@cosmicdrift/kumiko-bundled-features 0.79.3 → 0.81.0

package/src/user-data-rights/handlers/run-forget-cleanup.write.ts

@@ -10,10 +10,12 @@
 //
 // Rueckgabe: Stats fuer Operator-Monitoring (processed-count, error-list).
 
-import { access, defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import { access, defineWriteHandler, SYSTEM_USER_ID } from "@cosmicdrift/kumiko-framework/engine";
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { z } from "zod";
+import { makeTenantStorageProviderResolver } from "../lib/storage-provider-resolver";
 import { runForgetCleanup, type SendDeletionExecutedEmailFn } from "../run-forget-cleanup";
 
 export type RunForgetCleanupOptions = {
@@ -36,12 +38,25 @@ export function createRunForgetCleanupHandler(opts: RunForgetCleanupOptions = {}
 
       // ctx.db.raw ist DbRunner. runForgetCleanup oeffnet pro User eine
       // Sub-Tx (SAVEPOINT wenn Outer-Dispatcher-Tx aktiv) — siehe
-      // run-forget-cleanup.ts Header. Kein DbConnection-Cast noetig.
+      // run-forget-cleanup.ts Header.
       const T = getTemporal();
+      // Operator-triggered forget must also erase binaries, not just rows —
+      // it flips users to Deleted, after which the cron never re-processes
+      // them, so a row-only delete here would permanently leak the binaries.
+      // Resolve through the same file-foundation path the cron uses.
+      const forgetDb = ctx.db.raw as DbConnection; // @cast-boundary db-operator: config reads tolerate the outer tx
       const result = await runForgetCleanup({
         db: ctx.db.raw,
         registry: ctx.registry,
         now: T.Now.instant(),
+        buildStorageProvider: makeTenantStorageProviderResolver({
+          registry: ctx.registry,
+          configResolver: ctx.configResolver,
+          secrets: ctx.secrets,
+          db: forgetDb,
+          userId: ctx._userId ?? SYSTEM_USER_ID,
+          handlerName: "user-data-rights:run-forget-cleanup",
+        }),
         ...(opts.sendDeletionExecutedEmail && {
           sendDeletionExecutedEmail: opts.sendDeletionExecutedEmail,
         }),

package/src/user-data-rights/lib/storage-provider-resolver.ts

@@ -0,0 +1,48 @@
+// Builds a per-tenant file-storage-provider resolver from a job/handler
+// context, so the export pipeline and the forget pipeline resolve binaries
+// through the SAME mounted file-foundation (delete-target == upload-target by
+// construction). Extracted from the export cron so both crons + the manual
+// forget handler share one construction site instead of inlining it three times.
+
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { ConfigResolver, Registry, TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import type { FileStorageProvider } from "@cosmicdrift/kumiko-framework/files";
+import type { SecretsContext } from "@cosmicdrift/kumiko-framework/secrets";
+import { createConfigAccessor } from "../../config";
+import { createFileProviderForTenant } from "../../file-foundation";
+
+export interface TenantStorageResolverCtx {
+  readonly registry: Registry;
+  // Job-context carries configResolver (per-request ConfigAccessor exists only
+  // in the HTTP dispatcher); the resolver builds a per-tenant accessor from it.
+  // Undefined → the returned resolver throws (callers decide fail-loud vs skip).
+  readonly configResolver: ConfigResolver | undefined;
+  readonly secrets: SecretsContext | undefined;
+  readonly db: DbConnection;
+  readonly userId: string;
+  readonly handlerName: string;
+}
+
+export function makeTenantStorageProviderResolver(
+  ctx: TenantStorageResolverCtx,
+): (tenantId: TenantId) => Promise<FileStorageProvider> {
+  return async (tenantId) => {
+    if (!ctx.configResolver) {
+      throw new Error(
+        `${ctx.handlerName}: ctx.configResolver missing — cannot resolve the file provider for tenant ${tenantId}`,
+      );
+    }
+    const config = createConfigAccessor(
+      ctx.registry,
+      ctx.configResolver,
+      tenantId as Parameters<typeof createConfigAccessor>[2], // @cast-boundary engine-payload: TenantId brand
+      ctx.userId,
+      ctx.db,
+    );
+    return createFileProviderForTenant(
+      { config, registry: ctx.registry, secrets: ctx.secrets, _userId: ctx.userId },
+      tenantId,
+      ctx.handlerName,
+    );
+  };
+}

package/src/user-data-rights/run-forget-cleanup.ts

@@ -41,6 +41,7 @@ import {
   type TenantId,
   type UserDataDeleteHook,
   type UserDataDeleteStrategy,
+  type UserDataStorageProvider,
 } from "@cosmicdrift/kumiko-framework/engine";
 import type { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { resolveRetentionPolicyForTenant } from "../data-retention";
@@ -85,6 +86,16 @@ export interface RunForgetCleanupArgs {
    *  ohne Callback laeuft Worker still (User hatte schon
    *  request-deletion-Email + grace-period-Erinnerung). */
   readonly sendDeletionExecutedEmail?: SendDeletionExecutedEmailFn;
+
+  /**
+   * Per-tenant file-storage-provider resolver (the forget cron builds it from
+   * the mounted file-foundation, mirroring the export cron). Threaded into
+   * every delete-hook's ctx so file-aware hooks erase binaries from the same
+   * store the upload/export path uses. Omitted → hooks skip binary cleanup.
+   */
+  readonly buildStorageProvider?: (
+    tenantId: TenantId,
+  ) => Promise<UserDataStorageProvider | undefined>;
 }
 
 export interface ForgetCleanupError {
@@ -119,7 +130,7 @@ const HOOK_ORDER_DEFAULT = EXT_USER_DATA_ORDER.DEFAULT;
 export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
 ): Promise<RunForgetCleanupResult> {
-  const { db, registry, now, sendDeletionExecutedEmail } = args;
+  const { db, registry, now, sendDeletionExecutedEmail, buildStorageProvider } = args;
 
   // Step 1: Find users with expired grace period.
   const dueUsers = await selectUsersDueForForgetCleanup(
@@ -161,6 +172,7 @@ export async function runForgetCleanup(
       registry,
       userId: user.id,
       hookEntries,
+      buildStorageProvider,
     });
     hookCallsAttempted += userResult.hookCallsAttempted;
     errors.push(...userResult.errors);
@@ -216,8 +228,9 @@ async function processUser(args: {
   registry: Registry;
   userId: string;
   hookEntries: readonly HookEntry[];
+  buildStorageProvider?: (tenantId: TenantId) => Promise<UserDataStorageProvider | undefined>;
 }): Promise<ProcessUserResult> {
-  const { db, registry, userId, hookEntries } = args;
+  const { db, registry, userId, hookEntries, buildStorageProvider } = args;
   const errors: ForgetCleanupError[] = [];
   let hookCallsAttempted = 0;
 
@@ -274,7 +287,7 @@ async function processUser(args: {
           const strategy = policyToStrategy(policy.policy?.strategy ?? null);
 
           hookCallsAttempted++;
-          await entry.deleteHook({ db: tx, tenantId, userId }, strategy);
+          await entry.deleteHook({ db: tx, tenantId, userId, buildStorageProvider }, strategy);
         }
       }
 

package/src/user-data-rights/web/confirm-deletion-screen.tsx

@@ -27,7 +27,7 @@ export function ConfirmAccountDeletionScreen({
 }: ConfirmAccountDeletionScreenProps): ReactNode {
   const t = useTranslation();
   const dispatcher = useDispatcher();
-  const { Button, Banner } = usePrimitives();
+  const { Button, Banner, Card } = usePrimitives();
   const [token] = useState(readToken);
   const [phase, setPhase] = useState<Phase>(token.length > 0 ? "idle" : "missing");
 
@@ -42,12 +42,19 @@ export function ConfirmAccountDeletionScreen({
   };
 
   return (
-    <div className="w-full max-w-sm mx-auto rounded-lg border bg-card text-card-foreground shadow-sm">
-      <div className="flex flex-col space-y-1.5 p-6 pb-4">
-        <h1 className="text-xl font-semibold tracking-tight">
-          {title ?? t("userDataRights.deletion.confirm.title")}
-        </h1>
-      </div>
+    <Card
+      className="w-full max-w-sm mx-auto"
+      options={{ padded: false }}
+      slots={{
+        header: (
+          <div className="flex flex-col space-y-1.5 p-6 pb-4">
+            <h1 className="text-xl font-semibold tracking-tight">
+              {title ?? t("userDataRights.deletion.confirm.title")}
+            </h1>
+          </div>
+        ),
+      }}
+    >
       <div className="p-6 pt-0 flex flex-col gap-4">
         {phase === "success" ? (
           <Banner variant="info">
@@ -83,6 +90,6 @@ export function ConfirmAccountDeletionScreen({
           </>
         )}
       </div>
-    </div>
+    </Card>
   );
 }

package/src/user-data-rights/web/privacy-center-screen.tsx

@@ -130,7 +130,26 @@ function ExportSection(): ReactNode {
   }, [inProgress, refetch]);
 
   return (
-    <Section title={t("userDataRights.privacyCenter.export.title")} testId="privacy-export">
+    <Section
+      title={t("userDataRights.privacyCenter.export.title")}
+      testId="privacy-export"
+      actions={
+        !inProgress ? (
+          <Button
+            onClick={() => void request()}
+            disabled={submitting}
+            loading={submitting}
+            testId="privacy-export-request"
+          >
+            {done
+              ? t("userDataRights.privacyCenter.export.requestNew")
+              : submitting
+                ? t("userDataRights.privacyCenter.export.requesting")
+                : t("userDataRights.privacyCenter.export.request")}
+          </Button>
+        ) : undefined
+      }
+    >
       <p className="text-sm text-muted-foreground">
         {t("userDataRights.privacyCenter.export.intro")}
       </p>
@@ -171,20 +190,6 @@ function ExportSection(): ReactNode {
         </Banner>
       )}
       <StatusBanner status={status} />
-      {!inProgress && (
-        <Button
-          onClick={() => void request()}
-          disabled={submitting}
-          loading={submitting}
-          testId="privacy-export-request"
-        >
-          {done
-            ? t("userDataRights.privacyCenter.export.requestNew")
-            : submitting
-              ? t("userDataRights.privacyCenter.export.requesting")
-              : t("userDataRights.privacyCenter.export.request")}
-        </Button>
-      )}
     </Section>
   );
 }
@@ -219,6 +224,17 @@ function RestrictionSection({
     <Section
       title={t("userDataRights.privacyCenter.restriction.title")}
       testId="privacy-restriction"
+      actions={
+        restricted ? undefined : (
+          <Button
+            variant="danger"
+            onClick={() => setDialogOpen(true)}
+            testId="privacy-restriction-restrict"
+          >
+            {t("userDataRights.privacyCenter.restriction.restrict")}
+          </Button>
+        )
+      }
     >
       {restricted ? (
         <Banner variant="error" testId="privacy-restriction-active">
@@ -230,13 +246,6 @@ function RestrictionSection({
             {t("userDataRights.privacyCenter.restriction.explainer")}
           </p>
           <StatusBanner status={status} />
-          <Button
-            variant="danger"
-            onClick={() => setDialogOpen(true)}
-            testId="privacy-restriction-restrict"
-          >
-            {t("userDataRights.privacyCenter.restriction.restrict")}
-          </Button>
           <Dialog
             open={dialogOpen}
             onOpenChange={setDialogOpen}
@@ -291,7 +300,29 @@ function DeletionSection({
   };
 
   return (
-    <Section title={t("userDataRights.privacyCenter.deletion.title")} testId="privacy-deletion">
+    <Section
+      title={t("userDataRights.privacyCenter.deletion.title")}
+      testId="privacy-deletion"
+      actions={
+        deletionRequested ? (
+          <Button
+            variant="secondary"
+            onClick={() => void cancelDeletion()}
+            testId="privacy-deletion-cancel"
+          >
+            {t("userDataRights.privacyCenter.deletion.cancel")}
+          </Button>
+        ) : (
+          <Button
+            variant="danger"
+            onClick={() => setDialogOpen(true)}
+            testId="privacy-deletion-delete"
+          >
+            {t("userDataRights.privacyCenter.deletion.delete")}
+          </Button>
+        )
+      }
+    >
       {deletionRequested ? (
         <>
           <Banner variant="error" testId="privacy-deletion-requested">
@@ -300,13 +331,6 @@ function DeletionSection({
             })}
           </Banner>
           <StatusBanner status={status} />
-          <Button
-            variant="secondary"
-            onClick={() => void cancelDeletion()}
-            testId="privacy-deletion-cancel"
-          >
-            {t("userDataRights.privacyCenter.deletion.cancel")}
-          </Button>
         </>
       ) : (
         <>
@@ -314,13 +338,6 @@ function DeletionSection({
             {t("userDataRights.privacyCenter.deletion.explainer")}
           </p>
           <StatusBanner status={status} />
-          <Button
-            variant="danger"
-            onClick={() => setDialogOpen(true)}
-            testId="privacy-deletion-delete"
-          >
-            {t("userDataRights.privacyCenter.deletion.delete")}
-          </Button>
           <Dialog
             open={dialogOpen}
             onOpenChange={setDialogOpen}

package/src/user-data-rights/web/request-deletion-screen.tsx

@@ -21,7 +21,7 @@ export function RequestAccountDeletionScreen({
 }: RequestAccountDeletionScreenProps): ReactNode {
   const t = useTranslation();
   const dispatcher = useDispatcher();
-  const { Form, Field, Input, Button, Banner } = usePrimitives();
+  const { Form, Field, Input, Button, Banner, Card } = usePrimitives();
   const [email, setEmail] = useState("");
   const [submitting, setSubmitting] = useState(false);
   const [done, setDone] = useState(false);
@@ -50,12 +50,19 @@ export function RequestAccountDeletionScreen({
   };
 
   return (
-    <div className="w-full max-w-sm mx-auto rounded-lg border bg-card text-card-foreground shadow-sm">
-      <div className="flex flex-col space-y-1.5 p-6 pb-4">
-        <h1 className="text-xl font-semibold tracking-tight">
-          {title ?? t("userDataRights.deletion.request.title")}
-        </h1>
-      </div>
+    <Card
+      className="w-full max-w-sm mx-auto"
+      options={{ padded: false }}
+      slots={{
+        header: (
+          <div className="flex flex-col space-y-1.5 p-6 pb-4">
+            <h1 className="text-xl font-semibold tracking-tight">
+              {title ?? t("userDataRights.deletion.request.title")}
+            </h1>
+          </div>
+        ),
+      }}
+    >
       {done ? (
         <div className="p-6 pt-0">
           <Banner variant="info">
@@ -91,6 +98,6 @@ export function RequestAccountDeletionScreen({
           </Form>
         </div>
       )}
-    </div>
+    </Card>
   );
 }

package/src/user-data-rights-defaults/feature.ts

@@ -3,20 +3,9 @@ import {
   EXT_USER_DATA,
   type FeatureDefinition,
 } from "@cosmicdrift/kumiko-framework/engine";
-import type { FileStorageProvider } from "@cosmicdrift/kumiko-framework/files";
-import { createFileRefDeleteHook, fileRefExportHook } from "./hooks/file-ref.userdata-hook";
+import { fileRefDeleteHook, fileRefExportHook } from "./hooks/file-ref.userdata-hook";
 import { userDeleteHook, userExportHook } from "./hooks/user.userdata-hook";
 
-export interface UserDataRightsDefaultsOptions {
-  /**
-   * Wired into the fileRef delete-hook: on strategy="delete" the hook
-   * calls `storageProvider.delete(key)` per row before hard-deleting
-   * the row. Without it, file binaries leak on forget (Art. 17) — the
-   * hook logs a one-shot warning so misconfiguration stays visible.
-   */
-  readonly storageProvider?: FileStorageProvider;
-}
-
 // user-data-rights-defaults — Default-Hooks für die Core-Entities
 // `user` (S2.H1) und `fileRef` (S2.H2).
 //
@@ -34,10 +23,12 @@ export interface UserDataRightsDefaultsOptions {
 // Pattern matched file-foundation + file-provider-s3 (separate Plugin-
 // Feature), nicht user/files schreiben ihre eigenen Hooks selbst weil
 // das circular-requires waere.
-export function createUserDataRightsDefaultsFeature(
-  options: UserDataRightsDefaultsOptions = {},
-): FeatureDefinition {
-  const fileRefDeleteHook = createFileRefDeleteHook(options.storageProvider);
+// Binary storage for the fileRef delete-hook is resolved at run time from the
+// mounted file-foundation via ctx.buildStorageProvider (injected by the forget
+// orchestrator) — no provider is captured here, so a single app-wide store and
+// per-tenant stores both work, and forget deletes from the same store upload +
+// export use. See hooks/file-ref.userdata-hook.ts.
+export function createUserDataRightsDefaultsFeature(): FeatureDefinition {
   return defineFeature("user-data-rights-defaults", (r) => {
     r.describe(
       "Registers ready-made `EXT_USER_DATA` export and delete hooks for the two core entities: `user` (delete strategy sets email to `deleted-<id>@anonymized.invalid`, nulls `passwordHash`, sets status to `Deleted`; anonymize strategy sets email to `anonymized-<id>@anonymized.invalid` without touching `passwordHash`) and `fileRef` (delete removes both the DB row and the storage binary). Mount this alongside `user-data-rights` for standard GDPR compliance; omit it only if your app needs custom anonymization logic for these entities.",

package/src/user-data-rights-defaults/hooks/file-ref.userdata-hook.ts

@@ -1,6 +1,11 @@
 import { deleteMany, selectMany, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
-import type { UserDataDeleteHook, UserDataExportHook } from "@cosmicdrift/kumiko-framework/engine";
-import { type FileStorageProvider, fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
+import type {
+  UserDataDeleteHook,
+  UserDataExportHook,
+  UserDataHookCtx,
+  UserDataStorageProvider,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
 
 // userData-Hook fuer fileRef-entity (S2.H2).
 //
@@ -9,29 +14,32 @@ import { type FileStorageProvider, fileRefsTable } from "@cosmicdrift/kumiko-fra
 // NICHT direkt — sie werden via signed-Download-URLs separat ins ZIP
 // gepackt (S2.U3 Export-Job-Pipeline orchestriert das).
 //
-// Delete-Hook entfernt FileRef-Zeile via factory
-// `createFileRefDeleteHook(storageProvider)`:
+// Delete-Hook entfernt FileRef-Zeile + Binary:
 //   "delete":    storageProvider.delete() pro File + Row hard-delete
 //   "anonymize": insertedById=null, Row + binary bleiben (FK-Refs
 //                koennen weiter zeigen; Personenbezug raus)
 //
-// Delete-Pfad ist FAIL-CLOSED, sobald ein Provider gewired ist: schlaegt ein
-// binary-delete fehl, wirft der Hook
-// NACH dem Loop — die per-User-Sub-Tx von runForgetCleanup rollt zurueck, der
-// User bleibt DeletionRequested, der naechste Run retried (storageProvider.delete
-// ist idempotent, schon-geloeschte Keys sind no-op). Den Fehler zu schlucken und
-// die Row trotzdem hard-zu-loeschen wuerde Art.-17-Erasure als "done" markieren
-// waehrend die Bytes auf Disk bleiben — eine falsche Compliance-Aussage. Das
-// "KEIN globaler Rollback" der Sprint-2-Atomicity-Decision bleibt gewahrt: nur
-// DIESE User-Sub-Tx rollt zurueck (= der Retry-Mechanismus), andere User des
-// Laufs committen. Der anonymize-Pfad behaelt Row+binary bewusst, hat also
-// nichts zu schlucken.
+// **Provider-Resolution:** der Provider kommt zur Lauf-Zeit aus
+// `ctx.buildStorageProvider(ctx.tenantId)` — der Forget-Orchestrator
+// (run-forget-cleanup) baut ihn aus dem gemounteten file-foundation, also aus
+// DEMSELBEN Store den Upload + Export nutzen (delete-target == upload-target by
+// construction). Kein bei-Mount captured Provider mehr.
 //
-// `storageProvider` ist optional. App-Author wired es beim
-// Feature-Mount rein (`createUserDataRightsDefaultsFeature({
-// storageProvider })`). Ohne Provider macht der Hook row-only-delete,
-// die Bytes leaken — der Caller bekommt EINEN Warn beim ersten Lauf
-// pro Process, damit die Konfiguration sichtbar fehlerhaft ist.
+// **Zwei Fehlerklassen, bewusst verschieden behandelt:**
+//   1. Resolution schlaegt fehl (kein Provider konfiguriert / configResolver
+//      fehlt) → NICHT fail-closed: EIN Warn pro Process + row-only-delete. Ein
+//      fehlkonfigurierter Store darf die Art.-17-Loeschung nicht DAUERHAFT
+//      blockieren (sonst haengt jeder User fuer immer in DeletionRequested);
+//      der Boot-Guard macht die Fehlkonfiguration sichtbar, Binaries werden
+//      nachgeholt sobald ein Provider existiert.
+//   2. Binary-DELETE schlaegt fehl, OBWOHL ein Provider da ist → FAIL-CLOSED:
+//      der Hook wirft NACH dem Loop, die per-User-Sub-Tx von runForgetCleanup
+//      rollt zurueck, der User bleibt DeletionRequested, der naechste Run
+//      retried (delete ist idempotent → konvergiert). Den Fehler zu schlucken +
+//      die Row trotzdem zu loeschen wuerde Erasure als "done" markieren waehrend
+//      die Bytes liegen bleiben — falsche Compliance-Aussage. Das "KEIN globaler
+//      Rollback" der Sprint-2-Atomicity bleibt gewahrt: nur DIESE Sub-Tx rollt
+//      zurueck. Der anonymize-Pfad behaelt Row+binary, hat nichts zu schlucken.
 //
 // Caveat: hard-delete via deleteMany emittiert KEIN fileRef.deleted —
 // die storage-tracking-MSP dekrementiert nicht. Wenn die zu loeschenden
@@ -88,61 +96,69 @@ export const fileRefExportHook: UserDataExportHook = async (ctx) => {
 
 let missingStorageWarned = false;
 
-export function createFileRefDeleteHook(
-  storageProvider: FileStorageProvider | undefined,
-): UserDataDeleteHook {
-  return async (ctx, strategy) => {
-    if (strategy === "delete") {
-      if (storageProvider) {
-        const rows = await selectMany(ctx.db, fileRefsTable, {
-          tenantId: ctx.tenantId,
-          insertedById: ctx.userId,
-        });
-        const failedKeys: string[] = [];
-        for (const row of rows) {
-          const key = (row as Record<string, unknown>)["storageKey"]; // @cast-boundary db-row
-          if (typeof key !== "string" || key.length === 0) continue;
-          try {
-            await storageProvider.delete(key);
-          } catch (err) {
-            // biome-ignore lint/suspicious/noConsole: operator-visibility for binary-cleanup-failure
-            console.warn(
-              `[user-data-rights-defaults:fileRef] storage delete failed key=${key} err=${err instanceof Error ? err.message : String(err)}`,
-            );
-            failedKeys.push(key);
-          }
-        }
-        // Fail-closed: abort before the row hard-delete so the sub-tx rolls back
-        // and the next forget run retries (delete is idempotent → converges).
-        if (failedKeys.length > 0) {
-          throw new Error(
-            `[user-data-rights-defaults:fileRef] ${failedKeys.length} binary delete(s) failed — aborting forget so the rows are retried next run (keys: ${failedKeys.join(", ")})`,
+// Resolve the per-tenant provider the forget orchestrator injected. A
+// resolution failure (no provider configured / configResolver absent) collapses
+// to `undefined` so the hook degrades to a row-only delete instead of throwing —
+// see error-class 1 in the header. A working-provider binary-delete failure is
+// handled separately (fail-closed) below.
+async function resolveProvider(ctx: UserDataHookCtx): Promise<UserDataStorageProvider | undefined> {
+  if (!ctx.buildStorageProvider) return undefined;
+  try {
+    return await ctx.buildStorageProvider(ctx.tenantId);
+  } catch {
+    // skip: provider unresolvable (not configured) → fall through to row-only
+    // delete; warn-once below gives operator visibility, boot guard catches it.
+    return undefined;
+  }
+}
+
+export const fileRefDeleteHook: UserDataDeleteHook = async (ctx, strategy) => {
+  if (strategy === "delete") {
+    const storageProvider = await resolveProvider(ctx);
+    if (storageProvider) {
+      const rows = await selectMany(ctx.db, fileRefsTable, {
+        tenantId: ctx.tenantId,
+        insertedById: ctx.userId,
+      });
+      const failedKeys: string[] = [];
+      for (const row of rows) {
+        const key = (row as Record<string, unknown>)["storageKey"]; // @cast-boundary db-row
+        if (typeof key !== "string" || key.length === 0) continue;
+        try {
+          await storageProvider.delete(key);
+        } catch (err) {
+          // biome-ignore lint/suspicious/noConsole: operator-visibility for binary-cleanup-failure
+          console.warn(
+            `[user-data-rights-defaults:fileRef] storage delete failed key=${key} err=${err instanceof Error ? err.message : String(err)}`,
           );
+          failedKeys.push(key);
         }
-      } else if (!missingStorageWarned) {
-        missingStorageWarned = true;
-        // biome-ignore lint/suspicious/noConsole: misconfiguration visibility — disk-leak in forget-flow
-        console.warn(
-          "[user-data-rights-defaults:fileRef] no storageProvider configured — file binaries are NOT deleted on forget. Pass createUserDataRightsDefaultsFeature({ storageProvider }) to fix.",
+      }
+      // Fail-closed: abort before the row hard-delete so the sub-tx rolls back
+      // and the next forget run retries (delete is idempotent → converges).
+      if (failedKeys.length > 0) {
+        throw new Error(
+          `[user-data-rights-defaults:fileRef] ${failedKeys.length} binary delete(s) failed — aborting forget so the rows are retried next run (keys: ${failedKeys.join(", ")})`,
         );
       }
-      await deleteMany(ctx.db, fileRefsTable, { tenantId: ctx.tenantId, insertedById: ctx.userId });
-    } else {
-      // anonymize: insertedById=null, FileRef + binary bleiben.
-      // Use-case: shared chat-Attachment in einem Multi-User-Channel —
-      // Author-Identifikation raus, Datei bleibt fuer andere User
-      // sichtbar.
-      await updateMany(
-        ctx.db,
-        fileRefsTable,
-        { insertedById: null },
-        { tenantId: ctx.tenantId, insertedById: ctx.userId },
+    } else if (!missingStorageWarned) {
+      missingStorageWarned = true;
+      // biome-ignore lint/suspicious/noConsole: misconfiguration visibility — disk-leak in forget-flow
+      console.warn(
+        "[user-data-rights-defaults:fileRef] no file provider resolvable from ctx.buildStorageProvider — file binaries are NOT deleted on forget (row-only delete). Mount file-foundation + a file-provider-* feature and set the provider config so erasure can reach the binaries.",
       );
     }
-  };
-}
-
-// Legacy export: storage-less hook for callers that haven't migrated.
-// Binaries are NOT cleaned up — disk leak. Migrate to
-// createUserDataRightsDefaultsFeature({ storageProvider }).
-export const fileRefDeleteHook: UserDataDeleteHook = createFileRefDeleteHook(undefined);
+    await deleteMany(ctx.db, fileRefsTable, { tenantId: ctx.tenantId, insertedById: ctx.userId });
+  } else {
+    // anonymize: insertedById=null, FileRef + binary bleiben.
+    // Use-case: shared chat-Attachment in einem Multi-User-Channel —
+    // Author-Identifikation raus, Datei bleibt fuer andere User
+    // sichtbar.
+    await updateMany(
+      ctx.db,
+      fileRefsTable,
+      { insertedById: null },
+      { tenantId: ctx.tenantId, insertedById: ctx.userId },
+    );
+  }
+};