Package com.babelqueue.gdpr
x-gdpr-sensitive declaration.
babelqueue-registry only DECLARES and AUDITS which fields are personal data (and offers a
one-way mask for safe logging). This package ENFORCES it on the wire: a producer encrypts each
marked data leaf before publish (Gdpr.protect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)), a consumer
decrypts it after decode (Gdpr.unprotect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)). It is the Java mirror of
the Go gdpr reference, so every SDK round-trips byte-for-byte.
The pieces:
Cipher— the caller-provided encryption primitive (a seam onto KMS/Vault/HSM/tokenisation); keeping it an interface holds GR-7 (the core pulls no crypto dependency).AesGcmCipheris the JDK-only reference (AES-GCM viajavax.crypto, random 12-byte IV prepended, Base64).Gdpr—protect/unprotect: standalone, opt-in helpers that rewrite each marked leaf in place. The sensitive paths come from the same per-URN schema the validation path already loads (SensitivePaths).
The wire envelope stays frozen (GR-1): only values inside data change — a
sensitive leaf's value becomes a ciphertext string, data remains pure JSON (GR-3),
meta.schema_version stays 1 and trace_id is untouched (GR-4). Validate
cleartext BEFORE protect / AFTER unprotect. See
.ssot/architecture/adr/0030-gdpr-sensitive-field-governance.md.
-
ClassDescriptionA reference
Cipherbuilt ONLY on the JDK'sjavax.crypto(AES/GCM/NoPadding): AES-GCM authenticated encryption with a fresh random 12-byte IV per call, the IV prepended to the ciphertext, the whole thing Base64-encoded so it drops straight into a JSON string.The field-level protection primitive that the caller provides — a seam onto a KMS, a Vault transit engine, an HSM, a tokenisation service, or the referenceAesGcmCipherbelow.Raised byGdpr.unprotect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)when a protected field cannot be restored on the consume side — a wrong key, a tampered/garbled ciphertext, or a value that is not the stringGdpr.protect(java.util.Map<java.lang.String, java.lang.Object>, java.util.Map<java.lang.String, java.lang.Object>, com.babelqueue.gdpr.Cipher)produced.The RUNTIME half of ADR-0030: SDK-side field-level encryption of thedatafields a registry declaredx-gdpr-sensitive.Thrown byAesGcmCipher(byte[])when the key is not 16, 24, or 32 bytes (AES-128/192/256).Thrown byAesGcmCipher.decrypt(String)when the input is not valid Base64 or is too short to contain an IV — i.e.