--- tags: [report, wzp] type: report status: Pending Review --- # T3.4 — Tier D (per-codec packet size sanity) **Status:** Pending Review **Agent:** Kimi Code CLI **Started:** 2026-05-11T16:29Z **Completed:** 2026-05-11T16:29Z **Commit:** (see git log) **PRD:** ../PRD-relay-conformance.md ## What I changed - `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C` → `Tier A/B/C/D`. - `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D. - `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`. - `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`. - `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`. - `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds: - `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90` - `Codec2_3200 => 30`, `Codec2_1200 => 30` - `ComfortNoise => 16` - `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics. - `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320). - `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests: - `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered. - `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation. ## Why these choices - EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject. - The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector. - Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data. ## Deviations from the task spec None. ## Verification output ```bash $ cargo test -p wzp-relay conformance_tier_d running 1 test test conformance::tests::conformance_tier_d ... ok test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s ``` ```bash $ cargo test -p wzp-relay --lib running 88 tests ... test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s ``` ```bash $ cargo test --workspace --exclude wzp-android --no-fail-fast ... (all crates pass) Total: 612 passed; 0 failed ``` ## Test summary - Tests added: 2 - `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded` - `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean - Tests modified: 1 - `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit - Workspace test count before: 610 / after: 612 - `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md - `cargo fmt --all -- --check`: pass ## Risks / follow-ups - Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers A–C. A future task can wire hard enforcement if the reviewer wants. - The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning. ## Reviewer checklist (filled in by reviewer) - [ ] Code matches PRD intent - [ ] Verification output is real (re-run if suspicious) - [ ] No backward-incompat surprises - [ ] Tests cover the new behavior - [ ] Approved