Remediation backlog
| Title | Priority | Effort | Owner | Exact files to change |
|---|---|---|---|---|
| Enforce admin auth in code (Access JWT or ADMIN_TOKEN) for ingest + public admin routes | P0 | S | Eng | apps/pulse-ingest/src/index.ts, apps/pulse-public/src/index.ts, infra/ADMIN_UPLOAD.md |
| Remove PII from logs and AI prompts (pseudonymize senders, sanitize logs) | P0 | S | Eng | apps/pulse-ingest/src/lib/whatsapp/parser.ts, apps/pulse-ingest/src/lib/whatsapp/dedupe.ts, apps/pulse-ingest/src/lib/ai/guards.ts, apps/pulse-ingest/src/lib/ai/digest.ts, apps/pulse-public/src/index.ts |
| Restrict /pulse/daily.json to admin or return counts-only | P1 | S | Eng | apps/pulse-public/src/index.ts, docs/privacy.md |
| Add retention policy and cleanup job for D1/R2 with env-configured TTL | P1 | M | Eng/Ops | apps/pulse-ingest/src/index.ts, packages/db/schema.sql, infra/CLEANUP_GUIDE.md |
| DSAR endpoints (admin-only) to export/delete by sender hash or identifier + audit log | P1 | M | Eng | apps/pulse-ingest/src/index.ts (new routes), new helper module |
| Public privacy notice page and link from UI | P1 | S | Eng/Legal | apps/pulse-public/src/index.ts (route + template), proposal in IHNYC-Remote |
| Subprocessor list and DPA references | P2 | S | Legal/Ops | IHNYC-Remote (proposal only) |
| Incident response checklist | P2 | S | Ops | IHNYC-Remote (proposal only) |
| Rate limiting/WAF rules for admin endpoints | P2 | S | Ops | Cloudflare config + infra/ADMIN_UPLOAD.md |
Sources: beacon-platform/REMEDIATION_PLAN.md
Phased plan
- Phase 0 (P0): Admin auth guard + remove PII from logs/AI prompts.
- Phase 1 (P1): Retention enforcement + DSAR endpoints + restrict daily digests.
- Phase 2 (P2): Privacy notice, subprocessors list, incident response, WAF rules.
Sources: beacon-platform/REMEDIATION_PLAN.md
Definition of done (GDPR readiness)
- Admin endpoints require Access JWT or admin token at code level.
- PII removed from logs, and sender names in AI prompts are pseudonymized.
- /pulse/daily.json access restricted or returns counts-only.
- Retention policy enforced in R2 and D1 with configurable TTL.
- DSAR endpoints for export/delete by identifier exist and are audited.
- Public privacy notice includes controller contact, lawful basis, rights, retention, subprocessors, transfers.
- Subprocessor list and DPA references are maintained.
- Incident response checklist exists and references log access.
Sources: beacon-platform/REMEDIATION_PLAN.md
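Two of the criteria above interact: sender names must be pseudonymized before they reach logs or AI prompts, yet DSAR export/delete must still be able to find a subject's rows by identifier. The following added example (not code from beacon-platform) shows one way to satisfy both: a keyed HMAC over a normalized sender identifier, so the pseudonym cannot be reversed by hashing every plausible phone number, but can be recomputed from the identifier a data subject supplies. The `PSEUDONYM_KEY` secret, the message shape, the regexes and the sample messages are all constructed for the example.

```typescript
// Added example: pseudonymize senders, redact contact details from text,
// build log lines and an AI prompt without PII, and serve a DSAR lookup.
// Assumptions: a PSEUDONYM_KEY secret binding; message fields sender/text/ts.
import { createHmac } from "node:crypto";

export interface RawMessage { sender: string; text: string; ts: string }
export interface PseudonymizedMessage { senderHash: string; text: string; ts: string }

// Normalize formatting so "+1 (212) 555-0100" and "+1-212-555-0100" hash alike.
export function normalizeSender(sender: string): string {
  return sender.replace(/[\s\-().]/g, "").toLowerCase();
}

// HMAC-SHA-256 under a secret key, truncated to 128 bits (32 hex chars).
// A plain SHA-256 of a phone number is reversible by brute force; the key is
// what makes this a pseudonym rather than a thin disguise.
export function pseudonymizeSender(sender: string, key: string): string {
  return createHmac("sha256", key).update(normalizeSender(sender)).digest("hex").slice(0, 32);
}

// Deliberately broad patterns (constructed): better to over-redact a digest
// than to leak a number. Tune against real samples before relying on them.
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/g;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

export function redactText(text: string): string {
  return text.replace(EMAIL_RE, "[email]").replace(PHONE_RE, "[phone]");
}

export function pseudonymize(msg: RawMessage, key: string): PseudonymizedMessage {
  return { senderHash: pseudonymizeSender(msg.sender, key), text: redactText(msg.text), ts: msg.ts };
}

// Structured log line: pseudonym and length only, never the message body.
export function logLine(msg: PseudonymizedMessage, event: string): string {
  return JSON.stringify({ event, ts: msg.ts, sender: msg.senderHash, len: msg.text.length });
}

// Prompt body for the digest model: short stable handles instead of names.
export function buildDigestPrompt(msgs: PseudonymizedMessage[]): string {
  return msgs.map((m) => `sender_${m.senderHash.slice(0, 8)}: ${m.text}`).join("\n");
}

// DSAR: recompute the pseudonym from the identifier the subject provides and
// select their rows; the same selection drives export and deletion.
export function findBySubject(
  rows: PseudonymizedMessage[],
  identifier: string,
  key: string,
): PseudonymizedMessage[] {
  const h = pseudonymizeSender(identifier, key);
  return rows.filter((r) => r.senderHash === h);
}

// Constructed sample input for a stand-alone run.
export const SAMPLE_MESSAGES: RawMessage[] = [
  { sender: "+1 (212) 555-0100", text: "call me at +1 (212) 555-0100 or a.b@example.com", ts: "2024-05-01T09:00:00Z" },
  { sender: "+44 20 7946 0958", text: "lunch?", ts: "2024-05-01T09:05:00Z" },
  { sender: "+1-212-555-0100", text: "sure", ts: "2024-05-01T09:06:00Z" },
];
```

Two design points matter for the DoD list: the key must be a secret binding distinct from `ADMIN_TOKEN`, because rotating it silently breaks DSAR lookups for older rows (plan the rotation, or store a key version alongside each hash); and a data subject who never supplied a phone number in exactly the form that was ingested will still be found, because normalization runs on both sides.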