Context
The relay canary gate now prevents unverified MASQUE relay allocations from entering saorsa-core DHT self-record gossip. The core reachability driver clears unpublished relay state after canary rejection or insufficient witness coverage.
The MASQUE allocation itself has already been established at the transport layer before canaries run. For a fully airtight gate, saorsa-transport should expose APIs that let core either defer outbound relay advertisement until canary verification succeeds or explicitly tear down a rejected allocation.
Follow-up work
- Add a transport API for tearing down a specific proactive MASQUE relay allocation after canary rejection.
- Consider deferring outbound ADD_ADDRESS relay advertisement until core marks the relay as canary-verified.
- Ensure rejected allocations do not remain usable or advertised outside the sequenced DHT self-record path.
- Add integration coverage for rejected relay cleanup once the transport API exists.
Related PR
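A minimal sketch of the fail-closed gate this issue asks for, added here as an illustration and not code from saorsa-core or saorsa-transport. `RelayGate`, `CanaryOutcome`, the numeric allocation ids and every method name are hypothetical; the point is that both advertisement paths consult one check and any non-passing canary result queues the allocation for teardown.

```rust
// Added illustration. All names are hypothetical, not the saorsa-transport API.
use std::collections::HashMap;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RelayState { Pending, Verified }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CanaryOutcome { Passed, Rejected, InsufficientWitnesses }
#[derive(Default)]
pub struct RelayGate {
    allocations: HashMap<u64, RelayState>, // allocation id -> gate state
    teardown_queue: Vec<u64>,              // rejected ids awaiting transport teardown
}

impl RelayGate {
    /// The transport has established a MASQUE allocation; canaries have not run yet.
    pub fn on_allocated(&mut self, id: u64) {
        self.allocations.insert(id, RelayState::Pending);
    }

    /// Apply a canary result. Only `Passed` promotes; every other outcome drops
    /// the allocation and queues it for teardown. Unknown ids are ignored, so a
    /// late `Passed` cannot resurrect an allocation that was already rejected.
    pub fn on_canary(&mut self, id: u64, outcome: CanaryOutcome) {
        if !self.allocations.contains_key(&id) { return; }
        if outcome == CanaryOutcome::Passed {
            self.allocations.insert(id, RelayState::Verified);
        } else {
            self.allocations.remove(&id);
            self.teardown_queue.push(id);
        }
    }

    /// Fail-closed check meant to guard both the DHT self-record path and the
    /// outbound ADD_ADDRESS path: pending or unknown allocations never pass.
    pub fn may_advertise(&self, id: u64) -> bool {
        self.allocations.get(&id) == Some(&RelayState::Verified)
    }

    /// Ids the caller must hand to the transport for explicit teardown.
    pub fn drain_teardowns(&mut self) -> Vec<u64> {
        std::mem::take(&mut self.teardown_queue)
    }
}

fn main() {
    let mut gate = RelayGate::default();
    gate.on_allocated(7); // constructed allocation id
    gate.on_canary(7, CanaryOutcome::Rejected);
    println!("advertise={} teardown={:?}", gate.may_advertise(7), gate.drain_teardowns());
}
```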