felhom.eu/REPORT.md

# felhom.eu — task reports

> **Overwrite** this file with a summary of the most recent task only (uniform with the other repos; not cumulative). The cumulative hub history lives in [hub/CHANGELOG.md](hub/CHANGELOG.md).

---

# REPORT — Slice 10C (docs only): escrow consumption productionized (2026-06-10)

## Type

Documentation update for **slice 10C** (implementation is **agent-only**: `felhom-agent` v0.17.0 —
`escrow.Consume`). **No hub code change** — 10C reads a restore directive it is given; 10D wires the
hub side (serving the blob + expected fingerprint + PBS connection, prompting for R).

## What changed (doc 03 — host-agent)

- **§8a**: escrow **consumption** is now a real, tested path (`escrow.Consume` = **Unwrap →
  fingerprint-gate → install**), replacing the throwaway spike harness. The spike findings are baked
  in: F-C2 (install the raw key where the restore reads it), **F-C3** (wrong R fails closed), **F-C4**
  (fingerprint-gate *before* any multi-GB restore), **F-C6** (blob read-only/retryable, `K` never
  mutated). **Zero-knowledge holds end-to-end**: the hub serves the blob + expected fingerprint + PBS
  connection; **R comes from the customer by hand, never the hub** — a hub compromise alone cannot
  decrypt.
- **§9 slice table**: **10C done**. **10D** (DR capstone — re-enroll in restore mode, serve the
  directive, consume, restore guests + identity, reuse the 10B gate for restore-overwrite, the
  re-enrollment-auth fork) is the last piece of slice 10.

## Pending

- Live validation runs against the demo (agent v0.17.0): create escrow → `Consume` → restore real
  data with the consumed key; wrong R → clean failure, nothing installed; live `K` byte-unchanged.