
Function run_subtree_audit 

pub async fn run_subtree_audit(
    p2p_node: &Arc<P2PNode>,
    config: &ReplicationConfig,
    challenged_peer: &PeerId,
    expected_commitment_hash: [u8; 32],
    key_count: u32,
    credit: Option<&AuditCredit<'_>>,
) -> AuditTickResult

Run one gossip-triggered subtree audit against challenged_peer, pinned to the commitment hash the peer just gossiped (expected_commitment_hash).

ADR-0002 two-round audit. The auditor sends a fresh random nonce and runs:

  1. Structure (round 1) — the returned subtree rebuilds to the pinned root, within a size-scaled deadline.
  2. Real bytes (round 2) — the auditor demands the ORIGINAL chunk content for a 3..=5 FRESHLY-RANDOM sample of the proven leaves (chosen after the proof arrives, not nonce-derived — see random_spotcheck_leaves) FROM the responder, and recomputes both the content-address hash and the nonce freshness hash from that served content. The auditor holds none of the peer’s chunks.
  3. Timing — each round’s deadline is sized to an honest local-disk read, so a relay forced to fetch over the network blows it.

A timeout (in either round) is reported as AuditFailureReason::Timeout; the caller applies the strike/grace policy. Any structural failure, served content that fails a hash check, an explicit Absent for a committed sampled key, or a rejection of a recently gossiped commitment is a confirmed failure and is acted on immediately. On a full pass, the peer is recorded as a proven holder.
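The two verification rounds above, as an added stand-alone model that is not the project's own code. Assumptions made here: the commitment root is a toy hash over the ordered leaf hashes, std SipHash (64-bit) stands in for the real 32-byte digest, the `fetch` closure stands for the round-2 request to the responder, and `seed` stands for OS randomness drawn only after round 1 succeeds; the timing deadlines are left out.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Verdicts of this model (the real code maps failures onto AuditFailureReason).
#[derive(Debug, PartialEq)]
pub enum Outcome { Pass, StructureMismatch, ContentHashMismatch(usize), FreshnessMismatch(usize), Absent(usize) }

/// Round-2 answer for one sampled leaf: original bytes plus the nonce-bound
/// freshness hash, or an explicit Absent.
pub enum Served { Chunk { content: Vec<u8>, freshness: u64 }, Absent }

/// Stand-in digest (std SipHash, 64-bit); the real commitment hash is 32 bytes.
pub fn digest(tag: &str, parts: &[&[u8]]) -> u64 {
    let mut h = DefaultHasher::new();
    tag.hash(&mut h);
    for p in parts { p.hash(&mut h); }
    h.finish()
}

/// Toy commitment root: a hash over the ordered leaf (content-address) hashes.
pub fn root_of(leaf_hashes: &[u64]) -> u64 {
    let bytes: Vec<u8> = leaf_hashes.iter().flat_map(|h| h.to_le_bytes()).collect();
    digest("root", &[&bytes[..]])
}

/// Auditor side. `round1_leaves` is the responder's proof, `fetch` the round-2
/// request for one leaf's original bytes, `seed` fresh randomness taken only
/// after round 1 passed (so the sample is not nonce-derived).
pub fn audit(pinned_root: u64, nonce: &[u8], round1_leaves: &[u64],
             fetch: impl Fn(usize) -> Served, seed: u64) -> Outcome {
    // Round 1: the subtree must rebuild to the commitment the peer gossiped.
    if root_of(round1_leaves) != pinned_root { return Outcome::StructureMismatch; }
    let n = round1_leaves.len();
    let sample_size = n.min(5).max(3).min(n); // 3..=5 leaves, capped by subtree size
    let (mut rng, mut picked) = (seed, Vec::new());
    while picked.len() < sample_size { // distinct indices from a 64-bit LCG
        rng = rng.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        let i = (rng >> 33) as usize % n;
        if !picked.contains(&i) { picked.push(i); }
    }
    // Round 2: served bytes must match the proven leaf AND this audit's nonce.
    for i in picked {
        match fetch(i) {
            Served::Absent => return Outcome::Absent(i),
            Served::Chunk { content, freshness } => {
                if digest("chunk", &[&content[..]]) != round1_leaves[i] { return Outcome::ContentHashMismatch(i); }
                if digest("fresh", &[nonce, &content[..]]) != freshness { return Outcome::FreshnessMismatch(i); }
            }
        }
    }
    Outcome::Pass
}
```

A responder that replays a freshness hash computed under an earlier nonce, or that serves bytes not matching the proven leaf, fails round 2 even though its round-1 proof was valid.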