Tighten validation and release metadata hygiene (#25)

GsCommand · web-flow · commit d553104bdefa · 2026-03-19T23:01:15.000-04:00
diff --git a/INTEGRATOR.md b/INTEGRATOR.md
@@ -57,7 +57,7 @@ The checksum-covered payload for this release is intentionally narrow:
 - `examples/v1.1.0/`
 - `manifest.json`
 
-`checksums.txt` is the ledger for that payload. It is not itself inside the hashed set. Prose docs remain authoritative for interpretation and release process, but they are outside the checksum boundary.
+`checksums.txt` is the ledger for that payload. It is not itself inside the hashed set, so checksum verification confirms covered files only relative to the checked-in `checksums.txt` ledger and does not independently authenticate that ledger. Prose docs remain authoritative for interpretation and release process, but they are outside the checksum boundary.
 
 ## TypeScript guidance
 
diff --git a/README.md b/README.md
@@ -247,7 +247,7 @@ sha256sum -c checksums.txt
 - `npm run validate:schemas` checks current-line metadata, schema identity, layout, and manifest/index alignment expectations.
 - `npm run validate:examples` validates every current-line JSON valid and invalid example against the canonical schemas.
 - `npm run validate:integrity` verifies the checksum file scope and hash coverage for the current release artifact set.
-- `checksums.txt` intentionally covers machine-validated release payloads only: `manifest.json`, `schemas/v1.1.0/index.json`, `schemas/v1.1.0/`, and `examples/v1.1.0/`.
+- `checksums.txt` intentionally covers machine-validated release payloads only: `manifest.json`, `schemas/v1.1.0/`, and `examples/v1.1.0/`.
 
 ## Agent Cards and Commons alignment
 
@@ -268,7 +268,7 @@ The v1.1.0 checksum-covered machine-artifact set is intentionally limited to:
 - `examples/v1.1.0/`
 - `manifest.json`
 
-`checksums.txt` is the generated hash ledger for that machine-artifact set; it describes that surface but is not itself part of the hashed payload. Release-defining prose docs such as `README.md`, `SPEC.md`, `POLICY.md`, `SECURITY_PROVENANCE.md`, `INTEGRATOR.md`, and `ONBOARDING.md` are authoritative guidance, but they are outside the checksum surface unless the tooling is expanded deliberately in a later release.
+`checksums.txt` is the generated hash ledger for that machine-artifact set; it describes that surface but is not itself part of the hashed payload, so checksum verification confirms covered files only relative to the checked-in `checksums.txt` ledger and does not independently authenticate that ledger. Release-defining prose docs such as `README.md`, `SPEC.md`, `POLICY.md`, `SECURITY_PROVENANCE.md`, `INTEGRATOR.md`, and `ONBOARDING.md` are authoritative guidance, but they are outside the checksum surface unless the tooling is expanded deliberately in a later release.
 
 For external verification, the minimal path is:
 
diff --git a/SECURITY_PROVENANCE.md b/SECURITY_PROVENANCE.md
@@ -10,7 +10,7 @@ Checksum-covered machine-artifact roots:
 - `examples/v1.1.0/`
 - `manifest.json`
 
-`checksums.txt` is the generated SHA-256 ledger for that machine-artifact set. It describes the checksum-covered payload but is not itself part of the hashed payload. Release-defining prose docs in the repository are intentionally outside this checksum boundary and must not be described as checksum-protected.
+`checksums.txt` is the generated SHA-256 ledger for that machine-artifact set. It describes the checksum-covered payload but is not itself part of the hashed payload, so checksum verification confirms covered files only relative to the checked-in `checksums.txt` ledger and does not independently authenticate that ledger. Release-defining prose docs in the repository are intentionally outside this checksum boundary and must not be described as checksum-protected.
 
 Release integrity state for this repository:
 
diff --git a/checksums.txt b/checksums.txt
@@ -28,7 +28,7 @@ a2a5e61fa04e12786a848e03bbabbc3f9d066ca55a6f48cb1ae1140f6373bf94  examples/v1.1.
 9492d90ea14ad35eeb8acd03248ce6061ccdc04a7aff4ed538d8c42be3abc015  examples/v1.1.0/commercial/verify/valid/002-verify.request.valid.json
 50874f3eea69a51ac132873b05e39318e4c2241078ca5e258e466934935ec945  examples/v1.1.0/commercial/verify/valid/900-verify.receipt.valid.json
 455d19ad1b7ef98e436d8f1c675fee7f2716eb17d301da8d2cc4e2e2c51e624a  examples/v1.1.0/commercial/verify/valid/901-verify.receipt.valid.json
-80fa9124c1560d0e55b83554d83581dabf72505cc4d9c1354157f51fddd9686a  manifest.json
+0e4a8b868fa2f7d68bd5f65d7687a91ed97cd380b1b979dd7dc15b44a5a28939  manifest.json
 4d1178e63f6c5a9e1e4d9cc4d386fbad023dd5a85c000ff193285b1fed9af243  schemas/v1.1.0/commercial/authorize/authorize.receipt.schema.json
 ef5da55ba5acdd43e8d2715204938762a63819dd370ebc8dfedad014617259c3  schemas/v1.1.0/commercial/authorize/authorize.request.schema.json
 66e39d85a503ec2fa096d789b5b3136a451387186fa33424c4bcb07ce9aea49b  schemas/v1.1.0/commercial/checkout/checkout.receipt.schema.json
@@ -39,4 +39,4 @@ e9b62cf29d5f58fed922e9bc77c8d3e13e6f7ed04785baad7a7e4fc600ab44b8  schemas/v1.1.0
 b876f8ffbfd87e5554374de114414f9e4091ba09c80d07b9b99a40ff1befd7c5  schemas/v1.1.0/commercial/ship/ship.request.schema.json
 7abc8e8a2dec058298ba5dd0603f20d9f95f6bc411fcd429fdb3c7a116dcbcca  schemas/v1.1.0/commercial/verify/verify.receipt.schema.json
 09707b90a6317d10d13f6e5339bc17a7ddc4d5938970ff7e25842876b7f2eea5  schemas/v1.1.0/commercial/verify/verify.request.schema.json
-1431008b047fc5eb8fe2e0647a7a9d5e27e731ad89b97866c259a5e9937cc549  schemas/v1.1.0/index.json
+ef4d9050f892c9d4b86382b9fd3018ee8496e6ad26c2fa9a64cbb44b7d549598  schemas/v1.1.0/index.json
diff --git a/manifest.json b/manifest.json
@@ -34,7 +34,7 @@
     "actors": "payer/payee/merchant/provider/carrier/verifier",
     "payment_layers": "payment_requirement, payment_session, payment_proof"
   },
-  "aligns_with": {
+  "declared_alignment": {
     "protocol_commons": "1.1.0",
     "agent_cards": "1.1.0"
   },
diff --git a/package.json b/package.json
@@ -8,6 +8,9 @@
   ],
   "license": "Apache-2.0",
   "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
   "type": "module",
   "engines": {
     "node": ">=20.0.0"
diff --git a/schemas/v1.1.0/index.json b/schemas/v1.1.0/index.json
@@ -1,10 +1,8 @@
 {
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://commandlayer.org/schemas/v1.1.0/index.json",
   "name": "@commandlayer/commercial",
   "version": "1.1.0",
   "class": "commercial",
-  "schemas_root": "https://commandlayer.org/schemas/v1.1.0/",
+  "schemas_root": "schemas/v1.1.0",
   "verbs": [
     {
       "verb": "authorize",
diff --git a/scripts/generate-checksums.mjs b/scripts/generate-checksums.mjs
@@ -8,7 +8,6 @@ const OUTPUT_PATH = path.join(ROOT_DIR, "checksums.txt");
 const CURRENT_VERSION = "1.1.0";
 const TARGETS = [
   "manifest.json",
-  `schemas/v${CURRENT_VERSION}/index.json`,
   `schemas/v${CURRENT_VERSION}`,
   `examples/v${CURRENT_VERSION}`
 ];
diff --git a/scripts/validate-all.mjs b/scripts/validate-all.mjs
@@ -100,6 +100,8 @@ async function validateManifest() {
   assert(manifest.examples_root === `examples/v${CURRENT_VERSION}`, "manifest examples_root drift");
   assert(manifest.current_index === `schemas/v${CURRENT_VERSION}/index.json`, "manifest current_index drift");
   assert(manifest.checksums_file === "checksums.txt", "manifest checksums_file drift");
+  assert("declared_alignment" in manifest, "manifest must expose declarative alignment metadata");
+  assert(!("aligns_with" in manifest), "manifest aligns_with field must not imply verified enforcement");
   assert(JSON.stringify(manifest.verbs.map((v) => v.verb)) === JSON.stringify(EXPECTED_VERBS), "manifest verb list drift");
 }
 
@@ -108,6 +110,8 @@ async function validatePackage() {
   assert(pkg.version === CURRENT_VERSION, `package version must be ${CURRENT_VERSION}`);
   assert(pkg.main === `schemas/v${CURRENT_VERSION}/index.json`, "package main drift");
   assert(pkg.exports['.'] === `./schemas/v${CURRENT_VERSION}/index.json`, "package exports current entry drift");
+  assert(pkg.publishConfig?.access === "public", "package publishConfig.access drift");
+  assert(pkg.files.includes("INTEGRATOR.md"), "package files must include INTEGRATOR.md");
 }
 
 async function validateSchemaTree() {
@@ -167,8 +171,7 @@ async function validateIndex() {
   const indexPath = path.join(SCHEMAS_ROOT, "index.json");
   const indexJson = await loadJsonStrict(indexPath);
   assert(indexJson.version === CURRENT_VERSION, "index.json version drift");
-  assert(indexJson.$id === `https://commandlayer.org/schemas/v${CURRENT_VERSION}/index.json`, "index.json $id drift");
-  assert(indexJson.schemas_root === `https://commandlayer.org/schemas/v${CURRENT_VERSION}/`, "index.json schemas_root drift");
+  assert(indexJson.schemas_root === `schemas/v${CURRENT_VERSION}`, "index.json schemas_root drift");
   assert(JSON.stringify(indexJson.verbs) === JSON.stringify(EXPECTED_VERBS.map(expectedVerbEntry)), "index.json verb inventory drift");
 
   const manifest = await loadJsonStrict(path.join(ROOT_DIR, "manifest.json"));
diff --git a/scripts/validate-integrity.mjs b/scripts/validate-integrity.mjs
@@ -8,7 +8,6 @@ const CURRENT_VERSION = "1.1.0";
 const CHECKSUMS_PATH = path.join(ROOT_DIR, "checksums.txt");
 const TARGETS = [
   "manifest.json",
-  `schemas/v${CURRENT_VERSION}/index.json`,
   `schemas/v${CURRENT_VERSION}`,
   `examples/v${CURRENT_VERSION}`
 ];

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,8 @@`
`1`	`1`	`{`
`2`		`- "$schema": "https://json-schema.org/draft/2020-12/schema",`
`3`		`- "$id": "https://commandlayer.org/schemas/v1.1.0/index.json",`
`4`	`2`	`"name": "@commandlayer/commercial",`
`5`	`3`	`"version": "1.1.0",`
`6`	`4`	`"class": "commercial",`
`7`		`- "schemas_root": "https://commandlayer.org/schemas/v1.1.0/",`
	`5`	`+ "schemas_root": "schemas/v1.1.0",`
`8`	`6`	`"verbs": [`
`9`	`7`	`{`
`10`	`8`	`"verb": "authorize",`