Removes PII from a receipt’s payload while preserving the cryptographic proof. The receipt’s signature, transparency log entry, and Merkle inclusion proof remain intact — only the payload_json is replaced with a redaction marker.
Use this for GDPR right-to-erasure requests on receipts containing personal data.
Redaction is permanent. The original payload cannot be restored. The cryptographic proof remains valid for audit purposes.
What changes after redaction
status → redactedpayload_json → {"redacted": true, "redacted_by": "tenant_request"}- A
RECEIPT_REDACT event is anchored in the transparency log
- All other fields (signature, log proof, receipt_type) are preserved
