
posture-schema

privacy specs/privacy/posture-schema.kmd


Privacy posture schema (koder.toml [privacy])

Status

Draft v0.1.0 — written 2026-05-22 alongside COMPL-001 Phase 1.

Scope

Defines the [privacy] block that every Koder Stack Sector that processes user data MUST declare in its koder.toml. The block is purely declarative — services/foundation/compliance aggregates these declarations into a registry without runtime impact.

Block schema

[privacy]
data_collected         = ["email", "name", "device_id", "ip"]
retention_days         = 2555     # 0 = no retention; -1 = retain forever
third_party_sharing    = false
data_residency         = "BR"     # ISO 3166-1 alpha-2; "any" for none
dsr_supported          = true     # all 4 DSR types (access, rectify, erase, portability) work end-to-end
privacy_policy_url     = "https://<sector>.koder.dev/privacy"
last_reviewed          = "2026-05-22"  # ISO 8601 date

Field reference (R-fields, normative)

  • R1 data_collected — array of strings, required, may be []. Each string identifies a category of personal data per LGPD §5/GDPR §4 (e.g. "email", "phone", "location", "biometric", "financial", "health"). Aggregator MAY validate against an allowlist of known categories — unknown categories are flagged as warnings.
  • R2 retention_days — integer ≥ -1, required. Semantics:
    • 0 — item is not retained server-side (transient processing only)
    • > 0 — items older than this many days are subject to deletion
    • -1 — retained indefinitely (must align with data_residency; legal-hold escape valve via ediscovery)
  • R3 third_party_sharing — boolean, required. If true, a follow-up [privacy.third_parties] table MUST list each partner (out of scope for v0.1.0; tracked in COMPL-002).
  • R4 data_residency — string, required. ISO 3166-1 alpha-2 country code, or "any" if Sector processes globally.
  • R5 dsr_supported — boolean, required. true means the Sector implements all 4 DSR types end-to-end (access, rectify, erase, portability) and is subscribed to services/foundation/compliance DSR fanout. false means manual DSR handling required.
  • R6 privacy_policy_url — string, required. URL of the published privacy policy section covering this Sector.
  • R7 last_reviewed — string, optional. ISO 8601 date of the last privacy review for the block. Aggregator warns if older than 12 months.

Aggregation contract

The koder-compliance-aggregator binary walks the monorepo, reads every koder.toml that declares a [privacy] block, validates the schema, and emits:

  • meta/docs/stack/registries/privacy-postures.md — human-readable table indexed by Sector
  • non-zero exit code if any block fails validation (R1-R7)
  • warning (non-zero exit only with --strict) if a Sector with [sector] domain="products"|"services" is missing the [privacy] block

Tests (T-suite — must pass in CI)

  • T1 Valid block passes
  • T2 Missing required field fails
  • T3 Unknown data_collected entry warns but doesn't fail
  • T4 retention_days < -1 fails
  • T5 data_residency not in ISO list fails
  • T6 Sector with user data and missing [privacy] block fails in --strict mode
  • T7 Aggregated registry matches golden fixture

References

  • services/foundation/compliance/docs/rfcs/RFC-001-architecture.kmd
  • meta/docs/stack/policies/multi-tenant-by-default.kmd
  • meta/docs/stack/policies/identity-data-retention.kmd
  • LGPD §5, §6, §18 / GDPR §4, §13, §15-22