Harden runtime signing config and verification paths

GsCommand · GsCommand · commit 381da50cf4f1 · 2026-02-19T22:06:16.000-05:00
diff --git a/.env.example b/.env.example
@@ -0,0 +1,17 @@
+# Required runtime signing config
+CL_RECEIPT_SIGNER=runtime.commandlayer.eth
+CL_KEY_ID=v1
+CL_CANONICAL_ID=json.sorted_keys.v1
+
+# Recommended for node --env-file: single-line PEM with literal \n escapes
+CL_PRIVATE_KEY_PEM=-----BEGIN PRIVATE KEY-----\nREPLACE_WITH_BASE64_BODY\n-----END PRIVATE KEY-----
+
+# Base64 of raw 32-byte Ed25519 public key (same bytes as ENS TXT after ed25519:)
+CL_PUBLIC_KEY_B64=REPLACE_WITH_32_BYTE_RAW_PUBKEY_BASE64
+
+# Optional (required only for /verify?ens=1)
+ETH_RPC_URL=
+
+HOST=0.0.0.0
+PORT=8080
+ENABLED_VERBS=fetch,describe,format,clean,parse,summarize,convert,explain,analyze,classify
diff --git a/scripts/smoke.mjs b/scripts/smoke.mjs
@@ -0,0 +1,47 @@
+import process from "node:process";
+
+const base = process.env.SMOKE_BASE_URL || `http://127.0.0.1:${process.env.PORT || 8080}`;
+const input = {
+  x402: { entry: "x402://describeagent.eth/describe/v1.0.0", verb: "describe", version: "1.0.0" },
+  input: { subject: "CommandLayer", detail_level: "short" },
+};
+
+function fail(step, details) {
+  console.error(`[smoke] FAIL: ${step}`);
+  if (details) console.error(typeof details === "string" ? details : JSON.stringify(details, null, 2));
+  process.exit(1);
+}
+
+try {
+  const healthResp = await fetch(`${base}/health`);
+  const health = await healthResp.json();
+  if (!healthResp.ok) fail("/health http", health);
+  if (!health.signer_ok || !health.verifier_ok) fail("/health signer/verifier", health);
+
+  const describeResp = await fetch(`${base}/describe/v1.0.0`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(input),
+  });
+  const receipt = await describeResp.json();
+  if (!describeResp.ok) fail("/describe/v1.0.0 http", receipt);
+  if (!receipt?.metadata?.proof?.hash_sha256 || !receipt?.metadata?.proof?.signature_b64) {
+    fail("describe proof fields", receipt?.metadata?.proof || receipt);
+  }
+
+  const verifyResp = await fetch(`${base}/verify?schema=0&ens=0`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(receipt),
+  });
+  const verify = await verifyResp.json();
+  if (!verifyResp.ok) fail("/verify http", verify);
+  if (!verify.ok || !verify?.checks?.signature_valid || !verify?.checks?.hash_matches) {
+    fail("/verify checks", verify);
+  }
+
+  console.log("[smoke] PASS");
+  console.log(JSON.stringify({ health, verify }, null, 2));
+} catch (err) {
+  fail("exception", err?.stack || String(err));
+}
diff --git a/server.mjs b/server.mjs
