diff --git a/CHANGELOG.md b/CHANGELOG.md index c02f6b0..30f1370 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [Unreleased] + +- Separated VerifyAgent into its own public Commons/MIT repository. The SDK now focuses on receipt generation, canonicalization, hashing, signing, verification, ENS helpers, and agent-wrapping utilities. Public paste-and-verify UI is handled externally by VerifyAgent. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + ## [1.1.0] - 2026-03-19 CommandLayer SDKs now align on the Commons-first Protocol-Commons v1.1.0 surface. This release replaces the mixed 1.0.0-era documentation and response assumptions with a single canonical receipt model shared by the TypeScript SDK, Python SDK, fixtures, and verification flow. diff --git a/EXAMPLES.md b/EXAMPLES.md index 09ad2ab..5360d69 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -1,11 +1,21 @@ # CommandLayer SDK Examples -Canonical examples for the CommandLayer SDK repo. These examples keep the Commons v1.1.0 story receipt-first: `receipt` is signed, `runtime_metadata` is optional and unsigned, and Commons examples do not include payment metadata. +Examples in this repository focus on reusable SDK behavior: +- receipt creation, +- canonicalization, +- SHA-256 hashing, +- Ed25519 signing/verification, +- ENS key-resolution helpers, and +- wrapping agent execution in CommandLayer receipts. -All examples in this file target: -- Protocol-Commons v1.1.0, -- canonical signed receipts returned as `response.receipt`, and -- optional execution context returned as `response.runtime_metadata`. +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + +## Architecture boundaries + +- SDK repo: programmatic receipt tooling. +- VerifyAgent repo: external public verifier UI. +- Commercial API: hosted runtime, x402/paid flows, indexing, dashboards. ## 1. Canonical response envelope @@ -35,7 +45,7 @@ All examples in this file target: } ``` -## TypeScript +## 2. TypeScript ```ts import { createClient, extractReceiptVerb, verifyReceipt } from "@commandlayer/sdk"; @@ -49,105 +59,13 @@ const response = await client.summarize({ console.log(extractReceiptVerb(response)); console.log(response.receipt.metadata.receipt_id); -```ts -const response = await client.clean({ - content: " test@example.com ", - operations: ["trim", "redact_emails"] -}); -``` - -### Convert - -```ts -const response = await client.convert({ - content: '{"a":1}', - from: "json", - to: "csv" -}); -``` - -### Describe - -```ts -const response = await client.describe({ - subject: "receipt verification", - audience: "general", - detail: "medium" -}); -``` - -### Explain - -```ts -const response = await client.explain({ - subject: "receipt verification", - audience: "novice", - style: "step-by-step" -}); -``` - -### Format - -```ts -const response = await client.format({ - content: "a: 1\nb: 2", - to: "table" -}); -``` - -### Parse - -```ts -const response = await client.parse({ - content: '{ "a": 1 }', - contentType: "json", - mode: "strict", - schema: "invoice.summary.v1" -}); -``` - -### Fetch - -```ts -const response = await client.fetch({ - source: "https://example.com", - include_metadata: true -}); -``` - -## 3. Python examples - -```python -from commandlayer import create_client - -client = create_client(actor="examples-py") - -summary = client.summarize(content="CommandLayer defines semantic agent verbs.", style="bullet_points") -analysis = client.analyze(content="Invoice total: $1200", goal="detect finance intent") -classification = client.classify(content="Contact support@example.com") -cleaned = client.clean(content=" test@example.com ", operations=["trim", "redact_emails"]) -converted = client.convert(content='{"a":1}', from_format="json", to_format="csv") -description = client.describe(subject="receipt verification") -explanation = client.explain(subject="receipt verification", style="step-by-step") -formatted = client.format(content="a: 1\nb: 2", to="table") -parsed = client.parse(content='{ "a": 1 }', content_type="json", mode="strict", schema="invoice.summary.v1") -fetched = client.fetch(source="https://example.com", include_metadata=True) -``` - -## 4. Verification examples - -### TypeScript, explicit key - -```ts -import { verifyReceipt } from "@commandlayer/sdk"; - -const result = await verifyReceipt(response.receipt, { +const verified = await verifyReceipt(response.receipt, { publicKey: "ed25519:BASE64_PUBLIC_KEY" }); console.log(verified.ok); ``` -## Python +## 3. Python ```python from commandlayer import create_client, verify_receipt @@ -164,17 +82,21 @@ print(response["receipt"]["metadata"]["receipt_id"]) print(verify_receipt(response["receipt"], public_key="ed25519:BASE64_PUBLIC_KEY")["ok"]) ``` -## Explicit request building +## 4. Explicit request building ### Commons ```ts import { buildCommonsRequest } from "@commandlayer/sdk"; -const payload = buildCommonsRequest("parse", { - input: { content: '{"a":1}', content_type: "json", mode: "strict" }, - limits: { max_output_tokens: 300 } -}, { actor: "examples-ts" }); +const payload = buildCommonsRequest( + "parse", + { + input: { content: '{"a":1}', content_type: "json", mode: "strict" }, + limits: { max_output_tokens: 300 } + }, + { actor: "examples-ts" } +); ``` ```python @@ -192,4 +114,4 @@ payload = build_commons_request( ### Commercial request shaping -Commercial request shaping is intentionally separate from Commons examples. Use the dedicated `buildCommercialRequest` / `build_commercial_request` helper only if you are integrating a payment-aware flow outside this repo's first-class runtime client surface. +Commercial request shaping is intentionally separate from Commons SDK examples in this repository. diff --git a/QUICKSTART.md b/QUICKSTART.md index b2c3e8c..ad53e62 100644 --- a/QUICKSTART.md +++ b/QUICKSTART.md @@ -1,5 +1,17 @@ # CommandLayer SDK Quickstart +## What this quickstart covers + +SDK-only receipt flow: +1. Install SDK +2. Wrap agent execution +3. Generate signed receipt +4. Verify with SDK locally or VerifyAgent publicly +5. Move to Commercial API for hosted/high-volume verification + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + ## 1. Install ```bash @@ -7,7 +19,7 @@ npm install @commandlayer/sdk pip install commandlayer ``` -## 2. Make one call +## 2. Wrap agent execution ### TypeScript @@ -39,36 +51,7 @@ print(response["receipt"]["result"]["summary"]) print(response["receipt"]["metadata"]["receipt_id"]) ``` -## 3. Inspect the response - -Both SDKs return the same shape: - -```json -{ - "receipt": { - "status": "success", - "verb": "summarize", - "result": { "summary": "..." }, - "metadata": { - "proof": { - "alg": "ed25519-sha256", - "canonical": "cl-stable-json-v1", - "signer_id": "runtime.commandlayer.eth", - "hash_sha256": "...", - "signature_b64": "..." - } - } - }, - "runtime_metadata": { - "trace_id": "trace_123", - "duration_ms": 118 - } -} -``` - -Use `response.receipt` as the durable protocol artifact. `runtime_metadata` is optional execution context. Commons responses should be treated as receipt-first and non-payment-aware; `x402` only appears in legacy or explicitly commercial payloads. - -## 4. Verify the receipt +## 3. Verify locally with SDK ### TypeScript @@ -77,14 +60,19 @@ import { verifyReceipt } from "@commandlayer/sdk"; await verifyReceipt(response.receipt, { publicKey: "ed25519:BASE64_PUBLIC_KEY" }); ``` +### Python + ```python from commandlayer import verify_receipt verify_receipt(response["receipt"], public_key="ed25519:BASE64_PUBLIC_KEY") ``` -## 4. Remember the contract +## 4. Verification options + +- Local SDK verification: canonicalization + SHA-256 + Ed25519 signature checks. +- ENS-based key resolution: resolve signer keys via ENS helpers. +- Public verification UI: use external VerifyAgent repository. + +## 5. Commercial upgrade path -- Persist `response.receipt`. -- Treat `response.runtime_metadata` as optional unsigned context. -- Treat `receipt.metadata.receipt_id` as the receipt hash identifier. -- Read the verb from `receipt.verb`. Legacy/commercial payloads may expose `receipt.x402.verb` as a fallback. +Use CommandLayer Commercial when you need hosted runtime integrations, paid API/x402 flows, or high-volume verification infrastructure. diff --git a/README.md b/README.md index 81966ca..f7efff4 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,40 @@ # CommandLayer SDK -Official SDK repo for the current-line CommandLayer Commons receipt contract (`1.1.0`). +Official SDK repository for reusable CommandLayer receipt tooling. -## Quick Start +## Scope of this repository + +This repository is SDK-only. It focuses on: + +- creating receipts, +- canonicalizing receipts, +- hashing receipts (SHA-256), +- signing receipts (Ed25519), +- verifying receipts (Ed25519 + receipt proof hash), +- ENS signer-resolution helpers, and +- utilities/examples for wrapping agent execution with CommandLayer receipts. + +It does **not** contain the VerifyAgent product UI/demo app. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + +## Architecture boundaries + +- **CommandLayer SDK (this repo)**: local/developer receipt generation and verification building blocks. +- **VerifyAgent**: external public verifier (Commons/MIT) for paste-and-verify workflows. +- **CommandLayer Commercial**: hosted runtime, paid API, x402 flows, indexing, and dashboards. +- **Agent Cards**: identity/capability metadata used by agents and signer discovery. + +## Developer flow -Install CommandLayer, wrap an agent action, get a signed receipt, and verify it. +1. Install SDK. +2. Wrap agent execution. +3. Generate signed CommandLayer receipt. +4. Verify locally with SDK or publicly with VerifyAgent. +5. Upgrade to Commercial API for hosted/high-volume verification. + +## Quick Start ```bash npm install @commandlayer/sdk @@ -18,201 +48,14 @@ const receipt = await commandlayer.run("summarize", { }); const result = await commandlayer.verify(receipt); - console.log(result.valid); ``` -### Commons vs Commercial - -- Commons requests do not include x402 metadata. -- Commercial requests include x402 metadata where required. - -## What this repo now treats as canonical - -- **Requests**: Commons requests are built with an explicit verb + payload envelope, and receipts surface that canonical verb at top-level `receipt.verb`. -- **Responses**: the signed artifact is always `response.receipt`. -- **Unsigned runtime context**: optional execution details live in `response.runtime_metadata`. -- **Verification**: verification recomputes the receipt hash from the unsigned receipt, checks it against `metadata.proof.hash_sha256`, and verifies the Ed25519 signature over the UTF-8 hash string. `metadata.receipt_id` is optional compatibility metadata; when present it should match the proof hash. -- **Verb semantics**: the canonical verb is read from `receipt.verb`; `receipt.x402.verb` is legacy / commercial fallback only. - -This repo no longer presents legacy blended envelopes as the primary contract. Legacy normalization remains only to accept older runtime responses that inlined `trace` beside the receipt. - ## Start here - Quickstart → `QUICKSTART.md` - Full usage → `EXAMPLES.md` -- Contributing → `CONTRIBUTING.md` -- Maintainers → `MAINTAINER_GUIDE.md` -- Releases → `RELEASE_GUIDE.md` +- TypeScript package docs → `typescript-sdk/README.md` +- Python package docs → `python-sdk/README.md` - Test vectors → `test_vectors/README.md` - Changelog → `CHANGELOG.md` - -This repository ships the public developer surfaces for CommandLayer: -- the TypeScript SDK: `@commandlayer/sdk`, -- the Python SDK: `commandlayer`, -- the `commandlayer` CLI shipped with the npm package, -- verification helpers and test vectors, and -- repo-level docs for install, release, and reproducibility. - -## Supported protocol line - -This repo is aligned to the current CommandLayer v1.1.0 surface: -- Protocol-Commons v1.1.0, -- Agent-Cards v1.1.0 for ENS-backed signer discovery, -- canonical signed receipts as the verification contract payload, and -- optional `runtime_metadata` as unsigned execution context. - -Protocol-Commercial / x402 payment flows are intentionally separate from the Commons SDK surface in this repo. Commons examples and helpers below avoid payment metadata entirely; any retained `receipt.x402` handling is legacy / commercial-only compatibility, not the Commons happy path. - -## Install - -### TypeScript / JavaScript - -```bash -npm install @commandlayer/sdk -``` - -### Python - -```bash -pip install commandlayer -``` - -## Canonical receipt shape - -```json -{ - "receipt": { - "status": "success", - "verb": "summarize", - "result": { - "summary": "..." - }, - "metadata": { - "receipt_id": "sha256-of-unsigned-receipt", - "proof": { - "alg": "ed25519-sha256", - "canonical": "cl-stable-json-v1", - "signer_id": "runtime.commandlayer.eth", - "hash_sha256": "sha256-of-unsigned-receipt", - "signature_b64": "..." - } - } - }, - "runtime_metadata": { - "trace_id": "trace_123", - "duration_ms": 118, - "provider": "runtime.commandlayer.org" - } -} -``` - -## TypeScript quick path - -```ts -import { createClient, verifyReceipt } from "@commandlayer/sdk"; - -const client = createClient({ actor: "my-app" }); -const response = await client.summarize({ - content: "CommandLayer turns agent calls into signed receipts.", - style: "bullet_points" -}); - -console.log(response.receipt.result?.summary); -console.log(response.runtime_metadata?.duration_ms); - -const verification = await verifyReceipt(response.receipt, { - publicKey: process.env.COMMANDLAYER_PUBLIC_KEY! -}); - -console.log(verification.ok); -``` - -## Python quick path - -```python -from commandlayer import create_client, verify_receipt - -client = create_client(actor="my-app") -response = client.summarize( - content="CommandLayer turns agent calls into signed receipts.", - style="bullet_points", -) - -print(response["receipt"]["result"]["summary"]) -print(response.get("runtime_metadata", {}).get("duration_ms")) - -verification = verify_receipt( - response["receipt"], - public_key="ed25519:BASE64_PUBLIC_KEY", -) -print(verification["ok"]) -``` - -## Return shape - -Client methods now return a command response envelope: - -```json -{ - "receipt": { - "status": "success", - "verb": "summarize", - "result": { - "summary": "..." - }, - "metadata": { - "proof": { - "alg": "ed25519-sha256", - "canonical": "cl-stable-json-v1", - "signer_id": "runtime.commandlayer.eth", - "hash_sha256": "...", - "signature_b64": "..." - } - } - }, - "runtime_metadata": { - "trace_id": "trace_123", - "duration_ms": 118, - "provider": "runtime.commandlayer.org" - } -} -``` - -The canonical signed object is `receipt`. `runtime_metadata` is optional and unsigned. Verification, persistence, and downstream audit should use the canonical `receipt` object. - -### Commons - -Use the client verb methods or the explicit request builder helpers: - -- TypeScript: `buildCommonsRequest(verb, body, { actor })` -- Python: `build_commons_request(verb, body, actor=...)` - -### Commercial - -The repo does **not** claim first-class commercial runtime coverage, but both SDKs now isolate commercial request shaping behind explicit opt-in helpers instead of mixing it into Commons request construction: - -- TypeScript: `buildCommercialRequest(...)` -- Python: `build_commercial_request(...)` - -That commercial builder is intentionally separate from the Commons happy path. - -## Verification - -Verification reads exactly the current receipt contract: - -1. take `response.receipt`, -2. remove `metadata.receipt_id` and the signed hash/signature fields, -3. canonicalize with `cl-stable-json-v1`, -4. recompute `sha256`, -5. compare the recomputed hash to `metadata.proof.hash_sha256`, -6. if `metadata.receipt_id` is present, treat equality to the proof hash as a compatibility / diagnostic check, -7. verify the Ed25519 signature. - -## Legacy handling retained - -Only one legacy surface is retained in the main packages: - -- `normalizeCommandResponse` / `normalize_command_response` still accept older blended runtime payloads that used a top-level `trace` field and convert them into `{ receipt, runtime_metadata }`. - -Everything else is documented and typed against the current receipt contract. diff --git a/python-sdk/README.md b/python-sdk/README.md index b621498..a15ceae 100644 --- a/python-sdk/README.md +++ b/python-sdk/README.md @@ -1,10 +1,19 @@ # CommandLayer Python SDK -Current-line Python SDK for the CommandLayer Commons receipt contract (`1.1.0`). +Current-line Python SDK for reusable CommandLayer receipt flows. -## Canonical contract +## Scope -Any `response["receipt"]["x402"]` block should be treated as legacy / commercial-only metadata rather than part of the Commons happy path in this repository. +This package is SDK-only and focuses on: +- receipt generation helpers, +- canonicalization, +- SHA-256 hashing, +- Ed25519 signing + verification, +- ENS key-resolution helpers, +- agent-wrapping utilities. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent ## Install @@ -23,9 +32,6 @@ response = client.summarize( style="bullet_points", ) -print(response["receipt"]["result"]["summary"]) -print(response.get("runtime_metadata", {}).get("duration_ms")) - verification = verify_receipt( response["receipt"], public_key="ed25519:BASE64_PUBLIC_KEY", @@ -33,30 +39,6 @@ verification = verify_receipt( print(verification["ok"]) ``` -## Explicit request builders - -```python -from commandlayer import build_commons_request, build_commercial_request - -commons = build_commons_request( - "summarize", - { - "input": {"content": "hello", "summary_style": "bullet_points"}, - "limits": {"max_output_tokens": 400}, - }, - actor="docs-example", -) - -commercial = build_commercial_request( - "summarize", - {"input": {"content": "hello"}}, - actor="docs-example", - payment={"scheme": "x402", "quote_id": "quote_123"}, -) -``` - -Commercial request shaping is deliberately isolated from the Commons client happy path. - ## Verification helpers - `verify_receipt(receipt, public_key=...)` @@ -64,6 +46,7 @@ Commercial request shaping is deliberately isolated from the Commons client happ - `extract_receipt_verb(receipt_or_response)` - `recompute_receipt_hash_sha256(receipt_or_response)` -## Legacy support +## Boundary notes -`normalize_command_response()` still accepts older blended payloads with top-level `trace` and rewrites them to the canonical envelope. That is compatibility-only. +- VerifyAgent is external and not part of this package/repository runtime surface. +- Commercial hosted runtime, x402, and indexing/dashboard product surfaces are outside the SDK package scope. diff --git a/python-sdk/docs/client.md b/python-sdk/docs/client.md index ce9f5da..866a116 100644 --- a/python-sdk/docs/client.md +++ b/python-sdk/docs/client.md @@ -25,6 +25,13 @@ Every verb method returns: `receipt` is the canonical signed payload. `runtime_metadata` is execution context and is not part of the signed receipt hash. +## Boundaries + +This SDK is programmatic tooling only. It does not include a public verifier UI. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + ## Verbs - `summarize` @@ -38,8 +45,6 @@ Every verb method returns: - `parse` - `fetch` -`parse()` accepts the current-line `schema` field for schema-guided parsing. The legacy `target_schema` argument is still accepted as a compatibility alias, but new integrations should prefer `schema`. - ## Generic invoke Use `client.call(verb, payload)` for full control. diff --git a/python-sdk/docs/getting-started.md b/python-sdk/docs/getting-started.md index 5977a35..b56a9fb 100644 --- a/python-sdk/docs/getting-started.md +++ b/python-sdk/docs/getting-started.md @@ -6,6 +6,17 @@ pip install commandlayer ``` +## Developer flow + +1. Install SDK +2. Wrap agent execution +3. Generate signed CommandLayer receipt +4. Verify locally with SDK or publicly with VerifyAgent +5. Upgrade to Commercial API for hosted/high-volume verification + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent + ## First request ```python diff --git a/python-sdk/docs/verification.md b/python-sdk/docs/verification.md index c25f603..eb98878 100644 --- a/python-sdk/docs/verification.md +++ b/python-sdk/docs/verification.md @@ -1,6 +1,9 @@ # Verification -The verification helper validates the current receipt contract directly. +The SDK verification helper validates the current receipt contract directly. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent ## Rules diff --git a/typescript-sdk/README.md b/typescript-sdk/README.md index 4b50d0a..ff13761 100644 --- a/typescript-sdk/README.md +++ b/typescript-sdk/README.md @@ -1,14 +1,19 @@ # CommandLayer TypeScript SDK -Current-line TypeScript SDK for the CommandLayer Commons receipt contract (`1.1.0`). +Current-line TypeScript SDK for reusable CommandLayer receipt flows. -## What is canonical +## Scope -- `response.receipt` is the signed receipt. -- `response.runtime_metadata` is optional unsigned execution context. -- `receipt.metadata.proof.hash_sha256` is the signed/recomputed receipt proof hash. -- The canonical verb lives at `receipt.verb`; `receipt.x402.verb` is legacy / commercial fallback only. -- `receipt.metadata.receipt_id`, when present, should match the proof hash but is not required for verification `ok`. +This package is SDK-only and focuses on: +- receipt generation helpers, +- canonicalization, +- SHA-256 hashing, +- Ed25519 signing + verification, +- ENS key-resolution helpers, +- agent-wrapping utilities. + +For public paste-and-verify receipt verification, use VerifyAgent: +https://github.com/commandlayer/verifyagent ## Install @@ -27,76 +32,14 @@ const response = await client.summarize({ style: "bullet_points" }); -console.log(response.receipt.result?.summary); -console.log(response.runtime_metadata?.duration_ms); - const verification = await verifyReceipt(response.receipt, { publicKey: "ed25519:BASE64_PUBLIC_KEY" }); +console.log(response.receipt.result?.summary); console.log(verification.ok); ``` -## Return shape - -Client methods return: - -```json -{ - "receipt": { - "status": "success", - "verb": "summarize", - "result": {}, - "metadata": { - "proof": { - "alg": "ed25519-sha256", - "canonical": "cl-stable-json-v1", - "signer_id": "runtime.commandlayer.eth", - "hash_sha256": "...", - "signature_b64": "..." - } - } - }, - "runtime_metadata": { - "trace_id": "trace_123", - "duration_ms": 118, - "provider": "runtime.commandlayer.org" - } -} -``` - -`verifyReceipt()` accepts the canonical `receipt` object. The SDK also accepts a whole response envelope for legacy compatibility, but new integrations should pass `response.receipt` explicitly. Any `receipt.x402` block should be treated as legacy / commercial-only metadata rather than part of the Commons contract. - -## Verification modes - -### Offline - -```ts -const result = await verifyReceipt(response.receipt, { - publicKey: "ed25519:BASE64_PUBLIC_KEY" -}); -``` - -### ENS-backed - -```ts -import { buildCommonsRequest, buildCommercialRequest } from "@commandlayer/sdk"; - -const commons = buildCommonsRequest("summarize", { - input: { content: "hello", summary_style: "bullet_points" }, - limits: { max_output_tokens: 400 } -}, { actor: "docs-example" }); - -const commercial = buildCommercialRequest("summarize", { - input: { content: "hello" } -}, { - actor: "docs-example", - payment: { scheme: "x402", quote_id: "quote_123" } -}); -``` - -The commercial builder is isolated on purpose; this package's first-class runtime client remains Commons-first. - ## Verification helpers - `verifyReceipt(receipt, { publicKey })` @@ -104,20 +47,14 @@ The commercial builder is isolated on purpose; this package's first-class runtim - `extractReceiptVerb(receiptOrResponse)` - `recomputeReceiptHashSha256(receiptOrResponse)` -## Legacy support +## Contract semantics -```bash -cd typescript-sdk -npm ci -npm run typecheck -npm test -npm run test:integration -``` +- `response.receipt` is the signed canonical artifact. +- `response.runtime_metadata` is optional unsigned context. +- Verification recomputes the canonical SHA-256 hash and validates Ed25519 signature proof. +- `receipt.metadata.receipt_id` is compatibility metadata when present. -## Receipt verification semantics +## Boundary notes -- `receipt.verb` is the canonical verb field returned by the runtime. -- `receipt.metadata.receipt_id` is an identifier for the receipt instance. -- `receipt.metadata.proof.hash_sha256` is the SHA-256 hash over the unsigned canonical receipt payload. -- `verifyReceipt()` succeeds when the declared algorithm/canonicalization match, the recomputed payload hash matches `hash_sha256`, and the Ed25519 signature validates over that hash. Any `receipt_id_matches` output is compatibility/diagnostic metadata and is not required for `ok`. -- Legacy receipts that still place the verb under `receipt.x402.verb` continue to parse, but that path is fallback-only. +- VerifyAgent is external and not part of this package/repository runtime surface. +- Commercial hosted runtime, x402, and indexing/dashboard product surfaces are outside the SDK package scope.