Longevity and Verification Promise

Helix bundles produced today remain verifiable for the long term. Commitment:

Minimum guarantee: any bundle produced on a supported Helix minor remains verifiable for 5 years from its creation date.
If engines or schemas evolve: we will ship a migration verifier or compatibility shim that reads old manifests and compares outputs within documented tolerances.
If policies are deprecated: bundles keep their recorded policy/profile; verifiers will not mutate them and will surface a clear policy_deprecated taint, not fail silently.
If backends retire: verification uses stored expected outputs and tolerance metadata; if a backend class disappears, we publish a compatibility runner that replays with the nearest stable backend and documents the delta.

Operational rules

Every breaking schema change requires a compatibility path in the verifier and a note in docs/policies/compatibility_deprecation.md.
Conformance packs keep a frozen copy of canonical expected outputs; new releases must prove compatibility or document the deliberate drift.
Release notes must state when a migration verifier is required and provide the command to run it.

manifest.json parses, hashes match files, schemas validate, and helix verify --kind auto|repro completes without network.
If deterministic replay is impossible (e.g., obsolete GPU backend), verifier emits a machine-readable downgrade reason and a reproduction plan.

After 5 years, we reserve the right to archive support, but will document how to self-verify using the last compatible verifier image.