npm - @baselineos/cli - Versions diffs - 0.1.0 - Mend

@baselineos/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/.baseline/govern/audit-trail.json +61 -0
package/.turbo/turbo-build.log +23 -0
package/.turbo/turbo-test.log +80 -0
package/LICENSE +17 -0
package/README.md +19 -0
package/dist/chunk-CCIHFLKI.js +1792 -0
package/dist/cli.cjs +2290 -0
package/dist/cli.d.cts +8 -0
package/dist/cli.d.ts +8 -0
package/dist/cli.js +470 -0
package/dist/index.cjs +3488 -0
package/dist/index.d.cts +616 -0
package/dist/index.d.ts +616 -0
package/dist/index.js +1664 -0
package/in/.baseline/govern/audit-trail.json +61 -0
package/package.json +45 -0
package/src/__tests__/badge.test.ts +93 -0
package/src/__tests__/cli.test.ts +22 -0
package/src/__tests__/commands.test.ts +178 -0
package/src/__tests__/schema.test.ts +114 -0
package/src/__tests__/smoke.test.ts +15 -0
package/src/__tests__/verify.test.ts +135 -0
package/src/badge.ts +88 -0
package/src/cli.ts +314 -0
package/src/commands.ts +2228 -0
package/src/config/megagem-config.json +266 -0
package/src/index.ts +19 -0
package/src/megagem.ts +1800 -0
package/src/verify.ts +254 -0
package/tsconfig.json +8 -0

package/src/verify.ts ADDED Viewed

@@ -0,0 +1,254 @@
+/**
+ * Baseline Verify Command
+ *
+ * Verifies governance policy compliance and evidence bundle integrity.
+ * Used for "Baseline-governed" certification checks.
+ *
+ * Usage:
+ *   baseline verify --policy <path> --evidence <path>
+ *   baseline verify --evidence <path>
+ *   baseline verify --audit-trail <path>
+ */
+import { readFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { createHash } from 'node:crypto';
+export interface VerifyOptions {
+  policyPath?: string;
+  evidencePath?: string;
+  auditTrailPath?: string;
+}
+export interface VerifyCheck {
+  name: string;
+  status: 'pass' | 'fail' | 'warn' | 'skip';
+  message: string;
+}
+export interface VerifyResult {
+  success: boolean;
+  passed: number;
+  failed: number;
+  warnings: number;
+  skipped: number;
+  checks: VerifyCheck[];
+  hash?: string;
+  verifiedAt: string;
+}
+export async function runVerify(options: VerifyOptions): Promise<VerifyResult> {
+  const checks: VerifyCheck[] = [];
+  // Verify evidence bundle
+  if (options.evidencePath) {
+    const evidenceChecks = await verifyEvidenceBundle(options.evidencePath);
+    checks.push(...evidenceChecks);
+  }
+  // Verify policy
+  if (options.policyPath) {
+    const policyChecks = await verifyPolicy(options.policyPath);
+    checks.push(...policyChecks);
+  }
+  // Verify audit trail
+  if (options.auditTrailPath) {
+    const auditChecks = await verifyAuditTrail(options.auditTrailPath);
+    checks.push(...auditChecks);
+  }
+  if (checks.length === 0) {
+    checks.push({
+      name: 'input',
+      status: 'fail',
+      message: 'No files provided. Use --policy, --evidence, or --audit-trail.',
+    });
+  }
+  const passed = checks.filter(c => c.status === 'pass').length;
+  const failed = checks.filter(c => c.status === 'fail').length;
+  const warnings = checks.filter(c => c.status === 'warn').length;
+  const skipped = checks.filter(c => c.status === 'skip').length;
+  // Generate verification hash
+  const hashInput = checks.map(c => `${c.name}:${c.status}:${c.message}`).join('|');
+  const hash = createHash('sha256').update(hashInput).digest('hex').slice(0, 16);
+  return {
+    success: failed === 0,
+    passed,
+    failed,
+    warnings,
+    skipped,
+    checks,
+    hash,
+    verifiedAt: new Date().toISOString(),
+  };
+}
+async function verifyEvidenceBundle(filePath: string): Promise<VerifyCheck[]> {
+  const checks: VerifyCheck[] = [];
+  if (!existsSync(filePath)) {
+    checks.push({ name: 'evidence.exists', status: 'fail', message: `Evidence file not found: ${filePath}` });
+    return checks;
+  }
+  checks.push({ name: 'evidence.exists', status: 'pass', message: 'Evidence file found' });
+  try {
+    const raw = await readFile(filePath, 'utf-8');
+    const bundle = JSON.parse(raw);
+    // Check bundle structure
+    if (bundle.policy) {
+      checks.push({ name: 'evidence.policy', status: 'pass', message: `Policy: ${bundle.policy.name ?? bundle.policy.id}` });
+    } else {
+      checks.push({ name: 'evidence.policy', status: 'warn', message: 'Evidence bundle has no policy reference' });
+    }
+    if (Array.isArray(bundle.auditTrail)) {
+      checks.push({
+        name: 'evidence.auditTrail',
+        status: bundle.auditTrail.length > 0 ? 'pass' : 'warn',
+        message: `Audit trail: ${bundle.auditTrail.length} events`,
+      });
+    } else {
+      checks.push({ name: 'evidence.auditTrail', status: 'fail', message: 'Evidence bundle missing audit trail' });
+    }
+    if (bundle.latestEvaluation) {
+      const eval_ = bundle.latestEvaluation;
+      checks.push({
+        name: 'evidence.evaluation',
+        status: eval_.passed ? 'pass' : 'fail',
+        message: `Evaluation: ${eval_.passed ? 'passed' : 'failed'} (score: ${eval_.score ?? 'N/A'})`,
+      });
+    } else {
+      checks.push({ name: 'evidence.evaluation', status: 'skip', message: 'No evaluation in evidence bundle' });
+    }
+    if (Array.isArray(bundle.approvals)) {
+      const approved = bundle.approvals.filter((a: { status: string }) => a.status === 'approved');
+      checks.push({
+        name: 'evidence.approvals',
+        status: 'pass',
+        message: `Approvals: ${approved.length}/${bundle.approvals.length} approved`,
+      });
+    }
+    // Integrity hash
+    const contentHash = createHash('sha256').update(raw).digest('hex');
+    checks.push({ name: 'evidence.integrity', status: 'pass', message: `SHA-256: ${contentHash.slice(0, 16)}...` });
+  } catch (error) {
+    checks.push({
+      name: 'evidence.parse',
+      status: 'fail',
+      message: `Failed to parse evidence: ${error instanceof Error ? error.message : String(error)}`,
+    });
+  }
+  return checks;
+}
+async function verifyPolicy(filePath: string): Promise<VerifyCheck[]> {
+  const checks: VerifyCheck[] = [];
+  if (!existsSync(filePath)) {
+    checks.push({ name: 'policy.exists', status: 'fail', message: `Policy file not found: ${filePath}` });
+    return checks;
+  }
+  checks.push({ name: 'policy.exists', status: 'pass', message: 'Policy file found' });
+  try {
+    const raw = await readFile(filePath, 'utf-8');
+    const policy = JSON.parse(raw);
+    if (policy.id && policy.name) {
+      checks.push({ name: 'policy.identity', status: 'pass', message: `Policy: ${policy.name} (${policy.id})` });
+    } else {
+      checks.push({ name: 'policy.identity', status: 'fail', message: 'Policy missing id or name' });
+    }
+    if (policy.status === 'approved' || policy.status === 'enforced') {
+      checks.push({ name: 'policy.status', status: 'pass', message: `Status: ${policy.status}` });
+    } else {
+      checks.push({ name: 'policy.status', status: 'warn', message: `Policy status is ${policy.status ?? 'unknown'}, not approved/enforced` });
+    }
+    if (policy.version) {
+      checks.push({ name: 'policy.version', status: 'pass', message: `Version: ${policy.version}` });
+    } else {
+      checks.push({ name: 'policy.version', status: 'warn', message: 'Policy has no version' });
+    }
+    if (Array.isArray(policy.rules) && policy.rules.length > 0) {
+      checks.push({ name: 'policy.rules', status: 'pass', message: `${policy.rules.length} rules defined` });
+    } else {
+      checks.push({ name: 'policy.rules', status: 'warn', message: 'Policy has no rules defined' });
+    }
+  } catch (error) {
+    checks.push({
+      name: 'policy.parse',
+      status: 'fail',
+      message: `Failed to parse policy: ${error instanceof Error ? error.message : String(error)}`,
+    });
+  }
+  return checks;
+}
+async function verifyAuditTrail(filePath: string): Promise<VerifyCheck[]> {
+  const checks: VerifyCheck[] = [];
+  if (!existsSync(filePath)) {
+    checks.push({ name: 'audit.exists', status: 'fail', message: `Audit trail not found: ${filePath}` });
+    return checks;
+  }
+  checks.push({ name: 'audit.exists', status: 'pass', message: 'Audit trail found' });
+  try {
+    const raw = await readFile(filePath, 'utf-8');
+    const events = JSON.parse(raw);
+    if (!Array.isArray(events)) {
+      checks.push({ name: 'audit.format', status: 'fail', message: 'Audit trail is not an array' });
+      return checks;
+    }
+    checks.push({ name: 'audit.count', status: 'pass', message: `${events.length} audit events` });
+    // Check chronological ordering
+    let ordered = true;
+    for (let i = 1; i < events.length; i++) {
+      if (events[i].timestamp < events[i - 1].timestamp) {
+        ordered = false;
+        break;
+      }
+    }
+    checks.push({
+      name: 'audit.order',
+      status: ordered ? 'pass' : 'warn',
+      message: ordered ? 'Events are chronologically ordered' : 'Events are NOT chronologically ordered',
+    });
+    // Check event types
+    const types = new Set(events.map((e: { type: string }) => e.type));
+    checks.push({ name: 'audit.types', status: 'pass', message: `Event types: ${Array.from(types).join(', ')}` });
+    // Integrity
+    const contentHash = createHash('sha256').update(raw).digest('hex');
+    checks.push({ name: 'audit.integrity', status: 'pass', message: `SHA-256: ${contentHash.slice(0, 16)}...` });
+  } catch (error) {
+    checks.push({
+      name: 'audit.parse',
+      status: 'fail',
+      message: `Failed to parse audit trail: ${error instanceof Error ? error.message : String(error)}`,
+    });
+  }
+  return checks;
+}

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src/**/*.ts"]
+}