fix: Enable stack canaries, heap poisoning, WDT panic; remove dead code

- CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y (buffer overflow detection)
- CONFIG_HEAP_POISONING_LIGHT=y (use-after-free/corruption detection)
- CONFIG_ESP_TASK_WDT_PANIC=y (auto-reboot on hung task)
- Remove unused #include "esp_now.h" (CVE-2025-52471 mitigation)
- Replace hardcoded default IP 192.168.129.11 with 0.0.0.0 in Kconfig

ROADMAP.md

@@ -167,8 +167,11 @@ Note: Promiscuous mode (probe/deauth capture) disabled on original ESP32 — bre
 - [x] Serial console AUTH management
 - [x] Auto-generated auth secret on first boot
 - [x] Pentest completed: 50+ tests, all network-facing tests PASS
-- [ ] Enable stack canaries (`CONFIG_COMPILER_STACK_CHECK_MODE_NORM`)
+- [x] Enable stack canaries (`CONFIG_COMPILER_STACK_CHECK_MODE_NORM`)
-- [ ] Enable heap poisoning (`CONFIG_HEAP_POISONING_LIGHT`)
+- [x] Enable heap poisoning (`CONFIG_HEAP_POISONING_LIGHT`)
+- [x] Enable WDT panic (`CONFIG_ESP_TASK_WDT_PANIC`)
+- [x] Remove unused `#include "esp_now.h"` (CVE-2025-52471 mitigation)
+- [x] Remove hardcoded default IP from Kconfig (use TARGET command)
 - [ ] Multi-target (send data to 2+ UDP destinations)
 
 ## Web Backend (`~/git/esp32-web/`)

TASKS.md

@@ -51,8 +51,11 @@ Tracked separately in `~/git/esp32-web/TASKS.md`. Currently at v0.1.5.
 
 ### P1 - High
 - [x] Test OTA rollback — crasher firmware flashed to amber-maple, bootloader rolled back to v1.11.0 (2026-02-14)
-- [ ] Enable stack canaries: `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y`
+- [x] Enable stack canaries: `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (2026-02-14)
-- [ ] Enable heap poisoning: `CONFIG_HEAP_POISONING_LIGHT=y`
+- [x] Enable heap poisoning: `CONFIG_HEAP_POISONING_LIGHT=y` (2026-02-14)
+- [x] Enable WDT panic: `CONFIG_ESP_TASK_WDT_PANIC=y` (2026-02-14)
+- [x] Remove unused `#include "esp_now.h"` (2026-02-14)
+- [x] Remove hardcoded default IP from Kconfig (2026-02-14)
 
 ### P2 - Normal
 - [ ] Tune presence threshold per room with real-world testing

TODO.md

@@ -3,11 +3,11 @@
 ## Firmware
 
 ### Security (from pentest findings)
-- [ ] Enable `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (stack canaries)
+- [x] Enable `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (stack canaries)
-- [ ] Enable `CONFIG_HEAP_POISONING_LIGHT=y` (heap corruption detection)
+- [x] Enable `CONFIG_HEAP_POISONING_LIGHT=y` (heap corruption detection)
-- [ ] Enable `CONFIG_ESP_TASK_WDT_PANIC=y` (WDT auto-recovery)
+- [x] Enable `CONFIG_ESP_TASK_WDT_PANIC=y` (WDT auto-recovery)
-- [ ] Remove unused `#include "esp_now.h"` from app_main.c
+- [x] Remove unused `#include "esp_now.h"` from app_main.c
-- [ ] Remove hardcoded default IP `192.168.129.11` from binary
+- [x] Remove hardcoded default IP `192.168.129.11` from binary
 - [ ] Flash encryption planning (irreversible eFuse burn)
 - [ ] Secure Boot V2 planning (irreversible eFuse burn)
 - [ ] DTLS for UDP command channel (stretch goal)

get-started/csi_recv_router/main/Kconfig.projbuild

@@ -2,9 +2,10 @@ menu "CSI UDP Configuration"
 
     config CSI_UDP_TARGET_IP
         string "UDP target IP address"
-        default "192.168.129.11"
+        default "0.0.0.0"
         help
             IP address of the host receiving CSI data (e.g., Raspberry Pi).
+            Set to 0.0.0.0 to disable sending until configured via TARGET command.
 
     config CSI_UDP_TARGET_PORT
         int "UDP target port"

get-started/csi_recv_router/main/app_main.c

@@ -28,7 +28,6 @@
 #include "esp_log.h"
 #include "esp_wifi.h"
 #include "esp_netif.h"
-#include "esp_now.h"
 #include "esp_timer.h"
 #include "esp_task_wdt.h"
 #include "esp_pm.h"
@@ -819,8 +818,12 @@ static void udp_socket_init(void)
     s_dest_addr.sin_port = htons(s_target_port);
     inet_pton(AF_INET, s_target_ip, &s_dest_addr.sin_addr);
 
-    ESP_LOGI(TAG, "UDP socket initialized, sending to %s:%d",
+    if (strcmp(s_target_ip, "0.0.0.0") == 0) {
-             s_target_ip, s_target_port);
+        ESP_LOGW(TAG, "No UDP target configured — use TARGET command to set destination");
+    } else {
+        ESP_LOGI(TAG, "UDP socket initialized, sending to %s:%d",
+                 s_target_ip, s_target_port);
+    }
 }
 
 /* --- Ping --- */

get-started/csi_recv_router/sdkconfig.defaults

@@ -14,6 +14,7 @@ CONFIG_ESP_CONSOLE_UART_NUM=0
 CONFIG_CONSOLE_UART_BAUDRATE=921600
 
 CONFIG_ESP_TASK_WDT_TIMEOUT_S=30
+CONFIG_ESP_TASK_WDT_PANIC=y
 
 CONFIG_ESPTOOLPY_MONITOR_BAUD_921600B=y
 CONFIG_ESPTOOLPY_MONITOR_BAUD=921600
@@ -30,6 +31,8 @@ CONFIG_ESP32_WIFI_AMPDU_RX_ENABLED=
 # Compiler options (size optimization saves ~75 KB)
 #
 CONFIG_COMPILER_OPTIMIZATION_SIZE=y
+CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y
+CONFIG_HEAP_POISONING_LIGHT=y
 
 #
 # FreeRTOS

get-started/csi_recv_router/sdkconfig.sample

@@ -435,7 +435,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 #
 # CSI UDP Configuration
 #
-CONFIG_CSI_UDP_TARGET_IP="192.168.129.11"
+CONFIG_CSI_UDP_TARGET_IP="0.0.0.0"
 CONFIG_CSI_UDP_TARGET_PORT=5500
 CONFIG_CSI_CMD_PORT=5501
 CONFIG_CSI_HOSTNAME="your-hostname"