Align CLAS trust-verification receipts to canonical metadata proof envelope by GsCommand · Pull Request #34 · commandlayer/clas

GsCommand · 2026-05-18T23:32:01Z

Align CLAS trust-verification schemas, examples, and docs with the canonical receipt/proof shape used by @commandlayer/runtime-core and @commandlayer/agent-sdk so emitted receipts are interoperable with runtime/verifyagent verification.
Replace legacy, fragmented proof fields (top-level proof, proof.alg, proof.signature, kid, lowercase ed25519, etc.) with a single canonical proof envelope under metadata.proof to reduce divergence and ambiguity.
Clarify repository responsibilities and trust boundaries so runtime-core owns canonicalization/hashing/signing primitives while agent-sdk/runtime emit receipts and verifyagent performs verification.

Updated the shared proof schema at schemas/trust-verification/_shared/proof.schema.json to the canonical envelope requiring metadata.proof.canonicalization = "json.sorted_keys.v1", metadata.proof.hash = { alg: "SHA-256", value: <64-hex> }, and metadata.proof.signature = { alg: "Ed25519", value, kid }.
Updated every trust-verification receipt schema (*/**.receipt.schema.json) to require a metadata object containing proof (via $ref to the shared proof schema) instead of a top-level proof field.
Migrated all trust-verification receipt example files to the new metadata.proof shape and normalized algorithm casing/fields to match runtime/agent-sdk output semantics, and preserved invalid/tampered fixtures as intended.
Revised documentation strings to reflect the contract changes (schemas/trust-verification/README.md and docs/mcp-compatibility.md) and added AUDIT-clas-runtime-stack-alignment.md describing the audit, stale fields replaced, files changed, and release notes; also added a package-lock.json from npm install run.

Ran npm install and it completed successfully.
Ran npm run build which failed because no build script is defined in package.json (repository script gap, not schema validation failure).
Ran npm test which executes node scripts/validate-trust-verification-examples.mjs, and all trust-verification fixtures validated as expected after the changes.
Ran npm run validate which also passed and confirmed example/ schema validation matches expected outcomes.

Align trust verification schemas with canonical metadata proof envelope

8b7022d

GsCommand added the codex label May 18, 2026 — with ChatGPT Codex Connector

GsCommand merged commit 66df95a into main May 18, 2026
4 checks passed

GsCommand deleted the codex/align-clas-schemas-with-canonical-implementation branch May 22, 2026 19:34

Provide feedback