# Policy Publish and Sign CLI

## Module
Cli

## Status
IMPLEMENTED

## Description
Publish approved policy revisions with optional cryptographic signing using configurable algorithm (ecdsa-sha256, ed25519) and key ID selection.

## Implementation Details
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/PolicyCommandGroup.cs` -- policy publish commands
- **Sign Commands**: `src/Cli/StellaOps.Cli/Commands/SignCommandGroup.cs` -- signing operations
- **Command Handlers**: `src/Cli/StellaOps.Cli/Commands/CommandHandlers.Sign.cs` -- signing handlers
- **Commands**:
  - `stella policy publish <file>` -- publish approved policy revision. Options: `--sign`, `--algorithm ecdsa-sha256|ed25519`, `--key-id <id>`

## E2E Test Plan
- [ ] Run `stella policy publish ./policy.stella` and verify policy published
- [ ] Run with `--sign --algorithm ecdsa-sha256` and verify DSSE-signed publication
- [ ] Run with `--sign --algorithm ed25519 --key-id <id>` and verify Ed25519 signing
- [ ] Verify published policy is retrievable via `stella policy show`
- [ ] Verify signing key selection with `--key-id`
- [ ] Verify error when trying to publish unapproved policy