@cosmicdrift/kumiko-bundled-features 0.89.0 → 0.90.2

package/src/folders-user-data/hooks.ts

@@ -0,0 +1,58 @@
+// EXT_USER_DATA hooks for the folder + folder-assignment entities (GDPR Art. 20
+// export / Art. 17 erasure). Lives apart from the folders feature so folders
+// consumers without the user-data-rights pipeline don't pull a hard dependency.
+// Mirrors credit-user-data — standard tenant-scoped pattern, no name-stripping
+// (a folder name is tenant data, not per-user PII).
+
+import { deleteMany, selectMany } from "@cosmicdrift/kumiko-framework/bun-db";
+import {
+  createEntityExecutor,
+  type UserDataDeleteHook,
+  type UserDataExportHook,
+} from "@cosmicdrift/kumiko-framework/engine";
+import { folderAssignmentEntity, folderEntity } from "../folders";
+
+const { table: folderTable } = createEntityExecutor("folder", folderEntity);
+const { table: folderAssignmentTable } = createEntityExecutor(
+  "folder-assignment",
+  folderAssignmentEntity,
+);
+
+// Folders are tenant-scoped (no per-user owner column). Every tenant user reads
+// all tenant folders in-app, so bundling them into the user's export is no new
+// exposure — it gives the data subject the organisation of the loans they work with.
+export const folderExportHook: UserDataExportHook = async (ctx) => {
+  const rows = await selectMany<Record<string, unknown>>(ctx.db, folderTable, {
+    tenantId: ctx.tenantId,
+  });
+  if (rows.length === 0) return null;
+  return { entity: "folder", rows };
+};
+
+export const folderAssignmentExportHook: UserDataExportHook = async (ctx) => {
+  const rows = await selectMany<Record<string, unknown>>(ctx.db, folderAssignmentTable, {
+    tenantId: ctx.tenantId,
+  });
+  if (rows.length === 0) return null;
+  return { entity: "folder-assignment", rows };
+};
+
+// Tenant-scoped erasure is only safe when the tenant is effectively single-user
+// (set by the forget orchestrator from the app's tenantModel + a runtime
+// sole-member check). In a multi-user tenant this stays a no-op: deleting by
+// tenant would destroy co-members' folders. anonymize is also a no-op — folder
+// rows carry no person-link to strip (name is tenant data, not PII), so a
+// retention hold simply keeps them.
+function tenantScopedDelete(table: typeof folderTable): UserDataDeleteHook {
+  return async (ctx, strategy) => {
+    // skip: multi-user tenant — a tenant-wide delete would destroy co-members' folders
+    if (ctx.tenantModel !== "single-user") return;
+    // skip: anonymize is a no-op — folder rows carry no per-user PII to strip
+    if (strategy === "anonymize") return;
+    await deleteMany(ctx.db, table, { tenantId: ctx.tenantId });
+  };
+}
+
+export const folderDeleteHook: UserDataDeleteHook = tenantScopedDelete(folderTable);
+export const folderAssignmentDeleteHook: UserDataDeleteHook =
+  tenantScopedDelete(folderAssignmentTable);

package/src/folders-user-data/index.ts

@@ -0,0 +1,33 @@
+// Provides the EXT_USER_DATA export/delete hooks for the folder + folder-assignment
+// entities as a standalone feature — mount it alongside the folders feature +
+// user-data-rights when an app needs folders in its GDPR export/forget pipeline.
+// Kept separate from the folders feature (which only requires "tenant") so
+// folders stays usable without the user-data-rights stack. Mirrors credit-user-data.
+
+import { defineFeature, EXT_USER_DATA } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  folderAssignmentDeleteHook,
+  folderAssignmentExportHook,
+  folderDeleteHook,
+  folderExportHook,
+} from "./hooks";
+
+export const foldersUserDataFeature = defineFeature("folders-user-data", (r) => {
+  r.describe(
+    "GDPR (Art. 20 export / Art. 17 erasure) coverage for the `folders` feature's `folder` + `folder-assignment` entities. Mounts the EXT_USER_DATA export + delete hooks so a tenant's folder tree and its entity-to-folder assignments are included in the user-data export bundle and erased on a tenant-scoped forget (single-user tenants only; multi-user + anonymize are no-ops since folder rows carry no per-user PII). Kept separate from `folders` so folder consumers without the user-data-rights pipeline don't pull a hard dependency — requires `user-data-rights`, optionalRequires `folders`.",
+  );
+  // user-data-rights ist die harte Abhängigkeit (EXT_USER_DATA-Host). `folders` ist
+  // OPTIONAL: ist es toggleable(default=false) gemountet (z.B. per-Tenant via Tier),
+  // würde ein hartes r.requires eine „effectively disabled"-Boot-Warnung werfen,
+  // obwohl die folder-Entities existieren und die Hooks korrekt greifen.
+  r.requires("user-data-rights");
+  r.optionalRequires("folders");
+  r.useExtension(EXT_USER_DATA, "folder", {
+    export: folderExportHook,
+    delete: folderDeleteHook,
+  });
+  r.useExtension(EXT_USER_DATA, "folder-assignment", {
+    export: folderAssignmentExportHook,
+    delete: folderAssignmentDeleteHook,
+  });
+});

package/src/user-data-rights/feature.ts

@@ -133,7 +133,7 @@ export function createUserDataRightsFeature(opts: UserDataRightsOptions = {}): F
   let warnedMissingExportUrl = false;
   return defineFeature("user-data-rights", (r) => {
     r.describe(
-      'Implements GDPR Art. 15 (access / `my-audit-log` query), Art. 17 (erasure / `request-deletion` + `cancel-deletion`, plus the anonymous email-verified `request-deletion-by-email` + `confirm-deletion-by-token` flow for lockout-safe self-service, + cron cleanup with grace period), Art. 18 (restriction / `restrict-account` + `lift-restriction`), and Art. 20 (portability / async `request-export` \u2192 ZIP via `file-foundation`, Magic-Link download) as first-class HTTP handlers and cron jobs. Each domain feature opts in by calling `r.useExtension(EXT_USER_DATA, "<entity>", { export, delete })` \u2014 the feature then orchestrates the export and forget pipelines across all registered hooks automatically. Requires `user`, `data-retention`, `compliance-profiles`, and `sessions`.',
+      'Implements GDPR Art. 15 (access / `my-audit-log` query), Art. 17 (erasure / `request-deletion` + `cancel-deletion`, plus the anonymous email-verified `request-deletion-by-email` + `confirm-deletion-by-token` flow for lockout-safe self-service, + cron cleanup with grace period), Art. 18 (restriction / `restrict-account` + `lift-restriction`), and Art. 20 (portability / async `request-export` \u2192 ZIP via `file-foundation`, Magic-Link download) as first-class HTTP handlers and cron jobs. Each domain feature opts in by calling `r.useExtension(EXT_USER_DATA, "<entity>", { export, delete })` \u2014 the feature then orchestrates the export and forget pipelines across all registered hooks automatically. When `mail-foundation` and a `mail-transport-*` are mounted, it also sends the four GDPR notifications (export ready/failed, deletion requested/executed) itself with no app callback code, rendered in each recipient’s locale. Requires `user`, `data-retention`, `compliance-profiles`, and `sessions`.',
     );
     r.uiHints({
       displayLabel: "User Data Rights \u00b7 GDPR",