fix(auth): align SIWE statement and surface verify errors #268

Merged
GsCommand merged 1 commit into main from codex/fix-siwe-verification-failure-on-claim
May 22, 2026

@GsCommand
Contributor

Motivation

  • Users could sign the SIWE message in MetaMask but the server rejected it due to a statement mismatch and the UI only showed a generic "SIWE verification failed." message.
  • The verify endpoint returned unstructured, opaque errors which made debugging and UX difficult.
  • Domain/URI allowances need explicit handling so production and development hosts are accepted consistently.

Description

  • Frontend: introduced a single SIWE_STATEMENT = 'Authenticate with CommandLayer Claim activation.' in public/claim.html and used it when constructing the SIWE message so the signed statement is exact.
  • Frontend: improved error surfacing in signInWithEthereum to throw and display SIWE verification failed: <error> — <reason> when /api/auth/verify returns structured failure details.
  • Backend: updated api/auth/verify.js to enforce the exact REQUIRED_STATEMENT, accept configurable allowlists via COMMANDLAYER_SIWE_DOMAINS and COMMANDLAYER_SITE_URLS (with sensible defaults for www.commandlayer.org, optional commandlayer.org, and localhost in development), and validate normalized URIs and chain IDs.
  • Backend: replaced opaque messages with structured AUTH_FAILED JSON payloads and stable error codes and reasons (including missing_message, missing_signature, dependency_unavailable, malformed_message, domain_mismatch, uri_mismatch, chain_not_allowed, statement_mismatch, and signature_invalid).
  • Tests: updated tests/api-auth.test.js to assert the new error codes and added a statement-mismatch test path.

Testing

  • Ran npm test in the repository and all tests passed (31 passing tests).
  • Attempted npm run build but a build script is not defined in this repo (noted in validation).
  • Ran example checks with cd examples/webhook-auto-verify && npm install && npm run check and the example checks succeeded.

Codex Task
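
The backend checks listed in the description, sketched as an added example; this is not the repository's `api/auth/verify.js`. The error codes and the required statement come from the PR text, while the payload layout, the check order, origin comparison as the URI normalization, the sample policy (chain ID 1) and the helper names are assumptions.

```javascript
// Added example: policy checks that run before signature recovery.
const REQUIRED_STATEMENT = 'Authenticate with CommandLayer Claim activation.';
const FIELD_KEYS = new Map([['URI', 'uri'], ['Chain ID', 'chainId'], ['Nonce', 'nonce']]);

// Assumed payload shape: the PR names the codes, not the JSON layout.
const fail = (error, reason) => ({ ok: false, status: 'AUTH_FAILED', error, reason });

// Minimal EIP-4361 reader: header, address, optional statement, "Key: value" lines.
function parseSiwe(message) {
  const lines = String(message).split('\n');
  const head = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0]);
  if (!head || !/^0x[0-9a-fA-F]{40}$/.test(lines[1] || '')) return null;
  const uriAt = lines.findIndex((l) => l.startsWith('URI: '));
  if (uriAt < 4) return null; // header, address and two separator lines come first
  const out = { domain: head[1].toLowerCase(), address: lines[1] };
  out.statement = lines.slice(2, uriAt).filter(Boolean).join('\n');
  for (const line of lines.slice(uriAt)) {
    const m = /^([A-Za-z ]+): (.*)$/.exec(line);
    const key = m && FIELD_KEYS.get(m[1]);
    if (key) out[key] = m[2];
  }
  return out;
}

// Check order is an assumption; each failure maps to one stable code from the PR.
// Reasons are fixed strings so no client-supplied text is echoed back.
function checkSiwePolicy(body, policy) {
  if (!body || !body.message) return fail('missing_message', 'no SIWE message in request');
  if (!body.signature) return fail('missing_signature', 'no signature in request');
  const f = parseSiwe(body.message);
  if (!f || !f.uri || !/^\d+$/.test(f.chainId || '')) return fail('malformed_message', 'not a valid EIP-4361 message');
  let origin;
  try { origin = new URL(f.uri).origin; } catch { return fail('malformed_message', 'URI does not parse'); }
  if (!policy.domains.includes(f.domain)) return fail('domain_mismatch', 'domain not in allowlist');
  if (!policy.origins.includes(origin)) return fail('uri_mismatch', 'URI origin not in allowlist');
  if (!policy.chainIds.includes(Number(f.chainId))) return fail('chain_not_allowed', 'chain ID not in allowlist');
  if (f.statement !== REQUIRED_STATEMENT) return fail('statement_mismatch', 'statement differs from required text');
  return { ok: true, fields: f }; // signature recovery (signature_invalid) comes next
}

// Constructed policy and message builder; chain ID 1, address and nonce are sample values.
const POLICY = { domains: ['www.commandlayer.org', 'commandlayer.org'], origins: ['https://www.commandlayer.org'], chainIds: [1] };
const sampleMessage = (statement, domain = 'www.commandlayer.org') => [
  `${domain} wants you to sign in with your Ethereum account:`, '0x' + '11'.repeat(20), '',
  statement, '', 'URI: https://www.commandlayer.org/claim.html', 'Version: 1', 'Chain ID: 1',
  'Nonce: a1b2c3d4e5f6', 'Issued At: 2026-05-22T03:00:00Z'].join('\n');
```

A passing result here only means the message satisfies the policy; the signature must still be recovered and compared against the address before a session is issued.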

@vercel

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| commandlayer-commandlayer-org | Ready | Preview, Comment | May 22, 2026 3:19am |
| commandlayer-org | Ready | Preview, Comment | May 22, 2026 3:19am |
| commandlayer-org111 | Ready | Preview, Comment | May 22, 2026 3:19am |
