korext 0.3.0 → 0.6.0

package/CHANGELOG.md

@@ -1,13 +1,65 @@
 # Changelog
 
+## 0.6.0 - 2026-03-19
+
+### Added
+- Three-layer governance context on every
+  violation: regulatory compliance, technical
+  standards, and security intelligence
+- Per-violation AI explanations with
+  individual reasoning for each finding
+- Code snippet extraction showing the exact
+  lines around each violation
+- Real Shadow Test verification on dashboard
+  fixes for Team and Enterprise tiers
+- Diff preview before applying fixes: see
+  exactly what changed before accepting
+- Undo support: restore original code after
+  applying a fix
+- Git context (repository, branch, commit)
+  included in proof bundles from IDE and CLI
+- Organisation ID on proof bundles for
+  enterprise filtering
+- Honest hash type labelling: deterministic
+  replay hash for IDE and CLI, session
+  identifier for dashboard
+- Publication-quality proof bundle PDF export
+  with QR verification, governance coverage
+  tables, and three-layer compliance mapping
+- Enterprise branding on proof bundle PDFs
+- Public bundle verification page
+- Expanded knowledge graph sources: MITRE
+  ATLAS, CISA KEV, NIST AI RMF, ISO 42001,
+  EU AI Act, OWASP Top 10 for LLMs, OSV,
+  FIRST EPSS
+
+### Changed
+- HMAC signing consolidated to server-side
+  for all paths
+- Governance mappings restructured from flat
+  citations to three layer context covering
+  US, EU, UK, Canadian, and Australian
+  regulatory frameworks
+- Security hardening: environment-aware HMAC
+  key validation, Zod validation on all
+  endpoints, typed request interfaces
+
+### Fixed
+- Original code preserved in dashboard state
+  after applying fixes
+- Shadow Test Protocol section on dashboard
+  now shows real results instead of static UI
+- Em dashes removed across entire codebase
+  and AI-generated outputs
+
 ## 0.3.0
 - **New:** Version bump to match extension releases
 - **Improved:** CLI now reports version 0.3.0
 
 ## 0.2.0
 - Initial release
-- `korext login` — browser-based authentication
-- `korext init` — initialize Korext project
-- `korext extract` — extract rules from PDF/Markdown policy documents
-- `korext review` — review extracted rules
-- `korext publish` — activate custom policy packs
+- `korext login` - browser-based authentication
+- `korext init` - initialize Korext project
+- `korext extract` - extract rules from PDF/Markdown policy documents
+- `korext review` - review extracted rules
+- `korext publish` - activate custom policy packs

package/README.md

@@ -1,88 +1,41 @@
-# Korext CLI
+# KOREXT - AI Code Governance
 
-**The Korext Node.js Command Line Interface.**
-Real-time policy enforcement and compliance proof for AI-generated code.
+Real time policy enforcement and compliance proof for AI-generated code.
 
-[![NPM Version](https://img.shields.io/npm/v/korext)](https://www.npmjs.com/package/korext)
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+## What It Does
 
----
+KOREXT enforces your compliance policies at the point of code generation. Every file is checked against your selected policy pack. Violations appear as CLI-based error logs with severity, governance context (regulatory, technical standards, security intelligence), and an AI-powered explanation. One click applies a verified fix with diff preview. Every enforcement decision generates a cryptographically signed proof bundle your compliance team can verify.
 
-## Installation
+## Core Commands
 
-Install the CLI globally using NPM to access the `korext` command from anywhere:
+- `korext login`: Login via browser (recommended)
+- `korext status`: View your current authentication state and active Policy Pack
+- `korext enforce`: Scan a target directory or file and cross-reference it against your policy pack
+- `korext packs list`: Retrieve and list all available internal Policy Packs
+- `korext policy init`: Initialize a new custom policy workflow
+- `korext policy extract`: Extract rules from a PDF/Markdown policy document
+- `korext policy review`: Interactively review extracted rules
+- `korext policy publish`: Deploy and activate custom policy packs
 
-```bash
-npm install -g korext
-```
+## Features
 
-## Authentication
+- CLI violation detection
+- Three-layer governance context: regulatory compliance, technical standards, security intelligence
+- Command line verified code fixes via Shadow Test Protocol
+- Cryptographically signed proof bundles
+- Publication-quality PDF export for auditors
+- Covers PCI-DSS, HIPAA, GDPR, SOC 2, OWASP, NIST, CIS, and more
+- Custom policy packs on Team plan
+- Air-gapped deployment for Enterprise
 
-Before running analysis, you must authenticate the CLI against your Korext account.
+## Getting Started
 
-```bash
-# Login via browser (Recommended)
-korext login
+Install the CLI via `npm install -g korext` and sign in. Select a policy pack. Run `korext enforce`. KOREXT runs in the terminal and surfaces violations instantly.
 
-# Headless CI/CD Login via environment variable
-export KOREXT_API_TOKEN="your_personal_access_token"
-```
+Free tier available. Team and Enterprise plans for organisations that need signed proof bundles, PDF export, and compliance reporting.
 
-## Commands
+## Links
 
-### `korext enforce [path]`
-Scans a target directory or file and cross-references it against your active Korext Policy Pack in real-time.
-
-```bash
-# Run against the current directory
-korext enforce .
-
-# Run against a specific file
-korext enforce ./src/auth.ts
-```
-
-### `korext status`
-View your current authentication state, active Cloud storage tier, and active Policy Pack ID.
-
-```bash
-korext status
-```
-
-### `korext packs list`
-Retrieves and lists all available internal Policy Packs available for your organization.
-
-```bash
-korext packs list
-```
-
----
-
-## CI/CD Pipeline Integration
-
-The Korext CLI is built to run headless inside GitHub Actions, GitLab CI, and isolated Docker environments. When a violation is detected during an enforcement run (`korext enforce`), the CLI intentionally exits with a non-zero code (`exit 1`) to fail the build automatically.
-
-**Example GitHub Action:**
-```yaml
-name: Korext Policy Pipeline
-on: [push, pull_request]
-
-jobs:
-  audit:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          
-      - name: Install Korext globally
-        run: npm install -g korext
-        
-      - name: Korext Enforce
-        env:
-          KOREXT_API_TOKEN: ${{ secrets.KOREXT_API_TOKEN }}
-        run: korext enforce .
-```
-
-## Need Help?
-Visit the official documentation at [Korext.com](https://www.korext.com) or reach out to your Account Executive for Enterprise Support.
+- Website: https://www.korext.com
+- Dashboard: https://app.korext.com
+- Documentation: https://www.korext.com/docs

package/bin/korext.js

@@ -537,7 +537,7 @@ policyCmd
       };
       draft.templateRule = templateRule;
       saveLatestDraft(draft);
-      console.log(chalk.yellow('⚡ Airgap mode — no network calls made'));
+      console.log(chalk.yellow('⚡ Airgap mode: no network calls made'));
       console.log(chalk.dim('\nNext: korext policy review'));
       return;
     }
@@ -561,7 +561,7 @@ policyCmd
     }
 
     if (!textPayload && draft.fileType === 'pdf') {
-      spinner.info('PDF detected — uploading for server-side text extraction only');
+      spinner.info('PDF detected. uploading for server-side text extraction only');
       textPayload = null;
     }
 
@@ -730,7 +730,7 @@ function generateReviewHTML(draft) {
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Korext Policy Review — ${packName}</title>
+<title>Korext Policy Review - ${packName}</title>
 <style>
   :root {
     --bg: #0d1117; --surface: #161b22; --border: #30363d;
@@ -929,7 +929,7 @@ policyCmd
       process.exit(1);
     }
 
-    const spinner = ora(`Publishing ${approvedRules.length} rules to Korext (rules only — no document text)...`).start();
+    const spinner = ora(`Publishing ${approvedRules.length} rules to Korext (rules only, no document text)...`).start();
 
     // CRITICAL DATA PROTECTION: Only send rule definitions
     const publishPayload = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "korext",
-  "version": "0.3.0",
+  "version": "0.6.0",
   "description": "Korext Command Line Interface",
   "type": "module",
   "main": "bin/korext.js",

package/test-policy.md

@@ -6,7 +6,7 @@ All applications must enforce the following password standards:
 
 - Minimum password length of 12 characters
 - Passwords must include uppercase, lowercase, numbers, and special characters
-- Passwords must never be stored in plain text — use bcrypt or argon2 with a cost factor of at least 12
+- Passwords must never be stored in plain text: use bcrypt or argon2 with a cost factor of at least 12
 - Developers must not hardcode passwords, API keys, or secrets in source code
 
 ## Data Encryption
@@ -15,14 +15,14 @@ All sensitive data must be encrypted at rest and in transit:
 
 - Use AES-256 for encryption at rest
 - TLS 1.2 or higher required for all network communication
-- Do not use MD5 or SHA-1 for cryptographic purposes — they are considered broken
+- Do not use MD5 or SHA-1 for cryptographic purposes, as they are considered broken
 - All database connections must use encrypted transport
 
 ## Input Validation
 
 All user input must be validated before processing:
 
-- Never concatenate user input directly into SQL queries — use parameterized queries
+- Never concatenate user input directly into SQL queries: use parameterized queries
 - Sanitize all HTML output to prevent cross-site scripting (XSS)
 - Validate file upload types using magic bytes, not just file extension
 - Limit request body size to prevent denial of service
@@ -31,7 +31,7 @@ All user input must be validated before processing:
 
 Authentication systems must follow these rules:
 
-- Implement rate limiting on login endpoints — maximum 10 attempts per minute
+- Implement rate limiting on login endpoints: maximum 10 attempts per minute
 - Session tokens must be regenerated after successful authentication
 - Set HttpOnly, Secure, and SameSite flags on all session cookies
 - Session timeout must not exceed 30 minutes of inactivity