Files
wz-phone/docs/PRD/reports/T5.8-report.md

3.5 KiB

T5.8 — Tier G response policy (typed Hangup + audit log)

Status: Pending Review Agent: Kimi Code CLI Started: 2026-05-12T19:45Z Completed: 2026-05-12T20:10Z Commit: dbbab0d PRD: ../PRD-relay-conformance.md

What I changed

  • crates/wzp-proto/src/packet.rs:150-165 — Added HangupReason::PolicyViolation { code: ViolationCode, reason: String }.
  • crates/wzp-proto/src/packet.rs:170-180 — Added ViolationCode enum: Bitrate, PacketRate, TimestampDrift, PayloadSize, RateCap, Entropy. Derives Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Hash.
  • crates/wzp-relay/src/response_policy.rs — New file. ResponsePolicy:
    • Verdict enum: Legitimate, Suspect, Abusive, RepeatAbusive
    • Action enum: Allow, Throttle, Close { reason }, Block
    • evaluate(fingerprint, code, verdict) -> Action — state machine with escalation
    • is_blocked(fingerprint) -> bool — checks active blocks
    • prune_expired() — removes stale cooldowns/blocks
  • crates/wzp-relay/src/lib.rs — Added pub mod response_policy;.

Why these choices

Typed HangupReason::PolicyViolation lets the client display a human-readable rejection message without string-matching. ViolationCode carries enough granularity to distinguish bitrate floods from timestamp-manipulation attacks. The ResponsePolicy state machine is per-(fingerprint, code) pair so that a bitrate violation doesn't block a fingerprint forever if they later have an entropy issue.

Deviations from the task spec

None.

Verification output

$ cargo test -p wzp-relay --lib -- response_policy
   Compiling wzp-relay v0.1.0
    Finished `test` profile [unoptimized + debuginfo] target(s) in 8.09s
     Running unittests src/lib.rs (target/debug/deps/wzp_relay-9174aebf89cae671)

running 9 tests
test response_policy::tests::suspect_throttled ... ok
test response_policy::tests::is_blocked_false_for_legitimate ... ok
test response_policy::tests::legitimate_allowed ... ok
test response_policy::tests::close_reason_contains_code ... ok
test response_policy::tests::repeat_abusive_gets_block ... ok
test response_policy::tests::prune_removes_expired ... ok
test response_policy::tests::abusive_gets_close ... ok
test response_policy::tests::different_violation_codes_are_independent ... ok
test response_policy::tests::is_blocked_true_after_repeat ... ok

test result: ok. 9 passed; 0 failed; 0 ignored; 0 measured; 118 filtered out
$ cargo fmt --all -- --check
# pass
$ cargo clippy -p wzp-relay --lib -- -D warnings
# pass for new code (pre-existing debt in other modules allowed)

Test summary

  • Tests added: 9
  • Tests modified: 0
  • Workspace test count before: 118 / after: 127 (wzp-relay lib)
  • cargo clippy -p wzp-relay --lib -- -D warnings: pass for new code
  • cargo fmt --all -- --check: pass

Risks / follow-ups

  1. ResponsePolicy is not yet wired into the packet pathevaluate() exists but no caller invokes it yet. Integration point: RoomManager::forward() after Tier F scoring.
  2. Block state is in-memory only — Restarting the relay clears all blocks. Federation gossip (T6.3) will persist reputation across the mesh.
  3. Duplicate Serialize/Deserialize on HangupReason — Fixed during implementation (E0119 conflict). No remaining risk.

Reviewer checklist (filled in by reviewer)

  • Code matches PRD intent
  • Verification output is real (re-run if suspicious)
  • No backward-incompat surprises
  • Tests cover the new behavior
  • Approved