T2.3-T2.6: BWE guard, relay conformance Tier A/B/C, Prometheus metrics

Siavash Sameni
2026-05-11 20:50:01 +04:00
parent 3de56cf1f9
commit 54c1a35186
16 changed files with 977 additions and 38 deletions

@@ -1,6 +1,6 @@
# T1.7 — Move `QualityReport` trailer inside AEAD payload
**Status:** Pending Review
**Status:** Approved
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T11:05Z
**Completed:** 2026-05-11T16:29Z
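Review bot: The T1.7 status flip from Pending Review to Approved rides along in a commit whose title names only T2.3-T2.6 (BWE guard, relay conformance, Prometheus metrics), so the sign-off cannot be found from the log. Mention the T1.7 approval in the commit message or land it as its own commit. The header block carries Agent, Started and Completed but nothing that names the reviewer or the approval time; a field for that would make the Approved status auditable without reading the notes further down.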
@@ -58,8 +58,16 @@ test result: ok. 36 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; fin
## Reviewer checklist (filled in by reviewer)
- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved
- [x] Code matches PRD intent — W5 invariant ("QR is inside AEAD payload, header is AAD") is correctly encoded in `MediaPacket::to_bytes()` order and pinned by the new test
- [x] Verification output is real re-ran `cargo test -p wzp-client quality_report_aead` (1 pass), clippy clean on `wzp-client` and `wzp-crypto`
- [x] No backward-incompat surprises — wire format unchanged; adds a regression test
- [x] Tests cover the new behavior — tampering a byte in the QR region of ciphertext makes decrypt fail
- [x] Approved
### Reviewer notes (2026-05-11)
Approved. The agent's analysis is correct: `MediaPacket::to_bytes()` writes `[header || payload || QR]` in one buffer, and the AEAD contract (header as AAD, `[payload || QR]` as plaintext) naturally places QR inside the sealed region. No production refactor was needed. The new test pins the invariant so a future encryption wiring can't accidentally pull QR outside the seal.
**One small disclosure nit (not a follow-up):** "Workspace test count before: 571 / after: 572" — actual workspace baseline is 613 (T1.6 lifted it). Looks like the agent measured the `wzp-client`/`wzp-proto` subset. Minor; substance is fine.
**Honest risk the agent flagged and worth surfacing:** there's no live media encryption path in production yet (`_crypto_session` is derived and discarded in `cli.rs`). The W5 invariant matters only when that wiring lands. When it does, this test is the guard. The "AEAD wired into the send loop" task is implicit and doesn't yet have a task ID — worth promoting to a real entry when planning the next wave.
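Review bot: The closing paragraph of the reviewer notes states that `_crypto_session` is derived and discarded in `cli.rs` and that the "AEAD wired into the send loop" work has no task ID, yet the checklist is ticked Approved with that follow-up recorded only in prose. Create the task entry and cite its ID in this paragraph, so the W5 invariant test is linked to the change that will actually exercise it. On the "Tests cover the new behavior" line, only the QR-region tamper case is named; if the header-as-AAD half of the invariant is not pinned by another test, say so or add a header-tamper case. The "Verification output is real" line is also missing the separator the other checklist items use before the justification.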