cohere-ai
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 39 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎LICENSE-HEADER‎
Lines changed: 13 additions & 0 deletions b/‎LICENSE-HEADER‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 33 additions & 4 deletions b/‎README.md‎
Lines changed: 33 additions & 4 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 2 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/cvm_measure/__init__.py‎
Lines changed: 14 additions & 0 deletions b/‎src/cvm_measure/__init__.py‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/cvm_measure/__main__.py‎
Lines changed: 14 additions & 0 deletions b/‎src/cvm_measure/__main__.py‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/cvm_measure/cli.py‎
Lines changed: 28 additions & 0 deletions b/‎src/cvm_measure/cli.py‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎src/cvm_measure/tdx/__init__.py‎
Lines changed: 14 additions & 0 deletions b/‎src/cvm_measure/tdx/__init__.py‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/cvm_measure/tdx/baseline.py‎
Lines changed: 14 additions & 0 deletions b/‎src/cvm_measure/tdx/baseline.py‎
Lines changed: 14 additions & 0 deletions
@@ -9,6 +9,8 @@ build/
 
 # Testing
 .pytest_cache/
+tests/fixtures/firmware/*.fd
+tests/fixtures/uki/*.efi
 
 # IDE
 .vscode/
 
@@ -1,4 +1,13 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-yaml
+      - id: check-toml
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: ["--maxkb=512"]
+
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.21.2
     hooks:
@@ -21,3 +30,33 @@ repos:
     hooks:
       - id: bandit
         args: ["-r", "src/"]
+
+  - repo: https://github.com/lucas-c/pre-commit-hooks
+    rev: v1.5.5
+    hooks:
+      - id: insert-license
+        files: \.py$
+        args:
+          - --license-filepath=LICENSE-HEADER
+          - --comment-style=#
+
+  - repo: https://github.com/pypa/pip-audit
+    rev: v2.7.3
+    hooks:
+      - id: pip-audit
+
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v4.4.1
+    hooks:
+      - id: commitizen
+        stages: [commit-msg]
+
+  - repo: local
+    hooks:
+      - id: pytest-cov
+        name: pytest with coverage
+        entry: python3 -m pytest tests/ --cov=cvm_measure --cov-fail-under=80 -q
+        language: system
+        types: [python]
+        pass_filenames: false
+        always_run: true
@@ -0,0 +1,13 @@
+Copyright 2026 Cohere, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
@@ -6,12 +6,16 @@
 [![PyPI](https://img.shields.io/pypi/v/cvm-measure)](https://pypi.org/project/cvm-measure/)
 ![License](https://img.shields.io/github/license/cohere-ai/cvm-measure)
 
-Compute expected Intel TDX register values (MRTD + RTMR[0-3]) from published inputs, entirely offline.
-
-`cvm-measure` is the TDX equivalent of [sev-snp-measure](https://github.com/virtee/sev-snp-measure) for AMD SEV-SNP. It takes firmware, UKI, baseline, and RAM topology as inputs and produces the hex register values that a correctly-launched CVM should report.
+Compute expected confidential VM register values from published inputs, entirely offline. `cvm-measure` takes firmware, UKI, baseline, and RAM topology as inputs and produces the hex register values that a correctly-launched CVM should report, letting you verify attestation without booting a VM.
 
 **Zero dependencies.** Python 3.10+ standard library only.
 
+### Supported Hardware
+
+| Platform | Technology | Registers | Status |
+|----------|------------|-----------|--------|
+| Intel | [TDX](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html) | MRTD, RTMR[0-3] | Supported |
+
 ## Install
 
 ```bash
@@ -48,6 +52,31 @@ rtmr2: 5e8f3a...
 rtmr3: 000000...
 ```
 
+### JSON output
+
+Add `--output-format json` for machine-readable output, useful for CI pipelines and scripting:
+
+```bash
+cvm-measure tdx \
+  --firmware OVMF.fd \
+  --uki BOOTX64.EFI \
+  --baseline baseline.json \
+  --ram 234 \
+  --output-format json
+```
+
+Output:
+
+```json
+{
+  "mrtd": "3a7b2c...",
+  "rtmr0": "8f4e1d...",
+  "rtmr1": "c2a9b7...",
+  "rtmr2": "5e8f3a...",
+  "rtmr3": "000000..."
+}
+```
+
 ### Multi-NUMA topology
 
 ```bash
@@ -129,7 +158,7 @@ A baseline file contains SHA-384 digests for events that **cannot be computed of
 - **Boot variables**: BootOrder, Boot0000-Boot0003
 - **GPT**: Disk partition table hash
 
-Baselines are **not shipped with this tool**. They are data artifacts published alongside each CVM image release by the operator.
+Baselines are **not shipped with this tool**. Cohere publishes baselines in the [cohere-cc-baselines](https://github.com/cohere-ai/cohere-cc-baselines) repository, organized by provider, platform, and machine type.
 
 ### How baselines are created
 
 
@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "cvm-measure"
 version = "0.1.0"
-description = "Compute expected TDX register values (MRTD + RTMR) from firmware, UKI, and baseline inputs"
+description = "Compute expected confidential VM register values from firmware, UKI, and baseline inputs"
 requires-python = ">=3.10"
 license = {text = "Apache-2.0"}
 readme = "README.md"
@@ -14,6 +14,7 @@ dependencies = []
 [project.optional-dependencies]
 dev = [
     "pytest",
+    "pytest-cov",
     "mypy",
     "ruff",
 ]
 
@@ -1,3 +1,17 @@
+# Copyright 2026 Cohere, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 """cvm-measure: compute expected TDX register values from published inputs."""
 
 __version__ = "0.1.0"
@@ -1,3 +1,17 @@
+# Copyright 2026 Cohere, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 """Allow running as: python -m cvm_measure"""
 
 from .cli import main
 
@@ -1,3 +1,17 @@
+# Copyright 2026 Cohere, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 """CLI entry point for cvm-measure.
 
 Usage:
@@ -95,6 +109,8 @@ def _resolve_rtmr3(args: argparse.Namespace, parser: argparse.ArgumentParser) ->
         parser.error("--initdata and --rtmr3 are mutually exclusive")
 
     if args.initdata is not None:
+        _require_file(args.initdata, "--initdata")
+
         from .tdx.initdata import compute_digest
         from .tdx.rtmr import SHA384_SIZE, extend_rtmr
 
@@ -105,12 +121,19 @@ def _resolve_rtmr3(args: argparse.Namespace, parser: argparse.ArgumentParser) ->
     return args.rtmr3
 
 
+def _require_file(path: Path, flag: str) -> None:
+    if not path.exists():
+        print(f"error: {flag} file not found: {path}", file=sys.stderr)
+        sys.exit(1)
+
+
 def _cmd_compute(args: argparse.Namespace, parser: argparse.ArgumentParser) -> None:
     if args.firmware is None:
         parser.error("--firmware is required")
     if args.ram is None:
         parser.error("--ram is required")
 
+    _require_file(args.firmware, "--firmware")
     firmware = args.firmware.read_bytes()
 
     if args.mode == "mrtd":
@@ -133,6 +156,9 @@ def _cmd_compute(args: argparse.Namespace, parser: argparse.ArgumentParser) -> N
 
     from .tdx import compute_all_registers, load_baseline
 
+    _require_file(args.uki, "--uki")
+    _require_file(args.baseline, "--baseline")
+
     uki = args.uki.read_bytes()
     baseline = load_baseline(args.baseline)
 
@@ -163,6 +189,7 @@ def _cmd_extract_baseline(args: argparse.Namespace) -> None:
 
     from .tdx.baseline import extract_from_ccel, save
 
+    _require_file(args.ccel, "--ccel")
     ccel_data = args.ccel.read_bytes()
     baseline = extract_from_ccel(ccel_data, args.machine_type)
 
@@ -194,6 +221,7 @@ def _cmd_replay(args: argparse.Namespace) -> None:
     from .tdx.ccel import parse_event_log
     from .tdx.rtmr import replay_event_log
 
+    _require_file(args.ccel, "--ccel")
     ccel_data = args.ccel.read_bytes()
     log = parse_event_log(ccel_data)
     rtmrs = replay_event_log(log)
 
@@ -1,3 +1,17 @@
+# Copyright 2026 Cohere, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 """cvm_measure.tdx -- Intel TDX register computation.
 
 Public API:
 
@@ -1,3 +1,17 @@
+# Copyright 2026 Cohere, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 """Baseline management for non-computable event digests.
 
 Stores event data that cannot be computed from firmware, UKI, or