@cosmicdrift/kumiko-bundled-features 0.87.3 → 0.89.0

package/src/data-retention/run-retention-cleanup.ts

@@ -0,0 +1,151 @@
+// Retention-Cleanup-Runner (S2.D2b) — pure Function, vom retention-cleanup-Cron
+// pro fan-out-Tenant aufgerufen.
+//
+// Iteriert alle implicit-Entity-Projektionen, loest pro Entity die effektive
+// Retention-Policy (3-Schicht-Resolver, siehe resolver.ts) und wendet die
+// Strategy auf Rows an deren reference-Timestamp aelter als der keepFor-Cutoff
+// ist:
+//
+//   - hardDelete  → deleteManyBatched (selbst-begrenzt, kein Full-Table-Scan)
+//   - softDelete  → isDeleted=true/deletedAt=now, nur auf noch-nicht-geloeschte
+//   - anonymize   → DEFERRED (siehe unten)
+//   - blockDelete → ignoriert (Aufbewahrungs-Pflicht; user-forget loest anonymize)
+//
+// **Schaerfer als soft-delete-cleanup:** dieser Cron hardDeleted LIVE Rows
+// (keyed auf reference, Default createdAt), nicht bereits-soft-geloeschte.
+// Darum die Spalten-Existenz-Pruefung vor jedem WHERE — eine fehlende/vertippte
+// reference-Spalte wuerde sonst ein malformed/all-matching WHERE ergeben und
+// pauschal loeschen.
+//
+// **anonymize deferred:** anonymize behaelt die Row. Ohne Idempotenz-Marker
+// wuerde der taegliche UPDATE jede past-cutoff Row endlos neu treffen — genau
+// der Full-Table-Scan den die Strategie vermeiden soll (hardDelete begrenzt
+// sich selbst, softDelete via isDeleted:false). Kein bundled-Entity nutzt
+// zeitgesteuertes anonymize; der user-forget-Flow (run-forget-cleanup) deckt
+// anonymize keyed auf userId ab. Follow-up fuer den Marker.
+
+import { deleteManyBatched, updateMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import type { DbRunner, WhereObject } from "@cosmicdrift/kumiko-framework/db";
+import type { Registry, TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import { computeCutoff, type Instant } from "./keep-for";
+import type { RetentionPresetKey } from "./presets";
+import { resolveRetentionPolicyForTenant } from "./resolve-for-tenant";
+
+const DEFAULT_BATCH_LIMIT = 1000;
+const DEFAULT_REFERENCE_FIELD = "createdAt";
+
+// Der Boot-Validator (boot-validator/pii-retention.ts FRAMEWORK_TIMESTAMP_FIELDS)
+// erlaubt diese Aliase als retention.reference, auch wenn sie nicht in
+// entity.fields deklariert sind — die physischen Spalten heissen aber anders
+// (table-builder.ts: inserted_at/modified_at). Hier zur Cleanup-Zeit auf das
+// echte Entity-Feld mappen, sonst trifft die Spalten-Existenz-Pruefung unten
+// und der Cron wuerde lautlos nichts tun. deletedAt/lastSeenAt sind echte
+// Felder (softDelete bzw. session) und brauchen keine Uebersetzung.
+const FRAMEWORK_REFERENCE_ALIAS: Readonly<Record<string, string>> = {
+  createdAt: "insertedAt",
+  updatedAt: "modifiedAt",
+};
+
+export interface RunRetentionCleanupArgs {
+  readonly db: DbRunner;
+  readonly registry: Registry;
+  readonly tenantId: TenantId;
+  /** Layer-2 Preset (aus resolveTenantRetentionPreset). null = nur Layer 1/3. */
+  readonly tenantPreset: RetentionPresetKey | null;
+  /** Now-Injection — Tests pinnen den Wert ohne Date-Mock (Pattern keep-for.ts). */
+  readonly now: Instant;
+  readonly batchLimit?: number;
+}
+
+export interface RetentionCleanupSkip {
+  readonly entityName: string;
+  readonly reason: "missing_reference_column" | "missing_softdelete_columns";
+}
+
+export interface RunRetentionCleanupResult {
+  readonly hardDeleted: number;
+  readonly softDeleted: number;
+  /** Entities mit anonymize-Strategy — deferred (Header). Cron logt sie. */
+  readonly anonymizeDeferred: readonly string[];
+  /** Anomalien: Policy referenziert eine Spalte die die Tabelle nicht hat. */
+  readonly skipped: readonly RetentionCleanupSkip[];
+}
+
+export async function runRetentionCleanup(
+  args: RunRetentionCleanupArgs,
+): Promise<RunRetentionCleanupResult> {
+  const { db, registry, tenantId, tenantPreset, now } = args;
+  const batchLimit = args.batchLimit ?? DEFAULT_BATCH_LIMIT;
+
+  let hardDeleted = 0;
+  let softDeleted = 0;
+  const anonymizeDeferred: string[] = [];
+  const skipped: RetentionCleanupSkip[] = [];
+
+  for (const proj of registry.getAllProjections().values()) {
+    // Nur implicit-Entity-Projektionen mit Tabelle — wie soft-delete-cleanup.
+    // Custom-Projektionen + unmanaged-Tables (z.B. sessions) sind kein Target.
+    if (proj.isImplicit !== true || typeof proj.source !== "string" || !proj.table) continue;
+    const entityName = proj.source;
+
+    const resolved = await resolveRetentionPolicyForTenant({
+      db,
+      registry,
+      tenantId,
+      entityName,
+      tenantPreset,
+    });
+    const policy = resolved.policy;
+    if (!policy) continue;
+
+    const table = proj.table as Record<string, unknown>; // @cast-boundary column-presence probe
+    const declaredReference = policy.reference ?? DEFAULT_REFERENCE_FIELD;
+    const referenceField = FRAMEWORK_REFERENCE_ALIAS[declaredReference] ?? declaredReference;
+
+    if (table[referenceField] === undefined) {
+      skipped.push({ entityName, reason: "missing_reference_column" });
+      continue;
+    }
+
+    const cutoff = computeCutoff(policy.keepFor, now);
+    const where: WhereObject = { [referenceField]: { lt: cutoff } };
+    // Tenant-Scope nur wenn die Tabelle eine tenantId-Spalte hat — identisch zu
+    // soft-delete-cleanup. Ohne diesen Filter wuerde ein Tenant die Rows eines
+    // anderen treffen.
+    if (table["tenantId"] !== undefined) {
+      where["tenantId"] = tenantId;
+    }
+
+    switch (policy.strategy) {
+      case "hardDelete": {
+        const res = await deleteManyBatched(db, proj.table, where, { limit: batchLimit });
+        hardDeleted += res.deleted;
+        break;
+      }
+      case "softDelete": {
+        if (table["isDeleted"] === undefined || table["deletedAt"] === undefined) {
+          skipped.push({ entityName, reason: "missing_softdelete_columns" });
+          break;
+        }
+        const updated = await updateMany(
+          db,
+          proj.table,
+          { isDeleted: true, deletedAt: now },
+          { ...where, isDeleted: false },
+        );
+        softDeleted += updated.length;
+        break;
+      }
+      case "anonymize": {
+        anonymizeDeferred.push(entityName);
+        break;
+      }
+      case "blockDelete": {
+        // skip: Aufbewahrungs-Pflicht — Cleanup ignoriert, user-forget anonymisiert
+        break;
+      }
+    }
+  }
+
+  return { hardDeleted, softDeleted, anonymizeDeferred, skipped };
+}

package/src/legal-pages/__tests__/legal-pages.integration.test.ts

@@ -163,7 +163,7 @@ describe("legal-pages :: edge-cases", () => {
 describe("legal-pages :: cache-control", () => {
   test("sets revalidate cache header + etag", async () => {
     const res = await stack.app.request("/legal/impressum");
-    expect(res.headers.get("cache-control")).toBe("public, max-age=0, must-revalidate");
+    expect(res.headers.get("cache-control")).toBe("public, max-age=60, must-revalidate");
     expect(res.headers.get("etag")).toBeTruthy();
   });
 
@@ -176,6 +176,13 @@ describe("legal-pages :: cache-control", () => {
     });
     expect(second.status).toBe(304);
   });
+
+  test("HEAD → 200 without body, etag present", async () => {
+    const res = await stack.app.request("/legal/impressum", { method: "HEAD" });
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe("");
+    expect(res.headers.get("etag")).toBeTruthy();
+  });
 });
 
 describe("legal-pages :: security headers", () => {

package/src/legal-pages/feature.ts

@@ -2,7 +2,7 @@ import {
   requireTextContent,
   type TextContentApi,
 } from "@cosmicdrift/kumiko-bundled-features/text-content";
-import { computeRevisionEtag } from "@cosmicdrift/kumiko-framework/api";
+import { computeRevisionEtag, etagMatches } from "@cosmicdrift/kumiko-framework/api";
 import {
   defineFeature,
   type FeatureDefinition,
@@ -26,6 +26,11 @@ type ByslugQueryBody = {
   data: { title: string; body: string | null; updatedAt: string } | null;
 };
 
+// Legal-Content ändert sich selten — ein 60s-Shared-Cache-Fenster spart den
+// Origin-Revalidate-Roundtrip (jeder 304 re-runt sonst die Content-Query),
+// ohne dass Edits spürbar stale wirken.
+const PUBLIC_PAGE_CACHE = { kind: "revalidate", maxAgeSeconds: 60 } as const;
+
 // legal-pages — Opt-in-Wrapper um text-content für DACH-Compliance.
 // Liefert vier feste Public-HTML-Routes (/legal/impressum,
 // /legal/datenschutz, /legal/imprint, /legal/privacy) mit
@@ -120,13 +125,20 @@ export function createLegalPagesFeature(opts: LegalPagesOptions = {}): FeatureDe
             route.lang,
             data.updatedAt,
           ]);
-          const notModified = cachedSecurePageResponse(c.req.raw, {
-            body: null,
-            etag,
-            cache: { kind: "revalidate" },
-            extra: { "content-type": "text/html; charset=utf-8" },
-          });
-          if (notModified.status === 304) return notModified;
+          const extra = { "content-type": "text/html; charset=utf-8" };
+          // 304 (Revision unverändert) und HEAD überspringen beide das
+          // Markdown-Rendern — der Body wird ohnehin verworfen.
+          if (
+            etagMatches(c.req.raw.headers.get("if-none-match"), etag) ||
+            c.req.method === "HEAD"
+          ) {
+            return cachedSecurePageResponse(c.req.raw, {
+              body: null,
+              etag,
+              cache: PUBLIC_PAGE_CACHE,
+              extra,
+            });
+          }
 
           const html = wrapLayout({
             title: data.title || route.titleFallback,
@@ -137,8 +149,8 @@ export function createLegalPagesFeature(opts: LegalPagesOptions = {}): FeatureDe
           return cachedSecurePageResponse(c.req.raw, {
             body: html,
             etag,
-            cache: { kind: "revalidate" },
-            extra: { "content-type": "text/html; charset=utf-8" },
+            cache: PUBLIC_PAGE_CACHE,
+            extra,
           });
         },
       });

package/src/mail-foundation/feature.ts

@@ -35,9 +35,10 @@ import type { EmailTransport } from "@cosmicdrift/kumiko-bundled-features/channe
 import { requireDefined } from "@cosmicdrift/kumiko-bundled-features/foundation-shared";
 import {
   access,
+  type ConfigAccessor,
   createTenantConfig,
   defineFeature,
-  type HandlerContext,
+  type Registry,
 } from "@cosmicdrift/kumiko-framework/engine";
 
 const FEATURE_NAME = "mail-foundation";
@@ -46,6 +47,37 @@ const FEATURE_NAME = "mail-foundation";
 // Plugin-Interface — what a Provider-Plugin must implement
 // =============================================================================
 
+/**
+ * Schmaler Surface-Type fuer Transport-Plugins — gespiegelt von
+ * file-foundation's FileProviderContext. HandlerContext ist zu fett
+ * (haelt tx, actor, signal etc.); Plugins beschraenken sich auf die
+ * read-Felder die fuer Tenant-Config + Secret-Lookup noetig sind.
+ *
+ * **Warum nicht voller HandlerContext?** Im Worker-Pfad (r.job-getriggerte
+ * Transport-Builds, z.B. der user-data-rights forget/export-Cron) gibt es
+ * keinen per-request `config`/`tx`/`actor` — der Wrapper baut den per-Tenant-
+ * ConfigAccessor aus `ctx.configResolver`. Ein Plugin das `ctx.tx` oder
+ * andere request-only-Felder liest, wuerde den Worker-Pfad zur Runtime
+ * brechen — und das fiele NUR mit echtem SMTP und nur in production auf.
+ * Cast `ctx as unknown as HandlerContext` macht den Compiler happy, fliegt
+ * aber zur Runtime im Worker. Plugin das mehr braucht: MailTransportContext
+ * explizit erweitern (sichtbarer breaking change) statt ctx-cast.
+ *
+ * **Felder:**
+ *   config   — tenant-config-reads (host/port/from/... der Plugins)
+ *   registry — extension-Lookup in der Factory (nicht plugin-intern)
+ *   secrets  — tenant-secret-reads (smtp.password)
+ *   _userId  — Audit-Identity fuer secret-reads. Handler-Pfad: dispatcher
+ *              setzt Caller-User-ID; Worker-Pfad: r.job-Wrap setzt eine
+ *              System-Identity.
+ */
+export type MailTransportContext = {
+  readonly config?: ConfigAccessor;
+  readonly registry?: Registry;
+  readonly secrets?: import("@cosmicdrift/kumiko-framework/secrets").SecretsContext;
+  readonly _userId?: string | undefined;
+};
+
 /**
  * Mail-Transport-Plugin contract. Each provider-feature (mail-transport-
  * smtp, mail-transport-brevo-api, ...) registers an implementation via
@@ -55,11 +87,20 @@ const FEATURE_NAME = "mail-foundation";
  * (the plugin owns its provider-specific config schema) and constructs
  * an EmailTransport. Per-call construction so a tenant editing config
  * sees the change on the next mail.
+ *
+ * **Plugin-Author-Warnung:** `ctx` ist EXPLIZIT ein MailTransportContext,
+ * nicht ein voller HandlerContext (siehe MailTransportContext-Doc).
  */
 export type MailTransportPlugin = {
-  readonly build: (ctx: HandlerContext, tenantId: string) => Promise<EmailTransport>;
+  readonly build: (ctx: MailTransportContext, tenantId: string) => Promise<EmailTransport>;
 };
 
+// extension-usage `options` is engine-payload (unknown) — structurally validate
+// instead of casting blind. Mirrors file-foundation's isFileProviderPlugin.
+export function isMailTransportPlugin(o: unknown): o is MailTransportPlugin {
+  return typeof o === "object" && o !== null && "build" in o && typeof o.build === "function";
+}
+
 // =============================================================================
 // Feature-definition
 // =============================================================================
@@ -129,7 +170,7 @@ export const mailFoundationFeature = defineFeature(FEATURE_NAME, (r) => {
  *   await transport.send({ to, subject, html });
  */
 export async function createTransportForTenant(
-  ctx: HandlerContext,
+  ctx: MailTransportContext,
   tenantId: string,
   handlerName = "mail-foundation:transport-factory",
 ): Promise<EmailTransport> {
@@ -169,7 +210,11 @@ export async function createTransportForTenant(
     );
   }
 
-  // @cast-boundary engine-payload — extension-usage carries unknown options
-  const plugin = usage.options as MailTransportPlugin;
-  return plugin.build(ctx, tenantId);
+  if (!isMailTransportPlugin(usage.options)) {
+    throw new Error(
+      `${FEATURE_NAME}: provider "${provider}" registered without a build() — ` +
+        `extension options must be a MailTransportPlugin.`,
+    );
+  }
+  return usage.options.build(ctx, tenantId);
 }

package/src/mail-foundation/index.ts

@@ -9,6 +9,8 @@
 
 export {
   createTransportForTenant,
+  isMailTransportPlugin,
+  type MailTransportContext,
   type MailTransportPlugin,
   mailFoundationFeature,
 } from "./feature";

package/src/mail-transport-inmemory/feature.ts

@@ -26,8 +26,11 @@ import type {
   EmailTransport,
 } from "@cosmicdrift/kumiko-bundled-features/channel-email";
 import { createInMemoryTransport } from "@cosmicdrift/kumiko-bundled-features/channel-email";
-import type { MailTransportPlugin } from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
-import { defineFeature, type HandlerContext } from "@cosmicdrift/kumiko-framework/engine";
+import type {
+  MailTransportContext,
+  MailTransportPlugin,
+} from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
+import { defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 
 const FEATURE_NAME = "mail-transport-inmemory";
 
@@ -83,7 +86,7 @@ export const mailTransportInMemoryFeature = defineFeature(FEATURE_NAME, (r) => {
   r.requires("mail-foundation");
 
   const plugin: MailTransportPlugin = {
-    build: async (_ctx: HandlerContext, tenantId: string): Promise<EmailTransport> => {
+    build: async (_ctx: MailTransportContext, tenantId: string): Promise<EmailTransport> => {
       // Returnt den per-tenant Buffer. Identitätsstabil zwischen calls
       // damit die Demo-Inbox accumulated bleibt.
       return getOrCreateTransportForTenant(tenantId);

package/src/mail-transport-smtp/feature.ts

@@ -34,14 +34,12 @@ import {
   requireNonEmpty,
   requireSecretSet,
 } from "@cosmicdrift/kumiko-bundled-features/foundation-shared";
-import type { MailTransportPlugin } from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
+import type {
+  MailTransportContext,
+  MailTransportPlugin,
+} from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
 import { requireSecretsContext } from "@cosmicdrift/kumiko-bundled-features/secrets";
-import {
-  access,
-  createTenantConfig,
-  defineFeature,
-  type HandlerContext,
-} from "@cosmicdrift/kumiko-framework/engine";
+import { access, createTenantConfig, defineFeature } from "@cosmicdrift/kumiko-framework/engine";
 
 const FEATURE_NAME = "mail-transport-smtp";
 
@@ -115,7 +113,7 @@ export const mailTransportSmtpFeature = defineFeature(FEATURE_NAME, (r) => {
   // `entityName` "smtp" is what tenants set in mail-foundation's
   // `provider` config-key to pick this transport.
   const plugin: MailTransportPlugin = {
-    build: async (ctx: HandlerContext, tenantId: string) => buildSmtpTransport(ctx, tenantId), // @wrapper-known semantic-alias
+    build: async (ctx: MailTransportContext, tenantId: string) => buildSmtpTransport(ctx, tenantId), // @wrapper-known semantic-alias
   };
   r.useExtension("mailTransport", "smtp", plugin);
 
@@ -136,7 +134,10 @@ export const SMTP_PASSWORD = mailTransportSmtpFeature.exports.password;
 // Internal: build the EmailTransport from tenant config + secret
 // =============================================================================
 
-async function buildSmtpTransport(ctx: HandlerContext, tenantId: string): Promise<EmailTransport> {
+async function buildSmtpTransport(
+  ctx: MailTransportContext,
+  tenantId: string,
+): Promise<EmailTransport> {
   const ctxConfig = ctx.config;
   if (!ctxConfig) {
     throw new Error(
@@ -185,7 +186,7 @@ async function buildSmtpTransport(ctx: HandlerContext, tenantId: string): Promis
   });
 }
 
-async function readPassword(ctx: HandlerContext, tenantId: string): Promise<string> {
+async function readPassword(ctx: MailTransportContext, tenantId: string): Promise<string> {
   const secrets = requireSecretsContext(ctx, FEATURE_NAME);
   const branded = await secrets.get(tenantId, SMTP_PASSWORD);
   return requireSecretSet(branded, FEATURE_NAME, SMTP_PASSWORD.name).reveal();

package/src/managed-pages/__tests__/managed-pages.integration.test.ts

@@ -145,7 +145,7 @@ describe("managed-pages :: Cache + Security-Header", () => {
   test("Vary: Host + CSP/Hardening-Header + revalidate cache", async () => {
     const res = await stack.app.request("http://a.example.com/p/about");
     expect(res.headers.get("vary")).toBe("Host");
-    expect(res.headers.get("cache-control")).toBe("public, max-age=0, must-revalidate");
+    expect(res.headers.get("cache-control")).toBe("public, max-age=60, must-revalidate");
     expect(res.headers.get("etag")).toBeTruthy();
     expect(res.headers.get("content-security-policy")).toContain("script-src 'none'");
     expect(res.headers.get("x-content-type-options")).toBe("nosniff");

package/src/managed-pages/feature.ts

@@ -1,4 +1,4 @@
-import { computeRevisionEtag } from "@cosmicdrift/kumiko-framework/api";
+import { computeRevisionEtag, etagMatches } from "@cosmicdrift/kumiko-framework/api";
 import {
   defineEntityCreateHandler,
   defineEntityDeleteHandler,
@@ -28,6 +28,11 @@ import { pageEntity } from "./table";
 // Alias (publicstatus = "Admin") müssen TenantAdmin granten/mappen.
 const ADMIN_ACCESS = { roles: ["TenantAdmin", "SystemAdmin"] } as const;
 
+// Published CMS-Content ändert sich selten — ein 60s-Shared-Cache-Fenster
+// spart den Origin-Revalidate-Roundtrip (jeder 304 re-runt sonst Page- +
+// Branding-Query), Edits sind nach spätestens 60s live.
+const PUBLIC_PAGE_CACHE = { kind: "revalidate", maxAgeSeconds: 60 } as const;
+
 // QN-Konstante als dokumentierter Public-Contract — der Render-Pfad ruft
 // die by-slug-Query via internem app.fetch (kein Code-Import des Handlers,
 // symmetrisch zum legal-pages-Muster).
@@ -248,13 +253,16 @@ export function createManagedPagesFeature(opts: ManagedPagesOptions): FeatureDef
           "content-type": "text/html; charset=utf-8",
           vary: "Host",
         } as const;
-        const notModified = cachedSecurePageResponse(c.req.raw, {
-          body: null,
-          etag,
-          cache: { kind: "revalidate" },
-          extra: pageHeaders,
-        });
-        if (notModified.status === 304) return notModified;
+        // 304 (Revision unverändert) und HEAD überspringen beide das
+        // Markdown-Rendern — der Body wird ohnehin verworfen.
+        if (etagMatches(c.req.raw.headers.get("if-none-match"), etag) || c.req.method === "HEAD") {
+          return cachedSecurePageResponse(c.req.raw, {
+            body: null,
+            etag,
+            cache: PUBLIC_PAGE_CACHE,
+            extra: pageHeaders,
+          });
+        }
 
         const html = wrapLayout({
           title: data.title,
@@ -269,7 +277,7 @@ export function createManagedPagesFeature(opts: ManagedPagesOptions): FeatureDef
         return cachedSecurePageResponse(c.req.raw, {
           body: html,
           etag,
-          cache: { kind: "revalidate" },
+          cache: PUBLIC_PAGE_CACHE,
           extra: pageHeaders,
         });
       },

package/src/user-data-rights/__tests__/default-mailers.test.ts

@@ -0,0 +1,135 @@
+// Unit-Tests fuer die Dispatch-Logik der Default-Mailer: rendert das richtige
+// Template + sendet ueber den aufgeloesten Transport an die User-Email. Die
+// echte Job-Lane-Bruecke (configResolver → Transport) wird NICHT hier, sondern
+// in mail-default-bridge.integration.test.ts gegen den echten Cron bewiesen —
+// ein Fake-Resolver wuerde genau diese Naht ueberspringen.
+
+import { describe, expect, test } from "bun:test";
+import type {
+  EmailMessage,
+  EmailTransport,
+} from "@cosmicdrift/kumiko-bundled-features/channel-email";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  makeDefaultDeletionExecutedEmail,
+  makeDefaultExportReadyEmail,
+} from "../lib/default-mailers";
+
+function capturingTransport(): { transport: EmailTransport; sent: EmailMessage[] } {
+  const sent: EmailMessage[] = [];
+  const transport: EmailTransport = {
+    send: async (m) => {
+      sent.push(m);
+    },
+  };
+  return { transport, sent };
+}
+
+const TENANT_A = "00000000-0000-4000-8000-00000000000a" as TenantId;
+
+describe("default-mailers dispatch", () => {
+  test("export-ready: rendert Template + sendet an userEmail ueber tenant-transport", async () => {
+    const cap = capturingTransport();
+    const resolved: string[] = [];
+    // Kein defaults.locale → die per-User-Locale (user.locale="de") muss die
+    // Sprache bestimmen. Das ist der Advisor-Befund: en-Default an de-User.
+    const send = makeDefaultExportReadyEmail(
+      async (tenantId) => {
+        resolved.push(tenantId);
+        return cap.transport;
+      },
+      { appName: "Acme" },
+    );
+
+    await send({
+      userId: "u1",
+      userEmail: "u1@example.com",
+      userLocale: "de",
+      tenantId: TENANT_A,
+      jobId: "j1",
+      downloadUrl: "https://app.test/x?token=tok",
+      expiresAt: "2026-07-01T13:45:00Z",
+      bytesWritten: 1234,
+    });
+
+    expect(resolved).toEqual([TENANT_A]);
+    expect(cap.sent).toHaveLength(1);
+    expect(cap.sent[0]?.to).toBe("u1@example.com");
+    // user.locale="de" → deutsches Subject, obwohl kein defaults.locale gesetzt.
+    expect(cap.sent[0]?.subject).toBe("Acme — Dein Datenexport ist bereit");
+    expect(cap.sent[0]?.html).toContain("https://app.test/x?token=tok");
+  });
+
+  test("locale precedence: user.locale wins, mailDefaults is fallback for unknown", async () => {
+    const cap = capturingTransport();
+    const resolve = async () => cap.transport;
+
+    // null user.locale + defaults.locale "en" → English fallback.
+    await makeDefaultExportReadyEmail(resolve, { locale: "en", appName: "Acme" })({
+      userId: "u1",
+      userEmail: "u1@example.com",
+      userLocale: null,
+      tenantId: TENANT_A,
+      jobId: "j1",
+      downloadUrl: "u",
+      expiresAt: "x",
+      bytesWritten: null,
+    });
+    expect(cap.sent[0]?.subject).toBe("Acme — Your data export is ready");
+
+    // unsupported user.locale "fr" + defaults.locale "de" → falls back to de.
+    await makeDefaultExportReadyEmail(resolve, { locale: "de", appName: "Acme" })({
+      userId: "u2",
+      userEmail: "u2@example.com",
+      userLocale: "fr",
+      tenantId: TENANT_A,
+      jobId: "j2",
+      downloadUrl: "u",
+      expiresAt: "x",
+      bytesWritten: null,
+    });
+    expect(cap.sent[1]?.subject).toBe("Acme — Dein Datenexport ist bereit");
+  });
+
+  test("deletion-executed: sendet ueber den ersten Membership-Tenant", async () => {
+    const cap = capturingTransport();
+    const resolved: string[] = [];
+    const send = makeDefaultDeletionExecutedEmail(async (tenantId) => {
+      resolved.push(tenantId);
+      return cap.transport;
+    });
+
+    await send({
+      userId: "u1",
+      userEmail: "u1@example.com",
+      userLocale: "de",
+      tenantIds: [TENANT_A, "00000000-0000-4000-8000-00000000000b" as TenantId],
+      executedAt: "2026-07-30T09:05:00Z",
+    });
+
+    expect(resolved).toEqual([TENANT_A]);
+    expect(cap.sent).toHaveLength(1);
+    expect(cap.sent[0]?.to).toBe("u1@example.com");
+    expect(cap.sent[0]?.subject).toBe("Konto — Dein Konto wurde geloescht");
+  });
+
+  test("deletion-executed orphan (0 Memberships): kein Transport aufgeloest, keine Mail", async () => {
+    const cap = capturingTransport();
+    let resolverCalled = false;
+    const send = makeDefaultDeletionExecutedEmail(async () => {
+      resolverCalled = true;
+      return cap.transport;
+    });
+
+    await send({
+      userId: "u1",
+      userEmail: "u1@example.com",
+      userLocale: null,
+      tenantIds: [],
+      executedAt: "2026-07-30T09:05:00Z",
+    });
+
+    expect(resolverCalled).toBe(false);
+    expect(cap.sent).toHaveLength(0);
+  });
+});