npm - @cosmicdrift/kumiko-bundled-features - Versions diffs - 0.87.3 → 0.89.0 - Mend

@cosmicdrift/kumiko-bundled-features 0.87.3 → 0.89.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/src/user-data-rights/feature.ts CHANGED Viewed

@@ -8,8 +8,11 @@ import {
 import { PRIVACY_CENTER_SCREEN_ID } from "./constants";
 import { cancelDeletionWrite } from "./handlers/cancel-deletion.write";
 import { createConfirmDeletionByTokenHandler } from "./handlers/confirm-deletion-by-token.write";
+import { downloadAttemptListQuery } from "./handlers/download-attempt-list.query";
 import { downloadByJobQuery } from "./handlers/download-by-job.query";
 import { downloadByTokenQuery } from "./handlers/download-by-token.query";
+import { exportJobDetailQuery } from "./handlers/export-job-detail.query";
+import { exportJobListQuery } from "./handlers/export-job-list.query";
 import { exportStatusQuery } from "./handlers/export-status.query";
 import { liftRestrictionWrite } from "./handlers/lift-restriction.write";
 import { listDownloadAttemptsQuery } from "./handlers/list-download-attempts.query";
@@ -25,6 +28,14 @@ import {
 import { requestExportWrite } from "./handlers/request-export.write";
 import { restrictAccountWrite } from "./handlers/restrict-account.write";
 import { createRunForgetCleanupHandler } from "./handlers/run-forget-cleanup.write";
+import {
+  type GdprMailDefaults,
+  isMailTransportAvailable,
+  makeDefaultDeletionExecutedEmail,
+  makeDefaultExportFailedEmail,
+  makeDefaultExportReadyEmail,
+} from "./lib/default-mailers";
+import { makeTenantMailTransportResolver } from "./lib/mail-transport-resolver";
 import { resolveAppTenantModel } from "./lib/resolve-tenant-model";
 import { makeTenantStorageProviderResolver } from "./lib/storage-provider-resolver";
 import {
@@ -36,6 +47,7 @@ import { runForgetCleanup, type SendDeletionExecutedEmailFn } from "./run-forget
 import { downloadAttemptEntity } from "./schema/download-attempt";
 import { exportDownloadTokenEntity } from "./schema/download-token";
 import { exportJobEntity } from "./schema/export-job";
+import { downloadAttemptListScreen, exportJobDetailScreen, exportJobListScreen } from "./screens";
 // user-data-rights — DSGVO Art. 15 (Auskunft) + Art. 17 (Löschung) +
 // Art. 18 (Restriction) + Art. 20 (Portabilität) als Core-Feature.
@@ -100,11 +112,25 @@ export type UserDataRightsOptions = {
   /** Versand des Verify-Magic-Links (Schritt 1 des anonymen Flows).
    *  Best-effort, app-author-wired. MUSS non-blocking sein (enqueue, z.B.
    *  delivery.notify) — ein synchroner Send reintroduziert ein Timing-Oracle
-   *  für Account-Enumeration (siehe SendDeletionVerificationEmailFn-Doc). */
+   *  für Account-Enumeration (siehe SendDeletionVerificationEmailFn-Doc).
+   *  Bewusst KEINE mail-foundation-Default: ein synchroner Default-Send
+   *  brächte genau dieses Enumeration-Oracle zurück, deshalb app-wired. */
   readonly sendDeletionVerificationEmail?: SendDeletionVerificationEmailFn;
+  /** C6 — Zero-Callback-GDPR-Mails: ist mail-foundation + ein mail-transport-*
+   *  gemountet, versendet user-data-rights die Export-/Loesch-Notifications
+   *  selbst (Export-ready/-failed, Deletion-requested/-executed) ueber die
+   *  Default-Templates (email-templates.ts) — die App schreibt keinen Callback.
+   *  `mailDefaults` brandet diese Default-Mails (Locale + App-Name). Greift NUR
+   *  wenn der jeweilige send*Email-Opt NICHT gesetzt ist; Export-ready braucht
+   *  zusaetzlich appExportDownloadUrl. */
+  readonly mailDefaults?: GdprMailDefaults;
 };
 export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): FeatureDefinition {
+  // One-shot operator warning (the export cron fires every minute — warn once
+  // per process, not every run). Lives in the factory scope so the cron closure
+  // shares it across runs.
+  let warnedMissingExportUrl = false;
   return defineFeature("user-data-rights", (r) => {
     r.describe(
       'Implements GDPR Art. 15 (access / `my-audit-log` query), Art. 17 (erasure / `request-deletion` + `cancel-deletion`, plus the anonymous email-verified `request-deletion-by-email` + `confirm-deletion-by-token` flow for lockout-safe self-service, + cron cleanup with grace period), Art. 18 (restriction / `restrict-account` + `lift-restriction`), and Art. 20 (portability / async `request-export` \u2192 ZIP via `file-foundation`, Magic-Link download) as first-class HTTP handlers and cron jobs. Each domain feature opts in by calling `r.useExtension(EXT_USER_DATA, "<entity>", { export, delete })` \u2014 the feature then orchestrates the export and forget pipelines across all registered hooks automatically. Requires `user`, `data-retention`, `compliance-profiles`, and `sessions`.',
@@ -162,11 +188,12 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
     // S2.U5a — Endpoints fuer DSGVO Art. 17 Forget-Pfad mit Grace.
     r.writeHandler(
-      createRequestDeletionHandler(
-        opts.sendDeletionRequestedEmail
-          ? { sendDeletionRequestedEmail: opts.sendDeletionRequestedEmail }
-          : {},
-      ),
+      createRequestDeletionHandler({
+        ...(opts.sendDeletionRequestedEmail && {
+          sendDeletionRequestedEmail: opts.sendDeletionRequestedEmail,
+        }),
+        ...(opts.mailDefaults && { mailDefaults: opts.mailDefaults }),
+      }),
     );
     r.writeHandler(cancelDeletionWrite);
@@ -222,6 +249,16 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
     r.queryHandler(myAuditLogQuery);
     r.queryHandler(listDownloadAttemptsQuery);
+    // Read-only operator inspector over the GDPR read-models (SystemAdmin).
+    // Convention list/detail handlers so entityList/entityEdit resolve by QN;
+    // the screens stay inert until an app navs them (opt-in at wire time).
+    r.queryHandler(exportJobListQuery);
+    r.queryHandler(exportJobDetailQuery);
+    r.queryHandler(downloadAttemptListQuery);
+    r.screen(exportJobListScreen);
+    r.screen(exportJobDetailScreen);
+    r.screen(downloadAttemptListScreen);
     // Dormant Self-Service-Screen (Art. 15/17/18/20): Export, Aktivitäts-
     // protokoll, Einschränkung, Löschung in einem Screen. Kein r.nav — die
     // App platziert ihn im eingeloggten Bereich. Die React-Component kommt
@@ -289,6 +326,44 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         const exportUserId = ctx._userId ?? SYSTEM_USER_ID;
         const exportDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
         const exportRegistry = ctx.registry;
+        // C6 — ohne eigene send*Email-Opts aber mit gemountetem mail-transport
+        // versendet der Cron die Export-Notifications selbst (Default-Templates).
+        // Der Resolver baut den per-Tenant-Transport aus configResolver — gleiche
+        // Bruecke wie buildStorageProvider.
+        const exportMailResolver = isMailTransportAvailable(exportRegistry)
+          ? makeTenantMailTransportResolver({
+              registry: exportRegistry,
+              configResolver: ctx.configResolver,
+              secrets: ctx.secrets,
+              db: exportDb,
+              userId: exportUserId,
+              handlerName: "user-data-rights:run-export-jobs",
+            })
+          : undefined;
+        const sendExportReadyEmail =
+          opts.sendExportReadyEmail ??
+          (exportMailResolver && opts.appExportDownloadUrl !== undefined
+            ? makeDefaultExportReadyEmail(exportMailResolver, opts.mailDefaults)
+            : undefined);
+        const sendExportFailedEmail =
+          opts.sendExportFailedEmail ??
+          (exportMailResolver
+            ? makeDefaultExportFailedEmail(exportMailResolver, opts.mailDefaults)
+            : undefined);
+        if (
+          exportMailResolver &&
+          !opts.sendExportReadyEmail &&
+          opts.appExportDownloadUrl === undefined &&
+          !warnedMissingExportUrl
+        ) {
+          warnedMissingExportUrl = true;
+          // biome-ignore lint/suspicious/noConsole: one-shot operator visibility for misconfig
+          console.warn(
+            "[user-data-rights:run-export-jobs] mail transport mounted but appExportDownloadUrl unset — default export-ready emails disabled (export-failed + deletion mails still send)",
+          );
+        }
         await runExportJobs({
           db: exportDb,
           registry: exportRegistry,
@@ -305,15 +380,11 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
             handlerName: "user-data-rights:run-export-jobs",
           }),
           now: T.Now.instant(),
-          // Atom 5 — App-Author-Callbacks fuer Email-Notification.
-          // Optional: wenn nicht gesetzt, kein Email; User pollt
-          // export-status.query + UI-Klick.
-          ...(opts.sendExportReadyEmail && {
-            sendExportReadyEmail: opts.sendExportReadyEmail,
-          }),
-          ...(opts.sendExportFailedEmail && {
-            sendExportFailedEmail: opts.sendExportFailedEmail,
-          }),
+          // App-Author-Callbacks haben Vorrang; sonst greift die mail-foundation-
+          // Default oben. Beide optional: ohne mail-transport + ohne Callback
+          // bleibt es bei Polling via export-status.query.
+          ...(sendExportReadyEmail && { sendExportReadyEmail }),
+          ...(sendExportFailedEmail && { sendExportFailedEmail }),
           ...(opts.appExportDownloadUrl !== undefined && {
             appExportDownloadUrl: opts.appExportDownloadUrl,
           }),
@@ -338,30 +409,48 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         const T = (await import("@cosmicdrift/kumiko-framework/time")).getTemporal();
         const forgetUserId = ctx._userId ?? SYSTEM_USER_ID;
         const forgetDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
+        const forgetRegistry = ctx.registry;
         const tenantModel = await resolveAppTenantModel({
-          registry: ctx.registry,
+          registry: forgetRegistry,
           configResolver: ctx.configResolver,
           db: forgetDb,
           userId: forgetUserId,
         });
+        // C6 — Default-Mail beim delete-flip wenn kein Callback gesetzt + ein
+        // mail-transport gemountet ist (gleiche per-Tenant-Bruecke wie Export).
+        const forgetMailResolver = isMailTransportAvailable(forgetRegistry)
+          ? makeTenantMailTransportResolver({
+              registry: forgetRegistry,
+              configResolver: ctx.configResolver,
+              secrets: ctx.secrets,
+              db: forgetDb,
+              userId: forgetUserId,
+              handlerName: "user-data-rights:run-forget-cleanup",
+            })
+          : undefined;
+        const sendDeletionExecutedEmail =
+          opts.sendDeletionExecutedEmail ??
+          (forgetMailResolver
+            ? makeDefaultDeletionExecutedEmail(forgetMailResolver, opts.mailDefaults)
+            : undefined);
         await runForgetCleanup({
           db: forgetDb,
-          registry: ctx.registry,
+          registry: forgetRegistry,
           now: T.Now.instant(),
           tenantModel,
           // Same per-tenant provider resolution as the export cron — forget
           // deletes binaries from the store upload + export use.
           buildStorageProvider: makeTenantStorageProviderResolver({
-            registry: ctx.registry,
+            registry: forgetRegistry,
             configResolver: ctx.configResolver,
             secrets: ctx.secrets,
             db: forgetDb,
             userId: forgetUserId,
             handlerName: "user-data-rights:run-forget-cleanup",
           }),
-          ...(opts.sendDeletionExecutedEmail && {
-            sendDeletionExecutedEmail: opts.sendDeletionExecutedEmail,
-          }),
+          ...(sendDeletionExecutedEmail && { sendDeletionExecutedEmail }),
         });
       },
     );

package/src/user-data-rights/handlers/deletion-grace-period.ts CHANGED Viewed

@@ -9,7 +9,12 @@ import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 export type StartGracePeriodResult =
-  | { readonly ok: true; readonly gracePeriodEnd: Instant; readonly userEmail: string }
+  | {
+      readonly ok: true;
+      readonly gracePeriodEnd: Instant;
+      readonly userEmail: string;
+      readonly userLocale: string | null;
+    }
   | { readonly ok: false; readonly error: UnprocessableError };
 // Flippt einen aktiven User auf DeletionRequested + setzt gracePeriodEnd aus
@@ -26,9 +31,11 @@ export async function startDeletionGracePeriod(
   userId: string,
   complianceTenantId: string,
 ): Promise<StartGracePeriodResult> {
-  const userRow = await fetchOne<{ status: string; email: string }>(ctx.db.raw, userTable, {
-    id: userId,
-  });
+  const userRow = await fetchOne<{ status: string; email: string; locale: string | null }>(
+    ctx.db.raw,
+    userTable,
+    { id: userId },
+  );
   if (!userRow) {
     return {
       ok: false,
@@ -63,5 +70,10 @@ export async function startDeletionGracePeriod(
     gracePeriodEnd,
   });
-  return { ok: true, gracePeriodEnd, userEmail: userRow["email"] ?? "" };
+  return {
+    ok: true,
+    gracePeriodEnd,
+    userEmail: userRow["email"] ?? "",
+    userLocale: userRow["locale"] ?? null,
+  };
 }

package/src/user-data-rights/handlers/download-attempt-list.query.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { access, defineEntityListHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { downloadAttemptEntity } from "../schema/download-attempt";
+// SystemAdmin operator view of invalid download attempts (DPO brute-force
+// triage). A bespoke list-download-attempts query already exists but sits on a
+// non-convention QN; entityList needs the convention `download-attempt:list`.
+export const downloadAttemptListQuery = defineEntityListHandler(
+  "download-attempt",
+  downloadAttemptEntity,
+  { access: { roles: access.systemAdmin } },
+);

package/src/user-data-rights/handlers/export-job-detail.query.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { access, defineEntityDetailHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { exportJobEntity } from "../schema/export-job";
+// Detail fetch backing the read-only export-job inspector screen.
+export const exportJobDetailQuery = defineEntityDetailHandler("export-job", exportJobEntity, {
+  access: { roles: access.systemAdmin },
+});

package/src/user-data-rights/handlers/export-job-list.query.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { access, defineEntityListHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { exportJobEntity } from "../schema/export-job";
+// SystemAdmin operator view of GDPR Art. 20 export jobs. Read-only inspector —
+// rows are created by the user's request-export flow, never through this handler.
+export const exportJobListQuery = defineEntityListHandler("export-job", exportJobEntity, {
+  access: { roles: access.systemAdmin },
+});

package/src/user-data-rights/handlers/request-deletion.write.ts CHANGED Viewed

@@ -1,7 +1,13 @@
+import { createTransportForTenant } from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
 import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
 import { writeFailure } from "@cosmicdrift/kumiko-framework/errors";
 import { z } from "zod";
 import { USER_STATUS } from "../../user";
+import {
+  type GdprMailDefaults,
+  isMailTransportAvailable,
+  makeDefaultDeletionRequestedEmail,
+} from "../lib/default-mailers";
 import { startDeletionGracePeriod } from "./deletion-grace-period";
 // Atom 5b — Email-Notification beim deletion-requested-flip. Pattern:
@@ -14,12 +20,18 @@ import { startDeletionGracePeriod } from "./deletion-grace-period";
 export type SendDeletionRequestedEmailFn = (args: {
   readonly userId: string;
   readonly userEmail: string;
+  /** Stored user.locale (free-form) — lets the default mailer render in the
+   *  recipient's language. */
+  readonly userLocale: string | null;
   readonly tenantId: string;
   readonly gracePeriodEnd: string;
 }) => Promise<void>;
 export type RequestDeletionOptions = {
   readonly sendDeletionRequestedEmail?: SendDeletionRequestedEmailFn;
+  /** Branding fuer die Default-Mail wenn kein sendDeletionRequestedEmail
+   *  gesetzt ist + mail-foundation gemountet ist. */
+  readonly mailDefaults?: GdprMailDefaults;
 };
 // POST /api/user/request-deletion (S2.U5a) — DSGVO Art. 17 Forget-Antrag.
@@ -35,15 +47,29 @@ export function createRequestDeletionHandler(opts: RequestDeletionOptions = {})
     handler: async (event, ctx) => {
       const res = await startDeletionGracePeriod(ctx, event.user.id, event.user.tenantId);
       if (!res.ok) return writeFailure(res.error);
-      const { gracePeriodEnd, userEmail } = res;
+      const { gracePeriodEnd, userEmail, userLocale } = res;
+      // App-Callback hat Vorrang; sonst greift die mail-foundation-Default-Mail
+      // (Request-Lane → ctx.config vorhanden, createTransportForTenant direkt).
+      // Ohne gemounteten mail-transport bleibt send undefined → keine Mail.
+      const send =
+        opts.sendDeletionRequestedEmail ??
+        (isMailTransportAvailable(ctx.registry)
+          ? makeDefaultDeletionRequestedEmail(
+              (tenantId) =>
+                createTransportForTenant(ctx, tenantId, "user-data-rights:request-deletion"),
+              opts.mailDefaults,
+            )
+          : undefined);
       // Best-effort Email-Notification. Send-Failure darf das Write nicht
       // killen — siehe Type-Doc oben.
-      if (opts.sendDeletionRequestedEmail && userEmail.length > 0) {
+      if (send && userEmail.length > 0) {
         try {
-          await opts.sendDeletionRequestedEmail({
+          await send({
             userId: event.user.id,
             userEmail,
+            userLocale,
             tenantId: event.user.tenantId,
             gracePeriodEnd: gracePeriodEnd.toString(),
           });

package/src/user-data-rights/lib/default-mailers.ts ADDED Viewed

@@ -0,0 +1,116 @@
+// Default send*Email-Callbacks fuer die GDPR-Notifications, backed by einem
+// mail-transport (mail-foundation). Damit muss eine App keinen Callback-Code
+// schreiben: sie mountet mail-foundation + einen mail-transport-* und setzt
+// fuer Export-Mails appExportDownloadUrl — fertig. Uebergibt sie eigene
+// send*Email-Opts, greifen diese Defaults nicht (Opt-Override im feature.ts).
+//
+// Jeder Callback rendert das Template (email-templates.ts) und versendet ueber
+// den per-Tenant aufgeloesten EmailTransport. `resolveTransport` kommt im Job-
+// Lane aus makeTenantMailTransportResolver, im Request-Lane direkt aus
+// createTransportForTenant(ctx, ...).
+import type { EmailTransport } from "@cosmicdrift/kumiko-bundled-features/channel-email";
+import type { Registry } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  type GdprMailLocale,
+  normalizeGdprMailLocale,
+  renderDeletionExecutedEmail,
+  renderDeletionRequestedEmail,
+  renderExportFailedEmail,
+  renderExportReadyEmail,
+} from "../email-templates";
+import type { SendDeletionRequestedEmailFn } from "../handlers/request-deletion.write";
+import type { SendExportFailedEmailFn, SendExportReadyEmailFn } from "../run-export-jobs";
+import type { SendDeletionExecutedEmailFn } from "../run-forget-cleanup";
+export type GdprMailDefaults = {
+  readonly locale?: GdprMailLocale;
+  readonly appName?: string;
+};
+// mail-foundation ist eine Soft-Dep von user-data-rights. Die Default-Mailer
+// greifen nur wenn mindestens ein mail-transport-* registriert ist — sonst
+// kann ohnehin nichts versendet werden und die App bleibt beim bisherigen
+// "kein Callback → keine Email"-Verhalten.
+export function isMailTransportAvailable(registry: Registry): boolean {
+  return registry.getExtensionUsages("mailTransport").length > 0;
+}
+type TransportResolver = (tenantId: string) => Promise<EmailTransport>;
+// Per-recipient locale wins (user.locale); mailDefaults.locale is the fallback
+// for unknown/unsupported user.locale values; the template itself defaults to en.
+function localeFor(
+  userLocale: string | null,
+  defaults: GdprMailDefaults,
+): GdprMailLocale | undefined {
+  return normalizeGdprMailLocale(userLocale) ?? defaults.locale;
+}
+export function makeDefaultExportReadyEmail(
+  resolveTransport: TransportResolver,
+  defaults: GdprMailDefaults = {},
+): SendExportReadyEmailFn {
+  return async (args) => {
+    const transport = await resolveTransport(args.tenantId);
+    const { subject, html } = renderExportReadyEmail({
+      downloadUrl: args.downloadUrl,
+      expiresAt: args.expiresAt,
+      locale: localeFor(args.userLocale, defaults),
+      appName: defaults.appName,
+    });
+    await transport.send({ to: args.userEmail, subject, html });
+  };
+}
+export function makeDefaultExportFailedEmail(
+  resolveTransport: TransportResolver,
+  defaults: GdprMailDefaults = {},
+): SendExportFailedEmailFn {
+  return async (args) => {
+    const transport = await resolveTransport(args.tenantId);
+    const { subject, html } = renderExportFailedEmail({
+      locale: localeFor(args.userLocale, defaults),
+      appName: defaults.appName,
+    });
+    await transport.send({ to: args.userEmail, subject, html });
+  };
+}
+export function makeDefaultDeletionRequestedEmail(
+  resolveTransport: TransportResolver,
+  defaults: GdprMailDefaults = {},
+): SendDeletionRequestedEmailFn {
+  return async (args) => {
+    const transport = await resolveTransport(args.tenantId);
+    const { subject, html } = renderDeletionRequestedEmail({
+      gracePeriodEnd: args.gracePeriodEnd,
+      locale: localeFor(args.userLocale, defaults),
+      appName: defaults.appName,
+    });
+    await transport.send({ to: args.userEmail, subject, html });
+  };
+}
+export function makeDefaultDeletionExecutedEmail(
+  resolveTransport: TransportResolver,
+  defaults: GdprMailDefaults = {},
+): SendDeletionExecutedEmailFn {
+  return async (args) => {
+    // Der User ist global, der Mail-Transport per-Tenant — wir senden ueber den
+    // Transport des ersten Memberships. Orphan-User (0 Memberships) liefert
+    // keine Tenant-Identitaet → kein Transport aufloesbar, Mail entfaellt.
+    const tenantId = args.tenantIds[0];
+    if (tenantId === undefined) {
+      // skip: orphan user has no tenant whose transport could send the mail
+      return;
+    }
+    const transport = await resolveTransport(tenantId);
+    const { subject, html } = renderDeletionExecutedEmail({
+      executedAt: args.executedAt,
+      locale: localeFor(args.userLocale, defaults),
+      appName: defaults.appName,
+    });
+    await transport.send({ to: args.userEmail, subject, html });
+  };
+}

package/src/user-data-rights/lib/mail-transport-resolver.ts ADDED Viewed

@@ -0,0 +1,50 @@
+// Builds a per-tenant mail-transport resolver from a job/handler context, so
+// the GDPR notification crons reach the SAME mounted mail-foundation transport
+// the request path uses. Mirrors makeTenantStorageProviderResolver — the cron
+// ctx carries `configResolver` (the per-request ConfigAccessor exists only in
+// the HTTP dispatcher), so the resolver builds a per-tenant accessor from it.
+// Without that bridge createTransportForTenant throws "ctx.config is missing"
+// in the worker lane (the prod-bug class the file-provider resolver already fixed).
+import type { EmailTransport } from "@cosmicdrift/kumiko-bundled-features/channel-email";
+import { createTransportForTenant } from "@cosmicdrift/kumiko-bundled-features/mail-foundation";
+import type { DbConnection } from "@cosmicdrift/kumiko-framework/db";
+import type { ConfigResolver, Registry } from "@cosmicdrift/kumiko-framework/engine";
+import type { SecretsContext } from "@cosmicdrift/kumiko-framework/secrets";
+import { createConfigAccessor } from "../../config";
+export interface TenantMailResolverCtx {
+  readonly registry: Registry;
+  // Job-context carries configResolver (per-request ConfigAccessor exists only
+  // in the HTTP dispatcher); the resolver builds a per-tenant accessor from it.
+  // Undefined → the returned resolver throws (callers gate on mail-availability).
+  readonly configResolver: ConfigResolver | undefined;
+  readonly secrets: SecretsContext | undefined;
+  readonly db: DbConnection;
+  readonly userId: string;
+  readonly handlerName: string;
+}
+export function makeTenantMailTransportResolver(
+  ctx: TenantMailResolverCtx,
+): (tenantId: string) => Promise<EmailTransport> {
+  return async (tenantId) => {
+    if (!ctx.configResolver) {
+      throw new Error(
+        `${ctx.handlerName}: ctx.configResolver missing — cannot resolve the mail transport for tenant ${tenantId}`,
+      );
+    }
+    const config = createConfigAccessor(
+      ctx.registry,
+      ctx.configResolver,
+      tenantId as Parameters<typeof createConfigAccessor>[2], // @cast-boundary engine-payload: TenantId brand
+      ctx.userId,
+      ctx.db,
+    );
+    return createTransportForTenant(
+      { config, registry: ctx.registry, secrets: ctx.secrets, _userId: ctx.userId },
+      tenantId,
+      ctx.handlerName,
+    );
+  };
+}

package/src/user-data-rights/run-export-jobs.ts CHANGED Viewed

@@ -110,6 +110,9 @@ export const tokenCrud = createEventStoreExecutor(
 export type SendExportReadyEmailFn = (args: {
   readonly userId: string;
   readonly userEmail: string;
+  /** Stored user.locale (free-form, e.g. "de"/"en"/"de-DE"/null) — lets the
+   *  default mailer render in the recipient's language. */
+  readonly userLocale: string | null;
   readonly tenantId: TenantId;
   readonly jobId: string;
   readonly downloadUrl: string;
@@ -120,6 +123,7 @@ export type SendExportReadyEmailFn = (args: {
 export type SendExportFailedEmailFn = (args: {
   readonly userId: string;
   readonly userEmail: string;
+  readonly userLocale: string | null;
   readonly tenantId: TenantId;
   readonly jobId: string;
   readonly errorMessage: string;
@@ -753,12 +757,17 @@ function countingStream(source: AsyncIterable<Uint8Array>): {
 // (Alice in Tenant A+B) hat trotzdem nur 1 user-Row mit ihrer
 // Heim-Tenant als tenantId. Lookup ohne tenantId-filter findet sie
 // aus jedem Worker-Tenant-Context.
-async function lookupUserEmail(db: DbConnection, userId: string): Promise<string | null> {
+async function lookupUserContact(
+  db: DbConnection,
+  userId: string,
+): Promise<{ email: string; locale: string | null } | null> {
   // @cast-boundary db-row.
   const row = (await fetchOne(db, userTable, { id: userId })) as {
     email: string | null;
+    locale: string | null;
   } | null;
-  return row?.email ?? null;
+  if (!row?.email) return null;
+  return { email: row.email, locale: row.locale ?? null };
 }
 // Atom 5 — Email-Notification beim done-flip. Best-effort:
@@ -776,8 +785,8 @@ async function fireExportReadyCallback(args: {
   readonly appExportDownloadUrl: string | undefined;
   readonly send: SendExportReadyEmailFn;
 }): Promise<void> {
-  const userEmail = await lookupUserEmail(args.db, args.job.userId);
-  if (!userEmail) {
+  const contact = await lookupUserContact(args.db, args.job.userId);
+  if (!contact) {
     // User-Row fehlt (z.B. forget-Pfad mid-export). Skip-Notification mit
     // Operator-Alert via job-run-Log statt Throw — Job bleibt done, User
     // hat ja seinen Token via export-status.query erreichbar (UI-Pfad).
@@ -802,7 +811,8 @@ async function fireExportReadyCallback(args: {
   const downloadUrl = `${baseUrl}?token=${encodeURIComponent(args.plainToken)}`;
   await args.send({
     userId: args.job.userId,
-    userEmail,
+    userEmail: contact.email,
+    userLocale: contact.locale,
     tenantId: args.job.requestedFromTenantId,
     jobId: args.job.id,
     downloadUrl,
@@ -818,8 +828,8 @@ async function fireExportFailedCallback(args: {
   readonly errorMessage: string;
   readonly send: SendExportFailedEmailFn;
 }): Promise<void> {
-  const userEmail = await lookupUserEmail(args.db, args.job.userId);
-  if (!userEmail) {
+  const contact = await lookupUserContact(args.db, args.job.userId);
+  if (!contact) {
     // biome-ignore lint/suspicious/noConsole: operator-visibility
     console.warn(
       `[user-data-rights:run-export-jobs] userId=${args.job.userId} hat kein userEmail — sendExportFailedEmail skipped`,
@@ -829,7 +839,8 @@ async function fireExportFailedCallback(args: {
   }
   await args.send({
     userId: args.job.userId,
-    userEmail,
+    userEmail: contact.email,
+    userLocale: contact.locale,
     tenantId: args.job.requestedFromTenantId,
     jobId: args.job.id,
     errorMessage: args.errorMessage,

package/src/user-data-rights/run-forget-cleanup.ts CHANGED Viewed

@@ -70,6 +70,9 @@ type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 export type SendDeletionExecutedEmailFn = (args: {
   readonly userId: string;
   readonly userEmail: string;
+  /** Stored user.locale (free-form, cached PRE-tx alongside the email) — lets
+   *  the default mailer render in the recipient's language. */
+  readonly userLocale: string | null;
   readonly tenantIds: readonly TenantId[];
   readonly executedAt: string;
 }) => Promise<void>;
@@ -207,6 +210,7 @@ export async function runForgetCleanup(
           await sendDeletionExecutedEmail({
             userId: user.id,
             userEmail: userResult.userEmailBeforeDelete,
+            userLocale: userResult.userLocaleBeforeDelete,
             tenantIds: userResult.tenantIdsBeforeDelete,
             executedAt: now.toString(),
           });
@@ -231,6 +235,8 @@ interface ProcessUserResult {
    *  null wenn user-Row beim Pre-Tx-Lookup nicht (mehr) existiert oder
    *  email leer ist. */
   readonly userEmailBeforeDelete: string | null;
+  /** user.locale VOR Tx gecacht — Default-Mailer rendert in Empfaenger-Sprache. */
+  readonly userLocaleBeforeDelete: string | null;
   /** Tenant-Memberships VOR Tx — Email-Template kann das nutzen. */
   readonly tenantIdsBeforeDelete: readonly TenantId[];
 }
@@ -252,9 +258,12 @@ async function processUser(args: {
   // Nach der Tx ist email = "deleted-{id}@{tenant}.example" oder NULL.
   // Memory-cache laesst Atom-5b-Callback nach success-flip den
   // ORIGINAL-email an App-Author-Callback geben.
-  const userPreTx = await fetchOne<{ email: string | null }>(db, userTable, { id: userId });
+  const userPreTx = await fetchOne<{ email: string | null; locale: string | null }>(db, userTable, {
+    id: userId,
+  });
   const userEmailBeforeDelete =
     userPreTx?.email && userPreTx.email.length > 0 ? userPreTx.email : null;
+  const userLocaleBeforeDelete = userPreTx?.locale ?? null;
   // Memberships fuer diesen User holen — alle Tenants in denen er Mitglied ist.
   const memberships = await selectMany<{ tenantId: TenantId }>(db, tenantMembershipsTable, {
@@ -335,6 +344,7 @@ async function processUser(args: {
     hookCallsAttempted,
     errors,
     userEmailBeforeDelete,
+    userLocaleBeforeDelete,
     tenantIdsBeforeDelete,
   };
 }