ADR 0012: Diagnostics Safety and Privacy Governance
Status
Accepted
Date
2026-06-08
Context
Diagnostics, support bundles, exports, and evidence files pose a high risk of leaking sensitive subscriber identifiers (SUPI, IMSI, MSISDN), secrets, cryptographic credentials, database internals, and local filesystem paths. The SDK required a structured, fail-closed diagnostics and privacy boundary to satisfy RFC 010.
Decision
Establish a clear, multi-crate boundary for diagnostics safety and privacy governance:
- Structured, Redacted Support Bundles:
  - Diagnostic data is collected as structured DiagnosticEntry variants.
  - Support bundles are redacted prior to serialization using redact_support_bundle.
  - The engine cleans sensitive subscriber identifiers, IPs, SPIFFE IDs, JWTs, paths, database errors, and secrets, producing a RedactionSummary.
  - Unknown or unsafe attachments fail closed in Production mode.
- Declarative Retention & Legal Holds:
  - The RetentionPolicy schema in opc-data-governance dictates retention duration, data class, and disposal action.
  - Policies validate duration boundaries and block deletion/disposal decisions when a legal-hold flag is active.
- Classification-Preserving Exports:
  - ExportedItem in opc-export encapsulates the payload and ExportMetadata.
  - Production validation rejects raw sensitive payloads unless they are encrypted.
- Analytics Minimization:
  - MinimizationPolicy in opc-privacy enforces k-anonymity cohort-size thresholds, binning, and subscriber-ID digest hashing.
  - Cohorts below the threshold and direct identifiers are rejected.
- Data-Governance Evidence Gating:
  - Release gates require DataGovernanceEvidenceReport validation.
  - The evaluator parses the report and scans it to ensure no absolute paths, credentials, or raw IPs are present.
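Added example, not the SDK's own code: a Rust sketch of the fail-closed support-bundle redaction flow from the first decision point. Every type, function and detection rule below is an assumption standing in for the real engine in crates/opc-redaction/src/support_bundle.rs, and the log lines in the usage are constructed.

```rust
// Added illustration, not the crate's own code: a fail-closed support-bundle redaction
// flow shaped like the one the ADR describes. Names are hypothetical (the real engine is
// crates/opc-redaction/src/support_bundle.rs); detectors are simple token heuristics.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode { Development, Production }
#[derive(Debug, Clone, PartialEq)]
pub enum DiagnosticEntry { LogLine(String), Attachment { name: String, known_safe: bool } }
#[derive(Debug, Default, PartialEq)]
pub struct RedactionSummary { pub imsi: usize, pub msisdn: usize, pub jwt: usize, pub ipv4: usize, pub path: usize }

fn is_ipv4(t: &str) -> bool {
    let p: Vec<&str> = t.split('.').collect();
    p.len() == 4 && p.iter().all(|x| !x.is_empty() && x.len() <= 3 && x.parse::<u8>().is_ok())
}

/// Classify one value; on a hit, bump the matching counter and return the placeholder.
fn classify(v: &str, s: &mut RedactionSummary) -> Option<&'static str> {
    let all_digits = |t: &str| !t.is_empty() && t.chars().all(|c| c.is_ascii_digit());
    if v.len() == 15 && all_digits(v) { s.imsi += 1; return Some("<IMSI>"); } // E.212 IMSI: 15 digits
    if v.starts_with('+') && v.len() >= 9 && all_digits(&v[1..]) { s.msisdn += 1; return Some("<MSISDN>"); }
    if v.starts_with("eyJ") && v.matches('.').count() == 2 { s.jwt += 1; return Some("<JWT>"); }
    if is_ipv4(v) { s.ipv4 += 1; return Some("<IPV4>"); }
    if v.starts_with('/') && v.len() > 1 { s.path += 1; return Some("<PATH>"); }
    None
}

/// Redact a single log line token by token, keeping any `key=` prefix intact.
fn redact_line(line: &str, s: &mut RedactionSummary) -> String {
    line.split(' ').map(|tok| {
        let (key, val) = match tok.split_once('=') { Some((k, v)) => (Some(k), v), None => (None, tok) };
        let out = classify(val, s).unwrap_or(val);
        match key { Some(k) => format!("{k}={out}"), None => out.to_string() }
    }).collect::<Vec<_>>().join(" ")
}

/// Redact a bundle before serialization. Production: an attachment that is not known-safe
/// fails the whole bundle closed. Development: it is dropped and redaction continues.
pub fn redact_support_bundle(entries: &[DiagnosticEntry], mode: Mode) -> Result<(Vec<String>, RedactionSummary), String> {
    let (mut out, mut summary) = (Vec::new(), RedactionSummary::default());
    for e in entries {
        match e {
            DiagnosticEntry::LogLine(l) => out.push(redact_line(l, &mut summary)),
            DiagnosticEntry::Attachment { name, known_safe: true } => out.push(format!("attachment:{name}")),
            DiagnosticEntry::Attachment { name, .. } if mode == Mode::Production =>
                return Err(format!("unknown attachment {name:?} rejected in Production mode")),
            DiagnosticEntry::Attachment { .. } => {} // Development: drop it, keep going
        }
    }
    Ok((out, summary))
}
```

The same unknown attachment that is silently dropped in Development mode rejects the whole bundle in Production mode, which is the fail-closed property the consequences section relies on.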
Consequences
- Diagnostic attachments and support bundles cannot silently leak raw sensitive identifiers or secrets in Production mode.
- Downstream CNFs can safely collect support bundles and perform analytics exports without violating privacy regulations.
- Data-governance compliance is automatically checked and enforced at release compile/gate time.
Evidence
- crates/opc-redaction/src/support_bundle.rs
- crates/opc-data-governance/src/retention.rs
- crates/opc-export/src/lib.rs
- crates/opc-privacy/src/lib.rs
- crates/opc-evidence/src/data_governance.rs
- crates/opc-sdk-integration/tests/privacy_governance.rs