orion/.audit-rules/data_governance.yaml
Samir Boulahtit 92434c8971 feat: add audit validation rules and script
Import audit rules from scaffold project covering:
- Access control validation
- Audit trail requirements
- Change management policies
- Compliance checks
- Data governance rules
- Documentation requirements
- Third-party dependency checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 09:21:03 +01:00


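---
# Data Governance Rules
# =====================
# Ensures proper handling of PII, data classification, and retention.
# Critical for GDPR, CCPA, and data privacy compliance.
#
# Every rule has an `id`, a `name`, a `description`, a `severity`
# (critical / high / medium / low) and exactly one `check`.
# Check types used in this file:
#   pattern_required, pattern_recommended, pattern_forbidden — regex
#     alternations applied to the files selected by `paths`
#   file_exists — satisfied by a file matching one of the `paths` globs
#   documentation — no paths/patterns; evidence is documentary
# NOTE(review): whether a "required"/"forbidden" miss fails the audit or
# only warns, and whether multi-entry `paths` are any-of or all-of, is
# decided by the audit script, not here — confirm against the script.
rules:
  # ===================
  # PII IDENTIFICATION
  # ===================
  - id: DATA-PII-001
    name: "PII fields must be identified"
    description: "Personal Identifiable Information fields must be marked/documented"
    severity: high
    check:
      type: pattern_recommended
      paths:
        - "models/database/*.py"
      patterns:
        # Either a "# PII" comment or a pii/sensitive flag on the column.
        - "# PII|pii.*=.*True|sensitive.*=.*True"
      message: "Consider marking PII fields with comments or metadata"

  - id: DATA-PII-002
    name: "Email addresses are PII"
    description: "Email fields must be treated as PII"
    severity: medium
    check:
      type: documentation
      message: "Document email as PII in data classification"

  - id: DATA-PII-003
    name: "PII must not be logged"
    description: "Sensitive data must not appear in logs"
    severity: critical
    check:
      type: pattern_forbidden
      paths:
        - "app/**/*.py"
        - "middleware/**/*.py"
      patterns:
        # These are unanchored substring regexes: "log.*password" also
        # fires on identifiers such as login_password_hash. Treat hits as
        # candidates to review rather than narrowing the pattern.
        - "logger.*password|log.*password"
        - "logger.*credit.*card|log.*ssn"
        # "\\(" in a double-quoted scalar yields the regex literal "\(".
        - "print\\(.*password"
      message: "PII/sensitive data must not be logged"

  # ===================
  # DATA CLASSIFICATION
  # ===================
  - id: DATA-CLASS-001
    name: "Data classification scheme"
    description: "System must have documented data classification"
    severity: medium
    check:
      type: file_exists
      paths:
        - "docs/**/data-classification.md"
        - "docs/**/data-governance.md"
        # NOTE(review): any security*.md satisfies this check even if it
        # contains no classification scheme — broad by design or oversight?
        - "docs/**/security*.md"
      message: "Document data classification scheme"

  - id: DATA-CLASS-002
    name: "Sensitive data encryption at rest"
    description: "Highly sensitive data should be encrypted in database"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "models/database/*.py"
      patterns:
        - "encrypt|EncryptedType|Fernet"
      message: "Consider encryption for highly sensitive fields"

  - id: DATA-CLASS-003
    name: "Data masking in non-production"
    description: "PII should be masked in development/test environments"
    severity: medium
    check:
      type: documentation
      message: "Document data masking procedures for non-production"

  # ===================
  # DATA RETENTION
  # ===================
  - id: DATA-RET-001
    name: "Soft delete for audit trail"
    description: "Records should use soft delete to maintain audit trail"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "models/database/*.py"
      patterns:
        - "deleted_at|is_deleted|soft_delete"
      message: "Consider soft delete for audit trail preservation"

  - id: DATA-RET-002
    name: "Data retention policy"
    description: "System must have documented data retention policy"
    severity: high
    check:
      type: file_exists
      paths:
        # Only files whose name mentions retention count. The previous
        # "docs/**/data*.md" glob let docs/data-classification.md (the
        # DATA-CLASS-001 target) satisfy a high-severity retention check
        # with no retention policy present; "*retention*.md" instead
        # also accepts names like data-retention.md.
        - "docs/**/retention*.md"
        - "docs/**/*retention*.md"
      message: "Document data retention policy"

  - id: DATA-RET-003
    name: "Automated data cleanup"
    description: "Old data should be automatically purged per retention policy"
    severity: low
    check:
      type: pattern_recommended
      paths:
        - "app/tasks/*.py"
        - "scripts/*.py"
      patterns:
        - "cleanup|purge|archive|retention"
      message: "Consider automated data retention enforcement"

  # ===================
  # DATA PRIVACY RIGHTS
  # ===================
  - id: DATA-PRIV-001
    name: "Right to access (GDPR Art. 15)"
    description: "Users must be able to access their personal data"
    severity: high
    check:
      type: pattern_required
      paths:
        - "app/api/v1/users.py"
      patterns:
        - "/me|/current|get_current_user"
      message: "Endpoint for users to access their data required"

  - id: DATA-PRIV-002
    name: "Right to erasure (GDPR Art. 17)"
    description: "System must support user data deletion requests"
    severity: high
    check:
      # NOTE(review): description and message say "must"/"required" but
      # the check type is pattern_recommended; align the type or the
      # wording once the script's warn-vs-fail semantics are confirmed.
      type: pattern_recommended
      paths:
        - "app/api/v1/users.py"
        - "app/services/user_service.py"
      patterns:
        - "delete|remove|erase|anonymize"
      message: "Support for user data deletion required"

  - id: DATA-PRIV-003
    name: "Right to portability (GDPR Art. 20)"
    description: "Users should be able to export their data"
    severity: medium
    check:
      type: pattern_recommended
      paths:
        - "app/api/v1/*.py"
      patterns:
        - "export|download|portable"
      message: "Consider data export functionality for portability"

  # ===================
  # DATA INTEGRITY
  # ===================
  - id: DATA-INT-001
    name: "Input validation"
    description: "All input data must be validated"
    severity: high
    check:
      type: pattern_required
      paths:
        - "models/schema/*.py"
      patterns:
        - "Field|validator|field_validator"
      message: "Pydantic validation required for data integrity"

  - id: DATA-INT-002
    name: "Database constraints"
    description: "Database should enforce data integrity constraints"
    severity: medium
    check:
      type: pattern_required
      paths:
        - "models/database/*.py"
      patterns:
        - "nullable|unique|ForeignKey|CheckConstraint"
      message: "Database constraints should enforce data integrity"

  - id: DATA-INT-003
    name: "Referential integrity"
    description: "Foreign key relationships must be properly defined"
    severity: medium
    check:
      type: pattern_required
      paths:
        - "models/database/*.py"
      patterns:
        - "ForeignKey|relationship"
      message: "Define foreign key relationships for referential integrity"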