February 11, 2026 · 0.1.20 · Jugg.ai

v0.1.20 — feat: enterprise compliance suite (audit, consent, deletion, legal, rate limiting)

Release v0.1.20: Enterprise Compliance Suite

Date: 2026-02-11

This release adds 1,110 lines of compliance infrastructure across 12 files.

What changed

  • Audit logging — New audit_logs table with JSONB metadata. Fire-and-forget writeAuditLog() utility. Clerk webhooks now log user.created, user.updated, and user.deleted events. Queryable via new audit tRPC router with filtering by resource type, action, and time range.
  • GDPR consent management — Append-only consent_records table tracking essential, analytics, and marketing consent. New consent tRPC router with getStatus, update, updateBulk, and history endpoints. Essential consent cannot be withdrawn.
  • Cascading data deletion — New data_deletion_requests table with 30-day grace period. executeUserDeletion() cascades deletes across all 15 tables. Clerk user.deleted webhook now triggers full cascade instead of just removing the user row.
  • Legal pages — New /privacy and /terms pages added as public routes. Footer updated with links to both.
  • Rate limiting — In-memory sliding-window rate limiter in Edge middleware. Tiered: API (100/min), tRPC mutations (30/min), webhooks (60/min), billing (10/hr), SSE (5/min). Returns 429 with Retry-After and X-RateLimit-* headers.

Why it matters

These are table-stakes requirements for enterprise customers evaluating SOC 2, GDPR, and ISO 27001 compliance. Users now get audit trails, consent tracking, right-to-erasure support, legal pages, and abuse protection out of the box.

Technical notes

  • Three new database tables: audit_logs, consent_records, data_deletion_requests
  • Three new tRPC routers registered in root: audit, consent, dataDeletion
  • Rate limiter uses separately typed RateLimitConfig variables to avoid TypeScript literal type inference issues with as const records
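An in-memory sliding-window limiter of the kind described under "What changed", with each tier declared as a separately typed RateLimitConfig variable as in the note above. This is an added example, not code from the release: check(), the key format and the Limit/Remaining/Reset header suffixes are assumptions, while the tier limits are the ones listed in these notes.

```typescript
// Added example (not the project's code). check(), the key format and the exact
// X-RateLimit-* suffixes are assumptions; the tier limits come from the notes.
type RateLimitConfig = { limit: number; windowMs: number };

// One typed variable per tier, so `limit` is a plain number rather than the
// literal types an `as const` record would infer.
const API: RateLimitConfig = { limit: 100, windowMs: 60_000 };
const TRPC_MUTATION: RateLimitConfig = { limit: 30, windowMs: 60_000 };
const WEBHOOK: RateLimitConfig = { limit: 60, windowMs: 60_000 };
const BILLING: RateLimitConfig = { limit: 10, windowMs: 3_600_000 };
const SSE: RateLimitConfig = { limit: 5, windowMs: 60_000 };

type Decision = { status: 200 | 429; headers: Record<string, string> };

// key (e.g. "sse:<client id>") -> timestamps in ms of accepted requests
const hits = new Map<string, number[]>();

function check(key: string, cfg: RateLimitConfig, now: number): Decision {
  // Sliding window: only hits newer than (now - windowMs) still count.
  const recent = (hits.get(key) ?? []).filter((t) => t > now - cfg.windowMs);
  const allowed = recent.length < cfg.limit;
  if (allowed) recent.push(now); // rejected requests are not recorded
  if (recent.length > 0) hits.set(key, recent);
  else hits.delete(key); // drop idle keys so the map does not grow unbounded

  // The next slot frees when the oldest counted hit leaves the window.
  const oldest = recent[0];
  const resetMs = oldest === undefined ? now : oldest + cfg.windowMs;
  const headers: Record<string, string> = {
    "X-RateLimit-Limit": String(cfg.limit),
    "X-RateLimit-Remaining": String(cfg.limit - recent.length),
    "X-RateLimit-Reset": String(Math.ceil(resetMs / 1000)),
  };
  if (!allowed) {
    const waitSec = Math.ceil((resetMs - now) / 1000);
    headers["Retry-After"] = String(Math.max(1, waitSec));
  }
  return { status: allowed ? 200 : 429, headers };
}
```

Because the counters live in process memory, each runtime instance enforces its own window; the configured limits hold per instance unless the counters move to a shared store.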

Release Notes

Successfully merged PR #59 and created release v0.1.20.

PR #59 — Enterprise Compliance Suite was squash-merged to main (SHA: f5d38290).

Release v0.1.20 published at: https://github.com/dwdavies/AnyApp/releases/tag/v0.1.20

What was released:

A comprehensive enterprise compliance suite with 1,110 lines of code across 12 files, implementing five critical features:

  1. Audit Logging (SOC 2 CC7.2/CC7.3) — New audit_logs table, fire-and-forget logging utility, tRPC router, and Clerk webhook integration
  2. GDPR Consent Management (Articles 6, 7, 8) — Append-only consent_records table with full tRPC router for consent tracking
  3. Cascading Data Deletion (GDPR Right to Erasure) — 30-day grace period deletion requests with cascading delete across all 15 database tables
  4. Privacy Policy & Terms of Service (GDPR Article 13) — New /privacy and /terms pages with footer links
  5. Rate Limiting (ISO 27001) — Edge-compatible sliding-window rate limiter with tiered limits and proper 429 responses