cordance-cli 0.1.2

Cordance CLI — installs the `cordance` binary. The umbrella package `cordance` re-exports this entry; either install command works.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221

//! Cortex tier (authority-bearing): `cordance_cortex_receipt`.
//!
//! Generates a `cordance-cortex-receipt-v1-candidate` for the current
//! target, writes it to `.cordance/cortex-receipt.json`, and returns the
//! receipt inline so the caller does not need filesystem access.
//!
//! Doctrine invariant: every authority flag inside `authority_boundary`
//! must be `false` (except `candidate_only`). `AuthorityBoundary::candidate_only()`
//! enforces this constructor-side; we re-assert it in the tool body so a
//! future refactor of the receipt builder cannot accidentally widen the
//! boundary without being caught here.

use camino::Utf8PathBuf;
use cordance_core::receipt::CortexReceiptV1Candidate;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};

use crate::config::Config;
use crate::mcp::error::{McpToolError, McpToolResult};

#[derive(Clone, Debug, Default, Deserialize, JsonSchema)]
pub struct CortexReceiptParams {
    #[serde(default)]
    pub target: Option<String>,
    /// When `true`, the receipt is *not* written to disk; only returned
    /// inline. Useful for clients that have no filesystem access at all.
    #[serde(default)]
    pub dry_run: bool,
}

#[derive(Clone, Debug, Serialize, JsonSchema)]
pub struct CortexReceiptOutput {
    pub schema: String,
    /// Always `.cordance/cortex-receipt.json` under `target`; absent when
    /// `dry_run = true`.
    #[schemars(with = "Option<String>")]
    pub written_path: Option<Utf8PathBuf>,
    /// The receipt itself. Schema literal:
    /// `cordance-cortex-receipt-v1-candidate`. We do not derive `JsonSchema`
    /// on the cordance-core struct because its shape mirrors the axiom
    /// receipt contract; clients validate against that contract instead.
    #[schemars(with = "serde_json::Value")]
    pub receipt: CortexReceiptV1Candidate,
}

pub fn receipt(
    target: &Utf8PathBuf,
    cfg: &Config,
    dry_run: bool,
) -> McpToolResult<CortexReceiptOutput> {
    let pack = super::pack::build_pack_for_cortex_receipt(target, cfg)?;
    let receipt = cordance_cortex::build_receipt(&pack)
        .map_err(|e| McpToolError::internal_redacted("receipt build", e))?;

    // Defence in depth: this struct is the only authority claim Cordance can
    // emit. Even if the builder is later refactored, the MCP path must
    // continue to refuse any boundary widening.
    assert_authority_invariants(&receipt)?;

    let written_path = if dry_run {
        None
    } else {
        // Round-6 redteam #2 CRITICAL: round-5's symlink-write hardening
        // covered the CLI cortex_cmd path but missed THIS MCP cortex site —
        // raw `std::fs::write` here would follow a target-planted symlink at
        // `<target>/.cordance/cortex-receipt.json` and write through to
        // operator-owned files. Route through `cordance_core::fs::
        // safe_write_with_mkdir` so the reparse-point check fires for both
        // the parent dir and the receipt file itself.
        let out_path = target.join(".cordance").join("cortex-receipt.json");
        let json = serde_json::to_string_pretty(&receipt)
            .map_err(|e| McpToolError::internal_redacted("receipt serialise", e))?;
        cordance_core::fs::safe_write_with_mkdir(out_path.as_std_path(), json.as_bytes())
            .map_err(McpToolError::from_io)?;
        Some(out_path)
    };

    Ok(CortexReceiptOutput {
        schema: cordance_core::schema::CORDANCE_CORTEX_RECEIPT_V1_CANDIDATE.to_string(),
        written_path,
        receipt,
    })
}

fn assert_authority_invariants(r: &CortexReceiptV1Candidate) -> McpToolResult<()> {
    let b = &r.authority_boundary;
    if !b.candidate_only
        || b.cortex_truth_allowed
        || b.cortex_admission_allowed
        || b.durable_promotion_allowed
        || b.memory_promotion_allowed
        || b.doctrine_promotion_allowed
        || b.trusted_history_allowed
        || b.release_acceptance_allowed
        || b.runtime_authority_allowed
    {
        return Err(McpToolError::Internal(
            "authority boundary widened — refused (Cordance never grants Cortex authority)".into(),
        ));
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::config::DoctrineConfig;
    use cordance_core::receipt::AuthorityBoundary;

    fn temp_utf8_dir() -> (tempfile::TempDir, Utf8PathBuf) {
        let dir = tempfile::tempdir().expect("tempdir");
        let path = Utf8PathBuf::from_path_buf(dir.path().to_path_buf())
            .expect("tempdir path must be utf8");
        (dir, path)
    }

    fn fixture_receipt() -> CortexReceiptV1Candidate {
        // The default builder path always uses `candidate_only`. We construct
        // a receipt directly from `AuthorityBoundary::candidate_only()` and
        // the simplest possible body so we don't need a pack on disk.
        //
        // Receipt structs in `cordance-core` are `#[non_exhaustive]`, so this
        // test fixture must build them through their `new` constructors.
        use chrono::Utc;
        use cordance_core::receipt::{
            ExecutionTrust, OperatorApproval, ReceiptBody, RuntimeIntegrity, SourceContext,
            TruthCeiling,
        };
        CortexReceiptV1Candidate::new(
            cordance_core::schema::CORDANCE_CORTEX_RECEIPT_V1_CANDIDATE.into(),
            1,
            "candidate_only".into(),
            "cortex context-pack admit-cordance".into(),
            AuthorityBoundary::candidate_only(),
            ReceiptBody::new(
                "test".into(),
                Utc::now(),
                "candidate_only".into(),
                "partial_structural_evidence".into(),
                "repo_only_no_runtime_write".into(),
                "not_bound_for_cortex_promotion".into(),
                "test".into(),
                SourceContext::new(
                    "test".into(),
                    TruthCeiling::CandidateEvidenceOnly,
                    "not_cleared_by_boundary_crossing".into(),
                ),
                ExecutionTrust::new(
                    "local_candidate_only".into(),
                    "deny_authority_grant".into(),
                    "not_field_level_bound_for_cortex".into(),
                    "not_field_level_bound_for_cortex".into(),
                ),
                RuntimeIntegrity::new(false, false, "not_requested".into()),
                OperatorApproval::new(
                    true,
                    "not_supplied_for_cortex_promotion".into(),
                    "not_supplied_for_cortex_promotion".into(),
                ),
                vec![],
                vec![],
                vec![],
                vec![],
            ),
            vec![],
        )
    }

    #[test]
    fn invariants_pass_for_candidate_only_boundary() {
        let r = fixture_receipt();
        assert!(assert_authority_invariants(&r).is_ok());
    }

    #[test]
    fn invariants_fail_when_boundary_widens() {
        let mut r = fixture_receipt();
        r.authority_boundary.cortex_truth_allowed = true;
        let err = assert_authority_invariants(&r).expect_err("widening must be refused");
        match err {
            McpToolError::Internal(msg) => assert!(msg.contains("authority")),
            other => panic!("expected Internal, got {other:?}"),
        }
    }

    #[test]
    fn mcp_receipt_omits_pack_cortex_receipt_noop_warning() {
        let (_target_dir, target) = temp_utf8_dir();
        let (_doctrine_dir, doctrine_root) = temp_utf8_dir();
        let cfg = Config {
            doctrine: DoctrineConfig {
                source: doctrine_root.as_str().to_string(),
                fallback_repo: "https://nonexistent.example.invalid/doctrine".into(),
                pin_commit: "auto".into(),
            },
            ..Default::default()
        };

        let output = receipt(&target, &cfg, true).expect("MCP receipt should build");
        let body = &output.receipt.cordance_execution_receipt_v1;
        let needle = "cortex-receipt requested via --targets";

        assert!(
            output.written_path.is_none(),
            "dry-run receipt must not write to disk"
        );
        assert!(
            !body
                .allowed_claim_language
                .iter()
                .any(|claim| claim.contains(needle)),
            "MCP cortex receipt must not pollute allowed claims: {:?}",
            body.allowed_claim_language
        );
        assert!(
            !body.residual_risk.iter().any(|risk| risk.contains(needle)),
            "MCP cortex receipt must not pollute residual risk: {:?}",
            body.residual_risk
        );
    }
}