chore: add CI, CHANGELOG, SECURITY, RELEASING, .gitignore, ROADMAP, C…

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on:
+  push:
+    branches: [main, "claude/**", "codex/**"]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate-schemas:
+    name: Validate trust-verification schemas
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - name: Install dependencies
+        run: npm install
+      - name: Run schema example validation
+        run: npm test
+
+  build-validator:
+    name: Build @commandlayer/clas-validator
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: packages/clas-validator
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - name: Install dependencies
+        run: npm install
+      - name: Build
+        run: npm run build

.gitignore

@@ -0,0 +1,8 @@
+node_modules/
+dist/
+*.log
+.env
+.env.local
+.DS_Store
+*.tmp
+.tmp-test

CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+All notable changes to CLAS (CommandLayer Action Schema) are documented here.
+
+## [1.0.0] — 2026-05-12
+
+### Added
+- `trust-verification` action family with 10 verbs: verify, authenticate, authorize, attest, sign, permit, grant, approve, reject, endorse
+- Shared `_shared/proof.schema.json` with aligned proof field names (`alg`, `kid`, `signer_id`)
+- Schema mirror at `schemas/v1.0.0/` matching the URL path structure that `runtime-core/schema-client.ts` fetches
+- `packages/clas-validator` — TypeScript validator with CLI entrypoint (`clas-validate`)
+- CI via `.github/workflows/ci.yml` — schema validation on every push and PR
+- `.gitignore`, `SECURITY.md`, `RELEASING.md`
+- `docs/ROADMAP.md` for planned families
+
+### Changed
+- Proof schema field names aligned with ecosystem standard: `signature_alg` → `alg`, `key_id` → `kid`, `signer` → `signer_id`
+- `packages/clas-validator` renamed from `@clas/clas-validator` to `@commandlayer/clas-validator` and bumped to `1.0.0`
+- Root `manifest.json` now lists only `trust-verification` (the only family with actual schemas)
+- All 10 verb example files (`valid.receipt.json`, `tampered.receipt.json`) updated to use new proof field names
+
+### Removed
+- 9 empty stub family directories: `commerce-payments`, `communication-outreach`, `content-creation`, `data-analytics`, `identity-compliance`, `lifecycle-management`, `logistics-fulfillment`, `training-optimization`, `workflow-approval` — moved to `docs/ROADMAP.md`
+- `.tmp-test` artifact from repo root

RELEASING.md

@@ -0,0 +1,43 @@
+# Releasing
+
+## Schema Versioning
+
+CLAS schemas follow semantic versioning at the family level. `trust-verification` is currently at `1.0.0`.
+
+| Bump | When |
+|------|------|
+| Patch (1.0.x) | Description/documentation changes only — no structural change |
+| Minor (1.x.0) | New optional fields, new verbs — backwards compatible |
+| Major (x.0.0) | Required field changes, field renames, removed fields — breaking |
+
+## Release Process
+
+1. Update schema files under `schemas/trust-verification/`
+2. Update `version` in `schemas/trust-verification/manifest.json`
+3. Update the mirror under `schemas/v<version>/trust-verification/`
+4. Regenerate `checksums.txt`:
+   ```sh
+   find schemas -name "*.json" | sort | xargs sha256sum > checksums.txt
+   ```
+5. Update `CHANGELOG.md`
+6. Commit, push, and create a git tag:
+   ```sh
+   git tag -a v1.0.0 -m "trust-verification v1.0.0"
+   git push origin v1.0.0
+   ```
+7. Publish `@commandlayer/clas-validator`:
+   ```sh
+   cd packages/clas-validator
+   npm run build
+   npm publish --access public
+   ```
+
+## Adding a New Family
+
+A family is only added to `manifest.json` and `schemas/` when:
+
+1. At least one verb has complete `request.schema.json`, `receipt.schema.json`, and `examples/` with valid/tampered/invalid fixtures
+2. CI passes for all verb examples
+3. `manifest.json` for the family is present and valid
+
+Do not create stub directories for planned families — use `docs/ROADMAP.md` instead.

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Scope
+
+This repository defines JSON schemas for the CommandLayer Action Schema (CLAS) protocol and publishes the `@commandlayer/clas-validator` package. Schemas are consumed by cryptographic signing and verification systems across the CommandLayer ecosystem.
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 1.0.0   | ✓         |
+
+## Reporting a Vulnerability
+
+To report a security vulnerability in schema definitions or the `@commandlayer/clas-validator` package:
+
+1. **Do not open a public GitHub issue.**
+2. Email **security@commandlayer.org** with:
+   - A description of the vulnerability
+   - The schema family and verb affected
+   - Steps to reproduce or a proof-of-concept
+   - The potential impact on signing/verification systems
+
+You will receive acknowledgement within 48 hours.
+
+## Known Limitations
+
+- **No schema revocation.** Once a schema version is published, there is no mechanism to invalidate receipts that validated against it. Schema versions are append-only; breaking changes require a new version identifier.
+- **`additionalProperties: false` enforcement.** All schemas reject unknown fields at the top level. Implementations must not rely on extension fields outside defined properties.
+- **Schema integrity.** The `checksums.txt` file provides SHA-256 checksums for all schema files. Consumers should validate checksums when fetching schemas from the network.
+- **Proof field binding.** The `proof` object in receipts binds to the canonicalized receipt body. Schema validation alone does not verify the cryptographic signature — that requires the runtime verifier.

docs/ROADMAP.md

@@ -0,0 +1,17 @@
+# CLAS Family Roadmap
+
+The `trust-verification` family is fully implemented. The following families are planned for future releases. Schema directories will not be created until actual schemas are written and CI-validated.
+
+| Family | Status | Description |
+|--------|--------|-------------|
+| commerce-payments | planned | Payment authorization, refund, settlement receipts |
+| communication-outreach | planned | Email send, notification dispatch receipts |
+| content-creation | planned | Content generation, publishing, moderation |
+| data-analytics | planned | Query execution, report generation |
+| identity-compliance | planned | KYC verification, identity attestation |
+| lifecycle-management | planned | Create, update, delete, archive operations |
+| logistics-fulfillment | planned | Order fulfillment, shipping, delivery |
+| training-optimization | planned | Model training, fine-tuning, evaluation |
+| workflow-approval | planned | Multi-step approval, escalation, routing |
+
+To propose or contribute a new family, open an issue or see [CONTRIBUTING.md](../CONTRIBUTING.md).

manifest.json

@@ -6,51 +6,6 @@
       "family": "trust-verification",
       "manifest": "schemas/trust-verification/manifest.json",
       "status": "draft-v1"
-    },
-    {
-      "family": "commerce-payments",
-      "manifest": "schemas/commerce-payments/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "communication-outreach",
-      "manifest": "schemas/communication-outreach/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "content-creation",
-      "manifest": "schemas/content-creation/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "data-analytics",
-      "manifest": "schemas/data-analytics/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "identity-compliance",
-      "manifest": "schemas/identity-compliance/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "lifecycle-management",
-      "manifest": "schemas/lifecycle-management/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "logistics-fulfillment",
-      "manifest": "schemas/logistics-fulfillment/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "training-optimization",
-      "manifest": "schemas/training-optimization/manifest.json",
-      "status": "planned"
-    },
-    {
-      "family": "workflow-approval",
-      "manifest": "schemas/workflow-approval/manifest.json",
-      "status": "planned"
     }
   ]
 }

package.json

@@ -1,6 +1,10 @@
 {
+  "name": "@commandlayer/clas",
+  "version": "1.0.0",
   "type": "module",
   "scripts": {
+    "test": "node scripts/validate-trust-verification-examples.mjs",
+    "validate": "node scripts/validate-trust-verification-examples.mjs",
     "validate:trust-verification": "node scripts/validate-trust-verification-examples.mjs"
   },
   "devDependencies": {

packages/clas-validator/bin/validate.js

@@ -0,0 +1,84 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('node:path');
+const fs = require('node:fs');
+
+const HELP = `Usage: clas-validate <file.json> [options]
+
+Options:
+  --verb <verb>    Action verb (e.g. verify, authenticate, authorize)
+                   Auto-detected from file content if omitted
+  --kind <kind>    request or receipt (auto-detected if omitted)
+  --help           Show this help
+
+Examples:
+  clas-validate receipt.json
+  clas-validate request.json --verb verify --kind request
+`;
+
+const args = process.argv.slice(2);
+
+if (args.length === 0 || args.includes('--help')) {
+  process.stdout.write(HELP);
+  process.exit(0);
+}
+
+let filePath = null;
+let verb = null;
+let kind = null;
+
+for (let i = 0; i < args.length; i++) {
+  if (args[i] === '--verb' && args[i + 1]) { verb = args[++i]; continue; }
+  if (args[i] === '--kind' && args[i + 1]) { kind = args[++i]; continue; }
+  if (!args[i].startsWith('--')) { filePath = args[i]; }
+}
+
+if (!filePath) {
+  process.stderr.write('Error: no input file specified\n');
+  process.exit(1);
+}
+
+const resolved = path.resolve(filePath);
+if (!fs.existsSync(resolved)) {
+  process.stderr.write(`Error: file not found: ${resolved}\n`);
+  process.exit(1);
+}
+
+let data;
+try {
+  data = JSON.parse(fs.readFileSync(resolved, 'utf8'));
+} catch (e) {
+  process.stderr.write(`Error: invalid JSON: ${e.message}\n`);
+  process.exit(1);
+}
+
+verb = verb || data.verb;
+if (!verb) {
+  process.stderr.write('Error: could not detect verb from file content. Use --verb <verb>\n');
+  process.exit(1);
+}
+
+kind = kind || (data.proof !== undefined ? 'receipt' : 'request');
+
+let validator;
+try {
+  validator = require('../dist/index.js');
+} catch (e) {
+  process.stderr.write(`Error: could not load validator (run npm run build first)\n${e.message}\n`);
+  process.exit(1);
+}
+
+const fn = kind === 'receipt' ? validator.validateTrustReceipt : validator.validateTrustRequest;
+const result = fn(verb, data);
+
+if (result.valid) {
+  process.stdout.write(`VALID ${kind} — verb: ${verb}\n`);
+  process.exit(0);
+} else {
+  process.stderr.write(`INVALID ${kind} — verb: ${verb}\n`);
+  for (const err of result.errors) {
+    process.stderr.write(`  ${err}\n`);
+  }
+  process.exit(1);
+}

packages/clas-validator/package.json

@@ -1,16 +1,21 @@
 {
-  "name": "@clas/clas-validator",
-  "version": "0.1.0",
-  "description": "Minimal schema-shape validator for CLAS Trust Verification requests and receipts.",
+  "name": "@commandlayer/clas-validator",
+  "version": "1.0.0",
+  "description": "Schema validator for CLAS (CommandLayer Action Schema) trust verification requests and receipts.",
   "license": "MIT",
   "type": "commonjs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "bin": {
+    "clas-validate": "bin/validate.js"
+  },
   "files": [
-    "dist"
+    "dist",
+    "bin"
   ],
   "scripts": {
-    "build": "tsc -p tsconfig.json"
+    "build": "tsc -p tsconfig.json",
+    "test": "node --test dist/**/*.test.js 2>/dev/null || echo 'No tests found — run npm run build first'"
   },
   "dependencies": {
     "ajv": "^8.17.1",
@@ -19,5 +24,8 @@
   "devDependencies": {
     "@types/node": "^22.10.2",
     "typescript": "^5.7.2"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }