npm - dpdp-erasure-cli - Versions diffs - 1.0.0 - Mend

dpdp-erasure-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/.env.example +55 -0
package/Dockerfile +33 -0
package/compliance.worker.yaml +64 -0
package/package.json +41 -0
package/src/constants/index.ts +1 -0
package/src/errors/fail.ts +110 -0
package/src/errors/index.ts +4 -0
package/src/errors/inferer.ts +166 -0
package/src/errors/registry.ts +122 -0
package/src/errors/types.ts +65 -0
package/src/errors/worker.ts +161 -0
package/src/index.ts +328 -0
package/src/lib/crypto/digest.ts +22 -0
package/src/lib/crypto/encoding.ts +78 -0
package/src/lib/crypto/index.ts +2 -0
package/src/lib/index.ts +1 -0
package/src/modules/bootstrap/index.ts +2 -0
package/src/modules/bootstrap/integrity.ts +38 -0
package/src/modules/bootstrap/preflight.ts +296 -0
package/src/modules/cli/check-integrity.ts +48 -0
package/src/modules/cli/dry-run.ts +90 -0
package/src/modules/cli/graph.ts +87 -0
package/src/modules/cli/index.ts +184 -0
package/src/modules/cli/init.ts +115 -0
package/src/modules/cli/inspect.ts +86 -0
package/src/modules/cli/introspector.ts +117 -0
package/src/modules/cli/keygen.ts +38 -0
package/src/modules/cli/scan.ts +126 -0
package/src/modules/cli/sign.ts +50 -0
package/src/modules/cli/ui.ts +61 -0
package/src/modules/cli/verify-schema.ts +31 -0
package/src/modules/cli/verify.ts +85 -0
package/src/modules/config/compatibility.ts +271 -0
package/src/modules/config/index.ts +4 -0
package/src/modules/config/reader.ts +149 -0
package/src/modules/config/signature.ts +69 -0
package/src/modules/config/validation.ts +658 -0
package/src/modules/crypto/aes.ts +158 -0
package/src/modules/crypto/envelope.ts +48 -0
package/src/modules/crypto/hmac.ts +60 -0
package/src/modules/crypto/index.ts +3 -0
package/src/modules/db/drift.ts +36 -0
package/src/modules/db/graph.ts +203 -0
package/src/modules/db/index.ts +4 -0
package/src/modules/db/migrations.ts +254 -0
package/src/modules/db/sql-debug.ts +61 -0
package/src/modules/engine/blob/index.ts +3 -0
package/src/modules/engine/blob/s3.ts +455 -0
package/src/modules/engine/blob/store.ts +236 -0
package/src/modules/engine/blob/types.ts +44 -0
package/src/modules/engine/helpers/identity.ts +47 -0
package/src/modules/engine/helpers/index.ts +4 -0
package/src/modules/engine/helpers/outbox.ts +118 -0
package/src/modules/engine/helpers/runtime.ts +115 -0
package/src/modules/engine/helpers/types.ts +61 -0
package/src/modules/engine/index.ts +6 -0
package/src/modules/engine/notifier/config.ts +147 -0
package/src/modules/engine/notifier/dispatcher.ts +300 -0
package/src/modules/engine/notifier/index.ts +3 -0
package/src/modules/engine/notifier/payload.ts +51 -0
package/src/modules/engine/notifier/reservation.ts +153 -0
package/src/modules/engine/notifier/types.ts +38 -0
package/src/modules/engine/shredder.ts +254 -0
package/src/modules/engine/types.ts +146 -0
package/src/modules/engine/vault/compiled-targets.ts +562 -0
package/src/modules/engine/vault/context.ts +254 -0
package/src/modules/engine/vault/dry-run.ts +94 -0
package/src/modules/engine/vault/execution.ts +485 -0
package/src/modules/engine/vault/index.ts +3 -0
package/src/modules/engine/vault/purge.ts +82 -0
package/src/modules/engine/vault/retention.ts +124 -0
package/src/modules/engine/vault/satellite-mutation.ts +193 -0
package/src/modules/engine/vault/satellite.ts +103 -0
package/src/modules/engine/vault/shadow.ts +36 -0
package/src/modules/engine/vault/static-plan.ts +116 -0
package/src/modules/engine/vault/store.ts +34 -0
package/src/modules/engine/vault/vault.ts +84 -0
package/src/modules/introspector/classifier.ts +502 -0
package/src/modules/introspector/dag.ts +276 -0
package/src/modules/introspector/index.ts +7 -0
package/src/modules/introspector/naming.ts +75 -0
package/src/modules/introspector/report.ts +153 -0
package/src/modules/introspector/run.ts +123 -0
package/src/modules/introspector/s3-sampler.ts +227 -0
package/src/modules/introspector/types.ts +131 -0
package/src/modules/introspector/yaml.ts +101 -0
package/src/modules/network/api/control-plane.ts +275 -0
package/src/modules/network/api/index.ts +1 -0
package/src/modules/network/api/validation.ts +71 -0
package/src/modules/network/index.ts +4 -0
package/src/modules/network/object-store/aws/client.ts +444 -0
package/src/modules/network/object-store/aws/credentials.ts +271 -0
package/src/modules/network/object-store/aws/index.ts +2 -0
package/src/modules/network/object-store/aws/sigv4.ts +190 -0
package/src/modules/network/object-store/aws/type.ts +6 -0
package/src/modules/network/object-store/index.ts +1 -0
package/src/modules/network/outbox/dispatcher.ts +183 -0
package/src/modules/network/outbox/index.ts +3 -0
package/src/modules/network/outbox/process.ts +133 -0
package/src/modules/network/outbox/shared.ts +56 -0
package/src/modules/network/outbox/store.ts +346 -0
package/src/modules/network/outbox/types.ts +54 -0
package/src/modules/network/request-signing.ts +61 -0
package/src/modules/worker/index.ts +2 -0
package/src/modules/worker/tasks.ts +58 -0
package/src/modules/worker/types.ts +89 -0
package/src/modules/worker/worker.ts +243 -0
package/src/secrets/index.ts +4 -0
package/src/secrets/kms/index.ts +2 -0
package/src/secrets/kms/signature.ts +82 -0
package/src/secrets/kms/validation.ts +64 -0
package/src/secrets/reader.ts +42 -0
package/src/secrets/repository/crypto.ts +89 -0
package/src/secrets/repository/index.ts +2 -0
package/src/secrets/repository/methods.ts +37 -0
package/src/secrets/resolvers.ts +247 -0
package/src/secrets/signature.ts +78 -0
package/src/types/index.ts +1 -0
package/src/types/types.ts +23 -0
package/src/utils/identifiers.ts +48 -0
package/src/utils/index.ts +3 -0
package/src/utils/json.ts +35 -0
package/src/utils/logger.ts +161 -0
package/src/validation/zod.ts +70 -0
package/tests/adversarial.test.ts +464 -0
package/tests/blob-s3.test.ts +216 -0
package/tests/config.test.ts +395 -0
package/tests/control-plane-client.test.ts +108 -0
package/tests/crypto.test.ts +106 -0
package/tests/errors.test.ts +69 -0
package/tests/fetch-dispatcher.test.ts +213 -0
package/tests/graph.test.ts +84 -0
package/tests/helpers/index.ts +101 -0
package/tests/index-preflight.test.ts +168 -0
package/tests/introspector-classifier.test.ts +62 -0
package/tests/introspector-report.test.ts +85 -0
package/tests/introspector.test.ts +394 -0
package/tests/kms.test.ts +124 -0
package/tests/logger.test.ts +61 -0
package/tests/notifier.test.ts +303 -0
package/tests/outbox.test.ts +478 -0
package/tests/purge-policy.test.ts +124 -0
package/tests/retention.test.ts +103 -0
package/tests/s3-client.test.ts +110 -0
package/tests/satellite.test.ts +119 -0
package/tests/schema-compatibility.test.ts +237 -0
package/tests/schema-integrity.test.ts +64 -0
package/tests/shredder.test.ts +163 -0
package/tests/vault.compiled-targets.test.ts +243 -0
package/tests/vault.replica.test.ts +59 -0
package/tests/vault.test.ts +279 -0
package/tests/worker.retry.test.ts +291 -0
package/tests/worker.test.ts +200 -0
package/tsconfig.json +19 -0
package/vitest.config.ts +13 -0

package/tests/outbox.test.ts ADDED Viewed

@@ -0,0 +1,478 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import type { Sql } from "@/types";
+import { workerError } from "@/errors";
+import { createTestSql, dropSchemas, uniqueSchema } from "./helpers";
+import { runMigrations } from "@modules/db";
+import { processOutbox, type OutboxEvent } from "@modules/network";
+import { enqueueOutboxEvent } from "@modules/engine";
+import { calculateRetryDelayMs } from "@modules/network/outbox/shared";
+describe("Network Outbox Relay", () => {
+  let sql: Sql;
+  const schemasToDrop: string[] = [];
+  beforeAll(() => {
+    sql = createTestSql();
+  });
+  afterAll(async () => {
+    await dropSchemas(sql, ...schemasToDrop);
+    await sql.end();
+  });
+  async function prepare() {
+    const engineSchema = uniqueSchema("outbox_engine");
+    schemasToDrop.push(engineSchema);
+    await dropSchemas(sql, engineSchema);
+    await runMigrations(sql, engineSchema);
+    return { engineSchema };
+  }
+  function toHex(buffer: ArrayBuffer): string {
+    return Array.from(new Uint8Array(buffer), (byte) => byte.toString(16).padStart(2, "0")).join("");
+  }
+  async function seedEvent(
+    engineSchema: string,
+    idempotencyKey: string,
+    userHash: string,
+    eventType: string,
+    nextAttemptAt: Date = new Date(),
+    createdAt: Date = new Date(),
+    previousHash: string = "GENESIS"
+  ) {
+    await sql`
+      INSERT INTO ${sql(engineSchema)}.outbox (
+        idempotency_key,
+        user_uuid_hash,
+        event_type,
+        payload,
+        previous_hash,
+        current_hash,
+        status,
+        attempt_count,
+        next_attempt_at,
+        created_at,
+        updated_at
+      )
+      VALUES (
+        ${idempotencyKey},
+        ${userHash},
+        ${eventType},
+        '{}'::jsonb,
+        ${previousHash},
+        ${`${idempotencyKey}-hash`},
+        'pending',
+        0,
+        ${nextAttemptAt},
+        ${createdAt},
+        ${createdAt}
+      )
+    `;
+  }
+  it("processes due events and marks them as processed", async () => {
+    const { engineSchema } = await prepare();
+    const baseTime = new Date("2026-04-15T00:00:00.000Z");
+    const laterTime = new Date("2026-04-15T00:00:01.000Z");
+    await seedEvent(engineSchema, "event-1", "user1", "TEST_EVENT", baseTime, baseTime);
+    await seedEvent(engineSchema, "event-2", "user2", "TEST_EVENT", baseTime, laterTime, "event-1-hash");
+    const result = await processOutbox(sql, async () => true, { engineSchema, batchSize: 10 });
+    expect(result).toEqual({
+      claimed: 2,
+      processed: 2,
+      failed: 0,
+      deadLettered: 0,
+    });
+    const rows = await sql`SELECT status, processed_at FROM ${sql(engineSchema)}.outbox ORDER BY idempotency_key ASC`;
+    expect(rows.every((row) => row.status === "processed")).toBe(true);
+    expect(rows.every((row) => row.processed_at !== null)).toBe(true);
+  });
+  it("preserves WORM order instead of prioritizing terminal events ahead of predecessors", async () => {
+    const { engineSchema } = await prepare();
+    const baseTime = new Date("2026-04-15T00:00:00.000Z");
+    const laterTime = new Date("2026-04-15T00:00:01.000Z");
+    await seedEvent(
+      engineSchema,
+      "vault-old",
+      "user-old",
+      "USER_VAULTED",
+      baseTime,
+      baseTime
+    );
+    await seedEvent(
+      engineSchema,
+      "shred-new",
+      "user-new",
+      "SHRED_SUCCESS",
+      baseTime,
+      laterTime,
+      "vault-old-hash"
+    );
+    const delivered: string[] = [];
+    const result = await processOutbox(
+      sql,
+      async (event) => {
+        delivered.push(event.idempotency_key);
+        return true;
+      },
+      { engineSchema, batchSize: 2, now: laterTime }
+    );
+    expect(result.processed).toBe(2);
+    expect(delivered).toEqual(["vault-old", "shred-new"]);
+  });
+  it("chains outbox events with tamper-evident hashes", async () => {
+    const { engineSchema } = await prepare();
+    const now = new Date("2026-04-15T00:00:00.000Z");
+    const next = new Date("2026-04-15T00:00:01.000Z");
+    await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-1",
+        "USER_VAULTED",
+        { rootId: "1", state: "vaulted" },
+        "vault:tenant:users:1",
+        now
+      )
+    );
+    await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-2",
+        "NOTIFICATION_SENT",
+        { rootId: "2", state: "notified" },
+        "notice:tenant:users:2",
+        next
+      )
+    );
+    await processOutbox(sql, async () => true, { engineSchema, batchSize: 10, now: next });
+    const expectedFirstBuffer = await globalThis.crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(
+        `GENESIS${JSON.stringify({ rootId: "1", state: "vaulted" })}vault:tenant:users:1`
+      )
+    );
+    const expectedFirstHash = toHex(expectedFirstBuffer);
+    const expectedSecondBuffer = await globalThis.crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode(
+        `${expectedFirstHash}${JSON.stringify({ rootId: "2", state: "notified" })}notice:tenant:users:2`
+      )
+    );
+    const expectedSecondHash = toHex(expectedSecondBuffer);
+    const rows = await sql`
+      SELECT idempotency_key, previous_hash, current_hash, chain_status
+      FROM ${sql(engineSchema)}.outbox
+      ORDER BY created_at ASC, id ASC
+    `;
+    expect(rows).toEqual([
+      {
+        idempotency_key: "vault:tenant:users:1",
+        previous_hash: "GENESIS",
+        current_hash: expectedFirstHash,
+        chain_status: "finalized",
+      },
+      {
+        idempotency_key: "notice:tenant:users:2",
+        previous_hash: expectedFirstHash,
+        current_hash: expectedSecondHash,
+        chain_status: "finalized",
+      },
+    ]);
+  });
+  it("returns the existing finalized row on idempotent replay without mutating the chain", async () => {
+    const { engineSchema } = await prepare();
+    const now = new Date("2026-04-15T00:00:00.000Z");
+    const first = await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-1",
+        "USER_VAULTED",
+        { rootId: "1", state: "vaulted" },
+        "vault:tenant:users:1",
+        now
+      )
+    );
+    await processOutbox(sql, async () => true, { engineSchema, batchSize: 10, now });
+    const replay = await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-1",
+        "USER_VAULTED",
+        { rootId: "1", state: "mutated" },
+        "vault:tenant:users:1",
+        new Date("2026-04-15T00:00:30.000Z")
+      )
+    );
+    expect(replay.id).toBe(first.id);
+    expect(replay.previous_hash).toBe("GENESIS");
+    expect(replay.chain_status).toBe("finalized");
+    const rows = await sql`
+      SELECT payload, previous_hash, current_hash, chain_status
+      FROM ${sql(engineSchema)}.outbox
+      WHERE idempotency_key = 'vault:tenant:users:1'
+    `;
+    expect(rows).toHaveLength(1);
+    expect(rows[0]?.payload).toEqual({ rootId: "1", state: "vaulted" });
+    expect(rows[0]?.previous_hash).toBe("GENESIS");
+    expect(rows[0]?.current_hash).toBe(replay.current_hash);
+    expect(rows[0]?.chain_status).toBe("finalized");
+  });
+  it("produces identical hashes for semantically equivalent payloads with different key order", async () => {
+    const { engineSchema } = await prepare();
+    const now = new Date("2026-04-15T00:00:00.000Z");
+    const first = await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-1",
+        "USER_VAULTED",
+        { b: "second", a: "first", nested: { y: 2, x: 1 } },
+        "vault:tenant:users:ordered",
+        now
+      )
+    );
+    await processOutbox(sql, async () => true, { engineSchema, batchSize: 10, now });
+    const replay = await sql.begin((tx) =>
+      enqueueOutboxEvent(
+        tx,
+        engineSchema,
+        "user-hash-1",
+        "USER_VAULTED",
+        { nested: { x: 1, y: 2 }, a: "first", b: "second" },
+        "vault:tenant:users:ordered",
+        new Date("2026-04-15T00:00:30.000Z")
+      )
+    );
+    expect(replay.id).toBe(first.id);
+    expect(replay.chain_status).toBe("finalized");
+  });
+  it("requeues failed events with backoff and error context", async () => {
+    const { engineSchema } = await prepare();
+    const now = new Date("2026-04-15T00:00:00.000Z");
+    await seedEvent(engineSchema, "event-3", "user3", "FAIL_EVENT", now);
+    const result = await processOutbox(
+      sql,
+      async () => {
+        throw new Error("Network Error");
+      },
+      {
+        engineSchema,
+        batchSize: 10,
+        now,
+        baseBackoffMs: 500,
+        maxAttempts: 3,
+      }
+    );
+    expect(result).toEqual({
+      claimed: 1,
+      processed: 0,
+      failed: 1,
+      deadLettered: 0,
+    });
+    const [row] = await sql`
+      SELECT status, attempt_count, next_attempt_at, last_error
+      FROM ${sql(engineSchema)}.outbox
+      WHERE idempotency_key = 'event-3'
+    `;
+    expect(row?.status).toBe("pending");
+    expect(row?.attempt_count).toBe(1);
+    expect(row?.last_error).toContain("Network Error");
+    expect(new Date(row!.next_attempt_at).getTime()).toBe(now.getTime() + calculateRetryDelayMs(1, 500));
+  });
+  it("moves an event to dead_letter after the maximum retry count is reached", async () => {
+    const { engineSchema } = await prepare();
+    await seedEvent(engineSchema, "event-4", "user4", "FAIL_EVENT");
+    const result = await processOutbox(
+      sql,
+      async () => {
+        throw new Error("Permanent Failure");
+      },
+      {
+        engineSchema,
+        batchSize: 10,
+        maxAttempts: 1,
+      }
+    );
+    expect(result).toEqual({
+      claimed: 1,
+      processed: 0,
+      failed: 1,
+      deadLettered: 1,
+    });
+    const [row] = await sql`
+      SELECT status, attempt_count, last_error
+      FROM ${sql(engineSchema)}.outbox
+      WHERE idempotency_key = 'event-4'
+    `;
+    expect(row?.status).toBe("dead_letter");
+    expect(row?.attempt_count).toBe(1);
+    expect(row?.last_error).toContain("Permanent Failure");
+  });
+  it("releases the lease and rethrows fatal delivery errors without burning retry attempts", async () => {
+    const { engineSchema } = await prepare();
+    await seedEvent(engineSchema, "event-fatal", "user-fatal", "AUTH_FAIL");
+    await expect(
+      processOutbox(
+        sql,
+        async () => {
+          throw workerError({
+            code: "OUTBOX_AUTH_REJECTED",
+            title: "Control Plane authentication rejected outbox event",
+            detail: "Brain API responded with HTTP 401.",
+            category: "configuration",
+            retryable: false,
+            fatal: true,
+          });
+        },
+        {
+          engineSchema,
+          batchSize: 10,
+        }
+      )
+    ).rejects.toMatchObject({
+      code: "OUTBOX_AUTH_REJECTED",
+      fatal: true,
+    });
+    const [row] = await sql`
+      SELECT status, attempt_count, lease_token, lease_expires_at, last_error
+      FROM ${sql(engineSchema)}.outbox
+      WHERE idempotency_key = 'event-fatal'
+    `;
+    expect(row?.status).toBe("pending");
+    expect(row?.attempt_count).toBe(0);
+    expect(row?.lease_token).toBeNull();
+    expect(row?.lease_expires_at).toBeNull();
+    expect(row?.last_error).toContain("HTTP 401");
+  });
+  it("handles concurrent workers without duplicating event delivery", async () => {
+    const { engineSchema } = await prepare();
+    await enqueueOutboxEvent(sql, engineSchema, "user5", "CONCURRENT", {}, "event-5", new Date());
+    await enqueueOutboxEvent(sql, engineSchema, "user6", "CONCURRENT", {}, "event-6", new Date());
+    await enqueueOutboxEvent(sql, engineSchema, "user7", "CONCURRENT", {}, "event-7", new Date());
+    const deliveredIds = new Set<string>();
+    const syncFn = async (event: OutboxEvent) => {
+      await new Promise((resolve) => setTimeout(resolve, 50));
+      if (deliveredIds.has(event.id)) {
+        throw new Error(`Duplicate delivery for ${event.id}`);
+      }
+      deliveredIds.add(event.id);
+      return true;
+    };
+    let processed = 0;
+    for (let round = 0; round < 10 && processed < 3; round += 1) {
+      const results = await Promise.all([
+        processOutbox(sql, syncFn, { engineSchema, batchSize: 1 }),
+        processOutbox(sql, syncFn, { engineSchema, batchSize: 1 }),
+        processOutbox(sql, syncFn, { engineSchema, batchSize: 1 }),
+      ]);
+      processed += results.reduce((sum, result) => sum + result.processed, 0);
+    }
+    expect(processed).toBe(3);
+    expect(deliveredIds.size).toBe(3);
+    const forkedLinks = await sql`
+      SELECT previous_hash, COUNT(*)::INT AS count
+      FROM ${sql(engineSchema)}.outbox
+      WHERE status = 'processed'
+      GROUP BY previous_hash
+      HAVING COUNT(*) > 1
+    `;
+    expect(forkedLinks).toHaveLength(0);
+  });
+  it("reclaims an event whose lease has already expired", async () => {
+    const { engineSchema } = await prepare();
+    await sql`
+      INSERT INTO ${sql(engineSchema)}.outbox (
+        idempotency_key,
+        user_uuid_hash,
+        event_type,
+        payload,
+        previous_hash,
+        current_hash,
+        status,
+        attempt_count,
+        lease_token,
+        lease_expires_at,
+        next_attempt_at,
+        created_at,
+        updated_at
+      )
+      VALUES (
+        'event-8',
+        'user8',
+        'LEASED_EVENT',
+        '{}'::jsonb,
+        'GENESIS',
+        'event-8-hash',
+        'leased',
+        2,
+        gen_random_uuid(),
+        NOW() - INTERVAL '10 minutes',
+        NOW() - INTERVAL '10 minutes',
+        NOW(),
+        NOW()
+      )
+    `;
+    const result = await processOutbox(sql, async () => true, { engineSchema, batchSize: 10 });
+    expect(result.processed).toBe(1);
+    const [row] = await sql`
+      SELECT status, processed_at
+      FROM ${sql(engineSchema)}.outbox
+      WHERE idempotency_key = 'event-8'
+    `;
+    expect(row?.status).toBe("processed");
+    expect(row?.processed_at).toBeDefined();
+  });
+});

package/tests/purge-policy.test.ts ADDED Viewed

@@ -0,0 +1,124 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { selectPurgeCandidates } from "@modules/engine/vault/purge";
+import { createTestSql, dropSchemas, uniqueSchema } from "./helpers";
+import type { Sql } from "@/types";
+describe("DPO-attested purge policy", () => {
+  let sql: Sql;
+  const schemasToDrop: string[] = [];
+  beforeAll(() => {
+    sql = createTestSql();
+  });
+  afterAll(async () => {
+    await dropSchemas(sql, ...schemasToDrop);
+    await sql.end();
+  });
+  async function createUsers(schema: string): Promise<void> {
+    schemasToDrop.push(schema);
+    await dropSchemas(sql, schema);
+    await sql`CREATE SCHEMA ${sql(schema)}`;
+    await sql`
+      CREATE TABLE ${sql(schema)}.users (
+        id TEXT PRIMARY KEY,
+        purge_eligible BOOLEAN NOT NULL DEFAULT FALSE,
+        account_state TEXT NOT NULL DEFAULT 'active',
+        disabled_at TIMESTAMPTZ
+      )
+    `;
+    await sql`
+      INSERT INTO ${sql(schema)}.users (id, purge_eligible, account_state, disabled_at)
+      VALUES
+        ('usr_001', true, 'deleted', '2026-01-01T00:00:00.000Z'),
+        ('usr_002', false, 'active', NULL),
+        ('usr_003', true, 'deleted', '2026-01-02T00:00:00.000Z'),
+        ('usr_004', false, 'closed', '2026-04-01T00:00:00.000Z')
+    `;
+  }
+  it("selects purge candidates only through the configured boolean selector", async () => {
+    const schema = uniqueSchema("purge_bool");
+    await createUsers(schema);
+    await expect(
+      selectPurgeCandidates(sql, {
+        appSchema: schema,
+        rootTable: "users",
+        rootIdColumn: "id",
+        purgePolicy: {
+          enabled: true,
+          selector: {
+            kind: "boolean_column",
+            column: "purge_eligible",
+            value: true,
+          },
+          max_batch_size: 100,
+          actor_opaque_id: "system:purge",
+          legal_framework: "DPDP_2023",
+        },
+      })
+    ).resolves.toEqual(["usr_001", "usr_003"]);
+  });
+  it("supports enum and timestamp selectors without scanning unbounded rows in application code", async () => {
+    const schema = uniqueSchema("purge_selectors");
+    await createUsers(schema);
+    const enumCandidates = await selectPurgeCandidates(sql, {
+      appSchema: schema,
+      rootTable: "users",
+      rootIdColumn: "id",
+      purgePolicy: {
+        enabled: true,
+        selector: {
+          kind: "enum_column",
+          column: "account_state",
+          values: ["closed", "deleted"],
+        },
+        max_batch_size: 2,
+        actor_opaque_id: "system:purge",
+        legal_framework: "DPDP_2023",
+      },
+    });
+    expect(enumCandidates).toEqual(["usr_001", "usr_003"]);
+    const timestampCandidates = await selectPurgeCandidates(sql, {
+      appSchema: schema,
+      rootTable: "users",
+      rootIdColumn: "id",
+      purgePolicy: {
+        enabled: true,
+        selector: {
+          kind: "timestamp_before",
+          column: "disabled_at",
+          before: "2026-03-01T00:00:00.000Z",
+        },
+        max_batch_size: 100,
+        actor_opaque_id: "system:purge",
+        legal_framework: "DPDP_2023",
+      },
+    });
+    expect(timestampCandidates).toEqual(["usr_001", "usr_003"]);
+  });
+  it("fails closed when purge automation is disabled", async () => {
+    const schema = uniqueSchema("purge_disabled");
+    await createUsers(schema);
+    await expect(
+      selectPurgeCandidates(sql, {
+        appSchema: schema,
+        rootTable: "users",
+        rootIdColumn: "id",
+        purgePolicy: {
+          enabled: false,
+          max_batch_size: 100,
+          actor_opaque_id: "system:purge",
+          legal_framework: "DPDP_2023",
+        },
+      })
+    ).rejects.toThrow(/without an enabled purge_policy selector/i);
+  });
+});

package/tests/retention.test.ts ADDED Viewed

@@ -0,0 +1,103 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { createTestSql, dropSchemas, uniqueSchema } from "./helpers";
+import { evaluateRetention } from "@modules/engine/vault/retention";
+import type { Sql } from "@/types";
+describe("Retention Evaluation Engine", () => {
+  let sql: Sql;
+  const schemasToDrop: string[] = [];
+  beforeAll(() => {
+    sql = createTestSql();
+  });
+  afterAll(async () => {
+    await dropSchemas(sql, ...schemasToDrop);
+    await sql.end();
+  });
+  it("selects the longest retention rule when evidence exists in multiple tables", async () => {
+    const appSchema = uniqueSchema("retention_app");
+    schemasToDrop.push(appSchema);
+    await dropSchemas(sql, appSchema);
+    await sql`CREATE SCHEMA ${sql(appSchema)}`;
+    await sql`CREATE TABLE ${sql(appSchema)}.transactions (id SERIAL PRIMARY KEY, idempotent_user_id TEXT NOT NULL)`;
+    await sql`CREATE TABLE ${sql(appSchema)}.kyc_documents (id SERIAL PRIMARY KEY, idempotent_user_id TEXT NOT NULL)`;
+    await sql`
+      INSERT INTO ${sql(appSchema)}.transactions (idempotent_user_id)
+      VALUES ('usr_multi')
+    `;
+    await sql`
+      INSERT INTO ${sql(appSchema)}.kyc_documents (idempotent_user_id)
+      VALUES ('usr_multi')
+    `;
+    const result = await sql.begin(async (tx) =>
+      evaluateRetention(
+        tx,
+        "usr_multi",
+        {
+          default_retention_years: 0,
+          root_id_column: "idempotent_user_id",
+          retention_rules: [
+            {
+              rule_name: "RBI_KYC",
+              legal_citation: "RBI KYC Directions, 2016, Sec 38",
+              if_has_data_in: ["kyc_documents"],
+              retention_years: 5,
+            },
+            {
+              rule_name: "PMLA_FINANCIAL",
+              legal_citation: "Prevention of Money Laundering Act, 2002, Sec 12",
+              if_has_data_in: ["transactions"],
+              retention_years: 10,
+            },
+          ],
+          app_schema: appSchema,
+        }
+      )
+    );
+    expect(result).toEqual({
+      retentionYears: 10,
+      appliedRuleName: "PMLA_FINANCIAL",
+      appliedRuleCitation: "Prevention of Money Laundering Act, 2002, Sec 12",
+    });
+  });
+  it("falls back to the default retention window when no evidence rule matches", async () => {
+    const appSchema = uniqueSchema("retention_default");
+    schemasToDrop.push(appSchema);
+    await dropSchemas(sql, appSchema);
+    await sql`CREATE SCHEMA ${sql(appSchema)}`;
+    await sql`CREATE TABLE ${sql(appSchema)}.transactions (id SERIAL PRIMARY KEY, subject_id TEXT NOT NULL)`;
+    const result = await sql.begin(async (tx) =>
+      evaluateRetention(
+        tx,
+        "usr_none",
+        {
+          default_retention_years: 1,
+          root_id_column: "subject_id",
+          retention_rules: [
+            {
+              rule_name: "PMLA_FINANCIAL",
+              legal_citation: "Prevention of Money Laundering Act, 2002, Sec 12",
+              if_has_data_in: ["transactions"],
+              retention_years: 10,
+            },
+          ],
+          app_schema: appSchema,
+        }
+      )
+    );
+    expect(result).toEqual({
+      retentionYears: 1,
+      appliedRuleName: "DEFAULT",
+      appliedRuleCitation: "Configured default_retention_years policy",
+    });
+  });
+});