@cosmicdrift/kumiko-bundled-features 0.88.0 → 0.90.0

package/src/user-data-rights/__tests__/mail-default-bridge.integration.test.ts

@@ -0,0 +1,154 @@
+// C6 Autonomie-Beweis: mountet user-data-rights OHNE send*Email-Opts +
+// mail-foundation + mail-transport-inmemory, und treibt den ECHTEN
+// registrierten Forget-Cron durch einen echten Job-Kontext — `configResolver`
+// gesetzt (App-Override provider=inmemory), KEIN per-request `config`.
+//
+// Das beweist die kritische Naht: der Cron baut den per-Tenant-Mail-Transport
+// aus `ctx.configResolver` (makeTenantMailTransportResolver). Ein hand-
+// gefuetterter Callback oder Fake-Resolver wuerde genau diese Bruecke
+// ueberspringen (vgl. project_export_cron_config_accessor_fix). Akzeptanz von
+// #624: "App mountet mail-foundation+transport → GDPR-Mails ohne Callback-Code".
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { asRawClient, insertOne } from "@cosmicdrift/kumiko-framework/bun-db";
+import { fileRefsTable } from "@cosmicdrift/kumiko-framework/files";
+import {
+  setupTestStack,
+  type TestStack,
+  unsafeCreateEntityTable,
+  unsafePushTables,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { resetTestTables } from "@cosmicdrift/kumiko-framework/testing";
+import { getTemporal } from "@cosmicdrift/kumiko-framework/time";
+import { createComplianceProfilesFeature } from "../../compliance-profiles";
+import { configValuesTable, createConfigFeature, createConfigResolver } from "../../config";
+import { createDataRetentionFeature, tenantRetentionOverrideEntity } from "../../data-retention";
+import { createFilesFeature } from "../../files";
+import { mailFoundationFeature } from "../../mail-foundation";
+import { clearInbox, getInbox, mailTransportInMemoryFeature } from "../../mail-transport-inmemory";
+import { createSessionsFeature } from "../../sessions";
+import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
+import { createUserDataRightsDefaultsFeature } from "../../user-data-rights-defaults";
+import { createUserDataRightsFeature } from "../feature";
+
+const TENANT_A = "00000000-0000-4000-8000-0000000006a1";
+const TENANT_SYSTEM = "00000000-0000-4000-8000-000000000001";
+const USER_ID = "00000000-0000-4000-8000-0000000006b1";
+const ORIGINAL_EMAIL = "bridge-delete@example.test";
+const FORGET_JOB = "user-data-rights:job:run-forget-cleanup";
+
+// App-weiter Override (wie money-horse's Config-Resolver): provider=inmemory
+// ohne per-Tenant-config-Row. Der Job-Kontext traegt DIESEN resolver, kein config.
+const configResolver = createConfigResolver({
+  appOverrides: new Map([["mail-foundation:config:provider", "inmemory"]]),
+});
+
+let stack: TestStack;
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+const past = (): Instant => getTemporal().Instant.fromEpochMilliseconds(Date.now() - 60_000);
+
+beforeAll(async () => {
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createFilesFeature(),
+      createDataRetentionFeature(),
+      createComplianceProfilesFeature(),
+      createSessionsFeature(),
+      mailFoundationFeature,
+      mailTransportInMemoryFeature,
+      // KEINE send*Email-Opts — die mail-foundation-Defaults muessen greifen.
+      createUserDataRightsFeature(),
+      createUserDataRightsDefaultsFeature(),
+    ],
+  });
+
+  await unsafePushTables(stack.db, { configValuesTable });
+  await unsafeCreateEntityTable(stack.db, userEntity);
+  await unsafeCreateEntityTable(stack.db, tenantRetentionOverrideEntity);
+  await asRawClient(stack.db).unsafe(`
+    CREATE TABLE IF NOT EXISTS read_tenant_memberships (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      tenant_id UUID NOT NULL,
+      user_id TEXT NOT NULL,
+      version INTEGER NOT NULL DEFAULT 0,
+      inserted_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      modified_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+      inserted_by_id TEXT,
+      modified_by_id TEXT,
+      is_deleted BOOLEAN NOT NULL DEFAULT false,
+      deleted_at TIMESTAMPTZ,
+      deleted_by_id TEXT,
+      roles TEXT NOT NULL DEFAULT '[]',
+      UNIQUE(user_id, tenant_id)
+    )
+  `);
+  await unsafePushTables(stack.db, { fileRefsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await resetTestTables(stack.db, [userTable, "read_tenant_memberships", fileRefsTable]);
+  clearInbox(TENANT_A);
+});
+
+describe("C6 default mail bridge :: forget cron sends deletion-executed without app callback", () => {
+  test("registered cron + configResolver(provider=inmemory) → user deleted + mail in inbox", async () => {
+    await insertOne(stack.db, userTable, {
+      id: USER_ID,
+      tenantId: TENANT_SYSTEM,
+      email: ORIGINAL_EMAIL,
+      passwordHash: "hashed",
+      displayName: "Bridge Delete",
+      locale: "de",
+      emailVerified: true,
+      roles: '["Member"]',
+      status: USER_STATUS.DeletionRequested,
+      gracePeriodEnd: past(),
+    });
+    await asRawClient(stack.db).unsafe(
+      `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles) VALUES ($1, $2, '["Member"]')`,
+      [TENANT_A, USER_ID],
+    );
+
+    const job = stack.registry.getJob(FORGET_JOB);
+    expect(job).toBeDefined();
+
+    // EXAKT der prod-Job-Kontext: configResolver gesetzt, config undefined.
+    const jobCtx = { db: stack.db, registry: stack.registry, configResolver };
+    await job?.handler({}, jobCtx as never);
+
+    // Loeschung lief autonom durch.
+    const rows = (await asRawClient(stack.db).unsafe(
+      "SELECT status, email FROM read_users WHERE id = $1",
+      [USER_ID],
+    )) as unknown as { rows?: Array<{ status: string; email: string }> };
+    const userRow = (rows.rows ?? (rows as unknown as Array<{ status: string; email: string }>))[0];
+    expect(userRow?.status).toBe(USER_STATUS.Deleted);
+
+    // Die Default-Mail wurde ueber den aus configResolver gebauten inmemory-
+    // Transport versendet — keine App-seitige Callback-Verdrahtung.
+    const inbox = getInbox(TENANT_A);
+    expect(inbox).toHaveLength(1);
+    expect(inbox[0]?.to).toBe(ORIGINAL_EMAIL);
+    // Der User ist mit locale="de" geseedet → die Default-Mail rendert DEUTSCH
+    // (per-recipient locale, KEIN App-Callback). Vorher rendete sie still en —
+    // der Advisor-Befund, den dieser Assert jetzt einfaengt.
+    expect(inbox[0]?.subject).toContain("Dein Konto wurde geloescht");
+    expect(inbox[0]?.html).toContain("endgueltig");
+  });
+
+  test("no mail transport mounted is NOT this stack — sanity: provider really is inmemory", () => {
+    // Pinnt dass der Stack den inmemory-Transport registriert hat (sonst waere
+    // der obige Beweis vacuously true: ohne mailTransport-Usage greift die
+    // Default gar nicht).
+    expect(stack.registry.getExtensionUsages("mailTransport").map((u) => u.entityName)).toContain(
+      "inmemory",
+    );
+  });
+});

package/src/user-data-rights/__tests__/run-export-jobs-cron-context.integration.test.ts

@@ -28,6 +28,8 @@ import { configValuesTable, createConfigFeature, createConfigResolver } from "..
 import { createDataRetentionFeature } from "../../data-retention";
 import { fileFoundationFeature } from "../../file-foundation";
 import { fileProviderInMemoryFeature } from "../../file-provider-inmemory";
+import { mailFoundationFeature } from "../../mail-foundation";
+import { clearInbox, getInbox, mailTransportInMemoryFeature } from "../../mail-transport-inmemory";
 import { createSessionsFeature } from "../../sessions";
 import { createUserFeature, USER_STATUS, userEntity, userTable } from "../../user";
 import { createUserDataRightsFeature } from "../feature";
@@ -41,9 +43,14 @@ const JOB_QN = "user-data-rights:job:run-export-jobs";
 // App-weiter Override wie money-horse's cashColtConfigResolver — provider=inmemory
 // ohne per-Tenant-config-Row. Der Job-Kontext trägt DIESEN resolver, kein config.
 const configResolver = createConfigResolver({
-  appOverrides: new Map([["file-foundation:config:provider", "inmemory"]]),
+  appOverrides: new Map([
+    ["file-foundation:config:provider", "inmemory"],
+    ["mail-foundation:config:provider", "inmemory"],
+  ]),
 });
 
+const EXPORT_DOWNLOAD_URL = "https://app.test/user-export/by-token";
+
 let stack: TestStack;
 
 beforeAll(async () => {
@@ -55,8 +62,12 @@ beforeAll(async () => {
       createComplianceProfilesFeature(),
       fileFoundationFeature,
       fileProviderInMemoryFeature,
+      mailFoundationFeature,
+      mailTransportInMemoryFeature,
       createSessionsFeature(),
-      createUserDataRightsFeature(),
+      // appExportDownloadUrl set → the default export-ready mail is enabled, so
+      // this also proves the export cron's mail bridge end-to-end (C6).
+      createUserDataRightsFeature({ appExportDownloadUrl: EXPORT_DOWNLOAD_URL }),
     ],
   });
   await createEventsTable(stack.db);
@@ -107,6 +118,7 @@ beforeEach(async () => {
   await raw.unsafe(
     `INSERT INTO read_tenant_memberships (tenant_id, user_id, roles) VALUES ('${TENANT}', '${USER_ID}', '["Member"]')`,
   );
+  clearInbox(TENANT);
 });
 
 // Seedet einen pending Export-Job über den echten request-export-Handler.
@@ -144,5 +156,14 @@ describe("run-export-jobs cron-context", () => {
     expect(row?.errorMessage).toBeNull();
     expect(row?.status).toBe(EXPORT_JOB_STATUS.Done);
     expect(row?.bytesWritten ?? 0).toBeGreaterThan(0);
+
+    // C6 — der echte Export-Cron versendet die Default-Export-ready-Mail ueber
+    // den aus configResolver gebauten inmemory-Transport (kein App-Callback).
+    // user.locale="de" → deutsches Subject; downloadUrl traegt den Magic-Link.
+    const inbox = getInbox(TENANT);
+    expect(inbox).toHaveLength(1);
+    expect(inbox[0]?.to).toBe("export-cron@example.test");
+    expect(inbox[0]?.subject).toContain("Dein Datenexport ist bereit");
+    expect(inbox[0]?.html).toContain(EXPORT_DOWNLOAD_URL);
   });
 });

package/src/user-data-rights/email-templates.ts

@@ -0,0 +1,211 @@
+// Default-HTML-Renderer fuer die GDPR-Notification-Mails (Export-bereit,
+// Export-fehlgeschlagen, Loeschung-angefordert, Loeschung-ausgefuehrt).
+// Damit eine App keine eigenen send*Email-Callbacks schreiben muss: sie
+// mountet mail-foundation + einen mail-transport-* und user-data-rights
+// rendert + versendet ueber diese Templates (siehe lib/default-mailers.ts).
+//
+// Apps die ihr eigenes Branding wollen, uebergeben eigene send*Email-Opts —
+// dann greifen diese Defaults nicht. Pattern + plain-inline-HTML gespiegelt
+// von auth-email-password/email-templates.ts (kein CSS-Framework, kein
+// Bild-Asset; Mail-Clients rendern table-layout + inline-CSS verlaesslich).
+//
+// Locale: de + en. Apps mit anderen Sprachen uebergeben eigene Callbacks.
+
+import { escapeHtml, escapeHtmlAttr } from "@cosmicdrift/kumiko-headless";
+import { Temporal } from "temporal-polyfill";
+
+export type GdprMailLocale = "de" | "en";
+
+// user.locale ist Freitext ("de", "en", "de-DE", "fr", null). Die Templates
+// koennen nur de/en — alles andere (inkl. unbekannte Sprachen) faellt auf
+// undefined zurueck, sodass der Caller auf mailDefaults.locale bzw. "en" geht.
+export function normalizeGdprMailLocale(
+  raw: string | null | undefined,
+): GdprMailLocale | undefined {
+  if (!raw) return undefined;
+  const lower = raw.toLowerCase();
+  if (lower.startsWith("de")) return "de";
+  if (lower.startsWith("en")) return "en";
+  return undefined;
+}
+
+export type RenderedEmail = {
+  readonly subject: string;
+  readonly html: string;
+};
+
+export type RenderExportReadyEmailArgs = {
+  readonly downloadUrl: string;
+  readonly expiresAt: string;
+  readonly locale?: GdprMailLocale;
+  readonly appName?: string;
+};
+
+export type RenderExportFailedEmailArgs = {
+  readonly locale?: GdprMailLocale;
+  readonly appName?: string;
+};
+
+export type RenderDeletionRequestedEmailArgs = {
+  readonly gracePeriodEnd: string;
+  readonly locale?: GdprMailLocale;
+  readonly appName?: string;
+};
+
+export type RenderDeletionExecutedEmailArgs = {
+  readonly executedAt: string;
+  readonly locale?: GdprMailLocale;
+  readonly appName?: string;
+};
+
+const STRINGS = {
+  de: {
+    greeting: "Hallo,",
+    exportReadySubject: (app: string) => `${app} — Dein Datenexport ist bereit`,
+    exportReadyIntro: (app: string) =>
+      `dein angeforderter Datenexport fuer ${app} ist fertig. Lade ihn ueber den folgenden Link herunter:`,
+    exportReadyButton: "Datenexport herunterladen",
+    exportReadyExpiry: (when: string) => `Der Download-Link laeuft am ${when} ab.`,
+    exportFailedSubject: (app: string) => `${app} — Dein Datenexport ist fehlgeschlagen`,
+    exportFailedIntro: (app: string) =>
+      `dein angeforderter Datenexport fuer ${app} konnte leider nicht erstellt werden. Bitte fordere den Export erneut an.`,
+    deletionRequestedSubject: (app: string) => `${app} — Loeschung deines Kontos angefordert`,
+    deletionRequestedIntro: (app: string, when: string) =>
+      `wir haben deinen Antrag zur Loeschung deines ${app}-Kontos erhalten. Dein Konto und die zugehoerigen Daten werden am ${when} endgueltig geloescht.`,
+    deletionRequestedCancel:
+      "Falls du das nicht angefordert hast, melde dich an und brich die Loeschung in den Kontoeinstellungen ab, bevor die Frist ablaeuft.",
+    deletionExecutedSubject: (app: string) => `${app} — Dein Konto wurde geloescht`,
+    deletionExecutedIntro: (app: string, when: string) =>
+      `dein ${app}-Konto und die zugehoerigen personenbezogenen Daten wurden am ${when} geloescht. Diese Aktion ist endgueltig.`,
+    fallbackUrl: "Falls der Button nicht funktioniert, kopiere diesen Link in den Browser:",
+  },
+  en: {
+    greeting: "Hi,",
+    exportReadySubject: (app: string) => `${app} — Your data export is ready`,
+    exportReadyIntro: (app: string) =>
+      `your requested data export for ${app} is ready. Download it using the link below:`,
+    exportReadyButton: "Download data export",
+    exportReadyExpiry: (when: string) => `The download link expires on ${when}.`,
+    exportFailedSubject: (app: string) => `${app} — Your data export failed`,
+    exportFailedIntro: (app: string) =>
+      `your requested data export for ${app} could not be created. Please request the export again.`,
+    deletionRequestedSubject: (app: string) => `${app} — Account deletion requested`,
+    deletionRequestedIntro: (app: string, when: string) =>
+      `we received your request to delete your ${app} account. Your account and associated data will be permanently deleted on ${when}.`,
+    deletionRequestedCancel:
+      "If you didn't request this, sign in and cancel the deletion in your account settings before the deadline.",
+    deletionExecutedSubject: (app: string) => `${app} — Your account has been deleted`,
+    deletionExecutedIntro: (app: string, when: string) =>
+      `your ${app} account and the associated personal data were deleted on ${when}. This action is permanent.`,
+    fallbackUrl: "If the button doesn't work, copy this link into your browser:",
+  },
+} as const;
+
+function appNameFor(args: { locale?: GdprMailLocale; appName?: string }): string {
+  const locale = args.locale ?? "en";
+  return args.appName ?? (locale === "de" ? "Konto" : "Account");
+}
+
+export function renderExportReadyEmail(args: RenderExportReadyEmailArgs): RenderedEmail {
+  const locale = args.locale ?? "en";
+  const app = appNameFor(args);
+  const t = STRINGS[locale];
+  const subject = t.exportReadySubject(app);
+  const body = `
+    <p style="margin: 0 0 16px; font-size: 16px;">${escapeHtml(t.greeting)}</p>
+    <p style="margin: 0 0 24px; font-size: 14px; line-height: 1.5;">${escapeHtml(t.exportReadyIntro(app))}</p>
+    <p style="margin: 0 0 24px;">${renderButton({ url: args.downloadUrl, label: t.exportReadyButton })}</p>
+    <p style="margin: 0 0 8px; font-size: 13px; color: #555;">${escapeHtml(t.exportReadyExpiry(formatTimestamp(args.expiresAt)))}</p>
+    ${renderFallbackUrl({ url: args.downloadUrl, label: t.fallbackUrl })}`;
+  return { subject, html: renderShell({ title: subject, bodyHtml: wrapCell(body) }) };
+}
+
+export function renderExportFailedEmail(args: RenderExportFailedEmailArgs): RenderedEmail {
+  const locale = args.locale ?? "en";
+  const app = appNameFor(args);
+  const t = STRINGS[locale];
+  const subject = t.exportFailedSubject(app);
+  const body = `
+    <p style="margin: 0 0 16px; font-size: 16px;">${escapeHtml(t.greeting)}</p>
+    <p style="margin: 0; font-size: 14px; line-height: 1.5;">${escapeHtml(t.exportFailedIntro(app))}</p>`;
+  return { subject, html: renderShell({ title: subject, bodyHtml: wrapCell(body) }) };
+}
+
+export function renderDeletionRequestedEmail(
+  args: RenderDeletionRequestedEmailArgs,
+): RenderedEmail {
+  const locale = args.locale ?? "en";
+  const app = appNameFor(args);
+  const t = STRINGS[locale];
+  const subject = t.deletionRequestedSubject(app);
+  const body = `
+    <p style="margin: 0 0 16px; font-size: 16px;">${escapeHtml(t.greeting)}</p>
+    <p style="margin: 0 0 16px; font-size: 14px; line-height: 1.5;">${escapeHtml(t.deletionRequestedIntro(app, formatTimestamp(args.gracePeriodEnd)))}</p>
+    <p style="margin: 0; font-size: 13px; color: #555;">${escapeHtml(t.deletionRequestedCancel)}</p>`;
+  return { subject, html: renderShell({ title: subject, bodyHtml: wrapCell(body) }) };
+}
+
+export function renderDeletionExecutedEmail(args: RenderDeletionExecutedEmailArgs): RenderedEmail {
+  const locale = args.locale ?? "en";
+  const app = appNameFor(args);
+  const t = STRINGS[locale];
+  const subject = t.deletionExecutedSubject(app);
+  const body = `
+    <p style="margin: 0 0 16px; font-size: 16px;">${escapeHtml(t.greeting)}</p>
+    <p style="margin: 0; font-size: 14px; line-height: 1.5;">${escapeHtml(t.deletionExecutedIntro(app, formatTimestamp(args.executedAt)))}</p>`;
+  return { subject, html: renderShell({ title: subject, bodyHtml: wrapCell(body) }) };
+}
+
+function wrapCell(bodyHtml: string): string {
+  return `<tr><td>${bodyHtml}</td></tr>`;
+}
+
+// Plain inline-styled HTML — gespiegelt von auth-email-password.
+// guard:dup-ok — Email-HTML (table-layout, inline CSS) ≠ Web-HTML (legal-pages/markdown.ts)
+function renderShell(args: { title: string; bodyHtml: string }): string {
+  return `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${escapeHtml(args.title)}</title>
+  </head>
+  <body style="margin: 0; padding: 0; background: #f7f7f7; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; color: #1a1a1a;">
+    <table width="100%" cellpadding="0" cellspacing="0" style="padding: 24px 0;">
+      <tr>
+        <td align="center">
+          <table width="560" cellpadding="0" cellspacing="0" style="max-width: 560px; background: #ffffff; border-radius: 8px; padding: 32px;">
+            ${args.bodyHtml}
+          </table>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>`;
+}
+
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie auth-email-password, verschiedene Semantik
+function renderButton(args: { url: string; label: string }): string {
+  return `<a href="${escapeHtmlAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
+}
+
+// guard:dup-ok — Email-HTML-Helper; selbe normalisierte AST-Form wie auth-email-password, verschiedene Semantik
+function renderFallbackUrl(args: { url: string; label: string }): string {
+  return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeHtmlAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
+}
+
+// ISO-Timestamp → "2026-05-04 13:45 UTC". Locale-unabhaengig + UTC-Suffix
+// damit der User unabhaengig von seiner Tz sieht wann etwas passiert; bei
+// un-parsbarem Input faellt's auf den raw-string zurueck.
+function formatTimestamp(iso: string): string {
+  try {
+    const z = Temporal.Instant.from(iso).toZonedDateTimeISO("UTC");
+    return `${z.year}-${pad2(z.month)}-${pad2(z.day)} ${pad2(z.hour)}:${pad2(z.minute)} UTC`;
+  } catch {
+    return iso;
+  }
+}
+
+function pad2(n: number): string {
+  return String(n).padStart(2, "0");
+}

package/src/user-data-rights/feature.ts

@@ -28,6 +28,14 @@ import {
 import { requestExportWrite } from "./handlers/request-export.write";
 import { restrictAccountWrite } from "./handlers/restrict-account.write";
 import { createRunForgetCleanupHandler } from "./handlers/run-forget-cleanup.write";
+import {
+  type GdprMailDefaults,
+  isMailTransportAvailable,
+  makeDefaultDeletionExecutedEmail,
+  makeDefaultExportFailedEmail,
+  makeDefaultExportReadyEmail,
+} from "./lib/default-mailers";
+import { makeTenantMailTransportResolver } from "./lib/mail-transport-resolver";
 import { resolveAppTenantModel } from "./lib/resolve-tenant-model";
 import { makeTenantStorageProviderResolver } from "./lib/storage-provider-resolver";
 import {
@@ -104,11 +112,25 @@ export type UserDataRightsOptions = {
   /** Versand des Verify-Magic-Links (Schritt 1 des anonymen Flows).
    *  Best-effort, app-author-wired. MUSS non-blocking sein (enqueue, z.B.
    *  delivery.notify) — ein synchroner Send reintroduziert ein Timing-Oracle
-   *  für Account-Enumeration (siehe SendDeletionVerificationEmailFn-Doc). */
+   *  für Account-Enumeration (siehe SendDeletionVerificationEmailFn-Doc).
+   *  Bewusst KEINE mail-foundation-Default: ein synchroner Default-Send
+   *  brächte genau dieses Enumeration-Oracle zurück, deshalb app-wired. */
   readonly sendDeletionVerificationEmail?: SendDeletionVerificationEmailFn;
+  /** C6 — Zero-Callback-GDPR-Mails: ist mail-foundation + ein mail-transport-*
+   *  gemountet, versendet user-data-rights die Export-/Loesch-Notifications
+   *  selbst (Export-ready/-failed, Deletion-requested/-executed) ueber die
+   *  Default-Templates (email-templates.ts) — die App schreibt keinen Callback.
+   *  `mailDefaults` brandet diese Default-Mails (Locale + App-Name). Greift NUR
+   *  wenn der jeweilige send*Email-Opt NICHT gesetzt ist; Export-ready braucht
+   *  zusaetzlich appExportDownloadUrl. */
+  readonly mailDefaults?: GdprMailDefaults;
 };
 
 export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): FeatureDefinition {
+  // One-shot operator warning (the export cron fires every minute — warn once
+  // per process, not every run). Lives in the factory scope so the cron closure
+  // shares it across runs.
+  let warnedMissingExportUrl = false;
   return defineFeature("user-data-rights", (r) => {
     r.describe(
       'Implements GDPR Art. 15 (access / `my-audit-log` query), Art. 17 (erasure / `request-deletion` + `cancel-deletion`, plus the anonymous email-verified `request-deletion-by-email` + `confirm-deletion-by-token` flow for lockout-safe self-service, + cron cleanup with grace period), Art. 18 (restriction / `restrict-account` + `lift-restriction`), and Art. 20 (portability / async `request-export` \u2192 ZIP via `file-foundation`, Magic-Link download) as first-class HTTP handlers and cron jobs. Each domain feature opts in by calling `r.useExtension(EXT_USER_DATA, "<entity>", { export, delete })` \u2014 the feature then orchestrates the export and forget pipelines across all registered hooks automatically. Requires `user`, `data-retention`, `compliance-profiles`, and `sessions`.',
@@ -166,11 +188,12 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
 
     // S2.U5a — Endpoints fuer DSGVO Art. 17 Forget-Pfad mit Grace.
     r.writeHandler(
-      createRequestDeletionHandler(
-        opts.sendDeletionRequestedEmail
-          ? { sendDeletionRequestedEmail: opts.sendDeletionRequestedEmail }
-          : {},
-      ),
+      createRequestDeletionHandler({
+        ...(opts.sendDeletionRequestedEmail && {
+          sendDeletionRequestedEmail: opts.sendDeletionRequestedEmail,
+        }),
+        ...(opts.mailDefaults && { mailDefaults: opts.mailDefaults }),
+      }),
     );
     r.writeHandler(cancelDeletionWrite);
 
@@ -303,6 +326,44 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         const exportUserId = ctx._userId ?? SYSTEM_USER_ID;
         const exportDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
         const exportRegistry = ctx.registry;
+
+        // C6 — ohne eigene send*Email-Opts aber mit gemountetem mail-transport
+        // versendet der Cron die Export-Notifications selbst (Default-Templates).
+        // Der Resolver baut den per-Tenant-Transport aus configResolver — gleiche
+        // Bruecke wie buildStorageProvider.
+        const exportMailResolver = isMailTransportAvailable(exportRegistry)
+          ? makeTenantMailTransportResolver({
+              registry: exportRegistry,
+              configResolver: ctx.configResolver,
+              secrets: ctx.secrets,
+              db: exportDb,
+              userId: exportUserId,
+              handlerName: "user-data-rights:run-export-jobs",
+            })
+          : undefined;
+        const sendExportReadyEmail =
+          opts.sendExportReadyEmail ??
+          (exportMailResolver && opts.appExportDownloadUrl !== undefined
+            ? makeDefaultExportReadyEmail(exportMailResolver, opts.mailDefaults)
+            : undefined);
+        const sendExportFailedEmail =
+          opts.sendExportFailedEmail ??
+          (exportMailResolver
+            ? makeDefaultExportFailedEmail(exportMailResolver, opts.mailDefaults)
+            : undefined);
+        if (
+          exportMailResolver &&
+          !opts.sendExportReadyEmail &&
+          opts.appExportDownloadUrl === undefined &&
+          !warnedMissingExportUrl
+        ) {
+          warnedMissingExportUrl = true;
+          // biome-ignore lint/suspicious/noConsole: one-shot operator visibility for misconfig
+          console.warn(
+            "[user-data-rights:run-export-jobs] mail transport mounted but appExportDownloadUrl unset — default export-ready emails disabled (export-failed + deletion mails still send)",
+          );
+        }
+
         await runExportJobs({
           db: exportDb,
           registry: exportRegistry,
@@ -319,15 +380,11 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
             handlerName: "user-data-rights:run-export-jobs",
           }),
           now: T.Now.instant(),
-          // Atom 5 — App-Author-Callbacks fuer Email-Notification.
-          // Optional: wenn nicht gesetzt, kein Email; User pollt
-          // export-status.query + UI-Klick.
-          ...(opts.sendExportReadyEmail && {
-            sendExportReadyEmail: opts.sendExportReadyEmail,
-          }),
-          ...(opts.sendExportFailedEmail && {
-            sendExportFailedEmail: opts.sendExportFailedEmail,
-          }),
+          // App-Author-Callbacks haben Vorrang; sonst greift die mail-foundation-
+          // Default oben. Beide optional: ohne mail-transport + ohne Callback
+          // bleibt es bei Polling via export-status.query.
+          ...(sendExportReadyEmail && { sendExportReadyEmail }),
+          ...(sendExportFailedEmail && { sendExportFailedEmail }),
           ...(opts.appExportDownloadUrl !== undefined && {
             appExportDownloadUrl: opts.appExportDownloadUrl,
           }),
@@ -352,30 +409,48 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
         const T = (await import("@cosmicdrift/kumiko-framework/time")).getTemporal();
         const forgetUserId = ctx._userId ?? SYSTEM_USER_ID;
         const forgetDb = ctx.db as import("@cosmicdrift/kumiko-framework/db").DbConnection; // @cast-boundary db-operator
+        const forgetRegistry = ctx.registry;
         const tenantModel = await resolveAppTenantModel({
-          registry: ctx.registry,
+          registry: forgetRegistry,
           configResolver: ctx.configResolver,
           db: forgetDb,
           userId: forgetUserId,
         });
+
+        // C6 — Default-Mail beim delete-flip wenn kein Callback gesetzt + ein
+        // mail-transport gemountet ist (gleiche per-Tenant-Bruecke wie Export).
+        const forgetMailResolver = isMailTransportAvailable(forgetRegistry)
+          ? makeTenantMailTransportResolver({
+              registry: forgetRegistry,
+              configResolver: ctx.configResolver,
+              secrets: ctx.secrets,
+              db: forgetDb,
+              userId: forgetUserId,
+              handlerName: "user-data-rights:run-forget-cleanup",
+            })
+          : undefined;
+        const sendDeletionExecutedEmail =
+          opts.sendDeletionExecutedEmail ??
+          (forgetMailResolver
+            ? makeDefaultDeletionExecutedEmail(forgetMailResolver, opts.mailDefaults)
+            : undefined);
+
         await runForgetCleanup({
           db: forgetDb,
-          registry: ctx.registry,
+          registry: forgetRegistry,
           now: T.Now.instant(),
           tenantModel,
           // Same per-tenant provider resolution as the export cron — forget
           // deletes binaries from the store upload + export use.
           buildStorageProvider: makeTenantStorageProviderResolver({
-            registry: ctx.registry,
+            registry: forgetRegistry,
             configResolver: ctx.configResolver,
             secrets: ctx.secrets,
             db: forgetDb,
             userId: forgetUserId,
             handlerName: "user-data-rights:run-forget-cleanup",
           }),
-          ...(opts.sendDeletionExecutedEmail && {
-            sendDeletionExecutedEmail: opts.sendDeletionExecutedEmail,
-          }),
+          ...(sendDeletionExecutedEmail && { sendDeletionExecutedEmail }),
         });
       },
     );

package/src/user-data-rights/handlers/deletion-grace-period.ts

@@ -9,7 +9,12 @@ import { updateUserLifecycle } from "../lib/update-user-lifecycle";
 type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
 
 export type StartGracePeriodResult =
-  | { readonly ok: true; readonly gracePeriodEnd: Instant; readonly userEmail: string }
+  | {
+      readonly ok: true;
+      readonly gracePeriodEnd: Instant;
+      readonly userEmail: string;
+      readonly userLocale: string | null;
+    }
   | { readonly ok: false; readonly error: UnprocessableError };
 
 // Flippt einen aktiven User auf DeletionRequested + setzt gracePeriodEnd aus
@@ -26,9 +31,11 @@ export async function startDeletionGracePeriod(
   userId: string,
   complianceTenantId: string,
 ): Promise<StartGracePeriodResult> {
-  const userRow = await fetchOne<{ status: string; email: string }>(ctx.db.raw, userTable, {
-    id: userId,
-  });
+  const userRow = await fetchOne<{ status: string; email: string; locale: string | null }>(
+    ctx.db.raw,
+    userTable,
+    { id: userId },
+  );
   if (!userRow) {
     return {
       ok: false,
@@ -63,5 +70,10 @@ export async function startDeletionGracePeriod(
     gracePeriodEnd,
   });
 
-  return { ok: true, gracePeriodEnd, userEmail: userRow["email"] ?? "" };
+  return {
+    ok: true,
+    gracePeriodEnd,
+    userEmail: userRow["email"] ?? "",
+    userLocale: userRow["locale"] ?? null,
+  };
 }