@cosmicdrift/kumiko-framework 0.2.2 → 0.3.0

package/src/compliance/__tests__/profiles.test.ts

@@ -0,0 +1,308 @@
+// Tests fuer Compliance-Profile-Constants + extends-Resolver.
+//
+// Edge-Cases (advisor-pinned 2026-05-06):
+//   1. Default-Fallback bei selection=undefined → minimal-no-region + warning
+//   2. extends-Chain max 1 Level (Cycle-/Tiefe-Schutz)
+//   3. Deep-merge-Semantik beim Override (rekursiv, Top-Level-Replace nicht)
+//   4. Override darf einzelne Felder gezielt setzen ohne Required-Drops
+
+import { describe, expect, test } from "vitest";
+import { complianceProfileOverrideSchema } from "../override-schema";
+import {
+  COMPLIANCE_PROFILES,
+  OVERRIDABLE_PROFILE_KEYS,
+  resolveComplianceProfile,
+  SELECTABLE_PROFILE_KEYS,
+} from "../profiles";
+
+// Identifikations-Keys die ein Override NICHT modifizieren darf — sie
+// definieren die Profile-Identität. Werden vom Drift-Test ausgeschlossen.
+const IDENTIFICATION_KEYS = new Set(["key", "region", "label", "extends"]);
+
+describe("COMPLIANCE_PROFILES — Pre-baked", () => {
+  test("eu-dsgvo hat alle Required-Felder", () => {
+    const p = COMPLIANCE_PROFILES["eu-dsgvo"];
+    expect(p.key).toBe("eu-dsgvo");
+    expect(p.region).toBe("EU");
+    expect(p.userRights.gracePeriod).toEqual({ days: 30 });
+    expect(p.notifications.languages).toContain("de");
+    expect(p.breach.authorityContact).toBe("BlnBDI Berlin");
+    expect(p.tenantDestroyGracePeriod).toEqual({ days: 30 });
+  });
+
+  test("swiss-dsg extends eu-dsgvo — übernimmt Base-Felder", () => {
+    const p = COMPLIANCE_PROFILES["swiss-dsg"];
+    expect(p.key).toBe("swiss-dsg");
+    expect(p.region).toBe("CH");
+    // Override: andere Sprachen + andere Aufsicht
+    expect(p.notifications.languages).toEqual(["de", "fr", "it", "en"]);
+    expect(p.breach.authorityContact).toBe("EDÖB Bern");
+    // Geerbt von eu-dsgvo
+    expect(p.userRights.gracePeriod).toEqual({ days: 30 });
+    expect(p.userRights.restrictionAllowed).toBe(true);
+    expect(p.tenantDestroyGracePeriod).toEqual({ days: 30 });
+  });
+
+  test("de-hr-dsgvo-hgb extends eu-dsgvo — HR-Override greift, Base bleibt", () => {
+    const p = COMPLIANCE_PROFILES["de-hr-dsgvo-hgb"];
+    expect(p.region).toBe("DE");
+    expect(p.userRights.employeeAccessRight).toBe(true);
+    expect(p.breach.worksCouncilNotificationRequired).toBe(true);
+    expect(p.subProcessor.worksCouncilApprovalRequired).toBe(true);
+    expect(p.auditLog.retention).toEqual({ years: 10 });
+    expect(p.tenantDestroyGracePeriod).toEqual({ days: 60 });
+    // Geerbt: portabilityFormat aus eu-dsgvo bleibt
+    expect(p.userRights.portabilityFormat).toEqual(["json"]);
+  });
+
+  test("minimal-no-region ist eigenständig (kein extends)", () => {
+    const p = COMPLIANCE_PROFILES["minimal-no-region"];
+    expect(p.region).toBe("—");
+    expect(p.notifications.mandatoryBreachNotification).toBe(false);
+    expect(p.breach.authorityNotificationDeadline).toBe("manual");
+  });
+});
+
+describe("SELECTABLE_PROFILE_KEYS", () => {
+  test('enthält 3 Profile, ohne "minimal-no-region" (kein Production-Default)', () => {
+    expect(SELECTABLE_PROFILE_KEYS).toEqual(["eu-dsgvo", "swiss-dsg", "de-hr-dsgvo-hgb"]);
+    expect(SELECTABLE_PROFILE_KEYS).not.toContain("minimal-no-region");
+  });
+});
+
+describe("OVERRIDABLE_PROFILE_KEYS — Drift-Guard (S1.8 N2)", () => {
+  // Wenn ein neues Top-Level-Property zu ComplianceProfile kommt
+  // (oder eines wegfaellt), muss OVERRIDABLE_PROFILE_KEYS synchron
+  // gehalten werden — sonst lehnt set-profile valide Overrides ab
+  // ODER akzeptiert ungueltige. Dieser Test detektiert den Drift in
+  // beide Richtungen anhand des voll aufgeloesten eu-dsgvo-Profile.
+  test("Override-Whitelist matched die uebrigen Top-Level-Keys von eu-dsgvo (minus Identifikations-Felder)", () => {
+    const allTopLevelKeys = new Set(Object.keys(COMPLIANCE_PROFILES["eu-dsgvo"]));
+    for (const idKey of IDENTIFICATION_KEYS) {
+      allTopLevelKeys.delete(idKey);
+    }
+    const expected = [...allTopLevelKeys].sort();
+    const actual = [...OVERRIDABLE_PROFILE_KEYS].sort();
+    expect(actual).toEqual(expected);
+  });
+
+  test("Identifikations-Keys (key, region, label, extends) sind NICHT in OVERRIDABLE_PROFILE_KEYS", () => {
+    for (const idKey of IDENTIFICATION_KEYS) {
+      expect(OVERRIDABLE_PROFILE_KEYS.has(idKey)).toBe(false);
+    }
+  });
+});
+
+describe("complianceProfileOverrideSchema — Schema↔Profile-Konsistenz (S1.10 M2)", () => {
+  // Wenn Profile-Type erweitert wird (neues Sub-Property in userRights /
+  // breach / auditLog / etc.) ohne dass override-schema.ts mitgepflegt
+  // wird, fail dieser Test. Prinzip: ein voll aufgelöstes Profile ist
+  // ein triviales valides Override-Object — wenn Schema das ablehnt, ist
+  // entweder Schema oder Profile out of sync.
+  test("Schema akzeptiert ein vollständig aufgelöstes Profile als Override (Drift-Guard)", () => {
+    // Identifikations-Felder rausnehmen weil die nicht override-bar sind.
+    const fullProfile = COMPLIANCE_PROFILES["eu-dsgvo"];
+    const {
+      key: _key,
+      region: _region,
+      label: _label,
+      extends: _extends,
+      ...overridable
+    } = fullProfile;
+
+    const result = complianceProfileOverrideSchema.safeParse(overridable);
+    if (!result.success) {
+      throw new Error(
+        `Schema↔Profile-Drift: vollständig aufgelöstes eu-dsgvo wird vom Override-Schema abgelehnt. ` +
+          `Issue at "${result.error.issues[0]?.path.join(".")}": ${result.error.issues[0]?.message}. ` +
+          "Entweder ComplianceProfile-Type erweitert ohne Schema-Update, oder Schema strikter als Profile-Type.",
+      );
+    }
+    expect(result.success).toBe(true);
+  });
+
+  test("Schema akzeptiert auch swiss-dsg + de-hr-dsgvo-hgb (extends-Profile mit Override-Feldern)", () => {
+    for (const key of ["swiss-dsg", "de-hr-dsgvo-hgb"] as const) {
+      const fullProfile = COMPLIANCE_PROFILES[key];
+      const {
+        key: _key,
+        region: _region,
+        label: _label,
+        extends: _extends,
+        ...overridable
+      } = fullProfile;
+      const result = complianceProfileOverrideSchema.safeParse(overridable);
+      expect(result.success, `Schema lehnt voll aufgelöstes ${key} ab`).toBe(true);
+    }
+  });
+});
+
+describe("resolveComplianceProfile — Default-Fallback", () => {
+  test("selection=undefined → minimal-no-region + warning=no-profile-selected", () => {
+    const result = resolveComplianceProfile({});
+    expect(result.profile.key).toBe("minimal-no-region");
+    expect(result.warning).toBe("no-profile-selected");
+  });
+
+  test("selection=minimal-no-region (DB-Edge-Case) → kein warning, fallback aktiv", () => {
+    // Sprint 1.7 X1: minimal-no-region ist ueber set-profile nicht mehr
+    // setzbar. Wer den State trotzdem in der DB hat (Migration, Direct-
+    // Insert) bekommt das minimal-Profile zurueck — der needs-profile-
+    // Banner-Endpoint markiert ihn separat als "needsSelection=true".
+    // Resolver selber zieht keine warning, weil "explicit selection".
+    const result = resolveComplianceProfile({ selection: "minimal-no-region" });
+    expect(result.profile.key).toBe("minimal-no-region");
+    expect(result.warning).toBeUndefined();
+  });
+
+  test("selection=eu-dsgvo + kein override → keine warning", () => {
+    const result = resolveComplianceProfile({ selection: "eu-dsgvo" });
+    expect(result.profile.key).toBe("eu-dsgvo");
+    expect(result.warning).toBeUndefined();
+  });
+});
+
+describe("resolveComplianceProfile — Override deep-merge", () => {
+  test("Override gracePeriod.days überschreibt rekursiv, andere userRights bleiben", () => {
+    const result = resolveComplianceProfile({
+      selection: "eu-dsgvo",
+      override: {
+        userRights: { gracePeriod: { days: 60 } },
+      },
+    });
+    expect(result.profile.userRights.gracePeriod).toEqual({ days: 60 });
+    // Andere userRights-Felder unverändert
+    expect(result.profile.userRights.restrictionAllowed).toBe(true);
+    expect(result.profile.userRights.objectionAllowed).toBe(true);
+    expect(result.profile.userRights.portabilityFormat).toEqual(["json"]);
+    expect(result.profile.userRights.auskunftFrist).toEqual({ days: 30 });
+  });
+
+  test("Override breach.authorityContact ändert nur diesen einen Pfad", () => {
+    const result = resolveComplianceProfile({
+      selection: "eu-dsgvo",
+      override: {
+        breach: { authorityContact: "Hamburgischer DSB" },
+      },
+    });
+    expect(result.profile.breach.authorityContact).toBe("Hamburgischer DSB");
+    // Rest des breach-Objects unverändert
+    expect(result.profile.breach.authorityNotificationDeadline).toEqual({ hours: 72 });
+    expect(result.profile.breach.userNotificationRequired).toBe("if-high-risk");
+  });
+
+  test("Override mehrerer Top-Level-Pfade gleichzeitig", () => {
+    const result = resolveComplianceProfile({
+      selection: "swiss-dsg",
+      override: {
+        userRights: { gracePeriod: { days: 45 } },
+        tenantDestroyGracePeriod: { days: 90 },
+      },
+    });
+    expect(result.profile.userRights.gracePeriod).toEqual({ days: 45 });
+    expect(result.profile.tenantDestroyGracePeriod).toEqual({ days: 90 });
+    // swiss-dsg extends eu-dsgvo war drin
+    expect(result.profile.region).toBe("CH");
+    expect(result.profile.breach.authorityContact).toBe("EDÖB Bern");
+  });
+
+  test("Atomic path: retention {months} → {years} ersetzt komplett (kein object-merge)", () => {
+    // Bug-Regression: deepMerge auf Diskriminierten-Union-Objects
+    // wuerde sonst { months: 24, years: 10 } produzieren — semantisch
+    // Nonsense, retention ist EINE Wahl.
+    const result = resolveComplianceProfile({
+      selection: "eu-dsgvo",
+      override: {
+        auditLog: { retention: { years: 10 } },
+      },
+    });
+    expect(result.profile.auditLog.retention).toEqual({ years: 10 });
+    // reportFrequency darf NICHT mit ersetzt werden — auditLog ist
+    // nicht atomic, nur retention darunter.
+    expect(result.profile.auditLog.reportFrequency).toBe("quarterly");
+  });
+
+  test("Atomic path: gracePeriod {days} → {hours} ersetzt komplett", () => {
+    const result = resolveComplianceProfile({
+      selection: "eu-dsgvo",
+      override: {
+        userRights: { gracePeriod: { hours: 24 } },
+      },
+    });
+    expect(result.profile.userRights.gracePeriod).toEqual({ hours: 24 });
+    expect(result.profile.userRights.gracePeriod).not.toHaveProperty("days");
+  });
+
+  test("Array-Property im Override ersetzt komplett (Top-Level-Replace, kein concat)", () => {
+    const result = resolveComplianceProfile({
+      selection: "eu-dsgvo",
+      override: {
+        notifications: { languages: ["en"] },
+      },
+    });
+    // Replace, nicht append: ["de", "en"] wird zu ["en"]
+    expect(result.profile.notifications.languages).toEqual(["en"]);
+    // Andere notifications-Felder bleiben
+    expect(result.profile.notifications.mandatoryBreachNotification).toBe(true);
+  });
+});
+
+describe("Profile-Definition-Snapshots — fängt Drift ab", () => {
+  test("eu-dsgvo voll-resolved", () => {
+    expect(COMPLIANCE_PROFILES["eu-dsgvo"]).toMatchInlineSnapshot(`
+      {
+        "auditLog": {
+          "reportFrequency": "quarterly",
+          "retention": {
+            "months": 24,
+          },
+        },
+        "breach": {
+          "authorityContact": "BlnBDI Berlin",
+          "authorityNotificationDeadline": {
+            "hours": 72,
+          },
+          "userNotificationRequired": "if-high-risk",
+        },
+        "forgetDiscovery": {
+          "enabled": false,
+        },
+        "key": "eu-dsgvo",
+        "label": "EU — DSGVO Standard",
+        "notifications": {
+          "languages": [
+            "de",
+            "en",
+          ],
+          "mandatoryBreachNotification": true,
+        },
+        "region": "EU",
+        "subProcessor": {
+          "changeNotificationLeadDays": 30,
+          "consentRequired": false,
+        },
+        "tenantDestroyGracePeriod": {
+          "days": 30,
+        },
+        "userRights": {
+          "auskunftFrist": {
+            "days": 30,
+          },
+          "exportDownloadTtl": {
+            "days": 7,
+          },
+          "exportStaleTimeoutMinutes": 30,
+          "exportStorageCleanupGraceHours": 24,
+          "gracePeriod": {
+            "days": 30,
+          },
+          "objectionAllowed": true,
+          "portabilityFormat": [
+            "json",
+          ],
+          "restrictionAllowed": true,
+        },
+      }
+    `);
+  });
+});

package/src/compliance/__tests__/sub-processors.test.ts

@@ -0,0 +1,139 @@
+// Snapshot-Tests fuer KUMIKO_SUB_PROCESSORS. Fangen still-Drift ab —
+// jede Aenderung an der Liste muss bewusst durch ein Snapshot-Update
+// gehen, damit niemand versehentlich einen Sub-Processor entfernt
+// oder hinzufuegt ohne dass die DPA/Tenant-Notification-Pipeline das
+// mitbekommt.
+
+import { describe, expect, test } from "vitest";
+import {
+  getActiveSubProcessors,
+  getPlannedSubProcessors,
+  KUMIKO_SUB_PROCESSORS,
+} from "../sub-processors";
+
+describe("KUMIKO_SUB_PROCESSORS", () => {
+  test("Liste ist nicht leer (Plattform hat mindestens Hetzner+Cloudflare)", () => {
+    expect(KUMIKO_SUB_PROCESSORS.length).toBeGreaterThan(0);
+  });
+
+  test("Alle Eintraege haben Pflicht-Felder (name, purpose, region, dpa, addedAt, appliesTo)", () => {
+    for (const sp of KUMIKO_SUB_PROCESSORS) {
+      expect(sp.name).toBeTruthy();
+      expect(sp.purpose).toBeTruthy();
+      expect(sp.region).toBeTruthy();
+      expect(sp.dpa).toMatch(/^https?:\/\//);
+      expect(sp.addedAt).toMatch(/^\d{4}-\d{2}-\d{2}$/);
+      expect(sp.appliesTo.length).toBeGreaterThan(0);
+    }
+  });
+
+  test("US-Sub-Processors haben sccRequired: true (DSGVO Art. 44+ Drittland)", () => {
+    const usProcessors = KUMIKO_SUB_PROCESSORS.filter(
+      (sp) => sp.region.includes("US") && !sp.region.startsWith("EU"),
+    );
+    for (const sp of usProcessors) {
+      expect(
+        sp.sccRequired,
+        `Sub-Processor "${sp.name}" with US-region should have sccRequired: true`,
+      ).toBe(true);
+    }
+  });
+
+  test("Snapshot — explizit zu updaten bei jeder Liste-Aenderung", () => {
+    const summary = KUMIKO_SUB_PROCESSORS.map((sp) => ({
+      name: sp.name,
+      region: sp.region,
+      status: sp.status ?? "active",
+      appliesTo: sp.appliesTo,
+      sccRequired: sp.sccRequired ?? false,
+      optInOnly: sp.optInOnly ?? false,
+    }));
+    expect(summary).toMatchInlineSnapshot(`
+      [
+        {
+          "appliesTo": [
+            "all-tiers",
+          ],
+          "name": "Hetzner Online GmbH",
+          "optInOnly": false,
+          "region": "EU (Germany)",
+          "sccRequired": false,
+          "status": "active",
+        },
+        {
+          "appliesTo": [
+            "all-tiers",
+          ],
+          "name": "Cloudflare, Inc.",
+          "optInOnly": false,
+          "region": "Global (US-headquartered)",
+          "sccRequired": true,
+          "status": "active",
+        },
+        {
+          "appliesTo": [
+            "standard",
+            "business",
+            "enterprise",
+          ],
+          "name": "Sendinblue SAS (Brevo)",
+          "optInOnly": false,
+          "region": "EU (France)",
+          "sccRequired": false,
+          "status": "active",
+        },
+        {
+          "appliesTo": [
+            "all-tiers",
+          ],
+          "name": "Heinlein Hosting (Mailbox.org)",
+          "optInOnly": false,
+          "region": "EU (Germany)",
+          "sccRequired": false,
+          "status": "active",
+        },
+        {
+          "appliesTo": [
+            "business",
+            "enterprise",
+          ],
+          "name": "Anthropic PBC",
+          "optInOnly": true,
+          "region": "US",
+          "sccRequired": true,
+          "status": "planned",
+        },
+        {
+          "appliesTo": [
+            "all-tiers",
+          ],
+          "name": "Stripe, Inc.",
+          "optInOnly": false,
+          "region": "Global (US-headquartered)",
+          "sccRequired": true,
+          "status": "planned",
+        },
+      ]
+    `);
+  });
+});
+
+describe("getActiveSubProcessors / getPlannedSubProcessors", () => {
+  test("active + planned partitionieren die Gesamt-Liste vollstaendig", () => {
+    const active = getActiveSubProcessors();
+    const planned = getPlannedSubProcessors();
+    expect(active.length + planned.length).toBe(KUMIKO_SUB_PROCESSORS.length);
+  });
+
+  test("kein Sub-Processor in active hat status=planned", () => {
+    for (const sp of getActiveSubProcessors()) {
+      expect(sp.status).not.toBe("planned");
+    }
+  });
+
+  test("alle planned-Eintraege haben status=planned", () => {
+    for (const sp of getPlannedSubProcessors()) {
+      expect(sp.status).toBe("planned");
+    }
+  });
+});

package/src/compliance/duration-spec.ts

@@ -0,0 +1,44 @@
+// DurationSpec ↔ SQL-Interval ↔ Temporal.Duration converter.
+//
+// Hintergrund: ComplianceProfile.userRights.gracePeriod ist
+// `{ days: number } | { hours: number }` (Discriminated Union). Caller
+// die das in eine Postgres-`interval`-SQL einsetzen brauchen einen
+// einzigen vertrauenswuerdigen Punkt, sonst springt ein
+// `{ hours: 6 }`-Override stillschweigend auf einen days-Default.
+//
+// Single source of truth: hier. Andere Spec-Forms (months/years) im
+// retention-Pfad gehen ueber den breiteren `keep-for`-Parser, sind hier
+// bewusst nicht abgedeckt — das engt den Type ein und macht die SQL-
+// Renderung total.
+
+import { getTemporal } from "../time";
+import type { DurationSpec } from "./profiles";
+
+type Instant = InstanceType<ReturnType<typeof getTemporal>["Instant"]>;
+
+// Spec in Millisekunden. Source of truth fuer alle Konvertierungen
+// (Instant-add, optional fuer JS-Datumsrechnung).
+export function durationSpecToMs(spec: DurationSpec): number {
+  if ("days" in spec) return spec.days * 24 * 60 * 60 * 1000;
+  return spec.hours * 60 * 60 * 1000;
+}
+
+// Frist berechnen ohne DB-now() — der App-Server-Clock ist
+// authoritative. Fuer Forget-Grace, Token-TTLs und Frist-Setzungen
+// where eine Toleranz von wenigen ms zwischen App und DB irrelevant
+// ist (Grace-Periods >= 6h, Tokens >= Minuten).
+//
+// Schreibt direkt in `instant()`-customType-Spalten — kein interval-
+// SQL-Fragment, kein Codec-Bypass.
+export function addDurationSpec(now: Instant, spec: DurationSpec): Instant {
+  return getTemporal().Instant.fromEpochMilliseconds(
+    now.epochMilliseconds + durationSpecToMs(spec),
+  );
+}
+
+// Lesbare Beschreibung fuer Logs / Error-Messages. Nicht i18n —
+// English-only-Operator-Output.
+export function describeDurationSpec(spec: DurationSpec): string {
+  if ("days" in spec) return `${spec.days} day${spec.days === 1 ? "" : "s"}`;
+  return `${spec.hours} hour${spec.hours === 1 ? "" : "s"}`;
+}

package/src/compliance/index.ts

@@ -0,0 +1,31 @@
+// `@cosmicdrift/kumiko-framework/compliance` — Datenschutz/Compliance-
+// Foundation. Wird von Sprint-1+ Features genutzt (compliance-profiles,
+// data-retention, user-data-rights, ...).
+
+export {
+  addDurationSpec,
+  describeDurationSpec,
+  durationSpecToMs,
+} from "./duration-spec";
+export { complianceProfileOverrideSchema } from "./override-schema";
+export type {
+  AuthorityNotificationDeadline,
+  ComplianceProfile,
+  ComplianceProfileKey,
+  ComplianceProfileOverride,
+  DurationSpec,
+  EffectiveComplianceProfile,
+  UserNotificationRequiredPolicy,
+} from "./profiles";
+export {
+  COMPLIANCE_PROFILES,
+  OVERRIDABLE_PROFILE_KEYS,
+  resolveComplianceProfile,
+  SELECTABLE_PROFILE_KEYS,
+} from "./profiles";
+export type { BundleTier, SubProcessor } from "./sub-processors";
+export {
+  getActiveSubProcessors,
+  getPlannedSubProcessors,
+  KUMIKO_SUB_PROCESSORS,
+} from "./sub-processors";

package/src/compliance/override-schema.ts

@@ -0,0 +1,136 @@
+// Zod-Schema fuer ComplianceProfileOverride mit .strict() rekursiv —
+// Sprint 1.9 Z3.
+//
+// Vorher: set-profile.write.ts pruefte nur Top-Level-Keys gegen
+// OVERRIDABLE_PROFILE_KEYS. Sub-Level-Tippfehler (z.B.
+// `{ userRights: { weeks: 3 } }` statt `{ userRights: { gracePeriod: { days: 30 } } }`)
+// kamen durch — der deepMerge spliced das nonsense ins effektive
+// Profile, und ein Caller der `userRights.gracePeriod.days` liest
+// crashed mit `undefined`.
+//
+// Lösung: Zod-Schema das die ComplianceProfile-Struktur in DeepPartial-
+// Form abbildet, mit .strict() auf jedem Object damit unbekannte Keys
+// werfen. Single source of truth wie OVERRIDABLE_PROFILE_KEYS, plus
+// Sub-Level-Coverage.
+//
+// Identifikations-Felder (key, region, label, extends) sind NICHT im
+// Schema — wer die overriden will, würde die Profile-Identitaet
+// zerstören.
+
+import { z } from "zod";
+
+// DurationSpec: { days } | { hours } — strict bedeutet beide Forms
+// muessen exakt 1 property haben (kein "{ days: 30, hours: 1 }").
+const durationSpecSchema = z.union([
+  z.object({ days: z.number().int().nonnegative() }).strict(),
+  z.object({ hours: z.number().int().nonnegative() }).strict(),
+]);
+
+// retention.* erlaubt zusaetzlich "months" und "years". Wieder eine
+// strikte Disjunktion.
+const auditRetentionSchema = z.union([
+  durationSpecSchema,
+  z.object({ months: z.number().int().nonnegative() }).strict(),
+  z.object({ years: z.number().int().nonnegative() }).strict(),
+]);
+
+const authorityNotificationDeadlineSchema = z.union([
+  durationSpecSchema,
+  z.literal("as-soon-as-feasible"),
+  z.literal("in-most-expedient-time"),
+  z.literal("manual"),
+]);
+
+const userNotificationRequiredSchema = z.union([
+  z.literal("if-high-risk"),
+  z.literal("if-real-risk-of-significant-harm"),
+  z.literal("if-serious-risk-of-injury"),
+  z.literal("always-if-encrypted-data-or-pii"),
+  z.literal("always-without-undue-delay"),
+  z.literal("manual"),
+]);
+
+const userRightsOverrideSchema = z
+  .object({
+    gracePeriod: durationSpecSchema.optional(),
+    restrictionAllowed: z.boolean().optional(),
+    objectionAllowed: z.boolean().optional(),
+    portabilityFormat: z.array(z.string()).optional(),
+    auskunftFrist: durationSpecSchema.optional(),
+    employeeAccessRight: z.boolean().optional(),
+    explicitConsentForAutomatedDecision: z.boolean().optional(),
+    doNotSellRequired: z.boolean().optional(),
+    // Async-Export-Pipeline (S2.U3+U4) — TTL Compliance-relevant,
+    // Stale/Cleanup Operations-Settings.
+    exportDownloadTtl: durationSpecSchema.optional(),
+    exportStaleTimeoutMinutes: z.number().int().nonnegative().optional(),
+    exportStorageCleanupGraceHours: z.number().int().nonnegative().optional(),
+  })
+  .strict();
+
+const notificationsOverrideSchema = z
+  .object({
+    languages: z.array(z.string()).optional(),
+    languageDefault: z.string().optional(),
+    mandatoryBreachNotification: z.boolean().optional(),
+  })
+  .strict();
+
+const breachOverrideSchema = z
+  .object({
+    authorityNotificationDeadline: authorityNotificationDeadlineSchema.optional(),
+    authorityContact: z.string().optional(),
+    userNotificationRequired: userNotificationRequiredSchema.optional(),
+    worksCouncilNotificationRequired: z.boolean().optional(),
+    mandatoryRegisterOfBreaches: z.boolean().optional(),
+  })
+  .strict();
+
+const auditLogOverrideSchema = z
+  .object({
+    retention: auditRetentionSchema.optional(),
+    reportFrequency: z
+      .union([
+        z.literal("quarterly"),
+        z.literal("yearly"),
+        z.literal("annual-required"),
+        z.literal("manual"),
+      ])
+      .optional(),
+  })
+  .strict();
+
+const subProcessorOverrideSchema = z
+  .object({
+    consentRequired: z.boolean().optional(),
+    changeNotificationLeadDays: z.number().int().nonnegative().optional(),
+    mandatoryBaaWithSubProcessors: z.boolean().optional(),
+    worksCouncilApprovalRequired: z.boolean().optional(),
+    tierFilter: z.array(z.string()).optional(),
+  })
+  .strict();
+
+const forgetDiscoveryOverrideSchema = z
+  .object({
+    enabled: z.boolean().optional(),
+    mode: z.union([z.literal("manual-redact"), z.literal("auto-redact-strict")]).optional(),
+  })
+  .strict();
+
+/**
+ * Komplett-Schema fuer ComplianceProfileOverride. Alle Top-Level- UND
+ * Sub-Level-Keys sind gewhitelisted via .strict() — Tippfehler werfen
+ * sofort. Set-profile-Handler (Sprint 1.9 Z3) validiert das Override
+ * gegen dieses Schema vor dem Persist.
+ */
+export const complianceProfileOverrideSchema = z
+  .object({
+    userRights: userRightsOverrideSchema.optional(),
+    notifications: notificationsOverrideSchema.optional(),
+    breach: breachOverrideSchema.optional(),
+    auditLog: auditLogOverrideSchema.optional(),
+    subProcessor: subProcessorOverrideSchema.optional(),
+    tenantDestroyGracePeriod: durationSpecSchema.optional(),
+    forgetDiscovery: forgetDiscoveryOverrideSchema.optional(),
+  })
+  .strict();