Skip to content

[runtime] add remaining trust-verification v1 receipt endpoints#73

Merged
GsCommand merged 1 commit into
mainfrom
codex/add-canonical-receipt-endpoints-for-trust-verification
May 20, 2026
Merged

[runtime] add remaining trust-verification v1 receipt endpoints#73
GsCommand merged 1 commit into
mainfrom
codex/add-canonical-receipt-endpoints-for-trust-verification

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 20, 2026

Motivation

  • Complete runtime-backed canonical receipt coverage for Trust Verification v1 verbs beyond the existing sign endpoint so clients can obtain signed canonical receipts for all trust-verification actions.
  • Reuse the existing runtime signing configuration and makeReceipt flow to ensure canonical metadata.proof and consistent verification behavior without accepting request-provided private keys.

Description

  • Register POST /trust-verification/<verb>/v1.0.0 routes for verbs: sign, attest, authorize, approve, reject, permit, grant, authenticate, and endorse via a shared loop in server.mjs.
  • Each route enforces input shape of { payload } and returns 400 with error: "missing_payload" when missing, using the existing extractSignPayload helper.
  • Each route constructs an execution object with entry: <canonical>/trust-verification/<verb>, verb, version: "1.0.0", and class: "trust-verification", then emits a signed receipt via the existing makeReceipt flow (no request-side private key handling added). The emitted response is wrapped with wrapReceiptResponse so receipt.metadata.proof is present.
  • Updated runtime/tests/runtime-signing.test.mjs to exercise each verb for: proof presence, verb/class/version fields, proof algs (Ed25519 / SHA-256), successful /verify verification, tamper detection, and missing-payload rejection.
  • Files changed: server.mjs, runtime/tests/runtime-signing.test.mjs.

Testing

  • Ran the repository checks and test suites: npm install, npm run check, npm test, and npm run ci.
  • All automated tests passed: unit + smoke test run completed successfully (50 tests passing, 0 failures).
  • The new per-verb tests validate that receipts include metadata.proof, that execution/receipt fields reflect verb, class: "trust-verification", and version: "1.0.0", that proof.signature.alg === "Ed25519" and proof.hash.alg === "SHA-256", that /verify accepts the produced receipt, and that tampering invalidates the receipt signature.

Codex Task

@GsCommand
[runtime] add remaining trust-verification v1 receipt endpoints
8f46df4 
Why: complete runtime-backed canonical receipt coverage for all Trust Verification v1 verbs with existing signing flow.
Contract impact: none
@GsCommand GsCommand merged commit 4f04106 into main May 20, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand