# Replay Retention Schema Freeze - 2025-12-10

## Why
- Unblock EvidenceLocker replay ingestion tasks (EVID-REPLAY-187-001) and downstream CLI/runbook work by freezing a retention declaration schema.
- Keep outputs deterministic and tenant-scoped while offline/air-gap friendly.

## Scope & Decisions
- Schema path: `docs/schemas/replay-retention.schema.json`.
- Fields:
  - `retention_policy_id` (string, stable ID for policy version).
  - `tenant_id` (string, required).
  - `dataset` (string; e.g., evidence_bundle, replay_log, advisory_payload).
  - `bundle_type` (enum: portable_bundle, sealed_bundle, replay_log, advisory_payload).
  - `retention_days` (int 1-3650).
  - `legal_hold` (bool).
  - `purge_after` (ISO-8601 UTC; derived from ingest + retention_days unless legal_hold=true).
  - `checksum` (algorithm: sha256/sha512, value hex).
  - `created_at` (ISO-8601 UTC).
- Determinism: no additionalProperties; checksum recorded for audit; UTC timestamps only.
- Tenant isolation: tenant_id mandatory; policy IDs may be per-tenant.

## Impacted Tasks
- EVID-REPLAY-187-001, CLI-REPLAY-187-002, RUNBOOK-REPLAY-187-004 are unblocked on retention shape; implementation still required in corresponding modules.

## Next Steps
- Wire schema validation in EvidenceLocker ingest and CLI replay commands.
- Document retention defaults and legal-hold overrides in `docs/runbooks/replay_ops.md`.
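
A sketch of the ingest-side check implied by the field list above, added here as an example; it is not the project's schema file or EvidenceLocker code. Assumptions: all nine fields are required, `checksum` is an object with `algorithm` and `value` keys, timestamps use second precision with a literal `Z`, the ingest time is passed in by the caller as `ingested_at`, and `SAMPLE` is a constructed declaration.

```python
import re
from datetime import datetime, timedelta, timezone

BUNDLE_TYPES = {"portable_bundle", "sealed_bundle", "replay_log", "advisory_payload"}
HEX_LEN = {"sha256": 64, "sha512": 128}  # digest length in hex characters
FIELDS = {"retention_policy_id", "tenant_id", "dataset", "bundle_type", "retention_days",
          "legal_hold", "purge_after", "checksum", "created_at"}
UTC_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ", re.ASCII)

def parse_utc(value):  # assumed canonical form: second precision, literal Z, no offsets
    if not isinstance(value, str) or not UTC_RE.fullmatch(value):
        raise ValueError("not a UTC timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def checksum_ok(ck):  # assumed shape: {"algorithm": ..., "value": <lowercase hex>}
    if not isinstance(ck, dict) or set(ck) != {"algorithm", "value"}:
        return False
    alg, val = ck["algorithm"], ck["value"]
    return (isinstance(alg, str) and alg in HEX_LEN and isinstance(val, str)
            and re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[alg], val) is not None)

def validate(decl, ingested_at):  # returns a list of violations; empty means accepted
    if set(decl) != FIELDS:  # closed object; all nine fields assumed required
        return [f"field set mismatch: {sorted(set(decl) ^ FIELDS)}"]
    errors = [f"{k} must be a non-empty string"
              for k in ("retention_policy_id", "tenant_id", "dataset")
              if not (isinstance(decl[k], str) and decl[k])]
    days, hold = decl["retention_days"], decl["legal_hold"]
    days_ok = type(days) is int and 1 <= days <= 3650  # type() also rejects bool
    rules = [(isinstance(decl["bundle_type"], str) and decl["bundle_type"] in BUNDLE_TYPES,
              "bundle_type not in enum"),
             (days_ok, "retention_days must be an int in 1..3650"),
             (type(hold) is bool, "legal_hold must be a bool"),
             (checksum_ok(decl["checksum"]), "checksum must be sha256/sha512 hex of matching length")]
    errors += [msg for ok, msg in rules if not ok]
    try:
        parse_utc(decl["created_at"])
        purge = parse_utc(decl["purge_after"])
    except ValueError:
        return errors + ["created_at and purge_after must be ISO-8601 UTC"]
    # Derivation rule applies only without a legal hold; ingested_at is supplied by the caller.
    if hold is False and days_ok and purge != parse_utc(ingested_at) + timedelta(days=days):
        errors.append("purge_after != ingest + retention_days")
    return errors

# Constructed sample declaration (illustrative values only).
SAMPLE = {"retention_policy_id": "rp-example-v1", "tenant_id": "tenant-a", "dataset": "replay_log",
          "bundle_type": "replay_log", "retention_days": 30, "legal_hold": False,
          "purge_after": "2025-01-31T00:00:00Z", "created_at": "2025-01-01T00:00:00Z",
          "checksum": {"algorithm": "sha256", "value": "ab" * 32}}
```

Rejecting declarations whose `purge_after` disagrees with the derived value keeps a tampered or stale purge date from shortening retention unnoticed.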