agentskeptic 0.1.1 → 0.1.2

package/dist/cli.js

@@ -35,97 +35,97 @@ import { runBatchCiLockFromRestArgs, runQuickCiLockFromRestArgs } from "./ciLock
 import { formatDistributionFooter } from "./distributionFooter.js";
 import { postPublicVerificationReport } from "./shareReport/postPublicVerificationReport.js";
 function usageQuick() {
-    return `Usage:
-  agentskeptic quick --input <path> (--postgres-url <url> | --db <sqlitePath>) --export-registry <path>
-    [--emit-events <path>] [--workflow-id <id>] [--share-report-origin <https://host>]
-
-  Input must contain structured tool activity (tool names and parameters extractable as JSON). Verification uses read-only SQL against the database you pass.
-
-  Use - for stdin. Writes registry JSON array atomically, then optional events file, then stdout (see docs/quick-verify-normative.md).
-  With --share-report-origin, human stderr is deferred until after a successful POST (same contract as batch verify; see docs/shareable-verification-reports.md).
-
-Exit codes:
-  0  verdict pass
-  1  verdict fail
-  2  verdict uncertain
-  3  operational failure (stderr: JSON envelope)
-
+    return `Usage:
+  agentskeptic quick --input <path> (--postgres-url <url> | --db <sqlitePath>) --export-registry <path>
+    [--emit-events <path>] [--workflow-id <id>] [--share-report-origin <https://host>]
+
+  Input must contain structured tool activity (tool names and parameters extractable as JSON). Verification uses read-only SQL against the database you pass.
+
+  Use - for stdin. Writes registry JSON array atomically, then optional events file, then stdout (see docs/quick-verify-normative.md).
+  With --share-report-origin, human stderr is deferred until after a successful POST (same contract as batch verify; see docs/shareable-verification-reports.md).
+
+Exit codes:
+  0  verdict pass
+  1  verdict fail
+  2  verdict uncertain
+  3  operational failure (stderr: JSON envelope)
+
   --help, -h  print this message and exit 0`;
 }
 function usageVerify() {
-    return `Usage:
-  agentskeptic quick --input <path> (--postgres-url <url> | --db <sqlitePath>) --export-registry <path> [--emit-events <path>] [--workflow-id <id>]
-    (zero-config path; structured tool activity + read-only SQL; see docs/quick-verify-normative.md)
-
-  agentskeptic --workflow-id <id> --events <path> --registry <path> --db <sqlitePath>
-  agentskeptic --workflow-id <id> --events <path> --registry <path> --postgres-url <url>
-
-  Optional CI lock (commercial build; same as enforce batch): append exactly one of
-  --output-lock <path> or --expect-lock <path> (requires active subscription; see docs/ci-enforcement.md).
-
-Optional consistency (default strong):
-  --consistency strong|eventual
-  With eventual, required:
-  --verification-window-ms <int>
-  --poll-interval-ms <int>   (must be >= 1 and <= window)
-
-With strong, do not pass --verification-window-ms or --poll-interval-ms.
-
-Provide exactly one of --db or --postgres-url.
-
-Optional output:
-  --no-truth-report   For verdict exits 0–2, do not print the human truth report to stderr (stderr empty). stdout WorkflowResult JSON is unchanged. Exit 3 stderr is unchanged (single-line JSON envelope).
-  --share-report-origin <https://host>   After successful verification, POST a shareable report to that origin (https only, origin with no path), then print human report + footer to stderr and WorkflowResult JSON to stdout. On POST failure: exit 3, stdout empty, stderr single-line JSON envelope (code SHARE_REPORT_FAILED). See docs/shareable-verification-reports.md.
-
-Exit codes:
-  0  workflow status complete
-  1  workflow status inconsistent
-  2  workflow status incomplete
-  3  operational failure (see stderr JSON)
-  4  CI lock mismatch with --expect-lock (stdout: WorkflowResult line; stderr: envelope after human report if any)
-
-  agentskeptic compare --prior <path> [--prior <path> ...] --current <path>
-  Compare saved WorkflowResult JSON files (local only; see docs).
-
-  agentskeptic validate-registry --registry <path>
-  agentskeptic validate-registry --registry <path> --events <path> --workflow-id <id>
-  Validate tools registry JSON (and optionally resolution vs events) without a database.
-  See docs/agentskeptic.md (Registry validation).
-
-  agentskeptic execution-trace --workflow-id <id> --events <path> [--workflow-result <path>] [--format json|text]
-  Emit ExecutionTraceView JSON or text (see docs/agentskeptic.md).
-
-  agentskeptic enforce batch (--expect-lock <path> | --output-lock <path>) <same flags as batch verify>
-  agentskeptic enforce quick (--expect-lock <path> | --output-lock <path>) <same flags as quick>
-  CI enforcement with pinned ci-lock-v1 (see docs/ci-enforcement.md).
-
-  agentskeptic assurance run --manifest <path> [--write-report <path>]
-  agentskeptic assurance stale --report <path> --max-age-hours <n>
-  Multi-scenario assurance sweep and staleness gate (see docs/agentskeptic.md).
-
-Advanced / optional (persisted runs, signing, local UI, plan/git checks):
-  --write-run-bundle <dir>   After a successful verify (schema-valid WorkflowResult), write a canonical run directory: events.ndjson (byte copy of --events), workflow-result.json (emitted result), agent-run.json (SHA-256 manifest). Directory is created if missing. Requires exit 0–2 (operational failure skips the write).
-  --sign-ed25519-private-key <path>   With --write-run-bundle only: PKCS#8 PEM Ed25519 private key; also writes workflow-result.sig.json and manifest schemaVersion 2.
-
-  verify-bundle-signature --run-dir <dir> --public-key <path>
-  Verify signed bundle (Ed25519 + manifest v2). Exit 0 if valid; exit 3 with JSON envelope on failure.
-
-  agentskeptic debug --corpus <dir> [--port <n>]
-  Local Debug Console on 127.0.0.1 (see docs/agentskeptic.md — Debug Console).
-
-  agentskeptic plan-transition --repo <dir> --before <ref> --after <ref> --plan <path>
-  Validate git Before..After against machine plan rules (planValidation, body YAML section, or derived path citations as required diff surfaces; Git >= 2.30.0; see docs).
-
+    return `Usage:
+  agentskeptic quick --input <path> (--postgres-url <url> | --db <sqlitePath>) --export-registry <path> [--emit-events <path>] [--workflow-id <id>]
+    (zero-config path; structured tool activity + read-only SQL; see docs/quick-verify-normative.md)
+
+  agentskeptic --workflow-id <id> --events <path> --registry <path> --db <sqlitePath>
+  agentskeptic --workflow-id <id> --events <path> --registry <path> --postgres-url <url>
+
+  Optional CI lock (commercial build; same as enforce batch): append exactly one of
+  --output-lock <path> or --expect-lock <path> (requires active subscription; see docs/ci-enforcement.md).
+
+Optional consistency (default strong):
+  --consistency strong|eventual
+  With eventual, required:
+  --verification-window-ms <int>
+  --poll-interval-ms <int>   (must be >= 1 and <= window)
+
+With strong, do not pass --verification-window-ms or --poll-interval-ms.
+
+Provide exactly one of --db or --postgres-url.
+
+Optional output:
+  --no-truth-report   For verdict exits 0–2, do not print the human truth report to stderr (stderr empty). stdout WorkflowResult JSON is unchanged. Exit 3 stderr is unchanged (single-line JSON envelope).
+  --share-report-origin <https://host>   After successful verification, POST a shareable report to that origin (https only, origin with no path), then print human report + footer to stderr and WorkflowResult JSON to stdout. On POST failure: exit 3, stdout empty, stderr single-line JSON envelope (code SHARE_REPORT_FAILED). See docs/shareable-verification-reports.md.
+
+Exit codes:
+  0  workflow status complete
+  1  workflow status inconsistent
+  2  workflow status incomplete
+  3  operational failure (see stderr JSON)
+  4  CI lock mismatch with --expect-lock (stdout: WorkflowResult line; stderr: envelope after human report if any)
+
+  agentskeptic compare --prior <path> [--prior <path> ...] --current <path>
+  Compare saved WorkflowResult JSON files (local only; see docs).
+
+  agentskeptic validate-registry --registry <path>
+  agentskeptic validate-registry --registry <path> --events <path> --workflow-id <id>
+  Validate tools registry JSON (and optionally resolution vs events) without a database.
+  See docs/agentskeptic.md (Registry validation).
+
+  agentskeptic execution-trace --workflow-id <id> --events <path> [--workflow-result <path>] [--format json|text]
+  Emit ExecutionTraceView JSON or text (see docs/agentskeptic.md).
+
+  agentskeptic enforce batch (--expect-lock <path> | --output-lock <path>) <same flags as batch verify>
+  agentskeptic enforce quick (--expect-lock <path> | --output-lock <path>) <same flags as quick>
+  CI enforcement with pinned ci-lock-v1 (see docs/ci-enforcement.md).
+
+  agentskeptic assurance run --manifest <path> [--write-report <path>]
+  agentskeptic assurance stale --report <path> --max-age-hours <n>
+  Multi-scenario assurance sweep and staleness gate (see docs/agentskeptic.md).
+
+Advanced / optional (persisted runs, signing, local UI, plan/git checks):
+  --write-run-bundle <dir>   After a successful verify (schema-valid WorkflowResult), write a canonical run directory: events.ndjson (byte copy of --events), workflow-result.json (emitted result), agent-run.json (SHA-256 manifest). Directory is created if missing. Requires exit 0–2 (operational failure skips the write).
+  --sign-ed25519-private-key <path>   With --write-run-bundle only: PKCS#8 PEM Ed25519 private key; also writes workflow-result.sig.json and manifest schemaVersion 2.
+
+  verify-bundle-signature --run-dir <dir> --public-key <path>
+  Verify signed bundle (Ed25519 + manifest v2). Exit 0 if valid; exit 3 with JSON envelope on failure.
+
+  agentskeptic debug --corpus <dir> [--port <n>]
+  Local Debug Console on 127.0.0.1 (see docs/agentskeptic.md — Debug Console).
+
+  agentskeptic plan-transition --repo <dir> --before <ref> --after <ref> --plan <path>
+  Validate git Before..After against machine plan rules (planValidation, body YAML section, or derived path citations as required diff surfaces; Git >= 2.30.0; see docs).
+
   --help, -h  print this message and exit 0`;
 }
 function usageExecutionTrace() {
-    return `Usage:
-  agentskeptic execution-trace --workflow-id <id> --events <path> [--workflow-result <path>] [--format json|text]
-
-Exit codes:
-  0  success (stdout: ExecutionTraceView JSON or text; stderr empty)
-  3  operational failure (stderr: JSON envelope only; stdout empty)
-
+    return `Usage:
+  agentskeptic execution-trace --workflow-id <id> --events <path> [--workflow-result <path>] [--format json|text]
+
+Exit codes:
+  0  success (stdout: ExecutionTraceView JSON or text; stderr empty)
+  3  operational failure (stderr: JSON envelope only; stdout empty)
+
   --help, -h  print this message and exit 0`;
 }
 function assertExecutionTraceArgsWellFormed(args) {
@@ -261,41 +261,41 @@ function runExecutionTraceSubcommand(args) {
     process.exit(0);
 }
 function usageCompare() {
-    return `Usage:
-  agentskeptic compare --prior <workflowResult.json> [--prior <path> ...] --current <workflowResult.json>
-
-Compares the current run (last file) against the immediate prior run (last --prior).
-Recurrence uses all runs in order: each --prior in order, then --current.
-
-Exit codes:
-  0  comparison succeeded (stdout: RunComparisonReport JSON; stderr: human summary)
-  3  operational failure (stderr: JSON envelope only; stdout empty)
-
+    return `Usage:
+  agentskeptic compare --prior <workflowResult.json> [--prior <path> ...] --current <workflowResult.json>
+
+Compares the current run (last file) against the immediate prior run (last --prior).
+Recurrence uses all runs in order: each --prior in order, then --current.
+
+Exit codes:
+  0  comparison succeeded (stdout: RunComparisonReport JSON; stderr: human summary)
+  3  operational failure (stderr: JSON envelope only; stdout empty)
+
   --help, -h  print this message and exit 0`;
 }
 function writeCliError(code, message) {
     console.error(cliErrorEnvelope(code, message));
 }
 function usageAssurance() {
-    return `Usage:
-  agentskeptic assurance run --manifest <path> [--write-report <path>]
-  agentskeptic assurance stale --report <path> --max-age-hours <n>
-
-  assurance run executes each manifest scenario by spawning this CLI (schemas/assurance-manifest-v1.schema.json).
-  Path arguments in each scenario argv are resolved relative to the manifest file's directory unless absolute.
-
-  assurance stale exits 1 when the report issuedAt is older than max-age-hours (UTC wall clock).
-
-Exit codes (run):
-  0  all scenarios exited 0
-  1  at least one scenario non-zero
-  3  operational failure (stderr: JSON envelope)
-
-Exit codes (stale):
-  0  report fresh
-  1  report stale
-  3  missing/invalid report (stderr: JSON envelope)
-
+    return `Usage:
+  agentskeptic assurance run --manifest <path> [--write-report <path>]
+  agentskeptic assurance stale --report <path> --max-age-hours <n>
+
+  assurance run executes each manifest scenario by spawning this CLI (schemas/assurance-manifest-v1.schema.json).
+  Path arguments in each scenario argv are resolved relative to the manifest file's directory unless absolute.
+
+  assurance stale exits 1 when the report issuedAt is older than max-age-hours (UTC wall clock).
+
+Exit codes (run):
+  0  all scenarios exited 0
+  1  at least one scenario non-zero
+  3  operational failure (stderr: JSON envelope)
+
+Exit codes (stale):
+  0  report fresh
+  1  report stale
+  3  missing/invalid report (stderr: JSON envelope)
+
   --help, -h  print this message and exit 0`;
 }
 function runAssuranceSubcommand(args) {
@@ -512,13 +512,13 @@ async function runQuickSubcommand(args) {
 }
 function runVerifyBundleSignatureSubcommand(args) {
     if (args.includes("--help") || args.includes("-h")) {
-        console.log(`Usage:
-  agentskeptic verify-bundle-signature --run-dir <dir> --public-key <path>
-
-Exit codes:
-  0  signature and manifest integrity OK
-  3  verification failed (stderr: JSON envelope; code is BUNDLE_SIGNATURE_*)
-
+        console.log(`Usage:
+  agentskeptic verify-bundle-signature --run-dir <dir> --public-key <path>
+
+Exit codes:
+  0  signature and manifest integrity OK
+  3  verification failed (stderr: JSON envelope; code is BUNDLE_SIGNATURE_*)
+
   --help, -h  print this message and exit 0`);
         process.exit(0);
     }
@@ -536,17 +536,17 @@ Exit codes:
     process.exit(3);
 }
 function usageValidateRegistry() {
-    return `Usage:
-  agentskeptic validate-registry --registry <path>
-  agentskeptic validate-registry --registry <path> --events <path> --workflow-id <id>
-
-Exit codes:
-  0  registry valid (stdout: RegistryValidationResult JSON; stderr empty)
-  1  validation failed (stdout: RegistryValidationResult JSON; stderr human report)
-  3  operational failure (stderr JSON envelope only; stdout empty)
-
-Options: --registry (required), --events and --workflow-id (both or neither).
-
+    return `Usage:
+  agentskeptic validate-registry --registry <path>
+  agentskeptic validate-registry --registry <path> --events <path> --workflow-id <id>
+
+Exit codes:
+  0  registry valid (stdout: RegistryValidationResult JSON; stderr empty)
+  1  validation failed (stdout: RegistryValidationResult JSON; stderr human report)
+  3  operational failure (stderr JSON envelope only; stdout empty)
+
+Options: --registry (required), --events and --workflow-id (both or neither).
+
   --help, -h  print this message and exit 0`;
 }
 function assertValidateRegistryArgsWellFormed(args) {
@@ -701,14 +701,14 @@ function runCompareSubcommand(args) {
     process.exit(0);
 }
 function usageDebug() {
-    return `Usage:
-  agentskeptic debug --corpus <dir> [--port <n>]
-
-Serves the Debug Console on 127.0.0.1 only. Each run is a subfolder of the corpus
-with workflow-result.json and events.ndjson (see docs/agentskeptic.md).
-
-Exit: Ctrl+C ends the server (exit 0). Port in use or bad corpus → exit 3.
-
+    return `Usage:
+  agentskeptic debug --corpus <dir> [--port <n>]
+
+Serves the Debug Console on 127.0.0.1 only. Each run is a subfolder of the corpus
+with workflow-result.json and events.ndjson (see docs/agentskeptic.md).
+
+Exit: Ctrl+C ends the server (exit 0). Port in use or bad corpus → exit 3.
+
   --help, -h  print this message and exit 0`;
 }
 async function runDebugSubcommand(args) {
@@ -762,23 +762,23 @@ async function runDebugSubcommand(args) {
     process.on("SIGTERM", onSig);
 }
 function usagePlanTransition() {
-    return `Usage:
-  agentskeptic plan-transition --repo <dir> --before <ref> --after <ref> --plan <path>
-
-Optional:
-  --workflow-id <id>   (default ${PLAN_TRANSITION_WORKFLOW_ID})
-  --no-truth-report
-  --write-run-bundle <dir>
-  --sign-ed25519-private-key <path>   (requires --write-run-bundle)
-
-Requires Git >= 2.30.0. Plan file must start with YAML front matter; rules from front matter planValidation, or from a body section "Repository transition validation", or derived from path citations as required diff surfaces when neither is present (see docs).
-
-Exit codes:
-  0  workflow status complete
-  1  workflow status inconsistent
-  2  workflow status incomplete
-  3  operational failure (see stderr JSON)
-
+    return `Usage:
+  agentskeptic plan-transition --repo <dir> --before <ref> --after <ref> --plan <path>
+
+Optional:
+  --workflow-id <id>   (default ${PLAN_TRANSITION_WORKFLOW_ID})
+  --no-truth-report
+  --write-run-bundle <dir>
+  --sign-ed25519-private-key <path>   (requires --write-run-bundle)
+
+Requires Git >= 2.30.0. Plan file must start with YAML front matter; rules from front matter planValidation, or from a body section "Repository transition validation", or derived from path citations as required diff surfaces when neither is present (see docs).
+
+Exit codes:
+  0  workflow status complete
+  1  workflow status inconsistent
+  2  workflow status incomplete
+  3  operational failure (see stderr JSON)
+
   --help, -h  print this message and exit 0`;
 }
 function runPlanTransitionSubcommand(args) {