wz-phone/docs/PRD/reports/T3.4-report.md
2026-05-12 06:24:40 +04:00

# T3.4 — Tier D (per-codec packet size sanity)
**Status:** Pending Review
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T16:29Z
**Completed:** 2026-05-11T16:29Z
**Commit:** (see git log)
**PRD:** ../PRD-relay-conformance.md
## What I changed
- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C` → `Tier A/B/C/D`.
- `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D.
- `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`.
- `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`.
- `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds:
  - `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90`
  - `Codec2_3200 => 30`, `Codec2_1200 => 30`
  - `ComfortNoise => 16`
- `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics.
- `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320).
- `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests:
  - `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered.
  - `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation.
## Why these choices
- EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
- The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
- Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data.
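To make the EWMA arithmetic behind these choices concrete, here is an added stand-alone model of the Tier D check. It is not the `wzp-relay` crate's own code: the `CodecId`, `Violation` and `ConformanceMeter` names follow the report, but their exact shape in the crate is assumed, as is the order "update the EWMA, then compare". The bounds table, `alpha = 0.05` and the `2 × payload_size_bound(codec)` rule come from the report. The `main` drives the three scenarios the report mentions (the two new tests and the 1000-byte payload that tripped the old `window_resets_after_one_second` test) and prints the packet index at which Tier D first fires.

```rust
// Added example modelling the Tier D per-codec payload-size EWMA check.
// Not the wzp-relay crate's code; type shapes are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CodecId {
    Opus64k,
    Opus48k,
    Opus32k,
    Opus24k,
    Opus16k,
    Opus6k,
    Codec2_3200,
    Codec2_1200,
    ComfortNoise,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Violation {
    /// Tier D: smoothed payload size exceeds twice the codec's typical bound.
    PayloadSizeExceeded,
}

/// Typical per-codec payload size in bytes (table taken from the report).
pub fn payload_size_bound(codec: CodecId) -> usize {
    match codec {
        CodecId::Opus64k => 320,
        CodecId::Opus48k => 240,
        CodecId::Opus32k => 200,
        CodecId::Opus24k => 160,
        CodecId::Opus16k => 100,
        CodecId::Opus6k => 90,
        CodecId::Codec2_3200 | CodecId::Codec2_1200 => 30,
        CodecId::ComfortNoise => 16,
    }
}

/// EWMA smoothing factor; 1/alpha gives roughly 20 packets of effective history.
const TIER_D_ALPHA: f64 = 0.05;

#[derive(Debug, Default)]
pub struct ConformanceMeter {
    ewma_payload_size: f64,
}

impl ConformanceMeter {
    pub fn new() -> Self {
        Self { ewma_payload_size: 0.0 }
    }

    /// Feed one packet's declared codec and payload length.
    /// Assumption: the EWMA is updated first, then compared with the limit.
    pub fn observe(&mut self, codec: CodecId, payload_len: usize) -> Result<(), Violation> {
        self.ewma_payload_size = (1.0 - TIER_D_ALPHA) * self.ewma_payload_size
            + TIER_D_ALPHA * payload_len as f64;
        let limit = 2.0 * payload_size_bound(codec) as f64;
        if self.ewma_payload_size > limit {
            return Err(Violation::PayloadSizeExceeded);
        }
        Ok(())
    }

    pub fn ewma_payload_size(&self) -> f64 {
        self.ewma_payload_size
    }
}

/// Drive `n` packets of `len` bytes through a fresh meter and return the
/// 1-based index of the first packet at which Tier D fires, if any.
pub fn first_violation(codec: CodecId, len: usize, n: usize) -> Option<usize> {
    let mut meter = ConformanceMeter::new();
    for i in 1..=n {
        if meter.observe(codec, len).is_err() {
            return Some(i);
        }
    }
    None
}

fn main() {
    // Constructed scenarios mirroring the report's tests.
    println!("Codec2_1200 @ 1400 B x200: {:?}", first_violation(CodecId::Codec2_1200, 1400, 200));
    println!("Opus24k     @  150 B x10:  {:?}", first_violation(CodecId::Opus24k, 150, 10));
    println!("Opus24k     @  300 B x1000:{:?}", first_violation(CodecId::Opus24k, 300, 1000));
    println!("Opus24k     @ 1000 B x100: {:?}", first_violation(CodecId::Opus24k, 1000, 100));
}
```

Since the EWMA starts at `0.0` and climbs as `s · (1 − 0.95ⁿ)` for a constant payload `s`, a stream that stays at or below `2 × bound` can never trip the check, which is why the 300-byte `Opus24k` fixture is safe (limit 320) while the old 1000-byte fixture crosses 320 on the eighth packet. A single oversized outlier after a run of normal frames adds only `0.05 × size` to the average, which is the "one FEC burst does not hard-reject" property the report relies on.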
## Deviations from the task spec
None.
## Verification output
```bash
$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok
test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s
```
```bash
$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
```
```bash
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed
```
## Test summary
- Tests added: 2
  - `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded`
  - `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean
- Tests modified: 1
  - `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
- Workspace test count before: 610 / after: 612
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md
- `cargo fmt --all -- --check`: pass
## Risks / follow-ups
- Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers A through C. A future task can wire hard enforcement if the reviewer wants.
- The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.
## Reviewer checklist (filled in by reviewer)
- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved