Skip to content

Implement CommandLayer Python SDK with Ed25519 signing#37

Merged
GsCommand merged 1 commit into
mainfrom
claude/audit-commandlayer-protocol-O05aO
May 14, 2026
Merged

Implement CommandLayer Python SDK with Ed25519 signing#37
GsCommand merged 1 commit into
mainfrom
claude/audit-commandlayer-protocol-O05aO

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 14, 2026

Summary

This PR implements a complete Python SDK for CommandLayer that enables agents to sign and verify action receipts using Ed25519 cryptography. The implementation mirrors the TypeScript SDK's functionality while following Python conventions.

Key Changes

  • Python SDK Implementation (python-sdk/commandlayer/__init__.py):

    • Added CommandLayer class with wrap() method to execute functions, record metadata, and sign receipts with Ed25519
    • Added verify() method to POST receipts to the CommandLayer verifier endpoint
    • Implemented canonical JSON serialization (_canonicalize()) with sorted keys for deterministic signing
    • Added Ed25519 private key loading and base64 signature encoding
    • Graceful handling of missing cryptography dependency with helpful error messages
    • Support for both signer and agent parameters (agent takes precedence)

  • Schema Updates (src/schemas.trust-receipt-v1.json):

    • Flattened schema structure from nested allOf to direct property definitions
    • Updated proof field names: kid (was key_id), signer_id (was signer), alg (was signature_alg), canonical (was canonicalization)
    • Added explicit additionalProperties: false for stricter validation
    • Defined allowed verbs: verify, authenticate, authorize, attest, sign, permit, grant, approve, reject, endorse

  • Documentation (python-sdk/README.md):

    • Added comprehensive quickstart guide with environment variable setup
    • Documented API surface: CommandLayer() constructor, wrap(), and verify() methods
    • Included receipt proof schema reference
    • Added installation instructions with optional crypto dependencies

  • TypeScript SDK Refinements:

    • Added VerifyResult interface for type-safe verification responses
    • Removed deprecated privateKey parameter warning
    • Replaced console.log() with process.stdout.write() for cleaner output in examples
    • Updated example files to use dotenv/config for environment variable loading
    • Fixed verifier URL handling to use configured URL consistently

  • Project Configuration:

    • Updated python-sdk/pyproject.toml with version 1.0.0 and proper description
    • Added optional crypto dependency group for cryptography package
    • Updated .env.example with CL_VERIFIER_URL configuration option

Implementation Details

  • The Python SDK uses the same receipt format and signing algorithm (Ed25519 with base64 encoding) as the TypeScript implementation
  • Execution metadata (duration, timestamps, status) is automatically captured during wrap() execution
  • Errors during function execution are caught and recorded in the receipt with status "error"
  • The verifier endpoint communication uses standard urllib with 10-second timeout
  • Private key validation ensures only Ed25519 keys are accepted

https://claude.ai/code/session_01GQcff5HnFcrTbyuwuvsNEv

@GsCommand
audit: fix all production-quality violations found in security/code a…
a7bc2dc 
…udit

- src/index.ts: remove console.warn, add VerifyResult return type to verify(), add CL_VERIFIER_URL note
- src/trust.ts: tighten AJV error type from inline object to AJV ErrorObject
- src/schemas.trust-receipt-v1.json: fix additionalProperties enforcement via inline allOf merge
- examples/basic-agent.ts: replace hardcoded verifierUrl with env var, add guard for missing key
- examples/wrapped-agent-demo.ts: add missing CL_PRIVATE_KEY_PEM guard
- examples/full-demo.ts: remove dead proof.hash / proof.key_id references (fields do not exist)
- examples/agent-to-agent-verify.ts: import dotenv/config for env var loading
- examples/existing-agent-integration.ts: import dotenv/config for env var loading
- examples/langchain-agent.ts: no changes needed (already has dotenv/config)
- examples/openai-tool-wrapper.ts: import dotenv/config for env var loading
- examples/workflow-job-runner.ts: import dotenv/config for env var loading
- .env.example: add CL_VERIFIER_URL
- python-sdk/commandlayer/__init__.py: replace empty stub with real implementation
- python-sdk/pyproject.toml: update version and description, add cryptography dependency
- python-sdk/README.md: replace placeholder with real usage docs
- docs/examples.md: fix receipt shape example to match actual proof schema
- README.md: remove stale npm caveat note
@GsCommand GsCommand merged commit f8208d5 into main May 14, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand