oss.sarwagya.wtf

Command-line usage

Verify, inspect, diff, and disclose receipts offline.

The CLI ships as the clinical-receipt binary once the package is installed. It is a thin wrapper around the same verify surface a library caller uses.

verify

clinical-receipt verify receipt.json [--key public.jwk]... [--json]

Exits 0 when the report is ok, 1 when integrity or a signature fails, 2 on bad arguments or unreadable input. Pass --json for the structured report.

verify --disclosure

clinical-receipt verify --disclosure package.json [--key public.jwk]...

Same exit-code convention; the report is a DisclosureVerificationReport so it carries disclosedEvents and disclosures.complete in addition to the standard fields.

inspect

clinical-receipt inspect receipt.json [--json]

Prints stats — id, workflow, event count, event-type histogram, root digest, signature key ids. No payload values are ever printed.

diff

clinical-receipt diff a.json b.json [--json]

Reports whether roots match, and lists event ids that appear only in one side. Deliberately says nothing about payload contents — a diff tool that leaks values is a diff tool that leaks PHI.

disclose

clinical-receipt disclose receipt.json --event <pattern>... [--redact <pattern>...] [--out share.json]

Patterns match event ids, exact types, or wildcards ending in * (human-review.*). Writes to stdout by default; pass --out to save to a file. The resulting package verifies cleanly with verify --disclosure.

fhir inspect

clinical-receipt fhir inspect receipt.json [--json]

Projects the FHIR events in the receipt into a trace: servers, reads, searches, writes, transactions, errors, lineage. Identifiers and version ids are printed; resource bodies are not.

fhir verify

clinical-receipt fhir verify receipt.json \
  [--key public.jwk]... \
  [--resource <ref>=<path>]... \
  [--json]

Runs base receipt verification, then walks the FHIR events. For every --resource <ref>=<path> pair, canonicalizes the JSON at <path> under fhir-json-r4@1 and reports match, mismatch, or no-content-supplied against the receipt's commitment. Exit 0 when the report is ok, 1 when integrity, signature, or FHIR commitment verification fails.

The verifier is offline — it never contacts a FHIR server. Live store comparison (Layer 3 in the FHIR verification model) is a follow-up release.

fhir diff

clinical-receipt fhir diff a.json b.json [--json]

Reports which FHIR reads and writes appear only in receipt A vs receipt B, and each side's search count. Diffs by resource reference, not by receipt event id — a workflow rerun against the same server often yields new event ids for the same clinical read.