feat(scripts): add emit-data-map compliance script + tests

Adds scripts/compliance/emit-data-map.mjs which walks Payload collection configs (packages/*/integrations/cms/collections/*.ts), applies PAYLOAD_AUTH_PII_DEFAULTS + custom.authPii overrides, and emits a deterministic YAML PII inventory at compliance/data-map.yml. Supports --print (stdout) and --check (diff vs committed, exit 1 on mismatch) modes. Ships with 26 unit tests covering happy path, auth defaults, authPii overrides, --check match/mismatch, and empty collections. Wired as `compliance:data-map` root package script. Adds @typescript-eslint/parser to root devDependencies (already in workspace via core-eslint, now made explicit for scripts/ usage). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 19:44:55 +00:00
parent 3a73634d71
commit cc2bf44fd2
5 changed files with 817 additions and 14 deletions
--- a/compliance/data-map.yml
+++ b/compliance/data-map.yml
@@ -0,0 +1,35 @@
+# compliance/data-map.yml — PII field inventory
+# Generated by scripts/compliance/emit-data-map.mjs — do not edit manually.
+# Run `pnpm compliance:data-map` to regenerate.
+collections:
+  articles:
+    auth: false
+    piiFields: []
+    slug: articles
+  media:
+    auth: false
+    piiFields: []
+    slug: media
+  pages:
+    auth: false
+    piiFields: []
+    slug: pages
+  users:
+    auth: true
+    piiFields:
+      - category: identification-username
+        exportable: true
+        field: displayName
+        purpose:
+          - service-delivery
+        restrictable: true
+        source: field-tag
+      - category: contact-email
+        exportable: true
+        field: email
+        purpose:
+          - account-authentication
+          - transactional-notifications
+        restrictable: true
+        source: auth-default
+    slug: users