refract is a Rust workspace for a production-grade, single-edge WebRTC SFU
and media control plane. The current codebase is Stage 1 focused: it defines
the stable crate boundaries, hot-path invariants, daemon wiring, media packet
primitives, signaling safety envelope, room/application interfaces, and the
verification gates required before multi-edge clustering and deeper protocol
surface area are expanded.
Repository: https://github.com/sockudo/refract
- A thread-per-core SFU daemon in
crates/refract-bin. - RTP, RTCP, SRTP, jitter, pacing, congestion-control, slab, and UDP/XDP boundaries for the media plane.
- Stateless signaling, application policy, room store traits, admin actions, observability, resilience, and configuration crates for the control plane.
- Deterministic simulation and load generation support for release gates.
- Strict workspace automation through
cargo xtask ...and optionaljustaliases.
This is a Stage 1 workspace. Some crates are production-oriented implementations, and some are explicit API or integration boundaries whose backend implementations are intentionally deferred until later stages.
Implemented or substantially defined areas include:
- daemon startup, config loading, signal handling, watchdogs, systemd readiness, and worker ownership;
- RTP/RTCP parsing and rewrite helpers;
- AES-GCM SRTP/SRTCP protection and replay tracking;
- jitter buffer support, NACK/PLI/FIR coalescing, congestion control, and pacing primitives;
- signaling admission, bounded JSON parsing, auth/rate-limit/backpressure boundaries, and in-process load generation;
- admin operations for drain, stats, session inspection, kick, profiling requests, log-level update, and capabilities;
- Redis room store implementation behind the Stage 1
RoomStoretrait; - Linux XDP classifier/loader boundary, with deterministic classifier tests and Linux-only attach support.
Deferred or scaffolded areas are documented in the individual crate README files, especially codec and future storage/application backends.
.
|-- Cargo.toml # Rust workspace manifest
|-- Justfile # short aliases for xtask commands
|-- example.toml # local single-edge daemon config
|-- docs/ # architecture, production gates, app protocols
|-- deploy/ # systemd unit example
|-- crates/ # workspace crates
`-- xtask/ # project automation commands
Core crate groups:
| Area | Crates |
|---|---|
| Daemon and operations | refract-bin, refract-admin, refract-config, refract-obs, refract-resilience |
| Media hot path | refract-sfu, refract-rtp, refract-srtp, refract-jitter, refract-cc, refract-slab, refract-uring, refract-xdp |
| WebRTC and network | refract-rtc, refract-net, refract-crypto, refract-signal |
| Apps and room state | refract-app, refract-app-room, refract-app-echo, refract-app-textroom, refract-app-audiomix, refract-app-recording, refract-app-sip, refract-app-streaming, refract-roomstore, refract-roomstore-redis, refract-roomstore-dual, refract-roomstore-scylla |
| Codecs | refract-codec-vp8, refract-codec-vp9, refract-codec-av1, refract-codec-h264, refract-codec-h265, refract-codec-opus |
| Test and release support | refract-sim, refract-loadgen, refract-chaos, xtask |
| Extension boundary | refract-wasm |
- Rust toolchain from
rust-toolchain.toml. - Cargo with the workspace lockfile checked in.
justis optional; every recipe maps tocargo xtask ....
Useful optional tools:
cargo install cargo-audit --version 0.22.0 --locked
cargo install cargo-deny --version 0.19.6 --locked
cargo install cargo-llvm-cov --locked
cargo install cargo-fuzz
cargo install typos-cliLinux XDP work additionally requires clang with BPF target support and a Linux
host where XDP attach is allowed.
Clone and enter the repository:
git clone git@github.com:sockudo/refract.git
cd refractBuild the workspace:
cargo build --workspace --all-targets --all-featuresRun the daemon startup check against the sample config:
cargo run -p refract-bin -- --config example.toml --checkThe --check mode loads configuration, starts the daemon components, triggers a
graceful drain, and exits. It is the fastest local smoke test for operator
wiring.
Run the daemon normally:
cargo run -p refract-bin -- --config example.tomlThe sample config binds media to localhost and enables the echo app:
[runtime]
cores = 1
[net]
bind_addrs = ["127.0.0.1:50000"]
rtp_port = 50000
rtcp_port = 50001
[apps.echo]
enabled = true
max_sessions = 64Stop the daemon with SIGTERM for graceful drain. SIGUSR1 requests config
reload, and SIGUSR2 requests a diagnostic stack dump.
The canonical test path is xtask; the Justfile provides shorter aliases.
Run formatting checks:
cargo xtask fmt
# or
just fmtRun lint checks:
cargo xtask lint
# or
just lintThis runs cargo fmt --all --check and workspace Clippy with all targets,
all features, and the workspace deny settings.
Run unit, integration, and doctests:
cargo xtask test
# or
just testThis expands to:
cargo test --workspace --all-targets --all-features
cargo test --workspace --doc --all-featuresRun one crate while iterating:
cargo test -p refract-rtp
cargo test -p refract-srtp --all-features
cargo test -p refract-bin --test refract_bin_startsRun the daemon smoke check:
cargo run -p refract-bin -- --config example.toml --checkRun the Stage 1 signaling load gate:
cargo xtask signal-loadgenSmaller local loadgen runs are useful during development:
cargo xtask signal-loadgen --connections 10000
cargo xtask signal-loadgen --connections 100000 --messages-per-connection 1Run supply-chain checks:
cargo xtask audit
cargo xtask denyRun coverage with the workspace threshold:
cargo xtask coveragecoverage requires cargo-llvm-cov and currently fails under 80 percent line
coverage, excluding xtask.
Run benchmarks:
cargo xtask benchRun fuzzing:
cargo xtask fuzz --seconds 60xtask fuzz looks for root-level targets under fuzz/fuzz_targets. Several
crates also carry crate-local fuzz packages. Run those directly, for example:
cd crates/refract-rtp/fuzz
cargo fuzz run rtp_parse -- -max_total_time=60Other crate-local fuzz packages include refract-net, refract-signal,
refract-srtp, and the codec crates that have fuzz/ directories.
Run Redis room-store tests:
cargo test -p refract-roomstore-redisThe ignored Redis integration path expects Sentinel configuration:
REFRACT_REDIS_SENTINELS=127.0.0.1:26379 \
REFRACT_REDIS_MASTER=mymaster \
cargo test -p refract-roomstore-redis --features redis-integration -- --ignoredRun Linux XDP load/attach validation:
sudo REFRACT_XDP_INTERFACE=eth0 cargo xtask xdp-load --port 50000Use generic/SKB mode on development hosts without native driver XDP:
sudo REFRACT_XDP_INTERFACE=eth0 cargo xtask xdp-load --port 50000 --genericPrint the full release checklist:
cargo xtask preflightRun the release gate:
cargo xtask releaseFor a native CPU-tuned release build:
cargo xtask release --nativeRecommended loop for most changes:
cargo xtask fmt
cargo xtask lint
cargo xtask testBefore opening or merging a production-facing change, also run:
cargo xtask audit
cargo xtask deny
cargo run -p refract-bin -- --config example.toml --checkInstall the local pre-commit hook:
cargo xtask install-hooksThe hook runs format, lint, and tests.
Configuration is loaded by refract-config from:
- built-in defaults,
- TOML file values,
REFRACT_environment variables using__for nesting.
Example:
REFRACT_RUNTIME__CORES=2 \
REFRACT_NET__RTP_PORT=50000 \
cargo run -p refract-bin -- --config example.toml --checkStartup fields that cannot be changed safely at runtime are preserved during reload and reported through reload warnings.
docs/architecture.md describes the five-tier state model:
- per-core hot-path state for routing, SRTP, jitter, pacing, and bandwidth estimation;
- per-node process state for ICE, DTLS, WebRTC sessions, and app sessions;
- Raft-owned placement, membership, configuration, and auth-key state;
- sharded room state for participants, tracks, subscriptions, and active speakers;
- off-hot-path recordings, audit logs, and long-term metrics.
Stage 1 keeps the sacred interfaces stable so later stages can swap storage, mesh, and runtime details without touching hot-path contracts.
The workspace follows these rules:
compiois the async I/O runtime boundary; do not add competing runtimes.- Hot-path code is thread-per-core and shared-nothing.
Arc<Mutex<_>>is not allowed on media ingress-to-egress paths.- Unsafe code is forbidden except in audited unsafe-boundary crates such as
refract-uring,refract-srtp, andrefract-slab. - Every external parser needs bounded lengths, tests, fuzz targets, and seed corpus.
- New dependencies must be exact-pinned in
[workspace.dependencies]and justified in the change record.
See CONTRIBUTING.md, docs/production-gates.md, and crate-local SAFETY.md
files for details.
docs/architecture.md- state tiers and boundary model.docs/production-gates.md- current release and readiness gates.docs/protocols/*.md- versioned app protocol contracts.crates/*/README.md- crate-local status and verification notes.deploy/refract.service- example systemd service.
Licensed under either of:
- Apache License, Version 2.0 (
LICENSE-APACHE) - MIT license (
LICENSE-MIT)
at your option.