feat: self-encryption, batched payments, and saorsa-core compatibility

Cargo.toml

@@ -32,12 +32,12 @@ path = "src/bin/saorsa-cli/main.rs"
 
 [dependencies]
 # Core (provides EVERYTHING: networking, DHT, security, trust, storage)
-saorsa-core = "0.14.1"
+saorsa-core = "0.17"
 saorsa-pqc = "0.5"
 
 # Payment verification - autonomi network lookup + EVM payment
 ant-evm = "0.1.19"
-evmlib = "0.4.7"
+evmlib = "0.4.9"
 xor_name = "5"
 libp2p = "0.56"  # For PeerId in payment proofs
 multihash = "0.19"  # For identity multihash in PeerId construction

docs/DESIGN.md

@@ -8,7 +8,7 @@ Build a **pure quantum-proof network node** (`saorsa-node`) that:
 3. Auto-migrates local ant-node data on startup
 4. Implements auto-upgrade with ML-DSA signature verification
 5. Supports dual IPv4/IPv6 DHT for maximum connectivity
-6. Features geographic routing, Sybil resistance, and EigenTrust
+6. Features geographic routing, Sybil resistance, and trust-based routing
 
 ## Architecture Philosophy
 
@@ -122,7 +122,7 @@ impl SaorsaNode {
 | Network Protocol | **Dual IPv4/IPv6 DHT** | Maximum connectivity and resilience |
 | Geographic Routing | **Enabled** | No datacenter concentration |
 | Sybil Resistance | **Required** | Prevent Sybil attacks |
-| Node Reputation | **EigenTrust** | Measure and remove bad nodes |
+| Node Reputation | **TrustEngine** | Measure and block bad nodes |
 | Auto-Upgrade | Phase 1 Critical | Essential for network transition |
 
 ---
@@ -170,7 +170,7 @@ saorsa-node/
 
 **REMOVED** (provided by saorsa-core):
 - `network/` - Use NetworkCoordinator + DualStackNetworkNode
-- `trust/` - Use EigenTrustEngine
+- `trust/` - Use TrustEngine
 - `storage/` - Use ContentStore
 - `replication/` - Use ReplicationManager
 
@@ -182,28 +182,26 @@ saorsa-node/
 
 ```rust
 use saorsa_core::{
-    adaptive::coordinator::NetworkCoordinator,
-    adaptive::security::SecurityManager,
-    adaptive::trust::EigenTrustEngine,
-    bootstrap::BootstrapManager,
-    dht::trust_weighted_kademlia::TrustWeightedKademlia,
-    messaging::NetworkConfig,
-    security::{IPv6NodeID, IPDiversityEnforcer},
+    P2PNode, NodeConfig, NodeMode,
+    adaptive::trust::TrustEngine,
+    adaptive::dht::AdaptiveDhtConfig,
+    BootstrapConfig, BootstrapManager,
+    IPDiversityConfig,
+    identity::peer_id::PeerId,
 };
 
 pub struct RunningNode {
     shutdown_sender: watch::Sender<bool>,
     // USE SAORSA-CORE DIRECTLY - NO REIMPLEMENTATION!
-    coordinator: Arc<NetworkCoordinator>,  // Integrates ALL components
-    security: Arc<SecurityManager>,         // Rate limiting, blacklist, eclipse detection
+    node: Arc<P2PNode>,                     // Integrates ALL components
     bootstrap: Arc<BootstrapManager>,       // 30,000 peer cache
     // Events
     node_events_channel: NodeEventsChannel,
     root_dir_path: PathBuf,
 }
 
 pub struct NodeBuilder {
-    network_config: NetworkConfig,          // saorsa-core's config
+    node_config: NodeConfig,                // saorsa-core's config
     identity: saorsa_core::identity::NodeIdentity,
     root_dir: PathBuf,
     auto_migrate_ant_data: bool,
@@ -274,22 +272,19 @@ pub struct IPv6NodeID {
 **File:** `saorsa-core/src/adaptive/trust.rs` (825 lines)
 
 ```rust
-// Just use saorsa-core's EigenTrust++ engine!
-use saorsa_core::adaptive::trust::EigenTrustEngine;
+// Just use saorsa-core's TrustEngine (formerly EigenTrust++)!
+use saorsa_core::TrustEngine;
 
 // Multi-factor trust scoring ALREADY IMPLEMENTED:
-// - 40% response_rate (correct/total responses)
-// - 20% uptime_estimate
-// - 15% storage_contributed
-// - 15% bandwidth_contributed
-// - 10% compute_contributed
-// + Time decay (0.99 per hour)
-// + Pre-trusted node bootstrap (0.9 initial)
-// + Background computation every 5 minutes
-
-let engine = EigenTrustEngine::new(pre_trusted_nodes);
-engine.update_local_trust(from, to, success).await;
-let score = engine.get_trust_async(node_id).await;
+// - Response rate tracking
+// - Connection success/failure monitoring
+// - Time decay
+// - Pre-trusted node bootstrap
+// - Background computation
+
+// Trust is accessed via P2PNode:
+let score = node.peer_trust(&peer_id);
+node.report_trust_event(&peer_id, TrustEvent::SuccessfulResponse);
 ```
 
 #### 5. Geographic Routing - ALREADY IN SAORSA-CORE!
@@ -306,44 +301,31 @@ use saorsa_core::dht::geographic_routing::{GeographicRegion, LatencyAwareSelecti
 // ASN diversity enforcement
 ```
 
-#### 6. Security Manager - ALREADY IN SAORSA-CORE!
-
-**File:** `saorsa-core/src/adaptive/security.rs` (1,326 lines)
+#### 6. Security - ALREADY IN SAORSA-CORE!
 
 ```rust
-// Comprehensive security - just configure and use!
-use saorsa_core::adaptive::security::{SecurityManager, SecurityConfig};
-
-let security = SecurityManager::new(config, identity);
-
-// ALREADY IMPLEMENTED:
-// - Rate limiting: 100 req/min per node, 500/min per IP
-// - Join rate: 20 new nodes/hour
-// - Blacklist with 24-hour TTL
-// - Eclipse attack detection via diversity scoring
-// - Message integrity verification (ML-DSA)
-// - Full audit logging with 30-day retention
+// IP diversity enforcement for Sybil resistance
+use saorsa_core::IPDiversityConfig;
+
+// Multi-layer subnet enforcement ALREADY IMPLEMENTED:
+// - Per-subnet limits (/64, /48, /32)
+// - ASN diversity
+// - Configurable via IPDiversityConfig::permissive() / ::testnet()
+
+// Rate limiting and trust-based blocking handled by AdaptiveDHT
 ```
 
-#### 7. NetworkCoordinator - INTEGRATES EVERYTHING!
+#### 7. P2PNode - INTEGRATES EVERYTHING!
 
-**File:** `saorsa-core/src/adaptive/coordinator.rs`
+**File:** `saorsa-core/src/network.rs`
 
 ```rust
-// The coordinator brings ALL components together
-pub struct NetworkCoordinator {
-    identity: Arc<NodeIdentity>,
-    transport: Arc<TransportManager>,
-    dht: Arc<AdaptiveDHT>,                    // Trust-weighted Kademlia
-    router: Arc<AdaptiveRouter>,              // Geographic + trust routing
-    trust_engine: Arc<EigenTrustEngine>,      // EigenTrust++
-    gossip: Arc<AdaptiveGossipSub>,           // Pub/sub messaging
-    storage: Arc<ContentStore>,               // DHT storage
-    replication: Arc<ReplicationManager>,     // k=8 replication
-    churn_handler: Arc<ChurnHandler>,         // Node churn handling
-    security: Arc<SecurityManager>,           // All security features
-    // + ML optimization components
-}
+// P2PNode brings ALL components together
+// Access trust via:
+node.trust_engine()      // Arc<TrustEngine>
+node.adaptive_dht()      // &AdaptiveDHT
+node.peer_trust(&peer)   // Quick trust score lookup
+node.report_trust_event(&peer, event)  // Report trust signals
 ```
 
 #### 8. What saorsa-node ACTUALLY Needs to Build
@@ -368,7 +350,7 @@ pub struct AntDataMigrator {
 
 /// Node lifecycle and CLI (wrapper around saorsa-core)
 pub struct NodeLifecycle {
-    coordinator: Arc<NetworkCoordinator>,
+    node: Arc<P2PNode>,
     upgrade_monitor: UpgradeMonitor,
     migrator: Option<AntDataMigrator>,
 }
@@ -381,11 +363,10 @@ pub struct NodeLifecycle {
 **KEY INSIGHT**: saorsa-core already provides:
 - Dual IPv4/IPv6 with DualStackNetworkNode and Happy Eyeballs
 - Sybil Resistance with IPv6NodeID and IPDiversityEnforcer
-- EigenTrust++ with full trust engine
+- TrustEngine with trust scoring and blocking
 - Geographic Routing with 7 regions and latency-aware selection
-- Security Manager with rate limiting, blacklist, eclipse detection
-- NetworkCoordinator that integrates everything
-- Storage and replication via ContentStore and ReplicationManager
+- IP diversity enforcement for Sybil resistance
+- P2PNode that integrates everything
 
 **saorsa-node only needs to build**:
 1. Auto-upgrade system (Phase 1 Critical)
@@ -476,7 +457,7 @@ pub struct NodeLifecycle {
 ### 5. Network Hardening
 - **Geographic routing**: No datacenter concentration in close groups
 - **Sybil resistance**: Join rate limiting, node age, resource verification
-- **EigenTrust**: Node reputation and automatic bad node removal
+- **TrustEngine**: Node reputation and automatic bad node blocking
 - **Rationale**: Production-grade security
 
 ### 6. Migration Strategy: Client-as-Bridge + Node Auto-Migration

src/bin/saorsa-cli/cli.rs

@@ -21,6 +21,10 @@ pub struct Cli {
     #[arg(long, default_value_t = 60)]
     pub timeout_secs: u64,
 
+    /// Allow loopback connections (required for devnet/local testing).
+    #[arg(long)]
+    pub allow_loopback: bool,
+
     /// Log level.
     #[arg(long, default_value = "info")]
     pub log_level: String,

src/bin/saorsa-cli/main.rs

@@ -60,7 +60,7 @@ async fn main() -> color_eyre::Result<()> {
     }
 
     let (bootstrap, manifest) = resolve_bootstrap(&cli)?;
-    let node = create_client_node(bootstrap).await?;
+    let node = create_client_node(bootstrap, cli.allow_loopback).await?;
 
     // Build client with timeout
     let mut client = QuantumClient::new(QuantumConfig {
@@ -309,9 +309,14 @@ fn resolve_evm_network(
 
 fn resolve_bootstrap(
     cli: &Cli,
-) -> color_eyre::Result<(Vec<std::net::SocketAddr>, Option<DevnetManifest>)> {
+) -> color_eyre::Result<(Vec<saorsa_core::MultiAddr>, Option<DevnetManifest>)> {
     if !cli.bootstrap.is_empty() {
-        return Ok((cli.bootstrap.clone(), None));
+        let addrs = cli
+            .bootstrap
+            .iter()
+            .map(|addr| saorsa_core::MultiAddr::quic(*addr))
+            .collect();
+        return Ok((addrs, None));
     }
 
     if let Some(ref manifest_path) = cli.devnet_manifest {
@@ -326,17 +331,17 @@ fn resolve_bootstrap(
     ))
 }
 
-async fn create_client_node(bootstrap: Vec<std::net::SocketAddr>) -> Result<Arc<P2PNode>, Error> {
-    let mut core_config = saorsa_core::NodeConfig::new()
+async fn create_client_node(
+    bootstrap: Vec<saorsa_core::MultiAddr>,
+    allow_loopback: bool,
+) -> Result<Arc<P2PNode>, Error> {
+    let mut core_config = saorsa_core::NodeConfig::builder()
+        .local(allow_loopback)
+        .max_message_size(MAX_WIRE_MESSAGE_SIZE)
+        .mode(saorsa_core::NodeMode::Client)
+        .build()
         .map_err(|e| Error::Config(format!("Failed to create core config: {e}")))?;
-    core_config.listen_addr = "0.0.0.0:0"
-        .parse()
-        .map_err(|e| Error::Config(format!("Invalid listen addr: {e}")))?;
-    core_config.listen_addrs = vec![core_config.listen_addr];
-    core_config.enable_ipv6 = false;
     core_config.bootstrap_peers = bootstrap;
-    core_config.max_message_size = Some(MAX_WIRE_MESSAGE_SIZE);
-    core_config.mode = saorsa_core::NodeMode::Client;
 
     let node = P2PNode::new(core_config)
         .await

src/client/mod.rs

@@ -62,4 +62,6 @@ pub use chunk_protocol::send_and_await_chunk_response;
 pub use data_types::{
     compute_address, peer_id_to_xor_name, xor_distance, ChunkStats, DataChunk, XorName,
 };
-pub use quantum::{hex_node_id_to_encoded_peer_id, QuantumClient, QuantumConfig};
+pub use quantum::{
+    hex_node_id_to_encoded_peer_id, PaidChunk, PreparedChunk, QuantumClient, QuantumConfig,
+};