@peerbit/shared-log 13.1.0 → 13.1.1

package/src/index.ts

@@ -168,7 +168,7 @@ import type {
 	Syncronizer,
 } from "./sync/index.js";
 import { RatelessIBLTSynchronizer } from "./sync/rateless-iblt.js";
-import { SimpleSyncronizer } from "./sync/simple.js";
+import { ConfirmEntriesMessage, SimpleSyncronizer } from "./sync/simple.js";
 import { groupByGid } from "./utils.js";
 
 const toLocalPublicSignKey = (
@@ -468,6 +468,7 @@ export type SharedLogOptions<
 	waitForReplicatorRequestMaxAttempts?: number;
 	waitForPruneDelay?: number;
 	distributionDebounceTime?: number;
+	strictFullReplicaFallback?: boolean;
 	compatibility?: number;
 	domain?: ReplicationDomainConstructor<D>;
 	eagerBlocks?: boolean | { cacheSize?: number };
@@ -513,10 +514,143 @@ const REPLICATOR_LIVENESS_PROBE_FAILURES_TO_EVICT = 2;
 // Churn/join repair can race with pruning and transient missed sync requests under
 // heavy event-loop load. Keep retries alive with a longer tail so reassigned
 // entries are retried after short bursts and slower recovery windows.
-const FORCE_FRESH_RETRY_SCHEDULE_MS = [
+const CHURN_REPAIR_RETRY_SCHEDULE_MS = [
 	0, 1_000, 3_000, 7_000, 15_000, 30_000, 45_000,
 ];
-const JOIN_WARMUP_RETRY_SCHEDULE_MS = [0, 1_000, 3_000, 7_000, 15_000];
+const JOIN_WARMUP_RETRY_SCHEDULE_MS = [
+	0,
+	1_000,
+	3_000,
+	7_000,
+	15_000,
+	30_000,
+	60_000,
+];
+const JOIN_AUTHORITATIVE_RETRY_SCHEDULE_MS = [
+	0,
+	1_000,
+	3_000,
+	7_000,
+	15_000,
+	30_000,
+	60_000,
+];
+const APPEND_BACKFILL_RETRY_SCHEDULE_MS = [0, 1_000, 3_000, 7_000];
+const JOIN_AUTHORITATIVE_REPAIR_DELAY_MS = 2_000;
+const JOIN_AUTHORITATIVE_REPAIR_SWEEP_DELAYS_MS = [
+	JOIN_AUTHORITATIVE_REPAIR_DELAY_MS,
+	7_000,
+	15_000,
+	30_000,
+];
+const APPEND_BACKFILL_DELAY_MS = 500;
+const ASSUME_SYNCED_REPAIR_SUPPRESSION_MS = 5_000;
+const REPAIR_CONFIRMATION_HASH_BATCH_SIZE = 1_024;
+
+type RepairDispatchMode =
+	| "join-warmup"
+	| "join-authoritative"
+	| "append-backfill"
+	| "churn";
+type RepairTransportMode = "rateless" | "simple";
+type RepairMetricBucket = {
+	dispatches: number;
+	entries: number;
+	ratelessFirstPasses: number;
+	simpleFallbackPasses: number;
+};
+type RepairMetrics = Record<RepairDispatchMode, RepairMetricBucket>;
+
+const REPAIR_DISPATCH_MODES: RepairDispatchMode[] = [
+	"join-warmup",
+	"join-authoritative",
+	"append-backfill",
+	"churn",
+];
+
+const createRepairMetricBucket = (): RepairMetricBucket => ({
+	dispatches: 0,
+	entries: 0,
+	ratelessFirstPasses: 0,
+	simpleFallbackPasses: 0,
+});
+
+const createRepairMetrics = (): RepairMetrics => ({
+	"join-warmup": createRepairMetricBucket(),
+	"join-authoritative": createRepairMetricBucket(),
+	"append-backfill": createRepairMetricBucket(),
+	churn: createRepairMetricBucket(),
+});
+
+const createRepairPendingPeersByMode = () =>
+	new Map<RepairDispatchMode, Set<string>>(
+		REPAIR_DISPATCH_MODES.map((mode) => [mode, new Set<string>()]),
+	);
+
+const cloneRepairPendingPeersByMode = (
+	pending: Map<RepairDispatchMode, Set<string>>,
+) =>
+	new Map<RepairDispatchMode, Set<string>>(
+		REPAIR_DISPATCH_MODES.map((mode) => [mode, new Set(pending.get(mode) ?? [])]),
+	);
+
+const createRepairFrontierByMode = () =>
+	new Map<
+		RepairDispatchMode,
+		Map<string, Map<string, EntryReplicated<any>>>
+	>(REPAIR_DISPATCH_MODES.map((mode) => [mode, new Map()]));
+
+const createRepairActiveTargetsByMode = () =>
+	new Map<RepairDispatchMode, Set<string>>(
+		REPAIR_DISPATCH_MODES.map((mode) => [mode, new Set()]),
+	);
+
+const getRepairRetrySchedule = (mode: RepairDispatchMode) => {
+	switch (mode) {
+		case "join-warmup":
+			return JOIN_WARMUP_RETRY_SCHEDULE_MS;
+		case "join-authoritative":
+			return JOIN_AUTHORITATIVE_RETRY_SCHEDULE_MS;
+		case "append-backfill":
+			return APPEND_BACKFILL_RETRY_SCHEDULE_MS;
+		case "churn":
+			return CHURN_REPAIR_RETRY_SCHEDULE_MS;
+	}
+};
+
+const resolveRepairRetrySchedule = (
+	mode: RepairDispatchMode,
+	override?: number[],
+	trackedFrontier = false,
+) => {
+	const fallback = getRepairRetrySchedule(mode);
+	if (!override || override.length === 0) {
+		return fallback;
+	}
+	if (
+		trackedFrontier &&
+		override.length === 1 &&
+		override[0] === 0 &&
+		fallback.length > 1
+	) {
+		// A tracked frontier with only an immediate retry would otherwise stay on
+		// attempt 0 forever, which means rateless-only retries and no sparse-tail
+		// simple fallback. Keep the immediate seed, then continue with the normal
+		// tracked repair schedule.
+		return [0, ...fallback.slice(1)];
+	}
+	return override;
+};
+
+const getRepairTransportForAttempt = (
+	mode: RepairDispatchMode,
+	attemptIndex: number,
+): RepairTransportMode => {
+	if (mode === "churn") {
+		return "simple";
+	}
+	return attemptIndex === 0 ? "rateless" : "simple";
+};
 
 const toPositiveInteger = (
 	value: number | undefined,
@@ -751,8 +885,24 @@ export class SharedLog<
 	private _repairRetryTimers!: Set<ReturnType<typeof setTimeout>>;
 	private _recentRepairDispatch!: Map<string, Map<string, number>>;
 	private _repairSweepRunning!: boolean;
-	private _repairSweepForceFreshPending!: boolean;
-	private _repairSweepAddedPeersPending!: Set<string>;
+	private _repairSweepPendingModes!: Set<RepairDispatchMode>;
+	private _repairSweepPendingPeersByMode!: Map<RepairDispatchMode, Set<string>>;
+	private _repairFrontierByMode!: Map<
+		RepairDispatchMode,
+		Map<string, Map<string, EntryReplicated<R>>>
+	>;
+	private _repairFrontierActiveTargetsByMode!: Map<RepairDispatchMode, Set<string>>;
+	private _repairSweepOptimisticGidPeersPending!: Map<string, Map<string, number>>;
+	private _entryKnownPeers!: Map<string, Set<string>>;
+	private _joinAuthoritativeRepairTimersByDelay!: Map<
+		number,
+		ReturnType<typeof setTimeout>
+	>;
+	private _joinAuthoritativeRepairPeersByDelay!: Map<number, Set<string>>;
+	private _assumeSyncedRepairSuppressedUntil!: number;
+	private _appendBackfillTimer?: ReturnType<typeof setTimeout>;
+	private _appendBackfillPendingByTarget!: Map<string, Map<string, EntryReplicated<R>>>;
+	private _repairMetrics!: RepairMetrics;
 	private _topicSubscribersCache!: Map<
 		string,
 		{ expiresAt: number; keys: PublicSignKey[] }
@@ -1187,6 +1337,7 @@ export class SharedLog<
 
 		private async _appendDeliverToReplicators(
 			entry: Entry<T>,
+			coordinates: NumberFromType<R>[],
 			minReplicasValue: number,
 			leaders: Map<string, any>,
 			selfHash: string,
@@ -1204,11 +1355,35 @@ export class SharedLog<
 					? { timeoutMs: delivery.timeout, signal: delivery.signal }
 					: undefined;
 
+			const fullReplicaDeliveryCandidates =
+				await this.getFullReplicaRepairCandidates(undefined, {
+					includeSubscribers: false,
+				});
+			if (minReplicasValue >= Math.max(1, fullReplicaDeliveryCandidates.size)) {
+				for (const peer of fullReplicaDeliveryCandidates) {
+					if (!leaders.has(peer)) {
+						leaders.set(peer, { intersecting: true });
+					}
+				}
+			}
+
+			const entryReplicatedForRepair = this.createEntryReplicatedForRepair({
+				entry,
+				coordinates,
+				leaders: leaders as Map<string, { intersecting: boolean }>,
+				replicas: minReplicasValue,
+			});
 			for await (const message of createExchangeHeadsMessages(this.log, [entry])) {
 				await this._mergeLeadersFromGidReferences(message, minReplicasValue, leaders);
-				const leadersForDelivery = delivery ? new Set(leaders.keys()) : undefined;
+				const authoritativeRecipients = new Set(leaders.keys());
+				const leadersForDelivery = delivery
+					? new Set(authoritativeRecipients)
+					: undefined;
 
-				const set = this.addPeersToGidPeerHistory(entry.meta.gid, leaders.keys());
+				// Outbound append delivery only tells us who we intend to send to, not who has
+				// actually stored the entry. Keep this recipient set local so later repair
+				// sweeps can still backfill peers that missed the initial delivery.
+				const set = new Set(leaders.keys());
 				let hasRemotePeers = set.has(selfHash) ? set.size > 1 : set.size > 0;
 				const allowSubscriberFallback =
 					this.syncronizer instanceof SimpleSyncronizer ||
@@ -1239,6 +1414,17 @@ export class SharedLog<
 			}
 
 				if (!delivery) {
+					for (const peer of authoritativeRecipients) {
+						if (peer === selfHash) {
+							continue;
+						}
+						// Default live append delivery is still optimistic. If one remote misses
+						// the initial heads exchange and the caller did not opt into explicit
+						// delivery acks, we still need a targeted backfill source of truth for the
+						// authoritative recipients or one entry can get stuck at 2/3 replicas
+						// forever. Best-effort fallback subscribers are not repair-worthy.
+						this.queueAppendBackfill(peer, entryReplicatedForRepair);
+					}
 					this.rpc
 						.send(message, {
 							mode: isLeader
@@ -1268,6 +1454,7 @@ export class SharedLog<
 
 				const ackTo: string[] = [];
 				let silentTo: string[] | undefined;
+				const repairTargets = new Set<string>();
 				// Default delivery semantics: require enough remote ACKs to reach the requested
 				// replication degree (local append counts as 1).
 				const defaultMinAcks = Math.max(0, minReplicasValue - 1);
@@ -1279,6 +1466,9 @@ export class SharedLog<
 				);
 
 				for (const peer of orderedRemoteRecipients) {
+					if (authoritativeRecipients.has(peer)) {
+						repairTargets.add(peer);
+					}
 					if (ackTo.length < ackLimit) {
 						ackTo.push(peer);
 					} else {
@@ -1317,6 +1507,12 @@ export class SharedLog<
 					})
 					.catch((error) => logger.error(error));
 			}
+				for (const peer of repairTargets) {
+					// Direct append delivery is intentionally optimistic. Queue one delayed,
+					// batched maybe-sync pass for the intended recipients so stable 3-peer
+					// append workloads do not depend on perfect first-try delivery ordering.
+					this.queueAppendBackfill(peer, entryReplicatedForRepair);
+				}
 		}
 
 		if (pending.length > 0) {
@@ -2016,6 +2212,7 @@ export class SharedLog<
 		// Keep local sync/prune state consistent even when a peer disappears
 		// through replication-info updates without a topic unsubscribe event.
 		this.removePeerFromGidPeerHistory(keyHash);
+		this.removeRepairFrontierTarget(keyHash);
 		this._recentRepairDispatch.delete(keyHash);
 		if (!isMe) {
 			this.syncronizer.onPeerDisconnected(keyHash);
@@ -2483,6 +2680,7 @@ export class SharedLog<
 			for (const key of this._gidPeersHistory.keys()) {
 				this.removePeerFromGidPeerHistory(publicKeyHash, key);
 			}
+			this.removePeerFromEntryKnownPeers(publicKeyHash);
 		}
 	}
 
@@ -2507,19 +2705,448 @@ export class SharedLog<
 		return set;
 	}
 
+	private markEntriesKnownByPeer(hashes: Iterable<string>, peer: string) {
+		for (const hash of hashes) {
+			let peers = this._entryKnownPeers.get(hash);
+			if (!peers) {
+				peers = new Set();
+				this._entryKnownPeers.set(hash, peers);
+			}
+			peers.add(peer);
+		}
+	}
+
+	private removeEntriesKnownByPeer(hashes: Iterable<string>, peer: string) {
+		for (const hash of hashes) {
+			const peers = this._entryKnownPeers.get(hash);
+			if (!peers) {
+				continue;
+			}
+			peers.delete(peer);
+			if (peers.size === 0) {
+				this._entryKnownPeers.delete(hash);
+			}
+		}
+	}
+
+	private removePeerFromEntryKnownPeers(peer: string) {
+		for (const [hash, peers] of this._entryKnownPeers) {
+			peers.delete(peer);
+			if (peers.size === 0) {
+				this._entryKnownPeers.delete(hash);
+			}
+		}
+	}
+
+	private isEntryKnownByPeer(hash: string, peer: string) {
+		return this._entryKnownPeers.get(hash)?.has(peer) === true;
+	}
+
+	private markRepairSweepOptimisticPeer(gid: string, peer: string) {
+		let peers = this._repairSweepOptimisticGidPeersPending.get(gid);
+		if (!peers) {
+			peers = new Map();
+			this._repairSweepOptimisticGidPeersPending.set(gid, peers);
+		}
+		peers.set(peer, (peers.get(peer) || 0) + 1);
+	}
+
+	private hasPendingRepairSweepOptimisticPeer(gid: string, peer: string) {
+		return (this._repairSweepOptimisticGidPeersPending.get(gid)?.get(peer) || 0) > 0;
+	}
+
+	private createEntryReplicatedForRepair(properties: {
+		entry: Entry<T>;
+		coordinates: NumberFromType<R>[];
+		leaders: Map<string, { intersecting: boolean }>;
+		replicas: number;
+	}) {
+		const assignedToRangeBoundary = shouldAssignToRangeBoundary(
+			properties.leaders,
+			properties.replicas,
+		);
+		const cidObject = cidifyString(properties.entry.hash);
+		const hashNumber = this.indexableDomain.numbers.bytesToNumber(
+			cidObject.multihash.digest,
+		);
+		return new this.indexableDomain.constructorEntry({
+			assignedToRangeBoundary,
+			coordinates: properties.coordinates,
+			meta: properties.entry.meta,
+			hash: properties.entry.hash,
+			hashNumber,
+		});
+	}
+
+	private isAssumeSyncedRepairSuppressed() {
+		return this._assumeSyncedRepairSuppressedUntil > Date.now();
+	}
+
+	private isFrontierTrackedRepairMode(mode: RepairDispatchMode) {
+		return mode !== "join-warmup";
+	}
+
+	private async sleepTracked(delayMs: number) {
+		if (delayMs <= 0) {
+			return;
+		}
+		await new Promise<void>((resolve) => {
+			const timer = setTimeout(() => {
+				this._repairRetryTimers.delete(timer);
+				resolve();
+			}, delayMs);
+			timer.unref?.();
+			this._repairRetryTimers.add(timer);
+		});
+	}
+
+	private queueRepairFrontierEntries(
+		mode: RepairDispatchMode,
+		target: string,
+		entries: Map<string, EntryReplicated<R>>,
+	) {
+		let targets = this._repairFrontierByMode.get(mode);
+		if (!targets) {
+			targets = new Map();
+			this._repairFrontierByMode.set(mode, targets);
+		}
+		let pending = targets.get(target);
+		if (!pending) {
+			pending = new Map();
+			targets.set(target, pending);
+		}
+		for (const [hash, entry] of entries) {
+			pending.set(hash, entry);
+		}
+	}
+
+	private clearRepairFrontierHashes(target: string, hashes: Iterable<string>) {
+		const hashList = [...hashes];
+		if (hashList.length === 0) {
+			return;
+		}
+		for (const mode of REPAIR_DISPATCH_MODES) {
+			const pending = this._repairFrontierByMode.get(mode)?.get(target);
+			if (!pending) {
+				continue;
+			}
+			for (const hash of hashList) {
+				pending.delete(hash);
+			}
+			if (pending.size === 0) {
+				this._repairFrontierByMode.get(mode)?.delete(target);
+			}
+		}
+	}
+
+	private async getFullReplicaRepairCandidates(
+		extraPeers?: Iterable<string>,
+		options?: { includeSubscribers?: boolean },
+	) {
+		const candidates = new Set<string>([
+			this.node.identity.publicKey.hashcode(),
+		]);
+		try {
+			for (const peer of await this.getReplicators()) {
+				candidates.add(peer);
+			}
+		} catch {
+			for (const peer of this.uniqueReplicators) {
+				candidates.add(peer);
+			}
+		}
+		for (const peer of extraPeers ?? []) {
+			candidates.add(peer);
+		}
+		if (options?.includeSubscribers !== false) {
+			try {
+				for (const subscriber of (await this._getTopicSubscribers(this.topic)) ?? []) {
+					candidates.add(subscriber.hashcode());
+				}
+			} catch {
+				// Best-effort only; explicit repair peers still keep the path safe.
+			}
+		}
+		return candidates;
+	}
+
+	private removeRepairFrontierTarget(target: string) {
+		for (const mode of REPAIR_DISPATCH_MODES) {
+			this._repairFrontierByMode.get(mode)?.delete(target);
+			this._repairFrontierActiveTargetsByMode.get(mode)?.delete(target);
+		}
+	}
+
+	private async sendRepairConfirmation(
+		target: PublicSignKey,
+		hashes: Iterable<string>,
+	) {
+		const uniqueHashes = [...new Set(hashes)];
+		for (let i = 0; i < uniqueHashes.length; i += REPAIR_CONFIRMATION_HASH_BATCH_SIZE) {
+			const chunk = uniqueHashes.slice(
+				i,
+				i + REPAIR_CONFIRMATION_HASH_BATCH_SIZE,
+			);
+			await this.rpc.send(new ConfirmEntriesMessage({ hashes: chunk }), {
+				priority: 1,
+				mode: new SilentDelivery({ to: [target], redundancy: 1 }),
+			});
+		}
+	}
+
+	private async pushRepairEntries(
+		target: string,
+		entries: Map<string, EntryReplicated<R>>,
+	) {
+		for await (const message of createExchangeHeadsMessages(
+			this.log,
+			[...entries.keys()],
+		)) {
+			await this.rpc.send(message, {
+				priority: 1,
+				mode: new SilentDelivery({ to: [target], redundancy: 1 }),
+			});
+		}
+	}
+
+	private async sendRepairEntriesWithTransport(
+		target: string,
+		entries: Map<string, EntryReplicated<R>>,
+		transport: RepairTransportMode,
+		options?: { bypassKnownPeers?: boolean },
+	) {
+		const unknownEntries = new Map<string, EntryReplicated<R>>();
+		const knownHashes: string[] = [];
+		for (const [hash, entry] of entries) {
+			if (options?.bypassKnownPeers || !this.isEntryKnownByPeer(hash, target)) {
+				unknownEntries.set(hash, entry);
+			} else {
+				knownHashes.push(hash);
+			}
+		}
+		this.clearRepairFrontierHashes(target, knownHashes);
+		if (unknownEntries.size === 0) {
+			return;
+		}
+		if (transport === "simple") {
+			// Fallback repair should not depend on the target completing the
+			// RequestMaybeSync -> ResponseMaybeSync round trip.
+			await this.pushRepairEntries(target, unknownEntries);
+			return;
+		}
+
+		await this.syncronizer.onMaybeMissingEntries({
+			entries: unknownEntries,
+			targets: [target],
+		});
+	}
+
+	private async sendMaybeMissingEntriesNow(
+		target: string,
+		entries: Map<string, EntryReplicated<R>>,
+		options: {
+			mode: RepairDispatchMode;
+			transport: RepairTransportMode;
+			bypassRecentDedupe?: boolean;
+		},
+	) {
+		if (entries.size === 0) {
+			return;
+		}
+
+		const now = Date.now();
+		let recentlyDispatchedByHash = this._recentRepairDispatch.get(target);
+		if (!recentlyDispatchedByHash) {
+			recentlyDispatchedByHash = new Map();
+			this._recentRepairDispatch.set(target, recentlyDispatchedByHash);
+		}
+		for (const [hash, ts] of recentlyDispatchedByHash) {
+			if (now - ts > RECENT_REPAIR_DISPATCH_TTL_MS) {
+				recentlyDispatchedByHash.delete(hash);
+			}
+		}
+
+		const filteredEntries =
+			options.bypassRecentDedupe === true
+				? new Map(entries)
+				: new Map<string, EntryReplicated<any>>();
+		if (options.bypassRecentDedupe !== true) {
+			for (const [hash, entry] of entries) {
+				const prev = recentlyDispatchedByHash.get(hash);
+				if (prev != null && now - prev <= RECENT_REPAIR_DISPATCH_TTL_MS) {
+					continue;
+				}
+				recentlyDispatchedByHash.set(hash, now);
+				filteredEntries.set(hash, entry);
+			}
+		} else {
+			for (const hash of entries.keys()) {
+				recentlyDispatchedByHash.set(hash, now);
+			}
+		}
+		if (filteredEntries.size === 0) {
+			return;
+		}
+
+		const bucket = this._repairMetrics[options.mode];
+		bucket.dispatches += 1;
+		bucket.entries += filteredEntries.size;
+		if (options.transport === "simple") {
+			bucket.simpleFallbackPasses += 1;
+		} else {
+			bucket.ratelessFirstPasses += 1;
+		}
+
+		await Promise.resolve(
+			this.sendRepairEntriesWithTransport(
+				target,
+				filteredEntries,
+				options.transport,
+				{ bypassKnownPeers: options.mode === "churn" },
+			),
+		).catch((error: any) => logger.error(error));
+	}
+
+	private ensureRepairFrontierRunner(
+		mode: RepairDispatchMode,
+		target: string,
+		retryScheduleMs?: number[],
+	) {
+		const activeTargets = this._repairFrontierActiveTargetsByMode.get(mode);
+		if (!activeTargets || activeTargets.has(target) || this.closed) {
+			return;
+		}
+		activeTargets.add(target);
+		const retrySchedule = resolveRepairRetrySchedule(
+			mode,
+			retryScheduleMs,
+			this.isFrontierTrackedRepairMode(mode),
+		);
+		const steadyStateDelay =
+			retrySchedule.length > 1
+				? Math.max(1, retrySchedule[retrySchedule.length - 1] - retrySchedule[retrySchedule.length - 2])
+				: Math.max(retrySchedule[0] || 1_000, 1_000);
+
+		void (async () => {
+			let attemptIndex = 0;
+			try {
+				for (;;) {
+					if (this.closed) {
+						return;
+					}
+					const pending = this._repairFrontierByMode.get(mode)?.get(target);
+					if (!pending || pending.size === 0) {
+						return;
+					}
+
+					if (
+						(mode === "join-warmup" || mode === "join-authoritative") &&
+						this.isAssumeSyncedRepairSuppressed()
+					) {
+						await this.sleepTracked(
+							Math.max(250, this._assumeSyncedRepairSuppressedUntil - Date.now()),
+						);
+						continue;
+					}
+
+					await this.sendMaybeMissingEntriesNow(target, pending, {
+						mode,
+						transport: getRepairTransportForAttempt(mode, attemptIndex),
+						bypassRecentDedupe: true,
+					});
+
+					const remaining = this._repairFrontierByMode.get(mode)?.get(target);
+					if (!remaining || remaining.size === 0) {
+						return;
+					}
+
+					const waitMs =
+						attemptIndex + 1 < retrySchedule.length
+							? Math.max(0, retrySchedule[attemptIndex + 1] - retrySchedule[attemptIndex])
+							: steadyStateDelay;
+					attemptIndex = Math.min(attemptIndex + 1, retrySchedule.length - 1);
+					await this.sleepTracked(waitMs);
+				}
+			} finally {
+				activeTargets.delete(target);
+				if (
+					!this.closed &&
+					(this._repairFrontierByMode.get(mode)?.get(target)?.size || 0) > 0
+				) {
+					this.ensureRepairFrontierRunner(mode, target, retryScheduleMs);
+				}
+			}
+		})().catch((error: any) => {
+			activeTargets.delete(target);
+			logger.error(error);
+		});
+	}
+
+	private flushAppendBackfill() {
+		if (this._appendBackfillPendingByTarget.size === 0) {
+			return;
+		}
+		const pending = this._appendBackfillPendingByTarget;
+		this._appendBackfillPendingByTarget = new Map();
+		for (const [target, entries] of pending) {
+			this.dispatchMaybeMissingEntries(target, entries, {
+				mode: "append-backfill",
+			});
+		}
+	}
+
+	private queueAppendBackfill(target: string, entry: EntryReplicated<R>) {
+		let entries = this._appendBackfillPendingByTarget.get(target);
+		if (!entries) {
+			entries = new Map();
+			this._appendBackfillPendingByTarget.set(target, entries);
+		}
+		entries.set(entry.hash, entry);
+		if (entries.size >= this.repairSweepTargetBufferSize) {
+			this.flushAppendBackfill();
+			return;
+		}
+		if (this._appendBackfillTimer || this.closed) {
+			return;
+		}
+		const timer = setTimeout(() => {
+			this._repairRetryTimers.delete(timer);
+			if (this._appendBackfillTimer === timer) {
+				this._appendBackfillTimer = undefined;
+			}
+			if (this.closed) {
+				return;
+			}
+			this.flushAppendBackfill();
+		}, APPEND_BACKFILL_DELAY_MS);
+		timer.unref?.();
+		this._repairRetryTimers.add(timer);
+		this._appendBackfillTimer = timer;
+	}
+
 	private dispatchMaybeMissingEntries(
 		target: string,
 		entries: Map<string, EntryReplicated<R>>,
-		options?: {
+		options: {
+			mode: RepairDispatchMode;
 			bypassRecentDedupe?: boolean;
 			retryScheduleMs?: number[];
-			forceFreshDelivery?: boolean;
 		},
 	) {
 		if (entries.size === 0) {
 			return;
 		}
 
+		if (this.isFrontierTrackedRepairMode(options.mode)) {
+			this.queueRepairFrontierEntries(options.mode, target, entries);
+			this.ensureRepairFrontierRunner(
+				options.mode,
+				target,
+				options.retryScheduleMs,
+			);
+			return;
+		}
+
 		const now = Date.now();
 		let recentlyDispatchedByHash = this._recentRepairDispatch.get(target);
 		if (!recentlyDispatchedByHash) {
@@ -2533,10 +3160,10 @@ export class SharedLog<
 		}
 
 		const filteredEntries =
-			options?.bypassRecentDedupe === true
+			options.bypassRecentDedupe === true
 				? new Map(entries)
 				: new Map<string, EntryReplicated<any>>();
-		if (options?.bypassRecentDedupe !== true) {
+		if (options.bypassRecentDedupe !== true) {
 			for (const [hash, entry] of entries) {
 				const prev = recentlyDispatchedByHash.get(hash);
 				if (prev != null && now - prev <= RECENT_REPAIR_DISPATCH_TTL_MS) {
@@ -2553,64 +3180,69 @@ export class SharedLog<
 		if (filteredEntries.size === 0) {
 			return;
 		}
-		const retrySchedule =
-			options?.retryScheduleMs && options.retryScheduleMs.length > 0
-				? options.retryScheduleMs
-				: options?.forceFreshDelivery
-					? FORCE_FRESH_RETRY_SCHEDULE_MS
-					: [0];
-
-		const run = () => {
-			// For force-fresh churn repair we intentionally bypass rateless IBLT and
-			// use simple hash-based sync. This path is a directed "push these hashes
-			// to that peer" recovery flow; using simple sync here avoids occasional
-			// single-hash gaps seen with IBLT-oriented maybe-sync batches under churn.
-			if (
-				options?.forceFreshDelivery &&
-				this.syncronizer instanceof RatelessIBLTSynchronizer
-			) {
-				return Promise.resolve(
-					this.syncronizer.simple.onMaybeMissingEntries({
-						entries: filteredEntries,
-						targets: [target],
-					}),
-				).catch((error: any) => logger.error(error));
+
+		if (
+			(options.mode === "join-warmup" ||
+				options.mode === "join-authoritative") &&
+			this.isAssumeSyncedRepairSuppressed()
+		) {
+			return;
+		}
+
+		const retrySchedule = resolveRepairRetrySchedule(
+			options.mode,
+			options.retryScheduleMs,
+			this.isFrontierTrackedRepairMode(options.mode),
+		);
+		const bucket = this._repairMetrics[options.mode];
+		bucket.dispatches += 1;
+		bucket.entries += filteredEntries.size;
+
+		const run = (transport: RepairTransportMode) => {
+			if (transport === "simple") {
+				bucket.simpleFallbackPasses += 1;
+			} else {
+				bucket.ratelessFirstPasses += 1;
 			}
 
 			return Promise.resolve(
-				this.syncronizer.onMaybeMissingEntries({
-					entries: filteredEntries,
-					targets: [target],
-				}),
+				this.sendRepairEntriesWithTransport(
+					target,
+					filteredEntries,
+					transport,
+					{ bypassKnownPeers: options.mode === "churn" },
+				),
 			).catch((error: any) => logger.error(error));
 		};
 
-		for (const delayMs of retrySchedule) {
+		retrySchedule.forEach((delayMs, index) => {
+			const transport = getRepairTransportForAttempt(options.mode, index);
 			if (delayMs === 0) {
-				void run();
-				continue;
+				void run(transport);
+				return;
 			}
 			const timer = setTimeout(() => {
 				this._repairRetryTimers.delete(timer);
 				if (this.closed) {
 					return;
 				}
-				void run();
+				void run(transport);
 			}, delayMs);
 			timer.unref?.();
 			this._repairRetryTimers.add(timer);
-		}
+		});
 	}
 
 	private scheduleRepairSweep(options: {
-		forceFreshDelivery: boolean;
-		addedPeers: Set<string>;
+		mode: RepairDispatchMode;
+		peers?: Iterable<string>;
 	}) {
-		if (options.forceFreshDelivery) {
-			this._repairSweepForceFreshPending = true;
-		}
-		for (const peer of options.addedPeers) {
-			this._repairSweepAddedPeersPending.add(peer);
+		this._repairSweepPendingModes.add(options.mode);
+		const pendingPeers = this._repairSweepPendingPeersByMode.get(options.mode);
+		if (pendingPeers) {
+			for (const peer of options.peers ?? []) {
+				pendingPeers.add(peer);
+			}
 		}
 		if (!this._repairSweepRunning && !this.closed) {
 			this._repairSweepRunning = true;
@@ -2618,88 +3250,293 @@ export class SharedLog<
 		}
 	}
 
+	private scheduleJoinAuthoritativeRepair(peers: Set<string>) {
+		if (this.closed || peers.size === 0) {
+			return;
+		}
+
+		for (const delayMs of JOIN_AUTHORITATIVE_REPAIR_SWEEP_DELAYS_MS) {
+			let pendingPeers = this._joinAuthoritativeRepairPeersByDelay.get(delayMs);
+			if (!pendingPeers) {
+				pendingPeers = new Set();
+				this._joinAuthoritativeRepairPeersByDelay.set(delayMs, pendingPeers);
+			}
+			for (const peer of peers) {
+				pendingPeers.add(peer);
+			}
+
+			if (this._joinAuthoritativeRepairTimersByDelay.has(delayMs)) {
+				continue;
+			}
+
+			const timer = setTimeout(() => {
+				this._repairRetryTimers.delete(timer);
+				this._joinAuthoritativeRepairTimersByDelay.delete(delayMs);
+				if (this.closed) {
+					return;
+				}
+
+				const peersForSweep = new Set(
+					this._joinAuthoritativeRepairPeersByDelay.get(delayMs) ?? [],
+				);
+				this._joinAuthoritativeRepairPeersByDelay.delete(delayMs);
+				if (peersForSweep.size === 0) {
+					return;
+				}
+
+				// A joiner's leader view can still be partial on the first delayed pass
+				// under pubsub jitter. Bounded per-peer rescans widen the authoritative
+				// frontier without adding per-append sweeps.
+				this.scheduleRepairSweep({
+					mode: "join-authoritative",
+					peers: peersForSweep,
+				});
+			}, delayMs);
+			timer.unref?.();
+			this._repairRetryTimers.add(timer);
+			this._joinAuthoritativeRepairTimersByDelay.set(delayMs, timer);
+		}
+	}
+
 	private async runRepairSweep() {
 		try {
 			while (!this.closed) {
-				const forceFreshDelivery = this._repairSweepForceFreshPending;
-				const addedPeers = new Set(this._repairSweepAddedPeersPending);
-				this._repairSweepForceFreshPending = false;
-				this._repairSweepAddedPeersPending.clear();
+				const pendingModes = new Set(this._repairSweepPendingModes);
+				const pendingPeersByMode = cloneRepairPendingPeersByMode(
+					this._repairSweepPendingPeersByMode,
+				);
+				this._repairSweepPendingModes.clear();
+				for (const peers of this._repairSweepPendingPeersByMode.values()) {
+					peers.clear();
+				}
 
-				if (!forceFreshDelivery && addedPeers.size === 0) {
+				if (pendingModes.size === 0) {
 					return;
 				}
 
-				const pendingByTarget = new Map<string, Map<string, EntryReplicated<any>>>();
-				const flushTarget = (target: string) => {
-					const entries = pendingByTarget.get(target);
+				const optimisticGidPeersByMode = new Map<
+					RepairDispatchMode,
+					Map<string, Set<string>>
+				>();
+				const optimisticGidPeersConsumedByMode = new Map<
+					RepairDispatchMode,
+					Map<string, Map<string, number>>
+				>();
+				for (const mode of pendingModes) {
+					const modePeers = pendingPeersByMode.get(mode);
+					if (!modePeers || modePeers.size === 0) {
+						continue;
+					}
+					const optimisticGidPeers = new Map<string, Set<string>>();
+					const optimisticGidPeersConsumed = new Map<string, Map<string, number>>();
+					for (const [gid, peerCounts] of this._repairSweepOptimisticGidPeersPending) {
+						let matchedPeers: Set<string> | undefined;
+						let matchedCounts: Map<string, number> | undefined;
+						for (const [peer, count] of peerCounts) {
+							if (!modePeers.has(peer)) {
+								continue;
+							}
+							matchedPeers ||= new Set();
+							matchedCounts ||= new Map();
+							matchedPeers.add(peer);
+							matchedCounts.set(peer, count);
+						}
+						if (matchedPeers && matchedCounts) {
+							optimisticGidPeers.set(gid, matchedPeers);
+							optimisticGidPeersConsumed.set(gid, matchedCounts);
+						}
+					}
+					if (optimisticGidPeers.size > 0) {
+						optimisticGidPeersByMode.set(mode, optimisticGidPeers);
+						optimisticGidPeersConsumedByMode.set(mode, optimisticGidPeersConsumed);
+					}
+				}
+
+				const pendingByMode = new Map<
+					RepairDispatchMode,
+					Map<string, Map<string, EntryReplicated<any>>>
+				>(REPAIR_DISPATCH_MODES.map((mode) => [mode, new Map()]));
+				const pendingRepairPeers = new Set<string>();
+				for (const peers of pendingPeersByMode.values()) {
+					for (const peer of peers) {
+						pendingRepairPeers.add(peer);
+					}
+				}
+				const fullReplicaRepairCandidates =
+					await this.getFullReplicaRepairCandidates(pendingRepairPeers, {
+						includeSubscribers: false,
+					});
+				const fullReplicaRepairCandidateCount = Math.max(
+					1,
+					fullReplicaRepairCandidates.size,
+				);
+				const nextFrontierByMode = new Map<
+					RepairDispatchMode,
+					Map<string, Map<string, EntryReplicated<any>>>
+				>([
+					["join-authoritative", new Map()],
+					["churn", new Map()],
+				]);
+				const flushTarget = (mode: RepairDispatchMode, target: string) => {
+					const targets = pendingByMode.get(mode);
+					const entries = targets?.get(target);
 					if (!entries || entries.size === 0) {
 						return;
 					}
-					const isJoinWarmupTarget = addedPeers.has(target);
-					const bypassRecentDedupe = isJoinWarmupTarget || forceFreshDelivery;
 					this.dispatchMaybeMissingEntries(target, entries, {
-						bypassRecentDedupe,
-						retryScheduleMs: isJoinWarmupTarget
-							? JOIN_WARMUP_RETRY_SCHEDULE_MS
-							: undefined,
-						forceFreshDelivery,
+						bypassRecentDedupe: true,
+						mode,
 					});
-					pendingByTarget.delete(target);
+					targets?.delete(target);
 				};
 				const queueEntryForTarget = (
+					mode: RepairDispatchMode,
 					target: string,
 					entry: EntryReplicated<any>,
 				) => {
-					let set = pendingByTarget.get(target);
+					const sweepTargets = nextFrontierByMode.get(mode);
+					if (sweepTargets) {
+						let sweepSet = sweepTargets.get(target);
+						if (!sweepSet) {
+							sweepSet = new Map();
+							sweepTargets.set(target, sweepSet);
+						}
+						sweepSet.set(entry.hash, entry);
+					}
+					const targets = pendingByMode.get(mode)!;
+					let set = targets.get(target);
 					if (!set) {
 						set = new Map();
-						pendingByTarget.set(target, set);
+						targets.set(target, set);
 					}
 					if (set.has(entry.hash)) {
 						return;
 					}
 					set.set(entry.hash, entry);
 					if (set.size >= this.repairSweepTargetBufferSize) {
-						flushTarget(target);
+						flushTarget(mode, target);
 					}
 				};
 
 				const iterator = this.entryCoordinatesIndex.iterate({});
 				try {
-						while (!this.closed && !iterator.done()) {
-							const entries = await iterator.next(REPAIR_SWEEP_ENTRY_BATCH_SIZE);
-							for (const entry of entries) {
-								const entryReplicated = entry.value;
-								const knownPeers = this._gidPeersHistory.get(entryReplicated.gid);
-								const currentPeers = await this.findLeaders(
-									entryReplicated.coordinates,
-									entryReplicated,
-									{ roleAge: 0 },
-								);
-							if (forceFreshDelivery) {
+					while (!this.closed && !iterator.done()) {
+						const entries = await iterator.next(REPAIR_SWEEP_ENTRY_BATCH_SIZE);
+						for (const entry of entries) {
+							const entryReplicated = entry.value;
+							const gid = entryReplicated.gid;
+							const knownPeers = this._gidPeersHistory.get(gid);
+							const requestedReplicas =
+								decodeReplicas(entryReplicated).getValue(this);
+							const currentPeers = await this.findLeaders(
+								entryReplicated.coordinates,
+								entryReplicated,
+								{ roleAge: 0 },
+							);
+
+							if (pendingModes.has("churn")) {
 								for (const [currentPeer] of currentPeers) {
 									if (currentPeer === this.node.identity.publicKey.hashcode()) {
 										continue;
 									}
-									queueEntryForTarget(currentPeer, entryReplicated);
+									queueEntryForTarget("churn", currentPeer, entryReplicated);
 								}
 							}
-								if (addedPeers.size > 0) {
-									for (const peer of addedPeers) {
-										if (currentPeers.has(peer) && !knownPeers?.has(peer)) {
-											queueEntryForTarget(peer, entryReplicated);
-										}
+
+							for (const mode of pendingModes) {
+								const modePeers = pendingPeersByMode.get(mode);
+								if (!modePeers || modePeers.size === 0) {
+									continue;
+								}
+								const optimisticPeers = optimisticGidPeersByMode.get(mode)?.get(gid);
+								for (const peer of modePeers) {
+									if (this.isEntryKnownByPeer(entryReplicated.hash, peer)) {
+										continue;
+									}
+									const wasOptimisticallyAssigned =
+										optimisticPeers?.has(peer) === true;
+									const isCoveredByFullReplicaRepair =
+										mode === "join-authoritative" &&
+										fullReplicaRepairCandidates.has(peer) &&
+										requestedReplicas >= fullReplicaRepairCandidateCount;
+									const shouldQueue =
+										mode === "join-authoritative"
+											? currentPeers.has(peer) || isCoveredByFullReplicaRepair
+											: wasOptimisticallyAssigned ||
+											  (currentPeers.has(peer) && !knownPeers?.has(peer));
+									if (shouldQueue) {
+										// Authoritative join repair must not trust partial gid peer history,
+										// otherwise a late joiner can get stuck with a partial historical
+										// backfill forever. Once we enter the authoritative pass, queue every
+										// entry whose current leader set still includes the added peer.
+										queueEntryForTarget(mode, peer, entryReplicated);
 									}
 								}
 							}
+						}
 					}
 				} finally {
 					await iterator.close();
 				}
 
-				for (const target of [...pendingByTarget.keys()]) {
-					flushTarget(target);
+				for (const [, optimisticGidPeersConsumed] of optimisticGidPeersConsumedByMode) {
+					for (const [gid, peerCounts] of optimisticGidPeersConsumed) {
+						const pendingPeerCounts =
+							this._repairSweepOptimisticGidPeersPending.get(gid);
+						if (!pendingPeerCounts) {
+							continue;
+						}
+						for (const [peer, count] of peerCounts) {
+							const current = pendingPeerCounts.get(peer) || 0;
+							const next = current - count;
+							if (next > 0) {
+								pendingPeerCounts.set(peer, next);
+							} else {
+								pendingPeerCounts.delete(peer);
+							}
+						}
+						if (pendingPeerCounts.size === 0) {
+							this._repairSweepOptimisticGidPeersPending.delete(gid);
+						}
+					}
+				}
+
+				for (const mode of pendingModes) {
+					if (mode !== "join-authoritative" && mode !== "churn") {
+						continue;
+					}
+					const nextTargets = nextFrontierByMode.get(mode) ?? new Map();
+					const frontierTargets = this._repairFrontierByMode.get(mode);
+					for (const target of pendingPeersByMode.get(mode) ?? []) {
+						const replacement = nextTargets.get(target);
+						if (mode === "join-authoritative") {
+							// Authoritative join repair is receipt-driven: a later sweep can have a
+							// narrower transient leader view, but it must not forget unconfirmed
+							// hashes that were already queued for this joiner.
+							if (replacement && replacement.size > 0) {
+								const existing = frontierTargets?.get(target);
+								if (existing && existing.size > 0) {
+									for (const [hash, entry] of replacement) {
+										existing.set(hash, entry);
+									}
+								} else {
+									frontierTargets?.set(target, replacement);
+								}
+							}
+							continue;
+						}
+						if (replacement && replacement.size > 0) {
+							frontierTargets?.set(target, replacement);
+						} else {
+							frontierTargets?.delete(target);
+						}
+					}
+				}
+
+				for (const [mode, targets] of pendingByMode) {
+					for (const target of [...targets.keys()]) {
+						flushTarget(mode, target);
+					}
 				}
 			}
 		} catch (error: any) {
@@ -2708,11 +3545,7 @@ export class SharedLog<
 			}
 		} finally {
 			this._repairSweepRunning = false;
-			if (
-				!this.closed &&
-				(this._repairSweepForceFreshPending ||
-					this._repairSweepAddedPeersPending.size > 0)
-			) {
+			if (!this.closed && this._repairSweepPendingModes.size > 0) {
 				this._repairSweepRunning = true;
 				void this.runRepairSweep();
 			}
@@ -2725,9 +3558,89 @@ export class SharedLog<
 			entry: Entry<T> | ShallowEntry | EntryReplicated<R>;
 			leaders: Map<string, any>;
 		};
-	}) {
-		if (!this.keep || !(await this.keep(args.value.entry))) {
-			return this.pruneDebouncedFn.add(args);
+	}): Promise<boolean> {
+		if (this.keep && (await this.keep(args.value.entry))) {
+			return false;
+		}
+		void this.pruneDebouncedFn.add(args);
+		return true;
+	}
+
+	private async pruneJoinedEntriesNoLongerLed(entries: Entry<T>[]) {
+		const selfHash = this.node.identity.publicKey.hashcode();
+		for (const entry of entries) {
+			if (this.closed || this._pendingDeletes.has(entry.hash)) {
+				continue;
+			}
+
+			const leaders = await this.findLeadersFromEntry(
+				entry,
+				decodeReplicas(entry).getValue(this),
+				{ roleAge: 0 },
+			);
+
+			if (leaders.has(selfHash)) {
+				this.pruneDebouncedFn.delete(entry.hash);
+				continue;
+			}
+
+			if (leaders.size === 0) {
+				continue;
+			}
+
+			await this.pruneDebouncedFnAddIfNotKeeping({
+				key: entry.hash,
+				value: { entry, leaders },
+			});
+			this.responseToPruneDebouncedFn.delete(entry.hash);
+		}
+	}
+
+	private async pruneIndexedEntriesNoLongerLed() {
+		const selfHash = this.node.identity.publicKey.hashcode();
+		const iterator = this.entryCoordinatesIndex.iterate({});
+		let enqueuedPrune = false;
+		try {
+			while (!this.closed && !iterator.done()) {
+				const entries = await iterator.next(REPAIR_SWEEP_ENTRY_BATCH_SIZE);
+				for (const entry of entries) {
+					const entryReplicated = entry.value;
+					if (this.closed || this._pendingDeletes.has(entryReplicated.hash)) {
+						continue;
+					}
+
+					const leaders = await this.findLeaders(
+						entryReplicated.coordinates,
+						entryReplicated,
+						{ roleAge: 0 },
+					);
+
+					if (leaders.has(selfHash)) {
+						this.pruneDebouncedFn.delete(entryReplicated.hash);
+						await this._pendingDeletes
+							.get(entryReplicated.hash)
+							?.reject(new Error("Failed to delete, is leader again"));
+						this.removePruneRequestSent(entryReplicated.hash);
+						continue;
+					}
+
+					if (leaders.size === 0) {
+						continue;
+					}
+
+					enqueuedPrune =
+						(await this.pruneDebouncedFnAddIfNotKeeping({
+							key: entryReplicated.hash,
+							value: { entry: entryReplicated, leaders },
+						})) || enqueuedPrune;
+					this.responseToPruneDebouncedFn.delete(entryReplicated.hash);
+				}
+			}
+		} finally {
+			await iterator.close();
+		}
+		if (enqueuedPrune && !this.closed) {
+			await this.pruneDebouncedFn.flush();
 		}
 	}
 
@@ -2904,6 +3817,7 @@ export class SharedLog<
 			} else {
 				await this._appendDeliverToReplicators(
 					result.entry,
+					coordinates,
 					minReplicasValue,
 					leaders,
 					selfHash,
@@ -2913,13 +3827,14 @@ export class SharedLog<
 			}
 		}
 
-		if (!isLeader && !this.shouldDelayAdaptiveRebalance()) {
+		const delayAdaptiveRebalance = this.shouldDelayAdaptiveRebalance();
+		if (!isLeader && !delayAdaptiveRebalance) {
 			this.pruneDebouncedFnAddIfNotKeeping({
 				key: result.entry.hash,
 				value: { entry: result.entry, leaders },
 			});
 		}
-		if (!this._isAdaptiveReplicating) {
+		if (!delayAdaptiveRebalance) {
 			this.rebalanceParticipationDebounced?.call();
 		}
 
@@ -2961,8 +3876,21 @@ export class SharedLog<
 		this._repairRetryTimers = new Set();
 		this._recentRepairDispatch = new Map();
 		this._repairSweepRunning = false;
-		this._repairSweepForceFreshPending = false;
-		this._repairSweepAddedPeersPending = new Set();
+		this._repairSweepPendingModes = new Set();
+		this._repairSweepPendingPeersByMode = createRepairPendingPeersByMode();
+		this._repairFrontierByMode = createRepairFrontierByMode() as Map<
+			RepairDispatchMode,
+			Map<string, Map<string, EntryReplicated<R>>>
+		>;
+		this._repairFrontierActiveTargetsByMode = createRepairActiveTargetsByMode();
+		this._repairSweepOptimisticGidPeersPending = new Map();
+		this._entryKnownPeers = new Map();
+		this._joinAuthoritativeRepairTimersByDelay = new Map();
+		this._joinAuthoritativeRepairPeersByDelay = new Map();
+		this._assumeSyncedRepairSuppressedUntil = 0;
+		this._appendBackfillTimer = undefined;
+		this._appendBackfillPendingByTarget = new Map();
+		this._repairMetrics = createRepairMetrics();
 		this._topicSubscribersCache = new Map();
 		this.coordinateToHash = new Cache<string>({ max: 1e6, ttl: 1e4 });
 		this.recentlyRebalanced = new Cache<string>({ max: 1e4, ttl: 1e5 });
@@ -3041,7 +3969,10 @@ export class SharedLog<
 		this.pendingMaturity = new Map();
 
 		const id = sha256Base64Sync(this.log.id);
-		const storage = await this.node.storage.sublevel(id);
+		const [storage, logScope] = await Promise.all([
+			this.node.storage.sublevel(id),
+			this.node.indexer.scope(id),
+		]);
 
 		const localBlocks = await new AnyBlockStore(await storage.sublevel("blocks"));
 		const fanoutService = getSharedLogFanoutService(this.node.services);
@@ -3104,20 +4035,19 @@ export class SharedLog<
 			},
 		});
 
-		await this.remoteBlocks.start();
-
-		const logScope = await this.node.indexer.scope(id);
-		const replicationIndex = await logScope.scope("replication");
+		const remoteBlocksStartPromise = this.remoteBlocks.start();
+		const [replicationIndex, logIndex] = await Promise.all([
+			logScope.scope("replication"),
+			logScope.scope("log"),
+		]);
 		this._replicationRangeIndex = await replicationIndex.init({
 			schema: this.indexableDomain.constructorRange,
 		});
-
 		this._entryCoordinatesIndex = await replicationIndex.init({
 			schema: this.indexableDomain.constructorEntry,
 		});
 
-		const logIndex = await logScope.scope("log");
-
+		await remoteBlocksStartPromise;
 		const hasIndexedReplicationInfo =
 			(await this.replicationIndex.count({
 				query: [
@@ -3279,47 +4209,50 @@ export class SharedLog<
 		}
 
 		// Open for communcation
-		await this.rpc.open({
-			queryType: TransportMessage,
-			responseType: TransportMessage,
-			responseHandler: (query, context) => this.onMessage(query, context),
-			topic: this.topic,
-		});
-
 		this._onSubscriptionFn =
 			this._onSubscriptionFn || this._onSubscription.bind(this);
-		await this.node.services.pubsub.addEventListener(
-			"subscribe",
-			this._onSubscriptionFn,
-		);
-
 		this._onUnsubscriptionFn =
 			this._onUnsubscriptionFn || this._onUnsubscription.bind(this);
-		await this.node.services.pubsub.addEventListener(
-			"unsubscribe",
-			this._onUnsubscriptionFn,
-		);
-
-		await this.rpc.subscribe();
-		await this._openFanoutChannel(options?.fanout);
+		await Promise.all([
+			this.rpc.open({
+				queryType: TransportMessage,
+				responseType: TransportMessage,
+				responseHandler: (query, context) => this.onMessage(query, context),
+				topic: this.topic,
+			}),
+			this.node.services.pubsub.addEventListener(
+				"subscribe",
+				this._onSubscriptionFn,
+			),
+			this.node.services.pubsub.addEventListener(
+				"unsubscribe",
+				this._onUnsubscriptionFn,
+			),
+		]);
 
-		// mark all our replicaiton ranges as "new", this would allow other peers to understand that we recently reopend our database and might need some sync and warmup
-		await this.updateTimestampOfOwnedReplicationRanges(); // TODO do we need to do this before subscribing?
+		const fanoutOpenPromise = this._openFanoutChannel(options?.fanout);
+		// Mark previously-owned replication ranges as "new" only when they already exist.
+		// Fresh opens have nothing to touch here, so skip the extra scan/write entirely.
+		const updateOwnedReplicationPromise = hasIndexedReplicationInfo
+			? this.updateTimestampOfOwnedReplicationRanges()
+			: Promise.resolve();
+		await Promise.all([fanoutOpenPromise, updateOwnedReplicationPromise]);
 
 		// if we had a previous session with replication info, and new replication info dictates that we unreplicate
 		// we should do that. Otherwise if options is a unreplication we dont need to do anything because
 		// we are already unreplicated (as we are just opening)
 
-		let isUnreplicationOptionsDefined = isUnreplicationOptions(
+		const isUnreplicationOptionsDefined = isUnreplicationOptions(
 			options?.replicate,
 		);
 
 		const canResumeReplication =
+			hasIndexedReplicationInfo &&
 			(await isReplicationOptionsDependentOnPreviousState(
 				options?.replicate,
 				this.replicationIndex,
 				this.node.identity.publicKey,
-			)) && hasIndexedReplicationInfo;
+			));
 
 		if (hasIndexedReplicationInfo && isUnreplicationOptionsDefined) {
 			await this.replicate(options?.replicate, { checkDuplicates: true });
@@ -3372,25 +4305,26 @@ export class SharedLog<
 
 	async afterOpen(): Promise<void> {
 		await super.afterOpen();
+		const existingSubscribersPromise = this._getTopicSubscribers(this.topic);
 
 		// We do this here, because these calls requires this.closed == false
-			void this.pruneOfflineReplicators()
-				.then(() => {
-					this._replicatorsReconciled = true;
-				})
+		void this.pruneOfflineReplicators()
+			.then(() => {
+				this._replicatorsReconciled = true;
+			})
 			.catch((error) => {
 				if (isNotStartedError(error as Error)) {
 					return;
 				}
-					logger.error(error);
-				});
+				logger.error(error);
+			});
 
-			this.startReplicatorLivenessSweep();
+		this.startReplicatorLivenessSweep();
 
-			await this.rebalanceParticipation();
+		await this.rebalanceParticipation();
 
 		// Take into account existing subscription
-		(await this._getTopicSubscribers(this.topic))?.forEach((v) => {
+		(await existingSubscribersPromise)?.forEach((v) => {
 			if (v.equals(this.node.identity.publicKey)) {
 				return;
 			}
@@ -4021,8 +4955,28 @@ export class SharedLog<
 		this._repairRetryTimers.clear();
 		this._recentRepairDispatch.clear();
 		this._repairSweepRunning = false;
-		this._repairSweepForceFreshPending = false;
-		this._repairSweepAddedPeersPending.clear();
+		this._repairSweepPendingModes.clear();
+		for (const peers of this._repairSweepPendingPeersByMode.values()) {
+			peers.clear();
+		}
+		this._repairSweepOptimisticGidPeersPending.clear();
+		this._entryKnownPeers.clear();
+		for (const timer of this._joinAuthoritativeRepairTimersByDelay.values()) {
+			clearTimeout(timer);
+		}
+		this._joinAuthoritativeRepairTimersByDelay.clear();
+		this._joinAuthoritativeRepairPeersByDelay.clear();
+		for (const targets of this._repairFrontierByMode.values()) {
+			targets.clear();
+		}
+		for (const targets of this._repairFrontierActiveTargetsByMode.values()) {
+			targets.clear();
+		}
+		if (this._appendBackfillTimer) {
+			clearTimeout(this._appendBackfillTimer);
+			this._appendBackfillTimer = undefined;
+		}
+		this._appendBackfillPendingByTarget.clear();
 
 		for (const [_k, v] of this._pendingDeletes) {
 			v.clear();
@@ -4205,6 +5159,7 @@ export class SharedLog<
 
 				if (heads) {
 					const filteredHeads: EntryWithRefs<any>[] = [];
+					const confirmedHashes = new Set<string>();
 					for (const head of heads) {
 						if (!(await this.log.has(head.entry.hash))) {
 							head.entry.init({
@@ -4213,10 +5168,22 @@ export class SharedLog<
 								encoding: this.log.encoding,
 							});
 							filteredHeads.push(head);
+						} else {
+							confirmedHashes.add(head.entry.hash);
 						}
 					}
+					const fromIsSelf = context.from.equals(this.node.identity.publicKey);
+					if (!fromIsSelf) {
+						this.markEntriesKnownByPeer(
+							heads.map((head) => head.entry.hash),
+							context.from.hashcode(),
+						);
+					}
 
 					if (filteredHeads.length === 0) {
+						if (confirmedHashes.size > 0 && !fromIsSelf) {
+							await this.sendRepairConfirmation(context.from!, confirmedHashes);
+						}
 						return;
 					}
 					const groupedByGid = await groupByGid(filteredHeads);
@@ -4350,7 +5317,15 @@ export class SharedLog<
 							}
 
 							if (toMerge.length > 0) {
+								this.markEntriesKnownByPeer(
+									toMerge.map((entry) => entry.hash),
+									context.from!.hashcode(),
+								);
 								await this.log.join(toMerge);
+								for (const merged of toMerge) {
+									confirmedHashes.add(merged.hash);
+								}
+								await this.pruneJoinedEntriesNoLongerLed(toMerge);
 
 								toDelete?.map((x) =>
 									// TODO types
@@ -4397,6 +5372,10 @@ export class SharedLog<
 						promises.push(fn()); // we do this concurrently since waitForIsLeader might be a blocking operation for some entries
 					}
 					await Promise.all(promises);
+					if (confirmedHashes.size > 0 && !context.from.equals(this.node.identity.publicKey)) {
+						this.markEntriesKnownByPeer(confirmedHashes, context.from.hashcode());
+						await this.sendRepairConfirmation(context.from!, confirmedHashes);
+					}
 				}
 			} else if (msg instanceof RequestIPrune) {
 				const hasAndIsLeader: string[] = [];
@@ -4404,6 +5383,7 @@ export class SharedLog<
 
 				for (const hash of msg.hashes) {
 					this.removePruneRequestSent(hash, from);
+					this.removeEntriesKnownByPeer([hash], from);
 
 					// if we expect the remote to be owner of this entry because we are to prune ourselves, then we need to remove the remote
 					// this is due to that the remote has previously indicated to be a replicator to help us prune but now has changed their mind
@@ -4518,6 +5498,10 @@ export class SharedLog<
 				for (const hash of msg.hashes) {
 					this._pendingDeletes.get(hash)?.resolve(context.from.hashcode());
 				}
+			} else if (msg instanceof ConfirmEntriesMessage) {
+				this.markEntriesKnownByPeer(msg.hashes, context.from.hashcode());
+				this.clearRepairFrontierHashes(context.from.hashcode(), msg.hashes);
+				return;
 			} else if (await this.syncronizer.onMessage(msg, context)) {
 				return; // the syncronizer has handled the message
 			} else if (msg instanceof BlocksMessage) {
@@ -4948,6 +5932,11 @@ export class SharedLog<
 			let messageToSend: AddedReplicationSegmentMessage | undefined = undefined;
 
 			if (assumeSynced) {
+				// `assumeSynced` is an explicit contract that this join should trust the
+				// supplied history and avoid initiating outbound repair while the local
+				// replication ranges settle.
+				this._assumeSyncedRepairSuppressedUntil =
+					Date.now() + ASSUME_SYNCED_REPAIR_SUPPRESSION_MS;
 				for (const entry of entriesToReplicate) {
 					await seedAssumeSyncedPeerHistory(entry);
 				}
@@ -5033,9 +6022,14 @@ export class SharedLog<
 				clear();
 				// `waitForReplicator()` is typically used as a precondition before join/replicate
 				// flows. A replicator can become mature and enqueue a debounced rebalance
-				// (`replicationChangeDebounceFn`) slightly later. Flush here so callers don't
-				// observe a "late" rebalance after the wait resolves.
-				await this.replicationChangeDebounceFn?.flush?.();
+				// (`replicationChangeDebounceFn`) slightly later. Kick the flush, but do not
+				// make membership waits depend on all rebalance work finishing; callers that
+				// need settled distribution already wait for that explicitly.
+				this.replicationChangeDebounceFn?.flush?.().catch((error: any) => {
+					if (!isNotStartedError(error)) {
+						logger.error(error?.toString?.() ?? String(error));
+					}
+				});
 				deferred.resolve();
 			};
 
@@ -5580,6 +6574,18 @@ export class SharedLog<
 				}
 			}
 		}
+
+		if (!options?.candidates) {
+			const fullReplicaLeaders = await this.findFullReplicaLeaders(
+				cursors.length,
+				roleAge,
+				peerFilter,
+			);
+			if (fullReplicaLeaders) {
+				return fullReplicaLeaders;
+			}
+		}
+
 		return getSamples<R>(
 			cursors,
 			this.replicationIndex,
@@ -5592,6 +6598,50 @@ export class SharedLog<
 		);
 	}
 
+	private async findFullReplicaLeaders(
+		replicas: number,
+		roleAge: number,
+		peerFilter?: Set<string>,
+	): Promise<Map<string, { intersecting: boolean }> | undefined> {
+		const now = Date.now();
+		const leaders = new Map<string, { intersecting: boolean }>();
+		const includeStrict =
+			this._logProperties?.strictFullReplicaFallback !== false;
+		const iterator = this.replicationIndex.iterate(
+			{},
+			{ shape: { hash: true, timestamp: true, mode: true } },
+		);
+
+		try {
+			for (;;) {
+				const batch = await iterator.next(64);
+				if (batch.length === 0) {
+					break;
+				}
+				for (const result of batch) {
+					const range = result.value;
+					if (peerFilter && !peerFilter.has(range.hash)) {
+						continue;
+					}
+					if (!isMatured(range, now, roleAge)) {
+						continue;
+					}
+					if (range.mode === ReplicationIntent.Strict && !includeStrict) {
+						continue;
+					}
+					leaders.set(range.hash, { intersecting: true });
+					if (leaders.size > replicas) {
+						return undefined;
+					}
+				}
+			}
+		} finally {
+			await iterator.close();
+		}
+
+		return leaders.size > 0 ? leaders : undefined;
+	}
+
 	async findLeadersFromEntry(
 		entry: ShallowOrFullEntry<any> | EntryReplicated<R>,
 		replicas: number,
@@ -6231,16 +7281,33 @@ export class SharedLog<
 
 			const changed = false;
 			const addedPeers = new Set<string>();
+			const authoritativeRepairPeers = new Set<string>();
 			const warmupPeers = new Set<string>();
+			const churnRepairPeers = new Set<string>();
 			const hasSelfWarmupChange = changes.some(
 				(change) =>
 					change.range.hash === selfHash &&
 					(change.type === "added" || change.type === "replaced"),
 			);
+			const hasSelfRangeRemoval = changes.some(
+				(change) =>
+					change.range.hash === selfHash &&
+					(change.type === "removed" || change.type === "replaced"),
+			);
 			for (const change of changes) {
+				if (
+					change.range.hash !== selfHash &&
+					(change.type === "removed" || change.type === "replaced")
+				) {
+					this.removePeerFromEntryKnownPeers(change.range.hash);
+				}
 				if (change.type === "added" || change.type === "replaced") {
 					const hash = change.range.hash;
 					if (hash !== selfHash) {
+						// Existing peers can widen/shift ranges after the initial join. If we
+						// only rescan on first-seen "added", late authoritative range updates can
+						// leave historical backfill permanently partial under load.
+						authoritativeRepairPeers.add(hash);
 						// Range updates can reassign entries to an existing peer shortly after it
 						// already received a subset. Avoid suppressing legitimate follow-up repair.
 						this._recentRepairDispatch.delete(hash);
@@ -6277,26 +7344,34 @@ export class SharedLog<
 				string,
 				Map<string, EntryReplicated<any>>
 			> = new Map();
-			const flushUncheckedDeliverTarget = (target: string) => {
-				const entries = uncheckedDeliver.get(target);
-				if (!entries || entries.size === 0) {
-					return;
-				}
+				const flushUncheckedDeliverTarget = (target: string) => {
+					const entries = uncheckedDeliver.get(target);
+					if (!entries || entries.size === 0) {
+						return;
+					}
 					const isWarmupTarget = warmupPeers.has(target);
-					const bypassRecentDedupe = isWarmupTarget || forceFreshDelivery;
+					const mode: RepairDispatchMode = forceFreshDelivery
+						? "churn"
+						: isWarmupTarget
+							? "join-warmup"
+							: "join-authoritative";
 					this.dispatchMaybeMissingEntries(target, entries, {
-						bypassRecentDedupe,
-						retryScheduleMs: isWarmupTarget
-							? JOIN_WARMUP_RETRY_SCHEDULE_MS
-							: undefined,
-						forceFreshDelivery,
+						bypassRecentDedupe: isWarmupTarget || forceFreshDelivery,
+						mode,
+						retryScheduleMs:
+							mode === "join-warmup"
+								? JOIN_WARMUP_RETRY_SCHEDULE_MS
+								: mode === "join-authoritative"
+									? [0]
+									: undefined,
 					});
-				uncheckedDeliver.delete(target);
-			};
+					uncheckedDeliver.delete(target);
+				};
 			const queueUncheckedDeliver = (
 				target: string,
 				entry: EntryReplicated<any>,
 			) => {
+				churnRepairPeers.add(target);
 				let set = uncheckedDeliver.get(target);
 				if (!set) {
 					set = new Map();
@@ -6320,74 +7395,85 @@ export class SharedLog<
 							forceFresh: forceFreshDelivery || useJoinWarmupFastPath,
 						},
 					)) {
-				if (this.closed) {
-					break;
-				}
-
-					if (useJoinWarmupFastPath) {
-						let oldPeersSet: Set<string> | undefined;
-						const gid = entryReplicated.gid;
-						oldPeersSet = gidPeersHistorySnapshot.get(gid);
-						if (!gidPeersHistorySnapshot.has(gid)) {
-							const existing = this._gidPeersHistory.get(gid);
-							oldPeersSet = existing ? new Set(existing) : undefined;
-							gidPeersHistorySnapshot.set(gid, oldPeersSet);
+						if (this.closed) {
+							break;
 						}
 
-						for (const target of warmupPeers) {
-							queueUncheckedDeliver(target, entryReplicated);
-						}
+						if (useJoinWarmupFastPath) {
+							let oldPeersSet: Set<string> | undefined;
+							const gid = entryReplicated.gid;
+							oldPeersSet = gidPeersHistorySnapshot.get(gid);
+							if (!gidPeersHistorySnapshot.has(gid)) {
+								const existing = this._gidPeersHistory.get(gid);
+								oldPeersSet = existing ? new Set(existing) : undefined;
+								gidPeersHistorySnapshot.set(gid, oldPeersSet);
+							}
 
-						const candidatePeers = new Set<string>([selfHash]);
-						for (const target of warmupPeers) {
-							candidatePeers.add(target);
-						}
-						if (oldPeersSet) {
-							for (const oldPeer of oldPeersSet) {
-								candidatePeers.add(oldPeer);
+							for (const target of warmupPeers) {
+								queueUncheckedDeliver(target, entryReplicated);
 							}
-						}
 
-						const currentPeers = await this.findLeaders(
-							entryReplicated.coordinates,
-							entryReplicated,
-							{
-								roleAge: 0,
-								candidates: candidatePeers,
-								persist: false,
-							},
-						);
+							const candidatePeers = new Set<string>([selfHash]);
+							for (const target of warmupPeers) {
+								candidatePeers.add(target);
+							}
+							if (oldPeersSet) {
+								for (const oldPeer of oldPeersSet) {
+									candidatePeers.add(oldPeer);
+								}
+							}
 
-						if (oldPeersSet) {
-							for (const oldPeer of oldPeersSet) {
-								if (!currentPeers.has(oldPeer)) {
-									this.removePruneRequestSent(entryReplicated.hash);
+							const currentPeers = await this.findLeaders(
+								entryReplicated.coordinates,
+								entryReplicated,
+								{
+									roleAge: 0,
+									candidates: candidatePeers,
+									persist: false,
+								},
+							);
+
+							if (oldPeersSet) {
+								for (const oldPeer of oldPeersSet) {
+									if (!currentPeers.has(oldPeer)) {
+										this.removePruneRequestSent(entryReplicated.hash);
+									}
 								}
 							}
-						}
 
-						this.addPeersToGidPeerHistory(
-							entryReplicated.gid,
-							currentPeers.keys(),
-							true,
-						);
+							for (const [peer] of currentPeers) {
+								if (warmupPeers.has(peer)) {
+									this.markRepairSweepOptimisticPeer(entryReplicated.gid, peer);
+								}
+							}
 
-						if (!currentPeers.has(selfHash)) {
-							this.pruneDebouncedFnAddIfNotKeeping({
-								key: entryReplicated.hash,
-								value: { entry: entryReplicated, leaders: currentPeers },
-							});
+							const authoritativePeers = [...currentPeers.keys()].filter(
+								(peer) =>
+									!warmupPeers.has(peer) &&
+									!this.hasPendingRepairSweepOptimisticPeer(entryReplicated.gid, peer),
+							);
+							this.addPeersToGidPeerHistory(
+								entryReplicated.gid,
+								authoritativePeers,
+								true,
+							);
 
-							this.responseToPruneDebouncedFn.delete(entryReplicated.hash);
-						} else {
-							this.pruneDebouncedFn.delete(entryReplicated.hash);
-							await this._pendingDeletes
-								.get(entryReplicated.hash)
-								?.reject(new Error("Failed to delete, is leader again"));
-							this.removePruneRequestSent(entryReplicated.hash);
+							if (!currentPeers.has(selfHash)) {
+								this.pruneDebouncedFnAddIfNotKeeping({
+									key: entryReplicated.hash,
+									value: { entry: entryReplicated, leaders: currentPeers },
+								});
+
+								this.responseToPruneDebouncedFn.delete(entryReplicated.hash);
+							} else {
+								this.pruneDebouncedFn.delete(entryReplicated.hash);
+								await this._pendingDeletes
+									.get(entryReplicated.hash)
+									?.reject(new Error("Failed to delete, is leader again"));
+								this.removePruneRequestSent(entryReplicated.hash);
+							}
+							continue;
 						}
-						continue;
-					}
 
 					let oldPeersSet: Set<string> | undefined;
 					const gid = entryReplicated.gid;
@@ -6421,19 +7507,30 @@ export class SharedLog<
 						}
 					}
 
-					if (oldPeersSet) {
-						for (const oldPeer of oldPeersSet) {
-							if (!currentPeers.has(oldPeer)) {
-								this.removePruneRequestSent(entryReplicated.hash);
+						if (oldPeersSet) {
+							for (const oldPeer of oldPeersSet) {
+								if (!currentPeers.has(oldPeer)) {
+									this.removePruneRequestSent(entryReplicated.hash);
+								}
 							}
 						}
-					}
 
-					this.addPeersToGidPeerHistory(
-						entryReplicated.gid,
-						currentPeers.keys(),
-						true,
-					);
+						for (const [peer] of currentPeers) {
+							if (addedPeers.has(peer)) {
+								this.markRepairSweepOptimisticPeer(entryReplicated.gid, peer);
+							}
+						}
+
+						const authoritativePeers = [...currentPeers.keys()].filter(
+							(peer) =>
+								!addedPeers.has(peer) &&
+								!this.hasPendingRepairSweepOptimisticPeer(entryReplicated.gid, peer),
+						);
+						this.addPeersToGidPeerHistory(
+							entryReplicated.gid,
+							authoritativePeers,
+							true,
+						);
 
 					if (!isLeader) {
 						this.pruneDebouncedFnAddIfNotKeeping({
@@ -6452,9 +7549,18 @@ export class SharedLog<
 				}
 				}
 
+				if (this._isAdaptiveReplicating && hasSelfRangeRemoval) {
+					await this.pruneIndexedEntriesNoLongerLed();
+				}
+
 				if (forceFreshDelivery) {
-					// Removed/shrunk ranges still need the authoritative background pass.
-					this.scheduleRepairSweep({ forceFreshDelivery, addedPeers });
+					// Pure leave/shrink churn can have zero `addedPeers`, but the peers that
+					// received redistributed entries still need a follow-up repair pass if the
+					// immediate maybe-sync misses one entry.
+					this.scheduleRepairSweep({
+						mode: "churn",
+						peers: churnRepairPeers,
+					});
 				} else if (useJoinWarmupFastPath) {
 					// Pure join warmup uses the cheap immediate maybe-missing dispatch above,
 					// then defers the authoritative sweep so it does not compete with the
@@ -6466,19 +7572,23 @@ export class SharedLog<
 							return;
 						}
 						this.scheduleRepairSweep({
-							forceFreshDelivery: false,
-							addedPeers: peers,
+							mode: "join-warmup",
+							peers,
 						});
 					}, 250);
 					timer.unref?.();
 					this._repairRetryTimers.add(timer);
-				} else if (addedPeers.size > 0) {
+				} else if (authoritativeRepairPeers.size > 0) {
 					this.scheduleRepairSweep({
-						forceFreshDelivery: false,
-						addedPeers,
+						mode: "join-authoritative",
+						peers: authoritativeRepairPeers,
 					});
 				}
 
+				if (!forceFreshDelivery && authoritativeRepairPeers.size > 0) {
+					this.scheduleJoinAuthoritativeRepair(authoritativeRepairPeers);
+				}
+
 			for (const target of [...uncheckedDeliver.keys()]) {
 				flushUncheckedDeliverTarget(target);
 			}
@@ -6585,6 +7695,13 @@ export class SharedLog<
 					return; // not allowed to replicate
 				}
 
+				if (
+					this.replicationController.maxMemoryLimit != null &&
+					usedMemory > this.replicationController.maxMemoryLimit
+				) {
+					await this.pruneIndexedEntriesNoLongerLed();
+				}
+
 				const peersSize = (await peers.getSize()) || 1;
 				const totalParticipation = await this.calculateTotalParticipation();