Skip to content

Check off exploration 0243 (account validation & recovery — complete)#342

Merged
crs48 merged 1 commit into
mainfrom
claude/0243-resolve
Jun 29, 2026
Merged

Check off exploration 0243 (account validation & recovery — complete)#342
crs48 merged 1 commit into
mainfrom
claude/0243-resolve

Conversation

@crs48

@crs48 crs48 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Marks exploration 0243 complete: renames [_][x], records a Resolution summary of everything shipped, and reframes the last item (P3.1) from "implement custodial escrow" to a documented decision to decline it.

Why P3.1 is "done" by being declined

A WorkOS-gated KMS escrow that recovers from a login alone would make xNet coercible — a subpoena or a compromised WorkOS account would reach user data, the opposite of this exploration's guarantee. Following Apple's model (ADP holds no key; recovery via a user-held key + recovery contacts), we shipped the non-coercible alternative instead — configurable trusted-guardian social recovery (Shamir; #337/#339/#341), entirely user-to-user. A privacy-preserving escrow engine (#335) remains for a future Apple-grade ZK-PIN + rate-limiting-HSM design if a concrete enterprise need ever arises; the naive custodial variant is intentionally not built.

Delivered across 17 PRs

Validation hardening · recovery phrase + synced passkey + guardian social recovery + Settings management · account/device ledger (schemas, ops, binding→account, content-key re-wrap) · privacy-preserving escrow engine · Apple-reframed escrow design note. 13/13 implementation, 9/9 validation.

Docs-only → skip-changelog.

🤖 Generated with Claude Code

All 13 implementation + 9 validation items resolved across 17 PRs. P3.1 (custodial
escrow) is recorded as a deliberate DECISION to decline — it would make xNet
coercible — in favor of the non-coercible social-recovery (guardians) path, per the
Apple-reframed design note. Renames the exploration [_] -> [x] and adds a Resolution
summary of everything that shipped.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: xNet Test <test@xnet.dev>
@crs48 crs48 temporarily deployed to pr-342 June 29, 2026 03:17 — with GitHub Actions Inactive
@crs48 crs48 added the skip-changelog Exclude this PR from the changelog label Jun 29, 2026
@crs48 crs48 merged commit b87bc26 into main Jun 29, 2026
3 of 5 checks passed
@crs48 crs48 deleted the claude/0243-resolve branch June 29, 2026 03:18
@github-actions

Copy link
Copy Markdown
Contributor

Preview removed for PR #342.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-changelog Exclude this PR from the changelog

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant