feat: close 5 remaining beads — discovery, codegen, trust config

bd-36b: Extraction codegen now emits real dsl::extract::extract() calls
        instead of placeholder values. Generated code constructs
        ExtractSection structs and passes them to the extract function.

bd-1zj: Content hash codegen now emits dsl::content_hash::content_hash()
        calls over extracted data. Generated code passes the extracted
        HashMap and the configured 'over' field names.

bd-1kv: Generated Cargo.toml uses version-based dependency
        (fingerprint = { version = "0.1.0" }) instead of path = "../.."
        so compiled crates build from any directory.

bd-28w: discover_installed() scans ~/.fingerprint/definitions/ for
        .fp.yaml files and wraps each in a DslFingerprint that implements
        the Fingerprint trait via evaluate_named_assertions + extract +
        content_hash at runtime. Wired into build_registry(). Override
        scan directory with FINGERPRINT_DEFINITIONS env var.

bd-3g1: Trust allowlist loaded from ~/.fingerprint/trust.yaml (user)
        and .fingerprint/trust.yaml (project). Supports wildcard
        matching (e.g. "installed:*"). Refusal message now shows the
        exact trust.yaml entry to add. Override with FINGERPRINT_TRUST
        env var.

All 204 unit tests + all integration/smoke/golden tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Zac

.beads/issues.jsonl

@@ -203,36 +203,79 @@ fn generate_extracted_code(extract: &[ExtractSection]) -> String {
         return "            None".to_string();
     }
 
-    let mut code_lines = vec!["            let mut extracted = HashMap::new();".to_string()];
-
+    let mut section_inits = Vec::new();
     for section in extract {
-        code_lines.push(format!(
-            r#"            // Extract section: {}
-            // TODO: Implement extraction for type: {}
-            extracted.insert("{}.to_owned(), json!("extracted_placeholder"));"#,
-            section.name, section.r#type, section.name
+        section_inits.push(format!(
+            r#"                fingerprint::dsl::parser::ExtractSection {{
+                    name: {name}.to_owned(),
+                    r#type: {typ}.to_owned(),
+                    sheet: {sheet},
+                    range: {range},
+                    anchor_heading: {anchor_heading},
+                    index: {index},
+                    anchor: {anchor},
+                    pattern: {pattern},
+                    within_chars: {within_chars},
+                }}"#,
+            name = format_args!("{:?}", section.name),
+            typ = format_args!("{:?}", section.r#type),
+            sheet = codegen_option_string(section.sheet.as_deref()),
+            range = codegen_option_string(section.range.as_deref()),
+            anchor_heading = codegen_option_string(section.anchor_heading.as_deref()),
+            index = codegen_option_display(section.index),
+            anchor = codegen_option_string(section.anchor.as_deref()),
+            pattern = codegen_option_string(section.pattern.as_deref()),
+            within_chars = codegen_option_display(section.within_chars),
         ));
     }
 
-    code_lines.push("            Some(extracted)".to_string());
-    code_lines.join("\n")
+    format!(
+        r#"            let sections = vec![
+{sections}
+            ];
+            match fingerprint::dsl::extract::extract(doc, &sections) {{
+                Ok(map) => Some(map),
+                Err(_) => None,
+            }}"#,
+        sections = section_inits.join(",\n"),
+    )
 }
 
 /// Generate code for content hash computation.
 fn generate_content_hash_code(content_hash: &Option<ContentHashConfig>) -> String {
     match content_hash {
         Some(config) => {
+            let over_entries: Vec<String> = config
+                .over
+                .iter()
+                .map(|name| format!("{:?}.to_owned()", name))
+                .collect();
             format!(
-                r#"            // Content hash over fields: {:?}
-            // TODO: Implement {} content hash computation
-            Some("{}:placeholder".to_owned())"#,
-                config.over, config.algorithm, config.algorithm
+                r#"            let over = vec![{over}];
+            extracted.as_ref().map(|ext| fingerprint::dsl::content_hash::content_hash(ext, &over))"#,
+                over = over_entries.join(", "),
             )
         }
         None => "            None".to_string(),
     }
 }
 
+/// Generate Rust source for `Option<String>` — `Some("value".to_owned())` or `None`.
+fn codegen_option_string(value: Option<&str>) -> String {
+    match value {
+        Some(s) => format!("Some({:?}.to_owned())", s),
+        None => "None".to_owned(),
+    }
+}
+
+/// Generate Rust source for `Option<T: Display>` — `Some(42)` or `None`.
+fn codegen_option_display<T: std::fmt::Display>(value: Option<T>) -> String {
+    match value {
+        Some(v) => format!("Some({})", v),
+        None => "None".to_owned(),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/compile/codegen.rs

@@ -59,7 +59,7 @@ description = "{description}"
 # Source: DSL definition for {fingerprint_id}
 
 [dependencies]
-fingerprint = {{ path = "../.." }}
+fingerprint = {{ version = "{compiler_version}" }}
 serde_json = "1.0"
 
 [lib]

src/compile/crate_gen.rs

@@ -413,6 +413,57 @@ fn handle_run_mode(cli: cli::Cli) -> u8 {
     outcome.exit_code()
 }
 
+/// Trust configuration file format (YAML).
+#[derive(serde::Deserialize, Default)]
+struct TrustConfig {
+    #[serde(default)]
+    trust: Vec<String>,
+}
+
+/// Load trust allowlist from config files.
+///
+/// Searches (in order, merging entries):
+/// 1. `~/.fingerprint/trust.yaml` (user config)
+/// 2. `.fingerprint/trust.yaml` (project config)
+///
+/// Override location with `FINGERPRINT_TRUST` environment variable.
+fn load_trust_config() -> Vec<String> {
+    let mut entries = Vec::new();
+
+    if let Ok(path) = std::env::var("FINGERPRINT_TRUST") {
+        load_trust_file(&std::path::PathBuf::from(path), &mut entries);
+        return entries;
+    }
+
+    // User config: ~/.fingerprint/trust.yaml
+    let home_config = std::env::var("HOME")
+        .map(std::path::PathBuf::from)
+        .unwrap_or_else(|_| std::path::PathBuf::from("."))
+        .join(".fingerprint")
+        .join("trust.yaml");
+    load_trust_file(&home_config, &mut entries);
+
+    // Project config: .fingerprint/trust.yaml
+    let project_config = std::path::PathBuf::from(".fingerprint").join("trust.yaml");
+    load_trust_file(&project_config, &mut entries);
+
+    entries
+}
+
+fn load_trust_file(path: &std::path::Path, entries: &mut Vec<String>) {
+    let Ok(contents) = std::fs::read_to_string(path) else {
+        return;
+    };
+    let Ok(config) = serde_yaml::from_str::<TrustConfig>(&contents) else {
+        eprintln!(
+            "Warning: failed to parse trust config '{}', skipping",
+            path.display()
+        );
+        return;
+    };
+    entries.extend(config.trust);
+}
+
 /// Build the fingerprint registry with builtin fingerprints.
 #[allow(clippy::result_large_err)]
 fn build_registry() -> Result<registry::FingerprintRegistry, refusal::codes::RefusalEnvelope> {
@@ -436,10 +487,13 @@ fn build_registry() -> Result<registry::FingerprintRegistry, refusal::codes::Ref
         registry.register_with_info(builtin, info);
     }
 
-    // TODO: Discover and register installed fingerprint crates
+    // Discover and register installed fingerprint definitions
+    for (installed, info) in registry::installed::discover_installed() {
+        registry.register_with_info(installed, info);
+    }
 
     // Validate registry (check for duplicates and trust policy)
-    let allowlist: Vec<String> = vec![]; // TODO: Load from config
+    let allowlist = load_trust_config();
     registry
         .validate(&allowlist)
         .map_err(|validation_error| match validation_error {
@@ -459,16 +513,22 @@ fn build_registry() -> Result<registry::FingerprintRegistry, refusal::codes::Ref
                 fingerprint_id,
                 provider,
                 policy,
-            } => build_envelope(
-                RefusalCode::UntrustedFp,
-                "Untrusted fingerprint provider",
-                RefusalDetail::UntrustedFp(refusal::codes::UntrustedFpDetail {
-                    fingerprint_id,
-                    provider,
-                    policy,
-                }),
-                Some("Add provider to allowlist or use --trust-all".to_owned()),
-            ),
+            } => {
+                let next_command = format!(
+                    "Add to ~/.fingerprint/trust.yaml:\ntrust:\n  - \"{}\"",
+                    provider
+                );
+                build_envelope(
+                    RefusalCode::UntrustedFp,
+                    "Untrusted fingerprint provider",
+                    RefusalDetail::UntrustedFp(refusal::codes::UntrustedFpDetail {
+                        fingerprint_id,
+                        provider,
+                        policy,
+                    }),
+                    Some(next_command),
+                )
+            }
         })?;
 
     Ok(registry)

src/lib.rs

@@ -229,7 +229,13 @@ impl std::error::Error for RegistryValidationError {}
 fn is_trusted_source(source: &str, allowlist: &[String]) -> bool {
     source == "builtin"
         || source.starts_with("builtin:")
-        || allowlist.iter().any(|entry| entry == source)
+        || allowlist.iter().any(|entry| {
+            if let Some(prefix) = entry.strip_suffix('*') {
+                source.starts_with(prefix)
+            } else {
+                entry == source
+            }
+        })
 }
 
 #[cfg(test)]