v0.32.0 — the authenticated multi-principal brain

Turns the deferred multi-principal items from the 0.31.0 brain audit into real controls, so a shared remote brain can be trusted across principals — not just one local operator. Closes the deferred Findings 3 & 4.

Highlights

• Authenticated principals. A principal is an ed25519 keypair whose key_id IS its identity (verel.memory.Principal). A write is signed; the server derives author from the verified key — so you can't author as someone else, and AuthorTrust can't be forged/inflated/impersonated (Finding 3).
• Trust-weighted recall. rank() folds in the trust tier — a verified memory edges out an equally-relevant candidate, so a poisoned candidate can't outrank a verified fact (Finding 4).
• Hosted wiring. MemoryServer(trusted_principals=…) + /write_signed (RemoteMemory.remember_signed); the verbatim replication channel (/apply,/replicate) requires a separate cluster credential (X-Cluster-Token), not the client bearer.

Security — 7-round adversarial red-team (7th clean)

Secure-by-default signed-writes mode (a bearer connects + reads, but only signed writes author; raw /write + all trust-mutation endpoints refused); a structural backstop so a client FACT can never supersede a server-managed non-FACT record (failure ledger, skills, induced rules/schemas) + a reserved-predicate/scope denylist for the one FACT-kind control record; verified beliefs can't be overwritten or reattributed by a peer; graduate() stamps a collective author so a pre-empted key can't forge authorship of team knowledge.

Residuals (honest): cross-principal verified tier still candidate-only (deferred); no TLS on a routable bind (non-loopback refuses without a token); the FACT-kind reserved-predicate denylist is a per-name maintenance obligation.

413-test suite; ruff + mypy clean. pip install "verel[attest]" for the principal layer.