npm - provenance-cli - Versions diffs - 0.1.0 → 0.1.1 - Mend

provenance-cli 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,272 @@
+#!/usr/bin/env node
+/**
+ * provenance-cli — Provenance Protocol identity CLI
+ *
+ * Usage:
+ *   provenance keygen
+ *   provenance register --id <id> --url <url> [options]
+ *   provenance status <id>
+ *   provenance validate [file]
+ *   provenance revoke --id <id> [--private-key <key>]
+ */
+import { createPrivateKey, createPublicKey, generateKeyPairSync, sign as nodeSign } from 'crypto';
+import { readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+const API     = process.env.PROVENANCE_API_URL || 'https://provenance-web-mu.vercel.app';
+const VERSION = '0.1.1';
+// ── Colours ───────────────────────────────────────────────────────────────────
+const c = {
+  reset: '\x1b[0m', dim: '\x1b[2m', bold: '\x1b[1m',
+  green: '\x1b[32m', amber: '\x1b[33m', red: '\x1b[31m', white: '\x1b[97m',
+};
+const ok  = s => `${c.green}✓${c.reset} ${s}`;
+const err = s => `${c.red}✗${c.reset} ${s}`;
+const dim = s => `${c.dim}${s}${c.reset}`;
+const hi  = s => `${c.white}${c.bold}${s}${c.reset}`;
+const amb = s => `${c.amber}${s}${c.reset}`;
+// ── Arg parsing ───────────────────────────────────────────────────────────────
+function parseArgs(argv) {
+  const args = { _: [] };
+  let i = 0;
+  while (i < argv.length) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const key = a.slice(2);
+      const next = argv[i + 1];
+      if (next && !next.startsWith('--')) { args[key] = next; i += 2; }
+      else { args[key] = true; i++; }
+    } else { args._.push(a); i++; }
+  }
+  return args;
+}
+// ── Crypto helpers ────────────────────────────────────────────────────────────
+function generateKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+    publicKeyEncoding:  { type: 'spki',  format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  return {
+    publicKey:  Buffer.from(publicKey).toString('base64'),
+    privateKey: Buffer.from(privateKey).toString('base64'),
+  };
+}
+function signMessage(privateKeyBase64, message) {
+  const key = createPrivateKey({ key: Buffer.from(privateKeyBase64, 'base64'), format: 'der', type: 'pkcs8' });
+  return nodeSign(null, Buffer.from(message, 'utf8'), key).toString('base64');
+}
+function derivePublicKey(privateKeyBase64) {
+  const priv = createPrivateKey({ key: Buffer.from(privateKeyBase64, 'base64'), format: 'der', type: 'pkcs8' });
+  return Buffer.from(createPublicKey(priv).export({ type: 'spki', format: 'der' })).toString('base64');
+}
+// ── Commands ──────────────────────────────────────────────────────────────────
+async function cmdKeygen() {
+  console.log(`\n${amb('Generating Ed25519 keypair...')}\n`);
+  const { publicKey, privateKey } = generateKeyPair();
+  console.log(`${hi('Public key')} ${dim('(add to PROVENANCE.yml identity.public_key)')}`);
+  console.log(`${c.green}${publicKey}${c.reset}\n`);
+  console.log(`${hi('Private key')} ${dim('(store as PROVENANCE_PRIVATE_KEY — never commit)')}`);
+  console.log(`${c.amber}${privateKey}${c.reset}\n`);
+  console.log(dim('─'.repeat(60)));
+  console.log(dim('Add to your environment:'));
+  console.log(`  PROVENANCE_PRIVATE_KEY=${privateKey}\n`);
+  console.log(dim('Add to PROVENANCE.yml:'));
+  console.log(`  identity:`);
+  console.log(`    public_key: "${publicKey}"`);
+  console.log(`    algorithm: ed25519\n`);
+}
+async function cmdRegister(args) {
+  const id          = args.id;
+  const url         = args.url;
+  const name        = args.name;
+  const description = args.description || args.desc;
+  const caps        = args.capabilities ? args.capabilities.split(',').map(s => s.trim()) : [];
+  const cons        = args.constraints  ? args.constraints.split(',').map(s => s.trim())  : [];
+  const model       = args.model;
+  const modelId     = args['model-id'];
+  const ajpEndpoint = args['ajp-endpoint'];
+  const privateKey  = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
+  if (!id)  { console.error(err('--id required'));  process.exit(1); }
+  if (!url) { console.error(err('--url required')); process.exit(1); }
+  console.log(`\n${amb('Registering')} ${hi(id)}...\n`);
+  let pubKey, signedChallenge;
+  if (privateKey) {
+    pubKey          = args['public-key'] || process.env.PROVENANCE_PUBLIC_KEY || derivePublicKey(privateKey);
+    signedChallenge = signMessage(privateKey, `${id}:REGISTER`);
+    console.log(ok('Signing with private key'));
+  }
+  const body = {
+    provenance_id: id, url,
+    ...(name        && { name }),
+    ...(description && { description }),
+    ...(caps.length && { capabilities: caps }),
+    ...(cons.length && { constraints: cons }),
+    ...(model       && { model_provider: model }),
+    ...(modelId     && { model_id: modelId }),
+    ...(ajpEndpoint && { ajp_endpoint: ajpEndpoint }),
+    ...(pubKey      && { public_key: pubKey }),
+    ...(signedChallenge && { signed_challenge: signedChallenge }),
+  };
+  const res  = await fetch(`${API}/api/agents/register`, {
+    method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
+  });
+  const data = await res.json();
+  if (!res.ok) { console.error(err(data.error || `HTTP ${res.status}`)); process.exit(1); }
+  const agent = data.agent || data;
+  console.log(ok(data.created ? 'Agent registered' : 'Agent updated'));
+  console.log(`  ${dim('confidence:')}      ${c.green}${agent.confidence}${c.reset}`);
+  console.log(`  ${dim('identity_verified:')} ${agent.identity_verified ? c.green + 'true' : c.amber + 'false'}${c.reset}`);
+  if (ajpEndpoint) console.log(`  ${dim('ajp_endpoint:')}    ${ajpEndpoint}`);
+  if (!agent.identity_verified)
+    console.log(`\n${c.amber}Tip:${c.reset} Run with ${hi('--private-key')} to get identity_verified status`);
+  console.log();
+}
+async function cmdStatus(args) {
+  const id = args._[1];
+  if (!id) { console.error(err('Usage: provenance status <provenance_id>')); process.exit(1); }
+  console.log(`\n${amb('Checking')} ${hi(id)}...\n`);
+  const res  = await fetch(`${API}/api/agent/${id.replace('provenance:', '').replace(':', '/')}`);
+  const data = await res.json();
+  if (!res.ok || data.error) { console.error(err(data.error || 'Not found')); process.exit(1); }
+  const trust      = Math.round((data.confidence || 0) * 100);
+  const trustColor = trust >= 80 ? c.green : trust >= 50 ? c.amber : c.red;
+  console.log(`${hi(data.name || id)}`);
+  console.log(`${dim(data.provenance_id)}\n`);
+  console.log(`${dim('Trust score:')}       ${trustColor}${trust}/100${c.reset}`);
+  console.log(`${dim('Declared:')}          ${data.declared ? c.green + 'yes' : c.amber + 'no'}${c.reset}`);
+  console.log(`${dim('Identity verified:')} ${data.identity_verified ? c.green + 'yes' : c.amber + 'no'}${c.reset}`);
+  console.log(`${dim('AJP endpoint:')}      ${data.ajp?.endpoint ? c.green + data.ajp.endpoint : c.dim + 'not set'}${c.reset}`);
+  console.log(`${dim('Incidents:')}         ${(data.incident_count || 0) === 0 ? c.green + '0' : c.red + data.incident_count}${c.reset}`);
+  if (data.capabilities?.length) console.log(`${dim('Capabilities:')}      ${data.capabilities.join(', ')}`);
+  if (data.constraints?.length)  console.log(`${dim('Constraints:')}       ${data.constraints.join(', ')}`);
+  console.log();
+  for (const [pass, label] of [
+    [data.declared,                'PROVENANCE.yml declared'],
+    [data.identity_verified,       'Identity verified (Ed25519)'],
+    [!!data.ajp?.endpoint,         'AJP endpoint configured'],
+    [(data.incident_count||0)===0, 'No open incidents'],
+  ]) console.log(`  ${pass ? ok(label) : dim('○ ' + label)}`);
+  console.log();
+}
+async function cmdValidate(args) {
+  const file = args._[1] || 'PROVENANCE.yml';
+  const path = resolve(process.cwd(), file);
+  if (!existsSync(path)) { console.error(err(`File not found: ${path}`)); process.exit(1); }
+  console.log(`\n${amb('Validating')} ${hi(file)}...\n`);
+  const content = readFileSync(path, 'utf8');
+  const res  = await fetch(`${API}/api/mcp`, {
+    method: 'POST', headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/call',
+      params: { name: 'validate_provenance_yml', arguments: { content } } }),
+  });
+  const rpc  = await res.json();
+  const data = JSON.parse(rpc.result?.content?.[0]?.text || '{}');
+  if (data.valid) console.log(ok('Valid PROVENANCE.yml'));
+  else { console.log(err('Validation failed')); for (const e of data.errors || []) console.log(`  ${c.red}✗${c.reset} ${e}`); }
+  for (const w of data.warnings || []) console.log(`  ${c.amber}⚠${c.reset} ${w}`);
+  console.log();
+}
+async function cmdRevoke(args) {
+  const id         = args.id;
+  const privateKey = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
+  if (!id)         { console.error(err('--id required')); process.exit(1); }
+  if (!privateKey) { console.error(err('--private-key or PROVENANCE_PRIVATE_KEY required')); process.exit(1); }
+  console.log(`\n${c.red}Revoking identity for${c.reset} ${hi(id)}...\n`);
+  const res  = await fetch(`${API}/api/agents/revoke`, {
+    method: 'POST', headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ provenance_id: id, signed_challenge: signMessage(privateKey, `${id}:REVOKE`) }),
+  });
+  const data = await res.json();
+  if (!res.ok || !data.success) { console.error(err(data.error || `HTTP ${res.status}`)); process.exit(1); }
+  console.log(ok('Identity revoked'));
+  console.log(dim('Run `provenance register` with a new keypair to re-establish.\n'));
+}
+function cmdHelp() {
+  console.log(`
+${hi('provenance')} ${dim(`v${VERSION}`)} — Provenance Protocol identity CLI
+${amb('Commands:')}
+  ${hi('keygen')}                              Generate an Ed25519 keypair
+  ${hi('register')}  --id <id> --url <url>     Register or update your agent
+               [--name <name>]
+               [--description <text>]
+               [--capabilities read:web,write:code]
+               [--constraints no:pii,no:financial:transact]
+               [--model anthropic] [--model-id claude-sonnet-4-6]
+               [--ajp-endpoint <url>]
+               [--private-key <key>]
+  ${hi('status')}    <provenance_id>            Check trust score and checklist
+  ${hi('validate')}  [file]                     Validate PROVENANCE.yml (default: ./PROVENANCE.yml)
+  ${hi('revoke')}    --id <id>                  Revoke cryptographic identity
+               [--private-key <key>]
+${amb('Environment variables:')}
+  PROVENANCE_ID           Your agent's Provenance ID
+  PROVENANCE_PRIVATE_KEY  Your Ed25519 private key (base64 PKCS8 DER)
+  PROVENANCE_API_URL      Override API base (default: https://provenance-web-mu.vercel.app)
+${amb('For AJP job delegation:')}
+  ${dim('npm install -g ajp-cli')}
+  ${dim('npx ajp hire <id> --instruction "..."')}
+${amb('Examples:')}
+  npx provenance keygen
+  npx provenance register --id provenance:github:alice/my-agent --url https://github.com/alice/my-agent
+  npx provenance status provenance:github:alice/my-agent
+  npx provenance validate
+`);
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+const argv = process.argv.slice(2);
+const args = parseArgs(argv);
+const cmd  = args._[0];
+try {
+  if (!cmd || cmd === 'help' || args.help) cmdHelp();
+  else if (cmd === 'keygen')   await cmdKeygen();
+  else if (cmd === 'register') await cmdRegister(args);
+  else if (cmd === 'status')   await cmdStatus(args);
+  else if (cmd === 'validate') await cmdValidate(args);
+  else if (cmd === 'revoke')   await cmdRevoke(args);
+  else { console.error(err(`Unknown command: ${cmd}\nRun \`provenance help\` for usage.`)); process.exit(1); }
+} catch (e) {
+  console.error(err(e.message));
+  process.exit(1);
+}

package/package.json CHANGED Viewed

@@ -1,24 +1,17 @@
 {
   "name": "provenance-cli",
-  "version": "0.1.0",
-  "description": "CLI for the Provenance agent identity registry and AJP protocol",
+  "version": "0.1.1",
+  "description": "CLI for the Provenance Protocol — agent identity, registration, and trust",
   "type": "module",
   "bin": {
-    "provenance": "./src/index.js"
-  },
-  "scripts": {
-    "test": "node src/index.js --help"
-  },
-  "dependencies": {
-    "provenance-protocol": "^0.1.1"
-  },
-  "engines": {
-    "node": ">=18"
+    "provenance": "./index.js"
   },
+  "engines": { "node": ">=18" },
   "repository": {
     "type": "git",
-    "url": "https://github.com/ilucky21c/provenance-cli"
+    "url": "git+https://github.com/ilucky21c/provenance-protocol.git",
+    "directory": "cli"
   },
-  "keywords": ["provenance", "ai", "agents", "ajp", "cli"],
+  "keywords": ["provenance", "ai", "agents", "identity", "cli"],
   "license": "MIT"
 }

package/src/index.js DELETED Viewed

@@ -1,502 +0,0 @@
-#!/usr/bin/env node
-/**
- * provenance-cli — Provenance Protocol + AJP command-line tool
- *
- * Usage:
- *   provenance keygen
- *   provenance register --id <id> --url <url> [options]
- *   provenance status <id>
- *   provenance validate [file]
- *   provenance revoke --id <id>
- *   provenance hire <id> --instruction <text> [--budget <usd>] [--timeout <s>]
- *   provenance jobs <job_id> --endpoint <url>
- */
-import { createPrivateKey, createPublicKey, generateKeyPairSync, sign as nodeSign, randomBytes } from 'crypto';
-import { readFileSync, existsSync } from 'fs';
-import { resolve } from 'path';
-const API = process.env.PROVENANCE_API_URL || 'https://provenance-web-mu.vercel.app';
-const VERSION = '0.1.0';
-// ── Colours ───────────────────────────────────────────────────────────────────
-const c = {
-  reset:  '\x1b[0m',
-  dim:    '\x1b[2m',
-  bold:   '\x1b[1m',
-  green:  '\x1b[32m',
-  amber:  '\x1b[33m',
-  red:    '\x1b[31m',
-  blue:   '\x1b[34m',
-  white:  '\x1b[97m',
-};
-const ok  = s => `${c.green}✓${c.reset} ${s}`;
-const err = s => `${c.red}✗${c.reset} ${s}`;
-const dim = s => `${c.dim}${s}${c.reset}`;
-const hi  = s => `${c.white}${c.bold}${s}${c.reset}`;
-const amb = s => `${c.amber}${s}${c.reset}`;
-// ── Arg parsing ───────────────────────────────────────────────────────────────
-function parseArgs(argv) {
-  const args = { _: [] };
-  let i = 0;
-  while (i < argv.length) {
-    const a = argv[i];
-    if (a.startsWith('--')) {
-      const key = a.slice(2);
-      const next = argv[i + 1];
-      if (next && !next.startsWith('--')) { args[key] = next; i += 2; }
-      else { args[key] = true; i++; }
-    } else {
-      args._.push(a);
-      i++;
-    }
-  }
-  return args;
-}
-// ── Crypto helpers ────────────────────────────────────────────────────────────
-function generateKeyPair() {
-  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
-    publicKeyEncoding: { type: 'spki', format: 'der' },
-    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
-  });
-  return {
-    publicKey:  Buffer.from(publicKey).toString('base64'),
-    privateKey: Buffer.from(privateKey).toString('base64'),
-  };
-}
-function signMessage(privateKeyBase64, message) {
-  const keyBuffer = Buffer.from(privateKeyBase64, 'base64');
-  const key = createPrivateKey({ key: keyBuffer, format: 'der', type: 'pkcs8' });
-  return nodeSign(null, Buffer.from(message, 'utf8'), key).toString('base64');
-}
-function signForProvenance(privateKey, provenanceId, publicKey) {
-  return signMessage(privateKey, `${provenanceId}:${publicKey}`);
-}
-function signChallenge(privateKey, provenanceId, nonce) {
-  return signMessage(privateKey, `${provenanceId}:${nonce}`);
-}
-function generateJobId() {
-  return `job_${Date.now().toString(36)}${randomBytes(6).toString('hex')}`;
-}
-function signOffer(offer, privateKeyBase64) {
-  const { signature: _, ...rest } = offer;
-  const canonical = JSON.stringify(rest, Object.keys(rest).sort());
-  const keyBuffer = Buffer.from(privateKeyBase64, 'base64');
-  const key = createPrivateKey({ key: keyBuffer, format: 'der', type: 'pkcs8' });
-  const sig = nodeSign(null, Buffer.from(canonical, 'utf8'), key);
-  return `ed25519:${sig.toString('base64')}`;
-}
-// ── Commands ──────────────────────────────────────────────────────────────────
-async function cmdKeygen() {
-  console.log(`\n${amb('Generating Ed25519 keypair...')}\n`);
-  const { publicKey, privateKey } = generateKeyPair();
-  console.log(`${hi('Public key')} ${dim('(add to PROVENANCE.yml identity.public_key)')}`);
-  console.log(`${c.green}${publicKey}${c.reset}\n`);
-  console.log(`${hi('Private key')} ${dim('(store as PROVENANCE_PRIVATE_KEY — never commit)')}`);
-  console.log(`${c.amber}${privateKey}${c.reset}\n`);
-  console.log(dim('─'.repeat(60)));
-  console.log(dim('Add to your environment:'));
-  console.log(`  PROVENANCE_PRIVATE_KEY=${privateKey}\n`);
-  console.log(dim('Add to PROVENANCE.yml:'));
-  console.log(`  identity:`);
-  console.log(`    public_key: "${publicKey}"`);
-  console.log(`    algorithm: ed25519`);
-  console.log(`    signature: "<run: provenance register --id <your-id>>\n"`);
-}
-async function cmdRegister(args) {
-  const id          = args.id || args['provenance-id'];
-  const url         = args.url;
-  const name        = args.name;
-  const description = args.description || args.desc;
-  const caps        = args.capabilities ? args.capabilities.split(',').map(s => s.trim()) : [];
-  const cons        = args.constraints  ? args.constraints.split(',').map(s => s.trim())  : [];
-  const model       = args.model;
-  const modelId     = args['model-id'];
-  const ajpEndpoint = args['ajp-endpoint'];
-  const privateKey  = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
-  const publicKey   = args['public-key']  || process.env.PROVENANCE_PUBLIC_KEY;
-  if (!id)  { console.error(err('--id required')); process.exit(1); }
-  if (!url) { console.error(err('--url required')); process.exit(1); }
-  console.log(`\n${amb('Registering')} ${hi(id)}...\n`);
-  let signedChallenge, pubKey;
-  if (privateKey) {
-    const kp = publicKey ? { publicKey } : (() => {
-      // Derive public key from private key
-      const privBuf = Buffer.from(privateKey, 'base64');
-      const privKey = createPrivateKey({ key: privBuf, format: 'der', type: 'pkcs8' });
-      const pubBuf  = createPublicKey(privKey).export({ type: 'spki', format: 'der' });
-      return { publicKey: Buffer.from(pubBuf).toString('base64') };
-    })();
-    pubKey = kp.publicKey;
-    signedChallenge = signChallenge(privateKey, id, 'REGISTER');
-    console.log(ok('Signing with private key'));
-  }
-  const body = {
-    provenance_id: id,
-    url,
-    ...(name        && { name }),
-    ...(description && { description }),
-    ...(caps.length && { capabilities: caps }),
-    ...(cons.length && { constraints: cons }),
-    ...(model       && { model_provider: model }),
-    ...(modelId     && { model_id: modelId }),
-    ...(ajpEndpoint && { ajp_endpoint: ajpEndpoint }),
-    ...(pubKey      && { public_key: pubKey }),
-    ...(signedChallenge && { signed_challenge: signedChallenge }),
-  };
-  const res  = await fetch(`${API}/api/agents/register`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify(body),
-  });
-  const data = await res.json();
-  if (!res.ok) {
-    console.error(err(data.error || `HTTP ${res.status}`));
-    process.exit(1);
-  }
-  const agent = data.agent || data;
-  console.log(ok(data.created ? 'Agent registered' : 'Agent updated'));
-  console.log(`  ${dim('provenance_id:')}  ${agent.provenance_id}`);
-  console.log(`  ${dim('confidence:')}     ${c.green}${agent.confidence}${c.reset}`);
-  console.log(`  ${dim('identity_verified:')} ${agent.identity_verified ? c.green + 'true' + c.reset : c.amber + 'false' + c.reset}`);
-  if (ajpEndpoint) console.log(`  ${dim('ajp_endpoint:')}   ${ajpEndpoint}`);
-  if (!agent.identity_verified) {
-    console.log(`\n${c.amber}Tip:${c.reset} Run with ${hi('--private-key')} to get identity_verified status (confidence 1.0)`);
-  }
-  console.log();
-}
-async function cmdStatus(args) {
-  const id = args._[1];
-  if (!id) { console.error(err('Usage: provenance status <provenance_id>')); process.exit(1); }
-  console.log(`\n${amb('Checking')} ${hi(id)}...\n`);
-  const res  = await fetch(`${API}/api/agent/${id.replace('provenance:', '').replace(':', '/')}`);
-  const data = await res.json();
-  if (!res.ok || data.error) {
-    console.error(err(data.error || 'Not found'));
-    process.exit(1);
-  }
-  const trust = data.confidence ? Math.round(data.confidence * 100) : 0;
-  const trustColor = trust >= 80 ? c.green : trust >= 50 ? c.amber : c.red;
-  console.log(`${hi(data.name || id)}`);
-  console.log(`${dim(data.provenance_id)}\n`);
-  console.log(`${dim('Trust score:')}      ${trustColor}${trust}/100${c.reset}`);
-  console.log(`${dim('Declared:')}         ${data.declared ? c.green + 'yes' + c.reset : c.amber + 'no' + c.reset}`);
-  console.log(`${dim('Identity verified:')} ${data.identity_verified ? c.green + 'yes' + c.reset : c.amber + 'no' + c.reset}`);
-  console.log(`${dim('AJP endpoint:')}     ${data.ajp?.endpoint ? c.green + data.ajp.endpoint + c.reset : c.dim + 'not set' + c.reset}`);
-  console.log(`${dim('Incidents:')}        ${(data.incident_count || 0) === 0 ? c.green + '0' + c.reset : c.red + data.incident_count + c.reset}`);
-  if (data.capabilities?.length) {
-    console.log(`${dim('Capabilities:')}     ${data.capabilities.join(', ')}`);
-  }
-  if (data.constraints?.length) {
-    console.log(`${dim('Constraints:')}      ${data.constraints.join(', ')}`);
-  }
-  // Checklist
-  const checklist = [
-    [data.declared,             'PROVENANCE.yml declared'],
-    [data.identity_verified,    'Identity verified (Ed25519)'],
-    [!!data.ajp?.endpoint,      'AJP endpoint configured'],
-    [(data.incident_count||0)===0, 'No open incidents'],
-  ];
-  console.log();
-  for (const [pass, label] of checklist) {
-    console.log(`  ${pass ? ok(label) : `${c.dim}○${c.reset} ${c.dim}${label}${c.reset}`}`);
-  }
-  console.log();
-}
-async function cmdValidate(args) {
-  const file = args._[1] || 'PROVENANCE.yml';
-  const path = resolve(process.cwd(), file);
-  if (!existsSync(path)) {
-    console.error(err(`File not found: ${path}`));
-    process.exit(1);
-  }
-  console.log(`\n${amb('Validating')} ${hi(file)}...\n`);
-  const content = readFileSync(path, 'utf8');
-  const res  = await fetch(`${API}/api/mcp`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      jsonrpc: '2.0', id: 1,
-      method: 'tools/call',
-      params: { name: 'validate_provenance_yml', arguments: { content } },
-    }),
-  });
-  const rpc  = await res.json();
-  const data = JSON.parse(rpc.result?.content?.[0]?.text || '{}');
-  if (data.valid) {
-    console.log(ok('Valid PROVENANCE.yml'));
-  } else {
-    console.log(err('Validation failed'));
-    for (const e of data.errors || []) console.log(`  ${c.red}✗${c.reset} ${e}`);
-  }
-  for (const w of data.warnings || []) {
-    console.log(`  ${c.amber}⚠${c.reset} ${w}`);
-  }
-  console.log();
-}
-async function cmdRevoke(args) {
-  const id         = args.id || args['provenance-id'];
-  const privateKey = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
-  if (!id)         { console.error(err('--id required')); process.exit(1); }
-  if (!privateKey) { console.error(err('--private-key or PROVENANCE_PRIVATE_KEY required')); process.exit(1); }
-  console.log(`\n${c.red}Revoking identity for${c.reset} ${hi(id)}...\n`);
-  const signedChallenge = signChallenge(privateKey, id, 'REVOKE');
-  const res  = await fetch(`${API}/api/agents/revoke`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ provenance_id: id, signed_challenge: signedChallenge }),
-  });
-  const data = await res.json();
-  if (!res.ok || !data.success) {
-    console.error(err(data.error || `HTTP ${res.status}`));
-    process.exit(1);
-  }
-  console.log(ok('Identity revoked'));
-  console.log(dim('Run `provenance register` with a new keypair to re-establish.'));
-  console.log();
-}
-async function cmdHire(args) {
-  const targetId   = args._[1];
-  const instruction = args.instruction || args.i;
-  const budget     = parseFloat(args.budget || args.b || '1.0');
-  const timeout    = parseInt(args.timeout || args.t || '120');
-  const privateKey = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
-  const provenanceId = args['from-id'] || process.env.PROVENANCE_ID;
-  if (!targetId)    { console.error(err('Usage: provenance hire <provenance_id> --instruction <text>')); process.exit(1); }
-  if (!instruction) { console.error(err('--instruction required')); process.exit(1); }
-  if (!privateKey)  { console.error(err('--private-key or PROVENANCE_PRIVATE_KEY required')); process.exit(1); }
-  if (!provenanceId){ console.error(err('--from-id or PROVENANCE_ID required')); process.exit(1); }
-  console.log(`\n${amb('Hiring')} ${hi(targetId)}...\n`);
-  // Resolve endpoint from index
-  process.stdout.write(dim('  Resolving endpoint...'));
-  const agentRes  = await fetch(`${API}/api/agent/${targetId.replace('provenance:', '').replace(':', '/')}`);
-  const agentData = await agentRes.json();
-  if (!agentData?.ajp?.endpoint) {
-    console.log('\n' + err('Agent has no AJP endpoint declared'));
-    process.exit(1);
-  }
-  const endpoint = agentData.ajp.endpoint.replace(/\/$/, '');
-  console.log(` ${c.green}${endpoint}${c.reset}`);
-  // Build offer
-  const now       = new Date();
-  const expiresAt = new Date(now.getTime() + timeout * 1000);
-  const jobId     = generateJobId();
-  const offer = {
-    ajp: '0.1',
-    job_id: jobId,
-    parent_job_id: null,
-    from: { type: 'orchestrator', id: null, provenance_id: provenanceId },
-    to:   { provenance_id: targetId },
-    task: { type: 'task', instruction, input: {}, output_format: 'json' },
-    context: { credentials: {}, memory: [], constraints: [] },
-    budget:  { max_usd: budget, max_seconds: timeout, max_llm_tokens: 10000 },
-    callback: null,
-    issued_at:  now.toISOString(),
-    expires_at: expiresAt.toISOString(),
-    signature: '',
-  };
-  offer.signature = signOffer(offer, privateKey);
-  // Submit
-  process.stdout.write(dim('  Submitting job...'));
-  const submitRes  = await fetch(`${endpoint}/jobs`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify(offer),
-  });
-  const submitData = await submitRes.json().catch(() => ({}));
-  if (!submitRes.ok) {
-    console.log('\n' + err(submitData.error || submitData.reason || `HTTP ${submitRes.status}`));
-    process.exit(1);
-  }
-  console.log(` ${c.green}${jobId}${c.reset}`);
-  // Poll
-  const deadline = Date.now() + timeout * 1000;
-  const frames   = ['⠋','⠙','⠹','⠸','⠼','⠴','⠦','⠧','⠇','⠏'];
-  let   fi       = 0;
-  while (Date.now() < deadline) {
-    await new Promise(r => setTimeout(r, 2000));
-    const pollRes  = await fetch(`${endpoint}/jobs/${jobId}`);
-    const pollData = await pollRes.json().catch(() => ({}));
-    process.stdout.write(`\r  ${c.blue}${frames[fi++ % frames.length]}${c.reset} ${c.dim}${pollData.status || 'polling'}...${c.reset}   `);
-    if (pollData.status === 'completed') {
-      // Ack
-      await fetch(`${endpoint}/jobs/${jobId}/ack`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ received: true }),
-      }).catch(() => {});
-      const dur = pollData.usage?.duration_seconds?.toFixed(1);
-      process.stdout.write(`\r${ok(`Completed${dur ? ` in ${dur}s` : ''}`)}                    \n\n`);
-      const out = pollData.output;
-      if (typeof out === 'string') {
-        console.log(out);
-      } else {
-        console.log(JSON.stringify(out, null, 2));
-      }
-      if (pollData.usage) {
-        const u = pollData.usage;
-        const parts = [];
-        if (u.duration_seconds != null) parts.push(`${u.duration_seconds.toFixed(1)}s`);
-        if (u.cost_usd > 0)            parts.push(`$${u.cost_usd.toFixed(4)}`);
-        if (u.llm_tokens > 0)          parts.push(`${u.llm_tokens} tokens`);
-        if (parts.length) console.log('\n' + dim(parts.join(' · ')));
-      }
-      console.log();
-      return;
-    }
-    if (['failed','expired','rejected'].includes(pollData.status)) {
-      process.stdout.write(`\r${err(pollData.status + (pollData.message ? ': ' + pollData.message : ''))}                    \n\n`);
-      process.exit(1);
-    }
-  }
-  console.log('\n' + err(`Timed out after ${timeout}s`));
-  process.exit(1);
-}
-async function cmdJobs(args) {
-  const jobId   = args._[1];
-  const endpoint = args.endpoint;
-  if (!jobId)    { console.error(err('Usage: provenance jobs <job_id> --endpoint <url>')); process.exit(1); }
-  if (!endpoint) { console.error(err('--endpoint required')); process.exit(1); }
-  const res  = await fetch(`${endpoint.replace(/\/$/, '')}/jobs/${jobId}`);
-  const data = await res.json();
-  const statusColor = { completed: c.green, failed: c.red, expired: c.red, running: c.blue, accepted: c.amber }[data.status] || c.dim;
-  console.log(`\n${dim('job_id:')} ${data.job_id}`);
-  console.log(`${dim('status:')} ${statusColor}${data.status}${c.reset}`);
-  if (data.output)   console.log(`\n${JSON.stringify(data.output, null, 2)}`);
-  if (data.message)  console.log(`${c.red}${data.message}${c.reset}`);
-  console.log();
-}
-function cmdHelp() {
-  console.log(`
-${hi('provenance')} ${dim(`v${VERSION}`)} — Provenance Protocol + AJP CLI
-${amb('Identity commands:')}
-  ${hi('keygen')}                              Generate an Ed25519 keypair
-  ${hi('register')}  --id <id> --url <url>     Register or update your agent
-               [--name <name>]
-               [--description <text>]
-               [--capabilities read:web,write:code]
-               [--constraints no:pii,no:financial:transact]
-               [--model anthropic] [--model-id claude-sonnet-4-6]
-               [--ajp-endpoint <url>]
-               [--private-key <key>]
-  ${hi('status')}    <provenance_id>            Check trust score and checklist
-  ${hi('validate')}  [file]                     Validate PROVENANCE.yml (default: ./PROVENANCE.yml)
-  ${hi('revoke')}    --id <id>                  Revoke cryptographic identity
-               [--private-key <key>]
-${amb('AJP commands:')}
-  ${hi('hire')}      <provenance_id>            Send a job to an agent
-               --instruction <text>
-               [--budget <usd>]       default: 1.00
-               [--timeout <seconds>]  default: 120
-               [--from-id <id>]       default: \$PROVENANCE_ID
-               [--private-key <key>]  default: \$PROVENANCE_PRIVATE_KEY
-  ${hi('jobs')}      <job_id>                   Check job status
-               --endpoint <url>
-${amb('Environment variables:')}
-  PROVENANCE_ID           Your agent's Provenance ID
-  PROVENANCE_PRIVATE_KEY  Your Ed25519 private key (base64 PKCS8 DER)
-  PROVENANCE_API_URL      Override API base URL (default: https://provenance-web-mu.vercel.app)
-${amb('Examples:')}
-  npx provenance keygen
-  npx provenance register --id provenance:github:alice/my-agent --url https://github.com/alice/my-agent
-  npx provenance status provenance:github:alice/my-agent
-  npx provenance hire provenance:github:alice/my-agent --instruction "Summarize this doc" --budget 0.50
-`);
-}
-// ── Main ──────────────────────────────────────────────────────────────────────
-const argv = process.argv.slice(2);
-const args = parseArgs(argv);
-const cmd  = args._[0];
-try {
-  if (!cmd || cmd === 'help' || args.help || args.h) { cmdHelp(); }
-  else if (cmd === 'keygen')   { await cmdKeygen(); }
-  else if (cmd === 'register') { await cmdRegister(args); }
-  else if (cmd === 'status')   { await cmdStatus(args); }
-  else if (cmd === 'validate') { await cmdValidate(args); }
-  else if (cmd === 'revoke')   { await cmdRevoke(args); }
-  else if (cmd === 'hire')     { await cmdHire(args); }
-  else if (cmd === 'jobs')     { await cmdJobs(args); }
-  else {
-    console.error(err(`Unknown command: ${cmd}`));
-    console.error(dim('Run `provenance help` for usage.'));
-    process.exit(1);
-  }
-} catch (e) {
-  console.error(err(e.message));
-  process.exit(1);
-}