docs(timeline): audit retention + erasure dossier

Sprint SPRINT_20260408_004 AUDIT-004 documentation criterion.

docs/modules/timeline/audit-retention.md covers:
- Four-rung classification ladder and the "narrowest wins" rule
- Retention table structure, platform defaults, per-tenant overrides,
  and legal holds via compliance_hold
- AuditRetentionPurgeService config + operator recommendations
- Right-to-erasure endpoint contract, hash-chain integrity guarantees,
  and the idempotency semantics via pii_redacted_at
- Sequence-chain gap behaviour after purge and how chain verification
  should window its checks
- Compliance checklist for operators

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-19 23:39:28 +03:00
parent 7e0819179b
commit 44195cd7af
2 changed files with 163 additions and 1 deletions

@@ -199,7 +199,7 @@ Completion criteria:
- [x] Data classification applied to all ingested events — migration 005 adds `data_classification` column with CHECK constraint; `PostgresUnifiedAuditEventStore` populates it at insert time via `AuditDataClassifier` (none|personal|sensitive|restricted ladder with 16 passing tests).
- [x] Retention purge runs on schedule without breaking hash chains — `AuditRetentionPurgeService` background host iterates tenants and calls `timeline.purge_expired_audit_events`; the SQL function respects `compliance_hold` and drops expired rows per classification. The hash chain is left intact for non-purged rows; purged rows leave chain-external gaps, which is acceptable because `verify_unified_audit_chain` only asserts contiguous-chain integrity *within* a queried sequence range.
- [x] Right-to-erasure redacts PII without invalidating chain verification — `timeline.redact_actor_pii` replaces email/ip/user-agent (plus name for personal/sensitive) with `[REDACTED]`, preserves `actor_id` and `content_hash`; `PostgresUnifiedAuditEventStore.RedactActorPiiAsync` + `DELETE /api/v1/audit/actors/{actorId}/pii` expose the operation under the new `Timeline.Admin` scope.
- [ ] Documentation updated: `docs/modules/timeline/audit-retention.md` — deferred.
- [x] Documentation updated: `docs/modules/timeline/audit-retention.md` — dossier shipped covering classifications, retention table + overrides, scheduled purge config, right-to-erasure contract, chain-gap handling, and the operator compliance checklist.
- [ ] Doctor `AuditReadinessCheck` updated to verify retention configuration — deferred.
### AUDIT-005 - Deprecate per-service audit DB tables (Phase 2)
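Review bot: The newly checked documentation criterion lists the dossier's topics but does not say whether the dossier states what `content_hash` is computed over. That matters because the right-to-erasure criterion just above it says `timeline.redact_actor_pii` preserves `content_hash` while replacing email/ip/user-agent with `[REDACTED]`. If the hash input includes any of those fields, a preserved hash would let someone confirm a guessed email or IP address after erasure, and a verifier that recomputes hashes from row content would fail on redacted rows. If the hash excludes them, the dossier should say so explicitly next to the "hash-chain integrity guarantees" section. Separately, the Doctor `AuditReadinessCheck` item is still deferred, so nothing visible in this hunk verifies retention configuration automatically. Suggest the operator compliance checklist state that the retention table, per-tenant overrides and `compliance_hold` must be checked by hand until that item lands.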