CASE FILE EF-ROADMAP RE: WHAT SHIPS WHEN DEMAND SHOWS SCHEDULE: NONE

A roadmap, not a schedule.

effaced grows where real usage pulls it. Everything below is scoped and tracked in the open — shipped mechanisms first, then the next release, then explorations that earn a milestone only when someone actually needs them. Want something sooner? Say so on the issue tracker.

01

NOW

v0.1.0 · pre-alpha

The ruthlessly narrow first release: four mechanisms, one resolver, proven by a property-based and fault-injection suite.

SHIPPED

Declarative data map

Annotate the SQLAlchemy models you already have — PII categories, subject links, retention. The annotations are the manifest.

 SHIPPED ART. 15

Export

One structured bundle of everything a subject touches — local tables and resolvers. Failures are recorded, never silently dropped.

 SHIPPED ART. 17

Erasure saga

FK-safe delete or anonymize, retained records skipped with the reason recorded, external deletions enqueued durably in the same transaction.

 SHIPPED ART. 7

Consent ledger

Versioned, timestamped, append-only consent records — withdrawing is exactly as easy as granting.

 SHIPPED ART. 5(2)

Append-only audit trail

Every export, erasure, and consent change leaves a PII-free record. No update or delete surface exists to misuse.

 SHIPPED

Stripe resolver

First first-party resolver — billing PII reached, erased idempotently, and conformance-tested.

 SHIPPED

Completeness linter

Flags columns that look like PII but were never annotated — your unavoidable responsibility, made visible and CI-gateable.

 IN PROGRESS #53

Saga operator surface

Read-only visibility into the outbox: what is pending, retrying, abandoned.

 IN PROGRESS #20

Release 0.1.0 to PyPI

First tagged pre-alpha through the automated release pipeline.
02

NEXT

v0.2.0 · demand-pulled

Seeded from the 0.1.0 retro. Items get pulled when real usage demands them — and dropped when nobody asks.

SHIPPED #45

S3 resolver

Erase and export subject-owned objects in S3 buckets.

 SHIPPED #56

Supabase Auth resolver

Reach the subject’s auth.users record via the Admin API — idempotent, conformance-tested.

 SHIPPED #57

Supabase Storage resolver

Subject-owned storage objects, sharing machinery with the S3 resolver.

 SHIPPED ART. 16

Rectification mechanism

Correct a subject’s data across the mapped schema, auditably.

 SHIPPED ART. 18

Restriction of processing

Mark a subject restricted and make that state queryable and auditable.

 SHIPPED #48

Retention-expiry sweep

Surface records whose declared retention window has lapsed — report-only and audited, per ADR 0012.

 SHIPPED #58

Settings-driven resolver registration

Build the resolver registry from configuration — registration stays explicit and auditable, just declarative.

 SHIPPED #90

Requeue of abandoned outbox entries

Operator API to safely re-run an abandoned external deletion, per ADR 0015.

 SHIPPED #107

Retention-only erasure

Systems with no per-subject delete (recordings, transcripts, vendor retention windows): schedule expiry, audit the horizon honestly, verify after it passes — per ADR 0022.

 SHIPPED

FastAPI integration layer

The data-subject endpoints as one router over an app-supplied auth dependency — the starter wiring compressed from fifty lines to five, per ADR 0020.

 IN PROGRESS #49

Versioned docs + custom domain

Docs that match the release you actually run; custom domain still ahead.
03

LATER

on the road to 1.0

v1.0.0 is a stability promise, not a feature list — the gate is a real DSAR-style export and erasure executed and audited end-to-end in a production system.

PLANNED #51

Production dogfood DSAR

A real subject exported and erased in a real product, with the audit trail to show for it. The 1.0 gate.

 SHIPPED #59

Backup-replay log

Backups resurrect erased subjects; replay the erasures committed since the backup point after a restore.

 PLANNED #60

Email-provider resolver

Resend or SendGrid — whichever real users ask for first. Contact and suppression data is PII.

 SHIPPED #61

Intercom resolver

Contact profile and conversation metadata, built on Intercom’s own deletion endpoint.

 IN PROGRESS #62

Second ORM adapter

The core is already storage-agnostic; a second adapter proves it. A Django adapter authors PII on Django models and runs the same engine, resolving the subject graph from foreign keys.

 PLANNED

1.0 stability promise

Manifest format and resolver protocol stable enough to support for a year, under widened SemVer.
04

EXPLORING

scope notes, not commitments

No dates, no order. These graduate to a milestone only when real usage asks for them.

EXPLORING #63

Framework-agnostic core

A language-neutral manifest + engine, so new languages become thin authoring layers over the same semantics instead of rewrites.

 EXPLORING #64

EU AI Act module

Event-logging (Art. 12) and AI-disclosure (Art. 50) mechanisms — the regulation’s transparency obligations apply from August 2026.

 EXPLORING #65

DSAR intake portal

The smallest hostable intake surface — request, verify, execute, evidence — without becoming a DSR platform.

 EXPLORING #66

Multi-app aggregation

One subject, several of your products: aggregate exports, fan out erasure.

EXPLORING

Hosted tamper-evident audit ledger

A possible commercial service on top of the audit trail — opaque identifiers and metadata only, never the rich PII. The library stays Apache-2.0, fully usable standalone.

NOT A SCHEDULE

Order here is demand-pulled and no dates are promised — an item moves up when real usage asks for it, and gets dropped when nobody does.

And shipping any of it never makes anyone compliant: effaced ships mechanisms, not determinations — whether your processing is lawful is a call only you and your counsel can make. See stability & widened SemVer.