Merge pull request #254 from commandlayer/codex/update-homepage-for-automatic-verification-model

GsCommand · web-flow · commit 0df59eb211b5 · 2026-05-21T17:36:34.000-04:00
Add Automatic Verification section and Webhook Auto-Verify cross-links to homepage
diff --git a/public/ambient-verification.html b/public/ambient-verification.html
@@ -71,6 +71,11 @@ <h2>The working model</h2>
       <p>Runtime: <a class="link" href="https://runtime.commandlayer.org" target="_blank" rel="noopener">https://runtime.commandlayer.org</a><br/>Verifier: <a class="link" href="https://runtime.commandlayer.org/verify" target="_blank" rel="noopener">https://runtime.commandlayer.org/verify</a></p>
     </section>
 
+    <section class="section">
+      <h2>Webhook Auto-Verify</h2>
+      <div class="grid"><article class="card"><h3>Webhook Auto-Verify</h3><p>Working example of automatic receipt verification.</p><a class="link" href="/webhook-auto-verify.html">Open demo</a></article></div>
+    </section>
+
     <section class="section">
       <h2>Live today</h2>
       <div class="grid">
diff --git a/public/api.html b/public/api.html
@@ -211,6 +211,10 @@ <h2>Developer integration paths</h2>
     </div>
   </section>
 
+  <section class="api-card section">
+    <h2>Webhook Auto-Verify</h2><div class="path-card"><h3>Webhook Auto-Verify</h3><p>Server-side accept/reject flow using runtime verification.</p><a href="/webhook-auto-verify.html">Open demo</a></div>
+  </section>
+
   <section class="api-card section">
     <h2>Next steps</h2>
     <div class="cta-grid">
diff --git a/public/docs.html b/public/docs.html
@@ -123,6 +123,10 @@ <h2>Developer paths</h2>
       </div>
     </section>
 
+    <section>
+      <h2>Automatic Verification</h2><div class="grid"><a class="card" href="/webhook-auto-verify.html"><h3>Automatic Verification</h3><p>See a webhook-style receipt verification flow.</p></a></div>
+    </section>
+
     <section>
       <h2>Reference links</h2>
       <div class="grid">
diff --git a/public/index.html b/public/index.html
@@ -1055,6 +1055,7 @@ <h1 class="hero-h1">
           <a class="btn btn-primary btn-lg" href="/stack-proof-demo.html">View the proof</a>
           <a class="btn btn-secondary btn-lg" href="/capabilities.html">Explore capabilities</a>
           <a class="btn btn-outline btn-lg" href="https://github.com/commandlayer/agent-sdk" target="_blank" rel="noopener">Install SDK</a>
+          <a class="btn btn-outline btn-lg" href="/webhook-auto-verify.html">Run Auto-Verify Demo</a>
         </div>
       </div>
 
@@ -1278,6 +1279,34 @@ <h2 class="section-h2">Four steps to cryptographic certainty</h2>
     </div>
   </section>
 
+
+
+  <!-- ── AUTOMATIC VERIFICATION ─────────────────── -->
+  <section class="section">
+    <div class="container">
+      <div style="text-align: center; max-width: 820px; margin: 0 auto;">
+        <p class="section-eyebrow">Automatic verification</p>
+        <h2 class="section-h2">Valid receipts are accepted. Tampered receipts are rejected.</h2>
+        <p class="section-p">CommandLayer verification is not limited to manual paste. A webhook can receive a receipt, verify it server-side, accept the valid event, and reject the same receipt after payload tampering.</p>
+      </div>
+      <div class="endpoint-grid" style="margin-top:22px;">
+        <div class="ep-card">
+          <div class="ep-header"><span class="ep-method" style="background:#dcfce7;color:#065f46;">Valid receipt</span><span class="ep-path">ACCEPTED</span></div>
+          <div class="ep-desc"><code>verifier_status: VALID</code><br><code>hash_matches: true</code><br><code>signature_valid: true</code></div>
+        </div>
+        <div class="ep-card">
+          <div class="ep-header"><span class="ep-method" style="background:#fee2e2;color:#991b1b;">Tampered receipt</span><span class="ep-path">REJECTED</span></div>
+          <div class="ep-desc"><code>verifier_status: INVALID</code><br><code>hash_matches: false</code><br><code>signature_valid: false</code></div>
+        </div>
+      </div>
+      <p class="section-p" style="text-align:center;margin-top:20px;">Runtime signs → Webhook receives → Verifier checks → Accept / reject</p>
+      <div class="api-actions" style="justify-content:center; margin-top:8px;">
+        <a class="btn btn-primary" href="/webhook-auto-verify.html">Run the automatic verification demo</a>
+        <a class="btn btn-secondary" href="https://github.com/commandlayer/commandlayer-org/tree/main/examples/webhook-auto-verify" target="_blank" rel="noopener">View example code</a>
+      </div>
+    </div>
+  </section>
+
   <!-- ── CAPABILITIES PREVIEW ─────────────────────── -->
   <section class="section section-alt">
     <div class="container">
@@ -1309,7 +1338,7 @@ <h2 class="section-h2">Trust verification now, broader capability families next<
         <div>
           <p class="section-eyebrow">Verification surfaces</p>
           <h2 class="section-h2">Runtime-validated verification.<br>Public verifier surface.</h2>
-          <p class="section-p" style="max-width: 52ch;">Runtime <code>/verify</code> has been validated against production runtime receipts. Website <code>/api/verify</code> is a public verifier surface and should align with the same canonical proof model.</p>
+          <p class="section-p" style="max-width: 52ch;">Runtime <code>/verify</code> has been validated against production runtime receipts. Website <code>/api/verify</code> is a public verifier surface and should align with the same canonical proof model. Webhook sender authentication is separate from receipt verification.</p>
         </div>
         <div class="api-actions">
           <a class="btn btn-primary" href="/verify.html">Open Verifier</a>
@@ -1346,10 +1375,11 @@ <h2 class="section-h2">Runtime-validated verification.<br>Public verifier surfac
     <div class="container">
       <div class="cta-box">
         <h2>Trust the proof.<br><span class="grad">Not the agent.</span></h2>
-        <p>Start adding cryptographic verification to your AI agent actions in minutes.</p>
+        <p>Start adding cryptographic verification to your AI agent actions in minutes.<br><span style="opacity:.92;">Now with manual verification, production proof, and automatic webhook verification.</span></p>
         <div class="cta-actions">
           <a class="btn btn-white btn-lg" href="/verify.html">Verify a Receipt</a>
           <a class="btn btn-ghost-white btn-lg" href="https://github.com/commandlayer/agent-sdk" target="_blank" rel="noopener">View SDK on GitHub</a>
+          <a class="btn btn-ghost-white btn-lg" href="/webhook-auto-verify.html">Run Auto-Verify Demo</a>
         </div>
       </div>
     </div>
diff --git a/public/verify.html b/public/verify.html
@@ -57,7 +57,7 @@
 <section class="verify-hero"><div class="container"><div class="hero-badge"><span class="badge-dot"></span>Verifier</div><h1 class="verify-h1">Verify agent receipts by proof, not claim.</h1><p class="verify-sub">Paste a CommandLayer receipt, inspect its canonical proof, and confirm whether the hash and Ed25519 signature still match.</p><div class="hero-actions"><a class="hero-btn primary" href="#manual-verifier">Verify a receipt</a><a class="hero-btn" href="/stack-proof-demo.html">View production proof</a></div><div class="proof-status"><strong>Receipts are not trusted by claim. They are verified by proof.</strong><br/>Runtime production is live. Runtime signs canonical Trust Verification receipts. MCP E2E against production runtime passes: STEP 1 SIGNED, STEP 2 VERIFIED, STEP 3 TAMPERED INVALID. Runtime signer: <code>runtime.commandlayer.eth</code> with <code>kid=vC4WbcNoq2znSCiQ</code>. Canonical proof uses <code>metadata.proof.canonicalization=json.sorted_keys.v1</code>, <code>metadata.proof.hash.alg=SHA-256</code>, and <code>metadata.proof.signature.alg=Ed25519</code>.</div></div></section>
 <section class="section"><div class="container"><div class="section-eyebrow">What gets checked</div><h2 class="section-h2">Manual verifier checks, not just shape.</h2><div class="cards"><div class="card">Receipt structure</div><div class="card">Canonical metadata.proof envelope</div><div class="card">json.sorted_keys.v1 canonical hash</div><div class="card">SHA-256 hash match</div><div class="card">Ed25519 signature validity</div><div class="card">Signer identity and key id</div><div class="card">Supported capability verb</div><div class="card">Tamper resistance</div></div><div class="warn">A receipt is only verified when hash and signature checks pass. Schema-valid alone is not verified.</div></div></section>
 <section class="verifier-section" id="manual-verifier"><div class="container layout"><div class="tool-card"><label class="label" for="receiptInput">Manual verifier input</label><textarea id="receiptInput" spellcheck="false" placeholder="Paste a CommandLayer receipt JSON here..."></textarea><div class="btn-row"><button id="loadSampleBtn">Load Sample</button><button id="loadTamperedBtn">Load Tampered</button><button id="clearBtn">Clear</button><button class="primary" id="verifyBtn">Verify</button></div></div><div class="tool-card"><div class="result-card" id="resultCard"><div class="result-state" id="resultState">—</div><div class="result-note" id="resultNote">Run verification to see verdict.</div></div><ul class="checks" id="checksList"></ul><div class="meta" id="metaRows"></div></div></div></section>
-<section class="section"><div class="container"><div class="section-eyebrow">Proof surfaces</div><div class="cards"><div class="card"><h3>Manual verifier</h3><p>Paste a receipt and inspect every verification check.</p></div><div class="card"><h3>Proof URLs</h3><p>Open a receipt verification result from a shareable URL.</p></div><div class="card"><h3>Embedded badges</h3><p>Display verified/invalid state inside an app or product UI.</p></div><div class="card"><h3>Ambient verification</h3><p>Let systems verify receipts automatically through SDKs, APIs, webhooks, MCP tools, or agent-to-agent flows.</p></div></div></div></section>
+<section class="section"><div class="container"><div class="section-eyebrow">Proof surfaces</div><div class="warn" style="margin-bottom:12px;"><strong>Need automatic verification?</strong> Use the webhook auto-verify demo to verify receipts without manual paste. <a href="/webhook-auto-verify.html">Open demo</a>.</div><div class="cards"><div class="card"><h3>Manual verifier</h3><p>Paste a receipt and inspect every verification check.</p></div><div class="card"><h3>Proof URLs</h3><p>Open a receipt verification result from a shareable URL.</p></div><div class="card"><h3>Embedded badges</h3><p>Display verified/invalid state inside an app or product UI.</p></div><div class="card"><h3>Ambient verification</h3><p>Let systems verify receipts automatically through SDKs, APIs, webhooks, MCP tools, or agent-to-agent flows.</p></div></div></div></section>
 <section class="section"><div class="container"><div class="section-eyebrow">Backed by CLAS Trust Verification</div><p class="section-p">VerifyAgent validates canonical CLAS Trust Verification receipts using schemas where applicable, then checks canonical hash, Ed25519 signature, signer identity, and trust verb.</p><p class="section-p">Schema validation supports verification, but does not replace cryptographic proof.</p><h3>Canonical receipt example</h3><pre class="example">{
   "metadata": {
     "proof": {
