Module trust


Trust root declarations. LOADBEARING: the algorithm is a property of the key, not of the artifact. Artifacts MUST NOT carry their own algorithm claim; otherwise an attacker could downgrade by lying about which algorithm signed the bytes.

Structs

KeySlot
LOADBEARING: reject_before is the compromise kill-switch: artifacts signed before this timestamp are refused regardless of which key signed them. successor + retire_at declare a planned rotation: while now < retire_at the successor's signature is accepted (the overlap window); past retire_at the reconciler emits Action::RotateTrustRoot so the operator's tooling can promote current -> previous and successor -> current.
TrustConfig
Loaded from /etc/nixfleet/{cp,agent}/trust.json. Restart-only reload.
TrustedPubkey
algorithm is a String (not an enum) for forward compatibility. Unknown values surface as UnsupportedAlgorithm at verify time. Today: ed25519, with public as 32-byte base64 (padded).
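The KeySlot and TrustedPubkey rules above (reject_before kill-switch, successor overlap window, RotateTrustRoot past retire_at, algorithm taken from the key rather than the artifact, unknown algorithms surfacing at verify time) as an added example that is not nixfleet's own code. It assumes timestamps are unix seconds, that the artifact carries a `signed_at`, and that the real signature primitive is supplied as a closure; field names beyond those on this page are hypothetical.

```rust
// Added example, not nixfleet's own code: the KeySlot acceptance policy described on this
// page, with the signature primitive behind a closure so it runs without crypto crates.
// Assumed: timestamps are unix seconds; field names beyond the page's are hypothetical.
#[derive(Clone, Debug, PartialEq)]
pub struct TrustedPubkey { pub algorithm: String, pub public: Vec<u8> }

#[derive(Clone, Debug)]
pub struct KeySlot {
    pub current: TrustedPubkey,
    pub successor: Option<TrustedPubkey>,
    pub retire_at: Option<u64>,
    pub reject_before: u64,
}

#[derive(Debug, PartialEq)]
pub enum Action { RotateTrustRoot }

#[derive(Debug, PartialEq)]
pub enum Verdict { Accepted, Rejected(&'static str), UnsupportedAlgorithm(String) }

/// What the verifier is handed: bytes, a signature and when it was made. No algorithm field.
pub struct Artifact<'a> { pub bytes: &'a [u8], pub sig: &'a [u8], pub signed_at: u64 }

/// `verify(algorithm, public, bytes, sig)` returns None for an algorithm it does not know.
pub fn evaluate<F>(slot: &KeySlot, art: &Artifact, now: u64, verify: F) -> (Verdict, Vec<Action>)
where
    F: Fn(&str, &[u8], &[u8], &[u8]) -> Option<bool>,
{
    let mut actions = Vec::new();
    // Compromise kill-switch: refuse anything signed before reject_before, whichever key signed.
    if art.signed_at < slot.reject_before {
        return (Verdict::Rejected("signed before reject_before"), actions);
    }
    // Candidate keys: current always; successor only inside the overlap window (now < retire_at).
    let mut candidates = vec![&slot.current];
    match (&slot.successor, slot.retire_at) {
        (Some(s), Some(retire)) if now < retire => candidates.push(s),
        (Some(_), Some(_)) => actions.push(Action::RotateTrustRoot), // past retire_at
        _ => {}
    }
    // The algorithm comes from the trusted key, never from the artifact, so no downgrade is possible.
    for key in candidates {
        match verify(&key.algorithm, &key.public, art.bytes, art.sig) {
            Some(true) => return (Verdict::Accepted, actions),
            Some(false) => continue,
            None => return (Verdict::UnsupportedAlgorithm(key.algorithm.clone()), actions),
        }
    }
    (Verdict::Rejected("no trusted key verifies this signature"), actions)
}
```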