provenance-cli 0.1.0

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "provenance-cli",
+  "version": "0.1.0",
+  "description": "CLI for the Provenance agent identity registry and AJP protocol",
+  "type": "module",
+  "bin": {
+    "provenance": "./src/index.js"
+  },
+  "scripts": {
+    "test": "node src/index.js --help"
+  },
+  "dependencies": {
+    "provenance-protocol": "^0.1.1"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ilucky21c/provenance-cli"
+  },
+  "keywords": ["provenance", "ai", "agents", "ajp", "cli"],
+  "license": "MIT"
+}

package/src/index.js

@@ -0,0 +1,502 @@
+#!/usr/bin/env node
+/**
+ * provenance-cli — Provenance Protocol + AJP command-line tool
+ *
+ * Usage:
+ *   provenance keygen
+ *   provenance register --id <id> --url <url> [options]
+ *   provenance status <id>
+ *   provenance validate [file]
+ *   provenance revoke --id <id>
+ *   provenance hire <id> --instruction <text> [--budget <usd>] [--timeout <s>]
+ *   provenance jobs <job_id> --endpoint <url>
+ */
+
+import { createPrivateKey, createPublicKey, generateKeyPairSync, sign as nodeSign, randomBytes } from 'crypto';
+import { readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+
+const API = process.env.PROVENANCE_API_URL || 'https://provenance-web-mu.vercel.app';
+const VERSION = '0.1.0';
+
+// ── Colours ───────────────────────────────────────────────────────────────────
+
+const c = {
+  reset:  '\x1b[0m',
+  dim:    '\x1b[2m',
+  bold:   '\x1b[1m',
+  green:  '\x1b[32m',
+  amber:  '\x1b[33m',
+  red:    '\x1b[31m',
+  blue:   '\x1b[34m',
+  white:  '\x1b[97m',
+};
+
+const ok  = s => `${c.green}✓${c.reset} ${s}`;
+const err = s => `${c.red}✗${c.reset} ${s}`;
+const dim = s => `${c.dim}${s}${c.reset}`;
+const hi  = s => `${c.white}${c.bold}${s}${c.reset}`;
+const amb = s => `${c.amber}${s}${c.reset}`;
+
+// ── Arg parsing ───────────────────────────────────────────────────────────────
+
+function parseArgs(argv) {
+  const args = { _: [] };
+  let i = 0;
+  while (i < argv.length) {
+    const a = argv[i];
+    if (a.startsWith('--')) {
+      const key = a.slice(2);
+      const next = argv[i + 1];
+      if (next && !next.startsWith('--')) { args[key] = next; i += 2; }
+      else { args[key] = true; i++; }
+    } else {
+      args._.push(a);
+      i++;
+    }
+  }
+  return args;
+}
+
+// ── Crypto helpers ────────────────────────────────────────────────────────────
+
+function generateKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  return {
+    publicKey:  Buffer.from(publicKey).toString('base64'),
+    privateKey: Buffer.from(privateKey).toString('base64'),
+  };
+}
+
+function signMessage(privateKeyBase64, message) {
+  const keyBuffer = Buffer.from(privateKeyBase64, 'base64');
+  const key = createPrivateKey({ key: keyBuffer, format: 'der', type: 'pkcs8' });
+  return nodeSign(null, Buffer.from(message, 'utf8'), key).toString('base64');
+}
+
+function signForProvenance(privateKey, provenanceId, publicKey) {
+  return signMessage(privateKey, `${provenanceId}:${publicKey}`);
+}
+
+function signChallenge(privateKey, provenanceId, nonce) {
+  return signMessage(privateKey, `${provenanceId}:${nonce}`);
+}
+
+function generateJobId() {
+  return `job_${Date.now().toString(36)}${randomBytes(6).toString('hex')}`;
+}
+
+function signOffer(offer, privateKeyBase64) {
+  const { signature: _, ...rest } = offer;
+  const canonical = JSON.stringify(rest, Object.keys(rest).sort());
+  const keyBuffer = Buffer.from(privateKeyBase64, 'base64');
+  const key = createPrivateKey({ key: keyBuffer, format: 'der', type: 'pkcs8' });
+  const sig = nodeSign(null, Buffer.from(canonical, 'utf8'), key);
+  return `ed25519:${sig.toString('base64')}`;
+}
+
+// ── Commands ──────────────────────────────────────────────────────────────────
+
+async function cmdKeygen() {
+  console.log(`\n${amb('Generating Ed25519 keypair...')}\n`);
+  const { publicKey, privateKey } = generateKeyPair();
+
+  console.log(`${hi('Public key')} ${dim('(add to PROVENANCE.yml identity.public_key)')}`);
+  console.log(`${c.green}${publicKey}${c.reset}\n`);
+
+  console.log(`${hi('Private key')} ${dim('(store as PROVENANCE_PRIVATE_KEY — never commit)')}`);
+  console.log(`${c.amber}${privateKey}${c.reset}\n`);
+
+  console.log(dim('─'.repeat(60)));
+  console.log(dim('Add to your environment:'));
+  console.log(`  PROVENANCE_PRIVATE_KEY=${privateKey}\n`);
+  console.log(dim('Add to PROVENANCE.yml:'));
+  console.log(`  identity:`);
+  console.log(`    public_key: "${publicKey}"`);
+  console.log(`    algorithm: ed25519`);
+  console.log(`    signature: "<run: provenance register --id <your-id>>\n"`);
+}
+
+async function cmdRegister(args) {
+  const id          = args.id || args['provenance-id'];
+  const url         = args.url;
+  const name        = args.name;
+  const description = args.description || args.desc;
+  const caps        = args.capabilities ? args.capabilities.split(',').map(s => s.trim()) : [];
+  const cons        = args.constraints  ? args.constraints.split(',').map(s => s.trim())  : [];
+  const model       = args.model;
+  const modelId     = args['model-id'];
+  const ajpEndpoint = args['ajp-endpoint'];
+  const privateKey  = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
+  const publicKey   = args['public-key']  || process.env.PROVENANCE_PUBLIC_KEY;
+
+  if (!id)  { console.error(err('--id required')); process.exit(1); }
+  if (!url) { console.error(err('--url required')); process.exit(1); }
+
+  console.log(`\n${amb('Registering')} ${hi(id)}...\n`);
+
+  let signedChallenge, pubKey;
+  if (privateKey) {
+    const kp = publicKey ? { publicKey } : (() => {
+      // Derive public key from private key
+      const privBuf = Buffer.from(privateKey, 'base64');
+      const privKey = createPrivateKey({ key: privBuf, format: 'der', type: 'pkcs8' });
+      const pubBuf  = createPublicKey(privKey).export({ type: 'spki', format: 'der' });
+      return { publicKey: Buffer.from(pubBuf).toString('base64') };
+    })();
+    pubKey = kp.publicKey;
+    signedChallenge = signChallenge(privateKey, id, 'REGISTER');
+    console.log(ok('Signing with private key'));
+  }
+
+  const body = {
+    provenance_id: id,
+    url,
+    ...(name        && { name }),
+    ...(description && { description }),
+    ...(caps.length && { capabilities: caps }),
+    ...(cons.length && { constraints: cons }),
+    ...(model       && { model_provider: model }),
+    ...(modelId     && { model_id: modelId }),
+    ...(ajpEndpoint && { ajp_endpoint: ajpEndpoint }),
+    ...(pubKey      && { public_key: pubKey }),
+    ...(signedChallenge && { signed_challenge: signedChallenge }),
+  };
+
+  const res  = await fetch(`${API}/api/agents/register`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  const data = await res.json();
+
+  if (!res.ok) {
+    console.error(err(data.error || `HTTP ${res.status}`));
+    process.exit(1);
+  }
+
+  const agent = data.agent || data;
+  console.log(ok(data.created ? 'Agent registered' : 'Agent updated'));
+  console.log(`  ${dim('provenance_id:')}  ${agent.provenance_id}`);
+  console.log(`  ${dim('confidence:')}     ${c.green}${agent.confidence}${c.reset}`);
+  console.log(`  ${dim('identity_verified:')} ${agent.identity_verified ? c.green + 'true' + c.reset : c.amber + 'false' + c.reset}`);
+  if (ajpEndpoint) console.log(`  ${dim('ajp_endpoint:')}   ${ajpEndpoint}`);
+
+  if (!agent.identity_verified) {
+    console.log(`\n${c.amber}Tip:${c.reset} Run with ${hi('--private-key')} to get identity_verified status (confidence 1.0)`);
+  }
+  console.log();
+}
+
+async function cmdStatus(args) {
+  const id = args._[1];
+  if (!id) { console.error(err('Usage: provenance status <provenance_id>')); process.exit(1); }
+
+  console.log(`\n${amb('Checking')} ${hi(id)}...\n`);
+
+  const res  = await fetch(`${API}/api/agent/${id.replace('provenance:', '').replace(':', '/')}`);
+  const data = await res.json();
+
+  if (!res.ok || data.error) {
+    console.error(err(data.error || 'Not found'));
+    process.exit(1);
+  }
+
+  const trust = data.confidence ? Math.round(data.confidence * 100) : 0;
+  const trustColor = trust >= 80 ? c.green : trust >= 50 ? c.amber : c.red;
+
+  console.log(`${hi(data.name || id)}`);
+  console.log(`${dim(data.provenance_id)}\n`);
+
+  console.log(`${dim('Trust score:')}      ${trustColor}${trust}/100${c.reset}`);
+  console.log(`${dim('Declared:')}         ${data.declared ? c.green + 'yes' + c.reset : c.amber + 'no' + c.reset}`);
+  console.log(`${dim('Identity verified:')} ${data.identity_verified ? c.green + 'yes' + c.reset : c.amber + 'no' + c.reset}`);
+  console.log(`${dim('AJP endpoint:')}     ${data.ajp?.endpoint ? c.green + data.ajp.endpoint + c.reset : c.dim + 'not set' + c.reset}`);
+  console.log(`${dim('Incidents:')}        ${(data.incident_count || 0) === 0 ? c.green + '0' + c.reset : c.red + data.incident_count + c.reset}`);
+
+  if (data.capabilities?.length) {
+    console.log(`${dim('Capabilities:')}     ${data.capabilities.join(', ')}`);
+  }
+  if (data.constraints?.length) {
+    console.log(`${dim('Constraints:')}      ${data.constraints.join(', ')}`);
+  }
+
+  // Checklist
+  const checklist = [
+    [data.declared,             'PROVENANCE.yml declared'],
+    [data.identity_verified,    'Identity verified (Ed25519)'],
+    [!!data.ajp?.endpoint,      'AJP endpoint configured'],
+    [(data.incident_count||0)===0, 'No open incidents'],
+  ];
+  console.log();
+  for (const [pass, label] of checklist) {
+    console.log(`  ${pass ? ok(label) : `${c.dim}○${c.reset} ${c.dim}${label}${c.reset}`}`);
+  }
+  console.log();
+}
+
+async function cmdValidate(args) {
+  const file = args._[1] || 'PROVENANCE.yml';
+  const path = resolve(process.cwd(), file);
+
+  if (!existsSync(path)) {
+    console.error(err(`File not found: ${path}`));
+    process.exit(1);
+  }
+
+  console.log(`\n${amb('Validating')} ${hi(file)}...\n`);
+
+  const content = readFileSync(path, 'utf8');
+  const res  = await fetch(`${API}/api/mcp`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      jsonrpc: '2.0', id: 1,
+      method: 'tools/call',
+      params: { name: 'validate_provenance_yml', arguments: { content } },
+    }),
+  });
+  const rpc  = await res.json();
+  const data = JSON.parse(rpc.result?.content?.[0]?.text || '{}');
+
+  if (data.valid) {
+    console.log(ok('Valid PROVENANCE.yml'));
+  } else {
+    console.log(err('Validation failed'));
+    for (const e of data.errors || []) console.log(`  ${c.red}✗${c.reset} ${e}`);
+  }
+  for (const w of data.warnings || []) {
+    console.log(`  ${c.amber}⚠${c.reset} ${w}`);
+  }
+  console.log();
+}
+
+async function cmdRevoke(args) {
+  const id         = args.id || args['provenance-id'];
+  const privateKey = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
+
+  if (!id)         { console.error(err('--id required')); process.exit(1); }
+  if (!privateKey) { console.error(err('--private-key or PROVENANCE_PRIVATE_KEY required')); process.exit(1); }
+
+  console.log(`\n${c.red}Revoking identity for${c.reset} ${hi(id)}...\n`);
+
+  const signedChallenge = signChallenge(privateKey, id, 'REVOKE');
+
+  const res  = await fetch(`${API}/api/agents/revoke`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ provenance_id: id, signed_challenge: signedChallenge }),
+  });
+  const data = await res.json();
+
+  if (!res.ok || !data.success) {
+    console.error(err(data.error || `HTTP ${res.status}`));
+    process.exit(1);
+  }
+
+  console.log(ok('Identity revoked'));
+  console.log(dim('Run `provenance register` with a new keypair to re-establish.'));
+  console.log();
+}
+
+async function cmdHire(args) {
+  const targetId   = args._[1];
+  const instruction = args.instruction || args.i;
+  const budget     = parseFloat(args.budget || args.b || '1.0');
+  const timeout    = parseInt(args.timeout || args.t || '120');
+  const privateKey = args['private-key'] || process.env.PROVENANCE_PRIVATE_KEY;
+  const provenanceId = args['from-id'] || process.env.PROVENANCE_ID;
+
+  if (!targetId)    { console.error(err('Usage: provenance hire <provenance_id> --instruction <text>')); process.exit(1); }
+  if (!instruction) { console.error(err('--instruction required')); process.exit(1); }
+  if (!privateKey)  { console.error(err('--private-key or PROVENANCE_PRIVATE_KEY required')); process.exit(1); }
+  if (!provenanceId){ console.error(err('--from-id or PROVENANCE_ID required')); process.exit(1); }
+
+  console.log(`\n${amb('Hiring')} ${hi(targetId)}...\n`);
+
+  // Resolve endpoint from index
+  process.stdout.write(dim('  Resolving endpoint...'));
+  const agentRes  = await fetch(`${API}/api/agent/${targetId.replace('provenance:', '').replace(':', '/')}`);
+  const agentData = await agentRes.json();
+  if (!agentData?.ajp?.endpoint) {
+    console.log('\n' + err('Agent has no AJP endpoint declared'));
+    process.exit(1);
+  }
+  const endpoint = agentData.ajp.endpoint.replace(/\/$/, '');
+  console.log(` ${c.green}${endpoint}${c.reset}`);
+
+  // Build offer
+  const now       = new Date();
+  const expiresAt = new Date(now.getTime() + timeout * 1000);
+  const jobId     = generateJobId();
+
+  const offer = {
+    ajp: '0.1',
+    job_id: jobId,
+    parent_job_id: null,
+    from: { type: 'orchestrator', id: null, provenance_id: provenanceId },
+    to:   { provenance_id: targetId },
+    task: { type: 'task', instruction, input: {}, output_format: 'json' },
+    context: { credentials: {}, memory: [], constraints: [] },
+    budget:  { max_usd: budget, max_seconds: timeout, max_llm_tokens: 10000 },
+    callback: null,
+    issued_at:  now.toISOString(),
+    expires_at: expiresAt.toISOString(),
+    signature: '',
+  };
+  offer.signature = signOffer(offer, privateKey);
+
+  // Submit
+  process.stdout.write(dim('  Submitting job...'));
+  const submitRes  = await fetch(`${endpoint}/jobs`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(offer),
+  });
+  const submitData = await submitRes.json().catch(() => ({}));
+
+  if (!submitRes.ok) {
+    console.log('\n' + err(submitData.error || submitData.reason || `HTTP ${submitRes.status}`));
+    process.exit(1);
+  }
+  console.log(` ${c.green}${jobId}${c.reset}`);
+
+  // Poll
+  const deadline = Date.now() + timeout * 1000;
+  const frames   = ['⠋','⠙','⠹','⠸','⠼','⠴','⠦','⠧','⠇','⠏'];
+  let   fi       = 0;
+
+  while (Date.now() < deadline) {
+    await new Promise(r => setTimeout(r, 2000));
+    const pollRes  = await fetch(`${endpoint}/jobs/${jobId}`);
+    const pollData = await pollRes.json().catch(() => ({}));
+
+    process.stdout.write(`\r  ${c.blue}${frames[fi++ % frames.length]}${c.reset} ${c.dim}${pollData.status || 'polling'}...${c.reset}   `);
+
+    if (pollData.status === 'completed') {
+      // Ack
+      await fetch(`${endpoint}/jobs/${jobId}/ack`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ received: true }),
+      }).catch(() => {});
+
+      const dur = pollData.usage?.duration_seconds?.toFixed(1);
+      process.stdout.write(`\r${ok(`Completed${dur ? ` in ${dur}s` : ''}`)}                    \n\n`);
+
+      const out = pollData.output;
+      if (typeof out === 'string') {
+        console.log(out);
+      } else {
+        console.log(JSON.stringify(out, null, 2));
+      }
+
+      if (pollData.usage) {
+        const u = pollData.usage;
+        const parts = [];
+        if (u.duration_seconds != null) parts.push(`${u.duration_seconds.toFixed(1)}s`);
+        if (u.cost_usd > 0)            parts.push(`$${u.cost_usd.toFixed(4)}`);
+        if (u.llm_tokens > 0)          parts.push(`${u.llm_tokens} tokens`);
+        if (parts.length) console.log('\n' + dim(parts.join(' · ')));
+      }
+      console.log();
+      return;
+    }
+
+    if (['failed','expired','rejected'].includes(pollData.status)) {
+      process.stdout.write(`\r${err(pollData.status + (pollData.message ? ': ' + pollData.message : ''))}                    \n\n`);
+      process.exit(1);
+    }
+  }
+
+  console.log('\n' + err(`Timed out after ${timeout}s`));
+  process.exit(1);
+}
+
+async function cmdJobs(args) {
+  const jobId   = args._[1];
+  const endpoint = args.endpoint;
+
+  if (!jobId)    { console.error(err('Usage: provenance jobs <job_id> --endpoint <url>')); process.exit(1); }
+  if (!endpoint) { console.error(err('--endpoint required')); process.exit(1); }
+
+  const res  = await fetch(`${endpoint.replace(/\/$/, '')}/jobs/${jobId}`);
+  const data = await res.json();
+
+  const statusColor = { completed: c.green, failed: c.red, expired: c.red, running: c.blue, accepted: c.amber }[data.status] || c.dim;
+  console.log(`\n${dim('job_id:')} ${data.job_id}`);
+  console.log(`${dim('status:')} ${statusColor}${data.status}${c.reset}`);
+  if (data.output)   console.log(`\n${JSON.stringify(data.output, null, 2)}`);
+  if (data.message)  console.log(`${c.red}${data.message}${c.reset}`);
+  console.log();
+}
+
+function cmdHelp() {
+  console.log(`
+${hi('provenance')} ${dim(`v${VERSION}`)} — Provenance Protocol + AJP CLI
+
+${amb('Identity commands:')}
+  ${hi('keygen')}                              Generate an Ed25519 keypair
+  ${hi('register')}  --id <id> --url <url>     Register or update your agent
+               [--name <name>]
+               [--description <text>]
+               [--capabilities read:web,write:code]
+               [--constraints no:pii,no:financial:transact]
+               [--model anthropic] [--model-id claude-sonnet-4-6]
+               [--ajp-endpoint <url>]
+               [--private-key <key>]
+  ${hi('status')}    <provenance_id>            Check trust score and checklist
+  ${hi('validate')}  [file]                     Validate PROVENANCE.yml (default: ./PROVENANCE.yml)
+  ${hi('revoke')}    --id <id>                  Revoke cryptographic identity
+               [--private-key <key>]
+
+${amb('AJP commands:')}
+  ${hi('hire')}      <provenance_id>            Send a job to an agent
+               --instruction <text>
+               [--budget <usd>]       default: 1.00
+               [--timeout <seconds>]  default: 120
+               [--from-id <id>]       default: \$PROVENANCE_ID
+               [--private-key <key>]  default: \$PROVENANCE_PRIVATE_KEY
+  ${hi('jobs')}      <job_id>                   Check job status
+               --endpoint <url>
+
+${amb('Environment variables:')}
+  PROVENANCE_ID           Your agent's Provenance ID
+  PROVENANCE_PRIVATE_KEY  Your Ed25519 private key (base64 PKCS8 DER)
+  PROVENANCE_API_URL      Override API base URL (default: https://provenance-web-mu.vercel.app)
+
+${amb('Examples:')}
+  npx provenance keygen
+  npx provenance register --id provenance:github:alice/my-agent --url https://github.com/alice/my-agent
+  npx provenance status provenance:github:alice/my-agent
+  npx provenance hire provenance:github:alice/my-agent --instruction "Summarize this doc" --budget 0.50
+`);
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+const argv = process.argv.slice(2);
+const args = parseArgs(argv);
+const cmd  = args._[0];
+
+try {
+  if (!cmd || cmd === 'help' || args.help || args.h) { cmdHelp(); }
+  else if (cmd === 'keygen')   { await cmdKeygen(); }
+  else if (cmd === 'register') { await cmdRegister(args); }
+  else if (cmd === 'status')   { await cmdStatus(args); }
+  else if (cmd === 'validate') { await cmdValidate(args); }
+  else if (cmd === 'revoke')   { await cmdRevoke(args); }
+  else if (cmd === 'hire')     { await cmdHire(args); }
+  else if (cmd === 'jobs')     { await cmdJobs(args); }
+  else {
+    console.error(err(`Unknown command: ${cmd}`));
+    console.error(dim('Run `provenance help` for usage.'));
+    process.exit(1);
+  }
+} catch (e) {
+  console.error(err(e.message));
+  process.exit(1);
+}