ENG-2755: Add DELETE /dsr/policy/{policy_key} endpoint with in-use guard

[JadeCara]

Ticket ENG-2755

Description Of Changes

Add a DELETE /api/v1/dsr/policy/{policy_key} endpoint that allows users to remove DSR policies they no longer need. The endpoint guards against deleting policies that are actively referenced by privacy requests — returning a 409 Conflict in that case to prevent orphaned records. Child Rule and RuleTarget records are cascade-deleted via the existing Policy.delete() method.

Code Changes

• src/fides/api/api/v1/endpoints/policy_endpoints.py - Add delete_policy DELETE handler with 404/409/204 responses, secured by POLICY_DELETE scope
• tests/ops/api/v1/endpoints/test_policy_endpoints.py - Add TestDeletePolicy class with 5 tests covering auth, not found, in-use conflict, and successful cascade deletion

Steps to Confirm

1. Create a test policy via PATCH /api/v1/dsr/policy with a rule and target
2. DELETE /api/v1/dsr/policy/{policy_key} → expect 204 No Content, verify policy, rules, and targets are removed
3. Attempt to delete a nonexistent policy → expect 404 Not Found
4. Create a policy and associate a privacy request with it, then attempt deletion → expect 409 Conflict
5. Attempt deletion without POLICY_DELETE scope → expect 403 Forbidden

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • Documentation issue created in fidesdocs
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Feb 23, 2026 11:00pm
fides-privacy-center	Ignored		Feb 23, 2026 11:00pm

[greptile-apps]

Greptile Summary

Adds a DELETE /api/v1/dsr/policy/{policy_key} endpoint that removes a DSR policy and cascade-deletes its child Rule and RuleTarget records, with a 409 Conflict guard when the policy is referenced by existing privacy requests.

• The endpoint implementation is correct: it uses the existing POLICY_DELETE scope, reuses get_policy_or_error for 404 handling, and leverages Policy.delete() which already cascade-deletes rules and targets
• Tests provide solid coverage across auth (401/403), not-found (404), in-use conflict (409), and successful cascade deletion (204)
• Style issues: PrivacyRequest import inside the endpoint function and test methods should be moved to the top of respective modules (no circular dependency exists). A redundant DataCategory import and unnecessary manual DB cleanup in tests should be removed

Confidence Score: 4/5

• This PR is safe to merge with minor style cleanup; no functional or security issues found.
• The endpoint logic is correct: proper scope authorization, 404/409 guards, and cascade deletion via the existing Policy.delete() method. Test coverage is thorough. The only issues are style-related (import placement and unnecessary manual cleanup), which don't affect correctness.
• No files require special attention — the style issues are straightforward to fix.

Important Files Changed

Filename	Overview
src/fides/api/api/v1/endpoints/policy_endpoints.py	Adds DELETE handler with proper 404/409/204 responses and POLICY_DELETE scope. The in-function import of PrivacyRequest should be moved to the top of the module.
tests/ops/api/v1/endpoints/test_policy_endpoints.py	Good test coverage (auth, not found, in-use conflict, cascade deletion). Has in-function imports and unnecessary manual cleanup that should be addressed.
changelog/7459.yaml	Standard changelog entry for the new endpoint.

_{Last reviewed commit: 9301db7}

[greptile-apps]

_{3 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}