The Problem
After chain verification succeeds, the verifier persists each receipt to the store for audit retention. If the store write fails, the error is silently discarded:
```go
// drs-verify/pkg/verify/chain.go:346-348
if err := deps.Store.Put(hash, jwt); err != nil {
_ = err
}
```
The verification returns success. The caller has no idea the receipt was not persisted. The audit trail has a gap. If this is a Tier 3 deployment with RFC 3161 timestamping, the timestamp token that depends on this receipt also fails silently.
A full disk, a permissions error, a network failure on a remote store — any of these creates a silent hole in the audit log. Nobody gets notified. The next time an auditor asks "show me the receipts for this delegation chain," one is missing.
What Must Change
- Add a `StoreWarnings []string` field to `VerificationResult` (or reuse the existing `Timestamps` pattern).
- Log the error.
- Return the warning in the result so the caller can decide whether a missing audit record is acceptable.
Do not fail the verification — that would be wrong. The chain is cryptographically valid regardless of whether we stored it. But do not pretend the store succeeded.
Severity
MEDIUM. No security bypass. But audit trail gaps in a compliance-focused system are the kind of thing that makes regulators unhappy, and unhappy regulators make everyone unhappy.
The Problem
After chain verification succeeds, the verifier persists each receipt to the store for audit retention. If the store write fails, the error is silently discarded:
```go
// drs-verify/pkg/verify/chain.go:346-348
if err := deps.Store.Put(hash, jwt); err != nil {
_ = err
}
```
The verification returns success. The caller has no idea the receipt was not persisted. The audit trail has a gap. If this is a Tier 3 deployment with RFC 3161 timestamping, the timestamp token that depends on this receipt also fails silently.
A full disk, a permissions error, a network failure on a remote store — any of these creates a silent hole in the audit log. Nobody gets notified. The next time an auditor asks "show me the receipts for this delegation chain," one is missing.
What Must Change
Do not fail the verification — that would be wrong. The chain is cryptographically valid regardless of whether we stored it. But do not pretend the store succeeded.
Severity
MEDIUM. No security bypass. But audit trail gaps in a compliance-focused system are the kind of thing that makes regulators unhappy, and unhappy regulators make everyone unhappy.