Files

T

admin a98210ae00 docs: slice 10C escrow consumption productionized (doc 03 §8a/§9)

Agent-only implementation (felhom-agent v0.17.0 escrow.Consume); no hub code
change. 10C done; 10D is the last piece of slice 10.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-10 22:18:10 +02:00

1.7 KiB

Raw Blame History

felhom.eu — task reports

Overwrite this file with a summary of the most recent task only (uniform with the other repos; not cumulative). The cumulative hub history lives in hub/CHANGELOG.md.

REPORT — Slice 10C (docs only): escrow consumption productionized (2026-06-10)

Type

Documentation update for slice 10C (implementation is agent-only: felhom-agent v0.17.0 — escrow.Consume). No hub code change — 10C reads a restore directive it is given; 10D wires the hub side (serving the blob + expected fingerprint + PBS connection, prompting for R).

What changed (doc 03 — host-agent)

§8a: escrow consumption is now a real, tested path (escrow.Consume = Unwrap → fingerprint-gate → install), replacing the throwaway spike harness. The spike findings are baked in: F-C2 (install the raw key where the restore reads it), F-C3 (wrong R fails closed), F-C4 (fingerprint-gate before any multi-GB restore), F-C6 (blob read-only/retryable, K never mutated). Zero-knowledge holds end-to-end: the hub serves the blob + expected fingerprint + PBS connection; R comes from the customer by hand, never the hub — a hub compromise alone cannot decrypt.
§9 slice table: 10C done. 10D (DR capstone — re-enroll in restore mode, serve the directive, consume, restore guests + identity, reuse the 10B gate for restore-overwrite, the re-enrollment-auth fork) is the last piece of slice 10.

Pending

Live validation runs against the demo (agent v0.17.0): create escrow → Consume → restore real data with the consumed key; wrong R → clean failure, nothing installed; live K byte-unchanged.