chore(v-ecosystem): RSR compliance + Trustfiles + docs for all v-api-interfaces modules

- Added SPDX headers to v-rest/v-graphql/v-grpc src/abi/Types.idr (were missing)
- Added validated_status() bounds-checking wrapper around unsafe http.Status
  casts in all 8 V source files (v-rest, v-graphql, v-grpc, v-jsonrpc, v-trpc,
  verisimdb-rest, verisimdb-graphql, verisimdb-grpc)
- Created contractiles/Trustfile.a2ml for all 12 protocol modules with
  module-specific threat models, invariant checks, and recovery strategies
- Created README.md for verisimdb-graphql and verisimdb-grpc (were missing)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

v-ecosystem/v-api-interfaces/v-capnproto/contractiles/Trustfile.a2ml

@@ -0,0 +1,20 @@
+# Trustfile.a2ml -- v-capnproto
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Contractile trust specification for the v-capnproto protocol module.
+# Evaluated by the contractile-cli (must/trust/dust/intend/k9) toolchain.
+
+[trust]
+post-quantum-keys = "pending"
+threat-model = "network-facing-binary"
+formal-verification = "idris2-abi"
+audit-status = "unaudited"
+
+[must]
+invariant-checks = ["input-validation", "bounds-checking", "utf8-validation", "segment-bounds-checking", "pointer-traversal-limit"]
+build-contract = "v build src/"
+
+[dust]
+recovery = "reconnect-with-backoff"
+rollback = "discard-segment-and-retry"

v-ecosystem/v-api-interfaces/v-graphql/contractiles/Trustfile.a2ml

@@ -0,0 +1,20 @@
+# Trustfile.a2ml -- v-graphql
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Contractile trust specification for the v-graphql protocol module.
+# Evaluated by the contractile-cli (must/trust/dust/intend/k9) toolchain.
+
+[trust]
+post-quantum-keys = "pending"
+threat-model = "network-facing-query"
+formal-verification = "idris2-abi"
+audit-status = "unaudited"
+
+[must]
+invariant-checks = ["input-validation", "bounds-checking", "utf8-validation", "query-depth-limit", "introspection-control"]
+build-contract = "v build src/"
+
+[dust]
+recovery = "retry-with-partial-data"
+rollback = "return-error-response"

v-ecosystem/v-api-interfaces/v-graphql/src/abi/Types.idr

@@ -1,3 +1,6 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+--
 module VApi.ABI.Types
 
 import Data.Bits

v-ecosystem/v-api-interfaces/v-graphql/src/graphql.v

@@ -261,9 +261,19 @@ fn gnosis_health() GnosisHealthResult {
 
 // --- Helpers ---
 
+// validated_status converts an integer HTTP status code to http.Status
+// with bounds checking to avoid unsafe casts.
+fn validated_status(code int) http.Status {
+	// HTTP status codes are 100-599; default to 200 OK if out of range.
+	if code >= 100 && code <= 599 {
+		return unsafe { http.Status(code) }
+	}
+	return .ok
+}
+
 fn json_response(status_code int, body string) http.Response {
 	return http.new_response(
-		status: unsafe { http.Status(status_code) }
+		status: validated_status(status_code)
 		header: http.new_header(key: .content_type, value: 'application/json')
 		body: body
 	)

v-ecosystem/v-api-interfaces/v-grpc/contractiles/Trustfile.a2ml

@@ -0,0 +1,20 @@
+# Trustfile.a2ml -- v-grpc
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Contractile trust specification for the v-grpc protocol module.
+# Evaluated by the contractile-cli (must/trust/dust/intend/k9) toolchain.
+
+[trust]
+post-quantum-keys = "pending"
+threat-model = "network-facing-rpc"
+formal-verification = "idris2-abi"
+audit-status = "unaudited"
+
+[must]
+invariant-checks = ["input-validation", "bounds-checking", "utf8-validation", "message-size-limit", "metadata-validation"]
+build-contract = "v build src/"
+
+[dust]
+recovery = "retry-with-backoff"
+rollback = "return-status-error"

v-ecosystem/v-api-interfaces/v-grpc/src/abi/Types.idr

@@ -1,3 +1,6 @@
+-- SPDX-License-Identifier: PMPL-1.0-or-later
+-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+--
 module VApi.ABI.Types
 
 import Data.Bits

v-ecosystem/v-api-interfaces/v-grpc/src/grpc.v

@@ -271,9 +271,19 @@ fn gnosis_health() GnosisHealthResult {
 
 // --- Helpers ---
 
+// validated_status converts an integer HTTP status code to http.Status
+// with bounds checking to avoid unsafe casts.
+fn validated_status(code int) http.Status {
+	// HTTP status codes are 100-599; default to 200 OK if out of range.
+	if code >= 100 && code <= 599 {
+		return unsafe { http.Status(code) }
+	}
+	return .ok
+}
+
 fn grpc_response(status_code int, body string) http.Response {
 	return http.new_response(
-		status: unsafe { http.Status(status_code) }
+		status: validated_status(status_code)
 		header: http.new_header(key: .content_type, value: 'application/grpc+json')
 		body: body
 	)

v-ecosystem/v-api-interfaces/v-jsonrpc/contractiles/Trustfile.a2ml

@@ -0,0 +1,20 @@
+# Trustfile.a2ml -- v-jsonrpc
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Contractile trust specification for the v-jsonrpc protocol module.
+# Evaluated by the contractile-cli (must/trust/dust/intend/k9) toolchain.
+
+[trust]
+post-quantum-keys = "pending"
+threat-model = "network-facing-rpc"
+formal-verification = "idris2-abi"
+audit-status = "unaudited"
+
+[must]
+invariant-checks = ["input-validation", "bounds-checking", "utf8-validation", "json-schema-validation", "id-deduplication"]
+build-contract = "v build src/"
+
+[dust]
+recovery = "retry-with-id-dedup"
+rollback = "return-error-response"

v-ecosystem/v-api-interfaces/v-jsonrpc/src/jsonrpc.v

@@ -185,6 +185,16 @@ pub fn (s Server) start() {
 
 // --- Helpers ---
 
+// validated_status converts an integer HTTP status code to http.Status
+// with bounds checking to avoid unsafe casts.
+fn validated_status(code int) http.Status {
+	// HTTP status codes are 100-599; default to 200 OK if out of range.
+	if code >= 100 && code <= 599 {
+		return unsafe { http.Status(code) }
+	}
+	return .ok
+}
+
 fn error_response(id json.Any, code int, message string) Response {
 	return Response{
 		id: id
@@ -209,7 +219,7 @@ fn encode_response(resp Response) string {
 
 fn json_resp(status_code int, body string) http.Response {
 	return http.new_response(
-		status: unsafe { http.Status(status_code) }
+		status: validated_status(status_code)
 		header: http.new_header(key: .content_type, value: 'application/json')
 		body: body
 	)

v-ecosystem/v-api-interfaces/v-mqtt/contractiles/Trustfile.a2ml

@@ -0,0 +1,20 @@
+# Trustfile.a2ml -- v-mqtt
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Contractile trust specification for the v-mqtt protocol module.
+# Evaluated by the contractile-cli (must/trust/dust/intend/k9) toolchain.
+
+[trust]
+post-quantum-keys = "pending"
+threat-model = "network-facing-pubsub"
+formal-verification = "idris2-abi"
+audit-status = "unaudited"
+
+[must]
+invariant-checks = ["input-validation", "bounds-checking", "utf8-validation", "topic-filter-validation", "qos-level-bounds"]
+build-contract = "v build src/"
+
+[dust]
+recovery = "reconnect-with-backoff"
+rollback = "close-and-reopen"