feat: implement full replication subsystem#54
Open
mickvandijke wants to merge 41 commits intomainfrom
Open
Conversation
mickvandijke
added a commit
that referenced
this pull request
Apr 1, 2026
Add unit and e2e tests covering the remaining Section 18 scenarios: Unit tests (32 new): - Quorum: #4 fail→abandoned, #16 timeout→inconclusive, #27 single-round dual-evidence, #28 dynamic threshold undersized, #33 batched per-key, #34 partial response unresolved, #42 quorum-derived paid-list auth - Admission: #5 unauthorized peer, #7 out-of-range rejected - Config: #18 invalid config rejected, #26 dynamic paid threshold - Scheduling: #8 dedup safety, #8 replica/paid collapse - Neighbor sync: #35 round-robin cooldown skip, #36 cycle completion, #38 snapshot stability mid-join, #39 unreachable removal + slot fill, #40 cooldown peer removed, #41 cycle termination guarantee, consecutive rounds, cycle preserves sync times - Pruning: #50 hysteresis prevents premature delete, #51 timestamp reset on heal, #52 paid/record timestamps independent, #23 entry removal - Audit: #19/#53 partial failure mixed responsibility, #54 all pass, #55 empty failure discard, #56 repair opportunity filter, response count validation, digest uses full record bytes - Types: #13 bootstrap drain, repair opportunity edge cases, terminal state variants - Bootstrap claims: #46 first-seen recorded, #49 cleared on normal E2e tests (4 new): - #2 fresh offer with empty PoP rejected - #5/#37 neighbor sync request returns response - #11 audit challenge multi-key (present + absent) - Fetch not-found for non-existent key Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Implement the complete replication design from REPLICATION_DESIGN.md: - Fresh replication with PoP validation via PaymentVerifier (Section 6.1) - Neighbor sync with round-robin cycle management and cooldown (Section 6.2) - Per-key hint admission with cross-set precedence (Section 7) - Receiver verification state machine (Section 8) - Batched quorum verification with single-round dual-evidence (Section 9) - Content-address integrity check on fetched records (Section 10) - Post-cycle responsibility pruning with time-based hysteresis (Section 11) - Adaptive fetch scheduling with post-bootstrap concurrency adjustment (Section 12) - Topology churn handling with close-group event classification (Section 13) - Trust engine integration with ReplicationFailure and BootstrapClaimAbuse (Section 14) - Storage audit protocol with per-key digest verification and responsibility confirmation (Section 15) - Bootstrap sync with drain gate for audit scheduling (Section 16) - LMDB-backed PaidForList persistence across restarts - Wire protocol with postcard serialization for all replication messages Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…harness Wire ReplicationEngine into TestNode so E2E tests run full replication. Add 8 replication e2e tests covering: - Fresh replication propagation to close group - PaidForList persistence across reopen - Verification request/response with presence and paid-list checks - Fetch request/response (success and not-found) - Audit challenge digest verification (present and absent keys) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Replace `[x].into_iter().collect()` with `std::iter::once(x).collect()` - Add `clippy::panic` allow in test modules - Rename similar bindings in paid_list tests - Use `sort_unstable` for primitive types Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Fix unresolved doc link: `[`get`]` -> `[`Self::get`]` in lmdb.rs - Fix `Instant::checked_sub` panics on Windows CI where system uptime may be less than the subtracted duration. Use small offsets (2s) with `unwrap_or_else(Instant::now)` fallback and matching thresholds. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Add unit and e2e tests covering the remaining Section 18 scenarios: Unit tests (32 new): - Quorum: #4 fail→abandoned, #16 timeout→inconclusive, #27 single-round dual-evidence, #28 dynamic threshold undersized, #33 batched per-key, #34 partial response unresolved, #42 quorum-derived paid-list auth - Admission: #5 unauthorized peer, #7 out-of-range rejected - Config: #18 invalid config rejected, #26 dynamic paid threshold - Scheduling: #8 dedup safety, #8 replica/paid collapse - Neighbor sync: #35 round-robin cooldown skip, #36 cycle completion, #38 snapshot stability mid-join, #39 unreachable removal + slot fill, #40 cooldown peer removed, #41 cycle termination guarantee, consecutive rounds, cycle preserves sync times - Pruning: #50 hysteresis prevents premature delete, #51 timestamp reset on heal, #52 paid/record timestamps independent, #23 entry removal - Audit: #19/#53 partial failure mixed responsibility, #54 all pass, #55 empty failure discard, #56 repair opportunity filter, response count validation, digest uses full record bytes - Types: #13 bootstrap drain, repair opportunity edge cases, terminal state variants - Bootstrap claims: #46 first-seen recorded, #49 cleared on normal E2e tests (4 new): - #2 fresh offer with empty PoP rejected - #5/#37 neighbor sync request returns response - #11 audit challenge multi-key (present + absent) - Fetch not-found for non-existent key Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Complete the Section 18 test matrix with the remaining scenarios: - #3: Fresh replication stores chunk + updates PaidForList on remote nodes - #9: Fetch retry rotates to alternate source - #10: Fetch retry exhaustion with single source - #11: Repeated ApplicationFailure events decrease peer trust score - #12: Bootstrap node discovers keys stored on multiple peers - #14: Hint construction covers all locally stored keys - #15: Data and PaidForList survive node shutdown (partition) - #17: Neighbor sync request returns valid response (admission test) - #21: Paid-list majority confirmed from multiple peers via verification - #24: PaidNotify propagates paid-list entries after fresh replication - #25: Paid-list convergence verified via majority peer queries - #44: PaidForList persists across restart (cold-start recovery) - #45: PaidForList lost in fresh directory (unrecoverable scenario) All 56 Section 18 scenarios now have test coverage. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The e2e test target requires the `test-utils` feature flag but both CI and release workflows ran `cargo test` without it, silently skipping all 73 e2e tests including 24 replication tests. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Implements the remaining untested scenarios from REPLICATION_DESIGN.md Section 18, bringing coverage from 47/56 to 56/56: - #20: paid-list local hit bypasses presence quorum (quorum.rs) - #22: paid-list rejection below threshold (quorum.rs) - #29: audit start gate during bootstrap (audit.rs) - #30: audit peer selection from sampled keys (audit.rs) - #31: audit periodic cadence with jitter bounds (config.rs) - #32: dynamic challenge size equals PeerKeySet (audit.rs) - #47: bootstrap claim grace period in audit path (audit.rs) - #48: bootstrap claim abuse after grace period (paid_list.rs) - #53: audit partial per-key failure with mixed responsibility (audit.rs) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
E2e tests spin up multi-node testnets, each opening several LMDB environments. Running them in parallel exhausts thread-local storage slots (MDB_TLS_FULL) and causes "environment already open" errors on all platforms. Split CI test step into parallel unit tests and single-threaded e2e tests (`--test-threads=1`). Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…n replication subsystem saorsa-core 0.20.0 rejects `/` in protocol names (it adds `/rr/` prefix itself on the wire). Both protocol IDs used slashes, causing all replication e2e tests to fail with "Invalid protocol name". Additionally, the replication handler only matched bare protocol topics and responded via send_message, but the tests used send_request (which wraps payloads in /rr/ envelopes). The handler now supports both patterns: bare send_message and /rr/ request-response. Also fixes LMDB "environment already open" errors in restart tests by adding ReplicationEngine::shutdown() to properly join background tasks and release Arc<LmdbStorage> references before reopening. Changes: - Replace `/` with `.` in CHUNK_PROTOCOL_ID and REPLICATION_PROTOCOL_ID - Add ReplicationEngine::shutdown() to cancel and await background tasks - Handler now matches both bare and /rr/-prefixed replication topics - Thread rr_message_id through handler chain for send_response routing - Simplify test helper to use send_request directly (23 call sites) - Fix paid-list persistence tests to shut down engine before LMDB reopen - Update testnet teardown to use engine.shutdown().await Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…m test On Windows, `Instant` is backed by `QueryPerformanceCounter` which starts near zero at process launch. Subtracting 25 hours from a process that has only run for seconds causes `checked_sub` to return `None`, panicking the test. Fall back to `Instant::now()` when the platform cannot represent the backdated time, and conditionally skip the claim-age assertion since the core logic under test (evidence construction) is time-independent. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- #3: Add proper unit test in scheduling.rs exercising full pipeline (PendingVerify → QueuedForFetch → Fetching → Stored); rename mislabeled e2e test to scenario_1_and_24 - #12: Rewrite e2e test to send verification requests to 4 holders and assert quorum-level presence + paid confirmations - #13: Rename mislabeled bootstrap drain test in types.rs; add proper unit test in paid_list.rs covering range shrink, hysteresis retention, and new key acceptance - #14: Rewrite e2e test to send NeighborSyncRequest and assert response hints cover all locally stored keys - #15: Rewrite e2e test to store on 2 nodes, partition one, then verify paid-list authorization confirmable via verification request - #17: Rewrite e2e test to store data on receiver, send sync, and assert outbound replica hints returned (proving bidirectional exchange) - #55: Replace weak enum-distinctness check with full audit failure flow: compute digests, identify mismatches, filter by responsibility, verify empty confirmed failure set produces no evidence Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…on engine The message handler blocked on `run_neighbor_sync_round()` during PeerConnected/PeerDisconnected events. That function calls `send_request()` to peers, whose handlers were also blocked — deadlocking the entire network. Replace inline sync with a `Notify` signal to the neighbor sync loop, which runs in its own task. Additionally, `is_bootstrapping` was never set to `false` after bootstrap drained, causing neighbor sync responses to claim bootstrapping and audit challenges to return bootstrapping claims instead of digests. Fix three e2e tests that pre-populated the payment cache only on the source node; receiving nodes rejected the dummy PoP. Pre-populate on all nodes to bypass EVM verification in the test harness. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…ests - Rename mislabeled scenario_44 → scenario_43 (tests persistence, not cold-start recovery) - Rename mislabeled scenario_36 (tested cycle completion, not post-cycle pruning) - Add missing scenario_36 (post-cycle combined prune pass trigger + hysteresis) - Add missing scenario_37 (non-LocalRT inbound sync drops hints, outbound still sent) - Add missing scenario_44 (cold-start recovery via replica majority with total paid-list loss) - Strengthen scenario_5 (traces actual admit_hints dedup/cross-set/relevance logic) - Strengthen scenario_7 (exercises distance-based rejection through admission pipeline) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
… PeerConnected/PeerDisconnected Subscribe to DhtNetworkEvent::KClosestPeersChanged from the DHT routing table rather than manually classifying every PeerConnected/PeerDisconnected event against the close group. This is more precise — the routing table emits the event only when the K-closest set actually changes — and eliminates a potential race in the old classify_topology_event approach. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Bootstrap sync was firing immediately on engine start, racing with saorsa-core's DHT bootstrap. The routing table could be empty when neighbors were snapshotted, causing the sync to find no peers and mark bootstrap as drained prematurely. Now the bootstrap-sync task waits for BootstrapComplete before proceeding. The DHT event subscription is created before P2PNode::start() to avoid missing the event. A 60s configurable timeout ensures bootstrap nodes (which have no peers and never receive the event) still proceed gracefully. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
mickvandijke
force-pushed
the
feat/replication-subsystem
branch
from
f73f639 to
16d5ba5
Compare
Replace the static AUDIT_BATCH_SIZE=8 with floor(sqrt(total_keys)), so nodes storing more chunks audit proportionally more keys per tick. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Audit peer selection and responsibility confirmation now use find_closest_nodes_local instead of find_closest_nodes_network, making audit cost purely local regardless of sample size. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Reverse the audit selection order: select one eligible peer upfront, then sample local keys and filter to those the peer is responsible for via local RT close-group lookup. Eliminates the multi-peer map building that discarded most of its work. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
There was a problem hiding this comment.
Pull request overview
Implements a full replication subsystem (per docs/REPLICATION_DESIGN.md) and integrates it into node lifecycle + e2e test harness, adding scheduling, neighbor-sync, quorum verification, audits, pruning, and an LMDB-backed paid list.
Changes:
- Add
src/replication/with wire protocol, engine orchestration, neighbor sync, verification queues, pruning/audit/bootstrapping, and paid-list persistence. - Integrate
ReplicationEngineintoRunningNodestartup/shutdown and extend storage APIs to support replication/audit. - Update CI workflows to run unit tests and e2e tests separately.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
src/replication/mod.rs |
Replication engine orchestration, background tasks, and message handling integration points. |
src/replication/protocol.rs |
Defines replication wire messages (postcard) and size limits. |
src/replication/config.rs |
Centralizes replication tuning parameters and validation helpers. |
src/replication/types.rs |
Replication FSM + domain types used across the subsystem. |
src/replication/scheduling.rs |
Pipeline queues (pending verify, fetch queue, in-flight) and eviction/dedup helpers. |
src/replication/neighbor_sync.rs |
Round-robin neighbor sync ordering, cooldown, and request/response helpers. |
src/replication/fresh.rs |
Fresh replication fanout + PaidNotify emission. |
src/replication/bootstrap.rs |
Bootstrap gate/drain tracking helpers for replication startup. |
src/replication/pruning.rs |
Post-cycle pruning of out-of-range records and paid-list entries with hysteresis. |
src/replication/paid_list.rs |
LMDB-backed persistent PaidForList plus hysteresis timestamp tracking. |
src/replication/audit.rs |
Storage-audit challenge/response and digest verification flow. |
src/replication/quorum.rs |
Batched verification/quorum evaluation and evidence aggregation. |
src/node.rs |
Wires ReplicationEngine into the node lifecycle and DHT event subscription timing. |
src/lib.rs |
Exposes replication module and re-exports ReplicationEngine / ReplicationConfig. |
src/error.rs |
Adds Error::Replication variant. |
src/storage/handler.rs |
Adds accessors for storage and payment verifier needed by replication. |
src/storage/lmdb.rs |
Adds all_keys() and get_raw() to support hint construction and audits. |
src/storage/mod.rs |
Updates protocol ID documentation string. |
src/ant_protocol/chunk.rs |
Changes CHUNK_PROTOCOL_ID value (wire routing identifier). |
tests/e2e/testnet.rs |
Starts/stops replication engine in e2e nodes; bumps max message size to accommodate replication traffic. |
tests/e2e/data_types/chunk.rs |
Adjusts restart simulation to fully shutdown replication before reopening LMDB. |
tests/e2e/mod.rs |
Adds replication e2e module. |
docs/REPLICATION_DESIGN.md |
Adds the replication design/specification document. |
.github/workflows/ci.yml |
Splits unit vs e2e test execution. |
.github/workflows/release.yml |
Splits unit vs e2e test execution in release workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The fetch worker was processing fetches sequentially — one at a time — despite having a configurable concurrency limit. Replace the serial loop with FuturesUnordered backed by tokio::spawn, filling up to available_parallelism() slots concurrently. This also removes the per-poll bootstrap concurrency adjustment that acquired a write lock on every 100ms tick for the node's entire lifetime. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Security fixes: - Reject audit challenges where challenged_peer_id != self (oracle attack) - Validate fetch response key matches requested key (data injection) - Reject audit challenges exceeding MAX_AUDIT_CHALLENGE_KEYS (DoS) Correctness fixes: - Preserve bootstrap_claims across neighbor sync cycle transitions - Shutdown replication engine before P2P node on shutdown - Add pending_verify to enqueue_fetch dedup guard (Rule 8) - Make FetchCandidate PartialEq/Ord consistent (BinaryHeap invariant) - Change paid_list_check_indices from u16 to u32 (silent truncation) Performance fixes: - Make all_keys()/get_raw() async with spawn_blocking (tokio blocking) - Release queues write lock before paid-list inserts in verification Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Remove ApplicationSuccess on fetch — successful fetches are expected behavior and should not inflate trust scores. Move the sole trust reward to audit pass, where a peer has cryptographically proven it holds the challenged data. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The audit path (Passed/Failed) never cleared bootstrap_claims entries when a peer responded normally with digests. A stale first-seen timestamp could cause false BootstrapClaimAbuse penalties if the peer later legitimately claimed bootstrap again. This aligns the audit path with the existing sync path clearing at line 1336. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
P2PNode::send_request() already reports ConnectionTimeout/ConnectionFailed to the TrustEngine when a request fails. The application layer was also reporting ApplicationFailure for the same error, penalizing the peer twice. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Rename MAX_CONSUMER_TRUST_WEIGHT to AUDIT_FAILURE_TRUST_WEIGHT to accurately reflect its purpose and lower the weight to 2.0. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace the flat 12s audit timeout with 6s + (1ms * chunk_count). This keeps the deadline tight enough to prevent peers from fetching audited chunks from neighbours while still allowing legitimate local LMDB reads and digest computation. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Reduces false audit failures on slower networks by giving peers more time to read and hash each challenged key. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 27 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Use replacement peer from handle_sync_failure instead of discarding it - Apply cooldown filtering in handle_sync_failure (matching select_sync_batch) - Extract handle_sync_response helper to deduplicate sync response handling - Fix pruning counters to only increment on actual state transitions - Deduplicate MAX_REPLICATION_MESSAGE_SIZE via re-export from config Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Fix stale test comment about enqueue_fetch dedup (it does check all stages) - Fix JoinError messages from "panicked" to "failed" (covers cancellation too) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Fix fetch retry not spawning new task (C1 data loss) - Fix storage.put failure silently reporting Stored (C2 data loss) - Fix pruning not clearing record_out_of_range timestamps (H6) - Make MAX_AUDIT_CHALLENGE_KEYS dynamic via ReplicationConfig (H7) - Add AuditResponse::Rejected variant for wrong-peer/too-many-keys (H8) - Cap peer_keys at challenger side before sending audit challenge (H7) - Filter expired bootstrap claims from audit target selection (H9) - Add double-start guard to ReplicationEngine::start() (H10) - Validate neighbor_sync_scope > 0 in config - Document sync_history, bootstrap_claims, and queue growth (H1/H3-H5) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace the static MAX_AUDIT_CHALLENGE_KEYS const and config field with dynamic scaling based on current store size: - Outgoing: naturally bounded by sqrt(stored_chunks) via audit_sample_count - Incoming: 2 * sqrt(stored_chunks) via new max_incoming_audit_keys() The 2x margin on incoming accounts for the challenger having a larger store. Removes DEFAULT_MAX_AUDIT_CHALLENGE_KEYS, MAX_AUDIT_SAMPLE_ESTIMATE, and the max_audit_challenge_keys config field. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Bootstrap drain was only checked once, immediately after the bootstrap
sync loop ended. If keys were still in-flight at that moment, audits
were permanently disabled. Fix with two complementary approaches:
(A) Re-check drain condition in the fetch worker (on terminal
complete_fetch) and verification worker (after terminal
remove_pending), flipping is_bootstrapping to false when drained.
(B) Incrementally remove keys from BootstrapState.pending_keys at
terminal exits so the drain-check set shrinks over time rather
than being re-scanned in full.
Both paths are guarded by a cheap is_drained() read-check so there
is zero overhead once bootstrap completes.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
BootstrapState::new() had pending_peer_requests=0 and empty pending_keys, so is_drained() returned true before bootstrap even began. If the audit loop polled before increment_pending_requests was called, audits could start prematurely (Invariant 19 violation). Remove the (requests==0 && keys.empty()) shortcut from is_drained(). Now only the explicit `drained` flag (set by check_bootstrap_drained or mark_bootstrap_drained) gates the transition. This is safe because the prior commit ensures check_bootstrap_drained is called reliably at every terminal pipeline exit. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
audit_tick now takes an is_bootstrapping parameter and returns Idle immediately if the local node is still bootstrapping (Invariant 19). Previously, the only guard was the audit loop's is_drained() gate — audit_tick itself would happily initiate audits if called directly. This makes the invariant self-contained in the function rather than relying solely on caller discipline. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…ission/pruning Audit used find_closest_nodes_local (self-excluded) to determine peer responsibility, while admission and pruning used find_closest_nodes_local_with_self. This caused the systems to disagree on close-group membership at the boundary, potentially leading to false audit failures. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
… shutdown Bulk increment_pending_requests(neighbor_count) before the loop left un-decremented peers when shutdown broke the loop early. Switching to per-peer increment inside the loop keeps each increment/decrement pair in the same iteration body, making early exit safe. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- IntegrityFailed now retries alternate sources instead of abandoning key - Audit Rejected responses route through handle_audit_failure with trust penalty - NotFound fetch responses no longer penalize peers (only Error/malformed do) - Storage-pruned records seed paid_out_of_range timer to close re-admission window - Saturating u32 conversion in audit_response_timeout prevents silent truncation - Remove dead replica_set and unreachable cross-set precedence check in admission - Use checked_duration_since in pruning hysteresis to handle clock ordering safely Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…n subsystem Fix critical deadlock from opposite lock ordering between audit loop (sync_history→sync_state) and neighbor sync (sync_state→sync_history) by enforcing consistent sync_state-first ordering throughout. Security: validate challenge_id on all audit response variants, add bounds checks on incoming VerificationRequest/NeighborSyncRequest vectors using the same dynamic limit as audit challenges, and prevent granting unearned positive trust when audit failures are cleared by topology churn. Also fixes stale bootstrap flag during sync, wrong close-group query in fresh replication, and consolidates three copies of hint admission logic into a single function. Removes dead code, duplicate functions, and replaces flaky sleep-based test waits with polling loops. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Address 14 findings from deep review of PR #54: High severity: - H1: Handle leaked in-flight fetch entries on task panic/cancel by wrapping futures to always return the key for cleanup - H2: Propagate CancellationToken into spawned fetch tasks and drain (not drop) in-flight futures on shutdown - H3: Release sync_state write lock before expensive prune pass and DHT snapshot; re-acquire with double-check before cycle swap - H4: Scope bootstrap claim state mutation in blocks so sync_state write lock is not held across report_trust_event network I/O - H7: Fix ABBA deadlock potential by releasing queues lock before acquiring bootstrap_state in fetch worker Medium severity: - M1: Treat audit challenge ID mismatch as MalformedResponse with responsibility confirmation instead of silent Idle return - M2: Classify audit decode failure as MalformedResponse not Timeout - M4: Use HashSet for O(1) key lookups in verification response processing; cap results at 2x requested keys - M5: Call evict_stale(PENDING_VERIFY_MAX_AGE) at start of each verification cycle to bound unbounded pending_verify growth - M7: Add warn! logging for unexpected key lengths in PaidList and LmdbStorage all_keys() methods - M8: Send empty NeighborSyncResponse when rejecting oversized hints instead of leaving the peer waiting until timeout - M9: Log warning for fetch candidates with empty sources - M10: Return 0 from quorum_needed(0) and guard evaluate_key_evidence against trivially-met quorum/paid checks with zero targets - M11: Validate paid_list_check_indices against keys.len() with warning for out-of-bounds indices Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Wire fresh replication into chunk PUT handler via unbounded channel so newly-stored chunks trigger fan-out to close group peers - Enforce MAX_CHUNK_SIZE on replication receive paths (fresh offers and fetch responses) with trust penalties to prevent oversized record injection - Track bootstrap-era hints from inbound sync requests and regular neighbor sync responses so bootstrap drain detection is accurate - Update default max_message_size to max(chunk, replication) ceiling so larger hint batches are not silently dropped by the transport layer Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docs/REPLICATION_DESIGN.mdacross 14 new source files (8,001 lines insrc/replication/)New modules
mod.rsprotocol.rsquorum.rsaudit.rspaid_list.rstypes.rsscheduling.rsneighbor_sync.rsconfig.rsadmission.rsbootstrap.rspruning.rsfresh.rsModified existing files
node.rs— IntegratesReplicationEngineintoRunningNodelifecyclestorage/handler.rs— Exposesstorage()andpayment_verifier_arc()accessorsstorage/lmdb.rs— Addsall_keys()andget_raw()for replicationerror.rs— AddsReplicationerror variantlib.rs— Adds module + re-exportsTest plan
cargo test --lib)🤖 Generated with Claude Code