@nestarc/data-subject 0.1.0 → 0.2.0

package/dist/erase-runner.js

@@ -7,11 +7,23 @@ class EraseRunner {
     constructor(registry) {
         this.registry = registry;
     }
-    async run(subjectId, tenantId) {
+    async run(subjectId, tenantId, opts = {}) {
+        const entries = this.registry.list();
+        const preScan = [];
         const entities = [];
         const retained = [];
         const verificationResidual = [];
-        for (const entry of this.registry.list()) {
+        const postScan = [];
+        const actions = [];
+        for (const entry of entries) {
+            const rowsBefore = await entry.executor.select(subjectId, tenantId);
+            preScan.push({
+                entityName: entry.policy.entityName,
+                count: rowsBefore.length,
+            });
+        }
+        await opts.afterPreScan?.(preScan);
+        for (const entry of entries) {
             const outcome = classify(entry.policy);
             let affected = 0;
             if (outcome.rowStrategy === 'delete') {
@@ -28,11 +40,24 @@ class EraseRunner {
                 affected = rows.length;
             }
             const rowsAfter = await entry.executor.select(subjectId, tenantId);
+            postScan.push({
+                entityName: entry.policy.entityName,
+                count: rowsAfter.length,
+            });
+            const retainedFields = [];
             for (const item of outcome.retained) {
-                retained.push({
+                const retainedItem = {
                     entityName: entry.policy.entityName,
                     field: item.field,
                     legalBasis: item.legalBasis,
+                    ...(item.until ? { until: item.until } : {}),
+                    count: rowsAfter.length,
+                };
+                retained.push(retainedItem);
+                retainedFields.push({
+                    field: item.field,
+                    legalBasis: item.legalBasis,
+                    ...(item.until ? { until: item.until } : {}),
                     count: rowsAfter.length,
                 });
             }
@@ -44,6 +69,22 @@ class EraseRunner {
                     count: rowsAfter.length,
                 });
             }
+            const action = {
+                entityName: entry.policy.entityName,
+                affected,
+                strategy: outcome.summaryStrategy,
+                rowLevel: entry.policy.rowLevel,
+            };
+            if (outcome.deleteFields.length > 0) {
+                action.deleteFields = [...outcome.deleteFields];
+            }
+            if (outcome.anonymizedFields.length > 0) {
+                action.anonymizedFields = [...outcome.anonymizedFields];
+            }
+            if (retainedFields.length > 0) {
+                action.retainedFields = retainedFields;
+            }
+            actions.push(action);
             entities.push({
                 entityName: entry.policy.entityName,
                 affected,
@@ -55,13 +96,23 @@ class EraseRunner {
                 .map((entry) => `${entry.entityName}(${entry.count})`)
                 .join(', ')}`);
         }
-        return { stats: { entities, retained, verificationResidual } };
+        return {
+            stats: {
+                entities,
+                retained,
+                verificationResidual,
+                preScan,
+                postScan,
+            },
+            actions,
+        };
     }
 }
 exports.EraseRunner = EraseRunner;
 function classify(policy) {
     const updateMap = {};
     const deleteFields = [];
+    const anonymizedFields = [];
     const retained = [];
     const strategies = new Set();
     for (const [field, entry] of Object.entries(policy.fields)) {
@@ -69,6 +120,7 @@ function classify(policy) {
         strategies.add(normalized.strategy);
         if (normalized.strategy === 'anonymize') {
             updateMap[field] = normalized.replacement;
+            anonymizedFields.push(field);
         }
         if (normalized.strategy === 'delete') {
             deleteFields.push(field);
@@ -78,12 +130,20 @@ function classify(policy) {
             retained.push({
                 field,
                 legalBasis: normalized.legalBasis,
+                ...(normalized.until ? { until: normalized.until } : {}),
             });
         }
     }
     const rowStrategy = chooseRowStrategy(strategies);
     const summaryStrategy = strategies.size > 1 ? 'mixed' : rowStrategy;
-    return { rowStrategy, summaryStrategy, deleteFields, updateMap, retained };
+    return {
+        rowStrategy,
+        summaryStrategy,
+        deleteFields,
+        updateMap,
+        anonymizedFields,
+        retained,
+    };
 }
 function chooseRowStrategy(strategies) {
     if (strategies.size === 1 && strategies.has('delete')) {
@@ -108,6 +168,7 @@ function normalize(entry) {
         return {
             strategy: 'retain',
             legalBasis: entry.legalBasis,
+            ...(entry.until ? { until: entry.until } : {}),
         };
     }
     return { strategy: 'delete' };

package/dist/erasure-evidence.d.ts

@@ -0,0 +1,9 @@
+import type { ErasureEvidenceAction, ErasureEvidenceArtifact, RequestStats } from './types';
+export interface BuildErasureEvidenceInput {
+    requestId: string;
+    tenantId: string;
+    generatedAt: Date;
+    stats: RequestStats;
+    actions: ErasureEvidenceAction[];
+}
+export declare function buildErasureEvidenceArtifact(input: BuildErasureEvidenceInput): ErasureEvidenceArtifact;

package/dist/erasure-evidence.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildErasureEvidenceArtifact = buildErasureEvidenceArtifact;
+function buildErasureEvidenceArtifact(input) {
+    return {
+        schemaVersion: 'data-subject.erasure-evidence.v1',
+        requestId: input.requestId,
+        tenantId: input.tenantId,
+        requestType: 'erase',
+        generatedAt: input.generatedAt.toISOString(),
+        state: 'completed',
+        preScan: input.stats.preScan ?? [],
+        actions: input.actions,
+        postScan: input.stats.postScan ?? [],
+        verificationResidual: input.stats.verificationResidual ?? [],
+        artifactHashAlgorithm: 'sha256',
+    };
+}

package/dist/errors.d.ts

@@ -7,6 +7,9 @@ export declare const DataSubjectErrorCode: {
     readonly EntityAlreadyRegistered: "dsr_entity_already_registered";
     readonly RequestConflict: "dsr_request_conflict";
     readonly RequestNotFound: "dsr_request_not_found";
+    readonly ArtifactWriteFailed: "dsr_artifact_write_failed";
+    readonly InvalidStateTransition: "dsr_invalid_state_transition";
+    readonly EvidenceReportInvalid: "dsr_evidence_report_invalid";
 };
 export type DataSubjectErrorCode = (typeof DataSubjectErrorCode)[keyof typeof DataSubjectErrorCode];
 export declare class DataSubjectError extends Error {

package/dist/errors.js

@@ -10,6 +10,9 @@ exports.DataSubjectErrorCode = {
     EntityAlreadyRegistered: 'dsr_entity_already_registered',
     RequestConflict: 'dsr_request_conflict',
     RequestNotFound: 'dsr_request_not_found',
+    ArtifactWriteFailed: 'dsr_artifact_write_failed',
+    InvalidStateTransition: 'dsr_invalid_state_transition',
+    EvidenceReportInvalid: 'dsr_evidence_report_invalid',
 };
 const HTTP_STATUS = {
     dsr_subject_not_found: 404,
@@ -20,6 +23,9 @@ const HTTP_STATUS = {
     dsr_entity_already_registered: 500,
     dsr_request_conflict: 409,
     dsr_request_not_found: 404,
+    dsr_artifact_write_failed: 500,
+    dsr_invalid_state_transition: 500,
+    dsr_evidence_report_invalid: 500,
 };
 class DataSubjectError extends Error {
     code;

package/dist/export-runner.js

@@ -4,8 +4,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ExportRunner = void 0;
-const node_crypto_1 = require("node:crypto");
 const jszip_1 = __importDefault(require("jszip"));
+const artifacts_1 = require("./artifacts");
 class ExportRunner {
     registry;
     artifacts;
@@ -26,8 +26,8 @@ class ExportRunner {
             });
         }
         const body = await zip.generateAsync({ type: 'nodebuffer' });
-        const artifactHash = (0, node_crypto_1.createHash)('sha256').update(body).digest('hex');
-        const artifactUrl = await this.artifacts.put(`${requestId}.zip`, body, 'application/zip');
+        const artifactHash = (0, artifacts_1.sha256Hex)(body);
+        const artifactUrl = await this.artifacts.put((0, artifacts_1.exportArtifactKey)(tenantId, requestId), body, 'application/zip');
         return { artifactHash, artifactUrl, stats: { entities } };
     }
 }

package/dist/index.d.ts

@@ -12,7 +12,15 @@ export { DATA_SUBJECT_REGISTRY, DataSubjectModule, } from './data-subject.module
 export type { DataSubjectModuleOptions } from './data-subject.module';
 export type { RequestStorage } from './storage/request-storage.interface';
 export { InMemoryRequestStorage } from './storage/in-memory-request-storage';
+export { PrismaRequestStorage } from './storage/prisma-request-storage';
+export type { PrismaDataSubjectRequestDelegate, PrismaRequestStorageOptions, } from './storage/prisma-request-storage';
 export type { ArtifactStorage } from './storage/artifact-storage.interface';
 export { InMemoryArtifactStorage } from './storage/in-memory-artifact-storage';
 export { fromPrisma } from './prisma/from-prisma';
 export type { FromPrismaOptions, PrismaDelegate } from './prisma/from-prisma';
+export { exportArtifactKey, erasureEvidenceArtifactKey, sha256Hex, } from './artifacts';
+export { buildErasureEvidenceArtifact } from './erasure-evidence';
+export { validateRegistry } from './registry-validation';
+export type { RegistryValidationReport } from './registry-validation';
+export { formatLintReport, lintPrismaSchema, parsePrismaSchema, shouldFailLint, } from './lint';
+export type { DataSubjectLintCode, DataSubjectLintConfig, DataSubjectLintFinding, DataSubjectLintRegistryEntry, DataSubjectLintReport, DataSubjectLintSeverity, DataSubjectLintSuppression, } from './lint';

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fromPrisma = exports.InMemoryArtifactStorage = exports.InMemoryRequestStorage = exports.DataSubjectModule = exports.DATA_SUBJECT_REGISTRY = exports.DataSubjectService = exports.Registry = exports.compilePolicy = exports.validateLegalBasis = void 0;
+exports.shouldFailLint = exports.parsePrismaSchema = exports.lintPrismaSchema = exports.formatLintReport = exports.validateRegistry = exports.buildErasureEvidenceArtifact = exports.sha256Hex = exports.erasureEvidenceArtifactKey = exports.exportArtifactKey = exports.fromPrisma = exports.InMemoryArtifactStorage = exports.PrismaRequestStorage = exports.InMemoryRequestStorage = exports.DataSubjectModule = exports.DATA_SUBJECT_REGISTRY = exports.DataSubjectService = exports.Registry = exports.compilePolicy = exports.validateLegalBasis = void 0;
 __exportStar(require("./types"), exports);
 __exportStar(require("./errors"), exports);
 var legal_basis_1 = require("./legal-basis");
@@ -30,7 +30,22 @@ Object.defineProperty(exports, "DATA_SUBJECT_REGISTRY", { enumerable: true, get:
 Object.defineProperty(exports, "DataSubjectModule", { enumerable: true, get: function () { return data_subject_module_1.DataSubjectModule; } });
 var in_memory_request_storage_1 = require("./storage/in-memory-request-storage");
 Object.defineProperty(exports, "InMemoryRequestStorage", { enumerable: true, get: function () { return in_memory_request_storage_1.InMemoryRequestStorage; } });
+var prisma_request_storage_1 = require("./storage/prisma-request-storage");
+Object.defineProperty(exports, "PrismaRequestStorage", { enumerable: true, get: function () { return prisma_request_storage_1.PrismaRequestStorage; } });
 var in_memory_artifact_storage_1 = require("./storage/in-memory-artifact-storage");
 Object.defineProperty(exports, "InMemoryArtifactStorage", { enumerable: true, get: function () { return in_memory_artifact_storage_1.InMemoryArtifactStorage; } });
 var from_prisma_1 = require("./prisma/from-prisma");
 Object.defineProperty(exports, "fromPrisma", { enumerable: true, get: function () { return from_prisma_1.fromPrisma; } });
+var artifacts_1 = require("./artifacts");
+Object.defineProperty(exports, "exportArtifactKey", { enumerable: true, get: function () { return artifacts_1.exportArtifactKey; } });
+Object.defineProperty(exports, "erasureEvidenceArtifactKey", { enumerable: true, get: function () { return artifacts_1.erasureEvidenceArtifactKey; } });
+Object.defineProperty(exports, "sha256Hex", { enumerable: true, get: function () { return artifacts_1.sha256Hex; } });
+var erasure_evidence_1 = require("./erasure-evidence");
+Object.defineProperty(exports, "buildErasureEvidenceArtifact", { enumerable: true, get: function () { return erasure_evidence_1.buildErasureEvidenceArtifact; } });
+var registry_validation_1 = require("./registry-validation");
+Object.defineProperty(exports, "validateRegistry", { enumerable: true, get: function () { return registry_validation_1.validateRegistry; } });
+var lint_1 = require("./lint");
+Object.defineProperty(exports, "formatLintReport", { enumerable: true, get: function () { return lint_1.formatLintReport; } });
+Object.defineProperty(exports, "lintPrismaSchema", { enumerable: true, get: function () { return lint_1.lintPrismaSchema; } });
+Object.defineProperty(exports, "parsePrismaSchema", { enumerable: true, get: function () { return lint_1.parsePrismaSchema; } });
+Object.defineProperty(exports, "shouldFailLint", { enumerable: true, get: function () { return lint_1.shouldFailLint; } });

package/dist/lint/index.d.ts

@@ -0,0 +1,3 @@
+export * from './types';
+export { parsePrismaSchema } from './prisma-schema';
+export { formatLintReport, lintPrismaSchema, shouldFailLint, } from './lint';

package/dist/lint/index.js

@@ -0,0 +1,24 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shouldFailLint = exports.lintPrismaSchema = exports.formatLintReport = exports.parsePrismaSchema = void 0;
+__exportStar(require("./types"), exports);
+var prisma_schema_1 = require("./prisma-schema");
+Object.defineProperty(exports, "parsePrismaSchema", { enumerable: true, get: function () { return prisma_schema_1.parsePrismaSchema; } });
+var lint_1 = require("./lint");
+Object.defineProperty(exports, "formatLintReport", { enumerable: true, get: function () { return lint_1.formatLintReport; } });
+Object.defineProperty(exports, "lintPrismaSchema", { enumerable: true, get: function () { return lint_1.lintPrismaSchema; } });
+Object.defineProperty(exports, "shouldFailLint", { enumerable: true, get: function () { return lint_1.shouldFailLint; } });

package/dist/lint/lint.d.ts

@@ -0,0 +1,4 @@
+import type { DataSubjectLintConfig, DataSubjectLintReport, DataSubjectLintSeverity } from './types';
+export declare function lintPrismaSchema(schemaSource: string, config?: DataSubjectLintConfig): DataSubjectLintReport;
+export declare function formatLintReport(report: DataSubjectLintReport): string;
+export declare function shouldFailLint(report: DataSubjectLintReport, failOn: DataSubjectLintSeverity): boolean;

package/dist/lint/lint.js

@@ -0,0 +1,160 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.lintPrismaSchema = lintPrismaSchema;
+exports.formatLintReport = formatLintReport;
+exports.shouldFailLint = shouldFailLint;
+const policy_compiler_1 = require("../policy-compiler");
+const prisma_schema_1 = require("./prisma-schema");
+const DEFAULT_PII_FIELD_PATTERNS = [
+    'email',
+    'phone',
+    'name',
+    'address',
+    'ip',
+    'birth',
+    'birthday',
+    'national',
+    'ssn',
+    'avatar',
+];
+function lintPrismaSchema(schemaSource, config = {}) {
+    const models = (0, prisma_schema_1.parsePrismaSchema)(schemaSource);
+    const findings = [];
+    const registry = new Map((config.registry ?? []).map((entry) => [entry.entityName, entry]));
+    const suppressions = config.suppressions ?? [];
+    const requireTenantField = config.requireTenantField ?? true;
+    for (const suppression of suppressions) {
+        if (!suppression.reason.trim()) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_empty_suppression_reason',
+                model: suppression.model,
+                field: suppression.field,
+                message: `${formatModelField(suppression.model, suppression.field)} suppression requires a reason`,
+            });
+        }
+    }
+    for (const entry of registry.values()) {
+        const model = models.find((item) => item.name === entry.entityName);
+        try {
+            (0, policy_compiler_1.compilePolicy)({
+                entityName: entry.entityName,
+                subjectField: entry.subjectField,
+                rowLevel: entry.rowLevel,
+                fields: entry.fields,
+            });
+        }
+        catch (error) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_invalid_policy',
+                model: entry.entityName,
+                message: error instanceof Error
+                    ? error.message
+                    : `${entry.entityName} has an invalid data subject policy`,
+            });
+        }
+        if (!model) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_unregistered_model',
+                model: entry.entityName,
+                message: `${entry.entityName} is registered but is not present in the Prisma schema`,
+            });
+            continue;
+        }
+        if (!hasField(model, entry.subjectField)) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_subject_field_missing',
+                model: entry.entityName,
+                field: entry.subjectField,
+                message: `${entry.entityName}.${entry.subjectField} subjectField is missing from the Prisma schema`,
+            });
+        }
+        if (requireTenantField && !entry.tenantField) {
+            findings.push({
+                severity: 'warning',
+                code: 'dsr_lint_missing_tenant_field',
+                model: entry.entityName,
+                message: `${entry.entityName} has no tenantField in the data-subject lint config`,
+            });
+        }
+        for (const field of Object.keys(entry.fields)) {
+            if (!hasField(model, field)) {
+                findings.push({
+                    severity: 'error',
+                    code: 'dsr_lint_missing_policy_field',
+                    model: entry.entityName,
+                    field,
+                    message: `${entry.entityName}.${field} is in the data subject policy but not in the Prisma schema`,
+                });
+            }
+        }
+    }
+    const patterns = config.piiFieldPatterns ?? DEFAULT_PII_FIELD_PATTERNS;
+    for (const model of models) {
+        const candidates = model.fields.filter((field) => isPiiCandidate(field.name, patterns));
+        if (candidates.length === 0 || isSuppressed(suppressions, model.name)) {
+            continue;
+        }
+        const entry = registry.get(model.name);
+        if (!entry) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_unregistered_model',
+                model: model.name,
+                field: candidates[0]?.name,
+                message: `${model.name} has PII-like fields but is not registered or suppressed`,
+            });
+            continue;
+        }
+        for (const field of candidates) {
+            if (isSuppressed(suppressions, model.name, field.name)) {
+                continue;
+            }
+            if (!(field.name in entry.fields)) {
+                findings.push({
+                    severity: 'error',
+                    code: 'dsr_lint_missing_policy_field',
+                    model: model.name,
+                    field: field.name,
+                    message: `${model.name}.${field.name} looks like PII but is missing from the data subject policy`,
+                });
+            }
+        }
+    }
+    return {
+        ok: !findings.some((finding) => finding.severity === 'error'),
+        findings,
+    };
+}
+function formatLintReport(report) {
+    if (report.findings.length === 0) {
+        return 'data-subject lint: ok';
+    }
+    return report.findings
+        .map((finding) => `[${finding.severity}] ${finding.code} ${formatModelField(finding.model, finding.field)}: ${finding.message}`)
+        .join('\n');
+}
+function shouldFailLint(report, failOn) {
+    if (failOn === 'warning') {
+        return report.findings.length > 0;
+    }
+    return report.findings.some((finding) => finding.severity === 'error');
+}
+function hasField(model, fieldName) {
+    return model.fields.some((field) => field.name === fieldName);
+}
+function isPiiCandidate(fieldName, patterns) {
+    const normalized = fieldName.toLowerCase().replace(/[_-]/g, '');
+    return patterns.some((pattern) => normalized.includes(pattern.toLowerCase().replace(/[_-]/g, '')));
+}
+function isSuppressed(suppressions, model, field) {
+    return suppressions.some((suppression) => suppression.model === model &&
+        suppression.reason.trim().length > 0 &&
+        (field ? suppression.field === field || !suppression.field : true));
+}
+function formatModelField(model, field) {
+    return field ? `${model}.${field}` : model;
+}

package/dist/lint/prisma-schema.d.ts

@@ -0,0 +1,11 @@
+export interface PrismaSchemaField {
+    name: string;
+    type: string;
+    line: number;
+}
+export interface PrismaSchemaModel {
+    name: string;
+    fields: PrismaSchemaField[];
+    line: number;
+}
+export declare function parsePrismaSchema(source: string): PrismaSchemaModel[];

package/dist/lint/prisma-schema.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePrismaSchema = parsePrismaSchema;
+function parsePrismaSchema(source) {
+    const models = [];
+    const lines = source.split(/\r?\n/);
+    let current = null;
+    for (let index = 0; index < lines.length; index += 1) {
+        const lineNumber = index + 1;
+        const line = stripLineComment(lines[index]).trim();
+        if (!line) {
+            continue;
+        }
+        if (!current) {
+            const match = /^model\s+([A-Za-z_][A-Za-z0-9_]*)\s*\{/.exec(line);
+            if (match) {
+                current = { name: match[1], fields: [], line: lineNumber };
+            }
+            continue;
+        }
+        if (line.startsWith('}')) {
+            models.push(current);
+            current = null;
+            continue;
+        }
+        if (line.startsWith('@@') || line.startsWith('@')) {
+            continue;
+        }
+        const fieldMatch = /^([A-Za-z_][A-Za-z0-9_]*)\s+([^\s]+)/.exec(line);
+        if (fieldMatch) {
+            current.fields.push({
+                name: fieldMatch[1],
+                type: fieldMatch[2],
+                line: lineNumber,
+            });
+        }
+    }
+    return models;
+}
+function stripLineComment(line) {
+    const index = line.indexOf('//');
+    return index === -1 ? line : line.slice(0, index);
+}

package/dist/lint/types.d.ts

@@ -0,0 +1,32 @@
+import type { PolicyEntry } from '../types';
+export type DataSubjectLintSeverity = 'warning' | 'error';
+export type DataSubjectLintCode = 'dsr_lint_unregistered_model' | 'dsr_lint_missing_policy_field' | 'dsr_lint_missing_tenant_field' | 'dsr_lint_empty_suppression_reason' | 'dsr_lint_invalid_policy' | 'dsr_lint_subject_field_missing';
+export interface DataSubjectLintFinding {
+    severity: DataSubjectLintSeverity;
+    code: DataSubjectLintCode;
+    model: string;
+    field?: string;
+    message: string;
+}
+export interface DataSubjectLintRegistryEntry {
+    entityName: string;
+    subjectField: string;
+    tenantField?: string;
+    rowLevel?: 'delete-row' | 'delete-fields';
+    fields: Record<string, PolicyEntry>;
+}
+export interface DataSubjectLintSuppression {
+    model: string;
+    field?: string;
+    reason: string;
+}
+export interface DataSubjectLintConfig {
+    registry?: DataSubjectLintRegistryEntry[];
+    piiFieldPatterns?: string[];
+    suppressions?: DataSubjectLintSuppression[];
+    requireTenantField?: boolean;
+}
+export interface DataSubjectLintReport {
+    ok: boolean;
+    findings: DataSubjectLintFinding[];
+}

package/dist/lint/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/registry-validation.d.ts

@@ -0,0 +1,9 @@
+import type { Registry } from './registry';
+import type { DataSubjectLintFinding } from './lint/types';
+export interface RegistryValidationReport {
+    ok: boolean;
+    findings: DataSubjectLintFinding[];
+}
+export declare function validateRegistry(registry: Registry, opts?: {
+    requireTenantField?: boolean;
+}): RegistryValidationReport;

package/dist/registry-validation.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateRegistry = validateRegistry;
+function validateRegistry(registry, opts = {}) {
+    const findings = [];
+    for (const entry of registry.list()) {
+        const { policy } = entry;
+        if (!policy.subjectField.trim()) {
+            findings.push({
+                severity: 'error',
+                code: 'dsr_lint_subject_field_missing',
+                model: policy.entityName,
+                message: `${policy.entityName} has an empty subjectField`,
+            });
+        }
+        if (Object.keys(policy.fields).length === 0) {
+            findings.push({
+                severity: 'warning',
+                code: 'dsr_lint_missing_policy_field',
+                model: policy.entityName,
+                message: `${policy.entityName} has no data subject policy fields`,
+            });
+        }
+        if (opts.requireTenantField) {
+            findings.push({
+                severity: 'warning',
+                code: 'dsr_lint_missing_tenant_field',
+                model: policy.entityName,
+                message: `${policy.entityName} tenantField cannot be verified from runtime registry metadata`,
+            });
+        }
+    }
+    return {
+        ok: !findings.some((finding) => finding.severity === 'error'),
+        findings,
+    };
+}

package/dist/stable-json.d.ts

@@ -0,0 +1 @@
+export declare function stableStringify(value: unknown): string;

package/dist/stable-json.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stableStringify = stableStringify;
+function stableStringify(value) {
+    return JSON.stringify(sortJsonValue(value));
+}
+function sortJsonValue(value) {
+    if (value instanceof Date) {
+        return value.toISOString();
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => sortJsonValue(item));
+    }
+    if (!isPlainObject(value)) {
+        return value;
+    }
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+        const item = value[key];
+        if (item !== undefined) {
+            sorted[key] = sortJsonValue(item);
+        }
+    }
+    return sorted;
+}
+function isPlainObject(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        Object.getPrototypeOf(value) === Object.prototype);
+}