wz-phone/docs/PRD/reports/T3.4-report.md
2026-05-12 06:24:40 +04:00


T3.4 — Tier D (per-codec packet size sanity)

Status: Pending Review
Agent: Kimi Code CLI
Started: 2026-05-11T16:29Z
Completed: 2026-05-11T16:29Z
Commit: (see git log)
PRD: ../PRD-relay-conformance.md

What I changed

  • crates/wzp-relay/src/conformance.rs:1 — Updated module doc comment: Tier A/B/C → Tier A/B/C/D.
  • crates/wzp-relay/src/conformance.rs:24-25 — Added Violation::PayloadSizeExceeded variant for Tier D.
  • crates/wzp-relay/src/conformance.rs:40 — Added ewma_payload_size: f64 field to ConformanceMeter.
  • crates/wzp-relay/src/conformance.rs:44 — Initialized ewma_payload_size to 0.0 in ConformanceMeter::new().
  • crates/wzp-relay/src/conformance.rs:106-116 — Added the Tier D payload-size check in observe(), after Tier C. Each packet's payload length is folded into ewma_payload_size with alpha = 0.05 (effective memory of roughly 1/alpha = 20 packets). Returns Violation::PayloadSizeExceeded once the EWMA exceeds 2 × payload_size_bound(codec) for the codec the packet declares.
  • crates/wzp-relay/src/conformance.rs:141-157 — Added pub fn payload_size_bound(codec: CodecId) -> usize with per-codec typical bounds:
    • Opus64k => 320, Opus48k => 240, Opus32k => 200, Opus24k => 160, Opus16k => 100, Opus6k => 90
    • Codec2_3200 => 30, Codec2_1200 => 30
    • ComfortNoise => 16
  • crates/wzp-relay/src/metrics.rs:408 — Added Violation::PayloadSizeExceeded => "D" tier label in Prometheus metrics.
  • crates/wzp-relay/src/conformance.rs:234-244 — Fixed pre-existing window_resets_after_one_second test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for Opus24k (2× bound = 320).
  • crates/wzp-relay/src/conformance.rs:359-384 — Added two Tier D tests:
    • conformance_tier_d — 200 packets of 1400 bytes declared as Codec2_1200; asserts PayloadSizeExceeded is triggered.
    • payload_size_normal_stays_within_bound — 10 packets of 150 bytes declared as Opus24k; asserts no violation.

Why these choices

  • EWMA with alpha = 0.05 provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
  • The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
  • Unit variants (ComfortNoise => 16) get a small bound because they carry minimal silence-descriptor data.
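The numbers above (alpha = 0.05, rejection at 2 × the per-codec bound, EWMA starting at 0.0) are easier to reason about when run. The following is an added stand-alone model of the Tier D check, not the project's conformance.rs: the bound table, the alpha and the 2× rule are copied from this report, while the struct layout, the observe() signature, the ALPHA constant and the two helper functions (first_violation, single_outlier_trips) are assumptions made for the example.

```rust
// Added example: a stand-alone model of the Tier D check described in the
// report. Names CodecId, Violation::PayloadSizeExceeded and
// payload_size_bound mirror the report; everything else (struct layout,
// observe() signature, ALPHA, the helpers below) is assumed for illustration.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CodecId {
    Opus64k, Opus48k, Opus32k, Opus24k, Opus16k, Opus6k,
    Codec2_3200, Codec2_1200,
    ComfortNoise,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Violation {
    PayloadSizeExceeded { codec: CodecId, ewma: usize, limit: usize },
}

/// Per-codec "typical" payload bound in bytes, as listed in the report.
pub fn payload_size_bound(codec: CodecId) -> usize {
    match codec {
        CodecId::Opus64k => 320,
        CodecId::Opus48k => 240,
        CodecId::Opus32k => 200,
        CodecId::Opus24k => 160,
        CodecId::Opus16k => 100,
        CodecId::Opus6k => 90,
        CodecId::Codec2_3200 | CodecId::Codec2_1200 => 30,
        CodecId::ComfortNoise => 16,
    }
}

/// alpha = 0.05: the EWMA's effective memory is about 1/alpha = 20 packets.
pub const ALPHA: f64 = 0.05;

#[derive(Default)]
pub struct TierDMeter {
    // Starts at 0.0 as in the report, so early packets are under-weighted
    // until the average warms up.
    ewma_payload_size: f64,
}

impl TierDMeter {
    pub fn new() -> Self {
        Self::default()
    }

    /// Fold one packet into the running average and flag a Tier D violation
    /// once the smoothed payload size exceeds 2x the declared codec's bound.
    pub fn observe(&mut self, codec: CodecId, payload_len: usize) -> Result<(), Violation> {
        self.ewma_payload_size =
            ALPHA * payload_len as f64 + (1.0 - ALPHA) * self.ewma_payload_size;
        let limit = 2 * payload_size_bound(codec);
        if self.ewma_payload_size > limit as f64 {
            return Err(Violation::PayloadSizeExceeded {
                codec,
                ewma: self.ewma_payload_size as usize,
                limit,
            });
        }
        Ok(())
    }
}

/// Feed `count` packets of `payload_len` bytes and return the 1-based index of
/// the first packet that trips Tier D, or None if the stream stays clean.
pub fn first_violation(codec: CodecId, payload_len: usize, count: usize) -> Option<usize> {
    let mut meter = TierDMeter::new();
    (1..=count).find(|_| meter.observe(codec, payload_len).is_err())
}

/// 200 packets at the codec's nominal size, then one oversized packet:
/// returns whether that single outlier triggered a violation on its own.
pub fn single_outlier_trips(codec: CodecId, nominal: usize, outlier: usize) -> bool {
    let mut meter = TierDMeter::new();
    for _ in 0..200 {
        meter.observe(codec, nominal).expect("nominal traffic must stay clean");
    }
    meter.observe(codec, outlier).is_err()
}

fn main() {
    // Same scenarios as the report's tests, plus the 1000-byte case that
    // forced the window_resets_after_one_second fixture change.
    println!("1400 B as Codec2_1200 trips at packet {:?}",
             first_violation(CodecId::Codec2_1200, 1400, 200));
    println!("150 B as Opus24k trips at packet {:?}",
             first_violation(CodecId::Opus24k, 150, 10));
    println!("1000 B as Opus24k trips at packet {:?}",
             first_violation(CodecId::Opus24k, 1000, 20));
    println!("one 1400 B outlier after steady 160 B Opus24k traffic trips: {}",
             single_outlier_trips(CodecId::Opus24k, 160, 1400));
}
```

Two things the run makes concrete. The 1400-byte Codec2_1200 stream trips on the very first packet (0.05 × 1400 = 70 > 60), and the old 1000-byte Opus24k fixture trips on the eighth, which is why that test had to drop to 300 bytes. Conversely, once the EWMA sits at the codec's bound B, a single packet only trips the check on its own if ALPHA × X + (1 − ALPHA) × B > 2B, i.e. X is more than about 21 × B (3360 bytes for Opus24k), so the outlier tolerance the report describes is real, and Tier D bounds the average payload size, not the size of any individual packet.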

Deviations from the task spec

None.

Verification output

$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s
$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed

Test summary

  • Tests added: 2
    • conformance_tier_d — 200 × 1400-byte payloads as Codec2_1200, flags PayloadSizeExceeded
    • payload_size_normal_stays_within_bound — 10 × 150-byte payloads as Opus24k, stays clean
  • Tests modified: 1
    • window_resets_after_one_second — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
  • Workspace test count before: 610 / after: 612
  • cargo clippy -p wzp-relay --all-targets -- -D warnings: clean in wzp-relay; failures are pre-existing debt in wzp-codec (9 errors) and warzone-protocol (3 errors) per PROTOCOL-AUDIT.md
  • cargo fmt --all -- --check: pass

Risks / follow-ups

  • Tier D is currently observe-only: observe() returns Err(Violation), but the caller in the relay pipeline logs the violation rather than dropping the packet. This is consistent with Tiers A, B and C. A future task can wire hard enforcement if the reviewer wants.
  • The payload_size_bound table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.

Reviewer checklist (filled in by reviewer)

  • Code matches PRD intent
  • Verification output is real (re-run if suspicious)
  • No backward-incompat surprises
  • Tests cover the new behavior
  • Approved