@better-internet/oss-verify 0.1.0-draft

package/dist/src/checks/sbom/python.js

@@ -0,0 +1,240 @@
+// Python ecosystem detector.
+//
+// Lockfile precedence (first match wins; we don't merge across managers):
+//   1. uv.lock                 — TOML, modern uv format
+//   2. poetry.lock             — TOML, Poetry format
+//   3. Pipfile.lock            — JSON, Pipenv
+//   4. requirements.txt        — line-oriented, vanilla pip
+//
+// License lookup via PyPI's JSON API:
+//   GET https://pypi.org/pypi/<name>/<version>/json
+//   -> { info: { license: <string>, classifiers: [...] } }
+//
+// Many packages declare `info.license` as free-form ("MIT", "MIT License",
+// "BSD-3-Clause" or worse, "see LICENSE file"). The Trove classifiers
+// `License :: OSI Approved :: <name>` are far more reliable; we prefer
+// them and fall back to the free-form field.
+//
+// Concurrency-limited + memoised, same pattern as cargo + go detectors.
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+const PYPI = "https://pypi.org/pypi";
+const PYPI_CONCURRENCY = 4;
+const USER_AGENT = "oss-verify/0.1 (https://github.com/better-internet-org/oss-verify)";
+// SPDX identifiers for the classifiers PyPI lists. Sparse list — covers the
+// common cases; falls through to free-form `info.license` parsing otherwise.
+const CLASSIFIER_TO_SPDX = {
+    "License :: OSI Approved :: MIT License": "MIT",
+    "License :: OSI Approved :: BSD License": "BSD-3-Clause",
+    "License :: OSI Approved :: Apache Software License": "Apache-2.0",
+    "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)": "MPL-2.0",
+    "License :: OSI Approved :: Mozilla Public License 1.1 (MPL 1.1)": "MPL-1.1",
+    "License :: OSI Approved :: GNU General Public License v2 (GPLv2)": "GPL-2.0-only",
+    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)": "GPL-3.0-only",
+    "License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)": "GPL-2.0-or-later",
+    "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)": "GPL-3.0-or-later",
+    "License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)": "LGPL-2.0-only",
+    "License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)": "LGPL-3.0-only",
+    "License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)": "LGPL-2.0-or-later",
+    "License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)": "LGPL-3.0-or-later",
+    "License :: OSI Approved :: ISC License (ISCL)": "ISC",
+    "License :: OSI Approved :: Python Software Foundation License": "PSF-2.0",
+    "License :: OSI Approved :: GNU Affero General Public License v3": "AGPL-3.0-only",
+    "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)": "AGPL-3.0-or-later",
+    "License :: OSI Approved :: Zope Public License": "ZPL-2.1",
+    "License :: OSI Approved :: Common Public License": "CPL-1.0",
+    "License :: OSI Approved :: Eclipse Public License 1.0 (EPL-1.0)": "EPL-1.0",
+    "License :: OSI Approved :: Eclipse Public License 2.0 (EPL-2.0)": "EPL-2.0",
+};
+export async function detect(ctx) {
+    const detected = pickLockfile(ctx.repoRoot);
+    if (!detected) {
+        // We saw a marker file (pyproject.toml, etc.) but no parseable lockfile.
+        // Fall back to "not implemented for this layout" rather than silently passing.
+        if (anyPythonMarker(ctx.repoRoot)) {
+            return {
+                ecosystem: "python",
+                components: [],
+                missing: [
+                    "Python project detected but no supported lockfile found (uv.lock, poetry.lock, Pipfile.lock, requirements.txt). Run your package manager to materialise one before re-running.",
+                ],
+            };
+        }
+        return null;
+    }
+    let pairs;
+    try {
+        pairs = detected.parser(readFileSync(detected.path, "utf8"));
+    }
+    catch (e) {
+        return {
+            ecosystem: "python",
+            components: [],
+            missing: [`${detected.kind} parse failed: ${e.message}`],
+        };
+    }
+    if (pairs.length === 0) {
+        return {
+            ecosystem: "python",
+            components: [],
+            missing: [],
+            details: `${detected.kind}: no deps`,
+        };
+    }
+    const components = [];
+    const missing = [];
+    const queue = [...pairs];
+    const workers = Array.from({ length: PYPI_CONCURRENCY }, async () => {
+        while (queue.length > 0) {
+            const p = queue.shift();
+            if (!p)
+                break;
+            const license = await fetchPypiLicense(p.name, p.version);
+            if (license === undefined) {
+                missing.push(`${p.name}@${p.version}`);
+                continue;
+            }
+            components.push({
+                name: p.name,
+                version: p.version,
+                license,
+                purl: `pkg:pypi/${p.name.toLowerCase()}@${p.version}`,
+            });
+        }
+    });
+    await Promise.all(workers);
+    components.sort((a, b) => a.name === b.name ? (a.version < b.version ? -1 : 1) : a.name < b.name ? -1 : 1);
+    return { ecosystem: "python", components, missing };
+}
+function pickLockfile(root) {
+    const cands = [
+        ["uv.lock", parseTomlLockPackages],
+        ["poetry.lock", parseTomlLockPackages],
+        ["Pipfile.lock", parsePipfileLock],
+        ["requirements.txt", parseRequirementsTxt],
+    ];
+    for (const [kind, parser] of cands) {
+        const p = join(root, kind);
+        if (existsSync(p))
+            return { kind, path: p, parser };
+    }
+    return null;
+}
+function anyPythonMarker(root) {
+    for (const f of ["pyproject.toml", "setup.py", "Pipfile", "requirements.txt"]) {
+        if (existsSync(join(root, f)))
+            return true;
+    }
+    return false;
+}
+/**
+ * Minimal TOML lock-package parser shared by uv.lock + poetry.lock. Both
+ * use the same `[[package]] / name = "..." / version = "..."` shape. We
+ * don't pull in a TOML library — the format is machine-generated and
+ * stable, so a regex over `[[package]]` blocks is sufficient.
+ *
+ * Skips entries whose `category = "dev"` (poetry) when present. uv.lock
+ * doesn't have a category field for the lockfile structure as of writing;
+ * its dev-deps are still listed and we conservatively include them, same
+ * as the cargo detector's runtime-vs-dev tradeoff.
+ */
+function parseTomlLockPackages(text) {
+    const out = [];
+    const seen = new Set();
+    const blocks = text.split(/^\[\[package\]\]\s*$/m);
+    for (let i = 1; i < blocks.length; i++) {
+        const block = blocks[i];
+        const name = matchField(block, "name");
+        const version = matchField(block, "version");
+        const category = matchField(block, "category");
+        if (!name || !version)
+            continue;
+        if (category === "dev")
+            continue;
+        const key = `${name}@${version}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push({ name, version });
+    }
+    return out;
+}
+function matchField(block, field) {
+    const m = block.match(new RegExp(`^${field}\\s*=\\s*"([^"]+)"`, "m"));
+    return m ? m[1] : null;
+}
+function parsePipfileLock(text) {
+    const data = JSON.parse(text);
+    const out = [];
+    for (const [name, entry] of Object.entries(data.default ?? {})) {
+        // `version` is in the form `==1.2.3`. Strip the leading `==` if present.
+        const v = (entry.version ?? "").replace(/^==/, "");
+        if (v)
+            out.push({ name, version: v });
+    }
+    return out;
+}
+function parseRequirementsTxt(text) {
+    const out = [];
+    const seen = new Set();
+    for (const raw of text.split("\n")) {
+        const line = raw.split("#", 1)[0].trim();
+        if (!line || line.startsWith("-") || line.startsWith("--"))
+            continue;
+        // Accept `name==version`. `~=` and `>=` are ranges; pip doesn't pin them
+        // without a lockfile — skip them rather than guessing.
+        const m = line.match(/^([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+]+)/);
+        if (!m)
+            continue;
+        const key = `${m[1]}@${m[2]}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push({ name: m[1], version: m[2] });
+    }
+    return out;
+}
+const licenseCache = new Map();
+async function fetchPypiLicense(name, version) {
+    const key = `${name.toLowerCase()}@${version}`;
+    if (licenseCache.has(key))
+        return licenseCache.get(key);
+    try {
+        const url = `${PYPI}/${encodeURIComponent(name)}/${encodeURIComponent(version)}/json`;
+        const res = await fetch(url, {
+            headers: { accept: "application/json", "user-agent": USER_AGENT },
+        });
+        if (!res.ok) {
+            licenseCache.set(key, undefined);
+            return undefined;
+        }
+        const data = (await res.json());
+        // Prefer Trove classifiers — more reliable + maps cleanly to SPDX.
+        const classifiers = data.info?.classifiers ?? [];
+        const spdxFromClassifiers = classifiers
+            .map((c) => CLASSIFIER_TO_SPDX[c])
+            .filter((v) => Boolean(v));
+        if (spdxFromClassifiers.length > 0) {
+            const expr = spdxFromClassifiers.length === 1
+                ? spdxFromClassifiers[0]
+                : `(${[...new Set(spdxFromClassifiers)].join(" OR ")})`;
+            licenseCache.set(key, expr);
+            return expr;
+        }
+        // Fall back to free-form `info.license`. Often this is a valid SPDX
+        // expression already ("MIT", "Apache-2.0"); occasionally it's a sentence
+        // ("see LICENSE"). The SPDX parser will reject the latter — which is
+        // the right outcome per SPEC §3.3.
+        const free = data.info?.license?.trim();
+        if (free && free.length > 0 && !/\s{2,}|\.|see /i.test(free)) {
+            licenseCache.set(key, free);
+            return free;
+        }
+        licenseCache.set(key, undefined);
+        return undefined;
+    }
+    catch {
+        licenseCache.set(key, undefined);
+        return undefined;
+    }
+}

package/dist/src/checks/sbom/types.js

@@ -0,0 +1,10 @@
+// SBOM ecosystem detector contract.
+//
+// Each detector inspects the repo root for ecosystem-specific manifest files
+// and returns either:
+//   - `null` if no ecosystem-specific manifests are present
+//   - a `DetectorResult` describing what was found + the component list
+//
+// The orchestrator (../sbom.ts) runs detectors in order and combines results.
+// If multiple detectors match, the SBOM is multi-ecosystem.
+export {};

package/dist/src/checks/sbom.js

@@ -0,0 +1,173 @@
+// SBOM dependency-license check (SPEC §3.3).
+//
+// Orchestrates per-ecosystem detectors:
+//   - sbom/javascript.ts — node_modules walk via Node resolution
+//   - sbom/cargo.ts      — Cargo.lock + crates.io license lookup
+//   - sbom/go.ts         — go.mod (detection-only stub)
+//   - sbom/python.ts     — pyproject.toml/poetry/uv/pip (detection-only stub)
+//
+// Per SPEC §3.3 the SBOM MUST cover direct + transitive runtime dependencies,
+// every package MUST declare at least one OSI-approved license, and the
+// output MUST be reproducible from (SHA, cli_version). The CycloneDX 1.5
+// output here is canonical-JSON serialised (no serialNumber, sorted keys
+// + components).
+//
+// Multi-ecosystem repos (e.g. JS + Rust in the same root) produce a single
+// SBOM merging components from all detectors that matched. Repos with no
+// detected ecosystem fail closed — silently passing would hide a real gap.
+import parseSpdx from "spdx-expression-parse";
+import { sha256Hex } from "../hash.js";
+import { fetchOsiApprovedIds, leafIdentifiers } from "./osi-license.js";
+import { detect as detectCargo } from "./sbom/cargo.js";
+import { detect as detectGo } from "./sbom/go.js";
+import { detect as detectJavascript } from "./sbom/javascript.js";
+import { detect as detectPython } from "./sbom/python.js";
+const DETECTORS = [detectJavascript, detectCargo, detectGo, detectPython];
+export async function checkSbom(ctx) {
+    const detections = [];
+    for (const d of DETECTORS) {
+        const r = await d(ctx);
+        if (r)
+            detections.push(r);
+    }
+    const meta = { name: ctx.repoUrl, version: "0.0.0" };
+    if (detections.length === 0) {
+        return fail("No supported ecosystem detected at the repo root. Supported today: JavaScript/Node " +
+            "(package.json) and Cargo (Cargo.lock). Go and Python are tracked as follow-up work " +
+            "and currently fail closed.", ctx, meta, []);
+    }
+    const allMissing = [];
+    const allComponents = [];
+    for (const det of detections) {
+        allMissing.push(...det.missing);
+        allComponents.push(...det.components);
+    }
+    // Sort by (purl) so output is deterministic across detector orderings.
+    allComponents.sort((a, b) => (a.purl < b.purl ? -1 : a.purl > b.purl ? 1 : 0));
+    const sbom = buildCycloneDx(ctx, meta, allComponents);
+    const sbomHash = sha256Hex(canonicalJson(sbom));
+    if (allMissing.length > 0) {
+        return {
+            result: {
+                pass: false,
+                details: `${allMissing.length} unresolved entr${allMissing.length === 1 ? "y" : "ies"}: ${allMissing.slice(0, 5).join(" | ")}${allMissing.length > 5 ? `, +${allMissing.length - 5} more` : ""}`,
+            },
+            sbomHash,
+            sbomFormat: "cyclonedx-1.5",
+            sbomUri: null,
+        };
+    }
+    if (allComponents.length === 0) {
+        return {
+            result: {
+                pass: true,
+                details: `${detections.map((d) => d.ecosystem).join("+")}: no runtime deps`,
+            },
+            sbomHash,
+            sbomFormat: "cyclonedx-1.5",
+            sbomUri: null,
+        };
+    }
+    const osi = await fetchOsiApprovedIds();
+    const violations = [];
+    const noLicense = [];
+    for (const c of allComponents) {
+        if (!c.license) {
+            noLicense.push(`${c.name}@${c.version}`);
+            continue;
+        }
+        const verdict = checkLicenseExpression(c.license, osi.ids);
+        if (!verdict.ok)
+            violations.push(`${c.name}@${c.version}: ${verdict.reason}`);
+    }
+    if (noLicense.length > 0 || violations.length > 0) {
+        const details = [
+            noLicense.length > 0
+                ? `${noLicense.length} packages declare no license: ${noLicense.slice(0, 5).join(", ")}${noLicense.length > 5 ? `, +${noLicense.length - 5} more` : ""}`
+                : null,
+            violations.length > 0
+                ? `${violations.length} packages with non-OSI licenses:\n  ${violations.slice(0, 10).join("\n  ")}`
+                : null,
+        ]
+            .filter(Boolean)
+            .join("\n");
+        return {
+            result: { pass: false, details },
+            sbomHash,
+            sbomFormat: "cyclonedx-1.5",
+            sbomUri: null,
+        };
+    }
+    return {
+        result: {
+            pass: true,
+            details: `${allComponents.length} runtime deps (${detections.map((d) => d.ecosystem).join("+")}), all OSI-approved`,
+        },
+        sbomHash,
+        sbomFormat: "cyclonedx-1.5",
+        sbomUri: null,
+    };
+}
+function checkLicenseExpression(expr, osiIds) {
+    let parsed;
+    try {
+        parsed = parseSpdx(expr);
+    }
+    catch (e) {
+        return {
+            ok: false,
+            reason: `'${expr}' is not a valid SPDX expression: ${e.message}`,
+        };
+    }
+    const leaves = leafIdentifiers(parsed);
+    if (leaves.length === 0)
+        return { ok: false, reason: `no SPDX identifiers in '${expr}'` };
+    const nonOsi = leaves.filter((id) => !osiIds.has(id));
+    if (nonOsi.length > 0)
+        return { ok: false, reason: `non-OSI leaves: ${nonOsi.join(", ")}` };
+    return { ok: true };
+}
+function buildCycloneDx(ctx, meta, components) {
+    return {
+        bomFormat: "CycloneDX",
+        specVersion: "1.5",
+        version: 1,
+        metadata: {
+            component: {
+                type: "application",
+                name: meta.name,
+                version: meta.version,
+                purl: `pkg:generic/${encodeURIComponent(meta.name)}@${meta.version}`,
+                externalReferences: [{ type: "vcs", url: ctx.repoUrl }],
+            },
+        },
+        components: components.map((c) => ({
+            type: "library",
+            name: c.name,
+            version: c.version,
+            purl: c.purl,
+            ...(c.license ? { licenses: [{ expression: c.license }] } : { licenses: [] }),
+        })),
+    };
+}
+function canonicalJson(value) {
+    return JSON.stringify(value, (_k, v) => {
+        if (v && typeof v === "object" && !Array.isArray(v)) {
+            const keys = Object.keys(v).sort();
+            const sorted = {};
+            for (const k of keys)
+                sorted[k] = v[k];
+            return sorted;
+        }
+        return v;
+    });
+}
+function fail(details, ctx, meta, components) {
+    const sbom = buildCycloneDx(ctx, meta, components);
+    return {
+        result: { pass: false, details },
+        sbomHash: sha256Hex(canonicalJson(sbom)),
+        sbomFormat: "cyclonedx-1.5",
+        sbomUri: null,
+    };
+}

package/dist/src/cli.mjs

@@ -0,0 +1,225 @@
+#!/usr/bin/env node
+import { resolve } from "node:path";
+import { checkNoProprietaryBlobs } from "./checks/blobs.js";
+import { runLlmAudit } from "./checks/llm-audit.js";
+import { checkOsiLicense } from "./checks/osi-license.js";
+import { checkReuse } from "./checks/reuse.js";
+import { checkSbom } from "./checks/sbom.js";
+import { commitSha, defaultBranch, repoUrlFromRemote } from "./git.js";
+import { buildPredicate } from "./predicate.js";
+function parseArgs(argv) {
+    const args = {
+        repoRoot: process.cwd(),
+        output: "report",
+        skipSbom: false,
+        reportJson: false,
+    };
+    for (let i = 2; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === "--repo")
+            args.repoRoot = resolve(argv[++i] ?? ".");
+        else if (a === "--repo-url")
+            args.repoUrl = argv[++i];
+        else if (a === "--output")
+            args.output = argv[++i];
+        else if (a === "--skip-sbom")
+            args.skipSbom = true;
+        else if (a === "--report-json")
+            args.reportJson = true;
+        else if (a === "--help" || a === "-h") {
+            printHelp();
+            process.exit(0);
+        }
+        else {
+            console.error(`unknown flag: ${a}`);
+            printHelp();
+            process.exit(2);
+        }
+    }
+    return args;
+}
+function printHelp() {
+    console.log(`oss-verify — deterministic OSS-compliance attestation CLI
+
+Usage:
+  oss-verify [options]
+
+Options:
+  --repo <path>        Repository root (default: cwd)
+  --repo-url <url>     Override repo URL (default: derived from git remote)
+  --output <mode>      'report' (human, default) | 'predicate' (in-toto JSON) | 'both'
+  --skip-sbom          Pass the SBOM check (use only for non-JS projects until
+                       other-ecosystem detectors ship)
+  --report-json        INTERNAL/preview mode. Runs the full conformant
+                       pipeline (deterministic + LLM) and emits a JSON status
+                       report instead of a predicate; always exits 0 so the
+                       caller can record fail states. NOT a substitute for
+                       the conformant attestation flow — output is not a
+                       valid predicate and MUST NOT be signed or published as
+                       one. Used by the oss-verified watchlist for monthly
+                       monitoring of tracked projects.
+  -h, --help           Show this help
+
+Required environment:
+  ANTHROPIC_API_KEY    SPEC §7 LLM audit. The CLI exits 1 if missing —
+                       per SPEC §4 the LLM step is mandatory and there
+                       is no opt-out.
+
+Exit codes:
+  0  all checks pass; predicate would be signed in CI
+  1  one or more checks fail; no predicate
+  2  CLI invocation error
+`);
+}
+function pad(label, width = 22) {
+    return label.padEnd(width);
+}
+function statusGlyph(pass) {
+    return pass ? "\x1b[32m✓\x1b[0m" : "\x1b[31m✗\x1b[0m";
+}
+async function main() {
+    const args = parseArgs(process.argv);
+    const ctx = {
+        repoRoot: args.repoRoot,
+        commitSha: commitSha(args.repoRoot),
+        repoUrl: args.repoUrl ?? repoUrlFromRemote(args.repoRoot),
+    };
+    const branch = defaultBranch(args.repoRoot);
+    if (args.output !== "predicate") {
+        console.error(`oss-verify on ${ctx.repoUrl}@${ctx.commitSha.slice(0, 8)} (${branch})`);
+        console.error("");
+    }
+    // Run deterministic checks
+    const reuse = checkReuse(ctx);
+    const { result: osi, osiResponseHash } = await checkOsiLicense(ctx);
+    const blobs = checkNoProprietaryBlobs(ctx);
+    const sbomRaw = await checkSbom(ctx);
+    const sbom = args.skipSbom
+        ? { ...sbomRaw, result: { pass: true, details: "skipped via --skip-sbom" } }
+        : sbomRaw;
+    const criteria = {
+        reuse,
+        osi_license: osi,
+        dependency_licenses: sbom.result,
+        no_proprietary_blobs: blobs,
+    };
+    const deterministicPass = Object.values(criteria).every((c) => c.pass);
+    if (args.output !== "predicate") {
+        for (const [name, result] of Object.entries(criteria)) {
+            console.error(`  ${statusGlyph(result.pass)} ${pad(name)}${result.details ? `  ${result.details.split("\n")[0]}` : ""}`);
+            if (result.details?.includes("\n")) {
+                for (const line of result.details.split("\n").slice(1)) {
+                    console.error(`    ${line}`);
+                }
+            }
+        }
+        console.error("");
+        console.error(deterministicPass
+            ? "\x1b[32mPASS\x1b[0m  all deterministic checks succeeded"
+            : "\x1b[31mFAIL\x1b[0m  one or more deterministic checks failed");
+    }
+    // In `--report-json` mode the LLM step still runs (SPEC §7 mandatory) but
+    // any failure surfaces as an llm_verdict in the JSON rather than crashing
+    // the CLI — the watchlist runner needs a structured record either way.
+    const auditTry = async () => {
+        try {
+            return {
+                ok: true,
+                audit: await runLlmAudit(ctx, {
+                    modelId: process.env.OSS_VERIFY_MODEL_ID || "claude-sonnet-4-6",
+                    apiKey: process.env.ANTHROPIC_API_KEY,
+                }),
+            };
+        }
+        catch (e) {
+            return { ok: false, error: e.message };
+        }
+    };
+    if (args.reportJson) {
+        // Internal/preview mode. Runs the full conformant pipeline (deterministic
+        // + LLM) and emits a JSON status report instead of a predicate. Always
+        // exits 0 so callers can record fail states (the watchlist runner does).
+        // NOT a substitute for the conformant attestation flow — output is not
+        // a valid predicate and MUST NOT be signed and published as one.
+        const a = await auditTry();
+        const llm = a.ok
+            ? a.audit.verdict
+            : { verdict: "block", rationale: a.error, passes: 0 };
+        const report = {
+            mode: "report-json",
+            repo_url: ctx.repoUrl,
+            commit_sha: ctx.commitSha,
+            default_branch: branch,
+            checked_at: new Date().toISOString(),
+            deterministic_pass: deterministicPass,
+            llm_verdict: llm,
+            overall_pass: deterministicPass && llm.verdict === "pass",
+            criteria,
+            evidence: {
+                osi_response_hash: osiResponseHash,
+                sbom_hash: sbom.sbomHash,
+                sbom_format: sbom.sbomFormat,
+            },
+        };
+        process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+        process.exit(0);
+    }
+    if (!deterministicPass) {
+        // Per SPEC §4: CLI MUST refuse to produce a predicate if any deterministic stage fails.
+        if (args.output !== "report") {
+            console.error("predicate not emitted (deterministic checks failed)");
+        }
+        process.exit(1);
+    }
+    // LLM audit (SPEC §7). MAY block, MUST NOT grant.
+    const auditAttempt = await auditTry();
+    if (!auditAttempt.ok) {
+        console.error(`oss-verify error (LLM audit): ${auditAttempt.error}`);
+        process.exit(2);
+    }
+    const audit = auditAttempt.audit;
+    if (args.output !== "predicate") {
+        const glyph = audit.verdict.verdict === "block" ? "\x1b[31m✗\x1b[0m" : "\x1b[32m✓\x1b[0m";
+        console.error("");
+        console.error(`  ${glyph} ${pad("llm_audit")} ${audit.verdict.rationale ?? ""}`);
+    }
+    if (audit.verdict.verdict === "block") {
+        if (args.output !== "report") {
+            console.error(`predicate not emitted (LLM audit blocked: ${audit.verdict.rationale})`);
+        }
+        process.exit(1);
+    }
+    const predicate = buildPredicate({
+        commitSha: ctx.commitSha,
+        repoUrl: ctx.repoUrl,
+        defaultBranch: branch,
+        criteria,
+        evidence: {
+            osi_response_hash: osiResponseHash,
+            sbom_hash: sbom.sbomHash,
+            sbom_format: sbom.sbomFormat,
+            sbom_uri: sbom.sbomUri,
+            exemptions: [],
+            llm_verdict: audit.verdict,
+        },
+        modelId: audit.modelId,
+        promptHash: audit.promptHash,
+    });
+    if (args.output === "predicate" || args.output === "both") {
+        // Emit ONLY the predicate body. `cosign attest-blob --predicate` reads
+        // this file as the predicate content and wraps it in its own in-toto
+        // Statement using `--type` for predicateType and the input file for
+        // the subject. Emitting a full Statement here would cause cosign to
+        // nest our Statement inside another Statement, so verifiers see
+        // `statement.predicate.predicate.criteria` and `predicateAllPass`
+        // reads the wrong layer as undefined.
+        process.stdout.write(`${JSON.stringify(predicate, null, 2)}\n`);
+    }
+    process.exit(0);
+}
+main().catch((err) => {
+    console.error(`oss-verify error: ${err instanceof Error ? err.message : String(err)}`);
+    if (err instanceof Error && err.stack)
+        console.error(err.stack);
+    process.exit(2);
+});

package/dist/src/git.js

@@ -0,0 +1,27 @@
+import { execSync } from "node:child_process";
+const exec = (cmd, cwd) => execSync(cmd, { cwd, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }).trim();
+export function commitSha(repoRoot) {
+    return exec("git rev-parse HEAD", repoRoot);
+}
+export function defaultBranch(repoRoot) {
+    // Prefer the symbolic ref of origin/HEAD; fall back to current branch.
+    try {
+        const ref = exec("git symbolic-ref --short refs/remotes/origin/HEAD", repoRoot);
+        return ref.replace(/^origin\//, "");
+    }
+    catch {
+        return exec("git branch --show-current", repoRoot) || "main";
+    }
+}
+/** All files tracked by git at HEAD (working-tree paths, repo-relative, no submodules). */
+export function lsFiles(repoRoot) {
+    return exec("git ls-files --cached --exclude-standard", repoRoot).split("\n").filter(Boolean);
+}
+export function repoUrlFromRemote(repoRoot) {
+    const url = exec("git config --get remote.origin.url", repoRoot);
+    // Normalise: drop .git suffix, prefer https form
+    return url
+        .replace(/^git@([^:]+):/, "https://$1/")
+        .replace(/\.git$/, "")
+        .replace(/\/$/, "");
+}

package/dist/src/hash.js

@@ -0,0 +1,2 @@
+import { createHash } from "node:crypto";
+export const sha256Hex = (input) => createHash("sha256").update(input).digest("hex");