qzl/eryao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(agent): session deletion anonymization for iOS compliance

Browse Source 
Replace soft-delete with anonymize + hard-delete to meet iOS App Store
data retention requirements. Non-PII fields are preserved in
anonymous_session_snapshots for analytics.

- Add anonymous_session_snapshots table and ORM model
- Implement anonymizer to extract non-PII fields before deletion
- Remove points_ledger.biz_id FK constraint (snapshot-style reference)
- Preserve transaction history while allowing session deletion
- Add 14 unit tests + 1 integration test
This commit is contained in:
qzl
2026-04-15 18:18:39 +08:00
parent a244eaa666
commit c2b726e7bd
10 changed files with 829 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/alembic/versions/20260415_0001_anonymous_session_snapshots.py
+111
View File
@@ -0,0 +1,111 @@
"""add anonymous_session_snapshots table for iOS compliance
Revision ID: 20260415_0001
Revises: 20260413_0004
Create Date: 2026-04-15 00:10:00
"""
from typing import Sequence, Union
from alembic import op
import sqlalchemy as sa
from sqlalchemy.dialects import postgresql
revision: str = "20260415_0001"
down_revision: Union[str, Sequence[str], None] = "20260413_0004"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
op.create_table(
"anonymous_session_snapshots",
sa.Column("id", sa.UUID(), nullable=False),
sa.Column("anonymous_id", sa.UUID(), nullable=False),
sa.Column("session_type", sa.String(length=20), nullable=False),
sa.Column("message_count", sa.Integer(), nullable=True),
sa.Column("status", sa.String(length=20), nullable=True),
sa.Column("question_type", sa.String(length=50), nullable=True),
sa.Column("tool_name", sa.String(length=100), nullable=True),
sa.Column("gua_name", sa.String(length=50), nullable=True),
sa.Column("gua_name_hant", sa.String(length=50), nullable=True),
sa.Column("target_gua_name", sa.String(length=50), nullable=True),
sa.Column("has_changing_yao", sa.Boolean(), nullable=True),
sa.Column("sign_level", sa.String(length=20), nullable=True),
sa.Column("keywords", postgresql.ARRAY(sa.Text()), nullable=True),
sa.Column("model_code", sa.String(length=50), nullable=True),
sa.Column("total_tokens", sa.Integer(), nullable=True),
sa.Column("total_cost", sa.Numeric(12, 6), nullable=True),
sa.Column("total_latency_ms", sa.Integer(), nullable=True),
sa.Column(
"created_at",
sa.DateTime(timezone=True),
nullable=False,
),
sa.Column("last_activity_at", sa.DateTime(timezone=True), nullable=True),
sa.Column(
"anonymized_at",
sa.DateTime(timezone=True),
server_default=sa.text("now()"),
nullable=False,
),
sa.PrimaryKeyConstraint("id"),
)
op.create_index(
"ix_anonymous_session_snapshots_anonymous_id",
"anonymous_session_snapshots",
["anonymous_id"],
unique=False,
)
op.create_index(
"ix_anonymous_session_snapshots_created_at",
"anonymous_session_snapshots",
["created_at"],
unique=False,
)
op.create_index(
"ix_anonymous_session_snapshots_question_type",
"anonymous_session_snapshots",
["question_type"],
unique=False,
)
_enable_service_role_only_rls("anonymous_session_snapshots")
def downgrade() -> None:
_drop_rls("anonymous_session_snapshots")
op.drop_index(
"ix_anonymous_session_snapshots_question_type",
table_name="anonymous_session_snapshots",
)
op.drop_index(
"ix_anonymous_session_snapshots_created_at",
table_name="anonymous_session_snapshots",
)
op.drop_index(
"ix_anonymous_session_snapshots_anonymous_id",
table_name="anonymous_session_snapshots",
)
op.drop_table("anonymous_session_snapshots")
def _enable_service_role_only_rls(table_name: str) -> None:
for role in ["anon", "authenticated"]:
for action in ["select", "insert", "update", "delete"]:
op.execute(
f"DROP POLICY IF EXISTS {role}_{action}_{table_name} ON {table_name}"
)
op.execute(f"ALTER TABLE {table_name} ENABLE ROW LEVEL SECURITY")
op.execute(
f"CREATE POLICY service_role_all_{table_name} ON {table_name} FOR ALL TO service_role USING (true) WITH CHECK (true)"
)
def _drop_rls(table_name: str) -> None:
for role in ["anon", "authenticated"]:
for action in ["select", "insert", "update", "delete"]:
op.execute(
f"DROP POLICY IF EXISTS {role}_{action}_{table_name} ON {table_name}"
)
op.execute(f"DROP POLICY IF EXISTS service_role_all_{table_name} ON {table_name}")
op.execute(f"ALTER TABLE {table_name} DISABLE ROW LEVEL SECURITY")
backend/alembic/versions/20260415_0002_drop_points_ledger_biz_id_fkey.py
+40
View File
@@ -0,0 +1,40 @@
"""drop points_ledger.biz_id foreign key for snapshot-style reference
Revision ID: 20260415_0002
Revises: 20260415_0001
Create Date: 2026-04-15 10:00:00
points_ledger.biz_id stores a snapshot reference to sessions.id for audit purposes.
This allows sessions to be deleted while preserving the biz_id value in points_ledger
for user-facing transaction history.
The FK constraint is removed because:
1. Users need to see their points transaction history even after session deletion
2. Session deletion (anonymization for iOS compliance) should not cascade delete
points_ledger records
3. biz_id becomes a "snapshot" reference - the value is kept but no FK enforcement
"""
from typing import Sequence, Union
from alembic import op
revision: str = "20260415_0002"
down_revision: Union[str, Sequence[str], None] = "20260415_0001"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
op.drop_constraint("points_ledger_biz_id_fkey", "points_ledger", type_="foreignkey")
def downgrade() -> None:
op.create_foreign_key(
"points_ledger_biz_id_fkey",
"points_ledger",
"sessions",
["biz_id"],
["id"],
ondelete="SET NULL",
)