Skip to content

Add playground and Chrome receipt-inspector foundation; scoped CORS for /api/verify#351

Merged
GsCommand merged 1 commit into
mainfrom
codex/create-branch-for-verifier-improvements
May 26, 2026
Merged

Add playground and Chrome receipt-inspector foundation; scoped CORS for /api/verify#351
GsCommand merged 1 commit into
mainfrom
codex/create-branch-for-verifier-improvements

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 26, 2026

Motivation

  • Provide a safe public playground surface so users can try CommandLayer flows without exposing admin/payment logic or private keys.
  • Enable a developer-preview foundation for a Chrome Receipt Inspector that can detect receipt IDs and verify receipts via the public verifier API.
  • Allow browser extensions to call the public verifier by adding scoped CORS support to /api/verify without opening admin or payment endpoints.

Description

  • Added scoped CORS and preflight handling to api/verify.js with an allowlist for https://www.commandlayer.org, https://commandlayer.org, and chrome-extension://*, returning 204 for OPTIONS, and adding Access-Control-Allow-* headers.
  • Introduced public/playground.html as a lightweight playground UI that picks a verb, accepts text, loads a sample receipt, shows a clear fallback ("Live runtime unavailable. Use sample receipt."), and links into the existing verifier surface.
  • Added developer-preview extension docs at docs/extension/chrome-receipt-inspector.md describing detection (clrcpt_[a-f0-9]{32}), verifier path, CORS needs, and receipt-ID lookup fallback.
  • Added an optional MV3 scaffold under extension/chrome-receipt-inspector/ (manifest, popup, popup.js, content.js, content.css, background.js, README) implementing a paste-and-verify popup and a content script that detects receipt-ID candidates, explicitly as a developer preview (no private keys, no admin/payment calls, no store publish).
  • Updated tests/api-verify.test.js to expect Allow: POST,OPTIONS on 405 responses to match the new handler behavior while preserving the verification logic exercised by existing tests.
  • Preserved all existing payment/admin/auth behavior and the runtime logic used by public/verify.html; no changes to Stripe, admin auth, ENS provisioning, or ERC-8004 registration were made.

Testing

  • Ran npm test and all tests passed (65 tests, 0 failures).
  • Ran npm run check:links and it completed successfully with all local links resolved.
  • Ran cd examples/webhook-auto-verify && npm run check and the example checks passed successfully.

Codex Task

@vercel
Copy link
Copy Markdown

vercel Bot commented May 26, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commandlayer-commandlayer-org Ready Ready Preview, Comment May 26, 2026 12:22am
commandlayer-org Ready Ready Preview, Comment May 26, 2026 12:22am
commandlayer-org111 Ready Ready Preview, Comment May 26, 2026 12:22am

Request Review

@GsCommand GsCommand merged commit 0e5a895 into main May 26, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand