korext 0.1.0 → 0.3.0

package/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+## 0.3.0
+- **New:** Version bump to match extension releases
+- **Improved:** CLI now reports version 0.3.0
+
+## 0.2.0
+- Initial release
+- `korext login` — browser-based authentication
+- `korext init` — initialize Korext project
+- `korext extract` — extract rules from PDF/Markdown policy documents
+- `korext review` — review extracted rules
+- `korext publish` — activate custom policy packs

package/README.md

@@ -0,0 +1,88 @@
+# Korext CLI
+
+**The Korext Node.js Command Line Interface.**
+Real-time policy enforcement and compliance proof for AI-generated code.
+
+[![NPM Version](https://img.shields.io/npm/v/korext)](https://www.npmjs.com/package/korext)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+---
+
+## Installation
+
+Install the CLI globally using NPM to access the `korext` command from anywhere:
+
+```bash
+npm install -g korext
+```
+
+## Authentication
+
+Before running analysis, you must authenticate the CLI against your Korext account.
+
+```bash
+# Login via browser (Recommended)
+korext login
+
+# Headless CI/CD Login via environment variable
+export KOREXT_API_TOKEN="your_personal_access_token"
+```
+
+## Commands
+
+### `korext enforce [path]`
+Scans a target directory or file and cross-references it against your active Korext Policy Pack in real-time.
+
+```bash
+# Run against the current directory
+korext enforce .
+
+# Run against a specific file
+korext enforce ./src/auth.ts
+```
+
+### `korext status`
+View your current authentication state, active Cloud storage tier, and active Policy Pack ID.
+
+```bash
+korext status
+```
+
+### `korext packs list`
+Retrieves and lists all available internal Policy Packs available for your organization.
+
+```bash
+korext packs list
+```
+
+---
+
+## CI/CD Pipeline Integration
+
+The Korext CLI is built to run headless inside GitHub Actions, GitLab CI, and isolated Docker environments. When a violation is detected during an enforcement run (`korext enforce`), the CLI intentionally exits with a non-zero code (`exit 1`) to fail the build automatically.
+
+**Example GitHub Action:**
+```yaml
+name: Korext Policy Pipeline
+on: [push, pull_request]
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          
+      - name: Install Korext globally
+        run: npm install -g korext
+        
+      - name: Korext Enforce
+        env:
+          KOREXT_API_TOKEN: ${{ secrets.KOREXT_API_TOKEN }}
+        run: korext enforce .
+```
+
+## Need Help?
+Visit the official documentation at [Korext.com](https://www.korext.com) or reach out to your Account Executive for Enterprise Support.

package/bin/korext.js

@@ -159,49 +159,62 @@ program
   .command('enforce [dir]')
   .description('Statically analyze files in a directory against Korext policies')
   .option('-p, --pack <packId>', 'Policy Pack ID to enforce', 'web')
+  .option('-f, --format <format>', 'Output format (text, json, sarif)', 'text')
   .action(async (dirArg, options) => {
     const dir = dirArg || '.';
     const pack = options.pack;
-    
-    console.log(`\n${chalk.bold.hex('#F27D26')('▲ KOREXT CLI ENFORCEMENT ENGINE')} v${version}`);
-    console.log(chalk.dim('======================================='));
+    const format = options.format.toLowerCase();
+    const isText = format === 'text';
+
+    if (isText) {
+      console.log(`\n${chalk.bold.hex('#F27D26')('▲ KOREXT CLI ENFORCEMENT ENGINE')} v${version}`);
+      console.log(chalk.dim('======================================='));
+    }
 
     const token = getToken();
-    if (!token) {
+    if (!token && isText) {
       console.log(chalk.yellow('\n⚠ Warning: No authentication token found.'));
       console.log(chalk.dim('Anonymous evaluation runs are limited to 20 requests per hour per IP.'));
       console.log(chalk.dim(`Run ${chalk.green('korext login')} to authenticate for unlimited CI/CD analytics.\n`));
     }
 
-    const spinner = ora(`Scanning directory '${dir}' for supported files...`).start();
+    const report = {
+      version,
+      packId: pack,
+      directory: dir,
+      summary: { totalFiles: 0, scannedFiles: 0, skippedFiles: 0, errorFiles: 0, critical: 0, high: 0, medium: 0, low: 0, totalViolations: 0 },
+      results: []
+    };
+
     let files;
     try {
       files = findFiles(dir);
     } catch (e) {
-      spinner.fail(chalk.red(`Error reading directory: ${e.message}`));
+      if (isText) console.error(chalk.red(`Error reading directory: ${e.message}`));
       process.exit(1);
     }
 
+    report.summary.totalFiles = files.length;
+
     if (files.length === 0) {
-      spinner.succeed('Done. No supported files found.');
+      if (isText) console.log('Done. No supported files found.');
+      else console.log(JSON.stringify(report, null, 2));
       process.exit(0);
     }
 
-    spinner.succeed(`Found ${files.length} files. Starting analysis with pack: ${chalk.cyan(pack)}...\n`);
-
-    let totalViolations = 0;
-    let criticalCount = 0;
-    let highCount = 0;
+    if (isText) console.log(`Found ${files.length} files. Starting analysis with pack: ${chalk.cyan(pack)}...\n`);
 
     for (let i = 0; i < files.length; i++) {
       const file = files[i];
       const displayPath = path.relative(process.cwd(), file);
       
-      const fileSpinner = ora(`Analyzing ${displayPath} (${i + 1}/${files.length})...`).start();
+      let fileSpinner = null;
+      if (isText) fileSpinner = ora(`Analyzing ${displayPath} (${i + 1}/${files.length})...`).start();
       
       const fileContent = fs.readFileSync(file, 'utf-8');
       if (fileContent.length > 500000) {
-        fileSpinner.info(chalk.yellow(`Skipped ${displayPath} (File too large)`));
+        if (fileSpinner) fileSpinner.info(chalk.yellow(`Skipped ${displayPath} (File too large)`));
+        report.summary.skippedFiles++;
         continue;
       }
 
@@ -225,54 +238,756 @@ program
         });
 
         if (!res.ok) {
-          fileSpinner.fail(chalk.red(`Server error analyzing ${displayPath}: HTTP ${res.status}`));
+          if (fileSpinner) fileSpinner.fail(chalk.red(`Server error analyzing ${displayPath}: HTTP ${res.status}`));
+          report.summary.errorFiles++;
           continue;
         }
 
         const result = await res.json();
         
         if (result.skipped) {
-          fileSpinner.info(chalk.yellow(`Skipped ${displayPath}: ${result.reason}`));
+          if (fileSpinner) fileSpinner.info(chalk.yellow(`Skipped ${displayPath}: ${result.reason}`));
+          report.summary.skippedFiles++;
           continue;
         }
 
-        if (result.summary && result.summary.total > 0) {
-          fileSpinner.stop();
-          console.log(`\n📄 ${chalk.bold.underline(displayPath)}`);
+        report.summary.scannedFiles++;
+        const fileViolations = result.violations || [];
+        report.summary.totalViolations += fileViolations.length;
+
+        if (fileViolations.length > 0) {
+          if (fileSpinner) fileSpinner.stop();
+          if (isText) console.log(`\n📄 ${chalk.bold.underline(displayPath)}`);
           
-          for (const v of result.violations) {
-            totalViolations++;
+          const storedV = [];
+          for (const v of fileViolations) {
             let severityTag = chalk.blue('LOW');
-            if (v.severity === 'critical') { severityTag = chalk.bgRed.white.bold(' CRITICAL '); criticalCount++; }
-            else if (v.severity === 'high') { severityTag = chalk.red.bold('HIGH'); highCount++; }
-            else if (v.severity === 'medium') { severityTag = chalk.yellow.bold('MED'); }
+            if (v.severity === 'critical') { severityTag = chalk.bgRed.white.bold(' CRITICAL '); report.summary.critical++; }
+            else if (v.severity === 'high') { severityTag = chalk.red.bold('HIGH'); report.summary.high++; }
+            else if (v.severity === 'medium') { severityTag = chalk.yellow.bold('MED'); report.summary.medium++; }
+            else { report.summary.low++; }
 
-            console.log(`   ${chalk.dim(v.line + ':' + (v.column || 0))}  ${severityTag}  ${v.ruleName}`);
-            console.log(`   ${chalk.dim('↳')} ${chalk.italic(v.explanation)} `);
+            if (isText) {
+              console.log(`   ${chalk.dim(v.line + ':' + (v.column || 0))}  ${severityTag}  ${v.ruleName}`);
+              console.log(`   ${chalk.dim('↳')} ${chalk.italic(v.explanation)} `);
+            }
+            storedV.push(v);
           }
+          report.results.push({ file: displayPath, violations: storedV });
         } else {
-          fileSpinner.stop();
+          if (fileSpinner) fileSpinner.stop();
+          report.results.push({ file: displayPath, violations: [] });
         }
       } catch (e) {
-        fileSpinner.fail(chalk.red(`Failed to analyze ${displayPath}: ${e.message}`));
+        if (fileSpinner) fileSpinner.fail(chalk.red(`Failed to analyze ${displayPath}: ${e.message}`));
+        report.summary.errorFiles++;
       }
     }
 
-    console.log('\n' + chalk.dim('======================================='));
-    
-    if (totalViolations === 0) {
-      console.log(chalk.green.bold('✔ Success! Found 0 policy violations. Your code is clean.\n'));
+    if (format === 'json') {
+      console.log(JSON.stringify(report, null, 2));
+    } else if (format === 'sarif') {
+      const sarif = {
+        version: "2.1.0",
+        $schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
+        runs: [{
+          tool: { driver: { name: "Korext", version } },
+          results: []
+        }]
+      };
+      for (const res of report.results) {
+        for (const v of res.violations) {
+          sarif.runs[0].results.push({
+            ruleId: v.ruleName,
+            level: v.severity === 'critical' || v.severity === 'high' ? "error" : v.severity === 'medium' ? "warning" : "note",
+            message: { text: v.explanation },
+            locations: [{
+              physicalLocation: {
+                artifactLocation: { uri: res.file },
+                region: { startLine: v.line, startColumn: v.column || 1 }
+              }
+            }]
+          });
+        }
+      }
+      console.log(JSON.stringify(sarif, null, 2));
+    } else {
+      console.log('\n' + chalk.dim('======================================='));
+      if (report.summary.totalViolations === 0 && report.summary.errorFiles === 0) {
+        console.log(chalk.green.bold('✔ Success! Found 0 policy violations. Your code is clean.\n'));
+      } else {
+        console.log(chalk.red.bold(`✖ Analysis complete. Found ${report.summary.totalViolations} total policy violations.`));
+      }
+    }
+
+    if (process.env.GITHUB_STEP_SUMMARY) {
+      let md = `## 🛡️ Korext Code Governance Report\n\n`;
+      md += `**Scanned:** ${report.summary.scannedFiles} files | **Violations:** ${report.summary.totalViolations}\n\n`;
+      md += `| Severity | Count |\n| --- | --- |\n`;
+      md += `| 🔴 CRITICAL | ${report.summary.critical} |\n`;
+      md += `| 🟠 HIGH | ${report.summary.high} |\n`;
+      md += `| 🟡 MEDIUM | ${report.summary.medium} |\n`;
+      md += `| 🔵 LOW | ${report.summary.low} |\n\n`;
+
+      if (report.summary.totalViolations > 0) {
+        md += `### Violations Found:\n\n`;
+        report.results.forEach(res => {
+          if (res.violations.length > 0) {
+            md += `**\`${res.file}\`**\n`;
+            res.violations.forEach(v => {
+              md += `- \`Line ${v.line}\` **[${v.severity.toUpperCase()}]** ${v.ruleName}: *${v.explanation}*\n`;
+            });
+            md += '\n';
+          }
+        });
+      }
+      try {
+        fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, md, 'utf-8');
+      } catch (e) {
+        // fail silently if runner volume is unmountable
+      }
+    }
+
+    if (report.summary.errorFiles > 0) process.exit(2);
+    if (report.summary.critical > 0 || report.summary.high > 0) {
+      if (isText) console.log(chalk.red('Quality Gate Failed: Critical or High severity violations detected.\n'));
+      process.exit(1);
+    } else if (report.summary.totalViolations > 0) {
+      if (isText) console.log(chalk.yellow('Warnings present, but no critical/high gates triggered. Passing build.\n'));
       process.exit(0);
+    }
+    process.exit(0);
+  });
+
+// ─── POLICY COMMANDS ─────────────────────────────────────────────────────────
+
+const LOCAL_DRAFT_DIR = path.join(process.cwd(), '.korext');
+const APPROVED_PACK_FILE = path.join(LOCAL_DRAFT_DIR, 'approved-pack.json');
+const REVIEW_PORT = 3847;
+
+function ensureKorextDir() {
+  if (!fs.existsSync(LOCAL_DRAFT_DIR)) {
+    fs.mkdirSync(LOCAL_DRAFT_DIR, { mode: 0o700, recursive: true });
+  }
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  if (fs.existsSync(gitignorePath)) {
+    const content = fs.readFileSync(gitignorePath, 'utf-8');
+    if (!content.includes('.korext/')) {
+      fs.appendFileSync(gitignorePath, '\n# Korext policy drafts (may contain sensitive extracted policy text)\n.korext/\n');
+    }
+  } else {
+    fs.writeFileSync(gitignorePath, '# Korext policy drafts\n.korext/\n');
+  }
+}
+
+function getLatestDraft() {
+  if (!fs.existsSync(LOCAL_DRAFT_DIR)) {
+    console.error(chalk.red('✖ No draft found. Run: korext policy init --file <path> --name <name>'));
+    process.exit(1);
+  }
+  const files = fs.readdirSync(LOCAL_DRAFT_DIR)
+    .filter(f => f.startsWith('draft-') && f.endsWith('.json') && f !== 'draft-pack.json')
+    .sort()
+    .reverse();
+  // Fallback to legacy draft-pack.json
+  if (files.length === 0 && fs.existsSync(path.join(LOCAL_DRAFT_DIR, 'draft-pack.json'))) {
+    return JSON.parse(fs.readFileSync(path.join(LOCAL_DRAFT_DIR, 'draft-pack.json'), 'utf-8'));
+  }
+  if (files.length === 0) {
+    console.error(chalk.red('✖ No draft found. Run: korext policy init --file <path> --name <name>'));
+    process.exit(1);
+  }
+  const latest = path.join(LOCAL_DRAFT_DIR, files[0]);
+  return { ...JSON.parse(fs.readFileSync(latest, 'utf-8')), _draftPath: latest };
+}
+
+function saveLatestDraft(draft) {
+  const draftPath = draft._draftPath || path.join(LOCAL_DRAFT_DIR, 'draft-pack.json');
+  const toSave = { ...draft };
+  delete toSave._draftPath;
+  fs.writeFileSync(draftPath, JSON.stringify(toSave, null, 2), { mode: 0o600 });
+}
+
+function parseMarkdownSections(content) {
+  // Strip YAML front matter
+  const stripped = content.replace(/^---[\s\S]*?---\s*\n/, '');
+  const lines = stripped.split('\n');
+  const sections = [];
+  let currentHeading = 'Document Start';
+  let currentContent = [];
+
+  for (const line of lines) {
+    const headingMatch = line.match(/^(#{1,6})\s+(.*)/);
+    if (headingMatch) {
+      if (currentContent.length > 0) {
+        sections.push({ heading: currentHeading, content: currentContent.join('\n').trim() });
+      }
+      currentHeading = headingMatch[2].trim();
+      currentContent = [];
     } else {
-      console.log(chalk.red.bold(`✖ Analysis complete. Found ${totalViolations} total policy violations.`));
-      if (criticalCount > 0 || highCount > 0) {
-        console.log(chalk.red('Quality Gate Failed: Critical or High severity violations detected.\n'));
+      currentContent.push(line);
+    }
+  }
+  if (currentContent.length > 0) {
+    sections.push({ heading: currentHeading, content: currentContent.join('\n').trim() });
+  }
+  // Filter out empty sections
+  return sections.filter(s => s.content.length > 0);
+}
+
+const policyCmd = program.command('policy').description('Local policy document processing commands');
+
+// ── korext policy init ─────────────────────────────────────────────────────
+policyCmd
+  .command('init')
+  .description('Process a policy document locally (zero network calls)')
+  .requiredOption('--file <path>', 'Path to policy document (.md, .pdf)')
+  .requiredOption('--name <name>', 'Name for this policy pack')
+  .option('--description <text>', 'Description for this policy pack', '')
+  .action((options) => {
+    const filePath = path.resolve(options.file);
+
+    if (!fs.existsSync(filePath)) {
+      console.error(chalk.red(`File not found at ${filePath}.\nCheck the path and try again.`));
+      process.exit(1);
+    }
+
+    const ext = path.extname(filePath).toLowerCase();
+    if (!['.md', '.markdown', '.mdx', '.pdf'].includes(ext)) {
+      console.error(chalk.red(`Only .pdf and .md files are supported. Got ${ext}.`));
+      process.exit(1);
+    }
+
+    const stats = fs.statSync(filePath);
+    if (stats.size === 0) {
+      console.error(chalk.red('The file appears to be empty.'));
+      process.exit(1);
+    }
+    if (stats.size > 50 * 1024 * 1024) {
+      console.error(chalk.red('File is too large. Maximum size is 50MB.'));
+      process.exit(1);
+    }
+
+    ensureKorextDir();
+
+    let sections = [];
+    let wordCount = 0;
+    const isPdf = ext === '.pdf';
+
+    if (!isPdf) {
+      const raw = fs.readFileSync(filePath, 'utf-8');
+      sections = parseMarkdownSections(raw);
+      const allText = sections.map(s => s.content).join(' ');
+      wordCount = allText.split(/\s+/).filter(w => w.length > 0).length;
+      if (wordCount < 20) {
+        console.error(chalk.red('The file appears to be empty.'));
+        process.exit(1);
+      }
+    }
+
+    const timestamp = Date.now();
+    const draftFilename = `draft-${timestamp}.json`;
+    const draftPath = path.join(LOCAL_DRAFT_DIR, draftFilename);
+
+    const draft = {
+      packName: options.name,
+      packDescription: options.description,
+      sourceFile: path.basename(filePath),
+      fileType: isPdf ? 'pdf' : 'markdown',
+      wordCount,
+      extractedAt: new Date().toISOString(),
+      sections,
+      // Internal metadata for extract step
+      _sourceFullPath: filePath,
+      _sourceExt: ext,
+      rules: [],
+      status: 'init'
+    };
+
+    fs.writeFileSync(draftPath, JSON.stringify(draft, null, 2), { mode: 0o600 });
+
+    console.log(chalk.green('\nDocument processed locally.'));
+    console.log(chalk.green(`Nothing was sent to Korext servers.\n`));
+    console.log(`  ${chalk.bold(sections.length)} sections extracted.`);
+    console.log(`  ${chalk.bold(wordCount)} words found.`);
+    console.log(`  Ready to extract rules.\n`);
+    console.log(`  Run: ${chalk.cyan('korext policy extract')}`);
+  });
+
+// ── korext policy extract ──────────────────────────────────────────────────
+policyCmd
+  .command('extract')
+  .description('Extract enforceable coding rules from your policy document')
+  .option('--airgap', 'Airgap mode: skip API call, prepare manual template', false)
+  .action(async (options) => {
+    const draft = getLatestDraft();
+    const token = getToken();
+
+    if (options.airgap) {
+      draft.rules = [];
+      draft.status = 'airgap-review';
+      const templateRule = {
+        ruleText: 'Paste the exact text from your policy document here',
+        plainEnglish: 'What developers should avoid or do',
+        severity: 'high',
+        category: 'Security',
+        codePatterns: ['pattern_to_detect_violation'],
+        sourceSection: 'Section name',
+        regulatoryBasis: null
+      };
+      draft.templateRule = templateRule;
+      saveLatestDraft(draft);
+      console.log(chalk.yellow('⚡ Airgap mode — no network calls made'));
+      console.log(chalk.dim('\nNext: korext policy review'));
+      return;
+    }
+
+    if (!token) {
+      console.error(chalk.red('✖ Authentication required for rule extraction.'));
+      console.error(chalk.dim('  Run: korext login <token>'));
+      console.error(chalk.dim('  Or use: korext policy extract --airgap for offline mode'));
+      process.exit(1);
+    }
+
+    const spinner = ora('Extracting rules from your policy document...').start();
+
+    // Build text from sections (ONLY text, never raw file)
+    let textPayload = null;
+    if (draft.sections && draft.sections.length > 0) {
+      textPayload = draft.sections.map(s => `[Section: ${s.heading}]\n${s.content}`).join('\n\n');
+    } else if (draft.extractedText) {
+      // Legacy fallback
+      textPayload = draft.extractedText;
+    }
+
+    if (!textPayload && draft.fileType === 'pdf') {
+      spinner.info('PDF detected — uploading for server-side text extraction only');
+      textPayload = null;
+    }
+
+    try {
+      const body = JSON.stringify({
+        packName: draft.packName,
+        packDescription: draft.packDescription || '',
+        extractedText: textPayload,
+        mode: 'extract-only'
+        // NOTE: No sourceFilename, no file path, no raw file
+      });
+
+      const res = await fetch(`${API_URL}/api/packs/extract`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${token}`
+        },
+        body
+      });
+
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        spinner.fail(chalk.red(`Extraction failed: ${err.error || `HTTP ${res.status}`}`));
         process.exit(1);
-      } else {
-        console.log(chalk.yellow('Warnings present, but no critical/high gates triggered. Passing build.\n'));
-        process.exit(0);
       }
+
+      const data = await res.json();
+      draft.rules = data.rules || [];
+      draft.status = 'pending-review';
+      saveLatestDraft(draft);
+
+      spinner.succeed(chalk.green(`${draft.rules.length} rules identified.`));
+      console.log(`Run: ${chalk.cyan('korext policy review')}`);
+    } catch (e) {
+      spinner.fail(chalk.red(`Network error: ${e.message}`));
+      process.exit(1);
     }
   });
 
+// ── korext policy review ───────────────────────────────────────────────────
+policyCmd
+  .command('review')
+  .description('Open a local browser UI to review extracted rules (zero network calls)')
+  .action(async () => {
+    const draft = getLatestDraft();
+
+    if (!draft.rules || draft.rules.length === 0) {
+      console.error(chalk.red('No rules found.\nRun: korext policy extract first.'));
+      process.exit(1);
+    }
+
+    // Assign IDs if missing
+    draft.rules.forEach((r, i) => {
+      if (!r.id) r.id = `rule-${i}`;
+      if (!r.status) r.status = 'pending';
+    });
+    saveLatestDraft(draft);
+
+    const http = await import('http');
+
+    const reviewHTML = generateReviewHTML(draft);
+
+    const server = http.createServer((req, res) => {
+      if (req.method === 'GET' && (req.url === '/' || req.url === '/index.html')) {
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(reviewHTML);
+        return;
+      }
+
+      if (req.method === 'GET' && req.url === '/api/rules') {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ packName: draft.packName, rules: draft.rules }));
+        return;
+      }
+
+      if (req.method === 'POST' && req.url === '/api/rules/update') {
+        let body = '';
+        req.on('data', c => body += c);
+        req.on('end', () => {
+          try {
+            const { id, status, plainEnglish, severity } = JSON.parse(body);
+            const rule = draft.rules.find(r => r.id === id);
+            if (rule) {
+              if (status) rule.status = status;
+              if (plainEnglish !== undefined) { rule.plainEnglish = plainEnglish; rule.editedByUser = true; }
+              if (severity) rule.severity = severity;
+              saveLatestDraft(draft);
+            }
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ ok: true }));
+          } catch (e) {
+            res.writeHead(400, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: e.message }));
+          }
+        });
+        return;
+      }
+
+      if (req.method === 'POST' && req.url === '/api/finish') {
+        const approved = draft.rules.filter(r => r.status === 'approved');
+        if (approved.length === 0) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'No rules approved' }));
+          return;
+        }
+        // Save approved-pack.json
+        const approvedPack = {
+          packName: draft.packName,
+          packDescription: draft.packDescription || '',
+          extractedAt: new Date().toISOString(),
+          rules: approved
+        };
+        fs.writeFileSync(APPROVED_PACK_FILE, JSON.stringify(approvedPack, null, 2), { mode: 0o600 });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ok: true, approved: approved.length }));
+        // Shut down the review server after a brief delay
+        setTimeout(() => {
+          server.close();
+          console.log(chalk.green(`\n${approved.length} rules approved.`));
+          console.log(`Run: ${chalk.cyan('korext policy publish --org <org-id>')}`);
+          process.exit(0);
+        }, 500);
+        return;
+      }
+
+      res.writeHead(404);
+      res.end('Not found');
+    });
+
+    server.listen(REVIEW_PORT, '127.0.0.1', async () => {
+      const url = `http://localhost:${REVIEW_PORT}`;
+      console.log(chalk.bold.hex('#F27D26')('\n▲ KOREXT POLICY REVIEW'));
+      console.log(chalk.dim('======================================='));
+      console.log(`Pack: ${chalk.cyan(draft.packName)}`);
+      console.log(`Rules: ${chalk.bold(draft.rules.length)} total`);
+      console.log(`\nOpening review interface at: ${chalk.cyan(url)}\n`);
+      console.log(chalk.dim('All review happens locally. Zero network calls.\nPress Ctrl+C to cancel.\n'));
+
+      // Auto-open browser
+      const platform = os.platform();
+      try {
+        const { execSync } = await import('child_process');
+        if (platform === 'darwin') execSync(`open ${url}`);
+        else if (platform === 'linux') execSync(`xdg-open ${url}`);
+        else if (platform === 'win32') execSync(`start ${url}`);
+      } catch (_) {
+        console.log(`Open your browser at: ${chalk.cyan(url)}`);
+      }
+    });
+
+    server.on('error', (e) => {
+      if (e.code === 'EADDRINUSE') {
+        console.error(chalk.red(`Port ${REVIEW_PORT} is already in use. Stop the other process and try again.`));
+        process.exit(1);
+      }
+      throw e;
+    });
+  });
+
+function generateReviewHTML(draft) {
+  const rulesJSON = JSON.stringify(draft.rules).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
+  const packName = (draft.packName || '').replace(/"/g, '&quot;').replace(/</g, '&lt;');
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Korext Policy Review — ${packName}</title>
+<style>
+  :root {
+    --bg: #0d1117; --surface: #161b22; --border: #30363d;
+    --text: #e6edf3; --dim: #8b949e; --accent: #F27D26;
+    --green: #3fb950; --red: #f85149; --yellow: #d29922; --blue: #58a6ff;
+    --card-radius: 12px;
+  }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: var(--bg); color: var(--text); min-height: 100vh; }
+  .header { background: var(--surface); border-bottom: 1px solid var(--border); padding: 20px 24px; display: flex; align-items: center; justify-content: space-between; position: sticky; top: 0; z-index: 100; }
+  .header h1 { font-size: 18px; color: var(--accent); }
+  .header .pack-name { color: var(--dim); font-size: 14px; margin-top: 4px; }
+  .counters { display: flex; gap: 16px; font-size: 14px; font-weight: 600; }
+  .counters .approved { color: var(--green); } .counters .rejected { color: var(--red); } .counters .remaining { color: var(--yellow); }
+  .container { max-width: 800px; margin: 24px auto; padding: 0 16px; }
+  .card { background: var(--surface); border: 1px solid var(--border); border-radius: var(--card-radius); padding: 20px; margin-bottom: 16px; transition: border-color 0.3s, opacity 0.3s; }
+  .card.card-approved { border-color: var(--green); background: #0d1f0d; }
+  .card.card-rejected { border-color: var(--border); opacity: 0.5; }
+  .card-header { display: flex; align-items: center; gap: 10px; margin-bottom: 12px; }
+  .badge { padding: 3px 10px; border-radius: 6px; font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px; }
+  .badge-critical { background: #f85149; color: #fff; } .badge-high { background: #da3633; color: #fff; }
+  .badge-medium { background: #d29922; color: #000; } .badge-low { background: #388bfd26; color: var(--blue); }
+  .card-category { color: var(--dim); font-size: 12px; }
+  .rule-text { color: var(--dim); font-style: italic; font-size: 13px; margin-bottom: 8px; border-left: 3px solid var(--border); padding-left: 12px; }
+  .plain-english { font-size: 15px; font-weight: 500; margin-bottom: 8px; }
+  .source-section { color: var(--dim); font-size: 12px; margin-bottom: 12px; }
+  .actions { display: flex; gap: 8px; flex-wrap: wrap; }
+  .btn { padding: 8px 18px; border-radius: 8px; border: 1px solid var(--border); background: var(--surface); color: var(--text); cursor: pointer; font-size: 13px; font-weight: 600; transition: all 0.2s; }
+  .btn:hover { filter: brightness(1.2); }
+  .btn-approve { background: #238636; border-color: #2ea043; color: #fff; }
+  .btn-reject { background: #21262d; border-color: var(--border); color: var(--red); }
+  .btn-edit { background: #21262d; border-color: var(--border); color: var(--blue); }
+  .btn-undo { background: #21262d; font-size: 12px; padding: 6px 12px; }
+  .edit-area { margin-top: 12px; display: none; }
+  .edit-area.open { display: block; }
+  .edit-area textarea { width: 100%; background: var(--bg); color: var(--text); border: 1px solid var(--border); border-radius: 8px; padding: 10px; font-size: 14px; resize: vertical; min-height: 60px; }
+  .edit-area select { background: var(--bg); color: var(--text); border: 1px solid var(--border); border-radius: 6px; padding: 6px 10px; margin-top: 8px; font-size: 13px; }
+  .edit-area .edit-actions { display: flex; gap: 8px; margin-top: 10px; }
+  .finish-bar { position: fixed; bottom: 0; left: 0; right: 0; background: var(--surface); border-top: 1px solid var(--border); padding: 16px 24px; display: flex; align-items: center; justify-content: center; gap: 16px; z-index: 100; }
+  .btn-finish { background: linear-gradient(135deg, #F27D26, #e85d04); color: #fff; border: none; padding: 12px 32px; font-size: 15px; font-weight: 700; border-radius: 10px; cursor: pointer; transition: transform 0.15s; }
+  .btn-finish:hover { transform: scale(1.03); }
+  .btn-finish:disabled { opacity: 0.4; cursor: not-allowed; transform: none; }
+  .done-overlay { display: none; position: fixed; inset: 0; background: rgba(0,0,0,.85); z-index: 200; align-items: center; justify-content: center; flex-direction: column; }
+  .done-overlay.show { display: flex; }
+  .done-overlay h2 { font-size: 28px; color: var(--green); margin-bottom: 8px; }
+  .done-overlay p { color: var(--dim); font-size: 16px; }
+  .privacy-note { text-align: center; color: var(--dim); font-size: 12px; padding: 8px; margin-bottom: 80px; }
+  @media (max-width: 600px) {
+    .header { flex-direction: column; gap: 10px; align-items: flex-start; }
+    .actions { flex-direction: column; }
+    .btn { width: 100%; text-align: center; }
+  }
+</style>
+</head>
+<body>
+<div class="header">
+  <div>
+    <h1>▲ Korext Policy Review</h1>
+    <div class="pack-name">${packName}</div>
+  </div>
+  <div class="counters">
+    <span class="approved" id="c-approved">0 approved</span>
+    <span class="rejected" id="c-rejected">0 rejected</span>
+    <span class="remaining" id="c-remaining">0 remaining</span>
+  </div>
+</div>
+<div class="container" id="rules-container"></div>
+<p class="privacy-note">🔒 All review is happening locally. Zero network requests are made during this session.</p>
+<div class="finish-bar">
+  <button class="btn-finish" id="finish-btn" disabled onclick="finishReview()">Finish Review</button>
+</div>
+<div class="done-overlay" id="done-overlay">
+  <h2>✔ Review Complete</h2>
+  <p id="done-msg"></p>
+  <p style="margin-top:12px;color:#8b949e;">You can close this tab now.</p>
+</div>
+<script>
+const rules = ${rulesJSON};
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
+
+function updateCounters() {
+  const approved = rules.filter(r => r.status === 'approved').length;
+  const rejected = rules.filter(r => r.status === 'rejected').length;
+  const remaining = rules.length - approved - rejected;
+  document.getElementById('c-approved').textContent = approved + ' approved';
+  document.getElementById('c-rejected').textContent = rejected + ' rejected';
+  document.getElementById('c-remaining').textContent = remaining + ' remaining';
+  document.getElementById('finish-btn').disabled = approved === 0;
+}
+
+function renderCards() {
+  const container = document.getElementById('rules-container');
+  container.innerHTML = '';
+  rules.forEach((rule, i) => {
+    const card = document.createElement('div');
+    card.className = 'card' + (rule.status === 'approved' ? ' card-approved' : '') + (rule.status === 'rejected' ? ' card-rejected' : '');
+    card.id = 'card-' + i;
+    card.innerHTML = \`
+      <div class="card-header">
+        <span class="badge badge-\${rule.severity}">\${rule.severity}</span>
+        <span class="card-category">\${rule.category || ''}</span>
+      </div>
+      <div class="plain-english">\${esc(rule.plainEnglish)}</div>
+      <div class="rule-text">\${esc(rule.ruleText)}</div>
+      \${rule.sourceSection ? '<div class="source-section">📄 ' + esc(rule.sourceSection) + '</div>' : ''}
+      <div class="actions" id="actions-\${i}">
+        \${rule.status === 'approved' ? '<button class="btn btn-undo" onclick="setStatus('+i+',\\'pending\\')">↩ Undo Approve</button>' :
+          rule.status === 'rejected' ? '<button class="btn btn-undo" onclick="setStatus('+i+',\\'pending\\')">↩ Undo Reject</button>' :
+          '<button class="btn btn-approve" onclick="setStatus('+i+',\\'approved\\')">✔ Approve</button>' +
+          '<button class="btn btn-edit" onclick="toggleEdit('+i+')">✎ Edit</button>' +
+          '<button class="btn btn-reject" onclick="setStatus('+i+',\\'rejected\\')">✖ Reject</button>'}
+      </div>
+      <div class="edit-area" id="edit-\${i}">
+        <textarea id="edit-text-\${i}">\${esc(rule.plainEnglish)}</textarea>
+        <select id="edit-sev-\${i}">
+          <option value="critical" \${rule.severity==='critical'?'selected':''}>Critical</option>
+          <option value="high" \${rule.severity==='high'?'selected':''}>High</option>
+          <option value="medium" \${rule.severity==='medium'?'selected':''}>Medium</option>
+          <option value="low" \${rule.severity==='low'?'selected':''}>Low</option>
+        </select>
+        <div class="edit-actions">
+          <button class="btn btn-approve" onclick="saveEdit(\${i})">Save & Approve</button>
+          <button class="btn btn-undo" onclick="toggleEdit(\${i})">Cancel</button>
+        </div>
+      </div>
+    \`;
+    container.appendChild(card);
+  });
+  updateCounters();
+}
+
+function esc(s) { if (!s) return ''; const d = document.createElement('div'); d.textContent = s; return d.innerHTML; }
+
+async function setStatus(i, status) {
+  rules[i].status = status;
+  await fetch('/api/rules/update', { method: 'POST', headers: {'Content-Type':'application/json'}, body: JSON.stringify({ id: rules[i].id, status }) });
+  renderCards();
+}
+
+function toggleEdit(i) {
+  const el = document.getElementById('edit-' + i);
+  el.classList.toggle('open');
+}
+
+async function saveEdit(i) {
+  const plainEnglish = document.getElementById('edit-text-' + i).value.trim();
+  const severity = document.getElementById('edit-sev-' + i).value;
+  rules[i].plainEnglish = plainEnglish;
+  rules[i].severity = severity;
+  rules[i].status = 'approved';
+  rules[i].editedByUser = true;
+  await fetch('/api/rules/update', { method: 'POST', headers: {'Content-Type':'application/json'}, body: JSON.stringify({ id: rules[i].id, status: 'approved', plainEnglish, severity }) });
+  renderCards();
+}
+
+async function finishReview() {
+  const res = await fetch('/api/finish', { method: 'POST' });
+  const data = await res.json();
+  if (data.ok) {
+    document.getElementById('done-msg').textContent = data.approved + ' rules approved. Run: korext policy publish --org <org-id>';
+    document.getElementById('done-overlay').classList.add('show');
+  } else {
+    alert(data.error || 'Failed to finish');
+  }
+}
+
+renderCards();
+</script>
+</body>
+</html>`;
+}
+
+// ── korext policy publish ──────────────────────────────────────────────────
+policyCmd
+  .command('publish')
+  .description('Publish approved rules to the Korext platform (sends rules only, never file content)')
+  .requiredOption('--org <orgId>', 'Your organisation ID')
+  .action(async (options) => {
+    if (!fs.existsSync(APPROVED_PACK_FILE)) {
+      console.error(chalk.red('No approved rules found.\nRun: korext policy review first.'));
+      process.exit(1);
+    }
+
+    const approved = JSON.parse(fs.readFileSync(APPROVED_PACK_FILE, 'utf-8'));
+    const token = getToken();
+
+    if (!token) {
+      console.error(chalk.red('✖ Authentication required for publishing.'));
+      console.error(chalk.dim('  Run: korext login <token>'));
+      process.exit(1);
+    }
+
+    const approvedRules = approved.rules.filter(r => r.status === 'approved');
+    if (approvedRules.length === 0) {
+      console.error(chalk.red('No approved rules found.\nRun: korext policy review first.'));
+      process.exit(1);
+    }
+
+    const spinner = ora(`Publishing ${approvedRules.length} rules to Korext (rules only — no document text)...`).start();
+
+    // CRITICAL DATA PROTECTION: Only send rule definitions
+    const publishPayload = {
+      packName: approved.packName,
+      packDescription: approved.packDescription || '',
+      orgId: options.org,
+      approvedRules: approvedRules.map(r => ({
+        ruleText: r.ruleText,
+        plainEnglish: r.plainEnglish,
+        severity: r.severity,
+        category: r.category,
+        codePatterns: r.codePatterns,
+        sourceSection: r.sourceSection || '',
+        regulatoryBasis: r.regulatoryBasis || null,
+        editedByUser: r.editedByUser || false
+      }))
+      // NOTE: No extractedText, no sourceFile path, no file contents
+    };
+
+    try {
+      const res = await fetch(`${API_URL}/api/packs/publish`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${token}`
+        },
+        body: JSON.stringify(publishPayload)
+      });
+
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        spinner.fail(chalk.red(`Publish failed: ${err.error || `HTTP ${res.status}`}`));
+        process.exit(1);
+      }
+
+      const data = await res.json();
+      spinner.succeed(chalk.green('Policy pack published successfully.'));
+      console.log(`  Pack ID: ${chalk.cyan(data.packId)}`);
+      console.log(`  ${chalk.bold(approvedRules.length)} rules are now enforcing on your organisation.`);
+      console.log(`  Developers will see violations on their next file save.\n`);
+
+      // Clean up local draft files
+      try {
+        const files = fs.readdirSync(LOCAL_DRAFT_DIR);
+        for (const f of files) {
+          if (f.startsWith('draft-') || f === 'approved-pack.json') {
+            fs.unlinkSync(path.join(LOCAL_DRAFT_DIR, f));
+          }
+        }
+        console.log(chalk.dim('  Local draft files cleaned up.'));
+      } catch (_) {}
+    } catch (e) {
+      spinner.fail(chalk.red(`Network error: ${e.message}`));
+      process.exit(1);
+    }
+  });
+
+// ─── END POLICY COMMANDS ──────────────────────────────────────────────────
+
 program.parse(process.argv);
+

package/korext.json

@@ -0,0 +1,11 @@
+{
+  "project": "my-app",
+  "targetPacks": [
+    "security-strict-v1",
+    "web-platform-v2"
+  ],
+  "exclude": [
+    "node_modules/**",
+    "dist/**"
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "korext",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Korext Command Line Interface",
   "type": "module",
   "main": "bin/korext.js",
@@ -12,6 +12,7 @@
   "dependencies": {
     "chalk": "^4.1.2",
     "commander": "^14.0.3",
+    "form-data": "^4.0.5",
     "glob": "^13.0.6",
     "node-fetch": "^3.3.2",
     "ora": "^5.4.1"
@@ -22,5 +23,12 @@
     "glob",
     "node-fetch",
     "ora"
+  ],
+  "bundleDependencies": [
+    "chalk",
+    "commander",
+    "glob",
+    "node-fetch",
+    "ora"
   ]
 }

package/src/commands/policy.ts

@@ -0,0 +1,146 @@
+import { Command } from 'commander';
+import fs from 'fs';
+import path from 'path';
+import fetch from 'node-fetch'; // Real-world implementations would bundle a client
+import FormData from 'form-data';
+
+const policyCmd = new Command('policy');
+
+// CLI configuration assumptions based on enterprise integrations
+const API_BASE = process.env.KOREXT_API_URL || 'http://localhost:3000/api';
+const getToken = () => {
+  const tokenFile = path.join(process.env.HOME || '', '.korext', 'token');
+  if (fs.existsSync(tokenFile)) return fs.readFileSync(tokenFile, 'utf8').trim();
+  return null;
+};
+
+// =========================================================================
+// init: Generate boilerplate for configuration
+// =========================================================================
+policyCmd
+  .command('init')
+  .description('Initialize a local korext policy configuration')
+  .action(() => {
+    const defaultCfg = {
+      project: "my-app",
+      targetPacks: ["security-strict-v1", "web-platform-v2"],
+      exclude: ["node_modules/**", "dist/**"]
+    };
+    fs.writeFileSync('korext.json', JSON.stringify(defaultCfg, null, 2));
+    console.log('✅ Created korext.json configuration');
+  });
+
+// =========================================================================
+// extract: Local extraction proxy to upload endoint
+// =========================================================================
+policyCmd
+  .command('extract <filePath>')
+  .description('Send a local PDF or MD to Korext to extract enforceable rules')
+  .option('-n, --name <name>', 'Name the custom policy pack')
+  .action(async (filePath, options) => {
+    const token = getToken();
+    if (!token) {
+      console.error('❌ Authentication required. Run `korext login` first.');
+      process.exit(1);
+    }
+    
+    if (!fs.existsSync(filePath)) {
+      console.error(`❌ File not found: ${filePath}`);
+      process.exit(1);
+    }
+
+    const form = new FormData();
+    form.append('document', fs.createReadStream(filePath));
+    form.append('packName', options.name || path.basename(filePath));
+
+    try {
+      console.log(`📡 Uploading ${filePath} to Korext extractor...`);
+      const res = await fetch(`${API_BASE}/packs/upload`, {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${token}`
+        },
+        body: form
+      });
+      
+      const data = await res.json() as any;
+      if (!res.ok) throw new Error(data.error || 'Upload failed');
+      
+      console.log('✅ Extraction complete.');
+      console.log(`📦 Policy Pack ID: ${data.pack.id}`);
+      console.log(`🔎 Found ${data.rules.length} extractable rules.`);
+      console.log('Run `korext policy review` to approve or reject these rules.');
+      
+      // Cache the active pending pack ID for the next command locally
+      fs.writeFileSync('.korext-policy-pending', data.pack.id);
+    } catch (e: any) {
+      console.error(`❌ Extraction Error: ${e.message}`);
+    }
+  });
+
+// =========================================================================
+// review: Interactive CLI rule approval
+// =========================================================================
+policyCmd
+  .command('review [packId]')
+  .description('Review and approve rules pending in a custom policy pack')
+  .action(async (packId) => {
+    let targetPack = packId;
+    if (!targetPack) {
+      if (fs.existsSync('.korext-policy-pending')) {
+        targetPack = fs.readFileSync('.korext-policy-pending', 'utf8').trim();
+      } else {
+        console.error('❌ You must specify a Pack ID, or run `extract` first.');
+        process.exit(1);
+      }
+    }
+    console.log(`🌍 Opening local interface for review: https://app.korext.com/packs/${targetPack}/review`);
+    console.log(`✅ Please review and approve your extracted rules in the dashboard before publishing.`);
+  });
+
+// =========================================================================
+// publish: Activate a reviewed custom pack
+// =========================================================================
+policyCmd
+  .command('publish [packId]')
+  .description('Activate the policy pack, distributing it to your organization')
+  .option('-o, --org <orgId>', 'Organization ID to publish to')
+  .action(async (packId, options) => {
+    const token = getToken();
+    let targetPack = packId;
+    if (!targetPack) {
+      if (fs.existsSync('.korext-policy-pending')) {
+        targetPack = fs.readFileSync('.korext-policy-pending', 'utf8').trim();
+      } else {
+        console.error('❌ You must specify a Pack ID');
+        process.exit(1);
+      }
+    }
+    
+    // Simulate sending only rules or metadata scoped to an org
+    const orgQuery = options.org ? `?orgId=${options.org}` : '';
+
+    try {
+      console.log(`🚀 Activating pack ${targetPack} ${options.org ? `for org ${options.org}` : ''}...`);
+      const res = await fetch(`${API_BASE}/packs/${targetPack}/activate${orgQuery}`, {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${token}`
+        }
+      });
+      
+      if (!res.ok) {
+        const d = await res.json() as any;
+        throw new Error(d.error || 'Failed activation');
+      }
+      
+      console.log(`🎉 Pack ${targetPack} is now ACTIVE globally.`);
+      if (fs.existsSync('.korext-policy-pending')) {
+        fs.unlinkSync('.korext-policy-pending');
+      }
+    } catch (e: any) {
+      console.error(`❌ Activation Error: ${e.message}`);
+    }
+  });
+
+export { policyCmd };

package/test-policy.md

@@ -0,0 +1,55 @@
+# Internal Security Policy
+
+## Password Requirements
+
+All applications must enforce the following password standards:
+
+- Minimum password length of 12 characters
+- Passwords must include uppercase, lowercase, numbers, and special characters
+- Passwords must never be stored in plain text — use bcrypt or argon2 with a cost factor of at least 12
+- Developers must not hardcode passwords, API keys, or secrets in source code
+
+## Data Encryption
+
+All sensitive data must be encrypted at rest and in transit:
+
+- Use AES-256 for encryption at rest
+- TLS 1.2 or higher required for all network communication
+- Do not use MD5 or SHA-1 for cryptographic purposes — they are considered broken
+- All database connections must use encrypted transport
+
+## Input Validation
+
+All user input must be validated before processing:
+
+- Never concatenate user input directly into SQL queries — use parameterized queries
+- Sanitize all HTML output to prevent cross-site scripting (XSS)
+- Validate file upload types using magic bytes, not just file extension
+- Limit request body size to prevent denial of service
+
+## Authentication and Session Management
+
+Authentication systems must follow these rules:
+
+- Implement rate limiting on login endpoints — maximum 10 attempts per minute
+- Session tokens must be regenerated after successful authentication
+- Set HttpOnly, Secure, and SameSite flags on all session cookies
+- Session timeout must not exceed 30 minutes of inactivity
+
+## Dependency Management
+
+All project dependencies must be managed securely:
+
+- Do not use deprecated or abandoned libraries
+- Run automated vulnerability scanning on all dependencies weekly
+- Lock dependency versions in production builds
+- Review all new dependencies for license compliance before adoption
+
+## Logging and Monitoring
+
+Application logging must follow these standards:
+
+- Never log sensitive data including passwords, tokens, PII, or credit card numbers
+- All authentication events must be logged with timestamps and source IP
+- Log retention period must be at least 90 days
+- Implement alerting for repeated failed login attempts

package/test_cli.ts

@@ -0,0 +1,16 @@
+import { Command } from 'commander';
+import { policyCmd } from './src/commands/policy.ts';
+import fs from 'fs';
+
+const program = new Command();
+program.addCommand(policyCmd);
+
+// Mock process.argv structure
+const args = process.argv.slice(2);
+
+// Run the interactive CLI inside the test environment
+try {
+  program.parseAsync(['node', 'test_cli.ts', 'policy', ...args]);
+} catch (e) {
+  console.error("CLI Execution failed", e);
+}