@trigguard/cli 0.1.1

package/dist/commands/policyLifecycle.js

@@ -0,0 +1,601 @@
+import { access, mkdir, readFile, unlink, writeFile } from "node:fs/promises";
+import { constants as fsConstants, existsSync } from "node:fs";
+import { basename, dirname, join } from "node:path";
+import { CompilerError, ParseError, assertBundleHashMatches, compilePolicyBundle, evaluatePolicyBundleOnInput, parsePolicy, stringifyCompiledBundle, } from "@trigguard/policy-dsl";
+import { validateBundleVersionContract } from "@trigguard/policy-engine";
+const TG = () => join(process.cwd(), ".trigguard");
+const policiesDir = () => join(TG(), "policies");
+const activePolicyPath = () => join(TG(), "active_policy");
+const candidatePolicyPath = () => join(TG(), "candidate_policy");
+const policyMetricsPath = () => join(TG(), "policy_metrics.json");
+const historyPath = () => join(TG(), "policy_history.json");
+const stackPath = () => join(TG(), "activation_stack.json");
+export function policyUsage() {
+    console.error(`Usage:
+  trigguard policy lint <file.dsl>
+  trigguard policy test <file.dsl>
+  trigguard policy build <file.dsl>
+  trigguard policy simulate <bundle.json> <inputs.jsonl> [--compare <bundle2.json>]
+  trigguard policy publish <bundle.json>   (optional TRIGGUARD_POLICY_DISTRIBUTION_URL → POST /policy/publish)
+  trigguard policy activate <bundle_hash>
+  trigguard policy stack-rollback
+  trigguard policy reload <manifest.json> <bundle.json>
+  trigguard policy rollback
+  trigguard policy history
+  trigguard policy active
+  trigguard policy stage <bundle.json|bundle_hash>
+  trigguard policy promote
+  trigguard policy metrics
+  trigguard policy sync <manifest.json> <bundle.json>
+  trigguard policy state
+  trigguard policy verify-manifest <manifest.json>
+  trigguard policy validate <bundle.json>
+  trigguard policy version bump <bundle.json> <major|minor|patch>
+  trigguard policy request-change <bundle.json>
+  trigguard policy approve <changeId>
+  trigguard policy reject <changeId>
+  trigguard policy set-window <start> <end>
+  trigguard policy break-glass <reason>
+  trigguard policy break-glass-end
+  trigguard policy pending`);
+    process.exit(1);
+}
+function defaultBundlePath(dslPath) {
+    const base = basename(dslPath);
+    const dir = dirname(dslPath);
+    const outBase = /\.dsl$/i.test(base) ? base.replace(/\.dsl$/i, ".bundle.json") : `${base}.bundle.json`;
+    return join(dir, outBase);
+}
+function normalizeBundleHash(input) {
+    const s = String(input).trim();
+    if (/^sha256:[a-f0-9]{64}$/i.test(s)) {
+        return `sha256:${s.slice("sha256:".length).toLowerCase()}`;
+    }
+    if (/^[a-f0-9]{64}$/i.test(s)) {
+        return `sha256:${s.toLowerCase()}`;
+    }
+    throw new Error(`Invalid bundle hash: ${input}`);
+}
+function policyFileNameFromHash(hash) {
+    return `${normalizeBundleHash(hash).replace(/^sha256:/i, "")}.json`;
+}
+async function readJsonFile(path) {
+    const raw = await readFile(path, "utf8");
+    return JSON.parse(raw);
+}
+async function readHistory() {
+    try {
+        const h = await readJsonFile(historyPath());
+        return Array.isArray(h) ? h : [];
+    }
+    catch {
+        return [];
+    }
+}
+async function writeHistory(rows) {
+    await mkdir(TG(), { recursive: true });
+    await writeFile(historyPath(), `${JSON.stringify(rows, null, 2)}\n`, "utf8");
+}
+async function readStack() {
+    try {
+        const s = await readJsonFile(stackPath());
+        if (Array.isArray(s))
+            return s;
+        if (s && typeof s === "object" && Array.isArray(s.stack)) {
+            return s.stack;
+        }
+        return [];
+    }
+    catch {
+        return [];
+    }
+}
+async function writeStack(stack) {
+    await mkdir(TG(), { recursive: true });
+    await writeFile(stackPath(), `${JSON.stringify(stack, null, 2)}\n`, "utf8");
+}
+async function readDsl(path) {
+    try {
+        return await readFile(path, "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`Failed to read ${path}: ${msg}`);
+        process.exit(1);
+        return "";
+    }
+}
+export async function runPolicyLint(path) {
+    const text = await readDsl(path);
+    try {
+        const rules = parsePolicy(text, { filename: path });
+        console.log("Policy valid");
+        console.log(`Rules: ${rules.length}`);
+    }
+    catch (e) {
+        if (e instanceof ParseError) {
+            console.error(e.format());
+            process.exit(1);
+            return;
+        }
+        throw e;
+    }
+}
+export async function runPolicyTest(path) {
+    const text = await readDsl(path);
+    try {
+        const rules = parsePolicy(text, { filename: path });
+        const bundle = compilePolicyBundle(rules, {});
+        console.log("Syntax OK");
+        console.log(`Rules: ${rules.length}`);
+        console.log(`Bundle hash: ${bundle.bundle_hash}`);
+    }
+    catch (e) {
+        if (e instanceof ParseError) {
+            console.error(e.format());
+            process.exit(1);
+            return;
+        }
+        if (e instanceof CompilerError) {
+            console.error(e.message);
+            process.exit(1);
+            return;
+        }
+        throw e;
+    }
+}
+export async function runPolicyBuild(path) {
+    const text = await readDsl(path);
+    try {
+        const rules = parsePolicy(text, { filename: path });
+        const bundle = compilePolicyBundle(rules, {});
+        const outPath = defaultBundlePath(path);
+        await writeFile(outPath, `${stringifyCompiledBundle(bundle)}\n`, "utf8");
+        console.log(`Wrote ${outPath}`);
+    }
+    catch (e) {
+        if (e instanceof ParseError) {
+            console.error(e.format());
+            process.exit(1);
+            return;
+        }
+        if (e instanceof CompilerError) {
+            console.error(e.message);
+            process.exit(1);
+            return;
+        }
+        throw e;
+    }
+}
+function parseSimulateArgs(rest) {
+    const idx = rest.indexOf("--compare");
+    if (idx >= 0) {
+        const comparePath = rest[idx + 1];
+        if (!comparePath)
+            policyUsage();
+        const head = rest.slice(0, idx);
+        if (head.length < 2)
+            policyUsage();
+        return { bundlePath: head[0], inputsPath: head[1], comparePath };
+    }
+    if (rest.length < 2)
+        policyUsage();
+    return { bundlePath: rest[0], inputsPath: rest[1], comparePath: null };
+}
+function validateBundleShape(b) {
+    if (!b || typeof b !== "object" || Array.isArray(b)) {
+        throw new CompilerError("bundle must be a JSON object");
+    }
+    const o = b;
+    if (!Array.isArray(o.rules)) {
+        throw new CompilerError("bundle.rules must be an array");
+    }
+    for (const r of o.rules) {
+        if (!r || typeof r !== "object")
+            throw new CompilerError("Invalid rule entry");
+        const rr = r;
+        if (typeof rr.id !== "string" || typeof rr.effect !== "string" || rr.condition == null) {
+            throw new CompilerError("Each rule needs id, effect, and condition");
+        }
+    }
+    if (typeof o.bundle_hash !== "string" || !/^sha256:[a-f0-9]{64}$/i.test(o.bundle_hash)) {
+        throw new CompilerError("bundle.bundle_hash must be sha256:<64-hex>");
+    }
+    if (typeof o.bundleVersion !== "string" || !/^\d+\.\d+\.\d+$/.test(o.bundleVersion)) {
+        throw new CompilerError("bundle.bundleVersion must be semantic version (x.y.z)");
+    }
+    if (typeof o.policySchema !== "string" || !o.policySchema.trim()) {
+        throw new CompilerError("bundle.policySchema is required");
+    }
+    if (!o.engineCompatibility ||
+        typeof o.engineCompatibility.minEngine !== "string" ||
+        typeof o.engineCompatibility.maxEngine !== "string") {
+        throw new CompilerError("bundle.engineCompatibility.{minEngine,maxEngine} required");
+    }
+}
+async function loadBundleForSimulate(path) {
+    let raw;
+    try {
+        raw = await readFile(path, "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`Failed to read ${path}: ${msg}`);
+        process.exit(1);
+        throw new Error("unreachable");
+    }
+    const parsed = JSON.parse(raw);
+    validateBundleShape(parsed);
+    try {
+        assertBundleHashMatches(parsed);
+    }
+    catch (e) {
+        if (e instanceof CompilerError) {
+            console.error(e.message);
+            process.exit(1);
+            throw new Error("unreachable");
+        }
+        throw e;
+    }
+    const contract = validateBundleVersionContract(parsed);
+    if (!contract.ok) {
+        console.error(contract.code);
+        console.error(contract.detail);
+        process.exit(1);
+    }
+    return parsed;
+}
+export async function runPolicySimulate(rest) {
+    const { bundlePath, inputsPath, comparePath } = parseSimulateArgs(rest);
+    let rawInputs;
+    try {
+        rawInputs = await readFile(inputsPath, "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`Failed to read ${inputsPath}: ${msg}`);
+        process.exit(1);
+        return;
+    }
+    const bundle = await loadBundleForSimulate(bundlePath);
+    const bundleB = comparePath ? await loadBundleForSimulate(comparePath) : null;
+    const lines = rawInputs.split(/\r?\n/).filter((l) => l.trim().length > 0);
+    const summary = { PERMIT: 0, DENY: 0, SILENCE: 0 };
+    for (let i = 0; i < lines.length; i += 1) {
+        const line = lines[i];
+        let row;
+        try {
+            row = JSON.parse(line);
+        }
+        catch {
+            console.error(`Invalid JSON on line ${i + 1}`);
+            process.exit(1);
+            return;
+        }
+        const d = evaluatePolicyBundleOnInput(bundle, row);
+        summary[d] += 1;
+        console.log(`INPUT ${i + 1} → ${d}`);
+        if (bundleB) {
+            const d2 = evaluatePolicyBundleOnInput(bundleB, row);
+            if (d !== d2) {
+                console.log(`Input ${i + 1} decision changed:`);
+                console.log(`A → ${d}`);
+                console.log(`B → ${d2}`);
+            }
+        }
+    }
+    console.log("Summary:");
+    console.log(`Total inputs: ${lines.length}`);
+    console.log(`PERMIT: ${summary.PERMIT}`);
+    console.log(`DENY: ${summary.DENY}`);
+    console.log(`SILENCE: ${summary.SILENCE}`);
+}
+export async function runPolicyPublish(bundlePath) {
+    let raw;
+    try {
+        raw = await readFile(bundlePath, "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`Failed to read ${bundlePath}: ${msg}`);
+        process.exit(1);
+        return;
+    }
+    const parsed = JSON.parse(raw);
+    validateBundleShape(parsed);
+    try {
+        assertBundleHashMatches(parsed);
+    }
+    catch (e) {
+        if (e instanceof CompilerError) {
+            console.error(e.message);
+            process.exit(1);
+            return;
+        }
+        throw e;
+    }
+    const b = parsed;
+    const h = normalizeBundleHash(b.bundle_hash);
+    const destDir = policiesDir();
+    await mkdir(destDir, { recursive: true });
+    const dest = join(destDir, policyFileNameFromHash(h));
+    const body = `${JSON.stringify(parsed, null, 2)}\n`;
+    await writeFile(dest, body, "utf8");
+    const history = await readHistory();
+    history.push({ bundle_hash: h, published_at: new Date().toISOString(), activated_at: null });
+    await writeHistory(history);
+    const distUrl = (process.env.TRIGGUARD_POLICY_DISTRIBUTION_URL || "").trim();
+    if (distUrl) {
+        const url = `${distUrl.replace(/\/+$/, "")}/policy/publish`;
+        const res = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: body.trimEnd(),
+        });
+        const text = await res.text();
+        if (!res.ok) {
+            console.error(`Distribution publish failed (HTTP ${res.status}): ${text}`);
+            process.exitCode = 2;
+            return;
+        }
+        try {
+            const j = JSON.parse(text);
+            if (!j.ok) {
+                console.error(`Distribution publish rejected: ${j.error ?? text}`);
+                process.exitCode = 2;
+                return;
+            }
+        }
+        catch {
+            console.error(`Distribution publish: unexpected response: ${text}`);
+            process.exitCode = 2;
+            return;
+        }
+        console.log(`Policy published to distribution service: ${url}`);
+    }
+    console.log("Policy published");
+    console.log(`Bundle hash: ${h}`);
+}
+export async function runPolicyActivate(hashArg) {
+    const h = normalizeBundleHash(hashArg);
+    const dest = join(policiesDir(), policyFileNameFromHash(h));
+    try {
+        await access(dest, fsConstants.F_OK);
+    }
+    catch {
+        console.error(`Bundle not found for hash (expected file ${dest})`);
+        process.exit(1);
+        return;
+    }
+    const activated_at = new Date().toISOString();
+    await mkdir(TG(), { recursive: true });
+    await writeFile(activePolicyPath(), `${JSON.stringify({ bundle_hash: h, activated_at }, null, 2)}\n`, "utf8");
+    const stack = await readStack();
+    if (stack.length === 0 || stack[stack.length - 1] !== h) {
+        stack.push(h);
+    }
+    await writeStack(stack);
+    const history = await readHistory();
+    history.push({ bundle_hash: h, published_at: null, activated_at });
+    await writeHistory(history);
+}
+export async function runPolicyStackRollback() {
+    const stack = await readStack();
+    if (stack.length === 0) {
+        console.error("Nothing to rollback (no activations recorded).");
+        process.exit(1);
+        return;
+    }
+    stack.pop();
+    await writeStack(stack);
+    const activated_at = new Date().toISOString();
+    if (stack.length === 0) {
+        try {
+            await unlink(activePolicyPath());
+        }
+        catch {
+            // ignore missing file
+        }
+        console.log("Rollback successful");
+        console.log("Active bundle: (none)");
+        return;
+    }
+    const prev = stack[stack.length - 1];
+    await writeFile(activePolicyPath(), `${JSON.stringify({ bundle_hash: prev, activated_at }, null, 2)}\n`, "utf8");
+    console.log("Rollback successful");
+    console.log(`Active bundle: ${prev}`);
+}
+function emptyMetrics() {
+    return {
+        evaluations: 0,
+        decision_diff: { permit_to_deny: 0, permit_to_silence: 0, deny_to_permit: 0 },
+    };
+}
+async function readMetrics() {
+    try {
+        const parsed = await readJsonFile(policyMetricsPath());
+        return {
+            evaluations: Number(parsed.evaluations ?? 0),
+            decision_diff: {
+                permit_to_deny: Number(parsed.decision_diff?.permit_to_deny ?? 0),
+                permit_to_silence: Number(parsed.decision_diff?.permit_to_silence ?? 0),
+                deny_to_permit: Number(parsed.decision_diff?.deny_to_permit ?? 0),
+            },
+        };
+    }
+    catch {
+        return emptyMetrics();
+    }
+}
+function totalDiff(m) {
+    return m.decision_diff.permit_to_deny + m.decision_diff.permit_to_silence + m.decision_diff.deny_to_permit;
+}
+async function resolveBundleHashForStage(arg) {
+    const trimmed = String(arg).trim();
+    if (!trimmed)
+        throw new Error("bundle argument required");
+    if (existsSync(trimmed)) {
+        const raw = await readFile(trimmed, "utf8");
+        const parsed = JSON.parse(raw);
+        validateBundleShape(parsed);
+        assertBundleHashMatches(parsed);
+        return normalizeBundleHash(parsed.bundle_hash);
+    }
+    return normalizeBundleHash(trimmed);
+}
+export async function runPolicyStage(bundleArg) {
+    const h = await resolveBundleHashForStage(bundleArg);
+    const bundlePath = join(policiesDir(), policyFileNameFromHash(h));
+    try {
+        await access(bundlePath, fsConstants.F_OK);
+    }
+    catch {
+        console.error(`Bundle not found for stage (expected file ${bundlePath}). Publish first.`);
+        process.exit(1);
+        return;
+    }
+    await mkdir(TG(), { recursive: true });
+    await writeFile(candidatePolicyPath(), `${JSON.stringify({ bundle_hash: h, staged_at: new Date().toISOString() }, null, 2)}\n`, "utf8");
+    console.log(`Candidate policy staged: ${h}`);
+}
+export async function runPolicyPromote() {
+    let candidate;
+    try {
+        candidate = await readJsonFile(candidatePolicyPath());
+    }
+    catch {
+        console.error("No candidate policy staged. Run: trigguard policy stage <bundle>");
+        process.exit(1);
+        return;
+    }
+    if (typeof candidate.bundle_hash !== "string" || !candidate.bundle_hash.trim()) {
+        console.error("candidate_policy is invalid (missing bundle_hash)");
+        process.exit(1);
+        return;
+    }
+    const h = normalizeBundleHash(candidate.bundle_hash);
+    const bundlePath = join(policiesDir(), policyFileNameFromHash(h));
+    try {
+        await access(bundlePath, fsConstants.F_OK);
+    }
+    catch {
+        console.error(`Candidate bundle file missing: ${bundlePath}`);
+        process.exit(1);
+        return;
+    }
+    const thresholdRaw = (process.env.TRIGGUARD_POLICY_DIFF_THRESHOLD || "").trim();
+    const threshold = thresholdRaw ? Number(thresholdRaw) : 0.01;
+    const metrics = await readMetrics();
+    const driftRate = metrics.evaluations > 0 ? totalDiff(metrics) / metrics.evaluations : 0;
+    if (Number.isFinite(threshold) && driftRate >= threshold) {
+        console.error("Policy candidate diverges from active policy");
+        console.error(`diff_rate=${(driftRate * 100).toFixed(2)}% threshold=${(threshold * 100).toFixed(2)}%`);
+        process.exit(1);
+        return;
+    }
+    await writeFile(activePolicyPath(), `${JSON.stringify({ bundle_hash: h, activated_at: new Date().toISOString() }, null, 2)}\n`, "utf8");
+    try {
+        await unlink(candidatePolicyPath());
+    }
+    catch {
+        // ignore
+    }
+    console.log(`Candidate promoted to active: ${h}`);
+}
+export async function runPolicyMetrics() {
+    const metrics = await readMetrics();
+    const diff = totalDiff(metrics);
+    const rate = metrics.evaluations > 0 ? (diff / metrics.evaluations) * 100 : 0;
+    console.log(JSON.stringify({ ...metrics, diff_total: diff, diff_rate_percent: Number(rate.toFixed(4)) }, null, 2));
+}
+export async function runPolicyValidate(bundlePath) {
+    let raw;
+    try {
+        raw = await readFile(bundlePath, "utf8");
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`Failed to read ${bundlePath}: ${msg}`);
+        process.exitCode = 2;
+        return;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        console.log("POLICY_BUNDLE_INVALID");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        validateBundleShape(parsed);
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        if (msg.includes("bundleVersion") || msg.includes("policySchema") || msg.includes("engineCompatibility")) {
+            console.log("MISSING_MANIFEST_FIELDS");
+            process.exitCode = 2;
+            return;
+        }
+        if (msg.includes("policySchema")) {
+            console.log("INVALID_SCHEMA");
+            process.exitCode = 2;
+            return;
+        }
+        console.log("POLICY_BUNDLE_INVALID");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        assertBundleHashMatches(parsed);
+    }
+    catch {
+        console.log("POLICY_BUNDLE_INVALID");
+        process.exitCode = 2;
+        return;
+    }
+    const contract = validateBundleVersionContract(parsed);
+    if (!contract.ok) {
+        if (contract.code === "POLICY_ENGINE_VERSION_INCOMPATIBLE")
+            console.log("INCOMPATIBLE_ENGINE_VERSION");
+        else if (contract.code === "POLICY_SCHEMA_UNSUPPORTED")
+            console.log("INVALID_SCHEMA");
+        else
+            console.log("MISSING_MANIFEST_FIELDS");
+        process.exitCode = 2;
+        return;
+    }
+    console.log("VALID");
+}
+function parseSemverString(v) {
+    const t = String(v || "").trim();
+    const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(t);
+    if (!m)
+        throw new Error(`invalid semantic version: ${v}`);
+    return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
+}
+function bumpSemver(version, kind) {
+    const p = parseSemverString(version);
+    if (kind === "major")
+        return `${p.major + 1}.0.0`;
+    if (kind === "minor")
+        return `${p.major}.${p.minor + 1}.0`;
+    return `${p.major}.${p.minor}.${p.patch + 1}`;
+}
+export async function runPolicyVersionBump(argv) {
+    const bundlePath = argv[0];
+    const kind = argv[1];
+    if (!bundlePath || !kind || !["major", "minor", "patch"].includes(kind)) {
+        console.error("Usage: trigguard policy version bump <bundle.json> <major|minor|patch>");
+        process.exitCode = 1;
+        return;
+    }
+    const raw = await readFile(bundlePath, "utf8");
+    const parsed = JSON.parse(raw);
+    validateBundleShape(parsed);
+    const next = bumpSemver(parsed.bundleVersion, kind);
+    parsed.bundleVersion = next;
+    await writeFile(bundlePath, `${JSON.stringify(parsed, null, 2)}\n`, "utf8");
+    console.log(JSON.stringify({ bundleVersion: next, path: bundlePath }, null, 2));
+}

package/dist/commands/receiptFetch.d.ts

@@ -0,0 +1 @@
+export declare function runReceiptFetch(argv: string[]): Promise<void>;

package/dist/commands/receiptFetch.js

@@ -0,0 +1,44 @@
+import { parseArgs } from "node:util";
+function baseUrlFromArgs(values) {
+    const raw = (typeof values["log-url"] === "string" && values["log-url"]) ||
+        process.env.TRIGGUARD_RECEIPT_LOG_URL ||
+        "http://127.0.0.1:3847";
+    return String(raw).replace(/\/$/, "");
+}
+export async function runReceiptFetch(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "log-url": { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const receiptId = positionals[0];
+    if (!receiptId) {
+        console.error("Usage: trigguard receipt fetch <receipt_id> [--log-url URL] [--json]");
+        process.exit(1);
+    }
+    const base = baseUrlFromArgs(values);
+    const res = await fetch(`${base}/v1/receipts/${encodeURIComponent(receiptId)}`, {
+        headers: { Accept: "application/json" },
+    });
+    if (!res.ok) {
+        console.error(`receipt fetch failed: HTTP ${res.status}`);
+        process.exit(1);
+    }
+    const row = (await res.json());
+    if (values.json) {
+        console.log(JSON.stringify(row));
+        return;
+    }
+    console.log(`receipt_id: ${String(row.receipt_id ?? "")}`);
+    console.log(`decision: ${String(row.decision ?? "")}`);
+    if (row.surface != null)
+        console.log(`surface: ${String(row.surface)}`);
+    console.log(`timestamp: ${String(row.timestamp ?? "")}`);
+    console.log(`receipt_hash: ${String(row.receipt_hash ?? "")}`);
+    if (row.merkle_root != null)
+        console.log(`merkle_root: ${String(row.merkle_root)}`);
+}

package/dist/commands/receiptProof.d.ts

@@ -0,0 +1 @@
+export declare function runReceiptProof(argv: string[]): Promise<void>;

package/dist/commands/receiptProof.js

@@ -0,0 +1,43 @@
+import { parseArgs } from "node:util";
+function baseUrlFromArgs(values) {
+    const raw = (typeof values["log-url"] === "string" && values["log-url"]) ||
+        process.env.TRIGGUARD_RECEIPT_LOG_URL ||
+        "http://127.0.0.1:3847";
+    return String(raw).replace(/\/$/, "");
+}
+export async function runReceiptProof(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "log-url": { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const receiptId = positionals[0];
+    if (!receiptId) {
+        console.error("Usage: trigguard receipt proof <receipt_id> [--log-url URL] [--json]");
+        process.exit(1);
+    }
+    const base = baseUrlFromArgs(values);
+    const res = await fetch(`${base}/v1/receipts/${encodeURIComponent(receiptId)}/proof`, {
+        headers: { Accept: "application/json" },
+    });
+    if (!res.ok) {
+        console.error(`receipt proof failed: HTTP ${res.status}`);
+        process.exit(1);
+    }
+    const proof = (await res.json());
+    if (values.json) {
+        console.log(JSON.stringify(proof));
+        return;
+    }
+    console.log(`receipt_id: ${String(proof.receipt_id ?? "")}`);
+    console.log(`merkle_root: ${String(proof.merkle_root ?? "")}`);
+    console.log(`leaf_index: ${String(proof.leaf_index ?? "")}`);
+    const path = Array.isArray(proof.inclusion_proof) ? proof.inclusion_proof : [];
+    console.log(`inclusion_proof_len: ${path.length}`);
+    for (const h of path)
+        console.log(`  - ${String(h)}`);
+}

package/dist/commands/replay.d.ts

@@ -0,0 +1,2 @@
+export declare function runReplay(argv: string[]): Promise<void>;
+export declare function runReplayAudit(): Promise<void>;