pub struct MeshNodeConfig {
pub bind_addr: SocketAddr,
pub psk: [u8; 32],
pub heartbeat_interval: Duration,
pub session_timeout: Duration,
pub num_shards: u16,
pub packet_pool_size: usize,
pub default_reliable: bool,
pub handshake_timeout: Duration,
pub handshake_retries: usize,
pub socket_buffers: SocketBufferConfig,
pub max_queue_depth: usize,
pub fair_quantum: usize,
pub stream_idle_timeout: Duration,
pub max_streams: usize,
pub max_channels_per_peer: usize,
pub membership_ack_timeout: Duration,
pub require_signed_capabilities: bool,
pub capability_gc_interval: Duration,
pub subnet: SubnetId,
pub subnet_policy: Option<Arc<SubnetPolicy>>,
pub default_visibility: Visibility,
pub min_announce_interval: Duration,
pub token_sweep_interval: Duration,
pub max_auth_failures_per_window: u16,
pub auth_failure_window: Duration,
pub auth_throttle_duration: Duration,
pub reflex_override: Option<SocketAddr>,
}
Configuration for a MeshNode.
Fields
bind_addr: SocketAddr
Local bind address
psk: [u8; 32]
Pre-shared key (32 bytes, shared across the mesh)
heartbeat_interval: Duration
Heartbeat interval for failure detection
session_timeout: Duration
Session timeout
num_shards: u16
Number of shards for inbound event routing
packet_pool_size: usize
Packet pool size per session
default_reliable: bool
Default reliability mode
handshake_timeout: Duration
Handshake timeout per attempt
handshake_retries: usize
Handshake retries
socket_buffers: SocketBufferConfig
Socket buffer config
max_queue_depth: usize
Max queue depth per stream for the fair scheduler.
fair_quantum: usize
Fair scheduling quantum (packets per stream per round).
stream_idle_timeout: Duration
Idle timeout before a stream is evicted from its session. A
stream with no send or receive activity for this long is dropped
on the heartbeat-loop sweep. Protects against unbounded
StreamState growth under workloads that hash into stream ids.
max_streams: usize
Hard cap on the number of streams per session. When exceeded,
the least-recently-active stream is evicted via the same path as
close_stream (logged with reason=cap_exceeded).
max_channels_per_peer: usize
Max channels a single peer may subscribe to via
SUBPROTOCOL_CHANNEL_MEMBERSHIP. Extra Subscribe requests are
rejected with AckReason::TooManyChannels. Protects the roster
from a peer that spams subscriptions.
membership_ack_timeout: Duration
Timeout for subscribe_channel / unsubscribe_channel to wait
for an Ack before returning AdapterError::Timeout.
require_signed_capabilities: bool
Drop inbound CapabilityAnnouncement packets whose signature
is missing. Defaults to true because the cap data feeds
channel-auth (can_publish / can_subscribe cap filters)
and subnet visibility — an unsigned announcement is
attacker-controlled input, and accepting it silently meant a
peer could claim any caps or subnet just by announcing. The
dispatch path still applies a second belt-and-braces guard
on individual auth-load-bearing state updates
(peer_entity_ids, peer_subnets), so explicitly setting
this to false for discovery-only deployments is
defensible; flipping this on simply makes the rejection
happen up-front instead of silently no-oping the state
writes downstream.
capability_gc_interval: Duration
How often the capability index sweeps expired entries. Low values waste CPU; high values keep stale peers queryable past their TTL.
subnet: SubnetId
This node’s subnet. Defaults to SubnetId::GLOBAL — “no
restriction.” Visibility checks compare against this value on
both the publish and subscribe paths.
subnet_policy: Option<Arc<SubnetPolicy>>
Policy applied to inbound CapabilityAnnouncements to
derive each peer’s subnet. None disables per-peer subnet
tracking; every peer is treated as GLOBAL, which in
practice means Visibility::SubnetLocal channels ship only
when both sides are GLOBAL.
default_visibility: Visibility
Visibility applied on publish when a channel has no
registered config in the local
ChannelConfigRegistry. Defaults to
Visibility::Global — simple deployments without a
registry publish unrestricted, which is the lowest-
friction default for single-subnet meshes.
Security-conservative deployments (fleets where forgetting
to register a channel should not silently leak messages
across subnets) set this to
Visibility::SubnetLocal. The publish path reads it on
every fanout, so toggling it propagates without a restart.
This is only the fallback for unregistered channels — a channel with an explicit registry entry always uses its configured visibility.
min_announce_interval: Duration
Minimum time between successive
MeshNode::announce_capabilities broadcasts from this
origin. Calls within the window coalesce: the local index
and local_announcement are updated so self-queries + late-
joiner session-open pushes reflect the latest caps, but the
network broadcast is skipped. Rate-limits apps that
re-announce in tight loops.
token_sweep_interval: Duration
Period between TokenCache expiry sweeps. A subscriber
whose token expires mid-subscription is evicted from the
SubscriberRoster and revoked from the AuthGuard
within one sweep interval. Set to Duration::MAX (or any
value longer than the mesh’s lifetime) to disable the
sweep — publishes will still re-check the guard, so this
mainly affects how quickly stale tokens drop off the
roster.
max_auth_failures_per_window: u16
Authorization-failure threshold per peer per window. A peer
that exceeds this count across a rolling
Self::auth_failure_window gets throttled — subsequent
subscribes short-circuit with AckReason::RateLimited for
Self::auth_throttle_duration without running the
cap-filter + ed25519 path. Set to u16::MAX to disable.
auth_failure_window: Duration
Rolling window over which failed subscribes are counted for the throttle check above. Default: 60 s.
auth_throttle_duration: Duration
How long a peer stays throttled after tripping the failure threshold. Default: 30 s.
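The three throttle settings above behave like a small per-peer state machine. The following stand-alone Rust model is an added illustration, not the crate's implementation: AuthThrottle, Ack, the u64 peer id and the reset-after-trip behaviour are assumptions, and `authorized` stands in for the outcome of the cap-filter + ed25519 check.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, Clone, Copy, PartialEq)]
enum Ack { Accepted, Unauthorized, RateLimited }

// Hypothetical model type; the first three fields mirror the config knobs.
struct AuthThrottle {
    max_failures: u16,  // max_auth_failures_per_window
    window: Duration,   // auth_failure_window
    throttle: Duration, // auth_throttle_duration
    failures: HashMap<u64, Vec<Instant>>, // per-peer failure timestamps
    throttled_until: HashMap<u64, Instant>,
}

impl AuthThrottle {
    fn new(max_failures: u16, window: Duration, throttle: Duration) -> Self {
        Self { max_failures, window, throttle, failures: HashMap::new(), throttled_until: HashMap::new() }
    }

    // Gate one subscribe from `peer` at time `now`.
    fn on_subscribe(&mut self, peer: u64, now: Instant, authorized: bool) -> Ack {
        if let Some(&until) = self.throttled_until.get(&peer) {
            if now < until { return Ack::RateLimited; } // short-circuit, no crypto runs
            self.throttled_until.remove(&peer);
        }
        if authorized { return Ack::Accepted; }
        if self.max_failures != u16::MAX { // u16::MAX disables the throttle
            let window = self.window;
            let log = self.failures.entry(peer).or_default();
            log.push(now);
            log.retain(|&t| now.duration_since(t) <= window); // rolling window
            if log.len() > self.max_failures as usize { // count exceeds the threshold
                log.clear(); // assumption: the count restarts after tripping
                self.throttled_until.insert(peer, now + self.throttle);
            }
        }
        Ack::Unauthorized
    }
}

// Constructed scenario: limit 3 per 60 s, 30 s throttle, one misbehaving peer.
fn simulate() -> Vec<Ack> {
    let (t0, s) = (Instant::now(), Duration::from_secs);
    let mut th = AuthThrottle::new(3, s(60), s(30));
    [(0, false), (1, false), (2, false), (3, false), (4, true), (34, true)]
        .iter().map(|&(sec, ok)| th.on_subscribe(7, t0 + s(sec), ok)).collect()
}
fn main() { println!("{:?}", simulate()); }
```

In this model the fourth failure trips the throttle, so the otherwise valid subscribe at t = 4 s is still answered RateLimited, and the peer is accepted again only once the 30 s throttle has elapsed.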
reflex_override: Option<SocketAddr>
Override the mesh’s public-facing SocketAddr — the
address peers see this node as reachable at. When Some,
the classifier’s background sweep is skipped entirely and
the node immediately advertises NatClass::Open with the
supplied SocketAddr on its capability announcements.
Intended for:
- Port-forwarded servers. An operator who has manually configured a port forward knows the external address directly; setting this short-circuits the multi-peer classification that wouldn’t discover anything new.
- Stage-4 port mapping (UPnP / NAT-PMP / PCP). A successful mapping installation records the mapped external ip:port here, so subsequent peers see the node as Open without the classifier needing to probe for a reflex.
Framing (plan §4): this is an optimization surface, not a
connectivity requirement — a node with no override still
reaches every peer through routed-handshake. Stored on
MeshNodeConfig so both programmatic callers and future
port-mapping runtime writers have a single site to update.
Default: None (use classifier observations).
Implementations
impl MeshNodeConfig
pub fn new(bind_addr: SocketAddr, psk: [u8; 32]) -> Self
Create with minimal required fields.
pub fn with_reflex_override(self, external: SocketAddr) -> Self
Set the reflex override — the public SocketAddr this
node advertises to peers. See
MeshNodeConfig::reflex_override for semantics.
Requires the nat-traversal cargo feature.
pub fn with_heartbeat_interval(self, interval: Duration) -> Self
Set heartbeat interval.
pub fn with_session_timeout(self, timeout: Duration) -> Self
Set session timeout.
pub fn with_num_shards(self, n: u16) -> Self
Set number of shards.
pub fn with_handshake(self, retries: usize, timeout: Duration) -> Self
Set handshake timing.
pub fn with_require_signed_capabilities(self, require: bool) -> Self
Require inbound CapabilityAnnouncement packets to carry a
signature. Unsigned announcements are dropped silently (a
trace is emitted).
pub fn with_capability_gc_interval(self, interval: Duration) -> Self
Set the capability-index GC sweep interval.
pub fn with_min_announce_interval(self, interval: Duration) -> Self
Set the minimum interval between outbound capability-
announcement broadcasts. See Self::min_announce_interval.
pub fn with_token_sweep_interval(self, interval: Duration) -> Self
Set the token-expiry sweep interval. See
Self::token_sweep_interval.
pub fn with_auth_failure_limit(self, max_per_window: u16, window: Duration, throttle: Duration) -> Self
Tune the per-peer authorization-failure rate limit. See
Self::max_auth_failures_per_window.
pub fn with_subnet(self, subnet: SubnetId) -> Self
Pin this node to a specific subnet.
pub fn with_subnet_policy(self, policy: Arc<SubnetPolicy>) -> Self
Derive each peer’s subnet locally by applying this policy to
their inbound CapabilityAnnouncements. Mesh-wide policy
consistency is assumed; mismatched policies lead to
asymmetric views of peer subnets.
pub fn with_default_visibility(self, visibility: Visibility) -> Self
Override the visibility applied to publishes on channels
that have no registered config. Defaults to
Visibility::Global — messages flow unrestricted when
no registry entry exists. Flip to
Visibility::SubnetLocal for fail-closed deployments
where forgetting to register a channel should confine
messages to the local subnet rather than broadcasting
them mesh-wide.
No effect on channels that do have a registry entry — their configured visibility always wins.
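How the default_visibility fallback interacts with subnet and subnet_policy is easiest to see on a concrete fanout. The following stand-alone Rust model is an added illustration, not the crate's code: Node, the u32 subnet ids, the channel and peer names are hypothetical, only the two Visibility variants named in these docs are modelled, and SubnetLocal is assumed to mean exact subnet equality.

```rust
use std::collections::HashMap;

// Simplified: only the two variants named in the docs above.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Visibility { Global, SubnetLocal }

const GLOBAL: u32 = 0; // stand-in for SubnetId::GLOBAL

// Hypothetical model of the settings involved, not the crate's types.
struct Node {
    subnet: u32,                           // subnet
    default_visibility: Visibility,        // default_visibility
    registry: HashMap<String, Visibility>, // stand-in for ChannelConfigRegistry
    has_subnet_policy: bool,               // subnet_policy is Some(..)
}

impl Node {
    // A registry entry always wins; the default is only the fallback.
    fn effective_visibility(&self, channel: &str) -> Visibility {
        self.registry.get(channel).copied().unwrap_or(self.default_visibility)
    }

    // Names of the peers a publish reaches; `peers` is (name, announced subnet).
    fn fanout<'a>(&self, channel: &str, peers: &[(&'a str, u32)]) -> Vec<&'a str> {
        let vis = self.effective_visibility(channel);
        peers.iter()
            .filter(|&&(_, announced)| {
                // With no subnet policy every peer is treated as GLOBAL.
                let peer = if self.has_subnet_policy { announced } else { GLOBAL };
                // Assumption: SubnetLocal means exact subnet equality.
                vis == Visibility::Global || peer == self.subnet
            })
            .map(|&(name, _)| name)
            .collect()
    }
}

// Constructed scenario: node in subnet 7, peers in subnets 7 and 9, and one
// registered channel. Returns the fanout for the given configuration.
fn scenario(default: Visibility, policy: bool, channel: &str) -> Vec<&'static str> {
    let mut registry = HashMap::new();
    registry.insert("ops.audit".to_string(), Visibility::SubnetLocal);
    let node = Node { subnet: 7, default_visibility: default, registry, has_subnet_policy: policy };
    node.fanout(channel, &[("peer-a", 7), ("peer-b", 9)])
}

fn main() {
    println!("{:?}", scenario(Visibility::Global, true, "metrics.raw"));
}
```

With the Global default the unregistered channel reaches the peer in subnet 9 as well; with SubnetLocal it stays inside subnet 7, and with no subnet policy on a node pinned to a non-GLOBAL subnet it reaches no peer at all.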
Trait Implementations
impl Clone for MeshNodeConfig
fn clone(&self) -> MeshNodeConfig
fn clone_from(&mut self, source: &Self)