Kad preferences and routing snapshots still save in place

Summary

Kad still writes preferencesKad.dat and nodes.dat directly to the live paths. A partial write, disk error, sharing violation, or crash during these saves can truncate the current Kad identity/preferences or routing snapshot.

Current Main Evidence

  • srchybrid\kademlia\kademlia\Prefs.cpp opens preferencesKad.dat with CFile::modeWrite | CFile::modeCreate and writes directly to the live file.
  • srchybrid\kademlia\routing\RoutingZone.cpp opens nodes.dat with CFile::modeWrite | CFile::modeCreate, writes contacts, closes it, and then saves FastKad metadata.
  • RoutingZone.cpp already avoids overwriting a bootstrap-only nodes.dat with an empty one, but it does not make the actual save atomic once a save proceeds.

Risk

nodes.dat can be rebuilt over time, so this is less severe than losing download metadata. Still, corrupting Kad persistence hurts startup connectivity and can discard the local Kad identity/preferences. The sidecar metadata also needs a clear ordering rule so the route file and FastKad metadata do not drift after a partial save.

Broadband Fit

This is low-drift durability hardening that follows persistence patterns already accepted elsewhere in main.

Acceptance Criteria

  • [x] save Kad preferences to a temporary file and atomically promote it
  • [x] save nodes.dat through a temporary file and checked promotion path
  • [x] keep the existing bootstrap-empty guard
  • [x] define and document sidecar ordering for FastKad metadata relative to nodes.dat
  • [x] preserve the previous live file when promotion fails
  • [x] add targeted persistence tests that simulate failed write and failed promotion

Resolution

Done in app commit efb8871 and tests commit f31b890.

Kad preferences now save to preferencesKad.dat.new, validate the prepared candidate shape, and promote it through the shared long-path-safe atomic replacement seam. nodes.dat now saves to nodes.dat.new, validates the candidate with the existing inspector, and promotes it only after validation. The bootstrap-empty guard is preserved, and FastKad sidecar metadata is saved only after the nodes.dat promotion succeeds.
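
The save sequence described above (candidate file, validation, promotion, then sidecar), as an added example that is not the project's code. All function names are hypothetical, the validator callback stands in for the existing inspector, and std::rename with POSIX replace semantics stands in for the shared atomic replacement seam.

```cpp
#include <cstdio>
#include <fstream>
#include <functional>
#include <iterator>
#include <string>

// Added illustration; every name here is hypothetical, not an eMule identifier.
using Validator = std::function<bool(const std::string&)>;

static std::string ReadAll(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Write to "<live>.new", validate the candidate, then promote it over the live file.
// Any failure removes the candidate and leaves the previous live file untouched.
// Assumption: rename() atomically replaces an existing target (POSIX behaviour).
// flush() is not fsync(); surviving power loss needs an explicit sync as well.
bool SaveAtomically(const std::string& live, const std::string& data, const Validator& isValid) {
    const std::string candidate = live + ".new";
    {
        std::ofstream out(candidate, std::ios::binary | std::ios::trunc);
        out.write(data.data(), static_cast<std::streamsize>(data.size()));
        out.flush();
        if (!out) {                          // failed open or failed write
            std::remove(candidate.c_str());
            return false;
        }
    }                                        // candidate is closed before it is read back
    if (!isValid(ReadAll(candidate)) || std::rename(candidate.c_str(), live.c_str()) != 0) {
        std::remove(candidate.c_str());      // failed validation or failed promotion
        return false;
    }
    return true;
}

// Sidecar ordering: the metadata file is written only after the route file has been
// promoted, so a failed save never leaves new metadata beside an old route file.
bool SaveRoutingSnapshot(const std::string& nodes, const std::string& nodesData,
                         const std::string& sidecar, const std::string& sidecarData,
                         const Validator& isValid) {
    if (!SaveAtomically(nodes, nodesData, isValid))
        return false;
    return SaveAtomically(sidecar, sidecarData, [](const std::string&) { return true; });
}
```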