
Add webhook auto-verify example with runtime canonical receipt verification #251

Merged
GsCommand merged 1 commit into main from codex/create-webhook-auto-verification-example
May 21, 2026

@GsCommand
Contributor

Motivation

  • Provide a small, current, runnable example that demonstrates automatic receipt verification via the runtime verifier using the canonical metadata.proof model and avoiding legacy/top-level proof fields.

Description

  • Add a new example at examples/webhook-auto-verify including package.json, .gitignore, README.md, and an npm script set (start, check, generate:samples).
  • Implement server.js as an Express server that exposes POST /webhook, requires event and receipt, posts { receipt } to the verifier (default https://runtime.commandlayer.org/verify, overrideable with COMMANDLAYER_VERIFY_URL), accepts when verifyJson.ok === true or verifyJson.status is VALID or VERIFIED, rejects otherwise with 400, and returns 502 on verifier/network failure while logging verification details (hash_matches, signature_valid, signer_id, kid).
  • Add scripts/generate-samples.mjs which calls the runtime sign endpoint (default https://runtime.commandlayer.org/trust-verification/sign/v1.0.0, overrideable with COMMANDLAYER_SIGN_URL), extracts receipt (or final_receipt), enforces presence of metadata.proof, writes a valid webhook sample and a tampered copy, and prints status messages.
  • Include a README explaining the flow, commands, environment variables, trust boundaries, and a note that offline environments will use committed structure-only placeholder files (sample-canonical-shape-*.json) rather than live signed receipts.

Testing

  • Ran npm install inside the example and the repo, and ran node --check server.js and node --check scripts/generate-samples.mjs to validate syntax successfully.
  • Attempted npm run generate:samples but live sample generation failed due to DNS/network resolution error (getaddrinfo EAI_AGAIN runtime.commandlayer.org).
  • Started the local server and posted the committed placeholder canonical-shape samples; the requests returned 502 because the runtime verifier was unreachable from this environment.
  • Ran repository tests with npm test, which reported two failing tests unrelated to this change caused by missing examples/sample-receipt.json in the repo (pre-existing).

Codex Task
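
The accept, reject and fail-closed rule from the description above, written out as an added example; it is not the pull request's `server.js`. The names `checkBody`, `decide` and `handleWebhook`, the 200 status on acceptance, and the `metadata.proof` check on the receiver side are assumptions made for illustration.

```javascript
// Added example, not the PR's server.js. Function names are hypothetical.
const ACCEPT_STATUSES = new Set(["VALID", "VERIFIED"]);

// Shape check before any network call: the body needs `event` and `receipt`.
// Assumption: the receiver also insists on receipt.metadata.proof, the check
// the description attributes to the sample generator.
function checkBody(body) {
  if (!body || typeof body !== "object") return "body must be a JSON object";
  if (body.event === undefined || body.event === null) return "missing event";
  const receipt = body.receipt;
  if (!receipt || typeof receipt !== "object") return "missing receipt";
  const proof = receipt.metadata && receipt.metadata.proof;
  if (!proof || typeof proof !== "object") return "missing receipt.metadata.proof";
  return null;
}

// Map the verifier's JSON answer to the receiver's HTTP status.
// `verifyJson` is null when the verifier was unreachable or sent no JSON.
function decide(verifyJson) {
  if (!verifyJson || typeof verifyJson !== "object") {
    return { status: 502, accepted: false, reason: "verifier unavailable" };
  }
  // Strict comparison: "true", 1 or "valid" do not count as acceptance.
  const accepted = verifyJson.ok === true || ACCEPT_STATUSES.has(verifyJson.status);
  return accepted
    ? { status: 200, accepted: true, reason: "verified" } // 200 is an assumption
    : { status: 400, accepted: false, reason: "verification failed" };
}

// Full flow. `fetchImpl` is injectable so the logic can be exercised offline.
async function handleWebhook(body, verifyUrl, fetchImpl = globalThis.fetch) {
  const problem = checkBody(body);
  if (problem) return { status: 400, accepted: false, reason: problem };
  let verifyJson = null;
  try {
    const res = await fetchImpl(verifyUrl, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ receipt: body.receipt }), // only the receipt is sent
    });
    verifyJson = await res.json();
  } catch (err) {
    verifyJson = null; // network error or non-JSON reply: fail closed with 502
  }
  return decide(verifyJson);
}
```

Because the rule as described is an OR, a verifier reply of `{ ok: false, status: "VALID" }` is accepted by `decide`; a receiver that wants to reject contradictory replies has to check for them explicitly.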

@vercel

vercel Bot commented May 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| commandlayer-commandlayer-org | Ready | Preview, Comment | May 21, 2026 8:36pm |
| commandlayer-org | Ready | Preview, Comment | May 21, 2026 8:36pm |
| commandlayer-org111 | Ready | Preview, Comment | May 21, 2026 8:36pm |
