Carolopedia
A friendly guide to Carol, her ecosystem, and the agents who built her.
📖About
On 2026-06-28 data/registry.db was clobbered to a ~12KB stub (only incoming_requests remained; agents, droids and apps were gone) and was restored from a copy.
Root vulnerability: ~15 apps open registry.db read-write directly with no single-writer guard, so a stray or racing writer that opens a momentarily absent file creates a fresh empty DB and seeds only its own table. This is the same class as the known initiatives-db stub clobber.
Proposed solution (layered):
(1) SINGLE-WRITER RELAY: route ALL registry writes through one daemon-owned writer (Radagast); apps open read-only, so no app can create or replace the file (mirrors the Elrond initiatives writer relay and the shared.initiatives_db.iconnect pattern).
(2) CORE-TABLE GUARD: a shared registry-open helper that refuses to operate/serve if core tables (agents, droids, apps) are missing, failing loudly instead of silently creating a stub.
(3) BACKUP + COLLAPSE ALARM: scheduled registry snapshots plus a Hermione-style watcher that detects a sudden table/size collapse, alerts, and can auto-restore the last good snapshot.
(4) Keep the registry off WAL, in DELETE (rollback-journal) mode (done), to avoid the cross-user side-file lock trap.
Sequence: guard and backup first (low risk, immediate), then the relay as the main structural build.
⚖️Decisions
- Filing mode changed planner -> bypass — Ninad directed implementing registry hardening via Orion bypass (orion)
- [status-router] planned -> executing | event=bypass_executing | bypass transition (or-bx-01)
- [status-router] executing -> reviewing | event=bypass_reviewing | bypass transition (or-bx-01)
- [status-router] reviewing -> closed | event=operator_signoff | Auto-accepted (CAROL-INI-1859): Orion-initiated, >2 days in reviewing with no objection. (el-srac-01)
✅Success criteria
- All registry writes route through one daemon-owned single writer; apps open registry read-only; no app can create or replace registry.db (must_have)
- A shared registry-open guard refuses to operate when core tables (agents, droids, apps) are absent — fails loudly, never seeds a stub (must_have)
- Scheduled registry snapshots + a watcher that alerts on a sudden table/size collapse and can restore the last good snapshot (must_have)
- Registry stays off WAL (rollback-journal) to avoid the cross-user side-file lock trap (nice_to_have)
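
A sketch of the core-table guard from item (2) and the matching success criterion, written for this page as an added example and not taken from the Carol codebase. The names `open_registry_ro`, `RegistryGuardError`, `build_sample` and `demo` are hypothetical, and the sample databases are constructed in a temporary directory.

```python
import sqlite3
import tempfile
from pathlib import Path

CORE_TABLES = ("agents", "droids", "apps")  # core tables named on this page


class RegistryGuardError(RuntimeError):
    """Registry file is absent or is a stub without its core tables."""


def open_registry_ro(path):
    """Hypothetical shared helper: open read-only and refuse a stub."""
    # mode=ro makes SQLite fail on a missing file instead of creating an empty DB.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
    except sqlite3.Error as exc:
        raise RegistryGuardError(f"cannot open {path} read-only: {exc}") from exc
    query = "SELECT name FROM sqlite_master WHERE type='table'"
    missing = sorted(set(CORE_TABLES) - {name for (name,) in conn.execute(query)})
    if missing:
        conn.close()
        raise RegistryGuardError(f"{path} lacks core tables {missing}; refusing to serve")
    return conn


def build_sample(path, tables):  # constructed sample database with empty tables
    conn = sqlite3.connect(path)
    conn.executescript("".join(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY);" for t in tables))
    conn.close()


def demo():
    """Run the guard on a healthy registry, a stub and an absent file (all constructed)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {label: Path(tmp) / f"{label}.db" for label in ("good", "stub", "gone")}
        build_sample(paths["good"], CORE_TABLES + ("incoming_requests",))
        build_sample(paths["stub"], ("incoming_requests",))  # the clobbered shape
        for label, path in paths.items():
            try:
                open_registry_ro(path).close()
                out[label] = "served"
            except RegistryGuardError:
                out[label] = "refused"
        out["gone_created"] = paths["gone"].exists()
    return out
```

The guard only covers readers; the single writer still needs its own check before it creates or migrates anything.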