@c956180462/awbs 0.0.1

package/src/domain/hash.ts

@@ -0,0 +1,27 @@
+import { createHash } from "node:crypto";
+
+export function sha256String(value: string | Buffer): string {
+  return `sha256:${createHash("sha256").update(value).digest("hex")}`;
+}
+
+export function canonicalJson(value: unknown): string {
+  return JSON.stringify(sortForCanonicalJson(value));
+}
+
+export function contentHash(value: unknown): string {
+  return sha256String(canonicalJson(value));
+}
+
+function sortForCanonicalJson(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sortForCanonicalJson);
+  }
+  if (value && typeof value === "object") {
+    const result: Record<string, unknown> = {};
+    for (const key of Object.keys(value).sort()) {
+      result[key] = sortForCanonicalJson((value as Record<string, unknown>)[key]);
+    }
+    return result;
+  }
+  return value;
+}

package/src/domain/path-policy.ts

@@ -0,0 +1,36 @@
+import { VIEW_MANIFEST } from "./constants.ts";
+import { AwbsError } from "./errors.ts";
+import { assertSafeRelativePath, isPathUnderAny } from "./paths.ts";
+
+export const RESERVED_DATA_PATHS = [".git", ".awbs", VIEW_MANIFEST] as const;
+
+export function assertUserDataPath(path: string, action: string): void {
+  assertSafeRelativePath(path);
+  if (!path || path === ".") {
+    throw new AwbsError(`Cannot ${action} the database root as a data path.`);
+  }
+  if (isReservedDataPath(path)) {
+    throw new AwbsError(`Cannot ${action} AWBS reserved path: ${path}`);
+  }
+}
+
+export function assertUserDataPaths(paths: string[], action: string): void {
+  for (const path of paths) {
+    assertUserDataPath(path, action);
+  }
+}
+
+export function isReservedDataPath(path: string): boolean {
+  const normalized = pathKey(path);
+  return RESERVED_DATA_PATHS.some((reserved) => normalized === pathKey(reserved) || normalized.startsWith(`${pathKey(reserved)}/`));
+}
+
+export function isPathAllowedByWritePaths(path: string, writePaths: string[]): boolean {
+  assertUserDataPath(path, "write");
+  assertUserDataPaths(writePaths, "declare write access to");
+  return isPathUnderAny(path, writePaths);
+}
+
+function pathKey(path: string): string {
+  return path.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase();
+}

package/src/domain/paths.ts

@@ -0,0 +1,65 @@
+import { isAbsolute, sep } from "node:path";
+import { AwbsError } from "./errors.ts";
+
+export function normalizeUserPaths(paths: string[]): string[] {
+  return uniquePaths(paths.flatMap((path) => path.split(",")).map((path) => normalizeUserPath(path)).filter(Boolean));
+}
+
+export function normalizeUserPath(input: string): string {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    return "";
+  }
+  const normalized = trimmed.replace(/\\/g, "/");
+  const displayPath = normalized === "." ? "." : normalized.replace(/^\.\/+/, "").replace(/\/+$/, "");
+  assertSafeRelativePath(displayPath);
+  return toPosixPath(displayPath);
+}
+
+export function assertSafeRelativePath(input: string): void {
+  const normalized = input.replace(/\\/g, "/");
+  const segments = normalized.split("/");
+  if (isAbsolute(input) || normalized.startsWith("/") || segments.some((segment) => segment === "." || segment === "..")) {
+    throw new AwbsError(`Unsafe path: ${input}`);
+  }
+}
+
+export function uniquePaths(paths: string[]): string[] {
+  const seen = new Set<string>();
+  const result: string[] = [];
+  for (const path of paths) {
+    if (!seen.has(path)) {
+      seen.add(path);
+      result.push(path);
+    }
+  }
+  return result;
+}
+
+export function isPathUnderAny(path: string, roots: string[]): boolean {
+  return roots.some((root) => path === root || path.startsWith(`${root}/`));
+}
+
+export function makeId(prefix: string): string {
+  const stamp = new Date().toISOString().replace(/[-:.TZ]/g, "").slice(0, 14);
+  const random = Math.random().toString(36).slice(2, 8);
+  return `${prefix}_${stamp}_${random}`;
+}
+
+export function toPosixPath(path: string): string {
+  return path.split(sep).join("/");
+}
+
+export function fromPosixPath(path: string): string {
+  return path.split("/").join(sep);
+}
+
+export function filterIgnoredStatus(status: string, root: string, ignoredRelPaths: string[]): string {
+  const normalizedIgnored = ignoredRelPaths.map((path) => path.replace(/\\/g, "/").replace(/\/+$/, "")).filter(Boolean);
+  const lines = status.split(/\r?\n/).filter(Boolean);
+  const kept = lines.filter((line) => {
+    const statusPath = line.slice(3).replace(/\\/g, "/");
+    return !normalizedIgnored.some((ignored) => statusPath === ignored || statusPath.startsWith(`${ignored}/`));
+  });
+  return kept.length > 0 ? `${kept.join("\n")}\n` : "";
+}

package/src/domain/session-proof.ts

@@ -0,0 +1,140 @@
+import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import type { AuthoritySessionRequest, AuthoritySessionResponse } from "./session-types.ts";
+
+const MAX_PROOF_AGE_MS = 5 * 60 * 1000;
+
+export function attachControllerProof(request: AuthoritySessionRequest, controllerToken: string): AuthoritySessionRequest {
+  const base = proofBase(request);
+  const requestHash = sha256String(canonicalJson(base));
+  const nonce = randomBytes(16).toString("hex");
+  const createdAt = new Date().toISOString();
+  return {
+    ...base,
+    controllerProof: {
+      algorithm: "AWBS-HMAC-SHA256-v1",
+      requestHash,
+      nonce,
+      createdAt,
+      proof: hmacProof(tokenHash(controllerToken), proofMessage(requestHash, nonce, createdAt))
+    }
+  };
+}
+
+export function verifyControllerProof(expectedTokenHash: string, request: AuthoritySessionRequest, usedNonces?: Set<string>): boolean {
+  const proof = request.controllerProof;
+  if (!proof || proof.algorithm !== "AWBS-HMAC-SHA256-v1") {
+    return false;
+  }
+  if (!proof.nonce || usedNonces?.has(proof.nonce)) {
+    return false;
+  }
+  const createdAtTime = Date.parse(proof.createdAt);
+  if (!Number.isFinite(createdAtTime) || Math.abs(Date.now() - createdAtTime) > MAX_PROOF_AGE_MS) {
+    return false;
+  }
+  const base = proofBase(request);
+  const requestHash = sha256String(canonicalJson(base));
+  if (proof.requestHash !== requestHash) {
+    return false;
+  }
+  const expectedProof = hmacProof(expectedTokenHash, proofMessage(requestHash, proof.nonce, proof.createdAt));
+  const actual = Buffer.from(proof.proof, "hex");
+  const expected = Buffer.from(expectedProof, "hex");
+  const ok = actual.length === expected.length && timingSafeEqual(actual, expected);
+  if (ok) {
+    usedNonces?.add(proof.nonce);
+  }
+  return ok;
+}
+
+export function attachControllerResponseProof(response: AuthoritySessionResponse, request: AuthoritySessionRequest, expectedTokenHash: string): AuthoritySessionResponse {
+  const requestNonce = request.controllerProof?.nonce;
+  if (!requestNonce) {
+    return response;
+  }
+  const base = responseBase(response);
+  const responseHash = sha256String(canonicalJson(base));
+  return {
+    ...base,
+    controllerResponseProof: {
+      algorithm: "AWBS-HMAC-SHA256-v1",
+      requestNonce,
+      responseHash,
+      proof: hmacProof(expectedTokenHash, responseProofMessage(responseHash, requestNonce))
+    }
+  } as AuthoritySessionResponse;
+}
+
+export function verifyControllerResponseProof(controllerToken: string, request: AuthoritySessionRequest, response: AuthoritySessionResponse): boolean {
+  const requestNonce = request.controllerProof?.nonce;
+  const proof = response.controllerResponseProof;
+  if (!requestNonce || !proof || proof.algorithm !== "AWBS-HMAC-SHA256-v1" || proof.requestNonce !== requestNonce) {
+    return false;
+  }
+  const base = responseBase(response);
+  const responseHash = sha256String(canonicalJson(base));
+  if (proof.responseHash !== responseHash) {
+    return false;
+  }
+  const expectedProof = hmacProof(tokenHash(controllerToken), responseProofMessage(responseHash, requestNonce));
+  const actual = Buffer.from(proof.proof, "hex");
+  const expected = Buffer.from(expectedProof, "hex");
+  return actual.length === expected.length && timingSafeEqual(actual, expected);
+}
+
+function proofBase(request: AuthoritySessionRequest): AuthoritySessionRequest {
+  const base: AuthoritySessionRequest = {
+    schemaVersion: request.schemaVersion,
+    method: request.method,
+    root: request.root
+  };
+  if (request.args !== undefined) {
+    base.args = request.args;
+  }
+  return base;
+}
+
+function responseBase(response: AuthoritySessionResponse): AuthoritySessionResponse {
+  if (response.ok) {
+    return { ok: true, result: response.result };
+  }
+  return { ok: false, error: response.error };
+}
+
+function tokenHash(controllerToken: string): string {
+  return sha256String(controllerToken);
+}
+
+function proofMessage(requestHash: string, nonce: string, createdAt: string): string {
+  return canonicalJson({ createdAt, nonce, requestHash });
+}
+
+function responseProofMessage(responseHash: string, requestNonce: string): string {
+  return canonicalJson({ kind: "response", requestNonce, responseHash });
+}
+
+function hmacProof(tokenHashValue: string, message: string): string {
+  return createHmac("sha256", Buffer.from(tokenHashValue.slice("sha256:".length), "hex")).update(message).digest("hex");
+}
+
+function sha256String(value: string): string {
+  return `sha256:${createHash("sha256").update(value).digest("hex")}`;
+}
+
+function canonicalJson(value: unknown): string {
+  return JSON.stringify(sortForCanonicalJson(value));
+}
+
+function sortForCanonicalJson(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sortForCanonicalJson);
+  }
+  if (value && typeof value === "object") {
+    const result: Record<string, unknown> = {};
+    for (const key of Object.keys(value).sort()) {
+      result[key] = sortForCanonicalJson((value as Record<string, unknown>)[key]);
+    }
+    return result;
+  }
+  return value;
+}

package/src/domain/session-types.ts

@@ -0,0 +1,101 @@
+import type { AuthorityLocal, AuthorityTrustMode } from "./authority-types.ts";
+
+export type AuthoritySessionStatus = "active" | "inactive" | "stale" | "unavailable";
+
+export type AuthoritySessionControlInput = {
+  recoverySecret: string;
+  controllerToken: string;
+};
+
+export type AuthoritySessionFile = {
+  schemaVersion: 1;
+  repoId: string;
+  trustMode: AuthorityTrustMode;
+  pid: number;
+  socketPath: string;
+  startedAt: string;
+  status: "active";
+};
+
+export type AuthoritySessionStatusReport = {
+  status: AuthoritySessionStatus;
+  active: boolean;
+  repoId: string | null;
+  pid: number | null;
+  socketPath: string | null;
+  startedAt: string | null;
+  errors: string[];
+};
+
+export type AuthoritySessionStartResult = AuthoritySessionStatusReport & {
+  recoverySealPath: string;
+};
+
+export type AuthoritySessionStopResult = {
+  stopped: boolean;
+  localRestored: boolean;
+};
+
+export type AuthoritySessionRecoverResult = {
+  recovered: boolean;
+  localPath: string;
+};
+
+export type RecoverySealEnvelope = {
+  schemaVersion: 1;
+  sealType: "awbs.recovery.seal.v1";
+  payloadType: "authority.local";
+  kdf: "scrypt-recovery-secret-v1";
+  aad: {
+    repoId: string;
+    payloadType: "authority.local";
+  };
+  salt: string;
+  nonce: string;
+  ciphertext: string;
+  tag: string;
+  contentHash: string;
+};
+
+export type AuthoritySessionDaemonStartup = {
+  schemaVersion: 1;
+  root: string;
+  repoId: string;
+  local: AuthorityLocal;
+  controllerTokenHash: string;
+};
+
+export type AuthoritySessionRequest = {
+  schemaVersion: 1;
+  method: string;
+  root: string;
+  controllerProof?: AuthoritySessionControllerProof;
+  args?: unknown[];
+};
+
+export type AuthoritySessionControllerProof = {
+  algorithm: "AWBS-HMAC-SHA256-v1";
+  requestHash: string;
+  nonce: string;
+  createdAt: string;
+  proof: string;
+};
+
+export type AuthoritySessionControllerResponseProof = {
+  algorithm: "AWBS-HMAC-SHA256-v1";
+  requestNonce: string;
+  responseHash: string;
+  proof: string;
+};
+
+export type AuthoritySessionResponse =
+  | {
+      ok: true;
+      result: unknown;
+      controllerResponseProof?: AuthoritySessionControllerResponseProof;
+    }
+  | {
+      ok: false;
+      error: string;
+      controllerResponseProof?: AuthoritySessionControllerResponseProof;
+    };

package/src/domain/types.ts

@@ -0,0 +1,94 @@
+export type IndexStatus = "active" | "removed";
+export type IndexKind = "file" | "directory";
+export type ChangeKind = "add" | "modify" | "delete";
+export type ChangesetStatus = "valid" | "invalid";
+export type SummarySource = "external" | "fallback" | "path-level";
+
+export type IndexEntry = {
+  path: string;
+  kind: IndexKind;
+  sha256: string | null;
+  size: number | null;
+  mtime: string;
+  commit: string | null;
+  status: IndexStatus;
+  summary: string;
+  summarySource?: SummarySource;
+};
+
+export type SummaryEntry = {
+  schemaVersion: 1;
+  path: string;
+  kind: IndexKind | "unknown";
+  sha256: string | null;
+  commit: string | null;
+  summary: string;
+  source: "external";
+  updatedAt: string;
+  ext: Record<string, unknown>;
+};
+
+export type ViewManifest = {
+  schemaVersion: 1;
+  viewId: string;
+  projectRoot: string;
+  workspacePath: string;
+  baseCommit: string;
+  createdAt: string;
+  readPaths: string[];
+  writePaths: string[];
+  sources: Array<{
+    path: string;
+    sourcePath: string;
+    workspacePath: string;
+    baselinePath: string;
+    kind: IndexKind;
+    sha256: string | null;
+  }>;
+};
+
+export type ChangeRecord = {
+  path: string;
+  kind: ChangeKind;
+  allowed: boolean;
+  reason?: string;
+  file?: string;
+  sha256?: string | null;
+};
+
+export type ChangesetManifest = {
+  schemaVersion: 1;
+  changesetId: string;
+  viewId: string;
+  baseCommit: string;
+  createdAt: string;
+  projectRoot: string;
+  workspacePath: string;
+  status: ChangesetStatus;
+  readPaths: string[];
+  writePaths: string[];
+  changes: ChangeRecord[];
+  violations: ChangeRecord[];
+  payloadHash: string;
+  operationHash: string;
+  summary: {
+    added: number;
+    modified: number;
+    deleted: number;
+    violations: number;
+  };
+};
+
+export type SnapshotEntry = {
+  path: string;
+  sha256: string;
+  size: number;
+};
+
+export type FileEntry = {
+  path: string;
+  kind: IndexKind;
+  size: number | null;
+  mtime: string;
+  sha256: string | null;
+};

package/src/ports/authority-session.ts

@@ -0,0 +1,8 @@
+import type { AuthoritySessionControlInput, AuthoritySessionRecoverResult, AuthoritySessionStartResult, AuthoritySessionStatusReport, AuthoritySessionStopResult } from "../domain/session-types.ts";
+
+export interface AuthoritySessionPort {
+  start(cwd: string, input: AuthoritySessionControlInput): Promise<AuthoritySessionStartResult>;
+  status(cwd: string): AuthoritySessionStatusReport;
+  stop(cwd: string, controllerToken: string): AuthoritySessionStopResult;
+  recover(cwd: string, recoverySecret: string): AuthoritySessionRecoverResult;
+}

package/src/ports/authority.ts

@@ -0,0 +1,26 @@
+import type {
+  AuthorityCatalog,
+  AuthorityChangesetApplyOperation,
+  AuthorityChangesetReceipt,
+  AuthorityLedger,
+  AuthorityLedgerEntry,
+  AuthorityRepairReport,
+  AuthorityVerifyReport,
+  AuthorityViewContract
+} from "../domain/authority-types.ts";
+
+export interface AuthorityPort {
+  ensureInitialized(root: string): void;
+  createView(root: string, contract: AuthorityViewContract): AuthorityViewContract;
+  getViewContract(root: string, viewId: string, options?: { allowRevoked?: boolean }): AuthorityViewContract;
+  revokeView(root: string, viewId: string): AuthorityViewContract;
+  verify(root: string): AuthorityVerifyReport;
+  repairMirrors(root: string): AuthorityRepairReport;
+  readCatalog(root: string): AuthorityCatalog;
+  hasLedger(root: string): boolean;
+  bootstrapLedger(root: string, parentTrustedCommit: string): AuthorityLedger;
+  readLedger(root: string): AuthorityLedger;
+  recordChangesetApply(root: string, operation: AuthorityChangesetApplyOperation): AuthorityLedgerEntry;
+  sealChangesetReceipt(root: string, changesetRoot: string, receipt: AuthorityChangesetReceipt): AuthorityChangesetReceipt;
+  openChangesetReceipt(root: string, changesetRoot: string): AuthorityChangesetReceipt;
+}

package/src/ports/file-database.ts

@@ -0,0 +1,18 @@
+import type { FileEntry, SnapshotEntry } from "../domain/types.ts";
+
+export interface FileDatabasePort {
+  findProjectRoot(cwd: string): string;
+  pathExists(path: string): boolean;
+  isDirectory(path: string): boolean;
+  ensureDir(path: string): void;
+  assertSafeOutputDirectory(path: string): void;
+  copyPath(source: string, destination: string): void;
+  removePath(path: string): void;
+  readText(path: string): string;
+  writeText(path: string, value: string): void;
+  readJson<T>(path: string): T;
+  writeJson(path: string, value: unknown): void;
+  sha256File(path: string): string;
+  walkIndexableEntries(root: string): FileEntry[];
+  snapshotFiles(root: string, options: { ignoreAwbsViewManifest: boolean }): Map<string, SnapshotEntry>;
+}

package/src/ports/git.ts

@@ -0,0 +1,23 @@
+export type GitCommandResult = {
+  stdout: string;
+  stderr: string;
+  status: number | null;
+};
+
+export interface GitPort {
+  isRepository(root: string): boolean;
+  init(root: string): void;
+  headCommit(root: string): string | null;
+  requireHeadCommit(root: string): string;
+  refCommit(root: string, ref: string): string | null;
+  updateRef(root: string, ref: string, commit: string): void;
+  isAncestor(root: string, ancestor: string, descendant: string): boolean;
+  revList(root: string, range: string): string[];
+  statusPorcelain(root: string): string;
+  addAll(root: string, paths: string[]): void;
+  commit(root: string, message: string): void;
+  createDetachedWorktree(root: string, path: string, commit: string): void;
+  removeWorktree(root: string, path: string): void;
+  cloneAtCommit(sourceRoot: string, destination: string, commit: string): void;
+  diffNoIndex(baselineRoot: string, workspacePath: string): string;
+}

package/src/ports/index-store.ts

@@ -0,0 +1,7 @@
+import type { IndexEntry, IndexStatus } from "../domain/types.ts";
+
+export interface IndexStorePort {
+  readIndex(indexFile: string): IndexEntry[];
+  writeIndex(indexFile: string, entries: IndexEntry[]): void;
+  queryIndex(indexFile: string, term: string | null, options: { status?: IndexStatus | "all" }): IndexEntry[];
+}

package/src/ports/summary-store.ts

@@ -0,0 +1,16 @@
+import type { IndexKind, SummaryEntry } from "../domain/types.ts";
+
+export type SummaryWriteInput = {
+  path: string;
+  kind: IndexKind | "unknown";
+  sha256: string | null;
+  commit: string | null;
+  summary: string;
+};
+
+export interface SummaryStorePort {
+  readSummaries(summaryFile: string): SummaryEntry[];
+  writeSummary(summaryFile: string, input: SummaryWriteInput): SummaryEntry;
+  findSummary(summaryFile: string, path: string, sha256: string | null): SummaryEntry | null;
+  fallbackSummary(absPath: string, relPath: string, kind: IndexKind): string;
+}

package/src/runtime.ts

@@ -0,0 +1,56 @@
+import { FileSummaryStoreAdapter } from "./adapters/file-summary-store.ts";
+import { GitCliAdapter } from "./adapters/git-cli.ts";
+import { LocalFileDatabaseAdapter } from "./adapters/local-file-database.ts";
+import { LocalAuthoritySessionAdapter } from "./adapters/local-authority-session.ts";
+import { SealedAuthorityAdapter } from "./adapters/sealed-authority.ts";
+import { AutoAuthorityAdapter, SessionAuthorityClientAdapter } from "./adapters/session-authority-client.ts";
+import { SqliteIndexStoreAdapter } from "./adapters/sqlite-index-store.ts";
+import { createAuthorityUseCases, type AuthorityUseCases } from "./usecases/authority.ts";
+import { createChangesetUseCases, type ChangesetUseCases } from "./usecases/changeset.ts";
+import { createDbUseCases, type DbUseCases } from "./usecases/db.ts";
+import { createIndexUseCases, type IndexUseCases } from "./usecases/index.ts";
+import { createInitUseCases, type InitUseCases } from "./usecases/init.ts";
+import { createLedgerUseCases, type LedgerUseCases } from "./usecases/ledger.ts";
+import { createAuthoritySessionUseCases, type AuthoritySessionUseCases } from "./usecases/session.ts";
+import { createViewUseCases, type ViewUseCases } from "./usecases/view.ts";
+
+export type AwbsRuntime = {
+  usecases: {
+    init: InitUseCases;
+    index: IndexUseCases;
+    view: ViewUseCases;
+    changeset: ChangesetUseCases;
+    authority: AuthorityUseCases;
+    session: AuthoritySessionUseCases;
+    ledger: LedgerUseCases;
+    db: DbUseCases;
+  };
+};
+
+export function createDefaultRuntime(options: { authorityMode?: "local" | "auto" | "session"; controllerToken?: string; cliPath?: string } = {}): AwbsRuntime {
+  const files = new LocalFileDatabaseAdapter();
+  const git = new GitCliAdapter();
+  const index = new SqliteIndexStoreAdapter(files);
+  const summaries = new FileSummaryStoreAdapter(files);
+  const cliPath = options.cliPath ?? process.argv[1];
+  const authority =
+    options.authorityMode === "session"
+      ? new SessionAuthorityClientAdapter(cliPath, { controllerToken: options.controllerToken })
+      : options.authorityMode === "auto"
+        ? new AutoAuthorityAdapter(files, cliPath)
+        : new SealedAuthorityAdapter(files);
+  const session = new LocalAuthoritySessionAdapter(files, cliPath);
+
+  return {
+    usecases: {
+      init: createInitUseCases({ files, git, authority }),
+      index: createIndexUseCases({ files, git, index, summaries }),
+      view: createViewUseCases({ files, git, authority }),
+      changeset: createChangesetUseCases({ files, git, authority }),
+      authority: createAuthorityUseCases({ files, authority }),
+      session: createAuthoritySessionUseCases({ session }),
+      ledger: createLedgerUseCases({ files, git, authority }),
+      db: createDbUseCases({ files, git, authority })
+    }
+  };
+}

package/src/session-entry.ts

@@ -0,0 +1 @@
+export { runAuthoritySessionDaemon, runAuthoritySessionRequest } from "./adapters/local-authority-session.ts";

package/src/usecases/authority.ts

@@ -0,0 +1,53 @@
+import type { AuthorityRepairReport, AuthorityVerifyReport } from "../domain/authority-types.ts";
+import type { AuthorityPort } from "../ports/authority.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+
+export type AuthorityUseCases = {
+  verifyAuthority(cwd: string): AuthorityVerifyReport;
+  repairMirrors(cwd: string): AuthorityRepairReport;
+  formatVerifyReport(report: AuthorityVerifyReport): string;
+  formatRepairReport(report: AuthorityRepairReport): string;
+};
+
+export function createAuthorityUseCases(deps: { files: FileDatabasePort; authority: AuthorityPort }): AuthorityUseCases {
+  return {
+    verifyAuthority(cwd: string): AuthorityVerifyReport {
+      const root = deps.files.findProjectRoot(cwd);
+      return deps.authority.verify(root);
+    },
+
+    repairMirrors(cwd: string): AuthorityRepairReport {
+      const root = deps.files.findProjectRoot(cwd);
+      return deps.authority.repairMirrors(root);
+    },
+
+    formatVerifyReport(report: AuthorityVerifyReport): string {
+      const lines = [
+        `Authority: ${report.ok ? "ok" : "failed"}`,
+        `Views: ${report.catalog.views}`,
+        `Resources: ${report.catalog.resources}`,
+        `Mirror mismatches: ${report.mirrorMismatches.length}`
+      ];
+      if (report.mirrorMismatches.length > 0) {
+        lines.push("", "Mismatched mirrors:");
+        for (const mirror of report.mirrorMismatches) {
+          lines.push(`  ${mirror}`);
+        }
+      }
+      if (report.errors.length > 0) {
+        lines.push("", "Errors:");
+        for (const error of report.errors) {
+          lines.push(`  ${error}`);
+        }
+      }
+      return lines.join("\n");
+    },
+
+    formatRepairReport(report: AuthorityRepairReport): string {
+      if (report.repairedMirrors.length === 0) {
+        return "Authority mirrors are already in sync.";
+      }
+      return [`Repaired ${report.repairedMirrors.length} mirror(s):`, ...report.repairedMirrors.map((mirror) => `  ${mirror}`)].join("\n");
+    }
+  };
+}