daemon: drop PILOT_TRUSTED_PUBLISHERS wiring (catalogue is the trust anchor) (#320)

daemon: drop PILOT_TRUSTED_PUBLISHERS wiring; bump app-store (trust anchor removed)

The per-publisher trust anchor is removed in app-store (the release-signed
catalogue is the source of truth). So the env-var wiring added in #318 is no
longer needed — a fresh node installs and runs catalogue apps with zero config.

- remove the PILOT_TRUSTED_PUBLISHERS env block + the now-unused manifest import
- bump github.com/pilot-protocol/app-store to the trust-anchor-removal commit
- keep PILOT_APPSTORE_ROOT honoring

Depends on pilot-protocol/app-store#25; re-pin go.mod to the merged app-store
commit before this lands. Verified: a fresh node with NO env installs
io.pilot.smolmachines from the real catalogue and boots a microVM.

Co-authored-by: Alex Godoroja <alex@vulturelabs.io>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: 3 people

cmd/daemon/main.go

@@ -25,7 +25,6 @@ import (
 	// L11 plugin imports — cmd/daemon (L12) is the only place these
 	// are allowed. The daemon proper imports only pkg/coreapi
 	// interfaces.
-	"github.com/pilot-protocol/app-store/pkg/manifest"
 	"github.com/pilot-protocol/app-store/plugin/appstore"
 	"github.com/pilot-protocol/dataexchange"
 	"github.com/pilot-protocol/eventstream"
@@ -350,19 +349,6 @@ func main() {
 	if r := os.Getenv("PILOT_APPSTORE_ROOT"); r != "" {
 		appstoreInstallRoot = r
 	}
-	// Trust anchor (G4′): the supervisor refuses to spawn a non-sideloaded app
-	// whose publisher is not on manifest.TrustedPublishers. Nothing populated it
-	// before, so enforcement skipped every catalogue app. Wire it from
-	// PILOT_TRUSTED_PUBLISHERS (comma-separated ed25519:<b64> ids) — in
-	// production this list is the reviewed publisher registry.
-	if tp := strings.TrimSpace(os.Getenv("PILOT_TRUSTED_PUBLISHERS")); tp != "" {
-		for _, p := range strings.Split(tp, ",") {
-			if p = strings.TrimSpace(p); p != "" {
-				manifest.TrustedPublishers = append(manifest.TrustedPublishers, p)
-			}
-		}
-		log.Printf("appstore: %d trusted publisher(s) loaded from PILOT_TRUSTED_PUBLISHERS", len(manifest.TrustedPublishers))
-	}
 	// The app-usage telemetry emitter shares the daemon's identity file
 	// and telemetry URL. When consent is off (empty URL) the client is
 	// a permanent no-op — no goroutines, no dials, no buffering.

go.mod

@@ -4,7 +4,7 @@ go 1.25.11
 
 require (
 	github.com/coder/websocket v1.8.15
-	github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622180016-07b4170265dc
+	github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622235003-2f290c314a42
 	github.com/pilot-protocol/beacon v0.2.6
 	github.com/pilot-protocol/common v0.5.5
 	github.com/pilot-protocol/dataexchange v0.2.1-beta.1.0.20260615113607-fac933edea98

go.sum

@@ -4,8 +4,8 @@ github.com/coder/websocket v1.8.15 h1:6B2JPeOGlpff2Uz6vOEH1Vzpi0iUz20A+lPVhPHtNU
 github.com/coder/websocket v1.8.15/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/expr-lang/expr v1.17.8 h1:W1loDTT+0PQf5YteHSTpju2qfUfNoBt4yw9+wOEU9VM=
 github.com/expr-lang/expr v1.17.8/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
-github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622180016-07b4170265dc h1:Ze7h3rEPMhFaAyjNH9riySBs8HEeeoB3wODwtoLQ4Eo=
-github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622180016-07b4170265dc/go.mod h1:leZPtX43gE2JB7xeljexXri81g6qhdZfYExLtzI+bhg=
+github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622235003-2f290c314a42 h1:5Yns67RaNxd2xwVJj7VY2+vXzo9zTbMgPM+CXgwiW1M=
+github.com/pilot-protocol/app-store v1.0.1-beta.1.0.20260622235003-2f290c314a42/go.mod h1:leZPtX43gE2JB7xeljexXri81g6qhdZfYExLtzI+bhg=
 github.com/pilot-protocol/beacon v0.2.6 h1:grxwaVyPRUT0W6coyjYfNkO0rpzOIrwrKn94S21DuVE=
 github.com/pilot-protocol/beacon v0.2.6/go.mod h1:I/UhEv097g1z/qtAVDZbEhf3R5tzM0Dp71vGHah52A4=
 github.com/pilot-protocol/common v0.5.5 h1:mnv3q84alVaotGD+Qxfo4ECFEquqsUwrI3mjKIGUKFY=