ME Soft Reinit tuning

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>

src/config/defaults.rs

@@ -182,6 +182,26 @@ pub(crate) fn default_update_every_secs() -> u64 {
     30 * 60
 }
 
+pub(crate) fn default_me_config_stable_snapshots() -> u8 {
+    2
+}
+
+pub(crate) fn default_me_config_apply_cooldown_secs() -> u64 {
+    300
+}
+
+pub(crate) fn default_proxy_secret_stable_snapshots() -> u8 {
+    2
+}
+
+pub(crate) fn default_proxy_secret_rotate_runtime() -> bool {
+    true
+}
+
+pub(crate) fn default_proxy_secret_len_max() -> usize {
+    256
+}
+
 pub(crate) fn default_me_reinit_drain_timeout_secs() -> u64 {
     120
 }

src/config/load.rs

@@ -147,6 +147,24 @@ impl ProxyConfig {
             }
         }
 
+        if config.general.me_config_stable_snapshots == 0 {
+            return Err(ProxyError::Config(
+                "general.me_config_stable_snapshots must be > 0".to_string(),
+            ));
+        }
+
+        if config.general.proxy_secret_stable_snapshots == 0 {
+            return Err(ProxyError::Config(
+                "general.proxy_secret_stable_snapshots must be > 0".to_string(),
+            ));
+        }
+
+        if !(32..=4096).contains(&config.general.proxy_secret_len_max) {
+            return Err(ProxyError::Config(
+                "general.proxy_secret_len_max must be within [32, 4096]".to_string(),
+            ));
+        }
+
         if !(0.0..=1.0).contains(&config.general.me_pool_min_fresh_ratio) {
             return Err(ProxyError::Config(
                 "general.me_pool_min_fresh_ratio must be within [0.0, 1.0]".to_string(),
@@ -462,6 +480,66 @@ mod tests {
         let _ = std::fs::remove_file(path);
     }
 
+    #[test]
+    fn me_config_stable_snapshots_zero_is_rejected() {
+        let toml = r#"
+            [general]
+            me_config_stable_snapshots = 0
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_me_config_stable_snapshots_zero_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains("general.me_config_stable_snapshots must be > 0"));
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn proxy_secret_stable_snapshots_zero_is_rejected() {
+        let toml = r#"
+            [general]
+            proxy_secret_stable_snapshots = 0
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_proxy_secret_stable_snapshots_zero_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains("general.proxy_secret_stable_snapshots must be > 0"));
+        let _ = std::fs::remove_file(path);
+    }
+
+    #[test]
+    fn proxy_secret_len_max_out_of_range_is_rejected() {
+        let toml = r#"
+            [general]
+            proxy_secret_len_max = 16
+
+            [censorship]
+            tls_domain = "example.com"
+
+            [access.users]
+            user = "00000000000000000000000000000000"
+        "#;
+        let dir = std::env::temp_dir();
+        let path = dir.join("telemt_proxy_secret_len_max_out_of_range_test.toml");
+        std::fs::write(&path, toml).unwrap();
+        let err = ProxyConfig::load(&path).unwrap_err().to_string();
+        assert!(err.contains("general.proxy_secret_len_max must be within [32, 4096]"));
+        let _ = std::fs::remove_file(path);
+    }
+
     #[test]
     fn me_pool_min_fresh_ratio_out_of_range_is_rejected() {
         let toml = r#"

src/config/types.rs

@@ -267,6 +267,26 @@ pub struct GeneralConfig {
     #[serde(default)]
     pub update_every: Option<u64>,
 
+    /// Number of identical getProxyConfig snapshots required before applying ME map updates.
+    #[serde(default = "default_me_config_stable_snapshots")]
+    pub me_config_stable_snapshots: u8,
+
+    /// Cooldown in seconds between applied ME map updates.
+    #[serde(default = "default_me_config_apply_cooldown_secs")]
+    pub me_config_apply_cooldown_secs: u64,
+
+    /// Number of identical getProxySecret snapshots required before runtime secret rotation.
+    #[serde(default = "default_proxy_secret_stable_snapshots")]
+    pub proxy_secret_stable_snapshots: u8,
+
+    /// Enable runtime proxy-secret rotation from getProxySecret.
+    #[serde(default = "default_proxy_secret_rotate_runtime")]
+    pub proxy_secret_rotate_runtime: bool,
+
+    /// Maximum allowed proxy-secret length in bytes for startup and runtime refresh.
+    #[serde(default = "default_proxy_secret_len_max")]
+    pub proxy_secret_len_max: usize,
+
     /// Drain-TTL in seconds for stale ME writers after endpoint map changes.
     /// During TTL, stale writers may be used only as fallback for new bindings.
     #[serde(default = "default_me_pool_drain_ttl_secs")]
@@ -346,6 +366,11 @@ impl Default for GeneralConfig {
             hardswap: default_hardswap(),
             fast_mode_min_tls_record: default_fast_mode_min_tls_record(),
             update_every: Some(default_update_every_secs()),
+            me_config_stable_snapshots: default_me_config_stable_snapshots(),
+            me_config_apply_cooldown_secs: default_me_config_apply_cooldown_secs(),
+            proxy_secret_stable_snapshots: default_proxy_secret_stable_snapshots(),
+            proxy_secret_rotate_runtime: default_proxy_secret_rotate_runtime(),
+            proxy_secret_len_max: default_proxy_secret_len_max(),
             me_pool_drain_ttl_secs: default_me_pool_drain_ttl_secs(),
             me_pool_min_fresh_ratio: default_me_pool_min_fresh_ratio(),
             me_reinit_drain_timeout_secs: default_me_reinit_drain_timeout_secs(),