Correct verification API route priority

README.md

@@ -125,8 +125,8 @@ Required values:
 Important distinction:
 
 - `TRUSTSIGNAL_API_BASE_URL` is the outbound verification API this service calls, for example `https://api.trustsignal.dev`.
-  - Primary route expected by this service: `${TRUSTSIGNAL_API_BASE_URL}/v1/verifications/github`
-  - Compatibility route (if needed): `${TRUSTSIGNAL_API_BASE_URL}/api/v1/verifications/github`
+  - Primary route expected by this service: `${TRUSTSIGNAL_API_BASE_URL}/api/v1/verifications/github`
+  - Compatibility route (if needed): `${TRUSTSIGNAL_API_BASE_URL}/v1/verifications/github`
 
   The API base URL is distinct from the webhook host:
   - App callback/base webhook host: `https://github.trustsignal.dev`

apps/action/dist/index.js

@@ -4152,7 +4152,7 @@ function mapProvenanceEventName(eventName) {
 // src/trustsignal/client.ts
 var TrustSignalVerificationClient = class {
   baseUrl;
-  candidatePaths = ["/v1/verifications/github", "/api/v1/verifications/github"];
+  candidatePaths = ["/api/v1/verifications/github", "/v1/verifications/github"];
   timeoutMs;
   fetchImpl;
   constructor(config, fetchImpl = globalThis.fetch) {
@@ -4220,7 +4220,7 @@ var TrustSignalVerificationClient = class {
     }
   }
   canFallback(path) {
-    return path === "/v1/verifications/github";
+    return path === "/api/v1/verifications/github";
   }
 };
 function looksLikeJson(value) {

docs/architecture.md

@@ -39,8 +39,8 @@ This keeps the website, outbound verification API, and inbound webhook receiver
 
 `TRUSTSIGNAL_API_BASE_URL` must target the API origin only and is currently normalized as:
 
-- Primary path: `/v1/verifications/github`
-- Compatibility path: `/api/v1/verifications/github` (used when the primary route is unavailable)
+- Primary path: `/api/v1/verifications/github`
+- Compatibility path: `/v1/verifications/github` (used when the primary route is unavailable)
 
 If the API is moved or renamed, update `TRUSTSIGNAL_API_BASE_URL` and keep only one canonical base URL.
 

docs/integrations/github.md

@@ -107,7 +107,7 @@ jobs:
               "sha": "'"${GITHUB_SHA}"'",
               "artifactDigest": "'"${{ steps.digest.outputs.sha256 }}"'"
             }' \
-            "${TRUSTSIGNAL_API_BASE_URL}/v1/verifications/github"
+            "${TRUSTSIGNAL_API_BASE_URL}/api/v1/verifications/github"
 ```
 
 ## Compatibility Notes

src/trustsignal/client.ts

@@ -29,7 +29,7 @@ export interface FetchLike {
 
 export class TrustSignalVerificationClient {
   private readonly baseUrl: string;
-  private readonly candidatePaths = ["/v1/verifications/github", "/api/v1/verifications/github"] as const;
+  private readonly candidatePaths = ["/api/v1/verifications/github", "/v1/verifications/github"] as const;
   private readonly timeoutMs: number;
   private readonly fetchImpl: FetchLike;
 
@@ -111,7 +111,7 @@ export class TrustSignalVerificationClient {
   }
 
   private canFallback(path: (typeof this.candidatePaths)[number]) {
-    return path === "/v1/verifications/github";
+    return path === "/api/v1/verifications/github";
   }
 }
 

tests/trustsignalClient.test.ts

@@ -51,7 +51,7 @@ describe("TrustSignalVerificationClient", () => {
     const result = await client.verify(request);
 
     expect(fetchImpl).toHaveBeenCalledWith(
-      "https://trustsignal.example.com/v1/verifications/github",
+      "https://trustsignal.example.com/api/v1/verifications/github",
       expect.objectContaining({
         method: "POST",
         headers: expect.objectContaining({
@@ -62,7 +62,7 @@ describe("TrustSignalVerificationClient", () => {
     expect(result.receiptId).toBe("rcpt_1");
   });
 
-  it("falls back to /api/v1/verifications/github when /v1 returns HTML", async () => {
+  it("falls back to /v1/verifications/github when /api returns HTML", async () => {
     const fallbackResponse = {
       ok: true,
       status: 200,
@@ -89,7 +89,7 @@ describe("TrustSignalVerificationClient", () => {
     };
 
     const fetchImplementation = vi.fn(async (url: string) => {
-      const response = url === "https://trustsignal.example.com/v1/verifications/github" ? primaryResponse : fallbackResponse;
+      const response = url === "https://trustsignal.example.com/api/v1/verifications/github" ? primaryResponse : fallbackResponse;
       return {
         ok: response.ok,
         status: response.status,
@@ -131,7 +131,7 @@ describe("TrustSignalVerificationClient", () => {
     expect(fetchImplementation).toHaveBeenCalledTimes(2);
     expect(fetchImplementation).toHaveBeenNthCalledWith(
       1,
-      "https://trustsignal.example.com/v1/verifications/github",
+      "https://trustsignal.example.com/api/v1/verifications/github",
       expect.objectContaining({
         method: "POST",
         headers: expect.objectContaining({
@@ -141,7 +141,7 @@ describe("TrustSignalVerificationClient", () => {
     );
     expect(fetchImplementation).toHaveBeenNthCalledWith(
       2,
-      "https://trustsignal.example.com/api/v1/verifications/github",
+      "https://trustsignal.example.com/v1/verifications/github",
       expect.objectContaining({
         method: "POST",
         headers: expect.objectContaining({
@@ -188,7 +188,7 @@ describe("TrustSignalVerificationClient", () => {
       },
     });
 
-    await expect(client.verify(request)).rejects.toThrow("TrustSignal verification response for https://trustsignal.example.com/api/v1/verifications/github was not JSON");
+    await expect(client.verify(request)).rejects.toThrow("TrustSignal verification response for https://trustsignal.example.com/v1/verifications/github was not JSON");
     expect(fetchImplementation).toHaveBeenCalledTimes(2);
   });
 });