KWAM — Erasure coding & durability: nines as a design target

00 · The math, in motion

The KWAM mathematics

RS(8,4) over GF(2⁸): 8 data + 4 parity, any 8 of 12 rebuild the exact original, six nines as a design target.

01 · The code

RS(8,4): any 8 of 12 fragments rebuild the original

Reed–Solomon over GF(2⁸): a standard systematic MDS construction, so it tolerates the loss of any 4 of 12.

8 data + 4 parity

Each object is split into 8 data fragments and 4 parity fragments. The code is MDS, so any 8 of the 12 reconstruct the exact original, bit-for-bit, exhaustively tested.

Survives any 4 losses

Lose any 4 of the 12 fragments and the data still rebuilds. Below 8 survivors the data is gone; KWAM reports that, it does not fabricate it.

Content-addressed

Every fragment carries a SHA-256 content address: cid = sha256:<64hex>. A corrupted fragment fails its hash and becomes a known erasure: detected, never silently used.

Pure math Recovery is deterministic linear algebra over a finite field: no AI, no randomness. The deterministic codec produces the bytes; the model is advisory only and never produces a data byte.

02 · The millibit

Same nines at roughly one-third the stored bytes

A millibit is stored bits per logical bit × 1000: a unit of fractional redundancy (information), not a sub-bit storage cell. A stored bit is indivisible.

1500 millibit

RS(8,4): 1.5× stored bytes to tolerate any 4-of-12 loss.

5000 millibit

Plain replication needs factor 5 (5× stored bytes) to tolerate the same 4-loss.

~⅓

RS gives the same nines at roughly one-third the stored bytes of replication.

What a millibit is not The millibit measures fractional redundancy, not fractional storage. You cannot store half a bit; a stored bit is indivisible. The unit describes how much information overhead the code carries per logical bit.

03 · Six nines

A design target — an annual durability probability

KWAM signs the number it can measure and reproduce: six nines (99.9999%) durability, as a design target, not a guarantee of perfection. It is discounted from naive arithmetic for real-world correlation.

Why discounted Shared cooling and power couple domains that look "independent" on paper. Operators see correlated-failure rates an order or two above optimistic models, so the headline target is six nines, not eleven. We do not multiply out an idealized independence we cannot defend.

Below k survivors, the data is gone: we report it, we don't fabricate it If failures exceed the code distance, the data is lost. KWAM surfaces that loss rather than inventing bytes. Knowing is not recovering; that residual is the nines.

A measured integrity rate Alongside the six-nines design target, KWAM now also reports a measured integrity rate: the observed no-silently-corrupted-bits rate, carried with its sample size and a confidence interval, computed by a deterministic harness and never by the model. The headline durability stays a design target; the measured rate is what we can show and reproduce today.

A design target and a measured rate, never blended into one number The six-nines figure is a design target. Separately, KWAM surfaces a measured recovery rate from real round-trips, carried with its sample size and a 95% confidence interval (a rule-of-three bound when zero failures are observed). One is a target; the other is a measurement. We keep them apart and never collapse the two into a single headline figure.

04 · The compiler-checked guard

The language rejects a durability claim its math can't back Designed · demonstrated

A guard block declares a durability in nines. The validator checks it against replication factor, fault-domain independence, MTTR and audited node/domain MTBF via a closed form.

Assert more nines than the math supports and the validator rejects the guard with a reproducible verdict. For example, claiming 11nines at factor 3 is rejected; backed: 6 nines.

This is demonstrated in the shipped validator's conformance suite: the unbacked-guard rejection above is a passing test, and the verdict is deterministic and reproducible. We still say compiler-checked against a stated model, never "compiler-verified": the check is only as strong as the declared failure-model inputs.

The architecture itself is grounded in practice, not invented: exabyte-scale physics archives run the same shape today, where a failed integrity check converts corruption into an erasure repaired by deterministic Reed–Solomon reconstruction, and the same code family has flown on spacecraft data recorders for decades. KWAM's difference is that the gate is cryptographic (SHA-256), closing the documented failure mode where lightweight checksums collide and miss real corruption.

The KWAM language Language reference

Rejected counter-example

guard durability {
  durability: 11nines
  factor: 3
}
# validator verdict
# REJECTED — claimed 11 nines,
# math backs 6 nines at factor 3

05 · Recovery time

Two MTTRs — stated separately, never conflated

Per-bit replica restore is fast. Fleet-scale correlated recovery is not, and we will not pretend otherwise.

Scenario	Recovery target	Notes
(a) Per-bit replica restore	p99 < 60–90s	Under independent single-node loss, KWAM-controlled.
(b) Fleet recovery, correlated AZ-scale loss	minutes to hours	Throughput-bounded; explicitly not 60s. Surfaced as time_to_full_redundancy.
(c) Code-activation	bounded by safe-point	Cooperative hot-swap; a non-cooperative reexec path for security-critical swaps.

Don't conflate them The fast number, p99 under 60–90s, is per-bit replica restore under independent single-node loss. It is not the fleet's recovery time under a correlated AZ-scale event, which is minutes-to-hours and throughput-bounded. We report fleet recovery as time_to_full_redundancy.

06 · The SDK

protect → recover, a deterministic round-trip

Embeddable from Python. The codec produces the bytes; the SHA gate verifies them.

from kwam import protect, recover

# split into 8 data + 4 parity, each SHA-256 content-addressed
fragments = protect(data, k=8, m=4)

# lose any 4 of 12 — corrupted fragments fail their hash and
# become known erasures, never silently used
survivors = drop_any(fragments, 4)

# pure deterministic math rebuilds the exact original
original = recover(survivors)
assert original == data   # bit-for-bit, exhaustively tested

Below k survivors, the data is gone: we report it, we don't fabricate it With fewer than 8 surviving fragments, recover cannot reconstruct the object. KWAM surfaces the loss; it does not manufacture bytes.

07 · Roadmap codes

More codes — each a design target until its nines math is verified

RS(8,4) is in production today. These are additional codes on the roadmap, and they stay design targets: none ships until its durability math is verified the same way RS(8,4) was.

LRC designed Clay designed RaptorQ (fountain) designed RLNC designed

The bar to ship A code is built when its nines are measured and reproduced, not when it merely encodes and decodes. Until then it carries a designed badge.

A durability SLA you can defend

Six nines as a design target, no silently-corrupted bits, and a residual we surface rather than hide. Tell us about your fleet.

Request a license Space weather

Legal

Ownership & governing law

KWAM is our intellectual property, grounded in Swiss law.

Intellectual property & governing law

KWAM is the sole and exclusive property of the owners of KWAM.CH

KWAM — its source code, the KWAM language, the JHMM reconstruction orchestrator, the deterministic codec runtime, and all associated AI components — is a proprietary computer program and the sole and exclusive intellectual property of KWAM.CH. As a computer program it is a protected work under the Swiss Federal Act on Copyright and Related Rights (Copyright Act, CopA), and the exclusive rights of use vest in KWAM as employer; it is further protected as a trade secret under the Swiss Federal Act Against Unfair Competition (UCA). KWAM is offered by private licence only. All rights reserved.

CopA (SR 231.1) Art. 2 para. 3 & Art. 17 · UCA (SR 241) Art. 6 · Governed by the laws of Switzerland · Place of jurisdiction: Zürich