Audit:
- docs/AUDIT-2026-05-25.md: full protocol audit covering 8 findings (4 critical, 2 high, 5 medium, 4 low) with code references and fix effort estimates
- vault/Audit/Tasks.md: Obsidian Tasks plugin file tracking all audit items with priorities, due dates, and per-step checklists

Architecture docs updated for Wire format v2 and Wave 5/6 features:
- ARCHITECTURE.md: adds wzp-video to dependency graph and project structure; wire format updated to v2 (16B header, 5B MiniHeader); relay concurrency section corrected (DashMap+RwLock is current, not a future optimization); test count 571→702; Android note
- PROGRESS.md: Wave 5 and Wave 6 sections appended; test count 372→702; current status and open blockers as of 2026-05-25
- ROAD-TO-VIDEO.md: implementation status table inserted (✅/🟡/🔴/🔲 per phase); 6-step critical path to first video call
- WZP-SPEC.md: MediaHeader updated to v2 (16B byte-aligned); MiniHeader updated to 5B with seq_delta; codec IDs 9-12 added (H.264/H.265/AV1); version negotiation section added

Obsidian vault (vault/):
- 114 files across Architecture/, PRDs/, Reports/, Android/, Reference/, Audit/ with YAML frontmatter
- 00 - Home.md index note with wiki links
- .obsidian/app.json config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| tags | type | status |
|---|---|---|
| | report | Pending Review |
T3.5 — Tier E (per-fingerprint token bucket)
- Status: Pending Review
- Agent: Kimi Code CLI
- Started: 2026-05-11T16:29Z
- Completed: 2026-05-11T16:29Z
- Commit: (see git log)
- PRD: ../PRD-relay-conformance.md
What I changed
- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc: Tier A/B/C/D → Tier A/B/C/D/E.
- `crates/wzp-relay/src/conformance.rs:26-27` — Added `Violation::RateCapExceeded` variant for Tier E.
- `crates/wzp-relay/src/conformance.rs:30-76` — Added `TokenBucket` struct with:
  - `capacity: u64`, `tokens: f64`, `refill_per_sec: u64`, `last_refill: Instant`
  - `new(capacity, refill_per_sec)` constructor
  - `for_audio_session()` factory: 256 kbps cap, 30 s @ 2× burst = 1_920_000 byte capacity
  - `try_consume(bytes, now)` — refills based on elapsed time, then deducts cost
- `crates/wzp-relay/src/conformance.rs:84-85` — Added `token_bucket: Option<TokenBucket>` to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:97-102` — Added `ConformanceMeter::with_token_bucket(bucket)` constructor.
- `crates/wzp-relay/src/conformance.rs:130-137` — Wired Tier E check into `observe()`: after Tier D, if a token bucket is present, attempt to consume the full wire size; return `Err(Violation::RateCapExceeded)` on exhaustion.
- `crates/wzp-relay/src/metrics.rs:409` — Added `Violation::RateCapExceeded => "E"` tier label.
- `crates/wzp-relay/src/room.rs:762-785` — Updated `run_participant()` signature to accept `is_authenticated: bool` and forward it to both plain and trunked loops.
- `crates/wzp-relay/src/room.rs:807-814` — Plain loop: creates `ConformanceMeter::with_token_bucket(TokenBucket::for_audio_session())` for all participants (authed and anon share the same per-session audio cap).
- `crates/wzp-relay/src/room.rs:1042-1044` — Trunked loop: same token-bucket meter setup.
- `crates/wzp-relay/src/main.rs:2028` — Call site passes `authenticated_fp.is_some()` into `run_participant()`.
- `crates/wzp-relay/src/conformance.rs:470-528` — Added 5 Tier E tests:
  - `token_bucket_small_burst_ok` — 50 KB inside 100 KB cap succeeds
  - `token_bucket_large_burst_fails` — 1 MB exceeds 100 KB cap
  - `token_bucket_refills_over_time` — drain, wait 1 s, consume refilled amount
  - `token_bucket_sustained_rate_balanced` — 32 KB/s for 5 s stays balanced
  - `conformance_tier_e_integration` — meter with 1_000-byte bucket, two 500-byte packets OK, third packet triggers `RateCapExceeded`
Why these choices
- Used `f64` for internal token tracking so fractional refills across sub-second intervals are accurate. The public API still speaks in whole bytes.
- Both authenticated and anonymous participants get the same per-session audio cap (256 kbps / 1.92 MB burst). The spec's authed/anon split applies to the monthly quota (50 GB vs 1 GB), which is a separate accounting concern not covered by the per-session token bucket. Passing `is_authenticated` through the call chain makes it easy to add monthly-quota wiring later.
- Tier E runs after Tiers A–D so the cheaper checks still fire first on obvious abuse, while the token bucket catches the "low packet count, high burst size" tunneling vector.
Deviations from the task spec
- The spec's `TokenBucket` sketch used `AtomicU64` for `tokens` and `last_refill`. Since each `ConformanceMeter` (and its bucket) is owned by a single tokio task (the per-participant forwarding loop), atomics are unnecessary. I used plain `f64`/`Instant` fields instead.
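As an added illustration (not the wzp-relay source), a stand-alone Rust sketch of the bucket as described in the sections above: f64 tokens, refill on elapsed time, no atomics because one task owns it, and the 1_000-byte integration case replayed. The `now` parameter on `new`/`for_audio_session`, the `available()` accessor and `tier_e_integration_case()` are assumptions added so the bucket can be driven with explicit timestamps.

```rust
use std::time::Instant;

/// Per-session byte-rate limiter (illustrative, not the project's code).
/// Tokens are bytes; f64 keeps sub-second refills exact.
pub struct TokenBucket {
    capacity: u64,
    tokens: f64,
    refill_per_sec: u64,
    last_refill: Instant,
}

impl TokenBucket {
    /// Starts full, so a session may burst up to `capacity` bytes at once.
    /// `now` is an assumption here: the report's constructor has no clock argument.
    pub fn new(capacity: u64, refill_per_sec: u64, now: Instant) -> Self {
        TokenBucket { capacity, tokens: capacity as f64, refill_per_sec, last_refill: now }
    }

    /// 256 kbps audio cap with a 30 s @ 2x burst allowance:
    /// 32_000 B/s refill, 1_920_000 B capacity.
    pub fn for_audio_session(now: Instant) -> Self {
        let bytes_per_sec = 256_000 / 8;
        Self::new(bytes_per_sec * 30 * 2, bytes_per_sec, now)
    }

    /// Refill for the time elapsed since the last call, then try to pay `bytes`.
    /// Returns false (and deducts nothing) when the packet is not covered.
    pub fn try_consume(&mut self, bytes: u64, now: Instant) -> bool {
        let elapsed = now.saturating_duration_since(self.last_refill).as_secs_f64();
        let refilled = self.tokens + elapsed * self.refill_per_sec as f64;
        self.tokens = refilled.min(self.capacity as f64);
        self.last_refill = now;
        if self.tokens >= bytes as f64 {
            self.tokens -= bytes as f64;
            true
        } else {
            false
        }
    }

    /// Whole bytes currently available (assumed accessor).
    pub fn available(&self) -> u64 {
        self.tokens as u64
    }
}

/// Replays the report's integration case: 1_000-byte bucket, no refill,
/// two 500-byte packets pass and the third is the first Tier E violation.
pub fn tier_e_integration_case() -> Vec<bool> {
    let t0 = Instant::now();
    let mut bucket = TokenBucket::new(1_000, 0, t0);
    (0..3).map(|_| bucket.try_consume(500, t0)).collect()
}
```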
Verification output
$ cargo test -p wzp-relay token_bucket
running 4 tests
test conformance::tests::token_bucket_large_burst_fails ... ok
test conformance::tests::token_bucket_refills_over_time ... ok
test conformance::tests::token_bucket_small_burst_ok ... ok
test conformance::tests::token_bucket_sustained_rate_balanced ... ok
test result: ok. 4 passed; 0 failed; 0 ignored; 0 measured; 89 filtered out; finished in 0.00s
$ cargo test -p wzp-relay --lib
running 93 tests
...
test result: ok. 93 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s
$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 617 passed; 0 failed
Test summary
- Tests added: 5
  - `token_bucket_small_burst_ok`
  - `token_bucket_large_burst_fails`
  - `token_bucket_refills_over_time`
  - `token_bucket_sustained_rate_balanced`
  - `conformance_tier_e_integration`
- Tests modified: 0
- Workspace test count before: 612 / after: 617
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors)
- `cargo fmt --all -- --check`: pass
Risks / follow-ups
- Monthly byte quota (50 GB authed / 1 GB anon) is not yet implemented. The `is_authenticated` flag is now threaded through the forwarding loop so a future task can add a per-fingerprint monthly counter alongside the per-session token bucket.
- Video sessions will need `TokenBucket::for_video_session()` (5 Mbps cap) once video forwarding loops land in Wave 4.
- Tier E is observe-only, consistent with Tiers A–D. Hard enforcement (packet drop or session close) can be wired later if the reviewer wants.
Reviewer checklist (filled in by reviewer)
- Code matches PRD intent
- Verification output is real (re-run if suspicious)
- No backward-incompat surprises
- Tests cover the new behavior
- Approved