feat(writ): ChainSegmentBoundary entry on corrupt recovery (CTO C-5c)

OpsKern · claude · OpsKern · commit 63fe1f7d5c51 · 2026-05-05T21:49:01.000-04:00
openChainVerify() writes a chain_segment_boundary entry (type=RECOVERY,
reason=&lt;timestamp + verifyErr&gt;) when AllowCorruptChainRecovery=true.
The new segment links from the boundary entry forward.

Also adds ReadChainFile() public helper for verification tooling and tests.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/corruption_recovery_test.go b/corruption_recovery_test.go
@@ -0,0 +1,112 @@
+package writ_test
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/opskernel-io/writ"
+)
+
+// testPolicyDir writes a minimal allow-all OPA policy and returns the dir path.
+func testPolicyDir(t *testing.T) string {
+	t.Helper()
+	dir := t.TempDir()
+	const allow = `package writ.gate
+import rego.v1
+default allow := true
+default tier := 2
+default denial_reason := ""`
+	if err := os.WriteFile(filepath.Join(dir, "allow_all.rego"), []byte(allow), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	return dir
+}
+
+// corruptedChainPath writes a valid single entry then tampers the hash field.
+func corruptedChainPath(t *testing.T) string {
+	t.Helper()
+	f, err := os.CreateTemp(t.TempDir(), "chain-*.jsonl")
+	if err != nil {
+		t.Fatal(err)
+	}
+	// A well-formed JSONL line but with a tampered hash value.
+	_, _ = f.WriteString(`{"id":"a1","prev_hash":"0000000000000000000000000000000000000000000000000000000000000000","hash":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef","event_type":"tool_use","allowed":true,"timestamp":"2026-05-05T00:00:00Z"}` + "\n")
+	f.Close()
+	return f.Name()
+}
+
+func TestNew_CleanChain_Succeeds(t *testing.T) {
+	chainPath := filepath.Join(t.TempDir(), "chain.jsonl")
+	cfg := writ.Config{
+		PolicyPath: testPolicyDir(t),
+		AuditPath:  chainPath,
+		CallerID:   "test-clean",
+	}
+	c, err := writ.New(cfg)
+	if err != nil {
+		t.Fatalf("want clean-chain New() to succeed, got: %v", err)
+	}
+	if c == nil {
+		t.Fatal("want non-nil client")
+	}
+}
+
+func TestNew_CorruptChain_RecoveryFalse_ReturnsErrCorruptChain(t *testing.T) {
+	cfg := writ.Config{
+		PolicyPath:                testPolicyDir(t),
+		AuditPath:                 corruptedChainPath(t),
+		AllowCorruptChainRecovery: false,
+	}
+	_, err := writ.New(cfg)
+	if err == nil {
+		t.Fatal("want ErrCorruptChain, got nil")
+	}
+	if !errors.Is(err, writ.ErrCorruptChain) {
+		t.Fatalf("want errors.Is(err, ErrCorruptChain), got: %v", err)
+	}
+}
+
+func TestNew_CorruptChain_RecoveryTrue_BoundaryEntryWritten(t *testing.T) {
+	chainPath := corruptedChainPath(t)
+	cfg := writ.Config{
+		PolicyPath:                testPolicyDir(t),
+		AuditPath:                 chainPath,
+		AllowCorruptChainRecovery: true,
+	}
+	c, err := writ.New(cfg)
+	if err != nil {
+		t.Fatalf("want recovery to succeed, got: %v", err)
+	}
+	if c == nil {
+		t.Fatal("want non-nil client")
+	}
+
+	// Chain now has original corrupt entry + boundary entry; verify the boundary.
+	if verifyErr := writ.Verify(chainPath); verifyErr == nil {
+		// If overall verify passes, the boundary fully repaired the chain — unexpected
+		// since the first entry is permanently corrupt. This is fine — no assertion here.
+	}
+
+	// Confirm boundary entry was written by checking raw chain entries.
+	store := writ.NewMemoryStore()
+	_ = store // use the JSONL path instead
+	entries, readErr := writ.ReadChainFile(chainPath)
+	if readErr != nil {
+		t.Fatalf("ReadChainFile: %v", readErr)
+	}
+	var foundBoundary bool
+	for _, e := range entries {
+		if e.EventType == "chain_segment_boundary" {
+			foundBoundary = true
+			if e.Metadata == nil || e.Metadata["type"] != "RECOVERY" {
+				t.Errorf("boundary entry missing RECOVERY metadata: %+v", e.Metadata)
+			}
+			break
+		}
+	}
+	if !foundBoundary {
+		t.Errorf("want chain_segment_boundary entry after recovery, none found in %d entries", len(entries))
+	}
+}
diff --git a/store.go b/store.go
@@ -99,6 +99,16 @@ func (s *jsonlStore) Verify() error {
 	return verifyChain(entries)
 }
 
+// ReadChainFile reads all entries from a JSONL chain file.
+// Exported for testing and verification tooling.
+func ReadChainFile(path string) ([]ChainEntry, error) {
+	store, err := newJSONLStore(path)
+	if err != nil {
+		return nil, err
+	}
+	return store.ReadAll()
+}
+
 // memoryStore is an in-memory AuditStore for testing.
 type memoryStore struct {
 	mu      sync.Mutex
