@trigguard/cli 0.1.1

package/dist/commands/tg-authorize.js

@@ -0,0 +1,191 @@
+import { readFile } from "node:fs/promises";
+import { stdin as input } from "node:process";
+import { createExecutionClient, fetchPublicKeys, verifyReceiptSignature, } from "@trigguard/execution-sdk";
+import { resolveBearer } from "../auth.js";
+import { loadConfig } from "../cp/config.js";
+import { missingConfiguredApiKeyMessage, resolveApiKey as resolveStoredApiKey, } from "../cp/credentials.js";
+import { readStdin } from "../stdin.js";
+import { flagValue, hasFlag } from "../tg/args.js";
+import { defaultGatewayUrl } from "../tg/gateway.js";
+import { buildAuthorizeDisplay, printHumanAuthorize, printJsonAuthorize, } from "../tg/authorize-format.js";
+import { formatFetchError, formatGatewayError, missingSurfaceMessage, } from "../tg/errors.js";
+function parseRisk(raw) {
+    if (raw === undefined)
+        return undefined;
+    if (typeof raw === "number" && !Number.isNaN(raw)) {
+        return raw <= 1 ? raw : raw / 100;
+    }
+    const s = String(raw).trim().toLowerCase();
+    if (!s)
+        return undefined;
+    const n = Number(s);
+    if (!Number.isNaN(n))
+        return n <= 1 ? n : n / 100;
+    if (s === "critical")
+        return 0.95;
+    if (s === "high")
+        return 0.85;
+    if (s === "medium")
+        return 0.5;
+    if (s === "low")
+        return 0.15;
+    return undefined;
+}
+export { defaultGatewayUrl } from "../tg/gateway.js";
+export function resolveApiKey() {
+    return resolveStoredApiKey(loadConfig());
+}
+async function readPayloadSource(args) {
+    const file = flagValue(args, "--file");
+    if (file) {
+        const raw = file === "-" ? await readStdin() : await readFile(file, "utf8");
+        return JSON.parse(raw);
+    }
+    if (!input.isTTY && !flagValue(args, "--surface")) {
+        const raw = await readStdin();
+        if (raw.trim())
+            return JSON.parse(raw);
+    }
+    return null;
+}
+async function mergeAuthorizeInput(base, args) {
+    const fromPayload = base ?? {};
+    const surface = flagValue(args, "--surface") ?? String(fromPayload.surface ?? "");
+    const actorId = flagValue(args, "--actor") ??
+        flagValue(args, "--actor-id") ??
+        String(fromPayload.actorId ?? process.env.TRIGGUARD_ACTOR_ID ?? "tg-cli");
+    const intent = flagValue(args, "--intent") ?? fromPayload.intent;
+    const risk = flagValue(args, "--risk") ?? fromPayload.risk;
+    const environment = flagValue(args, "--environment") ??
+        fromPayload.environment ??
+        loadConfig().environment;
+    let context = fromPayload.context && typeof fromPayload.context === "object"
+        ? { ...fromPayload.context }
+        : {};
+    const payloadFlag = flagValue(args, "--payload");
+    if (payloadFlag) {
+        const inline = payloadFlag.startsWith("{") || payloadFlag.startsWith("[")
+            ? payloadFlag
+            : await readFile(payloadFlag, "utf8");
+        Object.assign(context, JSON.parse(inline));
+    }
+    if (intent)
+        context.intent = intent;
+    const riskScore = parseRisk(risk);
+    if (riskScore !== undefined)
+        context.riskScore = riskScore;
+    if (environment)
+        context.environment = environment;
+    if (!surface) {
+        throw new Error("missing_surface");
+    }
+    return {
+        surface,
+        actorId,
+        intent,
+        risk,
+        environment,
+        context: Object.keys(context).length ? context : undefined,
+        subjectDigest: typeof fromPayload.subjectDigest === "string" ? fromPayload.subjectDigest : undefined,
+    };
+}
+export async function runTgAuthorize(args) {
+    const json = hasFlag(args, "--json");
+    let inputReq;
+    try {
+        const payload = await readPayloadSource(args);
+        inputReq = await mergeAuthorizeInput(payload, args);
+    }
+    catch (e) {
+        if (e instanceof Error && e.message === "missing_surface") {
+            console.error(missingSurfaceMessage());
+            process.exit(1);
+        }
+        throw e;
+    }
+    const gatewayUrl = flagValue(args, "--gateway-url") ?? defaultGatewayUrl(inputReq.environment);
+    const apiKey = resolveApiKey();
+    if (!apiKey && process.env.TRIGGUARD_USE_GCLOUD !== "1") {
+        console.error(missingConfiguredApiKeyMessage());
+        process.exit(1);
+    }
+    const getBearerToken = () => resolveBearer(gatewayUrl);
+    const client = createExecutionClient({
+        gatewayUrl,
+        apiKey,
+        getBearerToken: apiKey ? undefined : getBearerToken,
+    });
+    let result;
+    try {
+        result = await client.authorize({
+            surface: inputReq.surface,
+            actorId: inputReq.actorId,
+            context: inputReq.context,
+            subjectDigest: inputReq.subjectDigest,
+        });
+    }
+    catch (e) {
+        const msg = formatFetchError(e, gatewayUrl);
+        if (json)
+            printJsonAuthorize({ ok: false, error: msg });
+        else
+            console.error(msg);
+        process.exit(1);
+    }
+    if (!result.ok || !result.receipt) {
+        const errBody = result.body && typeof result.body === "object" ? result.body : { error: result.status };
+        const msg = formatGatewayError(result.status, errBody, { apiKeyProvided: Boolean(apiKey) });
+        if (json) {
+            printJsonAuthorize({ ok: false, status: result.status, error: errBody, message: msg });
+        }
+        else {
+            console.error(msg);
+        }
+        process.exit(1);
+    }
+    const body = (result.body && typeof result.body === "object" ? result.body : {});
+    const receipt = result.receipt;
+    let receiptValid = false;
+    try {
+        const keys = await fetchPublicKeys(gatewayUrl, apiKey ? () => Promise.resolve(apiKey) : getBearerToken);
+        receiptValid = verifyReceiptSignature(receipt, keys);
+    }
+    catch (e) {
+        const msg = formatFetchError(e, gatewayUrl);
+        if (json)
+            printJsonAuthorize({ ok: false, error: msg, partial: body });
+        else
+            console.error(msg);
+        process.exit(1);
+    }
+    const display = buildAuthorizeDisplay(body, receiptValid);
+    if (json) {
+        printJsonAuthorize({
+            ok: true,
+            decision: display.decision,
+            reason: display.reason,
+            riskScore: display.riskScore,
+            executionId: display.executionId,
+            receiptValid,
+            receiptStatus: display.receiptStatus,
+            signatureStatus: display.signatureStatus,
+            authority: display.authority,
+            protocol: display.protocol,
+            verificationResult: display.verificationResult,
+            surface: inputReq.surface,
+            actorId: inputReq.actorId,
+            intent: inputReq.intent ?? null,
+            policyId: display.policyId,
+            policyBundleHash: display.policyBundleHash,
+            latencyMs: display.latencyMs,
+            receipt,
+        });
+    }
+    else {
+        printHumanAuthorize(display);
+    }
+    if (!receiptValid)
+        process.exit(1);
+    if (display.decision !== "PERMIT")
+        process.exit(1);
+}

package/dist/commands/tg-init.d.ts

@@ -0,0 +1 @@
+export declare function runTgInit(args: string[]): Promise<void>;

package/dist/commands/tg-init.js

@@ -0,0 +1,149 @@
+import fs from "node:fs";
+import path from "node:path";
+import { flagValue, hasFlag } from "../tg/args.js";
+function detectStack(cwd) {
+    const hints = new Set();
+    const pkgPath = path.join(cwd, "package.json");
+    let packageName = null;
+    let hasPackageJson = false;
+    if (fs.existsSync(pkgPath)) {
+        hasPackageJson = true;
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+            packageName = pkg.name ?? null;
+            const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+            if (deps.express)
+                hints.add("express");
+            if (deps.fastify)
+                hints.add("fastify");
+            if (deps.langchain || deps["@langchain/core"])
+                hints.add("langchain");
+            if (!hints.size)
+                hints.add("node");
+        }
+        catch {
+            hints.add("generic");
+        }
+    }
+    const workflowsDir = path.join(cwd, ".github", "workflows");
+    if (fs.existsSync(workflowsDir)) {
+        hints.add("github-actions");
+    }
+    if (!hints.size)
+        hints.add("generic");
+    return { hints: [...hints], hasPackageJson, packageName };
+}
+function writeIfAbsent(filePath, content, force) {
+    if (fs.existsSync(filePath) && !force)
+        return false;
+    fs.writeFileSync(filePath, content, { mode: 0o644 });
+    return true;
+}
+export async function runTgInit(args) {
+    const json = hasFlag(args, "--json");
+    const force = hasFlag(args, "--force");
+    const dir = flagValue(args, "--dir") ?? "trigguard";
+    const cwd = process.cwd();
+    const outDir = path.join(cwd, dir);
+    const stack = detectStack(cwd);
+    fs.mkdirSync(outDir, { recursive: true });
+    const envExample = `# TrigGuard — copy to .env and fill in values (never commit .env)
+TRIGGUARD_API_KEY=tg_live_REPLACE_ME
+TRIGGUARD_GATEWAY_URL=https://api.trigguardai.com
+TRIGGUARD_ACTOR_ID=${stack.packageName ?? "my-service"}
+`;
+    const exampleJson = {
+        surface: "deploy.release",
+        actorId: stack.packageName ?? "my-service",
+        intent: "example governed action",
+        risk: "medium",
+        context: {
+            repository: "org/repo",
+            branch: "main",
+        },
+    };
+    const integrationMd = `# TrigGuard Integration
+
+Generated by \`tg init\`. Non-destructive scaffold — review before use.
+
+## Detected stack
+
+${stack.hints.map((h) => `- ${h}`).join("\n")}
+
+## 1. Configure
+
+\`\`\`bash
+cp ${dir}/.env.example .env
+# Edit .env — set TRIGGUARD_API_KEY from console (Settings → API keys)
+\`\`\`
+
+## 2. First authorization
+
+\`\`\`bash
+export $(grep -v '^#' .env | xargs)
+tg authorize --surface deploy.release --actor ${stack.packageName ?? "my-service"} --intent "test deploy"
+\`\`\`
+
+## 3. Verify receipt
+
+\`\`\`bash
+tg verify --execution-id <execution-id-from-output>
+\`\`\`
+
+## 4. Integrate
+
+See \`examples/integrations/cli-adoption/\` in the TrigGuard repo for copy-paste templates:
+- GitHub Actions deployment gate
+- Node.js / Express / Fastify
+- LangChain agent pre-flight
+- CI/CD patterns
+
+Docs: \`docs/developer/TRIGGUARD_QUICKSTART.md\`, \`docs/developer/DESIGN_PARTNER_DEMO.md\`
+`;
+    const written = [];
+    const skipped = [];
+    function track(relPath, filePath, content) {
+        if (writeIfAbsent(filePath, content, force))
+            written.push(relPath);
+        else
+            skipped.push(relPath);
+    }
+    track(path.join(dir, ".env.example"), path.join(outDir, ".env.example"), envExample);
+    track(path.join(dir, "trigguard.example.json"), path.join(outDir, "trigguard.example.json"), `${JSON.stringify(exampleJson, null, 2)}\n`);
+    track(path.join(dir, "TRIGGUARD_INTEGRATION.md"), path.join(outDir, "TRIGGUARD_INTEGRATION.md"), integrationMd);
+    const exampleSnippets = {
+        node: `# Run governed authorize from Node (shell out to tg)
+# tg authorize --file trigguard/trigguard.example.json --json
+`,
+        express: `# Express: authorize before route handler
+# See examples/integrations/cli-adoption/express-middleware.mjs
+`,
+        fastify: `# Fastify: preHandler hook
+# See examples/integrations/cli-adoption/fastify-hook.mjs
+`,
+        langchain: `# LangChain: tool pre-flight
+# See examples/integrations/cli-adoption/langchain-preflight.mjs
+`,
+        "github-actions": `# GitHub Actions: see examples/integrations/cli-adoption/github-actions/trigguard-authorize.yml
+`,
+        generic: `# tg authorize --surface deploy.release --actor my-agent --intent "action"
+`,
+    };
+    for (const hint of stack.hints) {
+        const rel = path.join(dir, `example-${hint}.md`);
+        track(rel, path.join(outDir, `example-${hint}.md`), exampleSnippets[hint] ?? exampleSnippets.generic);
+    }
+    if (json) {
+        console.log(JSON.stringify({ ok: true, directory: dir, detected: stack.hints, written, skipped }, null, 2));
+        return;
+    }
+    console.log("TrigGuard integration scaffold created.");
+    console.log(`  Directory: ${dir}/`);
+    console.log(`  Detected:  ${stack.hints.join(", ")}`);
+    console.log("");
+    console.log("Next steps:");
+    console.log(`  1. cp ${dir}/.env.example .env`);
+    console.log("  2. Set TRIGGUARD_API_KEY in .env");
+    console.log(`  3. tg authorize --file ${dir}/trigguard.example.json`);
+    console.log(`  4. Read ${dir}/TRIGGUARD_INTEGRATION.md`);
+}

package/dist/commands/tg-setup.d.ts

@@ -0,0 +1 @@
+export declare function runTgSetup(args: string[]): Promise<void>;

package/dist/commands/tg-setup.js

@@ -0,0 +1,43 @@
+import { hasFlag } from "../tg/args.js";
+import { loadConfig } from "../cp/config.js";
+import { resolveApiKey, resolveApiKeySource } from "../cp/credentials.js";
+import { resolveSessionSnapshot } from "./session.js";
+import { runLoginWeb } from "./login-web.js";
+import { loadExecutionSurfaces } from "./tg-surfaces.js";
+import { shellQuoteArg } from "../tg/shellQuote.js";
+import os from "node:os";
+export async function runTgSetup(args) {
+    const json = hasFlag(args, "--json");
+    const config = loadConfig();
+    const snap = await resolveSessionSnapshot();
+    const hasKey = Boolean(resolveApiKey(config));
+    if (!snap.authenticated || !hasKey) {
+        if (!json)
+            console.log("Step 1/3 — Sign in (browser)");
+        await runLoginWeb(json ? ["--json"] : []);
+    }
+    const refreshed = loadConfig();
+    const snap2 = await resolveSessionSnapshot();
+    if (!snap2.authenticated || !resolveApiKey(refreshed)) {
+        throw new Error("Setup incomplete: login did not configure credentials.");
+    }
+    if (!json)
+        console.log("\nStep 2/3 — Execution surfaces");
+    const surfaces = loadExecutionSurfaces();
+    const sample = surfaces.find((s) => s.surface === "deploy.release") ?? surfaces[0];
+    if (json) {
+        console.log(JSON.stringify({
+            ok: true,
+            workspace: snap2.activeOrg?.orgId ?? refreshed.activeOrgId ?? null,
+            apiKeySource: resolveApiKeySource(refreshed),
+            recommendedSurface: sample?.surface ?? null,
+            surfaceCount: surfaces.length,
+        }, null, 2));
+    }
+    else {
+        console.log(`  ${surfaces.length} surfaces registered. Try: tg surfaces list`);
+        const actor = shellQuoteArg(snap2.activeOrg?.name ?? os.userInfo().username ?? "demo");
+        console.log("\nStep 3/3 — First authorization");
+        console.log(`  tg authorize --surface ${sample?.surface ?? "deploy.release"} --actor ${actor} --intent "setup test"`);
+    }
+}

package/dist/commands/tg-surfaces.d.ts

@@ -0,0 +1,7 @@
+export interface ExecutionSurfaceEntry {
+    readonly surface: string;
+    readonly category: string;
+    readonly description: string;
+}
+export declare function loadExecutionSurfaces(): ExecutionSurfaceEntry[];
+export declare function runTgSurfaces(args: string[]): Promise<void>;

package/dist/commands/tg-surfaces.js

@@ -0,0 +1,50 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { hasFlag } from "../tg/args.js";
+const SURFACE_META = {
+    "deploy.release": { category: "delivery", description: "Release deployment to an environment" },
+    "infra.apply": { category: "infrastructure", description: "Apply infrastructure changes" },
+    "artifact.publish": { category: "delivery", description: "Publish build artifacts" },
+    "data.export": { category: "data", description: "Export sensitive data" },
+    "payment.execute": { category: "financial", description: "Execute payment or refund" },
+    "secrets.access": { category: "security", description: "Read or use secrets" },
+    "database.migrate": { category: "data", description: "Run database migrations" },
+    "production.write": { category: "infrastructure", description: "Write to production systems" },
+};
+function surfacesRegistryPath() {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+        path.join(here, "../../data/execution-surfaces.json"),
+        path.join(here, "../../../../protocol/execution-surfaces.json"),
+    ];
+    for (const candidate of candidates) {
+        if (fs.existsSync(candidate))
+            return candidate;
+    }
+    throw new Error("execution-surfaces.json not found");
+}
+export function loadExecutionSurfaces() {
+    const raw = JSON.parse(fs.readFileSync(surfacesRegistryPath(), "utf8"));
+    const surfaces = Array.isArray(raw.surfaces) ? raw.surfaces : [];
+    return surfaces.map((surface) => {
+        const meta = SURFACE_META[surface];
+        return {
+            surface,
+            category: meta?.category ?? "general",
+            description: meta?.description ?? "Registered execution surface",
+        };
+    });
+}
+export async function runTgSurfaces(args) {
+    const json = hasFlag(args, "--json");
+    const list = loadExecutionSurfaces();
+    if (json) {
+        console.log(JSON.stringify({ ok: true, surfaces: list }, null, 2));
+        return;
+    }
+    console.log("Execution surfaces (read-only registry)");
+    for (const entry of list) {
+        console.log(`  ${entry.surface.padEnd(28)} ${entry.category.padEnd(14)} ${entry.description}`);
+    }
+}

package/dist/commands/tg-verify.d.ts

@@ -0,0 +1 @@
+export declare function runTgVerify(args: string[]): Promise<void>;

package/dist/commands/tg-verify.js

@@ -0,0 +1,118 @@
+import { readFile } from "node:fs/promises";
+import { fetchPublicKeys, verifyReceiptSignature } from "@trigguard/execution-sdk";
+import { resolveBearer } from "../auth.js";
+import { flagValue, hasFlag, stripFlags } from "../tg/args.js";
+import { extractReceiptFromPayload } from "../tg/receipt.js";
+import { resolveGatewayUrl } from "../tg/gateway.js";
+import { resolveApiKey } from "./tg-authorize.js";
+import { formatFetchError } from "../tg/errors.js";
+import { printJsonAuthorize } from "../tg/authorize-format.js";
+async function fetchReceiptByExecutionId(gatewayUrl, executionId, token) {
+    const headers = { Accept: "application/json" };
+    if (token)
+        headers.Authorization = `Bearer ${token}`;
+    const res = await fetch(`${gatewayUrl.replace(/\/$/, "")}/verify/${encodeURIComponent(executionId)}`, {
+        headers,
+        signal: AbortSignal.timeout(30_000),
+    });
+    const text = await res.text();
+    let body = {};
+    try {
+        body = text ? JSON.parse(text) : {};
+    }
+    catch {
+        throw new Error(`Gateway returned non-JSON for execution ${executionId}`);
+    }
+    if (!res.ok) {
+        const err = body && typeof body === "object" ? body.error : res.status;
+        throw new Error(`Cannot fetch receipt: ${String(err)} (HTTP ${res.status})`);
+    }
+    const obj = body;
+    const receipt = obj.receipt;
+    if (!receipt || typeof receipt !== "object") {
+        throw new Error(`No receipt in gateway response for ${executionId}`);
+    }
+    return receipt;
+}
+export async function runTgVerify(args) {
+    const json = hasFlag(args, "--json");
+    const executionId = flagValue(args, "--execution-id");
+    const gatewayUrl = resolveGatewayUrl(args);
+    const apiKey = resolveApiKey();
+    let receipt;
+    if (executionId) {
+        try {
+            receipt = await fetchReceiptByExecutionId(gatewayUrl, executionId, apiKey);
+        }
+        catch (e) {
+            const msg = formatFetchError(e, gatewayUrl);
+            if (json)
+                printJsonAuthorize({ ok: false, error: msg });
+            else
+                console.error(msg);
+            process.exit(1);
+        }
+    }
+    else {
+        const file = stripFlags(args)[0];
+        if (!file) {
+            console.error("Usage: tg verify receipt.json | tg verify --execution-id EXEC_ID");
+            process.exit(1);
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(await readFile(file, "utf8"));
+        }
+        catch {
+            console.error(`Cannot read receipt file: ${file}`);
+            process.exit(1);
+        }
+        try {
+            receipt = extractReceiptFromPayload(parsed);
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            if (json)
+                printJsonAuthorize({ ok: false, error: msg });
+            else
+                console.error(msg);
+            process.exit(1);
+        }
+    }
+    let valid = false;
+    try {
+        const keys = await fetchPublicKeys(gatewayUrl, apiKey
+            ? () => Promise.resolve(apiKey)
+            : process.env.TRIGGUARD_USE_GCLOUD === "1"
+                ? () => resolveBearer(gatewayUrl)
+                : undefined);
+        valid = verifyReceiptSignature(receipt, keys);
+    }
+    catch (e) {
+        const msg = formatFetchError(e, gatewayUrl);
+        if (json)
+            printJsonAuthorize({ ok: false, error: msg });
+        else
+            console.error(msg);
+        process.exit(1);
+    }
+    const execId = typeof receipt.executionId === "string" ? receipt.executionId : executionId ?? null;
+    const payload = {
+        ok: valid,
+        verificationResult: valid ? "passed" : "failed",
+        executionId: execId,
+        decision: receipt.decision ?? null,
+        signatureStatus: valid ? "valid (Ed25519)" : "invalid",
+    };
+    if (json) {
+        printJsonAuthorize(payload);
+    }
+    else {
+        console.log(`Verification:     ${valid ? "passed" : "failed"}`);
+        console.log(`Execution ID:     ${execId ?? "—"}`);
+        console.log(`Decision:         ${String(receipt.decision ?? "—")}`);
+        console.log(`Signature Status: ${valid ? "valid (Ed25519)" : "invalid"}`);
+    }
+    if (!valid)
+        process.exit(1);
+}

package/dist/commands/transparency.d.ts

@@ -0,0 +1,2 @@
+export declare function runTransparencyRoot(argv: string[]): Promise<void>;
+export declare function runTransparencyVerify(argv: string[]): Promise<void>;

package/dist/commands/transparency.js

@@ -0,0 +1,65 @@
+import { computeMerkleRoot, computeReplayArtifactHash, loadReplayArtifact, loadTransparencyLog, verifyReplayReceipt, } from "@trigguard/policy-engine";
+import { readFileSync } from "node:fs";
+function argValue(args, name) {
+    const i = args.indexOf(name);
+    if (i < 0)
+        return undefined;
+    return args[i + 1];
+}
+function hasFlag(args, name) {
+    return args.includes(name);
+}
+export async function runTransparencyRoot(argv) {
+    const json = hasFlag(argv, "--json");
+    const entries = loadTransparencyLog();
+    const root_hash = computeMerkleRoot(entries);
+    const out = { root_hash, entries: entries.length };
+    if (json)
+        console.log(JSON.stringify(out, null, 2));
+    else {
+        console.log(`Transparency root: ${root_hash}`);
+        console.log(`Entries: ${entries.length}`);
+    }
+}
+export async function runTransparencyVerify(argv) {
+    const receiptPath = argv[0];
+    if (!receiptPath) {
+        console.error("Usage: trigguard transparency-verify <replay-receipt.json> [--artifact artifact.json] [--public-key pem]");
+        process.exit(1);
+        return;
+    }
+    const artifactPath = argValue(argv, "--artifact");
+    const publicKeyPem = argValue(argv, "--public-key");
+    const replayReceipt = JSON.parse(readFileSync(receiptPath, "utf8"));
+    const artifact = artifactPath
+        ? JSON.parse(readFileSync(artifactPath, "utf8"))
+        : loadReplayArtifact(replayReceipt.receipt_id);
+    if (!artifact) {
+        console.error("Replay artifact not found; pass --artifact <path>");
+        process.exit(1);
+        return;
+    }
+    const vr = verifyReplayReceipt({
+        replayReceipt,
+        artifact,
+        publicKeyPem,
+    });
+    if (!vr.ok) {
+        console.error(`INVALID ${vr.failed_check}: ${vr.detail}`);
+        process.exit(2);
+        return;
+    }
+    const artifactHash = computeReplayArtifactHash(artifact);
+    const entries = loadTransparencyLog();
+    const index = entries.findIndex((x) => x.artifact_hash === artifactHash);
+    const root = computeMerkleRoot(entries);
+    if (index < 0) {
+        console.error("INVALID inclusion: artifact hash not found in transparency log");
+        process.exit(2);
+        return;
+    }
+    console.log("OK transparency verification");
+    console.log(`Receipt: ${replayReceipt.receipt_id}`);
+    console.log(`Artifact index: ${index}`);
+    console.log(`Root hash: ${root}`);
+}

package/dist/commands/verify.d.ts

@@ -0,0 +1 @@
+export declare function runVerify(argv: string[]): Promise<void>;