Documents at sensitivityLabel='regulated' (the highest tier) require dual-control before deletion. The "Delete" button on /doc/[id] becomes "Request deletion" — clicking it creates a pending_deletions row with your reason and a 14-day expiry, then waits for a second admin to approve.
**On the requester side**, the doc's Danger zone now shows "Pending two-person delete approval" with the requester, request date, expiry, and reason. You can cancel your own request before a reviewer acts on it (cancellation emits a delete-rejected event with cancelledByRequester: true so the audit can distinguish self-cancel from reviewer-rejection).
**On the reviewer side**, /pending-deletions is the admin queue. Owner / admin only; lists every active pending request with the doc name, the requester, the reason, and Approve / Reject affordances. The Approve button is server-side enforced as "approver ≠ requester" — you can't approve your own request even if you toggle the UI. Rejection takes an optional rejection note that lands on the audit chain.
**The audit-log narrative is two events, not one.** Approval stamps document.delete-approved BEFORE invoking the tombstone path so the chain captures the human decision separately from the resulting destruction. If the tombstone fails (e.g. a legal hold was applied between request and approval), the approval is still recorded — the operator sees a clean "approval recorded but tombstone blocked by hold X" trail rather than a torn record.
**Legal-hold deny-wins still applies post-approval.** Approval does NOT bypass holds. If a hold was applied between request and approval, the tombstone refuses and the operator sees the diagnostic. This protects against using dual-control as a workaround for the deny-wins invariant.
**Other sensitivity tiers** (public / internal / confidential / restricted) keep the existing single-person delete flow. Two-person is scoped to regulated only because that's where the governance ask is — extending it to all tiers would add friction without proportional security gain. Revisit if a customer needs configurable per-tier approval requirements.