Module federation

Expand description

Federation autonomy — wires the quorum primitives from replication into the HTTP write path (v0.7 track C, PR 2 of N).

§Contract

When the ai-memory serve daemon is started with --quorum-writes N and --quorum-peers <url1,url2,…>, every successful HTTP write fans out a 1-memory /api/v1/sync/push POST to each peer and counts 2xx responses as acks. The write returns OK to the HTTP caller only once the local commit plus W - 1 peer acks land within the --quorum-timeout-ms deadline. Fewer acks → 503 with body {"error":"quorum_not_met", "got":X, "needed":Y, "reason":…}.

§Scope of this module

FederationConfig — the serve-time config parsed from CLI flags.
broadcast_store_quorum — async HTTP fan-out that builds an AckTracker from replication::QuorumPolicy, spawns one task per peer, and waits on either quorum-met or deadline.
Mock-peer integration tests covering the happy path, a dropped ack pattern, and a total outage.

§NOT in scope of this module

The real multi-process chaos harness lives under packaging/chaos/ as an operator-facing shell script. A campaign report is produced by packaging/chaos/run-chaos.sh — see that file for how to measure the convergence bound committed to in ADR-0001.
MCP-over-stdio and CLI writes do NOT fan out to peers. The MCP server is a single-tenant stdio client and the CLI is local; both rely on the sync-daemon for eventual propagation. Only the HTTP daemon is a federation node.

Re-exports§

pub use receive::spawn_catchup_loop;
pub use quorum::*;
pub use sync::*;

Modules§

identity: Federation identity.
peer: Peer construction and FederationConfig::build.
peer_attestation: v0.7.0 federation security — peer attestation + scope-allowlist substrate for /api/v1/sync/push and /api/v1/sync/since.
quorum: Quorum finalisation and error payload serialisation.
receive: Post-partition catchup poller: spawn_catchup_loop, catchup_once, urlencoding_encode.
reflection_bookkeeping: v0.7.0 L2-2 — cross-peer reflection_depth bookkeeping.
signing: v0.7.0 #791 — federation per-message Ed25519 signing.
sync: Quorum-broadcast fan-out logic: post_once, post_and_classify, broadcast_*_quorum, bulk_catchup_push.
vector_clock: Federation-specific vector-clock logic (placeholder).

Structs§

FederationConfig: Configured-at-serve federation state. Parsed from --quorum-writes + --quorum-peers + --quorum-timeout-ms.
PeerEndpoint: A single peer in the quorum mesh. The id is what we record in the ack tracker (typically the URL or the peer’s mTLS fingerprint).
ShippedEmbedding: #1566 / #1579 B1 — embed-once-replicate-vector. A source-side embedding shipped alongside its memory row in the federation /sync/push payload (wire key crate::models::field_names::EMBEDDINGS).

Constants§

SHIPPED_VECTOR_NORM_TOLERANCE: #1584 (SEC) — tolerance band around unit L2 norm within which a peer-shipped vector is accepted as-is (already normalized by the sender’s embedder). Outside the band the receiver re-normalizes; a zero / non-finite norm is rejected entirely.

Functions§

sanitize_shipped_vector: #1584 (SEC, MED) — validate + L2-normalize a peer-shipped embedding before it is stored as a memory’s embedding on the #1579 B1 embed-ship receive path.