@baselineos/cli 0.1.0

package/in/.baseline/govern/audit-trail.json

@@ -0,0 +1,61 @@
+[
+  {
+    "id": "audit-1775397759527-609",
+    "type": "policy_created",
+    "actor": "system",
+    "policyId": "policy-1775397759527",
+    "details": {
+      "policyId": "policy-1775397759527",
+      "name": "baseline-default"
+    },
+    "timestamp": "2026-04-05T14:02:39.527Z"
+  },
+  {
+    "id": "audit-1775397759528-689",
+    "type": "policy_approved",
+    "actor": "baseline-cli",
+    "policyId": "policy-1775397759527",
+    "details": {
+      "policyId": "policy-1775397759527"
+    },
+    "timestamp": "2026-04-05T14:02:39.528Z"
+  },
+  {
+    "id": "audit-1775397759528-276",
+    "type": "policy_evaluated",
+    "actor": "system",
+    "policyId": "policy-1775397759527",
+    "details": {
+      "policyId": "policy-1775397759527",
+      "passed": true,
+      "enforcementAction": "allow",
+      "violationCount": 0
+    },
+    "timestamp": "2026-04-05T14:02:39.528Z"
+  },
+  {
+    "id": "audit-1775397759528-276",
+    "type": "policy_enforced",
+    "actor": "system",
+    "policyId": "policy-1775397759527",
+    "resourceId": "./in",
+    "details": {
+      "policyId": "policy-1775397759527",
+      "resourceId": "./in",
+      "enforcementAction": "allow"
+    },
+    "timestamp": "2026-04-05T14:02:39.528Z"
+  },
+  {
+    "id": "audit-1775397759530-271",
+    "type": "compliance_checked",
+    "actor": "system",
+    "details": {
+      "complianceId": "compliance-1775397759530",
+      "standard": "ISO27001",
+      "compliant": true,
+      "violationCount": 0
+    },
+    "timestamp": "2026-04-05T14:02:39.530Z"
+  }
+]

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@baselineos/cli",
+  "version": "0.1.0",
+  "description": "Baseline Protocol - Command Line Interface",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "baseline": "dist/cli.js"
+  },
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@baselineos/lang": "0.1.0",
+    "@baselineos/protocol-core": "1.0.0",
+    "@baselineos/frame": "0.1.0",
+    "@baselineos/studio": "0.1.0",
+    "@baselineos/experience": "0.1.0",
+    "@baselineos/govern": "1.0.0",
+    "@baselineos/autonomy": "0.1.0",
+    "@baselineos/persona": "0.1.0",
+    "baselineos": "0.2.0-beta.1"
+  },
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.0"
+  },
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts src/cli.ts --format esm,cjs --dts",
+    "dev": "tsup src/index.ts src/cli.ts --format esm,cjs --dts --watch",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  }
+}

package/src/__tests__/badge.test.ts

@@ -0,0 +1,93 @@
+/**
+ * Tests for Baseline-governed trust signal badge
+ * Sprint 40
+ */
+import { describe, it, expect } from 'vitest';
+import { generateBadge, validateBadge, formatBadgeText } from '../badge.js';
+
+describe('Badge Generation', () => {
+  it('generates a valid badge', () => {
+    const badge = generateBadge({ subject: 'my-app' });
+    expect(badge.governedBy).toBe('baseline-protocol');
+    expect(badge.subject).toBe('my-app');
+    expect(badge.version).toBe('1.0.0');
+    expect(badge.verificationHash.length).toBeGreaterThanOrEqual(16);
+    expect(badge.issuedAt).toBeDefined();
+    expect(badge.expiresAt).toBeDefined();
+  });
+
+  it('includes specified standards', () => {
+    const badge = generateBadge({
+      subject: 'trade-platform',
+      standards: ['AFCFTA-ROO', 'COCOBOD-GRADING'],
+    });
+    expect(badge.standards).toEqual(['AFCFTA-ROO', 'COCOBOD-GRADING']);
+  });
+
+  it('uses custom issuer', () => {
+    const badge = generateBadge({ subject: 'app', issuer: 'gtcx-authority' });
+    expect(badge.issuer).toBe('gtcx-authority');
+  });
+
+  it('defaults to 90-day validity', () => {
+    const badge = generateBadge({ subject: 'app' });
+    const issued = new Date(badge.issuedAt);
+    const expires = new Date(badge.expiresAt);
+    const days = (expires.getTime() - issued.getTime()) / 86_400_000;
+    expect(Math.round(days)).toBe(90);
+  });
+
+  it('accepts custom validity period', () => {
+    const badge = generateBadge({ subject: 'app', validityDays: 30 });
+    const issued = new Date(badge.issuedAt);
+    const expires = new Date(badge.expiresAt);
+    const days = (expires.getTime() - issued.getTime()) / 86_400_000;
+    expect(Math.round(days)).toBe(30);
+  });
+});
+
+describe('Badge Validation', () => {
+  it('validates a good badge', () => {
+    const badge = generateBadge({ subject: 'app' });
+    expect(validateBadge(badge).valid).toBe(true);
+  });
+
+  it('rejects non-baseline badge', () => {
+    const badge = generateBadge({ subject: 'app' });
+    (badge as any).governedBy = 'other';
+    expect(validateBadge(badge).valid).toBe(false);
+  });
+
+  it('rejects expired badge', () => {
+    const badge = generateBadge({ subject: 'app', validityDays: 0 });
+    badge.expiresAt = new Date(Date.now() - 1000).toISOString();
+    const result = validateBadge(badge);
+    expect(result.valid).toBe(false);
+    expect(result.reason).toContain('expired');
+  });
+
+  it('rejects missing hash', () => {
+    const badge = generateBadge({ subject: 'app' });
+    badge.verificationHash = '';
+    expect(validateBadge(badge).valid).toBe(false);
+  });
+
+  it('rejects missing subject', () => {
+    const badge = generateBadge({ subject: 'app' });
+    badge.subject = '';
+    expect(validateBadge(badge).valid).toBe(false);
+  });
+});
+
+describe('Badge Formatting', () => {
+  it('formats badge as text', () => {
+    const badge = generateBadge({
+      subject: 'cocoa-trade-platform',
+      standards: ['AFCFTA-ROO'],
+    });
+    const text = formatBadgeText(badge);
+    expect(text).toContain('Baseline-Governed');
+    expect(text).toContain('cocoa-trade-platform');
+    expect(text).toContain('AFCFTA-ROO');
+  });
+});

package/src/__tests__/cli.test.ts

@@ -0,0 +1,22 @@
+import { describe, it, expect } from 'vitest';
+import { buildCommandLine } from '../cli.js';
+
+describe('cli buildCommandLine', () => {
+  it('returns empty string for no args', () => {
+    expect(buildCommandLine([])).toBe('');
+  });
+
+  it('prefixes bare commands with --', () => {
+    expect(buildCommandLine(['status'])).toBe('--status');
+  });
+
+  it('preserves full argument line for option forwarding', () => {
+    const args = ['baseline', '--context', './proj', '--mode', 'production'];
+    expect(buildCommandLine(args)).toBe('--baseline --context ./proj --mode production');
+  });
+
+  it('does not double-prefix when command already starts with --', () => {
+    const args = ['--baseline', '--context', './proj'];
+    expect(buildCommandLine(args)).toBe('--baseline --context ./proj');
+  });
+});

package/src/__tests__/commands.test.ts

@@ -0,0 +1,178 @@
+import { describe, it, expect, vi } from 'vitest';
+import { BaselineCommandSystem } from '../commands.js';
+import { mkdtemp, rm, mkdir, writeFile, readFile } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+
+describe('BaselineCommandSystem option parsing', () => {
+  it('forwards options into the workflow layers', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+
+    const system = new BaselineCommandSystem();
+    const result = await system.executeCommand(
+      '--baseline --context /tmp/baseline --mode production --input ./in --output ./out'
+    );
+
+    logSpy.mockRestore();
+
+    expect(result.success).toBe(true);
+
+    if ('results' in result && result.results) {
+      const results = result.results as {
+        init: { contextPath: string; mode: string };
+        lang: { inputPath: string; outputPath: string };
+      };
+      expect(results.init.contextPath).toBe('/tmp/baseline');
+      expect(results.init.mode).toBe('production');
+      expect(results.lang.inputPath).toBe('./in');
+      expect(results.lang.outputPath).toBe('./out');
+    } else {
+      throw new Error('Expected workflow results');
+    }
+  });
+
+  it('runs the onboarding flow and returns ids', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+
+    const system = new BaselineCommandSystem();
+    const result = await system.executeCommand(
+      '--onboard --name Amani --role Engineer --company GTCX --team Acme --project Demo --language en --learning-style visual --pace fast --focus practical --learning-path standard --context /tmp/baseline --skip-workflow'
+    );
+
+    logSpy.mockRestore();
+
+    expect(result.success).toBe(true);
+
+    const onboarding = (result as {
+      onboarding?: {
+        user?: { name?: string; role?: string };
+        preferences?: { language?: string; learningStyle?: string; pace?: string };
+        team?: { teamId?: string };
+        project?: { projectId?: string };
+      };
+    }).onboarding;
+    expect(onboarding?.team?.teamId).toBeDefined();
+    expect(onboarding?.project?.projectId).toBeDefined();
+    expect(onboarding?.user?.name).toBe('Amani');
+    expect(onboarding?.user?.role).toBe('Engineer');
+    expect(onboarding?.preferences?.language).toBe('en');
+    expect(onboarding?.preferences?.learningStyle).toBe('visual');
+    expect(onboarding?.preferences?.pace).toBe('fast');
+  });
+
+  it('runs experience flow and records completion', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+    const tmpDir = await mkdtemp(path.join(os.tmpdir(), 'baseline-exp-'));
+
+    try {
+      const system = new BaselineCommandSystem();
+      const result = await system.executeCommand(
+        `--experience --learning-path standard --context ${tmpDir} --fresh`
+      );
+
+      logSpy.mockRestore();
+
+      expect(result.success).toBe(true);
+      const experience = (result as {
+        experience?: { path?: string; experiences?: Array<{ id?: string }> };
+      }).experience;
+      expect(experience?.path).toBe('standard');
+      expect(experience?.experiences?.length).toBeGreaterThan(0);
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  it('updates config language and persists baseline config', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+    const tmpDir = await mkdtemp(path.join(os.tmpdir(), 'baseline-config-'));
+
+    try {
+      const system = new BaselineCommandSystem();
+      const result = await system.executeCommand(
+        `--config language --set en --context ${tmpDir}`
+      );
+
+      logSpy.mockRestore();
+
+      expect(result.success).toBe(true);
+      const config = (result as { config?: { language?: string } }).config;
+      expect(config?.language).toBe('en');
+
+      const configPath = path.join(tmpDir, '.baseline', 'baseline.config.json');
+      const raw = await readFile(configPath, 'utf8');
+      const saved = JSON.parse(raw) as { language?: string };
+      expect(saved.language).toBe('en');
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  it('indexes docs and writes index file', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+    const tmpDir = await mkdtemp(path.join(os.tmpdir(), 'baseline-index-'));
+
+    try {
+      await mkdir(path.join(tmpDir, 'docs'));
+      await writeFile(path.join(tmpDir, 'docs', 'README.md'), '# Doc', 'utf8');
+
+      const system = new BaselineCommandSystem();
+      const result = await system.executeCommand(
+        `--index --paths docs --context ${tmpDir}`
+      );
+
+      logSpy.mockRestore();
+
+      expect(result.success).toBe(true);
+      const indexPath = path.join(tmpDir, '.baseline', 'index.json');
+      const raw = await readFile(indexPath, 'utf8');
+      const saved = JSON.parse(raw) as { total?: number };
+      expect(saved.total).toBeGreaterThan(0);
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  it('runs doctor diagnostics', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+    const tmpDir = await mkdtemp(path.join(os.tmpdir(), 'baseline-doctor-'));
+
+    try {
+      const system = new BaselineCommandSystem();
+      const result = await system.executeCommand(`--doctor --context ${tmpDir}`);
+
+      logSpy.mockRestore();
+
+      expect(result.success).toBe(true);
+      const doctor = result as { score?: number; total?: number };
+      expect(doctor.total).toBeGreaterThan(0);
+      expect(doctor.score).toBeGreaterThanOrEqual(0);
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  it('returns governance evidence for baseline-govern', async () => {
+    const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+    const tmpDir = await mkdtemp(path.join(os.tmpdir(), 'baseline-govern-cli-'));
+
+    try {
+      const system = new BaselineCommandSystem();
+      const result = await system.executeCommand(
+        `--baseline-govern --context ${tmpDir}`
+      );
+
+      logSpy.mockRestore();
+
+      expect(result.success).toBe(true);
+      const typed = result as {
+        evidence?: { auditTrail?: unknown[]; latestEvaluation?: { enforcementAction?: string } };
+      };
+      expect(Array.isArray(typed.evidence?.auditTrail)).toBe(true);
+      expect((typed.evidence?.auditTrail?.length ?? 0)).toBeGreaterThan(0);
+      expect(typed.evidence?.latestEvaluation?.enforcementAction).toBeDefined();
+    } finally {
+      await rm(tmpDir, { recursive: true, force: true });
+    }
+  });
+});

package/src/__tests__/schema.test.ts

@@ -0,0 +1,114 @@
+/**
+ * Tests for JSON Schema validity
+ * Sprint 44
+ */
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+
+const SCHEMAS_DIR = join(__dirname, '../../../../specs/schemas');
+
+function loadSchema(name: string): Record<string, unknown> {
+  const content = readFileSync(join(SCHEMAS_DIR, name), 'utf-8');
+  return JSON.parse(content) as Record<string, unknown>;
+}
+
+describe('JSON Schema Validity', () => {
+  const schemaFiles = [
+    'govern.schema.json',
+    'orchestrator.schema.json',
+    'evidence-bundle.schema.json',
+    'protocol-core.schema.json',
+  ];
+
+  for (const file of schemaFiles) {
+    describe(file, () => {
+      it('is valid JSON', () => {
+        expect(() => loadSchema(file)).not.toThrow();
+      });
+
+      it('has $schema property', () => {
+        const schema = loadSchema(file);
+        expect(schema.$schema).toBeDefined();
+        expect(schema.$schema).toContain('json-schema.org');
+      });
+
+      it('has $id property', () => {
+        const schema = loadSchema(file);
+        expect(schema.$id).toBeDefined();
+        expect(schema.$id).toContain('baselineprotocol.org');
+      });
+
+      it('has title and description', () => {
+        const schema = loadSchema(file);
+        expect(schema.title).toBeDefined();
+        expect(schema.description).toBeDefined();
+      });
+
+      it('has $defs with type definitions', () => {
+        const schema = loadSchema(file);
+        const defs = schema.$defs as Record<string, unknown>;
+        expect(defs).toBeDefined();
+        expect(Object.keys(defs).length).toBeGreaterThan(0);
+      });
+    });
+  }
+});
+
+describe('Protocol Core Schema — Structure', () => {
+  it('defines all three layers', () => {
+    const schema = loadSchema('protocol-core.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(defs.LangBlock).toBeDefined();
+    expect(defs.FrameBlock).toBeDefined();
+    expect(defs.CoreBlock).toBeDefined();
+  });
+
+  it('defines BaselineProgram as root', () => {
+    const schema = loadSchema('protocol-core.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(defs.BaselineProgram).toBeDefined();
+  });
+
+  it('defines knowledge graph types', () => {
+    const schema = loadSchema('protocol-core.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(defs.KnowledgeNode).toBeDefined();
+    expect(defs.KnowledgeRelationship).toBeDefined();
+  });
+
+  it('has at least 40 type definitions', () => {
+    const schema = loadSchema('protocol-core.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(Object.keys(defs).length).toBeGreaterThanOrEqual(40);
+  });
+
+  it('all $ref pointers resolve to defined types', () => {
+    const schema = loadSchema('protocol-core.schema.json');
+    const defs = schema.$defs as Record<string, Record<string, unknown>>;
+    const definedTypes = new Set(Object.keys(defs));
+    const content = JSON.stringify(schema);
+
+    // Extract all internal $ref pointers
+    const refs = content.match(/#\/\$defs\/\w+/g) ?? [];
+    for (const ref of refs) {
+      const typeName = ref.replace('#/$defs/', '');
+      expect(definedTypes.has(typeName), `$ref to undefined type: ${typeName}`).toBe(true);
+    }
+  });
+});
+
+describe('Govern Schema — Structure', () => {
+  it('defines Policy and ComplianceCheck', () => {
+    const schema = loadSchema('govern.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(defs.Policy).toBeDefined();
+    expect(defs.ComplianceCheck).toBeDefined();
+  });
+
+  it('defines audit event types', () => {
+    const schema = loadSchema('govern.schema.json');
+    const defs = schema.$defs as Record<string, unknown>;
+    expect(defs.GovernanceAuditEvent).toBeDefined();
+  });
+});

package/src/__tests__/smoke.test.ts

@@ -0,0 +1,15 @@
+import { describe, it, expect } from 'vitest';
+import { BaselineCommandSystem } from '../index.js';
+
+describe('cli', () => {
+  it('should instantiate BaselineCommandSystem', () => {
+    const cmd = new BaselineCommandSystem();
+    expect(cmd).toBeDefined();
+  });
+
+  it('should report status', () => {
+    const cmd = new BaselineCommandSystem();
+    const status = cmd.getStatus();
+    expect(status).toBeDefined();
+  });
+});

package/src/__tests__/verify.test.ts

@@ -0,0 +1,135 @@
+/**
+ * Tests for baseline verify command
+ * Sprint 39 — Commercial Boundary + Enterprise Package
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { runVerify } from '../verify.js';
+import { writeFileSync, mkdirSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+
+const TMP_DIR = `/tmp/test-verify-${Date.now()}`;
+
+beforeEach(() => {
+  mkdirSync(TMP_DIR, { recursive: true });
+});
+
+afterEach(() => {
+  rmSync(TMP_DIR, { recursive: true, force: true });
+});
+
+describe('baseline verify', () => {
+  it('fails with no arguments', async () => {
+    const result = await runVerify({});
+    expect(result.success).toBe(false);
+    expect(result.failed).toBeGreaterThan(0);
+  });
+
+  it('verifies a valid evidence bundle', async () => {
+    const evidencePath = join(TMP_DIR, 'evidence.json');
+    writeFileSync(evidencePath, JSON.stringify({
+      policy: { id: 'policy-1', name: 'Test Policy' },
+      latestEvaluation: { passed: true, score: 95 },
+      approvals: [{ status: 'approved' }],
+      auditTrail: [
+        { type: 'policy_created', actor: 'admin', timestamp: new Date().toISOString() },
+      ],
+    }));
+
+    const result = await runVerify({ evidencePath });
+    expect(result.success).toBe(true);
+    expect(result.passed).toBeGreaterThan(0);
+    expect(result.hash).toBeDefined();
+  });
+
+  it('fails on missing evidence file', async () => {
+    const result = await runVerify({ evidencePath: '/nonexistent/path.json' });
+    expect(result.success).toBe(false);
+    expect(result.checks.some(c => c.name === 'evidence.exists' && c.status === 'fail')).toBe(true);
+  });
+
+  it('fails on malformed evidence', async () => {
+    const evidencePath = join(TMP_DIR, 'bad.json');
+    writeFileSync(evidencePath, 'not json');
+
+    const result = await runVerify({ evidencePath });
+    expect(result.success).toBe(false);
+    expect(result.checks.some(c => c.status === 'fail')).toBe(true);
+  });
+
+  it('warns on evidence with no policy', async () => {
+    const evidencePath = join(TMP_DIR, 'no-policy.json');
+    writeFileSync(evidencePath, JSON.stringify({ auditTrail: [] }));
+
+    const result = await runVerify({ evidencePath });
+    expect(result.warnings).toBeGreaterThan(0);
+  });
+
+  it('verifies a valid policy file', async () => {
+    const policyPath = join(TMP_DIR, 'policy.json');
+    writeFileSync(policyPath, JSON.stringify({
+      id: 'policy-1',
+      name: 'Test Policy',
+      version: '1.0.0',
+      status: 'approved',
+      rules: [{ id: 'r1', name: 'Rule 1' }],
+    }));
+
+    const result = await runVerify({ policyPath });
+    expect(result.success).toBe(true);
+    expect(result.checks.some(c => c.name === 'policy.identity' && c.status === 'pass')).toBe(true);
+  });
+
+  it('warns on draft policy', async () => {
+    const policyPath = join(TMP_DIR, 'draft.json');
+    writeFileSync(policyPath, JSON.stringify({
+      id: 'p1', name: 'Draft', version: '0.1.0', status: 'draft', rules: [],
+    }));
+
+    const result = await runVerify({ policyPath });
+    expect(result.checks.some(c => c.name === 'policy.status' && c.status === 'warn')).toBe(true);
+  });
+
+  it('verifies a valid audit trail', async () => {
+    const auditPath = join(TMP_DIR, 'audit.json');
+    writeFileSync(auditPath, JSON.stringify([
+      { type: 'policy_created', actor: 'admin', timestamp: '2026-01-01T00:00:00Z' },
+      { type: 'policy_approved', actor: 'admin', timestamp: '2026-01-01T01:00:00Z' },
+    ]));
+
+    const result = await runVerify({ auditTrailPath: auditPath });
+    expect(result.success).toBe(true);
+    expect(result.checks.some(c => c.name === 'audit.order' && c.status === 'pass')).toBe(true);
+  });
+
+  it('warns on unordered audit trail', async () => {
+    const auditPath = join(TMP_DIR, 'unordered.json');
+    writeFileSync(auditPath, JSON.stringify([
+      { type: 'policy_approved', actor: 'admin', timestamp: '2026-01-02T00:00:00Z' },
+      { type: 'policy_created', actor: 'admin', timestamp: '2026-01-01T00:00:00Z' },
+    ]));
+
+    const result = await runVerify({ auditTrailPath: auditPath });
+    expect(result.checks.some(c => c.name === 'audit.order' && c.status === 'warn')).toBe(true);
+  });
+
+  it('verifies all three inputs together', async () => {
+    const policyPath = join(TMP_DIR, 'policy.json');
+    const evidencePath = join(TMP_DIR, 'evidence.json');
+    const auditPath = join(TMP_DIR, 'audit.json');
+
+    writeFileSync(policyPath, JSON.stringify({ id: 'p1', name: 'P', version: '1.0', status: 'enforced', rules: [{ id: 'r1' }] }));
+    writeFileSync(evidencePath, JSON.stringify({ policy: { id: 'p1' }, auditTrail: [{ type: 'policy_created' }] }));
+    writeFileSync(auditPath, JSON.stringify([{ type: 'policy_created', timestamp: '2026-01-01' }]));
+
+    const result = await runVerify({ policyPath, evidencePath, auditTrailPath: auditPath });
+    expect(result.success).toBe(true);
+    expect(result.passed).toBeGreaterThanOrEqual(5);
+    expect(result.hash).toHaveLength(16);
+  });
+
+  it('returns verification timestamp', async () => {
+    const result = await runVerify({});
+    expect(result.verifiedAt).toBeDefined();
+    expect(new Date(result.verifiedAt).getTime()).toBeGreaterThan(0);
+  });
+});