aevum-cli 0.6.0__tar.gz → 0.7.0__tar.gz

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aevum-cli
-Version: 0.6.0
+Version: 0.7.0
 Summary: Aevum -- command-line interface for operating Aevum nodes.
 Project-URL: Homepage, https://aevum.build
 Project-URL: Repository, https://github.com/aevum-labs/aevum

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "aevum-cli"
-version = "0.6.0"
+version = "0.7.0"
 description = "Aevum -- command-line interface for operating Aevum nodes."
 readme = "README.md"
 requires-python = ">=3.11"

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum.cli -- Command-line interface for operating Aevum nodes.
 

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/__main__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 Entry point: aevum <command>
 Invoked via [project.scripts] aevum = "aevum.cli.__main__:app"

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/app.py

@@ -5,9 +5,10 @@ Top-level typer app — CLI v2. Sub-commands and direct commands registered here
 """
 from __future__ import annotations
 
+import hashlib
 import json
 from pathlib import Path
-from typing import Annotated
+from typing import Annotated, Any
 
 import typer
 
@@ -199,6 +200,173 @@ def conform(
         raise typer.Exit(code=1)
 
 
+@app.command(name="verify-receipt")
+def verify_receipt(
+    receipt_file: Annotated[
+        Path | None,
+        typer.Argument(help="Path to COSE_Sign1 receipt file"),
+    ] = None,
+    receipt_hash: Annotated[
+        str | None,
+        typer.Option("--hash", help="SHA3-256 hex hash — lookup from AEVUM_RECEIPT_DB"),
+    ] = None,
+) -> None:
+    """
+    Verify an Aevum COSE_Sign1 receipt file or hash.
+
+    Decodes the receipt, verifies the Ed25519 signature over the canonical payload,
+    and prints a human-readable summary. Exit 0 on valid, exit 1 on invalid signature.
+    Exit 2 on unsupported algorithm or hash not found.
+
+    Examples:
+      aevum verify-receipt receipt.cbor
+      aevum verify-receipt --hash <sha3-256-hex>
+    """
+    import cbor2
+    import nacl.exceptions
+    import nacl.signing
+    from aevum.core.receipt import AevumReceipt
+
+    if receipt_file is None and receipt_hash is None:
+        typer.echo("Provide a receipt file path or --hash <hash>.", err=True)
+        raise typer.Exit(code=1)
+    if receipt_file is not None and receipt_hash is not None:
+        typer.echo("Provide either a file path or --hash, not both.", err=True)
+        raise typer.Exit(code=1)
+
+    store_info: dict[str, object] | None = None
+
+    if receipt_hash is not None:
+        try:
+            from aevum.core.sqlite_store import SqliteReceiptStore
+            store = SqliteReceiptStore.from_env()
+            raw = store.get(receipt_hash)
+            if raw is None:
+                typer.echo(f"RECEIPT NOT FOUND: {receipt_hash}", err=True)
+                raise typer.Exit(code=2)
+            store_info = store.get_receipt_info(receipt_hash)
+        except typer.Exit:
+            raise
+        except RuntimeError as exc:
+            typer.echo(f"Store error: {exc}", err=True)
+            raise typer.Exit(code=1) from None
+    else:
+        assert receipt_file is not None
+        if not receipt_file.exists():
+            typer.echo(f"File not found: {receipt_file}", err=True)
+            raise typer.Exit(code=1)
+        raw = receipt_file.read_bytes()
+
+    try:
+        cose = cbor2.loads(raw)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: not a valid CBOR file: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    if not isinstance(cose, list) or len(cose) != 4:
+        typer.echo("INVALID: not a 4-element COSE_Sign1 array", err=True)
+        raise typer.Exit(code=1)
+
+    protected_bstr, unprotected, payload_bstr, signature_bytes = cose
+
+    try:
+        protected = cbor2.loads(protected_bstr)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: cannot decode protected header: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    alg = protected.get(1)
+    if alg != -8:
+        typer.echo(f"UNSUPPORTED ALGORITHM: alg={alg!r} (expected -8 for EdDSA/Ed25519)", err=True)
+        raise typer.Exit(code=2) from None
+
+    try:
+        receipt_data = cbor2.loads(payload_bstr)
+        receipt = AevumReceipt.model_validate(receipt_data)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: cannot decode receipt payload: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    # Reconstruct Sig_Structure and verify signature
+    sig_structure = cbor2.dumps(["Signature1", protected_bstr, b"", payload_bstr])
+    digest = hashlib.sha3_256(sig_structure).digest()
+
+    # Try to find Ed25519 public key from state dir (kid field in protected header reserved for future)
+    pub_key_bytes: bytes | None = None
+    state_dir = Path.home() / ".aevum"
+    ed25519_pub_path = state_dir / "ed25519.pub"
+    if ed25519_pub_path.exists():
+        pub_key_bytes = ed25519_pub_path.read_bytes()
+
+    if pub_key_bytes is None:
+        typer.echo(
+            "WARNING: no public key found in ~/.aevum/ed25519.pub — skipping signature check.",
+            err=True,
+        )
+        typer.echo("WARNING: receipt content is displayed but authenticity is NOT verified.", err=True)
+        verified = False
+    else:
+        try:
+            verify_key = nacl.signing.VerifyKey(pub_key_bytes)
+            verify_key.verify(digest, bytes(signature_bytes))
+            verified = True
+        except nacl.exceptions.BadSignatureError:
+            typer.echo("SIGNATURE INVALID", err=True)
+            _print_receipt_summary(receipt, unprotected, verified=False, store_info=store_info)
+            raise typer.Exit(code=1) from None
+        except Exception as exc:  # noqa: BLE001
+            typer.echo(f"SIGNATURE INVALID: {exc}", err=True)
+            raise typer.Exit(code=1) from None
+
+    _print_receipt_summary(receipt, unprotected, verified=verified, store_info=store_info)
+
+
+def _print_receipt_summary(
+    receipt: Any,
+    unprotected: dict,  # type: ignore[type-arg]
+    verified: bool,
+    store_info: dict[str, object] | None = None,
+) -> None:
+    """Print human-readable receipt summary."""
+
+    status_line = "✓ Aevum Receipt Verified" if verified else "! Aevum Receipt (unverified)"
+    typer.echo(status_line)
+    typer.echo("─" * 36)
+
+    tsa_info = "none"
+    if 9 in unprotected:
+        tsa_info = f"<RFC 3161 token, {len(unprotected[9])} bytes>"
+
+    barriers_summary = (
+        ", ".join(f"{k}:{v}" for k, v in receipt.barrier_evaluations.items())
+        if receipt.barrier_evaluations
+        else "none"
+    )
+
+    prior_display = receipt.prior_hash[:12] if len(receipt.prior_hash) >= 12 else receipt.prior_hash
+    model_display = receipt.model_identity_hash[:12] if len(receipt.model_identity_hash) >= 12 else receipt.model_identity_hash
+
+    typer.echo(f"Action:         {receipt.action}")
+    typer.echo(f"Agent:          {receipt.agent_id}")
+    typer.echo(f"Principal:      {receipt.principal}")
+    typer.echo(f"Occurred at:    {receipt.occurred_at}")
+    typer.echo(f"Sequence:       {receipt.sequence}")
+    typer.echo(f"Prior hash:     {prior_display}...")
+    typer.echo(f"Handoff type:   {receipt.handoff_type or 'none'}")
+    typer.echo(f"Model hash:     {model_display}...")
+    typer.echo(f"Policy version: {receipt.policy_version}")
+    typer.echo(f"TSA timestamp:  {tsa_info}")
+    typer.echo(f"Barriers:       {barriers_summary}")
+
+    if store_info is not None:
+        tier = store_info.get("tier", "unknown")
+        locked = store_info.get("locked", False)
+        rekor_ref = store_info.get("rekor_entry_ref", "") or "not submitted"
+        typer.echo(f"Tier:           {tier}")
+        typer.echo(f"Crash-protected:{' yes' if locked else ' no'}")
+        typer.echo(f"Rekor ref:      {rekor_ref}")
+
+
 @app.command()
 def replay(
     session_id: Annotated[str, typer.Argument(help="Session ID to replay")],

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/commands/__init__.py

@@ -1 +1,2 @@
+# SPDX-License-Identifier: Apache-2.0
 """aevum.cli.commands -- sub-command modules."""

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/commands/complication.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum complication list/suspend/resume -- manage complications.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/commands/conformance.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum conformance run -- run the conformance suite.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/commands/server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum server start -- start the Aevum HTTP API server.
 """

aevum_cli-0.7.0/src/aevum/cli/commands/store.py

@@ -0,0 +1,121 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+aevum store — manage graph store backends and receipt storage.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+
+app = typer.Typer(help="Manage graph store backends and receipt storage.")
+
+
+@app.command("migrate")
+def migrate(
+    from_backend: Annotated[str, typer.Option("--from", help="Source backend (oxigraph:<path>)")] = "",
+    to_backend: Annotated[str, typer.Option("--to", help="Target backend (postgres:<dsn>)")] = "",
+) -> None:
+    """Migrate graph data between backends."""
+    if not from_backend or not to_backend:
+        typer.echo("Both --from and --to are required.", err=True)
+        raise typer.Exit(code=1)
+
+    if not from_backend.startswith("oxigraph:"):
+        typer.echo(f"Unsupported source backend: {from_backend!r}", err=True)
+        typer.echo("Currently supported source: oxigraph:<path>", err=True)
+        raise typer.Exit(code=1)
+
+    if not to_backend.startswith("postgres:"):
+        typer.echo(f"Unsupported target backend: {to_backend!r}", err=True)
+        typer.echo("Currently supported target: postgres:<dsn>", err=True)
+        raise typer.Exit(code=1)
+
+    try:
+        from aevum.store.postgres.migrate import migrate_from_oxigraph
+    except ImportError:
+        typer.echo("Error: aevum-store-postgres is not installed.", err=True)
+        raise typer.Exit(code=1) from None
+
+    oxigraph_path = from_backend[len("oxigraph:"):]
+    postgres_dsn = to_backend[len("postgres:"):]
+
+    typer.echo(f"Migrating: {oxigraph_path} -> PostgreSQL")
+    try:
+        import psycopg
+        conn = psycopg.connect(postgres_dsn)
+        migrated = migrate_from_oxigraph(oxigraph_path, conn)  # type: ignore[arg-type]  # Phase 2: wire store construction
+        typer.echo(f"Migration complete: {migrated} entities transferred.")
+    except Exception as e:
+        typer.echo(f"Migration failed: {e}", err=True)
+        raise typer.Exit(code=1) from e
+
+
+@app.command("migrate-receipts")
+def migrate_receipts(
+    oxigraph_path: Annotated[
+        str,
+        typer.Option("--oxigraph", help="Path to Oxigraph store directory"),
+    ] = "",
+) -> None:
+    """
+    Migrate receipt blobs from Oxigraph provenance graph to SQLite receipt store.
+
+    Checks for receipt blobs stored as xsd:base64Binary literals in the Oxigraph
+    provenance graph and moves them to the SQLite receipt store (AEVUM_RECEIPT_DB).
+
+    This is a one-time idempotent migration. For new deployments (no receipts in
+    Oxigraph), this is a no-op. Receipt blobs were never stored in Oxigraph in
+    versions <= 0.6.0, so this command is a no-op for all current deployments.
+    """
+    try:
+        from aevum.core.sqlite_store import SqliteReceiptStore
+        store = SqliteReceiptStore.from_env()
+    except RuntimeError as exc:
+        typer.echo(f"Store error: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    if not oxigraph_path:
+        typer.echo("No receipts to migrate. SQLite store is current.")
+        raise typer.Exit(code=0)
+
+    try:
+        from aevum.store.oxigraph.store import OxigraphStore
+        graph_store = OxigraphStore(path=oxigraph_path)
+    except ImportError:
+        typer.echo("Error: aevum-store-oxigraph is not installed.", err=True)
+        raise typer.Exit(code=1) from None
+
+    # Query for any receipt blobs stored as literals in the provenance graph.
+    # Receipt blobs were never stored in Oxigraph in v0.6.0 or earlier, so
+    # this query returns zero rows for all current deployments.
+    sparql = """
+        SELECT ?h ?b WHERE {
+            GRAPH <urn:aevum:provenance> {
+                ?h <https://aevum.build/vocab/receiptBlob> ?b
+            }
+        }
+    """
+    rows = graph_store.sparql_select(sparql)
+
+    if not rows:
+        typer.echo("No receipts to migrate. SQLite store is current.")
+        raise typer.Exit(code=0)
+
+    import base64
+    migrated = 0
+    for row in rows:
+        h = row.get("h", "")
+        b_str = row.get("b", "")
+        if not h or not b_str:
+            continue
+        try:
+            blob = base64.b64decode(b_str)
+            receipt_hash = h.split(":")[-1] if ":" in h else h
+            store.put(receipt_hash=receipt_hash, blob=blob)
+            migrated += 1
+        except Exception as exc:  # noqa: BLE001
+            typer.echo(f"  Skipped {h}: {exc}", err=True)
+
+    typer.echo(f"Migrated {migrated} receipts from Oxigraph to SQLite.")

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/src/aevum/cli/commands/version.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum version -- print installed package versions.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.0}/tests/test_cli.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 Tests for aevum-cli commands.
 Uses typer's CliRunner -- no real server, no real graph backend.

aevum_cli-0.7.0/tests/test_verify_receipt.py

@@ -0,0 +1,143 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+Tests for aevum verify-receipt CLI command.
+Uses typer's CliRunner.
+"""
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+import cbor2
+import nacl.signing
+import pytest
+from typer.testing import CliRunner
+
+from aevum.cli.app import app
+
+runner = CliRunner()
+
+_ANSI = re.compile(r"\x1b\[[0-9;]*[mGKH]")
+
+
+def plain(text: str) -> str:
+    return _ANSI.sub("", text)
+
+
+def _make_valid_receipt_file(tmp_path: Path) -> tuple[Path, nacl.signing.SigningKey]:
+    """Create a valid COSE_Sign1 receipt file and return its path + signing key."""
+    from aevum.core.audit.event import AuditEvent
+    from aevum.core.receipt import AevumReceipt
+    from aevum.publish.encoder import ReceiptEncoder
+
+    signer_key = nacl.signing.SigningKey.generate()
+
+    class _NaClSigner:
+        key_id = "test-verify-key"
+        provenance = "test"
+        def sign(self, digest: bytes) -> bytes:
+            return bytes(signer_key.sign(digest).signature)
+        def public_key_bytes(self) -> bytes:
+            return bytes(signer_key.verify_key)
+
+    encoder = ReceiptEncoder(signer=_NaClSigner(), dev_mode=True)  # type: ignore[arg-type]
+    event = AuditEvent(
+        event_id="ev-cli-test-01",
+        episode_id="ep-cli-01",
+        sequence=1,
+        event_type="cli.test.action",
+        schema_version="1.0",
+        valid_from="2026-05-24T00:00:00+00:00",
+        valid_to=None,
+        system_time=0,
+        causation_id=None,
+        correlation_id=None,
+        actor="cli-test-agent",
+        trace_id=None,
+        span_id=None,
+        payload={},
+        payload_hash=AuditEvent.hash_payload({}),
+        prior_hash="c" * 64,
+        signature="dGVzdA",
+        signer_key_id="test-key",
+    )
+    receipt = AevumReceipt.from_sigchain_event(event)
+    receipt_cbor = encoder.encode(receipt)
+
+    receipt_file = tmp_path / "test_receipt.cose"
+    receipt_file.write_bytes(receipt_cbor)
+
+    pub_key_path = tmp_path / ".aevum" / "ed25519.pub"
+    pub_key_path.parent.mkdir(parents=True, exist_ok=True)
+    pub_key_path.write_bytes(bytes(signer_key.verify_key))
+
+    return receipt_file, signer_key
+
+
+def test_verify_receipt_help() -> None:
+    result = runner.invoke(app, ["verify-receipt", "--help"])
+    assert result.exit_code == 0
+    assert "receipt" in plain(result.output).lower()
+
+
+def test_verify_receipt_file_not_found(tmp_path: Path) -> None:
+    result = runner.invoke(app, ["verify-receipt", str(tmp_path / "nonexistent.cose")])
+    assert result.exit_code == 1
+    assert "not found" in plain(result.output + (result.stdout or "")).lower()
+
+
+def test_verify_receipt_invalid_cbor(tmp_path: Path) -> None:
+    bad_file = tmp_path / "bad.cose"
+    bad_file.write_bytes(b"\xff\xff\xff not valid cbor")
+    result = runner.invoke(app, ["verify-receipt", str(bad_file)])
+    assert result.exit_code == 1
+
+
+def test_verify_receipt_wrong_algorithm(tmp_path: Path) -> None:
+    protected_bstr = cbor2.dumps({1: -7, 3: "application/aevum-receipt+cbor", 4: b"kid"})
+    payload = cbor2.dumps({"action": "test"})
+    cose = [protected_bstr, {}, payload, b"sig"]
+    bad_file = tmp_path / "wrong_alg.cose"
+    bad_file.write_bytes(cbor2.dumps(cose))
+    result = runner.invoke(app, ["verify-receipt", str(bad_file)])
+    assert result.exit_code == 2
+    assert "UNSUPPORTED ALGORITHM" in plain(result.output + (result.stdout or ""))
+
+
+def test_verify_receipt_no_public_key_shows_warning(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    from aevum.core.audit.event import AuditEvent
+    from aevum.core.audit.signer import InProcessSigner
+    from aevum.core.receipt import AevumReceipt
+    from aevum.publish.encoder import ReceiptEncoder
+
+    monkeypatch.setenv("HOME", str(tmp_path))
+    signer = InProcessSigner()
+    encoder = ReceiptEncoder(signer=signer, dev_mode=True)
+    event = AuditEvent(
+        event_id="ev-warn-01",
+        episode_id="ep-warn-01",
+        sequence=1,
+        event_type="warn.test",
+        schema_version="1.0",
+        valid_from="2026-05-24T00:00:00+00:00",
+        valid_to=None,
+        system_time=0,
+        causation_id=None,
+        correlation_id=None,
+        actor="warn-agent",
+        trace_id=None,
+        span_id=None,
+        payload={},
+        payload_hash=AuditEvent.hash_payload({}),
+        prior_hash="d" * 64,
+        signature="dGVzdA",
+        signer_key_id="test-key",
+    )
+    receipt = AevumReceipt.from_sigchain_event(event)
+    receipt_cbor = encoder.encode(receipt)
+    receipt_file = tmp_path / "no_key_receipt.cose"
+    receipt_file.write_bytes(receipt_cbor)
+
+    result = runner.invoke(app, ["verify-receipt", str(receipt_file)])
+    output = plain(result.output + (result.stdout or ""))
+    assert "WARNING" in output or "unverified" in output.lower()

aevum_cli-0.6.0/src/aevum/cli/commands/store.py

@@ -1,51 +0,0 @@
-"""
-aevum store migrate -- migrate between graph backends.
-"""
-
-from __future__ import annotations
-
-from typing import Annotated
-
-import typer
-
-app = typer.Typer(help="Manage graph store backends.")
-
-
-@app.command("migrate")
-def migrate(
-    from_backend: Annotated[str, typer.Option("--from", help="Source backend (oxigraph:<path>)")] = "",
-    to_backend: Annotated[str, typer.Option("--to", help="Target backend (postgres:<dsn>)")] = "",
-) -> None:
-    """Migrate graph data between backends."""
-    if not from_backend or not to_backend:
-        typer.echo("Both --from and --to are required.", err=True)
-        raise typer.Exit(code=1)
-
-    if not from_backend.startswith("oxigraph:"):
-        typer.echo(f"Unsupported source backend: {from_backend!r}", err=True)
-        typer.echo("Currently supported source: oxigraph:<path>", err=True)
-        raise typer.Exit(code=1)
-
-    if not to_backend.startswith("postgres:"):
-        typer.echo(f"Unsupported target backend: {to_backend!r}", err=True)
-        typer.echo("Currently supported target: postgres:<dsn>", err=True)
-        raise typer.Exit(code=1)
-
-    try:
-        from aevum.store.postgres.migrate import migrate_from_oxigraph
-    except ImportError:
-        typer.echo("Error: aevum-store-postgres is not installed.", err=True)
-        raise typer.Exit(code=1) from None
-
-    oxigraph_path = from_backend[len("oxigraph:"):]
-    postgres_dsn = to_backend[len("postgres:"):]
-
-    typer.echo(f"Migrating: {oxigraph_path} -> PostgreSQL")
-    try:
-        import psycopg
-        conn = psycopg.connect(postgres_dsn)
-        migrated = migrate_from_oxigraph(oxigraph_path, conn)  # type: ignore[arg-type]  # Phase 2: wire store construction
-        typer.echo(f"Migration complete: {migrated} entities transferred.")
-    except Exception as e:
-        typer.echo(f"Migration failed: {e}", err=True)
-        raise typer.Exit(code=1) from e