passport verify

sbo3l passport verify [OPTIONS] --path <CAPSULE>

Modes

| Mode | What it checks | Cost | When to use |
|---|---|---|---|
| --mode structural (default) | schema + hash linkage | < 10 ms | continuous CI, smoke tests |
| --mode strict | structural + signatures + content hashes + consistency rules | < 200 ms | pre-merge gate, audit, judging |

Strict mode runs all 6 checks documented in self-contained capsule v2.

Flags

| Flag | Default | Effect |
|---|---|---|
| --path <FILE> | required | path to the capsule JSON |
| --mode <structural\|strict> | structural | check depth |
| --json | off | emit JCS-canonical JSON result instead of human text |
| --quiet | off | no stdout unless error |
| --verbose | off | trace-level diagnostics on stderr |

--json output is JCS-canonical (sorted keys, no insignificant whitespace) so CI can hash it for golden-file diffs.

Exit codes

Per Bob’s CLI exit-code contract:

| Code | Meaning |
|---|---|
| 0 | OK — all checks passed |
| 1 | IO error — capsule file missing, malformed JSON, can’t open |
| 2 | semantic / verification failure — at least one check failed |
| 3 | nothing-to-do — empty input, no-op flag combination |

Examples

Smoke against a known-good fixture

sbo3l passport verify --path tests/fixtures/passport-v2-good.json
# stdout: capsule OK · 4 structural checks passed
# rc=0

Strict mode in CI

sbo3l passport verify --strict --json --path capsule.json | tee verify.json
test "$(jq -r .decision verify.json)" = "ok"
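
An added example, not code from the sbo3l project: a fail-closed CI gate that reads the verifier's exit code directly (in a `| tee` pipeline without pipefail, `$?` is tee's status), maps it to the exit-code table above, and compares the SHA-256 of the canonical --json result against a recorded golden hash. The function name verify_gate, its return codes 10-15, the golden-file layout and the use of sha256sum are assumptions of this example.

```shell
# Added example (not sbo3l project code): fail-closed CI gate.
# Uses only what this page documents: --mode strict, --json, --path, rc 0-3.
# Assumptions: sha256sum is available; return codes 10-15 are this example's own.
#
# usage: verify_gate <capsule.json> <golden.sha256>
verify_gate() {
    capsule=$1
    golden=$2
    result=$(mktemp) || return 10

    # Redirect to a file instead of piping through tee, so that $? below
    # is the verifier's own exit code and not the last pipeline stage's.
    sbo3l passport verify --mode strict --json --path "$capsule" >"$result"
    rc=$?

    # Map the documented exit codes. Everything except 0 rejects the capsule,
    # including rc=3: "nothing-to-do" means no check actually ran.
    case $rc in
        0) gate=0 ;;
        1) gate=11; why="IO error (missing file or malformed JSON)" ;;
        2) gate=12; why="at least one check failed" ;;
        3) gate=13; why="nothing-to-do, so nothing was verified" ;;
        *) gate=14; why="exit code outside the documented contract" ;;
    esac
    if [ "$gate" -ne 0 ]; then
        echo "REJECT $capsule: rc=$rc, $why" >&2
        rm -f "$result"
        return "$gate"
    fi

    # --json output is JCS-canonical, so a byte-level hash is a stable
    # fingerprint that can be compared against a golden file.
    actual=$(sha256sum <"$result" | cut -d' ' -f1)
    rm -f "$result"
    expected=$(cut -d' ' -f1 <"$golden") || return 10
    if [ "$actual" != "$expected" ]; then
        echo "REJECT $capsule: result hash $actual differs from golden $expected" >&2
        return 15
    fi
    return 0
}
```

The golden file is expected in `sha256sum` output format (hash first, then the file name); regenerate it deliberately when a capsule change is intended, never from inside the gate itself.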

Adversarial corpus loop

for f in tests/fixtures/passport-v2-tampered/*.json; do
  out=$(sbo3l passport verify --strict --path "$f" 2>&1)
  rc=$?
  if [ "$rc" -ne 2 ]; then
    echo "FAIL: $f did not reject (rc=$rc)"
    exit 1
  fi
done
echo "all 9 tampered fixtures rejected with rc=2"

Pitfalls

  • Strict mode requires the capsule’s embedded agent_pubkey to match the original signing key. The capsule is self-contained on this front — there’s no separate --pubkey flag.
  • --json output is stable across releases (semver-locked schema). --verbose text format is not stable; don’t grep it from CI.
  • rc=3 can fire if you pass --mode structural against a v1 capsule — v1 capsules are refused by v2-aware verifiers; bump them with the CLI’s passport upgrade subcommand (separate page).

See also