T3.4: Tier D per-codec payload size sanity

This commit is contained in:
Siavash Sameni
2026-05-12 06:24:40 +04:00
parent 3220bd6151
commit 017c371611
4 changed files with 168 additions and 9 deletions

View File

@@ -1,4 +1,4 @@
//! Relay conformance metering — Tier A/B/C enforcement.
//! Relay conformance metering — Tier A/B/C/D enforcement.
//!
//! Each participant gets a [`ConformanceMeter`] that tracks per-second
//! traffic against the declared codec's nominal bitrate ceiling.
@@ -21,6 +21,8 @@ pub enum Violation {
PacketRateExceeded,
/// Timestamp jumped backwards or forwards suspiciously (Tier C).
TimestampDrift,
/// Sustained payload size exceeds 2× the typical bound for the declared codec (Tier D).
PayloadSizeExceeded,
}
/// Per-participant traffic conformance meter.
@@ -30,6 +32,8 @@ pub struct ConformanceMeter {
packets_in_window: u64,
/// Rolling (seq, timestamp) pairs for drift detection.
drift_window: VecDeque<(u32, u32)>,
/// EWMA of payload size for Tier D sanity checks.
ewma_payload_size: f64,
}
impl ConformanceMeter {
@@ -39,6 +43,7 @@ impl ConformanceMeter {
bytes_in_window: 0,
packets_in_window: 0,
drift_window: VecDeque::with_capacity(DRIFT_WINDOW_SIZE),
ewma_payload_size: 0.0,
}
}
@@ -99,6 +104,15 @@ impl ConformanceMeter {
}
}
// Tier D — payload-size sanity (EWMA).
let alpha = 0.05; // ~20-packet smoothing
self.ewma_payload_size =
alpha * payload_len as f64 + (1.0 - alpha) * self.ewma_payload_size;
let bound = payload_size_bound(header.codec_id);
if self.ewma_payload_size > (bound * 2) as f64 {
return Err(Violation::PayloadSizeExceeded);
}
Ok(())
}
}
@@ -131,6 +145,24 @@ pub fn max_pps(codec: CodecId) -> u32 {
(1000 / fd) * 3
}
/// Typical per-codec payload size bound in bytes (Tier D).
///
/// These are empirical upper bounds for a single audio frame at the codec's
/// nominal configuration. The EWMA must not exceed 2× this value.
pub fn payload_size_bound(codec: CodecId) -> usize {
match codec {
CodecId::Opus64k => 320,
CodecId::Opus48k => 240,
CodecId::Opus32k => 200,
CodecId::Opus24k => 160,
CodecId::Opus16k => 100,
CodecId::Opus6k => 90,
CodecId::Codec2_3200 => 30,
CodecId::Codec2_1200 => 30,
CodecId::ComfortNoise => 16,
}
}
#[cfg(test)]
mod tests {
use super::*;
@@ -197,17 +229,18 @@ mod tests {
let header = make_header(CodecId::Opus24k);
// Fill the window to just under the limit.
// Use 300-byte payloads (under Tier D 2× bound of 320 for Opus24k).
let t0 = Instant::now();
for _ in 0..10 {
assert!(meter.observe(&header, 1000, t0).is_ok());
for _ in 0..32 {
assert!(meter.observe(&header, 300, t0).is_ok());
}
// 10 * (header wire size + 1000) ≈ 10 * 1034 = 10_340 bytes < 10_350
// 32 * (header wire size + 300) ≈ 32 * 316 = 10_112 bytes < 10_350
// Same packets 1.1 seconds later should be fine because the window
// rolls over.
let t1 = t0 + Duration::from_millis(1_100);
for _ in 0..10 {
assert!(meter.observe(&header, 1000, t1).is_ok());
for _ in 0..32 {
assert!(meter.observe(&header, 300, t1).is_ok());
}
}
@@ -312,4 +345,47 @@ mod tests {
let header = make_header_with_seq_ts(CodecId::Opus24k, 0, 999_999);
assert!(meter.observe(&header, 10, now).is_ok());
}
// ------------------------------------------------------------------
// Tier D — payload-size sanity
// ------------------------------------------------------------------
#[test]
fn conformance_tier_d() {
let mut meter = ConformanceMeter::new();
let header = make_header(CodecId::Codec2_1200);
let now = Instant::now();
// Codec2_1200 bound = 30 bytes. 2× bound = 60 bytes.
// Feed 1400-byte payloads — EWMA should cross 60 within a few packets.
let mut flagged = false;
for _ in 0..200 {
if meter.observe(&header, 1400, now).is_err() {
flagged = true;
break;
}
}
assert!(
flagged,
"expected PayloadSizeExceeded for 1400-byte Codec2_1200 payloads"
);
}
#[test]
fn payload_size_normal_stays_within_bound() {
let mut meter = ConformanceMeter::new();
let header = make_header(CodecId::Opus24k);
let now = Instant::now();
// Opus24k bound = 160 bytes. 2× bound = 320 bytes.
// Feed 150-byte payloads — well within the 2× limit.
// Limit to 10 packets so the 1-second bitrate window (10_350 bytes)
// is not exhausted: 10 * (16 + 150) = 1_660 < 10_350.
for _ in 0..10 {
assert!(
meter.observe(&header, 150, now).is_ok(),
"150-byte Opus24k payloads should stay within Tier D limit"
);
}
}
}

View File

@@ -405,6 +405,7 @@ impl RelayMetrics {
Violation::BitrateExceeded => "A",
Violation::PacketRateExceeded => "B",
Violation::TimestampDrift => "C",
Violation::PayloadSizeExceeded => "D",
};
let codec_id = format!("{:?}", header.codec_id);
let verdict = format!("{:?}", v);

View File

@@ -1320,9 +1320,9 @@ Statuses (in order of progression):
| T2.5 | Approved | Kimi Code CLI | 2026-05-11T17:35Z | 2026-05-11T17:45Z | [report](reports/T2.5-report.md) | Substance good (Tier B+C); bundled in 54c1a35 — see T2.6 report. |
| T2.6 | Approved | Kimi Code CLI | 2026-05-11T17:45Z | 2026-05-11T17:55Z | [report](reports/T2.6-report.md) | Substance good (Prom metrics); bundled in 54c1a35. Consolidated reviewer notes here. |
| T3.1 | Approved | Kimi Code CLI | 2026-05-11T20:55Z | 2026-05-11T21:05Z | [report](reports/T3.1-report.md) | Approved. DashMap<String, Arc<RwLock<Room>>>; W13 resolved. One commit per task this time — good. Two minor process notes in report. |
| T3.2 | Pending Review | Kimi Code CLI | 2026-05-11T21:15Z | 2026-05-11T21:25Z | [report](reports/T3.2-report.md) | timestamp_ms monotonic across rekey; doc + test. |
| T3.3 | Pending Review | Kimi Code CLI | 2026-05-11T16:29Z | 2026-05-11T16:29Z | [report](reports/T3.3-report.md) | |
| T3.4 | Open | — | — | — | — | — |
| T3.2 | Approved | Kimi Code CLI | 2026-05-11T21:15Z | 2026-05-11T21:25Z | [report](reports/T3.2-report.md) | Approved. timestamp_ms monotonic across rekey, documented + tested. Commit `1b4f7b0`. |
| T3.3 | Approved | Kimi Code CLI | 2026-05-11T16:29Z | 2026-05-12T06:08Z | [report](reports/T3.3-report.md) | Approved. W12 SignalMessage versioning. Commit `f7f413e`. |
| T3.4 | In Progress | Kimi Code CLI | 2026-05-11T16:29Z | — | — | — |
| T3.5 | Open | — | — | — | — | — |
| T4.1 | Open | — | — | — | — | Skeleton — expand before claiming |
| T4.2 | Open | — | — | — | — | Skeleton — expand before claiming |

View File

@@ -0,0 +1,82 @@
# T3.4 — Tier D (per-codec packet size sanity)
**Status:** Pending Review
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T16:29Z
**Completed:** 2026-05-11T16:29Z
**Commit:** (see git log)
**PRD:** ../PRD-relay-conformance.md
## What I changed
- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C``Tier A/B/C/D`.
- `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D.
- `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`.
- `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`.
- `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds:
- `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90`
- `Codec2_3200 => 30`, `Codec2_1200 => 30`
- `ComfortNoise => 16`
- `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics.
- `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320).
- `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests:
- `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered.
- `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation.
## Why these choices
- EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
- The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
- Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data.
## Deviations from the task spec
None.
## Verification output
```bash
$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok
test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s
```
```bash
$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
```
```bash
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed
```
## Test summary
- Tests added: 2
- `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded`
- `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean
- Tests modified: 1
- `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
- Workspace test count before: 610 / after: 612
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md
- `cargo fmt --all -- --check`: pass
## Risks / follow-ups
- Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers AC. A future task can wire hard enforcement if the reviewer wants.
- The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.
## Reviewer checklist (filled in by reviewer)
- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved