feat(battle-node): bound InboundTracker with watermark-guarded sliding window

Audit Md11 (part 1 of 2). Replace unbounded HashSet<long> _seen with a WindowSize=256 ring (HashSet + Queue, LRU eviction). The stale-below-window guard (pubSeq <= HighWaterMark - WindowSize) prevents window eviction from re-admitting old seqs as novel — the load-bearing invariant. pubSeq is client-monotonic and SIO retransmit horizons are seconds-scale, so 256 covers realistic retries by a wide margin. HighWaterMark semantics preserved (Gungnir still reports it). Tests: 5 new InboundTrackerTests covering below-window guard, evicted-seq rejection, within-window dedup after eviction, memory bound, and watermark monotonicity. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 13:06:08 -04:00
parent 898b872edd
commit 3991bcc653
2 changed files with 116 additions and 4 deletions
--- a/SVSim.BattleNode/Reliability/InboundTracker.cs
+++ b/SVSim.BattleNode/Reliability/InboundTracker.cs
@@ -4,17 +4,54 @@ namespace SVSim.BattleNode.Reliability;
 /// Per-session inbound-emit ledger. Dedupes the client's pubSeq so we never dispatch
 /// a retransmitted emit twice; ack-echo (via SIO callback) is the caller's job.
 /// </summary>
+/// <remarks>
+/// State is bounded: the ledger keeps the most recent <see cref="WindowSize"/>
+/// pubSeqs in an LRU ring. Seqs below <c>HighWaterMark - WindowSize</c> are
+/// treated as stale-below-window and rejected without recording — this is what
+/// prevents window eviction from re-admitting an old seq as novel. The pubSeq is
+/// client-assigned monotonically; the bound is sized well above the realistic
+/// Socket.IO retransmit horizon, so legitimate retransmits always fall inside.
+/// </remarks>
 public sealed class InboundTracker
 {
-    private readonly HashSet<long> _seen = new();
+    /// <summary>Sliding-window size. Anything below <c>HighWaterMark - WindowSize</c> is dropped.</summary>
+    public const int WindowSize = 256;
+
+    private readonly HashSet<long> _seen = new(WindowSize);
+    private readonly Queue<long> _order = new(WindowSize);

    /// <summary>Highest pubSeq observed so far. Reported via Gungnir for diagnostics.</summary>
    public long HighWaterMark { get; private set; }

-    /// <summary>Record an incoming pubSeq. Returns true if the caller should dispatch the envelope, false on duplicate.</summary>
+    /// <summary>Record an incoming pubSeq. Returns true if the caller should dispatch the envelope, false on duplicate or stale-below-window.</summary>
    public bool Observe(long pubSeq)
    {
-        if (pubSeq > HighWaterMark) HighWaterMark = pubSeq;
-        return _seen.Add(pubSeq);
+        // Stale-below-window guard. Required AFTER HighWaterMark is past the window,
+        // otherwise an evicted ring entry would re-admit as novel.
+        if (HighWaterMark > 0 && pubSeq <= HighWaterMark - WindowSize)
+            return false;
+
+        if (pubSeq > HighWaterMark)
+        {
+            HighWaterMark = pubSeq;
+            Record(pubSeq);
+            return true;
+        }
+
+        if (_seen.Contains(pubSeq))
+            return false;
+        Record(pubSeq);
+        return true;
+    }
+
+    private void Record(long pubSeq)
+    {
+        if (_order.Count >= WindowSize)
+        {
+            var evicted = _order.Dequeue();
+            _seen.Remove(evicted);
+        }
+        _order.Enqueue(pubSeq);
+        _seen.Add(pubSeq);
    }
 }