fix(instanda): content-based dedupe, resubmit guards, PII retention

- F-01: derive the dedupe key from submission content (form id + mapped values)
  instead of a per-request token, so identical re-POSTs / retry-after-error
  collapse to the existing quote. Keeps the per-request lock; adds a content lock
  race guard and a 30-min recent_delivered_by_dedupe short-circuit.
- F-12: refuse resubmit of an already-delivered transaction (AJAX + worker).
- F-18: scope the resubmit self-recovery guard to the content dedupe key so a
  customer's different event is no longer skipped.
- F-05: anonymize PII on stale failed/pending rows via the cron; add delete_by_email
  and wire WP's Erase Personal Data eraser.
- F-13: exempt stranded delivered rows (no entry_id) from the retention purge.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 16:06:13 -06:00
co-authored by Claude Fable 5
parent 4d7abdbb3b
commit 2b1c226d46
5 changed files with 127 additions and 19 deletions
@@ -28,5 +28,12 @@ final class Cron_Cleanup {
if ($deleted > 0) {
Logger::debug("Retention purge removed {$deleted} delivered transaction(s) older than {$days} day(s).");
}
// Scrub PII from unresolved (failed/pending) rows past the window; they are never
// timer-deleted, so this bounds how long customer PII is retained on them.
$scrubbed = $store->anonymize_stale_unresolved($days);
if ($scrubbed > 0) {
Logger::debug("Retention scrub anonymized PII on {$scrubbed} unresolved transaction(s) older than {$days} day(s).");
}
}
}