Skip to content

Reject recovery member changes during recovery#7980

Open
Copilot wants to merge 16 commits into
mainfrom
copilot/add-test-member-encryption-keys
Open

Reject recovery member changes during recovery#7980
Copilot wants to merge 16 commits into
mainfrom
copilot/add-test-member-encryption-keys

Conversation

Copilot AI commented Jun 24, 2026
edited by eddyashton
Loading

Copy link
Copy Markdown
Contributor

Closes #4573.

Recovery member changes during public recovery can re-share current ledger secrets, but cannot rekey the at-recovery secrets users depend on. This makes adding/removing recovery members, changing threshold, or refreshing shares during recovery misleading and now rejected.

  • Governance validation

    • Reject set_member during recovery when the input includes an encryption key or the existing member has one.
    • Reject remove_member during recovery when the target member has an encryption key.
    • Reject set_recovery_threshold, trigger_recovery_shares_refresh, and trigger_ledger_rekey while recovering.

  • Native enforcement

    • Reject activating recovery members via /ack during recovery.
    • Reject native recovery-share refresh and JS-triggered share refresh/rekey while the service is recovering.

  • Coverage and docs

    • Added an e2e recovery test for validate-time and apply-time rejection paths.
    • Documented the recovery-member limitation in the governance FAQ.
    • Added a CHANGELOG entry.

@achamayou
Restrict recovery member changes
50ce68c 
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Copilot AI changed the title [WIP] Add test for adding/removing members with share encryption keys in public recovery Reject recovery member changes during recovery Jun 24, 2026
Copilot AI requested a review from achamayou June 24, 2026 21:37
@achamayou

achamayou commented Jun 25, 2026

Copy link
Copy Markdown
Member

@copilot fix formatting and update changelog to clarify which constitution actions users are expected to update, and that making these changes during recovery was always potentially unsafe, and that the change in behaviour is that they now correctly trigger an error.

@achamayou
Address recovery changelog feedback
d73da2c 
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>

Copilot AI commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

@copilot fix formatting and update changelog to clarify which constitution actions users are expected to update, and that making these changes during recovery was always potentially unsafe, and that t...

Addressed in d73da2c: applied C++ formatting and expanded the changelog entry to identify the custom constitution actions to update and clarify that the unsafe behavior now correctly errors.

@achamayou achamayou marked this pull request as ready for review June 25, 2026 12:36
@achamayou achamayou requested a review from a team as a code owner June 25, 2026 12:36
Copilot AI review requested due to automatic review settings June 25, 2026 12:36
@achamayou achamayou added the run-long-test Run Long Test job label Jun 25, 2026
achamayou
achamayou reviewed Jun 25, 2026
View reviewed changes
Comment thread CHANGELOG.md Outdated

Copilot AI commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

@achamayou I've opened a new pull request, #7984, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Jun 25, 2026
Merged
Copilot AI added a commit that referenced this pull request Jun 25, 2026
@achamayou
Move #7980 changelog entry to new 7.0.7 section
2c46a97 
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Copilot AI reviewed Jun 25, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens recovery workflows by rejecting governance operations that would (misleadingly) appear to succeed during public recovery, specifically changes to recovery members/shares/threshold that cannot safely affect “at-recovery” secrets.

Changes:

  • Adds validation in the sample constitutions to reject recovery-member changes and recovery-share operations while the service is recovering.
  • Adds native enforcement in C++ to block recovery share refresh, recovery-member activation via /ack, and recovery-threshold updates during recovery.
  • Adds an e2e recovery test, documents the limitation in the governance FAQ, and records the behavior change in the changelog.

Custom instructions used:

  • .github/copilot-instructions.md
  • .github/instructions/reviewing.instructions.md

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
tests/suite/test_suite.py Adds new recovery test to the membership recovery suite.
tests/recovery.py New e2e test covering proposal creation/acceptance/ack rejection during recovery.
src/service/internal_tables_access.h Introduces is_service_recovering() helper and uses it to block threshold changes during recovery.
src/node/node_state.h Blocks native recovery-share refresh during recovery.
src/node/gov/handlers/acks.h Rejects activation of recovery members via /ack during recovery.
src/js/extensions/ccf/node.cpp Adds native JS extension guards to block share refresh / ledger rekey during recovery.
samples/minimal_ccf/app/actions.js Updates sample constitution actions to reject recovery-member/share operations while recovering.
samples/constitutions/default/actions.js Same as above for the default constitution.
doc/governance/common_member_operations.rst Adds FAQ entry documenting the recovery-member limitation during recovery.
CHANGELOG.md Records user-visible behavior change with PR reference.

Comment thread src/js/extensions/ccf/node.cpp
Comment thread src/js/extensions/ccf/node.cpp
Copilot AI and others added 3 commits June 25, 2026 13:45
@achamayou
[WIP] [WIP] Update PR to address comment on 7.0.7 section inclusion (#…
e4d00c8 
…7984)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
@achamayou
Potential fix for pull request finding
ee96f00 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou
Potential fix for pull request finding
7905aa8 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou

achamayou commented Jun 25, 2026

Copy link
Copy Markdown
Member

@copilot fix formatting

@achamayou
Fix release notes check: bump pyproject.toml to 7.0.7
9f166c8 
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>

Copilot AI commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

@copilot fix formatting

Fixed in the latest commit: bumped python/pyproject.toml to 7.0.7 to match the new CHANGELOG section, which was causing the release notes CI check to fail.

Copilot AI requested a review from achamayou June 25, 2026 13:29
@achamayou achamayou removed the run-long-test Run Long Test job label Jun 25, 2026
@achamayou achamayou requested a review from Copilot June 26, 2026 07:02
Copilot AI reviewed Jun 26, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

Comment thread src/service/internal_tables_access.h Outdated
Comment thread samples/minimal_ccf/app/actions.js Outdated
Comment thread samples/constitutions/default/actions.js Outdated
achamayou and others added 5 commits June 26, 2026 09:21
@achamayou
Potential fix for pull request finding
5ce3b8e 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou
Potential fix for pull request finding
83d4c6b 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou
Potential fix for pull request finding
97f9a07 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou
Merge branch 'main' into copilot/add-test-member-encryption-keys
5d04aa7
@achamayou
Merge branch 'main' into copilot/add-test-member-encryption-keys
4470985
@achamayou achamayou requested a review from eddyashton June 26, 2026 19:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@eddyashton eddyashton Awaiting requested review from eddyashton
+1 more reviewer
@achamayou achamayou achamayou approved these changes
Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@achamayou achamayou

Copilot code review Copilot

Labels

READY TO MERGE

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add test that adds/removes members with share encryption keys in public recovery

3 participants

@achamayou