npm - codex-plugin-doctor - Versions diffs - 1.0.1 → 1.0.3 - Mend

codex-plugin-doctor 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +5 -3
package/dist/core/attestation.d.ts +34 -0
package/dist/core/attestation.js +176 -9
package/dist/core/doctor-export-bundle.d.ts +2 -0
package/dist/core/doctor-export-bundle.js +2 -2
package/dist/core/output-contract.js +12 -0
package/dist/core/release-evidence.d.ts +66 -0
package/dist/core/release-evidence.js +196 -0
package/dist/index.d.ts +2 -1
package/dist/index.js +2 -1
package/dist/run-cli.js +120 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -199,6 +199,8 @@ codex-plugin-doctor doctor npm <published-plugin-package> --json --output npm-pr
 codex-plugin-doctor doctor attest .
 codex-plugin-doctor doctor attest . --json --output attestation.json
 codex-plugin-doctor doctor attest . --json --sign-key-env CODEX_PLUGIN_DOCTOR_SIGNING_KEY --output attestation.json
+codex-plugin-doctor doctor attest verify attestation.json --target . --sign-key-env CODEX_PLUGIN_DOCTOR_SIGNING_KEY
+codex-plugin-doctor doctor attest verify attestation.json --target . --json --sign-key-env CODEX_PLUGIN_DOCTOR_SIGNING_KEY
 codex-plugin-doctor doctor inspector .
 codex-plugin-doctor doctor inspector . --server context7 --json --output inspector-command.json
 codex-plugin-doctor doctor diff --before ./old-plugin --after ./new-plugin
@@ -280,7 +282,7 @@ codex-plugin-doctor check . --json --runtime --verbose-runtime
 `self-test` runs the bundled runtime-complete sample through static validation, runtime MCP probes, and the compatibility scorecard. It is the fastest post-install check after `npm install -g codex-plugin-doctor`.
-`doctor` checks the local environment, including package version, platform, Node version, npm global prefix, Codex home, and Codex plugin cache visibility. The text output also includes recommended next commands for self-test, installed plugin discovery, runtime checks, compatibility scoring, and CI setup. `doctor contract` publishes the machine-readable output contract, including public JSON schema surfaces, stable-through-1.0 compatibility metadata, and a frozen rule catalog digest. Add `--json` for automation or `--output output-contract.json` to write the contract to disk. `doctor corpus` runs the bundled validation corpus against healthy runtime, risky security, starter skill, and generic MCP packages, then reports whether each case matched its expected outcome. Add `--json` for automation or `--output validation-corpus.json` to write the corpus report to disk. `doctor npm <package>` runs a preinstall scan by packing the npm package with scripts disabled, extracting the publish tarball, and running validation, security, trust, and recommendation checks against the shipped contents. Use a published Codex plugin package as the target; scanning `codex-plugin-doctor` itself intentionally reports a missing plugin manifest because this CLI package is not a plugin package. Add `--json` for automation or `--output npm-preinstall.json` to write the report to disk. `doctor attest <path>` creates a deterministic local attestation with a package fingerprint, report digest, validation/security/compatibility/trust summary, and unsigned verification metadata. Add `--sign-key-env NAME` to attach a local HMAC-SHA256 signature without printing the secret, or `--json --output attestation.json` to write the artifact to disk. `doctor inspector <path>` builds a safe MCP Inspector launch command from a packaged `.mcp.json` file without starting the Inspector proxy automatically. Use `--server <name>` when the package contains multiple MCP server entries. `doctor diff --before <path> --after <path>` compares two package roots and reports new findings, resolved findings, trust score delta, and whether risk increased. `doctor recommend <path>` turns validation, security, and compatibility signals into a prioritized action plan with blocker, high, medium, and info actions. Add `--json` for automation or `--output recommendations.json` to write the report to disk. `doctor trust <path>` creates a local trust score from package lifecycle scripts, dependency specs, and MCP security findings. Use it before release when you want supply-chain risks summarized as one score. `doctor perf <path>` profiles the shared package analysis pipeline and reports per-stage durations for validation, config, security, compatibility, trust, recommendations, and total runtime. Add `--max-total-ms <ms>` or repeatable `--max-stage-ms stage=ms` to fail CI when a budget is exceeded. `doctor mcp <path>` exposes the generic MCP static health report under the doctor command family without starting local MCP servers. `doctor export --bundle <path>` creates a redacted operator handoff bundle that includes validation JSON, security scorecard data, compatibility matrix, recommendations, and trust score in one file. `doctor snapshot` creates a redacted diagnostics bundle with environment health, client config readiness, installed plugin metadata, and next commands. Add `--json` for machine-readable output or `--output doctor-snapshot.json` to write the bundle to disk. `doctor clients` reports local Codex, Claude Desktop, Cursor, Cline, and Windsurf config readiness. `doctor --update-check` compares the installed CLI version with the latest npm version and prints the upgrade command when a newer release is available.
+`doctor` checks the local environment, including package version, platform, Node version, npm global prefix, Codex home, and Codex plugin cache visibility. The text output also includes recommended next commands for self-test, installed plugin discovery, runtime checks, compatibility scoring, and CI setup. `doctor contract` publishes the machine-readable output contract, including public JSON schema surfaces, stable-through-1.0 compatibility metadata, and a frozen rule catalog digest. Add `--json` for automation or `--output output-contract.json` to write the contract to disk. `doctor corpus` runs the bundled validation corpus against healthy runtime, risky security, starter skill, and generic MCP packages, then reports whether each case matched its expected outcome. Add `--json` for automation or `--output validation-corpus.json` to write the corpus report to disk. `doctor npm <package>` runs a preinstall scan by packing the npm package with scripts disabled, extracting the publish tarball, and running validation, security, trust, and recommendation checks against the shipped contents. Use a published Codex plugin package as the target; scanning `codex-plugin-doctor` itself intentionally reports a missing plugin manifest because this CLI package is not a plugin package. Add `--json` for automation or `--output npm-preinstall.json` to write the report to disk. `doctor attest <path>` creates a local attestation with stable package/report digests, validation/security/compatibility/trust summary, and verification metadata. Add `--sign-key-env NAME` to attach a local HMAC-SHA256 signature without printing the secret, or `--json --output attestation.json` to write the artifact to disk. `doctor attest verify <attestation.json> --target <path> --sign-key-env NAME` recomputes the package fingerprint, report digest, and HMAC signature offline; verification intentionally treats `generatedAt`, `targetPath`, `verification`, and `signature.keyHint` as unsigned display metadata. `doctor release-evidence <path> --sign-key-env NAME` creates one redacted release bundle with signed attestation, offline verification, corpus, performance, security, trust, package metadata, and git release gates. Strict release evidence requires a clean tagged worktree; use `--allow-dirty` or `--allow-untagged` only for local rehearsal. `doctor inspector <path>` builds a safe MCP Inspector launch command from a packaged `.mcp.json` file without starting the Inspector proxy automatically. Use `--server <name>` when the package contains multiple MCP server entries. `doctor diff --before <path> --after <path>` compares two package roots and reports new findings, resolved findings, trust score delta, and whether risk increased. `doctor recommend <path>` turns validation, security, and compatibility signals into a prioritized action plan with blocker, high, medium, and info actions. Add `--json` for automation or `--output recommendations.json` to write the report to disk. `doctor trust <path>` creates a local trust score from package lifecycle scripts, dependency specs, and MCP security findings. Use it before release when you want supply-chain risks summarized as one score. `doctor perf <path>` profiles the shared package analysis pipeline and reports per-stage durations for validation, config, security, compatibility, trust, recommendations, and total runtime. Add `--max-total-ms <ms>` or repeatable `--max-stage-ms stage=ms` to fail CI when a budget is exceeded. `doctor mcp <path>` exposes the generic MCP static health report under the doctor command family without starting local MCP servers. `doctor export --bundle <path>` creates a redacted operator handoff bundle that includes validation JSON, security scorecard data, compatibility matrix, recommendations, and trust score in one file. `doctor snapshot` creates a redacted diagnostics bundle with environment health, client config readiness, installed plugin metadata, and next commands. Add `--json` for machine-readable output or `--output doctor-snapshot.json` to write the bundle to disk. `doctor clients` reports local Codex, Claude Desktop, Cursor, Cline, and Windsurf config readiness. `doctor --update-check` compares the installed CLI version with the latest npm version and prints the upgrade command when a newer release is available.
 `audit --installed` runs a local ecosystem audit against every discovered Codex plugin in the installed plugin cache. Add `--security` to include security scorecards, `--compat` to include the all-client compatibility matrix, and `--json --output local-audit.json` when you want a shareable machine-readable report. Add `--cache` to reuse unchanged plugin results between runs; add `--changed` to only report plugins whose fingerprint changed since the last cached audit. Use `--cache-file path/to/audit-cache.json` when CI or scripted runs need an explicit cache location.
@@ -346,9 +348,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: Esquetta/CodexPluginDoctor@v1.0.1
+      - uses: Esquetta/CodexPluginDoctor@v1.0.3
         with:
-          version: "1.0.1"
+          version: "1.0.3"
           path: .
           runtime: "true"
           policy: codex-publish

package/dist/core/attestation.d.ts CHANGED Viewed

@@ -66,9 +66,43 @@ export interface BuildDoctorAttestationOptions {
     signingKey?: string;
     signingKeyHint?: string;
     recomputeKeyEnv?: string;
+    versionOverride?: string;
+}
+export interface DoctorAttestationVerificationReport {
+    schemaVersion: "1.0.0";
+    kind: "doctor.attestation.verification";
+    generatedAt: string;
+    artifactPath: string;
+    targetPath: string;
+    status: "pass" | "fail";
+    exitCode: 0 | 1;
+    summary: {
+        packageFingerprint: "pass" | "fail";
+        reportDigest: "pass" | "fail";
+        signature: "pass" | "fail";
+    };
+    unsignedFields: string[];
+    checks: DoctorAttestationVerificationCheck[];
+}
+export interface DoctorAttestationVerificationCheck {
+    id: string;
+    status: "pass" | "fail";
+    message: string;
+    expected?: string;
+    actual?: string;
+}
+export interface VerifyDoctorAttestationOptions {
+    signingKey: string;
+    artifactPath?: string;
 }
 export declare function buildDoctorAttestation(targetPath: string, options?: BuildDoctorAttestationOptions): Promise<DoctorAttestation>;
+export declare function verifyDoctorAttestation(artifactPath: string, targetPath: string, options: VerifyDoctorAttestationOptions): Promise<DoctorAttestationVerificationReport>;
+export declare function verifyDoctorAttestationObject(artifact: unknown, targetPath: string, options: VerifyDoctorAttestationOptions): Promise<DoctorAttestationVerificationReport>;
 export declare function renderDoctorAttestationJson(attestation: DoctorAttestation): string;
+export declare function renderDoctorAttestationVerificationJson(report: DoctorAttestationVerificationReport): string;
+export declare function renderDoctorAttestationVerification(report: DoctorAttestationVerificationReport, options?: {
+    outputPath?: string | null;
+}): string;
 export declare function renderDoctorAttestation(attestation: DoctorAttestation, options?: {
     outputPath?: string | null;
 }): string;

package/dist/core/attestation.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { createHash, createHmac } from "node:crypto";
+import { createHash, createHmac, timingSafeEqual } from "node:crypto";
 import { readdir, readFile, stat } from "node:fs/promises";
 import path from "node:path";
 import { buildDoctorRecommendationsFromAnalysis, buildPackageAnalysis } from "./package-analysis.js";
@@ -116,9 +116,9 @@ async function readManifestSubject(rootPath) {
         description: discoveredPackage.manifest.description
     };
 }
-function buildReportDigestPayload(analysis, packageFingerprint) {
+function buildReportDigestPayload(analysis, packageFingerprint, version) {
     return {
-        version: packageVersion,
+        version,
         packageFingerprint,
         validation: {
             status: analysis.validation.status,
@@ -139,7 +139,13 @@ function buildReportDigestPayload(analysis, packageFingerprint) {
             score: analysis.trust.score,
             findings: analysis.trust.findings
         },
-        recommendations: buildDoctorRecommendationsFromAnalysis(analysis).actions
+        recommendations: buildDoctorRecommendationsFromAnalysis(analysis).actions.map((action) => ({
+            priority: action.priority,
+            category: action.category,
+            title: action.title,
+            reason: action.reason,
+            findingId: action.findingId
+        }))
     };
 }
 function buildSummary(analysis) {
@@ -188,18 +194,19 @@ export async function buildDoctorAttestation(targetPath, options = {}) {
         readPackageSubject(analysis.targetPath),
         readManifestSubject(analysis.targetPath)
     ]);
-    const reportDigest = sha256(stableStringify(buildReportDigestPayload(analysis, packageFingerprint)));
+    const attestationVersion = options.versionOverride ?? packageVersion;
+    const reportDigest = sha256(stableStringify(buildReportDigestPayload(analysis, packageFingerprint, attestationVersion)));
     const subject = buildSubject(analysis, packageJson, manifest);
     const summary = buildSummary(analysis);
-    const signingPayload = {
+    const signingPayload = buildSigningPayload({
         schemaVersion: "1.0.0",
         kind: "doctor.attestation.signature.v1",
-        version: packageVersion,
+        version: attestationVersion,
         subject,
         packageFingerprint,
         reportDigest,
         summary
-    };
+    });
     const signature = options.signingKey
         ? {
             status: "signed",
@@ -221,7 +228,7 @@ export async function buildDoctorAttestation(targetPath, options = {}) {
         schemaVersion: "1.0.0",
         kind: "doctor.attestation",
         generatedAt: analysis.generatedAt,
-        version: packageVersion,
+        version: attestationVersion,
         targetPath: analysis.targetPath,
         subject,
         packageFingerprint,
@@ -243,9 +250,169 @@ export async function buildDoctorAttestation(targetPath, options = {}) {
         signature
     };
 }
+function buildSigningPayload(attestation) {
+    return {
+        schemaVersion: attestation.schemaVersion,
+        kind: "doctor.attestation.signature.v1",
+        version: attestation.version,
+        subject: attestation.subject,
+        packageFingerprint: attestation.packageFingerprint,
+        reportDigest: typeof attestation.reportDigest === "string"
+            ? attestation.reportDigest
+            : attestation.reportDigest.digest,
+        summary: attestation.summary
+    };
+}
+function signPayload(payload, signingKey) {
+    const serializedPayload = stableStringify(payload);
+    return {
+        digest: `sha256:${createHmac("sha256", signingKey)
+            .update(serializedPayload)
+            .digest("hex")}`,
+        payloadDigest: sha256(serializedPayload)
+    };
+}
+function isDoctorAttestation(value) {
+    return isPlainObject(value) &&
+        value.schemaVersion === "1.0.0" &&
+        value.kind === "doctor.attestation" &&
+        typeof value.version === "string" &&
+        isPlainObject(value.packageFingerprint) &&
+        isPlainObject(value.reportDigest) &&
+        isPlainObject(value.signature);
+}
+function digestMatches(expected, actual) {
+    const expectedBuffer = Buffer.from(expected);
+    const actualBuffer = Buffer.from(actual);
+    return expectedBuffer.length === actualBuffer.length &&
+        timingSafeEqual(expectedBuffer, actualBuffer);
+}
+function createDigestVerificationCheck(id, message, expected, actual, includeDigests = true) {
+    return {
+        id,
+        status: digestMatches(expected, actual) ? "pass" : "fail",
+        message,
+        ...(includeDigests ? { expected, actual } : {})
+    };
+}
+export async function verifyDoctorAttestation(artifactPath, targetPath, options) {
+    const resolvedArtifactPath = path.resolve(artifactPath);
+    const artifact = await readJsonFile(resolvedArtifactPath);
+    return verifyDoctorAttestationObject(artifact, targetPath, {
+        ...options,
+        artifactPath: resolvedArtifactPath
+    });
+}
+export async function verifyDoctorAttestationObject(artifact, targetPath, options) {
+    const artifactPath = options.artifactPath ?? "inline:doctor.attestation";
+    if (!isDoctorAttestation(artifact)) {
+        return {
+            schemaVersion: "1.0.0",
+            kind: "doctor.attestation.verification",
+            generatedAt: new Date().toISOString(),
+            artifactPath,
+            targetPath: path.resolve(targetPath),
+            status: "fail",
+            exitCode: 1,
+            summary: {
+                packageFingerprint: "fail",
+                reportDigest: "fail",
+                signature: "fail"
+            },
+            unsignedFields: [
+                "generatedAt",
+                "targetPath",
+                "verification",
+                "signature.keyHint"
+            ],
+            checks: [
+                {
+                    id: "attestation.artifact.invalid",
+                    status: "fail",
+                    message: "The attestation artifact is not a valid doctor attestation."
+                }
+            ]
+        };
+    }
+    const expected = await buildDoctorAttestation(targetPath, {
+        signingKey: options.signingKey,
+        signingKeyHint: "verification",
+        versionOverride: artifact.version
+    });
+    const checks = [
+        createDigestVerificationCheck("attestation.package_fingerprint", "Package fingerprint matches the target package contents.", expected.packageFingerprint.digest, artifact.packageFingerprint.digest),
+        createDigestVerificationCheck("attestation.report_digest", "Report digest matches the target validation evidence.", expected.reportDigest.digest, artifact.reportDigest.digest)
+    ];
+    if (artifact.signature.status !== "signed") {
+        checks.push({
+            id: "attestation.signature.unsigned",
+            status: "fail",
+            message: "The attestation artifact is unsigned and cannot be verified with a signing key."
+        });
+    }
+    else {
+        const expectedSignature = signPayload(buildSigningPayload(artifact), options.signingKey);
+        checks.push(createDigestVerificationCheck("attestation.signature.payload", "Signature payload digest matches the canonical attestation payload.", expectedSignature.payloadDigest, artifact.signature.payloadDigest, false), createDigestVerificationCheck("attestation.signature.mismatch", "HMAC-SHA256 signature matches the canonical attestation payload and signing key.", expectedSignature.digest, artifact.signature.digest, false));
+    }
+    const failedChecks = checks.filter((check) => check.status === "fail");
+    const packageFingerprint = checks.find((check) => check.id === "attestation.package_fingerprint")?.status ?? "fail";
+    const reportDigest = checks.find((check) => check.id === "attestation.report_digest")?.status ?? "fail";
+    const signature = checks
+        .filter((check) => check.id.startsWith("attestation.signature."))
+        .every((check) => check.status === "pass")
+        ? "pass"
+        : "fail";
+    return {
+        schemaVersion: "1.0.0",
+        kind: "doctor.attestation.verification",
+        generatedAt: new Date().toISOString(),
+        artifactPath,
+        targetPath: expected.targetPath,
+        status: failedChecks.length === 0 ? "pass" : "fail",
+        exitCode: failedChecks.length === 0 ? 0 : 1,
+        summary: {
+            packageFingerprint,
+            reportDigest,
+            signature
+        },
+        unsignedFields: [
+            "generatedAt",
+            "targetPath",
+            "verification",
+            "signature.keyHint"
+        ],
+        checks
+    };
+}
 export function renderDoctorAttestationJson(attestation) {
     return JSON.stringify(attestation, null, 2);
 }
+export function renderDoctorAttestationVerificationJson(report) {
+    return JSON.stringify(report, null, 2);
+}
+export function renderDoctorAttestationVerification(report, options = {}) {
+    const lines = [
+        "Doctor Attestation Verification",
+        "===============================",
+        `Artifact: ${report.artifactPath}`,
+        `Target: ${report.targetPath}`,
+        `Status: ${report.status.toUpperCase()}`,
+        `Package fingerprint: ${report.summary.packageFingerprint.toUpperCase()}`,
+        `Report digest: ${report.summary.reportDigest.toUpperCase()}`,
+        `Signature: ${report.summary.signature.toUpperCase()}`
+    ];
+    if (options.outputPath) {
+        lines.push(`Output: ${options.outputPath}`);
+    }
+    lines.push("", "Checks", "------");
+    for (const check of report.checks) {
+        lines.push(`${check.status === "pass" ? "PASS" : "FAIL"} ${check.id}`);
+        lines.push(`  ${check.message}`);
+    }
+    lines.push("", "Unsigned metadata", "-----------------");
+    lines.push(report.unsignedFields.join(", "));
+    return lines.join("\n");
+}
 export function renderDoctorAttestation(attestation, options = {}) {
     const lines = [
         "Doctor Attestation",

package/dist/core/doctor-export-bundle.d.ts CHANGED Viewed

@@ -15,6 +15,8 @@ export interface DoctorExportBundle {
     recommendations: DoctorRecommendationsReport;
     trust: TrustScoreReport;
 }
+export declare function redactString(value: string): string;
+export declare function redactValue(value: unknown): unknown;
 export declare function buildDoctorExportBundle(targetPath: string, environment?: CompatibilityEnvironment): Promise<DoctorExportBundle>;
 export declare function renderDoctorExportBundleJson(bundle: DoctorExportBundle): string;
 export declare function renderDoctorExportBundle(bundle: DoctorExportBundle, options?: {

package/dist/core/doctor-export-bundle.js CHANGED Viewed

@@ -1,12 +1,12 @@
 import { buildDoctorExportBundleFromAnalysis, buildDoctorRecommendationsFromAnalysis, buildPackageAnalysis } from "./package-analysis.js";
-function redactString(value) {
+export function redactString(value) {
     return value
         .replace(/sk-[A-Za-z0-9_-]{12,}/g, "[REDACTED_SECRET]")
         .replace(/npm_[A-Za-z0-9_-]{12,}/g, "[REDACTED_SECRET]")
         .replace(/gh[pousr]_[A-Za-z0-9_]{12,}/g, "[REDACTED_SECRET]")
         .replace(/SHOULD_NOT_LEAK/g, "[REDACTED_SECRET]");
 }
-function redactValue(value) {
+export function redactValue(value) {
     if (typeof value === "string") {
         return redactString(value);
     }

package/dist/core/output-contract.js CHANGED Viewed

@@ -83,6 +83,18 @@ const publicSchemaDefinitions = [
         outputKind: "doctor.attestation",
         required: ["schemaVersion", "kind", "generatedAt", "targetPath", "subject", "packageFingerprint", "reportDigest", "summary", "verification", "signature"]
     },
+    {
+        id: "doctor.attestation.verification.json",
+        command: "codex-plugin-doctor doctor attest verify <attestation.json> --target <path> --json",
+        outputKind: "doctor.attestation.verification",
+        required: ["schemaVersion", "kind", "generatedAt", "artifactPath", "targetPath", "status", "exitCode", "summary", "unsignedFields", "checks"]
+    },
+    {
+        id: "doctor.release.evidence.json",
+        command: "codex-plugin-doctor doctor release-evidence <path> --json",
+        outputKind: "doctor.release.evidence",
+        required: ["schemaVersion", "kind", "generatedAt", "version", "targetPath", "status", "exitCode", "releaseReady", "summary", "package", "git", "releaseGates", "attestation", "attestationVerification", "corpus", "performance", "security", "trust"]
+    },
     {
         id: "doctor.npm.json",
         command: "codex-plugin-doctor doctor npm <package> --json",

package/dist/core/release-evidence.d.ts ADDED Viewed

@@ -0,0 +1,66 @@
+import { type DoctorAttestation, type DoctorAttestationVerificationReport } from "./attestation.js";
+import { type DoctorPerformanceReport, type DoctorPerformanceThresholdOptions } from "./performance-report.js";
+import { type DoctorValidationCorpusReport } from "./validation-corpus.js";
+import { type SecurityAudit } from "../security/security-audit.js";
+import { type TrustScoreReport } from "../security/trust-score.js";
+import type { CompatibilityEnvironment } from "../compatibility/compatibility-matrix.js";
+import type { CheckResult } from "../domain/types.js";
+type EvidenceStatus = "pass" | "warn" | "fail";
+export interface DoctorReleaseEvidencePackageMetadata {
+    name: string | null;
+    version: string | null;
+    private: boolean | null;
+}
+export interface DoctorReleaseEvidenceGitMetadata {
+    commit: string | null;
+    tag: string | null;
+    dirty: boolean | null;
+}
+export interface DoctorReleaseEvidenceReport {
+    schemaVersion: "1.0.0";
+    kind: "doctor.release.evidence";
+    generatedAt: string;
+    version: string;
+    targetPath: string;
+    status: "pass" | "fail";
+    exitCode: 0 | 1;
+    releaseReady: boolean;
+    summary: {
+        attestation: EvidenceStatus;
+        attestationVerification: EvidenceStatus;
+        corpus: EvidenceStatus;
+        performance: EvidenceStatus;
+        releaseGates: EvidenceStatus;
+        security: EvidenceStatus;
+        trust: EvidenceStatus;
+    };
+    releaseGates: {
+        status: EvidenceStatus;
+        checks: Array<{
+            id: string;
+            status: EvidenceStatus;
+            message: string;
+        }>;
+    };
+    package: DoctorReleaseEvidencePackageMetadata;
+    git: DoctorReleaseEvidenceGitMetadata;
+    attestation: DoctorAttestation;
+    attestationVerification: DoctorAttestationVerificationReport;
+    corpus: DoctorValidationCorpusReport;
+    performance: DoctorPerformanceReport;
+    security: Pick<SecurityAudit, "status" | "score" | "findingCounts">;
+    trust: Pick<TrustScoreReport, "status" | "score" | "findingCounts">;
+}
+export interface BuildDoctorReleaseEvidenceOptions {
+    signingKey: string;
+    signingKeyEnv: string;
+    allowDirty?: boolean;
+    allowUntagged?: boolean;
+    environment?: CompatibilityEnvironment;
+    runCheck?: (targetPath: string) => Promise<CheckResult>;
+    performanceThresholds?: DoctorPerformanceThresholdOptions;
+}
+export declare function buildDoctorReleaseEvidenceReport(targetPath: string, options: BuildDoctorReleaseEvidenceOptions): Promise<DoctorReleaseEvidenceReport>;
+export declare function renderDoctorReleaseEvidenceJson(report: DoctorReleaseEvidenceReport): string;
+export declare function renderDoctorReleaseEvidence(report: DoctorReleaseEvidenceReport): string;
+export {};

package/dist/core/release-evidence.js ADDED Viewed

@@ -0,0 +1,196 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import path from "node:path";
+import { buildDoctorAttestation, verifyDoctorAttestationObject } from "./attestation.js";
+import { buildDoctorPerformanceReport } from "./performance-report.js";
+import { buildDoctorValidationCorpusReport } from "./validation-corpus.js";
+import { redactValue } from "./doctor-export-bundle.js";
+import { readJsonFile } from "./read-json-file.js";
+import { buildSecurityAudit } from "../security/security-audit.js";
+import { buildTrustScore } from "../security/trust-score.js";
+import { packageVersion } from "../version.js";
+const execFileAsync = promisify(execFile);
+function toEvidenceStatus(status) {
+    return status;
+}
+async function readPackageMetadata(rootPath) {
+    try {
+        const packageJson = await readJsonFile(path.join(rootPath, "package.json"));
+        return {
+            name: typeof packageJson.name === "string" ? packageJson.name : null,
+            version: typeof packageJson.version === "string" ? packageJson.version : null,
+            private: typeof packageJson.private === "boolean" ? packageJson.private : null
+        };
+    }
+    catch {
+        return {
+            name: null,
+            version: null,
+            private: null
+        };
+    }
+}
+async function readGitValue(args, cwd) {
+    try {
+        const { stdout } = await execFileAsync("git", args, { cwd });
+        const value = stdout.trim();
+        return value.length > 0 ? value : null;
+    }
+    catch {
+        return null;
+    }
+}
+async function readGitDirty(cwd) {
+    try {
+        const { stdout } = await execFileAsync("git", ["status", "--short"], { cwd });
+        return stdout.trim().length > 0;
+    }
+    catch {
+        return null;
+    }
+}
+async function readGitMetadata(rootPath) {
+    const [commit, tag, dirtyOutput] = await Promise.all([
+        readGitValue(["rev-parse", "HEAD"], rootPath),
+        readGitValue(["describe", "--tags", "--exact-match"], rootPath),
+        readGitDirty(rootPath)
+    ]);
+    return {
+        commit,
+        tag,
+        dirty: dirtyOutput
+    };
+}
+function releaseReady(report) {
+    return report.attestation.summary.status !== "fail" &&
+        report.attestationVerification.status === "pass" &&
+        report.corpus.summary.status === "pass" &&
+        report.performance.status === "pass" &&
+        report.releaseGates.status === "pass" &&
+        report.security.status !== "fail" &&
+        report.trust.status !== "fail";
+}
+function buildReleaseGateReport(git, options) {
+    const checks = [
+        {
+            id: "git.commit.present",
+            status: git.commit ? "pass" : "fail",
+            message: git.commit
+                ? "Git commit resolved for this release evidence bundle."
+                : "Git commit could not be resolved."
+        },
+        {
+            id: "git.tag.exact",
+            status: git.tag || options.allowUntagged ? "pass" : "fail",
+            message: git.tag
+                ? `Current commit is tagged as ${git.tag}.`
+                : options.allowUntagged
+                    ? "Current commit is not on an exact git tag, but --allow-untagged was explicitly set."
+                    : "Current commit is not on an exact git tag."
+        },
+        {
+            id: "git.worktree.clean",
+            status: git.dirty === false || options.allowDirty ? "pass" : "fail",
+            message: git.dirty === false
+                ? "Git worktree is clean."
+                : options.allowDirty
+                    ? "Git worktree is dirty, but --allow-dirty was explicitly set."
+                    : "Git worktree has uncommitted changes."
+        }
+    ];
+    return {
+        status: checks.every((check) => check.status === "pass") ? "pass" : "fail",
+        checks
+    };
+}
+export async function buildDoctorReleaseEvidenceReport(targetPath, options) {
+    const rootPath = path.resolve(targetPath);
+    const security = await buildSecurityAudit(rootPath);
+    const [attestation, corpus, performance, trust, packageMetadata, git] = await Promise.all([
+        buildDoctorAttestation(rootPath, {
+            signingKey: options.signingKey,
+            signingKeyHint: `env:${options.signingKeyEnv}`,
+            recomputeKeyEnv: options.signingKeyEnv
+        }),
+        buildDoctorValidationCorpusReport({ environment: options.environment }),
+        buildDoctorPerformanceReport(rootPath, {
+            environment: options.environment,
+            runCheck: options.runCheck,
+            thresholds: options.performanceThresholds
+        }),
+        buildTrustScore(rootPath, { securityAudit: security }),
+        readPackageMetadata(rootPath),
+        readGitMetadata(rootPath)
+    ]);
+    const normalizedPackageMetadata = {
+        name: packageMetadata.name ?? attestation.subject.name,
+        version: packageMetadata.version ?? attestation.subject.version,
+        private: packageMetadata.private
+    };
+    const attestationVerification = await verifyDoctorAttestationObject(attestation, rootPath, {
+        signingKey: options.signingKey,
+        artifactPath: "inline:doctor.release-evidence.attestation"
+    });
+    const releaseGates = buildReleaseGateReport(git, options);
+    const partialReport = {
+        schemaVersion: "1.0.0",
+        kind: "doctor.release.evidence",
+        generatedAt: new Date().toISOString(),
+        version: packageVersion,
+        targetPath: rootPath,
+        summary: {
+            attestation: toEvidenceStatus(attestation.summary.status),
+            attestationVerification: attestationVerification.status,
+            corpus: corpus.summary.status,
+            performance: performance.status,
+            releaseGates: releaseGates.status,
+            security: toEvidenceStatus(security.status),
+            trust: toEvidenceStatus(trust.status)
+        },
+        package: normalizedPackageMetadata,
+        git,
+        releaseGates,
+        attestation,
+        attestationVerification,
+        corpus,
+        performance,
+        security: {
+            status: security.status,
+            score: security.score,
+            findingCounts: security.findingCounts
+        },
+        trust: {
+            status: trust.status,
+            score: trust.score,
+            findingCounts: trust.findingCounts
+        }
+    };
+    const ready = releaseReady(partialReport);
+    return {
+        ...partialReport,
+        status: ready ? "pass" : "fail",
+        exitCode: ready ? 0 : 1,
+        releaseReady: ready
+    };
+}
+export function renderDoctorReleaseEvidenceJson(report) {
+    return JSON.stringify(redactValue(report), null, 2);
+}
+export function renderDoctorReleaseEvidence(report) {
+    return [
+        "Doctor Release Evidence",
+        "=======================",
+        `Target: ${report.targetPath}`,
+        `Status: ${report.status.toUpperCase()}`,
+        `Release ready: ${report.releaseReady ? "yes" : "no"}`,
+        `Attestation: ${report.summary.attestation.toUpperCase()}`,
+        `Attestation verification: ${report.summary.attestationVerification.toUpperCase()}`,
+        `Corpus: ${report.summary.corpus.toUpperCase()}`,
+        `Performance: ${report.summary.performance.toUpperCase()}`,
+        `Release gates: ${report.summary.releaseGates.toUpperCase()}`,
+        `Security: ${report.summary.security.toUpperCase()} (${report.security.score}/100)`,
+        `Trust: ${report.summary.trust.toUpperCase()} (${report.trust.score}/100)`,
+        `Git commit: ${report.git.commit ?? "unknown"}`,
+        `Git tag: ${report.git.tag ?? "not tagged"}`
+    ].join("\n");
+}

package/dist/index.d.ts CHANGED Viewed

@@ -4,11 +4,12 @@ export { buildTrustScore, renderTrustScore, renderTrustScoreJson, type BuildTrus
 export { buildDoctorSnapshot, renderDoctorSnapshot, renderDoctorSnapshotJson, type DoctorSnapshot } from "./core/doctor-snapshot.js";
 export { buildDoctorRecommendations, renderDoctorRecommendations, renderDoctorRecommendationsJson, type DoctorRecommendationAction, type DoctorRecommendationsReport } from "./core/doctor-recommendations.js";
 export { buildDoctorExportBundle, renderDoctorExportBundle, renderDoctorExportBundleJson, type DoctorExportBundle } from "./core/doctor-export-bundle.js";
-export { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson, type DoctorAttestation, type Digest, type PackageFingerprint } from "./core/attestation.js";
+export { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson, renderDoctorAttestationVerification, renderDoctorAttestationVerificationJson, verifyDoctorAttestation, type DoctorAttestation, type DoctorAttestationVerificationCheck, type DoctorAttestationVerificationReport, type Digest, type PackageFingerprint } from "./core/attestation.js";
 export { buildDoctorOutputContract, renderDoctorOutputContract, renderDoctorOutputContractJson, type DoctorOutputContract, type OutputContractRule, type OutputContractSchema } from "./core/output-contract.js";
 export { buildDoctorValidationCorpusReport, renderDoctorValidationCorpusJson, renderDoctorValidationCorpusReport, type BuildDoctorValidationCorpusOptions, type DoctorValidationCorpusReport, type ValidationCorpusCaseDefinition, type ValidationCorpusCaseResult } from "./core/validation-corpus.js";
 export { buildDoctorExportBundleFromAnalysis, buildDoctorRecommendationsFromAnalysis, buildPackageAnalysis, type PackageAnalysis, type PackageAnalysisOptions, type PackageAnalysisStage, type PackageAnalysisTiming } from "./core/package-analysis.js";
 export { buildDoctorPerformanceReport, renderDoctorPerformanceReport, renderDoctorPerformanceReportJson, type BuildDoctorPerformanceReportOptions, type DoctorPerformanceReport, type DoctorPerformanceStage, type DoctorPerformanceStageName } from "./core/performance-report.js";
+export { buildDoctorReleaseEvidenceReport, renderDoctorReleaseEvidence, renderDoctorReleaseEvidenceJson, type BuildDoctorReleaseEvidenceOptions, type DoctorReleaseEvidenceGitMetadata, type DoctorReleaseEvidencePackageMetadata, type DoctorReleaseEvidenceReport } from "./core/release-evidence.js";
 export { buildDoctorNpmPackageReport, renderDoctorNpmPackageReport, renderDoctorNpmPackageReportJson, type BuildDoctorNpmPackageReportOptions, type DoctorNpmPackageReport } from "./core/npm-package-doctor.js";
 export { buildDoctorRiskDiffReport, renderDoctorRiskDiffReport, renderDoctorRiskDiffReportJson, type BuildDoctorRiskDiffReportOptions, type DoctorRiskDiffReport, type RiskDiffFinding, type RiskFindingCategory } from "./core/risk-diff.js";
 export { buildDoctorInspectorReport, renderDoctorInspectorReport, renderDoctorInspectorReportJson, type BuildDoctorInspectorReportOptions, type DoctorInspectorReport } from "./core/inspector-bridge.js";

package/dist/index.js CHANGED Viewed

@@ -4,11 +4,12 @@ export { buildTrustScore, renderTrustScore, renderTrustScoreJson } from "./secur
 export { buildDoctorSnapshot, renderDoctorSnapshot, renderDoctorSnapshotJson } from "./core/doctor-snapshot.js";
 export { buildDoctorRecommendations, renderDoctorRecommendations, renderDoctorRecommendationsJson } from "./core/doctor-recommendations.js";
 export { buildDoctorExportBundle, renderDoctorExportBundle, renderDoctorExportBundleJson } from "./core/doctor-export-bundle.js";
-export { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson } from "./core/attestation.js";
+export { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson, renderDoctorAttestationVerification, renderDoctorAttestationVerificationJson, verifyDoctorAttestation } from "./core/attestation.js";
 export { buildDoctorOutputContract, renderDoctorOutputContract, renderDoctorOutputContractJson } from "./core/output-contract.js";
 export { buildDoctorValidationCorpusReport, renderDoctorValidationCorpusJson, renderDoctorValidationCorpusReport } from "./core/validation-corpus.js";
 export { buildDoctorExportBundleFromAnalysis, buildDoctorRecommendationsFromAnalysis, buildPackageAnalysis } from "./core/package-analysis.js";
 export { buildDoctorPerformanceReport, renderDoctorPerformanceReport, renderDoctorPerformanceReportJson } from "./core/performance-report.js";
+export { buildDoctorReleaseEvidenceReport, renderDoctorReleaseEvidence, renderDoctorReleaseEvidenceJson } from "./core/release-evidence.js";
 export { buildDoctorNpmPackageReport, renderDoctorNpmPackageReport, renderDoctorNpmPackageReportJson } from "./core/npm-package-doctor.js";
 export { buildDoctorRiskDiffReport, renderDoctorRiskDiffReport, renderDoctorRiskDiffReportJson } from "./core/risk-diff.js";
 export { buildDoctorInspectorReport, renderDoctorInspectorReport, renderDoctorInspectorReportJson } from "./core/inspector-bridge.js";

package/dist/run-cli.js CHANGED Viewed

@@ -16,10 +16,11 @@ import { applyDoctorConfig, loadDoctorConfig } from "./core/doctor-config.js";
 import { buildDoctorSnapshot, renderDoctorSnapshot, renderDoctorSnapshotJson } from "./core/doctor-snapshot.js";
 import { buildDoctorRecommendations, renderDoctorRecommendations, renderDoctorRecommendationsJson } from "./core/doctor-recommendations.js";
 import { buildDoctorExportBundle, renderDoctorExportBundle, renderDoctorExportBundleJson } from "./core/doctor-export-bundle.js";
-import { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson } from "./core/attestation.js";
+import { buildDoctorAttestation, renderDoctorAttestation, renderDoctorAttestationJson, renderDoctorAttestationVerification, renderDoctorAttestationVerificationJson, verifyDoctorAttestation } from "./core/attestation.js";
 import { buildDoctorOutputContract, renderDoctorOutputContract, renderDoctorOutputContractJson } from "./core/output-contract.js";
 import { buildDoctorValidationCorpusReport, renderDoctorValidationCorpusJson, renderDoctorValidationCorpusReport } from "./core/validation-corpus.js";
 import { buildDoctorPerformanceReport, renderDoctorPerformanceReport, renderDoctorPerformanceReportJson } from "./core/performance-report.js";
+import { buildDoctorReleaseEvidenceReport, renderDoctorReleaseEvidence, renderDoctorReleaseEvidenceJson } from "./core/release-evidence.js";
 import { buildDoctorNpmPackageReport, renderDoctorNpmPackageReport, renderDoctorNpmPackageReportJson } from "./core/npm-package-doctor.js";
 import { buildDoctorRiskDiffReport, renderDoctorRiskDiffReport, renderDoctorRiskDiffReportJson } from "./core/risk-diff.js";
 import { buildDoctorInspectorReport, renderDoctorInspectorReport, renderDoctorInspectorReportJson } from "./core/inspector-bridge.js";
@@ -69,7 +70,7 @@ const defaultIo = {
     }
 };
 function printUsage(io) {
-    io.writeStderr("Usage: codex-plugin-doctor check <path|--installed> [filter] [--policy codex-publish|mcp-strict|security] [--compat] [--json|--markdown|--badge-json|--badge-markdown] [--output <path>] [--history <path>] [--runtime] [--verbose-runtime] [--explain] [--no-animations] [--ascii]\n       codex-plugin-doctor audit --installed [filter] [--policy codex-publish|mcp-strict|security] [--security] [--compat] [--json] [--output <path>] [--cache] [--changed]\n       codex-plugin-doctor mcp <path> [--json] [--output <path>]\n       codex-plugin-doctor security <path> [--policy security] [--json|--scorecard]\n       codex-plugin-doctor compat <path> [--all|--client <client>] [--json] [--scorecard] [--output <path>] [--install-preview|--apply --backup]\n       codex-plugin-doctor fix <path> (--dry-run|--interactive --backup|--apply --backup)\n       codex-plugin-doctor history <history.jsonl> [--json] [--fail-on-regression]\n       codex-plugin-doctor doctor [npm <package>|contract|corpus|attest <path> [--sign-key-env NAME]|mcp <path>|inspector <path>|diff --before <path> --after <path>|recommend <path>|trust <path>|perf <path> [--max-total-ms <ms>] [--max-stage-ms stage=ms]|export --bundle <path>|snapshot|clients|--json|--update-check]\n       codex-plugin-doctor init [path] [--template skill-only|mcp-stdio|mcp-http|full-runtime]\n       codex-plugin-doctor init-ci [path]\n       codex-plugin-doctor self-test\n       codex-plugin-doctor list --installed\n       codex-plugin-doctor explain <finding-id>\n       codex-plugin-doctor --version\n\nFirst run:\n       codex-plugin-doctor doctor\n       codex-plugin-doctor self-test\n       codex-plugin-doctor init my-plugin\n       codex-plugin-doctor check . --runtime --explain");
+    io.writeStderr("Usage: codex-plugin-doctor check <path|--installed> [filter] [--policy codex-publish|mcp-strict|security] [--compat] [--json|--markdown|--badge-json|--badge-markdown] [--output <path>] [--history <path>] [--runtime] [--verbose-runtime] [--explain] [--no-animations] [--ascii]\n       codex-plugin-doctor audit --installed [filter] [--policy codex-publish|mcp-strict|security] [--security] [--compat] [--json] [--output <path>] [--cache] [--changed]\n       codex-plugin-doctor mcp <path> [--json] [--output <path>]\n       codex-plugin-doctor security <path> [--policy security] [--json|--scorecard]\n       codex-plugin-doctor compat <path> [--all|--client <client>] [--json] [--scorecard] [--output <path>] [--install-preview|--apply --backup]\n       codex-plugin-doctor fix <path> (--dry-run|--interactive --backup|--apply --backup)\n       codex-plugin-doctor history <history.jsonl> [--json] [--fail-on-regression]\n       codex-plugin-doctor doctor [npm <package>|contract|corpus|attest <path> [--sign-key-env NAME]|attest verify <attestation.json> --target <path> --sign-key-env NAME|release-evidence <path> --sign-key-env NAME [--allow-dirty] [--allow-untagged]|mcp <path>|inspector <path>|diff --before <path> --after <path>|recommend <path>|trust <path>|perf <path> [--max-total-ms <ms>] [--max-stage-ms stage=ms]|export --bundle <path>|snapshot|clients|--json|--update-check]\n       codex-plugin-doctor init [path] [--template skill-only|mcp-stdio|mcp-http|full-runtime]\n       codex-plugin-doctor init-ci [path]\n       codex-plugin-doctor self-test\n       codex-plugin-doctor list --installed\n       codex-plugin-doctor explain <finding-id>\n       codex-plugin-doctor --version\n\nFirst run:\n       codex-plugin-doctor doctor\n       codex-plugin-doctor self-test\n       codex-plugin-doctor init my-plugin\n       codex-plugin-doctor check . --runtime --explain");
 }
 const performanceStageNames = new Set([
     "validation",
@@ -339,6 +340,69 @@ export async function runCli(args, io = defaultIo, options = {}) {
             io.writeStdout(renderedReport);
             return report.exitCode;
         }
+        if (maybePath === "release-evidence") {
+            const targetPath = remainingArgs[0] && !remainingArgs[0].startsWith("--")
+                ? remainingArgs[0]
+                : ".";
+            const evidenceFlags = remainingArgs[0] && !remainingArgs[0].startsWith("--")
+                ? remainingArgs.slice(1)
+                : remainingArgs;
+            const jsonOutput = evidenceFlags.includes("--json");
+            const outputIndex = evidenceFlags.indexOf("--output");
+            const outputPath = outputIndex === -1 ? null : evidenceFlags[outputIndex + 1];
+            const signKeyIndex = evidenceFlags.indexOf("--sign-key");
+            const signKeyEnvIndex = evidenceFlags.indexOf("--sign-key-env");
+            const signKeyEnv = signKeyEnvIndex === -1 ? null : evidenceFlags[signKeyEnvIndex + 1];
+            const allowDirty = evidenceFlags.includes("--allow-dirty");
+            const allowUntagged = evidenceFlags.includes("--allow-untagged");
+            if (outputIndex !== -1 && (!outputPath || outputPath.startsWith("--"))) {
+                io.writeStderr("Missing path after --output.");
+                return 2;
+            }
+            if (signKeyIndex !== -1) {
+                io.writeStderr("Use --sign-key-env for release evidence; inline signing keys are not supported.");
+                return 2;
+            }
+            if (signKeyEnvIndex === -1) {
+                io.writeStderr("Missing signing key. Use --sign-key-env <name>.");
+                return 2;
+            }
+            if (!signKeyEnv || signKeyEnv.startsWith("--")) {
+                io.writeStderr("Missing environment variable name after --sign-key-env.");
+                return 2;
+            }
+            const signingKey = terminalContext.env[signKeyEnv];
+            if (!signingKey) {
+                io.writeStderr(`Environment variable ${signKeyEnv} is not set.`);
+                return 2;
+            }
+            const parsedThresholds = parsePerformanceThresholds(evidenceFlags);
+            if (typeof parsedThresholds === "string") {
+                io.writeStderr(parsedThresholds);
+                return 2;
+            }
+            const report = await buildDoctorReleaseEvidenceReport(targetPath, {
+                signingKey,
+                signingKeyEnv: signKeyEnv,
+                allowDirty,
+                allowUntagged,
+                environment: {
+                    env: terminalContext.env,
+                    platform: terminalContext.platform
+                },
+                runCheck: options.runCheckImpl
+                    ? (pathToCheck) => options.runCheckImpl(pathToCheck)
+                    : undefined,
+                performanceThresholds: parsedThresholds.thresholds
+            });
+            const reportJson = renderDoctorReleaseEvidenceJson(report);
+            const renderedReport = jsonOutput ? reportJson : renderDoctorReleaseEvidence(report);
+            if (outputPath) {
+                await writeFile(outputPath, reportJson, "utf8");
+            }
+            io.writeStdout(renderedReport);
+            return report.exitCode;
+        }
         if (maybePath === "corpus") {
             const jsonOutput = remainingArgs.includes("--json");
             const outputIndex = remainingArgs.indexOf("--output");
@@ -363,6 +427,60 @@ export async function runCli(args, io = defaultIo, options = {}) {
             return report.summary.status === "pass" ? 0 : 1;
         }
         if (maybePath === "attest") {
+            if (remainingArgs[0] === "verify") {
+                const artifactPath = remainingArgs[1] && !remainingArgs[1].startsWith("--")
+                    ? remainingArgs[1]
+                    : null;
+                const verifyFlags = artifactPath ? remainingArgs.slice(2) : remainingArgs.slice(1);
+                const jsonOutput = verifyFlags.includes("--json");
+                const outputIndex = verifyFlags.indexOf("--output");
+                const outputPath = outputIndex === -1 ? null : verifyFlags[outputIndex + 1];
+                const targetIndex = verifyFlags.indexOf("--target");
+                const targetPath = targetIndex === -1 ? null : verifyFlags[targetIndex + 1];
+                const signKeyIndex = verifyFlags.indexOf("--sign-key");
+                const signKeyEnvIndex = verifyFlags.indexOf("--sign-key-env");
+                const signKeyEnv = signKeyEnvIndex === -1 ? null : verifyFlags[signKeyEnvIndex + 1];
+                if (!artifactPath) {
+                    io.writeStderr("Missing attestation artifact path. Usage: codex-plugin-doctor doctor attest verify <attestation.json> --target <path> --sign-key-env <name>");
+                    return 2;
+                }
+                if (targetIndex === -1 || !targetPath || targetPath.startsWith("--")) {
+                    io.writeStderr("Missing target path after --target.");
+                    return 2;
+                }
+                if (outputIndex !== -1 && (!outputPath || outputPath.startsWith("--"))) {
+                    io.writeStderr("Missing path after --output.");
+                    return 2;
+                }
+                if (signKeyEnvIndex !== -1 && (!signKeyEnv || signKeyEnv.startsWith("--"))) {
+                    io.writeStderr("Missing environment variable name after --sign-key-env.");
+                    return 2;
+                }
+                if (signKeyIndex !== -1) {
+                    io.writeStderr("Use --sign-key-env for verification; inline verification keys are not supported.");
+                    return 2;
+                }
+                if (signKeyEnvIndex === -1) {
+                    io.writeStderr("Missing signing key. Use --sign-key-env <name> for verification.");
+                    return 2;
+                }
+                const envSigningKey = signKeyEnv ? terminalContext.env[signKeyEnv] : undefined;
+                if (signKeyEnv && !envSigningKey) {
+                    io.writeStderr(`Environment variable ${signKeyEnv} is not set.`);
+                    return 2;
+                }
+                const report = await verifyDoctorAttestation(artifactPath, targetPath, {
+                    signingKey: envSigningKey
+                });
+                const renderedReport = jsonOutput
+                    ? renderDoctorAttestationVerificationJson(report)
+                    : renderDoctorAttestationVerification(report, { outputPath });
+                if (outputPath) {
+                    await writeFile(outputPath, renderedReport, "utf8");
+                }
+                io.writeStdout(renderedReport);
+                return report.exitCode;
+            }
             const targetPath = remainingArgs[0] && !remainingArgs[0].startsWith("--")
                 ? remainingArgs[0]
                 : ".";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codex-plugin-doctor",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "CLI-first validator for Codex plugins, skills, and MCP package surfaces with runtime MCP protocol validation.",
   "type": "module",
   "main": "./dist/index.js",