- ConsentLog.user_id: nullable=True + ondelete='SET NULL' for Loi 25 art. 28.1
right-to-erasure (audit row survives user deletion, user_id nulled out).
Matches existing pattern in auth_log.py / access_log.py.
- Add ConsentLog.@validates('consent_type') to reject typos at ORM level
(silent typos in audit data are very hard to detect later).
- Rename User.totp_secret -> totp_secret_encrypted (size 64->255 for Fernet
envelope). Self-documenting contract: never assign plaintext to this column.
- init_db.py: drop NOT NULL from totp_enabled migration string for consistency
with every other Boolean column in the file (model-side nullable=False is
sufficient).
- Docs: User class docstring updated to reflect MFA/billing/ordre context;
webauthn_credentials shape documented; version column policy documented.
- Tests: cleaner IntegrityError catch; add survives_user_deletion test
(right-to-erasure); add rejects_invalid_consent_type test (validator).
8792ffb8a4