ant_node/replication/config.rs
1//! Tunable parameters for the replication subsystem.
2//!
3//! All values below are a reference profile used for logic validation.
4//! Parameter safety constraints (Section 4):
5//! 1. `1 <= QUORUM_THRESHOLD <= CLOSE_GROUP_SIZE`
6//! 2. Effective paid-list threshold is per-key dynamic:
7//! `ConfirmNeeded(K) = floor(PaidGroupSize(K)/2)+1`
8//! 3. If constraints are violated at runtime reconfiguration, node MUST reject
9//! the config.
10
11#![allow(clippy::module_name_repetitions)]
12
13use std::time::Duration;
14
15use rand::Rng;
16
17use crate::ant_protocol::{CLOSE_GROUP_SIZE, MAX_CHUNK_SIZE};
18
19// ---------------------------------------------------------------------------
20// Static constants (compile-time reference profile)
21// ---------------------------------------------------------------------------
22
23/// Maximum number of peers per k-bucket in the Kademlia routing table.
24pub const K_BUCKET_SIZE: usize = 20;
25
26/// Extra local-routing-table positions accepted for local chunk storage
27/// admission and stored-record pruning.
28///
29/// This margin absorbs small local RT disagreement between peers. It does not
30/// widen audit, quorum, or paid-list target sets; those remain strict
31/// `close_group_size` / paid-list group checks.
32pub const STORAGE_ADMISSION_MARGIN: usize = 2;
33
34/// Full-network target for required positive presence votes.
35///
36/// Effective per-key threshold is
37/// `QuorumNeeded(K) = min(QUORUM_THRESHOLD, floor(|QuorumTargets|/2)+1)`.
38pub const QUORUM_THRESHOLD: usize = 4; // floor(CLOSE_GROUP_SIZE / 2) + 1
39
40/// Maximum number of closest nodes tracking paid status for a key.
41pub const PAID_LIST_CLOSE_GROUP_SIZE: usize = 20;
42
43/// Number of closest peers to self eligible for neighbor sync.
44pub const NEIGHBOR_SYNC_SCOPE: usize = 20;
45
46/// Number of close-neighbor peers synced concurrently per round-robin repair
47/// round.
48pub const NEIGHBOR_SYNC_PEER_COUNT: usize = 4;
49
50/// Width used when deciding whether this node may locally store or retain a
51/// chunk.
52#[must_use]
53pub const fn storage_admission_width(close_group_size: usize) -> usize {
54 close_group_size.saturating_add(STORAGE_ADMISSION_MARGIN)
55}
56
57/// Minimum neighbor-sync cadence. Actual interval is randomized within
58/// `[min, max]`.
59const NEIGHBOR_SYNC_INTERVAL_MIN_SECS: u64 = 10 * 60;
60/// Maximum neighbor-sync cadence.
61const NEIGHBOR_SYNC_INTERVAL_MAX_SECS: u64 = 20 * 60;
62
63/// Neighbor sync cadence range (min).
64pub const NEIGHBOR_SYNC_INTERVAL_MIN: Duration =
65 Duration::from_secs(NEIGHBOR_SYNC_INTERVAL_MIN_SECS);
66
67/// Neighbor sync cadence range (max).
68pub const NEIGHBOR_SYNC_INTERVAL_MAX: Duration =
69 Duration::from_secs(NEIGHBOR_SYNC_INTERVAL_MAX_SECS);
70
71/// Per-peer minimum spacing between successive syncs with the same peer.
72const NEIGHBOR_SYNC_COOLDOWN_SECS: u64 = 60 * 60; // 1 hour
73/// Per-peer minimum spacing between successive syncs with the same peer.
74pub const NEIGHBOR_SYNC_COOLDOWN: Duration = Duration::from_secs(NEIGHBOR_SYNC_COOLDOWN_SECS);
75
76/// Minimum age for a replica repair hint before the hinted peer can be audited
77/// for that key.
78const REPAIR_HINT_MIN_AGE_SECS: u64 = 60 * 60; // 1 hour
79/// Minimum age for a replica repair hint before the hinted peer can be audited
80/// for that key.
81pub const REPAIR_HINT_MIN_AGE: Duration = Duration::from_secs(REPAIR_HINT_MIN_AGE_SECS);
82
83/// Minimum self-lookup cadence.
84const SELF_LOOKUP_INTERVAL_MIN_SECS: u64 = 5 * 60;
85/// Maximum self-lookup cadence.
86const SELF_LOOKUP_INTERVAL_MAX_SECS: u64 = 10 * 60;
87
88/// Periodic self-lookup cadence range (min) to keep close neighborhood
89/// current.
90pub const SELF_LOOKUP_INTERVAL_MIN: Duration = Duration::from_secs(SELF_LOOKUP_INTERVAL_MIN_SECS);
91
92/// Periodic self-lookup cadence range (max).
93pub const SELF_LOOKUP_INTERVAL_MAX: Duration = Duration::from_secs(SELF_LOOKUP_INTERVAL_MAX_SECS);
94
95/// Maximum number of concurrent outbound replication sends.
96///
97/// Caps how many fresh-replication chunk transfers can be in-flight at once
98/// across the entire replication engine. Prevents bandwidth saturation on
99/// home broadband connections when multiple chunks arrive simultaneously.
100/// Each send transfers up to 4 MB (`MAX_CHUNK_SIZE`), so a limit of 3 means
101/// at most ~12 MB queued for the upload link at any instant.
102pub const MAX_CONCURRENT_REPLICATION_SENDS: usize = 3;
103
104/// Maximum number of concurrent in-flight audit-responder tasks.
105///
106/// The responsible-chunk (audit #2), subtree (round 1), and byte (round 2)
107/// challenge handlers are all spawned off the serial replication message loop so
108/// their disk reads don't stall replication. This caps how many run at once
109/// across the engine, restoring backpressure: a peer flooding audit challenges
110/// cannot fan out unbounded `get_raw` reads or multi-MiB byte serves. When the
111/// cap is hit, the challenge is dropped — the auditor graces a non-response as a
112/// timeout, so honest auditors are unaffected and only a flooder is throttled.
113/// Sized to cover a handful of concurrent honest auditors (the per-peer
114/// gossip-audit cooldown is 30 min, so genuine concurrent audits are few) while
115/// bounding the byte round's worst-case resident bytes
116/// (`N × MAX_BYTE_CHALLENGE_KEYS × MAX_CHUNK_SIZE`).
117pub const MAX_CONCURRENT_AUDIT_RESPONSES: usize = 16;
118
119/// Maximum concurrent in-flight audit-responder tasks from any SINGLE peer.
120///
121/// The global [`MAX_CONCURRENT_AUDIT_RESPONSES`] ceiling alone is not
122/// flood-fair: one peer spamming challenges could occupy every slot and starve
123/// honest auditors (whose dropped challenges convert to timeouts → strikes on
124/// the honest peers). This per-peer cap guarantees no source holds more than
125/// its share, so a flood self-throttles. Audits are cooldown-gated (one
126/// gossip-triggered audit per peer per 30 min), so 2 in-flight per peer
127/// comfortably covers the legitimate round-1 + round-2 overlap.
128pub const MAX_AUDIT_RESPONSES_PER_PEER: u32 = 2;
129
130/// Concurrent fetches cap, derived from hardware thread count.
131///
132/// Uses `std::thread::available_parallelism()` so the node scales to the
133/// machine it runs on. Falls back to 4 if the OS query fails.
134const AVAILABLE_PARALLELISM_FALLBACK: usize = 4;
135
136/// Returns the number of hardware threads available, used as the fetch
137/// concurrency limit.
138#[allow(clippy::incompatible_msrv)] // NonZero::get is stable since 1.79; MSRV lint conflicts with redundant_closure
139pub fn max_parallel_fetch() -> usize {
140 std::thread::available_parallelism()
141 .map_or(AVAILABLE_PARALLELISM_FALLBACK, std::num::NonZero::get)
142}
143
144/// Minimum audit-scheduler cadence.
145const AUDIT_TICK_INTERVAL_MIN_SECS: u64 = 10 * 60;
146/// Maximum audit-scheduler cadence.
147const AUDIT_TICK_INTERVAL_MAX_SECS: u64 = 20 * 60;
148
149/// Audit scheduler cadence range (min).
150pub const AUDIT_TICK_INTERVAL_MIN: Duration = Duration::from_secs(AUDIT_TICK_INTERVAL_MIN_SECS);
151
152/// Audit scheduler cadence range (max).
153pub const AUDIT_TICK_INTERVAL_MAX: Duration = Duration::from_secs(AUDIT_TICK_INTERVAL_MAX_SECS);
154
155/// Floor on the audit response deadline (independent of challenge size).
156///
157/// Sized to absorb worst-case global RTT for the audit envelope
158/// (the request + response messages are KB-scale, not chunk-scale)
159/// plus scheduling jitter. Tokyo↔NY round-trip is ~150ms each way,
160/// so 2 seconds comfortably covers cross-continent communication
161/// for the round-1 proof, whose payload is hashes (KB-scale).
162const AUDIT_RESPONSE_FLOOR_SECS: u64 = 2;
163
164/// Floor on the round-2 BYTE-challenge deadline.
165///
166/// Unlike round 1 (KB of hashes), the byte challenge ships up to
167/// `MAX_BYTE_CHALLENGE_KEYS` full chunks (2 × 4 MiB = 8 MiB) back over the
168/// wire, so the envelope must also cover a cold QUIC handshake, the
169/// multi-MiB upload back to the auditor, and a busy honest peer's disk read.
170/// The round-1 2 s floor (sized for a hashes-only reply) is too tight here —
171/// the §4 finding. 5 s matches the cross-continent-RTT + handshake + 8 MiB
172/// transfer budget while keeping a relay that must fetch the bytes over a
173/// residential link outside it (the scaled term adds the per-byte estimate on
174/// top). Mirrors main's more generous byte-round base.
175const BYTE_AUDIT_RESPONSE_FLOOR_SECS: u64 = 5;
176
177/// Conservative honest-responder read throughput, in bytes per second.
178///
179/// Used to size the audit response deadline. An honest peer answers
180/// a k-key challenge by reading k chunks from local disk, computing
181/// BLAKE3 + path proofs, and signing the response. The bottleneck is
182/// disk read; BLAKE3 at ~3 GB/s + ML-DSA signing at ~3 ms are
183/// negligible.
184///
185/// Set conservatively below any modern SSD (typical: 500 MB/s+).
186/// At 50 MB/s, a k=10 sample at 4 MiB chunks reads in ~0.8s, well
187/// inside even an aggressive timeout. A relay attacker who must
188/// fetch the same 40 MB over the network at typical bandwidth
189/// (100 Mbps = 12.5 MB/s) takes 3+ seconds for the data alone, plus
190/// per-chunk network round-trips. At larger sample sizes the gap
191/// is exponential in the relay's disadvantage.
192const AUDIT_HONEST_READ_BPS: u64 = 50 * 1024 * 1024;
193
194/// Slack multiplier on the honest-read estimate.
195///
196/// Set so an honest peer that's slower than `HONEST_READ_BPS` (e.g. an
197/// HDD-backed node, or one under load) still answers within the
198/// timeout. 5× is generous; a relay peer fetching the same data over a
199/// residential link (~5-12 MB/s) sees ~10-100× higher latency than disk
200/// and misses the budget. This is an economic deterrent calibrated for
201/// residential bandwidth, NOT a hard cryptographic bound — a relay on a
202/// datacenter cross-connect could still fetch fast enough to answer in
203/// time (see the §7 note on `audit_response_timeout`).
204const AUDIT_RESPONSE_HONEST_MULTIPLIER: u64 = 5;
205
206/// Single-key prune audit response deadline.
207///
208/// Prune audits ask a peer whether they still hold one specific key
209/// they previously claimed. The relay-defence rationale that motivates
210/// the tight commitment-bound timeout does NOT apply here: the
211/// auditor's own out-of-range hysteresis (`PRUNE_HYSTERESIS_DURATION`,
212/// 3 days) already makes "fetch on demand" infeasible as a sustained
213/// strategy.
214///
215/// Sized to comfortably accommodate cold cross-continent QUIC
216/// handshake plus scheduling jitter on a busy honest peer answering
217/// a single-key challenge: 10 s.
218const PRUNE_AUDIT_RESPONSE_SECS: u64 = 10;
219
220/// Maximum duration a peer may claim bootstrap status before penalties apply.
221const BOOTSTRAP_CLAIM_GRACE_PERIOD_SECS: u64 = 24 * 60 * 60; // 24 h
222/// Maximum duration a peer may claim bootstrap status before penalties apply.
223pub const BOOTSTRAP_CLAIM_GRACE_PERIOD: Duration =
224 Duration::from_secs(BOOTSTRAP_CLAIM_GRACE_PERIOD_SECS);
225
226/// Minimum continuous out-of-range duration before pruning a key.
227const PRUNE_HYSTERESIS_DURATION_SECS: u64 = 3 * 24 * 60 * 60; // 3 days
228/// Minimum continuous out-of-range duration before pruning a key.
229pub const PRUNE_HYSTERESIS_DURATION: Duration = Duration::from_secs(PRUNE_HYSTERESIS_DURATION_SECS);
230
231/// Protocol identifier for replication operations.
232///
233/// Bumped to `v2` for the v12 storage-bound audit. That change extends the
234/// wire types (`NeighborSyncRequest`/`Response` carry an optional trailing
235/// `StorageCommitment`, and the gossip-triggered storage-commitment audit adds
236/// the `SubtreeAuditChallenge`/`SubtreeAuditResponse` and `SubtreeByteChallenge`/
237/// `SubtreeByteResponse` messages). The bump is for SEMANTIC interop, not
238/// decode failure: postcard tolerates the appended optional field (an old
239/// decoder reads the fields it knows and ignores the trailer — pinned by the
240/// `old_decoder_tolerates_new_neighbor_sync_*` tests in `protocol.rs`), but
241/// tolerating bytes is not interoperating. A v1 node cannot decode the NEW
242/// message variants at all (unknown enum discriminant) and never acts on a
243/// piggybacked commitment, so mixed-version replication would half-function —
244/// audit challenges unanswered, commitments silently dropped — and a v2 node
245/// could read that silence as misbehaviour. Rather than reason about each
246/// such case, we route v12 replication on a distinct protocol id: a node only
247/// delivers messages whose topic matches its own id (see the topic check in
248/// `mod.rs`), so v1 and v2 nodes simply do not exchange replication traffic
249/// during a mixed-version window. This is the rollout-safe behaviour: no
250/// half-interpreted exchange, no spurious eviction. Replication between
251/// matched-version peers is unaffected. (DHT routing/lookups are a separate
252/// protocol and continue to span both versions.)
253pub const REPLICATION_PROTOCOL_ID: &str = "autonomi.ant.replication.v2";
254
255/// 10 MiB — maximum replication wire message size (accommodates hint batches).
256const REPLICATION_MESSAGE_SIZE_MIB: usize = 10;
257/// Maximum replication wire message size.
258pub const MAX_REPLICATION_MESSAGE_SIZE: usize = REPLICATION_MESSAGE_SIZE_MIB * 1024 * 1024;
259
260/// Headroom reserved for the envelope (enum tags, ids, length prefixes) when
261/// sizing a round-2 byte-challenge batch against the wire cap.
262const BYTE_CHALLENGE_RESPONSE_HEADROOM: usize = 64 * 1024;
263
264/// Maximum keys per round-2 [`SubtreeByteChallenge`] (per-batch cap).
265///
266/// Sized so the WORST-CASE response (every requested chunk at
267/// `MAX_CHUNK_SIZE`) still encodes under [`MAX_REPLICATION_MESSAGE_SIZE`].
268/// The auditor splits its spot-check sample into batches of this size (one
269/// challenge per batch, same nonce/pin); the responder rejects any single
270/// challenge requesting more.
271///
272/// [`SubtreeByteChallenge`]: crate::replication::protocol::SubtreeByteChallenge
273pub const MAX_BYTE_CHALLENGE_KEYS: usize =
274 (MAX_REPLICATION_MESSAGE_SIZE - BYTE_CHALLENGE_RESPONSE_HEADROOM) / MAX_CHUNK_SIZE;
275const _: () = assert!(
276 MAX_BYTE_CHALLENGE_KEYS >= 1,
277 "wire cap must fit at least one max-size chunk per byte-challenge response"
278);
279
280/// Rollout gate for timeout-driven eviction.
281///
282/// When `false`, a peer that crosses the consecutive-timeout strike threshold
283/// is logged but NOT reported to the trust engine (no eviction). This PR is a
284/// breaking wire change (old nodes cannot decode the new `StorageCommitment`
285/// gossip), so a not-yet-upgraded peer times out on every new audit and looks
286/// exactly like a non-storing peer; penalising timeouts during the mixed-version
287/// window would make upgraded nodes evict every old node — a death spiral.
288///
289/// Confirmed storage-integrity failures (`DigestMismatch`/`KeyAbsent`/
290/// `Rejected`/`MalformedResponse`) are NEVER gated by this — those only come
291/// from a peer that actually answered with bad data, never an old node. Flip to
292/// `true` in a small follow-up release once the fleet has upgraded. This is a
293/// real `const` (not commented-out code) so both gate sites compile and stay in
294/// sync, and the flip is one line.
295pub const TIMEOUT_EVICTION_ENABLED: bool = false;
296
297/// Verification request timeout (per-batch).
298const VERIFICATION_REQUEST_TIMEOUT_SECS: u64 = 15;
299/// Verification request timeout (per-batch).
300pub const VERIFICATION_REQUEST_TIMEOUT: Duration =
301 Duration::from_secs(VERIFICATION_REQUEST_TIMEOUT_SECS);
302
303/// Fetch request timeout.
304const FETCH_REQUEST_TIMEOUT_SECS: u64 = 30;
305/// Fetch request timeout.
306pub const FETCH_REQUEST_TIMEOUT: Duration = Duration::from_secs(FETCH_REQUEST_TIMEOUT_SECS);
307
308/// Maximum age for pending-verification entries before stale eviction.
309const PENDING_VERIFY_MAX_AGE_SECS: u64 = 30 * 60;
310/// Maximum age for pending-verification entries before stale eviction.
311pub const PENDING_VERIFY_MAX_AGE: Duration = Duration::from_secs(PENDING_VERIFY_MAX_AGE_SECS);
312
313/// Trust event weight for confirmed audit failures.
314pub const AUDIT_FAILURE_TRUST_WEIGHT: f64 = 5.0;
315
316/// Consecutive audit *timeouts* a peer may accumulate before a timeout is
317/// reported as an `ApplicationFailure` trust event.
318///
319/// The audit response timeout is an economic deterrent calibrated for
320/// residential bandwidth, not a hard cryptographic bound: a single slow
321/// response is routine for an honest node under transient load (GC pause,
322/// disk flush, a burst of concurrent requests). Penalizing on the first
323/// timeout false-positives those nodes.
324///
325/// Requiring `N` *consecutive* timeouts before penalizing removes that
326/// false-positive while preserving the deterrent against a peer that does not
327/// actually store the data and must fetch it at audit time: such a peer is
328/// slow on *every* audit and accumulates a fresh strike each tick until it
329/// crosses the threshold, whereas an honest node answers normally between rare
330/// slow ticks and any success resets its strike counter to zero (see
331/// `handle_audit_result`). The discriminator is *persistence* of slowness
332/// versus *transience*. This deliberately does not widen the per-challenge
333/// window. Applies ONLY to `AuditFailureReason::Timeout`; confirmed
334/// storage-integrity failures (`DigestMismatch` / `KeyAbsent` / `Rejected` /
335/// `MalformedResponse`) remain instantly punishable.
336pub const AUDIT_TIMEOUT_STRIKE_THRESHOLD: u32 = 3;
337
338/// Probability of launching a subtree audit when a peer's *changed* commitment
339/// is ingested via gossip (ADR-0002). Keeps audits occasional surprise exams.
340pub const AUDIT_ON_GOSSIP_PROBABILITY: f64 = 0.2;
341
342/// Per-peer cooldown between gossip-triggered subtree audits (ADR-0002), in
343/// seconds. Bounds how often any one peer is audited regardless of gossip rate.
344pub const AUDIT_ON_GOSSIP_COOLDOWN_SECS: u64 = 30 * 60;
345
346/// Number of subtree leaves spot-checked against real chunk bytes per audit
347/// (ADR-0002 real-bytes layer).
348///
349/// The auditor clamps this to its 3..=5 band (`BYTE_SPOTCHECK_MIN..=MAX` in
350/// `storage_commitment_audit`), so this is the effective MAXIMUM — set it
351/// within the band rather than advertising a sample size the auditor never
352/// requests.
353pub const AUDIT_SPOTCHECK_COUNT: u32 = 5;
354
355/// Conservative leaf-count hint for sizing the subtree-audit response deadline.
356///
357/// The deadline is set before the proof arrives, so we size for the largest
358/// legal store: `sqrt(MAX_COMMITMENT_KEY_COUNT) = 1000`. Honest small stores
359/// finish well within it.
360pub const SUBTREE_AUDIT_TIMEOUT_LEAF_HINT: usize = 1000;
361
362/// Maximum number of prune-confirmation audit challenges sent per prune pass.
363pub const MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS: usize = 64;
364
365/// Seconds to wait for `DhtNetworkEvent::BootstrapComplete` before proceeding
366/// with bootstrap sync. Covers bootstrap nodes with no peers to connect to.
367const BOOTSTRAP_COMPLETE_TIMEOUT_SECS: u64 = 60;
368
369// ---------------------------------------------------------------------------
370// Runtime-configurable wrapper
371// ---------------------------------------------------------------------------
372
373/// Runtime-configurable replication parameters.
374///
375/// Validated on construction — node rejects invalid configs.
376#[derive(Debug, Clone)]
377pub struct ReplicationConfig {
378 /// Close-group width and target holder count per key.
379 pub close_group_size: usize,
380 /// Required positive presence votes for quorum.
381 pub quorum_threshold: usize,
382 /// Maximum closest nodes tracking paid status for a key.
383 pub paid_list_close_group_size: usize,
384 /// Number of closest peers to self eligible for neighbor sync.
385 pub neighbor_sync_scope: usize,
386 /// Peers synced concurrently per round-robin repair round.
387 pub neighbor_sync_peer_count: usize,
388 /// Neighbor sync cadence range (min).
389 pub neighbor_sync_interval_min: Duration,
390 /// Neighbor sync cadence range (max).
391 pub neighbor_sync_interval_max: Duration,
392 /// Minimum spacing between successive syncs with the same peer.
393 pub neighbor_sync_cooldown: Duration,
394 /// Self-lookup cadence range (min).
395 pub self_lookup_interval_min: Duration,
396 /// Self-lookup cadence range (max).
397 pub self_lookup_interval_max: Duration,
398 /// Audit scheduler cadence range (min).
399 pub audit_tick_interval_min: Duration,
400 /// Audit scheduler cadence range (max).
401 pub audit_tick_interval_max: Duration,
402 /// Floor on the audit response deadline. Covers global RTT for
403 /// the small request/response envelope plus scheduling jitter.
404 /// See `AUDIT_RESPONSE_FLOOR_SECS` for sizing.
405 pub audit_response_floor: Duration,
406 /// Conservative honest-responder read throughput (bytes/sec).
407 /// Used to scale the audit response deadline against the size of
408 /// the challenge. Slow enough that even an HDD-backed honest peer
409 /// fits inside the budget; fast enough that a relay attacker who
410 /// must fetch bytes over the network falls outside.
411 pub audit_honest_read_bps: u64,
412 /// Slack multiplier on the honest-read estimate before
413 /// declaring an audit timed out.
414 pub audit_response_honest_multiplier: u64,
415 /// Single-key prune-audit response deadline. Has its own constant
416 /// because the relay-defence rationale that motivates the tight
417 /// commitment-bound budget does not apply to a single-key prune
418 /// challenge.
419 pub prune_audit_response_timeout: Duration,
420 /// Maximum duration a peer may claim bootstrap status.
421 pub bootstrap_claim_grace_period: Duration,
422 /// Minimum continuous out-of-range duration before pruning a key.
423 pub prune_hysteresis_duration: Duration,
424 /// Verification request timeout (per-batch).
425 pub verification_request_timeout: Duration,
426 /// Fetch request timeout.
427 pub fetch_request_timeout: Duration,
428 /// Seconds to wait for `DhtNetworkEvent::BootstrapComplete` before
429 /// proceeding with bootstrap sync (covers bootstrap nodes with no peers).
430 pub bootstrap_complete_timeout_secs: u64,
431}
432
433impl Default for ReplicationConfig {
434 fn default() -> Self {
435 Self {
436 close_group_size: CLOSE_GROUP_SIZE,
437 quorum_threshold: QUORUM_THRESHOLD,
438 paid_list_close_group_size: PAID_LIST_CLOSE_GROUP_SIZE,
439 neighbor_sync_scope: NEIGHBOR_SYNC_SCOPE,
440 neighbor_sync_peer_count: NEIGHBOR_SYNC_PEER_COUNT,
441 neighbor_sync_interval_min: NEIGHBOR_SYNC_INTERVAL_MIN,
442 neighbor_sync_interval_max: NEIGHBOR_SYNC_INTERVAL_MAX,
443 neighbor_sync_cooldown: NEIGHBOR_SYNC_COOLDOWN,
444 self_lookup_interval_min: SELF_LOOKUP_INTERVAL_MIN,
445 self_lookup_interval_max: SELF_LOOKUP_INTERVAL_MAX,
446 audit_tick_interval_min: AUDIT_TICK_INTERVAL_MIN,
447 audit_tick_interval_max: AUDIT_TICK_INTERVAL_MAX,
448 audit_response_floor: Duration::from_secs(AUDIT_RESPONSE_FLOOR_SECS),
449 audit_honest_read_bps: AUDIT_HONEST_READ_BPS,
450 audit_response_honest_multiplier: AUDIT_RESPONSE_HONEST_MULTIPLIER,
451 prune_audit_response_timeout: Duration::from_secs(PRUNE_AUDIT_RESPONSE_SECS),
452 bootstrap_claim_grace_period: BOOTSTRAP_CLAIM_GRACE_PERIOD,
453 prune_hysteresis_duration: PRUNE_HYSTERESIS_DURATION,
454 verification_request_timeout: VERIFICATION_REQUEST_TIMEOUT,
455 fetch_request_timeout: FETCH_REQUEST_TIMEOUT,
456 bootstrap_complete_timeout_secs: BOOTSTRAP_COMPLETE_TIMEOUT_SECS,
457 }
458 }
459}
460
461impl ReplicationConfig {
462 /// Validate safety constraints. Returns `Err` with a description if any
463 /// constraint is violated.
464 ///
465 /// # Errors
466 ///
467 /// Returns a human-readable message describing the first violated
468 /// constraint.
469 pub fn validate(&self) -> Result<(), String> {
470 if self.close_group_size == 0 {
471 return Err("close_group_size must be >= 1".to_string());
472 }
473 if self.quorum_threshold == 0 || self.quorum_threshold > self.close_group_size {
474 return Err(format!(
475 "quorum_threshold ({}) must satisfy 1 <= quorum_threshold <= close_group_size ({})",
476 self.quorum_threshold, self.close_group_size,
477 ));
478 }
479 if self.close_group_size > MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS {
480 return Err(format!(
481 "close_group_size ({}) must be <= MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS ({})",
482 self.close_group_size, MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS,
483 ));
484 }
485 if self.paid_list_close_group_size == 0 {
486 return Err("paid_list_close_group_size must be >= 1".to_string());
487 }
488 if self.neighbor_sync_interval_min > self.neighbor_sync_interval_max {
489 return Err(format!(
490 "neighbor_sync_interval_min ({:?}) must be <= neighbor_sync_interval_max ({:?})",
491 self.neighbor_sync_interval_min, self.neighbor_sync_interval_max,
492 ));
493 }
494 if self.audit_tick_interval_min > self.audit_tick_interval_max {
495 return Err(format!(
496 "audit_tick_interval_min ({:?}) must be <= audit_tick_interval_max ({:?})",
497 self.audit_tick_interval_min, self.audit_tick_interval_max,
498 ));
499 }
500 if self.self_lookup_interval_min > self.self_lookup_interval_max {
501 return Err(format!(
502 "self_lookup_interval_min ({:?}) must be <= self_lookup_interval_max ({:?})",
503 self.self_lookup_interval_min, self.self_lookup_interval_max,
504 ));
505 }
506 if self.neighbor_sync_peer_count == 0 {
507 return Err("neighbor_sync_peer_count must be >= 1".to_string());
508 }
509 if self.neighbor_sync_scope == 0 {
510 return Err("neighbor_sync_scope must be >= 1".to_string());
511 }
512 if self.neighbor_sync_scope > K_BUCKET_SIZE {
513 return Err(format!(
514 "neighbor_sync_scope ({}) must be <= K_BUCKET_SIZE ({})",
515 self.neighbor_sync_scope, K_BUCKET_SIZE,
516 ));
517 }
518 Ok(())
519 }
520
521 /// Effective quorum votes required for a key given the number of
522 /// reachable quorum targets.
523 ///
524 /// `min(self.quorum_threshold, floor(quorum_targets_count / 2) + 1)`
525 #[must_use]
526 pub fn quorum_needed(&self, quorum_targets_count: usize) -> usize {
527 if quorum_targets_count == 0 {
528 return 0;
529 }
530 let majority = quorum_targets_count / 2 + 1;
531 self.quorum_threshold.min(majority)
532 }
533
534 /// Confirmations required for paid-list consensus given the number of
535 /// peers in the paid-list close group for a key.
536 ///
537 /// `floor(paid_group_size / 2) + 1`
538 #[must_use]
539 pub fn confirm_needed(paid_group_size: usize) -> usize {
540 paid_group_size / 2 + 1
541 }
542
543 /// Returns a random duration in `[neighbor_sync_interval_min,
544 /// neighbor_sync_interval_max]`.
545 #[must_use]
546 pub fn random_neighbor_sync_interval(&self) -> Duration {
547 random_duration_in_range(
548 self.neighbor_sync_interval_min,
549 self.neighbor_sync_interval_max,
550 )
551 }
552
553 /// Compute the number of keys to sample for an audit round, scaled
554 /// dynamically by the total number of locally stored keys.
555 ///
556 /// Formula: `max(floor(sqrt(total_keys)), 1)`, capped at `total_keys`.
557 #[must_use]
558 pub fn audit_sample_count(total_keys: usize) -> usize {
559 #[allow(
560 clippy::cast_possible_truncation,
561 clippy::cast_sign_loss,
562 clippy::cast_precision_loss
563 )]
564 let sqrt = (total_keys as f64).sqrt() as usize;
565 sqrt.max(1).min(total_keys)
566 }
567
568 /// Maximum number of keys to accept in an incoming audit challenge.
569 ///
570 /// Scales dynamically: `2 * audit_sample_count(stored_chunks)`. The 2x
571 /// margin accounts for the challenger having a larger store than us and
572 /// therefore sampling more keys.
573 #[must_use]
574 pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize {
575 // Allow at least 1 key so a newly-joined node can still be audited.
576 (2 * Self::audit_sample_count(stored_chunks)).max(1)
577 }
578
579 /// Compute the audit response timeout for a challenge with
580 /// `challenged_key_count` keys, **sized to be tight enough that a
581 /// relay attacker that must fetch the chunk bytes from elsewhere
582 /// falls outside the budget**.
583 ///
584 /// Formula:
585 /// `floor + (challenged_bytes / honest_read_bps) × multiplier`
586 ///
587 /// Where `challenged_bytes = k × MAX_CHUNK_SIZE`. An honest peer
588 /// reads `k × 4 MiB` from local disk at `honest_read_bps` (set
589 /// conservatively at 50 MB/s — well below modern SSDs); the
590 /// multiplier of 5 absorbs jitter, BLAKE3, ML-DSA, and slow disks.
591 ///
592 /// A relay attacker on a residential link (~5-12 MB/s) who must
593 /// fetch the same `k × 4 MiB` over the network sees ~10-100× higher
594 /// latency than disk for the data alone, plus per-chunk round-trips,
595 /// and misses the budget — recording a timeout strike (per
596 /// `handle_audit_timeout` → `handle_audit_failure`). After
597 /// [`AUDIT_TIMEOUT_STRIKE_THRESHOLD`] consecutive timeouts this would
598 /// fire an `application_failure` trust event — but note that report is
599 /// currently suppressed for the breaking rollout (grep
600 /// TIMEOUT-EVICTION-DISABLED); the strike accounting still runs.
601 ///
602 /// This is an economic deterrent for the §7 relay limit calibrated
603 /// for residential bandwidth, NOT a hard bound: a relay on a
604 /// datacenter cross-connect (≥1 Gbps) can fetch `k × 4 MiB` fast
605 /// enough to answer in time. It raises the relay's cost (bandwidth
606 /// per audit) without claiming to make relaying impossible. The
607 /// cryptographic guarantee remains commitment-binding (the relay
608 /// must still hold or fetch the exact committed bytes); the timeout
609 /// only attacks the economics.
610 #[must_use]
611 pub fn audit_response_timeout(&self, challenged_key_count: usize) -> Duration {
612 let bytes_per_key = u64::try_from(crate::ant_protocol::MAX_CHUNK_SIZE).unwrap_or(u64::MAX);
613 let keys = u64::try_from(challenged_key_count).unwrap_or(u64::MAX);
614 let total_bytes = bytes_per_key.saturating_mul(keys);
615 let bps = self.audit_honest_read_bps.max(1);
616 // Apply the multiplier BEFORE integer-dividing by bps so each
617 // chunk contributes a fractional second rather than rounding
618 // down to zero. Otherwise k in 1..=12 would all collapse to the
619 // floor (~40 MiB / 50 MB/s = 0 secs in integer arithmetic), and
620 // an honest HDD-backed peer at sqrt(N)=10 stored chunks could
621 // miss the budget under load.
622 let multiplied = total_bytes.saturating_mul(self.audit_response_honest_multiplier);
623 // Resolve the scaled term in MILLISECONDS, not seconds: at the
624 // byte-round sizes (MAX_BYTE_CHALLENGE_KEYS = 2 → 8 MiB) the per-second
625 // quotient `multiplied / bps` integer-truncates to 0, leaving only the
626 // floor (the §4 finding: a 2×4 MiB honest serve under load could blow a
627 // 2 s budget). Computing in ms keeps the sub-second honest-read estimate
628 // (e.g. 8 MiB × 5 / 50 MB/s ≈ 840 ms) instead of dropping it.
629 let scaled_ms = multiplied.saturating_mul(1000) / bps;
630 // saturating_add avoids a panic if the floor plus the scaled term would
631 // overflow `Duration::MAX`.
632 self.audit_response_floor
633 .saturating_add(Duration::from_millis(scaled_ms))
634 }
635
636 /// Deadline for the round-2 BYTE challenge serving `challenged_key_count`
637 /// full chunks back to the auditor.
638 ///
639 /// Same per-byte scaling as [`Self::audit_response_timeout`] (so a relay
640 /// that must fetch the bytes over a residential link still blows it), but on
641 /// a higher floor (`BYTE_AUDIT_RESPONSE_FLOOR_SECS`) because the reply
642 /// carries up to
643 /// `MAX_BYTE_CHALLENGE_KEYS × MAX_CHUNK_SIZE` of chunk data — handshake +
644 /// multi-MiB upload + a busy honest disk read do not fit the hashes-only
645 /// round-1 floor (the §4 finding).
646 #[must_use]
647 pub fn byte_audit_response_timeout(&self, challenged_key_count: usize) -> Duration {
648 let scaled = self
649 .audit_response_timeout(challenged_key_count)
650 .saturating_sub(self.audit_response_floor);
651 Duration::from_secs(BYTE_AUDIT_RESPONSE_FLOOR_SECS).saturating_add(scaled)
652 }
653
654 /// Number of subtree leaves to spot-check against real chunk bytes per
655 /// audit (ADR-0002 real-bytes layer). Faking a fraction `x` of nonced
656 /// leaves survives only `(1 - x)^k`.
657 #[must_use]
658 pub fn audit_spotcheck_count(&self) -> u32 {
659 AUDIT_SPOTCHECK_COUNT
660 }
661
662 /// Conservative leaf-count hint for sizing the subtree-audit response
663 /// deadline before the proof arrives.
664 ///
665 /// The selected subtree holds about `sqrt(key_count)` real leaves; sizing
666 /// for a large store keeps an honest peer with a big store from timing out.
667 #[must_use]
668 pub fn subtree_audit_timeout_leaf_hint(&self) -> usize {
669 SUBTREE_AUDIT_TIMEOUT_LEAF_HINT
670 }
671
672 /// Returns a random duration in `[audit_tick_interval_min,
673 /// audit_tick_interval_max]`.
674 #[must_use]
675 pub fn random_audit_tick_interval(&self) -> Duration {
676 random_duration_in_range(self.audit_tick_interval_min, self.audit_tick_interval_max)
677 }
678
679 /// Returns a random duration in `[self_lookup_interval_min,
680 /// self_lookup_interval_max]`.
681 #[must_use]
682 pub fn random_self_lookup_interval(&self) -> Duration {
683 random_duration_in_range(self.self_lookup_interval_min, self.self_lookup_interval_max)
684 }
685}
686
687/// Pick a random `Duration` uniformly in `[min, max]` at millisecond
688/// granularity.
689///
690/// When `min == max` the result is deterministic.
691fn random_duration_in_range(min: Duration, max: Duration) -> Duration {
692 if min == max {
693 return min;
694 }
695 // Our intervals are minutes/hours, well within u64 range. Saturate to
696 // u64::MAX on the impossible overflow path to avoid a lossy cast.
697 let to_u64_millis = |d: Duration| -> u64 { u64::try_from(d.as_millis()).unwrap_or(u64::MAX) };
698 let chosen = rand::thread_rng().gen_range(to_u64_millis(min)..=to_u64_millis(max));
699 Duration::from_millis(chosen)
700}
701
702// ---------------------------------------------------------------------------
703// Tests
704// ---------------------------------------------------------------------------
705
706#[cfg(test)]
707#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
708mod tests {
709 use super::*;
710
711 #[test]
712 fn defaults_pass_validation() {
713 let config = ReplicationConfig::default();
714 assert!(config.validate().is_ok(), "default config must be valid");
715 }
716
717 #[test]
718 fn default_prune_hysteresis_is_three_days() {
719 let config = ReplicationConfig::default();
720 assert_eq!(
721 config.prune_hysteresis_duration,
722 Duration::from_secs(3 * 24 * 60 * 60)
723 );
724 }
725
726 #[test]
727 fn storage_admission_width_adds_margin() {
728 const TEST_CLOSE_GROUP_SIZE: usize = 7;
729
730 assert_eq!(
731 storage_admission_width(TEST_CLOSE_GROUP_SIZE),
732 TEST_CLOSE_GROUP_SIZE + STORAGE_ADMISSION_MARGIN
733 );
734 assert_eq!(storage_admission_width(usize::MAX), usize::MAX);
735 }
736
737 #[test]
738 fn audit_failure_weight_is_five() {
739 assert!((AUDIT_FAILURE_TRUST_WEIGHT - 5.0).abs() <= f64::EPSILON);
740 }
741
742 #[test]
743 fn audit_timeout_strike_threshold_is_three() {
744 // Smallest threshold that tolerates back-to-back transient slowness
745 // while still penalizing a persistently-slow non-storing peer within a
746 // few audit ticks.
747 assert_eq!(AUDIT_TIMEOUT_STRIKE_THRESHOLD, 3);
748 }
749
750 #[test]
751 fn replication_protocol_id_is_v2() {
752 // The v12 storage-bound audit changes replication SEMANTICS. The
753 // protocol id MUST advance past v1 so v1 and v2 nodes never exchange
754 // replication traffic they can only half-interpret (rollout safety —
755 // see the const's doc). If this regresses to v1, mixed-version nodes
756 // would talk past each other and risk spurious penalties.
757 assert_eq!(REPLICATION_PROTOCOL_ID, "autonomi.ant.replication.v2");
758 }
759
760 #[test]
761 fn audit_response_timeout_floor_at_zero_keys() {
762 let config = ReplicationConfig::default();
763 assert_eq!(
764 config.audit_response_timeout(0),
765 Duration::from_secs(AUDIT_RESPONSE_FLOOR_SECS),
766 "zero-key challenge should yield the floor exactly"
767 );
768 }
769
770 #[test]
771 fn audit_response_timeout_scales_with_key_count() {
772 let config = ReplicationConfig::default();
773 let t1 = config.audit_response_timeout(1);
774 let t10 = config.audit_response_timeout(10);
775 let t100 = config.audit_response_timeout(100);
776 assert!(t1 <= t10 && t10 < t100, "timeout must not decrease with k");
777
778 // Scaling now resolves in MILLISECONDS so a sub-second honest read no
779 // longer truncates to zero (§4). For k=1:
780 // (4_194_304 × 5 × 1000) / 52_428_800 = 400 ms, + 2 s round-1 floor =
781 // 2.4 s (previously collapsed to the bare 2 s floor).
782 assert_eq!(t1, Duration::from_millis(2400));
783
784 // For k=10: (10 × 4_194_304 × 5 × 1000) / 52_428_800 = 4000 ms scaled,
785 // + 2 s floor = 6 s. An HDD-backed honest peer at 20 MB/s reads 40 MiB
786 // in ~2 s, comfortably inside; a relay fetching 40 MiB at 5 MB/s
787 // residential bandwidth needs ~8 s for the data alone, outside.
788 assert_eq!(t10, Duration::from_secs(6));
789
790 // For k=100: (100 × 4_194_304 × 5 × 1000) / 52_428_800 = 40_000 ms
791 // scaled, + 2 s floor = 42 s.
792 assert_eq!(t100, Duration::from_secs(42));
793 }
794
795 #[test]
796 fn audit_response_timeout_fits_honest_hdd_at_typical_sample_size() {
797 // The canonical audit sample is sqrt(N) at N stored chunks.
798 // At N=100 stored chunks, sample is 10. An HDD-backed honest
799 // peer at the slowest realistic random-read throughput (20 MB/s,
800 // well below modern HDDs which sustain 80-150 MB/s sequential)
801 // reads 10 × 4 MiB = 40 MiB in ~2 s. Add 300 ms cross-continent
802 // RTT, ~10 ms scheduling, ~3 ms ML-DSA sign, and the honest
803 // envelope is ~2.3 s. The 6 s budget at k=10 leaves >3 s of
804 // slack.
805 let config = ReplicationConfig::default();
806 let budget = config.audit_response_timeout(10);
807 let realistic_hdd_bps: u64 = 20 * 1024 * 1024;
808 let bytes: u64 = 10 * 4 * 1024 * 1024;
809 let honest_envelope_secs = bytes / realistic_hdd_bps + 1; // +1 s for network/scheduling/sign
810 assert!(
811 Duration::from_secs(honest_envelope_secs) < budget,
812 "honest HDD envelope ({honest_envelope_secs}s) must fit inside k=10 budget ({}s)",
813 budget.as_secs(),
814 );
815 }
816
817 #[test]
818 fn audit_response_timeout_relay_is_outside_envelope() {
819 // The intended invariant: an honest peer with the SSD-class
820 // read budget fits inside `audit_response_timeout(k)`, while a
821 // relay attacker fetching k*4MiB over residential bandwidth
822 // (≈ 5 MB/s realistic for sustained download) does NOT. Spot-
823 // check this at k=100: honest budget is 42s, relay needs at
824 // least 100 * 4 MiB / 5 MB/s = 80s for the data alone, which
825 // exceeds the budget.
826 let config = ReplicationConfig::default();
827 let budget = config.audit_response_timeout(100);
828 let relay_data_only = Duration::from_secs(100 * 4 * 1024 * 1024 / (5 * 1024 * 1024));
829 assert!(
830 relay_data_only > budget,
831 "relay fetch ({}s) must exceed honest audit budget ({}s)",
832 relay_data_only.as_secs(),
833 budget.as_secs(),
834 );
835 }
836
837 #[test]
838 fn audit_response_timeout_saturates_on_huge_k() {
839 let config = ReplicationConfig::default();
840 // Should not panic or overflow at extreme k values.
841 let _ = config.audit_response_timeout(usize::MAX);
842 }
843
844 #[test]
845 fn quorum_threshold_zero_rejected() {
846 let config = ReplicationConfig {
847 quorum_threshold: 0,
848 ..ReplicationConfig::default()
849 };
850 assert!(config.validate().is_err());
851 }
852
853 #[test]
854 fn quorum_threshold_exceeds_close_group_rejected() {
855 let defaults = ReplicationConfig::default();
856 let config = ReplicationConfig {
857 quorum_threshold: defaults.close_group_size + 1,
858 ..defaults
859 };
860 assert!(config.validate().is_err());
861 }
862
863 #[test]
864 fn close_group_size_zero_rejected() {
865 let config = ReplicationConfig {
866 close_group_size: 0,
867 ..ReplicationConfig::default()
868 };
869 assert!(config.validate().is_err());
870 }
871
872 #[test]
873 fn close_group_size_exceeding_prune_audit_budget_rejected() {
874 let config = ReplicationConfig {
875 close_group_size: MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS + 1,
876 quorum_threshold: QUORUM_THRESHOLD,
877 ..ReplicationConfig::default()
878 };
879
880 let err = config.validate().unwrap_err();
881
882 assert!(
883 err.contains("MAX_PRUNE_AUDIT_CHALLENGES_PER_PASS"),
884 "error should mention prune audit budget: {err}"
885 );
886 }
887
888 #[test]
889 fn paid_list_close_group_size_zero_rejected() {
890 let config = ReplicationConfig {
891 paid_list_close_group_size: 0,
892 ..ReplicationConfig::default()
893 };
894 assert!(config.validate().is_err());
895 }
896
897 #[test]
898 fn neighbor_sync_interval_inverted_rejected() {
899 let config = ReplicationConfig {
900 neighbor_sync_interval_min: Duration::from_secs(100),
901 neighbor_sync_interval_max: Duration::from_secs(50),
902 ..ReplicationConfig::default()
903 };
904 assert!(config.validate().is_err());
905 }
906
907 #[test]
908 fn audit_tick_interval_inverted_rejected() {
909 let config = ReplicationConfig {
910 audit_tick_interval_min: Duration::from_secs(100),
911 audit_tick_interval_max: Duration::from_secs(50),
912 ..ReplicationConfig::default()
913 };
914 assert!(config.validate().is_err());
915 }
916
917 #[test]
918 fn self_lookup_interval_inverted_rejected() {
919 let config = ReplicationConfig {
920 self_lookup_interval_min: Duration::from_secs(100),
921 self_lookup_interval_max: Duration::from_secs(50),
922 ..ReplicationConfig::default()
923 };
924 assert!(config.validate().is_err());
925 }
926
927 #[test]
928 fn neighbor_sync_peer_count_zero_rejected() {
929 let config = ReplicationConfig {
930 neighbor_sync_peer_count: 0,
931 ..ReplicationConfig::default()
932 };
933 assert!(config.validate().is_err());
934 }
935
936 #[test]
937 fn neighbor_sync_scope_exceeding_k_bucket_size_rejected() {
938 let config = ReplicationConfig {
939 neighbor_sync_scope: K_BUCKET_SIZE + 1,
940 ..ReplicationConfig::default()
941 };
942 assert!(config.validate().is_err());
943 }
944
945 #[test]
946 fn audit_sample_count_scales_with_sqrt() {
947 // Empty store
948 assert_eq!(ReplicationConfig::audit_sample_count(0), 0);
949
950 // Single key
951 assert_eq!(ReplicationConfig::audit_sample_count(1), 1);
952
953 // Small stores: sqrt(3)=1
954 assert_eq!(ReplicationConfig::audit_sample_count(3), 1);
955
956 // sqrt scaling
957 assert_eq!(ReplicationConfig::audit_sample_count(4), 2);
958 assert_eq!(ReplicationConfig::audit_sample_count(25), 5);
959 assert_eq!(ReplicationConfig::audit_sample_count(100), 10);
960 assert_eq!(ReplicationConfig::audit_sample_count(1_000), 31);
961 assert_eq!(ReplicationConfig::audit_sample_count(10_000), 100);
962 assert_eq!(ReplicationConfig::audit_sample_count(1_000_000), 1_000);
963 }
964
965 #[test]
966 fn max_incoming_audit_keys_scales_dynamically() {
967 // Empty store: at least 1 key accepted.
968 assert_eq!(ReplicationConfig::max_incoming_audit_keys(0), 1);
969
970 // 1 chunk: 2 * sqrt(1) = 2.
971 assert_eq!(ReplicationConfig::max_incoming_audit_keys(1), 2);
972
973 // 100 chunks: 2 * sqrt(100) = 20.
974 assert_eq!(ReplicationConfig::max_incoming_audit_keys(100), 20);
975
976 // 1M chunks: 2 * sqrt(1_000_000) = 2_000.
977 assert_eq!(ReplicationConfig::max_incoming_audit_keys(1_000_000), 2_000);
978
979 // 5M chunks: 2 * sqrt(5_000_000) = 4_472.
980 assert_eq!(ReplicationConfig::max_incoming_audit_keys(5_000_000), 4_472);
981 }
982
983 #[test]
984 fn quorum_needed_uses_smaller_of_threshold_and_majority() {
985 let config = ReplicationConfig::default();
986
987 // With 7 targets: majority = 7/2+1 = 4, threshold = 4 → min = 4
988 assert_eq!(config.quorum_needed(7), 4);
989
990 // With 3 targets: majority = 3/2+1 = 2, threshold = 4 → min = 2
991 assert_eq!(config.quorum_needed(3), 2);
992
993 // With 0 targets: quorum is impossible — returns 0
994 assert_eq!(config.quorum_needed(0), 0);
995
996 // With 100 targets: majority = 51, threshold = 4 → min = 4
997 assert_eq!(config.quorum_needed(100), 4);
998 }
999
1000 #[test]
1001 fn confirm_needed_is_strict_majority() {
1002 assert_eq!(ReplicationConfig::confirm_needed(1), 1);
1003 assert_eq!(ReplicationConfig::confirm_needed(2), 2);
1004 assert_eq!(ReplicationConfig::confirm_needed(3), 2);
1005 assert_eq!(ReplicationConfig::confirm_needed(4), 3);
1006 assert_eq!(ReplicationConfig::confirm_needed(20), 11);
1007 }
1008
1009 #[test]
1010 fn random_intervals_within_bounds() {
1011 let config = ReplicationConfig::default();
1012
1013 // Run several iterations to exercise randomness.
1014 let iterations = 50;
1015 for _ in 0..iterations {
1016 let ns = config.random_neighbor_sync_interval();
1017 assert!(ns >= config.neighbor_sync_interval_min);
1018 assert!(ns <= config.neighbor_sync_interval_max);
1019
1020 let at = config.random_audit_tick_interval();
1021 assert!(at >= config.audit_tick_interval_min);
1022 assert!(at <= config.audit_tick_interval_max);
1023
1024 let sl = config.random_self_lookup_interval();
1025 assert!(sl >= config.self_lookup_interval_min);
1026 assert!(sl <= config.self_lookup_interval_max);
1027 }
1028 }
1029
1030 #[test]
1031 fn random_interval_equal_bounds_is_deterministic() {
1032 let fixed = Duration::from_secs(42);
1033 let config = ReplicationConfig {
1034 neighbor_sync_interval_min: fixed,
1035 neighbor_sync_interval_max: fixed,
1036 ..ReplicationConfig::default()
1037 };
1038 assert_eq!(config.random_neighbor_sync_interval(), fixed);
1039 }
1040
1041 // -----------------------------------------------------------------------
1042 // Section 18 scenarios
1043 // -----------------------------------------------------------------------
1044
1045 /// Scenario 18: Invalid runtime config is rejected by `validate()`.
1046 #[test]
1047 fn scenario_18_invalid_config_rejected() {
1048 // quorum_threshold > close_group_size -> validation fails.
1049 let config = ReplicationConfig {
1050 quorum_threshold: 10,
1051 close_group_size: 7,
1052 ..ReplicationConfig::default()
1053 };
1054 let err = config.validate().unwrap_err();
1055 assert!(
1056 err.contains("quorum_threshold"),
1057 "error should mention quorum_threshold: {err}"
1058 );
1059
1060 // close_group_size = 0 -> validation fails.
1061 let config = ReplicationConfig {
1062 close_group_size: 0,
1063 ..ReplicationConfig::default()
1064 };
1065 let err = config.validate().unwrap_err();
1066 assert!(
1067 err.contains("close_group_size"),
1068 "error should mention close_group_size: {err}"
1069 );
1070
1071 // neighbor_sync interval min > max -> validation fails.
1072 let config = ReplicationConfig {
1073 neighbor_sync_interval_min: Duration::from_secs(200),
1074 neighbor_sync_interval_max: Duration::from_secs(100),
1075 ..ReplicationConfig::default()
1076 };
1077 let err = config.validate().unwrap_err();
1078 assert!(
1079 err.contains("neighbor_sync_interval"),
1080 "error should mention neighbor_sync_interval: {err}"
1081 );
1082
1083 // self_lookup interval min > max -> validation fails.
1084 let config = ReplicationConfig {
1085 self_lookup_interval_min: Duration::from_secs(999),
1086 self_lookup_interval_max: Duration::from_secs(1),
1087 ..ReplicationConfig::default()
1088 };
1089 let err = config.validate().unwrap_err();
1090 assert!(
1091 err.contains("self_lookup_interval"),
1092 "error should mention self_lookup_interval: {err}"
1093 );
1094
1095 // audit_tick interval min > max -> validation fails.
1096 let config = ReplicationConfig {
1097 audit_tick_interval_min: Duration::from_secs(500),
1098 audit_tick_interval_max: Duration::from_secs(10),
1099 ..ReplicationConfig::default()
1100 };
1101 let err = config.validate().unwrap_err();
1102 assert!(
1103 err.contains("audit_tick_interval"),
1104 "error should mention audit_tick_interval: {err}"
1105 );
1106 }
1107
1108 /// Scenario 26: Dynamic paid-list threshold for undersized set.
1109 /// With PaidGroupSize=8, `ConfirmNeeded` = floor(8/2)+1 = 5.
1110 #[test]
1111 fn scenario_26_dynamic_paid_threshold_undersized() {
1112 assert_eq!(ReplicationConfig::confirm_needed(8), 5, "floor(8/2)+1 = 5");
1113
1114 // Additional boundary checks for small paid groups.
1115 assert_eq!(
1116 ReplicationConfig::confirm_needed(1),
1117 1,
1118 "single peer requires 1 confirmation"
1119 );
1120 assert_eq!(
1121 ReplicationConfig::confirm_needed(2),
1122 2,
1123 "2 peers require 2 confirmations"
1124 );
1125 assert_eq!(
1126 ReplicationConfig::confirm_needed(3),
1127 2,
1128 "3 peers require 2 confirmations"
1129 );
1130 assert_eq!(
1131 ReplicationConfig::confirm_needed(0),
1132 1,
1133 "0 peers yields floor(0/2)+1 = 1 (degenerate case)"
1134 );
1135 }
1136
1137 /// Scenario 31: Consecutive audit ticks occur on randomized intervals
1138 /// bounded by the configured `[audit_tick_interval_min, audit_tick_interval_max]`
1139 /// window.
1140 #[test]
1141 fn scenario_31_audit_cadence_within_jitter_bounds() {
1142 let config = ReplicationConfig {
1143 audit_tick_interval_min: Duration::from_secs(600),
1144 audit_tick_interval_max: Duration::from_secs(1200),
1145 ..ReplicationConfig::default()
1146 };
1147
1148 // Sample many intervals and verify each is within bounds.
1149 let iterations = 100;
1150 let mut saw_different = false;
1151 let mut prev = Duration::ZERO;
1152
1153 for _ in 0..iterations {
1154 let interval = config.random_audit_tick_interval();
1155 assert!(
1156 interval >= config.audit_tick_interval_min,
1157 "interval {interval:?} below min {:?}",
1158 config.audit_tick_interval_min,
1159 );
1160 assert!(
1161 interval <= config.audit_tick_interval_max,
1162 "interval {interval:?} above max {:?}",
1163 config.audit_tick_interval_max,
1164 );
1165 if interval != prev && prev != Duration::ZERO {
1166 saw_different = true;
1167 }
1168 prev = interval;
1169 }
1170
1171 // With 100 samples from a 10-minute range, at least two should differ
1172 // (probabilistically near-certain).
1173 assert!(
1174 saw_different,
1175 "audit intervals should exhibit randomized jitter across samples"
1176 );
1177 }
1178}