Feat/vouch trust

[claytonlin1110]

What changed

Every dict-shaped kb.* response now includes read-only _meta.vouch_trust: {remote, caller_kind, auth_subject}. A new src/vouch/trust.py module holds the trust model and contextvar wiring; JSONL (handle_request), MCP tools (wrapper on all FastMCP tools), HTTP /rpc and /mcp, and CLI --json output each set the appropriate preset before dispatch. README documents the block under the JSONL request/response section; CHANGELOG.md updated under [Unreleased].

Why

Clients need to know the trust state a call was evaluated under — especially when they are talking to a remote, bearer-gated HTTP deployment rather than a local stdio MCP session. This mirrors gbrain's server-attached _meta pattern: opt-in to render, never authoritative over the KB payload. Closes #233.

What might break

No on-disk layout changes. No review-gate or audit-log changes.

Wire-shape nuance: array-shaped read results (kb.list_claims, kb.audit, etc.) are unchanged — arrays cannot carry _meta inline, so trust metadata applies to dict-shaped results only. Clients that assumed result was always a bare array are unaffected; clients that parse _meta on dict responses will see a new sibling field under _meta.vouch_trust.

VEP

Not required — additive response metadata only; no new kb.* methods, no object-model or on-disk changes.

Tests

• make check passes locally (lint + mypy + pytest)
• New / changed behaviour has a test (tests/test_trust.py — JSONL read coverage, MCP HTTP/stdio presets, CLI --json, bearer fingerprint)
• CHANGELOG.md updated under ## [Unreleased]

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fe59f7d6-3a6b-42ac-98cc-e5d3532516ed

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[plind-junior]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d6fe1f2157

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[claytonlin1110]

@plind-junior please review