ status }: { readonly status: SectionStatus }): ReactNode
 
 function ExportSection(): ReactNode {
   const t = useTranslation();
-  const { Button, Banner, Heading } = usePrimitives();
+  const { Section, Button, Banner } = usePrimitives();
   const dispatcher = useDispatcher();
   const statusQuery = useQuery<ExportStatusResult | null>(UserDataRightsQueries.exportStatus, {});
   const [status, setStatus] = useState<SectionStatus>({ kind: "idle" });
@@ -112,12 +112,16 @@ function ExportSection(): ReactNode {
   const done = job?.status === EXPORT_JOB_STATUS.Done;
   const failed = job?.status === EXPORT_JOB_STATUS.Failed;
 
+  // Solange der Job läuft: pollen bis Done/Failed, dann auto-Stop.
+  const refetch = statusQuery.refetch;
+  useEffect(() => {
+    if (!inProgress || !refetch) return;
+    const id = setInterval(() => void refetch(), EXPORT_POLL_MS);
+    return () => clearInterval(id);
+  }, [inProgress, refetch]);
+
   return (
-    <section
-      data-testid="privacy-export"
-      className="flex flex-col gap-4 rounded-lg border bg-card p-6"
-    >
-      <Heading variant="section">{t("userDataRights.privacyCenter.export.title")}</Heading>
+    <Section title={t("userDataRights.privacyCenter.export.title")} testId="privacy-export">
       <p className="text-sm text-muted-foreground">
         {t("userDataRights.privacyCenter.export.intro")}
       </p>
@@ -170,48 +174,7 @@ function ExportSection(): ReactNode {
               : t("userDataRights.privacyCenter.export.request")}
         </Button>
       )}
-    </section>
-  );
-}
-
-function AuditSection(): ReactNode {
-  const t = useTranslation();
-  const { Banner, Heading } = usePrimitives();
-  const logQuery = useQuery<AuditLogResult | null>(UserDataRightsQueries.myAuditLog, {});
-  const rows = logQuery.data?.rows ?? [];
-
-  return (
-    <section
-      data-testid="privacy-audit"
-      className="flex flex-col gap-4 rounded-lg border bg-card p-6"
-    >
-      <Heading variant="section">{t("userDataRights.privacyCenter.audit.title")}</Heading>
-      <p className="text-sm text-muted-foreground">
-        {t("userDataRights.privacyCenter.audit.intro")}
-      </p>
-      {logQuery.error && (
-        <Banner variant="error">{t("userDataRights.privacyCenter.errors.generic")}</Banner>
-      )}
-      {logQuery.error ? null : rows.length === 0 ? (
-        <p className="text-sm text-muted-foreground" data-testid="privacy-audit-empty">
-          {t("userDataRights.privacyCenter.audit.empty")}
-        </p>
-      ) : (
-        <ul className="flex flex-col divide-y text-sm" data-testid="privacy-audit-list">
-          {rows.map((row) => (
-            <li
-              key={row.id}
-              data-testid="privacy-audit-row"
-              className="flex items-center justify-between gap-4 py-2"
-            >
-              <span className="font-medium">{row.type}</span>
-              <span className="text-muted-foreground">{row.aggregateType}</span>
-              <span className="text-muted-foreground">{formatDate(row.createdAt)}</span>
-            </li>
-          ))}
-        </ul>
-      )}
-    </section>
+    </Section>
   );
 }
 
@@ -223,7 +186,7 @@ function RestrictionSection({
   readonly onChanged: () => void;
 }): ReactNode {
   const t = useTranslation();
-  const { Button, Banner, Dialog, Heading } = usePrimitives();
+  const { Section, Button, Banner, Dialog } = usePrimitives();
   const dispatcher = useDispatcher();
   const [dialogOpen, setDialogOpen] = useState(false);
   const [status, setStatus] = useState<SectionStatus>({ kind: "idle" });
@@ -242,11 +205,10 @@ function RestrictionSection({
   };
 
   return (
-    <section
-      data-testid="privacy-restriction"
-      className="flex flex-col gap-4 rounded-lg border border-destructive/40 bg-card p-6"
+    <Section
+      title={t("userDataRights.privacyCenter.restriction.title")}
+      testId="privacy-restriction"
     >
-      <Heading variant="section">{t("userDataRights.privacyCenter.restriction.title")}</Heading>
       {restricted ? (
         <Banner variant="error" testId="privacy-restriction-active">
           {t("userDataRights.privacyCenter.restriction.restricted")}
@@ -276,7 +238,7 @@ function RestrictionSection({
           />
         </>
       )}
-    </section>
+    </Section>
   );
 }
 
@@ -288,7 +250,7 @@ function DeletionSection({
   readonly onChanged: () => void;
 }): ReactNode {
   const t = useTranslation();
-  const { Button, Banner, Dialog, Heading } = usePrimitives();
+  const { Section, Button, Banner, Dialog } = usePrimitives();
   const dispatcher = useDispatcher();
   const [dialogOpen, setDialogOpen] = useState(false);
   const [status, setStatus] = useState<SectionStatus>({ kind: "idle" });
@@ -318,11 +280,7 @@ function DeletionSection({
   };
 
   return (
-    <section
-      data-testid="privacy-deletion"
-      className="flex flex-col gap-4 rounded-lg border border-destructive/40 bg-card p-6"
-    >
-      <Heading variant="section">{t("userDataRights.privacyCenter.deletion.title")}</Heading>
+    <Section title={t("userDataRights.privacyCenter.deletion.title")} testId="privacy-deletion">
       {deletionRequested ? (
         <>
           <Banner variant="error" testId="privacy-deletion-requested">
@@ -364,11 +322,15 @@ function DeletionSection({
           />
         </>
       )}
-    </section>
+    </Section>
   );
 }
 
-export function PrivacyCenterScreen(): ReactNode {
+export function PrivacyCenterScreen({
+  showDeletion = true,
+}: {
+  readonly showDeletion?: boolean;
+} = {}): ReactNode {
   const t = useTranslation();
   const { Banner, Heading } = usePrimitives();
   const meQuery = useQuery<MeRow | null>(USER_ME_QUERY, {});
@@ -398,9 +360,8 @@ export function PrivacyCenterScreen(): ReactNode {
       <Heading variant="page">{t("userDataRights.privacyCenter.title")}</Heading>
       <p className="text-sm text-muted-foreground">{t("userDataRights.privacyCenter.intro")}</p>
       <ExportSection />
-      <AuditSection />
       <RestrictionSection me={me} onChanged={refetch} />
-      <DeletionSection me={me} onChanged={refetch} />
+      {showDeletion && <DeletionSection me={me} onChanged={refetch} />}
     </div>
   );
 }