dpdp-erasure-cli 1.0.12 → 1.1.0

package/README.md

@@ -1,31 +1,38 @@
-# Operator CLI Reference Guide (`dpdp-erasure-cli`)
+# dpdp-erasure-cli
 
 [![npm version](https://badge.fury.io/js/dpdp-erasure-cli.svg)](https://badge.fury.io/js/dpdp-erasure-cli)
 
-The **Operator CLI** (`dpdp-erasure-cli`) is the primary interface for data engineers, DevOps, and privacy operators to manage the DPDP Erasure Engine. 
+**The DPDP Erasure Engine CLI** is an automated, AI-assisted privacy toolkit that helps you securely discover, map, and cryptographically shred PII (Personally Identifiable Information) in your database. 
 
-It is used to introspect databases, classify PII, manage compliance manifests, sign them cryptographically, and simulate safe erasure operations locally.
+It acts as the control plane for the [DPDP Erasure Engine](https://github.com/devxdh/dpdp-erasure-engine), allowing Data Protection Officers (DPOs) and Software Engineers to effortlessly comply with global privacy laws (DPDP, GDPR, CCPA) without writing manual SQL deletion scripts.
+
+---
+
+## 🎯 What does it do?
+
+Manually deleting a user across dozens of microservice tables is dangerous and prone to failure. `dpdp-erasure-cli` solves this by:
+
+1. **Introspection & NLP Mapping:** Safely scans your live database (using `TABLESAMPLE` block sampling) to find hidden PII in text columns, JSON blobs, and orphaned tables.
+2. **DAG Compilation:** Maps your entire Foreign Key graph to figure out the exact order tables must be deleted to avoid database constraint violations.
+3. **Drafting a Manifest:** Automatically generates a `compliance.worker.yml` erasure plan that handles HMAC redaction vs. hard deletion.
+4. **Cryptographic Signatures:** Locks the manifest using Ed25519 signatures so production deletion rules cannot be silently altered.
+5. **Dry-Run Simulations:** Tests the erasure locally in a rolled-back PostgreSQL transaction to prove it works before you deploy.
 
 ---
 
 ## 🚀 Installation
 
-This CLI requires [Bun](https://bun.sh/) for native cryptographic bindings and high-performance execution. Ensure you have Bun installed, then install the package globally:
+This CLI relies on [Bun](https://bun.sh/) for native cryptographic bindings and high-performance execution.
 
 ```bash
 npm install -g dpdp-erasure-cli
 ```
 
-*Alternatively, if running from the monorepo root:*
-```bash
-bun run --cwd ./apps/worker cli <command>
-```
-
 ---
 
-## 🛠️ Interactive Console
+## 🛠️ Interactive Setup
 
-If you run the CLI without any arguments, it will launch an interactive wizard to guide you through the available operations:
+Don't want to memorize commands? Just run the CLI with no arguments to launch the interactive wizard:
 
 ```bash
 dpdp-cli
@@ -33,108 +40,56 @@ dpdp-cli
 
 ---
 
-## 📚 Core Commands & Configuration Guide
+## 📚 Quick Start Guide
+
+Setting up your database for privacy compliance follows this simple 5-step workflow:
 
-### 1. `introspect` (The Core Command)
-Safely analyze your database's Foreign Key (FK) Directed Acyclic Graph (DAG) offline and draft a comprehensive PII mapping manifest (`compliance.worker.yml`). This is the first step in setting up the engine.
+### 1. Introspect Your Database
+Safely analyze your schema to discover PII and draft the deletion manifest. The AI will even find logical links if you don't use strict Foreign Keys!
 
 ```bash
 dpdp-cli introspect \
-  --url postgres://user:pass@localhost:5432/app_db \
+  --url "postgres://user:pass@localhost:5432/app_db" \
   --root public.users \
   --schema public \
-  --output ./compliance.worker.yml.draft
+  --output ./compliance.worker.yml
 ```
 
-**Options:**
-*   `-u, --url <url>`: PostgreSQL Connection DSN.
-*   `-r, --root <table>`: The root table containing the user/subject identifier (e.g., `public.users`).
-*   `-s, --schema <schema>`: The target PostgreSQL schema (defaults to `public`).
-*   `-o, --output <path>`: Where to write the generated YAML draft (defaults to `compliance.worker.yml.draft`).
-*   `-d, --max-depth <depth>`: Limit for recursive Foreign Key traversal (default: `32`).
-*   `--sample-percent <percent>`: Percentage of data to sample using `TABLESAMPLE` for PII detection (default: `1`).
-*   `--threshold <score>`: Confidence score required to flag a column as PII (default: `0.75`).
-*   `--report <path>`: Write a readable Markdown report of the findings.
-
----
-
-### 2. `scan` (Quick PII Check)
-A lightweight, metadata-only schema scan that looks for potential PII columns based purely on naming conventions, without the heavy block sampling used by `introspect`.
-
-```bash
-dpdp-cli scan --url "postgres://user:pass@localhost:5432/app_db" --schema public
-```
-
----
-
-### 3. `keygen` (Security Provisioning)
-Provisions secure Ed25519 cryptographic keys required to sign your configuration manifest.
+### 2. Review and Attest
+Open the generated `compliance.worker.yml`. Review the `targets` and `join` conditions. Once you are confident, sign off by updating the `legal_attestation` block.
 
+### 3. Generate Security Keys
+Create a private/public keypair to securely sign your manifest for production environments.
 ```bash
 dpdp-cli keygen
 ```
-*This generates a private key file (e.g., `worker.pkcs8.key`) and a public key.*
-
----
-
-### 4. `sign` (Cryptographic Manifest Lock)
-To prevent unauthorized changes to data erasure rules in production, the manifest must be cryptographically signed by a Data Protection Officer (DPO) or Lead Engineer.
 
+### 4. Cryptographically Sign the Manifest
+Lock down the rules to prevent unauthorized changes in your CI/CD pipeline.
 ```bash
 dpdp-cli sign --config ./compliance.worker.yml --key ./worker.pkcs8.key
 ```
-*This generates a detached signature file (e.g., `compliance.worker.yml.sig`). The worker will fail to boot if this signature does not match the manifest.*
-
----
-
-### 5. `check-integrity` & `verify-schema` (CI/CD Gates)
-These commands are designed for CI/CD pipelines to ensure the live database schema matches the legal attestation hash stored in the signed manifest.
 
+### 5. Simulate an Erasure (Dry-Run)
+Test the erasure on a specific user. This command runs entirely within an isolated transaction that is automatically rolled back, so it is 100% safe.
 ```bash
-# Verify the compiled DAG and live schema hash
-dpdp-cli check-integrity --url "postgres://.../app_db" --config ./compliance.worker.yml
-
-# Check only the live schema hash against the legal attestation
-dpdp-cli verify-schema --url "postgres://.../app_db" --config ./compliance.worker.yml
+dpdp-cli dry-run --id "user_12345" --url "postgres://user:pass@localhost:5432/app_db" --config ./compliance.worker.yml
 ```
-*If a developer adds a new column to the database without updating and re-signing the manifest, these commands will exit with a non-zero status.*
 
 ---
 
-### 6. `dry-run` (Safe Erasure Simulation)
-Simulates a PII vault and redaction operation for a specific user. It runs inside an isolated transaction that is automatically rolled back.
+## 🔒 CI/CD Integrity Checks
 
-```bash
-dpdp-cli dry-run --id "user_12345" --url "postgres://.../app_db" --config ./compliance.worker.yml
-```
-*This is the recommended safety check to help ensure your configuration captures related PII without breaking foreign keys.*
-
----
-
-### 7. `graph` (Dependency Visualization)
-Visualizes the recursive table dependencies (FK DAG) for a specific root table, helping you understand how data cascades down from a user.
+You can use the CLI in your GitHub Actions or GitLab CI to fail builds if a developer modifies the database schema without updating the signed compliance manifest:
 
 ```bash
-dpdp-cli graph --table public.users --url "postgres://.../app_db"
+dpdp-cli check-integrity --url "postgres://..." --config ./compliance.worker.yml
 ```
 
 ---
 
-## ⚙️ Standard Workflow Example
-
-Setting up the engine generally follows this workflow:
+## 📖 Deep Dive
 
-1.  **Introspect** the database to generate a draft manifest:
-    `dpdp-cli introspect -u postgres://... -r public.users -s public -o compliance.worker.yml`
-2.  **Review & Tweak** the `compliance.worker.yml` manually (fix false positives, add missing logical links, select masking actions like `HMAC` or `SET NULL`).
-3.  **Generate Keys** for signing:
-    `dpdp-cli keygen`
-4.  **Sign** the finalized manifest:
-    `dpdp-cli sign -c compliance.worker.yml -k worker.pkcs8.key`
-5.  **Dry-Run** an erasure to verify it behaves as expected:
-    `dpdp-cli dry-run -i "test_user_id" -u postgres://... -c compliance.worker.yml`
-6.  **Deploy** the signed manifest and the detached `.sig` file to your production Worker.
-
----
+Want to understand the cryptographic shredding architecture under the hood? Read our full documentation at the main repository:
 
-For architectural details and deep-dives into how the cryptographic shredding works, refer to the [Main Documentation](https://github.com/devxdh/dpdp-erasure-engine/tree/main/apps/docs).
+**[DPDP Erasure Engine GitHub Repository](https://github.com/devxdh/dpdp-erasure-engine)**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dpdp-erasure-cli",
-  "version": "1.0.12",
+  "version": "1.1.0",
   "license": "Apache-2.0",
   "keywords": [
     "dpdp",

package/src/modules/engine/vault/satellite-mutation.ts

@@ -52,9 +52,9 @@ async function hardDeleteSatelliteRows(
 
   while (true) {
     const tenantFilter = tenantId ? tx` AND tenant_id = ${tenantId}` : tx``;
-    const deletedRows = await tx<{ id: string | number }[]>`
+    const deletedRows = await tx<{ ctid: string }[]>`
       WITH batch AS (
-        SELECT id
+        SELECT ctid
         FROM ${tx(appSchema)}.${tx(tableName)}
         WHERE ${tx(lookupColumn)} = ${lookupValue}
         ${tenantFilter}
@@ -62,8 +62,8 @@ async function hardDeleteSatelliteRows(
         FOR UPDATE SKIP LOCKED
       )
       DELETE FROM ${tx(appSchema)}.${tx(tableName)}
-      WHERE id IN (SELECT id FROM batch)
-      RETURNING id
+      WHERE ctid IN (SELECT ctid FROM batch)
+      RETURNING ctid
     `;
 
     if (deletedRows.length === 0) {

package/src/modules/engine/vault/satellite.ts

@@ -3,7 +3,7 @@ import type { Tsql } from "@/types";
 import { assertIdentifier } from "@/utils";
 
 interface SatelliteRowId {
-  id: number;
+  ctid: string;
 }
 
 async function yieldWorkerEventLoop(): Promise<void> {
@@ -78,7 +78,7 @@ export async function redactSatelliteTable(
     const tenantFilter = tenantId ? tx` AND tenant_id = ${tenantId}` : tx``;
     const updatedRows = await tx<SatelliteRowId[]>`
       WITH batch AS (
-        SELECT id
+        SELECT ctid
         FROM ${tx(schema)}.${tx(table)}
         WHERE ${tx(safeLookupColumn)} = ${lookupValue}
         ${tenantFilter}
@@ -87,8 +87,8 @@ export async function redactSatelliteTable(
       )
       UPDATE ${tx(schema)}.${tx(table)}
       SET ${tx(safeLookupColumn)} = ${newHmacValue}
-      WHERE id IN (SELECT id FROM batch)
-      RETURNING id
+      WHERE ctid IN (SELECT ctid FROM batch)
+      RETURNING ctid
     `;
 
     if (updatedRows.length === 0) {

package/src/modules/introspector/run.ts

@@ -57,16 +57,24 @@ export async function runIntrospector(options: RunIntrospectorOptions): Promise<
     const sourceKey = targetKey(link.sourceTable.schema, link.sourceTable.table);
     const targetKeyStr = targetKey(link.targetTable.schema, link.targetTable.table);
 
+    let parentCol = link.column;
+    let childCol = link.column;
+    
+    // Attempt intelligent primary key mapping for orphaned root links
+    if (link.sourceTable.schema === root.schema && link.sourceTable.table === root.table) {
+      parentCol = ["target_email", "user_email", "email_address"].includes(link.column) ? "email" : "id";
+    }
+
     if (dagTableKeys.has(sourceKey) && !dagTableKeys.has(targetKeyStr)) {
       dagTableKeys.add(targetKeyStr);
       logicalTargets.push({
         table: link.targetTable,
         parentTable: link.sourceTable,
         constraintName: null,
-        childColumns: [link.column],
-        parentColumns: [link.column],
+        childColumns: [childCol],
+        parentColumns: [parentCol],
         depth: maxDepth,
-        fkCondition: `LOGICAL_LINK (${link.column})`,
+        fkCondition: `${formatQualifiedTable(link.sourceTable)}.${parentCol} = ${formatQualifiedTable(link.targetTable)}.${childCol}`,
       });
     } else if (dagTableKeys.has(targetKeyStr) && !dagTableKeys.has(sourceKey)) {
       dagTableKeys.add(sourceKey);
@@ -74,10 +82,10 @@ export async function runIntrospector(options: RunIntrospectorOptions): Promise<
         table: link.sourceTable,
         parentTable: link.targetTable,
         constraintName: null,
-        childColumns: [link.column],
-        parentColumns: [link.column],
+        childColumns: [childCol],
+        parentColumns: [parentCol],
         depth: maxDepth,
-        fkCondition: `LOGICAL_LINK (${link.column})`,
+        fkCondition: `${formatQualifiedTable(link.targetTable)}.${parentCol} = ${formatQualifiedTable(link.sourceTable)}.${childCol}`,
       });
     }
   }

package/src/modules/introspector/yaml.ts

@@ -83,6 +83,20 @@ export function renderIntrospectorYaml(draft: IntrospectorDraft): string {
     "legal_disclaimer:",
     "  text: \"Auto-generated by Compliance Worker. The DPO/Developer is responsible for verifying all logical links and PII mappings.\"",
     "",
+    "# ===================================================================================",
+    "# HOW TO READ THIS MANIFEST:",
+    "# - 'targets': The list of tables the worker will delete/redact from.",
+    "# - 'parent': The table that owns this data. The worker deletes parent-first or child-first depending on the DB constraints.",
+    "# - 'join': The SQL condition used to link the child table to the parent table.",
+    "# - 'pii_columns': Columns identified as containing Personal Identifiable Information.",
+    "# - 'action': 'redact' (anonymizes the row but keeps it) or implicitly 'delete' (removes the row entirely).",
+    "#",
+    "# IMPORTANT:",
+    "# 1. Review all 'join' conditions. If the Introspector guessed a join for an orphaned table, verify it.",
+    "# 2. Review all 'pii_columns' to ensure no sensitive columns were missed.",
+    "# 3. Replace 'PENDING_REVIEW' in legal_attestation once verified.",
+    "# ===================================================================================",
+    "",
     "rules:",
     "  - id: dpdp_standard",
     `    root_table: ${yamlScalar(formatQualifiedTable(draft.root))}`,