Motivation

• Audit the repository against the canonical CommandLayer runtime-core requirements (receipt canonicalization, hash/signature envelope, algorithm casing, key config names, verification, schema and tests) without changing runtime behavior.
• Produce an actionable checklist and migration plan to align SDK with @commandlayer/runtime-core@1.2.0 and surface release blockers.

Description

• Added AUDIT-agent-sdk-runtime-core-alignment.md at the repo root containing ratings, findings, duplicate-logic inventory, public API mismatches, files likely affected, safe migration order, required tests, and release blockers.
• The audit documents that the SDK currently emits a legacy top-level proof envelope (fields like proof.canonical, proof.alg, proof.signature), uses lowercase ed25519 in schema/tests, implements local canonicalization/signing in src/canonicalize.ts, src/receipt.ts, and src/crypto.ts, and performs verification via remote verifier HTTP calls only (cl.verify).
• No implementation code was modified as part of this change; the audit lists affected files to change in a later implementation phase (for example src/index.ts, src/receipt.ts, src/crypto.ts, src/canonicalize.ts, src/schemas.trust-receipt-v1.json, tests, docs, and examples).

Testing

• Ran npm install, which failed due to a registry 403 when fetching require-from-string-2.0.2.tgz, preventing dependency installation.
• Ran npm run build, which failed with TypeScript module/type errors caused by missing dependencies and type definitions after the install failure.
• Ran npm test, which also failed because pretest calls the build step that failed; therefore automated test suite could not complete successfully.

Commit recorded as SHA 8e69f2775543fb2acd44078ea7b1f2fa85a3f238 and the audit file contains the full findings and recommendations for the next implementation steps.

Codex Task