
[runtime] add remaining trust-verification v1 receipt endpoints #73

Merged: GsCommand merged 1 commit into main from codex/add-canonical-receipt-endpoints-for-trust-verification on May 20, 2026

@GsCommand
Contributor

Motivation

  • Complete runtime-backed canonical receipt coverage for Trust Verification v1 verbs beyond the existing sign endpoint so clients can obtain signed canonical receipts for all trust-verification actions.
  • Reuse the existing runtime signing configuration and makeReceipt flow to ensure canonical metadata.proof and consistent verification behavior without accepting request-provided private keys.

Description

  • Register POST /trust-verification/<verb>/v1.0.0 routes for verbs: sign, attest, authorize, approve, reject, permit, grant, authenticate, and endorse via a shared loop in server.mjs.
  • Each route enforces input shape of { payload } and returns 400 with error: "missing_payload" when missing, using the existing extractSignPayload helper.
  • Each route constructs an execution object with entry: <canonical>/trust-verification/<verb>, verb, version: "1.0.0", and class: "trust-verification", then emits a signed receipt via the existing makeReceipt flow (no request-side private key handling added). The emitted response is wrapped with wrapReceiptResponse so receipt.metadata.proof is present.
  • Updated runtime/tests/runtime-signing.test.mjs to exercise each verb for: proof presence, verb/class/version fields, proof algs (Ed25519 / SHA-256), successful /verify verification, tamper detection, and missing-payload rejection.
  • Files changed: server.mjs, runtime/tests/runtime-signing.test.mjs.

Testing

  • Ran the repository checks and test suites: npm install, npm run check, npm test, and npm run ci.
  • All automated tests passed: unit + smoke test run completed successfully (50 tests passing, 0 failures).
  • The new per-verb tests validate that receipts include metadata.proof, that execution/receipt fields reflect verb, class: "trust-verification", and version: "1.0.0", that proof.signature.alg === "Ed25519" and proof.hash.alg === "SHA-256", that /verify accepts the produced receipt, and that tampering invalidates the receipt signature.

Codex Task

Why: complete runtime-backed canonical receipt coverage for all Trust Verification v1 verbs with existing signing flow.
Contract impact: none
GsCommand merged commit 4f04106 into main on May 20, 2026
1 check passed
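
An added sketch (not code from this PR or its repository) of the behaviour the description lists: the `{ payload }` shape check, a runtime-held Ed25519 key signing a SHA-256 digest, and a verifier that rejects tampered receipts. The proof fields beyond the two `alg` values, the key-sorted JSON canonicalization, treating a null payload as missing, and all function names are assumptions.

```javascript
// Added illustration, not the project's server.mjs or makeReceipt. Assumptions: the proof
// fields beyond the two `alg` values, key-sorted JSON canonicalization, all function names.
// The crypto lookup below works whether this file is loaded as CommonJS or as an ES module.
const { generateKeyPairSync, createHash, sign, verify } =
  typeof require === "function" ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const VERBS = ["sign", "attest", "authorize", "approve", "reject",
  "permit", "grant", "authenticate", "endorse"];
// Runtime-held key pair: generated here for the demo, never taken from a request.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");

// Deterministic JSON (recursively sorted keys) so signer and verifier hash identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value && typeof value === "object") {
    const members = Object.keys(value).sort().map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value);
}

const digestOf = (obj) => createHash("sha256").update(canonicalize(obj)).digest();

// Core of a route handler: returns { status, body } the way the HTTP route would respond.
function issueReceipt(verb, requestBody) {
  if (!VERBS.includes(verb)) throw new RangeError(`unregistered verb: ${verb}`);
  if (!requestBody || requestBody.payload == null) return { status: 400, body: { error: "missing_payload" } };
  // Only `payload` is read; any other request field (such as a supplied key) is ignored.
  const signed = {
    execution: { entry: `<canonical>/trust-verification/${verb}`, verb, version: "1.0.0", class: "trust-verification" },
    payload: requestBody.payload,
  };
  const digest = digestOf(signed);
  const proof = {
    hash: { alg: "SHA-256", value: digest.toString("hex") },
    signature: { alg: "Ed25519", value: sign(null, digest, privateKey).toString("base64") },
  };
  return { status: 200, body: { receipt: { ...signed, metadata: { proof } } } };
}

// Verifier: pin both algorithms, recompute the digest from the receipt contents, then check the signature.
function verifyReceipt(receipt, key = publicKey) {
  const proof = receipt?.metadata?.proof;
  if (proof?.signature?.alg !== "Ed25519" || proof?.hash?.alg !== "SHA-256") return false;
  const digest = digestOf({ execution: receipt.execution, payload: receipt.payload });
  if (digest.toString("hex") !== proof.hash.value) return false;
  return verify(null, digest, key, Buffer.from(String(proof.signature.value), "base64"));
}
```

Recomputing the digest in the verifier, rather than trusting `proof.hash.value`, is what makes a receipt fail even when an editor of the payload also rewrites the stored hash.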