dpdp-erasure-cli 1.0.0

package/tests/adversarial.test.ts

@@ -0,0 +1,464 @@
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import { mkdtemp, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
+import { tmpdir } from "node:os";
+
+const getDependencyGraphMock = vi.hoisted(() => vi.fn<() => Promise<unknown[]>>(() => Promise.resolve([])));
+vi.mock("@modules/db/graph", () => ({
+  getDependencyGraph: getDependencyGraphMock,
+}));
+
+import {
+  TEST_SECRETS,
+  createTestSql,
+  dropSchemas,
+  insertUser,
+  uniqueSchema,
+} from "./helpers";
+import { readWorkerConfig } from "@modules/config";
+import { runMigrations } from "@modules/db";
+import { vaultUser } from "@modules/engine";
+import type { Sql } from "@/types";
+import { decryptGCM, unwrapKey } from "@modules/crypto";
+import { processOutbox } from "@modules/network";
+import { calculateRetryDelayMs } from "@modules/network/outbox/shared";
+
+
+const masterKeyHex = "42".repeat(32);
+const hmacKeyBase64 = Buffer.from(new Uint8Array(32).fill(0x24)).toString("base64");
+
+async function writeTempYaml(contents: string): Promise<string> {
+  const directory = await mkdtemp(join(tmpdir(), "adversarial-config-"));
+  const path = join(directory, "compliance.worker.yml");
+  await writeFile(path, contents, "utf8");
+  return path;
+}
+
+async function deleteTempYaml(path: string) {
+  await rm(path, { force: true });
+  await rm(dirname(path), { recursive: true, force: true });
+}
+
+function buildVaultOptions(appSchema: string, engineSchema: string, now?: Date) {
+  return {
+    appSchema,
+    engineSchema,
+    now,
+    rootTable: "users",
+    rootIdColumn: "id",
+    rootPiiColumns: {
+      email: "HMAC" as const,
+      full_name: "STATIC_MASK" as const,
+    },
+    satelliteTargets: [],
+    compiledTargets: [
+      { table: `${appSchema}.users`, pii_columns: ["email", "full_name"] },
+      {
+        table: `${appSchema}.orders`,
+        parent: `${appSchema}.users`,
+        join: `${appSchema}.users.id = ${appSchema}.orders.user_id`,
+        pii_columns: [],
+      },
+    ],
+  };
+}
+
+describe("Adversarial Worker Suite", () => {
+  let sql: Sql;
+  const schemasToDrop: string[] = [];
+  const configPathsToDelete: string[] = [];
+
+  beforeAll(() => {
+    sql = createTestSql();
+  });
+
+  afterAll(async () => {
+    for (const path of configPathsToDelete.splice(0, configPathsToDelete.length)) {
+      await deleteTempYaml(path);
+    }
+    await dropSchemas(sql, ...schemasToDrop);
+    await sql.end();
+  });
+
+  it("Vector 1: fails closed on toxic config and quoted identifier injection attempts", async () => {
+    const nullRetentionPath = await writeTempYaml(`
+version: "1.0"
+database:
+  app_schema: tenant_app
+  engine_schema: tenant_engine
+compliance_policy:
+  default_retention_years: null
+  notice_window_hours: 48
+  retention_rules:
+    - rule_name: RBI_KYC
+      legal_citation: "RBI KYC Directions, 2016, Sec 38"
+      if_has_data_in:
+        - kyc_documents
+      retention_years: 5
+graph:
+  root_table: users
+  root_id_column: id
+  max_depth: 32
+  root_pii_columns:
+    email: HMAC
+satellite_targets:
+  - table: marketing_leads
+    lookup_column: email
+    action: redact
+    masking_rules:
+      email: HMAC
+outbox:
+  batch_size: 10
+  lease_seconds: 60
+  max_attempts: 10
+  base_backoff_ms: 1000
+security:
+  notification_lease_seconds: 120
+  master_key_env: DPDP_MASTER_KEY
+  hmac_key_env: DPDP_HMAC_KEY
+integrity:
+  expected_schema_hash: "${"1".repeat(64)}"
+legal_attestation:
+  dpo_identifier: "dpo-name@client.com"
+  configuration_version: "v1.2.0"
+  legal_review_date: "2026-04-20"
+  acknowledgment: "I confirm this configuration accurately reflects our obligations."
+`);
+    configPathsToDelete.push(nullRetentionPath);
+
+    await expect(
+      readWorkerConfig(
+        {
+          DPDP_MASTER_KEY: masterKeyHex,
+          DPDP_HMAC_KEY: `base64:${hmacKeyBase64}`,
+        },
+        nullRetentionPath
+      )
+    ).rejects.toThrow(/default_retention_years/i);
+
+    const injectionPath = await writeTempYaml(`
+version: "1.0"
+database:
+  app_schema: tenant_app
+  engine_schema: tenant_engine
+compliance_policy:
+  default_retention_years: 0
+  notice_window_hours: 48
+  retention_rules:
+    - rule_name: RBI_KYC
+      legal_citation: "RBI KYC Directions, 2016, Sec 38"
+      if_has_data_in:
+        - kyc_documents
+      retention_years: 5
+graph:
+  root_table: "users; DROP TABLE clients;--"
+  root_id_column: id
+  max_depth: 32
+  root_pii_columns:
+    email: HMAC
+satellite_targets:
+  - table: marketing_leads
+    lookup_column: email
+    action: redact
+    masking_rules:
+      email: HMAC
+outbox:
+  batch_size: 10
+  lease_seconds: 60
+  max_attempts: 10
+  base_backoff_ms: 1000
+security:
+  notification_lease_seconds: 120
+  master_key_env: DPDP_MASTER_KEY
+  hmac_key_env: DPDP_HMAC_KEY
+integrity:
+  expected_schema_hash: "${"1".repeat(64)}"
+legal_attestation:
+  dpo_identifier: "dpo-name@client.com"
+  configuration_version: "v1.2.0"
+  legal_review_date: "2026-04-20"
+  acknowledgment: "I confirm this configuration accurately reflects our obligations."
+`);
+    configPathsToDelete.push(injectionPath);
+
+    await expect(
+      readWorkerConfig(
+        {
+          DPDP_MASTER_KEY: masterKeyHex,
+          DPDP_HMAC_KEY: `base64:${hmacKeyBase64}`,
+        },
+        injectionPath
+      )
+    ).rejects.toThrow(/invalid graph root table/i);
+
+    const injectionSchema = uniqueSchema("adversarial_identifier");
+    schemasToDrop.push(injectionSchema);
+    await dropSchemas(sql, injectionSchema);
+    await sql`CREATE SCHEMA ${sql(injectionSchema)}`;
+    await sql`CREATE TABLE ${sql(injectionSchema)}.clients (id SERIAL PRIMARY KEY)`;
+
+    await expect(
+      sql`
+        SELECT 1
+        FROM ${sql(injectionSchema)}.${sql("users; DROP TABLE clients;--")}
+      `
+    ).rejects.toThrow();
+
+    const [tableCheck] = await sql<{ regclass: string | null }[]>`
+      SELECT to_regclass(${`${injectionSchema}.clients`}) AS regclass
+    `;
+    expect(tableCheck?.regclass).toBe(`${injectionSchema}.clients`);
+  });
+
+  it("Vector 2: prevents TOCTOU partial mutation under static-plan execution and concurrent FK insert", async () => {
+    const appSchema = uniqueSchema("adversarial_toctou_app");
+    const engineSchema = uniqueSchema("adversarial_toctou_engine");
+    schemasToDrop.push(appSchema, engineSchema);
+
+    await dropSchemas(sql, appSchema, engineSchema);
+    await sql`CREATE SCHEMA ${sql(appSchema)}`;
+    await sql`CREATE TABLE ${sql(appSchema)}.users (id SERIAL PRIMARY KEY, email TEXT NOT NULL, full_name TEXT NOT NULL)`;
+    await sql`
+      CREATE TABLE ${sql(appSchema)}.orders (
+        id SERIAL PRIMARY KEY,
+        user_id INTEGER REFERENCES ${sql(appSchema)}.users(id),
+        amount NUMERIC NOT NULL
+      )
+    `;
+    await sql.unsafe(`
+      CREATE FUNCTION "${appSchema}".slow_user_update()
+      RETURNS trigger
+      LANGUAGE plpgsql
+      AS $$
+      BEGIN
+        PERFORM pg_sleep(1);
+        RETURN NEW;
+      END;
+      $$;
+      CREATE TRIGGER slow_user_update
+      BEFORE UPDATE ON "${appSchema}".users
+      FOR EACH ROW EXECUTE FUNCTION "${appSchema}".slow_user_update();
+    `);
+    await runMigrations(sql, engineSchema);
+
+    const userId = await insertUser(sql, appSchema, "race@example.com", "Race User");
+    getDependencyGraphMock.mockClear();
+    getDependencyGraphMock.mockResolvedValue([]);
+
+    const vaultPromise = vaultUser(sql, userId, TEST_SECRETS, buildVaultOptions(appSchema, engineSchema, new Date()));
+    await new Promise((resolve) => setTimeout(resolve, 120));
+
+    const insertPromise = sql`
+      INSERT INTO ${sql(appSchema)}.orders (user_id, amount)
+      VALUES (${userId}, 10.5)
+      RETURNING id
+    `;
+    const earlyOutcome = await Promise.race([
+      insertPromise.then(() => "done"),
+      new Promise<"blocked">((resolve) => setTimeout(() => resolve("blocked"), 200)),
+    ]);
+
+    expect(earlyOutcome).toBe("blocked");
+    const vaultResult = await vaultPromise;
+    expect(vaultResult.action).toBe("vaulted");
+    expect(getDependencyGraphMock).not.toHaveBeenCalled();
+
+    const insertOutcome = await insertPromise.then(
+      () => "inserted",
+      () => "failed"
+    );
+    expect(["inserted", "failed"]).toContain(insertOutcome);
+
+    const [vaultRow] = await sql`
+      SELECT user_uuid_hash
+      FROM ${sql(engineSchema)}.pii_vault
+      WHERE root_schema = ${appSchema}
+        AND root_table = 'users'
+        AND root_id = ${userId.toString()}
+    `;
+    expect(vaultRow?.user_uuid_hash).toBe(vaultResult.userHash);
+  });
+
+  it("Vector 3: terminates cyclic traversal and trips depth circuit breaker at >32", async () => {
+    const { getDependencyGraph } = await vi.importActual<typeof import("@modules/db/graph")>("@modules/db/graph");
+    const cycleSchema = uniqueSchema("adversarial_cycle");
+    schemasToDrop.push(cycleSchema);
+
+    await dropSchemas(sql, cycleSchema);
+    await sql`CREATE SCHEMA ${sql(cycleSchema)}`;
+    await sql`CREATE TABLE ${sql(cycleSchema)}.circ_a (id SERIAL PRIMARY KEY)`;
+    await sql`
+      CREATE TABLE ${sql(cycleSchema)}.circ_b (
+        id SERIAL PRIMARY KEY,
+        a_id INTEGER REFERENCES ${sql(cycleSchema)}.circ_a(id)
+      )
+    `;
+    await sql`ALTER TABLE ${sql(cycleSchema)}.circ_a ADD COLUMN b_id INTEGER REFERENCES ${sql(cycleSchema)}.circ_b(id)`;
+
+    const cyclicGraph = await getDependencyGraph(sql, cycleSchema, "circ_a", { maxDepth: 32 });
+    const circBRows = cyclicGraph.filter((row) => row.table_name === `${cycleSchema}.circ_b`);
+    expect(circBRows).toHaveLength(1);
+
+    const deepSchema = uniqueSchema("adversarial_depth");
+    schemasToDrop.push(deepSchema);
+    await dropSchemas(sql, deepSchema);
+    await sql`CREATE SCHEMA ${sql(deepSchema)}`;
+    await sql`CREATE TABLE ${sql(deepSchema)}.users (id SERIAL PRIMARY KEY)`;
+
+    let parentTable = "users";
+    for (let depth = 1; depth <= 33; depth += 1) {
+      const table = `level_${depth}`;
+      await sql`
+        CREATE TABLE ${sql(deepSchema)}.${sql(table)} (
+          id SERIAL PRIMARY KEY,
+          parent_id INTEGER REFERENCES ${sql(deepSchema)}.${sql(parentTable)}(id)
+        )
+      `;
+      parentTable = table;
+    }
+
+    await expect(getDependencyGraph(sql, deepSchema, "users", { maxDepth: 32 })).rejects.toThrow(/safety limit/i);
+  });
+
+  it("Vector 4: rejects corrupted AES-GCM auth tags and halts decryption", async () => {
+    const appSchema = uniqueSchema("adversarial_crypto_app");
+    const engineSchema = uniqueSchema("adversarial_crypto_engine");
+    schemasToDrop.push(appSchema, engineSchema);
+
+    await dropSchemas(sql, appSchema, engineSchema);
+    await sql`CREATE SCHEMA ${sql(appSchema)}`;
+    await sql`CREATE TABLE ${sql(appSchema)}.users (id SERIAL PRIMARY KEY, email TEXT NOT NULL, full_name TEXT NOT NULL)`;
+    await sql`
+      CREATE TABLE ${sql(appSchema)}.orders (
+        id SERIAL PRIMARY KEY,
+        user_id INTEGER REFERENCES ${sql(appSchema)}.users(id),
+        amount NUMERIC NOT NULL
+      )
+    `;
+    await runMigrations(sql, engineSchema);
+
+    getDependencyGraphMock.mockClear();
+    getDependencyGraphMock.mockResolvedValue([
+      {
+        table_schema: appSchema,
+        table_name: `${appSchema}.orders`,
+        column_name: "user_id",
+        parent_table: `${appSchema}.users`,
+        depth: 1,
+      },
+    ]);
+
+    const userId = await insertUser(sql, appSchema, "cipher@example.com", "Cipher User");
+    const result = await vaultUser(sql, userId, TEST_SECRETS, buildVaultOptions(appSchema, engineSchema, new Date()));
+    expect(result.action).toBe("vaulted");
+
+    const [vaultRow] = await sql`
+      SELECT encrypted_pii
+      FROM ${sql(engineSchema)}.pii_vault
+      WHERE user_uuid_hash = ${result.userHash}
+    `;
+    const [keyRow] = await sql`
+      SELECT encrypted_dek
+      FROM ${sql(engineSchema)}.user_keys
+      WHERE user_uuid_hash = ${result.userHash}
+    `;
+
+    const wrappedDek = new Uint8Array(keyRow!.encrypted_dek);
+    const dek = await unwrapKey(wrappedDek, TEST_SECRETS.kek);
+    const payload = vaultRow!.encrypted_pii as { data: string };
+    const encryptedBytes = new Uint8Array(Buffer.from(payload.data, "base64"));
+    if (encryptedBytes.length === 0) {
+      throw new Error("Encrypted payload unexpectedly empty.");
+    }
+    const tagByteIndex = encryptedBytes.length - 1;
+    encryptedBytes[tagByteIndex] = encryptedBytes[tagByteIndex]! ^ 0xff;
+
+    await expect(decryptGCM(encryptedBytes, dek)).rejects.toThrow();
+  });
+
+  it("Vector 5: retries with exponential backoff and dead-letters after 10 consecutive 500s", async () => {
+    const engineSchema = uniqueSchema("adversarial_outbox_engine");
+    schemasToDrop.push(engineSchema);
+
+    await dropSchemas(sql, engineSchema);
+    await runMigrations(sql, engineSchema);
+
+    await sql`
+      INSERT INTO ${sql(engineSchema)}.outbox (
+        idempotency_key,
+        user_uuid_hash,
+        event_type,
+        payload,
+        previous_hash,
+        current_hash,
+        status,
+        attempt_count,
+        next_attempt_at,
+        created_at,
+        updated_at
+      )
+      VALUES (
+        'adversarial:event:1',
+        'user-hash-1',
+        'USER_VAULTED',
+        ${sql.json({ rootId: "1" })},
+        'GENESIS',
+        'hash-1',
+        'pending',
+        0,
+        ${new Date("2026-04-18T00:00:00.000Z")},
+        NOW(),
+        NOW()
+      )
+    `;
+
+    let now = new Date("2026-04-18T00:00:00.000Z");
+    let deliveryCalls = 0;
+    const baseBackoffMs = 250;
+
+    for (let attempt = 1; attempt <= 10; attempt += 1) {
+      const result = await processOutbox(
+        sql,
+        async () => {
+          deliveryCalls += 1;
+          throw new Error("Brain API responded with HTTP 500.");
+        },
+        {
+          engineSchema,
+          batchSize: 1,
+          maxAttempts: 10,
+          baseBackoffMs,
+          now,
+        }
+      );
+
+      const [row] = await sql<{
+        status: "pending" | "dead_letter";
+        attempt_count: number;
+        next_attempt_at: Date;
+        last_error: string | null;
+      }[]>`
+        SELECT status, attempt_count, next_attempt_at, last_error
+        FROM ${sql(engineSchema)}.outbox
+        WHERE idempotency_key = 'adversarial:event:1'
+      `;
+
+      expect(result.failed).toBe(1);
+      expect(row?.attempt_count).toBe(attempt);
+      expect(row?.last_error).toContain("HTTP 500");
+
+      if (attempt < 10) {
+        expect(result.deadLettered).toBe(0);
+        expect(row?.status).toBe("pending");
+        const expectedDelay = calculateRetryDelayMs(attempt, baseBackoffMs);
+        expect(new Date(row!.next_attempt_at).getTime()).toBe(now.getTime() + expectedDelay);
+        now = new Date(now.getTime() + expectedDelay);
+      } else {
+        expect(result.deadLettered).toBe(1);
+        expect(row?.status).toBe("dead_letter");
+      }
+    }
+
+    expect(deliveryCalls).toBe(10);
+  });
+});

package/tests/blob-s3.test.ts

@@ -0,0 +1,216 @@
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import type { Sql } from "@/types";
+import { shredUser } from "@modules/engine";
+import { vaultUser } from "@modules/engine";
+import { type S3Client } from "@modules/network";
+import {
+  TEST_SECRETS,
+  createTestSql,
+  dropSchemas,
+  insertUser,
+  prepareWorkerSchemas,
+  uniqueSchema,
+} from "./helpers";
+
+describe("S3 blob compliance provider", () => {
+  let sql: Sql;
+  const schemasToDrop: string[] = [];
+
+  beforeAll(() => {
+    sql = createTestSql();
+  });
+
+  afterAll(async () => {
+    await dropSchemas(sql, ...schemasToDrop);
+    await sql.end();
+  });
+
+  async function prepare() {
+    const appSchema = uniqueSchema("blob_app");
+    const engineSchema = uniqueSchema("blob_engine");
+    schemasToDrop.push(appSchema, engineSchema);
+    await prepareWorkerSchemas(sql, appSchema, engineSchema, { withDependencies: true });
+    await sql`ALTER TABLE ${sql(appSchema)}.users ADD COLUMN kyc_document_url TEXT`;
+    const userId = await insertUser(sql, appSchema, "blob@example.com", "Blob User");
+    await sql`
+      UPDATE ${sql(appSchema)}.users
+      SET kyc_document_url = 's3://kyc-bucket/kyc/john-doe-aadhar.pdf?versionId=v1'
+      WHERE id = ${userId}
+    `;
+
+    return { appSchema, engineSchema, userId };
+  }
+
+  function mockS3Client() {
+    const client: S3Client = {
+      headObject: vi.fn(async (input) => ({
+        bucket: input.bucket,
+        key: input.key,
+        versionId: input.versionId ?? "v1",
+        eTag: "etag-v1",
+      })),
+      putObjectLegalHold: vi.fn(async () => undefined),
+      listObjectVersions: vi.fn(async () => [
+        { key: "kyc/john-doe-aadhar.pdf", versionId: "v1", eTag: "etag-v1", isDeleteMarker: false },
+        { key: "kyc/john-doe-aadhar.pdf", versionId: "v2", eTag: "etag-v2", isDeleteMarker: false },
+        { key: "kyc/john-doe-aadhar.pdf", versionId: "delete-marker", eTag: null, isDeleteMarker: true },
+      ]),
+      deleteObjectVersion: vi.fn(async (input) => ({
+        key: input.key,
+        versionId: input.versionId ?? null,
+        deleteMarker: false,
+        status: 204,
+      })),
+      putObject: vi.fn(async (input) => ({
+        key: input.key,
+        versionId: "sanitized-v1",
+        eTag: "sanitized-etag",
+        status: 200,
+      })),
+    };
+
+    return client;
+  }
+
+  it("applies legal hold, masks the DB URL, and stores raw object coordinates only in the worker schema", async () => {
+    const { appSchema, engineSchema, userId } = await prepare();
+    const s3Client = mockS3Client();
+
+    const result = await vaultUser(sql, userId, TEST_SECRETS, {
+      appSchema,
+      engineSchema,
+      rootTable: "users",
+      rootIdColumn: "id",
+      rootPiiColumns: {
+        email: "HMAC",
+        full_name: "STATIC_MASK",
+      },
+      satelliteTargets: [],
+      blobTargets: [
+        {
+          table: "users",
+          column: "kyc_document_url",
+          provider: "aws_s3",
+          region: "ap-south-1",
+          action: "versioned_hard_delete",
+          retention_mode: "governance",
+          expected_bucket_owner: "123456789012",
+          require_version_id: true,
+        },
+      ],
+      s3Client,
+      now: new Date("2026-01-10T00:00:00.000Z"),
+    });
+
+    expect(result.action).toBe("vaulted");
+    expect(result.blobProtectionCount).toBe(1);
+    expect(s3Client.putObjectLegalHold).toHaveBeenCalledWith(expect.objectContaining({
+      bucket: "kyc-bucket",
+      key: "kyc/john-doe-aadhar.pdf",
+      versionId: "v1",
+      expectedBucketOwner: "123456789012",
+      status: "ON",
+    }));
+
+    const [user] = await sql<{ kyc_document_url: string }[]>`
+      SELECT kyc_document_url
+      FROM ${sql(appSchema)}.users
+      WHERE id = ${userId}
+    `;
+    expect(user?.kyc_document_url).toMatch(/^[0-9a-f]{64}$/);
+
+    const [blobRow] = await sql`
+      SELECT *
+      FROM ${sql(engineSchema)}.blob_objects
+      WHERE user_uuid_hash = ${result.userHash}
+    `;
+    expect(blobRow?.bucket).toBe("kyc-bucket");
+    expect(blobRow?.object_key).toBe("kyc/john-doe-aadhar.pdf");
+    expect(blobRow?.version_id).toBe("v1");
+    expect(blobRow?.expected_bucket_owner).toBe("123456789012");
+
+    const [outboxRow] = await sql<{ payload: { blob_protections: unknown[] } }[]>`
+      SELECT payload
+      FROM ${sql(engineSchema)}.outbox
+      WHERE event_type = 'USER_VAULTED'
+    `;
+    expect(JSON.stringify(outboxRow?.payload)).not.toContain("john-doe-aadhar");
+    expect(outboxRow?.payload.blob_protections).toHaveLength(1);
+  });
+
+  it("removes legal hold and deletes every S3 version during shredding", async () => {
+    const { appSchema, engineSchema, userId } = await prepare();
+    const s3Client = mockS3Client();
+    const now = new Date("2026-01-10T00:00:00.000Z");
+
+    const vaultResult = await vaultUser(sql, userId, TEST_SECRETS, {
+      appSchema,
+      engineSchema,
+      rootTable: "users",
+      rootIdColumn: "id",
+      rootPiiColumns: {
+        email: "HMAC",
+        full_name: "STATIC_MASK",
+      },
+      satelliteTargets: [],
+      blobTargets: [
+        {
+          table: "users",
+          column: "kyc_document_url",
+          provider: "aws_s3",
+          region: "ap-south-1",
+          action: "versioned_hard_delete",
+          retention_mode: "governance",
+          expected_bucket_owner: "123456789012",
+          require_version_id: true,
+        },
+      ],
+      s3Client,
+      now,
+    });
+
+    await sql`
+      UPDATE ${sql(engineSchema)}.pii_vault
+      SET notification_sent_at = ${now},
+          retention_expiry = ${now}
+      WHERE user_uuid_hash = ${vaultResult.userHash}
+    `;
+
+    const shredResult = await shredUser(sql, userId, {
+      appSchema,
+      engineSchema,
+      rootTable: "users",
+      now,
+      hmacKey: TEST_SECRETS.hmacKey,
+      s3Client,
+    });
+
+    expect(shredResult.action).toBe("shredded");
+    expect(shredResult.blobReceiptCount).toBe(1);
+    expect(s3Client.putObjectLegalHold).toHaveBeenCalledWith(expect.objectContaining({
+      versionId: "v1",
+      expectedBucketOwner: "123456789012",
+      status: "OFF",
+    }));
+    expect(s3Client.deleteObjectVersion).toHaveBeenCalledTimes(3);
+    expect(s3Client.deleteObjectVersion).toHaveBeenCalledWith(expect.objectContaining({ versionId: "v1", expectedBucketOwner: "123456789012" }));
+    expect(s3Client.deleteObjectVersion).toHaveBeenCalledWith(expect.objectContaining({ versionId: "v2", expectedBucketOwner: "123456789012" }));
+    expect(s3Client.deleteObjectVersion).toHaveBeenCalledWith(expect.objectContaining({ versionId: "delete-marker", expectedBucketOwner: "123456789012" }));
+
+    const [blobRow] = await sql<{ shred_status: string; shred_receipt: { deletedVersionIdHashes: string[] } }[]>`
+      SELECT shred_status, shred_receipt
+      FROM ${sql(engineSchema)}.blob_objects
+      WHERE user_uuid_hash = ${vaultResult.userHash}
+    `;
+    expect(blobRow?.shred_status).toBe("purged");
+    expect(blobRow?.shred_receipt.deletedVersionIdHashes).toHaveLength(3);
+
+    const [outboxRow] = await sql<{ payload: { blob_receipts: unknown[] } }[]>`
+      SELECT payload
+      FROM ${sql(engineSchema)}.outbox
+      WHERE event_type = 'SHRED_SUCCESS'
+    `;
+    expect(JSON.stringify(outboxRow?.payload)).not.toContain("john-doe-aadhar");
+    expect(outboxRow?.payload.blob_receipts).toHaveLength(1);
+  });
+});