feat(cli): Add interactive review for prune plans (#3421)

## Branch Summary

  Branch: prune-plan-review

  ### What Changed

  - Added interactive review support for prune plans.
  - Renamed migration interactive review files for clarity:
      - interactive_review.go -> migration_review.go
      - interactive_review_test.go -> migration_review_test.go
  - Added prune review flow in prune_review.go.
  - Added shared policy formatting helpers in policy_formatting.go.
- Added prune plan item interfaces and helper methods in prune_plan.go.
  - Added TargetRef.String() and PruneStatusReason.String() formatting.
- Updated prune planner behavior to use prune status reason messages
consistently.
  - Moved shared formatting helpers out of summary.go:
      - appendDetails
      - strconvQuote

  ### Interactive Prune Review Behavior

  The prune review flow now prompts for unresolved prune items across:

  - actions
  - subject condition sets
  - subject mappings
  - registered resources
  - obligation triggers

  For each unresolved item, the user can:

  - delete the source object
  - skip and leave it unresolved
  - abort the review

  Choosing delete now clears the prune reason.

  ### Formatting

  Added reusable formatting for policy-related prompt details:

  - action name lists
  - registered resource values and action bindings
  - obligation labels
  - request contexts
  - target refs

  Target refs now render as structured fields, including empty values:

  id="target-1" (namespace="https://example.com")
  id="" (namespace="")

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

* **New Features**
* Added interactive review functionality for namespace policy prune
plans, enabling users to review, approve, skip, or abort individual
migration items with detailed context and reasoning.

* **Refactor**
* Improved formatting and display of policy structures, including better
human-readable summaries for actions, resources, and obligations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: c-r33d

…s/namespacedpolicy/interactive_review.go …ons/namespacedpolicy/migration_review.gootdfctl/migrations/namespacedpolicy/interactive_review.go renamed to otdfctl/migrations/namespacedpolicy/migration_review.go otdfctl/migrations/namespacedpolicy/interactive_review.go renamed to otdfctl/migrations/namespacedpolicy/migration_review.go

@@ -0,0 +1,137 @@
+package namespacedpolicy
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/opentdf/platform/protocol/go/policy"
+)
+
+func plainPolicyActionNamesSummary(actions []*policy.Action) string {
+	names := make([]string, 0, len(actions))
+	seen := make(map[string]struct{}, len(actions))
+	for _, action := range actions {
+		if action == nil {
+			continue
+		}
+		name := actionLabel(action)
+		if strings.TrimSpace(name) == "" || name == unknownLabel {
+			continue
+		}
+		if _, ok := seen[name]; ok {
+			continue
+		}
+		seen[name] = struct{}{}
+		names = append(names, strconvQuote(name))
+	}
+	return plainListSummary(names)
+}
+
+func plainRegisteredResourceSourceSummary(resource *policy.RegisteredResource) string {
+	return appendDetails(
+		"values="+plainRegisteredResourceValuesSummary(resource),
+		"action_bindings="+plainRegisteredResourceActionAttributeValuesSummary(resource),
+	)
+}
+
+func appendDetails(line string, details ...string) string {
+	filtered := make([]string, 0, len(details))
+	for _, detail := range details {
+		if strings.TrimSpace(detail) != "" {
+			filtered = append(filtered, detail)
+		}
+	}
+	if len(filtered) == 0 {
+		return line
+	}
+	return fmt.Sprintf("%s (%s)", line, strings.Join(filtered, ", "))
+}
+
+func strconvQuote(value string) string {
+	return fmt.Sprintf("%q", value)
+}
+
+func plainRegisteredResourceValuesSummary(resource *policy.RegisteredResource) string {
+	values := make([]string, 0, len(resource.GetValues()))
+	seen := make(map[string]struct{}, len(resource.GetValues()))
+	for _, value := range resource.GetValues() {
+		if value == nil {
+			continue
+		}
+		label := strings.TrimSpace(value.GetValue())
+		if label == "" {
+			label = strings.TrimSpace(value.GetId())
+		}
+		if label == "" {
+			continue
+		}
+		if _, ok := seen[label]; ok {
+			continue
+		}
+		seen[label] = struct{}{}
+		values = append(values, strconvQuote(label))
+	}
+	return plainListSummary(values)
+}
+
+func plainRegisteredResourceActionAttributeValuesSummary(resource *policy.RegisteredResource) string {
+	bindings := make([]string, 0)
+	seen := make(map[string]struct{})
+	for _, value := range resource.GetValues() {
+		if value == nil {
+			continue
+		}
+		for _, binding := range value.GetActionAttributeValues() {
+			if binding == nil {
+				continue
+			}
+			label := fmt.Sprintf("%s -> %s", strconvQuote(actionLabel(binding.GetAction())), valueFQN(binding.GetAttributeValue()))
+			if _, ok := seen[label]; ok {
+				continue
+			}
+			seen[label] = struct{}{}
+			bindings = append(bindings, label)
+		}
+	}
+	return plainListSummary(bindings)
+}
+
+func obligationLabel(obligation *policy.Obligation) string {
+	if obligation == nil {
+		return noneLabel
+	}
+	if fqn := strings.TrimSpace(obligation.GetFqn()); fqn != "" {
+		return fqn
+	}
+	if name := strings.TrimSpace(obligation.GetName()); name != "" {
+		return name
+	}
+	if id := strings.TrimSpace(obligation.GetId()); id != "" {
+		return id
+	}
+	return noneLabel
+}
+
+func plainRequestContextsSummary(contexts []*policy.RequestContext) string {
+	clientIDs := make([]string, 0, len(contexts))
+	seen := make(map[string]struct{}, len(contexts))
+	for _, requestContext := range contexts {
+		clientID := strings.TrimSpace(requestContext.GetPep().GetClientId())
+		if clientID == "" {
+			continue
+		}
+		if _, ok := seen[clientID]; ok {
+			continue
+		}
+		seen[clientID] = struct{}{}
+		clientIDs = append(clientIDs, "client_id="+strconvQuote(clientID))
+	}
+	return plainListSummary(clientIDs)
+}
+
+func plainListSummary(items []string) string {
+	if len(items) == 0 {
+		return noneLabel
+	}
+	return strings.Join(items, ", ")
+}

…espacedpolicy/interactive_review_test.go …amespacedpolicy/migration_review_test.gootdfctl/migrations/namespacedpolicy/interactive_review_test.go renamed to otdfctl/migrations/namespacedpolicy/migration_review_test.go otdfctl/migrations/namespacedpolicy/interactive_review_test.go renamed to otdfctl/migrations/namespacedpolicy/migration_review_test.go

@@ -0,0 +1,176 @@
+package namespacedpolicy
+
+import (
+	"testing"
+
+	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPlainPolicyActionNamesSummary(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		actions []*policy.Action
+		want    string
+	}{
+		{name: "empty", want: noneLabel},
+		{
+			name: "skips nil and deduplicates labels",
+			actions: []*policy.Action{
+				nil,
+				{Id: "action-1", Name: "read"},
+				{Id: "action-2", Name: "write"},
+				{Id: "action-3", Name: "read"},
+			},
+			want: `"read", "write"`,
+		},
+		{
+			name: "falls back to id",
+			actions: []*policy.Action{
+				{Id: "action-1"},
+			},
+			want: `"action-1"`,
+		},
+		{
+			name: "ignores empty labels",
+			actions: []*policy.Action{
+				{},
+			},
+			want: noneLabel,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tc.want, plainPolicyActionNamesSummary(tc.actions))
+		})
+	}
+}
+
+func TestPlainRegisteredResourceSourceSummary(t *testing.T) {
+	t.Parallel()
+
+	secretValue := testAttributeValue("https://example.com/attr/classification/value/secret", testNamespace("https://example.com"))
+
+	tests := []struct {
+		name     string
+		resource *policy.RegisteredResource
+		want     string
+	}{
+		{name: "nil", want: "values=(none) (action_bindings=(none))"},
+		{
+			name:     "empty values",
+			resource: &policy.RegisteredResource{},
+			want:     "values=(none) (action_bindings=(none))",
+		},
+		{
+			name: "deduplicates values and bindings",
+			resource: testRegisteredResource(
+				"resource-1",
+				"dataset",
+				testRegisteredResourceValue("prod", testActionAttributeValue("action-1", "read", secretValue)),
+				testRegisteredResourceValue("prod", testActionAttributeValue("action-1", "read", secretValue)),
+				testRegisteredResourceValue("dev", testActionAttributeValue("action-2", "write", secretValue)),
+			),
+			want: `values="prod", "dev" (action_bindings="read" -> https://example.com/attr/classification/value/secret, "write" -> https://example.com/attr/classification/value/secret)`,
+		},
+		{
+			name: "value falls back to id",
+			resource: testRegisteredResource(
+				"resource-1",
+				"dataset",
+				&policy.RegisteredResourceValue{Id: "value-1"},
+			),
+			want: `values="value-1" (action_bindings=(none))`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tc.want, plainRegisteredResourceSourceSummary(tc.resource))
+		})
+	}
+}
+
+func TestObligationLabel(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name       string
+		obligation *policy.Obligation
+		want       string
+	}{
+		{name: "nil", want: noneLabel},
+		{
+			name: "uses fqn first",
+			obligation: &policy.Obligation{
+				Id:   "obligation-1",
+				Name: "watermark",
+				Fqn:  "https://example.com/obl/watermark",
+			},
+			want: "https://example.com/obl/watermark",
+		},
+		{
+			name: "falls back to name",
+			obligation: &policy.Obligation{
+				Id:   "obligation-1",
+				Name: "watermark",
+			},
+			want: "watermark",
+		},
+		{
+			name: "falls back to id",
+			obligation: &policy.Obligation{
+				Id: "obligation-1",
+			},
+			want: "obligation-1",
+		},
+		{
+			name:       "empty",
+			obligation: &policy.Obligation{},
+			want:       noneLabel,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tc.want, obligationLabel(tc.obligation))
+		})
+	}
+}
+
+func TestPlainRequestContextsSummary(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		contexts []*policy.RequestContext
+		want     string
+	}{
+		{name: "empty", want: noneLabel},
+		{
+			name: "skips empty and deduplicates client ids",
+			contexts: []*policy.RequestContext{
+				nil,
+				{},
+				{Pep: &policy.PolicyEnforcementPoint{}},
+				{Pep: &policy.PolicyEnforcementPoint{ClientId: "tdf-client"}},
+				{Pep: &policy.PolicyEnforcementPoint{ClientId: "tdf-client"}},
+				{Pep: &policy.PolicyEnforcementPoint{ClientId: "admin-client"}},
+			},
+			want: `client_id="tdf-client", client_id="admin-client"`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tc.want, plainRequestContextsSummary(tc.contexts))
+		})
+	}
+}