Struct SlashingManager 

pub struct SlashingManager { /* private fields */ }

Top-level slashing lifecycle manager.

Traces to SPEC §7. Owns the processed-hash dedup map, the pending-slash book, and correlation- window counters — all of which land in subsequent DSL commits. For DSL-022 the manager holds only the current_epoch field, which is consumed when calling ValidatorEntry::slash_absolute.

Implementations

impl SlashingManager

pub fn new(current_epoch: u64) -> Self

New manager at current_epoch with the default MAX_PENDING_SLASHES book capacity. Further fields (pending book, processed map) start empty.

pub fn with_book_capacity(current_epoch: u64, book_capacity: usize) -> Self

New manager with a caller-specified book capacity. Used by DSL-027 tests to exercise the PendingBookFull rejection.

pub fn current_epoch(&self) -> u64

Current epoch accessor.

pub fn book(&self) -> &PendingSlashBook

Immutable view of the pending-slash book.

pub fn book_mut(&mut self) -> &mut PendingSlashBook

Mutable access to the pending-slash book.

Exposed for adjudication code (DSL-064..070) that needs to transition pending statuses to Reverted/ChallengeOpen outside the manager’s own submit_evidence + finalise_expired_slashes flow. Test suites also use this to inject pre-Reverted state for DSL-033 skip-path coverage.

pub fn is_processed(&self, hash: &Bytes32) -> bool

true iff the evidence hash has been admitted. Used by DSL-026 (AlreadySlashed short-circuit) + tests.

pub fn processed_epoch(&self, hash: &Bytes32) -> Option<u64>

Admission epoch recorded for a processed hash. None when the hash is not in the map.

pub fn submit_evidence( &mut self, evidence: SlashingEvidence, validator_set: &mut dyn ValidatorView, effective_balances: &dyn EffectiveBalanceView, bond_escrow: &mut dyn BondEscrow, reward_payout: &mut dyn RewardPayout, proposer: &dyn ProposerView, network_id: &Bytes32, ) -> Result<SlashingResult, SlashingError>

Optimistic-admission entry point for validator slashing evidence.

Implements the base-slash branch of DSL-022. Traces to SPEC §7.3 step 5, §4.

Pipeline (DSL-022 + DSL-023 scope)

1. verify_evidence(...) → VerifiedEvidence (DSL-011..020). Failure propagates as SlashingError.
2. bond_escrow.lock(reporter_idx, REPORTER_BOND_MOJOS, BondTag::Reporter(evidence.hash())) (DSL-023). Lock failure collapses to SlashingError::BondLockFailed with no validator-side mutation — hence the ordering (bond BEFORE any slash_absolute).
3. For each slashable index:
   • eff_bal = effective_balances.get(idx)
   • bps_term = eff_bal * base_bps / BPS_DENOMINATOR
   • floor_term = eff_bal / MIN_SLASHING_PENALTY_QUOTIENT
   • base_slash = max(bps_term, floor_term)
   • Skip iff validator_set.get(idx).is_slashed() OR index absent from the view (defensive tolerance per SPEC §7.3).
   • Otherwise validator_set.get_mut(idx).slash_absolute( base_slash, self.current_epoch).
   • Record a PerValidatorSlash.
4. Return SlashingResult { per_validator, reporter_bond_escrowed: REPORTER_BOND_MOJOS, .. } — reward / pending-slash fields stay 0 / empty until DSL-024/025.

Deviations from SPEC signature

SPEC §7.3 lists additional parameters (CollateralSlasher, RewardPayout, ProposerView) that are consumed by DSL-025. Signature grows incrementally — each future DSL adds the trait it needs.

pub fn finalise_expired_slashes( &mut self, validator_set: &mut dyn ValidatorView, effective_balances: &dyn EffectiveBalanceView, bond_escrow: &mut dyn BondEscrow, total_active_balance: u64, ) -> Vec<FinalisationResult>

Transition every expired pending slash from Accepted/ChallengeOpen to Finalised { finalised_at_epoch: self.current_epoch } and emit one FinalisationResult per transition.

Implements DSL-029. Traces to SPEC §7.4 steps 1, 6–7.

Scope (incremental)

This method currently covers the status transition + result emission only. Side effects land in subsequent DSLs:

• DSL-030 populates per_validator_correlation_penalty.
• DSL-031 populates reporter_bond_returned via bond_escrow.release.
• DSL-032 populates exit_lock_until_epoch via validator_set.schedule_exit.

Behaviour

• Iterates book.expired_by(self.current_epoch) in ascending window-expiry order (stable across calls).
• Skips pendings already in Reverted { .. } or Finalised { .. } (DSL-033).
• Idempotent: calling twice in the same epoch yields an empty second result vec.

pub fn submit_appeal( &mut self, appeal: &SlashAppeal, bond_escrow: &mut dyn BondEscrow, ) -> Result<(), SlashingError>

Submit an appeal against an existing pending slash.

Implements DSL-055. Traces to SPEC §6.1, §7.2.

Scope (incremental)

First-cut pipeline stops at the UnknownEvidence precondition: if appeal.evidence_hash is not present in the pending-slash book the method returns SlashingError::UnknownEvidence(hex) WITHOUT touching the bond escrow. Later DSLs extend the pipeline:

• DSL-056: WindowExpired
• DSL-057: VariantMismatch
• DSL-058: DuplicateAppeal
• DSL-059: TooManyAttempts
• DSL-060/061: SlashAlreadyReverted / SlashAlreadyFinalised
• DSL-062: appellant-bond lock (FIRST bond-touching step)
• DSL-063: PayloadTooLarge
• DSL-064+: dispatch to per-ground verifiers + adjudicate

Error ordering invariant

UnknownEvidence MUST be checked BEFORE any bond operation so a caller with a stale / misrouted appeal does not pay gas to lock collateral that would immediately need to be returned. Preserved by running the book lookup as the first statement — see the DSL-055 test suite’s test_dsl_055_bond_not_locked guard.

pub fn set_epoch(&mut self, epoch: u64)

Advance the manager’s epoch. Consumers at the consensus layer call this at every epoch boundary AFTER running finalise_expired_slashes — keeps the current epoch in lock step with the chain. Test helper.

pub fn mark_processed(&mut self, hash: Bytes32, epoch: u64)

Record a processed-evidence entry for persistence load or test fixtures.

submit_evidence does this implicitly on admission; this method is the public surface for replaying a persisted book or constructing a unit-test fixture without going through the full verify + bond-lock pipeline.

pub fn mark_slashed_in_window( &mut self, epoch: u64, idx: u32, effective_balance: u64, )

Record a (epoch, validator_index) → effective_balance entry in the slashed-in-window cohort map. Companion to mark_processed; used by persistence load + tests.

pub fn is_slashed_in_window(&self, epoch: u64, idx: u32) -> bool

Lookup for slashed_in_window — test helper so integration tests can verify DSL-129 rewind actually cleared an entry.

pub fn pending(&self, hash: &Bytes32) -> Option<&PendingSlash>

Read-side lookup for a pending slash by evidence_hash.

Implements DSL-150. Convenience wrapper over self.book().get(hash) so callers don’t need to chain through book(). Returns None when the slash has been removed via book.remove or was never admitted.

pub fn prune(&mut self, before_epoch: u64) -> usize

Prune processed + slashed_in_window entries older than before_epoch. Convenience alias for prune_processed_older_than per DSL-150 naming.

Does NOT touch book — pending slashes are removed via book.remove or finalise_expired_slashes which own the status-transition lifecycle.

Typical caller: DSL-127 run_epoch_boundary with before_epoch = current.saturating_sub(CORRELATION_WINDOW_EPOCHS).

pub fn is_slashed(&self, idx: u32, validator_set: &dyn ValidatorView) -> bool

Delegate to ValidatorView::get(idx)?.is_slashed().

Implements DSL-149. Returns false for unknown indices (no panic) — matches DSL-136 ValidatorView::get out-of-range semantics. Read-only: does not mutate self or the validator set.

pub fn rewind_on_reorg( &mut self, new_tip_epoch: u64, validator_set: &mut dyn ValidatorView, collateral: Option<&mut dyn CollateralSlasher>, bond_escrow: &mut dyn BondEscrow, ) -> Vec<Bytes32>

Rewind every pending slash whose submitted_at_epoch is STRICTLY greater than new_tip_epoch — the canonical fork-choice reorg response.

Implements DSL-129. Traces to SPEC §13.

Side effects per rewound entry

• ValidatorEntry::credit_stake(base_slash_amount) on each slashable validator.
• ValidatorEntry::restore_status() on each.
• CollateralSlasher::credit(validator_index, collateral_slashed) on each (when collateral present).
• BondEscrow::release of the reporter bond at BondTag::Reporter(evidence_hash) — NOT forfeit. Reorg is not the reporter’s fault; the bond returns intact.
• Entry removed from self.book, self.processed, and self.slashed_in_window.

What it does NOT do

• NO reporter penalty. DSL-069 applies a reporter penalty on SUSTAINED-APPEAL revert; a reorg is a consensus-layer signal that the original evidence was never canonical, so the reporter is not at fault.
• NO appeal-history inspection. Any filed appeals on the rewound slash are discarded along with the slash itself.

Returns

List of evidence_hash values that were rewound. Empty when no pending slashes are past the new tip.

pub fn prune_processed_older_than(&mut self, cutoff_epoch: u64) -> usize

Prune processed-evidence map entries whose recorded epoch is strictly less than cutoff_epoch. Called by the DSL-127 run_epoch_boundary step 8 (last step) to bound memory of the AlreadySlashed dedup window.

Returns the number of entries removed. Also drops any slashed_in_window rows whose epoch is older than the cutoff — the cohort-sum window (DSL-030) is CORRELATION_WINDOW_EPOCHS wide so entries older than current_epoch - CORRELATION_WINDOW_EPOCHS can never contribute to a future finalisation.

Trait Implementations

impl Clone for SlashingManager

fn clone(&self) -> SlashingManager

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SlashingManager

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SlashingManager

fn default() -> Self

Returns the “default value” for a type.