aevum-cli 0.6.0__tar.gz → 0.7.1__tar.gz

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aevum-cli
-Version: 0.6.0
+Version: 0.7.1
 Summary: Aevum -- command-line interface for operating Aevum nodes.
 Project-URL: Homepage, https://aevum.build
 Project-URL: Repository, https://github.com/aevum-labs/aevum

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "aevum-cli"
-version = "0.6.0"
+version = "0.7.1"
 description = "Aevum -- command-line interface for operating Aevum nodes."
 readme = "README.md"
 requires-python = ">=3.11"

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum.cli -- Command-line interface for operating Aevum nodes.
 

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/__main__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 Entry point: aevum <command>
 Invoked via [project.scripts] aevum = "aevum.cli.__main__:app"

aevum_cli-0.7.1/src/aevum/cli/app.py

@@ -0,0 +1,470 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024-2026 Aevum Labs contributors
+"""
+Top-level typer app — CLI v2. Sub-commands and direct commands registered here.
+"""
+from __future__ import annotations
+
+import hashlib
+import json
+from pathlib import Path
+from typing import Annotated, Any
+
+import typer
+
+from aevum.cli.commands import complication, conformance, server, store, version
+
+# Module-level import for mock.patch patchability (Rule 57).
+# Soft import: aevum-conformance is a workspace package not on PyPI, so
+# callers without it installed still get a usable CLI (conform command
+# shows a helpful error instead of crashing at startup).
+try:
+    from aevum.conformance.suite import ConformanceSuite
+except ImportError:  # pragma: no cover
+    ConformanceSuite = None  # type: ignore[assignment,misc]
+
+app = typer.Typer(
+    name="aevum",
+    help="Aevum governed context kernel — CLI v2",
+    no_args_is_help=True,
+    pretty_exceptions_enable=False,
+    rich_markup_mode="markdown",
+)
+
+app.add_typer(server.app, name="server")
+app.add_typer(store.app, name="store")
+app.add_typer(complication.app, name="complication")
+app.add_typer(conformance.app, name="conformance")
+app.command(name="version")(version.version_command)
+
+_DEFAULT_STATE = Path.home() / ".aevum"
+
+
+@app.command()
+def init(
+    state_dir: Annotated[
+        Path,
+        typer.Option("--state-dir", "-s", help="State directory path"),
+    ] = _DEFAULT_STATE,
+    principles: Annotated[
+        Path,
+        typer.Option("--principles", "-p", help="Path to signed_principles.yaml"),
+    ] = Path("signed_principles.yaml"),
+) -> None:
+    """
+    Initialize Aevum state directory and verify principles.
+
+    Creates the state directory, generates dual signing keys (Ed25519 +
+    ML-DSA-65), and verifies the signed_principles.yaml file.
+    """
+    typer.echo(f"Initializing Aevum state at {state_dir}...")
+
+    try:
+        from aevum.core.principles import PrinciplesVerifier
+        verifier = PrinciplesVerifier(principles)
+        p = verifier.verify()
+        typer.echo(f"  Principles: OK (sequence={p.sequence}, signed_by={p.signed_by[:30]}...)")
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"  Principles: FAILED — {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    try:
+        from aevum.core.kernel import Kernel
+        kernel = Kernel.local(
+            state_dir=state_dir,
+            principles_path=principles,
+            tsa_enabled=False,
+        )
+        ed25519_pub = kernel.signer.ed25519_public_key.hex()[:16]
+        typer.echo(f"  Keys: OK (ed25519={ed25519_pub}...)")
+        typer.echo(f"  Canaries: PASS ({len(kernel.principles.immutable_ids())} immutable principles)")
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"  Kernel init: FAILED — {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    typer.echo(typer.style("Aevum initialized successfully.", fg=typer.colors.GREEN))
+
+
+@app.command()
+def verify(
+    session_id: Annotated[str, typer.Argument(help="Session ID to verify")],
+    state_dir: Annotated[
+        Path,
+        typer.Option("--state-dir", "-s"),
+    ] = _DEFAULT_STATE,
+) -> None:
+    """
+    Verify a session's Merkle root and signatures.
+
+    Re-reads the stored session events from SQLite, recomputes the
+    Merkle root, and compares it to the signed root in the sigchain.
+    """
+    db_path = state_dir / "aevum.db"
+    if not db_path.exists():
+        typer.echo(f"Database not found: {db_path}", err=True)
+        raise typer.Exit(code=1)
+
+    try:
+        from aevum.core.replay import ReplayEngine
+        engine = ReplayEngine(db_path)
+        result = engine.replay(session_id)
+
+        if result.all_matched:
+            typer.echo(typer.style(
+                f"Session {session_id[:8]}... VERIFIED",
+                fg=typer.colors.GREEN,
+            ))
+            typer.echo(f"  Merkle root: {result.original_merkle_root[:16]}...")
+            typer.echo(f"  Events: {len(result.event_results)}")
+        else:
+            typer.echo(typer.style(
+                f"Session {session_id[:8]}... TAMPERED",
+                fg=typer.colors.RED,
+            ), err=True)
+            typer.echo(
+                f"  First divergence: event #{result.first_divergence}", err=True
+            )
+            raise typer.Exit(code=1)
+
+    except ValueError as exc:
+        typer.echo(f"Session not found: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+
+@app.command(name="audit-pack")
+def audit_pack(
+    session_id: Annotated[str, typer.Argument(help="Session ID")],
+    output: Annotated[
+        Path | None,
+        typer.Option("--output", "-o", help="Output file path (default: stdout)"),
+    ] = None,
+    state_dir: Annotated[
+        Path,
+        typer.Option("--state-dir", "-s"),
+    ] = _DEFAULT_STATE,
+) -> None:
+    """
+    Export EU AI Act Article 12 audit pack for a session.
+
+    Produces a JSON-LD document using the PROV-O vocabulary.
+    """
+    db_path = state_dir / "aevum.db"
+    if not db_path.exists():
+        typer.echo(f"Database not found: {db_path}", err=True)
+        raise typer.Exit(code=1)
+
+    try:
+        from aevum.core.audit.audit_pack import AuditPackExporter
+        exporter = AuditPackExporter(db_path)
+        json_text = exporter.export_json(session_id)
+
+        if output:
+            output.write_text(json_text, encoding="utf-8")
+            typer.echo(f"Audit pack written to {output}")
+        else:
+            typer.echo(json_text)
+
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"Audit pack error: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+
+@app.command()
+def conform(
+    output: Annotated[
+        str,
+        typer.Option("--output", "-o", help="Output format: text or json"),
+    ] = "text",
+) -> None:
+    """
+    Run the 9-invariant conformance suite.
+
+    Tests all required Aevum behavioral invariants and prints a report.
+    Exit code 0 = all pass, 1 = one or more fail.
+    """
+    if ConformanceSuite is None:
+        typer.echo(
+            "aevum-conformance is not installed. Install it with: pip install aevum-conformance",
+            err=True,
+        )
+        raise typer.Exit(code=1)
+    suite = ConformanceSuite()
+    result = suite.run_all()
+
+    if output == "json":
+        typer.echo(json.dumps(result.to_dict(), indent=2))
+    else:
+        typer.echo(result.render())
+
+    if not result.all_passed:
+        raise typer.Exit(code=1)
+
+
+@app.command(name="verify-receipt")
+def verify_receipt(
+    receipt_file: Annotated[
+        Path | None,
+        typer.Argument(help="Path to COSE_Sign1 receipt file"),
+    ] = None,
+    receipt_hash: Annotated[
+        str | None,
+        typer.Option("--hash", help="SHA3-256 hex hash — lookup from AEVUM_RECEIPT_DB"),
+    ] = None,
+) -> None:
+    """
+    Verify an Aevum COSE_Sign1 receipt file or hash.
+
+    Decodes the receipt, verifies the Ed25519 signature over the canonical payload,
+    and prints a human-readable summary. Exit 0 on valid, exit 1 on invalid signature.
+    Exit 2 on unsupported algorithm or hash not found.
+
+    Examples:
+      aevum verify-receipt receipt.cbor
+      aevum verify-receipt --hash <sha3-256-hex>
+    """
+    import cbor2
+    import nacl.exceptions
+    import nacl.signing
+    from aevum.core.receipt import AevumReceipt
+
+    if receipt_file is None and receipt_hash is None:
+        typer.echo("Provide a receipt file path or --hash <hash>.", err=True)
+        raise typer.Exit(code=1)
+    if receipt_file is not None and receipt_hash is not None:
+        typer.echo("Provide either a file path or --hash, not both.", err=True)
+        raise typer.Exit(code=1)
+
+    store_info: dict[str, object] | None = None
+
+    if receipt_hash is not None:
+        try:
+            from aevum.core.sqlite_store import SqliteReceiptStore
+            store = SqliteReceiptStore.from_env()
+            raw = store.get(receipt_hash)
+            if raw is None:
+                typer.echo(f"RECEIPT NOT FOUND: {receipt_hash}", err=True)
+                raise typer.Exit(code=2)
+            store_info = store.get_receipt_info(receipt_hash)
+        except typer.Exit:
+            raise
+        except RuntimeError as exc:
+            typer.echo(f"Store error: {exc}", err=True)
+            raise typer.Exit(code=1) from None
+    else:
+        assert receipt_file is not None
+        if not receipt_file.exists():
+            typer.echo(f"File not found: {receipt_file}", err=True)
+            raise typer.Exit(code=1)
+        raw = receipt_file.read_bytes()
+
+    try:
+        cose = cbor2.loads(raw)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: not a valid CBOR file: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    if not isinstance(cose, list) or len(cose) != 4:
+        typer.echo("INVALID: not a 4-element COSE_Sign1 array", err=True)
+        raise typer.Exit(code=1)
+
+    protected_bstr, unprotected, payload_bstr, signature_bytes = cose
+
+    try:
+        protected = cbor2.loads(protected_bstr)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: cannot decode protected header: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    alg = protected.get(1)
+    if alg != -8:
+        typer.echo(f"UNSUPPORTED ALGORITHM: alg={alg!r} (expected -8 for EdDSA/Ed25519)", err=True)
+        raise typer.Exit(code=2) from None
+
+    try:
+        receipt_data = cbor2.loads(payload_bstr)
+        receipt = AevumReceipt.model_validate(receipt_data)
+    except Exception as exc:  # noqa: BLE001
+        typer.echo(f"INVALID: cannot decode receipt payload: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    # Reconstruct Sig_Structure and verify signature
+    sig_structure = cbor2.dumps(["Signature1", protected_bstr, b"", payload_bstr])
+    digest = hashlib.sha3_256(sig_structure).digest()
+
+    # Try to find Ed25519 public key from state dir (kid field in protected header reserved for future)
+    pub_key_bytes: bytes | None = None
+    state_dir = Path.home() / ".aevum"
+    ed25519_pub_path = state_dir / "ed25519.pub"
+    if ed25519_pub_path.exists():
+        pub_key_bytes = ed25519_pub_path.read_bytes()
+
+    if pub_key_bytes is None:
+        typer.echo(
+            "WARNING: no public key found in ~/.aevum/ed25519.pub — skipping signature check.",
+            err=True,
+        )
+        typer.echo("WARNING: receipt content is displayed but authenticity is NOT verified.", err=True)
+        verified = False
+    else:
+        try:
+            verify_key = nacl.signing.VerifyKey(pub_key_bytes)
+            verify_key.verify(digest, bytes(signature_bytes))
+            verified = True
+        except nacl.exceptions.BadSignatureError:
+            typer.echo("SIGNATURE INVALID", err=True)
+            _print_receipt_summary(receipt, unprotected, verified=False, store_info=store_info)
+            raise typer.Exit(code=1) from None
+        except Exception as exc:  # noqa: BLE001
+            typer.echo(f"SIGNATURE INVALID: {exc}", err=True)
+            raise typer.Exit(code=1) from None
+
+    _print_receipt_summary(receipt, unprotected, verified=verified, store_info=store_info)
+
+
+def _print_receipt_summary(
+    receipt: Any,
+    unprotected: dict,  # type: ignore[type-arg]
+    verified: bool,
+    store_info: dict[str, object] | None = None,
+) -> None:
+    """Print human-readable receipt summary."""
+
+    status_line = "✓ Aevum Receipt Verified" if verified else "! Aevum Receipt (unverified)"
+    typer.echo(status_line)
+    typer.echo("─" * 36)
+
+    tsa_info = "none"
+    if 9 in unprotected:
+        tsa_info = f"<RFC 3161 token, {len(unprotected[9])} bytes>"
+
+    barriers_summary = (
+        ", ".join(f"{k}:{v}" for k, v in receipt.barrier_evaluations.items())
+        if receipt.barrier_evaluations
+        else "none"
+    )
+
+    prior_display = receipt.prior_hash[:12] if len(receipt.prior_hash) >= 12 else receipt.prior_hash
+    model_display = receipt.model_identity_hash[:12] if len(receipt.model_identity_hash) >= 12 else receipt.model_identity_hash
+
+    typer.echo(f"Action:         {receipt.action}")
+    typer.echo(f"Agent:          {receipt.agent_id}")
+    typer.echo(f"Principal:      {receipt.principal}")
+    typer.echo(f"Occurred at:    {receipt.occurred_at}")
+    typer.echo(f"Sequence:       {receipt.sequence}")
+    typer.echo(f"Prior hash:     {prior_display}...")
+    typer.echo(f"Handoff type:   {receipt.handoff_type or 'none'}")
+    typer.echo(f"Model hash:     {model_display}...")
+    typer.echo(f"Policy version: {receipt.policy_version}")
+    typer.echo(f"TSA timestamp:  {tsa_info}")
+    typer.echo(f"Barriers:       {barriers_summary}")
+
+    if store_info is not None:
+        tier = store_info.get("tier", "unknown")
+        locked = store_info.get("locked", False)
+        rekor_ref = store_info.get("rekor_entry_ref", "") or "not submitted"
+        typer.echo(f"Tier:           {tier}")
+        typer.echo(f"Crash-protected:{' yes' if locked else ' no'}")
+        typer.echo(f"Rekor ref:      {rekor_ref}")
+
+
+@app.command(name="vault-check")
+def vault_check() -> None:
+    """
+    Verify Vault Transit connectivity with a sign/verify round-trip.
+
+    Reads VAULT_ADDR, VAULT_TOKEN, and AEVUM_VAULT_KEY_NAME from the environment.
+    Exits 0 on success, exits 1 on failure.
+    """
+    import os
+
+    vault_addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
+    vault_token = os.environ.get("VAULT_TOKEN", "")
+    key_name = os.environ.get("AEVUM_VAULT_KEY_NAME", "aevum-signing")
+
+    if not vault_token:
+        typer.echo("VAULT_TOKEN is not set.", err=True)
+        raise typer.Exit(code=1)
+
+    typer.echo(f"Vault address : {vault_addr}")
+    typer.echo(f"Key name      : {key_name}")
+
+    try:
+        from aevum.core.audit.signer import VaultTransitSigner
+        signer = VaultTransitSigner(key_name=key_name, vault_addr=vault_addr, token=vault_token)
+    except Exception as exc:
+        typer.echo(f"Failed to create VaultTransitSigner: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    payload = b"aevum vault-check probe"
+    try:
+        sig = signer.sign(payload)
+        typer.echo(typer.style("  sign()   PASS", fg=typer.colors.GREEN))
+    except Exception as exc:
+        typer.echo(typer.style("  sign()   FAIL", fg=typer.colors.RED))
+        typer.echo(f"  {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    try:
+        valid = signer.verify(payload, sig)
+        if not valid:
+            raise RuntimeError("verify() returned False for a freshly signed payload")
+        typer.echo(typer.style("  verify() PASS", fg=typer.colors.GREEN))
+    except Exception as exc:
+        typer.echo(typer.style("  verify() FAIL", fg=typer.colors.RED))
+        typer.echo(f"  {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    typer.echo(typer.style("Vault Transit check PASSED.", fg=typer.colors.GREEN))
+
+
+@app.command()
+def replay(
+    session_id: Annotated[str, typer.Argument(help="Session ID to replay")],
+    verbose: Annotated[
+        bool,
+        typer.Option("--verbose", "-v", help="Show per-event results"),
+    ] = False,
+    state_dir: Annotated[
+        Path,
+        typer.Option("--state-dir", "-s"),
+    ] = _DEFAULT_STATE,
+) -> None:
+    """
+    Replay a session and verify Merkle chain integrity.
+
+    Re-reads all events and recomputes the Merkle root. Reports any
+    divergence from the stored root (indicating tampering).
+    """
+    db_path = state_dir / "aevum.db"
+    if not db_path.exists():
+        typer.echo(f"Database not found: {db_path}", err=True)
+        raise typer.Exit(code=1)
+
+    try:
+        from aevum.core.replay import ReplayEngine
+        engine = ReplayEngine(db_path)
+        result = engine.replay(session_id)
+
+        status = (
+            typer.style("PASS", fg=typer.colors.GREEN)
+            if result.all_matched
+            else typer.style("FAIL", fg=typer.colors.RED)
+        )
+        typer.echo(f"Replay {session_id[:8]}...: {status}")
+        typer.echo(f"  Events: {len(result.event_results)}")
+        typer.echo(f"  Merkle root: {result.original_merkle_root[:16]}...")
+
+        if verbose:
+            for ev in result.event_results:
+                ev_status = "OK" if ev.matched else "DIVERGED"
+                typer.echo(f"  [{ev.sequence:3d}] {ev.event_type:<12} {ev_status}")
+
+        if not result.all_matched:
+            typer.echo(
+                f"  First divergence: event #{result.first_divergence}", err=True
+            )
+            raise typer.Exit(code=1)
+
+    except ValueError as exc:
+        typer.echo(f"Session not found: {exc}", err=True)
+        raise typer.Exit(code=1) from None

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/commands/__init__.py

@@ -1 +1,2 @@
+# SPDX-License-Identifier: Apache-2.0
 """aevum.cli.commands -- sub-command modules."""

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/commands/complication.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum complication list/suspend/resume -- manage complications.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/commands/conformance.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum conformance run -- run the conformance suite.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/commands/server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum server start -- start the Aevum HTTP API server.
 """

aevum_cli-0.7.1/src/aevum/cli/commands/store.py

@@ -0,0 +1,121 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+aevum store — manage graph store backends and receipt storage.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+
+app = typer.Typer(help="Manage graph store backends and receipt storage.")
+
+
+@app.command("migrate")
+def migrate(
+    from_backend: Annotated[str, typer.Option("--from", help="Source backend (oxigraph:<path>)")] = "",
+    to_backend: Annotated[str, typer.Option("--to", help="Target backend (postgres:<dsn>)")] = "",
+) -> None:
+    """Migrate graph data between backends."""
+    if not from_backend or not to_backend:
+        typer.echo("Both --from and --to are required.", err=True)
+        raise typer.Exit(code=1)
+
+    if not from_backend.startswith("oxigraph:"):
+        typer.echo(f"Unsupported source backend: {from_backend!r}", err=True)
+        typer.echo("Currently supported source: oxigraph:<path>", err=True)
+        raise typer.Exit(code=1)
+
+    if not to_backend.startswith("postgres:"):
+        typer.echo(f"Unsupported target backend: {to_backend!r}", err=True)
+        typer.echo("Currently supported target: postgres:<dsn>", err=True)
+        raise typer.Exit(code=1)
+
+    try:
+        from aevum.store.postgres.migrate import migrate_from_oxigraph
+    except ImportError:
+        typer.echo("Error: aevum-store-postgres is not installed.", err=True)
+        raise typer.Exit(code=1) from None
+
+    oxigraph_path = from_backend[len("oxigraph:"):]
+    postgres_dsn = to_backend[len("postgres:"):]
+
+    typer.echo(f"Migrating: {oxigraph_path} -> PostgreSQL")
+    try:
+        import psycopg
+        conn = psycopg.connect(postgres_dsn)
+        migrated = migrate_from_oxigraph(oxigraph_path, conn)  # type: ignore[arg-type]  # Phase 2: wire store construction
+        typer.echo(f"Migration complete: {migrated} entities transferred.")
+    except Exception as e:
+        typer.echo(f"Migration failed: {e}", err=True)
+        raise typer.Exit(code=1) from e
+
+
+@app.command("migrate-receipts")
+def migrate_receipts(
+    oxigraph_path: Annotated[
+        str,
+        typer.Option("--oxigraph", help="Path to Oxigraph store directory"),
+    ] = "",
+) -> None:
+    """
+    Migrate receipt blobs from Oxigraph provenance graph to SQLite receipt store.
+
+    Checks for receipt blobs stored as xsd:base64Binary literals in the Oxigraph
+    provenance graph and moves them to the SQLite receipt store (AEVUM_RECEIPT_DB).
+
+    This is a one-time idempotent migration. For new deployments (no receipts in
+    Oxigraph), this is a no-op. Receipt blobs were never stored in Oxigraph in
+    versions <= 0.6.0, so this command is a no-op for all current deployments.
+    """
+    try:
+        from aevum.core.sqlite_store import SqliteReceiptStore
+        store = SqliteReceiptStore.from_env()
+    except RuntimeError as exc:
+        typer.echo(f"Store error: {exc}", err=True)
+        raise typer.Exit(code=1) from None
+
+    if not oxigraph_path:
+        typer.echo("No receipts to migrate. SQLite store is current.")
+        raise typer.Exit(code=0)
+
+    try:
+        from aevum.store.oxigraph.store import OxigraphStore
+        graph_store = OxigraphStore(path=oxigraph_path)
+    except ImportError:
+        typer.echo("Error: aevum-store-oxigraph is not installed.", err=True)
+        raise typer.Exit(code=1) from None
+
+    # Query for any receipt blobs stored as literals in the provenance graph.
+    # Receipt blobs were never stored in Oxigraph in v0.6.0 or earlier, so
+    # this query returns zero rows for all current deployments.
+    sparql = """
+        SELECT ?h ?b WHERE {
+            GRAPH <urn:aevum:provenance> {
+                ?h <https://aevum.build/vocab/receiptBlob> ?b
+            }
+        }
+    """
+    rows = graph_store.sparql_select(sparql)
+
+    if not rows:
+        typer.echo("No receipts to migrate. SQLite store is current.")
+        raise typer.Exit(code=0)
+
+    import base64
+    migrated = 0
+    for row in rows:
+        h = row.get("h", "")
+        b_str = row.get("b", "")
+        if not h or not b_str:
+            continue
+        try:
+            blob = base64.b64decode(b_str)
+            receipt_hash = h.split(":")[-1] if ":" in h else h
+            store.put(receipt_hash=receipt_hash, blob=blob)
+            migrated += 1
+        except Exception as exc:  # noqa: BLE001
+            typer.echo(f"  Skipped {h}: {exc}", err=True)
+
+    typer.echo(f"Migrated {migrated} receipts from Oxigraph to SQLite.")

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/src/aevum/cli/commands/version.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 aevum version -- print installed package versions.
 """

{aevum_cli-0.6.0 → aevum_cli-0.7.1}/tests/test_cli.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 """
 Tests for aevum-cli commands.
 Uses typer's CliRunner -- no real server, no real graph backend.

aevum_cli-0.7.1/tests/test_verify_receipt.py

@@ -0,0 +1,143 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+Tests for aevum verify-receipt CLI command.
+Uses typer's CliRunner.
+"""
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+import cbor2
+import nacl.signing
+import pytest
+from typer.testing import CliRunner
+
+from aevum.cli.app import app
+
+runner = CliRunner()
+
+_ANSI = re.compile(r"\x1b\[[0-9;]*[mGKH]")
+
+
+def plain(text: str) -> str:
+    return _ANSI.sub("", text)
+
+
+def _make_valid_receipt_file(tmp_path: Path) -> tuple[Path, nacl.signing.SigningKey]:
+    """Create a valid COSE_Sign1 receipt file and return its path + signing key."""
+    from aevum.core.audit.event import AuditEvent
+    from aevum.core.receipt import AevumReceipt
+    from aevum.publish.encoder import ReceiptEncoder
+
+    signer_key = nacl.signing.SigningKey.generate()
+
+    class _NaClSigner:
+        key_id = "test-verify-key"
+        provenance = "test"
+        def sign(self, digest: bytes) -> bytes:
+            return bytes(signer_key.sign(digest).signature)
+        def public_key_bytes(self) -> bytes:
+            return bytes(signer_key.verify_key)
+
+    encoder = ReceiptEncoder(signer=_NaClSigner(), dev_mode=True)  # type: ignore[arg-type]
+    event = AuditEvent(
+        event_id="ev-cli-test-01",
+        episode_id="ep-cli-01",
+        sequence=1,
+        event_type="cli.test.action",
+        schema_version="1.0",
+        valid_from="2026-05-24T00:00:00+00:00",
+        valid_to=None,
+        system_time=0,
+        causation_id=None,
+        correlation_id=None,
+        actor="cli-test-agent",
+        trace_id=None,
+        span_id=None,
+        payload={},
+        payload_hash=AuditEvent.hash_payload({}),
+        prior_hash="c" * 64,
+        signature="dGVzdA",
+        signer_key_id="test-key",
+    )
+    receipt = AevumReceipt.from_sigchain_event(event)
+    receipt_cbor = encoder.encode(receipt)
+
+    receipt_file = tmp_path / "test_receipt.cose"
+    receipt_file.write_bytes(receipt_cbor)
+
+    pub_key_path = tmp_path / ".aevum" / "ed25519.pub"
+    pub_key_path.parent.mkdir(parents=True, exist_ok=True)
+    pub_key_path.write_bytes(bytes(signer_key.verify_key))
+
+    return receipt_file, signer_key
+
+
+def test_verify_receipt_help() -> None:
+    result = runner.invoke(app, ["verify-receipt", "--help"])
+    assert result.exit_code == 0
+    assert "receipt" in plain(result.output).lower()
+
+
+def test_verify_receipt_file_not_found(tmp_path: Path) -> None:
+    result = runner.invoke(app, ["verify-receipt", str(tmp_path / "nonexistent.cose")])
+    assert result.exit_code == 1
+    assert "not found" in plain(result.output + (result.stdout or "")).lower()
+
+
+def test_verify_receipt_invalid_cbor(tmp_path: Path) -> None:
+    bad_file = tmp_path / "bad.cose"
+    bad_file.write_bytes(b"\xff\xff\xff not valid cbor")
+    result = runner.invoke(app, ["verify-receipt", str(bad_file)])
+    assert result.exit_code == 1
+
+
+def test_verify_receipt_wrong_algorithm(tmp_path: Path) -> None:
+    protected_bstr = cbor2.dumps({1: -7, 3: "application/aevum-receipt+cbor", 4: b"kid"})
+    payload = cbor2.dumps({"action": "test"})
+    cose = [protected_bstr, {}, payload, b"sig"]
+    bad_file = tmp_path / "wrong_alg.cose"
+    bad_file.write_bytes(cbor2.dumps(cose))
+    result = runner.invoke(app, ["verify-receipt", str(bad_file)])
+    assert result.exit_code == 2
+    assert "UNSUPPORTED ALGORITHM" in plain(result.output + (result.stdout or ""))
+
+
+def test_verify_receipt_no_public_key_shows_warning(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    from aevum.core.audit.event import AuditEvent
+    from aevum.core.audit.signer import InProcessSigner
+    from aevum.core.receipt import AevumReceipt
+    from aevum.publish.encoder import ReceiptEncoder
+
+    monkeypatch.setenv("HOME", str(tmp_path))
+    signer = InProcessSigner()
+    encoder = ReceiptEncoder(signer=signer, dev_mode=True)
+    event = AuditEvent(
+        event_id="ev-warn-01",
+        episode_id="ep-warn-01",
+        sequence=1,
+        event_type="warn.test",
+        schema_version="1.0",
+        valid_from="2026-05-24T00:00:00+00:00",
+        valid_to=None,
+        system_time=0,
+        causation_id=None,
+        correlation_id=None,
+        actor="warn-agent",
+        trace_id=None,
+        span_id=None,
+        payload={},
+        payload_hash=AuditEvent.hash_payload({}),
+        prior_hash="d" * 64,
+        signature="dGVzdA",
+        signer_key_id="test-key",
+    )
+    receipt = AevumReceipt.from_sigchain_event(event)
+    receipt_cbor = encoder.encode(receipt)
+    receipt_file = tmp_path / "no_key_receipt.cose"
+    receipt_file.write_bytes(receipt_cbor)
+
+    result = runner.invoke(app, ["verify-receipt", str(receipt_file)])
+    output = plain(result.output + (result.stdout or ""))
+    assert "WARNING" in output or "unverified" in output.lower()

aevum_cli-0.6.0/src/aevum/cli/app.py

@@ -1,252 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-# Copyright 2024-2026 Aevum Labs contributors
-"""
-Top-level typer app — CLI v2. Sub-commands and direct commands registered here.
-"""
-from __future__ import annotations
-
-import json
-from pathlib import Path
-from typing import Annotated
-
-import typer
-
-from aevum.cli.commands import complication, conformance, server, store, version
-
-# Module-level import for mock.patch patchability (Rule 57).
-# Soft import: aevum-conformance is a workspace package not on PyPI, so
-# callers without it installed still get a usable CLI (conform command
-# shows a helpful error instead of crashing at startup).
-try:
-    from aevum.conformance.suite import ConformanceSuite
-except ImportError:  # pragma: no cover
-    ConformanceSuite = None  # type: ignore[assignment,misc]
-
-app = typer.Typer(
-    name="aevum",
-    help="Aevum governed context kernel — CLI v2",
-    no_args_is_help=True,
-    pretty_exceptions_enable=False,
-    rich_markup_mode="markdown",
-)
-
-app.add_typer(server.app, name="server")
-app.add_typer(store.app, name="store")
-app.add_typer(complication.app, name="complication")
-app.add_typer(conformance.app, name="conformance")
-app.command(name="version")(version.version_command)
-
-_DEFAULT_STATE = Path.home() / ".aevum"
-
-
-@app.command()
-def init(
-    state_dir: Annotated[
-        Path,
-        typer.Option("--state-dir", "-s", help="State directory path"),
-    ] = _DEFAULT_STATE,
-    principles: Annotated[
-        Path,
-        typer.Option("--principles", "-p", help="Path to signed_principles.yaml"),
-    ] = Path("signed_principles.yaml"),
-) -> None:
-    """
-    Initialize Aevum state directory and verify principles.
-
-    Creates the state directory, generates dual signing keys (Ed25519 +
-    ML-DSA-65), and verifies the signed_principles.yaml file.
-    """
-    typer.echo(f"Initializing Aevum state at {state_dir}...")
-
-    try:
-        from aevum.core.principles import PrinciplesVerifier
-        verifier = PrinciplesVerifier(principles)
-        p = verifier.verify()
-        typer.echo(f"  Principles: OK (sequence={p.sequence}, signed_by={p.signed_by[:30]}...)")
-    except Exception as exc:  # noqa: BLE001
-        typer.echo(f"  Principles: FAILED — {exc}", err=True)
-        raise typer.Exit(code=1) from None
-
-    try:
-        from aevum.core.kernel import Kernel
-        kernel = Kernel.local(
-            state_dir=state_dir,
-            principles_path=principles,
-            tsa_enabled=False,
-        )
-        ed25519_pub = kernel.signer.ed25519_public_key.hex()[:16]
-        typer.echo(f"  Keys: OK (ed25519={ed25519_pub}...)")
-        typer.echo(f"  Canaries: PASS ({len(kernel.principles.immutable_ids())} immutable principles)")
-    except Exception as exc:  # noqa: BLE001
-        typer.echo(f"  Kernel init: FAILED — {exc}", err=True)
-        raise typer.Exit(code=1) from None
-
-    typer.echo(typer.style("Aevum initialized successfully.", fg=typer.colors.GREEN))
-
-
-@app.command()
-def verify(
-    session_id: Annotated[str, typer.Argument(help="Session ID to verify")],
-    state_dir: Annotated[
-        Path,
-        typer.Option("--state-dir", "-s"),
-    ] = _DEFAULT_STATE,
-) -> None:
-    """
-    Verify a session's Merkle root and signatures.
-
-    Re-reads the stored session events from SQLite, recomputes the
-    Merkle root, and compares it to the signed root in the sigchain.
-    """
-    db_path = state_dir / "aevum.db"
-    if not db_path.exists():
-        typer.echo(f"Database not found: {db_path}", err=True)
-        raise typer.Exit(code=1)
-
-    try:
-        from aevum.core.replay import ReplayEngine
-        engine = ReplayEngine(db_path)
-        result = engine.replay(session_id)
-
-        if result.all_matched:
-            typer.echo(typer.style(
-                f"Session {session_id[:8]}... VERIFIED",
-                fg=typer.colors.GREEN,
-            ))
-            typer.echo(f"  Merkle root: {result.original_merkle_root[:16]}...")
-            typer.echo(f"  Events: {len(result.event_results)}")
-        else:
-            typer.echo(typer.style(
-                f"Session {session_id[:8]}... TAMPERED",
-                fg=typer.colors.RED,
-            ), err=True)
-            typer.echo(
-                f"  First divergence: event #{result.first_divergence}", err=True
-            )
-            raise typer.Exit(code=1)
-
-    except ValueError as exc:
-        typer.echo(f"Session not found: {exc}", err=True)
-        raise typer.Exit(code=1) from None
-
-
-@app.command(name="audit-pack")
-def audit_pack(
-    session_id: Annotated[str, typer.Argument(help="Session ID")],
-    output: Annotated[
-        Path | None,
-        typer.Option("--output", "-o", help="Output file path (default: stdout)"),
-    ] = None,
-    state_dir: Annotated[
-        Path,
-        typer.Option("--state-dir", "-s"),
-    ] = _DEFAULT_STATE,
-) -> None:
-    """
-    Export EU AI Act Article 12 audit pack for a session.
-
-    Produces a JSON-LD document using the PROV-O vocabulary.
-    """
-    db_path = state_dir / "aevum.db"
-    if not db_path.exists():
-        typer.echo(f"Database not found: {db_path}", err=True)
-        raise typer.Exit(code=1)
-
-    try:
-        from aevum.core.audit.audit_pack import AuditPackExporter
-        exporter = AuditPackExporter(db_path)
-        json_text = exporter.export_json(session_id)
-
-        if output:
-            output.write_text(json_text, encoding="utf-8")
-            typer.echo(f"Audit pack written to {output}")
-        else:
-            typer.echo(json_text)
-
-    except Exception as exc:  # noqa: BLE001
-        typer.echo(f"Audit pack error: {exc}", err=True)
-        raise typer.Exit(code=1) from None
-
-
-@app.command()
-def conform(
-    output: Annotated[
-        str,
-        typer.Option("--output", "-o", help="Output format: text or json"),
-    ] = "text",
-) -> None:
-    """
-    Run the 9-invariant conformance suite.
-
-    Tests all required Aevum behavioral invariants and prints a report.
-    Exit code 0 = all pass, 1 = one or more fail.
-    """
-    if ConformanceSuite is None:
-        typer.echo(
-            "aevum-conformance is not installed. Install it with: pip install aevum-conformance",
-            err=True,
-        )
-        raise typer.Exit(code=1)
-    suite = ConformanceSuite()
-    result = suite.run_all()
-
-    if output == "json":
-        typer.echo(json.dumps(result.to_dict(), indent=2))
-    else:
-        typer.echo(result.render())
-
-    if not result.all_passed:
-        raise typer.Exit(code=1)
-
-
-@app.command()
-def replay(
-    session_id: Annotated[str, typer.Argument(help="Session ID to replay")],
-    verbose: Annotated[
-        bool,
-        typer.Option("--verbose", "-v", help="Show per-event results"),
-    ] = False,
-    state_dir: Annotated[
-        Path,
-        typer.Option("--state-dir", "-s"),
-    ] = _DEFAULT_STATE,
-) -> None:
-    """
-    Replay a session and verify Merkle chain integrity.
-
-    Re-reads all events and recomputes the Merkle root. Reports any
-    divergence from the stored root (indicating tampering).
-    """
-    db_path = state_dir / "aevum.db"
-    if not db_path.exists():
-        typer.echo(f"Database not found: {db_path}", err=True)
-        raise typer.Exit(code=1)
-
-    try:
-        from aevum.core.replay import ReplayEngine
-        engine = ReplayEngine(db_path)
-        result = engine.replay(session_id)
-
-        status = (
-            typer.style("PASS", fg=typer.colors.GREEN)
-            if result.all_matched
-            else typer.style("FAIL", fg=typer.colors.RED)
-        )
-        typer.echo(f"Replay {session_id[:8]}...: {status}")
-        typer.echo(f"  Events: {len(result.event_results)}")
-        typer.echo(f"  Merkle root: {result.original_merkle_root[:16]}...")
-
-        if verbose:
-            for ev in result.event_results:
-                ev_status = "OK" if ev.matched else "DIVERGED"
-                typer.echo(f"  [{ev.sequence:3d}] {ev.event_type:<12} {ev_status}")
-
-        if not result.all_matched:
-            typer.echo(
-                f"  First divergence: event #{result.first_divergence}", err=True
-            )
-            raise typer.Exit(code=1)
-
-    except ValueError as exc:
-        typer.echo(f"Session not found: {exc}", err=True)
-        raise typer.Exit(code=1) from None

aevum_cli-0.6.0/src/aevum/cli/commands/store.py

@@ -1,51 +0,0 @@
-"""
-aevum store migrate -- migrate between graph backends.
-"""
-
-from __future__ import annotations
-
-from typing import Annotated
-
-import typer
-
-app = typer.Typer(help="Manage graph store backends.")
-
-
-@app.command("migrate")
-def migrate(
-    from_backend: Annotated[str, typer.Option("--from", help="Source backend (oxigraph:<path>)")] = "",
-    to_backend: Annotated[str, typer.Option("--to", help="Target backend (postgres:<dsn>)")] = "",
-) -> None:
-    """Migrate graph data between backends."""
-    if not from_backend or not to_backend:
-        typer.echo("Both --from and --to are required.", err=True)
-        raise typer.Exit(code=1)
-
-    if not from_backend.startswith("oxigraph:"):
-        typer.echo(f"Unsupported source backend: {from_backend!r}", err=True)
-        typer.echo("Currently supported source: oxigraph:<path>", err=True)
-        raise typer.Exit(code=1)
-
-    if not to_backend.startswith("postgres:"):
-        typer.echo(f"Unsupported target backend: {to_backend!r}", err=True)
-        typer.echo("Currently supported target: postgres:<dsn>", err=True)
-        raise typer.Exit(code=1)
-
-    try:
-        from aevum.store.postgres.migrate import migrate_from_oxigraph
-    except ImportError:
-        typer.echo("Error: aevum-store-postgres is not installed.", err=True)
-        raise typer.Exit(code=1) from None
-
-    oxigraph_path = from_backend[len("oxigraph:"):]
-    postgres_dsn = to_backend[len("postgres:"):]
-
-    typer.echo(f"Migrating: {oxigraph_path} -> PostgreSQL")
-    try:
-        import psycopg
-        conn = psycopg.connect(postgres_dsn)
-        migrated = migrate_from_oxigraph(oxigraph_path, conn)  # type: ignore[arg-type]  # Phase 2: wire store construction
-        typer.echo(f"Migration complete: {migrated} entities transferred.")
-    except Exception as e:
-        typer.echo(f"Migration failed: {e}", err=True)
-        raise typer.Exit(code=1) from e