An update on this is in order :)
After a bit of back and forth we settled on a name for a new concept in ssb-crut. Using nextStepData you can now pass in data to the transformation (what you do with each message of a tangle) that will not be part of the final state. We use this for adding types that make it easier to reason about the different steps. The whole specification for fusion identity is now roughly 100 lines of code. This takes care of everything from schema validation to checking the logic of who is a member.
I also merged in the latest spec change so that things should be a lot clearer. We decided to focus on the basics for v1, so attestation and redirection are for future versions to spec. That being said, there is code for the current draft of those features in the JS module as well.
The last remaining bit is to come up with a proper way to encrypt things. That one is waiting for a larger db2 refactor to fall into place as part of the private groups work.