commandlayer
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 27 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 147 additions & 12 deletions b/‎README.md‎
Lines changed: 147 additions & 12 deletions
diff --git a/‎docs/CONFIGURATION.md‎
Lines changed: 104 additions & 0 deletions b/‎docs/CONFIGURATION.md‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎docs/OPERATIONS.md‎
Lines changed: 75 additions & 0 deletions b/‎docs/OPERATIONS.md‎
Lines changed: 75 additions & 0 deletions
@@ -0,0 +1,27 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Syntax check
+        run: npm run check
+
+      - name: Smoke tests
+        run: npm test
@@ -1,17 +1,152 @@
-# CommandLayer Runtime (Commons)
+# CommandLayer Runtime
 
-Reference runtime for CommandLayer Commons verbs.
+Reference Node.js runtime for CommandLayer Commons verbs. This service executes deterministic verb handlers, signs receipts with Ed25519, and verifies receipts using local keys or ENS-discovered public keys.
 
-## Endpoints
-- GET /health
-- GET /debug/env
-- POST /fetch/v1.0.0
-- POST /verify
+## What this service does
 
-## Example
-RECEIPT=$(curl -s -X POST https://<YOUR_DOMAIN>/fetch/v1.0.0 \
+- Exposes `POST /<verb>/v1.0.0` endpoints for Commons verbs (`fetch`, `describe`, `format`, `clean`, `parse`, `summarize`, `convert`, `explain`, `analyze`, `classify`).
+- Returns signed receipts containing:
+  - deterministic result payloads,
+  - execution trace metadata,
+  - proof metadata (`alg`, canonical mode, SHA-256 hash, signature).
+- Exposes `POST /verify` to verify receipt hash/signature, and optionally validate schema + fetch public key from ENS.
+- Includes schema validator caching, warmup queueing, SSRF protections for `fetch`, and runtime safety budgets.
+
+## API overview
+
+### Core routes
+
+- `GET /` — service index with links and enabled verbs.
+- `GET /health` — process/service health and signer readiness.
+- `POST /<verb>/v1.0.0` — execute a single verb and return a signed receipt.
+- `POST /verify` — verify receipt integrity/signature; optional schema and ENS verification.
+
+### Debug routes
+
+> Debug routes are disabled by default. Enable with `DEBUG_ROUTES_ENABLED=1` and optionally protect with `DEBUG_BEARER_TOKEN`.
+
+- `GET /debug/env` — effective runtime configuration.
+- `GET /debug/enskey` — ENS TXT key discovery state.
+- `GET /debug/schemafetch?verb=<verb>` — computed receipt schema URL.
+- `GET /debug/validators` — validator cache and warm-queue state.
+- `POST /debug/prewarm` — queue schema validator warmup.
+
+## Quickstart
+
+### 1) Install dependencies
+
+```bash
+npm install
+```
+
+### 2) Generate an Ed25519 keypair (for local signing)
+
+```bash
+openssl genpkey -algorithm Ed25519 -out private.pem
+openssl pkey -in private.pem -pubout -out public.pem
+
+export RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64="$(base64 -w0 < private.pem)"
+export RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64="$(base64 -w0 < public.pem)"
+export RECEIPT_SIGNER_ID="runtime.local"
+```
+
+> macOS note: replace `base64 -w0` with `base64 | tr -d '\n'`.
+
+### 3) Start the runtime
+
+```bash
+npm start
+```
+
+Default port is `8080` (override with `PORT`).
+
+### 4) Verify startup
+
+```bash
+curl -s http://localhost:8080/health | jq .
+```
+
+You should see `"ok": true` and `"signer_ok": true`.
+
+## Example flow
+
+### Request a fetch receipt
+
+```bash
+RECEIPT=$(curl -s -X POST "http://localhost:8080/fetch/v1.0.0" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "x402": {
+      "entry": "x402://fetchagent.eth/fetch/v1.0.0",
+      "verb": "fetch",
+      "version": "1.0.0"
+    },
+    "source": "https://example.com"
+  }')
+
+printf '%s\n' "$RECEIPT" | jq .
+```
+
+### Verify the receipt locally
+
+```bash
+printf '%s' "$RECEIPT" | curl -s -X POST "http://localhost:8080/verify" \
+  -H "Content-Type: application/json" \
+  -d @- | jq .
+```
+
+### Verify with ENS public key lookup
+
+```bash
+printf '%s' "$RECEIPT" | curl -s -X POST "http://localhost:8080/verify?ens=1" \
   -H "Content-Type: application/json" \
-  -d '{"x402":{"entry":"x402://fetchagent.eth/fetch/v1.0.0","verb":"fetch","version":"1.0.0"},"source":"https://example.com"}')
+  -d @- | jq .
+```
+
+## Verification semantics
+
+`POST /verify` supports query flags:
+
+- `ens=1` — fetch verifier pubkey from ENS TXT record (`VERIFIER_ENS_NAME`, `ENS_PUBKEY_TEXT_KEY`).
+- `refresh=1` — bypass ENS cache and refresh lookup.
+- `schema=1` — validate receipt against verb schema.
+
+When `VERIFY_SCHEMA_CACHED_ONLY=1` (default), schema validation is edge-safe:
+
+- if validator is warm: request is fully validated,
+- if validator is cold: service returns `202` with `validator_not_warmed_yet` and queues async prewarm.
+
+Use `POST /debug/prewarm` and `GET /debug/validators` for schema prewarming workflows.
+
+## Configuration
+
+Detailed environment variable documentation lives in [`docs/CONFIGURATION.md`](docs/CONFIGURATION.md).
+
+## Development checks
+
+```bash
+npm run check
+npm test
+```
+
+`npm test` runs an automated smoke suite for signer readiness, verb execution, verify pass/fail paths, and debug route auth.
+
+## Security notes
+
+- `fetch` only allows `http(s)` URLs.
+- SSRF guard blocks localhost/private IP ranges and DNS resolutions to private ranges.
+- Optional host allowlist (`ALLOW_FETCH_HOSTS`) can strictly bound outbound `fetch`.
+- Request-level limits are capped by server-side `SERVER_MAX_HANDLER_MS`.
+- `/verify` execution is bounded by `VERIFY_MAX_MS`.
+
+## Operational notes
+
+- Validator/schema caches are in-memory (per process).
+- Prewarm is best-effort and asynchronous.
+- In multi-replica deployments, warm each replica independently.
+
+See [`docs/OPERATIONS.md`](docs/OPERATIONS.md) for deployment and runbook guidance.
+
+## Engineering review artifacts
 
-printf '%s' "$RECEIPT" | curl -s -X POST "https://<YOUR_DOMAIN>/verify?ens=1" \
-  -H "Content-Type: application/json" -d @-
+For a focused codebase review (strengths, risks, and prioritized improvements), see [`docs/REVIEW.md`](docs/REVIEW.md).
@@ -0,0 +1,104 @@
+# Configuration Reference
+
+This runtime is configured via environment variables.
+
+## Core service identity
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `PORT` | `8080` | HTTP listen port. |
+| `SERVICE_NAME` | `commandlayer-runtime` | Name exposed in index/health metadata. |
+| `SERVICE_VERSION` | `1.0.0` | Service version exposed in responses. |
+| `API_VERSION` | `1.0.0` | Version segment used in verb route shape. |
+| `CANONICAL_BASE_URL` | `https://runtime.commandlayer.org` | Base URL metadata in index/health payloads. |
+
+## CORS controls
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `CORS_ALLOW_ORIGINS` | empty | CSV allowlist of browser origins. Empty rejects cross-origin browser requests. Use `*` only when intended. |
+| `CORS_ALLOW_HEADERS` | `Content-Type, Authorization` | Allowed CORS request headers. |
+| `CORS_ALLOW_METHODS` | `GET,POST,OPTIONS` | Allowed CORS methods. |
+
+## Enabled verbs
+
+| Variable | Default |
+|---|---|
+| `ENABLED_VERBS` | `fetch,describe,format,clean,parse,summarize,convert,explain,analyze,classify` |
+
+Comma-separated list of enabled handlers. Disabled verbs return `404`.
+
+## Signing + verifier identity
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `RECEIPT_SIGNER_ID` | `runtime` (or `ENS_NAME` when set) | Receipt proof signer identifier. |
+| `RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64` | empty | Required for signing receipts. Base64 of PEM private key. |
+| `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64` | empty | Optional local pubkey for `/verify` signature checks. |
+| `ENS_NAME` | empty | Optional identity alias fallback. |
+
+## ENS-based verification
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `ETH_RPC_URL` | empty | Ethereum RPC endpoint for ENS resolver lookups. |
+| `VERIFIER_ENS_NAME` | `ENS_NAME` / `RECEIPT_SIGNER_ID` fallback | ENS name queried for TXT pubkey value. |
+| `ENS_PUBKEY_TEXT_KEY` | `cl.receipt.pubkey.pem` | ENS TXT key containing PEM-formatted public key. |
+
+## Schema fetching + validation budgets
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `SCHEMA_HOST` | `https://www.commandlayer.org` | Schema host prefix used to compute receipt schema URLs. |
+| `SCHEMA_FETCH_TIMEOUT_MS` | `15000` | Timeout per schema document fetch. |
+| `SCHEMA_VALIDATE_BUDGET_MS` | `15000` | Budget for async schema compilation. |
+| `VERIFY_SCHEMA_CACHED_ONLY` | `1` | If `1`, `/verify?schema=1` only uses warm validators and returns `202` on cold cache. |
+| `REQUEST_SCHEMA_VALIDATION` | `0` | If `1`, verb endpoints validate request payloads against verb request schema before execution. |
+
+## Debug route controls
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `DEBUG_ROUTES_ENABLED` | `0` | If `1`, enables `/debug/*` endpoints. |
+| `DEBUG_BEARER_TOKEN` | empty | Optional bearer token required for `/debug/*` when set. |
+
+## Cache controls
+
+| Variable | Default |
+|---|---|
+| `MAX_JSON_CACHE_ENTRIES` | `256` |
+| `JSON_CACHE_TTL_MS` | `600000` |
+| `MAX_VALIDATOR_CACHE_ENTRIES` | `128` |
+| `VALIDATOR_CACHE_TTL_MS` | `1800000` |
+
+## Request safety limits
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `SERVER_MAX_HANDLER_MS` | `12000` | Hard upper bound for verb execution timeout. |
+| `VERIFY_MAX_MS` | `30000` | Upper bound for `/verify` request processing. |
+
+## `fetch` hardening
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `FETCH_TIMEOUT_MS` | `8000` | Timeout for outbound `fetch` HTTP request. |
+| `FETCH_MAX_BYTES` | `262144` | Max bytes read from outbound response body. |
+| `ENABLE_SSRF_GUARD` | `1` | Enables DNS/IP/local-network SSRF checks. |
+| `ALLOW_FETCH_HOSTS` | empty | Optional CSV domain allowlist (`example.com,api.example.com`). |
+
+## Schema prewarm behavior
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `PREWARM_MAX_VERBS` | `25` | Max verbs accepted in one `/debug/prewarm` call. |
+| `PREWARM_TOTAL_BUDGET_MS` | `12000` | Total worker runtime budget. |
+| `PREWARM_PER_VERB_BUDGET_MS` | `5000` | Max warm budget per verb. |
+
+## Recommended production baseline
+
+- Set explicit signing keys and verify `signer_ok=true` on `/health`.
+- Keep `VERIFY_SCHEMA_CACHED_ONLY=1` for edge stability.
+- Restrict egress using both network policy and `ALLOW_FETCH_HOSTS` where possible.
+- Tune `FETCH_MAX_BYTES` and timeout budgets based on expected payload sizes.
+- Poll `/debug/validators` after deploy and prewarm critical verbs.
@@ -0,0 +1,75 @@
+# Operations Runbook
+
+## Deploy checklist
+
+1. Set signing keys:
+   - `RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64`
+   - `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64`
+2. Set identity metadata:
+   - `RECEIPT_SIGNER_ID`
+   - `SERVICE_NAME`, `SERVICE_VERSION`
+3. If using ENS verification:
+   - `ETH_RPC_URL`
+   - `VERIFIER_ENS_NAME`
+   - `ENS_PUBKEY_TEXT_KEY`
+4. Set safety limits (`FETCH_TIMEOUT_MS`, `FETCH_MAX_BYTES`, `VERIFY_MAX_MS`).
+5. Restrict outbound domains with `ALLOW_FETCH_HOSTS` where possible.
+
+## Post-deploy validation
+
+```bash
+curl -s "$BASE_URL/health" | jq .
+curl -s "$BASE_URL/debug/env" | jq .
+```
+
+Expected:
+- `ok=true`
+- `signer_ok=true`
+- expected `enabled_verbs`
+- expected timeouts/cache settings
+
+## Schema prewarm sequence
+
+```bash
+curl -s -X POST "$BASE_URL/debug/prewarm" \
+  -H 'content-type: application/json' \
+  -d '{"verbs":["fetch","parse","summarize","classify"]}' | jq .
+
+curl -s "$BASE_URL/debug/validators" | jq .
+```
+
+Repeat validator polling until required verbs appear under `cached`.
+
+## Verification troubleshooting
+
+### `no public key available`
+
+- Set `RECEIPT_SIGNING_PUBLIC_KEY_PEM_B64` **or** use ENS verification with:
+  - `ETH_RPC_URL`
+  - `VERIFIER_ENS_NAME`
+  - valid PEM at ENS TXT key.
+
+### `validator_not_warmed_yet` with HTTP 202
+
+- Expected when `VERIFY_SCHEMA_CACHED_ONLY=1` and schema validator is cold.
+- Trigger `/debug/prewarm` and retry `/verify?schema=1`.
+
+### `schema fetch failed`
+
+- Confirm schema host reachability from runtime environment.
+- Check `SCHEMA_HOST`, `SCHEMA_FETCH_TIMEOUT_MS`, outbound egress rules.
+
+## Recommended observability
+
+At minimum, capture and alert on:
+- HTTP 5xx rate by endpoint and verb.
+- `/verify` latency and timeout count.
+- `fetch` timeout/error rates.
+- cold-validator 202 rate after deploy.
+- cache sizes from `/debug/validators`.
+
+## Hardening notes
+
+- Keep CORS policy constrained if this service is not intended for broad browser access.
+- If internet fetch is not required, disable `fetch` verb via `ENABLED_VERBS`.
+- Consider process isolation or egress proxy for stricter SSRF containment.