Utility Service (UTL)

Status: implemented (tenant offboarding request, export window freeze, export, purge, and archive flows).

Purpose

Provide a controlled offboarding path that protects data integrity while giving owners time to export.

  • Owners submit a request and schedule an export window (30–90 days out).
  • Operators approve and execute export/purge steps via direct Lambda calls.
  • Org access is frozen once the export window opens (reads and writes blocked).

System-of-record boundaries

  • UTL owns the offboarding request, status history, and export manifest pointers.
  • Domain data remains owned by each service; UTL exports are derived copies.

Core workflows

  • Request: primary owner submits offboarding request with reason and export window.
  • Cancel: owners can cancel until export begins.
  • Approve: operator approves and sets latest-start guardrail.
  • Export window: system sweep opens window and freezes org access.
  • Export: operator starts export; worker iterates services and writes manifests.
  • Purge: operator starts purge; worker removes org data per registry.
  • Archive: after 90 days, exports are archived; retained for 7 years unless deleted.
  • Restore: operator can restore archive for a limited window and mark completion.
  • Legal hold: operator can set/clear legal hold to block purge/archive deletion.
  • Export-only: any owner can request a non-disruptive export snapshot; no access freeze.

Data contracts

  • Request requires orgcode, session_guid, requested_export_at, and reason.
  • Export format is JSONL or Parquet (request preference; operator override at export start).
  • Export summary includes per-service counts, bytes, and cost summary totals for org-level attribution.
  • Export-only records include exported_at_utc and source_revision (when present) on every exported row.
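The core workflows and data contracts above describe a small state machine with guardrails: the export window must be 30–90 days out, owners can cancel only until export begins, opening the window freezes org access, an overdue export needs an explicit force_overdue override, and legal hold blocks purge. The following is an added illustration of those rules in Python, not UTL's own code; the status names, the latest_start_at field, the TransitionError type and the NOW reference time are assumptions, and the only field names taken from the page are orgcode, session_guid, requested_export_at, reason and force_overdue.

```python
"""Added example: offboarding request guardrails as a state machine."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Export window must be scheduled 30-90 days out from the request.
MIN_WINDOW_DAYS = 30
MAX_WINDOW_DAYS = 90

# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Statuses from which export has already begun; cancel is no longer allowed.
POST_EXPORT_STATUSES = ("exporting", "exported", "purging", "purged", "archived")


def days(n: int) -> timedelta:
    return timedelta(days=n)


class TransitionError(Exception):
    """Raised when a step is not permitted in the request's current status."""


@dataclass
class OffboardingRequest:
    orgcode: str
    session_guid: str
    requested_export_at: datetime
    reason: str
    status: str = "requested"            # assumed status vocabulary
    legal_hold: bool = False
    latest_start_at: Optional[datetime] = None   # assumed name for the guardrail
    history: List[str] = field(default_factory=list)

    def _set(self, status: str) -> None:
        # Status history is part of what UTL owns, so every transition is recorded.
        self.history.append(f"{self.status}->{status}")
        self.status = status


def submit_request(orgcode: str, session_guid: str, requested_export_at: datetime,
                   reason: str, now: datetime = NOW) -> OffboardingRequest:
    """Validate the request data contract and create a pending request."""
    for name, value in (("orgcode", orgcode), ("session_guid", session_guid), ("reason", reason)):
        if not value:
            raise ValueError(f"{name} is required")
    window = requested_export_at - now
    if not (days(MIN_WINDOW_DAYS) <= window <= days(MAX_WINDOW_DAYS)):
        raise ValueError("requested_export_at must be 30-90 days out")
    return OffboardingRequest(orgcode, session_guid, requested_export_at, reason)


def org_access_allowed(req: OffboardingRequest) -> bool:
    """Reads and writes are blocked once the export window has opened."""
    return req.status not in ("frozen",) + POST_EXPORT_STATUSES


def cancel(req: OffboardingRequest) -> None:
    """Owners may cancel only until export begins."""
    if req.status in POST_EXPORT_STATUSES:
        raise TransitionError("cannot cancel once export has begun")
    req._set("cancelled")


def approve(req: OffboardingRequest, latest_start_at: datetime) -> None:
    """Operator approval sets the latest-start guardrail."""
    if req.status != "requested":
        raise TransitionError("only a pending request can be approved")
    req.latest_start_at = latest_start_at
    req._set("approved")


def open_window(req: OffboardingRequest, now: datetime) -> bool:
    """System sweep: open the export window and freeze org access when due."""
    if req.status != "approved" or now < req.requested_export_at:
        return False
    req._set("frozen")
    return True


def start_export(req: OffboardingRequest, now: datetime, force_overdue: bool = False) -> None:
    """Operator starts export; past latest_start_at an explicit override is required."""
    if req.status != "frozen":
        raise TransitionError("export requires an open (frozen) window")
    if req.latest_start_at is not None and now > req.latest_start_at and not force_overdue:
        raise TransitionError("export is overdue; force_overdue override required")
    req._set("exporting")


def start_purge(req: OffboardingRequest) -> None:
    """Purge follows a completed export and is blocked while a legal hold is set."""
    if req.status != "exported":
        raise TransitionError("purge requires a completed export")
    if req.legal_hold:
        raise TransitionError("legal hold blocks purge")
    req._set("purging")
```

The point of routing every step through one transition table is that the freeze, the cancel cut-off and the legal-hold check cannot be skipped by calling a later step directly, which matters when operators drive the steps through individual Lambda invocations.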

Performance posture

  • Request/cancel are Tier D; status is Tier B; stat is Tier A.

Failure posture

  • Export/purge workers are checkpointed and re-invoked until completion.
  • Overdue exports are flagged and require an explicit force_overdue override.
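The failure posture above relies on the export worker being checkpointed so that a re-invocation resumes where the previous one stopped rather than starting over or double-counting. The following is an added illustration of that pattern in Python, not UTL's own worker: the service registry contents, the manifest shape (per-service row and byte counts, as the export summary calls for), the in-memory checkpoint store and the per-invocation batch budget are all constructed assumptions.

```python
"""Added example: checkpointed export worker that is re-invoked until complete."""
import json
from typing import Dict, List, Tuple

# Constructed registry: service name -> batches of records to export (JSONL).
SERVICE_REGISTRY: Dict[str, List[List[dict]]] = {
    "accounts": [[{"id": 1}, {"id": 2}], [{"id": 3}]],
    "billing": [[{"invoice": "A"}], [{"invoice": "B"}], [{"invoice": "C"}]],
    "audit": [],  # a service with nothing to export still gets a manifest entry
}


class CheckpointStore:
    """In-memory stand-in for a durable checkpoint table keyed by orgcode."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def load(self, orgcode: str) -> dict:
        return self._rows.get(orgcode, {"service_index": 0, "batch_index": 0, "manifest": {}})

    def save(self, orgcode: str, state: dict) -> None:
        self._rows[orgcode] = state


def export_batch(service: str, batch: List[dict], manifest: dict) -> None:
    """Serialise one batch as JSONL and fold its counts and bytes into the manifest."""
    lines = [json.dumps(row, sort_keys=True) for row in batch]
    entry = manifest.setdefault(service, {"rows": 0, "bytes": 0})
    entry["rows"] += len(lines)
    entry["bytes"] += sum(len(line.encode("utf-8")) + 1 for line in lines)  # +1 for newline


def run_export_invocation(orgcode: str, store: CheckpointStore,
                          budget_batches: int = 2) -> Tuple[bool, dict]:
    """One worker invocation: resume from the checkpoint, process up to the
    budget, checkpoint again, and report whether the export is complete."""
    state = store.load(orgcode)
    services = list(SERVICE_REGISTRY)
    processed = 0
    while state["service_index"] < len(services):
        svc = services[state["service_index"]]
        batches = SERVICE_REGISTRY[svc]
        if state["batch_index"] >= len(batches):
            # Service finished (or empty): record it and move to the next one.
            state["manifest"].setdefault(svc, {"rows": 0, "bytes": 0})
            state["service_index"] += 1
            state["batch_index"] = 0
            continue
        if processed >= budget_batches:
            # Out of budget: persist progress and ask to be re-invoked.
            store.save(orgcode, state)
            return False, state["manifest"]
        export_batch(svc, batches[state["batch_index"]], state["manifest"])
        state["batch_index"] += 1
        processed += 1
    store.save(orgcode, state)
    return True, state["manifest"]


def export_until_complete(orgcode: str, store: CheckpointStore,
                          max_invocations: int = 10) -> Tuple[int, dict]:
    """Driver that re-invokes the worker until it reports completion."""
    for attempt in range(1, max_invocations + 1):
        done, manifest = run_export_invocation(orgcode, store)
        if done:
            return attempt, manifest
    raise RuntimeError("export did not complete within max_invocations")
```

The checkpoint is written before the worker returns, and a batch is counted into the manifest only after it has been processed, so a crash between invocations costs at most the current batch rather than corrupting the per-service totals; calling the worker again after completion is a no-op that returns the same manifest.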