pub struct ReplicationConfig {
pub close_group_size: usize,
pub quorum_threshold: usize,
pub paid_list_close_group_size: usize,
pub neighbor_sync_scope: usize,
pub neighbor_sync_peer_count: usize,
pub neighbor_sync_interval_min: Duration,
pub neighbor_sync_interval_max: Duration,
pub neighbor_sync_cooldown: Duration,
pub self_lookup_interval_min: Duration,
pub self_lookup_interval_max: Duration,
pub audit_tick_interval_min: Duration,
pub audit_tick_interval_max: Duration,
pub audit_response_floor: Duration,
pub audit_honest_read_bps: u64,
pub audit_response_honest_multiplier: u64,
pub prune_audit_response_timeout: Duration,
pub bootstrap_claim_grace_period: Duration,
pub prune_hysteresis_duration: Duration,
pub verification_request_timeout: Duration,
pub fetch_request_timeout: Duration,
pub bootstrap_complete_timeout_secs: u64,
pub possession_check_delay_min: Duration,
pub possession_check_delay_max: Duration,
}
Runtime-configurable replication parameters.
Validated on construction — node rejects invalid configs.
Fields

close_group_size: usize
    Close-group width and target holder count per key.

quorum_threshold: usize
    Required positive presence votes for quorum.

paid_list_close_group_size: usize
    Maximum closest nodes tracking paid status for a key.

neighbor_sync_scope: usize
    Number of closest peers to self eligible for neighbor sync.

neighbor_sync_peer_count: usize
    Peers synced concurrently per round-robin repair round.

neighbor_sync_interval_min: Duration
    Neighbor sync cadence range (min).

neighbor_sync_interval_max: Duration
    Neighbor sync cadence range (max).

neighbor_sync_cooldown: Duration
    Minimum spacing between successive syncs with the same peer.

self_lookup_interval_min: Duration
    Self-lookup cadence range (min).

self_lookup_interval_max: Duration
    Self-lookup cadence range (max).

audit_tick_interval_min: Duration
    Audit scheduler cadence range (min).

audit_tick_interval_max: Duration
    Audit scheduler cadence range (max).

audit_response_floor: Duration
    Floor on the audit response deadline. Covers global RTT for the small request/response envelope plus scheduling jitter. See AUDIT_RESPONSE_FLOOR_SECS for sizing.

audit_honest_read_bps: u64
    Conservative honest-responder read throughput (bytes/sec). Used to scale the audit response deadline against the size of the challenge. Slow enough that even an HDD-backed honest peer fits inside the budget; fast enough that a relay attacker who must fetch bytes over the network falls outside.

audit_response_honest_multiplier: u64
    Slack multiplier on the honest-read estimate before declaring an audit timed out.

prune_audit_response_timeout: Duration
    Single-key prune-audit response deadline. Has its own constant because the relay-defence rationale that motivates the tight commitment-bound budget does not apply to a single-key prune challenge.

bootstrap_claim_grace_period: Duration
    Maximum duration a peer may claim bootstrap status.

prune_hysteresis_duration: Duration
    Minimum continuous out-of-range duration before pruning a key.

verification_request_timeout: Duration
    Verification request timeout (per-batch).

fetch_request_timeout: Duration
    Fetch request timeout.

bootstrap_complete_timeout_secs: u64
    Seconds to wait for DhtNetworkEvent::BootstrapComplete before proceeding with bootstrap sync (covers bootstrap nodes with no peers).

possession_check_delay_min: Duration
    Lower bound of the delay before a fresh-replication possession check runs (ADR-0003). Defaults to POSSESSION_CHECK_DELAY_MIN; tests shorten it so the scheduled check fires quickly.

possession_check_delay_max: Duration
    Upper bound of the possession-check delay window (ADR-0003). Defaults to POSSESSION_CHECK_DELAY_MAX.
Implementations

impl ReplicationConfig

pub fn validate(&self) -> Result<(), String>
Validate safety constraints. Returns Err with a description if any
constraint is violated.
Errors
Returns a human-readable message describing the first violated constraint.
pub fn quorum_needed(&self, quorum_targets_count: usize) -> usize
Effective quorum votes required for a key given the number of reachable quorum targets.
min(self.quorum_threshold, floor(quorum_targets_count / 2) + 1)
pub fn confirm_needed(paid_group_size: usize) -> usize
Confirmations required for paid-list consensus given the number of peers in the paid-list close group for a key.
floor(paid_group_size / 2) + 1
pub fn random_neighbor_sync_interval(&self) -> Duration
Returns a random duration in [neighbor_sync_interval_min, neighbor_sync_interval_max].
pub fn audit_sample_count(total_keys: usize) -> usize
Compute the number of keys to sample for an audit round, scaled dynamically by the total number of locally stored keys.
Formula: max(floor(sqrt(total_keys)), 1), capped at total_keys.
pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize
Maximum number of keys to accept in an incoming audit challenge.
Scales dynamically: 2 * audit_sample_count(stored_chunks). The 2x
margin accounts for the challenger having a larger store than us and
therefore sampling more keys.
pub fn audit_response_timeout(&self, challenged_key_count: usize) -> Duration
Compute the audit response timeout for a challenge with
challenged_key_count keys, sized to be tight enough that a
relay attacker that must fetch the chunk bytes from elsewhere
falls outside the budget.
Formula:
floor + (challenged_bytes / honest_read_bps) × multiplier
Where challenged_bytes = k × MAX_CHUNK_SIZE. An honest peer
reads k × 4 MiB from local disk at honest_read_bps (set
conservatively at 50 MB/s — well below modern SSDs); the
multiplier of 5 absorbs jitter, BLAKE3, ML-DSA, and slow disks.
A relay attacker on a residential link (~5-12 MB/s) who must
fetch the same k × 4 MiB over the network sees ~10-100× higher
latency than disk for the data alone, plus per-chunk round-trips,
and misses the budget. In the periodic responsible-chunk
AuditChallenge, prune-confirmation, and ADR-0003 possession-check paths
that timeout is an immediate audit failure. The heavier subtree audit
still graces timeouts separately.
This is an economic deterrent for the §7 relay limit calibrated
for residential bandwidth, NOT a hard bound: a relay on a
datacenter cross-connect (≥1 Gbps) can fetch k × 4 MiB fast
enough to answer in time. It raises the relay’s cost (bandwidth
per audit) without claiming to make relaying impossible. The
cryptographic guarantee remains commitment-binding (the relay
must still hold or fetch the exact committed bytes); the timeout
only attacks the economics.
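The sampling formulas (audit_sample_count, max_incoming_audit_keys) and the audit_response_timeout budget above, worked through as an added example; this is not the crate's own code. It assumes an AUDIT_RESPONSE_FLOOR of 2 s (the page gives no value) and uses the 4 MiB chunk size, 50 MB/s honest read rate and 5x multiplier quoted in the docs, then compares the budget against the data-transfer time of an HDD-backed honest holder, a residential relay and a datacenter relay.

```rust
use std::time::Duration;

// Values quoted in the docs above; the constant names are assumed to mirror
// the crate's, and AUDIT_RESPONSE_FLOOR (not given on the page) is a placeholder.
const MAX_CHUNK_SIZE: u64 = 4 * 1024 * 1024; // 4 MiB
const AUDIT_RESPONSE_FLOOR: Duration = Duration::from_secs(2); // assumed
const AUDIT_HONEST_READ_BPS: u64 = 50_000_000; // 50 MB/s
const AUDIT_RESPONSE_HONEST_MULTIPLIER: u32 = 5;

/// max(floor(sqrt(total_keys)), 1), capped at total_keys.
pub fn audit_sample_count(total_keys: usize) -> usize {
    let root = (total_keys as f64).sqrt().floor() as usize;
    root.max(1).min(total_keys)
}

/// 2 * audit_sample_count: margin for a challenger with a larger store.
pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize {
    2 * audit_sample_count(stored_chunks)
}

/// floor + (k * MAX_CHUNK_SIZE / honest_read_bps) * multiplier
pub fn audit_response_timeout(challenged_key_count: usize) -> Duration {
    let challenged_bytes = challenged_key_count as u64 * MAX_CHUNK_SIZE;
    let honest_read =
        Duration::from_secs_f64(challenged_bytes as f64 / AUDIT_HONEST_READ_BPS as f64);
    AUDIT_RESPONSE_FLOOR + honest_read * AUDIT_RESPONSE_HONEST_MULTIPLIER
}

/// Time to move k full chunks at `bytes_per_sec` (local disk read for an honest
/// holder, network fetch for a relay). Round-trips and hashing are ignored, so
/// this is optimistic for the relay.
pub fn data_time(challenged_key_count: usize, bytes_per_sec: u64) -> Duration {
    let bytes = challenged_key_count as u64 * MAX_CHUNK_SIZE;
    Duration::from_secs_f64(bytes as f64 / bytes_per_sec as f64)
}

pub fn within_budget(challenged_key_count: usize, bytes_per_sec: u64) -> bool {
    data_time(challenged_key_count, bytes_per_sec) <= audit_response_timeout(challenged_key_count)
}

fn main() {
    let stored = 100;
    let k = audit_sample_count(stored); // 10 keys sampled for a 100-key store
    println!("sample {k} keys, accept at most {} incoming", max_incoming_audit_keys(stored));
    println!("budget for {k} keys: {:?}", audit_response_timeout(k));
    // Constructed responder profiles: HDD honest holder, residential relay, datacenter relay.
    for (who, bps) in [("HDD honest", 20_000_000u64), ("residential relay", 5_000_000), ("datacenter relay", 125_000_000)] {
        println!("{who:>18} @ {bps} B/s -> {:?}, in budget: {}", data_time(k, bps), within_budget(k, bps));
    }
}
```

With these inputs the residential relay misses the 10-key budget while the datacenter relay fits comfortably, which is exactly the "economic deterrent, not a hard bound" behaviour the docs describe.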
pub fn byte_audit_response_timeout(&self, challenged_key_count: usize) -> Duration
Deadline for the round-2 BYTE challenge serving challenged_key_count
full chunks back to the auditor.
Same per-byte scaling as Self::audit_response_timeout (so a relay
that must fetch the bytes over a residential link still blows it), but on
a higher floor (BYTE_AUDIT_RESPONSE_FLOOR_SECS) because the reply
carries up to
MAX_BYTE_CHALLENGE_KEYS × MAX_CHUNK_SIZE of chunk data — handshake +
multi-MiB upload + a busy honest disk read do not fit the hashes-only
round-1 floor (the §4 finding).
pub fn audit_spotcheck_count(&self) -> u32
Number of subtree leaves to spot-check against real chunk bytes per
audit (ADR-0002 real-bytes layer). Faking a fraction x of nonced
leaves survives only (1 - x)^k.
pub fn subtree_audit_timeout_leaf_hint(&self) -> usize
Conservative leaf-count hint for sizing the subtree-audit response deadline before the proof arrives.
The selected subtree holds about sqrt(key_count) real leaves; sizing
for a large store keeps an honest peer with a big store from timing out.
pub fn random_audit_tick_interval(&self) -> Duration
Returns a random duration in [audit_tick_interval_min, audit_tick_interval_max].
pub fn random_self_lookup_interval(&self) -> Duration
Returns a random duration in [self_lookup_interval_min, self_lookup_interval_max].
Trait Implementations

impl Clone for ReplicationConfig
    fn clone(&self) -> ReplicationConfig
    fn clone_from(&mut self, source: &Self)

impl Debug for ReplicationConfig

Auto Trait Implementations
impl Freeze for ReplicationConfig
impl RefUnwindSafe for ReplicationConfig
impl Send for ReplicationConfig
impl Sync for ReplicationConfig
impl Unpin for ReplicationConfig
impl UnsafeUnpin for ReplicationConfig
impl UnwindSafe for ReplicationConfig