Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Temicide/thcode/llms.txt

Use this file to discover all available pages before exploring further.

thcode’s checkpoint system creates durable snapshots before built-in file mutations. The /rollback command lets you discover and preview those checkpoints; /recover helps you reconcile operations that were interrupted before they reached a terminal outcome. Both commands are read-safe: inspecting a checkpoint does not stage or apply anything.
Rollback honesty principle (AD-19): Automatic rollback covers only checkpointed built-in create_file, edit_file, and delete_file effects. Shell commands, process invocations, remote API calls, permission changes, symlink side-effects, and external effects are never claimed reversible. A checkpoint summary never implies that the whole Prompt Round is reversible — only the specifically covered file targets can be rolled back.

/rollback — checkpoint discovery and preview

Alias: /rb
Requires approval: No
/rollback lists eligible rollback checkpoints for the current session and lets you inspect individual checkpoints before any rollback is staged or applied. Listing and inspecting are always read-only.

Listing checkpoints

listCheckpoints returns a ListCheckpointsResult:
type ListCheckpointsResult =
  | { readonly ok: true; readonly checkpoints: readonly CheckpointSummary[] }
  | { readonly ok: false; readonly failure: RollbackFailure };
Checkpoints are sorted most-recent-first. By default, only apply-eligible checkpoints are shown. Pass --include-hidden to also see expired, corrupt, and locked checkpoints as non-authoritative recovery records.

DiscoverOptions

OptionDefaultDescription
maxCheckpoints50Maximum number of checkpoints to return
includeHiddenfalseInclude hidden (expired, corrupt, locked) checkpoints

CheckpointSummary fields

FieldTypeDescription
promptRoundIdPromptRoundIdThe Prompt Round that created this checkpoint
checkpointIdCheckpointIdStable checkpoint identity
createdAtstringISO-8601 creation timestamp
observedAtstringISO-8601 observation timestamp
subsequentPromptAgeMsnumberAge in milliseconds since creation
targetCountnumberNumber of file targets covered
preDigestsstring[]Pre-image SHA-256 digests per target
postDigestsstring[]Post-image SHA-256 digests per target
renameInfoRenameInfoEntry[]Rename/alias information for targets
retentionExpirystring | nullRetention expiry timestamp, or null for indefinite
perCheckpointUsageBytesnumberStorage used by this checkpoint
storeUsageBytesnumberTotal checkpoint store usage
encryptionState'encrypted' | 'unencrypted'Whether checkpoint artifacts are encrypted
integrityStateIntegrityStateIntegrity verification state
coverageRollbackCoverageCoverage classification
excludedEffectsExcludedEffectsEffects explicitly excluded from rollback (AD-19)

Coverage states

CoverageMeaningEligible for apply
fully protectedAll targets have complete pre/post-image artifacts
partially protectedSome targets covered, some not
unprotectedCheckpoint exists but no target artifacts
expiredRetention has evicted this checkpointHidden
corruptIntegrity verification failed — data may be alteredNon-authoritative
lockedRecovery-locked — cannot be used for rollbackNon-authoritative
apply-eligible includes fully protected, partially protected, and unprotected — the coverage level affects how much can be reversed, but all three allow a rollback attempt. expired, corrupt, and locked checkpoints are hidden from the default listing but remain inspectable.

RollbackEligibility

Every checkpoint is classified into one of three eligibility kinds:
type RollbackEligibility =
  | { readonly kind: 'apply-eligible' }
  | { readonly kind: 'hidden'; readonly reason: string }
  | { readonly kind: 'non-authoritative-recovery-record'; readonly reason: string };
KindWhenAvailable actions
apply-eligibleCoverage is fully protected, partially protected, or unprotectedInspect + apply (apply is a separate staged step)
hiddenCheckpoint has expired (retention evicted)Inspectable via --include-hidden only
non-authoritative-recovery-recordIntegrity is corrupt or recovery-lockedSafe evidence review, recovery, and exit only — no rollback apply

Inspecting a checkpoint — RollbackPreview

inspectCheckpoint returns a RollbackPreview in canonical field order. No changes are staged or applied.
FieldDescription
headingCanonical heading, e.g. "ROLLBACK INSPECT"
purposePurpose of this preview
riskRisk disclosure including excluded effects count and the AD-19 honesty statement
targetCheckpoint and Prompt Round identity
authorityCoverage, integrity state, and encryption state
evidenceCompletenessCompleteness statement (count of targets and bytes, or the corrupt/locked/expired label)
outcomeWhether the checkpoint is apply-eligible, hidden, or a non-authoritative record
nextStepAvailable next actions
rollbackTokensExact command tokens to proceed (e.g. rollback apply <id>)
summaryFull CheckpointSummary
eligibilityFull RollbackEligibility

Excluded effects and the honesty principle

Every CheckpointSummary carries an ExcludedEffects structure. These are effects that occurred during the Prompt Round but are never claimed reversible by the rollback system.
interface ExcludedEffects {
  readonly shell: readonly ExcludedEffectEntry[];
  readonly remote: readonly ExcludedEffectEntry[];
  readonly permission: readonly ExcludedEffectEntry[];
  readonly process: readonly ExcludedEffectEntry[];
  readonly symlinkSide: readonly ExcludedEffectEntry[];
  readonly external: readonly ExcludedEffectEntry[];
  readonly unknown: readonly ExcludedEffectEntry[];
}
Each ExcludedEffectEntry has a target, reason, reasonCode, and status ('excluded' or 'never-protected').
If the risk field in a RollbackPreview reports a non-zero excludedCount, some effects from that Prompt Round cannot be reversed by any rollback operation. Review the excluded effects list before applying. Rolling back the file targets does not undo shell commands, remote calls, permission grants, process launches, or any external side-effects.
The risk disclosure in every RollbackPreview always includes both sentences:
Automatic rollback covers checkpointed built-in create/edit/delete ONLY.
Shell, process, remote, permission, symlink-side, and external effects are NEVER claimed reversible.

/recover — reconcile interrupted operations

Alias: /rc
Requires approval: No
/recover addresses operations that were interrupted — by a crash, a cancellation, or a process termination — before they reached a durable terminal outcome. It classifies the operation from the journal and offers only safe actions. It never replays a native effect automatically.

Recovery actions

ActionDescription
inspectClassify the operation from journal evidence and show its recovery state
reconcileAttempt to clean up incomplete checkpoint stages and resolve the operation state
export-safe-evidenceExport a sanitized evidence bundle for the operation (no raw bytes, no secrets)
exitAcknowledge the classification and exit without further action

RecoveryClassification

classify(input) reads the durable event journal and returns a RecoveryClassification:
interface RecoveryClassification {
  readonly operationId: OperationId;
  readonly journalState: OperationRecoveryState;
  readonly operationState: OperationState;
  readonly checkpointMaterial: CheckpointMaterialState;
  readonly residualRisk: ResidualRisk;
  readonly dispatchClassification: DispatchClassification;
  readonly hasEffectDispatchCommitted: boolean;
  readonly hasTerminalEvent: boolean;
  readonly terminalKind: string | null;
}

OperationRecoveryState

Seven mutually exclusive recovery states derived from the journal:
StateConditionResidual risk
not-sentNo lifecycle-fact or terminal events for this operationNone
preparedProposal/preparation events exist but no dispatch commitLow — checkpoint material may be incomplete
dispatch-committedEffectDispatchCommitted event exists but no terminal eventHigh — native mutation may have committed
succeededOperationSucceeded event existsNone
failedOperationFailed event existsNone
cancelledOperationCancelled (or OperationBlocked) event exists before dispatch commitNone
unknown-outcomeOperationUnknownOutcome event or no terminal proofHigh — native mutation may have committed
Operations in dispatch-committed or unknown-outcome state carry high residual risk. The native mutation may have already committed on disk or on a remote. /recover will only offer inspect, reconcile, export-safe-evidence, and exit. Blind retry is always blocked for these states.

Checkpoint material states

StateMeaning
completeCheckpoint record is staged and integrity-verified
incompleteCheckpoint is staging or staged but not committed
unreachableCheckpoint record exists but the stage is unreachable
corruptIntegrity or recovery-lock failure
recovery-lockedStage is locked — cannot be reconciled automatically
not-applicableNo checkpoint record exists for this operation

Dispatch classification

The dispatchClassification field records the most advanced dispatch phase reached:
ClassificationCondition
not-dispatchedNo lifecycle or terminal events
pre-dispatch-commitPre-dispatch events only (proposal/preparation)
post-dispatch-commitEffectDispatchCommitted exists, no terminal
native-mutation-committedNative mutation was committed per journal
reference-publication-failedMutation committed but reference publication failed
terminal-evidence-recordedTerminal event exists in journal

RecoveryResult output structure

/recover renders its result in canonical order:
interface RecoveryResult {
  readonly heading: string;
  readonly purpose: string;
  readonly state: OperationRecoveryState;
  readonly residualRisk: ResidualRisk;
  readonly action: RecoveryAction;
  readonly nextStep: string;
  readonly exitClass: ExitClass;
  readonly exitCode: number;
  readonly body?: string;
}
Output parity is maintained across interactive, redirected, linearized, and headless JSON surfaces. No color-only cues are used.

Failure envelopes

Both /rollback and /recover return typed AD-9 failure envelopes when an operation cannot be completed. Each failure carries a category, retryable flag, scope, human-readable message, and machine-readable causeCode.
CategoryRetryableMeaning
checkpoint-not-foundNoThe requested checkpoint ID does not exist
checkpoint-unreadableNoThe checkpoint record is present but cannot be parsed
session-not-foundNoNo session record found for the given session ID
internal-errorNoUnexpected failure during discovery or inspection

Build docs developers (and LLMs) love