Validator node
A validator secures the network: it discovers peers from the on-chain registry, receives
signed commitment records from providers, audits a sampled fraction of replies, and (when it
holds the settlement role) gathers peer co-signatures and submits the on-chain quorum settle.
The binary is ogong-validatord.
Build
cargo build --release --features settlement \
-p validator-service --bin ogong-validatord --bin ogong-verifierd
The settlement feature is what enables on-chain settle; build without it for an
audit-/cosign-only node.
Run
ogong-validatord \
--bind 0.0.0.0:4533 \
--alpha 1 \
--verifier-endpoint 127.0.0.1:4544 \
--verifier-cert /path/to/verifier.der
Key flags
| Flag | Default | Meaning |
|---|---|---|
--bind <addr> | 0.0.0.0:4533 | UDP address for the QUIC endpoint |
--alpha <0..1> | 1.0 | Audit coverage. 1 audits every reply; 0 audits none |
--verifier-endpoint <host:port> | - | Verifier to auto-dispatch audit-selected replies to |
--verifier-cert <path> | - | Pinned verifier cert (PEM/DER); required with the endpoint |
--peer <host:port|cert> | - | Peer validator for the audit beacon; repeatable |
--s <prob> | 1.0 | Verifier soundness (chance a substitute reply is rejected) |
--eps <prob> | 0.0 | Verifier false-positive rate (honest reply rejected) |
--beta <rate> | 0.001 | Target lifetime false-ejection rate (the Ville bound) |
--consensus | false | Run the shared-ordered-log consensus driver atop quorum-settle |
Without --verifier-endpoint, audited replies await a manual verdict submission instead of
auto-dispatch. With no --peer, the node draws its audit beacon solo.
In production the audit randomness comes from the threshold-BLS committee beacon (set up by
a dealerless DKG across the registered validators); the per-validator VRF described by --peer
is the bootstrap fallback used until that committee key is established.
Discovery - no manual peering
A validator reads the on-chain registry every ~30s (at confirmed commitment) to discover
peers. You stake and register the node on-chain with its real endpoint and cert; from then
on the mesh finds itself. The --peer flag exists for the audit beacon and for setups
without registry discovery.
consensus_id = sha256(cert) ties a registered validator to the cert it presents over QUIC,
so peers pin each other by their on-chain-registered certs.
Settlement environment
When a node holds the settlement role it needs these (the settlement feature reads them):
| Env var | Purpose |
|---|---|
OGONG_VALIDATOR_KEYPAIR | this validator’s keypair |
OGONG_VALIDATOR_CERT_OUT | where to write its QUIC cert for peer pinning |
OGONG_PROGRAM_ID | the on-chain program id |
OGONG_RPC_URL | Solana RPC endpoint |
OGONG_AUTHORITY_KEYPAIR | settlement authority |
OGONG_MINT | the OGONG mint |
OGONG_FEE_OWNERS | fee/payout owners |
OGONG_QUORUM | k - required co-signers (including the authority) |
A release settles only when authority + k co-signatures are assembled. Cosign-only peers
run without the sink env (strip it with env -u if reusing a shell).
The verifier
ogong-verifierd is the audit muscle a validator dispatches to. It re-runs sampled steps of
a committed trajectory on an independent engine and returns a verdict.
ogong-verifierd \
--bind 0.0.0.0:4544 \
--provider-url http://127.0.0.1:11436 \
--k 2 \
--cert-out verifier.der
| Flag | Default | Meaning |
|---|---|---|
--bind <addr> | 0.0.0.0:4544 | QUIC bind address |
--provider-url <url> | - | the engine to re-run the committed work on |
--ref-url <url> | - | reference model endpoint (when distinct) |
--audio-engine-url <url> | - | audio engine for diffusion-audio audits |
--k <n> | 2 | sampled steps per audit |
--cert-out <path> | - | write the verifier’s pinned cert here |
Run the verifier against a separate engine instance from the provider’s; soundness comes from independent re-execution, not co-location.
See How verification works for the audit theory.