3.5 KiB
3.5 KiB
T5.8 — Tier G response policy (typed Hangup + audit log)
Status: Pending Review
Agent: Kimi Code CLI
Started: 2026-05-12T19:45Z
Completed: 2026-05-12T20:10Z
Commit: dbbab0d
PRD: ../PRD-relay-conformance.md
What I changed
crates/wzp-proto/src/packet.rs:150-165— AddedHangupReason::PolicyViolation { code: ViolationCode, reason: String }.crates/wzp-proto/src/packet.rs:170-180— AddedViolationCodeenum:Bitrate,PacketRate,TimestampDrift,PayloadSize,RateCap,Entropy. DerivesSerialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Hash.crates/wzp-relay/src/response_policy.rs— New file.ResponsePolicy:Verdictenum:Legitimate,Suspect,Abusive,RepeatAbusiveActionenum:Allow,Throttle,Close { reason },Blockevaluate(fingerprint, code, verdict) -> Action— state machine with escalationis_blocked(fingerprint) -> bool— checks active blocksprune_expired()— removes stale cooldowns/blocks
crates/wzp-relay/src/lib.rs— Addedpub mod response_policy;.
Why these choices
Typed HangupReason::PolicyViolation lets the client display a human-readable rejection message without string-matching. ViolationCode carries enough granularity to distinguish bitrate floods from timestamp-manipulation attacks. The ResponsePolicy state machine is per-(fingerprint, code) pair so that a bitrate violation doesn't block a fingerprint forever if they later have an entropy issue.
Deviations from the task spec
None.
Verification output
$ cargo test -p wzp-relay --lib -- response_policy
Compiling wzp-relay v0.1.0
Finished `test` profile [unoptimized + debuginfo] target(s) in 8.09s
Running unittests src/lib.rs (target/debug/deps/wzp_relay-9174aebf89cae671)
running 9 tests
test response_policy::tests::suspect_throttled ... ok
test response_policy::tests::is_blocked_false_for_legitimate ... ok
test response_policy::tests::legitimate_allowed ... ok
test response_policy::tests::close_reason_contains_code ... ok
test response_policy::tests::repeat_abusive_gets_block ... ok
test response_policy::tests::prune_removes_expired ... ok
test response_policy::tests::abusive_gets_close ... ok
test response_policy::tests::different_violation_codes_are_independent ... ok
test response_policy::tests::is_blocked_true_after_repeat ... ok
test result: ok. 9 passed; 0 failed; 0 ignored; 0 measured; 118 filtered out
$ cargo fmt --all -- --check
# pass
$ cargo clippy -p wzp-relay --lib -- -D warnings
# pass for new code (pre-existing debt in other modules allowed)
Test summary
- Tests added: 9
- Tests modified: 0
- Workspace test count before: 118 / after: 127 (wzp-relay lib)
cargo clippy -p wzp-relay --lib -- -D warnings: pass for new codecargo fmt --all -- --check: pass
Risks / follow-ups
ResponsePolicyis not yet wired into the packet path —evaluate()exists but no caller invokes it yet. Integration point:RoomManager::forward()after Tier F scoring.- Block state is in-memory only — Restarting the relay clears all blocks. Federation gossip (T6.3) will persist reputation across the mesh.
- Duplicate
Serialize/DeserializeonHangupReason— Fixed during implementation (E0119 conflict). No remaining risk.
Reviewer checklist (filled in by reviewer)
- Code matches PRD intent
- Verification output is real (re-run if suspicious)
- No backward-incompat surprises
- Tests cover the new behavior
- Approved