@claude-flow/cli 3.5.1 → 3.5.3

package/dist/src/appliance/rvfa-signing.js

@@ -0,0 +1,347 @@
+/**
+ * RVFA Ed25519 Code Signing -- Digital signatures for RVFA appliance files.
+ *
+ * Provides tamper detection and publisher identity verification using
+ * Ed25519 (RFC 8032) via Node.js native crypto. Zero external dependencies.
+ *
+ * @module @claude-flow/cli/appliance/rvfa-signing
+ */
+import { generateKeyPairSync, createHash, sign, verify, createPublicKey, createPrivateKey, } from 'node:crypto';
+import { readFile, writeFile, stat, chmod, mkdir } from 'node:fs/promises';
+// ── Constants ────────────────────────────────────────────────
+const PREAMBLE_SIZE = 12; // 4B magic + 4B version + 4B header_len
+const SHA256_SIZE = 32;
+const KEY_FILE_MODE = 0o600;
+// ── Key Management ───────────────────────────────────────────
+/** Compute the fingerprint of a public key: first 16 hex chars of its SHA256. */
+function computeFingerprint(publicKeyPem) {
+    return createHash('sha256')
+        .update(publicKeyPem, 'utf-8')
+        .digest('hex')
+        .slice(0, 16);
+}
+/**
+ * Generate a new Ed25519 key pair for RVFA signing.
+ */
+export async function generateKeyPair() {
+    const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+    });
+    const pubBuf = Buffer.from(publicKey, 'utf-8');
+    const privBuf = Buffer.from(privateKey, 'utf-8');
+    const fingerprint = computeFingerprint(publicKey);
+    return { publicKey: pubBuf, privateKey: privBuf, fingerprint };
+}
+/**
+ * Save a key pair to disk as PEM files.
+ *
+ * @param keyPair  The key pair to persist.
+ * @param dir      Directory to write files into.
+ * @param name     Base name for the key files (default: 'rvfa-signing').
+ * @returns Paths to the written public and private key files.
+ */
+export async function saveKeyPair(keyPair, dir, name = 'rvfa-signing') {
+    await mkdir(dir, { recursive: true });
+    const pubPath = `${dir}/${name}.pub`;
+    const privPath = `${dir}/${name}.key`;
+    await writeFile(pubPath, keyPair.publicKey);
+    await writeFile(privPath, keyPair.privateKey, { mode: KEY_FILE_MODE });
+    // Ensure private key has restrictive permissions even on existing files
+    await chmod(privPath, KEY_FILE_MODE);
+    return { publicKeyPath: pubPath, privateKeyPath: privPath };
+}
+/**
+ * Load a key pair from PEM files on disk.
+ *
+ * @param dir   Directory containing the key files.
+ * @param name  Base name for the key files (default: 'rvfa-signing').
+ */
+export async function loadKeyPair(dir, name = 'rvfa-signing') {
+    const pubPath = `${dir}/${name}.pub`;
+    const privPath = `${dir}/${name}.key`;
+    const publicKey = await readFile(pubPath);
+    const privateKey = await readFile(privPath);
+    // Warn if private key permissions are too open
+    const privStat = await stat(privPath);
+    const mode = privStat.mode & 0o777;
+    if (mode & 0o077) {
+        console.warn(`[rvfa-signing] WARNING: Private key ${privPath} has open permissions ` +
+            `(${mode.toString(8)}). Consider running: chmod 600 ${privPath}`);
+    }
+    const fingerprint = computeFingerprint(publicKey.toString('utf-8'));
+    return { publicKey, privateKey, fingerprint };
+}
+/**
+ * Load a public key from a single PEM file.
+ */
+export async function loadPublicKey(path) {
+    return readFile(path);
+}
+// ── Internal Helpers ─────────────────────────────────────────
+/**
+ * Recursively sort object keys for canonical JSON serialization.
+ * Produces deterministic output regardless of insertion order.
+ */
+function canonicalJson(value) {
+    return JSON.stringify(value, (_key, val) => {
+        if (val !== null && typeof val === 'object' && !Array.isArray(val) && !Buffer.isBuffer(val)) {
+            const sorted = {};
+            for (const k of Object.keys(val).sort()) {
+                sorted[k] = val[k];
+            }
+            return sorted;
+        }
+        return val;
+    });
+}
+/**
+ * Parse an RVFA binary into its components without full validation.
+ * Returns the header object, header JSON bytes, section data region, and footer.
+ */
+function parseRvfaBinary(buf) {
+    if (buf.length < PREAMBLE_SIZE + SHA256_SIZE) {
+        throw new Error('Buffer too small to be a valid RVFA file');
+    }
+    const magic = buf.subarray(0, 4).toString('ascii');
+    if (magic !== 'RVFA') {
+        throw new Error(`Invalid RVFA magic: expected "RVFA", got "${magic}"`);
+    }
+    const headerLen = buf.readUInt32LE(8);
+    const headerStart = PREAMBLE_SIZE;
+    const headerEnd = headerStart + headerLen;
+    if (headerEnd > buf.length - SHA256_SIZE) {
+        throw new Error('Header length extends beyond buffer');
+    }
+    const headerJson = buf.subarray(headerStart, headerEnd).toString('utf-8');
+    let header;
+    try {
+        header = JSON.parse(headerJson);
+    }
+    catch {
+        throw new Error('Failed to parse RVFA header JSON');
+    }
+    const footer = buf.subarray(buf.length - SHA256_SIZE);
+    const sectionData = buf.subarray(headerEnd, buf.length - SHA256_SIZE);
+    return { header, headerStart, headerEnd, sectionData, footer };
+}
+/**
+ * Compute the signing digest for an RVFA file.
+ *
+ * The digest is SHA256 of: canonical_header_json (without signature field)
+ *                         + section_data_bytes
+ *                         + footer_32_bytes
+ */
+function computeSigningDigest(header, sectionData, footer) {
+    // Strip signature field from header for digest computation
+    const stripped = { ...header };
+    delete stripped.signature;
+    const canonical = Buffer.from(canonicalJson(stripped), 'utf-8');
+    return createHash('sha256')
+        .update(canonical)
+        .update(sectionData)
+        .update(footer)
+        .digest();
+}
+/** Convert a Buffer or PEM string into a KeyObject. */
+function toPrivateKeyObject(key) {
+    const pem = Buffer.isBuffer(key) ? key.toString('utf-8') : key;
+    return createPrivateKey(pem);
+}
+/** Convert a Buffer or PEM string into a KeyObject. */
+function toPublicKeyObject(key) {
+    const pem = Buffer.isBuffer(key) ? key.toString('utf-8') : key;
+    return createPublicKey(pem);
+}
+/**
+ * Rebuild the RVFA binary with an updated header.
+ *
+ * Preserves the original preamble version, recalculates header length,
+ * and keeps section data and footer intact.
+ */
+function rebuildRvfa(originalBuf, newHeader, sectionData, footer) {
+    const headerJson = Buffer.from(JSON.stringify(newHeader), 'utf-8');
+    // Preamble: magic + version + new header length
+    const preamble = Buffer.alloc(PREAMBLE_SIZE);
+    originalBuf.copy(preamble, 0, 0, 8); // magic + version unchanged
+    preamble.writeUInt32LE(headerJson.length, 8);
+    return Buffer.concat([preamble, headerJson, sectionData, footer]);
+}
+// ── RvfaSigner ───────────────────────────────────────────────
+/**
+ * Signs RVFA appliance files and data with Ed25519.
+ */
+export class RvfaSigner {
+    keyObj;
+    fingerprint;
+    constructor(privateKey) {
+        this.keyObj = toPrivateKeyObject(privateKey);
+        // Derive public key to compute fingerprint
+        const pubPem = createPublicKey(this.keyObj)
+            .export({ type: 'spki', format: 'pem' });
+        this.fingerprint = computeFingerprint(pubPem);
+    }
+    /**
+     * Sign an RVFA appliance file in-place.
+     *
+     * Algorithm:
+     *  1. Read and parse the RVFA binary
+     *  2. Strip any existing signature from the header
+     *  3. Compute SHA256 of [canonical_header + section_data + footer]
+     *  4. Sign the digest with Ed25519
+     *  5. Embed signature metadata into the header
+     *  6. Write the updated binary back to the file
+     *
+     * @param rvfaPath   Path to the .rvf appliance file.
+     * @param signedBy   Optional publisher name.
+     * @returns The signature metadata that was embedded.
+     */
+    async signAppliance(rvfaPath, signedBy) {
+        const buf = await readFile(rvfaPath);
+        const { header, sectionData, footer } = parseRvfaBinary(buf);
+        // Compute digest over header (without signature) + sections + footer
+        const digest = computeSigningDigest(header, sectionData, footer);
+        // Ed25519 sign
+        const sig = sign(null, digest, this.keyObj);
+        const metadata = {
+            algorithm: 'ed25519',
+            publicKeyFingerprint: this.fingerprint,
+            signature: sig.toString('hex'),
+            signedAt: new Date().toISOString(),
+            signedBy,
+            scope: 'full',
+        };
+        // Embed signature in header and rebuild
+        header.signature = metadata;
+        const rebuilt = rebuildRvfa(buf, header, sectionData, footer);
+        await writeFile(rvfaPath, rebuilt);
+        return metadata;
+    }
+    /**
+     * Sign a section footer hash (detached signature).
+     *
+     * @param footerHash  The 32-byte SHA256 footer hash from an RVFA file.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    async signSections(footerHash) {
+        if (footerHash.length !== SHA256_SIZE) {
+            throw new Error(`Footer hash must be ${SHA256_SIZE} bytes, got ${footerHash.length}`);
+        }
+        const sig = sign(null, footerHash, this.keyObj);
+        return sig.toString('hex');
+    }
+    /**
+     * Sign an RVFP patch file (detached signature).
+     *
+     * @param patchData  The raw patch binary data.
+     * @returns Hex-encoded Ed25519 signature.
+     */
+    async signPatch(patchData) {
+        const digest = createHash('sha256').update(patchData).digest();
+        const sig = sign(null, digest, this.keyObj);
+        return sig.toString('hex');
+    }
+}
+// ── RvfaVerifier ─────────────────────────────────────────────
+/**
+ * Verifies Ed25519 signatures on RVFA appliance files and data.
+ */
+export class RvfaVerifier {
+    keyObj;
+    fingerprint;
+    constructor(publicKey) {
+        this.keyObj = toPublicKeyObject(publicKey);
+        const pem = Buffer.isBuffer(publicKey) ? publicKey.toString('utf-8') : publicKey;
+        this.fingerprint = computeFingerprint(pem);
+    }
+    /**
+     * Verify the Ed25519 signature embedded in an RVFA appliance file.
+     *
+     * @param rvfaPath  Path to the .rvf appliance file.
+     * @returns Verification result with details and any errors.
+     */
+    async verifyAppliance(rvfaPath) {
+        const errors = [];
+        let buf;
+        try {
+            buf = await readFile(rvfaPath);
+        }
+        catch (err) {
+            return { valid: false, errors: [`Failed to read file: ${err.message}`] };
+        }
+        let parsed;
+        try {
+            parsed = parseRvfaBinary(buf);
+        }
+        catch (err) {
+            return { valid: false, errors: [`Invalid RVFA file: ${err.message}`] };
+        }
+        const { header, sectionData, footer } = parsed;
+        // Extract signature metadata from header
+        const sigRaw = header.signature;
+        if (!sigRaw || typeof sigRaw !== 'object') {
+            return { valid: false, errors: ['No signature found in RVFA header'] };
+        }
+        const sigMeta = sigRaw;
+        if (sigMeta.algorithm !== 'ed25519') {
+            errors.push(`Unsupported algorithm: ${String(sigMeta.algorithm)}`);
+            return { valid: false, errors };
+        }
+        if (typeof sigMeta.signature !== 'string' || !sigMeta.signature) {
+            errors.push('Signature field is missing or empty');
+            return { valid: false, errors };
+        }
+        // Recompute the digest the same way the signer did
+        const digest = computeSigningDigest(header, sectionData, footer);
+        // Verify
+        let sigBuf;
+        try {
+            sigBuf = Buffer.from(sigMeta.signature, 'hex');
+        }
+        catch {
+            errors.push('Signature is not valid hex');
+            return { valid: false, errors };
+        }
+        let valid;
+        try {
+            valid = verify(null, digest, this.keyObj, sigBuf);
+        }
+        catch (err) {
+            errors.push(`Verification error: ${err.message}`);
+            return { valid: false, errors };
+        }
+        if (!valid) {
+            errors.push('Ed25519 signature verification failed: data may be tampered');
+        }
+        return {
+            valid,
+            signerFingerprint: sigMeta.publicKeyFingerprint,
+            signedAt: sigMeta.signedAt,
+            signedBy: sigMeta.signedBy,
+            errors,
+        };
+    }
+    /**
+     * Verify a detached Ed25519 signature over arbitrary data.
+     *
+     * @param data       The data that was signed.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    async verifyDetached(data, signature) {
+        const digest = createHash('sha256').update(data).digest();
+        const sigBuf = Buffer.from(signature, 'hex');
+        return verify(null, digest, this.keyObj, sigBuf);
+    }
+    /**
+     * Verify an RVFP patch file signature.
+     *
+     * @param patchData  The raw patch binary data.
+     * @param signature  Hex-encoded Ed25519 signature.
+     */
+    async verifyPatch(patchData, signature) {
+        const digest = createHash('sha256').update(patchData).digest();
+        const sigBuf = Buffer.from(signature, 'hex');
+        return verify(null, digest, this.keyObj, sigBuf);
+    }
+}
+//# sourceMappingURL=rvfa-signing.js.map

package/dist/src/appliance/rvfa-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rvfa-signing.js","sourceRoot":"","sources":["../../../src/appliance/rvfa-signing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,mBAAmB,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAC7C,eAAe,EAAE,gBAAgB,GAElC,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAG3E,gEAAgE;AAEhE,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC,wCAAwC;AAClE,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,aAAa,GAAG,KAAK,CAAC;AA2B5B,gEAAgE;AAEhE,iFAAiF;AACjF,SAAS,kBAAkB,CAAC,YAAoB;IAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC;SAC7B,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,EAAE;QAC/D,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAmB,EAAE,OAAO,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAoB,EAAE,OAAO,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAmB,CAAC,CAAC;IAE5D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,GAAW,EACX,IAAI,GAAG,cAAc;IAErB,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEtC,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IAEtC,MAAM,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC5C,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IAEvE,wEAAwE;IACxE,MAAM,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,IAAI,GAAG,cAAc;IAErB,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IACrC,MAAM,QAAQ,GAAG,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC;IAEtC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE5C,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,GAAG,KAAK,CAAC;IACnC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CACV,uCAAuC,QAAQ,wBAAwB;YACvE,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,kCAAkC,QAAQ,EAAE,CACjE,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,kBAAkB,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY;IAC9C,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,gEAAgE;AAEhE;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACzC,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5F,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;gBACnE,MAAM,CAAC,CAAC,CAAC,GAAI,GAA+B,CAAC,CAAC,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,GAAW;IAOlC,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa,GAAG,WAAW,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6CAA6C,KAAK,GAAG,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,WAAW,GAAG,aAAa,CAAC;IAClC,MAAM,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;IAE1C,IAAI,SAAS,GAAG,GAAG,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAA4B,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC;IACtD,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC;IAEtE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;AACjE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,oBAAoB,CAC3B,MAA+B,EAC/B,WAAmB,EACnB,MAAc;IAEd,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IAC/B,OAAO,QAAQ,CAAC,SAAS,CAAC;IAE1B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;IAEhE,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,SAAS,CAAC;SACjB,MAAM,CAAC,WAAW,CAAC;SACnB,MAAM,CAAC,MAAM,CAAC;SACd,MAAM,EAAE,CAAC;AACd,CAAC;AAED,uDAAuD;AACvD,SAAS,kBAAkB,CAAC,GAAoB;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/D,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,uDAAuD;AACvD,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/D,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAClB,WAAmB,EACnB,SAAkC,EAClC,WAAmB,EACnB,MAAc;IAEd,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;IAEnE,gDAAgD;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC7C,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IACjE,QAAQ,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAE7C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,gEAAgE;AAEhE;;GAEG;AACH,MAAM,OAAO,UAAU;IACJ,MAAM,CAAY;IAClB,WAAW,CAAS;IAErC,YAAY,UAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAE7C,2CAA2C;QAC3C,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;aACxC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;QACrD,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,QAAiB;QACrD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAE7D,qEAAqE;QACrE,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAEjE,eAAe;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAsB;YAClC,SAAS,EAAE,SAAS;YACpB,oBAAoB,EAAE,IAAI,CAAC,WAAW;YACtC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9B,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,QAAQ;YACR,KAAK,EAAE,MAAM;SACd,CAAC;QAEF,wCAAwC;QACxC,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC5B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,uBAAuB,WAAW,eAAe,UAAU,CAAC,MAAM,EAAE,CACrE,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,SAAiB;QAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,gEAAgE;AAEhE;;GAEG;AACH,MAAM,OAAO,YAAY;IACN,MAAM,CAAY;IAClB,WAAW,CAAS;IAErC,YAAY,SAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACjF,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CAAC,QAAgB;QACpC,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,wBAAyB,GAAa,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QACtF,CAAC;QAED,IAAI,MAA0C,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,sBAAuB,GAAa,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QACpF,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;QAE/C,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,mCAAmC,CAAC,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,OAAO,GAAG,MAAiC,CAAC;QAClD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAChE,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,mDAAmD;QACnD,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAEjE,SAAS;QACT,IAAI,MAAc,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAmB,EAAE,KAAK,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,KAAc,CAAC;QACnB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC7E,CAAC;QAED,OAAO;YACL,KAAK;YACL,iBAAiB,EAAE,OAAO,CAAC,oBAA0C;YACrE,QAAQ,EAAE,OAAO,CAAC,QAA8B;YAChD,QAAQ,EAAE,OAAO,CAAC,QAA8B;YAChD,MAAM;SACP,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,IAAY,EAAE,SAAiB;QAClD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,SAAiB,EAAE,SAAiB;QACpD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;CACF"}

package/dist/src/commands/appliance-advanced.d.ts

@@ -0,0 +1,9 @@
+/**
+ * V3 CLI Appliance Advanced Commands (Phase 3-4)
+ * Sign, publish, and hot-patch RVFA appliances.
+ */
+import type { Command } from '../types.js';
+export declare const signCommand: Command;
+export declare const publishCommand: Command;
+export declare const updateAppCommand: Command;
+//# sourceMappingURL=appliance-advanced.d.ts.map

package/dist/src/commands/appliance-advanced.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"appliance-advanced.d.ts","sourceRoot":"","sources":["../../../src/commands/appliance-advanced.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,aAAa,CAAC;AAoC1E,eAAO,MAAM,WAAW,EAAE,OAyDzB,CAAC;AAGF,eAAO,MAAM,cAAc,EAAE,OAmC5B,CAAC;AAGF,eAAO,MAAM,gBAAgB,EAAE,OA+E9B,CAAC"}

package/dist/src/commands/appliance-advanced.js

@@ -0,0 +1,215 @@
+/**
+ * V3 CLI Appliance Advanced Commands (Phase 3-4)
+ * Sign, publish, and hot-patch RVFA appliances.
+ */
+import { output } from '../output.js';
+function fmtSize(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    if (bytes < 1024 * 1024 * 1024)
+        return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+    return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
+function errMsg(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+const fail = (msg, detail) => {
+    output.printError(msg, detail);
+    return { success: false, exitCode: 1 };
+};
+function hdr(title) {
+    output.writeln();
+    output.writeln(output.bold(title));
+    output.writeln(output.dim('─'.repeat(50)));
+    output.writeln();
+}
+async function requireFile(file) {
+    const fs = await import('fs');
+    if (!fs.existsSync(file)) {
+        output.printError(`File not found: ${file}`);
+        return false;
+    }
+    return true;
+}
+// SIGN
+export const signCommand = {
+    name: 'sign',
+    description: 'Sign an RVFA appliance with Ed25519 for tamper detection',
+    options: [
+        { name: 'file', short: 'f', type: 'string', description: 'Path to .rvf file', required: true },
+        { name: 'key', short: 'k', type: 'string', description: 'Path to Ed25519 private key (PEM)' },
+        { name: 'generate-keys', type: 'boolean', description: 'Generate a new key pair' },
+        { name: 'key-dir', type: 'string', description: 'Directory for key storage', default: '.rvfa-keys' },
+        { name: 'signer', type: 'string', description: 'Publisher name for signature metadata' },
+    ],
+    action: async (ctx) => {
+        const file = ctx.flags.file;
+        const keyPath = ctx.flags.key;
+        const genKeys = ctx.flags['generate-keys'];
+        const keyDir = ctx.flags['key-dir'] || '.rvfa-keys';
+        const signer = ctx.flags.signer;
+        if (!file)
+            return fail('--file is required');
+        try {
+            const signing = await import('../appliance/rvfa-signing.js');
+            if (genKeys) {
+                hdr('Generating Ed25519 Key Pair');
+                const kp = await signing.generateKeyPair();
+                const paths = await signing.saveKeyPair(kp, keyDir);
+                output.printSuccess(`Public key:  ${paths.publicKeyPath}`);
+                output.printSuccess(`Private key: ${paths.privateKeyPath}`);
+                output.printInfo(`Fingerprint: ${kp.fingerprint}`);
+                output.writeln(output.dim('  Keep the private key secure. Share only the public key.'));
+                output.writeln();
+            }
+            if (!(await requireFile(file)))
+                return { success: false, exitCode: 1 };
+            hdr('Signing RVFA Appliance');
+            let privateKey;
+            if (keyPath) {
+                const fs = await import('fs');
+                privateKey = fs.readFileSync(keyPath);
+            }
+            else {
+                const kp = await signing.loadKeyPair(keyDir);
+                privateKey = kp.privateKey;
+            }
+            const s = new signing.RvfaSigner(privateKey);
+            const meta = await s.signAppliance(file, signer);
+            output.printSuccess('Appliance signed successfully');
+            output.printInfo(`Algorithm:   ${meta.algorithm}`);
+            output.printInfo(`Fingerprint: ${meta.publicKeyFingerprint}`);
+            output.printInfo(`Signed at:   ${meta.signedAt}`);
+            if (signer)
+                output.printInfo(`Signed by:   ${signer}`);
+            output.printInfo(`Signature:   ${meta.signature.slice(0, 32)}...`);
+            return { success: true, data: meta };
+        }
+        catch (err) {
+            return fail('Signing failed', errMsg(err));
+        }
+    },
+};
+// PUBLISH
+export const publishCommand = {
+    name: 'publish',
+    description: 'Publish an RVFA appliance to IPFS via Pinata',
+    options: [
+        { name: 'file', short: 'f', type: 'string', description: 'Path to .rvf file', required: true },
+        { name: 'name', short: 'n', type: 'string', description: 'Publication name' },
+        { name: 'description', type: 'string', description: 'Description' },
+    ],
+    action: async (ctx) => {
+        const file = ctx.flags.file;
+        if (!file)
+            return fail('--file is required');
+        if (!(await requireFile(file)))
+            return { success: false, exitCode: 1 };
+        try {
+            const dist = await import('../appliance/rvfa-distribution.js');
+            hdr('Publishing RVFA to IPFS');
+            output.printInfo(`File: ${file}`);
+            output.writeln();
+            const publisher = dist.createPublisher();
+            const result = await publisher.publish(file, {
+                name: ctx.flags.name,
+                description: ctx.flags.description,
+            });
+            output.printSuccess('Published successfully');
+            output.printInfo(`CID:     ${output.bold(result.cid)}`);
+            output.printInfo(`Size:    ${fmtSize(result.size)}`);
+            output.printInfo(`Gateway: ${result.gatewayUrl}`);
+            return { success: true, data: result };
+        }
+        catch (err) {
+            return fail('Publishing failed', errMsg(err));
+        }
+    },
+};
+// UPDATE (hot-patch)
+export const updateAppCommand = {
+    name: 'update',
+    description: 'Hot-patch a section in an RVFA appliance',
+    options: [
+        { name: 'file', short: 'f', type: 'string', description: 'Path to .rvf file', required: true },
+        { name: 'section', short: 's', type: 'string', description: 'Section to patch (e.g. ruflo, models)', required: true },
+        { name: 'patch', short: 'p', type: 'string', description: 'Path to .rvfp patch file' },
+        { name: 'data', short: 'd', type: 'string', description: 'Path to new section data (creates patch automatically)' },
+        { name: 'version', type: 'string', description: 'Patch version', default: '0.0.1' },
+        { name: 'no-backup', type: 'boolean', description: 'Skip backup creation' },
+        { name: 'public-key', type: 'string', description: 'Path to public key for patch verification' },
+    ],
+    action: async (ctx) => {
+        const file = ctx.flags.file;
+        const section = ctx.flags.section;
+        const patchPath = ctx.flags.patch;
+        const dataPath = ctx.flags.data;
+        if (!file || !section)
+            return fail('--file and --section are required');
+        if (!patchPath && !dataPath)
+            return fail('Provide --patch (RVFP file) or --data (raw section data)');
+        if (!(await requireFile(file)))
+            return { success: false, exitCode: 1 };
+        try {
+            const dist = await import('../appliance/rvfa-distribution.js');
+            const { RvfaReader } = await import('../appliance/rvfa-format.js');
+            const fs = await import('fs');
+            hdr('RVFA Hot-Patch Update');
+            output.printInfo(`Appliance: ${file}`);
+            output.printInfo(`Section:   ${section}`);
+            output.writeln();
+            let patchBuf;
+            if (patchPath) {
+                if (!(await requireFile(patchPath)))
+                    return { success: false, exitCode: 1 };
+                patchBuf = fs.readFileSync(patchPath);
+                output.printInfo(`Patch file: ${patchPath} (${fmtSize(patchBuf.length)})`);
+            }
+            else {
+                if (!(await requireFile(dataPath)))
+                    return { success: false, exitCode: 1 };
+                const newData = fs.readFileSync(dataPath);
+                const reader = await RvfaReader.fromFile(file);
+                const appHdr = reader.getHeader();
+                output.printInfo(`Creating patch for section "${section}" (${fmtSize(newData.length)} new data)`);
+                patchBuf = await dist.RvfaPatcher.createPatch({
+                    targetName: appHdr.name,
+                    targetVersion: appHdr.appVersion,
+                    sectionId: section,
+                    sectionData: newData,
+                    patchVersion: ctx.flags.version || '0.0.1',
+                    compression: 'gzip',
+                });
+            }
+            let pubKey;
+            if (ctx.flags['public-key']) {
+                const pkPath = ctx.flags['public-key'];
+                if (!(await requireFile(pkPath)))
+                    return { success: false, exitCode: 1 };
+                pubKey = fs.readFileSync(pkPath);
+            }
+            const result = await dist.RvfaPatcher.applyPatch(file, patchBuf, {
+                backup: !ctx.flags['no-backup'],
+                verify: true,
+                publicKey: pubKey,
+            });
+            if (result.success) {
+                output.printSuccess(`Section "${result.patchedSection}" updated successfully`);
+                output.printInfo(`New size: ${fmtSize(result.newSize)}`);
+                if (result.backupPath)
+                    output.printInfo(`Backup:  ${result.backupPath}`);
+            }
+            else {
+                output.printError('Patch failed');
+                result.errors.forEach(e => output.writeln(`  ${output.error('X')} ${e}`));
+            }
+            return { success: result.success, exitCode: result.success ? 0 : 1, data: result };
+        }
+        catch (err) {
+            return fail('Update failed', errMsg(err));
+        }
+    },
+};
+//# sourceMappingURL=appliance-advanced.js.map

package/dist/src/commands/appliance-advanced.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"appliance-advanced.js","sourceRoot":"","sources":["../../../src/commands/appliance-advanced.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC,SAAS,OAAO,CAAC,KAAa;IAC5B,IAAI,KAAK,GAAG,IAAI;QAAE,OAAO,GAAG,KAAK,IAAI,CAAC;IACtC,IAAI,KAAK,GAAG,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAClE,IAAI,KAAK,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAClF,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;AAC3D,CAAC;AAED,SAAS,MAAM,CAAC,GAAY;IAC1B,OAAO,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,IAAI,GAAG,CAAC,GAAW,EAAE,MAAe,EAAiB,EAAE;IAC3D,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AACzC,CAAC,CAAC;AAEF,SAAS,GAAG,CAAC,KAAa;IACxB,MAAM,CAAC,OAAO,EAAE,CAAC;IACjB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IACnC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3C,MAAM,CAAC,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY;IACrC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,UAAU,CAAC,mBAAmB,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,OAAO;AACP,MAAM,CAAC,MAAM,WAAW,GAAY;IAClC,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,0DAA0D;IACvE,OAAO,EAAE;QACP,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;QAC9F,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mCAAmC,EAAE;QAC7F,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,yBAAyB,EAAE;QAClF,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,2BAA2B,EAAE,OAAO,EAAE,YAAY,EAAE;QACpG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,uCAAuC,EAAE;KACzF;IACD,MAAM,EAAE,KAAK,EAAE,GAAmB,EAA0B,EAAE;QAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,IAAc,CAAC;QACtC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,GAAyB,CAAC;QACpD,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAY,CAAC;QACtD,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,CAAW,IAAI,YAAY,CAAC;QAC9D,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,MAA4B,CAAC;QACtD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAE7C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;YAE7D,IAAI,OAAO,EAAE,CAAC;gBACZ,GAAG,CAAC,6BAA6B,CAAC,CAAC;gBACnC,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;gBACpD,MAAM,CAAC,YAAY,CAAC,gBAAgB,KAAK,CAAC,aAAa,EAAE,CAAC,CAAC;gBAC3D,MAAM,CAAC,YAAY,CAAC,gBAAgB,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC;gBAC5D,MAAM,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;gBACnD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC,CAAC;gBACxF,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;gBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YACvE,GAAG,CAAC,wBAAwB,CAAC,CAAC;YAE9B,IAAI,UAAkB,CAAC;YACvB,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC9B,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC7C,UAAU,GAAG,EAAE,CAAC,UAAU,CAAC;YAC7B,CAAC;YAED,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,CAAC,YAAY,CAAC,+BAA+B,CAAC,CAAC;YACrD,MAAM,CAAC,SAAS,CAAC,gBAAgB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,SAAS,CAAC,gBAAgB,IAAI,CAAC,oBAAoB,EAAE,CAAC,CAAC;YAC9D,MAAM,CAAC,SAAS,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAClD,IAAI,MAAM;gBAAE,MAAM,CAAC,SAAS,CAAC,gBAAgB,MAAM,EAAE,CAAC,CAAC;YACvD,MAAM,CAAC,SAAS,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;CACF,CAAC;AAEF,UAAU;AACV,MAAM,CAAC,MAAM,cAAc,GAAY;IACrC,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,8CAA8C;IAC3D,OAAO,EAAE;QACP,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;QAC9F,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE;QAC7E,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE;KACpE;IACD,MAAM,EAAE,KAAK,EAAE,GAAmB,EAA0B,EAAE;QAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,IAAc,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAC7C,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEvE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,mCAAmC,CAAC,CAAC;YAE/D,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAC/B,MAAM,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,CAAC,OAAO,EAAE,CAAC;YAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE;gBAC3C,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAA0B;gBAC1C,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,WAAiC;aACzD,CAAC,CAAC;YAEH,MAAM,CAAC,YAAY,CAAC,wBAAwB,CAAC,CAAC;YAC9C,MAAM,CAAC,SAAS,CAAC,YAAY,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACxD,MAAM,CAAC,SAAS,CAAC,YAAY,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrD,MAAM,CAAC,SAAS,CAAC,YAAY,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;YAClD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;CACF,CAAC;AAEF,qBAAqB;AACrB,MAAM,CAAC,MAAM,gBAAgB,GAAY;IACvC,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,0CAA0C;IACvD,OAAO,EAAE;QACP,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE,QAAQ,EAAE,IAAI,EAAE;QAC9F,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,uCAAuC,EAAE,QAAQ,EAAE,IAAI,EAAE;QACrH,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;QACtF,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wDAAwD,EAAE;QACnH,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE;QACnF,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,sBAAsB,EAAE;QAC3E,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,2CAA2C,EAAE;KACjG;IACD,MAAM,EAAE,KAAK,EAAE,GAAmB,EAA0B,EAAE;QAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,IAAc,CAAC;QACtC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAiB,CAAC;QAC5C,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAA2B,CAAC;QACxD,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,IAA0B,CAAC;QACtD,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACxE,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,0DAA0D,CAAC,CAAC;QACrG,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEvE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,mCAAmC,CAAC,CAAC;YAC/D,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YACnE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;YAE9B,GAAG,CAAC,uBAAuB,CAAC,CAAC;YAC7B,MAAM,CAAC,SAAS,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;YACvC,MAAM,CAAC,SAAS,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,EAAE,CAAC;YAEjB,IAAI,QAAgB,CAAC;YAErB,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;gBAC5E,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBACtC,MAAM,CAAC,SAAS,CAAC,eAAe,SAAS,KAAK,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,QAAS,CAAC,CAAC;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;gBAC5E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAS,CAAC,CAAC;gBAC3C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,SAAS,CAAC,+BAA+B,OAAO,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBAClG,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC;oBAC5C,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,aAAa,EAAE,MAAM,CAAC,UAAU;oBAChC,SAAS,EAAE,OAAO;oBAClB,WAAW,EAAE,OAAO;oBACpB,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,OAAiB,IAAI,OAAO;oBACpD,WAAW,EAAE,MAAM;iBACpB,CAAC,CAAC;YACL,CAAC;YAED,IAAI,MAA0B,CAAC;YAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,CAAW,CAAC;gBACjD,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;gBACzE,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;YACnC,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,EAAE;gBAC/D,MAAM,EAAE,CAAE,GAAG,CAAC,KAAK,CAAC,WAAW,CAAa;gBAC5C,MAAM,EAAE,IAAI;gBACZ,SAAS,EAAE,MAAM;aAClB,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,MAAM,CAAC,YAAY,CAAC,YAAY,MAAM,CAAC,cAAc,wBAAwB,CAAC,CAAC;gBAC/E,MAAM,CAAC,SAAS,CAAC,aAAa,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBACzD,IAAI,MAAM,CAAC,UAAU;oBAAE,MAAM,CAAC,SAAS,CAAC,YAAY,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;YAC3E,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;gBAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAC5E,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACrF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/src/commands/appliance.d.ts

@@ -0,0 +1,8 @@
+/**
+ * V3 CLI Appliance Command
+ * Self-contained RVFA appliance management (build, inspect, verify, extract, run, sign, publish, update)
+ */
+import type { Command } from '../types.js';
+export declare const applianceCommand: Command;
+export default applianceCommand;
+//# sourceMappingURL=appliance.d.ts.map

package/dist/src/commands/appliance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"appliance.d.ts","sourceRoot":"","sources":["../../../src/commands/appliance.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,aAAa,CAAC;AA4Y1E,eAAO,MAAM,gBAAgB,EAAE,OA0C9B,CAAC;AAEF,eAAe,gBAAgB,CAAC"}