Follow-up to #1367
docs/manifest-command-trust.md defines the model for local manifest command approval. This issue implements the storage and command surface before enforcement is wired into project command execution.
Scope
- Compute manifest command trust identity: project root, manifest path, manifest SHA-256, project name, Git root, sanitized origin, and HEAD metadata when available.
- Store allow records under ~/.base.d/trust/manifest-commands/ with schema version 1 and atomic writes.
- Add basectl trust status <project> [--workspace <path>] [--format text|json].
- Add basectl trust allow <project> [--workspace <path>] [--manifest-sha256 <sha256>].
- Add basectl trust revoke <project> [--workspace <path>].
- Include non-interactive behavior for --manifest-sha256 mismatches.
Acceptance Criteria
- Trust identity and storage are covered by Python unit tests.
- trust status --format json emits the structured payload described in the design doc.
- Allow records are written only under Base-managed local state, never inside project repositories.
- Command help and command reference are updated.
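
An added example, not Base's own code, of the allow-record write described in the scope: hash the manifest, refuse a pinned SHA-256 that no longer matches, keep the record outside the project, and write it atomically. The record field names, the one-file-per-project layout and the function names are assumptions; the design doc defines the real schema.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

SCHEMA_VERSION = 1  # "schema version 1" from the issue


def manifest_sha256(manifest: Path) -> str:
    return hashlib.sha256(manifest.read_bytes()).hexdigest()


def write_allow_record(trust_dir: Path, project_root: Path, manifest: Path,
                       expected_sha256: Optional[str] = None) -> Path:
    trust_dir, project_root = trust_dir.resolve(), project_root.resolve()
    # Allow records must never land inside the project repository.
    if trust_dir.is_relative_to(project_root):
        raise ValueError("trust store must be outside the project root")
    digest = manifest_sha256(manifest)
    # Non-interactive pinning: refuse if the manifest changed since review.
    if expected_sha256 is not None and expected_sha256.lower() != digest:
        raise ValueError(f"manifest SHA-256 mismatch: expected {expected_sha256}, got {digest}")
    record = {  # field names are assumptions, not the design doc's schema
        "schema_version": SCHEMA_VERSION,
        "project_root": str(project_root),
        "manifest_path": str(manifest.resolve()),
        "manifest_sha256": digest,
    }
    trust_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    # Assumed layout: one file per project, keyed by a hash of its root path.
    key = hashlib.sha256(str(project_root).encode()).hexdigest()
    target = trust_dir / f"{key}.json"
    # Temp file in the same directory so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=trust_dir, prefix=".tmp-", suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(record, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target
```

Because the mismatch check runs before any file is created, a failed pinned allow leaves an earlier record untouched.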