docs: Update cheatsheet for security hardening changes

- HMAC protocol: 16 -> 32 hex chars, document replay window - Remove AUTH OFF (disabled remotely, use FACTORY reset) - Split STATUS fields into authed/unauthed columns - Update LED states for quiet mode (now default) - Update mDNS discovery note (service ad removed)
2026-02-14 20:15:55 +01:00
parent 57927c7c22
commit 8fcc90a6db
1 changed files with 45 additions and 35 deletions
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -52,7 +52,6 @@ esp-cmd <host> CSIMODE COMPACT         # Features only (~200 B/pkt)
 esp-cmd <host> CSIMODE HYBRID 10       # Compact + raw every Nth packet
 esp-cmd <host> AUTH                     # Query auth status (on/off)
 esp-cmd <host> AUTH mysecret123         # Enable HMAC auth (8-64 char secret)
-esp-cmd <host> AUTH OFF                 # Disable auth
 esp-cmd <host> FLOODTHRESH             # Query deauth flood threshold (5/10s)
 esp-cmd <host> FLOODTHRESH 10 30       # Set: 10 deauths in 30s = flood
 esp-cmd <host> CALIBRATE                # Start baseline capture (default 10s, room must be empty)
@@ -184,12 +183,20 @@ esp-cmd amber-maple.local PRESENCE THRESHOLD 0.08  # Higher = less sensitive

 ### LED States

-| LED | Meaning |
-|-----|---------|
+Default mode is **quiet** (LED off unless noteworthy). Use `LED AUTO` for constant blink.
+
+| LED (quiet mode) | Meaning |
+|-------------------|---------|
+| Off | Normal operation |
+| Solid | Motion or presence detected |
+| Double blink | OTA in progress |
+| Solid (5s) | IDENTIFY command active |
+
+| LED (auto mode) | Meaning |
+|------------------|---------|
 | Off | Not connected to WiFi |
 | Slow blink (1 Hz) | Connected, no CSI activity |
 | Fast blink (5 Hz) | CSI data flowing |
-| Solid (5s) | IDENTIFY command active |
 | Double blink | OTA in progress |

 ## Sensor Discovery
@@ -201,7 +208,7 @@ esp-ctl status --discover               # Status using discovered fleet
 esp-ctl target --discover               # Query targets via discovery
 ```

-Requires firmware with `_esp-csi._udp` mDNS service (v1.1+).
+Sensors register their hostname via mDNS on boot.

 ## HMAC Command Authentication

@@ -215,10 +222,11 @@ export ESP_CMD_SECRET="mysecretkey123"   # add to ~/.bashrc.secrets
 # All esp-cmd/esp-ctl/esp-fleet/esp-ota commands auto-sign when ESP_CMD_SECRET is set
 # Unsigned commands are rejected with "ERR AUTH required"

-esp-ctl cmd amber-maple.local "AUTH OFF"  # Disable auth
+# To disable auth, use FACTORY reset via serial or NVS erase
 ```

-Protocol: `HMAC:<16hex>:<cmd>` — first 16 hex chars of HMAC-SHA256(secret, cmd).
+Protocol: `HMAC:<32hex>:<uptime_s>:<cmd>` — first 32 hex chars of HMAC-SHA256(secret, `<uptime_s>:<cmd>`).
+Replay window: +/-5s from device uptime.

 ## OUI Vendor Lookup

@@ -305,34 +313,36 @@ only generated on ESP32-C6 and newer chips.

 ## STATUS Fields

-| Field | Example | Description |
-|-------|---------|-------------|
-| uptime | 1h23m | Human-readable uptime |
-| uptime_s | 4980 | Raw uptime in seconds |
-| heap | 108744 | Free heap bytes |
-| rssi | -67 | Current AP RSSI (dBm) |
-| channel | 11 | WiFi channel |
-| tx_power | 10 | TX power (dBm) |
-| rate | 100 | Target CSI rate (Hz) |
-| csi_rate | 97 | Actual CSI rate (Hz, computed) |
-| hostname | amber-maple | Device hostname |
-| version | 27aeddb | Firmware git commit |
-| adaptive | on/off | Adaptive sampling |
-| motion | 0/1 | Motion detected |
-| ble | on/off | BLE scanning |
-| target | 192.168.129.11:5500 | UDP destination |
-| temp | 0.0 | Chip temperature (ESP32-S2/C3/C6 only) |
-| csi_count | 30002 | Total CSI frames since boot |
-| boots | 3 | Boot count (NVS persisted) |
-| rssi_min | -71 | Lowest RSSI since boot |
-| rssi_max | -62 | Highest RSSI since boot |
-| csi_mode | raw/compact/hybrid | CSI output mode |
-| hybrid_n | 10 | Raw packet interval (hybrid mode) |
-| auth | on/off | HMAC command authentication |
-| flood_thresh | 5/10 | Deauth flood: count/window_seconds |
-| powersave | on/off | WiFi modem sleep |
-| presence | on/off | Presence detection |
-| pr_score | 0.0432 | Current presence score (0 = no change from baseline) |
+Unauthenticated STATUS returns a minimal subset. Full fields require HMAC auth.
+
+| Field | Example | Auth | Description |
+|-------|---------|------|-------------|
+| hostname | amber-maple | no | Device hostname |
+| uptime | 1h23m | no | Human-readable uptime |
+| uptime_s | 4980 | no | Raw uptime in seconds |
+| rssi | -67 | no | Current AP RSSI (dBm) |
+| channel | 11 | no | WiFi channel |
+| version | 27aeddb | no | Firmware git commit |
+| motion | 0/1 | no | Motion detected |
+| presence | on/off | no | Presence detection |
+| heap | 108744 | yes | Free heap bytes |
+| tx_power | 10 | yes | TX power (dBm) |
+| rate | 100 | yes | Target CSI rate (Hz) |
+| csi_rate | 97 | yes | Actual CSI rate (Hz, computed) |
+| adaptive | on/off | yes | Adaptive sampling |
+| ble | on/off | yes | BLE scanning |
+| target | 192.168.129.11:5500 | yes | UDP destination |
+| temp | 0.0 | yes | Chip temperature (ESP32-S2/C3/C6 only) |
+| csi_count | 30002 | yes | Total CSI frames since boot |
+| boots | 3 | yes | Boot count (NVS persisted) |
+| rssi_min | -71 | yes | Lowest RSSI since boot |
+| rssi_max | -62 | yes | Highest RSSI since boot |
+| csi_mode | raw/compact/hybrid | yes | CSI output mode |
+| hybrid_n | 10 | yes | Raw packet interval (hybrid mode) |
+| auth | on/off | yes | HMAC command authentication |
+| flood_thresh | 5/10 | yes | Deauth flood: count/window_seconds |
+| powersave | on/off | yes | WiFi modem sleep |
+| pr_score | 0.0432 | yes | Current presence score |

 ## PROFILE Sections