feat(writ): verify existing chain on New() — refuse corrupt extend (CTO C-5a/b)

- Add Config.AllowCorruptChainRecovery bool (default false)
- Add ErrCorruptChain sentinel error
- openChainVerify() called in NewWithContext after store open:
  reads entries, runs verifyChain; returns ErrCorruptChain (wrapping
  the verification error) if chain is corrupt and recovery not allowed
- findLastValidHash() walks chain to locate last intact entry
- buildSegmentBoundaryEntry() scaffolded for sub-task 2 (C-5c)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: OpsKern

chain.go

@@ -238,6 +238,98 @@ func computeEntryHash(store AuditStore, entry ChainEntry) (ChainEntry, error) {
 	return entry, nil
 }
 
+// openChainVerify verifies the existing chain on New(). If the chain is corrupt
+// and AllowCorruptChainRecovery is false, it returns ErrCorruptChain.
+// If recovery is allowed, it writes a ChainSegmentBoundary entry and proceeds.
+func openChainVerify(store AuditStore, cfg Config) error {
+	entries, err := store.ReadAll()
+	if err != nil {
+		return fmt.Errorf("writ: read chain for verification: %w", err)
+	}
+	if len(entries) == 0 {
+		return nil
+	}
+	verifyErr := verifyChain(entries)
+	if verifyErr == nil {
+		return nil
+	}
+	if !cfg.AllowCorruptChainRecovery {
+		return fmt.Errorf("%w: %v", ErrCorruptChain, verifyErr)
+	}
+	lastValid := findLastValidHash(entries)
+	reason := fmt.Sprintf("recovery at %s: %v", time.Now().UTC().Format(time.RFC3339), verifyErr)
+	boundary, err := buildSegmentBoundaryEntry(lastValid, reason)
+	if err != nil {
+		return fmt.Errorf("writ: build recovery boundary: %w", err)
+	}
+	return store.Append(boundary)
+}
+
+// findLastValidHash walks entries and returns the hash of the last entry that
+// verifies correctly, or the genesis hash if none verify.
+func findLastValidHash(entries []ChainEntry) string {
+	prevHash := inaudit.PrevHashFor(nil)
+	for _, e := range entries {
+		ie := inaudit.Entry{
+			ID:           e.ID,
+			PrevHash:     e.PrevHash,
+			Hash:         e.Hash,
+			EventType:    e.EventType,
+			ActionType:   e.ActionType,
+			Actor:        e.Actor,
+			CallerID:     e.CallerID,
+			InputHash:    e.InputHash,
+			OutputHash:   e.OutputHash,
+			Result:       e.Result,
+			HookdTraceID: e.HookdTraceID,
+			Allowed:      e.Allowed,
+			DenialReason: e.DenialReason,
+			Timestamp:    timestampString(e.Timestamp),
+		}
+		if ie.PrevHash != prevHash {
+			break
+		}
+		want, err := inaudit.ComputeHash(ie)
+		if err != nil || ie.Hash != want {
+			break
+		}
+		prevHash = ie.Hash
+	}
+	return prevHash
+}
+
+// buildSegmentBoundaryEntry creates a ChainSegmentBoundary entry that anchors
+// the start of a new chain segment after corruption recovery.
+func buildSegmentBoundaryEntry(lastValidHash, reason string) (ChainEntry, error) {
+	id := newAuditID()
+	ts := time.Now().UTC()
+
+	internal := inaudit.Entry{
+		ID:        id,
+		PrevHash:  lastValidHash,
+		EventType: "chain_segment_boundary",
+		Allowed:   true,
+		Timestamp: ts.Format(time.RFC3339Nano),
+		Metadata:  map[string]string{"type": "RECOVERY", "reason": reason},
+	}
+
+	hash, err := inaudit.ComputeHash(internal)
+	if err != nil {
+		return ChainEntry{}, fmt.Errorf("compute boundary hash: %w", err)
+	}
+	internal.Hash = hash
+
+	return ChainEntry{
+		ID:        internal.ID,
+		PrevHash:  internal.PrevHash,
+		Hash:      internal.Hash,
+		EventType: internal.EventType,
+		Allowed:   internal.Allowed,
+		Timestamp: ts,
+		Metadata:  internal.Metadata,
+	}, nil
+}
+
 // verifyChain is the internal entry point for Verify().
 func verifyChain(entries []ChainEntry) error {
 	internalEntries := make([]inaudit.Entry, len(entries))

writ.go

@@ -7,6 +7,7 @@ package writ
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -42,8 +43,17 @@ type Config struct {
 	// EagerReload enables a goroutine-based policy watcher.
 	// Default (false) uses lazy reload: policy is re-read when mtime changes.
 	EagerReload bool
+
+	// AllowCorruptChainRecovery, when true, permits New() to open a chain that
+	// fails Merkle verification. A ChainSegmentBoundary entry is written
+	// recording the recovery event. Default false: corrupt chain → ErrCorruptChain.
+	AllowCorruptChainRecovery bool
 }
 
+// ErrCorruptChain is returned by New() when the existing chain fails Merkle
+// verification and Config.AllowCorruptChainRecovery is false.
+var ErrCorruptChain = errors.New("writ: existing chain fails Merkle verification")
+
 // Client wraps an anthropic.Client with a pre-call codification gate and
 // post-call Merkle audit chain write. Construct with writ.New().
 type Client struct {
@@ -81,6 +91,10 @@ func NewWithContext(ctx context.Context, cfg Config) (*Client, error) {
 		}
 	}
 
+	if err := openChainVerify(store, cfg); err != nil {
+		return nil, err
+	}
+
 	g, err := newGate(ctx, cfg.PolicyPath, cfg.EagerReload)
 	if err != nil {
 		return nil, fmt.Errorf("writ: init gate: %w", err)