dpdp-erasure-cli 1.0.12 → 1.1.1

package/README.md

@@ -1,31 +1,51 @@
-# Operator CLI Reference Guide (`dpdp-erasure-cli`)
+# dpdp-erasure-cli
 
-[![npm version](https://badge.fury.io/js/dpdp-erasure-cli.svg)](https://badge.fury.io/js/dpdp-erasure-cli)
+[![npm version](https://img.shields.io/npm/v/dpdp-erasure-cli?color=14b8a6&style=flat-square)](https://www.npmjs.com/package/dpdp-erasure-cli)
 
-The **Operator CLI** (`dpdp-erasure-cli`) is the primary interface for data engineers, DevOps, and privacy operators to manage the DPDP Erasure Engine. 
+**The DPDP Erasure Engine CLI** is an automated, AI-assisted privacy toolkit that helps you securely discover, map, and cryptographically shred PII (Personally Identifiable Information) in your database. 
 
-It is used to introspect databases, classify PII, manage compliance manifests, sign them cryptographically, and simulate safe erasure operations locally.
+It acts as the control plane for the [DPDP Erasure Engine](https://github.com/devxdh/dpdp-erasure-engine), allowing Data Protection Officers (DPOs) and Software Engineers to effortlessly comply with global privacy laws (DPDP, GDPR, CCPA) without writing manual SQL deletion scripts.
+
+---
+
+## 🎯 What does it do?
+
+Manually deleting a user across dozens of microservice tables is dangerous and prone to failure. `dpdp-erasure-cli` solves this by:
+
+1. **Introspection & NLP Mapping:** Safely scans your live database (using `TABLESAMPLE` block sampling) to find hidden PII in text columns, JSON blobs, and orphaned tables.
+2. **DAG Compilation:** Maps your entire Foreign Key graph to figure out the exact order tables must be deleted to avoid database constraint violations.
+3. **Drafting a Manifest:** Automatically generates a `compliance.worker.yml` erasure plan that handles HMAC redaction vs. hard deletion.
+4. **Cryptographic Signatures:** Locks the manifest using Ed25519 signatures so production deletion rules cannot be silently altered.
+5. **Dry-Run Simulations:** Tests the erasure locally in a rolled-back PostgreSQL transaction to prove it works before you deploy.
+
+---
+
+## ⚠️ Introspector Limitations (100% Transparency)
+
+While our Introspector is incredibly powerful at analyzing metadata, foreign keys, and block-sampling text to find common identifiers (like Emails, Phone Numbers, Aadhaar, PAN, SSN, Credit Cards), it is fundamentally a regex and heuristic engine—not a sentient AI. 
+
+**What we CANNOT do:**
+1. **Generic Column Names:** If your production database has a column named `info` or `data` and it happens to contain a user's *First Name* or *Last Name* embedded inside a generic string, our engine cannot confidently flag it as PII. We can only guess "Name" PII if the column is named descriptively (e.g., `full_name`, `first_name`, `last_name`).
+2. **Passwords, Tokens, and Secrets:** We cannot differentiate a random SHA-256 password hash or an API token from an ordinary ID string unless the column has a clear name like `password`, `secret`, `token`, or `api_key`.
+3. **Roles and Permissions:** Similarly, we cannot guess if an integer or string denotes an administrative permission unless the column gives us a hint (like `role_id` or `access_level`).
+
+**The Solution:** The Introspector is designed to do 95% of the heavy lifting. **The remaining 5% requires a human DPO or Developer.** You must always review the generated `compliance.worker.yml` and manually add any deeply hidden sensitive columns before deploying.
 
 ---
 
 ## 🚀 Installation
 
-This CLI requires [Bun](https://bun.sh/) for native cryptographic bindings and high-performance execution. Ensure you have Bun installed, then install the package globally:
+This CLI relies on [Bun](https://bun.sh/) for native cryptographic bindings and high-performance execution.
 
 ```bash
 npm install -g dpdp-erasure-cli
 ```
 
-*Alternatively, if running from the monorepo root:*
-```bash
-bun run --cwd ./apps/worker cli <command>
-```
-
 ---
 
-## 🛠️ Interactive Console
+## 🛠️ Interactive Setup
 
-If you run the CLI without any arguments, it will launch an interactive wizard to guide you through the available operations:
+Don't want to memorize commands? Just run the CLI with no arguments to launch the interactive wizard:
 
 ```bash
 dpdp-cli
@@ -33,108 +53,56 @@ dpdp-cli
 
 ---
 
-## 📚 Core Commands & Configuration Guide
+## 📚 Quick Start Guide
+
+Setting up your database for privacy compliance follows this simple 5-step workflow:
 
-### 1. `introspect` (The Core Command)
-Safely analyze your database's Foreign Key (FK) Directed Acyclic Graph (DAG) offline and draft a comprehensive PII mapping manifest (`compliance.worker.yml`). This is the first step in setting up the engine.
+### 1. Introspect Your Database
+Safely analyze your schema to discover PII and draft the deletion manifest. The AI will even find logical links if you don't use strict Foreign Keys!
 
 ```bash
 dpdp-cli introspect \
-  --url postgres://user:pass@localhost:5432/app_db \
+  --url "postgres://user:pass@localhost:5432/app_db" \
   --root public.users \
   --schema public \
-  --output ./compliance.worker.yml.draft
+  --output ./compliance.worker.yml
 ```
 
-**Options:**
-*   `-u, --url <url>`: PostgreSQL Connection DSN.
-*   `-r, --root <table>`: The root table containing the user/subject identifier (e.g., `public.users`).
-*   `-s, --schema <schema>`: The target PostgreSQL schema (defaults to `public`).
-*   `-o, --output <path>`: Where to write the generated YAML draft (defaults to `compliance.worker.yml.draft`).
-*   `-d, --max-depth <depth>`: Limit for recursive Foreign Key traversal (default: `32`).
-*   `--sample-percent <percent>`: Percentage of data to sample using `TABLESAMPLE` for PII detection (default: `1`).
-*   `--threshold <score>`: Confidence score required to flag a column as PII (default: `0.75`).
-*   `--report <path>`: Write a readable Markdown report of the findings.
-
----
-
-### 2. `scan` (Quick PII Check)
-A lightweight, metadata-only schema scan that looks for potential PII columns based purely on naming conventions, without the heavy block sampling used by `introspect`.
-
-```bash
-dpdp-cli scan --url "postgres://user:pass@localhost:5432/app_db" --schema public
-```
-
----
-
-### 3. `keygen` (Security Provisioning)
-Provisions secure Ed25519 cryptographic keys required to sign your configuration manifest.
+### 2. Review and Attest
+Open the generated `compliance.worker.yml`. Review the `targets` and `join` conditions. Once you are confident, sign off by updating the `legal_attestation` block.
 
+### 3. Generate Security Keys
+Create a private/public keypair to securely sign your manifest for production environments.
 ```bash
 dpdp-cli keygen
 ```
-*This generates a private key file (e.g., `worker.pkcs8.key`) and a public key.*
-
----
-
-### 4. `sign` (Cryptographic Manifest Lock)
-To prevent unauthorized changes to data erasure rules in production, the manifest must be cryptographically signed by a Data Protection Officer (DPO) or Lead Engineer.
 
+### 4. Cryptographically Sign the Manifest
+Lock down the rules to prevent unauthorized changes in your CI/CD pipeline.
 ```bash
 dpdp-cli sign --config ./compliance.worker.yml --key ./worker.pkcs8.key
 ```
-*This generates a detached signature file (e.g., `compliance.worker.yml.sig`). The worker will fail to boot if this signature does not match the manifest.*
-
----
-
-### 5. `check-integrity` & `verify-schema` (CI/CD Gates)
-These commands are designed for CI/CD pipelines to ensure the live database schema matches the legal attestation hash stored in the signed manifest.
 
+### 5. Simulate an Erasure (Dry-Run)
+Test the erasure on a specific user. This command runs entirely within an isolated transaction that is automatically rolled back, so it is 100% safe.
 ```bash
-# Verify the compiled DAG and live schema hash
-dpdp-cli check-integrity --url "postgres://.../app_db" --config ./compliance.worker.yml
-
-# Check only the live schema hash against the legal attestation
-dpdp-cli verify-schema --url "postgres://.../app_db" --config ./compliance.worker.yml
+dpdp-cli dry-run --id "user_12345" --url "postgres://user:pass@localhost:5432/app_db" --config ./compliance.worker.yml
 ```
-*If a developer adds a new column to the database without updating and re-signing the manifest, these commands will exit with a non-zero status.*
 
 ---
 
-### 6. `dry-run` (Safe Erasure Simulation)
-Simulates a PII vault and redaction operation for a specific user. It runs inside an isolated transaction that is automatically rolled back.
+## 🔒 CI/CD Integrity Checks
 
-```bash
-dpdp-cli dry-run --id "user_12345" --url "postgres://.../app_db" --config ./compliance.worker.yml
-```
-*This is the recommended safety check to help ensure your configuration captures related PII without breaking foreign keys.*
-
----
-
-### 7. `graph` (Dependency Visualization)
-Visualizes the recursive table dependencies (FK DAG) for a specific root table, helping you understand how data cascades down from a user.
+You can use the CLI in your GitHub Actions or GitLab CI to fail builds if a developer modifies the database schema without updating the signed compliance manifest:
 
 ```bash
-dpdp-cli graph --table public.users --url "postgres://.../app_db"
+dpdp-cli check-integrity --url "postgres://..." --config ./compliance.worker.yml
 ```
 
 ---
 
-## ⚙️ Standard Workflow Example
-
-Setting up the engine generally follows this workflow:
+## 📖 Deep Dive
 
-1.  **Introspect** the database to generate a draft manifest:
-    `dpdp-cli introspect -u postgres://... -r public.users -s public -o compliance.worker.yml`
-2.  **Review & Tweak** the `compliance.worker.yml` manually (fix false positives, add missing logical links, select masking actions like `HMAC` or `SET NULL`).
-3.  **Generate Keys** for signing:
-    `dpdp-cli keygen`
-4.  **Sign** the finalized manifest:
-    `dpdp-cli sign -c compliance.worker.yml -k worker.pkcs8.key`
-5.  **Dry-Run** an erasure to verify it behaves as expected:
-    `dpdp-cli dry-run -i "test_user_id" -u postgres://... -c compliance.worker.yml`
-6.  **Deploy** the signed manifest and the detached `.sig` file to your production Worker.
-
----
+Want to understand the cryptographic shredding architecture under the hood? Read our full documentation at the main repository:
 
-For architectural details and deep-dives into how the cryptographic shredding works, refer to the [Main Documentation](https://github.com/devxdh/dpdp-erasure-engine/tree/main/apps/docs).
+**[DPDP Erasure Engine GitHub Repository](https://github.com/devxdh/dpdp-erasure-engine)**

package/compliance.worker.yml

@@ -1,6 +1,6 @@
 # AUTO-GENERATED BY INTROSPECTOR
 # REVIEW REQUIRED: DPO must validate every table, join condition, and PII column before production use.
-# Generated At: 2026-06-12T05:19:07.235Z
+# Generated At: 2026-06-12T08:15:53.497Z
 
 legal_attestation:
   dpo_identifier: PENDING_REVIEW
@@ -13,6 +13,20 @@ legal_attestation:
 legal_disclaimer:
   text: "Auto-generated by Compliance Worker. The DPO/Developer is responsible for verifying all logical links and PII mappings."
 
+# ===================================================================================
+# HOW TO READ THIS MANIFEST:
+# - 'targets': The list of tables the worker will delete/redact from.
+# - 'parent': The table that owns this data. The worker deletes parent-first or child-first depending on the DB constraints.
+# - 'join': The SQL condition used to link the child table to the parent table.
+# - 'pii_columns': Columns identified as containing Personal Identifiable Information.
+# - 'action': 'redact' (anonymizes the row but keeps it) or implicitly 'delete' (removes the row entirely).
+#
+# IMPORTANT:
+# 1. Review all 'join' conditions. If the Introspector guessed a join for an orphaned table, verify it.
+# 2. Review all 'pii_columns' to ensure no sensitive columns were missed.
+# 3. Replace 'PENDING_REVIEW' in legal_attestation once verified.
+# ===================================================================================
+
 rules:
   - id: dpdp_standard
     root_table: public.users
@@ -98,14 +112,14 @@ rules:
           message_body: HMAC
       - table: public.abandoned_carts
         parent: public.users
-        join: "LOGICAL_LINK (customer_id)"
-        parent_columns: [customer_id]
+        join: "public.users.id = public.abandoned_carts.customer_id"
+        parent_columns: [id]
         child_columns: [customer_id]
         pii_columns: []
       - table: public.audit_logs
         parent: public.users
-        join: "LOGICAL_LINK (actor_id)"
-        parent_columns: [actor_id]
+        join: "public.users.id = public.audit_logs.actor_id"
+        parent_columns: [id]
         child_columns: [actor_id]
         # Introspector Confidence: 0.820 (ipv4)
         pii_columns: [ip_address]
@@ -115,8 +129,8 @@ rules:
           ip_address: HMAC
       - table: public.legacy_crm_notes
         parent: public.users
-        join: "LOGICAL_LINK (client_id)"
-        parent_columns: [client_id]
+        join: "public.users.id = public.legacy_crm_notes.client_id"
+        parent_columns: [id]
         child_columns: [client_id]
         # Introspector Confidence: 0.950 (email, indian_mobile)
         pii_columns: [agent_notes]
@@ -126,8 +140,8 @@ rules:
           agent_notes: HMAC
       - table: public.marketing_campaign_clicks
         parent: public.users
-        join: "LOGICAL_LINK (target_email)"
-        parent_columns: [target_email]
+        join: "public.users.email = public.marketing_campaign_clicks.target_email"
+        parent_columns: [email]
         child_columns: [target_email]
         # Introspector Confidence: 0.950 (email)
         pii_columns: [target_email]
@@ -137,8 +151,8 @@ rules:
           target_email: HMAC
       - table: public.third_party_telemetry
         parent: public.users
-        join: "LOGICAL_LINK (user_uuid)"
-        parent_columns: [user_uuid]
+        join: "public.users.id = public.third_party_telemetry.user_uuid"
+        parent_columns: [id]
         child_columns: [user_uuid]
         pii_columns: []
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dpdp-erasure-cli",
-  "version": "1.0.12",
+  "version": "1.1.1",
   "license": "Apache-2.0",
   "keywords": [
     "dpdp",
@@ -54,4 +54,4 @@
     "postgres": "^3.4.9",
     "zod": "^4.4.2"
   }
-}
+}

package/report.json

@@ -1,7 +1,7 @@
 {
   "summary": {
     "rootTable": "public.users",
-    "generatedAt": "2026-06-12T05:19:07.235Z",
+    "generatedAt": "2026-06-12T08:15:53.497Z",
     "schemaHash": "ea9e816d30fcee6bd4f322f1fb769e853c2e7ee5b19263aaa54f5ef80189212c",
     "targetCount": 15,
     "tablesWithPii": 8,

package/report.md

@@ -3,7 +3,7 @@
 ## Summary
 
 - Root table: `public.users`
-- Generated at: `2026-06-12T05:19:07.235Z`
+- Generated at: `2026-06-12T08:15:53.497Z`
 - Schema hash: `ea9e816d30fcee6bd4f322f1fb769e853c2e7ee5b19263aaa54f5ef80189212c`
 - DAG targets: 15
 - Tables with PII: 8

package/src/modules/cli/ui.ts

@@ -10,18 +10,18 @@ import boxen from "boxen";
 export const UI = {
   header: (title: string) => {
     console.log(
-      boxen(pc.bold(pc.blue(`COMPLIANCE WORKER — ${title.toUpperCase()}`)), {
+      boxen(pc.bold(pc.cyan(`COMPLIANCE WORKER — ${title.toUpperCase()}`)), {
         padding: { top: 0, bottom: 0, left: 2, right: 2 },
         margin: { top: 1, bottom: 1 },
         borderStyle: "round",
-        borderColor: "blue",
+        borderColor: "cyan",
       })
     );
   },
 
   divider: () => console.log(pc.gray("─".repeat(process.stdout.columns || 60))),
 
-  spinner: (text: string): Ora => ora({ text, color: "blue" }).start(),
+  spinner: (text: string): Ora => ora({ text, color: "cyan" }).start(),
 
   success: (msg: string) => console.log(`\n${pc.green("✔")} ${pc.bold(msg)}`),
   error: (msg: string) => console.error(`\n${pc.red("✖")} ${pc.bold(msg)}`),

package/src/modules/engine/vault/satellite-mutation.ts

@@ -52,9 +52,9 @@ async function hardDeleteSatelliteRows(
 
   while (true) {
     const tenantFilter = tenantId ? tx` AND tenant_id = ${tenantId}` : tx``;
-    const deletedRows = await tx<{ id: string | number }[]>`
+    const deletedRows = await tx<{ ctid: string }[]>`
       WITH batch AS (
-        SELECT id
+        SELECT ctid
         FROM ${tx(appSchema)}.${tx(tableName)}
         WHERE ${tx(lookupColumn)} = ${lookupValue}
         ${tenantFilter}
@@ -62,8 +62,8 @@ async function hardDeleteSatelliteRows(
         FOR UPDATE SKIP LOCKED
       )
       DELETE FROM ${tx(appSchema)}.${tx(tableName)}
-      WHERE id IN (SELECT id FROM batch)
-      RETURNING id
+      WHERE ctid IN (SELECT ctid FROM batch)
+      RETURNING ctid
     `;
 
     if (deletedRows.length === 0) {

package/src/modules/engine/vault/satellite.ts

@@ -3,7 +3,7 @@ import type { Tsql } from "@/types";
 import { assertIdentifier } from "@/utils";
 
 interface SatelliteRowId {
-  id: number;
+  ctid: string;
 }
 
 async function yieldWorkerEventLoop(): Promise<void> {
@@ -78,7 +78,7 @@ export async function redactSatelliteTable(
     const tenantFilter = tenantId ? tx` AND tenant_id = ${tenantId}` : tx``;
     const updatedRows = await tx<SatelliteRowId[]>`
       WITH batch AS (
-        SELECT id
+        SELECT ctid
         FROM ${tx(schema)}.${tx(table)}
         WHERE ${tx(safeLookupColumn)} = ${lookupValue}
         ${tenantFilter}
@@ -87,8 +87,8 @@ export async function redactSatelliteTable(
       )
       UPDATE ${tx(schema)}.${tx(table)}
       SET ${tx(safeLookupColumn)} = ${newHmacValue}
-      WHERE id IN (SELECT id FROM batch)
-      RETURNING id
+      WHERE ctid IN (SELECT ctid FROM batch)
+      RETURNING ctid
     `;
 
     if (updatedRows.length === 0) {

package/src/modules/introspector/classifier.ts

@@ -121,6 +121,10 @@ const CONTENT_SIGNATURES: ContentSignature[] = [
 ];
 
 const METADATA_PATTERNS: Array<{ pattern: RegExp; score: number }> = [
+  { pattern: /(^|_)(full_name|first_name|last_name|middle_name|surname|given_name|display_name)($|_)/i, score: STRONG_METADATA_SCORE },
+  { pattern: /(^|_)name($|_)/i, score: MEDIUM_METADATA_SCORE },
+  { pattern: /(^|_)(password|passwd|pwd|secret|token|api_key|access_token|refresh_token|auth_token|hash|salt)($|_)/i, score: STRONG_METADATA_SCORE },
+  { pattern: /(^|_)(role|roles|permission|permissions|group|groups|acl|access_level)($|_)/i, score: WEAK_METADATA_SCORE },
   { pattern: /(^|_)(email|e_mail|email_address|mail_address|contact_email)($|_)/i, score: STRONG_METADATA_SCORE },
   { pattern: /(^|_)(phone|mobile|msisdn|telephone|contact_number|whatsapp)(_number|_no)?($|_)/i, score: STRONG_METADATA_SCORE },
   { pattern: /(^|_)(aadhaar|aadhar|uidai)(_number|_no|_id)?($|_)/i, score: STRONG_METADATA_SCORE },

package/src/modules/introspector/run.ts

@@ -57,16 +57,24 @@ export async function runIntrospector(options: RunIntrospectorOptions): Promise<
     const sourceKey = targetKey(link.sourceTable.schema, link.sourceTable.table);
     const targetKeyStr = targetKey(link.targetTable.schema, link.targetTable.table);
 
+    let parentCol = link.column;
+    let childCol = link.column;
+    
+    // Attempt intelligent primary key mapping for orphaned root links
+    if (link.sourceTable.schema === root.schema && link.sourceTable.table === root.table) {
+      parentCol = ["target_email", "user_email", "email_address"].includes(link.column) ? "email" : "id";
+    }
+
     if (dagTableKeys.has(sourceKey) && !dagTableKeys.has(targetKeyStr)) {
       dagTableKeys.add(targetKeyStr);
       logicalTargets.push({
         table: link.targetTable,
         parentTable: link.sourceTable,
         constraintName: null,
-        childColumns: [link.column],
-        parentColumns: [link.column],
+        childColumns: [childCol],
+        parentColumns: [parentCol],
         depth: maxDepth,
-        fkCondition: `LOGICAL_LINK (${link.column})`,
+        fkCondition: `${formatQualifiedTable(link.sourceTable)}.${parentCol} = ${formatQualifiedTable(link.targetTable)}.${childCol}`,
       });
     } else if (dagTableKeys.has(targetKeyStr) && !dagTableKeys.has(sourceKey)) {
       dagTableKeys.add(sourceKey);
@@ -74,10 +82,10 @@ export async function runIntrospector(options: RunIntrospectorOptions): Promise<
         table: link.sourceTable,
         parentTable: link.targetTable,
         constraintName: null,
-        childColumns: [link.column],
-        parentColumns: [link.column],
+        childColumns: [childCol],
+        parentColumns: [parentCol],
         depth: maxDepth,
-        fkCondition: `LOGICAL_LINK (${link.column})`,
+        fkCondition: `${formatQualifiedTable(link.targetTable)}.${parentCol} = ${formatQualifiedTable(link.sourceTable)}.${childCol}`,
       });
     }
   }

package/src/modules/introspector/yaml.ts

@@ -83,6 +83,20 @@ export function renderIntrospectorYaml(draft: IntrospectorDraft): string {
     "legal_disclaimer:",
     "  text: \"Auto-generated by Compliance Worker. The DPO/Developer is responsible for verifying all logical links and PII mappings.\"",
     "",
+    "# ===================================================================================",
+    "# HOW TO READ THIS MANIFEST:",
+    "# - 'targets': The list of tables the worker will delete/redact from.",
+    "# - 'parent': The table that owns this data. The worker deletes parent-first or child-first depending on the DB constraints.",
+    "# - 'join': The SQL condition used to link the child table to the parent table.",
+    "# - 'pii_columns': Columns identified as containing Personal Identifiable Information.",
+    "# - 'action': 'redact' (anonymizes the row but keeps it) or implicitly 'delete' (removes the row entirely).",
+    "#",
+    "# IMPORTANT:",
+    "# 1. Review all 'join' conditions. If the Introspector guessed a join for an orphaned table, verify it.",
+    "# 2. Review all 'pii_columns' to ensure no sensitive columns were missed.",
+    "# 3. Replace 'PENDING_REVIEW' in legal_attestation once verified.",
+    "# ===================================================================================",
+    "",
     "rules:",
     "  - id: dpdp_standard",
     `    root_table: ${yamlScalar(formatQualifiedTable(draft.root))}`,

package/tests/introspector-classifier.test.ts

@@ -53,10 +53,10 @@ describe("Introspector PII classifier", () => {
     expect(classifyLeaf("560001", "postal_code")).toContain("indian_pin_code");
   });
 
-  it("does not infer personal names without a dedicated NER model", () => {
-    expect(metadataScore("full_name")).toBe(0);
-    expect(metadataScore("first_name")).toBe(0);
-    expect(metadataScore("customer_name")).toBe(0);
+  it("infers personal names based on standard developer metadata patterns", () => {
+    expect(metadataScore("full_name")).toBe(0.92);
+    expect(metadataScore("first_name")).toBe(0.92);
+    expect(metadataScore("customer_name")).toBe(0.82);
     expect(classifyLeaf("Priya Sharma")).toEqual([]);
   });
 });

package/tests/introspector.test.ts

@@ -201,6 +201,7 @@ describe("Offline Introspector", () => {
     expect(users?.piiColumns.map((column) => column.column).sort()).toEqual([
       "card_number",
       "email",
+      "full_name",
       "gstin",
       "phone",
       "upi_id",
@@ -215,7 +216,6 @@ describe("Offline Introspector", () => {
     expect(yaml).toContain(`root_table: ${schema}.users`);
     expect(yaml).toContain(`table: ${schema}.profiles`);
     expect(yaml).toContain("pii_columns: [pan, aadhaar_payload, nested_payload]");
-    expect(yaml).not.toContain("full_name");
     expect(yaml).toContain("schema_hash:");
     expect(yaml).toContain("generated_by: compliance-introspector-v1");
     expect(yaml).toContain("legal_disclaimer:");