…_RECOVERY_PROTOCOL.md + episteme chain recover CLI (Event 80)
First v1.1 architectural cycle CP shipped. Foundational; prereq for
Cognitive Arm A (CP-TEMPORAL-INTEGRITY-EXPANSION-01).
Pillar 2 (append-only hash chain) is tamper-evident, but chains break
legitimately: disk corruption, schema migration, accidental directory
deletion, multi-machine fork, post-fact tamper detection. Until this
Event the kernel had a detection contract (verify_chain) but no
recovery contract — verify reports a break, then what?
What ships:
1. kernel/CHAIN_RECOVERY_PROTOCOL.md — canonical doc enumerating the
5 critical-gap scenarios + 3 recovery modes (reset / selective /
migrate) + recovery-attestation envelope schema + threat model +
CLI usage examples.
2. episteme chain recover --mode={reset,selective,migrate} CLI
subcommand. mode=reset is functional; selective + migrate are
stubs that return exit code 2 with named-dependency error messages
so the API surface is visible + stable but the deferred-by-design
work is honestly named.
3. Recovery-attestation envelope schema. Genesis record of any
recovered chain carries: type, mode, reason, operator_confirmation,
previous_head, recovered_at, archived_from, what_was_lost.
reset_stream extended (backward-compat) to populate the new fields;
default mode='reset' preserves pre-Event-80 caller behavior.
Mode capabilities:
- reset (functional) — full rewind; archive prior chain; new genesis
carries attestation envelope. Use for fresh-start recovery + post-
tamper rewind. Wraps existing reset_stream from CP7.
- selective (stub; depends on Component 5) — partial-corruption
windowed-rebuild. Identifies the last verifiably-good record;
archives the corrupted suffix; writes attestation linking the two.
- migrate (stub; depends on CP-TEMPORAL-INTEGRITY-EXPANSION-01) —
schema-migration forward-walk. v1.0-chain to v1.1-chain
transformations preserved as supersede-with-history per Cognitive
Arm A's temporal-integrity infrastructure.
Tests at tests/test_chain_recover.py — 5/5 pass; full suite 158/158.
Live smoke tests verified: --help renders, --mode=selective and
--mode=migrate stubs return exit 2 with named-dependency messages.
Threat-model gaps explicitly named in doc as v1.2+ federation work
(tail truncation, coordinated FS rewrite, multi-machine merge
adjudication).
Components 4 (migrate) + 5 (selective) deferred to follow-up Events
with named dependencies. CP-CHAIN-RECOVERY-PROTOCOL-01 first slice
(doc + reset + stubs) ships now; full implementation continues
through v1.1 cycle.
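The detection-then-recovery contract described in the commit message (verify_chain reports the first break-index; reset mode archives the prior chain and writes a new genesis carrying the eight attestation-envelope fields; selective and migrate stubs exit 2 naming their dependency) in miniature. This is an added example, not episteme's code: the record layout, the reset_stream signature, the confirmation check and the stub message wording are assumptions, since the page gives only the envelope field names, the mode names and the exit code.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# The eight fields the commit message says a recovered chain's genesis record carries.
ENVELOPE_FIELDS = (
    "type", "mode", "reason", "operator_confirmation",
    "previous_head", "recovered_at", "archived_from", "what_was_lost",
)
ENVELOPE_TYPE = {
    "reset": "chain_reset",
    "selective": "chain_recovery_selective",
    "migrate": "chain_recovery_migrate",
}
# Named dependencies from the page; the exact stub wording is assumed.
STUB_DEPENDENCY = {
    "selective": "Component 5",
    "migrate": "CP-TEMPORAL-INTEGRITY-EXPANSION-01",
}


def canonical(record: dict) -> bytes:
    """Canonical JSON so the hash is independent of key order and whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical(record)).hexdigest()


def append(chain: list, payload: dict) -> dict:
    """Append a record whose 'prev' commits to the previous record (None for genesis)."""
    rec = {"index": len(chain), "prev": digest(chain[-1]) if chain else None, "payload": payload}
    chain.append(rec)
    return rec


def verify_chain(chain: list) -> Optional[int]:
    """Detection contract: return the first break-index, or None if the chain is intact."""
    for i, rec in enumerate(chain):
        expected_prev = digest(chain[i - 1]) if i else None
        if rec.get("index") != i or rec.get("prev") != expected_prev:
            return i
    return None


def reset_stream(chain, reason, operator_confirmation, *, mode="reset",
                 what_was_lost=None, archive_path=None, recovered_at=None):
    """Recovery contract, reset mode (hypothetical signature): archive the prior chain
    and start a new one whose genesis payload is the attestation envelope.
    Returns (new_chain, archived_records)."""
    if mode != "reset":
        raise NotImplementedError(
            f"mode={mode!r} depends on {STUB_DEPENDENCY.get(mode, 'an unknown dependency')}")
    if not operator_confirmation:
        raise ValueError("operator confirmation is required for a reset")
    envelope = {
        "type": ENVELOPE_TYPE[mode],
        "mode": mode,
        "reason": reason,
        "operator_confirmation": operator_confirmation,
        "previous_head": digest(chain[-1]) if chain else None,  # links new genesis to the old head
        "recovered_at": recovered_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archived_from": archive_path if chain else None,  # null on a virgin stream
        "what_was_lost": what_was_lost,  # optional operator description
    }
    assert all(f in envelope for f in ENVELOPE_FIELDS)
    archived = list(chain)  # stands in for moving the old records to archive_path
    new_chain: list = []
    append(new_chain, envelope)
    return new_chain, archived


def recover(chain, mode, **kwargs):
    """CLI-style dispatch: returns (exit_code, message, resulting_chain). Stub modes exit 2."""
    if mode in STUB_DEPENDENCY:
        return 2, f"--mode={mode} is not implemented yet; depends on {STUB_DEPENDENCY[mode]}", chain
    if mode != "reset":
        return 1, f"unknown mode {mode!r}", chain
    new_chain, _ = reset_stream(chain, mode="reset", **kwargs)
    return 0, "chain reset; prior chain archived", new_chain


if __name__ == "__main__":
    chain = []
    for n in range(3):
        append(chain, {"event": n})
    chain[1]["payload"]["event"] = 99  # constructed corruption of record 1
    print("first break-index:", verify_chain(chain))  # record 2's prev no longer matches
    code, msg, new_chain = recover(chain, "reset", reason="post-fact tamper detected",
                                   operator_confirmation="yes", archive_path="/tmp/chain.archived")
    print(code, msg, "intact:", verify_chain(new_chain) is None, new_chain[0]["payload"]["type"])
```

The point to notice is that the envelope is evidence of operator intent, not proof: previous_head lets an auditor match the new genesis to the archived chain, but nothing prevents a forged envelope, which is exactly the operator-attestation-grade limitation the PR's threat-model section names.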
Summary

v1.1 architectural cycle opens. First CP shipped per `~/episteme-private/docs/cp-v1.1-architectural.md` sequencing — CP-CHAIN-RECOVERY-PROTOCOL-01 (foundational; prereq for Cognitive Arm A / CP-TEMPORAL-INTEGRITY-EXPANSION-01).

Background gap. Pillar 2 (append-only hash chain) is tamper-evident — `verify_chain` reports the first break-index. But chains break legitimately: disk corruption, schema migration, accidental directory deletion, multi-machine fork, post-fact tamper detection. Until this Event the kernel had a detection contract but no recovery contract. `verify` reports a break — then what?

What ships

1. `kernel/CHAIN_RECOVERY_PROTOCOL.md` (NEW, ~250 lines, public-tier). Canonical doc enumerating:

2. `episteme chain recover` CLI subcommand
   - `reset`: `reset_stream` (CP7) with the new attestation envelope.
   - `selective`, `migrate`: Stubs ship in this Event so the API surface is visible + stable; operators see the mode names + their dependencies before the implementations land. API forward-stability rather than absent-by-design.

3. Recovery-attestation envelope schema

   Genesis record of any recovered chain now carries:

   ```
   {
     "type": "chain_reset" | "chain_recovery_selective" | "chain_recovery_migrate",
     "mode": "reset" | "selective" | "migrate",
     "reason": "<operator rationale>",
     "operator_confirmation": "<operator confirmation phrase>",
     "previous_head": "sha256:<hex>" | null,
     "recovered_at": "<ISO-8601 UTC>",
     "archived_from": "<absolute path to archived prior chain>" | null,
     "what_was_lost": "<operator description of lost data>" | null
   }
   ```

   `core/hooks/_chain.py:reset_stream` extended (backward-compatible) to populate the new fields. Default `mode='reset'` preserves pre-Event-80 caller behavior.

Tests

`tests/test_chain_recover.py` (NEW) — 5/5 pass:
- `reset_genesis_payload_has_all_attestation_fields` — verifies all 8 documented fields are emitted
- `reset_genesis_archived_from_null_when_no_prior_chain` — recovery on a virgin stream
- `reset_what_was_lost_optional` — field is null when not provided
- `reset_default_mode_is_reset` — backward compatibility for pre-Event-80 callers
- `reset_archives_prior_chain_and_creates_new_intact_chain` — end-to-end: prior entries + recovery + new chain intact + archived file readable

Full test suite green: 158/158 (153 baseline + 5 new). Existing `test_chain_and_framework.py` covers backward compat — passes unchanged.

Live smoke tests verified pre-PR:
- `episteme chain recover --help` renders all flags
- `--mode=selective` returns exit 2 with named-dependency message pointing at Component 5
- `--mode=migrate` returns exit 2 with named-dependency message pointing at CP-TEMPORAL-INTEGRITY-EXPANSION-01

What's deferred (named dependencies)

Both deferrals are explicitly named in the spec doc + in the stub messages. Operators see the deferral structure rather than a hidden absence.

Threat-model gaps (out of scope; named for honesty)

Per `kernel/CHAIN_RECOVERY_PROTOCOL.md` § Threat model:

The recovery-attestation envelope is operator-attestation grade, not cryptographic-signature grade. Operator's `--confirm` string is auditable evidence of intent; not a tamper-proof signature. Mitigation against forged attestations is the same v1.2+ federation work.

Soak-protected surfaces touched
- `kernel/CHAIN_RECOVERY_PROTOCOL.md`
- `core/hooks/_chain.py`
- `src/episteme/cli.py`
- `tests/test_chain_recover.py`
- `core/blueprints/*`
- `/src/episteme/_profile_audit*.py`
- `/templates/*`
- `/labs/*`

v1.1 cycle queue post-Event-80

Plus deferred components from this CP:

Cross-references
- `~/episteme-private/docs/cp-v1.1-architectural.md` § CP-CHAIN-RECOVERY-PROTOCOL-01
- `core/hooks/_chain.py` cp7-chained-v1 envelope
- `kernel/FALSIFIABILITY_CONDITIONS.md` § A1 (Pillar 2 hash chain tamper-evidence)
- `~/episteme-private/docs/PROGRESS.md` Event 80 entry (private)
~/episteme-private/docs/cp-v1.1-architectural.md§ CP-CHAIN-RECOVERY-PROTOCOL-01core/hooks/_chain.pycp7-chained-v1 envelopekernel/FALSIFIABILITY_CONDITIONS.md§ A1 (Pillar 2 hash chain tamper-evidence)~/episteme-private/docs/PROGRESS.mdEvent 80 entry (private)