gitchain-sol 0.1.0

package/README.md

@@ -0,0 +1,78 @@
+# gitchain
+
+Software provenance & lineage protocol on Solana. Fingerprint your code, register it on-chain, and verify the origin of any repository.
+
+## Install
+
+```bash
+npm install -g gitchain
+```
+
+Requires a [Solana wallet](https://docs.solana.com/cli/install-solana-cli-tools):
+
+```bash
+solana-keygen new          # generate wallet (one-time)
+solana airdrop 2 --url devnet  # fund it on devnet
+```
+
+## Usage
+
+### Initialize a project
+
+```bash
+cd your-project
+gitchain init
+```
+
+### Publish to Solana + push
+
+```bash
+gitchain publish origin main
+```
+
+This will:
+1. Fingerprint all source files (SHA-256 Merkle tree)
+2. Register/update the fingerprint on Solana devnet
+3. `git push` to your remote
+
+### Clone with provenance verification
+
+```bash
+gitchain clone https://github.com/user/repo.git
+```
+
+This will:
+1. Query Solana for any on-chain provenance record
+2. `git clone` the repository
+3. Verify the cloned code matches the on-chain fingerprint
+4. Initialize `.gitchain/` tracking in the cloned repo
+
+### Verify code against on-chain records
+
+```bash
+gitchain verify ./suspect-code
+```
+
+Compares a local directory against all registered projects on Solana and reports lineage matches.
+
+### Check status
+
+```bash
+gitchain status
+```
+
+Shows local and on-chain provenance state for the current project.
+
+## How it works
+
+GitChain creates a multi-layer fingerprint of your source code:
+
+1. **File hashes** — SHA-256 hash of each source file (with CRLF/LF normalization)
+2. **Merkle root** — Merkle tree root of all file hashes
+3. **File hashes hash** — SHA-256 of the sorted file hash map (secondary verification)
+
+These are stored in a Solana Program Derived Address (PDA) tied to your wallet and project name. Anyone cloning or verifying code can check it against the on-chain record.
+
+## License
+
+MIT

package/dist/gitchain.mjs

@@ -0,0 +1,853 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/init.ts
+import chalk from "chalk";
+import { resolve } from "node:path";
+
+// src/utils/config.ts
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { join, basename } from "node:path";
+var GITCHAIN_DIR = ".gitchain";
+var CONFIG_FILE = "config.json";
+var PROVENANCE_FILE = "provenance.json";
+function getGitChainDir(projectPath) {
+  return join(projectPath, GITCHAIN_DIR);
+}
+function isGitRepo(projectPath) {
+  return existsSync(join(projectPath, ".git"));
+}
+function isInitialized(projectPath) {
+  return existsSync(join(getGitChainDir(projectPath), CONFIG_FILE));
+}
+function readConfig(projectPath) {
+  const configPath = join(getGitChainDir(projectPath), CONFIG_FILE);
+  return JSON.parse(readFileSync(configPath, "utf-8"));
+}
+function writeConfig(projectPath, config) {
+  const dir = getGitChainDir(projectPath);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, CONFIG_FILE), JSON.stringify(config, null, 2) + "\n");
+}
+function readProvenance(projectPath) {
+  const provPath = join(getGitChainDir(projectPath), PROVENANCE_FILE);
+  if (!existsSync(provPath)) return { published: false };
+  return JSON.parse(readFileSync(provPath, "utf-8"));
+}
+function writeProvenance(projectPath, state) {
+  const provPath = join(getGitChainDir(projectPath), PROVENANCE_FILE);
+  writeFileSync(provPath, JSON.stringify(state, null, 2) + "\n");
+}
+function getProjectName(projectPath) {
+  try {
+    const gitConfigPath = join(projectPath, ".git", "config");
+    const gitConfig = readFileSync(gitConfigPath, "utf-8");
+    const match = gitConfig.match(/url\s*=\s*.*[/:]([^/]+?)(?:\.git)?\s*$/m);
+    if (match) return match[1];
+  } catch {
+  }
+  return basename(projectPath);
+}
+function ensureGitignore(projectPath) {
+  const gitignorePath = join(projectPath, ".gitignore");
+  if (existsSync(gitignorePath)) {
+    const content = readFileSync(gitignorePath, "utf-8");
+    if (!content.includes(".gitchain/")) {
+      writeFileSync(gitignorePath, content.trimEnd() + "\n.gitchain/\n");
+    }
+  } else {
+    writeFileSync(gitignorePath, ".gitchain/\n");
+  }
+}
+
+// src/commands/init.ts
+var DEFAULT_WALLET_PATH = process.platform === "win32" ? `${process.env.USERPROFILE}\\.config\\solana\\id.json` : `${process.env.HOME}/.config/solana/id.json`;
+var DEFAULT_RPC_URL = "https://api.devnet.solana.com";
+var DEFAULT_PROGRAM_ID = "5bHSYFLoEtoxQnqi6vuDvjFGbcuwnLJbi6wJbHmHW8R4";
+async function initCommand(options) {
+  const projectPath = resolve(options.path || ".");
+  if (!isGitRepo(projectPath)) {
+    console.error(chalk.red("Error: Not a Git repository."));
+    console.error(chalk.gray("Run 'git init' first, or navigate to a Git repo."));
+    process.exit(1);
+  }
+  if (isInitialized(projectPath)) {
+    console.log(chalk.yellow("Already initialized."));
+    console.log(chalk.gray("Run 'gitchain status' to see current state."));
+    return;
+  }
+  const projectName = getProjectName(projectPath);
+  const config = {
+    projectName,
+    walletPath: DEFAULT_WALLET_PATH,
+    rpcUrl: DEFAULT_RPC_URL,
+    programId: DEFAULT_PROGRAM_ID
+  };
+  writeConfig(projectPath, config);
+  writeProvenance(projectPath, { published: false });
+  ensureGitignore(projectPath);
+  console.log(chalk.green(`
+GitChain initialized for "${projectName}"
+`));
+  console.log(chalk.gray("  Config:     .gitchain/config.json"));
+  console.log(chalk.gray("  Provenance: .gitchain/provenance.json"));
+  console.log(chalk.gray(`  Wallet:     ${config.walletPath}`));
+  console.log(chalk.gray(`  RPC:        ${config.rpcUrl}`));
+  console.log(chalk.gray("\nNext: run 'gitchain publish' to register on Solana."));
+}
+
+// src/commands/publish.ts
+import chalk2 from "chalk";
+import { resolve as resolve2 } from "node:path";
+import { existsSync as existsSync2 } from "node:fs";
+import { createHash as createHash3 } from "node:crypto";
+import { execSync } from "node:child_process";
+import { SystemProgram } from "@solana/web3.js";
+
+// ../fingerprint/dist/hash.js
+import { createHash } from "node:crypto";
+import { readFile, readdir } from "node:fs/promises";
+import { join as join2, relative } from "node:path";
+var EXCLUDED_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  "node_modules",
+  ".gitchain",
+  "target",
+  ".anchor",
+  "dist",
+  "test-ledger",
+  ".next"
+]);
+var EXCLUDED_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".mp3",
+  ".mp4",
+  ".mov",
+  ".zip",
+  ".tar",
+  ".gz"
+]);
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ...EXCLUDED_EXTENSIONS,
+  ".wasm",
+  ".so",
+  ".dll",
+  ".exe",
+  ".bin",
+  ".dat"
+]);
+async function hashFile(filePath) {
+  const content = await readFile(filePath);
+  const ext = filePath.substring(filePath.lastIndexOf(".")).toLowerCase();
+  if (!BINARY_EXTENSIONS.has(ext)) {
+    let normalized = content.toString("utf-8").replace(/\r\n/g, "\n");
+    if (filePath.endsWith(".gitignore")) {
+      normalized = normalized.split("\n").filter((line) => line.trim() !== ".gitchain/").join("\n").trimEnd() + "\n";
+    }
+    return createHash("sha256").update(normalized).digest("hex");
+  }
+  return createHash("sha256").update(content).digest("hex");
+}
+async function hashDirectory(dirPath) {
+  const fileHashes = {};
+  await walkDir(dirPath, dirPath, fileHashes);
+  const contentHashes = Object.values(fileHashes).sort();
+  return {
+    fileHashes,
+    contentHashes,
+    fileCount: Object.keys(fileHashes).length
+  };
+}
+async function walkDir(basePath, currentPath, result) {
+  const entries = await readdir(currentPath, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join2(currentPath, entry.name);
+    if (entry.isDirectory()) {
+      if (!EXCLUDED_DIRS.has(entry.name)) {
+        await walkDir(basePath, fullPath, result);
+      }
+      continue;
+    }
+    if (entry.isFile()) {
+      const ext = entry.name.substring(entry.name.lastIndexOf(".")).toLowerCase();
+      if (EXCLUDED_EXTENSIONS.has(ext))
+        continue;
+      const relativePath = relative(basePath, fullPath).split("\\").join("/");
+      const hash = await hashFile(fullPath);
+      result[relativePath] = hash;
+    }
+  }
+}
+
+// ../fingerprint/dist/merkle.js
+import { createHash as createHash2 } from "node:crypto";
+function sha256(data) {
+  return createHash2("sha256").update(data).digest("hex");
+}
+function buildMerkleTree(leaves) {
+  if (leaves.length === 0) {
+    return { root: sha256(""), leaves: [], depth: 0 };
+  }
+  const sortedLeaves = [...leaves].sort();
+  let currentLevel = sortedLeaves.map((l) => sha256(l));
+  let depth = 0;
+  while (currentLevel.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < currentLevel.length; i += 2) {
+      const left = currentLevel[i];
+      const right = i + 1 < currentLevel.length ? currentLevel[i + 1] : currentLevel[i];
+      nextLevel.push(sha256(left + right));
+    }
+    currentLevel = nextLevel;
+    depth++;
+  }
+  return {
+    root: currentLevel[0],
+    leaves: sortedLeaves,
+    depth
+  };
+}
+function computeMerkleRoot(contentHashes) {
+  return buildMerkleTree(contentHashes).root;
+}
+
+// ../fingerprint/dist/compare.js
+function classifyOverlap(overlapPercent) {
+  if (overlapPercent >= 90)
+    return "Disputed Origin";
+  if (overlapPercent >= 60)
+    return "High Derivation Likelihood";
+  if (overlapPercent >= 30)
+    return "Possible Derivation";
+  return "No significant similarity";
+}
+function compareFingerprints(source, suspect) {
+  const merkleMatch = source.merkleRoot === suspect.merkleRoot;
+  const sourceContentSet = new Set(source.contentHashes);
+  const suspectContentSet = new Set(suspect.contentHashes);
+  let matchedFiles = 0;
+  for (const hash of suspectContentSet) {
+    if (sourceContentSet.has(hash)) {
+      matchedFiles++;
+    }
+  }
+  const denominator = Math.min(source.fileCount, suspect.fileCount);
+  const fileOverlapPercent = denominator === 0 ? 0 : matchedFiles / denominator * 100;
+  const confidence = merkleMatch ? 100 : Math.min(fileOverlapPercent * 1.05, 99);
+  const status = classifyOverlap(fileOverlapPercent);
+  return {
+    merkleMatch,
+    fileOverlapPercent,
+    matchedFiles,
+    totalFilesCompared: denominator,
+    confidence: Math.round(confidence),
+    status
+  };
+}
+
+// ../fingerprint/dist/index.js
+async function fingerprintDirectory(dirPath) {
+  const dirResult = await hashDirectory(dirPath);
+  const merkleRoot = computeMerkleRoot(dirResult.contentHashes);
+  return {
+    merkleRoot,
+    fileHashes: dirResult.fileHashes,
+    contentHashes: dirResult.contentHashes,
+    fileCount: dirResult.fileCount
+  };
+}
+
+// src/utils/solana.ts
+import {
+  Connection,
+  PublicKey,
+  Keypair
+} from "@solana/web3.js";
+import { AnchorProvider, Program, Wallet, setProvider } from "@coral-xyz/anchor";
+import { readFileSync as readFileSync2 } from "node:fs";
+var PROGRAM_ID_STRING = "5bHSYFLoEtoxQnqi6vuDvjFGbcuwnLJbi6wJbHmHW8R4";
+var IDL = {
+  address: PROGRAM_ID_STRING,
+  metadata: { name: "gitchain", version: "0.1.0", spec: "0.1.0" },
+  instructions: [
+    {
+      name: "register_project",
+      discriminator: [130, 150, 121, 216, 183, 225, 243, 192],
+      accounts: [
+        { name: "project_record", writable: true },
+        { name: "creator", writable: true, signer: true },
+        { name: "system_program", address: "11111111111111111111111111111111" }
+      ],
+      args: [
+        { name: "name", type: "string" },
+        { name: "merkle_root", type: { array: ["u8", 32] } },
+        { name: "file_hashes_hash", type: { array: ["u8", 32] } },
+        { name: "file_count", type: "u16" },
+        { name: "repo_url", type: "string" }
+      ]
+    },
+    {
+      name: "update_fingerprint",
+      discriminator: [160, 228, 44, 176, 237, 68, 236, 123],
+      accounts: [
+        { name: "project_record", writable: true },
+        { name: "creator", signer: true }
+      ],
+      args: [
+        { name: "merkle_root", type: { array: ["u8", 32] } },
+        { name: "file_hashes_hash", type: { array: ["u8", 32] } },
+        { name: "file_count", type: "u16" }
+      ]
+    },
+    {
+      name: "update_status",
+      discriminator: [147, 215, 74, 174, 55, 191, 42, 0],
+      accounts: [
+        { name: "project_record", writable: true },
+        { name: "creator", signer: true }
+      ],
+      args: [
+        { name: "new_status", type: "u8" },
+        { name: "parent", type: "pubkey" },
+        { name: "origin", type: "pubkey" }
+      ]
+    }
+  ],
+  accounts: [
+    {
+      name: "ProjectRecord",
+      discriminator: [93, 174, 112, 203, 231, 123, 92, 56]
+    }
+  ],
+  types: [
+    {
+      name: "ProjectRecord",
+      type: {
+        kind: "struct",
+        fields: [
+          { name: "creator", type: "pubkey" },
+          { name: "project_name", type: "string" },
+          { name: "merkle_root", type: { array: ["u8", 32] } },
+          { name: "file_hashes_hash", type: { array: ["u8", 32] } },
+          { name: "file_count", type: "u16" },
+          { name: "status", type: "u8" },
+          { name: "parent_project", type: "pubkey" },
+          { name: "origin_project", type: "pubkey" },
+          { name: "registered_at", type: "i64" },
+          { name: "repo_url", type: "string" },
+          { name: "bump", type: "u8" }
+        ]
+      }
+    }
+  ]
+};
+function loadKeypair(walletPath) {
+  const raw = readFileSync2(walletPath, "utf-8");
+  const secretKey = Uint8Array.from(JSON.parse(raw));
+  return Keypair.fromSecretKey(secretKey);
+}
+function getConnection(rpcUrl) {
+  return new Connection(rpcUrl, "confirmed");
+}
+function getProgramId() {
+  return new PublicKey(PROGRAM_ID_STRING);
+}
+function deriveProjectPda(creatorPubkey, projectName) {
+  return PublicKey.findProgramAddressSync(
+    [
+      Buffer.from("project"),
+      creatorPubkey.toBuffer(),
+      Buffer.from(projectName)
+    ],
+    getProgramId()
+  );
+}
+function getProgram(connection, keypair) {
+  const wallet = new Wallet(keypair);
+  const provider = new AnchorProvider(connection, wallet, {
+    commitment: "confirmed"
+  });
+  setProvider(provider);
+  return new Program(IDL, provider);
+}
+function hexToBytes32(hex) {
+  const buf = Buffer.from(hex, "hex");
+  return Array.from(buf.subarray(0, 32));
+}
+async function fetchAllProjectsViaProgram(program2) {
+  return await program2.account.projectRecord.all();
+}
+var STATUS_LABELS = {
+  0: "Registered",
+  1: "Verified Original",
+  2: "Verified Derivative",
+  3: "Disputed Origin",
+  4: "Provenance Stripped"
+};
+
+// src/commands/publish.ts
+async function publishCommand(remote, branch, options) {
+  const projectPath = resolve2(options.path || ".");
+  if (!isInitialized(projectPath)) {
+    console.error(chalk2.red("Error: Not initialized. Run 'gitchain init' first."));
+    process.exit(1);
+  }
+  const config = readConfig(projectPath);
+  if (!existsSync2(config.walletPath)) {
+    console.error(chalk2.red(`Error: Wallet not found at ${config.walletPath}`));
+    console.error(chalk2.gray("Generate one with: solana-keygen new"));
+    process.exit(1);
+  }
+  console.log(chalk2.gray("Fingerprinting project..."));
+  const fingerprint = await fingerprintDirectory(projectPath);
+  console.log(chalk2.gray(`  Files scanned: ${fingerprint.fileCount}`));
+  console.log(chalk2.gray(`  Merkle root:   ${fingerprint.merkleRoot.substring(0, 16)}...`));
+  const provenance = readProvenance(projectPath);
+  const codeChanged = provenance.merkleRoot !== fingerprint.merkleRoot;
+  if (!codeChanged && provenance.published) {
+    console.log(chalk2.yellow("\nNo code changes since last publish. Skipping Solana registration."));
+    console.log(chalk2.gray(`Pushing to ${remote}/${branch}...
+`));
+    try {
+      execSync(`git push ${remote} ${branch}`, {
+        cwd: projectPath,
+        stdio: "inherit"
+      });
+      console.log(chalk2.green(`
+Pushed to ${remote}/${branch}.`));
+    } catch {
+      console.error(chalk2.red(`
+git push failed. Resolve the issue and retry.`));
+      process.exit(1);
+    }
+    return;
+  }
+  const fileHashesJson = JSON.stringify(
+    Object.fromEntries(
+      Object.entries(fingerprint.fileHashes).sort(([a], [b]) => a.localeCompare(b))
+    )
+  );
+  const fileHashesHash = createHash3("sha256").update(fileHashesJson).digest("hex");
+  console.log(chalk2.gray("\nConnecting to Solana..."));
+  const keypair = loadKeypair(config.walletPath);
+  const connection = getConnection(config.rpcUrl);
+  const program2 = getProgram(connection, keypair);
+  const [pda] = deriveProjectPda(keypair.publicKey, config.projectName);
+  console.log(chalk2.gray(`  Wallet:  ${keypair.publicKey.toString()}`));
+  console.log(chalk2.gray(`  PDA:     ${pda.toString()}`));
+  let alreadyRegistered = false;
+  try {
+    const existing = await program2.account.projectRecord.fetch(pda);
+    if (existing) alreadyRegistered = true;
+  } catch {
+  }
+  let txSignature = provenance.txSignature || "";
+  if (!alreadyRegistered) {
+    console.log(chalk2.gray("\nRegistering on Solana..."));
+    try {
+      txSignature = await program2.methods.registerProject(
+        config.projectName,
+        hexToBytes32(fingerprint.merkleRoot),
+        hexToBytes32(fileHashesHash),
+        fingerprint.fileCount,
+        getRepoUrl(projectPath)
+      ).accounts({
+        projectRecord: pda,
+        creator: keypair.publicKey,
+        systemProgram: SystemProgram.programId
+      }).rpc();
+      console.log(chalk2.green("  Solana registration successful."));
+    } catch (err) {
+      console.error(chalk2.red(`
+Solana transaction failed: ${err.message}`));
+      console.error(chalk2.red("Aborting push. Fix the issue and retry."));
+      process.exit(1);
+    }
+  } else {
+    console.log(chalk2.gray("\nUpdating fingerprint on Solana..."));
+    try {
+      txSignature = await program2.methods.updateFingerprint(
+        hexToBytes32(fingerprint.merkleRoot),
+        hexToBytes32(fileHashesHash),
+        fingerprint.fileCount
+      ).accounts({
+        projectRecord: pda,
+        creator: keypair.publicKey
+      }).rpc();
+      console.log(chalk2.green("  Fingerprint updated on Solana."));
+    } catch (err) {
+      console.error(chalk2.red(`
+Solana update failed: ${err.message}`));
+      console.error(chalk2.red("Aborting push. Fix the issue and retry."));
+      process.exit(1);
+    }
+  }
+  console.log(chalk2.gray(`
+Pushing to ${remote}/${branch}...`));
+  try {
+    execSync(`git push ${remote} ${branch}`, {
+      cwd: projectPath,
+      stdio: "inherit"
+    });
+  } catch {
+    console.error(chalk2.red(`
+git push failed. Your code IS registered on Solana.`));
+    console.error(chalk2.gray("Resolve the git issue and run: git push " + remote + " " + branch));
+    process.exit(1);
+  }
+  writeProvenance(projectPath, {
+    published: true,
+    merkleRoot: fingerprint.merkleRoot,
+    fileHashesHash,
+    fileCount: fingerprint.fileCount,
+    txSignature,
+    pdaAddress: pda.toString(),
+    publishedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  console.log(chalk2.green("\nPublished & pushed!\n"));
+  console.log(`  ${chalk2.bold("Merkle Root:")} ${fingerprint.merkleRoot}`);
+  console.log(`  ${chalk2.bold("Files:")}       ${fingerprint.fileCount}`);
+  console.log(`  ${chalk2.bold("Solana TX:")}   ${txSignature}`);
+  console.log(`  ${chalk2.bold("Pushed to:")}   ${remote}/${branch}`);
+  console.log(
+    chalk2.gray(`
+  Explorer: https://explorer.solana.com/tx/${txSignature}?cluster=devnet`)
+  );
+}
+function getRepoUrl(projectPath) {
+  try {
+    return execSync("git remote get-url origin", { cwd: projectPath, encoding: "utf-8" }).trim();
+  } catch {
+    return "";
+  }
+}
+
+// src/commands/clone.ts
+import chalk3 from "chalk";
+import { resolve as resolve3, basename as basename2 } from "node:path";
+import { existsSync as existsSync3 } from "node:fs";
+import { execSync as execSync2 } from "node:child_process";
+import { createHash as createHash4 } from "node:crypto";
+var DEFAULT_WALLET_PATH2 = process.platform === "win32" ? `${process.env.USERPROFILE}\\.config\\solana\\id.json` : `${process.env.HOME}/.config/solana/id.json`;
+var DEFAULT_RPC_URL2 = "https://api.devnet.solana.com";
+var DEFAULT_PROGRAM_ID2 = "5bHSYFLoEtoxQnqi6vuDvjFGbcuwnLJbi6wJbHmHW8R4";
+async function cloneCommand(url, options) {
+  const repoName = extractRepoName(url);
+  const targetDir = resolve3(options.directory || repoName);
+  console.log(chalk3.bold(`
+GitChain Clone: ${repoName}
+`));
+  console.log(chalk3.gray("Checking on-chain provenance..."));
+  let onChainRecord = null;
+  try {
+    if (existsSync3(DEFAULT_WALLET_PATH2)) {
+      const keypair = loadKeypair(DEFAULT_WALLET_PATH2);
+      const connection = getConnection(DEFAULT_RPC_URL2);
+      const program2 = getProgram(connection, keypair);
+      const allProjects = await fetchAllProjectsViaProgram(program2);
+      for (const item of allProjects) {
+        const account = item.account;
+        const accountRepoUrl = (account.repoUrl || "").replace(/\.git$/, "").toLowerCase();
+        const searchUrl = url.replace(/\.git$/, "").toLowerCase();
+        if (accountRepoUrl && (accountRepoUrl === searchUrl || accountRepoUrl.includes(repoName.toLowerCase()))) {
+          const registeredAt = account.registeredAt.toNumber ? account.registeredAt.toNumber() : Number(account.registeredAt);
+          onChainRecord = {
+            projectName: account.projectName,
+            creator: account.creator.toString(),
+            registeredAt,
+            status: account.status,
+            merkleRoot: Buffer.from(account.merkleRoot).toString("hex"),
+            fileCount: account.fileCount,
+            repoUrl: account.repoUrl,
+            fileHashesHash: Buffer.from(account.fileHashesHash).toString("hex")
+          };
+          break;
+        }
+      }
+    }
+  } catch (err) {
+    console.log(chalk3.gray(`  Could not query Solana: ${err.message}`));
+  }
+  if (onChainRecord) {
+    const statusLabel = STATUS_LABELS[onChainRecord.status] || "Unknown";
+    console.log(chalk3.green("\n  On-chain provenance found:\n"));
+    console.log(`    ${chalk3.bold("Project:")}    ${onChainRecord.projectName}`);
+    console.log(`    ${chalk3.bold("Creator:")}    ${onChainRecord.creator.substring(0, 8)}...${onChainRecord.creator.substring(onChainRecord.creator.length - 4)}`);
+    console.log(`    ${chalk3.bold("Registered:")} ${new Date(onChainRecord.registeredAt * 1e3).toISOString().substring(0, 10)}`);
+    console.log(`    ${chalk3.bold("Status:")}     ${statusLabel}`);
+    console.log(`    ${chalk3.bold("Files:")}      ${onChainRecord.fileCount}`);
+    console.log(`    ${chalk3.bold("Merkle Root:")} ${onChainRecord.merkleRoot.substring(0, 16)}...`);
+  } else {
+    console.log(chalk3.yellow("\n  Warning: No provenance record found for this repository."));
+    console.log(chalk3.yellow("  Origin is unverified.\n"));
+  }
+  console.log(chalk3.gray(`
+Cloning ${url}...`));
+  const cloneArgs = options.directory ? `${url} ${options.directory}` : url;
+  try {
+    execSync2(`git clone ${cloneArgs}`, { stdio: "inherit" });
+  } catch {
+    console.error(chalk3.red("\ngit clone failed."));
+    process.exit(1);
+  }
+  if (onChainRecord) {
+    console.log(chalk3.gray("\nVerifying cloned code against on-chain fingerprint..."));
+    const clonedFp = await fingerprintDirectory(targetDir);
+    if (clonedFp.merkleRoot === onChainRecord.merkleRoot) {
+      console.log(chalk3.green("\n  Verified: code matches on-chain fingerprint."));
+    } else {
+      const fileHashesJson = JSON.stringify(
+        Object.fromEntries(
+          Object.entries(clonedFp.fileHashes).sort(([a], [b]) => a.localeCompare(b))
+        )
+      );
+      const clonedHashesHash = createHash4("sha256").update(fileHashesJson).digest("hex");
+      if (clonedHashesHash === onChainRecord.fileHashesHash) {
+        console.log(chalk3.green("\n  Verified: file content matches on-chain commitment."));
+      } else {
+        console.log(chalk3.yellow("\n  Warning: code does NOT match registered fingerprint."));
+        console.log(chalk3.yellow("  The repository may have been modified since registration."));
+        console.log(chalk3.gray("  Run 'gitchain verify' for detailed analysis."));
+      }
+    }
+  }
+  console.log(chalk3.gray("\nInitializing GitChain in cloned repository..."));
+  const cloneConfig = {
+    projectName: onChainRecord?.projectName || repoName,
+    walletPath: DEFAULT_WALLET_PATH2,
+    rpcUrl: DEFAULT_RPC_URL2,
+    programId: DEFAULT_PROGRAM_ID2
+  };
+  writeConfig(targetDir, cloneConfig);
+  writeProvenance(targetDir, {
+    published: onChainRecord ? true : false,
+    merkleRoot: onChainRecord?.merkleRoot,
+    fileCount: onChainRecord?.fileCount,
+    publishedAt: onChainRecord ? new Date(onChainRecord.registeredAt * 1e3).toISOString() : void 0
+  });
+  ensureGitignore(targetDir);
+  console.log(chalk3.green(`
+Done! Repository cloned to ${targetDir}`));
+  if (onChainRecord) {
+    console.log(chalk3.gray("  GitChain provenance data imported from Solana."));
+  } else {
+    console.log(chalk3.gray("  GitChain initialized (no provenance data available)."));
+  }
+  console.log();
+}
+function extractRepoName(url) {
+  const match = url.match(/[/:]([^/]+?)(?:\.git)?$/);
+  return match ? match[1] : basename2(url).replace(/\.git$/, "");
+}
+
+// src/commands/verify.ts
+import chalk4 from "chalk";
+import { resolve as resolve4 } from "node:path";
+import { existsSync as existsSync4 } from "node:fs";
+import { createHash as createHash5 } from "node:crypto";
+async function verifyCommand(targetPath, options) {
+  const resolvedTarget = resolve4(targetPath);
+  if (!existsSync4(resolvedTarget)) {
+    console.error(chalk4.red(`Error: Path not found: ${resolvedTarget}`));
+    process.exit(1);
+  }
+  const configPath = resolve4(options.path || ".");
+  let rpcUrl = "https://api.devnet.solana.com";
+  let walletPath = process.platform === "win32" ? `${process.env.USERPROFILE}\\.config\\solana\\id.json` : `${process.env.HOME}/.config/solana/id.json`;
+  let programId = "";
+  if (isInitialized(configPath)) {
+    const config = readConfig(configPath);
+    rpcUrl = config.rpcUrl;
+    walletPath = config.walletPath;
+    programId = config.programId;
+  }
+  console.log(chalk4.gray("Fingerprinting target code..."));
+  const suspectFingerprint = await fingerprintDirectory(resolvedTarget);
+  console.log(chalk4.gray(`  Files: ${suspectFingerprint.fileCount}`));
+  console.log(chalk4.gray(`  Merkle root: ${suspectFingerprint.merkleRoot.substring(0, 16)}...`));
+  console.log(chalk4.gray("\nFetching on-chain lineage records..."));
+  const keypair = loadKeypair(walletPath);
+  const connection = getConnection(rpcUrl);
+  const program2 = getProgram(connection, keypair);
+  let allProjects = [];
+  try {
+    allProjects = await fetchAllProjectsViaProgram(program2);
+  } catch (err) {
+    console.error(chalk4.red(`Failed to fetch on-chain records: ${err.message}`));
+    process.exit(1);
+  }
+  if (allProjects.length === 0) {
+    console.log(chalk4.yellow("\nNo projects registered on-chain yet."));
+    console.log(chalk4.gray("Register a project first with 'gitchain publish'."));
+    return;
+  }
+  console.log(chalk4.gray(`  Found ${allProjects.length} registered project(s)
+`));
+  let bestMatch = null;
+  for (const item of allProjects) {
+    const pubkey = item.publicKey ?? item.pubkey;
+    const account = item.account;
+    const onChainMerkle = Buffer.from(account.merkleRoot).toString("hex");
+    const merkleMatch = onChainMerkle === suspectFingerprint.merkleRoot;
+    let fileOverlapPercent = 0;
+    let confidence = 0;
+    if (merkleMatch) {
+      fileOverlapPercent = 100;
+      confidence = 100;
+    } else {
+      const suspectHashesHash = computeFileHashesHash(suspectFingerprint);
+      const onChainHashesHash = Buffer.from(account.fileHashesHash).toString("hex");
+      if (suspectHashesHash === onChainHashesHash) {
+        fileOverlapPercent = 100;
+        confidence = 99;
+      }
+    }
+    const overlapForRanking = merkleMatch ? 100 : fileOverlapPercent;
+    if (!bestMatch || overlapForRanking > bestMatch.fileOverlapPercent) {
+      bestMatch = {
+        projectName: account.projectName,
+        creator: account.creator.toString(),
+        registeredAt: account.registeredAt.toNumber ? account.registeredAt.toNumber() : Number(account.registeredAt),
+        merkleMatch,
+        fileOverlapPercent: overlapForRanking,
+        confidence: merkleMatch ? 100 : confidence,
+        status: merkleMatch ? "Disputed Origin" : fileOverlapPercent >= 90 ? "Disputed Origin" : "Checking...",
+        repoUrl: account.repoUrl || "",
+        pda: pubkey.toString()
+      };
+    }
+  }
+  if (bestMatch && bestMatch.fileOverlapPercent === 0) {
+    console.log(chalk4.gray("  No Merkle or commitment match. Trying local comparison...\n"));
+    if (isInitialized(configPath)) {
+      const localFp = await fingerprintDirectory(configPath);
+      const comparison = compareFingerprints(localFp, suspectFingerprint);
+      if (comparison.fileOverlapPercent > (bestMatch?.fileOverlapPercent || 0)) {
+        const config = readConfig(configPath);
+        bestMatch = {
+          projectName: config.projectName,
+          creator: keypair.publicKey.toString(),
+          registeredAt: Date.now() / 1e3,
+          merkleMatch: comparison.merkleMatch,
+          fileOverlapPercent: comparison.fileOverlapPercent,
+          confidence: comparison.confidence,
+          status: comparison.status,
+          repoUrl: "",
+          pda: bestMatch?.pda || "local"
+        };
+      }
+    }
+  }
+  console.log(chalk4.bold("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(chalk4.bold("\u2551     Lineage Analysis Result          \u2551"));
+  console.log(chalk4.bold("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D\n"));
+  if (!bestMatch || bestMatch.fileOverlapPercent === 0) {
+    console.log(chalk4.green("  Status: No known lineage match found."));
+    console.log(chalk4.gray("  This code does not match any registered project."));
+    return;
+  }
+  console.log(`  ${chalk4.bold("Closest Known Origin:")} ${bestMatch.projectName}`);
+  console.log(`  ${chalk4.bold("Creator:")}              ${bestMatch.creator.substring(0, 8)}...${bestMatch.creator.substring(bestMatch.creator.length - 4)}`);
+  console.log(`  ${chalk4.bold("Registered:")}           ${new Date(bestMatch.registeredAt * 1e3).toISOString().substring(0, 10)}`);
+  if (bestMatch.repoUrl) {
+    console.log(`  ${chalk4.bold("Repo:")}                 ${bestMatch.repoUrl}`);
+  }
+  console.log(chalk4.bold("\n  Signals:"));
+  console.log(`    Exact File Overlap:   ${formatPercent(bestMatch.fileOverlapPercent)}`);
+  console.log(`    Merkle Root Match:    ${bestMatch.merkleMatch ? chalk4.red("Yes (exact copy)") : "No"}`);
+  console.log(chalk4.bold("\n  Conclusion:"));
+  const statusColor = bestMatch.fileOverlapPercent >= 60 ? chalk4.red : chalk4.yellow;
+  console.log(`    ${chalk4.bold("Status:")}     ${statusColor(bestMatch.status)}`);
+  console.log(`    ${chalk4.bold("Confidence:")} ${bestMatch.confidence}%
+`);
+}
+function formatPercent(value) {
+  const formatted = `${value.toFixed(1)}%`;
+  if (value >= 90) return chalk4.red(formatted);
+  if (value >= 60) return chalk4.yellow(formatted);
+  if (value >= 30) return chalk4.cyan(formatted);
+  return chalk4.green(formatted);
+}
+function computeFileHashesHash(fp) {
+  const sorted = JSON.stringify(
+    Object.fromEntries(
+      Object.entries(fp.fileHashes).sort(([a], [b]) => a.localeCompare(b))
+    )
+  );
+  return createHash5("sha256").update(sorted).digest("hex");
+}
+
+// src/commands/status.ts
+import chalk5 from "chalk";
+import { resolve as resolve5 } from "node:path";
+import { existsSync as existsSync5 } from "node:fs";
+async function statusCommand(options) {
+  const projectPath = resolve5(options.path || ".");
+  if (!isInitialized(projectPath)) {
+    console.error(chalk5.red("Error: Not initialized. Run 'gitchain init' first."));
+    process.exit(1);
+  }
+  const config = readConfig(projectPath);
+  const provenance = readProvenance(projectPath);
+  console.log(chalk5.bold(`
+GitChain Status: ${config.projectName}
+`));
+  if (!provenance.published) {
+    console.log(chalk5.yellow("  Not published."));
+    console.log(chalk5.gray("  Run 'gitchain publish' to register on Solana.\n"));
+    return;
+  }
+  console.log(chalk5.gray("  Local State:"));
+  console.log(`    Merkle Root:  ${provenance.merkleRoot?.substring(0, 32)}...`);
+  console.log(`    Files:        ${provenance.fileCount}`);
+  console.log(`    Published:    ${provenance.publishedAt}`);
+  console.log(`    PDA:          ${provenance.pdaAddress}`);
+  console.log(`    TX:           ${provenance.txSignature}`);
+  if (existsSync5(config.walletPath)) {
+    console.log(chalk5.gray("\n  On-Chain State:"));
+    try {
+      const keypair = loadKeypair(config.walletPath);
+      const connection = getConnection(config.rpcUrl);
+      const program2 = getProgram(connection, keypair);
+      const [pda] = deriveProjectPda(keypair.publicKey, config.projectName);
+      const account = await program2.account.projectRecord.fetch(pda);
+      const statusLabel = STATUS_LABELS[account.status] || `Unknown (${account.status})`;
+      const registeredAt = account.registeredAt.toNumber ? account.registeredAt.toNumber() : Number(account.registeredAt);
+      console.log(`    Creator:      ${account.creator.toString()}`);
+      console.log(`    Status:       ${statusLabel}`);
+      console.log(`    Registered:   ${new Date(registeredAt * 1e3).toISOString()}`);
+      console.log(`    Merkle Root:  ${Buffer.from(account.merkleRoot).toString("hex").substring(0, 32)}...`);
+      console.log(`    Files:        ${account.fileCount}`);
+      if (account.repoUrl) {
+        console.log(`    Repo:         ${account.repoUrl}`);
+      }
+      console.log(
+        chalk5.gray(`
+  Explorer: https://explorer.solana.com/address/${pda.toString()}?cluster=devnet`)
+      );
+    } catch (err) {
+      console.log(chalk5.yellow(`    Could not fetch on-chain data: ${err.message}`));
+    }
+  }
+  console.log();
+}
+
+// src/index.ts
+var program = new Command();
+program.name("gitchain").description("Software provenance & lineage protocol on Solana").version("0.1.0");
+program.command("init").description("Initialize GitChain tracking for this repository").option("-p, --path <path>", "Path to Git repository", ".").action(initCommand);
+program.command("publish <remote> <branch>").description("Fingerprint, register on Solana, then push to remote").option("-p, --path <path>", "Path to Git repository", ".").action(publishCommand);
+program.command("clone <url>").description("Check on-chain provenance, then clone repository").option("-d, --directory <dir>", "Target directory for clone").action(cloneCommand);
+program.command("verify <target-path>").description("Verify code against on-chain lineage records").option("-p, --path <path>", "Path to initialized GitChain project for config", ".").action(verifyCommand);
+program.command("status").description("Show GitChain provenance status").option("-p, --path <path>", "Path to GitChain project", ".").action(statusCommand);
+program.parse();

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "gitchain-sol",
+  "version": "0.1.0",
+  "description": "Software provenance & lineage protocol on Solana — fingerprint, register, and verify code on-chain",
+  "type": "module",
+  "bin": {
+    "gitchain": "dist/gitchain.mjs"
+  },
+  "files": [
+    "dist/gitchain.mjs",
+    "README.md"
+  ],
+  "scripts": {
+    "dev": "tsx src/index.ts",
+    "build": "tsc && node build.mjs",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "solana",
+    "provenance",
+    "git",
+    "blockchain",
+    "fingerprint",
+    "lineage",
+    "cli"
+  ],
+  "author": "ayushsaklani",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ayushsaklani/gitchain"
+  },
+  "dependencies": {
+    "@coral-xyz/anchor": "^0.32.1",
+    "@solana/web3.js": "^1.98.4",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.3"
+  },
+  "devDependencies": {
+    "@gitchain/fingerprint": "*",
+    "@types/node": "^25.5.0",
+    "esbuild": "^0.27.5"
+  }
+}