T2.3-T2.6: BWE guard, relay conformance Tier A/B/C, Prometheus metrics

Siavash Sameni
2026-05-11 20:50:01 +04:00
parent 3de56cf1f9
commit 54c1a35186
16 changed files with 977 additions and 38 deletions


@@ -1,6 +1,6 @@
# T1.8 — Per-stream anti-replay window with configurable size
**Status:** Pending Review
**Status:** Approved
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T16:41Z
**Completed:** 2026-05-11T16:59Z
@@ -86,8 +86,29 @@ test result: ok. 69 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; fin
## Reviewer checklist (filled in by reviewer)
- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved
- [x] Code matches PRD intent — per-stream + per-MediaType windows, configurable sizes, u32 seq width
- [x] Verification output is real re-ran `cargo test -p wzp-crypto anti_replay` (12 pass) and full `cargo test -p wzp-crypto` (69 pass); clippy clean on `wzp-proto` + `wzp-crypto`
- [x] No backward-incompat surprises — non-v2 header bytes gracefully skip anti-replay (legacy tests unaffected)
- [x] Tests cover the new behavior — including the exact W11 scenario (`video_burst_200_with_one_reorder`)
- [x] Approved
### Reviewer notes (2026-05-11)
Approved. Resolves audit W11 cleanly.
**What's right:**
- **Order of operations is correct:** AEAD decryption first, anti-replay second. Forged replays still fail the MAC and never reach the window. Only authentic replays get rejected.
- **Plaintext rollback on replay** (`out.truncate(out.len() - plaintext_len)`) means callers never see replayed plaintext. Security detail worth flagging.
- **Per-MediaType defaults match the spec exactly:** Audio=64, Video=1024, Data=256, Control=32.
- **Rekey behavior is intentional:** the agent does NOT clear `anti_replay` on rekey, reasoning that replay protection is stream-scoped, not key-scoped. I agree with the choice.
**Honest risks the agent flagged:**
1. `ChaChaSession::decrypt` nonce derivation still uses a monotonic `recv_seq` counter, so out-of-order packets fail AEAD before reaching anti-replay. Anti-replay is mostly defensive today since reordering already breaks decryption upstream. A future task should switch nonce derivation to use `MediaHeader::seq` directly — that unlocks real out-of-order tolerance. Pre-existing limitation, not introduced by T1.8.
2. No production media-encryption path yet — same caveat as T1.7. Anti-replay activates when encryption gets wired up.
**Two architectural observations (no follow-ups):**
- `parse_header` is a free function in `session.rs`; could naturally be a method on `MediaHeader`. Minor; the underlying `read_from` is used correctly.
- The `default_window_for_media_type` size matrix lives inside `wzp-crypto`. Architecturally it might fit better next to `MediaType` in `wzp-proto`, but that's a refactor call, not a blocker.
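Review bot: Risk 1 under "Honest risks the agent flagged" says a future task should move nonce derivation from the monotonic `recv_seq` counter to `MediaHeader::seq`, but no follow-up task is recorded anywhere in this file, and the "(no follow-ups)" label on the architectural section makes the whole tail read as closed. Suggest adding a tracked follow-up line under that risk, and stating there that once nonces are derived from `MediaHeader::seq` the anti-replay window is the only thing left rejecting an authentic packet delivered twice (today the counter-based nonce already breaks decryption of anything out of order, which is why the notes call the window "mostly defensive"), so that task should re-run `video_burst_200_with_one_reorder` and the replay cases against the new derivation before it lands. Minor style point in the same hunk: the checklist line "Verification output is real re-ran `cargo test -p wzp-crypto anti_replay`" is missing the ` — ` separator the other four items use.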