Enforce canonical metadata.proof verification in /api/verify

[GsCommand]

Motivation

• Runtime-produced receipts must be verified against the canonical metadata.proof envelope (canonicalization, hash, signature, signer_id) rather than accepting legacy top-level proof fields.
• The previous verifier accepted non-canonical/legacy shapes which could cause false VERIFIED results for production runtime receipts.
• Harden the site verifier so that schema-valid alone cannot yield VERIFIED and the endpoint safely represents production-canonical verification.

Description

• Require the canonical metadata.proof envelope fields (canonicalization, hash.alg, hash.value, signature.alg, signature.kid, signature.value, signer_id) and enforce SHA-256/Ed25519 expectations during verification in lib/verifyReceipt.js.
• Reject legacy top-level signature / hash_sha256 shapes as non-canonical and prevent them from producing VERIFIED.
• Tighten verification logic so success requires ENS key resolution, canonicalization match, hash integrity, key id match, signer id match, and signature verification.
• Add runtime-style tests that generate Ed25519 keypairs and mock ENS text-record resolution, and update API tests to expect legacy sample receipts to be INVALID (files changed: lib/verifyReceipt.js, tests/verifyReceipt-runtime.test.js, tests/api-verify.test.js, tests/api-agents-verifyagent.test.js).

Testing

• Ran npm install successfully and then npm test which executed the test suite node --test tests/*.test.js.
• All tests passed: 26 tests run, 26 passed, 0 failed.
• No build script is defined in package.json, so npm run build was not run.

---

Codex Task

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commandlayer-commandlayer-org	Ready	Preview, Comment	May 20, 2026 9:44pm
commandlayer-org	Ready	Preview, Comment	May 20, 2026 9:44pm
commandlayer-org111	Ready	Preview, Comment	May 20, 2026 9:44pm