@ai-dossier/cli 0.2.1

package/bin/dossier-verify

@@ -0,0 +1,435 @@
+#!/usr/bin/env node
+
+/**
+ * Dossier Verification CLI
+ *
+ * Enforces security verification of dossier files before execution.
+ * Provides command-line interface for checksum and signature validation.
+ *
+ * Usage:
+ *   dossier-verify <file-or-url>
+ *   dossier-verify --run <file-or-url>
+ *   dossier-verify --verbose <file-or-url>
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const https = require('https');
+const http = require('http');
+const { execSync } = require('child_process');
+const {
+  parseDossierContent,
+  verifyIntegrity,
+  loadTrustedKeys,
+  verifySignature
+} = require('@ai-dossier/core');
+const { convertGitHubBlobToRaw } = require('../dist/github-url');
+
+// Colors for terminal output
+const colors = {
+  reset: '\x1b[0m',
+  bright: '\x1b[1m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m',
+};
+
+function log(message, color = 'reset') {
+  console.log(`${colors[color]}${message}${colors.reset}`);
+}
+
+function error(message) {
+  log(`❌ ${message}`, 'red');
+}
+
+function success(message) {
+  log(`✅ ${message}`, 'green');
+}
+
+function warning(message) {
+  log(`⚠️  ${message}`, 'yellow');
+}
+
+function info(message) {
+  log(`ℹ️  ${message}`, 'cyan');
+}
+
+// Parse command line arguments
+function parseArgs() {
+  const args = process.argv.slice(2);
+  const options = {
+    verbose: false,
+    run: false,
+    outputPath: false,
+    help: false,
+    input: null,
+  };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === '--verbose' || arg === '-v') {
+      options.verbose = true;
+    } else if (arg === '--run') {
+      options.run = true;
+    } else if (arg === '--output-path') {
+      options.outputPath = true;
+    } else if (arg === '--help' || arg === '-h') {
+      options.help = true;
+    } else if (!options.input) {
+      options.input = arg;
+    }
+  }
+
+  return options;
+}
+
+function showHelp() {
+  console.log(`
+${colors.bright}Dossier Verification CLI${colors.reset}
+
+${colors.bright}Usage:${colors.reset}
+  dossier-verify <file-or-url>              Verify dossier security
+  dossier-verify --run <file-or-url>        Verify and execute if safe
+  dossier-verify --verbose <file-or-url>    Show detailed verification
+  dossier-verify --output-path <url>        Download and output path
+  dossier-verify --help                     Show this help
+
+${colors.bright}Exit Codes:${colors.reset}
+  0 - Verification passed (safe to execute)
+  1 - Verification failed (do not execute)
+  2 - Error occurred (cannot verify)
+
+${colors.bright}Examples:${colors.reset}
+  # Verify local file
+  dossier-verify path/to/dossier.ds.md
+
+  # Verify remote dossier
+  dossier-verify https://example.com/dossier.ds.md
+
+  # Verify and run if safe
+  dossier-verify --run https://example.com/dossier.ds.md
+
+  # Use in shell script
+  if dossier-verify "$URL"; then
+    claude-code "run $URL"
+  else
+    echo "Security verification failed"
+  fi
+
+${colors.bright}Security Checks:${colors.reset}
+  ✓ SHA256 checksum verification (required)
+  ✓ Signature verification (if present)
+  ✓ Trusted keys check
+  ✓ Risk level assessment
+
+${colors.bright}More Information:${colors.reset}
+  Documentation: https://github.com/imboard/ai-dossier
+  Security: SECURITY_STATUS.md
+  Protocol: PROTOCOL.md
+`);
+}
+
+// Download file from URL
+async function downloadFile(url) {
+  // Convert GitHub blob URLs to raw URLs
+  const resolvedUrl = convertGitHubBlobToRaw(url);
+
+  return new Promise((resolve, reject) => {
+    const protocol = resolvedUrl.startsWith('https://') ? https : http;
+
+    protocol.get(resolvedUrl, (res) => {
+      if (res.statusCode === 301 || res.statusCode === 302) {
+        // Follow redirect
+        return downloadFile(res.headers.location).then(resolve).catch(reject);
+      }
+
+      if (res.statusCode !== 200) {
+        return reject(new Error(`HTTP ${res.statusCode}: ${res.statusMessage}`));
+      }
+
+      let data = '';
+      res.on('data', (chunk) => { data += chunk; });
+      res.on('end', () => resolve(data));
+    }).on('error', reject);
+  });
+}
+
+// Parse dossier frontmatter (using @ai-dossier/core)
+function parseDossier(content) {
+  const parsed = parseDossierContent(content);
+  return {
+    frontmatter: parsed.frontmatter,
+    body: parsed.body
+  };
+}
+
+// Verify checksum (using @ai-dossier/core)
+function verifyChecksum(body, declaredHash) {
+  const result = verifyIntegrity(body, declaredHash);
+  return {
+    passed: result.status === 'valid',
+    declared: result.expectedHash,
+    actual: result.actualHash,
+  };
+}
+
+// Verify signature (using @ai-dossier/core for real cryptographic verification)
+async function checkSignature(body, frontmatter) {
+  if (!frontmatter.signature) {
+    return {
+      present: false,
+      verified: false,
+      trusted: false,
+      message: 'No signature present',
+    };
+  }
+
+  const signature = frontmatter.signature;
+  const trustedKeys = loadTrustedKeys();
+  // Check both key_id and public_key for trusted status
+  // key_id is easier to manage in trusted-keys.txt file
+  const isTrusted = trustedKeys.has(signature.key_id) || trustedKeys.has(signature.public_key);
+
+  try {
+    const isValid = await verifySignature(body, signature);
+
+    if (!isValid) {
+      return {
+        present: true,
+        verified: false,
+        trusted: isTrusted,
+        message: 'Signature verification FAILED',
+      };
+    }
+
+    return {
+      present: true,
+      verified: true,
+      trusted: isTrusted,
+      message: isTrusted
+        ? `Verified signature from trusted source: ${trustedKeys.get(signature.key_id) || trustedKeys.get(signature.public_key)}`
+        : 'Valid signature but key is not in trusted list',
+    };
+  } catch (err) {
+    return {
+      present: true,
+      verified: false,
+      trusted: false,
+      message: `Verification error: ${err.message}`,
+    };
+  }
+}
+
+// Assess risk
+function assessRisk(frontmatter, checksumResult, signatureResult) {
+  const issues = [];
+  let riskLevel = 'low';
+  let shouldBlock = false;
+
+  // Checksum failure is critical
+  if (!checksumResult.passed) {
+    issues.push('Checksum verification FAILED - content has been tampered with');
+    riskLevel = 'critical';
+    shouldBlock = true;
+  }
+
+  // Signature issues
+  if (signatureResult.present && !signatureResult.verified) {
+    issues.push('Signature verification FAILED or could not be verified');
+    if (riskLevel !== 'critical') riskLevel = 'high';
+    shouldBlock = true;
+  }
+
+  // Valid signature but not trusted - BLOCK execution
+  if (signatureResult.present && signatureResult.verified && !signatureResult.trusted) {
+    issues.push('Signature is valid but signer is not in your trusted keys list');
+    issues.push('Add the public key to ~/.dossier/trusted-keys.txt to trust this signer');
+    if (riskLevel === 'low') riskLevel = 'medium';
+    shouldBlock = true;
+  }
+
+  // No signature on high-risk dossier
+  if (!signatureResult.present && frontmatter.risk_level === 'high') {
+    issues.push('High-risk dossier without signature');
+    if (riskLevel === 'low') riskLevel = 'medium';
+  }
+
+  if (!signatureResult.present && frontmatter.risk_level === 'critical') {
+    issues.push('Critical-risk dossier without signature');
+    if (riskLevel !== 'critical') riskLevel = 'high';
+  }
+
+  return {
+    level: riskLevel,
+    issues,
+    recommendation: shouldBlock ? 'BLOCK' : 'ALLOW',
+  };
+}
+
+// Main verification function
+async function verifyDossier(input, options) {
+  try {
+    log(`\n${colors.bright}🔐 Dossier Verification Tool${colors.reset}\n`);
+
+    // Determine if input is URL or file
+    const isUrl = input.startsWith('http://') || input.startsWith('https://');
+    let content;
+    let displayPath = input;
+
+    if (isUrl) {
+      info(`Downloading: ${input}`);
+      content = await downloadFile(input);
+      success('Downloaded successfully');
+    } else {
+      info(`Reading: ${input}`);
+      content = fs.readFileSync(input, 'utf8');
+      displayPath = path.resolve(input);
+      success('File read successfully');
+    }
+
+    // Parse dossier
+    info('Parsing dossier...');
+    const { frontmatter, body } = parseDossier(content);
+    success(`Parsed: ${frontmatter.title} v${frontmatter.version}`);
+
+    if (options.verbose) {
+      console.log(`\n${colors.bright}Dossier Metadata:${colors.reset}`);
+      console.log(`  Title: ${frontmatter.title}`);
+      console.log(`  Version: ${frontmatter.version}`);
+      console.log(`  Risk Level: ${frontmatter.risk_level}`);
+      console.log(`  Protocol: ${frontmatter.protocol_version}`);
+    }
+
+    // Verify checksum
+    console.log(`\n${colors.bright}📊 Integrity Check:${colors.reset}`);
+    const checksumResult = verifyChecksum(body, frontmatter.checksum?.hash);
+
+    if (checksumResult.passed) {
+      success('Checksum VALID - content has not been tampered with');
+      if (options.verbose) {
+        console.log(`   Hash: ${checksumResult.actual}`);
+      }
+    } else {
+      error('Checksum INVALID - content has been modified!');
+      if (options.verbose) {
+        console.log(`   Declared: ${checksumResult.declared}`);
+        console.log(`   Actual:   ${checksumResult.actual}`);
+      }
+    }
+
+    // Verify signature
+    console.log(`\n${colors.bright}🔏 Authenticity Check:${colors.reset}`);
+    const signatureResult = await checkSignature(body, frontmatter);
+
+    if (signatureResult.present) {
+      if (signatureResult.verified && signatureResult.trusted) {
+        success('Signature VERIFIED - from trusted author');
+      } else if (signatureResult.verified && !signatureResult.trusted) {
+        warning(signatureResult.message);
+        if (frontmatter.signature?.signed_by) {
+          console.log(`   Signed by: ${frontmatter.signature.signed_by}`);
+        }
+        console.log(`\n   ${colors.cyan}To trust this signer, run:${colors.reset}`);
+        const publicKey = frontmatter.signature.public_key || frontmatter.signature.key_id;
+        const identifier = frontmatter.signature.signed_by
+          ? frontmatter.signature.signed_by.split('<')[0].trim().toLowerCase().replace(/\s+/g, '-')
+          : 'unknown-signer';
+        console.log(`   ${colors.bright}dossier keys add "${publicKey}" "${identifier}"${colors.reset}\n`);
+      } else {
+        warning(signatureResult.message);
+        if (frontmatter.signature?.signed_by) {
+          console.log(`   Signed by: ${frontmatter.signature.signed_by}`);
+        }
+      }
+    } else {
+      warning('No signature present (dossier is unsigned)');
+    }
+
+    // Assess risk
+    console.log(`\n${colors.bright}🔴 Risk Assessment:${colors.reset}`);
+    const risk = assessRisk(frontmatter, checksumResult, signatureResult);
+
+    const riskColors = {
+      low: 'green',
+      medium: 'yellow',
+      high: 'yellow',
+      critical: 'red',
+    };
+
+    log(`   Risk Level: ${risk.level.toUpperCase()}`, riskColors[risk.level]);
+
+    if (risk.issues.length > 0) {
+      console.log(`\n   Issues Found:`);
+      risk.issues.forEach(issue => {
+        console.log(`   - ${issue}`);
+      });
+    }
+
+    // Recommendation
+    console.log(`\n${colors.bright}Recommendation:${colors.reset}`, risk.recommendation);
+
+    if (risk.recommendation === 'BLOCK') {
+      error('\nDO NOT EXECUTE this dossier');
+      console.log('   Security verification failed.');
+      console.log('   This dossier may have been tampered with or is from an untrusted source.\n');
+      return false;
+    } else if (risk.level === 'medium' || risk.level === 'high') {
+      warning('\nProceed with CAUTION');
+      console.log('   Review the dossier code before executing.');
+      console.log('   Consider the risk level and your trust in the source.\n');
+      return true;
+    } else {
+      success('\nSafe to execute');
+      console.log('   Dossier passed security verification.\n');
+      return true;
+    }
+
+  } catch (err) {
+    error(`\nVerification failed: ${err.message}`);
+    if (options.verbose) {
+      console.error(err);
+    }
+    return false;
+  }
+}
+
+// Main entry point
+async function main() {
+  const options = parseArgs();
+
+  if (options.help || !options.input) {
+    showHelp();
+    process.exit(options.help ? 0 : 2);
+  }
+
+  const passed = await verifyDossier(options.input, options);
+
+  if (!passed) {
+    process.exit(1);  // Verification failed
+  }
+
+  if (options.run) {
+    warning('\n--run flag not yet implemented');
+    warning('For now, manually execute the dossier if verification passed');
+  }
+
+  if (options.outputPath) {
+    // Would output the path to downloaded file
+    warning('\n--output-path flag not yet implemented');
+  }
+
+  process.exit(0);  // Success
+}
+
+// Run if called directly
+if (require.main === module) {
+  main().catch(err => {
+    error(`Fatal error: ${err.message}`);
+    process.exit(2);
+  });
+}
+
+module.exports = { verifyDossier, parseDossier, verifyChecksum };

package/dist/cli.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Dossier CLI - Main entry point (TypeScript)
+ * Sets up Commander program and registers all commands.
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/cli.js

@@ -0,0 +1,77 @@
+"use strict";
+/**
+ * Dossier CLI - Main entry point (TypeScript)
+ * Sets up Commander program and registers all commands.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+// Package info
+const pkg = require('../package.json');
+const cache_1 = require("./commands/cache");
+const checksum_1 = require("./commands/checksum");
+const config_cmd_1 = require("./commands/config-cmd");
+const create_1 = require("./commands/create");
+const export_1 = require("./commands/export");
+const format_1 = require("./commands/format");
+const from_file_1 = require("./commands/from-file");
+const get_1 = require("./commands/get");
+const info_1 = require("./commands/info");
+const init_1 = require("./commands/init");
+const install_skill_1 = require("./commands/install-skill");
+const keys_1 = require("./commands/keys");
+const lint_1 = require("./commands/lint");
+const list_1 = require("./commands/list");
+const login_1 = require("./commands/login");
+const logout_1 = require("./commands/logout");
+const prompt_hook_1 = require("./commands/prompt-hook");
+const publish_1 = require("./commands/publish");
+const pull_1 = require("./commands/pull");
+const remove_1 = require("./commands/remove");
+const reset_hooks_1 = require("./commands/reset-hooks");
+const run_1 = require("./commands/run");
+const search_1 = require("./commands/search");
+const sign_1 = require("./commands/sign");
+const validate_1 = require("./commands/validate");
+// Import command registrations
+const verify_1 = require("./commands/verify");
+const whoami_1 = require("./commands/whoami");
+// Setup program
+commander_1.program
+    .name('ai-dossier')
+    .description('CLI tool for creating, verifying, and executing dossiers')
+    .version(pkg.version);
+// Register all commands
+(0, verify_1.registerVerifyCommand)(commander_1.program);
+(0, run_1.registerRunCommand)(commander_1.program);
+(0, create_1.registerCreateCommand)(commander_1.program);
+(0, config_cmd_1.registerConfigCommand)(commander_1.program);
+(0, list_1.registerListCommand)(commander_1.program);
+(0, search_1.registerSearchCommand)(commander_1.program);
+(0, info_1.registerInfoCommand)(commander_1.program);
+(0, sign_1.registerSignCommand)(commander_1.program);
+(0, publish_1.registerPublishCommand)(commander_1.program);
+(0, remove_1.registerRemoveCommand)(commander_1.program);
+(0, login_1.registerLoginCommand)(commander_1.program);
+(0, logout_1.registerLogoutCommand)(commander_1.program);
+(0, whoami_1.registerWhoamiCommand)(commander_1.program);
+(0, checksum_1.registerChecksumCommand)(commander_1.program);
+(0, validate_1.registerValidateCommand)(commander_1.program);
+(0, init_1.registerInitCommand)(commander_1.program);
+(0, reset_hooks_1.registerResetHooksCommand)(commander_1.program);
+(0, prompt_hook_1.registerPromptHookCommand)(commander_1.program);
+(0, pull_1.registerPullCommand)(commander_1.program);
+(0, export_1.registerExportCommand)(commander_1.program);
+(0, cache_1.registerCacheCommand)(commander_1.program);
+(0, install_skill_1.registerInstallSkillCommand)(commander_1.program);
+(0, keys_1.registerKeysCommand)(commander_1.program);
+(0, lint_1.registerLintCommand)(commander_1.program);
+(0, format_1.registerFormatCommand)(commander_1.program);
+(0, from_file_1.registerFromFileCommand)(commander_1.program);
+(0, get_1.registerGetCommand)(commander_1.program);
+// Parse and execute
+commander_1.program.parse(process.argv);
+// Show help if no command provided
+if (!process.argv.slice(2).length) {
+    commander_1.program.outputHelp();
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAEH,yCAAoC;AAEpC,eAAe;AACf,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,4CAAwD;AACxD,kDAA8D;AAC9D,sDAA8D;AAC9D,8CAA0D;AAC1D,8CAA0D;AAC1D,8CAA0D;AAC1D,oDAA+D;AAC/D,wCAAoD;AACpD,0CAAsD;AACtD,0CAAsD;AACtD,4DAAuE;AACvE,0CAAsD;AACtD,0CAAsD;AACtD,0CAAsD;AACtD,4CAAwD;AACxD,8CAA0D;AAC1D,wDAAmE;AACnE,gDAA4D;AAC5D,0CAAsD;AACtD,8CAA0D;AAC1D,wDAAmE;AACnE,wCAAoD;AACpD,8CAA0D;AAC1D,0CAAsD;AACtD,kDAA8D;AAC9D,+BAA+B;AAC/B,8CAA0D;AAC1D,8CAA0D;AAE1D,gBAAgB;AAChB,mBAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CAAC,0DAA0D,CAAC;KACvE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,wBAAwB;AACxB,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,wBAAkB,EAAC,mBAAO,CAAC,CAAC;AAC5B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,kCAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,gCAAsB,EAAC,mBAAO,CAAC,CAAC;AAChC,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,4BAAoB,EAAC,mBAAO,CAAC,CAAC;AAC9B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,kCAAuB,EAAC,mBAAO,CAAC,CAAC;AACjC,IAAA,kCAAuB,EAAC,mBAAO,CAAC,CAAC;AACjC,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,uCAAyB,EAAC,mBAAO,CAAC,CAAC;AACnC,IAAA,uCAAyB,EAAC,mBAAO,CAAC,CAAC;AACnC,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,4BAAoB,EAAC,mBAAO,CAAC,CAAC;AAC9B,IAAA,2CAA2B,EAAC,mBAAO,CAAC,CAAC;AACrC,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,0BAAmB,EAAC,mBAAO,CAAC,CAAC;AAC7B,IAAA,8BAAqB,EAAC,mBAAO,CAAC,CAAC;AAC/B,IAAA,mCAAuB,EAAC,mBAAO,CAAC,CAAC;AACjC,IAAA,wBAAkB,EAAC,mBAAO,CAAC,CAAC;AAE5B,oBAAoB;AACpB,mBAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5B,mCAAmC;AACnC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAClC,mBAAO,CAAC,UAAU,EAAE,CAAC;AACvB,CAAC"}

package/dist/commands/cache.d.ts

@@ -0,0 +1,3 @@
+import type { Command } from 'commander';
+export declare function registerCacheCommand(program: Command): void;
+//# sourceMappingURL=cache.d.ts.map

package/dist/commands/cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../src/commands/cache.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuO3D"}