pal-explorer-cli 0.4.12 → 0.4.14

package/lib/commands/revoke.js

@@ -1,50 +1,50 @@
-import chalk from 'chalk';
-import { removeShare, rotateShareKey, removeRecipientFromShare, listShares } from '../core/shares.js';
-
-export default function revokeCommand(program) {
-  program
-    .command('revoke <idOrPath>')
-    .description('revoke access to a shared resource or remove a specific recipient')
-    .option('--pal <palId>', 'Remove a specific pal from the share (triggers key rotation)')
-    .addHelpText('after', `
-Examples:
-  $ pe revoke abc123                Revoke share by ID
-  $ pe revoke ./photos              Revoke share by path
-  $ pe revoke abc123 --pal alice    Remove one recipient (rotates key)
-`)
-    .action(async (idOrPath, opts) => {
-      try {
-        if (opts.pal) {
-          // Remove a specific recipient and rotate keys
-          const shares = listShares();
-          const share = shares.find(s => s.id === idOrPath || s.path === idOrPath);
-          if (!share) {
-            console.error(chalk.red('Share not found.'));
-            process.exitCode = 1;
-            return;
-          }
-
-          removeRecipientFromShare(share.id, opts.pal);
-          console.log(chalk.yellow(`Removed ${opts.pal} from share ${share.id}`));
-
-          if (share.visibility === 'private' && (share.recipients || []).length > 0) {
-            console.log(chalk.blue('Rotating share key and re-encrypting...'));
-            const { newEncryptedShareKeys } = await rotateShareKey(share.id);
-            const remaining = Object.keys(newEncryptedShareKeys).length;
-            console.log(chalk.green(`Key rotated. ${remaining} recipient(s) will need new magnet on next serve.`));
-          }
-          return;
-        }
-
-        // Full revoke
-        const removed = removeShare(idOrPath);
-        if (removed) {
-          console.log(chalk.green(`Successfully revoked share: ${idOrPath}`));
-        } else {
-          console.error(chalk.red('Share not found.'));
-        }
-      } catch (err) {
-        console.error(chalk.red(`Error: ${err.message}`));
-      }
-    });
-}
+import chalk from 'chalk';
+import { removeShare, rotateShareKey, removeRecipientFromShare, listShares } from '../core/shares.js';
+
+export default function revokeCommand(program) {
+  program
+    .command('revoke <idOrPath>')
+    .description('revoke access to a shared resource or remove a specific recipient')
+    .option('--pal <palId>', 'Remove a specific pal from the share (triggers key rotation)')
+    .addHelpText('after', `
+Examples:
+  $ pal revoke abc123                Revoke share by ID
+  $ pal revoke ./photos              Revoke share by path
+  $ pal revoke abc123 --pal alice    Remove one recipient (rotates key)
+`)
+    .action(async (idOrPath, opts) => {
+      try {
+        if (opts.pal) {
+          // Remove a specific recipient and rotate keys
+          const shares = listShares();
+          const share = shares.find(s => s.id === idOrPath || s.path === idOrPath);
+          if (!share) {
+            console.error(chalk.red('Share not found.'));
+            process.exitCode = 1;
+            return;
+          }
+
+          removeRecipientFromShare(share.id, opts.pal);
+          console.log(chalk.yellow(`Removed ${opts.pal} from share ${share.id}`));
+
+          if (share.visibility === 'private' && (share.recipients || []).length > 0) {
+            console.log(chalk.blue('Rotating share key and re-encrypting...'));
+            const { newEncryptedShareKeys } = await rotateShareKey(share.id);
+            const remaining = Object.keys(newEncryptedShareKeys).length;
+            console.log(chalk.green(`Key rotated. ${remaining} recipient(s) will need new magnet on next serve.`));
+          }
+          return;
+        }
+
+        // Full revoke
+        const removed = removeShare(idOrPath);
+        if (removed) {
+          console.log(chalk.green(`Successfully revoked share: ${idOrPath}`));
+        } else {
+          console.error(chalk.red('Share not found.'));
+        }
+      } catch (err) {
+        console.error(chalk.red(`Error: ${err.message}`));
+      }
+    });
+}

package/lib/commands/scanner.js

@@ -1,280 +1,280 @@
-import chalk from 'chalk';
-import fs from 'fs';
-import path from 'path';
-
-const BUILTIN_RULES = [
-  { name: 'SSN', pattern: '\\d{3}-\\d{2}-\\d{4}', severity: 'critical', description: 'Social Security Number' },
-  { name: 'CreditCard', pattern: '4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}', severity: 'critical', description: 'Credit card number (Visa)' },
-  { name: 'CreditCardMC', pattern: '5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}', severity: 'critical', description: 'Credit card number (Mastercard)' },
-  { name: 'APIKey', pattern: '(?:sk_|pk_|api_|key_)[a-zA-Z0-9]{16,}', severity: 'high', description: 'API key' },
-  { name: 'PrivateKey', pattern: '-----BEGIN PRIVATE KEY-----', severity: 'critical', description: 'Private key block' },
-  { name: 'AWSKey', pattern: 'AKIA[0-9A-Z]{16}', severity: 'critical', description: 'AWS access key' },
-  { name: 'Email', pattern: '\\b[\\w.-]+@[\\w.-]+\\.\\w{2,}\\b', severity: 'low', description: 'Email address' },
-];
-
-const SEVERITY_ORDER = { critical: 4, high: 3, medium: 2, low: 1 };
-const SEVERITY_COLORS = {
-  critical: chalk.red,
-  high: chalk.yellow,
-  medium: chalk.cyan,
-  low: chalk.gray,
-};
-
-function classifyFile(maxSeverity) {
-  if (maxSeverity === 'critical') return 'Restricted';
-  if (maxSeverity === 'high') return 'Confidential';
-  if (maxSeverity === 'medium') return 'Internal';
-  return 'Public';
-}
-
-function scanContent(content, rules) {
-  const findings = [];
-  const lines = content.split('\n');
-  for (const rule of rules) {
-    const re = new RegExp(rule.pattern, 'g');
-    for (let i = 0; i < lines.length; i++) {
-      let match;
-      while ((match = re.exec(lines[i])) !== null) {
-        findings.push({
-          rule: rule.name,
-          severity: rule.severity,
-          line: i + 1,
-          match: match[0].length > 40 ? match[0].slice(0, 37) + '...' : match[0],
-        });
-      }
-    }
-  }
-  return findings;
-}
-
-export default function scannerCommand(program) {
-  const cmd = program
-    .command('scanner')
-    .description('content scanning and DLP (Enterprise)')
-    .addHelpText('after', `
-Examples:
-  $ pe scanner scan ./documents              Scan directory for sensitive data
-  $ pe scanner scan ./secrets.txt            Scan a single file
-  $ pe scanner rules                         List active DLP rules
-  $ pe scanner rules --add MyRule "\\d{6}" high  Add a custom rule
-  $ pe scanner rules --remove MyRule         Remove a custom rule
-  $ pe scanner quarantine                    List quarantined files
-  $ pe scanner release <id>                  Release file from quarantine
-`)
-    .action(() => { cmd.outputHelp(); });
-
-  cmd
-    .command('scan <path>')
-    .description('scan a file or directory for sensitive data')
-    .action(async (targetPath) => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const extSettings = extConfig.get('ext.content-scanner') || {};
-        const customRules = extSettings.rules || [];
-        const allRules = [...BUILTIN_RULES, ...customRules];
-
-        const resolved = path.resolve(targetPath);
-        if (!fs.existsSync(resolved)) {
-          console.log(chalk.red(`Path not found: ${resolved}`));
-          process.exitCode = 1;
-          return;
-        }
-
-        const stat = fs.statSync(resolved);
-        const files = [];
-        if (stat.isDirectory()) {
-          const entries = fs.readdirSync(resolved, { recursive: true });
-          for (const entry of entries) {
-            const full = path.join(resolved, entry);
-            try {
-              if (fs.statSync(full).isFile()) files.push(full);
-            } catch { /* skip unreadable */ }
-          }
-        } else {
-          files.push(resolved);
-        }
-
-        if (files.length === 0) {
-          console.log(chalk.gray('No files to scan.'));
-          return;
-        }
-
-        console.log(chalk.cyan(`Scanning ${files.length} file(s)...\n`));
-        let totalFindings = 0;
-        let maxSeverity = 'low';
-
-        for (const file of files) {
-          let content;
-          try {
-            content = fs.readFileSync(file, 'utf8');
-          } catch {
-            continue;
-          }
-
-          const findings = scanContent(content, allRules);
-          if (findings.length === 0) continue;
-
-          totalFindings += findings.length;
-          const rel = path.relative(process.cwd(), file);
-          console.log(`  ${chalk.white(rel)}`);
-
-          for (const f of findings) {
-            const colorFn = SEVERITY_COLORS[f.severity] || chalk.white;
-            console.log(`    Line ${chalk.gray(f.line)}: ${colorFn(`[${f.severity.toUpperCase()}]`)} ${chalk.white(f.rule)} — ${chalk.dim(f.match)}`);
-            if (SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[maxSeverity]) {
-              maxSeverity = f.severity;
-            }
-          }
-          console.log('');
-        }
-
-        if (totalFindings === 0) {
-          console.log(chalk.green('✔ No sensitive data found.'));
-          console.log(`  Classification: ${chalk.green('Public')}`);
-        } else {
-          const classification = classifyFile(maxSeverity);
-          console.log(chalk.gray('─'.repeat(50)));
-          console.log(`  Total findings: ${chalk.white(totalFindings)}`);
-          console.log(`  Classification: ${SEVERITY_COLORS[maxSeverity](classification)}`);
-        }
-      } catch (err) {
-        console.log(chalk.red(`Scan failed: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('rules')
-    .description('list active DLP rules')
-    .option('--add <name>', 'add a custom rule (requires <pattern> <severity> as args)')
-    .option('--remove <name>', 'remove a custom rule')
-    .action(async (opts, command) => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const extSettings = extConfig.get('ext.content-scanner') || {};
-
-        if (opts.remove) {
-          const customRules = extSettings.rules || [];
-          const idx = customRules.findIndex(r => r.name === opts.remove);
-          if (idx === -1) {
-            console.log(chalk.yellow(`Rule not found: ${opts.remove}`));
-            process.exitCode = 1;
-            return;
-          }
-          customRules.splice(idx, 1);
-          extSettings.rules = customRules;
-          extConfig.set('ext.content-scanner', extSettings);
-          console.log(chalk.green(`✔ Rule removed: ${opts.remove}`));
-          return;
-        }
-
-        if (opts.add) {
-          const args = command.args;
-          if (args.length < 2) {
-            console.log(chalk.red('Usage: pe scanner rules --add <name> <pattern> <severity>'));
-            process.exitCode = 1;
-            return;
-          }
-          const pattern = args[0];
-          try {
-            const testRe = new RegExp(pattern);
-            const start = Date.now();
-            'a'.repeat(25).match(testRe);
-            if (Date.now() - start > 100) throw new Error('Pattern too complex');
-          } catch (e) {
-            console.error(chalk.red(`Invalid or unsafe regex pattern: ${e.message}`));
-            process.exitCode = 1;
-            return;
-          }
-          const severity = args[1] || 'medium';
-          if (!['critical', 'high', 'medium', 'low'].includes(severity)) {
-            console.log(chalk.red('Severity must be: critical, high, medium, or low'));
-            process.exitCode = 1;
-            return;
-          }
-          const customRules = extSettings.rules || [];
-          if (customRules.find(r => r.name === opts.add)) {
-            console.log(chalk.yellow(`Rule already exists: ${opts.add}`));
-            process.exitCode = 1;
-            return;
-          }
-          customRules.push({ name: opts.add, pattern, severity, description: `Custom rule: ${opts.add}` });
-          extSettings.rules = customRules;
-          extConfig.set('ext.content-scanner', extSettings);
-          console.log(chalk.green(`✔ Rule added: ${opts.add}`));
-          console.log(`  Pattern: ${chalk.white(pattern)}`);
-          console.log(`  Severity: ${SEVERITY_COLORS[severity](severity)}`);
-          return;
-        }
-
-        // List all rules
-        const customRules = extSettings.rules || [];
-        const allRules = [...BUILTIN_RULES, ...customRules];
-        console.log(chalk.bold(`DLP Rules (${allRules.length})\n`));
-        console.log(chalk.cyan('  Built-in:'));
-        for (const r of BUILTIN_RULES) {
-          const colorFn = SEVERITY_COLORS[r.severity] || chalk.white;
-          console.log(`    ${chalk.white(r.name)} ${colorFn(`[${r.severity}]`)} — ${chalk.dim(r.description)}`);
-        }
-        if (customRules.length > 0) {
-          console.log('');
-          console.log(chalk.cyan('  Custom:'));
-          for (const r of customRules) {
-            const colorFn = SEVERITY_COLORS[r.severity] || chalk.white;
-            console.log(`    ${chalk.white(r.name)} ${colorFn(`[${r.severity}]`)} — ${chalk.dim(r.pattern)}`);
-          }
-        }
-      } catch (err) {
-        console.log(chalk.red(`Rules failed: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('quarantine')
-    .description('list quarantined files')
-    .action(async () => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const store = extConfig.get('ext_store.content-scanner') || {};
-        const quarantined = store.quarantined || [];
-        if (quarantined.length === 0) {
-          console.log(chalk.dim('No quarantined files.'));
-          return;
-        }
-        console.log(chalk.bold(`Quarantined Files (${quarantined.length})\n`));
-        for (const f of quarantined) {
-          const colorFn = SEVERITY_COLORS[f.severity] || chalk.white;
-          console.log(`  ${chalk.white(f.id)} ${colorFn(`[${f.severity}]`)} ${chalk.cyan(f.path)}`);
-          console.log(`    Reason: ${chalk.dim(f.reason || 'DLP violation')}  Quarantined: ${chalk.dim(f.quarantinedAt)}`);
-        }
-      } catch (err) {
-        console.log(chalk.red(`Quarantine list failed: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-
-  cmd
-    .command('release <id>')
-    .description('release a file from quarantine')
-    .action(async (id) => {
-      try {
-        const extConfig = (await import('../utils/config.js')).default;
-        const store = extConfig.get('ext_store.content-scanner') || {};
-        const quarantined = store.quarantined || [];
-        const idx = quarantined.findIndex(f => f.id === id);
-        if (idx === -1) {
-          console.log(chalk.yellow(`Quarantined file not found: ${id}`));
-          process.exitCode = 1;
-          return;
-        }
-        const released = quarantined.splice(idx, 1)[0];
-        store.quarantined = quarantined;
-        extConfig.set('ext_store.content-scanner', store);
-        console.log(chalk.green(`✔ Released from quarantine: ${released.path}`));
-      } catch (err) {
-        console.log(chalk.red(`Release failed: ${err.message}`));
-        process.exitCode = 1;
-      }
-    });
-}
+import chalk from 'chalk';
+import fs from 'fs';
+import path from 'path';
+
+const BUILTIN_RULES = [
+  { name: 'SSN', pattern: '\\d{3}-\\d{2}-\\d{4}', severity: 'critical', description: 'Social Security Number' },
+  { name: 'CreditCard', pattern: '4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}', severity: 'critical', description: 'Credit card number (Visa)' },
+  { name: 'CreditCardMC', pattern: '5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}', severity: 'critical', description: 'Credit card number (Mastercard)' },
+  { name: 'APIKey', pattern: '(?:sk_|pk_|api_|key_)[a-zA-Z0-9]{16,}', severity: 'high', description: 'API key' },
+  { name: 'PrivateKey', pattern: '-----BEGIN PRIVATE KEY-----', severity: 'critical', description: 'Private key block' },
+  { name: 'AWSKey', pattern: 'AKIA[0-9A-Z]{16}', severity: 'critical', description: 'AWS access key' },
+  { name: 'Email', pattern: '\\b[\\w.-]+@[\\w.-]+\\.\\w{2,}\\b', severity: 'low', description: 'Email address' },
+];
+
+const SEVERITY_ORDER = { critical: 4, high: 3, medium: 2, low: 1 };
+const SEVERITY_COLORS = {
+  critical: chalk.red,
+  high: chalk.yellow,
+  medium: chalk.cyan,
+  low: chalk.gray,
+};
+
+function classifyFile(maxSeverity) {
+  if (maxSeverity === 'critical') return 'Restricted';
+  if (maxSeverity === 'high') return 'Confidential';
+  if (maxSeverity === 'medium') return 'Internal';
+  return 'Public';
+}
+
+function scanContent(content, rules) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (const rule of rules) {
+    const re = new RegExp(rule.pattern, 'g');
+    for (let i = 0; i < lines.length; i++) {
+      let match;
+      while ((match = re.exec(lines[i])) !== null) {
+        findings.push({
+          rule: rule.name,
+          severity: rule.severity,
+          line: i + 1,
+          match: match[0].length > 40 ? match[0].slice(0, 37) + '...' : match[0],
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+export default function scannerCommand(program) {
+  const cmd = program
+    .command('scanner')
+    .description('content scanning and DLP (Enterprise)')
+    .addHelpText('after', `
+Examples:
+  $ pal scanner scan ./documents              Scan directory for sensitive data
+  $ pal scanner scan ./secrets.txt            Scan a single file
+  $ pal scanner rules                         List active DLP rules
+  $ pal scanner rules --add MyRule "\\d{6}" high  Add a custom rule
+  $ pal scanner rules --remove MyRule         Remove a custom rule
+  $ pal scanner quarantine                    List quarantined files
+  $ pal scanner release <id>                  Release file from quarantine
+`)
+    .action(() => { cmd.outputHelp(); });
+
+  cmd
+    .command('scan <path>')
+    .description('scan a file or directory for sensitive data')
+    .action(async (targetPath) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const extSettings = extConfig.get('ext.content-scanner') || {};
+        const customRules = extSettings.rules || [];
+        const allRules = [...BUILTIN_RULES, ...customRules];
+
+        const resolved = path.resolve(targetPath);
+        if (!fs.existsSync(resolved)) {
+          console.log(chalk.red(`Path not found: ${resolved}`));
+          process.exitCode = 1;
+          return;
+        }
+
+        const stat = fs.statSync(resolved);
+        const files = [];
+        if (stat.isDirectory()) {
+          const entries = fs.readdirSync(resolved, { recursive: true });
+          for (const entry of entries) {
+            const full = path.join(resolved, entry);
+            try {
+              if (fs.statSync(full).isFile()) files.push(full);
+            } catch { /* skip unreadable */ }
+          }
+        } else {
+          files.push(resolved);
+        }
+
+        if (files.length === 0) {
+          console.log(chalk.gray('No files to scan.'));
+          return;
+        }
+
+        console.log(chalk.cyan(`Scanning ${files.length} file(s)...\n`));
+        let totalFindings = 0;
+        let maxSeverity = 'low';
+
+        for (const file of files) {
+          let content;
+          try {
+            content = fs.readFileSync(file, 'utf8');
+          } catch {
+            continue;
+          }
+
+          const findings = scanContent(content, allRules);
+          if (findings.length === 0) continue;
+
+          totalFindings += findings.length;
+          const rel = path.relative(process.cwd(), file);
+          console.log(`  ${chalk.white(rel)}`);
+
+          for (const f of findings) {
+            const colorFn = SEVERITY_COLORS[f.severity] || chalk.white;
+            console.log(`    Line ${chalk.gray(f.line)}: ${colorFn(`[${f.severity.toUpperCase()}]`)} ${chalk.white(f.rule)} — ${chalk.dim(f.match)}`);
+            if (SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[maxSeverity]) {
+              maxSeverity = f.severity;
+            }
+          }
+          console.log('');
+        }
+
+        if (totalFindings === 0) {
+          console.log(chalk.green('✔ No sensitive data found.'));
+          console.log(`  Classification: ${chalk.green('Public')}`);
+        } else {
+          const classification = classifyFile(maxSeverity);
+          console.log(chalk.gray('─'.repeat(50)));
+          console.log(`  Total findings: ${chalk.white(totalFindings)}`);
+          console.log(`  Classification: ${SEVERITY_COLORS[maxSeverity](classification)}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Scan failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('rules')
+    .description('list active DLP rules')
+    .option('--add <name>', 'add a custom rule (requires <pattern> <severity> as args)')
+    .option('--remove <name>', 'remove a custom rule')
+    .action(async (opts, command) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const extSettings = extConfig.get('ext.content-scanner') || {};
+
+        if (opts.remove) {
+          const customRules = extSettings.rules || [];
+          const idx = customRules.findIndex(r => r.name === opts.remove);
+          if (idx === -1) {
+            console.log(chalk.yellow(`Rule not found: ${opts.remove}`));
+            process.exitCode = 1;
+            return;
+          }
+          customRules.splice(idx, 1);
+          extSettings.rules = customRules;
+          extConfig.set('ext.content-scanner', extSettings);
+          console.log(chalk.green(`✔ Rule removed: ${opts.remove}`));
+          return;
+        }
+
+        if (opts.add) {
+          const args = command.args;
+          if (args.length < 2) {
+            console.log(chalk.red('Usage: pal scanner rules --add <name> <pattern> <severity>'));
+            process.exitCode = 1;
+            return;
+          }
+          const pattern = args[0];
+          try {
+            const testRe = new RegExp(pattern);
+            const start = Date.now();
+            'a'.repeat(25).match(testRe);
+            if (Date.now() - start > 100) throw new Error('Pattern too complex');
+          } catch (e) {
+            console.error(chalk.red(`Invalid or unsafe regex pattern: ${e.message}`));
+            process.exitCode = 1;
+            return;
+          }
+          const severity = args[1] || 'medium';
+          if (!['critical', 'high', 'medium', 'low'].includes(severity)) {
+            console.log(chalk.red('Severity must be: critical, high, medium, or low'));
+            process.exitCode = 1;
+            return;
+          }
+          const customRules = extSettings.rules || [];
+          if (customRules.find(r => r.name === opts.add)) {
+            console.log(chalk.yellow(`Rule already exists: ${opts.add}`));
+            process.exitCode = 1;
+            return;
+          }
+          customRules.push({ name: opts.add, pattern, severity, description: `Custom rule: ${opts.add}` });
+          extSettings.rules = customRules;
+          extConfig.set('ext.content-scanner', extSettings);
+          console.log(chalk.green(`✔ Rule added: ${opts.add}`));
+          console.log(`  Pattern: ${chalk.white(pattern)}`);
+          console.log(`  Severity: ${SEVERITY_COLORS[severity](severity)}`);
+          return;
+        }
+
+        // List all rules
+        const customRules = extSettings.rules || [];
+        const allRules = [...BUILTIN_RULES, ...customRules];
+        console.log(chalk.bold(`DLP Rules (${allRules.length})\n`));
+        console.log(chalk.cyan('  Built-in:'));
+        for (const r of BUILTIN_RULES) {
+          const colorFn = SEVERITY_COLORS[r.severity] || chalk.white;
+          console.log(`    ${chalk.white(r.name)} ${colorFn(`[${r.severity}]`)} — ${chalk.dim(r.description)}`);
+        }
+        if (customRules.length > 0) {
+          console.log('');
+          console.log(chalk.cyan('  Custom:'));
+          for (const r of customRules) {
+            const colorFn = SEVERITY_COLORS[r.severity] || chalk.white;
+            console.log(`    ${chalk.white(r.name)} ${colorFn(`[${r.severity}]`)} — ${chalk.dim(r.pattern)}`);
+          }
+        }
+      } catch (err) {
+        console.log(chalk.red(`Rules failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('quarantine')
+    .description('list quarantined files')
+    .action(async () => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const store = extConfig.get('ext_store.content-scanner') || {};
+        const quarantined = store.quarantined || [];
+        if (quarantined.length === 0) {
+          console.log(chalk.dim('No quarantined files.'));
+          return;
+        }
+        console.log(chalk.bold(`Quarantined Files (${quarantined.length})\n`));
+        for (const f of quarantined) {
+          const colorFn = SEVERITY_COLORS[f.severity] || chalk.white;
+          console.log(`  ${chalk.white(f.id)} ${colorFn(`[${f.severity}]`)} ${chalk.cyan(f.path)}`);
+          console.log(`    Reason: ${chalk.dim(f.reason || 'DLP violation')}  Quarantined: ${chalk.dim(f.quarantinedAt)}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Quarantine list failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('release <id>')
+    .description('release a file from quarantine')
+    .action(async (id) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const store = extConfig.get('ext_store.content-scanner') || {};
+        const quarantined = store.quarantined || [];
+        const idx = quarantined.findIndex(f => f.id === id);
+        if (idx === -1) {
+          console.log(chalk.yellow(`Quarantined file not found: ${id}`));
+          process.exitCode = 1;
+          return;
+        }
+        const released = quarantined.splice(idx, 1)[0];
+        store.quarantined = quarantined;
+        extConfig.set('ext_store.content-scanner', store);
+        console.log(chalk.green(`✔ Released from quarantine: ${released.path}`));
+      } catch (err) {
+        console.log(chalk.red(`Release failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}