Replace verify subcommands with passthrough to secretvm-verify #10
Open
azaidelson wants to merge 1 commit into master from
cc185e6 to 6e93218
6e93218 to 2f49b8c
iKapitonau approved these changes Apr 27, 2026
Summary

- verify quote / verify workload / verify proof-of-cloud subcommands and replaces them with a single verify passthrough that spawns the secretvm-verify binary with the user's args forwarded verbatim.
- --vm-id <id>, which resolves to a hostname via the portal API and injects --vm <host> (or --secretvm <host> if no other verb flag is present) before forwarding.
- secretvm-verify directly. Help output rewrites secretvm-verify → secretvm-cli verify in usage examples and prepends a one-line note showing the upstream version.
- secretvm-verification-sdk, adds secretvm-verify@^0.8.4.

Why

Maintaining a parallel CLI surface in this repo was costing flag drift, output-shape divergence, and missed upstream improvements.
secretvm-verify already has its own well-maintained CLI with a richer feature set (--cpu, --tdx, --sev, --gpu, --secretvm, --verify-workload, --resolve-version, --check-agent, --agent, --compose, plus modifiers like --docker-files, --proof-of-cloud, --show-compose, --json, --raw, --verbose). Forwarding to it gives us one source of truth and automatic feature parity.

Breaking changes

- secretvm-cli verify quote ... / verify workload ... / verify proof-of-cloud ... no longer exist. Migrate to the upstream flag form:
  - verify quote --quote-file x.txt → verify --cpu x.txt
  - verify workload --quote-file q.txt -d compose.yaml → verify --verify-workload q.txt --compose compose.yaml
  - verify proof-of-cloud --quote-file q.txt → verify --proof-of-cloud --cpu q.txt
- v0.8.0 and aren't widely deployed, so blast radius is small.

Design + plan docs

- docs/superpowers/specs/2026-04-24-verify-passthrough-design.md
- docs/superpowers/plans/2026-04-24-verify-passthrough.md

Test plan

- secretvm-cli verify (no args) → banner with upstream version + upstream usage, all examples shown as secretvm-cli verify ....
- secretvm-cli verify --help → same as above.
- secretvm-cli verify --cpu <quote> → output matches npx secretvm-verify --cpu <quote> byte-for-byte.
- secretvm-cli verify --json --cpu <quote> → upstream JSON output.
- secretvm-cli verify --secretvm <host> → end-to-end check against a live SecretVM.
- secretvm-cli verify --vm-id <id> (logged in) → portal lookup → forwards as --secretvm <host>.
- secretvm-cli verify --cpu --vm-id <id> → forwards as --cpu --vm <host>.
- secretvm-cli verify --secretvm foo --vm-id bar → clean single-line error, exit 1, no stack trace.
- secretvm-cli verify --cpu /dev/null → upstream's failure output, exit 1 propagates.
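
The `--vm-id` rewrite from the summary and test plan, sketched as an added example that is not code from this pull request. The function names, the verb-flag set, the `--vm` conflict check and the hostname rule are assumptions; the host is treated as untrusted because it comes back from the portal API and is placed into the forwarded argument list.

```javascript
// Added example: flag names are from the PR description; the verb-flag set,
// the --vm conflict and the hostname rule are assumptions.
const VERB_FLAGS = new Set(['--cpu', '--tdx', '--sev', '--gpu', '--secretvm',
  '--verify-workload', '--resolve-version', '--check-agent', '--agent', '--compose']);
const HOSTNAME =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Pull --vm-id <id> out of argv; every other argument keeps its order and value.
function extractVmId(argv) {
  const rest = [];
  let vmId = null;
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] !== '--vm-id') {
      rest.push(argv[i]);
      continue;
    }
    const value = argv[i + 1];
    if (value === undefined || value.startsWith('-')) {
      throw new Error('--vm-id requires a value');
    }
    if (vmId !== null) throw new Error('--vm-id given more than once');
    vmId = value;
    i++; // skip the consumed value
  }
  return { vmId, rest };
}

// Build the argv handed to secretvm-verify after the portal lookup returned `host`.
function buildForwardArgs(argv, host) {
  const { vmId, rest } = extractVmId(argv);
  if (vmId === null) return rest; // no --vm-id: forward verbatim
  if (rest.includes('--secretvm') || rest.includes('--vm')) {
    throw new Error('--vm-id cannot be combined with --secretvm or --vm');
  }
  // Remote data becomes an argument: accept only a plain hostname, so the
  // value can never start with "-" and be read as an option.
  if (typeof host !== 'string' || !HOSTNAME.test(host)) {
    throw new Error('portal returned an invalid hostname');
  }
  const hasVerb = rest.some((arg) => VERB_FLAGS.has(arg));
  return [...rest, hasVerb ? '--vm' : '--secretvm', host];
}
```

The returned array is meant to be passed as the argument vector of the child process rather than joined into a shell string, which keeps "forwarded verbatim" true for arguments containing spaces or shell metacharacters.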