pub async fn run_subtree_audit(
    p2p_node: &Arc<P2PNode>,
    config: &ReplicationConfig,
    challenged_peer: &PeerId,
    expected_commitment_hash: [u8; 32],
    key_count: u32,
    credit: Option<&AuditCredit<'_>>,
) -> AuditTickResult
Run one gossip-triggered subtree audit against challenged_peer, pinned to
the commitment hash the peer just gossiped (expected_commitment_hash).
ADR-0002 two-round audit. The auditor sends a fresh random nonce and runs:
- Structure (round 1) — the returned subtree rebuilds to the pinned root, within a size-scaled deadline.
- Real bytes (round 2) — the auditor demands the ORIGINAL chunk content for a 3..=5 FRESHLY-RANDOM sample of the proven leaves (chosen after the proof arrives, not nonce-derived — see random_spotcheck_leaves) FROM the responder, and recomputes both the content-address hash and the nonce freshness hash from that served content. The auditor holds none of the peer’s chunks.
- Timing — each round’s deadline is sized to an honest local-disk read, so a relay forced to fetch over the network blows it.
A timeout (either round) is reported as AuditFailureReason::Timeout (the
caller applies the strike/grace policy). Any structural failure, served
content that fails a hash, an explicit Absent for a committed sampled key,
or a rejection of a recently gossiped commitment, is a confirmed failure
acted on immediately. On a full pass, records the peer as a proven holder.
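
The round-2 classification described above, as an added sketch that is not this crate's code. `Outcome`, `ProvenLeaf`, `Served`, `honest_leaf` and `check_round2` are hypothetical names, the per-leaf nonce hash carried by the round-1 proof is an assumption, and `DefaultHasher` is a stand-in for the real cryptographic hash, which the page does not name.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Stand-in digest (assumption): NOT cryptographic, used only to keep the sketch std-only.
fn h(parts: &[&[u8]]) -> u64 {
    let mut s = DefaultHasher::new();
    for p in parts { p.hash(&mut s); } // slices hash with a length prefix, so parts stay distinct
    s.finish()
}

#[derive(Debug, PartialEq)]
enum Outcome { Pass, Timeout, Confirmed(&'static str) }

// A sampled leaf as proven in round 1 (hypothetical layout).
struct ProvenLeaf { key: u64, nonce_hash: u64 }

// The responder's round-2 answer for one sampled leaf.
enum Served { Content(Vec<u8>), Absent }

// What a genuine holder of `content` would have proven under this audit's nonce.
fn honest_leaf(nonce: &[u8], content: &[u8]) -> ProvenLeaf {
    ProvenLeaf { key: h(&[content]), nonce_hash: h(&[nonce, content]) }
}

// `reply` is None when nothing arrived inside the round's deadline.
fn check_round2(nonce: &[u8], sample: &[ProvenLeaf], reply: Option<&[Served]>) -> Outcome {
    let served = match reply { Some(s) => s, None => return Outcome::Timeout };
    if served.len() != sample.len() { return Outcome::Confirmed("wrong number of items"); }
    for (leaf, item) in sample.iter().zip(served) {
        match item {
            Served::Absent => return Outcome::Confirmed("absent for committed key"),
            Served::Content(bytes) => {
                // The auditor holds no chunks: both hashes come from the served bytes alone.
                if h(&[bytes.as_slice()]) != leaf.key { return Outcome::Confirmed("content-address mismatch"); }
                if h(&[nonce, bytes.as_slice()]) != leaf.nonce_hash { return Outcome::Confirmed("nonce hash mismatch"); }
            }
        }
    }
    Outcome::Pass
}

fn main() {
    let nonce = b"constructed-nonce-1"; // constructed sample data
    let sample = [honest_leaf(nonce, b"chunk A"), honest_leaf(nonce, b"chunk B")];
    let good = [Served::Content(b"chunk A".to_vec()), Served::Content(b"chunk B".to_vec())];
    println!("{:?}", check_round2(nonce, &sample, Some(&good[..])));
    println!("{:?}", check_round2(nonce, &sample, None));
}
```

Only `Timeout` is left to the caller's strike/grace policy; every `Confirmed` variant corresponds to a failure the description says is acted on immediately.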