refactor(cli): deepen the command layer — retention sweep + relocate policy prompt

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Internal refactors with no API change: consolidated the six retention-sweep CLI commands (`purge-secrets`, `purge-transit-keys`, `purge-tokenization-keys`, `clean-expired-tokens`, `clean-audit-logs`, `purge-auth-tokens`) behind a single `RunRetentionSweep` module, and relocated the interactive policy-prompt helpers from `internal/ui` into the CLI commands package (#141).
+
+### Fixed
+
+- `clean-audit-logs` now records operation metrics like the other retention-sweep commands; audit-log cleanup was previously unmetered (#141).
+
 ## [0.29.0] - 2026-05-27
 
 ### Removed

CONTEXT.md

@@ -132,3 +132,28 @@ inside a `database.TxManager` transaction propagated via `context.Context`
 (per [ADR-0005](docs/adr/0005-context-based-transaction-management.md)).
 `Keyring.Encrypt` and `Keyring.AllocateDek` join the caller's transaction
 when one is present.
+
+## Operations
+
+### Retention sweep
+The age-based deletion shared by six CLI commands (`purge-secrets`,
+`purge-transit-keys`, `purge-tokenization-keys`, `clean-expired-tokens`,
+`clean-audit-logs`, `purge-auth-tokens`). Each deletes rows older than a
+`--days` threshold. The umbrella term covers both the soft-delete *purges*
+and the expiry-based *cleans*; use "retention sweep" for the shared concept
+and keep the per-command verb (`purge` / `clean`) in user-facing text.
+
+A single deep module, `RunRetentionSweep` in `cmd/app/commands`, owns the
+shape: validate `days` → log → `metrics.Track(module, op)` → run the
+feature's sweep func (dry-run aware where supported) → format output as
+text or JSON. Each command supplies a `SweepSpec`:
+
+- `Verb` / `Subject` — the wording for output (e.g. `purge` /
+  `"expired/revoked authentication token(s)"`).
+- `MetricModule` / `MetricOp` — the `metrics.Track` labels.
+- `SupportsDryRun` — `false` only for the auth-token sweep, whose
+  `TokenUseCase.PurgeExpiredAndRevoked` takes no `dryRun`; the module then
+  emits a "dry-run not supported" notice and deletes nothing.
+- `Sweep` — a closure adapting the feature usecase's sweep method
+  (`PurgeDeleted`, `CleanupExpired`, `DeleteOlderThan`,
+  `PurgeExpiredAndRevoked`), which have no shared interface.

cmd/app/auth_commands.go

@@ -49,9 +49,19 @@ func getAuthCommands() []*cli.Command {
 							return err
 						}
 
-						return commands.RunPurgeAuthTokens(
+						return commands.RunRetentionSweep(
 							ctx,
-							tokenUseCase,
+							commands.SweepSpec{
+								Verb:           "purge",
+								VerbPast:       "purged",
+								Subject:        "expired/revoked authentication token(s)",
+								MetricModule:   "auth",
+								MetricOp:       "token_purge",
+								SupportsDryRun: false,
+								Sweep: func(c context.Context, days int, _ bool) (int64, error) {
+									return tokenUseCase.PurgeExpiredAndRevoked(c, days)
+								},
+							},
 							bm,
 							container.Logger(),
 							commands.DefaultIO().Writer,
@@ -99,9 +109,19 @@ func getAuthCommands() []*cli.Command {
 							return err
 						}
 
-						return commands.RunCleanExpiredTokens(
+						return commands.RunRetentionSweep(
 							ctx,
-							tokenizationUseCase,
+							commands.SweepSpec{
+								Verb:           "delete",
+								VerbPast:       "deleted",
+								Subject:        "expired token(s)",
+								MetricModule:   "tokenization",
+								MetricOp:       "tokenize_cleanup_expired",
+								SupportsDryRun: true,
+								Sweep: func(c context.Context, days int, dryRun bool) (int64, error) {
+									return tokenizationUseCase.CleanupExpired(c, days, dryRun)
+								},
+							},
 							bm,
 							container.Logger(),
 							commands.DefaultIO().Writer,