docs: protocol audit 2026-05-25, update architecture + Obsidian vault
Audit:
- docs/AUDIT-2026-05-25.md: full protocol audit covering 8 findings (4 critical, 2 high, 5 medium, 4 low) with code references and fix effort estimates
- vault/Audit/Tasks.md: Obsidian Tasks plugin file tracking all audit items with priorities, due dates, and per-step checklists

Architecture docs updated for Wire format v2 and Wave 5/6 features:
- ARCHITECTURE.md: adds wzp-video to dependency graph and project structure; wire format updated to v2 (16B header, 5B MiniHeader); relay concurrency section corrected (DashMap+RwLock is current, not a future optimization); test count 571→702; Android note
- PROGRESS.md: Wave 5 and Wave 6 sections appended; test count 372→702; current status and open blockers as of 2026-05-25
- ROAD-TO-VIDEO.md: implementation status table inserted (✅/🟡/🔴/🔲 per phase); 6-step critical path to first video call
- WZP-SPEC.md: MediaHeader updated to v2 (16B byte-aligned); MiniHeader updated to 5B with seq_delta; codec IDs 9-12 added (H.264/H.265/AV1); version negotiation section added

Obsidian vault (vault/):
- 114 files across Architecture/, PRDs/, Reports/, Android/, Reference/, Audit/ with YAML frontmatter
- 00 - Home.md index note with wiki links
- .obsidian/app.json config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
88
vault/Reports/T3.4-report.md
Normal file
@@ -0,0 +1,88 @@
---
tags: [report, wzp]
type: report
status: Pending Review
---

# T3.4 — Tier D (per-codec packet size sanity)

**Status:** Pending Review
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T16:29Z
**Completed:** 2026-05-11T16:29Z
**Commit:** (see git log)
**PRD:** ../PRD-relay-conformance.md

## What I changed

- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C` → `Tier A/B/C/D`.
- `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D.
- `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`.
- `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`.
- `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds:
- `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90`
- `Codec2_3200 => 30`, `Codec2_1200 => 30`
- `ComfortNoise => 16`
- `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics.
- `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320).
- `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests:
- `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered.
- `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation.

## Why these choices

- EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
- The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
- Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data.

## Deviations from the task spec

None.

## Verification output

```bash
$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s
```

```bash
$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
```

```bash
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed
```

## Test summary

- Tests added: 2
- `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded`
- `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean
- Tests modified: 1
- `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
- Workspace test count before: 610 / after: 612
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md
- `cargo fmt --all -- --check`: pass

## Risks / follow-ups

- Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers A–C. A future task can wire hard enforcement if the reviewer wants.
- The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.

## Reviewer checklist (filled in by reviewer)

- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved
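Review bot: the `payload_size_bound` table (conformance.rs:141-157) lists bounds only for the audio codecs (`Opus*`, `Codec2_*`, `ComfortNoise`), while this same commit adds codec IDs 9-12 (H.264/H.265/AV1) to WZP-SPEC.md; the report should state how those `CodecId` values are handled by the match, because a 2× audio-scale bound applied to a video codec would flag every legitimate frame, and a wildcard arm would assign a bound the table does not document. Two smaller points for the "Risks / follow-ups" section: the `alpha = 0.05` EWMA tolerates a single oversized frame by design (one 1400-byte `Opus24k` packet after steady 150-byte traffic moves the average to about 212, under the 320 limit), so say whether a per-packet hard ceiling exists elsewhere in the pipeline or is deliberately absent; and shrinking the `window_resets_after_one_second` fixture from 1000 to 300 bytes sidesteps Tier D rather than exercising its interaction with the one-second window, so add a line saying whether `ewma_payload_size` is meant to reset with the window, and ideally a test that asserts it.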