esp32-web/TODO.md

# ESP32-Web TODO

## API

- [x] Pagination for all list endpoints (with total count)
- [x] Request logging middleware
- [x] Data retention policy (auto-cleanup old records)
- [ ] Filter by date range
- [ ] Sort options
- [ ] Rate limiting (flask-limiter)
- [ ] API authentication (JWT or API keys)

## OSINT

- [ ] Device fingerprinting by advertisement patterns
- [ ] SSID categorization (home, corporate, mobile hotspot)
- [ ] MAC randomization detection (correlate probe bursts, RSSI, timing)
- [ ] Device reputation scoring (randomized MAC, probe hygiene, visit frequency)
- [ ] Organizational mapping (group devices by vendor + behavior)

## Collector

- [ ] CSI data storage (optional, high volume)

## Fleet Management

- [ ] Bulk commands (multi-sensor OTA/config)

## Deployment

- [ ] Podman quadlet (systemd integration)
- [ ] PostgreSQL configuration
- [ ] Nginx reverse proxy config
- [ ] TLS setup guide
- [ ] Backup/restore scripts

## Testing

- [ ] API endpoint tests (all routes)
- [ ] Collector parser tests (edge cases)
- [ ] Integration tests with mock sensors
- [ ] Load testing

## Visualizations

### Spatial / RF (D3.js)
- [ ] RSSI heatmap — triangulate device positions from multi-sensor readings, animate over time
- [ ] Sensor coverage Voronoi — show reach/overlap/blind spots
- [ ] Channel utilization spectrogram — waterfall display per sensor

### Device Intelligence
- [x] Device fingerprint clusters — group by behavior (probes, BLE company, cadence)
- [x] SSID social graph — devices as nodes, shared probed SSIDs as edges (reveals co-location history)
- [ ] Probe request worldmap — map probed SSIDs to geolocations via WiGLE
- [x] Vendor treemap — OUI + BLE company breakdown, anomaly spotting

### Temporal
- [ ] Presence timeline / Gantt — per-device strips showing enter/leave range (routines, anomalies)
- [ ] First-seen drift — highlight novel devices vs. known regulars
- [ ] Dwell time distributions — histogram, bimodal = passers-by vs. occupants

### Purple Team
- [ ] Deauth attack timeline — overlay alerts with source/target, correlate with device disappearances
- [ ] Evil twin detection — flag when probed SSID appears as local AP
- [ ] Flood intensity gauge — real-time deauth rate + historical sparklines
- [ ] Attack surface dashboard — broadcast probes (evil twin targets), static MACs (trackable), deauth-vulnerable
- [ ] Kill chain tracker — map events to MITRE ATT&CK for WiFi

### Experimental
- [ ] CSI radar — amplitude/phase matrix as real-time presence radar (if CSI enabled)
- [ ] Mesh consensus view — sensor agreement graph, fork/resolve visualization
- [ ] Temporal knowledge graph — devices/SSIDs/sensors/alerts with timestamped edges
- [ ] Adversarial simulation replay — VCR-style event playback with what-if scenarios
- [ ] Entropy dashboard — single ambient metric (new devices/hr, probe diversity, alert rate)

### Priority picks (high value, low-medium effort)
1. ~~Presence timeline (low effort, high value)~~ — next up
2. ~~Deauth attack timeline (low effort, high value)~~ — next up
3. ~~SSID social graph (medium effort, high value)~~ — done v0.1.4
4. ~~Device fingerprint clusters (medium effort, high value)~~ — done v0.1.4
5. RSSI heatmap / triangulation (high effort, very high value)

### Tech notes
- D3.js v7 + htmx + Pico CSS served locally from `static/vendor/`
- Dashboard at `/dashboard/` with htmx tab switching
- Intelligence API at `/api/v1/intelligence/*`

## Ideas

- WebSocket for live updates
- SSE (Server-Sent Events) alternative
- Webhook callbacks for alerts
- Slack/Discord notifications
- Home Assistant MQTT integration
- Grafana dashboard templates
- ML device classification