# SEC-SLURP 1.1a – DHT Resilience Supplement

## Requirements (derived from `docs/Modules/DHT.md`)

1. **Real DHT state & persistence**
   - Replace mock DHT usage with libp2p-based storage or equivalent real implementation.
   - Store DHT/blockstore data on persistent volumes (named volumes/ZFS/NFS) with node placement constraints.
   - Ensure bootstrap nodes are stateful and survive container churn.
2. **Pin Steward + replication policy**
   - Introduce a Pin Steward service that tracks UCXL CID manifests and enforces replication factor (e.g. 3–5 replicas).
   - Re-announce providers on Pulse/Reverb and heal under-replicated content.
   - Schedule anti-entropy jobs to verify and repair replicas.
3. **Envelope encryption & shared key custody**
   - Implement envelope encryption (DEK+KEK) with threshold/organizational custody rather than per-role ownership.
   - Store KEK metadata with UCXL manifests; rotate via BACKBEAT.
   - Update crypto/key-manager stubs to real implementations once available.
4. **Shared UCXL Beacon index**
   - Maintain an authoritative CID registry (DR/UCXL) replicated outside individual agents.
   - Ensure metadata updates are durable and role-agnostic to prevent stranded CIDs.
5. **CI/SLO validation**
   - Add automated tests/health checks covering provider refresh, replication factor, and persistent-storage guarantees.
   - Gate releases on DHT resilience checks (provider TTLs, replica counts).

## Integration Path for SEC-SLURP 1.1

- Incorporate the above requirements as acceptance criteria alongside LevelDB persistence.
- Sequence work to: migrate DHT interactions, introduce Pin Steward, implement envelope crypto, and wire CI validation.
- Attach artifacts (Pin Steward design, envelope crypto spec, CI scripts) to the Phase 1 deliverable checklist.
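
One way the replica-count check in requirements 2, 4 and 5 could be expressed, as an added example that is not the project's own code. The `ProviderRecord` shape, the `Audit` name, the 24-hour TTL and the choice to ignore future-dated announcements are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// ProviderRecord is one provider announcement seen for a CID (assumed shape).
type ProviderRecord struct {
	CID, Node string
	Announced time.Time
}

// Audit returns, for every CID in the registry that has fewer than factor live
// replicas, how many replicas are missing. CIDs with no record at all are
// included, so stranded content fails the gate; an empty map means the gate passes.
func Audit(registry []string, recs []ProviderRecord, now time.Time, ttl time.Duration, factor int) map[string]int {
	live := make(map[string]map[string]bool, len(registry))
	for _, cid := range registry {
		live[cid] = map[string]bool{}
	}
	for _, r := range recs {
		nodes, tracked := live[r.CID]
		if !tracked || now.Sub(r.Announced) >= ttl || r.Announced.After(now) {
			continue // CID not in the registry, expired record, or future-dated timestamp
		}
		nodes[r.Node] = true // a node that re-announces still counts as one replica
	}
	short := map[string]int{}
	for cid, nodes := range live {
		if len(nodes) < factor {
			short[cid] = factor - len(nodes) // heal work list: replicas to add
		}
	}
	return short
}

func main() {
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample data
	recs := []ProviderRecord{
		{"cid-a", "n1", now.Add(-time.Hour)}, {"cid-a", "n2", now.Add(-2 * time.Hour)},
		{"cid-a", "n3", now.Add(-30 * time.Hour)}, {"cid-b", "n1", now.Add(-time.Minute)},
	}
	fmt.Println(Audit([]string{"cid-a", "cid-b", "cid-c"}, recs, now, 24*time.Hour, 3))
}
```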