From cc71e58231d23b9c517a5842700c2d7446abf564 Mon Sep 17 00:00:00 2001
From: Greg Soucy <GREG@COMMANDLAYER.ORG>
Date: Tue, 16 Jun 2026 20:31:43 -0400
Subject: [PATCH] Add managed ENS publication helper

---
 api/admin/prepare-managed-ens-publication.js  | 34 +++++++++++
 api/admin/run-activation-pipeline.js          |  2 +-
 api/admin/verify-managed-ens-publication.js   | 42 +++++++++++++
 api/claims/status.js                          |  5 +-
 db/migrations/011_managed_ens_publication.sql |  7 +++
 lib/claims/managed-ens-publication.js         | 59 +++++++++++++++++++
 public/admin/claims.html                      | 12 +++-
 tests/managed-ens-publication.test.js         | 50 ++++++++++++++++
 8 files changed, 205 insertions(+), 6 deletions(-)
 create mode 100644 api/admin/prepare-managed-ens-publication.js
 create mode 100644 api/admin/verify-managed-ens-publication.js
 create mode 100644 db/migrations/011_managed_ens_publication.sql
 create mode 100644 lib/claims/managed-ens-publication.js
 create mode 100644 tests/managed-ens-publication.test.js

diff --git a/api/admin/prepare-managed-ens-publication.js b/api/admin/prepare-managed-ens-publication.js
new file mode 100644
index 0000000..0c79b41
--- /dev/null
+++ b/api/admin/prepare-managed-ens-publication.js
@@ -0,0 +1,34 @@
+'use strict';
+
+const db = require('../../lib/db');
+const { requireAdminAuth } = require('./_auth');
+const { buildManagedEnsPublicationPackage } = require('../../lib/claims/managed-ens-publication');
+
+module.exports = async function handler(req, res) {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+  if (req.method !== 'POST') { res.setHeader('Allow', 'POST'); return res.status(405).json({ ok: false, status: 'METHOD_NOT_ALLOWED' }); }
+  if (!requireAdminAuth(req, res)) return;
+  const claimId = req.body && (req.body.claim_id || req.body.claimId);
+  if (!claimId) return res.status(400).json({ ok: false, status: 'CLAIM_ID_REQUIRED' });
+  try {
+    const result = await db.query('select * from claim_requests where claim_id = $1 limit 1', [claimId]);
+    const claim = result.rows[0];
+    if (!claim) return res.status(404).json({ ok: false, status: 'CLAIM_NOT_FOUND' });
+    const publication = buildManagedEnsPublicationPackage(claim);
+    await db.query(
+      `update claim_requests
+       set managed_ens_publication_status = 'ready_to_publish',
+           managed_ens_required_txt_records = $2::jsonb,
+           managed_ens_publication_instructions = $3::jsonb,
+           managed_ens_parent_namespace = $4,
+           managed_ens_publication_error = null,
+           updated_at = now()
+       where claim_id = $1`,
+      [claimId, JSON.stringify(publication.required_txt_records), JSON.stringify(publication.instructions), publication.parent_namespace]
+    );
+    return res.status(200).json({ ok: true, claim_id: claimId, publication });
+  } catch (error) {
+    return res.status(400).json({ ok: false, status: error.status || 'MANAGED_ENS_PUBLICATION_PREPARE_FAILED', error: error.message });
+  }
+};
diff --git a/api/admin/run-activation-pipeline.js b/api/admin/run-activation-pipeline.js
index a51f537..a3baf89 100644
--- a/api/admin/run-activation-pipeline.js
+++ b/api/admin/run-activation-pipeline.js
@@ -47,11 +47,11 @@ module.exports = async function handler(req, res) {
 
     const steps = {
       payment: paymentStep(claim),
+      managed_ens_publication: claim.managed_ens_publication_status || (claim.activation_mode === 'managed_namespace' ? 'not_started' : 'not_applicable'),
       ens_records: claim.tenant_signer_record_status || 'records_pending',
       agent_cards: 'not_started',
       genesis_receipt: claim.genesis_receipt_id ? 'already_generated' : 'not_started',
       tenant_action_proof: claim.tenant_proof_status || 'not_submitted',
-      managed_ens_publication: claim.managed_ens_publication_status || (claim.activation_mode === 'managed_namespace' ? 'not_started' : 'not_applicable'),
     };
 
     if (steps.payment !== 'already_paid') {
diff --git a/api/admin/verify-managed-ens-publication.js b/api/admin/verify-managed-ens-publication.js
new file mode 100644
index 0000000..2b7271a
--- /dev/null
+++ b/api/admin/verify-managed-ens-publication.js
@@ -0,0 +1,42 @@
+'use strict';
+
+const db = require('../../lib/db');
+const { requireAdminAuth } = require('./_auth');
+const { verifyManagedEnsPublication } = require('../../lib/claims/managed-ens-publication');
+
+module.exports = async function handler(req, res) {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.setHeader('Cache-Control', 'no-store');
+  if (req.method !== 'POST') { res.setHeader('Allow', 'POST'); return res.status(405).json({ ok: false, status: 'METHOD_NOT_ALLOWED' }); }
+  if (!requireAdminAuth(req, res)) return;
+  const claimId = req.body && (req.body.claim_id || req.body.claimId);
+  if (!claimId) return res.status(400).json({ ok: false, status: 'CLAIM_ID_REQUIRED' });
+  try {
+    const result = await db.query('select * from claim_requests where claim_id = $1 limit 1', [claimId]);
+    const claim = result.rows[0];
+    if (!claim) return res.status(404).json({ ok: false, status: 'CLAIM_NOT_FOUND' });
+    const verification = await verifyManagedEnsPublication(claim, req.verifyOptions || {});
+    if (verification.ok) {
+      await db.query(
+        `update claim_requests
+         set managed_ens_publication_status = 'verified', tenant_signer_record_status = 'records_verified',
+             tenant_signer_records_verified_at = now(), managed_ens_verified_at = now(),
+             managed_ens_publication_error = null, tenant_signer_verification_error = null, updated_at = now()
+         where claim_id = $1`,
+        [claimId]
+      );
+    } else {
+      await db.query(
+        `update claim_requests
+         set managed_ens_publication_status = $2, managed_ens_publication_error = $3,
+             tenant_signer_verification_error = $3, updated_at = now()
+         where claim_id = $1`,
+        [claimId, verification.status, verification.error]
+      );
+    }
+    return res.status(200).json({ ok: true, claim_id: claimId, verification });
+  } catch (error) {
+    try { await db.query(`update claim_requests set managed_ens_publication_status = 'failed', managed_ens_publication_error = $2, updated_at = now() where claim_id = $1`, [claimId, error.message]); } catch (_) {}
+    return res.status(400).json({ ok: false, status: error.status || 'MANAGED_ENS_PUBLICATION_VERIFY_FAILED', error: error.message });
+  }
+};
diff --git a/api/claims/status.js b/api/claims/status.js
index 6a288d9..d9414fd 100644
--- a/api/claims/status.js
+++ b/api/claims/status.js
@@ -25,7 +25,7 @@ module.exports = async function handler(req, res) {
       `select claim_id, claim_access_token_hash, tenant, activation_mode, status, payment_status, paid_at,
         tenant_signer_ens, tenant_signer_record_status, tenant_signer_records_verified_at, tenant_signer_records_network,
         tenant_signer_txt_records, managed_ens_publication_status, managed_ens_parent_namespace,
-        managed_ens_parent_authority_audited, tenant_proof_status, tenant_proof_signer, tenant_proof_verified_at,
+        managed_ens_required_txt_records, managed_ens_verified_at, managed_ens_publication_error, managed_ens_parent_authority_audited, tenant_proof_status, tenant_proof_signer, tenant_proof_verified_at,
         genesis_receipt_id, genesis_generated_at, first_action_receipt_status, first_action_receipt_id, first_action_receipt_hash, first_action_receipt_error
        from claim_requests where claim_id = $1 limit 1`,
       [claimId]
@@ -49,6 +49,7 @@ module.exports = async function handler(req, res) {
       tenant_signing_identity: claim.tenant_signer_ens ? 'generated' : 'missing',
       claim_request: 'created',
       payment: paymentConfirmed ? 'paid' : (claim.payment_status || 'unpaid'),
+      managed_ens_publication: claim.activation_mode === 'managed_namespace' ? (claim.managed_ens_publication_status || 'not_started') : 'not_applicable',
       ens_records: claim.tenant_signer_record_status || 'records_pending',
       agent_cards: cardsStatus(cards),
       genesis_receipt: claim.genesis_receipt_id ? 'generated' : 'not_generated',
@@ -56,7 +57,7 @@ module.exports = async function handler(req, res) {
       first_action_receipt: claim.first_action_receipt_status || 'not_generated',
       agent_live: paymentConfirmed && claim.tenant_signer_record_status === 'records_verified' && cardsStatus(cards) === 'cards_pinned' && claim.genesis_receipt_id && claim.tenant_proof_status === 'verified' && (claim.first_action_receipt_status === 'verified' || typeof claim.first_action_receipt_status === 'undefined') ? 'live' : 'not_live',
     };
-    return res.status(200).json({ ok: true, read_only: true, claim: { ...stripClaimSecrets(claim), cardsStatus: cardsStatus(cards) }, pipeline, cards });
+    return res.status(200).json({ ok: true, read_only: true, claim: { ...stripClaimSecrets(claim), cardsStatus: cardsStatus(cards), managed_ens_publication: { status: claim.managed_ens_publication_status || 'not_started', signer_ens: claim.tenant_signer_ens || null, parent_namespace: claim.managed_ens_parent_namespace || null, record_names: Object.keys(claim.managed_ens_required_txt_records || claim.tenant_signer_txt_records || {}), helper_copy: 'The operator must publish the generated TXT records to ENS before signer verification can pass.', verified_at: claim.managed_ens_verified_at || null, error: claim.managed_ens_publication_error || null } }, pipeline, cards });
   } catch (_error) {
     return res.status(500).json({ ok: false, status: 'CLAIM_STATUS_UNAVAILABLE' });
   }
diff --git a/db/migrations/011_managed_ens_publication.sql b/db/migrations/011_managed_ens_publication.sql
new file mode 100644
index 0000000..ecebd6e
--- /dev/null
+++ b/db/migrations/011_managed_ens_publication.sql
@@ -0,0 +1,7 @@
+alter table if exists claim_requests
+  add column if not exists managed_ens_publication_status text default 'not_started',
+  add column if not exists managed_ens_parent_namespace text,
+  add column if not exists managed_ens_publication_instructions jsonb,
+  add column if not exists managed_ens_required_txt_records jsonb,
+  add column if not exists managed_ens_verified_at timestamptz,
+  add column if not exists managed_ens_publication_error text;
diff --git a/lib/claims/managed-ens-publication.js b/lib/claims/managed-ens-publication.js
new file mode 100644
index 0000000..44ce61d
--- /dev/null
+++ b/lib/claims/managed-ens-publication.js
@@ -0,0 +1,59 @@
+'use strict';
+
+const { buildSignerRecords, CANONICALIZATION, resolveRequiredSignerRecords, compareSignerRecords } = require('./signer-records');
+
+const APPROVED_MANAGED_PARENTS = ['attestagent.eth', 'approveagent.eth', 'verifyagent.eth', 'authorizeagent.eth'];
+const PUBLICATION_STATUSES = ['not_started', 'ready_to_publish', 'published_pending_verification', 'verified', 'failed'];
+
+function normalizeEns(value) { return String(value || '').trim().toLowerCase(); }
+function tenantRootEns(claim) { return normalizeEns(claim.tenant_root_ens || claim.root_ens || (claim.tenant ? `${claim.tenant}.eth` : '')); }
+function parentNamespace(signerEns) { const parts = normalizeEns(signerEns).split('.'); return parts.length > 2 ? parts.slice(1).join('.') : ''; }
+function isApprovedParent(parent) { return APPROVED_MANAGED_PARENTS.includes(normalizeEns(parent)); }
+function readReceiptSigner(claim) {
+  const pkg = claim.claim_package || claim.request_json || claim.receipt_json || {};
+  return normalizeEns(pkg?.cl?.receipt?.signer || pkg?.['cl.receipt.signer'] || pkg?.receipt?.signer || claim.receipt_signer || '');
+}
+function validationError(status, error) { const e = new Error(error); e.status = status; return e; }
+
+function validateManagedEnsPublicationClaim(claim) {
+  if (!claim || claim.activation_mode !== 'managed_namespace') throw validationError('MANAGED_NAMESPACE_REQUIRED', 'Managed ENS publication is only available for managed namespace claims.');
+  const signerEns = normalizeEns(claim.tenant_signer_ens);
+  if (!signerEns) throw validationError('TENANT_SIGNER_ENS_REQUIRED', 'tenant_signer_ens is required.');
+  const root = tenantRootEns(claim);
+  if (root && signerEns === root) throw validationError('TENANT_ROOT_ENS_NOT_ALLOWED', 'Managed signer ENS must not equal the tenant root ENS.');
+  const parent = parentNamespace(signerEns);
+  if (!parent || !isApprovedParent(parent)) throw validationError('MANAGED_PARENT_NOT_APPROVED', 'tenant_signer_ens must end in an approved managed parent namespace.');
+  if (!claim.tenant_signer_public_key || !claim.tenant_signer_kid || !claim.tenant_signer_canonicalization) throw validationError('SIGNER_RECORD_FIELDS_REQUIRED', 'public key, kid, and canonicalization are required.');
+  const receiptSigner = readReceiptSigner(claim);
+  if (receiptSigner && receiptSigner !== signerEns) throw validationError('RECEIPT_SIGNER_MISMATCH', 'claim package cl.receipt.signer must match tenant_signer_ens.');
+  return { signerEns, parent, tenant: claim.tenant || signerEns.split('.')[0] };
+}
+
+function buildManagedEnsPublicationPackage(claim) {
+  const { signerEns, parent, tenant } = validateManagedEnsPublicationClaim(claim);
+  const required = buildSignerRecords({ publicKey: claim.tenant_signer_public_key, kid: claim.tenant_signer_kid, canonicalization: claim.tenant_signer_canonicalization || CANONICALIZATION, signerEns });
+  return {
+    signer_ens: signerEns,
+    parent_namespace: parent,
+    tenant,
+    required_txt_records: required,
+    agent_records: {
+      'cl.capability': 'attest',
+      'cl.runtime': 'https://runtime.commandlayer.org',
+      'cl.verifier': 'https://runtime.commandlayer.org/verify',
+      'cl.trust_verification_entry': 'https://runtime.commandlayer.org/trust-verification/attest/v1.0.0',
+      'cl.agent.card': 'pending_provisioning',
+    },
+    instructions: ['Open ENS Manager', 'Select the managed signer name', 'Add the required TXT records', 'Save changes', 'Return to CommandLayer and run verification'],
+  };
+}
+
+async function verifyManagedEnsPublication(claim, options = {}) {
+  const pkg = buildManagedEnsPublicationPackage(claim);
+  const resolved = await resolveRequiredSignerRecords(pkg.signer_ens, options);
+  const { checks, verified } = compareSignerRecords({ ...claim, tenant_signer_ens: pkg.signer_ens }, resolved);
+  const missing = Object.values(resolved).some((value) => !value);
+  return { ok: verified && !missing, status: verified && !missing ? 'verified' : (missing ? 'published_pending_verification' : 'failed'), signer_ens: pkg.signer_ens, parent_namespace: pkg.parent_namespace, required_txt_records: pkg.required_txt_records, resolved_txt_records: resolved, checks, error: verified && !missing ? null : (missing ? 'required_txt_record_missing' : 'required_txt_record_mismatch') };
+}
+
+module.exports = { APPROVED_MANAGED_PARENTS, PUBLICATION_STATUSES, validateManagedEnsPublicationClaim, buildManagedEnsPublicationPackage, verifyManagedEnsPublication };
diff --git a/public/admin/claims.html b/public/admin/claims.html
index 400c0d8..189472b 100644
--- a/public/admin/claims.html
+++ b/public/admin/claims.html
@@ -51,7 +51,7 @@ <h1>CommandLayer Claims Admin</h1><p class="muted">Internal operator dashboard f
 </div>
 <script>
 (() => {
-const s={claims:[],selected:'',detail:null,error:null,checkoutLoading:false,checkoutUrl:null,genesisLoading:false,genesisStatus:''};
+const s={claims:[],selected:'',detail:null,error:null,checkoutLoading:false,checkoutUrl:null,genesisLoading:false,genesisStatus:'',managedEnsPublication:null};
 const apiKey=document.getElementById('apiKey'); apiKey.value=sessionStorage.getItem('cl_admin_api_key')||localStorage.getItem('cl_admin_api_key')||'';
 const headers=()=>{const key=apiKey.value.trim();return {Authorization:`Bearer ${key}`,'x-admin-api-key':key,'Content-Type':'application/json'};};
 const short=(v,n=10)=>v?`${v.slice(0,n)}…`:''; const dt=(v)=>v?new Date(v).toLocaleString():'-';
@@ -72,9 +72,15 @@ <h1>CommandLayer Claims Admin</h1><p class="muted">Internal operator dashboard f
 
 function pipeline(status){const steps=['created','approved','cards_published','payment_pending','paid','erc8004','ens_provisioned','live'];return `<div class='pipeline'>${steps.map(x=>`<span class='badge ${status===x|| (x==='created')|| (status==='approved'&&x==='created')|| (status==='cards_published'&&(x==='created'||x==='approved')) ? (['payment_pending','paid','erc8004','ens_provisioned'].includes(x)?'created':x):'created'}'>${x.replaceAll('_',' ')}</span>`).join('')}</div><p class='muted'>Future steps are coming next.</p>`}
 
+async function runActivationPipeline(claimId){const r=await fetch('/api/admin/run-activation-pipeline',{method:'POST',headers:headers(),body:JSON.stringify({claimId})});const d=await r.json().catch(()=>({}));if(!r.ok||!d.ok){s.error=d?.status||'ACTIVATION_PIPELINE_FAILED';renderDetail();return;}await loadClaims();await loadDetail(claimId);}
 async function generateFirstActionReceipt(){if(!s.selected){s.error='Request failed: 400';renderDetail();return;}s.error=null;try{const r=await fetch('/api/admin/generate-first-action-receipt',{method:'POST',headers:headers(),body:JSON.stringify({claimId:s.selected})});const d=await r.json().catch(()=>({}));if(!r.ok||!d.ok){s.error=d?.status||'FIRST_ACTION_RECEIPT_FAILED';renderDetail();return;}await loadClaims();await loadDetail(s.selected);}catch(e){s.error='FIRST_ACTION_RECEIPT_FAILED';renderDetail();}}
 
-function renderDetail(loadingMsg=''){const el=document.getElementById('detailPanel');if(loadingMsg){el.innerHTML=`<p class="muted">${loadingMsg}</p>`;return;}if(!s.detail){el.innerHTML=`<p class="muted">${s.error||'Select a claim to review.'}</p>`;return;}const payload=s.detail||{};const claim=payload.claim||{};const agents=payload.agents||[];const genesis=claim.genesis_receipt_json||null;const events=payload.events||[];const transitions=payload.transitions||[];const cards=payload.cards||[];const urls=cards.map(c=>c.card_url).filter(Boolean);const missing=claim.status==='cards_published'&&agents.some(a=>!a.card_url);const firstUrl=urls[0];el.innerHTML=`${s.error?`<div class='error-panel'>${s.error}</div>`:''}<h3>Claim <span class='mono'>${short(claim.claim_id,16)}</span> <button id='copyClaim' class='btn btn-muted'>Copy</button> ${badge(claim.status)}</h3><p class='muted'>Tenant: ${claim.tenant||'-'} · Wallet: <span class='mono'>${claim.authenticated_address||'-'}</span> · Status: ${claim.status||'-'} · Payment: ${claim.payment_status||'-'} · Agents: ${agents.length} · Created: ${dt(claim.created_at)}</p><h4>Pipeline</h4>${pipeline(claim.status)}<h4>Signer identity</h4><div class='panel'><div>Activation mode: <strong>${claim.activation_mode||'-'}</strong></div><div>Signer ENS: <span class='mono'>${claim.tenant_signer_ens||'-'}</span></div><div>ENS records: <strong>${claim.tenant_signer_record_status||'records_pending'}</strong> · Network: ${claim.tenant_signer_records_network||'ethereum-mainnet'}</div><div>Managed ENS publication: <strong>${claim.managed_ens_publication_status||'-'}</strong></div><div>Desired parent namespace: <span class='mono'>${claim.managed_ens_parent_namespace||'-'}</span></div><div>Parent-control/resolver authority audited: <strong>${claim.managed_ens_parent_authority_audited?'yes':'no'}</strong></div><div>Tenant proof: <strong>${claim.tenant_proof_status||'not_submitted'}</strong> · signer <span class='mono'>${claim.tenant_proof_signer||'-'}</span></div><details><summary>Four public TXT records</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(claim.tenant_signer_txt_records||{},null,2)}</pre></details><p class='muted'>Network required: Ethereum mainnet. Managed ENS publication is operator-ready only; no onchain TXT writes are executed here.</p></div><h4>Next action</h4><div class='row'><input id='reasonInput' placeholder='Reason'><input id='notesInput' placeholder='Notes'></div><div class='row' id='actions'></div><h4>Agents</h4><div class='table-scroll'><table><thead><tr><th>ENS</th><th>Capability</th><th>Parent</th><th>Card</th><th>Actions</th></tr></thead><tbody>${agents.map(a=>`<tr><td class='mono ens-wrap'>${a.ens||'-'}</td><td>${a.capability||'-'}</td><td>${a.canonical_parent||'-'}</td><td>${a.card_status||'-'}</td><td>${a.card_url?`<a href='${a.card_url}' target='_blank'>Open</a> <button class='btn btn-muted copy-url' data-url='${a.card_url}'>Copy</button>`:'-'}</td></tr>`).join('')}</tbody></table></div>${claim.status==='payment_pending'?`<h4>Payment pending</h4><p class='muted'>Checkout has been created. Open it to complete payment.</p><p class='mono'>${claim.stripe_checkout_session_id||'-'}</p>`:''}${claim.status==='paid'?`<h4>Payment received</h4><p class='muted'>Next: ERC-8004 registration</p>`:''}${claim.status==='cards_published'?`<h4>Agent cards published</h4><p class='muted'>Founding Activation: $20 first year for 10 Trust Verification namespaces.</p><p class='muted'>${urls.length} cards${missing?' · Missing card URLs detected':''}</p>${s.checkoutUrl?`<div class='panel'><strong>Checkout created</strong><div class='row'><a class='btn btn-secondary' href='${s.checkoutUrl}' target='_blank' rel='noopener'>Open checkout</a><button id='copyCheckoutUrl' type='button' class='btn btn-secondary' data-url='${s.checkoutUrl}'>Copy checkout URL</button></div><div class='mono' style='overflow-wrap:anywhere;'>${s.checkoutUrl}</div></div>`:''}<div class='row'><button id='copyUrls' type='button' class='btn btn-secondary'>Copy all URLs</button>${firstUrl?`<button id='openFirst' type='button' class='btn btn-secondary'>Open first card</button>`:''}</div><div>${urls.map(u=>`<div class='card-url-row'><span class='mono truncate' title='${u}'>${u.split('/').pop()?.replace(/\.json$/,'')||u}</span><a href='${u}' target='_blank'>Open</a>${copyBtn(u)}</div>`).join('')}</div>${missing?`<p class='error-panel'>Some cards are missing URLs. Use Repair / Publish cards.</p>`:''}`:''}<h4>Events</h4>${events.map(e=>`<div class='panel' style='margin-bottom:8px'><strong>${e.event_type}</strong><div style='overflow-wrap:anywhere;'>${e.message||''}</div><div class='muted'>${dt(e.created_at)}</div><details><summary>metadata</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(e.event_json||{},null,2)}</pre></details></div>`).join('')||'<p class="muted">No events.</p>'}<h4>Genesis Receipt</h4><div class='panel'><div>Status: <strong>${genesis?'generated':'not generated'}</strong></div><div class='mono'>Receipt ID: ${claim.genesis_receipt_id||'-'}</div><div class='mono'>Receipt Hash: ${claim.genesis_receipt_hash||'-'}</div><div class='mono'>Chain Root: ${claim.receipt_chain_root||'-'}</div><div class='muted'>Generated at: ${dt(claim.genesis_generated_at)}</div>${s.genesisStatus?`<div class='muted'>${s.genesisStatus}</div>`:''}${genesis?`<button id='copyGenesis' class='btn btn-secondary' type='button'>Copy JSON</button>`:''}</div><h4>First Action Receipt</h4><div class='panel'><div>Status: <strong>${claim.first_action_receipt_status||'not_generated'}</strong></div><div class='mono'>Receipt ID: ${claim.first_action_receipt_id||'-'}</div><div class='mono'>Receipt Hash: ${claim.first_action_receipt_hash||'-'}</div><div class='muted'>${claim.first_action_receipt_error||'This proves the claimed agent can produce a scoped execution receipt. It does not prove payment settlement.'}</div><button id='generateFirstAction' class='btn btn-secondary' type='button'>Generate challenge</button></div><h4>Transitions</h4>${transitions.map(t=>`<div class='panel' style='margin-bottom:8px'>${t.from_status||'-'} → ${t.to_status||'-'} · ${t.action||'-'} · ${t.actor||'-'}<div class='muted'>${dt(t.created_at)} ${t.reason?`· ${t.reason}`:''}</div></div>`).join('')||'<p class="muted">No transitions.</p>'}<details><summary>Show raw JSON</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(s.detail,null,2)}</pre></details>`;
+
+async function prepareManagedEnsPublication(){if(!s.selected){s.error='Request failed: 400';renderDetail();return;}s.error=null;const r=await fetch('/api/admin/prepare-managed-ens-publication',{method:'POST',headers:headers(),body:JSON.stringify({claimId:s.selected})});const d=await r.json().catch(()=>({}));if(!r.ok||!d.ok){s.error=d?.status||'MANAGED_ENS_PUBLICATION_PREPARE_FAILED';renderDetail();return;}s.managedEnsPublication=d.publication;await loadDetail(s.selected);} 
+async function verifyManagedEnsPublication(){if(!s.selected){s.error='Request failed: 400';renderDetail();return;}s.error=null;const r=await fetch('/api/admin/verify-managed-ens-publication',{method:'POST',headers:headers(),body:JSON.stringify({claimId:s.selected})});const d=await r.json().catch(()=>({}));if(!r.ok||!d.ok){s.error=d?.status||'MANAGED_ENS_PUBLICATION_VERIFY_FAILED';renderDetail();return;}s.managedEnsPublication=null;await loadDetail(s.selected);} 
+function txtRecordBlocks(claim){const records=(s.managedEnsPublication&&s.managedEnsPublication.required_txt_records)||claim.managed_ens_required_txt_records||claim.tenant_signer_txt_records||{};return Object.entries(records).map(([k,v])=>`<div class='panel' style='margin:8px 0'><div><strong>${k}</strong> <button class='btn btn-muted copy-url' data-url='${String(v).replaceAll("'",'&#39;')}'>Copy value</button></div><pre class='mono' style='white-space:pre-wrap;overflow-wrap:anywhere;'>${v}</pre></div>`).join('')||'<p class="muted">Prepare TXT records to display required values.</p>';}
+
+function renderDetail(loadingMsg=''){const el=document.getElementById('detailPanel');if(loadingMsg){el.innerHTML=`<p class="muted">${loadingMsg}</p>`;return;}if(!s.detail){el.innerHTML=`<p class="muted">${s.error||'Select a claim to review.'}</p>`;return;}const payload=s.detail||{};const claim=payload.claim||{};const agents=payload.agents||[];const genesis=claim.genesis_receipt_json||null;const events=payload.events||[];const transitions=payload.transitions||[];const cards=payload.cards||[];const urls=cards.map(c=>c.card_url).filter(Boolean);const missing=claim.status==='cards_published'&&agents.some(a=>!a.card_url);const firstUrl=urls[0];el.innerHTML=`${s.error?`<div class='error-panel'>${s.error}</div>`:''}<h3>Claim <span class='mono'>${short(claim.claim_id,16)}</span> <button id='copyClaim' class='btn btn-muted'>Copy</button> ${badge(claim.status)}</h3><p class='muted'>Tenant: ${claim.tenant||'-'} · Wallet: <span class='mono'>${claim.authenticated_address||'-'}</span> · Status: ${claim.status||'-'} · Payment: ${claim.payment_status||'-'} · Agents: ${agents.length} · Created: ${dt(claim.created_at)}</p><h4>Pipeline</h4>${pipeline(claim.status)}<h4>Signer identity</h4><div class='panel'><div>Activation mode: <strong>${claim.activation_mode||'-'}</strong></div><div>Signer ENS: <span class='mono'>${claim.tenant_signer_ens||'-'}</span></div><div>ENS records: <strong>${claim.tenant_signer_record_status||'records_pending'}</strong> · Network: ${claim.tenant_signer_records_network||'ethereum-mainnet'}</div><div>Managed ENS publication: <strong>${claim.managed_ens_publication_status||'-'}</strong></div><div>Publication error: <span class='mono'>${claim.managed_ens_publication_error||'-'}</span></div><div>Desired parent namespace: <span class='mono'>${claim.managed_ens_parent_namespace||'-'}</span></div><div>Parent-control/resolver authority audited: <strong>${claim.managed_ens_parent_authority_audited?'yes':'no'}</strong></div><div>Tenant proof: <strong>${claim.tenant_proof_status||'not_submitted'}</strong> · signer <span class='mono'>${claim.tenant_proof_signer||'-'}</span></div><details open><summary>Required managed ENS TXT records</summary>${txtRecordBlocks(claim)}</details><details><summary>Four public TXT records</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(claim.tenant_signer_txt_records||{},null,2)}</pre></details><p class='muted'>Network required: Ethereum mainnet. Managed ENS publication is operator-ready only; no onchain TXT writes are executed here.</p></div><h4>Next action</h4><div class='row'><input id='reasonInput' placeholder='Reason'><input id='notesInput' placeholder='Notes'></div><div class='row' id='actions'></div><h4>Agents</h4><div class='table-scroll'><table><thead><tr><th>ENS</th><th>Capability</th><th>Parent</th><th>Card</th><th>Actions</th></tr></thead><tbody>${agents.map(a=>`<tr><td class='mono ens-wrap'>${a.ens||'-'}</td><td>${a.capability||'-'}</td><td>${a.canonical_parent||'-'}</td><td>${a.card_status||'-'}</td><td>${a.card_url?`<a href='${a.card_url}' target='_blank'>Open</a> <button class='btn btn-muted copy-url' data-url='${a.card_url}'>Copy</button>`:'-'}</td></tr>`).join('')}</tbody></table></div>${claim.status==='payment_pending'?`<h4>Payment pending</h4><p class='muted'>Checkout has been created. Open it to complete payment.</p><p class='mono'>${claim.stripe_checkout_session_id||'-'}</p>`:''}${claim.status==='paid'?`<h4>Payment received</h4><p class='muted'>Next: ERC-8004 registration</p>`:''}${claim.status==='cards_published'?`<h4>Agent cards published</h4><p class='muted'>Founding Activation: $20 first year for 10 Trust Verification namespaces.</p><p class='muted'>${urls.length} cards${missing?' · Missing card URLs detected':''}</p>${s.checkoutUrl?`<div class='panel'><strong>Checkout created</strong><div class='row'><a class='btn btn-secondary' href='${s.checkoutUrl}' target='_blank' rel='noopener'>Open checkout</a><button id='copyCheckoutUrl' type='button' class='btn btn-secondary' data-url='${s.checkoutUrl}'>Copy checkout URL</button></div><div class='mono' style='overflow-wrap:anywhere;'>${s.checkoutUrl}</div></div>`:''}<div class='row'><button id='copyUrls' type='button' class='btn btn-secondary'>Copy all URLs</button>${firstUrl?`<button id='openFirst' type='button' class='btn btn-secondary'>Open first card</button>`:''}</div><div>${urls.map(u=>`<div class='card-url-row'><span class='mono truncate' title='${u}'>${u.split('/').pop()?.replace(/\.json$/,'')||u}</span><a href='${u}' target='_blank'>Open</a>${copyBtn(u)}</div>`).join('')}</div>${missing?`<p class='error-panel'>Some cards are missing URLs. Use Repair / Publish cards.</p>`:''}`:''}<h4>Events</h4>${events.map(e=>`<div class='panel' style='margin-bottom:8px'><strong>${e.event_type}</strong><div style='overflow-wrap:anywhere;'>${e.message||''}</div><div class='muted'>${dt(e.created_at)}</div><details><summary>metadata</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(e.event_json||{},null,2)}</pre></details></div>`).join('')||'<p class="muted">No events.</p>'}<h4>Genesis Receipt</h4><div class='panel'><div>Status: <strong>${genesis?'generated':'not generated'}</strong></div><div class='mono'>Receipt ID: ${claim.genesis_receipt_id||'-'}</div><div class='mono'>Receipt Hash: ${claim.genesis_receipt_hash||'-'}</div><div class='mono'>Chain Root: ${claim.receipt_chain_root||'-'}</div><div class='muted'>Generated at: ${dt(claim.genesis_generated_at)}</div>${s.genesisStatus?`<div class='muted'>${s.genesisStatus}</div>`:''}${genesis?`<button id='copyGenesis' class='btn btn-secondary' type='button'>Copy JSON</button>`:''}</div><h4>First Action Receipt</h4><div class='panel'><div>Status: <strong>${claim.first_action_receipt_status||'not_generated'}</strong></div><div class='mono'>Receipt ID: ${claim.first_action_receipt_id||'-'}</div><div class='mono'>Receipt Hash: ${claim.first_action_receipt_hash||'-'}</div><div class='muted'>${claim.first_action_receipt_error||'This proves the claimed agent can produce a scoped execution receipt. It does not prove payment settlement.'}</div><button id='generateFirstAction' class='btn btn-secondary' type='button'>Generate challenge</button></div><h4>Transitions</h4>${transitions.map(t=>`<div class='panel' style='margin-bottom:8px'>${t.from_status||'-'} → ${t.to_status||'-'} · ${t.action||'-'} · ${t.actor||'-'}<div class='muted'>${dt(t.created_at)} ${t.reason?`· ${t.reason}`:''}</div></div>`).join('')||'<p class="muted">No transitions.</p>'}<details><summary>Show raw JSON</summary><pre style='white-space:pre-wrap;overflow-wrap:anywhere;'>${JSON.stringify(s.detail,null,2)}</pre></details>`;
 const a=document.getElementById('actions');const mk=(t,c,cls='btn',opts={})=>{const b=document.createElement('button');b.type='button';b.textContent=t;b.className=cls;b.disabled=Boolean(opts.disabled);if(opts.id)b.id=opts.id;b.onclick=c;a.appendChild(b);};
 if(claim.status==='created'){mk('Approve',()=>action('approve',{notes:document.getElementById('notesInput').value}),'btn btn-primary');mk('Reject',()=>action('reject',{reason:document.getElementById('reasonInput').value}),'btn btn-secondary');mk('Mark failed',()=>action('mark_failed',{reason:document.getElementById('reasonInput').value}),'btn btn-danger');}
 if(claim.status==='approved'){mk('Publish agent cards',()=>publish(),'btn btn-primary');mk('Mark failed',()=>action('mark_failed',{reason:document.getElementById('reasonInput').value}),'btn btn-danger');mk('Add note',()=>action('add_note',{notes:document.getElementById('notesInput').value,reason:document.getElementById('reasonInput').value}),'btn');}
@@ -82,7 +88,7 @@ <h1>CommandLayer Claims Admin</h1><p class="muted">Internal operator dashboard f
 const firstActionBtn=document.getElementById('generateFirstAction');if(firstActionBtn)firstActionBtn.onclick=generateFirstActionReceipt;
 if(claim.status==='cards_pinned'){mk(s.genesisLoading?'Generating genesis...':'Generate genesis receipt',()=>generateGenesisReceipt(false),'btn btn-primary',{disabled:s.genesisLoading});if(claim.genesis_receipt_id)mk(s.genesisLoading?'Generating genesis...':'Regenerate genesis receipt',()=>generateGenesisReceipt(true),'btn btn-secondary',{disabled:s.genesisLoading});mk('Add note',()=>action('add_note',{notes:document.getElementById('notesInput').value,reason:document.getElementById('reasonInput').value}),'btn');}
 if(claim.status==='payment_pending'){mk('Open checkout',()=>openCheckout(claim),'btn btn-secondary');mk('Copy checkout URL',()=>copyCheckout(claim),'btn btn-secondary');mk(s.checkoutLoading?'Creating checkout...':'Regenerate checkout session',()=>createCheckoutSession(claim.claim_id,true),'btn btn-primary',{disabled:s.checkoutLoading,id:'regenerateCheckoutBtn'});mk('Add note',()=>action('add_note',{notes:document.getElementById('notesInput').value,reason:document.getElementById('reasonInput').value}),'btn');}
-mk('Run activation pipeline',()=>runActivationPipeline(claim.claim_id),'btn btn-primary');
+mk('Prepare ENS TXT records',()=>prepareManagedEnsPublication(),'btn btn-secondary');mk('Verify ENS TXT records',()=>verifyManagedEnsPublication(),'btn btn-secondary');mk('Run activation pipeline',()=>runActivationPipeline(claim.claim_id),'btn btn-primary');
 if(claim.status==='failed'||claim.status==='rejected'){mk('Add note',()=>action('add_note',{notes:document.getElementById('notesInput').value,reason:document.getElementById('reasonInput').value}),'btn');}
 const copy=document.getElementById('copyClaim');if(copy)copy.onclick=()=>navigator.clipboard.writeText(claim.claim_id);const cu=document.getElementById('copyUrls');if(cu)cu.onclick=()=>navigator.clipboard.writeText(urls.join('\n'));const of=document.getElementById('openFirst');if(of)of.onclick=()=>window.open(urls[0],'_blank');const ccu=document.getElementById('copyCheckoutUrl');if(ccu)ccu.onclick=()=>navigator.clipboard.writeText(ccu.dataset.url||'');document.querySelectorAll('.copy-url').forEach((btn)=>{btn.onclick=()=>navigator.clipboard.writeText(btn.dataset.url||'');});const cg=document.getElementById('copyGenesis');if(cg&&genesis)cg.onclick=()=>navigator.clipboard.writeText(JSON.stringify(genesis,null,2)); }
 const status=(m)=>document.getElementById('status').textContent=m;
diff --git a/tests/managed-ens-publication.test.js b/tests/managed-ens-publication.test.js
new file mode 100644
index 0000000..7772788
--- /dev/null
+++ b/tests/managed-ens-publication.test.js
@@ -0,0 +1,50 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const db = require('../lib/db');
+const prepare = require('../api/admin/prepare-managed-ens-publication');
+const verify = require('../api/admin/verify-managed-ens-publication');
+const status = require('../api/claims/status');
+const { buildManagedEnsPublicationPackage } = require('../lib/claims/managed-ens-publication');
+const { hashClaimAccessToken } = require('../lib/claims/access-token');
+
+function makeRes(){return {statusCode:200,body:null,headers:{},setHeader(k,v){this.headers[k]=v;},status(c){this.statusCode=c;return this;},json(p){this.body=p;return this;}};}
+const token = 'tok';
+const tokenHash = hashClaimAccessToken(token);
+function claim(overrides={}){return {claim_id:'c1',claim_access_token_hash:tokenHash,tenant:'acme',activation_mode:'managed_namespace',tenant_signer_ens:'acme.attestagent.eth',tenant_signer_public_key:'ed25519:pub',tenant_signer_kid:'kid1',tenant_signer_canonicalization:'json.sorted_keys.v1',request_json:{'cl.receipt.signer':'acme.attestagent.eth'},...overrides};}
+
+test('managed claim can prepare publication package', async()=>{
+  process.env.ADMIN_API_KEY='admin'; let updated=false;
+  db.query=async(q)=> q.includes('select * from claim_requests') ? {rows:[claim()]} : (updated=true,{rows:[],rowCount:1});
+  const res=makeRes(); await prepare({method:'POST',headers:{'x-admin-api-key':'admin'},body:{claimId:'c1'}},res);
+  assert.equal(res.statusCode,200); assert.equal(updated,true); assert.equal(res.body.publication.signer_ens,'acme.attestagent.eth'); assert.equal(res.body.publication.required_txt_records['cl.receipt.signer'],'acme.attestagent.eth');
+});
+
+test('BYO/root signer claim is rejected by managed helper',()=>{assert.throws(()=>buildManagedEnsPublicationPackage(claim({activation_mode:'bring_your_own_ens'})),/only available/);});
+test('missing tenant_signer_ens rejected',()=>{assert.throws(()=>buildManagedEnsPublicationPackage(claim({tenant_signer_ens:''})),/tenant_signer_ens/);});
+test('tenant root ENS rejected in managed mode',()=>{assert.throws(()=>buildManagedEnsPublicationPackage(claim({tenant_signer_ens:'acme.eth'})),/approved managed parent|root ENS/);});
+test('unapproved parent namespace rejected',()=>{assert.throws(()=>buildManagedEnsPublicationPackage(claim({tenant_signer_ens:'acme.badagent.eth'})),/approved managed parent/);});
+test('mismatched cl.receipt.signer rejected',()=>{assert.throws(()=>buildManagedEnsPublicationPackage(claim({request_json:{'cl.receipt.signer':'other.attestagent.eth'}})),/must match/);});
+
+test('successful verification updates managed ENS and signer statuses', async()=>{
+  process.env.ADMIN_API_KEY='admin'; const updates=[];
+  db.query=async(q,params)=>{ if(q.includes('select * from claim_requests')) return {rows:[claim()]}; updates.push({q,params}); return {rows:[],rowCount:1}; };
+  const resolver=async(_ens,key)=>({'cl.sig.pub':'ed25519:pub','cl.sig.kid':'kid1','cl.sig.canonical':'json.sorted_keys.v1','cl.receipt.signer':'acme.attestagent.eth'}[key]);
+  const res=makeRes(); await verify({method:'POST',headers:{'x-admin-api-key':'admin'},body:{claimId:'c1'},verifyOptions:{textResolver:resolver}},res);
+  assert.equal(res.statusCode,200); assert.equal(res.body.verification.ok,true); assert.ok(updates[0].q.includes("tenant_signer_record_status = 'records_verified'"));
+});
+
+test('failed verification stores error and does not mark signer verified', async()=>{
+  process.env.ADMIN_API_KEY='admin'; const updates=[];
+  db.query=async(q,params)=>{ if(q.includes('select * from claim_requests')) return {rows:[claim()]}; updates.push({q,params}); return {rows:[],rowCount:1}; };
+  const resolver=async(_ens,key)=> key === 'cl.sig.pub' ? 'wrong' : ({'cl.sig.kid':'kid1','cl.sig.canonical':'json.sorted_keys.v1','cl.receipt.signer':'acme.attestagent.eth'}[key]);
+  const res=makeRes(); await verify({method:'POST',headers:{'x-admin-api-key':'admin'},body:{claimId:'c1'},verifyOptions:{textResolver:resolver}},res);
+  assert.equal(res.statusCode,200); assert.equal(res.body.verification.ok,false); assert.ok(!updates[0].q.includes("tenant_signer_record_status = 'records_verified'")); assert.equal(updates[0].params[2],'required_txt_record_mismatch');
+});
+
+test('public claim status includes managed ENS publication status', async()=>{
+  db.query=async(q)=>{ if(q.includes('from claim_requests')) return {rows:[claim({managed_ens_publication_status:'ready_to_publish',managed_ens_required_txt_records:{'cl.sig.kid':'kid1'}})]}; if(q.includes('from agent_cards')) return {rows:[]}; return {rows:[]}; };
+  const res=makeRes(); await status({method:'GET',query:{claimId:'c1'},headers:{'x-claim-access-token':token}},res);
+  assert.equal(res.statusCode,200); assert.equal(res.body.pipeline.managed_ens_publication,'ready_to_publish'); assert.equal(res.body.claim.managed_ens_publication.helper_copy.includes('operator must publish'),true); assert.deepEqual(res.body.claim.managed_ens_publication.record_names,['cl.sig.kid']);
+});