
serviceability: allow count > max in Device::validate #3600

Merged
ben-dz merged 1 commit into main from bdz/relax-device-max-validate
Apr 29, 2026

ben-dz (Contributor) commented Apr 28, 2026

Summary

  • Removes the four count <= max invariants from Device::validate (max_users, max_unicast_users, max_multicast_subscribers, max_multicast_publishers) so operators can lower a per-device cap below the live count.
  • Admission-time gates in processors/user/create_core.rs continue to reject new users when the cap is hit, so reducing the cap simply prevents further growth and the live count drains through natural churn.
  • Restores the pre-#2259 (fix: add max_user exceeded check) behavior for max_users, and extends the same operator-friendly behavior to the per-type caps added in #2863 (serviceability: add per-device unicast and multicast user limits).

Why

Today doublezero device update --max-multicast-subscribers N (or any of the other caps) fails with MaxMulticastSubscribersExceeded whenever the current count exceeds N — making the cap a hard floor at the live count. There's no graceful way to shrink a cap. The structural invariant in validate() duplicates the admission check at user creation time; only the admission check meaningfully gates behavior, so removing the structural one is safe.

Example on testnet:

$ doublezero --env testnet device update --pubkey 6E1fuqbDBG5ejhYEGKHNkWG5mSTczjy4R77XCKEdUtpb --max-multicast-subscribers 1
Program log: Max multicast subscribers exceeded: multicast_subscribers_count = 2, max_multicast_subscribers = 1
Error: Max multicast subscribers exceeded

Testing Verification

  • Updated the two unit tests that asserted the old behavior (test_state_device_validate_error_max_users_exceeded, test_max_users_exceeded) to instead assert that validate() succeeds when count > max for all four caps.
  • Ran integration tests in device_test.rs (11 pass) and user_tests.rs (6 pass) to confirm nothing else relied on the structural invariant.

Remove the structural count <= max invariants in Device::validate so
operators can lower a per-device cap below the live count. Admission-
time gates in user create_core enforce the cap when new users connect,
so reducing the cap simply prevents further growth and lets the live
count drain through natural churn.

Affects all four caps: max_users, max_unicast_users,
max_multicast_subscribers, max_multicast_publishers. Before this change,
'doublezero device update --max-multicast-subscribers N' (or any of the
other caps) failed with MaxMulticastSubscribersExceeded whenever the
current count exceeded N, blocking graceful shrinking.
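
Added example, not part of the PR or the project's code: a minimal Rust model of one cap, showing the old structural check rejecting the testnet case (count = 2, cap = 1), the relaxed validate accepting it, and the admission gate still refusing new subscribers until churn brings the count below the cap. Field and error names are taken from the PR text; validate_strict, admit_subscriber, remove_subscriber and drain_scenario are assumed names, and the `>=` comparison in the gate is an assumption about how "cap is hit" is tested.

```rust
// Added model of the PR's argument; not the project's code. Field and error
// names come from the PR text; every function name except `validate` is assumed.
#[derive(Debug, PartialEq)]
pub enum DeviceError { MaxMulticastSubscribersExceeded }

pub struct Device {
    pub max_multicast_subscribers: u16,
    pub multicast_subscribers_count: u16,
}

impl Device {
    /// Old structural invariant: rejects any state where count > max.
    pub fn validate_strict(&self) -> Result<(), DeviceError> {
        if self.multicast_subscribers_count > self.max_multicast_subscribers {
            return Err(DeviceError::MaxMulticastSubscribersExceeded);
        }
        Ok(())
    }
    /// After the change: count > max is a legal state for this cap.
    pub fn validate(&self) -> Result<(), DeviceError> { Ok(()) }

    /// Admission-time gate (stand-in for the check at user creation).
    /// Assumption: a new subscriber is rejected once count >= max.
    pub fn admit_subscriber(&mut self) -> Result<(), DeviceError> {
        if self.multicast_subscribers_count >= self.max_multicast_subscribers {
            return Err(DeviceError::MaxMulticastSubscribersExceeded);
        }
        self.multicast_subscribers_count += 1;
        Ok(())
    }
    /// Natural churn: one subscriber disconnects.
    pub fn remove_subscriber(&mut self) {
        self.multicast_subscribers_count = self.multicast_subscribers_count.saturating_sub(1);
    }
}

/// Replays the testnet case (count = 2, cap lowered to 1). Returns whether the
/// old and new validate accept the update, then admission results at count 2, 1, 0.
pub fn drain_scenario() -> (bool, bool, [bool; 3]) {
    let mut d = Device { max_multicast_subscribers: 1, multicast_subscribers_count: 2 };
    let (old_ok, new_ok) = (d.validate_strict().is_ok(), d.validate().is_ok());
    let mut admitted = [false; 3];
    for slot in admitted.iter_mut() {
        *slot = d.admit_subscriber().is_ok();
        if !*slot { d.remove_subscriber(); } // rejected: wait for churn, retry
    }
    (old_ok, new_ok, admitted)
}

fn main() { println!("{:?}", drain_scenario()); }
```

In this model the cap holds only because every increment of the count goes through admit_subscriber; a path that raised the count without the gate would no longer be caught by validate.
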
ben-dz force-pushed the bdz/relax-device-max-validate branch from 6db0de2 to 1d7c814 April 28, 2026 21:29
ben-dz marked this pull request as ready for review April 28, 2026 21:29

ben-malbeclabs (Contributor) left a comment

LGTM

ben-dz merged commit 797f8ec into main Apr 29, 2026
43 of 44 checks passed
ben-dz deleted the bdz/relax-device-max-validate branch April 29, 2026 00:54