Add CL canonical namespace search and tighten commandlayer-namespace claim validation #288

Merged: GsCommand merged 1 commit into main from codex/add-namespace-search-and-validation-guardrails on May 22, 2026

@GsCommand
Contributor

Motivation

  • Let users type letters to discover CommandLayer-owned canonical capability parents while preventing activation requests for ENS names they do not control.
  • Ensure CommandLayer-only activation requests are safe by enforcing strict tenant and canonical-parent mappings server-side.
  • Preserve existing SIWE, Ed25519 key generation, package download, and preview flows while keeping user-owned ENS and single-agent modes package-only until ENS control verification is implemented.

Description

  • UI: updated public/claim.html to introduce a TRUST_VERIFICATION_MAP / TRUST_PARENTS source, canonical autocomplete (Type a letter), selected canonical namespace chips with remove controls, and tenant-label validation (/^[a-z0-9-]{3,32}$/ with no leading/trailing hyphen or .eth).
  • UI: wired Trust Verification pack quick-select to auto-select all 10 canonical parents in CommandLayer (signagent.eth, verifyagent.eth), limited selections to 10, and implemented getEffectiveClVerbs() to derive verbs from selected canonical parents for preview, package, and submission payloads.
  • Behaviour: kept own and single modes as package-only (no submit button / no POST to the CL claim endpoint) and added small safety copy clarifying CommandLayer-subnames do not grant ownership of the canonical parent.
  • Backend: tightened validation in api/claim/commandlayer-namespace.js to require activationMode === 'cl', strict tenant label rules, packId === 'trust', capability → canonical parent mapping from the allowed map, agent.ens === `${tenant}.${canonicalParent}`, skill === 'trust-verification.{capability}', and skillFamily === 'trust-verification'.
  • Tests: expanded tests/api-claim-commandlayer-namespace.test.js with cases covering rejected activationMode values (own, single), tenant .eth, tenant leading/trailing hyphen, unsupported canonical parent, mismatched capability/canonicalParent, skill mismatch, and too-many capabilities.

Testing

  • Ran npm test in repo root and all tests passed (53 tests passed).
  • Root npm install failed in this environment due to registry access (npm 403 for @neondatabase/serverless) so a full local install was not possible here.
  • npm run build is not defined in this repo (reported as missing).
  • Ran cd examples/webhook-auto-verify && npm install && npm run check and the example checks completed successfully.

Codex Task
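
The server-side rules listed in the description, sketched as an added example (not the code in api/claim/commandlayer-namespace.js). The payload shape (`tenant`, `agents[]`), the capability keys in the map, and the error labels are assumptions; only the field rules and the two parent names come from the PR text.

```javascript
// Constructed allow-list: the capability keys are assumptions; only the two
// parent names appear in the PR text.
const CANONICAL_PARENTS = new Map([
  ['sign', 'signagent.eth'],
  ['verify', 'verifyagent.eth'],
]);
// The charset has no '.', so a tenant such as "acme.eth" fails here too.
const TENANT_RE = /^[a-z0-9-]{3,32}$/;
const MAX_CAPABILITIES = 10;

function isValidTenant(t) {
  return typeof t === 'string' && TENANT_RE.test(t) &&
    !t.startsWith('-') && !t.endsWith('-');
}

// Returns a list of rejection reasons; an empty list means the claim passes.
function validateClaim(body) {
  if (!body || typeof body !== 'object') return ['body'];
  const errors = [];
  if (body.activationMode !== 'cl') errors.push('activationMode');
  if (body.packId !== 'trust') errors.push('packId');
  if (!isValidTenant(body.tenant)) errors.push('tenant');
  const agents = Array.isArray(body.agents) ? body.agents : [];
  if (agents.length === 0 || agents.length > MAX_CAPABILITIES) {
    errors.push('capability count');
  }
  for (const a of agents.slice(0, MAX_CAPABILITIES)) {
    const cap = a && a.capability;
    // Map lookup: keys like "__proto__" cannot match inherited properties.
    const parent = typeof cap === 'string' ? CANONICAL_PARENTS.get(cap) : undefined;
    if (!parent) { errors.push(`capability:${String(cap)}`); continue; }
    if (a.canonicalParent !== parent) errors.push(`canonicalParent:${cap}`);
    // Rebuild the expected name server-side; never trust the client's string.
    if (a.ens !== `${body.tenant}.${parent}`) errors.push(`ens:${cap}`);
    if (a.skill !== `trust-verification.${cap}`) errors.push(`skill:${cap}`);
    if (a.skillFamily !== 'trust-verification') errors.push(`skillFamily:${cap}`);
  }
  return errors;
}
```

Deriving the parent from the capability and rebuilding `agent.ens` from server-held values means a request cannot pair a valid tenant label with a parent outside the allow-list.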

@vercel

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| commandlayer-commandlayer-org | Ready | Preview, Comment | May 22, 2026 9:51pm |
| commandlayer-org | Ready | Preview, Comment | May 22, 2026 9:51pm |
| commandlayer-org111 | Ready | Preview, Comment | May 22, 2026 9:51pm |
