chainlesschain 0.66.0 → 0.132.0

package/src/commands/compliance.js

@@ -16,6 +16,36 @@ import {
   listPolicies,
   addPolicy,
   checkAccess,
+  EVIDENCE_STATUS_V2,
+  POLICY_STATUS_V2,
+  REPORT_STATUS_V2,
+  SEVERITY_V2,
+  FRAMEWORKS_V2,
+  POLICY_TYPES_V2,
+  COMPLIANCE_DEFAULT_MAX_ACTIVE_POLICIES,
+  COMPLIANCE_DEFAULT_EVIDENCE_RETENTION_MS,
+  COMPLIANCE_DEFAULT_REPORT_RETENTION_MS,
+  setMaxActivePolicies,
+  setEvidenceRetentionMs,
+  setReportRetentionMs,
+  getMaxActivePolicies,
+  getEvidenceRetentionMs,
+  getReportRetentionMs,
+  getActivePolicyCount,
+  registerEvidenceV2,
+  getEvidenceStatusV2,
+  setEvidenceStatusV2,
+  autoExpireEvidence,
+  registerPolicyV2,
+  getPolicyStatusV2,
+  setPolicyStatusV2,
+  activatePolicy,
+  registerReportV2,
+  getReportStatusV2,
+  setReportStatusV2,
+  publishReport,
+  autoArchiveStaleReports,
+  getComplianceStatsV2,
 } from "../lib/compliance-manager.js";
 import {
   generateFrameworkReport,
@@ -29,6 +59,38 @@ import {
   matchObservable,
   getStats as getThreatIntelStats,
   removeIndicator,
+  FEED_MATURITY_V2,
+  INDICATOR_LIFECYCLE_V2,
+  getMaxActiveFeedsPerOwnerV2,
+  setMaxActiveFeedsPerOwnerV2,
+  getMaxActiveIndicatorsPerFeedV2,
+  setMaxActiveIndicatorsPerFeedV2,
+  getFeedIdleMsV2,
+  setFeedIdleMsV2,
+  getIndicatorStaleMsV2,
+  setIndicatorStaleMsV2,
+  getActiveFeedCountV2,
+  getActiveIndicatorCountV2,
+  registerFeedV2,
+  getFeedV2,
+  listFeedsV2,
+  setFeedMaturityV2,
+  trustFeedV2,
+  deprecateFeedV2,
+  retireFeedV2,
+  touchFeedV2,
+  createIndicatorV2,
+  getIndicatorV2,
+  listIndicatorsV2,
+  setIndicatorStatusV2,
+  activateIndicatorV2,
+  expireIndicatorV2,
+  revokeIndicatorV2,
+  supersedeIndicatorV2,
+  refreshIndicatorV2,
+  autoDeprecateIdleFeedsV2,
+  autoExpireStaleIndicatorsV2,
+  getThreatIntelStatsV2,
 } from "../lib/threat-intel.js";
 import { IOC_TYPES } from "../lib/stix-parser.js";
 import {
@@ -40,6 +102,37 @@ import {
   detectAnomalies,
   rankEntities,
   scoreEvent,
+  BASELINE_MATURITY_V2,
+  INVESTIGATION_V2,
+  getMaxActiveBaselinesPerOwnerV2,
+  setMaxActiveBaselinesPerOwnerV2,
+  getMaxOpenInvestigationsPerAnalystV2,
+  setMaxOpenInvestigationsPerAnalystV2,
+  getBaselineStaleMsV2,
+  setBaselineStaleMsV2,
+  getInvestigationStuckMsV2,
+  setInvestigationStuckMsV2,
+  getActiveBaselineCountV2,
+  getOpenInvestigationCountV2,
+  createBaselineV2,
+  getBaselineV2,
+  listBaselinesV2,
+  setBaselineMaturityV2,
+  activateBaselineV2,
+  markBaselineStaleV2,
+  archiveBaselineV2,
+  refreshBaselineV2,
+  openInvestigationV2,
+  getInvestigationV2,
+  listInvestigationsV2,
+  setInvestigationStatusV2,
+  startInvestigationV2,
+  closeInvestigationV2,
+  dismissInvestigationV2,
+  escalateInvestigationV2,
+  autoMarkStaleBaselinesV2,
+  autoEscalateStuckInvestigationsV2,
+  getUebaStatsV2,
 } from "../lib/ueba.js";
 
 function _loadEvidenceFromDb(db, framework) {
@@ -545,6 +638,260 @@ export function registerComplianceCommand(program) {
       }
     });
 
+  /* ═══ Threat-Intel V2 — feed maturity + indicator lifecycle ═══ */
+
+  threat
+    .command("feed-maturities-v2")
+    .description("List feed maturity states (V2)")
+    .action(() => {
+      for (const v of Object.values(FEED_MATURITY_V2)) console.log(`  ${v}`);
+    });
+
+  threat
+    .command("indicator-lifecycles-v2")
+    .description("List indicator lifecycle states (V2)")
+    .action(() => {
+      for (const v of Object.values(INDICATOR_LIFECYCLE_V2))
+        console.log(`  ${v}`);
+    });
+
+  threat
+    .command("stats-v2")
+    .description("Show V2 feed/indicator stats")
+    .action(() => {
+      console.log(JSON.stringify(getThreatIntelStatsV2(), null, 2));
+    });
+
+  threat
+    .command("max-active-feeds-per-owner")
+    .argument("[n]", "New cap")
+    .description("Get/set max active feeds per owner (V2)")
+    .action((n) => {
+      if (n !== undefined) setMaxActiveFeedsPerOwnerV2(n);
+      console.log(getMaxActiveFeedsPerOwnerV2());
+    });
+
+  threat
+    .command("max-active-indicators-per-feed")
+    .argument("[n]", "New cap")
+    .description("Get/set max active indicators per feed (V2)")
+    .action((n) => {
+      if (n !== undefined) setMaxActiveIndicatorsPerFeedV2(n);
+      console.log(getMaxActiveIndicatorsPerFeedV2());
+    });
+
+  threat
+    .command("feed-idle-ms")
+    .argument("[ms]", "New idle window")
+    .description("Get/set feed idle window ms (V2)")
+    .action((ms) => {
+      if (ms !== undefined) setFeedIdleMsV2(ms);
+      console.log(getFeedIdleMsV2());
+    });
+
+  threat
+    .command("indicator-stale-ms")
+    .argument("[ms]", "New stale window")
+    .description("Get/set indicator stale window ms (V2)")
+    .action((ms) => {
+      if (ms !== undefined) setIndicatorStaleMsV2(ms);
+      console.log(getIndicatorStaleMsV2());
+    });
+
+  threat
+    .command("active-feed-count-v2 <owner>")
+    .description("Count active feeds for owner (V2)")
+    .action((owner) => {
+      console.log(getActiveFeedCountV2(owner));
+    });
+
+  threat
+    .command("active-indicator-count-v2 <feedId>")
+    .description("Count active indicators for feed (V2)")
+    .action((feedId) => {
+      console.log(getActiveIndicatorCountV2(feedId));
+    });
+
+  threat
+    .command("register-feed-v2 <id>")
+    .requiredOption("-o, --owner <owner>", "Owner")
+    .requiredOption("-n, --name <name>", "Feed name")
+    .description("Register a new pending feed (V2)")
+    .action((id, opts) => {
+      console.log(
+        JSON.stringify(
+          registerFeedV2(id, { owner: opts.owner, name: opts.name }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  threat
+    .command("feed-v2 <id>")
+    .description("Show feed by id (V2)")
+    .action((id) => {
+      const f = getFeedV2(id);
+      if (!f) {
+        console.error(`feed ${id} not found`);
+        process.exit(1);
+      }
+      console.log(JSON.stringify(f, null, 2));
+    });
+
+  threat
+    .command("list-feeds-v2")
+    .option("-o, --owner <owner>", "Filter by owner")
+    .option("-m, --maturity <m>", "Filter by maturity")
+    .description("List feeds (V2)")
+    .action((opts) => {
+      console.log(
+        JSON.stringify(
+          listFeedsV2({ owner: opts.owner, maturity: opts.maturity }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  threat
+    .command("set-feed-maturity-v2 <id> <next>")
+    .description("Transition feed maturity (V2)")
+    .action((id, next) => {
+      console.log(JSON.stringify(setFeedMaturityV2(id, next), null, 2));
+    });
+
+  threat
+    .command("trust-feed-v2 <id>")
+    .description("Trust feed (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(trustFeedV2(id), null, 2));
+    });
+
+  threat
+    .command("deprecate-feed-v2 <id>")
+    .description("Deprecate feed (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(deprecateFeedV2(id), null, 2));
+    });
+
+  threat
+    .command("retire-feed-v2 <id>")
+    .description("Retire feed terminally (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(retireFeedV2(id), null, 2));
+    });
+
+  threat
+    .command("touch-feed-v2 <id>")
+    .description("Update feed lastSeenAt (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(touchFeedV2(id), null, 2));
+    });
+
+  threat
+    .command("create-indicator-v2 <id>")
+    .requiredOption("-f, --feed <feedId>", "Feed id")
+    .requiredOption("-t, --type <iocType>", "IoC type")
+    .requiredOption("-v, --value <value>", "IoC value")
+    .description("Create a pending indicator under a feed (V2)")
+    .action((id, opts) => {
+      console.log(
+        JSON.stringify(
+          createIndicatorV2(id, {
+            feedId: opts.feed,
+            iocType: opts.type,
+            value: opts.value,
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  threat
+    .command("indicator-v2 <id>")
+    .description("Show indicator by id (V2)")
+    .action((id) => {
+      const i = getIndicatorV2(id);
+      if (!i) {
+        console.error(`indicator ${id} not found`);
+        process.exit(1);
+      }
+      console.log(JSON.stringify(i, null, 2));
+    });
+
+  threat
+    .command("list-indicators-v2")
+    .option("-f, --feed <feedId>", "Filter by feedId")
+    .option("-s, --status <s>", "Filter by status")
+    .description("List indicators (V2)")
+    .action((opts) => {
+      console.log(
+        JSON.stringify(
+          listIndicatorsV2({ feedId: opts.feed, status: opts.status }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  threat
+    .command("set-indicator-status-v2 <id> <next>")
+    .description("Transition indicator status (V2)")
+    .action((id, next) => {
+      console.log(JSON.stringify(setIndicatorStatusV2(id, next), null, 2));
+    });
+
+  threat
+    .command("activate-indicator-v2 <id>")
+    .description("Activate indicator (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(activateIndicatorV2(id), null, 2));
+    });
+
+  threat
+    .command("expire-indicator-v2 <id>")
+    .description("Expire indicator terminally (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(expireIndicatorV2(id), null, 2));
+    });
+
+  threat
+    .command("revoke-indicator-v2 <id>")
+    .description("Revoke indicator terminally (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(revokeIndicatorV2(id), null, 2));
+    });
+
+  threat
+    .command("supersede-indicator-v2 <id>")
+    .description("Supersede indicator terminally (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(supersedeIndicatorV2(id), null, 2));
+    });
+
+  threat
+    .command("refresh-indicator-v2 <id>")
+    .description("Update indicator lastSeenAt (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(refreshIndicatorV2(id), null, 2));
+    });
+
+  threat
+    .command("auto-deprecate-idle-feeds")
+    .description("Auto-deprecate trusted feeds idle past window (V2)")
+    .action(() => {
+      console.log(JSON.stringify(autoDeprecateIdleFeedsV2(), null, 2));
+    });
+
+  threat
+    .command("auto-expire-stale-indicators")
+    .description("Auto-expire active indicators stale past window (V2)")
+    .action(() => {
+      console.log(JSON.stringify(autoExpireStaleIndicatorsV2(), null, 2));
+    });
+
   // ── UEBA ────────────────────────────────────────────────────
   const ueba = compliance
     .command("ueba")
@@ -804,4 +1151,692 @@ export function registerComplianceCommand(program) {
         process.exit(1);
       }
     });
+
+  /* ═══════════════════════════════════════════════════════════════
+     V2 SURFACE (Phase 19 canonical) — compliance V2 subcommands
+     ═══════════════════════════════════════════════════════════════ */
+
+  const parseMeta = (s) => {
+    if (!s) return {};
+    try {
+      return JSON.parse(s);
+    } catch {
+      return {};
+    }
+  };
+
+  compliance
+    .command("evidence-statuses-v2")
+    .description("List evidence V2 lifecycle states")
+    .action(() => {
+      for (const v of Object.values(EVIDENCE_STATUS_V2)) console.log("  " + v);
+    });
+
+  compliance
+    .command("policy-statuses-v2")
+    .description("List policy V2 lifecycle states")
+    .action(() => {
+      for (const v of Object.values(POLICY_STATUS_V2)) console.log("  " + v);
+    });
+
+  compliance
+    .command("report-statuses-v2")
+    .description("List report V2 lifecycle states")
+    .action(() => {
+      for (const v of Object.values(REPORT_STATUS_V2)) console.log("  " + v);
+    });
+
+  compliance
+    .command("severities-v2")
+    .description("List V2 severity buckets")
+    .action(() => {
+      for (const v of Object.values(SEVERITY_V2)) console.log("  " + v);
+    });
+
+  compliance
+    .command("frameworks-v2")
+    .description("List V2 supported frameworks")
+    .action(() => {
+      for (const v of FRAMEWORKS_V2) console.log("  " + v);
+    });
+
+  compliance
+    .command("policy-types-v2")
+    .description("List V2 supported policy types")
+    .action(() => {
+      for (const v of POLICY_TYPES_V2) console.log("  " + v);
+    });
+
+  compliance
+    .command("default-max-active-policies")
+    .description("Show default max-active-policies cap")
+    .action(() => console.log(COMPLIANCE_DEFAULT_MAX_ACTIVE_POLICIES));
+
+  compliance
+    .command("max-active-policies")
+    .description("Show current max-active-policies cap")
+    .action(() => console.log(getMaxActivePolicies()));
+
+  compliance
+    .command("set-max-active-policies <n>")
+    .description("Set max-active-policies cap")
+    .action((n) => {
+      try {
+        console.log(setMaxActivePolicies(n));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("default-evidence-retention-ms")
+    .description("Show default evidence retention (ms)")
+    .action(() => console.log(COMPLIANCE_DEFAULT_EVIDENCE_RETENTION_MS));
+
+  compliance
+    .command("evidence-retention-ms")
+    .description("Show current evidence retention (ms)")
+    .action(() => console.log(getEvidenceRetentionMs()));
+
+  compliance
+    .command("set-evidence-retention-ms <ms>")
+    .description("Set evidence retention (ms)")
+    .action((ms) => {
+      try {
+        console.log(setEvidenceRetentionMs(ms));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("default-report-retention-ms")
+    .description("Show default report retention (ms)")
+    .action(() => console.log(COMPLIANCE_DEFAULT_REPORT_RETENTION_MS));
+
+  compliance
+    .command("report-retention-ms")
+    .description("Show current report retention (ms)")
+    .action(() => console.log(getReportRetentionMs()));
+
+  compliance
+    .command("set-report-retention-ms <ms>")
+    .description("Set report retention (ms)")
+    .action((ms) => {
+      try {
+        console.log(setReportRetentionMs(ms));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("active-policy-count")
+    .description("Show current active-policy count")
+    .option("-f, --framework <fw>", "Filter by framework")
+    .action((options) => {
+      console.log(getActivePolicyCount(options.framework));
+    });
+
+  compliance
+    .command("register-evidence-v2 <evidence-id>")
+    .description("Register a new V2 evidence entry (tagged COLLECTED)")
+    .option("-f, --framework <fw>", "Framework (gdpr|soc2|hipaa|iso27001)")
+    .option("-t, --type <type>", "Evidence type", "general")
+    .option("-d, --description <desc>", "Description")
+    .option("-s, --source <source>", "Source", "cli")
+    .option("-m, --metadata <json>", "Metadata JSON")
+    .action((evidenceId, options) => {
+      try {
+        const r = registerEvidenceV2(null, {
+          evidenceId,
+          framework: options.framework,
+          type: options.type,
+          description: options.description,
+          source: options.source,
+          metadata: parseMeta(options.metadata),
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("evidence-status-v2 <evidence-id>")
+    .description("Show V2 evidence lifecycle entry")
+    .action((evidenceId) => {
+      const r = getEvidenceStatusV2(evidenceId);
+      if (!r) {
+        logger.warn("Evidence not found");
+        process.exit(1);
+      }
+      console.log(JSON.stringify(r, null, 2));
+    });
+
+  compliance
+    .command("set-evidence-status-v2 <evidence-id> <status>")
+    .description(
+      "Transition V2 evidence lifecycle (collected/verified/rejected/expired)",
+    )
+    .option("-r, --reason <reason>", "Reason")
+    .option("-m, --metadata <json>", "Metadata patch JSON")
+    .action((evidenceId, status, options) => {
+      try {
+        const r = setEvidenceStatusV2(null, evidenceId, status, {
+          reason: options.reason,
+          metadata: options.metadata ? parseMeta(options.metadata) : undefined,
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("auto-expire-evidence")
+    .description("Bulk-flip stale evidence to EXPIRED")
+    .action(() => {
+      const r = autoExpireEvidence(null, Date.now());
+      console.log(JSON.stringify({ expired: r.length, entries: r }, null, 2));
+    });
+
+  compliance
+    .command("register-policy-v2 <policy-id>")
+    .description("Register a new V2 policy entry (tagged DRAFT)")
+    .option("-n, --name <name>", "Policy name")
+    .option("-t, --type <type>", "Policy type")
+    .option("-f, --framework <fw>", "Framework")
+    .option(
+      "-s, --severity <sev>",
+      "Severity (critical|high|medium|low)",
+      "medium",
+    )
+    .option("-r, --rules <json>", "Rules JSON")
+    .option("-m, --metadata <json>", "Metadata JSON")
+    .action((policyId, options) => {
+      try {
+        const r = registerPolicyV2(null, {
+          policyId,
+          name: options.name,
+          type: options.type,
+          framework: options.framework,
+          severity: options.severity,
+          rules: parseMeta(options.rules),
+          metadata: parseMeta(options.metadata),
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("policy-status-v2 <policy-id>")
+    .description("Show V2 policy lifecycle entry")
+    .action((policyId) => {
+      const r = getPolicyStatusV2(policyId);
+      if (!r) {
+        logger.warn("Policy not found");
+        process.exit(1);
+      }
+      console.log(JSON.stringify(r, null, 2));
+    });
+
+  compliance
+    .command("set-policy-status-v2 <policy-id> <status>")
+    .description(
+      "Transition V2 policy lifecycle (draft/active/suspended/deprecated)",
+    )
+    .option("-r, --reason <reason>", "Reason")
+    .option("-m, --metadata <json>", "Metadata patch JSON")
+    .action((policyId, status, options) => {
+      try {
+        const r = setPolicyStatusV2(null, policyId, status, {
+          reason: options.reason,
+          metadata: options.metadata ? parseMeta(options.metadata) : undefined,
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("activate-policy <policy-id>")
+    .description("Activate a V2 policy (DRAFT→ACTIVE, enforces max-active cap)")
+    .action((policyId) => {
+      try {
+        const r = activatePolicy(null, policyId);
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("register-report-v2 <report-id>")
+    .description("Register a new V2 report entry (tagged PENDING)")
+    .option("-f, --framework <fw>", "Framework")
+    .option("-t, --title <title>", "Title")
+    .option("-m, --metadata <json>", "Metadata JSON")
+    .action((reportId, options) => {
+      try {
+        const r = registerReportV2(null, {
+          reportId,
+          framework: options.framework,
+          title: options.title,
+          metadata: parseMeta(options.metadata),
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("report-status-v2 <report-id>")
+    .description("Show V2 report lifecycle entry")
+    .action((reportId) => {
+      const r = getReportStatusV2(reportId);
+      if (!r) {
+        logger.warn("Report not found");
+        process.exit(1);
+      }
+      console.log(JSON.stringify(r, null, 2));
+    });
+
+  compliance
+    .command("set-report-status-v2 <report-id> <status>")
+    .description(
+      "Transition V2 report lifecycle (pending/generating/published/archived)",
+    )
+    .option("-r, --reason <reason>", "Reason")
+    .option("-s, --score <n>", "Score (on publish)")
+    .option("-y, --summary <text>", "Summary (on publish)")
+    .option("-m, --metadata <json>", "Metadata patch JSON")
+    .action((reportId, status, options) => {
+      try {
+        const r = setReportStatusV2(null, reportId, status, {
+          reason: options.reason,
+          score:
+            options.score !== undefined ? Number(options.score) : undefined,
+          summary: options.summary,
+          metadata: options.metadata ? parseMeta(options.metadata) : undefined,
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("publish-report <report-id>")
+    .description("Publish a V2 report (pending→generating→published)")
+    .option("-s, --score <n>", "Score", "0")
+    .option("-y, --summary <text>", "Summary", "")
+    .action((reportId, options) => {
+      try {
+        const r = publishReport(null, reportId, {
+          score: Number(options.score),
+          summary: options.summary,
+        });
+        console.log(JSON.stringify(r, null, 2));
+      } catch (err) {
+        logger.error(err.message);
+        process.exit(1);
+      }
+    });
+
+  compliance
+    .command("auto-archive-stale-reports")
+    .description("Bulk-flip stale published reports to ARCHIVED")
+    .action(() => {
+      const r = autoArchiveStaleReports(null, Date.now());
+      console.log(JSON.stringify({ archived: r.length, entries: r }, null, 2));
+    });
+
+  compliance
+    .command("stats-v2")
+    .description("V2 compliance stats (all-enum-key zero-initialized)")
+    .action(() => {
+      console.log(JSON.stringify(getComplianceStatsV2(), null, 2));
+    });
+
+  /* ═══ UEBA V2 ═══ */
+
+  function _parseMetaUeba(s) {
+    if (!s) return undefined;
+    try {
+      return JSON.parse(s);
+    } catch {
+      throw new Error("--metadata must be valid JSON");
+    }
+  }
+
+  ueba
+    .command("baseline-maturities-v2")
+    .description("List baseline maturity states (V2)")
+    .action(() => {
+      for (const v of Object.values(BASELINE_MATURITY_V2)) logger.log(`  ${v}`);
+    });
+
+  ueba
+    .command("investigation-lifecycles-v2")
+    .description("List investigation lifecycle states (V2)")
+    .action(() => {
+      for (const v of Object.values(INVESTIGATION_V2)) logger.log(`  ${v}`);
+    });
+
+  ueba
+    .command("stats-v2")
+    .description("UEBA V2 stats")
+    .action(() => {
+      console.log(JSON.stringify(getUebaStatsV2(), null, 2));
+    });
+
+  ueba
+    .command("max-active-baselines-per-owner")
+    .description("Get/set max active baselines per owner (V2)")
+    .option("-s, --set <n>", "Set value", (v) => parseInt(v, 10))
+    .action((o) => {
+      if (typeof o.set === "number")
+        console.log(setMaxActiveBaselinesPerOwnerV2(o.set));
+      else console.log(getMaxActiveBaselinesPerOwnerV2());
+    });
+
+  ueba
+    .command("max-open-investigations-per-analyst")
+    .description("Get/set max open investigations per analyst (V2)")
+    .option("-s, --set <n>", "Set value", (v) => parseInt(v, 10))
+    .action((o) => {
+      if (typeof o.set === "number")
+        console.log(setMaxOpenInvestigationsPerAnalystV2(o.set));
+      else console.log(getMaxOpenInvestigationsPerAnalystV2());
+    });
+
+  ueba
+    .command("baseline-stale-ms")
+    .description("Get/set baseline stale threshold ms (V2)")
+    .option("-s, --set <n>", "Set value", (v) => parseInt(v, 10))
+    .action((o) => {
+      if (typeof o.set === "number") console.log(setBaselineStaleMsV2(o.set));
+      else console.log(getBaselineStaleMsV2());
+    });
+
+  ueba
+    .command("investigation-stuck-ms")
+    .description("Get/set investigation stuck threshold ms (V2)")
+    .option("-s, --set <n>", "Set value", (v) => parseInt(v, 10))
+    .action((o) => {
+      if (typeof o.set === "number")
+        console.log(setInvestigationStuckMsV2(o.set));
+      else console.log(getInvestigationStuckMsV2());
+    });
+
+  ueba
+    .command("active-baseline-count")
+    .description("Count active baselines for owner (V2)")
+    .requiredOption("-o, --owner <owner>", "Owner")
+    .action((o) => {
+      console.log(getActiveBaselineCountV2(o.owner));
+    });
+
+  ueba
+    .command("open-investigation-count")
+    .description("Count open investigations for analyst (V2)")
+    .requiredOption("-a, --analyst <analyst>", "Analyst")
+    .action((o) => {
+      console.log(getOpenInvestigationCountV2(o.analyst));
+    });
+
+  ueba
+    .command("create-baseline-v2 <id>")
+    .description("Create baseline V2 (draft)")
+    .requiredOption("-o, --owner <owner>", "Owner")
+    .requiredOption("-e, --entity <entity>", "Entity")
+    .option("-m, --metadata <json>", "JSON metadata")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(
+          createBaselineV2({
+            id,
+            owner: o.owner,
+            entity: o.entity,
+            metadata: _parseMetaUeba(o.metadata),
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("baseline-v2 <id>")
+    .description("Show baseline V2")
+    .action((id) => {
+      const b = getBaselineV2(id);
+      if (!b) {
+        logger.error(`baseline ${id} not found`);
+        process.exit(1);
+      }
+      console.log(JSON.stringify(b, null, 2));
+    });
+
+  ueba
+    .command("list-baselines-v2")
+    .description("List baselines V2")
+    .option("-o, --owner <owner>", "Filter by owner")
+    .option("-s, --status <status>", "Filter by status")
+    .action((o) => {
+      console.log(
+        JSON.stringify(
+          listBaselinesV2({ owner: o.owner, status: o.status }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("set-baseline-maturity-v2 <id> <status>")
+    .description("Transition baseline V2 to status")
+    .option("-r, --reason <reason>", "Reason")
+    .option("-m, --metadata <json>", "JSON metadata patch")
+    .action((id, status, o) => {
+      console.log(
+        JSON.stringify(
+          setBaselineMaturityV2(id, status, {
+            reason: o.reason,
+            metadata: _parseMetaUeba(o.metadata),
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("activate-baseline-v2 <id>")
+    .description("Baseline → active (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(activateBaselineV2(id, { reason: o.reason }), null, 2),
+      );
+    });
+
+  ueba
+    .command("mark-baseline-stale <id>")
+    .description("Baseline → stale (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(markBaselineStaleV2(id, { reason: o.reason }), null, 2),
+      );
+    });
+
+  ueba
+    .command("archive-baseline-v2 <id>")
+    .description("Baseline → archived (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(archiveBaselineV2(id, { reason: o.reason }), null, 2),
+      );
+    });
+
+  ueba
+    .command("refresh-baseline-v2 <id>")
+    .description("Update lastRefreshedAt (V2)")
+    .action((id) => {
+      console.log(JSON.stringify(refreshBaselineV2(id), null, 2));
+    });
+
+  ueba
+    .command("open-investigation-v2 <id>")
+    .description("Open investigation V2")
+    .requiredOption("-a, --analyst <analyst>", "Analyst")
+    .requiredOption("-b, --baseline <baselineId>", "Baseline id")
+    .option("--summary <summary>", "Summary")
+    .option("-m, --metadata <json>", "JSON metadata")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(
+          openInvestigationV2({
+            id,
+            analyst: o.analyst,
+            baselineId: o.baseline,
+            summary: o.summary,
+            metadata: _parseMetaUeba(o.metadata),
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("investigation-v2 <id>")
+    .description("Show investigation V2")
+    .action((id) => {
+      const i = getInvestigationV2(id);
+      if (!i) {
+        logger.error(`investigation ${id} not found`);
+        process.exit(1);
+      }
+      console.log(JSON.stringify(i, null, 2));
+    });
+
+  ueba
+    .command("list-investigations-v2")
+    .description("List investigations V2")
+    .option("-a, --analyst <analyst>", "Filter by analyst")
+    .option("-s, --status <status>", "Filter by status")
+    .option("-b, --baseline <baselineId>", "Filter by baseline")
+    .action((o) => {
+      console.log(
+        JSON.stringify(
+          listInvestigationsV2({
+            analyst: o.analyst,
+            status: o.status,
+            baselineId: o.baseline,
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("set-investigation-status-v2 <id> <status>")
+    .description("Transition investigation V2 to status")
+    .option("-r, --reason <reason>", "Reason")
+    .option("-m, --metadata <json>", "JSON metadata patch")
+    .action((id, status, o) => {
+      console.log(
+        JSON.stringify(
+          setInvestigationStatusV2(id, status, {
+            reason: o.reason,
+            metadata: _parseMetaUeba(o.metadata),
+          }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("start-investigation-v2 <id>")
+    .description("Investigation → investigating (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(startInvestigationV2(id, { reason: o.reason }), null, 2),
+      );
+    });
+
+  ueba
+    .command("close-investigation-v2 <id>")
+    .description("Investigation → closed (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(closeInvestigationV2(id, { reason: o.reason }), null, 2),
+      );
+    });
+
+  ueba
+    .command("dismiss-investigation-v2 <id>")
+    .description("Investigation → dismissed (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(
+          dismissInvestigationV2(id, { reason: o.reason }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("escalate-investigation-v2 <id>")
+    .description("Investigation → escalated (V2)")
+    .option("-r, --reason <reason>", "Reason")
+    .action((id, o) => {
+      console.log(
+        JSON.stringify(
+          escalateInvestigationV2(id, { reason: o.reason }),
+          null,
+          2,
+        ),
+      );
+    });
+
+  ueba
+    .command("auto-mark-stale-baselines")
+    .description("Bulk auto-flip active→stale past threshold (V2)")
+    .action(() => {
+      console.log(JSON.stringify(autoMarkStaleBaselinesV2(), null, 2));
+    });
+
+  ueba
+    .command("auto-escalate-stuck-investigations")
+    .description(
+      "Bulk auto-escalate investigating → escalated past threshold (V2)",
+    )
+    .action(() => {
+      console.log(JSON.stringify(autoEscalateStuckInvestigationsV2(), null, 2));
+    });
 }