CLI reference
heddle purge
Shippedheddle purge <subcommand> Physically remove the bytes of a previously-redacted blob from local storage. Irreversible. The Redaction tombstone stays in the DAG forever — only the underlying bytes leave.
Redaction (heddle redact) is the soft form — bytes leave materialized views, the Redaction object (tombstone) and the underlying blob bytes stay on disk. Purge is the hard form: the loose blob is deleted, and an OpRecord::Purge is appended to the oplog. The Redaction tombstone is unchanged and continues to record who, what, when, and why.
Purge refuses to run without --force because the operation is irreversible. It also refuses if no redaction has been declared for the (state, path) — purge can only act on what redact has already marked.
Three honest gotchas. First, if the blob lives inside a pack file, purge can remove the loose copy but the packed copy persists until you repack — purge warns when this happens. Second, cross-replica propagation requires signing: a purge ships over the wire as a Redaction with purged_at set, and receivers refuse unsigned, tampered, or untrusted-key records. Operators must --sign-with the purge and the receiving replicas must have the signer's key in [redact] trusted_keys (managed via heddle redact trust add). Unsigned purges still apply locally; they just don't propagate. Third, the workspace-owner capability check is wired through Biscuit as the capability surface lands; today --force is the explicit confirmation step.
Examples
Physically remove the bytes of a prior redaction
bash# redaction r0a1b2c3 already declared by heddle redact apply$ heddle purge apply HEAD --path src/test-fixtures/auth.json --forcepurged blob b3a8e201 at src/test-fixtures/auth.json in d01a8b4e (1 redaction(s) marked)List every purge that's happened in this repo
bash$ heddle purge list1 purge(s): r0a1b2c3 blob=b3a8e201 state=d01a8b4e path=src/test-fixtures/auth.json at 2026-05-11T14:34:11Z