* fix(ci): SAST actually scans the code + drop deprecated flaky semgrep action
Two real problems in the Static Application Security Testing job:
1. **It scanned a path that no longer exists.** `bandit -r src/` and
`semgrep … src/` pointed at the repo-root `src/`, but the Python code
moved to `archive/v1/src/` (64 .py files) when the runtime was rewritten
in Rust. So the SAST scan matched nothing — a silent no-op (this is also
why `bandit-results.sarif` was "Path does not exist" on recent runs).
Fixed both to `archive/v1/src/`.
2. **Deprecated + redundant + flaky semgrep step.** The
`returntocorp/semgrep-action@v1` step pulled `returntocorp/semgrep-agent:v1`
from Docker Hub every run (intermittently timing out → red check, e.g. on
#929) and is EOL. It was redundant: the pip `semgrep --sarif` step is what
feeds GitHub Security; the action only pushed to the Semgrep cloud app via
SEMGREP_APP_TOKEN. Removed it and folded its `p/docker` + `p/kubernetes`
rulesets into the pip semgrep command, so coverage is preserved with no
Docker pull.
The job stays `continue-on-error: true` (non-gating). YAML validated.
Co-Authored-By: claude-flow <ruv@ruv.net>
* fix(protocol): resolve 0xC511_0004 magic collision (closes#928)
Background
`0xC511_0004` was assigned to two different packet formats in firmware
— `EDGE_FUSED_MAGIC` (ADR-063, 48-byte `edge_fused_vitals_pkt_t`) and
`WASM_OUTPUT_MAGIC` (ADR-040, variable-length `wasm_output_pkt_t`).
Both were transmitted. The sensing-server only had a WASM parser for
that magic and no fused-vitals parser, so on the ESP32-C6 + MR60BHA2
mmWave configuration the fused-vitals packet was silently misparsed
as a malformed WASM output — `breathing_rate` was read as
`event_count`, mmWave-fused vitals were lost, and spurious WASM events
were emitted to subscribers.
Fix
1. Reassign `WASM_OUTPUT_MAGIC` to `0xC511_0007` (next free slot per
the registry in `rv_feature_state.h`). Smaller blast radius than
moving fused-vitals — the registry already treats `0xC511_0004` as
fused-vitals canonical and several years of deployed feature
tracking depends on that assignment.
2. Add `parse_edge_fused_vitals` + `EdgeFusedVitalsPacket` in
`wifi-densepose-sensing-server::main`. Byte layout taken directly
from `edge_processing.h:129`, mirroring the firmware's
`_Static_assert(sizeof(edge_fused_vitals_pkt_t) == 48)` so future
firmware changes that grow the packet will break this parser
loudly instead of silently.
3. Add a dispatch arm in the UDP receive loop. Fused-vitals is tried
BEFORE WASM so a stale firmware (still emitting 0xC511_0004 with
the WASM payload) fails to parse as fused-vitals (size mismatch),
then fails to parse as WASM (magic mismatch on the new 0x...0007),
and gets dropped — a deliberate "fail loud" outcome rather than the
pre-fix silent garbage.
4. Update the registry comment in `rv_feature_state.h` to add the new
0x...0007 row.
5. Add five tests in a new `issue_928_magic_collision_tests` mod:
- `parse_edge_fused_vitals_extracts_fields_correctly`
- `parse_edge_fused_vitals_rejects_short_buffer`
- `parse_edge_fused_vitals_rejects_wrong_magic`
- `parse_wasm_output_rejects_legacy_0004_magic`
- `parse_wasm_output_accepts_new_0007_magic`
WebSocket payload
Fused-vitals now broadcasts as `{"type": "edge_fused_vitals", ...}`
with the mmWave-specific block nested under `mmwave`. Schema is
additive — existing subscribers that only inspect `type` are
unaffected; subscribers that switch on `type` gain a new branch.
Deployment note
This is a wire-protocol change. Firmware older than this commit that
emits WASM output on 0xC511_0004 will lose its WASM event stream
against an updated host (host expects 0xC511_0007). Per the issue
discussion, "fail loud" is preferred to silent misparsing. Operators
running C6+mmWave should reflash firmware concurrent with the host
upgrade.
Test results
cargo test -p wifi-densepose-sensing-server --no-default-features
--bin sensing-server
→ 122 passed / 0 failed (5 new + 117 existing, unchanged)
Co-Authored-By: claude-flow <ruv@ruv.net>
#613 fixed adaptive_classifier.rs:94 (the IQR sort) and called the audit
done, but the grep used `partial_cmp(b).unwrap()` as a literal and missed
seven additional production sites that use comparator variants:
adaptive_classifier.rs:205 AdaptiveModel::classify() argmax over softmax
probs — same per-frame hot path as #611.
NaN flows through normalise → logits → softmax
and still reaches this site even after the
IQR fix.
adaptive_classifier.rs:480 train() argmax (training accuracy loop)
adaptive_classifier.rs:500 train() per-class argmax
main.rs:2446, 2449 count_persons_mincut variance source/sink select
csi.rs:602, 605 count_persons_mincut variance source/sink select
(duplicate of main.rs logic in csi.rs)
For the variance-select sites, note that the *outer* `unwrap_or((0, &0))`
only catches an empty iterator — it cannot rescue a panic raised inside
the comparator. A single NaN in `variances[]` still aborts the process.
Same fix as #613: swap `.unwrap()` for `.unwrap_or(std::cmp::Ordering::Equal)`
inside the comparator closure. Pure behavioural change, no API surface.
Re-audit of the remaining `partial_cmp(...).unwrap()` matches in v2/:
they are all inside `#[cfg(test)]` / `#[test]` blocks (spectrogram.rs:269,
depth.rs:234, connectivity.rs:477, vital_signs.rs:737) where inputs are
controlled and panic-on-NaN is acceptable.
The Rust port lived two directories deep (rust-port/wifi-densepose-rs/)
without any sibling under rust-port/ that warranted the extra level.
Move the whole workspace up to v2/ to match v1/ (Python) at the same
depth and shorten every cd / build command across the repo.
git mv preserves history for all tracked files. 60 files updated for
path references (CI workflows, ADRs, docs, scripts, READMEs, internal
.claude-flow state). Two manual fixes for relative-cd paths in
CLAUDE.md and ADR-043 that became wrong after the depth change
(cd ../.. → cd ..).
Validated:
- cargo check --workspace --no-default-features → clean (after target/
nuke; the gitignored target/ was carried by the OS rename and had
hard-coded old paths in build scripts)
- cargo test --workspace --no-default-features → 1,539 passed, 0 failed,
8 ignored (same totals as pre-rename)
- ESP32-S3 on COM7 → still streaming live CSI (cb #40300, RSSI -64 dBm)
After-merge follow-up: contributors should `rm -rf v2/target` once and
let cargo regenerate from the new path.
rUv
Rahul