v0.6.0, tagged 08 Jun 21:26
The authenticated server-to-server write path, shape A: track stays a library;
the verified caller (the sentropic platform API / the h2a bridge — which already
verified the OIDC JWT or the NHI Ed25519 signature) constructs a signed
IngestContext and calls the SAME ingest(). Track RECORDS the attestation; it
NEVER verifies — record-only and h2a-free. No network service, no new
dependency.
Provenance widened additively:
- auth += 'signed' (means "a verifiable attestation was recorded", NOT "track verified it" — owner-ratified semantics, documented),
- transport += 'http' (records the caller's origin channel; track hosts no HTTP),
- principal? (NHI id / JWT sub) + sig?:{alg,value,by} (mirrors h2a H2ASignature; recorded for audit, not a signature over the EventCore, not a bearer token).
BINDING_AUTH already admitted 'signed', so a signed channel may perform binding
writes with no ingest change — and workspace containment still applies (signed
is not a bypass). The prov snapshot now deep-clones the nested sig
(structuredClone), preserving D3's inert-snapshot guarantee against a caller
mutating sig after construction. The recorded sig lives inside the hashed core,
so a tampered attestation surfaces as a content-hash finding.
Frozen contract intact: payload/enum-only on the existing optional prov field;
old events hash byte-identically. CLI unchanged (signed contexts are built
programmatically by the caller). Double-reviewed (Codex + Opus, both SHIP):
docs/reviews/lot-B-m3-{codex,opus}.md.
Release 0.6.0.