Integrity Verification
Context Nest uses SHA-256 hash chains to make version history tamper-evident.
Hash types
| Hash | Scope | What it proves |
|---|---|---|
content_hash | Single version | The document content hasn’t changed |
chain_hash | Version chain | No versions have been inserted, removed, or reordered |
checkpoint_hash | Checkpoint | The checkpoint hasn’t been modified |
| Cross-chain binding | Checkpoint ↔ document | Document chain hashes match what the checkpoint recorded |
How chain hashes work
v1: chain_hash = SHA256(content_hash_v1)
v2: chain_hash = SHA256(chain_hash_v1 + content_hash_v2)
v3: chain_hash = SHA256(chain_hash_v2 + content_hash_v3)Each version’s chain hash depends on all previous versions. Changing any version invalidates all subsequent chain hashes.
Verification
ctx verify # Verify all hash chains
ctx verify --json # JSON output for CI integrationVerification checks:
- Each document’s content hash matches the stored content
- Each chain hash is correctly derived from the previous chain hash + content hash
- Each checkpoint’s document chain hashes match the actual document histories
CI integration
Run ctx verify in your CI pipeline to ensure vault integrity on every commit:
# GitHub Actions example
- name: Verify vault integrity
run: ctx verifyVerification is idempotent and read-only — it produces no file changes.
Last updated on