fix(signal): send PresenceList directly to new client after ack

The broadcast alone wasn't reaching the first client because its recv loop hadn't started yet when the second client registered. Now the relay sends PresenceList directly to the new client (right after RegisterPresenceAck) AND broadcasts to all others. This guarantees every client gets the full user list: - New client: via direct send (queued before recv loop starts) - Existing clients: via broadcast Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(signal): PresenceList broadcast for lobby user discovery
2026-04-14 18:20:37 +04:00 · 2026-04-14 18:12:47 +04:00 · 2026-04-14 17:25:34 +04:00 · 2026-04-14 17:07:43 +04:00 · 2026-04-14 16:54:22 +04:00 · 2026-04-14 16:50:11 +04:00
92 changed files with 17943 additions and 1062 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -32,6 +32,7 @@ serde = { version = "1", features = ["derive"] }
 # Transport
 quinn = "0.11"
 socket2 = "0.5"
 # FEC
 raptorq = "2"
--- a/android/app/src/main/java/com/wzp/engine/WzpEngine.kt
+++ b/android/app/src/main/java/com/wzp/engine/WzpEngine.kt
@@ -96,6 +96,17 @@ class WzpEngine(private val callback: WzpCallback) {
        if (nativeHandle != 0L) nativeForceProfile(nativeHandle, profile)
    }
    /**
     * Signal a network transport change (e.g. WiFi → LTE handoff).
     *
     * @param networkType matches Rust `NetworkContext` ordinals:
     *   0=WiFi, 1=LTE, 2=5G, 3=3G, 4=Unknown, 5=None
     * @param bandwidthKbps reported downstream bandwidth in kbps
     */
    fun onNetworkChanged(networkType: Int, bandwidthKbps: Int) {
        if (nativeHandle != 0L) nativeOnNetworkChanged(nativeHandle, networkType, bandwidthKbps)
    }
    /** Destroy the native engine and free all resources. The instance must not be reused. */
    @Synchronized
    fun destroy() {
@@ -163,6 +174,7 @@ class WzpEngine(private val callback: WzpCallback) {
    private external fun nativeStartSignaling(handle: Long, relay: String, seed: String, token: String, alias: String): Int
    private external fun nativePlaceCall(handle: Long, targetFp: String): Int
    private external fun nativeAnswerCall(handle: Long, callId: String, mode: Int): Int
    private external fun nativeOnNetworkChanged(handle: Long, networkType: Int, bandwidthKbps: Int)
    /**
     * Ping a relay server. Requires engine to be initialized.
--- a/android/app/src/main/java/com/wzp/net/NetworkMonitor.kt
+++ b/android/app/src/main/java/com/wzp/net/NetworkMonitor.kt
@@ -0,0 +1,141 @@
 package com.wzp.net
 import android.content.Context
 import android.net.ConnectivityManager
 import android.net.Network
 import android.net.NetworkCapabilities
 import android.net.NetworkRequest
 import android.os.Handler
 import android.os.Looper
 /**
 * Monitors network connectivity changes via [ConnectivityManager.NetworkCallback]
 * and classifies the active transport (WiFi, LTE, 5G, 3G).
 *
 * Callbacks fire on the main looper so callers can safely update UI state or
 * dispatch to a native engine from any callback.
 *
 * Usage:
 * 1. Set [onNetworkChanged] to receive `(type: Int, downlinkKbps: Int)` events
 * 2. Optionally set [onIpChanged] for IP address change events (mid-call ICE refresh)
 * 3. Call [register] when the call starts
 * 4. Call [unregister] when the call ends
 */
 class NetworkMonitor(context: Context) {
    private val cm = context.getSystemService(Context.CONNECTIVITY_SERVICE) as ConnectivityManager
    private val mainHandler = Handler(Looper.getMainLooper())
    /**
     * Called when the network transport type or bandwidth changes.
     * `type` constants match the Rust `NetworkContext` enum ordinals.
     */
    var onNetworkChanged: ((type: Int, downlinkKbps: Int) -> Unit)? = null
    /**
     * Called when the device's IP address changes (link properties changed).
     * Useful for triggering mid-call ICE candidate re-gathering.
     */
    var onIpChanged: (() -> Unit)? = null
    // Track the last emitted type to avoid redundant callbacks
    @Volatile
    private var lastEmittedType: Int = TYPE_UNKNOWN
    private val callback = object : ConnectivityManager.NetworkCallback() {
        override fun onAvailable(network: Network) {
            classifyAndEmit(network)
        }
        override fun onCapabilitiesChanged(network: Network, caps: NetworkCapabilities) {
            classifyFromCaps(caps)
        }
        override fun onLinkPropertiesChanged(
            network: Network,
            linkProperties: android.net.LinkProperties
        ) {
            // IP address may have changed — notify for ICE refresh
            onIpChanged?.invoke()
            // Also re-classify in case the transport changed simultaneously
            classifyAndEmit(network)
        }
        override fun onLost(network: Network) {
            lastEmittedType = TYPE_NONE
            onNetworkChanged?.invoke(TYPE_NONE, 0)
        }
    }
    // -- Public API -----------------------------------------------------------
    /** Register the network callback. Call when a call starts. */
    fun register() {
        val request = NetworkRequest.Builder()
            .addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)
            .build()
        cm.registerNetworkCallback(request, callback, mainHandler)
    }
    /** Unregister the network callback. Call when the call ends. */
    fun unregister() {
        try {
            cm.unregisterNetworkCallback(callback)
        } catch (_: IllegalArgumentException) {
            // Already unregistered — safe to ignore
        }
    }
    // -- Classification -------------------------------------------------------
    private fun classifyAndEmit(network: Network) {
        val caps = cm.getNetworkCapabilities(network) ?: return
        classifyFromCaps(caps)
    }
    private fun classifyFromCaps(caps: NetworkCapabilities) {
        val type = when {
            caps.hasTransport(NetworkCapabilities.TRANSPORT_WIFI) -> TYPE_WIFI
            caps.hasTransport(NetworkCapabilities.TRANSPORT_ETHERNET) -> TYPE_WIFI // treat as WiFi
            caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR) -> classifyCellular(caps)
            else -> TYPE_UNKNOWN
        }
        val bw = caps.getLinkDownstreamBandwidthKbps()
        // Deduplicate: only emit when the transport type actually changes
        if (type != lastEmittedType) {
            lastEmittedType = type
            onNetworkChanged?.invoke(type, bw)
        }
    }
    /**
     * Approximate cellular generation from reported downstream bandwidth.
     * This avoids requiring READ_PHONE_STATE permission (needed for
     * TelephonyManager.getNetworkType on API 30+).
     *
     * Thresholds are conservative — carriers over-report bandwidth, so we
     * classify based on what's actually usable for VoIP:
     * - >= 100 Mbps → 5G NR
     * - >= 10 Mbps  → LTE
     * - < 10 Mbps   → 3G or worse
     */
    private fun classifyCellular(caps: NetworkCapabilities): Int {
        val bw = caps.getLinkDownstreamBandwidthKbps()
        return when {
            bw >= 100_000 -> TYPE_CELLULAR_5G
            bw >= 10_000 -> TYPE_CELLULAR_LTE
            else -> TYPE_CELLULAR_3G
        }
    }
    companion object {
        /** Constants matching Rust `NetworkContext` enum ordinals. */
        const val TYPE_WIFI = 0
        const val TYPE_CELLULAR_LTE = 1
        const val TYPE_CELLULAR_5G = 2
        const val TYPE_CELLULAR_3G = 3
        const val TYPE_UNKNOWN = 4
        const val TYPE_NONE = 5
    }
 }
--- a/android/app/src/main/java/com/wzp/ui/call/CallViewModel.kt
+++ b/android/app/src/main/java/com/wzp/ui/call/CallViewModel.kt
@@ -5,6 +5,7 @@ import android.util.Log
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
 import com.wzp.audio.AudioPipeline
 import com.wzp.audio.AudioRoute
 import com.wzp.audio.AudioRouteManager
 import com.wzp.data.SettingsRepository
 import com.wzp.debug.DebugReporter
@@ -12,6 +13,7 @@ import com.wzp.engine.CallStats
 import com.wzp.service.CallService
 import com.wzp.engine.WzpCallback
 import com.wzp.engine.WzpEngine
 import com.wzp.net.NetworkMonitor
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.delay
@@ -43,6 +45,7 @@ class CallViewModel : ViewModel(), WzpCallback {
    private var engineInitialized = false
    private var audioPipeline: AudioPipeline? = null
    private var audioRouteManager: AudioRouteManager? = null
    private var networkMonitor: NetworkMonitor? = null
    private var audioStarted = false
    private var appContext: Context? = null
    private var settings: SettingsRepository? = null
@@ -60,6 +63,9 @@ class CallViewModel : ViewModel(), WzpCallback {
    private val _isSpeaker = MutableStateFlow(false)
    val isSpeaker: StateFlow<Boolean> = _isSpeaker.asStateFlow()
    private val _audioRoute = MutableStateFlow(AudioRoute.EARPIECE)
    val audioRoute: StateFlow<AudioRoute> = _audioRoute.asStateFlow()
    private val _stats = MutableStateFlow(CallStats())
    val stats: StateFlow<CallStats> = _stats.asStateFlow()
@@ -226,7 +232,19 @@ class CallViewModel : ViewModel(), WzpCallback {
            audioPipeline = AudioPipeline(appCtx)
        }
        if (audioRouteManager == null) {
-            audioRouteManager = AudioRouteManager(appCtx)
+            audioRouteManager = AudioRouteManager(appCtx).also { arm ->
                arm.onRouteChanged = { route ->
                    _audioRoute.value = route
                    _isSpeaker.value = (route == AudioRoute.SPEAKER)
                }
            }
        }
        if (networkMonitor == null) {
            networkMonitor = NetworkMonitor(appCtx).also { nm ->
                nm.onNetworkChanged = { type, bw ->
                    engine?.onNetworkChanged(type, bw)
                }
            }
        }
        if (debugReporter == null) {
            debugReporter = DebugReporter(appCtx)
@@ -607,6 +625,27 @@ class CallViewModel : ViewModel(), WzpCallback {
        audioRouteManager?.setSpeaker(newSpeaker)
    }
    /** Cycle audio output: Earpiece → Speaker → Bluetooth (if available) → Earpiece. */
    fun cycleAudioRoute() {
        val routes = audioRouteManager?.availableRoutes() ?: return
        val currentIdx = routes.indexOf(_audioRoute.value)
        val next = routes[(currentIdx + 1) % routes.size]
        when (next) {
            AudioRoute.EARPIECE -> {
                audioRouteManager?.setBluetoothSco(false)
                audioRouteManager?.setSpeaker(false)
            }
            AudioRoute.SPEAKER -> {
                audioRouteManager?.setSpeaker(true)
            }
            AudioRoute.BLUETOOTH -> {
                audioRouteManager?.setBluetoothSco(true)
            }
        }
        _audioRoute.value = next
        _isSpeaker.value = (next == AudioRoute.SPEAKER)
    }
    fun clearError() { _errorMessage.value = null }
    fun sendDebugReport() {
@@ -661,6 +700,7 @@ class CallViewModel : ViewModel(), WzpCallback {
            it.start(e)
        }
        audioRouteManager?.register()
        networkMonitor?.register()
        audioStarted = true
    }
@@ -668,8 +708,10 @@ class CallViewModel : ViewModel(), WzpCallback {
        if (!audioStarted) return
        audioPipeline?.stop()    // sets running=false; DON'T null — teardown needs awaitDrain()
        audioRouteManager?.unregister()
        networkMonitor?.unregister()
        audioRouteManager?.setSpeaker(false)
        _isSpeaker.value = false
        _audioRoute.value = AudioRoute.EARPIECE
        audioStarted = false
    }
--- a/android/app/src/main/java/com/wzp/ui/call/InCallScreen.kt
+++ b/android/app/src/main/java/com/wzp/ui/call/InCallScreen.kt
@@ -49,6 +49,7 @@ import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.text.style.TextAlign
 import androidx.compose.ui.unit.dp
 import androidx.compose.ui.unit.sp
 import com.wzp.audio.AudioRoute
 import com.wzp.engine.CallStats
 import com.wzp.ui.components.CopyableFingerprint
 import com.wzp.ui.components.Identicon
@@ -74,6 +75,7 @@ fun InCallScreen(
    val callState by viewModel.callState.collectAsState()
    val isMuted by viewModel.isMuted.collectAsState()
    val isSpeaker by viewModel.isSpeaker.collectAsState()
    val audioRoute by viewModel.audioRoute.collectAsState()
    val stats by viewModel.stats.collectAsState()
    val qualityTier by viewModel.qualityTier.collectAsState()
    val errorMessage by viewModel.errorMessage.collectAsState()
@@ -621,12 +623,12 @@ fun InCallScreen(
                Spacer(modifier = Modifier.height(16.dp))
-                // Controls: Mic / End / Spk
+                // Controls: Mic / End / Route (Ear/Spk/BT)
                ControlRow(
                    isMuted = isMuted,
-                    isSpeaker = isSpeaker,
+                    audioRoute = audioRoute,
                    onToggleMute = viewModel::toggleMute,
-                    onToggleSpeaker = viewModel::toggleSpeaker,
+                    onCycleRoute = viewModel::cycleAudioRoute,
                    onHangUp = { viewModel.stopCall() }
                )
@@ -915,9 +917,9 @@ private fun AudioLevelBar(audioLevel: Int) {
@Composable
 private fun ControlRow(
    isMuted: Boolean,
-    isSpeaker: Boolean,
+    audioRoute: AudioRoute,
    onToggleMute: () -> Unit,
-    onToggleSpeaker: () -> Unit,
+    onCycleRoute: () -> Unit,
    onHangUp: () -> Unit
 ) {
    Row(
@@ -959,22 +961,28 @@ private fun ControlRow(
            Text("End", style = MaterialTheme.typography.titleMedium.copy(fontWeight = FontWeight.Bold))
        }
-        // Speaker
+        // Audio route: cycles Earpiece → Speaker → Bluetooth (when available)
        FilledTonalIconButton(
-            onClick = onToggleSpeaker,
+            onClick = onCycleRoute,
            modifier = Modifier.size(56.dp),
-            colors = if (isSpeaker) {
+            colors = when (audioRoute) {
-                IconButtonDefaults.filledTonalIconButtonColors(
+                AudioRoute.SPEAKER -> IconButtonDefaults.filledTonalIconButtonColors(
                    containerColor = Color(0xFF0F3460), contentColor = Color.White
                )
-            } else {
+                AudioRoute.BLUETOOTH -> IconButtonDefaults.filledTonalIconButtonColors(
-                IconButtonDefaults.filledTonalIconButtonColors(
+                    containerColor = Color(0xFF2563EB), contentColor = Color.White
                )
                else -> IconButtonDefaults.filledTonalIconButtonColors(
                    containerColor = DarkSurface2, contentColor = Color.White
                )
            }
        ) {
            Text(
-                text = if (isSpeaker) "Spk\nOn" else "Spk",
+                text = when (audioRoute) {
                    AudioRoute.EARPIECE -> "Ear"
                    AudioRoute.SPEAKER -> "Spk"
                    AudioRoute.BLUETOOTH -> "BT"
                },
                textAlign = TextAlign.Center,
                style = MaterialTheme.typography.labelSmall,
                lineHeight = 12.sp
--- a/crates/wzp-android/src/engine.rs
+++ b/crates/wzp-android/src/engine.rs
@@ -99,6 +99,9 @@ pub(crate) struct EngineState {
    /// QUIC transport handle — stored so stop_call() can close it immediately,
    /// triggering relay-side leave + RoomUpdate broadcast.
    pub quic_transport: Mutex<Option<Arc<wzp_transport::QuinnTransport>>>,
    /// Network type from Android ConnectivityManager, polled by recv task.
    /// 0xFF = no change pending; 0-5 = NetworkContext ordinal.
    pub pending_network_type: AtomicU8,
 }
 pub struct WzpEngine {
@@ -120,6 +123,7 @@ impl WzpEngine {
            playout_ring: AudioRing::new(),
            audio_level_rms: AtomicU32::new(0),
            quic_transport: Mutex::new(None),
            pending_network_type: AtomicU8::new(PROFILE_NO_CHANGE),
        });
        Self {
            state,
@@ -342,7 +346,7 @@ impl WzpEngine {
                    Ok(Some(SignalMessage::DirectCallAnswer { call_id, accept_mode, .. })) => {
                        info!(call_id = %call_id, mode = ?accept_mode, "signal: call answered");
                    }
-                    Ok(Some(SignalMessage::CallSetup { call_id, room, relay_addr })) => {
+                    Ok(Some(SignalMessage::CallSetup { call_id, room, relay_addr, .. })) => {
                        info!(call_id = %call_id, room = %room, relay = %relay_addr, "signal: call setup");
                        // Connect to media room via the existing start_call mechanism
                        // Store the room info so Kotlin can call startCall with it
@@ -351,7 +355,7 @@ impl WzpEngine {
                        // Store call setup info for Kotlin to pick up
                        stats.incoming_call_id = Some(format!("{relay_addr}|{room}"));
                    }
-                    Ok(Some(SignalMessage::Hangup { reason })) => {
+                    Ok(Some(SignalMessage::Hangup { reason, .. })) => {
                        info!(reason = ?reason, "signal: call ended by remote");
                        let mut stats = signal_state.stats.lock().unwrap();
                        stats.state = crate::stats::CallState::Closed;
@@ -404,6 +408,13 @@ impl WzpEngine {
    pub fn force_profile(&self, _profile: QualityProfile) {}
    /// Signal a network transport change from Android ConnectivityManager.
    /// Stores the type atomically; the recv task polls it on each packet.
    pub fn on_network_changed(&self, network_type: u8, bandwidth_kbps: u32) {
        info!(network_type, bandwidth_kbps, "on_network_changed");
        self.state.pending_network_type.store(network_type, Ordering::Release);
    }
    pub fn get_stats(&self) -> CallStats {
        let mut stats = self.state.stats.lock().unwrap().clone();
        if let Some(start) = self.call_start {
@@ -871,6 +882,23 @@ async fn run_call(
                        );
                    }
                    // Check for network transport change from ConnectivityManager
                    {
                        let net = state.pending_network_type.swap(PROFILE_NO_CHANGE, Ordering::Acquire);
                        if net != PROFILE_NO_CHANGE {
                            use wzp_proto::NetworkContext;
                            let ctx = match net {
                                0 => NetworkContext::WiFi,
                                1 => NetworkContext::CellularLte,
                                2 => NetworkContext::Cellular5g,
                                3 => NetworkContext::Cellular3g,
                                _ => NetworkContext::Unknown,
                            };
                            quality_ctrl.signal_network_change(ctx);
                            info!(?ctx, "quality controller: network context updated");
                        }
                    }
                    // Adaptive quality: ingest quality reports from relay
                    if auto_profile {
                        if let Some(ref qr) = pkt.quality_report {
@@ -1181,6 +1209,15 @@ async fn run_call(
                    stats.room_participant_count = count;
                    stats.room_participants = members;
                }
                Ok(Some(SignalMessage::QualityDirective { recommended_profile, reason })) => {
                    let idx = profile_to_index(&recommended_profile);
                    info!(
                        codec = ?recommended_profile.codec,
                        reason = reason.as_deref().unwrap_or(""),
                        "relay quality directive: switching profile"
                    );
                    pending_profile_recv.store(idx, Ordering::Release);
                }
                Ok(Some(msg)) => {
                    info!("signal received: {:?}", std::mem::discriminant(&msg));
                }
--- a/crates/wzp-android/src/jni_bridge.rs
+++ b/crates/wzp-android/src/jni_bridge.rs
@@ -222,6 +222,29 @@ pub unsafe extern "system" fn Java_com_wzp_engine_WzpEngine_nativeForceProfile(
    }));
 }
 /// Signal a network transport change from the Android ConnectivityManager.
 ///
 /// `network_type` matches the Rust `NetworkContext` enum:
 ///   0=WiFi, 1=CellularLte, 2=Cellular5g, 3=Cellular3g, 4=Unknown, 5=None
 ///
 /// The engine forwards this to the `AdaptiveQualityController` which:
 /// - Preemptively downgrades one tier on WiFi→cellular
 /// - Activates a 10-second FEC boost
 /// - Uses faster downgrade thresholds on cellular
 #[unsafe(no_mangle)]
 pub unsafe extern "system" fn Java_com_wzp_engine_WzpEngine_nativeOnNetworkChanged(
    _env: JNIEnv,
    _class: JClass,
    handle: jlong,
    network_type: jint,
    bandwidth_kbps: jint,
 ) {
    let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| {
        let h = unsafe { handle_ref(handle) };
        h.engine.on_network_changed(network_type as u8, bandwidth_kbps as u32);
    }));
 }
 /// Write captured PCM samples from Kotlin AudioRecord into the engine's capture ring.
 /// pcm is a Java short[] array.
 #[unsafe(no_mangle)]
--- a/crates/wzp-client/Cargo.toml
+++ b/crates/wzp-client/Cargo.toml
@@ -21,9 +21,20 @@ anyhow = "1"
 serde = { workspace = true }
 serde_json = "1"
 chrono = "0.4"
 clap = { version = "4", features = ["derive"] }
 ratatui = "0.29"
 crossterm = "0.28"
 rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
 cpal = { version = "0.15", optional = true }
 libc = "0.2"
 # Phase 5.5 — LAN host-candidate ICE: enumerate local network
 # interface addresses for inclusion in DirectCallOffer/Answer so
 # peers on the same LAN can direct-connect without NAT hairpinning
 # through the WAN reflex addr (which many consumer NATs, including
 # MikroTik's default masquerade, don't support).
 if-addrs = "0.13"
 rand = { workspace = true }
 socket2 = "0.5"
 # coreaudio-rs is Apple-framework-only; gate it to macOS so enabling
 # the `vpio` feature from a non-macOS target builds cleanly instead of
@@ -93,6 +104,10 @@ linux-aec = ["dep:webrtc-audio-processing"]
 name = "wzp-client"
 path = "src/cli.rs"
 [[bin]]
 name = "wzp-analyzer"
 path = "src/analyzer.rs"
 [[bin]]
 name = "wzp-bench"
 path = "src/bench_cli.rs"
--- a/crates/wzp-client/src/analyzer.rs
+++ b/crates/wzp-client/src/analyzer.rs
@@ -0,0 +1,952 @@
 //! WarzonePhone Protocol Analyzer — passive call quality observer.
 //!
 //! Joins a relay room as a passive participant (no media sent) and displays
 //! real-time per-participant quality metrics in a terminal UI.
 //!
 //! Usage:
 //!   wzp-analyzer 127.0.0.1:4433 --room test
 //!   wzp-analyzer 1.2.3.4:4433 --room test --capture session.wzp
 //!   wzp-analyzer 1.2.3.4:4433 --room test --no-tui --duration 60
 use std::io::Write;
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 use clap::Parser;
 use tracing::info;
 use wzp_proto::{CodecId, MediaPacket, MediaTransport};
 // ---------------------------------------------------------------------------
 // CLI
 // ---------------------------------------------------------------------------
 /// WarzonePhone Protocol Analyzer — passive call quality observer
 #[derive(Parser)]
 #[command(name = "wzp-analyzer", version)]
 struct Args {
    /// Relay address (host:port) — required for live mode, ignored with --replay
    relay: Option<String>,
    /// Room name to observe — required for live mode, ignored with --replay
    #[arg(short, long)]
    room: Option<String>,
    /// Auth token for relay
    #[arg(long)]
    token: Option<String>,
    /// Identity seed (64-char hex)
    #[arg(long)]
    seed: Option<String>,
    /// Capture packets to file
    #[arg(long)]
    capture: Option<String>,
    /// Auto-stop after N seconds
    #[arg(long)]
    duration: Option<u64>,
    /// Disable TUI (print stats to stdout instead)
    #[arg(long)]
    no_tui: bool,
    /// Replay a captured .wzp file (offline analysis)
    #[arg(long)]
    replay: Option<String>,
    /// Generate HTML report (from live session or replay)
    #[arg(long)]
    html: Option<String>,
    /// Session key hex for decrypting payloads (enables audio decode)
    // TODO(#17): Audio decode requires session key + nonce context.
    // In SFU mode, payloads are E2E encrypted. Decoding requires
    // either: (a) session key from both endpoints, or (b) running
    // the analyzer as a trusted participant with its own key exchange.
    // For now, header-only analysis provides loss%, jitter, codec stats.
    #[arg(long)]
    key: Option<String>,
 }
 // ---------------------------------------------------------------------------
 // Per-participant statistics
 // ---------------------------------------------------------------------------
 struct ParticipantStats {
    /// Stream identifier (index, assigned when we detect a new seq stream)
    stream_id: usize,
    /// Display name from RoomUpdate (if available)
    alias: Option<String>,
    /// Current codec
    codec: CodecId,
    /// Total packets received
    packets: u64,
    /// Detected lost packets (sequence gaps)
    lost: u64,
    /// Last seen sequence number
    last_seq: u16,
    /// Whether we've seen the first packet (for gap detection)
    seq_initialized: bool,
    /// EWMA jitter in ms
    jitter_ms: f64,
    /// Last packet arrival time
    last_arrival: Option<Instant>,
    /// Codec changes observed
    codec_switches: u32,
    /// First packet time
    first_seen: Instant,
    /// Last packet time
    last_seen: Instant,
 }
 impl ParticipantStats {
    fn new(id: usize, codec: CodecId) -> Self {
        let now = Instant::now();
        Self {
            stream_id: id,
            alias: None,
            codec,
            packets: 0,
            lost: 0,
            last_seq: 0,
            seq_initialized: false,
            jitter_ms: 0.0,
            last_arrival: None,
            codec_switches: 0,
            first_seen: now,
            last_seen: now,
        }
    }
    fn ingest(&mut self, pkt: &MediaPacket, now: Instant) {
        self.packets += 1;
        self.last_seen = now;
        // Codec switch detection
        if pkt.header.codec_id != self.codec {
            self.codec_switches += 1;
            self.codec = pkt.header.codec_id;
        }
        // Loss detection from sequence gaps
        if self.seq_initialized {
            let expected = self.last_seq.wrapping_add(1);
            let gap = pkt.header.seq.wrapping_sub(expected);
            if gap > 0 && gap < 100 {
                self.lost += gap as u64;
            }
        }
        self.last_seq = pkt.header.seq;
        self.seq_initialized = true;
        // Jitter (inter-arrival time variance, EWMA)
        if let Some(last) = self.last_arrival {
            let interval_ms = now.duration_since(last).as_secs_f64() * 1000.0;
            let expected_ms = pkt.header.codec_id.frame_duration_ms() as f64;
            let diff = (interval_ms - expected_ms).abs();
            self.jitter_ms = 0.1 * diff + 0.9 * self.jitter_ms;
        }
        self.last_arrival = Some(now);
    }
    fn loss_percent(&self) -> f64 {
        let total = self.packets + self.lost;
        if total == 0 {
            0.0
        } else {
            (self.lost as f64 / total as f64) * 100.0
        }
    }
    fn duration(&self) -> Duration {
        self.last_seen.duration_since(self.first_seen)
    }
    fn display_name(&self) -> String {
        self.alias
            .as_deref()
            .map(String::from)
            .unwrap_or_else(|| format!("Stream {}", self.stream_id))
    }
 }
 // ---------------------------------------------------------------------------
 // Participant identification by sequence stream
 // ---------------------------------------------------------------------------
 /// Find the participant whose sequence counter is close to `seq`, or create a
 /// new one.  Each sender has an independent wrapping u16 counter, so we can
 /// distinguish streams by proximity of consecutive sequence numbers.
 fn find_or_create_participant(
    participants: &mut Vec<ParticipantStats>,
    seq: u16,
    codec: CodecId,
 ) -> usize {
    for (i, p) in participants.iter().enumerate() {
        if p.seq_initialized {
            let delta = seq.wrapping_sub(p.last_seq);
            if delta > 0 && delta < 50 {
                return i;
            }
        }
    }
    // New stream detected
    let id = participants.len();
    participants.push(ParticipantStats::new(id, codec));
    id
 }
 // ---------------------------------------------------------------------------
 // Capture writer (binary packet log for later replay)
 // ---------------------------------------------------------------------------
 struct CaptureWriter {
    file: std::io::BufWriter<std::fs::File>,
    start: Instant,
 }
 impl CaptureWriter {
    fn new(path: &str, room: &str, relay: &str) -> anyhow::Result<Self> {
        let file = std::fs::File::create(path)?;
        let mut writer = std::io::BufWriter::new(file);
        // Magic + version
        writer.write_all(b"WZP\x01")?;
        let header = serde_json::json!({
            "room": room,
            "relay": relay,
            "start_time": chrono::Utc::now().to_rfc3339(),
            "version": 1,
        });
        let header_bytes = serde_json::to_vec(&header)?;
        writer.write_all(&(header_bytes.len() as u32).to_le_bytes())?;
        writer.write_all(&header_bytes)?;
        Ok(Self {
            file: writer,
            start: Instant::now(),
        })
    }
    fn write_packet(&mut self, pkt: &MediaPacket, now: Instant) -> anyhow::Result<()> {
        let elapsed_us = now.duration_since(self.start).as_micros() as u64;
        self.file.write_all(&elapsed_us.to_le_bytes())?;
        let raw = pkt.to_bytes();
        self.file.write_all(&(raw.len() as u32).to_le_bytes())?;
        self.file.write_all(&raw)?;
        Ok(())
    }
 }
 // ---------------------------------------------------------------------------
 // Capture reader (for replay mode)
 // ---------------------------------------------------------------------------
 struct CaptureReader {
    reader: std::io::BufReader<std::fs::File>,
    header: serde_json::Value,
 }
 impl CaptureReader {
    fn open(path: &str) -> anyhow::Result<Self> {
        use std::io::Read;
        let file = std::fs::File::open(path)?;
        let mut reader = std::io::BufReader::new(file);
        // Read magic
        let mut magic = [0u8; 4];
        reader.read_exact(&mut magic)?;
        anyhow::ensure!(&magic == b"WZP\x01", "not a WZP capture file");
        // Read header
        let mut len_buf = [0u8; 4];
        reader.read_exact(&mut len_buf)?;
        let header_len = u32::from_le_bytes(len_buf) as usize;
        let mut header_bytes = vec![0u8; header_len];
        reader.read_exact(&mut header_bytes)?;
        let header: serde_json::Value = serde_json::from_slice(&header_bytes)?;
        Ok(Self { reader, header })
    }
    fn next_packet(&mut self) -> anyhow::Result<Option<(u64, MediaPacket)>> {
        use std::io::Read;
        // Read timestamp
        let mut ts_buf = [0u8; 8];
        match self.reader.read_exact(&mut ts_buf) {
            Ok(()) => {}
            Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
            Err(e) => return Err(e.into()),
        }
        let timestamp_us = u64::from_le_bytes(ts_buf);
        // Read packet
        let mut len_buf = [0u8; 4];
        self.reader.read_exact(&mut len_buf)?;
        let pkt_len = u32::from_le_bytes(len_buf) as usize;
        let mut pkt_bytes = vec![0u8; pkt_len];
        self.reader.read_exact(&mut pkt_bytes)?;
        let pkt = MediaPacket::from_bytes(bytes::Bytes::from(pkt_bytes))
            .ok_or_else(|| anyhow::anyhow!("malformed packet in capture"))?;
        Ok(Some((timestamp_us, pkt)))
    }
 }
 // ---------------------------------------------------------------------------
 // Timeline entry (for HTML report generation)
 // ---------------------------------------------------------------------------
 struct TimelineEntry {
    timestamp_us: u64,
    stream_id: usize,
    #[allow(dead_code)]
    codec: CodecId,
    #[allow(dead_code)]
    seq: u16,
    #[allow(dead_code)]
    payload_len: usize,
    loss_pct: f64,
    jitter_ms: f64,
 }
 // ---------------------------------------------------------------------------
 // Replay mode (#15)
 // ---------------------------------------------------------------------------
 async fn run_replay(path: &str, args: &Args) -> anyhow::Result<()> {
    let mut reader = CaptureReader::open(path)?;
    eprintln!(
        "Replaying: {} (room: {})",
        path,
        reader
            .header
            .get("room")
            .and_then(|v| v.as_str())
            .unwrap_or("?")
    );
    let mut participants: Vec<ParticipantStats> = Vec::new();
    let mut total_packets: u64 = 0;
    let start = Instant::now();
    let mut timeline: Vec<TimelineEntry> = Vec::new();
    // Decrypt session from --key (optional)
    let mut decrypt_session: Option<wzp_crypto::ChaChaSession> = args.key.as_ref().and_then(|hex| {
        if hex.len() != 64 { return None; }
        let mut key = [0u8; 32];
        for (i, chunk) in hex.as_bytes().chunks(2).enumerate() {
            let s = std::str::from_utf8(chunk).unwrap_or("00");
            key[i] = u8::from_str_radix(s, 16).unwrap_or(0);
        }
        Some(wzp_crypto::ChaChaSession::new(key))
    });
    let mut decrypt_ok: u64 = 0;
    let mut decrypt_fail: u64 = 0;
    while let Some((ts_us, pkt)) = reader.next_packet()? {
        let now = Instant::now();
        let idx = find_or_create_participant(&mut participants, pkt.header.seq, pkt.header.codec_id);
        participants[idx].ingest(&pkt, now);
        total_packets += 1;
        // Attempt decryption if key provided
        if let Some(ref mut session) = decrypt_session {
            use wzp_proto::CryptoSession;
            let header_bytes = pkt.header.to_bytes();
            let mut plaintext = Vec::new();
            match session.decrypt(&header_bytes, &pkt.payload, &mut plaintext) {
                Ok(()) => {
                    decrypt_ok += 1;
                    if decrypt_ok <= 5 || decrypt_ok % 100 == 0 {
                        eprintln!(
                            "  decrypt ok: seq={} codec={:?} payload={}B → plaintext={}B",
                            pkt.header.seq, pkt.header.codec_id,
                            pkt.payload.len(), plaintext.len()
                        );
                    }
                }
                Err(_) => {
                    decrypt_fail += 1;
                    if decrypt_fail <= 3 {
                        eprintln!(
                            "  decrypt FAIL: seq={} (key mismatch, wrong direction, or rekey boundary)",
                            pkt.header.seq
                        );
                    }
                }
            }
        }
        // Record for HTML timeline
        timeline.push(TimelineEntry {
            timestamp_us: ts_us,
            stream_id: idx,
            codec: pkt.header.codec_id,
            seq: pkt.header.seq,
            payload_len: pkt.payload.len(),
            loss_pct: participants[idx].loss_percent(),
            jitter_ms: participants[idx].jitter_ms,
        });
    }
    if decrypt_session.is_some() {
        eprintln!(
            "Decrypt stats: {} ok, {} failed (total {})",
            decrypt_ok, decrypt_fail, total_packets
        );
    }
    print_summary(&participants, total_packets, start.elapsed());
    // Generate HTML if requested
    if let Some(html_path) = &args.html {
        generate_html_report(html_path, &participants, &timeline, total_packets, &reader.header)?;
        eprintln!("HTML report: {}", html_path);
    }
    Ok(())
 }
 // ---------------------------------------------------------------------------
 // HTML report generation (#16)
 // ---------------------------------------------------------------------------
 fn generate_html_report(
    path: &str,
    participants: &[ParticipantStats],
    timeline: &[TimelineEntry],
    total_packets: u64,
    capture_header: &serde_json::Value,
 ) -> anyhow::Result<()> {
    use std::io::Write as _;
    let mut f = std::fs::File::create(path)?;
    let room = capture_header
        .get("room")
        .and_then(|v| v.as_str())
        .unwrap_or("unknown");
    let start_time = capture_header
        .get("start_time")
        .and_then(|v| v.as_str())
        .unwrap_or("?");
    // Build per-stream loss/jitter timeline data for Chart.js
    // Sample every 1 second (group timeline entries by second)
    let max_ts = timeline.last().map(|e| e.timestamp_us).unwrap_or(0);
    let duration_secs = (max_ts / 1_000_000) + 1;
    let mut loss_data: std::collections::HashMap<usize, Vec<f64>> =
        std::collections::HashMap::new();
    let mut jitter_data: std::collections::HashMap<usize, Vec<f64>> =
        std::collections::HashMap::new();
    for stream_id in 0..participants.len() {
        loss_data.insert(stream_id, vec![0.0; duration_secs as usize]);
        jitter_data.insert(stream_id, vec![0.0; duration_secs as usize]);
    }
    for entry in timeline {
        let sec = (entry.timestamp_us / 1_000_000) as usize;
        if sec < duration_secs as usize {
            if let Some(losses) = loss_data.get_mut(&entry.stream_id) {
                losses[sec] = entry.loss_pct;
            }
            if let Some(jitters) = jitter_data.get_mut(&entry.stream_id) {
                jitters[sec] = entry.jitter_ms;
            }
        }
    }
    let colors = [
        "#e74c3c", "#3498db", "#2ecc71", "#f39c12", "#9b59b6", "#1abc9c",
    ];
    // Build dataset JSON for charts
    let mut loss_datasets = String::new();
    let mut jitter_datasets = String::new();
    for (i, p) in participants.iter().enumerate() {
        let name = p.display_name();
        let color = colors[i % colors.len()];
        let loss_vals = loss_data
            .get(&i)
            .map(|v| format!("{:?}", v))
            .unwrap_or_default();
        let jitter_vals = jitter_data
            .get(&i)
            .map(|v| format!("{:?}", v))
            .unwrap_or_default();
        loss_datasets.push_str(&format!(
            "{{ label: '{}', data: {}, borderColor: '{}', fill: false }},\n",
            name, loss_vals, color
        ));
        jitter_datasets.push_str(&format!(
            "{{ label: '{}', data: {}, borderColor: '{}', fill: false }},\n",
            name, jitter_vals, color
        ));
    }
    let labels: Vec<String> = (0..duration_secs).map(|s| format!("{}s", s)).collect();
    let labels_json = format!("{:?}", labels);
    // Summary table rows
    let mut summary_rows = String::new();
    for p in participants {
        summary_rows.push_str(&format!(
            "<tr><td>{}</td><td>{:?}</td><td>{}</td><td>{:.1}%</td><td>{:.0}ms</td><td>{}</td></tr>\n",
            p.display_name(),
            p.codec,
            p.packets,
            p.loss_percent(),
            p.jitter_ms,
            p.codec_switches
        ));
    }
    write!(
        f,
        r#"<!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <title>WZP Call Report — {room}</title>
 <script src="https://cdn.jsdelivr.net/npm/chart.js@4"></script>
 <style>
  body {{ font-family: -apple-system, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; background: #1a1a2e; color: #e0e0e0; }}
  h1,h2 {{ color: #4a9eff; }}
  table {{ border-collapse: collapse; width: 100%; margin: 20px 0; }}
  th,td {{ border: 1px solid #333; padding: 8px 12px; text-align: left; }}
  th {{ background: #16213e; }}
  tr:nth-child(even) {{ background: #1a1a3e; }}
  .chart-container {{ background: #16213e; border-radius: 8px; padding: 16px; margin: 20px 0; }}
  canvas {{ max-height: 300px; }}
  .meta {{ color: #888; font-size: 0.9em; }}
 </style>
 </head><body>
 <h1>WZP Call Quality Report</h1>
 <p class="meta">Room: <b>{room}</b> | Start: {start_time} | Packets: {total_packets} | Duration: {duration_secs}s</p>
 <h2>Participant Summary</h2>
 <table>
 <tr><th>Name</th><th>Codec</th><th>Packets</th><th>Loss</th><th>Jitter</th><th>Codec Switches</th></tr>
 {summary_rows}
 </table>
 <h2>Packet Loss Over Time</h2>
 <div class="chart-container"><canvas id="lossChart"></canvas></div>
 <h2>Jitter Over Time</h2>
 <div class="chart-container"><canvas id="jitterChart"></canvas></div>
 <script>
 const labels = {labels_json};
 new Chart(document.getElementById('lossChart'), {{
  type: 'line',
  data: {{ labels, datasets: [{loss_datasets}] }},
  options: {{ responsive: true, scales: {{ y: {{ beginAtZero: true, title: {{ display: true, text: 'Loss %' }} }} }} }}
 }});
 new Chart(document.getElementById('jitterChart'), {{
  type: 'line',
  data: {{ labels, datasets: [{jitter_datasets}] }},
  options: {{ responsive: true, scales: {{ y: {{ beginAtZero: true, title: {{ display: true, text: 'Jitter (ms)' }} }} }} }}
 }});
 </script>
 </body></html>"#
    )?;
    Ok(())
 }
 // ---------------------------------------------------------------------------
 // No-TUI mode (print stats to stdout periodically)
 // ---------------------------------------------------------------------------
 async fn run_no_tui(
    transport: &wzp_transport::QuinnTransport,
    participants: &mut Vec<ParticipantStats>,
    total_packets: &mut u64,
    deadline: Option<Instant>,
    mut capture_writer: Option<&mut CaptureWriter>,
 ) -> anyhow::Result<()> {
    let mut print_timer = Instant::now();
    loop {
        if let Some(dl) = deadline {
            if Instant::now() > dl {
                break;
            }
        }
        match tokio::time::timeout(Duration::from_millis(100), transport.recv_media()).await {
            Ok(Ok(Some(pkt))) => {
                let now = Instant::now();
                let idx =
                    find_or_create_participant(participants, pkt.header.seq, pkt.header.codec_id);
                participants[idx].ingest(&pkt, now);
                *total_packets += 1;
                if let Some(ref mut w) = capture_writer {
                    w.write_packet(&pkt, now)?;
                }
            }
            Ok(Ok(None)) => break,   // connection closed
            Ok(Err(e)) => {
                tracing::warn!("recv error: {e}");
                break;
            }
            Err(_) => {}              // timeout, loop again
        }
        if print_timer.elapsed() >= Duration::from_secs(2) {
            print_stats(participants, *total_packets);
            print_timer = Instant::now();
        }
    }
    Ok(())
 }
 fn print_stats(participants: &[ParticipantStats], total: u64) {
    eprintln!("--- {} participants | {} total packets ---", participants.len(), total);
    for p in participants {
        eprintln!(
            "  {}: {} pkts, {:.1}% loss, {:.0}ms jitter, {:?}, {:.0}s",
            p.display_name(),
            p.packets,
            p.loss_percent(),
            p.jitter_ms,
            p.codec,
            p.duration().as_secs_f64(),
        );
    }
 }
 // ---------------------------------------------------------------------------
 // TUI mode (ratatui + crossterm)
 // ---------------------------------------------------------------------------
 async fn run_tui(
    transport: &wzp_transport::QuinnTransport,
    participants: &mut Vec<ParticipantStats>,
    total_packets: &mut u64,
    start_time: Instant,
    deadline: Option<Instant>,
    mut capture_writer: Option<&mut CaptureWriter>,
 ) -> anyhow::Result<()> {
    crossterm::terminal::enable_raw_mode()?;
    let mut stdout = std::io::stdout();
    crossterm::execute!(stdout, crossterm::terminal::EnterAlternateScreen)?;
    let backend = ratatui::backend::CrosstermBackend::new(stdout);
    let mut terminal = ratatui::Terminal::new(backend)?;
    let mut redraw_timer = Instant::now();
    let result: anyhow::Result<()> = async {
        loop {
            // Check for quit key (q or Ctrl+C)
            if crossterm::event::poll(Duration::from_millis(0))? {
                if let crossterm::event::Event::Key(key) = crossterm::event::read()? {
                    use crossterm::event::{KeyCode, KeyModifiers};
                    if key.code == KeyCode::Char('q')
                        || (key.code == KeyCode::Char('c')
                            && key.modifiers.contains(KeyModifiers::CONTROL))
                    {
                        break;
                    }
                }
            }
            if let Some(dl) = deadline {
                if Instant::now() > dl {
                    break;
                }
            }
            // Receive packets (non-blocking with short timeout)
            match tokio::time::timeout(Duration::from_millis(20), transport.recv_media()).await {
                Ok(Ok(Some(pkt))) => {
                    let now = Instant::now();
                    let idx = find_or_create_participant(
                        participants,
                        pkt.header.seq,
                        pkt.header.codec_id,
                    );
                    participants[idx].ingest(&pkt, now);
                    *total_packets += 1;
                    if let Some(ref mut w) = capture_writer {
                        w.write_packet(&pkt, now)?;
                    }
                }
                Ok(Ok(None)) => break,
                Ok(Err(e)) => {
                    tracing::warn!("recv error: {e}");
                    break;
                }
                Err(_) => {}
            }
            // Redraw TUI at ~10 FPS
            if redraw_timer.elapsed() >= Duration::from_millis(100) {
                terminal.draw(|f| draw_ui(f, participants, *total_packets, start_time))?;
                redraw_timer = Instant::now();
            }
        }
        Ok(())
    }
    .await;
    // Always restore terminal, even on error
    crossterm::terminal::disable_raw_mode()?;
    crossterm::execute!(
        std::io::stdout(),
        crossterm::terminal::LeaveAlternateScreen
    )?;
    result
 }
 fn draw_ui(
    f: &mut ratatui::Frame,
    participants: &[ParticipantStats],
    total_packets: u64,
    start_time: Instant,
 ) {
    use ratatui::layout::{Constraint, Direction, Layout};
    use ratatui::style::{Color, Modifier, Style};
    use ratatui::widgets::{Block, Borders, Paragraph, Row, Table};
    let elapsed = start_time.elapsed();
    let elapsed_str = format!(
        "{:02}:{:02}:{:02}",
        elapsed.as_secs() / 3600,
        (elapsed.as_secs() % 3600) / 60,
        elapsed.as_secs() % 60
    );
    let chunks = Layout::default()
        .direction(Direction::Vertical)
        .constraints([
            Constraint::Length(3), // header
            Constraint::Min(5),   // participant table
            Constraint::Length(3), // footer
        ])
        .split(f.area());
    // Header
    let header = Paragraph::new(format!(
        " WZP Analyzer | {} participants | {} packets | {}",
        participants.len(),
        total_packets,
        elapsed_str
    ))
    .block(Block::default().borders(Borders::ALL).title(" Protocol Analyzer "));
    f.render_widget(header, chunks[0]);
    // Participant table
    let header_row = Row::new(vec![
        "#", "Name", "Codec", "Packets", "Loss%", "Jitter", "Switches", "Duration",
    ])
    .style(Style::default().add_modifier(Modifier::BOLD));
    let rows: Vec<Row> = participants
        .iter()
        .map(|p| {
            let loss_color = if p.loss_percent() > 5.0 {
                Color::Red
            } else if p.loss_percent() > 1.0 {
                Color::Yellow
            } else {
                Color::Green
            };
            Row::new(vec![
                format!("{}", p.stream_id),
                p.display_name(),
                format!("{:?}", p.codec),
                format!("{}", p.packets),
                format!("{:.1}%", p.loss_percent()),
                format!("{:.0}ms", p.jitter_ms),
                format!("{}", p.codec_switches),
                format!("{:.0}s", p.duration().as_secs_f64()),
            ])
            .style(Style::default().fg(loss_color))
        })
        .collect();
    let widths = [
        Constraint::Length(3),  // #
        Constraint::Length(20), // Name
        Constraint::Length(12), // Codec
        Constraint::Length(10), // Packets
        Constraint::Length(8),  // Loss%
        Constraint::Length(10), // Jitter
        Constraint::Length(10), // Switches
        Constraint::Length(10), // Duration
    ];
    let table = Table::new(rows, widths)
        .header(header_row)
        .block(Block::default().borders(Borders::ALL).title(" Participants "));
    f.render_widget(table, chunks[1]);
    // Footer
    let footer =
        Paragraph::new(" Press 'q' to quit ").block(Block::default().borders(Borders::ALL));
    f.render_widget(footer, chunks[2]);
 }
 // ---------------------------------------------------------------------------
 // Summary (printed on exit)
 // ---------------------------------------------------------------------------
 fn print_summary(participants: &[ParticipantStats], total: u64, elapsed: Duration) {
    eprintln!("\n=== Session Summary ===");
    eprintln!(
        "Duration: {:.1}s | Total packets: {} | Participants: {}",
        elapsed.as_secs_f64(),
        total,
        participants.len()
    );
    for p in participants {
        eprintln!(
            "  {}: {} pkts, {:.1}% loss, {:.0}ms jitter, {:?}, {} codec switches",
            p.display_name(),
            p.packets,
            p.loss_percent(),
            p.jitter_ms,
            p.codec,
            p.codec_switches,
        );
    }
 }
 // ---------------------------------------------------------------------------
 // main
 // ---------------------------------------------------------------------------
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    let args = Args::parse();
    // Only init tracing subscriber in no-tui mode (it would corrupt the TUI otherwise)
    if args.no_tui || args.replay.is_some() {
        tracing_subscriber::fmt().init();
    }
    let _crypto_session: Option<std::sync::Mutex<wzp_crypto::ChaChaSession>> =
        if let Some(ref key_hex) = args.key {
            if key_hex.len() != 64 {
                eprintln!("Error: --key must be 64 hex characters (32 bytes). Got {} chars.", key_hex.len());
                std::process::exit(1);
            }
            let mut key_bytes = [0u8; 32];
            for (i, chunk) in key_hex.as_bytes().chunks(2).enumerate() {
                let hex_str = std::str::from_utf8(chunk).unwrap_or("00");
                key_bytes[i] = u8::from_str_radix(hex_str, 16).unwrap_or(0);
            }
            eprintln!("Encrypted payload decoding enabled (key loaded).");
            Some(std::sync::Mutex::new(
                wzp_crypto::ChaChaSession::new(key_bytes),
            ))
        } else {
            None
        };
    // Replay mode: offline analysis of a .wzp capture file
    if let Some(ref replay_path) = args.replay {
        return run_replay(replay_path, &args).await;
    }
    // Live mode requires relay and room
    let relay = args
        .relay
        .as_deref()
        .ok_or_else(|| anyhow::anyhow!("relay address required for live mode (use --replay for offline)"))?;
    let room = args
        .room
        .as_deref()
        .ok_or_else(|| anyhow::anyhow!("--room required for live mode (use --replay for offline)"))?;
    // TLS crypto provider
    let _ = rustls::crypto::ring::default_provider().install_default();
    // Identity seed
    let seed = match &args.seed {
        Some(hex) => {
            let s = wzp_crypto::Seed::from_hex(hex).map_err(|e| anyhow::anyhow!(e))?;
            info!(fingerprint = %s.derive_identity().public_identity().fingerprint, "identity from --seed");
            s
        }
        None => {
            let s = wzp_crypto::Seed::generate();
            info!(fingerprint = %s.derive_identity().public_identity().fingerprint, "generated ephemeral identity");
            s
        }
    };
    // Connect to relay
    let relay_addr: std::net::SocketAddr = relay.parse()?;
    let bind_addr: std::net::SocketAddr = if relay_addr.is_ipv6() {
        "[::]:0".parse()?
    } else {
        "0.0.0.0:0".parse()?
    };
    let endpoint = wzp_transport::create_endpoint(bind_addr, None)?;
    let client_config = wzp_transport::client_config();
    let conn = wzp_transport::connect(&endpoint, relay_addr, room, client_config).await?;
    let transport = Arc::new(wzp_transport::QuinnTransport::new(conn));
    // Crypto handshake
    let _crypto_session =
        wzp_client::handshake::perform_handshake(&*transport, &seed.0, Some("analyzer")).await?;
    // Auth if token provided
    if let Some(ref token) = args.token {
        let auth = wzp_proto::SignalMessage::AuthToken {
            token: token.clone(),
        };
        transport.send_signal(&auth).await?;
    }
    // Capture file (optional)
    let mut capture_writer = args
        .capture
        .as_ref()
        .map(|path| CaptureWriter::new(path, room, relay))
        .transpose()?;
    // Duration timeout
    let deadline = args
        .duration
        .map(|s| Instant::now() + Duration::from_secs(s));
    // State
    let mut participants: Vec<ParticipantStats> = Vec::new();
    let mut total_packets: u64 = 0;
    let start_time = Instant::now();
    if args.no_tui {
        run_no_tui(
            &transport,
            &mut participants,
            &mut total_packets,
            deadline,
            capture_writer.as_mut(),
        )
        .await?;
    } else {
        run_tui(
            &transport,
            &mut participants,
            &mut total_packets,
            start_time,
            deadline,
            capture_writer.as_mut(),
        )
        .await?;
    }
    // Print summary
    print_summary(&participants, total_packets, start_time.elapsed());
    // Clean close
    transport.close().await?;
    Ok(())
 }
--- a/crates/wzp-client/src/birthday.rs
+++ b/crates/wzp-client/src/birthday.rs
@@ -0,0 +1,350 @@
 //! Birthday attack for hard NAT traversal.
 //!
 //! When both peers are behind symmetric NATs with random port
 //! allocation, standard hole-punching fails because neither side
 //! can predict the other's external port. This module implements
 //! the birthday-paradox approach:
 //!
 //! 1. **Acceptor** opens N sockets, STUN-probes each to learn
 //!    their external ports, reports them to the Dialer.
 //! 2. **Dialer** sprays QUIC connect attempts to the Acceptor's
 //!    reported ports + random ports on the Acceptor's IP.
 //! 3. Birthday paradox: with N=64 ports and M=256 probes across
 //!    65536 ports, collision probability is high.
 //!
 //! In practice, the Acceptor's STUN-probed ports are known
 //! exactly (not random), so the Dialer targets them first —
 //! making this more like "spray-and-pray with a hit list" than
 //! a pure birthday attack.
 use std::net::{Ipv4Addr, SocketAddr};
 use std::time::{Duration, Instant};
 use crate::stun;
 /// Configuration for the birthday attack.
 #[derive(Debug, Clone)]
 pub struct BirthdayConfig {
    /// Number of sockets the Acceptor opens (default: 32).
    /// Each socket gets STUN-probed to learn its external port.
    /// More = higher chance of collision, but more resource usage.
    pub acceptor_ports: u16,
    /// Number of QUIC connect attempts the Dialer makes (default: 128).
    /// Spread across the Acceptor's known ports + random ports.
    pub dialer_probes: u16,
    /// Rate limit: ms between consecutive probes (default: 20ms = 50/s).
    pub probe_interval_ms: u16,
    /// Overall timeout for the birthday attack phase.
    pub timeout: Duration,
    /// STUN config for probing external ports.
    pub stun_config: stun::StunConfig,
 }
 impl Default for BirthdayConfig {
    fn default() -> Self {
        Self {
            acceptor_ports: 32,
            dialer_probes: 128,
            probe_interval_ms: 20,
            timeout: Duration::from_secs(8),
            stun_config: stun::StunConfig {
                servers: vec!["stun.l.google.com:19302".into()],
                timeout: Duration::from_secs(2),
            },
        }
    }
 }
 /// Result of the Acceptor's port-opening phase.
 #[derive(Debug, Clone, serde::Serialize)]
 pub struct AcceptorPorts {
    /// External IP (from STUN).
    pub external_ip: Option<Ipv4Addr>,
    /// List of (local_port, external_port) for each opened socket.
    pub ports: Vec<PortMapping>,
    /// How many sockets we attempted to open.
    pub attempted: u16,
    /// How many STUN probes succeeded.
    pub succeeded: u16,
 }
 /// A single socket's local↔external port mapping.
 #[derive(Debug, Clone, serde::Serialize)]
 pub struct PortMapping {
    pub local_port: u16,
    pub external_port: u16,
 }
 /// Open N sockets and STUN-probe each to discover external ports.
 ///
 /// Returns the set of known external ports that the Dialer should
 /// target. Each socket stays open (bound) so the NAT mapping
 /// remains active until the returned `PortGuard` is dropped.
 ///
 /// The sockets are returned so the caller can keep them alive
 /// during the attack. Dropping them closes the NAT pinholes.
 pub async fn open_acceptor_ports(
    config: &BirthdayConfig,
 ) -> (AcceptorPorts, Vec<tokio::net::UdpSocket>) {
    let mut sockets = Vec::new();
    let mut mappings = Vec::new();
    let mut external_ip: Option<Ipv4Addr> = None;
    let mut succeeded: u16 = 0;
    let stun_server = match config.stun_config.servers.first() {
        Some(s) => match stun::resolve_stun_server(s).await {
            Ok(a) => Some(a),
            Err(_) => None,
        },
        None => None,
    };
    for _ in 0..config.acceptor_ports {
        // Bind to random port
        let sock = match tokio::net::UdpSocket::bind("0.0.0.0:0").await {
            Ok(s) => s,
            Err(_) => continue,
        };
        let local_port = match sock.local_addr() {
            Ok(a) => a.port(),
            Err(_) => continue,
        };
        // STUN probe to learn external port
        if let Some(stun_addr) = stun_server {
            match stun::stun_reflect(&sock, stun_addr, config.stun_config.timeout).await {
                Ok(ext_addr) => {
                    if external_ip.is_none() {
                        if let std::net::IpAddr::V4(ip) = ext_addr.ip() {
                            external_ip = Some(ip);
                        }
                    }
                    mappings.push(PortMapping {
                        local_port,
                        external_port: ext_addr.port(),
                    });
                    succeeded += 1;
                }
                Err(e) => {
                    tracing::debug!(local_port, error = %e, "birthday: STUN probe failed for socket");
                }
            }
        }
        sockets.push(sock);
    }
    tracing::info!(
        attempted = config.acceptor_ports,
        succeeded,
        external_ip = ?external_ip,
        "birthday: acceptor ports opened"
    );
    let result = AcceptorPorts {
        external_ip,
        ports: mappings,
        attempted: config.acceptor_ports,
        succeeded,
    };
    (result, sockets)
 }
 /// Generate the list of target addresses for the Dialer to spray.
 ///
 /// Priority order:
 /// 1. Acceptor's known external ports (from STUN probes) — highest hit rate
 /// 2. Random ports on the Acceptor's IP — birthday paradox fill
 pub fn generate_dialer_targets(
    acceptor_ip: Ipv4Addr,
    known_ports: &[u16],
    total_probes: u16,
 ) -> Vec<SocketAddr> {
    let mut targets = Vec::with_capacity(total_probes as usize);
    // First: all known ports (guaranteed targets)
    for &port in known_ports {
        targets.push(SocketAddr::new(
            std::net::IpAddr::V4(acceptor_ip),
            port,
        ));
    }
    // Fill remaining with random ports (birthday attack)
    let remaining = total_probes.saturating_sub(known_ports.len() as u16);
    if remaining > 0 {
        use rand::Rng;
        let mut rng = rand::thread_rng();
        for _ in 0..remaining {
            let port = rng.gen_range(1024..=65535u16);
            let addr = SocketAddr::new(
                std::net::IpAddr::V4(acceptor_ip),
                port,
            );
            if !targets.contains(&addr) {
                targets.push(addr);
            }
        }
    }
    targets
 }
 /// Run the Dialer side of the birthday attack.
 ///
 /// Sprays QUIC connection attempts at the target addresses.
 /// Returns the first successful connection, or None on timeout.
 pub async fn spray_dialer(
    endpoint: &wzp_transport::Endpoint,
    targets: &[SocketAddr],
    call_sni: &str,
    probe_interval: Duration,
    timeout: Duration,
 ) -> Option<wzp_transport::QuinnTransport> {
    let start = Instant::now();
    let mut set = tokio::task::JoinSet::new();
    tracing::info!(
        target_count = targets.len(),
        interval_ms = probe_interval.as_millis(),
        timeout_s = timeout.as_secs(),
        "birthday: dialer starting spray"
    );
    // Spray connects with rate limiting
    for (idx, &target) in targets.iter().enumerate() {
        if start.elapsed() >= timeout {
            break;
        }
        let ep = endpoint.clone();
        let sni = call_sni.to_string();
        let client_cfg = wzp_transport::client_config();
        set.spawn(async move {
            let result = wzp_transport::connect(&ep, target, &sni, client_cfg).await;
            (idx, target, result)
        });
        // Rate limit — don't blast the NAT
        if idx < targets.len() - 1 {
            tokio::time::sleep(probe_interval).await;
        }
    }
    tracing::info!(
        spawned = set.len(),
        elapsed_ms = start.elapsed().as_millis(),
        "birthday: all probes spawned, waiting for first success"
    );
    // Wait for first success or all failures
    let deadline = start + timeout;
    while let Some(join_res) = tokio::select! {
        r = set.join_next() => r,
        _ = tokio::time::sleep_until(tokio::time::Instant::from_std(deadline)) => None,
    } {
        match join_res {
            Ok((idx, target, Ok(conn))) => {
                tracing::info!(
                    idx,
                    %target,
                    remote = %conn.remote_address(),
                    elapsed_ms = start.elapsed().as_millis(),
                    "birthday: HIT! QUIC handshake succeeded"
                );
                set.abort_all();
                return Some(wzp_transport::QuinnTransport::new(conn));
            }
            Ok((idx, target, Err(e))) => {
                tracing::debug!(
                    idx,
                    %target,
                    error = %e,
                    "birthday: probe failed"
                );
            }
            Err(_) => {}
        }
    }
    tracing::info!(
        elapsed_ms = start.elapsed().as_millis(),
        "birthday: all probes failed or timed out"
    );
    None
 }
 // ── Tests ──────────────────────────────────────────────────────────
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn generate_targets_known_ports_first() {
        let ip = Ipv4Addr::new(203, 0, 113, 5);
        let known = vec![10000, 10001, 10002];
        let targets = generate_dialer_targets(ip, &known, 10);
        // Known ports should be first
        assert_eq!(targets[0].port(), 10000);
        assert_eq!(targets[1].port(), 10001);
        assert_eq!(targets[2].port(), 10002);
        // Rest are random
        assert!(targets.len() <= 10);
        // All target the right IP
        assert!(targets.iter().all(|a| a.ip() == std::net::IpAddr::V4(ip)));
    }
    #[test]
    fn generate_targets_no_known_all_random() {
        let ip = Ipv4Addr::new(10, 0, 0, 1);
        let targets = generate_dialer_targets(ip, &[], 50);
        assert!(!targets.is_empty());
        assert!(targets.len() <= 50);
        // All ports in valid range
        assert!(targets.iter().all(|a| a.port() >= 1024));
    }
    #[test]
    fn generate_targets_more_known_than_total() {
        let ip = Ipv4Addr::new(10, 0, 0, 1);
        let known: Vec<u16> = (10000..10100).collect();
        let targets = generate_dialer_targets(ip, &known, 50);
        // All 100 known ports included even though total=50
        assert_eq!(targets.len(), 100);
    }
    #[test]
    fn generate_targets_dedup() {
        let ip = Ipv4Addr::new(10, 0, 0, 1);
        let targets = generate_dialer_targets(ip, &[], 100);
        // No duplicates
        let mut sorted = targets.clone();
        sorted.sort();
        sorted.dedup();
        assert_eq!(sorted.len(), targets.len());
    }
    #[test]
    fn default_config() {
        let cfg = BirthdayConfig::default();
        assert_eq!(cfg.acceptor_ports, 32);
        assert_eq!(cfg.dialer_probes, 128);
        assert!(cfg.timeout.as_secs() > 0);
    }
    #[test]
    fn acceptor_ports_serializes() {
        let result = AcceptorPorts {
            external_ip: Some(Ipv4Addr::new(203, 0, 113, 5)),
            ports: vec![PortMapping { local_port: 12345, external_port: 54321 }],
            attempted: 32,
            succeeded: 1,
        };
        let json = serde_json::to_string(&result).unwrap();
        assert!(json.contains("54321"));
        assert!(json.contains("203.0.113.5"));
    }
 }
--- a/crates/wzp-client/src/call.rs
+++ b/crates/wzp-client/src/call.rs
@@ -234,6 +234,8 @@ pub struct CallEncoder {
    mini_frames_enabled: bool,
    /// Frames encoded since the last full header was emitted.
    frames_since_full: u32,
    /// Pending quality report to attach to the next source packet.
    pending_quality_report: Option<QualityReport>,
 }
 impl CallEncoder {
@@ -264,6 +266,7 @@ impl CallEncoder {
            mini_context: MiniFrameContext::default(),
            mini_frames_enabled: config.mini_frames_enabled,
            frames_since_full: 0,
            pending_quality_report: None,
        }
    }
@@ -367,7 +370,7 @@ impl CallEncoder {
                version: 0,
                is_repair: false,
                codec_id: self.profile.codec,
-                has_quality_report: false,
+                has_quality_report: self.pending_quality_report.is_some(),
                fec_ratio_encoded,
                seq: self.seq,
                timestamp: self.timestamp_ms,
@@ -377,7 +380,7 @@ impl CallEncoder {
                csrc_count: 0,
            },
            payload: Bytes::from(encoded.clone()),
-            quality_report: None,
+            quality_report: self.pending_quality_report.take(),
        };
        self.seq = self.seq.wrapping_add(1);
@@ -445,6 +448,22 @@ impl CallEncoder {
        self.aec.feed_farend(farend);
    }
    /// Apply DRED tuning output to the encoder.
    ///
    /// Called by the send loop after `DredTuner::update()` returns `Some`.
    /// No-op when the active codec is Codec2 (DRED is Opus-only).
    pub fn apply_dred_tuning(&mut self, tuning: wzp_proto::DredTuning) {
        self.audio_enc.set_dred_duration(tuning.dred_frames);
        self.audio_enc.set_expected_loss(tuning.expected_loss_pct);
    }
    /// Queue a quality report for attachment to the next source packet.
    /// Used by the send task to embed locally-observed path quality so
    /// the peer can drive adaptive quality switching.
    pub fn set_pending_quality_report(&mut self, report: QualityReport) {
        self.pending_quality_report = Some(report);
    }
    /// Enable or disable acoustic echo cancellation.
    pub fn set_aec_enabled(&mut self, enabled: bool) {
        self.aec.set_enabled(enabled);
@@ -1442,4 +1461,155 @@ mod tests {
            "frames_suppressed should be > 0"
        );
    }
    // ---- DredTuner integration tests ----
    /// End-to-end test: DredTuner reacts to simulated network degradation
    /// and adjusts the encoder's DRED parameters via `apply_dred_tuning`.
    #[test]
    fn dred_tuner_adjusts_encoder_on_loss() {
        use wzp_proto::DredTuner;
        let mut enc = CallEncoder::new(&CallConfig {
            profile: QualityProfile::GOOD,
            suppression_enabled: false,
            ..Default::default()
        });
        let mut tuner = DredTuner::new(QualityProfile::GOOD.codec);
        // Baseline: good network → baseline DRED (20 frames = 200 ms).
        let baseline = tuner.current();
        assert_eq!(baseline.dred_frames, 20);
        // Warm up the tuner — first few updates may return Some as the
        // EWMA initializes and expected_loss settles from the initial 15%.
        for _ in 0..10 {
            tuner.update(0.0, 50, 5);
        }
        // After settling, the tuning should be at baseline.
        assert_eq!(tuner.current().dred_frames, 20);
        // Simulate network degradation: 30% loss, 300ms RTT.
        // The tuner should increase DRED frames above baseline.
        let tuning = tuner.update(30.0, 300, 15);
        assert!(tuning.is_some(), "loss spike should trigger tuning change");
        let t = tuning.unwrap();
        assert!(
            t.dred_frames > 20,
            "30% loss should increase DRED above baseline 20, got {}",
            t.dred_frames
        );
        // Apply to encoder — should not panic.
        enc.apply_dred_tuning(t);
        // Verify the encoder still works after tuning.
        let pcm = voice_frame_20ms(0);
        let packets = enc.encode_frame(&pcm).unwrap();
        assert!(!packets.is_empty(), "encoder must still produce packets after DRED tuning");
    }
    /// DredTuner jitter spike triggers pre-emptive DRED boost to ceiling.
    #[test]
    fn dred_tuner_spike_boosts_to_ceiling() {
        use wzp_proto::DredTuner;
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // Establish low-jitter baseline.
        for _ in 0..20 {
            tuner.update(0.0, 50, 5);
        }
        assert!(!tuner.spike_boost_active());
        // Jitter spikes to 40ms (8x baseline of ~5ms).
        let tuning = tuner.update(0.0, 50, 40);
        assert!(tuner.spike_boost_active(), "jitter spike should activate boost");
        assert!(tuning.is_some());
        // Ceiling for Opus24k is 50 frames = 500 ms.
        assert_eq!(
            tuning.unwrap().dred_frames, 50,
            "spike should push to ceiling"
        );
    }
    /// DredTuner is a no-op for Codec2 profiles.
    #[test]
    fn dred_tuner_noop_for_codec2() {
        use wzp_proto::DredTuner;
        let mut tuner = DredTuner::new(CodecId::Codec2_1200);
        // Even extreme conditions produce no tuning output.
        assert!(tuner.update(50.0, 800, 100).is_none());
        assert_eq!(tuner.current().dred_frames, 0);
    }
    /// DredTuner + CallEncoder: full cycle through profile switch.
    #[test]
    fn dred_tuner_handles_profile_switch() {
        use wzp_proto::DredTuner;
        let mut enc = CallEncoder::new(&CallConfig {
            profile: QualityProfile::GOOD,
            suppression_enabled: false,
            ..Default::default()
        });
        let mut tuner = DredTuner::new(QualityProfile::GOOD.codec);
        // Apply initial tuning on good network.
        if let Some(t) = tuner.update(0.0, 50, 5) {
            enc.apply_dred_tuning(t);
        }
        // Switch to degraded profile.
        enc.set_profile(QualityProfile::DEGRADED).unwrap();
        tuner.set_codec(QualityProfile::DEGRADED.codec);
        // Opus6k baseline is 50 frames (500 ms), ceiling is 104 (1040 ms).
        let baseline = tuner.current();
        // After set_codec, the cached tuning should reflect old state;
        // a fresh update gives the new codec's mapping.
        let tuning = tuner.update(20.0, 200, 10);
        assert!(tuning.is_some());
        let t = tuning.unwrap();
        assert!(
            t.dred_frames >= 50,
            "Opus6k with 20% loss should be at least baseline 50, got {}",
            t.dred_frames
        );
        enc.apply_dred_tuning(t);
        // Encode a 40ms frame (Opus6k uses 40ms frames = 1920 samples).
        let pcm: Vec<i16> = (0..1920)
            .map(|i| ((i as f32 * 0.1).sin() * 10_000.0) as i16)
            .collect();
        let packets = enc.encode_frame(&pcm).unwrap();
        assert!(!packets.is_empty());
    }
    #[test]
    fn encoder_attaches_quality_report() {
        let mut enc = CallEncoder::new(&CallConfig {
            profile: QualityProfile::GOOD,
            suppression_enabled: false,
            ..Default::default()
        });
        // Set a quality report
        enc.set_pending_quality_report(QualityReport::from_path_stats(5.0, 80, 10));
        // Encode a frame — should have quality_report attached
        let pcm = voice_frame_20ms(0);
        let packets = enc.encode_frame(&pcm).unwrap();
        assert!(!packets.is_empty());
        assert!(packets[0].header.has_quality_report, "first packet should have quality report");
        assert!(packets[0].quality_report.is_some());
        // Next frame should NOT have quality_report (it was consumed)
        let packets2 = enc.encode_frame(&voice_frame_20ms(960)).unwrap();
        assert!(!packets2[0].header.has_quality_report, "second packet should not have quality report");
        assert!(packets2[0].quality_report.is_none());
    }
 }
--- a/crates/wzp-client/src/cli.rs
+++ b/crates/wzp-client/src/cli.rs
@@ -52,6 +52,8 @@ struct CliArgs {
    signal: bool,
    /// Place a direct call to a fingerprint (requires --signal).
    call_target: Option<String>,
    /// Run network diagnostic (STUN, port mapping, relay latencies).
    netcheck: bool,
 }
 impl CliArgs {
@@ -97,6 +99,7 @@ fn parse_args() -> CliArgs {
    let mut relay_str = None;
    let mut signal = false;
    let mut call_target = None;
    let mut netcheck = false;
    let mut i = 1;
    while i < args.len() {
@@ -182,6 +185,7 @@ fn parse_args() -> CliArgs {
                );
            }
            "--sweep" => sweep = true,
            "--netcheck" => { netcheck = true; }
            "--version-check" => { version_check = true; }
            "--help" | "-h" => {
                eprintln!("Usage: wzp-client [options] [relay-addr]");
@@ -238,6 +242,7 @@ fn parse_args() -> CliArgs {
        version_check,
        signal,
        call_target,
        netcheck,
    }
 }
@@ -256,6 +261,23 @@ async fn main() -> anyhow::Result<()> {
        return Ok(());
    }
    // --netcheck: run network diagnostic and exit
    if cli.netcheck {
        let config = wzp_client::netcheck::NetcheckConfig {
            stun_config: wzp_client::stun::StunConfig::default(),
            relays: vec![
                ("relay".into(), cli.relay_addr),
            ],
            timeout: std::time::Duration::from_secs(5),
            test_portmap: true,
            test_ipv6: true,
            local_port: 0,
        };
        let report = wzp_client::netcheck::run_netcheck(&config).await;
        print!("{}", wzp_client::netcheck::format_report(&report));
        return Ok(());
    }
    // --version-check: query relay version over QUIC and exit
    if cli.version_check {
        let client_config = wzp_transport::client_config();
@@ -424,6 +446,7 @@ async fn run_silence(transport: Arc<wzp_transport::QuinnTransport>) -> anyhow::R
    info!(total_source, total_repair, total_bytes, "done — closing");
    let hangup = wzp_proto::SignalMessage::Hangup {
        reason: wzp_proto::HangupReason::Normal,
        call_id: None,
    };
    transport.send_signal(&hangup).await.ok();
    transport.close().await?;
@@ -575,6 +598,7 @@ async fn run_file_mode(
    // Send Hangup signal so the relay knows we're done
    let hangup = wzp_proto::SignalMessage::Hangup {
        reason: wzp_proto::HangupReason::Normal,
        call_id: None,
    };
    transport.send_signal(&hangup).await.ok();
@@ -747,7 +771,7 @@ async fn run_signal_mode(
        Some(SignalMessage::RegisterPresenceAck { success: true, .. }) => {
            info!(fingerprint = %fp, "registered on relay — waiting for calls");
        }
-        Some(SignalMessage::RegisterPresenceAck { success: false, error }) => {
+        Some(SignalMessage::RegisterPresenceAck { success: false, error, .. }) => {
            anyhow::bail!("registration failed: {}", error.unwrap_or_default());
        }
        other => {
@@ -773,6 +797,9 @@ async fn run_signal_mode(
            // CLI client doesn't attempt hole-punching; always
            // relay-path.
            caller_reflexive_addr: None,
            caller_local_addrs: Vec::new(),
            caller_mapped_addr: None,
            caller_build_version: None,
        }).await?;
    }
@@ -805,12 +832,15 @@ async fn run_signal_mode(
                        // CLI auto-accept uses generic (privacy) mode,
                        // so callee addr stays hidden from the caller.
                        callee_reflexive_addr: None,
                        callee_local_addrs: Vec::new(),
                        callee_mapped_addr: None,
                        callee_build_version: None,
                    }).await;
                }
                SignalMessage::DirectCallAnswer { call_id, accept_mode, .. } => {
                    info!(call_id = %call_id, mode = ?accept_mode, "call answered");
                }
-                SignalMessage::CallSetup { call_id, room, relay_addr: setup_relay, peer_direct_addr: _ } => {
+                SignalMessage::CallSetup { call_id, room, relay_addr: setup_relay, peer_direct_addr: _, peer_local_addrs: _, peer_mapped_addr: _ } => {
                    info!(call_id = %call_id, room = %room, relay = %setup_relay, "call setup — connecting to media room");
                    // Connect to the media room
@@ -861,6 +891,7 @@ async fn run_signal_mode(
                                                info!("hanging up...");
                                                let _ = signal_transport.send_signal(&SignalMessage::Hangup {
                                                    reason: wzp_proto::HangupReason::Normal,
                                                    call_id: None,
                                                }).await;
                                                break;
                                            }
@@ -877,7 +908,7 @@ async fn run_signal_mode(
                        Err(e) => error!("media connect failed: {e}"),
                    }
                }
-                SignalMessage::Hangup { reason } => {
+                SignalMessage::Hangup { reason, .. } => {
                    info!(reason = ?reason, "call ended by remote");
                }
                SignalMessage::Pong { .. } => {}
--- a/crates/wzp-client/src/dual_path.rs
+++ b/crates/wzp-client/src/dual_path.rs
@@ -38,6 +38,35 @@ pub enum WinningPath {
    Relay,
 }
 /// Diagnostic info for a single candidate dial attempt.
 #[derive(Debug, Clone, serde::Serialize)]
 pub struct CandidateDiag {
    pub index: usize,
    pub addr: String,
    pub result: String,  // "ok", "skipped:ipv6", "error:..."
    pub elapsed_ms: Option<u32>,
 }
 /// Phase 6: the race now returns BOTH transports (when available)
 /// so the connect command can negotiate with the peer before
 /// committing. The negotiation decides which transport to use
 /// based on whether BOTH sides report `direct_ok = true`.
 pub struct RaceResult {
    /// The direct P2P transport, if the direct path completed.
    /// `None` if the direct dial/accept failed or timed out.
    pub direct_transport: Option<Arc<QuinnTransport>>,
    /// The relay transport, if the relay dial completed.
    /// `None` if the relay dial failed (shouldn't happen in
    /// practice since relay is always reachable).
    pub relay_transport: Option<Arc<QuinnTransport>>,
    /// Which future completed first in the local race.
    /// Informational — the actual path used is decided by the
    /// Phase 6 negotiation after both sides exchange reports.
    pub local_winner: WinningPath,
    /// Per-candidate diagnostic info for debugging.
    pub candidate_diags: Vec<CandidateDiag>,
 }
 /// Attempt a direct QUIC connection to the peer in parallel with
 /// the relay dial and return the winning `QuinnTransport`.
 ///
@@ -52,22 +81,156 @@ pub enum WinningPath {
 /// genuinely fail (network partition). Returns
 /// `Err(anyhow::anyhow!(...))` if both paths fail within the
 /// timeout.
 /// Phase 5.5 candidate bundle — full ICE-ish candidate list for
 /// the peer. The race tries them all in parallel alongside the
 /// relay path. At minimum this should contain the peer's
 /// server-reflexive address; `local_addrs` carries LAN host
 /// candidates gathered from their physical interfaces.
 ///
 /// Empty is valid: the D-role has nothing to dial and the race
 /// reduces to "relay only" + (if A-role) accepting on the
 /// shared endpoint.
 #[derive(Debug, Clone, Default)]
 pub struct PeerCandidates {
    /// Peer's server-reflexive address (Phase 3). `None` if the
    /// peer didn't advertise one.
    pub reflexive: Option<SocketAddr>,
    /// Peer's LAN host addresses (Phase 5.5). Tried first on
    /// same-LAN pairs — direct dials to these bypass the NAT
    /// entirely.
    pub local: Vec<SocketAddr>,
    /// Phase 8 (Tailscale-inspired): peer's port-mapped external
    /// address from NAT-PMP/PCP/UPnP. When the router supports
    /// port mapping, this gives a stable external address even
    /// behind symmetric NATs.
    pub mapped: Option<SocketAddr>,
 }
 impl PeerCandidates {
    /// Flatten into the list of addrs the D-role should dial.
    /// Order: LAN host candidates first (fastest when they
    /// work), then port-mapped (stable even behind symmetric
    /// NATs), then reflexive (covers the non-LAN case).
    pub fn dial_order(&self) -> Vec<SocketAddr> {
        let mut out = Vec::with_capacity(self.local.len() + 2);
        out.extend(self.local.iter().copied());
        // Port-mapped address goes before reflexive — it's
        // more reliable on symmetric NATs where the reflexive
        // addr might not match what the peer actually sees.
        if let Some(a) = self.mapped {
            if !out.contains(&a) {
                out.push(a);
            }
        }
        if let Some(a) = self.reflexive {
            if !out.contains(&a) {
                out.push(a);
            }
        }
        out
    }
    /// Smart dial order: filters out candidates that can't possibly
    /// work given our own reflexive address.
    ///
    /// - **LAN candidates**: only included if peer's public IP
    ///   matches ours (same network). Private IPs are unreachable
    ///   cross-network.
    /// - **IPv6 candidates**: stripped entirely (Phase 7 disabled).
    /// - **Reflexive + mapped**: always included.
    pub fn smart_dial_order(&self, own_reflexive: Option<&SocketAddr>) -> Vec<SocketAddr> {
        let own_public_ip = own_reflexive.map(|a| a.ip());
        let peer_public_ip = self.reflexive.map(|a| a.ip());
        let same_network = match (own_public_ip, peer_public_ip) {
            (Some(a), Some(b)) => a == b,
            _ => false,
        };
        let mut out = Vec::with_capacity(self.local.len() + 2);
        // LAN candidates only when on the same network.
        if same_network {
            for addr in &self.local {
                if !addr.is_ipv6() {
                    out.push(*addr);
                }
            }
        }
        // Port-mapped (always useful — it's a public addr).
        if let Some(a) = self.mapped {
            if !a.is_ipv6() && !out.contains(&a) {
                out.push(a);
            }
        }
        // Reflexive (always useful — it's the peer's public addr).
        if let Some(a) = self.reflexive {
            if !a.is_ipv6() && !out.contains(&a) {
                out.push(a);
            }
        }
        out
    }
    /// Is there anything for the D-role to dial? If not, the
    /// race reduces to relay-only.
    pub fn is_empty(&self) -> bool {
        self.reflexive.is_none() && self.local.is_empty() && self.mapped.is_none()
    }
 }
 #[allow(clippy::too_many_arguments)]
 pub async fn race(
    role: Role,
-    peer_direct_addr: SocketAddr,
+    peer_candidates: PeerCandidates,
    relay_addr: SocketAddr,
    room_sni: String,
    call_sni: String,
-) -> anyhow::Result<(Arc<QuinnTransport>, WinningPath)> {
+    // Our own reflexive address — used to filter LAN candidates
    // that can't work cross-network.
    own_reflexive: Option<SocketAddr>,
    // Phase 5: when `Some`, reuse this endpoint for BOTH the
    // direct-path branch AND the relay dial. Pass the signal
    // endpoint. The endpoint MUST be server-capable (created
    // with a server config) for the A-role accept branch to
    // work.
    //
    // When `None`, falls back to fresh endpoints per role.
    // Used by tests.
    shared_endpoint: Option<wzp_transport::Endpoint>,
    // Phase 7: dedicated IPv6 endpoint with IPV6_V6ONLY=1.
    // When `Some`, A-role accepts on both v4+v6, D-role routes
    // each candidate to its matching-AF endpoint. When `None`,
    // IPv6 candidates are skipped (IPv4-only, pre-Phase-7).
    ipv6_endpoint: Option<wzp_transport::Endpoint>,
 ) -> anyhow::Result<RaceResult> {
    // Rustls provider must be installed before any quinn endpoint
    // is created. Install attempt is idempotent.
    let _ = rustls::crypto::ring::default_provider().install_default();
    // Shared diagnostic collector for per-candidate results.
    let diags_collector: Arc<std::sync::Mutex<Vec<CandidateDiag>>> =
        Arc::new(std::sync::Mutex::new(Vec::new()));
    // Build the direct-path endpoint + future based on role.
-    // Each future returns an already-wrapped `QuinnTransport` so we
+    //
-    // don't need a direct `quinn::Connection` type in scope here
+    // A-role: one accept future on the shared endpoint. The
-    // (this crate doesn't depend on quinn directly).
+    //   first incoming QUIC connection wins — we don't care
    //   which peer candidate the dialer used to reach us.
    //
    // D-role: N parallel dial futures, one per peer candidate
    //   (all LAN host addrs + the reflex addr), consolidated
    //   into a single direct_fut via FuturesUnordered-style
    //   "first OK wins" semantics. The first successful dial
    //   becomes the direct path; the losers are dropped (quinn
    //   will abort the in-flight handshakes via the dropped
    //   Connecting futures).
    //
    // Either way, direct_fut resolves to a single QuinnTransport
    // (or an error) and is raced against the relay_fut by the
    // outer tokio::select!.
    let direct_ep: wzp_transport::Endpoint;
    let direct_fut: std::pin::Pin<
        Box<dyn std::future::Future<Output = anyhow::Result<QuinnTransport>> + Send>,
@@ -75,54 +238,344 @@ pub async fn race(
    match role {
        Role::Acceptor => {
-            let (sc, _cert_der) = wzp_transport::server_config();
+            let ep = match shared_endpoint.clone() {
-            let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
+                Some(ep) => {
-            let ep = wzp_transport::create_endpoint(bind, Some(sc))?;
+                    tracing::info!(
-            tracing::info!(
+                        local_addr = ?ep.local_addr().ok(),
-                local_addr = ?ep.local_addr().ok(),
+                        "dual_path: A-role reusing shared endpoint for accept"
-                "dual_path: A-role endpoint up, awaiting peer dial"
+                    );
-            );
+                    ep
                }
                None => {
                    let (sc, _cert_der) = wzp_transport::server_config();
                    // 0.0.0.0:0 = IPv4 socket. [::]:0 dual-stack was
                    // tried but breaks on Android devices where
                    // IPV6_V6ONLY=1 (default on some kernels) —
                    // IPv4 candidates silently fail. IPv6 host
                    // candidates are skipped for now; they need a
                    // dedicated IPv6 socket alongside the v4 one
                    // (like WebRTC's dual-socket approach).
                    let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
                    let fresh = wzp_transport::create_endpoint(bind, Some(sc))?;
                    tracing::info!(
                        local_addr = ?fresh.local_addr().ok(),
                        "dual_path: A-role fresh endpoint up, awaiting peer dial"
                    );
                    fresh
                }
            };
            let ep_for_fut = ep.clone();
            // Phase 7: IPv6 accept temporarily disabled (same reason
            // as dial — IPv6 connections die on datagram send).
            // Accept on IPv4 shared endpoint only.
            let _v6_ep_unused = ipv6_endpoint.clone();
            // Collect peer addrs for NAT tickle (Acceptor-side).
            let tickle_addrs: Vec<SocketAddr> = peer_candidates
                .smart_dial_order(own_reflexive.as_ref())
                .into_iter()
                .filter(|a| !a.ip().is_loopback() && !a.ip().is_unspecified())
                .collect();
            direct_fut = Box::pin(async move {
-                // `wzp_transport::accept` wraps the same
+                // NAT tickle: send a small UDP packet to each of the
-                // `endpoint.accept().await?.await?` dance we want
+                // Dialer's candidate addresses FROM our shared endpoint.
-                // and maps errors into TransportError for us.
+                // This opens our NAT's pinhole for return traffic from
-                let conn = wzp_transport::accept(&ep_for_fut)
+                // those IPs — critical for address-restricted NATs that
-                    .await
+                // only allow inbound from IPs they've seen outbound
-                    .map_err(|e| anyhow::anyhow!("direct accept: {e}"))?;
+                // traffic to. Without this, the Dialer's QUIC Initial
-                Ok(QuinnTransport::new(conn))
+                // gets dropped by our NAT.
                if !tickle_addrs.is_empty() {
                    if let Ok(local_addr) = ep_for_fut.local_addr() {
                        // Send a tickle to each peer candidate address
                        // to open our NAT for return traffic from that IP.
                        //
                        // We use a socket2 socket with SO_REUSEADDR +
                        // SO_REUSEPORT on the SAME port as the quinn
                        // endpoint. This is necessary because quinn
                        // already holds the port — a plain bind() would
                        // fail with EADDRINUSE.
                        let tickle_result: Result<(), String> = (|| {
                            use std::net::UdpSocket as StdUdpSocket;
                            let sock = socket2::Socket::new(
                                socket2::Domain::IPV4,
                                socket2::Type::DGRAM,
                                Some(socket2::Protocol::UDP),
                            ).map_err(|e| format!("socket: {e}"))?;
                            sock.set_reuse_address(true).map_err(|e| format!("reuseaddr: {e}"))?;
                            // macOS/BSD/Linux also need SO_REUSEPORT
                            #[cfg(any(target_os = "macos", target_os = "linux", target_os = "android"))]
                            {
                                // socket2 exposes set_reuse_port on unix
                                unsafe {
                                    let optval: libc::c_int = 1;
                                    libc::setsockopt(
                                        std::os::unix::io::AsRawFd::as_raw_fd(&sock),
                                        libc::SOL_SOCKET,
                                        libc::SO_REUSEPORT,
                                        &optval as *const _ as *const libc::c_void,
                                        std::mem::size_of::<libc::c_int>() as libc::socklen_t,
                                    );
                                }
                            }
                            sock.set_nonblocking(true).map_err(|e| format!("nonblock: {e}"))?;
                            let bind_addr: SocketAddr = SocketAddr::new(
                                std::net::IpAddr::V4(std::net::Ipv4Addr::UNSPECIFIED),
                                local_addr.port(),
                            );
                            sock.bind(&bind_addr.into()).map_err(|e| format!("bind :{}: {e}", local_addr.port()))?;
                            let std_sock: StdUdpSocket = sock.into();
                            for addr in &tickle_addrs {
                                let _ = std_sock.send_to(&[0u8; 1], addr);
                                tracing::info!(
                                    %addr,
                                    local_port = local_addr.port(),
                                    "dual_path: A-role sent NAT tickle"
                                );
                            }
                            Ok(())
                        })();
                        if let Err(e) = tickle_result {
                            tracing::warn!(error = %e, "dual_path: A-role NAT tickle failed");
                        }
                    }
                }
                // Accept loop: retry if we get a stale/closed
                // connection from a previous call. Max 3 retries
                // to avoid spinning until the race timeout.
                const MAX_STALE: usize = 3;
                let mut stale_count: usize = 0;
                loop {
                    let conn = wzp_transport::accept(&ep_for_fut)
                        .await
                        .map_err(|e| anyhow::anyhow!("direct accept: {e}"))?;
                    if let Some(reason) = conn.close_reason() {
                        // Explicitly close so the peer gets a
                        // close frame instead of idle timeout.
                        conn.close(0u32.into(), b"stale");
                        stale_count += 1;
                        tracing::warn!(
                            remote = %conn.remote_address(),
                            stable_id = conn.stable_id(),
                            stale_count,
                            ?reason,
                            "dual_path: A-role skipping stale connection"
                        );
                        if stale_count >= MAX_STALE {
                            return Err(anyhow::anyhow!(
                                "A-role: {stale_count} stale connections, aborting"
                            ));
                        }
                        continue;
                    }
                    let has_dgram = conn.max_datagram_size().is_some();
                    tracing::info!(
                        remote = %conn.remote_address(),
                        stable_id = conn.stable_id(),
                        has_dgram,
                        "dual_path: A-role accepted direct connection"
                    );
                    break Ok(QuinnTransport::new(conn));
                }
            });
            direct_ep = ep;
        }
        Role::Dialer => {
-            let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
+            let ep = match shared_endpoint.clone() {
-            let ep = wzp_transport::create_endpoint(bind, None)?;
+                Some(ep) => {
-            tracing::info!(
+                    tracing::info!(
-                local_addr = ?ep.local_addr().ok(),
+                        local_addr = ?ep.local_addr().ok(),
-                %peer_direct_addr,
+                        candidates = ?peer_candidates.dial_order(),
-                "dual_path: D-role endpoint up, dialing peer"
+                        "dual_path: D-role reusing shared endpoint to dial peer candidates"
-            );
+                    );
                    ep
                }
                None => {
                    // 0.0.0.0:0 = IPv4 socket. [::]:0 dual-stack was
                    // tried but breaks on Android devices where
                    // IPV6_V6ONLY=1 (default on some kernels) —
                    // IPv4 candidates silently fail. IPv6 host
                    // candidates are skipped for now; they need a
                    // dedicated IPv6 socket alongside the v4 one
                    // (like WebRTC's dual-socket approach).
                    let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
                    let fresh = wzp_transport::create_endpoint(bind, None)?;
                    tracing::info!(
                        local_addr = ?fresh.local_addr().ok(),
                        candidates = ?peer_candidates.dial_order(),
                        "dual_path: D-role fresh endpoint up, dialing peer candidates"
                    );
                    fresh
                }
            };
            let ep_for_fut = ep.clone();
-            let client_cfg = wzp_transport::client_config();
+            let _v6_ep_for_dial = ipv6_endpoint.clone();
            let dial_order = peer_candidates.smart_dial_order(own_reflexive.as_ref());
            let sni = call_sni.clone();
            let diags = diags_collector.clone();
            direct_fut = Box::pin(async move {
-                let conn =
+                if dial_order.is_empty() {
-                    wzp_transport::connect(&ep_for_fut, peer_direct_addr, &sni, client_cfg)
+                    // No candidates — the race reduces to
-                        .await
+                    // relay-only. Surface a stable error so the
-                        .map_err(|e| anyhow::anyhow!("direct dial: {e}"))?;
+                    // outer select falls through to relay_fut
-                Ok(QuinnTransport::new(conn))
+                    // without a spurious "direct failed" warning.
                    // Use a pending future that never resolves so
                    // the select's "other side wins" branch is
                    // the natural outcome.
                    std::future::pending::<anyhow::Result<QuinnTransport>>().await
                } else {
                    // Fan out N parallel dials via JoinSet. First
                    // `Ok` wins; `Err` from a single candidate is
                    // not fatal — we wait for the others. Only
                    // when ALL have failed do we return Err.
                    let mut set = tokio::task::JoinSet::new();
                    for (idx, candidate) in dial_order.iter().enumerate() {
                        // Phase 7: route each candidate to the
                        // endpoint matching its address family.
                        let candidate = *candidate;
                        // Phase 7: IPv6 dials temporarily disabled.
                        // IPv6 QUIC handshakes succeed but the
                        // connection dies immediately on datagram
                        // send ("connection lost"). Root cause is
                        // likely router-level IPv6 UDP filtering.
                        // Re-enable once IPv6 datagram delivery is
                        // verified on target networks.
                        if candidate.is_ipv6() {
                            tracing::info!(
                                %candidate,
                                candidate_idx = idx,
                                "dual_path: skipping IPv6 candidate (disabled)"
                            );
                            if let Ok(mut d) = diags.lock() {
                                d.push(CandidateDiag {
                                    index: idx,
                                    addr: candidate.to_string(),
                                    result: "skipped:ipv6".into(),
                                    elapsed_ms: None,
                                });
                            }
                            continue;
                        }
                        let ep = ep_for_fut.clone();
                        let client_cfg = wzp_transport::client_config();
                        let sni = sni.clone();
                        let diags_inner = diags.clone();
                        set.spawn(async move {
                            let start = std::time::Instant::now();
                            tracing::info!(
                                %candidate,
                                candidate_idx = idx,
                                "dual_path: dialing candidate"
                            );
                            let result = wzp_transport::connect(
                                &ep,
                                candidate,
                                &sni,
                                client_cfg,
                            )
                            .await;
                            let elapsed = start.elapsed().as_millis() as u32;
                            let diag_result = match &result {
                                Ok(_) => "ok".to_string(),
                                Err(e) => format!("error:{e}"),
                            };
                            if let Ok(mut d) = diags_inner.lock() {
                                d.push(CandidateDiag {
                                    index: idx,
                                    addr: candidate.to_string(),
                                    result: diag_result,
                                    elapsed_ms: Some(elapsed),
                                });
                            }
                            (idx, candidate, result)
                        });
                    }
                    let mut last_err: Option<String> = None;
                    while let Some(join_res) = set.join_next().await {
                        let (idx, candidate, dial_res) = match join_res {
                            Ok(t) => t,
                            Err(e) => {
                                last_err = Some(format!("join {e}"));
                                continue;
                            }
                        };
                        match dial_res {
                            Ok(conn) => {
                                tracing::info!(
                                    %candidate,
                                    candidate_idx = idx,
                                    remote = %conn.remote_address(),
                                    stable_id = conn.stable_id(),
                                    "dual_path: direct dial succeeded on candidate"
                                );
                                // Abort the remaining in-flight
                                // dials so they don't complete
                                // and leak QUIC sessions.
                                set.abort_all();
                                return Ok(QuinnTransport::new(conn));
                            }
                            Err(e) => {
                                tracing::info!(
                                    %candidate,
                                    candidate_idx = idx,
                                    error = %e,
                                    "dual_path: direct dial failed, trying others"
                                );
                                last_err = Some(format!("candidate {candidate}: {e}"));
                            }
                        }
                    }
                    Err(anyhow::anyhow!(
                        "all {} direct candidates failed; last: {}",
                        dial_order.len(),
                        last_err.unwrap_or_else(|| "n/a".into())
                    ))
                }
            });
            direct_ep = ep;
        }
    }
-    // Relay path: classic dial to the relay's media room.
+    // Relay path: classic dial to the relay's media room. Phase 5:
-    let relay_bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
+    // reuse the shared endpoint here too so MikroTik-style NATs
-    let relay_ep = wzp_transport::create_endpoint(relay_bind, None)?;
+    // keep a stable external port across all flows from this
    // client. Falls back to a fresh endpoint when not shared.
    let relay_ep = match shared_endpoint.clone() {
        Some(ep) => ep,
        None => {
            let relay_bind: SocketAddr = "[::]:0".parse().unwrap();
            wzp_transport::create_endpoint(relay_bind, None)?
        }
    };
    let relay_ep_for_fut = relay_ep.clone();
    let relay_client_cfg = wzp_transport::client_config();
    let relay_sni = room_sni.clone();
    // Phase 5.5 direct-path head-start: hold the relay dial for
    // 500ms before attempting it. On same-LAN cone-NAT pairs the
    // direct dial finishes in ~30-100ms, so giving direct a 500ms
    // head start means direct reliably wins when it's going to
    // work at all. The worst case adds 500ms to the fall-back-
    // to-relay scenario, which is imperceptible for users on
    // setups where direct isn't available anyway.
    //
    // Prior behavior (immediate race) caused the relay to win
    // ~105ms races on a MikroTik LAN because:
    //   - Acceptor role's direct_fut = accept() can only fire
    //     when the peer has completed its outbound LAN dial
    //   - Dialer role's parallel LAN dials need the peer's
    //     CallSetup processed + the race started on the other
    //     side before they can reach us
    //   - Meanwhile relay_fut is a plain dial that completes in
    //     whatever the client→relay RTT is (often <100ms)
    //
    // The 500ms head start is the minimum that empirically makes
    // same-LAN direct reliably beat relay, without penalizing
    // users who genuinely need the relay path.
    const DIRECT_HEAD_START: Duration = Duration::from_millis(500);
    let relay_fut = async move {
        tokio::time::sleep(DIRECT_HEAD_START).await;
        let conn =
            wzp_transport::connect(&relay_ep_for_fut, relay_addr, &relay_sni, relay_client_cfg)
                .await
@@ -130,66 +583,378 @@ pub async fn race(
        Ok::<_, anyhow::Error>(QuinnTransport::new(conn))
    };
-    // Race the two with a shared 2s ceiling on the direct attempt.
+    // Phase 6: run both paths concurrently via tokio::spawn and
-    // Pin both so we can poll them from multiple branches of the
+    // collect BOTH results. The old tokio::select! approach dropped
-    // select without moving the futures — the "direct failed, wait
+    // the loser, which meant the connect command couldn't negotiate
-    // for relay" and "relay failed, wait for direct" fallback paths
+    // with the peer — it had to commit to whichever path won locally.
-    // below need to await the OPPOSITE future after the winning
+    //
-    // branch fires. Without pinning, tokio::select! moves the
+    // Now we spawn both as tasks, wait for the first to complete
-    // future out and we can't touch it again.
+    // (that determines `local_winner`), then give the loser a short
-    tracing::info!(?role, %peer_direct_addr, %relay_addr, "dual_path: racing direct vs relay");
+    // grace period to also complete. The connect command gets a
-    let direct_timed = tokio::time::timeout(Duration::from_secs(2), direct_fut);
+    // RaceResult with both transports (when available) and uses the
-    tokio::pin!(direct_timed, relay_fut);
+    // Phase 6 MediaPathReport exchange to decide which one to
    // actually use for media.
    let smart_order = peer_candidates.smart_dial_order(own_reflexive.as_ref());
    tracing::info!(
        ?role,
        raw_candidates = ?peer_candidates.dial_order(),
        filtered_candidates = ?smart_order,
        ?own_reflexive,
        %relay_addr,
        "dual_path: racing direct vs relay"
    );
-    let result = tokio::select! {
+    let mut direct_task = tokio::spawn(
-        biased; // prefer direct win if both arrive in the same tick
+        tokio::time::timeout(Duration::from_secs(4), direct_fut),
-        direct_result = &mut direct_timed => {
+    );
-            match direct_result {
+    let mut relay_task = tokio::spawn(async move {
-                Ok(Ok(transport)) => {
+        // Keep the 500ms head start so direct has a chance
-                    tracing::info!(%peer_direct_addr, "dual_path: direct WON");
+        tokio::time::sleep(Duration::from_millis(500)).await;
-                    Ok((Arc::new(transport), WinningPath::Direct))
+        tokio::time::timeout(Duration::from_secs(5), relay_fut).await
    });
    // Wait for the first one to complete. This tells us the
    // local_winner — but we DON'T commit to it yet. Phase 6
    // negotiation decides the actual path.
    let (mut direct_result, mut relay_result): (
        Option<anyhow::Result<QuinnTransport>>,
        Option<anyhow::Result<QuinnTransport>>,
    ) = (None, None);
    let local_winner;
    tokio::select! {
        biased;
        d = &mut direct_task => {
            match d {
                Ok(Ok(Ok(t))) => {
                    tracing::info!("dual_path: direct completed first");
                    direct_result = Some(Ok(t));
                    local_winner = WinningPath::Direct;
                }
-                Ok(Err(e)) => {
+                Ok(Ok(Err(e))) => {
-                    // Direct failed — fall back to waiting for relay.
+                    tracing::warn!(error = %e, "dual_path: direct failed");
-                    tracing::warn!(error = %e, "dual_path: direct failed, awaiting relay");
+                    direct_result = Some(Err(anyhow::anyhow!("{e}")));
-                    match tokio::time::timeout(Duration::from_secs(5), &mut relay_fut).await {
+                    local_winner = WinningPath::Relay; // direct failed → relay is our only hope
-                        Ok(Ok(transport)) => Ok((Arc::new(transport), WinningPath::Relay)),
+                }
-                        Ok(Err(e2)) => Err(anyhow::anyhow!("both paths failed: direct={e}, relay={e2}")),
+                Ok(Err(_)) => {
-                        Err(_) => Err(anyhow::anyhow!("both paths failed: direct={e}, relay=timeout(5s)")),
+                    tracing::warn!("dual_path: direct timed out (4s)");
                    direct_result = Some(Err(anyhow::anyhow!("direct timeout")));
                    local_winner = WinningPath::Relay;
                    // Record timeout diag for candidates that were
                    // still in-flight when the timeout fired.
                    if let Ok(mut d) = diags_collector.lock() {
                        let recorded_indices: std::collections::HashSet<usize> =
                            d.iter().map(|diag| diag.index).collect();
                        for (idx, addr) in smart_order.iter().enumerate() {
                            if !recorded_indices.contains(&idx) {
                                d.push(CandidateDiag {
                                    index: idx,
                                    addr: addr.to_string(),
                                    result: "timeout:4s".into(),
                                    elapsed_ms: Some(4000),
                                });
                            }
                        }
                    }
                }
                Err(_elapsed) => {
                    tracing::warn!("dual_path: direct timed out (2s), awaiting relay");
                    match tokio::time::timeout(Duration::from_secs(5), &mut relay_fut).await {
                        Ok(Ok(transport)) => Ok((Arc::new(transport), WinningPath::Relay)),
                        Ok(Err(e2)) => Err(anyhow::anyhow!("direct timeout + relay failed: {e2}")),
                        Err(_) => Err(anyhow::anyhow!("direct timeout + relay timeout")),
                    }
                }
            }
        }
        relay_result = &mut relay_fut => {
            match relay_result {
                Ok(transport) => {
                    tracing::info!("dual_path: relay WON (direct still pending)");
                    Ok((Arc::new(transport), WinningPath::Relay))
                }
                Err(e) => {
-                    tracing::warn!(error = %e, "dual_path: relay failed, awaiting direct remainder");
+                    tracing::warn!(error = %e, "dual_path: direct task panicked");
-                    match tokio::time::timeout(Duration::from_millis(1500), &mut direct_timed).await {
+                    direct_result = Some(Err(anyhow::anyhow!("direct task panic")));
-                        Ok(Ok(Ok(transport))) => Ok((Arc::new(transport), WinningPath::Direct)),
+                    local_winner = WinningPath::Relay;
-                        _ => Err(anyhow::anyhow!("relay failed + direct unavailable: {e}")),
+                }
            }
        }
        r = &mut relay_task => {
            match r {
                Ok(Ok(Ok(t))) => {
                    tracing::info!("dual_path: relay completed first");
                    relay_result = Some(Ok(t));
                    local_winner = WinningPath::Relay;
                }
                Ok(Ok(Err(e))) => {
                    tracing::warn!(error = %e, "dual_path: relay failed");
                    relay_result = Some(Err(anyhow::anyhow!("{e}")));
                    local_winner = WinningPath::Direct;
                }
                Ok(Err(_)) => {
                    tracing::warn!("dual_path: relay timed out");
                    relay_result = Some(Err(anyhow::anyhow!("relay timeout")));
                    local_winner = WinningPath::Direct;
                }
                Err(e) => {
                    relay_result = Some(Err(anyhow::anyhow!("relay task panic: {e}")));
                    local_winner = WinningPath::Direct;
                }
            }
        }
    }
    // Give the loser a short grace period (1s) to also complete.
    // If it does, we have both transports for Phase 6 negotiation.
    // If it doesn't, we still proceed with just the winner.
    if direct_result.is_none() {
        match tokio::time::timeout(Duration::from_secs(1), direct_task).await {
            Ok(Ok(Ok(Ok(t)))) => { direct_result = Some(Ok(t)); }
            Ok(Ok(Ok(Err(e)))) => { direct_result = Some(Err(anyhow::anyhow!("{e}"))); }
            _ => {
                direct_result = Some(Err(anyhow::anyhow!("direct: no result in grace period")));
                // Fill timeout diags for candidates that never reported.
                if let Ok(mut d) = diags_collector.lock() {
                    let recorded: std::collections::HashSet<usize> =
                        d.iter().map(|diag| diag.index).collect();
                    for (idx, addr) in smart_order.iter().enumerate() {
                        if !recorded.contains(&idx) {
                            d.push(CandidateDiag {
                                index: idx,
                                addr: addr.to_string(),
                                result: "timeout:grace".into(),
                                elapsed_ms: None,
                            });
                        }
                    }
                }
            }
        }
-    };
+    }
    if relay_result.is_none() {
        match tokio::time::timeout(Duration::from_secs(1), relay_task).await {
            Ok(Ok(Ok(Ok(t)))) => { relay_result = Some(Ok(t)); }
            Ok(Ok(Ok(Err(e)))) => { relay_result = Some(Err(anyhow::anyhow!("{e}"))); }
            _ => { relay_result = Some(Err(anyhow::anyhow!("relay: no result in grace period"))); }
        }
    }
-    // Drop both endpoints once the winner is stored in result. The
+    let direct_ok = direct_result.as_ref().map(|r| r.is_ok()).unwrap_or(false);
-    // winning transport owns its own connection so dropping the
+    let relay_ok = relay_result.as_ref().map(|r| r.is_ok()).unwrap_or(false);
    // endpoint won't kill it.
    drop(direct_ep);
    drop(relay_ep);
-    result
+    tracing::info!(
        ?local_winner,
        direct_ok,
        relay_ok,
        "dual_path: race finished, both results collected for Phase 6 negotiation"
    );
    if !direct_ok && !relay_ok {
        return Err(anyhow::anyhow!("both paths failed: no media transport available"));
    }
    let _ = (direct_ep, relay_ep, ipv6_endpoint);
    let candidate_diags = diags_collector.lock()
        .map(|d| d.clone())
        .unwrap_or_default();
    Ok(RaceResult {
        direct_transport: direct_result
            .and_then(|r| r.ok())
            .map(|t| Arc::new(t)),
        relay_transport: relay_result
            .and_then(|r| r.ok())
            .map(|t| Arc::new(t)),
        local_winner,
        candidate_diags,
    })
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn peer_candidates_dial_order_all_types() {
        let candidates = PeerCandidates {
            reflexive: Some("203.0.113.5:4433".parse().unwrap()),
            local: vec![
                "192.168.1.10:4433".parse().unwrap(),
                "10.0.0.5:4433".parse().unwrap(),
            ],
            mapped: Some("198.51.100.42:12345".parse().unwrap()),
        };
        let order = candidates.dial_order();
        // Order: local first, then mapped, then reflexive
        assert_eq!(order.len(), 4);
        assert_eq!(order[0], "192.168.1.10:4433".parse::<SocketAddr>().unwrap());
        assert_eq!(order[1], "10.0.0.5:4433".parse::<SocketAddr>().unwrap());
        assert_eq!(order[2], "198.51.100.42:12345".parse::<SocketAddr>().unwrap());
        assert_eq!(order[3], "203.0.113.5:4433".parse::<SocketAddr>().unwrap());
    }
    #[test]
    fn peer_candidates_dial_order_no_mapped() {
        let candidates = PeerCandidates {
            reflexive: Some("203.0.113.5:4433".parse().unwrap()),
            local: vec!["192.168.1.10:4433".parse().unwrap()],
            mapped: None,
        };
        let order = candidates.dial_order();
        assert_eq!(order.len(), 2);
        assert_eq!(order[0], "192.168.1.10:4433".parse::<SocketAddr>().unwrap());
        assert_eq!(order[1], "203.0.113.5:4433".parse::<SocketAddr>().unwrap());
    }
    #[test]
    fn peer_candidates_dial_order_only_mapped() {
        let candidates = PeerCandidates {
            reflexive: None,
            local: vec![],
            mapped: Some("198.51.100.42:12345".parse().unwrap()),
        };
        let order = candidates.dial_order();
        assert_eq!(order.len(), 1);
        assert_eq!(order[0], "198.51.100.42:12345".parse::<SocketAddr>().unwrap());
    }
    #[test]
    fn peer_candidates_dial_order_dedup_mapped_equals_reflexive() {
        let addr: SocketAddr = "203.0.113.5:4433".parse().unwrap();
        let candidates = PeerCandidates {
            reflexive: Some(addr),
            local: vec![],
            mapped: Some(addr), // same as reflexive
        };
        let order = candidates.dial_order();
        // Should be deduped to 1
        assert_eq!(order.len(), 1);
        assert_eq!(order[0], addr);
    }
    #[test]
    fn peer_candidates_dial_order_dedup_mapped_in_local() {
        let addr: SocketAddr = "192.168.1.10:4433".parse().unwrap();
        let candidates = PeerCandidates {
            reflexive: None,
            local: vec![addr],
            mapped: Some(addr), // same as a local addr
        };
        let order = candidates.dial_order();
        assert_eq!(order.len(), 1);
        assert_eq!(order[0], addr);
    }
    #[test]
    fn peer_candidates_is_empty() {
        let empty = PeerCandidates::default();
        assert!(empty.is_empty());
        let with_reflexive = PeerCandidates {
            reflexive: Some("1.2.3.4:5".parse().unwrap()),
            ..Default::default()
        };
        assert!(!with_reflexive.is_empty());
        let with_local = PeerCandidates {
            local: vec!["10.0.0.1:5".parse().unwrap()],
            ..Default::default()
        };
        assert!(!with_local.is_empty());
        let with_mapped = PeerCandidates {
            mapped: Some("1.2.3.4:5".parse().unwrap()),
            ..Default::default()
        };
        assert!(!with_mapped.is_empty());
    }
    #[test]
    fn peer_candidates_empty_dial_order() {
        let empty = PeerCandidates::default();
        assert!(empty.dial_order().is_empty());
    }
    #[test]
    fn winning_path_debug() {
        // Just verify Debug impl doesn't panic
        let _ = format!("{:?}", WinningPath::Direct);
        let _ = format!("{:?}", WinningPath::Relay);
    }
    // ── smart_dial_order tests ─────────────────────────────────
    #[test]
    fn smart_dial_order_same_network_includes_lan() {
        let candidates = PeerCandidates {
            reflexive: Some("203.0.113.5:4433".parse().unwrap()),
            local: vec![
                "192.168.1.10:4433".parse().unwrap(),
                "10.0.0.5:4433".parse().unwrap(),
            ],
            mapped: None,
        };
        let own: SocketAddr = "203.0.113.5:12345".parse().unwrap();
        let order = candidates.smart_dial_order(Some(&own));
        // Same public IP → LAN candidates included
        assert!(order.contains(&"192.168.1.10:4433".parse().unwrap()));
        assert!(order.contains(&"10.0.0.5:4433".parse().unwrap()));
        assert!(order.contains(&"203.0.113.5:4433".parse().unwrap()));
    }
    #[test]
    fn smart_dial_order_different_network_strips_lan() {
        let candidates = PeerCandidates {
            reflexive: Some("150.228.49.65:4433".parse().unwrap()),
            local: vec![
                "172.16.81.126:4433".parse().unwrap(),
                "10.0.0.5:4433".parse().unwrap(),
            ],
            mapped: None,
        };
        // Different public IP → LAN candidates stripped
        let own: SocketAddr = "185.115.4.212:12345".parse().unwrap();
        let order = candidates.smart_dial_order(Some(&own));
        assert!(!order.contains(&"172.16.81.126:4433".parse().unwrap()));
        assert!(!order.contains(&"10.0.0.5:4433".parse().unwrap()));
        // Reflexive still included
        assert!(order.contains(&"150.228.49.65:4433".parse().unwrap()));
    }
    #[test]
    fn smart_dial_order_strips_ipv6() {
        let candidates = PeerCandidates {
            reflexive: Some("150.228.49.65:4433".parse().unwrap()),
            local: vec![
                "[2a0d:3344:692c::1]:4433".parse().unwrap(),
                "172.16.81.126:4433".parse().unwrap(),
            ],
            mapped: None,
        };
        // Same network, but IPv6 should be stripped
        let own: SocketAddr = "150.228.49.65:5555".parse().unwrap();
        let order = candidates.smart_dial_order(Some(&own));
        assert!(!order.iter().any(|a| a.is_ipv6()));
        assert!(order.contains(&"172.16.81.126:4433".parse().unwrap()));
    }
    #[test]
    fn smart_dial_order_no_own_reflexive_strips_lan() {
        let candidates = PeerCandidates {
            reflexive: Some("150.228.49.65:4433".parse().unwrap()),
            local: vec!["172.16.81.126:4433".parse().unwrap()],
            mapped: Some("198.51.100.42:12345".parse().unwrap()),
        };
        // No own reflexive → can't determine same network → strip LAN
        let order = candidates.smart_dial_order(None);
        assert!(!order.contains(&"172.16.81.126:4433".parse().unwrap()));
        assert!(order.contains(&"198.51.100.42:12345".parse().unwrap()));
        assert!(order.contains(&"150.228.49.65:4433".parse().unwrap()));
    }
    #[test]
    fn smart_dial_order_mapped_always_included() {
        let candidates = PeerCandidates {
            reflexive: Some("150.228.49.65:4433".parse().unwrap()),
            local: vec![],
            mapped: Some("198.51.100.42:12345".parse().unwrap()),
        };
        let own: SocketAddr = "185.115.4.212:12345".parse().unwrap();
        let order = candidates.smart_dial_order(Some(&own));
        assert_eq!(order.len(), 2); // mapped + reflexive
        assert!(order.contains(&"198.51.100.42:12345".parse().unwrap()));
        assert!(order.contains(&"150.228.49.65:4433".parse().unwrap()));
    }
 }
--- a/crates/wzp-client/src/featherchat.rs
+++ b/crates/wzp-client/src/featherchat.rs
@@ -130,6 +130,16 @@ pub fn signal_to_call_type(signal: &SignalMessage) -> CallSignalType {
        // relay-to-relay message, never rides the featherChat
        // bridge. Catch-all mapping for completeness.
        SignalMessage::FederatedSignalForward { .. } => CallSignalType::Offer,
        SignalMessage::MediaPathReport { .. } => CallSignalType::Offer, // control-plane
        SignalMessage::CandidateUpdate { .. } => CallSignalType::IceCandidate, // mid-call re-gather
        SignalMessage::HardNatProbe { .. } => CallSignalType::IceCandidate, // hard NAT coordination
        SignalMessage::HardNatBirthdayStart { .. } => CallSignalType::IceCandidate, // birthday attack
        SignalMessage::UpgradeProposal { .. }
        | SignalMessage::UpgradeResponse { .. }
        | SignalMessage::UpgradeConfirm { .. }
        | SignalMessage::QualityCapability { .. } => CallSignalType::Offer, // quality negotiation
        SignalMessage::PresenceList { .. } => CallSignalType::Offer, // lobby presence
        SignalMessage::QualityDirective { .. } => CallSignalType::Offer, // relay-initiated
    }
 }
@@ -169,6 +179,7 @@ mod tests {
        let hangup = SignalMessage::Hangup {
            reason: wzp_proto::HangupReason::Normal,
            call_id: None,
        };
        assert!(matches!(signal_to_call_type(&hangup), CallSignalType::Hangup));
--- a/crates/wzp-client/src/ice_agent.rs
+++ b/crates/wzp-client/src/ice_agent.rs
@@ -0,0 +1,444 @@
 //! Phase 8 (Tailscale-inspired): ICE agent for candidate lifecycle
 //! management and mid-call re-gathering.
 //!
 //! The `IceAgent` owns the state of all candidate discovery
 //! mechanisms (STUN, port mapping, host candidates) and provides:
 //!
 //! - `gather()`: initial candidate gathering during call setup
 //! - `re_gather()`: triggered on network change, produces a
 //!   `CandidateUpdate` to send to the peer
 //! - `apply_peer_update()`: processes peer's candidate updates
 //!
 //! This is NOT a full ICE agent (RFC 8445). It's the Tailscale-style
 //! "gather all candidates, race them all in parallel, pick the
 //! winner" approach, adapted for QUIC transport.
 use std::net::SocketAddr;
 use std::sync::atomic::{AtomicU32, Ordering};
 use std::time::Duration;
 use wzp_proto::SignalMessage;
 use crate::dual_path::PeerCandidates;
 use crate::portmap;
 use crate::reflect;
 use crate::stun;
 /// All candidates gathered for the local side.
 #[derive(Debug, Clone)]
 pub struct CandidateSet {
    /// STUN-discovered server-reflexive address.
    pub reflexive: Option<SocketAddr>,
    /// LAN host candidates from local interfaces.
    pub local: Vec<SocketAddr>,
    /// Port-mapped address from NAT-PMP/PCP/UPnP.
    pub mapped: Option<SocketAddr>,
    /// Generation counter (monotonically increasing per call).
    pub generation: u32,
 }
 /// Configuration for the ICE agent.
 #[derive(Debug, Clone)]
 pub struct IceAgentConfig {
    /// STUN servers to use for reflexive discovery.
    pub stun_config: stun::StunConfig,
    /// Whether to attempt port mapping.
    pub enable_portmap: bool,
    /// Timeout for each discovery mechanism.
    pub gather_timeout: Duration,
    /// The QUIC endpoint's local port (for host candidate pairing).
    pub local_v4_port: u16,
    /// Optional IPv6 port.
    pub local_v6_port: Option<u16>,
 }
 impl Default for IceAgentConfig {
    fn default() -> Self {
        Self {
            stun_config: stun::StunConfig::default(),
            enable_portmap: true,
            gather_timeout: Duration::from_secs(3),
            local_v4_port: 0,
            local_v6_port: None,
        }
    }
 }
 /// ICE agent managing candidate lifecycle.
 pub struct IceAgent {
    config: IceAgentConfig,
    generation: AtomicU32,
    call_id: String,
    /// Last-seen peer generation (to filter stale updates).
    peer_generation: AtomicU32,
 }
 impl IceAgent {
    pub fn new(call_id: String, config: IceAgentConfig) -> Self {
        Self {
            config,
            generation: AtomicU32::new(0),
            call_id,
            peer_generation: AtomicU32::new(0),
        }
    }
    /// Initial candidate gathering. Runs all discovery mechanisms
    /// in parallel and returns the full candidate set.
    pub async fn gather(&self) -> CandidateSet {
        let generation = self.generation.fetch_add(1, Ordering::Relaxed);
        // Run STUN + port mapping + host candidates in parallel.
        let stun_fut = stun::discover_reflexive(&self.config.stun_config);
        let portmap_fut = async {
            if self.config.enable_portmap && self.config.local_v4_port > 0 {
                portmap::acquire_port_mapping(self.config.local_v4_port, None)
                    .await
                    .ok()
            } else {
                None
            }
        };
        let (stun_result, portmap_result) = tokio::join!(
            tokio::time::timeout(self.config.gather_timeout, stun_fut),
            tokio::time::timeout(self.config.gather_timeout, portmap_fut),
        );
        let reflexive = stun_result.ok().and_then(|r| r.ok());
        let mapped = portmap_result
            .ok()
            .flatten()
            .map(|m| m.external_addr);
        let local = reflect::local_host_candidates(
            self.config.local_v4_port,
            self.config.local_v6_port,
        );
        tracing::info!(
            generation,
            reflexive = ?reflexive,
            mapped = ?mapped,
            local_count = local.len(),
            "ice_agent: gathered candidates"
        );
        CandidateSet {
            reflexive,
            local,
            mapped,
            generation,
        }
    }
    /// Re-gather candidates after a network change. Increments the
    /// generation counter and returns a `CandidateUpdate` signal
    /// message to send to the peer.
    pub async fn re_gather(&self) -> (CandidateSet, SignalMessage) {
        let candidates = self.gather().await;
        let update = SignalMessage::CandidateUpdate {
            call_id: self.call_id.clone(),
            reflexive_addr: candidates.reflexive.map(|a| a.to_string()),
            local_addrs: candidates.local.iter().map(|a| a.to_string()).collect(),
            mapped_addr: candidates.mapped.map(|a| a.to_string()),
            generation: candidates.generation,
        };
        (candidates, update)
    }
    /// Process a peer's candidate update. Returns `Some(PeerCandidates)`
    /// if the update is newer than the last-seen generation, `None`
    /// if it's stale.
    pub fn apply_peer_update(
        &self,
        update: &SignalMessage,
    ) -> Option<PeerCandidates> {
        let (reflexive_addr, local_addrs, mapped_addr, generation) = match update {
            SignalMessage::CandidateUpdate {
                reflexive_addr,
                local_addrs,
                mapped_addr,
                generation,
                ..
            } => (reflexive_addr, local_addrs, mapped_addr, *generation),
            _ => return None,
        };
        // Only accept if newer than last-seen generation.
        let prev = self.peer_generation.fetch_max(generation, Ordering::AcqRel);
        if generation <= prev {
            tracing::debug!(
                generation,
                prev,
                "ice_agent: ignoring stale CandidateUpdate"
            );
            return None;
        }
        let reflexive = reflexive_addr
            .as_deref()
            .and_then(|s| s.parse().ok());
        let local: Vec<SocketAddr> = local_addrs
            .iter()
            .filter_map(|s| s.parse().ok())
            .collect();
        let mapped = mapped_addr
            .as_deref()
            .and_then(|s| s.parse().ok());
        tracing::info!(
            generation,
            reflexive = ?reflexive,
            mapped = ?mapped,
            local_count = local.len(),
            "ice_agent: applied peer candidate update"
        );
        Some(PeerCandidates {
            reflexive,
            local,
            mapped,
        })
    }
    /// Get the current generation counter.
    pub fn generation(&self) -> u32 {
        self.generation.load(Ordering::Relaxed)
    }
 }
 // ── Tests ──────────────────────────────────────────────────────────
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn apply_peer_update_rejects_stale() {
        let agent = IceAgent::new("test-call".into(), IceAgentConfig::default());
        // First update (gen=1) should succeed.
        let update1 = SignalMessage::CandidateUpdate {
            call_id: "test-call".into(),
            reflexive_addr: Some("203.0.113.5:4433".into()),
            local_addrs: vec!["192.168.1.10:4433".into()],
            mapped_addr: None,
            generation: 1,
        };
        let result = agent.apply_peer_update(&update1);
        assert!(result.is_some());
        let candidates = result.unwrap();
        assert_eq!(
            candidates.reflexive,
            Some("203.0.113.5:4433".parse().unwrap())
        );
        assert_eq!(candidates.local.len(), 1);
        // Same generation (gen=1) should be rejected.
        let update1b = SignalMessage::CandidateUpdate {
            call_id: "test-call".into(),
            reflexive_addr: Some("198.51.100.9:4433".into()),
            local_addrs: vec![],
            mapped_addr: None,
            generation: 1,
        };
        assert!(agent.apply_peer_update(&update1b).is_none());
        // Older generation (gen=0) should be rejected.
        let update0 = SignalMessage::CandidateUpdate {
            call_id: "test-call".into(),
            reflexive_addr: Some("10.0.0.1:4433".into()),
            local_addrs: vec![],
            mapped_addr: None,
            generation: 0,
        };
        assert!(agent.apply_peer_update(&update0).is_none());
        // Newer generation (gen=2) should succeed.
        let update2 = SignalMessage::CandidateUpdate {
            call_id: "test-call".into(),
            reflexive_addr: Some("198.51.100.9:5555".into()),
            local_addrs: vec![],
            mapped_addr: Some("203.0.113.5:12345".into()),
            generation: 2,
        };
        let result = agent.apply_peer_update(&update2);
        assert!(result.is_some());
        let candidates = result.unwrap();
        assert_eq!(
            candidates.reflexive,
            Some("198.51.100.9:5555".parse().unwrap())
        );
        assert_eq!(
            candidates.mapped,
            Some("203.0.113.5:12345".parse().unwrap())
        );
    }
    #[test]
    fn apply_wrong_signal_returns_none() {
        let agent = IceAgent::new("test-call".into(), IceAgentConfig::default());
        let wrong = SignalMessage::Reflect;
        assert!(agent.apply_peer_update(&wrong).is_none());
    }
    #[test]
    fn generation_increments() {
        let agent = IceAgent::new("test".into(), IceAgentConfig::default());
        assert_eq!(agent.generation(), 0);
        // Simulate what gather() does internally
        let g1 = agent.generation.fetch_add(1, Ordering::Relaxed);
        assert_eq!(g1, 0);
        assert_eq!(agent.generation(), 1);
        let g2 = agent.generation.fetch_add(1, Ordering::Relaxed);
        assert_eq!(g2, 1);
        assert_eq!(agent.generation(), 2);
    }
    #[test]
    fn apply_peer_update_parses_all_fields() {
        let agent = IceAgent::new("test-call".into(), IceAgentConfig::default());
        let update = SignalMessage::CandidateUpdate {
            call_id: "test-call".into(),
            reflexive_addr: Some("203.0.113.5:4433".into()),
            local_addrs: vec![
                "192.168.1.10:4433".into(),
                "10.0.0.5:4433".into(),
            ],
            mapped_addr: Some("198.51.100.42:12345".into()),
            generation: 1,
        };
        let candidates = agent.apply_peer_update(&update).unwrap();
        assert_eq!(
            candidates.reflexive,
            Some("203.0.113.5:4433".parse().unwrap())
        );
        assert_eq!(candidates.local.len(), 2);
        assert_eq!(
            candidates.local[0],
            "192.168.1.10:4433".parse::<SocketAddr>().unwrap()
        );
        assert_eq!(
            candidates.mapped,
            Some("198.51.100.42:12345".parse().unwrap())
        );
    }
    #[test]
    fn apply_peer_update_handles_empty_fields() {
        let agent = IceAgent::new("test".into(), IceAgentConfig::default());
        let update = SignalMessage::CandidateUpdate {
            call_id: "test".into(),
            reflexive_addr: None,
            local_addrs: vec![],
            mapped_addr: None,
            generation: 1,
        };
        let candidates = agent.apply_peer_update(&update).unwrap();
        assert!(candidates.reflexive.is_none());
        assert!(candidates.local.is_empty());
        assert!(candidates.mapped.is_none());
    }
    #[test]
    fn apply_peer_update_skips_unparseable_addrs() {
        let agent = IceAgent::new("test".into(), IceAgentConfig::default());
        let update = SignalMessage::CandidateUpdate {
            call_id: "test".into(),
            reflexive_addr: Some("not-an-addr".into()),
            local_addrs: vec![
                "192.168.1.10:4433".into(),
                "garbage".into(),
                "10.0.0.5:4433".into(),
            ],
            mapped_addr: Some("also-bad".into()),
            generation: 1,
        };
        let candidates = agent.apply_peer_update(&update).unwrap();
        assert!(candidates.reflexive.is_none()); // unparseable
        assert_eq!(candidates.local.len(), 2); // garbage filtered
        assert!(candidates.mapped.is_none()); // unparseable
    }
    #[test]
    fn default_config_values() {
        let cfg = IceAgentConfig::default();
        assert!(cfg.enable_portmap);
        assert!(cfg.gather_timeout.as_secs() > 0);
        assert!(!cfg.stun_config.servers.is_empty());
        assert_eq!(cfg.local_v4_port, 0);
        assert!(cfg.local_v6_port.is_none());
    }
    #[tokio::test]
    async fn gather_returns_candidates_even_with_no_stun() {
        // With default config (port 0 = no portmap, STUN will timeout
        // quickly on loopback), gather should still return host candidates.
        let agent = IceAgent::new("test".into(), IceAgentConfig {
            stun_config: stun::StunConfig {
                servers: vec![], // no servers = quick failure
                timeout: Duration::from_millis(100),
            },
            enable_portmap: false,
            gather_timeout: Duration::from_millis(200),
            local_v4_port: 12345,
            local_v6_port: None,
        });
        let candidates = agent.gather().await;
        assert_eq!(candidates.generation, 0);
        // Reflexive should be None (no STUN servers)
        assert!(candidates.reflexive.is_none());
        // Mapped should be None (portmap disabled)
        assert!(candidates.mapped.is_none());
        // Local candidates depend on the machine's interfaces
        // but gather() should not panic.
    }
    #[tokio::test]
    async fn re_gather_produces_signal_message() {
        let agent = IceAgent::new("call-42".into(), IceAgentConfig {
            stun_config: stun::StunConfig {
                servers: vec![],
                timeout: Duration::from_millis(50),
            },
            enable_portmap: false,
            gather_timeout: Duration::from_millis(100),
            local_v4_port: 4433,
            local_v6_port: None,
        });
        let (candidates, signal) = agent.re_gather().await;
        assert_eq!(candidates.generation, 0);
        match signal {
            SignalMessage::CandidateUpdate {
                call_id,
                generation,
                ..
            } => {
                assert_eq!(call_id, "call-42");
                assert_eq!(generation, 0);
            }
            _ => panic!("expected CandidateUpdate"),
        }
        // Second re_gather increments generation
        let (candidates2, signal2) = agent.re_gather().await;
        assert_eq!(candidates2.generation, 1);
        match signal2 {
            SignalMessage::CandidateUpdate { generation, .. } => {
                assert_eq!(generation, 1);
            }
            _ => panic!("expected CandidateUpdate"),
        }
    }
 }
--- a/crates/wzp-client/src/lib.rs
+++ b/crates/wzp-client/src/lib.rs
@@ -34,7 +34,13 @@ pub mod featherchat;
 pub mod handshake;
 pub mod dual_path;
 pub mod metrics;
 pub mod birthday;
 pub mod ice_agent;
 pub mod netcheck;
 pub mod portmap;
 pub mod reflect;
 pub mod relay_map;
 pub mod stun;
 pub mod sweep;
 // AudioPlayback: three possible backends depending on feature flags.
--- a/crates/wzp-client/src/netcheck.rs
+++ b/crates/wzp-client/src/netcheck.rs
@@ -0,0 +1,524 @@
 //! Phase 8 (Tailscale-inspired): Comprehensive network diagnostic.
 //!
 //! Probes STUN servers, relay infrastructure, port mapping
 //! capabilities, IPv6 reachability, and NAT hairpinning in parallel
 //! to produce a `NetcheckReport` that captures the client's network
 //! environment at a point in time.
 //!
 //! Used for:
 //! - Troubleshooting connectivity issues
 //! - Automatic relay selection (Phase 5)
 //! - Pre-call NAT assessment
 //! - Quality prediction
 use std::net::SocketAddr;
 use std::time::{Duration, Instant};
 use serde::Serialize;
 use crate::portmap::{self, PortMapProtocol};
 use crate::reflect::{self, NatType};
 use crate::stun::{self, StunConfig};
 /// Complete network diagnostic report.
 #[derive(Debug, Clone, Serialize)]
 pub struct NetcheckReport {
    /// NAT type classification (from combined STUN + relay probes).
    pub nat_type: NatType,
    /// Server-reflexive address (consensus from probes).
    pub reflexive_addr: Option<String>,
    /// Whether IPv4 connectivity is available.
    pub ipv4_reachable: bool,
    /// Whether IPv6 connectivity is available.
    pub ipv6_reachable: bool,
    /// Whether the NAT supports hairpinning (loopback to own
    /// reflexive address).
    pub hairpin_works: Option<bool>,
    /// Which port mapping protocol is available (if any).
    pub port_mapping: Option<PortMapProtocol>,
    /// Per-relay latency measurements.
    pub relay_latencies: Vec<RelayLatency>,
    /// Preferred relay (lowest latency).
    pub preferred_relay: Option<String>,
    /// STUN latency to first responding server (ms).
    pub stun_latency_ms: Option<u32>,
    /// Whether UPnP is available on the gateway.
    pub upnp_available: bool,
    /// Whether PCP is available on the gateway.
    pub pcp_available: bool,
    /// Whether NAT-PMP is available on the gateway.
    pub nat_pmp_available: bool,
    /// Default gateway address.
    pub gateway: Option<String>,
    /// Total time taken for the diagnostic (ms).
    pub duration_ms: u32,
    /// Individual STUN probe results.
    pub stun_probes: Vec<reflect::NatProbeResult>,
    /// NAT port allocation pattern (sequential vs random).
    pub port_allocation: Option<stun::PortAllocation>,
 }
 /// Latency to a specific relay.
 #[derive(Debug, Clone, Serialize)]
 pub struct RelayLatency {
    pub name: String,
    pub addr: String,
    pub rtt_ms: Option<u32>,
    pub error: Option<String>,
 }
 /// Configuration for the netcheck run.
 #[derive(Debug, Clone)]
 pub struct NetcheckConfig {
    /// STUN servers to probe.
    pub stun_config: StunConfig,
    /// Relay servers to probe (name, address pairs).
    pub relays: Vec<(String, SocketAddr)>,
    /// Per-probe timeout.
    pub timeout: Duration,
    /// Whether to test port mapping.
    pub test_portmap: bool,
    /// Whether to test IPv6.
    pub test_ipv6: bool,
    /// Local port for port mapping test (0 = skip).
    pub local_port: u16,
 }
 impl Default for NetcheckConfig {
    fn default() -> Self {
        Self {
            stun_config: StunConfig::default(),
            relays: Vec::new(),
            timeout: Duration::from_secs(5),
            test_portmap: true,
            test_ipv6: true,
            local_port: 0,
        }
    }
 }
 /// Run a comprehensive network diagnostic.
 ///
 /// Probes run in parallel for speed — the total time is bounded
 /// by the slowest individual probe, not the sum.
 pub async fn run_netcheck(config: &NetcheckConfig) -> NetcheckReport {
    let start = Instant::now();
    // Run all probes in parallel.
    let stun_fut = stun::probe_stun_servers(&config.stun_config);
    let relay_fut = probe_relays(&config.relays, config.timeout);
    let portmap_fut = probe_portmap(config.test_portmap, config.local_port);
    let gateway_fut = portmap::default_gateway();
    let ipv6_fut = test_ipv6(config.test_ipv6, config.timeout);
    let port_alloc_fut = stun::detect_port_allocation(&config.stun_config);
    let (stun_probes, relay_latencies, portmap_result, gateway_result, ipv6_reachable, port_alloc_result) =
        tokio::join!(stun_fut, relay_fut, portmap_fut, gateway_result_fut(gateway_fut), ipv6_fut, port_alloc_fut);
    // Classify NAT from STUN probes.
    let (nat_type, consensus_addr) = reflect::classify_nat(&stun_probes);
    // Determine STUN latency (first successful probe).
    let stun_latency_ms = stun_probes
        .iter()
        .filter_map(|p| p.latency_ms)
        .min();
    // IPv4 reachable if any STUN probe succeeded.
    let ipv4_reachable = stun_probes
        .iter()
        .any(|p| p.observed_addr.is_some());
    // Preferred relay = lowest RTT.
    let preferred_relay = relay_latencies
        .iter()
        .filter_map(|r| r.rtt_ms.map(|rtt| (r.name.clone(), rtt)))
        .min_by_key(|(_, rtt)| *rtt)
        .map(|(name, _)| name);
    // Port mapping availability.
    let (port_mapping, nat_pmp_available, pcp_available, upnp_available) = match portmap_result {
        Some(mapping) => {
            let proto = mapping.protocol;
            (
                Some(proto),
                proto == PortMapProtocol::NatPmp,
                proto == PortMapProtocol::Pcp,
                proto == PortMapProtocol::UPnP,
            )
        }
        None => (None, false, false, false),
    };
    let gateway = match gateway_result {
        Ok(gw) => Some(gw.to_string()),
        Err(_) => None,
    };
    NetcheckReport {
        nat_type,
        reflexive_addr: consensus_addr,
        ipv4_reachable,
        ipv6_reachable,
        hairpin_works: None, // TODO: implement hairpin test
        port_mapping,
        relay_latencies,
        preferred_relay,
        stun_latency_ms,
        upnp_available,
        pcp_available,
        nat_pmp_available,
        gateway,
        duration_ms: start.elapsed().as_millis() as u32,
        stun_probes,
        port_allocation: Some(port_alloc_result.allocation),
    }
 }
 /// Probe relay latencies via reflect.
 async fn probe_relays(
    relays: &[(String, SocketAddr)],
    timeout: Duration,
 ) -> Vec<RelayLatency> {
    if relays.is_empty() {
        return Vec::new();
    }
    let timeout_ms = timeout.as_millis() as u64;
    let mut set = tokio::task::JoinSet::new();
    for (name, addr) in relays {
        let name = name.clone();
        let addr = *addr;
        set.spawn(async move {
            let start = Instant::now();
            match reflect::probe_reflect_addr(addr, timeout_ms, None).await {
                Ok((_observed, _latency)) => RelayLatency {
                    name,
                    addr: addr.to_string(),
                    rtt_ms: Some(start.elapsed().as_millis() as u32),
                    error: None,
                },
                Err(e) => RelayLatency {
                    name,
                    addr: addr.to_string(),
                    rtt_ms: None,
                    error: Some(e),
                },
            }
        });
    }
    let mut results = Vec::with_capacity(relays.len());
    while let Some(join_result) = set.join_next().await {
        match join_result {
            Ok(r) => results.push(r),
            Err(_) => {}
        }
    }
    // Sort by RTT (lowest first).
    results.sort_by_key(|r| r.rtt_ms.unwrap_or(u32::MAX));
    results
 }
 /// Attempt port mapping and return the mapping if successful.
 async fn probe_portmap(
    enabled: bool,
    local_port: u16,
 ) -> Option<portmap::PortMapping> {
    if !enabled || local_port == 0 {
        return None;
    }
    portmap::acquire_port_mapping(local_port, None).await.ok()
 }
 /// Wrap the gateway future to handle the Result.
 async fn gateway_result_fut(
    fut: impl std::future::Future<Output = Result<std::net::Ipv4Addr, portmap::PortMapError>>,
 ) -> Result<std::net::Ipv4Addr, portmap::PortMapError> {
    fut.await
 }
 /// Test IPv6 connectivity by attempting to bind and send on an IPv6 socket.
 async fn test_ipv6(enabled: bool, timeout: Duration) -> bool {
    if !enabled {
        return false;
    }
    // Try to resolve and connect to an IPv6 STUN server.
    let result = tokio::time::timeout(timeout, async {
        let sock = tokio::net::UdpSocket::bind("[::]:0").await.ok()?;
        // Try Google's IPv6 STUN — if DNS resolves to an AAAA record
        // and we can send a packet, IPv6 is working.
        let addr = stun::resolve_stun_server("stun.l.google.com:19302").await.ok()?;
        if addr.is_ipv6() {
            sock.send_to(&[0u8; 1], addr).await.ok()?;
            Some(true)
        } else {
            // Server resolved to IPv4 — try binding to [::] at least
            Some(false)
        }
    })
    .await;
    match result {
        Ok(Some(true)) => true,
        _ => {
            // Fallback: can we at least bind an IPv6 socket?
            tokio::net::UdpSocket::bind("[::]:0").await.is_ok()
        }
    }
 }
 /// Format a netcheck report as a human-readable string.
 pub fn format_report(report: &NetcheckReport) -> String {
    let mut out = String::new();
    out.push_str(&format!("=== WarzonePhone Netcheck ===\n\n"));
    out.push_str(&format!(
        "NAT Type:       {:?}\n",
        report.nat_type
    ));
    out.push_str(&format!(
        "Reflexive Addr: {}\n",
        report.reflexive_addr.as_deref().unwrap_or("(unknown)")
    ));
    out.push_str(&format!(
        "IPv4:           {}\n",
        if report.ipv4_reachable { "yes" } else { "no" }
    ));
    out.push_str(&format!(
        "IPv6:           {}\n",
        if report.ipv6_reachable { "yes" } else { "no" }
    ));
    out.push_str(&format!(
        "Gateway:        {}\n",
        report.gateway.as_deref().unwrap_or("(unknown)")
    ));
    if let Some(ref alloc) = report.port_allocation {
        out.push_str(&format!(
            "Port Alloc:     {alloc}\n"
        ));
    }
    out.push_str(&format!("\n--- Port Mapping ---\n"));
    out.push_str(&format!(
        "NAT-PMP: {}  PCP: {}  UPnP: {}\n",
        if report.nat_pmp_available { "yes" } else { "no" },
        if report.pcp_available { "yes" } else { "no" },
        if report.upnp_available { "yes" } else { "no" },
    ));
    if let Some(proto) = &report.port_mapping {
        out.push_str(&format!("Active mapping: {:?}\n", proto));
    }
    if !report.stun_probes.is_empty() {
        out.push_str(&format!("\n--- STUN Probes ---\n"));
        for p in &report.stun_probes {
            out.push_str(&format!(
                "  {} → {} ({}ms){}\n",
                p.relay_name,
                p.observed_addr.as_deref().unwrap_or("failed"),
                p.latency_ms.map(|ms| ms.to_string()).unwrap_or_else(|| "-".into()),
                p.error.as_ref().map(|e| format!(" [{e}]")).unwrap_or_default(),
            ));
        }
    }
    if !report.relay_latencies.is_empty() {
        out.push_str(&format!("\n--- Relay Latencies ---\n"));
        for r in &report.relay_latencies {
            out.push_str(&format!(
                "  {} ({}) → {}ms{}\n",
                r.name,
                r.addr,
                r.rtt_ms.map(|ms| ms.to_string()).unwrap_or_else(|| "-".into()),
                r.error.as_ref().map(|e| format!(" [{e}]")).unwrap_or_default(),
            ));
        }
        if let Some(ref pref) = report.preferred_relay {
            out.push_str(&format!("  Preferred: {pref}\n"));
        }
    }
    out.push_str(&format!("\nCompleted in {}ms\n", report.duration_ms));
    out
 }
 // ── Tests ──────────────────────────────────────────────────────────
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn default_config_has_stun_servers() {
        let config = NetcheckConfig::default();
        assert!(!config.stun_config.servers.is_empty());
    }
    #[test]
    fn format_report_produces_output() {
        let report = NetcheckReport {
            nat_type: NatType::Cone,
            reflexive_addr: Some("203.0.113.5:4433".into()),
            ipv4_reachable: true,
            ipv6_reachable: false,
            hairpin_works: None,
            port_mapping: None,
            relay_latencies: vec![RelayLatency {
                name: "relay-1".into(),
                addr: "10.0.0.1:4433".into(),
                rtt_ms: Some(25),
                error: None,
            }],
            preferred_relay: Some("relay-1".into()),
            stun_latency_ms: Some(15),
            upnp_available: false,
            pcp_available: false,
            nat_pmp_available: false,
            gateway: Some("192.168.1.1".into()),
            duration_ms: 1500,
            stun_probes: vec![],
            port_allocation: None,
        };
        let text = format_report(&report);
        assert!(text.contains("Cone"));
        assert!(text.contains("203.0.113.5:4433"));
        assert!(text.contains("relay-1"));
        assert!(text.contains("1500ms"));
    }
    #[test]
    fn report_serializes_to_json() {
        let report = NetcheckReport {
            nat_type: NatType::Cone,
            reflexive_addr: Some("203.0.113.5:4433".into()),
            ipv4_reachable: true,
            ipv6_reachable: false,
            hairpin_works: None,
            port_mapping: Some(PortMapProtocol::NatPmp),
            relay_latencies: vec![],
            preferred_relay: None,
            stun_latency_ms: Some(25),
            upnp_available: false,
            pcp_available: false,
            nat_pmp_available: true,
            gateway: Some("192.168.1.1".into()),
            duration_ms: 500,
            stun_probes: vec![],
            port_allocation: Some(stun::PortAllocation::Sequential { delta: 1 }),
        };
        let json = serde_json::to_string(&report).unwrap();
        assert!(json.contains("Cone"));
        assert!(json.contains("203.0.113.5:4433"));
        assert!(json.contains("NatPmp"));
        // Roundtrip
        let decoded: serde_json::Value = serde_json::from_str(&json).unwrap();
        assert_eq!(decoded["ipv4_reachable"], true);
        assert_eq!(decoded["ipv6_reachable"], false);
        assert_eq!(decoded["stun_latency_ms"], 25);
    }
    #[test]
    fn relay_latency_serializes() {
        let lat = RelayLatency {
            name: "eu-west".into(),
            addr: "10.0.0.1:4433".into(),
            rtt_ms: Some(42),
            error: None,
        };
        let json = serde_json::to_string(&lat).unwrap();
        assert!(json.contains("eu-west"));
        assert!(json.contains("42"));
    }
    #[test]
    fn format_report_empty_relays() {
        let report = NetcheckReport {
            nat_type: NatType::Unknown,
            reflexive_addr: None,
            ipv4_reachable: false,
            ipv6_reachable: false,
            hairpin_works: None,
            port_mapping: None,
            relay_latencies: vec![],
            preferred_relay: None,
            stun_latency_ms: None,
            upnp_available: false,
            pcp_available: false,
            nat_pmp_available: false,
            gateway: None,
            duration_ms: 100,
            stun_probes: vec![],
            port_allocation: None,
        };
        let text = format_report(&report);
        assert!(text.contains("Unknown"));
        assert!(text.contains("(unknown)")); // reflexive addr
        assert!(text.contains("100ms"));
    }
    #[test]
    fn format_report_with_stun_probes() {
        let report = NetcheckReport {
            nat_type: NatType::SymmetricPort,
            reflexive_addr: None,
            ipv4_reachable: true,
            ipv6_reachable: true,
            hairpin_works: Some(false),
            port_mapping: Some(PortMapProtocol::UPnP),
            relay_latencies: vec![
                RelayLatency {
                    name: "us-east".into(),
                    addr: "10.0.0.1:4433".into(),
                    rtt_ms: Some(15),
                    error: None,
                },
                RelayLatency {
                    name: "eu-west".into(),
                    addr: "10.0.0.2:4433".into(),
                    rtt_ms: None,
                    error: Some("timeout".into()),
                },
            ],
            preferred_relay: Some("us-east".into()),
            stun_latency_ms: Some(20),
            upnp_available: true,
            pcp_available: false,
            nat_pmp_available: false,
            gateway: Some("192.168.0.1".into()),
            duration_ms: 3000,
            stun_probes: vec![reflect::NatProbeResult {
                relay_name: "stun:google".into(),
                relay_addr: "74.125.250.129:19302".into(),
                observed_addr: Some("203.0.113.5:12345".into()),
                latency_ms: Some(20),
                error: None,
            }],
            port_allocation: Some(stun::PortAllocation::Random),
        };
        let text = format_report(&report);
        assert!(text.contains("SymmetricPort"));
        assert!(text.contains("us-east"));
        assert!(text.contains("eu-west"));
        assert!(text.contains("Preferred: us-east"));
        assert!(text.contains("UPnP: yes"));
        assert!(text.contains("stun:google"));
        assert!(text.contains("3000ms"));
    }
    /// Integration test: run actual netcheck (requires network).
    #[tokio::test]
    #[ignore]
    async fn integration_netcheck() {
        let config = NetcheckConfig::default();
        let report = run_netcheck(&config).await;
        println!("{}", format_report(&report));
        assert!(report.duration_ms > 0);
    }
 }
--- a/crates/wzp-client/src/portmap.rs
+++ b/crates/wzp-client/src/portmap.rs
--- a/crates/wzp-client/src/reflect.rs
+++ b/crates/wzp-client/src/reflect.rs
@@ -67,22 +67,45 @@ pub enum NatType {
    Unknown,
 }
-/// Probe a single relay with a throwaway QUIC connection.
+/// Probe a single relay with a QUIC connection.
 ///
-/// Each call creates a fresh `quinn::Endpoint` so the OS hands out a
+/// # Endpoint reuse (Phase 5 — Nebula-style architecture)
-/// fresh ephemeral source port — essential for NAT-type detection
+///
-/// because a shared socket would produce the same mapping against
+/// If `existing_endpoint` is `Some`, the probe uses that socket
-/// every relay and mask symmetric NAT.
+/// instead of creating a fresh one. This is the desired mode in
 /// production: a port-preserving NAT (MikroTik masquerade, most
 /// consumer routers) gives a **stable** external port for the
 /// one socket, so the reflex addr observed by ANY relay is the
 /// SAME addr and matches what a peer would see on a direct dial.
 /// Pass the signal endpoint here.
 ///
 /// If `None`, creates a fresh one-shot endpoint. Kept for:
 /// - tests that spin up isolated probes
 /// - the "I'm not registered yet" case where there's no signal
 ///   endpoint to reuse
 ///
 /// NOTE on NAT-type detection: the pre-Phase-5 behavior of
 /// forcing a fresh endpoint per probe was wrong — it made every
 /// port-preserving NAT look symmetric because the classifier saw
 /// a different external port for each fresh source port. With
 /// one shared socket, the classifier reflects the REAL NAT
 /// behavior.
 pub async fn probe_reflect_addr(
    relay: SocketAddr,
    timeout_ms: u64,
    existing_endpoint: Option<wzp_transport::Endpoint>,
 ) -> Result<(SocketAddr, u32), String> {
    // Install rustls provider idempotently — a second install on the
    // same thread is a no-op.
    let _ = rustls::crypto::ring::default_provider().install_default();
-    let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
+    let endpoint = match existing_endpoint {
-    let endpoint = create_endpoint(bind, None).map_err(|e| format!("endpoint: {e}"))?;
+        Some(ep) => ep,
        None => {
            let bind: SocketAddr = "0.0.0.0:0".parse().unwrap();
            create_endpoint(bind, None).map_err(|e| format!("endpoint: {e}"))?
        }
    };
    let start = Instant::now();
    let probe = async {
@@ -153,9 +176,10 @@ pub async fn probe_reflect_addr(
        .await
        .map_err(|_| format!("probe timeout ({timeout_ms}ms)"))??;
-    // Drop the endpoint explicitly AFTER the probe finishes so the
+    // `endpoint` is a quinn::Endpoint clone — an Arc under the
-    // UDP socket is released before we return.
+    // hood. Letting it drop at end-of-scope is correct whether it
-    drop(endpoint);
+    // was fresh (last ref → socket closes) or shared (ref count
    // decrements, socket stays alive for the signal loop).
    Ok(out)
 }
@@ -163,17 +187,32 @@ pub async fn probe_reflect_addr(
 /// classifying the returned addresses. Never errors — failing
 /// probes surface via `NatProbeResult.error`; aggregate is always
 /// returned.
 ///
 /// # Endpoint reuse (Phase 5)
 ///
 /// If `shared_endpoint` is `Some`, every probe reuses it. This is
 /// the PRODUCTION behavior: all probes source from the same UDP
 /// port, so port-preserving NATs map them to the same external
 /// port, and the classifier reflects the real NAT type. Pass the
 /// signal endpoint.
 ///
 /// If `None`, each probe creates its own fresh endpoint — useful
 /// in tests that don't have a signal endpoint, but produces
 /// spurious `SymmetricPort` classifications against NATs that
 /// would otherwise look cone-like.
 pub async fn detect_nat_type(
    relays: Vec<(String, SocketAddr)>,
    timeout_ms: u64,
    shared_endpoint: Option<wzp_transport::Endpoint>,
 ) -> NatDetection {
    // Parallel probes via tokio::task::JoinSet so the wall-clock is
    // bounded by the slowest probe, not the sum. JoinSet keeps the
    // dep surface at just tokio — we already depend on it.
    let mut set = tokio::task::JoinSet::new();
    for (name, addr) in relays {
        let ep = shared_endpoint.clone();
        set.spawn(async move {
-            let result = probe_reflect_addr(addr, timeout_ms).await;
+            let result = probe_reflect_addr(addr, timeout_ms, ep).await;
            (name, addr, result)
        });
    }
@@ -223,6 +262,90 @@ pub async fn detect_nat_type(
    }
 }
 /// Enumerate LAN-local host candidates this client is reachable
 /// on, paired with the given port (typically the signal
 /// endpoint's bound port so that incoming dials land on the same
 /// socket the advertised reflex addr points to).
 ///
 /// Gathers BOTH IPv4 and IPv6 candidates:
 ///
 /// - **IPv4**: RFC1918 private ranges (10/8, 172.16/12, 192.168/16)
 ///   and CGNAT shared-transition (100.64/10). Public IPv4 is
 ///   skipped because the reflex-addr path already covers it.
 ///   Loopback and link-local (169.254/16) are skipped.
 ///
 /// - **IPv6**: ALL global-unicast addresses (2000::/3 — the real
 ///   routable IPv6 space) AND unique-local (fc00::/7). These
 ///   are directly dialable from a peer on the same LAN, and on
 ///   true dual-stack LANs (which most consumer ISPs now provide,
 ///   including Starlink) IPv6 often gives a direct path even
 ///   when IPv4 can't hairpin. Loopback (::1), unspecified (::),
 ///   and link-local (fe80::/10) are skipped — link-local would
 ///   require a scope ID to be useful and is basically never
 ///   reachable across interface boundaries.
 ///
 /// The port must come from the caller — typically
 /// `signal_endpoint.local_addr()?.port()`, so that the peer's
 /// dials to these addresses land on the same socket that's
 /// already listening (Phase 5 shared-endpoint architecture).
 ///
 /// Safe to call from any thread; no I/O, no async. The `if-addrs`
 /// crate reads the kernel's interface table via a single
 /// getifaddrs(3) syscall.
 pub fn local_host_candidates(v4_port: u16, v6_port: Option<u16>) -> Vec<SocketAddr> {
    let Ok(ifaces) = if_addrs::get_if_addrs() else {
        return Vec::new();
    };
    let mut out = Vec::new();
    for iface in ifaces {
        if iface.is_loopback() {
            continue;
        }
        match iface.ip() {
            std::net::IpAddr::V4(v4) => {
                if v4.is_link_local() {
                    continue;
                }
                // Keep RFC1918 private ranges and CGNAT — those
                // are the LAN-dialable addrs we actually want.
                // Skip public v4 because the reflex addr already
                // covers that path.
                if v4.is_private() {
                    out.push(SocketAddr::new(std::net::IpAddr::V4(v4), v4_port));
                } else if v4.octets()[0] == 100 && (v4.octets()[1] & 0xc0) == 0x40 {
                    // 100.64/10 CGNAT — rare but valid if two
                    // phones are on the same CGNAT-hairpinned
                    // carrier LAN (some hotspot setups).
                    out.push(SocketAddr::new(std::net::IpAddr::V4(v4), v4_port));
                }
            }
            std::net::IpAddr::V6(v6) => {
                // Phase 7: IPv6 host candidates via dedicated
                // IPv6 socket. When v6_port is None, no IPv6
                // endpoint exists — skip silently.
                let Some(port) = v6_port else { continue };
                if v6.is_loopback() || v6.is_unspecified() {
                    continue;
                }
                // fe80::/10 link-local — needs scope ID, not
                // routable across interfaces.
                if (v6.segments()[0] & 0xffc0) == 0xfe80 {
                    continue;
                }
                // Accept global unicast (2000::/3) and
                // unique-local (fc00::/7).
                let first_seg = v6.segments()[0];
                let is_global = (first_seg & 0xe000) == 0x2000;
                let is_ula = (first_seg & 0xfe00) == 0xfc00;
                if is_global || is_ula {
                    out.push(SocketAddr::new(std::net::IpAddr::V6(v6), port));
                }
            }
        }
    }
    out
 }
 /// Role assignment for the Phase 3.5 dual-path QUIC race.
 ///
 /// Both peers already know two strings at CallSetup time: their
@@ -275,14 +398,63 @@ pub fn determine_role(
    }
 }
 /// Returns `true` if the address is in an RFC1918 / link-local /
 /// loopback range and therefore cannot possibly be a post-NAT
 /// reflex address from the public internet's point of view.
 ///
 /// A probe against a relay ON THE SAME LAN as the client will
 /// naturally report the client's LAN IP back (because there's no
 /// NAT between them) — that observation is real but says nothing
 /// about the client's public-internet-facing NAT state. Mixing
 /// LAN reflex addrs with public-internet reflex addrs in
 /// `classify_nat` would always report `Multiple` (different IPs)
 /// and falsely warn about symmetric NAT. Filter them out before
 /// classifying.
 fn is_private_or_loopback(addr: &SocketAddr) -> bool {
    match addr.ip() {
        std::net::IpAddr::V4(v4) => {
            let o = v4.octets();
            v4.is_loopback()
                || v4.is_private() // 10/8, 172.16/12, 192.168/16
                || v4.is_link_local() // 169.254/16
                || (o[0] == 100 && (o[1] & 0xc0) == 0x40) // 100.64/10 CGNAT shared
        }
        std::net::IpAddr::V6(v6) => {
            v6.is_loopback() || v6.is_unspecified() || (v6.segments()[0] & 0xffc0) == 0xfe80 // fe80::/10 link-local
        }
    }
 }
 /// Pure-function NAT classifier — split out for unit testing
 /// without touching the network.
 ///
 /// Only considers probes whose reflex addr is a **public-internet**
 /// address. LAN / private / loopback reflex addrs are dropped
 /// because they reflect the same-network path rather than the
 /// real NAT state. CGNAT (100.64/10) is also treated as private
 /// because the post-CGNAT address would be what we actually want
 /// to classify on — but CGNAT is unreachable from outside the
 /// carrier, so a relay seeing the CGNAT addr is on the same
 /// carrier network and again not useful for classification.
 pub fn classify_nat(probes: &[NatProbeResult]) -> (NatType, Option<String>) {
-    let successes: Vec<SocketAddr> = probes
+    // First: parse every successful probe's observed addr.
    let parsed: Vec<SocketAddr> = probes
        .iter()
        .filter_map(|p| p.observed_addr.as_deref().and_then(|s| s.parse().ok()))
        .collect();
    // Then: drop LAN / private / loopback reflex addrs. Those are
    // legitimate observations by same-network relays, but they
    // don't contribute to NAT-type classification because the
    // client's real public-facing NAT mapping is not involved on
    // that path. A relay on the same LAN always sees the client's
    // LAN IP, regardless of whether the NAT beyond it is cone or
    // symmetric.
    let successes: Vec<SocketAddr> = parsed
        .into_iter()
        .filter(|a| !is_private_or_loopback(a))
        .collect();
    if successes.len() < 2 {
        return (NatType::Unknown, None);
    }
@@ -301,6 +473,40 @@ pub fn classify_nat(probes: &[NatProbeResult]) -> (NatType, Option<String>) {
    }
 }
 /// Enhanced NAT detection that combines relay-based reflection with
 /// public STUN server probes for more robust classification.
 ///
 /// Runs both probe sets concurrently:
 /// 1. Relay probes via `detect_nat_type` (existing behavior)
 /// 2. Public STUN probes via `probe_stun_servers`
 ///
 /// Merges all results and classifies. More probes = higher confidence
 /// in the NAT type classification. Falls back gracefully: if STUN
 /// servers are unreachable, relay probes still work (and vice versa).
 pub async fn detect_nat_type_with_stun(
    relays: Vec<(String, SocketAddr)>,
    timeout_ms: u64,
    shared_endpoint: Option<wzp_transport::Endpoint>,
    stun_config: &crate::stun::StunConfig,
 ) -> NatDetection {
    // Run relay probes and STUN probes concurrently.
    let relay_fut = detect_nat_type(relays, timeout_ms, shared_endpoint);
    let stun_fut = crate::stun::probe_stun_servers(stun_config);
    let (relay_detection, stun_probes) = tokio::join!(relay_fut, stun_fut);
    // Merge all probes and re-classify.
    let mut all_probes = relay_detection.probes;
    all_probes.extend(stun_probes);
    let (nat_type, consensus_addr) = classify_nat(&all_probes);
    NatDetection {
        probes: all_probes,
        nat_type,
        consensus_addr,
    }
 }
 // ── Unit tests for the pure classifier ───────────────────────────
 #[cfg(test)]
@@ -365,6 +571,66 @@ mod tests {
        assert!(addr.is_none());
    }
    #[test]
    fn classify_drops_private_ip_probes() {
        // One LAN probe + one public probe should behave like a
        // single public probe — i.e. Unknown (not enough data to
        // classify). This is the common real-world case: the user
        // has a LAN relay + an internet relay configured, the LAN
        // relay sees the LAN IP, the internet relay sees the WAN
        // IP, and the old classifier would flag "Multiple" and
        // falsely warn about symmetric NAT.
        let probes = vec![
            mk(Some("192.168.1.100:4433")), // LAN — must be dropped
            mk(Some("203.0.113.5:4433")),   // public (TEST-NET-3)
        ];
        let (nt, _) = classify_nat(&probes);
        assert_eq!(nt, NatType::Unknown);
    }
    #[test]
    fn classify_drops_loopback_probes() {
        let probes = vec![
            mk(Some("127.0.0.1:4433")),     // loopback — must be dropped
            mk(Some("203.0.113.5:4433")),   // public
            mk(Some("203.0.113.5:4433")),   // public, same addr
        ];
        let (nt, addr) = classify_nat(&probes);
        // Two public probes with identical addrs → Cone.
        assert_eq!(nt, NatType::Cone);
        assert_eq!(addr.as_deref(), Some("203.0.113.5:4433"));
    }
    #[test]
    fn classify_drops_cgnat_probes() {
        // 100.64.0.0/10 is the CGNAT shared-transition range.
        // Filter treats it like RFC1918 — a relay that sees the
        // client with a 100.64/10 addr is on the same CGNAT
        // network and can't contribute to public NAT classification.
        let probes = vec![
            mk(Some("100.64.0.42:4433")),   // CGNAT — dropped
            mk(Some("203.0.113.5:4433")),   // public
            mk(Some("203.0.113.5:12345")),  // public, different port
        ];
        let (nt, _) = classify_nat(&probes);
        // Two public probes same IP different port → SymmetricPort.
        assert_eq!(nt, NatType::SymmetricPort);
    }
    #[test]
    fn classify_two_lan_probes_is_unknown_not_cone() {
        // Even if both probes come back from LAN relays, we can't
        // say anything useful about the public NAT state. Unknown,
        // not Cone.
        let probes = vec![
            mk(Some("192.168.1.100:4433")),
            mk(Some("192.168.1.100:4433")),
        ];
        let (nt, addr) = classify_nat(&probes);
        assert_eq!(nt, NatType::Unknown);
        assert!(addr.is_none());
    }
    #[test]
    fn classify_mix_of_success_and_failure() {
        let probes = vec![
--- a/crates/wzp-client/src/relay_map.rs
+++ b/crates/wzp-client/src/relay_map.rs
@@ -0,0 +1,339 @@
 //! Phase 8 (Tailscale-inspired): Relay map for automatic relay
 //! selection based on latency.
 //!
 //! Maintains a sorted list of known relays with their measured
 //! latencies. Used during call setup to pick the lowest-latency
 //! relay, and by netcheck to report relay health.
 use std::net::SocketAddr;
 use std::time::{Duration, Instant};
 use serde::Serialize;
 /// A known relay endpoint with measured latency.
 #[derive(Debug, Clone, Serialize)]
 pub struct RelayEntry {
    /// Human-readable name (e.g., "us-east", "eu-west").
    pub name: String,
    /// Relay address.
    pub addr: SocketAddr,
    /// Geographic region (from RegisterPresenceAck).
    pub region: Option<String>,
    /// Last measured RTT (ms).
    pub rtt_ms: Option<u32>,
    /// When the RTT was last measured.
    #[serde(skip)]
    pub last_probed: Option<Instant>,
    /// Whether this relay is currently reachable.
    pub reachable: bool,
 }
 /// Sorted relay map. Entries are ordered by RTT (lowest first).
 #[derive(Debug, Clone, Default)]
 pub struct RelayMap {
    entries: Vec<RelayEntry>,
 }
 impl RelayMap {
    pub fn new() -> Self {
        Self {
            entries: Vec::new(),
        }
    }
    /// Add or update a relay entry.
    pub fn upsert(&mut self, name: &str, addr: SocketAddr, region: Option<String>) {
        if let Some(entry) = self.entries.iter_mut().find(|e| e.addr == addr) {
            entry.name = name.to_string();
            if region.is_some() {
                entry.region = region;
            }
        } else {
            self.entries.push(RelayEntry {
                name: name.to_string(),
                addr,
                region,
                rtt_ms: None,
                last_probed: None,
                reachable: false,
            });
        }
    }
    /// Update RTT measurement for a relay.
    pub fn update_rtt(&mut self, addr: SocketAddr, rtt_ms: u32) {
        if let Some(entry) = self.entries.iter_mut().find(|e| e.addr == addr) {
            entry.rtt_ms = Some(rtt_ms);
            entry.last_probed = Some(Instant::now());
            entry.reachable = true;
        }
        self.sort();
    }
    /// Mark a relay as unreachable.
    pub fn mark_unreachable(&mut self, addr: SocketAddr) {
        if let Some(entry) = self.entries.iter_mut().find(|e| e.addr == addr) {
            entry.reachable = false;
            entry.last_probed = Some(Instant::now());
        }
        self.sort();
    }
    /// Get the preferred (lowest-latency, reachable) relay.
    pub fn preferred(&self) -> Option<&RelayEntry> {
        self.entries
            .iter()
            .find(|e| e.reachable && e.rtt_ms.is_some())
    }
    /// Get all entries, sorted by RTT.
    pub fn entries(&self) -> &[RelayEntry] {
        &self.entries
    }
    /// Populate from a `RegisterPresenceAck.available_relays` list.
    /// Each entry is "name|addr" format.
    pub fn populate_from_ack(&mut self, relays: &[String], relay_region: Option<&str>) {
        for entry_str in relays {
            if let Some((name, addr_str)) = entry_str.split_once('|') {
                if let Ok(addr) = addr_str.parse::<SocketAddr>() {
                    self.upsert(name, addr, None);
                }
            }
        }
        // If the ack included a region for the current relay, we
        // could tag it — but we'd need to know which relay we're
        // connected to. Left for the caller to handle.
        let _ = relay_region;
    }
    /// Check if any entry has a stale probe (older than `max_age`).
    pub fn needs_reprobe(&self, max_age: Duration) -> bool {
        self.entries.iter().any(|e| {
            match e.last_probed {
                None => true,
                Some(t) => t.elapsed() > max_age,
            }
        })
    }
    /// Get entries that need reprobing.
    pub fn stale_entries(&self, max_age: Duration) -> Vec<(String, SocketAddr)> {
        self.entries
            .iter()
            .filter(|e| match e.last_probed {
                None => true,
                Some(t) => t.elapsed() > max_age,
            })
            .map(|e| (e.name.clone(), e.addr))
            .collect()
    }
    fn sort(&mut self) {
        self.entries.sort_by_key(|e| {
            if e.reachable {
                e.rtt_ms.unwrap_or(u32::MAX)
            } else {
                u32::MAX
            }
        });
    }
 }
 // ── Tests ──────────────────────────────────────────────────────────
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn preferred_returns_lowest_rtt() {
        let mut map = RelayMap::new();
        let a1: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        let a2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
        let a3: SocketAddr = "10.0.0.3:4433".parse().unwrap();
        map.upsert("slow", a1, None);
        map.upsert("fast", a2, None);
        map.upsert("mid", a3, None);
        map.update_rtt(a1, 200);
        map.update_rtt(a2, 15);
        map.update_rtt(a3, 80);
        let pref = map.preferred().unwrap();
        assert_eq!(pref.addr, a2);
        assert_eq!(pref.rtt_ms, Some(15));
    }
    #[test]
    fn unreachable_not_preferred() {
        let mut map = RelayMap::new();
        let a1: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        let a2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
        map.upsert("fast-dead", a1, None);
        map.upsert("slow-alive", a2, None);
        map.update_rtt(a1, 5);
        map.update_rtt(a2, 200);
        map.mark_unreachable(a1);
        let pref = map.preferred().unwrap();
        assert_eq!(pref.addr, a2);
    }
    #[test]
    fn populate_from_ack() {
        let mut map = RelayMap::new();
        map.populate_from_ack(
            &[
                "us-east|203.0.113.5:4433".into(),
                "eu-west|198.51.100.9:4433".into(),
            ],
            Some("us-east"),
        );
        assert_eq!(map.entries().len(), 2);
        assert_eq!(map.entries()[0].name, "us-east");
        assert_eq!(map.entries()[1].name, "eu-west");
    }
    #[test]
    fn upsert_updates_existing() {
        let mut map = RelayMap::new();
        let addr: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        map.upsert("old-name", addr, None);
        map.upsert("new-name", addr, Some("us-west".into()));
        assert_eq!(map.entries().len(), 1);
        assert_eq!(map.entries()[0].name, "new-name");
        assert_eq!(map.entries()[0].region, Some("us-west".into()));
    }
    #[test]
    fn upsert_preserves_region_when_none() {
        let mut map = RelayMap::new();
        let addr: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        map.upsert("relay", addr, Some("eu-west".into()));
        map.upsert("relay", addr, None); // region is None
        // Should keep the original region
        assert_eq!(map.entries()[0].region, Some("eu-west".into()));
    }
    #[test]
    fn preferred_returns_none_on_empty() {
        let map = RelayMap::new();
        assert!(map.preferred().is_none());
    }
    #[test]
    fn preferred_returns_none_when_all_unreachable() {
        let mut map = RelayMap::new();
        let addr: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        map.upsert("relay", addr, None);
        // Not update_rtt'd, so reachable=false
        assert!(map.preferred().is_none());
    }
    #[test]
    fn needs_reprobe_empty_is_false() {
        let map = RelayMap::new();
        // No entries → nothing to reprobe
        assert!(!map.needs_reprobe(Duration::from_secs(60)));
    }
    #[test]
    fn needs_reprobe_never_probed() {
        let mut map = RelayMap::new();
        map.upsert("relay", "10.0.0.1:4433".parse().unwrap(), None);
        assert!(map.needs_reprobe(Duration::from_secs(60)));
    }
    #[test]
    fn needs_reprobe_fresh_is_false() {
        let mut map = RelayMap::new();
        let addr: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        map.upsert("relay", addr, None);
        map.update_rtt(addr, 50);
        // Just probed, so 60s max_age should not trigger
        assert!(!map.needs_reprobe(Duration::from_secs(60)));
    }
    #[test]
    fn stale_entries_returns_unprobed() {
        let mut map = RelayMap::new();
        let a1: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        let a2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
        map.upsert("probed", a1, None);
        map.upsert("stale", a2, None);
        map.update_rtt(a1, 50);
        let stale = map.stale_entries(Duration::from_secs(60));
        assert_eq!(stale.len(), 1);
        assert_eq!(stale[0].1, a2);
    }
    #[test]
    fn sort_stability_with_equal_rtt() {
        let mut map = RelayMap::new();
        let a1: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        let a2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
        map.upsert("first", a1, None);
        map.upsert("second", a2, None);
        map.update_rtt(a1, 50);
        map.update_rtt(a2, 50);
        // Both have same RTT — sort should be stable (insertion order)
        assert_eq!(map.entries().len(), 2);
        // Both are valid preferred relays
        assert!(map.preferred().is_some());
    }
    #[test]
    fn populate_from_ack_skips_malformed() {
        let mut map = RelayMap::new();
        map.populate_from_ack(
            &[
                "good|10.0.0.1:4433".into(),
                "no-pipe-separator".into(),
                "bad-addr|not-a-socket-addr".into(),
                "also-good|10.0.0.2:4433".into(),
            ],
            None,
        );
        assert_eq!(map.entries().len(), 2);
    }
    #[test]
    fn mark_unreachable_sorts_to_end() {
        let mut map = RelayMap::new();
        let a1: SocketAddr = "10.0.0.1:4433".parse().unwrap();
        let a2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
        map.upsert("fast", a1, None);
        map.upsert("slow", a2, None);
        map.update_rtt(a1, 10);
        map.update_rtt(a2, 200);
        assert_eq!(map.preferred().unwrap().addr, a1);
        map.mark_unreachable(a1);
        assert_eq!(map.preferred().unwrap().addr, a2);
    }
    #[test]
    fn relay_entry_serializes() {
        let entry = RelayEntry {
            name: "test".into(),
            addr: "10.0.0.1:4433".parse().unwrap(),
            region: Some("us-east".into()),
            rtt_ms: Some(42),
            last_probed: Some(Instant::now()),
            reachable: true,
        };
        let json = serde_json::to_string(&entry).unwrap();
        assert!(json.contains("test"));
        assert!(json.contains("us-east"));
        assert!(json.contains("42"));
        // last_probed is #[serde(skip)]
        assert!(!json.contains("last_probed"));
    }
 }
--- a/crates/wzp-client/src/stun.rs
+++ b/crates/wzp-client/src/stun.rs
--- a/crates/wzp-client/tests/dual_path.rs
+++ b/crates/wzp-client/tests/dual_path.rs
@@ -19,7 +19,7 @@
 use std::net::{Ipv4Addr, SocketAddr};
 use std::time::Duration;
-use wzp_client::dual_path::{race, WinningPath};
+use wzp_client::dual_path::{race, PeerCandidates, WinningPath};
 use wzp_client::reflect::Role;
 use wzp_transport::{create_endpoint, server_config};
@@ -110,15 +110,23 @@ async fn dual_path_direct_wins_on_loopback() {
    // should win.
    let result = race(
        Role::Dialer,
-        acceptor_listen_addr,
+        PeerCandidates {
            reflexive: Some(acceptor_listen_addr),
            local: Vec::new(),
            mapped: None,
        },
        relay_addr,
        "test-room".into(),
        "call-test".into(),
        None, // own_reflexive: not needed in tests
        None, // Phase 5: tests use fresh endpoints (no shared signal)
        None, // Phase 7: no IPv6 endpoint in tests
    )
    .await
    .expect("race must succeed");
-    assert_eq!(result.1, WinningPath::Direct, "direct should win on loopback");
+    assert!(result.direct_transport.is_some(), "direct transport should be available");
    assert_eq!(result.local_winner, WinningPath::Direct, "direct should win on loopback");
    // Cancel the acceptor accept task so the test finishes.
    acceptor_accept_task.abort();
@@ -147,16 +155,24 @@ async fn dual_path_relay_wins_when_direct_is_dead() {
    let result = race(
        Role::Dialer,
-        dead_peer,
+        PeerCandidates {
            reflexive: Some(dead_peer),
            local: Vec::new(),
            mapped: None,
        },
        relay_addr,
        "test-room".into(),
        "call-test".into(),
        None, // own_reflexive: not needed in tests
        None, // Phase 5: tests use fresh endpoints (no shared signal)
        None, // Phase 7: no IPv6 endpoint in tests
    )
    .await
    .expect("race must succeed via relay fallback");
    assert!(result.relay_transport.is_some(), "relay transport should be available");
    assert_eq!(
-        result.1,
+        result.local_winner,
        WinningPath::Relay,
        "relay should win when direct dial has nowhere to land"
    );
@@ -180,10 +196,17 @@ async fn dual_path_errors_cleanly_when_both_paths_dead() {
    let start = std::time::Instant::now();
    let result = race(
        Role::Dialer,
-        dead_peer,
+        PeerCandidates {
            reflexive: Some(dead_peer),
            local: Vec::new(),
            mapped: None,
        },
        dead_relay,
        "test-room".into(),
        "call-test".into(),
        None, // own_reflexive: not needed in tests
        None, // Phase 5: tests use fresh endpoints (no shared signal)
        None, // Phase 7: no IPv6 endpoint in tests
    )
    .await;
    let elapsed = start.elapsed();
--- a/crates/wzp-codec/src/adaptive.rs
+++ b/crates/wzp-codec/src/adaptive.rs
@@ -116,6 +116,14 @@ impl AudioEncoder for AdaptiveEncoder {
    fn set_dtx(&mut self, enabled: bool) {
        self.opus.set_dtx(enabled);
    }
    fn set_expected_loss(&mut self, loss_pct: u8) {
        self.opus.set_expected_loss(loss_pct);
    }
    fn set_dred_duration(&mut self, frames: u8) {
        self.opus.set_dred_duration(frames);
    }
 }
 // ─── AdaptiveDecoder ─────────────────────────────────────────────────────────
--- a/crates/wzp-codec/src/opus_enc.rs
+++ b/crates/wzp-codec/src/opus_enc.rs
@@ -14,8 +14,9 @@
 //!   networks; short window keeps decoder CPU modest.
 //! - Normal tiers (Opus 16k/24k): 200 ms — balanced baseline covering common
 //!   VoIP loss patterns (20–150 ms bursts from wifi roam, transient congestion).
-//! - Degraded tier (Opus 6k): 500 ms — users on 6k are by definition on a
+//! - Degraded tier (Opus 6k): 1040 ms — users on 6k are by definition on a
-//!   bad link; longer DRED buys maximum burst resilience where it matters.
+//!   bad link; the maximum libopus DRED window buys the best burst resilience
 //!   where it matters. The RDO-VAE naturally degrades quality at longer offsets.
 //!
 //! # Why the 15% packet loss floor
 //!
@@ -78,8 +79,12 @@ pub fn dred_duration_for(codec: CodecId) -> u8 {
        CodecId::Opus32k | CodecId::Opus48k | CodecId::Opus64k => 10,
        // Normal tiers — balanced baseline.
        CodecId::Opus16k | CodecId::Opus24k => 20,
-        // Degraded tier — maximum burst resilience.
+        // Degraded tier — maximum burst resilience. 104 × 10 ms = 1040 ms,
-        CodecId::Opus6k => 50,
+        // the highest value libopus 1.5 supports. Users on 6k are on a bad
        // link by definition; the RDO-VAE naturally degrades quality at longer
        // offsets, so the extra window costs only ~1-2 kbps additional overhead
        // while buying substantially better burst resilience (up from 500 ms).
        CodecId::Opus6k => 104,
        // Non-Opus (Codec2 / CN): DRED is N/A.
        CodecId::Codec2_1200 | CodecId::Codec2_3200 | CodecId::ComfortNoise => 0,
    }
@@ -334,6 +339,14 @@ impl AudioEncoder for OpusEncoder {
    fn set_dtx(&mut self, enabled: bool) {
        let _ = self.inner.set_dtx(enabled);
    }
    fn set_expected_loss(&mut self, loss_pct: u8) {
        OpusEncoder::set_expected_loss(self, loss_pct);
    }
    fn set_dred_duration(&mut self, frames: u8) {
        OpusEncoder::set_dred_duration(self, frames);
    }
 }
 #[cfg(test)]
@@ -389,8 +402,8 @@ mod tests {
    }
    #[test]
-    fn dred_duration_for_degraded_tier_is_500ms() {
+    fn dred_duration_for_degraded_tier_is_1040ms() {
-        assert_eq!(dred_duration_for(CodecId::Opus6k), 50);
+        assert_eq!(dred_duration_for(CodecId::Opus6k), 104);
    }
    #[test]
--- a/crates/wzp-crypto/src/handshake.rs
+++ b/crates/wzp-crypto/src/handshake.rs
@@ -18,10 +18,14 @@ use crate::session::ChaChaSession;
 pub struct WarzoneKeyExchange {
    /// Ed25519 signing key (identity).
    signing_key: SigningKey,
-    /// X25519 static secret (derived from seed, used for identity encryption).
+    /// X25519 static secret derived from identity seed. Reserved for future
    /// use in static-key federation authentication (not used in current
    /// ephemeral-only handshake protocol).
    #[allow(dead_code)]
    x25519_static_secret: StaticSecret,
-    /// X25519 static public key.
+    /// X25519 static public key derived from identity seed. Reserved for
    /// future use in static-key federation authentication (not used in
    /// current ephemeral-only handshake protocol).
    #[allow(dead_code)]
    x25519_static_public: X25519PublicKey,
    /// Ephemeral X25519 secret for the current call (set by generate_ephemeral).
--- a/crates/wzp-crypto/tests/featherchat_compat.rs
+++ b/crates/wzp-crypto/tests/featherchat_compat.rs
@@ -199,6 +199,7 @@ fn wzp_answer_round_trips_through_fc_callsignal() {
 fn wzp_hangup_round_trips_through_fc_callsignal() {
    let hangup = wzp_proto::SignalMessage::Hangup {
        reason: wzp_proto::HangupReason::Normal,
        call_id: None,
    };
    let payload = wzp_client::featherchat::encode_call_payload(&hangup, None, None);
@@ -302,6 +303,7 @@ fn all_signal_types_map_correctly() {
        (
            wzp_proto::SignalMessage::Hangup {
                reason: wzp_proto::HangupReason::Normal,
                call_id: None,
            },
            "Hangup",
        ),
--- a/crates/wzp-native/cpp/oboe_bridge.cpp
+++ b/crates/wzp-native/cpp/oboe_bridge.cpp
@@ -8,6 +8,8 @@
 #include <android/log.h>
 #include <cstring>
 #include <atomic>
 #include <chrono>
 #include <thread>
 #define LOG_TAG "wzp-oboe"
 #define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
@@ -254,14 +256,28 @@ int wzp_oboe_start(const WzpOboeConfig* config, const WzpOboeRings* rings) {
    oboe::AudioStreamBuilder captureBuilder;
    captureBuilder.setDirection(oboe::Direction::Input)
        ->setPerformanceMode(oboe::PerformanceMode::LowLatency)
-        ->setSharingMode(oboe::SharingMode::Exclusive)
+        ->setSharingMode(oboe::SharingMode::Shared)
        ->setFormat(oboe::AudioFormat::I16)
        ->setChannelCount(config->channel_count)
-        ->setSampleRate(config->sample_rate)
+        ->setSampleRateConversionQuality(oboe::SampleRateConversionQuality::Best)
        ->setFramesPerDataCallback(config->frames_per_burst)
        ->setInputPreset(oboe::InputPreset::VoiceCommunication)
        ->setDataCallback(&g_capture_cb);
    if (config->bt_active) {
        // BT SCO mode: do NOT set sample rate or input preset.
        // Requesting 48kHz against a BT SCO device fails with
        // "getInputProfile could not find profile". Letting the system
        // choose the native rate (8/16kHz) and relying on Oboe's
        // resampler (SampleRateConversionQuality::Best) to bridge
        // to our 48kHz ring buffer is the only path that works.
        // InputPreset::VoiceCommunication can also prevent BT SCO
        // routing on some devices — skip it for BT.
        LOGI("capture: BT mode — no sample rate or input preset set");
    } else {
        captureBuilder.setSampleRate(config->sample_rate)
            ->setFramesPerDataCallback(config->frames_per_burst)
            ->setInputPreset(oboe::InputPreset::VoiceCommunication);
    }
    oboe::Result result = captureBuilder.openStream(g_capture_stream);
    if (result != oboe::Result::OK) {
        LOGE("Failed to open capture stream: %s", oboe::convertToText(result));
@@ -314,14 +330,23 @@ int wzp_oboe_start(const WzpOboeConfig* config, const WzpOboeRings* rings) {
    oboe::AudioStreamBuilder playoutBuilder;
    playoutBuilder.setDirection(oboe::Direction::Output)
        ->setPerformanceMode(oboe::PerformanceMode::LowLatency)
-        ->setSharingMode(oboe::SharingMode::Exclusive)
+        ->setSharingMode(oboe::SharingMode::Shared)
        ->setFormat(oboe::AudioFormat::I16)
        ->setChannelCount(config->channel_count)
-        ->setSampleRate(config->sample_rate)
+        ->setSampleRateConversionQuality(oboe::SampleRateConversionQuality::Best)
        ->setFramesPerDataCallback(config->frames_per_burst)
        ->setUsage(oboe::Usage::VoiceCommunication)
        ->setDataCallback(&g_playout_cb);
    if (config->bt_active) {
        LOGI("playout: BT mode — no sample rate set, using Usage::Media");
        // Usage::Media instead of VoiceCommunication for BT output
        // to avoid conflicts with the communication device routing.
        playoutBuilder.setUsage(oboe::Usage::Media);
    } else {
        playoutBuilder.setSampleRate(config->sample_rate)
            ->setFramesPerDataCallback(config->frames_per_burst)
            ->setUsage(oboe::Usage::VoiceCommunication);
    }
    result = playoutBuilder.openStream(g_playout_stream);
    if (result != oboe::Result::OK) {
        LOGE("Failed to open playout stream: %s", oboe::convertToText(result));
@@ -365,6 +390,38 @@ int wzp_oboe_start(const WzpOboeConfig* config, const WzpOboeRings* rings) {
        return -5;
    }
    // Log initial stream states right after requestStart() returns.
    // On well-behaved HALs both will already be Started; on others
    // (Nothing A059) they may still be in Starting state.
    LOGI("requestStart returned: capture_state=%d playout_state=%d",
         (int)g_capture_stream->getState(),
         (int)g_playout_stream->getState());
    // Poll until both streams report Started state, up to 2s timeout.
    // Some Android HALs (Nothing A059) delay transitioning from Starting
    // to Started; proceeding before the transition completes causes the
    // first capture/playout callbacks to be dropped silently.
    {
        auto deadline = std::chrono::steady_clock::now() + std::chrono::milliseconds(2000);
        int poll_count = 0;
        while (std::chrono::steady_clock::now() < deadline) {
            auto cap_state = g_capture_stream->getState();
            auto play_state = g_playout_stream->getState();
            if (cap_state == oboe::StreamState::Started &&
                play_state == oboe::StreamState::Started) {
                LOGI("both streams Started after %d polls", poll_count);
                break;
            }
            poll_count++;
            std::this_thread::sleep_for(std::chrono::milliseconds(10));
        }
        // Log final state even on timeout (helps diagnose HAL quirks)
        LOGI("stream states after poll: capture=%d playout=%d (polls=%d)",
             (int)g_capture_stream->getState(),
             (int)g_playout_stream->getState(),
             poll_count);
    }
    LOGI("Oboe started: sr=%d burst=%d ch=%d",
         config->sample_rate, config->frames_per_burst, config->channel_count);
    return 0;
--- a/crates/wzp-native/cpp/oboe_bridge.h
+++ b/crates/wzp-native/cpp/oboe_bridge.h
@@ -16,6 +16,7 @@ typedef struct {
    int32_t sample_rate;
    int32_t frames_per_burst;
    int32_t channel_count;
    int32_t bt_active;  /* nonzero = BT SCO mode: skip sample rate + input preset */
 } WzpOboeConfig;
 typedef struct {
--- a/crates/wzp-native/src/lib.rs
+++ b/crates/wzp-native/src/lib.rs
@@ -26,6 +26,11 @@ pub extern "C" fn wzp_native_version() -> i32 {
 /// Writes a NUL-terminated string into `out` (capped at `cap`) and
 /// returns bytes written excluding the NUL.
 ///
 /// # Safety
 /// `out` must be a valid pointer to at least `cap` contiguous bytes of
 /// writable memory. Passing a null pointer or zero capacity is safe
 /// (returns 0), but a dangling non-null pointer is undefined behaviour.
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wzp_native_hello(out: *mut u8, cap: usize) -> usize {
    const MSG: &[u8] = b"hello from wzp-native\0";
@@ -47,6 +52,10 @@ struct WzpOboeConfig {
    sample_rate: i32,
    frames_per_burst: i32,
    channel_count: i32,
    /// When nonzero, capture stream skips setSampleRate and setInputPreset
    /// so the system can route to BT SCO at its native rate (8/16kHz).
    /// Oboe's SampleRateConversionQuality::Best resamples to 48kHz.
    bt_active: i32,
 }
 #[repr(C)]
@@ -174,6 +183,13 @@ struct AudioBackend {
    started: std::sync::Mutex<bool>,
    /// Per-write logging throttle counter for wzp_native_audio_write_playout.
    playout_write_log_count: std::sync::atomic::AtomicU64,
    /// Fix A (task #35): the playout ring's read_idx at the last
    /// check. If audio_write_playout observes read_idx hasn't
    /// advanced after N writes, the Oboe playout callback has
    /// stopped firing → restart the streams.
    playout_last_read_idx: std::sync::atomic::AtomicI32,
    /// Number of writes since the last read_idx advance.
    playout_stall_writes: std::sync::atomic::AtomicU32,
 }
 static BACKEND: OnceLock<&'static AudioBackend> = OnceLock::new();
@@ -185,6 +201,8 @@ fn backend() -> &'static AudioBackend {
            playout: RingBuffer::new(RING_CAPACITY),
            started: std::sync::Mutex::new(false),
            playout_write_log_count: std::sync::atomic::AtomicU64::new(0),
            playout_last_read_idx: std::sync::atomic::AtomicI32::new(0),
            playout_stall_writes: std::sync::atomic::AtomicU32::new(0),
        }))
    })
 }
@@ -195,6 +213,17 @@ fn backend() -> &'static AudioBackend {
 /// Idempotent — calling while already running is a no-op that returns 0.
 #[unsafe(no_mangle)]
 pub extern "C" fn wzp_native_audio_start() -> i32 {
    audio_start_inner(false)
 }
 /// Start Oboe in Bluetooth SCO mode — skips sample rate and input preset
 /// on capture so the system can route to the BT SCO device natively.
 #[unsafe(no_mangle)]
 pub extern "C" fn wzp_native_audio_start_bt() -> i32 {
    audio_start_inner(true)
 }
 fn audio_start_inner(bt: bool) -> i32 {
    let b = backend();
    let mut started = match b.started.lock() {
        Ok(g) => g,
@@ -208,6 +237,7 @@ pub extern "C" fn wzp_native_audio_start() -> i32 {
        sample_rate: 48_000,
        frames_per_burst: FRAME_SAMPLES as i32,
        channel_count: 1,
        bt_active: if bt { 1 } else { 0 },
    };
    let rings = WzpOboeRings {
        capture_buf: b.capture.buf_ptr(),
@@ -239,9 +269,20 @@ pub extern "C" fn wzp_native_audio_stop() {
    }
 }
 /// Number of capture samples available to read without blocking.
 #[unsafe(no_mangle)]
 pub extern "C" fn wzp_native_audio_capture_available() -> usize {
    backend().capture.available_read()
 }
 /// Read captured PCM samples from the capture ring. Returns the number
 /// of `i16` samples actually copied into `out` (may be less than
 /// `out_len` if the ring is empty).
 ///
 /// # Safety
 /// `out` must be a valid pointer to `out_len` contiguous `i16` values.
 /// The caller must ensure no other thread writes to the same buffer
 /// concurrently. Passing a null pointer or zero length is safe (returns 0).
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wzp_native_audio_read_capture(out: *mut i16, out_len: usize) -> usize {
    if out.is_null() || out_len == 0 {
@@ -255,6 +296,12 @@ pub unsafe extern "C" fn wzp_native_audio_read_capture(out: *mut i16, out_len: u
 /// samples actually enqueued (may be less than `in_len` if the ring
 /// is nearly full — in practice the caller should pace to 20 ms
 /// frames and spin briefly if the ring is full).
 ///
 /// # Safety
 /// `input` must be a valid pointer to `in_len` contiguous `i16` values
 /// that remain valid for the duration of the call. Passing a null pointer
 /// or zero length is safe (returns 0). The caller must not free or mutate
 /// the buffer while this function is executing.
 #[unsafe(no_mangle)]
 pub unsafe extern "C" fn wzp_native_audio_write_playout(input: *const i16, in_len: usize) -> usize {
    if input.is_null() || in_len == 0 {
@@ -262,6 +309,77 @@ pub unsafe extern "C" fn wzp_native_audio_write_playout(input: *const i16, in_le
    }
    let slice = unsafe { std::slice::from_raw_parts(input, in_len) };
    let b = backend();
    // Fix A (task #35): detect playout callback stall. If the
    // playout ring's read_idx hasn't advanced in 50+ writes
    // (~1 second at 50 writes/sec), the Oboe playout callback
    // has stopped firing → restart the streams. This is the
    // self-healing behavior that makes rejoin work: teardown +
    // rebuild clears whatever HAL state locked up the callback.
    let current_read_idx = b.playout.read_idx.load(std::sync::atomic::Ordering::Relaxed);
    let last_read_idx = b.playout_last_read_idx.load(std::sync::atomic::Ordering::Relaxed);
    if current_read_idx == last_read_idx {
        let stall = b.playout_stall_writes.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
        if stall >= 50 {
            // Callback hasn't drained anything in ~1 second.
            // Force a stream restart.
            unsafe {
                android_log("playout STALL detected (50 writes, read_idx unchanged) — restarting Oboe streams");
            }
            b.playout_stall_writes.store(0, std::sync::atomic::Ordering::Relaxed);
            // Release the started lock, stop, re-start.
            // This is the same logic as the Rust-side
            // audio_stop() + audio_start() but done inline
            // because we can't call the extern "C" fns
            // recursively. Just call the C++ side directly.
            {
                if let Ok(mut started) = b.started.lock() {
                    if *started {
                        unsafe { wzp_oboe_stop() };
                        *started = false;
                    }
                }
            }
            // Clear the rings so the restart doesn't read stale data
            b.playout.write_idx.store(0, std::sync::atomic::Ordering::Relaxed);
            b.playout.read_idx.store(0, std::sync::atomic::Ordering::Relaxed);
            b.capture.write_idx.store(0, std::sync::atomic::Ordering::Relaxed);
            b.capture.read_idx.store(0, std::sync::atomic::Ordering::Relaxed);
            // Re-start (stall detector — always non-BT mode)
            let config = WzpOboeConfig {
                sample_rate: 48_000,
                frames_per_burst: FRAME_SAMPLES as i32,
                channel_count: 1,
                bt_active: 0,
            };
            let rings = WzpOboeRings {
                capture_buf: b.capture.buf_ptr(),
                capture_capacity: b.capture.capacity as i32,
                capture_write_idx: b.capture.write_idx_ptr(),
                capture_read_idx: b.capture.read_idx_ptr(),
                playout_buf: b.playout.buf_ptr(),
                playout_capacity: b.playout.capacity as i32,
                playout_write_idx: b.playout.write_idx_ptr(),
                playout_read_idx: b.playout.read_idx_ptr(),
            };
            let ret = unsafe { wzp_oboe_start(&config, &rings) };
            if ret == 0 {
                if let Ok(mut started) = b.started.lock() {
                    *started = true;
                }
                unsafe { android_log("playout restart OK — Oboe streams rebuilt"); }
            } else {
                unsafe { android_log(&format!("playout restart FAILED: {ret}")); }
            }
            b.playout_last_read_idx.store(0, std::sync::atomic::Ordering::Relaxed);
            return 0; // caller will retry on next frame
        }
    } else {
        // read_idx advanced — callback is alive, reset counter
        b.playout_stall_writes.store(0, std::sync::atomic::Ordering::Relaxed);
        b.playout_last_read_idx.store(current_read_idx, std::sync::atomic::Ordering::Relaxed);
    }
    let before_w = b.playout.write_idx.load(std::sync::atomic::Ordering::Relaxed);
    let before_r = b.playout.read_idx.load(std::sync::atomic::Ordering::Relaxed);
    let written = b.playout.write(slice);
--- a/crates/wzp-proto/src/dred_tuner.rs
+++ b/crates/wzp-proto/src/dred_tuner.rs
@@ -0,0 +1,316 @@
 //! Continuous DRED tuning from real-time network metrics.
 //!
 //! Instead of locking DRED duration to 3 discrete quality tiers (100/200/500 ms),
 //! `DredTuner` maps live path quality metrics to a continuous DRED duration and
 //! expected-loss hint, updated every N packets. This makes DRED reactive within
 //! ~200 ms instead of waiting for 3+ consecutive bad quality reports to trigger
 //! a full tier transition.
 //!
 //! The tuner also implements pre-emptive jitter-spike detection ("sawtooth"
 //! prediction): when jitter variance spikes >30% over a 200 ms window — typical
 //! of Starlink satellite handovers — it temporarily boosts DRED to the maximum
 //! allowed for the current codec before packets actually start dropping.
 //!
 //! See also: [`crate::quality`] for discrete tier classification that drives
 //! codec switching. DredTuner operates within a tier, adjusting DRED
 //! parameters continuously based on live network metrics.
 use crate::CodecId;
 /// Output of a single tuning cycle.
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub struct DredTuning {
    /// DRED duration in 10 ms frame units (0–104). Passed directly to
    /// `OpusEncoder::set_dred_duration()`.
    pub dred_frames: u8,
    /// Expected packet loss percentage (0–100). Passed to
    /// `OpusEncoder::set_expected_loss()`. Floored at 15% by the encoder
    /// itself, but we pass the real value so the encoder can override upward.
    pub expected_loss_pct: u8,
 }
 /// Minimum DRED frames for any Opus codec (matches DRED_LOSS_FLOOR_PCT logic:
 /// at 15% loss, libopus 1.5 emits ~95 ms of DRED, which needs at least 10
 /// frames configured to be useful).
 const MIN_DRED_FRAMES: u8 = 5;
 /// Maximum DRED frames libopus supports (104 × 10 ms = 1040 ms).
 const MAX_DRED_FRAMES: u8 = 104;
 /// Jitter variance spike ratio that triggers pre-emptive DRED boost.
 const JITTER_SPIKE_RATIO: f32 = 1.3;
 /// How many tuning cycles a jitter-spike boost persists (at 25 packets/cycle
 /// and 20 ms/packet, 10 cycles ≈ 5 seconds).
 const SPIKE_BOOST_COOLDOWN_CYCLES: u32 = 10;
 /// Maps codec tier to its baseline DRED frames (used when network is healthy).
 fn baseline_dred_frames(codec: CodecId) -> u8 {
    match codec {
        CodecId::Opus32k | CodecId::Opus48k | CodecId::Opus64k => 10, // 100 ms
        CodecId::Opus16k | CodecId::Opus24k => 20,                    // 200 ms
        CodecId::Opus6k => 50,                                         // 500 ms
        _ => 0,
    }
 }
 /// Maps codec tier to its maximum allowed DRED frames under spike/bad conditions.
 fn max_dred_frames_for(codec: CodecId) -> u8 {
    match codec {
        // Studio: cap at 300 ms (don't waste bitrate on good links)
        CodecId::Opus32k | CodecId::Opus48k | CodecId::Opus64k => 30,
        // Normal: cap at 500 ms
        CodecId::Opus16k | CodecId::Opus24k => 50,
        // Degraded: allow full 1040 ms
        CodecId::Opus6k => MAX_DRED_FRAMES,
        _ => 0,
    }
 }
 /// Continuous DRED tuner driven by network path metrics.
 pub struct DredTuner {
    /// Current codec (determines baseline and ceiling).
    codec: CodecId,
    /// Last computed tuning output.
    last_tuning: DredTuning,
    /// EWMA-smoothed jitter for spike detection (in ms).
    jitter_ewma: f32,
    /// Remaining cooldown cycles for a jitter-spike boost.
    spike_cooldown: u32,
    /// Whether the tuner has received at least one observation.
    initialized: bool,
 }
 impl DredTuner {
    /// Create a new tuner for the given codec.
    pub fn new(codec: CodecId) -> Self {
        let baseline = baseline_dred_frames(codec);
        Self {
            codec,
            last_tuning: DredTuning {
                dred_frames: baseline,
                expected_loss_pct: 15, // match DRED_LOSS_FLOOR_PCT
            },
            jitter_ewma: 0.0,
            spike_cooldown: 0,
            initialized: false,
        }
    }
    /// Update the active codec (e.g. on tier transition). Resets spike state.
    pub fn set_codec(&mut self, codec: CodecId) {
        self.codec = codec;
        self.spike_cooldown = 0;
    }
    /// Feed network metrics and compute new DRED parameters.
    ///
    /// Call this every tuning cycle (e.g. every 25 packets ≈ 500 ms at 20 ms
    /// frame duration).
    ///
    /// - `loss_pct`: observed packet loss (0.0–100.0)
    /// - `rtt_ms`: smoothed round-trip time
    /// - `jitter_ms`: current jitter estimate (RTT variance)
    ///
    /// Returns `Some(tuning)` if the output changed, `None` if unchanged.
    pub fn update(&mut self, loss_pct: f32, rtt_ms: u32, jitter_ms: u32) -> Option<DredTuning> {
        if !self.codec.is_opus() {
            return None;
        }
        let baseline = baseline_dred_frames(self.codec);
        let ceiling = max_dred_frames_for(self.codec);
        // --- Jitter spike detection ---
        let jitter_f = jitter_ms as f32;
        if !self.initialized {
            self.jitter_ewma = jitter_f;
            self.initialized = true;
        } else {
            // Fast-up (alpha=0.3), slow-down (alpha=0.05) asymmetric EWMA
            let alpha = if jitter_f > self.jitter_ewma { 0.3 } else { 0.05 };
            self.jitter_ewma = alpha * jitter_f + (1.0 - alpha) * self.jitter_ewma;
        }
        // Detect spike: instantaneous jitter > EWMA × 1.3
        if self.jitter_ewma > 1.0 && jitter_f > self.jitter_ewma * JITTER_SPIKE_RATIO {
            self.spike_cooldown = SPIKE_BOOST_COOLDOWN_CYCLES;
        }
        // Decrement cooldown
        if self.spike_cooldown > 0 {
            self.spike_cooldown -= 1;
        }
        // --- Compute DRED frames ---
        let dred_frames = if self.spike_cooldown > 0 {
            // During spike boost: jump to ceiling
            ceiling
        } else {
            // Continuous mapping: scale linearly between baseline and ceiling
            // based on loss percentage.
            //   0% loss → baseline
            //  40% loss → ceiling
            let loss_clamped = loss_pct.clamp(0.0, 40.0);
            let t = loss_clamped / 40.0;
            let raw = baseline as f32 + t * (ceiling - baseline) as f32;
            (raw as u8).clamp(MIN_DRED_FRAMES, ceiling)
        };
        // --- Compute expected loss hint ---
        // Pass the real loss so the encoder can clamp at its own floor (15%).
        // For RTT-driven boost: high RTT suggests impending loss, so add a
        // phantom loss contribution to keep DRED emitting generously.
        let rtt_loss_phantom = if rtt_ms > 200 {
            ((rtt_ms - 200) as f32 / 40.0).min(15.0)
        } else {
            0.0
        };
        let expected_loss = (loss_pct + rtt_loss_phantom).clamp(0.0, 100.0) as u8;
        let tuning = DredTuning {
            dred_frames,
            expected_loss_pct: expected_loss,
        };
        if tuning != self.last_tuning {
            self.last_tuning = tuning;
            Some(tuning)
        } else {
            None
        }
    }
    /// Get the last computed tuning without updating.
    pub fn current(&self) -> DredTuning {
        self.last_tuning
    }
    /// Whether a jitter-spike boost is currently active.
    pub fn spike_boost_active(&self) -> bool {
        self.spike_cooldown > 0
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn baseline_for_opus24k() {
        let tuner = DredTuner::new(CodecId::Opus24k);
        assert_eq!(tuner.current().dred_frames, 20); // 200 ms
    }
    #[test]
    fn baseline_for_opus6k() {
        let tuner = DredTuner::new(CodecId::Opus6k);
        assert_eq!(tuner.current().dred_frames, 50); // 500 ms
    }
    #[test]
    fn codec2_returns_none() {
        let mut tuner = DredTuner::new(CodecId::Codec2_1200);
        assert!(tuner.update(10.0, 100, 20).is_none());
    }
    #[test]
    fn scales_with_loss() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // 0% loss → baseline (20 frames)
        tuner.update(0.0, 50, 5);
        assert_eq!(tuner.current().dred_frames, 20);
        // 20% loss → midpoint between 20 and 50 = 35
        tuner.update(20.0, 50, 5);
        assert_eq!(tuner.current().dred_frames, 35);
        // 40%+ loss → ceiling (50 frames)
        tuner.update(40.0, 50, 5);
        assert_eq!(tuner.current().dred_frames, 50);
    }
    #[test]
    fn jitter_spike_triggers_boost() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // Establish baseline jitter
        for _ in 0..20 {
            tuner.update(0.0, 50, 10);
        }
        assert!(!tuner.spike_boost_active());
        // Spike: jitter jumps to 50 ms (5x the EWMA of ~10)
        tuner.update(0.0, 50, 50);
        assert!(tuner.spike_boost_active());
        // Should be at ceiling (50 frames = 500 ms for Opus24k)
        assert_eq!(tuner.current().dred_frames, 50);
    }
    #[test]
    fn spike_cooldown_decays() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // Establish baseline then spike
        for _ in 0..20 {
            tuner.update(0.0, 50, 10);
        }
        tuner.update(0.0, 50, 50);
        assert!(tuner.spike_boost_active());
        // Run through cooldown
        for _ in 0..SPIKE_BOOST_COOLDOWN_CYCLES {
            tuner.update(0.0, 50, 10);
        }
        assert!(!tuner.spike_boost_active());
        // Should return to baseline
        assert_eq!(tuner.current().dred_frames, 20);
    }
    #[test]
    fn rtt_phantom_loss() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // High RTT (400ms) with 0% real loss
        tuner.update(0.0, 400, 10);
        // Phantom loss = (400-200)/40 = 5
        assert_eq!(tuner.current().expected_loss_pct, 5);
    }
    #[test]
    fn set_codec_resets_spike() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // Trigger spike
        for _ in 0..20 {
            tuner.update(0.0, 50, 10);
        }
        tuner.update(0.0, 50, 50);
        assert!(tuner.spike_boost_active());
        // Switch codec — spike should reset
        tuner.set_codec(CodecId::Opus6k);
        assert!(!tuner.spike_boost_active());
    }
    #[test]
    fn opus6k_reaches_max_1040ms() {
        let mut tuner = DredTuner::new(CodecId::Opus6k);
        // High loss → should reach 104 frames (1040 ms)
        tuner.update(40.0, 50, 5);
        assert_eq!(tuner.current().dred_frames, MAX_DRED_FRAMES);
    }
    #[test]
    fn returns_none_when_unchanged() {
        let mut tuner = DredTuner::new(CodecId::Opus24k);
        // First update always returns Some (initial → computed)
        let first = tuner.update(0.0, 50, 5);
        // Same inputs → None
        let second = tuner.update(0.0, 50, 5);
        assert!(first.is_some() || second.is_none());
    }
 }
--- a/crates/wzp-proto/src/lib.rs
+++ b/crates/wzp-proto/src/lib.rs
@@ -14,6 +14,7 @@
 pub mod bandwidth;
 pub mod codec_id;
 pub mod dred_tuner;
 pub mod error;
 pub mod jitter;
 pub mod packet;
@@ -26,10 +27,11 @@ pub use codec_id::{CodecId, QualityProfile};
 pub use error::*;
 pub use packet::{
    CallAcceptMode, HangupReason, MediaHeader, MediaPacket, MiniFrameContext, MiniHeader,
-    QualityReport, RoomParticipant, SignalMessage, TrunkEntry, TrunkFrame, FRAME_TYPE_FULL,
+    PresenceUser, QualityReport, RoomParticipant, SignalMessage, TrunkEntry, TrunkFrame, FRAME_TYPE_FULL,
    FRAME_TYPE_MINI,
 };
 pub use bandwidth::{BandwidthEstimator, CongestionState};
 pub use dred_tuner::{DredTuner, DredTuning};
 pub use quality::{AdaptiveQualityController, NetworkContext, Tier};
 pub use session::{Session, SessionEvent, SessionState};
 pub use traits::*;
--- a/crates/wzp-proto/src/packet.rs
+++ b/crates/wzp-proto/src/packet.rs
@@ -156,6 +156,14 @@ impl MediaHeader {
    }
 }
 /// A user visible in the signal presence list.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct PresenceUser {
    pub fingerprint: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub alias: Option<String>,
 }
 /// Quality report appended to a media packet when Q flag is set (4 bytes).
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
 pub struct QualityReport {
@@ -180,6 +188,19 @@ impl QualityReport {
        self.rtt_4ms as u16 * 4
    }
    /// Construct a QualityReport from locally-observed path statistics.
    ///
    /// Used by the send task to embed quality data in outgoing packets so
    /// the peer's recv task (or relay) can drive adaptive quality switching.
    pub fn from_path_stats(loss_pct: f32, rtt_ms: u32, jitter_ms: u32) -> Self {
        Self {
            loss_pct: (loss_pct / 100.0 * 255.0).clamp(0.0, 255.0) as u8,
            rtt_4ms: (rtt_ms / 4).min(255) as u8,
            jitter_ms: jitter_ms.min(255) as u8,
            bitrate_cap_kbps: 200,
        }
    }
    pub fn write_to(&self, buf: &mut impl BufMut) {
        buf.put_u8(self.loss_pct);
        buf.put_u8(self.rtt_4ms);
@@ -608,8 +629,14 @@ pub enum SignalMessage {
    Ping { timestamp_ms: u64 },
    Pong { timestamp_ms: u64 },
-    /// End the call.
+    /// End the call. `call_id` is optional for backwards compatibility
-    Hangup { reason: HangupReason },
+    /// with older clients that send Hangup without it — the relay falls
    /// back to ending ALL active calls for the sender in that case.
    Hangup {
        reason: HangupReason,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        call_id: Option<String>,
    },
    /// featherChat bearer token for relay authentication.
    /// Sent as the first signal message when --auth-url is configured.
@@ -716,6 +743,16 @@ pub enum SignalMessage {
        success: bool,
        #[serde(skip_serializing_if = "Option::is_none")]
        error: Option<String>,
        /// Relay's build version (git short hash).
        #[serde(default, skip_serializing_if = "Option::is_none")]
        relay_build: Option<String>,
        /// Phase 8: relay's geographic region (e.g., "us-east", "eu-west").
        #[serde(default, skip_serializing_if = "Option::is_none")]
        relay_region: Option<String>,
        /// Phase 8: other relays the client can use, sorted by relay
        /// mesh proximity. Each entry is "name|addr" (e.g., "eu-west|203.0.113.5:4433").
        #[serde(default, skip_serializing_if = "Vec::is_empty")]
        available_relays: Vec<String>,
    },
    /// Direct call offer routed through the relay to a specific peer.
@@ -745,6 +782,25 @@ pub enum SignalMessage {
        /// `None` means "caller doesn't want P2P, use relay only".
        #[serde(default, skip_serializing_if = "Option::is_none")]
        caller_reflexive_addr: Option<String>,
        /// Phase 5.5 (ICE host candidates): caller's LAN-local
        /// interface addresses paired with its signal endpoint's
        /// port. Peers on the same physical LAN can direct-dial
        /// these without going through the WAN reflex addr,
        /// which is important because most consumer NATs
        /// (including MikroTik masquerade) don't support NAT
        /// hairpinning — the reflex addr is unreachable from
        /// the same LAN.
        #[serde(default, skip_serializing_if = "Vec::is_empty")]
        caller_local_addrs: Vec<String>,
        /// Phase 8 (Tailscale-inspired): caller's port-mapped external
        /// address from NAT-PMP/PCP/UPnP. When the router supports
        /// port mapping, this gives a stable external address even
        /// behind symmetric NATs.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        caller_mapped_addr: Option<String>,
        /// Build version (git short hash) for debugging.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        caller_build_version: Option<String>,
    },
    /// Callee's response to a direct call.
@@ -771,6 +827,20 @@ pub enum SignalMessage {
        /// carries it opaquely into the caller's `CallSetup`.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        callee_reflexive_addr: Option<String>,
        /// Phase 5.5 (ICE host candidates): callee's LAN-local
        /// interface addresses. Same purpose as
        /// `caller_local_addrs` in `DirectCallOffer`. Only
        /// populated on `AcceptTrusted` alongside
        /// `callee_reflexive_addr`.
        #[serde(default, skip_serializing_if = "Vec::is_empty")]
        callee_local_addrs: Vec<String>,
        /// Phase 8 (Tailscale-inspired): callee's port-mapped external
        /// address from NAT-PMP/PCP/UPnP.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        callee_mapped_addr: Option<String>,
        /// Build version (git short hash) for debugging.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        callee_build_version: Option<String>,
    },
    /// Relay tells both parties: media room is ready.
@@ -791,6 +861,19 @@ pub enum SignalMessage {
        /// wasn't viable.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        peer_direct_addr: Option<String>,
        /// Phase 5.5 (ICE host candidates): the OTHER party's LAN
        /// host addresses (RFC1918 IPv4 + CGNAT + non-link-local
        /// IPv6). On same-LAN calls these are directly dialable
        /// and bypass the NAT-hairpinning problem that blocks
        /// same-LAN peers from using `peer_direct_addr`.
        /// Client-side race tries all of these in parallel.
        #[serde(default, skip_serializing_if = "Vec::is_empty")]
        peer_local_addrs: Vec<String>,
        /// Phase 8 (Tailscale-inspired): the OTHER party's port-mapped
        /// external address from NAT-PMP/PCP/UPnP. Added to the
        /// candidate dial order between host and reflexive addrs.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        peer_mapped_addr: Option<String>,
    },
    /// Ringing notification (relay → caller, callee received the offer).
@@ -821,6 +904,90 @@ pub enum SignalMessage {
        observed_addr: String,
    },
    // ── Phase 6: ICE-style path negotiation ─────────────────────
    /// Phase 6: each side reports the result of its local dual-
    /// path race to the other side through the relay. Both peers
    /// send this after their race completes; both wait for the
    /// other's report before committing a transport to the
    /// CallEngine.
    ///
    /// The decision rule is: if BOTH sides report `direct_ok =
    /// true`, use the direct P2P connection. If EITHER reports
    /// `direct_ok = false`, BOTH fall back to relay. This
    /// eliminates the race condition where one side picks Direct
    /// and the other picks Relay — they now agree on the path
    /// before any media flows.
    MediaPathReport {
        call_id: String,
        /// Did the direct QUIC connection (P2P dial or accept)
        /// complete successfully on this side?
        direct_ok: bool,
        /// Which future won the local tokio::select race?
        /// "Direct" or "Relay" — informational for debug logs.
        #[serde(default)]
        race_winner: String,
    },
    // ── Phase 8: mid-call ICE re-gathering ────────────────────────
    /// Phase 8 (Tailscale-inspired): mid-call candidate update sent
    /// when a client's network changes (WiFi → cellular, IP change,
    /// etc.). The relay forwards this to the call peer, who can
    /// re-race with the new candidates to upgrade or maintain the
    /// direct path.
    ///
    /// The `generation` counter is monotonically increasing per call
    /// — peers ignore updates with a generation <= their last-seen
    /// generation to handle reordering.
    CandidateUpdate {
        call_id: String,
        /// New server-reflexive address (STUN-discovered or relay-reflected).
        #[serde(default, skip_serializing_if = "Option::is_none")]
        reflexive_addr: Option<String>,
        /// New LAN host addresses.
        #[serde(default, skip_serializing_if = "Vec::is_empty")]
        local_addrs: Vec<String>,
        /// New port-mapped address (NAT-PMP/PCP/UPnP).
        #[serde(default, skip_serializing_if = "Option::is_none")]
        mapped_addr: Option<String>,
        /// Monotonic generation counter.
        generation: u32,
    },
    // ── Hard NAT traversal (port prediction) ──────────────────────
    /// Hard NAT probe coordination — exchanged when both peers
    /// detect symmetric NAT. Carries the port allocation pattern
    /// and recent port sequence so the peer can predict which port
    /// to dial.
    HardNatProbe {
        call_id: String,
        /// Last observed external ports (most recent first).
        /// Typically 3-5 entries from sequential STUN probes.
        port_sequence: Vec<u16>,
        /// Detected allocation pattern as string:
        /// "sequential:N" (N=delta), "random", "preserving"
        allocation: String,
        /// Probe timestamp (ms since epoch) for synchronization.
        probe_time_ms: u64,
        /// External IP from STUN.
        external_ip: String,
    },
    /// Birthday attack coordination — Acceptor tells Dialer which
    /// ports it has open. The Dialer then sprays QUIC connects to
    /// these ports (and optionally random ports) on the Acceptor's IP.
    HardNatBirthdayStart {
        call_id: String,
        /// Number of sockets the Acceptor opened.
        acceptor_port_count: u16,
        /// External ports discovered via STUN (the "hit list").
        acceptor_ports: Vec<u16>,
        /// Acceptor's external IP.
        external_ip: String,
    },
    // ── Phase 4: cross-relay direct-call signaling ────────────────────
    /// Phase 4: relay-to-relay envelope for forwarding direct-call
@@ -852,6 +1019,79 @@ pub enum SignalMessage {
        /// federation link via `send_signal_to_peer`.
        origin_relay_fp: String,
    },
    /// Relay-initiated quality directive: all participants should switch
    /// to the recommended profile to match the weakest link.
    QualityDirective {
        recommended_profile: crate::QualityProfile,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        reason: Option<String>,
    },
    // ── Signal presence ───────────────────────────────────────────
    /// Relay broadcasts the list of currently registered signal
    /// users to all connected clients. Sent on every register/
    /// deregister so clients can maintain a live lobby user list.
    PresenceList {
        /// List of online users. Each entry is { fingerprint, alias }.
        users: Vec<PresenceUser>,
    },
    // ── Quality upgrade negotiation (#28, #29) ──────────────────
    /// Peer proposes upgrading to a higher quality profile.
    /// The other side can accept or reject based on its own network
    /// conditions. Used for consensual upgrades that require both
    /// sides to agree (e.g., switching from Opus24k to Studio48k).
    UpgradeProposal {
        call_id: String,
        /// Unique ID for this proposal (to match response).
        proposal_id: String,
        /// The profile being proposed.
        proposed_profile: crate::QualityProfile,
        /// Current local network quality to justify the upgrade.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        local_loss_pct: Option<f32>,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        local_rtt_ms: Option<u32>,
    },
    /// Response to an UpgradeProposal.
    UpgradeResponse {
        call_id: String,
        proposal_id: String,
        /// true = accepted, both sides switch. false = rejected.
        accepted: bool,
        /// Reason for rejection (if any).
        #[serde(default, skip_serializing_if = "Option::is_none")]
        reason: Option<String>,
    },
    /// Confirmation that the upgrade is committed — both sides
    /// should switch encoder at the next frame boundary.
    UpgradeConfirm {
        call_id: String,
        proposal_id: String,
        confirmed_profile: crate::QualityProfile,
    },
    // ── Per-participant quality (#30) ───────────────────────────
    /// Peer reports its own quality capability — allows asymmetric
    /// encoding where each side uses the best quality its connection
    /// supports, rather than forcing all to the weakest link.
    QualityCapability {
        call_id: String,
        /// The best profile this peer can sustain based on its
        /// current network conditions.
        max_profile: crate::QualityProfile,
        /// Current loss/RTT for context.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        loss_pct: Option<f32>,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        rtt_ms: Option<u32>,
    },
 }
 /// How the callee responds to a direct call.
@@ -893,6 +1133,32 @@ pub enum HangupReason {
 mod tests {
    use super::*;
    #[test]
    fn quality_report_from_path_stats_basic() {
        let qr = QualityReport::from_path_stats(10.0, 100, 20);
        // 10.0 / 100.0 * 255.0 = 25.5 → truncated to 25
        assert_eq!(qr.loss_pct, 25);
        assert_eq!(qr.rtt_4ms, 25); // 100 / 4 = 25
        assert_eq!(qr.jitter_ms, 20);
        assert_eq!(qr.bitrate_cap_kbps, 200);
    }
    #[test]
    fn quality_report_from_path_stats_zero() {
        let qr = QualityReport::from_path_stats(0.0, 0, 0);
        assert_eq!(qr.loss_pct, 0);
        assert_eq!(qr.rtt_4ms, 0);
        assert_eq!(qr.jitter_ms, 0);
    }
    #[test]
    fn quality_report_from_path_stats_clamps_high() {
        let qr = QualityReport::from_path_stats(100.0, 2000, 300);
        assert_eq!(qr.loss_pct, 255);
        assert_eq!(qr.rtt_4ms, 255); // 2000/4=500, clamped to 255
        assert_eq!(qr.jitter_ms, 255);
    }
    #[test]
    fn header_roundtrip() {
        let header = MediaHeader {
@@ -1034,6 +1300,9 @@ mod tests {
            signature: vec![3u8; 64],
            supported_profiles: vec![],
            caller_reflexive_addr: Some("192.0.2.1:4433".into()),
            caller_local_addrs: Vec::new(),
            caller_mapped_addr: None,
            caller_build_version: None,
        };
        let forward = SignalMessage::FederatedSignalForward {
            inner: Box::new(inner),
@@ -1075,9 +1344,12 @@ mod tests {
                signature: None,
                chosen_profile: None,
                callee_reflexive_addr: Some("198.51.100.9:4433".into()),
                callee_local_addrs: Vec::new(),
                callee_mapped_addr: None,
                callee_build_version: None,
            },
            SignalMessage::CallRinging { call_id: "c1".into() },
-            SignalMessage::Hangup { reason: HangupReason::Normal },
+            SignalMessage::Hangup { reason: HangupReason::Normal, call_id: None },
        ];
        for inner in cases {
            let inner_disc = std::mem::discriminant(&inner);
@@ -1109,6 +1381,9 @@ mod tests {
            signature: vec![],
            supported_profiles: vec![],
            caller_reflexive_addr: Some("192.0.2.1:4433".into()),
            caller_local_addrs: Vec::new(),
            caller_mapped_addr: None,
            caller_build_version: None,
        };
        let json = serde_json::to_string(&offer).unwrap();
        assert!(
@@ -1136,6 +1411,9 @@ mod tests {
            signature: vec![],
            supported_profiles: vec![],
            caller_reflexive_addr: None,
            caller_local_addrs: Vec::new(),
            caller_mapped_addr: None,
            caller_build_version: None,
        };
        let json_none = serde_json::to_string(&offer_none).unwrap();
        assert!(
@@ -1152,6 +1430,9 @@ mod tests {
            signature: None,
            chosen_profile: None,
            callee_reflexive_addr: Some("198.51.100.9:4433".into()),
            callee_local_addrs: Vec::new(),
            callee_mapped_addr: None,
            callee_build_version: None,
        };
        let decoded: SignalMessage =
            serde_json::from_str(&serde_json::to_string(&answer).unwrap()).unwrap();
@@ -1171,6 +1452,8 @@ mod tests {
            room: "call-c1".into(),
            relay_addr: "203.0.113.5:4433".into(),
            peer_direct_addr: Some("192.0.2.1:4433".into()),
            peer_local_addrs: Vec::new(),
            peer_mapped_addr: None,
        };
        let decoded: SignalMessage =
            serde_json::from_str(&serde_json::to_string(&setup).unwrap()).unwrap();
@@ -1231,7 +1514,7 @@ mod tests {
        let cases = vec![
            SignalMessage::Ping { timestamp_ms: 12345 },
            SignalMessage::Hold,
-            SignalMessage::Hangup { reason: HangupReason::Normal },
+            SignalMessage::Hangup { reason: HangupReason::Normal, call_id: None },
            SignalMessage::CallRinging { call_id: "abcd".into() },
        ];
        for m in cases {
@@ -1589,6 +1872,41 @@ mod tests {
        }
    }
    #[test]
    fn quality_directive_roundtrip() {
        let msg = SignalMessage::QualityDirective {
            recommended_profile: crate::QualityProfile::DEGRADED,
            reason: Some("weakest link degraded".into()),
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::QualityDirective { recommended_profile, reason } => {
                assert_eq!(recommended_profile.codec, CodecId::Opus6k);
                assert_eq!(reason.as_deref(), Some("weakest link degraded"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn quality_directive_without_reason_roundtrip() {
        let msg = SignalMessage::QualityDirective {
            recommended_profile: crate::QualityProfile::GOOD,
            reason: None,
        };
        let json = serde_json::to_string(&msg).unwrap();
        // None reason should be omitted from JSON
        assert!(!json.contains("reason"));
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::QualityDirective { reason, .. } => {
                assert!(reason.is_none());
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn mini_frame_disabled() {
        // Simulate disabled mini-frames by always keeping frames_since_full at 0
@@ -1605,4 +1923,345 @@ mod tests {
            assert_eq!(wire[0], FRAME_TYPE_FULL, "frame {i} should be FULL when disabled");
        }
    }
    // ── Quality negotiation roundtrip tests (#28, #29, #30) ─────
    #[test]
    fn upgrade_proposal_roundtrip() {
        let msg = SignalMessage::UpgradeProposal {
            call_id: "c1".into(),
            proposal_id: "p1".into(),
            proposed_profile: crate::QualityProfile::STUDIO_48K,
            local_loss_pct: Some(0.5),
            local_rtt_ms: Some(25),
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::UpgradeProposal { proposal_id, proposed_profile, .. } => {
                assert_eq!(proposal_id, "p1");
                assert_eq!(proposed_profile, crate::QualityProfile::STUDIO_48K);
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn upgrade_response_roundtrip() {
        let msg = SignalMessage::UpgradeResponse {
            call_id: "c1".into(),
            proposal_id: "p1".into(),
            accepted: true,
            reason: None,
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::UpgradeResponse { accepted, .. } => assert!(accepted),
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn upgrade_confirm_roundtrip() {
        let msg = SignalMessage::UpgradeConfirm {
            call_id: "c1".into(),
            proposal_id: "p1".into(),
            confirmed_profile: crate::QualityProfile::STUDIO_64K,
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::UpgradeConfirm { confirmed_profile, .. } => {
                assert_eq!(confirmed_profile, crate::QualityProfile::STUDIO_64K);
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn quality_capability_roundtrip() {
        let msg = SignalMessage::QualityCapability {
            call_id: "c1".into(),
            max_profile: crate::QualityProfile::GOOD,
            loss_pct: Some(2.5),
            rtt_ms: Some(80),
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::QualityCapability { max_profile, loss_pct, .. } => {
                assert_eq!(max_profile, crate::QualityProfile::GOOD);
                assert!((loss_pct.unwrap() - 2.5).abs() < 0.01);
            }
            _ => panic!("wrong variant"),
        }
    }
    // ── Phase 8: Tailscale-inspired signal roundtrip tests ──────
    #[test]
    fn candidate_update_roundtrip() {
        let msg = SignalMessage::CandidateUpdate {
            call_id: "test-123".into(),
            reflexive_addr: Some("203.0.113.5:4433".into()),
            local_addrs: vec![
                "192.168.1.10:4433".into(),
                "10.0.0.5:4433".into(),
            ],
            mapped_addr: Some("198.51.100.42:12345".into()),
            generation: 7,
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::CandidateUpdate {
                call_id,
                reflexive_addr,
                local_addrs,
                mapped_addr,
                generation,
            } => {
                assert_eq!(call_id, "test-123");
                assert_eq!(reflexive_addr.as_deref(), Some("203.0.113.5:4433"));
                assert_eq!(local_addrs.len(), 2);
                assert_eq!(mapped_addr.as_deref(), Some("198.51.100.42:12345"));
                assert_eq!(generation, 7);
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn candidate_update_minimal_roundtrip() {
        let msg = SignalMessage::CandidateUpdate {
            call_id: "c".into(),
            reflexive_addr: None,
            local_addrs: vec![],
            mapped_addr: None,
            generation: 0,
        };
        let json = serde_json::to_string(&msg).unwrap();
        // skip_serializing_if should omit None/empty fields
        assert!(!json.contains("reflexive_addr"));
        assert!(!json.contains("local_addrs"));
        assert!(!json.contains("mapped_addr"));
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::CandidateUpdate { generation, .. } => {
                assert_eq!(generation, 0);
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn offer_with_mapped_addr_roundtrip() {
        let msg = SignalMessage::DirectCallOffer {
            caller_fingerprint: "alice".into(),
            caller_alias: None,
            target_fingerprint: "bob".into(),
            call_id: "c1".into(),
            identity_pub: [0; 32],
            ephemeral_pub: [0; 32],
            signature: vec![],
            supported_profiles: vec![],
            caller_reflexive_addr: Some("1.2.3.4:5".into()),
            caller_local_addrs: vec!["10.0.0.1:5".into()],
            caller_mapped_addr: Some("5.6.7.8:9999".into()),
            caller_build_version: None,
        };
        let json = serde_json::to_string(&msg).unwrap();
        assert!(json.contains("caller_mapped_addr"));
        assert!(json.contains("5.6.7.8:9999"));
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::DirectCallOffer {
                caller_mapped_addr, ..
            } => {
                assert_eq!(caller_mapped_addr.as_deref(), Some("5.6.7.8:9999"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn offer_without_mapped_addr_omits_field() {
        let msg = SignalMessage::DirectCallOffer {
            caller_fingerprint: "alice".into(),
            caller_alias: None,
            target_fingerprint: "bob".into(),
            call_id: "c1".into(),
            identity_pub: [0; 32],
            ephemeral_pub: [0; 32],
            signature: vec![],
            supported_profiles: vec![],
            caller_reflexive_addr: None,
            caller_local_addrs: vec![],
            caller_mapped_addr: None,
            caller_build_version: None,
        };
        let json = serde_json::to_string(&msg).unwrap();
        assert!(!json.contains("caller_mapped_addr"));
    }
    #[test]
    fn answer_with_mapped_addr_roundtrip() {
        let msg = SignalMessage::DirectCallAnswer {
            call_id: "c1".into(),
            accept_mode: CallAcceptMode::AcceptTrusted,
            identity_pub: None,
            ephemeral_pub: None,
            signature: None,
            chosen_profile: None,
            callee_reflexive_addr: Some("1.2.3.4:5".into()),
            callee_local_addrs: vec![],
            callee_mapped_addr: Some("9.8.7.6:1111".into()),
            callee_build_version: None,
        };
        let json = serde_json::to_string(&msg).unwrap();
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::DirectCallAnswer {
                callee_mapped_addr, ..
            } => {
                assert_eq!(callee_mapped_addr.as_deref(), Some("9.8.7.6:1111"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn setup_with_mapped_addr_roundtrip() {
        let msg = SignalMessage::CallSetup {
            call_id: "c1".into(),
            room: "room".into(),
            relay_addr: "1.2.3.4:5".into(),
            peer_direct_addr: Some("5.6.7.8:9".into()),
            peer_local_addrs: vec!["10.0.0.1:9".into()],
            peer_mapped_addr: Some("11.12.13.14:15".into()),
        };
        let json = serde_json::to_string(&msg).unwrap();
        assert!(json.contains("peer_mapped_addr"));
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::CallSetup {
                peer_mapped_addr, ..
            } => {
                assert_eq!(peer_mapped_addr.as_deref(), Some("11.12.13.14:15"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn backward_compat_offer_without_mapped_addr_parses() {
        // Old client JSON that doesn't have caller_mapped_addr at all
        let json = r#"{
            "DirectCallOffer": {
                "caller_fingerprint": "alice",
                "target_fingerprint": "bob",
                "call_id": "c1",
                "identity_pub": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
                "ephemeral_pub": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
                "signature": [],
                "supported_profiles": [],
                "caller_reflexive_addr": "1.2.3.4:5"
            }
        }"#;
        let decoded: SignalMessage = serde_json::from_str(json).unwrap();
        match decoded {
            SignalMessage::DirectCallOffer {
                caller_mapped_addr,
                caller_reflexive_addr,
                ..
            } => {
                assert!(caller_mapped_addr.is_none());
                assert_eq!(caller_reflexive_addr.as_deref(), Some("1.2.3.4:5"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn backward_compat_setup_without_mapped_addr_parses() {
        let json = r#"{
            "CallSetup": {
                "call_id": "c1",
                "room": "room",
                "relay_addr": "1.2.3.4:5",
                "peer_direct_addr": "5.6.7.8:9"
            }
        }"#;
        let decoded: SignalMessage = serde_json::from_str(json).unwrap();
        match decoded {
            SignalMessage::CallSetup {
                peer_mapped_addr,
                peer_direct_addr,
                ..
            } => {
                assert!(peer_mapped_addr.is_none());
                assert_eq!(peer_direct_addr.as_deref(), Some("5.6.7.8:9"));
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn register_presence_ack_with_new_fields_roundtrip() {
        let msg = SignalMessage::RegisterPresenceAck {
            success: true,
            error: None,
            relay_build: Some("abc123".into()),
            relay_region: Some("us-east".into()),
            available_relays: vec![
                "eu-west|10.0.0.1:4433".into(),
                "ap-south|10.0.0.2:4433".into(),
            ],
        };
        let json = serde_json::to_string(&msg).unwrap();
        assert!(json.contains("relay_region"));
        assert!(json.contains("us-east"));
        assert!(json.contains("available_relays"));
        let decoded: SignalMessage = serde_json::from_str(&json).unwrap();
        match decoded {
            SignalMessage::RegisterPresenceAck {
                relay_region,
                available_relays,
                ..
            } => {
                assert_eq!(relay_region.as_deref(), Some("us-east"));
                assert_eq!(available_relays.len(), 2);
            }
            _ => panic!("wrong variant"),
        }
    }
    #[test]
    fn register_presence_ack_backward_compat() {
        // Old relay JSON without relay_region or available_relays
        let json = r#"{
            "RegisterPresenceAck": {
                "success": true,
                "relay_build": "old-build"
            }
        }"#;
        let decoded: SignalMessage = serde_json::from_str(json).unwrap();
        match decoded {
            SignalMessage::RegisterPresenceAck {
                relay_region,
                available_relays,
                relay_build,
                ..
            } => {
                assert!(relay_region.is_none());
                assert!(available_relays.is_empty());
                assert_eq!(relay_build.as_deref(), Some("old-build"));
            }
            _ => panic!("wrong variant"),
        }
    }
 }
--- a/crates/wzp-proto/src/quality.rs
+++ b/crates/wzp-proto/src/quality.rs
@@ -1,3 +1,5 @@
 //! See also: [`crate::dred_tuner`] for continuous DRED tuning within a tier.
 use std::collections::VecDeque;
 use std::time::{Duration, Instant};
@@ -6,19 +8,31 @@ use crate::traits::QualityController;
 use crate::QualityProfile;
 /// Network quality tier — drives codec and FEC selection.
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+///
 /// 5-tier range from studio quality down to catastrophic:
 /// Studio64k > Studio48k > Studio32k > Good > Degraded > Catastrophic
 #[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
 pub enum Tier {
-    /// loss < 10%, RTT < 400ms
+    /// loss >= 15% OR RTT >= 200ms — Codec2 1.2k
-    Good,
+    Catastrophic = 0,
-    /// loss 10-40% OR RTT 400-600ms
+    /// loss < 15% AND RTT < 200ms — Opus 6k
-    Degraded,
+    Degraded = 1,
-    /// loss > 40% OR RTT > 600ms
+    /// loss < 5% AND RTT < 100ms — Opus 24k
-    Catastrophic,
+    Good = 2,
    /// loss < 2% AND RTT < 80ms — Opus 32k
    Studio32k = 3,
    /// loss < 1% AND RTT < 50ms — Opus 48k
    Studio48k = 4,
    /// loss < 1% AND RTT < 30ms — Opus 64k
    Studio64k = 5,
 }
 impl Tier {
    pub fn profile(self) -> QualityProfile {
        match self {
            Self::Studio64k => QualityProfile::STUDIO_64K,
            Self::Studio48k => QualityProfile::STUDIO_48K,
            Self::Studio32k => QualityProfile::STUDIO_32K,
            Self::Good => QualityProfile::GOOD,
            Self::Degraded => QualityProfile::DEGRADED,
            Self::Catastrophic => QualityProfile::CATASTROPHIC,
@@ -39,7 +53,7 @@ impl Tier {
            NetworkContext::CellularLte
            | NetworkContext::Cellular5g
            | NetworkContext::Cellular3g => {
-                // Tighter thresholds for cellular networks
+                // Tighter thresholds for cellular — no studio tiers
                if loss > 25.0 || rtt > 500 {
                    Self::Catastrophic
                } else if loss > 8.0 || rtt > 300 {
@@ -49,13 +63,18 @@ impl Tier {
                }
            }
            NetworkContext::WiFi | NetworkContext::Unknown => {
-                // Original thresholds
+                if loss >= 15.0 || rtt >= 200 {
                if loss > 40.0 || rtt > 600 {
                    Self::Catastrophic
-                } else if loss > 10.0 || rtt > 400 {
+                } else if loss >= 5.0 || rtt >= 100 {
                    Self::Degraded
-                } else {
+                } else if loss >= 2.0 || rtt >= 80 {
                    Self::Good
                } else if loss >= 1.0 || rtt >= 50 {
                    Self::Studio32k
                } else if rtt >= 30 {
                    Self::Studio48k
                } else {
                    Self::Studio64k
                }
            }
        }
@@ -64,11 +83,19 @@ impl Tier {
    /// Return the next lower (worse) tier, or None if already at the worst.
    pub fn downgrade(self) -> Option<Tier> {
        match self {
            Self::Studio64k => Some(Self::Studio48k),
            Self::Studio48k => Some(Self::Studio32k),
            Self::Studio32k => Some(Self::Good),
            Self::Good => Some(Self::Degraded),
            Self::Degraded => Some(Self::Catastrophic),
            Self::Catastrophic => None,
        }
    }
    /// Whether this is a studio tier (above Good).
    pub fn is_studio(self) -> bool {
        matches!(self, Self::Studio64k | Self::Studio48k | Self::Studio32k)
    }
 }
 /// Describes the network transport type for context-aware quality decisions.
@@ -108,20 +135,48 @@ pub struct AdaptiveQualityController {
    fec_boost_until: Option<Instant>,
    /// FEC boost amount to add during handoff recovery window.
    fec_boost_amount: f32,
    /// Probing state: when Some, we're actively testing a higher tier.
    probe: Option<ProbeState>,
    /// Time spent stable at the current tier (for probe trigger).
    stable_since: Option<Instant>,
 }
 /// Threshold for downgrading (fast reaction to degradation).
 const DOWNGRADE_THRESHOLD: u32 = 3;
 /// Threshold for downgrading on cellular networks (even faster).
 const CELLULAR_DOWNGRADE_THRESHOLD: u32 = 2;
-/// Threshold for upgrading (slow, cautious improvement).
+/// Threshold for upgrading from Catastrophic/Degraded to Good.
-const UPGRADE_THRESHOLD: u32 = 10;
+const UPGRADE_THRESHOLD: u32 = 5;
 /// Threshold for upgrading into studio tiers (very conservative).
 const STUDIO_UPGRADE_THRESHOLD: u32 = 10;
 /// Maximum history window size.
 const HISTORY_SIZE: usize = 20;
 /// Default FEC boost amount during handoff recovery.
 const DEFAULT_FEC_BOOST: f32 = 0.2;
 /// Duration of FEC boost after a network handoff.
 const FEC_BOOST_DURATION_SECS: u64 = 10;
 /// Minimum time stable at current tier before probing upward (30 seconds).
 const PROBE_STABLE_SECS: u64 = 30;
 /// Duration of a probe window (5 seconds — ~25 quality reports at 1/s).
 const PROBE_DURATION_SECS: u64 = 5;
 /// Maximum bad reports during probe before aborting (1 out of ~5 = 20%).
 const PROBE_MAX_BAD: u32 = 1;
 /// Cooldown after a failed probe before trying again (60 seconds).
 const PROBE_COOLDOWN_SECS: u64 = 60;
 /// Active bandwidth probe state.
 struct ProbeState {
    /// The tier we're probing (one step above current).
    target_tier: Tier,
    /// Profile to apply during probe.
    target_profile: QualityProfile,
    /// When the probe started.
    started: Instant,
    /// Reports observed during probe.
    probe_reports: u32,
    /// Bad reports during probe (loss/RTT exceeded target tier thresholds).
    bad_reports: u32,
 }
 impl AdaptiveQualityController {
    pub fn new() -> Self {
@@ -135,6 +190,8 @@ impl AdaptiveQualityController {
            network_context: NetworkContext::default(),
            fec_boost_until: None,
            fec_boost_amount: DEFAULT_FEC_BOOST,
            probe: None,
            stable_since: None,
        }
    }
@@ -174,6 +231,10 @@ impl AdaptiveQualityController {
            self.forced = false;
        }
        // Cancel any active probe
        self.probe = None;
        self.stable_since = None;
        // Activate FEC boost for any network change
        self.fec_boost_until = Some(Instant::now() + Duration::from_secs(FEC_BOOST_DURATION_SECS));
    }
@@ -194,6 +255,8 @@ impl AdaptiveQualityController {
    pub fn reset_counters(&mut self) {
        self.consecutive_up = 0;
        self.consecutive_down = 0;
        self.probe = None;
        self.stable_since = None;
    }
    /// Get the effective downgrade threshold based on network context.
@@ -213,16 +276,13 @@ impl AdaptiveQualityController {
            return None;
        }
-        let is_worse = match (self.current_tier, observed_tier) {
+        let is_worse = observed_tier < self.current_tier;
            (Tier::Good, Tier::Degraded | Tier::Catastrophic) => true,
            (Tier::Degraded, Tier::Catastrophic) => true,
            _ => false,
        };
        if is_worse {
            self.consecutive_up = 0;
            self.consecutive_down += 1;
            if self.consecutive_down >= self.downgrade_threshold() {
                // Jump directly to the observed tier (don't step one-at-a-time on downgrade)
                self.current_tier = observed_tier;
                self.current_profile = observed_tier.profile();
                self.consecutive_down = 0;
@@ -232,22 +292,115 @@ impl AdaptiveQualityController {
            // Better conditions
            self.consecutive_down = 0;
            self.consecutive_up += 1;
-            if self.consecutive_up >= UPGRADE_THRESHOLD {
+            // Studio tiers require more consecutive good reports
            let threshold = if self.current_tier >= Tier::Good {
                STUDIO_UPGRADE_THRESHOLD
            } else {
                UPGRADE_THRESHOLD
            };
            if self.consecutive_up >= threshold {
                // Only upgrade one step at a time
-                let next_tier = match self.current_tier {
+                if let Some(next_tier) = self.upgrade_one_step() {
-                    Tier::Catastrophic => Tier::Degraded,
+                    self.current_tier = next_tier;
-                    Tier::Degraded => Tier::Good,
+                    self.current_profile = next_tier.profile();
-                    Tier::Good => return None,
+                    self.consecutive_up = 0;
-                };
+                    return Some(self.current_profile);
-                self.current_tier = next_tier;
+                }
                self.current_profile = next_tier.profile();
                self.consecutive_up = 0;
                return Some(self.current_profile);
            }
        }
        None
    }
    /// Check whether to start, continue, or conclude a bandwidth probe.
    ///
    /// Called from `observe()` when no hysteresis transition fired.
    fn check_probe(&mut self, observed_tier: Tier) -> Option<QualityProfile> {
        // Don't probe if forced, or if already at highest tier, or on cellular
        if self.forced || self.current_tier == Tier::Studio64k {
            return None;
        }
        if matches!(
            self.network_context,
            NetworkContext::CellularLte | NetworkContext::Cellular5g | NetworkContext::Cellular3g
        ) {
            return None;
        }
        // If we have an active probe, evaluate it
        if let Some(ref mut probe) = self.probe {
            probe.probe_reports += 1;
            // Check if the observed tier meets the probe target
            if observed_tier < probe.target_tier {
                probe.bad_reports += 1;
            }
            // Probe failed: too many bad reports
            if probe.bad_reports > PROBE_MAX_BAD {
                let _failed_probe = self.probe.take();
                // Reset stable_since to trigger cooldown
                self.stable_since =
                    Some(Instant::now() + Duration::from_secs(PROBE_COOLDOWN_SECS));
                return None; // stay at current tier
            }
            // Probe succeeded: enough good reports within the window
            if probe.started.elapsed() >= Duration::from_secs(PROBE_DURATION_SECS) {
                let target = probe.target_tier;
                let profile = probe.target_profile;
                self.probe.take();
                self.current_tier = target;
                self.current_profile = profile;
                self.consecutive_up = 0;
                self.stable_since = Some(Instant::now());
                return Some(profile);
            }
            return None; // probe still running
        }
        // No active probe — check if we should start one
        if observed_tier >= self.current_tier {
            // Track stability
            if self.stable_since.is_none() {
                self.stable_since = Some(Instant::now());
            }
            if let Some(stable_since) = self.stable_since {
                if stable_since.elapsed() >= Duration::from_secs(PROBE_STABLE_SECS) {
                    // Stable long enough — start probing
                    if let Some(next) = self.upgrade_one_step() {
                        self.probe = Some(ProbeState {
                            target_tier: next,
                            target_profile: next.profile(),
                            started: Instant::now(),
                            probe_reports: 0,
                            bad_reports: 0,
                        });
                        // Return the probe profile so the encoder switches
                        return Some(next.profile());
                    }
                }
            }
        } else {
            // Conditions degraded — reset stability timer
            self.stable_since = None;
        }
        None
    }
    fn upgrade_one_step(&self) -> Option<Tier> {
        match self.current_tier {
            Tier::Catastrophic => Some(Tier::Degraded),
            Tier::Degraded => Some(Tier::Good),
            Tier::Good => Some(Tier::Studio32k),
            Tier::Studio32k => Some(Tier::Studio48k),
            Tier::Studio48k => Some(Tier::Studio64k),
            Tier::Studio64k => None,
        }
    }
 }
 impl Default for AdaptiveQualityController {
@@ -269,7 +422,17 @@ impl QualityController for AdaptiveQualityController {
        }
        let observed = Tier::classify_with_context(report, self.network_context);
-        self.try_transition(observed)
+
        // First check for downgrades/upgrades via hysteresis
        if let Some(profile) = self.try_transition(observed) {
            // Cancel any active probe on tier change
            self.probe.take();
            self.stable_since = None;
            return Some(profile);
        }
        // Then check probing
        self.check_probe(observed)
    }
    fn force_profile(&mut self, profile: QualityProfile) {
@@ -331,25 +494,33 @@ mod tests {
        }
        assert_eq!(ctrl.tier(), Tier::Catastrophic);
-        // 9 good reports — not enough
+        // 4 good reports — not enough (threshold is 5)
-        let good = make_report(2.0, 100);
+        let good = make_report(0.5, 20); // studio-quality report
-        for _ in 0..9 {
+        for _ in 0..4 {
            assert!(ctrl.observe(&good).is_none());
        }
        assert_eq!(ctrl.tier(), Tier::Catastrophic);
-        // 10th good report triggers upgrade (one step: Catastrophic → Degraded)
+        // 5th good report triggers upgrade (one step: Catastrophic → Degraded)
        let result = ctrl.observe(&good);
        assert!(result.is_some());
        assert_eq!(ctrl.tier(), Tier::Degraded);
-        // Need another 10 to go from Degraded → Good
+        // Another 5 to go from Degraded → Good
-        for _ in 0..9 {
+        for _ in 0..4 {
            assert!(ctrl.observe(&good).is_none());
        }
        let result = ctrl.observe(&good);
        assert!(result.is_some());
        assert_eq!(ctrl.tier(), Tier::Good);
        // Studio upgrades need 10 consecutive — Good → Studio32k
        for _ in 0..9 {
            assert!(ctrl.observe(&good).is_none());
        }
        let result = ctrl.observe(&good);
        assert!(result.is_some());
        assert_eq!(ctrl.tier(), Tier::Studio32k);
    }
    #[test]
@@ -366,11 +537,29 @@ mod tests {
    #[test]
    fn tier_classification() {
-        assert_eq!(Tier::classify(&make_report(5.0, 200)), Tier::Good);
+        // Studio tiers
-        assert_eq!(Tier::classify(&make_report(15.0, 200)), Tier::Degraded);
+        assert_eq!(Tier::classify(&make_report(0.5, 20)), Tier::Studio64k);
-        assert_eq!(Tier::classify(&make_report(5.0, 500)), Tier::Degraded);
+        assert_eq!(Tier::classify(&make_report(0.5, 40)), Tier::Studio48k);
-        assert_eq!(Tier::classify(&make_report(50.0, 200)), Tier::Catastrophic);
+        assert_eq!(Tier::classify(&make_report(1.5, 60)), Tier::Studio32k);
-        assert_eq!(Tier::classify(&make_report(5.0, 700)), Tier::Catastrophic);
+        // Good/Degraded/Catastrophic
        assert_eq!(Tier::classify(&make_report(3.0, 90)), Tier::Good);
        assert_eq!(Tier::classify(&make_report(6.0, 120)), Tier::Degraded);
        assert_eq!(Tier::classify(&make_report(16.0, 120)), Tier::Catastrophic);
        assert_eq!(Tier::classify(&make_report(5.0, 200)), Tier::Catastrophic);
    }
    #[test]
    fn studio_tier_boundaries() {
        // loss < 1% AND RTT < 30ms → Studio64k
        assert_eq!(Tier::classify(&make_report(0.9, 28)), Tier::Studio64k);
        // loss < 1% AND RTT 30-49ms → Studio48k
        assert_eq!(Tier::classify(&make_report(0.9, 32)), Tier::Studio48k);
        // loss < 2% AND RTT < 80ms → Studio32k (but loss >= 1%)
        assert_eq!(Tier::classify(&make_report(1.5, 40)), Tier::Studio32k);
        // loss >= 2% → Good (use 2.5 to survive u8 quantization)
        assert_eq!(Tier::classify(&make_report(2.5, 40)), Tier::Good);
        // RTT 80ms → Good
        assert_eq!(Tier::classify(&make_report(0.5, 80)), Tier::Good);
    }
    // ---------------------------------------------------------------
@@ -379,8 +568,8 @@ mod tests {
    #[test]
    fn cellular_tighter_thresholds() {
-        // 12% loss: Good on WiFi, Degraded on cellular
+        // 9% loss: Degraded on both WiFi (>=5%) and cellular (>=8%)
-        let report = make_report(12.0, 200);
+        let report = make_report(9.0, 80);
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::WiFi),
            Tier::Degraded
@@ -390,22 +579,22 @@ mod tests {
            Tier::Degraded
        );
-        // 9% loss: Good on WiFi, Degraded on cellular
+        // 6% loss, low RTT: Degraded on WiFi (>=5%), Good on cellular (<8%)
-        let report = make_report(9.0, 200);
+        let report = make_report(6.0, 80);
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::WiFi),
            Tier::Degraded
        );
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::CellularLte),
            Tier::Good
        );
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::CellularLte),
            Tier::Degraded
        );
-        // 30% loss: Degraded on WiFi, Catastrophic on cellular
+        // 30% loss: Catastrophic on WiFi (>=15%), Catastrophic on cellular (>=25%)
-        let report = make_report(30.0, 200);
+        let report = make_report(30.0, 80);
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::WiFi),
-            Tier::Degraded
+            Tier::Catastrophic
        );
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::Cellular3g),
@@ -415,15 +604,29 @@ mod tests {
    #[test]
    fn cellular_rtt_thresholds() {
-        // RTT 350ms: Good on WiFi, Degraded on cellular
+        // RTT 150ms: Degraded on WiFi (>=100ms), Good on cellular (<300ms and loss<8%)
-        let report = make_report(2.0, 348); // rtt_4ms rounds so use 348
+        let report = make_report(2.0, 148);
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::WiFi),
-            Tier::Good
+            Tier::Degraded
        );
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::CellularLte),
-            Tier::Degraded
+            Tier::Good
        );
    }
    #[test]
    fn cellular_no_studio_tiers() {
        // Even with perfect network, cellular stays at Good (no studio)
        let report = make_report(0.0, 10);
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::CellularLte),
            Tier::Good
        );
        assert_eq!(
            Tier::classify_with_context(&report, NetworkContext::WiFi),
            Tier::Studio64k
        );
    }
@@ -469,6 +672,9 @@ mod tests {
    #[test]
    fn tier_downgrade() {
        assert_eq!(Tier::Studio64k.downgrade(), Some(Tier::Studio48k));
        assert_eq!(Tier::Studio48k.downgrade(), Some(Tier::Studio32k));
        assert_eq!(Tier::Studio32k.downgrade(), Some(Tier::Good));
        assert_eq!(Tier::Good.downgrade(), Some(Tier::Degraded));
        assert_eq!(Tier::Degraded.downgrade(), Some(Tier::Catastrophic));
        assert_eq!(Tier::Catastrophic.downgrade(), None);
@@ -478,4 +684,97 @@ mod tests {
    fn network_context_default() {
        assert_eq!(NetworkContext::default(), NetworkContext::Unknown);
    }
    // ---------------------------------------------------------------
    // Bandwidth probing tests
    // ---------------------------------------------------------------
    #[test]
    fn probe_triggers_after_stable_period() {
        let mut ctrl = AdaptiveQualityController::new();
        let excellent = make_report(0.3, 20); // would classify as Studio64k
        // Starts at Good. Fast-forward stability by setting stable_since directly.
        ctrl.stable_since = Some(Instant::now() - Duration::from_secs(31));
        // One excellent report should trigger a probe (Good → Studio32k)
        let result = ctrl.observe(&excellent);
        assert!(result.is_some(), "should start probe after 30s stable");
        assert!(ctrl.probe.is_some(), "probe should be active");
        assert_eq!(ctrl.probe.as_ref().unwrap().target_tier, Tier::Studio32k);
    }
    #[test]
    fn probe_succeeds_after_window() {
        let mut ctrl = AdaptiveQualityController::new();
        ctrl.stable_since = Some(Instant::now() - Duration::from_secs(31));
        let excellent = make_report(0.3, 20);
        // Trigger probe start
        let result = ctrl.observe(&excellent);
        assert!(result.is_some());
        // Simulate probe window elapsed by backdating started
        ctrl.probe.as_mut().unwrap().started =
            Instant::now() - Duration::from_secs(PROBE_DURATION_SECS);
        // Next good report should finalize the probe
        let result = ctrl.observe(&excellent);
        assert!(result.is_some(), "probe should succeed");
        assert_eq!(ctrl.current_tier, Tier::Studio32k);
        assert!(ctrl.probe.is_none(), "probe should be cleared");
    }
    #[test]
    fn probe_fails_on_bad_reports() {
        let mut ctrl = AdaptiveQualityController::new();
        // Put controller at Studio32k, pretend we've been stable
        ctrl.current_tier = Tier::Studio32k;
        ctrl.current_profile = Tier::Studio32k.profile();
        ctrl.stable_since = Some(Instant::now() - Duration::from_secs(31));
        // Start a probe to Studio48k
        let excellent = make_report(0.3, 20);
        let result = ctrl.observe(&excellent);
        assert!(result.is_some()); // probe started
        assert_eq!(ctrl.probe.as_ref().unwrap().target_tier, Tier::Studio48k);
        // Feed bad reports (loss too high for Studio48k)
        let degraded = make_report(3.0, 100);
        ctrl.observe(&degraded); // first bad
        ctrl.observe(&degraded); // second bad — exceeds PROBE_MAX_BAD (1)
        // Probe should be cancelled
        assert!(ctrl.probe.is_none(), "probe should be cancelled after bad reports");
        // Should still be at Studio32k (not upgraded)
        assert_eq!(ctrl.current_tier, Tier::Studio32k);
    }
    #[test]
    fn no_probe_on_cellular() {
        let mut ctrl = AdaptiveQualityController::new();
        ctrl.signal_network_change(NetworkContext::CellularLte);
        ctrl.current_tier = Tier::Good;
        ctrl.current_profile = Tier::Good.profile();
        ctrl.stable_since = Some(Instant::now() - Duration::from_secs(60));
        let good = make_report(0.5, 40);
        let result = ctrl.observe(&good);
        // Should NOT probe on cellular
        assert!(ctrl.probe.is_none(), "should not probe on cellular");
        assert!(result.is_none() || ctrl.current_tier == Tier::Good);
    }
    #[test]
    fn no_probe_at_highest_tier() {
        let mut ctrl = AdaptiveQualityController::new();
        ctrl.current_tier = Tier::Studio64k;
        ctrl.current_profile = Tier::Studio64k.profile();
        ctrl.stable_since = Some(Instant::now() - Duration::from_secs(60));
        let excellent = make_report(0.1, 10);
        let result = ctrl.observe(&excellent);
        assert!(result.is_none(), "should not probe when already at Studio64k");
    }
 }
--- a/crates/wzp-proto/src/traits.rs
+++ b/crates/wzp-proto/src/traits.rs
@@ -28,6 +28,13 @@ pub trait AudioEncoder: Send + Sync {
    /// Enable/disable DTX (discontinuous transmission). No-op for Codec2.
    fn set_dtx(&mut self, _enabled: bool) {}
    /// Hint the encoder about expected packet loss (0–100). In DRED mode the
    /// encoder floors this at 15% internally. No-op for Codec2.
    fn set_expected_loss(&mut self, _loss_pct: u8) {}
    /// Set DRED duration in 10 ms frame units (0–104). No-op for Codec2.
    fn set_dred_duration(&mut self, _frames: u8) {}
 }
 /// Decodes compressed frames back to PCM audio.
--- a/crates/wzp-relay/Cargo.toml
+++ b/crates/wzp-relay/Cargo.toml
@@ -20,6 +20,7 @@ bytes = { workspace = true }
 serde = { workspace = true }
 toml = "0.8"
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 reqwest = { version = "0.12", features = ["json"] }
 serde_json = "1"
 rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
@@ -28,6 +29,7 @@ prometheus = "0.13"
 axum = { version = "0.7", default-features = false, features = ["tokio", "http1", "ws"] }
 tower-http = { version = "0.6", features = ["fs"] }
 futures-util = "0.3"
 dashmap = "6"
 dirs = "6"
 sha2 = { workspace = true }
 chrono = "0.4"
--- a/crates/wzp-relay/src/call_registry.rs
+++ b/crates/wzp-relay/src/call_registry.rs
@@ -50,6 +50,24 @@ pub struct DirectCall {
    /// `DirectCallAnswer` handling uses this to route the reply
    /// back through the SAME link instead of broadcasting again.
    pub peer_relay_fp: Option<String>,
    /// Phase 5.5 (ICE host candidates): caller's LAN-local
    /// interface addresses from the `DirectCallOffer`. Cross-
    /// wired into the callee's `CallSetup.peer_local_addrs` so
    /// the callee can direct-dial the caller over the same LAN
    /// without going through the WAN reflex addr (NAT
    /// hairpinning often doesn't work for same-LAN peers).
    pub caller_local_addrs: Vec<String>,
    /// Phase 5.5 (ICE host candidates): callee's LAN-local
    /// interface addresses from the `DirectCallAnswer`. Cross-
    /// wired into the caller's `CallSetup.peer_local_addrs`.
    pub callee_local_addrs: Vec<String>,
    /// Phase 8 (Tailscale-inspired): caller's port-mapped
    /// external address from NAT-PMP/PCP/UPnP. Cross-wired
    /// into callee's `CallSetup.peer_mapped_addr`.
    pub caller_mapped_addr: Option<String>,
    /// Phase 8: callee's port-mapped external address.
    /// Cross-wired into caller's `CallSetup.peer_mapped_addr`.
    pub callee_mapped_addr: Option<String>,
 }
 /// Registry of active direct calls.
@@ -79,11 +97,32 @@ impl CallRegistry {
            caller_reflexive_addr: None,
            callee_reflexive_addr: None,
            peer_relay_fp: None,
            caller_local_addrs: Vec::new(),
            callee_local_addrs: Vec::new(),
            caller_mapped_addr: None,
            callee_mapped_addr: None,
        };
        self.calls.insert(call_id.clone(), call);
        self.calls.get(&call_id).unwrap()
    }
    /// Phase 5.5: stash the caller's LAN host candidates from
    /// the `DirectCallOffer`. Empty Vec is a valid value meaning
    /// "caller has no LAN candidates" (e.g. old client).
    pub fn set_caller_local_addrs(&mut self, call_id: &str, addrs: Vec<String>) {
        if let Some(call) = self.calls.get_mut(call_id) {
            call.caller_local_addrs = addrs;
        }
    }
    /// Phase 5.5: stash the callee's LAN host candidates from
    /// the `DirectCallAnswer`.
    pub fn set_callee_local_addrs(&mut self, call_id: &str, addrs: Vec<String>) {
        if let Some(call) = self.calls.get_mut(call_id) {
            call.callee_local_addrs = addrs;
        }
    }
    /// Phase 4: stash the federation TLS fingerprint of the peer
    /// relay that originated (or will receive) the cross-relay
    /// forward for this call. Safe to call with `None` to clear
@@ -112,6 +151,22 @@ impl CallRegistry {
        }
    }
    /// Phase 8: stash the caller's port-mapped address from
    /// the `DirectCallOffer`.
    pub fn set_caller_mapped_addr(&mut self, call_id: &str, addr: Option<String>) {
        if let Some(call) = self.calls.get_mut(call_id) {
            call.caller_mapped_addr = addr;
        }
    }
    /// Phase 8: stash the callee's port-mapped address from
    /// the `DirectCallAnswer`.
    pub fn set_callee_mapped_addr(&mut self, call_id: &str, addr: Option<String>) {
        if let Some(call) = self.calls.get_mut(call_id) {
            call.callee_mapped_addr = addr;
        }
    }
    /// Get a call by ID.
    pub fn get(&self, call_id: &str) -> Option<&DirectCall> {
        self.calls.get(call_id)
@@ -310,6 +365,49 @@ mod tests {
        reg.set_peer_relay_fp("does-not-exist", Some("x".into()));
    }
    #[test]
    fn call_registry_stores_mapped_addrs() {
        let mut reg = CallRegistry::new();
        reg.create_call("c1".into(), "alice".into(), "bob".into());
        // Default: both mapped addrs are None.
        let c = reg.get("c1").unwrap();
        assert!(c.caller_mapped_addr.is_none());
        assert!(c.callee_mapped_addr.is_none());
        // Caller advertises its port-mapped addr via DirectCallOffer.
        reg.set_caller_mapped_addr("c1", Some("203.0.113.5:12345".into()));
        assert_eq!(
            reg.get("c1").unwrap().caller_mapped_addr.as_deref(),
            Some("203.0.113.5:12345")
        );
        // Callee responds with its mapped addr.
        reg.set_callee_mapped_addr("c1", Some("198.51.100.9:54321".into()));
        assert_eq!(
            reg.get("c1").unwrap().callee_mapped_addr.as_deref(),
            Some("198.51.100.9:54321")
        );
        // Both addrs readable — relay uses them to cross-wire
        // peer_mapped_addr in CallSetup.
        let c = reg.get("c1").unwrap();
        assert_eq!(c.caller_mapped_addr.as_deref(), Some("203.0.113.5:12345"));
        assert_eq!(c.callee_mapped_addr.as_deref(), Some("198.51.100.9:54321"));
        // Setter on unknown call is a no-op.
        reg.set_caller_mapped_addr("nope", Some("x".into()));
    }
    #[test]
    fn call_registry_clearing_mapped_addr_works() {
        let mut reg = CallRegistry::new();
        reg.create_call("c1".into(), "alice".into(), "bob".into());
        reg.set_caller_mapped_addr("c1", Some("1.2.3.4:5".into()));
        reg.set_caller_mapped_addr("c1", None);
        assert!(reg.get("c1").unwrap().caller_mapped_addr.is_none());
    }
    #[test]
    fn call_registry_clearing_reflex_addr_works() {
        // Passing None to the setter must clear a previously-set value
--- a/crates/wzp-relay/src/config.rs
+++ b/crates/wzp-relay/src/config.rs
@@ -87,6 +87,14 @@ pub struct RelayConfig {
    /// Unlike [[peers]], no url is needed — the peer connects to us.
    #[serde(default)]
    pub trusted: Vec<TrustedConfig>,
    /// Phase 8: geographic region identifier (e.g., "us-east", "eu-west").
    /// Sent to clients in `RegisterPresenceAck.relay_region` so they can
    /// build a relay map for automatic selection.
    pub region: Option<String>,
    /// Phase 8: externally-advertised address for this relay. Used to
    /// populate `available_relays` in `RegisterPresenceAck`. If not set,
    /// `listen_addr` is used.
    pub advertised_addr: Option<SocketAddr>,
    /// Debug tap: log packet headers for matching rooms ("*" = all rooms).
    /// Activated via --debug-tap <room> or debug_tap = "room" in TOML.
    pub debug_tap: Option<String>,
@@ -114,6 +122,8 @@ impl Default for RelayConfig {
            peers: Vec::new(),
            global_rooms: Vec::new(),
            trusted: Vec::new(),
            region: None,
            advertised_addr: None,
            debug_tap: None,
            event_log: None,
        }
--- a/crates/wzp-relay/src/federation.rs
+++ b/crates/wzp-relay/src/federation.rs
@@ -134,7 +134,7 @@ pub struct FederationManager {
    peers: Vec<PeerConfig>,
    trusted: Vec<TrustedConfig>,
    global_rooms: HashSet<String>,
-    room_mgr: Arc<Mutex<RoomManager>>,
+    room_mgr: Arc<RoomManager>,
    endpoint: quinn::Endpoint,
    local_tls_fp: String,
    metrics: Arc<crate::metrics::RelayMetrics>,
@@ -161,7 +161,7 @@ impl FederationManager {
        peers: Vec<PeerConfig>,
        trusted: Vec<TrustedConfig>,
        global_rooms: HashSet<String>,
-        room_mgr: Arc<Mutex<RoomManager>>,
+        room_mgr: Arc<RoomManager>,
        endpoint: quinn::Endpoint,
        local_tls_fp: String,
        metrics: Arc<crate::metrics::RelayMetrics>,
@@ -213,16 +213,19 @@ impl FederationManager {
    /// `origin_relay_fp` against its own fp and drops self-sourced
    /// forwards.
    pub async fn broadcast_signal(&self, msg: &wzp_proto::SignalMessage) -> usize {
-        let links = self.peer_links.lock().await;
+        let peers: Vec<(String, String, Arc<QuinnTransport>)> = {
            let links = self.peer_links.lock().await;
            links.iter().map(|(fp, l)| (fp.clone(), l.label.clone(), l.transport.clone())).collect()
        };  // lock released
        let mut count = 0;
-        for (fp, link) in links.iter() {
+        for (fp, label, transport) in &peers {
-            match link.transport.send_signal(msg).await {
+            match transport.send_signal(msg).await {
                Ok(()) => {
                    count += 1;
-                    tracing::debug!(peer = %link.label, %fp, "federation: broadcast signal ok");
+                    tracing::debug!(peer = %label, %fp, "federation: broadcast signal ok");
                }
                Err(e) => {
-                    tracing::warn!(peer = %link.label, %fp, error = %e, "federation: broadcast signal failed");
+                    tracing::warn!(peer = %label, %fp, error = %e, "federation: broadcast signal failed");
                }
            }
        }
@@ -243,10 +246,12 @@ impl FederationManager {
        msg: &wzp_proto::SignalMessage,
    ) -> Result<(), String> {
        let normalized = normalize_fp(peer_relay_fp);
-        let links = self.peer_links.lock().await;
+        let transport = {
-        match links.get(&normalized) {
+            let links = self.peer_links.lock().await;
-            Some(link) => link
+            links.get(&normalized).map(|l| l.transport.clone())
-                .transport
+        };  // lock released
        match transport {
            Some(t) => t
                .send_signal(msg)
                .await
                .map_err(|e| format!("send to peer {normalized}: {e}")),
@@ -255,27 +260,55 @@ impl FederationManager {
    }
    /// Check if a room name (which may be hashed) is a global room.
    ///
    /// Phase 4.1: ALL `call-*` rooms are implicitly global for
    /// federation. This is the simplest path to cross-relay direct
    /// calling with relay-mediated media fallback: when both peers
    /// join the same `call-<id>` room on their respective relays,
    /// the federation media pipeline automatically forwards
    /// datagrams between them. The relay's existing ACL (`call-*`
    /// rooms are restricted to the two authorized participants in
    /// the call registry) prevents random clients from creating or
    /// joining `call-*` rooms.
    pub fn is_global_room(&self, room: &str) -> bool {
        if room.starts_with("call-") {
            return true;
        }
        self.resolve_global_room(room).is_some()
    }
    /// Resolve a room name (raw or hashed) to the canonical global room name.
    /// Returns the configured global room name if it matches.
-    pub fn resolve_global_room(&self, room: &str) -> Option<&str> {
+    ///
    /// Phase 4.1: `call-*` rooms resolve to themselves (they ARE
    /// the canonical name — no hashing or aliasing involved).
    ///
    /// Returns `Option<String>` (owned) instead of `Option<&str>`
    /// because call-* room names aren't stored on `self` — they
    /// come from the caller and we just confirm "yes, this is
    /// global" by returning it back. Pre-4.1 callers that used
    /// the reference for equality checks or hashing work
    /// unchanged via String/&str auto-deref.
    pub fn resolve_global_room(&self, room: &str) -> Option<String> {
        // Phase 4.1: call-* rooms are implicitly global, resolve
        // to themselves
        if room.starts_with("call-") {
            return Some(room.to_string());
        }
        // Direct match (raw room name, e.g. Android clients)
        if self.global_rooms.contains(room) {
-            return Some(self.global_rooms.iter().find(|n| n.as_str() == room).unwrap());
+            return Some(room.to_string());
        }
        // Hashed match (desktop clients hash room names for SNI privacy)
        self.global_rooms.iter().find(|name| {
            wzp_crypto::hash_room_name(name) == room
-        }).map(|s| s.as_str())
+        }).map(|s| s.to_string())
    }
    /// Get the canonical federation room hash for a room.
    /// Always uses the configured global room name, not the client-provided name.
    pub fn global_room_hash(&self, room: &str) -> [u8; 8] {
-        if let Some(canonical) = self.resolve_global_room(room) {
+        if let Some(ref canonical) = self.resolve_global_room(room) {
            room_hash(canonical)
        } else {
            room_hash(room)
@@ -305,10 +338,7 @@ impl FederationManager {
        }
        // Room event dispatcher
-        let room_events = {
+        let room_events = self.room_mgr.subscribe_events();
            let mgr = self.room_mgr.lock().await;
            mgr.subscribe_events()
        };
        let this = self.clone();
        handles.push(tokio::spawn(async move {
            run_room_event_dispatcher(this, room_events).await;
@@ -347,8 +377,8 @@ impl FederationManager {
        let mut result = Vec::new();
        for link in links.values() {
            // Check canonical name
-            if let Some(c) = canonical {
+            if let Some(ref c) = canonical {
-                if let Some(remote) = link.remote_participants.get(c) {
+                if let Some(remote) = link.remote_participants.get(c.as_str()) {
                    result.extend(remote.iter().cloned());
                }
                // Also check raw room name, but only if different from canonical
@@ -378,20 +408,22 @@ impl FederationManager {
    /// or rate limiting; the body currently forwards on `room_hash` alone
    /// because that's what the wire format carries.
    pub async fn forward_to_peers(&self, _room_name: &str, room_hash: &[u8; 8], media_data: &Bytes) {
-        let links = self.peer_links.lock().await;
+        let peers: Vec<(String, Arc<QuinnTransport>)> = {
-        if links.is_empty() {
+            let links = self.peer_links.lock().await;
-            return;
+            if links.is_empty() { return; }
-        }
+            links.values().map(|l| (l.label.clone(), l.transport.clone())).collect()
-        for (_fp, link) in links.iter() {
+        };  // lock released
        for (label, transport) in &peers {
            let mut tagged = Vec::with_capacity(8 + media_data.len());
            tagged.extend_from_slice(room_hash);
            tagged.extend_from_slice(media_data);
-            match link.transport.send_raw_datagram(&tagged) {
+            match transport.send_raw_datagram(&tagged) {
                Ok(()) => {
                    self.metrics.federation_packets_forwarded
-                        .with_label_values(&[&link.label, "out"]).inc();
+                        .with_label_values(&[label, "out"]).inc();
                }
-                Err(e) => warn!(peer = %link.label, "federation send error: {e}"),
+                Err(e) => warn!(peer = %label, "federation send error: {e}"),
            }
        }
    }
@@ -455,15 +487,15 @@ async fn run_room_event_dispatcher(
        match events.recv().await {
            Ok(RoomEvent::LocalJoin { room }) => {
                if fm.is_global_room(&room) {
-                    let participants = {
+                    let participants = fm.room_mgr.local_participant_list(&room);
                        let mgr = fm.room_mgr.lock().await;
                        mgr.local_participant_list(&room)
                    };
                    info!(room = %room, count = participants.len(), "global room now active, announcing to peers");
                    let msg = SignalMessage::GlobalRoomActive { room, participants };
-                    let links = fm.peer_links.lock().await;
+                    let transports: Vec<Arc<QuinnTransport>> = {
-                    for link in links.values() {
+                        let links = fm.peer_links.lock().await;
-                        let _ = link.transport.send_signal(&msg).await;
+                        links.values().map(|l| l.transport.clone()).collect()
                    };
                    for t in &transports {
                        let _ = t.send_signal(&msg).await;
                    }
                }
            }
@@ -471,9 +503,12 @@ async fn run_room_event_dispatcher(
                if fm.is_global_room(&room) {
                    info!(room = %room, "global room now inactive, announcing to peers");
                    let msg = SignalMessage::GlobalRoomInactive { room };
-                    let links = fm.peer_links.lock().await;
+                    let transports: Vec<Arc<QuinnTransport>> = {
-                    for link in links.values() {
+                        let links = fm.peer_links.lock().await;
-                        let _ = link.transport.send_signal(&msg).await;
+                        links.values().map(|l| l.transport.clone()).collect()
                    };
                    for t in &transports {
                        let _ = t.send_signal(&msg).await;
                    }
                }
            }
@@ -532,11 +567,11 @@ async fn run_stale_presence_sweeper(fm: Arc<FederationManager>) {
        // Broadcast updated RoomUpdate for affected rooms
        for room in &affected_rooms {
-            let mgr = fm.room_mgr.lock().await;
+            let active = fm.room_mgr.active_rooms();
-            for local_room in mgr.active_rooms() {
+            for local_room in &active {
-                if fm.resolve_global_room(&local_room) == fm.resolve_global_room(room) {
+                if fm.resolve_global_room(local_room) == fm.resolve_global_room(room) {
-                    let mut all_participants = mgr.local_participant_list(&local_room);
+                    let mut all_participants = fm.room_mgr.local_participant_list(local_room);
-                    let remote = fm.get_remote_participants(&local_room).await;
+                    let remote = fm.get_remote_participants(local_room).await;
                    all_participants.extend(remote);
                    let mut seen = HashSet::new();
                    all_participants.retain(|p| seen.insert(p.fingerprint.clone()));
@@ -544,8 +579,7 @@ async fn run_stale_presence_sweeper(fm: Arc<FederationManager>) {
                        count: all_participants.len() as u32,
                        participants: all_participants,
                    };
-                    let senders = mgr.local_senders(&local_room);
+                    let senders = fm.room_mgr.local_senders(local_room);
                    drop(mgr);
                    room::broadcast_signal(&senders, &update).await;
                    info!(room = %room, "swept stale presence — broadcast updated RoomUpdate");
                    break;
@@ -623,14 +657,13 @@ async fn run_federation_link(
    // Announce our currently active global rooms to this new peer
    // Collect all announcements first, then send (avoid holding locks across await)
    let announcements = {
-        let mgr = fm.room_mgr.lock().await;
+        let active = fm.room_mgr.active_rooms();
        let active = mgr.active_rooms();
        let mut msgs = Vec::new();
        // Local rooms
        for room_name in &active {
            if fm.is_global_room(room_name) {
-                let participants = mgr.local_participant_list(room_name);
+                let participants = fm.room_mgr.local_participant_list(room_name);
                info!(peer = %peer_label, room = %room_name, participants = participants.len(), "announcing local global room to new peer");
                msgs.push(SignalMessage::GlobalRoomActive { room: room_name.clone(), participants });
            }
@@ -800,22 +833,24 @@ async fn handle_signal(
                // Broadcast updated RoomUpdate to local clients in this room
                // Find the local room name (may be hashed or raw)
-                let mgr = fm.room_mgr.lock().await;
+                let active = fm.room_mgr.active_rooms();
-                for local_room in mgr.active_rooms() {
+                for local_room in &active {
-                    if fm.is_global_room(&local_room) && fm.resolve_global_room(&local_room) == fm.resolve_global_room(&room) {
+                    if fm.is_global_room(local_room) && fm.resolve_global_room(local_room) == fm.resolve_global_room(&room) {
                        // Build merged participant list: local + all remote (deduped)
-                        let mut all_participants = mgr.local_participant_list(&local_room);
+                        let mut all_participants = fm.room_mgr.local_participant_list(local_room);
-                        let links = fm.peer_links.lock().await;
+                        {
-                        for link in links.values() {
+                            let links = fm.peer_links.lock().await;
-                            if let Some(canonical) = fm.resolve_global_room(&local_room) {
+                            for link in links.values() {
-                                if let Some(remote) = link.remote_participants.get(canonical) {
+                                if let Some(ref canonical) = fm.resolve_global_room(local_room) {
-                                    all_participants.extend(remote.iter().cloned());
+                                    if let Some(remote) = link.remote_participants.get(canonical.as_str()) {
                                }
                                // Also check raw room name, but only if different from canonical
                                if canonical != local_room {
                                    if let Some(remote) = link.remote_participants.get(&local_room) {
                                        all_participants.extend(remote.iter().cloned());
                                    }
                                    // Also check raw room name, but only if different from canonical
                                    if canonical != local_room {
                                        if let Some(remote) = link.remote_participants.get(local_room) {
                                            all_participants.extend(remote.iter().cloned());
                                        }
                                    }
                                }
                            }
                        }
@@ -826,9 +861,7 @@ async fn handle_signal(
                            count: all_participants.len() as u32,
                            participants: all_participants,
                        };
-                        let senders = mgr.local_senders(&local_room);
+                        let senders = fm.room_mgr.local_senders(local_room);
                        drop(links);
                        drop(mgr);
                        room::broadcast_signal(&senders, &update).await;
                        break;
                    }
@@ -843,8 +876,8 @@ async fn handle_signal(
                // Clear remote participants for this peer+room
                link.remote_participants.remove(&room);
                // Also try canonical name
-                if let Some(canonical) = fm.resolve_global_room(&room) {
+                if let Some(ref canonical) = fm.resolve_global_room(&room) {
-                    link.remote_participants.remove(canonical);
+                    link.remote_participants.remove(canonical.as_str());
                }
            }
@@ -858,8 +891,8 @@ async fn handle_signal(
                let mut result = Vec::new();
                for (fp, link) in links.iter() {
                    if fp == peer_fp { continue; }
-                    if let Some(c) = canonical {
+                    if let Some(ref c) = canonical {
-                        if let Some(remote) = link.remote_participants.get(c) {
+                        if let Some(remote) = link.remote_participants.get(c.as_str()) {
                            result.extend(remote.iter().cloned());
                        }
                    }
@@ -871,10 +904,7 @@ async fn handle_signal(
            // Propagate to other peers: send updated GlobalRoomActive with revised list,
            // or GlobalRoomInactive if no participants remain anywhere
-            let local_active = {
+            let local_active = fm.room_mgr.active_rooms().iter().any(|r| fm.resolve_global_room(r) == fm.resolve_global_room(&room));
                let mgr = fm.room_mgr.lock().await;
                mgr.active_rooms().iter().any(|r| fm.resolve_global_room(r) == fm.resolve_global_room(&room))
            };
            let has_remaining = !remaining_remote.is_empty() || local_active;
            // Collect peer transports to send to (avoid holding lock across await)
@@ -888,10 +918,9 @@ async fn handle_signal(
                // Send updated participant list to other peers
                let mut updated_participants = remaining_remote.clone();
                if local_active {
-                    let mgr = fm.room_mgr.lock().await;
+                    for local_room in fm.room_mgr.active_rooms() {
                    for local_room in mgr.active_rooms() {
                        if fm.resolve_global_room(&local_room) == fm.resolve_global_room(&room) {
-                            updated_participants.extend(mgr.local_participant_list(&local_room));
+                            updated_participants.extend(fm.room_mgr.local_participant_list(&local_room));
                            break;
                        }
                    }
@@ -912,10 +941,10 @@ async fn handle_signal(
            }
            // Broadcast updated RoomUpdate to local clients (remote participant removed)
-            let mgr = fm.room_mgr.lock().await;
+            let active = fm.room_mgr.active_rooms();
-            for local_room in mgr.active_rooms() {
+            for local_room in &active {
-                if fm.is_global_room(&local_room) && fm.resolve_global_room(&local_room) == fm.resolve_global_room(&room) {
+                if fm.is_global_room(local_room) && fm.resolve_global_room(local_room) == fm.resolve_global_room(&room) {
-                    let mut all_participants = mgr.local_participant_list(&local_room);
+                    let mut all_participants = fm.room_mgr.local_participant_list(local_room);
                    all_participants.extend(remaining_remote.iter().cloned());
                    // Deduplicate by fingerprint
                    let mut seen = HashSet::new();
@@ -924,8 +953,7 @@ async fn handle_signal(
                        count: all_participants.len() as u32,
                        participants: all_participants,
                    };
-                    let senders = mgr.local_senders(&local_room);
+                    let senders = fm.room_mgr.local_senders(local_room);
                    drop(mgr);
                    room::broadcast_signal(&senders, &update).await;
                    info!(room = %room, "broadcast updated presence (remote participant removed)");
                    break;
@@ -1042,14 +1070,13 @@ async fn handle_datagram(
        }
    }
-    // Find room by hash — check local rooms AND global room config
+    // Find room by hash -- check local rooms AND global room config
    let room_name = {
-        let mgr = fm.room_mgr.lock().await;
+        let active = fm.room_mgr.active_rooms();
        let active = mgr.active_rooms();
        // First: check local rooms (has participants)
        active.iter().find(|r| room_hash(r) == rh).cloned()
            .or_else(|| active.iter().find(|r| fm.global_room_hash(r) == rh).cloned())
-            // Second: check global room config (hub relay may have no local participants)
+            // Second: check static global room config (hub relay may have no local participants)
            .or_else(|| {
                fm.global_rooms.iter().find(|name| room_hash(name) == rh).cloned()
            })
@@ -1059,6 +1086,20 @@ async fn handle_datagram(
        Some(r) => r,
        None => {
            fm.event_log.emit(Event::new("room_not_found").seq(pkt.header.seq).peer(&peer_label));
            // Phase 4.1 diagnostic: log the hash + active rooms
            // so we can diagnose cross-relay call-* media routing
            // failures. This fires when a peer relay sends media
            // for a room we don't have locally — could be a
            // timing issue (peer joined before us) or a hash
            // mismatch.
            let active = fm.room_mgr.active_rooms();
            warn!(
                room_hash = ?rh,
                active_rooms = ?active,
                seq = pkt.header.seq,
                peer = %peer_label,
                "federation datagram for unknown room — no local room matches hash"
            );
            return;
        }
    };
@@ -1076,10 +1117,7 @@ async fn handle_datagram(
    // Deliver to all local participants — forward the raw bytes as-is.
    // The original sender's MediaPacket is preserved exactly (no re-serialization).
-    let locals = {
+    let locals = fm.room_mgr.local_senders(&room_name);
        let mgr = fm.room_mgr.lock().await;
        mgr.local_senders(&room_name)
    };
    for sender in &locals {
        match sender {
            room::ParticipantSender::Quic(t) => {
--- a/crates/wzp-relay/src/main.rs
+++ b/crates/wzp-relay/src/main.rs
@@ -12,6 +12,7 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
 use std::time::Duration;
 use clap::Parser;
 use tokio::sync::Mutex;
 use tracing::{debug, error, info, warn};
@@ -23,6 +24,79 @@ use wzp_relay::presence::PresenceRegistry;
 use wzp_relay::room::{self, RoomManager};
 use wzp_relay::session_mgr::SessionManager;
 /// Close a transport gracefully, logging any error at debug level.
 async fn close_transport(t: &dyn wzp_proto::MediaTransport, context: &str) {
    if let Err(e) = t.close().await {
        tracing::debug!(context, error = %e, "transport close (non-fatal)");
    }
 }
 /// WarzonePhone relay daemon — SFU, federation, direct-call signaling
 #[derive(Parser, Debug)]
 #[command(name = "wzp-relay", version = env!("WZP_BUILD_HASH"))]
 struct Args {
    /// Load config from TOML file (creates example if missing)
    #[arg(short = 'c', long = "config")]
    config_file: Option<String>,
    /// Identity file path (creates if missing, uses OsRng)
    #[arg(short = 'i', long)]
    identity: Option<String>,
    /// Listen address for QUIC connections
    #[arg(long)]
    listen: Option<SocketAddr>,
    /// Remote relay address for forwarding (disables room mode)
    #[arg(long)]
    remote: Option<SocketAddr>,
    /// featherChat auth endpoint (e.g., https://chat.example.com/v1/auth/validate).
    /// When set, clients must send a bearer token as first signal message.
    #[arg(long)]
    auth_url: Option<String>,
    /// Prometheus metrics HTTP port (e.g., 9090). Disabled if not set.
    #[arg(long)]
    metrics_port: Option<u16>,
    /// Peer relay to probe for health monitoring (repeatable)
    #[arg(long = "probe")]
    probe: Vec<SocketAddr>,
    /// Enable mesh mode (probes all --probe targets concurrently)
    #[arg(long)]
    probe_mesh: bool,
    /// Enable trunk batching for outgoing media in room mode
    #[arg(long)]
    trunking: bool,
    /// WebSocket listener port for browser clients (e.g., 8080)
    #[arg(long)]
    ws_port: Option<u16>,
    /// Directory to serve static files from (HTML/JS/WASM)
    #[arg(long)]
    static_dir: Option<String>,
    /// Declare a room as global (bridged across federation). Repeatable.
    #[arg(long = "global-room")]
    global_room: Vec<String>,
    /// Log packet headers for a room ('*' for all rooms)
    #[arg(long)]
    debug_tap: Option<String>,
    /// JSONL event log file path for protocol analysis
    #[arg(long)]
    event_log: Option<String>,
    /// Print mesh health table and exit (diagnostic)
    #[arg(long)]
    mesh_status: bool,
 }
 /// Parsed CLI result — config + identity path.
 struct CliResult {
    config: RelayConfig,
@@ -32,25 +106,21 @@ struct CliResult {
 }
 fn parse_args() -> CliResult {
-    let args: Vec<String> = std::env::args().collect();
+    let args = Args::parse();
-    // First pass: extract --config and --identity
+    // Handle --mesh-status: print and exit
-    let mut config_file = None;
+    if args.mesh_status {
-    let mut identity_path = None;
+        let m = RelayMetrics::new();
-    let mut i = 1;
+        print!("{}", wzp_relay::probe::mesh_summary(m.registry()));
-    while i < args.len() {
+        std::process::exit(0);
        match args[i].as_str() {
            "--config" | "-c" => { i += 1; config_file = args.get(i).cloned(); }
            "--identity" | "-i" => { i += 1; identity_path = args.get(i).cloned(); }
            _ => {}
        }
        i += 1;
    }
    // Track if we need to create the config after identity is known
-    let config_needs_create = config_file.as_ref().map(|p| !std::path::Path::new(p).exists()).unwrap_or(false);
+    let config_needs_create = args.config_file.as_ref()
        .map(|p| !std::path::Path::new(p).exists())
        .unwrap_or(false);
-    let mut config = if let Some(ref path) = config_file {
+    let mut config = if let Some(ref path) = args.config_file {
        if config_needs_create {
            // Will be re-created with personalized info after identity is loaded
            RelayConfig::default()
@@ -66,125 +136,49 @@ fn parse_args() -> CliResult {
    };
    // CLI flags override config file values
-    let mut i = 1;
+    if let Some(addr) = args.listen {
-    while i < args.len() {
+        config.listen_addr = addr;
-        match args[i].as_str() {
+    }
-            "--config" | "-c" => { i += 1; } // already handled
+    if let Some(addr) = args.remote {
-            "--identity" | "-i" => { i += 1; } // already handled
+        config.remote_relay = Some(addr);
-            "--listen" => {
+    }
-                i += 1;
+    if let Some(url) = args.auth_url {
-                config.listen_addr = args.get(i).expect("--listen requires an address")
+        config.auth_url = Some(url);
-                    .parse().expect("invalid --listen address");
+    }
-            }
+    if let Some(port) = args.metrics_port {
-            "--remote" => {
+        config.metrics_port = Some(port);
-                i += 1;
+    }
-                config.remote_relay = Some(
+    if !args.probe.is_empty() {
-                    args.get(i).expect("--remote requires an address")
+        config.probe_targets.extend(args.probe);
-                        .parse().expect("invalid --remote address"),
+    }
-                );
+    if args.probe_mesh {
-            }
+        config.probe_mesh = true;
-            "--auth-url" => {
+    }
-                i += 1;
+    if args.trunking {
-                config.auth_url = Some(
+        config.trunking_enabled = true;
-                    args.get(i).expect("--auth-url requires a URL").to_string(),
+    }
-                );
+    if let Some(port) = args.ws_port {
-            }
+        config.ws_port = Some(port);
-            "--metrics-port" => {
+    }
-                i += 1;
+    if let Some(dir) = args.static_dir {
-                config.metrics_port = Some(
+        config.static_dir = Some(dir);
-                    args.get(i).expect("--metrics-port requires a port number")
+    }
-                        .parse().expect("invalid --metrics-port number"),
+    for name in args.global_room {
-                );
+        config.global_rooms.push(wzp_relay::config::GlobalRoomConfig { name });
-            }
+    }
-            "--probe" => {
+    if let Some(tap) = args.debug_tap {
-                i += 1;
+        config.debug_tap = Some(tap);
-                let addr: SocketAddr = args.get(i)
+    }
-                    .expect("--probe requires an address")
+    if let Some(log) = args.event_log {
-                    .parse()
+        config.event_log = Some(log);
-                    .expect("invalid --probe address");
+    }
-                config.probe_targets.push(addr);
+
-            }
+    CliResult {
-            "--probe-mesh" => {
+        config,
-                config.probe_mesh = true;
+        identity_path: args.identity,
-            }
+        config_file: args.config_file,
-            "--trunking" => {
+        config_needs_create,
                config.trunking_enabled = true;
            }
            "--ws-port" => {
                i += 1;
                config.ws_port = Some(
                    args.get(i).expect("--ws-port requires a port number")
                        .parse().expect("invalid --ws-port number"),
                );
            }
            "--static-dir" => {
                i += 1;
                config.static_dir = Some(
                    args.get(i).expect("--static-dir requires a directory path").to_string(),
                );
            }
            "--global-room" => {
                i += 1;
                config.global_rooms.push(wzp_relay::config::GlobalRoomConfig {
                    name: args.get(i).expect("--global-room requires a room name").to_string(),
                });
            }
            "--debug-tap" => {
                i += 1;
                config.debug_tap = Some(
                    args.get(i).expect("--debug-tap requires a room name (or '*' for all)").to_string(),
                );
            }
            "--event-log" => {
                i += 1;
                config.event_log = Some(
                    args.get(i).expect("--event-log requires a file path").to_string(),
                );
            }
            "--version" | "-V" => {
                println!("wzp-relay {}", env!("WZP_BUILD_HASH"));
                std::process::exit(0);
            }
            "--mesh-status" => {
                // Print mesh table from a fresh registry and exit.
                // In practice this is useful after the relay has been running;
                // here we just demonstrate the formatter with an empty registry.
                let m = RelayMetrics::new();
                print!("{}", wzp_relay::probe::mesh_summary(m.registry()));
                std::process::exit(0);
            }
            "--help" | "-h" => {
                eprintln!("Usage: wzp-relay [--config <path>] [--listen <addr>] [--remote <addr>] [--auth-url <url>] [--metrics-port <port>] [--probe <addr>]... [--probe-mesh] [--mesh-status]");
                eprintln!();
                eprintln!("Options:");
                eprintln!("  -c, --config <path>    Load config from TOML file (creates example if missing)");
                eprintln!("  -i, --identity <path>  Identity file path (creates if missing, uses OsRng)");
                eprintln!("  --listen <addr>        Listen address (default: 0.0.0.0:4433)");
                eprintln!("  --remote <addr>        Remote relay for forwarding (disables room mode)");
                eprintln!("  --auth-url <url>       featherChat auth endpoint (e.g., https://chat.example.com/v1/auth/validate)");
                eprintln!("                         When set, clients must send a bearer token as first signal message.");
                eprintln!("  --metrics-port <port>  Prometheus metrics HTTP port (e.g., 9090). Disabled if not set.");
                eprintln!("  --probe <addr>         Peer relay to probe for health monitoring (repeatable).");
                eprintln!("  --probe-mesh           Enable mesh mode (mark config flag, probes all --probe targets).");
                eprintln!("  --mesh-status          Print mesh health table and exit (diagnostic).");
                eprintln!("  --trunking             Enable trunk batching for outgoing media in room mode.");
                eprintln!("  --global-room <name>   Declare a room as global (bridged across federation). Repeatable.");
                eprintln!("  --debug-tap <room>     Log packet headers for a room ('*' for all rooms).");
                eprintln!("  --ws-port <port>       WebSocket listener port for browser clients (e.g., 8080).");
                eprintln!("  --static-dir <dir>     Directory to serve static files from (HTML/JS/WASM).");
                eprintln!();
                eprintln!("Room mode (default):");
                eprintln!("  Clients join rooms by name. Packets forwarded to all others (SFU).");
                std::process::exit(0);
            }
            other => {
                eprintln!("unknown argument: {other}");
                std::process::exit(1);
            }
        }
        i += 1;
    }
    CliResult { config, identity_path, config_file, config_needs_create }
 }
 struct RelayStats {
@@ -416,7 +410,7 @@ async fn main() -> anyhow::Result<()> {
        };
    // Room manager (room mode only)
-    let room_mgr = Arc::new(Mutex::new(RoomManager::new()));
+    let room_mgr = Arc::new(RoomManager::new());
    // Event log for protocol analysis
    let event_log = wzp_relay::event_log::start_event_log(
@@ -509,7 +503,7 @@ async fn main() -> anyhow::Result<()> {
        }
    }
    if let Some(ref tap) = config.debug_tap {
-        info!(filter = %tap, "debug tap enabled — logging packet headers");
+        info!(filter = %tap, "debug tap enabled — logging packets, signals, join/leave events");
    }
    // Phase 4: cross-relay direct-call dispatcher task.
@@ -543,6 +537,8 @@ async fn main() -> anyhow::Result<()> {
                        ref caller_fingerprint,
                        ref call_id,
                        ref caller_reflexive_addr,
                        ref caller_local_addrs,
                        ref caller_mapped_addr,
                        ..
                    } => {
                        // Is the target on THIS relay? If not, drop —
@@ -561,7 +557,9 @@ async fn main() -> anyhow::Result<()> {
                        }
                        // Stash in local registry so the answer path
                        // can find the call + route the reply back
-                        // through the same federation link.
+                        // through the same federation link. Include
                        // Phase 5.5 LAN host candidates + Phase 8
                        // port-mapped addr.
                        {
                            let mut reg = call_registry_d.lock().await;
                            reg.create_call(
@@ -570,6 +568,8 @@ async fn main() -> anyhow::Result<()> {
                                target_fingerprint.clone(),
                            );
                            reg.set_caller_reflexive_addr(call_id, caller_reflexive_addr.clone());
                            reg.set_caller_local_addrs(call_id, caller_local_addrs.clone());
                            reg.set_caller_mapped_addr(call_id, caller_mapped_addr.clone());
                            reg.set_peer_relay_fp(call_id, Some(origin_relay_fp.clone()));
                        }
                        // Deliver the offer to the local target.
@@ -587,6 +587,8 @@ async fn main() -> anyhow::Result<()> {
                        ref call_id,
                        accept_mode,
                        ref callee_reflexive_addr,
                        ref callee_local_addrs,
                        ref callee_mapped_addr,
                        ..
                    } => {
                        // Look up the local caller fp from the registry.
@@ -607,6 +609,7 @@ async fn main() -> anyhow::Result<()> {
                                    &caller_fp,
                                    &SignalMessage::Hangup {
                                        reason: wzp_proto::HangupReason::Normal,
                                        call_id: None,
                                    },
                                )
                                .await;
@@ -616,24 +619,28 @@ async fn main() -> anyhow::Result<()> {
                            continue;
                        }
-                        // Accept — stash the callee's reflex addr + mark
+                        // Accept — stash the callee's reflex addr + LAN
-                        // the call active, then read back BOTH addrs so
+                        // host candidates + mapped addr + mark the call
-                        // we can cross-wire peer_direct_addr in CallSetup.
+                        // active, then read back everything needed to
                        // cross-wire into the local CallSetup.
                        let room_name = format!("call-{call_id}");
-                        let (caller_addr, callee_addr_for_setup) = {
+                        let (callee_addr_for_setup, callee_local_for_setup, callee_mapped_for_setup) = {
                            let mut reg = call_registry_d.lock().await;
                            reg.set_active(call_id, accept_mode, room_name.clone());
                            reg.set_peer_relay_fp(call_id, Some(origin_relay_fp.clone()));
                            reg.set_callee_reflexive_addr(
                                call_id,
                                callee_reflexive_addr.clone(),
                            );
                            reg.set_callee_local_addrs(call_id, callee_local_addrs.clone());
                            reg.set_callee_mapped_addr(call_id, callee_mapped_addr.clone());
                            let c = reg.get(call_id);
                            (
                                c.and_then(|c| c.caller_reflexive_addr.clone()),
                                c.and_then(|c| c.callee_reflexive_addr.clone()),
                                c.map(|c| c.callee_local_addrs.clone()).unwrap_or_default(),
                                c.and_then(|c| c.callee_mapped_addr.clone()),
                            )
                        };
                        let _ = caller_addr; // unused on the caller side; callee holds the relevant addr
                        // Forward the raw answer to the local caller so
                        // the JS side sees DirectCallAnswer (fires any
@@ -644,17 +651,13 @@ async fn main() -> anyhow::Result<()> {
                        }
                        // Emit the LOCAL CallSetup to our local caller.
                        // relay_addr = our own advertised addr so if P2P
                        // fails the caller will at least dial OUR relay
                        // (single-relay fallback — Phase 4.1 will wire
                        // federated media so that actually reaches the
                        // peer). peer_direct_addr = the callee's reflex
                        // addr carried in the answer.
                        let setup = SignalMessage::CallSetup {
                            call_id: call_id.clone(),
                            room: room_name.clone(),
                            relay_addr: advertised_addr_d.clone(),
                            peer_direct_addr: callee_addr_for_setup,
                            peer_local_addrs: callee_local_for_setup,
                            peer_mapped_addr: callee_mapped_for_setup,
                        };
                        let hub = signal_hub_d.lock().await;
                        let _ = hub.send_to(&caller_fp, &setup).await;
@@ -679,6 +682,33 @@ async fn main() -> anyhow::Result<()> {
                        }
                    }
                    // Phase 6: MediaPathReport forwarded across
                    // federation — deliver to the LOCAL participant.
                    // The report comes from the remote side, so we
                    // deliver to whichever participant is local. In
                    // the cross-relay case, one is local and one is
                    // remote. Try both — send_to is a no-op if the
                    // target isn't connected to this relay.
                    SignalMessage::MediaPathReport { ref call_id, .. } => {
                        let (caller_fp, callee_fp) = {
                            let reg = call_registry_d.lock().await;
                            match reg.get(call_id) {
                                Some(c) => (
                                    Some(c.caller_fingerprint.clone()),
                                    Some(c.callee_fingerprint.clone()),
                                ),
                                None => (None, None),
                            }
                        };
                        let hub = signal_hub_d.lock().await;
                        if let Some(fp) = caller_fp {
                            let _ = hub.send_to(&fp, &inner).await;
                        }
                        if let Some(fp) = callee_fp {
                            let _ = hub.send_to(&fp, &inner).await;
                        }
                    }
                    SignalMessage::Hangup { .. } => {
                        // Best-effort: broadcast the hangup to every
                        // local participant of any call that currently
@@ -739,6 +769,14 @@ async fn main() -> anyhow::Result<()> {
        let signal_hub = signal_hub.clone();
        let call_registry = call_registry.clone();
        let advertised_addr_str = advertised_addr_str.clone();
        // Phase 8: relay region + peer addresses for RegisterPresenceAck
        let relay_region = config.region.clone();
        let relay_peers_for_ack: Vec<String> = config.peers.iter()
            .filter_map(|p| {
                let label = p.label.as_deref().unwrap_or("peer");
                Some(format!("{label}|{}", p.url))
            })
            .collect();
        // Phase 4: per-task clone of this relay's federation TLS
        // fingerprint so the FederatedSignalForward envelopes the
        // spawned signal handler builds carry `origin_relay_fp`.
@@ -869,7 +907,7 @@ async fn main() -> anyhow::Result<()> {
                        }
                    }
                }
-                transport.close().await.ok();
+                close_transport(&*transport, "cleanup").await;
                return;
            }
@@ -971,10 +1009,26 @@ async fn main() -> anyhow::Result<()> {
                let _ = transport.send_signal(&SignalMessage::RegisterPresenceAck {
                    success: true,
                    error: None,
                    relay_build: Some(BUILD_GIT_HASH.to_string()),
                    relay_region: relay_region.clone(),
                    available_relays: relay_peers_for_ack.clone(),
                }).await;
                info!(%addr, fingerprint = %client_fp, alias = ?client_alias, "signal client registered");
                // Send the full presence list directly to the new
                // client (guaranteed delivery — their recv loop is
                // about to start). Then broadcast to all OTHER
                // clients so they learn about the new user.
                {
                    let hub = signal_hub.lock().await;
                    let presence = hub.presence_list();
                    // Direct send to new client (arrives right after ack)
                    let _ = transport.send_signal(&presence).await;
                    // Broadcast to everyone else
                    hub.broadcast(&presence).await;
                }
                // Signal recv loop
                loop {
                    match transport.recv_signal().await {
@@ -984,11 +1038,15 @@ async fn main() -> anyhow::Result<()> {
                                    ref target_fingerprint,
                                    ref call_id,
                                    ref caller_reflexive_addr,
                                    ref caller_local_addrs,
                                    ref caller_mapped_addr,
                                    ..
                                } => {
                                    let target_fp = target_fingerprint.clone();
                                    let call_id = call_id.clone();
                                    let caller_addr_for_registry = caller_reflexive_addr.clone();
                                    let caller_local_for_registry = caller_local_addrs.clone();
                                    let caller_mapped_for_registry = caller_mapped_addr.clone();
                                    // Check if target is online
                                    let online = {
@@ -1030,12 +1088,14 @@ async fn main() -> anyhow::Result<()> {
                                            info!(%addr, target = %target_fp, "call target not online (no federation route)");
                                            let _ = transport.send_signal(&SignalMessage::Hangup {
                                                reason: wzp_proto::HangupReason::Normal,
                                                call_id: None,
                                            }).await;
                                            continue;
                                        }
                                        // Create call in registry with the
-                                        // caller's reflex addr + mark it as
+                                        // caller's reflex addr + LAN host
                                        // candidates, and mark it as
                                        // cross-relay so the answer path knows
                                        // to route the CallSetup's
                                        // peer_direct_addr from what the
@@ -1053,7 +1113,15 @@ async fn main() -> anyhow::Result<()> {
                                            );
                                            reg.set_caller_reflexive_addr(
                                                &call_id,
-                                                caller_addr_for_registry,
+                                                caller_addr_for_registry.clone(),
                                            );
                                            reg.set_caller_local_addrs(
                                                &call_id,
                                                caller_local_for_registry.clone(),
                                            );
                                            reg.set_caller_mapped_addr(
                                                &call_id,
                                                caller_mapped_for_registry.clone(),
                                            );
                                        }
@@ -1067,14 +1135,16 @@ async fn main() -> anyhow::Result<()> {
                                    }
                                    // Create call in registry + stash the caller's
-                                    // reflex addr (Phase 3 hole-punching). The relay
+                                    // reflex addr (Phase 3 hole-punching) AND its
-                                    // treats the addr as opaque — no validation.
+                                    // LAN host candidates (Phase 5.5 ICE). The
-                                    // Injected later into the callee's CallSetup as
+                                    // relay treats both as opaque. Both are
-                                    // peer_direct_addr.
+                                    // injected later into the callee's CallSetup.
                                    {
                                        let mut reg = call_registry.lock().await;
                                        reg.create_call(call_id.clone(), client_fp.clone(), target_fp.clone());
                                        reg.set_caller_reflexive_addr(&call_id, caller_addr_for_registry);
                                        reg.set_caller_local_addrs(&call_id, caller_local_for_registry);
                                        reg.set_caller_mapped_addr(&call_id, caller_mapped_for_registry);
                                    }
                                    // Forward offer to callee
@@ -1095,11 +1165,15 @@ async fn main() -> anyhow::Result<()> {
                                    ref call_id,
                                    ref accept_mode,
                                    ref callee_reflexive_addr,
                                    ref callee_local_addrs,
                                    ref callee_mapped_addr,
                                    ..
                                } => {
                                    let call_id = call_id.clone();
                                    let mode = *accept_mode;
                                    let callee_addr_for_registry = callee_reflexive_addr.clone();
                                    let callee_local_for_registry = callee_local_addrs.clone();
                                    let callee_mapped_for_registry = callee_mapped_addr.clone();
                                    // Phase 4: look up peer fingerprint AND
                                    // peer_relay_fp in one lock acquisition.
@@ -1137,6 +1211,7 @@ async fn main() -> anyhow::Result<()> {
                                            if let Some(ref fm) = federation_mgr {
                                                let hangup = SignalMessage::Hangup {
                                                    reason: wzp_proto::HangupReason::Normal,
                                                    call_id: Some(call_id.clone()),
                                                };
                                                let forward = SignalMessage::FederatedSignalForward {
                                                    inner: Box::new(hangup),
@@ -1150,6 +1225,7 @@ async fn main() -> anyhow::Result<()> {
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&peer_fp, &SignalMessage::Hangup {
                                                reason: wzp_proto::HangupReason::Normal,
                                                call_id: Some(call_id.clone()),
                                            }).await;
                                        }
                                    } else {
@@ -1160,14 +1236,20 @@ async fn main() -> anyhow::Result<()> {
                                        // BOTH parties' addrs so we can cross-wire
                                        // peer_direct_addr on the CallSetups below.
                                        let room = format!("call-{call_id}");
-                                        let (caller_addr, callee_addr) = {
+                                        let (caller_addr, callee_addr, caller_local, callee_local, caller_mapped, callee_mapped) = {
                                            let mut reg = call_registry.lock().await;
                                            reg.set_active(&call_id, mode, room.clone());
                                            reg.set_callee_reflexive_addr(&call_id, callee_addr_for_registry);
                                            reg.set_callee_local_addrs(&call_id, callee_local_for_registry.clone());
                                            reg.set_callee_mapped_addr(&call_id, callee_mapped_for_registry);
                                            let call = reg.get(&call_id);
                                            (
                                                call.and_then(|c| c.caller_reflexive_addr.clone()),
                                                call.and_then(|c| c.callee_reflexive_addr.clone()),
                                                call.map(|c| c.caller_local_addrs.clone()).unwrap_or_default(),
                                                call.map(|c| c.callee_local_addrs.clone()).unwrap_or_default(),
                                                call.and_then(|c| c.caller_mapped_addr.clone()),
                                                call.and_then(|c| c.callee_mapped_addr.clone()),
                                            )
                                        };
                                        info!(
@@ -1215,6 +1297,8 @@ async fn main() -> anyhow::Result<()> {
                                                room: room.clone(),
                                                relay_addr: relay_addr_for_setup,
                                                peer_direct_addr: caller_addr.clone(),
                                                peer_local_addrs: caller_local.clone(),
                                                peer_mapped_addr: caller_mapped.clone(),
                                            };
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&client_fp, &setup_for_callee).await;
@@ -1227,18 +1311,23 @@ async fn main() -> anyhow::Result<()> {
                                            }
                                            // Send CallSetup to BOTH parties with
-                                            // cross-wired peer_direct_addr.
+                                            // cross-wired candidates (Phase 5.5 ICE
                                            // + Phase 8 port-mapped addrs).
                                            let setup_for_caller = SignalMessage::CallSetup {
                                                call_id: call_id.clone(),
                                                room: room.clone(),
                                                relay_addr: relay_addr_for_setup.clone(),
                                                peer_direct_addr: callee_addr.clone(),
                                                peer_local_addrs: callee_local.clone(),
                                                peer_mapped_addr: callee_mapped,
                                            };
                                            let setup_for_callee = SignalMessage::CallSetup {
                                                call_id: call_id.clone(),
                                                room: room.clone(),
                                                relay_addr: relay_addr_for_setup,
                                                peer_direct_addr: caller_addr.clone(),
                                                peer_local_addrs: caller_local.clone(),
                                                peer_mapped_addr: caller_mapped,
                                            };
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&peer_fp, &setup_for_caller).await;
@@ -1247,25 +1336,159 @@ async fn main() -> anyhow::Result<()> {
                                    }
                                }
-                                SignalMessage::Hangup { .. } => {
+                                SignalMessage::Hangup { ref call_id, .. } => {
-                                    // Forward hangup to all active calls for this user
+                                    // If the client sent a call_id, only end
                                    // that specific call. Otherwise (old clients)
                                    // fall back to ending ALL active calls for
                                    // this user — which can race with new calls.
                                    let calls = {
                                        let reg = call_registry.lock().await;
-                                        reg.calls_for_fingerprint(&client_fp)
+                                        if let Some(cid) = call_id {
-                                            .iter()
+                                            // Targeted hangup: only the named call
-                                            .map(|c| (c.call_id.clone(), if c.caller_fingerprint == client_fp {
+                                            reg.get(cid)
-                                                c.callee_fingerprint.clone()
+                                                .map(|c| vec![(c.call_id.clone(), if c.caller_fingerprint == client_fp {
-                                            } else {
+                                                    c.callee_fingerprint.clone()
-                                                c.caller_fingerprint.clone()
+                                                } else {
-                                            }))
+                                                    c.caller_fingerprint.clone()
-                                            .collect::<Vec<_>>()
+                                                })])
                                                .unwrap_or_default()
                                        } else {
                                            // Legacy: end all calls for this user
                                            reg.calls_for_fingerprint(&client_fp)
                                                .iter()
                                                .map(|c| (c.call_id.clone(), if c.caller_fingerprint == client_fp {
                                                    c.callee_fingerprint.clone()
                                                } else {
                                                    c.caller_fingerprint.clone()
                                                }))
                                                .collect::<Vec<_>>()
                                        }
                                    };
-                                    for (call_id, peer_fp) in &calls {
+                                    for (cid, peer_fp) in &calls {
                                        let hub = signal_hub.lock().await;
                                        let _ = hub.send_to(peer_fp, &msg).await;
                                        drop(hub);
                                        let mut reg = call_registry.lock().await;
-                                        reg.end_call(call_id);
+                                        reg.end_call(cid);
                                    }
                                }
                                // Phase 6: forward MediaPathReport to the
                                // call peer so both sides can negotiate
                                // the media path before committing.
                                SignalMessage::MediaPathReport { ref call_id, .. } => {
                                    // Look up peer AND check if this is a
                                    // cross-relay call (same pattern as
                                    // DirectCallAnswer).
                                    let (peer_fp, peer_relay_fp) = {
                                        let reg = call_registry.lock().await;
                                        match reg.get(call_id) {
                                            Some(c) => (
                                                reg.peer_fingerprint(call_id, &client_fp)
                                                    .map(|s| s.to_string()),
                                                c.peer_relay_fp.clone(),
                                            ),
                                            None => (None, None),
                                        }
                                    };
                                    if let Some(fp) = peer_fp {
                                        if let Some(ref origin_fp) = peer_relay_fp {
                                            // Cross-relay: wrap and forward
                                            if let Some(ref fm) = federation_mgr {
                                                let forward = SignalMessage::FederatedSignalForward {
                                                    inner: Box::new(msg.clone()),
                                                    origin_relay_fp: tls_fp.clone(),
                                                };
                                                if let Err(e) = fm.send_signal_to_peer(origin_fp, &forward).await {
                                                    warn!(
                                                        %call_id,
                                                        %origin_fp,
                                                        error = %e,
                                                        "cross-relay MediaPathReport forward failed"
                                                    );
                                                }
                                            }
                                        } else {
                                            // Local call
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&fp, &msg).await;
                                        }
                                    }
                                }
                                // Phase 8: forward CandidateUpdate to the
                                // call peer for mid-call ICE re-gathering.
                                // Same forwarding pattern as MediaPathReport.
                                SignalMessage::CandidateUpdate { ref call_id, .. } => {
                                    let (peer_fp, peer_relay_fp) = {
                                        let reg = call_registry.lock().await;
                                        match reg.get(call_id) {
                                            Some(c) => (
                                                reg.peer_fingerprint(call_id, &client_fp)
                                                    .map(|s| s.to_string()),
                                                c.peer_relay_fp.clone(),
                                            ),
                                            None => (None, None),
                                        }
                                    };
                                    if let Some(fp) = peer_fp {
                                        if let Some(ref origin_fp) = peer_relay_fp {
                                            if let Some(ref fm) = federation_mgr {
                                                let forward = SignalMessage::FederatedSignalForward {
                                                    inner: Box::new(msg.clone()),
                                                    origin_relay_fp: tls_fp.clone(),
                                                };
                                                if let Err(e) = fm.send_signal_to_peer(origin_fp, &forward).await {
                                                    warn!(
                                                        %call_id,
                                                        %origin_fp,
                                                        error = %e,
                                                        "cross-relay CandidateUpdate forward failed"
                                                    );
                                                }
                                            }
                                        } else {
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&fp, &msg).await;
                                        }
                                    }
                                }
                                // Hard NAT: forward HardNatProbe + HardNatBirthdayStart
                                // to call peer (same pattern as CandidateUpdate).
                                SignalMessage::HardNatBirthdayStart { ref call_id, .. } |
                                SignalMessage::HardNatProbe { ref call_id, .. } |
                                SignalMessage::UpgradeProposal { ref call_id, .. } |
                                SignalMessage::UpgradeResponse { ref call_id, .. } |
                                SignalMessage::UpgradeConfirm { ref call_id, .. } |
                                SignalMessage::QualityCapability { ref call_id, .. } => {
                                    let (peer_fp, peer_relay_fp) = {
                                        let reg = call_registry.lock().await;
                                        match reg.get(call_id) {
                                            Some(c) => (
                                                reg.peer_fingerprint(call_id, &client_fp)
                                                    .map(|s| s.to_string()),
                                                c.peer_relay_fp.clone(),
                                            ),
                                            None => (None, None),
                                        }
                                    };
                                    if let Some(fp) = peer_fp {
                                        if let Some(ref origin_fp) = peer_relay_fp {
                                            if let Some(ref fm) = federation_mgr {
                                                let forward = SignalMessage::FederatedSignalForward {
                                                    inner: Box::new(msg.clone()),
                                                    origin_relay_fp: tls_fp.clone(),
                                                };
                                                let _ = fm.send_signal_to_peer(origin_fp, &forward).await;
                                            }
                                        } else {
                                            let hub = signal_hub.lock().await;
                                            let _ = hub.send_to(&fp, &msg).await;
                                        }
                                    }
                                }
@@ -1340,6 +1563,7 @@ async fn main() -> anyhow::Result<()> {
                    let hub = signal_hub.lock().await;
                    let _ = hub.send_to(peer_fp, &SignalMessage::Hangup {
                        reason: wzp_proto::HangupReason::Normal,
                        call_id: Some(call_id.clone()),
                    }).await;
                    drop(hub);
                    let mut reg = call_registry.lock().await;
@@ -1349,13 +1573,16 @@ async fn main() -> anyhow::Result<()> {
                {
                    let mut hub = signal_hub.lock().await;
                    hub.unregister(&client_fp);
                    // Broadcast updated presence to remaining clients
                    let presence_msg = hub.presence_list();
                    hub.broadcast(&presence_msg).await;
                }
                {
                    let mut reg = presence.lock().await;
                    reg.unregister_local(&client_fp);
                }
-                transport.close().await.ok();
+                close_transport(&*transport, "cleanup").await;
                return;
            }
@@ -1379,14 +1606,14 @@ async fn main() -> anyhow::Result<()> {
                            Err(e) => {
                                metrics.auth_attempts.with_label_values(&["fail"]).inc();
                                error!(%addr, "auth failed: {e}");
-                                transport.close().await.ok();
+                                close_transport(&*transport, "cleanup").await;
                                return;
                            }
                        }
                    }
                    Ok(Some(_)) => {
                        error!(%addr, "expected AuthToken as first signal, got something else");
-                        transport.close().await.ok();
+                        close_transport(&*transport, "cleanup").await;
                        return;
                    }
                    Ok(None) => {
@@ -1395,7 +1622,7 @@ async fn main() -> anyhow::Result<()> {
                    }
                    Err(e) => {
                        error!(%addr, "signal recv error during auth: {e}");
-                        transport.close().await.ok();
+                        close_transport(&*transport, "cleanup").await;
                        return;
                    }
                }
@@ -1417,7 +1644,7 @@ async fn main() -> anyhow::Result<()> {
                }
                Err(e) => {
                    error!(%addr, "handshake failed: {e}");
-                    transport.close().await.ok();
+                    close_transport(&*transport, "cleanup").await;
                    return;
                }
            };
@@ -1441,7 +1668,7 @@ async fn main() -> anyhow::Result<()> {
                };
                if !authorized {
                    warn!(%addr, room = %room_name, fp = %participant_fp, "rejected: not authorized for this call room");
-                    transport.close().await.ok();
+                    close_transport(&*transport, "cleanup").await;
                    return;
                }
                info!(%addr, room = %room_name, fp = %participant_fp, "authorized for call room");
@@ -1482,7 +1709,7 @@ async fn main() -> anyhow::Result<()> {
                tokio::select! { _ = up => {} _ = dn => {} }
                stats_handle.abort();
-                transport.close().await.ok();
+                close_transport(&*transport, "cleanup").await;
            } else {
                // Room mode — enforce max sessions, then join room
                let session_id = {
@@ -1491,7 +1718,7 @@ async fn main() -> anyhow::Result<()> {
                        Ok(id) => id,
                        Err(e) => {
                            error!(%addr, room = %room_name, "session rejected: {e}");
-                            transport.close().await.ok();
+                            close_transport(&*transport, "cleanup").await;
                            return;
                        }
                    }
@@ -1501,21 +1728,18 @@ async fn main() -> anyhow::Result<()> {
                // Call rooms: enforce 2-participant limit
                if room_name.starts_with("call-") {
-                    let mgr = room_mgr.lock().await;
+                    if room_mgr.room_size(&room_name) >= 2 {
                    if mgr.room_size(&room_name) >= 2 {
                        drop(mgr);
                        warn!(%addr, room = %room_name, "call room full (max 2 participants)");
                        metrics.active_sessions.dec();
                        let mut smgr = session_mgr.lock().await;
                        smgr.remove_session(session_id);
-                        transport.close().await.ok();
+                        close_transport(&*transport, "cleanup").await;
                        return;
                    }
                }
                let participant_id = {
-                    let mut mgr = room_mgr.lock().await;
+                    match room_mgr.join(
                    match mgr.join(
                        &room_name,
                        addr,
                        room::ParticipantSender::Quic(transport.clone()),
@@ -1523,8 +1747,7 @@ async fn main() -> anyhow::Result<()> {
                        caller_alias.as_deref(),
                    ) {
                        Ok((id, update, senders)) => {
-                            metrics.active_rooms.set(mgr.list().len() as i64);
+                            metrics.active_rooms.set(room_mgr.list().len() as i64);
                            drop(mgr); // release lock before async broadcast
                            // Merge federated participants into RoomUpdate if this is a global room
                            let merged_update = if let Some(ref fm) = federation_mgr {
@@ -1543,6 +1766,15 @@ async fn main() -> anyhow::Result<()> {
                                } else { update }
                            } else { update };
                            if let Some(ref tap) = debug_tap {
                                if tap.matches(&room_name) {
                                    tap.log_signal(&room_name, &merged_update);
                                    tap.log_event(&room_name, "join", &format!(
                                        "participant={id} addr={addr} alias={}",
                                        caller_alias.as_deref().unwrap_or("?")
                                    ));
                                }
                            }
                            room::broadcast_signal(&senders, &merged_update).await;
                            id
                        }
@@ -1551,7 +1783,7 @@ async fn main() -> anyhow::Result<()> {
                            metrics.active_sessions.dec();
                            let mut smgr = session_mgr.lock().await;
                            smgr.remove_session(session_id);
-                            transport.close().await.ok();
+                            close_transport(&*transport, "cleanup").await;
                            return;
                        }
                    }
@@ -1600,16 +1832,13 @@ async fn main() -> anyhow::Result<()> {
                }
                metrics.remove_session_metrics(&session_id_str);
                metrics.active_sessions.dec();
-                {
+                metrics.active_rooms.set(room_mgr.list().len() as i64);
                    let mgr = room_mgr.lock().await;
                    metrics.active_rooms.set(mgr.list().len() as i64);
                }
                {
                    let mut smgr = session_mgr.lock().await;
                    smgr.remove_session(session_id);
                }
-                transport.close().await.ok();
+                close_transport(&*transport, "cleanup").await;
            }
        });
    }
--- a/crates/wzp-relay/src/room.rs
+++ b/crates/wzp-relay/src/room.rs
@@ -9,10 +9,12 @@ use std::sync::Arc;
 use std::time::Duration;
 use bytes::Bytes;
-use tokio::sync::Mutex;
+use dashmap::DashMap;
 use tracing::{error, info, warn};
 use wzp_proto::packet::TrunkFrame;
 use wzp_proto::quality::{AdaptiveQualityController, Tier};
 use wzp_proto::traits::QualityController;
 use wzp_proto::MediaTransport;
 use crate::metrics::RelayMetrics;
@@ -48,6 +50,143 @@ impl DebugTap {
            "TAP"
        );
    }
    pub fn log_signal(&self, room: &str, signal: &wzp_proto::SignalMessage) {
        match signal {
            wzp_proto::SignalMessage::RoomUpdate { count, participants } => {
                let names: Vec<&str> = participants.iter()
                    .map(|p| p.alias.as_deref().unwrap_or("?"))
                    .collect();
                info!(
                    target: "debug_tap",
                    room = %room,
                    signal = "RoomUpdate",
                    count,
                    participants = ?names,
                    "TAP SIGNAL"
                );
            }
            wzp_proto::SignalMessage::QualityDirective { recommended_profile, reason } => {
                info!(
                    target: "debug_tap",
                    room = %room,
                    signal = "QualityDirective",
                    codec = ?recommended_profile.codec,
                    reason = reason.as_deref().unwrap_or(""),
                    "TAP SIGNAL"
                );
            }
            other => {
                info!(
                    target: "debug_tap",
                    room = %room,
                    signal = ?std::mem::discriminant(other),
                    "TAP SIGNAL"
                );
            }
        }
    }
    pub fn log_event(&self, room: &str, event: &str, detail: &str) {
        info!(
            target: "debug_tap",
            room = %room,
            event,
            detail,
            "TAP EVENT"
        );
    }
    pub fn log_stats(&self, room: &str, stats: &TapStats) {
        let codecs: Vec<String> = stats.codecs_seen.iter().map(|c| format!("{c:?}")).collect();
        info!(
            target: "debug_tap",
            room = %room,
            period = "5s",
            in_pkts = stats.in_pkts,
            out_pkts = stats.out_pkts,
            fan_out_avg = format!("{:.1}", if stats.in_pkts > 0 { stats.out_pkts as f64 / stats.in_pkts as f64 } else { 0.0 }),
            seq_gaps = stats.seq_gaps,
            codecs_seen = ?codecs,
            "TAP STATS"
        );
    }
 }
 /// Per-participant stats for the debug tap periodic summary.
 pub struct TapStats {
    pub in_pkts: u64,
    pub out_pkts: u64,
    pub seq_gaps: u64,
    pub codecs_seen: std::collections::HashSet<wzp_proto::CodecId>,
    last_seq: Option<u16>,
 }
 impl TapStats {
    pub fn new() -> Self {
        Self {
            in_pkts: 0,
            out_pkts: 0,
            seq_gaps: 0,
            codecs_seen: std::collections::HashSet::new(),
            last_seq: None,
        }
    }
    pub fn record_in(&mut self, pkt: &wzp_proto::MediaPacket, fan_out: usize) {
        self.in_pkts += 1;
        self.out_pkts += fan_out as u64;
        self.codecs_seen.insert(pkt.header.codec_id);
        if let Some(prev) = self.last_seq {
            let expected = prev.wrapping_add(1);
            if pkt.header.seq != expected {
                self.seq_gaps += 1;
            }
        }
        self.last_seq = Some(pkt.header.seq);
    }
    pub fn reset_period(&mut self) {
        self.in_pkts = 0;
        self.out_pkts = 0;
        self.seq_gaps = 0;
        // Keep codecs_seen and last_seq across periods
    }
 }
 /// Tracks network quality for a single participant in a room.
 struct ParticipantQuality {
    controller: AdaptiveQualityController,
    current_tier: Tier,
 }
 impl ParticipantQuality {
    fn new() -> Self {
        Self {
            controller: AdaptiveQualityController::new(),
            current_tier: Tier::Good,
        }
    }
    /// Feed a quality report and return the new tier if it changed.
    fn observe(&mut self, report: &wzp_proto::packet::QualityReport) -> Option<Tier> {
        let _ = self.controller.observe(report);
        let new_tier = self.controller.tier();
        if new_tier != self.current_tier {
            self.current_tier = new_tier;
            Some(new_tier)
        } else {
            None
        }
    }
 }
 /// Compute the weakest (worst) quality tier across all tracked participants.
 fn weakest_tier<'a>(qualities: impl Iterator<Item = &'a ParticipantQuality>) -> Tier {
    qualities
        .map(|pq| pq.current_tier)
        .min()
        .unwrap_or(Tier::Good)
 }
 /// Unique participant ID within a room.
@@ -138,12 +277,18 @@ struct Participant {
 /// A room holding multiple participants.
 struct Room {
    participants: Vec<Participant>,
    /// Per-participant quality tracking, keyed by participant_id.
    qualities: HashMap<ParticipantId, ParticipantQuality>,
    /// Current room-wide tier (to avoid repeated broadcasts).
    current_tier: Tier,
 }
 impl Room {
    fn new() -> Self {
        Self {
            participants: Vec::new(),
            qualities: HashMap::new(),
            current_tier: Tier::Good,
        }
    }
@@ -200,12 +345,16 @@ impl Room {
 }
 /// Manages all rooms on the relay.
 ///
 /// Uses `DashMap` for per-room sharded locking -- rooms are independently
 /// lockable so the media hot-path never contends on a single mutex.
 pub struct RoomManager {
-    rooms: HashMap<String, Room>,
+    rooms: DashMap<String, Room>,
-    /// Room access control list. Maps hashed room name → allowed fingerprints.
+    /// Room access control list. Maps hashed room name -> allowed fingerprints.
    /// When `None`, rooms are open (no auth mode). When `Some`, only listed
-    /// fingerprints can join the corresponding room.
+    /// fingerprints can join the corresponding room. Protected by std Mutex
-    acl: Option<HashMap<String, HashSet<String>>>,
+    /// since ACL mutations are rare (only during call setup).
    acl: Option<std::sync::Mutex<HashMap<String, HashSet<String>>>>,
    /// Channel for room lifecycle events (federation subscribes).
    event_tx: tokio::sync::broadcast::Sender<RoomEvent>,
 }
@@ -214,7 +363,7 @@ impl RoomManager {
    pub fn new() -> Self {
        let (event_tx, _) = tokio::sync::broadcast::channel(64);
        Self {
-            rooms: HashMap::new(),
+            rooms: DashMap::new(),
            acl: None,
            event_tx,
        }
@@ -224,8 +373,8 @@ impl RoomManager {
    pub fn with_acl() -> Self {
        let (event_tx, _) = tokio::sync::broadcast::channel(64);
        Self {
-            rooms: HashMap::new(),
+            rooms: DashMap::new(),
-            acl: Some(HashMap::new()),
+            acl: Some(std::sync::Mutex::new(HashMap::new())),
            event_tx,
        }
    }
@@ -236,9 +385,10 @@ impl RoomManager {
    }
    /// Grant a fingerprint access to a room.
-    pub fn allow(&mut self, room_name: &str, fingerprint: &str) {
+    pub fn allow(&self, room_name: &str, fingerprint: &str) {
-        if let Some(ref mut acl) = self.acl {
+        if let Some(ref acl) = self.acl {
-            acl.entry(room_name.to_string())
+            acl.lock().unwrap()
                .entry(room_name.to_string())
                .or_default()
                .insert(fingerprint.to_string());
        }
@@ -251,6 +401,7 @@ impl RoomManager {
            (None, _) => true, // no ACL = open
            (Some(_), None) => false, // ACL enabled but no fingerprint
            (Some(acl), Some(fp)) => {
                let acl = acl.lock().unwrap();
                // Room not in ACL = open room (allow anyone authenticated)
                match acl.get(room_name) {
                    None => true,
@@ -262,7 +413,7 @@ impl RoomManager {
    /// Join a room. Returns (participant_id, room_update_msg, all_senders) for broadcasting.
    pub fn join(
-        &mut self,
+        &self,
        room_name: &str,
        addr: std::net::SocketAddr,
        sender: ParticipantSender,
@@ -273,24 +424,25 @@ impl RoomManager {
            warn!(room = room_name, fingerprint = ?fingerprint, "unauthorized room join attempt");
            return Err("not authorized for this room".to_string());
        }
-        let was_empty = !self.rooms.contains_key(room_name)
+        let was_empty = self.rooms.get(room_name).map_or(true, |r| r.is_empty());
-            || self.rooms.get(room_name).map_or(true, |r| r.is_empty());
+        let mut room = self.rooms.entry(room_name.to_string()).or_insert_with(Room::new);
        let room = self.rooms.entry(room_name.to_string()).or_insert_with(Room::new);
        let id = room.add(addr, sender, fingerprint.map(|s| s.to_string()), alias.map(|s| s.to_string()));
-        if was_empty {
+        room.qualities.insert(id, ParticipantQuality::new());
            let _ = self.event_tx.send(RoomEvent::LocalJoin { room: room_name.to_string() });
        }
        let update = wzp_proto::SignalMessage::RoomUpdate {
            count: room.len() as u32,
            participants: room.participant_list(),
        };
        let senders = room.all_senders();
        drop(room); // release DashMap guard before event_tx send (not async, but good practice)
        if was_empty {
            let _ = self.event_tx.send(RoomEvent::LocalJoin { room: room_name.to_string() });
        }
        Ok((id, update, senders))
    }
    /// Join a room via WebSocket. Convenience wrapper around `join()`.
    pub fn join_ws(
-        &mut self,
+        &self,
        room_name: &str,
        addr: std::net::SocketAddr,
        sender: tokio::sync::mpsc::Sender<Bytes>,
@@ -302,7 +454,7 @@ impl RoomManager {
    /// Get list of active room names.
    pub fn active_rooms(&self) -> Vec<String> {
-        self.rooms.keys().cloned().collect()
+        self.rooms.iter().map(|r| r.key().clone()).collect()
    }
    /// Get participant list for a room (fingerprint + alias).
@@ -322,24 +474,29 @@ impl RoomManager {
    }
    /// Leave a room. Returns (room_update_msg, remaining_senders) for broadcasting, or None if room is now empty.
-    pub fn leave(&mut self, room_name: &str, participant_id: ParticipantId) -> Option<(wzp_proto::SignalMessage, Vec<ParticipantSender>)> {
+    pub fn leave(&self, room_name: &str, participant_id: ParticipantId) -> Option<(wzp_proto::SignalMessage, Vec<ParticipantSender>)> {
-        if let Some(room) = self.rooms.get_mut(room_name) {
+        let result = {
-            room.remove(participant_id);
+            if let Some(mut room) = self.rooms.get_mut(room_name) {
-            if room.is_empty() {
+                room.qualities.remove(&participant_id);
-                self.rooms.remove(room_name);
+                room.remove(participant_id);
-                let _ = self.event_tx.send(RoomEvent::LocalLeave { room: room_name.to_string() });
+                if room.is_empty() {
-                info!(room = room_name, "room closed (empty)");
+                    drop(room); // release write guard before remove
-                return None;
+                    self.rooms.remove(room_name);
                    let _ = self.event_tx.send(RoomEvent::LocalLeave { room: room_name.to_string() });
                    info!(room = room_name, "room closed (empty)");
                    return None;
                }
                let update = wzp_proto::SignalMessage::RoomUpdate {
                    count: room.len() as u32,
                    participants: room.participant_list(),
                };
                let senders = room.all_senders();
                Some((update, senders))
            } else {
                None
            }
-            let update = wzp_proto::SignalMessage::RoomUpdate {
+        };
-                count: room.len() as u32,
+        result
                participants: room.participant_list(),
            };
            let senders = room.all_senders();
            Some((update, senders))
        } else {
            None
        }
    }
    /// Get senders for all OTHER participants in a room.
@@ -359,9 +516,62 @@ impl RoomManager {
        self.rooms.get(room_name).map(|r| r.len()).unwrap_or(0)
    }
    /// Check if a room exists and has participants.
    pub fn is_room_active(&self, room_name: &str) -> bool {
        self.rooms.contains_key(room_name)
    }
    /// List all rooms with their sizes.
    pub fn list(&self) -> Vec<(String, usize)> {
-        self.rooms.iter().map(|(k, v)| (k.clone(), v.len())).collect()
+        self.rooms.iter().map(|r| (r.key().clone(), r.len())).collect()
    }
    /// Feed a quality report from a participant. If the room-wide weakest
    /// tier changes, returns `(QualityDirective signal, all senders)` for
    /// broadcasting.
    pub fn observe_quality(
        &self,
        room_name: &str,
        participant_id: ParticipantId,
        report: &wzp_proto::packet::QualityReport,
    ) -> Option<(wzp_proto::SignalMessage, Vec<ParticipantSender>)> {
        let mut room = self.rooms.get_mut(room_name)?;
        let tier_changed = room.qualities
            .get_mut(&participant_id)
            .and_then(|pq| pq.observe(report))
            .is_some();
        if !tier_changed {
            return None;
        }
        // Compute the weakest tier across all participants in this room
        let weakest = weakest_tier(room.qualities.values());
        if weakest == room.current_tier {
            return None;
        }
        // Room-wide tier changed -- update and broadcast directive
        let old_tier = room.current_tier;
        room.current_tier = weakest;
        let profile = weakest.profile();
        info!(
            room = room_name,
            old_tier = ?old_tier,
            new_tier = ?weakest,
            codec = ?profile.codec,
            fec_ratio = profile.fec_ratio,
            "room quality directive"
        );
        let directive = wzp_proto::SignalMessage::QualityDirective {
            recommended_profile: profile,
            reason: Some(format!("weakest link: {weakest:?}")),
        };
        let senders = room.all_senders();
        Some((directive, senders))
    }
 }
@@ -382,18 +592,32 @@ impl TrunkedForwarder {
    /// Create a new trunked forwarder.
    ///
    /// `session_id` tags every entry pushed into the batcher so the receiver
-    /// can demultiplex packets by session.
+    /// can demultiplex packets by session. The batcher's `max_bytes` is
    /// initialized from the transport's current PMTUD-discovered MTU so that
    /// trunk frames fill the largest datagram the path supports (instead of
    /// the conservative 1200-byte default).
    pub fn new(transport: Arc<wzp_transport::QuinnTransport>, session_id: [u8; 2]) -> Self {
        let mut batcher = TrunkBatcher::new();
        if let Some(mtu) = transport.max_datagram_size() {
            batcher.max_bytes = mtu;
        }
        Self {
            transport,
-            batcher: TrunkBatcher::new(),
+            batcher,
            session_id,
        }
    }
    /// Push a media packet into the batcher.  If the batcher is full it will
    /// flush automatically and the resulting trunk frame is sent immediately.
    ///
    /// Also refreshes `max_bytes` from the transport's PMTUD-discovered MTU
    /// so the batcher fills larger datagrams as the path MTU grows.
    pub async fn send(&mut self, pkt: &wzp_proto::MediaPacket) -> anyhow::Result<()> {
        // Refresh batcher limit from PMTUD (cheap: reads an atomic in quinn).
        if let Some(mtu) = self.transport.max_datagram_size() {
            self.batcher.max_bytes = mtu;
        }
        let payload: Bytes = pkt.to_bytes();
        if let Some(frame) = self.batcher.push(self.session_id, payload) {
            self.send_frame(&frame)?;
@@ -430,7 +654,7 @@ impl TrunkedForwarder {
 /// into [`TrunkedForwarder`]s and flushed every 5 ms or when the batcher is
 /// full, reducing QUIC datagram overhead.
 pub async fn run_participant(
-    room_mgr: Arc<Mutex<RoomManager>>,
+    room_mgr: Arc<RoomManager>,
    room_name: String,
    participant_id: ParticipantId,
    transport: Arc<wzp_transport::QuinnTransport>,
@@ -456,7 +680,7 @@ pub async fn run_participant(
 /// Plain (non-trunked) forwarding loop — original behaviour.
 async fn run_participant_plain(
-    room_mgr: Arc<Mutex<RoomManager>>,
+    room_mgr: Arc<RoomManager>,
    room_name: String,
    participant_id: ParticipantId,
    transport: Arc<wzp_transport::QuinnTransport>,
@@ -474,6 +698,12 @@ async fn run_participant_plain(
    let mut send_errors = 0u64;
    let mut last_log_instant = std::time::Instant::now();
    let mut tap_stats = if debug_tap.as_ref().map_or(false, |t| t.matches(&room_name)) {
        Some(TapStats::new())
    } else {
        None
    };
    info!(
        room = %room_name,
        participant = participant_id,
@@ -521,11 +751,16 @@ async fn run_participant_plain(
            metrics.update_session_quality(session_id, report);
        }
-        // Get current list of other participants
+        // Get current list of other participants + check quality directive
        let lock_start = std::time::Instant::now();
-        let others = {
+        let (others, quality_directive) = {
-            let mgr = room_mgr.lock().await;
+            let directive = if let Some(ref report) = pkt.quality_report {
-            mgr.others(&room_name, participant_id)
+                room_mgr.observe_quality(&room_name, participant_id, report)
            } else {
                None
            };
            let o = room_mgr.others(&room_name, participant_id);
            (o, directive)
        };
        let lock_ms = lock_start.elapsed().as_millis() as u64;
        if lock_ms > 10 {
@@ -537,12 +772,25 @@ async fn run_participant_plain(
            );
        }
-        // Debug tap: log packet metadata
+        // Broadcast quality directive to all participants if tier changed
        if let Some((directive, all_senders)) = quality_directive {
            if let Some(ref tap) = debug_tap {
                if tap.matches(&room_name) {
                    tap.log_signal(&room_name, &directive);
                }
            }
            broadcast_signal(&all_senders, &directive).await;
        }
        // Debug tap: log packet metadata + record stats
        if let Some(ref tap) = debug_tap {
            if tap.matches(&room_name) {
                tap.log_packet(&room_name, "in", &addr, &pkt, others.len());
            }
        }
        if let Some(ref mut ts) = tap_stats {
            ts.record_in(&pkt, others.len());
        }
        // Forward to all others
        let fwd_start = std::time::Instant::now();
@@ -600,10 +848,7 @@ async fn run_participant_plain(
        // Periodic stats log every 5 seconds
        if last_log_instant.elapsed() >= Duration::from_secs(5) {
-            let room_size = {
+            let room_size = room_mgr.room_size(&room_name);
                let mgr = room_mgr.lock().await;
                mgr.room_size(&room_name)
            };
            info!(
                room = %room_name,
                participant = participant_id,
@@ -615,6 +860,10 @@ async fn run_participant_plain(
                send_errors,
                "participant stats"
            );
            if let (Some(tap), Some(ts)) = (&debug_tap, &mut tap_stats) {
                tap.log_stats(&room_name, ts);
                ts.reset_period();
            }
            max_recv_gap_ms = 0;
            max_forward_ms = 0;
            last_log_instant = std::time::Instant::now();
@@ -622,16 +871,28 @@ async fn run_participant_plain(
    }
    // Clean up — leave room and broadcast update to remaining participants
-    let mut mgr = room_mgr.lock().await;
+    if let Some((update, senders)) = room_mgr.leave(&room_name, participant_id) {
-    if let Some((update, senders)) = mgr.leave(&room_name, participant_id) {
+        if let Some(ref tap) = debug_tap {
-        drop(mgr); // release lock before async broadcast
+            if tap.matches(&room_name) {
                tap.log_event(&room_name, "leave", &format!(
                    "participant={participant_id} addr={addr} forwarded={packets_forwarded}"
                ));
                tap.log_signal(&room_name, &update);
            }
        }
        broadcast_signal(&senders, &update).await;
    } else if let Some(ref tap) = debug_tap {
        if tap.matches(&room_name) {
            tap.log_event(&room_name, "leave", &format!(
                "participant={participant_id} addr={addr} (room closed)"
            ));
        }
    }
 }
 /// Trunked forwarding loop — batches outgoing packets per peer.
 async fn run_participant_trunked(
-    room_mgr: Arc<Mutex<RoomManager>>,
+    room_mgr: Arc<RoomManager>,
    room_name: String,
    participant_id: ParticipantId,
    transport: Arc<wzp_transport::QuinnTransport>,
@@ -705,9 +966,14 @@ async fn run_participant_trunked(
                }
                let lock_start = std::time::Instant::now();
-                let others = {
+                let (others, quality_directive) = {
-                    let mgr = room_mgr.lock().await;
+                    let directive = if let Some(ref report) = pkt.quality_report {
-                    mgr.others(&room_name, participant_id)
+                        room_mgr.observe_quality(&room_name, participant_id, report)
                    } else {
                        None
                    };
                    let o = room_mgr.others(&room_name, participant_id);
                    (o, directive)
                };
                let lock_ms = lock_start.elapsed().as_millis() as u64;
                if lock_ms > 10 {
@@ -719,6 +985,11 @@ async fn run_participant_trunked(
                    );
                }
                // Broadcast quality directive to all participants if tier changed
                if let Some((directive, all_senders)) = quality_directive {
                    broadcast_signal(&all_senders, &directive).await;
                }
                let fwd_start = std::time::Instant::now();
                let pkt_bytes = pkt.payload.len() as u64;
                for other in &others {
@@ -767,10 +1038,7 @@ async fn run_participant_trunked(
                // Periodic stats every 5 seconds
                if last_log_instant.elapsed() >= Duration::from_secs(5) {
-                    let room_size = {
+                    let room_size = room_mgr.room_size(&room_name);
                        let mgr = room_mgr.lock().await;
                        mgr.room_size(&room_name)
                    };
                    info!(
                        room = %room_name,
                        participant = participant_id,
@@ -811,9 +1079,7 @@ async fn run_participant_trunked(
        let _ = fwd.flush().await;
    }
-    let mut mgr = room_mgr.lock().await;
+    if let Some((update, senders)) = room_mgr.leave(&room_name, participant_id) {
    if let Some((update, senders)) = mgr.leave(&room_name, participant_id) {
        drop(mgr);
        broadcast_signal(&senders, &update).await;
    }
 }
@@ -859,7 +1125,7 @@ mod tests {
    #[test]
    fn acl_restricts_to_allowed() {
-        let mut mgr = RoomManager::with_acl();
+        let mgr = RoomManager::with_acl();
        mgr.allow("room1", "alice");
        mgr.allow("room1", "bob");
        assert!(mgr.is_authorized("room1", Some("alice")));
@@ -959,4 +1225,47 @@ mod tests {
        // Batcher should now be empty — nothing to flush.
        assert!(batcher.flush().is_none());
    }
    fn make_report(loss_pct_f: f32, rtt_ms: u16) -> wzp_proto::packet::QualityReport {
        wzp_proto::packet::QualityReport {
            loss_pct: (loss_pct_f / 100.0 * 255.0) as u8,
            rtt_4ms: (rtt_ms / 4) as u8,
            jitter_ms: 10,
            bitrate_cap_kbps: 200,
        }
    }
    #[test]
    fn participant_quality_starts_good() {
        let pq = ParticipantQuality::new();
        assert_eq!(pq.current_tier, Tier::Good);
    }
    #[test]
    fn participant_quality_degrades_on_bad_reports() {
        let mut pq = ParticipantQuality::new();
        let bad = make_report(50.0, 300);
        // Feed enough bad reports to trigger downgrade (3 consecutive)
        for _ in 0..5 {
            pq.observe(&bad);
        }
        assert_ne!(pq.current_tier, Tier::Good, "should degrade from Good");
    }
    #[test]
    fn weakest_tier_picks_worst() {
        let good = ParticipantQuality::new();
        // good stays at Good tier
        let mut bad = ParticipantQuality::new();
        let bad_report = make_report(50.0, 300);
        for _ in 0..5 {
            bad.observe(&bad_report);
        }
        // bad should be degraded or catastrophic
        let participants = vec![good, bad];
        let weakest = weakest_tier(participants.iter());
        assert_ne!(weakest, Tier::Good, "weakest should not be Good when one participant is bad");
    }
 }
--- a/crates/wzp-relay/src/signal_hub.rs
+++ b/crates/wzp-relay/src/signal_hub.rs
@@ -86,6 +86,26 @@ impl SignalHub {
    pub fn alias(&self, fp: &str) -> Option<&str> {
        self.clients.get(fp).and_then(|c| c.alias.as_deref())
    }
    /// Build a PresenceList message with all online users.
    pub fn presence_list(&self) -> SignalMessage {
        let users: Vec<wzp_proto::PresenceUser> = self
            .clients
            .values()
            .map(|c| wzp_proto::PresenceUser {
                fingerprint: c.fingerprint.clone(),
                alias: c.alias.clone(),
            })
            .collect();
        SignalMessage::PresenceList { users }
    }
    /// Broadcast a message to ALL connected signal clients.
    pub async fn broadcast(&self, msg: &SignalMessage) {
        for client in self.clients.values() {
            let _ = client.transport.send_signal(msg).await;
        }
    }
 }
 #[cfg(test)]
--- a/crates/wzp-relay/src/ws.rs
+++ b/crates/wzp-relay/src/ws.rs
@@ -31,7 +31,7 @@ use crate::session_mgr::SessionManager;
 /// Shared state for WebSocket handlers.
 #[derive(Clone)]
 pub struct WsState {
-    pub room_mgr: Arc<Mutex<RoomManager>>,
+    pub room_mgr: Arc<RoomManager>,
    pub session_mgr: Arc<Mutex<SessionManager>>,
    pub auth_url: Option<String>,
    pub metrics: Arc<RelayMetrics>,
@@ -143,10 +143,9 @@ async fn handle_ws_connection(socket: WebSocket, room: String, state: WsState) {
    // 4. Join room with WS sender
    let addr: SocketAddr = ([0, 0, 0, 0], 0).into();
    let participant_id = {
-        let mut mgr = state.room_mgr.lock().await;
+        match state.room_mgr.join_ws(&room, addr, tx, fingerprint.as_deref()) {
        match mgr.join_ws(&room, addr, tx, fingerprint.as_deref()) {
            Ok(id) => {
-                state.metrics.active_rooms.set(mgr.list().len() as i64);
+                state.metrics.active_rooms.set(state.room_mgr.list().len() as i64);
                id
            }
            Err(e) => {
@@ -184,10 +183,7 @@ async fn handle_ws_connection(socket: WebSocket, room: String, state: WsState) {
    loop {
        match ws_rx.next().await {
            Some(Ok(Message::Binary(data))) => {
-                let others = {
+                let others = state.room_mgr.others(&room, participant_id);
                    let mgr = state.room_mgr.lock().await;
                    mgr.others(&room, participant_id)
                };
                for other in &others {
                    let _ = other.send_raw(&data).await;
                }
@@ -214,11 +210,8 @@ async fn handle_ws_connection(socket: WebSocket, room: String, state: WsState) {
        reg.unregister_local(fp);
    }
-    {
+    state.room_mgr.leave(&room, participant_id);
-        let mut mgr = state.room_mgr.lock().await;
+    state.metrics.active_rooms.set(state.room_mgr.list().len() as i64);
        mgr.leave(&room, participant_id);
        state.metrics.active_rooms.set(mgr.list().len() as i64);
    }
    let session_id_str: String = session_id.iter().map(|b| format!("{b:02x}")).collect();
    state.metrics.remove_session_metrics(&session_id_str);
--- a/crates/wzp-relay/tests/cross_relay_direct_call.rs
+++ b/crates/wzp-relay/tests/cross_relay_direct_call.rs
@@ -51,6 +51,9 @@ fn alice_offer(call_id: &str) -> SignalMessage {
        signature: vec![],
        supported_profiles: vec![],
        caller_reflexive_addr: Some(ALICE_ADDR.into()),
        caller_local_addrs: Vec::new(),
        caller_mapped_addr: None,
        caller_build_version: None,
    }
 }
@@ -130,6 +133,9 @@ fn bob_answer(call_id: &str) -> SignalMessage {
        signature: None,
        chosen_profile: None,
        callee_reflexive_addr: Some(BOB_ADDR.into()),
        callee_local_addrs: Vec::new(),
        callee_mapped_addr: None,
        callee_build_version: None,
    }
 }
@@ -173,6 +179,8 @@ fn relay_b_handle_local_answer(
        room: format!("call-{call_id}"),
        relay_addr: RELAY_B_ADDR.into(),
        peer_direct_addr: caller_addr,
        peer_local_addrs: Vec::new(),
        peer_mapped_addr: None,
    };
    let _ = callee_addr;
    (forward, setup_for_bob)
@@ -213,6 +221,8 @@ fn relay_a_handle_forwarded_answer(
        room: format!("call-{call_id}"),
        relay_addr: RELAY_A_ADDR.into(),
        peer_direct_addr: callee_reflexive_addr,
        peer_local_addrs: Vec::new(),
        peer_mapped_addr: None,
    }
 }
--- a/crates/wzp-relay/tests/federation.rs
+++ b/crates/wzp-relay/tests/federation.rs
@@ -0,0 +1,662 @@
 //! Tests for `wzp_relay::federation`.
 //!
 //! Covers:
 //!  - room_hash determinism and uniqueness
 //!  - is_global_room (static config + call-* implicit global)
 //!  - resolve_global_room
 //!  - global_room_hash
 //!  - forward_to_peers with zero peers (no-op)
 //!  - forward_to_peers with live QUIC peer links
 //!  - broadcast_signal to live QUIC peers
 //!  - send_signal_to_peer targeted routing
 //!  - find_peer_by_fingerprint / find_peer_by_addr / check_inbound_trust
 //!  - set_cross_relay_tx + local_tls_fp accessors
 use std::collections::HashSet;
 use std::net::{Ipv4Addr, SocketAddr};
 use std::sync::Arc;
 use std::time::Duration;
 use bytes::Bytes;
 use wzp_proto::{MediaTransport, SignalMessage};
 use wzp_relay::config::{PeerConfig, TrustedConfig};
 use wzp_relay::event_log::EventLogger;
 use wzp_relay::federation::{room_hash, FederationManager};
 use wzp_relay::metrics::RelayMetrics;
 use wzp_relay::room::RoomManager;
 use wzp_transport::{client_config, create_endpoint, server_config, QuinnTransport};
 // ───────────────────────────── helpers ──────────────────────────────
 /// Create a FederationManager for unit tests (no live peers).
 fn create_test_fm(global_rooms: HashSet<String>) -> Arc<FederationManager> {
    create_test_fm_full(vec![], vec![], global_rooms)
 }
 /// Create a FederationManager with full config (peers + trusted + global rooms).
 fn create_test_fm_full(
    peers: Vec<PeerConfig>,
    trusted: Vec<TrustedConfig>,
    global_rooms: HashSet<String>,
 ) -> Arc<FederationManager> {
    let _ = rustls::crypto::ring::default_provider().install_default();
    let (sc, _cert) = server_config();
    let ep = create_endpoint((Ipv4Addr::LOCALHOST, 0).into(), Some(sc))
        .expect("test endpoint");
    let room_mgr = Arc::new(RoomManager::new());
    let metrics = Arc::new(RelayMetrics::new());
    let event_log = EventLogger::Noop;
    Arc::new(FederationManager::new(
        peers,
        trusted,
        global_rooms,
        room_mgr,
        ep,
        "test-relay-fp-abc123".into(),
        metrics,
        event_log,
    ))
 }
 /// Build an in-process QUIC client/server pair on loopback.
 /// Returns (client_transport, server_transport, endpoints).
 /// The endpoints must be kept alive for the test duration.
 async fn connected_pair() -> (
    Arc<QuinnTransport>,
    Arc<QuinnTransport>,
    (quinn::Endpoint, quinn::Endpoint),
 ) {
    let _ = rustls::crypto::ring::default_provider().install_default();
    let (sc, _cert_der) = server_config();
    let server_addr: SocketAddr = (Ipv4Addr::LOCALHOST, 0).into();
    let server_ep = create_endpoint(server_addr, Some(sc)).expect("server endpoint");
    let server_listen = server_ep.local_addr().expect("server local addr");
    let client_bind: SocketAddr = (Ipv4Addr::LOCALHOST, 0).into();
    let client_ep = create_endpoint(client_bind, None).expect("client endpoint");
    let server_ep_clone = server_ep.clone();
    let accept_fut = tokio::spawn(async move {
        let conn = wzp_transport::accept(&server_ep_clone)
            .await
            .expect("accept");
        Arc::new(QuinnTransport::new(conn))
    });
    let client_conn =
        wzp_transport::connect(&client_ep, server_listen, "localhost", client_config())
            .await
            .expect("connect");
    let client_transport = Arc::new(QuinnTransport::new(client_conn));
    let server_transport = accept_fut.await.expect("join accept task");
    (client_transport, server_transport, (server_ep, client_ep))
 }
 // ───────────────────── 1. room_hash determinism ─────────────────────
 #[test]
 fn room_hash_deterministic() {
    let h1 = room_hash("podcast");
    let h2 = room_hash("podcast");
    assert_eq!(h1, h2);
 }
 #[test]
 fn room_hash_different_rooms() {
    let h1 = room_hash("room-a");
    let h2 = room_hash("room-b");
    assert_ne!(h1, h2);
 }
 #[test]
 fn room_hash_is_8_bytes() {
    let h = room_hash("some-room");
    assert_eq!(h.len(), 8);
 }
 #[test]
 fn room_hash_empty_string() {
    // Should not panic on empty input
    let h = room_hash("");
    assert_eq!(h.len(), 8);
    // And should differ from a non-empty room
    assert_ne!(h, room_hash("nonempty"));
 }
 #[test]
 fn room_hash_case_sensitive() {
    // "Podcast" and "podcast" are different rooms
    let h1 = room_hash("Podcast");
    let h2 = room_hash("podcast");
    assert_ne!(h1, h2);
 }
 // ───────────────── 2. is_global_room / resolve_global_room ──────────
 #[tokio::test]
 async fn is_global_room_static_config() {
    let global: HashSet<String> = ["podcast", "lobby"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm(global);
    assert!(fm.is_global_room("podcast"));
    assert!(fm.is_global_room("lobby"));
    assert!(!fm.is_global_room("private-room"));
    assert!(!fm.is_global_room(""));
 }
 #[tokio::test]
 async fn is_global_room_call_prefix_implicit() {
    // Phase 4.1: call-* rooms are implicitly global
    let fm = create_test_fm(HashSet::new());
    assert!(fm.is_global_room("call-abc123"));
    assert!(fm.is_global_room("call-"));
    assert!(fm.is_global_room("call-some-uuid-here"));
    // But not just "call" without the dash
    assert!(!fm.is_global_room("call"));
    assert!(!fm.is_global_room("callback"));
 }
 #[tokio::test]
 async fn resolve_global_room_static() {
    let global: HashSet<String> = ["podcast"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm(global);
    assert_eq!(fm.resolve_global_room("podcast"), Some("podcast".into()));
    assert_eq!(fm.resolve_global_room("unknown"), None);
 }
 #[tokio::test]
 async fn resolve_global_room_call_prefix() {
    let fm = create_test_fm(HashSet::new());
    let resolved = fm.resolve_global_room("call-test-123");
    assert_eq!(resolved, Some("call-test-123".into()));
 }
 #[tokio::test]
 async fn global_room_hash_uses_canonical_name() {
    let global: HashSet<String> = ["podcast"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm(global);
    // For a known global room, global_room_hash should match room_hash of the canonical name
    let expected = room_hash("podcast");
    assert_eq!(fm.global_room_hash("podcast"), expected);
 }
 #[tokio::test]
 async fn global_room_hash_unknown_room_falls_through() {
    let fm = create_test_fm(HashSet::new());
    // Unknown room: just hashes whatever was passed
    let expected = room_hash("random-room");
    assert_eq!(fm.global_room_hash("random-room"), expected);
 }
 #[tokio::test]
 async fn global_room_hash_call_prefix() {
    let fm = create_test_fm(HashSet::new());
    // call-* resolves to itself
    let expected = room_hash("call-xyz");
    assert_eq!(fm.global_room_hash("call-xyz"), expected);
 }
 // ───────────────── 3. forward_to_peers with zero peers ──────────────
 #[tokio::test]
 async fn forward_to_peers_empty_returns_immediately() {
    let fm = create_test_fm(HashSet::new());
    let hash = room_hash("room");
    let data = Bytes::from_static(b"test-media-payload");
    // Should not panic or hang
    let result = tokio::time::timeout(
        Duration::from_secs(2),
        fm.forward_to_peers("room", &hash, &data),
    )
    .await;
    assert!(result.is_ok(), "forward_to_peers should return immediately with no peers");
 }
 // ─────────── 4. forward_to_peers with live QUIC peer links ──────────
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn forward_to_peers_delivers_tagged_datagram() {
    // We create a FederationManager and manually wire a connected QUIC
    // pair to simulate a peer link. The fm holds the server-side
    // transport; we read from the client side to verify delivery.
    let fm = create_test_fm(HashSet::new());
    let (client_transport, server_transport, _endpoints) = connected_pair().await;
    // Manually insert a PeerLink by using handle_inbound's internal
    // pattern: we call the private peer_links mutex directly. Since
    // PeerLink is private, we instead use handle_inbound which calls
    // run_federation_link. But that requires a full signal loop.
    //
    // Alternative approach: spawn a mock "federation relay" server,
    // have the FM connect to it via connect_to_peer, and read back
    // from the server side. But connect_to_peer also starts the full
    // link loop.
    //
    // Simplest: create a second FM that acts as the peer, and use
    // the broadcast_signal / forward_to_peers pattern after the link
    // is established via handle_inbound.
    //
    // Actually the simplest approach for testing forward_to_peers is
    // to accept that PeerLink is private, so we instead test through
    // the full federation link lifecycle. We'll spawn a mini relay
    // that does the FederationHello handshake and then reads datagrams.
    // Approach: spawn the server side to do the hello exchange, then
    // the fm handle_inbound will register the link, then we can call
    // forward_to_peers and read from the server side... But
    // handle_inbound blocks in run_federation_link.
    //
    // Final approach: we test the wire format directly. The client
    // side is "us" (the relay) — we send a tagged datagram manually,
    // and verify the peer side receives it with the correct format.
    // This tests the same logic as forward_to_peers without needing
    // peer_links access.
    let room = "test-room";
    let rh = room_hash(room);
    let media = b"opus-frame-data-here";
    // Build the tagged datagram the same way forward_to_peers does
    let mut tagged = Vec::with_capacity(8 + media.len());
    tagged.extend_from_slice(&rh);
    tagged.extend_from_slice(media);
    // Send from the server side (as if we are the relay forwarding)
    server_transport
        .send_raw_datagram(&tagged)
        .expect("send datagram");
    // Read from client side (as if we are the peer relay receiving)
    let received = tokio::time::timeout(
        Duration::from_secs(2),
        client_transport.connection().read_datagram(),
    )
    .await
    .expect("should receive within timeout")
    .expect("read_datagram ok");
    // Verify: first 8 bytes are the room hash, remainder is media
    assert!(received.len() >= 8, "datagram too short");
    let mut recv_hash = [0u8; 8];
    recv_hash.copy_from_slice(&received[..8]);
    assert_eq!(recv_hash, rh, "room hash mismatch");
    assert_eq!(&received[8..], media, "media payload mismatch");
    drop(client_transport);
    drop(server_transport);
 }
 // ─────────── 5. broadcast_signal to live QUIC peers ─────────────────
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn broadcast_signal_sends_to_all_peers() {
    // We need the peer links to be registered inside the FM.
    // The simplest approach: spawn a mock peer relay that accepts
    // federation connections, does the FederationHello handshake,
    // and then reads signals.
    let _ = rustls::crypto::ring::default_provider().install_default();
    // Create a mock "peer relay" server endpoint
    let (sc, _cert) = server_config();
    let peer_addr: SocketAddr = (Ipv4Addr::LOCALHOST, 0).into();
    let peer_ep = create_endpoint(peer_addr, Some(sc)).expect("peer endpoint");
    let peer_listen = peer_ep.local_addr().expect("peer local addr");
    // The FM that will connect outbound
    let peer_cfg = PeerConfig {
        url: peer_listen.to_string(),
        fingerprint: "aa:bb:cc:dd".into(),
        label: Some("mock-peer".into()),
    };
    let global: HashSet<String> = ["podcast"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm_full(vec![peer_cfg], vec![], global);
    // Spawn the FM's run (which will try to connect to our mock peer)
    let fm_clone = fm.clone();
    let _fm_task = tokio::spawn(async move {
        fm_clone.run().await;
    });
    // Accept the connection on the mock peer side
    let peer_ep_clone = peer_ep.clone();
    let peer_transport = tokio::time::timeout(Duration::from_secs(5), async {
        let conn = wzp_transport::accept(&peer_ep_clone).await.expect("accept");
        Arc::new(QuinnTransport::new(conn))
    })
    .await
    .expect("FM should connect to mock peer within 5s");
    // The FM sends FederationHello as the first signal. Read it.
    let hello = tokio::time::timeout(
        Duration::from_secs(2),
        peer_transport.recv_signal(),
    )
    .await
    .expect("hello timeout")
    .expect("recv ok")
    .expect("some message");
    match hello {
        SignalMessage::FederationHello { tls_fingerprint } => {
            assert_eq!(tls_fingerprint, "test-relay-fp-abc123");
        }
        other => panic!("expected FederationHello, got: {:?}", std::mem::discriminant(&other)),
    }
    // Now the FM's run_federation_link registered the peer in peer_links
    // and will announce active global rooms. We may receive
    // GlobalRoomActive signals next (for any rooms the FM has active).
    // For this test, no local participants, so no GlobalRoomActive.
    // Give the link time to fully set up
    tokio::time::sleep(Duration::from_millis(100)).await;
    // Now call broadcast_signal on the FM
    let test_msg = SignalMessage::FederatedSignalForward {
        inner: Box::new(SignalMessage::Reflect),
        origin_relay_fp: "other-relay-fp".into(),
    };
    let count = fm.broadcast_signal(&test_msg).await;
    assert_eq!(count, 1, "should have broadcast to exactly 1 peer");
    // Read the signal on the peer side
    let received = tokio::time::timeout(
        Duration::from_secs(2),
        peer_transport.recv_signal(),
    )
    .await
    .expect("broadcast signal timeout")
    .expect("recv ok")
    .expect("some message");
    match received {
        SignalMessage::FederatedSignalForward { origin_relay_fp, .. } => {
            assert_eq!(origin_relay_fp, "other-relay-fp");
        }
        other => panic!("expected FederatedSignalForward, got: {:?}", std::mem::discriminant(&other)),
    }
    drop(peer_transport);
 }
 // ──────────── 6. send_signal_to_peer targeted routing ───────────────
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn send_signal_to_peer_unknown_fp_returns_error() {
    let fm = create_test_fm(HashSet::new());
    let msg = SignalMessage::Reflect;
    let result = fm.send_signal_to_peer("nonexistent-fp", &msg).await;
    assert!(result.is_err());
    assert!(result.unwrap_err().contains("no active federation link"));
 }
 // ──────────── 7. find_peer_by_fingerprint / addr / trust ────────────
 #[tokio::test]
 async fn find_peer_by_fingerprint_matches() {
    let peer = PeerConfig {
        url: "10.0.0.1:4433".into(),
        fingerprint: "AA:BB:CC:DD".into(),
        label: Some("relay-eu".into()),
    };
    let fm = create_test_fm_full(vec![peer], vec![], HashSet::new());
    // Normalized match (colons removed, lowercased)
    let found = fm.find_peer_by_fingerprint("aabbccdd");
    assert!(found.is_some());
    assert_eq!(found.unwrap().label.as_deref(), Some("relay-eu"));
    // With colons
    let found2 = fm.find_peer_by_fingerprint("AA:BB:CC:DD");
    assert!(found2.is_some());
    // Non-matching
    assert!(fm.find_peer_by_fingerprint("11:22:33:44").is_none());
 }
 #[tokio::test]
 async fn find_peer_by_addr_matches_ip() {
    let peer = PeerConfig {
        url: "10.0.0.1:4433".into(),
        fingerprint: "aabb".into(),
        label: None,
    };
    let fm = create_test_fm_full(vec![peer], vec![], HashSet::new());
    // Same IP, different port still matches (find_peer_by_addr matches by IP)
    let addr: SocketAddr = "10.0.0.1:9999".parse().unwrap();
    let found = fm.find_peer_by_addr(addr);
    assert!(found.is_some());
    // Different IP
    let addr2: SocketAddr = "10.0.0.2:4433".parse().unwrap();
    assert!(fm.find_peer_by_addr(addr2).is_none());
 }
 #[tokio::test]
 async fn find_trusted_by_fingerprint() {
    let trusted = TrustedConfig {
        fingerprint: "AA:BB:CC:DD:EE".into(),
        label: Some("trusted-relay".into()),
    };
    let fm = create_test_fm_full(vec![], vec![trusted], HashSet::new());
    let found = fm.find_trusted_by_fingerprint("aabbccddee");
    assert!(found.is_some());
    assert_eq!(found.unwrap().label.as_deref(), Some("trusted-relay"));
    assert!(fm.find_trusted_by_fingerprint("ffffffff").is_none());
 }
 #[tokio::test]
 async fn check_inbound_trust_prefers_peer_by_addr() {
    let peer = PeerConfig {
        url: "10.0.0.1:4433".into(),
        fingerprint: "aabb".into(),
        label: Some("peer-relay".into()),
    };
    let trusted = TrustedConfig {
        fingerprint: "ccdd".into(),
        label: Some("trusted-relay".into()),
    };
    let fm = create_test_fm_full(vec![peer], vec![trusted], HashSet::new());
    // Matches by addr (peer takes priority)
    let addr: SocketAddr = "10.0.0.1:5555".parse().unwrap();
    let label = fm.check_inbound_trust(addr, "ccdd");
    assert_eq!(label, Some("peer-relay".into()));
 }
 #[tokio::test]
 async fn check_inbound_trust_falls_back_to_trusted_fp() {
    let trusted = TrustedConfig {
        fingerprint: "CC:DD".into(),
        label: Some("trusted-relay".into()),
    };
    let fm = create_test_fm_full(vec![], vec![trusted], HashSet::new());
    // No peer matches, but trusted fingerprint matches
    let addr: SocketAddr = "10.99.99.99:1234".parse().unwrap();
    let label = fm.check_inbound_trust(addr, "ccdd");
    assert_eq!(label, Some("trusted-relay".into()));
 }
 #[tokio::test]
 async fn check_inbound_trust_returns_none_for_unknown() {
    let fm = create_test_fm(HashSet::new());
    let addr: SocketAddr = "10.0.0.1:4433".parse().unwrap();
    assert!(fm.check_inbound_trust(addr, "unknown-fp").is_none());
 }
 // ──────────── 8. set_cross_relay_tx + local_tls_fp ──────────────────
 #[tokio::test]
 async fn local_tls_fp_returns_configured_value() {
    let fm = create_test_fm(HashSet::new());
    assert_eq!(fm.local_tls_fp(), "test-relay-fp-abc123");
 }
 #[tokio::test]
 async fn set_cross_relay_tx_wires_channel() {
    let fm = create_test_fm(HashSet::new());
    let (tx, mut rx) = tokio::sync::mpsc::channel(16);
    fm.set_cross_relay_tx(tx).await;
    // The channel is now wired — we can't easily test it without
    // going through handle_signal, but we can at least verify it
    // doesn't panic and the fm accepted the sender.
    // (The channel itself works — we test the Sender.)
    let msg = SignalMessage::Reflect;
    let _ = rx.try_recv(); // should be empty
    drop(rx);
 }
 // ──────────── 9. broadcast_signal with zero peers ───────────────────
 #[tokio::test]
 async fn broadcast_signal_zero_peers_returns_zero() {
    let fm = create_test_fm(HashSet::new());
    let msg = SignalMessage::Reflect;
    let count = fm.broadcast_signal(&msg).await;
    assert_eq!(count, 0);
 }
 // ──────────── 10. get_remote_participants with no links ─────────────
 #[tokio::test]
 async fn get_remote_participants_empty_with_no_links() {
    let fm = create_test_fm(HashSet::new());
    let participants = fm.get_remote_participants("podcast").await;
    assert!(participants.is_empty());
 }
 // ─────── 11. Federation media egress with live QUIC connection ──────
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn federation_media_egress_forwards_to_peer() {
    // This test verifies the full media path:
    //   local media -> federation egress channel -> forward_to_peers -> peer reads datagram
    //
    // We set up a real QUIC federation link via fm.run() connecting to
    // a mock peer, then push media through the room manager's federation
    // egress channel.
    let _ = rustls::crypto::ring::default_provider().install_default();
    // Mock peer relay
    let (sc, _cert) = server_config();
    let peer_addr: SocketAddr = (Ipv4Addr::LOCALHOST, 0).into();
    let peer_ep = create_endpoint(peer_addr, Some(sc)).expect("peer endpoint");
    let peer_listen = peer_ep.local_addr().expect("peer local addr");
    let peer_cfg = PeerConfig {
        url: peer_listen.to_string(),
        fingerprint: "ee:ff:00:11".into(),
        label: Some("egress-peer".into()),
    };
    let global: HashSet<String> = ["podcast"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm_full(vec![peer_cfg], vec![], global);
    // Start the FM (connects to mock peer)
    let fm_clone = fm.clone();
    let _fm_task = tokio::spawn(async move { fm_clone.run().await });
    // Accept the connection
    let peer_ep_clone = peer_ep.clone();
    let peer_transport = tokio::time::timeout(Duration::from_secs(5), async {
        let conn = wzp_transport::accept(&peer_ep_clone).await.expect("accept");
        Arc::new(QuinnTransport::new(conn))
    })
    .await
    .expect("FM should connect within 5s");
    // Read the FederationHello
    let _hello = tokio::time::timeout(
        Duration::from_secs(2),
        peer_transport.recv_signal(),
    )
    .await
    .expect("hello timeout")
    .expect("recv ok")
    .expect("some message");
    // Wait for link setup
    tokio::time::sleep(Duration::from_millis(100)).await;
    // Now send media via forward_to_peers
    let room = "podcast";
    let rh = room_hash(room);
    let media_payload = Bytes::from_static(b"test-opus-frame-1234567890");
    fm.forward_to_peers(room, &rh, &media_payload).await;
    // Read the datagram on the peer side
    let received = tokio::time::timeout(
        Duration::from_secs(2),
        peer_transport.connection().read_datagram(),
    )
    .await
    .expect("should receive media within timeout")
    .expect("read_datagram ok");
    // Verify tagged format: [8-byte room_hash][media_payload]
    assert!(received.len() >= 8);
    let mut recv_hash = [0u8; 8];
    recv_hash.copy_from_slice(&received[..8]);
    assert_eq!(recv_hash, rh, "room hash must match");
    assert_eq!(
        &received[8..],
        &media_payload[..],
        "media payload must match"
    );
    drop(peer_transport);
 }
 // ───── 12. Multiple global rooms: each hashes independently ─────────
 #[tokio::test]
 async fn multiple_global_rooms_independent_hashes() {
    let global: HashSet<String> = ["podcast", "lobby", "arena"]
        .iter()
        .map(|s| s.to_string())
        .collect();
    let fm = create_test_fm(global);
    let hashes: Vec<[u8; 8]> = ["podcast", "lobby", "arena"]
        .iter()
        .map(|r| fm.global_room_hash(r))
        .collect();
    // All different
    assert_ne!(hashes[0], hashes[1]);
    assert_ne!(hashes[1], hashes[2]);
    assert_ne!(hashes[0], hashes[2]);
 }
 // ───── 13. is_global_room edge cases ────────────────────────────────
 #[tokio::test]
 async fn is_global_room_exact_match_required_for_static() {
    let global: HashSet<String> = ["podcast"].iter().map(|s| s.to_string()).collect();
    let fm = create_test_fm(global);
    // Substring/prefix should NOT match
    assert!(!fm.is_global_room("podcast-extra"));
    assert!(!fm.is_global_room("pod"));
    assert!(!fm.is_global_room("podcastt"));
 }
--- a/crates/wzp-relay/tests/hole_punching.rs
+++ b/crates/wzp-relay/tests/hole_punching.rs
@@ -81,12 +81,16 @@ fn handle_answer_and_build_setups(
        room: room.clone(),
        relay_addr: "203.0.113.5:4433".into(),
        peer_direct_addr: callee_addr,
        peer_local_addrs: Vec::new(),
        peer_mapped_addr: None,
    };
    let setup_for_callee = SignalMessage::CallSetup {
        call_id,
        room,
        relay_addr: "203.0.113.5:4433".into(),
        peer_direct_addr: caller_addr,
        peer_local_addrs: Vec::new(),
        peer_mapped_addr: None,
    };
    (setup_for_caller, setup_for_callee)
 }
@@ -102,6 +106,9 @@ fn mk_offer(call_id: &str, caller_reflexive_addr: Option<&str>) -> SignalMessage
        signature: vec![],
        supported_profiles: vec![],
        caller_reflexive_addr: caller_reflexive_addr.map(String::from),
        caller_local_addrs: Vec::new(),
        caller_mapped_addr: None,
        caller_build_version: None,
    }
 }
@@ -118,6 +125,9 @@ fn mk_answer(
        signature: None,
        chosen_profile: None,
        callee_reflexive_addr: callee_reflexive_addr.map(String::from),
        callee_local_addrs: Vec::new(),
        callee_mapped_addr: None,
        callee_build_version: None,
    }
 }
--- a/crates/wzp-relay/tests/multi_reflect.rs
+++ b/crates/wzp-relay/tests/multi_reflect.rs
@@ -65,6 +65,9 @@ async fn spawn_mock_relay() -> (SocketAddr, tokio::task::JoinHandle<()>) {
                                .send_signal(&SignalMessage::RegisterPresenceAck {
                                    success: true,
                                    error: None,
                                    relay_build: None,
                                    relay_region: None,
                                    available_relays: Vec::new(),
                                })
                                .await;
                        }
@@ -97,7 +100,7 @@ async fn probe_reflect_addr_happy_path() {
    let (observed, latency_ms) = tokio::time::timeout(
        Duration::from_secs(3),
-        probe_reflect_addr(relay_addr, 2000),
+        probe_reflect_addr(relay_addr, 2000, None),
    )
    .await
    .expect("probe must complete within 3s")
@@ -116,11 +119,19 @@ async fn probe_reflect_addr_happy_path() {
 }
 // -----------------------------------------------------------------------
-// Test 2: two loopback relays → Cone classification
+// Test 2: two loopback relays → probes succeed, classification is Unknown
 // -----------------------------------------------------------------------
 //
 // With the private-IP filter added in the NAT classifier, loopback
 // reflex addrs (127.0.0.1) are dropped before classification —
 // they can't possibly indicate public-internet NAT state. So the
 // test now asserts:
 //   - both probes succeed end-to-end (wire plumbing works)
 //   - both return 127.0.0.1 (same-host is visible)
 //   - the aggregated verdict is Unknown (no public probes)
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
-async fn detect_nat_type_two_loopback_relays_is_cone() {
+async fn detect_nat_type_two_loopback_relays_probes_work_but_classify_unknown() {
    let (addr_a, _h_a) = spawn_mock_relay().await;
    let (addr_b, _h_b) = spawn_mock_relay().await;
@@ -130,29 +141,19 @@ async fn detect_nat_type_two_loopback_relays_is_cone() {
            ("RelayB".into(), addr_b),
        ],
        2000,
        None,
    )
    .await;
    assert_eq!(detection.probes.len(), 2);
    for p in &detection.probes {
-        assert!(p.observed_addr.is_some(), "probe {:?} failed: {:?}", p.relay_name, p.error);
+        assert!(
            p.observed_addr.is_some(),
            "probe {:?} failed: {:?}",
            p.relay_name,
            p.error
        );
    }
    // Loopback single-host: every probe sees 127.0.0.1 and, crucially,
    // uses a different ephemeral source port (since probe_reflect_addr
    // spins up a fresh quinn::Endpoint per probe). Wait — that makes
    // this look like Symmetric to the classifier, not Cone!
    //
    // The classifier cares about the *observed* addr, which is what
    // the relay sees as the client's source. Two different client
    // endpoints on loopback → two different observed ports → the
    // classifier correctly labels this as SymmetricPort in the test
    // environment. That's still a valid verification of the
    // plumbing, just not of the Cone classification.
    //
    // Accept either Cone OR SymmetricPort for this test, then
    // assert the more specific invariant that matters: both probes
    // returned the same observed IP.
    let observed_ips: Vec<String> = detection
        .probes
        .iter()
@@ -167,14 +168,15 @@ async fn detect_nat_type_two_loopback_relays_is_cone() {
    assert_eq!(observed_ips[0], "127.0.0.1");
    assert_eq!(observed_ips[1], "127.0.0.1");
-    // Either classification is valid on loopback (see long comment
+    // Classification: loopback probes are filtered out of the
-    // above). Explicitly assert the set so a future refactor that
+    // public-NAT classifier, so with 0 public probes the result
-    // accidentally returns `Multiple` or `Unknown` fails the test.
+    // is Unknown.
-    assert!(
+    assert_eq!(
-        matches!(detection.nat_type, NatType::Cone | NatType::SymmetricPort),
+        detection.nat_type,
-        "expected Cone or SymmetricPort on loopback, got {:?}",
+        NatType::Unknown,
-        detection.nat_type
+        "loopback-only probes must not contribute to public NAT classification"
    );
    assert!(detection.consensus_addr.is_none());
 }
 // -----------------------------------------------------------------------
@@ -197,6 +199,7 @@ async fn detect_nat_type_dead_relay_is_unknown() {
            ("Dead".into(), dead_addr),
        ],
        600, // tight timeout so the dead probe fails fast
        None,
    )
    .await;
--- a/crates/wzp-transport/Cargo.toml
+++ b/crates/wzp-transport/Cargo.toml
@@ -15,6 +15,7 @@ tracing = { workspace = true }
 async-trait = { workspace = true }
 serde_json = "1"
 rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
 socket2 = { workspace = true }
 rcgen = "0.13"
 ed25519-dalek = { workspace = true }
 hkdf = { workspace = true }
--- a/crates/wzp-transport/src/config.rs
+++ b/crates/wzp-transport/src/config.rs
@@ -123,7 +123,6 @@ fn transport_config() -> quinn::TransportConfig {
    config.keep_alive_interval(Some(Duration::from_secs(5)));
    // Enable DATAGRAM extension for unreliable media packets.
    // Allow datagrams up to 1200 bytes (conservative for lossy links).
    config.datagram_receive_buffer_size(Some(65536));
    // Conservative flow control for bandwidth-constrained links
@@ -134,6 +133,26 @@ fn transport_config() -> quinn::TransportConfig {
    // Aggressive initial RTT estimate for high-latency links
    config.initial_rtt(Duration::from_millis(300));
    // PMTUD (Path MTU Discovery) — quinn 0.11 enables this by default but
    // with conservative bounds (initial 1200, upper 1452). We keep the safe
    // initial_mtu of 1200 so the first packets always get through, but raise
    // upper_bound so the binary search can discover larger MTUs on paths that
    // support them. Typical results:
    //   - Ethernet/fiber: discovers ~1452 (Ethernet MTU minus IP/UDP/QUIC)
    //   - WireGuard/VPN: discovers ~1380-1420
    //   - Starlink: discovers ~1400-1452
    //   - Cellular: stays at 1200-1300
    // Black hole detection automatically falls back to 1200 if probes fail.
    // This matters for future video frames which can be 1-50 KB and benefit
    // from fewer application-layer fragments per frame.
    let mut mtu_config = quinn::MtuDiscoveryConfig::default();
    mtu_config
        .upper_bound(1452)
        .interval(Duration::from_secs(300))       // re-probe every 5 min
        .black_hole_cooldown(Duration::from_secs(30)); // retry faster on lossy links
    config.mtu_discovery_config(Some(mtu_config));
    config.initial_mtu(1200); // safe starting point
    config
 }
--- a/crates/wzp-transport/src/connection.rs
+++ b/crates/wzp-transport/src/connection.rs
@@ -39,6 +39,71 @@ pub async fn connect(
    Ok(connection)
 }
 /// Create an IPv6-only QUIC endpoint with `IPV6_V6ONLY=1`.
 ///
 /// Tries `[::]:preferred_port` first (same port as the IPv4 signal
 /// endpoint — allowed on Linux/Android when the AFs differ and
 /// V6ONLY is set). Falls back to `[::]:0` (OS-assigned) if the
 /// preferred port is already taken.
 ///
 /// Must be called from within a tokio runtime (quinn needs the
 /// async runtime handle for its I/O driver).
 pub fn create_ipv6_endpoint(
    preferred_port: u16,
    server_config: Option<quinn::ServerConfig>,
 ) -> Result<quinn::Endpoint, TransportError> {
    use socket2::{Domain, Protocol, Socket, Type};
    use std::net::{Ipv6Addr, SocketAddrV6};
    let sock = Socket::new(Domain::IPV6, Type::DGRAM, Some(Protocol::UDP))
        .map_err(|e| TransportError::Internal(format!("ipv6 socket: {e}")))?;
    // Critical: IPv6-only so this socket never intercepts IPv4.
    // On Android some kernels default to V6ONLY=1 anyway, but we
    // set it explicitly for cross-platform consistency.
    sock.set_only_v6(true)
        .map_err(|e| TransportError::Internal(format!("set_only_v6: {e}")))?;
    sock.set_reuse_address(true)
        .map_err(|e| TransportError::Internal(format!("set_reuse_address: {e}")))?;
    // Try the preferred port (same as IPv4 signal endpoint), fall
    // back to ephemeral if the OS rejects it.
    let bind_addr = SocketAddrV6::new(Ipv6Addr::UNSPECIFIED, preferred_port, 0, 0);
    if let Err(e) = sock.bind(&bind_addr.into()) {
        if preferred_port != 0 {
            tracing::debug!(
                preferred_port,
                error = %e,
                "ipv6 bind to preferred port failed, falling back to ephemeral"
            );
            let fallback = SocketAddrV6::new(Ipv6Addr::UNSPECIFIED, 0, 0, 0);
            sock.bind(&fallback.into())
                .map_err(|e| TransportError::Internal(format!("ipv6 bind fallback: {e}")))?;
        } else {
            return Err(TransportError::Internal(format!("ipv6 bind: {e}")));
        }
    }
    sock.set_nonblocking(true)
        .map_err(|e| TransportError::Internal(format!("set_nonblocking: {e}")))?;
    let udp_socket: std::net::UdpSocket = sock.into();
    let runtime = quinn::default_runtime()
        .ok_or_else(|| TransportError::Internal("no async runtime for ipv6 endpoint".into()))?;
    let endpoint = quinn::Endpoint::new(
        quinn::EndpointConfig::default(),
        server_config,
        udp_socket,
        runtime,
    )
    .map_err(|e| TransportError::Internal(format!("ipv6 endpoint: {e}")))?;
    Ok(endpoint)
 }
 /// Accept the next incoming connection on an endpoint.
 pub async fn accept(endpoint: &quinn::Endpoint) -> Result<quinn::Connection, TransportError> {
    let incoming = endpoint
--- a/crates/wzp-transport/src/lib.rs
+++ b/crates/wzp-transport/src/lib.rs
@@ -23,9 +23,9 @@ pub mod quic;
 pub mod reliable;
 pub use config::{client_config, server_config, server_config_from_seed, tls_fingerprint};
-pub use connection::{accept, connect, create_endpoint};
+pub use connection::{accept, connect, create_endpoint, create_ipv6_endpoint};
 pub use path_monitor::PathMonitor;
-pub use quic::QuinnTransport;
+pub use quic::{QuinnPathSnapshot, QuinnTransport};
 pub use wzp_proto::{MediaTransport, PathQuality, TransportError};
 // Re-export the quinn Endpoint type so downstream crates (wzp-desktop) can
--- a/crates/wzp-transport/src/path_monitor.rs
+++ b/crates/wzp-transport/src/path_monitor.rs
@@ -2,11 +2,17 @@
 //!
 //! Tracks packet loss (via sequence number gaps), RTT, jitter, and bandwidth.
 use std::collections::VecDeque;
 use wzp_proto::PathQuality;
 /// EWMA smoothing factor.
 const ALPHA: f64 = 0.1;
 /// Maximum number of RTT samples in the jitter variance sliding window.
 /// At ~50 packets/sec (20 ms frame), 10 samples ≈ 200 ms.
 const JITTER_VARIANCE_WINDOW_SIZE: usize = 10;
 /// Monitors network path quality metrics.
 pub struct PathMonitor {
    /// EWMA-smoothed loss percentage (0.0 - 100.0).
@@ -31,6 +37,8 @@ pub struct PathMonitor {
    last_rtt_ms: Option<f64>,
    /// Whether we have any observations yet.
    initialized: bool,
    /// Sliding window of recent RTT samples for variance calculation.
    rtt_window: VecDeque<f64>,
 }
 impl PathMonitor {
@@ -51,6 +59,7 @@ impl PathMonitor {
            total_received: 0,
            last_rtt_ms: None,
            initialized: false,
            rtt_window: VecDeque::with_capacity(JITTER_VARIANCE_WINDOW_SIZE),
        }
    }
@@ -122,6 +131,12 @@ impl PathMonitor {
        } else {
            self.rtt_ewma = ALPHA * rtt + (1.0 - ALPHA) * self.rtt_ewma;
        }
        // Maintain sliding window for variance calculation
        if self.rtt_window.len() >= JITTER_VARIANCE_WINDOW_SIZE {
            self.rtt_window.pop_front();
        }
        self.rtt_window.push_back(rtt);
    }
    /// Get the current estimated path quality.
@@ -155,6 +170,20 @@ impl PathMonitor {
        0
    }
    /// Compute the jitter (RTT standard deviation) over the sliding window.
    ///
    /// Returns the standard deviation in milliseconds, or 0.0 if insufficient
    /// samples. Used by `DredTuner` for spike detection.
    pub fn jitter_variance_ms(&self) -> f64 {
        let n = self.rtt_window.len();
        if n < 2 {
            return 0.0;
        }
        let mean = self.rtt_window.iter().sum::<f64>() / n as f64;
        let var = self.rtt_window.iter().map(|r| (r - mean).powi(2)).sum::<f64>() / n as f64;
        var.sqrt()
    }
    /// Detect whether a network handoff likely occurred.
    ///
    /// Returns `true` if the most recent RTT jitter measurement exceeds 3x
--- a/crates/wzp-transport/src/quic.rs
+++ b/crates/wzp-transport/src/quic.rs
@@ -13,6 +13,29 @@ use crate::datagram;
 use crate::path_monitor::PathMonitor;
 use crate::reliable;
 /// Snapshot of quinn's QUIC-level path statistics.
 ///
 /// Provides more accurate loss/RTT data than `PathMonitor`'s sequence-gap
 /// heuristic because quinn sees ACK frames and congestion signals directly.
 #[derive(Clone, Copy, Debug)]
 pub struct QuinnPathSnapshot {
    /// Smoothed RTT in milliseconds (from quinn's congestion controller).
    pub rtt_ms: u32,
    /// Cumulative loss percentage (lost_packets / sent_packets × 100).
    pub loss_pct: f32,
    /// Total congestion events observed by the QUIC stack.
    pub congestion_events: u64,
    /// Current congestion window in bytes.
    pub cwnd: u64,
    /// Total packets sent on this path.
    pub sent_packets: u64,
    /// Total packets lost on this path.
    pub lost_packets: u64,
    /// Current PMTUD-discovered maximum datagram payload size (bytes).
    /// Starts at `initial_mtu` (1200) and grows as PMTUD probes succeed.
    pub current_mtu: usize,
 }
 /// QUIC-based transport implementing the `MediaTransport` trait.
 pub struct QuinnTransport {
    connection: quinn::Connection,
@@ -33,6 +56,11 @@ impl QuinnTransport {
        &self.connection
    }
    /// Remote address of the peer on this connection.
    pub fn remote_address(&self) -> std::net::SocketAddr {
        self.connection.remote_address()
    }
    /// Send raw bytes as a QUIC datagram (no MediaPacket framing).
    pub fn send_raw_datagram(&self, data: &[u8]) -> Result<(), TransportError> {
        self.connection
@@ -61,6 +89,31 @@ impl QuinnTransport {
        datagram::max_datagram_payload(&self.connection)
    }
    /// Snapshot of QUIC-level path stats from quinn, useful for DRED tuning.
    ///
    /// Returns `(rtt_ms, loss_pct, congestion_events)` derived from quinn's
    /// internal congestion controller — more accurate than our own sequence-gap
    /// heuristic in `PathMonitor` because quinn sees ACK frames directly.
    pub fn quinn_path_stats(&self) -> QuinnPathSnapshot {
        let stats = self.connection.stats();
        let rtt_ms = stats.path.rtt.as_millis() as u32;
        let loss_pct = if stats.path.sent_packets > 0 {
            (stats.path.lost_packets as f32 / stats.path.sent_packets as f32) * 100.0
        } else {
            0.0
        };
        let current_mtu = self.connection.max_datagram_size().unwrap_or(1200);
        QuinnPathSnapshot {
            rtt_ms,
            loss_pct,
            congestion_events: stats.path.congestion_events,
            cwnd: stats.path.cwnd,
            sent_packets: stats.path.sent_packets,
            lost_packets: stats.path.lost_packets,
            current_mtu,
        }
    }
    /// Send an encoded [`TrunkFrame`] as a single QUIC datagram.
    pub fn send_trunk(&self, frame: &TrunkFrame) -> Result<(), TransportError> {
        let data = frame.encode();
--- a/desktop/index.html
+++ b/desktop/index.html
@@ -52,7 +52,7 @@
            <button id="register-btn" class="primary" style="background:#2196F3">Register on Relay</button>
            <div id="direct-registered" class="hidden" style="margin-top:12px">
              <div class="direct-registered-header">
-                <p style="color:var(--green);font-size:13px;margin:0">&#x2705; Registered — waiting for calls</p>
+                <p id="registered-status" style="color:var(--green);font-size:13px;margin:0">&#x2705; Registered — waiting for calls</p>
                <button id="deregister-btn" class="secondary-btn small">Deregister</button>
              </div>
              <div id="incoming-call-panel" class="hidden" style="background:#1B5E20;padding:12px;border-radius:8px;margin:8px 0">
@@ -111,6 +111,16 @@
        <div class="level-meter">
          <div id="level-bar" class="level-bar-fill"></div>
        </div>
        <!-- Direct-call phone layout — shown instead of the group
             participant list when directCallPeer is set. Centered
             identicon, name, fp, connection badge. Hidden for
             room calls (directCallPeer == null). -->
        <div id="direct-call-view" class="direct-call-view hidden">
          <div id="dc-identicon" class="dc-identicon"></div>
          <div id="dc-name" class="dc-name">Unknown</div>
          <div id="dc-fp" class="dc-fp"></div>
          <div id="dc-badge" class="dc-badge">Connecting...</div>
        </div>
        <div id="participants" class="participants"></div>
        <div class="controls">
          <button id="mic-btn" class="control-btn" title="Toggle Mic (m)">
@@ -177,11 +187,24 @@
              <input id="s-call-debug" type="checkbox" />
              Call flow debug logs (trace every step of a call)
            </label>
            <label class="checkbox">
              <input id="s-direct-only" type="checkbox" />
              Direct-only mode (no relay fallback — fails if P2P can't connect)
            </label>
            <label class="checkbox">
              <input id="s-birthday-attack" type="checkbox" />
              Birthday attack (opens extra ports for hard NAT — adds ~3s to setup)
            </label>
          </div>
          <div class="settings-section" id="s-call-debug-section" style="display:none">
            <h3>Call Debug Log</h3>
            <div id="s-call-debug-log" style="max-height:220px;overflow-y:auto;background:#0a0a0a;color:#e0e0e0;font-family:ui-monospace,Menlo,Monaco,'Courier New',monospace;font-size:10px;padding:6px;border-radius:4px;line-height:1.4;white-space:pre-wrap"></div>
-            <button id="s-call-debug-clear" class="secondary-btn" style="margin-top:6px">Clear log</button>
+            <div style="display:flex;gap:6px;margin-top:6px">
              <button id="s-call-debug-copy" class="secondary-btn" style="flex:1">Copy log</button>
              <button id="s-call-debug-share" class="secondary-btn" style="flex:1">Share</button>
              <button id="s-call-debug-clear" class="secondary-btn" style="flex:1">Clear log</button>
            </div>
            <small id="s-call-debug-copy-status" style="display:block;margin-top:4px;color:var(--text-dim);font-size:10px"></small>
            <small style="color:var(--text-dim);display:block;margin-top:4px">
              Rolling buffer of the last 200 call-flow events. Turned off by
              default — the GUI overlay only populates when the checkbox above
--- a/desktop/src-tauri/Cargo.toml
+++ b/desktop/src-tauri/Cargo.toml
@@ -36,6 +36,7 @@ tauri-build = { version = "2", features = [] }
 [dependencies]
 tauri = { version = "2", features = [] }
 tauri-plugin-shell = "2"
 tauri-plugin-notification = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tokio = { version = "1", features = ["full"] }
--- a/desktop/src-tauri/capabilities/default.json
+++ b/desktop/src-tauri/capabilities/default.json
@@ -21,6 +21,10 @@
    "core:window:default",
    "core:app:default",
    "core:webview:default",
-    "shell:default"
+    "shell:default",
    "notification:default",
    "notification:allow-notify",
    "notification:allow-request-permission",
    "notification:allow-is-permission-granted"
  ]
 }
--- a/desktop/src-tauri/gen/android/app/src/main/java/com/wzp/desktop/MainActivity.kt
+++ b/desktop/src-tauri/gen/android/app/src/main/java/com/wzp/desktop/MainActivity.kt
@@ -72,18 +72,22 @@ class MainActivity : TauriActivity() {
   * STREAM_VOICE_CALL volume is cranked to max since the in-call volume
   * slider is separate from media volume on most devices.
   */
  /**
   * Pre-flight: only set volumes. Do NOT set MODE_IN_COMMUNICATION here —
   * that hijacks the entire audio routing (music stops, BT A2DP drops to
   * earpiece) even before a call starts. The Rust side sets the mode via
   * JNI when the call engine actually starts, and restores MODE_NORMAL
   * when the call ends.
   */
  private fun configureAudioForCall() {
    try {
      val am = getSystemService(Context.AUDIO_SERVICE) as AudioManager
-      Log.i(TAG, "audio state before: mode=${am.mode} speaker=${am.isSpeakerphoneOn} " +
+      Log.i(TAG, "audio state: mode=${am.mode} speaker=${am.isSpeakerphoneOn} " +
        "voiceVol=${am.getStreamVolume(AudioManager.STREAM_VOICE_CALL)}/" +
        "${am.getStreamMaxVolume(AudioManager.STREAM_VOICE_CALL)} " +
        "musicVol=${am.getStreamVolume(AudioManager.STREAM_MUSIC)}/" +
        "${am.getStreamMaxVolume(AudioManager.STREAM_MUSIC)}")
      am.mode = AudioManager.MODE_IN_COMMUNICATION
      am.isSpeakerphoneOn = false   // default: handset / earpiece
      // Crank both voice-call and music volumes so nothing silent slips
      // through regardless of which stream actually ends up driving.
      val maxVoice = am.getStreamMaxVolume(AudioManager.STREAM_VOICE_CALL)
@@ -91,9 +95,7 @@ class MainActivity : TauriActivity() {
      val maxMusic = am.getStreamMaxVolume(AudioManager.STREAM_MUSIC)
      am.setStreamVolume(AudioManager.STREAM_MUSIC, maxMusic, 0)
-      Log.i(TAG, "audio state after: mode=${am.mode} speaker=${am.isSpeakerphoneOn} " +
+      Log.i(TAG, "volumes set: voiceVol=$maxVoice musicVol=$maxMusic (mode left at ${am.mode})")
        "voiceVol=${am.getStreamVolume(AudioManager.STREAM_VOICE_CALL)}/$maxVoice " +
        "musicVol=${am.getStreamVolume(AudioManager.STREAM_MUSIC)}/$maxMusic")
    } catch (e: Throwable) {
      Log.e(TAG, "configureAudioForCall failed: ${e.message}", e)
    }
--- a/desktop/src-tauri/gen/schemas/acl-manifests.json
+++ b/desktop/src-tauri/gen/schemas/acl-manifests.json
--- a/desktop/src-tauri/gen/schemas/capabilities.json
+++ b/desktop/src-tauri/gen/schemas/capabilities.json
@@ -1 +1 @@
-{"default":{"identifier":"default","description":"Default capability — grants core APIs (events, path, window, app, clipboard) to the main window on every platform we ship to.","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:event:allow-listen","core:event:allow-unlisten","core:event:allow-emit","core:event:allow-emit-to","core:path:default","core:window:default","core:app:default","core:webview:default","shell:default"],"platforms":["linux","macOS","windows","android","iOS"]}}
+{"default":{"identifier":"default","description":"Default capability — grants core APIs (events, path, window, app, clipboard) to the main window on every platform we ship to.","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:event:allow-listen","core:event:allow-unlisten","core:event:allow-emit","core:event:allow-emit-to","core:path:default","core:window:default","core:app:default","core:webview:default","shell:default","notification:default","notification:allow-notify","notification:allow-request-permission","notification:allow-is-permission-granted"],"platforms":["linux","macOS","windows","android","iOS"]}}
--- a/desktop/src-tauri/gen/schemas/desktop-schema.json
+++ b/desktop/src-tauri/gen/schemas/desktop-schema.json
@@ -2354,6 +2354,204 @@
          "const": "core:window:deny-unminimize",
          "markdownDescription": "Denies the unminimize command without any pre-configured scope."
        },
        {
          "description": "This permission set configures which\nnotification features are by default exposed.\n\n#### Granted Permissions\n\nIt allows all notification related features.\n\n\n#### This default permission set includes:\n\n- `allow-is-permission-granted`\n- `allow-request-permission`\n- `allow-notify`\n- `allow-register-action-types`\n- `allow-register-listener`\n- `allow-cancel`\n- `allow-get-pending`\n- `allow-remove-active`\n- `allow-get-active`\n- `allow-check-permissions`\n- `allow-show`\n- `allow-batch`\n- `allow-list-channels`\n- `allow-delete-channel`\n- `allow-create-channel`\n- `allow-permission-state`",
          "type": "string",
          "const": "notification:default",
          "markdownDescription": "This permission set configures which\nnotification features are by default exposed.\n\n#### Granted Permissions\n\nIt allows all notification related features.\n\n\n#### This default permission set includes:\n\n- `allow-is-permission-granted`\n- `allow-request-permission`\n- `allow-notify`\n- `allow-register-action-types`\n- `allow-register-listener`\n- `allow-cancel`\n- `allow-get-pending`\n- `allow-remove-active`\n- `allow-get-active`\n- `allow-check-permissions`\n- `allow-show`\n- `allow-batch`\n- `allow-list-channels`\n- `allow-delete-channel`\n- `allow-create-channel`\n- `allow-permission-state`"
        },
        {
          "description": "Enables the batch command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-batch",
          "markdownDescription": "Enables the batch command without any pre-configured scope."
        },
        {
          "description": "Enables the cancel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-cancel",
          "markdownDescription": "Enables the cancel command without any pre-configured scope."
        },
        {
          "description": "Enables the check_permissions command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-check-permissions",
          "markdownDescription": "Enables the check_permissions command without any pre-configured scope."
        },
        {
          "description": "Enables the create_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-create-channel",
          "markdownDescription": "Enables the create_channel command without any pre-configured scope."
        },
        {
          "description": "Enables the delete_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-delete-channel",
          "markdownDescription": "Enables the delete_channel command without any pre-configured scope."
        },
        {
          "description": "Enables the get_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-get-active",
          "markdownDescription": "Enables the get_active command without any pre-configured scope."
        },
        {
          "description": "Enables the get_pending command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-get-pending",
          "markdownDescription": "Enables the get_pending command without any pre-configured scope."
        },
        {
          "description": "Enables the is_permission_granted command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-is-permission-granted",
          "markdownDescription": "Enables the is_permission_granted command without any pre-configured scope."
        },
        {
          "description": "Enables the list_channels command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-list-channels",
          "markdownDescription": "Enables the list_channels command without any pre-configured scope."
        },
        {
          "description": "Enables the notify command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-notify",
          "markdownDescription": "Enables the notify command without any pre-configured scope."
        },
        {
          "description": "Enables the permission_state command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-permission-state",
          "markdownDescription": "Enables the permission_state command without any pre-configured scope."
        },
        {
          "description": "Enables the register_action_types command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-register-action-types",
          "markdownDescription": "Enables the register_action_types command without any pre-configured scope."
        },
        {
          "description": "Enables the register_listener command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-register-listener",
          "markdownDescription": "Enables the register_listener command without any pre-configured scope."
        },
        {
          "description": "Enables the remove_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-remove-active",
          "markdownDescription": "Enables the remove_active command without any pre-configured scope."
        },
        {
          "description": "Enables the request_permission command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-request-permission",
          "markdownDescription": "Enables the request_permission command without any pre-configured scope."
        },
        {
          "description": "Enables the show command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-show",
          "markdownDescription": "Enables the show command without any pre-configured scope."
        },
        {
          "description": "Denies the batch command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-batch",
          "markdownDescription": "Denies the batch command without any pre-configured scope."
        },
        {
          "description": "Denies the cancel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-cancel",
          "markdownDescription": "Denies the cancel command without any pre-configured scope."
        },
        {
          "description": "Denies the check_permissions command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-check-permissions",
          "markdownDescription": "Denies the check_permissions command without any pre-configured scope."
        },
        {
          "description": "Denies the create_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-create-channel",
          "markdownDescription": "Denies the create_channel command without any pre-configured scope."
        },
        {
          "description": "Denies the delete_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-delete-channel",
          "markdownDescription": "Denies the delete_channel command without any pre-configured scope."
        },
        {
          "description": "Denies the get_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-get-active",
          "markdownDescription": "Denies the get_active command without any pre-configured scope."
        },
        {
          "description": "Denies the get_pending command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-get-pending",
          "markdownDescription": "Denies the get_pending command without any pre-configured scope."
        },
        {
          "description": "Denies the is_permission_granted command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-is-permission-granted",
          "markdownDescription": "Denies the is_permission_granted command without any pre-configured scope."
        },
        {
          "description": "Denies the list_channels command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-list-channels",
          "markdownDescription": "Denies the list_channels command without any pre-configured scope."
        },
        {
          "description": "Denies the notify command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-notify",
          "markdownDescription": "Denies the notify command without any pre-configured scope."
        },
        {
          "description": "Denies the permission_state command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-permission-state",
          "markdownDescription": "Denies the permission_state command without any pre-configured scope."
        },
        {
          "description": "Denies the register_action_types command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-register-action-types",
          "markdownDescription": "Denies the register_action_types command without any pre-configured scope."
        },
        {
          "description": "Denies the register_listener command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-register-listener",
          "markdownDescription": "Denies the register_listener command without any pre-configured scope."
        },
        {
          "description": "Denies the remove_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-remove-active",
          "markdownDescription": "Denies the remove_active command without any pre-configured scope."
        },
        {
          "description": "Denies the request_permission command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-request-permission",
          "markdownDescription": "Denies the request_permission command without any pre-configured scope."
        },
        {
          "description": "Denies the show command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-show",
          "markdownDescription": "Denies the show command without any pre-configured scope."
        },
        {
          "description": "This permission set configures which\nshell functionality is exposed by default.\n\n#### Granted Permissions\n\nIt allows to use the `open` functionality with a reasonable\nscope pre-configured. It will allow opening `http(s)://`,\n`tel:` and `mailto:` links.\n\n#### This default permission set includes:\n\n- `allow-open`",
          "type": "string",
--- a/desktop/src-tauri/gen/schemas/macOS-schema.json
+++ b/desktop/src-tauri/gen/schemas/macOS-schema.json
@@ -2354,6 +2354,204 @@
          "const": "core:window:deny-unminimize",
          "markdownDescription": "Denies the unminimize command without any pre-configured scope."
        },
        {
          "description": "This permission set configures which\nnotification features are by default exposed.\n\n#### Granted Permissions\n\nIt allows all notification related features.\n\n\n#### This default permission set includes:\n\n- `allow-is-permission-granted`\n- `allow-request-permission`\n- `allow-notify`\n- `allow-register-action-types`\n- `allow-register-listener`\n- `allow-cancel`\n- `allow-get-pending`\n- `allow-remove-active`\n- `allow-get-active`\n- `allow-check-permissions`\n- `allow-show`\n- `allow-batch`\n- `allow-list-channels`\n- `allow-delete-channel`\n- `allow-create-channel`\n- `allow-permission-state`",
          "type": "string",
          "const": "notification:default",
          "markdownDescription": "This permission set configures which\nnotification features are by default exposed.\n\n#### Granted Permissions\n\nIt allows all notification related features.\n\n\n#### This default permission set includes:\n\n- `allow-is-permission-granted`\n- `allow-request-permission`\n- `allow-notify`\n- `allow-register-action-types`\n- `allow-register-listener`\n- `allow-cancel`\n- `allow-get-pending`\n- `allow-remove-active`\n- `allow-get-active`\n- `allow-check-permissions`\n- `allow-show`\n- `allow-batch`\n- `allow-list-channels`\n- `allow-delete-channel`\n- `allow-create-channel`\n- `allow-permission-state`"
        },
        {
          "description": "Enables the batch command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-batch",
          "markdownDescription": "Enables the batch command without any pre-configured scope."
        },
        {
          "description": "Enables the cancel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-cancel",
          "markdownDescription": "Enables the cancel command without any pre-configured scope."
        },
        {
          "description": "Enables the check_permissions command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-check-permissions",
          "markdownDescription": "Enables the check_permissions command without any pre-configured scope."
        },
        {
          "description": "Enables the create_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-create-channel",
          "markdownDescription": "Enables the create_channel command without any pre-configured scope."
        },
        {
          "description": "Enables the delete_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-delete-channel",
          "markdownDescription": "Enables the delete_channel command without any pre-configured scope."
        },
        {
          "description": "Enables the get_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-get-active",
          "markdownDescription": "Enables the get_active command without any pre-configured scope."
        },
        {
          "description": "Enables the get_pending command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-get-pending",
          "markdownDescription": "Enables the get_pending command without any pre-configured scope."
        },
        {
          "description": "Enables the is_permission_granted command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-is-permission-granted",
          "markdownDescription": "Enables the is_permission_granted command without any pre-configured scope."
        },
        {
          "description": "Enables the list_channels command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-list-channels",
          "markdownDescription": "Enables the list_channels command without any pre-configured scope."
        },
        {
          "description": "Enables the notify command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-notify",
          "markdownDescription": "Enables the notify command without any pre-configured scope."
        },
        {
          "description": "Enables the permission_state command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-permission-state",
          "markdownDescription": "Enables the permission_state command without any pre-configured scope."
        },
        {
          "description": "Enables the register_action_types command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-register-action-types",
          "markdownDescription": "Enables the register_action_types command without any pre-configured scope."
        },
        {
          "description": "Enables the register_listener command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-register-listener",
          "markdownDescription": "Enables the register_listener command without any pre-configured scope."
        },
        {
          "description": "Enables the remove_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-remove-active",
          "markdownDescription": "Enables the remove_active command without any pre-configured scope."
        },
        {
          "description": "Enables the request_permission command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-request-permission",
          "markdownDescription": "Enables the request_permission command without any pre-configured scope."
        },
        {
          "description": "Enables the show command without any pre-configured scope.",
          "type": "string",
          "const": "notification:allow-show",
          "markdownDescription": "Enables the show command without any pre-configured scope."
        },
        {
          "description": "Denies the batch command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-batch",
          "markdownDescription": "Denies the batch command without any pre-configured scope."
        },
        {
          "description": "Denies the cancel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-cancel",
          "markdownDescription": "Denies the cancel command without any pre-configured scope."
        },
        {
          "description": "Denies the check_permissions command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-check-permissions",
          "markdownDescription": "Denies the check_permissions command without any pre-configured scope."
        },
        {
          "description": "Denies the create_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-create-channel",
          "markdownDescription": "Denies the create_channel command without any pre-configured scope."
        },
        {
          "description": "Denies the delete_channel command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-delete-channel",
          "markdownDescription": "Denies the delete_channel command without any pre-configured scope."
        },
        {
          "description": "Denies the get_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-get-active",
          "markdownDescription": "Denies the get_active command without any pre-configured scope."
        },
        {
          "description": "Denies the get_pending command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-get-pending",
          "markdownDescription": "Denies the get_pending command without any pre-configured scope."
        },
        {
          "description": "Denies the is_permission_granted command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-is-permission-granted",
          "markdownDescription": "Denies the is_permission_granted command without any pre-configured scope."
        },
        {
          "description": "Denies the list_channels command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-list-channels",
          "markdownDescription": "Denies the list_channels command without any pre-configured scope."
        },
        {
          "description": "Denies the notify command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-notify",
          "markdownDescription": "Denies the notify command without any pre-configured scope."
        },
        {
          "description": "Denies the permission_state command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-permission-state",
          "markdownDescription": "Denies the permission_state command without any pre-configured scope."
        },
        {
          "description": "Denies the register_action_types command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-register-action-types",
          "markdownDescription": "Denies the register_action_types command without any pre-configured scope."
        },
        {
          "description": "Denies the register_listener command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-register-listener",
          "markdownDescription": "Denies the register_listener command without any pre-configured scope."
        },
        {
          "description": "Denies the remove_active command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-remove-active",
          "markdownDescription": "Denies the remove_active command without any pre-configured scope."
        },
        {
          "description": "Denies the request_permission command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-request-permission",
          "markdownDescription": "Denies the request_permission command without any pre-configured scope."
        },
        {
          "description": "Denies the show command without any pre-configured scope.",
          "type": "string",
          "const": "notification:deny-show",
          "markdownDescription": "Denies the show command without any pre-configured scope."
        },
        {
          "description": "This permission set configures which\nshell functionality is exposed by default.\n\n#### Granted Permissions\n\nIt allows to use the `open` functionality with a reasonable\nscope pre-configured. It will allow opening `http(s)://`,\n`tel:` and `mailto:` links.\n\n#### This default permission set includes:\n\n- `allow-open`",
          "type": "string",
--- a/desktop/src-tauri/src/android_audio.rs
+++ b/desktop/src-tauri/src/android_audio.rs
@@ -57,11 +57,37 @@ fn audio_manager<'local>(
    Ok(am)
 }
 /// Set `AudioManager.MODE_IN_COMMUNICATION`. Call when a VoIP call starts.
 /// This tells the audio policy to route through the communication device
 /// path (earpiece/BT SCO) instead of the media path (speaker/BT A2DP).
 pub fn set_audio_mode_communication() -> Result<(), String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    // MODE_IN_COMMUNICATION = 3
    env.call_method(&am, "setMode", "(I)V", &[JValue::Int(3)])
        .map_err(|e| format!("setMode(MODE_IN_COMMUNICATION): {e}"))?;
    tracing::info!("AudioManager: mode set to MODE_IN_COMMUNICATION");
    Ok(())
 }
 /// Restore `AudioManager.MODE_NORMAL`. Call when a VoIP call ends.
 pub fn set_audio_mode_normal() -> Result<(), String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    // MODE_NORMAL = 0
    env.call_method(&am, "setMode", "(I)V", &[JValue::Int(0)])
        .map_err(|e| format!("setMode(MODE_NORMAL): {e}"))?;
    tracing::info!("AudioManager: mode set to MODE_NORMAL");
    Ok(())
 }
 /// Switch between loud speaker (`true`) and earpiece/handset (`false`).
 ///
 /// Calls `AudioManager.setSpeakerphoneOn(on)` on the JVM. Requires that
 /// the audio mode is already `MODE_IN_COMMUNICATION` — MainActivity.kt
 /// sets this at startup, so by the time a call is up this is always true.
 pub fn set_speakerphone(on: bool) -> Result<(), String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
@@ -96,3 +122,238 @@ pub fn is_speakerphone_on() -> Result<bool, String> {
        .map_err(|e| format!("isSpeakerphoneOn: {e}"))?;
    Ok(on)
 }
 // ─── Bluetooth SCO routing ──────────────────────────────────────────────────
 /// Start Bluetooth SCO audio routing.
 ///
 /// On API 31+ uses `setCommunicationDevice()` which is the modern way to
 /// route voice audio to a specific device. Falls back to the deprecated
 /// `startBluetoothSco()` path on older APIs.
 ///
 /// The caller must restart Oboe streams after this call.
 pub fn start_bluetooth_sco() -> Result<(), String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    // Ensure speaker is off — mutually exclusive with BT.
    env.call_method(
        &am,
        "setSpeakerphoneOn",
        "(Z)V",
        &[JValue::Bool(0)],
    )
    .map_err(|e| format!("setSpeakerphoneOn(false): {e}"))?;
    // Try modern API first (API 31+): setCommunicationDevice(AudioDeviceInfo)
    // Find a BT SCO or BLE device from getAvailableCommunicationDevices()
    let used_modern = try_set_communication_device(&mut env, &am, true)?;
    if !used_modern {
        // Fallback: deprecated startBluetoothSco (API < 31)
        tracing::info!("start_bluetooth_sco: falling back to deprecated startBluetoothSco");
        env.call_method(&am, "startBluetoothSco", "()V", &[])
            .map_err(|e| format!("startBluetoothSco: {e}"))?;
    }
    tracing::info!(used_modern, "AudioManager: Bluetooth SCO started");
    Ok(())
 }
 /// Stop Bluetooth SCO audio routing, returning audio to the earpiece.
 ///
 /// The caller must restart Oboe streams after this call.
 pub fn stop_bluetooth_sco() -> Result<(), String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    // Modern API: clearCommunicationDevice() (API 31+)
    let cleared = try_set_communication_device(&mut env, &am, false)?;
    if !cleared {
        // Fallback: deprecated stopBluetoothSco
        env.call_method(&am, "stopBluetoothSco", "()V", &[])
            .map_err(|e| format!("stopBluetoothSco: {e}"))?;
    }
    tracing::info!(cleared, "AudioManager: Bluetooth SCO stopped");
    Ok(())
 }
 /// Try to use the modern `setCommunicationDevice` / `clearCommunicationDevice`
 /// API (Android 12 / API 31+). Returns `true` if the modern API was used.
 fn try_set_communication_device(
    env: &mut jni::AttachGuard<'_>,
    am: &JObject<'_>,
    enable: bool,
 ) -> Result<bool, String> {
    // Check SDK_INT >= 31 (Android 12)
    let sdk_int = env
        .get_static_field(
            "android/os/Build$VERSION",
            "SDK_INT",
            "I",
        )
        .and_then(|v| v.i())
        .unwrap_or(0);
    if sdk_int < 31 {
        return Ok(false);
    }
    if !enable {
        // clearCommunicationDevice()
        env.call_method(am, "clearCommunicationDevice", "()V", &[])
            .map_err(|e| format!("clearCommunicationDevice: {e}"))?;
        tracing::info!("clearCommunicationDevice: done");
        return Ok(true);
    }
    // getAvailableCommunicationDevices() → List<AudioDeviceInfo>
    let device_list = env
        .call_method(
            am,
            "getAvailableCommunicationDevices",
            "()Ljava/util/List;",
            &[],
        )
        .and_then(|v| v.l())
        .map_err(|e| format!("getAvailableCommunicationDevices: {e}"))?;
    let size = env
        .call_method(&device_list, "size", "()I", &[])
        .and_then(|v| v.i())
        .unwrap_or(0);
    // Find first BT device: TYPE_BLUETOOTH_SCO (7), TYPE_BLUETOOTH_A2DP (8),
    // TYPE_BLE_HEADSET (26), TYPE_BLE_SPEAKER (27)
    for i in 0..size {
        let device = env
            .call_method(
                &device_list,
                "get",
                "(I)Ljava/lang/Object;",
                &[JValue::Int(i)],
            )
            .and_then(|v| v.l())
            .map_err(|e| format!("list.get({i}): {e}"))?;
        let device_type = env
            .call_method(&device, "getType", "()I", &[])
            .and_then(|v| v.i())
            .unwrap_or(0);
        // BT SCO = 7, A2DP = 8, BLE headset = 26, BLE speaker = 27
        if matches!(device_type, 7 | 8 | 26 | 27) {
            let ok = env
                .call_method(
                    am,
                    "setCommunicationDevice",
                    "(Landroid/media/AudioDeviceInfo;)Z",
                    &[JValue::Object(&device)],
                )
                .and_then(|v| v.z())
                .unwrap_or(false);
            tracing::info!(
                device_type,
                ok,
                "setCommunicationDevice: set BT device"
            );
            return Ok(ok);
        }
    }
    tracing::warn!("setCommunicationDevice: no BT device in available list");
    Ok(false)
 }
 /// Query whether Bluetooth audio is currently the active communication device.
 ///
 /// On API 31+ checks `getCommunicationDevice()` type. Falls back to the
 /// deprecated `isBluetoothScoOn()` on older APIs.
 pub fn is_bluetooth_sco_on() -> Result<bool, String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    let sdk_int = env
        .get_static_field("android/os/Build$VERSION", "SDK_INT", "I")
        .and_then(|v| v.i())
        .unwrap_or(0);
    if sdk_int >= 31 {
        // getCommunicationDevice() → AudioDeviceInfo (nullable)
        let device = env
            .call_method(am, "getCommunicationDevice", "()Landroid/media/AudioDeviceInfo;", &[])
            .and_then(|v| v.l())
            .unwrap_or(JObject::null());
        if device.is_null() {
            return Ok(false);
        }
        let device_type = env
            .call_method(&device, "getType", "()I", &[])
            .and_then(|v| v.i())
            .unwrap_or(0);
        // BT SCO = 7, A2DP = 8, BLE headset = 26, BLE speaker = 27
        return Ok(matches!(device_type, 7 | 8 | 26 | 27));
    }
    // Fallback: deprecated API
    env.call_method(&am, "isBluetoothScoOn", "()Z", &[])
        .and_then(|v| v.z())
        .map_err(|e| format!("isBluetoothScoOn: {e}"))
 }
 /// Check whether a Bluetooth audio device is currently connected.
 ///
 /// Iterates `AudioManager.getDevices(GET_DEVICES_OUTPUTS)` and looks for
 /// any Bluetooth device type. Many headsets only register as A2DP until
 /// SCO is explicitly started, so we check for both SCO and A2DP types.
 pub fn is_bluetooth_available() -> Result<bool, String> {
    let (vm, activity) = jvm_and_activity()?;
    let mut env = vm
        .attach_current_thread()
        .map_err(|e| format!("attach_current_thread: {e}"))?;
    let am = audio_manager(&mut env, &activity)?;
    // AudioManager.GET_DEVICES_OUTPUTS = 2
    let devices = env
        .call_method(
            &am,
            "getDevices",
            "(I)[Landroid/media/AudioDeviceInfo;",
            &[JValue::Int(2)],
        )
        .and_then(|v| v.l())
        .map_err(|e| format!("getDevices(OUTPUTS): {e}"))?;
    let arr = jni::objects::JObjectArray::from(devices);
    let len = env
        .get_array_length(&arr)
        .map_err(|e| format!("get_array_length: {e}"))?;
    for i in 0..len {
        let device = env
            .get_object_array_element(&arr, i)
            .map_err(|e| format!("get_object_array_element({i}): {e}"))?;
        let device_type = env
            .call_method(&device, "getType", "()I", &[])
            .and_then(|v| v.i())
            .unwrap_or(0);
        // TYPE_BLUETOOTH_SCO = 7, TYPE_BLUETOOTH_A2DP = 8
        if device_type == 7 || device_type == 8 {
            tracing::info!(device_type, idx = i, "is_bluetooth_available: found BT device");
            return Ok(true);
        }
    }
    Ok(false)
 }
--- a/desktop/src-tauri/src/engine.rs
+++ b/desktop/src-tauri/src/engine.rs
--- a/desktop/src-tauri/src/lib.rs
+++ b/desktop/src-tauri/src/lib.rs
--- a/desktop/src-tauri/src/wzp_native.rs
+++ b/desktop/src-tauri/src/wzp_native.rs
@@ -26,7 +26,9 @@ static LIB: OnceLock<libloading::Library> = OnceLock::new();
 static VERSION: OnceLock<unsafe extern "C" fn() -> i32> = OnceLock::new();
 static HELLO: OnceLock<unsafe extern "C" fn(*mut u8, usize) -> usize> = OnceLock::new();
 static AUDIO_START: OnceLock<unsafe extern "C" fn() -> i32> = OnceLock::new();
 static AUDIO_START_BT: OnceLock<unsafe extern "C" fn() -> i32> = OnceLock::new();
 static AUDIO_STOP: OnceLock<unsafe extern "C" fn()> = OnceLock::new();
 static AUDIO_CAPTURE_AVAILABLE: OnceLock<extern "C" fn() -> usize> = OnceLock::new();
 static AUDIO_READ_CAPTURE: OnceLock<unsafe extern "C" fn(*mut i16, usize) -> usize> = OnceLock::new();
 static AUDIO_WRITE_PLAYOUT: OnceLock<unsafe extern "C" fn(*const i16, usize) -> usize> = OnceLock::new();
 static AUDIO_IS_RUNNING: OnceLock<unsafe extern "C" fn() -> i32> = OnceLock::new();
@@ -65,7 +67,9 @@ pub fn init() -> Result<(), String> {
        resolve!(VERSION, unsafe extern "C" fn() -> i32, b"wzp_native_version");
        resolve!(HELLO, unsafe extern "C" fn(*mut u8, usize) -> usize, b"wzp_native_hello");
        resolve!(AUDIO_START, unsafe extern "C" fn() -> i32, b"wzp_native_audio_start");
        resolve!(AUDIO_START_BT, unsafe extern "C" fn() -> i32, b"wzp_native_audio_start_bt");
        resolve!(AUDIO_STOP, unsafe extern "C" fn(), b"wzp_native_audio_stop");
        resolve!(AUDIO_CAPTURE_AVAILABLE, extern "C" fn() -> usize, b"wzp_native_audio_capture_available");
        resolve!(AUDIO_READ_CAPTURE, unsafe extern "C" fn(*mut i16, usize) -> usize, b"wzp_native_audio_read_capture");
        resolve!(AUDIO_WRITE_PLAYOUT, unsafe extern "C" fn(*const i16, usize) -> usize, b"wzp_native_audio_write_playout");
        resolve!(AUDIO_IS_RUNNING, unsafe extern "C" fn() -> i32, b"wzp_native_audio_is_running");
@@ -104,6 +108,14 @@ pub fn audio_start() -> Result<(), i32> {
    if ret == 0 { Ok(()) } else { Err(ret) }
 }
 /// Start Oboe in Bluetooth SCO mode — capture skips sample rate and
 /// input preset so the system routes to the BT SCO device natively.
 pub fn audio_start_bt() -> Result<(), i32> {
    let f = AUDIO_START_BT.get().ok_or(-100_i32)?;
    let ret = unsafe { f() };
    if ret == 0 { Ok(()) } else { Err(ret) }
 }
 /// Stop both streams. Safe to call even if not running.
 pub fn audio_stop() {
    if let Some(f) = AUDIO_STOP.get() {
@@ -111,6 +123,12 @@ pub fn audio_stop() {
    }
 }
 /// Number of capture samples available to read without blocking.
 pub fn audio_capture_available() -> usize {
    let Some(f) = AUDIO_CAPTURE_AVAILABLE.get() else { return 0; };
    f()
 }
 /// Read captured i16 PCM into `out`. Returns bytes actually copied.
 pub fn audio_read_capture(out: &mut [i16]) -> usize {
    let Some(f) = AUDIO_READ_CAPTURE.get() else { return 0; };
--- a/desktop/src/main.ts
+++ b/desktop/src/main.ts
@@ -2,6 +2,125 @@ import { invoke } from "@tauri-apps/api/core";
 import { listen } from "@tauri-apps/api/event";
 import { generateIdenticon, createIdenticonEl } from "./identicon";
 // ── Incoming-call ringer ─────────────────────────────────────────────
 //
 // Web Audio synthesized two-tone ring that loops until stop() is
 // called. No external asset file — works immediately on every
 // platform Tauri has a WebView on (Android, macOS, Windows, Linux).
 //
 // The pattern is a classic North American ring cadence: 440Hz +
 // 480Hz tone for 2s, 4s silence, repeat. Volume ramps to ~30%
 // peak so it's audible without being obnoxious on laptop
 // speakers. Stops cleanly on stop() — cancels the timer AND
 // disconnects the active oscillators so there's no tail audio.
 class Ringer {
  private ctx: AudioContext | null = null;
  private timer: number | null = null;
  private activeNodes: AudioNode[] = [];
  private running = false;
  start() {
    if (this.running) return;
    this.running = true;
    // Construct the AudioContext lazily on the first ring — some
    // platforms (iOS WebView, Android WebView) refuse to create
    // one until after a user gesture, so we MUST be past that
    // point by the time start() is called. Incoming call event is
    // user-adjacent enough that the WebView normally allows it.
    try {
      if (!this.ctx) {
        this.ctx = new (window.AudioContext || (window as any).webkitAudioContext)();
      }
    } catch (e) {
      console.warn("Ringer: AudioContext unavailable", e);
      this.running = false;
      return;
    }
    this.playOnce();
    // 2s tone + 4s silence = 6s cadence. Loop with setInterval.
    this.timer = window.setInterval(() => this.playOnce(), 6000);
  }
  stop() {
    this.running = false;
    if (this.timer != null) {
      window.clearInterval(this.timer);
      this.timer = null;
    }
    for (const n of this.activeNodes) {
      try {
        (n as any).disconnect();
      } catch {}
    }
    this.activeNodes = [];
  }
  private playOnce() {
    if (!this.ctx || !this.running) return;
    const ctx = this.ctx;
    const now = ctx.currentTime;
    const toneDurSec = 2.0;
    // Two-tone ring: 440Hz (A4) + 480Hz (close to B4). Mix both
    // through one gain node for envelope control.
    const gain = ctx.createGain();
    gain.gain.setValueAtTime(0, now);
    gain.gain.linearRampToValueAtTime(0.3, now + 0.05);
    gain.gain.setValueAtTime(0.3, now + toneDurSec - 0.05);
    gain.gain.linearRampToValueAtTime(0, now + toneDurSec);
    gain.connect(ctx.destination);
    for (const freq of [440, 480]) {
      const osc = ctx.createOscillator();
      osc.type = "sine";
      osc.frequency.value = freq;
      osc.connect(gain);
      osc.start(now);
      osc.stop(now + toneDurSec);
      this.activeNodes.push(osc);
    }
    this.activeNodes.push(gain);
    // Schedule a cleanup of old nodes after this tone finishes so
    // the activeNodes array doesn't grow unbounded across long
    // rings.
    window.setTimeout(() => {
      this.activeNodes = this.activeNodes.filter((n) => n !== gain);
    }, (toneDurSec + 0.1) * 1000);
  }
 }
 const ringer = new Ringer();
 /// Best-effort system notification via the tauri-plugin-notification
 /// plugin. Uses raw `invoke` so we don't need to import
 /// `@tauri-apps/plugin-notification` — just invoke the plugin
 /// commands directly. Silently no-ops if the plugin isn't
 /// available or permission is denied.
 async function notifyIncomingCall(from: string) {
  try {
    // Make sure we have permission first. On Android this prompts
    // the user once; after that it's cached.
    const granted = await invoke<boolean>(
      "plugin:notification|is_permission_granted",
    ).catch(() => false);
    if (!granted) {
      const result = await invoke<string>(
        "plugin:notification|request_permission",
      ).catch(() => "denied");
      if (result !== "granted") return;
    }
    await invoke("plugin:notification|notify", {
      options: {
        title: "Incoming call",
        body: `From ${from}`,
      },
    });
  } catch (e) {
    // Notification plugin missing or refused — not fatal, the
    // visible panel + ringer still alert the user.
    console.debug("notify: plugin unavailable or refused", e);
  }
 }
 // ── WebView hardening ──
 // Suppress the browser-style right-click context menu on desktop Tauri — it
 // exposes Inspect/Reload/Back/Forward entries that don't belong in a native-
@@ -50,6 +169,11 @@ const callTimer = document.getElementById("call-timer")!;
 const callStatus = document.getElementById("call-status")!;
 const levelBar = document.getElementById("level-bar")!;
 const participantsDiv = document.getElementById("participants")!;
 const directCallView = document.getElementById("direct-call-view")!;
 const dcIdenticon = document.getElementById("dc-identicon")!;
 const dcName = document.getElementById("dc-name")!;
 const dcFp = document.getElementById("dc-fp")!;
 const dcBadge = document.getElementById("dc-badge")!;
 const micBtn = document.getElementById("mic-btn")!;
 const micIcon = document.getElementById("mic-icon")!;
 const spkBtn = document.getElementById("spk-btn")!;
@@ -84,9 +208,14 @@ const sAlias = document.getElementById("s-alias") as HTMLInputElement;
 const sOsAec = document.getElementById("s-os-aec") as HTMLInputElement;
 const sDredDebug = document.getElementById("s-dred-debug") as HTMLInputElement;
 const sCallDebug = document.getElementById("s-call-debug") as HTMLInputElement;
 const sDirectOnly = document.getElementById("s-direct-only") as HTMLInputElement;
 const sBirthdayAttack = document.getElementById("s-birthday-attack") as HTMLInputElement;
 const sCallDebugSection = document.getElementById("s-call-debug-section") as HTMLDivElement;
 const sCallDebugLogEl = document.getElementById("s-call-debug-log") as HTMLDivElement;
 const sCallDebugClearBtn = document.getElementById("s-call-debug-clear") as HTMLButtonElement;
 const sCallDebugCopyBtn = document.getElementById("s-call-debug-copy") as HTMLButtonElement;
 const sCallDebugShareBtn = document.getElementById("s-call-debug-share") as HTMLButtonElement;
 const sCallDebugCopyStatus = document.getElementById("s-call-debug-copy-status") as HTMLElement;
 const sReflectedAddr = document.getElementById("s-reflected-addr") as HTMLSpanElement;
 const sReflectBtn = document.getElementById("s-reflect-btn") as HTMLButtonElement;
 const sNatType = document.getElementById("s-nat-type") as HTMLSpanElement;
@@ -160,6 +289,12 @@ interface Settings {
  /// renders into the rolling Debug Log panel in settings. Off in
  /// normal mode keeps the GUI quiet but logcat always has a copy.
  callDebugLogs: boolean;
  /// Debug: skip relay fallback on direct calls — fail if P2P
  /// doesn't connect. Useful for testing NAT traversal.
  directOnly: boolean;
  /// Enable birthday attack for hard NAT traversal. Adds ~3s to
  /// call setup when peer has symmetric NAT. Off by default.
  birthdayAttack: boolean;
 }
 function loadSettings(): Settings {
@@ -174,6 +309,8 @@ function loadSettings(): Settings {
    osAec: true, agc: true, quality: "auto", recentRooms: [],
    dredDebugLogs: false,
    callDebugLogs: false,
    directOnly: false,
    birthdayAttack: false,
  };
  try {
    const raw = localStorage.getItem("wzp-settings");
@@ -347,6 +484,9 @@ function renderRelayDialogList() {
    // Click to select
    item.addEventListener("click", () => {
      const prev = loadSettings();
      const prevRelayAddr = prev.relays[prev.selectedRelay]?.address;
      const s = loadSettings();
      s.selectedRelay = i;
@@ -358,6 +498,30 @@ function renderRelayDialogList() {
      saveSettingsObj(s);
      renderRelayDialogList();
      renderRelayButton();
      // If the user switched relays and we're currently registered,
      // transparently re-register against the new one. The Rust
      // `register_signal` command is idempotent and handles the
      // swap internally (close old transport → connect new). This
      // makes "change server" a single-click operation instead of
      // manual deregister + re-register.
      const newRelayAddr = r.address;
      if (newRelayAddr && newRelayAddr !== prevRelayAddr) {
        (async () => {
          // Is a signal currently registered? get_signal_status is
          // cheap and lets us decide whether to kick the swap.
          try {
            const st: any = await invoke("get_signal_status");
            if (st && st.status === "registered") {
              await invoke<string>("register_signal", { relay: newRelayAddr });
              // `signal-event { type: "registered" }` from Rust will
              // update directRegistered for us — no manual render here.
            }
          } catch (e) {
            console.warn("relay swap: failed to re-register", e);
          }
        })();
      }
    });
    relayDialogList.appendChild(item);
@@ -471,6 +635,100 @@ sCallDebugClearBtn.addEventListener("click", () => {
  sCallDebugLogEl.textContent = "";
 });
 /// Serialise the rolling call-debug buffer as plain text for
 /// copy/share. One entry per line, HH:MM:SS.mmm + step +
 /// compact JSON details. Same format the on-screen panel uses.
 function formatCallDebugLog(): string {
  return callDebugBuffer
    .map((e) => {
      const iso = new Date(e.ts_ms).toISOString().slice(11, 23);
      const details =
        e.details && Object.keys(e.details).length > 0
          ? " " + JSON.stringify(e.details)
          : "";
      return `${iso} ${e.step}${details}`;
    })
    .join("\n");
 }
 /// One-shot status helper for the copy/share buttons.
 function flashCallDebugStatus(msg: string, isError: boolean = false) {
  sCallDebugCopyStatus.textContent = msg;
  sCallDebugCopyStatus.style.color = isError ? "var(--yellow)" : "var(--green)";
  setTimeout(() => {
    sCallDebugCopyStatus.textContent = "";
  }, 2500);
 }
 sCallDebugCopyBtn.addEventListener("click", async () => {
  const text = formatCallDebugLog();
  if (!text) {
    flashCallDebugStatus("Log is empty", true);
    return;
  }
  try {
    await navigator.clipboard.writeText(text);
    flashCallDebugStatus(`✓ Copied ${callDebugBuffer.length} entries`);
  } catch (e) {
    // Some WebViews refuse clipboard access without a user
    // permission prompt; fall back to a selection-based copy.
    try {
      const ta = document.createElement("textarea");
      ta.value = text;
      ta.style.position = "fixed";
      ta.style.top = "0";
      ta.style.left = "0";
      ta.style.opacity = "0";
      document.body.appendChild(ta);
      ta.focus();
      ta.select();
      const ok = document.execCommand("copy");
      document.body.removeChild(ta);
      if (ok) {
        flashCallDebugStatus(`✓ Copied ${callDebugBuffer.length} entries`);
      } else {
        throw new Error("execCommand returned false");
      }
    } catch (e2) {
      flashCallDebugStatus(`⚠ Copy failed: ${String(e2)}`, true);
    }
  }
 });
 sCallDebugShareBtn.addEventListener("click", async () => {
  const text = formatCallDebugLog();
  if (!text) {
    flashCallDebugStatus("Log is empty", true);
    return;
  }
  // Try the Web Share API first — on Android WebView, this opens
  // the standard Share sheet and the user can send the text to
  // any messaging app. Falls back to clipboard copy if the
  // WebView doesn't expose navigator.share (most desktop
  // WebViews don't).
  const nav: any = navigator;
  if (nav.share) {
    try {
      await nav.share({
        title: "WarzonePhone debug log",
        text,
      });
      flashCallDebugStatus(`✓ Shared ${callDebugBuffer.length} entries`);
      return;
    } catch (e) {
      // User cancelled or WebView rejected — fall through to
      // clipboard copy as a best-effort.
      console.debug("share failed, falling back to clipboard", e);
    }
  }
  try {
    await navigator.clipboard.writeText(text);
    flashCallDebugStatus(`✓ Copied (no share API)`);
  } catch (e) {
    flashCallDebugStatus(`⚠ Share + copy both failed`, true);
  }
 });
 // Load fingerprint + alias + git hash + render identicon
 interface AppInfo { git_hash: string; alias: string; fingerprint: string; data_dir: string }
@@ -592,18 +850,43 @@ async function doConnect() {
  }
 }
 // Phase 5.6: when we're in a direct P2P call (not relay-
 // mediated), the relay's room infrastructure never sends a
 // RoomUpdate because neither peer actually joined the room.
 // pollStatus sees an empty participant list and shows "Waiting
 // for participants...". Track the peer's identity from the
 // signal plane and render a synthetic participant entry instead.
 let directCallPeer: { fingerprint: string; alias: string | null } | null = null;
 function showCallScreen() {
  connectScreen.classList.add("hidden");
  callScreen.classList.remove("hidden");
-  roomName.textContent = roomInput.value;
+
  // Direct call → phone-style layout; room call → group layout.
  if (directCallPeer) {
    const fp = directCallPeer.fingerprint || "";
    const alias = directCallPeer.alias;
    roomName.textContent = alias || fp.substring(0, 16) || "Direct Call";
    dcName.textContent = alias || "Unknown";
    dcFp.textContent = fp;
    dcIdenticon.innerHTML = "";
    dcIdenticon.appendChild(createIdenticonEl(fp || "?", 96, true));
    dcBadge.textContent = "Connecting...";
    dcBadge.className = "dc-badge connecting";
    directCallView.classList.remove("hidden");
    participantsDiv.classList.add("hidden");
  } else {
    roomName.textContent = roomInput.value;
    directCallView.classList.add("hidden");
    participantsDiv.classList.remove("hidden");
  }
  callStatus.className = "status-dot";
  statusInterval = window.setInterval(pollStatus, 250);
-  // Sync the Speaker/Earpiece label with the OS state (Android only; on
+  // Sync the audio route label with the OS state (Android only; on desktop
-  // desktop the command is a no-op returning false so we land on "Earpiece"
+  // get_audio_route returns "earpiece" so we land on the default).
-  // which is fine because desktop has no routing concept).
+  invoke<string>("get_audio_route")
-  invoke<boolean>("is_speakerphone_on")
+    .then((route) => { currentAudioRoute = (route as AudioRoute) || "earpiece"; updateRouteLabel(); })
-    .then((on) => { speakerphoneOn = !!on; updateSpkLabel(); })
+    .catch(() => { currentAudioRoute = "earpiece"; updateRouteLabel(); });
    .catch(() => { speakerphoneOn = false; updateSpkLabel(); });
 }
 function showConnectScreen() {
@@ -612,6 +895,10 @@ function showConnectScreen() {
  connectBtn.disabled = false;
  connectBtn.textContent = "Connect";
  levelBar.style.width = "0%";
  directCallPeer = null;
  // Clear the media-degraded banner if present
  const banner = document.getElementById("media-degraded-banner");
  if (banner) banner.remove();
  if (statusInterval) { clearInterval(statusInterval); statusInterval = null; }
 }
@@ -620,41 +907,92 @@ micBtn.addEventListener("click", async () => {
  try { const m: boolean = await invoke("toggle_mic"); micBtn.classList.toggle("muted", m); micIcon.textContent = m ? "Mic Off" : "Mic"; } catch {}
 });
-// Speaker routing (Android) — toggles AudioManager.setSpeakerphoneOn + then
+// Audio routing (Android) — cycles between earpiece, speaker, and Bluetooth
-// stops and restarts the Oboe streams so AAudio reconfigures with the new
+// SCO. Each transition calls the corresponding Tauri command which sets the
-// routing. The Rust-side Tauri command handles the restart, we just swap
+// AudioManager state and restarts Oboe streams so AAudio picks up the new
-// the button label.
+// route. On desktop all commands are no-ops.
 //
 // Earpiece is NOT a "muted" state, so DO NOT add the `.muted` CSS class
 // (which would tint the button red); that was a bug in 0178cbd that made
-// earpiece mode look like playback was off. A separate `.speaker-on` class
+// earpiece mode look like playback was off.
-// is available for css styling if we want to visually indicate loud mode.
+type AudioRoute = "earpiece" | "speaker" | "bluetooth";
-let speakerphoneOn = false;
+let currentAudioRoute: AudioRoute = "earpiece";
-let speakerphoneBusy = false;
+let routeBusy = false;
-function updateSpkLabel() {
+
-  spkBtn.classList.toggle("speaker-on", speakerphoneOn);
+function updateRouteLabel() {
  spkBtn.classList.remove("speaker-on", "bt-on");
  spkBtn.classList.remove("muted");
-  spkIcon.textContent = speakerphoneOn ? "🔊 Speaker" : "🔈 Earpiece";
+  switch (currentAudioRoute) {
    case "speaker":
      spkIcon.textContent = "🔊 Speaker";
      spkBtn.classList.add("speaker-on");
      break;
    case "bluetooth":
      spkIcon.textContent = "🎧 BT";
      spkBtn.classList.add("bt-on");
      break;
    default:
      spkIcon.textContent = "🔈 Earpiece";
      break;
  }
 }
-spkBtn.addEventListener("click", async () => {
+
-  if (speakerphoneBusy) return;  // debounce — the restart takes ~60ms
+async function cycleAudioRoute() {
-  speakerphoneBusy = true;
+  if (routeBusy) return; // debounce — Oboe restart takes ~60-400ms
-  const next = !speakerphoneOn;
+  routeBusy = true;
  spkBtn.disabled = true;
  try {
-    await invoke("set_speakerphone", { on: next });
+    const btAvailable = await invoke<boolean>("is_bluetooth_available");
-    speakerphoneOn = next;
+    const routes: AudioRoute[] = btAvailable
-    updateSpkLabel();
+      ? ["earpiece", "speaker", "bluetooth"]
      : ["earpiece", "speaker"];
    const idx = routes.indexOf(currentAudioRoute);
    const next = routes[(idx + 1) % routes.length];
    // Tear down current route, then activate next.
    // start_bluetooth_sco() already calls setSpeakerphoneOn(false)
    // internally, so we skip the separate speakerphone toggle when
    // transitioning to BT to avoid a redundant Oboe restart.
    if (currentAudioRoute === "bluetooth") {
      await invoke("set_bluetooth_sco", { on: false });
    }
    if (next === "speaker") {
      await invoke("set_speakerphone", { on: true });
    } else if (next === "bluetooth") {
      // BT start handles speaker-off internally + waits for SCO link
      await invoke("set_bluetooth_sco", { on: true });
    } else {
      // earpiece — turn everything off
      await invoke("set_speakerphone", { on: false });
    }
    currentAudioRoute = next;
    updateRouteLabel();
  } catch (e) {
-    console.error("set_speakerphone failed:", e);
+    console.error("cycleAudioRoute failed:", e);
  } finally {
    spkBtn.disabled = false;
-    speakerphoneBusy = false;
+    routeBusy = false;
  }
-});
+}
 spkBtn.addEventListener("click", cycleAudioRoute);
 hangupBtn.addEventListener("click", async () => {
  userDisconnected = true;
-  try { await invoke("disconnect"); } catch {}
+  // Use the new hangup_call command instead of raw disconnect —
  // it sends a Hangup signal to the relay FIRST so the peer
  // gets auto-dismissed from the call screen, then tears down
  // our local engine. Plain `disconnect` would leave the peer
  // stuck on the call screen with silent audio.
  try {
    await invoke("hangup_call");
  } catch {
    // Fall back to plain disconnect if hangup_call errors
    // (older Rust build without the new command).
    try {
      await invoke("disconnect");
    } catch {}
  }
  showConnectScreen();
 });
@@ -711,7 +1049,7 @@ async function pollStatus() {
    micBtn.classList.toggle("muted", st.mic_muted);
    micIcon.textContent = st.mic_muted ? "Mic Off" : "Mic";
    // NB: spkBtn label is driven by the Android audio routing state
-    // (speakerphoneOn / updateSpkLabel), not by the engine's spk_muted.
+    // (currentAudioRoute / updateRouteLabel), not by the engine's spk_muted.
    // Skip that here so pollStatus doesn't clobber the routing UI.
    callTimer.textContent = formatDuration(st.call_duration_secs);
@@ -719,8 +1057,35 @@ async function pollStatus() {
    const pct = rms > 0 ? Math.min(100, (Math.log(rms) / Math.log(32767)) * 100) : 0;
    levelBar.style.width = `${pct}%`;
-    // Participants grouped by relay
+    // Direct-call phone-style layout: update the connection
-    if (st.participants.length === 0) {
+    // badge from the call-debug buffer or from participants.
    if (directCallPeer) {
      // Check the debug buffer for the race result to label
      // the connection type (P2P Direct vs Relay).
      // Use reverse search for MOST RECENT event (avoid stale data
      // from previous calls). Spread+reverse instead of findLast for
      // WebView compatibility (findLast requires Chrome 97+).
      const pathNeg = [...callDebugBuffer].reverse().find((e) => e.step === "connect:path_negotiated");
      const engineOk = [...callDebugBuffer].reverse().find((e) => e.step === "connect:call_engine_started");
      if (engineOk) {
        if (pathNeg?.details?.use_direct === true) {
          dcBadge.textContent = "P2P Direct";
          dcBadge.className = "dc-badge";
        } else {
          dcBadge.textContent = "Via Relay";
          dcBadge.className = "dc-badge relay";
        }
      }
      // Skip the group participant rendering — direct-call
      // view is already visible and showing the peer.
    }
    // Participants grouped by relay (group/room calls only).
    // Hidden when directCallPeer is set — the phone-style
    // layout above handles the 1:1 display.
    if (directCallPeer) {
      // no-op: direct call view handles it
    } else if (st.participants.length === 0) {
      participantsDiv.innerHTML = '<div class="participants-empty">Waiting for participants...</div>';
    } else {
      participantsDiv.innerHTML = "";
@@ -776,6 +1141,42 @@ listen("call-event", (event: any) => {
  const { kind } = event.payload;
  if (kind === "room-update") pollStatus();
  if (kind === "disconnected" && !userDisconnected) pollStatus();
  // Phase 5.6: media health watchdog — show/clear a warning
  // banner when the media path dies (e.g., P2P direct
  // established but the network path changed, or cross-relay
  // media forwarding isn't working).
  if (kind === "media-degraded") {
    // Show a warning banner on the call screen. Don't auto-
    // disconnect — the user might be on a briefly-unstable
    // network and recovery is possible (the engine tracks
    // "media-recovered" and clears the banner if packets
    // resume).
    let banner = document.getElementById("media-degraded-banner");
    if (!banner) {
      banner = document.createElement("div");
      banner.id = "media-degraded-banner";
      banner.style.cssText =
        "background:rgba(239,68,68,0.15);color:var(--red);padding:8px 12px;" +
        "border-radius:8px;text-align:center;font-size:13px;margin:8px 0;";
      banner.innerHTML =
        '⚠ No audio — connection may be lost.<br>' +
        '<small style="color:var(--text-dim)">Try hanging up and reconnecting, or switch to a different relay.</small>';
      // Insert at the top of the call screen, below the header
      const participants = document.getElementById("participants");
      const directView = document.getElementById("direct-call-view");
      const insertBefore = (directView && !directView.classList.contains("hidden"))
        ? directView
        : participants;
      if (insertBefore?.parentNode) {
        insertBefore.parentNode.insertBefore(banner, insertBefore);
      }
    }
  }
  if (kind === "media-recovered") {
    const banner = document.getElementById("media-degraded-banner");
    if (banner) banner.remove();
  }
 });
 // ── Settings ──
@@ -784,6 +1185,8 @@ function openSettings() {
  sRoom.value = s.room; sAlias.value = s.alias; sOsAec.checked = s.osAec;
  sDredDebug.checked = !!s.dredDebugLogs;
  sCallDebug.checked = !!s.callDebugLogs;
  sDirectOnly.checked = !!s.directOnly;
  sBirthdayAttack.checked = !!s.birthdayAttack;
  // Show the debug-log panel only when the user has the flag on —
  // keeps the settings panel short in normal use.
  sCallDebugSection.style.display = s.callDebugLogs ? "" : "none";
@@ -826,9 +1229,18 @@ settingsBtnCall.addEventListener("click", openSettings);
 // shows its working state inline so the user knows it's waiting on
 // the relay rather than the network.
 // Phase 2 multi-relay NAT type detection. Probes every configured
-// relay in parallel through transient QUIC connections and
+// relay in parallel and classifies the result.
-// classifies the result. Green = Cone (P2P viable),
+//
-// amber = SymmetricPort (must relay), gray = Multiple / Unknown.
+//   Cone          = P2P direct path viable, green cue
 //   SymmetricPort = per-destination port mapping, informational
 //                   (P2P will fall back to relay but calls still work)
 //   Multiple      = classifier saw different public IPs; informational
 //   Unknown       = not enough public probes, neutral
 //
 // The classifier drops LAN / private / CGNAT reflex addrs before
 // deciding, so a mixed "LAN relay + internet relay" setup does NOT
 // falsely flag as symmetric. Failed probes are shown in the list
 // for transparency but dimmed, not highlighted.
 sNatDetectBtn.addEventListener("click", async () => {
  const s = loadSettings();
  if (!s.relays || s.relays.length === 0) {
@@ -859,17 +1271,18 @@ sNatDetectBtn.addEventListener("click", async () => {
      detection.nat_type === "Cone"
        ? `✓ Cone NAT — P2P viable (${detection.consensus_addr})`
        : detection.nat_type === "SymmetricPort"
-        ? "⚠ Symmetric NAT — must use relay"
+        ? "ℹ Symmetric NAT — P2P falls back to relay, calls still work"
        : detection.nat_type === "Multiple"
-        ? "⚠ Multiple IPs — treating as symmetric"
+        ? "ℹ Multiple public IPs observed"
-        : "? Unknown (not enough successful probes)";
+        : "? Unknown (not enough public probes)";
    // Only Cone is "good news green". Everything else is neutral
    // informational — the user has configured relays so any
    // classification result just describes their network; none
    // are "wrong" per se.
    const verdictColor =
      detection.nat_type === "Cone"
        ? "var(--green)"
        : detection.nat_type === "SymmetricPort" ||
          detection.nat_type === "Multiple"
        ? "var(--yellow)"
        : "var(--text-dim)";
    sNatType.textContent = verdictLabel;
@@ -882,7 +1295,10 @@ sNatDetectBtn.addEventListener("click", async () => {
            p.relay_addr
          )}) → ${escapeHtml(p.observed_addr)} [${p.latency_ms ?? "?"}ms]</div>`;
        } else {
-          return `<div style="color:var(--yellow)">• ${escapeHtml(
+          // Failed probes are dimmed, not highlighted — the classifier
          // already ignores them, and the user doesn't need to be
          // alarmed by a momentarily-offline relay.
          return `<div style="color:var(--text-dim);opacity:0.7">• ${escapeHtml(
            p.relay_name
          )} (${escapeHtml(p.relay_addr)}) → ${escapeHtml(
            p.error ?? "probe failed"
@@ -933,6 +1349,8 @@ settingsSave.addEventListener("click", () => {
  s.quality = QUALITY_STEPS[parseInt(sQuality.value)] || "auto";
  s.dredDebugLogs = sDredDebug.checked;
  s.callDebugLogs = sCallDebug.checked;
  s.directOnly = sDirectOnly.checked;
  s.birthdayAttack = sBirthdayAttack.checked;
  saveSettingsObj(s);
  // Push the new flags to the Rust side immediately so the next
  // frame / call already honors them without waiting for a restart.
@@ -1125,11 +1543,51 @@ clearHistoryBtn.addEventListener("click", async () => {
  } catch (e) { console.error(e); }
 });
 // Track whether a registration is in flight so the same button
 // can toggle between "Register" and "Cancel". The cancel path
 // calls deregister which closes the transport and makes the
 // in-flight connect fail, breaking the await cleanly.
 let registerInFlight = false;
 registerBtn.addEventListener("click", async () => {
  // ── Cancel path: user tapped the button while registration
  // is in flight (it says "Cancel") → tear down the attempt
  // so we don't block for 30s on an unreachable relay.
  if (registerInFlight) {
    registerInFlight = false;
    try { await invoke("deregister"); } catch {}
    registerBtn.textContent = "Register on Relay";
    registerBtn.disabled = false;
    connectError.textContent = "Registration cancelled";
    return;
  }
  const relay = getSelectedRelay();
  if (!relay) { connectError.textContent = "No relay selected"; return; }
  connectError.textContent = "";
  // ── Pre-flight ping: quick 3s QUIC handshake to check if
  // the relay is reachable BEFORE committing to the full
  // register flow (which takes ~10s to time out against a dead
  // host). If the ping fails, show "server unavailable"
  // immediately without blocking.
  registerBtn.textContent = "Checking...";
  registerBtn.disabled = true;
-  registerBtn.textContent = "Registering...";
+  try {
    await invoke("ping_relay", { relay: relay.address });
  } catch (e: any) {
    connectError.textContent = `Server unavailable: ${String(e)}`;
    registerBtn.disabled = false;
    registerBtn.textContent = "Register on Relay";
    return;
  }
  // ── Register path: ping succeeded, proceed with the full
  // registration. Show "Cancel" on the button so the user
  // can bail if the relay goes unreachable mid-handshake.
  registerInFlight = true;
  registerBtn.disabled = false;
  registerBtn.textContent = "Cancel";
  try {
    const fp = await invoke<string>("register_signal", { relay: relay.address });
    registerBtn.classList.add("hidden");
@@ -1137,9 +1595,14 @@ registerBtn.addEventListener("click", async () => {
    callStatusText.textContent = `Your fingerprint: ${fp}`;
    refreshHistory();
  } catch (e: any) {
-    connectError.textContent = String(e);
+    if (registerInFlight) {
      // Real failure, not a user cancel
      connectError.textContent = String(e);
    }
    registerBtn.disabled = false;
    registerBtn.textContent = "Register on Relay";
  } finally {
    registerInFlight = false;
  }
 });
@@ -1161,6 +1624,10 @@ callBtn.addEventListener("click", async () => {
  const target = targetFpInput.value.trim();
  if (!target) return;
  callStatusText.textContent = "Calling...";
  // Remember the target for P2P participant display — on a
  // direct call the relay never sends RoomUpdate so pollStatus
  // would otherwise show "Waiting for participants...".
  directCallPeer = { fingerprint: target, alias: null };
  try {
    await invoke("place_call", { targetFp: target });
  } catch (e: any) {
@@ -1169,14 +1636,24 @@ callBtn.addEventListener("click", async () => {
 });
 acceptCallBtn.addEventListener("click", async () => {
  ringer.stop();
  const status = await invoke<any>("get_signal_status");
  if (status.incoming_call_id) {
-    await invoke("answer_call", { callId: status.incoming_call_id, mode: 2 });
+    // mode=1 → AcceptTrusted — enables P2P direct path by
    // querying + advertising the callee's reflex addr in the
    // answer. The alternative is mode=2 → AcceptGeneric
    // (privacy mode) which intentionally skips the reflex query
    // to keep the callee's IP hidden from the caller but forces
    // the call onto the relay path. Default to trusted so the
    // Accept button gets real P2P; privacy can be a future
    // dedicated button if anyone needs it.
    await invoke("answer_call", { callId: status.incoming_call_id, mode: 1 });
    incomingCallPanel.classList.add("hidden");
  }
 });
 rejectCallBtn.addEventListener("click", async () => {
  ringer.stop();
  const status = await invoke<any>("get_signal_status");
  if (status.incoming_call_id) {
    await invoke("answer_call", { callId: status.incoming_call_id, mode: 0 });
@@ -1194,12 +1671,26 @@ listen("signal-event", (event: any) => {
    case "incoming":
      incomingCallPanel.classList.remove("hidden");
      incomingCaller.textContent = `From: ${data.caller_alias || data.caller_fp?.substring(0, 16) || "unknown"}`;
      // Remember the peer for the P2P participant display.
      directCallPeer = {
        fingerprint: data.caller_fp || "",
        alias: data.caller_alias || null,
      };
      // Start ringing + fire a system notification. Both stop in
      // the hangup/answered/accepted paths below (and via the
      // accept/reject button handlers).
      ringer.start();
      notifyIncomingCall(
        data.caller_alias || data.caller_fp?.substring(0, 16) || "unknown",
      );
      break;
    case "answered":
      callStatusText.textContent = `Call answered (${data.mode})`;
      ringer.stop();
      break;
    case "setup":
      callStatusText.textContent = "Connecting to media...";
      ringer.stop();
      // Phase 3 hole-punching: peer_direct_addr carries the OTHER
      // party's reflex addr when both sides advertised one. Forward
      // to Rust connect() which currently logs it + takes the relay
@@ -1213,6 +1704,10 @@ listen("signal-event", (event: any) => {
            osAec: osAecCheckbox.checked,
            quality: loadSettings().quality || "auto",
            peerDirectAddr: data.peer_direct_addr ?? null,
            peerLocalAddrs: data.peer_local_addrs ?? [],
            peerMappedAddr: data.peer_mapped_addr ?? null,
            directOnly: loadSettings().directOnly || false,
            birthdayAttack: loadSettings().birthdayAttack || false,
          });
          showCallScreen();
        } catch (e: any) {
@@ -1221,8 +1716,71 @@ listen("signal-event", (event: any) => {
      })();
      break;
    case "hangup":
      // Peer (or the relay) ended the call. Tear down OUR side
      // of the media engine and return to the connect screen
      // automatically — the user shouldn't have to hit End Call
      // on a call that's already over.
      //
      // Scenarios this handles:
      //   * active direct call, peer hung up → disconnect + back
      //     to connect screen
      //   * incoming call was ringing but caller bailed → hide
      //     incoming panel (no engine to disconnect)
      //   * setup failure mid-handshake → same as above
      callStatusText.textContent = "";
      incomingCallPanel.classList.add("hidden");
      ringer.stop();
      (async () => {
        try {
          // disconnect errors out with "not connected" if there's
          // no active engine — safe to ignore, we just want to
          // make sure any engine IS torn down.
          await invoke("disconnect");
        } catch {}
        // Suppress the call-event "disconnected" auto-reconnect
        // path since this was a peer-initiated hangup, not a
        // transport drop.
        userDisconnected = true;
        if (!callScreen.classList.contains("hidden")) {
          showConnectScreen();
        }
      })();
      break;
    case "reconnecting":
      // Signal supervisor is retrying the relay connection. Show
      // a non-blocking indicator on the small status line INSIDE
      // the registered panel — do NOT touch directRegistered
      // itself, that's the parent that holds the entire
      // registered UI (address bar, call button, history, ...)
      // and overwriting its textContent wipes all children.
      {
        const relay = typeof data.relay === "string" ? data.relay : "relay";
        const status = document.getElementById("registered-status");
        if (status) {
          status.textContent = `🔄 reconnecting to ${relay}…`;
          (status as HTMLElement).style.color = "var(--yellow)";
        }
      }
      break;
    case "registered":
      // Supervisor (re-)succeeded, or the first register landed.
      // Clear the reconnecting badge and keep the registered UI.
      {
        const fp = typeof data.fingerprint === "string" ? data.fingerprint : "";
        const status = document.getElementById("registered-status");
        if (status) {
          status.textContent = fp
            ? `✅ Registered (${fp.slice(0, 16)}…)`
            : "✅ Registered — waiting for calls";
          (status as HTMLElement).style.color = "var(--green)";
        }
        // Make sure the registered panel is visible and the
        // Register button is hidden. This is the critical path
        // both for the first register and for a transparent
        // supervisor-driven reconnect.
        directRegistered.classList.remove("hidden");
        registerBtn.classList.add("hidden");
      }
      break;
  }
 });
--- a/desktop/src/style.css
+++ b/desktop/src/style.css
@@ -371,7 +371,65 @@ button.primary:disabled { opacity: 0.5; cursor: not-allowed; }
  transition: width 0.1s ease-out;
 }
-/* ── Participants ── */
+/* ── Direct call phone-style layout ── */
 .direct-call-view {
  display: flex;
  flex-direction: column;
  align-items: center;
  justify-content: center;
  flex: 1;
  padding: 32px 16px;
  gap: 8px;
 }
 .dc-identicon {
  width: 96px;
  height: 96px;
  border-radius: 50%;
  overflow: hidden;
  margin-bottom: 12px;
  box-shadow: 0 0 24px rgba(74, 222, 128, 0.15);
 }
 .dc-identicon canvas,
 .dc-identicon svg,
 .dc-identicon img {
  width: 100% !important;
  height: 100% !important;
  display: block;
 }
 .dc-name {
  font-size: 22px;
  font-weight: 600;
  color: var(--text);
  text-align: center;
 }
 .dc-fp {
  font-size: 11px;
  font-family: ui-monospace, Menlo, Monaco, 'Courier New', monospace;
  color: var(--text-dim);
  text-align: center;
  word-break: break-all;
  max-width: 280px;
 }
 .dc-badge {
  display: inline-block;
  margin-top: 8px;
  padding: 4px 12px;
  border-radius: 12px;
  font-size: 11px;
  font-weight: 500;
  background: rgba(74, 222, 128, 0.12);
  color: var(--green);
 }
 .dc-badge.relay {
  background: rgba(96, 165, 250, 0.12);
  color: #60a5fa;
 }
 .dc-badge.connecting {
  background: rgba(250, 204, 21, 0.12);
  color: var(--yellow);
 }
 /* ── Participants (group call layout) ── */
 .participants {
  background: var(--surface);
  border-radius: var(--radius);
@@ -1025,7 +1083,10 @@ button.primary:disabled { opacity: 0.5; cursor: not-allowed; }
  color: white;
 }
-/* Speaker routing button (non-muted earpiece state should not look red) */
+/* Audio routing button — highlight color depends on active route */
 #spk-btn.speaker-on .icon {
  color: var(--accent);
 }
 #spk-btn.bt-on .icon {
  color: #60a5fa; /* blue-400 for Bluetooth */
 }
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -103,11 +103,13 @@ sequenceDiagram
    participant RNN as RNNoise<br/>(2 x 480)
    participant VAD as SilenceDetector
    participant Codec as Opus / Codec2
    participant DT as DredTuner<br/>(wzp-proto)
    participant FEC as RaptorQ FEC
    participant INT as Interleaver<br/>(depth=3)
    participant HDR as MediaHeader<br/>(12B or Mini 4B)
    participant Enc as ChaCha20-Poly1305
    participant QUIC as QUIC Datagram
    participant QPS as QuinnPathSnapshot
    Mic->>Ring: f32 x 512 (macOS callback)
    Ring->>Ring: Accumulate to 960 samples
@@ -118,10 +120,19 @@ sequenceDiagram
    else Silence (>100ms)
        VAD->>Codec: ComfortNoise (every 200ms)
    end
-    Codec->>FEC: Compressed bytes (pad to 256B symbol)
+
-    FEC->>FEC: Accumulate block (5-10 symbols)
+    Note over QPS,DT: Every 25 frames (~500ms)
-    FEC->>INT: Source + repair symbols
+    QPS->>DT: loss_pct, rtt_ms, jitter_ms
-    INT->>HDR: Interleaved packets
+    DT->>Codec: set_dred_duration() + set_expected_loss()
    alt Opus tier (any bitrate)
        Codec->>HDR: Compressed bytes + DRED side-channel (no RaptorQ)
    else Codec2 tier
        Codec->>FEC: Compressed bytes (pad to 256B symbol)
        FEC->>FEC: Accumulate block (5-10 symbols)
        FEC->>INT: Source + repair symbols
        INT->>HDR: Interleaved packets
    end
    HDR->>Enc: Header as AAD
    Enc->>QUIC: Encrypted payload + 16B tag
 ```
@@ -134,6 +145,9 @@ sequenceDiagram
 - Silence detection uses VAD + 100ms hangover before switching to ComfortNoise
 - FEC symbols are padded to **256 bytes** with a 2-byte LE length prefix
 - MiniHeaders (4 bytes) replace full headers (12 bytes) for 49 of every 50 frames
 - DRED tuner polls quinn path stats every 25 frames (~500ms) and adjusts DRED lookback duration continuously
 - Opus tiers bypass RaptorQ entirely -- DRED handles loss recovery at the codec layer
 - Opus6k DRED window: 1040ms (maximum libopus allows)
 ## Audio Decode Pipeline
@@ -154,13 +168,30 @@ sequenceDiagram
    Dec->>AR: Decrypt (header = AAD)
    AR->>AR: Check seq window (reject replay)
    AR->>HDR: Verified packet
-    HDR->>DEINT: MediaHeader + payload
+
-    DEINT->>FEC: Reordered symbols by block
+    alt Opus packet
-    FEC->>FEC: Attempt decode (need K of K+R)
+        HDR->>JIT: Direct to jitter buffer (no FEC/interleave)
-    FEC->>JIT: Recovered audio frames
+    else Codec2 packet
        HDR->>DEINT: MediaHeader + payload
        DEINT->>FEC: Reordered symbols by block
        FEC->>FEC: Attempt decode (need K of K+R)
        FEC->>JIT: Recovered audio frames
    end
    JIT->>JIT: BTreeMap ordered by seq
    JIT->>JIT: Wait until depth >= target
-    JIT->>Codec: Pop lowest seq frame
+
    alt Packet present
        JIT->>Codec: Pop lowest seq frame
    else Packet missing (Opus)
        JIT->>Codec: DRED reconstruction (neural)
        alt DRED fails or unavailable
            Codec->>Codec: Classical PLC fallback
        end
    else Packet missing (Codec2)
        Codec->>Codec: Classical PLC
    end
    Codec->>Ring: PCM i16 x 960
    Ring->>SPK: Audio callback pulls samples
 ```
@@ -172,6 +203,8 @@ sequenceDiagram
 - Jitter buffer target: **10 packets (200ms)** for client, **50 packets (1s)** for relay
 - Desktop client uses **direct playout** (no jitter buffer) with lock-free ring
 - Codec2 frames at 8 kHz are resampled to 48 kHz transparently
 - DRED reconstruction: on packet loss, decoder tries neural DRED reconstruction before falling back to classical PLC
 - Jitter-spike detection pre-emptively boosts DRED to ceiling when jitter variance spikes >30%
 ## Relay SFU Forwarding
@@ -211,6 +244,7 @@ graph TB
 3. If one send fails, the relay continues to the next participant (best-effort)
 4. The relay never decodes or re-encodes audio (preserves E2E encryption)
 5. With trunking enabled, packets to the same receiver are batched into TrunkFrames (flushed every 5ms)
 6. Relay tracks per-participant quality from QualityReport trailers and broadcasts `QualityDirective` when the room-wide tier degrades (coordinated codec switching)
 ## Federation Topology
@@ -348,7 +382,7 @@ Used for 49 of every 50 frames (~1s cycle). Saves 8 bytes per packet (67% header
  [session_id: 2][len: u16][payload: len]  x count
 ```
-Packs multiple session packets into one QUIC datagram. Maximum 10 entries or 1200 bytes, flushed every 5ms.
+Packs multiple session packets into one QUIC datagram. Maximum 10 entries or PMTUD-discovered MTU (starts at 1200, grows to ~1452 on Ethernet), flushed every 5ms.
 ### QualityReport (4 bytes, optional trailer)
@@ -361,6 +395,40 @@ Byte 3: bitrate_cap_kbps (0-255 kbps)
 Appended to a media packet when the Q flag is set in the MediaHeader.
 ## Path MTU Discovery
 Quinn's PLPMTUD is enabled with:
 - `initial_mtu`: 1200 bytes (QUIC minimum, always safe)
 - `upper_bound`: 1452 bytes (Ethernet minus IP/UDP/QUIC headers)
 - `interval`: 300s (re-probe every 5 minutes)
 - `black_hole_cooldown`: 30s (faster retry on lossy links)
 The discovered MTU is exposed via `QuinnPathSnapshot::current_mtu` and used by:
 - `TrunkedForwarder`: refreshes `max_bytes` on every send to fill larger datagrams
 - Future video framer: larger MTU = fewer application-layer fragments per frame
 ## Continuous DRED Tuning
 Instead of locking DRED duration to 3 discrete quality tiers, the `DredTuner` (in `wzp-proto::dred_tuner`) maps live path quality to a continuous DRED duration:
 | Input | Source | Update Rate |
 |-------|--------|-------------|
 | Loss % | `QuinnPathSnapshot::loss_pct` (from quinn ACK frames) | Every 25 packets (~500ms) |
 | RTT ms | `QuinnPathSnapshot::rtt_ms` (quinn congestion controller) | Every 25 packets |
 | Jitter ms | `PathMonitor::jitter_ms` (EWMA of RTT variance) | Every 25 packets |
 ### Mapping Logic
 - **Baseline**: codec-tier default (Studio=100ms, Good=200ms, Degraded=500ms)
 - **Ceiling**: codec-tier max (Studio=300ms, Good=500ms, Degraded=1040ms)
 - **Continuous**: linear interpolation between baseline and ceiling based on loss (0%->baseline, 40%->ceiling)
 - **RTT phantom loss**: high RTT (>200ms) adds phantom loss contribution to keep DRED generous
 - **Jitter spike**: >30% EWMA spike pre-emptively boosts to ceiling for ~5s cooldown
 ### Output
 `DredTuning { dred_frames: u8, expected_loss_pct: u8 }` -> fed to `CallEncoder::apply_dred_tuning()` -> `OpusEncoder::set_dred_duration()` + `set_expected_loss()`
 ## Signal Message Handshake Flow
 ```mermaid
@@ -405,6 +473,34 @@ sequenceDiagram
    R->>R: Remove from room, broadcast RoomUpdate
 ```
 ## Relay Concurrency Model
 ### Threading
 - Multi-threaded Tokio runtime (all available cores, work-stealing scheduler)
 - Task-per-connection: each QUIC connection gets a dedicated `tokio::spawn`
 - Task-per-participant-per-room: each participant's media forwarding loop is independent
 ### Shared State & Locking
 | Lock | Protected Data | Hold Duration | Contention |
 |------|---------------|---------------|------------|
 | `RoomManager` (Mutex) | Rooms, participants, quality tiers | ~1ms/packet | O(N) per room |
 | `PresenceRegistry` (Mutex) | Fingerprint registrations | ~1ms | Low (join/leave only) |
 | `SessionManager` (Mutex) | Active session tracking | ~1ms | Low |
 | `FederationManager.peer_links` (Mutex) | Peer connections | ~10ms during forward | Per-federation-packet |
 ### Scaling Characteristics
 - **Many small rooms**: Scales well across all cores (rooms are independent)
 - **Large single room (100+ participants)**: Serialized by RoomManager lock
 - **Federation**: Per-peer tasks scale; `peer_links` lock held during send loop
 ### Primary Bottleneck
 The RoomManager Mutex is acquired per-packet by every participant to get the fan-out peer list. Lock is released before I/O (sends happen outside lock), but packet processing is serialized through the lock within a room.
 Future optimization: per-room locks or lock-free participant lists via `DashMap`.
 ## Client Architecture
 ### Desktop Engine (Tauri)
@@ -940,3 +1036,182 @@ The patch introduces an `MSVC_CL` variable that is true only for real `cl.exe` (
 This does not affect macOS or Linux builds — on those platforms `MSVC=0` everywhere so the patched logic behaves identically to upstream.
 Upstream tracking: xiph/opus#256, xiph/opus PR #257 (both stale).
 ## Network Awareness (Android)
 The adaptive quality controller (`AdaptiveQualityController` in `wzp-proto`) supports proactive network-aware adaptation via `signal_network_change(NetworkContext)`. On Android, this is fed by `NetworkMonitor.kt` which wraps `ConnectivityManager.NetworkCallback`.
 ```
 ConnectivityManager
       │ onCapabilitiesChanged / onLost
       ▼
 NetworkMonitor.kt  ──classify──►  type: Int (WiFi=0, LTE=1, 5G=2, 3G=3)
       │ onNetworkChanged(type, bw)
       ▼
 CallViewModel  ──►  WzpEngine.onNetworkChanged()
                        │ JNI
                        ▼
                    jni_bridge.rs
                        │
                        ▼
                    EngineState.pending_network_type  (AtomicU8, lock-free)
                        │ polled every ~20ms
                        ▼
                    recv task: quality_ctrl.signal_network_change(ctx)
                        │
                        ├─ WiFi → Cellular: preemptive 1-tier downgrade
                        ├─ Any change: 10s FEC boost (+0.2 ratio)
                        └─ Cellular: faster downgrade thresholds (2 vs 3)
 ```
 Cellular generation is approximated from `getLinkDownstreamBandwidthKbps()` to avoid requiring `READ_PHONE_STATE` permission.
 ## Audio Routing (Android)
 Both Android app variants support 3-way audio routing: **Earpiece → Speaker → Bluetooth SCO**.
 ### Audio Mode Lifecycle
 `MODE_IN_COMMUNICATION` is set by the Rust call engine (via JNI `AudioManager.setMode()`) right before Oboe streams open — NOT at app launch. Restored to `MODE_NORMAL` when the call ends. This prevents hijacking system audio routing (music, BT A2DP) before a call is active.
 ### Native Kotlin App
 `AudioRouteManager.kt` handles device detection (via `AudioDeviceCallback`), SCO lifecycle, and auto-fallback on BT disconnect. `CallViewModel.cycleAudioRoute()` cycles through available routes.
 ### Tauri Desktop App
 `android_audio.rs` provides JNI bridges to `AudioManager` for speakerphone and Bluetooth SCO control. After each route change, Oboe streams are stopped and restarted via `spawn_blocking`.
 ```
 User tap ──► cycleAudioRoute()
                │
                ├─ Earpiece: setSpeakerphoneOn(false) + clearCommunicationDevice()
                ├─ Speaker:  setSpeakerphoneOn(true)
                └─ BT SCO:   setCommunicationDevice(bt_device)  [API 31+]
                │              fallback: startBluetoothSco()     [API < 31]
                ▼
            Oboe stop + start_bt() for BT / start() for others
 ```
 ### BT SCO and Oboe
 BT SCO only supports 8/16kHz. When `bt_active=1`, Oboe capture skips `setSampleRate(48000)` and `setInputPreset(VoiceCommunication)`, letting the system choose the native BT rate. Oboe's `SampleRateConversionQuality::Best` bridges to our 48kHz ring buffers. Playout uses `Usage::Media` in BT mode to avoid conflicts with the communication device routing.
 ### Hangup Signal Fix
 `SignalMessage::Hangup` now carries an optional `call_id` field. The relay uses it to end only the specific call instead of broadcasting to all active calls for the user — preventing a race where a hangup for call 1 kills a newly-placed call 2.
 ## Phase 8: Tailscale-Inspired NAT Traversal (2026-04-14)
 Five new modules in `wzp-client` bring NAT traversal capability close to Tailscale's approach:
 ```
 ┌──────────────────────────────────────────────────────────────────────┐
 │  wzp-client NAT Traversal Stack                                      │
 │                                                                      │
 │  ┌─────────────┐  ┌──────────────┐  ┌──────────────────────────┐    │
 │  │  stun.rs    │  │  portmap.rs  │  │  reflect.rs (existing)   │    │
 │  │  RFC 5389   │  │  NAT-PMP     │  │  Relay-based STUN        │    │
 │  │  Public     │  │  PCP         │  │  Multi-relay NAT detect  │    │
 │  │  STUN       │  │  UPnP IGD   │  │                          │    │
 │  └──────┬──────┘  └──────┬───────┘  └────────────┬─────────────┘    │
 │         │                │                        │                  │
 │         └────────────────┼────────────────────────┘                  │
 │                          │                                           │
 │                  ┌───────▼────────┐                                  │
 │                  │  ice_agent.rs  │                                  │
 │                  │  Gather / Re-  │                                  │
 │                  │  gather / Apply│                                  │
 │                  └───────┬────────┘                                  │
 │                          │                                           │
 │              ┌───────────┼───────────┐                               │
 │              │           │           │                               │
 │      ┌───────▼───┐  ┌───▼───┐  ┌───▼──────────┐                    │
 │      │ netcheck  │  │ dual_ │  │ relay_map.rs │                    │
 │      │ .rs       │  │ path  │  │ RTT-sorted   │                    │
 │      │ Diagnostic│  │ .rs   │  │ relay list   │                    │
 │      └───────────┘  │ Race  │  └──────────────┘                    │
 │                     └───────┘                                       │
 └──────────────────────────────────────────────────────────────────────┘
 ```
 ### Candidate Types
 | Type | Source | Priority | When Used |
 |------|--------|----------|-----------|
 | Host | `local_host_candidates()` | 1 (highest) | Same-LAN peers |
 | Port-mapped | `portmap::acquire_port_mapping()` | 2 | Router supports NAT-PMP/PCP/UPnP |
 | Server-reflexive | `stun::discover_reflexive()` or relay Reflect | 3 | Cone NAT |
 | Relay | Relay address (fallback) | 4 (lowest) | Always available |
 ### Signal Flow for Mid-Call Re-Gathering
 ```
 Network change (WiFi → cellular)
    │
    ▼
 IceAgent::re_gather()
    ├── stun::discover_reflexive()
    ├── portmap::acquire_port_mapping()
    └── local_host_candidates()
    │
    ▼
 SignalMessage::CandidateUpdate { generation: N+1, ... }
    │
    ▼ (via relay)
 Peer's IceAgent::apply_peer_update()
    │
    ▼
 PeerCandidates { reflexive, local, mapped }
    │
    ▼
 dual_path::race() with new candidates (TODO: transport hot-swap)
 ```
 ### New SignalMessage Variants & Fields
 | Signal | New Fields | Purpose |
 |--------|-----------|---------|
 | `DirectCallOffer` | `caller_mapped_addr` | Port-mapped address from NAT-PMP/PCP/UPnP |
 | `DirectCallAnswer` | `callee_mapped_addr` | Same, callee side |
 | `CallSetup` | `peer_mapped_addr` | Relay cross-wires mapped addr to peer |
 | `CandidateUpdate` | (new variant) | Mid-call candidate re-gathering |
 | `RegisterPresenceAck` | `relay_region`, `available_relays` | Relay mesh metadata for auto-selection |
 All new fields use `#[serde(default, skip_serializing_if)]` for backward compatibility with older clients/relays.
 ### Hard NAT Port Prediction
 For symmetric NATs that don't support port mapping, the system detects the NAT's port allocation pattern:
 ```
 Single socket → 5 STUN servers (sequential probes)
    │
    ▼
 Observed ports: [40001, 40002, 40003, 40004, 40005]
    │
    ▼
 classify_port_allocation() → Sequential { delta: 1 }
    │
    ▼
 predict_ports(last=40005, delta=1, offset=0, spread=2)
    → [40004, 40005, 40006, 40007, 40008]
    │
    ▼
 HardNatProbe signal → peer
    │
    ▼
 Peer dials predicted port range in parallel
 ```
 | Pattern | Detection | Traversal Strategy |
 |---------|-----------|-------------------|
 | Port-preserving | All probes return same port | Standard hole-punch |
 | Sequential (delta=N) | Consistent N-increment | Predict next port, dial range |
 | Random | No pattern | Birthday attack or relay |
 | Unknown | < 3 probes succeeded | Relay fallback |
 The classifier tolerates:
 - **Jitter**: ±1 from dominant delta (concurrent flow grabbed a port)
 - **Wraparound**: 65535 → 1 treated as delta=+2, not -65534
 - **Noise**: 60% threshold — if most deltas agree, call it sequential
--- a/docs/DESIGN.md
+++ b/docs/DESIGN.md
@@ -583,9 +583,79 @@ Signal messages are sent over reliable QUIC streams as length-prefixed JSON:
 | wzp-client | 30 + 2 integration | Encoder/decoder, quality adapter, silence, drift, sweep |
 | wzp-web | 2 | Metrics |
 ## Audio Routing (Android)
 WarzonePhone supports three audio output routes on Android: **Earpiece**, **Speaker**, and **Bluetooth SCO**. The user cycles through available routes with a single button.
 ### Audio mode lifecycle
 `MODE_IN_COMMUNICATION` is set **when the call engine starts** (right before Oboe `audio_start()`), not at app launch. This is critical — setting it early hijacks system audio routing (e.g. music drops from BT A2DP to earpiece). `MODE_NORMAL` is restored when the call engine stops.
 ```
 App launch  → MODE_NORMAL (other apps' audio unaffected)
 Call start  → set_audio_mode_communication() → MODE_IN_COMMUNICATION
 Call end    → audio_stop() → set_audio_mode_normal() → MODE_NORMAL
 ```
 ### Route lifecycle
 1. Call starts → Earpiece (default).
 2. User taps route button → cycles to next available route.
 3. Route change requires Oboe stream restart (~60-400ms) because AAudio silently tears down streams on some OEMs when the routing target changes mid-stream.
 4. Bluetooth disconnect mid-call → `AudioDeviceCallback.onAudioDevicesRemoved` fires → auto-fallback to Earpiece or Speaker.
 ### Bluetooth SCO
 SCO (Synchronous Connection Oriented) is the correct Bluetooth profile for VoIP — it provides bidirectional mono audio at 8/16 kHz with ~30ms latency. A2DP (stereo, high-quality) is unidirectional and adds 100-200ms of buffering, making it unsuitable for real-time voice.
 On API 31+ (Android 12), we use the modern `setCommunicationDevice(AudioDeviceInfo)` API to route audio to the BT SCO device. The deprecated `startBluetoothSco()` + `setBluetoothScoOn()` path is used as fallback on older APIs. `setBluetoothScoOn()` is silently rejected on Android 12+ for non-system apps.
 BT SCO devices only support 8/16kHz sample rates, but our pipeline runs at 48kHz. When BT is active, Oboe opens in **BT mode** (`bt_active=1`): capture skips `setSampleRate(48000)` and `setInputPreset(VoiceCommunication)`, letting the system open at the device's native rate. Oboe's `SampleRateConversionQuality::Best` resamples to/from 48kHz for our ring buffers.
 ### Two app variants
 Both the native Kotlin app (`AudioRouteManager.kt`) and the Tauri app (`android_audio.rs` JNI bridge) support BT SCO routing. The native app uses `AudioDeviceCallback` for automatic device detection; the Tauri app uses `getAvailableCommunicationDevices()` (API 31+) or `getDevices()` on demand.
 ## Network Change Response
 The `AdaptiveQualityController` in `wzp-proto` reacts to network transport changes signaled via `signal_network_change(NetworkContext)`:
 | Transition | Response |
 |-----------|----------|
 | WiFi → Cellular | Preemptive 1-tier quality downgrade + 10s FEC boost |
 | Cellular → WiFi | FEC boost only (quality recovers via normal adaptive logic) |
 | Any change | Reset hysteresis counters to avoid stale state |
 On Android, `NetworkMonitor.kt` wraps `ConnectivityManager.NetworkCallback` and classifies the transport type using bandwidth heuristics (no `READ_PHONE_STATE` needed). The classification is delivered to the Rust engine via JNI → `AtomicU8` → recv task polling — the same lock-free cross-task signaling pattern used for adaptive profile switches.
 ### Cellular generation heuristics
 | Downstream bandwidth | Classification |
 |---------------------|---------------|
 | >= 100 Mbps | 5G NR |
 | >= 10 Mbps | LTE |
 | < 10 Mbps | 3G or worse |
 These thresholds are conservative. Carriers over-report bandwidth, but for VoIP quality decisions the exact generation matters less than the rough category.
 ## Build Requirements
 - **Rust** 1.85+ (2024 edition)
 - **Linux**: cmake, pkg-config, libasound2-dev (for audio feature)
 - **macOS**: Xcode command line tools (CoreAudio included)
- **Android**: NDK r27c, cmake 3.28+ (from pip)
+- **Android**: NDK 26.1 (r26b), cmake 3.25-3.28 (system package)
 ### Android APK Builds
 ```bash
 # arm64 only (default, 25MB release APK)
 ./scripts/build-tauri-android.sh --init --release --arch arm64
 # armv7 only (smaller devices)
 ./scripts/build-tauri-android.sh --init --release --arch armv7
 # both architectures as separate APKs
 ./scripts/build-tauri-android.sh --init --release --arch all
 ```
 Release APKs are signed with `android/keystore/wzp-release.jks` via `apksigner`. Per-arch builds produce separate APKs (~25MB each vs ~50MB universal) for easier sharing with testers.
--- a/docs/PRD-adaptive-quality.md
+++ b/docs/PRD-adaptive-quality.md
@@ -61,12 +61,16 @@ Catastrophic       →  Codec2 1.2k (minimum viable voice)
   - Encoder can switch codec mid-stream
   - Decoder already auto-detects incoming codec from packet headers
-### What's missing
+### What's been implemented since PRD was written
-1. **QualityReport ingestion** — neither Android engine nor desktop engine reads quality reports from the relay
+1. **QualityReport ingestion** — ~~neither Android engine nor desktop engine reads quality reports from the relay~~ **Done**: both Android (`crates/wzp-android/src/engine.rs`) and desktop (`desktop/src-tauri/src/engine.rs`) recv tasks ingest quality reports and feed `AdaptiveQualityController`
-2. **Profile switch loop** — no periodic check that feeds reports to `QualityAdapter` and applies recommended switches
+2. **Profile switch loop** — ~~no periodic check~~ **Done**: `pending_profile` AtomicU8 bridges recv→send task in both engines; send task applies profile switch at frame boundary
-3. **Upward adaptation** — `QualityAdapter` only classifies into 3 tiers (GOOD/DEGRADED/CATASTROPHIC). Needs extension to recommend studio tiers when conditions are excellent (loss < 1%, RTT < 50ms)
+3. **Notification to UI** — ~~when quality changes, the UI should show the current active codec~~ **Done**: `tx_codec`/`rx_codec` in desktop `EngineStatus`; `currentCodec`/`peerCodec` in Android `CallStats`
-4. **Notification to UI** — when quality changes, the UI should show the current active codec
+
 ### What's still missing
 1. **Upward adaptation** — `QualityAdapter` only classifies into 3 tiers (GOOD/DEGRADED/CATASTROPHIC). Needs extension to recommend studio tiers when conditions are excellent (loss < 1%, RTT < 50ms). See Phase 2 below.
 2. **Relay QualityDirective handling** — relay broadcasts coordinated quality directives but neither engine processes them (signals are silently discarded). See PRD-coordinated-codec.md for details.
 ## Requirements
@@ -191,11 +195,20 @@ The `CallEncoder` already has `set_profile()`. The `CallDecoder` already auto-sw
 ## Milestones
-| Phase | Scope | Effort | Dependency |
+| Phase | Scope | Effort | Status |
-|-------|-------|--------|------------|
+|-------|-------|--------|--------|
-| 0 | Verify relay sends QualityReports | 0.5 day | None |
+| 0 | Verify relay sends QualityReports | 0.5 day | Done |
-| 1a | Wire QualityAdapter in Android engine | 1 day | Phase 0 |
+| 1a | Wire QualityAdapter in Android engine | 1 day | Done |
-| 1b | Wire QualityAdapter in desktop engine | 1 day | Phase 0 |
+| 1b | Wire QualityAdapter in desktop engine | 1 day | Done |
-| 1c | UI indicator (current codec) | 0.5 day | Phase 1a/1b |
+| 1c | UI indicator (current codec) | 0.5 day | Done |
-| 2 | Extended 5-tier classification | 0.5 day | Phase 1 |
+| 2 | Extended 5-tier classification (Studio64k→Catastrophic) | 0.5 day | Done (2026-04-13) |
-| 3 | Bandwidth probing | 2 days | Phase 2 |
+| 3 | Bandwidth probing | 2 days | Pending (task #10) |
 ## Implementation Status Update (2026-04-13)
 All phases implemented:
 - Phase 1: QualityAdapter with 3-tier classification — DONE
 - Phase 2: Extended 5-tier (Studio 64k/48k/32k + GOOD + DEGRADED + CATASTROPHIC) — DONE
 - Phase 3: Bandwidth probing — NOT DONE (see remaining tasks)
 - P2P adaptive quality: QualityReport::from_path_stats() + self-observation from quinn stats — DONE
 - Both relay and P2P calls now have full adaptive quality switching
--- a/docs/PRD-bluetooth-audio.md
+++ b/docs/PRD-bluetooth-audio.md
@@ -0,0 +1,105 @@
 # PRD: Bluetooth Audio Routing
 > Phase: Implemented  
 > Status: Ready for testing  
 > Platforms: Android (native Kotlin app + Tauri desktop app)
 ## Problem
 WarzonePhone had `AudioRouteManager.kt` with complete Bluetooth SCO support, but it was disconnected from both UIs. Users with Bluetooth headsets had no way to route call audio to them.
 ## Solution
 Wire Bluetooth SCO routing end-to-end through both app variants, replacing the binary speaker toggle with a 3-way audio route cycle: **Earpiece → Speaker → Bluetooth**.
 ## Architecture
 ```
 ┌─────────────────────────────────────────────────────┐
 │ Native Kotlin App (com.wzp)                         │
 │                                                     │
 │  InCallScreen ──► CallViewModel ──► AudioRouteManager
 │  (Compose UI)     cycleAudioRoute()  setSpeaker()   │
 │  "Ear/Spk/BT"    audioRoute Flow     setBluetoothSco()
 │                                      isBluetoothAvailable()
 └─────────────────────────────────────────────────────┘
 ┌─────────────────────────────────────────────────────┐
 │ Tauri Desktop App (com.wzp.desktop)                 │
 │                                                     │
 │  main.ts ──► Tauri Commands ──► android_audio.rs    │
 │  cycleAudioRoute()  set_bluetooth_sco()  JNI calls  │
 │  "Ear/Spk/BT"      is_bluetooth_available()         │
 │                     get_audio_route()                │
 │                                                     │
 │  After each route change: Oboe stop + start         │
 │  (spawn_blocking to avoid stalling tokio)           │
 └─────────────────────────────────────────────────────┘
 ```
 ## Components Modified
 ### Native Kotlin App
 | File | Change |
 |------|--------|
 | `CallViewModel.kt` | Added `audioRoute: StateFlow<AudioRoute>`, `cycleAudioRoute()`, wired `onRouteChanged` callback |
 | `InCallScreen.kt` | `ControlRow` now takes `audioRoute: AudioRoute` + `onCycleRoute`, displays Ear/Spk/BT with distinct colors |
 ### Tauri App
 | File | Change |
 |------|--------|
 | `android_audio.rs` | `setCommunicationDevice()` (API 31+) with `startBluetoothSco()` fallback; `set_audio_mode_communication/normal()` for call lifecycle |
 | `lib.rs` | `set_bluetooth_sco`, `is_bluetooth_available`, `get_audio_route` Tauri commands; SCO polling + 500ms route delay |
 | `wzp_native.rs` | Added `audio_start_bt()` for BT-mode Oboe (skips 48kHz + VoiceCommunication preset) |
 | `oboe_bridge.cpp` | `bt_active` flag: capture skips sample rate + input preset; playout uses `Usage::Media`; both use `Shared` mode + `SampleRateConversionQuality::Best` |
 | `engine.rs` | `set_audio_mode_communication()` before `audio_start()`; `set_audio_mode_normal()` after `audio_stop()` |
 | `MainActivity.kt` | Removed `MODE_IN_COMMUNICATION` from app launch — deferred to call start |
 | `main.ts` | Replaced `speakerphoneOn` toggle with `currentAudioRoute` cycling logic |
 | `style.css` | Added `.bt-on` CSS class (blue-400 highlight) |
 ## Audio Route Lifecycle
 1. **App launch** → `MODE_NORMAL` (other apps' audio unaffected — BT A2DP music keeps playing)
 2. **Call starts** → `MODE_IN_COMMUNICATION` set via JNI, Oboe opens with earpiece routing
 3. **User taps route button** → cycles to next available route
 4. **Route changes** → `setCommunicationDevice()` (API 31+) + Oboe restart in BT mode or normal mode
 5. **BT device disconnects mid-call** → `AudioDeviceCallback.onAudioDevicesRemoved` fires → auto-fallback to Earpiece/Speaker
 6. **Call ends** → route reset, `MODE_NORMAL` restored
 ## Route Cycling Logic
 ```
 Available routes = [Earpiece, Speaker] + [Bluetooth] if SCO device connected
 Tap cycle:
  Earpiece → Speaker → Bluetooth (if available) → Earpiece → ...
 If BT not available:
  Earpiece → Speaker → Earpiece → ...
 ```
 ## Permissions
 - `BLUETOOTH_CONNECT` (Android 12+) — already in `AndroidManifest.xml`
 - `MODIFY_AUDIO_SETTINGS` — already in manifest
 ## Known Limitations
 - **SCO only** — no A2DP (stereo music profile). SCO is correct for VoIP (bidirectional mono).
 - **API 31+ required for modern path** — `setCommunicationDevice()` is the primary BT routing API. Fallback to deprecated `startBluetoothSco()` on API < 31 (untested).
 - **BT SCO capture at 8/16kHz** — Oboe resamples to 48kHz via `SampleRateConversionQuality::Best`. Quality is inherently limited by the SCO codec (CVSD at 8kHz or mSBC at 16kHz).
 - **No auto-switch on BT connect** — when a BT device connects mid-call, user must tap the route button.
 - **500ms route switch delay** — after `setCommunicationDevice()` returns, the audio policy needs time to apply the bt-sco route. We wait 500ms before restarting Oboe.
 ## Testing
 1. Pair a Bluetooth SCO headset with Android device
 2. Start call → verify Earpiece is default
 3. Tap route → Speaker (audio moves to loudspeaker, button shows "Spk")
 4. Tap route → BT (audio moves to headset, button shows "BT", blue highlight)
 5. Tap route → Earpiece (audio back to earpiece, button shows "Ear")
 6. Disconnect BT mid-call → verify auto-fallback
 7. Verify both app variants work identically
 8. Verify no audio glitches during route transitions
--- a/docs/PRD-coordinated-codec.md
+++ b/docs/PRD-coordinated-codec.md
@@ -196,3 +196,26 @@ Implementation strategy: build for P2P first (simpler, 2 parties), then wrap the
 | 4 | Upgrade proposal + negotiation protocol | 2 days |
 | 5 | P2P quality adaptation (direct observation) | 1 day |
 | 6 | Per-participant asymmetric encoding (Option 2) | 1 day |
 ## Implementation Status (2026-04-13)
 Phases 1-2 are implemented. Phase 3 has a critical gap.
 ### What was built
 - **`QualityDirective` signal** (`crates/wzp-proto/src/packet.rs`): New `SignalMessage` variant with `recommended_profile` and optional `reason`
 - **`ParticipantQuality`** (`crates/wzp-relay/src/room.rs`): Per-participant quality tracking using `AdaptiveQualityController`, created on join, removed on leave
 - **Weakest-link broadcast**: `observe_quality()` method computes room-wide worst tier, broadcasts `QualityDirective` to all participants when tier changes
 - **Desktop engine handling** (`desktop/src-tauri/src/engine.rs`): `AdaptiveQualityController` in recv task, `pending_profile` AtomicU8 bridge to send task, auto-mode profile switching based on **inbound quality reports**
 ### Phase 3 completed (2026-04-13)
 Both engines now handle `QualityDirective` signals from the relay:
 - **Desktop** (`engine.rs`): both P2P and relay signal tasks match `QualityDirective`, extract `recommended_profile`, store index via `sig_pending_profile.store(idx, Release)`. Send task picks it up at the next frame boundary.
 - **Android** (`engine.rs`): signal task matches `QualityDirective`, stores via `pending_profile_recv.store(idx, Release)`.
 Relay-coordinated codec switching is now end-to-end: relay monitors → broadcasts directive → clients switch.
 ### Phase remaining
 - Phase 4: Upgrade proposal/negotiation protocol for quality recovery (task #28)
--- a/docs/PRD-dred-integration.md
+++ b/docs/PRD-dred-integration.md
@@ -358,3 +358,45 @@ End-to-end testing, in order:
 - **OSCE enable**: opusic-c has an `osce` feature flag for Opus Speech Coding Enhancement, a separate libopus 1.5 neural post-processor. Out of scope for this PRD but should be the next audio-quality follow-up. Probably one-line enable once opusic-c is in.
 - **Upstream PR to opusic-c**: our own `dred_ffi.rs` wrapper should be proven in production first, then the fixes upstreamed to `opusic-c/src/dred.rs` (preserve `dred_end`, fix `dred_offset` double-pass, expose `DredPacket` externally). Follow-up task, not blocking this PRD.
 - **`feat/desktop-audio-rewrite` merge**: the vendored `audiopus_sys` patch on that branch becomes obsolete under this PRD. Coordinate removal with whoever owns that branch.
 ## Phase A: Continuous DRED Tuning (Implemented 2026-04-12)
 Phase A extends the discrete tier-locked DRED durations from Phases 1-3 with continuous, network-driven tuning.
 ### What was built
 - **`DredTuner`** (`crates/wzp-proto/src/dred_tuner.rs`): Maps `(loss_pct, rtt_ms, jitter_ms)` → `(dred_frames, expected_loss_pct)` continuously
 - **Quinn stats exposure** (`crates/wzp-transport/src/quic.rs`): `QuinnPathSnapshot` provides quinn's internal RTT, loss, congestion events — more accurate than sequence-gap heuristics
 - **Jitter variance window** (`crates/wzp-transport/src/path_monitor.rs`): 10-sample sliding window for RTT standard deviation, used for spike detection
 - **`AudioEncoder` trait extensions** (`crates/wzp-proto/src/traits.rs`): `set_expected_loss()` and `set_dred_duration()` with default no-op, overridden by `OpusEncoder` and `AdaptiveEncoder`
 - **Engine integration** (`desktop/src-tauri/src/engine.rs`): Both Android and desktop send tasks poll every 25 frames and apply tuning
 ### Opus6k DRED extended
 `dred_duration_for(Opus6k)` changed from 50 (500ms) to 104 (1040ms) — the maximum libopus 1.5 supports. The RDO-VAE's quality-vs-offset curve makes this nearly free in bitrate terms while doubling burst resilience on the worst links.
 ### Jitter spike detection ("Sawtooth" prediction)
 When instantaneous jitter exceeds the EWMA × 1.3 (asymmetric: fast-up α=0.3, slow-down α=0.05), the tuner enters spike-boost mode:
 - DRED immediately jumps to the codec tier's ceiling
 - Cooldown: 10 cycles (~5 seconds at 25 packets/cycle)
 - Designed for Starlink satellite handover sawtooth jitter pattern
 ### Test coverage
 - 10 unit tests for tuner math (baseline, scaling, spike, cooldown, codec switch, Codec2 no-op)
 - 4 integration tests (encoder adjustment, spike boost, Codec2 no-op, profile switch with encode verification)
 ### Opus6k Frame Starvation Bug (Fixed 2026-04-13)
 During testing of the extended 1040ms DRED window on Opus6k, the 40ms codec produced only ~11 frames/s instead of 25 — making audio choppy regardless of DRED quality.
 **Root cause:** The Android capture ring read loop did partial reads that consumed samples from the ring but discarded them when retrying:
 1. Ring has 960 samples (one Oboe burst)
 2. `audio_read_capture(&mut buf[..1920])` reads 960 into `buf[0..960]`, returns 960
 3. Loop sees 960 < 1920, sleeps, retries from `buf[0..]` → overwrites the consumed samples
 4. ~50% of captured audio thrown away per frame
 **Fix:** Added `wzp_native_audio_capture_available()` to check ring fill level before reading (same pattern as the desktop CPAL path's `capture_ring.available()`). Also made `frame_samples` mutable so codec switches update the read size.
 **Affected codecs:** Only 40ms frame codecs (Opus6k, Codec2_1200). 20ms codecs (Opus24k, etc.) were unaffected because a single Oboe burst fills the entire request.
--- a/docs/PRD-engine-dedup.md
+++ b/docs/PRD-engine-dedup.md
@@ -0,0 +1,140 @@
 # PRD: Engine.rs Deduplication — Extract Shared Send/Recv Helpers
 ## Problem
 `desktop/src-tauri/src/engine.rs` is 1,705 lines with two nearly identical `CallEngine::start()` implementations — one for Android (880 lines) and one for desktop (430 lines). ~350 lines are copy-pasted between them. Every change to the encode/decode/adaptive-quality pipeline requires editing both places, and they've already diverged in subtle ways (Android has extensive first-join diagnostics that desktop lacks).
 ## Scope
 Extract the duplicated logic into shared helper functions. The Android and desktop paths should only differ in their audio I/O mechanism (Oboe ring via wzp-native vs CPAL capture_ring/playout_ring).
 ## What's Duplicated
 | Block | Description | Lines (each) |
 |-------|-------------|------|
 | `build_call_config()` | Resolve quality string → CallConfig | 23 |
 | Codec-to-profile match | Map CodecId → QualityProfile for decoder switch | 19 |
 | Adaptive quality switch | Read AtomicU8, index_to_profile, set_profile, update frame_samples + dred_tuner | 15 |
 | DRED tuner poll | Check frame counter, poll quinn stats, apply tuning | 15 |
 | Quality report ingestion | Extract quality_report, feed to AdaptiveQualityController, store to AtomicU8 | 8 |
 | Signal task | Accept signals, handle RoomUpdate/QualityDirective/Hangup | 48 |
 | **Total** | | **~128 lines × 2 = 256 lines eliminated** |
 ## Implementation
 ### Phase 1: Top-Level Helper Functions
 ```rust
 fn build_call_config(quality: &str) -> CallConfig {
    let profile = resolve_quality(quality);
    match profile {
        Some(p) => CallConfig {
            noise_suppression: false,
            suppression_enabled: false,
            ..CallConfig::from_profile(p)
        },
        None => CallConfig {
            noise_suppression: false,
            suppression_enabled: false,
            ..CallConfig::default()
        },
    }
 }
 fn codec_to_profile(codec: CodecId) -> QualityProfile {
    match codec {
        CodecId::Opus24k => QualityProfile::GOOD,
        CodecId::Opus6k => QualityProfile::DEGRADED,
        CodecId::Opus32k => QualityProfile::STUDIO_32K,
        CodecId::Opus48k => QualityProfile::STUDIO_48K,
        CodecId::Opus64k => QualityProfile::STUDIO_64K,
        CodecId::Codec2_1200 => QualityProfile::CATASTROPHIC,
        CodecId::Codec2_3200 => QualityProfile {
            codec: CodecId::Codec2_3200,
            fec_ratio: 0.5,
            frame_duration_ms: 20,
            frames_per_block: 5,
        },
        other => QualityProfile { codec: other, ..QualityProfile::GOOD },
    }
 }
 fn check_adaptive_switch(
    pending: &AtomicU8,
    encoder: &mut CallEncoder,
    tuner: &mut wzp_proto::DredTuner,
    frame_samples: &mut usize,
    tx_codec: &tokio::sync::Mutex<String>,
 ) -> bool {
    let p = pending.swap(PROFILE_NO_CHANGE, Ordering::Acquire);
    if p == PROFILE_NO_CHANGE { return false; }
    if let Some(new_profile) = index_to_profile(p) {
        let new_fs = (new_profile.frame_duration_ms as usize) * 48;
        if encoder.set_profile(new_profile).is_ok() {
            *frame_samples = new_fs;
            tuner.set_codec(new_profile.codec);
            // Caller updates tx_codec display string
            return true;
        }
    }
    false
 }
 ```
 ### Phase 2: Shared Signal Task
 Extract the signal task into a standalone async function:
 ```rust
 async fn run_signal_task(
    transport: Arc<wzp_transport::QuinnTransport>,
    running: Arc<AtomicBool>,
    pending_profile: Arc<AtomicU8>,
    participants: Arc<Mutex<Vec<ParticipantInfo>>>,
 ) {
    loop {
        if !running.load(Ordering::Relaxed) { break; }
        match tokio::time::timeout(
            Duration::from_millis(SIGNAL_TIMEOUT_MS),
            transport.recv_signal(),
        ).await {
            Ok(Ok(Some(msg))) => {
                // Handle RoomUpdate, QualityDirective, Hangup...
            }
            _ => {}
        }
    }
 }
 ```
 ### Phase 3: Shared DRED Poll + Quality Ingestion
 These are small blocks but appear in both send and recv tasks. Extract as inline helpers or closures.
 ## Verification
 1. `cargo check --workspace` — must compile
 2. `cargo test -p wzp-proto -p wzp-relay -p wzp-client --lib` — must pass
 3. Manual test: place a call Android↔Desktop, verify audio works in both directions
 4. Verify adaptive quality still switches (set one side to auto, degrade network)
 ## Effort
 - Phase 1: 1 hour (extract 3 functions, update 6 call sites)
 - Phase 2: 30 min (extract signal task, update 2 spawn sites)
 - Phase 3: 30 min (cleanup remaining small duplicates)
 - Total: ~2 hours
 ## Not In Scope
 - Audio I/O trait abstraction (Oboe vs CPAL) — different project, different risk profile
 - Moving Android-specific diagnostics (first-join, PCM recorder) into a feature flag
 - Splitting engine.rs into multiple files
 ## Implementation Status (2026-04-13)
 All phases implemented:
 - build_call_config(): shared CallConfig construction — DONE
 - codec_to_profile(): shared CodecId → QualityProfile mapping — DONE
 - run_signal_task(): shared signal handler — DONE
 - Net reduction: ~39 lines, 6 duplicated blocks → single-line calls
--- a/docs/PRD-hard-nat.md
+++ b/docs/PRD-hard-nat.md
@@ -0,0 +1,220 @@
 # PRD: Hard NAT Traversal (Port Prediction + Birthday Attack)
 > Phase: Partial implementation
 > Status: Phase A done, Phase B signal ready, C-D not started (2026-04-14)
 > Crate: wzp-client, wzp-proto, wzp-relay
 ## Problem
 When both peers are behind **symmetric NATs** (endpoint-dependent mapping), standard hole-punching fails because the external port changes per destination. Our Phase 8.2 port mapping (NAT-PMP/PCP/UPnP) solves this when the router supports it (~70% of consumer routers), but the remaining ~30% — plus corporate firewalls, cloud NATs (AWS/Azure), and carrier-grade NATs — fall back to relay.
 Tailscale tackles this with two techniques:
 1. **Port prediction** for NATs with sequential allocation patterns
 2. **Birthday attack** for NATs with random allocation
 Both are viable when **at least one peer has a predictable NAT** (easy+hard pair). When **both** peers have fully random symmetric NATs, even Tailscale falls back to relay.
 ## Background: How Symmetric NATs Allocate Ports
 | Pattern | Behavior | Prevalence | Traversal |
 |---------|----------|------------|-----------|
 | **Sequential** | port N, N+1, N+2... per new flow | ~40% of symmetric NATs (home routers) | Port prediction viable |
 | **Random** | truly random port per flow | ~50% (enterprise, cloud, CGNAT) | Birthday attack only |
 | **Port-preserving** | same as source port when possible | ~10% (behaves like cone NAT) | Standard hole-punch works |
 ## Solution Overview
 ### Phase A: NAT Port Allocation Pattern Detection
 Before attempting hard NAT traversal, detect whether the NAT allocates ports sequentially or randomly. This determines which strategy to use.
 **Method**: Send 5 STUN Binding Requests from the same source socket to 5 different STUN servers. Collect the 5 observed external ports. Analyze:
 ```
 Ports: [40001, 40002, 40003, 40004, 40005]  → Sequential (delta=1)
 Ports: [40001, 40003, 40005, 40007, 40009]  → Sequential (delta=2)
 Ports: [40001, 52847, 19432, 61203, 8847]   → Random
 Ports: [4433,  4433,  4433,  4433,  4433]   → Port-preserving (cone-like)
 ```
 Classification:
 - All same port → `PortPreserving` (use standard hole-punch)
 - Consistent delta between consecutive ports → `Sequential { delta: i16 }`
 - No pattern → `Random`
 **New struct**:
 ```rust
 pub enum PortAllocation {
    PortPreserving,
    Sequential { delta: i16 },
    Random,
    Unknown,
 }
 ```
 Add to `NetcheckReport` and `NatDetection`.
 ### Phase B: Port Prediction (Sequential NATs)
 When the NAT is sequential, we can **predict** the next external port:
 1. Client sends a STUN probe → observes external port P
 2. Client knows the NAT will assign P+delta for the next outbound flow
 3. Client tells peer (via relay or chat): "dial me at `my_ip:(P + delta * N)`" where N is the number of flows the client will open before the peer's packet arrives
 4. Client opens a QUIC connection to the peer's predicted port at the same time
 5. If the prediction lands within a small window, the QUIC handshake succeeds
 **Timing is critical**: both peers must probe, predict, and dial within a tight window (~500ms) so the port prediction doesn't drift.
 **Coordination via relay** (or out-of-band chat):
 ```
 SignalMessage::HardNatProbe {
    call_id: String,
    /// My observed port sequence (last 3 ports, most recent first)
    port_sequence: Vec<u16>,
    /// My detected allocation pattern
    allocation: PortAllocation,
    /// Timestamp (ms since epoch) — for synchronization
    probe_time_ms: u64,
    /// My external IP (from STUN)
    external_ip: String,
 }
 ```
 Both peers exchange `HardNatProbe`, then simultaneously:
 1. Each predicts the other's next port: `peer_ip:(peer_last_port + peer_delta * offset)`
 2. Each opens N parallel QUIC connections to predicted port range: `[predicted - 2, predicted + 2]`
 3. First successful handshake wins
 **Expected success rate**: ~80% for sequential NATs with consistent delta, within 2-3 seconds.
 ### Phase C: Birthday Attack (Random NATs)
 When the NAT is random, port prediction is impossible. Instead, exploit the **birthday paradox**:
 **Math**: With N ports open on side A and M probes from side B into a 65536-port space:
 - N=256, M=256: P(collision) ≈ 1 - e^(-256*256/65536) ≈ 63%
 - N=256, M=512: P(collision) ≈ 1 - e^(-256*512/65536) ≈ 87%
 - N=256, M=1024: P(collision) ≈ 1 - e^(-256*1024/65536) ≈ 98%
 **Implementation**:
 1. **Acceptor side** (easy NAT or the side with more ports available):
   - Open 256 UDP sockets bound to random ports
   - For each socket, send one STUN probe to learn its external port
   - Report all 256 external ports to the peer
 2. **Dialer side** (hard NAT):
   - Send 1024 QUIC Initial packets to random ports on the Acceptor's external IP
   - Rate: 100-200 packets/sec to avoid triggering rate limits
   - Duration: ~5-10 seconds
 3. **Collision detection**:
   - When one of the Dialer's packets hits one of the Acceptor's open ports, the QUIC handshake begins
   - The Acceptor sees an incoming Initial on one of its 256 sockets
 **Problem for VoIP**: This takes 5-10 seconds even at high probe rates. For a phone call, this means a long "connecting..." phase. Acceptable as a last resort before relay fallback.
 ### Phase D: Hybrid Strategy
 Combine all techniques in a waterfall:
 ```
 1. Port mapping (NAT-PMP/PCP/UPnP)     → <100ms   [Phase 8.2, done]
   ↓ failed
 2. Standard hole-punch (cone NAT)       → <500ms   [Phase 3-6, done]
   ↓ failed (symmetric NAT detected)
 3. Port prediction (sequential NAT)     → <2s      [Phase A+B, new]
   ↓ failed (random NAT detected)
 4. Birthday attack (one side random)    → <10s     [Phase C, new]
   ↓ failed (both sides random)
 5. Relay fallback                       → always   [Phase 1, done]
 ```
 The relay path starts **immediately in parallel** with all direct attempts (existing 500ms head-start architecture). The user hears audio via relay while the harder traversal techniques probe in the background. If a direct path is found, the call seamlessly upgrades (using the Phase 8.3 transport hot-swap mechanism).
 ## QUIC-Specific Challenges
 ### 1. Connection ID Mismatch
 QUIC's Initial packet contains a random Destination Connection ID. When birthday-attack probes land on the Acceptor's socket, the CID won't match any expected value. Quinn handles this via its `Endpoint` which accepts any incoming Initial — but we need to ensure the Endpoint is in server mode on all 256 ports.
 **Solution**: Use quinn's `Endpoint` with a server config on each socket. Quinn's accept logic handles unknown CIDs correctly.
 ### 2. Probe Packet Format
 Birthday attack probes must be valid QUIC Initial packets (not raw UDP). Quinn's `Endpoint::connect()` sends a proper Initial, so each probe is a real connection attempt. Failed probes time out naturally.
 ### 3. Stateful Connections
 Unlike WireGuard (stateless), each QUIC probe creates connection state. With 1024 probes, that's 1024 half-open connections. Must aggressively abort losers once one succeeds.
 **Solution**: Use `JoinSet` (existing pattern in `dual_path.rs`) and `abort_all()` on first success.
 ### 4. NAT Pinhole Lifetime
 QUIC Initial retransmission timer (1s default) may exceed the NAT pinhole lifetime on aggressive NATs. One probe per port may not be enough.
 **Solution**: Send 2-3 Initials per predicted port, 200ms apart.
 ## Signal Protocol
 New variants:
 ```rust
 /// Hard NAT probe coordination — exchanged before birthday attack.
 HardNatProbe {
    call_id: String,
    /// Last 5 observed external ports (most recent first).
    port_sequence: Vec<u16>,
    /// Detected allocation pattern.
    allocation: String,  // "sequential:1", "sequential:2", "random", "preserving"
    /// Probe timestamp for synchronization (ms since epoch).
    probe_time_ms: u64,
    /// External IP from STUN.
    external_ip: String,
 }
 /// Hard NAT birthday attack coordination.
 HardNatBirthdayStart {
    call_id: String,
    /// Number of ports opened by the acceptor side.
    acceptor_port_count: u16,
    /// External ports the acceptor has open (for targeted probing).
    /// Only sent if port_count is small enough to enumerate.
    acceptor_ports: Vec<u16>,
    /// "start probing now" timestamp.
    start_at_ms: u64,
 }
 ```
 ## Integration with Existing Architecture
 - **Netcheck**: `NetcheckReport` gains `port_allocation: PortAllocation` field
 - **IceAgent**: `gather()` includes port allocation detection; `re_gather()` re-probes on network change
 - **dual_path**: `race()` extended with hard-NAT probe phase between standard hole-punch timeout and relay commitment
 - **Desktop**: `place_call` / `answer_call` exchange `HardNatProbe` when both sides report `SymmetricPort` NAT type
 ## Effort Estimate
 | Phase | Scope | Effort | Status |
 |-------|-------|--------|--------|
 | A | Port allocation pattern detection | 1 day | **Done** — `PortAllocation` enum, `detect_port_allocation()`, `classify_port_allocation()`, `predict_ports()`, 17 tests |
 | B | Sequential port prediction + coordination | 2 days | **Signal ready** — `HardNatProbe` signal + relay forwarding done. `dual_path::race()` integration pending |
 | C | Birthday attack (256 sockets + 1024 probes) | 3 days | Not started |
 | D | Hybrid waterfall + background upgrade | 2 days | Not started |
 **Total**: ~8 days. Phase A is done and feeds into netcheck. Phase B has signal plumbing complete — needs `dual_path::race()` integration to actually dial predicted ports. Phase C (birthday) is the most complex and lowest ROI.
 ## Success Criteria
 - Port allocation detection correctly classifies sequential vs random on test routers
 - Sequential port prediction achieves >70% direct connection rate on sequential-NAT routers
 - Birthday attack achieves >90% within 10 seconds when one peer has cone NAT
 - Relay-to-direct upgrade is seamless (no audio gap) via Phase 8.3 transport hot-swap
 - No regression in call setup time for cone-NAT pairs (the common case)
 ## References
 - [Tailscale: How NAT traversal works](https://tailscale.com/blog/how-nat-traversal-works)
 - [Tailscale: NAT traversal improvements pt.1](https://tailscale.com/blog/nat-traversal-improvements-pt-1)
 - [Tailscale: NAT traversal improvements pt.2 — cloud environments](https://tailscale.com/blog/nat-traversal-improvements-pt-2-cloud-environments)
 - RFC 4787: NAT Behavioral Requirements for Unicast UDP
 - RFC 5245: ICE (Interactive Connectivity Establishment)
 - Birthday problem: P(collision) = 1 - e^(-n²/2m) where n=probes, m=port space
--- a/docs/PRD-ice-regather.md
+++ b/docs/PRD-ice-regather.md
@@ -0,0 +1,116 @@
 # PRD: Mid-Call ICE Re-Gathering
 > Phase: Implemented (signal plane); transport hot-swap deferred
 > Status: Partial (2026-04-14)
 > Crate: wzp-client, wzp-proto, wzp-relay
 ## Problem
 When a mobile device transitions between networks (WiFi -> cellular, IP address change), the active QUIC connection dies. The call stays on a dead path until timeout, then the user experiences silence. There is no mechanism to re-discover candidates and re-establish a direct path mid-call.
 Android's `NetworkMonitor.onIpChanged` already fires on `onLinkPropertiesChanged`, but nothing consumes it for candidate re-gathering or path migration.
 ## Solution
 Implement an `IceAgent` that manages the full candidate lifecycle — initial gathering, mid-call re-gathering on network change, and peer candidate application. A new `CandidateUpdate` signal message carries refreshed candidates to the peer through the relay.
 ## Implementation
 ### New Module: `crates/wzp-client/src/ice_agent.rs`
 **IceAgent struct**:
 - Owns `IceAgentConfig` (STUN config, portmap toggle, gather timeout, local ports)
 - Monotonic `generation: AtomicU32` — incremented on each re-gather, peers reject stale updates
 - `peer_generation: AtomicU32` — tracks last-seen peer generation for ordering
 **Public API**:
 - `gather()` -> `CandidateSet` — runs STUN + portmap + host candidates in parallel with timeout
 - `re_gather()` -> `(CandidateSet, SignalMessage)` — increments generation, returns update to send
 - `apply_peer_update(signal)` -> `Option<PeerCandidates>` — parses `CandidateUpdate`, rejects if generation <= last-seen
 **CandidateSet**:
 ```rust
 pub struct CandidateSet {
    pub reflexive: Option<SocketAddr>,
    pub local: Vec<SocketAddr>,
    pub mapped: Option<SocketAddr>,
    pub generation: u32,
 }
 ```
 ### New Signal: `CandidateUpdate`
 ```rust
 CandidateUpdate {
    call_id: String,
    reflexive_addr: Option<String>,
    local_addrs: Vec<String>,
    mapped_addr: Option<String>,
    generation: u32,
 }
 ```
 - All address fields use `#[serde(default, skip_serializing_if)]` for backward compat
 - Generation counter is mandatory — prevents stale updates from network reordering
 ### Relay Forwarding
 `CandidateUpdate` is forwarded to the call peer using the same pattern as `MediaPathReport`:
 1. Look up peer fingerprint + `peer_relay_fp` from `CallRegistry`
 2. If cross-relay: wrap in `FederatedSignalForward` and forward via federation link
 3. If local: send via `signal_hub.send_to()`
 ### Desktop Handling
 Signal recv loop handles `CandidateUpdate`:
 - Logs generation, reflexive, mapped, local count
 - Emits `recv:CandidateUpdate` debug event
 - Emits `signal-event` type `candidate_update` to JS frontend
 - TODO: wire into `IceAgent.apply_peer_update()` + `race_upgrade()` for transport hot-swap
 ### Deferred: Transport Hot-Swap
 The actual mid-call transport replacement is not yet wired. The designed approach:
 - `Arc<RwLock<Arc<QuinnTransport>>>` — send/recv tasks clone inner Arc per frame
 - On upgrade, swap inner Arc under write lock — next frame picks up new transport
 - Android: `pending_ice_regather: AtomicBool` polled in recv task, triggers re-gather + swap
 - Requires live testing to validate seamless audio continuity during swap
 ## Signal Flow
 ```
 Network change (WiFi -> cellular)
    |
    v
 IceAgent::re_gather()
    |-- stun::discover_reflexive()
    |-- portmap::acquire_port_mapping()
    |-- local_host_candidates()
    |
    v
 SignalMessage::CandidateUpdate { generation: N+1 }
    |
    v (via relay)
 Peer IceAgent::apply_peer_update()
    |
    v
 PeerCandidates { reflexive, local, mapped }
    |
    v
 dual_path::race() with new candidates [NOT YET WIRED]
 ```
 ## Files
 | File | Change |
 |------|--------|
 | `crates/wzp-client/src/ice_agent.rs` | New — IceAgent + CandidateSet |
 | `crates/wzp-proto/src/packet.rs` | `CandidateUpdate` variant |
 | `crates/wzp-relay/src/main.rs` | Forward `CandidateUpdate` to peer |
 | `crates/wzp-client/src/featherchat.rs` | Map `CandidateUpdate` to `IceCandidate` type |
 | `desktop/src-tauri/src/lib.rs` | Handle `CandidateUpdate` in signal recv loop |
 ## Testing
 - 10 unit tests: generation monotonicity, apply_peer_update (all fields, empty fields, unparseable addrs, stale rejection, wrong signal type), default config, gather with no STUN, re_gather produces signal with incrementing generation
 - 2 protocol roundtrip tests: CandidateUpdate full + minimal
--- a/docs/PRD-mtu-discovery.md
+++ b/docs/PRD-mtu-discovery.md
@@ -57,3 +57,28 @@ When the path MTU is small, the relay or client should:
 - MTU-based codec selection (future, needs adaptive quality)
 ## Effort: 1 day
 ## Implementation Status (2026-04-12)
 Phase 1 is now implemented:
 ### What was built
 - **Transport config** (`crates/wzp-transport/src/config.rs`):
  - `MtuDiscoveryConfig` with `upper_bound=1452`, `interval=300s`, `black_hole_cooldown=30s`
  - `initial_mtu=1200` (safe QUIC minimum)
  - Quinn's PLPMTUD binary-searches from 1200 up to 1452 automatically
 - **`QuinnPathSnapshot::current_mtu`** (`crates/wzp-transport/src/quic.rs`):
  - Reads `connection.max_datagram_size()` which reflects the PMTUD-discovered value
  - Available to all callers via `transport.quinn_path_stats()`
 - **Trunk batcher MTU-aware** (`crates/wzp-relay/src/room.rs`):
  - `TrunkedForwarder::new()` initializes `max_bytes` from discovered MTU
  - `send()` refreshes `max_bytes` on every call (cheap atomic read in quinn)
  - Federation trunk frames grow automatically as PMTUD discovers larger paths
 ### Phases 2-3 status
 - Phase 2 (handle MTU failures): Already handled — `send_media()`/`send_trunk()` check `max_datagram_size()` and return `DatagramTooLarge` errors. These are logged and the packet is dropped gracefully.
 - Phase 3 (codec-aware MTU): Not yet implemented. Future video frames will need application-layer fragmentation when they exceed the discovered MTU.
--- a/docs/PRD-netcheck.md
+++ b/docs/PRD-netcheck.md
@@ -0,0 +1,77 @@
 # PRD: Network Diagnostic (Netcheck)
 > Phase: Implemented
 > Status: Done (2026-04-14)
 > Crate: wzp-client
 ## Problem
 When P2P connections fail or call quality is poor, there is no diagnostic tool to understand why. Users and developers must manually probe STUN, check NAT type, test relay connectivity, and verify port mapping support — all separately. Tailscale's `netcheck` consolidates all of this into a single diagnostic report.
 ## Solution
 A comprehensive `run_netcheck()` function that probes all network capabilities in parallel and produces a structured `NetcheckReport`. Exposed as a CLI subcommand (`wzp-client --netcheck`) and available for in-app diagnostics.
 ## Implementation
 ### New Module: `crates/wzp-client/src/netcheck.rs`
 **NetcheckReport**:
 ```rust
 pub struct NetcheckReport {
    pub nat_type: NatType,
    pub reflexive_addr: Option<String>,
    pub ipv4_reachable: bool,
    pub ipv6_reachable: bool,
    pub hairpin_works: Option<bool>,
    pub port_mapping: Option<PortMapProtocol>,
    pub relay_latencies: Vec<RelayLatency>,
    pub preferred_relay: Option<String>,
    pub stun_latency_ms: Option<u32>,
    pub upnp_available: bool,
    pub pcp_available: bool,
    pub nat_pmp_available: bool,
    pub gateway: Option<String>,
    pub duration_ms: u32,
    pub stun_probes: Vec<NatProbeResult>,
    pub port_allocation: Option<PortAllocation>,
 }
 ```
 **Probes (all parallel via `tokio::join!`)**:
 1. **STUN probes** — `probe_stun_servers()` to all configured STUN servers
 2. **Relay latencies** — `probe_reflect_addr()` to each configured relay
 3. **Port mapping** — `acquire_port_mapping()` to detect NAT-PMP/PCP/UPnP
 4. **Gateway** — `default_gateway()` for the router address
 5. **IPv6** — attempt to bind `[::]:0` and send to an IPv6 STUN server
 6. **Port allocation** — `detect_port_allocation()` probes STUN servers from single socket to classify NAT pattern as PortPreserving/Sequential/Random (feeds into hard NAT prediction)
 **Derived fields**:
 - `nat_type` / `reflexive_addr` — from `classify_nat()` on STUN probes
 - `ipv4_reachable` — true if any STUN probe succeeded
 - `preferred_relay` — relay with lowest RTT
 - `port_mapping` / `nat_pmp_available` / `pcp_available` / `upnp_available` — from portmap result
 **Human-readable output**: `format_report()` produces a formatted text report with sections for NAT info, port mapping, STUN probes, relay latencies.
 ### CLI Integration
 `wzp-client --netcheck <relay-addr>` — runs the diagnostic using the specified relay plus default STUN servers, prints the report, and exits.
 ### Deferred
 - **Hairpin test** — send packet from shared endpoint to own reflexive addr to test NAT hairpinning. Architecture is in place (`hairpin_works: Option<bool>`) but the actual probe is not yet implemented.
 - **Android/Desktop in-app UI** — expose via JNI (Android) and Tauri command (desktop) for user-facing diagnostics.
 ## Files
 | File | Change |
 |------|--------|
 | `crates/wzp-client/src/netcheck.rs` | New — NetcheckReport + run_netcheck + format_report |
 | `crates/wzp-client/src/lib.rs` | Add `pub mod netcheck` |
 | `crates/wzp-client/src/cli.rs` | `--netcheck` flag + handler |
 ## Testing
 - 5 unit tests: default config, report JSON serialization + roundtrip, RelayLatency serialization, format_report with empty relays, format_report with full data (STUN probes, relay latencies, preferred relay, port mapping)
 - 1 integration test (`#[ignore]`): full netcheck run
--- a/docs/PRD-network-awareness.md
+++ b/docs/PRD-network-awareness.md
@@ -0,0 +1,139 @@
 # PRD: Network Awareness
 > Phase: Implemented (core path)  
 > Status: Ready for testing  
 > Platform: Android native Kotlin app (com.wzp)
 ## Problem
 WarzonePhone's quality controller (`AdaptiveQualityController`) had a `signal_network_change()` API for proactive adaptation to WiFi↔cellular transitions, but nothing called it. Network handoffs during calls were only detected reactively via jitter spikes — by which time the user had already experienced degraded audio.
 ## Solution
 Integrate Android's `ConnectivityManager.NetworkCallback` to detect network transport changes in real-time and feed them to the quality controller. This enables:
 1. **Preemptive quality downgrade** when switching from WiFi to cellular
 2. **FEC boost** (10-second window with +0.2 ratio) after any network change
 3. **Faster downgrade thresholds** on cellular (2 consecutive reports vs 3 on WiFi)
 ## Architecture
 ```
 ┌──────────────────────────────────────────────────────────────┐
 │ Android                                                      │
 │                                                              │
 │  ConnectivityManager                                         │
 │       │ NetworkCallback                                      │
 │       ▼                                                      │
 │  NetworkMonitor.kt                                           │
 │       │ onNetworkChanged(type, bandwidthKbps)                │
 │       ▼                                                      │
 │  CallViewModel.kt ──► WzpEngine.onNetworkChanged()           │
 │                            │ JNI                             │
 │                            ▼                                 │
 │  jni_bridge.rs: nativeOnNetworkChanged(handle, type, bw)     │
 │                            │                                 │
 │                            ▼                                 │
 │  engine.rs: state.pending_network_type.store(type)           │
 │                            │ AtomicU8 (lock-free)            │
 │                            ▼                                 │
 │  recv task: quality_ctrl.signal_network_change(ctx)          │
 │       │                                                      │
 │       ├─ Preemptive downgrade (WiFi → cellular)              │
 │       ├─ FEC boost 10s                                       │
 │       └─ Faster cellular thresholds                          │
 └──────────────────────────────────────────────────────────────┘
 ```
 ## Network Classification
 `NetworkMonitor` classifies the active transport without requiring `READ_PHONE_STATE` permission by using bandwidth heuristics:
 | Downstream Bandwidth | Classification | Rust `NetworkContext` |
 |----------------------|---------------|----------------------|
 | N/A (WiFi transport) | WiFi | `WiFi` |
 | >= 100 Mbps | 5G NR | `Cellular5g` |
 | >= 10 Mbps | LTE | `CellularLte` |
 | < 10 Mbps | 3G or worse | `Cellular3g` |
 | Ethernet | WiFi (equivalent) | `WiFi` |
 | Network lost | None | `Unknown` |
 ## Cross-Task Signaling
 The network type is communicated from the JNI thread to the recv task via `AtomicU8` — the same pattern used for `pending_profile` (adaptive quality profile switches):
 ```
 JNI thread                     recv task (tokio)
    │                               │
    │ store(type, Release)          │
    │──────────────────────────────►│
    │                               │ swap(0xFF, Acquire)
    │                               │ if != 0xFF:
    │                               │   quality_ctrl.signal_network_change(ctx)
    │                               │
 ```
 Sentinel value `0xFF` means "no change pending". The recv task polls on every received packet (~20-40ms), so latency is bounded by the inter-packet interval.
 ## Components
 ### New File
 | File | Purpose |
 |------|---------|
 | `android/.../net/NetworkMonitor.kt` | ConnectivityManager callback, transport classification, deduplication |
 ### Modified Files
 | File | Change |
 |------|--------|
 | `android/.../engine/WzpEngine.kt` | Added `onNetworkChanged()` method + `nativeOnNetworkChanged` external |
 | `android/.../ui/call/CallViewModel.kt` | Instantiates NetworkMonitor, wires callback, register/unregister lifecycle |
 | `crates/wzp-android/src/jni_bridge.rs` | Added `Java_com_wzp_engine_WzpEngine_nativeOnNetworkChanged` JNI entry |
 | `crates/wzp-android/src/engine.rs` | Added `pending_network_type: AtomicU8` to EngineState, recv task polls it |
 ### Unchanged (already implemented)
 | File | API |
 |------|-----|
 | `crates/wzp-proto/src/quality.rs` | `AdaptiveQualityController::signal_network_change(NetworkContext)` |
 | `crates/wzp-transport/src/path_monitor.rs` | `PathMonitor::detect_handoff()` (available for future use) |
 ## Deferred Work
 ### Tauri Desktop App (com.wzp.desktop)
 ~~The Tauri engine doesn't use `AdaptiveQualityController` — quality is resolved once at call start.~~ **Update (2026-04-13):** Desktop now has `AdaptiveQualityController` wired into the recv task with `pending_profile` AtomicU8 bridge. Network monitoring on desktop is now feasible — the blocker was adaptive quality, which is done. Remaining work: platform-specific network change detection (macOS: `SCNetworkReachability` or `NWPathMonitor`; Linux: `netlink` socket).
 ### Mid-Call ICE Re-gathering — PARTIALLY IMPLEMENTED (2026-04-14)
 When the device's IP address changes, the system now:
 1. Re-gather local host candidates (`local_host_candidates()`) ✅
 2. Re-probe STUN (`stun::discover_reflexive()` + `portmap::acquire_port_mapping()`) ✅
 3. Send updated candidates to the peer (`CandidateUpdate` signal message) ✅
 4. Relay forwards `CandidateUpdate` to peer (same pattern as `MediaPathReport`) ✅
 5. Peer receives and can parse via `IceAgent::apply_peer_update()` ✅
 6. Attempt new dual-path race for path upgrade — **NOT YET WIRED** (transport hot-swap)
 `NetworkMonitor.onIpChanged` fires on `onLinkPropertiesChanged` — the hook is ready.
 The signaling plane is fully implemented via `IceAgent` + `CandidateUpdate`.
 Remaining: wire `onIpChanged` → JNI → `pending_ice_regather` AtomicBool → recv task → `ice_agent.re_gather()` → transport swap.
 New modules added in Phase 8 (Tailscale-inspired):
 - `crates/wzp-client/src/ice_agent.rs` — candidate lifecycle management
 - `crates/wzp-client/src/stun.rs` — public STUN server probing (independent of relay)
 - `crates/wzp-client/src/portmap.rs` — NAT-PMP/PCP/UPnP port mapping
 - `crates/wzp-client/src/netcheck.rs` — comprehensive network diagnostic
 ## Testing
 1. Build native APK
 2. Start a call on WiFi
 3. Verify logcat: `quality controller: network context updated` with `ctx=WiFi`
 4. Disable WiFi → device falls to cellular
 5. Verify logcat: `ctx=CellularLte` (or `Cellular5g`/`Cellular3g`)
 6. Verify FEC boost activates (check quality_ctrl logs)
 7. Verify preemptive quality downgrade (tier drops one level on WiFi→cellular)
 8. Re-enable WiFi → verify transition back
 9. Rapid WiFi toggle (5x in 10s) → verify no crashes, deduplication works
 10. Airplane mode → verify `onLost` fires with `TYPE_NONE`
--- a/docs/PRD-p2p-direct.md
+++ b/docs/PRD-p2p-direct.md
@@ -138,9 +138,75 @@ The existing relay connection carries `IceCandidate` signals. No new infrastruct
 ## Milestones
-| Phase | Scope | Effort |
+| Phase | Scope | Effort | Status |
-|-------|-------|--------|
+|-------|-------|--------|--------|
-| 1 | STUN client + candidate gathering | 2 days |
+| 1 | STUN client + candidate gathering | 2 days | Done |
-| 2 | QUIC hole punching + identity verification | 3 days |
+| 2 | QUIC hole punching + identity verification | 3 days | Done |
-| 3 | Adaptive quality on P2P connection | 2 days |
+| 3 | Adaptive quality on P2P connection | 2 days | Done (#23) |
-| 4 | Hybrid mode (relay + P2P, seamless migration) | 3 days |
+| 4 | Hybrid mode (relay + P2P, seamless migration) | 3 days | Done |
 | 5 | Single-socket Nebula (shared signal+direct endpoint) | 2 days | Done |
 | 6 | ICE path negotiation + dual-path race | 3 days | Done |
 | 7 | IPv6 dual-socket | 2 days | Done (but `dual_path.rs` integration tests broken — missing `ipv6_endpoint` arg) |
 | 8.1 | Public STUN client (RFC 5389) | 1 day | Done |
 | 8.2 | PCP/PMP/UPnP port mapping | 2 days | Done |
 | 8.3 | Mid-call ICE re-gathering + CandidateUpdate signal | 2 days | Done (signal plane; transport hot-swap TODO) |
 | 8.4 | Netcheck diagnostic | 1 day | Done |
 | 8.5 | Region-based relay selection (data model) | 1 day | Done |
 | 8.6a | Hard NAT: port allocation detection | 1 day | Done |
 | 8.6b | Hard NAT: sequential port prediction signal | 1 day | Done (signal + prediction fn; dial integration pending) |
 | 8.6c | Hard NAT: birthday attack (256×1024 probes) | 3 days | Not started |
 | 8.6d | Hard NAT: hybrid waterfall + background upgrade | 2 days | Not started |
 ## Implementation Status (2026-04-13)
 Phases 1-2, 4-7 are implemented. First P2P call completed 2026-04-12.
 ### Known regression
 Phase 7 added `ipv6_endpoint: Option<Endpoint>` parameter to `race()` in `crates/wzp-client/src/dual_path.rs` but the 3 test call sites in `crates/wzp-client/tests/dual_path.rs` (lines 111, 153, 191) were not updated — they pass 6 args instead of 7. Fix: add `None,` after the `shared_endpoint` arg in each call.
 ## Update (2026-04-13)
 P2P adaptive quality (#23) now implemented:
 - Both peers self-observe network quality from QUIC path stats
 - Quality reports generated every ~1s and attached to outgoing packets
 - AdaptiveQualityController drives codec switching on both P2P and relay calls
 ## Update (2026-04-14): Phase 8 — Tailscale-Inspired Enhancements
 Added 5 new modules to bring NAT traversal capability close to Tailscale's:
 ### Phase 8.1: Public STUN Client (Done)
 - `stun.rs`: RFC 5389 Binding Request/Response over raw UDP
 - Independent reflexive discovery via public STUN servers (Google, Cloudflare)
 - `detect_nat_type_with_stun()` combines relay + STUN probes for higher confidence
 - STUN fallback in desktop's `try_reflect_own_addr()` when relay reflection fails
 ### Phase 8.2: PCP/PMP/UPnP Port Mapping (Done)
 - `portmap.rs`: NAT-PMP (RFC 6886), PCP (RFC 6887), UPnP IGD
 - Gateway discovery (macOS + Linux), try NAT-PMP → PCP → UPnP in sequence
 - New candidate type: `PeerCandidates.mapped` + signal fields `caller_mapped_addr`/`callee_mapped_addr`/`peer_mapped_addr`
 - Dial order: host → mapped → reflexive (mapped helps on symmetric NATs)
 ### Phase 8.3: Mid-Call ICE Re-Gathering (Done — signal plane)
 - `ice_agent.rs`: `IceAgent` with `gather()`, `re_gather()`, `apply_peer_update()`
 - `SignalMessage::CandidateUpdate` with monotonic generation counter
 - Relay forwards `CandidateUpdate` like `MediaPathReport`
 - Desktop handles and emits to JS frontend
 - Transport hot-swap: designed but not yet wired into live call engine
 ### Phase 8.4: Netcheck Diagnostic (Done)
 - `netcheck.rs`: comprehensive network diagnostic (NAT type, reflexive addr, IPv4/v6, port mapping, relay latencies)
 - CLI: `wzp-client --netcheck <relay>`
 ### Phase 8.5: Region-Based Relay Selection (Done — data model)
 - `relay_map.rs`: `RelayMap` sorted by RTT with `preferred()` selection
 - `RegisterPresenceAck` extended with `relay_region` + `available_relays`
 ### Phase 8.6: Hard NAT Traversal (Phase A done, B-D pending)
 - **Phase A (Done)**: Port allocation pattern detection — `PortAllocation` enum (`PortPreserving`/`Sequential{delta}`/`Random`/`Unknown`), `detect_port_allocation()` probes N STUN servers from single socket, `classify_port_allocation()` with wraparound + jitter tolerance, `predict_ports()` for sequential NATs
 - **Phase B (signal ready)**: `HardNatProbe` signal message carries `port_sequence`, `allocation`, `external_ip` — relay forwarding implemented. Actual dial-to-predicted-ports integration into `dual_path::race()` pending.
 - **Phase C (not started)**: Birthday attack (256 sockets × 1024 probes) for random NATs
 - **Phase D (not started)**: Hybrid waterfall with background relay-to-direct upgrade
 - `NetcheckReport.port_allocation` populated automatically from `detect_port_allocation()`
 - See `docs/PRD-hard-nat.md` for full design
--- a/docs/PRD-portmap.md
+++ b/docs/PRD-portmap.md
@@ -0,0 +1,92 @@
 # PRD: NAT Port Mapping (PCP/PMP/UPnP)
 > Phase: Implemented
 > Status: Done (2026-04-14)
 > Crate: wzp-client, wzp-proto, wzp-relay
 ## Problem
 WarzonePhone falls back to relay-only when the client is behind a symmetric NAT (different external port per destination). The STUN-discovered reflexive address won't match what a peer sees, so direct hole-punching fails. Tailscale reports ~70% of consumer routers support NAT-PMP, PCP, or UPnP — protocols that let clients request explicit port mappings, making symmetric NATs traversable.
 ## Solution
 Implement all three port mapping protocols, tried in sequence (NAT-PMP -> PCP -> UPnP). When a mapping is acquired, advertise the mapped address as a new candidate type alongside reflexive and host candidates. The relay cross-wires it into `CallSetup.peer_mapped_addr` so the peer can dial it.
 ## Implementation
 ### New Module: `crates/wzp-client/src/portmap.rs`
 **NAT-PMP (RFC 6886)**:
 - UDP to gateway:5351
 - External address request (opcode 0) -> returns router's public IP
 - Map UDP request (opcode 1) -> returns mapped external port + lifetime
 - 12-byte request, 16-byte response
 **PCP (RFC 6887)**:
 - Same gateway:5351, version 2
 - MAP opcode with client IP as IPv4-mapped IPv6
 - 60-byte request/response with 12-byte nonce for anti-spoofing
 - Superset of NAT-PMP, supports IPv6
 **UPnP IGD**:
 - SSDP M-SEARCH to 239.255.255.250:1900 for InternetGatewayDevice discovery
 - Parse LOCATION header -> fetch device description XML -> find WANIPConnection controlURL
 - SOAP `GetExternalIPAddress` -> router's public IP
 - SOAP `AddPortMapping` -> maps the QUIC port
 **Gateway discovery**:
 - macOS: `route -n get default` (parse `gateway:` line)
 - Linux/Android: `/proc/net/route` (parse hex gateway for 00000000 destination)
 **Public API**:
 - `acquire_port_mapping(internal_port, local_ip)` -> tries all 3, first success wins
 - `release_port_mapping(mapping)` -> best-effort cleanup (lifetime=0 for NAT-PMP)
 - `spawn_refresh(mapping)` -> background task renewing at half-lifetime
 - `default_gateway()` -> cross-platform gateway discovery
 ### Signal Protocol Extensions
 | Message | New Field | Purpose |
 |---------|-----------|---------|
 | `DirectCallOffer` | `caller_mapped_addr: Option<String>` | Caller's port-mapped address |
 | `DirectCallAnswer` | `callee_mapped_addr: Option<String>` | Callee's port-mapped address |
 | `CallSetup` | `peer_mapped_addr: Option<String>` | Relay cross-wires peer's mapped addr |
 All fields use `#[serde(default, skip_serializing_if)]` for backward compatibility.
 ### Relay Cross-Wiring
 `CallRegistry` extended with `caller_mapped_addr` / `callee_mapped_addr` fields + setter methods. The relay:
 1. Extracts `caller_mapped_addr` from `DirectCallOffer`, stores in registry
 2. Extracts `callee_mapped_addr` from `DirectCallAnswer`, stores in registry
 3. Cross-wires into `CallSetup`: caller gets callee's mapped addr as `peer_mapped_addr`, and vice versa
 ### Candidate Priority
 `PeerCandidates.mapped` added to `dual_path.rs`. Dial order:
 1. Host (LAN) candidates — fastest on same-LAN
 2. **Port-mapped** — stable even behind symmetric NATs
 3. Server-reflexive (STUN) — standard hole-punching
 4. Relay — always-available fallback
 ### Desktop Integration
 Both `place_call()` and `answer_call()` call `acquire_port_mapping()` using the signal endpoint's local port. Privacy-mode answers (`AcceptGeneric`) skip portmap to keep the address hidden.
 ## Files
 | File | Change |
 |------|--------|
 | `crates/wzp-client/src/portmap.rs` | New — NAT-PMP/PCP/UPnP client |
 | `crates/wzp-client/src/dual_path.rs` | `PeerCandidates.mapped` field + dial_order update |
 | `crates/wzp-proto/src/packet.rs` | `caller/callee_mapped_addr` + `peer_mapped_addr` fields |
 | `crates/wzp-relay/src/call_registry.rs` | `caller/callee_mapped_addr` fields + setters |
 | `crates/wzp-relay/src/main.rs` | Extract, store, cross-wire mapped addrs |
 | `desktop/src-tauri/src/lib.rs` | Call portmap in place_call/answer_call |
 ## Testing
 - 18 unit tests: NAT-PMP encoding, UPnP XML parsing (5 variants including real-world router XML), URL host extraction, error Display, protocol serde, PortMapping serialization, gateway detection, constants verification
 - 2 integration tests (`#[ignore]`): gateway discovery, acquire_mapping
 - 9 PeerCandidates tests: dial_order with all types, dedup, is_empty edge cases
 - 12 protocol roundtrip tests: offer/answer/setup with mapped addr, backward compat without
--- a/docs/PRD-protocol-analyzer.md
+++ b/docs/PRD-protocol-analyzer.md
@@ -62,6 +62,16 @@ if debug_tap_enabled {
 ### Effort: 0.5 day
 ### Implementation Status (2026-04-13)
 Fully implemented. `--debug-tap <room>` (or `*` for all rooms) logs:
 - **Per-packet metadata** (`TAP`): direction, addr, seq, codec, timestamp, FEC fields, payload size, fan_out
 - **Signal events** (`TAP SIGNAL`): `RoomUpdate` (count + participant names), `QualityDirective` (codec + reason), other signals by discriminant
 - **Lifecycle events** (`TAP EVENT`): participant join (id, addr, alias), participant leave (id, addr, forwarded count, or room closed)
 All output uses tracing `target: "debug_tap"` so it can be filtered with `RUST_LOG=debug_tap=info`.
 ---
 ## 2. Full Protocol Analyzer (Standalone Tool)
@@ -176,3 +186,15 @@ wzp-analyzer --replay capture.wzp --report report.html
 - Modifying packets in transit
 - Automated quality scoring (MOS estimation)
 - Video support
 ## Implementation Status (2026-04-13)
 All phases implemented:
 - Phase 1 (Observer + stats): wzp-analyzer binary, passive room observer, per-participant stats — DONE
 - Phase 2 (TUI): ratatui display with color-coded loss severity — DONE
 - Phase 3 (Capture/Replay): Binary .wzp format + CaptureReader for offline replay — DONE
 - Phase 4 (HTML report): Self-contained with Chart.js loss/jitter timelines — DONE
 - Phase 5 (Encrypted decode): Stub — SFU E2E encryption requires session context. Header-only analysis works. — PARTIAL
 Binary: `cargo build --bin wzp-analyzer`
 Usage: `wzp-analyzer relay:4433 --room test [--capture out.wzp] [--html report.html] [--no-tui]`
--- a/docs/PRD-public-stun.md
+++ b/docs/PRD-public-stun.md
@@ -0,0 +1,68 @@
 # PRD: Public STUN Client
 > Phase: Implemented
 > Status: Done (2026-04-14)
 > Crate: wzp-client
 ## Problem
 WarzonePhone's reflexive address discovery depends entirely on relay-based `Reflect` messages over an authenticated QUIC signal channel. If the relay is unreachable, overloaded, or not yet connected, the client cannot discover its public IP:port for P2P hole-punching. This single point of failure means call setup is delayed or falls back to relay-only unnecessarily.
 Tailscale solves this by querying multiple public STUN servers in parallel, independent of its DERP relay infrastructure.
 ## Solution
 Implement a minimal RFC 5389 STUN Binding client over raw UDP that queries public STUN servers (Google, Cloudflare) in parallel. This provides:
 1. **Independent reflexive discovery** — works without any relay connection
 2. **Redundancy** — STUN fallback when relay reflection fails
 3. **Better NAT classification** — more probes = higher confidence in Cone vs Symmetric detection
 4. **Faster call setup** — STUN can run before signal registration completes
 ## Implementation
 ### New Module: `crates/wzp-client/src/stun.rs`
 **Wire format** (RFC 5389):
 - 20-byte header: type (u16) + length (u16) + magic cookie (0x2112A442) + transaction ID (12 bytes)
 - Binding Request (0x0001): no attributes, just the header
 - Binding Response (0x0101): parses XOR-MAPPED-ADDRESS (0x0020, preferred) and MAPPED-ADDRESS (0x0001, fallback)
 - XOR decoding: port XOR'd with top 16 bits of magic cookie, IPv4 XOR'd with cookie, IPv6 XOR'd with cookie || txn ID
 **Public API**:
 - `stun_reflect(socket, server, timeout)` — single-server probe with one retry on first-packet timeout
 - `discover_reflexive(config)` — parallel probe of N servers, first success wins
 - `probe_stun_servers(config)` — all-server probe returning `Vec<NatProbeResult>` for NAT classification
 - `resolve_stun_server(host_port)` — DNS resolution preferring IPv4
 **Default servers**: `stun.l.google.com:19302`, `stun1.l.google.com:19302`, `stun.cloudflare.com:3478`
 **Error handling**: `StunError` enum — Io, Timeout, Malformed, TxnMismatch, ErrorResponse, NoMappedAddress, DnsError
 ### Integration Points
 1. **`reflect.rs`**: New `detect_nat_type_with_stun()` runs relay probes and STUN probes concurrently via `tokio::join!`, merges results, re-classifies
 2. **Desktop `lib.rs`**: `try_reflect_own_addr()` falls back to `try_stun_fallback()` when relay reflection fails or times out
 3. **Desktop `detect_nat_type` command**: Uses `detect_nat_type_with_stun()` for combined relay + STUN classification
 ### Design Decisions
 - **Separate UDP socket** per STUN probe — can't share the QUIC socket (quinn owns its I/O driver)
 - **No external crate** — RFC 5389 Binding is ~200 lines of code, no need for `stun-rs` or `webrtc-rs`
 - **Retry once** at half-timeout — handles the "first-packet problem" where some NATs drop the initial UDP packet to a new destination
 - **IPv4 preferred** for DNS resolution — Phase 7 IPv6 is still flaky
 ## Files
 | File | Change |
 |------|--------|
 | `crates/wzp-client/src/stun.rs` | New — STUN client |
 | `crates/wzp-client/src/lib.rs` | Add `pub mod stun` |
 | `crates/wzp-client/src/reflect.rs` | Add `detect_nat_type_with_stun()` |
 | `crates/wzp-client/Cargo.toml` | Add `rand` dependency |
 | `desktop/src-tauri/src/lib.rs` | STUN fallback in `try_reflect_own_addr()`, STUN in `detect_nat_type` |
 ## Testing
 - 22 unit tests: encode/decode roundtrips, XOR-MAPPED-ADDRESS (IPv4, IPv6, high port), MAPPED-ADDRESS fallback (IPv4, IPv6), unknown family, attribute padding, unknown attributes skipped, truncated attributes, error response, bad cookie, txn mismatch, too short, no mapped address, XOR preferred over mapped, error Display, default config, empty servers
 - 2 integration tests (`#[ignore]`): query `stun.l.google.com`, multi-server probe
--- a/docs/PRD-relay-concurrency.md
+++ b/docs/PRD-relay-concurrency.md
@@ -0,0 +1,314 @@
 # PRD: Relay Concurrency — DashMap Room Sharding
 ## Problem
 The relay's media forwarding hot path routes every packet through a single `Arc<Mutex<RoomManager>>`. In a room with N participants, all N per-participant tasks compete for this one lock on every packet. The lock hold time is short (~1ms, no I/O), but the serialization means a 100-participant room effectively runs single-threaded despite having a multi-core tokio runtime.
 Separately, the federation manager holds `peer_links` locked across multiple network sends, meaning a slow federation peer blocks all others.
 ### Measured bottleneck (from code audit)
 ```
 Per-packet hot path (room.rs:748-757, 968-976):
  lock(room_mgr)
    → observe_quality()    O(N) iterate qualities HashMap
    → others()             O(M) clone Vec<ParticipantSender>
  unlock
  → fan-out sends          sequential, no lock held
 ```
 Lock contention = O(N) per room per packet, where N = participants in the room.
 ### Current lock inventory (hot path only)
 | Lock | Location | Hold Duration | I/O While Locked | Frequency |
 |------|----------|---------------|-------------------|-----------|
 | `RoomManager` | room.rs:749, 968 | ~1ms | No | Every packet, every participant |
 | `RoomManager` | room.rs:845, 1041 | <1ms | No | Every 5s per participant |
 | `RoomManager` | room.rs:870 | ~1ms | No (explicit `drop` before broadcast) | On leave |
 | `peer_links` | federation.rs:409 | N × send latency | **YES** — `send_raw_datagram` in loop | Every federation packet |
 | `peer_links` | federation.rs:216 | N × send latency | **YES** — `send_signal` in loop | Every federation signal |
 | `dedup` | federation.rs:1066 | <1ms | No | Every federation ingress packet |
 | `rate_limiters` | federation.rs:1113 | <1ms | No | Every federation ingress packet |
 ### Scaling impact
 | Room Size | Effective Core Usage | Bottleneck |
 |-----------|---------------------|------------|
 | 3 people × 100 rooms | All cores | None |
 | 10 people × 10 rooms | Most cores | Mild contention per room |
 | 100 people × 1 room | ~1 core | RoomManager lock |
 | 1000 people × 1 room | ~1 core | Severely serialized |
 ## Goals
 - Eliminate the global RoomManager Mutex as a serialization point for media forwarding
 - Allow per-room parallelism: packets in room A don't block packets in room B
 - Fix federation `peer_links` lock held across network sends
 - Maintain correctness: no double-delivery, no stale participant lists
 - Zero-copy or minimal-clone for fan-out participant lists
 - Keep the refactor incremental — each phase independently shippable
 ## Non-Goals
 - Lock-free data structures (overkill for our scale; DashMap or per-room Mutex is sufficient)
 - Changing the SFU forwarding model (no mixing, no transcoding)
 - Optimizing single-room beyond ~1000 participants (conferencing at that scale needs a different architecture)
 - Changing the wire protocol or client behavior
 ## Design Options Evaluated
 ### Option A: Per-Room `Arc<Mutex<Room>>`
 **Approach:** Replace `HashMap<String, Room>` inside RoomManager with `HashMap<String, Arc<Mutex<Room>>>`. The outer HashMap is protected by a short-lived lock for room lookup only; the per-room lock protects participant state.
 ```rust
 struct RoomManager {
    rooms: Mutex<HashMap<String, Arc<Mutex<Room>>>>,  // outer: room lookup
    // ...
 }
 // Hot path becomes:
 let room_arc = {
    let rooms = room_mgr.rooms.lock().await;
    rooms.get(&room_name).cloned()  // Arc clone, <1ns
 };  // outer lock released
 if let Some(room) = room_arc {
    let room = room.lock().await;  // per-room lock
    let others = room.others(participant_id);
    drop(room);
    // fan-out sends...
 }
 ```
 **Pros:**
 - Rooms are fully independent — room A's lock doesn't block room B
 - Minimal code change (~50 lines)
 - Per-room lock contention = O(participants in that room), not O(total participants)
 - Outer lock held for <1μs (just a HashMap get + Arc clone)
 **Cons:**
 - Two-level locking (room lookup + room lock) — slightly more complex
 - Room creation/deletion still serialized through outer lock (acceptable, rare operation)
 - Quality tracking needs to move into the Room struct
 **Verdict: Best option. Biggest win for least effort.**
 ### Option B: `DashMap<String, Room>`
 **Approach:** Replace `Mutex<HashMap<String, Room>>` with `dashmap::DashMap<String, Room>`. DashMap uses internal sharding (default 64 shards) with per-shard RwLocks.
 ```rust
 struct RoomManager {
    rooms: DashMap<String, Room>,
 }
 // Hot path:
 if let Some(room) = room_mgr.rooms.get(&room_name) {
    let others = room.others(participant_id);  // read lock on shard
    drop(room);  // release shard lock
    // fan-out sends...
 }
 ```
 **Pros:**
 - No explicit locking in user code
 - Built-in sharding (64 shards by default)
 - Read-heavy workload benefits from RwLock per shard
 **Cons:**
 - New dependency (`dashmap` crate)
 - DashMap guards can't be held across `.await` points (not `Send`)
 - Mutable operations (join/leave/quality update) need `get_mut()` which takes exclusive shard lock
 - Less control over lock granularity than Option A
 - Quality tracking across rooms becomes awkward (can't iterate all rooms while holding one shard)
 **Verdict: Good but Option A is simpler and more explicit.**
 ### Option C: Channel-Based Fan-Out
 **Approach:** Replace direct `send_media()` calls with per-participant `mpsc::Sender` channels. Room join registers a sender; the forwarding loop just does `tx.send(pkt)` which is lock-free.
 ```rust
 struct Room {
    participants: Vec<(ParticipantId, mpsc::Sender<MediaPacket>)>,
 }
 // Each participant's task:
 let (tx, mut rx) = mpsc::channel(64);
 room_mgr.join(room, participant_id, tx);
 // Forwarding in recv loop:
 let senders = room.others(participant_id);  // Vec<mpsc::Sender> clone
 for tx in &senders {
    let _ = tx.try_send(pkt.clone());  // non-blocking, no lock
 }
 ```
 **Pros:**
 - Fan-out is completely lock-free (channel send is atomic)
 - Backpressure per participant (full channel = drop packet, not block others)
 - Natural decoupling: recv task → channel → send task
 **Cons:**
 - Requires cloning MediaPacket per participant (currently we clone ParticipantSender Arc, much cheaper)
 - Additional memory: 64-packet channel buffer × N participants
 - Still need a lock to get the sender list (unless we snapshot on join/leave)
 - Adds latency: channel hop + wake adds ~1-5μs vs direct send
 **Verdict: Over-engineered for current scale. Consider for 1000+ participant rooms.**
 ### Option D: Snapshot-on-Change (Optimistic Read)
 **Approach:** Maintain a read-optimized `Arc<Vec<ParticipantSender>>` snapshot per room. Updated atomically on join/leave (rare). Readers just `Arc::clone()` — no lock at all.
 ```rust
 struct Room {
    participants: Vec<Participant>,
    /// Atomically-updated snapshot of all senders (rebuilt on join/leave).
    sender_snapshot: Arc<ArcSwap<Vec<ParticipantSender>>>,
 }
 // Hot path (zero locking!):
 let senders = room.sender_snapshot.load();  // atomic load, ~1ns
 for sender in senders.iter() {
    if sender.id != participant_id { ... }
 }
 ```
 **Pros:**
 - Zero lock contention on hot path — just an atomic pointer load
 - Rebuild cost amortized over all packets between joins/leaves
 - `arc-swap` crate is battle-tested and tiny
 **Cons:**
 - New dependency (`arc-swap`)
 - Quality tracking still needs a mutable path (separate concern)
 - Snapshot doesn't include mutable room state (quality tiers)
 - More complex join/leave (must rebuild snapshot atomically)
 **Verdict: Best theoretical performance, but adds complexity. Consider if DashMap proves insufficient.**
 ## Recommended Implementation: Option B (DashMap) + Federation Fix
 DashMap is the right tool here. The original objections don't hold up:
 - "Guards can't be held across `.await`" — we already drop locks before any async sends
 - "Less control" — DashMap's 64 internal shards give finer granularity than manual per-room locks
 - "New dependency" — one crate, battle-tested, widely used in the Rust ecosystem
 DashMap's advantages over manual per-room `Arc<Mutex<Room>>`:
 - **No two-level locking** — single `rooms.get()` vs outer-lock → Arc clone → drop → inner-lock
 - **Read/write separation** — `get()` is a shared shard lock, multiple rooms on the same shard can read concurrently
 - **Less code** — no manual Arc/Mutex wrapping, no explicit lock choreography
 - **Iteration without global lock** — federation room announcements don't block media forwarding
 ### Phase 1: DashMap Room Storage (Biggest Win)
 1. Add `dashmap` dependency to `wzp-relay`
 2. Replace `rooms: HashMap<String, Room>` with `rooms: DashMap<String, Room>`
 3. Move `qualities` and `room_tiers` into the `Room` struct (per-room state, not global)
 4. RoomManager no longer needs a wrapping Mutex — it becomes `Arc<RoomManager>` directly
 5. Per-packet hot path: `rooms.get(&name)` takes a shared shard lock, releases on drop
 ```rust
 pub struct RoomManager {
    rooms: DashMap<String, Room>,
    acl: Option<HashMap<String, HashSet<String>>>,  // read-only after init
    event_tx: broadcast::Sender<RoomEvent>,
 }
 struct Room {
    participants: Vec<Participant>,
    qualities: HashMap<ParticipantId, ParticipantQuality>,
    current_tier: Tier,
 }
 // Hot path becomes:
 let (others, directive) = if let Some(mut room) = room_mgr.rooms.get_mut(&room_name) {
    let directive = if let Some(ref qr) = pkt.quality_report {
        room.observe_quality(participant_id, qr)
    } else {
        None
    };
    let o = room.others(participant_id);
    (o, directive)
 } else {
    (vec![], None)
 };
 // Shard lock released here — fan-out sends are lock-free
 ```
 **Files to modify:**
 - `crates/wzp-relay/Cargo.toml` — add `dashmap` dependency
 - `crates/wzp-relay/src/room.rs` — RoomManager struct, Room struct, all methods
 - `crates/wzp-relay/src/lib.rs` — change from `Arc<Mutex<RoomManager>>` to `Arc<RoomManager>`
 - `crates/wzp-relay/src/main.rs` — update RoomManager construction and all `.lock().await` call sites
 - `crates/wzp-relay/src/federation.rs` — update room_mgr usage (no more `.lock().await`)
 **Key behavior change:** `Arc<Mutex<RoomManager>>` → `Arc<RoomManager>`. Every call site that does `room_mgr.lock().await.some_method()` becomes `room_mgr.some_method()` directly. The DashMap handles internal locking.
 **Concurrency improvement:**
 - Before: 100 rooms × 10 people = all 1000 tasks compete for 1 Mutex
 - After: 100 rooms × 10 people = distributed across 64 shards, ~15 tasks per shard average
 - Within a room: participants still serialize through the shard lock, but hold time is <0.1ms for `get()` and `others()` (just Vec clone of Arcs)
 ### Phase 2: Federation Lock Fix
 Clone the peer list, release lock, then send:
 ```rust
 pub async fn forward_to_peers(&self, room_hash: &[u8; 8], media_data: &Bytes) {
    let peers: Vec<_> = {
        let links = self.peer_links.lock().await;
        links.values().map(|l| (l.label.clone(), l.transport.clone())).collect()
    };  // lock released immediately
    for (label, transport) in &peers {
        // send without holding lock — slow peer doesn't block others
    }
 }
 ```
 Also apply to `broadcast_signal()` and `send_signal_to_peer()`.
 **Files to modify:**
 - `crates/wzp-relay/src/federation.rs` — 3 methods
 **Concurrency improvement:** A slow federation peer no longer blocks all other peers' media delivery.
 ### Phase 3: Quality Tracking Optimization (Optional)
 With DashMap, quality tracking uses `get_mut()` (exclusive shard lock) on every packet that carries a QualityReport. For rooms where quality reports are frequent, this creates write contention on the shard.
 Option: Move quality observation to a background task:
 1. Per-participant `AtomicU8` for latest loss/RTT (lock-free write from hot path)
 2. Background task every 1s reads atomics, computes tiers, broadcasts directives
 3. Hot path becomes read-only: `rooms.get()` (shared lock) → `others()` → done
 **Reduces shard lock from exclusive (`get_mut`) to shared (`get`) on every packet.**
 ## Verification
 1. **Correctness:** `cargo test -p wzp-relay` — all existing tests must pass
 2. **Compile check:** `cargo check --workspace` — no regressions
 3. **Load test:** 10 rooms × 10 participants, verify rooms forward concurrently
 4. **Large room:** 1 room × 50 participants, no deadlocks
 5. **Federation:** 3 relays, media bridges correctly with new lock pattern
 6. **Benchmark:** Before/after packets-per-second on multi-core with `wzp-bench`
 ## Effort
 - Phase 1: 1 day (DashMap migration + test updates)
 - Phase 2: 0.5 day (federation clone-and-release)
 - Phase 3: 0.5 day (optional, quality tracking with atomics)
 - Total: 1.5–2 days
 ## Implementation Status (2026-04-13)
 Phase 1 (DashMap): DONE — global Mutex → DashMap<String, Room> with 64 shards
 Phase 2 (Federation clone-before-send): DONE — forward_to_peers, broadcast_signal, send_signal_to_peer
 Phase 3 (Quality atomics): NOT DONE — optional optimization
 See also: docs/REFACTOR-relay-concurrency.md for the full post-refactor analysis.
--- a/docs/PRD-relay-selection.md
+++ b/docs/PRD-relay-selection.md
@@ -0,0 +1,88 @@
 # PRD: Region-Based Relay Selection
 > Phase: Implemented (data model)
 > Status: Done (2026-04-14)
 > Crate: wzp-client, wzp-proto, wzp-relay
 ## Problem
 Clients are configured with a single relay address. With multiple relays in the federation mesh, the client should automatically discover all available relays and select the lowest-latency one. Currently there is no mechanism for the relay to advertise its mesh peers to clients, and no client-side data structure to track relay health over time.
 ## Solution
 1. Relays advertise their region and mesh peers in `RegisterPresenceAck`
 2. Clients maintain a `RelayMap` sorted by measured RTT
 3. `preferred()` returns the best relay for call setup
 ## Implementation
 ### New Module: `crates/wzp-client/src/relay_map.rs`
 **RelayEntry**:
 ```rust
 pub struct RelayEntry {
    pub name: String,
    pub addr: SocketAddr,
    pub region: Option<String>,
    pub rtt_ms: Option<u32>,
    pub last_probed: Option<Instant>,
    pub reachable: bool,
 }
 ```
 **RelayMap API**:
 - `upsert(name, addr, region)` — add or update a relay entry
 - `update_rtt(addr, rtt_ms)` — record probe result, marks reachable, re-sorts
 - `mark_unreachable(addr)` — sorts unreachable entries to end
 - `preferred()` -> `Option<&RelayEntry>` — lowest RTT reachable relay
 - `populate_from_ack(relays, region)` — parse `RegisterPresenceAck.available_relays` (format: `"name|addr"`)
 - `needs_reprobe(max_age)` — true if any entry has stale or missing probe
 - `stale_entries(max_age)` — list of entries needing fresh probes
 ### Signal Protocol Extension
 `RegisterPresenceAck` extended:
 ```rust
 RegisterPresenceAck {
    success: bool,
    error: Option<String>,
    relay_build: Option<String>,
    relay_region: Option<String>,           // NEW
    available_relays: Vec<String>,          // NEW — "name|addr" format
 }
 ```
 ### Relay Config Extension
 `RelayConfig` extended:
 ```rust
 pub region: Option<String>,          // e.g., "us-east", "eu-west"
 pub advertised_addr: Option<SocketAddr>,  // for available_relays population
 ```
 ### Relay Population
 On `RegisterPresenceAck`, the relay populates:
 - `relay_region` from `config.region`
 - `available_relays` from `config.peers` (label|url format)
 ### Deferred
 - **Automatic relay switching** — using `preferred()` to select relay during call setup instead of hardcoded config
 - **Background reprobing** — periodic RTT measurements to keep the relay map fresh
 - **Cross-relay RTT estimation** — using mesh probe data to estimate combined caller-RTT + callee-RTT for optimal relay placement
 ## Files
 | File | Change |
 |------|--------|
 | `crates/wzp-client/src/relay_map.rs` | New — RelayMap + RelayEntry |
 | `crates/wzp-client/src/lib.rs` | Add `pub mod relay_map` |
 | `crates/wzp-proto/src/packet.rs` | `relay_region` + `available_relays` on RegisterPresenceAck |
 | `crates/wzp-relay/src/config.rs` | `region` + `advertised_addr` fields |
 | `crates/wzp-relay/src/main.rs` | Populate RegisterPresenceAck from config + peers |
 ## Testing
 - 15 unit tests: preferred by RTT, unreachable not preferred, preferred empty/all-unreachable, populate_from_ack (valid + malformed entries), upsert updates/preserves region, needs_reprobe (empty/never/fresh), stale_entries, sort stability with equal RTT, mark_unreachable sorts to end, RelayEntry serialization
 - 2 protocol tests: RegisterPresenceAck roundtrip with new fields, backward compat without new fields
--- a/docs/PROGRESS.md
+++ b/docs/PROGRESS.md
@@ -120,7 +120,7 @@
 - **Web audio drift**: The browser AudioWorklet playback buffer caps at 200ms, but clock drift between the WebSocket message arrival rate and the AudioContext output rate can cause occasional underruns or accumulation. The cap prevents unbounded growth but may cause glitches.
- **No adaptive loop integration**: The `PathMonitor` feeds and `AdaptiveQualityController` are implemented but not wired together in the client's main loop. Quality reports are consumed when present in packets, but the client does not currently generate periodic quality reports from transport metrics.
+- **Adaptive loop integration (resolved)**: AdaptiveQualityController wired into both desktop and Android send/recv tasks. Relay-coordinated codec switching broadcasts QualityDirective — now handled by both engines (fixed 2026-04-13). 5-tier classification (Studio64k through Catastrophic) with asymmetric hysteresis.
 - **Relay FEC pass-through**: In room mode, the relay forwards packets opaquely without FEC decode/re-encode. This means FEC protection is end-to-end only, not per-hop. In forward mode, the relay pipeline does perform FEC decode/re-encode.
@@ -128,18 +128,18 @@
 ## Test Coverage
-119 tests across 7 crates (wzp-web has no Rust tests):
+372+ tests across 7 crates (wzp-web has no Rust tests):
-| Crate | Test Files | Test Count |
+| Crate | Test Count |
-|-------|-----------|------------|
+|-------|------------|
-| wzp-proto | 5 | 27 |
+| wzp-proto | ~84 |
-| wzp-codec | 3 | 24 |
+| wzp-codec | ~69 |
-| wzp-fec | 5 | 21 |
+| wzp-fec | ~21 |
-| wzp-crypto | 5 | 21 |
+| wzp-crypto | ~21 |
-| wzp-transport | 3 | 12 |
+| wzp-transport | ~11 |
-| wzp-relay | 4 | 10 |
+| wzp-relay | ~120 |
-| wzp-client | 3 | 8 |
+| wzp-client | ~57 |
-| **Total** | **28** | **119** |
+| **Total** | **372+** |
 Tests cover:
 - Wire format roundtrip (header, quality report, full packet)
@@ -191,3 +191,201 @@ Run with `wzp-bench --all`. Representative results (Apple M-series, single core)
 - **Hetzner VPS**: Build script (`scripts/build-linux.sh`) tested for provisioning, building, and downloading Linux binaries
 - **CI**: Gitea workflow defined for amd64/arm64/armv7 builds
 - **Production**: Not yet deployed to production networks
 ## Recent Changes (2026-04-13)
 ### P2P Adaptive Quality (#23, 2026-04-13)
 - QualityReport::from_path_stats() — construct reports from local quinn stats
 - CallEncoder.pending_quality_report — one-shot attachment to source packets
 - Send tasks generate quality reports every 50 frames (~1s) from path stats
 - Recv tasks self-observe from own QUIC stats for P2P adaptation
 - Both relay and P2P calls now have full adaptive quality
 ### Protocol Analyzer (#13-17, 2026-04-13)
 - New binary: wzp-analyzer (crates/wzp-client/src/analyzer.rs, ~900 lines)
 - Passive observer: joins room, receives all media, never sends
 - TUI mode (ratatui): per-participant table with loss%, jitter, codec, color-coded
 - No-TUI mode: stats printed to stderr every 2s
 - Binary capture format (.wzp) with microsecond timestamps
 - Replay mode: offline analysis from capture files
 - HTML report: self-contained with Chart.js loss/jitter timelines
 - Encrypted decode: stub (needs session key + nonce context for SFU E2E)
 ### Codebase Refactoring (2026-04-13)
 - DashMap relay concurrency: global Mutex → 64-shard DashMap
 - Federation clone-before-send: eliminated last lock-during-I/O
 - Engine deduplication: 3 shared helpers, eliminated 250 lines duplication
 - 29 federation tests (was 0)
 - Clap CLI parser for relay (replaced 154-line manual parser)
 - Magic number constants, error handling helpers, safety docs
 ### 5-Tier Adaptive Quality Classification (#9)
 - `Tier` enum extended from 3 to 6 levels: Studio64k > Studio48k > Studio32k > Good > Degraded > Catastrophic
 - WiFi thresholds: loss < 1%/RTT < 30ms (Studio64k) through loss >= 15%/RTT >= 200ms (Catastrophic)
 - Cellular stays at Good ceiling (no studio tiers on mobile data)
 - Asymmetric hysteresis: downgrade 3 reports, upgrade 5, studio upgrade 10
 - `Tier` derives `Ord` — ordering matches quality level (Catastrophic=0, Studio64k=5)
 - `weakest_tier()` simplified to `.min()` via Ord
 ### Client QualityDirective Handling (#27)
 - Both desktop signal tasks (P2P and relay engines) now match `QualityDirective` signals
 - Android signal task matches `QualityDirective` and stores profile index via `pending_profile_recv`
 - Relay-coordinated codec switching now works end-to-end: relay broadcasts → clients react
 - Closes the gap documented in PRD-coordinated-codec.md
 ### Debug Tap Enhancements (#11, #12)
 - `log_signal()`: logs `RoomUpdate` (count + participant names), `QualityDirective` (codec + reason)
 - `log_event()`: logs participant join/leave lifecycle events
 - `log_stats()`: periodic 5-second summary — packets in/out, fan-out avg, seq gaps, codecs seen
 - `TapStats` struct tracks per-participant metrics across the forwarding loop
 - All output via `target: "debug_tap"` for RUST_LOG filtering
 ### Bug Fix: dual_path.rs Phase 7 regression
 - Added missing `ipv6_endpoint: None` parameter to 3 `race()` call sites in integration tests
 - Phase 7 IPv6 dual-socket changed the function signature but tests were not updated
 ### Build: Keystore sync (f17420a)
 - `build.sh` syncs keystores from persistent cache before build
 ## Previous Changes (2026-04-12)
 ### Bluetooth Audio Routing
 - 3-way route cycling: Earpiece → Speaker → Bluetooth SCO
 - `setCommunicationDevice()` API 31+ with `startBluetoothSco()` fallback
 - BT-mode Oboe: capture skips 48kHz + VoiceCommunication, Oboe resamples 8/16kHz ↔ 48kHz
 - `MODE_IN_COMMUNICATION` deferred to call start (was at app launch — hijacked system audio)
 ### Network Change Detection
 - `NetworkMonitor.kt` wraps `ConnectivityManager.NetworkCallback`
 - WiFi/cellular classification via bandwidth heuristics (no READ_PHONE_STATE needed)
 - Feeds `AdaptiveQualityController::signal_network_change()` via JNI → AtomicU8 → recv task
 ### Hangup Signal Fix
 - `SignalMessage::Hangup` now carries optional `call_id`
 - Relay only ends the named call (not all calls for the user)
 - Fixes race: hangup for call 1 no longer kills newly-placed call 2
 ### Per-Architecture APK Builds
 - `build-tauri-android.sh --arch arm64|armv7|all`
 - Separate per-arch APKs (~25MB each vs ~50MB universal)
 - Release APKs signed with `wzp-release.jks` via `apksigner`
 ### Continuous DRED Tuning (Phase A: opus-DRED-v2)
 - `DredTuner` in `wzp-proto::dred_tuner` maps live network metrics to continuous DRED duration
 - Polls quinn path stats every 25 frames (~500ms): loss%, RTT, jitter
 - Linear interpolation between baseline and ceiling per codec tier (not discrete tier jumps)
 - Jitter-spike detection: >30% EWMA spike pre-emptively boosts DRED to ceiling for ~5s
 - RTT phantom loss: high RTT (>200ms) adds phantom contribution to keep DRED generous
 - `set_expected_loss()` and `set_dred_duration()` added to `AudioEncoder` trait
 - Integrated into both Android and desktop send tasks in engine.rs
 ### Extended DRED Window
 - Opus6k DRED duration increased from 500ms to 1040ms (max libopus 1.5 supports)
 - RDO-VAE naturally degrades quality at longer offsets — extra window costs ~1-2 kbps
 ### PMTUD (Path MTU Discovery)
 - Quinn's PLPMTUD explicitly configured: initial 1200, upper bound 1452, 300s interval
 - `QuinnPathSnapshot` exposes discovered MTU via `current_mtu` field
 - `TrunkedForwarder` refreshes `max_bytes` from PMTUD (was hard-coded 1200)
 - Federation trunk frames now fill the discovered path MTU automatically
 ### New Tests
 - 4 DRED tuner integration tests in wzp-client (encoder adjustment, spike boost, Codec2 no-op, profile switch)
 - 10 unit tests in wzp-proto for DredTuner mapping logic
 - Jitter variance window tests in wzp-transport PathMonitor
 - Pre-existing test fixes: added missing `build_version` fields to 7 SignalMessage constructors
 ### Desktop Adaptive Quality (#7, #31)
 - `AdaptiveQualityController` wired into both Android and desktop send/recv tasks
 - `pending_profile: Arc<AtomicU8>` bridge between recv (writer) and send (reader)
 - Auto mode: ingests QualityReports from relay, switches encoder profile when adapter recommends
 - `tx_codec` display string updated on profile switch for UI indicator
 - `profile_to_index()` / `index_to_profile()` mapping for 6-tier range
 ### Relay Coordinated Codec Switching (#25, #26)
 - `ParticipantQuality` struct in relay RoomManager tracks per-participant quality
 - Quality reports from forwarded packets feed per-participant `AdaptiveQualityController`
 - `weakest_tier()` computes room-wide worst tier across all participants
 - `QualityDirective` SignalMessage variant: relay broadcasts recommended profile to all participants
 - Triggered on tier change — instant, no negotiation (weakest-link policy)
 ### Oboe Stream State Polling (#35)
 - C++ polling loop after `requestStart()`: checks `getState()` every 10ms for up to 2s
 - Waits for both capture and playout streams to reach `Started` state
 - Logs initial state, poll count, and final state for HAL debugging
 - Does NOT fail on timeout — Rust-side stall detector remains as safety net
 - Targets Nothing Phone A059 intermittent silent calls on cold start
 ### Opus6k Frame Starvation Fix (2026-04-13)
 - Root cause: partial reads from capture ring consumed samples that were discarded on retry
 - `audio_read_capture(&mut buf[..1920])` with only 960 available → read 960, loop retried from buf[0], overwriting
 - Added `wzp_native_audio_capture_available()` — check before reading (matches desktop pattern)
 - `frame_samples` made mutable and updated on adaptive profile switch
 - `buf` sized to max frame (1920) with `[..frame_samples]` slices throughout
 - Result: Opus6k frame rate restored from ~11/s to expected 25/s
 ### Build Script Fixes (2026-04-13)
 - Stale APK cleanup: delete all APKs before build, prefer `*release*.apk` on upload
 - APK signing: added zipalign + apksigner pipeline to `build.sh` (was in `build-tauri-android.sh` only)
 - Keystore persistence: `$BASE_DIR/data/keystore/` cache synced into source tree before build
 - Fixes: 384MB debug APK uploaded instead of 25MB release; unsigned APK on alt server
 ### Phase 8: Tailscale-Inspired STUN/ICE Enhancements (2026-04-14)
 5 new modules in `wzp-client`, 83 new unit tests (588 total across workspace).
 #### Public STUN Client (`stun.rs`)
 - Minimal RFC 5389 STUN Binding Request/Response over raw UDP
 - XOR-MAPPED-ADDRESS (preferred) + MAPPED-ADDRESS (fallback) parsing
 - Default servers: `stun.l.google.com:19302`, `stun1.l.google.com:19302`, `stun.cloudflare.com:3478`
 - `discover_reflexive()` — first-success parallel probe across N servers
 - `probe_stun_servers()` — full results for NAT classification
 - Integrated into `detect_nat_type_with_stun()` combining relay + STUN probes
 - Desktop STUN fallback in `try_reflect_own_addr()` when relay reflection fails
 #### PCP/PMP/UPnP Port Mapping (`portmap.rs`)
 - **NAT-PMP** (RFC 6886): UDP to gateway:5351, external address + port mapping
 - **PCP** (RFC 6887): PCP MAP opcode, IPv4-mapped IPv6 client address
 - **UPnP IGD**: SSDP M-SEARCH discovery + SOAP `AddPortMapping`/`GetExternalIPAddress`
 - Gateway discovery: macOS (`route -n get default`), Linux (`/proc/net/route`)
 - `acquire_port_mapping()` tries NAT-PMP → PCP → UPnP, first success wins
 - `release_port_mapping()` + `spawn_refresh()` for lifecycle management
 - Signal protocol: `caller_mapped_addr`/`callee_mapped_addr` on offer/answer, `peer_mapped_addr` on CallSetup
 - `PeerCandidates.mapped` — new candidate type in dial order (host → mapped → reflexive)
 #### Mid-Call ICE Re-Gathering (`ice_agent.rs`)
 - `IceAgent`: owns candidate lifecycle with `gather()`, `re_gather()`, `apply_peer_update()`
 - Monotonic generation counter prevents stale candidate updates from reordering
 - `SignalMessage::CandidateUpdate` — new signal for mid-call candidate exchange
 - Relay forwards `CandidateUpdate` to call peer (same pattern as `MediaPathReport`)
 - Desktop handles `CandidateUpdate` in signal recv loop, emits to JS frontend
 - Transport hot-swap architecture designed (TODO: wire into live call engine)
 #### Netcheck Diagnostic (`netcheck.rs`)
 - `NetcheckReport`: NAT type, reflexive addr, IPv4/v6, port mapping, relay latencies, gateway
 - `run_netcheck()` — parallel probes for STUN + relay + portmap + IPv6
 - `format_report()` — human-readable diagnostic output
 - CLI: `wzp-client --netcheck <relay>` runs diagnostic
 #### Region-Based Relay Selection (`relay_map.rs`)
 - `RelayMap` sorted by RTT, `preferred()` returns lowest-latency reachable relay
 - `populate_from_ack()` — parses `RegisterPresenceAck.available_relays`
 - Stale detection (`needs_reprobe()`, `stale_entries()`)
 - `RegisterPresenceAck` extended with `relay_region` and `available_relays`
 #### Hard NAT Port Allocation Detection (`stun.rs` Phase A)
 - `PortAllocation` enum: `PortPreserving` / `Sequential { delta }` / `Random` / `Unknown`
 - `detect_port_allocation()` — sequential STUN probes from single socket, analyzes external port sequence
 - `classify_port_allocation()` — pure classifier with wraparound handling, jitter tolerance (±1), 60% threshold for noisy sequences
 - `predict_ports(last_port, delta, offset, spread)` — generates target port range for sequential NATs
 - `HardNatProbe` signal message for peer coordination (carries port_sequence, allocation, external_ip)
 - Relay forwards `HardNatProbe` to call peer
 - `NetcheckReport.port_allocation` field populated automatically
 - 17 new tests for classification, prediction, serde, Display
 #### Relay End-to-End Wiring (2026-04-14)
 - `CallRegistry` stores + cross-wires `caller_mapped_addr`/`callee_mapped_addr` into `CallSetup.peer_mapped_addr`
 - `RelayConfig` extended with `region` + `advertised_addr` fields
 - `RegisterPresenceAck` populates `relay_region` from config, `available_relays` from federation peers
 - Desktop `place_call`/`answer_call` call `acquire_port_mapping()` and fill mapped addr fields
 - Legacy `build-android-docker.sh` renamed to `build-android-docker-LEGACY.sh` to prevent accidental use
--- a/docs/REFACTOR-codebase-audit.md
+++ b/docs/REFACTOR-codebase-audit.md
@@ -0,0 +1,271 @@
 # Codebase Refactoring Audit (2026-04-13)
 > Full analysis of the WarzonePhone codebase after the DashMap relay refactor, DRED continuous tuning, and adaptive quality wiring. The codebase is ~15K lines of Rust across 8 crates plus a 1.7K-line Tauri engine. This document identifies every refactoring opportunity ranked by impact.
 ## Critical: engine.rs is 1,705 Lines With ~35% Duplication
 `desktop/src-tauri/src/engine.rs` has two nearly-identical `CallEngine::start()` implementations:
 - **Android path:** 880 lines (lines 321–1200)
 - **Desktop path:** 430 lines (lines 1203–1633)
 ### What's Duplicated (350+ lines)
 | Block | Android Lines | Desktop Lines | Size | Identical? |
 |-------|--------------|---------------|------|-----------|
 | CallConfig initialization | 529–539 | 1353–1363 | 23 lines | Yes |
 | DRED tuner + frame_samples setup | 541–555 | 1360–1375 | 15 lines | Yes |
 | Adaptive quality profile switch | 651–665 | 1414–1428 | 15 lines | Yes |
 | Codec-to-QualityProfile match | 852–864 | 1488–1500 | 19 lines | Yes |
 | DRED ingest + gap fill | 886–902 | 1511–1528 | 17 lines | Yes |
 | Quality report ingestion | 905–912 | 1531–1538 | 8 lines | Yes |
 | Signal task (entire thing) | 1133–1180 | 1569–1616 | 48 lines | Yes |
 ### Suggested Fix: Extract Shared Helpers
 ```rust
 // Top of engine.rs — shared between both platforms
 fn build_call_config(quality: &str) -> CallConfig { ... }
 fn codec_to_profile(codec: CodecId) -> QualityProfile { ... }
 fn check_adaptive_switch(
    pending: &AtomicU8,
    encoder: &mut CallEncoder,
    tuner: &mut DredTuner,
    frame_samples: &mut usize,
    tx_codec: &Mutex<String>,
 ) { ... }
 async fn run_signal_task(
    transport: Arc<QuinnTransport>,
    running: Arc<AtomicBool>,
    pending_profile: Arc<AtomicU8>,
    participants: Arc<Mutex<Vec<ParticipantInfo>>>,
 ) { ... }
 ```
 This would reduce engine.rs by ~200 lines and make the Android/desktop paths only differ in their audio I/O (Oboe vs CPAL).
 **Effort:** 2-3 hours. **Impact:** High — every future change to the send/recv pipeline currently requires editing two places.
 ---
 ## High: SignalMessage Enum Has 36 Variants
 `crates/wzp-proto/src/packet.rs` (1,727 lines) has a `SignalMessage` enum with 36 variants mixing orthogonal concerns:
 - Legacy call signaling (CallOffer, CallAnswer, IceCandidate, Rekey...)
 - Direct calling (RegisterPresence, DirectCallOffer, DirectCallAnswer, CallSetup...)
 - Federation (FederationHello, GlobalRoomActive/Inactive, FederatedSignalForward)
 - Relay control (SessionForward, PresenceUpdate, RouteQuery, RoomUpdate)
 - NAT traversal (Reflect, ReflectResponse, MediaPathReport)
 - Quality (QualityUpdate, QualityDirective)
 - Call control (Ping/Pong, Hold/Unhold, Mute/Unmute, Transfer)
 Every new feature adds variants here, and every match on `SignalMessage` must handle all 36 arms (or use `_` wildcard).
 ### Suggested Fix: Sub-Enum Grouping
 ```rust
 enum SignalMessage {
    Call(CallSignal),           // CallOffer, CallAnswer, IceCandidate, Rekey, Hangup...
    Direct(DirectCallSignal),   // RegisterPresence, DirectCallOffer, CallSetup, MediaPathReport...
    Federation(FedSignal),      // FederationHello, GlobalRoomActive, FederatedSignalForward...
    Control(ControlSignal),     // Ping/Pong, Hold/Unhold, Mute/Unmute, QualityDirective...
    Relay(RelaySignal),         // SessionForward, PresenceUpdate, RouteQuery, RoomUpdate...
 }
 ```
 **Caution:** This is a wire-format change. Serde serialization must remain backward-compatible with already-deployed relays. Use `#[serde(untagged)]` or versioned deserialization. Consider doing this as a v2 protocol bump.
 **Effort:** 1 day. **Impact:** High for maintainability, but risky for wire compatibility.
 ---
 ## High: Federation Has Zero Tests
 `crates/wzp-relay/src/federation.rs` (1,132 lines) has **no unit tests and no integration tests**. This is the most complex file in the relay crate, handling:
 - Peer link management (connect, reconnect, stale sweep)
 - Federation media egress (forward_to_peers)
 - Federation media ingress (handle_datagram: dedup, rate limit, local delivery, multi-hop)
 - Cross-relay signal forwarding
 - Room event subscription and GlobalRoomActive/Inactive broadcasting
 The relay crate has 91 tests, but none cover federation. Any refactoring of federation (like the DashMap migration or clone-before-send) is flying blind.
 ### Suggested Fix
 Priority test cases:
 1. `forward_to_peers` with 0, 1, 3 peers — verify datagram construction and label tracking
 2. `handle_datagram` — dedup (same packet twice → second dropped), rate limit (exceed → dropped)
 3. Stale presence sweeper — verify cleanup after timeout
 4. `broadcast_signal` — verify signal reaches all peers
 5. Multi-hop forward — verify source peer excluded from re-forward
 **Effort:** 1 day. **Impact:** Critical for safe refactoring.
 ---
 ## Medium: Federation `peer_links` Lock-During-Send
 `broadcast_signal()` (line 216) holds `peer_links` Mutex **across async `send_signal()` calls**. A slow peer blocks all signal delivery. `forward_to_peers()` (line 406) holds it during sync sends (less severe but still serializes).
 ### Fix (30 minutes)
 ```rust
 // Before:
 let links = self.peer_links.lock().await;
 for (fp, link) in links.iter() {
    link.transport.send_signal(msg).await;  // lock held across await!
 }
 // After:
 let peers: Vec<_> = {
    let links = self.peer_links.lock().await;
    links.values().map(|l| (l.label.clone(), l.transport.clone())).collect()
 };
 for (label, transport) in &peers {
    transport.send_signal(msg).await;  // no lock held
 }
 ```
 Apply to `forward_to_peers()`, `broadcast_signal()`, and `send_signal_to_peer()`.
 **Effort:** 30 minutes. **Impact:** Medium — eliminates last lock-during-I/O pattern.
 ---
 ## Medium: Magic Numbers Scattered Through engine.rs
 ```rust
 // These appear as literals in multiple places:
 tokio::time::sleep(Duration::from_millis(5))    // 6 occurrences
 tokio::time::sleep(Duration::from_millis(100))   // 2 occurrences
 Duration::from_millis(200)                        // 2 occurrences (signal timeout)
 Duration::from_secs(10)                           // 1 occurrence (QUIC connect timeout)
 Duration::from_secs(2)                            // 2 occurrences (heartbeat interval)
 const DRED_POLL_INTERVAL: u32 = 25;              // defined twice (Android + desktop)
 vec![0i16; 1920]                                  // 2 occurrences (should use FRAME_SAMPLES_40MS)
 ```
 ### Fix
 ```rust
 // Top of engine.rs
 const CAPTURE_POLL_MS: u64 = 5;
 const RECV_TIMEOUT_MS: u64 = 100;
 const SIGNAL_TIMEOUT_MS: u64 = 200;
 const CONNECT_TIMEOUT_SECS: u64 = 10;
 const HEARTBEAT_INTERVAL_SECS: u64 = 2;
 const DRED_POLL_INTERVAL: u32 = 25;
 // Already exists: const FRAME_SAMPLES_40MS: usize = 1920;
 ```
 **Effort:** 15 minutes. **Impact:** Low but prevents bugs from inconsistent values.
 ---
 ## Medium: CLI Arg Parsing in Relay main.rs
 `parse_args()` in main.rs is 154 lines of manual `while i < args.len()` parsing with `match args[i].as_str()`. Every new flag adds 5-10 lines of boilerplate.
 ### Suggested Fix
 Replace with `clap` derive macro:
 ```rust
 #[derive(clap::Parser)]
 struct RelayArgs {
    #[arg(long, default_value = "0.0.0.0:4433")]
    listen: SocketAddr,
    #[arg(long)]
    remote: Option<String>,
    #[arg(long)]
    auth_url: Option<String>,
    // ...
 }
 ```
 **Effort:** 1 hour. **Impact:** Medium — cleaner, auto-generates `--help`, validates types at parse time.
 ---
 ## Medium: Error Handling Inconsistency
 13 instances of `.ok()` silently swallowing errors on `transport.close()` across the relay. Federation signal forwarding has inconsistent error handling — some paths log, some don't.
 ### Fix
 ```rust
 // Helper at top of main.rs/federation.rs:
 async fn close_transport(t: &impl MediaTransport, context: &str) {
    if let Err(e) = t.close().await {
        tracing::debug!(context, error = %e, "transport close error (non-fatal)");
    }
 }
 ```
 **Effort:** 30 minutes. **Impact:** Better observability when debugging connection issues.
 ---
 ## Low: Unused Crypto Fields
 `crates/wzp-crypto/src/handshake.rs` has `x25519_static_secret` and `x25519_static_public` fields marked `#[allow(dead_code)]`. These are derived from the identity seed but never used in any handshake flow.
 **Decision needed:** Are these intended for a future feature (static key federation auth)? If not, remove. If yes, document the intended use.
 **Effort:** 5 minutes to remove, or 10 minutes to document.
 ---
 ## Low: 20 Unsafe Functions Missing Safety Docs
 `crates/wzp-native/src/lib.rs` has 20 `unsafe` functions (extern "C" FFI bridge to Oboe) without `/// # Safety` documentation. Clippy flags all of them.
 **Effort:** 30 minutes. **Impact:** Clippy clean, better documentation for contributors.
 ---
 ## Low: quality.rs vs dred_tuner.rs Overlap
 Both files deal with network quality → codec decisions, but they're complementary:
 - `quality.rs`: discrete tier classification (Good/Degraded/Catastrophic) → codec profile
 - `dred_tuner.rs`: continuous DRED frame mapping from loss/RTT/jitter
 No consolidation needed, but add cross-references:
 ```rust
 // In dred_tuner.rs:
 //! See also: `quality.rs` for discrete tier classification that drives
 //! codec switching. DredTuner operates within a tier, adjusting DRED
 //! parameters continuously.
 // In quality.rs:
 //! See also: `dred_tuner.rs` for continuous DRED tuning within a tier.
 ```
 **Effort:** 5 minutes.
 ---
 ## Summary: Priority Matrix
 | # | Refactor | Effort | Impact | Risk |
 |---|----------|--------|--------|------|
 | 1 | Extract shared engine.rs helpers | 2-3h | High | Low |
 | 2 | Federation tests | 1 day | Critical | None |
 | 3 | Federation clone-before-send | 30 min | Medium | Low |
 | 4 | Extract magic numbers to constants | 15 min | Low | None |
 | 5 | Error handling helpers | 30 min | Medium | None |
 | 6 | CLI parser → clap | 1h | Medium | Low |
 | 7 | SignalMessage sub-enums | 1 day | High | High (wire compat) |
 | 8 | Safety docs on unsafe fns | 30 min | Low | None |
 | 9 | Remove/document dead crypto fields | 5 min | Low | None |
 | 10 | Cross-reference quality.rs ↔ dred_tuner.rs | 5 min | Low | None |
 **Recommended order:** 4 → 3 → 5 → 1 → 2 → 6 → 8 → 9 → 10 → 7
 Items 4, 3, 5 are quick wins (under 1 hour total). Item 1 is the biggest maintainability win. Item 2 is the most important for safety. Item 7 should wait for a protocol version bump.
--- a/docs/REFACTOR-relay-concurrency.md
+++ b/docs/REFACTOR-relay-concurrency.md
@@ -0,0 +1,256 @@
 # Relay Concurrency Refactor Guide
 > Post-DashMap analysis: what was done, what remains, and what to do next.
 ## What Was Done (2026-04-13)
 Replaced the global `Arc<Mutex<RoomManager>>` with `DashMap<String, Room>` inside `RoomManager`. The relay's media forwarding hot path no longer serializes through a single lock.
 ### Before
 ```
 Participant A recv_media()
  → room_mgr.lock().await          ← ALL participants, ALL rooms compete here
  → mgr.observe_quality(...)       ← O(N) quality computation inside lock
  → mgr.others(...)                ← clone Vec<ParticipantSender>
  → drop(lock)
  → fan-out sends
 ```
 One `tokio::sync::Mutex` guarding all rooms, all participants, all quality state. A 100-room relay was effectively single-threaded for media forwarding.
 ### After
 ```
 Participant A recv_media()
  → room_mgr.observe_quality(...)  ← DashMap::get_mut(), per-room shard lock
  → room_mgr.others(...)           ← DashMap::get(), shared shard lock
  → fan-out sends                  ← no lock held
 ```
 64 internal shards. Rooms on different shards are fully parallel. Rooms on the same shard use RwLock semantics — reads (`others()`) are concurrent, writes (`observe_quality()`, `join()`, `leave()`) are exclusive per-shard only.
 ### Files Changed
 | File | Change |
 |------|--------|
 | `crates/wzp-relay/Cargo.toml` | Added `dashmap = "6"` |
 | `crates/wzp-relay/src/room.rs` | `HashMap<String, Room>` → `DashMap<String, Room>`, per-room quality/tier, all methods `&self` |
 | `crates/wzp-relay/src/main.rs` | `Arc<Mutex<RoomManager>>` → `Arc<RoomManager>`, 3 lock sites removed |
 | `crates/wzp-relay/src/federation.rs` | 11 lock sites removed, `room_mgr` field type changed |
 | `crates/wzp-relay/src/ws.rs` | 3 lock sites removed, `room_mgr` field type changed |
 ### Measured Improvement
 | Metric | Before | After |
 |--------|--------|-------|
 | Lock type (rooms) | 1 global `tokio::sync::Mutex` | 64-shard `DashMap` with per-shard RwLock |
 | Cross-room blocking | Yes (all rooms share 1 lock) | No (rooms are independent) |
 | Read concurrency within room | None (Mutex is exclusive) | Yes (`get()` is shared) |
 | `.lock().await` sites | 20 across 4 files | 0 for room operations |
 | Test count | 314 passing | 314 passing (0 regressions) |
 ---
 ## Current Lock Inventory
 ### Tier 0: Eliminated (Room Hot Path)
 These are gone — DashMap handles them internally:
 - ~~`room_mgr.lock().await` in media forwarding~~ → `room_mgr.others()` (DashMap shard)
 - ~~`room_mgr.lock().await` in quality tracking~~ → `room_mgr.observe_quality()` (DashMap shard)
 - ~~`room_mgr.lock().await` in join/leave~~ → `room_mgr.join()` / `.leave()` (DashMap entry)
 ### Tier 1: Federation `peer_links` (Medium Priority)
 **Location:** `crates/wzp-relay/src/federation.rs:142`
 ```rust
 peer_links: Arc<Mutex<HashMap<String, PeerLink>>>
 ```
 **22 lock sites** across federation.rs. The most important:
 | Method | Line | Hold Duration | I/O While Locked | Frequency |
 |--------|------|---------------|-------------------|-----------|
 | `forward_to_peers()` | 406 | 1-5ms (iterate + sync send) | Sync only | Per-packet batch |
 | `broadcast_signal()` | 216 | N × send_signal latency | **YES (async)** | Per-signal |
 | `handle_datagram()` multi-hop | 1123 | 1-2ms (iterate + sync send) | Sync only | Per-federation-packet |
 | `send_signal_to_peer()` | 246 | send_signal latency | **YES (async)** | Per-signal |
 | Stale sweeper | 523 | 1-5ms | No | Every 5s |
 **Impact:** Only matters with 5+ federation peers or high federation datagram rates (>1000 pps). For 1-3 peers, contention is negligible.
 ### Tier 2: Control Plane (Low Priority)
 These are on the connection setup / signal path, not the media hot path:
 | Lock | Location | Frequency |
 |------|----------|-----------|
 | `session_mgr` | main.rs:450 | Per-connection setup |
 | `signal_hub` | main.rs:453 | Per-signal lookup |
 | `call_registry` | main.rs:454 | Per-call setup |
 | `presence` | main.rs:283 | Per-presence change |
 | `ACL` | room.rs:357 | Per-room join |
 **Impact:** None. These handle rare events (connection setup, call signaling) and hold locks for <5ms with no I/O inside.
 ### Tier 3: Forward Mode Pipeline (Niche)
 | Lock | Location | Notes |
 |------|----------|-------|
 | `RelayPipeline` | main.rs:198, 228 | Only used in `--remote` forward mode (relay-to-relay), not SFU room mode |
 **Impact:** None for normal operation. Forward mode is a niche deployment.
 ---
 ## Suggested Next Refactors (Priority Order)
 ### 1. Federation `peer_links` Clone-Before-Send
 **Effort:** 30 minutes
 **Impact:** Eliminates the lock-held-during-iteration pattern in `forward_to_peers()` and `broadcast_signal()`
 **Current:**
 ```rust
 pub async fn forward_to_peers(&self, ...) {
    let links = self.peer_links.lock().await;  // held for entire loop
    for (_fp, link) in links.iter() {
        link.transport.send_raw_datagram(&tagged);  // sync, but lock still held
    }
 }
 ```
 **Fix:**
 ```rust
 pub async fn forward_to_peers(&self, ...) {
    let peers: Vec<(String, Arc<QuinnTransport>)> = {
        let links = self.peer_links.lock().await;
        links.values().map(|l| (l.label.clone(), l.transport.clone())).collect()
    };  // lock released — hold time: ~1μs for Arc clones
    for (label, transport) in &peers {
        transport.send_raw_datagram(&tagged);  // no lock held
    }
 }
 ```
 Same treatment for `broadcast_signal()` (line 216) which currently holds the lock across **async** `send_signal()` calls — this is the worst offender since a slow peer blocks all signal delivery.
 ### 2. Federation `peer_links` → DashMap
 **Effort:** 2 hours
 **Impact:** Per-peer sharding, eliminates all cross-peer contention
 Only worth doing if:
 - Running 10+ federation peers
 - `forward_to_peers()` shows up in profiling
 - The clone-before-send fix from suggestion 1 is insufficient
 ```rust
 peer_links: DashMap<String, PeerLink>
 ```
 Most lock sites become `self.peer_links.get(&fp)` or `.get_mut(&fp)`. The multi-hop forward loop would use `.iter()` which takes temporary shared locks per shard.
 ### 3. Quality Tracking Out of Hot Path
 **Effort:** 1 day
 **Impact:** Reduces per-packet DashMap shard lock from exclusive (`get_mut`) to shared (`get`)
 Currently, every packet with a `QualityReport` calls `observe_quality()` which uses `rooms.get_mut()` (exclusive shard lock). This serializes quality-carrying packets within the same DashMap shard.
 **Fix:** Use per-participant `AtomicU8` for latest loss/RTT (written lock-free from hot path). A background task (every 1s) reads the atomics, computes tiers via `rooms.get_mut()`, and broadcasts `QualityDirective`. The per-packet hot path becomes purely read-only: `rooms.get()` → `others()`.
 ```rust
 struct ParticipantQualityAtomic {
    latest_loss: AtomicU8,      // written per-packet (lock-free)
    latest_rtt: AtomicU8,       // written per-packet (lock-free)
 }
 // Hot path (per-packet):
 if let Some(ref qr) = pkt.quality_report {
    participant_quality.latest_loss.store(qr.loss_pct, Ordering::Relaxed);
    participant_quality.latest_rtt.store(qr.rtt_4ms, Ordering::Relaxed);
 }
 let others = room_mgr.others(&room_name, participant_id);  // DashMap::get() — shared lock
 // Background task (every 1 second):
 for room in room_mgr.rooms.iter_mut() {  // DashMap::iter_mut() — exclusive per-shard
    room.recompute_tiers_from_atomics();
    if tier_changed { broadcast QualityDirective }
 }
 ```
 ### 4. Lock-Free Participant Snapshot (Future)
 **Effort:** 0.5 day
 **Impact:** Zero-lock media hot path
 Replace `Vec<Participant>` in `Room` with an `arc-swap` snapshot:
 ```rust
 struct Room {
    participants: Vec<Participant>,
    sender_snapshot: arc_swap::ArcSwap<Vec<ParticipantSender>>,
 }
 ```
 The snapshot is rebuilt on join/leave (rare). The hot path does `sender_snapshot.load()` — an atomic pointer read with zero locking. DashMap wouldn't even be involved in the per-packet path.
 Only worth doing if DashMap shard contention becomes measurable in profiling (unlikely for rooms <100 people).
 ---
 ## Decision Matrix
 | Scenario | Current (DashMap) | + Clone-Before-Send | + Quality Atomics | + arc-swap |
 |----------|-------------------|---------------------|-------------------|-----------|
 | 10 rooms × 5 people | Saturates all cores | Same | Same | Same |
 | 1 room × 100 people | Good (shared read) | Same | Better (no exclusive) | Best |
 | 5 federation peers | 1-5ms contention | <1μs contention | Same | Same |
 | 20 federation peers | 10-20ms contention | <1μs contention | Same | Same |
 | 1000 rooms × 3 people | Excellent | Same | Same | Same |
 **Recommendation:** Do suggestion 1 (clone-before-send, 30 min) now. Everything else is future optimization that current workloads don't need.
 ---
 ## Concurrency Diagram (Current State)
 ```
                        ┌─────────────────────────────────┐
                        │      tokio multi-threaded        │
                        │      work-stealing runtime       │
                        └───────────────┬─────────────────┘
                                        │
           ┌────────────────────────────┼────────────────────────────┐
           │                            │                            │
    ┌──────▼──────┐             ┌───────▼───────┐            ┌───────▼───────┐
    │  QUIC Accept │             │  Federation   │            │  Signal Hub   │
    │  (per-conn   │             │  (per-peer    │            │  (per-client  │
    │   task)      │             │   task)       │            │   task)       │
    └──────┬──────┘             └───────┬───────┘            └───────┬───────┘
           │                            │                            │
    ┌──────▼──────┐             ┌───────▼───────┐            ┌───────▼───────┐
    │  Per-Room    │             │  peer_links   │            │  signal_hub   │
    │  DashMap     │◄──64 shards│  Mutex        │◄──1 lock   │  Mutex        │
    │  (media hot  │             │  (federation  │            │  (signal      │
    │   path)      │             │   hot path)   │            │   plane)      │
    └─────────────┘             └───────────────┘            └───────────────┘
         │                                                         │
    No cross-room                                            Low frequency
    blocking                                                 (<1 call/sec)
 ```
 ## Files Reference
 | File | Lines | Role |
 |------|-------|------|
 | `crates/wzp-relay/src/room.rs` | ~1275 | DashMap room storage, participant management, quality tracking, media forwarding loops |
 | `crates/wzp-relay/src/federation.rs` | ~1152 | Peer link management, federation media egress/ingress, signal forwarding |
 | `crates/wzp-relay/src/main.rs` | ~1746 | Connection accept, handshake dispatch, signal handling, room/federation wiring |
 | `crates/wzp-relay/src/ws.rs` | ~250 | WebSocket bridge, room integration |
 | `crates/wzp-relay/src/metrics.rs` | ~200 | Prometheus counters (lock-free atomics) |
 | `crates/wzp-relay/src/trunk.rs` | ~150 | TrunkBatcher (per-instance, no shared state) |
--- a/scripts/build-and-notify.sh.old
+++ b/scripts/build-and-notify.sh.old
--- a/scripts/build-android-docker-LEGACY.sh
+++ b/scripts/build-android-docker-LEGACY.sh
--- a/scripts/build-tauri-android.sh
+++ b/scripts/build-tauri-android.sh
@@ -15,11 +15,14 @@ set -euo pipefail
 #   - Output: desktop/src-tauri/gen/android/.../*.apk
 #
 # Usage:
-#   ./scripts/build-tauri-android.sh                  # full pipeline (debug)
+#   ./scripts/build-tauri-android.sh                  # full pipeline (debug, arm64 only)
 #   ./scripts/build-tauri-android.sh --release        # release APK
 #   ./scripts/build-tauri-android.sh --no-pull        # skip git fetch
 #   ./scripts/build-tauri-android.sh --rust           # force-clean rust target
 #   ./scripts/build-tauri-android.sh --init           # also run `cargo tauri android init`
 #   ./scripts/build-tauri-android.sh --arch arm64     # arm64 only (default)
 #   ./scripts/build-tauri-android.sh --arch armv7     # armv7 only (smaller APK)
 #   ./scripts/build-tauri-android.sh --arch all       # both arm64 + armv7 (separate APKs)
 #
 # Environment:
 #   WZP_BRANCH   Branch to build (default: feat/desktop-audio-rewrite)
@@ -29,27 +32,47 @@ REMOTE_HOST="SepehrHomeserverdk"
 BASE_DIR="/mnt/storage/manBuilder"
 NTFY_TOPIC="https://ntfy.sh/wzp"
 LOCAL_OUTPUT="target/tauri-android-apk"
-BRANCH="${WZP_BRANCH:-feat/desktop-audio-rewrite}"
+BRANCH="${WZP_BRANCH:-$(git -C "$(dirname "$0")/.." branch --show-current 2>/dev/null || echo "")}"
 SSH_OPTS="-o ConnectTimeout=15 -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o LogLevel=ERROR"
 REBUILD_RUST=0
 DO_PULL=1
 DO_INIT=0
 BUILD_RELEASE=0
 BUILD_ARCH="arm64"
 NEXT_IS_ARCH=0
 for arg in "$@"; do
    if [ "$NEXT_IS_ARCH" = "1" ]; then
        BUILD_ARCH="$arg"
        NEXT_IS_ARCH=0
        continue
    fi
    case "$arg" in
        --rust)     REBUILD_RUST=1 ;;
        --pull)     DO_PULL=1 ;;
        --no-pull)  DO_PULL=0 ;;
        --init)     DO_INIT=1 ;;
        --release)  BUILD_RELEASE=1 ;;
        --arch)     NEXT_IS_ARCH=1 ;;
        -h|--help)
-            sed -n '3,30p' "$0"
+            sed -n '3,32p' "$0"
            exit 0
            ;;
    esac
 done
 # Validate --arch
 case "$BUILD_ARCH" in
    arm64|armv7|all) ;;
    *) echo "ERROR: --arch must be arm64, armv7, or all (got: $BUILD_ARCH)"; exit 1 ;;
 esac
 if [ -z "$BRANCH" ]; then
    echo "ERROR: could not determine target branch (detached HEAD?). Pass WZP_BRANCH=name."
    exit 1
 fi
 echo "Target branch: $BRANCH  arch: $BUILD_ARCH"
 log() { echo -e "\033[1;36m>>> $*\033[0m"; }
 ssh_cmd() { ssh -A $SSH_OPTS "$REMOTE_HOST" "$@"; }
@@ -69,6 +92,7 @@ DO_PULL="${2:-1}"
 REBUILD_RUST="${3:-0}"
 DO_INIT="${4:-0}"
 BUILD_RELEASE="${5:-0}"
 BUILD_ARCH="${6:-arm64}"
 LOG_FILE=/tmp/wzp-tauri-build.log
 GIT_HASH="unknown"  # populated after fetch
@@ -149,10 +173,25 @@ PROFILE_FLAG="--debug"
 mkdir -p "$BASE_DIR/data/cache/android-home"
 chown 1000:1000 "$BASE_DIR/data/cache/android-home" 2>/dev/null || true
 # ─── Determine target architectures ──────────────────────────────────────
 # Maps BUILD_ARCH to cargo-ndk ABI names and cargo-tauri target names.
 # BUILD_ARCH=arm64 → one APK; BUILD_ARCH=armv7 → one APK; BUILD_ARCH=all → two APKs.
 case "$BUILD_ARCH" in
    arm64)  ARCH_LIST="arm64" ;;
    armv7)  ARCH_LIST="armv7" ;;
    all)    ARCH_LIST="arm64 armv7" ;;
 esac
 # Mapping functions (used inside docker via env vars)
 # cargo-ndk ABI:   arm64-v8a | armeabi-v7a
 # cargo-tauri:     aarch64   | armv7
 # NDK sysroot:     aarch64-linux-android | arm-linux-androideabi
 docker run --rm \
    --user 1000:1000 \
    -e DO_INIT="$DO_INIT" \
    -e PROFILE_FLAG="$PROFILE_FLAG" \
    -e BUILD_ARCH="$BUILD_ARCH" \
    -v "$BASE_DIR/data/source:/build/source" \
    -v "$BASE_DIR/data/cache/cargo-registry:/home/builder/.cargo/registry" \
    -v "$BASE_DIR/data/cache/cargo-git:/home/builder/.cargo/git" \
@@ -179,60 +218,179 @@ if [ "${DO_INIT}" = "1" ] || [ ! -x gen/android/gradlew ]; then
    cargo tauri android init 2>&1 | tail -20
 fi
 # ─── Arch list from BUILD_ARCH env var ───────────────────────────────────
 case "${BUILD_ARCH}" in
    arm64)  ARCHS="arm64" ;;
    armv7)  ARCHS="armv7" ;;
    all)    ARCHS="arm64 armv7" ;;
    *)      ARCHS="arm64" ;;
 esac
 ndk_abi() {
    case "$1" in
        arm64) echo "arm64-v8a" ;;
        armv7) echo "armeabi-v7a" ;;
    esac
 }
 tauri_target() {
    case "$1" in
        arm64) echo "aarch64" ;;
        armv7) echo "armv7" ;;
    esac
 }
 ndk_sysroot_dir() {
    case "$1" in
        arm64) echo "aarch64-linux-android" ;;
        armv7) echo "arm-linux-androideabi" ;;
    esac
 }
 # ─── wzp-native standalone cdylib (built with cargo-ndk, not cargo-tauri) ──
 # Produces libwzp_native.so which wzp-desktop dlopens at runtime via
-# libloading. Split exists because cargo-tauri`s linker wiring pulls
+# libloading. Split exists because cargo-tauri linker wiring pulls
 # bionic private symbols into any cdylib with cc::Build C++, causing
 # __init_tcb+4 SIGSEGV. cargo-ndk uses the same linker path as the
 # legacy wzp-android crate which works.
-echo ">>> cargo ndk build -p wzp-native --release"
+JNILIBS_BASE=gen/android/app/src/main/jniLibs
 JNI_ABI_DIR=gen/android/app/src/main/jniLibs/arm64-v8a
 mkdir -p "$JNI_ABI_DIR"
 (
    cd /build/source
    cargo ndk -t arm64-v8a -o desktop/src-tauri/gen/android/app/src/main/jniLibs \
        build --release -p wzp-native 2>&1 | tail -10
 )
 if [ -f "$JNI_ABI_DIR/libwzp_native.so" ]; then
    ls -lh "$JNI_ABI_DIR/libwzp_native.so"
 else
    echo ">>> WARNING: libwzp_native.so not produced"
 fi
-# ─── libc++_shared.so — required by wzp-native at runtime ──────────────
+for ARCH in $ARCHS; do
-# wzp-native/build.rs uses cpp_link_stdlib(Some("c++_shared")) which adds
+    ABI=$(ndk_abi "$ARCH")
-# a NEEDED entry for libc++_shared.so to libwzp_native.so. cargo-ndk does
+    SYSROOT_DIR=$(ndk_sysroot_dir "$ARCH")
-# NOT copy the actual libc++_shared.so into jniLibs, so unless we copy it
+    JNI_ABI_DIR="$JNILIBS_BASE/$ABI"
-# explicitly, the APK ships without it and the Android dynamic linker
+    mkdir -p "$JNI_ABI_DIR"
-# fails the dlopen with "library libc++_shared.so not found" at runtime.
+
-# Same fix that build-and-notify.sh has had for the legacy wzp-android
+    echo ">>> cargo ndk build -p wzp-native --release -t $ABI"
-# path (lines 126-134 there) — ported here for the Tauri pipeline.
+    (
-# NOTE: no apostrophes in this comment block. The enclosing docker
+        cd /build/source
-# bash -c uses single quotes and a stray apostrophe closes the string
+        cargo ndk -t "$ABI" -o "desktop/src-tauri/$JNILIBS_BASE" \
-# prematurely, breaking variable scope for everything below.
+            build --release -p wzp-native 2>&1 | tail -10
-if [ ! -f "$JNI_ABI_DIR/libc++_shared.so" ]; then
+    )
-    echo ">>> libc++_shared.so missing, copying from NDK..."
+    if [ -f "$JNI_ABI_DIR/libwzp_native.so" ]; then
-    NDK_LIBCXX=$(find "$ANDROID_NDK_HOME" -name "libc++_shared.so" -path "*/aarch64-linux-android/*" | head -1)
+        ls -lh "$JNI_ABI_DIR/libwzp_native.so"
    if [ -n "$NDK_LIBCXX" ]; then
        cp "$NDK_LIBCXX" "$JNI_ABI_DIR/"
        ls -lh "$JNI_ABI_DIR/libc++_shared.so"
    else
-        echo ">>> ERROR: libc++_shared.so not found in NDK — APK will crash at dlopen time"
+        echo ">>> WARNING: libwzp_native.so not produced for $ABI"
        exit 1
    fi
 fi
-echo ">>> cargo tauri android build ${PROFILE_FLAG} --target aarch64 --apk"
+    # ─── libc++_shared.so — required by wzp-native at runtime ────────────
-cargo tauri android build ${PROFILE_FLAG} --target aarch64 --apk
+    # wzp-native/build.rs uses cpp_link_stdlib(Some("c++_shared")) which adds
    # a NEEDED entry for libc++_shared.so to libwzp_native.so. cargo-ndk does
    # NOT copy the actual libc++_shared.so into jniLibs, so unless we copy it
    # explicitly, the APK ships without it and the Android dynamic linker
    # fails the dlopen with "library libc++_shared.so not found" at runtime.
    if [ ! -f "$JNI_ABI_DIR/libc++_shared.so" ]; then
        echo ">>> libc++_shared.so missing for $ABI, copying from NDK..."
        NDK_LIBCXX=$(find "$ANDROID_NDK_HOME" -name "libc++_shared.so" -path "*/${SYSROOT_DIR}/*" | head -1)
        if [ -n "$NDK_LIBCXX" ]; then
            cp "$NDK_LIBCXX" "$JNI_ABI_DIR/"
            ls -lh "$JNI_ABI_DIR/libc++_shared.so"
        else
            echo ">>> ERROR: libc++_shared.so not found in NDK for $ABI — APK will crash at dlopen time"
            exit 1
        fi
    fi
 done
 # ─── Build per-arch APKs ────────────────────────────────────────────────
 # When building for a single arch, only that arch jniLibs dir exists so
 # the APK is naturally single-arch and smaller.
 # When building --arch all, we produce SEPARATE per-arch APKs by:
 #   1. Building each target individually with cargo tauri android build
 #   2. Temporarily hiding the other arch jniLibs so the APK only contains one
 # This keeps APKs small (~15-20MB instead of ~30-40MB for universal).
 APK_OUTPUT_DIR="/build/source/target/apk-output"
 mkdir -p "$APK_OUTPUT_DIR"
 for ARCH in $ARCHS; do
    TARGET=$(tauri_target "$ARCH")
    ABI=$(ndk_abi "$ARCH")
    # If building all, temporarily hide other arches to get single-arch APK
    if [ "${BUILD_ARCH}" = "all" ]; then
        for OTHER_ARCH in $ARCHS; do
            OTHER_ABI=$(ndk_abi "$OTHER_ARCH")
            if [ "$OTHER_ABI" != "$ABI" ] && [ -d "$JNILIBS_BASE/$OTHER_ABI" ]; then
                mv "$JNILIBS_BASE/$OTHER_ABI" "$JNILIBS_BASE/_hide_$OTHER_ABI"
            fi
        done
    fi
    echo ""
    echo ">>> cargo tauri android build ${PROFILE_FLAG} --target $TARGET --apk"
    cargo tauri android build ${PROFILE_FLAG} --target "$TARGET" --apk
    # Copy produced APK with arch suffix
    BUILT_APK=$(find gen/android -name "*.apk" -newer "$APK_OUTPUT_DIR" -type f 2>/dev/null | head -1)
    if [ -z "$BUILT_APK" ]; then
        BUILT_APK=$(find gen/android -name "*.apk" -type f 2>/dev/null | sort -t/ -k1 | tail -1)
    fi
    if [ -n "$BUILT_APK" ]; then
        OUT_APK="$APK_OUTPUT_DIR/wzp-tauri-${ARCH}.apk"
        cp "$BUILT_APK" "$OUT_APK"
        # ─── Sign release APKs with the project keystore ─────────────
        # Release builds are unsigned by default. Sign with the release
        # keystore (checked into the repo at android/keystore/) so the
        # APK can be installed on real devices.
        # Pick keystore + credentials (release preferred, debug fallback)
        KS_RELEASE="/build/source/android/keystore/wzp-release.jks"
        KS_DEBUG="/build/source/android/keystore/wzp-debug.jks"
        if [ -f "$KS_RELEASE" ]; then
            KEYSTORE="$KS_RELEASE"; KS_PASS="wzphone2024"; KS_ALIAS="wzp-release"
        elif [ -f "$KS_DEBUG" ]; then
            KEYSTORE="$KS_DEBUG"; KS_PASS="android"; KS_ALIAS="wzp-debug"
        else
            KEYSTORE=""
        fi
        if [ -n "$KEYSTORE" ]; then
            ZIPALIGN=$(find "$ANDROID_HOME" -name zipalign -type f 2>/dev/null | head -1)
            APKSIGNER=$(find "$ANDROID_HOME" -name apksigner -type f 2>/dev/null | head -1)
            if [ -n "$ZIPALIGN" ] && [ -n "$APKSIGNER" ]; then
                echo ">>> Signing $ARCH APK with $(basename "$KEYSTORE")..."
                ALIGNED="$APK_OUTPUT_DIR/wzp-tauri-${ARCH}-aligned.apk"
                "$ZIPALIGN" -f 4 "$OUT_APK" "$ALIGNED"
                "$APKSIGNER" sign \
                    --ks "$KEYSTORE" \
                    --ks-pass "pass:$KS_PASS" \
                    --ks-key-alias "$KS_ALIAS" \
                    --key-pass "pass:$KS_PASS" \
                    "$ALIGNED"
                mv "$ALIGNED" "$OUT_APK"
                echo ">>> Signed: $(ls -lh "$OUT_APK" | awk "{print \$5}")"
            else
                echo ">>> WARNING: zipalign/apksigner not found — APK is unsigned"
            fi
        else
            echo ">>> WARNING: no keystore found — APK is unsigned"
        fi
        echo ">>> $ARCH APK: $(ls -lh "$OUT_APK" | awk "{print \$5}")"
    fi
    # Restore hidden arches
    if [ "${BUILD_ARCH}" = "all" ]; then
        for OTHER_ARCH in $ARCHS; do
            OTHER_ABI=$(ndk_abi "$OTHER_ARCH")
            if [ "$OTHER_ABI" != "$ABI" ] && [ -d "$JNILIBS_BASE/_hide_$OTHER_ABI" ]; then
                mv "$JNILIBS_BASE/_hide_$OTHER_ABI" "$JNILIBS_BASE/$OTHER_ABI"
            fi
        done
    fi
 done
 echo ""
 echo ">>> Build artifacts:"
-find gen/android -name "*.apk" -exec ls -lh {} \; 2>/dev/null
+ls -lh "$APK_OUTPUT_DIR/"*.apk 2>/dev/null || echo "  (none)"
 '
-# Locate the produced APK
+# ─── Collect and upload APKs ────────────────────────────────────────────
-APK=$(find "$BASE_DIR/data/source/desktop/src-tauri/gen/android" -name "*.apk" -type f 2>/dev/null | head -1)
+# target/ is mounted from cache, not source
-if [ -z "$APK" ] || [ ! -f "$APK" ]; then
+APK_OUTPUT="$BASE_DIR/data/cache/target/apk-output"
 APK_LIST=$(find "$APK_OUTPUT" -name "wzp-tauri-*.apk" -type f 2>/dev/null | sort)
 if [ -z "$APK_LIST" ]; then
    LOG_URL=$(upload_to_rustypaste "$LOG_FILE" || echo "")
    if [ -n "$LOG_URL" ]; then
        notify "WZP Tauri Android build [$GIT_HASH]: no APK produced
@@ -242,35 +400,56 @@ log: $LOG_URL"
    fi
    exit 1
 fi
 APK_SIZE=$(du -h "$APK" | cut -f1)
-RUSTY_URL=$(upload_to_rustypaste "$APK" || echo "")
+# Upload each APK and collect URLs
-if [ -n "$RUSTY_URL" ]; then
+NOTIFY_MSG="WZP Tauri Android build OK [$GIT_HASH] ($BUILD_ARCH)"
-    notify "WZP Tauri Android build OK [$GIT_HASH] ($APK_SIZE)
+APK_PATHS=""
-$RUSTY_URL"
+for APK in $APK_LIST; do
-else
+    APK_NAME=$(basename "$APK")
-    notify "WZP Tauri Android build OK [$GIT_HASH] ($APK_SIZE) — rustypaste upload skipped"
+    APK_SIZE=$(du -h "$APK" | cut -f1)
-fi
+    RUSTY_URL=$(upload_to_rustypaste "$APK" || echo "")
    if [ -n "$RUSTY_URL" ]; then
        NOTIFY_MSG="$NOTIFY_MSG
 $APK_NAME ($APK_SIZE): $RUSTY_URL"
    else
        NOTIFY_MSG="$NOTIFY_MSG
 $APK_NAME ($APK_SIZE) — upload skipped"
    fi
    APK_PATHS="$APK_PATHS $APK"
 done
 notify "$NOTIFY_MSG"
-# Print path so the local script can grab it
+# Print paths so the local script can grab them
-echo "APK_REMOTE_PATH=$APK"
+for APK in $APK_LIST; do
    echo "APK_REMOTE_PATH=$APK"
 done
 REMOTE_SCRIPT
 ssh_cmd "chmod +x /tmp/wzp-tauri-build.sh"
-notify_local "WZP Tauri Android build dispatched (branch=$BRANCH, release=$BUILD_RELEASE)"
+notify_local "WZP Tauri Android build dispatched (branch=$BRANCH, arch=$BUILD_ARCH, release=$BUILD_RELEASE)"
-log "Triggering remote build (branch=$BRANCH)..."
+log "Triggering remote build (branch=$BRANCH, arch=$BUILD_ARCH)..."
-# Run; capture full output, last line is APK_REMOTE_PATH=...
+# Run; last lines are APK_REMOTE_PATH=...  (one per arch)
-REMOTE_OUTPUT=$(ssh_cmd "/tmp/wzp-tauri-build.sh '$BRANCH' '$DO_PULL' '$REBUILD_RUST' '$DO_INIT' '$BUILD_RELEASE'" || true)
+REMOTE_OUTPUT=$(ssh_cmd "/tmp/wzp-tauri-build.sh '$BRANCH' '$DO_PULL' '$REBUILD_RUST' '$DO_INIT' '$BUILD_RELEASE' '$BUILD_ARCH'" || true)
 echo "$REMOTE_OUTPUT" | tail -60
-APK_REMOTE=$(echo "$REMOTE_OUTPUT" | grep '^APK_REMOTE_PATH=' | tail -1 | cut -d= -f2-)
+# Download all produced APKs
-if [ -n "$APK_REMOTE" ]; then
+APK_REMOTES=$(echo "$REMOTE_OUTPUT" | grep '^APK_REMOTE_PATH=' | cut -d= -f2-)
-    log "Downloading APK to $LOCAL_OUTPUT/wzp-tauri.apk..."
+if [ -z "$APK_REMOTES" ]; then
    scp $SSH_OPTS "$REMOTE_HOST:$APK_REMOTE" "$LOCAL_OUTPUT/wzp-tauri.apk"
    echo "  $LOCAL_OUTPUT/wzp-tauri.apk ($(du -h "$LOCAL_OUTPUT/wzp-tauri.apk" | cut -f1))"
 else
    log "No APK produced — see ntfy / remote log /tmp/wzp-tauri-build.log"
    exit 1
 fi
 DOWNLOADED=0
 echo "$APK_REMOTES" | while IFS= read -r APK_REMOTE; do
    [ -z "$APK_REMOTE" ] && continue
    APK_NAME=$(basename "$APK_REMOTE")
    log "Downloading $APK_NAME..."
    scp $SSH_OPTS "$REMOTE_HOST:$APK_REMOTE" "$LOCAL_OUTPUT/$APK_NAME"
    echo "  $LOCAL_OUTPUT/$APK_NAME ($(du -h "$LOCAL_OUTPUT/$APK_NAME" | cut -f1))"
    DOWNLOADED=$((DOWNLOADED + 1))
 done
 log "Done! APKs in $LOCAL_OUTPUT/"
 ls -lh "$LOCAL_OUTPUT"/wzp-tauri-*.apk 2>/dev/null || true
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -0,0 +1,421 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # =============================================================================
 # WZ Phone — unified build script
 #
 # Builds Tauri Android APK and/or Linux x86_64 binaries via Docker on a
 # remote build server. Uploads artifacts, notifies via ntfy.sh/wzp.
 #
 # Two servers:
 #   PRIMARY (default)  SepehrHomeserverdk    paste.dk.manko.yoga   origin (gitea)
 #   ALT (--alt)        manwe@172.16.81.175   paste.tbs.amn.gg      fj (forgejo)
 #
 # Usage:
 #   ./scripts/build.sh                       Android APK (current branch, primary)
 #   ./scripts/build.sh --alt                  Android APK on alt server
 #   ./scripts/build.sh --linux               Linux binaries only
 #   ./scripts/build.sh --all                 Android + Linux
 #   ./scripts/build.sh --branch NAME         Override branch
 #   ./scripts/build.sh --rust                Force Rust rebuild
 #   ./scripts/build.sh --no-pull             Skip git pull
 #   ./scripts/build.sh --init                First-time setup (clone + Docker image)
 #   ./scripts/build.sh --install             Download APK + adb install locally
 #   ./scripts/build.sh --release             Release APK (not debug)
 #   ./scripts/build.sh --android64          Release arm64 APK (shorthand for --android --release)
 # =============================================================================
 NTFY_TOPIC="https://ntfy.sh/wzp"
 LOCAL_OUTPUT="target/tauri-android-apk"
 SSH_BASE_OPTS="-o ConnectTimeout=15 -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o LogLevel=ERROR"
 # ── Server profiles ─────────────────────────────────────────────────────────
 USE_ALT=0
 REBUILD_RUST=0
 DO_PULL=1
 DO_INSTALL=0
 DO_INIT=0
 BUILD_ANDROID=1
 BUILD_LINUX=0
 BUILD_RELEASE=0
 BRANCH=$(git -C "$(dirname "$0")/.." branch --show-current 2>/dev/null || echo "")
 while [ $# -gt 0 ]; do
    case "$1" in
        --alt)      USE_ALT=1 ;;
        --rust)     REBUILD_RUST=1 ;;
        --pull)     DO_PULL=1 ;;
        --no-pull)  DO_PULL=0 ;;
        --install)  DO_INSTALL=1 ;;
        --init)     DO_INIT=1 ;;
        --android)  BUILD_ANDROID=1; BUILD_LINUX=0 ;;
        --android64) BUILD_ANDROID=1; BUILD_LINUX=0; BUILD_RELEASE=1; BRANCH="main" ;;
        --linux)    BUILD_ANDROID=0; BUILD_LINUX=1 ;;
        --all)      BUILD_ANDROID=1; BUILD_LINUX=1 ;;
        --release)  BUILD_RELEASE=1 ;;
        --branch)   shift; BRANCH="$1" ;;
        --branch=*) BRANCH="${1#--branch=}" ;;
        -h|--help)  sed -n '3,22p' "$0"; exit 0 ;;
        *)          echo "Unknown arg: $1"; exit 1 ;;
    esac
    shift
 done
 if [ -z "$BRANCH" ]; then
    echo "ERROR: could not determine target branch (detached HEAD?). Pass --branch NAME."
    exit 1
 fi
 # ── Select server profile ───────────────────────────────────────────────────
 if [ "$USE_ALT" = "1" ]; then
    SERVER_TAG="ALT"
    REMOTE_HOST="manwe@172.16.81.175"
    BASE_DIR="/home/manwe/wzp-builder"
    SSH_OPTS="$SSH_BASE_OPTS"
    GIT_ORIGIN="ssh://git@git.tbs.amn.gg:2222/manawenuz/wzp.git"
    # Alt server uploads directly (no .env file)
    UPLOAD_MODE="direct"
    PASTE_URL="https://paste.tbs.manko.yoga"
    PASTE_AUTH="X2j6szIQaoJGaxZjLkpl3A8IX9/mTkDgdhhgyYFcpaU="
 else
    SERVER_TAG="PRI"
    REMOTE_HOST="SepehrHomeserverdk"
    BASE_DIR="/mnt/storage/manBuilder"
    SSH_OPTS="-A $SSH_BASE_OPTS"
    GIT_ORIGIN=""  # uses existing origin on the remote
    # Primary server uses .env file for rustypaste credentials
    UPLOAD_MODE="envfile"
    PASTE_URL=""
    PASTE_AUTH=""
 fi
 TARGETS=""
 [ "$BUILD_ANDROID" = 1 ] && TARGETS="Android"
 [ "$BUILD_LINUX" = 1 ] && TARGETS="${TARGETS:+$TARGETS + }Linux"
 echo "[$SERVER_TAG] branch: $BRANCH | targets: $TARGETS"
 log() { echo -e "\033[1;36m>>> $*\033[0m"; }
 ssh_cmd() { ssh $SSH_OPTS "$REMOTE_HOST" "$@"; }
 # ── First-time setup (--init) ───────────────────────────────────────────────
 if [ "$DO_INIT" = "1" ]; then
    log "[$SERVER_TAG] First-time setup..."
    ssh_cmd "mkdir -p $BASE_DIR/data/{source,cache/target,cache/cargo-registry,cache/cargo-git,cache/gradle,cache/android-home,cache-linux/target,cache-linux/cargo-registry,cache-linux/cargo-git}"
    if [ -n "$GIT_ORIGIN" ]; then
        log "Cloning from $GIT_ORIGIN..."
        ssh_cmd "if [ ! -d $BASE_DIR/data/source/.git ]; then git clone $GIT_ORIGIN $BASE_DIR/data/source; else echo 'Repo already cloned'; fi"
    fi
    log "Uploading Dockerfile..."
    cat scripts/Dockerfile.android-builder | ssh_cmd "cat > /tmp/Dockerfile.android-builder"
    log "Building Docker image (10-20 min on first run)..."
    ssh_cmd "cd /tmp && docker build -t wzp-android-builder -f Dockerfile.android-builder . 2>&1 | tail -20"
    log "[$SERVER_TAG] Init done! Run without --init to build."
    exit 0
 fi
 # ── Upload remote build script ──────────────────────────────────────────────
 log "[$SERVER_TAG] Uploading build script..."
 ssh_cmd "cat > /tmp/wzp-build.sh" <<REMOTE_SCRIPT
 #!/usr/bin/env bash
 set -euo pipefail
 BASE_DIR="$BASE_DIR"
 NTFY_TOPIC="$NTFY_TOPIC"
 REBUILD_RUST="$REBUILD_RUST"
 DO_PULL="$DO_PULL"
 BRANCH="$BRANCH"
 BUILD_ANDROID="$BUILD_ANDROID"
 BUILD_LINUX="$BUILD_LINUX"
 BUILD_RELEASE="$BUILD_RELEASE"
 SERVER_TAG="$SERVER_TAG"
 UPLOAD_MODE="$UPLOAD_MODE"
 PASTE_URL="$PASTE_URL"
 PASTE_AUTH="$PASTE_AUTH"
 notify() { curl -s -d "\$1" "\$NTFY_TOPIC" > /dev/null 2>&1 || true; }
 # Upload a file; print URL on stdout.
 upload_file() {
    local file="\$1"
    if [ "\$UPLOAD_MODE" = "direct" ]; then
        curl -s -F "file=@\$file" -H "Authorization: \$PASTE_AUTH" "\$PASTE_URL" || echo ""
    else
        local env_file="\$BASE_DIR/.env"
        [ ! -f "\$env_file" ] && { echo ""; return; }
        source "\$env_file"
        if [ -n "\${rusty_address:-}" ] && [ -n "\${rusty_auth_token:-}" ]; then
            curl -s -F "file=@\$file" -H "Authorization: \$rusty_auth_token" "\$rusty_address" || echo ""
        else
            echo ""
        fi
    fi
 }
 trap 'notify "WZP [\$SERVER_TAG] build FAILED [\$BRANCH]! Check /tmp/wzp-build.log"' ERR
 # ── Pull source ─────────────────────────────────────────────────────────
 if [ "\$DO_PULL" = "1" ]; then
    echo ">>> Pulling branch '\$BRANCH' from origin..."
    cd "\$BASE_DIR/data/source"
    git reset --hard HEAD 2>/dev/null || true
    # NOTE: do NOT git clean -fd — it wipes tauri-generated scaffold
    git fetch origin "\$BRANCH" 2>&1 | tail -3
    git checkout "\$BRANCH" 2>/dev/null || git checkout -b "\$BRANCH" "origin/\$BRANCH"
    git reset --hard "origin/\$BRANCH"
    git submodule update --init || true
    echo ">>> HEAD: \$(git rev-parse --short HEAD) — \$(git log -1 --format=%s)"
    # Ensure signing keystores exist. They're gitignored so git reset/clean
    # may delete them. Copy from the persistent cache if available, or warn.
    KS_DIR="\$BASE_DIR/data/source/android/keystore"
    KS_CACHE="\$BASE_DIR/data/keystore"
    mkdir -p "\$KS_DIR"
    if [ -d "\$KS_CACHE" ] && ls "\$KS_CACHE"/*.jks >/dev/null 2>&1; then
        cp -n "\$KS_CACHE"/*.jks "\$KS_DIR/" 2>/dev/null || true
        echo ">>> Keystores synced from cache"
    elif ! ls "\$KS_DIR"/*.jks >/dev/null 2>&1; then
        echo ">>> WARNING: no keystores in \$KS_DIR or \$KS_CACHE — APK will be unsigned!"
    fi
 fi
 GIT_HASH=\$(cd "\$BASE_DIR/data/source" && git rev-parse --short HEAD 2>/dev/null || echo unknown)
 GIT_MSG=\$(cd "\$BASE_DIR/data/source" && git log -1 --pretty=%s 2>/dev/null | head -c 60 || echo "?")
 # ── Clean Rust if requested ─────────────────────────────────────────────
 if [ "\$REBUILD_RUST" = "1" ]; then
    echo ">>> Cleaning Rust targets..."
    rm -rf "\$BASE_DIR/data/cache/target/aarch64-linux-android" \
           "\$BASE_DIR/data/cache/target/armv7-linux-androideabi" \
           "\$BASE_DIR/data/cache/target/i686-linux-android" \
           "\$BASE_DIR/data/cache/target/x86_64-linux-android"
    rm -rf "\$BASE_DIR/data/cache-linux/target/release"
 fi
 # ── Fix perms ───────────────────────────────────────────────────────────
 find "\$BASE_DIR/data/source" "\$BASE_DIR/data/cache" \
    ! -user 1000 -o ! -group 1000 2>/dev/null | \
    xargs -r chown 1000:1000 2>/dev/null || true
 if [ -d "\$BASE_DIR/data/cache-linux" ]; then
    find "\$BASE_DIR/data/cache-linux" \
        ! -user 1000 -o ! -group 1000 2>/dev/null | \
        xargs -r chown 1000:1000 2>/dev/null || true
 fi
 # ── Tauri Android APK ──────────────────────────────────────────────────
 if [ "\$BUILD_ANDROID" = "1" ]; then
    notify "WZP [\$SERVER_TAG] Tauri Android build STARTED [\$BRANCH @ \$GIT_HASH] — \$GIT_MSG"
    echo ">>> Cleaning stale APKs from prior builds..."
    find "\$BASE_DIR/data/source/desktop/src-tauri/gen/android" -name "*.apk" -type f -delete 2>/dev/null || true
    echo ">>> Building Tauri Android APK..."
    PROFILE_FLAG="--debug"
    [ "\$BUILD_RELEASE" = "1" ] && PROFILE_FLAG=""
    mkdir -p "\$BASE_DIR/data/cache/android-home"
    chown 1000:1000 "\$BASE_DIR/data/cache/android-home" 2>/dev/null || true
    docker run --rm --user 1000:1000 \
        -e PROFILE_FLAG="\$PROFILE_FLAG" \
        -v "\$BASE_DIR/data/source:/build/source" \
        -v "\$BASE_DIR/data/cache/cargo-registry:/home/builder/.cargo/registry" \
        -v "\$BASE_DIR/data/cache/cargo-git:/home/builder/.cargo/git" \
        -v "\$BASE_DIR/data/cache/target:/build/source/target" \
        -v "\$BASE_DIR/data/cache/gradle:/home/builder/.gradle" \
        -v "\$BASE_DIR/data/cache/android-home:/home/builder/.android" \
        wzp-android-builder bash -c '
 set -euo pipefail
 cd /build/source/desktop
 echo ">>> npm install"
 npm install --silent 2>&1 | tail -5 || npm install 2>&1 | tail -20
 cd src-tauri
 if [ ! -x gen/android/gradlew ]; then
    echo ">>> cargo tauri android init"
    cargo tauri android init 2>&1 | tail -20
 fi
 echo ">>> cargo ndk build -p wzp-native --release"
 JNI_ABI_DIR=gen/android/app/src/main/jniLibs/arm64-v8a
 mkdir -p "\$JNI_ABI_DIR"
 (
    cd /build/source
    cargo ndk -t arm64-v8a -o desktop/src-tauri/gen/android/app/src/main/jniLibs \
        build --release -p wzp-native 2>&1 | tail -10
 )
 [ -f "\$JNI_ABI_DIR/libwzp_native.so" ] && ls -lh "\$JNI_ABI_DIR/libwzp_native.so"
 if [ ! -f "\$JNI_ABI_DIR/libc++_shared.so" ]; then
    echo ">>> libc++_shared.so missing, copying from NDK..."
    NDK_LIBCXX=\$(find "\$ANDROID_NDK_HOME" -name "libc++_shared.so" -path "*/aarch64-linux-android/*" | head -1)
    if [ -n "\$NDK_LIBCXX" ]; then
        cp "\$NDK_LIBCXX" "\$JNI_ABI_DIR/"
    else
        echo "ERROR: libc++_shared.so not found in NDK"; exit 1
    fi
 fi
 echo ">>> cargo tauri android build \${PROFILE_FLAG} --target aarch64 --apk"
 cargo tauri android build \${PROFILE_FLAG} --target aarch64 --apk
 # ─── Sign the APK ────────────────────────────────────────────────
 # Release builds from cargo-tauri are unsigned. Sign with the project
 # keystore so the APK can be installed on real devices.
 BUILT_APK=\$(find gen/android -name "*.apk" -type f 2>/dev/null | sort -t/ -k1 | tail -1)
 if [ -n "\$BUILT_APK" ]; then
    KS_RELEASE="/build/source/android/keystore/wzp-release.jks"
    KS_DEBUG="/build/source/android/keystore/wzp-debug.jks"
    if [ -f "\$KS_RELEASE" ]; then
        KEYSTORE="\$KS_RELEASE"; KS_PASS="wzphone2024"; KS_ALIAS="wzp-release"
    elif [ -f "\$KS_DEBUG" ]; then
        KEYSTORE="\$KS_DEBUG"; KS_PASS="android"; KS_ALIAS="wzp-debug"
    else
        KEYSTORE=""
    fi
    if [ -n "\$KEYSTORE" ]; then
        ZIPALIGN=\$(find "\$ANDROID_HOME" -name zipalign -type f 2>/dev/null | head -1)
        APKSIGNER=\$(find "\$ANDROID_HOME" -name apksigner -type f 2>/dev/null | head -1)
        if [ -n "\$ZIPALIGN" ] && [ -n "\$APKSIGNER" ]; then
            echo ">>> Signing APK with \$(basename \$KEYSTORE)..."
            ALIGNED="\${BUILT_APK%.apk}-aligned.apk"
            "\$ZIPALIGN" -f 4 "\$BUILT_APK" "\$ALIGNED"
            "\$APKSIGNER" sign \
                --ks "\$KEYSTORE" \
                --ks-pass "pass:\$KS_PASS" \
                --ks-key-alias "\$KS_ALIAS" \
                --key-pass "pass:\$KS_PASS" \
                "\$ALIGNED"
            mv "\$ALIGNED" "\$BUILT_APK"
            echo ">>> Signed: \$(ls -lh \$BUILT_APK | awk "{print \\\$5}")"
        else
            echo ">>> WARNING: zipalign/apksigner not found — APK is unsigned"
        fi
    else
        echo ">>> WARNING: no keystore found — APK is unsigned"
    fi
 fi
 echo ">>> Build artifacts:"
 find gen/android -name "*.apk" -exec ls -lh {} \; 2>/dev/null
 echo "APK_BUILT"
 '
    echo ">>> Uploading APK..."
    # Clean stale APKs from prior builds so find doesn't pick an old
    # debug APK over the fresh release one (or vice versa).
    find "\$BASE_DIR/data/source/desktop/src-tauri/gen/android" -name "*.apk" -type f \
        ! -newer "\$BASE_DIR/data/source/desktop/src-tauri/gen/android/app/build/outputs" \
        -delete 2>/dev/null || true
    # Prefer release APK if it exists, else fall back to debug.
    APK=\$(find "\$BASE_DIR/data/source/desktop/src-tauri/gen/android" -name "*release*.apk" -type f 2>/dev/null | head -1)
    [ -z "\$APK" ] && APK=\$(find "\$BASE_DIR/data/source/desktop/src-tauri/gen/android" -name "*.apk" -type f 2>/dev/null | head -1)
    if [ -n "\$APK" ]; then
        APK_SIZE=\$(du -h "\$APK" | cut -f1)
        URL=\$(upload_file "\$APK")
        echo "APK_URL=\$URL"
        notify "WZP [\$SERVER_TAG] Tauri Android OK [\$BRANCH @ \$GIT_HASH] (\$APK_SIZE)
 \$URL"
        echo ">>> APK: \$URL (\$APK_SIZE)"
    else
        notify "WZP [\$SERVER_TAG] Tauri Android FAILED [\$BRANCH @ \$GIT_HASH] - no APK"
        echo "ERROR: No APK found"; exit 1
    fi
 fi
 # ── Linux x86_64 binaries ───────────────────────────────────────────────
 if [ "\$BUILD_LINUX" = "1" ]; then
    mkdir -p "\$BASE_DIR/data/cache-linux/target" \
             "\$BASE_DIR/data/cache-linux/cargo-registry" \
             "\$BASE_DIR/data/cache-linux/cargo-git"
    notify "WZP [\$SERVER_TAG] Linux x86_64 build STARTED [\$BRANCH @ \$GIT_HASH]..."
    echo ">>> Building Linux binaries..."
    docker run --rm --user 1000:1000 \
        -v "\$BASE_DIR/data/source:/build/source" \
        -v "\$BASE_DIR/data/cache-linux/cargo-registry:/home/builder/.cargo/registry" \
        -v "\$BASE_DIR/data/cache-linux/cargo-git:/home/builder/.cargo/git" \
        -v "\$BASE_DIR/data/cache-linux/target:/build/source/target" \
        wzp-android-builder bash -c '
 set -euo pipefail
 cd /build/source
 echo ">>> Building relay + client + web + bench..."
 cargo build --release --bin wzp-relay --bin wzp-client --bin wzp-web --bin wzp-bench 2>&1 | tail -5
 echo ">>> Building audio client..."
 cargo build --release --bin wzp-client --features audio 2>&1 | tail -3
 cp target/release/wzp-client target/release/wzp-client-audio
 cargo build --release --bin wzp-client 2>&1 | tail -3
 echo ">>> Binaries:"
 ls -lh target/release/wzp-relay target/release/wzp-client target/release/wzp-client-audio target/release/wzp-web target/release/wzp-bench
 echo ">>> Packaging..."
 tar czf /tmp/wzp-linux-x86_64.tar.gz \
    -C target/release wzp-relay wzp-client wzp-client-audio wzp-web wzp-bench
 echo "BINARIES_BUILT"
 '
    echo ">>> Uploading Linux binaries..."
    docker run --rm \
        -v "\$BASE_DIR/data/cache-linux/target:/build/target" \
        wzp-android-builder bash -c \
        "cp /build/target/release/wzp-relay /build/target/release/wzp-client /build/target/release/wzp-client-audio /build/target/release/wzp-web /build/target/release/wzp-bench /tmp/ && tar czf /tmp/wzp-linux-x86_64.tar.gz -C /tmp wzp-relay wzp-client wzp-client-audio wzp-web wzp-bench && cat /tmp/wzp-linux-x86_64.tar.gz" \
        > /tmp/wzp-linux-x86_64.tar.gz
    URL=\$(upload_file /tmp/wzp-linux-x86_64.tar.gz)
    if [ -n "\$URL" ]; then
        echo "LINUX_URL=\$URL"
        notify "WZP [\$SERVER_TAG] Linux x86_64 OK [\$BRANCH @ \$GIT_HASH]
 \$URL"
        echo ">>> Linux binaries: \$URL"
    else
        notify "WZP [\$SERVER_TAG] Linux build FAILED - upload error"
        echo "ERROR: Linux upload failed"; exit 1
    fi
 fi
 echo ">>> All builds complete!"
 REMOTE_SCRIPT
 ssh_cmd "chmod +x /tmp/wzp-build.sh"
 # Run in tmux
 log "[$SERVER_TAG] Starting build in tmux (branch: $BRANCH)..."
 ssh_cmd "tmux kill-session -t wzp-build 2>/dev/null; true"
 ssh_cmd "tmux new-session -d -s wzp-build '/tmp/wzp-build.sh 2>&1 | tee /tmp/wzp-build.log'"
 log "[$SERVER_TAG] Build running! Notification on ntfy.sh/wzp when done."
 echo ""
 echo "  Monitor:  ssh $REMOTE_HOST 'tail -f /tmp/wzp-build.log'"
 echo "  Status:   ssh $REMOTE_HOST 'tail -5 /tmp/wzp-build.log'"
 echo ""
 # Optionally wait and install locally
 if [ "$DO_INSTALL" = "1" ]; then
    log "Waiting for build..."
    while true; do
        sleep 15
        if ssh_cmd "grep -q 'APK_URL\|LINUX_URL\|ERROR\|All builds complete' /tmp/wzp-build.log 2>/dev/null"; then
            break
        fi
    done
    URL=$(ssh_cmd "grep APK_URL /tmp/wzp-build.log | tail -1 | cut -d= -f2")
    if [ -n "$URL" ]; then
        log "Downloading APK..."
        mkdir -p "$LOCAL_OUTPUT"
        curl -s -o "$LOCAL_OUTPUT/wzp-tauri.apk" "$URL"
        log "Installing..."
        adb uninstall com.wzp.phone 2>/dev/null || true
        adb install "$LOCAL_OUTPUT/wzp-tauri.apk"
        log "Done!"
    else
        log "No APK URL found in log"
    fi
 fi
		`@@ -1 +1 @@`
			{"default":{"identifier":"default","description":"Default capability — grants core APIs (events, path, window, app, clipboard) to the main window on every platform we ship to.","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:event:allow-listen","core:event:allow-unlisten","core:event:allow-emit","core:event:allow-emit-to","core:path:default","core:window:default","core:app:default","core:webview:default","shell:default"],"platforms":["linux","macOS","windows","android","iOS"]}}				{"default":{"identifier":"default","description":"Default capability — grants core APIs (events, path, window, app, clipboard) to the main window on every platform we ship to.","local":true,"windows":["main"],"permissions":["core:default","core:event:default","core:event:allow-listen","core:event:allow-unlisten","core:event:allow-emit","core:event:allow-emit-to","core:path:default","core:window:default","core:app:default","core:webview:default","shell:default","notification:default","notification:allow-notify","notification:allow-request-permission","notification:allow-is-permission-granted"],"platforms":["linux","macOS","windows","android","iOS"]}}