Summary

Let an owner export everything in their vault as a portable, downloadable bundle. This is the data subject's right of access and right to data portability (GDPR Article 15 and Article 20); for a public-sector deployment it is effectively an obligation, not just a convenience.

What it produces

  • A ZIP bundle of all the owner's items: documents as their real files (typed and named from the vault, using the kind.ext naming and MIME type that the read contract already returns), and records as structured JSON.
  • A manifest (JSON index) listing each item: kind, label, filename, size, and timestamps, so the export is machine-readable and portable, not just a pile of files.
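
The bundle layout described above, written out as an added example (this is illustrative code, not the pdv module's own implementation). The item array shape (kind, label, filename, mime, created, changed, and either content for a document or record for a record) is an assumption about what the vault read contract hands back; the helper also keeps every entry under items/ and de-duplicates names so two items of the same kind cannot silently overwrite each other in the archive.

```php
<?php

declare(strict_types=1);

/**
 * Illustrative bundle builder: one ZIP with the owner's items plus a
 * manifest.json index. Added example, not the module's own code.
 */
final class VaultExportBundle {

  /**
   * Writes the ZIP to $zipPath and returns the manifest that was embedded.
   *
   * @param iterable<array<string, mixed>> $items
   *   Decrypted owner items: documents carry 'content', records carry 'record'
   *   (assumed shape, see lead-in).
   */
  public static function build(string $zipPath, iterable $items): array {
    $zip = new \ZipArchive();
    if ($zip->open($zipPath, \ZipArchive::CREATE | \ZipArchive::OVERWRITE) !== TRUE) {
      throw new \RuntimeException("Cannot create bundle at $zipPath");
    }
    $manifest = ['generated' => gmdate('c'), 'items' => []];
    $used = [];
    foreach ($items as $item) {
      if (array_key_exists('record', $item)) {
        // Records export as structured JSON, named from their kind.
        $data = json_encode($item['record'], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
        $name = $item['kind'] . '.json';
        $mime = 'application/json';
      }
      else {
        // Documents export as their real file under the vault's kind.ext name.
        $data = $item['content'];
        $name = $item['filename'];
        $mime = $item['mime'];
      }
      $entry = 'items/' . self::safeEntryName($name, $used);
      $zip->addFromString($entry, $data);
      $manifest['items'][] = [
        'kind' => $item['kind'],
        'label' => $item['label'],
        'filename' => $entry,
        'mime' => $mime,
        'size' => strlen($data),
        'created' => $item['created'],
        'changed' => $item['changed'],
      ];
    }
    $zip->addFromString('manifest.json', json_encode($manifest, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR));
    $zip->close();
    return $manifest;
  }

  /**
   * Keeps every entry inside items/ and unique: strips any directory part
   * from a stored filename and suffixes a counter when two items of the same
   * kind would otherwise collide.
   */
  private static function safeEntryName(string $name, array &$used): string {
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name === '.' || $name === '..') {
      $name = 'item.bin';
    }
    $dot = strrpos($name, '.');
    $stem = $dot === FALSE ? $name : substr($name, 0, $dot);
    $ext = $dot === FALSE ? '' : substr($name, $dot);
    $candidate = $name;
    for ($i = 2; isset($used[$candidate]); $i++) {
      $candidate = $stem . '-' . $i . $ext;
    }
    $used[$candidate] = TRUE;
    return $candidate;
  }

}

// Constructed sample items; the file contents are fake.
$items = [
  ['kind' => 'id-scan', 'label' => 'Identity card (front)', 'filename' => 'id-scan.pdf',
   'mime' => 'application/pdf', 'created' => '2024-01-05T10:00:00Z',
   'changed' => '2024-01-05T10:00:00Z', 'content' => '%PDF-1.4 fake front'],
  ['kind' => 'id-scan', 'label' => 'Identity card (back)', 'filename' => 'id-scan.pdf',
   'mime' => 'application/pdf', 'created' => '2024-01-05T10:01:00Z',
   'changed' => '2024-01-05T10:01:00Z', 'content' => '%PDF-1.4 fake back'],
  ['kind' => 'address', 'label' => 'Postal address', 'created' => '2024-02-01T09:00:00Z',
   'changed' => '2024-02-01T09:00:00Z',
   'record' => ['street' => '1 Example Street', 'city' => 'Exampleville']],
];

// Build in a private temporary file and delete it in finally, so no plaintext
// bundle is left at rest even if the listing below throws.
$path = tempnam(sys_get_temp_dir(), 'pdv-export-');
try {
  $manifest = VaultExportBundle::build($path, $items);
  // Lists items/id-scan.pdf, items/id-scan-2.pdf, items/address.json, manifest.json
  $zip = new \ZipArchive();
  $zip->open($path);
  for ($i = 0; $i < $zip->numFiles; $i++) {
    echo $zip->getNameIndex($i), PHP_EOL;
  }
  $zip->close();
}
finally {
  @unlink($path);
}
```

The manifest carries the archive path of each entry (not the original vault filename), so a consumer of the export can resolve every item without guessing at the de-duplication suffix.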

Access path

Export is the owner acting on their own vault, not a consumer read: it uses the owner's own access (owner equality), with no grant or trust involved. It is distinct from the ConsumerApi read path.

Security and safety

  • The bundle is plaintext (the owner's own data, decrypted), so it is sensitive: stream it over an authenticated, short-lived download and never leave the ZIP unencrypted on disk (build it in a temporary location and delete it in a finally block), the same discipline as never storing a vaulted file unencrypted.
  • Require a fresh confirmation or re-authentication: a bulk export of all of one's documents is a high-value action.
  • Record the export in the audit trail (a bulk decrypt-and-download is security-relevant) and rate-limit it (the equivalent of the ConsumerFloodGuard) to prevent abuse.

Large vaults

For a vault with many or large files, generate the bundle asynchronously (queue plus cron) and hand back a one-time, short-lived secure download link when it is ready, rather than building it inline in a request. The "your export is ready" message is then a consumer of the notification approach.

Multi-tenant

Export is per vault/tenant: the owner exports the vault they are in, not all tenants at once. Depends on the multi-tenant work in #3593589: Multi-tenant support: per-tenant Master KEK and pluggable tenant resolution.

Tests

  • An owner with several items of mixed kinds exports a ZIP containing the right files (typed and named) plus a manifest listing every item.
  • Records export as structured JSON; documents export as their files.
  • The export uses owner access only; it does not require any consumer grant.
  • The temporary bundle is removed after delivery (no unencrypted residue).
  • The export is recorded in the audit trail and is rate-limited.

Implementation notes (as built)

  • Scope: one bundle covers the owner's current-tenant vault.
  • Generation is synchronous: the ZIP is built to a private temporary file, streamed back, then deleted after sending, so no decrypted bundle is left at rest. Asynchronous generation is deferred until a single owner's vault is large enough to need it.
  • The action is gated by a confirmation form (the same high-value pattern as the vault purge), not a password re-authentication.
  • Rate-limited per owner through the existing flood guard (sharing the consent window), and recorded on a new pdv.export audit channel.
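
The synchronous flow in the notes above (confirm form, flood check, private temporary file, stream-then-delete, audit record), as an added example in the shape of a Drupal confirm form. This is illustrative code, not the module's own form: the pdv.vault service and its writeBundle() method, the flood event name with its threshold and window, the pdv.owner_vault route used for the cancel link, and the use of the system temp directory as the private location are all assumptions.

```php
<?php

declare(strict_types=1);

namespace Drupal\pdv\Form;

use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Logger\LoggerChannelFactoryInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;

/**
 * Confirm form that builds, streams and then deletes the owner's export.
 * Added example, not the pdv module's own code (see lead-in for assumptions).
 */
final class OwnerExportConfirmForm extends ConfirmFormBase {

  // Assumed limits: a few bulk exports per owner per hour.
  private const FLOOD_EVENT = 'pdv.owner_export';
  private const FLOOD_THRESHOLD = 3;
  private const FLOOD_WINDOW = 3600;

  public function __construct(
    // Hypothetical vault service exposing writeBundle(ownerId, path): int.
    private readonly object $vault,
    private readonly FloodInterface $flood,
    private readonly LoggerChannelFactoryInterface $loggerFactory,
    private readonly AccountInterface $currentUser,
  ) {}

  public static function create(ContainerInterface $container): static {
    return new static(
      $container->get('pdv.vault'),
      $container->get('flood'),
      $container->get('logger.factory'),
      $container->get('current_user'),
    );
  }

  public function getFormId(): string {
    return 'pdv_owner_export_confirm';
  }

  public function getQuestion() {
    return $this->t('Export everything in your vault?');
  }

  public function getDescription() {
    return $this->t('The download contains your data in decrypted form. Keep the file somewhere safe.');
  }

  public function getCancelUrl() {
    return Url::fromRoute('pdv.owner_vault');
  }

  public function validateForm(array &$form, FormStateInterface $form_state): void {
    // Rate limit per owner before any decryption happens.
    $owner = (string) $this->currentUser->id();
    if (!$this->flood->isAllowed(self::FLOOD_EVENT, self::FLOOD_THRESHOLD, self::FLOOD_WINDOW, $owner)) {
      $form_state->setErrorByName('', $this->t('Too many exports requested recently. Please try again later.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state): void {
    $owner = (string) $this->currentUser->id();
    $this->flood->register(self::FLOOD_EVENT, self::FLOOD_WINDOW, $owner);

    // Private temporary file: the system temp directory is outside the web
    // root, so the plaintext bundle is never reachable by URL.
    $path = tempnam(sys_get_temp_dir(), 'pdv-export-');
    if ($path === FALSE) {
      throw new \RuntimeException('Could not allocate a temporary file for the export.');
    }
    try {
      $count = $this->vault->writeBundle($owner, $path);
    }
    catch (\Throwable $e) {
      // Never leave a partial plaintext bundle behind on failure.
      @unlink($path);
      throw $e;
    }

    // Audit record on the export channel: who, and how many items.
    $this->loggerFactory->get('pdv.export')
      ->notice('Owner @uid exported @count vault items.', ['@uid' => $owner, '@count' => $count]);

    // Stream the file and unlink it as soon as the response has been sent.
    $response = new BinaryFileResponse($path);
    $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, 'vault-export.zip');
    $response->headers->set('Content-Type', 'application/zip');
    $response->headers->set('Cache-Control', 'no-store');
    $response->deleteFileAfterSend(TRUE);
    $form_state->setResponse($response);
  }

}
```

The flood check runs in validateForm() so a throttled owner sees a form error and nothing is decrypted; the attempt is registered in submitForm() before the bundle is built, so a request that fails mid-way still counts toward the limit. deleteFileAfterSend() removes the file only after the response body has gone out, which is what makes the "no decrypted bundle at rest" property hold for the synchronous path.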

Issue fork pdv-3593603


Comments

mably created an issue. See original summary.

Status: Active » Needs review

Issue summary: View changes

Issue summary: View changes

  • mably committed 2ec045da on 1.x
    feat: #3593603 Owner vault export (data portability)
    
    By: mably
    
Status: Needs review » Fixed
