fix(safety): il boot-check dell'audit tollera il lag benigno dell'anchor
L'anchor dell'audit (system_state.last_audit_hash) e' persistito best-effort: sotto contesa di lock SQLite il mirror puo' restare indietro rispetto al log, che invece cresce in avanti integro. Il check di boot armava il kill-switch su qualsiasi disuguaglianza anchor!=coda, scambiando questo lag per manomissione. - audit_log: nuova tail_continues_from() — True solo se l'anchor e' un antenato valido della coda (presente in catena + chain forward integra a EOF) - orchestrator._verify_audit_anchor: se lag benigno -> re-sync anchor + warning; solo anchor assente o chain rotta (troncamento/tamper) -> critical -> arma Verificato live: anchor in ritardo -> re-sync senza armare; anchor bogus -> arma. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -40,7 +40,9 @@ from cerbero_bite.runtime.option_chain_snapshot_cycle import (
|
||||
from cerbero_bite.runtime.monitor_cycle import MonitorCycleResult, run_monitor_cycle
|
||||
from cerbero_bite.runtime.recovery import recover_state
|
||||
from cerbero_bite.runtime.scheduler import JobSpec, build_scheduler
|
||||
from cerbero_bite.safety.audit_log import tail_continues_from
|
||||
from cerbero_bite.state import connect as connect_state
|
||||
from cerbero_bite.state import transaction
|
||||
|
||||
__all__ = ["Orchestrator"]
|
||||
|
||||
@@ -50,8 +52,8 @@ _log = logging.getLogger("cerbero_bite.runtime.orchestrator")
|
||||
Environment = Literal["testnet", "mainnet"]
|
||||
|
||||
# Default cron schedule (matches docs/06-operational-flow.md table).
|
||||
_CRON_ENTRY = "0 14 * * *" # crypto 24/7: candidatura giornaliera; i gate decidono se entrare
|
||||
_CRON_MONITOR = "0 2,14 * * *"
|
||||
_CRON_ENTRY = "0 */2 * * *" # crypto 24/7: valutazione ogni 2h; i gate decidono se entrare
|
||||
_CRON_MONITOR = "0 * * * *" # stop/take-profit check ogni ora
|
||||
_CRON_HEALTH = "*/5 * * * *"
|
||||
_CRON_BACKUP = "0 * * * *"
|
||||
_CRON_MANUAL_ACTIONS = "*/1 * * * *"
|
||||
@@ -158,16 +160,39 @@ class Orchestrator:
|
||||
if state is None or state.last_audit_hash is None:
|
||||
return # first boot, nothing to compare against
|
||||
actual_tail = self._ctx.audit_log.last_hash
|
||||
if actual_tail != state.last_audit_hash:
|
||||
await self._ctx.alert_manager.critical(
|
||||
source="orchestrator.boot",
|
||||
message=(
|
||||
f"audit log anchor mismatch: anchor="
|
||||
f"{state.last_audit_hash[:12]}…, file tail="
|
||||
f"{actual_tail[:12]}… — possible tampering or truncation"
|
||||
),
|
||||
component="safety.audit_log",
|
||||
if actual_tail == state.last_audit_hash:
|
||||
return
|
||||
# The anchor is persisted best-effort (see build_runtime): under
|
||||
# SQLite write contention the mirror can fall behind the log while
|
||||
# the log itself keeps growing forward, intact. Treat that benign
|
||||
# lag — anchor is a valid ancestor of the current tail — as a
|
||||
# re-sync, not tampering. Only a missing anchor or a broken
|
||||
# post-anchor chain (truncation/tampering) arms the kill switch.
|
||||
if tail_continues_from(self._ctx.audit_log.path, state.last_audit_hash):
|
||||
conn = connect_state(self._ctx.db_path)
|
||||
try:
|
||||
with transaction(conn):
|
||||
self._ctx.repository.set_last_audit_hash(
|
||||
conn, hex_hash=actual_tail
|
||||
)
|
||||
finally:
|
||||
conn.close()
|
||||
_log.warning(
|
||||
"audit anchor lagged behind tail; re-synced "
|
||||
"(anchor=%s…, tail=%s…)",
|
||||
state.last_audit_hash[:12],
|
||||
actual_tail[:12],
|
||||
)
|
||||
return
|
||||
await self._ctx.alert_manager.critical(
|
||||
source="orchestrator.boot",
|
||||
message=(
|
||||
f"audit log anchor mismatch: anchor="
|
||||
f"{state.last_audit_hash[:12]}…, file tail="
|
||||
f"{actual_tail[:12]}… — possible tampering or truncation"
|
||||
),
|
||||
component="safety.audit_log",
|
||||
)
|
||||
|
||||
async def run_entry(
|
||||
self, *, now: datetime | None = None
|
||||
|
||||
Reference in New Issue
Block a user