Docs & ADRs rules

Changes that create new ePHI stores must also include retention configuration and a scheduled purge job aligned to policy (e.g., 6 years). Document tables/collections covered and add tests for TTL behavior.

When a PR implements or changes a decision, include 'ADR: docs/adr/NNNN-title.md' in the PR description and reference it in the merge commit body.

Keep docs/adr/README.md updated with a table of ADRs (number, title, status, date). Update the index in the same PR that adds/changes an ADR.

Add an 'Alternatives' section listing at least two plausible options with pros/cons and reasons for rejection.

Where relevant, include links to RFCs, regulatory guidance, or benchmarks in the ADR (e.g., RFC 9110 for HTTP, PCI DSS sections), under a 'References' section.

On Sev1/Sev2 incidents, capture timeline, root cause, remediation, and owner in a postmortem within 5 business days; link incident_id in all related commits and changes.

Mark columns and event fields with pii and purpose metadata; prefer hashed or tokenized variants in telemetry. Use these tags to auto-generate Records of Processing Activities (RoPA). (GDPR Art. 30)

If the change affects users or operators, update end-user docs/runbooks and add a concise changelog entry in the PR description or designated file.

Use `///` instead of regular comments to properly document Dart classes, methods, and properties for automatic documentation generation.