diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 5fd4b90..158c9e4 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
     needs: [cppcheck, flawfinder, gitleaks]
     runs-on: anvil
     container:
-      image: docker.io/espressif/idf:v5.3
+      image: docker.io/espressif/idf:v5.5
       volumes:
         - /var/cache/ccache:/ccache
     env:
@@ -90,15 +90,33 @@ jobs:
           cd get-started/csi_recv_router
           idf.py size-components 2>/dev/null | head -30
 
-      - name: Upload firmware artifact
+      - name: Create release
+        if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          mkdir -p /tmp/artifacts
-          cp get-started/csi_recv_router/build/csi_recv_router.bin /tmp/artifacts/
-          cp get-started/csi_recv_router/build/bootloader/bootloader.bin /tmp/artifacts/
-          cp get-started/csi_recv_router/build/partition_table/partition-table.bin /tmp/artifacts/
-          cp get-started/csi_recv_router/build/ota_data_initial.bin /tmp/artifacts/
-          echo "Artifacts ready in /tmp/artifacts"
-          ls -la /tmp/artifacts/
+          BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
+          TAG="${{ github.ref_name }}"
+          API="https://git.mymx.me/api/v1/repos/${{ github.repository }}"
+          TOKEN="${{ github.token }}"
+          SIZE=$(stat -c%s "$BIN")
+
+          RELEASE_ID=$(curl -sS -f -X POST "$API/releases" \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"tag_name\": \"$TAG\",
+              \"name\": \"$TAG\",
+              \"body\": \"Firmware $TAG — $((SIZE / 1024)) KB\"
+            }" | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])")
+
+          echo "Release $RELEASE_ID created for $TAG"
+
+          curl -sS -f -X POST \
+            "$API/releases/$RELEASE_ID/assets?name=csi_recv_router.bin" \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"$BIN"
+
+          echo "Uploaded csi_recv_router.bin ($((SIZE / 1024)) KB)"
 
   cppcheck:
     name: C/C++ Static Analysis
diff --git a/ROADMAP.md b/ROADMAP.md
index f55ab3a..57dd680 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -172,6 +172,7 @@ Note: Promiscuous mode (probe/deauth capture) disabled on original ESP32 — bre
 - [x] Enable WDT panic (`CONFIG_ESP_TASK_WDT_PANIC`)
 - [x] Remove unused `#include "esp_now.h"` (CVE-2025-52471 mitigation)
 - [x] Remove hardcoded default IP from Kconfig (use TARGET command)
+- [x] OTA TLS certificate verification (ESP-IDF 150-CA bundle, `crt_bundle_attach`)
 - [ ] Multi-target (send data to 2+ UDP destinations)
 
 ## Web Backend (`~/git/esp32-web/`)
diff --git a/TASKS.md b/TASKS.md
index 8a82bdd..1860e68 100644
--- a/TASKS.md
+++ b/TASKS.md
@@ -57,6 +57,9 @@ Tracked separately in `~/git/esp32-web/TASKS.md`. Currently at v0.1.5.
 - [x] Remove unused `#include "esp_now.h"` (2026-02-14)
 - [x] Remove hardcoded default IP from Kconfig (2026-02-14)
 
+### P1 - High
+- [x] OTA TLS certificate verification via ESP-IDF CA bundle (2026-02-14)
+
 ### P2 - Normal
 - [ ] Tune presence threshold per room with real-world testing
 - [ ] Power consumption measurements using POWERTEST + external meter
diff --git a/TODO.md b/TODO.md
index 83e2bdf..027a6c6 100644
--- a/TODO.md
+++ b/TODO.md
@@ -11,7 +11,7 @@
 - [ ] Flash encryption planning (irreversible eFuse burn)
 - [ ] Secure Boot V2 planning (irreversible eFuse burn)
 - [ ] DTLS for UDP command channel (stretch goal)
-- [ ] OTA certificate pinning / embedded CA cert
+- [x] OTA TLS certificate verification (ESP-IDF CA bundle)
 - [ ] NVS encryption for auth_secret at rest
 
 ### Features
diff --git a/get-started/csi_recv_router/main/app_main.c b/get-started/csi_recv_router/main/app_main.c
index f4e9840..9c2779b 100644
--- a/get-started/csi_recv_router/main/app_main.c
+++ b/get-started/csi_recv_router/main/app_main.c
@@ -35,6 +35,7 @@
 #include "esp_random.h"
 #include "esp_ota_ops.h"
 #include "esp_https_ota.h"
+#include "esp_crt_bundle.h"
 #include "esp_partition.h"
 #include "esp_chip_info.h"
 #include "esp_http_client.h"
@@ -1235,6 +1236,7 @@ static void ota_task(void *arg)
     esp_http_client_config_t http_cfg = {
         .url = url,
         .timeout_ms = 30000,
+        .crt_bundle_attach = esp_crt_bundle_attach,
     };
 
     esp_https_ota_config_t ota_cfg = {
diff --git a/get-started/csi_recv_router/sdkconfig.defaults b/get-started/csi_recv_router/sdkconfig.defaults
index 17e42c9..cdb15e9 100644
--- a/get-started/csi_recv_router/sdkconfig.defaults
+++ b/get-started/csi_recv_router/sdkconfig.defaults
@@ -69,6 +69,12 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
 CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y
 CONFIG_ESP_HTTPS_OTA_ALLOW_HTTP=y
 
+#
+# TLS Certificate Bundle (CA root store for HTTPS OTA)
+#
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=y
+
 #
 # BLE (NimBLE, scan-only, WiFi coexistence)
 #