intermittent commit
This commit is contained in:
@@ -117,6 +117,57 @@ Optional consumers:
|
|||||||
key epochs, recipient device references, and external capability tokens even
|
key epochs, recipient device references, and external capability tokens even
|
||||||
before full E2EE ships.
|
before full E2EE ships.
|
||||||
|
|
||||||
|
### Retention, Audit, And Privacy
|
||||||
|
|
||||||
|
Postbox retention is owned by the postbox module because postbox messages are
|
||||||
|
platform-native communication records, not mailbox folders and not ordinary file
|
||||||
|
shares. Retention policies may reference provenance from campaign, file, portal,
|
||||||
|
mail, or workflow modules, but those modules should pass stable ids and typed
|
||||||
|
evidence references through capabilities instead of giving postbox direct access
|
||||||
|
to their internals.
|
||||||
|
|
||||||
|
The postbox module should emit audit events for:
|
||||||
|
|
||||||
|
- postbox creation, archival, and destructive retirement
|
||||||
|
- binding creation, changes, expiry, and removal
|
||||||
|
- sensitive access checks when an actor gains or loses visibility
|
||||||
|
- message creation, read/download of sensitive content, attachment linking, and
|
||||||
|
delivery handoff
|
||||||
|
- retention holds, retention expiry, export, and destruction decisions
|
||||||
|
|
||||||
|
Privacy behavior must separate current access from historical evidence. Losing
|
||||||
|
a role removes future visibility, but it does not rewrite the fact that a person
|
||||||
|
previously accessed a message or that a message existed. Deletion and
|
||||||
|
destructive retention actions must preserve legally required audit/evidence
|
||||||
|
records while removing or redacting content according to the effective policy.
|
||||||
|
|
||||||
|
When E2EE is enabled later, retention and audit metadata must remain operable
|
||||||
|
without decrypting message content. UI copy should be honest: expiry,
|
||||||
|
withdrawal, or revocation can prevent future platform access, but it cannot
|
||||||
|
guarantee removal of plaintext already fetched, exported, printed, or delivered
|
||||||
|
outside the platform.
|
||||||
|
|
||||||
|
### Migration And Compatibility Ownership
|
||||||
|
|
||||||
|
Postbox-owned tables, DTOs, migrations, and capability names belong in
|
||||||
|
`govoplan-postbox`. Core may temporarily contain compatibility imports or
|
||||||
|
legacy migration references only when needed to keep existing installations
|
||||||
|
upgradable while code is being extracted.
|
||||||
|
|
||||||
|
Compatibility code must be narrow and documented:
|
||||||
|
|
||||||
|
- new postbox behavior is implemented in `govoplan-postbox`
|
||||||
|
- old import paths may re-export postbox DTOs or helpers during a transition,
|
||||||
|
but must not become active owners of postbox logic
|
||||||
|
- migrations that move tables to postbox ownership must preserve existing data
|
||||||
|
and have explicit downgrade/retirement notes
|
||||||
|
- optional integrations with campaign, files, portal, or mail remain capability
|
||||||
|
contracts, not direct imports
|
||||||
|
|
||||||
|
Once supported release migrations have crossed the compatibility window, legacy
|
||||||
|
core import aliases and old table ownership comments should be removed through
|
||||||
|
a normal cleanup issue.
|
||||||
|
|
||||||
## First Implementation Shape
|
## First Implementation Shape
|
||||||
|
|
||||||
The first implementation should define the backend manifest, permissions, DTOs, and migrations before building rich UI. A minimal API can then support directory lookup, access checks, message creation, message listing, and binding administration.
|
The first implementation should define the backend manifest, permissions, DTOs, and migrations before building rich UI. A minimal API can then support directory lookup, access checks, message creation, message listing, and binding administration.
|
||||||
|
|||||||
Reference in New Issue
Block a user