feat(runtime): add live Trust Verification sign endpoint (POST /trust-verification/sign/v1.0.0) #72

Merged
GsCommand merged 1 commit into main from codex/add-live-runtime-endpoint-for-sign
May 19, 2026

@GsCommand
Contributor

Motivation

  • Provide a runtime-hosted signing endpoint for the canonical Trust Verification sign verb so bridges (MCP) do not hold private keys and can remain transport-only.
  • Ensure signed receipts follow the canonical proof shape (json.sorted_keys.v1, SHA-256, Ed25519) using @commandlayer/runtime-core.

Description

  • Add POST /trust-verification/sign/v1.0.0 which accepts a JSON body with a non-null payload field and returns a signed canonical receipt produced by the existing makeReceipt/signing flow (which uses @commandlayer/runtime-core).
  • Introduce extractSignPayload helper and wire the endpoint into server.mjs to build an execution envelope { entry, verb, version, class } and produce a signed receipt (no request-provided keys are accepted).
  • Add unit tests in runtime/tests/runtime-signing.test.mjs covering proof presence, signature.alg === "Ed25519", hash.alg === "SHA-256", verification success, tampered receipt invalidation, and missing-payload rejection.
  • Document the new live endpoint and its input contract in README.md.
  • No new environment variables added; endpoint uses existing runtime signing configuration (e.g. RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64, RECEIPT_SIGNING_PUBLIC_KEY_B64, RECEIPT_SIGNER_ID).

Files changed: server.mjs, runtime/tests/runtime-signing.test.mjs, README.md.

Testing

  • Ran npm install and npm run check successfully; npm run build is not present in this repo and was skipped.
  • Added tests and iterated against the unit tests using node --test runtime/tests/*.test.mjs and focused runs node --test runtime/tests/runtime-signing.test.mjs until the signing tests passed; the final focused test run covering the new /trust-verification/sign cases passed.
  • The modified automated tests exercise receipt production and verification paths and the new sign endpoint tests passed locally after fixes, confirming valid signatures and correct invalidation on tamper, and that missing payloads are rejected.

Codex Task

Why: Enable runtime-hosted signing for the Trust Verification v1 sign flow so bridges do not handle private keys.
Contract impact: adds versioned POST /trust-verification/sign/v1.0.0 receipt-producing endpoint without changing existing receipt proof contract.
GsCommand merged commit b6fbd14 into main on May 19, 2026
1 check passed
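
The proof shape named in the description (sorted-key canonical JSON, SHA-256, Ed25519), sketched end to end as an added example; it is not code from this pull request or from @commandlayer/runtime-core. Assumptions: `canonicalize` is a stand-in for json.sorted_keys.v1, whose exact rules are not on this page; the receipt field names other than `signature.alg` and `hash.alg` are hypothetical; the signature is taken over the digest; and the key pair is generated in-process for the demo.

```javascript
// Added illustration; not code from this PR or @commandlayer/runtime-core.
const crypto = require("node:crypto");

// Assumed stand-in for json.sorted_keys.v1: recursive key sort, no whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Hypothetical check mirroring the endpoint's "non-null payload" input contract.
function extractPayload(body) {
  if (!body || typeof body !== "object" || body.payload == null) {
    throw new TypeError("payload is required");
  }
  return body.payload;
}

// Sign with a server-held key only; nothing key-related is read from the request.
// Assumption: the signature covers the SHA-256 digest of the canonical bytes.
function signReceipt(body, privateKey, signerId) {
  const receipt = { verb: "sign", version: "1.0.0", payload: extractPayload(body) };
  const digest = crypto.createHash("sha256").update(canonicalize(receipt)).digest();
  const sig = crypto.sign(null, digest, privateKey); // Ed25519 takes no digest name
  return { ...receipt, proof: {
    canonicalization: "json.sorted_keys.v1",
    hash: { alg: "SHA-256", value: digest.toString("hex") },
    signature: { alg: "Ed25519", signer_id: signerId, value: sig.toString("base64") },
  } };
}

// Recompute the digest from the receipt body instead of trusting the embedded hash.
function verifyReceipt(signed, publicKey) {
  const { proof, ...receipt } = signed;
  if (proof?.signature?.alg !== "Ed25519" || proof?.hash?.alg !== "SHA-256") return false;
  const digest = crypto.createHash("sha256").update(canonicalize(receipt)).digest();
  if (digest.toString("hex") !== proof.hash.value) return false;
  return crypto.verify(null, digest, publicKey, Buffer.from(proof.signature.value, "base64"));
}

// Constructed demo key pair and payload (not real signer configuration).
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const signed = signReceipt({ payload: { b: 2, a: 1 } }, privateKey, "demo-signer");
const tampered = { ...signed, payload: { a: 1, b: 3 } };
console.log(verifyReceipt(signed, publicKey), verifyReceipt(tampered, publicKey));
```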