Every time thcode performs a built-in file mutation — creating, editing, or deleting a file — it captures a checkpoint: an encrypted snapshot of the file’s state both before and after the change. These checkpoints are stored in a crash-consistent SQLite-backed key-value store and form the foundation of thcode’s rollback capability. When you want to undo a set of changes, thcode performs a three-way analysis comparing the recorded pre-image, the recorded post-image, and the file’s current on-disk state before applying any inverse operation.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Temicide/thcode/llms.txt
Use this file to discover all available pages before exploring further.
How Checkpoints Are Structured
A checkpoint consists of two layers: theCheckpointRepository holds checkpoint metadata, and the ArtifactStore holds the encrypted bytes of the original file content.
CheckpointRepository
CheckpointRepository stores checkpoint records in an injectable KeyValueStore (SQLite in production, in-memory in tests). Each record tracks the checkpoint’s lifecycle from staging through commit.
stage() and commit() leaves the record in staging state. On next startup, reconcile() detects all such incomplete stages, marks their records as unreachable, and sets integrityState to 'recovery-locked' — they are never surfaced as complete checkpoints.
ArtifactStore
ArtifactStore holds the actual file bytes for each checkpoint target. Plaintext bytes never enter the backing store, logs, or any UI output. Every artifact is encrypted with AES-256-GCM before being written, using the same versioned envelope as session content.
Branded ID Types
Both stores use opaque branded types to prevent accidental ID confusion at the type level:Integrity Verification
integrity.ts provides the read-with-integrity path used by every consumer of checkpoint data.
Checkpoint Record Integrity
Before aCheckpointRecord is returned to application code, verifyCheckpointIntegrity checks:
- The stored
checkpointIdmatches the requested ID (detects record tampering) mutation.operationIdis present and non-emptyartifactIdsfield exists (empty is valid for metadata-only checkpoints)stageStateis not'unreachable'integrityStateis not'corrupt'or'recovery-locked'
IntegrityFailure — no content reaches application code on failure.
Artifact Content Integrity
After decryption,verifyArtifactIntegrity checks:
- SHA-256 digest of the decrypted bytes matches the stored
metadata.digest - Byte length matches
metadata.size
Failure Categories
corrupt
Record or content has been altered. Non-retryable. Recovery actions: inspect the store, restore from backup.
recovery-locked
Checkpoint is unreachable or in an incomplete stage. Non-retryable. Recovery actions: inspect the store, run recovery procedure.
Retention Policy
Retention is measured in Prompt Rounds, not wall-clock time, making it predictable regardless of session activity.Capacity Caps
evaluateCapacity() in retention/capacity.ts enforces two hard limits before any checkpoint is created:
| Cap | Value |
|---|---|
| Per-checkpoint | 100 MB |
| Total store | 500 MB |
over-cap and requires explicit confirmation to proceed without rollback protection. The exact usage and unprotected scope are disclosed. Full Access cannot suppress this disclosure.
Three-Way Conflict Analysis
Before any rollback is applied,analyzeRollbackSet() performs a three-way comparison for each target file. The three states involved are:
analyzeRollbackTarget(), which:
- Resolves the file’s stable current identity (detects renames, symlink re-targets, and case/unicode changes)
- Checks accessibility and open file handles
- Builds
preImage,postImage, andcurrentStateasThreeWayStatevalues - Determines the
AnalysisOutcome
Analysis Outcomes
applied-eligible
applied-eligible
The current file digest matches the recorded post-image and the identity is unchanged. A concrete
InverseOperation is produced, along with the expected current digest and version.conflict
conflict
The current state differs from the post-image, or the file is behind a symlink, or a concurrent change overlapped the checkpoint. Three safe resolution choices are offered:
skip-target, export-sanitized-patch, or user-authored-resolution. Generic overwrite, blind retry, and continue are never available.Conflict reason codes include: behind-symlink, target-deleted, target-recreated, content-conflict, binary-corrupt, no-pre-image-digest.skipped
skipped
The target was explicitly excluded or is not covered by this checkpoint.
inaccessible
inaccessible
The current state cannot be read — typically a permissions issue or a file that exists but is not readable.
mismatch
mismatch
The target’s identity has changed since the checkpoint was created (renamed, recreated, case/unicode changed). Reason codes:
identity-changed.unknown-outcome
unknown-outcome
The file has open handles or the concurrency state is uncertain. No overwrite or best-effort reversal is prepared.
Binary Originals
Binary files are handled via theArtifactStore. The analysis reads binary originals through the integrity-verified path and verifies their digest without exposing raw bytes in the UI, logs, or Evidence. If the artifact is missing or corrupt, the target is marked inaccessible or conflict respectively — it is never apply-eligible.
Applying a Rollback
applyRollback() applies only the conflict-free targets from a prior analysis. The full ordered execution sequence per target is:
Resolve identity
Re-resolve the file’s canonical path. Detects renames or symlink changes that occurred between analysis and apply time.
Capture current digest and version
Reads the current file state immediately before any mutation, before authorization is consumed.
Revalidate against analysis
Compares the captured current state against the analysis expectation. A concurrent change since analysis causes the target to be re-classified — no stale inverse is applied.
Stage and commit checkpoint
A new checkpoint is created for the rollback operation itself before any mutation (so the rollback can itself be rolled back).
Append EffectDispatchCommitted
Written to the journal before the native mutation. The journal is the sole commit-visibility authority.
Inverse Operation Types
| Inverse | When used |
|---|---|
restore-pre-image | Reverse an edit_file — writes the pre-image content back from the ArtifactStore, verifying its digest before writing |
delete-file | Reverse a create_file — removes the file (idempotent if already absent) |
restore-from-artifact | Reverse a delete_file on a binary file — reads and integrity-verifies the encrypted artifact before writing |
Aggregate Result Types
full— every selected target was appliedpartial— some targets applied, others had conflicts or errorsblocked— no targets could be applied
RollbackApplyResult includes per-target outcomes, counts by category, residual conflicts with safe choices, excluded effects, and a reference to the new checkpoint created for the rollback operation.