This file governs how Codex (and compatible AI agents) behave in any CommandLayer repository. Drop this file into the root of any repo you want governed. The companion file
CLAUDE.mdcarries the same rules for Claude Code — keep them in sync.
CommandLayer is a layered protocol system. Understand these layers before touching anything:
| Layer | Repos | Purpose |
|---|---|---|
| 1 — Protocol Contracts | protocol-commons, protocol-commercial |
Schemas, versions, receipt shapes |
| 2 — Crypto Truth | runtime-core |
Canonicalization + signing/verifying. Single source of truth |
| 3 — Execution Runtimes | runtime, commercial-runtime |
Deterministic verbs that emit receipts |
| 4 — Routing | router |
Stable entrypoint, health/readiness/version, forwards to runtimes |
| 5 — Developer Surface | sdk |
Typed clients + verification helpers |
| 6 — Discovery | agent-cards |
Discovery payloads |
| Integration Root | stack |
E2E tests, docker-compose, compatibility matrix |
Do not blur these layers. A change in runtime must not invent fields not in the protocol schema. A change in sdk must not embed verification logic that belongs in runtime-core.
- Endpoints MUST be versioned:
/{verb}/v{protocol_version}(e.g./describe/v1.0.0) - Receipts MUST verify via
runtime-core— no custom verification logic elsewhere - Protocol schemas are the contract; runtimes must not invent fields unless the schema allows it
- Health endpoints are required on all services:
- Router:
GET /health,GET /ready,GET /version - Runtimes:
GET /health,GET /version
- Router:
Always plan before writing code. Outline:
- What layer(s) are affected
- What contracts are touched
- What tests will verify the change
- What can break downstream
Do not begin implementation until the plan is confirmed.
For tasks spanning multiple repos or layers, decompose per layer. Never carry cross-layer changes silently. Surface cross-repo impacts explicitly before acting.
After completing a task, review what you changed and ask: Did I introduce any layer blurring, contract deviation, or fragility? If yes, fix it before committing.
A task is not done until:
- The targeted layer's tests pass
- Stack e2e (
./e2e.sh) is green (or you've confirmed it's unaffected) - No hard contracts are broken
- The changeset is minimal — no collateral edits
Prefer the simplest correct solution. Do not over-engineer. Three similar lines of code is better than a premature abstraction. Do not add features, fallbacks, or options that weren't asked for.
When you encounter a bug in code you did not write, fix the root cause — do not paper over it with a workaround. If the root cause is in a different layer or repo, flag it explicitly rather than patching around it.
Use a task list for any work with 3+ steps. Mark tasks in progress before starting and completed immediately upon finishing. Never batch completions.
Every commit message must explain why, not just what. Reference the layer affected and the contract being upheld or changed. Format:
[layer] short imperative description
Why: <one sentence on the reason>
Contract impact: <none | describe if any>
After each step, re-read the plan. Confirm you're still on the minimal path. Bail early if scope has crept.
If you discover something surprising about the codebase (hidden coupling, undocumented constraint, layer violation), add a note to ARCHITECTURE.md or the relevant COMPATIBILITY_MATRIX.md before finishing.
Every line added is a maintenance burden. Add only what the task requires. Do not refactor surrounding code unless it directly blocks the task.
Do not work around a problem. Identify and fix the actual cause. If the cause is outside your scope, surface it to the user and stop.
Prefer changes that are local to one layer. If a change ripples into two or more layers, that is a signal to slow down, re-plan, and confirm with the user.
cp .env.example .env
./checkout-deps.sh # clones all dependent repos at correct refs
./inject-dockerfiles.sh # only needed if dep repos lack Dockerfiles
docker compose up -d --build
./e2e.sh # must be green before any PR- Router is up and healthy
- Runtimes respond
- A request returns a structured receipt (or 402 if paywall enabled)
- No HTML errors or junk responses
All repo refs are pinned in REPO_LOCK.json. Do not change a ref without understanding the compatibility matrix in COMPATIBILITY_MATRIX.md.
- Branch names for AI sessions:
claude/<task-slug>-<session-id> - Commit to the designated branch — never push to
maindirectly - Push with:
git push -u origin <branch-name>
This file does not replace per-repo README or inline code comments. It governs agent behavior, not user documentation. Keep it focused on rules and conventions — not tutorials.
Sync any changes here into CLAUDE.md (Claude Code equivalent) to keep both agents governed by the same rules.