opentrust-cli 1.0.0__tar.gz

opentrust_cli-1.0.0/PKG-INFO

@@ -0,0 +1,48 @@
+Metadata-Version: 2.4
+Name: opentrust-cli
+Version: 1.0.0
+Summary: Command-line tools for inspecting, validating, and working with OpenTrust passports
+Author-email: Novel Hut Studios <founder@novelhut.net>
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/Costder/opentrust
+Project-URL: Repository, https://github.com/Costder/opentrust
+Project-URL: Issues, https://github.com/Costder/opentrust/issues
+Keywords: opentrust,cli,ai-agents,trust-registry,tool-passports
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: typer>=0.25.1
+Requires-Dist: rich>=15.0.0
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: jsonschema>=4.26.0
+Requires-Dist: cryptography>=42
+Requires-Dist: ecdsa>=0.19
+
+# opentrust-cli
+
+Command-line tools for OpenTrust passports and trust registry workflows.
+
+## Install
+
+```bash
+pip install opentrust-cli
+```
+
+## Commands
+
+```bash
+opentrust inspect <tool-id>
+opentrust search <query>
+opentrust status <tool-id>
+opentrust validate <passport.json>
+opentrust claim ...
+opentrust badge <tool-id>
+opentrust payment create-checkout <tool-id>
+```
+
+## Repository
+
+https://github.com/Costder/opentrust
+
+## License
+
+MIT

opentrust_cli-1.0.0/README.md

@@ -0,0 +1,29 @@
+# opentrust-cli
+
+Command-line tools for OpenTrust passports and trust registry workflows.
+
+## Install
+
+```bash
+pip install opentrust-cli
+```
+
+## Commands
+
+```bash
+opentrust inspect <tool-id>
+opentrust search <query>
+opentrust status <tool-id>
+opentrust validate <passport.json>
+opentrust claim ...
+opentrust badge <tool-id>
+opentrust payment create-checkout <tool-id>
+```
+
+## Repository
+
+https://github.com/Costder/opentrust
+
+## License
+
+MIT

opentrust_cli-1.0.0/pyproject.toml

@@ -0,0 +1,25 @@
+[build-system]
+requires = ["setuptools>=82", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "opentrust-cli"
+version = "1.0.0"
+description = "Command-line tools for inspecting, validating, and working with OpenTrust passports"
+readme = "README.md"
+requires-python = ">=3.11"
+license = "MIT"
+authors = [{ name = "Novel Hut Studios", email = "founder@novelhut.net" }]
+keywords = ["opentrust", "cli", "ai-agents", "trust-registry", "tool-passports"]
+dependencies = ["typer>=0.25.1", "rich>=15.0.0", "httpx>=0.28.1", "jsonschema>=4.26.0", "cryptography>=42", "ecdsa>=0.19"]
+
+[project.urls]
+Homepage = "https://github.com/Costder/opentrust"
+Repository = "https://github.com/Costder/opentrust"
+Issues = "https://github.com/Costder/opentrust/issues"
+
+[project.scripts]
+opentrust = "opentrust_cli.main:app"
+
+[tool.setuptools.packages.find]
+where = ["src"]

opentrust_cli-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

opentrust_cli-1.0.0/src/opentrust_cli/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

opentrust_cli-1.0.0/src/opentrust_cli/api_client.py

@@ -0,0 +1,17 @@
+import os
+import httpx
+
+
+class APIClient:
+    def __init__(self, base_url: str | None = None):
+        self.base_url = (base_url or os.getenv("OPENTRUST_API_URL") or "http://localhost:8000").rstrip("/")
+
+    def get(self, path: str, **params):
+        response = httpx.get(f"{self.base_url}/api/v1{path}", params=params, timeout=10)
+        response.raise_for_status()
+        return response.json()
+
+    def post(self, path: str, json: dict | None = None):
+        response = httpx.post(f"{self.base_url}/api/v1{path}", json=json, timeout=10)
+        response.raise_for_status()
+        return response.json()

opentrust_cli-1.0.0/src/opentrust_cli/commands/__init__.py

@@ -0,0 +1 @@
+

opentrust_cli-1.0.0/src/opentrust_cli/commands/badge.py

@@ -0,0 +1,9 @@
+import typer
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def badge(slug: str, base_url: str = "https://opentrust.dev"):
+    console.print(f"![OpenTrust]({base_url.rstrip('/')}/api/v1/badge/{slug}.svg)")

opentrust_cli-1.0.0/src/opentrust_cli/commands/claim.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def claim(slug: str):
+    data = APIClient().post(f"/claim?slug={slug}", json=None)
+    console.print(f"Claim {slug}: {data.get('auth_url')}")

opentrust_cli-1.0.0/src/opentrust_cli/commands/inspect.py

@@ -0,0 +1,10 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import print_passport
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def inspect(slug: str):
+    print_passport(APIClient().get(f"/tools/{slug}"))

opentrust_cli-1.0.0/src/opentrust_cli/commands/payment.py

@@ -0,0 +1,30 @@
+from decimal import Decimal
+from uuid import uuid4
+
+import typer
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+PRICES = {
+    "trust_report": Decimal("19.00"),
+    "verified_badge": Decimal("49.00"),
+    "monitoring_monthly": Decimal("19.00"),
+}
+
+
+@app.command("create-checkout")
+def create_checkout(tool_id: str, plan: str = "verified_badge"):
+    amount = PRICES.get(plan, PRICES["verified_badge"])
+    checkout_id = f"chk_{uuid4().hex}"
+    console.print(
+        {
+            "checkout_id": checkout_id,
+            "tool_id": tool_id,
+            "plan": plan,
+            "amount_usdc": str(amount),
+            "status": "paid",
+            "provider": "mock",
+            "checkout_url": f"https://mock.opentrust.local/checkouts/{checkout_id}",
+        }
+    )

opentrust_cli-1.0.0/src/opentrust_cli/commands/policy.py

@@ -0,0 +1,183 @@
+import json
+from pathlib import Path
+
+import typer
+
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+# ── Helpers ──────────────────────────────────────────────────────────────────
+
+
+VALID_TRUST_STATUSES = frozenset({
+    "auto_generated_draft", "creator_claimed", "owner_confirmed",
+    "community_reviewed", "reviewer_signed", "security_checked",
+    "continuously_monitored", "disputed",
+})
+
+BROAD_DANGEROUS_PERMISSIONS = frozenset({"wallet", "private_data", "terminal"})
+TRUST_ORDER = {
+    "auto_generated_draft": 0,
+    "creator_claimed": 1,
+    "owner_confirmed": 2,
+    "community_reviewed": 3,
+    "reviewer_signed": 4,
+    "security_checked": 5,
+    "continuously_monitored": 6,
+}
+DEFAULT_SPEND_POLICY = {
+    "max_cost_per_call_usdc": 999999.0,
+    "min_trust_status": "community_reviewed",
+    "blocked_permissions": ["wallet", "private_data", "terminal"],
+    "allowed_networks": ["base"],
+    "allowed_currencies": ["USDC"],
+    "require_escrow_above_usdc": 0.10,
+    "human_approval_above_usdc": 0.01,
+}
+# Thresholds in USDC — amounts at or below these are "free/safe"
+ESCROW_THRESHOLD_USDC = 0.10   # above this, escrow must be available
+HUMAN_APPROVAL_THRESHOLD_USDC = 0.01  # above this, human approval or escrow needed
+
+
+def _load_json(path_str: str) -> dict:
+    path = Path(path_str)
+    if not path.exists():
+        raise typer.BadParameter(f"File not found: {path_str}")
+    try:
+        return json.loads(path.read_text())
+    except json.JSONDecodeError as exc:
+        raise typer.BadParameter(
+            f"Invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
+        )
+
+
+def _get_amount(passport: dict) -> float:
+    """Extract the payment amount from commercial_status, defaulting to 0."""
+    cs = passport.get("commercial_status") or {}
+    pricing = cs.get("pricing") if isinstance(cs, dict) else {}
+    if isinstance(pricing, dict):
+        return float(pricing.get("amount", 0))
+    return 0.0
+
+
+def _has_escrow(passport: dict) -> bool:
+    """Check if the passport has escrow_config with supported=True."""
+    cs = passport.get("commercial_status") or {}
+    if not isinstance(cs, dict):
+        return False
+    escrow = cs.get("escrow_config")
+    if isinstance(escrow, dict):
+        return escrow.get("supported") is True
+    return False
+
+
+def _payment_config(passport: dict) -> dict:
+    cs = passport.get("commercial_status") or {}
+    config = cs.get("payment_config") if isinstance(cs, dict) else None
+    return config if isinstance(config, dict) else {}
+
+
+def _pricing(passport: dict) -> dict:
+    cs = passport.get("commercial_status") or {}
+    pricing = cs.get("pricing") if isinstance(cs, dict) else None
+    return pricing if isinstance(pricing, dict) else {}
+
+
+# ── Policy check command ─────────────────────────────────────────────────────
+
+
+@app.command()
+def check(
+    passport_path: str = typer.Argument(..., help="Path to passport JSON file"),
+    policy_path: str | None = typer.Option(None, "--policy", help="Path to local spend policy JSON"),
+):
+    """Check a passport against local agent policy rules.
+
+    Denies:
+    - Disputed or inline-revoked passports
+    - Unknown or unparseable trust_status
+    - Broad boolean true for wallet / private_data / terminal permissions
+    - Payment above threshold without escrow or human approval
+    """
+    passport = _load_json(passport_path)
+    spend_policy = DEFAULT_SPEND_POLICY | (_load_json(policy_path) if policy_path else {})
+    denials: list[str] = []
+
+    # ── 1. Trust status checks ───────────────────────────────────────────
+    trust_status = passport.get("trust_status", "")
+
+    if trust_status not in VALID_TRUST_STATUSES:
+        denials.append(
+            f"INVALID TRUST STATUS: '{trust_status}' is not a recognized "
+            f"trust_status value"
+        )
+    elif trust_status == "disputed":
+        denials.append("DISPUTED: passport trust_status is 'disputed' — denied by policy")
+    else:
+        minimum = spend_policy.get("min_trust_status", "community_reviewed")
+        if TRUST_ORDER.get(trust_status, -1) < TRUST_ORDER.get(minimum, 99):
+            denials.append(
+                f"TRUST TOO LOW: '{trust_status}' is below required min_trust_status '{minimum}'"
+            )
+
+    # ── 2. Inline revocation check ───────────────────────────────────────
+    revocation = passport.get("revocation") or {}
+    if revocation.get("revoked") is True:
+        reason = revocation.get("reason", "unspecified")
+        denials.append(f"REVOKED: passport is revoked (reason: {reason}) — denied by policy")
+
+    # ── 3. Broad dangerous permission check ──────────────────────────────
+    perm_manifest = passport.get("permission_manifest") or {}
+    blocked_permissions = set(spend_policy.get("blocked_permissions") or BROAD_DANGEROUS_PERMISSIONS)
+    for perm in blocked_permissions:
+        if perm_manifest.get(perm) is True:
+            denials.append(
+                f"BROAD PERMISSION: '{perm}' is set to boolean true — "
+                f"policy requires scoped/granular declarations"
+            )
+
+    # ── 4. Payment threshold checks ──────────────────────────────────────
+    amount = _get_amount(passport)
+    pricing = _pricing(passport)
+    payment_config = _payment_config(passport)
+    max_per_call = float(spend_policy.get("max_cost_per_call_usdc", ESCROW_THRESHOLD_USDC))
+    if amount > max_per_call:
+        denials.append(
+            f"SPEND CAP: payment amount ${amount:.2f} exceeds max_cost_per_call_usdc ${max_per_call:.2f}"
+        )
+
+    currency = pricing.get("currency")
+    allowed_currencies = set(spend_policy.get("allowed_currencies") or [])
+    if amount > 0 and allowed_currencies and currency not in allowed_currencies:
+        denials.append(f"CURRENCY DENIED: '{currency}' is not in allowed_currencies")
+
+    network = payment_config.get("network") or payment_config.get("chain")
+    allowed_networks = set(spend_policy.get("allowed_networks") or [])
+    if amount > 0 and allowed_networks and network and network not in allowed_networks:
+        denials.append(f"NETWORK DENIED: '{network}' is not in allowed_networks")
+
+    escrow_threshold = float(spend_policy.get("require_escrow_above_usdc", ESCROW_THRESHOLD_USDC))
+    human_threshold = float(spend_policy.get("human_approval_above_usdc", HUMAN_APPROVAL_THRESHOLD_USDC))
+    if amount > escrow_threshold and not _has_escrow(passport):
+        denials.append(
+            f"ESCROW REQUIRED: payment amount ${amount:.2f} exceeds "
+            f"${escrow_threshold:.2f} threshold but passport "
+            f"does not declare escrow support"
+        )
+
+    if amount > human_threshold and not _has_escrow(passport):
+        denials.append(
+            f"HUMAN APPROVAL REQUIRED: payment amount ${amount:.2f} exceeds "
+            f"${human_threshold:.2f} threshold — "
+            f"escrow or human approval path is required"
+        )
+
+    # ── Report ───────────────────────────────────────────────────────────
+    if denials:
+        for d in denials:
+            console.print(f"[red]DENY:[/] {d}")
+        raise typer.Exit(1)
+
+    console.print(f"[green]ALLOW:[/] {passport_path} — policy checks passed")

opentrust_cli-1.0.0/src/opentrust_cli/commands/search.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def search(q: str):
+    for item in APIClient().get("/search", q=q):
+        console.print(f"[bold]{item['name']}[/] {item['trust_status']} /tools/{item['slug']}")

opentrust_cli-1.0.0/src/opentrust_cli/commands/status.py

@@ -0,0 +1,11 @@
+import typer
+from opentrust_cli.api_client import APIClient
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def status(slug: str):
+    data = APIClient().get(f"/tools/{slug}")
+    console.print(f"[bold]{slug}[/]: [{data['trust_status']}]{data['trust_status']}[/]")

opentrust_cli-1.0.0/src/opentrust_cli/commands/validate.py

@@ -0,0 +1,15 @@
+import typer
+from opentrust_cli.formatters import console
+from opentrust_cli.schema_validator import validate_passport_file
+
+app = typer.Typer()
+
+
+@app.callback(invoke_without_command=True)
+def validate(path: str):
+    errors = validate_passport_file(path)
+    if errors:
+        for error in errors:
+            console.print(f"[red]invalid:[/] {error}")
+        raise typer.Exit(1)
+    console.print("[green]valid passport[/]")

opentrust_cli-1.0.0/src/opentrust_cli/commands/verify.py

@@ -0,0 +1,234 @@
+import base64
+import hashlib
+import json
+from pathlib import Path
+from typing import Any
+
+import typer
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+from ecdsa import Ed25519, VerifyingKey
+from ecdsa.keys import BadSignatureError
+
+from opentrust_cli.formatters import console
+
+app = typer.Typer()
+
+
+VALID_TRUST_STATUSES = frozenset({
+    "auto_generated_draft", "creator_claimed", "owner_confirmed",
+    "community_reviewed", "reviewer_signed", "security_checked",
+    "continuously_monitored", "disputed",
+})
+
+
+def _canonical_json(data: dict) -> str:
+    return json.dumps(data, sort_keys=True, separators=(",", ":"))
+
+
+def _sha256_hex(canonical: str) -> str:
+    return "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()
+
+
+def _without_path(data: dict[str, Any], path: tuple[str, ...]) -> dict[str, Any]:
+    copied = json.loads(json.dumps(data))
+    current: Any = copied
+    for part in path[:-1]:
+        if not isinstance(current, dict):
+            return copied
+        current = current.get(part, {})
+    if isinstance(current, dict):
+        current.pop(path[-1], None)
+    return copied
+
+
+def _load_json(path_str: str) -> dict:
+    path = Path(path_str)
+    if not path.exists():
+        raise typer.BadParameter(f"File not found: {path_str}")
+    try:
+        return json.loads(path.read_text())
+    except json.JSONDecodeError as exc:
+        raise typer.BadParameter(
+            f"Invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
+        )
+
+
+def _find_key(keys_data: dict, key_id: str) -> dict | None:
+    for key in keys_data.get("keys", []):
+        if key.get("key_id") == key_id or key.get("kid") == key_id:
+            return key
+    return None
+
+
+def _b64decode(value: str) -> bytes:
+    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
+
+
+def _key_public_value(key_record: dict) -> str:
+    return key_record.get("public_key") or key_record.get("x") or ""
+
+
+def _signature_value(sig: dict) -> str:
+    return sig.get("value") or sig.get("signature") or ""
+
+
+def _verify_ed25519_digest(public_key_b64: str, signature_b64: str, digest: bytes) -> bool:
+    """Verify legacy OpenTrust tests: ecdsa package signs raw sha256 digest bytes."""
+    try:
+        vk = VerifyingKey.from_string(_b64decode(public_key_b64), curve=Ed25519)
+        vk.verify(_b64decode(signature_b64), digest)
+        return True
+    except (BadSignatureError, ValueError, Exception):
+        return False
+
+
+def _verify_ed25519_message(public_key_b64: str, signature_b64: str, message: bytes) -> bool:
+    """Verify production OpenTrust signatures: cryptography signs payload_hash text."""
+    try:
+        public_key = Ed25519PublicKey.from_public_bytes(_b64decode(public_key_b64))
+        public_key.verify(_b64decode(signature_b64), message)
+        return True
+    except (InvalidSignature, ValueError, Exception):
+        return False
+
+
+def _verify_signature_block(document: dict, signature_path: tuple[str, ...], keys_data: dict) -> list[str]:
+    errors: list[str] = []
+    current: Any = document
+    for part in signature_path:
+        if not isinstance(current, dict) or part not in current:
+            return [f"MISSING SIGNATURE: {'.'.join(signature_path)}"]
+        current = current[part]
+    sig = current
+    if not isinstance(sig, dict):
+        return [f"INVALID SIGNATURE BLOCK: {'.'.join(signature_path)}"]
+
+    candidates = [_without_path(document, signature_path)]
+    # Older passport signatures removed the whole top-level security object
+    # before hashing. Production signatures remove only security.registry_signature.
+    if signature_path == ("security", "registry_signature"):
+        candidates.append(_without_path(document, ("security",)))
+
+    expected_hash = sig.get("payload_hash", "")
+    matched_hash = ""
+    for unsigned in candidates:
+        candidate_hash = _sha256_hex(_canonical_json(unsigned))
+        if candidate_hash == expected_hash:
+            matched_hash = candidate_hash
+            break
+    if not matched_hash:
+        computed = _sha256_hex(_canonical_json(candidates[0]))
+        errors.append(
+            f"PAYLOAD HASH MISMATCH: expected '{expected_hash}', computed '{computed}'"
+        )
+        matched_hash = computed
+
+    key_id = sig.get("key_id") or sig.get("kid") or ""
+    key_record = _find_key(keys_data, key_id)
+    if not key_record:
+        errors.append(f"KEY NOT FOUND: no key with key_id '{key_id}' in keys file")
+        return errors
+
+    public_key_b64 = _key_public_value(key_record)
+    signature_b64 = _signature_value(sig)
+    if not signature_b64:
+        errors.append("MISSING SIGNATURE VALUE")
+        return errors
+
+    digest = bytes.fromhex(matched_hash[len("sha256:"):])
+    valid = _verify_ed25519_message(public_key_b64, signature_b64, matched_hash.encode("utf-8"))
+    valid = valid or _verify_ed25519_digest(public_key_b64, signature_b64, digest)
+    if not valid:
+        errors.append(f"INVALID SIGNATURE: Ed25519 signature verification failed (key_id: {key_id})")
+    return errors
+
+
+class RevocationVersionStore:
+    """Tiny local JSON store for revocation monotonic-version rollback checks."""
+
+    def __init__(self, path: str | Path | None = None) -> None:
+        self.path = Path(path or Path.home() / ".opentrust" / "revocation_versions.json")
+
+    def load(self) -> dict[str, int]:
+        if not self.path.exists():
+            return {}
+        try:
+            return json.loads(self.path.read_text())
+        except json.JSONDecodeError:
+            return {}
+
+    def save(self, versions: dict[str, int]) -> None:
+        self.path.parent.mkdir(parents=True, exist_ok=True)
+        self.path.write_text(json.dumps(versions, sort_keys=True, indent=2))
+
+
+def _check_revocation_rollback(registry_id: str, revocations_data: dict, store: RevocationVersionStore) -> None:
+    version = int(revocations_data.get("version", (revocations_data.get("payload") or {}).get("version", 0)))
+    versions = store.load()
+    previous = versions.get(registry_id)
+    if previous is not None and version < previous:
+        raise ValueError(f"revocation rollback detected: version {version} < previous {previous}")
+    versions[registry_id] = max(version, previous or 0)
+    store.save(versions)
+
+
+def _revocation_entries(revocations_data: dict) -> list[dict]:
+    if "passports" in revocations_data:
+        return revocations_data.get("passports") or []
+    payload = revocations_data.get("payload") or {}
+    return payload.get("passports") or payload.get("revoked") or []
+
+
+@app.callback(invoke_without_command=True)
+def verify(
+    passport_path: str = typer.Argument(..., help="Path to passport JSON file"),
+    keys: str = typer.Option(..., "--keys", help="Path to registry keys JSON file"),
+    revocations: str | None = typer.Option(
+        None, "--revocations", help="Path to signed revocation list JSON file"
+    ),
+):
+    """Offline verify a passport's registry signature and revocation status."""
+    errors: list[str] = []
+    passport = _load_json(passport_path)
+    keys_data = _load_json(keys)
+    revocations_data = _load_json(revocations) if revocations else None
+
+    revocation = passport.get("revocation") or {}
+    if revocation.get("revoked") is True:
+        errors.append(f"INLINE REVOKED: passport is revoked (reason: {revocation.get('reason', 'unspecified')})")
+
+    trust_status = passport.get("trust_status", "")
+    if trust_status == "disputed":
+        errors.append("DISPUTED: passport trust_status is 'disputed'")
+
+    errors.extend(_verify_signature_block(passport, ("security", "registry_signature"), keys_data))
+
+    if revocations_data:
+        try:
+            _check_revocation_rollback("default", revocations_data, RevocationVersionStore())
+        except ValueError as exc:
+            errors.append(f"REVOCATION ROLLBACK: {exc}")
+
+        errors.extend(_verify_signature_block(revocations_data, ("signature",), keys_data))
+        slug = (passport.get("tool_identity") or {}).get("slug", "")
+        version = (passport.get("version_hash") or {}).get("version", "")
+        for entry in _revocation_entries(revocations_data):
+            entry_slug = entry.get("slug") or entry.get("passport_id") or ""
+            entry_version = entry.get("version", "*")
+            if entry_slug == slug and (entry_version == version or entry_version == "*"):
+                errors.append(
+                    f"REVOKED: passport '{slug}:{version}' is in the revocation list "
+                    f"(reason: {entry.get('reason', 'unspecified')})"
+                )
+                break
+
+    _report_results(passport_path, errors)
+
+
+def _report_results(passport_path: str, errors: list[str]):
+    if errors:
+        for err in errors:
+            console.print(f"[red]FAIL:[/] {err}")
+        raise typer.Exit(1)
+    console.print(f"[green]VERIFIED:[/] {passport_path} — registry signature valid, no revocations found")