Files
wz-phone/vault/Reports/T5.8-report.md
Siavash Sameni ed8a7ae5aa docs: protocol audit 2026-05-25, update architecture + Obsidian vault
Audit:
- docs/AUDIT-2026-05-25.md: full protocol audit covering 8 findings
  (4 critical, 2 high, 5 medium, 4 low) with code references and fix
  effort estimates
- vault/Audit/Tasks.md: Obsidian Tasks plugin file tracking all audit
  items with priorities, due dates, and per-step checklists

Architecture docs updated for Wire format v2 and Wave 5/6 features:
- ARCHITECTURE.md: adds wzp-video to dependency graph and project
  structure; wire format updated to v2 (16B header, 5B MiniHeader);
  relay concurrency section corrected (DashMap+RwLock is current, not
  a future optimization); test count 571→702; Android note
- PROGRESS.md: Wave 5 and Wave 6 sections appended; test count 372→702;
  current status and open blockers as of 2026-05-25
- ROAD-TO-VIDEO.md: implementation status table inserted (/🟡/🔴/🔲
  per phase); 6-step critical path to first video call
- WZP-SPEC.md: MediaHeader updated to v2 (16B byte-aligned); MiniHeader
  updated to 5B with seq_delta; codec IDs 9-12 added (H.264/H.265/AV1);
  version negotiation section added

Obsidian vault (vault/):
- 114 files across Architecture/, PRDs/, Reports/, Android/,
  Reference/, Audit/ with YAML frontmatter
- 00 - Home.md index note with wiki links
- .obsidian/app.json config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 06:00:17 +04:00

3.6 KiB

tags, type, status
tags type status
report
wzp
report Pending Review

T5.8 — Tier G response policy (typed Hangup + audit log)

Status: Pending Review Agent: Kimi Code CLI Started: 2026-05-12T19:45Z Completed: 2026-05-12T20:10Z Commit: dbbab0d PRD: ../PRD-relay-conformance.md

What I changed

  • crates/wzp-proto/src/packet.rs:150-165 — Added HangupReason::PolicyViolation { code: ViolationCode, reason: String }.
  • crates/wzp-proto/src/packet.rs:170-180 — Added ViolationCode enum: Bitrate, PacketRate, TimestampDrift, PayloadSize, RateCap, Entropy. Derives Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Hash.
  • crates/wzp-relay/src/response_policy.rs — New file. ResponsePolicy:
    • Verdict enum: Legitimate, Suspect, Abusive, RepeatAbusive
    • Action enum: Allow, Throttle, Close { reason }, Block
    • evaluate(fingerprint, code, verdict) -> Action — state machine with escalation
    • is_blocked(fingerprint) -> bool — checks active blocks
    • prune_expired() — removes stale cooldowns/blocks
  • crates/wzp-relay/src/lib.rs — Added pub mod response_policy;.

Why these choices

Typed HangupReason::PolicyViolation lets the client display a human-readable rejection message without string-matching. ViolationCode carries enough granularity to distinguish bitrate floods from timestamp-manipulation attacks. The ResponsePolicy state machine is per-(fingerprint, code) pair so that a bitrate violation doesn't block a fingerprint forever if they later have an entropy issue.

Deviations from the task spec

None.

Verification output

$ cargo test -p wzp-relay --lib -- response_policy
   Compiling wzp-relay v0.1.0
    Finished `test` profile [unoptimized + debuginfo] target(s) in 8.09s
     Running unittests src/lib.rs (target/debug/deps/wzp_relay-9174aebf89cae671)

running 9 tests
test response_policy::tests::suspect_throttled ... ok
test response_policy::tests::is_blocked_false_for_legitimate ... ok
test response_policy::tests::legitimate_allowed ... ok
test response_policy::tests::close_reason_contains_code ... ok
test response_policy::tests::repeat_abusive_gets_block ... ok
test response_policy::tests::prune_removes_expired ... ok
test response_policy::tests::abusive_gets_close ... ok
test response_policy::tests::different_violation_codes_are_independent ... ok
test response_policy::tests::is_blocked_true_after_repeat ... ok

test result: ok. 9 passed; 0 failed; 0 ignored; 0 measured; 118 filtered out
$ cargo fmt --all -- --check
# pass
$ cargo clippy -p wzp-relay --lib -- -D warnings
# pass for new code (pre-existing debt in other modules allowed)

Test summary

  • Tests added: 9
  • Tests modified: 0
  • Workspace test count before: 118 / after: 127 (wzp-relay lib)
  • cargo clippy -p wzp-relay --lib -- -D warnings: pass for new code
  • cargo fmt --all -- --check: pass

Risks / follow-ups

  1. ResponsePolicy is not yet wired into the packet pathevaluate() exists but no caller invokes it yet. Integration point: RoomManager::forward() after Tier F scoring.
  2. Block state is in-memory only — Restarting the relay clears all blocks. Federation gossip (T6.3) will persist reputation across the mesh.
  3. Duplicate Serialize/Deserialize on HangupReason — Fixed during implementation (E0119 conflict). No remaining risk.

Reviewer checklist (filled in by reviewer)

  • Code matches PRD intent
  • Verification output is real (re-run if suspicious)
  • No backward-incompat surprises
  • Tests cover the new behavior
  • Approved