Trust store & policy presets

A signature is only as useful as the question "do I trust this key?" CGF separates the trust store (who you trust) from the trust policy (how strict you want to be) so the same bundle can be verified under different policies in different environments.

Trust store

The trust store is a small JSON document on the verifying machine. It lives at .dpw/compliance/trust-store.json.

{
  "keys": [
    {
      "id":  "ops@acme",
      "alg": "Ed25519",
      "pub": "9c4d…ef10",
      "addedAt": "2026-04-08T11:02:00Z",
      "note": "Release signer, rotated quarterly"
    }
  ],
  "tsas": [
    { "url": "https://freetsa.org/tsr", "note": "EU operations, free TSA" }
  ]
}

Manage it from the CLI:

cgf trust add-key  ops@acme 9c4d…ef10
cgf trust add-tsa  https://freetsa.org/tsr
cgf trust list-keys
cgf trust list-tsas
cgf trust export > trust.json
cgf trust import --mode merge   trust.json    # default
cgf trust import --mode replace trust.json    # wipes local first

Or open Compliance → Trust Store in DPW. The UI and CLI write to the same file.

Cross-machine flow

Laptop A                         Laptop B
─────────                        ─────────
trust add-key alice  …
trust add-tsa freetsa …
trust export > trust.json  ────► trust import --mode merge trust.json
                                 verify dossier.cgfevidence   ✓

Trust policy

A TrustPolicy is the invariant a bundle must satisfy after its signatures cryptographically verify:

interface TrustPolicy {
  minSigners:        number;   // e.g. 2
  requireAllTrusted: boolean;  // every signer must be in the trust store
  requireTimestamp:  boolean;  // a valid RFC 3161 token must be present
  requireTSAUrl?:    string;   // the timestamp must come from this TSA
}

verifyWithPolicy returns structured violations, never a bare pass/fail:

const result = await verifyWithPolicy(bytes, trustStore, {
  minSigners: 2,
  requireAllTrusted: true,
  requireTimestamp: true,
});

if (!result.ok) {
  for (const v of result.violations) console.error(v);
}

Example violation:

{
  "code":   "policy.requireAllTrusted",
  "signer": "ops@acme",
  "reason": "Public key not in trust store"
}

Built-in presets

PresetminSignersrequireAllTrustedrequireTimestamp
Open — hobby / experiments0falsefalse
Minimal trust — internal staging1truefalse
EU AI Act high-risk — regulated AI2truetrue
Banking grade — finance, registered TSA3truetrue (requireTSAUrl set)

Presets are saved at .dpw/compliance/policy-presets.json and can be exported together with the trust store. User-defined presets show up in the same list as built-ins.

import { BUILTIN_POLICY_PRESETS, PolicyPresetsStore } from '@/lib/cgf';

const presets = await PolicyPresetsStore.load();
const policy  = presets.byId('eu-ai-act-high-risk');

Picking a preset

You are…Use
building a side projectOpen
running internal stagingMinimal trust
shipping under the EU AI ActEU AI Act high-risk
shipping under banking regulationBanking grade, then requireTSAUrl

Reading next