TrustSignal-dev · chrismaz11 · Mar 16, 2026 · Mar 16, 2026 · chatgpt-codex-connector · Mar 16, 2026
diff --git a/.env.example b/.env.example
@@ -5,11 +5,14 @@ ISSUER_PUBLIC_JWK_JSON='{"kty":"EC","crv":"P-256","x":"<x>","y":"<y>"}'
 DB_PATH=attestations.sqlite
 DATABASE_URL="file:./prisma/dev.db"
 # Supabase aliases for apps/api Postgres (optional)
+SUPABASE_URL=https://<project-ref>.supabase.co
+SUPABASE_SERVICE_ROLE_KEY=replace-with-server-only-service-role-key
 SUPABASE_DB_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
 SUPABASE_POOLER_URL=postgresql://postgres.<project-ref>:[password]@aws-0-<region>.pooler.supabase.com:6543/postgres?sslmode=require
 SUPABASE_DIRECT_URL=postgresql://postgres:[password]@db.<project-ref>.supabase.co:5432/postgres?sslmode=require
 # Optional helper if using Supabase CLI pooler URL discovery from `supabase/.temp/pooler-url`.
 SUPABASE_DB_PASSWORD=replace-with-supabase-db-password
+SUPABASE_SECRET_KEY=replace-with-server-only-secret-key
 PORT=3000
 
 # apps/api security controls

diff --git a/.eslintrc.cjs b/.eslintrc.cjs
@@ -16,6 +16,68 @@ module.exports = {
     'import/order': ['error', { 'newlines-between': 'always' }],
     '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }]
   },
+  overrides: [
+    {
+      files: [
+        'apps/api/src/server.ts',
+        'api/**/*.ts',
+        'apps/api/src/lib/**/*.ts',
+        'apps/api/src/receiptPdf.ts',
+        'apps/api/src/security.ts',
+        'apps/api/src/db.ts',
+        'apps/api/src/registryLoader.ts'
+      ],
+      rules: {
+        'no-restricted-imports': ['error', {
+          paths: [
+            {
+              name: './services/registryAdapters.js',
+              message: 'Gateway code must use ./registry/catalog.js for public registry types and the verification engine interface for registry operations.'
+            },
+            {
+              name: './services/compliance.js',
+              message: 'Compliance evaluation is engine-owned. Route code must call the verification engine interface.'
+            },
+            {
+              name: './anchor.js',
+              message: 'Anchoring is engine-owned. Route code must call the verification engine interface.'
+            },
+            {
+              name: './engine/registry/adapterService.js',
+              message: 'Registry adapter orchestration is engine-owned. Route code must call the verification engine interface.'
+            },
+            {
+              name: './engine/compliance/cookCountyComplianceValidator.js',
+              message: 'Compliance evaluation is engine-owned. Route code must call the verification engine interface.'
+            },
+            {
+              name: './engine/anchoring/service.js',
+              message: 'Anchoring is engine-owned. Route code must call the verification engine interface.'
+            }
+          ],
+          patterns: [
+            {
+              group: [
+                '**/packages/engine-internal/**',
+                '**/packages/core/src/**',
+                '**/packages/core/dist/**',
+                '**/src/core/**',
+                '**/src/verifiers/**',
+                '**/src/services/polygonMumbaiAnchor.js',
+                '**/engine/anchoring/**',
+                '**/engine/compliance/**',
+                '**/engine/registry/**',
+                '**/services/compliance.js',
+                '**/services/registryAdapters.js',
+                '**/anchor.js'
+              ],
+              message: 'Gateway-facing code must use public contracts and the narrow verification engine interface only.'
+            }
+          ]
+        }]
+      }
+    }
+  ],
   ignorePatterns: [
     '**/node_modules/**',
     '**/.next/**',

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,19 +1,53 @@
 version: 2
+
 updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "05:00"
+      timezone: "America/Chicago"
     open-pull-requests-limit: 5
+    groups:
+      npm-production:
+        dependency-type: "production"
+      npm-development:
+        dependency-type: "development"
     labels:
       - "dependencies"
       - "security"
+    commit-message:
+      prefix: "deps"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "05:30"
+      timezone: "America/Chicago"
     open-pull-requests-limit: 5
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "cargo"
+    directory: "/circuits/non_mem_gadget"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 3
     labels:
       - "dependencies"
       - "security"
+    commit-message:
+      prefix: "deps"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,14 +1,33 @@
 ## Summary
 
-- Describe the change
+- Describe the change and why it is needed.
 
-## AI Disclosure
+## Change Type
 
-- [ ] AI-assisted changes are included in this PR
+- [ ] Runtime or API behavior
+- [ ] Security or repo governance
+- [ ] Workflow or CI configuration
+- [ ] Documentation or claims boundary only
+- [ ] Dependency update
 
-## Review Checklist
+## Security Review
 
-- [ ] Human review requested
-- [ ] Tests added or updated where appropriate
+- [ ] Security impact is described
 - [ ] No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
-- [ ] Security impact and remaining risks are described
+- [ ] New permissions, auth assumptions, or trust-boundary changes are called out
+- [ ] Dependency changes were reviewed for risk
+
+## Claims Boundary And Docs
+
+- [ ] Public-facing claims or evaluator docs were updated if needed
+- [ ] No unsupported claims were introduced
+
+## Validation
+
+- [ ] Human review requested
+- [ ] Tests or validation commands were run where appropriate
+- [ ] Workflow changes were reviewed for least privilege and pinned actions
+
+## AI Disclosure
+
+- [ ] AI-assisted changes are included in this PR
diff --git a/.github/workflows/contracts-ci.yml b/.github/workflows/contracts-ci.yml
@@ -0,0 +1,33 @@
+name: TrustSignal Contracts CI
+
+on:
+  pull_request:
+    paths:
+      - "packages/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+  push:
+    branches:
+      - work
+      - master
+    paths:
+      - "packages/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+
+jobs:
+  contracts-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Compile contracts
+        run: npm run build:contracts
@@ -13,6 +13,9 @@
      - "packages/contracts/**"
      - ".github/workflows/contracts-ci.yml"
+permissions:
+  contents: read
+
 jobs:
  contracts-build:
    runs-on: ubuntu-latest
@@ -13,6 +13,9 @@
      - "packages/contracts/**"
      - ".github/workflows/contracts-ci.yml"

+permissions:
+  contents: read
+
 jobs:
  contracts-build:
    runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+name: Security / Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: Dependency diff review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4 # GitHub-maintained action pinned to supported major; Dependabot tracks updates.
+        with:
+          fail-on-severity: high
diff --git a/.github/workflows/messaging-guardrails.yml b/.github/workflows/messaging-guardrails.yml
@@ -0,0 +1,26 @@
+name: TrustSignal Messaging Guardrails
+
+on:
+  pull_request:
+    paths:
+      - "README.md"
+      - "USER_MANUAL.md"
+      - "docs/**"
+      - "apps/web/**"
+      - "package.json"
+      - "scripts/check-public-messaging.sh"
+
+jobs:
+  messaging-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Run messaging guardrail check
+        run: npm run messaging:check
@@ -1,5 +1,8 @@
 name: TrustSignal Messaging Guardrails
+permissions:
+  contents: read
+
 on:
  pull_request:
    paths:
@@ -1,5 +1,8 @@
 name: TrustSignal Messaging Guardrails

+permissions:
+  contents: read
+
 on:
  pull_request:
    paths:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,78 +1,44 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
+name: Security / OpenSSF Scorecard
 
-name: Scorecard supply-chain security
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
-  schedule:
-    - cron: '36 3 * * 1'
   push:
-    branches: [ "master" ]
+    branches:
+      - main
+  schedule:
+    - cron: "23 4 * * 1"
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
-  analysis:
-    name: Scorecard analysis
+  scorecard:
+    name: OpenSSF Scorecard analysis
     runs-on: ubuntu-latest
-    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
-    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
+      actions: read
+      contents: read
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
-
+      security-events: write
     steps:
-      - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v4.1.7
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+      - name: Run OpenSSF Scorecard
+        uses: ossf/scorecard-action@v2.4.3
         with:
-          results_file: results.sarif
+          results_file: scorecard-results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
-          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
-          # file_mode: git
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+      - name: Upload Scorecard SARIF
+        uses: github/codeql-action/upload-sarif@v4 # GitHub-maintained action pinned to supported major; Dependabot tracks updates.
         with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
+          sarif_file: scorecard-results.sarif
 
-      # Upload the results to GitHub's code scanning dashboard (optional).
-      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload Scorecard artifact
+        uses: actions/upload-artifact@v4 # GitHub-maintained action pinned to supported major; Dependabot tracks updates.
         with:
-          sarif_file: results.sarif
+          name: scorecard-results
+          path: scorecard-results.sarif
+          retention-days: 7