Responder-side commitment builder + rotation state.
Phase 2b of the v12 storage-bound audit design. Builds, signs, and
caches a StorageCommitment over the responder’s currently-stored
key set; serves audit lookups by expected_commitment_hash; retains
the previous commitment across one rotation so an audit pinned to it
does not false-fail at the rotation boundary (v5/v12 §4 retention).
Rotation strategy:
- rotate(new_built) atomically replaces current with new_built and demotes the prior current to previous. The prior previous is dropped.
- lookup(hash) reads the in-memory map and returns an Arc to the matching BuiltCommitment, keeping it alive for the audit response regardless of subsequent rotation (mirrors the ArcSwap semantics specified in v6 §2: an in-flight reader holding its Arc is unaffected by a concurrent rotate).
No persistent disk state. Trees are rebuilt from LmdbStorage at
the next rotation tick. Memory cost is bounded by
2 × (key_count × ~64 bytes + signature_size) — for 10k keys, ~1.3 MB.
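The rotation and lookup behaviour above, as an added example that is not this crate's code: a std-only model that keeps two slots behind an RwLock in place of the crate's in-memory map and ArcSwap-style swap. The names Built and Retention and the constant hash values are hypothetical stand-ins.

```rust
use std::sync::{Arc, RwLock};

/// Stand-in for a built commitment (hypothetical fields).
pub struct Built {
    pub hash: [u8; 32], // constructed sample value, not a real digest
    pub blob: Vec<u8>,  // placeholder for the signed wire blob
}

#[derive(Default)]
struct Slots {
    current: Option<Arc<Built>>,
    previous: Option<Arc<Built>>,
}

/// Hypothetical model of the two-slot retention state.
#[derive(Default)]
pub struct Retention {
    slots: RwLock<Slots>,
}

impl Retention {
    /// Install `new_built`; the prior current becomes previous and the
    /// prior previous is dropped from the state.
    pub fn rotate(&self, new_built: Built) {
        let mut s = self.slots.write().unwrap();
        s.previous = s.current.take();
        s.current = Some(Arc::new(new_built));
    }

    /// Return a shared handle to the retained commitment with this hash.
    /// The clone keeps the commitment alive after later rotations.
    pub fn lookup(&self, hash: &[u8; 32]) -> Option<Arc<Built>> {
        let s = self.slots.read().unwrap();
        s.current.iter().chain(s.previous.iter()).find(|b| &b.hash == hash).cloned()
    }
}

fn main() {
    let state = Retention::default();
    state.rotate(Built { hash: [1; 32], blob: b"epoch-1".to_vec() });
    let pinned = state.lookup(&[1; 32]).expect("current is served");
    state.rotate(Built { hash: [2; 32], blob: b"epoch-2".to_vec() });
    assert!(state.lookup(&[1; 32]).is_some()); // still retained as previous
    state.rotate(Built { hash: [3; 32], blob: b"epoch-3".to_vec() });
    assert!(state.lookup(&[1; 32]).is_none()); // no longer served to new audits
    assert_eq!(pinned.blob, b"epoch-1".to_vec()); // in-flight handle still valid
}
```

An audit pinned to a commitment survives exactly one rotation for new lookups, while a handle obtained before the rotation stays usable until its holder drops it.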
Structs
- BuiltCommitment - A fully-built commitment: signed wire blob, cached hash, Merkle tree for inclusion proofs, and a sorted leaf-index lookup for the auditor’s leaf_index field.
- PeerCommitmentRecord - Auditor-side per-peer commitment state.
- ResponderCommitmentState - Responder retention state (ADR-0002).