Appearance
Utility Service (UTL)
UTL — Utility Service
Contract-only documentation for tenant offboarding and export-only snapshots.
Status
- Implementation: implemented (offboarding request/approval, export window + freeze, export/purge/archive flows; export-only snapshots)
- OpenAPI:
/utl/openapi.yaml
Scope
- Org-scoped offboarding with a request stage followed by operator approval.
- Request stage: primary owner via API Gateway or direct Lambda; cancel allowed until export begins.
- Export-only: any owner can request a non-disruptive export; no freeze required.
- Export window: org access is frozen (reads and writes blocked) once the window opens.
- Export formats: JSONL or Parquet (request preference; operator can override at export start).
- Retention: export retained 90 days in standard storage, then archived for 7 years unless deleted by operator.
- Legal hold: operator flag blocks purge and archive deletion.
- Notifications (policy): lifecycle and legal-hold changes emit
utl.offboarding.*events; delivery is handled by the notification service and logged innotification_log. - Purge verification (policy): post-purge verification is required with a stored verification report (implemented via operator direct Lambda).
Clarifications (B16)
- Offboarding lifecycle: request → approved → export_window_open → exporting → exported → purge_pending → purged (plus archive/restore states).
- Export-only snapshot: generates a manifest + download links without freezing writes.
- Post-offboarding access: reads are blocked after freeze; only audit/manifest access remains (operator-only).