Trust State

Trust state as an authoritative resource

Trust state is authoritative control-plane state, not cache state and not hint state (per TP-001). Trust transitions are durable events and are reconstructable from event history (per TP-004).

Per-boundary independence

Trust is tracked independently per boundary type:

• tool
• path scope
• specialist
• provider
• workflow class

Trust does not transfer across boundaries (per TP-003).

State transitions

Transition rules:

• every new boundary starts untrusted (per GP-005)
• trust accumulates through policy-defined evidence classes over time (per TP-002)
• each mutation emits trust transition events and increments record version (per TP-004)
• first violation resets affected boundary to untrusted immediately, with no grace period (per TP-006a)

Persistence model

Trust records are persisted in the control-plane event-sourced store and survive process restarts (per TP-001, trust_state_persistence_spec.md §6).

Cross-session behavior:

• stable boundaries retain trust continuity across sessions (per TP-002)
• session-scoped specialist trust is revoked at session end (per TP-008)

Stale records and policy interaction

Trust records embed policy version used for evaluation. Policy upgrades can require trust re-evaluation or demotion where tier boundaries change (per TP-007, trust_state_persistence_spec.md §16).

Stale records are handled explicitly, including policy incompatibility and unresolvable boundary identity cases (trust_state_persistence_spec.md §10.3).

Trust revocation conditions

Trust revocation triggers include (trust_state_persistence_spec.md §12):

• trust violation (automatic immediate revocation)
• policy-triggered revocation after version changes
• operator-initiated revocation by boundary

syndicate trust list
syndicate trust grant <boundary-id>
syndicate trust revoke <boundary-id> --reason "<reason>"