save checkpoint

docs/features/checked/cli/policy-publish-and-sign-cli.md

@@ -0,0 +1,34 @@
+# Policy Publish and Sign CLI
+
+## Module
+Cli
+
+## Status
+VERIFIED
+
+## Description
+Publish approved policy revisions with optional cryptographic signing using configurable algorithm (ecdsa-sha256, ed25519) and key ID selection.
+
+## Implementation Details
+- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy publish commands
+- **Sign Commands**: `src/Cli/StellaOps.Cli/Commands/SignCommandGroup.cs` -- signing operations
+- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Sign.cs` -- signing handlers
+- **Commands**:
+  - `stella policy publish <file>` -- publish approved policy revision. Options: `--sign`, `--algorithm ecdsa-sha256|ed25519`, `--key-id <id>`
+
+## E2E Test Plan
+- [ ] Run `stella policy publish ./policy.stella` and verify policy published
+- [ ] Run with `--sign --algorithm ecdsa-sha256` and verify DSSE-signed publication
+- [ ] Run with `--sign --algorithm ed25519 --key-id <id>` and verify Ed25519 signing
+- [ ] Verify published policy is retrievable via `stella policy show`
+- [ ] Verify signing key selection with `--key-id`
+- [ ] Verify error when trying to publish unapproved policy
+
+## Verification
+
+- **Verified**: 2026-02-13T15:30:00Z
+- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
+- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
+- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
+- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
+- **Evidence**: `docs/qa/feature-checks/runs/cli/policy-publish-and-sign-cli/run-001/tier2-integration-check.json`