Package com.babelqueue.gdpr


package com.babelqueue.gdpr
Optional runtime GDPR field encryption (ADR-0030): the SDK-enforcement half of the registry's x-gdpr-sensitive declaration.

babelqueue-registry only DECLARES and AUDITS which fields are personal data (and offers a one-way mask for safe logging). This package ENFORCES it on the wire: a producer encrypts each marked data leaf before publish (Gdpr.protect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)), a consumer decrypts it after decode (Gdpr.unprotect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)). It is the Java mirror of the Go gdpr reference, so every SDK round-trips byte-for-byte.

The pieces:

  • Cipher — the caller-provided encryption primitive (a seam onto KMS/Vault/HSM/tokenisation); keeping it an interface holds GR-7 (the core pulls no crypto dependency). AesGcmCipher is the JDK-only reference (AES-GCM via javax.crypto, random 12-byte IV prepended, Base64).
  • Gdprprotect/unprotect: standalone, opt-in helpers that rewrite each marked leaf in place. The sensitive paths come from the same per-URN schema the validation path already loads (SensitivePaths).

The wire envelope stays frozen (GR-1): only values inside data change — a sensitive leaf's value becomes a ciphertext string, data remains pure JSON (GR-3), meta.schema_version stays 1 and trace_id is untouched (GR-4). Validate cleartext BEFORE protect / AFTER unprotect. See .ssot/architecture/adr/0030-gdpr-sensitive-field-governance.md.