yakmesh 2.8.2 → 3.0.0

package/security/khata-trust-integration.js

@@ -13,9 +13,12 @@
  */
 
 import { EventEmitter } from 'events';
-import { sha3_256 } from '@noble/hashes/sha3.js';
-import { bytesToHex, randomBytes, hexToBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { sha3_256 as _nobleSha3 } from '@noble/hashes/sha3.js';
+import { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { ternaryId } from '../utils/ternary-id.js';
 import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
+// ACCEL: Hardware-accelerated crypto
+import { sha3_256, mlDsa65Verify } from '../utils/accel.js';
 import { createLogger } from '../utils/logger.js';
 import { MESH_REVOCATION_MESSAGES } from './mesh-revocation.js';
 import { SILICON_PARITY_MESSAGES } from './silicon-parity.js';
@@ -31,20 +34,20 @@ export const KHATA_TRUST_MESSAGE = {
   ATTESTATION_ANNOUNCE: 'khata:trust:attestation:announce',
   ATTESTATION_REQUEST: 'khata:trust:attestation:request',
   REVOCATION_CERTIFICATE: 'khata:trust:revocation:cert',
-  
+
   // Silicon Parity messages
   SILICON_CHALLENGE: 'khata:trust:silicon:challenge',
   SILICON_RESPONSE: 'khata:trust:silicon:response',
   SILICON_IDENTITY: 'khata:trust:silicon:identity',
-  
+
   // Sybil Graph messages
   GRAPH_UPDATE: 'khata:trust:graph:update',
   CLUSTER_ALERT: 'khata:trust:cluster:alert',
-  
+
   // Trust Tier messages
   TIER_ANNOUNCE: 'khata:trust:tier:announce',
   TIER_REQUEST: 'khata:trust:tier:request',
-  
+
   // v2.5.0 Geographic Proof messages
   GEO_PROOF_ANNOUNCE: 'khata:trust:geo:announce',
   GEO_PROOF_REQUEST: 'khata:trust:geo:request',
@@ -64,10 +67,10 @@ const DEFAULT_CONFIG = {
 };
 
 /**
- * Generate unique message ID
+ * Generate unique message ID (balanced ternary — '666' impossible by design)
  */
 function generateMessageId() {
-  return bytesToHex(randomBytes(16));
+  return ternaryId(16);
 }
 
 /**
@@ -79,9 +82,9 @@ function generateMessageId() {
 export class KhataTrustIntegration extends EventEmitter {
   constructor(options = {}) {
     super();
-    
+
     this.config = { ...DEFAULT_CONFIG, ...options };
-    
+
     // Core components (injected)
     this.meshRevocation = options.meshRevocation || null;
     this.siliconParity = options.siliconParity || null;
@@ -89,17 +92,17 @@ export class KhataTrustIntegration extends EventEmitter {
     this.trustRegistry = options.trustRegistry || null;
     this.nodeIdentity = options.nodeIdentity || null;
     this.geoProofService = options.geoProofService || null;  // v2.5.0
-    
+
     // Network layer (set by setNetworkLayer)
     this.sendToPeer = null;
     this.broadcastToPeers = null;
-    
+
     // Message deduplication
     this.seenMessages = new Map();
-    
+
     // Pending silicon challenges
     this.pendingChallenges = new Map();
-    
+
     // Statistics
     this.stats = {
       attestationsGossiped: 0,
@@ -112,11 +115,11 @@ export class KhataTrustIntegration extends EventEmitter {
       geoProofsReceived: 0,
       landmarksAnnounced: 0,
     };
-    
+
     // Cleanup interval
     this.cleanupInterval = setInterval(() => this.cleanup(), 60000);
   }
-  
+
   /**
    * Set network layer functions
    */
@@ -124,7 +127,7 @@ export class KhataTrustIntegration extends EventEmitter {
     this.sendToPeer = sendToPeer;
     this.broadcastToPeers = broadcastToPeers;
   }
-  
+
   /**
    * Set core components
    */
@@ -136,11 +139,103 @@ export class KhataTrustIntegration extends EventEmitter {
     if (nodeIdentity) this.nodeIdentity = nodeIdentity;
     if (geoProofService) this.geoProofService = geoProofService;
   }
-  
+
+  /**
+   * Verify ML-DSA-65 signature on an incoming trust message.
+   * 
+   * Messages that include a `signature` field must prove authorship via
+   * the signer's public key. The dokoId/nodeId in the message identifies
+   * who signed. Their publicKey is resolved from the mesh peer registry.
+   * 
+   * @param {Object} message - The incoming trust message
+   * @param {string} fromPeerId - The peer who forwarded this message
+   * @returns {{ valid: boolean, reason?: string }}
+   */
+  _verifyMessageSignature(message, fromPeerId) {
+    // Messages without signatures are rejected if they should have one
+    if (!message.signature) {
+      return { valid: false, reason: 'Missing signature' };
+    }
+
+    // Identify the signer's public key. Trust messages carry dokoId or nodeId.
+    const signerId = message.dokoId || message.landmark?.nodeId || fromPeerId;
+    if (!signerId) {
+      return { valid: false, reason: 'Cannot identify message signer' };
+    }
+
+    // Resolve public key from mesh peer registry (same pattern as requirePeerAuth)
+    let publicKey = null;
+    if (this._resolvePublicKey) {
+      publicKey = this._resolvePublicKey(signerId);
+    }
+    // Fallback: if this is the message dispatcher for another node's forwarded message,
+    // the fromPeerId may differ from the original signer. Try the signer directly.
+    if (!publicKey && signerId !== fromPeerId && this._resolvePublicKey) {
+      publicKey = this._resolvePublicKey(fromPeerId);
+    }
+
+    if (!publicKey) {
+      return { valid: false, reason: `No public key for signer ${signerId.slice(0, 20)}` };
+    }
+
+    // Reconstruct the signed payload based on message type
+    try {
+      let payload;
+
+      // Each announcement type signs a specific subset of fields
+      switch (message.type) {
+        case KHATA_TRUST_MESSAGE.TIER_ANNOUNCE:
+          payload = JSON.stringify({
+            dokoId: message.dokoId,
+            tier: message.tier,
+            weight: message.weight,
+            timestamp: message.timestamp,
+          });
+          break;
+        case KHATA_TRUST_MESSAGE.GEO_PROOF_ANNOUNCE:
+          payload = JSON.stringify({
+            proof: message.proof,
+            dokoId: message.dokoId,
+            timestamp: message.timestamp,
+          });
+          break;
+        case KHATA_TRUST_MESSAGE.LANDMARK_ANNOUNCE:
+          payload = JSON.stringify({
+            landmark: message.landmark,
+            timestamp: message.timestamp,
+          });
+          break;
+        default:
+          // For other signed messages, sign the full payload minus signature/messageId/hops
+          const { signature: _s, messageId: _m, hops: _h, ...rest } = message;
+          payload = JSON.stringify(rest);
+      }
+
+      const sigBytes = hexToBytes(message.signature);
+      const pubKeyBytes = hexToBytes(publicKey);
+      const msgBytes = utf8ToBytes(payload);
+      const valid = mlDsa65Verify(sigBytes, msgBytes, pubKeyBytes);
+
+      return { valid };
+    } catch (e) {
+      return { valid: false, reason: `Verification error: ${e.message}` };
+    }
+  }
+
+  /**
+   * Set public key resolver function.
+   * Called during construction or setNetworkLayer to allow signature verification
+   * against the mesh peer registry.
+   * @param {Function} resolver - (nodeId) => publicKeyHex | null
+   */
+  setPublicKeyResolver(resolver) {
+    this._resolvePublicKey = resolver;
+  }
+
   // ═══════════════════════════════════════════════════════════════════════════
   // MESH REVOCATION GOSSIP
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Gossip an attestation to the network
    */
@@ -149,7 +244,7 @@ export class KhataTrustIntegration extends EventEmitter {
       log.warn('khata-trust', 'Cannot gossip: network layer not set');
       return;
     }
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.ATTESTATION_ANNOUNCE,
       messageId: generateMessageId(),
@@ -158,19 +253,19 @@ export class KhataTrustIntegration extends EventEmitter {
       ttl: this.config.attestationTTL,
       hops: 0,
     };
-    
+
     // Mark as seen
     const hash = this.computeMessageHash(message);
     this.seenMessages.set(hash, Date.now());
-    
+
     this.stats.attestationsGossiped++;
     log.debug('khata-trust', `Gossiping attestation for ${attestation.targetDokoId}`);
-    
+
     await this.broadcastToPeers(message);
-    
+
     return message.messageId;
   }
-  
+
   /**
    * Handle incoming attestation announcement
    */
@@ -181,32 +276,32 @@ export class KhataTrustIntegration extends EventEmitter {
       return;
     }
     this.seenMessages.set(hash, Date.now());
-    
+
     // Check hop limit
     if (message.hops >= this.config.maxHops) {
       return;
     }
-    
+
     // Check TTL
     const age = Date.now() - message.timestamp;
     if (age > message.ttl) {
       return;
     }
-    
+
     this.stats.attestationsReceived++;
-    
+
     // Add to local mesh revocation system
     if (this.meshRevocation) {
       try {
         const result = await this.meshRevocation.addAttestation(message.attestation);
-        
+
         if (result.added) {
           this.emit('attestation-received', {
             attestation: message.attestation,
             fromPeerId,
             revocationTriggered: result.revoked,
           });
-          
+
           // Update sybil graph with attestation
           if (this.sybilGraph) {
             this.sybilGraph.addAttestation(
@@ -215,7 +310,7 @@ export class KhataTrustIntegration extends EventEmitter {
               message.timestamp
             );
           }
-          
+
           // Propagate to other peers
           if (this.broadcastToPeers) {
             await this.broadcastToPeers({
@@ -229,31 +324,31 @@ export class KhataTrustIntegration extends EventEmitter {
       }
     }
   }
-  
+
   /**
    * Broadcast revocation certificate
    */
   async broadcastRevocationCertificate(certificate) {
     if (!this.broadcastToPeers) return;
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.REVOCATION_CERTIFICATE,
       messageId: generateMessageId(),
       certificate,
       timestamp: Date.now(),
     };
-    
+
     log.info('khata-trust', `Broadcasting revocation certificate for ${certificate.targetDokoId}`);
-    
+
     await this.broadcastToPeers(message);
   }
-  
+
   /**
    * Handle incoming revocation certificate
    */
   async handleRevocationCertificate(message, fromPeerId) {
     const { certificate } = message;
-    
+
     // Verify certificate
     if (this.meshRevocation) {
       const valid = await this.meshRevocation.constructor.verifyCertificate(
@@ -267,28 +362,28 @@ export class KhataTrustIntegration extends EventEmitter {
           return null;
         }
       );
-      
+
       if (valid) {
         this.emit('revocation-certificate', {
           certificate,
           fromPeerId,
           targetDokoId: certificate.targetDokoId,
         });
-        
+
         // Mark node as revoked in local state
-        log.info('khata-trust', 
+        log.info('khata-trust',
           `Verified revocation certificate for ${certificate.targetDokoId}`);
       } else {
-        log.warn('khata-trust', 
+        log.warn('khata-trust',
           `Invalid revocation certificate for ${certificate.targetDokoId}`);
       }
     }
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // SILICON PARITY CHALLENGES
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Challenge a peer to prove their silicon identity
    */
@@ -296,55 +391,55 @@ export class KhataTrustIntegration extends EventEmitter {
     if (!this.sendToPeer) {
       throw new Error('Network layer not set');
     }
-    
+
     const challengeId = generateMessageId();
     const challenge = {
       type: KHATA_TRUST_MESSAGE.SILICON_CHALLENGE,
       challengeId,
       challengerId: this.nodeIdentity?.identity?.nodeId,
-      nonce: bytesToHex(randomBytes(32)),
+      nonce: ternaryId(32),
       timestamp: Date.now(),
     };
-    
+
     // Create promise for response
     return new Promise((resolve, reject) => {
       const timeout = setTimeout(() => {
         this.pendingChallenges.delete(challengeId);
         reject(new Error('Silicon challenge timeout'));
       }, this.config.siliconChallengeTimeout);
-      
-      this.pendingChallenges.set(challengeId, { 
-        resolve, 
-        reject, 
+
+      this.pendingChallenges.set(challengeId, {
+        resolve,
+        reject,
         timeout,
         peerId,
       });
-      
+
       this.stats.siliconChallengesSent++;
       this.sendToPeer(peerId, challenge);
     });
   }
-  
+
   /**
    * Handle incoming silicon challenge
    */
   async handleSiliconChallenge(message, fromPeerId) {
     this.stats.siliconChallengesReceived++;
-    
+
     if (!this.siliconParity) {
       log.warn('khata-trust', 'Received silicon challenge but SiliconParity not configured');
       return;
     }
-    
+
     // Collect or retrieve our silicon identity
     const myDokoId = this.nodeIdentity?.identity?.nodeId;
     let identity = this.siliconParity.getIdentity(myDokoId);
-    
+
     if (!identity) {
       // Collect identity on demand
       identity = await this.siliconParity.collectIdentity(myDokoId);
     }
-    
+
     // Create response
     const response = {
       type: KHATA_TRUST_MESSAGE.SILICON_RESPONSE,
@@ -352,10 +447,10 @@ export class KhataTrustIntegration extends EventEmitter {
       responderId: myDokoId,
       identity: identity.toJSON(),
       challengeNonce: message.nonce,
-      responseNonce: bytesToHex(randomBytes(16)),
+      responseNonce: ternaryId(16),
       timestamp: Date.now(),
     };
-    
+
     // Sign response
     if (this.nodeIdentity) {
       const payload = JSON.stringify({
@@ -366,12 +461,12 @@ export class KhataTrustIntegration extends EventEmitter {
       });
       response.signature = this.nodeIdentity.sign(payload);
     }
-    
+
     if (this.sendToPeer) {
       await this.sendToPeer(fromPeerId, response);
     }
   }
-  
+
   /**
    * Handle silicon challenge response
    */
@@ -380,10 +475,10 @@ export class KhataTrustIntegration extends EventEmitter {
     if (!pending) {
       return; // Unknown or expired challenge
     }
-    
+
     clearTimeout(pending.timeout);
     this.pendingChallenges.delete(message.challengeId);
-    
+
     // Verify response
     const result = {
       valid: true,
@@ -391,7 +486,7 @@ export class KhataTrustIntegration extends EventEmitter {
       responderId: message.responderId,
       issues: [],
     };
-    
+
     // Check signature if we have the public key
     if (message.signature && this.nodeIdentity) {
       const payload = JSON.stringify({
@@ -400,7 +495,7 @@ export class KhataTrustIntegration extends EventEmitter {
         responseNonce: message.responseNonce,
         fingerprint: message.identity.aesFingerprint,
       });
-      
+
       // Verify signature with responder's public key from trust registry
       if (this.trustRegistry && message.responderId) {
         try {
@@ -409,9 +504,9 @@ export class KhataTrustIntegration extends EventEmitter {
             const payloadBytes = utf8ToBytes(payload);
             const publicKey = hexToBytes(profile.publicKey);
             const signature = hexToBytes(message.signature);
-            
+
             // ml_dsa65.verify(signature, message, publicKey)
-            const sigValid = ml_dsa65.verify(signature, payloadBytes, publicKey);
+            const sigValid = mlDsa65Verify(signature, payloadBytes, publicKey);
             if (!sigValid) {
               result.valid = false;
               result.issues.push('Invalid signature on silicon response');
@@ -426,33 +521,33 @@ export class KhataTrustIntegration extends EventEmitter {
         }
       }
     }
-    
+
     // Check for VM indicators
     if (!message.identity.isRealSilicon) {
       result.issues.push('VM or emulation detected');
     }
-    
+
     // Check core count for weight calculation
     if (message.identity.coreCount > 64) {
       result.issues.push(`High core count: ${message.identity.coreCount}`);
     }
-    
+
     pending.resolve(result);
   }
-  
+
   /**
    * Announce silicon identity to network
    */
   async announceSiliconIdentity() {
     if (!this.broadcastToPeers || !this.siliconParity) return;
-    
+
     const myDokoId = this.nodeIdentity?.identity?.nodeId;
     let identity = this.siliconParity.getIdentity(myDokoId);
-    
+
     if (!identity) {
       identity = await this.siliconParity.collectIdentity(myDokoId);
     }
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.SILICON_IDENTITY,
       messageId: generateMessageId(),
@@ -460,23 +555,23 @@ export class KhataTrustIntegration extends EventEmitter {
       identity: identity.toJSON(),
       timestamp: Date.now(),
     };
-    
+
     await this.broadcastToPeers(message);
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // SYBIL GRAPH UPDATES
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Share graph update with network
    */
   async shareGraphUpdate() {
     if (!this.broadcastToPeers || !this.sybilGraph) return;
-    
+
     const stats = this.sybilGraph.getGraphStats();
     const myDokoId = this.nodeIdentity?.identity?.nodeId;
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.GRAPH_UPDATE,
       messageId: generateMessageId(),
@@ -484,31 +579,31 @@ export class KhataTrustIntegration extends EventEmitter {
       graphStats: stats,
       timestamp: Date.now(),
     };
-    
+
     await this.broadcastToPeers(message);
   }
-  
+
   /**
    * Handle incoming graph update
    */
   async handleGraphUpdate(message, fromPeerId) {
     this.stats.graphUpdatesReceived++;
-    
+
     this.emit('graph-update', {
       senderId: message.senderId,
       stats: message.graphStats,
       fromPeerId,
     });
-    
+
     // Could merge graph data here if implementing distributed analysis
   }
-  
+
   /**
    * Broadcast cluster alert
    */
   async broadcastClusterAlert(cluster) {
     if (!this.broadcastToPeers) return;
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.CLUSTER_ALERT,
       messageId: generateMessageId(),
@@ -522,53 +617,53 @@ export class KhataTrustIntegration extends EventEmitter {
       detectedBy: this.nodeIdentity?.identity?.nodeId,
       timestamp: Date.now(),
     };
-    
-    log.warn('khata-trust', 
+
+    log.warn('khata-trust',
       `Broadcasting cluster alert: ${cluster.size} nodes, score=${cluster.suspicionScore}`);
-    
+
     await this.broadcastToPeers(message);
   }
-  
+
   /**
    * Handle incoming cluster alert
    */
   async handleClusterAlert(message, fromPeerId) {
     this.stats.clusterAlertsReceived++;
-    
+
     this.emit('cluster-alert', {
       cluster: message.cluster,
       detectedBy: message.detectedBy,
       fromPeerId,
     });
-    
+
     // Cross-reference with our own analysis
     if (this.sybilGraph) {
       const ourAnalysis = this.sybilGraph.analyze();
-      const matchingCluster = ourAnalysis.clusters.find(c => 
+      const matchingCluster = ourAnalysis.clusters.find(c =>
         c.nodes.some(n => message.cluster.nodes.includes(n))
       );
-      
+
       if (matchingCluster) {
-        log.info('khata-trust', 
+        log.info('khata-trust',
           `Cluster alert confirmed by local analysis: ${matchingCluster.size} nodes`);
       }
     }
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // TRUST TIER ANNOUNCEMENTS
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Announce our trust tier
    */
   async announceTier() {
     if (!this.broadcastToPeers || !this.trustRegistry) return;
-    
+
     const myDokoId = this.nodeIdentity?.identity?.nodeId;
     const tier = await this.trustRegistry.getTier(myDokoId);
     const weight = await this.trustRegistry.getWeight(myDokoId);
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.TIER_ANNOUNCE,
       messageId: generateMessageId(),
@@ -577,7 +672,7 @@ export class KhataTrustIntegration extends EventEmitter {
       weight,
       timestamp: Date.now(),
     };
-    
+
     // Sign announcement
     if (this.nodeIdentity) {
       const payload = JSON.stringify({
@@ -588,26 +683,26 @@ export class KhataTrustIntegration extends EventEmitter {
       });
       message.signature = this.nodeIdentity.sign(payload);
     }
-    
+
     await this.broadcastToPeers(message);
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // GEOGRAPHIC PROOF (v2.5.0)
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Announce our geographic proof to the network
    */
   async announceGeoProof() {
     if (!this.broadcastToPeers || !this.geoProofService) return;
-    
+
     const proof = this.geoProofService.getProof();
     if (!proof) {
       log.debug('khata-trust', 'No geo-proof available to announce');
       return;
     }
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.GEO_PROOF_ANNOUNCE,
       messageId: generateMessageId(),
@@ -616,7 +711,7 @@ export class KhataTrustIntegration extends EventEmitter {
       timestamp: Date.now(),
       hops: 0,
     };
-    
+
     // Sign announcement
     if (this.nodeIdentity) {
       const payload = JSON.stringify({
@@ -626,14 +721,14 @@ export class KhataTrustIntegration extends EventEmitter {
       });
       message.signature = this.nodeIdentity.sign(payload);
     }
-    
+
     this.stats.geoProofsGossiped++;
     log.debug('khata-trust', `Announcing geo-proof with ${proof.exclusionZones.length} zones`);
-    
+
     await this.broadcastToPeers(message);
     return message.messageId;
   }
-  
+
   /**
    * Request geographic proof from a specific peer
    */
@@ -641,18 +736,18 @@ export class KhataTrustIntegration extends EventEmitter {
     if (!this.sendToPeer) {
       throw new Error('Network layer not set');
     }
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.GEO_PROOF_REQUEST,
       messageId: generateMessageId(),
       requesterId: this.nodeIdentity?.identity?.nodeId,
       timestamp: Date.now(),
     };
-    
+
     await this.sendToPeer(peerId, message);
     return message.messageId;
   }
-  
+
   /**
    * Handle incoming geo-proof announcement
    */
@@ -663,20 +758,20 @@ export class KhataTrustIntegration extends EventEmitter {
       return;
     }
     this.seenMessages.set(hash, Date.now());
-    
+
     // Check hop limit
     if (message.hops >= this.config.maxHops) {
       return;
     }
-    
+
     this.stats.geoProofsReceived++;
-    
+
     this.emit('geo-proof-received', {
       proof: message.proof,
       dokoId: message.dokoId,
       fromPeerId,
     });
-    
+
     // Store in local registry if trust registry supports it
     if (this.trustRegistry && this.trustRegistry.setGeoProof) {
       try {
@@ -685,7 +780,18 @@ export class KhataTrustIntegration extends EventEmitter {
         log.warn('khata-trust', `Failed to store geo-proof: ${err.message}`);
       }
     }
-    
+
+    // Cache deserialized proof in GeoProofService for /geo/verify lookups
+    if (this.geoProofService && message.proof) {
+      try {
+        const { GeographicProof } = await import('./geo-proof.js');
+        const peerProof = GeographicProof.deserialize(message.proof);
+        this.geoProofService.proofs.set(peerProof.nodeId || message.dokoId, peerProof);
+      } catch (err) {
+        log.warn('khata-trust', `Failed to cache peer geo-proof: ${err.message}`);
+      }
+    }
+
     // Propagate to other peers
     if (this.broadcastToPeers) {
       await this.broadcastToPeers({
@@ -694,19 +800,19 @@ export class KhataTrustIntegration extends EventEmitter {
       }, fromPeerId);
     }
   }
-  
+
   /**
    * Handle incoming geo-proof request
    */
   async handleGeoProofRequest(message, fromPeerId) {
     if (!this.sendToPeer || !this.geoProofService) return;
-    
+
     const proof = this.geoProofService.getProof();
     if (!proof) {
       log.debug('khata-trust', 'No geo-proof available to respond with');
       return;
     }
-    
+
     const response = {
       type: KHATA_TRUST_MESSAGE.GEO_PROOF_RESPONSE,
       requestId: message.messageId,
@@ -714,10 +820,10 @@ export class KhataTrustIntegration extends EventEmitter {
       dokoId: this.nodeIdentity?.identity?.nodeId,
       timestamp: Date.now(),
     };
-    
+
     await this.sendToPeer(fromPeerId, response);
   }
-  
+
   /**
    * Handle incoming geo-proof response
    */
@@ -729,13 +835,13 @@ export class KhataTrustIntegration extends EventEmitter {
       fromPeerId,
     });
   }
-  
+
   /**
    * Announce this node as a landmark
    */
   async announceLandmark(landmarkInfo) {
     if (!this.broadcastToPeers) return;
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.LANDMARK_ANNOUNCE,
       messageId: generateMessageId(),
@@ -751,7 +857,7 @@ export class KhataTrustIntegration extends EventEmitter {
       },
       timestamp: Date.now(),
     };
-    
+
     // Sign announcement
     if (this.nodeIdentity) {
       const payload = JSON.stringify({
@@ -760,14 +866,14 @@ export class KhataTrustIntegration extends EventEmitter {
       });
       message.signature = this.nodeIdentity.sign(payload);
     }
-    
+
     this.stats.landmarksAnnounced++;
     log.info('khata-trust', `Announcing as landmark: ${landmarkInfo.name} (${landmarkInfo.region})`);
-    
+
     await this.broadcastToPeers(message);
     return message.messageId;
   }
-  
+
   /**
    * Handle incoming landmark announcement
    */
@@ -778,29 +884,29 @@ export class KhataTrustIntegration extends EventEmitter {
       return;
     }
     this.seenMessages.set(hash, Date.now());
-    
+
     this.emit('landmark-announce', {
       landmark: message.landmark,
       fromPeerId,
     });
-    
+
     // Register landmark if geo-proof service is available
     if (this.geoProofService) {
       try {
         this.geoProofService.registerLandmark(message.landmark);
-        log.info('khata-trust', 
+        log.info('khata-trust',
           `Registered landmark from gossip: ${message.landmark.name} (${message.landmark.region})`);
       } catch (err) {
         log.warn('khata-trust', `Failed to register landmark: ${err.message}`);
       }
     }
-    
+
     // Propagate to other peers
     if (this.broadcastToPeers) {
       await this.broadcastToPeers(message, fromPeerId);
     }
   }
-  
+
   /**
    * Request landmark verification from peer
    */
@@ -808,7 +914,7 @@ export class KhataTrustIntegration extends EventEmitter {
     if (!this.sendToPeer) {
       throw new Error('Network layer not set');
     }
-    
+
     const message = {
       type: KHATA_TRUST_MESSAGE.LANDMARK_VERIFY,
       messageId: generateMessageId(),
@@ -816,19 +922,40 @@ export class KhataTrustIntegration extends EventEmitter {
       requesterId: this.nodeIdentity?.identity?.nodeId,
       timestamp: Date.now(),
     };
-    
+
     await this.sendToPeer(peerId, message);
     return message.messageId;
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // MESSAGE ROUTING
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Handle incoming trust message
    */
   async handleMessage(message, fromPeerId) {
+    // Messages that carry a signature MUST pass verification.
+    // Requests and challenges without signatures are allowed through.
+    const SIGNED_TYPES = new Set([
+      KHATA_TRUST_MESSAGE.TIER_ANNOUNCE,
+      KHATA_TRUST_MESSAGE.GEO_PROOF_ANNOUNCE,
+      KHATA_TRUST_MESSAGE.LANDMARK_ANNOUNCE,
+      KHATA_TRUST_MESSAGE.SILICON_IDENTITY,
+      KHATA_TRUST_MESSAGE.GRAPH_UPDATE,
+      KHATA_TRUST_MESSAGE.ATTESTATION_ANNOUNCE,
+      KHATA_TRUST_MESSAGE.REVOCATION_CERTIFICATE,
+    ]);
+
+    if (SIGNED_TYPES.has(message.type)) {
+      const sigResult = this._verifyMessageSignature(message, fromPeerId);
+      if (!sigResult.valid) {
+        log.warn('khata-trust',
+          `Rejected unsigned/forged trust message: ${message.type} from ${fromPeerId?.slice(0, 20)} — ${sigResult.reason}`);
+        return false;
+      }
+    }
+
     switch (message.type) {
       // Mesh Revocation
       case KHATA_TRUST_MESSAGE.ATTESTATION_ANNOUNCE:
@@ -837,7 +964,7 @@ export class KhataTrustIntegration extends EventEmitter {
       case KHATA_TRUST_MESSAGE.REVOCATION_CERTIFICATE:
         await this.handleRevocationCertificate(message, fromPeerId);
         break;
-        
+
       // Silicon Parity
       case KHATA_TRUST_MESSAGE.SILICON_CHALLENGE:
         await this.handleSiliconChallenge(message, fromPeerId);
@@ -848,7 +975,7 @@ export class KhataTrustIntegration extends EventEmitter {
       case KHATA_TRUST_MESSAGE.SILICON_IDENTITY:
         this.emit('silicon-identity', { identity: message.identity, dokoId: message.dokoId, fromPeerId });
         break;
-        
+
       // Sybil Graph
       case KHATA_TRUST_MESSAGE.GRAPH_UPDATE:
         await this.handleGraphUpdate(message, fromPeerId);
@@ -856,12 +983,12 @@ export class KhataTrustIntegration extends EventEmitter {
       case KHATA_TRUST_MESSAGE.CLUSTER_ALERT:
         await this.handleClusterAlert(message, fromPeerId);
         break;
-        
+
       // Trust Tier
       case KHATA_TRUST_MESSAGE.TIER_ANNOUNCE:
         this.emit('tier-announce', { dokoId: message.dokoId, tier: message.tier, weight: message.weight, fromPeerId });
         break;
-        
+
       // Geographic Proof (v2.5.0)
       case KHATA_TRUST_MESSAGE.GEO_PROOF_ANNOUNCE:
         await this.handleGeoProofAnnounce(message, fromPeerId);
@@ -878,26 +1005,26 @@ export class KhataTrustIntegration extends EventEmitter {
       case KHATA_TRUST_MESSAGE.LANDMARK_VERIFY:
         this.emit('landmark-verify-request', { landmarkId: message.landmarkId, requesterId: message.requesterId, fromPeerId });
         break;
-        
+
       default:
         // Unknown message type - might be handled by base KHATA protocol
         return false;
     }
-    
+
     return true;
   }
-  
+
   /**
    * Check if message type is a trust message
    */
   isTrustMessage(messageType) {
     return Object.values(KHATA_TRUST_MESSAGE).includes(messageType);
   }
-  
+
   // ═══════════════════════════════════════════════════════════════════════════
   // UTILITIES
   // ═══════════════════════════════════════════════════════════════════════════
-  
+
   /**
    * Compute message hash for deduplication
    */
@@ -908,21 +1035,21 @@ export class KhataTrustIntegration extends EventEmitter {
     });
     return bytesToHex(sha3_256(new TextEncoder().encode(content)));
   }
-  
+
   /**
    * Cleanup old data
    */
   cleanup() {
     const now = Date.now();
     const maxAge = this.config.attestationTTL;
-    
+
     for (const [hash, timestamp] of this.seenMessages.entries()) {
       if (now - timestamp > maxAge) {
         this.seenMessages.delete(hash);
       }
     }
   }
-  
+
   /**
    * Get statistics
    */
@@ -933,13 +1060,13 @@ export class KhataTrustIntegration extends EventEmitter {
       pendingChallenges: this.pendingChallenges.size,
     };
   }
-  
+
   /**
    * Shutdown
    */
   destroy() {
     clearInterval(this.cleanupInterval);
-    
+
     // Cleanup pending challenges
     for (const [id, pending] of this.pendingChallenges.entries()) {
       clearTimeout(pending.timeout);