Struct ReplicationConfig 

pub struct ReplicationConfig {
    pub close_group_size: usize,
    pub quorum_threshold: usize,
    pub paid_list_close_group_size: usize,
    pub neighbor_sync_scope: usize,
    pub neighbor_sync_peer_count: usize,
    pub neighbor_sync_interval_min: Duration,
    pub neighbor_sync_interval_max: Duration,
    pub neighbor_sync_cooldown: Duration,
    pub self_lookup_interval_min: Duration,
    pub self_lookup_interval_max: Duration,
    pub audit_tick_interval_min: Duration,
    pub audit_tick_interval_max: Duration,
    pub audit_response_floor: Duration,
    pub audit_honest_read_bps: u64,
    pub audit_response_honest_multiplier: u64,
    pub prune_audit_response_timeout: Duration,
    pub bootstrap_claim_grace_period: Duration,
    pub prune_hysteresis_duration: Duration,
    pub verification_request_timeout: Duration,
    pub fetch_request_timeout: Duration,
    pub bootstrap_complete_timeout_secs: u64,
}

Runtime-configurable replication parameters.

Validated on construction — node rejects invalid configs.

Fields§

§close_group_size: usize

Close-group width and target holder count per key.

§quorum_threshold: usize

Required positive presence votes for quorum.

§paid_list_close_group_size: usize

Maximum closest nodes tracking paid status for a key.

§neighbor_sync_scope: usize

Number of closest peers to self eligible for neighbor sync.

§neighbor_sync_peer_count: usize

Peers synced concurrently per round-robin repair round.

§neighbor_sync_interval_min: Duration

Neighbor sync cadence range (min).

§neighbor_sync_interval_max: Duration

Neighbor sync cadence range (max).

§neighbor_sync_cooldown: Duration

Minimum spacing between successive syncs with the same peer.

§self_lookup_interval_min: Duration

Self-lookup cadence range (min).

§self_lookup_interval_max: Duration

Self-lookup cadence range (max).

§audit_tick_interval_min: Duration

Audit scheduler cadence range (min).

§audit_tick_interval_max: Duration

Audit scheduler cadence range (max).

§audit_response_floor: Duration

Floor on the audit response deadline. Covers global RTT for the small request/response envelope plus scheduling jitter. See AUDIT_RESPONSE_FLOOR_SECS for sizing.

§audit_honest_read_bps: u64

Conservative honest-responder read throughput (bytes/sec). Used to scale the audit response deadline against the size of the challenge. Slow enough that even an HDD-backed honest peer fits inside the budget; fast enough that a relay attacker who must fetch bytes over the network falls outside.

§audit_response_honest_multiplier: u64

Slack multiplier on the honest-read estimate before declaring an audit timed out.

§prune_audit_response_timeout: Duration

Single-key prune-audit response deadline. Has its own constant because the relay-defence rationale that motivates the tight commitment-bound budget does not apply to a single-key prune challenge.

§bootstrap_claim_grace_period: Duration

Maximum duration a peer may claim bootstrap status.

§prune_hysteresis_duration: Duration

Minimum continuous out-of-range duration before pruning a key.

§verification_request_timeout: Duration

Verification request timeout (per-batch).

§fetch_request_timeout: Duration

Fetch request timeout.

§bootstrap_complete_timeout_secs: u64

Seconds to wait for DhtNetworkEvent::BootstrapComplete before proceeding with bootstrap sync (covers bootstrap nodes with no peers).

Implementations§

impl ReplicationConfig

pub fn validate(&self) -> Result<(), String>

Validate safety constraints. Returns Err with a description if any constraint is violated.

§Errors

Returns a human-readable message describing the first violated constraint.

pub fn quorum_needed(&self, quorum_targets_count: usize) -> usize

Effective quorum votes required for a key given the number of reachable quorum targets.

min(self.quorum_threshold, floor(quorum_targets_count / 2) + 1)

pub fn confirm_needed(paid_group_size: usize) -> usize

Confirmations required for paid-list consensus given the number of peers in the paid-list close group for a key.

floor(paid_group_size / 2) + 1

pub fn random_neighbor_sync_interval(&self) -> Duration

Returns a random duration in [neighbor_sync_interval_min, neighbor_sync_interval_max].

pub fn audit_sample_count(total_keys: usize) -> usize

Compute the number of keys to sample for an audit round, scaled dynamically by the total number of locally stored keys.

Formula: max(floor(sqrt(total_keys)), 1), capped at total_keys.

pub fn max_incoming_audit_keys(stored_chunks: usize) -> usize

Maximum number of keys to accept in an incoming audit challenge.

Scales dynamically: 2 * audit_sample_count(stored_chunks). The 2x margin accounts for the challenger having a larger store than us and therefore sampling more keys.
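The two sizing formulas above and the check they imply on the responder side, as an added example rather than the crate's own code. The function names, the `check_incoming_challenge` guard and the store sizes are assumptions made for illustration.

```rust
/// Documented formula: max(floor(sqrt(total_keys)), 1), capped at total_keys.
fn sample_count(total_keys: usize) -> usize {
    let n = total_keys as u128;
    // Float sqrt as a first guess, then correct it to the exact integer floor.
    let mut r = (total_keys as f64).sqrt() as u128;
    while r * r > n {
        r -= 1;
    }
    while (r + 1) * (r + 1) <= n {
        r += 1;
    }
    (r as usize).max(1).min(total_keys)
}

/// Documented formula: 2 * audit_sample_count(stored_chunks).
fn incoming_key_limit(stored_chunks: usize) -> usize {
    2 * sample_count(stored_chunks)
}

/// Hypothetical responder-side guard: refuse a challenge that names more keys
/// than the limit, before doing any disk reads or hashing for it.
fn check_incoming_challenge(stored_chunks: usize, challenged_keys: usize) -> Result<(), String> {
    let limit = incoming_key_limit(stored_chunks);
    if challenged_keys > limit {
        return Err(format!("challenge names {challenged_keys} keys, limit is {limit}"));
    }
    Ok(())
}

fn main() {
    let ours = 10_000; // constructed: chunks stored locally
    for challenger_store in [2_500usize, 40_000, 1_000_000] {
        let k = sample_count(challenger_store); // keys that challenger would sample
        println!("challenger store {challenger_store}: k={k} -> {:?}",
                 check_incoming_challenge(ours, k));
    }
}
```

Because the sample size grows with the square root of the store, the 2x margin tolerates a challenger holding up to four times as many keys; an empty store yields a limit of zero.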

pub fn audit_response_timeout(&self, challenged_key_count: usize) -> Duration

Compute the audit response timeout for a challenge with challenged_key_count keys, sized to be tight enough that a relay attacker that must fetch the chunk bytes from elsewhere falls outside the budget.

Formula: floor + (challenged_bytes / honest_read_bps) × multiplier

Where challenged_bytes = k × MAX_CHUNK_SIZE. An honest peer reads k × 4 MiB from local disk at honest_read_bps (set conservatively at 50 MB/s — well below modern SSDs); the multiplier of 5 absorbs jitter, BLAKE3, ML-DSA, and slow disks.

A relay attacker on a residential link (~5-12 MB/s) who must fetch the same k × 4 MiB over the network sees ~10-100× higher latency than disk for the data alone, plus per-chunk round-trips, and misses the budget, recording a timeout strike (per handle_audit_timeout/handle_audit_failure). After AUDIT_TIMEOUT_STRIKE_THRESHOLD consecutive timeouts this would fire an application_failure trust event, but note that this report is currently suppressed for the breaking rollout (grep TIMEOUT-EVICTION-DISABLED); the strike accounting still runs.

This is an economic deterrent for the §7 relay limit calibrated for residential bandwidth, NOT a hard bound: a relay on a datacenter cross-connect (≥1 Gbps) can fetch k × 4 MiB fast enough to answer in time. It raises the relay’s cost (bandwidth per audit) without claiming to make relaying impossible. The cryptographic guarantee remains commitment-binding (the relay must still hold or fetch the exact committed bytes); the timeout only attacks the economics.
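The deadline formula above worked through with the values this page states (4 MiB chunks, 50 MB/s honest read rate, multiplier 5), as an added example rather than the crate's own code. The 2-second floor and all function names are assumptions; the page does not give the value behind AUDIT_RESPONSE_FLOOR_SECS.

```rust
use std::time::Duration;

// Values stated on this page.
const MAX_CHUNK_SIZE: u64 = 4 * 1024 * 1024; // "k × 4 MiB"
const HONEST_READ_BPS: u64 = 50_000_000; // 50 MB/s
const HONEST_MULTIPLIER: u64 = 5;

/// floor + (challenged_bytes / honest_read_bps) × multiplier, in whole milliseconds.
/// `floor` is supplied by the caller because its real value is not on the page.
fn model_audit_timeout(floor: Duration, challenged_keys: u64) -> Duration {
    let bytes = challenged_keys * MAX_CHUNK_SIZE;
    let honest_read_ms = bytes * 1000 / HONEST_READ_BPS;
    floor + Duration::from_millis(honest_read_ms * HONEST_MULTIPLIER)
}

/// Time to move the challenged bytes over a link of `link_bps` bytes/sec.
/// Ignores per-chunk round-trips, so it is a lower bound on relay latency.
fn transfer_time(challenged_keys: u64, link_bps: u64) -> Duration {
    Duration::from_millis(challenged_keys * MAX_CHUNK_SIZE * 1000 / link_bps)
}

/// True when the deadline excludes a responder that must first fetch the bytes.
fn deadline_excludes_relay(floor: Duration, challenged_keys: u64, link_bps: u64) -> bool {
    transfer_time(challenged_keys, link_bps) > model_audit_timeout(floor, challenged_keys)
}

/// Link rate (bytes/sec) at which transfer time alone equals the deadline.
/// Slower links are excluded; faster ones are only deterred by cost.
fn break_even_bps(floor: Duration, challenged_keys: u64) -> u64 {
    let budget_ms = (model_audit_timeout(floor, challenged_keys).as_millis() as u64).max(1);
    challenged_keys * MAX_CHUNK_SIZE * 1000 / budget_ms
}

fn main() {
    let floor = Duration::from_secs(2); // constructed sample value
    let k = 100; // constructed challenge size
    println!("deadline for k={k}: {:?}", model_audit_timeout(floor, k));
    for (label, bps) in [("residential 5 MB/s", 5_000_000u64), ("1 Gbps", 125_000_000)] {
        println!("{label}: transfer {:?}, excluded={}",
                 transfer_time(k, bps), deadline_excludes_relay(floor, k, bps));
    }
    println!("break-even link rate: {} B/s", break_even_bps(floor, k));
}
```

The break-even rate approaches honest_read_bps / multiplier (10 MB/s with the stated values) as the per-byte term outgrows the floor, which is the quantity to re-check whenever either parameter is tuned.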

pub fn byte_audit_response_timeout(&self, challenged_key_count: usize) -> Duration

Deadline for the round-2 BYTE challenge serving challenged_key_count full chunks back to the auditor.

Same per-byte scaling as Self::audit_response_timeout (so a relay that must fetch the bytes over a residential link still blows it), but on a higher floor (BYTE_AUDIT_RESPONSE_FLOOR_SECS) because the reply carries up to MAX_BYTE_CHALLENGE_KEYS × MAX_CHUNK_SIZE of chunk data — handshake + multi-MiB upload + a busy honest disk read do not fit the hashes-only round-1 floor (the §4 finding).

pub fn audit_spotcheck_count(&self) -> u32

Number of subtree leaves to spot-check against real chunk bytes per audit (ADR-0002 real-bytes layer). Faking a fraction x of nonced leaves survives only (1 - x)^k.

pub fn subtree_audit_timeout_leaf_hint(&self) -> usize

Conservative leaf-count hint for sizing the subtree-audit response deadline before the proof arrives.

The selected subtree holds about sqrt(key_count) real leaves; sizing for a large store keeps an honest peer with a big store from timing out.

pub fn random_audit_tick_interval(&self) -> Duration

Returns a random duration in [audit_tick_interval_min, audit_tick_interval_max].

pub fn random_self_lookup_interval(&self) -> Duration

Returns a random duration in [self_lookup_interval_min, self_lookup_interval_max].

Trait Implementations§

impl Clone for ReplicationConfig

fn clone(&self) -> ReplicationConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ReplicationConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ReplicationConfig

fn default() -> Self

Returns the “default value” for a type.
