
Struct ReplicationConfig 

pub struct ReplicationConfig {
    pub close_group_size: usize,
    pub quorum_threshold: usize,
    pub paid_list_close_group_size: usize,
    pub neighbor_sync_scope: usize,
    pub neighbor_sync_peer_count: usize,
    pub neighbor_sync_interval_min: Duration,
    pub neighbor_sync_interval_max: Duration,
    pub neighbor_sync_cooldown: Duration,
    pub self_lookup_interval_min: Duration,
    pub self_lookup_interval_max: Duration,
    pub audit_tick_interval_min: Duration,
    pub audit_tick_interval_max: Duration,
    pub audit_response_floor: Duration,
    pub audit_honest_read_bps: u64,
    pub audit_response_honest_multiplier: u64,
    pub prune_audit_response_timeout: Duration,
    pub bootstrap_claim_grace_period: Duration,
    pub prune_hysteresis_duration: Duration,
    pub verification_request_timeout: Duration,
    pub fetch_request_timeout: Duration,
    pub bootstrap_complete_timeout_secs: u64,
    pub possession_check_delay_min: Duration,
    pub possession_check_delay_max: Duration,
}

Runtime-configurable replication parameters.

Validated on construction — node rejects invalid configs.

Fields

close_group_size: usize

Close-group width and target holder count per key.

quorum_threshold: usize

Required positive presence votes for quorum.

paid_list_close_group_size: usize

Maximum number of closest nodes that track paid status for a key.

neighbor_sync_scope: usize

Number of closest peers to self eligible for neighbor sync.

neighbor_sync_peer_count: usize

Peers synced concurrently per round-robin repair round.

neighbor_sync_interval_min: Duration

Neighbor sync cadence range (min).

neighbor_sync_interval_max: Duration

Neighbor sync cadence range (max).

neighbor_sync_cooldown: Duration

Minimum spacing between successive syncs with the same peer.

self_lookup_interval_min: Duration

Self-lookup cadence range (min).

self_lookup_interval_max: Duration

Self-lookup cadence range (max).

audit_tick_interval_min: Duration

Audit scheduler cadence range (min).

audit_tick_interval_max: Duration

Audit scheduler cadence range (max).

audit_response_floor: Duration

Floor on the audit response deadline. Covers global RTT for the small request/response envelope plus scheduling jitter. See AUDIT_RESPONSE_FLOOR_SECS for sizing.

audit_honest_read_bps: u64

Conservative honest-responder read throughput (bytes/sec). Used to scale the audit response deadline against the size of the challenge. Slow enough that even an HDD-backed honest peer fits inside the budget; fast enough that a relay attacker who must fetch bytes over the network falls outside.

audit_response_honest_multiplier: u64

Slack multiplier on the honest-read estimate before declaring an audit timed out.

prune_audit_response_timeout: Duration

Single-key prune-audit response deadline. Has its own constant because the relay-defence rationale that motivates the tight commitment-bound budget does not apply to a single-key prune challenge.

bootstrap_claim_grace_period: Duration

Maximum duration a peer may claim bootstrap status.

prune_hysteresis_duration: Duration

Minimum continuous out-of-range duration before pruning a key.

verification_request_timeout: Duration

Verification request timeout (per batch).

fetch_request_timeout: Duration

Fetch request timeout.

bootstrap_complete_timeout_secs: u64

Seconds to wait for DhtNetworkEvent::BootstrapComplete before proceeding with bootstrap sync (covers bootstrap nodes with no peers).

possession_check_delay_min: Duration

Lower bound of the delay before a fresh-replication possession check runs (ADR-0003). Defaults to POSSESSION_CHECK_DELAY_MIN; tests shorten it so the scheduled check fires quickly.

possession_check_delay_max: Duration

Upper bound of the possession-check delay window (ADR-0003). Defaults to POSSESSION_CHECK_DELAY_MAX.

Implementations

impl ReplicationConfig

pub fn validate(&self) -> Result<(), String>

Validate safety constraints. Returns Err with a description if any constraint is violated.

Errors

Returns a human-readable message describing the first violated constraint.

pub fn quorum_needed(&self, quorum_targets_count: usize) -> usize

Effective quorum votes required for a key given the number of reachable quorum targets.

min(self.quorum_threshold, floor(quorum_targets_count / 2) + 1)

pub fn confirm_needed(paid_group_size: usize) -> usize

Confirmations required for paid-list consensus given the number of peers in the paid-list close group for a key.

floor(paid_group_size / 2) + 1

pub fn random_neighbor_sync_interval(&self) -> Duration

Returns a random duration in [neighbor_sync_interval_min, neighbor_sync_interval_max].

pub fn audit_sample_count(total_keys: usize) -> usize

Compute the number of keys to sample for an audit round, scaled dynamically by the total number of locally stored keys.

Formula: max(floor(sqrt(total_keys)), 1), capped at total_keys.

pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize

Maximum number of keys to accept in an incoming audit challenge.

Scales dynamically: 2 * audit_sample_count(stored_chunks). The 2x margin accounts for the challenger having a larger store than us and therefore sampling more keys.
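The sizing arithmetic documented above for validate, quorum_needed, confirm_needed, audit_sample_count and max_incoming_audit_keys, as an added stand-alone example that is not the crate's own code. The struct ReplicationSizing, the isqrt helper and every rule inside validate are assumptions made for illustration; the page gives the formulas but does not list the real safety constraints.

```rust
use std::time::Duration;

// Added example, not the crate's own code: a stand-alone model of the sizing
// arithmetic documented for ReplicationConfig. Only the fields the formulas need
// are modelled, and the validation rules are assumptions.
#[derive(Debug, Clone)]
pub struct ReplicationSizing {
    pub close_group_size: usize,
    pub quorum_threshold: usize,
    pub paid_list_close_group_size: usize,
    pub neighbor_sync_interval_min: Duration,
    pub neighbor_sync_interval_max: Duration,
}

impl ReplicationSizing {
    /// Reject configurations that could never reach quorum or that invert a
    /// cadence range. These particular checks are assumed for illustration.
    pub fn validate(&self) -> Result<(), String> {
        if self.close_group_size == 0 {
            return Err("close_group_size must be at least 1".to_string());
        }
        if self.quorum_threshold == 0 {
            return Err("quorum_threshold must be at least 1".to_string());
        }
        if self.quorum_threshold > self.close_group_size {
            return Err(format!(
                "quorum_threshold {} exceeds close_group_size {}: quorum could never be reached",
                self.quorum_threshold, self.close_group_size
            ));
        }
        if self.paid_list_close_group_size == 0 {
            return Err("paid_list_close_group_size must be at least 1".to_string());
        }
        if self.neighbor_sync_interval_min > self.neighbor_sync_interval_max {
            return Err("neighbor_sync_interval_min exceeds neighbor_sync_interval_max".to_string());
        }
        Ok(())
    }

    /// min(quorum_threshold, floor(targets / 2) + 1): a strict majority of the
    /// reachable targets, but never more than the configured threshold, so a
    /// partially reachable group can still reach a decision.
    pub fn quorum_needed(&self, quorum_targets_count: usize) -> usize {
        self.quorum_threshold.min(quorum_targets_count / 2 + 1)
    }

    /// floor(paid_group_size / 2) + 1: strict majority of the paid-list group.
    pub fn confirm_needed(paid_group_size: usize) -> usize {
        paid_group_size / 2 + 1
    }

    /// max(floor(sqrt(total_keys)), 1), capped at total_keys.
    pub fn audit_sample_count(total_keys: usize) -> usize {
        isqrt(total_keys).max(1).min(total_keys)
    }

    /// 2 * audit_sample_count(stored_chunks): the challenger may hold more keys
    /// than we do and therefore sample more.
    pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize {
        2 * Self::audit_sample_count(stored_chunks)
    }
}

/// Exact integer square root (floor); the f64 estimate is corrected so large
/// counts do not suffer from floating-point rounding.
fn isqrt(n: usize) -> usize {
    if n < 2 {
        return n;
    }
    let mut x = (n as f64).sqrt() as usize;
    while x.checked_mul(x).map_or(true, |sq| sq > n) {
        x -= 1;
    }
    while (x + 1).checked_mul(x + 1).map_or(false, |sq| sq <= n) {
        x += 1;
    }
    x
}

fn main() {
    let cfg = ReplicationSizing {
        close_group_size: 8,
        quorum_threshold: 5,
        paid_list_close_group_size: 8,
        neighbor_sync_interval_min: Duration::from_secs(30),
        neighbor_sync_interval_max: Duration::from_secs(90),
    };
    cfg.validate().expect("config is valid");
    println!("quorum with 3 reachable targets:  {}", cfg.quorum_needed(3));
    println!("quorum with 20 reachable targets: {}", cfg.quorum_needed(20));
    println!("confirmations for a paid group of 8: {}", ReplicationSizing::confirm_needed(8));
    println!("audit sample for 1000 keys: {}", ReplicationSizing::audit_sample_count(1000));
    println!("max incoming audit keys at 1000 chunks: {}", ReplicationSizing::max_incoming_audit_keys(1000));
}
```

The quorum_needed cap matters operationally: with a threshold of 5 and only 3 reachable targets, a majority of 2 suffices, whereas a fixed threshold of 5 would stall every decision for that key.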

pub fn audit_response_timeout(&self, challenged_key_count: usize) -> Duration

Compute the audit response timeout for a challenge with challenged_key_count keys, sized to be tight enough that a relay attacker that must fetch the chunk bytes from elsewhere falls outside the budget.

Formula: floor + (challenged_bytes / honest_read_bps) × multiplier

Where challenged_bytes = k × MAX_CHUNK_SIZE. An honest peer reads k × 4 MiB from local disk at honest_read_bps (set conservatively at 50 MB/s — well below modern SSDs); the multiplier of 5 absorbs jitter, BLAKE3, ML-DSA, and slow disks.

A relay attacker on a residential link (~5-12 MB/s) who must fetch the same k × 4 MiB over the network sees ~10-100× higher latency than disk for the data alone, plus per-chunk round-trips, and misses the budget. In the periodic responsible-chunk AuditChallenge, prune-confirmation, and ADR-0003 possession-check paths that timeout is an immediate audit failure. The heavier subtree audit still graces timeouts separately.

This is an economic deterrent for the §7 relay limit calibrated for residential bandwidth, NOT a hard bound: a relay on a datacenter cross-connect (≥1 Gbps) can fetch k × 4 MiB fast enough to answer in time. It raises the relay’s cost (bandwidth per audit) without claiming to make relaying impossible. The cryptographic guarantee remains commitment-binding (the relay must still hold or fetch the exact committed bytes); the timeout only attacks the economics.

pub fn byte_audit_response_timeout(&self, challenged_key_count: usize) -> Duration

Deadline for the round-2 BYTE challenge serving challenged_key_count full chunks back to the auditor.

Same per-byte scaling as Self::audit_response_timeout (so a relay that must fetch the bytes over a residential link still blows it), but on a higher floor (BYTE_AUDIT_RESPONSE_FLOOR_SECS) because the reply carries up to MAX_BYTE_CHALLENGE_KEYS × MAX_CHUNK_SIZE of chunk data — handshake + multi-MiB upload + a busy honest disk read do not fit the hashes-only round-1 floor (the §4 finding).
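The deadline formula for audit_response_timeout and byte_audit_response_timeout, worked as an added example that is not the crate's own code. The page supplies MAX_CHUNK_SIZE (4 MiB), the 50 MB/s honest read rate and the multiplier of 5; the numeric values of the two floors, the reading of "MB" as 10^6 bytes, and the AuditTiming struct and its round1_timed_out helper are assumptions.

```rust
use std::time::Duration;

// Added example, not the crate's own code. Constructed values: the two floors
// stand in for AUDIT_RESPONSE_FLOOR_SECS and BYTE_AUDIT_RESPONSE_FLOOR_SECS,
// whose real values the page does not give.
pub const MAX_CHUNK_SIZE: u64 = 4 * 1024 * 1024; // 4 MiB, as documented
pub const ASSUMED_AUDIT_RESPONSE_FLOOR_SECS: u64 = 5; // placeholder
pub const ASSUMED_BYTE_AUDIT_RESPONSE_FLOOR_SECS: u64 = 30; // placeholder

pub struct AuditTiming {
    pub audit_response_floor: Duration,
    pub byte_audit_response_floor: Duration,
    /// Conservative honest read rate in bytes/sec (50 MB/s, read as 10^6 bytes).
    pub audit_honest_read_bps: u64,
    pub audit_response_honest_multiplier: u64,
}

impl AuditTiming {
    /// The documented rate and multiplier plus the assumed floors.
    pub fn documented_defaults() -> Self {
        AuditTiming {
            audit_response_floor: Duration::from_secs(ASSUMED_AUDIT_RESPONSE_FLOOR_SECS),
            byte_audit_response_floor: Duration::from_secs(ASSUMED_BYTE_AUDIT_RESPONSE_FLOOR_SECS),
            audit_honest_read_bps: 50_000_000,
            audit_response_honest_multiplier: 5,
        }
    }

    /// (challenged_bytes / honest_read_bps) × multiplier, in exact integer
    /// nanoseconds so the budget does not drift with floating-point rounding.
    fn scaled_read_budget(&self, challenged_bytes: u64) -> Duration {
        let nanos = (challenged_bytes as u128)
            * (self.audit_response_honest_multiplier as u128)
            * 1_000_000_000u128
            / (self.audit_honest_read_bps as u128);
        Duration::from_nanos(nanos as u64)
    }

    /// floor + (k × MAX_CHUNK_SIZE / honest_read_bps) × multiplier
    pub fn audit_response_timeout(&self, challenged_key_count: usize) -> Duration {
        let challenged_bytes = challenged_key_count as u64 * MAX_CHUNK_SIZE;
        self.audit_response_floor + self.scaled_read_budget(challenged_bytes)
    }

    /// Round-2 byte challenge: identical per-byte scaling on the higher floor,
    /// because the reply carries the chunk bytes rather than hashes.
    pub fn byte_audit_response_timeout(&self, challenged_key_count: usize) -> Duration {
        let challenged_bytes = challenged_key_count as u64 * MAX_CHUNK_SIZE;
        self.byte_audit_response_floor + self.scaled_read_budget(challenged_bytes)
    }

    /// Auditor-side decision for the round-1 paths (responsible-chunk audit,
    /// prune confirmation, possession check): a reply after the budget fails.
    pub fn round1_timed_out(&self, challenged_key_count: usize, elapsed: Duration) -> bool {
        elapsed > self.audit_response_timeout(challenged_key_count)
    }
}

fn main() {
    let timing = AuditTiming::documented_defaults();
    for k in [1usize, 10, 32] {
        println!(
            "k={k:>2}: round-1 budget {:?}, byte-challenge budget {:?}",
            timing.audit_response_timeout(k),
            timing.byte_audit_response_timeout(k)
        );
    }
    // A reply to a 10-key challenge arriving after 12 s exceeds the budget.
    println!("10 keys, 12 s elapsed -> timed out: {}", timing.round1_timed_out(10, Duration::from_secs(12)));
}
```

For k = 10 the scaled term is 10 × 4 MiB at 50 MB/s, i.e. 0.839 s, times 5, so 4.19 s on top of whichever floor applies; the byte-challenge variant differs only in the floor, which is why the page treats the round-1 floor as too small for a multi-MiB upload.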

pub fn audit_spotcheck_count(&self) -> u32

Number of subtree leaves to spot-check against real chunk bytes per audit (ADR-0002 real-bytes layer). Faking a fraction x of nonced leaves survives only (1 - x)^k.
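The (1 - x)^k survival bound quoted above, worked in both directions as an added example that is not the crate's own code: the survival probability for a given spot-check count, and the smallest count that drives a faker's survival below a chosen target. Both function names and the sample parameters are constructed for illustration.

```rust
// Added example, not the crate's own code: sizing the ADR-0002 real-bytes
// spot-check layer from the documented (1 - x)^k bound.

/// Probability that a responder who faked a fraction `faked_fraction` of the
/// nonced leaves is not caught by `spotcheck_count` independent spot-checks,
/// each landing on a faked leaf with probability x.
pub fn fake_survival_probability(faked_fraction: f64, spotcheck_count: u32) -> f64 {
    assert!((0.0..=1.0).contains(&faked_fraction), "fraction must be in [0, 1]");
    (1.0 - faked_fraction).powi(spotcheck_count as i32)
}

/// Smallest spot-check count k such that a faker of `faked_fraction` survives
/// with probability at most `max_survival`. Returns None for a fraction of 0:
/// nothing is faked, so no number of spot-checks changes the outcome.
pub fn spotchecks_for_target(faked_fraction: f64, max_survival: f64) -> Option<u32> {
    assert!((0.0..=1.0).contains(&faked_fraction), "fraction must be in [0, 1]");
    assert!(max_survival > 0.0 && max_survival < 1.0, "target must be in (0, 1)");
    if faked_fraction <= 0.0 {
        return None;
    }
    // Multiply out step by step instead of solving with logarithms, so the
    // answer is consistent with fake_survival_probability at the boundary.
    let keep = 1.0 - faked_fraction;
    let mut survival = 1.0_f64;
    let mut k = 0u32;
    while survival > max_survival {
        survival *= keep;
        k += 1;
    }
    Some(k)
}

fn main() {
    // Constructed scenario: how many spot-checks per audit push a peer that
    // fakes 10% of its leaves below a 1-in-1000 chance of surviving one audit?
    let needed = spotchecks_for_target(0.10, 1e-3).unwrap();
    println!("10% faked, target 1e-3: k = {needed}");
    for k in [5u32, 10, 20, needed] {
        println!(
            "k={k:>2}: survival {:.3e}, detection {:.4}",
            fake_survival_probability(0.10, k),
            1.0 - fake_survival_probability(0.10, k)
        );
    }
}
```

The count grows only logarithmically in the target survival probability, and a peer who fakes a larger fraction is caught with fewer checks; the layer is weakest against a peer who fakes very little, which is exactly where the economic loss from faking is also smallest.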

pub fn subtree_audit_timeout_leaf_hint(&self) -> usize

Conservative leaf-count hint for sizing the subtree-audit response deadline before the proof arrives.

The selected subtree holds about sqrt(key_count) real leaves; sizing for a large store keeps an honest peer with a big store from timing out.

pub fn random_audit_tick_interval(&self) -> Duration

Returns a random duration in [audit_tick_interval_min, audit_tick_interval_max].

pub fn random_self_lookup_interval(&self) -> Duration

Returns a random duration in [self_lookup_interval_min, self_lookup_interval_max].

Trait Implementations

impl Clone for ReplicationConfig

fn clone(&self) -> ReplicationConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ReplicationConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ReplicationConfig

fn default() -> Self

Returns the “default value” for a type.
