korext 0.9.6 → 0.9.7

package/bin/korext.js

@@ -6,6 +6,7 @@ import { Command } from 'commander';
 import chalk from 'chalk';
 import ora from 'ora';
 import fetch from 'node-fetch';
+import { createInterface } from 'readline';
 
 // Load version
 const pkgUrl = new URL('../package.json', import.meta.url);
@@ -29,9 +30,9 @@ function getConfig() {
 
 function saveConfig(config) {
   if (!fs.existsSync(CONFIG_DIR)) {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
   }
-  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), 'utf-8');
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { encoding: 'utf-8', mode: 0o600 });
 }
 
 let _deprecationWarned = false;
@@ -57,6 +58,203 @@ function getLanguageFromExt(ext) {
   return map[ext] || 'plaintext';
 }
 
+// ─── TAXONOMY BUILDER ─────────────────────────────────────────────────────────
+// Standalone copy of derivation logic from src/lib/packTaxonomy.ts.
+// Operates on cached rule definitions (packs with tags).
+
+const INDUSTRY_LABELS = {
+  finance: 'Finance',
+  healthcare: 'Healthcare',
+  defense: 'Defense',
+  government: 'Government',
+  aerospace: 'Aerospace',
+  energy: 'Energy',
+  ecommerce: 'E-Commerce',
+  technology: 'Technology',
+  education: 'Education and Research',
+  insurance: 'Insurance',
+  automotive: 'Automotive',
+  telecom: 'Telecom',
+  transport: 'Transport and Maritime',
+  manufacturing: 'Manufacturing',
+  lifesciences: 'Life Sciences',
+  critical_infrastructure: 'Critical Infrastructure',
+  legal: 'Legal',
+  general: 'General',
+};
+
+const INDUSTRY_DESCRIPTIONS = {
+  finance: 'PCI-DSS, DORA, Basel III, SWIFT',
+  healthcare: 'HIPAA, FDA, FHIR, GxP',
+  defense: 'CMMC, NIST 800-171, ITAR',
+  government: 'FedRAMP, FISMA, CISA',
+  aerospace: 'DO-178C, NASA, EASA, ICAO',
+  energy: 'NERC CIP, IEC 62443, NRC',
+  critical_infrastructure: 'IEC 62443, NERC, NIST CSF',
+  manufacturing: 'IEC 62443, EN Standards',
+  ecommerce: 'PCI-DSS, GDPR Public',
+  lifesciences: 'GxP, ICH, EMA',
+  education: 'FERPA, UKRI',
+  insurance: 'NAIC, Solvency II',
+  automotive: 'ISO 26262, WP.29',
+  telecom: '3GPP, Ofcom',
+  transport: 'IMO Maritime, ITS Transport',
+  legal: 'SRA Compliance',
+  technology: 'Age Encryption, ASP.NET',
+  general: 'OWASP, Web Security, AI Safety',
+};
+
+const REGION_LABELS = {
+  global: 'Global',
+  us: 'United States',
+  eu: 'European Union',
+  uk: 'United Kingdom',
+};
+
+const INDUSTRY_MERGES = {
+  maritime: 'transport',
+  research: 'education',
+};
+
+const RECOMMENDED_PACKS = {
+  finance: ['pci-dss-v1', 'dora-financial-v1', 'swift-cscf-v1'],
+  healthcare: ['hipaa-hitech-v1', 'fda-21cfr-v1', 'hl7-fhir-v1'],
+  defense: ['cmmc-level2-v1', 'nist-sp800-171-v1', 'itar-ear-v1'],
+  government: ['fedramp-moderate-v1', 'fisma-v1', 'nist-csf2-v1'],
+  aerospace: ['do-178c-v1', 'nasa-7150-v1', 'easa-part21-v1'],
+  energy: ['nerc-cip-v1', 'iec-62443-v1', 'ofgem-v1'],
+  critical_infrastructure: ['iec-62443-v1', 'nerc-cip-v1', 'nist-csf2-v1'],
+  manufacturing: ['iec-62443-v1', 'en-standards-v1'],
+  ecommerce: ['pci-dss-v1', 'gdpr-public-v1'],
+  lifesciences: ['gxp-pharma-v1', 'ich-pharma-v1'],
+  education: ['ferpa-education-v1', 'ukri-research-v1'],
+  insurance: ['naic-insurance-v1', 'solvency-v1'],
+  automotive: ['iso-26262-v1', 'wp29-automotive-v1'],
+  telecom: ['3gpp-telecom-v1', 'ofcom-telecom-v1'],
+  transport: ['its-transport-v1', 'imo-maritime-v1'],
+  legal: ['sra-legal-v1'],
+  technology: ['age-encryption-v1', 'asp-security-v1'],
+  general: ['web', 'security'],
+};
+
+const CROSS_CUTTING_DEFAULT_ON = ['web'];
+const CROSS_CUTTING_AVAILABLE = [
+  'browser-gov-v1', 'euai-act-v2', 'gdpr-privacy-v1', 'gpc-privacy-v1',
+  'iso-27001-v1', 'nist-csf2-v1', 'quantum-safe-v1',
+];
+
+function resolveIndustryTag(tag) {
+  return INDUSTRY_MERGES[tag] || tag;
+}
+
+function buildTaxonomyFromPacks(packs) {
+  const industries = {};
+  const regions = {};
+
+  for (const key of Object.keys(INDUSTRY_LABELS)) {
+    industries[key] = { label: INDUSTRY_LABELS[key], description: INDUSTRY_DESCRIPTIONS[key] || '', packIds: [], recommended: [] };
+  }
+  for (const key of Object.keys(REGION_LABELS)) {
+    regions[key] = { label: REGION_LABELS[key], packIds: [] };
+  }
+
+  const crossCuttingSet = new Set([...CROSS_CUTTING_DEFAULT_ON, ...CROSS_CUTTING_AVAILABLE]);
+
+  for (const [packId, pack] of Object.entries(packs)) {
+    const rawIndustries = pack.tags?.industries || [];
+    const rawRegions = pack.tags?.regions || [];
+
+    if (crossCuttingSet.has(packId)) {
+      const pr = rawRegions.length > 0 ? rawRegions : ['global'];
+      for (const r of pr) {
+        if (!regions[r]) regions[r] = { label: REGION_LABELS[r] || r, packIds: [] };
+        if (!regions[r].packIds.includes(packId)) regions[r].packIds.push(packId);
+      }
+      continue;
+    }
+
+    let resolved;
+    if (rawIndustries.length === 0) {
+      resolved = ['general'];
+    } else {
+      const filtered = rawIndustries.filter(t => t !== 'all').map(resolveIndustryTag);
+      resolved = [...new Set(filtered)];
+      if (resolved.length === 0) resolved = ['general'];
+    }
+
+    for (const ind of resolved) {
+      if (!industries[ind]) {
+        industries[ind] = { label: INDUSTRY_LABELS[ind] || ind, description: INDUSTRY_DESCRIPTIONS[ind] || '', packIds: [], recommended: [] };
+      }
+      if (!industries[ind].packIds.includes(packId)) industries[ind].packIds.push(packId);
+    }
+
+    const pr = rawRegions.length > 0 ? rawRegions : ['global'];
+    for (const r of pr) {
+      if (!regions[r]) regions[r] = { label: REGION_LABELS[r] || r, packIds: [] };
+      if (!regions[r].packIds.includes(packId)) regions[r].packIds.push(packId);
+    }
+  }
+
+  // Apply recommended
+  for (const [ind, recList] of Object.entries(RECOMMENDED_PACKS)) {
+    if (industries[ind]) {
+      industries[ind].recommended = recList.filter(pid => industries[ind].packIds.includes(pid));
+    }
+  }
+
+  // Remove empties
+  for (const key of Object.keys(industries)) {
+    if (industries[key].packIds.length === 0) delete industries[key];
+  }
+  for (const key of Object.keys(regions)) {
+    if (regions[key].packIds.length === 0) delete regions[key];
+  }
+
+  // Sort
+  for (const g of Object.values(industries)) g.packIds.sort();
+  for (const g of Object.values(regions)) g.packIds.sort();
+
+  return {
+    industries,
+    regions,
+    crossCutting: {
+      defaultOn: CROSS_CUTTING_DEFAULT_ON.filter(pid => pid in packs),
+      available: CROSS_CUTTING_AVAILABLE.filter(pid => pid in packs),
+    },
+  };
+}
+
+function resolvePacksForIndustryRegion(industryFilter, regionFilter, taxonomy) {
+  const matchedPacks = new Set();
+  const industryIds = industryFilter.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
+  const regionIds = regionFilter ? regionFilter.split(',').map(s => s.trim().toLowerCase()).filter(Boolean) : [];
+
+  for (const indId of industryIds) {
+    const group = taxonomy.industries[indId];
+    if (!group) continue;
+    for (const pid of group.packIds) {
+      if (regionIds.length === 0) {
+        matchedPacks.add(pid);
+      } else {
+        // Only include packs whose region overlaps with the filter
+        const packRegions = taxonomy.regions;
+        let inRegion = false;
+        for (const r of regionIds) {
+          if (packRegions[r] && packRegions[r].packIds.includes(pid)) inRegion = true;
+          if (packRegions['global'] && packRegions['global'].packIds.includes(pid)) inRegion = true;
+        }
+        if (inRegion) matchedPacks.add(pid);
+      }
+    }
+  }
+
+  // Include cross-cutting defaults
+  for (const pid of taxonomy.crossCutting.defaultOn) matchedPacks.add(pid);
+
+  return [...matchedPacks];
+}
+
 // ─── LOCAL ENGINE: Rule Definition Caching + Offline Analysis ─────────────────
 
 const RULES_CACHE_FILE = path.join(CONFIG_DIR, 'rule-definitions.json');
@@ -223,7 +421,9 @@ program
 program
   .command('packs list')
   .description('List available policy packs from the server')
-  .action(async () => {
+  .option('--industry <name>', 'Filter packs by industry (e.g. finance)')
+  .option('--region <name>', 'Filter packs by region (e.g. us, eu)')
+  .action(async (_sub, options) => {
     const token = getToken();
     const spinner = ora('Fetching policy packs...').start();
     try {
@@ -233,15 +433,62 @@ program
       if (res.ok) {
         const data = await res.json();
         spinner.stop();
-        console.log(chalk.bold.hex('#F27D26')('\n▲ AVAILABLE KOREXT POLICY PACKS'));
+
+        let packs = data.packs || [];
+
+        // Apply industry/region filter from taxonomy if cached definitions exist
+        if (options.industry || options.region) {
+          const defs = getRuleDefinitionsCache();
+          if (defs && defs.packs) {
+            const taxonomy = buildTaxonomyFromPacks(defs.packs);
+            const matchedIds = resolvePacksForIndustryRegion(
+              options.industry || Object.keys(taxonomy.industries).join(','),
+              options.region || null,
+              taxonomy
+            );
+            const matchedSet = new Set(matchedIds);
+            packs = packs.filter(p => matchedSet.has(p.packId));
+          } else {
+            console.log(chalk.yellow('No cached rule definitions found. Run korext rules sync for industry/region filtering.'));
+          }
+        }
+
+        const filterStr = [options.industry, options.region].filter(Boolean).join(', ');
+        console.log(chalk.bold.hex('#F27D26')(`\n\u25b2 AVAILABLE KOREXT POLICY PACKS${filterStr ? ` (filtered: ${filterStr})` : ''}`));
         console.log(chalk.dim('======================================='));
-        if (data.packs && data.packs.length > 0) {
-          data.packs.forEach((p) => {
-            console.log(`${chalk.bold(p.packId)} - ${p.packName || p.packId} ${p.isEnterprise ? chalk.bgRed.white(' ENTERPRISE ') : ''}`);
-            console.log(chalk.dim(`  ${p.description || 'No description provided'}\n`));
-          });
+
+        if (packs.length > 0) {
+          // Group by industry if taxonomy is available
+          const defs = getRuleDefinitionsCache();
+          if (defs && defs.packs) {
+            const taxonomy = buildTaxonomyFromPacks(defs.packs);
+            const recSets = {};
+            for (const [indId, group] of Object.entries(taxonomy.industries)) {
+              recSets[indId] = new Set(group.recommended);
+            }
+
+            for (const p of packs) {
+              // Find industries this pack belongs to
+              const packIndustries = [];
+              for (const [indId, group] of Object.entries(taxonomy.industries)) {
+                if (group.packIds.includes(p.packId)) packIndustries.push(indId);
+              }
+              const indLabel = packIndustries.map(i => INDUSTRY_LABELS[i] || i).join(', ') || 'Cross-cutting';
+              const isRec = packIndustries.some(i => recSets[i]?.has(p.packId));
+              const recTag = isRec ? chalk.green(' [recommended]') : '';
+              console.log(`${chalk.bold(p.packId)} ${chalk.dim('|')} ${p.packName || p.packId} ${chalk.dim('|')} ${chalk.cyan(indLabel)}${recTag}${p.isEnterprise ? chalk.bgRed.white(' ENTERPRISE ') : ''}`);
+              console.log(chalk.dim(`  ${p.description || 'No description provided'}\n`));
+            }
+          } else {
+            packs.forEach((p) => {
+              console.log(`${chalk.bold(p.packId)} - ${p.packName || p.packId} ${p.isEnterprise ? chalk.bgRed.white(' ENTERPRISE ') : ''}`);
+              console.log(chalk.dim(`  ${p.description || 'No description provided'}\n`));
+            });
+          }
+
+          console.log(chalk.dim(`Total: ${packs.length} packs`));
         } else {
-            console.log(chalk.dim('No policy packs available.'));
+            console.log(chalk.dim('No policy packs match the filters.'));
         }
       } else {
         spinner.fail(chalk.red('Failed to fetch packs. Check authentication.'));
@@ -251,22 +498,411 @@ program
     }
   });
 
+// ─── KOREXT INDUSTRIES COMMAND ─────────────────────────────────────────────────
+
+program
+  .command('industries')
+  .description('List all supported industries and their associated policy packs')
+  .action(async () => {
+    const defs = getRuleDefinitionsCache();
+    if (!defs || !defs.packs) {
+      const spinner = ora('Fetching rule definitions...').start();
+      try {
+        await fetchAndCacheRules();
+        spinner.succeed('Rule definitions cached.');
+      } catch (e) {
+        spinner.fail(chalk.red('Failed to fetch rule definitions. Run korext rules sync while online.'));
+        process.exit(1);
+      }
+    }
+
+    const cachedDefs = getRuleDefinitionsCache();
+    const taxonomy = buildTaxonomyFromPacks(cachedDefs.packs);
+
+    console.log(chalk.bold.hex('#F27D26')('\n\u25b2 KOREXT INDUSTRY TAXONOMY'));
+    console.log(chalk.dim('=======================================\n'));
+
+    const sortedIndustries = Object.entries(taxonomy.industries)
+      .sort(([, a], [, b]) => a.label.localeCompare(b.label));
+
+    for (const [id, group] of sortedIndustries) {
+      const desc = INDUSTRY_DESCRIPTIONS[id] || '';
+      const recCount = group.recommended.length;
+      console.log(`  ${chalk.bold.cyan(group.label)} ${chalk.dim(`(${id})`)}`);
+      console.log(`    ${chalk.dim(desc)}`);
+      console.log(`    ${chalk.white(`${group.packIds.length} packs`)}${recCount > 0 ? chalk.green(` (${recCount} recommended)`) : ''}`);
+      console.log(`    ${chalk.dim(group.packIds.join(', '))}\n`);
+    }
+
+    // Show regions
+    console.log(chalk.bold('\n  Regions:'));
+    for (const [id, group] of Object.entries(taxonomy.regions)) {
+      console.log(`    ${chalk.cyan(group.label)} ${chalk.dim(`(${id})`)} ${chalk.dim(`${group.packIds.length} packs`)}`);
+    }
+
+    // Show cross-cutting
+    console.log(chalk.bold('\n  Cross-cutting packs:'));
+    console.log(`    Default: ${chalk.green(taxonomy.crossCutting.defaultOn.join(', ') || 'none')}`);
+    console.log(`    Available: ${chalk.dim(taxonomy.crossCutting.available.join(', ') || 'none')}`);
+
+    console.log(`\n  ${chalk.dim('Use:')} ${chalk.green('korext enforce . --industry finance')} ${chalk.dim('to enforce all finance packs.')}`);
+    console.log(`  ${chalk.dim('Use:')} ${chalk.green('korext enforce . --industry finance --region eu')} ${chalk.dim('to filter by region.\n')}`);
+  });
+
+// ─── KOREXT INIT COMMAND ───────────────────────────────────────────────────────
+
+program
+  .command('init')
+  .description('Initialize a korext.json configuration file for your project')
+  .option('--non-interactive', 'Skip prompts and use defaults', false)
+  .action(async (options) => {
+    console.log(chalk.bold.hex('#F27D26')('\n\u25b2 KOREXT PROJECT INIT'));
+    console.log(chalk.dim('=======================================\n'));
+
+    const outputPath = path.resolve('korext.json');
+
+    if (fs.existsSync(outputPath)) {
+      console.log(chalk.yellow(`korext.json already exists at ${outputPath}`));
+      console.log(chalk.dim('Delete it manually to re-initialize.\n'));
+      process.exit(0);
+    }
+
+    // Ensure rule definitions are cached
+    let defs = getRuleDefinitionsCache();
+    if (!defs || !defs.packs) {
+      const spinner = ora('Fetching rule definitions...').start();
+      try {
+        defs = await fetchAndCacheRules();
+        spinner.succeed('Rule definitions cached.');
+      } catch (e) {
+        spinner.fail(chalk.red('Failed to fetch rule definitions. Unable to resolve industries.'));
+        process.exit(1);
+      }
+    }
+
+    const taxonomy = buildTaxonomyFromPacks(defs.packs);
+
+    if (options.nonInteractive) {
+      // Non-interactive: default to web pack
+      const config = {
+        targetPacks: ['web'],
+        exclude: ['node_modules', 'dist', 'build', '.next']
+      };
+      fs.writeFileSync(outputPath, JSON.stringify(config, null, 2));
+      console.log(chalk.green(`Created ${outputPath} with default pack: web\n`));
+      process.exit(0);
+    }
+
+    // Interactive prompts
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+
+    try {
+      // Show industries
+      console.log(chalk.bold('  Available industries:\n'));
+      const sortedIndustries = Object.entries(taxonomy.industries)
+        .filter(([id]) => id !== 'general')
+        .sort(([, a], [, b]) => a.label.localeCompare(b.label));
+
+      sortedIndustries.forEach(([id, group], i) => {
+        console.log(`    ${chalk.dim(`${i + 1}.`)} ${chalk.cyan(group.label)} ${chalk.dim(`(${id})`)} ${chalk.dim(INDUSTRY_DESCRIPTIONS[id] || '')}`);
+      });
+
+      console.log();
+      const industryInput = await ask(chalk.bold('  Select industries (comma-separated numbers or IDs): '));
+
+      // Parse user input (numbers or IDs)
+      const selectedIndustries = industryInput.split(',').map(s => s.trim()).filter(Boolean).map(s => {
+        const num = parseInt(s, 10);
+        if (!isNaN(num) && num >= 1 && num <= sortedIndustries.length) {
+          return sortedIndustries[num - 1][0];
+        }
+        return s.toLowerCase();
+      }).filter(id => taxonomy.industries[id]);
+
+      if (selectedIndustries.length === 0) {
+        console.log(chalk.yellow('\n  No valid industries selected. Using default: web\n'));
+        const config = {
+          targetPacks: ['web'],
+          exclude: ['node_modules', 'dist', 'build', '.next']
+        };
+        fs.writeFileSync(outputPath, JSON.stringify(config, null, 2));
+        console.log(chalk.green(`  Created ${outputPath}\n`));
+        rl.close();
+        process.exit(0);
+      }
+
+      // Show regions
+      console.log(chalk.bold('\n  Available regions:\n'));
+      const regionEntries = Object.entries(taxonomy.regions).sort(([a], [b]) => a.localeCompare(b));
+      regionEntries.forEach(([id, group], i) => {
+        console.log(`    ${chalk.dim(`${i + 1}.`)} ${chalk.cyan(group.label)} ${chalk.dim(`(${id})`)}`);
+      });
+      console.log(`    ${chalk.dim('0.')} All regions`);
+      console.log();
+      const regionInput = await ask(chalk.bold('  Select region (number or ID, default: all): '));
+
+      let selectedRegion = null;
+      if (regionInput.trim()) {
+        const num = parseInt(regionInput, 10);
+        if (num === 0) {
+          selectedRegion = null;
+        } else if (!isNaN(num) && num >= 1 && num <= regionEntries.length) {
+          selectedRegion = regionEntries[num - 1][0];
+        } else {
+          const lower = regionInput.trim().toLowerCase();
+          if (taxonomy.regions[lower]) selectedRegion = lower;
+        }
+      }
+
+      // Resolve packs
+      const resolvedPacks = resolvePacksForIndustryRegion(
+        selectedIndustries.join(','),
+        selectedRegion,
+        taxonomy
+      );
+
+      console.log(chalk.green(`\n  Resolved ${resolvedPacks.length} packs for ${selectedIndustries.map(id => INDUSTRY_LABELS[id]).join(', ')}${selectedRegion ? ` (${REGION_LABELS[selectedRegion] || selectedRegion})` : ''}:`));
+      for (const pid of resolvedPacks) {
+        console.log(`    ${chalk.cyan(pid)}`);
+      }
+
+      const config = {
+        industry: selectedIndustries.join(','),
+        ...(selectedRegion && { region: selectedRegion }),
+        targetPacks: resolvedPacks,
+        exclude: ['node_modules', 'dist', 'build', '.next']
+      };
+
+      fs.writeFileSync(outputPath, JSON.stringify(config, null, 2));
+      console.log(chalk.green(`\n  Created ${outputPath}\n`));
+      console.log(chalk.dim(`  Run: ${chalk.green('korext enforce .')} to enforce these packs.\n`));
+
+      rl.close();
+    } catch (e) {
+      rl.close();
+      console.error(chalk.red(`Init failed: ${e.message}`));
+      process.exit(1);
+    }
+  });
+
+// ─── KOREXT POLICY COMMAND ────────────────────────────────────────────────────
+
+program
+  .command('org-policy')
+  .description('Display the organisation governance policy for your account')
+  .action(async () => {
+    console.log(chalk.bold.hex('#F27D26')('\n\u25b2 KOREXT ORGANISATION POLICY'));
+    console.log(chalk.dim('=======================================\n'));
+
+    const token = getToken();
+    if (!token) {
+      console.log(chalk.yellow('Not authenticated. Run korext auth to sign in.'));
+      process.exit(1);
+    }
+
+    const spinner = ora('Fetching org policy...').start();
+    try {
+      const res = await fetch(`${API_URL}/api/org/policy`, {
+        headers: { Authorization: `Bearer ${token}` },
+      });
+      if (!res.ok) {
+        spinner.fail(chalk.red(`Server returned ${res.status}: ${res.statusText}`));
+        process.exit(1);
+      }
+      const data = await res.json();
+      spinner.succeed('Organisation policy loaded.\n');
+
+      const hasMandated = data.mandatedPacks && data.mandatedPacks.length > 0;
+      const hasRecommended = data.recommendedPacks && data.recommendedPacks.length > 0;
+      const hasAllowed = data.allowedPacks && data.allowedPacks.length > 0;
+
+      if (!hasMandated && !hasRecommended && !hasAllowed && !data.industry) {
+        console.log(chalk.dim('  No organisation policy configured.'));
+        console.log(chalk.dim('  Set one at https://app.korext.com under Org Policy (ADMIN only).\n'));
+        return;
+      }
+
+      if (data.industry) console.log(`  ${chalk.bold('Industry:')}   ${data.industry}`);
+      if (data.region) console.log(`  ${chalk.bold('Region:')}     ${data.region}`);
+      if (data.updatedAt) console.log(`  ${chalk.bold('Updated:')}    ${data.updatedAt}`);
+      console.log('');
+
+      if (hasMandated) {
+        console.log(chalk.red.bold('  MANDATED PACKS (locked):'));
+        for (const pid of data.mandatedPacks) {
+          console.log(`    ${chalk.red('\u25cf')} ${pid}`);
+        }
+        console.log('');
+      }
+
+      if (hasRecommended) {
+        console.log(chalk.green.bold('  RECOMMENDED PACKS:'));
+        for (const pid of data.recommendedPacks) {
+          console.log(`    ${chalk.green('\u25cb')} ${pid}`);
+        }
+        console.log('');
+      }
+
+      if (hasAllowed) {
+        console.log(chalk.yellow.bold('  ALLOWED PACKS:'));
+        for (const pid of data.allowedPacks) {
+          console.log(`    ${chalk.yellow('\u25cb')} ${pid}`);
+        }
+        console.log('');
+      } else {
+        console.log(chalk.dim('  Allowed: all packs (no restrictions)\n'));
+      }
+    } catch (e) {
+      spinner.fail(chalk.red(`Failed: ${e.message}`));
+      process.exit(1);
+    }
+  });
+
+
 program
   .command('enforce [dir]')
   .description('Statically analyze files in a directory against Korext policies')
-  .option('-p, --pack <packIds>', 'Policy Pack ID(s) to enforce (comma-separated, e.g. web,pci-dss-v1)', 'web')
+  .option('-p, --pack <packIds>', 'Policy Pack ID(s) to enforce (comma-separated, e.g. web,pci-dss-v1)')
   .option('-f, --format <format>', 'Output format (text, json, sarif)', 'text')
+  .option('--industry <industries>', 'Industry filter (comma separated, e.g. finance,healthcare)')
+  .option('--region <regions>', 'Region filter (comma separated, e.g. us,eu)')
   .option('--offline', 'Force local-only analysis using cached rule definitions (no server calls)', false)
   .option('--sync-rules', 'Fetch and cache latest rule definitions before running analysis', false)
+  .option('--sign', 'Request HMAC signed proof bundles (requires authentication)', false)
+  .option('--sovereignty-region <region>', 'Data sovereignty region: us, eu, or apac (routes data to regional database)')
   .action(async (dirArg, options) => {
     const dir = dirArg || '.';
-    const packInput = options.pack;
-    // Multi-pack: split on comma, trim whitespace
-    const packIds = packInput.split(',').map(p => p.trim()).filter(Boolean);
-    const pack = packIds.length === 1 ? packIds[0] : packIds;
     const format = options.format.toLowerCase();
     const isText = format === 'text';
 
+    // ── Workspace config reader ──────────────────────────────────────────────
+    function loadWorkspaceConfig(targetDir) {
+      const configPaths = [
+        path.join(targetDir, 'korext.json'),
+        path.join(targetDir, '.korextrc'),
+        path.join(process.cwd(), 'korext.json'),
+        path.join(process.cwd(), '.korextrc'),
+      ];
+      // Deduplicate paths (targetDir might equal cwd)
+      const seen = new Set();
+      for (const p of configPaths) {
+        const resolved = path.resolve(p);
+        if (seen.has(resolved)) continue;
+        seen.add(resolved);
+        if (fs.existsSync(resolved)) {
+          try {
+            const raw = JSON.parse(fs.readFileSync(resolved, 'utf-8'));
+            return raw;
+          } catch (e) {
+            console.warn(`[KOREXT] Invalid config at ${resolved}: ${e.message}`);
+            return null;
+          }
+        }
+      }
+      return null;
+    }
+
+    // ── Pack resolution priority chain ───────────────────────────────────────
+    // 1. --pack flag (highest, explicit)
+    // 2. --industry + --region flags (resolved via taxonomy)
+    // 3. korext.json targetPacks (workspace config)
+    // 4. korext.json industry + region (workspace config, resolved)
+    // 5. Default 'web' (fallback)
+    let packIds;
+    let packSource = 'default';
+
+    // Helper: try to build taxonomy from cached definitions
+    const tryBuildTaxonomy = () => {
+      const defs = getRuleDefinitionsCache();
+      if (!defs || !defs.packs) return null;
+      return buildTaxonomyFromPacks(defs.packs);
+    };
+
+    if (options.pack) {
+      // Priority 1: User explicitly passed --pack
+      packIds = options.pack.split(',').map(s => s.trim()).filter(Boolean);
+      packSource = 'flag';
+    } else if (options.industry) {
+      // Priority 2: --industry (and optional --region) flags
+      const taxonomy = tryBuildTaxonomy();
+      if (!taxonomy) {
+        if (isText) console.error(chalk.red('\n\u2716 --industry requires cached rule definitions.'));
+        if (isText) console.error(chalk.dim(`  Run ${chalk.green('korext rules sync')} first to cache pack tags.`));
+        process.exit(1);
+      }
+      packIds = resolvePacksForIndustryRegion(options.industry, options.region || null, taxonomy);
+      packSource = 'industry-flag';
+      if (packIds.length === 0) {
+        if (isText) console.error(chalk.red(`\n\u2716 No packs found for industry '${options.industry}'${options.region ? ` in region '${options.region}'` : ''}.`));
+        if (isText) console.error(chalk.dim(`  Run ${chalk.green('korext industries')} to see valid industry names.`));
+        process.exit(1);
+      }
+      if (isText) console.log(`[KOREXT] Resolved ${packIds.length} packs for industry: ${options.industry}${options.region ? ` (region: ${options.region})` : ''}`);
+    } else {
+      // Priority 3-5: workspace config or default
+      const config = loadWorkspaceConfig(dirArg || '.');
+      if (config) {
+        if (Array.isArray(config.targetPacks) && config.targetPacks.length > 0) {
+          // Priority 3: korext.json targetPacks
+          packIds = config.targetPacks;
+          packSource = 'config';
+          if (isText) console.log(`[KOREXT] Using packs from korext.json: ${packIds.join(', ')}`);
+        } else if (config.industry) {
+          // Priority 4: korext.json industry + region
+          const taxonomy = tryBuildTaxonomy();
+          if (taxonomy) {
+            packIds = resolvePacksForIndustryRegion(config.industry, config.region || null, taxonomy);
+            packSource = 'config-industry';
+            if (packIds.length > 0) {
+              if (isText) console.log(`[KOREXT] Resolved ${packIds.length} packs from korext.json industry: ${config.industry}`);
+            } else {
+              if (isText) console.log(chalk.yellow(`[KOREXT] No packs matched industry '${config.industry}' in korext.json. Falling back to 'web'.`));
+              packIds = ['web'];
+            }
+          } else {
+            if (isText) console.log(chalk.yellow('[KOREXT] industry config found but no cached rule definitions. Run korext rules sync. Falling back to web.'));
+            packIds = ['web'];
+          }
+        } else {
+          packIds = ['web'];
+        }
+        // Note: config.exclude is acknowledged but not wired up in this version.
+        // The enforce command uses hardcoded excludes in findFiles() (node_modules, .git, dist, build, .next).
+      } else {
+        packIds = ['web'];
+      }
+    }
+
+    // ── Org policy merge (highest priority: mandated packs always included) ──
+    const orgToken = getToken();
+    if (orgToken && !options.offline) {
+      try {
+        const policyRes = await fetch(`${API_URL}/api/org/policy/packs`, {
+          headers: { Authorization: `Bearer ${orgToken}` },
+        });
+        if (policyRes.ok) {
+          const policyData = await policyRes.json();
+          if (policyData.mandated && policyData.mandated.length > 0) {
+            const before = packIds.length;
+            const mandatedSet = new Set(policyData.mandated);
+            // Add mandated packs that are not already selected
+            for (const mid of policyData.mandated) {
+              if (!packIds.includes(mid)) packIds.push(mid);
+            }
+            if (isText && packIds.length > before) {
+              console.log(chalk.hex('#F27D26')(`[KOREXT] Org policy: ${policyData.mandated.length} mandated pack(s) injected: ${policyData.mandated.join(', ')}`));
+            }
+          }
+        }
+      } catch {
+        // No org, not authenticated, or server error: continue without org policy
+      }
+    }
+
+    const packInput = packIds.join(',');
+    const pack = packIds.length === 1 ? packIds[0] : packIds;
+
     let forceOffline = options.offline;
     let localDefinitions = null;
 
@@ -328,7 +964,8 @@ program
       packIds,
       directory: dir,
       summary: { totalFiles: 0, scannedFiles: 0, skippedFiles: 0, errorFiles: 0, critical: 0, high: 0, medium: 0, low: 0, totalViolations: 0 },
-      results: []
+      results: [],
+      bundles: []
     };
 
     let files;
@@ -387,14 +1024,15 @@ program
             method: 'POST',
             headers: {
               'Content-Type': 'application/json',
-              ...(token && { 'Authorization': `Bearer ${token}` })
+              ...(token && { 'Authorization': `Bearer ${token}` }),
+              ...(options.sovereigntyRegion && { 'X-Korext-Region': options.sovereigntyRegion })
             },
             body: JSON.stringify({
               fileContent,
               language,
-              fileName: file,
+              fileName: path.basename(file),
               packId: pack,
-              requestSignature: false,
+              requestSignature: !!options.sign,
               asyncExplanations: false
             }),
             signal: controller.signal
@@ -415,6 +1053,17 @@ program
 
           fileViolations = result.violations || [];
 
+          // Capture proof bundle if present
+          if (result.proofBundle) {
+            report.bundles.push({
+              file: displayPath,
+              bundleId: result.proofBundle.bundleId,
+              decision: result.proofBundle.decision,
+              signed: !!result.proofBundle.hmacSignature,
+              verifyUrl: `https://app.korext.com/verify/${result.proofBundle.bundleId}`,
+            });
+          }
+
           // Cache rule definitions on first successful server response (opportunistic sync)
           if (!localDefinitions && i === 0) {
             fetchAndCacheRules().catch(() => {});
@@ -468,7 +1117,7 @@ program
     }
 
     if (format === 'json') {
-      console.log(JSON.stringify(report, null, 2));
+      console.log(JSON.stringify({ ...report, bundles: report.bundles }, null, 2));
     } else if (format === 'sarif') {
       // Build SARIF results
       const sarifResults = [];
@@ -497,12 +1146,19 @@ program
         shortDescription: { text: id.replace(/-/g, ' ') }
       }));
 
+      const sarifProperties = {};
+      if (report.bundles.length > 0) {
+        sarifProperties['korext:bundleIds'] = report.bundles.map(b => b.bundleId);
+        sarifProperties['korext:bundleCount'] = report.bundles.length;
+        sarifProperties['korext:bundlesSigned'] = report.bundles.filter(b => b.signed).length;
+      }
       const sarif = {
         version: "2.1.0",
         $schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
         runs: [{
           tool: { driver: { name: "Korext", version, rules } },
-          results: sarifResults
+          results: sarifResults,
+          ...(Object.keys(sarifProperties).length > 0 && { properties: sarifProperties })
         }]
       };
       console.log(JSON.stringify(sarif, null, 2));
@@ -539,6 +1195,18 @@ program
           }
         });
       }
+
+      // Add proof bundle info
+      if (report.bundles.length > 0) {
+        const signedCount = report.bundles.filter(b => b.signed).length;
+        md += `### Proof Bundles\n\n`;
+        md += `**Generated:** ${report.bundles.length} | **Signed:** ${signedCount}\n\n`;
+        md += `| File | Bundle ID | Decision | Signed | Verify |\n| --- | --- | --- | --- | --- |\n`;
+        for (const b of report.bundles) {
+          md += `| \`${b.file || ''}\` | \`${b.bundleId}\` | ${b.decision} | ${b.signed ? 'Yes' : 'No'} | [Verify](${b.verifyUrl}) |\n`;
+        }
+        md += '\n';
+      }
       try {
         fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, md, 'utf-8');
       } catch (e) {
@@ -594,6 +1262,96 @@ rulesCmd
     }
   });
 
+// ─── BUNDLE COMMANDS ─────────────────────────────────────────────────────────
+
+const bundleCmd = program.command('bundle').description('Proof bundle management commands');
+
+bundleCmd
+  .command('list')
+  .description('List your recent proof bundles (requires authentication)')
+  .action(async () => {
+    const token = getToken();
+    if (!token) {
+      console.log(chalk.red('Not authenticated. Run korext login <token> to sign in.'));
+      process.exit(1);
+    }
+
+    const spinner = ora('Fetching proof bundles...').start();
+    try {
+      const res = await fetch(`${API_URL}/api/ide/bundles`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      if (!res.ok) {
+        spinner.fail(chalk.red(`Server returned ${res.status}: ${res.statusText}`));
+        process.exit(1);
+      }
+      const data = await res.json();
+      spinner.stop();
+
+      const bundles = data.bundles || [];
+      if (bundles.length === 0) {
+        console.log(chalk.dim('No proof bundles found. Run korext enforce with --sign to generate bundles.'));
+        return;
+      }
+
+      console.log(chalk.bold.hex('#F27D26')('\n\u25b2 KOREXT PROOF BUNDLES'));
+      console.log(chalk.dim('=======================================\n'));
+
+      for (const b of bundles) {
+        const signedTag = b.isSigned ? chalk.green(' [SIGNED]') : chalk.dim(' [unsigned]');
+        const decisionTag = b.decision === 'PASS' ? chalk.green(b.decision) : (b.decision === 'BLOCK' ? chalk.red(b.decision) : chalk.yellow(b.decision));
+        console.log(`  ${chalk.cyan(b.bundleId)} ${decisionTag}${signedTag}`);
+        console.log(chalk.dim(`    Pack: ${b.policyPackId} | Violations: ${b.violationCount} | ${b.ts}`));
+        console.log(chalk.dim(`    Verify: ${b.verifyUrl}\n`));
+      }
+
+      console.log(chalk.dim(`  Total: ${bundles.length} bundles\n`));
+    } catch (e) {
+      spinner.fail(chalk.red(`Failed: ${e.message}`));
+      process.exit(1);
+    }
+  });
+
+bundleCmd
+  .command('verify <bundleId>')
+  .description('Verify a proof bundle by ID')
+  .action(async (bundleId) => {
+    const spinner = ora('Verifying bundle...').start();
+    try {
+      const res = await fetch(`${API_URL}/api/verify/${bundleId}`);
+      if (!res.ok) {
+        spinner.fail(chalk.red(`Bundle not found or verification failed (${res.status}).`));
+        process.exit(1);
+      }
+      const data = await res.json();
+      spinner.stop();
+
+      console.log(chalk.bold.hex('#F27D26')('\n\u25b2 KOREXT BUNDLE VERIFICATION'));
+      console.log(chalk.dim('=======================================\n'));
+      console.log(`  Bundle ID:   ${chalk.cyan(data.bundleId || bundleId)}`);
+      console.log(`  Decision:    ${data.decision === 'PASS' ? chalk.green(data.decision) : chalk.red(data.decision)}`);
+      console.log(`  Violations:  ${data.violationCount ?? 'N/A'}`);
+      console.log(`  Policy Pack: ${data.policyPackId || data.policy || 'N/A'}`);
+      console.log(`  Signed:      ${data.signatureValid ? chalk.green('Valid') : (data.hmacSignature ? chalk.yellow('Unverified') : chalk.dim('No'))}`);
+      console.log(`  Timestamp:   ${data.ts || 'N/A'}`);
+      console.log('');
+    } catch (e) {
+      spinner.fail(chalk.red(`Failed: ${e.message}`));
+      process.exit(1);
+    }
+  });
+
+bundleCmd
+  .command('open <bundleId>')
+  .description('Open a proof bundle verification page in your browser')
+  .action(async (bundleId) => {
+    const url = `https://app.korext.com/verify/${bundleId}`;
+    console.log(chalk.dim(`Opening ${url}`));
+    const { exec } = await import('child_process');
+    const cmd = process.platform === 'darwin' ? 'open' : (process.platform === 'win32' ? 'start' : 'xdg-open');
+    exec(`${cmd} "${url}"`);
+  });
+
 // ─── POLICY COMMANDS ─────────────────────────────────────────────────────────
 
 const LOCAL_DRAFT_DIR = path.join(process.cwd(), '.korext');
@@ -1289,7 +2047,7 @@ program
               'Content-Type': 'application/json',
               ...(token && { 'Authorization': `Bearer ${token}` })
             },
-            body: JSON.stringify({ fileContent, language, fileName: filePath, packId: pack, requestSignature: false, asyncExplanations: false })
+            body: JSON.stringify({ fileContent, language, fileName: path.basename(filePath), packId: pack, requestSignature: false, asyncExplanations: false })
           });
           if (res.ok) {
             const result = await res.json();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "korext",
-  "version": "0.9.6",
+  "version": "0.9.7",
   "description": "Korext Command Line Interface",
   "type": "module",
   "main": "bin/korext.js",