Improve GDPR implementation

gateway/app/main.py

@@ -21,6 +21,7 @@ from app.middleware.logging import LoggingMiddleware
 from app.middleware.rate_limit import RateLimitMiddleware
 from app.middleware.subscription import SubscriptionMiddleware
 from app.middleware.demo_middleware import DemoMiddleware
+from app.middleware.read_only_mode import ReadOnlyModeMiddleware
 from app.routes import auth, tenant, notification, nominatim, user, subscription, demo, pos
 from shared.monitoring.logging import setup_logging
 from shared.monitoring.metrics import MetricsCollector
@@ -54,10 +55,11 @@ app.add_middleware(
 )
 
 # Custom middleware - Add in REVERSE order (last added = first executed)
-# Execution order: RequestIDMiddleware -> DemoMiddleware -> AuthMiddleware -> SubscriptionMiddleware -> RateLimitMiddleware -> LoggingMiddleware
-app.add_middleware(LoggingMiddleware)          # Executes 6th (outermost)
-app.add_middleware(RateLimitMiddleware, calls_per_minute=300)  # Executes 5th
-app.add_middleware(SubscriptionMiddleware, tenant_service_url=settings.TENANT_SERVICE_URL)  # Executes 4th
+# Execution order: RequestIDMiddleware -> DemoMiddleware -> AuthMiddleware -> ReadOnlyModeMiddleware -> SubscriptionMiddleware -> RateLimitMiddleware -> LoggingMiddleware
+app.add_middleware(LoggingMiddleware)          # Executes 7th (outermost)
+app.add_middleware(RateLimitMiddleware, calls_per_minute=300)  # Executes 6th
+app.add_middleware(SubscriptionMiddleware, tenant_service_url=settings.TENANT_SERVICE_URL)  # Executes 5th
+app.add_middleware(ReadOnlyModeMiddleware, tenant_service_url=settings.TENANT_SERVICE_URL)  # Executes 4th - Enforce read-only mode
 app.add_middleware(AuthMiddleware)             # Executes 3rd - Checks for demo context
 app.add_middleware(DemoMiddleware)             # Executes 2nd - Sets demo user context
 app.add_middleware(RequestIDMiddleware)        # Executes 1st (innermost) - Generates request ID for tracing