This document lists every possible runtime failure, how to detect it, how the system responds, and how to recover.
Failure: dApp attempts to use capability not declared in manifest.
Detection:
- `capabilityGuard()` throws error
- Error message: "Capability denied: dappId has not declared capability"
Response:
- Execution immediately stopped
- Error returned to caller
- No receipt generated
Recovery:
- Update manifest to declare capability
- Re-execute intent
Failure: dApp attempts to use capability without permission grant.
Detection:
- `hasPermission()` returns false
- Check happens before execution
Response:
- Execution blocked
- Permission request returned: `{ type: 'permission_request', dappId, capability }`
- UI shows permission modal
Recovery:
- User grants permission
- Intent execution retried
- Permission stored in `permissions:<identity>`
Failure: Manifest declares capability not in CAPABILITY_SCHEMA.
Detection:
- `validateCapabilities()` returns false
- Manifest validation fails
Response:
- Manifest rejected
- dApp not loaded
- Router skips dApp during resolution
Recovery:
- Remove invalid capability from manifest
- Or add capability to `CAPABILITY_SCHEMA` (requires protocol version bump)
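The three checks above (schema validation at load, the capability guard, and the permission lookup) in the order the runtime applies them, as an added example that is not the project's own code. The schema contents, the manifest shape, the registry and the `"<dappId>:<capability>"` grant encoding are assumptions for the demo.

```javascript
// Constructed definitions, not the project's own: CAPABILITY_SCHEMA is the set of capability
// ids this protocol version knows; a manifest carries dappId and a capabilities array; grants
// are stored per identity under the key `permissions:<identity>` as "<dappId>:<capability>".
const CAPABILITY_SCHEMA = new Set(['storage.read', 'storage.write', 'network.request']);

// Manifest validation: every declared capability must exist in CAPABILITY_SCHEMA.
function validateCapabilities(manifest) {
  return Array.isArray(manifest.capabilities) &&
    manifest.capabilities.every((c) => CAPABILITY_SCHEMA.has(c));
}

// Load step: an invalid manifest is rejected and the dApp is never registered.
function loadDApp(registry, manifest) {
  if (!validateCapabilities(manifest)) throw new Error(`Invalid manifest: ${manifest.dappId}`);
  registry.set(manifest.dappId, manifest);
}

// Guard: an undeclared capability is a hard error, so execution never starts.
function capabilityGuard(manifest, capability) {
  if (!manifest.capabilities.includes(capability)) {
    throw new Error(`Capability denied: ${manifest.dappId} has not declared ${capability}`);
  }
}

const grantKey = (identity) => `permissions:${identity}`;
function hasPermission(permissions, identity, dappId, capability) {
  const grants = permissions.get(grantKey(identity));
  return grants !== undefined && grants.has(`${dappId}:${capability}`);
}
function grantPermission(permissions, identity, dappId, capability) {
  if (!permissions.has(grantKey(identity))) permissions.set(grantKey(identity), new Set());
  permissions.get(grantKey(identity)).add(`${dappId}:${capability}`);
}

// Intent execution: guard first, then the grant check; a missing grant yields a
// permission_request for the UI instead of running the dApp (no receipt either way).
function executeIntent(registry, dappId, capability, permissions, identity, run) {
  const manifest = registry.get(dappId);
  if (!manifest) throw new Error(`Unknown dApp: ${dappId}`);
  capabilityGuard(manifest, capability);
  if (!hasPermission(permissions, identity, dappId, capability)) {
    return { type: 'permission_request', dappId, capability };
  }
  return { type: 'result', value: run() };
}
```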
Failure: Receipt version doesn't match RECEIPT_VERSION.
Detection:
- Receipt verification checks `receipt.version`
- Comparison: `receipt.version !== RECEIPT_VERSION`
Response:
- Receipt verification fails
- Chain import rejected
- Replay fails
Recovery:
- Cannot recover (version incompatibility)
- Must upgrade runtime or downgrade receipts
Failure: State root version doesn't match STATE_ROOT_VERSION.
Detection:
- State root computation checks version
- Comparison: `stateRoot.version !== STATE_ROOT_VERSION`
Response:
- State root computation fails
- Snapshot import rejected
Recovery:
- Cannot recover (version incompatibility)
- Must upgrade runtime or use compatible snapshot
Failure: Capability schema version doesn't match CAPABILITY_VERSION.
Detection:
- Boot-time check in `invariants.js`
- Comparison: `CAPABILITY_VERSION !== 2`
Response:
- Runtime initialization fails
- Boot aborted
Recovery:
- Fix capability version constant
- Reboot runtime
Failure: Protocol version doesn't match PROTOCOL_VERSION.
Detection:
- Attestation verification
- Snapshot import verification
Response:
- Attestation verification fails
- Snapshot import rejected
- Federation sync fails
Recovery:
- Cannot recover (version incompatibility)
- Must use compatible protocol version
Failure: Receipt's previousReceiptHash doesn't match previous receipt's hash.
Detection:
- Chain verification: `receipt[n].previousReceiptHash !== receipt[n-1].receiptHash`
- First receipt: `previousReceiptHash !== null`
Response:
- Chain verification fails
- Replay stops at broken link
- Safe mode entered
Recovery:
- Find last valid receipt
- Truncate chain to last valid receipt
- Re-execute from that point
Failure: Receipt hash doesn't match recomputed hash.
Detection:
- Chain verification recomputes hash
- Comparison: `recomputedHash !== receipt.receiptHash`
Response:
- Receipt verification fails
- Chain verification fails
- Safe mode entered
Recovery:
- Receipt corrupted
- Must restore from backup or truncate chain
Failure: Receipt signature doesn't verify with public key.
Detection:
- Ed25519 signature verification fails
- `crypto.subtle.verify()` returns false
Response:
- Receipt verification fails
- Chain verification fails
- Safe mode entered
Recovery:
- Receipt tampered or key mismatch
- Must restore from backup or truncate chain
Failure: Input hash doesn't match canonicalized input payload.
Detection:
- Chain verification recomputes input hash
- Comparison: `recomputedInputHash !== receipt.inputHash`
Response:
- Receipt verification fails
- Chain verification fails
Recovery:
- Input payload corrupted
- Must restore from backup
Failure: Result hash doesn't match canonicalized result during replay.
Detection:
- Replay recomputes result hash
- Comparison: `recomputedResultHash !== receipt.resultHash`
Response:
- Replay fails
- Nondeterminism detected
- Safe mode entered
Recovery:
- Execution not deterministic
- Must fix nondeterministic code
- Re-execute from that point
Failure: Computed state root doesn't match receipt's state root.
Detection:
- Before execution: `computedRoot !== receipt.previousStateRoot`
- After execution: `computedRoot !== receipt.nextStateRoot`
- During replay: `computedRoot !== receipt.nextStateRoot`
Response:
- Integrity lock check fails
- Safe mode entered
- Execution blocked
Recovery:
- State corruption detected
- Restore from snapshot
- Or replay from last valid state root
Failure: dApp code hash doesn't match boot-time hash.
Detection:
- `verifyDAppCodeHash()` compares current vs boot hash
- Comparison: `currentHash !== bootHash`
Response:
- Safe mode entered
- dApp execution blocked
Recovery:
- Code drift detected
- Restore original dApp code
- Or update boot hash (if intentional)
Failure: Current state root doesn't match boot-time state root.
Detection:
- `checkIntegrityLock()` compares state roots
- Comparison: `currentRoot !== bootRoot`
Response:
- Safe mode entered
- State-changing operations disabled
Recovery:
- State corruption detected
- Restore from snapshot
- Or replay from boot state
Failure: dApp uses Date.now() during execution (not frozen).
Detection:
- Nondeterministic execution
- Replay produces different result hash
- State root mismatch during replay
Response:
- Replay fails
- Nondeterminism detected
- Safe mode entered
Recovery:
- Fix dApp to use frozen timestamp
- Re-execute from that point
Failure: dApp uses Math.random() directly (not seeded).
Detection:
- Nondeterministic execution
- Replay produces different result hash
- State root mismatch during replay
Response:
- Replay fails
- Nondeterminism detected
- Safe mode entered
Recovery:
- Fix dApp to use seeded PRNG
- Re-execute from that point
Failure: Network request made but response not sealed in receipt.
Detection:
- Replay makes live network call
- Different response received
- Result hash mismatch
Response:
- Replay fails
- Nondeterminism detected
Recovery:
- Fix dApp to use `network.request` capability
- Re-execute from that point
Failure: dApp uses blocked async API (setTimeout, fetch, etc.).
Detection:
- Async blocker throws error
- Error message: "setTimeout blocked during deterministic execution"
Response:
- Execution immediately stopped
- Error returned
- No receipt generated
Recovery:
- Fix dApp to avoid async APIs
- Re-execute intent
Failure: Attempt to store non-canonical JSON value.
Detection:
validateCanonicalJson()throws error- Error message: "Non-canonical JSON value rejected"
Response:
- Storage write rejected
- Error thrown
- No state mutation
Recovery:
- Fix value to be canonical JSON
- Retry storage write
Failure: Storage data corrupted or invalid.
Detection:
- Storage read returns invalid data
- State root computation fails
- Receipt chain read fails
Response:
- State root mismatch
- Safe mode entered
Recovery:
- Restore from snapshot
- Or restore from backup
Failure: dApp module fails to load.
Detection:
- `import(modulePath)` throws error
- Error: "Failed to load module"
Response:
- Execution fails
- Error returned
- No receipt generated
Recovery:
- Fix module path
- Fix module syntax errors
- Re-execute intent
Failure: dApp manifest fails validation.
Detection:
- `validateManifest()` returns false
- Error: "Invalid manifest"
Response:
- Manifest rejected
- dApp not loaded
- Router skips dApp
Recovery:
- Fix manifest structure
- Fix capability declarations
- Re-install dApp
Failure: dApp attempts to load module outside dapps/ directory.
Detection:
- Path validation: `modulePath.indexOf('..') !== -1`
- Path validation: `modulePath` not under `dapps/`
Response:
- Execution fails
- Error: "Path traversal detected"
- No receipt generated
Recovery:
- Fix module path
- Re-execute intent
Failure: dApp's run() function throws error.
Detection:
- `dApp.run()` throws exception
- Error caught by router
Response:
- Execution fails
- Error returned
- No receipt generated
Recovery:
- Fix dApp code
- Re-execute intent
Failure: Local and remote state roots differ.
Detection:
- `compareStateRoots()` detects mismatch
- Divergence: `localRoot !== remoteRoot`
Response:
- Sync fails
- Divergence logged
Recovery:
- Find divergence point
- Merge chains if possible
- Or choose one chain to keep
Failure: Imported receipt chain fails verification.
Detection:
- Chain verification fails
- Structural or signature verification fails
Response:
- Import rejected
- Local chain unchanged
Recovery:
- Fix remote chain
- Or use different peer
Failure: Chain merge fails after replay.
Detection:
- Replay produces different state root
- State root doesn't match peer's
Response:
- Merge rejected
- Local chain unchanged
Recovery:
- Cannot merge (nondeterminism)
- Keep local chain
- Or investigate divergence cause
Failure: Snapshot version doesn't match expected version.
Detection:
- `importSnapshot()` checks version
- Comparison: `snapshot.version !== 1`
Response:
- Import rejected
- Error: "Unsupported snapshot version"
Recovery:
- Use compatible snapshot version
- Or upgrade snapshot format
Failure: Snapshot protocol version doesn't match runtime.
Detection:
- Protocol version comparison
- Capability version comparison
- Receipt version comparison
Response:
- Import rejected
- Error: "Protocol version mismatch"
Recovery:
- Use compatible snapshot
- Or upgrade runtime
Failure: Restored state root doesn't match snapshot's state root.
Detection:
- After restore: `computedRoot !== snapshot.stateRoot`
Response:
- Rollback triggered
- Storage restored to pre-import state
- Error thrown
Recovery:
- Snapshot corrupted
- Use different snapshot
- Or restore from receipt chain
Failure: Boot-time invariant check fails.
Detection:
- `invariants.js` assertion fails
- Error: "Invariant: ..."
Response:
- Runtime initialization fails
- Boot aborted
Recovery:
- Fix invariant violation
- Reboot runtime
Failure: Replay determinism check fails at boot.
Detection:
- `replayDeterminismCheck()` detects nondeterminism
- Last receipt replay produces different state root
Response:
- Boot fails
- Safe mode entered
Recovery:
- Fix nondeterministic code
- Or truncate chain to last deterministic receipt
- Reboot
Failure: State reconstruction fails at boot.
Detection:
- `reconstructAndVerify()` fails
- Receipt chain verification fails
Response:
- Boot fails
- Safe mode entered
Recovery:
- Fix receipt chain corruption
- Or restore from snapshot
- Reboot
| Failure | Detection | Response | Recovery |
|---|---|---|---|
| Undeclared capability | capabilityGuard() | Execution stopped | Update manifest |
| Permission denied | hasPermission() | Permission request | Grant permission |
| Receipt hash mismatch | Chain verification | Safe mode | Restore from backup |
| State root mismatch | Integrity lock | Safe mode | Restore from snapshot |
| Code hash mismatch | verifyDAppCodeHash() | Safe mode | Restore code |
| Nondeterminism | Replay verification | Safe mode | Fix code |
| Storage corruption | State root check | Safe mode | Restore from backup |
| Module load failure | import() | Execution fails | Fix module |
| Chain divergence | compareStateRoots() | Sync fails | Merge or choose |
When safe mode is entered:
- State-changing operations disabled
- Only diagnostic operations allowed
- Receipt generation blocked
- dApp execution blocked (except system intents)
Safe mode triggers:
- Core hash mismatch
- State root mismatch
- Code hash mismatch
- Receipt chain corruption
- Replay verification failure
- Integrity lock failure
Exiting safe mode:
- Restore from snapshot
- Fix corruption
- Reboot runtime
- Runtime Invariants - What must be true
- Test Coverage - Test coverage
- Debugging Guide - How to debug failures