Auditor Export & Redaction Contracts
ADR-0014 accepts the auditor export/redaction contract. OP-010 implements the first auditor read redaction seam. OP-037R implements the first synchronous runtime for redacted CSV and visible-watermark PDF exports.
Guardrails
- Auditor access is read-only and tenant-scoped.
- Auditor sessions default to 90 days and are tenant-configurable from 30 to 365 days.
- Every auditor read creates audit evidence.
- CSV exports require metadata header fields and a SHA-256 contents hash.
- PDF exports require visible text-overlay watermarking.
- PII/PHI redaction happens before export generation.
- Tenant redaction rules can only configure within platform-defined bounds.
- CSV and PDF hashes are stored on the tenant export record.
- Artifact reads are tenant-scoped and audited.
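An added sketch of the CSV guardrails above (redaction before generation, metadata header, SHA-256 contents hash, bounded tenant rules); it is not code from this project. The function names, field names, `# key=value` header layout, and the choice to hash only the rows after the metadata header are all assumptions.

```python
import csv
import hashlib
import hmac
import io

# Assumed platform bounds (hypothetical field names, not taken from ADR-0014).
PLATFORM_ALWAYS_REDACT = frozenset({"ssn", "diagnosis"})
TENANT_MAY_REDACT = frozenset({"email", "phone"})

def effective_redactions(tenant_redact=()):
    """Tenant rules may add fields within bounds; they can never drop platform ones."""
    out_of_bounds = set(tenant_redact) - TENANT_MAY_REDACT
    if out_of_bounds:
        raise ValueError(f"tenant rule outside platform bounds: {sorted(out_of_bounds)}")
    return PLATFORM_ALWAYS_REDACT | set(tenant_redact)

def build_csv_export(rows, tenant_id, export_id, tenant_redact=()):
    """Redact first, then serialize, hash the contents, and prepend the metadata header."""
    fields = effective_redactions(tenant_redact)
    clean = [{k: "[REDACTED]" if k in fields else v for k, v in r.items()} for r in rows]
    body = io.StringIO()
    writer = csv.DictWriter(body, fieldnames=list(rows[0]) if rows else [], lineterminator="\n")
    writer.writeheader()
    writer.writerows(clean)
    contents = body.getvalue()
    digest = hashlib.sha256(contents.encode("utf-8")).hexdigest()
    header = f"# tenant_id={tenant_id}\n# export_id={export_id}\n# contents_sha256={digest}\n"
    return header + contents, digest  # digest is the value the export record would store

def verify_csv_export(artifact, stored_hash):
    """Recompute the contents hash and compare it with the header and the stored record."""
    lines = artifact.splitlines(keepends=True)
    split = 0
    while split < len(lines) and lines[split].startswith("# "):
        split += 1  # leading metadata lines are excluded from the hash
    meta = dict(line[2:].rstrip("\n").partition("=")[::2] for line in lines[:split])
    actual = hashlib.sha256("".join(lines[split:]).encode("utf-8")).hexdigest()
    return (hmac.compare_digest(actual, stored_hash)
            and meta.get("contents_sha256") == stored_hash)

# Constructed sample rows for illustration.
SAMPLE_ROWS = [
    {"id": "1", "email": "a@example.test", "ssn": "123-45-6789", "diagnosis": "J45"},
    {"id": "2", "email": "b@example.test", "ssn": "987-65-4321", "diagnosis": "E11"},
]
```
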
Events
- compliance.export.requested
- compliance.export.completed
API Surfaces
- GET /api/v1/compliance/exports
- POST /api/v1/compliance/exports
- GET /api/v1/compliance/exports/{export_id}
- GET /api/v1/compliance/exports/{export_id}/artifacts/{artifact_format}
The current runtime stores already-redacted demo artifacts in the tenant-scoped
compliance_exports record. S3/KMS object storage and short-lived signed URLs
remain future scoped work.
References
- docs/adr/ADR-0014-auditor-export-redaction-controls.md
- docs/architecture/auditor-export-redaction-contracts.md
- specs/events/compliance.export.requested.v1.schema.json
- specs/events/compliance.export.completed.v1.schema.json
- specs/openapi.yaml
- specs/asyncapi.yaml