Verifier System

Failure modes

A failed verification is useful evidence. It tells a reviewer which guarantee is missing or contradicted instead of silently presenting a weak history as complete.

Verification fails

Treat a failed verification report as a blocker for relying on that bundle until the reason is understood. The report should identify the object kind, failed check, and affected artifact path.

{
  "ok": false,
  "kind": "bundle",
  "problems": [
    {
      "code": "wrong_witness_signature",
      "path": "witnesses[2].signature",
      "message": "Witness signature does not verify for the checkpoint statement."
    }
  ]
}

Witness quorum is missing

Missing quorum means the stream may still have valid receipts and checkpoints, but it has not satisfied the witness policy for the selected range. Wait for witnesses to recover or export a range whose policy is satisfied.

Fork evidence appears

Fork evidence means conflicting checkpoint histories were observed. The verifier rejects ambiguous history. A tenant operator should stop relying on the affected stream range until the source of the conflict is investigated and a new accepted range is produced.

Bundle is incomplete

An incomplete bundle lacks one or more artifacts needed by policy: receipts, windows, checkpoints, witness statements, anchors, manifest hashes, or verifier metadata. The recipient should request a complete bundle rather than manually filling gaps.

Connector reliability issues

Connector failures do not invalidate earlier accepted events, but they can create gaps in source coverage. Review connector status, idempotency conflicts, retry results, and source-system delivery logs before relying on the affected period.