Integrate community fixes: DevKitC-1 overlay, EngineBridge guard config, pose-WS bearer auth (#1308 #1309 #1310)#1332
Merged
Merged
Conversation
… IDF v5.2 refs to v5.4 The ADR-045 display probe false-positives on display-less ESP32-S3-DevKitC-1 boards (SH8601 init 'succeeds' against floating pins), so main.c skips the RuView#893 MGMT+DATA promiscuous upgrade and CSI yield collapses to 0 pps. sdkconfig.defaults.devkitc compiles display support out, making has_display constant-false so the #893 upgrade always applies. Hardware-verified on 2x DevKitC-1-N16R8: 0 pps -> steady 40-45 pps. Also updates the Quick Start build commands and badge from espressif/idf:v5.2 to v5.4 — current source uses esp_driver_uart (IDF v5.3+) and no longer builds under v5.2; CI already uses v5.4. Addresses #1308 Co-Authored-By: claude-flow <ruv@ruv.net>
…Bridge EngineBridge::new built its own StreamingEngine, whose internal MultistaticFuser was hardcoded to MultistaticConfig::default() (60 ms guard) — the #1031/#1049 env overrides only reached the sibling multistatic_fuser field on AppState, so governed trust cycles failed against the default guard no matter what the deployment configured. - wifi-densepose-engine: add StreamingEngine::set_multistatic_config() - engine_bridge: EngineBridge::new takes Option<MultistaticConfig> - main.rs: thread the same env-derived config into both fusion paths Verified on a 2-node ESP32-S3 deployment: the failure message now reflects the configured guard, and with healthy nodes governed cycles ran 90 s with zero fusion errors. Fixes #1309 Co-Authored-By: claude-flow <ruv@ruv.net>
…add UI token field Browsers cannot attach an Authorization header to a WebSocket upgrade, so with RUVIEW_API_TOKEN set the Live Demo pose stream at /api/v1/stream/pose always failed with 401 — the same reason /ws/sensing is already exempted (see bearer_auth module docs). Adds a narrow EXEMPT_PATHS list plus a regression test that the exemption does not leak to other /api/v1/* paths. Query-string tokens remain rejected (CWE-598 test untouched). Also adds an 'API Access' bearer-token field to the QuickSettings panel: ui/services/api.service.js had setAuthToken() but nothing ever called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call from the bundled dashboard. The token is stored in localStorage and applied before the first request. Fixes #1310 Co-Authored-By: claude-flow <ruv@ruv.net>
- sdkconfig.defaults.devkitc: header build command idf v5.2 -> v5.4 (source needs esp_driver_uart, IDF >=5.3 — same reason the PR fixed the README refs) - engine/lib.rs: separate doc comments — set_room_adapter's ADR-150 adapter/witness doc had merged into set_multistatic_config's doc - ui: apply stored bearer token at api.service.js module load instead of QuickSettings.init — services + dashboard tab dispatch their first /api/v1/* requests before initializeEnhancements() runs, so the first requests on every load went out without the Authorization header - CHANGELOG: Unreleased entries for #1308/#1309/#1310 Co-Authored-By: claude-flow <ruv@ruv.net>
This was referenced Jul 14, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Integrates three hardware-verified community PRs by @erichkusuki, with post-review fixes.
Included PRs
WDP_GUARD_INTERVAL_US/WDP_TDM_*into EngineBridge (fixes sensing-server: EngineBridge ignores WDP_GUARD_INTERVAL_US/WDP_TDM_* — governed trust cycles always use the hardcoded 60 ms guard #1309)/api/v1/stream/poseWS from bearer auth + UI token field (fixes sensing-server: /api/v1/stream/pose WebSocket is unreachable when RUVIEW_API_TOKEN is set (browsers cannot send Authorization on WS upgrade) #1310)Merged with merge commits so the original PRs retain authorship and auto-close as merged.
Post-review fixes (this branch)
sdkconfig.defaults.devkitc: header build commandespressif/idf:v5.2→v5.4— the overlay's own copy-paste command referenced the IDF version this PR removes from the README (source needsesp_driver_uart, IDF ≥5.3)wifi-densepose-engine/src/lib.rs: separated doc comments —set_room_adapter's ADR-150 adapter/witness doc had merged into the newset_multistatic_configdoc blockapi.service.jsmodule load —initializeServices()and the dashboard tab dispatch their first/api/v1/*requests beforeQuickSettings.init()runs, so the first requests on every load went out without the Authorization headerwifi-densepose-engine0.3.0 → 0.3.1 (additiveset_multistatic_config),wifi-densepose-sensing-server0.3.3 → 0.3.4 (no public lib API change;engine_bridgeis binary-internal)Validation (local, Windows)
cargo test --workspace --no-default-features --no-fail-fast: 3,458 passed / 0 failed across 168 test binariespython archive/v1/data/proof/verify.py: VERDICT: PASSwifi-densepose-bfld::serialization_throughput::round_trip_through_bytes_remains_constant_time_per_byte— a wall-clock micro-benchmark whose measured ratio swings 0.95×–12.63× across identical runs on Windows; unrelated to these changes (bfld untouched) and green on the final full runSecurity note
/api/v1/stream/poseis now reachable without a bearer token whenRUVIEW_API_TOKENis set (browsers cannot attach Authorization to a WS upgrade). This matches the existing/ws/sensingposture. A ticket-based WS auth flow is a candidate follow-up.🤖 Generated with claude-flow