dpdp-erasure-cli 1.0.0

package/src/modules/cli/index.ts

@@ -0,0 +1,184 @@
+#!/usr/bin/env bun
+import { Command } from "commander";
+import pc from "picocolors";
+
+const pkgPath = new URL("../../../package.json", import.meta.url);
+const pkg = await Bun.file(pkgPath).json();
+
+const program = new Command();
+
+program
+  .name("worker")
+  .description("Compliance Engine Operator CLI - Safe & Professional Data Auditing.")
+  .version(pkg.version);
+
+program
+  .command("init")
+  .description("Interactively provision a legal compliance manifest.")
+  .action(async () => {
+    const { initAction } = await import("./init")
+  });
+
+program
+  .command("scan")
+  .description("Metadata-only schema scan for potential PII columns.")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .option("-s, --schema <schema>", "Database schema to target")
+  .option("--threshold <score>", "Metadata confidence threshold", "0.6")
+  .option("--json <path>", "Write machine-readable scan findings")
+  .action(async (options) => {
+    const { scanAction } = await import("./scan");
+    await scanAction(options);
+  });
+
+program
+  .command("introspect")
+  .description("Offline compile FK DAG and draft PII mappings without mutating data.")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .option("-r, --root <table>", "Root table, e.g. public.users")
+  .option("-s, --schema <schema>", "Default database schema")
+  .option("-o, --output <path>", "Draft YAML output path", "compliance.worker.yml.draft")
+  .option("-d, --max-depth <depth>", "Recursive FK depth breaker", "32")
+  .option("--sample-percent <percent>", "Postgres TABLESAMPLE SYSTEM percentage", "1")
+  .option("--sample-limit <rows>", "Maximum sampled rows per column", "100")
+  .option("--threshold <score>", "PII confidence threshold", "0.75")
+  .option("--report <path>", "Markdown review report path")
+  .option("--json-report <path>", "Machine-readable JSON review report path")
+  .option("--fail-on-review", "Exit non-zero when findings need human review")
+  .option("-c, --config <path>", "Manifest path for --verify-only", "compliance.worker.yml")
+  .option("--verify-only", "Verify schema hash instead of generating a draft")
+  .action(async (options) => {
+    const { introspectAction } = await import("./introspector");
+    await introspectAction(options);
+  });
+
+program
+  .command("verify-schema")
+  .description("CI/CD gate: fail when live schema differs from legal attestation hash.")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .action(async (options) => {
+    const { verifySchemaAction } = await import("./verify-schema");
+    await verifySchemaAction(options);
+  });
+
+program
+  .command("graph")
+  .description("Visualize recursive table dependencies for a specific root.")
+  .requiredOption("-t, --table <table>", "Root table name")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .option("-s, --schema <schema>", "Database schema to target")
+  .option("-d, --max-depth <depth>", "Safety recursion limit", "32")
+  .action(async (options) => {
+    const { graphAction } = await import("./graph");
+    await graphAction(options);
+  });
+
+program
+  .command("inspect")
+  .description("Inspect a worker manifest and summarize legal/configuration coverage.")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .action(async (options) => {
+    const { inspectAction } = await import("./inspect");
+    await inspectAction(options);
+  });
+
+program
+  .command("check-integrity")
+  .description("Fail closed unless schema hash and compiled DAG match the live database.")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .action(async (options) => {
+    const { checkIntegrityAction } = await import("./check-integrity");
+    await checkIntegrityAction(options);
+  });
+
+program
+  .command("verify")
+  .description("Perform integrity checks and compute mandatory schema hashes.")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .action(async (options) => {
+    const { verifyAction } = await import("./verify");
+    await verifyAction(options);
+  });
+
+program
+  .command("dry-run")
+  .description("Simulate a vault operation without mutating production data.")
+  .requiredOption("-i, --id <id>", "Root subject ID (e.g. 1042)")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .option("-u, --url <url>", "PostgreSQL Connection DSN")
+  .action(async (options) => {
+    const { dryRunAction } = await import("./dry-run");
+    await dryRunAction(options);
+  });
+
+program
+  .command("keygen")
+  .description("Provision Ed25519 keys for configuration signing.")
+  .action(async () => {
+    const { keygenAction } = await import("./keygen");
+    await keygenAction();
+  });
+
+program
+  .command("sign")
+  .description("Apply a cryptographically secure signature to the manifest.")
+  .option("-c, --config <path>", "Manifest path", "compliance.worker.yml")
+  .option("-k, --key <path>", "Private key file path")
+  .action(async (options) => {
+    const { signAction } = await import("./sign");
+    await signAction(options);
+  });
+
+program.on("command:*", () => {
+  console.error(pc.red(`\nInvalid command: ${pc.bold(program.args.join(" "))}`));
+  console.error(`Refer to ${pc.cyan("compliance-worker --help")} for available utilities.\n`);
+  process.exit(1);
+});
+
+const rawArgs = process.argv.slice(2);
+
+if (rawArgs.length === 0) {
+  if (process.stdout.isTTY) {
+    try {
+      const { select } = await import("@inquirer/prompts");
+      console.log(pc.cyan(`\n💼 Compliance Engine Operator Interactive Console [v${pkg.version}]`));
+
+      const choice = await select({
+        message: "Select a compliance operation utility to run:",
+        choices: [
+          { name: "Initialize legal compliance manifest (init)", value: "init" },
+          { name: "Metadata-only schema scan for PII (scan)", value: "scan" },
+          { name: "Offline compile FK DAG and draft mappings (introspect)", value: "introspect" },
+          { name: "CI/CD check: Verify schema integrity (verify-schema)", value: "verify-schema" },
+          { name: "Visualize recursive table dependencies (graph)", value: "graph" },
+          { name: "Simulate an erasure/mutation safely (dry-run)", value: "dry-run" },
+          { name: "Exit Console", value: "exit" },
+        ],
+      });
+
+      if (choice === "exit") {
+        process.exit(0);
+      }
+
+      const simulatedArgv: string[] = [
+        Bun.argv[0] ?? "bun",
+        Bun.argv[1] ?? import.meta.path,
+        choice
+      ];
+      program.parse(simulatedArgv);
+
+    } catch {
+      process.exit(0);
+    }
+  } else {
+    program.outputHelp();
+    process.exit(0);
+  }
+} else {
+  program.parse(process.argv);
+}
+
+program.parse();

package/src/modules/cli/init.ts

@@ -0,0 +1,115 @@
+import { input, number } from "@inquirer/prompts";
+import yaml from "js-yaml";
+import { UI, exitWithError } from "./ui";
+
+/**
+ * Interactive Configuration Wizard.
+ * Forces explicit data entry for critical legal fields to ensure liability shift.
+ */
+export async function initAction() {
+  UI.header("Configuration Setup");
+
+  UI.info("This wizard will help you generate 'compliance.worker.yml'.");
+  UI.info("This manifest acts as the legal contract for your Data Plane Worker.");
+
+  try {
+    const appSchema = await input({
+      message: "Application Schema (e.g. 'public'):",
+      validate: (v) => v.trim().length > 0 || "Required.",
+    });
+
+    const engineSchema = await input({
+      message: "Compliance Engine Schema (e.g. 'compliance_engine'):",
+      default: "compliance_engine",
+    });
+
+    const rootTable = await input({
+      message: "Root Table for Graph Discovery (e.g. 'users'):",
+      validate: (v) => v.trim().length > 0 || "Required.",
+    });
+
+    const rootIdColumn = await input({
+      message: "Root Primary Key Column (e.g. 'id'):",
+      default: "id",
+    });
+
+    const dpoIdentifier = await input({
+      message: "DPO Identifier (Email or UID):",
+      validate: (v) => v.trim().length > 0 || "Required for legal audit trail.",
+    });
+
+    const defaultRetention = await number({
+      message: "Default Retention Period (years):",
+      validate: (v) => (v !== undefined && v >= 0) || "Must be 0 or greater.",
+    });
+
+    const config = {
+      version: "1.0",
+      database: {
+        app_schema: appSchema.trim(),
+        engine_schema: engineSchema.trim(),
+      },
+      compliance_policy: {
+        default_retention_years: defaultRetention,
+        notice_window_hours: 48,
+        retention_rules: [
+          {
+            rule_name: "PMLA_FINANCIAL_EXAMPLE",
+            legal_citation: "E.g. Sec 12 of PMLA 2002",
+            if_has_data_in: ["transactions"],
+            retention_years: 10
+          }
+        ],
+      },
+      graph: {
+        root_table: rootTable.trim(),
+        root_id_column: rootIdColumn.trim(),
+        max_depth: 32,
+        root_pii_columns: {
+          email: "HMAC",
+          full_name: "STATIC_MASK"
+        },
+      },
+      satellite_targets: [],
+      blob_targets: [],
+      outbox: {
+        batch_size: 10,
+        lease_seconds: 60,
+        max_attempts: 10,
+        base_backoff_ms: 1000,
+      },
+      security: {
+        notification_lease_seconds: 120,
+      },
+      integrity: {
+        expected_schema_hash: "0".repeat(64),
+      },
+      legal_attestation: {
+        dpo_identifier: dpoIdentifier.trim(),
+        configuration_version: "1.0.0",
+        legal_review_date: new Date().toISOString().split("T")[0],
+        acknowledgment: "I confirm this configuration accurately reflects our legal data retention obligations.",
+      },
+    };
+
+    const yamlText = yaml.dump(config, {
+      indent: 2,
+      lineWidth: -1,
+      quotingType: '"',
+    });
+
+    await Bun.write("compliance.worker.yml", yamlText);
+
+    UI.success("Manifest generated: compliance.worker.yml");
+
+    UI.info("\nRECOMMENDED NEXT STEPS:");
+    UI.step(1, "PII Discovery: Run 'compliance-worker scan' to identify sensitive columns.");
+    UI.step(2, "Integrity Check: Run 'compliance-worker verify' to compute the schema hash.");
+    UI.step(3, "Simulation: Run 'compliance-worker dry-run --id <id>' to preview effects.");
+  } catch (err) {
+    if (err instanceof Error && err.name === "ExitPromptError") {
+      process.exit(0);
+    }
+    exitWithError("Initialization failed", err instanceof Error ? err.message : String(err));
+  }
+}

package/src/modules/cli/inspect.ts

@@ -0,0 +1,86 @@
+import { readWorkerConfig, type CompiledExecutionTarget, type WorkerConfig } from "@modules/config";
+import pc from "picocolors";
+import { exitWithError, UI } from "./ui";
+
+function countCompiledTargets(config: WorkerConfig): number {
+  return (config.rules ?? []).reduce((count, rule) => count + rule.targets.length, 0);
+}
+
+function countCompiledPiiColumns(config: WorkerConfig): number {
+  return (config.rules ?? []).reduce(
+    (count, rule) => count + rule.targets.reduce((targetCount, target) => targetCount + target.pii_columns.length, 0),
+    0
+  );
+}
+
+function renderTarget(target: CompiledExecutionTarget): string {
+  const pii = target.pii_columns.length > 0 ? target.pii_columns.join(", ") : "none";
+  const action = target.action ?? "none";
+  return `${target.table} | action=${action} | pii=${pii}`;
+}
+
+/**
+ * Inspects a worker manifest without connecting to the database.
+ *
+ * The command is intentionally read-only. It validates YAML shape, resolves local key material using
+ * placeholder keys when needed, and prints the legal/configuration coverage developers must review
+ * before running `check-integrity` against a live database.
+ *
+ * @param options - CLI options containing the manifest path.
+ * @returns Resolves after printing the manifest summary.
+ */
+export async function inspectAction(options: { config: string }): Promise<void> {
+  UI.header("Manifest Inspection");
+
+  const mockEnv = {
+    ...process.env,
+    DPDP_MASTER_KEY: process.env.DPDP_MASTER_KEY || "0".repeat(64),
+    DPDP_HMAC_KEY: process.env.DPDP_HMAC_KEY || "0".repeat(64),
+  };
+
+  let config: WorkerConfig;
+  try {
+    config = await readWorkerConfig(mockEnv, options.config);
+  } catch (error) {
+    exitWithError("Manifest inspection failed", error instanceof Error ? error.message : String(error));
+  }
+
+  UI.step(1, "Legal Attestation");
+  UI.keyValue("DPO", config.legal_attestation.dpo_identifier);
+  UI.keyValue("Version", config.legal_attestation.configuration_version);
+  UI.keyValue("Review Date", config.legal_attestation.legal_review_date);
+  UI.keyValue("Schema Hash", config.legal_attestation.schema_hash ?? config.integrity.expected_schema_hash);
+  UI.keyValue("Generated By", config.legal_attestation.generated_by ?? "manual");
+
+  UI.step(2, "Database Boundary");
+  UI.keyValue("App Schema", config.database.app_schema);
+  UI.keyValue("Engine Schema", config.database.engine_schema);
+  UI.keyValue("Root Table", config.graph.root_table);
+  UI.keyValue("Root ID Column", config.graph.root_id_column);
+  UI.keyValue("Root PII Columns", Object.keys(config.graph.root_pii_columns).join(", "));
+
+  UI.step(3, "Execution Coverage");
+  UI.keyValue("Compiled Rules", String((config.rules ?? []).length));
+  UI.keyValue("Compiled Targets", String(countCompiledTargets(config)));
+  UI.keyValue("Compiled PII Columns", String(countCompiledPiiColumns(config)));
+  UI.keyValue("Satellite Targets", String(config.satellite_targets.length));
+  UI.keyValue("Blob Targets", String(config.blob_targets.length));
+  UI.keyValue("Retention Rules", String(config.compliance_policy.retention_rules.length));
+
+  if ((config.rules ?? []).length === 0) {
+    UI.warn("No compiled DAG rules found. Run compliance-worker introspect and review the generated targets.");
+  } else {
+    const table = UI.table(["Rule", "Target"]);
+    for (const rule of config.rules ?? []) {
+      for (const target of rule.targets) {
+        table.push([pc.bold(rule.id), renderTarget(target)]);
+      }
+    }
+    console.log(table.toString());
+  }
+
+  UI.step(4, "Next Checks");
+  UI.subStep("Run compliance-worker check-integrity --config <path> against the target database.");
+  UI.subStep("Run compliance-worker sign --config <path> after DPO approval.");
+  UI.subStep("Deploy only signed manifests with matching schema hashes.");
+}

package/src/modules/cli/introspector.ts

@@ -0,0 +1,117 @@
+import postgres from "postgres";
+import pc from "picocolors";
+import type { IntrospectorCliOptions } from "../introspector/types";
+import { exitWithError, UI } from "./ui";
+import { runIntrospector, verifySchemaIntegrity } from "../introspector";
+import { readWorkerConfig } from "../config";
+import { buildIntrospectorReport, renderIntrospectorJson, renderIntrospectorMarkdown } from "../introspector/report";
+
+function parseNumber(value: string | undefined, fallback: number): number {
+  if (value === undefined) {
+    return fallback;
+  }
+
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) {
+    exitWithError("Invalid numeric option.", `${value} is not a finite number.`);
+  }
+  return parsed;
+}
+
+/**
+ * Executes the offline Introspector CLI and writes `compliance.worker.yml.draft`.
+ *
+ * @param options - CLI flags provided by Commander.
+ */
+export async function introspectAction(options: IntrospectorCliOptions): Promise<void> {
+  UI.header("Offline Introspector");
+
+  const dbUrl = options.url ?? process.env.DATABASE_URL;
+  if (!dbUrl) {
+    exitWithError("Database URL required.", "Pass --url or set DATABASE_URL env");
+  }
+
+  if (options.verifyOnly) {
+    const sql = postgres(dbUrl);
+    const configPath = options.config ?? "compliance.worker.yml";
+    const spinner = UI.spinner(`Verifying schema hash against ${configPath}`);
+    try {
+      const liveHash = await verifySchemaIntegrity({ sql, configPath });
+      spinner.succeed("Schema hash matches legal attestation");
+      UI.keyValue("Live Schema Hash", liveHash);
+      return;
+    } catch (err) {
+      spinner.fail("Schema verification failed");
+      exitWithError("Privacy-as-Code gate failed", err instanceof Error ? err.message : String(err));
+    } finally {
+      await sql.end();
+    }
+  }
+
+  let rootTable = options.root;
+  let appSchema = options.schema;
+  if (!rootTable || !appSchema) {
+    try {
+      const config = await readWorkerConfig(process.env);
+      rootTable = rootTable ?? `${config.database.app_schema}.${config.graph.root_table}`;
+      appSchema = appSchema ?? config.database.app_schema;
+      UI.info(`Detected root table from manifest: ${pc.bold(rootTable)}`);
+    } catch (err) {
+      if (!rootTable) {
+        exitWithError("Root table required.", "Pass --root public.users or provide compliance.worker.yml");
+      }
+      appSchema = appSchema ?? "public";
+    }
+  }
+
+  const output = options.output ?? "compliance.worker.yml.draft";
+  const sql = postgres(dbUrl, { max: 1 });
+  const spinner = UI.spinner(`Compiling static DAG and bounded PII taxomony for ${rootTable}...`);
+
+  try {
+    const { draft, yaml } = await runIntrospector({
+      sql,
+      rootTable,
+      defaultSchema: appSchema,
+      maxDepth: parseNumber(options.maxDepth, 32),
+      samplePercent: parseNumber(options.samplePercent, 1),
+      sampleLimit: parseNumber(options.sampleLimit, 100),
+      threshold: parseNumber(options.threshold, 0.75),
+    });
+
+    await Bun.write(output, yaml);
+    const report = await buildIntrospectorReport(draft);
+    const markdownReportPath = options.report ?? `${output}.report.md`;
+    await Bun.write(markdownReportPath, renderIntrospectorMarkdown(report));
+    if (options.jsonReport) {
+      await Bun.write(options.jsonReport, renderIntrospectorJson(report));
+    }
+
+    spinner.succeed("Introspector draft generated");
+    UI.keyValue("Output", output);
+    UI.keyValue("Report", markdownReportPath);
+    if (options.jsonReport) {
+      UI.keyValue("JSON Report", options.jsonReport);
+    }
+    UI.keyValue("Root", `${draft.root.schema}.${draft.root.table}`);
+    UI.keyValue("Targets", String(draft.targets.length));
+    UI.keyValue("PII Columns", String(report.summary.piiColumnCount));
+    UI.keyValue("Review Findings", String(report.summary.reviewRequiredCount));
+    UI.keyValue("Logical Links", String(report.summary.potentialLogicalLinkCount));
+    UI.warn("Draft is not a production manifest. DPO review and legal attestation are mandatory before use.");
+    if (
+      options.failOnReview &&
+      (report.summary.reviewRequiredCount > 0 || report.summary.potentialLogicalLinkCount > 0)
+    ) {
+      exitWithError(
+        "Manual review required.",
+        "The draft contains lower-confidence PII findings or potential logical links. Review the report before CI promotion."
+      );
+    }
+  } catch (err) {
+    spinner.fail("Introspector failed");
+    exitWithError("Offline introspection error", err instanceof Error ? err.message : String(err));
+  } finally {
+    await sql.end();
+  }
+}

package/src/modules/cli/keygen.ts

@@ -0,0 +1,38 @@
+import pc from "picocolors";
+import { bytesToBase64 } from "@/lib";
+import { UI, exitWithError } from "./ui";
+
+/**
+ * Generates an Ed25519 keypair for manifest signing.
+ */
+export async function keygenAction() {
+  UI.header("Key Generation");
+  UI.info("Generating cryptographically secure Ed25519 keypair...");
+
+  try {
+    const keyPair = (await globalThis.crypto.subtle.generateKey(
+      { name: "Ed25519" },
+      true,
+      ["sign", "verify"],
+    )) as unknown as CryptoKeyPair;
+
+    const privateKeyRaw = await globalThis.crypto.subtle.exportKey("pkcs8", keyPair.privateKey);
+    const publicKeyRaw = await globalThis.crypto.subtle.exportKey("pkcs8", keyPair.publicKey);
+
+    const privateKeyBase64 = bytesToBase64(new Uint8Array(privateKeyRaw));
+    const publicKeyBase64 = bytesToBase64(new Uint8Array(publicKeyRaw));
+
+    await Bun.write("worker.pkcs8.key", privateKeyBase64);
+    await Bun.write("worker.spki.pub", publicKeyBase64);
+
+    UI.success("Keypair provisioned successfully.");
+    UI.info("FILES GENERATED:");
+    UI.keyValue("Private Key", pc.red("worker.pkcs8.key") + " (SECRET)");
+    UI.keyValue("Public Key ", pc.green("worker.spki.pub") + " (AUDIT)");
+
+    UI.warn("Never share your private key or commit it to version control.");
+    UI.hint("Configuration signing provides tamper-evidence for your legal mandates.");
+  } catch (err) {
+    exitWithError("Key generation failed", err instanceof Error ? err.message : String(err));
+  }
+}

package/src/modules/cli/scan.ts

@@ -0,0 +1,126 @@
+import postgres from "postgres";
+import pc from "picocolors";
+import { readWorkerConfig } from "@modules/config";
+import { metadataScore } from "@modules/introspector";
+import { UI, exitWithError } from "./ui";
+
+interface ScanOptions {
+  url?: string;
+  schema?: string;
+  threshold?: string;
+  json?: string;
+}
+
+interface ScanColumnRow {
+  table_name: string;
+  column_name: string;
+  data_type: string;
+}
+
+interface ScanFinding {
+  table: string;
+  column: string;
+  dataType: string;
+  metadataScore: number;
+}
+
+function parseThreshold(value: string | undefined): number {
+  const threshold = Number(value ?? "0.6");
+  if (!Number.isFinite(threshold) || threshold < 0 || threshold > 1) {
+    exitWithError("Invalid metadata threshold.", "Use a numeric value between 0 and 1.");
+  }
+
+  return threshold;
+}
+
+function groupFindings(findings: readonly ScanFinding[]): Map<string, ScanFinding[]> {
+  const grouped = new Map<string, ScanFinding[]>();
+  for (const finding of findings) {
+    const existing = grouped.get(finding.table) ?? [];
+    existing.push(finding);
+    grouped.set(finding.table, existing);
+  }
+
+  return grouped;
+}
+
+/**
+ * Scans column names with the same metadata taxonomy used by the full Introspector.
+ *
+ * @param options - Database URL, schema, threshold, and optional JSON output path.
+ * @returns Resolves after printing or writing metadata-only findings.
+ */
+export async function scanAction(options: ScanOptions): Promise<void> {
+  UI.header("Metadata PII Scanner");
+
+  const dbUrl = options.url || process.env.DATABASE_URL;
+  if (!dbUrl) exitWithError("Database URL required.", "Pass --url or set DATABASE_URL env.");
+
+  let appSchema = options.schema;
+  if (!appSchema) {
+    try {
+      const config = await readWorkerConfig(process.env);
+      appSchema = config.database.app_schema;
+      UI.info(`Target schema detected: ${pc.bold(appSchema)}`);
+    } catch (error) {
+      exitWithError("Application schema missing.", "Provide --schema or ensure compliance.worker.yml exists");
+    }
+  }
+
+  const threshold = parseThreshold(options.threshold);
+  const spinner = UI.spinner(`Scanning information_schema for ${appSchema}...`);
+  const sql = postgres(dbUrl);
+
+  try {
+    const columns = await sql<ScanColumnRow[]>`
+      SELECT table_name, column_name, data_type
+      FROM information_schema.columns
+      WHERE table_schema = ${appSchema}
+      ORDER BY table_name, column_name
+    `;
+    spinner.stop();
+
+    const table = UI.table(["Table Name", "Sensitive Column Candidates"]);
+    const findings = columns
+      .map((column): ScanFinding => ({
+        table: column.table_name,
+        column: column.column_name,
+        dataType: column.data_type,
+        metadataScore: metadataScore(column.column_name)
+      }))
+      .filter((finding) => finding.metadataScore >= threshold)
+      .sort((left, right) => {
+        const byScore = right.metadataScore - left.metadataScore;
+        if (byScore !== 0) return byScore;
+        return `${left.table}.${left.column}`.localeCompare(`${right.table}.${right.column}`);
+      });
+
+    if (options.json) {
+      await Bun.write(options.json, `${JSON.stringify({ schema: appSchema, threshold, findings }, null, 2)}\n`)
+      UI.keyValue("JSON Output", options.json);
+    }
+
+    const grouped = groupFindings(findings);
+    if (grouped.size === 0) {
+      UI.success("Audit complete: Zero potention PII columns found.");
+    } else {
+      for (const [tableName, tableFindings] of grouped.entries()) {
+        table.push([
+          tableName,
+          tableFindings
+            .map((finding) => `${finding.column} (${finding.metadataScore.toFixed(2)})`)
+            .join(","),
+        ]);
+      }
+      console.log(table.toString());
+      UI.warn(`${grouped.size} tables contain metadata-level sensitive data candidates.`);
+      UI.info("Run compliance-worker introspect for bounded content sampling and YAML generation.");
+    }
+
+  } catch (err) {
+    spinner.fail("Scan failed");
+    exitWithError("Database audit error", err instanceof Error ? err.message : String(err));
+  } finally {
+    await sql.end();
+  }
+}