Durable erasure record β written before the first destructive call, survives the erasure, makes retry + restore-replay + accountability (Art 5(2)) possible.
Scope β modules/users (ledger model + repository)
ErasureRequest model: { emailHash (salted, no clear-text identifier), requestedAt, completedAt, axesSnapshot: { soleOwnedOrgIds, sharedOrgIds }, providers: [{ key, status: pending|done|retained|failed, itemsRemoved, itemsRetained, messages }], retainedCategories: [{ key, ground, duration }] }.
- Written by the orchestrator BEFORE any provider runs; updated after each provider; kept AFTER the User doc is deleted (PII-minimal by design β hashed identifier only, never profile data).
- Retry support: an incomplete request re-runs from its snapshot (org list re-resolution is never needed twice β memberships may already be gone).
- Replay support: query requests newer than a given date β re-run their erasures (idempotent providers make this safe). This is the restore-time re-erasure mechanism the consumer guide documents for database backups.
- Excluded from the coverage gate via an explicit waiver (it IS the compliance record); never exposed through any provider.
DoD
Depends on: registry leaf v2.
Created via /dev:issue Β· contract v2 2026-07-03
Durable erasure record β written before the first destructive call, survives the erasure, makes retry + restore-replay + accountability (Art 5(2)) possible.
Scope β
modules/users(ledger model + repository)ErasureRequestmodel:{ emailHash (salted, no clear-text identifier), requestedAt, completedAt, axesSnapshot: { soleOwnedOrgIds, sharedOrgIds }, providers: [{ key, status: pending|done|retained|failed, itemsRemoved, itemsRetained, messages }], retainedCategories: [{ key, ground, duration }] }.DoD
/verifygreen.Depends on: registry leaf v2.
Created via /dev:issue Β· contract v2 2026-07-03