Security: commandlayer/runtime

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, do not open a public issue.

Report it to: security@commandlayer.org

Include:

  • a description of the issue
  • reproduction steps
  • impact
  • any suggested remediation

Supported Versions

Version | Supported
1.1.x   | Yes

Current implementation notes

This file describes controls that are enforced by the current code in server.mjs.

Signing keys

  • The runtime signs receipts at request time.
  • Boot fails if valid signing configuration is missing and DEV_AUTO_KEYS is not enabled.
  • The canonical/current variables in .env.example are RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64, RECEIPT_SIGNING_PUBLIC_KEY_B64, and RECEIPT_SIGNER_ID.
  • DEV_AUTO_KEYS=1 generates an in-memory keypair for development and logs the generated material; it is not appropriate for production handling of signing keys.

Debug routes

Debug routes are controlled by the implemented variables:

  • ENABLE_DEBUG
  • DEBUG_TOKEN

The server does not read DEBUG_ROUTES_ENABLED or DEBUG_BEARER_TOKEN.

When debug access is disabled, misconfigured, or unauthorized, the debug routes return 404.

CORS

CORS is hardcoded in the current server:

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Headers: Content-Type, Authorization, X-Debug-Token
  • Access-Control-Allow-Methods: GET,POST,OPTIONS

There is no environment-based CORS configuration in the implementation today.

SSRF guard for the fetch verb

The built-in SSRF guard is enabled by default with ENABLE_SSRF_GUARD=1.

Current behavior blocks:

  • non-HTTP(S) schemes
  • localhost names
  • 169.254.169.254
  • IPv4 private/local ranges
  • IPv6 literals
  • hostnames whose IPv4 DNS answers resolve to blocked ranges

ALLOW_FETCH_HOSTS can further restrict allowed outbound hosts.
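The checks listed above, sketched as an added example that is not the project's server.mjs code. The exact range list, the localhost matching, the reason strings, and the treatment of ALLOW_FETCH_HOSTS as a list of exact hostnames are assumptions; the function names are hypothetical.

```javascript
// Added example, not server.mjs. Ranges, reasons and allowHosts format are assumptions.
const BLOCKED_V4 = [            // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16],          // link-local, includes 169.254.169.254
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedIPv4(s) {
  const ip = ipv4ToInt(s);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ipv4ToInt(net);
  });
}

// Literal checks on the parsed URL; returns a block reason or null.
function staticBlockReason(rawUrl, allowHosts = []) {
  let u;
  try { u = new URL(rawUrl); } catch { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'scheme';
  // WHATWG parsing has already normalized forms such as 0x7f.1 or 2130706433.
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host.startsWith('[')) return 'ipv6 literal';
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost';
  if (isBlockedIPv4(host)) return 'blocked ipv4';
  if (allowHosts.length && !allowHosts.includes(host)) return 'not in allowlist';
  return null;
}

// Static rules first, then every IPv4 DNS answer is checked; resolve4 is injectable for offline use.
async function ssrfBlockReason(rawUrl, allowHosts = [], resolve4) {
  const reason = staticBlockReason(rawUrl, allowHosts);
  if (reason) return reason;
  const host = new URL(rawUrl).hostname.replace(/\.$/, '');
  if (ipv4ToInt(host) !== null) return null;   // literal already vetted above
  resolve4 = resolve4 || (await import('node:dns/promises')).resolve4;
  const answers = await resolve4(host);
  return answers.some(isBlockedIPv4) ? 'dns answer in blocked range' : null;
}
```

The DNS check and the later fetch resolve the name separately, so a production guard should connect to the address it vetted rather than resolving again.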

Verification behavior

Production receipt signing and verification in server.mjs use @commandlayer/runtime-core as the cryptographic implementation.

ENS-backed verification currently reads these TXT records directly from the signer ENS name:

  • cl.sig.pub by default
  • cl.sig.kid by default
  • cl.sig.canonical by default

The server does not implement VERIFIER_ENS_NAME or ENS_SIGNER_TEXT_KEY.

When schema verification is requested, the runtime resolves receipt schemas from the v1.1.0 schema tree under SCHEMA_HOST. When a commons verb request omits execution, the runtime fabricates entry: "https://runtime.commandlayer.org/execute", the live verb, version: "1.1.0", and class: "commons" before signing.

Controls not implemented by the current server

Do not rely on these as live controls in this repository:

  • configurable CORS env vars such as CORS_ALLOW_ORIGINS
  • built-in rate limiting via RATE_LIMIT_ENABLED, RATE_LIMIT_MAX, or RATE_LIMIT_WINDOW_MS
  • request-schema validation via REQUEST_SCHEMA_VALIDATION
  • request logging via LOG_REQUESTS
