feat(gdpr): staff-triggered client-data export bundle (Article 15)

Adds a full GDPR Article 15 (right of access) workflow. Staff trigger an export from the client detail; a BullMQ worker assembles every row keyed to that client (profile, contacts, addresses, notes, tags, yachts, company memberships, interests, reservations, invoices, documents, last 500 audit events) into JSON + a self-contained HTML report, ZIPs them, uploads to MinIO, and optionally emails the client a 7-day signed download link. - New table gdpr_exports tracks lifecycle (pending → building → ready → sent / failed) with a 30-day cleanup target - Bundle builder (gdpr-bundle-builder.ts) — pure read-side, tenant- scoped, with HTML escaping to block injection from rogue field values - Worker hook in export queue dispatches on job name 'gdpr-export' - New audit actions: 'request_gdpr_export', 'send_gdpr_export' - API: POST/GET /api/v1/clients/:id/gdpr-export (admin-gated, exports rate-limit, Article-15 audit on POST); GET /:exportId returns a fresh signed URL - UI: <GdprExportButton> dialog on client detail header — admin-only, shows recent exports, supports email-to-client + override recipient, polls every 5s while open - Validation: refuses email-to-client when no primary email + no override (rather than silently dropping the send) Tests: 778/778 vitest (was 771) — +7 covering builder happy path, HTML escaping, tenant isolation, empty client, request-flow validation, and audit / queue interaction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 20:06:31 +02:00
parent 9dfa04094b
commit a3305a94f3
16 changed files with 11786 additions and 5 deletions
--- a/src/lib/db/migrations/0018_stormy_spencer_smythe.sql
+++ b/src/lib/db/migrations/0018_stormy_spencer_smythe.sql
@@ -0,0 +1,21 @@
+CREATE TABLE "gdpr_exports" (
+	"id" text PRIMARY KEY NOT NULL,
+	"port_id" text NOT NULL,
+	"client_id" text NOT NULL,
+	"requested_by" text NOT NULL,
+	"status" text DEFAULT 'pending' NOT NULL,
+	"storage_key" text,
+	"size_bytes" integer,
+	"error" text,
+	"sent_to" text,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"ready_at" timestamp with time zone,
+	"sent_at" timestamp with time zone,
+	"expires_at" timestamp with time zone
+);
+--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_port_id_ports_id_fk" FOREIGN KEY ("port_id") REFERENCES "public"."ports"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_client_id_clients_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."clients"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "gdpr_exports" ADD CONSTRAINT "gdpr_exports_requested_by_user_id_fk" FOREIGN KEY ("requested_by") REFERENCES "public"."user"("id") ON DELETE restrict ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "idx_gdpr_exports_client" ON "gdpr_exports" USING btree ("client_id");--> statement-breakpoint
+CREATE INDEX "idx_gdpr_exports_port_created" ON "gdpr_exports" USING btree ("port_id","created_at");
--- a/src/lib/db/migrations/meta/0018_snapshot.json
+++ b/src/lib/db/migrations/meta/0018_snapshot.json
--- a/src/lib/db/migrations/meta/_journal.json
+++ b/src/lib/db/migrations/meta/_journal.json
@@ -127,6 +127,13 @@
      "when": 1777398450555,
      "tag": "0017_tiny_mercury",
      "breakpoints": true
+    },
+    {
+      "idx": 18,
+      "version": "7",
+      "when": 1777399135032,
+      "tag": "0018_stormy_spencer_smythe",
+      "breakpoints": true
    }
  ]
 }