Trust store & policy presets

A valid signature proves that the holder of some private key signed the bundle; it says nothing about whether you should trust that key. CGF separates the trust store (who you trust) from the trust policy (how strict you want to be), so the same bundle can be verified under different policies in different environments.

Trust store

The trust store is a small JSON document on the verifying machine, at .dpw/compliance/trust-store.json. It is the verifier's root of trust: anyone who can write this file can make their own key trusted, so protect it the way you would protect a CA bundle.

{
  "keys": [
    {
      "id":  "ops@acme",
      "alg": "Ed25519",
      "pub": "9c4d…ef10",
      "addedAt": "2026-04-08T11:02:00Z",
      "note": "Release signer, rotated quarterly"
    }
  ],
  "tsas": [
    { "url": "https://freetsa.org/tsr", "note": "EU operations, free TSA" }
  ]
}

Manage it from the CLI:

cgf trust add-key  ops@acme 9c4d…ef10
cgf trust add-tsa  https://freetsa.org/tsr
cgf trust list-keys
cgf trust list-tsas
cgf trust export > trust.json
cgf trust import --mode merge   trust.json    # default
cgf trust import --mode replace trust.json    # wipes local first

Or open Compliance → Trust Store in DPW. The UI and CLI write to the same file.

Cross-machine flow

Laptop A                         Laptop B
─────────                        ─────────
trust add-key alice  …
trust add-tsa freetsa …
trust export > trust.json  ────► trust import --mode merge trust.json
                                 verify dossier.cgfevidence   ✓
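The import modes and the cross-machine flow above, as an added example in TypeScript. This is not CGF's own code: it parses a trust-store document with the shape shown, validates it, and models `--mode merge` (keep local entries, add incoming ones) and `--mode replace` (discard local entries first). The validation rules, the https-only rule for TSA URLs, and the refusal to merge an id whose public key differs from the local one are assumptions of this example, and the sample documents and keys are constructed.

```typescript
// Added example, not CGF's own code. Parses a trust-store document with the
// shape shown above, validates it, and implements the two CLI import modes:
// "merge" keeps local entries and adds the incoming ones, "replace" discards
// local entries first. The validation rules and the conflict handling are
// this example's assumptions, not documented CGF behaviour.

export type TrustedKey = { id: string; alg: 'Ed25519'; pub: string; addedAt: string; note?: string };
export type TrustedTsa = { url: string; note?: string };
export type TrustStore = { keys: TrustedKey[]; tsas: TrustedTsa[] };
export type ImportMode = 'merge' | 'replace';

// Assumption: an Ed25519 public key is stored as its 32 raw bytes in hex.
const ED25519_PUB_HEX = /^[0-9a-f]{64}$/;

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Canonical form of a TSA URL, so "https://FreeTSA.org/tsr" and
// "https://freetsa.org/tsr" are one entry. Plain http is refused: a timestamp
// request over http can be redirected to an attacker's TSA.
function canonicalTsaUrl(raw: string): string {
  const u = new URL(raw);
  if (u.protocol !== 'https:') throw new Error(`trust store: TSA URL must be https, got ${raw}`);
  return u.href;
}

export function parseTrustStore(json: string): TrustStore {
  const doc: unknown = JSON.parse(json);
  if (!isRecord(doc)) throw new Error('trust store: top level must be an object');
  const store: TrustStore = { keys: [], tsas: [] };
  const ids = new Set<string>();
  for (const k of Array.isArray(doc.keys) ? doc.keys : []) {
    if (!isRecord(k) || typeof k.id !== 'string' || typeof k.pub !== 'string' || typeof k.addedAt !== 'string') {
      throw new Error('trust store: malformed key entry');
    }
    if (k.alg !== 'Ed25519') throw new Error(`trust store: unsupported alg for ${k.id}`);
    const pub = k.pub.toLowerCase();
    if (!ED25519_PUB_HEX.test(pub)) throw new Error(`trust store: bad public key for ${k.id}`);
    if (ids.has(k.id)) throw new Error(`trust store: duplicate key id ${k.id}`);
    ids.add(k.id);
    store.keys.push({ id: k.id, alg: 'Ed25519', pub, addedAt: k.addedAt, ...(typeof k.note === 'string' ? { note: k.note } : {}) });
  }
  const urls = new Set<string>();
  for (const t of Array.isArray(doc.tsas) ? doc.tsas : []) {
    if (!isRecord(t) || typeof t.url !== 'string') throw new Error('trust store: malformed TSA entry');
    const url = canonicalTsaUrl(t.url);
    if (urls.has(url)) throw new Error(`trust store: duplicate TSA ${url}`);
    urls.add(url);
    store.tsas.push({ url, ...(typeof t.note === 'string' ? { note: t.note } : {}) });
  }
  return store;
}

// `cgf trust import --mode merge|replace`, as this example models it.
// The incoming file is parsed first, so a malformed import never touches local state.
export function importTrustStore(localJson: string, incomingJson: string, mode: ImportMode = 'merge'): TrustStore {
  const incoming = parseTrustStore(incomingJson);
  if (mode === 'replace') return incoming; // local entries are wiped first
  const merged = parseTrustStore(localJson);
  for (const k of incoming.keys) {
    const existing = merged.keys.find((e) => e.id === k.id);
    if (existing === undefined) { merged.keys.push(k); continue; }
    // Same id, different key material: refuse, so an import cannot quietly
    // swap the key behind a name the operator already trusts.
    if (existing.pub !== k.pub) throw new Error(`trust store: key id ${k.id} already present with a different public key`);
  }
  for (const t of incoming.tsas) {
    if (!merged.tsas.some((e) => e.url === t.url)) merged.tsas.push(t);
  }
  return merged;
}

// Constructed sample documents (the keys are not real): Laptop A's export and
// Laptop B's local store from the cross-machine flow above.
export const LAPTOP_A_EXPORT = JSON.stringify({
  keys: [{ id: 'alice', alg: 'Ed25519', pub: '11'.repeat(32), addedAt: '2026-04-08T11:02:00Z', note: 'constructed' }],
  tsas: [{ url: 'https://freetsa.org/tsr', note: 'EU operations, free TSA' }],
});
export const LAPTOP_B_LOCAL = JSON.stringify({
  keys: [{ id: 'ops@acme', alg: 'Ed25519', pub: '22'.repeat(32), addedAt: '2026-04-01T09:00:00Z' }],
  tsas: [{ url: 'https://FreeTSA.org/tsr' }],
});

const mergedDemo = importTrustStore(LAPTOP_B_LOCAL, LAPTOP_A_EXPORT, 'merge');
console.log(mergedDemo.keys.map((k) => k.id), mergedDemo.tsas.map((t) => t.url));
```

Merging on Laptop B leaves both ops@acme and alice trusted and a single freetsa entry, while replace leaves only what Laptop A exported. Whatever the real CLI does on an id collision, check its behaviour before relying on merge imports from machines you do not control: a merge that silently overwrites key material turns a shared trust.json into a way to swap a trusted key.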

Trust policy

A TrustPolicy is the set of conditions a bundle must satisfy after its signatures and timestamp have been cryptographically verified. Policy is evaluated only over signatures that already verified: it decides whether those signatures are enough, and never makes an invalid one acceptable:

interface TrustPolicy {
  minSigners:        number;   // e.g. 2
  requireAllTrusted: boolean;  // every signer must be in the trust store
  requireTimestamp:  boolean;  // a valid RFC 3161 token must be present
  requireTSAUrl?:    string;   // the timestamp must come from this TSA
}

verifyWithPolicy returns structured violations, never a bare pass/fail:

const result = await verifyWithPolicy(bytes, trustStore, {
  minSigners: 2,
  requireAllTrusted: true,
  requireTimestamp: true,
});

if (!result.ok) {
  for (const v of result.violations) console.error(v);
}

Example violation:

{
  "code":   "policy.requireAllTrusted",
  "signer": "ops@acme",
  "reason": "Public key not in trust store"
}

Built-in presets

| Preset | minSigners | requireAllTrusted | requireTimestamp |
|---|---|---|---|
| Open — hobby / experiments | 0 | false | false |
| Minimal trust — internal staging | 1 | true | false |
| EU AI Act high-risk — regulated AI | 2 | true | true |
| Banking grade — finance, registered TSA | 3 | true | true (requireTSAUrl set) |

Presets are saved at .dpw/compliance/policy-presets.json and can be exported together with the trust store. User-defined presets show up in the same list as built-ins.

import { BUILTIN_POLICY_PRESETS, PolicyPresetsStore } from '@/lib/cgf';

const presets = await PolicyPresetsStore.load();
const policy  = presets.byId('eu-ai-act-high-risk');
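The verifyWithPolicy section and the presets table above, as one added example in TypeScript. This is not CGF's code: it is a reference evaluator for the TrustPolicy interface that returns violations in the structured form shown, run against the four presets. It consumes the output of the cryptographic step, modelled here as plain records (every listed signer already has a valid signature, any timestamp token already validated), so it does no crypto. Its counting rules are assumptions: a key counts once no matter how many signatures it produced, and only keys present in the trust store count toward minSigners. Only the preset id eu-ai-act-high-risk appears on this page; the other ids, the banking TSA URL, the trust store and the bundles are constructed.

```typescript
// Added example, not CGF's own code: a reference evaluator for TrustPolicy that
// returns violations in the structured form shown on this page. Input is the
// modelled output of signature/timestamp verification; no crypto happens here.

export interface TrustPolicy {
  minSigners: number;
  requireAllTrusted: boolean;
  requireTimestamp: boolean;
  requireTSAUrl?: string;
}
export type Violation = { code: string; signer?: string; reason: string };
export type PolicyResult = { ok: boolean; violations: Violation[] };

// Assumption: what the cryptographic layer hands over. Every signer listed
// has a signature that verified under `pub`; `claimedId` is whatever id the
// signature carried and is never used to decide trust.
export type VerifiedSigner = { claimedId: string; pub: string };
export type VerifiedBundle = { signers: VerifiedSigner[]; timestamp: { tsaUrl: string } | null };
export type TrustedKeys = { id: string; pub: string }[];

export function evaluatePolicy(bundle: VerifiedBundle, trusted: TrustedKeys, policy: TrustPolicy): PolicyResult {
  const violations: Violation[] = [];
  const trustedPubs = new Set(trusted.map((k) => k.pub.toLowerCase()));
  // Keys seen, by key material: one key signing twice is still one signer.
  const trustedSeen = new Set<string>();
  for (const s of bundle.signers) {
    const pub = s.pub.toLowerCase();
    if (trustedPubs.has(pub)) { trustedSeen.add(pub); continue; }
    if (policy.requireAllTrusted) {
      violations.push({ code: 'policy.requireAllTrusted', signer: s.claimedId, reason: 'Public key not in trust store' });
    }
  }
  // Assumption: only trusted keys count. An unknown key proves nothing about who signed.
  if (trustedSeen.size < policy.minSigners) {
    violations.push({ code: 'policy.minSigners', reason: `${trustedSeen.size} trusted signer(s) present, ${policy.minSigners} required` });
  }
  if (bundle.timestamp === null) {
    if (policy.requireTimestamp || policy.requireTSAUrl !== undefined) {
      violations.push({ code: 'policy.requireTimestamp', reason: 'No valid RFC 3161 timestamp token present' });
    }
  } else if (policy.requireTSAUrl !== undefined && new URL(bundle.timestamp.tsaUrl).href !== new URL(policy.requireTSAUrl).href) {
    violations.push({ code: 'policy.requireTSAUrl', reason: `Timestamp issued by ${bundle.timestamp.tsaUrl}, policy requires ${policy.requireTSAUrl}` });
  }
  return { ok: violations.length === 0, violations };
}

// The presets from the table. Only 'eu-ai-act-high-risk' is an id this page
// documents; the other ids and the banking TSA URL are placeholders.
export const PRESETS: Record<string, TrustPolicy> = {
  'open':                { minSigners: 0, requireAllTrusted: false, requireTimestamp: false },
  'minimal-trust':       { minSigners: 1, requireAllTrusted: true,  requireTimestamp: false },
  'eu-ai-act-high-risk': { minSigners: 2, requireAllTrusted: true,  requireTimestamp: true },
  'banking-grade':       { minSigners: 3, requireAllTrusted: true,  requireTimestamp: true,
                           requireTSAUrl: 'https://tsa.example.invalid/tsr' },
};

export function evaluateAllPresets(bundle: VerifiedBundle, trusted: TrustedKeys): Record<string, PolicyResult> {
  const out: Record<string, PolicyResult> = {};
  for (const id in PRESETS) out[id] = evaluatePolicy(bundle, trusted, PRESETS[id]);
  return out;
}

// Constructed trust store and bundles; the keys are not real.
export const TRUSTED: TrustedKeys = [
  { id: 'ops@acme', pub: '22'.repeat(32) },
  { id: 'alice',    pub: '11'.repeat(32) },
];
export const MIXED_BUNDLE: VerifiedBundle = {
  signers: [
    { claimedId: 'ops@acme',   pub: '22'.repeat(32) },
    { claimedId: 'ops@acme',   pub: '22'.repeat(32) }, // same key twice: counts once
    { claimedId: 'contractor', pub: '33'.repeat(32) }, // valid signature, unknown key
  ],
  timestamp: { tsaUrl: 'https://freetsa.org/tsr' },
};
export const CLEAN_BUNDLE: VerifiedBundle = {
  signers: [{ claimedId: 'ops@acme', pub: '22'.repeat(32) }, { claimedId: 'alice', pub: '11'.repeat(32) }],
  timestamp: { tsaUrl: 'https://freetsa.org/tsr' },
};

const report = evaluateAllPresets(MIXED_BUNDLE, TRUSTED);
for (const id in report) console.log(id, report[id].ok ? 'ok' : report[id].violations.map((v) => v.code).join(', '));
```

On the mixed bundle the Open preset passes, Minimal trust reports only the untrusted contractor key, EU AI Act high-risk adds a minSigners violation because the duplicated ops@acme signature is one signer, and Banking grade adds a requireTSAUrl violation on top. The counting rule matters: if every verified signature counted toward minSigners regardless of trust, minSigners without requireAllTrusted would be satisfiable by anyone able to generate keypairs, which is why every preset in the table with minSigners > 0 also sets requireAllTrusted.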

Picking a preset

| You are… | Use |
|---|---|
| building a side project | Open |
| running internal staging | Minimal trust |
| shipping under the EU AI Act | EU AI Act high-risk |
| shipping under banking regulation | Banking grade, then set requireTSAUrl to your registered TSA |

Reading next