Wire ESP-IDF's built-in 150-CA root bundle to the OTA HTTP client
so HTTPS OTA verifies server certificates. Pin bundle config in
sdkconfig.defaults. Replace dead artifact-copy step with Gitea
release creation on tag push. Bump CI container to IDF v5.5.
Firmware: HELP lists all 27 commands with syntax, CONFIG dumps
running config as key=value, FACTORY erases NVS and reboots.
Docs: update PROJECT, ROADMAP, TASKS, TODO to reflect v1.10
completion, v1.11 unreleased work, and esp32-web v0.1.5 state.
Remove stale v2.0 Flask phase-by-phase plan (now tracked in
~/git/esp32-web/). Clean deferred items from completed milestones.
Plan for REST API backend (purple team/OPSEC/OSINT):
- Phase 1: Project scaffold, SQLAlchemy models, podman
- Phase 2: UDP collector for sensor data streams
- Phase 3: Core API endpoints (sensors, devices, alerts, probes, events)
- Phase 4: OSINT features (OUI lookup, BLE company ID mapping)
- Phase 5: Fleet management API
Port allocation:
- TCP 5500: HTTP REST API
- UDP 5500: Sensor data collector
- UDP 5501: Sensor commands (outbound)
Also documents completed v1.8 (HTTPS OTA) and v1.9 (multi-channel
scanning, BLE fingerprinting) milestones.
CALIBRATE command captures per-subcarrier CSI amplitudes over a timed
window and stores the averaged baseline in NVS. PRESENCE command enables
real-time scoring via normalized Euclidean distance against the baseline,
with rolling window averaging and 10s holdoff on state transitions.
New commands: CALIBRATE [3-60|STATUS|CLEAR], PRESENCE [ON|OFF|THRESHOLD]
New NVS keys: bl_amps (blob), bl_nsub, presence, pr_thresh
New STATUS fields: presence=, pr_score=
New events: calibrate=done, presence=0|1
Firmware:
- HMAC-SHA256 command authentication (AUTH command, NVS persisted)
- Deauth flood detection with ring buffer and aggregate ALERT_DATA
- FLOODTHRESH command (count + window, NVS persisted)
- New STATUS fields: auth=on/off, flood_thresh=5/10
- mbedtls dependency in CMakeLists.txt, rx_buf increased to 192
Tools:
- esp-cmd/esp-fleet/esp-ota import sign_command from esp_ctl.auth
- Commands auto-signed when ESP_CMD_SECRET env var is set
Docs:
- CHEATSHEET: AUTH, FLOODTHRESH, HMAC auth, OUI, watch, osint sections
- TASKS: v1.3 completed section with all new features
Check off sensor ID, deauth detection, chip temperature, BLE alerting,
dwell time, timestamped logging. Advance TASKS sprint to v1.1. Clean
completed items from TODO.
On-device CSI wander calculation (coefficient of variation over 50-packet
window). Rate drops to 10 Hz when idle, jumps to 100 Hz on motion with
3s holdoff. EVENT notifications sent to Pi on rate changes. New commands:
ADAPTIVE ON/OFF, THRESHOLD. RATE command disables adaptive mode.
All settings NVS-persisted.
Dual OTA partition table (ota_0/ota_1, 1920 KB each) on 4MB flash.
Firmware gains OTA command, LED_OTA double-blink, version in STATUS,
and automatic rollback validation. Pi-side esp-ota tool serves firmware
via HTTP and orchestrates the update flow. esp-fleet gains ota subcommand.
Firmware (app_main.c):
- UDP command listener on port 5501 (configurable via Kconfig)
- Commands: REBOOT, IDENTIFY, STATUS, RATE, POWER
- LED status indicator on GPIO2 (off/slow/fast blink/solid)
- NVS persistence for send_rate and tx_power settings
- Refactored ping to support stop/restart for dynamic rate changes
- TX power control via esp_wifi_set_max_tx_power()
Pi-side tooling:
- tools/esp-cmd: standalone Python3 UDP client for device management
Tested on amber-maple (ESP32 v3.1) with ESP-IDF v5.5.2.
Matches the version deployed on ESP32 sensors. Removes v6.1
workaround, updates all docs to reflect v5.5.2, regenerates
sdkconfig for the correct IDF version.
