Contributing to CommandLayer Runtime

Prerequisites

  • Node.js >= 20
  • An Ed25519 keypair (generate via DEV_AUTO_KEYS=1 node server.mjs)

Local Development

cp .env.example .env
# Edit .env with your keys, or set DEV_AUTO_KEYS=1 for ephemeral dev keys
npm install
npm run check    # syntax check
npm run test:unit

Protocol Spec

All receipts emitted by this runtime conform to CommandLayer Receipt v1.1.0:

  • Signing: Ed25519(UTF8(canonicalize(payload)))
  • Canonicalization: json.sorted_keys.v1 (recursive sorted-keys JSON)
  • Proof fields: alg, canonical, signer_id, kid, signature

The alg value is "ed25519". Legacy receipts using "ed25519-sha256" and signature_b64/hash_sha256 are accepted at /verify for backward compatibility.

The /verify route accepts both:

  • v1.1.0: proof.signature (preferred)
  • legacy: proof.signature_b64 (backward compat)
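
The v1.1.0 signing rule above, as an added Node.js example (not the runtime's own code). It assumes a { payload, proof } envelope, a base64 signature, and that json.sorted_keys.v1 means compact JSON with keys sorted at every depth; the function names and sample payload are hypothetical, and legacy "ed25519-sha256" receipts are out of scope.

```javascript
// Added example, not the runtime's code. Assumptions: { payload, proof } envelope,
// base64 signature, compact output for json.sorted_keys.v1.
const crypto = require("node:crypto");

// Recursive sorted-keys JSON: keys sorted (UTF-16 order) at every depth, array
// order kept, no whitespace. Non-JSON values are rejected, not silently dropped.
function canonicalize(v) {
  if (v === null || typeof v === "string" || typeof v === "boolean") return JSON.stringify(v);
  if (typeof v === "number" && Number.isFinite(v)) return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (typeof v === "object") {
    const members = Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonicalize(v[k]));
    return "{" + members.join(",") + "}";
  }
  throw new TypeError("not a JSON value: " + typeof v);
}

// Ed25519(UTF8(canonicalize(payload))); Ed25519 takes no separate digest, hence null.
function signReceipt(payload, privateKey, signerId, kid) {
  const msg = Buffer.from(canonicalize(payload), "utf8");
  const signature = crypto.sign(null, msg, privateKey).toString("base64");
  const proof = { alg: "ed25519", canonical: "json.sorted_keys.v1", signer_id: signerId, kid, signature };
  return { payload, proof };
}

// Pin alg and canonical before touching the signature, then re-canonicalize the
// received payload rather than trusting any serialized form sent alongside it.
function verifyReceipt(receipt, publicKey) {
  const { payload, proof } = receipt;
  if (!proof || proof.alg !== "ed25519" || proof.canonical !== "json.sorted_keys.v1") return false;
  if (typeof proof.signature !== "string") return false;
  const msg = Buffer.from(canonicalize(payload), "utf8");
  return crypto.verify(null, msg, publicKey, Buffer.from(proof.signature, "base64"));
}

// Constructed sample receipt with hypothetical payload fields.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const receipt = signReceipt({ verb: "summarize", result: { ok: true, items: [2, 1] } }, privateKey, "dev-signer", "k1");
  const reordered = { ...receipt, payload: { result: { items: [2, 1], ok: true }, verb: "summarize" } };
  const tampered = { ...receipt, payload: { ...receipt.payload, verb: "delete" } };
  const wrongAlg = { ...receipt, proof: { ...receipt.proof, alg: "none" } };
  return {
    canonical: canonicalize(receipt.payload),
    reordered: verifyReceipt(reordered, publicKey), // true: key order is irrelevant
    tampered: verifyReceipt(tampered, publicKey),   // false: payload changed
    wrongAlg: verifyReceipt(wrongAlg, publicKey),   // false: alg is not the pinned value
  };
}
console.log(demo());
```

A protocol change that alters canonicalization would change the bytes being signed, so a check like the reordered-key case is the kind of property a test vector in test_vectors/ can lock down.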

Env Variables

See .env.example for the full list.

Tests

npm test           # unit + smoke
npm run test:unit  # unit only (runtime/tests/*.test.mjs)

Rate Limiting

The runtime includes a built-in in-memory rate limiter (default: 120 req/min per IP). Configure via RATE_LIMIT_MAX and RATE_LIMIT_WINDOW_MS. For multi-instance deployments, replace src/middleware/rateLimit.mjs with express-rate-limit + a Redis store.

Submitting Changes

  1. Branch from main
  2. npm run check && npm test must pass
  3. For protocol changes, update CHANGELOG.md and add a test vector to test_vectors/
  4. Open a PR with a clear description

Security

See SECURITY.md for the vulnerability disclosure policy.