@git-stunts/git-warp 10.7.0 → 11.2.1

package/src/domain/services/HttpSyncServer.js

@@ -184,17 +184,18 @@ function parseBody(body) {
  * Initializes auth service from config if present.
  *
  * @param {{ keys: Record<string, string>, mode?: 'enforce'|'log-only', crypto?: *, logger?: *, wallClockMs?: () => number }|undefined} auth
+ * @param {string[]} [allowedWriters]
  * @returns {{ auth: SyncAuthService|null, authMode: string|null }}
  * @private
  */
-function initAuth(auth) {
+function initAuth(auth, allowedWriters) {
   if (auth && auth.keys) {
     const VALID_MODES = new Set(['enforce', 'log-only']);
     const mode = auth.mode || 'enforce';
     if (!VALID_MODES.has(mode)) {
       throw new Error(`Invalid auth.mode: '${mode}'. Must be 'enforce' or 'log-only'.`);
     }
-    return { auth: new SyncAuthService(auth), authMode: mode };
+    return { auth: new SyncAuthService({ ...auth, allowedWriters }), authMode: mode };
   }
   return { auth: null, authMode: null };
 }
@@ -208,45 +209,58 @@ export default class HttpSyncServer {
    * @param {string} [options.host='127.0.0.1'] - Host to bind
    * @param {number} [options.maxRequestBytes=4194304] - Maximum request body size in bytes
    * @param {{ keys: Record<string, string>, mode?: 'enforce'|'log-only', crypto?: import('../../ports/CryptoPort.js').default, logger?: import('../../ports/LoggerPort.js').default, wallClockMs?: () => number }} [options.auth] - Auth configuration
+   * @param {string[]} [options.allowedWriters] - Optional whitelist of allowed writer IDs
    */
-  constructor({ httpPort, graph, path = '/sync', host = '127.0.0.1', maxRequestBytes = DEFAULT_MAX_REQUEST_BYTES, auth } = /** @type {*} */ ({})) { // TODO(ts-cleanup): needs options type
+  constructor({ httpPort, graph, path = '/sync', host = '127.0.0.1', maxRequestBytes = DEFAULT_MAX_REQUEST_BYTES, auth, allowedWriters } = /** @type {*} */ ({})) { // TODO(ts-cleanup): needs options type
     this._httpPort = httpPort;
     this._graph = graph;
     this._path = path && path.startsWith('/') ? path : `/${path || 'sync'}`;
     this._host = host;
     this._maxRequestBytes = maxRequestBytes;
     this._server = null;
-    const authInit = initAuth(auth);
+    const authInit = initAuth(auth, allowedWriters);
     this._auth = authInit.auth;
     this._authMode = authInit.authMode;
+    if (allowedWriters && !authInit.auth) {
+      throw new Error('allowedWriters requires auth.keys to be configured');
+    }
   }
 
   /**
-   * Handles an incoming HTTP request through the port abstraction.
+   * Runs auth verification and writer whitelist checks. Returns an error
+   * response when enforcement blocks the request, or null to proceed.
    *
-   * @param {{ method: string, url: string, headers: { [x: string]: string }, body: Buffer|undefined }} request
-   * @returns {Promise<{ status: number, headers: Object, body: string }>}
-   * @private
-   */
-  /**
-   * Runs auth verification if configured. Returns an error response to
-   * send, or null if the request should proceed.
+   * In log-only mode both checks record metrics/logs but always return
+   * null so the request proceeds.
    *
-   * @param {*} request
+   * @param {{ method: string, url: string, headers: { [x: string]: string }, body: Buffer|undefined }} request
+   * @param {*} parsed - Parsed sync request body
    * @returns {Promise<{ status: number, headers: Object, body: string }|null>}
    * @private
    */
-  async _checkAuth(request) {
+  async _authorize(request, parsed) {
     if (!this._auth) {
       return null;
     }
-    const result = await this._auth.verify(request);
-    if (!result.ok) {
+
+    // Signature verification (uses raw request headers + body hash)
+    const authResult = await this._auth.verify(request);
+    if (!authResult.ok) {
       if (this._authMode === 'enforce') {
-        return errorResponse(result.status, result.reason);
+        return errorResponse(authResult.status, authResult.reason);
       }
       this._auth.recordLogOnlyPassthrough();
     }
+
+    // Writer whitelist (uses parsed body for writer IDs)
+    if (parsed.patches && typeof parsed.patches === 'object') {
+      const writerIds = Object.keys(parsed.patches);
+      const writerResult = this._auth.enforceWriters(writerIds);
+      if (!writerResult.ok) {
+        return errorResponse(writerResult.status, writerResult.reason);
+      }
+    }
+
     return null;
   }
 
@@ -267,16 +281,16 @@ export default class HttpSyncServer {
       return sizeError;
     }
 
-    const authError = await this._checkAuth(request);
-    if (authError) {
-      return authError;
-    }
-
     const { error, parsed } = parseBody(request.body);
     if (error) {
       return error;
     }
 
+    const authError = await this._authorize(request, parsed);
+    if (authError) {
+      return authError;
+    }
+
     try {
       const response = await this._graph.processSyncRequest(parsed);
       return jsonResponse(response);

package/src/domain/services/MessageCodecInternal.js

@@ -27,6 +27,7 @@ export const MESSAGE_TITLES = {
   patch: 'warp:patch',
   checkpoint: 'warp:checkpoint',
   anchor: 'warp:anchor',
+  audit: 'warp:audit',
 };
 
 /**
@@ -44,6 +45,8 @@ export const TRAILER_KEYS = {
   indexOid: 'eg-index-oid',
   schema: 'eg-schema',
   checkpointVersion: 'eg-checkpoint',
+  dataCommit: 'eg-data-commit',
+  opsDigest: 'eg-ops-digest',
 };
 
 /**

package/src/domain/services/MessageSchemaDetector.js

@@ -116,7 +116,7 @@ export function assertOpsCompatible(ops, maxSchema) {
  * Detects the WARP message kind from a raw commit message.
  *
  * @param {string} message - The raw commit message
- * @returns {'patch'|'checkpoint'|'anchor'|null} The message kind, or null if not a WARP message
+ * @returns {'patch'|'checkpoint'|'anchor'|'audit'|null} The message kind, or null if not a WARP message
  *
  * @example
  * const kind = detectMessageKind(message);
@@ -134,7 +134,7 @@ export function detectMessageKind(message) {
     const decoded = codec.decode(message);
     const kind = decoded.trailers[TRAILER_KEYS.kind];
 
-    if (kind === 'patch' || kind === 'checkpoint' || kind === 'anchor') {
+    if (kind === 'patch' || kind === 'checkpoint' || kind === 'anchor' || kind === 'audit') {
       return kind;
     }
     return null;

package/src/domain/services/SyncAuthService.js

@@ -12,6 +12,7 @@
 import LRUCache from '../utils/LRUCache.js';
 import defaultCrypto from '../utils/defaultCrypto.js';
 import nullLogger from '../utils/nullLogger.js';
+import { validateWriterId } from '../utils/RefLayout.js';
 
 const SIG_VERSION = '1';
 const SIG_PREFIX = 'warp-v1';
@@ -103,7 +104,7 @@ function fail(reason, status) {
 }
 
 /**
- * @returns {{ authFailCount: number, replayRejectCount: number, nonceEvictions: number, clockSkewRejects: number, malformedRejects: number, logOnlyPassthroughs: number }}
+ * @returns {{ authFailCount: number, replayRejectCount: number, nonceEvictions: number, clockSkewRejects: number, malformedRejects: number, logOnlyPassthroughs: number, forbiddenWriterRejects: number }}
  */
 function _freshMetrics() {
   return {
@@ -113,6 +114,7 @@ function _freshMetrics() {
     clockSkewRejects: 0,
     malformedRejects: 0,
     logOnlyPassthroughs: 0,
+    forbiddenWriterRejects: 0,
   };
 }
 
@@ -149,6 +151,23 @@ function _validateKeys(keys) {
   }
 }
 
+/**
+ * @param {string[]|undefined} allowedWriters
+ * @returns {Set<string>|null}
+ */
+function _validateAllowedWriters(allowedWriters) {
+  if (!allowedWriters) {
+    return null;
+  }
+  if (allowedWriters.length === 0) {
+    throw new Error('allowedWriters must be a non-empty array when provided');
+  }
+  for (const w of allowedWriters) {
+    validateWriterId(w);
+  }
+  return new Set(allowedWriters);
+}
+
 export default class SyncAuthService {
   /**
    * @param {Object} options
@@ -159,8 +178,9 @@ export default class SyncAuthService {
    * @param {import('../../ports/CryptoPort.js').default} [options.crypto] - Crypto port
    * @param {import('../../ports/LoggerPort.js').default} [options.logger] - Logger port
    * @param {() => number} [options.wallClockMs] - Wall clock function
+   * @param {string[]} [options.allowedWriters] - Optional whitelist of allowed writer IDs. If set, sync requests with unlisted writers are rejected with 403.
    */
-  constructor({ keys, mode = 'enforce', nonceCapacity, maxClockSkewMs, crypto, logger, wallClockMs } = /** @type {*} */ ({})) { // TODO(ts-cleanup): needs options type
+  constructor({ keys, mode = 'enforce', nonceCapacity, maxClockSkewMs, crypto, logger, wallClockMs, allowedWriters } = /** @type {*} */ ({})) { // TODO(ts-cleanup): needs options type
     _validateKeys(keys);
     this._keys = keys;
     this._mode = mode;
@@ -170,6 +190,7 @@ export default class SyncAuthService {
     this._maxClockSkewMs = typeof maxClockSkewMs === 'number' ? maxClockSkewMs : MAX_CLOCK_SKEW_MS;
     this._nonceCache = new LRUCache(nonceCapacity || DEFAULT_NONCE_CAPACITY);
     this._metrics = _freshMetrics();
+    this._allowedWriters = _validateAllowedWriters(allowedWriters);
   }
 
   /** @returns {'enforce'|'log-only'} */
@@ -364,6 +385,51 @@ export default class SyncAuthService {
     return { ok: true };
   }
 
+  /**
+   * Validates that all writer IDs are in the allowed set.
+   * Call after verify() succeeds.
+   *
+   * This method is a pure validator — it always returns `{ ok: false }` for
+   * forbidden writers regardless of `this._mode`. Mode enforcement (enforce
+   * vs log-only) is the caller's responsibility, matching the same pattern
+   * used by `verify()` and `HttpSyncServer._checkAuth()`.
+   *
+   * @param {string[]} writerIds - Writer IDs from the sync request
+   * @returns {{ ok: true } | { ok: false, reason: string, status: number }}
+   */
+  verifyWriters(writerIds) {
+    if (!this._allowedWriters) {
+      return { ok: true };
+    }
+    const forbidden = writerIds.filter(id => !/** @type {Set<string>} */ (this._allowedWriters).has(id));
+    if (forbidden.length > 0) {
+      this._metrics.forbiddenWriterRejects += 1;
+      this._logger.warn('sync auth: forbidden writers rejected', { forbidden });
+      return fail('FORBIDDEN_WRITER', 403);
+    }
+    return { ok: true };
+  }
+
+  /**
+   * Mode-aware convenience wrapper around `verifyWriters()`.
+   *
+   * In `enforce` mode, returns the failure result from `verifyWriters()`.
+   * In `log-only` mode, records a passthrough and returns `{ ok: true }`.
+   * Callers that want simple single-call authorization can use this instead
+   * of calling `verifyWriters()` + checking mode manually.
+   *
+   * @param {string[]} writerIds - Writer IDs from the sync request
+   * @returns {{ ok: true } | { ok: false, reason: string, status: number }}
+   */
+  enforceWriters(writerIds) {
+    const result = this.verifyWriters(writerIds);
+    if (!result.ok && this._mode !== 'enforce') {
+      this._metrics.logOnlyPassthroughs += 1;
+      return { ok: true };
+    }
+    return result;
+  }
+
   /**
    * Records an auth failure and returns the result.
    * @param {string} message
@@ -388,7 +454,7 @@ export default class SyncAuthService {
   /**
    * Returns a snapshot of auth metrics.
    *
-   * @returns {{ authFailCount: number, replayRejectCount: number, nonceEvictions: number, clockSkewRejects: number, malformedRejects: number, logOnlyPassthroughs: number }}
+   * @returns {{ authFailCount: number, replayRejectCount: number, nonceEvictions: number, clockSkewRejects: number, malformedRejects: number, logOnlyPassthroughs: number, forbiddenWriterRejects: number }}
    */
   getMetrics() {
     return { ...this._metrics };

package/src/domain/services/WarpMessageCodec.js

@@ -2,16 +2,18 @@
  * WARP Message Codec — facade re-exporting all message encoding, decoding,
  * and schema utilities.
  *
- * This module provides backward-compatible access to the three types of
+ * This module provides backward-compatible access to the four types of
  * WARP (Write-Ahead Reference Protocol) commit messages:
  * - Patch: Contains graph mutations from a single writer
  * - Checkpoint: Contains a snapshot of materialized graph state
  * - Anchor: Marks a merge point in the WARP DAG
+ * - Audit: Records tamper-evident audit receipts for data commits
  *
  * Implementation is split across focused sub-modules:
  * - {@link module:domain/services/PatchMessageCodec}
  * - {@link module:domain/services/CheckpointMessageCodec}
  * - {@link module:domain/services/AnchorMessageCodec}
+ * - {@link module:domain/services/AuditMessageCodec}
  * - {@link module:domain/services/MessageSchemaDetector}
  *
  * @module domain/services/WarpMessageCodec
@@ -20,6 +22,7 @@
 export { encodePatchMessage, decodePatchMessage } from './PatchMessageCodec.js';
 export { encodeCheckpointMessage, decodeCheckpointMessage } from './CheckpointMessageCodec.js';
 export { encodeAnchorMessage, decodeAnchorMessage } from './AnchorMessageCodec.js';
+export { encodeAuditMessage, decodeAuditMessage } from './AuditMessageCodec.js';
 export {
   detectSchemaVersion,
   detectMessageKind,

package/src/domain/trust/TrustCanonical.js

@@ -0,0 +1,42 @@
+/**
+ * SHA-256 hashing layer on top of canonical.js string payloads.
+ *
+ * Computes record IDs (content-addressed hex digests) and
+ * signature payloads (raw UTF-8 bytes) for trust records.
+ *
+ * @module domain/trust/TrustCanonical
+ * @see docs/specs/TRUST_V1_CRYPTO.md
+ */
+
+import { createHash } from 'node:crypto';
+import { recordIdPayload, signaturePayload } from './canonical.js';
+
+/**
+ * Computes the record ID (SHA-256 hex digest) for a trust record.
+ *
+ * @param {Record<string, *>} record - Full trust record
+ * @returns {string} 64-character lowercase hex string
+ */
+export function computeRecordId(record) {
+  return createHash('sha256').update(recordIdPayload(record)).digest('hex');
+}
+
+/**
+ * Computes the signature payload as a Buffer (UTF-8 bytes).
+ *
+ * @param {Record<string, *>} record - Full trust record (signature will be stripped)
+ * @returns {Buffer} UTF-8 encoded bytes of the domain-separated canonical string
+ */
+export function computeSignaturePayload(record) {
+  return Buffer.from(signaturePayload(record), 'utf8');
+}
+
+/**
+ * Verifies that a record's recordId matches its content.
+ *
+ * @param {Record<string, *>} record - Trust record with `recordId` field
+ * @returns {boolean} true if recordId matches computed value
+ */
+export function verifyRecordId(record) {
+  return record.recordId === computeRecordId(record);
+}

package/src/domain/trust/TrustCrypto.js

@@ -0,0 +1,111 @@
+/**
+ * Ed25519 cryptographic operations for trust records.
+ *
+ * Uses `node:crypto` directly — Ed25519 is trust-specific and does not
+ * belong on the general CryptoPort hash/hmac interface.
+ *
+ * @module domain/trust/TrustCrypto
+ * @see docs/specs/TRUST_V1_CRYPTO.md
+ */
+
+import { createHash, createPublicKey, verify } from 'node:crypto';
+import TrustError from '../errors/TrustError.js';
+
+/** Algorithms supported by this module. */
+export const SUPPORTED_ALGORITHMS = new Set(['ed25519']);
+
+const ED25519_PUBLIC_KEY_LENGTH = 32;
+
+/**
+ * Decodes a base64-encoded Ed25519 public key and validates its length.
+ *
+ * @param {string} base64 - Base64-encoded raw public key bytes
+ * @returns {Buffer} 32-byte raw key
+ * @throws {TrustError} E_TRUST_INVALID_KEY if base64 is malformed or wrong length
+ */
+function decodePublicKey(base64) {
+  /** @type {Buffer} */
+  let raw;
+  try {
+    raw = Buffer.from(base64, 'base64');
+  } catch {
+    throw new TrustError('Malformed base64 in public key', {
+      code: 'E_TRUST_INVALID_KEY',
+    });
+  }
+
+  // Buffer.from with 'base64' never throws on bad input — it silently
+  // produces an empty or truncated buffer. Validate that the round-trip
+  // matches to detect garbage input.
+  if (raw.toString('base64') !== base64) {
+    throw new TrustError('Malformed base64 in public key', {
+      code: 'E_TRUST_INVALID_KEY',
+    });
+  }
+
+  if (raw.length !== ED25519_PUBLIC_KEY_LENGTH) {
+    throw new TrustError(
+      `Ed25519 public key must be ${ED25519_PUBLIC_KEY_LENGTH} bytes, got ${raw.length}`,
+      { code: 'E_TRUST_INVALID_KEY' },
+    );
+  }
+
+  return raw;
+}
+
+/**
+ * Verifies an Ed25519 signature against a payload.
+ *
+ * @param {Object} params
+ * @param {string} params.algorithm - Must be 'ed25519'
+ * @param {string} params.publicKeyBase64 - Base64-encoded 32-byte public key
+ * @param {string} params.signatureBase64 - Base64-encoded signature
+ * @param {Buffer} params.payload - Bytes to verify
+ * @returns {boolean} true if signature is valid
+ * @throws {TrustError} E_TRUST_UNSUPPORTED_ALGORITHM for non-ed25519
+ * @throws {TrustError} E_TRUST_INVALID_KEY for malformed public key
+ */
+export function verifySignature({
+  algorithm,
+  publicKeyBase64,
+  signatureBase64,
+  payload,
+}) {
+  if (!SUPPORTED_ALGORITHMS.has(algorithm)) {
+    throw new TrustError(`Unsupported algorithm: ${algorithm}`, {
+      code: 'E_TRUST_UNSUPPORTED_ALGORITHM',
+      context: { algorithm },
+    });
+  }
+
+  const raw = decodePublicKey(publicKeyBase64);
+
+  const keyObject = createPublicKey({
+    key: Buffer.concat([
+      // DER prefix for Ed25519 public key (RFC 8410)
+      Buffer.from('302a300506032b6570032100', 'hex'),
+      raw,
+    ]),
+    format: 'der',
+    type: 'spki',
+  });
+
+  const sig = Buffer.from(signatureBase64, 'base64');
+
+  return verify(null, payload, keyObject, sig);
+}
+
+/**
+ * Computes the key fingerprint for an Ed25519 public key.
+ *
+ * Format: `"ed25519:" + sha256_hex(rawBytes)`
+ *
+ * @param {string} publicKeyBase64 - Base64-encoded 32-byte public key
+ * @returns {string} Fingerprint string, e.g. "ed25519:abcd1234..."
+ * @throws {TrustError} E_TRUST_INVALID_KEY for malformed key
+ */
+export function computeKeyFingerprint(publicKeyBase64) {
+  const raw = decodePublicKey(publicKeyBase64);
+  const hash = createHash('sha256').update(raw).digest('hex');
+  return `ed25519:${hash}`;
+}

package/src/domain/trust/TrustEvaluator.js

@@ -0,0 +1,180 @@
+/**
+ * Trust V1 evaluator.
+ *
+ * Pure function that evaluates writer trust status against a built
+ * trust state and policy configuration. No I/O, no side effects.
+ *
+ * @module domain/trust/TrustEvaluator
+ * @see docs/specs/TRUST_V1_CRYPTO.md Section 12
+ */
+
+import { TrustPolicySchema } from './schemas.js';
+import { TRUST_REASON_CODES } from './reasonCodes.js';
+import { deriveTrustVerdict } from './verdict.js';
+
+/**
+ * @typedef {import('./TrustStateBuilder.js').TrustState} TrustState
+ */
+
+/**
+ * Evaluates trust status for a set of writers against the current trust state.
+ *
+ * For each writer (sorted deterministically), checks:
+ * 1. Whether any active binding exists for that writer
+ * 2. Whether the bound key is still active (not revoked)
+ *
+ * @param {string[]} writerIds - Writer IDs to evaluate
+ * @param {TrustState} trustState - Built trust state from TrustStateBuilder
+ * @param {Record<string, *>} policy - Trust policy configuration
+ * @returns {Record<string, *>} Frozen TrustAssessment object
+ */
+export function evaluateWriters(writerIds, trustState, policy) {
+  const policyResult = TrustPolicySchema.safeParse(policy);
+  if (!policyResult.success) {
+    return buildErrorAssessment(writerIds, TRUST_REASON_CODES.TRUST_POLICY_INVALID);
+  }
+
+  const sortedWriters = [...writerIds].sort();
+  const explanations = sortedWriters.map((writerId) =>
+    evaluateSingleWriter(writerId, trustState),
+  );
+
+  const untrustedWriters = explanations
+    .filter((e) => !e.trusted)
+    .map((e) => e.writerId);
+
+  const trust = {
+    status: /** @type {'configured'|'pinned'|'error'|'not_configured'} */ ('configured'),
+    source: 'ref',
+    sourceDetail: null,
+    evaluatedWriters: sortedWriters,
+    untrustedWriters,
+    explanations: explanations.map((e) => Object.freeze(e)),
+    evidenceSummary: buildEvidenceSummary(trustState),
+  };
+
+  const trustVerdict = deriveTrustVerdict(trust);
+
+  return Object.freeze({
+    trustSchemaVersion: 1,
+    mode: 'signed_evidence_v1',
+    trustVerdict,
+    trust: Object.freeze(trust),
+  });
+}
+
+/**
+ * Evaluates trust for a single writer.
+ *
+ * @param {string} writerId
+ * @param {TrustState} trustState
+ * @returns {{writerId: string, trusted: boolean, reasonCode: string, reason: string}}
+ */
+function evaluateSingleWriter(writerId, trustState) {
+  // Check all bindings for this writer
+  const activeBindingKeys = [];
+  for (const [bindingKey, binding] of trustState.writerBindings) {
+    if (bindingKey.startsWith(`${writerId}\0`)) {
+      activeBindingKeys.push({ bindingKey, keyId: binding.keyId });
+    }
+  }
+
+  // Check revoked bindings too (for reason code accuracy)
+  let hasRevokedBinding = false;
+  for (const bindingKey of trustState.revokedBindings.keys()) {
+    if (bindingKey.startsWith(`${writerId}\0`)) {
+      hasRevokedBinding = true;
+    }
+  }
+
+  if (activeBindingKeys.length === 0) {
+    if (hasRevokedBinding) {
+      return {
+        writerId,
+        trusted: false,
+        reasonCode: TRUST_REASON_CODES.BINDING_REVOKED,
+        reason: `Writer '${writerId}' has no active bindings (all revoked)`,
+      };
+    }
+    return {
+      writerId,
+      trusted: false,
+      reasonCode: TRUST_REASON_CODES.WRITER_HAS_NO_ACTIVE_BINDING,
+      reason: `Writer '${writerId}' has no active bindings`,
+    };
+  }
+
+  // Check if any active binding points to an active key
+  for (const { keyId } of activeBindingKeys) {
+    if (trustState.activeKeys.has(keyId)) {
+      return {
+        writerId,
+        trusted: true,
+        reasonCode: TRUST_REASON_CODES.WRITER_BOUND_TO_ACTIVE_KEY,
+        reason: `Writer '${writerId}' is bound to active key ${keyId}`,
+      };
+    }
+  }
+
+  // All bindings point to revoked keys
+  return {
+    writerId,
+    trusted: false,
+    reasonCode: TRUST_REASON_CODES.WRITER_BOUND_KEY_REVOKED,
+    reason: `Writer '${writerId}' is bound only to revoked keys`,
+  };
+}
+
+/**
+ * Builds an error assessment when policy validation fails.
+ *
+ * @param {string[]} writerIds
+ * @param {string} reasonCode
+ * @returns {Record<string, *>}
+ */
+function buildErrorAssessment(writerIds, reasonCode) {
+  const sortedWriters = [...writerIds].sort();
+  const trust = {
+    status: /** @type {'configured'|'pinned'|'error'|'not_configured'} */ ('error'),
+    source: 'none',
+    sourceDetail: null,
+    evaluatedWriters: sortedWriters,
+    untrustedWriters: sortedWriters,
+    explanations: sortedWriters.map((writerId) => Object.freeze({
+      writerId,
+      trusted: false,
+      reasonCode,
+      reason: `Policy validation failed: ${reasonCode}`,
+    })),
+    evidenceSummary: {
+      recordsScanned: 0,
+      activeKeys: 0,
+      revokedKeys: 0,
+      activeBindings: 0,
+      revokedBindings: 0,
+    },
+  };
+
+  return Object.freeze({
+    trustSchemaVersion: 1,
+    mode: 'signed_evidence_v1',
+    trustVerdict: deriveTrustVerdict(trust),
+    trust: Object.freeze(trust),
+  });
+}
+
+/**
+ * Builds the evidence summary from trust state.
+ *
+ * @param {TrustState} trustState
+ * @returns {{recordsScanned: number, activeKeys: number, revokedKeys: number, activeBindings: number, revokedBindings: number}}
+ */
+function buildEvidenceSummary(trustState) {
+  return Object.freeze({
+    recordsScanned: trustState.recordsProcessed,
+    activeKeys: trustState.activeKeys.size,
+    revokedKeys: trustState.revokedKeys.size,
+    activeBindings: trustState.writerBindings.size,
+    revokedBindings: trustState.revokedBindings.size,
+  });
+}