@cosmicdrift/kumiko-bundled-features 0.81.1 → 0.83.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.81.1",
+  "version": "0.83.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -85,11 +85,11 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.81.1",
-    "@cosmicdrift/kumiko-framework": "0.81.1",
-    "@cosmicdrift/kumiko-headless": "0.81.1",
-    "@cosmicdrift/kumiko-renderer": "0.81.1",
-    "@cosmicdrift/kumiko-renderer-web": "0.81.1",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.83.0",
+    "@cosmicdrift/kumiko-framework": "0.83.0",
+    "@cosmicdrift/kumiko-headless": "0.83.0",
+    "@cosmicdrift/kumiko-renderer": "0.83.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.83.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/tags/__tests__/feature.test.ts

@@ -1,7 +1,12 @@
 import { describe, expect, test } from "bun:test";
 import { DEFAULT_TAG_ROLES } from "../constants";
 import { createTagsFeature } from "../feature";
-import { assignTagPayloadSchema, createTagPayloadSchema, removeTagPayloadSchema } from "../schemas";
+import {
+  assignTagPayloadSchema,
+  createTagPayloadSchema,
+  removeTagPayloadSchema,
+  renameTagPayloadSchema,
+} from "../schemas";
 
 // Unit tests: feature-shape, role-options, schema-validation. The ES-loop
 // behaviour (idempotent assign/remove, projection, tenant-isolation, read
@@ -42,7 +47,7 @@ function rawQueryAccess(feature: ReturnType<typeof createTagsFeature>, nameMatch
 }
 
 describe("createTagsFeature shape", () => {
-  test("registers tag + tag-assignment entities, 3 write-handlers, 2 query-handlers", () => {
+  test("registers tag + tag-assignment entities, 4 write-handlers, 2 query-handlers", () => {
     const feature = createTagsFeature();
 
     expect(Object.keys(feature.entities ?? {})).toEqual(
@@ -52,11 +57,12 @@ describe("createTagsFeature shape", () => {
     expect(Object.keys(feature.writeHandlers)).toEqual(
       expect.arrayContaining([
         expect.stringMatching(/create-tag/),
+        expect.stringMatching(/rename-tag/),
         expect.stringMatching(/assign-tag/),
         expect.stringMatching(/remove-tag/),
       ]),
     );
-    expect(Object.keys(feature.writeHandlers)).toHaveLength(3);
+    expect(Object.keys(feature.writeHandlers)).toHaveLength(4);
 
     expect(Object.keys(feature.queryHandlers)).toEqual(
       expect.arrayContaining([
@@ -73,6 +79,7 @@ describe("createTagsFeature access-options", () => {
     const feature = createTagsFeature();
     expect(feature).toBe(createTagsFeature());
     expect(writeAccess(feature, "create-tag")).toEqual([...DEFAULT_TAG_ROLES]);
+    expect(writeAccess(feature, "rename-tag")).toEqual([...DEFAULT_TAG_ROLES]);
     expect(writeAccess(feature, "assign-tag")).toEqual([...DEFAULT_TAG_ROLES]);
     expect(writeAccess(feature, "remove-tag")).toEqual([...DEFAULT_TAG_ROLES]);
     expect(queryAccess(feature, "tag:list")).toEqual([...DEFAULT_TAG_ROLES]);
@@ -82,6 +89,7 @@ describe("createTagsFeature access-options", () => {
   test("roles option overrides every write- and query-path", () => {
     const feature = createTagsFeature({ roles: ["Admin", "Editor"] });
     expect(writeAccess(feature, "create-tag")).toEqual(["Admin", "Editor"]);
+    expect(writeAccess(feature, "rename-tag")).toEqual(["Admin", "Editor"]);
     expect(writeAccess(feature, "assign-tag")).toEqual(["Admin", "Editor"]);
     expect(writeAccess(feature, "remove-tag")).toEqual(["Admin", "Editor"]);
     expect(queryAccess(feature, "tag:list")).toEqual(["Admin", "Editor"]);
@@ -90,7 +98,7 @@ describe("createTagsFeature access-options", () => {
 
   test("access:{openToAll} applies to every write- and query-path", () => {
     const feature = createTagsFeature({ access: { openToAll: true } });
-    for (const path of ["create-tag", "assign-tag", "remove-tag"]) {
+    for (const path of ["create-tag", "rename-tag", "assign-tag", "remove-tag"]) {
       expect(rawWriteAccess(feature, path)).toEqual({ openToAll: true });
     }
     for (const query of ["tag:list", "tag-assignment:list"]) {
@@ -155,6 +163,28 @@ describe("createTagPayloadSchema", () => {
   });
 });
 
+describe("renameTagPayloadSchema", () => {
+  const valid = { id: "tag-1", version: 0, name: "Neu" };
+
+  test("accepts id + version + name", () => {
+    expect(renameTagPayloadSchema.safeParse(valid).success).toBe(true);
+  });
+
+  test("rejects a missing version (optimistic lock is mandatory)", () => {
+    expect(renameTagPayloadSchema.safeParse({ id: "tag-1", name: "Neu" }).success).toBe(false);
+  });
+
+  test("rejects an empty name", () => {
+    expect(renameTagPayloadSchema.safeParse({ ...valid, name: "" }).success).toBe(false);
+  });
+
+  test("rejects a name over 64 chars", () => {
+    expect(renameTagPayloadSchema.safeParse({ ...valid, name: "x".repeat(65) }).success).toBe(
+      false,
+    );
+  });
+});
+
 describe("assign/remove payload schemas", () => {
   const valid = { tagId: "tag-1", entityType: "credit", entityId: "c-1" };
 

package/src/tags/__tests__/tags.integration.test.ts

@@ -61,6 +61,10 @@ async function remove(tagId: string, entityType: string, entityId: string, user
   return stack.http.writeOk(TagsHandlers.removeTag, { tagId, entityType, entityId }, user);
 }
 
+async function tagById(id: string, user = admin): Promise<Record<string, unknown> | undefined> {
+  return (await listTags(user)).find((t) => t["id"] === id);
+}
+
 async function listTags(user = admin): Promise<Array<Record<string, unknown>>> {
   const res = await stack.http.queryOk<{ rows: Array<Record<string, unknown>> }>(
     TagsQueries.tagList,
@@ -129,6 +133,64 @@ describe("tags integration — catalog + assignment roundtrip", () => {
   });
 });
 
+describe("tags integration — rename", () => {
+  test("rename-tag updates name, preserves color, bumps version", async () => {
+    const { id } = await stack.http.writeOk<{ id: string }>(
+      TagsHandlers.createTag,
+      { name: "Mandant Alt", color: "#abc" },
+      admin,
+    );
+    const before = await tagById(id);
+    expect(before?.["name"]).toBe("Mandant Alt");
+    // The rename UI passes the list-row version as the optimistic-lock base —
+    // assert it's actually there (tags are CRUD-only, so it's authoritative).
+    expect(typeof before?.["version"]).toBe("number");
+    const version = before?.["version"] as number;
+
+    await stack.http.writeOk(TagsHandlers.renameTag, { id, version, name: "Mandant Neu" }, admin);
+
+    const after = await tagById(id);
+    expect(after?.["name"]).toBe("Mandant Neu");
+    expect(after?.["color"]).toBe("#abc"); // shallow merge keeps non-renamed fields
+    expect(after?.["version"]).toBe(version + 1);
+  });
+
+  test("rename-tag with a stale version is rejected (409), name unchanged", async () => {
+    const { id } = await stack.http.writeOk<{ id: string }>(
+      TagsHandlers.createTag,
+      { name: "Konflikt" },
+      admin,
+    );
+    const stale = (await tagById(id))?.["version"] as number;
+    await stack.http.writeOk(TagsHandlers.renameTag, { id, version: stale, name: "Erster" }, admin);
+
+    const err = await stack.http.writeErr(
+      TagsHandlers.renameTag,
+      { id, version: stale, name: "Zweiter" }, // stale: the row already moved to stale+1
+      admin,
+    );
+    expect(err.httpStatus).toBe(409);
+    expect((await tagById(id))?.["name"]).toBe("Erster");
+  });
+
+  test("tenant B cannot rename tenant A's tag (404, A untouched)", async () => {
+    const { id } = await stack.http.writeOk<{ id: string }>(
+      TagsHandlers.createTag,
+      { name: "A privat" },
+      admin,
+    );
+    const version = (await tagById(id, admin))?.["version"] as number;
+
+    const err = await stack.http.writeErr(
+      TagsHandlers.renameTag,
+      { id, version, name: "B-Übernahme" },
+      otherTenant,
+    );
+    expect(err.httpStatus).toBe(404);
+    expect((await tagById(id, admin))?.["name"]).toBe("A privat");
+  });
+});
+
 describe("tags integration — many-to-many composition", () => {
   test("one entity carries multiple tags", async () => {
     const a = await createTag("rot");

package/src/tags/constants.ts

@@ -18,6 +18,7 @@ export const TAGS_SECTION_EXTENSION_NAME = "TagSection";
 // object instead of magic strings (mirror custom-fields' Handlers/Queries).
 export const TagsHandlers = {
   createTag: "tags:write:create-tag",
+  renameTag: "tags:write:rename-tag",
   assignTag: "tags:write:assign-tag",
   removeTag: "tags:write:remove-tag",
 } as const;

package/src/tags/feature.ts

@@ -12,8 +12,8 @@
 // tag-assignments filtered on entityId (tags of an entity) or tagId (entities
 // with a tag). See entity.ts.
 //
-// v1 scope: create-tag, assign-tag, remove-tag, list tags, list assignments.
-// Deferred: rename/delete-tag, optional host-projection decoration
+// Scope: create-tag, rename-tag, assign-tag, remove-tag, list tags, list assignments.
+// Deferred: delete-tag, optional host-projection decoration
 // (`wireTagsFor`), search indexing, user-data-rights anonymization.
 
 import {
@@ -27,6 +27,7 @@ import { tagAssignmentEntity, tagEntity } from "./entity";
 import { createAssignTagHandler } from "./handlers/assign-tag.write";
 import { createCreateTagHandler } from "./handlers/create-tag.write";
 import { createRemoveTagHandler } from "./handlers/remove-tag.write";
+import { createRenameTagHandler } from "./handlers/rename-tag.write";
 
 // Opt-in tier-gating: when set, the feature declares itself r.toggleable so the
 // dispatcher gate + feature-toggles + tier-engine can switch the WHOLE feature
@@ -42,7 +43,7 @@ function registerTags(
   toggleable: TagsToggleable | undefined,
 ): void {
   r.describe(
-    "Generic, host-agnostic tagging for any entity. Owns two event-sourced entities — the per-tenant `tag` catalog (`read_tags`) and `tag-assignment` join rows keyed by (entityType, entityId) (`read_tag_assignments`) — so tagging adds NO column to the host entity and needs no relational pivot or JOIN. Provides write-handlers `create-tag`, `assign-tag` (idempotent), `remove-tag` (idempotent) and list queries for the catalog and the assignments. Read which tags an entity has, or which entities carry a tag, by listing `tag-assignment` filtered on `entityId` or `tagId` and composing in the read-layer. Every path uses one access rule — adopt the host's model with createTagsFeature({ access: { openToAll: true } }) or pin roles with createTagsFeature({ roles }). Pass { toggleable: { default: false } } to make the whole feature tier-gatable via the tier-engine (no host hook).",
+    "Generic, host-agnostic tagging for any entity. Owns two event-sourced entities — the per-tenant `tag` catalog (`read_tags`) and `tag-assignment` join rows keyed by (entityType, entityId) (`read_tag_assignments`) — so tagging adds NO column to the host entity and needs no relational pivot or JOIN. Provides write-handlers `create-tag`, `rename-tag` (optimistic-locked), `assign-tag` (idempotent), `remove-tag` (idempotent) and list queries for the catalog and the assignments. Read which tags an entity has, or which entities carry a tag, by listing `tag-assignment` filtered on `entityId` or `tagId` and composing in the read-layer. Every path uses one access rule — adopt the host's model with createTagsFeature({ access: { openToAll: true } }) or pin roles with createTagsFeature({ roles }). Pass { toggleable: { default: false } } to make the whole feature tier-gatable via the tier-engine (no host hook).",
   );
   r.uiHints({
     displayLabel: "Tags",
@@ -58,6 +59,7 @@ function registerTags(
   r.entity("tag-assignment", tagAssignmentEntity);
 
   r.writeHandler(createCreateTagHandler(access));
+  r.writeHandler(createRenameTagHandler(access));
   r.writeHandler(createAssignTagHandler(access));
   r.writeHandler(createRemoveTagHandler(access));
 

package/src/tags/handlers/create-tag.write.ts

@@ -6,8 +6,7 @@ import { type CreateTagPayload, createTagPayloadSchema } from "../schemas";
 // create-tag — adds a tag to the tenant's catalog. The framework mints a fresh
 // UUIDv7 id (no explicit id passed). Tag names are not unique by design: the
 // catalog is a free list and dedup is a UI concern (autocomplete from existing
-// tags). Rename/delete are deferred to a later iteration (v1 scope: create,
-// assign, remove, list).
+// tags). Rename is rename-tag.write.ts; delete is still deferred.
 export function createCreateTagHandler(access: AccessRule = DEFAULT_TAG_ACCESS): WriteHandlerDef {
   return {
     name: "create-tag",

package/src/tags/handlers/rename-tag.write.ts

@@ -0,0 +1,26 @@
+import type { AccessRule, WriteHandlerDef } from "@cosmicdrift/kumiko-framework/engine";
+import { DEFAULT_TAG_ACCESS } from "../constants";
+import { tagExecutor } from "../executor";
+import { type RenameTagPayload, renameTagPayloadSchema } from "../schemas";
+
+// rename-tag — renames a tag in the tenant's catalog. Optimistic-locked: the
+// client sends the `version` it read (mirrors tenant:update). The executor
+// merges shallowly so only `name` changes — `color` is preserved. A stale
+// version returns version_conflict; the UI refetches and retries.
+export function createRenameTagHandler(access: AccessRule = DEFAULT_TAG_ACCESS): WriteHandlerDef {
+  return {
+    name: "rename-tag",
+    schema: renameTagPayloadSchema,
+    access,
+    handler: async (event, ctx) => {
+      const payload = event.payload as RenameTagPayload; // @cast-boundary engine-payload
+      return tagExecutor.update(
+        { id: payload.id, version: payload.version, changes: { name: payload.name } },
+        event.user,
+        ctx.db,
+      );
+    },
+  };
+}
+
+export const renameTagHandler: WriteHandlerDef = createRenameTagHandler();

package/src/tags/index.ts

@@ -20,11 +20,17 @@ export {
   createRemoveTagHandler,
   removeTagHandler,
 } from "./handlers/remove-tag.write";
+export {
+  createRenameTagHandler,
+  renameTagHandler,
+} from "./handlers/rename-tag.write";
 export {
   type AssignTagPayload,
   assignTagPayloadSchema,
   type CreateTagPayload,
   createTagPayloadSchema,
   type RemoveTagPayload,
+  type RenameTagPayload,
   removeTagPayloadSchema,
+  renameTagPayloadSchema,
 } from "./schemas";

package/src/tags/schemas.ts

@@ -6,6 +6,15 @@ export const createTagPayloadSchema = z.object({
 });
 export type CreateTagPayload = z.infer<typeof createTagPayloadSchema>;
 
+// rename-tag — id + the version the client read (optimistic lock, mirrors
+// tenant:update) + the new name. The executor merges shallowly, so color stays.
+export const renameTagPayloadSchema = z.object({
+  id: z.string().min(1),
+  version: z.number().int().nonnegative(),
+  name: z.string().min(1).max(64),
+});
+export type RenameTagPayload = z.infer<typeof renameTagPayloadSchema>;
+
 // assign + remove share the (tag, entity) reference shape.
 const entityTagRef = {
   tagId: z.string().min(1).max(64),

package/src/user-data-rights/__tests__/tenant-model-erasure.integration.test.ts

@@ -0,0 +1,201 @@
+// Configurable tenant-occupancy model for GDPR forget (Art. 17).
+//
+// A tenant-scoped contributor (e.g. credit) has no per-user column to anonymize,
+// so per-user erasure of tenant data is only safe when the tenant has exactly
+// one user. The app declares that via the `tenantModel` config; the forget
+// pipeline refines it per-tenant with a runtime sole-member check before handing
+// `ctx.tenantModel` to each delete-hook.
+//
+// This drives the REAL config resolution (appOverride → resolveAppTenantModel)
+// and the REAL forget pipeline (sole-member refinement → ctx.tenantModel →
+// contributor delete) — NOT a hand-set ctx, which would prove the hook's `if`
+// but not that the config string + system-scope resolution actually carry the
+// value (the failure mode that shipped the ctx.config export bug).
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  createEntity,
+  createTextField,
+  defineFeature,
+  EXT_USER_DATA,
+  SYSTEM_USER_ID,
+  type UserDataDeleteHook,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createEventsTable } from "@cosmicdrift/kumiko-framework/event-store";
+import {
+  resetEventStore,
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValueEntity } from "../../config/table";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, userEntity } from "../../user";
+import { TENANT_MODEL_CONFIG_KEY } from "../constants";
+import { createUserDataRightsFeature } from "../feature";
+import { resolveAppTenantModel } from "../lib/resolve-tenant-model";
+import { runForgetCleanup } from "../run-forget-cleanup";
+import {
+  createForgetSeeders,
+  nowInstant,
+  READ_TENANT_MEMBERSHIPS_DDL,
+} from "./forget-test-helpers";
+
+const TENANT = "00000000-0000-4000-8000-0000000000c1";
+const FORGET_USER = "cccccccc-cccc-4ccc-8ccc-0000000000c1";
+const CO_MEMBER = "cccccccc-cccc-4ccc-8ccc-0000000000c2";
+const TABLE = "read_dsgvo_tenant_scoped";
+
+// Tenant-scoped contributor with NO per-user column — deletes by tenant only,
+// and ONLY when this tenant is effectively single-user (mirrors credit).
+const tenantScopedDeleteHook: UserDataDeleteHook = async (ctx) => {
+  if (ctx.tenantModel !== "single-user") return; // shared tenant: erasing would hit co-members
+  await asRawClient(ctx.db).unsafe(`DELETE FROM ${TABLE} WHERE tenant_id = $1`, [ctx.tenantId]);
+};
+
+const scopedEntity = createEntity({
+  table: TABLE,
+  fields: { name: createTextField({ required: true }) },
+});
+
+const contributorFeature = defineFeature("dsgvo-tenant-scoped", (r) => {
+  r.entity("tenant-scoped", scopedEntity);
+  r.useExtension(EXT_USER_DATA, "tenant-scoped", {
+    export: async () => null,
+    delete: tenantScopedDeleteHook,
+  });
+});
+
+let stack: TestStack;
+const seed = (db: unknown) =>
+  // biome-ignore lint/suspicious/noExplicitAny: dummy writer; this contributor has no binaries.
+  createForgetSeeders(db as any, { write: async () => {} });
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createUserFeature(),
+      createSessionsFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createConfigFeature(),
+      createUserDataRightsFeature(),
+      contributorFeature,
+    ],
+  });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+  await unsafeCreateEntityTable(stack.db, configValueEntity);
+  await unsafeCreateEntityTable(stack.db, scopedEntity);
+  await createEventsTable(stack.db);
+  await asRawClient(stack.db).unsafe(READ_TENANT_MEMBERSHIPS_DDL);
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await resetEventStore(stack);
+  await asRawClient(stack.db).unsafe(`DELETE FROM ${TABLE}`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_tenant_memberships`);
+  await asRawClient(stack.db).unsafe(`DELETE FROM read_users`);
+});
+
+async function seedScopedRow(rowId: string): Promise<void> {
+  await asRawClient(stack.db).unsafe(
+    `INSERT INTO ${TABLE} (id, tenant_id, name) VALUES ($1, $2, 'loan')`,
+    [rowId, TENANT],
+  );
+}
+
+async function rowCount(): Promise<number> {
+  const rows = await asRawClient(stack.db).unsafe(`SELECT id FROM ${TABLE} WHERE tenant_id = $1`, [
+    TENANT,
+  ]);
+  return (rows as ReadonlyArray<unknown>).length;
+}
+
+describe("tenant-model config resolution (seam)", () => {
+  test("appOverride single-user resolves through the real config resolver", async () => {
+    const model = await resolveAppTenantModel({
+      registry: stack.registry,
+      configResolver: createConfigResolver({
+        appOverrides: new Map([[TENANT_MODEL_CONFIG_KEY, "single-user"]]),
+      }),
+      db: stack.db,
+      userId: SYSTEM_USER_ID,
+    });
+    expect(model).toBe("single-user");
+  });
+
+  test("no override falls back to the feature default (multi-user)", async () => {
+    const model = await resolveAppTenantModel({
+      registry: stack.registry,
+      configResolver: createConfigResolver({ appOverrides: new Map() }),
+      db: stack.db,
+      userId: SYSTEM_USER_ID,
+    });
+    expect(model).toBe("multi-user");
+  });
+});
+
+describe("forget pipeline honours the effective tenant model", () => {
+  test("single-user + sole member → tenant-scoped rows erased", async () => {
+    await seedScopedRow("dddddddd-dddd-4ddd-8ddd-0000000000c1");
+    await seed(stack.db).seedForgetUser(FORGET_USER);
+    await seed(stack.db).seedMembership(FORGET_USER, TENANT);
+
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: nowInstant(),
+      tenantModel: "single-user",
+    });
+
+    expect(result.errors).toHaveLength(0);
+    expect(result.processedUserIds).toContain(FORGET_USER);
+    expect(await rowCount()).toBe(0);
+  });
+
+  test("single-user but a co-member exists → rows preserved (sole-member guard)", async () => {
+    await seedScopedRow("dddddddd-dddd-4ddd-8ddd-0000000000c2");
+    await seed(stack.db).seedForgetUser(FORGET_USER);
+    await seed(stack.db).seedMembership(FORGET_USER, TENANT);
+    await seed(stack.db).seedMembership(CO_MEMBER, TENANT);
+
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: nowInstant(),
+      tenantModel: "single-user",
+    });
+
+    expect(result.errors).toHaveLength(0);
+    expect(result.processedUserIds).toContain(FORGET_USER);
+    // A stray invite made the config's claim false at runtime — the co-member's
+    // loan book must survive even though the user was forgotten.
+    expect(await rowCount()).toBe(1);
+  });
+
+  test("multi-user → tenant-scoped rows preserved", async () => {
+    await seedScopedRow("dddddddd-dddd-4ddd-8ddd-0000000000c3");
+    await seed(stack.db).seedForgetUser(FORGET_USER);
+    await seed(stack.db).seedMembership(FORGET_USER, TENANT);
+
+    const result = await runForgetCleanup({
+      db: stack.db,
+      registry: stack.registry,
+      now: nowInstant(),
+      tenantModel: "multi-user",
+    });
+
+    expect(result.errors).toHaveLength(0);
+    expect(await rowCount()).toBe(1);
+  });
+});

package/src/user-data-rights/constants.ts

@@ -16,6 +16,13 @@ export const UserDataRightsQueries = {
   downloadByJob: "user-data-rights:query:download-by-job",
 } as const;
 
+// App-level config: tenant-occupancy model. "single-user" tells the forget
+// pipeline that each tenant has exactly one user, so tenant-scoped contributors
+// (e.g. credit) may erase the tenant's data as that user's personal data.
+// Default "multi-user" (declared in feature.ts). Apps set it via appOverrides:
+// `overrides.set(TENANT_MODEL_CONFIG_KEY, "single-user")`.
+export const TENANT_MODEL_CONFIG_KEY = "user-data-rights:config:tenant-model" as const;
+
 export const UserDataRightsHandlers = {
   requestExport: "user-data-rights:write:request-export",
   requestDeletion: "user-data-rights:write:request-deletion",

package/src/user-data-rights/feature.ts

@@ -1,4 +1,5 @@
 import {
+  createSystemConfig,
   defineFeature,
   EXT_USER_DATA,
   type FeatureDefinition,
@@ -24,6 +25,7 @@ import {
 import { requestExportWrite } from "./handlers/request-export.write";
 import { restrictAccountWrite } from "./handlers/restrict-account.write";
 import { createRunForgetCleanupHandler } from "./handlers/run-forget-cleanup.write";
+import { resolveAppTenantModel } from "./lib/resolve-tenant-model";
 import { makeTenantStorageProviderResolver } from "./lib/storage-provider-resolver";
 import {
   runExportJobs,
@@ -126,6 +128,21 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
 
     r.extendsRegistrar(EXT_USER_DATA, {});
 
+    // App-level tenant-occupancy model. Default "multi-user" → tenant-scoped
+    // contributors (e.g. credit) NEVER erase tenant data on a per-user forget
+    // (would harm co-members). An app with one user per tenant sets this to
+    // "single-user" via appOverrides (TENANT_MODEL_CONFIG_KEY) so the forget
+    // pipeline may erase the tenant's data as that user's personal data — still
+    // gated by a runtime sole-member check in run-forget-cleanup.
+    r.config({
+      keys: {
+        tenantModel: createSystemConfig("select", {
+          default: "multi-user",
+          options: ["single-user", "multi-user"],
+        }),
+      },
+    });
+
     // S2.U3 Atom 1b — ExportJob-Lifecycle-Entity.
     r.entity("export-job", exportJobEntity);
 
@@ -321,10 +338,17 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         const T = (await import("@cosmicdrift/kumiko-framework/time")).getTemporal();
         const forgetUserId = ctx._userId ?? SYSTEM_USER_ID;
         const forgetDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
+        const tenantModel = await resolveAppTenantModel({
+          registry: ctx.registry,
+          configResolver: ctx.configResolver,
+          db: forgetDb,
+          userId: forgetUserId,
+        });
         await runForgetCleanup({
           db: forgetDb,
           registry: ctx.registry,
           now: T.Now.instant(),
+          tenantModel,
           // Same per-tenant provider resolution as the export cron — forget
           // deletes binaries from the store upload + export use.
           buildStorageProvider: makeTenantStorageProviderResolver({

package/src/user-data-rights/handlers/run-forget-cleanup.write.ts

@@ -15,6 +15,7 @@ import { access, defineWriteHandler, SYSTEM_USER_ID } from "@cosmicdrift/kumiko-
 import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
 import { z } from "zod";
+import { resolveAppTenantModel } from "../lib/resolve-tenant-model";
 import { makeTenantStorageProviderResolver } from "../lib/storage-provider-resolver";
 import { runForgetCleanup, type SendDeletionExecutedEmailFn } from "../run-forget-cleanup";
 
@@ -45,10 +46,17 @@ export function createRunForgetCleanupHandler(opts: RunForgetCleanupOptions = {}
       // them, so a row-only delete here would permanently leak the binaries.
       // Resolve through the same file-foundation path the cron uses.
       const forgetDb = ctx.db.raw as DbConnection; // @cast-boundary db-operator: config reads tolerate the outer tx
+      const tenantModel = await resolveAppTenantModel({
+        registry: ctx.registry,
+        configResolver: ctx.configResolver,
+        db: forgetDb,
+        userId: ctx._userId ?? SYSTEM_USER_ID,
+      });
       const result = await runForgetCleanup({
         db: ctx.db.raw,
         registry: ctx.registry,
         now: T.Now.instant(),
+        tenantModel,
         buildStorageProvider: makeTenantStorageProviderResolver({
           registry: ctx.registry,
           configResolver: ctx.configResolver,

package/src/user-data-rights/lib/resolve-tenant-model.ts

@@ -0,0 +1,34 @@
+// Resolves the app-level `tenantModel` config once for a forget run. The
+// forget cron + manual handler both call this and pass the scalar into the
+// pure pipeline (which refines it per-tenant with a sole-member check). The key
+// is system-scoped, so the tenantId used for resolution is irrelevant —
+// SYSTEM_TENANT_ID reads the system/appOverride value.
+
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import {
+  type ConfigResolver,
+  type Registry,
+  SYSTEM_TENANT_ID,
+  type TenantUserModel,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { createConfigAccessor } from "../../config";
+import { TENANT_MODEL_CONFIG_KEY } from "../constants";
+
+export async function resolveAppTenantModel(args: {
+  readonly registry: Registry;
+  readonly configResolver: ConfigResolver | undefined;
+  readonly db: DbConnection;
+  readonly userId: string;
+}): Promise<TenantUserModel> {
+  // No resolver (e.g. a unit context) → safe default: never erase tenant-scoped data.
+  if (!args.configResolver) return "multi-user";
+  const config = createConfigAccessor(
+    args.registry,
+    args.configResolver,
+    SYSTEM_TENANT_ID,
+    args.userId,
+    args.db,
+  );
+  const raw = await config(TENANT_MODEL_CONFIG_KEY);
+  return raw === "single-user" ? "single-user" : "multi-user";
+}

package/src/user-data-rights/run-forget-cleanup.ts

@@ -39,6 +39,7 @@ import {
   EXT_USER_DATA_ORDER,
   type Registry,
   type TenantId,
+  type TenantUserModel,
   type UserDataDeleteHook,
   type UserDataDeleteStrategy,
   type UserDataStorageProvider,
@@ -96,6 +97,15 @@ export interface RunForgetCleanupArgs {
   readonly buildStorageProvider?: (
     tenantId: TenantId,
   ) => Promise<UserDataStorageProvider | undefined>;
+
+  /**
+   * App-level tenant-occupancy model (resolved from the `tenantModel` config by
+   * the cron/handler). The pipeline refines it PER TENANT with a sole-member
+   * check before handing `tenantModel` to each delete-hook, so tenant-scoped
+   * erasure only happens where it's actually safe. Omitted → `"multi-user"`
+   * (no tenant-scoped erasure).
+   */
+  readonly tenantModel?: TenantUserModel;
 }
 
 export interface ForgetCleanupError {
@@ -131,6 +141,7 @@ export async function runForgetCleanup(
   args: RunForgetCleanupArgs,
 ): Promise<RunForgetCleanupResult> {
   const { db, registry, now, sendDeletionExecutedEmail, buildStorageProvider } = args;
+  const appTenantModel: TenantUserModel = args.tenantModel ?? "multi-user";
 
   // Step 1: Find users with expired grace period.
   const dueUsers = await selectUsersDueForForgetCleanup(
@@ -173,6 +184,7 @@ export async function runForgetCleanup(
       userId: user.id,
       hookEntries,
       buildStorageProvider,
+      appTenantModel,
     });
     hookCallsAttempted += userResult.hookCallsAttempted;
     errors.push(...userResult.errors);
@@ -229,8 +241,9 @@ async function processUser(args: {
   userId: string;
   hookEntries: readonly HookEntry[];
   buildStorageProvider?: (tenantId: TenantId) => Promise<UserDataStorageProvider | undefined>;
+  appTenantModel: TenantUserModel;
 }): Promise<ProcessUserResult> {
-  const { db, registry, userId, hookEntries, buildStorageProvider } = args;
+  const { db, registry, userId, hookEntries, buildStorageProvider, appTenantModel } = args;
   const errors: ForgetCleanupError[] = [];
   let hookCallsAttempted = 0;
 
@@ -276,6 +289,10 @@ async function processUser(args: {
     await runInSubTransaction(db, async (tx) => {
       for (const tenantId of tenantList) {
         currentTenantId = tenantId;
+        // Refine the app-level model to THIS tenant: "single-user" only if the
+        // tenant truly has one member, so a stray invite can't let a per-user
+        // forget erase a co-member's tenant-scoped data (money-path safety).
+        const tenantModel = await resolveEffectiveTenantModel(tx, tenantId, appTenantModel);
         for (const entry of hookEntries) {
           currentEntityName = entry.entityName;
           const policy = await resolveRetentionPolicyForTenant({
@@ -287,7 +304,10 @@ async function processUser(args: {
           const strategy = policyToStrategy(policy.policy?.strategy ?? null);
 
           hookCallsAttempted++;
-          await entry.deleteHook({ db: tx, tenantId, userId, buildStorageProvider }, strategy);
+          await entry.deleteHook(
+            { db: tx, tenantId, userId, buildStorageProvider, tenantModel },
+            strategy,
+          );
         }
       }
 
@@ -362,6 +382,21 @@ async function runInSubTransaction(
 // User-Row und ignorieren tenantId.
 const SYSTEM_TENANT_ID_FOR_ORPHANS = "00000000-0000-0000-0000-000000000000" as TenantId;
 
+// "single-user" requires BOTH the app config AND a runtime sole-member check —
+// the config asserts the deployment model, the count guards against a stray
+// invite that would make a per-user forget delete a co-member's tenant-scoped
+// data. Only queried when the app opted into "single-user" (multi-user apps
+// never reach the destructive path, so no extra query for them).
+async function resolveEffectiveTenantModel(
+  db: DbRunner,
+  tenantId: TenantId,
+  appTenantModel: TenantUserModel,
+): Promise<TenantUserModel> {
+  if (appTenantModel !== "single-user") return "multi-user";
+  const members = await selectMany<{ userId: string }>(db, tenantMembershipsTable, { tenantId });
+  return members.length === 1 ? "single-user" : "multi-user";
+}
+
 // Mapping retention.strategy → user-data-rights.UserDataDeleteStrategy.
 //   - "anonymize" / "blockDelete" → "anonymize" (Aufbewahrungs-Pflicht
 //     blockDelete: Daten muessen physisch bleiben, nur Personen-Bezug raus)