Align CLAS trust-verification receipts to canonical metadata proof envelope

AUDIT-clas-runtime-stack-alignment.md

@@ -0,0 +1,52 @@
+# CLAS Runtime Stack Alignment Audit
+
+Date: 2026-05-18
+Branch: align/clas-to-canonical-runtime-stack
+
+## Files changed
+- Trust verification shared proof schema and all trust-verification receipt schemas.
+- Trust verification receipt examples across approve/attest/authenticate/authorize/endorse/grant/permit/reject/sign/verify.
+- Documentation updates:
+  - `schemas/trust-verification/README.md`
+  - `docs/mcp-compatibility.md`
+
+## Stale fields found
+The following stale proof fields were found and replaced in schemas/examples:
+- `receipt.proof`
+- `proof.canonical`
+- `proof.alg`
+- `proof.signature`
+- `proof.kid`
+- `proof.signer_id`
+- lowercase-only `ed25519`
+
+Not found in the trust-verification schema/examples payloads audited:
+- `hash_sha256`
+- `signature_b64`
+
+## Schemas updated
+- Receipt schemas now require `metadata` with required `metadata.proof` object.
+- Shared proof schema now enforces canonical shape:
+  - `metadata.proof.canonicalization = "json.sorted_keys.v1"`
+  - `metadata.proof.hash.alg = "SHA-256"`
+  - `metadata.proof.hash.value = <64 hex chars>`
+  - `metadata.proof.signature.alg = "Ed25519"`
+  - `metadata.proof.signature.value = <string>`
+  - `metadata.proof.signature.kid = <string>`
+
+## Examples updated
+- All trust-verification `*.receipt.json` examples were migrated from top-level `proof` to `metadata.proof`.
+- Invalid examples were preserved as schema-invalid fixtures by using invalid proof content where required.
+
+## Checks run
+- `npm install` ✅
+- `npm run build` ❌ (script missing in package.json)
+- `npm test` ✅
+- `npm run validate` ✅
+
+## Release blockers
+- `npm run build` script does not exist in this repository; build check cannot run as requested.
+
+## Draft-v1 readiness
+- **Ready for draft-v1 tag with caveat**: schema/example alignment for canonical proof envelope is complete and validation passes.
+- Caveat: missing build script should be addressed or explicitly waived in release criteria.

docs/mcp-compatibility.md

@@ -12,7 +12,7 @@ An MCP server implementing `get_action_schema` can return canonical CLAS schema
 
 ## `verify_receipt`
 
-An MCP server implementing `verify_receipt` can validate CLAS receipts using canonicalization, SHA-256 hashes, and Ed25519 signatures.
+An MCP server implementing `verify_receipt` can transport verification requests and results, but it is not the trust root; trust validation is performed by runtime/verifyagent against CLAS receipt contracts.
 
 ## Trust model
 

schemas/trust-verification/README.md

@@ -72,12 +72,12 @@ Every receipt references the shared proof schema:
 
 Shared proof fields (as defined in `_shared/proof.schema.json`):
 
-- `canonical` — canonicalization algorithm identifier (const: `json.sorted_keys.v1`)
-- `hash` — SHA-256 hash of the canonical payload (pattern: `sha256:<64 hex chars>`)
-- `alg` — signature algorithm (enum: `ed25519`)
-- `signature` — the cryptographic signature value
-- `kid` — key identifier
-- `signer_id` — identifier of the signing party
+- `metadata.proof.canonicalization` — canonicalization identifier (const: `json.sorted_keys.v1`)
+- `metadata.proof.hash.alg` — hash algorithm (const: `SHA-256`)
+- `metadata.proof.hash.value` — lowercase SHA-256 hex digest (`64` hex chars)
+- `metadata.proof.signature.alg` — signature algorithm (const: `Ed25519`)
+- `metadata.proof.signature.value` — signature value
+- `metadata.proof.signature.kid` — key identifier
 
 These fields provide a common cryptographic envelope model across all verb receipts.
 

schemas/trust-verification/_shared/proof.schema.json

@@ -1,40 +1,57 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://schemas.commandlayer.org/schemas/trust-verification/_shared/proof.schema.json",
+  "$id": "https://schemas.commandlayer.org/schemas/v1.0.0/trust/_shared/proof.schema.json",
   "title": "CLAS Trust Proof",
   "description": "Shared proof envelope for trust verification receipts.",
   "type": "object",
   "additionalProperties": false,
   "required": [
-    "canonical",
+    "canonicalization",
     "hash",
-    "alg",
-    "signature",
-    "kid",
-    "signer_id"
+    "signature"
   ],
   "properties": {
-    "canonical": {
+    "canonicalization": {
       "const": "json.sorted_keys.v1"
     },
     "hash": {
-      "type": "string",
-      "pattern": "^sha256:[a-fA-F0-9]{64}$"
-    },
-    "alg": {
-      "enum": ["ed25519"]
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "alg",
+        "value"
+      ],
+      "properties": {
+        "alg": {
+          "const": "SHA-256"
+        },
+        "value": {
+          "type": "string",
+          "pattern": "^[a-fA-F0-9]{64}$"
+        }
+      }
     },
     "signature": {
-      "type": "string",
-      "minLength": 16
-    },
-    "kid": {
-      "type": "string",
-      "minLength": 1
-    },
-    "signer_id": {
-      "type": "string",
-      "minLength": 1
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "alg",
+        "value",
+        "kid"
+      ],
+      "properties": {
+        "alg": {
+          "const": "Ed25519"
+        },
+        "value": {
+          "type": "string",
+          "minLength": 16
+        },
+        "kid": {
+          "type": "string",
+          "minLength": 1
+        }
+      }
     }
   }
 }

schemas/trust-verification/approve/approve.receipt.schema.json

@@ -13,7 +13,7 @@
     "request",
     "approval",
     "ts",
-    "proof"
+    "metadata"
   ],
   "properties": {
     "version": {
@@ -64,8 +64,17 @@
       "type": "string",
       "format": "date-time"
     },
-    "proof": {
-      "$ref": "../_shared/proof.schema.json"
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        }
+      }
     }
   }
 }

schemas/trust-verification/approve/examples/invalid.receipt.json

@@ -34,12 +34,18 @@
     "expires_at": "2026-05-10T14:00:00Z"
   },
   "ts": "2026-05-10T12:05:00Z",
-  "proof": {
-    "canonicalization": "json.sorted_keys.v1",
-    "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-    "signature_alg": "ecdsa",
-    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
-    "key_id": "cl-key-1",
-    "signer": "runtime.commandlayer.eth"
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
   }
 }

schemas/trust-verification/approve/examples/tampered.receipt.json

@@ -34,12 +34,18 @@
     "expires_at": "2026-05-10T14:00:00Z"
   },
   "ts": "2026-05-10T12:05:00Z",
-  "proof": {
-    "canonical": "json.sorted_keys.v1",
-    "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-    "alg": "ed25519",
-    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
-    "kid": "cl-key-1",
-    "signer_id": "runtime.commandlayer.eth"
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
   }
 }

schemas/trust-verification/approve/examples/valid.receipt.json

@@ -34,12 +34,18 @@
     "expires_at": "2026-05-10T14:00:00Z"
   },
   "ts": "2026-05-10T12:05:00Z",
-  "proof": {
-    "canonical": "json.sorted_keys.v1",
-    "hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-    "alg": "ed25519",
-    "signature": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
-    "kid": "cl-key-1",
-    "signer_id": "runtime.commandlayer.eth"
+  "metadata": {
+    "proof": {
+      "canonicalization": "json.sorted_keys.v1",
+      "hash": {
+        "alg": "SHA-256",
+        "value": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      },
+      "signature": {
+        "alg": "Ed25519",
+        "value": "ed25519:demo:9f7c4d1ab3e6c8d14f2a98b7c3d5e1f09a8b7c6d5e4f3029182736455aabbccd",
+        "kid": "cl-key-1"
+      }
+    }
   }
 }

schemas/trust-verification/attest/attest.receipt.schema.json

@@ -13,7 +13,7 @@
     "request",
     "attestation",
     "ts",
-    "proof"
+    "metadata"
   ],
   "properties": {
     "version": {
@@ -64,8 +64,17 @@
       "type": "string",
       "format": "date-time"
     },
-    "proof": {
-      "$ref": "../_shared/proof.schema.json"
+    "metadata": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "proof"
+      ],
+      "properties": {
+        "proof": {
+          "$ref": "../_shared/proof.schema.json"
+        }
+      }
     }
   }
 }