Builder Guide

Wrap first. Use schemas when you need interoperability.

Most builders only need the schemas for the capabilities they support. Schema validation helps structure receipts, but schema-valid alone is not verified. Verification requires hash and signature checks.

Two ways developers use CommandLayer

1. Just wrap my agent

You already have an agent and just want receipts. Use the SDK wrapper and let CommandLayer handle receipt structure plus canonical metadata.proof fields: metadata.proof.canonicalization, metadata.proof.hash.alg/value, metadata.proof.signature.alg/value/kid, and metadata.proof.signer_id.

wrap("summarize", async () => {
  return { summary: "..." };
});
2. Build against a capability

You want your agent to support a known capability like summarize, authorize, verify, attest, ship, or invoice. Follow that capability's schemas, examples, agent card, discovery record, and verifier expectations.

The simple rule: use only the schemas for the capabilities your agent supports. If your agent only summarizes text, you need the summarize request schema and summarize receipt schema — not ship, refund, approve, kyc, broadcast, or inventory.

How the stack fits together

Capabilities are the menu of possible actions. Schemas are the contracts for each action. The SDK wraps an agent action and emits receipts. The verifier checks those receipts. Your agent only uses the capabilities it actually performs.

Layer 1 — Canonical proof envelope. Every receipt uses metadata.proof with canonicalization, hash, signature, key id, and signer identity.
Layer 2 — Capability schemas. Each capability has its own request and receipt shape, such as verify.request.schema.json or authorize.receipt.schema.json.
Layer 3 — SDK wrapper. The SDK helps wrap actions and emit receipts without manually assembling proof objects.
Layer 4 — Runtime / verifier. Runtime signs production receipts. The verifier checks hash, signature, signer identity, and capability verb.

Should schemas be downloaded?

Not usually. The better model is to resolve, fetch, or pin schemas by capability and version.

capability: summarize
version: 1.0.0

schemas:
  summarize.request.schema.json
  summarize.receipt.schema.json
  shared-proof.schema.json

Later, discovery can expose those through ENS records, agent cards, MCP, OpenAPI, manifests, and a capability registry.

01Install SDK
02Wrap action
03Emit receipt
04Verify proof

Install

npm install @commandlayer/agent-sdk

Wrap an action

Wrap your function with a capability verb. The wrapped function returns normal output plus a signed receipt with metadata.proof using json.sorted_keys.v1 canonicalization, SHA-256 hash, and Ed25519 signatures that can be independently verified.

import { CommandLayer } from "@commandlayer/agent-sdk";

const cl = new CommandLayer({
  agent: "runtime.commandlayer.eth",
  privateKeyPem: process.env.CL_PRIVATE_KEY_PEM,
  keyId: "vC4WbcNoq2znSCiQ",
  verifierUrl: "https://runtime.commandlayer.org/verify"
});

const { output, receipt } = await cl.wrap("summarize", async () => {
  return { summary: "hello world" };
});

console.log(output);
console.log(receipt);

Verify the receipt

Use the SDK in-app, or paste the receipt into the public verifier.

const check = await cl.verify(receipt);

console.log(check.ok);
console.log(check.status);
console.log(check.checks);

Browser verification: /verify.html

Tamper test

const tampered = structuredClone(receipt);
tampered.result.payload.summary = "changed";

const tamperedCheck = await cl.verify(tampered);

console.log(tamperedCheck.status); // INVALID
console.log(tamperedCheck.errors?.signature_error); // hash_mismatch

Trust boundary

SDK wraps.
Runtime signs.
MCP bridges.
Verifier validates.
Schema-valid alone is not verified.
Private keys never go through MCP.

What you get back

  • output: the result from your wrapped function.
  • receipt: the signed proof payload for verification.
  • check.ok / check.status: whether verification passed.
  • check.checks.hash_matches and check.checks.signature_valid: critical proof checks.