Command-line usage
Verify, inspect, diff, and disclose receipts offline.
The CLI ships as the clinical-receipt binary once the package is
installed. It is a thin wrapper around the same verify surface a
library caller uses.
verify
clinical-receipt verify receipt.json [--key public.jwk]... [--json]
Exits 0 when the report is ok, 1 when integrity or a signature
fails, 2 on bad arguments or unreadable input. Pass --json for the
structured report.
verify --disclosure
clinical-receipt verify --disclosure package.json [--key public.jwk]...
Same exit-code convention; the report is a DisclosureVerificationReport
so it carries disclosedEvents and disclosures.complete in addition
to the standard fields.
inspect
clinical-receipt inspect receipt.json [--json]
Prints stats — id, workflow, event count, event-type histogram, root digest, signature key ids. No payload values are ever printed.
diff
clinical-receipt diff a.json b.json [--json]
Reports whether roots match, and lists event ids that appear only in one side. Deliberately says nothing about payload contents — a diff tool that leaks values is a diff tool that leaks PHI.
disclose
clinical-receipt disclose receipt.json --event <pattern>... [--redact <pattern>...] [--out share.json]
Patterns match event ids, exact types, or wildcards ending in *
(human-review.*). Writes to stdout by default; pass --out to save
to a file. The resulting package verifies cleanly with
verify --disclosure.
fhir inspect
clinical-receipt fhir inspect receipt.json [--json]
Projects the FHIR events in the receipt into a trace: servers, reads, searches, writes, transactions, errors, lineage. Identifiers and version ids are printed; resource bodies are not.
fhir verify
clinical-receipt fhir verify receipt.json \
[--key public.jwk]... \
[--resource <ref>=<path>]... \
[--json]
Runs base receipt verification, then walks the FHIR events. For every
--resource <ref>=<path> pair, canonicalizes the JSON at <path>
under fhir-json-r4@1 and reports match, mismatch, or
no-content-supplied against the receipt's commitment. Exit 0
when the report is ok, 1 when integrity, signature, or FHIR
commitment verification fails.
The verifier is offline — it never contacts a FHIR server. Live store comparison (Layer 3 in the FHIR verification model) is a follow-up release.
fhir diff
clinical-receipt fhir diff a.json b.json [--json]
Reports which FHIR reads and writes appear only in receipt A vs receipt B, and each side's search count. Diffs by resource reference, not by receipt event id — a workflow rerun against the same server often yields new event ids for the same clinical read.