Files
wz-phone/vault/Reports/T3.4-report.md
Siavash Sameni ed8a7ae5aa docs: protocol audit 2026-05-25, update architecture + Obsidian vault
Audit:
- docs/AUDIT-2026-05-25.md: full protocol audit covering 8 findings
  (4 critical, 2 high, 5 medium, 4 low) with code references and fix
  effort estimates
- vault/Audit/Tasks.md: Obsidian Tasks plugin file tracking all audit
  items with priorities, due dates, and per-step checklists

Architecture docs updated for Wire format v2 and Wave 5/6 features:
- ARCHITECTURE.md: adds wzp-video to dependency graph and project
  structure; wire format updated to v2 (16B header, 5B MiniHeader);
  relay concurrency section corrected (DashMap+RwLock is current, not
  a future optimization); test count 571→702; Android note
- PROGRESS.md: Wave 5 and Wave 6 sections appended; test count 372→702;
  current status and open blockers as of 2026-05-25
- ROAD-TO-VIDEO.md: implementation status table inserted (/🟡/🔴/🔲
  per phase); 6-step critical path to first video call
- WZP-SPEC.md: MediaHeader updated to v2 (16B byte-aligned); MiniHeader
  updated to 5B with seq_delta; codec IDs 9-12 added (H.264/H.265/AV1);
  version negotiation section added

Obsidian vault (vault/):
- 114 files across Architecture/, PRDs/, Reports/, Android/,
  Reference/, Audit/ with YAML frontmatter
- 00 - Home.md index note with wiki links
- .obsidian/app.json config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 06:00:17 +04:00

89 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
tags: [report, wzp]
type: report
status: Pending Review
---
# T3.4 — Tier D (per-codec packet size sanity)
**Status:** Pending Review
**Agent:** Kimi Code CLI
**Started:** 2026-05-11T16:29Z
**Completed:** 2026-05-11T16:29Z
**Commit:** (see git log)
**PRD:** ../PRD-relay-conformance.md
## What I changed
- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C``Tier A/B/C/D`.
- `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D.
- `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`.
- `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`.
- `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds:
- `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90`
- `Codec2_3200 => 30`, `Codec2_1200 => 30`
- `ComfortNoise => 16`
- `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics.
- `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320).
- `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests:
- `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered.
- `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation.
## Why these choices
- EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
- The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
- Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data.
## Deviations from the task spec
None.
## Verification output
```bash
$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok
test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s
```
```bash
$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
```
```bash
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed
```
## Test summary
- Tests added: 2
- `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded`
- `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean
- Tests modified: 1
- `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
- Workspace test count before: 610 / after: 612
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md
- `cargo fmt --all -- --check`: pass
## Risks / follow-ups
- Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers AC. A future task can wire hard enforcement if the reviewer wants.
- The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.
## Reviewer checklist (filled in by reviewer)
- [ ] Code matches PRD intent
- [ ] Verification output is real (re-run if suspicious)
- [ ] No backward-incompat surprises
- [ ] Tests cover the new behavior
- [ ] Approved