
Module privacy


Privacy-mode migration (ADR-042).

Switches a project’s working .joy/ files between open (cleartext e-mail) and anonymous (opaque ids + encrypted members.yaml). The switch is one atomic, deliberate operation: it rekeys the member map, writes the verifier and the encrypted members file, and rewrites every item and log so no member e-mail remains in any working file. Switching back restores them.

Git commit history is deliberately out of scope: old commits keep their e-mails, which only a history rewrite could change. The guarantee here is about the working tree.

The migration requires the operator’s unlocked identity seed (auth) and the manage capability; both are enforced by the caller (joy project set).

Functions

email_for
The single source of a member’s e-mail (the concept’s email_for).
erase_member
GDPR Art. 17 erasure: remove a member’s e-mail and name from the encrypted members.yaml and re-encrypt, severing the id -> PII resolution. The opaque id, the email_match verifier and the whole audit trail in the versioned files are deliberately left intact (Art. 17(3): the audit trail rests on a legitimate interest). After this, no Joy output can resolve that id to a person. Anonymous mode only; needs an operator seed with members.yaml access. Returns whether an entry was actually removed.
member_key_for_email
Resolve the member-map key for a git e-mail, honoring the privacy mode. In open mode the key is the e-mail itself; in anonymous mode it is the opaque id whose stored email_match verifies against the e-mail. Returns None when the e-mail is not a member.
switch_to_anonymous
Switch a project from open to anonymous.
switch_to_open
Switch a project from anonymous back to open.
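A minimal model of the two modes and the operations listed above, written as an added example rather than taken from Joy's own code: the member map, the open-to-anonymous switch, key resolution for a git e-mail, and Art. 17 erasure that keeps the id and verifier while dropping the PII. The verifier is a stand-in seed-keyed hash, and every type name, the seed, and the opaque-id scheme are assumptions not stated on the page.

```rust
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};

/// Working-tree privacy mode (ADR-042). All type and field names here are this example's own.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Mode { Open, Anonymous }

/// Member-map entry: `email_match` is the stored verifier (anonymous mode only);
/// `pii` models the decrypted members.yaml record (e-mail, name) that erasure removes.
#[derive(Clone, Debug)]
pub struct Member { pub email_match: u64, pub pii: Option<(String, String)> }

/// `members` is keyed by e-mail (open) or opaque id (anonymous); `seed` stands in for the operator's identity seed.
pub struct Project { pub mode: Mode, pub seed: u64, pub members: HashMap<String, Member> }

/// Stand-in verifier: a seed-keyed but NON-cryptographic hash constructed for this example;
/// the page does not specify the real email_match construction.
pub fn email_match(seed: u64, email: &str) -> u64 {
    let mut h = DefaultHasher::new();
    (seed, email).hash(&mut h);
    h.finish()
}

impl Project {
    /// Open -> anonymous: rekey every entry to an opaque id plus verifier, then flip the mode.
    pub fn switch_to_anonymous(&mut self) {
        assert_eq!(self.mode, Mode::Open, "already anonymous");
        let old = std::mem::take(&mut self.members);
        for (i, (email, m)) in old.into_iter().enumerate() {
            let id = format!("m{:04}", i); // constructed opaque id; the real scheme is not on the page
            self.members.insert(id, Member { email_match: email_match(self.seed, &email), pii: m.pii });
        }
        self.mode = Mode::Anonymous;
    }
    /// Key for a git e-mail: the e-mail itself in open mode, the verifier-matching id otherwise.
    pub fn member_key_for_email(&self, email: &str) -> Option<String> {
        match self.mode {
            Mode::Open => self.members.contains_key(email).then(|| email.to_string()),
            Mode::Anonymous => {
                let want = email_match(self.seed, email);
                self.members.iter().find(|(_, m)| m.email_match == want).map(|(id, _)| id.clone())
            }
        }
    }
    /// The single id -> e-mail resolution; None once the PII record has been erased.
    pub fn email_for(&self, key: &str) -> Option<&str> {
        self.members.get(key)?.pii.as_ref().map(|(e, _)| e.as_str())
    }
    /// Art. 17 erasure: drop the PII, keep id and verifier. Returns whether anything was removed.
    pub fn erase_member(&mut self, key: &str) -> bool {
        assert_eq!(self.mode, Mode::Anonymous, "erasure is anonymous-mode only");
        self.members.get_mut(key).map_or(false, |m| m.pii.take().is_some())
    }
}
```

After erasure the id still resolves from the e-mail (the verifier is intact), but the reverse lookup returns None, which is exactly the severed id -> PII direction the erase_member description promises.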