feat(gdpr): author erasure (PR5 of #6701) (#7550)

* docs: PR5 GDPR author erasure design spec

* docs: PR5 GDPR author erasure implementation plan

* feat(gdpr): AuthorManager.anonymizeAuthor — Art. 17 erasure

* test(gdpr): AuthorManager.anonymizeAuthor unit tests

* feat(gdpr): REST anonymizeAuthor on API version 1.3.1

* test(gdpr): REST anonymizeAuthor end-to-end

* docs(gdpr): right-to-erasure section + anonymizeAuthor example

* fix(gdpr): make anonymizeAuthor resumable on partial failure

Qodo review: the `erased: true` sentinel was written before the chat
scrub loop, so a throw during scrub left chat messages untouched
while subsequent calls short-circuited on `existing.erased` and never
finished. Split the write: zero the display identity first (still
hides the name), run the chat scrub, and only then stamp
`erased: true` so a retry resumes the sweep. Regression test
covers the partial-run → retry path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
John McLear 2026-05-03 19:30:49 +08:00 committed by GitHub
parent 487842006c
commit 69bb1e19c5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 1093 additions and 6 deletions

View file

@ -224,6 +224,18 @@
"keepRevisions": 5
},
/*
* GDPR Art. 17 author erasure REST endpoint (anonymizeAuthor).
*
* Disabled by default — enable only when an operator process exists to
* authorise erasure requests. While disabled, calls to anonymizeAuthor
* return an apierror and the AuthorManager helper is not exposed via
* the public API.
*/
"gdprAuthorErasure": {
"enabled": false
},
/*
* Node native SSL support
*