@cosmicdrift/kumiko-bundled-features 0.79.3 → 0.81.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.79.3",
+  "version": "0.81.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -41,6 +41,7 @@
     "./mail-transport-inmemory": "./src/mail-transport-inmemory/index.ts",
     "./file-foundation": "./src/file-foundation/index.ts",
     "./file-provider-s3": "./src/file-provider-s3/index.ts",
+    "./file-provider-s3-env": "./src/file-provider-s3-env/index.ts",
     "./file-provider-inmemory": "./src/file-provider-inmemory/index.ts",
     "./files": "./src/files/index.ts",
     "./user-data-rights": "./src/user-data-rights/index.ts",
@@ -84,11 +85,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.79.3",
-    "@cosmicdrift/kumiko-framework": "0.79.3",
-    "@cosmicdrift/kumiko-headless": "0.79.3",
-    "@cosmicdrift/kumiko-renderer": "0.79.3",
-    "@cosmicdrift/kumiko-renderer-web": "0.79.3",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.81.0",
+    "@cosmicdrift/kumiko-framework": "0.81.0",
+    "@cosmicdrift/kumiko-headless": "0.81.0",
+    "@cosmicdrift/kumiko-renderer": "0.81.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.81.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/web/auth-form-primitives.tsx

@@ -15,6 +15,7 @@
 //   authMutedLinkClass  — Subtle-Link-Style.
 //   parseUrlToken       — URL-Param-Helper (window.location.search).
 
+import { usePrimitives } from "@cosmicdrift/kumiko-renderer";
 import { BareFormProvider, cn } from "@cosmicdrift/kumiko-renderer-web";
 import { createContext, type ReactNode, useContext } from "react";
 
@@ -51,17 +52,30 @@ export type AuthCardProps = {
 };
 
 export function AuthCard({ title, subtitle, children }: AuthCardProps): ReactNode {
+  const { Card } = usePrimitives();
   const shell = useAuthShell() ?? defaultAuthShell;
+  // h1 (Seiten-Hauptüberschrift) via Header-Slot erhalten — die Card-Default-
+  // Header wäre h3. padded:false = Form sitzt randlos wie bisher (bare form).
   const card = (
-    <div className="w-full max-w-sm rounded-lg border bg-card text-card-foreground shadow-sm">
-      {(title !== undefined || subtitle !== undefined) && (
-        <div className="flex flex-col space-y-1.5 p-6 pb-4">
-          {title !== undefined && <h1 className="text-xl font-semibold tracking-tight">{title}</h1>}
-          {subtitle !== undefined && <p className="text-sm text-muted-foreground">{subtitle}</p>}
-        </div>
-      )}
+    <Card
+      className="w-full max-w-sm"
+      options={{ padded: false }}
+      slots={{
+        header:
+          title !== undefined || subtitle !== undefined ? (
+            <div className="flex flex-col space-y-1.5 p-6 pb-4">
+              {title !== undefined && (
+                <h1 className="text-xl font-semibold tracking-tight">{title}</h1>
+              )}
+              {subtitle !== undefined && (
+                <p className="text-sm text-muted-foreground">{subtitle}</p>
+              )}
+            </div>
+          ) : undefined,
+      }}
+    >
       <BareFormProvider>{children}</BareFormProvider>
-    </div>
+    </Card>
   );
   return shell(card);
 }

package/src/file-foundation/__tests__/file-foundation.integration.test.ts

@@ -27,6 +27,7 @@ import { createConfigAccessorFactory } from "../../config/feature";
 import { type ConfigResolver, createConfigResolver } from "../../config/resolver";
 import { configValuesTable } from "../../config/table";
 import { fileProviderS3Feature, S3_SECRET_ACCESS_KEY } from "../../file-provider-s3";
+import { fileProviderS3EnvFeature } from "../../file-provider-s3-env";
 import { createSecretsContext, createSecretsFeature, tenantSecretsTable } from "../../secrets";
 import { createTenantFeature } from "../../tenant/feature";
 import { tenantEntity } from "../../tenant/schema/tenant";
@@ -90,6 +91,7 @@ beforeAll(async () => {
       createSecretsFeature(),
       fileFoundationFeature,
       fileProviderS3Feature,
+      fileProviderS3EnvFeature,
       testProbeFeature,
     ],
     masterKeyProvider: providerRef,
@@ -243,3 +245,40 @@ describe("scenario 3: tenant isolation", () => {
     expect(b["hasWrite"]).toBe(true);
   });
 });
+
+// --- Scenario 4: s3-env provider builds from env, NO per-tenant secret ---
+//
+// The "wire-into-any-app" proof for file-provider-s3-env: select the
+// "s3-env" provider, set the S3_* env vars, and the factory builds a working
+// provider WITHOUT any secrets:write:set call. This is the single-bucket /
+// Hetzner deploy path — no admin seeding, no secrets store.
+
+const S3_ENV_KEYS = ["S3_BUCKET", "S3_REGION", "S3_ACCESS_KEY", "S3_SECRET_KEY"] as const;
+
+describe("scenario 4: s3-env provider (app-wide env, no secrets)", () => {
+  test("env vars set + provider=s3-env → factory builds provider without a per-tenant secret", async () => {
+    const admin = adminFor(504);
+    const saved = S3_ENV_KEYS.map((k) => [k, process.env[k]] as const);
+    Object.assign(process.env, {
+      S3_BUCKET: "shared-bucket",
+      S3_REGION: "fsn1",
+      S3_ACCESS_KEY: "AKIAENV",
+      S3_SECRET_KEY: "env-secret-not-real",
+    });
+    try {
+      await setConfig(admin, "file-foundation:config:provider", "s3-env");
+      const result = (await stack.http.writeOk(TEST_HANDLER_QN, {}, admin)) as Record<
+        string,
+        unknown
+      >;
+      expect(result["hasWrite"]).toBe(true);
+      expect(result["hasRead"]).toBe(true);
+      expect(result["hasDelete"]).toBe(true);
+    } finally {
+      for (const [k, v] of saved) {
+        if (v === undefined) delete process.env[k];
+        else process.env[k] = v;
+      }
+    }
+  });
+});

package/src/file-provider-s3-env/feature.ts

@@ -0,0 +1,58 @@
+// kumiko-feature-version: 1
+//
+// file-provider-s3-env — S3 file provider configured entirely from
+// process.env. ONE shared bucket for ALL tenants: wire it by setting the
+// `S3_*` env vars + mounting — no per-tenant admin seeding and no
+// `secrets`-feature dependency.
+//
+// **vs file-provider-s3:** the config-based `"s3"` provider owns per-tenant
+// config keys + an encrypted `s3.secretAccessKey` secret (per-tenant
+// buckets, admin-seeded). This `"s3-env"` provider reads one credential set
+// from env and serves every tenant from one bucket — the
+// Hetzner-Object-Storage / single-bucket deploy case. Tenant isolation
+// still holds: file keys are tenant-prefixed (export ZIPs:
+// `<tenantId>/exports/<jobId>.zip`) or globally-unique UUIDs (fileRefs).
+//
+// **Pattern-Vorbild:** mirrors file-provider-inmemory (zero admin seeding,
+// only the file-foundation plugin-point required).
+//
+// **Env vars** (read by createS3ProviderFromEnv, prefix `S3_`):
+//   required — S3_BUCKET, S3_REGION, S3_ACCESS_KEY, S3_SECRET_KEY
+//   optional — S3_ENDPOINT (S3-compat stores incl. Hetzner Object Storage),
+//              S3_FORCE_PATH_STYLE
+// Missing required vars throw on the FIRST file op (inside the export cron).
+// The user-data-rights boot guard surfaces that at boot instead.
+
+import type {
+  FileProviderContext,
+  FileProviderPlugin,
+} from "@cosmicdrift/kumiko-bundled-features/file-foundation";
+import { createS3ProviderFromEnv } from "@cosmicdrift/kumiko-bundled-features/files-provider-s3";
+import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
+import type { FileStorageProvider } from "@cosmicdrift/kumiko-framework/files";
+
+const FEATURE_NAME = "file-provider-s3-env";
+
+export const fileProviderS3EnvFeature = defineFeature(FEATURE_NAME, (r) => {
+  r.describe(
+    'Registers an `"s3-env"` provider for `file-foundation` that reads one S3 credential set from `process.env` (`S3_BUCKET`/`S3_REGION`/`S3_ACCESS_KEY`/`S3_SECRET_KEY`, optional `S3_ENDPOINT`/`S3_FORCE_PATH_STYLE`) and serves every tenant from one shared bucket — no per-tenant config or secret seeding. Use this for single-bucket S3-compatible deploys (e.g. Hetzner Object Storage); use `file-provider-s3` instead when each tenant needs its own bucket/credentials.',
+  );
+  r.uiHints({
+    displayLabel: "File Provider · S3 (env)",
+    category: "storage",
+    recommended: false,
+  });
+  // No r.requires("config") / r.requires("secrets") — credentials come from
+  // env, not the per-tenant config + secrets store. Only the file-foundation
+  // plugin-extension-point must be mounted.
+  r.requires("file-foundation");
+
+  const plugin: FileProviderPlugin = {
+    // tenantId ignored: one shared bucket serves all tenants (isolation via
+    // tenant-prefixed / UUID keys). Built fresh per call like file-provider-s3;
+    // the S3 client opens no connection at construction.
+    build: async (_ctx: FileProviderContext, _tenantId: string): Promise<FileStorageProvider> =>
+      createS3ProviderFromEnv(), // @wrapper-known semantic-alias
+  };
+  r.useExtension("fileProvider", "s3-env", plugin);
+});

package/src/file-provider-s3-env/index.ts

@@ -0,0 +1,3 @@
+// Public API of the file-provider-s3-env bundled-feature.
+
+export { fileProviderS3EnvFeature } from "./feature";

package/src/user-data-rights/__tests__/file-binary-forget-cleanup.integration.test.ts

@@ -8,8 +8,10 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { SYSTEM_USER_ID } from "@cosmicdrift/kumiko-framework/engine";
 import {
   createInMemoryFileProvider,
+  type FileStorageProvider,
   fileRefsTable,
   type InMemoryFileProvider,
 } from "@cosmicdrift/kumiko-framework/files";
@@ -21,24 +23,36 @@ import {
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigAccessorFactory } from "../../config/feature";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { fileFoundationFeature } from "../../file-foundation";
 import { createFilesFeature } from "../../files";
 import { createSessionsFeature } from "../../sessions";
 import { createUserFeature, userEntity, userTable } from "../../user";
 import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
 import { createUserDataRightsFeature } from "../feature";
+import { makeTenantStorageProviderResolver } from "../lib/storage-provider-resolver";
 import { runForgetCleanup } from "../run-forget-cleanup";
 import {
   createForgetSeeders,
+  createTestFileProviderFeature,
   type ForgetSeeders,
   nowInstant,
   READ_TENANT_MEMBERSHIPS_DDL,
 } from "./forget-test-helpers";
 
+const FILE_PROVIDER_CONFIG_KEY = "file-foundation:config:provider";
+
 let stack: TestStack;
 let db: DbConnection;
 let provider: InMemoryFileProvider;
 let seed: ForgetSeeders;
+// Per-tenant resolver the forget pipeline uses — built from the stack's
+// configResolver, resolves "test" → the test provider plugin → `provider`.
+let buildStorageProvider: (tenantId: string) => Promise<FileStorageProvider>;
 
 const TENANT = "00000000-0000-4000-8000-00000000000c";
 
@@ -48,24 +62,44 @@ function uuid(suffix: number): string {
 
 beforeAll(async () => {
   provider = createInMemoryFileProvider();
+  // Forget resolves the binary store through file-foundation (the production
+  // path) — mount it + a test plugin returning THIS provider, selected app-wide
+  // via a config app-override (no admin write needed).
+  const appOverrides = new Map<string, string>([[FILE_PROVIDER_CONFIG_KEY, "test"]]);
+  const resolver = createConfigResolver({ appOverrides });
   stack = await setupTestStack({
     features: [
+      createConfigFeature(),
       createUserFeature(),
       createFilesFeature(),
+      fileFoundationFeature,
+      createTestFileProviderFeature(provider, "test"),
       createDataRetentionFeature(),
       createComplianceProfilesFeature(),
       createSessionsFeature(),
       createUserDataRightsFeature(),
-      createUserDataRightsDefaultsFeature({ storageProvider: provider }),
+      createUserDataRightsDefaultsFeature(),
     ],
     files: { storageProvider: provider },
+    extraContext: ({ registry }) => ({
+      configResolver: resolver,
+      _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+    }),
   });
   db = stack.db;
   seed = createForgetSeeders(db, provider);
+  buildStorageProvider = makeTenantStorageProviderResolver({
+    registry: stack.registry,
+    configResolver: resolver,
+    secrets: undefined,
+    db,
+    userId: SYSTEM_USER_ID,
+    handlerName: "test-forget-cleanup",
+  });
 
   await unsafeCreateEntityTable(db, userEntity);
   await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
-  await unsafePushTables(db, { fileRefsTable });
+  await unsafePushTables(db, { fileRefsTable, configValuesTable });
   await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
 });
 
@@ -86,7 +120,12 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
     const key = await seed.seedFile(uuid(101), TENANT, userId);
     expect(await provider.exists(key)).toBe(true);
 
-    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    const result = await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
 
     expect(result.processedUserIds).toContain(userId);
     expect(await provider.exists(key)).toBe(false);
@@ -104,7 +143,12 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
     ]);
     expect(provider.keys()).toHaveLength(3);
 
-    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
 
     for (const key of keys) {
       expect(await provider.exists(key)).toBe(false);
@@ -122,7 +166,12 @@ describe("forget-binary-cleanup :: storage.delete fires before row hard-delete",
     // The other-tenant file is owned by a different user; the forget run for
     // userId must NOT touch it.
 
-    await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
 
     expect(await provider.exists(myKey)).toBe(false);
     expect(await provider.exists(otherKey)).toBe(true);

package/src/user-data-rights/__tests__/file-binary-forget-failure.integration.test.ts

@@ -12,8 +12,10 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { asRawClient, fetchOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { SYSTEM_USER_ID } from "@cosmicdrift/kumiko-framework/engine";
 import {
   createInMemoryFileProvider,
+  type FileStorageProvider,
   fileRefsTable,
   type InMemoryFileProvider,
 } from "@cosmicdrift/kumiko-framework/files";
@@ -25,24 +27,36 @@ import {
 } from "@cosmicdrift/kumiko-framework/stack";
 import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
 import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigAccessorFactory } from "../../config/feature";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
 import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { fileFoundationFeature } from "../../file-foundation";
 import { createFilesFeature } from "../../files";
 import { createSessionsFeature } from "../../sessions";
 import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
 import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
 import { createUserDataRightsFeature } from "../feature";
+import { makeTenantStorageProviderResolver } from "../lib/storage-provider-resolver";
 import { runForgetCleanup } from "../run-forget-cleanup";
 import {
   createForgetSeeders,
+  createTestFileProviderFeature,
   type ForgetSeeders,
   nowInstant,
   READ_TENANT_MEMBERSHIPS_DDL,
 } from "./forget-test-helpers";
 
+const FILE_PROVIDER_CONFIG_KEY = "file-foundation:config:provider";
+
 let stack: TestStack;
 let db: DbConnection;
 let base: InMemoryFileProvider;
 let seed: ForgetSeeders;
+// Per-tenant resolver for the direct runForgetCleanup calls — resolves through
+// file-foundation to the flaky provider, same path the dispatcher handler uses.
+let buildStorageProvider: (tenantId: string) => Promise<FileStorageProvider>;
 // `delete` throws while set; flip off to simulate storage recovery on retry.
 let failDeletes = true;
 
@@ -59,26 +73,45 @@ beforeAll(async () => {
       return base.delete(key);
     },
   };
+  // Forget resolves the binary store through file-foundation (production path).
+  // The test plugin returns the flaky provider; selected app-wide via override.
+  const appOverrides = new Map<string, string>([[FILE_PROVIDER_CONFIG_KEY, "test"]]);
+  const resolver = createConfigResolver({ appOverrides });
   stack = await setupTestStack({
     features: [
+      createConfigFeature(),
       createUserFeature(),
       createFilesFeature(),
+      fileFoundationFeature,
+      createTestFileProviderFeature(flakyProvider, "test"),
       createDataRetentionFeature(),
       createComplianceProfilesFeature(),
       createSessionsFeature(),
       createUserDataRightsFeature(),
-      createUserDataRightsDefaultsFeature({ storageProvider: flakyProvider }),
+      createUserDataRightsDefaultsFeature(),
     ],
     files: { storageProvider: flakyProvider },
+    extraContext: ({ registry }) => ({
+      configResolver: resolver,
+      _configAccessorFactory: createConfigAccessorFactory(registry, resolver),
+    }),
   });
   db = stack.db;
   // Seeders write binaries through the real store (`base`), not the flaky
   // wrapper — the wrapper's `delete` failure is what the test exercises.
   seed = createForgetSeeders(db, base);
+  buildStorageProvider = makeTenantStorageProviderResolver({
+    registry: stack.registry,
+    configResolver: resolver,
+    secrets: undefined,
+    db,
+    userId: SYSTEM_USER_ID,
+    handlerName: "test-forget-failure",
+  });
 
   await unsafeCreateEntityTable(db, userEntity);
   await unsafeCreateEntityTable(db, tenantRetentionOverrideEntity);
-  await unsafePushTables(db, { fileRefsTable });
+  await unsafePushTables(db, { fileRefsTable, configValuesTable });
   await asRawClient(db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
 });
 
@@ -107,7 +140,12 @@ describe("forget fail-closed :: storage.delete failure aborts the row hard-delet
     await seed.seedMembership(userId, TENANT);
     const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000001", TENANT, userId);
 
-    const result = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    const result = await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
 
     // NOT flipped to Deleted — the sub-tx rolled back.
     expect(result.processedUserIds).not.toContain(userId);
@@ -128,13 +166,23 @@ describe("forget fail-closed :: storage.delete failure aborts the row hard-delet
     const key = await seed.seedFile("dddddddd-dddd-4ddd-8ddd-000000000002", TENANT, userId);
 
     // First run: storage down → abort.
-    const first = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    const first = await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
     expect(first.processedUserIds).not.toContain(userId);
     expect(await base.exists(key)).toBe(true);
 
     // Storage recovers; retry converges.
     failDeletes = false;
-    const second = await runForgetCleanup({ db, registry: stack.registry, now: nowInstant() });
+    const second = await runForgetCleanup({
+      db,
+      registry: stack.registry,
+      now: nowInstant(),
+      buildStorageProvider,
+    });
 
     expect(second.processedUserIds).toContain(userId);
     expect(await base.exists(key)).toBe(false);

package/src/user-data-rights/__tests__/forget-test-helpers.ts

@@ -6,11 +6,27 @@
 
 import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
 import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { defineFeature, type FeatureDefinition } from "@cosmicdrift/kumiko-framework/engine";
+import type { FileStorageProvider } from "@cosmicdrift/kumiko-framework/files";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { USER_STATUS, userTable } from "../../user";
 
 export const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
 
+// Test file-provider plugin: registers `provider` under the file-foundation
+// `fileProvider` extension point so the forget pipeline resolves THIS instance
+// through createFileProviderForTenant — the same path production uses. Set
+// `file-foundation:config:provider` to `name` to select it.
+export function createTestFileProviderFeature(
+  provider: FileStorageProvider,
+  name = "test",
+): FeatureDefinition {
+  return defineFeature(`test-file-provider-${name}`, (r) => {
+    r.requires("file-foundation");
+    r.useExtension("fileProvider", name, { build: async () => provider });
+  });
+}
+
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 export const nowInstant = (): Instant => getTemporal().Now.instant();
 export const pastInstant = (): Instant =>

package/src/user-data-rights/__tests__/run-forget-cleanup.integration.test.ts

@@ -269,6 +269,35 @@ describe("runForgetCleanup :: happy path (Cross-Tenant Account-Deletion)", () =>
   });
 });
 
+describe("run-forget-cleanup :: registered cron (autonomous Art.17)", () => {
+  // Beweist C1: der Forget-Cleanup ist als autonomer Cron registriert, nicht
+  // nur als manueller runForget-API. Ohne die r.job-Registrierung liefert
+  // getJob undefined und die Loeschung laeuft nach Grace-Ablauf NIE. Wir
+  // treiben den ECHTEN registrierten Job durch den echten JobContext (db +
+  // registry, kein config) — nicht den inneren runForgetCleanup-Helper.
+  test("registered job exists + erases through the real JobContext", async () => {
+    const job = stack.registry.getJob("user-data-rights:job:run-forget-cleanup");
+    expect(job).toBeTruthy();
+
+    const CRON_USER = uuid(7);
+    await seedUser(CRON_USER, {
+      status: USER_STATUS.DeletionRequested,
+      gracePeriodEnd: instantFromOffsetMs(-60 * 1000),
+      email: "cron-delete@example.com",
+      displayName: "CronDelete",
+    });
+    await seedMembership(CRON_USER, TENANT_A);
+
+    const jobCtx = { db: stack.db, registry: stack.registry };
+    await job?.handler({}, jobCtx as never);
+
+    const row = await fetchUser(CRON_USER);
+    expect(row?.status).toBe(USER_STATUS.Deleted);
+    expect(row?.email).not.toContain("cron-delete@example.com");
+    expect(row?.email).toContain("anonymized.invalid");
+  });
+});
+
 describe("runForgetCleanup :: time-window guards", () => {
   test("Future-grace User wird NICHT bearbeitet", async () => {
     await seedUser(FUTURE_USER_ID, {

package/src/user-data-rights/feature.ts

@@ -4,8 +4,6 @@ import {
   type FeatureDefinition,
   SYSTEM_USER_ID,
 } from "@cosmicdrift/kumiko-framework/engine";
-import { createConfigAccessor } from "../config";
-import { createFileProviderForTenant } from "../file-foundation";
 import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
 import { createConfirmDeletionByTokenHandler } from "./handlers/confirm-deletion-by-token.write";
@@ -26,12 +24,13 @@ import {
 import { requestExportWrite } from "./handlers/request-export.write";
 import { restrictAccountWrite } from "./handlers/restrict-account.write";
 import { createRunForgetCleanupHandler } from "./handlers/run-forget-cleanup.write";
+import { makeTenantStorageProviderResolver } from "./lib/storage-provider-resolver";
 import {
   runExportJobs,
   type SendExportFailedEmailFn,
   type SendExportReadyEmailFn,
 } from "./run-export-jobs";
-import type { SendDeletionExecutedEmailFn } from "./run-forget-cleanup";
+import { runForgetCleanup, type SendDeletionExecutedEmailFn } from "./run-forget-cleanup";
 import { downloadAttemptEntity } from "./schema/download-attempt";
 import { exportDownloadTokenEntity } from "./schema/download-token";
 import { exportJobEntity } from "./schema/export-job";
@@ -276,29 +275,18 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         await runExportJobs({
           db: exportDb,
           registry: exportRegistry,
-          buildStorageProvider: async (tenantId) => {
-            // ctx.config (per-request ConfigAccessor) existiert nur im HTTP-
-            // Dispatcher; der Cron-Job-Kontext trägt ctx.configResolver. Den
-            // per-Tenant-Accessor daraus bauen (wie der HTTP-Pfad via
-            // _configAccessorFactory) — sonst wirft createFileProviderForTenant
-            // "ctx.config is missing" und jeder Export landet auf failed.
-            const config =
-              ctx.config ??
-              (ctx.configResolver
-                ? createConfigAccessor(
-                    exportRegistry,
-                    ctx.configResolver,
-                    tenantId as Parameters<typeof createConfigAccessor>[2],
-                    exportUserId,
-                    exportDb,
-                  )
-                : undefined);
-            return createFileProviderForTenant(
-              { config, registry: exportRegistry, secrets: ctx.secrets, _userId: exportUserId },
-              tenantId,
-              "user-data-rights:run-export-jobs",
-            );
-          },
+          // Per-tenant provider from the mounted file-foundation. The cron
+          // context carries configResolver (not the per-request ConfigAccessor),
+          // so the resolver builds a per-tenant accessor from it — otherwise
+          // createFileProviderForTenant throws and every export lands on failed.
+          buildStorageProvider: makeTenantStorageProviderResolver({
+            registry: exportRegistry,
+            configResolver: ctx.configResolver,
+            secrets: ctx.secrets,
+            db: exportDb,
+            userId: exportUserId,
+            handlerName: "user-data-rights:run-export-jobs",
+          }),
           now: T.Now.instant(),
           // Atom 5 — App-Author-Callbacks fuer Email-Notification.
           // Optional: wenn nicht gesetzt, kein Email; User pollt
@@ -315,6 +303,44 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         });
       },
     );
+
+    // Autonomer Art.17-Forget-Cron. Spiegelt run-export-jobs: nach Ablauf der
+    // Grace-Period laeuft runForgetCleanup unbeaufsichtigt (der manuelle
+    // userDataRights.runForget-API bleibt fuer Operator-Runs). Ohne diesen
+    // Cron bleibt jeder Loesch-Antrag fuer immer in DeletionRequested haengen
+    // — Art.17 wuerde nie ausgefuehrt.
+    r.job(
+      "run-forget-cleanup",
+      { trigger: { cron: "0 * * * * *" }, concurrency: "skip" },
+      async (_payload, ctx) => {
+        if (!ctx.db || !ctx.registry) {
+          throw new Error(
+            "run-forget-cleanup: ctx.db + ctx.registry required (JobContext incomplete)",
+          );
+        }
+        const T = (await import("@cosmicdrift/kumiko-framework/time")).getTemporal();
+        const forgetUserId = ctx._userId ?? SYSTEM_USER_ID;
+        const forgetDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
+        await runForgetCleanup({
+          db: forgetDb,
+          registry: ctx.registry,
+          now: T.Now.instant(),
+          // Same per-tenant provider resolution as the export cron — forget
+          // deletes binaries from the store upload + export use.
+          buildStorageProvider: makeTenantStorageProviderResolver({
+            registry: ctx.registry,
+            configResolver: ctx.configResolver,
+            secrets: ctx.secrets,
+            db: forgetDb,
+            userId: forgetUserId,
+            handlerName: "user-data-rights:run-forget-cleanup",
+          }),
+          ...(opts.sendDeletionExecutedEmail && {
+            sendDeletionExecutedEmail: opts.sendDeletionExecutedEmail,
+          }),
+        });
+      },
+    );
   });
 }