📌 Description
src/pii/policy.ts defines a complete RETENTION_SCHEDULE array but the only public-facing privacy endpoint is GET /api/privacy (in src/routes/privacy.ts). There is no dedicated route for the machine-readable retention schedule, making it hard for data-controller integrations and privacy audits to programmatically retrieve retention windows without parsing the full privacy document. A new endpoint GET /api/privacy/retention should return the RETENTION_SCHEDULE wrapped in the standard success envelope from src/utils/response.ts.
💡 Why it matters: A machine-readable retention endpoint enables automated compliance tooling and GDPR data-controller integrations to query retention policies without screen-scraping.
🧩 Requirements and context
- Add route
GET /api/privacy/retention to src/routes/privacy.ts
- Return
successResponse(res, RETENTION_SCHEDULE) with a 200 status
- Document the endpoint in
src/openapi/spec.ts with a typed response schema
- Add the route to the OpenAPI schema alongside existing privacy paths
- Update
tests/routes/privacy.test.ts to cover the new endpoint
Non-functional requirements
- Must be secure, tested, and documented.
- Should be efficient and easy to review.
🛠️ Suggested execution
1. Fork the repo and create a branch
git checkout -b feat/privacy-retention-endpoint
2. Implement changes
- Write/modify the relevant source:
src/routes/privacy.ts, src/openapi/spec.ts
- Write comprehensive tests:
tests/routes/privacy.test.ts
- Add documentation: OpenAPI schema for
RetentionRule array response
- Include TSDoc on the new route handler
- Validate security assumptions: the endpoint must not reveal internal storage layer details that could aid reconnaissance
3. Test and commit
npm test -- --testPathPattern=privacy
- Cover edge cases: no auth required, response body matches
RETENTION_SCHEDULE exactly, Content-Type: application/json
- Include test output and security notes in the PR description.
Example commit message
feat(privacy): add GET /api/privacy/retention endpoint for machine-readable retention schedule
✅ Acceptance criteria
🔒 Security notes
The storageLayer field in RETENTION_SCHEDULE must not expose hostnames or connection string fragments. Review the policy module to ensure no internal infrastructure details are included.
📋 Guidelines
- Minimum 95% test coverage
- Clear documentation
- Timeframe: 96 hours
📌 Description
src/pii/policy.tsdefines a completeRETENTION_SCHEDULEarray but the only public-facing privacy endpoint isGET /api/privacy(insrc/routes/privacy.ts). There is no dedicated route for the machine-readable retention schedule, making it hard for data-controller integrations and privacy audits to programmatically retrieve retention windows without parsing the full privacy document. A new endpointGET /api/privacy/retentionshould return theRETENTION_SCHEDULEwrapped in the standard success envelope fromsrc/utils/response.ts.🧩 Requirements and context
GET /api/privacy/retentiontosrc/routes/privacy.tssuccessResponse(res, RETENTION_SCHEDULE)with a200statussrc/openapi/spec.tswith a typed response schematests/routes/privacy.test.tsto cover the new endpointNon-functional requirements
🛠️ Suggested execution
1. Fork the repo and create a branch
2. Implement changes
src/routes/privacy.ts,src/openapi/spec.tstests/routes/privacy.test.tsRetentionRulearray response3. Test and commit
npm test -- --testPathPattern=privacyRETENTION_SCHEDULEexactly,Content-Type: application/jsonExample commit message
✅ Acceptance criteria
GET /api/privacy/retentionreturns200withRETENTION_SCHEDULEarray in standard envelopesrc/openapi/spec.tswith a typedRetentionRuleschema🔒 Security notes
The
storageLayerfield inRETENTION_SCHEDULEmust not expose hostnames or connection string fragments. Review the policy module to ensure no internal infrastructure details are included.📋 Guidelines