Enum ConfigError 

pub enum ConfigError {
    InvalidDeviationBps,
    InvalidStalenessSeconds,
    InvalidLiquidityThreshold,
    InvalidCrossSourceBps,
    InvalidHaltLedgers,
    InvalidTradeCountThreshold,
    InvalidSnapshotAge,
    InvalidPreviousStalenessSeconds,
}

Errors returned by SafeOracleConfig::validate when a config field has an out-of-range value that would silently disable a guardrail or produce nonsensical behavior at runtime.

Spec

See spec §4 — Config Struct. Validation prevents silent guardrail disabling caused by misconfiguration (e.g., max_deviation_bps = 0 allows infinite deviation, effectively disabling the deviation check without any visible signal).

Audit notes

• Validation is opt-in — callers must invoke config.validate(). The library does not enforce validation in lastprice() to avoid per-call gas cost. Production integrators should validate at init time (recommended pattern: MockLending::initialize calls validate).

• All errors are recoverable at init time; runtime config changes are not supported (config is immutable after deploy per spec §4).

Variants

InvalidDeviationBps

max_deviation_bps is 0 (allows infinite deviation, disabling the check) or > 10_000 (100% — values above this are nonsensical for a relative-deviation threshold).

InvalidStalenessSeconds

max_staleness_seconds is 0 (rejects every recorded price as stale) or > 86_400 (24h — stale data older than a day is unsafe regardless of how lenient the integrator wants to be).

InvalidLiquidityThreshold

min_liquidity_usd is <= 0 — negative values are semantically nonsense (liquidity is non-negative by definition), and 0 silently disables the Layer 2 liquidity check (every snapshot’s volume_30m_usd > 0 trivially passes the threshold). Same defensive principle as InvalidTradeCountThreshold: a zero guardrail is no guardrail.

AR.H M1 closure

This variant’s runtime rule was tightened from < 0 to <= 0 after AR.H surfaced the silent-disable case as the single residual asymmetry from Hardening Closure (Debt #22).

InvalidCrossSourceBps

max_cross_source_bps is 0 (requires impossible primary/secondary price equality) or > 10_000 (semantically nonsensical, > 100% deviation) when secondary_oracle is configured. Validation skipped if secondary is None (field is dormant).

AR.H L2 closure

Validation rule was tightened from > 10_000 only to == 0 || > 10_000 after AR.H surfaced the silent-footgun case where a zero threshold produces always-fires CrossSourceMismatch on every borrow.

InvalidHaltLedgers

circuit_breaker_halt_ledgers is 0 (degenerate halt window — the breaker would fire and immediately auto-recover, providing no actual halt) or > MAX_CIRCUIT_BREAKER_HALT_LEDGERS (~1 week, beyond the reasonable auto-recovery window) when circuit_breaker_enabled is true. Validation skipped if breaker is disabled (field is dormant).

AR.H L1 closure

Upper bound added after AR.H surfaced that u32::MAX (~6.8 years at Stellar’s ledger cadence) makes a misconfigured deploy effectively-permanently halted without governance intervention.

InvalidTradeCountThreshold

min_trade_count_1h is 0 — disables thin-sampling check entirely (every snapshot’s unique_trades_1h >= 0 always true). Same defensive principle as InvalidDeviationBps: a “guardrail of zero” is no guardrail at all. Integrators wanting to disable Layer 2 thin-sampling should leave the guardrail’s threshold meaningful and route around it via Layer 1 / circuit breaker controls.

Hardening 3A follow-up (Debt #22)

This variant closes the gap intentionally left open in Hardening 3A, where the prompt’s “5 variant” boundary kept the pattern consistent with the other guardrails but left two silent-disable cases undetected. Hardening Closure brings parity.

InvalidSnapshotAge

max_snapshot_age_seconds is 0 (rejects all snapshots) or > 86_400 (24h — staler than this is unsafe regardless of integrator intent). Mirrors InvalidStalenessSeconds boundary logic for the Layer 2 path.

Hardening 3A follow-up (Debt #22)

Same closure rationale as InvalidTradeCountThreshold. The Hardening 3A boundary kept the new-variant count at 5; the Layer 2 snapshot age validation remained an audit-trail gap until this patch.

InvalidPreviousStalenessSeconds

previous_max_staleness_seconds == 0 silently disables the previous-price freshness check (every previous price would be classified StaleData, blocking every borrow), or > 86_400 (24h) accepts unsafe staleness for the deviation reference. Mirrors InvalidStalenessSeconds boundary logic.

Phase 7.2 addition — pairs with the new previous_max_staleness_seconds field on SafeOracleConfig.

Implementations

impl ConfigError

pub const fn spec_xdr() -> [u8; 4580]

Trait Implementations

impl Clone for ConfigError

fn clone(&self) -> ConfigError

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ConfigError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for ConfigError

fn eq(&self, other: &ConfigError) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl TryFromVal<Env, &ConfigError> for Val

type Error = ConversionError

fn try_from_val(env: &Env, val: &&ConfigError) -> Result<Self, ConversionError>

impl TryFromVal<Env, ConfigError> for Val

type Error = ConversionError

fn try_from_val(env: &Env, val: &ConfigError) -> Result<Self, ConversionError>

impl TryFromVal<Env, Val> for ConfigError

type Error = ConversionError

fn try_from_val(env: &Env, val: &Val) -> Result<Self, ConversionError>

impl Eq for ConfigError

impl StructuralPartialEq for ConfigError