tgss-mem

Geometric Memory Manager — TTI.TOOL.TGSS-MEM-001

Memory #107 CURRENT

DEV-RECOVERY-001 Design and Succession Plan

Personal Recovery Prime (Mark) + Arthur Hewitt proxy + Jason Aufdermaur trustee, 72hr veto, 6mo time-bomb — single-key dev-only recovery scaffolding for PrIA nodes

Design decisions for `GCD.SPEC.DEV-RECOVERY-001` agreed 2026-04-25, before drafting begins. This is dev-only recovery scaffolding to bridge the period before production 7-of-12 authority-tier rings exist; spec carries an explicit sunset clause.

**Why:** During development, Mark needs a single-signature path to restore a PrIA node (re-issue genesis or replace chain from snapshot) without the production 7-of-12 quorum, which doesn't exist yet. The arrangement must be cryptographically bound to Mark's authority, survive Mark's incapacitation through a controlled proxy, and self-retire automatically.

**How to apply:** When drafting DEV-RECOVERY-001, when reviewing related onboarding/recovery flows, or when a future maintenance pass touches the dev-recovery code path. The spec's sunset clause is the criterion for deletion — three conditions, all checkable.

## Authority Structure

- **Mark S. Hewitt** — primary Personal Recovery Prime (PRP). YubiKey carries `DEV_RECOVERY_AUTHORITY_GRANT`. Can sign `DEV_RECOVERY_RESTORE` HLRs directly. Holds the burn key (separate keypair, offline).
- **Arthur Hewitt** (Mark's son) — designated proxy. YubiKey held in trust by Jason. Carries `DEV_RECOVERY_PROXY_GRANT`. Cannot sign a restore on his own; requires Jason's co-attestation in-chain.
- **Jason Aufdermaur** (CEO of GCD + licensed Attorney) — trustee + co-signer. Holds Arthur's YubiKey in trust per the trust instrument. Carries a narrow `DEV_RECOVERY_PROXY_TRUSTEE_GRANT` whose only capability is signing `DEV_RECOVERY_PROXY_ATTESTATION` HLRs (Mark's broader signing authorities cannot accidentally trigger). Attestation declares (a) Mark incapacitated/unavailable, (b) Arthur designated successor, (c) recovery operation authorized.

## Mechanism

- **Event types** (private range 0x90-0xFF):
  - `0x91` `DEV_RECOVERY_AUTHORITY_GRANT` — issued at genesis, scopes Mark's PRP to a specific node_identity
  - `0x92` `DEV_RECOVERY_BURN` — Mark-signed only, idempotent retirement
  - `0x93` `DEV_RECOVERY_PROXY_GRANT` — Arthur's grant, also scoped to node_identity
  - `0x94` `DEV_RECOVERY_PROXY_TRUSTEE_GRANT` — Jason's narrow attestation authority
  - `0x95` `DEV_RECOVERY_PROXY_ATTESTATION` — Jason-signed activation declaration
  - `0x96` `DEV_RECOVERY_PROXY_VETO` — Mark-signed cancellation, valid only within 72hr window
  - `0x97` `DEV_RECOVERY_RESTORE` — ARCHIVE-class HLR carrying snapshot/genesis payload
- **Restore scope:** both re-issue-genesis (full bootstrap from nothing) AND replace-chain-from-snapshot. Snapshot-only narrowing becomes a sunset condition once snapshots are reliable.
- **72-hour veto window:** Arthur's `RESTORE` is rejected if its timestamp is less than 72 hours after Jason's `PROXY_ATTESTATION`. During that window Mark can publish `PROXY_VETO` to cancel. Defends against duress / mistaken attestation.
- **6-month time-bomb:** all three grants (`AUTHORITY_GRANT`, `PROXY_GRANT`, `PROXY_TRUSTEE_GRANT`) carry `valid_until_ns`. Verifiers reject after expiry regardless of burn status. Re-issuance ceremony reissues all three together. Fail-closed: if Mark is incapacitated AND nobody re-issues AND the time-bomb expires, the PRP self-retires — by then production redundancy must exist.
- **Burn key with Mark only:** voluntary retirement is not on the emergency path. Emergency goes through Arthur+Jason; burn is for "production is ready, we don't need this anymore."

## Production Fences (Three Layers)

1. `node_identity.node_class ∈ {dev, prod}` — set at genesis, immutable. Prod-class nodes reject all `0x90-0xFF` event types at the verifier, full stop.
2. Code lives in its own package `pria_core.dev_recovery`, gated by build flag `LYDIAN_DEV_RECOVERY_ENABLED` (default false). Production builds exclude the import entirely.
3. Spec §1 carries a **Sunset clause** with three checkable conditions:
   - All production nodes are 7-of-12-quorum-capable
   - Any active PRP has been burned (or all time-bombs expired)
   - The `pria_core.dev_recovery` package is removed from the codebase

   When all three are true, DEV-RECOVERY-001 is retired in a single PR.

## Two-Layer Authority

- **Cryptographic** (in spec): event-type rules, time-bomb, veto window. Chain enforces "Arthur alone is inert", "everything self-retires."
- **Legal** (outside spec, in trust instrument): conditions Jason uses to determine incapacity, successor designation for Arthur, YubiKey custody terms. Spec references "the trust instrument" but doesn't define it — that lives with Mark's estate planning.

## Companion Memory

- `project_v22_gate_status.md` — V2.3 just landed at Genesis@4e5d600 / lydian-node-specs@12baffa
- `feedback_frame_class_alignment.md` — DEV_RECOVERY_RESTORE is ARCHIVE-class per the same alignment principle

— [project_dev_recovery_design.md]
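An added example, not part of the memo or of `pria_core.dev_recovery`: a minimal Python model of the verifier rules described under Mechanism and Production Fences (prod fence, time-bomb, burn, 72-hour veto window). The `Event` shape, the role labels `prime`/`proxy`/`trustee`, upstream signature verification, a burn blocking later restores, and the boundary choices (restore accepted at exactly 72 hours, veto counted only before that instant) are assumptions.

```python
from dataclasses import dataclass

# Event-type codes are from the memo; the Event shape and role labels are assumed.
AUTHORITY_GRANT, BURN, PROXY_GRANT, TRUSTEE_GRANT = 0x91, 0x92, 0x93, 0x94
ATTESTATION, VETO, RESTORE = 0x95, 0x96, 0x97
HOUR_NS = 3600 * 10**9
VETO_WINDOW_NS = 72 * HOUR_NS

@dataclass(frozen=True)
class Event:
    etype: int
    who: str  # grantee (grants) or verified signer: "prime", "proxy", "trustee"
    ts_ns: int
    valid_until_ns: int = 0  # time-bomb, set only on the three grants

def check_restore(node_class, chain, restore):
    """Return (accepted, reason) for a RESTORE judged against earlier chain events."""
    if node_class != "dev":
        return False, "prod node rejects 0x90-0xFF"
    prior = [e for e in chain if e.ts_ns <= restore.ts_ns]
    def live(etype, who, at_ns):  # grant issued and not past its time-bomb at at_ns
        return any(e.etype == etype and e.who == who
                   and e.ts_ns <= at_ns < e.valid_until_ns for e in prior)
    if any(e.etype == BURN and e.who == "prime" for e in prior):
        return False, "burned"
    if restore.who == "prime":
        ok = live(AUTHORITY_GRANT, "prime", restore.ts_ns)
        return ok, "prime grant live" if ok else "prime grant missing or expired"
    if restore.who != "proxy" or not live(PROXY_GRANT, "proxy", restore.ts_ns):
        return False, "no live grant for signer"
    reason = "no trustee attestation"
    for a in (e for e in prior if e.etype == ATTESTATION and e.who == "trustee"):
        if not live(TRUSTEE_GRANT, "trustee", a.ts_ns):
            reason = "attestation without live trustee grant"
        elif restore.ts_ns - a.ts_ns < VETO_WINDOW_NS:
            reason = "inside 72h veto window"
        elif any(v.etype == VETO and v.who == "prime"
                 and a.ts_ns <= v.ts_ns < a.ts_ns + VETO_WINDOW_NS for v in prior):
            reason = "vetoed by prime"
        else:
            return True, "attested, window elapsed, no veto"
    return False, reason

# Constructed sample chain: grants at t=0 expiring after ~6 months, attestation at t=100h.
EXPIRY_NS = 183 * 24 * HOUR_NS
SAMPLE_CHAIN = [Event(AUTHORITY_GRANT, "prime", 0, EXPIRY_NS),
                Event(PROXY_GRANT, "proxy", 0, EXPIRY_NS),
                Event(TRUSTEE_GRANT, "trustee", 0, EXPIRY_NS),
                Event(ATTESTATION, "trustee", 100 * HOUR_NS)]
```

With the sample chain, a proxy-signed restore at 171h is rejected as inside the window and one at 172h is accepted; appending a prime-signed `VETO` at 120h turns the later restore into a rejection.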

Composite: 5784ADD3F2FFEFDB3
Project prime: 13
Domain prime: 1D
Type prime: 67
Importance: 0.343295 (ACTIVE)
Decay epoch: 0
Created: 2026-05-04 15:46:49
Valid from: (unset)
Valid to: NULL — still believed true

Outgoing Edges

No outgoing edges.
