# Policy Publish and Sign CLI

## Module
Cli

## Status
VERIFIED

## Description
Publish approved policy revisions with optional cryptographic signing using configurable algorithm (ecdsa-sha256, ed25519) and key ID selection.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy publish commands
- **Sign Commands**: `src/Cli/StellaOps.Cli/Commands/SignCommandGroup.cs` -- signing operations
- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Sign.cs` -- signing handlers
- **Commands**:
  - `stella policy publish <file>` -- publish approved policy revision. Options: `--sign`, `--algorithm ecdsa-sha256|ed25519`, `--key-id <id>`

## E2E Test Plan
- [ ] Run `stella policy publish ./policy.stella` and verify policy published
- [ ] Run with `--sign --algorithm ecdsa-sha256` and verify DSSE-signed publication
- [ ] Run with `--sign --algorithm ed25519 --key-id <id>` and verify Ed25519 signing
- [ ] Verify published policy is retrievable via `stella policy show`
- [ ] Verify signing key selection with `--key-id`
- [ ] Verify error when trying to publish unapproved policy

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/policy-publish-and-sign-cli/run-001/tier2-integration-check.json`