@phosra/cli 0.1.0

package/README.md

@@ -0,0 +1,42 @@
+# `@phosra/cli`
+
+The `phosra` command-line tool — the fastest way to verify a Phosra OCSS integration and prove a signed round-trip against the hosted census, **with zero provisioning**.
+
+> **Status:** not yet published to npm. Until then, run from the monorepo (`packages/cli`) after `npm run build`, or contact `developers@phosra.com`. Full guide: **https://docs.phosra.com/integration/cli**
+
+## What it does (and doesn't)
+
+The CLI is a thin, **§12.3-clean** wrapper over the SDKs (`@openchildsafety/ocss`, `@phosra/link`, `@phosra/gatekeeper`). It **verifies** signed artifacts to the Ed25519 trust root and **drives** the census — it holds **no authority**: it never mints a grant, accepts a rule, publishes the trust list, or carries billing. Keys are generated client-side only. The census is the sole safety authority.
+
+## Quickstart
+
+```bash
+phosra init --role provider   # scaffold .phosra.env against the shared sandbox DID (zero backend)
+phosra doctor                 # verify the whole setup end-to-end → a green signed round-trip
+```
+
+`phosra doctor` runs five ordered, fail-closed checks (honest WARN/SKIP, never a false green):
+
+1. `census_reachable` — `/health`
+2. `trust_list_verified` — `/.well-known/ocss/trust-list` verified to root
+3. `caps_verified` — `/.well-known/ocss/capabilities` (the self-describing rule + version doc) verified to root
+4. `version_negotiates` — spec-version range negotiation
+5. `sandbox_round_trip` — a full §8.3.2 consent + §8.3.1 rule write (consent 201 / rule 201)
+
+## Commands
+
+| Command | What it does |
+|---|---|
+| `phosra init --role provider\|platform` | Scaffold a working `.phosra.env` against the shared sandbox |
+| `phosra doctor` | The five end-to-end checks above |
+| `phosra caps` | Fetch + verify + pretty-print the capabilities doc |
+| `phosra link write` | Provider: sign + write a rule (a real census write) |
+| `phosra gatekeeper check` | Platform: verify a profile + evaluate a decision |
+
+Every command supports `--json` for CI and agent use.
+
+## Configuration
+
+Resolution order: environment variable → `.phosra.env` → baked-in sandbox default. Point at a different census with `PHOSRA_CENSUS_URL` + `PHOSRA_TRUST_ROOT_X`.
+
+All baked-in keys are **sandbox-only, deterministic test keys** — never production material.

package/dist/bin.d.ts

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+/**
+ * @phosra/cli — main entry point.
+ *
+ * Commands:
+ *   phosra init [--role provider|platform] [--force] [--json]
+ *   phosra doctor                                    [--json]
+ *   phosra caps                                      [--json]
+ *
+ * Config priority: process.env > .phosra.env in cwd > baked-in sandbox defaults.
+ * The sandbox defaults wire to the STAGING shared sandbox (household-acme,
+ * staging census URL, sandbox trust root) — zero provisioning required.
+ *
+ * §12.3 clean: the CLI VERIFIES and DRIVES the census. It holds NO authority:
+ * it cannot mint grants, accept rules on behalf of a child, publish the trust
+ * list, or carry billing. The census is the sole safety authority.
+ */
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/dist/bin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.d.ts","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;GAeG"}

package/dist/bin.js

@@ -0,0 +1,159 @@
+#!/usr/bin/env node
+/**
+ * @phosra/cli — main entry point.
+ *
+ * Commands:
+ *   phosra init [--role provider|platform] [--force] [--json]
+ *   phosra doctor                                    [--json]
+ *   phosra caps                                      [--json]
+ *
+ * Config priority: process.env > .phosra.env in cwd > baked-in sandbox defaults.
+ * The sandbox defaults wire to the STAGING shared sandbox (household-acme,
+ * staging census URL, sandbox trust root) — zero provisioning required.
+ *
+ * §12.3 clean: the CLI VERIFIES and DRIVES the census. It holds NO authority:
+ * it cannot mint grants, accept rules on behalf of a child, publish the trust
+ * list, or carry billing. The census is the sole safety authority.
+ */
+import { Command } from "commander";
+import { loadConfig } from "./config.js";
+import { runInit } from "./commands/init.js";
+import { runDoctor } from "./commands/doctor.js";
+import { runCaps } from "./commands/caps.js";
+import { runLinkWrite } from "./commands/link-write.js";
+import { runGkCheck } from "./commands/gk-check.js";
+import { runRegister } from "./commands/register.js";
+const program = new Command("phosra")
+    .description("Phosra CLI — OCSS partner setup verification and sandbox round-trips")
+    .version("0.1.0");
+// ── phosra init ─────────────────────────────────────────────────────────────
+program
+    .command("init")
+    .description("Scaffold a .phosra.env wired to the staging shared sandbox — zero provisioning")
+    .option("-r, --role <role>", 'Integration role: "provider" or "platform"', "provider")
+    .option("-f, --force", "Overwrite existing .phosra.env", false)
+    .option("--json", "Machine-readable JSON output", false)
+    .action(async (opts) => {
+    const role = opts.role;
+    if (role !== "provider" && role !== "platform") {
+        console.error(`error: --role must be "provider" or "platform", got "${role}"`);
+        process.exit(1);
+    }
+    await runInit({ role, force: opts.force, json: opts.json });
+});
+// ── phosra register ──────────────────────────────────────────────────────────
+//
+// Phase 2a: self-serve cold onboarding. Generates a fresh Ed25519 keypair,
+// registers the DID on the sandbox census as a provisional trust-list entry,
+// and proves a verifiable rule-write round-trip — no email, no pre-seed.
+//
+// SANDBOX-ONLY: the census rejects this on production (SANDBOX_MODE guard).
+program
+    .command("register")
+    .description("Cold-party onboarding: generate a fresh DID, self-register on the sandbox " +
+    "census as a provisional entry, and prove a green verifiable round-trip.\n" +
+    "SANDBOX ONLY — the census rejects self-registration in production.")
+    .option("--api-url <url>", "Census base URL (default: staging sandbox)")
+    .option("--trust-root-x <x>", "Trust-list root public key X (base64url-raw)")
+    .option("--slug <slug>", "Party slug for the DID (default: random p<hex>)")
+    .option("--out <path>", "Path for the .phosra.env file (default: .phosra.env in cwd)")
+    .option("--roles <roles>", "Comma-separated roles (default: editor)")
+    .option("--json", "Machine-readable JSON output", false)
+    .action(async (opts) => {
+    try {
+        const roles = opts.roles ? opts.roles.split(",").map((r) => r.trim()) : ["editor"];
+        const result = await runRegister({
+            apiUrl: opts.apiUrl,
+            trustRootX: opts.trustRootX,
+            slug: opts.slug,
+            out: opts.out,
+            roles,
+        });
+        if (opts.json) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            console.log(`\nPASS — registered DID: ${result.PHOSRA_DID}`);
+            console.log(`  trust tier: provisional`);
+            console.log(`  census:     ${result.PHOSRA_CENSUS_URL}`);
+            console.log(`  env file:   ${result.envFile}`);
+            console.log(`\nGREEN — your own DID completed a verifiable round-trip\n`);
+        }
+    }
+    catch (err) {
+        if (opts.json) {
+            console.log(JSON.stringify({ error: String(err) }));
+        }
+        else {
+            console.error(`register failed: ${String(err)}`);
+        }
+        process.exit(1);
+    }
+});
+// ── phosra doctor ────────────────────────────────────────────────────────────
+program
+    .command("doctor")
+    .description("Verify the whole OCSS setup end-to-end: census reachable, trust list verified, " +
+    "capabilities fetched, spec version negotiated, signed round-trip passes")
+    .option("--json", "Machine-readable JSON output (for CI/agents)", false)
+    .action(async (opts) => {
+    const cfg = loadConfig();
+    const results = await runDoctor(cfg, opts.json);
+    // runDoctor prints its own output; we set the exit code here.
+    const failed = results.filter((r) => r.status === "fail");
+    if (failed.length > 0)
+        process.exit(1);
+});
+// ── phosra caps ──────────────────────────────────────────────────────────────
+program
+    .command("caps")
+    .description("Fetch, verify-to-root, and pretty-print the /.well-known/ocss/capabilities document")
+    .option("--json", "Machine-readable JSON output", false)
+    .action(async (opts) => {
+    const cfg = loadConfig();
+    await runCaps(cfg, opts.json);
+    // runCaps calls process.exit(1) on error; reaching here = success.
+});
+// ── phosra link ──────────────────────────────────────────────────────────────
+const linkCmd = program
+    .command("link")
+    .description("Provider (parental-controls vendor) commands — drives @phosra/link SDK.\n" +
+    "Requires @phosra/link peer dep and PHOSRA_DATABASE_URL.");
+linkCmd
+    .command("write <category>")
+    .description("Write a signed rule via the @phosra/link directive() — the metered binding leg.")
+    .requiredOption("--grant-id <id>", "Active grant ID from the connect ceremony")
+    .requiredOption("--child-ref <ref>", "Target child ref, e.g. child:<uuid>")
+    .option("--decision <d>", "block | warn | allow", "block")
+    .option("--json", "Machine-readable JSON output", false)
+    .action(async (category, opts) => {
+    const cfg = loadConfig();
+    const decision = (["block", "warn", "allow"].includes(opts.decision)
+        ? opts.decision
+        : "block");
+    await runLinkWrite(cfg, { category, decision, grantId: opts.grantId, childRef: opts.childRef, json: opts.json });
+});
+// ── phosra gatekeeper ────────────────────────────────────────────────────────
+const gkCmd = program
+    .command("gatekeeper")
+    .description("Platform commands — drives @phosra/gatekeeper SDK.\n" +
+    "Requires @phosra/gatekeeper peer dep and PHOSRA_ENDPOINT_ID.");
+gkCmd
+    .command("check <category>")
+    .description("Refresh the enforcement profile and call isAllowed() for a rule category.")
+    .option("--endpoint-id <id>", "Override PHOSRA_ENDPOINT_ID")
+    .option("--confirm <state>", "Emit a §8.3.8 enforcement-confirmation: applied | degraded | refused")
+    .option("--json", "Machine-readable JSON output", false)
+    .action(async (category, opts) => {
+    const cfg = loadConfig();
+    const confirm = (["applied", "degraded", "refused"].includes(opts.confirm ?? "")
+        ? opts.confirm
+        : undefined);
+    await runGkCheck(cfg, { category, endpointId: opts.endpointId, confirm, json: opts.json });
+});
+// ── entrypoint ───────────────────────────────────────────────────────────────
+program.parseAsync(process.argv).catch((err) => {
+    console.error("fatal:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=bin.js.map

package/dist/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC;KAClC,WAAW,CAAC,sEAAsE,CAAC;KACnF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,+EAA+E;AAE/E,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CACV,gFAAgF,CACjF;KACA,MAAM,CAAC,mBAAmB,EAAE,4CAA4C,EAAE,UAAU,CAAC;KACrF,MAAM,CAAC,aAAa,EAAE,gCAAgC,EAAE,KAAK,CAAC;KAC9D,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,KAAK,CAAC;KACvD,MAAM,CAAC,KAAK,EAAE,IAAqD,EAAE,EAAE;IACtE,MAAM,IAAI,GAAG,IAAI,CAAC,IAA+B,CAAC;IAClD,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/C,OAAO,CAAC,KAAK,CAAC,wDAAwD,IAAI,GAAG,CAAC,CAAC;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC,CAAC,CAAC;AAEL,gFAAgF;AAChF,EAAE;AACF,2EAA2E;AAC3E,6EAA6E;AAC7E,yEAAyE;AACzE,EAAE;AACF,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CACV,4EAA4E;IAC5E,2EAA2E;IAC3E,oEAAoE,CACrE;KACA,MAAM,CAAC,iBAAiB,EAAE,4CAA4C,CAAC;KACvE,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;KAC5E,MAAM,CAAC,eAAe,EAAE,iDAAiD,CAAC;KAC1E,MAAM,CAAC,cAAc,EAAE,6DAA6D,CAAC;KACrF,MAAM,CAAC,iBAAiB,EAAE,yCAAyC,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,KAAK,CAAC;KACvD,MAAM,CACL,KAAK,EAAE,IAON,EAAE,EAAE;IACH,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACnF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK;SACN,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,oBAAoB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,gFAAgF;AAEhF,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CACV,iFAAiF;IACjF,yEAAyE,CAC1E;KACA,MAAM,CAAC,QAAQ,EAAE,8CAA8C,EAAE,KAAK,CAAC;KACvE,MAAM,CAAC,KAAK,EAAE,IAAuB,EAAE,EAAE;IACxC,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,8DAA8D;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC1D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACzC,CAAC,CAAC,CAAC;AAEL,gFAAgF;AAEhF,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CACV,qFAAqF,CACtF;KACA,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,KAAK,CAAC;KACvD,MAAM,CAAC,KAAK,EAAE,IAAuB,EAAE,EAAE;IACxC,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,mEAAmE;AACrE,CAAC,CAAC,CAAC;AAEL,gFAAgF;AAEhF,MAAM,OAAO,GAAG,OAAO;KACpB,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CACV,2EAA2E;IAC3E,yDAAyD,CAC1D,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,kBAAkB,CAAC;KAC3B,WAAW,CACV,iFAAiF,CAClF;KACA,cAAc,CAAC,iBAAiB,EAAE,2CAA2C,CAAC;KAC9E,cAAc,CAAC,mBAAmB,EAAE,qCAAqC,CAAC;KAC1E,MAAM,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,OAAO,CAAC;KACzD,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,KAAK,CAAC;KACvD,MAAM,CACL,KAAK,EACH,QAAgB,EAChB,IAA4E,EAC5E,EAAE;IACF,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;QAClE,CAAC,CAAC,IAAI,CAAC,QAAQ;QACf,CAAC,CAAC,OAAO,CAA+B,CAAC;IAC3C,MAAM,YAAY,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AACnH,CAAC,CACF,CAAC;AAEJ,gFAAgF;AAEhF,MAAM,KAAK,GAAG,OAAO;KAClB,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CACV,sDAAsD;IACtD,8DAA8D,CAC/D,CAAC;AAEJ,KAAK;KACF,OAAO,CAAC,kBAAkB,CAAC;KAC3B,WAAW,CACV,2EAA2E,CAC5E;KACA,MAAM,CAAC,oBAAoB,EAAE,6BAA6B,CAAC;KAC3D,MAAM,CACL,mBAAmB,EACnB,sEAAsE,CACvE;KACA,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,KAAK,CAAC;KACvD,MAAM,CACL,KAAK,EACH,QAAgB,EAChB,IAA8D,EAC9D,EAAE;IACF,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,OAAO,GAAG,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;QAC9E,CAAC,CAAC,IAAI,CAAC,OAAO;QACd,CAAC,CAAC,SAAS,CAAmD,CAAC;IACjE,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AAC7F,CAAC,CACF,CAAC;AAEJ,gFAAgF;AAEhF,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IAC7C,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/commands/caps.d.ts

@@ -0,0 +1,16 @@
+/**
+ * phosra caps — fetch + root-verify + pretty-print the capabilities document.
+ *
+ * Reads /.well-known/ocss/capabilities from the census, verifies the Ed25519
+ * root signature (same path as phosra doctor check 3, but standalone + verbose),
+ * then renders the supported lanes, rule categories, and version range.
+ *
+ * §12.3: verification only — the CLI never publishes or rotates the caps doc.
+ * The census is the sole publisher; `ops caps publish` (future Go binary) is
+ * the operator path.
+ */
+import type { PhosraConfig } from "../config.js";
+type FetchImpl = typeof fetch;
+export declare function runCaps(cfg: PhosraConfig, json: boolean, fetchImpl?: FetchImpl): Promise<void>;
+export {};
+//# sourceMappingURL=caps.d.ts.map

package/dist/commands/caps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"caps.d.ts","sourceRoot":"","sources":["../../src/commands/caps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAGjD,KAAK,SAAS,GAAG,OAAO,KAAK,CAAC;AAU9B,wBAAsB,OAAO,CAC3B,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,OAAO,EACb,SAAS,GAAE,SAAiB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAgHf"}

package/dist/commands/caps.js

@@ -0,0 +1,125 @@
+/**
+ * phosra caps — fetch + root-verify + pretty-print the capabilities document.
+ *
+ * Reads /.well-known/ocss/capabilities from the census, verifies the Ed25519
+ * root signature (same path as phosra doctor check 3, but standalone + verbose),
+ * then renders the supported lanes, rule categories, and version range.
+ *
+ * §12.3: verification only — the CLI never publishes or rotates the caps doc.
+ * The census is the sole publisher; `ops caps publish` (future Go binary) is
+ * the operator path.
+ */
+import { verifyCapabilitiesDocument, } from "@openchildsafety/ocss";
+import { printJson, heading, note } from "../out.js";
+const C = {
+    bold: (s) => process.stdout.isTTY ? `\x1b[1m${s}\x1b[0m` : s,
+    green: (s) => process.stdout.isTTY ? `\x1b[32m${s}\x1b[0m` : s,
+    dim: (s) => process.stdout.isTTY ? `\x1b[2m${s}\x1b[0m` : s,
+    cyan: (s) => process.stdout.isTTY ? `\x1b[36m${s}\x1b[0m` : s,
+    yellow: (s) => process.stdout.isTTY ? `\x1b[33m${s}\x1b[0m` : s,
+};
+export async function runCaps(cfg, json, fetchImpl = fetch) {
+    heading("Phosra caps", json);
+    const url = `${cfg.censusUrl}/.well-known/ocss/capabilities`;
+    let signed;
+    try {
+        const res = await fetchImpl(url, { method: "GET" });
+        if (res.status === 404) {
+            if (json) {
+                printJson({ ok: false, error: "not_found", url });
+            }
+            else {
+                console.log(`  ${C.yellow("⚠")}  Capabilities doc not published at this census (P1 feature)\n` +
+                    C.dim(`     URL: ${url}`));
+            }
+            process.exit(1);
+        }
+        if (!res.ok) {
+            if (json) {
+                printJson({ ok: false, error: `http_${res.status}`, url });
+            }
+            else {
+                console.error(`  ✘  HTTP ${res.status} from ${url}`);
+            }
+            process.exit(1);
+        }
+        signed = (await res.json());
+    }
+    catch (err) {
+        if (json) {
+            printJson({ ok: false, error: "network_error", message: err.message });
+        }
+        else {
+            console.error(`  ✘  Network error: ${err.message}`);
+        }
+        process.exit(1);
+    }
+    let doc;
+    try {
+        doc = verifyCapabilitiesDocument(signed, cfg.trustRootX);
+    }
+    catch (err) {
+        if (json) {
+            printJson({
+                ok: false,
+                error: "verification_failed",
+                message: err.message,
+                trust_root_x: cfg.trustRootX,
+            });
+        }
+        else {
+            console.error(`  ✘  Verification failed: ${err.message}`);
+            console.error(C.dim(`     Check PHOSRA_TRUST_ROOT_X: ${cfg.trustRootX}`));
+        }
+        process.exit(1);
+    }
+    if (json) {
+        printJson({
+            ok: true,
+            url,
+            ocss_version: doc.ocss_version,
+            serial: doc.serial,
+            not_after: doc.not_after,
+            version_range: doc.version_range,
+            rule_categories: doc.rule_categories,
+            decision_verbs: doc.decision_verbs,
+            param_families: doc.param_families,
+            rating_crosswalk_ordinals: doc.rating_crosswalk_ordinals,
+        });
+        return;
+    }
+    // ── human render ──────────────────────────────────────────────────────────
+    console.log(`  ${C.green("✔")}  Verified to root  ` +
+        C.dim(`(${cfg.trustRootX.slice(0, 12)}…)`) +
+        "\n");
+    console.log(`  ${C.bold("OCSS version:")}   ${doc.ocss_version}`);
+    console.log(`  ${C.bold("Serial:")}         ${doc.serial}`);
+    console.log(`  ${C.bold("Not after:")}      ${doc.not_after}`);
+    const supported = doc.version_range?.supported ?? [];
+    console.log(`  ${C.bold("Version range:")}  ${supported.join(", ") || "(none)"}`);
+    const rules = doc.rule_categories ?? [];
+    if (rules.length > 0) {
+        console.log(`\n  ${C.bold(`Rule categories (${rules.length}):`)}`);
+        // Group by tier for compact display
+        const byTier = {};
+        for (const r of rules) {
+            (byTier[r.tier] ??= []).push(r);
+        }
+        for (const [tier, cats] of Object.entries(byTier)) {
+            console.log(`\n    ${C.cyan(tier.toUpperCase())}`);
+            for (const c of cats) {
+                const floor = c.floor ? C.dim(` [floor: ${c.floor}]`) : "";
+                console.log(`      ${C.dim("·")} ${c.slug}${floor}`);
+            }
+        }
+    }
+    const verbs = doc.decision_verbs ?? [];
+    if (verbs.length > 0) {
+        console.log(`\n  ${C.bold(`Decision verbs (${verbs.length}):`)}`);
+        for (const v of verbs) {
+            console.log(`    ${C.dim("·")} ${v.verb}  ${C.dim(`fallback=${v.fallback}  class=${v.safety_class}`)}`);
+        }
+    }
+    note(`Source: ${url}`, json);
+}
+//# sourceMappingURL=caps.js.map

package/dist/commands/caps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caps.js","sourceRoot":"","sources":["../../src/commands/caps.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,0BAA0B,GAG3B,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIrD,MAAM,CAAC,GAAG;IACR,IAAI,EAAG,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAE,CAAC,CAAC,CAAC;IACtE,KAAK,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtE,GAAG,EAAI,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAE,CAAC,CAAC,CAAC;IACtE,IAAI,EAAG,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,EAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;CACvE,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,GAAiB,EACjB,IAAa,EACb,YAAuB,KAAK;IAE5B,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAE7B,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,SAAS,gCAAgC,CAAC;IAC7D,IAAI,MAAsB,CAAC;IAE3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,IAAI,IAAI,EAAE,CAAC;gBACT,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,gEAAgE;oBAClF,CAAC,CAAC,GAAG,CAAC,aAAa,GAAG,EAAE,CAAC,CAC1B,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,IAAI,EAAE,CAAC;gBACT,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,aAAa,GAAG,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC;YACvD,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAmB,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,EAAE,CAAC;YACT,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,GAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,GAAG,GAAG,0BAA0B,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,EAAE,CAAC;YACT,SAAS,CAAC;gBACR,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,qBAAqB;gBAC5B,OAAO,EAAG,GAAa,CAAC,OAAO;gBAC/B,YAAY,EAAE,GAAG,CAAC,UAAU;aAC7B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,6BAA8B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACrE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,mCAAmC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,EAAE,CAAC;QACT,SAAS,CAAC;YACR,EAAE,EAAE,IAAI;YACR,GAAG;YACH,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,cAAc,EAAE,GAAG,CAAC,cAAc;YAClC,cAAc,EAAE,GAAG,CAAC,cAAc;YAClC,yBAAyB,EAAE,GAAG,CAAC,yBAAyB;SACzD,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,6EAA6E;IAC7E,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,sBAAsB;QACvC,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;QAC1C,IAAI,CACL,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,CAAC,aAAa,EAAE,SAAS,IAAI,EAAE,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IAElF,MAAM,KAAK,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC;QACnE,oCAAoC;QACpC,MAAM,MAAM,GAAiC,EAAE,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,mBAAmB,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,QAAQ,WAAW,CAAC,CAAC,YAAY,EAAE,CAAC,EAAE,CAC3F,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC,WAAW,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;AAC/B,CAAC"}

package/dist/commands/doctor.d.ts

@@ -0,0 +1,34 @@
+/**
+ * phosra doctor — end-to-end setup verification.
+ *
+ * Runs 5 checks in order, reporting PASS / FAIL / WARN for each.
+ * Exits 0 if all checks pass (warns are non-fatal).  Exits 1 on any FAIL.
+ *
+ * Checks:
+ *   1. census_reachable     GET /health → 200
+ *   2. trust_list_verified  GET /.well-known/ocss/trust-list + Ed25519 root-sig verify
+ *   3. caps_verified        GET /.well-known/ocss/capabilities + root-sig verify (WARN if 404)
+ *   4. version_negotiates   negotiate(SUPPORTED_VERSIONS, caps.version_range.supported)
+ *   5. sandbox_round_trip   Full §8.3.2 + §8.3.1 write cycle via runProviderRoundTrip:
+ *                             trust-list fetch → router JWK extract →
+ *                             consent_attestation ingest (201) → rule write (201)
+ *
+ * Check 5 uses the zero-provisioning sandbox: household-acme against the STAGING
+ * shared sandbox trust-list + Mia child/policy — no DB, no per-org provisioning,
+ * no extra backend.
+ *
+ * §12.3: census is the safety authority. The CLI verifies; it never decides.
+ * Fail-closed: any FAIL exits non-zero, never a false green.
+ */
+import type { PhosraConfig } from "../config.js";
+import { type CheckResult } from "../out.js";
+type FetchImpl = typeof fetch;
+/**
+ * Run all doctor checks.
+ * Returns the array of CheckResults; the caller (bin.ts) sets the exit code.
+ *
+ * fetchImpl is injectable for unit tests — real commands pass global fetch.
+ */
+export declare function runDoctor(cfg: PhosraConfig, json: boolean, fetchImpl?: FetchImpl): Promise<CheckResult[]>;
+export {};
+//# sourceMappingURL=doctor.d.ts.map

package/dist/commands/doctor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAYH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAIjD,OAAO,EACL,KAAK,WAAW,EAKjB,MAAM,WAAW,CAAC;AAEnB,KAAK,SAAS,GAAG,OAAO,KAAK,CAAC;AAE9B;;;;;GAKG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,OAAO,EACb,SAAS,GAAE,SAAiB,GAC3B,OAAO,CAAC,WAAW,EAAE,CAAC,CA0DxB"}