chore(docs): standardize public messaging and claims boundary

[chrismaz11]

Standardizes canonical public messaging language and claims-boundary framing across README and boundary/security docs.\n\nScope:\n- README product-intro canonicalization\n- public security summary opening section normalization\n- public/private boundary responsibility wording update\n\nNo code-path or runtime behavior changes.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
trustsignal	Ready	Preview, Comment	Mar 27, 2026 6:08pm

In general, to fix “password hash with insufficient computational effort,” replace fast hash constructions (like md5, sha1, sha256 / HMAC alone) with a password hashing / key‑derivation function designed to be slow and optionally memory‑hard, such as bcrypt, scrypt, PBKDF2, or Argon2. These functions drastically increase the cost of offline guessing attacks if the derived values are exposed.

For this specific code, the best fix with minimal behavioral change is:

• Keep the idea of a deterministic API‑key fingerprint, but derive it using a KDF that supports configurable iterations, such as crypto.pbkdf2Sync with HMAC‑SHA256.
• Use the existing secret (API_KEY_FINGERPRINT_SECRET or the development fallback) as the PBKDF2 salt input, and the API key as the password input.
• Configure a modest but non‑trivial iteration count that is acceptable for this use (for example 100,000) and a small output length (e.g., 16 bytes, then hex‑encode and slice to 16 characters to preserve the current external representation size).
• Keep the return type and shape the same (a 16‑character hex string) so that callers (requireApiKeyScope and getApiRateLimitKey) continue to work without further changes.

Concretely, in apps/api/src/security.ts:

• Add pbkdf2Sync to the existing import from node:crypto.
• Update fingerprintApiKey to use pbkdf2Sync instead of createHmac. The function will still return a 16‑char hex string, but now derived using PBKDF2 with sufficient iterations.

No other files or call sites need functional changes.

---

In general, the problem is that the script-removal regex only matches </script> with no trailing whitespace or attributes. To fix this while keeping the behavior the same otherwise, expand the closing-tag part of the regex to allow optional whitespace and attributes before the closing >. We should also keep it case-insensitive and non-greedy, as in the original.

The best minimal change is to adjust only the first .replace in stripHtml:

• From: /\<script[\s\S]*?<\/script>/gi
• To: /\<script\b[\s\S]*?<\/script\b[^>]*>/gi

Changes:

• Add \b after script in the opening tag to avoid matching longer words.
• Change the closing tag to </script\b[^>]*> to permit variants such as </script >, </script foo="bar">, and with odd spacing, which browsers accept.

We keep all other replacements intact. No new imports or external libraries are required, and we stay within apps/api/src/services/registryAdapters.ts, modifying only the lines shown.

[Copilot]

Pull request overview

This PR broadly rebrands “Deed Shield” surfaces to “TrustSignal” across documentation, packages, demos, and ops artifacts, while also introducing several substantive runtime/security/registry and circuit-proof changes (despite the PR description claiming docs-only scope).

Changes:

• Rebrand identifiers and public-facing messaging across docs, packages, demo UI, and monitoring artifacts.
• Update API/server behavior: revocation pre-handler, API-key fingerprinting, rate-limit configuration, env loading changes, and expanded registry adapter/snapshot logic with new tests and schema/db updates.
• Add/adjust repo guardrails and CI/security workflows (Trivy, dependency review, zizmor) plus CODEOWNERS and gitignore updates.

Reviewed changes

Copilot reviewed 62 out of 66 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
trustsignal_tests.sh	Adds a bash-based API test runner for ingest/verify flows.
src/routes/verify.ts	Adds per-route rate limiting config for /v1/verify-bundle.
src/api/verify.js	Rebrands legacy demo HTML title/header.
sdk/index.ts	Replaces regex trailing-slash removal with a helper function.
packages/core/src/receiptSigner.test.ts	Updates tests to use trustsignal verifierId.
packages/core/src/receipt.ts	Changes default verifierId to trustsignal.
packages/core/package.json	Renames package scope to @trustsignal/core.
packages/contracts/package.json	Renames package scope to @trustsignal/contracts.
packages/README.md	Updates workspace package naming guidance.
package.json	Renames repo/package name to trustsignal.
package-lock.json	Updates workspace names and links for renamed packages.
ml/model/pycache/common.cpython-314.pyc	Adds a Python bytecode artifact (should be excluded).
docs/security-summary.md	Rewrites public security summary opening + audience section.
docs/public-private-boundary.md	Updates public/private boundary framing and guardrails text.
docs/partner-eval/integration-model.md	Updates wording from DeedShield to TrustSignal surface.
docs/ops/monitoring/grafana-dashboard-deedshield-api.json	Rebrands dashboard title.
docs/ops/monitoring/alert-rules.yml	Rebrands alert names (expressions remain deedshield-prefixed).
docs/ops/monitoring/README.md	Rebrands monitoring README wording.
docs/legal/terms-of-service.md	Updates product/module naming in legal terms.
docs/legal/privacy-policy.md	Updates naming and scope wording.
docs/legal/pilot-agreement.md	Updates pilot program naming.
docs/legal/cookie-policy.md	Updates naming for cookie policy.
docs/final/14_VANTA_INTEGRATION_USE_CASE.md	Rebrands “module” fields and vertical naming.
docs/final/11_NSF_GRANT_WHITEPAPER.md	Removes DeedShield wedge naming from abstract.
docs/final/10_INCIDENT_ESCALATION_AND_SLO_BASELINE.md	Rebrands scope statement.
docs/final/01_EXECUTIVE_SUMMARY.md	Rebrands title and product-position language.
docs/customer/pilot-handbook.md	Rebrands pilot handbook welcome text.
docs/compliance/kpmg-evidence-index.md	Adds machine-generated evidence index doc.
docs/compliance/kpmg-enterprise-readiness-validation-report.md	Adds machine-generated readiness validation report.
docs/compliance/kpmg-enterprise-audit-runbook.md	Adds audit runbook for diligence execution.
docs/IT_INSTALLATION_MANUAL.md	Rebrands installation manual and PRIA mapping language.
docs/IMPLEMENTATION_PLAN_PASSIVE_INSPECTOR.md	Rebrands watcher plan references + package scope.
docs/CANONICAL_MESSAGING.md	Adjusts canonical messaging guidance wording.
circuits/non_mem_gadget/src/revocation.rs	Switches revocation prove path to shared proof helper.
circuits/non_mem_gadget/src/lib.rs	Replaces MockProver with create/verify proof flow helper.
bench/run-bench.ts	Updates benchmark receipt builder verifierId.
apps/web/src/contexts/OperatorContext.tsx	Migrates localStorage key from deed-shield to trustsignal.
apps/web/src/app/verify-artifact/page.tsx	Replaces page with redirect alias to /verify.
apps/web/package.json	Renames package to @trustsignal/web.
apps/watcher/src/index.js	Rebrands watcher log strings and notification titles.
apps/api/src/services/registryAdapters.ts	Expands registry sources, adds snapshots, new provider types, job metadata, and test hooks.
apps/api/src/services/compliance.ts	Updates/duplicates system prompt wording.
apps/api/src/server.ts	Rebrands verifierId/service name, refactors revocation auth handling, adjusts per-route rate limit config.
apps/api/src/security.ts	Switches API-key fingerprinting to HMAC + adds revocation auth context typing.
apps/api/src/security-hardening.test.ts	Adds stronger revocation negative/edge-case coverage.
apps/api/src/registryLoader.test.ts	Updates imports to @trustsignal/core.
apps/api/src/registry-adapters.test.ts	Expands expected registry source IDs list.
apps/api/src/registry-adapters-new-sources.test.ts	Adds new test coverage for new registry sources and snapshot behavior.
apps/api/src/env.ts	Switches env loading to dotenv + expands DB URL resolution logic.
apps/api/src/db.ts	Adds DB columns for accessType/jobType/snapshot metadata.
apps/api/prisma/schema.prisma	Adds Prisma fields for RegistrySource/accessType and RegistryOracleJob metadata.
apps/api/package.json	Renames package and updates core dependency scope.
apps/api/SETUP.md	Rebrands setup doc and docker container naming.
apps/api/.env.example	Adds env vars for new registry sources + snapshot dir.
USER_MANUAL.md	Rebrands user manual language.
SECURITY_CHECKLIST.md	Rebrands checklist title and references.
README.md	Rewrites intro and updates links/auth guidance (now claims bearer-token flow).
.gitignore	Adds Python cache/pyc ignore patterns.
.github/workflows/zizmor.yml	Adds zizmor advisory workflow audit job.
.github/workflows/trivy.yml	Adds Trivy filesystem scanning with SARIF upload.
.github/workflows/main.yml	Pins checkout action and adds minimal permissions block.
.github/workflows/dependency-review.yml	Adds dependency diff review workflow.
.github/workflows/copilotsetupsteps.yml	Pins actions and adds workflow permissions.
.github/workflows/ci.yml	Pins actions and adds workflow permissions.
.github/CODEOWNERS	Adds CODEOWNERS entries for repo areas.

Comments suppressed due to low confidence (1)

docs/ops/monitoring/alert-rules.yml:77

• Alert names were rebranded to TrustSignal*, but the rule expressions and labels still reference deedshield_* metrics and service: deedshield-api. If the intent is a full rename, these should be updated together (or keep the legacy alert names) to avoid confusion and broken alerting when metric/service naming diverges.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test script hard-codes an API key value in-repo. Even if this is a non-production key, committing it risks accidental reuse and will trigger secret scanners. Prefer reading API_KEY from the environment (or prompting) and fail with a clear message when it’s missing.

[Copilot]

The README’s curl example uses Authorization: Bearer $TRUSTSIGNAL_ACCESS_TOKEN, but the /api/v1/verify route in apps/api/src/server.ts is guarded by requireApiKeyScope (expects x-api-key). Either update the docs back to x-api-key for this API surface, or implement bearer-token auth in the server so the example matches reality.

[Copilot]

For snapshot-backed sources, buildMatches(subject, snapshot.candidates) is computed twice (once to determine status and again for the returned matches). This repeats scoring/sorting work unnecessarily; compute it once and reuse the result for both status and matches.

Suggested change

	return {
	status: buildMatches(subject, snapshot.candidates).length > 0 ? 'MATCH' : 'NO_MATCH',
	matches: buildMatches(subject, snapshot.candidates),
	const matches = buildMatches(subject, snapshot.candidates);
	return {
	status: matches.length > 0 ? 'MATCH' : 'NO_MATCH',
	matches,

[Copilot]

The default snapshot directory is derived from __dirname. This will resolve to different locations when running via tsx (src) vs node dist (dist), which can lead to snapshots being written under dist/ in production. Prefer a stable default like process.cwd() (still overridable via REGISTRY_SNAPSHOT_DIR) so snapshot storage is consistent across run modes.

[Copilot]

The Cook County system prompt now contains two consecutive sentences starting with “You are an AI assistant integrated into TrustSignal...” with slightly different product descriptions. This duplication is likely accidental and can dilute prompt clarity; keep a single canonical version.

Suggested change

You are an AI assistant integrated into TrustSignal, an evidence verification and title workflow automation platform. Your primary responsibility is to validate real estate documents against Cook County Clerk's Office recording requirements and identify policy mismatches before submission.

[Copilot]

This report includes absolute local paths (e.g., /Users/.../coverage/coverage-summary.json). These paths won’t exist for other readers and may leak workstation details; prefer repo-relative paths or describe outputs in a location-agnostic way.

[Copilot]

PR description says this is docs-only with no runtime changes, but this PR includes substantive code-path changes (API auth/rate limiting/registry adapters, Rust proof generation, package renames). Please update the PR title/description/scope or split into smaller PRs so reviewers can assess runtime impact appropriately.

[Copilot]

This doc references npm run check:api-boundary, but there doesn’t appear to be any script/command with that name in the repo. Either add the script (and describe where it lives) or adjust the guardrails section to reference an actual enforced check so readers don’t assume a protection exists when it doesn’t.

[Copilot]

This file contains absolute local machine paths (e.g., /Users/...) which are not portable and leak developer workstation details into the repo. Replace with repo-relative links/paths (or remove the path references) so the document is usable for external reviewers.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e4bffa380f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve legacy verifierId when hydrating stored receipts

Changing the reconstructed verifierId to trustsignal for every row breaks verification of receipts created before the rebrand (which were signed with deed-shield). verifyStoredReceipt recomputes the unsigned payload hash/signature from this reconstructed object, so historical records will now fail integrity/signature checks even though the stored receipt data is otherwise unchanged.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Assign raw Supabase password instead of encoded string

In the Supabase pooler fallback path, URL.password is being set to encodeURIComponent(supabasePassword), but URL.password already handles percent-encoding. This double-encodes credentials containing reserved characters (for example % becoming %25 again), which produces an invalid DATABASE_URL and can cause authentication failures when connecting to Postgres.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep /verify-artifact mapped to artifact verification UI

This redirect removes the dedicated artifact-verification flow from /verify-artifact and sends users to /verify, which is a different bundle-verification path. Since ArtifactVerifyClient is no longer mounted by any page, existing links/bookmarks for local artifact fingerprint verification now lose that functionality.

Useful? React with 👍 / 👎.

In general, to fix missing rate limiting on an authorization-related route in a Fastify app, you configure the @fastify/rate-limit plugin globally (already present in this project) and add per-route config.rateLimit settings so that expensive or security-sensitive handlers cannot be abused via high request volumes. Here, we should add a rateLimit configuration to the /api/v1/auth/logout route, similar in spirit to the existing login rate limit on /api/v1/auth/login, but with appropriately relaxed limits since logout is cheaper.

Concretely, in apps/api/src/server.ts, locate the app.post('/api/v1/auth/logout', async (request, reply) => { ... }); definition around lines 1693–1709. Change this route definition to use the Fastify options object form with a config property that specifies a rateLimit block, analogous to the login handler above. For example, we can allow a higher volume of logouts (e.g., max: 60 per minute per IP) to avoid impacting normal users while still mitigating abuse. The plugin import already exists (import rateLimit from '@fastify/rate-limit';), and no new helper methods are needed; we only add the route-level configuration object between the path string and the async handler. No other files or lines need to be modified.

In general, the problem is fixed by applying appropriate rate limiting to HTTP handlers that perform authorization or other expensive operations, so that a single client cannot overwhelm the service with repeated requests. This project already uses Fastify’s @fastify/rate-limit plugin and defines a perApiKeyRateLimit configuration that is applied to other sensitive routes; the best fix is to apply the same pattern to the OAuth consent POST route.

Concretely, in apps/api/src/server.ts, locate the app.post('/api/v1/oauth/authorize/consent', ...) definition around line 1819. Currently it is declared with only the URL and the handler function. We should change it to use the object‑form route options, adding config: { rateLimit: perApiKeyRateLimit } (or another appropriate limiter that is already defined in this file) so that Fastify’s rate‑limit plugin will enforce limits on this endpoint. The project already imports and uses rateLimit and perApiKeyRateLimit elsewhere (e.g., for /api/v1/clients/:clientId/keys), so no new imports or helper definitions are required—just adding the config property to this route’s options.

This keeps existing functionality and behavior intact: the handler logic remains unchanged; we only add metadata for Fastify’s route options. All listed alert variants (1–1e) are addressed because they refer to calls within this same handler, and rate limiting at the route level protects all of them.

In general, to fix missing rate limiting on a security‑sensitive route in a Fastify app, you ensure that: (1) the @fastify/rate-limit plugin is registered on the Fastify instance; and (2) the route is configured with an appropriate config.rateLimit or included within a rate‑limited scope. For consistency and least surprise, it’s best to reuse an existing, well‑vetted rate‑limit policy (such as perApiKeyRateLimit) that is already used for other OAuth‑related endpoints in this file.

For this specific code, the /api/v1/token route already has a custom, per‑IP rate limit configuration. Other OAuth endpoints nearby (/api/v1/introspect, /api/v1/clients/:clientId/revoke) use config: { rateLimit: perApiKeyRateLimit }, which is likely the intended policy for authenticated API clients. To fix the CodeQL finding and align with existing security patterns without changing semantics elsewhere, we should replace the ad‑hoc rateLimit configuration on /api/v1/token with perApiKeyRateLimit. This keeps behavior coherent and guarantees that the handler is clearly rate‑limited in the same way as related authorization endpoints.

Concretely:

• In apps/api/src/server.ts, locate the app.post('/api/v1/token', { config: { rateLimit: { ... } } }, ...) definition around line 2133.
• Replace the inner rateLimit object (max/timeWindow/keyGenerator) with perApiKeyRateLimit, matching how /api/v1/introspect and /api/v1/clients/:clientId/revoke are configured.
• No new imports or helpers are needed because perApiKeyRateLimit is already in scope and used in this file.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0ef74a34bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require auth on client lookup endpoint

This route is publicly reachable and returns client IDs/scopes for any userEmail query, so an unauthenticated caller can enumerate another tenant’s registered clients just by knowing or guessing an email address. Given that other client-management routes enforce API-key ownership checks, leaving GET /api/v1/clients unauthenticated creates an avoidable data-exposure path and weakens least-privilege controls.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Remove committed API key from test script

A concrete API key value is hardcoded in-repo, which risks credential leakage and accidental unauthorized use if the token is valid in any environment. Even if intended for testing, committing a real-looking secret violates secret-handling controls and should be replaced with an environment variable or placeholder so no sensitive token is stored in source history.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Provide access-token config before issuing tokens

The token endpoint now passes securityConfig.accessTokens into issueAccessToken, but buildSecurityConfig (in apps/api/src/security.ts) does not construct an accessTokens field, so this value is undefined. As soon as a valid OAuth flow reaches token issuance, issueAccessToken dereferences input.accessTokenConfig.current and fails, turning successful authorization-code/client-credentials exchanges into server errors.

Useful? React with 👍 / 👎.