diff --git a/AUDIT-clas-runtime-stack-alignment.md b/AUDIT-clas-runtime-stack-alignment.md
new file mode 100644
index 0000000..21bee2d
--- /dev/null
+++ b/AUDIT-clas-runtime-stack-alignment.md
@@ -0,0 +1,52 @@
+# CLAS Runtime Stack Alignment Audit
+
+Date: 2026-05-18
+Branch: align/clas-to-canonical-runtime-stack
+
+## Files changed
+- Trust verification shared proof schema and all trust-verification receipt schemas.
+- Trust verification receipt examples across approve/attest/authenticate/authorize/endorse/grant/permit/reject/sign/verify.
+- Documentation updates:
+ - `schemas/trust-verification/README.md`
+ - `docs/mcp-compatibility.md`
+
+## Stale fields found
+The following stale proof fields were found and replaced in schemas/examples:
+- `receipt.proof`
+- `proof.canonical`
+- `proof.alg`
+- `proof.signature`
+- `proof.kid`
+- `proof.signer_id`
+- lowercase-only `ed25519`
+
+Not found in the trust-verification schema/examples payloads audited:
+- `hash_sha256`
+- `signature_b64`
+
+## Schemas updated
+- Receipt schemas now require `metadata` with required `metadata.proof` object.
+- Shared proof schema now enforces canonical shape:
+ - `metadata.proof.canonicalization = "json.sorted_keys.v1"`
+ - `metadata.proof.hash.alg = "SHA-256"`
+ - `metadata.proof.hash.value = <64 hex chars>`
+ - `metadata.proof.signature.alg = "Ed25519"`
+ - `metadata.proof.signature.value = `
+ - `metadata.proof.signature.kid = `
+
+## Examples updated
+- All trust-verification `*.receipt.json` examples were migrated from top-level `proof` to `metadata.proof`.
+- Invalid examples were preserved as schema-invalid fixtures by using invalid proof content where required.
+
+## Checks run
+- `npm install` ✅
+- `npm run build` ❌ (script missing in package.json)
+- `npm test` ✅
+- `npm run validate` ✅
+
+## Release blockers
+- `npm run build` script does not exist in this repository; build check cannot run as requested.
+
+## Draft-v1 readiness
+- **Ready for draft-v1 tag with caveat**: schema/example alignment for canonical proof envelope is complete and validation passes.
+- Caveat: missing build script should be addressed or explicitly waived in release criteria.
diff --git a/docs/mcp-compatibility.md b/docs/mcp-compatibility.md index f8a5195..b73b7fb 100644 --- a/docs/mcp-compatibility.md +++ b/docs/mcp-compatibility.md @@ -12,7 +12,7 @@ An MCP server implementing `get_action_schema` can return canonical CLAS schema ## `verify_receipt` -An MCP server implementing `verify_receipt` can validate CLAS receipts using canonicalization, SHA-256 hashes, and Ed25519 signatures. +An MCP server implementing `verify_receipt` can transport verification requests and results, but it is not the trust root; trust validation is performed by runtime/verifyagent against CLAS receipt contracts. ## Trust model diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..55527b8 --- /dev/null +++ b/package-lock.json 
@@ -0,0 +1,92 @@ +{ + "name": "@commandlayer/clas", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "@commandlayer/clas", + "version": "1.0.0", + "devDependencies": { + "ajv": "^8.17.1", + "ajv-formats": "^3.0.1" + } + }, + "node_modules/ajv": { + "version": "8.20.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz", + "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==", + "dev": true, + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.3", + "fast-uri": "^3.0.1", + "json-schema-traverse": "^1.0.0", + "require-from-string": "^2.0.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + "node_modules/ajv-formats": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz", + "integrity": "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "ajv": "^8.0.0" + }, + "peerDependencies": { + "ajv": "^8.0.0" + }, + "peerDependenciesMeta": { + "ajv": { + "optional": true + } + } + }, + "node_modules/fast-deep-equal": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", + "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", + "dev": true, + "license": "MIT" + }, + "node_modules/fast-uri": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/fastify" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/fastify" + } + ], + "license": "BSD-3-Clause" + }, + 
"node_modules/json-schema-traverse": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz", + "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==", + "dev": true, + "license": "MIT" + }, + "node_modules/require-from-string": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", + "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + } + } +} diff --git a/schemas/trust-verification/README.md b/schemas/trust-verification/README.md index 2b43b53..e3e80cc 100644 --- a/schemas/trust-verification/README.md +++ b/schemas/trust-verification/README.md @@ -72,12 +72,12 @@ Every receipt references the shared proof schema: Shared proof fields (as defined in `_shared/proof.schema.json`): -- `canonical` — canonicalization algorithm identifier (const: `json.sorted_keys.v1`) -- `hash` — SHA-256 hash of the canonical payload (pattern: `sha256:<64 hex chars>`) -- `alg` — signature algorithm (enum: `ed25519`) -- `signature` — the cryptographic signature value -- `kid` — key identifier -- `signer_id` — identifier of the signing party +- `metadata.proof.canonicalization` — canonicalization identifier (const: `json.sorted_keys.v1`) +- `metadata.proof.hash.alg` — hash algorithm (const: `SHA-256`) +- `metadata.proof.hash.value` — lowercase SHA-256 hex digest (`64` hex chars) +- `metadata.proof.signature.alg` — signature algorithm (const: `Ed25519`) +- `metadata.proof.signature.value` — signature value +- `metadata.proof.signature.kid` — key identifier These fields provide a common cryptographic envelope model across all verb receipts. 
diff --git a/schemas/trust-verification/_shared/proof.schema.json b/schemas/trust-verification/_shared/proof.schema.json index 49290da..3e188a8 100644 --- a/schemas/trust-verification/_shared/proof.schema.json +++ b/schemas/trust-verification/_shared/proof.schema.json @@ -1,40 +1,57 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://schemas.commandlayer.org/schemas/trust-verification/_shared/proof.schema.json", + "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/_shared/proof.schema.json", "title": "CLAS Trust Proof", "description": "Shared proof envelope for trust verification receipts.", "type": "object", "additionalProperties": false, "required": [ - "canonical", + "canonicalization", "hash", - "alg", - "signature", - "kid", - "signer_id" + "signature" ], "properties": { - "canonical": { + "canonicalization": { "const": "json.sorted_keys.v1" }, "hash": { - "type": "string", - "pattern": "^sha256:[a-fA-F0-9]{64}$" - }, - "alg": { - "enum": ["ed25519"] + "type": "object", + "additionalProperties": false, + "required": [ + "alg", + "value" + ], + "properties": { + "alg": { + "const": "SHA-256" + }, + "value": { + "type": "string", + "pattern": "^[a-fA-F0-9]{64}$" + } + } }, "signature": { - "type": "string", - "minLength": 16 - }, - "kid": { - "type": "string", - "minLength": 1 - }, - "signer_id": { - "type": "string", - "minLength": 1 + "type": "object", + "additionalProperties": false, + "required": [ + "alg", + "value", + "kid" + ], + "properties": { + "alg": { + "const": "Ed25519" + }, + "value": { + "type": "string", + "minLength": 16 + }, + "kid": { + "type": "string", + "minLength": 1 + } + } } } } diff --git a/schemas/trust-verification/approve/approve.receipt.schema.json b/schemas/trust-verification/approve/approve.receipt.schema.json index 6658ebe..ac744dd 100644 --- a/schemas/trust-verification/approve/approve.receipt.schema.json +++ b/schemas/trust-verification/approve/approve.receipt.schema.json 
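Review bot: `hash.value` is validated with `^[a-fA-F0-9]{64}$`, which accepts upper- and mixed-case hex, while the README change in this same commit documents the field as a lowercase digest. Two spellings of one digest make string comparison and receipt de-duplication unreliable, so I would tighten it to `"pattern": "^[a-f0-9]{64}$"`. `signature.value` is constrained only by `"minLength": 16`, so any string passes, including the `ed25519:demo:` prefixed form the examples use; a pattern or a `description` naming the expected encoding would make the contract checkable. With `signer_id` removed, `kid` is the only signer reference left in the proof, so it deserves a `description` saying that verifiers are expected to resolve `kid` against a trusted key set rather than anything carried in the receipt.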
@@ -13,7 +13,7 @@ "request", "approval", "ts", - "proof" + "metadata" ], "properties": { "version": { @@ -64,8 +64,17 @@ "type": "string", "format": "date-time" }, - "proof": { - "$ref": "../_shared/proof.schema.json" + "metadata": { + "type": "object", + "additionalProperties": false, + "required": [ + "proof" + ], + "properties": { + "proof": { + "$ref": "../_shared/proof.schema.json" + } + } } } } diff --git a/schemas/trust-verification/approve/examples/invalid.receipt.json b/schemas/trust-verification/approve/examples/invalid.receipt.json index ac66778..4b87ee6 100644 --- a/schemas/trust-verification/approve/examples/invalid.receipt.json +++ b/schemas/trust-verification/approve/examples/invalid.receipt.json @@ -34,12 +34,18 @@ "expires_at": "2026-05-10T14:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonicalization": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "signature_alg": "ecdsa", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "key_id": "cl-key-1", - "signer": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/approve/examples/tampered.receipt.json b/schemas/trust-verification/approve/examples/tampered.receipt.json index 2fde333..05c457b 100644 --- a/schemas/trust-verification/approve/examples/tampered.receipt.json +++ b/schemas/trust-verification/approve/examples/tampered.receipt.json 
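Review bot: The `"$ref": "../_shared/proof.schema.json"` under the new `metadata.proof` property is relative, so it resolves against this receipt schema's `$id`, which lies outside the hunk, while the same commit moves the proof schema's `$id` to `https://schemas.commandlayer.org/schemas/v1.0.0/trust/_shared/proof.schema.json`. If the receipt `$id` still sits under `/schemas/trust-verification/approve/`, the resolved URI no longer matches, and a validator that resolves by `$id` may fail to find the proof schema or pick up a stale copy; it is worth confirming that `npm run validate` loads schemas by `$id` and not only by file path. The same `$ref` appears in the attest, authenticate, authorize, endorse and grant receipt schema hunks. Separately, `metadata` should carry a `description` stating whether `metadata.proof` is excluded from the canonical payload that is hashed and signed, since the proof is carried inside the receipt it covers.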
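Review bot: This negative fixture's proof block now differs from the valid example only in `"alg": "ed25519"`, so it tests the casing of the algorithm name and nothing else; the removed version also covered a disallowed algorithm (`ecdsa`) and unknown property names. In the attest and grant `invalid.receipt.json` hunks the new proof block is identical to the valid one, so those fixtures are schema-invalid only if a violation exists outside the hunk, and the endorse fixture loses its empty `key_id` case. I would keep one distinct proof violation per fixture, for example a non-Ed25519 `alg`, an empty `kid`, or an extra property such as `signer_id`, so that `additionalProperties: false` and each `const` are exercised by a failing case.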
@@ -34,12 +34,18 @@ "expires_at": "2026-05-10T14:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/approve/examples/valid.receipt.json b/schemas/trust-verification/approve/examples/valid.receipt.json index 07554b9..16031cc 100644 --- a/schemas/trust-verification/approve/examples/valid.receipt.json +++ b/schemas/trust-verification/approve/examples/valid.receipt.json @@ -34,12 +34,18 @@ "expires_at": "2026-05-10T14:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/attest/attest.receipt.schema.json b/schemas/trust-verification/attest/attest.receipt.schema.json index 83a8382..4b00234 100644 
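Review bot: `signature.value` in the valid example still carries the `ed25519:demo:` prefix although the algorithm now has its own `alg` field and `hash.value` dropped its `sha256:` prefix in the same migration; the two fields should follow one convention, and a bare encoded signature is the form a verifier can decode directly. The proof block is also identical to the one in the `tampered.receipt.json` hunk just above and uses a constant `aaaa…` digest, so neither file can be verified cryptographically and schema validation cannot tell them apart. If that is intended, state in the examples documentation that these are placeholder values constructed for schema tests; otherwise regenerate the valid example with a digest and signature produced from a test key so the tampered fixture fails on hash comparison. The same applies to the attest, authenticate, authorize, endorse and grant example hunks.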
--- a/schemas/trust-verification/attest/attest.receipt.schema.json +++ b/schemas/trust-verification/attest/attest.receipt.schema.json @@ -13,7 +13,7 @@ "request", "attestation", "ts", - "proof" + "metadata" ], "properties": { "version": { @@ -64,8 +64,17 @@ "type": "string", "format": "date-time" }, - "proof": { - "$ref": "../_shared/proof.schema.json" + "metadata": { + "type": "object", + "additionalProperties": false, + "required": [ + "proof" + ], + "properties": { + "proof": { + "$ref": "../_shared/proof.schema.json" + } + } } } } diff --git a/schemas/trust-verification/attest/examples/invalid.receipt.json b/schemas/trust-verification/attest/examples/invalid.receipt.json index 7526867..b82bbb2 100644 --- a/schemas/trust-verification/attest/examples/invalid.receipt.json +++ b/schemas/trust-verification/attest/examples/invalid.receipt.json @@ -43,12 +43,18 @@ "expires_at": "2026-06-10T12:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonicalization": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "signature_alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "key_id": "cl-key-1", - "signer": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/attest/examples/tampered.receipt.json b/schemas/trust-verification/attest/examples/tampered.receipt.json index 0d797ad..e5d1299 100644 --- a/schemas/trust-verification/attest/examples/tampered.receipt.json +++ b/schemas/trust-verification/attest/examples/tampered.receipt.json 
@@ -43,12 +43,18 @@ "expires_at": "2026-06-10T12:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/attest/examples/valid.receipt.json b/schemas/trust-verification/attest/examples/valid.receipt.json index fe8ab00..f727f86 100644 --- a/schemas/trust-verification/attest/examples/valid.receipt.json +++ b/schemas/trust-verification/attest/examples/valid.receipt.json @@ -43,12 +43,18 @@ "expires_at": "2026-06-10T12:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } 
diff --git a/schemas/trust-verification/authenticate/authenticate.receipt.schema.json b/schemas/trust-verification/authenticate/authenticate.receipt.schema.json index eb9650c..0bbf560 100644 --- a/schemas/trust-verification/authenticate/authenticate.receipt.schema.json +++ b/schemas/trust-verification/authenticate/authenticate.receipt.schema.json @@ -13,12 +13,18 @@ "request", "authentication", "ts", - "proof" + "metadata" ], "properties": { - "version": { "const": "1.0.0" }, - "family": { "const": "trust" }, - "verb": { "const": "authenticate" }, + "version": { + "const": "1.0.0" + }, + "family": { + "const": "trust" + }, + "verb": { + "const": "authenticate" + }, "receipt_id": { "type": "string", "minLength": 1 @@ -29,20 +35,33 @@ "authentication": { "type": "object", "additionalProperties": false, - "required": ["status"], + "required": [ + "status" + ], "properties": { "status": { "type": "string", - "enum": ["authenticated", "unauthenticated", "uncertain", "expired"] + "enum": [ + "authenticated", + "unauthenticated", + "uncertain", + "expired" + ] + }, + "subject_id": { + "type": "string" + }, + "method": { + "type": "string" }, - "subject_id": { "type": "string" }, - "method": { "type": "string" }, "confidence": { "type": "number", "minimum": 0, "maximum": 1 }, - "reason": { "type": "string" }, + "reason": { + "type": "string" + }, "expires_at": { "type": "string", "format": "date-time" @@ -53,8 +72,17 @@ "type": "string", "format": "date-time" }, - "proof": { - "$ref": "../_shared/proof.schema.json" + "metadata": { + "type": "object", + "additionalProperties": false, + "required": [ + "proof" + ], + "properties": { + "proof": { + "$ref": "../_shared/proof.schema.json" + } + } } } } diff --git a/schemas/trust-verification/authenticate/examples/invalid.receipt.json b/schemas/trust-verification/authenticate/examples/invalid.receipt.json index 9789c6a..05b6918 100644 --- a/schemas/trust-verification/authenticate/examples/invalid.receipt.json 
+++ b/schemas/trust-verification/authenticate/examples/invalid.receipt.json @@ -36,6 +36,5 @@ "reason": "Challenge response verified against DID document.", "expires_at": "2026-05-10T15:00:00Z" }, - "ts": "2026-05-10T12:05:00Z", - "proof": null + "ts": "2026-05-10T12:05:00Z" } diff --git a/schemas/trust-verification/authenticate/examples/tampered.receipt.json b/schemas/trust-verification/authenticate/examples/tampered.receipt.json index ba29359..10b7cb2 100644 --- a/schemas/trust-verification/authenticate/examples/tampered.receipt.json +++ b/schemas/trust-verification/authenticate/examples/tampered.receipt.json @@ -37,12 +37,18 @@ "expires_at": "2026-05-10T15:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/authenticate/examples/valid.receipt.json b/schemas/trust-verification/authenticate/examples/valid.receipt.json index 5106358..16fb368 100644 --- a/schemas/trust-verification/authenticate/examples/valid.receipt.json +++ b/schemas/trust-verification/authenticate/examples/valid.receipt.json 
@@ -37,12 +37,18 @@ "expires_at": "2026-05-10T15:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/authorize/authorize.receipt.schema.json b/schemas/trust-verification/authorize/authorize.receipt.schema.json index 0e44870..160f62c 100644 --- a/schemas/trust-verification/authorize/authorize.receipt.schema.json +++ b/schemas/trust-verification/authorize/authorize.receipt.schema.json @@ -13,7 +13,7 @@ "request", "decision", "ts", - "proof" + "metadata" ], "properties": { "version": { @@ -64,8 +64,17 @@ "type": "string", "format": "date-time" }, - "proof": { - "$ref": "../_shared/proof.schema.json" + "metadata": { + "type": "object", + "additionalProperties": false, + "required": [ + "proof" + ], + "properties": { + "proof": { + "$ref": "../_shared/proof.schema.json" + } + } } } } diff --git a/schemas/trust-verification/authorize/examples/invalid.receipt.json b/schemas/trust-verification/authorize/examples/invalid.receipt.json index 0ca2016..676b1ea 100644 --- a/schemas/trust-verification/authorize/examples/invalid.receipt.json +++ b/schemas/trust-verification/authorize/examples/invalid.receipt.json 
@@ -33,12 +33,18 @@ "policy_id": "policy.deploy.payments.v3" }, "ts": "not-a-timestamp", - "proof": { - "canonicalization": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "signature_alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "key_id": "cl-key-1", - "signer": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/authorize/examples/tampered.receipt.json b/schemas/trust-verification/authorize/examples/tampered.receipt.json index a46128c..104e140 100644 --- a/schemas/trust-verification/authorize/examples/tampered.receipt.json +++ b/schemas/trust-verification/authorize/examples/tampered.receipt.json @@ -32,12 +32,18 @@ "policy_id": "policy.deploy.payments.v3" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } 
diff --git a/schemas/trust-verification/authorize/examples/valid.receipt.json b/schemas/trust-verification/authorize/examples/valid.receipt.json index 0357dd5..09f047e 100644 --- a/schemas/trust-verification/authorize/examples/valid.receipt.json +++ b/schemas/trust-verification/authorize/examples/valid.receipt.json @@ -33,12 +33,18 @@ "policy_id": "policy.deploy.payments.v3" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/endorse/endorse.receipt.schema.json b/schemas/trust-verification/endorse/endorse.receipt.schema.json index e46f0b5..ea5bb1c 100644 --- a/schemas/trust-verification/endorse/endorse.receipt.schema.json +++ b/schemas/trust-verification/endorse/endorse.receipt.schema.json @@ -13,7 +13,7 @@ "request", "endorsement_result", "ts", - "proof" + "metadata" ], "properties": { "version": { @@ -63,8 +63,17 @@ "type": "string", "format": "date-time" }, - "proof": { - "$ref": "../_shared/proof.schema.json" + "metadata": { + "type": "object", + "additionalProperties": false, + "required": [ + "proof" + ], + "properties": { + "proof": { + "$ref": "../_shared/proof.schema.json" + } + } } } } diff --git a/schemas/trust-verification/endorse/examples/invalid.receipt.json b/schemas/trust-verification/endorse/examples/invalid.receipt.json index 9b89b6f..7110f20 100644 
--- a/schemas/trust-verification/endorse/examples/invalid.receipt.json +++ b/schemas/trust-verification/endorse/examples/invalid.receipt.json @@ -33,12 +33,18 @@ "expires_at": "2026-11-10T00:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonicalization": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "signature_alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "key_id": "", - "signer": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/endorse/examples/tampered.receipt.json b/schemas/trust-verification/endorse/examples/tampered.receipt.json index 222cf8c..22dbd8e 100644 --- a/schemas/trust-verification/endorse/examples/tampered.receipt.json +++ b/schemas/trust-verification/endorse/examples/tampered.receipt.json @@ -33,12 +33,18 @@ "expires_at": "2026-11-10T00:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } 
diff --git a/schemas/trust-verification/endorse/examples/valid.receipt.json b/schemas/trust-verification/endorse/examples/valid.receipt.json index 8407fd2..3dde3db 100644 --- a/schemas/trust-verification/endorse/examples/valid.receipt.json +++ b/schemas/trust-verification/endorse/examples/valid.receipt.json @@ -33,12 +33,18 @@ "expires_at": "2026-11-10T00:00:00Z" }, "ts": "2026-05-10T12:05:00Z", - "proof": { - "canonical": "json.sorted_keys.v1", - "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - "alg": "ed25519", - "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", - "kid": "cl-key-1", - "signer_id": "runtime.commandlayer.eth" + "metadata": { + "proof": { + "canonicalization": "json.sorted_keys.v1", + "hash": { + "alg": "SHA-256", + "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + }, + "signature": { + "alg": "Ed25519", + "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd", + "kid": "cl-key-1" + } + } } } diff --git a/schemas/trust-verification/grant/examples/invalid.receipt.json b/schemas/trust-verification/grant/examples/invalid.receipt.json index e62d82f..f6971c0 100644 --- a/schemas/trust-verification/grant/examples/invalid.receipt.json +++ b/schemas/trust-verification/grant/examples/invalid.receipt.json 
@@ -37,12 +37,18 @@
 "expires_at": "2026-12-31T23:59:59Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonicalization": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "signature_alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "key_id": "cl-key-1",
- "signer": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/grant/examples/tampered.receipt.json b/schemas/trust-verification/grant/examples/tampered.receipt.json
index 7255147..83e8e06 100644
--- a/schemas/trust-verification/grant/examples/tampered.receipt.json
+++ b/schemas/trust-verification/grant/examples/tampered.receipt.json
@@ -37,12 +37,18 @@
 "expires_at": "2026-12-31T23:59:59Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
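Review bot: The migrated proof block of this invalid fixture is identical to the one written into grant/examples/valid.receipt.json, whereas the old block differed from the valid one through its field names (`signature_alg`, `key_id`, `signer`). If the fixture was schema-invalid because of those names, it now needs another violation to remain a negative case; the rest of the file is outside the hunk, so this cannot be confirmed here. The invalid fixtures for reject, sign and verify are migrated the same way, while endorse and permit keep an explicit proof violation (`"alg": "ed25519"`, `"value": "xyz"`). Having the validation step assert which keyword each invalid fixture fails on would surface a fixture that quietly starts passing.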
diff --git a/schemas/trust-verification/grant/examples/valid.receipt.json b/schemas/trust-verification/grant/examples/valid.receipt.json
index 058ba4f..5c5ae96 100644
--- a/schemas/trust-verification/grant/examples/valid.receipt.json
+++ b/schemas/trust-verification/grant/examples/valid.receipt.json
@@ -37,12 +37,18 @@
 "expires_at": "2026-12-31T23:59:59Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/grant/grant.receipt.schema.json b/schemas/trust-verification/grant/grant.receipt.schema.json
index 4846d20..a599f54 100644
--- a/schemas/trust-verification/grant/grant.receipt.schema.json
+++ b/schemas/trust-verification/grant/grant.receipt.schema.json
@@ -13,7 +13,7 @@
 "request",
 "grant_result",
 "ts",
- "proof"
+ "metadata"
 ],
 "properties": {
 "version": {
@@ -64,8 +64,17 @@
 "type": "string",
 "format": "date-time"
 },
- "proof": {
- "$ref": "../_shared/proof.schema.json"
+ "metadata": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "proof"
+ ],
+ "properties": {
+ "proof": {
+ "$ref": "../_shared/proof.schema.json"
+ }
+ }
 }
 }
 }
diff --git a/schemas/trust-verification/permit/examples/invalid.receipt.json b/schemas/trust-verification/permit/examples/invalid.receipt.json
index dcec595..9dd84c5 100644
--- a/schemas/trust-verification/permit/examples/invalid.receipt.json
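Review bot: Nothing in the second hunk of grant.receipt.schema.json stops a receipt from carrying both the legacy top-level `proof` and the new `metadata.proof`; that depends on the root object's `additionalProperties`, which lies outside the hunk. If the root is open, a consumer still reading `proof` and one reading `metadata.proof` could check different signatures on the same receipt. Closing the root, or adding `"not": { "required": ["proof"] }` beside the root `required` list, would rule that out, and a negative fixture carrying both keys would keep it tested. The permit, reject, sign and verify receipt schemas in this diff take the same change.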
+++ b/schemas/trust-verification/permit/examples/invalid.receipt.json
@@ -39,12 +39,18 @@
 "expires_at": "2026-05-10T14:00:00Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonicalization": "json.sorted_keys.v1",
- "hash": "sha256:xyz",
- "signature_alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "key_id": "cl-key-1",
- "signer": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "xyz"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/permit/examples/tampered.receipt.json b/schemas/trust-verification/permit/examples/tampered.receipt.json
index 1d0024a..b816567 100644
--- a/schemas/trust-verification/permit/examples/tampered.receipt.json
+++ b/schemas/trust-verification/permit/examples/tampered.receipt.json
@@ -20,7 +20,9 @@
 },
 "conditions": {
 "expires_at": "2026-05-10T14:00:00Z",
- "ip_allowlist": ["10.42.0.0/16"]
+ "ip_allowlist": [
+ "10.42.0.0/16"
+ ]
 },
 "context": {
 "environment": "prod-us-east-1",
@@ -37,12 +39,18 @@
 "expires_at": "2026-05-11T14:00:00Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
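Review bot: The tampered permit fixture and the valid one carry the same placeholder digest (64 `a` characters) and the same demo signature, so a verifier that recomputes SHA-256 over the canonicalized receipt rejects both and the pair cannot demonstrate tamper detection. The altered field is visible in the second hunk (`expires_at` of `2026-05-11T14:00:00Z` against the `2026-05-10T14:00:00Z` condition), but `hash.value` is not tied to either body. For the pair to be useful beyond schema validation, valid.receipt.json needs a digest computed from its own canonical form, with the tampered file keeping that digest over the changed body. The sign pair, where only `content_hash` differs, has the same limitation. If the examples are meant for schema checks only, `schemas/trust-verification/README.md` should say so.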
diff --git a/schemas/trust-verification/permit/examples/valid.receipt.json b/schemas/trust-verification/permit/examples/valid.receipt.json
index 78e471c..93a2400 100644
--- a/schemas/trust-verification/permit/examples/valid.receipt.json
+++ b/schemas/trust-verification/permit/examples/valid.receipt.json
@@ -20,7 +20,9 @@
 },
 "conditions": {
 "expires_at": "2026-05-10T14:00:00Z",
- "ip_allowlist": ["10.42.0.0/16"]
+ "ip_allowlist": [
+ "10.42.0.0/16"
+ ]
 },
 "context": {
 "environment": "prod-us-east-1",
@@ -37,12 +39,18 @@
 "expires_at": "2026-05-10T14:00:00Z"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/permit/permit.receipt.schema.json b/schemas/trust-verification/permit/permit.receipt.schema.json
index ed0fa21..44a5511 100644
--- a/schemas/trust-verification/permit/permit.receipt.schema.json
+++ b/schemas/trust-verification/permit/permit.receipt.schema.json
@@ -13,7 +13,7 @@
 "request",
 "permit_result",
 "ts",
- "proof"
+ "metadata"
 ],
 "properties": {
 "version": {
@@ -64,8 +64,17 @@
 "type": "string",
 "format": "date-time"
 },
- "proof": {
- "$ref": "../_shared/proof.schema.json"
+ "metadata": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "proof"
+ ],
+ "properties": {
+ "proof": {
+ "$ref": "../_shared/proof.schema.json"
+ }
+ }
 }
 }
 }
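Review bot: The new `metadata` object in permit.receipt.schema.json has no `description`, and with the proof now nested inside the receipt it is not stated which bytes `metadata.proof.hash.value` covers. A verifier has to know whether the digest is taken over the receipt with the whole `metadata` member removed or with only `metadata.proof` removed. The two rules diverge as soon as `metadata` gains a second property, and anything left outside the digest is unsigned. I would add a `description` on `metadata` stating the rule and keep `"additionalProperties": false` so unsigned members cannot appear unnoticed. The grant, reject, sign and verify schemas take the same block.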
diff --git a/schemas/trust-verification/reject/examples/invalid.receipt.json b/schemas/trust-verification/reject/examples/invalid.receipt.json
index 357053e..31d6129 100644
--- a/schemas/trust-verification/reject/examples/invalid.receipt.json
+++ b/schemas/trust-verification/reject/examples/invalid.receipt.json
@@ -29,12 +29,18 @@
 "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonicalization": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "signature_alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "key_id": "cl-key-1",
- "signer": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/reject/examples/tampered.receipt.json b/schemas/trust-verification/reject/examples/tampered.receipt.json
index 8706f52..6b03ff7 100644
--- a/schemas/trust-verification/reject/examples/tampered.receipt.json
+++ b/schemas/trust-verification/reject/examples/tampered.receipt.json
@@ -29,12 +29,18 @@
 "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/reject/examples/valid.receipt.json b/schemas/trust-verification/reject/examples/valid.receipt.json
index a7b7bbd..69276f9 100644
--- a/schemas/trust-verification/reject/examples/valid.receipt.json
+++ b/schemas/trust-verification/reject/examples/valid.receipt.json
@@ -29,12 +29,18 @@
 "appeal_uri": "https://go.acme.internal/change-appeals/deploy-orders-api-2026-05-10-rc3"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/reject/reject.receipt.schema.json b/schemas/trust-verification/reject/reject.receipt.schema.json
index f95b5be..e040905 100644
--- a/schemas/trust-verification/reject/reject.receipt.schema.json
+++ b/schemas/trust-verification/reject/reject.receipt.schema.json
@@ -13,7 +13,7 @@
 "request",
 "rejection",
 "ts",
- "proof"
+ "metadata"
 ],
 "properties": {
 "version": {
@@ -59,8 +59,17 @@
 "type": "string",
 "format": "date-time"
 },
- "proof": {
- "$ref": "../_shared/proof.schema.json"
+ "metadata": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "proof"
+ ],
+ "properties": {
+ "proof": {
+ "$ref": "../_shared/proof.schema.json"
+ }
+ }
 }
 }
 }
diff --git a/schemas/trust-verification/sign/examples/invalid.receipt.json b/schemas/trust-verification/sign/examples/invalid.receipt.json
index 0d6fe5b..4bc5555 100644
--- a/schemas/trust-verification/sign/examples/invalid.receipt.json
+++ b/schemas/trust-verification/sign/examples/invalid.receipt.json
@@ -29,12 +29,18 @@
 "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonicalization": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "signature_alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "key_id": "cl-key-1",
- "signer": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/sign/examples/tampered.receipt.json b/schemas/trust-verification/sign/examples/tampered.receipt.json
index f76a82c..8391a36 100644
--- a/schemas/trust-verification/sign/examples/tampered.receipt.json
+++ b/schemas/trust-verification/sign/examples/tampered.receipt.json
@@ -29,12 +29,18 @@
 "content_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/sign/examples/valid.receipt.json b/schemas/trust-verification/sign/examples/valid.receipt.json
index 6a5ec1c..12c8e9e 100644
--- a/schemas/trust-verification/sign/examples/valid.receipt.json
+++ b/schemas/trust-verification/sign/examples/valid.receipt.json
@@ -29,12 +29,18 @@
 "content_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/sign/sign.receipt.schema.json b/schemas/trust-verification/sign/sign.receipt.schema.json
index 0c683f9..2639090 100644
--- a/schemas/trust-verification/sign/sign.receipt.schema.json
+++ b/schemas/trust-verification/sign/sign.receipt.schema.json
@@ -13,7 +13,7 @@
 "request",
 "signature_result",
 "ts",
- "proof"
+ "metadata"
 ],
 "properties": {
 "version": {
@@ -74,8 +74,17 @@
 "type": "string",
 "format": "date-time"
 },
- "proof": {
- "$ref": "../_shared/proof.schema.json"
+ "metadata": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "proof"
+ ],
+ "properties": {
+ "proof": {
+ "$ref": "../_shared/proof.schema.json"
+ }
+ }
 }
 }
 }
diff --git a/schemas/trust-verification/verify/examples/invalid.receipt.json b/schemas/trust-verification/verify/examples/invalid.receipt.json
index cdefc49..78d4b3d 100644
--- a/schemas/trust-verification/verify/examples/invalid.receipt.json
+++ b/schemas/trust-verification/verify/examples/invalid.receipt.json
@@ -45,12 +45,18 @@
 ]
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonicalization": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "signature_alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "key_id": "cl-key-1",
- "signer": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/verify/examples/tampered.receipt.json b/schemas/trust-verification/verify/examples/tampered.receipt.json
index b77c001..38f4477 100644
--- a/schemas/trust-verification/verify/examples/tampered.receipt.json
+++ b/schemas/trust-verification/verify/examples/tampered.receipt.json
@@ -45,12 +45,18 @@
 ]
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/verify/examples/valid.receipt.json b/schemas/trust-verification/verify/examples/valid.receipt.json
index fd36383..927c5fd 100644
--- a/schemas/trust-verification/verify/examples/valid.receipt.json
+++ b/schemas/trust-verification/verify/examples/valid.receipt.json
@@ -45,12 +45,18 @@
 ]
 },
 "ts": "2026-05-10T12:05:00Z",
- "proof": {
- "canonical": "json.sorted_keys.v1",
- "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "alg": "ed25519",
- "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
- "kid": "cl-key-1",
- "signer_id": "runtime.commandlayer.eth"
+ "metadata": {
+ "proof": {
+ "canonicalization": "json.sorted_keys.v1",
+ "hash": {
+ "alg": "SHA-256",
+ "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ },
+ "signature": {
+ "alg": "Ed25519",
+ "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+ "kid": "cl-key-1"
+ }
+ }
 }
 }
diff --git a/schemas/trust-verification/verify/verify.receipt.schema.json b/schemas/trust-verification/verify/verify.receipt.schema.json
index 3c45cf5..93fb741 100644
--- a/schemas/trust-verification/verify/verify.receipt.schema.json
+++ b/schemas/trust-verification/verify/verify.receipt.schema.json
@@ -13,7 +13,7 @@
 "request",
 "result",
 "ts",
- "proof"
+ "metadata"
 ],
 "properties": {
 "version": {
@@ -79,8 +79,17 @@
 "type": "string",
 "format": "date-time"
 },
- "proof": {
- "$ref": "../_shared/proof.schema.json"
+ "metadata": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "proof"
+ ],
+ "properties": {
+ "proof": {
+ "$ref": "../_shared/proof.schema.json"
+ }
+ }
 }
 }
 }