@primust/verifier 1.0.0 → 1.1.0

package/dist/cli.js

@@ -1,391 +1,339 @@
 #!/usr/bin/env node
-/**
- * primust-verify CLI
- *
- * Usage:
- *   primust-verify vpec_<id>.json
- *   primust-verify vpec_<id>.json --production
- *   primust-verify vpec_<id>.json --trust-root ./my-pubkey.pem
- *   primust-verify vpec_<id>.json --skip-network
- *   primust-verify vpec_<id>.json --json
- *
- * Exit codes:
- *   0 = valid (production)
- *   1 = invalid / tampered
- *   2 = valid but sandbox-only (or system error)
- */
-import { readFileSync } from 'node:fs';
-import { parseArgs } from 'node:util';
-import { verify } from './verifier.js';
-import { createUpstreamRootResolver } from './upstream_resolver.js';
-const PROOF_LEVEL_DISPLAY = {
-    mathematical: 'mathematical',
-    verifiable_inference: 'verifiable_inference',
-    operator_bound: 'operator_bound',
-    execution: 'execution',
-    witnessed: 'witnessed',
-    attestation: 'attestation',
+import {
+  createUpstreamRootResolver,
+  verify
+} from "./chunk-NOADQWB6.js";
+
+// src/cli.ts
+import { readFileSync } from "fs";
+import { parseArgs } from "util";
+var PROOF_LEVEL_DISPLAY = {
+  mathematical: "mathematical",
+  verifiable_inference: "verifiable_inference",
+  operator_bound: "operator_bound",
+  execution: "execution",
+  witnessed: "witnessed",
+  attestation: "attestation"
 };
 function formatProofLevel(level) {
-    return PROOF_LEVEL_DISPLAY[level] ?? level;
+  return PROOF_LEVEL_DISPLAY[level] ?? level;
 }
 function formatDistribution(dist) {
-    const levels = ['mathematical', 'verifiable_inference', 'operator_bound', 'execution', 'witnessed', 'attestation'];
-    return levels
-        .filter((l) => typeof dist[l] === 'number' && dist[l] > 0)
-        .map((l) => `${formatProofLevel(l)}: ${dist[l]}`)
-        .join('  ');
+  const levels = ["mathematical", "verifiable_inference", "operator_bound", "execution", "witnessed", "attestation"];
+  return levels.filter((l) => typeof dist[l] === "number" && dist[l] > 0).map((l) => `${formatProofLevel(l)}: ${dist[l]}`).join("  ");
 }
 function formatGapsSummary(gaps) {
-    if (gaps.length === 0)
-        return '0';
-    const counts = {};
-    for (const g of gaps) {
-        counts[g.severity] = (counts[g.severity] ?? 0) + 1;
-    }
-    const parts = Object.entries(counts).map(([sev, n]) => `${n} ${sev}`);
-    return `${gaps.length} (${parts.join(', ')})`;
+  if (gaps.length === 0) return "0";
+  const counts = {};
+  for (const g of gaps) {
+    counts[g.severity] = (counts[g.severity] ?? 0) + 1;
+  }
+  const parts = Object.entries(counts).map(([sev, n]) => `${n} ${sev}`);
+  return `${gaps.length} (${parts.join(", ")})`;
 }
 function formatTimestamp(result) {
-    let ts = result.signed_at;
-    if (result.timestamp_anchor_valid === true) {
-        ts += ' (RFC 3161 \u2713)';
-    }
-    return ts;
+  let ts = result.signed_at;
+  if (result.timestamp_anchor_valid === true) {
+    ts += " (RFC 3161 \u2713)";
+  }
+  return ts;
 }
-/* ── V23-2: --format human — relying-party readable certificate ── */
 function formatHumanCertificate(artifact, result) {
-    const sig = result.valid ? 'VALID \u2713' : 'INVALID \u2717';
-    const env = artifact.environment === 'sandbox'
-        ? 'SANDBOX \u2014 not audit-acceptable'
-        : 'PRODUCTION';
-    const lines = [];
-    lines.push(`GOVERNANCE CREDENTIAL${' '.repeat(28)}${sig}`);
-    lines.push('\u2500'.repeat(56));
-    lines.push('');
-    lines.push(`Credential ID:    ${result.vpec_id}`);
-    lines.push(`System:           ${result.workflow_id}`);
-    lines.push(`Environment:      ${env}`);
-    const started = artifact.started_at ?? '';
-    const closed = artifact.closed_at ?? '';
-    if (started || closed) {
-        lines.push(`Run:              ${started} \u2192 ${closed}`);
+  const sig = result.valid ? "VALID \u2713" : "INVALID \u2717";
+  const env = artifact.environment === "sandbox" ? "SANDBOX \u2014 not audit-acceptable" : "PRODUCTION";
+  const lines = [];
+  lines.push(`GOVERNANCE CREDENTIAL${" ".repeat(28)}${sig}`);
+  lines.push("\u2500".repeat(56));
+  lines.push("");
+  lines.push(`Credential ID:    ${result.vpec_id}`);
+  lines.push(`System:           ${result.workflow_id}`);
+  lines.push(`Environment:      ${env}`);
+  const started = artifact.started_at ?? "";
+  const closed = artifact.closed_at ?? "";
+  if (started || closed) {
+    lines.push(`Run:              ${started} \u2192 ${closed}`);
+  }
+  lines.push("");
+  lines.push("SIGNATURE");
+  lines.push(`  Status:         ${sig}`);
+  lines.push(`  Signed by:      Primust, Inc.`);
+  lines.push(`  Timestamp:      ${result.timestamp_anchor_valid ? "DigiCert RFC 3161" : "unsigned"}`);
+  lines.push(`  Issued:         ${result.signed_at}`);
+  lines.push("");
+  lines.push("GOVERNANCE PROOF");
+  const ps = artifact.provable_surface;
+  lines.push(`  Provable surface: ${ps != null ? `${(ps * 100).toFixed(1)}%` : "\u2014"}`);
+  const records = artifact.records ?? [];
+  lines.push(`  Checks run:     ${records.length}`);
+  lines.push(`  Open gaps:      ${result.gaps.length}`);
+  const ac = artifact.action_coverage;
+  if (ac) {
+    lines.push("");
+    lines.push("ACTION COVERAGE");
+    const total = ac.total_actions;
+    const gov = ac.governed_actions;
+    const ungov = ac.ungoverned_actions;
+    const cov = ac.coverage_pct ?? 0;
+    lines.push(`  Actions taken:  ${total}`);
+    lines.push(`  Governed:       ${gov}  (${(cov * 100).toFixed(1)}%)`);
+    lines.push(`  Ungoverned:     ${ungov}  (${((1 - cov) * 100).toFixed(1)}%)`);
+    const ungovList = ac.ungoverned;
+    if (ungovList && ungovList.length > 0) {
+      lines.push("");
+      const cu = ac.consequential_ungoverned ?? {};
+      const cuIndices = cu.sequence_indices ?? [];
+      for (const u of ungovList) {
+        const idx = u.sequence_index ?? "?";
+        const atype = u.action_type ?? "unknown";
+        const tname = u.tool_name;
+        let label = `  #${idx}   ${atype}`;
+        if (tname) label += `: ${tname}`;
+        label += cuIndices.includes(idx) ? "     \u26A0 consequential \u2014 no check ran" : "     \u2014 no check ran";
+        lines.push(label);
+      }
     }
-    lines.push('');
-    lines.push('SIGNATURE');
-    lines.push(`  Status:         ${sig}`);
-    lines.push(`  Signed by:      Primust, Inc.`);
-    lines.push(`  Timestamp:      ${result.timestamp_anchor_valid ? 'DigiCert RFC 3161' : 'unsigned'}`);
-    lines.push(`  Issued:         ${result.signed_at}`);
-    lines.push('');
-    lines.push('GOVERNANCE PROOF');
-    const ps = artifact.provable_surface;
-    lines.push(`  Provable surface: ${ps != null ? `${(ps * 100).toFixed(1)}%` : '\u2014'}`);
-    const records = artifact.records ?? [];
-    lines.push(`  Checks run:     ${records.length}`);
-    lines.push(`  Open gaps:      ${result.gaps.length}`);
-    // Action coverage (v23)
-    const ac = artifact.action_coverage;
-    if (ac) {
-        lines.push('');
-        lines.push('ACTION COVERAGE');
-        const total = ac.total_actions;
-        const gov = ac.governed_actions;
-        const ungov = ac.ungoverned_actions;
-        const cov = ac.coverage_pct ?? 0;
-        lines.push(`  Actions taken:  ${total}`);
-        lines.push(`  Governed:       ${gov}  (${(cov * 100).toFixed(1)}%)`);
-        lines.push(`  Ungoverned:     ${ungov}  (${((1 - cov) * 100).toFixed(1)}%)`);
-        // Rich mode — per-action detail
-        const ungovList = ac.ungoverned;
-        if (ungovList && ungovList.length > 0) {
-            lines.push('');
-            const cu = ac.consequential_ungoverned ?? {};
-            const cuIndices = cu.sequence_indices ?? [];
-            for (const u of ungovList) {
-                const idx = u.sequence_index ?? '?';
-                const atype = u.action_type ?? 'unknown';
-                const tname = u.tool_name;
-                let label = `  #${idx}   ${atype}`;
-                if (tname)
-                    label += `: ${tname}`;
-                label += cuIndices.includes(idx)
-                    ? '     \u26A0 consequential \u2014 no check ran'
-                    : '     \u2014 no check ran';
-                lines.push(label);
-            }
-        }
-        // Strict mode — indices only
-        const ungovIndices = ac.ungoverned_sequence_indices;
-        if (ungovIndices && ungovIndices.length > 0 && !ungovList) {
-            lines.push('');
-            lines.push(`  Ungoverned at indices: ${JSON.stringify(ungovIndices)}`);
-            const cuCount = ac.consequential_ungoverned_count;
-            if (cuCount)
-                lines.push(`  ${cuCount} consequential`);
-            lines.push('');
-            lines.push('  Per-action detail available via:');
-            lines.push('    primust verify-activity vpec.json activity_export.json');
-        }
+    const ungovIndices = ac.ungoverned_sequence_indices;
+    if (ungovIndices && ungovIndices.length > 0 && !ungovList) {
+      lines.push("");
+      lines.push(`  Ungoverned at indices: ${JSON.stringify(ungovIndices)}`);
+      const cuCount = ac.consequential_ungoverned_count;
+      if (cuCount) lines.push(`  ${cuCount} consequential`);
+      lines.push("");
+      lines.push("  Per-action detail available via:");
+      lines.push("    primust verify-activity vpec.json activity_export.json");
     }
-    // Check summaries with evidence_metadata (rich mode)
-    const metadataMode = artifact.metadata_mode;
-    if (records.length > 0 && metadataMode === 'rich') {
-        lines.push('');
-        lines.push('GOVERNANCE CHECKS');
-        const shown = records.slice(0, 10);
-        for (const r of shown) {
-            let checkId = r.manifest_id ?? r.check_id ?? 'unknown';
-            if (checkId.includes('@'))
-                checkId = checkId.split('@')[0];
-            const checkResult = r.check_result ?? 'unknown';
-            const em = r.evidence_metadata;
-            let line = `  ${checkId}: ${checkResult}`;
-            if (em) {
-                const details = [];
-                if ('entity_count' in em)
-                    details.push(`${em.entity_count} entities`);
-                if ('risk_score' in em)
-                    details.push(`risk ${em.risk_score}`);
-                if ('action_taken' in em)
-                    details.push(em.action_taken);
-                if (details.length > 0)
-                    line += `  (${details.join(', ')})`;
-            }
-            lines.push(line);
-        }
-        if (records.length > 10) {
-            lines.push(`  ... and ${records.length - 10} more checks`);
-        }
+  }
+  const metadataMode = artifact.metadata_mode;
+  if (records.length > 0 && metadataMode === "rich") {
+    lines.push("");
+    lines.push("GOVERNANCE CHECKS");
+    const shown = records.slice(0, 10);
+    for (const r of shown) {
+      let checkId = r.manifest_id ?? r.check_id ?? "unknown";
+      if (checkId.includes("@")) checkId = checkId.split("@")[0];
+      const checkResult = r.check_result ?? "unknown";
+      const em = r.evidence_metadata;
+      let line = `  ${checkId}: ${checkResult}`;
+      if (em) {
+        const details = [];
+        if ("entity_count" in em) details.push(`${em.entity_count} entities`);
+        if ("risk_score" in em) details.push(`risk ${em.risk_score}`);
+        if ("action_taken" in em) details.push(em.action_taken);
+        if (details.length > 0) line += `  (${details.join(", ")})`;
+      }
+      lines.push(line);
+    }
+    if (records.length > 10) {
+      lines.push(`  ... and ${records.length - 10} more checks`);
     }
-    lines.push('');
-    lines.push('WHAT THIS PROVES');
-    lines.push('  Governance checks ran on the actions listed in this credential');
-    lines.push('  at the stated proof levels. This credential was issued at the');
-    lines.push('  time of the governed run and has not been altered since.');
-    lines.push('');
-    lines.push('WHAT THIS DOES NOT PROVE');
-    lines.push('  That the checks run constitute sufficient evidence for any');
-    lines.push('  specific regulatory requirement. That determination belongs');
-    lines.push('  to the customer, their compliance function, and their auditors.');
-    lines.push('');
-    lines.push('VERIFY INDEPENDENTLY');
-    lines.push(`  verify.primust.com/${result.vpec_id}`);
-    lines.push(`  primust verify ${result.vpec_id}.json`);
-    lines.push('\u2500'.repeat(56));
-    return lines.join('\n');
+  }
+  lines.push("");
+  lines.push("WHAT THIS PROVES");
+  lines.push("  Governance checks ran on the actions listed in this credential");
+  lines.push("  at the stated proof levels. This credential was issued at the");
+  lines.push("  time of the governed run and has not been altered since.");
+  lines.push("");
+  lines.push("WHAT THIS DOES NOT PROVE");
+  lines.push("  That the checks run constitute sufficient evidence for any");
+  lines.push("  specific regulatory requirement. That determination belongs");
+  lines.push("  to the customer, their compliance function, and their auditors.");
+  lines.push("");
+  lines.push("VERIFY INDEPENDENTLY");
+  lines.push(`  verify.primust.com/${result.vpec_id}`);
+  lines.push(`  primust verify ${result.vpec_id}.json`);
+  lines.push("\u2500".repeat(56));
+  return lines.join("\n");
 }
 function printHumanResult(result) {
-    const dist = result.proof_distribution;
-    const cov = result.coverage;
-    if (result.valid) {
-        console.log(`\n  \u2713 VPEC ${result.vpec_id} \u2014 VALID`);
-    }
-    else {
-        console.log(`\n  \u2717 VPEC ${result.vpec_id} \u2014 INVALID`);
-        for (const err of result.errors) {
-            console.log(`    Error: ${err}`);
-        }
-    }
-    const distStr = formatDistribution(dist);
-    if (distStr) {
-        console.log(`    Distribution:  ${distStr}`);
+  const dist = result.proof_distribution;
+  const cov = result.coverage;
+  if (result.valid) {
+    console.log(`
+  \u2713 VPEC ${result.vpec_id} \u2014 VALID`);
+  } else {
+    console.log(`
+  \u2717 VPEC ${result.vpec_id} \u2014 INVALID`);
+    for (const err of result.errors) {
+      console.log(`    Error: ${err}`);
     }
-    console.log(`    Workflow:      ${result.workflow_id}`);
-    console.log(`    Org:           ${result.org_id}`);
-    console.log(`    Signed:        ${formatTimestamp(result)}`);
-    console.log(`    Signer:        ${result.signer_id} / kid: ${result.kid}`);
-    console.log(`    Rekor:         ${result.rekor_status}`);
-    if (cov && typeof cov.policy_coverage_pct === 'number') {
-        let covStr = `${cov.policy_coverage_pct}% policy`;
-        if (typeof cov.instrumentation_surface_pct === 'number') {
-            covStr += ` | ${cov.instrumentation_surface_pct}% instrumentation surface`;
-        }
-        console.log(`    Coverage:      ${covStr}`);
-    }
-    console.log(`    Gaps:          ${formatGapsSummary(result.gaps)}`);
-    if (result.process_context_hash) {
-        console.log(`    Process hash:  ${result.process_context_hash}`);
+  }
+  const distStr = formatDistribution(dist);
+  if (distStr) {
+    console.log(`    Distribution:  ${distStr}`);
+  }
+  console.log(`    Workflow:      ${result.workflow_id}`);
+  console.log(`    Org:           ${result.org_id}`);
+  console.log(`    Signed:        ${formatTimestamp(result)}`);
+  console.log(`    Signer:        ${result.signer_id} / kid: ${result.kid}`);
+  console.log(`    Rekor:         ${result.rekor_status}`);
+  if (cov && typeof cov.policy_coverage_pct === "number") {
+    let covStr = `${cov.policy_coverage_pct}% policy`;
+    if (typeof cov.instrumentation_surface_pct === "number") {
+      covStr += ` | ${cov.instrumentation_surface_pct}% instrumentation surface`;
     }
-    console.log(`    Test mode:     ${result.test_mode}`);
-    if (result.test_mode && result.valid) {
-        console.log(`    \u26A0 TEST CREDENTIAL \u2014 not for production use`);
+    console.log(`    Coverage:      ${covStr}`);
+  }
+  console.log(`    Gaps:          ${formatGapsSummary(result.gaps)}`);
+  if (result.process_context_hash) {
+    console.log(`    Process hash:  ${result.process_context_hash}`);
+  }
+  console.log(`    Test mode:     ${result.test_mode}`);
+  if (result.test_mode && result.valid) {
+    console.log(`    \u26A0 TEST CREDENTIAL \u2014 not for production use`);
+  }
+  if (result.warnings.length > 0) {
+    for (const w of result.warnings) {
+      console.log(`    Warning: ${w}`);
     }
-    if (result.warnings.length > 0) {
-        for (const w of result.warnings) {
-            console.log(`    Warning: ${w}`);
-        }
-    }
-    console.log('');
+  }
+  console.log("");
 }
-export async function main(args) {
-    let parsed;
-    try {
-        parsed = parseArgs({
-            args: args ?? process.argv.slice(2),
-            options: {
-                production: { type: 'boolean', default: false },
-                'skip-network': { type: 'boolean', default: false },
-                'trust-root': { type: 'string' },
-                json: { type: 'boolean', default: false },
-                format: { type: 'string' },
-                human: { type: 'boolean', default: false },
-                help: { type: 'boolean', short: 'h', default: false },
-                // Follow-6 #79: parent-root upstream-VPEC anchor check. When the
-                // local SqliteStore (or an envelope file) contains the parent
-                // VPEC's commitment_root, the verifier upgrades the legacy
-                // "unanchored" warning to a cryptographic equality check.
-                'upstream-db': { type: 'string' },
-                'upstream-envelope': { type: 'string', multiple: true },
-            },
-            allowPositionals: true,
-        });
-    }
-    catch (err) {
-        console.error(`Error: ${err.message}`);
-        return 2;
-    }
-    if (parsed.values.help || parsed.positionals.length === 0) {
-        console.log('Usage: primust-verify [format] <artifact.json> [options]');
-        console.log('');
-        console.log('Formats: vpec, pack, w3c-vc, dsse, scitt, receipt, all');
-        console.log('If format omitted, auto-detects from file contents.');
-        console.log('');
-        console.log('Options:');
-        console.log('  --production      Require production environment');
-        console.log('  --skip-network    Skip online checks');
-        console.log('  --trust-root      Custom public key path');
-        console.log('  --json            Output as JSON');
-        console.log('  --format human    Human-readable certificate for non-technical relying parties');
-        console.log('  --human           Shorthand for --format human');
-        console.log('  --upstream-db <path>          SqliteStore with cached parent VPEC roots');
-        console.log('                                (defaults to PRIMUST_RUNTIME_DB_PATH or');
-        console.log('                                 ~/.primust/runtime.db when present).');
-        console.log('  --upstream-envelope <path>    JSON envelope file mapping');
-        console.log('                                upstream_vpec_id → commitment_root_poseidon2');
-        console.log('                                (repeatable; merged with --upstream-db).');
-        return parsed.values.help ? 0 : 2;
-    }
-    // Support subcommand: primust verify vpec artifact.json
-    const FORMATS = new Set(['vpec', 'pack', 'w3c-vc', 'dsse', 'scitt', 'receipt', 'all']);
-    let format = null;
-    let filePath;
-    if (parsed.positionals.length >= 2 && FORMATS.has(parsed.positionals[0])) {
-        format = parsed.positionals[0];
-        filePath = parsed.positionals[1];
-    }
-    else {
-        filePath = parsed.positionals[0];
-    }
-    const jsonOutput = parsed.values.json ?? false;
-    const humanCert = parsed.values.human || parsed.values.format === 'human';
-    // Read artifact file
-    let rawJson;
-    try {
-        rawJson = readFileSync(filePath, 'utf-8');
-    }
-    catch {
-        const msg = `Error: file not found: ${filePath}`;
-        if (jsonOutput) {
-            console.error(msg);
-        }
-        else {
-            console.error(msg);
-        }
-        return 2;
-    }
-    let artifact;
-    try {
-        artifact = JSON.parse(rawJson);
-    }
-    catch {
-        const msg = `Error: invalid JSON in ${filePath}`;
-        if (jsonOutput) {
-            console.error(msg);
-        }
-        else {
-            console.error(msg);
-        }
-        return 2;
-    }
-    // ── Follow-6 #79: build upstream-root resolver ──
-    // The CLI wires the parent-VPEC anchor check whenever the caller
-    // passes --upstream-db (or --upstream-envelope). When neither flag
-    // is supplied we leave the resolver undefined so legacy callers
-    // keep the existing "unanchored" warning behavior — strict backward
-    // compat for tests / scripts that don't know about the flag.
-    let resolver;
-    const dbPath = parsed.values['upstream-db'];
-    const envelopePaths = parsed.values['upstream-envelope'] ?? [];
-    if (dbPath || envelopePaths.length > 0) {
-        const envelopes = new Map();
-        for (const ep of envelopePaths) {
-            try {
-                const env = JSON.parse(readFileSync(ep, 'utf-8'));
-                // Two accepted shapes:
-                //  - { vpec_id: 'vpec_xxx', commitment_root_poseidon2: 'poseidon2:…' }
-                //  - { '<vpec_id>': '<root>', ... } (flat map)
-                if (typeof env.vpec_id === 'string' && typeof env.commitment_root_poseidon2 === 'string') {
-                    envelopes.set(env.vpec_id, env.commitment_root_poseidon2);
-                }
-                else {
-                    for (const [k, v] of Object.entries(env)) {
-                        if (typeof v === 'string')
-                            envelopes.set(k, v);
-                    }
-                }
-            }
-            catch (err) {
-                const msg = `Error: cannot read upstream envelope ${ep}: ${err.message}`;
-                console.error(msg);
-                return 2;
-            }
-        }
-        resolver = createUpstreamRootResolver({
-            dbPath,
-            envelopes: envelopes.size > 0 ? envelopes : undefined,
-        });
+async function main(args) {
+  let parsed;
+  try {
+    parsed = parseArgs({
+      args: args ?? process.argv.slice(2),
+      options: {
+        production: { type: "boolean", default: false },
+        "skip-network": { type: "boolean", default: false },
+        "trust-root": { type: "string" },
+        json: { type: "boolean", default: false },
+        format: { type: "string" },
+        human: { type: "boolean", default: false },
+        help: { type: "boolean", short: "h", default: false },
+        // Follow-6 #79: parent-root upstream-VPEC anchor check. When the
+        // local SqliteStore (or an envelope file) contains the parent
+        // VPEC's commitment_root, the verifier upgrades the legacy
+        // "unanchored" warning to a cryptographic equality check.
+        "upstream-db": { type: "string" },
+        "upstream-envelope": { type: "string", multiple: true }
+      },
+      allowPositionals: true
+    });
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    return 2;
+  }
+  if (parsed.values.help || parsed.positionals.length === 0) {
+    console.log("Usage: primust-verify [format] <artifact.json> [options]");
+    console.log("");
+    console.log("Formats: vpec, pack, w3c-vc, dsse, scitt, receipt, all");
+    console.log("If format omitted, auto-detects from file contents.");
+    console.log("");
+    console.log("Options:");
+    console.log("  --production      Require production environment");
+    console.log("  --skip-network    Skip online checks");
+    console.log("  --trust-root      Custom public key path");
+    console.log("  --json            Output as JSON");
+    console.log("  --format human    Human-readable certificate for non-technical relying parties");
+    console.log("  --human           Shorthand for --format human");
+    console.log("  --upstream-db <path>          SqliteStore with cached parent VPEC roots");
+    console.log("                                (defaults to PRIMUST_RUNTIME_DB_PATH or");
+    console.log("                                 ~/.primust/runtime.db when present).");
+    console.log("  --upstream-envelope <path>    JSON envelope file mapping");
+    console.log("                                upstream_vpec_id \u2192 commitment_root_poseidon2");
+    console.log("                                (repeatable; merged with --upstream-db).");
+    return parsed.values.help ? 0 : 2;
+  }
+  const FORMATS = /* @__PURE__ */ new Set(["vpec", "pack", "w3c-vc", "dsse", "scitt", "receipt", "all"]);
+  let format = null;
+  let filePath;
+  if (parsed.positionals.length >= 2 && FORMATS.has(parsed.positionals[0])) {
+    format = parsed.positionals[0];
+    filePath = parsed.positionals[1];
+  } else {
+    filePath = parsed.positionals[0];
+  }
+  const jsonOutput = parsed.values.json ?? false;
+  const humanCert = parsed.values.human || parsed.values.format === "human";
+  let rawJson;
+  try {
+    rawJson = readFileSync(filePath, "utf-8");
+  } catch {
+    const msg = `Error: file not found: ${filePath}`;
+    if (jsonOutput) {
+      console.error(msg);
+    } else {
+      console.error(msg);
     }
-    // Run verification
-    let result;
-    try {
-        result = await verify(artifact, {
-            production: parsed.values.production,
-            skip_network: parsed.values['skip-network'],
-            trust_root: parsed.values['trust-root'],
-        }, resolver);
+    return 2;
+  }
+  let artifact;
+  try {
+    artifact = JSON.parse(rawJson);
+  } catch {
+    const msg = `Error: invalid JSON in ${filePath}`;
+    if (jsonOutput) {
+      console.error(msg);
+    } else {
+      console.error(msg);
     }
-    catch (err) {
-        const msg = `Error: verification failed: ${err.message}`;
-        if (jsonOutput) {
-            console.error(msg);
-        }
-        else {
-            console.error(msg);
+    return 2;
+  }
+  let resolver;
+  const dbPath = parsed.values["upstream-db"];
+  const envelopePaths = parsed.values["upstream-envelope"] ?? [];
+  if (dbPath || envelopePaths.length > 0) {
+    const envelopes = /* @__PURE__ */ new Map();
+    for (const ep of envelopePaths) {
+      try {
+        const env = JSON.parse(readFileSync(ep, "utf-8"));
+        if (typeof env.vpec_id === "string" && typeof env.commitment_root_poseidon2 === "string") {
+          envelopes.set(env.vpec_id, env.commitment_root_poseidon2);
+        } else {
+          for (const [k, v] of Object.entries(env)) {
+            if (typeof v === "string") envelopes.set(k, v);
+          }
         }
+      } catch (err) {
+        const msg = `Error: cannot read upstream envelope ${ep}: ${err.message}`;
+        console.error(msg);
         return 2;
+      }
     }
-    // Output
+    resolver = createUpstreamRootResolver({
+      dbPath,
+      envelopes: envelopes.size > 0 ? envelopes : void 0
+    });
+  }
+  let result;
+  try {
+    result = await verify(
+      artifact,
+      {
+        production: parsed.values.production,
+        skip_network: parsed.values["skip-network"],
+        trust_root: parsed.values["trust-root"]
+      },
+      resolver
+    );
+  } catch (err) {
+    const msg = `Error: verification failed: ${err.message}`;
     if (jsonOutput) {
-        console.log(JSON.stringify(result, null, 2));
-    }
-    else if (humanCert) {
-        console.log(formatHumanCertificate(artifact, result));
+      console.error(msg);
+    } else {
+      console.error(msg);
     }
-    else {
-        printHumanResult(result);
-    }
-    if (result.valid && artifact.environment === 'sandbox') {
-        console.log('\nSANDBOX — not audit-acceptable.');
-        console.log('Change key to pk_live_xxx for production.\n');
-        return 2;
-    }
-    return result.valid ? 0 : 1;
+    return 2;
+  }
+  if (jsonOutput) {
+    console.log(JSON.stringify(result, null, 2));
+  } else if (humanCert) {
+    console.log(formatHumanCertificate(artifact, result));
+  } else {
+    printHumanResult(result);
+  }
+  if (result.valid && artifact.environment === "sandbox") {
+    console.log("\nSANDBOX \u2014 not audit-acceptable.");
+    console.log("Change key to pk_live_xxx for production.\n");
+    return 2;
+  }
+  return result.valid ? 0 : 1;
 }
-// Run if invoked directly
-const isDirectRun = process.argv[1] && (process.argv[1].endsWith('/cli.js') ||
-    process.argv[1].endsWith('/cli.ts'));
+var isDirectRun = process.argv[1] && (process.argv[1].endsWith("/cli.js") || process.argv[1].endsWith("/cli.ts"));
 if (isDirectRun) {
-    main().then((code) => process.exit(code));
+  main().then((code) => process.exit(code));
 }
-//# sourceMappingURL=cli.js.map
+export {
+  main
+};