@ai-dossier/cli 0.3.0 → 0.4.2

package/README.md

@@ -36,22 +36,48 @@ cd cli
 npm link  # Links the CLI globally for development
 
 # Or use directly
-chmod +x bin/dossier-verify
-./bin/dossier-verify <file-or-url>
+chmod +x bin/ai-dossier
+./bin/ai-dossier verify <file-or-url>
 ```
 
 ---
 
+## Authentication
+
+### Interactive (Browser OAuth)
+
+```bash
+dossier login
+```
+
+### Non-Interactive (CI/CD, Agents)
+
+Set the `DOSSIER_REGISTRY_TOKEN` environment variable:
+
+```bash
+export DOSSIER_REGISTRY_TOKEN=<your-token>
+
+# Optional: set user/org context
+export DOSSIER_REGISTRY_USER=<username>
+export DOSSIER_REGISTRY_ORGS=org1,org2
+```
+
+When `DOSSIER_REGISTRY_TOKEN` is set, it takes precedence over stored credentials. This is recommended for CI/CD pipelines, Docker containers, and AI agent contexts where interactive login is not possible.
+
+Commands that require confirmation (`publish`, `remove`, `cache clean`) will fail with a clear error in non-interactive sessions. Use `-y`/`--yes` to skip confirmation prompts.
+
+---
+
 ## Usage
 
 ### Basic Verification
 
 ```bash
 # Verify local file
-dossier-verify path/to/dossier.ds.md
+ai-dossier verify path/to/dossier.ds.md
 
 # Verify remote dossier
-dossier-verify https://example.com/dossier.ds.md
+ai-dossier verify https://example.com/dossier.ds.md
 ```
 
 **Exit codes**:
@@ -62,7 +88,7 @@ dossier-verify https://example.com/dossier.ds.md
 ### Verbose Mode
 
 ```bash
-dossier-verify --verbose path/to/dossier.ds.md
+ai-dossier verify --verbose path/to/dossier.ds.md
 ```
 
 Shows:
@@ -77,7 +103,7 @@ Shows:
 ```bash
 # Shell function wrapper
 claude-run-dossier() {
-  if dossier-verify "$1"; then
+  if ai-dossier verify "$1"; then
     claude-code "The dossier at $1 has been verified. Please execute it."
   else
     echo "❌ Security verification failed. Not executing."
@@ -91,7 +117,7 @@ claude-run-dossier https://example.com/dossier.ds.md
 **Cursor**:
 ```bash
 cursor-run-dossier() {
-  if dossier-verify "$1"; then
+  if ai-dossier verify "$1"; then
     cursor "Execute the verified dossier at $1"
   else
     echo "❌ Verification failed"
@@ -106,7 +132,7 @@ safe-run-dossier() {
   local url="$1"
   local tool="${2:-claude-code}"
 
-  if dossier-verify "$url"; then
+  if ai-dossier verify "$url"; then
     echo "✅ Dossier verified. Passing to $tool..."
     "$tool" "run $url"
   else
@@ -173,7 +199,7 @@ safe-run-dossier https://example.com/dossier.ds.md cursor
 ### Example 1: Legitimate Dossier (Passes)
 
 ```bash
-$ dossier-verify examples/data-science/train-ml-model.ds.md
+$ ai-dossier verify examples/data-science/train-ml-model.ds.md
 
 🔐 Dossier Verification Tool
 
@@ -202,7 +228,7 @@ $ echo $?
 ### Example 2: Malicious Dossier (Blocked)
 
 ```bash
-$ dossier-verify https://raw.githubusercontent.com/imboard-ai/ai-dossier/main/examples/security/validate-project-config.ds.md
+$ ai-dossier verify https://raw.githubusercontent.com/imboard-ai/ai-dossier/main/examples/security/validate-project-config.ds.md
 
 🔐 Dossier Verification Tool
 
@@ -242,7 +268,7 @@ $ echo $?
 # Wrapper function for Claude Code
 claude-run-dossier() {
   echo "Verifying dossier security..."
-  if ~/projects/dossier/cli/bin/dossier-verify "$1"; then
+  if ai-dossier verify "$1"; then
     echo ""
     echo "✅ Verification passed. Executing with Claude Code..."
     claude-code "Execute the verified dossier at $1"
@@ -266,7 +292,7 @@ claude-run-dossier https://example.com/dossier.ds.md
 
 ```
 User Command:
-dossier-verify https://example.com/dossier.ds.md
+ai-dossier verify https://example.com/dossier.ds.md
          ↓
     Download/Read File
          ↓
@@ -331,23 +357,28 @@ Exit 0 (safe) or 1 (unsafe)
 
 ## Roadmap
 
-### v0.1.0 (Current)
+### v0.1.0
 - ✅ Basic checksum verification
 - ✅ Signature presence detection
 - ✅ Exit code support
 - ✅ URL download support
 
-### v0.2.0 (Next)
-- ⏳ Full minisign signature verification
-- ⏳ Trusted keys management (~/.dossier/trusted-keys.txt)
-- ⏳ --run flag implementation
-- ⏳ Better error messages
+### v0.2.0
+- ✅ Multi-command CLI structure (`ai-dossier <command>`)
+- ✅ `dossier run` command with 5-stage verification pipeline
+- ✅ LLM auto-detection and execution integration
+
+### v0.3.0
+- ✅ Modular TypeScript migration
+- ✅ Comprehensive test suite (261+ tests)
+- ✅ CLI parity with dossier-tools
+- ✅ `@ai-dossier` npm scope and CI/CD publishing
 
-### v0.3.0 (Future)
-- ⏳ Interactive trust prompts
-- ⏳ Key import/export
-- ⏳ Signature verification caching
-- ⏳ JSON output mode (for tooling)
+### v0.4.0 (Current)
+- ✅ Unified dossier parser across core/cli/mcp
+- ✅ JSON output mode (`--json` flag on commands)
+- ✅ Registry integration (publish, remove, install-skill)
+- ✅ Non-TTY stdin detection
 
 ### v1.0.0 (Stable)
 - ⏳ Complete signature verification
@@ -366,10 +397,10 @@ cd cli
 npm link  # For local testing
 
 # Test
-dossier-verify ../examples/devops/deploy-to-aws.ds.md
+ai-dossier verify ../examples/devops/deploy-to-aws.ds.md
 
 # Test with malicious example
-dossier-verify ../examples/security/validate-project-config.ds.md
+ai-dossier verify ../examples/security/validate-project-config.ds.md
 ```
 
 ### Adding Features

package/bin/dossier-verify

@@ -1,435 +1,9 @@
 #!/usr/bin/env node
 
-/**
- * Dossier Verification CLI
- *
- * Enforces security verification of dossier files before execution.
- * Provides command-line interface for checksum and signature validation.
- *
- * Usage:
- *   dossier-verify <file-or-url>
- *   dossier-verify --run <file-or-url>
- *   dossier-verify --verbose <file-or-url>
- */
+// Thin shim — all logic lives in src/verify-dossier.ts
+const { main } = require('../dist/verify-dossier');
 
-const fs = require('fs');
-const path = require('path');
-const crypto = require('crypto');
-const https = require('https');
-const http = require('http');
-const { execSync } = require('child_process');
-const {
-  parseDossierContent,
-  verifyIntegrity,
-  loadTrustedKeys,
-  verifySignature
-} = require('@ai-dossier/core');
-const { convertGitHubBlobToRaw } = require('../dist/github-url');
-
-// Colors for terminal output
-const colors = {
-  reset: '\x1b[0m',
-  bright: '\x1b[1m',
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  cyan: '\x1b[36m',
-};
-
-function log(message, color = 'reset') {
-  console.log(`${colors[color]}${message}${colors.reset}`);
-}
-
-function error(message) {
-  log(`❌ ${message}`, 'red');
-}
-
-function success(message) {
-  log(`✅ ${message}`, 'green');
-}
-
-function warning(message) {
-  log(`⚠️  ${message}`, 'yellow');
-}
-
-function info(message) {
-  log(`ℹ️  ${message}`, 'cyan');
-}
-
-// Parse command line arguments
-function parseArgs() {
-  const args = process.argv.slice(2);
-  const options = {
-    verbose: false,
-    run: false,
-    outputPath: false,
-    help: false,
-    input: null,
-  };
-
-  for (let i = 0; i < args.length; i++) {
-    const arg = args[i];
-    if (arg === '--verbose' || arg === '-v') {
-      options.verbose = true;
-    } else if (arg === '--run') {
-      options.run = true;
-    } else if (arg === '--output-path') {
-      options.outputPath = true;
-    } else if (arg === '--help' || arg === '-h') {
-      options.help = true;
-    } else if (!options.input) {
-      options.input = arg;
-    }
-  }
-
-  return options;
-}
-
-function showHelp() {
-  console.log(`
-${colors.bright}Dossier Verification CLI${colors.reset}
-
-${colors.bright}Usage:${colors.reset}
-  dossier-verify <file-or-url>              Verify dossier security
-  dossier-verify --run <file-or-url>        Verify and execute if safe
-  dossier-verify --verbose <file-or-url>    Show detailed verification
-  dossier-verify --output-path <url>        Download and output path
-  dossier-verify --help                     Show this help
-
-${colors.bright}Exit Codes:${colors.reset}
-  0 - Verification passed (safe to execute)
-  1 - Verification failed (do not execute)
-  2 - Error occurred (cannot verify)
-
-${colors.bright}Examples:${colors.reset}
-  # Verify local file
-  dossier-verify path/to/dossier.ds.md
-
-  # Verify remote dossier
-  dossier-verify https://example.com/dossier.ds.md
-
-  # Verify and run if safe
-  dossier-verify --run https://example.com/dossier.ds.md
-
-  # Use in shell script
-  if dossier-verify "$URL"; then
-    claude-code "run $URL"
-  else
-    echo "Security verification failed"
-  fi
-
-${colors.bright}Security Checks:${colors.reset}
-  ✓ SHA256 checksum verification (required)
-  ✓ Signature verification (if present)
-  ✓ Trusted keys check
-  ✓ Risk level assessment
-
-${colors.bright}More Information:${colors.reset}
-  Documentation: https://github.com/imboard/ai-dossier
-  Security: SECURITY_STATUS.md
-  Protocol: PROTOCOL.md
-`);
-}
-
-// Download file from URL
-async function downloadFile(url) {
-  // Convert GitHub blob URLs to raw URLs
-  const resolvedUrl = convertGitHubBlobToRaw(url);
-
-  return new Promise((resolve, reject) => {
-    const protocol = resolvedUrl.startsWith('https://') ? https : http;
-
-    protocol.get(resolvedUrl, (res) => {
-      if (res.statusCode === 301 || res.statusCode === 302) {
-        // Follow redirect
-        return downloadFile(res.headers.location).then(resolve).catch(reject);
-      }
-
-      if (res.statusCode !== 200) {
-        return reject(new Error(`HTTP ${res.statusCode}: ${res.statusMessage}`));
-      }
-
-      let data = '';
-      res.on('data', (chunk) => { data += chunk; });
-      res.on('end', () => resolve(data));
-    }).on('error', reject);
-  });
-}
-
-// Parse dossier frontmatter (using @ai-dossier/core)
-function parseDossier(content) {
-  const parsed = parseDossierContent(content);
-  return {
-    frontmatter: parsed.frontmatter,
-    body: parsed.body
-  };
-}
-
-// Verify checksum (using @ai-dossier/core)
-function verifyChecksum(body, declaredHash) {
-  const result = verifyIntegrity(body, declaredHash);
-  return {
-    passed: result.status === 'valid',
-    declared: result.expectedHash,
-    actual: result.actualHash,
-  };
-}
-
-// Verify signature (using @ai-dossier/core for real cryptographic verification)
-async function checkSignature(body, frontmatter) {
-  if (!frontmatter.signature) {
-    return {
-      present: false,
-      verified: false,
-      trusted: false,
-      message: 'No signature present',
-    };
-  }
-
-  const signature = frontmatter.signature;
-  const trustedKeys = loadTrustedKeys();
-  // Check both key_id and public_key for trusted status
-  // key_id is easier to manage in trusted-keys.txt file
-  const isTrusted = trustedKeys.has(signature.key_id) || trustedKeys.has(signature.public_key);
-
-  try {
-    const isValid = await verifySignature(body, signature);
-
-    if (!isValid) {
-      return {
-        present: true,
-        verified: false,
-        trusted: isTrusted,
-        message: 'Signature verification FAILED',
-      };
-    }
-
-    return {
-      present: true,
-      verified: true,
-      trusted: isTrusted,
-      message: isTrusted
-        ? `Verified signature from trusted source: ${trustedKeys.get(signature.key_id) || trustedKeys.get(signature.public_key)}`
-        : 'Valid signature but key is not in trusted list',
-    };
-  } catch (err) {
-    return {
-      present: true,
-      verified: false,
-      trusted: false,
-      message: `Verification error: ${err.message}`,
-    };
-  }
-}
-
-// Assess risk
-function assessRisk(frontmatter, checksumResult, signatureResult) {
-  const issues = [];
-  let riskLevel = 'low';
-  let shouldBlock = false;
-
-  // Checksum failure is critical
-  if (!checksumResult.passed) {
-    issues.push('Checksum verification FAILED - content has been tampered with');
-    riskLevel = 'critical';
-    shouldBlock = true;
-  }
-
-  // Signature issues
-  if (signatureResult.present && !signatureResult.verified) {
-    issues.push('Signature verification FAILED or could not be verified');
-    if (riskLevel !== 'critical') riskLevel = 'high';
-    shouldBlock = true;
-  }
-
-  // Valid signature but not trusted - BLOCK execution
-  if (signatureResult.present && signatureResult.verified && !signatureResult.trusted) {
-    issues.push('Signature is valid but signer is not in your trusted keys list');
-    issues.push('Add the public key to ~/.dossier/trusted-keys.txt to trust this signer');
-    if (riskLevel === 'low') riskLevel = 'medium';
-    shouldBlock = true;
-  }
-
-  // No signature on high-risk dossier
-  if (!signatureResult.present && frontmatter.risk_level === 'high') {
-    issues.push('High-risk dossier without signature');
-    if (riskLevel === 'low') riskLevel = 'medium';
-  }
-
-  if (!signatureResult.present && frontmatter.risk_level === 'critical') {
-    issues.push('Critical-risk dossier without signature');
-    if (riskLevel !== 'critical') riskLevel = 'high';
-  }
-
-  return {
-    level: riskLevel,
-    issues,
-    recommendation: shouldBlock ? 'BLOCK' : 'ALLOW',
-  };
-}
-
-// Main verification function
-async function verifyDossier(input, options) {
-  try {
-    log(`\n${colors.bright}🔐 Dossier Verification Tool${colors.reset}\n`);
-
-    // Determine if input is URL or file
-    const isUrl = input.startsWith('http://') || input.startsWith('https://');
-    let content;
-    let displayPath = input;
-
-    if (isUrl) {
-      info(`Downloading: ${input}`);
-      content = await downloadFile(input);
-      success('Downloaded successfully');
-    } else {
-      info(`Reading: ${input}`);
-      content = fs.readFileSync(input, 'utf8');
-      displayPath = path.resolve(input);
-      success('File read successfully');
-    }
-
-    // Parse dossier
-    info('Parsing dossier...');
-    const { frontmatter, body } = parseDossier(content);
-    success(`Parsed: ${frontmatter.title} v${frontmatter.version}`);
-
-    if (options.verbose) {
-      console.log(`\n${colors.bright}Dossier Metadata:${colors.reset}`);
-      console.log(`  Title: ${frontmatter.title}`);
-      console.log(`  Version: ${frontmatter.version}`);
-      console.log(`  Risk Level: ${frontmatter.risk_level}`);
-      console.log(`  Protocol: ${frontmatter.protocol_version}`);
-    }
-
-    // Verify checksum
-    console.log(`\n${colors.bright}📊 Integrity Check:${colors.reset}`);
-    const checksumResult = verifyChecksum(body, frontmatter.checksum?.hash);
-
-    if (checksumResult.passed) {
-      success('Checksum VALID - content has not been tampered with');
-      if (options.verbose) {
-        console.log(`   Hash: ${checksumResult.actual}`);
-      }
-    } else {
-      error('Checksum INVALID - content has been modified!');
-      if (options.verbose) {
-        console.log(`   Declared: ${checksumResult.declared}`);
-        console.log(`   Actual:   ${checksumResult.actual}`);
-      }
-    }
-
-    // Verify signature
-    console.log(`\n${colors.bright}🔏 Authenticity Check:${colors.reset}`);
-    const signatureResult = await checkSignature(body, frontmatter);
-
-    if (signatureResult.present) {
-      if (signatureResult.verified && signatureResult.trusted) {
-        success('Signature VERIFIED - from trusted author');
-      } else if (signatureResult.verified && !signatureResult.trusted) {
-        warning(signatureResult.message);
-        if (frontmatter.signature?.signed_by) {
-          console.log(`   Signed by: ${frontmatter.signature.signed_by}`);
-        }
-        console.log(`\n   ${colors.cyan}To trust this signer, run:${colors.reset}`);
-        const publicKey = frontmatter.signature.public_key || frontmatter.signature.key_id;
-        const identifier = frontmatter.signature.signed_by
-          ? frontmatter.signature.signed_by.split('<')[0].trim().toLowerCase().replace(/\s+/g, '-')
-          : 'unknown-signer';
-        console.log(`   ${colors.bright}dossier keys add "${publicKey}" "${identifier}"${colors.reset}\n`);
-      } else {
-        warning(signatureResult.message);
-        if (frontmatter.signature?.signed_by) {
-          console.log(`   Signed by: ${frontmatter.signature.signed_by}`);
-        }
-      }
-    } else {
-      warning('No signature present (dossier is unsigned)');
-    }
-
-    // Assess risk
-    console.log(`\n${colors.bright}🔴 Risk Assessment:${colors.reset}`);
-    const risk = assessRisk(frontmatter, checksumResult, signatureResult);
-
-    const riskColors = {
-      low: 'green',
-      medium: 'yellow',
-      high: 'yellow',
-      critical: 'red',
-    };
-
-    log(`   Risk Level: ${risk.level.toUpperCase()}`, riskColors[risk.level]);
-
-    if (risk.issues.length > 0) {
-      console.log(`\n   Issues Found:`);
-      risk.issues.forEach(issue => {
-        console.log(`   - ${issue}`);
-      });
-    }
-
-    // Recommendation
-    console.log(`\n${colors.bright}Recommendation:${colors.reset}`, risk.recommendation);
-
-    if (risk.recommendation === 'BLOCK') {
-      error('\nDO NOT EXECUTE this dossier');
-      console.log('   Security verification failed.');
-      console.log('   This dossier may have been tampered with or is from an untrusted source.\n');
-      return false;
-    } else if (risk.level === 'medium' || risk.level === 'high') {
-      warning('\nProceed with CAUTION');
-      console.log('   Review the dossier code before executing.');
-      console.log('   Consider the risk level and your trust in the source.\n');
-      return true;
-    } else {
-      success('\nSafe to execute');
-      console.log('   Dossier passed security verification.\n');
-      return true;
-    }
-
-  } catch (err) {
-    error(`\nVerification failed: ${err.message}`);
-    if (options.verbose) {
-      console.error(err);
-    }
-    return false;
-  }
-}
-
-// Main entry point
-async function main() {
-  const options = parseArgs();
-
-  if (options.help || !options.input) {
-    showHelp();
-    process.exit(options.help ? 0 : 2);
-  }
-
-  const passed = await verifyDossier(options.input, options);
-
-  if (!passed) {
-    process.exit(1);  // Verification failed
-  }
-
-  if (options.run) {
-    warning('\n--run flag not yet implemented');
-    warning('For now, manually execute the dossier if verification passed');
-  }
-
-  if (options.outputPath) {
-    // Would output the path to downloaded file
-    warning('\n--output-path flag not yet implemented');
-  }
-
-  process.exit(0);  // Success
-}
-
-// Run if called directly
-if (require.main === module) {
-  main().catch(err => {
-    error(`Fatal error: ${err.message}`);
-    process.exit(2);
-  });
-}
-
-module.exports = { verifyDossier, parseDossier, verifyChecksum };
+main().catch((err) => {
+  console.error(`Fatal error: ${err.message}`);
+  process.exit(2);
+});