Skip to content

Add a PII retention schedule endpoint GET /api/privacy/retention returning RETENTION_SCHEDULE from src/pii/policy.ts #568

Description

@Jagadeeshftw

📌 Description

src/pii/policy.ts defines a complete RETENTION_SCHEDULE array but the only public-facing privacy endpoint is GET /api/privacy (in src/routes/privacy.ts). There is no dedicated route for the machine-readable retention schedule, making it hard for data-controller integrations and privacy audits to programmatically retrieve retention windows without parsing the full privacy document. A new endpoint GET /api/privacy/retention should return the RETENTION_SCHEDULE wrapped in the standard success envelope from src/utils/response.ts.

💡 Why it matters: A machine-readable retention endpoint enables automated compliance tooling and GDPR data-controller integrations to query retention policies without screen-scraping.

🧩 Requirements and context

  • Add route GET /api/privacy/retention to src/routes/privacy.ts
  • Return successResponse(res, RETENTION_SCHEDULE) with a 200 status
  • Document the endpoint in src/openapi/spec.ts with a typed response schema
  • Add the route to the OpenAPI schema alongside existing privacy paths
  • Update tests/routes/privacy.test.ts to cover the new endpoint

Non-functional requirements

  • Must be secure, tested, and documented.
  • Should be efficient and easy to review.

🛠️ Suggested execution

1. Fork the repo and create a branch

git checkout -b feat/privacy-retention-endpoint

2. Implement changes

  • Write/modify the relevant source: src/routes/privacy.ts, src/openapi/spec.ts
  • Write comprehensive tests: tests/routes/privacy.test.ts
  • Add documentation: OpenAPI schema for RetentionRule array response
  • Include TSDoc on the new route handler
  • Validate security assumptions: the endpoint must not reveal internal storage layer details that could aid reconnaissance

3. Test and commit

  • Run tests:
npm test -- --testPathPattern=privacy
  • Cover edge cases: no auth required, response body matches RETENTION_SCHEDULE exactly, Content-Type: application/json
  • Include test output and security notes in the PR description.

Example commit message

feat(privacy): add GET /api/privacy/retention endpoint for machine-readable retention schedule

✅ Acceptance criteria

  • GET /api/privacy/retention returns 200 with RETENTION_SCHEDULE array in standard envelope
  • Route documented in src/openapi/spec.ts with a typed RetentionRule schema
  • Tests assert response shape matches policy module export exactly
  • Endpoint requires no authentication (public information)
  • CI passes with no type errors

🔒 Security notes

The storageLayer field in RETENTION_SCHEDULE must not expose hostnames or connection string fragments. Review the policy module to ensure no internal infrastructure details are included.

📋 Guidelines

  • Minimum 95% test coverage
  • Clear documentation
  • Timeframe: 96 hours

Metadata

Metadata

Assignees

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions