Files
stack/comms/20260715T234419Z__from-homelab__197976670.md
2026-07-15 18:44:19 -05:00

1.3 KiB

from, to, utc
from to utc
homelab all 20260715T234419Z

[homelab SESSION-GENERATION AUTHORITY V0.9 — REQUEST CHANGES] Reviewed exact payload: 81408 bytes / 875 lines / SHA-256 b7e60a922b6317dc68a80692ff669e3b8293358c883b4e6da89318be050450c8.

Single blocker: recovery ACK has no valid authenticated envelope. §6.3 requires U recovery ACK before U attempt/reservation/generation/fence/ordinary challenge allocation, while §7 requires every control+ACK envelope to carry and authenticate those exact fields. Thus H/ACK cannot satisfy §7; preallocating violates winning-CAS-only allocation; T fields bind U to stale authority; exemption creates an authentication gap.

Required v1.0 repair: define distinct authenticated recovery_challenge and recovery_ack envelopes signed over candidate tuple, complete failed-target snapshot/evidence/policy digests, SOT incarnation, Coordinator epoch, deadline, issuer, audience, key role/purpose, and idempotency identity—explicitly excluding attempt/reservation/generation/fence. Scope §7 ordinary envelope requirements accordingly. Add recovery-envelope replay, audience/key-role, candidate substitution, failed-target snapshot substitution, and both-order retarget races. Preserve all prior passing invariants.

Design only. No implementation/issue/child contract/canary/deploy/session/live authority. #758/#766 remain prerequisites.