@certivu/cli 2.1.0 → 2.3.0

package/README.md

@@ -72,6 +72,13 @@ certivu verify ./output.jpg
 | Flag | Description |
 |------|-------------|
 | `--token <ctv_token>` | Provide token explicitly (extracted automatically if omitted) |
+| `--fail-on-missing` | Exit non-zero if any file lacks valid provenance (for CI) |
+
+`verify` also accepts multiple files and glob patterns (quote them — the CLI expands them itself):
+
+```bash
+certivu verify "assets/**/*.{png,jpg,mp4}" --fail-on-missing
+```
 
 ### `certivu status <ctv_token>`
 

package/dist/index.js

@@ -382,59 +382,183 @@ async function statusCommand(token, flags) {
 
 // src/commands/verify.ts
 var import_node_fs3 = require("fs");
-async function verifyCommand(filePath, flags) {
-  if (!filePath) die("Usage: certivu verify <file> [--token <ctv_token>]");
-  const config = await loadConfig();
-  let content;
+var import_node_path3 = require("path");
+var GLOB_CHARS = /[*?{[]/;
+function expandBraces(pattern) {
+  const match = pattern.match(/\{([^{}]*)\}/);
+  if (!match) return [pattern];
+  const whole = match[0];
+  const body = match[1] ?? "";
+  const out = [];
+  for (const choice of body.split(",")) {
+    out.push(...expandBraces(pattern.replace(whole, choice)));
+  }
+  return out;
+}
+function globToRegExp(glob) {
+  let re = "";
+  for (let i = 0; i < glob.length; i++) {
+    const c2 = glob[i];
+    if (c2 === "*") {
+      if (glob[i + 1] === "*") {
+        i++;
+        if (glob[i + 1] === "/") i++;
+        re += "(?:.*/)?";
+      } else {
+        re += "[^/]*";
+      }
+    } else if (c2 === "?") {
+      re += "[^/]";
+    } else if ("\\^$+.()|[]{}".includes(c2)) {
+      re += `\\${c2}`;
+    } else {
+      re += c2;
+    }
+  }
+  return new RegExp(`^${re}$`);
+}
+function staticBase(glob) {
+  const parts = glob.split("/");
+  const fixed = [];
+  for (const p of parts) {
+    if (GLOB_CHARS.test(p)) break;
+    fixed.push(p);
+  }
+  return fixed.join("/") || ".";
+}
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", ".svn", ".hg"]);
+function walk(dir, acc) {
+  let entries;
   try {
-    content = new Uint8Array((0, import_node_fs3.readFileSync)(filePath));
+    entries = (0, import_node_fs3.readdirSync)(dir, { encoding: "utf8" });
   } catch {
-    die(`Cannot read file: ${filePath}`);
+    return;
+  }
+  for (const name of entries) {
+    if (SKIP_DIRS.has(name)) continue;
+    const full = (0, import_node_path3.join)(dir, name);
+    try {
+      if ((0, import_node_fs3.statSync)(full).isDirectory()) walk(full, acc);
+      else acc.push(full);
+    } catch {
+    }
+  }
+}
+function resolveTargets(targets) {
+  const found = /* @__PURE__ */ new Set();
+  for (const target of targets) {
+    if (!GLOB_CHARS.test(target)) {
+      try {
+        if ((0, import_node_fs3.statSync)(target).isFile()) found.add(target);
+      } catch {
+        die(`Cannot read file: ${target}`);
+      }
+      continue;
+    }
+    for (const pattern of expandBraces(target)) {
+      const base = staticBase(pattern);
+      const files = [];
+      try {
+        if ((0, import_node_fs3.statSync)(base).isFile()) {
+          found.add(base);
+          continue;
+        }
+      } catch {
+      }
+      walk(base, files);
+      const rx = globToRegExp(pattern);
+      for (const f of files) {
+        const rel = (0, import_node_path3.relative)(".", f).split(import_node_path3.sep).join("/");
+        if (rx.test(rel) || rx.test(f.split(import_node_path3.sep).join("/"))) found.add(f);
+      }
+    }
   }
+  return [...found].sort();
+}
+async function verifyOne(client, filePath, token) {
+  const content = new Uint8Array((0, import_node_fs3.readFileSync)(filePath));
+  return client.verify({ content, ...token ? { token } : {} });
+}
+async function verifyCommand(targets, flags) {
+  if (!targets || targets.length === 0) {
+    die("Usage: certivu verify <file|glob...> [--token <ctv_token>] [--fail-on-missing]");
+  }
+  const failOnMissing = flags.failOnMissing === true || flags["fail-on-missing"] === true;
+  const config = await loadConfig();
   const client = new CertivuClient({
     apiKey: flags.apiKey ?? config.apiKey ?? "public",
     ...flags.baseUrl || config.baseUrl ? { baseUrl: flags.baseUrl ?? config.baseUrl } : {}
   });
-  let result;
-  try {
-    result = await client.verify({ content, ...flags.token ? { token: flags.token } : {} });
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    die(`Verify failed: ${msg}`);
-  }
-  if (result.authentic) {
-    console.log(ok(`Authentic \u2014 ${confidenceBadge(result.confidence)} confidence`));
-    if (result.provenance) {
-      row("Org", result.provenance.org);
-      row("Model", result.provenance.model);
-      row("Signed", result.provenance.signed_at);
+  const files = resolveTargets(targets);
+  if (files.length === 0) {
+    die(`No files matched: ${targets.join(", ")}`);
+  }
+  if (files.length === 1 && !failOnMissing) {
+    const filePath = files[0];
+    let result;
+    try {
+      result = await verifyOne(client, filePath, flags.token);
+    } catch (e) {
+      die(`Verify failed: ${e instanceof Error ? e.message : String(e)}`);
     }
-    if (result.token_source) row("Source", result.token_source);
-  } else if (result.tampered) {
-    console.log(err("Tampered \u2014 content has been modified since signing"));
-    row("Reason", result.reason ?? "hash mismatch");
-  } else {
-    console.log(err(`Not verified \u2014 ${result.reason ?? "no provenance found"}`));
-    console.log("  Absence of provenance does not imply human origin.");
-  }
-  const { signals } = result;
-  const signalLine = [
-    signals.watermark_found ? "watermark \u2713" : "watermark \u2717",
-    signals.record_found ? "record \u2713" : "record \u2717",
-    signals.signature_valid ? "signature \u2713" : "signature \u2717"
-  ].join("  ");
+    if (result.authentic) {
+      console.log(ok(`Authentic \u2014 ${confidenceBadge(result.confidence)} confidence`));
+      if (result.provenance) {
+        row("Org", result.provenance.org);
+        row("Model", result.provenance.model);
+        row("Signed", result.provenance.signed_at);
+      }
+      if (result.token_source) row("Source", result.token_source);
+    } else if (result.tampered) {
+      console.log(err("Tampered \u2014 content has been modified since signing"));
+      row("Reason", result.reason ?? "hash mismatch");
+    } else {
+      console.log(err(`Not verified \u2014 ${result.reason ?? "no provenance found"}`));
+      console.log("  Absence of provenance does not imply human origin.");
+    }
+    const { signals } = result;
+    console.log(
+      `
+  Signals: ${[
+        signals.watermark_found ? "watermark \u2713" : "watermark \u2717",
+        signals.record_found ? "record \u2713" : "record \u2717",
+        signals.signature_valid ? "signature \u2713" : "signature \u2717"
+      ].join("  ")}`
+    );
+    return;
+  }
+  let verified = 0;
+  let failedCount = 0;
+  for (const filePath of files) {
+    try {
+      const result = await verifyOne(client, filePath);
+      if (result.authentic) {
+        verified++;
+        console.log(ok(`${filePath} \u2014 authentic (${result.confidence})`));
+      } else {
+        failedCount++;
+        console.log(err(`${filePath} \u2014 ${result.tampered ? "tampered" : result.reason ?? "no provenance"}`));
+      }
+    } catch (e) {
+      failedCount++;
+      console.log(err(`${filePath} \u2014 error: ${e instanceof Error ? e.message : String(e)}`));
+    }
+  }
   console.log(`
-  Signals: ${signalLine}`);
+  ${files.length} checked \xB7 ${verified} verified \xB7 ${failedCount} without valid provenance`);
+  if (failOnMissing && failedCount > 0) {
+    process.exit(1);
+  }
 }
 
 // src/index.ts
-var VERSION = "1.1.0";
+var VERSION = "2.3.0";
 var HELP = `
 ${amber("certivu")} \u2014 quantum-resistant AI content trust
 
 ${bold("Usage:")}
   certivu sign <file> --model <model> [flags]
-  certivu verify <file> [--token <ctv_token>]
+  certivu verify <file|glob...> [--token <ctv_token>] [--fail-on-missing]
   certivu status <ctv_token>
   certivu config [get | set <key> <value>]
 
@@ -453,6 +577,9 @@ ${bold("Sign flags:")}
 
 ${bold("Verify flags:")}
   --token <ctv_token>    Provide token explicitly (extracted automatically if omitted)
+  --fail-on-missing      Exit non-zero if any file lacks valid provenance ${dim("(for CI)")}
+
+  Accepts multiple files and glob patterns, e.g. ${dim('certivu verify "assets/**/*.{png,jpg}" --fail-on-missing')}
 
 ${bold("Global flags:")}
   --base-url <url>       Override API base URL ${dim("(default: https://api.certivu.ai)")}
@@ -469,6 +596,7 @@ ${bold("Examples:")}
   certivu config set api-key ctv_key_abc123
   certivu sign ./output.jpg --model stable-diffusion-xl
   certivu verify ./output.jpg
+  certivu verify "assets/**/*.{png,jpg,mp4}" --fail-on-missing
   certivu status ctv_7f3kx9mq2...
 `.trim();
 function parseArgs(argv) {
@@ -510,7 +638,7 @@ async function main() {
         await signCommand(positional[0] ?? "", flags);
         break;
       case "verify":
-        await verifyCommand(positional[0] ?? "", flags);
+        await verifyCommand(positional, flags);
         break;
       case "status":
         await statusCommand(positional[0] ?? "", flags);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@certivu/cli",
-  "version": "2.1.0",
+  "version": "2.3.0",
   "description": "Certivu CLI — sign and verify AI-generated content",
   "license": "UNLICENSED",
   "homepage": "https://certivu.ai",