Integrity monitor
The parts that protect the chain around the chain
The decision chain proves the governance trail. The integrity monitor protects the runtime pieces that make that trail meaningful: the chain file, the proxy code, and the policy rules.
What is protected
Chain file
After first run, Atested expects the chain file to exist with the same record count and tail hash recorded in integrity metadata. Missing or truncated history is treated as an integrity violation, not as a reason to silently create a new chain.
Proxy code
Critical source files are hashed at startup. The current hash is recorded in the chain. If the hash changes later, that change is recorded so auditors can see which code version governed each decision period.
Policy rules
capabilities/policy-rules.json is hashed at startup and checked before policy evaluation. Runtime changes are recorded and cause Atested to deny operations until the change is acknowledged.
Startup and runtime behavior
On a genuine first run, with no previous chain and no integrity metadata, Atested creates a new chain normally. After that, startup verification compares the chain file against integrity metadata. If the file is missing, truncated, or has the wrong tail hash, startup refuses to continue until the operator acknowledges the violation.
During operation, chain writes update the metadata. Runtime checks stop accepting operations if the chain disappears or policy rules drift. Proxy source changes are allowed because legitimate updates change code, but the change is visible in the chain.
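The startup decision described above, as an added example that is not Atested's own code: it separates a genuine first run from a missing, truncated, or edited chain by comparing the chain file with the integrity metadata. The metadata field names (record_count, tail_hash), the tail hash being SHA-256 of the last raw line, and the violation labels are assumptions made for illustration; the sample chain is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def tail_hash(lines):  # assumption: SHA-256 of the last record's raw JSONL line
    return hashlib.sha256(lines[-1].encode()).hexdigest() if lines else None

def startup_check(chain: Path, meta: Path) -> str:
    """Return 'first_run', 'ok', or a 'violation:<reason>' string."""
    if not chain.exists() and not meta.exists():
        return "first_run"              # genuine first run: create a new chain
    if not chain.exists():
        return "violation:missing"      # metadata remembers a chain that is gone
    if not meta.exists():
        return "violation:no_metadata"  # case the page does not cover; fail closed
    lines = [ln for ln in chain.read_text(encoding="utf-8").splitlines() if ln.strip()]
    expected = json.loads(meta.read_text(encoding="utf-8"))  # hypothetical field names
    if len(lines) < expected["record_count"]:
        return "violation:truncated"
    if len(lines) != expected["record_count"] or tail_hash(lines) != expected["tail_hash"]:
        return "violation:tail_mismatch"
    return "ok"

def demo() -> dict:
    """Exercise each startup outcome against a constructed three-record chain."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        chain = Path(d) / "decision-chain.jsonl"
        meta = Path(d) / "decision-chain.jsonl.integrity.json"
        out["first"] = startup_check(chain, meta)
        recs = [json.dumps({"seq": i, "decision": "allow"}) for i in range(3)]
        chain.write_text("\n".join(recs) + "\n", encoding="utf-8")
        meta.write_text(json.dumps({"record_count": 3, "tail_hash": tail_hash(recs)}))
        out["intact"] = startup_check(chain, meta)
        edited = recs[:2] + [recs[2].replace("allow", "deny")]
        chain.write_text("\n".join(edited) + "\n", encoding="utf-8")
        out["edited"] = startup_check(chain, meta)
        chain.write_text(recs[0] + "\n", encoding="utf-8")
        out["truncated"] = startup_check(chain, meta)
        chain.unlink()
        out["missing"] = startup_check(chain, meta)
    return out

if __name__ == "__main__":
    print(demo())
```

The key property is that a deleted chain with surviving metadata never falls through to the first-run branch, so removing history cannot reset the trail silently.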
Event types
Integrity events are additive. Existing chain records remain valid; these event types add context around the runtime state.
proxy_startup_code_hash
Fires at startup. Contains the current critical proxy source hash.
proxy_code_hash_changed
Fires when the critical source hash differs from the previous recorded hash. Contains previous and current hash values.
policy_rules_loaded
Fires at startup. Contains the policy rules hash loaded for this run.
policy_rules_changed
Fires when policy rules change during operation. Contains previous and current policy hash values. Operations are denied until acknowledged.
chain_integrity_violation
Fires when Atested detects missing, truncated, mismatched, or otherwise invalid chain state.
Background verification
In addition to startup checks, Atested continuously verifies the chain during operation. The background verifier runs automatically every 100 records (configurable via ATESTED_CHAIN_VERIFY_EVERY_RECORDS). It re-reads the entire chain, recomputes every hash, checks every linkage reference, and writes the result to a status file — all in a background thread that never blocks chain writes.
When verification passes, the status reads "Verified" with the record count and timestamp. When it detects a break, it records the break sequence number, the reason, and the break count. The Health window reads this status file and shows the result. If a break is found, Health displays the reason and a button that opens the Chain Walker centered on the exact record where linkage failed.
Break classification is automatic. Known patterns — unsigned legacy records, chain resets, truncation recovery, partial writes from crashes — are identified and labeled. Suspicious breaks that don't match a known pattern are flagged for investigation. Repeated breaks (three or more in 24 hours) trigger a critical health status indicating possible ongoing attack or system failure.
Archiving on violation
When startup verification detects a violation, Atested archives the existing chain file to gov_runtime/LOGS/archive/ before starting a fresh chain. Each archive includes a manifest recording the timestamp, reason, record count, and last record hash. Archived chains remain accessible through the Chain Walker and can be used to create evidence packages. Atested never deletes archives; disk retention is your decision.
Where to see it
The Health window shows chain file status, proxy code hash, policy rules hash, and background verifier results. The chain contains startup and change events. The integrity metadata file defaults to the chain location as decision-chain.jsonl.integrity.json. The background verifier status file is at chain_verification_status.json in the chain directory.