Module commitment_state

Responder-side commitment builder + rotation state.

Phase 2b of the v12 storage-bound audit design. Builds, signs, and caches a StorageCommitment over the responder’s currently-stored key set; serves audit lookups by expected_commitment_hash; retains the previous commitment across one rotation so an audit pinned to it does not false-fail at the rotation boundary (v5/v12 §4 retention).

Rotation strategy:

  • rotate(new_built) atomically replaces current with new_built and demotes the prior current to previous. The prior previous is dropped.
  • lookup(hash) reads the in-memory map and returns an Arc to the matching BuiltCommitment, keeping it alive for the audit response regardless of subsequent rotation (mirrors the ArcSwap semantics specified in v6 §2: an in-flight reader holding its Arc is unaffected by a concurrent rotate).

No persistent disk state. Trees are rebuilt from LmdbStorage at the next rotation tick. Memory cost is bounded by 2 × (key_count × ~64 bytes + signature_size) — for 10k keys, ~1.3 MB.
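The rotate/lookup semantics described above, as an added example that is not the crate's own code: a reduced ResponderCommitmentState holding only current and previous, with lookup by hash returning an Arc that outlives a later rotate. The BuiltCommitment here is a stand-in carrying only the cached hash and a key count (assumption; the real struct also holds the signed blob, Merkle tree and leaf index).

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Stand-in for the page's BuiltCommitment (assumption: only the cached
/// hash and the key count are modelled; wire blob and tree are omitted).
#[derive(Debug)]
pub struct BuiltCommitment {
    pub hash: [u8; 32],
    pub key_count: usize,
}

#[derive(Default)]
struct Slots {
    current: Option<Arc<BuiltCommitment>>,
    previous: Option<Arc<BuiltCommitment>>,
    // Lookup map rebuilt from {previous, current} on every rotation, so an
    // audit pinned to the retained previous commitment still resolves.
    by_hash: HashMap<[u8; 32], Arc<BuiltCommitment>>,
}

/// Responder retention state: current + one previous commitment.
#[derive(Default)]
pub struct ResponderCommitmentState {
    inner: RwLock<Slots>,
}

impl ResponderCommitmentState {
    /// Atomically install `new_built` as current, demote the prior current
    /// to previous, and drop the prior previous (it leaves the map here).
    pub fn rotate(&self, new_built: BuiltCommitment) {
        let mut guard = self.inner.write().unwrap();
        let s: &mut Slots = &mut *guard;
        s.previous = s.current.take();
        s.current = Some(Arc::new(new_built));
        // Rebuild rather than remove-by-hash: if current and previous share
        // a hash (unchanged key set), a blind remove would evict both.
        s.by_hash = s
            .previous
            .iter()
            .chain(s.current.iter())
            .map(|c| (c.hash, Arc::clone(c)))
            .collect();
    }

    /// Serve an audit's expected_commitment_hash. The returned Arc keeps the
    /// commitment alive for the audit response even if rotate() runs next.
    pub fn lookup(&self, hash: &[u8; 32]) -> Option<Arc<BuiltCommitment>> {
        self.inner.read().unwrap().by_hash.get(hash).cloned()
    }
}
```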

Structs

  • BuiltCommitment: A fully-built commitment: signed wire blob, cached hash, Merkle tree for inclusion proofs, and a sorted leaf-index lookup for the auditor’s leaf_index field.
  • PeerCommitmentRecord: Auditor-side per-peer commitment state.
  • ResponderCommitmentState: Responder retention state (ADR-0002).