{ "version": "2026-06-02", "title": "QUAD public failure and recovery drill contract", "owner": "uquad.org main website", "source_class": "static public recovery drill contract", "freshness": "Static fallback. Verify any actual drill result on the owning surface before quoting recovery proof.", "boundary": "This file describes recovery-drill proof shape, expected public states, terminal receipts, and non-inference boundaries. It does not prove that any drill has been run live, any route has recovered live, any chain has restarted cleanly, any funds are safe, any custody state is proved, or any market, settlement, launch, sale, reward, allocation, or economic activation is open.", "global_rules": [ "A runbook is not a drill.", "A drill is not closed until it has a terminal receipt or owner-published result.", "Recovery language cannot expand what the failed route originally proved.", "Restored source is not source of truth without compare and rebuild proof.", "Private recovery detail must stay private.", "If the owner result cannot be read, say recovery proof cannot be verified." ], "required_fields": [ "drill_id", "owner_surface", "trigger", "expected_public_state", "recovery_action_class", "terminal_receipt_requirement", "public_summary_shape", "next_public_check", "must_not_infer" ], "drill_states": [ "not_run", "planned", "running", "degraded", "refused", "recovered", "restored", "rolled_back", "quarantined", "cannot_verify" ], "drills": [ { "drill_id": "chain-restart-v1", "owner_surface": "Core, Infra, Bridge, or Liquid", "trigger": "The owning chain process is restarted under a controlled recovery test.", "expected_public_state": "degraded", "recovery_action_class": "restart, resync, compare public status, then publish restored or cannot_verify label.", "terminal_receipt_requirement": "Owner-published restart result, latest readable status, last known block or route state where public, and restored/cannot_verify label.", "public_summary_shape": "Name owner, trigger, degraded window, current public state, last readable evidence, and what remains unverified.", "next_public_check": "https://uquad.org/status.html", "must_not_infer": [ "production topology", "no data loss", "funds safe", "economic activation", "automatic recovery" ] }, { "drill_id": "stale-genesis-home-v1", "owner_surface": "Core, Infra, Bridge, Liquid, wallet, validator, or operator route", "trigger": "A node, wallet, validator, CLI, or indexer uses stale chain metadata, wrong home, or old genesis.", "expected_public_state": "invalid", "recovery_action_class": "reject stale metadata, point to owner-published metadata, and require fresh compare before restoring the claim.", "terminal_receipt_requirement": "Visible invalid/stale label, corrected metadata route, and owner-published restored or cannot_verify state.", "public_summary_shape": "Name chain id, owner route, invalid condition, corrected source, and what cannot be verified from old metadata.", "next_public_check": "https://uquad.org/operators.html", "must_not_infer": [ "chain reset proof", "current block height", "validator failure", "wallet custody", "mainnet activation" ] }, { "drill_id": "relayer-outage-v1", "owner_surface": "Bridge, Infra, Core, Liquid, or external rail", "trigger": "Relayer liveness, gas float, packet delivery, acknowledgement, or timeout observation becomes unavailable.", "expected_public_state": "degraded", "recovery_action_class": "pause stronger movement claims, retry or timeout by owner policy, then publish acknowledgement/refusal/retry state.", "terminal_receipt_requirement": "Packet or route id, outage label, retry/timeout/refusal result, and owner-published acknowledgement where available.", "public_summary_shape": "Name route, dependency, outage state, current packet posture, and what movement claim remains closed.", "next_public_check": "https://uquad.org/dependencies.html", "must_not_infer": [ "destination admission", "open public movement", "host custody", "wrapper minting", "live liquidity" ] }, { "drill_id": "rpc-provider-outage-v1", "owner_surface": "Core, Infra, Bridge, Liquid, indexer, or external provider", "trigger": "RPC, endpoint, explorer, indexer, or host-chain view is unavailable, stale, or conflicting.", "expected_public_state": "cannot_verify", "recovery_action_class": "downgrade current values, compare owner source ladder, and publish restored or cannot_verify state.", "terminal_receipt_requirement": "Endpoint URL or status route, last readable timestamp, conflicting source where public, and restored/cannot_verify label.", "public_summary_shape": "Name owner, affected endpoint, last known status, comparison source, and current verification boundary.", "next_public_check": "https://uquad.org/sources.html", "must_not_infer": [ "chain halt", "current height", "fork resolution", "host custody", "settlement truth" ] }, { "drill_id": "stale-oracle-price-v1", "owner_surface": "Liquid, Bridge, or external market rail", "trigger": "A price, source quorum, venue, route provider, or risk input is stale, paused, unavailable, or below owner confidence.", "expected_public_state": "refused", "recovery_action_class": "refuse quote or route, pause market-facing claim, re-quote only after fresh owner-published input.", "terminal_receipt_requirement": "Quote id or risk label, stale input label, refusal/pause state, and restored/requoted/cannot_verify result.", "public_summary_shape": "Name input, owner, stale state, refusal result, and what market claim remains closed.", "next_public_check": "https://uquad.org/risks.html", "must_not_infer": [ "market activity", "guaranteed execution", "Core worth", "settlement truth", "yield" ] }, { "drill_id": "bad-denom-ingress-v1", "owner_surface": "Core, Bridge, Liquid, wallet metadata, or receiving route", "trigger": "A denom, voucher, wrapper, or fee unit does not match the route contract.", "expected_public_state": "invalid", "recovery_action_class": "refuse, quarantine, re-label, or re-quote by owner contract.", "terminal_receipt_requirement": "Displayed denom, expected denom, route id, invalid/quarantine/refusal label, and owner-published terminal state.", "public_summary_shape": "Name owner, displayed denom, expected denom, refusal/quarantine state, and wallet-label boundary.", "next_public_check": "https://uquad.org/wallets.html", "must_not_infer": [ "spend authority", "redemption", "admission", "yield", "destination acceptance" ] }, { "drill_id": "failed-upload-v1", "owner_surface": "Infra", "trigger": "An upload, proof, retrieval, contract lane, or receipt path fails before accepted storage or verification.", "expected_public_state": "refused", "recovery_action_class": "publish failure label, retry/reissue only by Infra route, and keep missing proof downgraded.", "terminal_receipt_requirement": "Object id or receipt id, visible failure label, retry/refusal/reissue result, and verification route where available.", "public_summary_shape": "Name object or receipt, route, failure state, reissue or refusal result, and payload boundary.", "next_public_check": "https://infra.uquad.org/failures", "must_not_infer": [ "payload loss", "storage acceptance", "provider payout", "Core value", "storage guarantee" ] }, { "drill_id": "missing-payload-v1", "owner_surface": "Infra or support", "trigger": "A receipt exists but the expected payload, retrieval path, proof material, or reconstruction input is missing.", "expected_public_state": "cannot_verify", "recovery_action_class": "verify receipt scope, reissue bounded proof where possible, or keep payload claim downgraded.", "terminal_receipt_requirement": "Receipt id, retrieval/proof route, missing-payload label, reissue/refusal state, and what changed.", "public_summary_shape": "Name receipt, missing material class, owner route, reissue/refusal state, and what the receipt still proves.", "next_public_check": "https://uquad.org/support.html", "must_not_infer": [ "payload truth", "payload custody", "storage acceptance", "expanded receipt meaning", "guaranteed recovery" ] }, { "drill_id": "provider-timeout-v1", "owner_surface": "Infra, Bridge, Liquid, or external provider rail", "trigger": "Provider, relayer, endpoint, route provider, or work lane misses its expected response window.", "expected_public_state": "degraded", "recovery_action_class": "queue, retry, reassign, withhold, dispute, refuse, or downgrade by owner route.", "terminal_receipt_requirement": "Provider public label where available, work/route id, timeout state, dispute/refusal/reassignment result, and terminal receipt where public.", "public_summary_shape": "Name provider class, owner, timeout state, current terminal/retry state, and what entitlement is not created.", "next_public_check": "https://uquad.org/playbooks.html", "must_not_infer": [ "provider payout", "node earning", "allocation", "special privilege", "service guarantee" ] }, { "drill_id": "bridge-host-stale-head-v1", "owner_surface": "Bridge", "trigger": "Bridge host-chain RPC, watcher, source pool, host evidence, or route gate sees stale or conflicting host-chain state.", "expected_public_state": "paused", "recovery_action_class": "pause passage, compare host evidence, refuse or restore by Bridge owner route.", "terminal_receipt_requirement": "Host-evidence id, route id, stale/conflict label, pause/refusal/restored state, and proof route where available.", "public_summary_shape": "Name host lane, route, stale/conflict state, current gate result, and destination-admission boundary.", "next_public_check": "https://bridge.uquad.org/product", "must_not_infer": [ "host asset custody", "destination acceptance", "live swap access", "reserve backing", "production value movement" ] }, { "drill_id": "signer-disabled-v1", "owner_surface": "Bridge, Core, Infra, Liquid, wallet, or operator route", "trigger": "A public action requires a signer, account class, route permission, or authority class that is disabled or unauthorized.", "expected_public_state": "unauthorized", "recovery_action_class": "refuse the action, route to owner account class, and publish disabled/unauthorized state without private signer detail.", "terminal_receipt_requirement": "Public account class, route, disabled/unauthorized label, refusal id where public, and next owner check.", "public_summary_shape": "Name owner, account class, disabled state, refusal result, and private-key boundary.", "next_public_check": "https://uquad.org/custody.html", "must_not_infer": [ "custody", "reserve access", "spendability", "governance right", "private support authority" ] }, { "drill_id": "liquid-venue-pause-v1", "owner_surface": "Liquid or external market rail", "trigger": "A venue, route provider, oracle, wrapper, or settlement input pauses or becomes unavailable.", "expected_public_state": "paused", "recovery_action_class": "refuse or pause motion, keep settlement local to owner truth, and restore only after Liquid-published evidence.", "terminal_receipt_requirement": "Quote/motion/position id, pause label, risk state, settlement-request posture, and restored/refused/cannot_verify state.", "public_summary_shape": "Name Liquid route, pause cause, current risk state, settlement owner, and market-activity boundary.", "next_public_check": "https://liquid.uquad.org/", "must_not_infer": [ "final balance truth", "Core worth", "public market activity", "guaranteed execution", "redemption" ] }, { "drill_id": "packet-timeout-v1", "owner_surface": "Bridge, Infra, Core, Liquid, or external rail", "trigger": "A packet, acknowledgement, receipt export, route handoff, or fallback movement exceeds its timeout policy.", "expected_public_state": "expired", "recovery_action_class": "publish timeout, retry/refuse/quarantine by owner route, and avoid destination claims until acknowledged.", "terminal_receipt_requirement": "Packet or route id, timeout label, retry/refusal/quarantine result, and acknowledgement where available.", "public_summary_shape": "Name packet, source, destination, timeout result, and what destination claim remains unproved.", "next_public_check": "https://uquad.org/data/failure-matrix.json", "must_not_infer": [ "destination admission", "successful transfer", "settlement", "host custody", "live interop" ] }, { "drill_id": "duplicate-receipt-v1", "owner_surface": "Core, Infra, Bridge, Liquid, or support", "trigger": "A receipt, request, quote, packet, or action id is submitted or observed twice.", "expected_public_state": "duplicate", "recovery_action_class": "point to original record, refuse replay where required, and avoid creating a second meaning.", "terminal_receipt_requirement": "Duplicate id, original id where public, duplicate/refusal label, and owner route.", "public_summary_shape": "Name duplicate id, original record, owner, replay/refusal state, and what second event is not created.", "next_public_check": "https://uquad.org/errors.html", "must_not_infer": [ "second payment accepted", "second settlement", "new allocation", "new receipt meaning", "bypass authority" ] }, { "drill_id": "public-site-stale-export-v1", "owner_surface": "Main website", "trigger": "The main-domain source, launch-current export, zip, manifest, summary, assistant guide, sitemap, or live site falls out of alignment.", "expected_public_state": "stale", "recovery_action_class": "compare source/export/artifact/live state, rebuild, recheck, repackage, and publish local or live boundary.", "terminal_receipt_requirement": "Release receipt, manifest, artifact hash, smoke result, and live-upload result only when live URL verification is performed.", "public_summary_shape": "Name artifact class, stale source, checks run, current package hash, and whether live upload was verified.", "next_public_check": "https://uquad.org/data/release-provenance.json", "must_not_infer": [ "deployed proof from local package", "subdomain deployment", "current chain state", "economic activation", "endorsement" ] }, { "drill_id": "backup-restore-artifact-v1", "owner_surface": "Main website, Core, Infra, Bridge, or Liquid owning repo", "trigger": "Active repo, release artifact, manifest, config, or public export must be restored from backup or archive.", "expected_public_state": "restored", "recovery_action_class": "restore, compare, rebuild, run checks, archive superseded artifact, and publish restored/cannot_verify label.", "terminal_receipt_requirement": "Restored source or artifact id, compare result, rebuild result, smoke/check result, manifest hash, and restored/cannot_verify label.", "public_summary_shape": "Name owner, restored artifact class, compare result, check result, and what live state remains unverified.", "next_public_check": "https://uquad.org/continuity.html", "must_not_infer": [ "immutable operations", "governance handoff", "chain rollback", "funds safe", "private recovery detail" ] } ] }