Stabilize runtime key loading, deterministic receipts, and verify behavior#7

Merged
GsCommand merged 1 commit into main from codex/fix-runtime-stability-and-errors on Feb 20, 2026
Conversation

@GsCommand (Contributor)

Motivation

  • The runtime was intermittently failing to sign/verify due to fragile env PEM handling and nondeterministic receipt fields, causing /health to show signer_ok:false, /describe to crash, and /verify to lack proof fields.
  • Enforce a compact, predictable config contract and deterministic signing so receipts can be verified offline or via ENS without silent fallbacks.

Description

  • Normalize config to CL_* env vars and implement robust PEM loading that converts literal \n escapes to newlines and validates input, using CL_PRIVATE_KEY_PEM and CL_PUBLIC_KEY_B64 as the canonical inputs and failing fast at boot if invalid or missing via assertBootConfigOrThrow().
  • Use @commandlayer/runtime-core for canonicalization/signing/verification and ensure signed receipts omit non-deterministic trace/timestamp fields so signatures/hash are stable across runs.
  • Harden /verify to prefer the env public key, support ens=1 which strictly resolves cl.sig.pub, cl.sig.kid, and cl.sig.canonical (and enforces signer/kid/canonical match before cryptographic verify), and return clear structured checks/errors with no silent fallbacks.
  • Add diagnostics and safer UX: GET /health now exposes signer_ok, verifier_ok, kid, canonical_id, and enabled_verbs (no secrets), GET /debug/env reports env presence and key-loading mode (no key material), .env.example demonstrates a single-line \n-escaped PEM, and scripts/smoke.mjs exercises the full smoke flow.

Testing

  • Ran node --check server.mjs and node --check scripts/smoke.mjs with no syntax errors and no type issues.
  • Launched the server with node --env-file=.env server.mjs using ephemeral keys and ran SMOKE_BASE_URL=http://127.0.0.1:18080 node scripts/smoke.mjs, which printed [smoke] PASS and returned a successful verify payload.
  • Observed /health showing signer_ok:true and verifier_ok:true, describe receipts containing metadata.proof.hash_sha256 and metadata.proof.signature_b64, and /verify returning ok:true with checks.hash_matches:true and checks.signature_valid:true.

@GsCommand GsCommand merged commit 8e6e3e7 into main Feb 20, 2026
1 check failed