Spec-18-Conformance-and-Failure-Modes
What this page is
Rendered compatibility entry point for
Spec-18-Conformance-and-Failure-Modes.
Acceptance test scenarios — split-brain, malicious peer, partial
failure, replay attack.
Authoritative source:
spec/stigmem-spec-v0.9.0a1.md
Each subsection below shows the most recent normative text from the spec source.
These scenarios are acceptance gates for the pre-reset design work.
All four MUST pass before the phase is considered complete.
§11.1 Split-Brain
Setup: Two nodes A and B are federated with scope=public. Both
are initially in sync (same public facts).
Scenario:
- Cut network connectivity between A and B (simulated partition).
- Write fact
F_ato node A:(entity="stigmem://node-a/test/entity", relation="test:value", value="from-a", scope="public"). - Write fact
F_bto node B:(entity="stigmem://node-a/test/entity", relation="test:value", value="from-b", scope="public"). - Maintain partition for >5 minutes. Both nodes continue accepting reads and writes.
- Restore connectivity.
- Allow replication to complete (pull cycle fires on both sides).
Expected outcomes:
Both facts stored
Both nodes store both F_a and F_b.
Conflict fact exists
A stigmem:conflict:between fact exists on both nodes (or at minimum on the node that ingested the second fact — the local node MUST detect the conflict on ingestion).
Conflict surfaced
GET /v1/conflicts?status=unresolved returns the conflict on both nodes.
Both contradicted
GET /v1/facts?entity=stigmem://node-a/test/entity&relation=test:value&include_contradicted=true returns both facts with contradicted: true.
No silent discard
No fact is silently discarded.
§11.2 Malicious Peer
Setup: Node A and Node B are federated. A third process
("attacker") obtains a valid peer token for the node_b → node_a
direction (simulating a compromised peer or MITM).
Scenario:
- Attacker attempts to push a fact with
scope="company"to node A's/v1/federation/facts/push, where the PeerDeclaration only allows["public"]. - Attacker attempts to push a fact with
source="stigmem://node-c/user/alice"(an entity not belonging to node B's declared namespace). - Attacker replays a previously-seen valid peer token (captured from an earlier legitimate exchange) after the nonce window expires. Then replays within the window.
Expected outcomes:
federation_audit: event_type="scope_violation".federation_audit: event_type="rejected_fact", reason=source_not_owned.federation_audit: event_type="replay_attempt". Node A's fact store is not corrupted.§11.3 Partial Failure (Peer Down Mid-Replication)
Setup: Node A (subscriber) is pulling from Node B (publisher). Node B has 1000 public facts. A has pulled 500 so far; cursor is stored.
Scenario:
- Node B crashes after returning facts 501–600 but before node A persists the cursor for that batch.
- Node A attempts its next pull; node B is unreachable.
- Node A continues serving read and write requests normally.
- Node B restarts.
- Node A's next pull cycle fires.
Expected outcomes:
During peer-down
Node A returns 503 or times out on the pull attempt; no crash; local reads/writes unaffected.
After restart
Node A resumes from cursor 500 (not 0, not 600). Facts 501–1000 are ingested. No duplicates created (idempotency check passes on facts 501–600 that may have been partially ingested).
Final state
Node A has all 1000 facts.
§11.4 Replay Attack
Setup: Node A and B are federated. A valid peer token T is
intercepted.
Scenario:
- Token
Tis used legitimately for a pull request by node B. Succeeds. - Token
Tis immediately replayed by an attacker. (Within nonce window.) - A new token
T2is generated with the same nonce asTbut a freshiat/exp. - Token
T3is generated with a pastexp(already expired).
Expected outcomes:
Terror: "nonce_already_seen". Audit log entry.T2 with duplicate nonceT3 already expirederror: "token_expired".