diff --git a/website/design.html b/website/design.html
index 5c938b7..b608721 100644
--- a/website/design.html
+++ b/website/design.html
@@ -1034,13 +1034,24 @@ FAILURE: C → B → A: AnchorProbeResult { reachable: false }Engagement propagation
Reactions, comments, and policy changes propagate via BlobHeaderDiff (0xD0) through the CDN tree:
- - Push (real-time): On react/comment, the diff is sent to both downstream peers (CDN tree children) and the upstream peer (who we got the post from). Each intermediate node re-propagates both directions, excluding sender. This flows the diff up to the author and down to all holders.
+ - Push (real-time): On react/comment, the diff is sent to both downstream peers (CDN tree children) and all upstream peers (up to 3, who we got the post from). Each intermediate node re-propagates both directions, excluding sender. This flows the diff up to the author and down to all holders.
- Auto downstream registration: Nodes that receive a post via pull sync or push notification automatically send
PostDownstreamRegister (0xD3) to the sender, ensuring bidirectional diff flow.
- - Pull (safety net): Every 5 minutes, the pull cycle requests
BlobHeaderRequest (0xD1) with the local header timestamp. Peers respond with the full header only if theirs is newer. Additive merge — store_reaction upserts, store_comment inserts with ON CONFLICT DO NOTHING.
- - Tombstones: Deleted reactions and comments are not hard-deleted. Instead, a
deleted_at timestamp is set on the record. Tombstones propagate via pull sync headers — when a peer receives a header with a tombstoned entry, it applies the deletion locally. This prevents deleted engagement from being re-introduced by peers that haven't yet received the deletion.
+ - Pull (safety net): Tiered frequency based on content age: 5min (<72h), 1hr (3-14d), 4hr (14-30d), 24hr (>30d). Requests
BlobHeaderRequest (0xD1) with local header timestamp. Peers respond with full header only if newer. Additive merge — store_reaction upserts, store_comment inserts with ON CONFLICT DO NOTHING. Writes batched per chunk (single lock acquisition).
+ - Tombstones: Deleted reactions and comments are not hard-deleted. Instead, a
deleted_at timestamp is set on the record. Tombstones propagate via pull sync headers. Prevents deleted engagement from being re-introduced by peers that haven't yet received the deletion.
- Planned: Pull engagement from both upstream and downstream peers to catch missed diffs from either direction.
+ Engagement security Complete
+ Engagement operations are cryptographically verified on receipt to prevent forgery and unauthorized modification:
+
+ - Reaction signatures: Each reaction carries an ed25519 signature over
BLAKE3(reactor || post_id || emoji || timestamp_ms). Verified before storing. Unsigned reactions from older nodes accepted for backward compatibility (#[serde(default)] on signature field).
+ - Comment signatures: Comments carry an ed25519 signature (existing field).
verify_comment_signature() now called on receipt via BlobHeaderDiff. Forged comments rejected.
+ - Reaction removal: Only the reactor (original author of the reaction) or the post author can remove a reaction. Sender verified against
reactor and payload.author.
+ - Comment edit/delete: Only the comment author can edit; comment author or post author can delete. Sender identity verified via QUIC transport authentication (iroh ed25519).
+ - BlobHeader author: When rebuilding headers after engagement diffs, the author is verified against the stored post’s actual author, not trusted from the payload. Prevents relay nodes from misattributing headers.
+ - BlobHeader source of truth: The
reactions and comments tables are authoritative. The blob_headers JSON is a derived snapshot rebuilt after each engagement operation. When they diverge (e.g., after a BlobHeaderResponse with a newer snapshot), the next engagement op rebuilds from tables.
+
+
Device roles & bandwidth budgets Complete
Each node advertises its device role in InitialExchange, which determines its bandwidth budgets for replication (pulling posts to cache) and delivery (serving requests from peers):