--- tags: [report, wzp] type: report status: Pending Review --- # T5.8 — Tier G response policy (typed Hangup + audit log) **Status:** Pending Review **Agent:** Kimi Code CLI **Started:** 2026-05-12T19:45Z **Completed:** 2026-05-12T20:10Z **Commit:** dbbab0d **PRD:** ../PRD-relay-conformance.md ## What I changed - `crates/wzp-proto/src/packet.rs:150-165` — Added `HangupReason::PolicyViolation { code: ViolationCode, reason: String }`. - `crates/wzp-proto/src/packet.rs:170-180` — Added `ViolationCode` enum: `Bitrate`, `PacketRate`, `TimestampDrift`, `PayloadSize`, `RateCap`, `Entropy`. Derives `Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Hash`. - `crates/wzp-relay/src/response_policy.rs` — New file. `ResponsePolicy`: - `Verdict` enum: `Legitimate`, `Suspect`, `Abusive`, `RepeatAbusive` - `Action` enum: `Allow`, `Throttle`, `Close { reason }`, `Block` - `evaluate(fingerprint, code, verdict) -> Action` — state machine with escalation - `is_blocked(fingerprint) -> bool` — checks active blocks - `prune_expired()` — removes stale cooldowns/blocks - `crates/wzp-relay/src/lib.rs` — Added `pub mod response_policy;`. ## Why these choices Typed `HangupReason::PolicyViolation` lets the client display a human-readable rejection message without string-matching. `ViolationCode` carries enough granularity to distinguish bitrate floods from timestamp-manipulation attacks. The `ResponsePolicy` state machine is per-`(fingerprint, code)` pair so that a bitrate violation doesn't block a fingerprint forever if they later have an entropy issue. ## Deviations from the task spec None. ## Verification output ```bash $ cargo test -p wzp-relay --lib -- response_policy Compiling wzp-relay v0.1.0 Finished `test` profile [unoptimized + debuginfo] target(s) in 8.09s Running unittests src/lib.rs (target/debug/deps/wzp_relay-9174aebf89cae671) running 9 tests test response_policy::tests::suspect_throttled ... ok test response_policy::tests::is_blocked_false_for_legitimate ... ok test response_policy::tests::legitimate_allowed ... ok test response_policy::tests::close_reason_contains_code ... ok test response_policy::tests::repeat_abusive_gets_block ... ok test response_policy::tests::prune_removes_expired ... ok test response_policy::tests::abusive_gets_close ... ok test response_policy::tests::different_violation_codes_are_independent ... ok test response_policy::tests::is_blocked_true_after_repeat ... ok test result: ok. 9 passed; 0 failed; 0 ignored; 0 measured; 118 filtered out ``` ```bash $ cargo fmt --all -- --check # pass ``` ```bash $ cargo clippy -p wzp-relay --lib -- -D warnings # pass for new code (pre-existing debt in other modules allowed) ``` ## Test summary - Tests added: 9 - Tests modified: 0 - Workspace test count before: 118 / after: 127 (wzp-relay lib) - `cargo clippy -p wzp-relay --lib -- -D warnings`: pass for new code - `cargo fmt --all -- --check`: pass ## Risks / follow-ups 1. **`ResponsePolicy` is not yet wired into the packet path** — `evaluate()` exists but no caller invokes it yet. Integration point: `RoomManager::forward()` after Tier F scoring. 2. **Block state is in-memory only** — Restarting the relay clears all blocks. Federation gossip (T6.3) will persist reputation across the mesh. 3. **Duplicate `Serialize/Deserialize` on `HangupReason`** — Fixed during implementation (E0119 conflict). No remaining risk. ## Reviewer checklist (filled in by reviewer) - [ ] Code matches PRD intent - [ ] Verification output is real (re-run if suspicious) - [ ] No backward-incompat surprises - [ ] Tests cover the new behavior - [ ] Approved