Audit
Verify event store integrity with signature and tamper detection.
Overview
All Starweft protocol messages are recorded in a SQLite database using an event sourcing approach. The audit verify-log command verifies the integrity and signature validity of this event log, detecting tampering and corruption.
audit verify-log
Usage
starweft audit verify-log
Inspection Items
audit verify-log inspects the following items.
| Inspection Item | Description |
|---|---|
| Raw JSON integrity | Verifies that the stored raw JSON (raw_json) matches the values decomposed into database columns. This is a direct method for detecting tampering. |
| Ed25519 signature verification | Re-verifies the Ed25519 signature against the raw JSON using the sender's public key. Events with unknown keys are reported as unverifiable. |
| task_id presence | Confirms that task_id is set on TaskDelegated / TaskProgress / TaskResultSubmitted events. |
| ProjectCharter duplication | Confirms that multiple ProjectCharter entries do not exist for the same project_id. |
| Lamport timestamp | Confirms that Lamport timestamps are monotonically increasing within the same project. Regression indicates event ordering inconsistency. |
| JSON parsing | Confirms that struct deserialization of the event completes successfully. |
Reading the Output
checked_events: 42
invalid_events: 0
signature_failures: 0
raw_json_mismatches: 0
unverifiable_signatures: 0
audit: ok

checked_events: 42
invalid_events: 2
signature_failures: 1
raw_json_mismatches: 1
unverifiable_signatures: 3
error: msg_01ABC...: signature verification failed
error: msg_01DEF...: raw_json mismatch for field lamport_ts
[E_AUDIT_FAILED] Inconsistencies found in task_events
Output Field Definitions
| Field | Meaning |
|---|---|
| checked_events | Total number of events inspected |
| invalid_events | Number of events with detected issues (sum of signature failures + raw JSON mismatches + structural errors + duplicates + Lamport regressions + missing task_ids) |
| signature_failures | Number of events that failed Ed25519 signature verification |
| raw_json_mismatches | Number of events where the raw JSON and column values do not match |
| unverifiable_signatures | Number of events where signature verification was skipped because the public key is unknown or raw_json was not stored |
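The structural checks from the inspection table, sketched over an in-memory SQLite table as an added example (not Starweft's own code). The msg_id and msg_type column names, the table layout and the sample events are assumptions constructed for illustration; Ed25519 verification is left out because it needs a third-party library.

```python
import json
import sqlite3

# Assumed schema: the page names raw_json, task_id, project_id and lamport_ts;
# msg_id, msg_type and the column layout are hypothetical.
COLS = ("msg_id", "msg_type", "project_id", "task_id", "lamport_ts")
NEEDS_TASK = {"TaskDelegated", "TaskProgress", "TaskResultSubmitted"}

def audit(conn):
    rep = {"checked_events": 0, "invalid_events": 0, "raw_json_mismatches": 0, "errors": []}
    last_ts, charters = {}, set()
    query = f"SELECT {', '.join(COLS)}, raw_json FROM task_events ORDER BY rowid"
    for *vals, raw in conn.execute(query):
        col, found = dict(zip(COLS, vals)), []
        try:
            doc = json.loads(raw)
            bad = [c for c in COLS if doc.get(c) != col[c]]
        except (TypeError, ValueError, AttributeError):
            bad, found = [], ["raw_json does not parse as an event object"]
        if bad:  # stored columns disagree with the signed raw JSON
            rep["raw_json_mismatches"] += 1
            found += [f"raw_json mismatch for field {c}" for c in bad]
        if col["msg_type"] in NEEDS_TASK and not col["task_id"]:
            found.append("task_id missing")
        if col["msg_type"] == "ProjectCharter":
            if col["project_id"] in charters:
                found.append("duplicate ProjectCharter")
            charters.add(col["project_id"])
        prev = last_ts.get(col["project_id"], 0)
        if col["lamport_ts"] < prev:  # assumption: ties are not a regression
            found.append("Lamport timestamp regression")
        last_ts[col["project_id"]] = max(prev, col["lamport_ts"])
        rep["checked_events"] += 1
        rep["invalid_events"] += bool(found)
        rep["errors"] += [f"{col['msg_id']}: {m}" for m in found]
    return rep

def sample_db():
    # Constructed events: two clean ones, then three kinds of damage.
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE task_events ({', '.join(COLS)}, raw_json)")
    events = [("m1", "ProjectCharter", "p1", None, 1), ("m2", "TaskDelegated", "p1", "t1", 2),
              ("m3", "TaskProgress", "p1", None, 3), ("m4", "ProjectCharter", "p1", None, 4),
              ("m5", "TaskProgress", "p1", "t1", 5)]
    for ev in events:
        conn.execute("INSERT INTO task_events VALUES (?,?,?,?,?,?)",
                     (*ev, json.dumps(dict(zip(COLS, ev)))))
    # Simulated tampering: edit the column but not the signed raw JSON.
    conn.execute("UPDATE task_events SET lamport_ts = 2 WHERE msg_id = 'm5'")
    return conn
```

Calling `audit(sample_db())` returns the counters and a per-message error list; one event can carry several findings but counts once toward invalid_events.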
Handling Detected Issues
When signature_failures / raw_json_mismatches Are Detected
Event data may have been tampered with.
- Consider restoring from a backup (see backup restore below)
- If only projections (aggregation tables) are corrupted, repair rebuild-projections may be able to repair them
When unverifiable_signatures Is High
The peer's public key may not be registered locally.
# Register the peer's public key
starweft peer add /ip4/192.168.1.10/tcp/9000 \
--public-key "<base64 public key>"
# Run the audit again
starweft audit verify-log
repair rebuild-projections
repair rebuild-projections is a command that rebuilds projection tables from the event log (task_events table).
starweft repair rebuild-projections

replayed_events: 42
rebuilt_projects: 3
rebuilt_tasks: 15
rebuilt_publish_events: 2
rebuilt_snapshots: 3
What rebuild-projections Can Repair
- projects table (project state aggregation)
- tasks table (task state aggregation)
- task_results / evaluations / publish_events tables
- snapshots table
- stop_orders / stop_receipts tables
- approval_state table
backup create / backup restore
Creating a Backup
starweft backup create --output ~/starweft-backup
The backup copies the complete set of files to the specified directory and generates a signed manifest.json.
Files included in the backup
| Path | Contents |
|---|---|
| config.toml | Node configuration |
| identity/actor_key | Main identity key |
| identity/stop_authority_key | Stop authority key (if present) |
| ledger/node.db | SQLite database (clean copy via VACUUM INTO) |
| artifacts/ | Task artifacts |
| logs/ | Log files |
| cache/ | Cache |
Backup Trust Anchor
The backup's manifest.json incorporates the following protection mechanisms.
The entire payload field of the manifest is signed with the actor_key. This detects tampering with the manifest itself.
The manifest records the SHA-256 checksums and sizes of all included files. During restoration, the checksums of all files are verified.
{
"files": [
{ "path": "config.toml", "sha256": "a1b2c3...", "size_bytes": 1024 },
{ "path": "identity/actor_key", "sha256": "d4e5f6...", "size_bytes": 256 }
]
}
Restore verifies that the manifest's signer_public_key field matches the public key from the identity/actor_key file in the bundle. Even if an attacker replaces both the manifest and signer_public_key, the mismatch with the actor_key in the bundle will be detected. The checksum of actor_key itself is also included in the manifest, providing circular protection.
If files not listed in the manifest are present in the bundle, the restore is rejected. This prevents file injection by an attacker.
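An added sketch of the checksum, size and unlisted-file checks described above (not Starweft's implementation). It assumes `files` sits at the top level of manifest.json as in the sample, builds a constructed bundle in a temporary directory, and skips the Ed25519 signature and signer_public_key checks, which a real restore must pass before these file checks mean anything.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def verify_bundle(bundle):
    """Return a list of problems; an empty list means the file checks pass."""
    bundle = Path(bundle)
    # Assumed layout: "files" at the top level, as in the sample above.
    manifest = json.loads((bundle / "manifest.json").read_text())
    problems, listed = [], set()
    for entry in manifest["files"]:
        rel = entry["path"]
        listed.add(rel)
        target = bundle / rel
        if not target.is_file():
            problems.append(f"{rel}: listed but missing")
            continue
        data = target.read_bytes()
        if len(data) != entry["size_bytes"]:
            problems.append(f"{rel}: size mismatch")
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"{rel}: sha256 mismatch")
    # Anything on disk that the manifest does not list is treated as injected.
    for path in sorted(bundle.rglob("*")):
        rel = path.relative_to(bundle).as_posix()
        if path.is_file() and rel != "manifest.json" and rel not in listed:
            problems.append(f"{rel}: not listed in manifest")
    return problems

def make_bundle(root, files):
    """Write constructed files plus a matching manifest.json under root."""
    entries = []
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        entries.append({"path": rel, "sha256": hashlib.sha256(data).hexdigest(),
                        "size_bytes": len(data)})
    (Path(root) / "manifest.json").write_text(json.dumps({"files": entries}))

def demo():
    with tempfile.TemporaryDirectory() as root:
        make_bundle(root, {"config.toml": b"name = 'node'\n", "ledger/node.db": b"\x00" * 64})
        clean = verify_bundle(root)
        (Path(root) / "config.toml").write_bytes(b"name = 'evil'\n")  # same size, new hash
        (Path(root) / "artifacts").mkdir()
        (Path(root) / "artifacts" / "extra.bin").write_bytes(b"x")  # unlisted file
        return clean, verify_bundle(root)
```

The same-size edit to config.toml shows why the size check alone is not enough: only the SHA-256 comparison catches it.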
Restoring a Backup
starweft backup restore --input ~/starweft-backup
During restoration, the following verifications are automatically performed.
- Confirm the existence of manifest.json and its format version (starweft-local-backup/v1)
- Ed25519 verification of the manifest signature
- Confirm that signer_public_key matches the actor_key in the bundle
- Verify SHA-256 checksums and sizes of all files
- Confirm that no files outside the manifest are present
- If an existing identity is present at the restore destination, confirm it matches the signer
# Forcibly restore a backup from a different node
starweft backup restore --input ~/starweft-backup --force
Overwriting Existing Data
Without the --force flag, an error is raised if existing files are found at the restore destination. Specifying --force overwrites the existing data.
Recommended Workflow
Regular auditing and backups help maintain data integrity.
starweft audit verify-log
Confirm that no issues are found.
starweft backup create --output ~/starweft-backup-$(date +%Y%m%d)
If projections are corrupted, first try rebuild-projections.
starweft repair rebuild-projections
If the event log itself has issues, restore from a backup.
starweft backup restore --input ~/starweft-backup-20260315 --force
Related Pages
Integrity guarantees through Ed25519 signing and Canonical JSON
Ed25519 key generation, storage, and exchange methods