Add tenant agent signer identity foundation #381

Open
GsCommand wants to merge 1 commit into main from codex/add-tenant-agent-signer-identity-foundation

@GsCommand

Contributor

Motivation

  • Allow claimed tenant agents to sign their own action receipts and let the verifier resolve each agent’s public key from the agent’s ENS TXT identity rather than relying on runtime.commandlayer.eth.
  • Preserve existing platform behavior where genesis receipts remain platform-issued attestations signed by the runtime signer and do not pretend tenant-signed genesis receipts exist.
  • Provide a minimal, safe BYO-key foundation that stores only tenant public signer identity and deterministic ENS TXT instructions while leaving private-key custody decisions to tenants or external systems.

Description

  • Add tenant signer identity utilities in lib/tenantSignerIdentity.js to normalize identity fields and produce the deterministic TXT record package and ENS check behavior for the four required TXT records (cl.sig.pub, cl.sig.kid, cl.sig.canonical, cl.receipt.signer).
  • Add admin API POST /api/admin/tenant-signer-identity to upsert per-agent public identity and to check_records by calling the same ENS resolver used during verification, and extend claim detail output to include tenant_signer_record_package for admin UI consumption.
  • Add DB migration db/migrations/008_tenant_signer_identity.sql to add per-agent fields: agent_ens_name, tenant_signer_kid, tenant_signer_public_key, tenant_signer_canonicalization, tenant_signer_created_at, and tenant_signer_status with lifecycle validation.
  • Preserve platform genesis semantics by adding subject_agent and issuer_role: 'platform_genesis_attestor' to generated genesis receipts and adjust canonical payload handling so action receipts may include issuer_role: 'tenant_agent' without breaking older shapes.
  • Export the resolver from lib/verifyReceipt.js so tenant ENS checks call the same resolution path used for verification, and add admin UI changes to public/admin/claims.html to show the Tenant Agent Signer Identity section with copyable TXT records and Check ENS Records/Add BYO public key actions.
  • Add docs docs/ops/tenant-agent-signer-identity.md documenting audit findings, custody model, record package shape, and the identity distinction between platform genesis and tenant action receipts.
  • Add unit tests tests/tenant-signer-identity.test.js that cover runtime signer verification, tenant-signed receipt verification against tenant ENS records, failure modes (kid/pub mismatches and verifying tenant receipts against runtime records), TXT record package shape and pending/verified status, and checks that the admin API never exposes tenant private key material.

Testing

  • Ran npm test and all tests passed (129 tests passed, 0 failed), including the new tests/tenant-signer-identity.test.js verifying tenant signing and ENS-resolution behavior.
  • Ran npm run check:links and it completed successfully with all local links resolved.
  • Ran example checks via cd examples/webhook-auto-verify && npm run check and the example check completed successfully.

Codex Task
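
The verification rule this description relies on (resolve the signer's four TXT records, then check kid and signature against them) can be sketched as follows. This is an added example, not code from this pull request or from lib/verifyReceipt.js. Assumptions: Ed25519 signatures, base64 SPKI public keys in cl.sig.pub, sorted-key JSON canonicalization, the TXT values shown, the receipt shape, the tenant ENS name, and an in-memory map standing in for the ENS resolver.

```javascript
// Added illustration, not CommandLayer code. Assumed: Ed25519, base64 SPKI keys in
// cl.sig.pub, sorted-key JSON canonicalization, and an in-memory TXT resolver.
const crypto = require('node:crypto');

// Hypothetical canonical form: flat payload, keys sorted, then JSON.
const canonical = (p) =>
  JSON.stringify(Object.fromEntries(Object.entries(p).sort(([a], [b]) => (a < b ? -1 : 1))));

function makeSigner(kid) { // constructed key pair standing in for a tenant's BYO key
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    kid,
    pub: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
    sign: (p) => crypto.sign(null, Buffer.from(canonical(p)), privateKey).toString('base64'),
  };
}

const REQUIRED = ['cl.sig.pub', 'cl.sig.kid', 'cl.sig.canonical', 'cl.receipt.signer'];
const txtFor = (name, s) => ({
  'cl.sig.pub': s.pub, 'cl.sig.kid': s.kid,
  'cl.sig.canonical': 'json-sorted-keys', 'cl.receipt.signer': name, // assumed values
});

// Constructed records: the platform runtime name and a placeholder tenant agent name.
const runtime = makeSigner('runtime-kid-1');
const tenant = makeSigner('tenant-kid-1');
const ENS_TXT = {
  'runtime.commandlayer.eth': txtFor('runtime.commandlayer.eth', runtime),
  'agent.tenant-example.eth': txtFor('agent.tenant-example.eth', tenant),
};

// Verify a receipt against the TXT records of the ENS name it claims as signer.
function verifyReceipt(receipt, ensName, resolveTxt = (n) => ENS_TXT[n]) {
  const txt = resolveTxt(ensName);
  if (!txt) return 'no_records';
  const missing = REQUIRED.find((k) => !txt[k]);
  if (missing) return `missing:${missing}`;
  if (receipt.signature.kid !== txt['cl.sig.kid']) return 'kid_mismatch';
  const key = crypto.createPublicKey({
    key: Buffer.from(txt['cl.sig.pub'], 'base64'), format: 'der', type: 'spki',
  });
  const data = Buffer.from(canonical(receipt.payload));
  const sig = Buffer.from(receipt.signature.value, 'base64');
  return crypto.verify(null, data, key, sig) ? 'verified' : 'bad_signature';
}

const payload = { action: 'example.action', issuer_role: 'tenant_agent' };
const tenantReceipt = { payload, signature: { kid: tenant.kid, value: tenant.sign(payload) } };
```

Checking `tenantReceipt` against the tenant name returns `verified`; checking the same receipt against `runtime.commandlayer.eth` returns `kid_mismatch`, which is the separation between platform and tenant identities the description calls for.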

@vercel

vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| commandlayer-commandlayer-org | Ready | Preview, Comment | May 29, 2026 2:58am |
| commandlayer-org | Ready | Preview, Comment | May 29, 2026 2:58am |
| commandlayer-org111 | Ready | Preview, Comment | May 29, 2026 2:58am |
