Problem
`connection_manager` covers trim/backoff at the peer layer, but the codebase has no equivalent to go-libp2p's `rcmgr` — i.e. nested resource scopes (system → service → peer → connection → stream) with budget caps for memory, file-descriptors, inbound/outbound streams, etc., enforced at allocation sites.
Without that, a single misbehaving peer or protocol can starve the host of memory or substreams; today the only backstops are the wire caps documented in `docs/SECURITY.md` (gossipsub frame, req/resp accumulator, snappy) and `connection_manager` trim policy.
Scope
- Hierarchical resource scopes (system / transient / peer / protocol / stream).
- Budgets for: inbound + outbound streams per scope, peer memory, FDs, connections per peer.
- Reservation API surfaced to transport accept paths and the swarm's command dispatch.
- Metrics: rejection counters per scope + reason.
- Default policy mirroring go-libp2p's `AutoScale` baseline so embedders don't have to hand-tune for a typical 2k-peer node.
Out of scope
DoS scoring overlaps with gossipsub peer behaviour scores (`gossipsub.runtime`) — keep that separate; rcmgr is about resource budgets, not consensus-layer misbehaviour.
Acceptance
- New module `src/resource_manager.zig` with the scope hierarchy + reservation API.
- Wired into `transport.quic_runtime` (accept + outbound dial) and `transport.tcp` listener.
- Test coverage for budget exhaustion → reservation failure → caller-visible `ResourceLimitExceeded` error.
- Documented in `docs/SECURITY.md` (replaces or supplements the static wire-cap table).
- Tracked separately from `connection_manager`.
Problem
`connection_manager` covers trim/backoff at the peer layer, but the codebase has no equivalent to go-libp2p's `rcmgr` — i.e. nested resource scopes (system → service → peer → connection → stream) with budget caps for memory, file-descriptors, inbound/outbound streams, etc., enforced at allocation sites.
Without that, a single misbehaving peer or protocol can starve the host of memory or substreams; today the only backstops are the wire caps documented in `docs/SECURITY.md` (gossipsub frame, req/resp accumulator, snappy) and `connection_manager` trim policy.
Scope
Out of scope
DoS scoring overlaps with gossipsub peer behaviour scores (`gossipsub.runtime`) — keep that separate; rcmgr is about resource budgets, not consensus-layer misbehaviour.
Acceptance