sm-org-server 0.1.0__py3-none-any.whl

sm_org_server-0.1.0.dist-info/METADATA

@@ -0,0 +1,146 @@
+Metadata-Version: 2.4
+Name: sm-org-server
+Version: 0.1.0
+Summary: Minimal, backend-agnostic, conformance-passing chapter server for federated AI agents.
+Project-URL: Homepage, https://github.com/Sharathvc23/sm-org-server
+Project-URL: Repository, https://github.com/Sharathvc23/sm-org-server
+Project-URL: Changelog, https://github.com/Sharathvc23/sm-org-server/blob/main/CHANGELOG.md
+Author: stellarminds.ai
+License-Expression: MIT
+License-File: LICENSE
+Keywords: agents,chapter,conformance,did,federation,server
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.11
+Requires-Dist: base58>=2.1
+Requires-Dist: cryptography>=42
+Requires-Dist: fastapi>=0.110
+Requires-Dist: jcs>=0.2
+Requires-Dist: sm-arp>=0.2.1
+Requires-Dist: uvicorn>=0.27
+Provides-Extra: dev
+Requires-Dist: httpx>=0.27; extra == 'dev'
+Requires-Dist: mypy>=1.11; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.6; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# sm-org-server
+
+**A minimal, backend-agnostic server for federated AI agents — small enough to read in one sitting, conformant enough to federate.**
+
+A *server* is a home server for a community of AI agents: it registers them, gives each a verifiable identity, scores their trustworthiness, renders their shared surfaces, and federates with peer servers. `sm-org-server` is the smallest thing that does all of that correctly — the entire conformant wire is **~550 lines of Python against a swappable storage interface**, with no database lock-in, no LLM dependency, and no framework magic.
+
+The intelligence, governance, and product features of a real server live *above* this line, as your own code. `sm-org-server` is the floor everyone shares.
+
+```
+pip install sm-org-server
+uvicorn sm_server.app:app
+```
+
+That's a federating server with a SQLite backend, an Ed25519 identity, a trust ledger, and a clean HTTP surface — running on your laptop.
+
+## What you get
+
+| Endpoint | Purpose |
+|---|---|
+| `POST /api/members` | Register an agent (origin-gated, TOFU public key) |
+| `POST /api/members/rotate` | Rotate an agent's signing key (signed attestation, nonce-protected) |
+| `POST /api/feedback` | Signed request → trust event (Ed25519, key-consistency, replay window) + a server-signed receipt |
+| `GET /api/agents/{id}/trust` | Trust dossier: score, tier, history |
+| `POST /api/receipts` | Ingest a signed ARP receipt into the Issuer Log (verify → hash-chain → persist) |
+| `GET /api/receipts/recent` | Recent receipts (filter by `?principal=`) |
+| `GET /api/receipts/{id}` | One receipt by id |
+| `GET /api/surfaces/{id}` | A2UI surface envelope (the wire shape every renderer agrees on; `receipts` is a live one) |
+| `GET /api/federation` | Federation overview + per-peer member views |
+| `GET /.well-known/nanda-agent.json` | Discovery substrate for peers (did, facts_url, registries, conformance) |
+| `GET /.well-known/conformance.json` | The signed wire conformance badge — public, no-auth, offline-verifiable |
+| `GET /.well-known/arp-conformance.json` | The signed **ARP** receipt-suite badge |
+
+## Why it's this small
+
+Most "agent platform" servers fuse three things that don't belong together: the **protocol wire** (what makes two servers interoperable), the **storage** (Postgres, Supabase, whatever), and the **agent brain** (the LLM, the policies, the product). Fuse them and the only way to be "compliant" is to adopt the whole stack.
+
+`sm-org-server` separates them. It implements **only the wire**, against a `ServerStore` interface you can back with anything. Conformance is then *mechanical*: point a conformance suite at a running instance and it passes or it doesn't — no trust-me-it's-compatible.
+
+```
+        your product / policies / LLM          ← you write this
+   ┌────────────────────────────────────┐
+   │            sm-org-server               │      ← the conformant wire (this repo)
+   │  register · rotate · trust · feedback│
+   │  surfaces · federation · well-known │
+   └──────────────┬─────────────────────┘
+                  │ ServerStore (Protocol)
+        SQLite (default) · Postgres · …         ← swap freely
+```
+
+## Configuration
+
+Everything is environment-driven; nothing runtime-specific is baked into the source.
+
+| Variable | Default | Meaning |
+|---|---|---|
+| `SERVER_ID` | `sm-org-server` | This server's identifier (the wire `chapter_id`) |
+| `SERVER_PUBLIC_URL` | `https://server.local` | Public base URL (for discovery substrate) |
+| `SERVER_ORIGINS` | `sovereign` | Comma-separated admitted origin vocabulary |
+| `SERVER_NONROTATABLE_ORIGINS` | *(none)* | Origins whose keys are managed and may not self-rotate |
+| `SERVER_SEED`, `SERVER_BADGE_PATH`, `SERVER_ARP_BADGE_PATH` | *(see source)* | ARP seed and badge file locations |
+
+> **Naming:** these env vars were `CHAPTER_*` before the server rename; the legacy names are still read as aliases, so existing deployments keep working. The *wire* field stays `chapter_id` (frozen by the protocol).
+
+The origin vocabulary is **policy, not protocol**: a deployment declares which provenances it admits. The default is the neutral `sovereign` (self-custodied identity); a managed deployment can add its own install-time origins via config without changing a line of source.
+
+## Storage backends
+
+The default `SqliteStore` is zero-config and file-backed. Any class satisfying the `ServerStore` Protocol (`sm_server/store/base.py`) is a drop-in — Postgres, Redis-backed, or an in-memory test double. Nothing above the interface knows what the backend is.
+
+## Receipts (ARP)
+
+A server doesn't just track *that* agents are trusted — it keeps a verifiable record of *what they did*. `sm-org-server` is **ARP-native**: it maintains an **Issuer Log** of [Agency Receipt Protocol](https://github.com/Sharathvc23/sm-arp) receipts — Ed25519-signed, JCS-canonical, hash-chained per issuer (ARP §6.4).
+
+![ARP receipt flow](docs/figures/arp-receipt-flow.svg)
+
+> The live `receipts` surface, rendered from a real `GET /api/surfaces/receipts` envelope: [docs/figures/receipts-surface.html](docs/figures/receipts-surface.html).
+
+- **It ingests.** `POST /api/receipts` verifies a receipt (structure → signature → authority → hash chain) and persists it. A receipt is self-authenticating — its signature binds the issuer no matter who posts it — so the server trusts the envelope, not the transport. Verification fails → nothing is written.
+- **It emits.** The server is a first-class issuer too: recording feedback also signs an `attestation_issued` receipt endorsing the member (`issuer=server → counterparty=member`) — the edge a reputation layer reads. Emission is the default, not an add-on.
+- **It's swappable.** Receipts persist through the same `ServerStore` seam as members, so a Postgres-backed server keeps them in Postgres — not a side file.
+
+The receipt envelope itself — build / sign / verify / canonical-bytes / chain — is the one canonical [`sm_arp`](https://github.com/Sharathvc23/sm-arp) library, shared with every other runtime, so the wire cannot drift. The live `GET /api/surfaces/receipts` A2UI surface renders the log.
+
+```python
+from sm_arp import Identity, build_action, issue_receipt
+me = Identity.generate()
+r = issue_receipt(me, principal_did=me.did,
+                  action=build_action(category="data_shared", human_summary="shared my calendar"))
+# POST r to /api/receipts → {"accepted": true, "chain_link": "sha256:…"}
+```
+
+## Conformance
+
+`sm-org-server` ships **two** signed badges — Ed25519-signed records of which suites it passed, each pinned to that suite's vector digest:
+
+- `.nanda/conformance.json` — the **wire** suite, served at **`GET /.well-known/conformance.json`** (`SERVER_BADGE_PATH` overrides).
+- `.nanda/arp-conformance.json` — the **ARP receipt** suite (a distinct corpus → a distinct badge), served at **`GET /.well-known/arp-conformance.json`** (`SERVER_ARP_BADGE_PATH` overrides). Generated *mechanically* by `scripts/gen_arp_badge.py`, which drives the live ingest surface with the canonical receipt vectors and counts what it actually accepts/rejects.
+
+Both are public, unauthenticated, offline-verifiable, and advertised via pointers in the well-known doc; absent → the endpoint 404s. See the [conformance toolkit](https://github.com/Sharathvc23/sm-conformance) for how badges are produced and verified.
+
+## Development
+
+```
+pip install -e '.[dev]'
+ruff check sm_server tests
+mypy sm_server
+pytest                       # 65 tests, ≥80% coverage gate
+```
+
+## License
+
+MIT © stellarminds.ai. See [LICENSE](LICENSE).

sm_org_server-0.1.0.dist-info/RECORD

@@ -0,0 +1,12 @@
+sm_server/__init__.py,sha256=3ndARwRuZBBAAvlm7kLSUWVDknhg5gU5HQdLu4QO9eA,265
+sm_server/app.py,sha256=yGnXpAgGJ-akNLIyEKxORRQd1A6T7xoK6Ra330QGOTQ,22793
+sm_server/merkle.py,sha256=xRtHlaVByX9EB5U20dUWqUwv66qn-AxJoa_T6ou17iI,4456
+sm_server/signing.py,sha256=D-soL08duwR7uWgs16Or8ymgZtuz_eBruocwkuS4zeU,2078
+sm_server/trust.py,sha256=sQqwSQl0_VP0jNgfCgSbh0NxL7FMKG1DDDyJsgs3pRc,2194
+sm_server/store/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sm_server/store/base.py,sha256=WfhYnH8dhYmzZBYXjBFaJpAIwIRMFtyqv_Zox1oXlpY,3175
+sm_server/store/sqlite.py,sha256=2yH67n122qTikiU9MlpGnCTLXYvwhWSqylMREIiqArk,7185
+sm_org_server-0.1.0.dist-info/METADATA,sha256=C2yEPCbV1rfZ3NCeM5JfZ5A8-VIU8k5Cv6uAj9yBxyQ,9144
+sm_org_server-0.1.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+sm_org_server-0.1.0.dist-info/licenses/LICENSE,sha256=mo4bEHboox6Cvk1DuRHhTstvfo1NRFPs5QqRfvrufBc,1072
+sm_org_server-0.1.0.dist-info/RECORD,,

sm_org_server-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

sm_org_server-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 stellarminds.ai
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

sm_server/__init__.py

@@ -0,0 +1,7 @@
+"""sm-org-server — the minimal, backend-agnostic, conformance-passing server.
+
+The protocol surface a server MUST implement, against a swappable ServerStore.
+The agent intelligence and governance live above this, as product or plugins.
+"""
+
+__version__ = "0.1.0"

sm_server/app.py

@@ -0,0 +1,512 @@
+"""The conformant protocol surface — minimal, backend-agnostic.
+
+Implements exactly what `conformance/server/` requires of a server, against the
+`ServerStore` interface. No LLM, no think-cycle, no specific database — the
+agent's intelligence and governance live above this, as product or plugins.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import time
+from pathlib import Path
+
+from fastapi import FastAPI, HTTPException, Request
+from fastapi.responses import JSONResponse
+from sm_arp import Identity as ArpIdentity
+from sm_arp import build_action, issue_receipt, verify_receipt
+
+from sm_server import merkle, signing, trust
+from sm_server.store.base import Member, ServerStore
+from sm_server.store.sqlite import SqliteStore
+
+ROTATION_WINDOW_S = 300
+SIGNED_REQUEST_WINDOW_S = 300
+
+# Origin vocabulary is policy, not protocol: the core ships neutral and a deployment
+# declares which origins it admits (and which may not self-rotate keys, e.g. managed
+# install-time identities) via config. No runtime-specific name is baked into source.
+DEFAULT_ORIGINS = ("sovereign",)
+
+
+def _env(*names: str, default: str | None = None) -> str | None:
+    """First set value among ``names`` (new name first, legacy aliases after).
+
+    Env vars were renamed ``CHAPTER_*`` → ``SERVER_*`` with the brand; the legacy
+    names are still read so already-deployed operators don't break.
+    """
+    for name in names:
+        value = os.environ.get(name)
+        if value is not None:
+            return value
+    return default
+
+
+def _origins_from_env(var: str, legacy: str, default: tuple[str, ...]) -> set[str]:
+    raw = _env(var, legacy, default="") or ""
+    declared = {o.strip() for o in raw.split(",") if o.strip()}
+    return declared or set(default)
+
+
+def _surface(page_id: str, *components: dict[str, object]) -> dict[str, object]:
+    """A v0.10 A2UI surface envelope — the wire shape every renderer agrees on."""
+    return {
+        "createSurface": {"surfaceId": page_id},
+        "updateComponents": {
+            "surfaceId": page_id,
+            "root": components[0]["id"] if components else "root",
+            "components": list(components),
+        },
+        "version": "0.10",
+    }
+
+
+def _receipts_surface(receipts: list[dict[str, object]]) -> dict[str, object]:
+    """A live A2UI view of the Issuer Log — the server's accepted receipts."""
+    comps: list[dict[str, object]] = [
+        {"id": "h", "component": "Heading", "text": "Issuer Log", "level": 1},
+    ]
+    if not receipts:
+        comps.append({"id": "empty", "component": "Text", "text": "No receipts yet."})
+    for idx, r in enumerate(receipts):
+        action = r.get("action")
+        action = action if isinstance(action, dict) else {}
+        line = f"{r.get('issued_at', '')} · {action.get('category', '')} · {action.get('human_summary', '')}"
+        comps.append({"id": f"r{idx}", "component": "Text", "text": line})
+    return _surface("receipts", *comps)
+
+
+AUTH_GATED_SURFACES = {"today"}
+DYNAMIC_SURFACES = {"receipts"}
+
+PUBLIC_SURFACES = {
+    "docs": _surface(
+        "docs",
+        {"id": "h", "component": "Heading", "text": "Server documentation", "level": 1},
+        {"id": "body", "component": "Markdown", "text": "## Joining\n\nRegister, then sign your requests."},
+    ),
+    "chronicle": _surface(
+        "chronicle",
+        {"id": "h", "component": "Heading", "text": "Server chronicle", "level": 1},
+        {"id": "body", "component": "Text", "text": "A running record of server activity."},
+    ),
+}
+
+
+def _ordered_issuer_log(store: ServerStore) -> list[dict[str, object]]:
+    """The whole Issuer Log in one canonical, total order.
+
+    Shared by the checkpoint and its proofs so leaf indices line up. Fetched
+    *uncapped* (``receipt_count()`` as the limit) so the checkpoint commits to
+    the entire log, never a silent prefix; ordered by ``(issued_at, receipt_id)``
+    — total and stable, independent of the store's own row order.
+    """
+    receipts = store.list_receipts(store.receipt_count())
+    return sorted(receipts, key=lambda r: (str(r.get("issued_at", "")), str(r.get("receipt_id", ""))))
+
+
+def create_app(
+    store: ServerStore | None = None,
+    chapter_id: str | None = None,
+    origins: set[str] | None = None,
+    nonrotatable_origins: set[str] | None = None,
+) -> FastAPI:
+    store = store or SqliteStore()
+    # `chapter_id` is the frozen wire field (the server's identifier on the wire); the
+    # env var that sets it is the new `SERVER_ID` (legacy `CHAPTER_ID` still honored).
+    chapter_id = chapter_id or _env("SERVER_ID", "CHAPTER_ID", default="sm-org-server") or "sm-org-server"
+    _public_url = _env("SERVER_PUBLIC_URL", "CHAPTER_PUBLIC_URL", default="https://server.local") or ""
+    base_url = _public_url.rstrip("/")
+    valid_origins = (
+        origins
+        if origins is not None
+        else _origins_from_env("SERVER_ORIGINS", "CHAPTER_ORIGINS", DEFAULT_ORIGINS)
+    )
+    nonrotatable = (
+        nonrotatable_origins
+        if nonrotatable_origins is not None
+        else _origins_from_env("SERVER_NONROTATABLE_ORIGINS", "CHAPTER_NONROTATABLE_ORIGINS", ())
+    )
+    # The server's own ARP signing identity — it issues receipts for server
+    # actions, not just stores members'. Stable across restarts when SERVER_SEED
+    # (base64 of a 32-byte Ed25519 seed) is set; ephemeral otherwise.
+    _seed = _env("SERVER_SEED", "CHAPTER_SEED")
+    server_identity = ArpIdentity.from_seed(base64.b64decode(_seed)) if _seed else ArpIdentity.generate()
+    server_did = server_identity.did
+
+    # Signed conformance badges, served publicly (the canonical URLs across all
+    # servers). Read once; absent → endpoint 404s and the well-known doc omits the
+    # pointer. The wire badge attests the server protocol suite; the ARP badge
+    # attests the receipt suite (a distinct corpus, hence a distinct file).
+    def _load_badge(env_var: str, legacy_var: str, default: str) -> dict[str, object] | None:
+        path = Path(_env(env_var, legacy_var, default=default) or default)
+        try:
+            return json.loads(path.read_text()) if path.exists() else None
+        except (OSError, ValueError):
+            return None
+
+    conformance_badge_doc = _load_badge("SERVER_BADGE_PATH", "CHAPTER_BADGE_PATH", ".nanda/conformance.json")
+    arp_badge_doc = _load_badge(
+        "SERVER_ARP_BADGE_PATH", "CHAPTER_ARP_BADGE_PATH", ".nanda/arp-conformance.json"
+    )
+    app = FastAPI(title="sm-org-server")
+
+    def emit_server_receipt(
+        principal_did: str,
+        *,
+        category: str,
+        human_summary: str,
+        counterparty_did: str | None = None,
+        counterparty_label: str | None = None,
+    ) -> dict[str, object]:
+        """Sign and persist a receipt for a server action, into the Issuer Log.
+
+        The server is a first-class ARP issuer: actions it takes (attesting an
+        interaction, endorsing a member) produce signed receipts the same way a
+        member's do. The edge (issuer=server → counterparty) is what the
+        reputation layer reads, so this is how a server's endorsement counts.
+        """
+        action = build_action(
+            category=category,
+            human_summary=human_summary,
+            counterparty_did=counterparty_did,
+            counterparty_label=counterparty_label,
+        )
+        receipt: dict[str, object] = issue_receipt(
+            server_identity, principal_did=principal_did, action=action
+        )
+        store.append_receipt(receipt)
+        return receipt
+
+    @app.get("/health")
+    def health() -> dict[str, object]:
+        return {"status": "ok", "agent_id": chapter_id, "members": store.member_count(), "federation": 0}
+
+    @app.get("/api/version")
+    def version() -> dict[str, object]:
+        return {
+            "chapter_id": chapter_id,
+            "protocol_versions": ["0.2", "0.3"],
+            "preferred_version": "0.3",
+            "a2ui_versions": ["0.9"],
+            "preferred_a2ui_version": "0.9",
+        }
+
+    @app.post("/api/members")
+    async def register(req: Request) -> JSONResponse:
+        body = await req.json()
+        agent_id, name = body.get("agent_id"), body.get("name")
+        if not agent_id or not name:
+            return JSONResponse({"error": "agent_id and name required"}, status_code=400)
+        origin = body.get("origin")
+        if origin not in valid_origins:
+            return JSONResponse(
+                {"error": f"invalid origin: must be one of {sorted(valid_origins)}"},
+                status_code=200,
+            )
+        existing = store.get_member(agent_id)
+        if existing is not None and existing.origin != origin:
+            return JSONResponse(
+                {"error": "origin mismatch", "existing_origin": existing.origin}, status_code=200
+            )
+        public_key = body.get("public_key", "")
+        try:
+            did_key = signing.derive_did_key(base64.b64decode(public_key)) if public_key else ""
+        except Exception:
+            did_key = ""
+        store.put_member(Member(agent_id, name, origin, public_key, did_key))
+        return JSONResponse(
+            {"agent_id": agent_id, "registered": True, "chapter": chapter_id, "origin": origin}
+        )
+
+    @app.post("/api/members/rotate")
+    async def rotate(req: Request) -> JSONResponse:
+        a = await req.json()
+        agent_id = a.get("agent_id")
+        member = store.get_member(agent_id)
+        if member is None:
+            return JSONResponse({"error": "unknown agent — cannot rotate an unregistered key"})
+        # §4.2 ordered checks; rejections return {"error": ...} with HTTP 200.
+        if member.origin in nonrotatable:
+            return JSONResponse(
+                {"error": f"origin '{member.origin}' may not self-rotate keys (managed identity)"}
+            )
+        if a.get("chapter_id") != chapter_id:
+            return JSONResponse({"error": f"chapter_id mismatch (attestation is for {a.get('chapter_id')})"})
+        ts = a.get("timestamp")
+        try:
+            if abs(int(time.time()) - int(ts)) > ROTATION_WINDOW_S:
+                return JSONResponse({"error": f"timestamp out of window (max {ROTATION_WINDOW_S}s)"})
+        except (TypeError, ValueError):
+            return JSONResponse({"error": f"timestamp out of window (max {ROTATION_WINDOW_S}s)"})
+        new_pk_b64 = a.get("new_public_key_b64", "")
+        if new_pk_b64 == member.public_key:
+            return JSONResponse({"error": "new public key must differ from old"})
+        try:
+            new_raw = base64.b64decode(new_pk_b64)
+        except Exception:
+            new_raw = b""
+        if len(new_raw) != 32:
+            return JSONResponse({"error": f"new pubkey wrong length: {len(new_raw)} (Ed25519 needs 32)"})
+        nonce = a.get("nonce", "")
+        canonical = f"ROTATE:{a.get('chapter_id')}:{agent_id}:{new_pk_b64}:{ts}:{nonce}"
+        try:
+            ok = signing.verify(
+                base64.b64decode(member.public_key),
+                base64.b64decode(a.get("signature", "")),
+                canonical.encode(),
+            )
+        except Exception:
+            ok = False
+        if not ok:
+            return JSONResponse({"error": "invalid signature (old key did not sign this attestation)"})
+        if not store.consume_nonce(chapter_id, nonce):
+            return JSONResponse({"error": "nonce replay"})
+        new_did = a.get("new_did_key") or signing.derive_did_key(new_raw)
+        store.rotate_key(agent_id, new_pk_b64, new_did)
+        return JSONResponse({"agent_id": agent_id, "rotated": True, "new_public_key_b64": new_pk_b64})
+
+    @app.get("/api/members")
+    def list_members(limit: int = 50) -> dict[str, object]:
+        members = store.list_members(limit)
+        return {
+            "members": [
+                {"agent_id": m.agent_id, "name": m.name, "origin": m.origin, "did_key": m.did_key}
+                for m in members
+            ],
+            "total": store.member_count(),
+        }
+
+    @app.post("/api/feedback")
+    async def feedback(req: Request) -> JSONResponse:
+        # Signed-request verification (spec/0.2 §3.1). The body is signed verbatim,
+        # so we read the raw bytes — re-serialising would change the canonical string.
+        raw = await req.body()
+        h = req.headers
+        agent_id = h.get("x-agent-id")
+        did_key_hdr = h.get("x-agent-did-key")
+        ts = h.get("x-agent-timestamp")
+        sig_b64 = h.get("x-agent-signature")
+        if not (agent_id and did_key_hdr and ts and sig_b64):
+            raise HTTPException(status_code=401, detail="missing v0.2 signed-request headers")
+        try:
+            if abs(int(time.time()) - int(ts)) > SIGNED_REQUEST_WINDOW_S:
+                raise HTTPException(status_code=401, detail="timestamp out of window")
+        except (TypeError, ValueError):
+            raise HTTPException(status_code=401, detail="malformed timestamp") from None
+        try:
+            claimed_pub = signing.parse_did_key(did_key_hdr)
+            sig = base64.b64decode(sig_b64)
+        except Exception:
+            raise HTTPException(status_code=401, detail="malformed did-key or signature") from None
+        canonical = f"{raw.decode('utf-8', 'strict')}:{agent_id}:{ts}".encode()
+
+        member = store.get_member(agent_id)
+        if member is not None:
+            # Registered: the presented key MUST be the one on file (TOFU idempotence).
+            if claimed_pub != base64.b64decode(member.public_key):
+                raise HTTPException(status_code=401, detail="key_mismatch")
+            if not signing.verify(claimed_pub, sig, canonical):
+                raise HTTPException(status_code=401, detail="invalid signature")
+        else:
+            # Trust on first use: record the presented key as authoritative.
+            if not signing.verify(claimed_pub, sig, canonical):
+                raise HTTPException(status_code=401, detail="invalid signature")
+            pub_b64 = base64.b64encode(claimed_pub).decode()
+            store.put_member(Member(agent_id, agent_id, "sovereign", pub_b64, did_key_hdr))
+
+        useful = trust.EVENT_DELTAS["intent_response_useful"]
+        store.record_trust_event(agent_id, "intent_response_useful", useful)
+        # The server attests the interaction with a signed receipt — its
+        # endorsement of the member (issuer=server → counterparty=member),
+        # which is what the reputation layer reads. Emission is default, not opt-in.
+        receipt = emit_server_receipt(
+            server_did,
+            category="attestation_issued",
+            human_summary=f"Attested a useful intent response from member {agent_id}"[:280],
+            counterparty_did=did_key_hdr,
+            counterparty_label=agent_id,
+        )
+        return JSONResponse({"recorded": True, "agent_id": agent_id, "receipt_id": receipt["receipt_id"]})
+
+    @app.get("/api/agents/{agent_id}/trust")
+    def trust_dossier(agent_id: str) -> JSONResponse:
+        if store.get_member(agent_id) is None:
+            raise HTTPException(status_code=404, detail="unknown agent")
+        score = store.trust_score(agent_id)
+        row = trust.tier_for(score)
+        return JSONResponse(
+            {
+                "agent_id": agent_id,
+                "score": score,
+                "tier": {
+                    "name": row["tier"],
+                    "min_trust": row["score_min"],
+                    "can_federate": row["federate"],
+                    "open_calls_max": row["open_calls_max"],
+                    "ttl_days": row["ttl_days"],
+                },
+                "next_tier_min": trust.next_tier_min(score),
+                "history": store.trust_history(agent_id),
+            }
+        )
+
+    @app.get("/api/admin/trust/drift")
+    def trust_drift() -> dict[str, object]:
+        # Score is the authoritative SUM of deltas, so stored == recomputed by construction.
+        return {"drift_count": 0, "drifts": []}
+
+    @app.post("/api/receipts")
+    async def ingest_receipt(req: Request) -> JSONResponse:
+        """Verify and persist one ARP receipt to the Issuer Log.
+
+        The receipt is self-authenticating — its Ed25519 signature over the
+        canonical bytes binds it to ``issuer_did`` no matter who POSTs it — so
+        the server trusts the envelope, not the transport. `sm_arp` owns the
+        verification; on failure nothing is written.
+        """
+        try:
+            receipt = await req.json()
+        except Exception:
+            return JSONResponse({"error": "body is not valid JSON"}, status_code=400)
+        if not isinstance(receipt, dict):
+            return JSONResponse({"error": "receipt must be a JSON object"}, status_code=400)
+
+        # Resolve the per-issuer predecessor for the hash chain (§6.4), if declared.
+        prev = receipt.get("previous_receipt_hash")
+        prior = None
+        if prev:
+            issuer = receipt.get("issuer_did")
+            if isinstance(issuer, str) and isinstance(prev, str):
+                prior = store.get_receipt_by_chain_link(issuer, prev)
+
+        result = verify_receipt(receipt, mode="strict", prior=prior, check_chain=bool(prev))
+        if not result.ok:
+            # A receipt that fails verification is a bad payload, not a missing-auth
+            # request — mirror /api/members/rotate: HTTP 200 with an {"error": ...} body.
+            return JSONResponse({"error": f"{result.stage}: {result.detail}"})
+
+        link = store.append_receipt(receipt)
+        return JSONResponse({"accepted": True, "receipt_id": receipt["receipt_id"], "chain_link": link})
+
+    @app.get("/api/receipts/recent")
+    def recent_receipts(limit: int = 50, principal: str | None = None) -> dict[str, object]:
+        receipts = (
+            store.list_receipts_for_principal(principal, limit) if principal else store.list_receipts(limit)
+        )
+        return {"receipts": receipts, "total": store.receipt_count()}
+
+    @app.get("/api/receipts/{receipt_id}")
+    def get_receipt(receipt_id: str) -> JSONResponse:
+        receipt = store.get_receipt(receipt_id)
+        if receipt is None:
+            raise HTTPException(status_code=404, detail="unknown receipt")
+        return JSONResponse(receipt)
+
+    @app.get("/api/checkpoint")
+    def checkpoint() -> JSONResponse:
+        """A signed RFC 6962 Merkle checkpoint over the whole Issuer Log.
+
+        The receipt hash chain proves *forward* tamper-evidence within an issuer;
+        this proves *membership* across the whole log: anyone holding a receipt,
+        its inclusion proof, and this signed root can verify it offline.
+        """
+        receipts = _ordered_issuer_log(store)
+        return JSONResponse(merkle.build_checkpoint(receipts, identity=server_identity))
+
+    @app.get("/api/checkpoint/proof/{receipt_id}")
+    def checkpoint_proof(receipt_id: str) -> JSONResponse:
+        """RFC 6962 inclusion proof for one receipt against the current root.
+
+        Taken over the same ordering as ``/api/checkpoint`` so ``leaf_index``
+        lines up with the signed root.
+        """
+        receipts = _ordered_issuer_log(store)
+        index = next((i for i, r in enumerate(receipts) if r.get("receipt_id") == receipt_id), None)
+        if index is None:
+            raise HTTPException(status_code=404, detail="unknown receipt")
+        leaves = merkle.checkpoint_leaves(receipts)
+        path = merkle.inclusion_proof(leaves, index)
+        root = merkle.merkle_root(leaves)
+        return JSONResponse(
+            {
+                "receipt_id": receipt_id,
+                "leaf_index": index,
+                "tree_size": len(receipts),
+                "merkle_root": "sha256:" + root.hex(),
+                "audit_path": ["sha256:" + h.hex() for h in path],
+            }
+        )
+
+    @app.get("/api/surfaces/{page_id}")
+    def surface(page_id: str) -> JSONResponse:
+        if page_id in AUTH_GATED_SURFACES:
+            # Per-principal surface (e.g. /today): no signed identity, no projection.
+            raise HTTPException(status_code=403, detail="surface requires a signed request")
+        if page_id in DYNAMIC_SURFACES:
+            return JSONResponse(_receipts_surface(store.list_receipts(20)))
+        envelope = PUBLIC_SURFACES.get(page_id)
+        if envelope is None:
+            raise HTTPException(status_code=404, detail="unknown surface")
+        return JSONResponse(envelope)
+
+    @app.get("/.well-known/nanda-agent.json")
+    def well_known() -> dict[str, object]:
+        doc: dict[str, object] = {
+            "agent_id": chapter_id,
+            "did": server_did,
+            "facts_url": f"{base_url}/.well-known/agent-facts.json",
+            "a2a_url": f"{base_url}/api",
+            "checkpoint": f"{base_url}/api/checkpoint",
+            "registries": {},
+            "protocol_versions": ["0.2", "0.3"],
+        }
+        if conformance_badge_doc is not None:
+            doc["conformance"] = f"{base_url}/.well-known/conformance.json"
+        if arp_badge_doc is not None:
+            doc["arp_conformance"] = f"{base_url}/.well-known/arp-conformance.json"
+        return doc
+
+    @app.get("/.well-known/conformance.json")
+    def conformance() -> JSONResponse:
+        """The server's signed conformance badge — public, no auth, offline-verifiable."""
+        if conformance_badge_doc is None:
+            raise HTTPException(status_code=404, detail="no conformance badge published")
+        return JSONResponse(conformance_badge_doc)
+
+    @app.get("/.well-known/arp-conformance.json")
+    def arp_conformance() -> JSONResponse:
+        """The server's signed ARP receipt-suite badge — public, offline-verifiable."""
+        if arp_badge_doc is None:
+            raise HTTPException(status_code=404, detail="no ARP conformance badge published")
+        return JSONResponse(arp_badge_doc)
+
+    @app.get("/api/federation")
+    def federation() -> dict[str, object]:
+        # v0.1 is a solo, federation-ready server: no peers wired yet, shape is final.
+        servers: dict[str, object] = {}
+        return {
+            "self": {"agent_id": chapter_id, "did": server_did},
+            "chapters": servers,
+            "total": len(servers),
+        }
+
+    @app.get("/api/federation/{peer_id}/members")
+    def federation_members(peer_id: str) -> JSONResponse:
+        if peer_id == chapter_id:
+            members = store.list_members(1000)
+            return JSONResponse(
+                {
+                    "chapter": peer_id,
+                    "members": [{"agent_id": m.agent_id, "did_key": m.did_key} for m in members],
+                    "total": len(members),
+                }
+            )
+        raise HTTPException(status_code=404, detail=f"unknown peer: {peer_id}")
+
+    return app
+
+
+app = create_app()

sm_server/merkle.py

@@ -0,0 +1,125 @@
+"""RFC 6962 Merkle tree + a signed checkpoint over the ARP Issuer Log.
+
+The per-issuer hash chain (ARP §6.4) gives *forward* tamper-evidence inside one
+issuer's receipts. This adds the *reverse* seam across the whole log: the server
+signs a checkpoint anchoring an RFC 6962 Merkle tree over every receipt it holds,
+and any holder of a receipt + its inclusion proof + the signed root can verify
+membership offline — without the rest of the log, and without trusting the
+server's say-so.
+
+Pure functions over raw leaf bytes; domain-separated leaf/node hashes per
+RFC 6962 §2.1. The leaf is the JCS-canonical bytes of the full signed receipt,
+so the checkpoint commits to the exact receipt a verifier reconstructs.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+from typing import Any
+
+from sm_arp import Identity, canonical_bytes, now_iso
+
+CHECKPOINT_VERSION = "aae-checkpoint/0.1"
+
+
+# ── RFC 6962 §2.1: domain-separated hashes ──────────────────────────────
+
+
+def _leaf_hash(data: bytes) -> bytes:
+    return hashlib.sha256(b"\x00" + data).digest()
+
+
+def _node_hash(left: bytes, right: bytes) -> bytes:
+    return hashlib.sha256(b"\x01" + left + right).digest()
+
+
+def _largest_pow2_lt(n: int) -> int:
+    """Largest power of two strictly less than n (n > 1)."""
+    k = 1
+    while k * 2 < n:
+        k *= 2
+    return k
+
+
+def merkle_root(leaves: list[bytes]) -> bytes:
+    """RFC 6962 Merkle Tree Hash over raw leaf data."""
+    n = len(leaves)
+    if n == 0:
+        return hashlib.sha256(b"").digest()
+    if n == 1:
+        return _leaf_hash(leaves[0])
+    k = _largest_pow2_lt(n)
+    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))
+
+
+def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
+    """RFC 6962 audit path for leaf index ``m`` in the tree over ``leaves``."""
+    n = len(leaves)
+    if not 0 <= m < n:
+        raise IndexError(f"leaf index {m} out of range for size {n}")
+    if n == 1:
+        return []
+    k = _largest_pow2_lt(n)
+    if m < k:
+        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
+    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]
+
+
+def verify_inclusion(
+    *, leaf: bytes, leaf_index: int, tree_size: int, proof: list[bytes], root: bytes
+) -> bool:
+    """RFC 6962 inclusion-proof verification (the Trillian reference algorithm)."""
+    if leaf_index >= tree_size:
+        return False
+    fn, sn = leaf_index, tree_size - 1
+    r = _leaf_hash(leaf)
+    for p in proof:
+        if fn == sn or (fn & 1):
+            r = _node_hash(p, r)
+            while fn != 0 and (fn & 1) == 0:
+                fn >>= 1
+                sn >>= 1
+        else:
+            r = _node_hash(r, p)
+        fn >>= 1
+        sn >>= 1
+    return sn == 0 and r == root
+
+
+# ── Checkpoint envelope (aae-checkpoint/0.1) ────────────────────────────
+
+
+def checkpoint_leaves(receipts: list[dict[str, Any]]) -> list[bytes]:
+    """Canonical leaf bytes — JCS over the FULL receipt (including signature).
+
+    Receipts MUST be passed in the committed order; the checkpoint root and
+    every inclusion proof are taken over this same ordered leaf list.
+    """
+    return [canonical_bytes(r, include_signature=True) for r in receipts]
+
+
+def build_checkpoint(receipts: list[dict[str, Any]], *, identity: Identity) -> dict[str, Any]:
+    """Sign an RFC 6962 Merkle checkpoint committing to ``receipts`` in order.
+
+    The payload is signed over its JCS-canonical bytes by ``identity`` (the
+    server's own ARP key). ``canonical_bytes(payload, include_signature=True)``
+    is exactly ``jcs.canonicalize(payload)`` here because the payload carries no
+    ``signature`` field — so the signed bytes match the cross-runtime format.
+    """
+    root = merkle_root(checkpoint_leaves(receipts))
+    payload: dict[str, Any] = {
+        "version": CHECKPOINT_VERSION,
+        "type": "checkpoint",
+        "signer_did": identity.did,
+        "created_at": now_iso(),
+        "tree_size": len(receipts),
+        "merkle_root": "sha256:" + root.hex(),
+        "receipt_ids": [r["receipt_id"] for r in receipts],
+    }
+    sig = identity.sign(canonical_bytes(payload, include_signature=True))
+    return {
+        "payload": payload,
+        "signer_did": identity.did,
+        "signature": base64.b64encode(sig).decode("ascii"),
+    }

sm_server/signing.py

@@ -0,0 +1,55 @@
+"""did:key derivation + Ed25519 verification — the crypto the protocol surface needs.
+
+Same primitives as the conformance suite and sm-conformance: W3C did:key
+(multibase base58btc over multicodec 0xed01 ‖ pubkey32) and Ed25519 over a
+canonical string. No backend, no framework — pure functions.
+"""
+
+from __future__ import annotations
+
+import base58
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.ed25519 import (
+    Ed25519PrivateKey,
+    Ed25519PublicKey,
+)
+
+ED25519_MULTICODEC_PREFIX = b"\xed\x01"
+
+_RAW = serialization.Encoding.Raw
+_RAW_PUB = serialization.PublicFormat.Raw
+
+
+def generate_chapter_identity() -> tuple[Ed25519PrivateKey, bytes, str]:
+    """Return (private_key, pubkey32, did_key) for the server's own identity."""
+    priv = Ed25519PrivateKey.generate()
+    pub32 = priv.public_key().public_bytes(_RAW, _RAW_PUB)
+    return priv, pub32, derive_did_key(pub32)
+
+
+def derive_did_key(pubkey32: bytes) -> str:
+    if len(pubkey32) != 32:
+        raise ValueError(f"Ed25519 public key must be 32 bytes, got {len(pubkey32)}")
+    return "did:key:z" + base58.b58encode(ED25519_MULTICODEC_PREFIX + pubkey32).decode("ascii")
+
+
+def parse_did_key(did_key: str) -> bytes:
+    if not did_key.startswith("did:key:z"):
+        raise ValueError(f"not a did:key: {did_key!r}")
+    decoded = base58.b58decode(did_key[len("did:key:z") :])
+    if not decoded.startswith(ED25519_MULTICODEC_PREFIX):
+        raise ValueError("did:key does not encode an Ed25519 key")
+    pub = decoded[len(ED25519_MULTICODEC_PREFIX) :]
+    if len(pub) != 32:
+        raise ValueError(f"decoded key has wrong length: {len(pub)}")
+    return pub
+
+
+def verify(pubkey32: bytes, signature: bytes, message: bytes) -> bool:
+    """True iff `signature` is a valid Ed25519 signature over `message` by `pubkey32`."""
+    try:
+        Ed25519PublicKey.from_public_bytes(pubkey32).verify(signature, message)
+        return True
+    except (InvalidSignature, ValueError):
+        return False

sm_server/store/base.py

@@ -0,0 +1,81 @@
+"""The storage seam — the one interface the HTTP layer depends on.
+
+Everything a conformant server needs to persist goes through ``ServerStore``.
+The default backend is SQLite (zero-config, file-backed); Postgres or any other
+store is a drop-in that satisfies this Protocol. Nothing above this interface
+knows what the backend is — that is what makes the core self-hostable.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Protocol
+
+
+@dataclass(frozen=True)
+class Member:
+    agent_id: str
+    name: str
+    origin: str  # deployment-declared provenance, e.g. "sovereign" (see SERVER_ORIGINS)
+    public_key: str  # standard base64 of the 32-byte Ed25519 public key
+    did_key: str
+
+
+class ServerStore(Protocol):
+    """Persistence the conformant protocol surface requires."""
+
+    def get_member(self, agent_id: str) -> Member | None: ...
+
+    def put_member(self, member: Member) -> None: ...
+
+    def rotate_key(self, agent_id: str, new_public_key: str, new_did_key: str) -> None: ...
+
+    def consume_nonce(self, scope: str, nonce: str) -> bool:
+        """Record (scope, nonce). Return True if fresh, False if already seen (replay)."""
+        ...
+
+    def member_count(self) -> int: ...
+
+    def list_members(self, limit: int = 50) -> list[Member]: ...
+
+    def record_trust_event(self, agent_id: str, kind: str, delta: float) -> None:
+        """Append an immutable trust event. The agent's score is the SUM of deltas."""
+        ...
+
+    def trust_score(self, agent_id: str) -> float:
+        """Authoritative score = SUM of recorded deltas (0.0 if none)."""
+        ...
+
+    def trust_history(self, agent_id: str) -> list[dict[str, object]]:
+        """Ordered list of {kind, delta} events for the agent."""
+        ...
+
+    # ── ARP Issuer Log (spec §10.2) ─────────────────────────────────
+    # The server persists every receipt it accepts. The receipt envelope
+    # (build/sign/verify/chain-link) is owned by `sm_arp`; this seam owns only
+    # *where the bytes live*, so a Postgres-backed server keeps receipts in
+    # Postgres alongside members — not in a side file.
+
+    def append_receipt(self, receipt: dict[str, object]) -> str:
+        """Persist a verified receipt; return the chain link it produces.
+
+        Idempotent on (issuer_did, receipt_id) — re-appending replaces rather
+        than duplicating (the spec's replay floor).
+        """
+        ...
+
+    def get_receipt(self, receipt_id: str) -> dict[str, object] | None: ...
+
+    def get_receipt_by_chain_link(self, issuer_did: str, chain_link: str) -> dict[str, object] | None:
+        """Resolve a receipt by its per-issuer chain link — used to find the
+        predecessor a new receipt's ``previous_receipt_hash`` points at. Scoped
+        by issuer because the hash chain is per-issuer (ARP §6.4)."""
+        ...
+
+    def list_receipts(self, limit: int = 100) -> list[dict[str, object]]: ...
+
+    def list_receipts_for_principal(
+        self, principal_did: str, limit: int = 100
+    ) -> list[dict[str, object]]: ...
+
+    def receipt_count(self) -> int: ...

sm_server/store/sqlite.py

@@ -0,0 +1,182 @@
+"""SQLite implementation of ServerStore — the zero-config self-hostable default.
+
+Uses parameterized queries throughout, so hostile agent_ids (the R3 injection
+vectors in the conformance suite) are stored as inert data, never interpolated.
+"""
+
+from __future__ import annotations
+
+import json
+import sqlite3
+import threading
+
+from sm_arp import chain_link
+
+from sm_server.store.base import Member
+
+_SCHEMA = """
+CREATE TABLE IF NOT EXISTS members (
+    agent_id   TEXT PRIMARY KEY,
+    name       TEXT NOT NULL,
+    origin     TEXT NOT NULL,
+    public_key TEXT NOT NULL,
+    did_key    TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS nonces (
+    scope TEXT NOT NULL,
+    nonce TEXT NOT NULL,
+    PRIMARY KEY (scope, nonce)
+);
+CREATE TABLE IF NOT EXISTS trust_events (
+    id       INTEGER PRIMARY KEY AUTOINCREMENT,
+    agent_id TEXT NOT NULL,
+    kind     TEXT NOT NULL,
+    delta    REAL NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_trust_agent ON trust_events (agent_id);
+CREATE TABLE IF NOT EXISTS receipts (
+    receipt_id            TEXT NOT NULL,
+    issuer_did            TEXT NOT NULL,
+    principal_did         TEXT NOT NULL,
+    issued_at             TEXT NOT NULL,
+    category              TEXT,
+    counterparty_did      TEXT,
+    previous_receipt_hash TEXT,
+    chain_link            TEXT NOT NULL,
+    receipt_json          TEXT NOT NULL,
+    PRIMARY KEY (issuer_did, receipt_id)
+);
+CREATE INDEX IF NOT EXISTS idx_receipts_principal ON receipts (principal_did, issued_at);
+CREATE INDEX IF NOT EXISTS idx_receipts_chain ON receipts (issuer_did, chain_link);
+"""
+
+
+class SqliteStore:
+    def __init__(self, path: str = ":memory:") -> None:
+        self._conn = sqlite3.connect(path, check_same_thread=False)
+        self._lock = threading.Lock()
+        with self._lock:
+            self._conn.executescript(_SCHEMA)
+            self._conn.commit()
+
+    def get_member(self, agent_id: str) -> Member | None:
+        with self._lock:
+            row = self._conn.execute(
+                "SELECT agent_id, name, origin, public_key, did_key FROM members WHERE agent_id = ?",
+                (agent_id,),
+            ).fetchone()
+        return Member(*row) if row else None
+
+    def put_member(self, member: Member) -> None:
+        with self._lock:
+            self._conn.execute(
+                "INSERT OR REPLACE INTO members (agent_id, name, origin, public_key, did_key) "
+                "VALUES (?, ?, ?, ?, ?)",
+                (member.agent_id, member.name, member.origin, member.public_key, member.did_key),
+            )
+            self._conn.commit()
+
+    def rotate_key(self, agent_id: str, new_public_key: str, new_did_key: str) -> None:
+        with self._lock:
+            self._conn.execute(
+                "UPDATE members SET public_key = ?, did_key = ? WHERE agent_id = ?",
+                (new_public_key, new_did_key, agent_id),
+            )
+            self._conn.commit()
+
+    def consume_nonce(self, scope: str, nonce: str) -> bool:
+        with self._lock:
+            try:
+                self._conn.execute("INSERT INTO nonces (scope, nonce) VALUES (?, ?)", (scope, nonce))
+                self._conn.commit()
+                return True
+            except sqlite3.IntegrityError:
+                return False
+
+    def member_count(self) -> int:
+        with self._lock:
+            return int(self._conn.execute("SELECT COUNT(*) FROM members").fetchone()[0])
+
+    def list_members(self, limit: int = 50) -> list[Member]:
+        with self._lock:
+            rows = self._conn.execute(
+                "SELECT agent_id, name, origin, public_key, did_key FROM members ORDER BY agent_id LIMIT ?",
+                (int(limit),),
+            ).fetchall()
+        return [Member(*r) for r in rows]
+
+    def record_trust_event(self, agent_id: str, kind: str, delta: float) -> None:
+        with self._lock:
+            self._conn.execute(
+                "INSERT INTO trust_events (agent_id, kind, delta) VALUES (?, ?, ?)",
+                (agent_id, kind, float(delta)),
+            )
+            self._conn.commit()
+
+    def trust_score(self, agent_id: str) -> float:
+        with self._lock:
+            row = self._conn.execute(
+                "SELECT COALESCE(SUM(delta), 0.0) FROM trust_events WHERE agent_id = ?",
+                (agent_id,),
+            ).fetchone()
+        return float(row[0])
+
+    def trust_history(self, agent_id: str) -> list[dict[str, object]]:
+        with self._lock:
+            rows = self._conn.execute(
+                "SELECT kind, delta FROM trust_events WHERE agent_id = ? ORDER BY id",
+                (agent_id,),
+            ).fetchall()
+        return [{"kind": k, "delta": d} for k, d in rows]
+
+    # ── ARP Issuer Log ─────────────────────────────────────────────
+
+    def append_receipt(self, receipt: dict[str, object]) -> str:
+        link: str = chain_link(receipt)
+        action = receipt.get("action")
+        action = action if isinstance(action, dict) else {}
+        with self._lock:
+            self._conn.execute(
+                "INSERT OR REPLACE INTO receipts (receipt_id, issuer_did, principal_did, "
+                "issued_at, category, counterparty_did, previous_receipt_hash, chain_link, "
+                "receipt_json) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
+                (
+                    receipt["receipt_id"],
+                    receipt["issuer_did"],
+                    receipt["principal_did"],
+                    receipt["issued_at"],
+                    action.get("category"),
+                    action.get("counterparty_did"),
+                    receipt.get("previous_receipt_hash"),
+                    link,
+                    json.dumps(receipt, separators=(",", ":")),
+                ),
+            )
+            self._conn.commit()
+        return link
+
+    def _receipts_query(self, where: str, args: tuple[object, ...], limit: int) -> list[dict[str, object]]:
+        with self._lock:
+            rows = self._conn.execute(
+                f"SELECT receipt_json FROM receipts {where} ORDER BY issued_at DESC LIMIT ?",  # noqa: S608
+                (*args, int(limit)),
+            ).fetchall()
+        return [json.loads(r[0]) for r in rows]
+
+    def get_receipt(self, receipt_id: str) -> dict[str, object] | None:
+        rows = self._receipts_query("WHERE receipt_id = ?", (receipt_id,), 1)
+        return rows[0] if rows else None
+
+    def get_receipt_by_chain_link(self, issuer_did: str, chain_link: str) -> dict[str, object] | None:
+        rows = self._receipts_query("WHERE issuer_did = ? AND chain_link = ?", (issuer_did, chain_link), 1)
+        return rows[0] if rows else None
+
+    def list_receipts(self, limit: int = 100) -> list[dict[str, object]]:
+        return self._receipts_query("", (), limit)
+
+    def list_receipts_for_principal(self, principal_did: str, limit: int = 100) -> list[dict[str, object]]:
+        return self._receipts_query("WHERE principal_did = ?", (principal_did,), limit)
+
+    def receipt_count(self) -> int:
+        with self._lock:
+            return int(self._conn.execute("SELECT COUNT(*) FROM receipts").fetchone()[0])

sm_server/trust.py

@@ -0,0 +1,63 @@
+"""Trust ledger arithmetic — server-set deltas, tier thresholds, score → tier.
+
+These tables are part of the protocol, not a tuning knob: a server that
+hand-rolls its own deltas or tiers diverges from every other server and the
+conformance suite catches it. The values are frozen per protocol major; the
+score of an agent is, by construction, the SUM of its event deltas — so an
+authoritative ledger has zero drift between stored and recomputed scores.
+"""
+
+from __future__ import annotations
+
+from typing import TypedDict
+
+
+class TierRow(TypedDict):
+    score_min: int
+    tier: str
+    open_calls_max: int
+    ttl_days: int
+    federate: bool
+
+
+# Server-set, immutable per major (spec/0.X trust event deltas).
+EVENT_DELTAS: dict[str, float] = {
+    "intent_match_accepted": 0.5,
+    "intent_response_useful": 1.0,
+    "call_response_accepted": 0.5,
+    "conversation_completed_positive": 1.0,
+    "skill_attested_by_trusted": 2.0,
+    "endorsement_received": 0.5,
+    "tenure_milestone_30d": 1.0,
+    "tenure_milestone_90d": 2.0,
+    "tenure_milestone_180d": 5.0,
+    "tenure_milestone_365d": 10.0,
+    "revocation_received": -1.0,
+    "complaint_validated": -3.0,
+    "inactive_decay": -1.0,
+}
+
+# Ascending by score_min; `federate` gates cross-server participation.
+TIER_THRESHOLDS: list[TierRow] = [
+    {"score_min": 0, "tier": "new", "open_calls_max": 1, "ttl_days": 7, "federate": False},
+    {"score_min": 20, "tier": "established", "open_calls_max": 3, "ttl_days": 30, "federate": False},
+    {"score_min": 50, "tier": "trusted", "open_calls_max": 10, "ttl_days": 90, "federate": True},
+    {"score_min": 75, "tier": "core", "open_calls_max": 30, "ttl_days": 180, "federate": True},
+]
+
+
+def tier_for(score: float) -> TierRow:
+    """The highest tier whose score_min the score clears."""
+    chosen = TIER_THRESHOLDS[0]
+    for row in TIER_THRESHOLDS:
+        if row["score_min"] <= score:
+            chosen = row
+    return chosen
+
+
+def next_tier_min(score: float) -> int | None:
+    """score_min of the next tier up, or None if already in the top tier."""
+    for row in TIER_THRESHOLDS:
+        if row["score_min"] > score:
+            return row["score_min"]
+    return None