ENG-2213: Remove deprecated DSR 2.0 code

[galvana]

Ticket ENG-2213

Description Of Changes

Remove all deprecated DSR 2.0 code, making DSR 3.0 the sole execution path for data subject requests. DSR 2.0 was a sequential, in-memory execution model using Dask with Redis caching. It has been deprecated since DSR 3.0 (task-based async execution via RequestTasks) became the default.

This is a purely subtractive change — no new functionality is introduced. The use_dsr_3_0 fixture is kept as a no-op for backward compatibility with fidesplus tests.

Code Changes

Deleted modules:

• src/fides/api/task/deprecated_graph_task.py - Core DSR 2.0 sequential execution logic
• src/fides/api/task/scheduler_utils.py - DSR 2.0/3.0 routing logic (use_dsr_3_0_scheduler())

Deleted test files:

• tests/ops/task/test_deprecated_graph_task.py
• tests/ops/task/test_task_resources.py
• tests/test_dsr_3_0_default.py

Simplified source files:

• src/fides/api/task/graph_runners.py - Unconditionally delegates to DSR 3.0 and raises PrivacyRequestExit
• src/fides/api/task/task_resources.py - Removed DSR 2.0 Redis caching methods (cache_results_with_placeholders, cache_object, get_all_cached_objects, cache_erasure, get_all_cached_erasures)
• src/fides/api/task/graph_task.py - Removed DSR 2.0 caching calls and conditional blocks
• src/fides/api/task/create_request_tasks.py - Received format_data_use_map_for_caching() relocated from deprecated_graph_task (still used by DSR 3.0)
• src/fides/api/models/privacy_request/privacy_request.py - Removed DSR 2.0 Redis cache fallback paths
• src/fides/api/graph/traversal.py - Removed to_mock_execution_node() (DSR 2.0 only)
• .fides/redis_dataset.yml - Removed DSR 2.0 cache key documentation

Test updates (~40 files):

• Removed use_dsr_2_0 fixture and all "use_dsr_2_0" parametrization
• Removed dead if dsr_version == "use_dsr_2_0" conditional branches
• Replaced get_cached_data_for_erasures(...) calls with {}
• Converted use_dsr_3_0 to a no-op fixture for backward compatibility

Steps to Confirm

1. Verify nox -s static_checks passes (ruff check, ruff format, mypy)
2. Verify all imports resolve correctly: python -c "from fides.api.task.graph_runners import access_runner; from fides.api.task.create_request_tasks import format_data_use_map_for_caching"
3. Verify deleted modules are gone: python -c "import fides.api.task.deprecated_graph_task" should raise ImportError
4. Run DSR-related test suites in CI

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • No documentation updates required

Made with Cursor

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ready	Preview, Comment	Feb 26, 2026 10:58pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
fides-privacy-center	Ignored		Feb 26, 2026 10:58pm

[greptile-apps]

Greptile Summary

This PR successfully removes all deprecated DSR 2.0 code, making DSR 3.0 the sole execution path for data subject requests. The changes are purely subtractive (3,737 deletions vs 537 additions), with the additions being primarily relocated code and test cleanup.

Key changes:

• Deleted core DSR 2.0 modules: deprecated_graph_task.py (403 lines), scheduler_utils.py (53 lines)
• Removed DSR 2.0 Redis caching methods from task_resources.py (5 methods)
• Simplified graph_runners.py to unconditionally use DSR 3.0 and raise PrivacyRequestExit
• Removed DSR 2.0 conditional logic throughout graph_task.py
• Removed DSR 2.0 Redis cache fallbacks from privacy_request.py
• Relocated format_data_use_map_for_caching() to create_request_tasks.py (still used by DSR 3.0)
• Deleted 3 test files and removed dsr_version parametrization from ~40 test files
• Removed use_dsr_2_0 and use_dsr_3_0 test fixtures (no longer needed)

PR description minor inaccuracy:
The description states "use_dsr_3_0 fixture is kept as a no-op for backward compatibility" but it was actually removed entirely in commit ecb4dad. This is the correct approach since no tests reference it anymore after the parametrization removal.

All imports have been verified clean - no references to deleted modules remain. The changes are well-structured and maintain backward compatibility where needed (DSR 3.0 execution path unchanged).

Confidence Score: 5/5

• This PR is safe to merge - it's a clean removal of deprecated code with no new functionality
• Score reflects the purely subtractive nature of the changes, thorough test cleanup, successful verification that no imports of deleted modules remain, and clear separation between DSR 2.0 (deleted) and DSR 3.0 (retained) code paths
• No files require special attention - all changes follow expected patterns for deprecation removal

Important Files Changed

Filename	Overview
src/fides/api/task/deprecated_graph_task.py	Deleted entire deprecated DSR 2.0 sequential execution logic (403 lines). This was the core Dask-based in-memory execution model that has been replaced by DSR 3.0's task-based async execution.
src/fides/api/task/scheduler_utils.py	Deleted DSR 2.0/3.0 routing logic. The use_dsr_3_0_scheduler() function that determined which execution path to use is no longer needed.
src/fides/api/task/graph_runners.py	Simplified to only call DSR 3.0 functions and raise PrivacyRequestExit. Removed all DSR 2.0 conditional logic and imports of deprecated functions.
src/fides/api/task/task_resources.py	Removed 5 DSR 2.0 Redis caching methods: cache_results_with_placeholders, cache_object, get_all_cached_objects, cache_erasure, get_all_cached_erasures. Also removed cache instance variable.
src/fides/api/task/graph_task.py	Removed DSR 2.0 conditional caching logic throughout. Deleted get_cached_data_for_erasures() function. Simplified to only save data directly on RequestTask objects.
src/fides/api/task/create_request_tasks.py	Added format_data_use_map_for_caching() function relocated from deleted deprecated_graph_task.py. This function is still used by DSR 3.0.
src/fides/api/models/privacy_request/privacy_request.py	Removed DSR 2.0 Redis cache fallback logic from get_raw_access_results(), get_raw_masking_counts(), and get_consent_results(). Now only queries RequestTask data.
tests/ops/integration_tests/test_execution.py	Removed all dsr_version parametrization and conditional logic. Tests now only run with DSR 3.0. Reduced from ~800 to ~500 lines.
tests/ops/task/test_graph_task.py	Removed TestUpdateErasureMappingFromCache class (97 lines) testing DSR 2.0 erasure caching. Updated imports to use format_data_use_map_for_caching from create_request_tasks.

_{Last reviewed commit: 38ffb72}

[greptile-apps]

_{61 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[JadeCara]

A few comments etc

• This one is from claude - I think its reasobable though:

The || has lower precedence than &&, so if isVerificationRequired is false and data.succeeded is empty, data.succeeded[0].status === DUPLICATE will throw a TypeError. Fix: wrap the second branch in a
length guard.

(Pre-existing bug from PR #7238, but the surrounding code changes make this path more reachable.)

• There are still a few docstrings where 3.0 is referenced. Do we want to keep that since it is TheWay ™️ now?

• Codegraph found some dead code left over - please verify since I am still finding edges.

Codegraph Dead Code Report
Confirmed Dead Code (safe to delete)
Function: PrivacyRequest.get_results
Location: privacy_request.py:825
Callers: 0 callers
Impact (dependents): 0 dependents
Neighbourhood: Outbound only: calls get_cache() → FidesopsRedis. No inbound edges from any fides or fidesplus code.
Verdict: Dead code. Docstring even says "Just used in testing" but no tests call it anymore.
────────────────────────────────────────
Function: extract_key_for_address
Location: collection_util.py:107
Callers: 0 callers
Impact (dependents): 0 dependents
Neighbourhood: No neighbours at all (completely isolated node).
Verdict: Dead code. Total orphan - zero inbound, zero outbound connections.
────────────────────────────────────────
Function: start_function
Location: graph_task.py:936
Callers: 0 callers
Impact (dependents): 0 dependents
Neighbourhood: No neighbours at all (completely isolated node).
Verdict: Dead code. Was used for Dask graph seed nodes. Total orphan.

[JadeCara]

Can we drop the 3.0 from the docstring here as well?

[galvana]

Done — removed "DSR 3.0" from all three runner docstrings in b5212b5.

[JadeCara]

I think its safe to remove this here now

Suggested change

request,

[galvana]

Investigated — these two tests cover live behavior (enabled_actions filtering on manual webhooks within run_privacy_request). No other integration test covers this path; the model-level unit test in test_manual_webhook.py only tests AccessManualWebhook.get_enabled() directly, not the full pipeline pause/skip. Kept the tests but removed the unused request fixture param left over from DSR version parameterization.

[JadeCara]

I think its safe to remove this here now as well.

Suggested change

request,

[galvana]

Same as above — kept the test since it covers unique behavior, but cleaned up the unused request fixture param.

[JadeCara]

Stray 2.0 ref!

[galvana]

Removed in b5212b5.

[JadeCara]

Stray 2.0 reference

[galvana]

Removed in b5212b5 — simplified to just "Restart from the checkpoint".

[JadeCara]

looks like this comment got cut off - we can probably remove the reference to 3.0 since that is TheWay ™️ now

[galvana]

Fixed — replaced the cut-off comment with "Saved as part of the request task" in b5212b5.

[JadeCara]

I havent fully verified this admittedly - but claude and the graph called this out

  Finding #7: Unused parameters — Confirmed
                                                                                                                                                                                                               
  erasure_runner — 5 unused params confirmed. graph_file for create_request_tasks.py shows run_erasure_request (line 646) has edges only to:                                                                 
  - PrivacyRequest (REFERENCES)
  - RequestTask (REFERENCES)
  - queue_request_task (CALLS)
  - log_task_queued (CALLS)

  No edges to Policy, DatasetGraph, ConnectionConfig, or any identity-related node. The runner passes only privacy_request, session, and privacy_request_proceed — the other 5 params (policy, graph,
  connection_configs, identity, access_request_data) are accepted but never forwarded.

  consent_runner — 2 unused params confirmed. run_consent_request (line 669) has edges to:
  - DatasetGraph (REFERENCES) — uses graph param
  - PrivacyRequest (REFERENCES)
  - RequestTask (REFERENCES)
  - TraversalNode (CALLS)
  - get_connection_configs_with_manual_tasks (CALLS) — fetches its own configs
  - queue_request_task (CALLS)
  - log_task_queued (CALLS)

  No edges to Policy or ConnectionConfig. The runner accepts policy and connection_configs but never passes them through.

  access_runner — clean. run_access_request (line 539) references Policy, DatasetGraph, ConnectionConfig, PrivacyRequest, RequestTask, and Traversal — all params are used.

  Cross-repo impact: graph_context confirmed callers in fidesplus — erasure_runner_tester and consent_runner_tester in test helpers, plus ConnectorRunner methods. Any signature cleanup would need coordinated
   changes.

  ---
  Finding #8: Misleading return types — Confirmed

  All three runners unconditionally raise PrivacyRequestExit() after delegating to run_*_request. The declared return types are unreachable:
  - access_runner → Dict[str, List[Row]] (never returned)
  - erasure_runner → Dict[str, int] (never returned)
  - consent_runner → Dict[str, bool] (never returned)

  The test wrappers in tests/conftest.py (lines 930, 960, 989) catch PrivacyRequestExit and return actual results from the database, which is why tests still work. The return types on the runners themselves
  are vestigial from the DSR 2.0 era when these functions returned results directly.

  A more accurate signature would be -> NoReturn from typing, since the functions always raise.

  ---
  Both findings are solid and codegraph-verified. Neither is a bug per se — they're cleanup opportunities left behind by the DSR 2.0 removal. The unused params are kept for call-site compatibility
  (especially cross-repo), and the return types are harmless but misleading.

[galvana]

Addressed in two parts:

Dead code — deleted in b5212b5:

• PrivacyRequest.get_results — confirmed zero callers
• extract_key_for_address — confirmed zero callers
• start_function — confirmed zero callers

Unused params / misleading return types — deferring to follow-up PR:
The erasure_runner (5 unused params) and consent_runner (2 unused params) cleanup requires coordinated changes across fides (request_runner_service.py, tests/conftest.py) and fidesplus (saas_test_utils.py + ~20 SaaS test files). Same for updating return types to NoReturn. Will track as a separate cleanup ticket.

[galvana]

All inline comments addressed in b5212b5. Summary:

• DSR 3.0/2.0 references: Removed from all flagged docstrings and comments
• Dead code: Deleted get_results, extract_key_for_address, start_function (all confirmed zero callers)
• Manual webhook tests: Kept — they cover live enabled_actions filtering behavior with no other integration test covering this path. Removed unused request fixture param.
• Unused runner params / return types: Deferring to follow-up PR due to cross-repo blast radius (~20 fidesplus test files affected)

[JadeCara]

This looks so clean! 🧹