This is not a mock animation. The homepage calls the production runtime, verifies the returned receipt, then tampers with the payload and verifies again.
+
-
Resolve / identify signer
pending
pending
-
-
-
-
+
1. Resolvepending
Identify runtime signer identity
waiting for runtime.commandlayer.eth
+
2. Signpending
Call runtime and receive signed metadata.proof
waiting for signed payload
+
3. Verifypending
Verifier recomputes json.sorted_keys.v1 + SHA-256 + Ed25519
waiting for verifier response
+
4. Tamperpending
Mutate canonical payload bytes
waiting for mutation step
+
5. Rejectpending
Verifier should reject tampered receipt
waiting for invalid result
-
Original receipt
waiting...
-
Tampered receipt
waiting...
+
Original receipt
waiting...
+
Tampered receipt
waiting...
Runtime or verifier unavailable. No success was faked.
Show raw JSON
No data yet.
@@ -1445,62 +1468,59 @@
Trust the proof.
Not the agent.
const knownKid = 'vC4WbcNoq2znSCiQ';
const stateEls = Object.fromEntries(['resolve','sign','verify','tamper','reject'].map(k => [k, document.querySelector(`[data-live-state="${k}"]`)]));
const metaEls = Object.fromEntries(['resolve','sign','verify','tamper','reject'].map(k => [k, document.querySelector(`[data-live-meta="${k}"]`)]));
+ const resultEls = Object.fromEntries(['resolve','sign','verify','tamper','reject'].map(k => [k, document.querySelector(`[data-live-result="${k}"]`)]));
const rowEls = Object.fromEntries(['resolve','sign','verify','tamper','reject'].map(k => [k, document.querySelector(`[data-live-step="${k}"]`)]));
const validSummary = document.getElementById('lp-valid-summary');
const invalidSummary = document.getElementById('lp-invalid-summary');
const raw = document.getElementById('lp-raw-json');
const err = document.getElementById('lp-error');
const compact = v => typeof v === 'string' && v.length > 18 ? `${v.slice(0,10)}…${v.slice(-8)}` : String(v ?? 'n/a');
- const setStep = (name, status, meta) => { rowEls[name].className = `lp-row ${status}`; stateEls[name].textContent = status; metaEls[name].textContent = meta; };
- const normalize = r => ({ status: r?.status || (r?.ok === true ? 'VALID' : 'INVALID'), hash_matches: r?.hash_matches, signature_valid: r?.signature_valid });
+ const setStep = (name, status, meta, result) => { rowEls[name].className = `lp-row ${status}`; stateEls[name].textContent = status; metaEls[name].textContent = meta; if (resultEls[name] && result) resultEls[name].textContent = result; };
+ const valueOrDash = v => (v === true || v === false ? String(v) : 'not returned');
+ const pickCheck = (r, k) => r?.[k] ?? r?.checks?.[k] ?? r?.result?.[k];
+ const normalize = r => ({ status: r?.status || (r?.ok === true ? 'VALID' : 'INVALID'), hash_matches: pickCheck(r,'hash_matches'), signature_valid: pickCheck(r,'signature_valid') });
const isValid = r => r?.ok === true || r?.status === 'VALID' || r?.status === 'VERIFIED';
async function runLive() {
err.style.display = 'none';
- ['resolve','sign','verify','tamper','reject'].forEach(k => setStep(k,'pending','pending'));
- setStep('resolve','running','Signer identity loaded');
+ ['resolve','sign','verify','tamper','reject'].forEach(k => setStep(k,'pending','pending','waiting...'));
+ setStep('resolve','running','resolving signer identity...','querying runtime.commandlayer.eth');
await Promise.resolve();
- setStep('resolve','passed',`signer_id=${signerId} · kid=${knownKid}`);
+ setStep('resolve','passed',`runtime.commandlayer.eth · kid=${knownKid}`,'resolved signer identity');
let receipt;
try {
- setStep('sign','running','POST /trust-verification/sign/v1.0.0');
+ setStep('sign','running','calling production runtime sign endpoint...','POST https://runtime.commandlayer.org/trust-verification/sign/v1.0.0');
const signResp = await fetch(`${runtimeBase}/trust-verification/sign/v1.0.0`, { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify({ payload:{ message:'homepage live proof', source:'commandlayer.org', ts:new Date().toISOString() } }) });
const signJson = await signResp.json();
receipt = signJson?.receipt || signJson?.final_receipt;
if (!signResp.ok || !receipt) throw new Error('TRANSPORT_ERROR');
const proof = receipt?.metadata?.proof || {};
- setStep('sign','passed',`verb=${receipt?.verb||'n/a'} class=${receipt?.class||'n/a'} hash=${compact(proof?.hash?.value)} kid=${proof?.signature?.kid||'n/a'} signer_id=${proof?.signer_id||'n/a'}`);
+ setStep('sign','passed',`runtime signed metadata.proof`,`verb=${receipt?.verb||'n/a'} hash=${compact(proof?.hash?.value)} kid=${proof?.signature?.kid||'n/a'} signer_id=${proof?.signer_id||'n/a'}`);
- setStep('verify','running','POST /verify');
+ setStep('verify','running','verifying original receipt...','POST https://runtime.commandlayer.org/verify');
const verifyResp = await fetch(`${runtimeBase}/verify`, { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify({ receipt }) });
const verifyJson = await verifyResp.json();
const v = normalize(verifyJson);
if (!verifyResp.ok || !isValid(verifyJson)) throw new Error('VERIFY_INVALID');
- setStep('verify','passed',`verifier_status=${v.status} hash_matches=${String(v.hash_matches)} signature_valid=${String(v.signature_valid)}`);
- validSummary.textContent = `VALID
-verifier_status: ${v.status}
-hash_matches: ${String(v.hash_matches)}
-signature_valid: ${String(v.signature_valid)}`;
+ setStep('verify','passed',`original receipt ${v.status}`,`hash_matches=${valueOrDash(v.hash_matches)} signature_valid=${valueOrDash(v.signature_valid)}`);
+ validSummary.innerHTML = `
VALID
verifier_status: ${v.status}
hash_matches: ${valueOrDash(v.hash_matches)}
signature_valid: ${valueOrDash(v.signature_valid)}
`;
- setStep('tamper','running','Mutating receipt.result.payload.message');
+ setStep('tamper','running','modifying payload output text...','canonical payload mutated');
const tampered = JSON.parse(JSON.stringify(receipt));
if (!tampered.result) tampered.result = {};
if (!tampered.result.payload) tampered.result.payload = {};
tampered.result.payload.message = 'tampered homepage proof';
- setStep('tamper','passed','message="tampered homepage proof"');
+ setStep('tamper','passed','payload tampered (same signer metadata retained)','tampered receipt prepared');
- setStep('reject','running','POST /verify with tampered receipt');
+ setStep('reject','running','verifying tampered receipt...','expect INVALID result');
const rejectResp = await fetch(`${runtimeBase}/verify`, { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify({ receipt: tampered }) });
const rejectJson = await rejectResp.json();
const t = normalize(rejectJson);
const tamperRejected = !isValid(rejectJson);
if (!rejectResp.ok || !tamperRejected) throw new Error('REJECT_EXPECTED');
- setStep('reject','failed',`tampered_status=${t.status} hash_matches=${String(t.hash_matches)} signature_valid=${String(t.signature_valid)}`);
- invalidSummary.textContent = `INVALID
-tampered_status: ${t.status}
-hash_matches: ${String(t.hash_matches)}
-signature_valid: ${String(t.signature_valid)}`;
+ setStep('reject','failed',`tampered receipt ${t.status}`,`hash_matches=${valueOrDash(t.hash_matches)} signature_valid=${valueOrDash(t.signature_valid)}`);
+ invalidSummary.innerHTML = `
INVALID
tampered_status: ${t.status}
hash_matches: ${valueOrDash(t.hash_matches)}
signature_valid: ${valueOrDash(t.signature_valid)}
`;
raw.textContent = JSON.stringify({ sign_response: signJson, verify_response: verifyJson, tampered_verify_response: rejectJson }, null, 2);
} catch (e) {
err.style.display = 'block';