# Physical Safety & Network Fault Tolerance

> **Feature Flag**: Requires `safety-critical` (forwarded from `bauxite`'s `predictive-safety` tier).

Bauxite Mesh provides mechanisms to detect network degradation and respond deterministically. These features are gated behind the `safety-critical` feature flag and implemented in `dataplane.rs` and `jamming.rs`.

## Active-Active Packet Duplication

For mission-critical control traffic, Bauxite can duplicate critical packets so the receiver processes the first arrival from any path.

- **Packet Duplication**: Under `safety-critical`, the dataplane scheduler (`dataplane.rs:140`) clones each critical-priority packet and pushes two copies into the outbound batch.
- **Sequence ID Assignment**: Each packet is stamped with a monotonically increasing `sequence_id` via `ctx.next_seq.fetch_add(1, Ordering::SeqCst)`.
- **Receiver Deduplication**: The receiving node (`ice.rs:892`) reads the first 8 bytes of the decrypted payload as a `u64` sequence ID, checks it against a 64-bit sliding window bitmask to track received sequences (allowing out-of-order delivery while dropping duplicates), and strips the 8-byte header before internal processing.
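The sender-side stamping and the receiver's 64-bit sliding window, written out as an added illustration rather than Bauxite's own code. The `SeqStamper` and `ReplayWindow` names, the big-endian encoding of the 8-byte header, and the rule that a sequence ID older than the window is dropped are assumptions not stated above; what the example shows is why a window (not just "last seen ID") is needed to accept late second-path arrivals while still dropping the duplicate copy and anything replayed from before the window.

```rust
use std::sync::atomic::{AtomicU64, Ordering};

/// Width of the receive window in sequence numbers (one bit per sequence).
const WINDOW_BITS: u64 = 64;

/// Sender side (hypothetical name): hands out monotonically increasing
/// sequence IDs and prepends them to the payload, as the dataplane does
/// for critical-priority packets.
pub struct SeqStamper {
    next_seq: AtomicU64,
}

impl SeqStamper {
    pub fn new() -> Self {
        Self { next_seq: AtomicU64::new(0) }
    }

    /// Wire form: 8-byte sequence ID (big-endian assumed) followed by payload.
    pub fn stamp(&self, payload: &[u8]) -> Vec<u8> {
        let seq = self.next_seq.fetch_add(1, Ordering::SeqCst);
        let mut out = Vec::with_capacity(8 + payload.len());
        out.extend_from_slice(&seq.to_be_bytes());
        out.extend_from_slice(payload);
        out
    }
}

/// Receiver side (hypothetical name): 64-bit sliding window bitmask.
#[derive(Default)]
pub struct ReplayWindow {
    highest: u64, // highest sequence ID accepted so far
    bitmap: u64,  // bit i set => sequence (highest - i) was already delivered
    primed: bool, // false until the first packet has been accepted
}

impl ReplayWindow {
    /// Accept `seq` if it is new and inside the window; false for duplicates
    /// and for IDs too old to track (assumed policy: drop them).
    pub fn accept(&mut self, seq: u64) -> bool {
        if !self.primed {
            self.primed = true;
            self.highest = seq;
            self.bitmap = 1;
            return true;
        }
        if seq > self.highest {
            // Slide the window forward; bits shifted past the left edge are forgotten.
            let shift = seq - self.highest;
            self.bitmap = if shift >= WINDOW_BITS { 0 } else { self.bitmap << shift };
            self.bitmap |= 1;
            self.highest = seq;
            return true;
        }
        let age = self.highest - seq;
        if age >= WINDOW_BITS {
            return false; // older than the window: cannot prove it is new
        }
        let mask = 1u64 << age;
        if self.bitmap & mask != 0 {
            return false; // duplicate copy from the other path
        }
        self.bitmap |= mask; // late but first-seen: accept out of order
        true
    }

    /// Parse the header, apply the window, and return the stripped payload,
    /// or None when the packet is malformed or a duplicate.
    pub fn filter<'a>(&mut self, wire: &'a [u8]) -> Option<&'a [u8]> {
        if wire.len() < 8 {
            return None;
        }
        let mut hdr = [0u8; 8];
        hdr.copy_from_slice(&wire[..8]);
        let seq = u64::from_be_bytes(hdr);
        if self.accept(seq) { Some(&wire[8..]) } else { None }
    }
}

fn main() {
    // Constructed traffic: two copies of each packet, arriving out of order.
    let stamper = SeqStamper::new();
    let pkts: Vec<Vec<u8>> = (0..3).map(|i| stamper.stamp(format!("cmd{i}").as_bytes())).collect();
    let mut window = ReplayWindow::default();
    for p in [&pkts[0], &pkts[2], &pkts[1], &pkts[1], &pkts[2]] {
        println!("{:?}", window.filter(p).map(|b| String::from_utf8_lossy(b).into_owned()));
    }
}
```

The bitmap is the whole state: a 64-entry window costs one `u64` per peer, which is why this shape is also the standard anti-replay construction in IPsec and WireGuard.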

## Predictive Degradation Warning

The safety monitor (`spawn_safety_monitor` in `dataplane.rs:48`) runs at 5ms intervals, polling the `CongestionStrategy` for RTT and drop-rate metrics.

- **Degradation Warning**: If RTT exceeds **30ms** (`rtt_us > 30_000`), the monitor emits `SafetyNotification::DegradationWarning` via the `safety_tx` channel.
- **Jamming Sidecar**: A separate gRPC service (`jamming.rs`) polls `CongestionStrategy` at 50ms intervals and yields `JammingStateResponse` with threat-level classifications to subscribers. Its thresholds are:

| Threat Level | Condition (`rtt_ms` in milliseconds, `drop_rate` in %) | Description |
|---|---|---|
| **NONE** | `rtt_ms <= 5` | Normal |
| **LOW** | `rtt_ms > 5` | Minor latency increase |
| **MODERATE** | `rtt_ms > 15` or `drop_rate > 20` | Noticeable degradation |
| **HIGH** | `rtt_ms > 30` or `drop_rate > 50` | Significant degradation |
| **CRITICAL** | `rtt_ms > 50` and `drop_rate >= 90` | Link considered dead |

## Safety Severance (The Kill-Switch)

If network conditions collapse beyond safe operation, Bauxite severs all active tunnels.

- **Threshold**: RTT exceeds **50ms** AND the packet drop rate reaches or exceeds **90%** (`rtt_us > 50_000 && drop_rate >= 90` in `dataplane.rs:68`).
- **Tunnel Collapse**: The monitor emits `SafetyNotification::SafetySeverance`, then iterates all agents in `ice_agents` and calls `agent.close().await` on each, tearing down P2P tunnels.
- **Downstream Effect**: The sudden loss of connectivity is the signal for external systems (e.g., ROS 2 Nav2, custom watchdogs) to trigger their own safety behaviors — Bauxite does not control downstream robot hardware.
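The jamming-sidecar table and the safety monitor's two thresholds, carried through as one added example (not Bauxite's own code). The enum and struct names are placeholders, `drop_rate` is taken to be a percentage, and since the table's rows overlap (an RTT of 35ms satisfies the LOW, MODERATE and HIGH rows at once) the classifier assumes the most severe matching row wins. The simulated loop makes one property of the kill-switch visible: a link at 95% loss but 20ms RTT is reported as HIGH, yet never severed, because severance requires both conditions.

```rust
/// Threat levels reported by the jamming sidecar (placeholder names).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum ThreatLevel { None, Low, Moderate, High, Critical }

/// Notifications emitted by the safety monitor over `safety_tx`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SafetyNotification { DegradationWarning, SafetySeverance }

/// One sample as the monitor would read it from the congestion strategy.
#[derive(Debug, Clone, Copy)]
pub struct LinkMetrics {
    pub rtt_us: u64,   // round-trip time in microseconds
    pub drop_rate: u8, // drop rate in percent, 0..=100 (assumed unit)
}

/// Sidecar classification: rows overlap, so evaluate from most severe down.
pub fn classify(m: LinkMetrics) -> ThreatLevel {
    let rtt_ms = m.rtt_us / 1_000;
    let drop = m.drop_rate as u64;
    if rtt_ms > 50 && drop >= 90 {
        ThreatLevel::Critical
    } else if rtt_ms > 30 || drop > 50 {
        ThreatLevel::High
    } else if rtt_ms > 15 || drop > 20 {
        ThreatLevel::Moderate
    } else if rtt_ms > 5 {
        ThreatLevel::Low
    } else {
        ThreatLevel::None
    }
}

/// One 5ms tick of the safety monitor: the notification it would emit, if any.
pub fn evaluate(m: LinkMetrics) -> Option<SafetyNotification> {
    if m.rtt_us > 50_000 && m.drop_rate >= 90 {
        Some(SafetyNotification::SafetySeverance)
    } else if m.rtt_us > 30_000 {
        Some(SafetyNotification::DegradationWarning)
    } else {
        None
    }
}

/// Drive the monitor over a constructed sample sequence. Returns the tick at
/// which severance fired (the loop stops there, as the tunnels are gone) and
/// every notification emitted up to that point.
pub fn run_monitor(samples: &[LinkMetrics]) -> (Option<usize>, Vec<SafetyNotification>) {
    let mut seen = Vec::new();
    for (tick, m) in samples.iter().enumerate() {
        if let Some(n) = evaluate(*m) {
            seen.push(n);
            if n == SafetyNotification::SafetySeverance {
                // In the dataplane this is where each ICE agent is closed.
                return (Some(tick), seen);
            }
        }
    }
    (None, seen)
}

fn main() {
    // Constructed samples: healthy, slow, lossy-but-fast, dead, healthy.
    let samples = [
        LinkMetrics { rtt_us: 4_000, drop_rate: 0 },
        LinkMetrics { rtt_us: 35_000, drop_rate: 10 },
        LinkMetrics { rtt_us: 20_000, drop_rate: 95 },
        LinkMetrics { rtt_us: 60_000, drop_rate: 95 },
        LinkMetrics { rtt_us: 4_000, drop_rate: 0 },
    ];
    for m in &samples {
        println!("{:?} -> {:?} / {:?}", m, classify(*m), evaluate(*m));
    }
    println!("{:?}", run_monitor(&samples));
}
```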

## IPC Bypass Watchdog (eBPF)

> **Feature Flag**: Requires `ipc-bypass` on `bauxite-conduit` (via `bauxite`).

When eBPF IPC bypass is active, `IpcBypassService` runs a watchdog loop to manage the shared memory pool.

- **Watchdog Interval**: Defaults to **250ms** (`watchdog_interval_ms` in `IpcBypassServiceConfig`).
- **Utilization Guard**: When active slot utilization exceeds the guard threshold (default: **90%**), the watchdog reclaims expired slots from the pool.
- **Slot Consumer**: A separate task polls the SHM pool at 10ms intervals and dispatches redirected packets to the TUN writer for dataplane scheduling.
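The utilization guard, as an added illustration that is not the `IpcBypassService` code itself. The pool is a plain `Vec` standing in for the shared-memory region, slot expiry is modelled as a per-slot deadline, and the field names in `WatchdogConfig` are placeholders; the documented defaults (250ms interval, 90% guard) are kept. The point it makes is that the guard is a gate, not a target: at exactly 90% nothing is reclaimed, and above it only slots whose deadline has passed are returned to the pool, so a packet still in flight in a live slot is never overwritten.

```rust
use std::time::{Duration, Instant};

/// Watchdog settings with the documented defaults (field names assumed).
pub struct WatchdogConfig {
    pub watchdog_interval: Duration, // 250ms default
    pub guard_threshold_pct: u8,     // reclaim only when utilization is above this
}

impl Default for WatchdogConfig {
    fn default() -> Self {
        Self { watchdog_interval: Duration::from_millis(250), guard_threshold_pct: 90 }
    }
}

#[derive(Clone, Copy)]
struct Slot {
    in_use: bool,
    deadline: Option<Instant>, // when an in-use slot counts as expired
}

/// Fixed-size slot pool; a Vec stands in for the shared-memory region here.
pub struct SlotPool {
    slots: Vec<Slot>,
    slot_ttl: Duration,
}

impl SlotPool {
    pub fn new(capacity: usize, slot_ttl: Duration) -> Self {
        Self { slots: vec![Slot { in_use: false, deadline: None }; capacity], slot_ttl }
    }

    /// Take the first free slot, stamping its expiry from `now`.
    pub fn acquire(&mut self, now: Instant) -> Option<usize> {
        let idx = self.slots.iter().position(|s| !s.in_use)?;
        self.slots[idx] = Slot { in_use: true, deadline: Some(now + self.slot_ttl) };
        Some(idx)
    }

    /// Normal release by the consumer after the packet has been handed to the TUN writer.
    pub fn release(&mut self, idx: usize) {
        if let Some(s) = self.slots.get_mut(idx) {
            *s = Slot { in_use: false, deadline: None };
        }
    }

    /// Integer percent of slots in use (avoids float comparison at the guard).
    pub fn utilization_pct(&self) -> u8 {
        let used = self.slots.iter().filter(|s| s.in_use).count();
        (used * 100 / self.slots.len()) as u8
    }

    /// One watchdog tick: reclaim expired slots only when utilization exceeds
    /// the guard. Returns how many slots were reclaimed.
    pub fn watchdog_tick(&mut self, cfg: &WatchdogConfig, now: Instant) -> usize {
        if self.utilization_pct() <= cfg.guard_threshold_pct {
            return 0;
        }
        let mut reclaimed = 0;
        for s in self.slots.iter_mut() {
            if s.in_use && s.deadline.map_or(false, |d| d <= now) {
                *s = Slot { in_use: false, deadline: None };
                reclaimed += 1;
            }
        }
        reclaimed
    }
}

fn main() {
    let cfg = WatchdogConfig::default();
    let t0 = Instant::now();
    let mut pool = SlotPool::new(10, Duration::from_millis(100));
    for _ in 0..10 {
        pool.acquire(t0);
    }
    // Constructed timeline: every slot is past its deadline at t0 + 500ms.
    let reclaimed = pool.watchdog_tick(&cfg, t0 + Duration::from_millis(500));
    println!("interval {:?}, reclaimed {reclaimed}, now at {}%", cfg.watchdog_interval, pool.utilization_pct());
}
```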

## Congestion Intelligence

Bauxite uses a `CongestionStrategy` trait to adapt outbound scheduling based on network conditions.

- **Congestion Detection**: The `is_congested()` method defaults to `rtt_ewma_us > 50_000` (50ms). When congested, the bulk lane's burst limit is reduced via `base_low_burst()`.
- **Intent-Based Throttling**: The `IntentState` can impose explicit kbps limits on the bulk lane via the Intent API (`get_active_throttle()`), overriding the congestion controller's defaults.
- **Bulk Elevation**: Under high-priority FEC levels ("absolute" or "aggressive" via Intent API), bulk packets are elevated to the telemetry lane to guarantee delivery.
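The three rules above combined into one bulk-lane scheduling decision, as an added example that is not Bauxite's `CongestionStrategy` implementation. `is_congested` carries the documented default; everything else (the `EwmaStrategy` with a 1/8 smoothing factor, the `base_burst` name, the `IntentState` fields, the `Lane`/`BulkLimit` types, and the reading that an explicit kbps throttle replaces the burst reduction rather than stacking with it) is assumed for illustration.

```rust
/// Outbound lanes in the scheduler (names assumed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Lane { Bulk, Telemetry }

/// Congestion strategy trait with the documented default for `is_congested`.
pub trait CongestionStrategy {
    fn rtt_ewma_us(&self) -> u64;
    fn base_low_burst(&self) -> u32; // burst limit applied while congested
    fn base_burst(&self) -> u32;     // uncongested burst limit (assumed name)
    fn is_congested(&self) -> bool { self.rtt_ewma_us() > 50_000 }
}

/// Illustrative strategy: integer EWMA of RTT samples with alpha = 1/8.
pub struct EwmaStrategy { ewma_us: u64, seeded: bool }

impl EwmaStrategy {
    pub fn new() -> Self { Self { ewma_us: 0, seeded: false } }
    pub fn observe_rtt(&mut self, sample_us: u64) {
        if !self.seeded {
            self.ewma_us = sample_us; // first sample seeds the average
            self.seeded = true;
        } else {
            self.ewma_us = self.ewma_us - self.ewma_us / 8 + sample_us / 8;
        }
    }
}

impl CongestionStrategy for EwmaStrategy {
    fn rtt_ewma_us(&self) -> u64 { self.ewma_us }
    fn base_low_burst(&self) -> u32 { 4 }
    fn base_burst(&self) -> u32 { 32 }
}

/// The part of Intent API state that affects bulk scheduling (fields assumed).
#[derive(Default)]
pub struct IntentState {
    pub throttle_kbps: Option<u32>,
    pub fec_level: Option<String>,
}

impl IntentState {
    pub fn get_active_throttle(&self) -> Option<u32> { self.throttle_kbps }
    pub fn fec_level(&self) -> Option<&str> { self.fec_level.as_deref() }
}

/// What constrains the bulk lane this scheduling round.
#[derive(Debug, PartialEq, Eq)]
pub enum BulkLimit { Kbps(u32), Burst(u32) }

#[derive(Debug, PartialEq, Eq)]
pub struct BulkDecision { pub lane: Lane, pub limit: BulkLimit }

pub fn schedule_bulk(strategy: &dyn CongestionStrategy, intent: &IntentState) -> BulkDecision {
    // Bulk elevation: high-priority FEC levels move bulk into the telemetry lane.
    let lane = match intent.fec_level() {
        Some("absolute") | Some("aggressive") => Lane::Telemetry,
        _ => Lane::Bulk,
    };
    // Intent-based throttling overrides the congestion controller's burst choice.
    let limit = match intent.get_active_throttle() {
        Some(kbps) => BulkLimit::Kbps(kbps),
        None if strategy.is_congested() => BulkLimit::Burst(strategy.base_low_burst()),
        None => BulkLimit::Burst(strategy.base_burst()),
    };
    BulkDecision { lane, limit }
}

fn main() {
    let mut s = EwmaStrategy::new();
    // Constructed RTT samples: 10ms, then a run of 100ms samples.
    s.observe_rtt(10_000);
    for _ in 0..5 { s.observe_rtt(100_000); }
    let intent = IntentState { throttle_kbps: None, fec_level: Some("aggressive".into()) };
    println!("ewma {}us congested={} -> {:?}", s.rtt_ewma_us(), s.is_congested(), schedule_bulk(&s, &intent));
}
```

Because `is_congested` reads a smoothed RTT, the bulk lane reacts to a sustained rise, not to a single slow sample; in the constructed run it takes five consecutive 100ms samples for the EWMA to cross 50ms.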