@attest-it/cli 0.0.1

package/dist/index.js

@@ -0,0 +1,854 @@
+import { Command } from 'commander';
+import * as fs from 'fs';
+import * as path from 'path';
+import YAML from 'yaml';
+import pc from 'picocolors';
+import { confirm, input, select } from '@inquirer/prompts';
+import { loadConfig, readAttestations, computeFingerprint, findAttestation, createAttestation, upsertAttestation, getDefaultPrivateKeyPath, writeSignedAttestations, checkOpenSSL, getDefaultPublicKeyPath, generateKeyPair, setKeyPermissions, verifyAttestations, toAttestItConfig } from '@attest-it/core';
+import { spawn } from 'child_process';
+import * as os from 'os';
+import { parse } from 'shell-quote';
+
+// src/index.ts
+var globalOptions = {};
+function setOutputOptions(options) {
+  globalOptions = options;
+}
+function log(message) {
+  if (!globalOptions.quiet) {
+    console.log(message);
+  }
+}
+function verbose(message) {
+  if (globalOptions.verbose && !globalOptions.quiet) {
+    console.log(pc.dim(message));
+  }
+}
+function success(message) {
+  log(pc.green("\u2713 " + message));
+}
+function error(message) {
+  console.error(pc.red("\u2717 " + message));
+}
+function warn(message) {
+  if (!globalOptions.quiet) {
+    console.warn(pc.yellow("\u26A0 " + message));
+  }
+}
+function info(message) {
+  log(pc.blue("\u2139 " + message));
+}
+function formatTable(rows) {
+  const headers = ["Suite", "Status", "Fingerprint", "Age"];
+  const getRowValues = (row) => [
+    row.suite,
+    row.status,
+    row.fingerprint,
+    row.age
+  ];
+  const widths = headers.map((h, i) => {
+    const columnValues = rows.map((r) => {
+      const values = getRowValues(r);
+      return values[i] ?? "";
+    });
+    const maxValueLength = Math.max(...columnValues.map((v) => v.length), 0);
+    return Math.max(h.length, maxValueLength);
+  });
+  const separator = "\u2500";
+  const lines = [];
+  lines.push(headers.map((h, i) => h.padEnd(widths[i] ?? 0)).join(" \u2502 "));
+  lines.push(widths.map((w) => separator.repeat(w)).join("\u2500\u253C\u2500"));
+  for (const row of rows) {
+    const values = getRowValues(row);
+    lines.push(values.map((v, i) => v.padEnd(widths[i] ?? 0)).join(" \u2502 "));
+  }
+  return lines.join("\n");
+}
+function colorizeStatus(status) {
+  switch (status) {
+    case "VALID":
+      return pc.green(status);
+    case "NEEDS_ATTESTATION":
+    case "FINGERPRINT_CHANGED":
+      return pc.yellow(status);
+    case "EXPIRED":
+    case "INVALIDATED_BY_PARENT":
+      return pc.red(status);
+    case "SIGNATURE_INVALID":
+      return pc.red(pc.bold(status));
+    default:
+      return status;
+  }
+}
+function outputJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+async function confirmAction(options) {
+  return confirm({
+    message: options.message,
+    default: options.default ?? false
+  });
+}
+async function selectOption(options) {
+  return select({
+    message: options.message,
+    choices: options.choices
+  });
+}
+async function getInput(options) {
+  const inputConfig = {
+    message: options.message
+  };
+  if (options.default !== void 0) {
+    inputConfig.default = options.default;
+  }
+  if (options.validate !== void 0) {
+    inputConfig.validate = options.validate;
+  }
+  return input(inputConfig);
+}
+
+// src/utils/exit-codes.ts
+var ExitCode = {
+  /** Operation completed successfully */
+  SUCCESS: 0,
+  /** Tests failed or attestation invalid */
+  FAILURE: 1,
+  /** Configuration or validation error */
+  CONFIG_ERROR: 2,
+  /** User cancelled the operation */
+  CANCELLED: 3,
+  /** Missing required key file */
+  MISSING_KEY: 4
+};
+
+// src/commands/init.ts
+var initCommand = new Command("init").description("Initialize attest-it configuration").option("-p, --path <path>", "Config file path", ".attest-it/config.yaml").option("-f, --force", "Overwrite existing config").option("--json", "Output JSON instead of YAML").action(async (options) => {
+  await runInit(options);
+});
+async function runInit(options) {
+  try {
+    const configPath = path.resolve(options.path);
+    const configDir = path.dirname(configPath);
+    if (fs.existsSync(configPath) && !options.force) {
+      const overwrite = await confirmAction({
+        message: `Config already exists at ${configPath}. Overwrite?`,
+        default: false
+      });
+      if (!overwrite) {
+        error("Init cancelled");
+        process.exit(ExitCode.CANCELLED);
+      }
+    }
+    log("");
+    info("Welcome to attest-it!");
+    log("This will create a configuration file for human-gated test attestations.");
+    log("");
+    const maxAgeDays = await getInput({
+      message: "Maximum attestation age (days):",
+      default: "30",
+      validate: (v) => {
+        const n = parseInt(v, 10);
+        return !isNaN(n) && n > 0 ? true : "Must be a positive number";
+      }
+    });
+    const algorithm = await selectOption({
+      message: "Signing algorithm:",
+      choices: [
+        {
+          value: "ed25519",
+          name: "Ed25519 (Recommended)",
+          description: "Fast, modern, secure"
+        },
+        { value: "rsa", name: "RSA", description: "Broader compatibility" }
+      ]
+    });
+    const suites = [];
+    let addMore = true;
+    log("");
+    info("Now configure your test suites.");
+    log("Suites are groups of tests that require human verification.");
+    log("");
+    while (addMore) {
+      const suiteName = await getInput({
+        message: "Suite name:",
+        validate: (v) => v.length > 0 ? true : "Required"
+      });
+      const description = await getInput({
+        message: "Description (optional):"
+      });
+      const packagesInput = await getInput({
+        message: "Package paths (comma-separated):",
+        default: `packages/${suiteName}`,
+        validate: (v) => v.length > 0 ? true : "At least one package required"
+      });
+      const command = await getInput({
+        message: "Test command:",
+        default: `pnpm vitest ${packagesInput.split(",")[0]?.trim() ?? ""}`
+      });
+      suites.push({
+        name: suiteName,
+        description,
+        packages: packagesInput.split(",").map((p) => p.trim()).filter(Boolean),
+        command
+      });
+      addMore = await confirmAction({
+        message: "Add another suite?",
+        default: false
+      });
+    }
+    if (suites.length === 0) {
+      error("At least one suite is required");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const config = {
+      version: 1,
+      settings: {
+        maxAgeDays: parseInt(maxAgeDays, 10),
+        publicKeyPath: ".attest-it/pubkey.pem",
+        attestationsPath: ".attest-it/attestations.json",
+        algorithm
+      },
+      suites: Object.fromEntries(
+        suites.map((s) => {
+          const suite = {
+            packages: s.packages,
+            command: s.command
+          };
+          if (s.description) {
+            suite.description = s.description;
+          }
+          return [s.name, suite];
+        })
+      )
+    };
+    await fs.promises.mkdir(configDir, { recursive: true });
+    const content = options.json ? JSON.stringify(config, null, 2) : YAML.stringify(config, { indent: 2 });
+    await fs.promises.writeFile(configPath, content, "utf-8");
+    const attestDir = path.dirname(
+      path.resolve(path.dirname(configPath), config.settings.attestationsPath)
+    );
+    await fs.promises.mkdir(attestDir, { recursive: true });
+    success(`Configuration created at ${configPath}`);
+    log("");
+    log("Next steps:");
+    log("  1. Review and edit the configuration as needed");
+    log("  2. Run: attest-it keygen");
+    log("  3. Run: attest-it run --suite <suite-name>");
+    log("  4. Commit the attestation file");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var statusCommand = new Command("status").description("Show attestation status for all suites").option("-s, --suite <name>", "Show status for specific suite only").option("--json", "Output JSON for machine parsing").action(async (options) => {
+  await runStatus(options);
+});
+async function runStatus(options) {
+  try {
+    const config = await loadConfig();
+    const attestationsPath = config.settings.attestationsPath;
+    let attestationsFile = null;
+    try {
+      attestationsFile = await readAttestations(attestationsPath);
+    } catch (err) {
+      if (err instanceof Error && !err.message.includes("ENOENT")) {
+        throw err;
+      }
+    }
+    const attestations = attestationsFile?.attestations ?? [];
+    const suiteNames = options.suite ? [options.suite] : Object.keys(config.suites);
+    if (options.suite && !config.suites[options.suite]) {
+      error(`Suite "${options.suite}" not found in config`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const results = [];
+    let hasInvalid = false;
+    for (const suiteName of suiteNames) {
+      const suiteConfig = config.suites[suiteName];
+      if (!suiteConfig) continue;
+      const fingerprintResult = await computeFingerprint({
+        packages: suiteConfig.packages,
+        ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+      });
+      const attestation = findAttestation(
+        {
+          schemaVersion: "1",
+          attestations,
+          signature: ""
+        },
+        suiteName
+      );
+      const status = determineStatus(
+        attestation ?? null,
+        fingerprintResult.fingerprint,
+        config.settings.maxAgeDays
+      );
+      let age;
+      if (attestation) {
+        const attestedAt = new Date(attestation.attestedAt);
+        age = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
+      }
+      if (status !== "VALID") {
+        hasInvalid = true;
+      }
+      results.push({
+        name: suiteName,
+        status,
+        currentFingerprint: fingerprintResult.fingerprint,
+        attestedFingerprint: attestation?.fingerprint,
+        attestedAt: attestation?.attestedAt,
+        age
+      });
+    }
+    if (options.json) {
+      outputJson(results);
+    } else {
+      displayStatusTable(results, hasInvalid);
+    }
+    process.exit(hasInvalid ? ExitCode.FAILURE : ExitCode.SUCCESS);
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+function determineStatus(attestation, currentFingerprint, maxAgeDays) {
+  if (!attestation) {
+    return "NEEDS_ATTESTATION";
+  }
+  if (attestation.fingerprint !== currentFingerprint) {
+    return "FINGERPRINT_CHANGED";
+  }
+  const attestedAt = new Date(attestation.attestedAt);
+  const ageInDays = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
+  if (ageInDays > maxAgeDays) {
+    return "EXPIRED";
+  }
+  return "VALID";
+}
+function displayStatusTable(results, hasInvalid) {
+  const tableRows = results.map((r) => ({
+    suite: r.name,
+    status: colorizeStatus(r.status),
+    fingerprint: r.currentFingerprint.slice(0, 16) + "...",
+    age: formatAge(r)
+  }));
+  log("");
+  log(formatTable(tableRows));
+  log("");
+  if (hasInvalid) {
+    log("Run `attest-it run --suite <name>` to update attestations");
+  } else {
+    success("All attestations valid");
+  }
+}
+function formatAge(result) {
+  if (result.status === "VALID") {
+    return `${String(result.age ?? 0)} days`;
+  }
+  if (result.status === "FINGERPRINT_CHANGED") {
+    return "(changed)";
+  }
+  if (result.status === "NEEDS_ATTESTATION") {
+    return "(none)";
+  }
+  if (result.status === "EXPIRED") {
+    return `${String(result.age ?? 0)} days (expired)`;
+  }
+  return "-";
+}
+var runCommand = new Command("run").description("Execute tests and create attestation").option("-s, --suite <name>", "Run specific suite (required unless --all)").option("-a, --all", "Run all suites needing attestation").option("--no-attest", "Run tests without creating attestation").option("-y, --yes", "Skip confirmation prompt").action(async (options) => {
+  await runTests(options);
+});
+async function runTests(options) {
+  try {
+    if (!options.suite && !options.all) {
+      error("Either --suite or --all is required");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const config = await loadConfig();
+    const suitesToRun = options.all ? Object.keys(config.suites) : options.suite ? [options.suite] : [];
+    if (options.suite && !config.suites[options.suite]) {
+      error(`Suite "${options.suite}" not found in config`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const isDirty = await checkDirtyWorkingTree();
+    if (isDirty) {
+      error("Working tree has uncommitted changes. Please commit or stash before attesting.");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    for (const suiteName of suitesToRun) {
+      const suiteConfig = config.suites[suiteName];
+      if (!suiteConfig) continue;
+      log(`
+=== Running suite: ${suiteName} ===
+`);
+      const fingerprintOptions = {
+        packages: suiteConfig.packages,
+        ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+      };
+      const fingerprintResult = await computeFingerprint(fingerprintOptions);
+      verbose(`Fingerprint: ${fingerprintResult.fingerprint}`);
+      verbose(`Files: ${String(fingerprintResult.fileCount)}`);
+      const command = buildCommand(config, suiteConfig.command, suiteConfig.files);
+      log(`Running: ${command}`);
+      log("");
+      const exitCode = await executeCommand(command);
+      if (exitCode !== 0) {
+        error(`Tests failed with exit code ${String(exitCode)}`);
+        process.exit(ExitCode.FAILURE);
+      }
+      success("Tests passed!");
+      if (options.attest === false) {
+        log("Skipping attestation (--no-attest)");
+        continue;
+      }
+      const shouldAttest = options.yes ?? await confirmAction({
+        message: "Create attestation?",
+        default: true
+      });
+      if (!shouldAttest) {
+        warn("Attestation cancelled");
+        process.exit(ExitCode.CANCELLED);
+      }
+      const attestation = createAttestation({
+        suite: suiteName,
+        fingerprint: fingerprintResult.fingerprint,
+        command,
+        attestedBy: os.userInfo().username
+      });
+      const attestationsPath = config.settings.attestationsPath;
+      const existingFile = await readAttestations(attestationsPath);
+      const existingAttestations = existingFile?.attestations ?? [];
+      const newAttestations = upsertAttestation(existingAttestations, attestation);
+      const privateKeyPath = getDefaultPrivateKeyPath();
+      if (!fs.existsSync(privateKeyPath)) {
+        error(`Private key not found: ${privateKeyPath}`);
+        error('Run "attest-it keygen" first to generate a keypair.');
+        process.exit(ExitCode.MISSING_KEY);
+      }
+      await writeSignedAttestations({
+        filePath: attestationsPath,
+        attestations: newAttestations,
+        privateKeyPath
+      });
+      success(`Attestation created for ${suiteName}`);
+      log(`  Fingerprint: ${fingerprintResult.fingerprint}`);
+      log(`  Attested by: ${attestation.attestedBy}`);
+      log(`  Attested at: ${attestation.attestedAt}`);
+    }
+    log("");
+    success("All suites completed!");
+    log(
+      `
+To commit: git add ${config.settings.attestationsPath} && git commit -m "Update attestations"`
+    );
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+function buildCommand(config, suiteCommand, suiteFiles) {
+  let command = suiteCommand ?? config.settings.defaultCommand;
+  if (!command) {
+    error("No command specified for suite and no defaultCommand in settings");
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  if (command.includes("${files}") && suiteFiles) {
+    const files = suiteFiles.join(" ");
+    command = command.replaceAll("${files}", files);
+  }
+  return command;
+}
+function parseCommand(command) {
+  const parsed = parse(command);
+  const stringArgs = parsed.filter((token) => {
+    return typeof token === "string";
+  });
+  if (stringArgs.length === 0) {
+    throw new Error("Command string is empty or contains only control operators");
+  }
+  const [executable, ...args] = stringArgs;
+  if (executable === void 0) {
+    throw new Error("Command string is empty or contains only control operators");
+  }
+  return { executable, args };
+}
+async function executeCommand(command) {
+  return new Promise((resolve2) => {
+    let parsed;
+    try {
+      parsed = parseCommand(command);
+    } catch (err) {
+      if (err instanceof Error) {
+        error(`Failed to parse command: ${err.message}`);
+      } else {
+        error("Failed to parse command: Unknown error");
+      }
+      resolve2(1);
+      return;
+    }
+    const child = spawn(parsed.executable, parsed.args, {
+      stdio: "inherit"
+      // Stream output to terminal
+    });
+    child.on("close", (code) => {
+      resolve2(code ?? 1);
+    });
+    child.on("error", (err) => {
+      error(`Failed to execute command: ${err.message}`);
+      resolve2(1);
+    });
+  });
+}
+async function checkDirtyWorkingTree() {
+  return new Promise((resolve2) => {
+    const child = spawn("git", ["status", "--porcelain"], {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let output = "";
+    child.stdout.on("data", (data) => {
+      output += data.toString();
+    });
+    child.on("close", () => {
+      resolve2(output.trim().length > 0);
+    });
+    child.on("error", () => {
+      resolve2(false);
+    });
+  });
+}
+var keygenCommand = new Command("keygen").description("Generate a new keypair for signing attestations").option("-a, --algorithm <alg>", "Algorithm: ed25519 (default) or rsa", "ed25519").option("-o, --output <path>", "Private key output path").option("-p, --public <path>", "Public key output path").option("-f, --force", "Overwrite existing keys").action(async (options) => {
+  await runKeygen(options);
+});
+async function runKeygen(options) {
+  try {
+    const algorithm = validateAlgorithm(options.algorithm);
+    log("Checking OpenSSL...");
+    const version = await checkOpenSSL();
+    info(`OpenSSL: ${version}`);
+    const privatePath = options.output ?? getDefaultPrivateKeyPath();
+    const publicPath = options.public ?? getDefaultPublicKeyPath();
+    log(`Private key: ${privatePath}`);
+    log(`Public key: ${publicPath}`);
+    const privateExists = fs.existsSync(privatePath);
+    const publicExists = fs.existsSync(publicPath);
+    if ((privateExists || publicExists) && !options.force) {
+      if (privateExists) {
+        warn(`Private key already exists: ${privatePath}`);
+      }
+      if (publicExists) {
+        warn(`Public key already exists: ${publicPath}`);
+      }
+      const shouldOverwrite = await confirmAction({
+        message: "Overwrite existing keys?",
+        default: false
+      });
+      if (!shouldOverwrite) {
+        error("Keygen cancelled");
+        process.exit(ExitCode.CANCELLED);
+      }
+    }
+    log(`
+Generating ${algorithm.toUpperCase()} keypair...`);
+    const result = await generateKeyPair({
+      algorithm,
+      privatePath,
+      publicPath,
+      force: true
+    });
+    await setKeyPermissions(result.privatePath);
+    success("Keypair generated successfully!");
+    log("");
+    log("Private key (KEEP SECRET):");
+    log(`  ${result.privatePath}`);
+    log("");
+    log("Public key (commit to repo):");
+    log(`  ${result.publicPath}`);
+    log("");
+    info("Important: Back up your private key securely!");
+    log("");
+    log("Next steps:");
+    log(`  1. git add ${result.publicPath}`);
+    log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
+    log("  3. attest-it run --suite <suite-name>");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+function validateAlgorithm(alg) {
+  const normalized = alg.toLowerCase();
+  if (normalized === "ed25519" || normalized === "rsa") {
+    return normalized;
+  }
+  error(`Invalid algorithm: ${alg}. Use 'ed25519' or 'rsa'.`);
+  process.exit(ExitCode.CONFIG_ERROR);
+}
+var pruneCommand = new Command("prune").description("Remove stale attestations").option("-n, --dry-run", "Show what would be removed without removing").option("-k, --keep-days <n>", "Keep attestations newer than n days", "30").action(async (options) => {
+  await runPrune(options);
+});
+async function runPrune(options) {
+  try {
+    const keepDays = parseInt(options.keepDays, 10);
+    if (isNaN(keepDays) || keepDays < 1) {
+      error("--keep-days must be a positive integer");
+      process.exit(ExitCode.CONFIG_ERROR);
+      return;
+    }
+    const config = await loadConfig();
+    const attestationsPath = config.settings.attestationsPath;
+    const file = await readAttestations(attestationsPath);
+    if (!file || file.attestations.length === 0) {
+      info("No attestations to prune");
+      process.exit(ExitCode.SUCCESS);
+      return;
+    }
+    const now = Date.now();
+    const keepMs = keepDays * 24 * 60 * 60 * 1e3;
+    const stale = [];
+    const keep = [];
+    for (const attestation of file.attestations) {
+      const attestedAt = new Date(attestation.attestedAt).getTime();
+      const ageMs = now - attestedAt;
+      const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+      const suiteExists = attestation.suite in config.suites;
+      let fingerprintMatches = false;
+      if (suiteExists) {
+        const suiteConfig = config.suites[attestation.suite];
+        if (suiteConfig) {
+          const fingerprintOptions = {
+            packages: suiteConfig.packages,
+            ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+          };
+          const result = await computeFingerprint(fingerprintOptions);
+          fingerprintMatches = result.fingerprint === attestation.fingerprint;
+        }
+      }
+      const isStale = !fingerprintMatches && ageMs > keepMs;
+      const orphaned = !suiteExists;
+      if (isStale || orphaned) {
+        stale.push(attestation);
+        const reason = orphaned ? "suite removed" : !fingerprintMatches ? "fingerprint changed" : "expired";
+        verbose(`Stale: ${attestation.suite} (${reason}, ${String(ageDays)} days old)`);
+      } else {
+        keep.push(attestation);
+      }
+    }
+    if (stale.length === 0) {
+      success("No stale attestations found");
+      process.exit(ExitCode.SUCCESS);
+      return;
+    }
+    log(`Found ${String(stale.length)} stale attestation(s):`);
+    for (const attestation of stale) {
+      const ageDays = Math.floor(
+        (now - new Date(attestation.attestedAt).getTime()) / (1e3 * 60 * 60 * 24)
+      );
+      log(`  - ${attestation.suite} (${String(ageDays)} days old)`);
+    }
+    if (options.dryRun) {
+      info("Dry run - no changes made");
+      process.exit(ExitCode.SUCCESS);
+      return;
+    }
+    const privateKeyPath = getDefaultPrivateKeyPath();
+    if (!fs.existsSync(privateKeyPath)) {
+      error(`Private key not found: ${privateKeyPath}`);
+      error("Cannot re-sign attestations file.");
+      process.exit(ExitCode.MISSING_KEY);
+      return;
+    }
+    await writeSignedAttestations({
+      filePath: attestationsPath,
+      attestations: keep,
+      privateKeyPath
+    });
+    success(`Pruned ${String(stale.length)} stale attestation(s)`);
+    log(`Remaining: ${String(keep.length)} attestation(s)`);
+    process.exit(ExitCode.SUCCESS);
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(2);
+    return;
+  }
+}
+var verifyCommand = new Command("verify").description("Verify all attestations (for CI)").option("-s, --suite <name>", "Verify specific suite only").option("--json", "Output JSON for machine parsing").option("--strict", "Fail on warnings (approaching expiry)").action(async (options) => {
+  await runVerify(options);
+});
+async function runVerify(options) {
+  try {
+    const config = await loadConfig();
+    if (options.suite) {
+      if (!config.suites[options.suite]) {
+        error(`Suite "${options.suite}" not found in config`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+      const filteredSuiteEntry = config.suites[options.suite];
+      if (!filteredSuiteEntry) {
+        error(`Suite "${options.suite}" not found in config`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+      const filteredConfig = {
+        version: config.version,
+        settings: config.settings,
+        suites: { [options.suite]: filteredSuiteEntry }
+      };
+      const result2 = await verifyAttestations({ config: toAttestItConfig(filteredConfig) });
+      if (options.json) {
+        outputJson(result2);
+      } else {
+        displayResults(result2, filteredConfig.settings.maxAgeDays, options.strict);
+      }
+      if (!result2.success) {
+        process.exit(ExitCode.FAILURE);
+        return;
+      }
+      if (options.strict && hasWarnings(result2, filteredConfig.settings.maxAgeDays)) {
+        process.exit(ExitCode.FAILURE);
+        return;
+      }
+      process.exit(ExitCode.SUCCESS);
+      return;
+    }
+    const result = await verifyAttestations({ config: toAttestItConfig(config) });
+    if (options.json) {
+      outputJson(result);
+    } else {
+      displayResults(result, config.settings.maxAgeDays, options.strict);
+    }
+    if (!result.success) {
+      process.exit(ExitCode.FAILURE);
+    }
+    if (options.strict && hasWarnings(result, config.settings.maxAgeDays)) {
+      process.exit(ExitCode.FAILURE);
+    }
+    process.exit(ExitCode.SUCCESS);
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(2);
+  }
+}
+function displayResults(result, maxAgeDays, strict) {
+  log("");
+  if (!result.signatureValid) {
+    error("Signature verification FAILED");
+    log("The attestations file may have been tampered with.");
+    log("");
+  }
+  for (const errorMsg of result.errors) {
+    error(errorMsg);
+  }
+  if (result.errors.length > 0) {
+    log("");
+  }
+  const tableRows = result.suites.map((s) => ({
+    suite: s.suite,
+    status: colorizeStatus(s.status),
+    fingerprint: s.fingerprint.slice(0, 16) + "...",
+    age: formatAgeColumn(s)
+  }));
+  log(formatTable(tableRows));
+  log("");
+  if (result.success) {
+    success("All attestations valid");
+  } else {
+    const needsAttestation = result.suites.filter((s) => s.status !== "VALID");
+    if (needsAttestation.length > 0) {
+      log("Remediation:");
+      for (const suite of needsAttestation) {
+        log(`  attest-it run --suite ${suite.suite}`);
+        if (suite.message) {
+          log(`    ${suite.message}`);
+        }
+      }
+    }
+  }
+  const warningThreshold = 7;
+  const nearExpiry = result.suites.filter(
+    (s) => s.status === "VALID" && (s.age ?? 0) > maxAgeDays - warningThreshold
+  );
+  if (nearExpiry.length > 0) {
+    log("");
+    for (const suite of nearExpiry) {
+      warn(`${suite.suite} attestation approaching expiry (${String(suite.age)} days old)`);
+    }
+    if (strict) {
+      log("(--strict mode: warnings are treated as errors)");
+    }
+  }
+}
+function formatAgeColumn(s) {
+  if (s.status === "VALID") {
+    return `${String(s.age ?? 0)} days`;
+  }
+  if (s.status === "NEEDS_ATTESTATION") {
+    return "(none)";
+  }
+  if (s.status === "EXPIRED") {
+    return `${String(s.age ?? 0)} days (expired)`;
+  }
+  if (s.status === "FINGERPRINT_CHANGED") {
+    return "(changed)";
+  }
+  if (s.status === "INVALIDATED_BY_PARENT") {
+    return "(invalidated)";
+  }
+  return "-";
+}
+function hasWarnings(result, maxAgeDays) {
+  const warningThreshold = 7;
+  return result.suites.some(
+    (s) => s.status === "VALID" && (s.age ?? 0) > maxAgeDays - warningThreshold
+  );
+}
+
+// src/index.ts
+var program = new Command();
+program.name("attest-it").description("Human-gated test attestation system").version("0.0.1").option("-c, --config <path>", "Path to config file").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Minimal output");
+program.addCommand(initCommand);
+program.addCommand(statusCommand);
+program.addCommand(runCommand);
+program.addCommand(keygenCommand);
+program.addCommand(pruneCommand);
+program.addCommand(verifyCommand);
+function run() {
+  program.parse();
+  const options = program.opts();
+  const outputOptions = {};
+  if (options.verbose !== void 0) {
+    outputOptions.verbose = options.verbose;
+  }
+  if (options.quiet !== void 0) {
+    outputOptions.quiet = options.quiet;
+  }
+  setOutputOptions(outputOptions);
+}
+
+export { program, run };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map