fix(gdpr): lift paid-plan gate on Full Organization Reset (Article 17)

Pre-fix: the only self-serve right-to-erasure path in the dashboard was
the "Reset Everything" button under Settings → Danger Zone, and it was
gated behind `_require_active_paid_plan(user, db)` on the backend +
admin-feature check on the frontend.  Free-tier admins who wanted to
exercise their GDPR Article 17 right had no in-app path — they had to
file a GitHub issue and wait for operator intervention.  /legal/privacy
§6 explicitly promised the action was self-serve, so the gate was both
a compliance hazard and a contradiction of our own published policy.

Right-to-erasure is a legal obligation we cannot gate behind a paid
subscription.  Lifted the gate.

Done split, not blanket-lift: the sibling `/settings/danger/wipe-logs`
endpoint is operator-convenience (selective stream + MCP-activity log
purge while keeping nodes/cameras/settings intact) — that's not a
right-to-erasure operation and stays Pro / Pro Plus.

Changes:

  Backend
  - `app/api/cameras.py::full_reset` — removed the
    `_require_active_paid_plan(user, db)` call.  Docstring rewritten
    to explicitly call out the GDPR Article 17 framing + why the gate
    was wrong + what stays paid-only (wipe-logs).
  - `app/api/cameras.py::wipe_stream_logs` — docstring tightened to
    explain why this one IS still paid-only and to point at full-reset
    as the Free-tier erasure path.
  - `tests/test_cameras.py` — flipped the negative test:
    `test_full_reset_requires_paid_plan_in_db_not_just_jwt` (expected
    403 on free_org) replaced with `test_full_reset_works_on_free_plan`
    (expected 200 on free_org).  Companion `…_works_on_pro_plus_too`
    pins the happy path didn't regress.
  - `tests/test_gdpr.py::test_full_reset_clears_every_org_scoped_table`
    — dropped the `_require_active_paid_plan` monkeypatch; the helper
    no longer needs stubbing because it's no longer called.

  Frontend
  - `SettingsPage.jsx` — per-item gating instead of section-level:
    Full Organization Reset is always shown (with a paragraph
    explicitly identifying it as the GDPR Article 17 right-to-erasure
    action); Wipe All Logs is locked behind a 🔒 Pro / Pro Plus badge
    + Upgrade button for free-tier admins.
  - `index.css` — added `.danger-item-locked` + `.plan-locked-badge`
    rules for the per-item lock state.  Kept legacy `.danger-locked`
    class for back-compat.
  - `LegalPage.jsx` §6 — added explicit "Reset Everything is
    available on every plan, including Free" sentence so the privacy
    policy matches the now-actual behaviour.

  Docs
  - `docs/Plans.jsx` — split the "Danger-zone tools" row into two:
    Full reset = Yes/Yes/Yes (every plan), Selective log wipe =
    —/Yes/Yes (Pro+).
  - `docs/Dashboard.jsx` — Danger Zone bullet rewritten with the same
    split.
  - `AGENTS.md` — API Routes table for both endpoints now spells out
    the plan tier ("every plan" vs "Pro/Pro Plus") + the framing
    rationale.

Refreshed `backend/static/` from a clean build.  612 backend tests
pass; frontend build clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Sbussiso

AGENTS.md

@@ -338,8 +338,8 @@ Validation constants (also in `models.py`):
 - `GET /settings/motion-ingestion` — read motion-event ingestion toggle (admin)
 - `POST /settings/motion-ingestion` — toggle motion-event ingestion org-wide (admin, 30/min)
 - `GET /audit-logs` — audit logs (admin, 120/min)
-- `POST /settings/danger/wipe-logs` — permanently delete all stream + MCP + audit logs (admin + Pro/Pro Plus, 5/hour)
-- `POST /settings/danger/full-reset` — wipe all nodes/cameras/logs/settings for the org (admin + Pro/Pro Plus, 3/hour)
+- `POST /settings/danger/wipe-logs` — selectively delete stream + MCP activity logs while keeping the org running (admin + **Pro/Pro Plus**, 5/hour).  Operator-convenience feature, *not* a right-to-erasure obligation.
+- `POST /settings/danger/full-reset` — GDPR Article 17 right-to-erasure: wipe all nodes/cameras/recordings/snapshots/incidents/logs/settings for the org (admin, **every plan**, 3/hour).  Routes through the shared `app.core.gdpr.delete_org_data` helper so this end-state matches what `organization.deleted` Clerk webhook produces.
 
 **nodes.py** (prefix `/api/nodes`):
 - `POST /validate` — validate node_id + API key pair, used by CloudNode setup wizard (10/min)

backend/app/api/cameras.py

@@ -785,7 +785,18 @@ async def wipe_stream_logs(
     user: AuthUser = Depends(require_admin),
     db: Session = Depends(get_db),
 ):
-    """Permanently delete all stream access logs for this organization."""
+    """Permanently delete all stream access + MCP activity logs for
+    this organization.
+
+    Plan gate: Pro / Pro Plus.  This is operator-convenience —
+    selective audit-log hygiene that keeps the org otherwise running.
+    It is **not** the GDPR right-to-erasure endpoint (that's
+    ``/full-reset`` below, which is available on every plan); a Free
+    -tier customer who wants to purge their stream-access history
+    can always use Full Reset and re-add their cameras after.  The
+    paid gate here is the same JWT + DB double-check pattern used
+    on every Pro-only operation; see ``_require_active_paid_plan``.
+    """
     _require_active_paid_plan(user, db)
     from app.models import StreamAccessLog
 
@@ -817,7 +828,7 @@ async def full_reset(
     db: Session = Depends(get_db),
 ):
     """
-    Full organization reset.
+    Full organization reset — the GDPR Article 17 right-to-erasure path.
 
     Behaviour:
       1. Send each CloudNode a ``wipe_data`` command so the per-node
@@ -835,8 +846,18 @@ async def full_reset(
     events, notifications, incidents, email logs, monthly usage,
     etc.) silently persisted, which was both an Article 17 violation
     and a quiet way for stale data to leak across cancellations.
+
+    Plan gate: **none**.  Every plan (Free included) can self-serve
+    full erasure of their organization's data — this is the GDPR
+    Article 17 right-to-erasure path, which is a legal requirement
+    we cannot gate behind a paid plan.  The sibling ``wipe-logs``
+    endpoint *is* still paid-only because it's an operator-convenience
+    feature (selective audit-log hygiene that keeps the org running),
+    not a right-to-erasure obligation.  Admin-only via
+    ``require_admin``, typed-confirmation in the UI, audit-logged
+    before the cascade runs, and rate-limited to 3/hour so a
+    runaway script can't repeatedly nuke an org by accident.
     """
-    _require_active_paid_plan(user, db)
     from app.api.hls import cleanup_camera_cache
     from app.api.ws import manager
     from app.core.gdpr import delete_org_data

…ckend/static/assets/DocsPage-D8wIfef_.js …ckend/static/assets/DocsPage-DsI8I6A5.jsbackend/static/assets/DocsPage-D8wIfef_.js renamed to backend/static/assets/DocsPage-DsI8I6A5.js backend/static/assets/DocsPage-D8wIfef_.js renamed to backend/static/assets/DocsPage-DsI8I6A5.js

@@ -24,7 +24,7 @@
     <meta name="twitter:image:alt" content="A close-up of a USB security webcam with a green LED indicator, set against a dark background with green and purple dashboard bokeh." />
 
     <title>Sentinel by SourceBox — Private Security Camera System</title>
-    <script type="module" crossorigin src="/assets/index-DEzyi58d.js"></script>
+    <script type="module" crossorigin src="/assets/index-BpnzKESq.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/jsx-runtime-Bg_NI1en.js">
     <link rel="modulepreload" crossorigin href="/assets/preload-helper-D4M6sveU.js">
     <link rel="modulepreload" crossorigin href="/assets/dist-DoOXorMg.js">
@@ -33,7 +33,7 @@
     <link rel="modulepreload" crossorigin href="/assets/usePlanInfo-CHbYbInD.js">
     <link rel="modulepreload" crossorigin href="/assets/useSharedToken-6h071G3c.js">
     <link rel="modulepreload" crossorigin href="/assets/useToasts-By-oVKTA.js">
-    <link rel="stylesheet" crossorigin href="/assets/index-DWf8tzZp.css">
+    <link rel="stylesheet" crossorigin href="/assets/index-Chpn3Q6c.css">
   </head>
   <body>
     <div id="root"></div>

…kend/static/assets/LegalPage-Crmyp3a3.js …kend/static/assets/LegalPage-vtV2hTXu.jsbackend/static/assets/LegalPage-Crmyp3a3.js renamed to backend/static/assets/LegalPage-vtV2hTXu.js backend/static/assets/LegalPage-Crmyp3a3.js renamed to backend/static/assets/LegalPage-vtV2hTXu.js

@@ -440,20 +440,31 @@ def test_wipe_logs_succeeds_when_db_plan_is_paid(admin_client, monkeypatch):
     assert "deleted_logs" in body
 
 
-def test_full_reset_requires_paid_plan_in_db_not_just_jwt(
-    admin_client, monkeypatch
-):
-    """Same exploit window as wipe-logs but for full_reset, which is
-    the more destructive of the two — wipes nodes, cameras, settings,
-    audit log."""
+def test_full_reset_works_on_free_plan(admin_client, monkeypatch):
+    """Full reset is the GDPR Article 17 right-to-erasure path and is
+    NOT gated on plan tier — every plan (Free included) can self-serve
+    full erasure of their organization's data.
+
+    Pins the negative direction of the previous test (which required a
+    paid plan): downgrading to Free must NOT block the customer from
+    deleting their data.  The legal obligation outranks the SaaS plan
+    tier.  Sibling ``wipe-logs`` endpoint is still paid-only because
+    it's selective audit hygiene, not erasure — see
+    test_wipe_logs_requires_paid_plan_in_db_not_just_jwt above.
+    """
     _force_org_plan(monkeypatch, "free_org")
 
     resp = admin_client.post("/api/settings/danger/full-reset")
-    assert resp.status_code == 403
-    assert "paid" in resp.json()["detail"].lower()
+    assert resp.status_code == 200
+    body = resp.json()
+    assert body["success"] is True
+    assert "nodes_deleted" in body
 
 
-def test_full_reset_succeeds_when_db_plan_is_paid(admin_client, monkeypatch):
+def test_full_reset_works_on_pro_plus_too(admin_client, monkeypatch):
+    """Mirror of the free-plan test — same endpoint, paid plan, same
+    success shape.  Pins that lifting the gate didn't break the
+    happy-path-for-paid customer."""
     _force_org_plan(monkeypatch, "pro_plus")
 
     resp = admin_client.post("/api/settings/danger/full-reset")