lemmaid-cli 0.1.0__py3-none-any.whl

lemmaid_cli-0.1.0.dist-info/METADATA

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: lemmaid-cli
+Version: 0.1.0
+Summary: Lemma.id integration CLI
+Author: Lemma.id Team
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://lemma.id
+Project-URL: Documentation, https://lemma.id/docs/quickstart
+Project-URL: Repository, https://github.com/JEDMckenna99/lemma-enterprise
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31.0
+Dynamic: license-file
+
+# lemma-cli
+
+`lemma-cli` is the command-line interface for integrating Lemma.id authentication and running launch-grade auth checks.
+
+## Install
+
+```bash
+pipx install lemma-cli
+```
+
+## OpenClaw Starter Path
+
+```bash
+lemma setup-openclaw --api-base https://lemma.id --json
+lemma safety-status --firewall-url http://127.0.0.1:8787 --json
+```
+
+`lemma setup-openclaw` is the public starter-safe path. It:
+
+- opens one browser approval
+- issues a starter-safe OpenClaw proof
+- connects the runtime
+- starts the local firewall
+- verifies one protected allow
+- kills the runtime and verifies deny
+
+## Other Core Commands
+
+```bash
+lemma session start --api-base https://lemma.id
+lemma session status --api-base https://lemma.id --json
+lemma setup-firewall --api-base https://lemma.id --json
+lemma setup --site-id site_demo --site-domain example.com --framework flask --json
+lemma audit --project-dir . --framework flask --skip-health --json
+lemma fix --project-dir . --framework flask --safe --skip-health --json
+lemma ci --project-dir . --framework flask --skip-health --skip-smoke --json
+```
+
+## Authentication for Sensitive Operations
+
+Local interactive browser flow:
+
+```bash
+lemma login --api-base https://lemma.id
+lemma auth-status --api-base https://lemma.id --json
+```
+
+Headless/CI flow:
+
+```bash
+lemma login --api-base https://lemma.id --non-interactive --platform-api-key "$LEMMA_API_KEY" --user-email "$LEMMA_ADMIN_EMAIL" --json
+```
+
+## Sensitive Management Commands
+
+```bash
+lemma site-create --domain demo.example --environment development --json
+lemma key-bootstrap --site-id site_demo --name "CI Key" --permissions read,write --json
+lemma iam-type-create --site-id site_demo --name admin_access --iam-type role --json
+lemma iam-type-list --site-id site_demo --json
+```
+
+## Contract
+
+All machine-oriented commands support `--json` and emit:
+- `schema_version`
+- `command`
+- `ok`
+- `error_code`
+
+## Documentation
+
+- OpenClaw Personal Quickstart: `docs/openclaw/PERSONAL_QUICKSTART.md`
+- Quickstart: <https://lemma.id/docs/quickstart>
+- Release checklist: `docs/operations/CLI_RELEASE_CHECKLIST.md`

lemmaid_cli-0.1.0.dist-info/RECORD

@@ -0,0 +1,39 @@
+lemmaid_cli-0.1.0.dist-info/licenses/LICENSE,sha256=scSw5Ep6ba4q3InTsv3G2cRN_9NEWUhI9jw8WtjXoxU,8977
+scripts/__init__.py,sha256=CR-qYQrYuYaFvrmaNmV9Xuo9raJyDxxe7to7T7QCle8,46
+scripts/auth_scope_matrix_check.py,sha256=5jKsN53HQkevPm3YjRG7RS-vopNzTTeSPC69x-_lLRM,7498
+scripts/backfill_agent_ops_workspace_schema.py,sha256=H1QFWFkOwuKaJtMEcWPau2POhbtdIL1MbOwFL-jmYzE,342
+scripts/check_compat_bearer_sunset.py,sha256=EABsKtWyzyopU-znZi68Cbwj59JYTEWgqiHBAAgeBxc,2230
+scripts/check_trusted_issuers.py,sha256=RQLycZ0FTCsWM8GStlyHi0jJtzLqTDmTHLkCssgu_vE,1511
+scripts/compare_issuers.py,sha256=oI4NSWqDHd0L_k1EDTdZyxoNqQ6nxptFkayMkBB6qKA,2188
+scripts/diag_site_admin.py,sha256=Cjuh1NfGbdb85Ic_fEZhgUmUquAavplSYm_gUhB9R9w,3667
+scripts/full_kms_migration.py,sha256=DirquqAa4vRIcdTmN1XNRoatRoYRVGCIpns0dvSAi2A,5973
+scripts/generate_architecture_diagram.py,sha256=mpzWAw4GkXlCDoGPnp99xgyxECS-WqWzS2fiTkRmbDo,21816
+scripts/generate_auth_scope_matrix.py,sha256=skWbIOTIP3zsX88zmytoAf3rXODsdg0m1vgGRzEhLEs,6783
+scripts/generate_sri_hashes.py,sha256=wWAuZRqNFIOZWX8CU5prLyRsKvBq8-g-AFBEw81mzaQ,6711
+scripts/latency_budget_gate.py,sha256=1Ql8Oh6OTdcMx7ttDyeDAlnRR_45jmXfGbPM1iCqeJQ,5360
+scripts/launch_gate_smoke_ci.py,sha256=2feRR-GhLzbAHbUKPJAKzjKpwm_hdWFO-LrM00Y4Sws,5520
+scripts/lemma_cli.py,sha256=-9m9-V0-nmHp9EoQLc3ETD94Acy59_PJBtKxYGKPVbQ,248237
+scripts/lemma_firewall.py,sha256=J3PiDuMeJBQkp-3HLf0TVjhzkb8nyy7vEZ_YA0waBvM,76714
+scripts/proof_exchange_contract_check.py,sha256=rSEItUXQS4D-TWdM33GC3BRZusYNKNp6MciNpPI7YBM,11551
+scripts/redis_degrade_gate_check.py,sha256=zoTNwiln9I4K6wn6-QqV-QKNbO6xd5tG-SJFWxb1vbA,2071
+scripts/reencrypt_kms_key.py,sha256=2xPKf8U0tO9jBu1xEcJlmKiWkDE001BAMK4pWuSWRrc,4019
+scripts/review_auth_scope_matrix.py,sha256=Vh-OGdrhnc9Jj759UPaEdQFxumVUwYYaUaOf1rd_KSs,5441
+scripts/revoke_to_deny_evidence.py,sha256=2foD0Wm064wCoBCYivTI4p1T2v-jUd5CuaRjbIkbQEI,10831
+scripts/run_agent_ops_pov_loops.py,sha256=s4TxLlk2Q4t3QoTYrB9f0Wr1tmXuY7XIZE51mxbzsB4,11746
+scripts/run_agent_session_simulation.py,sha256=q1muP_UXO_E1ObqwSpHZlvhE7vjRURzrGbeUgUn6jUU,9321
+scripts/run_containment_simulation.py,sha256=fneLM_s-k-DT38Sc_FTUcZNEGLNFkBXUQksZMP25Q5w,15906
+scripts/run_firewall_integration_example.py,sha256=D8Xn8c87fEquqlS9Iqnxn2zjeRnLnSJ_ofvily8Il88,10399
+scripts/run_firewall_live_smoke.py,sha256=FwRUpgdrAfrIgVFC8nw274Jeu8UgVs3_JE8pm2SjBaU,11232
+scripts/run_full_gap_test.py,sha256=JnlpXXuEyThC6xoV8ST_cu7d2Hb1XYmUz-EkzTrcTmU,9103
+scripts/run_full_taxonomy_demo.py,sha256=jgH1sdJj9VFacM5H8FS1esUWV7EaBOQrJ9qH9HXrUgQ,11246
+scripts/run_ppid_migration.py,sha256=tf9CsdDiCRdtB680LThfMwR_3iEb1L4Qu-Y_xRSv7II,5348
+scripts/run_revocation_benchmark_matrix.py,sha256=FisG5lsI6AOTYdNdJXiQAHVT1hemVnUfWgE4QeT8Swg,48726
+scripts/run_runtime_taint_drill.py,sha256=qk1OGoZvIrA--PS1vncDZZypgRUJSdHNbDnLYzRofYY,12715
+scripts/run_sentry_alert_routing_drill.py,sha256=2Rknc5VAjQwr0wK9VPGq_25Ch31w9DkwD5KJpfpctMI,11081
+scripts/seed_permissions.py,sha256=tTQqMBwR6IIWOXga_t1YOkT7eZKnKssbPp7e8o-M-nY,4661
+scripts/verify_kms.py,sha256=CezZTdDRuZns14A-qwJAI7np_gMXdQGgOns83-OpgZs,1421
+lemmaid_cli-0.1.0.dist-info/METADATA,sha256=wong78JB4vjNoBLOo7fEUS1w6pwNt0lJ9wYV7BFR31M,2849
+lemmaid_cli-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+lemmaid_cli-0.1.0.dist-info/entry_points.txt,sha256=Kiv8XN_gSKKpL-4cggtsM3S0JGq5VWiIwjgZatLIkuA,49
+lemmaid_cli-0.1.0.dist-info/top_level.txt,sha256=rmzd5mewlrJy4sT608KPib7sM7edoY75AeqJeY3SPB4,8
+lemmaid_cli-0.1.0.dist-info/RECORD,,

lemmaid_cli-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

lemmaid_cli-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+lemma = scripts.lemma_cli:main

lemmaid_cli-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,173 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

lemmaid_cli-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+scripts

scripts/__init__.py

@@ -0,0 +1 @@
+# Package marker for CLI entry-point imports.

scripts/auth_scope_matrix_check.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""
+Scope matrix checks for server-enforced controlled actions.
+
+This script is intended for CI/post-deploy verification and validates:
+- read-allowed token can access read endpoint
+- non-admin token is forbidden on admin endpoint
+- admin token can access admin endpoint
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+import time
+import urllib.error
+import urllib.request
+import base64
+from typing import Any
+
+
+BASE_URL = os.environ.get("LEMMA_BASE_URL", "https://lemma.id").rstrip("/")
+PLATFORM_API_KEY = os.environ.get("LEMMA_PLATFORM_API_KEY", "").strip()
+EXPECT_EDGE_ADMIN_COMPAT = os.environ.get("LEMMA_EXPECT_EDGE_ADMIN_COMPAT", "").strip()
+
+
+def _request(
+    url: str,
+    *,
+    method: str = "GET",
+    body: dict[str, Any] | None = None,
+    headers: dict[str, str] | None = None,
+) -> tuple[int, str]:
+    req_headers = {"User-Agent": "lemma-auth-scope-matrix/1.0"}
+    if headers:
+        req_headers.update(headers)
+
+    payload = None
+    if body is not None:
+        payload = json.dumps(body).encode("utf-8")
+        req_headers["Content-Type"] = "application/json"
+
+    req = urllib.request.Request(url=url, method=method, data=payload, headers=req_headers)
+    try:
+        with urllib.request.urlopen(req, timeout=45) as resp:
+            return resp.getcode(), resp.read().decode("utf-8", errors="replace")
+    except urllib.error.HTTPError as err:
+        return err.code, err.read().decode("utf-8", errors="replace")
+
+
+def _assert(condition: bool, message: str) -> None:
+    if not condition:
+        raise AssertionError(message)
+
+
+def _parse_json(content: str) -> dict[str, Any]:
+    if not content:
+        return {}
+    return json.loads(content)
+
+
+def _issue_lemma(permission_level: str, email: str) -> dict[str, Any]:
+    status, content = _request(
+        f"{BASE_URL}/api/platform/issue-site-permission",
+        method="POST",
+        body={
+            "site_id": "lemma.id",
+            "user_email": email,
+            "permission_level": permission_level,
+            "expiry_days": 7,
+        },
+        headers={"X-API-Key": PLATFORM_API_KEY},
+    )
+    _assert(status == 200, f"Expected 200 from issue-site-permission, got {status}")
+    payload = _parse_json(content)
+    _assert(payload.get("success") is True, "issue-site-permission success != true")
+    lemma = payload.get("permission_lemma")
+    _assert(isinstance(lemma, dict), "permission_lemma missing")
+    return lemma
+
+
+def _encode_lemma_header(lemma: dict[str, Any]) -> str:
+    raw = json.dumps(lemma, separators=(",", ":"), sort_keys=True).encode("utf-8")
+    return base64.urlsafe_b64encode(raw).decode("utf-8").rstrip("=")
+
+
+def _edge_admin_headers_from_lemma(lemma: dict[str, Any]) -> dict[str, str]:
+    credential_id = str(lemma.get("id") or lemma.get("credential_id") or "").strip()
+    subject = lemma.get("credentialSubject")
+    if not isinstance(subject, dict):
+        subject = {}
+    claims = lemma.get("claims")
+    if not isinstance(claims, dict):
+        claims = {}
+    permission_id = str(
+        subject.get("permissionId")
+        or subject.get("permission_id")
+        or claims.get("permissionId")
+        or claims.get("permission_id")
+        or lemma.get("permission_id")
+        or ""
+    ).strip()
+    _assert(credential_id, "lemma credential id missing for edge-admin path")
+    _assert(permission_id, "lemma permission id missing for edge-admin path")
+    return {
+        "X-Credential-ID": credential_id,
+        "X-Permission-ID": permission_id,
+    }
+
+
+def _exchange(lemma: dict[str, Any]) -> str:
+    status, content = _request(
+        f"{BASE_URL}/api/auth/exchange-proof",
+        method="POST",
+        body={"credential": lemma, "site_id": "lemma.id"},
+    )
+    _assert(status == 200, f"Expected 200 from exchange-proof, got {status}")
+    payload = _parse_json(content)
+    token = payload.get("access_token", "")
+    _assert(token.startswith("lm_at_"), "exchange-proof did not return lm_at_ token")
+    return token
+
+
+def main() -> int:
+    if not PLATFORM_API_KEY:
+        raise AssertionError("LEMMA_PLATFORM_API_KEY is required for scope matrix checks")
+
+    ts = int(time.time())
+    user_email = f"scope-user-{ts}@lemma.id"
+    admin_email = f"scope-admin-{ts}@lemma.id"
+
+    user_lemma = _issue_lemma("user", user_email)
+    admin_lemma = _issue_lemma("admin", admin_email)
+
+    user_lemma_header = _encode_lemma_header(user_lemma)
+
+    # Read endpoint should work for user lemma (VC-first runtime auth)
+    status, _ = _request(
+        f"{BASE_URL}/api/billing/usage/cus_test",
+        method="GET",
+        headers={"X-Lemma-Credential": user_lemma_header},
+    )
+    print(f"user_lemma -> GET /api/billing/usage/cus_test => {status}")
+    _assert(status == 200, f"Expected 200 for user lemma on read endpoint, got {status}")
+
+    user_edge_headers = _edge_admin_headers_from_lemma(user_lemma)
+    admin_edge_headers = _edge_admin_headers_from_lemma(admin_lemma)
+
+    # Admin endpoint should reject non-admin lemma (edge-admin path headers).
+    # In production, edge compat may be disabled and return 401 auth_required.
+    status, _ = _request(
+        f"{BASE_URL}/api/admin/platform-stats",
+        method="GET",
+        headers=user_edge_headers,
+    )
+    print(f"user_edge_headers -> GET /api/admin/platform-stats => {status}")
+    if EXPECT_EDGE_ADMIN_COMPAT == "1":
+        _assert(status == 403, f"Expected 403 for user edge-admin headers on admin endpoint, got {status}")
+    elif EXPECT_EDGE_ADMIN_COMPAT == "0":
+        _assert(status == 401, f"Expected 401 when edge-admin compat is disabled, got {status}")
+    else:
+        _assert(status in {401, 403}, f"Expected 401/403 for user edge-admin headers on admin endpoint, got {status}")
+
+    # Admin endpoint should allow admin lemma (edge-admin path headers) only when compat enabled.
+    status, _ = _request(
+        f"{BASE_URL}/api/admin/platform-stats",
+        method="GET",
+        headers=admin_edge_headers,
+    )
+    print(f"admin_edge_headers -> GET /api/admin/platform-stats => {status}")
+    if EXPECT_EDGE_ADMIN_COMPAT == "1":
+        _assert(status == 200, f"Expected 200 for admin edge-admin headers on admin endpoint, got {status}")
+    elif EXPECT_EDGE_ADMIN_COMPAT == "0":
+        _assert(status == 401, f"Expected 401 when edge-admin compat is disabled, got {status}")
+    else:
+        _assert(status in {200, 401}, f"Expected 200/401 for admin edge-admin headers on admin endpoint, got {status}")
+
+    # Compatibility check: exchanged access-token behavior varies by runtime mode.
+    user_token = _exchange(user_lemma)
+    status, _ = _request(
+        f"{BASE_URL}/api/billing/usage/cus_test",
+        method="GET",
+        headers={"Authorization": f"Bearer {user_token}"},
+    )
+    print(f"user_token -> GET /api/billing/usage/cus_test => {status}")
+
+    expected_bearer_runtime = os.environ.get("LEMMA_EXPECT_BEARER_RUNTIME", "").strip()
+    if expected_bearer_runtime == "1":
+        _assert(status == 200, f"Expected 200 for user bearer token in bearer-runtime mode, got {status}")
+    elif expected_bearer_runtime == "0":
+        _assert(status == 401, f"Expected 401 for user bearer token in VC-only mode, got {status}")
+
+    print("Auth scope matrix checks passed.")
+    return 0
+
+
+if __name__ == "__main__":
+    try:
+        raise SystemExit(main())
+    except Exception as exc:
+        print(f"Auth scope matrix checks failed: {exc}", file=sys.stderr)
+        raise SystemExit(1) from exc
+

scripts/backfill_agent_ops_workspace_schema.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+"""Backfill the workspace-first Agent Ops schema from legacy tables."""
+
+import json
+
+from api.agent_ops_store import backfill_agent_ops_schema
+
+
+def main() -> None:
+    summary = backfill_agent_ops_schema()
+    print(json.dumps({"success": True, "summary": summary}, indent=2))
+
+
+if __name__ == "__main__":
+    main()

scripts/check_compat_bearer_sunset.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+"""
+Compatibility bearer sunset gate.
+
+Fails when compat_bearer routes remain after configured sunset date.
+"""
+
+from __future__ import annotations
+
+import argparse
+from datetime import datetime, timezone
+import os
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+from api.authz_policy import ROUTE_AUTHZ_POLICY
+
+
+def _parse_iso(text: str) -> datetime:
+    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
+    if parsed.tzinfo is None:
+        parsed = parsed.replace(tzinfo=timezone.utc)
+    return parsed.astimezone(timezone.utc)
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Fail when compat bearer routes remain after sunset")
+    parser.add_argument("--sunset-utc", default=os.getenv("LEMMA_COMPAT_BEARER_SUNSET_UTC", ""))
+    parser.add_argument("--allow-empty-sunset", action="store_true")
+    args = parser.parse_args()
+
+    sunset_raw = str(args.sunset_utc or "").strip()
+    if not sunset_raw:
+        if args.allow_empty_sunset:
+            print("compat sunset check: skipped (sunset not set)")
+            return 0
+        print("compat sunset check: failed (sunset not set)")
+        return 1
+
+    try:
+        sunset = _parse_iso(sunset_raw)
+    except ValueError:
+        print(f"compat sunset check: failed (invalid sunset format: {sunset_raw})")
+        return 1
+
+    now = datetime.now(timezone.utc)
+    compat_routes = [
+        f"{method} {path}"
+        for (method, path), policy in ROUTE_AUTHZ_POLICY.items()
+        if str(getattr(policy, "auth_mode", "compat_bearer") or "compat_bearer") == "compat_bearer"
+    ]
+    if now >= sunset and compat_routes:
+        print(f"compat sunset check: failed (sunset passed at {sunset.isoformat()})")
+        print(f"remaining compat_bearer routes: {len(compat_routes)}")
+        for route in compat_routes[:25]:
+            print(f" - {route}")
+        if len(compat_routes) > 25:
+            print(" - ...")
+        return 1
+
+    print(
+        "compat sunset check: pass "
+        f"(now={now.isoformat()}, sunset={sunset.isoformat()}, remaining_compat={len(compat_routes)})"
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
+

scripts/check_trusted_issuers.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+"""
+Check trusted issuers and validate credential issuer trust
+"""
+
+from api.trusted_issuers import get_trusted_issuer_dids, is_trusted_issuer, clear_cache
+
+print("=" * 60)
+print("TRUSTED ISSUER REGISTRY")
+print("=" * 60)
+
+# Clear cache to get fresh data
+clear_cache()
+
+trusted = get_trusted_issuer_dids()
+
+print(f"\nTotal trusted issuers: {len(trusted)}")
+print("\nTrusted Issuer DIDs:")
+
+for did in sorted(trusted):
+    print(f"  - {did[:60]}...")
+
+# Check some old DIDs that might be in credentials
+print("\n" + "=" * 60)
+print("OLD ISSUER CHECK")
+print("=" * 60)
+
+old_issuers = [
+    # These are the old DIDs from before KMS migration
+    "did:lemma:aba9b52a0af7966628d68f2890a899277b88f688",  # Old federated
+    "did:lemma:143b960715ecaa24d02943fc0bd7b391af8f5e92",  # Old lemma.id
+    "did:lemma:843982bf25189ae055c93bb381a6b3",            # Old lemma_platform
+]
+
+print("\nChecking if old issuers are still trusted:")
+for did in old_issuers:
+    is_trust = is_trusted_issuer(did)
+    status = "TRUSTED" if is_trust else "NOT TRUSTED"
+    print(f"  {did[:40]}... -> {status}")
+
+print("\n" + "=" * 60)
+print("CURRENT ISSUER STATUS")
+print("=" * 60)
+
+from api.database import SessionLocal, Site
+db = SessionLocal()
+
+sites = db.query(Site).filter(Site.kms_encrypted_signing_key != None).all()
+for site in sites:
+    print(f"\n{site.site_id}:")
+    print(f"  DID: {site.issuer_did}")
+    print(f"  Status: {site.key_status}")
+    print(f"  Created: {site.key_created_at}")
+
+db.close()
+