Auto-advance activation after managed ENS verification

[GsCommand]

Motivation

• Allow the operator-managed ENS flow to continue server-side activation steps automatically after live ENS TXT verification succeeds, reducing manual follow-up while preserving safety and payment gating.

Description

• Update POST /api/admin/verify-managed-ens-publication to mark managed ENS and tenant signer records as verified, set verification timestamps, clear errors, and then invoke the existing activation orchestrator to attempt safe post-ENS steps; the endpoint returns an advanced object describing what advanced. (file: api/admin/verify-managed-ens-publication.js)
• Make the activation orchestrator idempotent and report per-step errors by: detecting and skipping already-pinned agent cards, honoring existing genesis receipts (already_generated), preserving verified / challenge_ready first-action receipt states, and attempting to generate a first-action challenge when prerequisites are met. It also collects errors per sub-step. (file: api/admin/run-activation-pipeline.js)
• Accept the new tenant_signer_record_status = 'verified' as equivalent to records_verified in first-action preflight and public status logic, so auto-advancement enables downstream steps. (files: api/admin/generate-first-action-receipt.js, api/claims/status.js)
• Update admin UI to store and display an advancement panel after clicking Verify ENS TXT records showing Managed ENS, agent card pinning, genesis generation, first-action receipt status, and advancement errors without marking managed ENS verification as failed on downstream failures. (file: public/admin/claims.html)
• Add tests that cover successful managed ENS verification advancing the pipeline, idempotency (preserving verified first-action receipt), and existing managed ENS/public pipeline behavior. (file: tests/managed-ens-publication.test.js)

Testing

• Ran npm test and all tests passed (167 tests run in this workspace); the updated and new tests covering verification advancement and idempotency passed.
• Ran npm run check:links and link checks succeeded.
• Verified the change does not introduce any onchain writes, wallet signing, ENS transaction broadcasting, payment settlement, ERC-8004 registration, tenant private key custody, or receipt cryptography/runtime/verifier changes.

---

Codex Task

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commandlayer-commandlayer-org	Ready	Preview, Comment	Jun 17, 2026 1:52am
commandlayer-org	Ready	Preview, Comment	Jun 17, 2026 1:52am
commandlayer-org111	Ready	Preview, Comment	Jun 17, 2026 1:52am

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 07ab9b851b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the submit-compatible signer status

Setting managed-ENS claims to the new tenant_signer_record_status = 'verified' leaves them incompatible with the tenant receipt-submission flow: api/claims/submit-first-action-receipt.js still rejects anything other than records_verified before verifying the signed first-action receipt. In the managed flow this endpoint now generates a challenge successfully, but the tenant cannot submit the signed receipt until another path rewrites the status, so use the existing records_verified value or update all consumers that gate on it.

Useful? React with 👍 / 👎.