Require verifier in verify.receipt and finalize provenance wording by GsCommand · Pull Request #4 · commandlayer/protocol-commercial

GsCommand · 2026-03-19T06:31:02Z

Ensure verification receipts always identify the auditing actor so no anonymous or ambiguous verifier can validate a receipt.
Remove provisional provenance wording from the repository so the provenance document reads as a completed, repository-backed release artifact.

Add verifier to the top-level required array in schemas/v1.1.0/commercial/verify/verify.receipt.schema.json and constrain it to the existing actor shape while requiring role: "verifier" via an allOf refinement.
Rewrite SECURITY_PROVENANCE.md to remove “pending” / “CID later” language and state the repository-backed release integrity posture (current line, checksums, canonical schema paths) without asserting external pin/mirror state.
Regenerate checksums.txt so the recorded SHA-256 digests match the updated schema artifact.
No example files required changes because existing current-line examples already include a verifier.

Ran npm run validate which completed successfully.
Ran npm run validate:examples which completed successfully and reported all current-line examples validated.
Ran npm run generate:checksums to refresh checksums.txt and it wrote updated checksums successfully.

Tighten verify receipt provenance

298d639

GsCommand added the codex label Mar 19, 2026 — with ChatGPT Codex Connector

GsCommand merged commit b5699f9 into main Mar 19, 2026
1 check passed

GsCommand deleted the codex/require-verifier-in-receipt-schema-and-clean-provenance branch March 20, 2026 01:50

Provide feedback