commandlayer
diff --git a/‎.gitignore‎
Lines changed: 15 additions & 0 deletions b/‎.gitignore‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 5 deletions b/‎README.md‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎docs/CONFIGURATION.md‎
Lines changed: 3 additions & 1 deletion b/‎docs/CONFIGURATION.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎docs/OPERATIONS.md‎
Lines changed: 6 additions & 4 deletions b/‎docs/OPERATIONS.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎docs/REVIEW.md‎
Lines changed: 0 additions & 76 deletions b/‎docs/REVIEW.md‎
Lines changed: 0 additions & 76 deletions
diff --git a/‎package-lock.json‎
Lines changed: 30 additions & 3 deletions b/‎package-lock.json‎
Lines changed: 30 additions & 3 deletions
diff --git a/‎package.json‎
Lines changed: 5 additions & 2 deletions b/‎package.json‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎runtime/src/receipt-verification.js‎
Lines changed: 93 additions & 0 deletions b/‎runtime/src/receipt-verification.js‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎runtime/tests/ens-resolution.test.mjs‎
Lines changed: 13 additions & 0 deletions b/‎runtime/tests/ens-resolution.test.mjs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎runtime/tests/helpers.mjs‎
Lines changed: 24 additions & 0 deletions b/‎runtime/tests/helpers.mjs‎
Lines changed: 24 additions & 0 deletions
@@ -1 +1,16 @@
 node_modules/
+
+# local env / logs
+.env
+.env.*
+*.log
+
+# local test artifacts
+receipt*.json
+body.*.json
+analyze_receipt.json
+classify_receipt.json
+clean_receipt.json
+tmp.*.json
+payload.json
+
@@ -44,7 +44,7 @@ openssl genpkey -algorithm Ed25519 -out private.pem
 openssl pkey -in private.pem -pubout -out public.pem
 
 export RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64="$(base64 -w0 < private.pem)"
-export RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64="$(base64 -w0 < public.pem)"
+export RECEIPT_SIGNING_PUBLIC_KEY="ed25519:$(openssl pkey -in public.pem -pubin -outform DER | tail -c 32 | base64 -w0)"
 export RECEIPT_SIGNER_ID="runtime.local"
 ```
 
@@ -105,7 +105,7 @@ printf '%s' "$RECEIPT" | curl -s -X POST "http://localhost:8080/verify?ens=1" \
 
 `POST /verify` supports query flags:
 
-- `ens=1` — fetch verifier pubkey from ENS TXT record (`VERIFIER_ENS_NAME`, `ENS_PUBKEY_TEXT_KEY`).
+- `ens=1` — fetch verifier pubkey from ENS TXT records (`VERIFIER_ENS_NAME`, `cl.receipt.signer`, `cl.sig.pub`, `cl.sig.kid`).
 - `refresh=1` — bypass ENS cache and refresh lookup.
 - `schema=1` — validate receipt against verb schema.
 
@@ -136,6 +136,3 @@ Detailed environment variable documentation lives in [`docs/CONFIGURATION.md`](d
 
 See [`docs/OPERATIONS.md`](docs/OPERATIONS.md) for deployment and runbook guidance.
 
-## Engineering review artifacts
-
-For a focused codebase review (strengths, risks, and prioritized improvements), see [`docs/REVIEW.md`](docs/REVIEW.md).
@@ -36,7 +36,9 @@ Comma-separated list of enabled handlers. Disabled verbs return `404`.
 |---|---|---|
 | `ETH_RPC_URL` | empty | Ethereum RPC endpoint for ENS resolver lookups. |
 | `VERIFIER_ENS_NAME` | `ENS_NAME` / `RECEIPT_SIGNER_ID` fallback | ENS name queried for TXT pubkey value. |
-| `ENS_PUBKEY_TEXT_KEY` | `cl.receipt.pubkey.pem` | ENS TXT key containing PEM-formatted public key. |
+| `ENS_SIGNER_TEXT_KEY` | `cl.receipt.signer` | ENS TXT key on verifier name that delegates to signer ENS name. |
+| `ENS_SIG_PUB_TEXT_KEY` | `cl.sig.pub` | ENS TXT key on signer name containing `ed25519:<base64>` public key. |
+| `ENS_SIG_KID_TEXT_KEY` | `cl.sig.kid` | ENS TXT key on signer name containing key identifier. |
 
 ## Schema fetching + validation budgets
 
 
@@ -4,14 +4,16 @@
 
 1. Set signing keys:
    - `RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64`
-   - `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64`
+   - `RECEIPT_SIGNING_PUBLIC_KEY`
 2. Set identity metadata:
    - `RECEIPT_SIGNER_ID`
    - `SERVICE_NAME`, `SERVICE_VERSION`
 3. If using ENS verification:
    - `ETH_RPC_URL`
    - `VERIFIER_ENS_NAME`
-   - `ENS_PUBKEY_TEXT_KEY`
+   - `ENS_SIGNER_TEXT_KEY`
+   - `ENS_SIG_PUB_TEXT_KEY`
+   - `ENS_SIG_KID_TEXT_KEY`
 4. Set safety limits (`FETCH_TIMEOUT_MS`, `FETCH_MAX_BYTES`, `VERIFY_MAX_MS`).
 5. Restrict outbound domains with `ALLOW_FETCH_HOSTS` where possible.
 
@@ -44,10 +46,10 @@ Repeat validator polling until required verbs appear under `cached`.
 
 ### `no public key available`
 
-- Set `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64` **or** use ENS verification with:
+- Set `RECEIPT_SIGNING_PUBLIC_KEY` (`ed25519:<base64>`) **or** use ENS verification with:
   - `ETH_RPC_URL`
   - `VERIFIER_ENS_NAME`
-  - valid PEM at ENS TXT key.
+  - valid `cl.sig.pub` and `cl.sig.kid` TXT values on signer ENS name.
 
 ### `validator_not_warmed_yet` with HTTP 202
 
 
@@ -15,12 +15,15 @@
   "scripts": {
     "start": "node server.mjs",
     "check": "node --check server.mjs",
-    "test": "node tests/smoke.mjs",
-    "ci": "npm run check && npm test"
+    "test": "npm run test:unit && node tests/smoke.mjs",
+    "ci": "npm run check && npm test",
+    "test:unit": "node --test runtime/tests/*.test.mjs sdk/typescript-sdk/tests/*.test.mjs"
   },
   "dependencies": {
+    "@commandlayer/runtime-core": "github:commandlayer/runtime-core#main",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "dotenv": "^17.3.1",
     "ethers": "^6.16.0",
     "express": "^4.22.1",
     "node-fetch": "^3.3.2"
 
@@ -0,0 +1,93 @@
+import crypto from "node:crypto";
+
+const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
+
+export function stableStringify(value) {
+  const seen = new WeakSet();
+  const helper = (current) => {
+    if (current === null || typeof current !== "object") return current;
+    if (seen.has(current)) return "[Circular]";
+    seen.add(current);
+    if (Array.isArray(current)) return current.map(helper);
+    const output = {};
+    for (const key of Object.keys(current).sort()) output[key] = helper(current[key]);
+    return output;
+  };
+  return JSON.stringify(helper(value));
+}
+
+export function parseEd25519PublicKey(text) {
+  if (typeof text !== "string") throw new Error("Invalid ed25519 format");
+  const [alg, payload] = text.trim().split(":", 2);
+  if (alg?.toLowerCase() !== "ed25519" || !payload) throw new Error("Invalid ed25519 format");
+
+  const bytes = Buffer.from(payload, "base64");
+  if (!bytes.length || bytes.toString("base64") !== payload || bytes.length !== 32) {
+    throw new Error("Invalid ed25519 format");
+  }
+  return bytes;
+}
+
+export function computeReceiptHash(receipt) {
+  const canonicalReceipt = {
+    issuer: receipt.issuer,
+    verb: receipt.verb,
+    version: receipt.version,
+    timestamp: receipt.timestamp,
+    payload_hash: receipt.payload_hash,
+    alg: receipt.alg,
+    kid: receipt.kid,
+  };
+  return crypto.createHash("sha256").update(stableStringify(canonicalReceipt)).digest("hex");
+}
+
+export async function resolveSigner(agentEnsName, resolver) {
+  const signer = await resolver.getText(agentEnsName, "cl.receipt.signer");
+  const normalized = String(signer || "").trim();
+  if (!normalized) throw new Error("Missing cl.receipt.signer");
+  return normalized;
+}
+
+export async function resolveSignatureKey(signerEnsName, resolver) {
+  const pub = await resolver.getText(signerEnsName, "cl.sig.pub");
+  const kid = String(await resolver.getText(signerEnsName, "cl.sig.kid") || "").trim();
+  if (!pub) throw new Error("Missing cl.sig.pub");
+  if (!kid) throw new Error("Missing cl.sig.kid");
+
+  const pubkeyBytes = parseEd25519PublicKey(pub);
+  return { algorithm: "ed25519", kid, pubkeyBytes, rawPublicKeyBytes: pubkeyBytes };
+}
+
+function verifySignature(receiptHash, signatureB64, pubkeyBytes) {
+  const spki = Buffer.concat([ED25519_SPKI_PREFIX, pubkeyBytes]);
+  const key = crypto.createPublicKey({ key: spki, format: "der", type: "spki" });
+  return crypto.verify(null, Buffer.from(receiptHash, "utf8"), key, Buffer.from(signatureB64, "base64"));
+}
+
+export async function verifyReceipt(receipt, { resolver, expectedIssuer } = {}) {
+  if (!resolver) throw new Error("Resolver required");
+  if (expectedIssuer && receipt.issuer !== expectedIssuer) throw new Error("Issuer mismatch");
+
+  const signerEnsName = await resolveSigner(receipt.issuer, resolver);
+  const key = await resolveSignatureKey(signerEnsName, resolver);
+  if (receipt.kid !== key.kid) {
+    return { valid: false, error: "Unknown key id" };
+  }
+
+  const computedHash = computeReceiptHash(receipt);
+  if (computedHash !== receipt.receipt_hash) {
+    return { valid: false, error: "Receipt hash mismatch" };
+  }
+
+  const signatureOk = verifySignature(receipt.receipt_hash, receipt.sig, key.pubkeyBytes);
+  if (!signatureOk) {
+    return { valid: false, error: "Signature verification failed" };
+  }
+
+  return { valid: true, signer: signerEnsName, kid: key.kid };
+}
+
+export async function resolveSignerKey(agentEnsName, resolver) {
+  const signer = await resolveSigner(agentEnsName, resolver);
+  return resolveSignatureKey(signer, resolver);
+}
@@ -0,0 +1,13 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { resolveSigner } from "../src/receipt-verification.js";
+import { buildResolver } from "./helpers.mjs";
+
+test("ENS Resolution: resolves cl.receipt.signer correctly", async () => {
+  const signer = await resolveSigner("parseagent.eth", buildResolver());
+  assert.equal(signer, "runtime.commandlayer.eth");
+});
+
+test("ENS Resolution: fails if cl.receipt.signer missing", async () => {
+  await assert.rejects(() => resolveSigner("invalidagent.eth", buildResolver()), /Missing cl\.receipt\.signer/);
+});
@@ -0,0 +1,24 @@
+import fs from "node:fs";
+import path from "node:path";
+
+export function loadFixture(name) {
+  const fixturePath = path.join(process.cwd(), "test_vectors", name);
+  return JSON.parse(fs.readFileSync(fixturePath, "utf8"));
+}
+
+export function buildResolver(overrides = {}) {
+  const pub = fs.readFileSync(path.join(process.cwd(), "test_vectors", "public_key_base64.txt"), "utf8").trim();
+  const base = {
+    "parseagent.eth": { "cl.receipt.signer": "runtime.commandlayer.eth" },
+    "runtime.commandlayer.eth": { "cl.sig.pub": `ed25519:${pub}`, "cl.sig.kid": "v1" },
+    "bad-signer.eth": { "cl.sig.kid": "v1" },
+    "malformed.eth": { "cl.sig.pub": "ed25519:not-base64*", "cl.sig.kid": "v1" },
+    "invalidagent.eth": {},
+  };
+  const records = { ...base, ...overrides };
+  return {
+    async getText(name, key) {
+      return records[name]?.[key] ?? "";
+    },
+  };
+}