is message kind for diagnostic purposes?

at time t_i, avoid making any real GET requests (i.e. dummy GET requests are OK) using the relays
whose hash is lexicographically smallest not just at time t_i, but at times t_{i-2}..t_{i+2} or at least
t_{i-1}..t_{i+1}
they should always use a different relay for the post and the get, avoiding the worst case leak

k=3 and skew=2 are fixed at the upper end of #919 (comment)

with 3-5 public OHTTP relays, the reservation budget (up to 15 buckets) can swallow the whole pool, so POLL falls back (286-289) to POST-reserved buckets, silently violating the spec when poll_candidates is empty (small pool)

picking k and skew based on pool size (k=2/skew=1 when small) would reduce reserved bucket to 6 and avoid the fallback for B ≥ 7, while keeping max protection when B ≥ 16. The remaining edge case (B ≤ 6) would still hit the warn!, possibly worth surfacing to the caller, maybe with a typed error

makes sense?

Yeah, that makes sense. Fixed k=3 / skew=2 is good for larger pools but too aggressive for small relay sets since it can reserve every bucket.

would be good to add tests for the deterministic selection

selection_hash stability (interop), deterministic ordering per (pubkey, RequestKind, TimeWindow), POLL/POST exclusion, and round-robin fairness

Yeah was trying to keep PR small and only keep essential so it can be easier to review and get approach ack with the smaller PR's test should be added

btw, relays.shuffle seems inert as ordered_candidates reorders everything afterwards

leftover of the old shuffle?

Yep, good catch. This looks like leftover behavior from the old random relay ordering. Since request-time selection now goes through ordered_candidates, the initial relays.shuffle does not affect POST/POLL ordering. I’ll remove it.

would be good to know what the team think about adding this dep to parse the binary, especially if we are moving to the payjoin crate

is it a good idea or would it be better to have our own parser? #1452 (comment)

I did check out the library also saw a contibutor to asmap bitcoin core library give it a star but more eyes on the library would be nice

a configured, per-integration asmap file is a client fingerprint two ways: (1) only some integrations load one, so the AS-aware ones stand out (uses-it-or-not), and (2) selection is deterministic from the asmap, so even those that do load one diverge unless they're on the exact same snapshot.

could the lib ship one bundled snapshot per version instead, so every integration on a given version has the same file with nothing to fetch?

it's ~1.5 MB, and asmap-data updates ~monthly (irregular, gaps up to ~2 months), but relay ASNs are stable so across versions keeping everyone consistent

https://github.com/bitcoin-core/asmap-data

wdyt?

No answer for this yet , this might require more discussion will get back to you

Given a list of trusted directories and relays, these lists should be filtered to exclude servers that share an AS with the user. This is potentially tricky as it users to be able to determine their public IP(s).

requiring the user's own ASN/IP makes AS-aware mode operator-only, a NAT'd wallet can't supply it without an external lookup, which is a privacy leak of its own

#919 lists four AS-overlap risks:

• sender∩receiver → inherent: relay selection can't fix it (it's the two endpoints themselves). VPN/Tor territory. out of scope.

of the three that selection can address, two don't need your own AS:

• relay∩directory → exclude relays in the directory's AS. Needs only the directory + relay ASes.
• relay∩relay → the windowed ordering derived from the receiver key. Needs only the relays' ASes.

both use IPs you resolve via DNS anyway to connect, like Bitcoin Core's asmap, which diversifies its peers by AS (anti-eclipse) and never learns its own ASN; you bucket the servers, not yourself.

• only user-AS exclusion user∩directory needs your own AS, and thats the one that could be dropped to the network layer (VPN/Tor) , not the selector:
  • a directory's AS (datacenter) vs a user's AS (residential/mobile) almost never coincide.
  • the sender uses the directory that came in the URI, so it can't pick a different one to escape its own AS. it can't be addressed in selection.

so, if we drop this and keep just:

• directory-AS exclusion relay∩directory
• windowed ordering relay∩relay

that way both use only server ASes, zero input, so AS-aware selection can be on by default for everyone, which removes the uses-it-or-not fingerprint, default and zero-input, instead of operator-only.

makes sense?

with the asmap bundled and the user-AS input dropped, could this Option and the random fallback go, so AS-aware is the default instead of an opt-in?