S06 — Consensus
BFT (Byzantine Fault Tolerant) voting. Tolerates f faulty nodes out of n total where n ≥ 3f + 1.
Quorum
- Threshold: ⌊2n/3⌋ + 1 votes to accept
- Equivocation: signing conflicting messages on the same proposal → votes invalidated, reputation penalty
- View change: if proposer unresponsive, PBFT-style leader rotation
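The quorum arithmetic and the equivocation rule above, as an added worked example in JavaScript. This is illustration only, not Colibri code (the status table at the end of this section records that the source contains no quorum or equivocation logic); the vote shape (`nodeId`, `proposalId`, `decision`) and the sample vote set are constructed here. The tally deliberately drops every vote from a node that signed both an accept and a reject for the same proposal, which is what "votes invalidated" means in practice, and returns the offenders so the caller can apply the reputation penalty.

```javascript
// Added example; not part of the Colibri source. Vote shape and samples are assumed.

// Largest f with n >= 3f + 1: the number of faulty nodes a set of n tolerates.
function maxFaulty(n) {
  if (!Number.isInteger(n) || n < 1) throw new RangeError('n must be a positive integer');
  return Math.floor((n - 1) / 3);
}

// Votes needed to accept a proposal: floor(2n/3) + 1.
function quorumThreshold(n) {
  return Math.floor((2 * n) / 3) + 1;
}

// Count accepting nodes for one proposal. A node that signed conflicting
// decisions (accept and reject) for the same proposal is an equivocator:
// none of its votes count, and it is reported for the reputation penalty.
function tallyVotes(proposalId, votes) {
  const byNode = new Map(); // nodeId -> Set of distinct decisions seen
  for (const v of votes) {
    if (v.proposalId !== proposalId) continue;
    if (!byNode.has(v.nodeId)) byNode.set(v.nodeId, new Set());
    byNode.get(v.nodeId).add(v.decision);
  }
  const equivocators = [];
  let accepts = 0;
  for (const [nodeId, decisions] of byNode) {
    if (decisions.size > 1) { equivocators.push(nodeId); continue; } // invalidated
    if (decisions.has('accept')) accepts += 1;
  }
  return { accepts, equivocators };
}

function reachedQuorum(proposalId, votes, n) {
  const { accepts, equivocators } = tallyVotes(proposalId, votes);
  return { accepted: accepts >= quorumThreshold(n), accepts, equivocators };
}

// Constructed sample: 7 nodes (tolerates 2 faulty), so 5 accepts are needed.
// n5 equivocates, which leaves only 4 valid accepts and no quorum.
const SAMPLE_VOTES = [
  { nodeId: 'n1', proposalId: 'p1', decision: 'accept' },
  { nodeId: 'n2', proposalId: 'p1', decision: 'accept' },
  { nodeId: 'n3', proposalId: 'p1', decision: 'accept' },
  { nodeId: 'n4', proposalId: 'p1', decision: 'accept' },
  { nodeId: 'n5', proposalId: 'p1', decision: 'accept' },
  { nodeId: 'n5', proposalId: 'p1', decision: 'reject' }, // conflicting signature
  { nodeId: 'n6', proposalId: 'p1', decision: 'reject' },
  { nodeId: 'n7', proposalId: 'p2', decision: 'accept' }, // other proposal, ignored
];

console.log(reachedQuorum('p1', SAMPLE_VOTES, 7));
// { accepted: false, accepts: 4, equivocators: ['n5'] }
```

Note that the threshold is computed from n, the configured node count, not from the number of votes seen; counting only the votes that arrived would let a partitioned minority "reach quorum" among itself.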
Finality levels
| Level | Condition | External effects allowed |
|---|---|---|
| PENDING | Event submitted | None |
| SOFT | Some votes, below quorum | None |
| QUORUM | votes ≥ threshold | None (dispute window active) |
| HARD | Quorum held for full dispute window (≥24h) | Yes |
| ABSOLUTE | HARD + no pending appeals | Irreversible effects |
Rule: no irreversible external side-effects before HARD finality.
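The finality ladder and the side-effect rule, as an added example in JavaScript. It is not Colibri code (the status table below notes that no finality state machine exists in the source); the `state` fields (`votes`, `threshold`, `quorumReachedAt`, `pendingAppeals`) and the effect object shape are assumptions. The level is derived from evidence on every call rather than stored, so a node cannot be pushed to a higher level than its own observations support, and the executor refuses irreversible effects below ABSOLUTE and any external effect below HARD, which is the table's reading of the rule above.

```javascript
// Added example; not part of the Colibri source. State and effect shapes are assumed.

const DISPUTE_WINDOW_MS = 24 * 60 * 60 * 1000; // the table's ">= 24h" window
const LEVELS = ['PENDING', 'SOFT', 'QUORUM', 'HARD', 'ABSOLUTE'];

// Derive the finality level from what this node has actually observed.
function finalityLevel(state, nowMs) {
  const { votes, threshold, quorumReachedAt, pendingAppeals } = state;
  if (votes <= 0) return 'PENDING';
  if (votes < threshold) return 'SOFT';
  const windowElapsed = quorumReachedAt != null && nowMs - quorumReachedAt >= DISPUTE_WINDOW_MS;
  if (!windowElapsed) return 'QUORUM';
  return pendingAppeals > 0 ? 'HARD' : 'ABSOLUTE';
}

function levelAtLeast(level, required) {
  return LEVELS.indexOf(level) >= LEVELS.indexOf(required);
}

// What the table permits at each level: nothing below HARD, external but
// reversible effects at HARD, irreversible effects only at ABSOLUTE.
function allowedEffects(level) {
  if (levelAtLeast(level, 'ABSOLUTE')) return 'irreversible';
  if (levelAtLeast(level, 'HARD')) return 'reversible';
  return 'none';
}

// Guarded executor: runs effect.run() only when the level allows it,
// otherwise reports the refusal instead of throwing.
function tryExecute(effect, state, nowMs) {
  const level = finalityLevel(state, nowMs);
  const allowed = allowedEffects(level);
  if (allowed === 'none') return { ran: false, level };
  if (effect.irreversible && allowed !== 'irreversible') return { ran: false, level };
  effect.run();
  return { ran: true, level };
}

// Constructed walk-through of one event over time.
const T0 = 1_700_000_000_000;
const HARD_STATE = { votes: 5, threshold: 5, quorumReachedAt: T0, pendingAppeals: 1 };
console.log(finalityLevel(HARD_STATE, T0 + 1000));              // QUORUM
console.log(finalityLevel(HARD_STATE, T0 + DISPUTE_WINDOW_MS)); // HARD
```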
Event validation (per node)
- Ed25519 signature verification
- Admission gate check (rate limits, stake, quality — see S10)
- Rule engine evaluation (deterministic — see S11)
- State consistency check (no conflicts with accepted events)
- Sign accept/reject, broadcast
Signed time anchors
High-reputation nodes periodically broadcast signed timestamps. Other nodes use the median of recent anchors to detect clock drift. Proposals from nodes with >30s drift are deprioritized.
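The anchor-median drift check above, as an added example in JavaScript. It is not Colibri code (the status table below records no clock-drift detection in the source). The anchor shape, the reputation cutoff, the five-minute freshness window and the idea of measuring drift as the gap between a proposal's claimed timestamp and the anchor-derived network time are assumptions; the 30 s limit is the figure from the text. Anchors are assumed to have had their signatures verified on receipt, so the block concerns only the arithmetic. Low-reputation and stale anchors are filtered before the median is taken, which is what keeps one node with a wild clock from moving the estimate.

```javascript
// Added example; not part of the Colibri source. Anchor shape, reputation cutoff
// and freshness window are assumed; 30 s drift limit is from the spec text.

const MAX_DRIFT_MS = 30 * 1000;
const ANCHOR_WINDOW_MS = 5 * 60 * 1000; // only anchors received in the last 5 min (assumed)
const MIN_ANCHOR_REPUTATION = 0.8;     // "high-reputation" cutoff (assumed)

function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Each anchor carries the timestamp the broadcaster signed (ts) and when this
// node received it by its own clock (receivedAt). ts - receivedAt is the offset
// between the anchor's clock and ours; the median over fresh, trusted anchors is
// our estimate of how far our own clock is from network time.
function networkOffset(anchors, localNow) {
  const usable = anchors.filter(
    (a) => a.reputation >= MIN_ANCHOR_REPUTATION && localNow - a.receivedAt <= ANCHOR_WINDOW_MS,
  );
  if (usable.length === 0) return null; // nothing to measure against
  return median(usable.map((a) => a.ts - a.receivedAt));
}

// Drift of the proposer's clock: its claimed timestamp versus network time at
// the moment we received the proposal. Returns null when no anchors are usable.
function clockDrift(proposal, anchors, localNow) {
  const offset = networkOffset(anchors, localNow);
  if (offset === null) return null;
  const networkTimeAtReceipt = proposal.receivedAt + offset;
  return Math.abs(proposal.ts - networkTimeAtReceipt);
}

// Proposals from nodes drifting more than 30 s are deprioritized, not dropped.
function proposalPriority(proposal, anchors, localNow) {
  const drift = clockDrift(proposal, anchors, localNow);
  if (drift === null) return 'normal';
  return drift > MAX_DRIFT_MS ? 'deprioritized' : 'normal';
}

// Constructed sample: three good anchors (offsets +2 s, +3 s, +1 s), one from a
// low-reputation node with an absurd clock, and one that is too old to count.
const NOW = 1_700_000_000_000;
const ANCHORS = [
  { nodeId: 'a', reputation: 0.9, receivedAt: NOW - 60_000, ts: NOW - 60_000 + 2_000 },
  { nodeId: 'b', reputation: 0.95, receivedAt: NOW - 30_000, ts: NOW - 30_000 + 3_000 },
  { nodeId: 'c', reputation: 0.9, receivedAt: NOW - 10_000, ts: NOW - 10_000 + 1_000 },
  { nodeId: 'd', reputation: 0.2, receivedAt: NOW - 5_000, ts: NOW + 500_000 },      // ignored: low reputation
  { nodeId: 'e', reputation: 0.9, receivedAt: NOW - 1_000_000, ts: NOW - 910_000 },  // ignored: stale
];
const LATE_PROPOSAL = { proposer: 'p', receivedAt: NOW, ts: NOW + 2_000 + 45_000 }; // 45 s off
const OK_PROPOSAL = { proposer: 'q', receivedAt: NOW, ts: NOW + 2_000 + 5_000 };     // 5 s off

console.log(networkOffset(ANCHORS, NOW), proposalPriority(LATE_PROPOSAL, ANCHORS, NOW));
// 2000 'deprioritized'
```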
Implementation Status
Verified against source: 2026-04-06
| Claim | Status | Notes |
|---|---|---|
| BFT voting (n >= 3f+1) | Spec-only | No BFT, Byzantine, or quorum logic in source. |
| Quorum threshold (2n/3 + 1) | Spec-only | No quorum calculation found. |
| Equivocation detection | Spec-only | No equivocation or double-signing checks. |
| View change / leader rotation | Spec-only | No PBFT-style leader rotation. |
| Finality levels (PENDING through ABSOLUTE) | Spec-only | No finality state machine in source. |
| Ed25519 signature verification | Spec-only | Source uses HMAC for webhook signatures (claude/webhooks/signature.js), not Ed25519. No public-key cryptography. |
| Admission gate (S10) | Spec-only | Rate limiting exists (claude/resilience/) but not the admission gate described in spec. |
| Rule engine (S11) | Spec-only | No deterministic rule engine for event validation. |
| Signed time anchors | Spec-only | No clock-drift detection or signed timestamp broadcasting. |
This spec describes the P2P consensus layer, which is entirely a design-phase specification. The current Colibri source is a single-node MCP server with no multi-node or distributed components.