feat(gdpr): staff-triggered client-data export bundle (Article 15)

Adds a full GDPR Article 15 (right of access) workflow. Staff trigger
an export from the client detail; a BullMQ worker assembles every row
keyed to that client (profile, contacts, addresses, notes, tags,
yachts, company memberships, interests, reservations, invoices,
documents, last 500 audit events) into JSON + a self-contained HTML
report, ZIPs them, uploads to MinIO, and optionally emails the client
a 7-day signed download link.

- New table gdpr_exports tracks lifecycle (pending → building → ready
  → sent / failed) with a 30-day cleanup target
- Bundle builder (gdpr-bundle-builder.ts) — pure read-side, tenant-
  scoped, with HTML escaping to block injection from rogue field values
- Worker hook in export queue dispatches on job name 'gdpr-export'
- New audit actions: 'request_gdpr_export', 'send_gdpr_export'
- API: POST/GET /api/v1/clients/:id/gdpr-export (admin-gated, exports
  rate-limit, Article-15 audit on POST); GET /:exportId returns a
  fresh signed URL
- UI: <GdprExportButton> dialog on client detail header — admin-only,
  shows recent exports, supports email-to-client + override recipient,
  polls every 5s while open
- Validation: refuses email-to-client when no primary email + no
  override (rather than silently dropping the send)

Tests: 778/778 vitest (was 771) — +7 covering builder happy path,
HTML escaping, tenant isolation, empty client, request-flow validation,
and audit / queue interaction.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/migrations/0018_stormy_spencer_smythe.sql

@@ -0,0 +1,21 @@
+CREATE TABLE "gdpr_exports" (
+	"id" text PRIMARY KEY NOT NULL,
+	"port_id" text NOT NULL,
+	"client_id" text NOT NULL,
+	"requested_by" text NOT NULL,
+	"status" text DEFAULT 'pending' NOT NULL,
+	"storage_key" text,
+	"size_bytes" integer,
+	"error" text,
+	"sent_to" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"ready_at" timestamp with time zone,
+	"sent_at" timestamp with time zone,
+	"expires_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_port_id_ports_id_fk" FOREIGN KEY ("port_id") REFERENCES "public"."ports"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_client_id_clients_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."clients"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_requested_by_user_id_fk" FOREIGN KEY ("requested_by") REFERENCES "public"."user"("id") ON DELETE restrict ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "idx_gdpr_exports_client" ON "gdpr_exports" USING btree ("client_id");--> statement-breakpoint
+CREATE INDEX "idx_gdpr_exports_port_created" ON "gdpr_exports" USING btree ("port_id","created_at");

src/lib/db/migrations/meta/_journal.json

@@ -127,6 +127,13 @@
       "when": 1777398450555,
       "tag": "0017_tiny_mercury",
       "breakpoints": true
+    },
+    {
+      "idx": 18,
+      "version": "7",
+      "when": 1777399135032,
+      "tag": "0018_stormy_spencer_smythe",
+      "breakpoints": true
     }
   ]
 }

src/lib/db/schema/gdpr.ts

@@ -0,0 +1,56 @@
+/**
+ * GDPR client-data export tracking.
+ *
+ * Each row is one export request. The actual bundle (a ZIP holding
+ * `client.json` + `client.html` and a copy of every attached file)
+ * lives in MinIO; we keep the storage key here plus the lifecycle
+ * markers needed for audit + the "download history" UI.
+ */
+
+import { pgTable, text, timestamp, integer, index } from 'drizzle-orm/pg-core';
+
+import { ports } from './ports';
+import { clients } from './clients';
+import { user } from './users';
+
+export const gdprExports = pgTable(
+  'gdpr_exports',
+  {
+    id: text('id')
+      .primaryKey()
+      .$defaultFn(() => crypto.randomUUID()),
+    portId: text('port_id')
+      .notNull()
+      .references(() => ports.id, { onDelete: 'cascade' }),
+    clientId: text('client_id')
+      .notNull()
+      .references(() => clients.id, { onDelete: 'cascade' }),
+    /** Staff member who requested the export. */
+    requestedBy: text('requested_by')
+      .notNull()
+      .references(() => user.id, { onDelete: 'restrict' }),
+    /** 'pending' | 'building' | 'ready' | 'sent' | 'failed' */
+    status: text('status').notNull().default('pending'),
+    /** MinIO path under the configured bucket — null until the worker uploads. */
+    storageKey: text('storage_key'),
+    sizeBytes: integer('size_bytes'),
+    /** When status='failed', the truncated error message. */
+    error: text('error'),
+    /** Email recipient if the bundle was emailed (typically the client's primary). */
+    sentTo: text('sent_to'),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+    readyAt: timestamp('ready_at', { withTimezone: true }),
+    sentAt: timestamp('sent_at', { withTimezone: true }),
+    /** Cleanup target — bundles are removed from MinIO after this. */
+    expiresAt: timestamp('expires_at', { withTimezone: true }),
+  },
+  (table) => [
+    index('idx_gdpr_exports_client').on(table.clientId),
+    index('idx_gdpr_exports_port_created').on(table.portId, table.createdAt),
+  ],
+);
+
+export type GdprExport = typeof gdprExports.$inferSelect;
+export type NewGdprExport = typeof gdprExports.$inferInsert;
+
+export type GdprExportStatus = 'pending' | 'building' | 'ready' | 'sent' | 'failed';

src/lib/db/schema/index.ts

@@ -53,5 +53,8 @@ export * from './insights';
 // AI usage ledger (Phase 3b)
 export * from './ai-usage';
 
+// GDPR export tracking (Phase 3d)
+export * from './gdpr';
+
 // Relations (must come last — references all tables)
 export * from './relations';