opentrust-cli 1.0.0__py3-none-any.whl

opentrust_cli/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

opentrust_cli/api_client.py

@@ -0,0 +1,17 @@
+import os
+import httpx
+
+
+class APIClient:
+    def __init__(self, base_url: str | None = None):
+        self.base_url = (base_url or os.getenv("OPENTRUST_API_URL") or "http://localhost:8000").rstrip("/")
+
+    def get(self, path: str, **params):
+        response = httpx.get(f"{self.base_url}/api/v1{path}", params=params, timeout=10)
+        response.raise_for_status()
+        return response.json()
+
+    def post(self, path: str, json: dict | None = None):
+        response = httpx.post(f"{self.base_url}/api/v1{path}", json=json, timeout=10)
+        response.raise_for_status()
+        return response.json()

opentrust_cli/commands/__init__.py

@@ -0,0 +1 @@
+

opentrust_cli/commands/badge.py

@@ -0,0 +1,9 @@
+import typer
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def badge(slug: str, base_url: str = "https://opentrust.dev"):
+    console.print(f"![OpenTrust]({base_url.rstrip('/')}/api/v1/badge/{slug}.svg)")

opentrust_cli/commands/claim.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def claim(slug: str):
+    data = APIClient().post(f"/claim?slug={slug}", json=None)
+    console.print(f"Claim {slug}: {data.get('auth_url')}")

opentrust_cli/commands/inspect.py

@@ -0,0 +1,10 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import print_passport
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def inspect(slug: str):
+    print_passport(APIClient().get(f"/tools/{slug}"))

opentrust_cli/commands/payment.py

@@ -0,0 +1,30 @@
+from decimal import Decimal
+from uuid import uuid4
+
+import typer
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+PRICES = {
+    "trust_report": Decimal("19.00"),
+    "verified_badge": Decimal("49.00"),
+    "monitoring_monthly": Decimal("19.00"),
+}
+
+
+@app.command("create-checkout")
+def create_checkout(tool_id: str, plan: str = "verified_badge"):
+    amount = PRICES.get(plan, PRICES["verified_badge"])
+    checkout_id = f"chk_{uuid4().hex}"
+    console.print(
+        {
+            "checkout_id": checkout_id,
+            "tool_id": tool_id,
+            "plan": plan,
+            "amount_usdc": str(amount),
+            "status": "paid",
+            "provider": "mock",
+            "checkout_url": f"https://mock.opentrust.local/checkouts/{checkout_id}",
+        }
+    )

opentrust_cli/commands/policy.py

@@ -0,0 +1,183 @@
+import json
+from pathlib import Path
+
+import typer
+
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+# ── Helpers ──────────────────────────────────────────────────────────────────
+
+
+VALID_TRUST_STATUSES = frozenset({
+    "auto_generated_draft", "creator_claimed", "owner_confirmed",
+    "community_reviewed", "reviewer_signed", "security_checked",
+    "continuously_monitored", "disputed",
+})
+
+BROAD_DANGEROUS_PERMISSIONS = frozenset({"wallet", "private_data", "terminal"})
+TRUST_ORDER = {
+    "auto_generated_draft": 0,
+    "creator_claimed": 1,
+    "owner_confirmed": 2,
+    "community_reviewed": 3,
+    "reviewer_signed": 4,
+    "security_checked": 5,
+    "continuously_monitored": 6,
+}
+DEFAULT_SPEND_POLICY = {
+    "max_cost_per_call_usdc": 999999.0,
+    "min_trust_status": "community_reviewed",
+    "blocked_permissions": ["wallet", "private_data", "terminal"],
+    "allowed_networks": ["base"],
+    "allowed_currencies": ["USDC"],
+    "require_escrow_above_usdc": 0.10,
+    "human_approval_above_usdc": 0.01,
+}
+# Thresholds in USDC — amounts at or below these are "free/safe"
+ESCROW_THRESHOLD_USDC = 0.10   # above this, escrow must be available
+HUMAN_APPROVAL_THRESHOLD_USDC = 0.01  # above this, human approval or escrow needed
+
+
+def _load_json(path_str: str) -> dict:
+    path = Path(path_str)
+    if not path.exists():
+        raise typer.BadParameter(f"File not found: {path_str}")
+    try:
+        return json.loads(path.read_text())
+    except json.JSONDecodeError as exc:
+        raise typer.BadParameter(
+            f"Invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
+        )
+
+
+def _get_amount(passport: dict) -> float:
+    """Extract the payment amount from commercial_status, defaulting to 0."""
+    cs = passport.get("commercial_status") or {}
+    pricing = cs.get("pricing") if isinstance(cs, dict) else {}
+    if isinstance(pricing, dict):
+        return float(pricing.get("amount", 0))
+    return 0.0
+
+
+def _has_escrow(passport: dict) -> bool:
+    """Check if the passport has escrow_config with supported=True."""
+    cs = passport.get("commercial_status") or {}
+    if not isinstance(cs, dict):
+        return False
+    escrow = cs.get("escrow_config")
+    if isinstance(escrow, dict):
+        return escrow.get("supported") is True
+    return False
+
+
+def _payment_config(passport: dict) -> dict:
+    cs = passport.get("commercial_status") or {}
+    config = cs.get("payment_config") if isinstance(cs, dict) else None
+    return config if isinstance(config, dict) else {}
+
+
+def _pricing(passport: dict) -> dict:
+    cs = passport.get("commercial_status") or {}
+    pricing = cs.get("pricing") if isinstance(cs, dict) else None
+    return pricing if isinstance(pricing, dict) else {}
+
+
+# ── Policy check command ─────────────────────────────────────────────────────
+
+
+@app.command()
+def check(
+    passport_path: str = typer.Argument(..., help="Path to passport JSON file"),
+    policy_path: str | None = typer.Option(None, "--policy", help="Path to local spend policy JSON"),
+):
+    """Check a passport against local agent policy rules.
+
+    Denies:
+    - Disputed or inline-revoked passports
+    - Unknown or unparseable trust_status
+    - Broad boolean true for wallet / private_data / terminal permissions
+    - Payment above threshold without escrow or human approval
+    """
+    passport = _load_json(passport_path)
+    spend_policy = DEFAULT_SPEND_POLICY | (_load_json(policy_path) if policy_path else {})
+    denials: list[str] = []
+
+    # ── 1. Trust status checks ───────────────────────────────────────────
+    trust_status = passport.get("trust_status", "")
+
+    if trust_status not in VALID_TRUST_STATUSES:
+        denials.append(
+            f"INVALID TRUST STATUS: '{trust_status}' is not a recognized "
+            f"trust_status value"
+        )
+    elif trust_status == "disputed":
+        denials.append("DISPUTED: passport trust_status is 'disputed' — denied by policy")
+    else:
+        minimum = spend_policy.get("min_trust_status", "community_reviewed")
+        if TRUST_ORDER.get(trust_status, -1) < TRUST_ORDER.get(minimum, 99):
+            denials.append(
+                f"TRUST TOO LOW: '{trust_status}' is below required min_trust_status '{minimum}'"
+            )
+
+    # ── 2. Inline revocation check ───────────────────────────────────────
+    revocation = passport.get("revocation") or {}
+    if revocation.get("revoked") is True:
+        reason = revocation.get("reason", "unspecified")
+        denials.append(f"REVOKED: passport is revoked (reason: {reason}) — denied by policy")
+
+    # ── 3. Broad dangerous permission check ──────────────────────────────
+    perm_manifest = passport.get("permission_manifest") or {}
+    blocked_permissions = set(spend_policy.get("blocked_permissions") or BROAD_DANGEROUS_PERMISSIONS)
+    for perm in blocked_permissions:
+        if perm_manifest.get(perm) is True:
+            denials.append(
+                f"BROAD PERMISSION: '{perm}' is set to boolean true — "
+                f"policy requires scoped/granular declarations"
+            )
+
+    # ── 4. Payment threshold checks ──────────────────────────────────────
+    amount = _get_amount(passport)
+    pricing = _pricing(passport)
+    payment_config = _payment_config(passport)
+    max_per_call = float(spend_policy.get("max_cost_per_call_usdc", ESCROW_THRESHOLD_USDC))
+    if amount > max_per_call:
+        denials.append(
+            f"SPEND CAP: payment amount ${amount:.2f} exceeds max_cost_per_call_usdc ${max_per_call:.2f}"
+        )
+
+    currency = pricing.get("currency")
+    allowed_currencies = set(spend_policy.get("allowed_currencies") or [])
+    if amount > 0 and allowed_currencies and currency not in allowed_currencies:
+        denials.append(f"CURRENCY DENIED: '{currency}' is not in allowed_currencies")
+
+    network = payment_config.get("network") or payment_config.get("chain")
+    allowed_networks = set(spend_policy.get("allowed_networks") or [])
+    if amount > 0 and allowed_networks and network and network not in allowed_networks:
+        denials.append(f"NETWORK DENIED: '{network}' is not in allowed_networks")
+
+    escrow_threshold = float(spend_policy.get("require_escrow_above_usdc", ESCROW_THRESHOLD_USDC))
+    human_threshold = float(spend_policy.get("human_approval_above_usdc", HUMAN_APPROVAL_THRESHOLD_USDC))
+    if amount > escrow_threshold and not _has_escrow(passport):
+        denials.append(
+            f"ESCROW REQUIRED: payment amount ${amount:.2f} exceeds "
+            f"${escrow_threshold:.2f} threshold but passport "
+            f"does not declare escrow support"
+        )
+
+    if amount > human_threshold and not _has_escrow(passport):
+        denials.append(
+            f"HUMAN APPROVAL REQUIRED: payment amount ${amount:.2f} exceeds "
+            f"${human_threshold:.2f} threshold — "
+            f"escrow or human approval path is required"
+        )
+
+    # ── Report ───────────────────────────────────────────────────────────
+    if denials:
+        for d in denials:
+            console.print(f"[red]DENY:[/] {d}")
+        raise typer.Exit(1)
+
+    console.print(f"[green]ALLOW:[/] {passport_path} — policy checks passed")

opentrust_cli/commands/search.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def search(q: str):
+    for item in APIClient().get("/search", q=q):
+        console.print(f"[bold]{item['name']}[/] {item['trust_status']} /tools/{item['slug']}")

opentrust_cli/commands/status.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def status(slug: str):
+    data = APIClient().get(f"/tools/{slug}")
+    console.print(f"[bold]{slug}[/]: [{data['trust_status']}]{data['trust_status']}[/]")

opentrust_cli/commands/validate.py

@@ -0,0 +1,15 @@
+import typer
+from opentrust_cli.formatters import console
+from opentrust_cli.schema_validator import validate_passport_file
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def validate(path: str):
+    errors = validate_passport_file(path)
+    if errors:
+        for error in errors:
+            console.print(f"[red]invalid:[/] {error}")
+        raise typer.Exit(1)
+    console.print("[green]valid passport[/]")

opentrust_cli/commands/verify.py

@@ -0,0 +1,234 @@
+import base64
+import hashlib
+import json
+from pathlib import Path
+from typing import Any
+
+import typer
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+from ecdsa import Ed25519, VerifyingKey
+from ecdsa.keys import BadSignatureError
+
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+VALID_TRUST_STATUSES = frozenset({
+    "auto_generated_draft", "creator_claimed", "owner_confirmed",
+    "community_reviewed", "reviewer_signed", "security_checked",
+    "continuously_monitored", "disputed",
+})
+
+
+def _canonical_json(data: dict) -> str:
+    return json.dumps(data, sort_keys=True, separators=(",", ":"))
+
+
+def _sha256_hex(canonical: str) -> str:
+    return "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()
+
+
+def _without_path(data: dict[str, Any], path: tuple[str, ...]) -> dict[str, Any]:
+    copied = json.loads(json.dumps(data))
+    current: Any = copied
+    for part in path[:-1]:
+        if not isinstance(current, dict):
+            return copied
+        current = current.get(part, {})
+    if isinstance(current, dict):
+        current.pop(path[-1], None)
+    return copied
+
+
+def _load_json(path_str: str) -> dict:
+    path = Path(path_str)
+    if not path.exists():
+        raise typer.BadParameter(f"File not found: {path_str}")
+    try:
+        return json.loads(path.read_text())
+    except json.JSONDecodeError as exc:
+        raise typer.BadParameter(
+            f"Invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
+        )
+
+
+def _find_key(keys_data: dict, key_id: str) -> dict | None:
+    for key in keys_data.get("keys", []):
+        if key.get("key_id") == key_id or key.get("kid") == key_id:
+            return key
+    return None
+
+
+def _b64decode(value: str) -> bytes:
+    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
+
+
+def _key_public_value(key_record: dict) -> str:
+    return key_record.get("public_key") or key_record.get("x") or ""
+
+
+def _signature_value(sig: dict) -> str:
+    return sig.get("value") or sig.get("signature") or ""
+
+
+def _verify_ed25519_digest(public_key_b64: str, signature_b64: str, digest: bytes) -> bool:
+    """Verify legacy OpenTrust tests: ecdsa package signs raw sha256 digest bytes."""
+    try:
+        vk = VerifyingKey.from_string(_b64decode(public_key_b64), curve=Ed25519)
+        vk.verify(_b64decode(signature_b64), digest)
+        return True
+    except (BadSignatureError, ValueError, Exception):
+        return False
+
+
+def _verify_ed25519_message(public_key_b64: str, signature_b64: str, message: bytes) -> bool:
+    """Verify production OpenTrust signatures: cryptography signs payload_hash text."""
+    try:
+        public_key = Ed25519PublicKey.from_public_bytes(_b64decode(public_key_b64))
+        public_key.verify(_b64decode(signature_b64), message)
+        return True
+    except (InvalidSignature, ValueError, Exception):
+        return False
+
+
+def _verify_signature_block(document: dict, signature_path: tuple[str, ...], keys_data: dict) -> list[str]:
+    errors: list[str] = []
+    current: Any = document
+    for part in signature_path:
+        if not isinstance(current, dict) or part not in current:
+            return [f"MISSING SIGNATURE: {'.'.join(signature_path)}"]
+        current = current[part]
+    sig = current
+    if not isinstance(sig, dict):
+        return [f"INVALID SIGNATURE BLOCK: {'.'.join(signature_path)}"]
+
+    candidates = [_without_path(document, signature_path)]
+    # Older passport signatures removed the whole top-level security object
+    # before hashing. Production signatures remove only security.registry_signature.
+    if signature_path == ("security", "registry_signature"):
+        candidates.append(_without_path(document, ("security",)))
+
+    expected_hash = sig.get("payload_hash", "")
+    matched_hash = ""
+    for unsigned in candidates:
+        candidate_hash = _sha256_hex(_canonical_json(unsigned))
+        if candidate_hash == expected_hash:
+            matched_hash = candidate_hash
+            break
+    if not matched_hash:
+        computed = _sha256_hex(_canonical_json(candidates[0]))
+        errors.append(
+            f"PAYLOAD HASH MISMATCH: expected '{expected_hash}', computed '{computed}'"
+        )
+        matched_hash = computed
+
+    key_id = sig.get("key_id") or sig.get("kid") or ""
+    key_record = _find_key(keys_data, key_id)
+    if not key_record:
+        errors.append(f"KEY NOT FOUND: no key with key_id '{key_id}' in keys file")
+        return errors
+
+    public_key_b64 = _key_public_value(key_record)
+    signature_b64 = _signature_value(sig)
+    if not signature_b64:
+        errors.append("MISSING SIGNATURE VALUE")
+        return errors
+
+    digest = bytes.fromhex(matched_hash[len("sha256:"):])
+    valid = _verify_ed25519_message(public_key_b64, signature_b64, matched_hash.encode("utf-8"))
+    valid = valid or _verify_ed25519_digest(public_key_b64, signature_b64, digest)
+    if not valid:
+        errors.append(f"INVALID SIGNATURE: Ed25519 signature verification failed (key_id: {key_id})")
+    return errors
+
+
+class RevocationVersionStore:
+    """Tiny local JSON store for revocation monotonic-version rollback checks."""
+
+    def __init__(self, path: str | Path | None = None) -> None:
+        self.path = Path(path or Path.home() / ".opentrust" / "revocation_versions.json")
+
+    def load(self) -> dict[str, int]:
+        if not self.path.exists():
+            return {}
+        try:
+            return json.loads(self.path.read_text())
+        except json.JSONDecodeError:
+            return {}
+
+    def save(self, versions: dict[str, int]) -> None:
+        self.path.parent.mkdir(parents=True, exist_ok=True)
+        self.path.write_text(json.dumps(versions, sort_keys=True, indent=2))
+
+
+def _check_revocation_rollback(registry_id: str, revocations_data: dict, store: RevocationVersionStore) -> None:
+    version = int(revocations_data.get("version", (revocations_data.get("payload") or {}).get("version", 0)))
+    versions = store.load()
+    previous = versions.get(registry_id)
+    if previous is not None and version < previous:
+        raise ValueError(f"revocation rollback detected: version {version} < previous {previous}")
+    versions[registry_id] = max(version, previous or 0)
+    store.save(versions)
+
+
+def _revocation_entries(revocations_data: dict) -> list[dict]:
+    if "passports" in revocations_data:
+        return revocations_data.get("passports") or []
+    payload = revocations_data.get("payload") or {}
+    return payload.get("passports") or payload.get("revoked") or []
+
+
+@app.callback(invoke_without_command=True)
+def verify(
+    passport_path: str = typer.Argument(..., help="Path to passport JSON file"),
+    keys: str = typer.Option(..., "--keys", help="Path to registry keys JSON file"),
+    revocations: str | None = typer.Option(
+        None, "--revocations", help="Path to signed revocation list JSON file"
+    ),
+):
+    """Offline verify a passport's registry signature and revocation status."""
+    errors: list[str] = []
+    passport = _load_json(passport_path)
+    keys_data = _load_json(keys)
+    revocations_data = _load_json(revocations) if revocations else None
+
+    revocation = passport.get("revocation") or {}
+    if revocation.get("revoked") is True:
+        errors.append(f"INLINE REVOKED: passport is revoked (reason: {revocation.get('reason', 'unspecified')})")
+
+    trust_status = passport.get("trust_status", "")
+    if trust_status == "disputed":
+        errors.append("DISPUTED: passport trust_status is 'disputed'")
+
+    errors.extend(_verify_signature_block(passport, ("security", "registry_signature"), keys_data))
+
+    if revocations_data:
+        try:
+            _check_revocation_rollback("default", revocations_data, RevocationVersionStore())
+        except ValueError as exc:
+            errors.append(f"REVOCATION ROLLBACK: {exc}")
+
+        errors.extend(_verify_signature_block(revocations_data, ("signature",), keys_data))
+        slug = (passport.get("tool_identity") or {}).get("slug", "")
+        version = (passport.get("version_hash") or {}).get("version", "")
+        for entry in _revocation_entries(revocations_data):
+            entry_slug = entry.get("slug") or entry.get("passport_id") or ""
+            entry_version = entry.get("version", "*")
+            if entry_slug == slug and (entry_version == version or entry_version == "*"):
+                errors.append(
+                    f"REVOKED: passport '{slug}:{version}' is in the revocation list "
+                    f"(reason: {entry.get('reason', 'unspecified')})"
+                )
+                break
+
+    _report_results(passport_path, errors)
+
+
+def _report_results(passport_path: str, errors: list[str]):
+    if errors:
+        for err in errors:
+            console.print(f"[red]FAIL:[/] {err}")
+        raise typer.Exit(1)
+    console.print(f"[green]VERIFIED:[/] {passport_path} — registry signature valid, no revocations found")

opentrust_cli/formatters.py

@@ -0,0 +1,29 @@
+from rich.console import Console
+from rich.table import Table
+
+console = Console()
+
+STATUS_COLORS = {
+    "auto_generated_draft": "yellow",
+    "creator_claimed": "cyan",
+    "seller_confirmed": "blue",
+    "community_reviewed": "green",
+    "reviewer_signed": "green",
+    "security_checked": "bold green",
+    "continuously_monitored": "bold green",
+    "disputed": "bold red",
+}
+
+
+def print_passport(passport: dict) -> None:
+    table = Table(title=passport.get("name", "Passport"))
+    table.add_column("Field")
+    table.add_column("Value")
+    status = passport.get("trust_status", "unknown")
+    table.add_row("trust_status", f"[{STATUS_COLORS.get(status, 'white')}]{status}[/]")
+    table.add_row("slug", passport.get("slug", ""))
+    table.add_row("capabilities", ", ".join(passport.get("capabilities", [])))
+    table.add_row("commercial_status", passport.get("commercial_status", {}).get("status", "unknown"))
+    console.print(table)
+    if passport.get("warning"):
+        console.print(f"[bold yellow]{passport['warning']}[/]")

opentrust_cli/main.py

@@ -0,0 +1,17 @@
+import typer
+from opentrust_cli.commands import badge, claim, inspect, payment, policy, search, status, validate, verify
+
+app = typer.Typer(help="OpenTrust registry CLI")
+app.add_typer(inspect.app, name="inspect")
+app.add_typer(search.app, name="search")
+app.add_typer(status.app, name="status")
+app.add_typer(validate.app, name="validate")
+app.add_typer(claim.app, name="claim")
+app.add_typer(badge.app, name="badge")
+app.add_typer(payment.app, name="payment")
+app.add_typer(verify.app, name="verify")
+app.add_typer(policy.app, name="policy")
+
+
+if __name__ == "__main__":
+    app()

opentrust_cli/schema_validator.py

@@ -0,0 +1,161 @@
+import json
+from pathlib import Path
+from typing import Any
+
+from jsonschema import Draft202012Validator
+from referencing import Registry, Resource
+
+
+DANGEROUS_PERMISSION_FLAGS = (
+    "wallet",
+    "private_data",
+    "terminal",
+    "filesystem_write",
+    "file_write",
+    "code_execution",
+    "network_unrestricted",
+)
+
+_REQUIRES_GRANULAR_AT_REVIEWER_SIGNED = frozenset({
+    "file", "network", "terminal", "wallet", "private_data"
+})
+
+_TRUST_LEVELS_REQUIRING_GRANULAR = frozenset({
+    "reviewer_signed", "security_checked", "continuously_monitored"
+})
+
+_EVIDENCE_REQUIRED_KEYS = frozenset({
+    "scanner_output", "reviewer_identity", "commit_hash",
+    "dependency_snapshot", "signed_attestation"
+})
+
+
+def _json_path(error) -> str:
+    if not error.absolute_path:
+        return "$"
+    return "$" + "".join(f"[{part}]" if isinstance(part, int) else f".{part}" for part in error.absolute_path)
+
+
+def _load_schema_bundle(root: Path) -> tuple[dict[str, Any], Registry]:
+    schema = json.loads((root / "passport.schema.json").read_text())
+    permissions = json.loads((root / "permissions.schema.json").read_text())
+    commercial = json.loads((root / "commercial-status.schema.json").read_text())
+    security = json.loads((root / "security.schema.json").read_text())
+    registry = Registry().with_resources(
+        [
+            ("permissions.schema.json", Resource.from_contents(permissions)),
+            ("commercial-status.schema.json", Resource.from_contents(commercial)),
+            ("security.schema.json", Resource.from_contents(security)),
+            ("https://opentrust.dev/schemas/permissions.schema.json", Resource.from_contents(permissions)),
+            ("https://opentrust.dev/schemas/commercial-status.schema.json", Resource.from_contents(commercial)),
+            ("https://opentrust.dev/schemas/security.schema.json", Resource.from_contents(security)),
+        ]
+    )
+    return schema, registry
+
+
+def _format_schema_error(error) -> str:
+    path = _json_path(error)
+    if error.validator == "required":
+        missing = ", ".join(repr(item) for item in error.validator_value if item not in error.instance)
+        return f"{path}: missing required field(s): {missing}"
+    if error.validator == "additionalProperties":
+        return f"{path}: {error.message}; remove unknown fields or update the schema/RFC"
+    if error.validator == "enum":
+        allowed = ", ".join(repr(item) for item in error.validator_value)
+        return f"{path}: {error.instance!r} is not allowed; expected one of: {allowed}"
+    if error.validator == "pattern":
+        return f"{path}: {error.instance!r} does not match required pattern {error.validator_value!r}"
+    return f"{path}: {error.message}"
+
+
+def _semantic_errors(data: dict[str, Any]) -> list[str]:
+    errors: list[str] = []
+
+    version_hash = data.get("version_hash") or {}
+    if not version_hash.get("commit") and not version_hash.get("artifact_hash"):
+        errors.append(
+            "$.version_hash: production passports must include either 'commit' or 'artifact_hash'; "
+            "a version string alone is not enough to bind trust to code"
+        )
+
+    trust_status = data.get("trust_status")
+
+    permission_manifest = data.get("permission_manifest") or {}
+    for key in DANGEROUS_PERMISSION_FLAGS:
+        if permission_manifest.get(key) is True:
+            # At reviewer_signed and above, the granular enforcement block emits a more specific error
+            if trust_status not in _TRUST_LEVELS_REQUIRING_GRANULAR:
+                errors.append(
+                    f"$.permission_manifest.{key}: dangerous permissions must be scoped, justified, "
+                    "and denied by default in local policy; do not ship a broad boolean true for production"
+                )
+
+    # v0.2 enforcement: reviewer_signed+ must use granular scopes for high-risk surfaces
+    if trust_status in _TRUST_LEVELS_REQUIRING_GRANULAR:
+        for key in _REQUIRES_GRANULAR_AT_REVIEWER_SIGNED:
+            val = permission_manifest.get(key)
+            if val is True:
+                errors.append(
+                    f"$.permission_manifest.{key}: trust_status '{trust_status}' requires granular "
+                    f"scope object (v0.2) — boolean true is not allowed at this trust level. "
+                    f"Replace with a structured scope: e.g. network: {{allowed_domains: [...], outbound_only: true}}"
+                )
+
+    # v0.3 enforcement: security_checked requires a complete evidence block
+    if trust_status in {"security_checked", "continuously_monitored"}:
+        evidence = data.get("evidence")
+        if not evidence:
+            errors.append(
+                "$.evidence: trust_status 'security_checked' requires a complete evidence block "
+                "with scanner_output, reviewer_identity, commit_hash, dependency_snapshot, "
+                "and signed_attestation"
+            )
+        elif isinstance(evidence, dict):
+            missing_keys = _EVIDENCE_REQUIRED_KEYS - set(evidence.keys())
+            if missing_keys:
+                errors.append(
+                    f"$.evidence: incomplete evidence block — missing: {', '.join(sorted(missing_keys))}. "
+                    "All five fields are required for security_checked."
+                )
+
+    if trust_status in {"reviewer_signed", "security_checked", "continuously_monitored"}:
+        if not data.get("review_history"):
+            errors.append(
+                f"$.review_history: trust_status '{trust_status}' requires at least one reviewer/security attestation"
+            )
+        security = data.get("security") or {}
+        registry_signature = security.get("registry_signature") if isinstance(security, dict) else None
+        if not registry_signature:
+            errors.append(
+                f"$.security.registry_signature: trust_status '{trust_status}' requires a signed registry passport"
+            )
+
+    revocation = data.get("revocation") or {}
+    if revocation.get("revoked") is True and not revocation.get("reason"):
+        errors.append("$.revocation.reason: revoked passports must publish a machine-readable reason")
+
+    commercial_status = data.get("commercial_status") or {}
+    payment_config = commercial_status.get("payment_config") if isinstance(commercial_status, dict) else None
+    if payment_config:
+        wallet = payment_config.get("wallet_address") or payment_config.get("recipient")
+        signed_invoice = payment_config.get("signed_invoice_required")
+        if wallet and signed_invoice is False:
+            errors.append(
+                "$.commercial_status.payment_config: wallet payments must be bound to a signed passport or signed invoice"
+            )
+
+    return errors
+
+
+def validate_passport_file(path: str) -> list[str]:
+    root = Path(__file__).resolve().parents[3] / "passport-schema"
+    schema, registry = _load_schema_bundle(root)
+    try:
+        data = json.loads(Path(path).read_text())
+    except json.JSONDecodeError as exc:
+        return [f"$: invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
+
+    validator = Draft202012Validator(schema, registry=registry)
+    schema_errors = sorted(validator.iter_errors(data), key=lambda error: list(error.absolute_path))
+    return [_format_schema_error(error) for error in schema_errors] + _semantic_errors(data)

opentrust_cli-1.0.0.dist-info/METADATA

@@ -0,0 +1,48 @@
+Metadata-Version: 2.4
+Name: opentrust-cli
+Version: 1.0.0
+Summary: Command-line tools for inspecting, validating, and working with OpenTrust passports
+Author-email: Novel Hut Studios <founder@novelhut.net>
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/Costder/opentrust
+Project-URL: Repository, https://github.com/Costder/opentrust
+Project-URL: Issues, https://github.com/Costder/opentrust/issues
+Keywords: opentrust,cli,ai-agents,trust-registry,tool-passports
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: typer>=0.25.1
+Requires-Dist: rich>=15.0.0
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: jsonschema>=4.26.0
+Requires-Dist: cryptography>=42
+Requires-Dist: ecdsa>=0.19
+
+# opentrust-cli
+
+Command-line tools for OpenTrust passports and trust registry workflows.
+
+## Install
+
+```bash
+pip install opentrust-cli
+```
+
+## Commands
+
+```bash
+opentrust inspect <tool-id>
+opentrust search <query>
+opentrust status <tool-id>
+opentrust validate <passport.json>
+opentrust claim ...
+opentrust badge <tool-id>
+opentrust payment create-checkout <tool-id>
+```
+
+## Repository
+
+https://github.com/Costder/opentrust
+
+## License
+
+MIT

opentrust_cli-1.0.0.dist-info/RECORD

@@ -0,0 +1,20 @@
+opentrust_cli/__init__.py,sha256=kUR5RAFc7HCeiqdlX36dZOHkUI5wI6V_43RpEcD8b-0,22
+opentrust_cli/api_client.py,sha256=IoxLxXXSJxOlDdyxpr6MffxR4NQD0wFfY0nn5K3JZ9c,611
+opentrust_cli/formatters.py,sha256=TZfKz7Oqb7LNrgh83uNoEQworwpkX0j2WBfQR0EOKOo,1042
+opentrust_cli/main.py,sha256=wix2E9MIV4-UaVCTM1m5L-ZnWOdGhAZQmKH-DDvIhFs,583
+opentrust_cli/schema_validator.py,sha256=l9jyi4OREw5jD2A9jycBRi2yNHUSR6bk-vmttEGjdVw,7344
+opentrust_cli/commands/__init__.py,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+opentrust_cli/commands/badge.py,sha256=ohRLCge6G1zL5ziknizX94fR7D6C_da10qu-E584lqI,270
+opentrust_cli/commands/claim.py,sha256=IKxRJqCGnGKLzVIvppybez4x3CpODzpJKMQeuNug25Y,314
+opentrust_cli/commands/inspect.py,sha256=hVjfdsnY3ZrI6VEeiVU2xT2_tIYSPHnjJcUYJwOxL6s,256
+opentrust_cli/commands/payment.py,sha256=gNwzfKRwzDLKvBuBXAOvT_rrx37MDucdyXsIA7BG5KE,791
+opentrust_cli/commands/policy.py,sha256=GaTHJ5AOM1jbwKS4-kOzXU31pEyLPNEuk0NnAQYFZC0,7867
+opentrust_cli/commands/search.py,sha256=-9udsqvBP47fQhrWy8h7EdvNsgP5pjIXYNI2AqwGZZY,335
+opentrust_cli/commands/status.py,sha256=FdUK19fkOHIBTznqPAZk_CUC16vUwMGrMB3J1JqxuyY,328
+opentrust_cli/commands/validate.py,sha256=NqHkfd3dOjpY_4_Y9iT4wFJptJGt9Re6P540HRos-g8,430
+opentrust_cli/commands/verify.py,sha256=V5UwgFh7v0Wsct1EiBfXuca-cClKJ2HfEP7t2A_Bul4,8972
+opentrust_cli-1.0.0.dist-info/METADATA,sha256=Y7Ou3XD9lnF_usDj7mcsdT8jBbs9sBxq6Rh_2gYHXRI,1166
+opentrust_cli-1.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+opentrust_cli-1.0.0.dist-info/entry_points.txt,sha256=51uZN5L-yY8cpKpT_MbVhAos92syZgIbo7mFa6FiDU4,53
+opentrust_cli-1.0.0.dist-info/top_level.txt,sha256=awTSpXh8Lo4rHQzqibforyuVy0fdSOr8SB9HO6Yykeg,14
+opentrust_cli-1.0.0.dist-info/RECORD,,

opentrust_cli-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

opentrust_cli-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+opentrust = opentrust_cli.main:app

opentrust_cli-1.0.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+opentrust_cli