RuView / WiFi-DensePose -- QE Executive Summary
Date: 2026-04-05
Analysis: Full-spectrum Quality Engineering assessment (8 specialized agents)
Codebase: ~305K lines across Rust (153K), Python (39K), C firmware (9K), TypeScript/JS (33K), Docs (71K)
Fleet ID: fleet-02558e91
Overall Quality Score: 55/100 (C+) -- QUALITY GATE FAILED
| Domain |
Score |
Verdict |
| Code Quality & Complexity |
55-82/100 |
CONDITIONAL PASS |
| Security |
68/100 |
CONDITIONAL PASS |
| Performance |
Borderline |
AT RISK (37-54ms vs 50ms budget) |
| Test Suite Quality |
Mixed |
3,353 tests but heavy duplication |
| Coverage |
77% file-level |
FAIL (Python 30%, Firmware 19%) |
| Quality Experience (QX) |
71/100 |
CONDITIONAL PASS |
| Product Factors (SFDIPOT) |
TIME = CRITICAL |
FAIL on time factor |
P0 -- Fix Immediately (Security + CI)
| # |
Issue |
File(s) |
Impact |
| 1 |
Rate limiter bypass -- trusts X-Forwarded-For without validation |
archive/v1/src/middleware/rate_limit.py:200-206 |
Any client can bypass rate limits via header spoofing |
| 2 |
Exception details leaked in HTTP responses regardless of environment |
archive/v1/src/api/routers/pose.py:140, stream.py:297, +5 others |
Stack traces visible to attackers |
| 3 |
WebSocket JWT in URL -- tokens visible in logs, browser history, proxies |
archive/v1/src/api/routers/stream.py:74, archive/v1/src/middleware/auth.py:243 |
Token exposure (CWE-598) |
| 4 |
Rust tests not in CI -- 2,618 tests in largest codebase never run in pipeline |
No cargo test in any GitHub Actions workflow |
Regressions ship undetected |
| 5 |
WebSocket path mismatch -- mobile app sends to wrong endpoint |
ui/mobile/src/services/ws.service.ts:104 vs constants/websocket.ts:1 |
Mobile WebSocket connections fail silently |
P1 -- Fix This Sprint (Performance + Code Health)
| # |
Issue |
File(s) |
Impact |
| 6 |
God file: 4,846 lines, CC=121 -- sensing-server main.rs |
crates/wifi-densepose-sensing-server/src/main.rs |
Untestable, unmaintainable monolith |
| 7 |
O(L*V) tomography voxel scan per frame |
ruvsense/tomography.rs:345-383 |
~10ms wasted per frame; use DDA ray march for 5-10x speedup |
| 8 |
Sequential neural inference -- defeats GPU batching |
wifi-densepose-nn inference.rs:334-336 |
2-4x latency penalty |
| 9 |
720 .unwrap() calls in Rust production code |
Across entire Rust workspace |
Each is a potential panic in real-time/safety-critical paths |
| 10 |
Python Doppler: 112KB alloc per frame at 20Hz |
archive/v1/src/core/csi_processor.py:412-414 |
Converts deque -> list -> numpy every frame |
P2 -- Fix This Quarter (Coverage + Safety)
| # |
Issue |
File(s) |
Impact |
| 11 |
11/12 Python modules untested -- only CSI extraction has unit tests |
archive/v1/src/services/, middleware/, database/, tasks/ |
12,280 LOC with zero unit tests |
| 12 |
Firmware at 19% coverage -- WASM runtime, OTA, swarm bridge untested |
firmware/esp32-csi-node/main/wasm_runtime.c (867 LOC) |
Security-critical code with no tests |
| 13 |
MAT simulation fallback -- disaster tool auto-falls back to simulated data |
ui/mobile/src/screens/MATScreen/index.tsx |
Risk of operators monitoring fake data during real incidents |
| 14 |
Token blacklist never consulted during auth |
archive/v1/src/api/middleware/auth.py:246-252 |
Revoked tokens remain valid |
| 15 |
50ms frame budget never benchmarked -- no latency CI gate |
No benchmark harness exists |
Real-time requirement is aspirational, not verified |
P3 -- Technical Debt
| # |
Issue |
Impact |
| 16 |
340 unsafe blocks need formal safety audit |
Potential UB in production |
| 17 |
5 duplicate CSI extractor test files (~90 redundant tests) |
Maintenance burden |
| 18 |
Performance tests mock inference with asyncio.sleep() |
Tests measure scheduling, not performance |
| 19 |
CORS wildcard + credentials default |
Browser security weakened |
| 20 |
ESP32 UDP CSI stream unencrypted |
CSI data interceptable on LAN |
Bright Spots
- 79 ADRs -- exceptional architectural governance
- Witness bundle system (ADR-028) -- deterministic SHA-256 proof verification
- Rust test depth -- 2,618 tests with mathematical rigor (Doppler, phase, losses)
- Daily security scanning in CI (Bandit, Semgrep, Safety)
- Mobile state management -- clean Zustand stores with good test coverage
- Ed25519 WASM signature verification on firmware
- Constant-time OTA PSK comparison -- proper timing-safe crypto
Reports Index
All detailed reports are in the docs/qe-reports/ directory:
| Report |
Lines |
Description |
| 00-qe-queen-summary.md |
315 |
Master synthesis, quality score, cross-cutting analysis |
| 01-code-quality-complexity.md |
591 |
Cyclomatic/cognitive complexity, code smells, top 20 hotspots |
| 02-security-review.md |
600 |
15 findings (0 CRITICAL, 3 HIGH, 7 MEDIUM), OWASP coverage |
| 03-performance-analysis.md |
795 |
23 findings (4 CRITICAL), frame budget analysis, optimization roadmap |
| 04-test-analysis.md |
544 |
3,353 tests inventoried, duplication analysis, quality assessment |
| 05-quality-experience.md |
746 |
API/CLI/Mobile/DX/Hardware UX assessment, 3 oracle problems |
| 06-product-assessment-sfdipot.md |
711 |
SFDIPOT analysis, 57 test ideas, 14 exploratory session charters |
| 07-coverage-gaps.md |
514 |
Coverage matrix, top 20 risk gaps, 8-week improvement roadmap |
Total analysis: 4,816 lines across 8 reports (265 KB)
Generated by QE Swarm (8 agents, fleet-02558e91) on 2026-04-05
Orchestrated by QE Queen Coordinator with shared learning/memory