korext 0.7.0 → 0.8.0

package/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.8.0 - 2026-03-27
+
+### New
+- Scoped AI fixes: fixes are constrained to the violation region. Surrounding code is never modified.
+- Four deterministic verification guards: every fix is checked for scope boundary, security function preservation, dangerous function introduction, and middleware chain integrity before it is applied.
+- Silent token refresh: sessions no longer expire after one hour. Tokens refresh automatically in the background.
+- Tiered AI concurrency: Enterprise (15), Team (10), Free (5) concurrent AI calls for faster explanations on large files.
+- Offline mode improvements: status bar shows "Offline (local rules only)" with helpful messaging instead of error states.
+- 478 policy rules across 44 packs with real detection logic. Zero stubs.
+- Full 3-layer governance mappings on every rule: regulatory citations, technical standards (CWE, OWASP), and security intelligence (MITRE ATT&CK).
+- 9 jurisdiction coverage: US, EU, UK, Canada, Australia, New Zealand, Japan, Taiwan, Singapore.
+
+### Fixed
+- IDE and dashboard fix paths unified. Both use the same scoped extraction and deterministic guards.
+- HMAC signature verification now returns signatureValid: true for correctly signed bundles.
+- Auto-subscription for first-time users. No more access denied on sign-in.
+
+### Improved
+- Consistent KOREXT_API_TOKEN environment variable across all clients. KOREXT_TOKEN is deprecated with a warning.
+- Rate limiting adjusted: IDE status polling (200/min), explain stream (30/min).
+
 ## 0.7.0 - 2026-03-19
 
 ### Added

package/README.md

@@ -1,41 +1,115 @@
-# KOREXT - AI Code Governance
+# Korext CLI
 
-Real time policy enforcement and compliance proof for AI-generated code.
+Enforce compliance on AI-generated code from the command line and CI/CD pipelines. 478 rules across 44 policy packs with real detection logic. Every violation mapped to specific regulatory clauses. SARIF output for CI scanner integration.
 
-## What It Does
+## Install
 
-KOREXT enforces your compliance policies at the point of code generation. Every file is checked against your selected policy pack. Violations appear as CLI-based error logs with severity, governance context (regulatory, technical standards, security intelligence), and an AI-powered explanation. One click applies a verified fix with diff preview. Every enforcement decision generates a cryptographically signed proof bundle your compliance team can verify.
+```bash
+npm install -g korext
+```
 
-## Core Commands
+## Quick Start
 
-- `korext login`: Login via browser (recommended)
-- `korext status`: View your current authentication state and active Policy Pack
-- `korext enforce`: Scan a target directory or file and cross-reference it against your policy pack
-- `korext packs list`: Retrieve and list all available internal Policy Packs
-- `korext policy init`: Initialize a new custom policy workflow
-- `korext policy extract`: Extract rules from a PDF/Markdown policy document
-- `korext policy review`: Interactively review extracted rules
-- `korext policy publish`: Deploy and activate custom policy packs
+```bash
+korext login
+korext enforce ./src --pack web-platform-v2
+```
 
-## Features
+## Commands
 
-- CLI violation detection
-- Three-layer governance context: regulatory compliance, technical standards, security intelligence
-- Command line verified code fixes via Shadow Test Protocol
-- Cryptographically signed proof bundles
-- Publication-quality PDF export for auditors
-- Covers PCI-DSS, HIPAA, GDPR, SOC 2, OWASP, NIST, CIS, and more
-- Custom policy packs on Team plan
-- Air-gapped deployment for Enterprise
+| Command | Description |
+|---------|-------------|
+| `korext login [token]` | Save API token |
+| `korext status` | Check connection and subscription |
+| `korext enforce [dir]` | Scan files for violations |
+| `korext policy init` | Initialize a policy document |
+| `korext policy extract` | AI rule extraction from documents |
+| `korext policy review` | Review extracted rules |
+| `korext rules sync` | Cache rules for offline use |
 
-## Getting Started
+### Enforce Options
 
-Install the CLI via `npm install -g korext` and sign in. Select a policy pack. Run `korext enforce`. KOREXT runs in the terminal and surfaces violations instantly.
+| Flag | Description |
+|------|-------------|
+| `--pack <id>` | Select a policy pack |
+| `--format text\|json\|sarif` | Output format |
+| `--offline` | Use cached rules only |
+| `--sync-rules` | Download rule cache before scan |
 
-Free tier available. Team and Enterprise plans for organisations that need signed proof bundles, PDF export, and compliance reporting.
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+- name: Korext Compliance Check
+  run: |
+    npm install -g korext
+    korext enforce ./src \
+      --pack cmmc-level2-v1 \
+      --format sarif
+  env:
+    KOREXT_API_TOKEN: ${{ secrets.KOREXT_API_TOKEN }}
+```
+
+### Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| `0` | Clean (no critical or high violations) |
+| `1` | Violations found |
+| `2` | Error |
+
+Writes GitHub Actions Step Summary via `GITHUB_STEP_SUMMARY` when detected.
+
+## SARIF Output
+
+```bash
+korext enforce ./src --format sarif > results.sarif
+```
+
+Generates OASIS SARIF 2.1.0 for CI scanner integration (GitHub Code Scanning, Azure DevOps, etc.).
+
+## Offline Mode
+
+```bash
+korext rules sync
+korext enforce ./src --offline
+```
+
+Cached rules enforce locally with zero network calls. Status output shows "Offline (local rules only)".
+
+## Supported Compliance Frameworks
+
+OWASP Top 10 | PCI-DSS | HIPAA | GDPR | SOC 2 | NIST SP 800-53 | NIST SP 800-171 | CMMC Level 2/3 | FedRAMP | ISO 27001 | DORA | NIS2 | CIS Benchmarks | UK DPA | Australian Privacy Act | APPI (Japan) | PDPA (Singapore, Taiwan) | and 25+ more
+
+## Key Features
+
+- 478 rules across 44 policy packs
+- Three-layer governance: regulatory, technical standards (CWE, OWASP), security intelligence (MITRE ATT&CK)
+- 9 jurisdiction coverage (US, EU, UK, Canada, Australia, New Zealand, Japan, Taiwan, Singapore)
+- SARIF 2.1.0 output for CI scanner integration
+- GitHub Actions Step Summary generation
+- Offline mode with cached rules
+- Custom policy packs from uploaded documents
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `KOREXT_API_TOKEN` | API authentication token (recommended) |
+| `KOREXT_TOKEN` | Deprecated alias (shows warning) |
 
 ## Links
 
-- Website: https://www.korext.com
-- Dashboard: https://app.korext.com
-- Documentation: https://www.korext.com/docs
+- Website: [korext.com](https://www.korext.com)
+- Dashboard: [app.korext.com](https://app.korext.com)
+- VS Code Extension: [marketplace.visualstudio.com](https://marketplace.visualstudio.com/items?itemName=Korext.korext)
+- LinkedIn: [linkedin.com/company/korext](https://www.linkedin.com/company/korext)
+- GitHub: [github.com/Korext](https://github.com/Korext)
+- Support: support@korext.com
+
+---
+
+**Publisher**: Korext
+**License**: Proprietary
+**Version**: 0.8.0

package/bin/korext.js

@@ -34,8 +34,17 @@ function saveConfig(config) {
   fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), 'utf-8');
 }
 
+let _deprecationWarned = false;
 function getToken() {
-  return process.env.KOREXT_TOKEN || getConfig().token || null;
+  if (process.env.KOREXT_API_TOKEN) return process.env.KOREXT_API_TOKEN;
+  if (process.env.KOREXT_TOKEN) {
+    if (!_deprecationWarned) {
+      console.warn('\x1b[33m⚠ KOREXT_TOKEN is deprecated. Use KOREXT_API_TOKEN instead.\x1b[0m');
+      _deprecationWarned = true;
+    }
+    return process.env.KOREXT_TOKEN;
+  }
+  return getConfig().token || null;
 }
 
 function getLanguageFromExt(ext) {
@@ -48,6 +57,90 @@ function getLanguageFromExt(ext) {
   return map[ext] || 'plaintext';
 }
 
+// ─── LOCAL ENGINE: Rule Definition Caching + Offline Analysis ─────────────────
+
+const RULES_CACHE_FILE = path.join(CONFIG_DIR, 'rule-definitions.json');
+
+function getRuleDefinitionsCache() {
+  if (fs.existsSync(RULES_CACHE_FILE)) {
+    try {
+      const cached = JSON.parse(fs.readFileSync(RULES_CACHE_FILE, 'utf-8'));
+      if (cached && cached.rules && cached.packs) return cached;
+    } catch { /* corrupt cache, ignore */ }
+  }
+  return null;
+}
+
+function saveRuleDefinitionsCache(payload) {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+  fs.writeFileSync(RULES_CACHE_FILE, JSON.stringify(payload, null, 2), { mode: 0o600 });
+}
+
+async function fetchAndCacheRules() {
+  const token = getToken();
+  const res = await fetch(`${API_URL}/api/rules/definitions`, {
+    method: 'GET',
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token && { 'Authorization': `Bearer ${token}` })
+    }
+  });
+  if (!res.ok) throw new Error(`HTTP ${res.status}`);
+  const payload = await res.json();
+  saveRuleDefinitionsCache(payload);
+  return payload;
+}
+
+/**
+ * Run rules locally against code using cached regex definitions.
+ * Mirrors korext-core/src/engine/localEngine.ts analyzeLocally().
+ */
+function analyzeLocally(code, packId, definitions) {
+  const pack = definitions.packs[packId];
+  if (!pack) return [];
+
+  const violations = [];
+  const lines = code.split('\n');
+
+  for (const ruleId of pack.rules) {
+    const rule = definitions.rules[ruleId];
+    if (!rule) continue;
+    if (rule.checkMode === 'server-only') continue;
+    if (!rule.patterns || rule.patterns.length === 0) continue;
+
+    for (const pattern of rule.patterns) {
+      try {
+        const re = new RegExp(pattern.regex, pattern.flags || 'gi');
+        lines.forEach((line, i) => {
+          re.lastIndex = 0;
+          if (re.test(line)) {
+            violations.push({
+              ruleName: rule.label,
+              severity: rule.severity,
+              explanation: pattern.message || rule.message || `${rule.label} violation detected`,
+              line: i + 1,
+              column: 0,
+              snippet: line.trim().slice(0, 90),
+              detectedBy: 'local-static'
+            });
+          }
+        });
+      } catch { /* invalid regex, skip */ }
+    }
+  }
+
+  // Deduplicate by ruleId + line + message
+  const seen = new Set();
+  return violations.filter(v => {
+    const key = `${v.ruleName}:${v.line}:${v.explanation}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
 function findFiles(dir, fileList = []) {
   if (!fs.existsSync(dir)) return fileList;
   const files = fs.readdirSync(dir);
@@ -160,19 +253,51 @@ program
   .description('Statically analyze files in a directory against Korext policies')
   .option('-p, --pack <packId>', 'Policy Pack ID to enforce', 'web')
   .option('-f, --format <format>', 'Output format (text, json, sarif)', 'text')
+  .option('--offline', 'Force local-only analysis using cached rule definitions (no server calls)', false)
+  .option('--sync-rules', 'Fetch and cache latest rule definitions before running analysis', false)
   .action(async (dirArg, options) => {
     const dir = dirArg || '.';
     const pack = options.pack;
     const format = options.format.toLowerCase();
     const isText = format === 'text';
 
+    let forceOffline = options.offline;
+    let localDefinitions = null;
+
     if (isText) {
       console.log(`\n${chalk.bold.hex('#F27D26')('▲ KOREXT CLI ENFORCEMENT ENGINE')} v${version}`);
       console.log(chalk.dim('======================================='));
     }
 
+    // Pre-flight: sync rules if requested
+    if (options.syncRules) {
+      const syncSpinner = isText ? ora('Syncing rule definitions...').start() : null;
+      try {
+        const defs = await fetchAndCacheRules();
+        if (syncSpinner) syncSpinner.succeed(chalk.green(`Synced ${defs.ruleCount} rules, ${defs.packCount} packs (v${defs.version})`));
+      } catch (e) {
+        if (syncSpinner) syncSpinner.warn(chalk.yellow(`Rule sync failed: ${e.message}. Will use cached definitions if available.`));
+      }
+    }
+
+    // Load cached rule definitions for offline/fallback use
+    localDefinitions = getRuleDefinitionsCache();
+
+    if (forceOffline) {
+      if (!localDefinitions) {
+        if (isText) console.error(chalk.red('\n✖ Offline mode requires cached rule definitions.'));
+        if (isText) console.error(chalk.dim(`  Run ${chalk.green('korext rules sync')} or ${chalk.green('korext enforce --sync-rules')} first while online.`));
+        process.exit(1);
+      }
+      if (isText) {
+        console.log(chalk.yellow('\n⚡ Offline mode: using local rule engine (regex-based analysis)'));
+        console.log(chalk.dim(`   Cached rules: v${localDefinitions.version} · ${localDefinitions.ruleCount} rules · ${localDefinitions.packCount} packs`));
+        console.log(chalk.dim('   Note: AI-powered deep analysis is unavailable in offline mode.\n'));
+      }
+    }
+
     const token = getToken();
-    if (!token && isText) {
+    if (!token && !forceOffline && isText) {
       console.log(chalk.yellow('\n⚠ Warning: No authentication token found.'));
       console.log(chalk.dim('Anonymous evaluation runs are limited to 20 requests per hour per IP.'));
       console.log(chalk.dim(`Run ${chalk.green('korext login')} to authenticate for unlimited CI/CD analytics.\n`));
@@ -204,6 +329,8 @@ program
 
     if (isText) console.log(`Found ${files.length} files. Starting analysis with pack: ${chalk.cyan(pack)}...\n`);
 
+    let usedLocalEngine = false;
+
     for (let i = 0; i < files.length; i++) {
       const file = files[i];
       const displayPath = path.relative(process.cwd(), file);
@@ -221,66 +348,94 @@ program
       const ext = path.extname(file);
       const language = getLanguageFromExt(ext);
 
-      try {
-        const res = await fetch(`${API_URL}/api/ide/analyze`, {
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json',
-            ...(token && { 'Authorization': `Bearer ${token}` })
-          },
-          body: JSON.stringify({
-            fileContent,
-            language,
-            fileName: file,
-            packId: pack,
-            requestSignature: false
-          })
-        });
+      // ── Analysis: server-first with local fallback ─────────────────────
+      let fileViolations = [];
 
-        if (!res.ok) {
-          if (fileSpinner) fileSpinner.fail(chalk.red(`Server error analyzing ${displayPath}: HTTP ${res.status}`));
-          report.summary.errorFiles++;
-          continue;
-        }
+      if (forceOffline) {
+        // Offline mode: local engine only
+        fileViolations = analyzeLocally(fileContent, pack, localDefinitions);
+        usedLocalEngine = true;
+      } else {
+        // Online mode: try server, fall back to local on failure
+        try {
+          const res = await fetch(`${API_URL}/api/ide/analyze`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              ...(token && { 'Authorization': `Bearer ${token}` })
+            },
+            body: JSON.stringify({
+              fileContent,
+              language,
+              fileName: file,
+              packId: pack,
+              requestSignature: false
+            })
+          });
 
-        const result = await res.json();
-        
-        if (result.skipped) {
-          if (fileSpinner) fileSpinner.info(chalk.yellow(`Skipped ${displayPath}: ${result.reason}`));
-          report.summary.skippedFiles++;
-          continue;
-        }
+          if (!res.ok) {
+            throw new Error(`HTTP ${res.status}`);
+          }
+
+          const result = await res.json();
+
+          if (result.skipped) {
+            if (fileSpinner) fileSpinner.info(chalk.yellow(`Skipped ${displayPath}: ${result.reason}`));
+            report.summary.skippedFiles++;
+            continue;
+          }
 
-        report.summary.scannedFiles++;
-        const fileViolations = result.violations || [];
-        report.summary.totalViolations += fileViolations.length;
-
-        if (fileViolations.length > 0) {
-          if (fileSpinner) fileSpinner.stop();
-          if (isText) console.log(`\n📄 ${chalk.bold.underline(displayPath)}`);
-          
-          const storedV = [];
-          for (const v of fileViolations) {
-            let severityTag = chalk.blue('LOW');
-            if (v.severity === 'critical') { severityTag = chalk.bgRed.white.bold(' CRITICAL '); report.summary.critical++; }
-            else if (v.severity === 'high') { severityTag = chalk.red.bold('HIGH'); report.summary.high++; }
-            else if (v.severity === 'medium') { severityTag = chalk.yellow.bold('MED'); report.summary.medium++; }
-            else { report.summary.low++; }
-
-            if (isText) {
-              console.log(`   ${chalk.dim(v.line + ':' + (v.column || 0))}  ${severityTag}  ${v.ruleName}`);
-              console.log(`   ${chalk.dim('↳')} ${chalk.italic(v.explanation)} `);
+          fileViolations = result.violations || [];
+
+          // Cache rule definitions on first successful server response (opportunistic sync)
+          if (!localDefinitions && i === 0) {
+            fetchAndCacheRules().catch(() => {});
+          }
+        } catch (e) {
+          // Server unreachable — fall back to local engine
+          if (localDefinitions) {
+            if (!usedLocalEngine && isText && i === 0) {
+              // Show fallback banner once
+              console.log(chalk.yellow(`\n⚡ Server unreachable. Falling back to local engine (regex-based analysis).`));
+              console.log(chalk.dim(`   Cached rules: v${localDefinitions.version} · ${localDefinitions.ruleCount} rules\n`));
             }
-            storedV.push(v);
+            fileViolations = analyzeLocally(fileContent, pack, localDefinitions);
+            usedLocalEngine = true;
+            forceOffline = true; // Don't retry server for remaining files
+          } else {
+            if (fileSpinner) fileSpinner.fail(chalk.red(`Failed to analyze ${displayPath}: ${e.message}`));
+            report.summary.errorFiles++;
+            continue;
           }
-          report.results.push({ file: displayPath, violations: storedV });
-        } else {
-          if (fileSpinner) fileSpinner.stop();
-          report.results.push({ file: displayPath, violations: [] });
         }
-      } catch (e) {
-        if (fileSpinner) fileSpinner.fail(chalk.red(`Failed to analyze ${displayPath}: ${e.message}`));
-        report.summary.errorFiles++;
+      }
+
+      report.summary.scannedFiles++;
+      report.summary.totalViolations += fileViolations.length;
+
+      if (fileViolations.length > 0) {
+        if (fileSpinner) fileSpinner.stop();
+        if (isText) console.log(`\n📄 ${chalk.bold.underline(displayPath)}`);
+
+        const storedV = [];
+        for (const v of fileViolations) {
+          let severityTag = chalk.blue('LOW');
+          if (v.severity === 'critical') { severityTag = chalk.bgRed.white.bold(' CRITICAL '); report.summary.critical++; }
+          else if (v.severity === 'high') { severityTag = chalk.red.bold('HIGH'); report.summary.high++; }
+          else if (v.severity === 'medium') { severityTag = chalk.yellow.bold('MED'); report.summary.medium++; }
+          else { report.summary.low++; }
+
+          if (isText) {
+            const localTag = v.detectedBy === 'local-static' ? chalk.dim(' [local]') : '';
+            console.log(`   ${chalk.dim(v.line + ':' + (v.column || 0))}  ${severityTag}  ${v.ruleName}${localTag}`);
+            console.log(`   ${chalk.dim('↳')} ${chalk.italic(v.explanation)} `);
+          }
+          storedV.push(v);
+        }
+        report.results.push({ file: displayPath, violations: storedV });
+      } else {
+        if (fileSpinner) fileSpinner.stop();
+        report.results.push({ file: displayPath, violations: [] });
       }
     }
 
@@ -313,6 +468,9 @@ program
       console.log(JSON.stringify(sarif, null, 2));
     } else {
       console.log('\n' + chalk.dim('======================================='));
+      if (usedLocalEngine) {
+        console.log(chalk.dim('Engine: LOCAL (regex-based, cached rules)'));
+      }
       if (report.summary.totalViolations === 0 && report.summary.errorFiles === 0) {
         console.log(chalk.green.bold('✔ Success! Found 0 policy violations. Your code is clean.\n'));
       } else {
@@ -359,6 +517,43 @@ program
     process.exit(0);
   });
 
+// ─── RULE SYNC COMMAND ──────────────────────────────────────────────────────
+
+const rulesCmd = program.command('rules').description('Rule definition management commands');
+
+rulesCmd
+  .command('sync')
+  .description('Download and cache rule definitions for offline enforcement')
+  .action(async () => {
+    console.log(chalk.bold.hex('#F27D26')('\n▲ KOREXT RULE SYNC'));
+    console.log(chalk.dim('======================================='));
+    const spinner = ora('Fetching rule definitions...').start();
+    try {
+      const defs = await fetchAndCacheRules();
+      spinner.succeed(chalk.green(`Cached ${defs.ruleCount} rules across ${defs.packCount} packs`));
+      console.log(chalk.dim(`  Version: ${defs.version}`));
+      console.log(chalk.dim(`  Saved to: ${RULES_CACHE_FILE}`));
+      console.log(chalk.dim(`  Generated: ${defs.generatedAt}`));
+
+      // List available packs
+      console.log(`\n${chalk.bold('Available packs for offline enforcement:')}`);
+      for (const [packId, pack] of Object.entries(defs.packs)) {
+        const ruleCount = pack.rules ? pack.rules.length : 0;
+        console.log(`  ${chalk.cyan(packId)} — ${pack.label} (${ruleCount} rules)`);
+      }
+      console.log(`\n  Run: ${chalk.green('korext enforce . --offline --pack <packId>')} to enforce offline.\n`);
+    } catch (e) {
+      spinner.fail(chalk.red(`Failed to fetch rule definitions: ${e.message}`));
+      const cached = getRuleDefinitionsCache();
+      if (cached) {
+        console.log(chalk.yellow(`  Existing cache still available (v${cached.version}, ${cached.ruleCount} rules)`));
+      } else {
+        console.log(chalk.dim('  No cached definitions available. Connect to the network and try again.'));
+      }
+      process.exit(1);
+    }
+  });
+
 // ─── POLICY COMMANDS ─────────────────────────────────────────────────────────
 
 const LOCAL_DRAFT_DIR = path.join(process.cwd(), '.korext');

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "korext",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "Korext Command Line Interface",
   "type": "module",
   "main": "bin/korext.js",
   "bin": {
     "korext": "bin/korext.js"
   },
-  "author": "Korext",
+  "author": "Korext <support@korext.com>",
   "license": "ISC",
   "dependencies": {
     "chalk": "^4.1.2",
@@ -30,5 +30,23 @@
     "glob",
     "node-fetch",
     "ora"
+  ],
+  "homepage": "https://www.korext.com",
+  "bugs": {
+    "email": "support@korext.com"
+  },
+  "keywords": [
+    "governance",
+    "compliance",
+    "security",
+    "cli",
+    "cicd",
+    "sarif",
+    "AI",
+    "code review",
+    "PCI-DSS",
+    "HIPAA",
+    "OWASP",
+    "korext"
   ]
 }