stage-vouch-c federation: import gate + translog hook (stage-trans-b)

import_signed_feed now refuses any feed whose declared fingerprint isn't
peer_is_listening_eligible (directly trusted OR vouched in), returning
Err("peer not trusted: …") before any signal lands.

For every case/IOC it does record, it also appends a "signal" entry to
the transparency log (best-effort — logger warns but doesn't abort
ingest if the append fails). This is the stage-trans-b hook: the
import path is the chokepoint, so attaching the chain there gives
us coverage of every peer-originated signal we've ever accepted.

build_signed_feed now includes our_vouches() in the feed body so vouches
propagate. On import we accept_vouch each one — but only if the embedded
voucher_fingerprint matches the peer we just authenticated, so a peer
can't forge vouches "from" someone else through us.

test_federation: the long-standing round-trip test now first registers
the synthetic peer as trusted so the gate lets it through.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
m17hr1l
2026-06-06 21:10:36 +02:00
parent 234e6d98ba
commit eadd1aea3b
2 changed files with 50 additions and 0 deletions

@@ -159,6 +159,8 @@ def test_build_then_import_signed_feed_roundtrip(fresh_db, fed_dir):
new_sig = peer_priv.sign(canonical_json(unsigned))
feed["signature"] = base64.b64encode(new_sig).decode("ascii")
# Stage 4 listening gate: peer must be trusted to land signals.
federation.register_peer("peer.example", peer_fp, peer_pub_pem, status="trusted")
result = import_signed_feed(feed, peer_pub_pem)
assert isinstance(result, Ok), getattr(result, "reason", "")
summary = result.value
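
Review bot: The negative path of the listening gate is not covered here. With the added federation.register_peer("peer.example", peer_fp, peer_pub_pem, status="trusted") call ahead of import_signed_feed, the round-trip test only exercises the case where the gate lets the feed through. Please add a companion test that imports the same signed feed without registering the peer (or with a status other than "trusted") and asserts that the result is not Ok, that its reason carries the "peer not trusted" text from the commit message, and that no case or IOC was recorded. The commit message also describes dropping vouches whose voucher_fingerprint differs from the authenticated peer; a test that feeds in one mismatched vouch and asserts it is not accepted would cover that check, which this hunk does not touch.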