2026-05-29 · Platform
Consent module now actually gates outbound email
- The Consent module shipped as a ledger — record grants, record revocations, audit trail. Marketing copy claimed it gated outbound senders. It didn't. As of migration 0057 it does.
- New org-level toggle `enforce_consent` (default off — opt-in per tenant). Surface lives at the top of `/dashboard/consent`.
- When on, broadcast + workflow email categories require a granted `marketing` consent row for the recipient before dispatching. No record OR most-recent record revoked → `email_sends` row written with `status='failed'`, `provider='suppressed'`, `metadata.suppressed_reason='no_consent'`. Visible in send stats + audit log.
- Transactional, auth, ticket, and inbound-ack categories bypass the gate — those are platform-critical, not customer marketing.
- Consent records gain a `phone` column + 3 partial indexes (`org_id, {email,user_id,phone}, purpose, created_at DESC`) so SMS + push gates are a small follow-up (those modules need a `category` discriminator on their send schemas first).
- Backend tests 750/750 + 11/11 shared drift + 59/59 backend drift green.