Skip to content

πŸ”’ GDPR ErasureRequest ledger β€” write-before-destroy, replay-readyΒ #3938

Description

@PierreBrisorgueil

Durable erasure record β€” written before the first destructive call, survives the erasure, makes retry + restore-replay + accountability (Art 5(2)) possible.

Scope β€” modules/users (ledger model + repository)

  • ErasureRequest model: { emailHash (salted, no clear-text identifier), requestedAt, completedAt, axesSnapshot: { soleOwnedOrgIds, sharedOrgIds }, providers: [{ key, status: pending|done|retained|failed, itemsRemoved, itemsRetained, messages }], retainedCategories: [{ key, ground, duration }] }.
  • Written by the orchestrator BEFORE any provider runs; updated after each provider; kept AFTER the User doc is deleted (PII-minimal by design β€” hashed identifier only, never profile data).
  • Retry support: an incomplete request re-runs from its snapshot (org list re-resolution is never needed twice β€” memberships may already be gone).
  • Replay support: query requests newer than a given date β†’ re-run their erasures (idempotent providers make this safe). This is the restore-time re-erasure mechanism the consumer guide documents for database backups.
  • Excluded from the coverage gate via an explicit waiver (it IS the compliance record); never exposed through any provider.

DoD

  • Unit: write-before-destroy ordering, per-provider status updates, survives user deletion, replay query.
  • PII-minimal assertion (no clear-text email/name persisted).
  • /verify green.

Depends on: registry leaf v2.

Created via /dev:issue Β· contract v2 2026-07-03

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions