fix(client): cap voice.participants + gate unknown channels (SEC-V-03)#467
Merged
Conversation
…-03)
Drop VoiceJoin/Leave/Signal whose `channel_id` is not in
`ServerState.channels`. Cap distinct channels and per-channel
participants in `VoiceState`. Without these gates any signed peer can
flood `WireMessage::VoiceJoin { channel_id, peer_id }` with arbitrary
strings until receiving clients exhaust memory.
## Caps
- `MAX_VOICE_CHANNELS = 256` — outer dimension of `participants`.
- `MAX_PARTICIPANTS_PER_CHANNEL = 256` — inner dimension.
Caps are defensive ceilings, not expected operating points; real
servers run with single-digit voice channels.
## Where
`crates/client/src/listeners.rs` — `process_received_message` Voice*
arms. Channel-existence check reads `ctx.event_state` (the actor that
mirrors materialized `ServerState`); cap check runs inside the voice
mutate to keep insert atomic with the size check.
## Tradeoffs
Runner-up: cap inside `VoiceState` itself (e.g. wrap `participants`
in a capped type). Rejected — the listener already sits at the trust
boundary and owns the existence-vs-cap policy. Pushing into
`VoiceState` would either need passing `ServerState` snapshots into
the actor or duplicating the state read; both worse than two short
selects in the listener.
## Tests (client tier — `crates/client/src/listeners.rs` test mod)
- `voice_join_with_unknown_channel_is_dropped`
- `voice_join_with_known_channel_records_participant` (sanity)
- `voice_join_rejects_when_distinct_channels_at_cap`
- `voice_join_rejects_when_participants_at_cap`
- `voice_leave_with_unknown_channel_is_dropped`
State-machine tier rejected: `VoiceState` lives in the client crate,
not state. Bug is in listener wiring, not pure state logic.
## Verification
Local (sub-PR base = main, CI fires on push):
- `cargo fmt --check` clean
- `cargo clippy --workspace --all-targets -- -D warnings` clean
- `cargo test -p willow-client` 292 passed
- `cargo check -p willow-client --target wasm32-unknown-unknown` clean
Closes #303
https://claude.ai/code/session_014KLEYzesqZwWdFQnUeXtrJ
intendednull
pushed a commit
that referenced
this pull request
Apr 28, 2026
…gates PR #467 (SEC-V-03 voice cap, issue #303) merged into main while this batch was open. It modified the same Voice* listener arms that #253 migrated to warn_if_err. Both changes are independent and compose: - Keep all SEC-V-03 logic from origin/main (drop unknown-channel VoiceJoin/Leave/Signal, cap participants at MAX_VOICE_CHANNELS / MAX_PARTICIPANTS_PER_CHANNEL). - Wrap the final event_broker.do_send(Publish(...)) calls in warn_if_err per #253. cargo check -p willow-client --tests + cargo test -p willow-client both clean (310 passed).
This was referenced Apr 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
what
Drop
VoiceJoin/Leave/Signalwhosechannel_idno inServerState.channels. Cap distinct channels + per-channel participants inVoiceState. Stop signed peer flood arbitrarychannel_idstrings until receiving clients exhaust memory.caps
MAX_VOICE_CHANNELS = 256— outer dim ofparticipantsMAX_PARTICIPANTS_PER_CHANNEL = 256— inner dimDefensive ceiling, no expected operating point. Real servers run single-digit voice channels.
where
crates/client/src/listeners.rs—process_received_messageVoice* arms. Channel-existence check readctx.event_state(actor mirror materializedServerState). Cap check inside voicemutateso size check + insert atomic.tradeoffs
Runner-up: cap inside
VoiceStatetype itself. Rejected — listener already at trust boundary, own existence-vs-cap policy. Pushing intoVoiceStateneed passServerStatesnapshot into actor or dup state read. Both worse than two short selects in listener.tests (client tier)
voice_join_with_unknown_channel_is_droppedvoice_join_with_known_channel_records_participant(sanity)voice_join_rejects_when_distinct_channels_at_capvoice_join_rejects_when_participants_at_capvoice_leave_with_unknown_channel_is_droppedState-tier rejected:
VoiceStatelive in client crate not state. Bug in listener wire, not pure state logic.verify
cargo fmt --checkcleancargo clippy --workspace --all-targets -- -D warningscleancargo test -p willow-client→ 292 passedcargo check -p willow-client --target wasm32-unknown-unknowncleanCloses #303
https://claude.ai/code/session_014KLEYzesqZwWdFQnUeXtrJ
Generated by Claude Code