# T3.4 — Tier D (per-codec packet size sanity)

- Status: Pending Review
- Agent: Kimi Code CLI
- Started: 2026-05-11T16:29Z
- Completed: 2026-05-11T16:29Z
- Commit: (see git log)
- PRD: ../PRD-relay-conformance.md
## What I changed

- `crates/wzp-relay/src/conformance.rs:1` — Updated module doc comment: `Tier A/B/C` → `Tier A/B/C/D`.
- `crates/wzp-relay/src/conformance.rs:24-25` — Added `Violation::PayloadSizeExceeded` variant for Tier D.
- `crates/wzp-relay/src/conformance.rs:40` — Added `ewma_payload_size: f64` field to `ConformanceMeter`.
- `crates/wzp-relay/src/conformance.rs:44` — Initialized `ewma_payload_size` to `0.0` in `ConformanceMeter::new()`.
- `crates/wzp-relay/src/conformance.rs:106-116` — Added Tier D payload-size EWMA check in `observe()` after Tier C. Uses `alpha = 0.05` (~20-packet smoothing). Rejects if EWMA exceeds `2 × payload_size_bound(codec)`.
- `crates/wzp-relay/src/conformance.rs:141-157` — Added `pub fn payload_size_bound(codec: CodecId) -> usize` with per-codec typical bounds: `Opus64k => 320`, `Opus48k => 240`, `Opus32k => 200`, `Opus24k => 160`, `Opus16k => 100`, `Opus6k => 90`, `Codec2_3200 => 30`, `Codec2_1200 => 30`, `ComfortNoise => 16`.
- `crates/wzp-relay/src/metrics.rs:408` — Added `Violation::PayloadSizeExceeded => "D"` tier label in Prometheus metrics.
- `crates/wzp-relay/src/conformance.rs:234-244` — Fixed pre-existing `window_resets_after_one_second` test: reduced payload from 1000 bytes to 300 bytes so it no longer trips the new Tier D limit for `Opus24k` (2× bound = 320).
- `crates/wzp-relay/src/conformance.rs:359-384` — Added two Tier D tests:
  - `conformance_tier_d` — 200 packets of 1400 bytes declared as `Codec2_1200`; asserts `PayloadSizeExceeded` is triggered.
  - `payload_size_normal_stays_within_bound` — 10 packets of 150 bytes declared as `Opus24k`; asserts no violation.
## Why these choices

- EWMA with `alpha = 0.05` provides roughly 20-packet smoothing. This is tight enough to catch sustained abuse (1400-byte frames for a 30-byte codec) within a handful of packets, but loose enough that a single legitimate outlier (e.g., an FEC burst) won't immediately hard-reject.
- The check runs after Tier A/B/C so that the more established bitrate and packet-rate guards still fire first on obvious abuse. Tier D catches the case where an attacker keeps packet count and bitrate low but inflates individual payload sizes — the classic "tunnel large blobs through few packets" vector.
- Unit variants (`ComfortNoise => 16`) get a small bound because they carry minimal silence-descriptor data.
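Added illustration, not the wzp-relay code: a stand-alone Rust model of the Tier D check as described above. `CodecId`, `Violation` and `TierDMeter` are simplified stand-ins for the crate's own types, `BOUND_MULTIPLIER` and the helper `first_violation_index` are assumptions introduced here, and the bounds table is copied from the `payload_size_bound` list in this report. It shows the three behaviours the rationale relies on: sustained oversize frames trip quickly, normal traffic stays clean, and one outlier after a run of normal packets is absorbed by the smoothing.

```rust
// Stand-alone model of the Tier D payload-size EWMA check.
// Added example; not the wzp-relay implementation. Only Tier D is modelled.

/// Codec identifiers, matching the payload_size_bound table in the report.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CodecId {
    Opus64k,
    Opus48k,
    Opus32k,
    Opus24k,
    Opus16k,
    Opus6k,
    Codec2_3200,
    Codec2_1200,
    ComfortNoise,
}

/// Only the Tier D variant is modelled (the crate's enum also carries A/B/C).
#[derive(Debug, PartialEq)]
pub enum Violation {
    PayloadSizeExceeded { ewma: f64, bound: usize },
}

/// Smoothing factor from the report: alpha = 0.05, a ~20-packet time constant.
pub const ALPHA: f64 = 0.05;
/// Assumed name for the "2 x bound" rejection threshold described in the report.
pub const BOUND_MULTIPLIER: f64 = 2.0;

/// Typical per-packet payload bounds in bytes, as listed in the report.
pub fn payload_size_bound(codec: CodecId) -> usize {
    match codec {
        CodecId::Opus64k => 320,
        CodecId::Opus48k => 240,
        CodecId::Opus32k => 200,
        CodecId::Opus24k => 160,
        CodecId::Opus16k => 100,
        CodecId::Opus6k => 90,
        CodecId::Codec2_3200 => 30,
        CodecId::Codec2_1200 => 30,
        CodecId::ComfortNoise => 16,
    }
}

/// Per-stream state: the EWMA of observed payload sizes, initialised to 0.0.
#[derive(Debug, Default)]
pub struct TierDMeter {
    ewma_payload_size: f64,
}

impl TierDMeter {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn ewma(&self) -> f64 {
        self.ewma_payload_size
    }

    /// Fold one packet into the EWMA, then compare against 2 x bound(codec).
    pub fn observe(&mut self, codec: CodecId, payload_len: usize) -> Result<(), Violation> {
        self.ewma_payload_size =
            ALPHA * payload_len as f64 + (1.0 - ALPHA) * self.ewma_payload_size;
        let bound = payload_size_bound(codec);
        if self.ewma_payload_size > BOUND_MULTIPLIER * bound as f64 {
            return Err(Violation::PayloadSizeExceeded {
                ewma: self.ewma_payload_size,
                bound,
            });
        }
        Ok(())
    }
}

/// Feed a sequence of payload lengths through a fresh meter and return the
/// index of the first packet that trips Tier D, or None if the stream stays clean.
pub fn first_violation_index(codec: CodecId, payload_lens: &[usize]) -> Option<usize> {
    let mut meter = TierDMeter::new();
    payload_lens
        .iter()
        .position(|&len| meter.observe(codec, len).is_err())
}

fn main() {
    // Sustained abuse: 1400-byte frames on a 30-byte codec trip on the very first
    // packet, because 0.05 * 1400 = 70 already exceeds 2 * 30 = 60.
    println!("{:?}", first_violation_index(CodecId::Codec2_1200, &[1400; 200]));
    // Normal traffic stays clean (constructed input: 10 packets of 150 bytes).
    println!("{:?}", first_violation_index(CodecId::Opus24k, &[150; 10]));
    // One 1000-byte outlier after 20 normal packets is absorbed by the smoothing.
    let mut burst = vec![150; 20];
    burst.push(1000);
    println!("{:?}", first_violation_index(CodecId::Opus24k, &burst));
}
```

Because the EWMA starts at zero, the number of packets needed to trip is `n` such that `len * (1 - 0.95^n) > 2 * bound`; for 1400-byte frames declared as `Opus24k` (threshold 320) that is the sixth packet, which is the "handful of packets" the rationale refers to.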
## Deviations from the task spec

None.
## Verification output

```text
$ cargo test -p wzp-relay conformance_tier_d
running 1 test
test conformance::tests::conformance_tier_d ... ok
test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 87 filtered out; finished in 0.00s

$ cargo test -p wzp-relay --lib
running 88 tests
...
test result: ok. 88 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.01s

$ cargo test --workspace --exclude wzp-android --no-fail-fast
... (all crates pass)
Total: 612 passed; 0 failed
```
## Test summary

- Tests added: 2
  - `conformance_tier_d` — 200 × 1400-byte payloads as `Codec2_1200`, flags `PayloadSizeExceeded`
  - `payload_size_normal_stays_within_bound` — 10 × 150-byte payloads as `Opus24k`, stays clean
- Tests modified: 1
  - `window_resets_after_one_second` — reduced payload size from 1000 → 300 bytes to avoid tripping new Tier D limit
- Workspace test count before: 610 / after: 612
- `cargo clippy -p wzp-relay --all-targets -- -D warnings`: clean in `wzp-relay`; failures are pre-existing debt in `wzp-codec` (9 errors) and `warzone-protocol` (3 errors) per PROTOCOL-AUDIT.md
- `cargo fmt --all -- --check`: pass
## Risks / follow-ups

- Tier D is currently observe-only (returns `Err(Violation)` but the caller in the relay pipeline logs the violation rather than dropping the packet). This is consistent with Tiers A–C. A future task can wire hard enforcement if the reviewer wants.
- The `payload_size_bound` table is empirical. If codec implementations change frame packing or add new metadata headers, these bounds may need tuning.
## Reviewer checklist (filled in by reviewer)

- Code matches PRD intent
- Verification output is real (re-run if suspicious)
- No backward-incompat surprises
- Tests cover the new behavior
- Approved