Chia-Network
diff --git a/‎docs/cadt_rpc_api_v2.md‎
Lines changed: 80 additions & 8 deletions b/‎docs/cadt_rpc_api_v2.md‎
Lines changed: 80 additions & 8 deletions
diff --git a/‎src/controllers/v2/label-v2.controller.js‎
Lines changed: 10 additions & 3 deletions b/‎src/controllers/v2/label-v2.controller.js‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎src/controllers/v2/methodology-v2.controller.js‎
Lines changed: 9 additions & 2 deletions b/‎src/controllers/v2/methodology-v2.controller.js‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎src/controllers/v2/program-v2.controller.js‎
Lines changed: 10 additions & 3 deletions b/‎src/controllers/v2/program-v2.controller.js‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎src/controllers/v2/stakeholder-v2.controller.js‎
Lines changed: 10 additions & 3 deletions b/‎src/controllers/v2/stakeholder-v2.controller.js‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎src/utils/v2-cascade-delete.js‎
Lines changed: 49 additions & 0 deletions b/‎src/utils/v2-cascade-delete.js‎
Lines changed: 49 additions & 0 deletions
@@ -1890,20 +1890,38 @@ Response
 
 **Note**: The ID in the URL path is the `cadTrustMethodologyId`.
 
+**Referential integrity**: If any committed or staged (`INSERT`/`UPDATE`) `project_methodology` records reference this methodology, the request returns `409 Conflict`. Pass `?force=true` to bypass the guard and stage the delete anyway.
+
 Request
 ```shell
 curl --location --request DELETE 'localhost:31310/v2/methodology/9b9bb857-c71b-4649-b805-a289db27dc1c' \
 --header 'Content-Type: application/json'
 ```
 
-Response
+Response (success — no references)
 ```json
 {
-  "message": "Methodology deletion staged successfully",
+  "message": "Methodology delete staged successfully",
   "success": true
 }
 ```
 
+Response (409 — references exist)
+```json
+{
+  "success": false,
+  "message": "Cannot delete methodology: referenced by 2 project-methodology links",
+  "references": [{ "table": "project_methodology", "count": 2 }],
+  "hint": "Remove all references first, or use ?force=true to delete anyway"
+}
+```
+
+Force delete (bypass guard)
+```shell
+curl --location --request DELETE 'localhost:31310/v2/methodology/9b9bb857-c71b-4649-b805-a289db27dc1c?force=true' \
+--header 'Content-Type: application/json'
+```
+
 ---
 
 ## `program`
@@ -2058,20 +2076,38 @@ Response
 
 **Note**: The ID in the URL path is the `cadTrustProgramId`.
 
+**Referential integrity**: If any committed or staged (`INSERT`/`UPDATE`) `project` records reference this program via `cadTrustProgramId`, the request returns `409 Conflict`. Pass `?force=true` to bypass the guard and stage the delete anyway.
+
 Request
 ```shell
 curl --location --request DELETE 'localhost:31310/v2/program/51ca9638-22b0-4e14-ae7a-c09d23b37b58' \
 --header 'Content-Type: application/json'
 ```
 
-Response
+Response (success — no references)
 ```json
 {
-  "message": "Program deletion staged successfully",
+  "message": "Program delete staged successfully",
   "success": true
 }
 ```
 
+Response (409 — references exist)
+```json
+{
+  "success": false,
+  "message": "Cannot delete program: referenced by 3 projects",
+  "references": [{ "table": "project", "count": 3 }],
+  "hint": "Remove all references first, or use ?force=true to delete anyway"
+}
+```
+
+Force delete (bypass guard)
+```shell
+curl --location --request DELETE 'localhost:31310/v2/program/51ca9638-22b0-4e14-ae7a-c09d23b37b58?force=true' \
+--header 'Content-Type: application/json'
+```
+
 ---
 
 ## `project`
@@ -4527,20 +4563,38 @@ Response
 
 **Note**: The ID in the URL path is the `cadTrustStakeholderId`.
 
+**Referential integrity**: If any committed or staged (`INSERT`/`UPDATE`) `stakeholder_projects` records reference this stakeholder, the request returns `409 Conflict`. Pass `?force=true` to bypass the guard and stage the delete anyway.
+
 Request
 ```shell
 curl --location --request DELETE 'localhost:31310/v2/stakeholder/e880047e-cdf4-45bb-a9df-e706fa427713' \
 --header 'Content-Type: application/json'
 ```
 
-Response
+Response (success — no references)
 ```json
 {
-  "message": "Stakeholder deletion staged successfully",
+  "message": "Stakeholder delete staged successfully",
   "success": true
 }
 ```
 
+Response (409 — references exist)
+```json
+{
+  "success": false,
+  "message": "Cannot delete stakeholder: referenced by 1 stakeholder-project links",
+  "references": [{ "table": "stakeholder_projects", "count": 1 }],
+  "hint": "Remove all references first, or use ?force=true to delete anyway"
+}
+```
+
+Force delete (bypass guard)
+```shell
+curl --location --request DELETE 'localhost:31310/v2/stakeholder/e880047e-cdf4-45bb-a9df-e706fa427713?force=true' \
+--header 'Content-Type: application/json'
+```
+
 ---
 
 ## `stakeholder-projects`
@@ -4837,20 +4891,38 @@ Response
 
 **Note**: The ID in the URL path is the `cadTrustLabelId`.
 
+**Referential integrity**: If any committed or staged (`INSERT`/`UPDATE`) `unit_label` records reference this label, the request returns `409 Conflict`. Pass `?force=true` to bypass the guard and stage the delete anyway.
+
 Request
 ```shell
 curl --location --request DELETE 'localhost:31310/v2/label/dcacd68e-1cfb-4f06-9798-efa0aacda42c' \
 --header 'Content-Type: application/json'
 ```
 
-Response
+Response (success — no references)
 ```json
 {
-  "message": "Label deletion staged successfully",
+  "message": "Label delete staged successfully",
   "success": true
 }
 ```
 
+Response (409 — references exist)
+```json
+{
+  "success": false,
+  "message": "Cannot delete label: referenced by 4 unit-label links",
+  "references": [{ "table": "unit_label", "count": 4 }],
+  "hint": "Remove all references first, or use ?force=true to delete anyway"
+}
+```
+
+Force delete (bypass guard)
+```shell
+curl --location --request DELETE 'localhost:31310/v2/label/dcacd68e-1cfb-4f06-9798-efa0aacda42c?force=true' \
+--header 'Content-Type: application/json'
+```
+
 ---
 
 ## `unit-label`
 
@@ -4,6 +4,7 @@ import _ from 'lodash';
 import { v4 as uuidv4 } from 'uuid';
 
 import { StagingV2, LabelV2, OrganizationsV2 } from '../../models/v2/index.js';
+import { checkReferences, buildReferenceConflictBody } from '../../utils/v2-reference-guards.js';
 import { labelV2Schema } from '../../validations/v2/label-v2.validations.js';
 import {
   assertV2IfReadOnlyMode,
@@ -263,7 +264,6 @@ export const deleteLabelV2 = async (req, res) => {
 
     const { id } = req.params;
 
-    // Verify record exists
     const existingRecord = await LabelV2.findByPk(id);
     if (!existingRecord) {
       return res.status(404).json({
@@ -272,12 +272,19 @@ export const deleteLabelV2 = async (req, res) => {
       });
     }
 
-    // Stage the delete
+    const force = req.query.force === 'true';
+    if (!force) {
+      const refResult = await checkReferences('label', id);
+      if (refResult.hasReferences) {
+        return res.status(409).json(buildReferenceConflictBody('label', refResult));
+      }
+    }
+
     await StagingV2.create({
       uuid: uuidv4(),
       table: 'label',
       action: 'DELETE',
-      data: JSON.stringify([{ cad_trust_label_id: id }]), // Use UUID string directly
+      data: JSON.stringify([{ cad_trust_label_id: id }]),
       committed: false,
       failed_commit: false,
       is_transfer: false,
 
@@ -5,6 +5,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { Sequelize } from 'sequelize';
 
 import { StagingV2, MethodologyV2, OrganizationsV2 } from '../../models/v2/index.js';
+import { checkReferences, buildReferenceConflictBody } from '../../utils/v2-reference-guards.js';
 
 import {
   optionallyPaginatedResponse,
@@ -267,7 +268,6 @@ export const destroy = async (req, res) => {
 
     const { id } = req.params;
 
-    // Verify record exists
     const existingRecord = await MethodologyV2.findByPk(id);
     if (!existingRecord) {
       return res.status(404).json({
@@ -276,7 +276,14 @@ export const destroy = async (req, res) => {
       });
     }
 
-    // Stage the delete
+    const force = req.query.force === 'true';
+    if (!force) {
+      const refResult = await checkReferences('methodology', id);
+      if (refResult.hasReferences) {
+        return res.status(409).json(buildReferenceConflictBody('methodology', refResult));
+      }
+    }
+
     await StagingV2.create({
       uuid: uuidv4(),
       table: 'methodology',
 
@@ -5,6 +5,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { Sequelize } from 'sequelize';
 
 import { StagingV2, ProgramV2, OrganizationsV2 } from '../../models/v2/index.js';
+import { checkReferences, buildReferenceConflictBody } from '../../utils/v2-reference-guards.js';
 
 import {
   optionallyPaginatedResponse,
@@ -256,7 +257,6 @@ export const destroy = async (req, res) => {
 
     const { id } = req.params;
 
-    // Verify record exists
     const existingRecord = await ProgramV2.findByPk(id);
     if (!existingRecord) {
       return res.status(404).json({
@@ -265,12 +265,19 @@ export const destroy = async (req, res) => {
       });
     }
 
-    // Stage the delete
+    const force = req.query.force === 'true';
+    if (!force) {
+      const refResult = await checkReferences('program', id);
+      if (refResult.hasReferences) {
+        return res.status(409).json(buildReferenceConflictBody('program', refResult));
+      }
+    }
+
     await StagingV2.create({
       uuid: uuidv4(),
       table: 'program',
       action: 'DELETE',
-      data: JSON.stringify([{ cad_trust_program_id: id }]), // Use UUID string directly
+      data: JSON.stringify([{ cad_trust_program_id: id }]),
       committed: false,
       failed_commit: false,
       is_transfer: false,
 
@@ -4,6 +4,7 @@ import _ from 'lodash';
 import { v4 as uuidv4 } from 'uuid';
 
 import { StagingV2, StakeholderV2, OrganizationsV2 } from '../../models/v2/index.js';
+import { checkReferences, buildReferenceConflictBody } from '../../utils/v2-reference-guards.js';
 import { stakeholderV2Schema } from '../../validations/v2/stakeholder-v2.validations.js';
 import {
   assertV2IfReadOnlyMode,
@@ -254,7 +255,6 @@ export const deleteStakeholderV2 = async (req, res) => {
 
     const { id } = req.params;
 
-    // Verify record exists
     const existingRecord = await StakeholderV2.findByPk(id);
     if (!existingRecord) {
       return res.status(404).json({
@@ -263,12 +263,19 @@ export const deleteStakeholderV2 = async (req, res) => {
       });
     }
 
-    // Stage the delete
+    const force = req.query.force === 'true';
+    if (!force) {
+      const refResult = await checkReferences('stakeholder', id);
+      if (refResult.hasReferences) {
+        return res.status(409).json(buildReferenceConflictBody('stakeholder', refResult));
+      }
+    }
+
     await StagingV2.create({
       uuid: uuidv4(),
       table: 'stakeholder',
       action: 'DELETE',
-      data: JSON.stringify([{ cad_trust_stakeholder_id: id }]), // Use UUID string directly
+      data: JSON.stringify([{ cad_trust_stakeholder_id: id }]),
       committed: false,
       failed_commit: false,
       is_transfer: false,
 
@@ -1,5 +1,54 @@
 'use strict';
 
+/**
+ * V2 Cascade Delete — Design Rationale
+ *
+ * CADT records fall into two categories with fundamentally different deletion
+ * strategies. Understanding this distinction is critical before modifying any
+ * delete logic.
+ *
+ * ## 1. Project-scoped records — CASCADE on delete
+ *
+ * These are exclusively owned by a single project (or by a single unit in the
+ * case of unit_label). No other project or registry can reference them, so they
+ * are safe to cascade-delete when their parent is removed.
+ *
+ *   project → location, estimation, rating, co_benefit, validation,
+ *             verification, project_methodology (link), stakeholder_projects (link)
+ *   verification → issuance
+ *   issuance → unit
+ *   unit → unit_label
+ *
+ * When a project is deleted, the full chain above is traversed and every child
+ * gets a staged DELETE entry. When a unit is deleted, its unit_label rows are
+ * cascade-staged. The same applies to mid-chain deletes of verification or
+ * issuance — their downstream children must also be staged.
+ *
+ * ## 2. Shared / standalone records — DO NOT cascade
+ *
+ * These exist independently with their own org_uid and can be cross-referenced
+ * by any registry on the network:
+ *
+ *   methodology  — referenced via project_methodology from any project
+ *   stakeholder  — referenced via stakeholder_projects from any project
+ *   program      — referenced via cad_trust_program_id from any project
+ *   label        — referenced via unit_label from any unit
+ *
+ * Hard-deleting a shared record propagates through DataLayer sync to every
+ * subscriber, silently breaking referential integrity for any registry that
+ * still references it. There is no mechanism to notify affected registries.
+ *
+ * These records intentionally do NOT cascade. The correct approaches (in order
+ * of priority) are:
+ *   - Tier 2: Block delete with 409 if local references exist (or allow with
+ *             ?force=true after showing impact)
+ *   - Tier 3: Soft delete / deprecation (the only truly safe distributed
+ *             systems answer — tombstones over hard deletes)
+ *   - Tier 4: Orphan cleanup endpoint for records with zero local references
+ *
+ * See: docs/orphaned-records-analysis.md for the full analysis.
+ */
+
 import { v4 as uuidv4 } from 'uuid';
 import {
   StagingV2,