Skip to content

durability: document the relayed-evidence trust boundary + defence-in-depth guards#128

Merged
mbertschler merged 2 commits into
offload-v1from
claude/offload-v1-trust-hardening
Jun 20, 2026
Merged

durability: document the relayed-evidence trust boundary + defence-in-depth guards#128
mbertschler merged 2 commits into
offload-v1from
claude/offload-v1-trust-hardening

Conversation

@mbertschler

@mbertschler mbertschler commented Jun 20, 2026

Copy link
Copy Markdown
Owner

Targets offload-v1 (not main). Follow-up to the review of #126.

The review of #126 flagged the peer durability pull as the place where, in the worst case, a peer's assertion could drive a premature local offload. Working it through for the intended deployment — a single operator whose laptop and NAS are both machines they own and hold the only credentials to — the conclusion is that the relayed-evidence trust is an accepted boundary (an in-domain NAS that lies about durability is already a compromised archive), not a vulnerability to engineer away. This PR writes that decision down and adds two cheap guards that turn bugs into loud failures.

Code — defence-in-depth (not trust controls)

  • Verify-method allow-list at the pull boundary. New store.KnownVerifyMethod; validateComponent now refuses a non-empty verify_method this build doesn't recognise. Previously an unknown method was stored and then silently treated as unverified by the offload gate — now a peer bug or version-skew string is rejected at receipt. Empty (legitimately "unverified") still passes.
  • Origin-node creation cap. pullDurability refuses a pull naming more than maxOriginNodesPerPull (256) distinct origins, so a runaway/buggy peer can't grow the local nodes table without bound via GetOrCreateOriginNode. A real volume references a handful of origins; the cap only converts a flood into an observable refusal.
  • Regression tests: TestValidateComponentVerifyMethod (allow-list) and TestPullDurabilityCapsOriginNodeCreation (cap).

Docs — SAFETY-AUDIT.md (offload-v1 section)

  • D1 — the relayed-evidence trust boundary: direct self-verified components (laptop's own verified push) vs peer-asserted components (relayed offsites); the accepted decision to trust an in-domain NAS; the gate-on-all-copies redundancy stance; and the two guards above. Records what's deliberately not built (proof-of-possession, laptop-side offsite verification) and why.
  • D2 — the content-addressed offsite push proves presence + size + decrypt-input correctness, but not decrypt-output correctness; sketches an opt-in, NAS-local read-back-decrypt-rehash as the proportionate close (scoped to initial upload, never cold-tier).

Validation

go vet ./..., go build ./..., go test ./sync ./store all green; gofmt clean. (golangci-lint couldn't run in my environment due to a Go version skew — please let CI run it.)

No schema change (adds a function and a doc section only).

🤖 Generated with Claude Code

https://claude.ai/code/session_01KE9A1VTdw7k1GQq87fQyfx

Generated by Claude Code

claude added 2 commits June 19, 2026 21:47
@claude
sync: harden the durability pull against unknown methods and origin f…
2ffca42 
…loods

Two cheap defence-in-depth guards on the peer durability pull. Neither is
a trust control — the peer is trusted to assert its own durability — they
turn a peer bug or version skew into a loud refusal instead of a silent
local effect.

- Add store.KnownVerifyMethod and refuse a non-empty verify_method the
  build does not recognise in validateComponent. Previously an unknown
  method was stored and then silently treated as unverified by the
  offload gate; now it is rejected at receipt. Empty (legitimately
  "unverified") still passes.
- Cap distinct origins one pull will resolve (maxOriginNodesPerPull) so a
  runaway peer cannot grow the local nodes table without bound via
  GetOrCreateOriginNode. A real volume references a handful of origins.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KE9A1VTdw7k1GQq87fQyfx
@claude
docs: record the durability trust boundary and offsite verification gap
6167547 
Add an offload-v1 section to SAFETY-AUDIT.md framed for the single-operator
deployment (laptop + NAS, all owned, adversary is entropy not a hostile
peer):

- D1 documents the relayed-evidence trust boundary in the durability pull
  (direct self-verified vs peer-asserted components), states the accepted
  decision to trust an in-domain NAS, and records the two defence-in-depth
  guards added alongside.
- D2 documents that the content-addressed offsite push proves
  presence+size and decrypt-input correctness but not decrypt-output
  correctness, and sketches an opt-in, NAS-local read-back-decrypt-rehash
  verification as the proportionate close.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KE9A1VTdw7k1GQq87fQyfx
@mbertschler mbertschler merged commit 89a0e16 into offload-v1 Jun 20, 2026
2 checks passed
@mbertschler mbertschler deleted the claude/offload-v1-trust-hardening branch June 20, 2026 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbertschler @claude