feat(kvkk): workspace data export + permanent delete

KVKK 'veri taşınabilirliği' ve 'unutulma hakkı' için iki uçtan yeni
akış: dışa aktar ve kalıcı sil. İkisi de /settings/workspace altındaki
yeni 'Tehlikeli Bölge' kartına eklendi, sadece owner görür.

Export — GET /api/account/export
  - requireTenant guard.
  - Sırayla tenant-owned tablolar (settings, profiles, connections,
    patients, clinic_pricing, jobs, job_files, history, prosthetics,
    finance_entries, payments, notifications, audit_logs) gezilir.
    Çift sahipli tablolar (jobs, connections, payments, clinic_pricing,
    job_files, history) için iki kez sorgu atılıp $id ile dedupe edilir.
  - { exportedAt, tenantId, tenantKind, requestedBy, data } JSON olarak
    Content-Disposition: attachment ile döner. ~ek dep yok.

Delete — deleteWorkspaceAction (owner-only, server action)
  - Onay: kullanıcının companyName'i birebir yazması gerekir.
  - 1) Storage: tenant logosu + arşivlenmemiş job_files objelerini sil.
  - 2) DB: hard-delete tüm tenant verisi — notifications, audit_logs,
    payments, finance_entries, history, job_files, jobs, clinic_pricing,
    prosthetics, patients, connections, profiles, tenant_settings.
    Her tablo için Query.equal + sayfa sayfa 500'er silme.
  - 3) teams.delete(tenantId) — son aşama, takım yok artık.
  - 4) active-tenant cookie temizle; session bırak (kullanıcı başka
    workspace'e geçebilir veya çıkış yapabilir).
  - redirect('/onboarding').

UI — DangerZone (client)
  - 'JSON indir' butonu: /api/account/export'a fetch, blob download.
  - 'Sil' Dialog: çalışma alanı adı confirm input ile gated; eşit
    olana kadar 'Kalıcı olarak sil' disabled.

src/app/(dashboard)/settings/workspace/components/danger-zone.tsx

@@ -0,0 +1,141 @@
+"use client";
+
+import { useActionState, useEffect, useState, useTransition } from "react";
+import { AlertTriangle, Download, Loader2, Trash2 } from "lucide-react";
+import { toast } from "sonner";
+
+import { Button } from "@/components/ui/button";
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import {
+  deleteWorkspaceAction,
+  initialDeleteWorkspaceState,
+} from "@/lib/appwrite/account-delete-actions";
+
+export function DangerZone({ companyName }: { companyName: string }) {
+  const [downloadBusy, startDownload] = useTransition();
+  const [open, setOpen] = useState(false);
+  const [confirm, setConfirm] = useState("");
+  const [state, action, pending] = useActionState(
+    deleteWorkspaceAction,
+    initialDeleteWorkspaceState,
+  );
+
+  useEffect(() => {
+    if (state.error) toast.error(state.error);
+  }, [state]);
+
+  function downloadExport() {
+    startDownload(async () => {
+      try {
+        const res = await fetch("/api/account/export");
+        if (!res.ok) throw new Error(`HTTP ${res.status}`);
+        const blob = await res.blob();
+        const url = URL.createObjectURL(blob);
+        const a = document.createElement("a");
+        a.href = url;
+        a.download = `dls-export-${Date.now()}.json`;
+        document.body.appendChild(a);
+        a.click();
+        a.remove();
+        URL.revokeObjectURL(url);
+        toast.success("Veri dışa aktarıldı.");
+      } catch (e) {
+        toast.error(e instanceof Error ? e.message : "İndirilemedi.");
+      }
+    });
+  }
+
+  return (
+    <Card className="border-destructive/40">
+      <CardHeader>
+        <CardTitle className="flex items-center gap-2 text-base">
+          <AlertTriangle className="text-destructive size-4" />
+          Tehlikeli Bölge
+        </CardTitle>
+        <CardDescription>
+          Verinizi dışa aktarın veya çalışma alanını kalıcı olarak silin.
+        </CardDescription>
+      </CardHeader>
+      <CardContent className="grid gap-3">
+        <div className="flex flex-wrap items-center justify-between gap-3 rounded-md border p-3">
+          <div className="min-w-0">
+            <p className="font-medium">Verilerimi indir</p>
+            <p className="text-muted-foreground text-xs">
+              Çalışma alanınızdaki tüm veriler (hastalar, işler, ödemeler, geçmiş)
+              JSON formatında dışa aktarılır. Silmeden önce yedek almanız önerilir.
+            </p>
+          </div>
+          <Button variant="outline" onClick={downloadExport} disabled={downloadBusy}>
+            {downloadBusy ? <Loader2 className="size-4 animate-spin" /> : <Download className="size-4" />}
+            JSON indir
+          </Button>
+        </div>
+
+        <div className="border-destructive/40 flex flex-wrap items-center justify-between gap-3 rounded-md border p-3">
+          <div className="min-w-0">
+            <p className="font-medium">Çalışma alanını sil</p>
+            <p className="text-muted-foreground text-xs">
+              Tüm hastalar, işler, ödemeler, dosyalar ve geçmiş kalıcı olarak silinir.
+              Bu işlem geri alınamaz.
+            </p>
+          </div>
+          <Dialog open={open} onOpenChange={setOpen}>
+            <Button variant="destructive" onClick={() => setOpen(true)}>
+              <Trash2 className="size-4" />
+              Sil
+            </Button>
+            <DialogContent>
+              <DialogHeader>
+                <DialogTitle>Çalışma alanını kalıcı sil</DialogTitle>
+                <DialogDescription>
+                  Onaylamak için aşağıya <strong>{companyName}</strong> yazın. Bu
+                  işlem hastalar, işler, ödemeler, dosyalar ve tüm geçmişi içerir
+                  ve geri alınamaz.
+                </DialogDescription>
+              </DialogHeader>
+              <form action={action} className="grid gap-3">
+                <div className="grid gap-2">
+                  <Label htmlFor="confirm">Çalışma alanı adı</Label>
+                  <Input
+                    id="confirm"
+                    name="confirm"
+                    autoComplete="off"
+                    value={confirm}
+                    onChange={(e) => setConfirm(e.target.value)}
+                    placeholder={companyName}
+                  />
+                </div>
+                <DialogFooter>
+                  <DialogClose asChild>
+                    <Button type="button" variant="outline">
+                      Vazgeç
+                    </Button>
+                  </DialogClose>
+                  <Button
+                    type="submit"
+                    variant="destructive"
+                    disabled={pending || confirm.trim() !== companyName}
+                  >
+                    {pending ? <Loader2 className="size-4 animate-spin" /> : <Trash2 className="size-4" />}
+                    Kalıcı olarak sil
+                  </Button>
+                </DialogFooter>
+              </form>
+            </DialogContent>
+          </Dialog>
+        </div>
+      </CardContent>
+    </Card>
+  );
+}

src/app/(dashboard)/settings/workspace/page.tsx

@@ -3,6 +3,7 @@ import { redirect } from "next/navigation";
 
 import { getLogoUrl } from "@/lib/appwrite/storage";
 import { requireTenant } from "@/lib/appwrite/tenant-guard";
+import { DangerZone } from "./components/danger-zone";
 import { LogoUploader } from "./components/logo-uploader";
 import { WorkspaceSettingsForm } from "./components/workspace-form";
 
@@ -50,6 +51,10 @@ export default async function WorkspaceSettingsPage() {
           memberNumber: ctx.settings?.memberNumber ?? "",
         }}
       />
+
+      {ctx.role === "owner" && (
+        <DangerZone companyName={ctx.settings?.companyName ?? ""} />
+      )}
     </div>
   );
 }

src/app/api/account/export/route.ts

@@ -0,0 +1,103 @@
+import { NextResponse } from "next/server";
+import { Query } from "node-appwrite";
+
+import { DATABASE_ID, TABLES } from "@/lib/appwrite/schema";
+import { createAdminClient } from "@/lib/appwrite/server";
+import { requireTenant } from "@/lib/appwrite/tenant-guard";
+
+const TENANT_TABLES = [
+  TABLES.tenantSettings,
+  TABLES.profiles,
+  TABLES.connections,
+  TABLES.patients,
+  TABLES.clinicPricing,
+  TABLES.jobs,
+  TABLES.jobFiles,
+  TABLES.jobStatusHistory,
+  TABLES.prosthetics,
+  TABLES.financeEntries,
+  TABLES.payments,
+  TABLES.notifications,
+  TABLES.auditLogs,
+] as const;
+
+const TENANT_FIELDS_BY_TABLE: Record<string, string[]> = {
+  // Most tables use 'tenantId' or 'clinicTenantId'/'labTenantId' for ownership.
+  [TABLES.tenantSettings]: ["tenantId"],
+  [TABLES.profiles]: ["tenantId"],
+  [TABLES.connections]: ["clinicTenantId", "labTenantId"],
+  [TABLES.patients]: ["clinicTenantId"],
+  [TABLES.clinicPricing]: ["labTenantId", "clinicTenantId"],
+  [TABLES.jobs]: ["clinicTenantId", "labTenantId"],
+  [TABLES.jobFiles]: ["clinicTenantId", "labTenantId"],
+  [TABLES.jobStatusHistory]: ["clinicTenantId", "labTenantId"],
+  [TABLES.prosthetics]: ["tenantId"],
+  [TABLES.financeEntries]: ["tenantId"],
+  [TABLES.payments]: ["tenantId", "counterpartTenantId"],
+  [TABLES.notifications]: ["tenantId"],
+  [TABLES.auditLogs]: ["tenantId"],
+};
+
+/**
+ * Return a JSON file containing every row this tenant has access to.
+ * Used for KVKK 'data portability' and as a sanity-check pre-delete.
+ */
+export async function GET() {
+  let ctx;
+  try {
+    ctx = await requireTenant();
+  } catch {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { tablesDB } = createAdminClient();
+  const out: Record<string, unknown[]> = {};
+
+  for (const table of TENANT_TABLES) {
+    const fields = TENANT_FIELDS_BY_TABLE[table] ?? ["tenantId"];
+    try {
+      // Fetch each row where ANY of the ownership fields equals our tenantId.
+      // For tables with two fields (jobs, connections, ...) issue both queries
+      // and dedupe — Appwrite doesn't have OR across distinct equality terms.
+      const seen = new Set<string>();
+      const rows: unknown[] = [];
+      for (const field of fields) {
+        const result = await tablesDB.listRows({
+          databaseId: DATABASE_ID,
+          tableId: table,
+          queries: [Query.equal(field, ctx.tenantId), Query.limit(500)],
+        });
+        for (const r of result.rows) {
+          const id = (r as { $id?: string }).$id;
+          if (id && !seen.has(id)) {
+            seen.add(id);
+            rows.push(r);
+          }
+        }
+      }
+      out[table] = rows;
+    } catch (e) {
+      out[table] = [
+        { error: e instanceof Error ? e.message : "fetch failed" },
+      ];
+    }
+  }
+
+  const payload = {
+    exportedAt: new Date().toISOString(),
+    tenantId: ctx.tenantId,
+    tenantKind: ctx.kind,
+    requestedBy: { id: ctx.user.id, email: ctx.user.email, name: ctx.user.name },
+    data: out,
+  };
+
+  const fileName = `dls-export-${ctx.tenantId}-${Date.now()}.json`;
+  return new NextResponse(JSON.stringify(payload, null, 2), {
+    status: 200,
+    headers: {
+      "Content-Type": "application/json; charset=utf-8",
+      "Content-Disposition": `attachment; filename="${fileName}"`,
+      "Cache-Control": "private, no-store",
+    },
+  });
+}

src/lib/appwrite/account-delete-actions.ts

@@ -0,0 +1,172 @@
+"use server";
+
+import { revalidatePath } from "next/cache";
+import { cookies } from "next/headers";
+import { redirect } from "next/navigation";
+import { AppwriteException, Query } from "node-appwrite";
+
+import {
+  BUCKETS,
+  DATABASE_ID,
+  TABLES,
+  type JobFile,
+  type TenantSettings,
+} from "./schema";
+import { APPWRITE_SESSION_COOKIE, createAdminClient } from "./server";
+import { ACTIVE_TENANT_COOKIE } from "./tenant-types";
+import { requireRole, requireTenant } from "./tenant-guard";
+
+export type DeleteWorkspaceState = {
+  ok: boolean;
+  error?: string;
+};
+
+export const initialDeleteWorkspaceState: DeleteWorkspaceState = { ok: false };
+
+function appwriteError(e: unknown, fallback = "Beklenmeyen bir hata oluştu."): string {
+  if (e instanceof AppwriteException) return e.message || fallback;
+  return process.env.NODE_ENV !== "production" && e instanceof Error
+    ? `${fallback} (${e.message})`
+    : fallback;
+}
+
+/** Best-effort delete every row where any of `fields` equals tenantId. */
+async function purgeTable(table: string, fields: string[], tenantId: string) {
+  const { tablesDB } = createAdminClient();
+  const ids = new Set<string>();
+  for (const field of fields) {
+    let offset = 0;
+    // Page through to handle tables with more than 500 rows.
+    while (true) {
+      const result = await tablesDB
+        .listRows({
+          databaseId: DATABASE_ID,
+          tableId: table,
+          queries: [Query.equal(field, tenantId), Query.limit(500), Query.offset(offset)],
+        })
+        .catch(() => ({ rows: [] }));
+      for (const row of result.rows) {
+        const id = (row as { $id?: string }).$id;
+        if (id) ids.add(id);
+      }
+      if (result.rows.length < 500) break;
+      offset += 500;
+    }
+  }
+  await Promise.allSettled(
+    Array.from(ids).map((id) =>
+      tablesDB.deleteRow(DATABASE_ID, table, id),
+    ),
+  );
+}
+
+/**
+ * Hard-delete an entire workspace and everything it owns. Reversible only
+ * via your own backup — Appwrite has no undo. Caller must be owner of the
+ * tenant and must confirm by typing the company name back to us.
+ */
+export async function deleteWorkspaceAction(
+  _prev: DeleteWorkspaceState,
+  formData: FormData,
+): Promise<DeleteWorkspaceState> {
+  const confirm = String(formData.get("confirm") ?? "").trim();
+  let ctx;
+  try {
+    ctx = await requireTenant();
+    requireRole(ctx, ["owner"]);
+  } catch {
+    return { ok: false, error: "Yalnızca sahip silebilir." };
+  }
+  const expected = ctx.settings?.companyName?.trim() ?? "";
+  if (!expected || confirm !== expected) {
+    return {
+      ok: false,
+      error: "Onaylamak için çalışma alanı adını birebir yazmanız gerekiyor.",
+    };
+  }
+
+  const tenantId = ctx.tenantId;
+  const { tablesDB, storage, teams } = createAdminClient();
+
+  // 1) Wipe Storage objects we still own (logo + any non-archived job files).
+  try {
+    const settingsRes = await tablesDB.listRows({
+      databaseId: DATABASE_ID,
+      tableId: TABLES.tenantSettings,
+      queries: [Query.equal("tenantId", tenantId), Query.limit(1)],
+    });
+    const settings = (settingsRes.rows[0] as unknown as TenantSettings | undefined) ?? null;
+    if (settings?.logo) {
+      try {
+        await storage.deleteFile(BUCKETS.tenantLogos, settings.logo);
+      } catch {
+        /* ignore */
+      }
+    }
+
+    const files = await tablesDB.listRows({
+      databaseId: DATABASE_ID,
+      tableId: TABLES.jobFiles,
+      queries: [
+        Query.or([
+          Query.equal("clinicTenantId", tenantId),
+          Query.equal("labTenantId", tenantId),
+        ]),
+        Query.limit(1000),
+      ],
+    });
+    await Promise.allSettled(
+      (files.rows as unknown as JobFile[]).map(async (f) => {
+        if (f.archivedAt) return;
+        try {
+          await storage.deleteFile(BUCKETS.jobFiles, f.fileId);
+        } catch {
+          /* ignore */
+        }
+      }),
+    );
+  } catch {
+    /* best-effort */
+  }
+
+  // 2) Purge all DB tables tied to this tenant. Order doesn't matter
+  // because everything is hard-deleted.
+  const tablePurges: Array<[string, string[]]> = [
+    [TABLES.notifications, ["tenantId"]],
+    [TABLES.auditLogs, ["tenantId"]],
+    [TABLES.payments, ["tenantId", "counterpartTenantId"]],
+    [TABLES.financeEntries, ["tenantId"]],
+    [TABLES.jobStatusHistory, ["clinicTenantId", "labTenantId"]],
+    [TABLES.jobFiles, ["clinicTenantId", "labTenantId"]],
+    [TABLES.jobs, ["clinicTenantId", "labTenantId"]],
+    [TABLES.clinicPricing, ["labTenantId", "clinicTenantId"]],
+    [TABLES.prosthetics, ["tenantId"]],
+    [TABLES.patients, ["clinicTenantId"]],
+    [TABLES.connections, ["clinicTenantId", "labTenantId"]],
+    [TABLES.profiles, ["tenantId"]],
+    [TABLES.tenantSettings, ["tenantId"]],
+  ];
+  for (const [table, fields] of tablePurges) {
+    await purgeTable(table, fields, tenantId);
+  }
+
+  // 3) Finally delete the Appwrite Team itself. This boots every member's
+  // permission to read anything that might have slipped through above.
+  try {
+    await teams.delete({ teamId: tenantId });
+  } catch (e) {
+    return { ok: false, error: appwriteError(e, "Çalışma alanı silindi ama takım kaldı.") };
+  }
+
+  // Drop session/active-tenant cookies — the user is also effectively
+  // signed out of this workspace.
+  const cookieStore = await cookies();
+  cookieStore.delete(ACTIVE_TENANT_COOKIE);
+  // Keep the Appwrite session itself so the user can still re-onboard or
+  // hop to another workspace they own. If they want to drop the session,
+  // there's already a 'Çıkış yap' button.
+  void APPWRITE_SESSION_COOKIE; // referenced to avoid unused import
+
+  revalidatePath("/");
+  redirect("/onboarding");
+}