Expose VPN fabric stream shard install flags

agents/rap-node-agent/cmd/rap-host-agent/main.go

@@ -218,6 +218,12 @@ func runInstallLinux(ctx context.Context, args []string) error {
 	fs.BoolVar(&cfg.RuntimeConfig.MeshSyntheticRuntimeEnabled, "mesh-synthetic-runtime-enabled", getenvBool("RAP_MESH_SYNTHETIC_RUNTIME_ENABLED", true), "Enable synthetic mesh runtime.")
 	fs.BoolVar(&cfg.RuntimeConfig.MeshProductionForwardingEnabled, "mesh-production-forwarding-enabled", getenvBool("RAP_MESH_PRODUCTION_FORWARDING_ENABLED", false), "Enable production forwarding gate; runtime still fail-closed if unavailable.")
 	fs.BoolVar(&cfg.RuntimeConfig.MeshFabricSessionEnabled, "mesh-fabric-session-enabled", getenvBool("RAP_MESH_FABRIC_SESSION_ENABLED", false), "Enable authenticated fabric session WebSocket endpoint.")
+	fs.BoolVar(&cfg.RuntimeConfig.VPNFabricSessionTransportEnabled, "vpn-fabric-session-transport-enabled", getenvBool("RAP_VPN_FABRIC_SESSION_TRANSPORT_ENABLED", false), "Route VPN packet transport over persistent fabric sessions.")
+	fs.BoolVar(&cfg.RuntimeConfig.MeshQUICFabricEnabled, "mesh-quic-fabric-enabled", getenvBool("RAP_MESH_QUIC_FABRIC_ENABLED", false), "Enable QUIC/UDP fabric listener.")
+	fs.StringVar(&cfg.RuntimeConfig.MeshQUICFabricListenAddr, "mesh-quic-fabric-listen-addr", getenv("RAP_MESH_QUIC_FABRIC_LISTEN_ADDR", ""), "QUIC/UDP fabric listen address.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricSessionStreamShards, "vpn-fabric-session-stream-shards", getenvInt("RAP_VPN_FABRIC_SESSION_STREAM_SHARDS", 4), "VPN fabric-session stream shards per traffic class.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricQUICMaxStreamsPerConn, "vpn-fabric-quic-max-streams-per-conn", getenvInt("RAP_VPN_FABRIC_QUIC_MAX_STREAMS_PER_CONN", 64), "Maximum logical fabric-session streams per cached VPN QUIC carrier connection.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricQUICIdleTTLSeconds, "vpn-fabric-quic-idle-ttl-seconds", getenvInt("RAP_VPN_FABRIC_QUIC_IDLE_TTL_SECONDS", 300), "Idle TTL seconds for cached VPN QUIC carrier connections.")
 	fs.StringVar(&cfg.RuntimeConfig.MeshListenAddr, "mesh-listen-addr", getenv("RAP_MESH_LISTEN_ADDR", ":19131"), "Synthetic mesh HTTP listen address.")
 	fs.StringVar(&cfg.RuntimeConfig.MeshListenPortMode, "mesh-listen-port-mode", getenv("RAP_MESH_LISTEN_PORT_MODE", "auto"), "Mesh listen port behavior: manual, auto, or disabled.")
 	fs.IntVar(&cfg.RuntimeConfig.MeshListenAutoPortStart, "mesh-listen-auto-port-start", getenvInt("RAP_MESH_LISTEN_AUTO_PORT_START", 19131), "First port used when mesh listen port mode is auto.")
@@ -300,6 +306,12 @@ func runInstallWindows(ctx context.Context, args []string) error {
 	fs.BoolVar(&cfg.RuntimeConfig.MeshSyntheticRuntimeEnabled, "mesh-synthetic-runtime-enabled", getenvBool("RAP_MESH_SYNTHETIC_RUNTIME_ENABLED", true), "Enable synthetic mesh runtime.")
 	fs.BoolVar(&cfg.RuntimeConfig.MeshProductionForwardingEnabled, "mesh-production-forwarding-enabled", getenvBool("RAP_MESH_PRODUCTION_FORWARDING_ENABLED", false), "Enable production forwarding gate; runtime still fail-closed if unavailable.")
 	fs.BoolVar(&cfg.RuntimeConfig.MeshFabricSessionEnabled, "mesh-fabric-session-enabled", getenvBool("RAP_MESH_FABRIC_SESSION_ENABLED", false), "Enable authenticated fabric session WebSocket endpoint.")
+	fs.BoolVar(&cfg.RuntimeConfig.VPNFabricSessionTransportEnabled, "vpn-fabric-session-transport-enabled", getenvBool("RAP_VPN_FABRIC_SESSION_TRANSPORT_ENABLED", false), "Route VPN packet transport over persistent fabric sessions.")
+	fs.BoolVar(&cfg.RuntimeConfig.MeshQUICFabricEnabled, "mesh-quic-fabric-enabled", getenvBool("RAP_MESH_QUIC_FABRIC_ENABLED", false), "Enable QUIC/UDP fabric listener.")
+	fs.StringVar(&cfg.RuntimeConfig.MeshQUICFabricListenAddr, "mesh-quic-fabric-listen-addr", getenv("RAP_MESH_QUIC_FABRIC_LISTEN_ADDR", ""), "QUIC/UDP fabric listen address.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricSessionStreamShards, "vpn-fabric-session-stream-shards", getenvInt("RAP_VPN_FABRIC_SESSION_STREAM_SHARDS", 4), "VPN fabric-session stream shards per traffic class.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricQUICMaxStreamsPerConn, "vpn-fabric-quic-max-streams-per-conn", getenvInt("RAP_VPN_FABRIC_QUIC_MAX_STREAMS_PER_CONN", 64), "Maximum logical fabric-session streams per cached VPN QUIC carrier connection.")
+	fs.IntVar(&cfg.RuntimeConfig.VPNFabricQUICIdleTTLSeconds, "vpn-fabric-quic-idle-ttl-seconds", getenvInt("RAP_VPN_FABRIC_QUIC_IDLE_TTL_SECONDS", 300), "Idle TTL seconds for cached VPN QUIC carrier connections.")
 	fs.StringVar(&cfg.RuntimeConfig.MeshListenAddr, "mesh-listen-addr", getenv("RAP_MESH_LISTEN_ADDR", ":19131"), "Synthetic mesh HTTP listen address.")
 	fs.StringVar(&cfg.RuntimeConfig.MeshListenPortMode, "mesh-listen-port-mode", getenv("RAP_MESH_LISTEN_PORT_MODE", "auto"), "Mesh listen port behavior: manual, auto, or disabled.")
 	fs.IntVar(&cfg.RuntimeConfig.MeshListenAutoPortStart, "mesh-listen-auto-port-start", getenvInt("RAP_MESH_LISTEN_AUTO_PORT_START", 19131), "First port used when mesh listen port mode is auto.")
@@ -788,6 +800,12 @@ func parseInstall(args []string) (installCommandConfig, error) {
 	fs.BoolVar(&cfg.MeshSyntheticRuntimeEnabled, "mesh-synthetic-runtime-enabled", getenvBool("RAP_MESH_SYNTHETIC_RUNTIME_ENABLED", false), "Enable synthetic mesh runtime.")
 	fs.BoolVar(&cfg.MeshProductionForwardingEnabled, "mesh-production-forwarding-enabled", getenvBool("RAP_MESH_PRODUCTION_FORWARDING_ENABLED", false), "Enable production forwarding gate; runtime still fail-closed if unavailable.")
 	fs.BoolVar(&cfg.MeshFabricSessionEnabled, "mesh-fabric-session-enabled", getenvBool("RAP_MESH_FABRIC_SESSION_ENABLED", false), "Enable authenticated fabric session WebSocket endpoint.")
+	fs.BoolVar(&cfg.VPNFabricSessionTransportEnabled, "vpn-fabric-session-transport-enabled", getenvBool("RAP_VPN_FABRIC_SESSION_TRANSPORT_ENABLED", false), "Route VPN packet transport over persistent fabric sessions.")
+	fs.BoolVar(&cfg.MeshQUICFabricEnabled, "mesh-quic-fabric-enabled", getenvBool("RAP_MESH_QUIC_FABRIC_ENABLED", false), "Enable QUIC/UDP fabric listener.")
+	fs.StringVar(&cfg.MeshQUICFabricListenAddr, "mesh-quic-fabric-listen-addr", getenv("RAP_MESH_QUIC_FABRIC_LISTEN_ADDR", ""), "QUIC/UDP fabric listen address.")
+	fs.IntVar(&cfg.VPNFabricSessionStreamShards, "vpn-fabric-session-stream-shards", getenvInt("RAP_VPN_FABRIC_SESSION_STREAM_SHARDS", 4), "VPN fabric-session stream shards per traffic class.")
+	fs.IntVar(&cfg.VPNFabricQUICMaxStreamsPerConn, "vpn-fabric-quic-max-streams-per-conn", getenvInt("RAP_VPN_FABRIC_QUIC_MAX_STREAMS_PER_CONN", 64), "Maximum logical fabric-session streams per cached VPN QUIC carrier connection.")
+	fs.IntVar(&cfg.VPNFabricQUICIdleTTLSeconds, "vpn-fabric-quic-idle-ttl-seconds", getenvInt("RAP_VPN_FABRIC_QUIC_IDLE_TTL_SECONDS", 300), "Idle TTL seconds for cached VPN QUIC carrier connections.")
 	fs.StringVar(&cfg.MeshListenAddr, "mesh-listen-addr", getenv("RAP_MESH_LISTEN_ADDR", ""), "Synthetic mesh HTTP listen address inside container.")
 	fs.StringVar(&cfg.MeshListenPortMode, "mesh-listen-port-mode", getenv("RAP_MESH_LISTEN_PORT_MODE", ""), "Mesh listen port behavior: manual, auto, or disabled.")
 	fs.IntVar(&cfg.MeshListenAutoPortStart, "mesh-listen-auto-port-start", getenvInt("RAP_MESH_LISTEN_AUTO_PORT_START", 0), "First port used when mesh listen port mode is auto.")

agents/rap-node-agent/internal/hostagent/docker_test.go

@@ -66,6 +66,12 @@ func TestDockerRunArgsBuildNodeRuntimePlacement(t *testing.T) {
 		ContainerName:                    "rap-node-agent-node-a",
 		StateDir:                         "/srv/rap/node-a",
 		MeshSyntheticRuntimeEnabled:      true,
+		VPNFabricSessionTransportEnabled: true,
+		MeshQUICFabricEnabled:            true,
+		MeshQUICFabricListenAddr:         ":19443",
+		VPNFabricSessionStreamShards:     6,
+		VPNFabricQUICMaxStreamsPerConn:   24,
+		VPNFabricQUICIdleTTLSeconds:      120,
 		MeshListenAddr:                   ":19131",
 		MeshAdvertiseEndpoint:            "http://10.0.0.11:19131/",
 		MeshConnectivityMode:             "private_lan",
@@ -81,6 +87,12 @@ func TestDockerRunArgsBuildNodeRuntimePlacement(t *testing.T) {
 		"RAP_NODE_STATE_DIR=/var/lib/rap-node-agent",
 		"RAP_ENROLLMENT_POLL_TIMEOUT_SECONDS=0",
 		"RAP_MESH_SYNTHETIC_RUNTIME_ENABLED=true",
+		"RAP_VPN_FABRIC_SESSION_TRANSPORT_ENABLED=true",
+		"RAP_MESH_QUIC_FABRIC_ENABLED=true",
+		"RAP_MESH_QUIC_FABRIC_LISTEN_ADDR=:19443",
+		"RAP_VPN_FABRIC_SESSION_STREAM_SHARDS=6",
+		"RAP_VPN_FABRIC_QUIC_MAX_STREAMS_PER_CONN=24",
+		"RAP_VPN_FABRIC_QUIC_IDLE_TTL_SECONDS=120",
 		"RAP_MESH_LISTEN_ADDR=:19131",
 		"RAP_MESH_ADVERTISE_ENDPOINT=http://10.0.0.11:19131",
 		"RAP_MESH_CONNECTIVITY_MODE=private_lan",
@@ -162,6 +174,10 @@ func TestFetchDockerInstallProfileBuildsRuntimeConfig(t *testing.T) {
 				"restart_policy":                       "unless-stopped",
 				"replace":                              true,
 				"mesh_synthetic_runtime_enabled":       true,
+				"vpn_fabric_session_transport_enabled": true,
+				"mesh_quic_fabric_enabled":             true,
+				"mesh_quic_fabric_listen_addr":         ":19443",
+				"vpn_fabric_session_stream_shards":     6,
 				"mesh_connectivity_mode":               "outbound_only",
 			},
 		})
@@ -185,6 +201,10 @@ func TestFetchDockerInstallProfileBuildsRuntimeConfig(t *testing.T) {
 		len(cfg.ImageArtifactURLs) != 1 ||
 		cfg.ImageArtifactSizeBytes != 21 ||
 		!cfg.MeshSyntheticRuntimeEnabled ||
+		!cfg.VPNFabricSessionTransportEnabled ||
+		!cfg.MeshQUICFabricEnabled ||
+		cfg.MeshQUICFabricListenAddr != ":19443" ||
+		cfg.VPNFabricSessionStreamShards != 6 ||
 		cfg.MeshConnectivityMode != "outbound_only" {
 		t.Fatalf("unexpected cfg: %+v", cfg)
 	}

docs/architecture/DISTRIBUTED_FABRIC_NODE_PROTOCOL_PLAN.md

@@ -383,6 +383,9 @@ declaring that carrier failed.
 VPN fabric-session transport now opens configurable per-class stream shards
 for interactive and bulk packet traffic, so heavy browser flows do not share a
 single logical stream with latency-sensitive RDP/control packets.
+Host-agent install commands for Docker, Linux, and Windows expose the same
+VPN fabric-session/QUIC tuning flags as install profiles, keeping manual and
+profile-based rollout paths aligned.
 Gateway runtime snapshots include the fabric-session packet transport stream
 layout and send counters by traffic class/stream id for load-test diagnosis.
 Endpoint ranking treats `capacity_limited` observations as a soft pressure