Chia-Network
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/models/organizations/organizations.model.js‎
Lines changed: 57 additions & 8 deletions b/‎src/models/organizations/organizations.model.js‎
Lines changed: 57 additions & 8 deletions
diff --git a/‎src/models/v2/organizations-v2.model.js‎
Lines changed: 75 additions & 23 deletions b/‎src/models/v2/organizations-v2.model.js‎
Lines changed: 75 additions & 23 deletions
diff --git a/‎src/tasks/sync-default-organizations-v2.js‎
Lines changed: 8 additions & 2 deletions b/‎src/tasks/sync-default-organizations-v2.js‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎src/tasks/sync-default-organizations.js‎
Lines changed: 10 additions & 2 deletions b/‎src/tasks/sync-default-organizations.js‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎src/utils/defaultConfig.js‎
Lines changed: 2 additions & 1 deletion b/‎src/utils/defaultConfig.js‎
Lines changed: 2 additions & 1 deletion
@@ -277,7 +277,7 @@ In the `CHIA_ROOT` directory (usually `~/.chia/mainnet` on Linux), CADT will add
   * **DATALAYER_FILE_SERVER_URL**: Publicly available URL and port where Chia Datalayer [files are served](#datalayer-http-file-serving), including schema (http:// or https://). If serving DataLayer files from S3, this would be the public URL of the S3 bucket. Port can be omitted if using standard ports for http or https requests.
   * **AUTO_SUBSCRIBE_FILESTORE**: Subscribing to the filestore for any organization is optional. To automatically subscribe and sync the filestore to every organization you subscribe to, set this to `true`.
   * **AUTO_MIRROR_EXTERNAL_STORES**: When set to true (the default), CADT will automatically create mirrors for each store you are subscribed to. Mirroring all subscriptions using the `DATALAYER_FILE_SERVER_URL` will make the entire CADT network more resilient and distributed. Note: `DATALAYER_FILE_SERVER_URL` must also be set to a valid URL or IP address for mirrors to be created. Both settings are required for external store mirroring to function.
-  * **ONLY_CADT_SUBSCRIPTIONS**: When `true` (the default), CADT keeps DataLayer subscriptions aligned with the governance **orgList** in both directions. Organizations removed from the orgList are unsubscribed from DataLayer (`subscribed: false`); already-synced registry data on this node is **not** deleted. Organizations on the orgList that are not subscribed are subscribed (including orgs re-added after a prior removal, including orgs previously removed via the API delete flow). The home organization and governance body store are never auto-unsubscribed. Reconciliation runs only when a **non-empty** orgList is present locally (after a successful governance sync); an empty orgList is treated as “not ready” and does not trigger unsubscribes. Set to `false` to disable orglist-driven subscribe/unsubscribe reconciliation. While enabled, a manual unsubscribe of an org still listed on the orgList will be reverted on the next sync cycle.
+  * **ONLY_CADT_SUBSCRIPTIONS**: When `true` (the default), CADT keeps DataLayer subscriptions aligned with the governance **orgList** in both directions. Organizations removed from the orgList are unsubscribed from DataLayer **and completely removed from this node** — the organization record and **all** of its registry data (projects, units, and every related record it created) are deleted from the database. The deletion is unconditional: it does **not** check whether another organization references that data. Organizations on the orgList that are not subscribed are subscribed (including orgs re-added after a prior removal, including orgs previously removed via the API delete flow). The home organization and governance body store are never auto-removed. Reconciliation runs only when a **non-empty** orgList is present locally (after a successful governance sync); an empty orgList is treated as “not ready” and does not trigger removals. Set to `false` to disable orglist-driven subscribe/remove reconciliation. While enabled, a manual unsubscribe of an org still listed on the orgList will be reverted on the next sync cycle.
   * **LOG_LEVEL**: Controls verbosity of logging. Common settings are `info` and `debug`. Setting to `silly` will log all queries.
   * **TASKS**: Section for configuring sync intervals.
     * **GOVERNANCE_SYNC_TASK_INTERVAL**: Syncs picklist, orgList, and glossary from the governance node. Default 30 seconds.
 
@@ -1641,8 +1641,21 @@ class Organization extends Model {
   /**
    * removes all records of an organization from all models with an `orgUid` column
    * @param orgUid
+   * @param {object} [options]
+   * @param {boolean} [options.skipStagingTruncate=false] - When true, the global
+   *   staging table is left untouched. Staging holds only the home org's pending
+   *   (uncommitted) changes and has no orgUid column, so background callers that
+   *   remove a remote org (e.g. orglist subscription reconcile) must pass `true`
+   *   to avoid discarding the operator's own staged work.
+   * @param {boolean} [options.recordUserDeleted=true] - When true, the org is
+   *   recorded in the meta user-deleted list so default-org sync will not
+   *   re-import it. Background orglist reconcile passes `false`: an org removed
+   *   because it left the governance orgList is not a user deletion.
    */
-  static async deleteAllOrganizationData(orgUid) {
+  static async deleteAllOrganizationData(
+    orgUid,
+    { skipStagingTruncate = false, recordUserDeleted = true } = {},
+  ) {
     logger.verbose('[v1]: acquiring add/delete org mutex to delete organization');
     const releaseAddDeleteMutex =
       await addOrDeleteOrganizationRecordMutex.acquire();
@@ -1653,32 +1666,68 @@ class Organization extends Model {
     const releaseAuditTransactionMutex =
       await processingSyncRegistriesTransactionMutex.acquire();
 
-    const transaction = await sequelize.transaction();
+    // Release both mutexes exactly once on every exit path.
+    let mutexesReleased = false;
+    const releaseMutexes = () => {
+      if (mutexesReleased) {
+        return;
+      }
+      mutexesReleased = true;
+      releaseAddDeleteMutex();
+      releaseAuditTransactionMutex();
+    };
+
+    // Create the transaction inside the try so a failure to open it still
+    // routes through releaseMutexes() rather than leaking the locks.
+    let transaction;
     try {
+      transaction = await sequelize.transaction();
       await Organization.destroy({ where: { orgUid }, transaction });
 
       for (const modelKey of Object.keys(ModelKeys)) {
         await ModelKeys[modelKey].destroy({ where: { orgUid }, transaction });
       }
 
-      await Staging.truncate({ transaction });
+      if (!skipStagingTruncate) {
+        await Staging.truncate({ transaction });
+      }
       await FileStore.destroy({ where: { orgUid }, transaction });
       await Audit.destroy({ where: { orgUid }, transaction });
 
       await transaction.commit();
-
-      await Meta.addUserDeletedOrgUid(orgUid);
     } catch (error) {
       logger.error(
         `failed to delete all db records for organization ${orgUid}, rolling back changes. Error: ${error.message}`,
       );
-      await transaction.rollback();
+      // Defensive rollback: a throwing rollback must not bypass the mutex
+      // release and leak the locks. transaction may be undefined if it failed
+      // to open.
+      try {
+        if (transaction) {
+          await transaction.rollback();
+        }
+      } catch (rollbackError) {
+        logger.error(
+          `[v1]: rollback failed while deleting organization ${orgUid}: ${rollbackError.message}`,
+        );
+      }
+      releaseMutexes();
       throw new Error(
         `an error occurred while deleting records corresponding to organization ${orgUid}. no changes have been made`,
       );
+    }
+
+    // Record the deletion after a successful commit, while still holding the
+    // mutexes so the default-org sync cannot re-import the org between the
+    // commit and the meta write. Keep the meta write out of the transaction
+    // try so a post-commit failure never triggers a rollback of an already
+    // committed transaction.
+    try {
+      if (recordUserDeleted) {
+        await Meta.addUserDeletedOrgUid(orgUid);
+      }
     } finally {
-      releaseAddDeleteMutex();
-      releaseAuditTransactionMutex();
+      releaseMutexes();
     }
   }
 
 
@@ -2151,11 +2151,23 @@ class OrganizationsV2 extends Model {
   }
 
   /**
-   * Delete all V2 data for an organization
+   * Delete all V2 data for an organization: the org's full registry data (via
+   * purgeV2OrganizationData) plus its organization and audit rows.
    * @param {string} orgUid - Organization UID
-   * @returns {Promise<void>}
+   * @param {object} [options]
+   * @param {boolean} [options.recordUserDeleted=true] - When true, the org is
+   *   recorded in the meta user-deleted list so default-org sync will not
+   *   re-import it. Background orglist reconcile passes `false`: an org removed
+   *   because it left the governance orgList is not a user deletion and must not
+   *   be suppressed if it is later re-added or ONLY_CADT_SUBSCRIPTIONS is
+   *   disabled.
+   * @param {number} [options.retryCount=0] - Internal: SQLITE_BUSY retry depth.
+   * @returns {Promise<number>} total number of registry rows purged
    */
-  static async deleteAllOrganizationData(orgUid, retryCount = 0) {
+  static async deleteAllOrganizationData(
+    orgUid,
+    { recordUserDeleted = true, retryCount = 0 } = {},
+  ) {
     const maxRetries = 10;
     const baseDelay = 200; // 200ms base delay
     const maxDelay = 5000; // 5 seconds max delay
@@ -2170,9 +2182,34 @@ class OrganizationsV2 extends Model {
     const releaseAuditTransactionMutex =
       await processingSyncRegistriesTransactionMutexV2.acquire();
 
-    const transaction = await sequelizeV2.transaction();
+    // Release both mutexes exactly once on every exit path. Without this, a
+    // throw after commit (e.g. in the post-commit meta write) would leak both
+    // mutexes and permanently wedge all V2 deletes and sync transactions.
+    let mutexesReleased = false;
+    const releaseMutexes = () => {
+      if (mutexesReleased) {
+        return;
+      }
+      mutexesReleased = true;
+      releaseAddDeleteMutex();
+      releaseAuditTransactionMutex();
+    };
+
+    let purgedRowCount;
+    // Create the transaction inside the try so a failure to open it (e.g.
+    // SQLITE_BUSY / pool exhaustion) still routes through releaseMutexes().
+    let transaction;
     try {
+      transaction = await sequelizeV2.transaction();
       const { AuditV2 } = await import('./index.js');
+      const { purgeV2OrganizationData } = await import(
+        '../../utils/v2-org-data-purge.js'
+      );
+
+      // Remove every registry record this org created (projects, units and all
+      // project-scoped child records). No reference guards are applied: the
+      // org's data is purged unconditionally.
+      purgedRowCount = await purgeV2OrganizationData(orgUid, { transaction });
 
       // Delete from organization table
       await OrganizationsV2.destroy({
@@ -2184,15 +2221,26 @@ class OrganizationsV2 extends Model {
       // Staging is temporary and will be cleared on next commit cycle
       // We skip truncating staging here to avoid database locks
 
-      // Delete from audit table (only V2 data model with org_uid)
+      // Delete from audit table
       await AuditV2.destroy({
         where: { org_uid: orgUid },
         transaction,
       });
 
       await transaction.commit();
     } catch (error) {
-      await transaction.rollback();
+      // Roll back defensively: a throwing rollback (e.g. on an already-closed
+      // connection) must not bypass the mutex releases below and leak the locks.
+      // transaction may be undefined if it failed to open.
+      try {
+        if (transaction) {
+          await transaction.rollback();
+        }
+      } catch (rollbackError) {
+        loggerV2.error(
+          `[v2]: rollback failed while deleting organization ${orgUid}: ${rollbackError.message}`,
+        );
+      }
 
       // Check if it's a database lock error and we haven't exceeded max retries
       // Check both error.message and error.original (Sequelize wraps errors)
@@ -2217,38 +2265,42 @@ class OrganizationsV2 extends Model {
         );
 
         // Release mutexes before retry
-        releaseAddDeleteMutex();
-        releaseAuditTransactionMutex();
+        releaseMutexes();
 
         // Wait before retry
         await new Promise((resolve) => setTimeout(resolve, delay));
 
         // Retry the operation
-        return await OrganizationsV2.deleteAllOrganizationData(
-          orgUid,
-          retryCount + 1,
-        );
+        return await OrganizationsV2.deleteAllOrganizationData(orgUid, {
+          recordUserDeleted,
+          retryCount: retryCount + 1,
+        });
       }
 
       // If not a lock error or max retries exceeded, throw the error
       loggerV2.error(
         `[v2]: failed to delete all db records for organization ${orgUid}, rolling back changes. Error: ${error.message}`,
       );
-      releaseAddDeleteMutex();
-      releaseAuditTransactionMutex();
+      releaseMutexes();
       throw new Error(
         `an error occurred while deleting records corresponding to organization ${orgUid}. no changes have been made`,
       );
     }
-    // Record the deletion in the meta table while still holding the mutexes so
-    // sync-default-organizations-v2 cannot slip in between the delete and the
-    // meta write and re-import the org.  addUserDeletedOrgUid does not acquire
-    // either mutex, so this cannot deadlock.
-    const { MetaV2: MetaV2Post } = await import('./index.js');
-    await MetaV2Post.addUserDeletedOrgUid(orgUid);
-
-    releaseAddDeleteMutex();
-    releaseAuditTransactionMutex();
+
+    try {
+      // Record the deletion in the meta table while still holding the mutexes so
+      // sync-default-organizations-v2 cannot slip in between the delete and the
+      // meta write and re-import the org.  addUserDeletedOrgUid does not acquire
+      // either mutex, so this cannot deadlock.
+      if (recordUserDeleted) {
+        const { MetaV2: MetaV2Post } = await import('./index.js');
+        await MetaV2Post.addUserDeletedOrgUid(orgUid);
+      }
+    } finally {
+      releaseMutexes();
+    }
+
+    return purgedRowCount;
   }
 
   /**
 
@@ -9,7 +9,7 @@ import { loggerV2 } from '../config/logger.js';
 import { getConfig, getConfigV2 } from '../utils/config-loader.js';
 import {
   buildOrgListAllowSet,
-  unsubscribeOrgsNotInOrgList,
+  removeOrgsNotInOrgList,
 } from '../utils/orglist-subscription-reconcile.js';
 
 const CONFIG = getConfig().APP;
@@ -123,7 +123,7 @@ const task = new Task('sync-default-organizations-v2', async () => {
       if (onlyCadtSubscriptions) {
         const { GOVERNANCE_BODY_ID } = getConfigV2().GOVERNANCE;
         const allowSet = buildOrgListAllowSet(defaultOrgList, GOVERNANCE_BODY_ID);
-        await unsubscribeOrgsNotInOrgList({
+        await removeOrgsNotInOrgList({
           defaultOrgList,
           allowSet,
           organizationModel: OrganizationsV2,
@@ -134,6 +134,12 @@ const task = new Task('sync-default-organizations-v2', async () => {
           },
           unsubscribeFromOrganizationStores:
             OrganizationsV2.unsubscribeFromOrganizationStores.bind(OrganizationsV2),
+          // Background removal of an off-orglist org is not a user deletion, so
+          // it must not be recorded in the user-deleted suppression list.
+          deleteAllOrganizationData: (orgUid) =>
+            OrganizationsV2.deleteAllOrganizationData(orgUid, {
+              recordUserDeleted: false,
+            }),
           logger: loggerV2,
           apiVersionLabel: 'v2',
         });
 
@@ -9,7 +9,7 @@ import { logger } from '../config/logger.js';
 import { getConfig } from '../utils/config-loader.js';
 import {
   buildOrgListAllowSet,
-  unsubscribeOrgsNotInOrgList,
+  removeOrgsNotInOrgList,
 } from '../utils/orglist-subscription-reconcile.js';
 
 const CONFIG = getConfig();
@@ -112,7 +112,7 @@ const task = new Task('sync-default-organizations', async () => {
       if (onlyCadtSubscriptions) {
         const { GOVERNANCE_BODY_ID } = CONFIG.GOVERNANCE;
         const allowSet = buildOrgListAllowSet(defaultOrgRecords, GOVERNANCE_BODY_ID);
-        await unsubscribeOrgsNotInOrgList({
+        await removeOrgsNotInOrgList({
           defaultOrgList: defaultOrgRecords,
           allowSet,
           organizationModel: Organization,
@@ -123,6 +123,14 @@ const task = new Task('sync-default-organizations', async () => {
           },
           unsubscribeFromOrganizationStores:
             Organization.unsubscribeFromOrganizationStores.bind(Organization),
+          // Background removal of a remote org must not wipe the home org's
+          // pending staged changes (global, un-scoped staging table), and is
+          // not a user deletion so it must not populate the suppression list.
+          deleteAllOrganizationData: (orgUid) =>
+            Organization.deleteAllOrganizationData(orgUid, {
+              skipStagingTruncate: true,
+              recordUserDeleted: false,
+            }),
           logger,
           apiVersionLabel: 'v1',
         });
 
@@ -31,7 +31,8 @@ export const defaultConfig = {
     AUTO_MIRROR_EXTERNAL_STORES: true,
     /**
      * When true, DataLayer subscriptions are kept in sync with the governance
-     * orgList: orgs removed from the list are unsubscribed (data retained);
+     * orgList: orgs removed from the list are unsubscribed AND fully deleted
+     * (the org record plus all of its registry data, with no reference checks);
      * orgs on the list with subscribed=false are re-subscribed. Requires a
      * non-empty orgList from a successful governance sync before any removal.
      */