Skip to content

Integrate community fixes: DevKitC-1 overlay, EngineBridge guard config, pose-WS bearer auth (#1308 #1309 #1310)#1332

Merged
ruvnet merged 8 commits into
mainfrom
integrate/pr-1311-1313
Jul 14, 2026
Merged

Integrate community fixes: DevKitC-1 overlay, EngineBridge guard config, pose-WS bearer auth (#1308 #1309 #1310)#1332
ruvnet merged 8 commits into
mainfrom
integrate/pr-1311-1313

Conversation

@ruvnet

@ruvnet ruvnet commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Integrates three hardware-verified community PRs by @erichkusuki, with post-review fixes.

Included PRs

Merged with merge commits so the original PRs retain authorship and auto-close as merged.

Post-review fixes (this branch)

  • sdkconfig.defaults.devkitc: header build command espressif/idf:v5.2v5.4 — the overlay's own copy-paste command referenced the IDF version this PR removes from the README (source needs esp_driver_uart, IDF ≥5.3)
  • wifi-densepose-engine/src/lib.rs: separated doc comments — set_room_adapter's ADR-150 adapter/witness doc had merged into the new set_multistatic_config doc block
  • UI: stored bearer token now applied at api.service.js module load — initializeServices() and the dashboard tab dispatch their first /api/v1/* requests before QuickSettings.init() runs, so the first requests on every load went out without the Authorization header
  • CHANGELOG entries under Unreleased for all three fixes
  • Version bumps for crates.io publish: wifi-densepose-engine 0.3.0 → 0.3.1 (additive set_multistatic_config), wifi-densepose-sensing-server 0.3.3 → 0.3.4 (no public lib API change; engine_bridge is binary-internal)

Validation (local, Windows)

  • cargo test --workspace --no-default-features --no-fail-fast: 3,458 passed / 0 failed across 168 test binaries
  • python archive/v1/data/proof/verify.py: VERDICT: PASS
  • One earlier run flaked on wifi-densepose-bfld::serialization_throughput::round_trip_through_bytes_remains_constant_time_per_byte — a wall-clock micro-benchmark whose measured ratio swings 0.95×–12.63× across identical runs on Windows; unrelated to these changes (bfld untouched) and green on the final full run

Security note

/api/v1/stream/pose is now reachable without a bearer token when RUVIEW_API_TOKEN is set (browsers cannot attach Authorization to a WS upgrade). This matches the existing /ws/sensing posture. A ticket-based WS auth flow is a candidate follow-up.

🤖 Generated with claude-flow

erichkusuki and others added 8 commits July 11, 2026 13:32
… IDF v5.2 refs to v5.4

The ADR-045 display probe false-positives on display-less
ESP32-S3-DevKitC-1 boards (SH8601 init 'succeeds' against floating
pins), so main.c skips the RuView#893 MGMT+DATA promiscuous upgrade
and CSI yield collapses to 0 pps. sdkconfig.defaults.devkitc compiles
display support out, making has_display constant-false so the #893
upgrade always applies. Hardware-verified on 2x DevKitC-1-N16R8:
0 pps -> steady 40-45 pps.

Also updates the Quick Start build commands and badge from
espressif/idf:v5.2 to v5.4 — current source uses esp_driver_uart
(IDF v5.3+) and no longer builds under v5.2; CI already uses v5.4.

Addresses #1308

Co-Authored-By: claude-flow <ruv@ruv.net>
…Bridge

EngineBridge::new built its own StreamingEngine, whose internal
MultistaticFuser was hardcoded to MultistaticConfig::default() (60 ms
guard) — the #1031/#1049 env overrides only reached the sibling
multistatic_fuser field on AppState, so governed trust cycles failed
against the default guard no matter what the deployment configured.

- wifi-densepose-engine: add StreamingEngine::set_multistatic_config()
- engine_bridge: EngineBridge::new takes Option<MultistaticConfig>
- main.rs: thread the same env-derived config into both fusion paths

Verified on a 2-node ESP32-S3 deployment: the failure message now
reflects the configured guard, and with healthy nodes governed cycles
ran 90 s with zero fusion errors.

Fixes #1309

Co-Authored-By: claude-flow <ruv@ruv.net>
…add UI token field

Browsers cannot attach an Authorization header to a WebSocket upgrade,
so with RUVIEW_API_TOKEN set the Live Demo pose stream at
/api/v1/stream/pose always failed with 401 — the same reason
/ws/sensing is already exempted (see bearer_auth module docs). Adds a
narrow EXEMPT_PATHS list plus a regression test that the exemption
does not leak to other /api/v1/* paths. Query-string tokens remain
rejected (CWE-598 test untouched).

Also adds an 'API Access' bearer-token field to the QuickSettings
panel: ui/services/api.service.js had setAuthToken() but nothing ever
called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call
from the bundled dashboard. The token is stored in localStorage and
applied before the first request.

Fixes #1310

Co-Authored-By: claude-flow <ruv@ruv.net>
- sdkconfig.defaults.devkitc: header build command idf v5.2 -> v5.4
  (source needs esp_driver_uart, IDF >=5.3 — same reason the PR fixed
  the README refs)
- engine/lib.rs: separate doc comments — set_room_adapter's ADR-150
  adapter/witness doc had merged into set_multistatic_config's doc
- ui: apply stored bearer token at api.service.js module load instead
  of QuickSettings.init — services + dashboard tab dispatch their first
  /api/v1/* requests before initializeEnhancements() runs, so the first
  requests on every load went out without the Authorization header
- CHANGELOG: Unreleased entries for #1308/#1309/#1310

Co-Authored-By: claude-flow <ruv@ruv.net>
…r 0.3.4

engine 0.3.1: additive StreamingEngine::set_multistatic_config (#1312)
sensing-server 0.3.4: bearer-auth pose-WS exemption + EngineBridge guard
config threading (#1312, #1313); no public lib API change (engine_bridge
is binary-internal)

Co-Authored-By: claude-flow <ruv@ruv.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment