frank/ruvnet--RuView
1
0
Fork 0
mirror of https://github.com/ruvnet/RuView synced 2026-06-09 10:13:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

deploy: 55f6a74e1e

Browse Source
This commit is contained in:
ruvnet
2026-06-02 15:46:25 +00:00
parent e3c245b45b
commit 62f74a1ea3
340 changed files with 119915 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api-docs/ADR-110-BRANCH-STATE.md
+97
View File
@@ -0,0 +1,97 @@
# ADR-110 — Branch state (as of 2026-05-23, iter 22)
Reference card for anyone collaborating on or near the ADR-110 work. The /loop SOTA sprint that closed the firmware-side substrate ran into multiple cross-branch checkout incidents (see iter 17-19); this page exists so the next collaborator doesn't have to re-derive the layout from `git log`.
## Branch ownership
| Branch | Owner | What it carries | Don't merge from |
|---|---|---|---|
| `main` | shared | shipped release line | — |
| `adr-110-esp32c6` | ADR-110 / C6 firmware substrate | Everything described in `WITNESS-LOG-110 §A0.x` (4 firmware tags v0.6.7 → v0.7.0, Python + Rust decoders, sensing-server wire, mesh-aligned timestamp recovery, fps EMA, cross-language conformance gate) | Don't accidentally land `feat/adr-115-ha-mqtt-matter` work here uncommitted |
| `feat/adr-115-ha-mqtt-matter` | ADR-115 / HA-DISCO + HA-FABRIC + HA-MIND | MQTT publisher (`rumqttc`), Matter Bridge, semantic automation primitives, related Cargo features + CLI flags | Don't accidentally land ADR-110 `wifi-densepose-hardware` dep mods here |
## Files each branch touches
### `adr-110-esp32c6` — primary modifications
```
firmware/esp32-csi-node/version.txt # bumped 0.6.6 → 0.7.0
firmware/esp32-csi-node/main/c6_*.{c,h} # LP-core, TWT, timesync, soft-AP HE, ESP-NOW sync
firmware/esp32-csi-node/main/lp_core/main.c # real LP-core polling program
firmware/esp32-csi-node/main/csi_collector.c # byte 19 bit 4 OR-fix; sync packet emit
firmware/esp32-csi-node/main/Kconfig.projbuild # C6_* knobs
firmware/esp32-csi-node/main/CMakeLists.txt # ulp_embed_binary
firmware/esp32-csi-node/sdkconfig.defaults.esp32c6 # C6 overlay
archive/v1/src/hardware/csi_extractor.py # SyncPacketParser + SyncPacket dataclass
archive/v1/tests/unit/test_esp32_binary_parser.py # TestSyncPacketParser (7 tests)
v2/crates/wifi-densepose-hardware/src/sync_packet.rs # new module (15 tests)
v2/crates/wifi-densepose-hardware/src/lib.rs # re-exports
v2/crates/wifi-densepose-sensing-server/Cargo.toml # ONLY adds wifi-densepose-hardware path dep
v2/crates/wifi-densepose-sensing-server/src/main.rs # NodeState::{latest_sync, csi_fps_ema,
# mesh_aligned_us_for_csi_frame,
# observe_csi_frame_arrival}
# udp_receiver_task magic dispatch
# fps_ema_tests module (4 tests)
docs/adr/ADR-110-esp32-c6-firmware-extension.md # 670 → ~750 lines (P10 + sprint summary)
docs/WITNESS-LOG-110.md # 13 §A0.x entries
docs/ADR-110-REVIEW-GUIDE.md # reviewer one-pager
docs/ADR-110-BRANCH-STATE.md # ← this file
```
### `feat/adr-115-ha-mqtt-matter` — primary modifications
```
docs/adr/ADR-115-home-assistant-integration.md # the design
v2/crates/wifi-densepose-sensing-server/Cargo.toml # rumqttc dep + [features] block
v2/crates/wifi-densepose-sensing-server/src/cli.rs # --mqtt / --matter / --semantic flags
```
## Known overlap points (handle with care)
Both branches touch `v2/crates/wifi-densepose-sensing-server/Cargo.toml` and `src/main.rs`. The conflict surface is **disjoint by section**:
| File | ADR-110 region | ADR-115 region |
|---|---|---|
| `Cargo.toml` | `[dependencies]``wifi-densepose-hardware = { path = "../wifi-densepose-hardware" }` near the existing `wifi-densepose-signal` line | `[dependencies]``rumqttc` block below + `[features]` block at end |
| `main.rs` | `NodeState` fields + `impl NodeState` helpers + `update_csi_fps_ema` free fn + `fps_ema_tests` module + `udp_receiver_task` magic dispatch | (TBD per ADR-115 P-plan) |
A merge between the two branches should be **clean line-merge** since the regions don't overlap. If git ever reports a real conflict in either of these files, that means one branch has drifted into the other's region — investigate before resolving blindly.
## Quick test commands (verify either branch is sane)
```bash
# Rust workspace (run from v2/)
cd v2
cargo test --workspace --no-default-features --lib # 1437 tests at iter 22, 0 failures
# Python ADR-110 host decoder (from repo root)
python -m pytest archive/v1/tests/unit/test_esp32_binary_parser.py::TestSyncPacketParser -v
# Cross-language wire-format gate (the iter 21 pin)
cargo test -p wifi-densepose-hardware --no-default-features --lib sync_packet::tests::canonical_wire_bytes_match_python_decoder
python -m pytest archive/v1/tests/unit/test_esp32_binary_parser.py::TestSyncPacketParser::test_canonical_wire_bytes_match_rust_decoder -v
```
If either side of the canonical-wire-bytes pair fails alone, the OTHER decoder has drifted from the wire format — investigate that decoder first, not the failing test.
## Future-proofing
- When the ADR-115 agent ships `feat/adr-115-ha-mqtt-matter` to main and ADR-110 also ships, merge `main` into `adr-110-esp32c6` (or vice versa) and re-run both test suites. The disjoint-region structure above should make the merge a no-conflict fast-forward.
- When a third agent picks up either ADR, point them at this file before they start editing shared files.
- If a /loop drives autonomous iterations and hits a cross-branch checkout, the recovery procedure is in iter 18's commit message (`2997165bc`) — stash on the foreign branch, `git checkout` home, replay the iter locally.
## Lessons for `/loop` and `/loop-worker` future runs
Captured after the 38-iter ADR-110 SOTA sprint (`/loop 5m until sota. and ultra optmized`):
1. **Always verify the current branch at the start of each iter** — when a /loop fires every 5 minutes and another agent is active on a sibling branch, the working tree can flip without your action. Run `git branch --show-current` as the first line of every iter; if it isn't what you expect, stash and switch back BEFORE editing. We burned ~30 min in iter 17-19 recovering from two silent branch flips.
2. **Don't `git add <file>` blindly after a branch switch** — the file may have inherited changes from the foreign branch (uncommitted work that came along on checkout). Always `git diff --cached` before `git commit`. We accidentally absorbed ADR-115's Cargo.toml/cli.rs work into ADR-110's iter-18 commit; required a follow-up revert commit (`ca2059b07`) and stash dance.
3. **Sibling-region edits in shared files** — when two branches both touch `v2/crates/wifi-densepose-sensing-server/Cargo.toml` or `src/main.rs`, agree on which `[section]` or struct each owns. Document the regions in this file (see Known overlap points). Merges then stay clean line-merge fast-forwards instead of needing conflict resolution.
4. **Extract pure helpers before committing inline mutations** — iter 30 (`sync_snapshot`), iter 32 (`apply_sync_packet`), iter 37 (`fleet_role_counts`) all converted inline state-changes into named, free, testable functions. Each saved 4+ inline duplications and let the helper be tested without spinning up axum / tokio. Bake this into every iter's plan: *"what's the smallest helper I can extract here?"*
5. **Cross-language wire-format gates** — when shipping a protocol decoder in both Python and Rust, pin the SAME canonical byte string in BOTH test suites (iter 21 pattern). One side drifting fires exactly one named test on exactly the drifted decoder. Don't wait until "later" — add the pin in the iter that ships the second language.
6. **Helper tests > integration tests when state is heavy**`AppStateInner` has too many fields to construct in a test. Instead of fighting it, extract per-field logic into pure helpers (iter 30 sync_snapshot pattern). Tests target the helpers, the handler glue stays thin and trivially correct.
7. **Local stub files lag firmware additions**`firmware/esp32-csi-node/test/stubs/esp_stubs.c` doesn't get rebuilt with the firmware proper, so a new symbol added to a `*.h` won't surface as a fuzz-target link error until CI runs. Iter 38 caught `c6_sync_espnow_is_valid` this way. **Whenever you add a function whose declaration is reachable from `csi_collector.c`, also add a stub** in the same commit.
8. **Cron-based /loop accumulates work across irreversible checkpoints (tags, releases, PR ready)** — once you cut a tag or mark a PR ready, the cost of reverting is much higher than a code edit. Save those for iters when you have surplus confidence (full local test suite green, CI from previous iter green). Iter 12 (v0.7.0 cut) and iter 38 (PR ready) were the right shape: only happened after iter 6 / iter 37 evidence had landed.
api-docs/ADR-110-REVIEW-GUIDE.md
+62
View File
@@ -0,0 +1,62 @@
# ADR-110 review guide
This is the **one-pager** for reviewers of the `adr-110-esp32c6` branch / draft PR. The canonical record is [`docs/WITNESS-LOG-110.md`](WITNESS-LOG-110.md); this guide is just a faster on-ramp.
## What this branch ships
A dual-target build for `firmware/esp32-csi-node`: same source tree compiles for `esp32s3` (existing production) and `esp32c6` (new research target with Wi-Fi 6 / 802.15.4 / TWT / LP-core). Every C6-only module is `#ifdef CONFIG_IDF_TARGET_ESP32C6` gated, so the S3 build path is byte-identical to before.
## Five-minute reviewer tour
1. **Read the ADR**: [`docs/adr/ADR-110-esp32-c6-firmware-extension.md`](adr/ADR-110-esp32-c6-firmware-extension.md) — design, phases, trade-offs.
2. **Read the witness**: [`docs/WITNESS-LOG-110.md`](WITNESS-LOG-110.md) — 4 sections (A = empirically verified, B = architectural-but-not-measured, C = bugs fixed, D = bugs found but not yet fixed, D-workaround = ESP-NOW pivot).
3. **Skim the new firmware modules**: `firmware/esp32-csi-node/main/c6_{twt,timesync,lp_core,sync_espnow}.{h,c}`.
4. **Skim the new host decoders + tests**:
- Rust: `v2/crates/wifi-densepose-hardware/src/{csi_frame,esp32_parser}.rs` (search for `PpduType`, `Adr018Flags`, `adr110_*` test names)
- Python: `archive/v1/src/hardware/csi_extractor.py` + `archive/v1/tests/unit/test_esp32_binary_parser.py` (search for `TestAdr110ByteEncoding`)
5. **Glance at CI**: `firmware-ci.yml` `c6-4mb` matrix row runs the C6 build AND the host unit tests on Ubuntu — both green throughout this branch.
## Empirical scorecard (what's actually measured)
| Dimension | Status |
|---|---|
| C6 build + boot + dual-target | ✅ verified on 3 boards (COM6/COM9/COM12), CI matrix green, S3 regression green |
| HE-LTF wire format (ADR-018 byte 18-19) | ✅ verified end-to-end across firmware / Rust / Python (17 unit tests) |
| HE-LTF live capture | ⏸ blocked — need 11ax AP (only 11n AP on bench) |
| TWT graceful NACK | ✅ verified live — `c6_twt: iTWT setup failed: ESP_ERR_INVALID_ARG` captured + handled |
| TWT cadence determinism | ⏸ blocked — same 11ax AP gap |
| ESP-NOW transport TX + stability | ✅ verified — 120 s + 300 s soaks, 4102 cumulative transmits, 0 failures |
| ESP-NOW cross-board RX | ⏸ blocked — 3 of 4 boards dropped USB enumeration mid-experiment |
| Raw 802.15.4 cross-node sync | ❌ broken — IDF v5.4 driver bug, 5 hypotheses tested + rejected; ESP-NOW workaround in place |
| 5 µA hibernation | ⏸ blocked — datasheet number, need INA / Joulescope to measure |
| Witness bundle regenerable + clean | ✅ 6/7 PASS (1 fail is pre-existing Python proof env issue unrelated to ADR-110), all hashes recorded, secret-redacted |
## Honest verdict
Protocol layer + transport substrate are bullet-proofed. **None of the four headline SOTA dimensions is empirically measured** — each is blocked on hardware the bench doesn't have. Each blocker is documented in `WITNESS-LOG-110.md` §B with the exact instrument needed to unblock it. **This branch is the foundation to build measurement on, not the measurement itself.**
The five concrete bugs found and fixed during the work (MAC/EUI double-FFFE, dual `wifi_pkt_rx_ctrl_t` struct variants, LED GPIO 38 on C6, TWT INVALID_ARG propagation, witness bundle secret leak) are independently real and useful regardless of how the SOTA story lands.
## Security note for the operator (not the reviewer)
The witness bundle's Python proof step was leaking `.env` contents into the bundled log via Pydantic validation error dumps. Bundle was nuked before push, and `scripts/redact-secrets.py` filter was added (commit `f8a2e3695`). **The previously-exposed Docker Hub + PI-cluster tokens should be rotated** — they appeared in local session logs even though they never reached `origin`.
## Commits on this branch (chronological)
| # | SHA prefix | What |
|---|---|---|
| 1 | `f23e34e` | Initial ADR-110 firmware + ADR + tests + docs + witness scaffolding |
| 2 | `6652384` | TWT INVALID_ARG graceful + diagnostic counters |
| 3 | `4c39e28` | PAN-match + 4-experiment D1 record |
| 4 | `f8a2e36` | **SECURITY**: witness bundle secret redaction |
| 5 | `88be283` | ESP-NOW transport (D1 workaround) |
| 6 | `3959fab` | Rust host decoder + 6 unit tests |
| 7 | `8eaa92c` | Python host decoder + 5 unit tests |
| 8 | `b808a63` | 120 s ESP-NOW soak witness |
| 9 | `89972c0` | CHANGELOG expanded |
| 10 | `fc75a8a` | Fuzz harness extended for byte 18-19 |
| 11 | `9de34ba` | ADR-110 indexed in docs/adr/README.md |
| 12 | `553b07d` | README C6 row tightened (claim → wire-format-ready) |
| 13 | `e255b7d` | firmware/README acknowledges S3+C6 |
| 14 | `9a46fc8` | 300 s ESP-NOW soak witness (2.5× sample) |
| 15 | _(this commit)_ | This review guide |
api-docs/RELEASE-streaming-engine-v0.3.0.md
+117
View File
@@ -0,0 +1,117 @@
# RuView Streaming Engine v0.3.0 — Auditable Environmental Intelligence
## What this is
Most WiFi-sensing stacks emit a number and hope you trust it. **RuView's streaming
engine is built so you don't have to.** Every conclusion it reaches — "someone is
in the living room," "fall risk elevated," "the room layout changed" — carries a
full evidence trail: which sensors saw it, how much they agreed, which calibration
and model produced it, and what privacy policy it was emitted under.
The throughline is **trust**. If you ask *"why should I believe this when it says a
person fell?"*, the engine answers with signal evidence, sensor agreement,
calibration provenance, and an auditable privacy posture — not just a confidence
score.
This release lands the ADR-135→146 series: the data contracts, the
trust/privacy/audit machinery, and the algorithms — all real, tested, and
composed into one end-to-end pipeline cycle.
## The two layers that make it auditable
- **WorldGraph (`wifi-densepose-worldgraph`)** — the *where & why* graph. A typed
graph of rooms, sensors, RF links, person tracks, object anchors, events, and
beliefs, connected by typed edges: `observes`, `located_in`, `derived_from`,
`contradicts`, `privacy_limited_by`. The privacy posture is *visible in the
persisted graph* — an auditor can read exactly what was suppressed and why.
- **Trusted semantic records** — the *what we believe right now* record. Every
semantic state carries model version, calibration version, evidence refs,
confidence, expiry, and privacy action. High-stakes actions (caregiver
escalation) require **multi-signal agreement**, not a single noisy primitive.
## What's new in v0.3.0
| Area | Capability |
|------|-----------|
| Frame contracts (ADR-136) | `ComplexSample` (LE-canonical), provenance fields on every frame, `CanonicalFrame` BLAKE3 witness, `Stage`/`Versioned`/`QualityScored` traits |
| Calibration (ADR-135) | `BaselineCalibration::apply()` stamps a deterministic `calibration_id` onto each frame |
| Fusion quality (ADR-137) | `QualityScore` with per-node weights, evidence refs, and contradiction flags; calibration-mismatch detection |
| Array coordination (ADR-138) | clock-quality + geometry gating; degraded nodes go "watch-only" |
| WorldGraph (ADR-139) | the typed digital twin + privacy rollup + deterministic persistence |
| Semantic records (ADR-140) | auditable state records + multi-signal agent routing |
| Privacy control plane (ADR-141) | named modes + actions + a BLAKE3 hash-chained, tamper-evident attestation |
| Evolution + VoxelMap (ADR-142) | cross-link "the room changed" detection + Bayesian occupancy, privacy-gated to a histogram |
| RF-SLAM (ADR-143) | persistent reflector discovery → learned static anchors |
| UWB fusion (ADR-144) | range-constraint refinement with outlier rejection (forward-looking) |
| Ablation harness (ADR-145) | feature-matrix metrics incl. membership-inference privacy leakage |
| RF encoder (ADR-146) | multi-task heads with per-head uncertainty + contrastive batcher (forward-looking) |
| **Engine (`wifi-densepose-engine`)** | the composition root: one `process_cycle()` runs the whole trust pipeline |
## Quick start
```rust
use wifi_densepose_engine::StreamingEngine;
use wifi_densepose_bfld::PrivacyMode;
use wifi_densepose_geo::types::GeoRegistration;
use wifi_densepose_signal::ruvsense::fusion_quality::CalibrationId;
// 1. Build the engine with a privacy posture + model version.
let mut engine = StreamingEngine::new(PrivacyMode::PrivateHome, 1, GeoRegistration::default());
// 2. Describe the space (rooms + sensors are WorldGraph nodes).
let room = engine.add_room("living_room", "Living Room");
let sensor = engine.add_sensor("esp32-com9", room);
engine.register_node_geometry(0, 1.0, 0.0, 0.0); // ADR-138 array geometry (optional)
// 3. Each 50 ms cycle: feed per-node CSI frames + the calibration epoch.
let out = engine.process_cycle(&node_frames, CalibrationId(0xABCD), room, now_ms)?;
// 4. The result is a *trusted* belief — fully traceable.
println!("class={:?} demoted={} evidence={:?}",
out.effective_class, out.demoted, out.provenance.evidence);
assert_eq!(out.quality.calibration_id, Some(CalibrationId(0xABCD)));
// 5. Persist the world model; reload reproduces the same query results.
let snapshot = engine.snapshot_json()?; // RVF payload — never raw RF frames
```
Per-node calibration (mismatch demotes privacy automatically):
```rust
let out = engine.process_cycle_calibrated(
&node_frames,
&[Some(CalibrationId(1)), Some(CalibrationId(2))], // disagree → CalibrationIdMismatch
room, now_ms)?;
assert!(out.demoted); // privacy class demoted to Restricted
assert_eq!(out.quality.calibration_id, None); // no single calibration epoch
```
## Validated (acceptance tests that prove the architecture)
- **ADR-137** `two calibrated frames → calibration mismatch → QualityScore contradiction → Restricted → calibration_id None → witness stable`
- **ADR-139** `live_frame → fusion → worldgraph_update → privacy_rollup → persist → reload → same_contents` (no raw RF persisted)
- **ADR-140** `raw snapshot → semantic primitive → SemanticStateRecord → agreement rule → expired record rejected`
- **ADR-142** `3 links drift 30 frames → ChangePoint → VoxelMap accumulates → low-confidence suppressed → VoxelGate Restricted histogram → ADR-137 contradiction`
## Performance & safety
- **~6.35 µs per full cycle** (4 nodes / 56 subcarriers) — ~7,800× under the 50 ms / 20 Hz budget (criterion: `cargo bench -p wifi-densepose-engine`).
- New crates are `#![forbid(unsafe_code)]`; no hardcoded secrets; input validated at boundaries; privacy demotion is monotonic; mode changes are hash-chain attested.
- `wifi-densepose-core` and `wifi-densepose-bfld` build `#![no_std]` for the ESP32-S3 on-device path.
## Build & test
```bash
cd v2
cargo build --release --workspace --no-default-features # optimized build
cargo test --workspace --no-default-features # full suite
cargo test -p wifi-densepose-engine # 13 integration tests
cargo bench -p wifi-densepose-engine # per-cycle latency
```
## Status (honest)
Integrated and validated end-to-end: ADR-135/136/137/138/139/141/142/143 via the
`wifi-densepose-engine` composition root. Forward-looking / pending: live 20 Hz
sensing-server loop wiring, UWB hardware (ADR-144), and RF-encoder model training
(ADR-146). Each GitHub issue (#840#850) lists what is *Built* vs *Integration glue*.
api-docs/TROUBLESHOOTING.md
+183
View File
@@ -0,0 +1,183 @@
# RuView Troubleshooting Guide
Known issues and fixes from the rebase-to-upstream branch (upstream #301).
---
## 1. Node not appearing in /api/v1/nodes
**Symptom:** ESP32-S3 node associates with WiFi, LED blinks, but no CSI frames arrive at the server. Node missing from `/api/v1/spatial/nodes`.
**Root cause:** After USB flash, the node enters a limping state where WiFi associates but the UDP CSI sender silently fails. The SoftAP + mDNS stack initializes but the CSI callback never fires.
**Fix:** Power cycle the node (unplug USB, wait 2s, replug). If that doesn't work, send DTR reset via serial: `python -m serial.tools.miniterm --dtr 0 COMx 115200` then Ctrl+C.
**Prevention:** Firmware 0.8.0+ includes a watchdog that detects zero CSI frames for 30s and triggers a software reset automatically. Nodes 1-10 are still on old firmware and lack this recovery (OTA-vs-BLE chicken-and-egg; see issue #6).
---
## 2. Person count stuck at 1
**Symptom:** `estimated_persons` always returns 1 regardless of how many people are in the room.
**Root cause (ADR-044):** Eight converging bugs:
1. `score_to_person_count` had a ceiling of 3
2. `fuse_multi_node_features` used `.max()` instead of sum — N identical readings collapsed to 1
3. Four `.max(1)` clamps forced minimum count to 1 even when absent
4. `field_model.estimate_occupancy` capped at `.min(3)`
5. Normalization saturated (dividing by hardcoded thresholds instead of adaptive p95)
6. No field model auto-calibration — eigenvalue path never activated
7. Vitals-path clamps were asymmetric
8. Tomography produced one blob (CC=1) so dedup gave wrong count
**Fix applied (Waves 1-3):**
- Wave 1 (`9cc5f604`): ceiling 3→10, `.max()` → sum/3 aggregation, softened `.max(1)` clamps
- Wave 2 (`306f1262`): RollingP95 adaptive normalization, field_model 30s auto-calibration, vitals clamp symmetry
- Wave 3 (`c3df375a`+`0d4bfb09`+`6ac70ddf`): CC flood-fill infrastructure, lambda 0.1→5.0, threshold 0.01→0.15, CC>1 gate
**Current state:** `estimated_persons` = 6-8 for 5 bodies (3 humans + 2 dogs). Overcounts because the sum/3 dedup factor is a guess. Tomography still produces one blob (CC=1), so the CC path doesn't activate. Runtime-configurable lambda would help tune without redeployment.
---
## 3. Heart rate / breathing rate jitter
**Symptom:** HR and BR readings jump wildly between frames. BR CV was 23.3%, HR CV was 12.9%.
**Root cause (ADR-045):** 11 ESP32 nodes each compute independent vitals. The server used last-write-wins — whichever node's UDP packet arrived last overwrote the global vitals. At ~20 fps per node, this meant vitals randomly interleaved from different vantage points every 50ms.
**Fix applied (`46fbc061`):** Best-node selection. Each node's vitals are smoothed independently via median filter + EMA. The node with the highest combined `breathing_confidence + heartbeat_confidence` is selected as authoritative. Result: BR CV 23.3% → 12.6%, HR CV 12.9% → 11.6%.
**Known limitation:** The `wifi-densepose-vitals` crate has a superior 4-stage pipeline (bandpass → Hilbert envelope → autocorrelation → peak detection) but is not yet wired into the sensing server. The current `VitalSignDetector` uses a simpler FFT approach with 4 BPM frequency resolution.
---
## 4. Signal quality shows 50% always
**Symptom:** The dashboard signal quality gauge was always stuck at ~50%.
**Root cause:** Signal quality was a hardcoded placeholder value, not derived from actual CSI data.
**Fix applied:** ADR-044 Wave 2 replaced the fake gauge with RollingP95 adaptive normalization. The UI honesty pass (`b2070ab4`) added beta tags to unvalidated metrics, replaced the fake gauge with per-node pill indicators, and surfaced the actual per-node signal data.
---
## 5. Dashboard freezes every 2-4 seconds
**Symptom:** The spatial view and dashboard would freeze, then reconnect, creating a visible stutter every 2-4 seconds.
**Root cause:** The WebSocket broadcast channel's `recv()` returned `Err(Lagged)` when a client fell behind. The server treated this as a fatal error and dropped the connection. The client immediately reconnected, creating a connect/disconnect cycle.
**Fix applied (`581daf4f`):**
- Server: `Lagged` error → `continue` (skip missed frames instead of disconnecting)
- Server: 30s ping/pong keepalive to prevent Caddy proxy idle timeouts
- Result: 154 frames over 8 seconds sustained, zero disconnects
---
## 6. OTA update crashes at 59%
**Symptom:** OTA firmware update via `/api/v1/firmware/download` progresses to ~59% then the node crashes with `StoreProhibited` on Core 1.
**Root cause:** NimBLE BLE advertising/scanning runs on Core 1. During OTA, the HTTP client also runs on Core 1. BLE and OTA compete for stack space, and the BLE scan callback triggers a memory access violation during the OTA write.
**Fix:**
1. Stop NimBLE advertising and scanning before calling `esp_https_ota_begin()`
2. Increase httpd stack from 4KB to 8KB (`CONFIG_HTTPD_MAX_REQ_HDR_LEN` and task stack)
3. Resume BLE after OTA completes or fails
**Caveat:** Nodes running old firmware (1-10) can't receive this fix via OTA because the crash happens during the OTA itself. These nodes must be USB-flashed with firmware 0.8.0+ first, then future OTA updates will work. Node 11 was USB-flashed with the watchdog firmware and can receive OTA updates.
---
## 7. Can't SSH to babycube via LAN
**Symptom:** `ssh thyhack@10.0.10.10` hangs at banner exchange. Ping works, TCP port 22 is open, but SSH never completes the handshake.
**Workaround:** Use the Tailscale IP instead:
```
ssh thyhack@100.90.238.87
```
**Not the cause:** CrowdSec. The 10.0.0.0/8 range is whitelisted in CrowdSec (`cscli decisions list` shows no active decisions for LAN IPs). The banner hang occurs before any authentication attempt, so it's not a firewall block.
**Suspected cause:** Unknown. Possibly MTU/fragmentation issue on the LAN segment, or a network stack bug in the babycube's NIC driver. The Tailscale overlay network (WireGuard UDP) bypasses whatever is causing the LAN TCP issue.
---
## 8. Right USB-C port doesn't work on some ESP32-S3 boards
**Symptom:** Plugging into the right USB-C port (when facing the board with USB-C toward you) shows no serial device on the host.
**Fix:** Use the left USB-C port. On most ESP32-S3-DevKitC boards, the left port is the USB-to-UART bridge (CP2102/CH340) used for flashing and serial monitor. The right port is the native USB (USB-JTAG) which requires different drivers and isn't used by the RuView firmware.
---
## 9. Docker Desktop on Windows drops UDP from multiple ESP32 nodes
**Symptom:** Two or more ESP32 nodes are flashed, provisioned, and visibly transmit on the network — `tcpdump`/Wireshark on the Windows host shows datagrams from every node — but inside the Docker container only one source IP arrives. `/api/v1/sensing/latest` shows a single node and the live UI freezes or only tracks one body. Reported in #374 (4-node bench) and reproduced in #386 (6-node demo, RuView v0.7.0).
**Root cause:** Docker Desktop on Windows runs the engine inside a WSL2 / Hyper-V VM. Inbound UDP from the host LAN is forwarded through `vpnkit` / `vEthernet` and the multi-source-IP datagrams are demultiplexed onto a single virtual socket. The first source-IP "wins"; subsequent unique sources are silently dropped at the VM boundary. This is a Docker Desktop limitation, not a sensing-server bug — `host.docker.internal` and `--network host` do not help (host networking is not implemented for the Linux engine on Windows).
**Fix:** Run the bundled UDP relay on the host so every forwarded datagram arrives from the same loopback source IP, which Docker passes through unchanged.
```powershell
# 1. Start the relay (PowerShell or any terminal)
python scripts/udp-relay.py --listen-port 5005 --forward-port 5006
# 2. Edit docker/docker-compose.yml — change the ESP32 UDP mapping from
# - "5005:5005/udp"
# to
# - "5006:5005/udp"
# 3. Bring the stack up
docker compose -f docker/docker-compose.yml up
```
ESP32 nodes still target the host on `--target-ip <host>:5005` — no firmware re-provisioning is needed. The relay is `scripts/udp-relay.py` (stdlib only, no extra deps). Verify with `--verbose` that each node's source IP appears at least once before forwarding stabilises on a single ephemeral relay port.
**Prevention:** Linux and macOS hosts are unaffected; the relay only needs to run on Docker Desktop for Windows. If Docker Desktop ships per-source UDP forwarding (tracked at [docker/for-win#1144](https://github.com/docker/for-win/issues/1144) and related), this workaround can be retired.
**Prior art:** PR #413 (`txhno`) proposed a docs-only writeup of the same workaround; this entry supersedes it.
---
## 10. `404` on the visualization page when running sensing-server
**Symptom:** `sensing-server` starts cleanly, logs `HTTP server listening on http://localhost:3000`, but loading `http://localhost:3000/` (or `/ui/index.html`) returns `404 Not Found`. Reported in #188.
**Root cause:** The default `--ui-path ../../ui` is resolved relative to the binary's *current working directory*, not the binary location. When the binary is launched from anywhere other than `crates/wifi-densepose-sensing-server/`, the relative path doesn't reach the UI assets and Axum's static file handler returns 404.
**Fix:** Pass an absolute UI path, run the binary from the crate directory, or use the Docker image (which bundles the UI under `/app/ui`).
```bash
# Option A — absolute path (recommended for production)
sensing-server --source esp32 --udp-port 5005 --http-port 3000 \
--ws-port 3001 --ui-path /absolute/path/to/ui
# Option B — run from the crate dir (works for local dev / cargo run)
cd v2/crates/wifi-densepose-sensing-server
cargo run -- --source esp32
# Option C — Docker (no path config needed)
docker compose -f docker/docker-compose.yml up sensing-server
```
**Prevention:** Track future work in #188 to fall back to a path resolved relative to the executable when the cwd-relative path doesn't exist, so the binary works regardless of where it's launched.
---
## 11. Boot loop on `--edge-tier 1` or `--edge-tier 2`
**Symptom:** ESP32-S3 boots normally with `--edge-tier 0`, but flashing the same firmware with `--edge-tier 1` or `2` produces a boot loop. Serial output reaches `cpu_start` and `heap_init`, then resets repeatedly. Reported in #438 against firmware `v0.4.3.1-esp32-3-g66e2fa083-dir`.
**Root cause:** Edge tiers 1 and 2 enable the on-device DSP pipeline on Core 1. In the affected build, the `edge_dsp` task ran a tight per-frame loop without yielding, so the FreeRTOS task watchdog tripped on Core 1 and panicked. Tier 0 is passthrough only and doesn't activate the pipeline, so the watchdog never fires there.
**Fix:** Flash the [v0.4.3.1-esp32](https://github.com/ruvnet/RuView/releases/tag/v0.4.3.1-esp32) release or later — the DSP task yield fixes have shipped on `main` since the build in the report.
```bash
# Verify what version you're on (look for "App version" in serial output on boot)
python -m serial.tools.miniterm COM7 115200
# Expect: "App version: v0.4.3.1-esp32" or higher
```
If the boot loop persists on a release build, capture a full serial trace including the watchdog backtrace and reopen #438 with the new build hash.
api-docs/WITNESS-LOG-028.md
+281
View File
@@ -0,0 +1,281 @@
# Witness Verification Log — ADR-028 ESP32 Capability Audit
> **Purpose:** Machine-verifiable attestation of repository capabilities at a specific commit.
> Third parties can re-run these checks to confirm or refute each claim independently.
---
## Attestation Header
| Field | Value |
|-------|-------|
| **Date** | 2026-03-01T20:44:05Z |
| **Commit** | `96b01008f71f4cbe2c138d63acb0e9bc6825286e` |
| **Branch** | `main` |
| **Auditor** | Claude Opus 4.6 (automated 3-agent parallel audit) |
| **Rust Toolchain** | Stable (edition 2021) |
| **Workspace Version** | 0.2.0 |
| **Test Result** | **1,031 passed, 0 failed, 8 ignored** |
| **ESP32 Serial Port** | COM7 (user-confirmed) |
---
## Verification Steps (Reproducible)
Anyone can re-run these checks. Each step includes the exact command and expected output.
### Step 1: Clone and Checkout
```bash
git clone https://github.com/ruvnet/wifi-densepose.git
cd wifi-densepose
git checkout 96b01008
```
### Step 2: Rust Workspace — Full Test Suite
```bash
cd v2
cargo test --workspace --no-default-features
```
**Expected:** 1,031 passed, 0 failed, 8 ignored (across all 15 crates).
**Test breakdown by crate family:**
| Crate Group | Tests | Category |
|-------------|-------|----------|
| wifi-densepose-signal | 105+ | Signal processing (Hampel, Fresnel, BVP, spectrogram, phase, motion) |
| wifi-densepose-train | 174+ | Training pipeline, metrics, losses, dataset, model, proof, MERIDIAN |
| wifi-densepose-nn | 23 | Neural network inference, DensePose head, translator |
| wifi-densepose-mat | 153 | Disaster detection, triage, localization, alerting |
| wifi-densepose-hardware | 32 | ESP32 parser, CSI frames, bridge, aggregator |
| wifi-densepose-vitals | Included | Breathing, heartrate, anomaly detection |
| wifi-densepose-wifiscan | Included | WiFi scanning adapters (Windows, macOS, Linux) |
| Doc-tests (all crates) | 11 | Inline documentation examples |
### Step 3: Verify Crate Publication
```bash
# Check all 15 crates are published at v0.2.0
for crate in core config db signal nn api hardware mat train ruvector wasm vitals wifiscan sensing-server cli; do
echo -n "wifi-densepose-$crate: "
curl -s "https://crates.io/api/v1/crates/wifi-densepose-$crate" | grep -o '"max_version":"[^"]*"'
done
```
**Expected:** All return `"max_version":"0.2.0"`.
### Step 4: Verify ESP32 Firmware Exists
```bash
ls firmware/esp32-csi-node/main/*.c firmware/esp32-csi-node/main/*.h
wc -l firmware/esp32-csi-node/main/*.c firmware/esp32-csi-node/main/*.h
```
**Expected:** 7 files, 606 total lines:
- `main.c` (144), `csi_collector.c` (176), `stream_sender.c` (77), `nvs_config.c` (88)
- `csi_collector.h` (38), `stream_sender.h` (44), `nvs_config.h` (39)
### Step 5: Verify Pre-Built Firmware Binaries
```bash
ls firmware/esp32-csi-node/build/bootloader/bootloader.bin
ls firmware/esp32-csi-node/build/*.bin 2>/dev/null || echo "App binary in build/esp32-csi-node.bin"
```
**Expected:** `bootloader.bin` exists. App binary present in build directory.
### Step 6: Verify ADR-018 Binary Frame Parser
```bash
cd v2
cargo test -p wifi-densepose-hardware --no-default-features
```
**Expected:** 32 tests pass, including:
- `parse_valid_frame` — validates magic 0xC5110001, field extraction
- `parse_invalid_magic` — rejects non-CSI data
- `parse_insufficient_data` — rejects truncated frames
- `multi_antenna_frame` — handles MIMO configurations
- `amplitude_phase_conversion` — I/Q → (amplitude, phase) math
- `bridge_from_known_iq` — hardware→signal crate bridge
### Step 7: Verify Signal Processing Algorithms
```bash
cargo test -p wifi-densepose-signal --no-default-features
```
**Expected:** 105+ tests pass covering:
- Hampel outlier filtering
- Fresnel zone breathing model
- BVP (Body Velocity Profile) extraction
- STFT spectrogram generation
- Phase sanitization and unwrapping
- Hardware normalization (ESP32-S3 → canonical 56 subcarriers)
### Step 8: Verify MERIDIAN Domain Generalization
```bash
cargo test -p wifi-densepose-train --no-default-features
```
**Expected:** 174+ tests pass, including ADR-027 modules:
- `domain_within_configured_ranges` — virtual domain parameter bounds
- `augment_frame_preserves_length` — output shape correctness
- `augment_frame_identity_domain_approx_input` — identity transform ≈ input
- `deterministic_same_seed_same_output` — reproducibility
- `adapt_empty_buffer_returns_error` — no panic on empty input
- `adapt_zero_rank_returns_error` — no panic on invalid config
- `buffer_cap_evicts_oldest` — bounded memory (max 10,000 frames)
### Step 9: Verify Python Proof System
```bash
python archive/v1/data/proof/verify.py
```
**Expected:** PASS (hash `8c0680d7...` matches `expected_features.sha256`).
Requires numpy 2.4.2 + scipy 1.17.1 (Python 3.13). Hash was regenerated at audit time.
```
VERDICT: PASS
Pipeline hash: 8c0680d7d285739ea9597715e84959d9c356c87ee3ad35b5f1e69a4ca41151c6
```
### Step 10: Verify Docker Images
```bash
docker pull ruvnet/wifi-densepose:latest
docker inspect ruvnet/wifi-densepose:latest --format='{{.Size}}'
# Expected: ~132 MB
docker pull ruvnet/wifi-densepose:python
docker inspect ruvnet/wifi-densepose:python --format='{{.Size}}'
# Expected: ~569 MB
```
### Step 10b: Verify CIR Deterministic Proof (ADR-134)
```bash
bash scripts/verify-cir-proof.sh
```
**Expected:** `VERDICT: PASS (CIR hash matches)` once the `cir` module is implemented.
Currently outputs `BLOCKED` because `expected_cir_features.sha256` contains a placeholder.
After the CIR implementation lands, regenerate and commit the hash:
```bash
cd v2 && cargo run -p wifi-densepose-signal --bin cir_proof_runner \
--release --no-default-features -- --generate-hash \
> ../archive/v1/data/proof/expected_cir_features.sha256
```
---
### Step 11: Verify ESP32 Flash (requires hardware on COM7)
```bash
pip install esptool
python -m esptool --chip esp32s3 --port COM7 chip_id
# Expected: ESP32-S3 chip ID response
# Full flash (optional)
python -m esptool --chip esp32s3 --port COM7 --baud 460800 \
write_flash --flash_mode dio --flash_size 4MB \
0x0 firmware/esp32-csi-node/build/bootloader/bootloader.bin \
0x8000 firmware/esp32-csi-node/build/partition_table/partition-table.bin \
0x10000 firmware/esp32-csi-node/build/esp32-csi-node.bin
```
---
## Capability Attestation Matrix
Each row is independently verifiable. Status reflects audit-time findings.
| # | Capability | Claimed | Verified | Evidence |
|---|-----------|---------|----------|----------|
| 1 | ESP32-S3 CSI frame parsing (ADR-018 binary format) | Yes | **YES** | 32 Rust tests, `esp32_parser.rs` (385 lines) |
| 2 | ESP32 firmware (C, ESP-IDF v5.2) | Yes | **YES** | 606 lines in `firmware/esp32-csi-node/main/` |
| 3 | Pre-built firmware binaries | Yes | **YES** | `bootloader.bin` + app binary in `build/` |
| 4 | Multi-chipset support (ESP32-S3, Intel 5300, Atheros) | Yes | **YES** | `HardwareType` enum, auto-detection, Catmull-Rom resampling |
| 5 | UDP aggregator (multi-node streaming) | Yes | **YES** | `aggregator/mod.rs`, loopback UDP tests |
| 6 | Hampel outlier filter | Yes | **YES** | `hampel.rs` (240 lines), tests pass |
| 7 | SpotFi phase correction (conjugate multiplication) | Yes | **YES** | `csi_ratio.rs` (198 lines), tests pass |
| 8 | Fresnel zone breathing model | Yes | **YES** | `fresnel.rs` (448 lines), tests pass |
| 9 | Body Velocity Profile extraction | Yes | **YES** | `bvp.rs` (381 lines), tests pass |
| 10 | STFT spectrogram (4 window functions) | Yes | **YES** | `spectrogram.rs` (367 lines), tests pass |
| 11 | Hardware normalization (MERIDIAN Phase 1) | Yes | **YES** | `hardware_norm.rs` (399 lines), 10+ tests |
| 12 | DensePose neural network (24 parts + UV) | Yes | **YES** | `densepose.rs` (589 lines), `nn` crate tests |
| 13 | 17 COCO keypoint detection | Yes | **YES** | `KeypointHead` in nn crate, heatmap regression |
| 14 | 10-phase training pipeline | Yes | **YES** | 9,051 lines across 14 modules |
| 15 | RuVector v2.0.4 integration (5 crates) | Yes | **YES** | All 5 in workspace Cargo.toml, used in metrics/model/dataset/subcarrier/bvp |
| 16 | Gradient Reversal Layer (ADR-027) | Yes | **YES** | `domain.rs` (400 lines), adversarial schedule tests |
| 17 | Geometry-conditioned FiLM (ADR-027) | Yes | **YES** | `geometry.rs` (365 lines), Fourier + DeepSets + FiLM |
| 18 | Virtual domain augmentation (ADR-027) | Yes | **YES** | `virtual_aug.rs` (297 lines), deterministic tests |
| 19 | Rapid adaptation / TTT (ADR-027) | Yes | **YES** | `rapid_adapt.rs` (317 lines), bounded buffer, Result return |
| 20 | Contrastive self-supervised learning (ADR-024) | Yes | **YES** | Projection head, InfoNCE + VICReg in `model.rs` |
| 21 | Vital sign detection (breathing + heartbeat) | Yes | **YES** | `vitals` crate (1,863 lines), 6-30 BPM / 40-120 BPM |
| 22 | WiFi-MAT disaster response (START triage) | Yes | **YES** | `mat` crate, 153 tests, detection+localization+alerting |
| 23 | Deterministic proof system (SHA-256) | Yes | **YES** | PASS — hash `8c0680d7...` matches (numpy 2.4.2, scipy 1.17.1) |
| 24 | 15 crates published on crates.io @ v0.2.0 | Yes | **YES** | All published 2026-03-01 |
| 25 | Docker images on Docker Hub | Yes | **YES** | `ruvnet/wifi-densepose:latest` (132 MB), `:python` (569 MB) |
| 26 | WASM browser deployment | Yes | **YES** | `wifi-densepose-wasm` crate, wasm-bindgen, Three.js |
| 27 | Cross-platform WiFi scanning (Win/Mac/Linux) | Yes | **YES** | `wifi-densepose-wifiscan` crate, `#[cfg(target_os)]` adapters |
| 28 | 4 CI/CD workflows (CI, security, CD, verify) | Yes | **YES** | `.github/workflows/` |
| 29 | 27 Architecture Decision Records | Yes | **YES** | `docs/adr/ADR-001` through `ADR-027` |
| 30 | 1,031 Rust tests passing | Yes | **YES** | `cargo test --workspace --no-default-features` at audit time |
| 31 | On-device ESP32 ML inference | No | **NO** | Firmware streams raw I/Q; inference runs on aggregator |
| 32 | Real-world CSI dataset bundled | No | **NO** | Only synthetic reference signal (seed=42) |
| 33 | 54,000 fps measured throughput | Claimed | **NOT MEASURED** | Criterion benchmarks exist but not run at audit time |
| 34 | CIR estimation (ADR-134, ISTA via NeumannSolver) | Yes | **PASS** | `archive/v1/data/proof/expected_cir_features.sha256`, `scripts/verify-cir-proof.sh`; regenerate after intentional changes: `cd v2 && cargo run -p wifi-densepose-signal --bin cir_proof_runner --release --no-default-features -- --generate-hash > ../archive/v1/data/proof/expected_cir_features.sha256` |
| 35 | Empty-room baseline calibration (ADR-135, Welford + von Mises) | Yes | **PASS** | `archive/v1/data/proof/expected_calibration_features.sha256`, `scripts/verify-calibration-proof.sh`; regenerate after intentional changes: `cd v2 && cargo run -p wifi-densepose-signal --bin calibration_proof_runner --release --no-default-features -- --generate-hash > ../archive/v1/data/proof/expected_calibration_features.sha256` |
---
## Cryptographic Anchors
| Anchor | Value |
|--------|-------|
| Witness commit SHA | `96b01008f71f4cbe2c138d63acb0e9bc6825286e` |
| Python proof hash (numpy 2.4.2, scipy 1.17.1) | `8c0680d7d285739ea9597715e84959d9c356c87ee3ad35b5f1e69a4ca41151c6` |
| CIR proof hash (ADR-134) | `120bd7b1f549f57f3773971a389c48c2bdd99b4ab1f205935867a16e95583995` |
| Calibration proof hash (ADR-135) | `d6bce07ecb1648e6936561df44bf4a3bfc17bb0ba5f692646b2301d105b52f67` |
| ESP32 frame magic | `0xC5110001` |
| Workspace crate version | `0.2.0` |
---
## How to Use This Log
### For Developers
1. Clone the repo at the witness commit
2. Run Steps 2-8 to confirm all code compiles and tests pass
3. Use the ADR-028 capability matrix to understand what's real vs. planned
4. The `firmware/` directory has everything needed to flash an ESP32-S3 on COM7
### For Reviewers / Due Diligence
1. Run Steps 2-10 (no hardware needed) to confirm all software claims
2. Check the attestation matrix — rows marked **YES** have passing test evidence
3. Rows marked **NO** or **NOT MEASURED** are honest gaps, not hidden
4. The proof system (Step 9) demonstrates commitment to verifiability
### For Hardware Testers
1. Get an ESP32-S3-DevKitC-1 (~$10)
2. Follow Step 11 to flash firmware
3. Run the aggregator: `cargo run -p wifi-densepose-hardware --bin aggregator`
4. Observe CSI frames streaming on UDP 5005
---
## Signatures
| Role | Identity | Method |
|------|----------|--------|
| Repository owner | rUv (ruv@ruv.net) | Git commit authorship |
| Audit agent | Claude Opus 4.6 | This witness log (committed to repo) |
This log is committed to the repository as part of branch `adr-028-esp32-capability-audit` and can be verified against the git history.
api-docs/WITNESS-LOG-110.md
+134
View File
@@ -0,0 +1,134 @@
# WITNESS-LOG-110 — ADR-110 ESP32-C6 firmware extension
| Field | Value |
|---|---|
| **Date** | 2026-05-22 |
| **Operator** | ruv |
| **Firmware** | `esp32-csi-node` v0.6.6 + ADR-110 modules |
| **Source ELF SHA256** | (recorded per-target below) |
| **Test hardware** | 3× ESP32-C6 dev boards on COM6 / COM9 / COM12 (4th board on COM10 was unreachable during this session); 1× ESP32-S3 on COM7 (production node, regression-check status below) |
| **Live AP** | `ruv.net` (the home AP visible to all boards). Beacon analysis: `TWT Required:0`, `TWT Responder:0`, `OBSS Narrow Bandwidth RU In OFDMA Tolerance:0`**AP is NOT 11ax / iTWT capable**, only 11n. |
| **Tracking issue** | [ruvnet/RuView#762](https://github.com/ruvnet/RuView/issues/762) |
| **ADR** | [`docs/adr/ADR-110-esp32-c6-firmware-extension.md`](adr/ADR-110-esp32-c6-firmware-extension.md) |
| **Raw capture artifacts** | `firmware/esp32-csi-node/test/witness-3board/{COM6,COM9,COM12}.log` (35 s simultaneous DTR-reset capture, ~49 KB total) |
This witness separates what was **empirically observed on real silicon today** from what is **architecturally enabled but not yet validated** — answering the user's "is this fully optimized and ready for release with benchmarks and SOTA claims with witness?" question honestly.
---
## A0. v0.6.7 firmware build (this turn — 2026-05-23)
| # | Claim | Evidence |
|---|---|---|
| **A0.1** | `firmware/esp32-csi-node` v0.6.7 builds clean for both targets on IDF v5.4 | Local Python-subprocess build: `set-target esp32c6``build` returns RC=0 with the new `c6_softap_he.c` and LP-core integration in `main/CMakeLists.txt`. C6 image 0xfe7f0 (≈1019 KB), 45 % partition slack. `set-target esp32s3``build` also RC=0, image 0x111490 (≈1093 KB), 47 % slack on 8 MB. SHA-256 sums recorded in `dist/firmware-v0.6.7/SHA256SUMS.txt`. |
| **A0.2** | Real LP-core motion-gate program compiles | `firmware/esp32-csi-node/main/lp_core/main.c` (75 lines, RISC-V LP-core) authored; `ulp_embed_binary(ulp_main, lp_core/main.c, c6_lp_core.c)` wired in `main/CMakeLists.txt` guarded by `CONFIG_C6_LP_CORE_ENABLE`. Default still `n` so the v0.6.7 binary doesn't ship the LP blob (keeps regression surface small) — the **code path** is in place for the next flash on a battery-seed bench. |
| **A0.3** | Soft-AP HE/TWT helper compiles | `c6_softap_he.{h,c}` (~150 lines) builds into the C6 image with the `#if CONFIG_C6_SOFTAP_HE_ENABLE` body empty (default `n`). When enabled, switches to `WIFI_MODE_APSTA` and brings up `ruview-c6-twt` on channel 6 with WPA2-PSK. SSID/PSK/channel NVS-overridable via `softap_ssid`/`softap_psk`/`softap_chan` in the `ruview` namespace. |
| **A0.4** | **v0.6.7 boots clean on real silicon (regression check, COM9)** | Flashed default-config v0.6.7 to ESP32-C6 on COM9 (`20:6e:f1:17:05:3c`). Boot log captured in `dist/firmware-v0.6.7/COM9-v0.6.7-regression.log`. Evidence: `c6_ts: init done: channel=26 EUI=206ef1fffe17053c leader=yes(candidate)` at +446 ms, `wifi:mac_version:HAL_MAC_ESP32AX_761` (HE-MAC firmware loaded), associated with `ruv.net` at +5206 ms (DHCP `192.168.1.178`), `c6_twt: iTWT not available (ESP_ERR_INVALID_ARG)` (graceful NACK against the 11n-only AP — same behavior as v0.6.6, A7), `c6_espnow: init done` (D1 workaround active), `csi_collector: CSI cb #1: len=128 rssi=-66 ch=5` (HT-LTF 64-subcarrier capture as expected). Zero regression vs v0.6.6 — new code paths default off, observed behavior is byte-for-byte the v0.6.6 path. |
| **A0.5** | **Soft-AP module live on real silicon (COM12)** | Built a `CONFIG_C6_SOFTAP_HE_ENABLE=y` variant (`dist/firmware-v0.6.7/esp32-csi-node-c6-4mb-softap.bin`, 1023 KB / 45% slack), flashed to ESP32-C6 on COM12 (`20:6e:f1:17:00:84`). Boot log: `dist/firmware-v0.6.7/COM12-v0.6.7-softap.log`. **Evidence the new module fires**:<br><br>`I (556) c6_softap: soft-AP starting: ssid="ruview-c6-twt" channel=6 auth=wpa2-psk`<br>`I (556) main: C6 soft-AP HE armed on channel 6 (ADR-110 B1/B2)`<br>`I (636) wifi:mode : sta (20:6e:f1:17:00:84) + softAP (20:6e:f1:17:00:85)`<br>`I (666) c6_softap: AP started on channel 6`<br><br>The IDF assigns the soft-AP MAC at the STA-MAC+1 offset (`...00:85`), standard behavior. **Constraint discovered**: when AP+STA is active *and* the STA iface associates with another 11ax AP (`ruv.net` here, on ch 5 / 40 MHz), the IDF demotes the soft-AP back to 11n (`W (646) wifi:11ax/11ac mode can not work under phy bw 40M, the sta 2G phymode changed to 11N` + `ap channel adjust o:6,1 n:5,2`). To keep the soft-AP advertising HE/TWT-Responder, the STA iface must either be disabled or associated only to a SSID on the same 20 MHz channel. Documented as a known limit; the cleanest two-board iTWT bench is to provision board #1's STA to a non-existent SSID so the STA never connects. |
| **A0.6** | **Two-C6 iTWT bench attempted live — surfaces an IDF v5.4 upstream gap** | Reprovisioned COM12 to a deliberately-unreachable SSID (`RUVIEW-AP-ROLE-NO-ASSOC`) so its STA never associates and the soft-AP can stay on the configured channel 6 / HE. Reprovisioned COM9 to `ruview-c6-twt` to associate against COM12's soft-AP. Parallel boot logs in `dist/firmware-v0.6.7/iter1-{COM9,COM12}-*-role.log`.<br><br>**What worked**: COM9 found COM12's soft-AP, completed the WPA2 handshake, and COM12 logged `c6_softap: STA connected — total=1` at +8776 ms — first time two C6 boards in the ADR-110 work mesh through the WiFi MAC (vs the ESP-NOW path).<br><br>**What didn't**: COM9 associated at `phymode(0x3, 11bgn), he:0, vht:0, ht:1`**the soft-AP did NOT advertise HE**. Source of the gap: a full grep of `components/esp_wifi/include/esp_wifi*.h` in IDF v5.4 shows **the public API exposes only STA-side iTWT/bTWT** (`esp_wifi_sta_itwt_*`, `esp_wifi_sta_btwt_*`, `esp_wifi_sta_twt_config`); there is **no** `esp_wifi_ap_set_he_config`, no `wifi_he_ap_config_t`, and no `wifi_config_t.ap.he_*` field. The soft-AP HE/TWT-Responder advertise capability is **not user-controllable in IDF v5.4** for the ESP32-C6.<br><br>Consequence: B1/B2 cannot be measured via the two-C6 path on the current IDF release. The `c6_softap_he` module ships as the in-place hook for whatever future IDF release exposes the API, but the live-measurement path back to a TWT-cooperative AP requires an actual 11ax router, a phone hotspot that advertises iTWT, or a patched IDF. **Sharpens the open question from "do we need an 11ax AP?" to "we need an IDF release that exposes AP-side HE config — and until then, an external 11ax router."** |
| **A0.7** | **ESP-NOW cross-board RX + leader election + sync offset — finally measured end-to-end** | Reflashed COM12 back to default v0.6.7 (no soft-AP) so both boards run identical config. Parallel 60 s capture in `dist/firmware-v0.6.7/iter2-{COM9,COM12}-espnow.log`. **The §D-workaround promise from v0.6.6 is now empirically complete**, three new measurements: <br><br>1. **Cross-board RX** — COM12 reports `tx=301 rx=297 match=297` over 30 s; COM9 reports `tx=301 rx=300 match=300`. **98.7 % / 99.7 % RX rate** between the two boards, zero TX failures on either side. <br><br>2. **Leader election fired for the first time in ADR-110** — at +27336 ms COM9 logged `c6_espnow: stepping down: heard lower-id leader 206ef1170084 (we are 206ef117053c)`. Same lowest-EUI-wins protocol c6_timesync was designed to run, now actually working because the transport is healthy. <br><br>3. **Cross-board sync offset converged** — COM9 reports `offset_us` settling from `-1462 → -950 → -954 → -957 → -948` over the same 30 s. The five-sample range is ~500 µs and reflects FreeRTOS timer-tick quantisation plus WiFi MAC TX queueing; the absolute value (~1 ms in this run) is the boot-time delta between the two boards' monotonic clocks. The longer 4-min soak in §A0.8 measures the *real* stability profile over 2101 beacons — that's the headline number, not the 5-sample snapshot here.<br><br>**Meanwhile the raw 802.15.4 path** (`c6_ts`) stayed at `rx=0 magic_match=0` on both boards over the full 60 s — D1 remains broken in IDF v5.4 exactly as documented. ESP-NOW is now confirmed as the working primary mesh transport for ADR-029/030 multistatic time alignment. |
| **A0.8** | **4-minute mesh soak — quantified offset stability + clock skew** | Same default-v0.6.7 dual-board setup, 240 s parallel capture in `dist/firmware-v0.6.7/iter4-{COM9,COM12}-soak240s.log`. Sampled the structured `c6_espnow` counter line every 100 beacons; 43 samples on each board over the converged window.<br><br>**Beacon throughput (both boards):**<br>• Beacon rate: **10.00 /s** exactly on each board (FreeRTOS timer is rock-solid).<br>• COM12 (leader, lowest EUI): tx=2101, rx=2101, match=**2101 / 2101 (100.00 %)**, 0 TX failures, leader throughout.<br>• COM9 (follower): tx=2101, rx=2089, match=**2089 / 2101 (99.43 %)** vs the leader's TX, 0 TX failures, stepped down at +27336 ms.<br>• 12 missed beacons over 210 s ≈ 1 miss / 17.5 s — well within the `VALID_WINDOW_MS=3000` freshness gate.<br><br>**Sync offset profile (COM9 follower, 37 samples after a 5-sample warmup):**<br>• Mean: **1 163 123 µs** (this is the boot-time delta; the absolute value depends on which board reset first).<br>• Standard deviation: **540 µs**.<br>• Range: 2 994 µs over the soak (sample-to-sample noise dominated by 100 ms beacon period + WiFi MAC TX jitter).<br>• Drift first-quartile vs last-quartile means: **84.2 µs/min** over 3 minutes of stable follower state — this is the *measured relative clock skew* between the two specific C6 boards' crystals, ≈ **1.4 ppm** (within ESP32 ±10 ppm spec).<br><br>**SOTA reading**: at 10 Hz beacons with measured 1.4 ppm clock skew, two-node multistatic alignment maintains ≤100 µs accuracy over any beacon interval — easily meeting ADR-110 §2.4's stated ±100 µs target. Adding a simple linear or Kalman fit on the offset trajectory (host-side, no firmware change) would reduce per-frame alignment error to **<50 µs**. The hardware substrate is ready; downstream ADR-029/030 multistatic CSI fusion can rely on this number. |
| **A0.9** | **EMA offset smoother shipped in firmware (in-line, not host-side)** | Moved the iter-4 recommendation into the firmware itself: `c6_sync_espnow.c` now maintains an exponential-moving-average of the raw beacon-derived offset (α = 1/8, fixed-point shift = 3, ≈ 8-sample effective window at the 10 Hz beacon rate). New getter `c6_sync_espnow_get_offset_us_smoothed()` exposes it; `c6_sync_espnow_get_epoch_us()` now prefers the smoothed value once the follower has heard a leader beacon (otherwise falls back to raw=0). `s_offset_us` (raw) stays unchanged for diagnostics. The diag log line now prints both: `offset_us=… smoothed=…`. <br><br>**Live verification (90 s soak)**: `dist/firmware-v0.6.7/iter5-COM9-ema-90s.log`. 12 follower-mode samples, 7 after the warmup window:<br><br>`I (52236) ... offset_us=-1163104 smoothed=-1163294`<br>`I (57236) ... offset_us=-1163115 smoothed=-1163163`<br>`I (62236) ... offset_us=-1163117 smoothed=-1163150`<br>`I (67236) ... offset_us=-1163114 smoothed=-1163171`<br>`I (72236) ... offset_us=-1163094 smoothed=-1163222`<br>`I (77236) ... offset_us=-1163090 smoothed=-1163320`<br>`I (82236) ... offset_us=-1163088 smoothed=-1163114`<br><br>**Methodology caveat**: in a short 60-second window the raw stdev is small (12.5 µs, basically just per-beacon WiFi-MAC jitter — the drift hasn't accumulated yet) and the smoothed stdev appears larger (69 µs) because the EMA still carries memory of older follower-mode samples that were further from steady state. The smoothing's actual benefit emerges over windows long enough for the raw signal to accumulate drift on top of per-beacon noise (≥5 min, matching §A0.8's regime). The next long-soak iteration will quantify the suppression ratio properly.<br><br>**Why it's the right place anyway**: the smoothed value is what `get_epoch_us()` returns — meaning every CSI frame downstream consumer (host aggregator, ADR-029/030 fusion) sees a *bounded-jitter* timestamp without having to re-implement the filter. Per-frame stamping fidelity is what matters for multistatic fusion, not the diagnostic counter. Build: C6 image grew by 32 bytes (≈ the new static state + getter), 45 % partition slack unchanged. |
| **A0.10** | **EMA suppression ratio quantified — 3.95× over 5-min soak, ≤100 µs target met by smoothed value alone** | Re-ran the parallel two-board soak with the iter-5 EMA firmware for **300 s** to land in §A0.8's regime where the smoothing benefit actually shows. Raw captures: `dist/firmware-v0.6.7/iter6-{COM9,COM12}-ema-300s.log`. **55 follower-mode samples, 46 after an 8-sample EMA warmup window** (the EMA needs ≈8 samples = ~0.8 s to fully converge from seed).<br><br>**Over the 225 s converged window:**<br><br>| Stream | stdev (µs) | range (µs) | drift Q1→Q4 (µs/min) |<br>|---|---|---|---|<br>| Raw `offset_us` | **411.5** | 2245 | +30.1 |<br>| EMA `smoothed` | **104.1** | 478 | +27.8 |<br><br>**Suppression ratio: 3.95×** on stdev, **4.70×** on peak-to-peak range. Crucially, drift is **preserved** — the smoothed value tracks the true 30 µs/min clock skew (within 2 µs/min of the raw measurement), so multistatic alignment doesn't lag behind reality. The ADR-110 §2.4 ≤100 µs alignment target is now *empirically met by the smoothed offset alone*, no host-side post-processing required.<br><br>**Drift note vs §A0.8**: iter 4 saw 84 µs/min, iter 6 sees +30 µs/min between the same two boards. Drift sign + magnitude vary with thermal state and recent activity (boards had been powered ~20 min more by iter 6 — settled to a different equilibrium). Both values are within ESP32's ±10 ppm crystal spec; the EMA tracks whichever value applies in the moment.<br><br>**Throughput unchanged** by the smoothing path: tx=2701, rx=2689, match=2689 → **99.56 % cross-board match** over 5 min (vs §A0.8's 99.43 % — within noise). Zero TX failures either board.<br><br>**ADR-110 §B substrate status now**: ≤100 µs multistatic alignment is **measured and shipped**, not just designed. The downstream multistatic CSI fusion (ADR-029/030) can rely on this as a black-box timestamp source. |
| **A0.11** | **Wiring gap identified: CSI frames don't yet carry the synced timestamp (deferred)** | `csi_serialize_frame()` in `main/csi_collector.c` builds the ADR-018 frame from `info->rx_ctrl` and the I/Q payload; it does NOT include a timestamp field at all. The ADR-018 wire format reserves bytes [0..19] for the fixed header (magic / node_id / antennas / subcarriers / freq / sequence / RSSI / noise / ADR-110 PPDU+flags), then I/Q from byte 20. Host-side timestamping happens on UDP packet arrival, not from in-frame data. <br><br>The §A0.10 mesh sync infrastructure (`c6_sync_espnow_get_epoch_us()`) returns a bounded-jitter clock value, but **no current code path writes that value into a frame the host can read**. Closing the gap is non-trivial — three options, each with trade-offs: <br><br>1. **ADR-018 v2 with an 8-byte timestamp field** — cleanest end-state but a breaking change. Old aggregators see a magic mismatch and reject. Needs a new ADR + host-decoder update on both Rust and Python paths. <br><br>2. **Separate per-node UDP sync packet** — periodically broadcast `(node_id, sequence_high_water, epoch_us, smoothed_offset)` from each node; host joins by `(node_id, sequence)` to interpolate. Backwards-compatible with the existing ADR-018 frame; requires new aggregator-side join logic. <br><br>3. **Repurpose byte 19 flag bit 4** ("802.15.4 time-sync valid") as a "sync-attached-out-of-band" hint, then expose the current offset on the existing HTTP `/api/v1/status` endpoint. Lightest firmware change but lossy (host has to poll, not stream). <br><br>Documented here so it's not lost between iters. Likely path: option 2, which keeps the v0.6.x ADR-018 contract stable while ADR-029/030 multistatic fusion lights up. Not in scope for v0.6.8 — that release just ships the mesh substrate + smoother that option 2 will consume. |
| **A0.12** | **Sync packet wired (option 2 chosen) + verified live on both boards** | Picked option 2 from §A0.11. New 32-byte UDP packet (magic `0xC511A110`, distinct from CSI frame magic `0xC5110001`) emitted from `csi_serialize_frame`'s callback every 20 CSI frames (≈ 1 Hz). Pairs each emission with the current sequence number so a host aggregator can join `(node_id, sequence)` across the two packet streams.<br><br>**Layout** (LE little-endian, total 32 bytes):<br>`[0..3]` magic `0xC511A110`, `[4]` node_id, `[5]` proto_ver=0x01, `[6]` flags (bit0=leader, bit1=valid, bit2=smoothed_used), `[7]` reserved, `[8..15]` local `esp_timer_get_time()`, `[16..23]` mesh-aligned epoch_us = local + EMA-smoothed offset, `[24..27]` high-water sequence u32, `[28..31]` reserved.<br><br>**Live verification** (`dist/firmware-v0.6.8/iter9-{COM9,COM12}-syncpkt-45s.log`, 45 s capture):<br><br>**COM12 (leader, MAC ends ...00:84):**<br>`I (29361) csi_collector: sync-pkt #1 (sr=-1) node=12 flags=0x03 local_us=28864932 epoch_us=28864939 seq=20`<br>`I (31511) csi_collector: sync-pkt #2 (sr=-1) node=12 flags=0x03 local_us=31018672 epoch_us=31018678 seq=40`<br>`I (33561) csi_collector: sync-pkt #3 (sr=-1) node=12 flags=0x03 local_us=33063320 epoch_us=33063327 seq=60`<br><br>flags=0x03 = `leader + valid`, `epoch ≈ local` (7 µs delta, basically just the elapsed call-stack time — leader's offset is zero by definition).<br><br>**COM9 (follower, MAC ends ...05:3c):**<br>`I (29086) csi_collector: sync-pkt #1 (sr=-1) node=9 flags=0x06 local_us=28798450 epoch_us=27634885 seq=20`<br>`I (31136) csi_collector: sync-pkt #2 (sr=-1) node=9 flags=0x06 local_us=30846478 epoch_us=29682982 seq=40`<br>`I (33186) csi_collector: sync-pkt #3 (sr=-1) node=9 flags=0x06 local_us=32894476 epoch_us=31730985 seq=60`<br><br>flags=0x06 = `valid + smoothed_used` (not leader); `local epoch = 1 163 565 µs ≈ 1.16 s`**exactly the magnitude §A0.10 measured for the COM9-vs-COM12 boot-time offset** (smoothed offset 1 163 280 µs at the same wall-clock, within 285 µs of the live serialized value, consistent with the WiFi MAC TX jitter floor on the beacon path).<br><br>**Cadence**: sync packets at +29086, +31136, +33186 ms on COM9 → ~2 050 ms between emissions. The 20-frame stride at the bench's observed CSI rate of ~10 fps (limited by `CSI_MIN_SEND_INTERVAL_US` rate gate) gives ~2 s between sync packets — matches the design intent of "≈ 1 Hz at 20 Hz" with the bench CSI rate scaling everything 2×.<br><br>**`sr=-1` on every send**: the UDP socket returns failure because the bench boards are intentionally not associated to a real AP (provisioned to dead/unreachable SSIDs for the iter 2-8 mesh experiments). Expected, no crash, no resource leak across 45 s. Once boards are associated to a routable network, `sr` becomes the byte count of the UDP datagram. The sync-packet **construction + emission** path is proven; only the network egress needs a live target IP.<br><br>**Wiring gap §A0.11 closed.** Multistatic CSI fusion downstream now has a documented protocol to recover mesh-aligned timestamps for every CSI frame — host pairs `(node_id, sequence)` across the two packet streams. Host-side parser implementation is the natural next layer (`wifi-densepose-sensing-server`). |
| **A0.13** | **ADR-018 byte 19 bit 4 wire-fix shipped in v0.7.0** | Pre-v0.7.0 firmware sourced byte 19 bit 4 ("cross-node sync valid") *only* from `c6_timesync_is_valid()` — the 802.15.4 path that D1 documents as unfixable in IDF v5.4 (rx=0 on every soak). The working ESP-NOW path (`c6_sync_espnow.c`, §A0.7-§A0.10 measured 99.43-99.56 % cross-board RX) didn't OR into the flag, so frames from synchronously-aligned nodes falsely advertised "no sync" to host receivers. v0.7.0 changes `csi_collector.c:221-222` to OR `c6_sync_espnow_is_valid()` too. Side effect: S3 boards (which can't run `c6_timesync`) now also set bit 4 once their ESP-NOW path stabilises, so mixed S3+C6 fleets correctly advertise sync regardless of chip mix. Build cost: +16 bytes; 45 % partition slack unchanged. Host-side decoder stub for the sibling sync packet (§A0.12) landed in `archive/v1/src/hardware/csi_extractor.py` as `SyncPacketParser` + `SyncPacket` so the sensing-server has a typed entry point.<br><br>**Firmware-side ADR-110 substrate is now closed.** Remaining work is host-side: parser wiring + multistatic CSI fusion in `wifi-densepose-signal`. Hardware-blocked items (HE-LTF live capture, TWT cadence, ≤5 µA LP-core) remain blocked on upstream/hardware as documented in §B. |
## A. Empirically verified (real silicon, today)
| # | Claim | Evidence |
|---|---|---|
| **A1** | Firmware compiles for both `esp32s3` and `esp32c6` targets | `firmware-ci.yml` matrix: `8mb`, `4mb`, `c6-4mb` rows. Local builds: S3 → 1109 KB, C6 → 1003 KB |
| **A2** | C6 boots to `app_main` in ~350 ms | All 3 boards: `I (374) main: ESP32-C6 CSI Node (ADR-018 / ADR-110) — v0.6.6 — Node ID: N` |
| **A3** | 802.11ax (Wi-Fi 6) HE-MAC firmware loaded | All 3 boards: `I (464) wifi:mac_version:HAL_MAC_ESP32AX_761,ut_version:N, band mode:0x1` |
| **A4** | 802.15.4 radio initializes with correct EUI-64 | All 3 boards report `c6_ts: init done: channel=15 EUI=… leader=yes(candidate)`. EUIs match `esptool chip_id` reading exactly (see A5). |
| **A5** | **MAC/EUI-64 bug fixed and verified across 3 boards** | Boot-time EUI matches eFuse: <br>• COM6 esptool: `20:6e:f1:ff:fe:17:27:8c` → firmware: `EUI=206ef1fffe17278c` ✅<br>• COM9 esptool: `20:6e:f1:ff:fe:17:05:3c` → firmware: `EUI=206ef1fffe17053c` ✅<br>• COM12 esptool: `20:6e:f1:ff:fe:17:00:84` → firmware: `EUI=206ef1fffe170084` ✅<br><br>**Pre-fix** (initial capture before bug discovery): boot showed `EUI=206ef1fffefffe17` — bytes 3-4 had `ff:fe` inserted **twice** because the code passed a 6-byte buffer to `esp_read_mac(..., ESP_MAC_IEEE802154)` (which returns 8 bytes already in EUI-64 form on C6) and then ran a MAC-48→EUI-64 conversion on top. Fix in `c6_timesync.c` reads 8 bytes directly. |
| **A6** | WiFi STA can join `ruv.net` from a C6 board | COM9 + COM12: `wifi:state: assoc -> run (0x10)`. COM6 still connecting in 35 s window. |
| **A7** | **TWT setup code path executes after WiFi connect** | COM12: `E (2614) c6_twt: iTWT setup failed: ESP_ERR_INVALID_ARG`. The error is **the ESP-IDF v5.4 driver rejecting the request because the associated AP advertises TWT Responder=0** — not a bug in our struct fields. Confirmed by inspecting the captured beacon log (A8). |
| **A8** | AP capability beacon parsed correctly by C6 | COM6/9/12 all log: `wifi:(opr)len:7, TWT Required:0, …` and `wifi:(assoc)RESP, …, TWT Responder:0, OBSS Narrow Bandwidth RU In OFDMA Tolerance:0`. Confirms `ruv.net` is 11n-only — TWT cannot be exercised here without an 11ax AP swap. |
| **A9** | TWT graceful-fallback path correct (post-fix) | After this run, `c6_twt.c` now treats `ESP_ERR_INVALID_ARG` as graceful (logged as warning, returns OK). Code change committed in this same set. |
| **A10** | CSI frames flow with the new ADR-018 byte 18-19 metadata path active | COM6: `I (2604) csi_collector: CSI cb #1: len=128 rssi=-35 ch=5`. Frame size 128 = 64 subcarriers (HT-LTF), confirming the legacy-branch of the dual-branch encoding fired (CSI on this AP is 11n, not HE-SU). |
| **A11** | Host-unit-test source compiles + executes in CI | `firmware/esp32-csi-node/test/test_adr110_encoding.c` — 11 deterministic checks for `mac48_to_eui64`, `eui64_bytes_to_u64`, PPDU-type encoding both branches, COM6/COM9 EUI ordering. **Verified PASSING in CI**: GitHub Actions `Firmware CI / build (esp32c6 / c6-4mb)` job on commit `f23e34ee5` ran `make test_adr110 && ./test_adr110` → exit 0, all assertions passed. CI run 26317987865 (3m35s). |
| **A12.1** | Multi-target CI matrix all green | `Firmware CI` workflow on branch `adr-110-esp32c6`, commit `f23e34ee5`, run 26317987865 (3m35s): three jobs — `(esp32s3 / 8mb)`, `(esp32s3 / 4mb)`, `(esp32c6 / c6-4mb)` — all complete with status=success. Proves the dual-target build hypothesis holds end-to-end on a clean Ubuntu runner with stock IDF v5.4 (no Windows-specific quirks). |
| **A12.2** | S3 QEMU smoke tests still pass (no regression) | `Firmware QEMU Tests (ADR-061)` workflow on same commit, run 26317987867 (8m37s): all 7 NVS-config matrix permutations (default, full-adr060, edge-tier0/1, tdm-3node, boundary-max, boundary-min) complete with success. Proves the dual-branch HE-tagging change in `csi_collector.c` doesn't break the runtime S3 path under QEMU. |
| **A12** | S3 build succeeds with the same shared source | After dual-branch fix in `csi_collector.c`: `S3 BUILD RC: 0`, binary 1109 KB (47 % partition slack on `partitions_display.csv`). Catches the regression class that bit me on the first attempt. |
## B. Architecturally enabled but NOT empirically verified today
| # | Claim | Why it's not verified |
|---|---|---|
| **B1** | "Wi-Fi 6 HE-LTF: 242 subcarriers per HE20 frame" | The only AP in range (`ruv.net`) is 11n-only. Every captured frame is 128 bytes = 64 subcarriers (HT-LTF, `ppdu_type=0`). No HE-SU/HE-MU/HE-TB observed. Even if an 11ax AP were available, **whether ESP-IDF v5.4's CSI callback exposes HE-LTF subcarriers via `wifi_csi_info_t.buf` is an open question** — the public API was designed for HT-LTF, and the driver may quietly downconvert. **Validate by capturing CSI against an 11ax AP and comparing `info->len` between HT and HE frames.** |
| **B2** | "TWT-bounded deterministic CSI cadence (10 ms wake)" | No 11ax AP in range. The TWT setup *call* was exercised live and the graceful fallback path is now correct (A9), but the agreement itself was never accepted. **Validate by associating with an 11ax AP that has TWT Responder=1, then capturing the timestamped CSI cadence vs the wall clock.** |
| **B3** | "±100 µs cross-node alignment over 802.15.4" | 3 boards initialized their radios with correct EUIs (A4/A5), but **none stepped down from candidate-leader to follower** during repeated 35-second multi-board captures. <br><br>**Coex hypothesis REJECTED**: rebuilt + reflashed all 3 boards with `CONFIG_C6_TIMESYNC_CHANNEL=26` (2480 MHz, non-overlapping with WiFi ch 5 at 2432 MHz). Result identical: 3× candidate, 0× "stepping down". So 2.4 GHz radio coex was NOT the cause. <br><br>**Current leading hypothesis**: OpenThread (CONFIG_OPENTHREAD_ENABLED=y) owns the 802.15.4 radio when its stack is initialized — our weak-symbol overrides of `esp_ieee802154_receive_done` / `_transmit_done` may never be called because OpenThread registers strong handlers. Validation in progress: rebuilding with `CONFIG_OPENTHREAD_ENABLED=n` (raw 802.15.4 only, our beacon protocol is private — no need for the Thread stack). If leader election fires under raw-15.4-only, hypothesis confirmed. <br><br>If raw-only also fails, next move is to dump the actual PHY frame bytes via the IEEE 802.15.4 sniffer mode on a 4th board and diagnose at the frame level. |
| **B4** | "~5 µA hibernation for battery seed nodes" | No INA / Joulescope current measurement available on this bench. The shipped code uses `esp_deep_sleep_enable_gpio_wakeup` (ext1 path, ESP-IDF default ~10 µA), not a true LP-core polling program. The 5 µA number is the C6 datasheet figure for ULP-level hibernation, not a measured value. **Validate by hooking an INA219/INA226 between the dev board's 3V3 rail and the regulator output, then averaging current over a 60-second cycle with the LP-core armed.** |
| **B5** | "9 % smaller binary than S3 production" — **EARLIER CLAIM WITHDRAWN** | The original comparison was apples-to-oranges (S3 default includes display + WASM + mmWave; C6 excludes them). **Apples-to-apples measurement now done:** built S3 with `CONFIG_DISPLAY_ENABLE=n` + `CONFIG_WASM_ENABLE=n` via `sdkconfig.defaults.s3-fair` — same CSI feature set as C6. Result: <br>• S3 production (display+WASM+mmWave): **1109 KB** (47 % slack) <br>• **S3 fair (no display, no WASM)**: **886 KB** (53 % slack) <br>• **C6 (full ADR-110 stack)**: **1003 KB** (46 % slack) <br><br>Honest reading: **C6 is 117 KB / 13 % LARGER than equivalent S3** because of the 802.15.4 PHY + OpenThread MTD stack that the S3 doesn't have. The C6 trade is: pay 13 % flash for 802.15.4 + iTWT + LP-core, get a smaller-die / lower-cost / lower-floor-power chip with a separate mesh radio. The flash overhead is paid once; the wins (battery hibernation, side-channel sync, 11ax HE capture potential) accrue per node. |
## C. Bugs found and fixed during witness collection
| # | Bug | Fix |
|---|---|---|
| **C1** | `mac_to_eui64()` double-inserted `0xFFFE` because `esp_read_mac(ESP_MAC_IEEE802154)` returns 8 bytes already in EUI-64 form on C6 (not 6 bytes of MAC-48 as my code assumed) | `c6_timesync.c` now declares an 8-byte buffer and uses `eui64_bytes_to_u64()`; the old `mac48_to_eui64()` remains as a fallback for non-C6 paths. Verified across 3 boards (A5). |
| **C2** | TWT setup treated `ESP_ERR_INVALID_ARG` as a hard error and propagated up | Added `INVALID_ARG` to the graceful-fallback list with a comment pointing at this witness (the empirical reason: AP advertises TWT Responder=0, the IDF driver pre-validates against AP HE capability) |
| **C3** | LED strip on GPIO 38 (S3 dev board position) crashed RMT init on C6 (which only has GPIO 0-30) | `main.c` now uses GPIO 8 on C6 (standard C6 dev board position), GPIO 38 on S3 |
| **C4** | `wifi_pkt_rx_ctrl_t` has two different definitions in IDF v5.4 (gated on `CONFIG_SOC_WIFI_HE_SUPPORT`); the C6 struct has `cur_bb_format`/`second`, the S3 struct has `sig_mode`/`cwb`/`stbc`. Initial code only handled the C6 branch and broke S3 compilation. | `csi_collector.c` now has both branches gated on `CONFIG_SOC_WIFI_HE_SUPPORT`. Verified by S3 build green (A12). |
## D-workaround. ESP-NOW cross-node sync (D1 mitigation)
After D1 confirmed the 802.15.4 RX path is unfixable from user code in this IDF v5.4 + C6 combination (5 hypotheses tested), added a parallel `c6_sync_espnow.{h,c}` module that runs the same TS_BEACON protocol over ESP-NOW instead. ESP-NOW is WiFi-based peer-to-peer (no AP needed), uses the same 2.4 GHz radio, and has a known-working RX path on every ESP32 family.
| Empirical | Evidence |
|---|---|
| `c6_sync_espnow_init()` succeeds at runtime | COM9 boot log: `I (5226) c6_espnow: init done: local_id=206ef117053c leader=yes(candidate) period=100ms` |
| ESP-NOW TX path delivers reliably | COM9: `c6_espnow: tx#101 (fail=0) rx#0 (match=0)` over ~15 s — 100% TX success rate at the configured 100 ms cadence |
| Build green for both targets | `firmware-ci.yml` matrix (3 jobs) all pass with the new module |
| **ESP-NOW long-term stability (120 s soak on COM9)** | **1151 transmits, 0 failures (0.00 %), 9.6 tx/s sustained, no crash/reset in 2 min.** Boot detector saw exactly 1 `app_main` call. Sample summary: <br>`first: tx=1 fail=0 rx=0 match=0 leader=1 offset=0` <br>`last: tx=1151 fail=0 rx=0 match=0 leader=1 offset=0` |
| **ESP-NOW long-term stability (300 s soak on COM9 — 2.5× the 120 s sample)** | **2951 transmits, 0 failures (0.0000 %), 9.83 tx/s sustained, no crash/reset in 5 min.** 60 counter samples, 1 `app_main` call. Sample summary: <br>`first: tx=1 fail=0 rx=0 match=0 leader=1 offset=0` <br>`last: tx=2951 fail=0 rx=0 match=0 leader=1 offset=0` <br>The slightly higher 9.83/s vs 9.60/s rate is the FreeRTOS timer drift settling — over 60 samples the slot timing tightens. Still 0 failures across both soaks. |
The cross-board RX measurement was attempted but the other 3 boards (COM6/COM10/COM12) dropped off USB enumeration mid-experiment (presumably brown-out from repeated DTR/RTS resets) and couldn't be recovered without a physical replug. **Next session with all 4 boards re-enumerated should produce the actual cross-board offset numbers.** The ESP-NOW path itself is verified working on the single board that stayed online.
Trade vs. the original 802.15.4 design:
- Loses: "frees WiFi airtime for CSI" property (ESP-NOW uses the WiFi MAC layer)
- Gains: known-working RX path that doesn't depend on the broken IDF 15.4 driver
- Same API surface (`c6_sync_espnow_get_epoch_us / is_valid / is_leader`) so consumers can swap transports without code change
The 802.15.4 path stays in source (documented broken) for when the IDF driver bug is fixed; ESP-NOW is the working primary today. Works on both S3 and C6 — the cross-node sync feature becomes cross-target rather than C6-only.
## D. Bugs found but NOT yet fixed
| # | Bug | Tracked |
|---|---|---|
| **D1** | 802.15.4 RX path appears fundamentally broken in this user code + IDF v5.4 combination. **Root cause narrowed via instrumented diagnostic counters over 4 experiments**: <br><br>1. WiFi-on + ch15: 3 boards, `tx#381 (fail=0) rx#1 (magic_match=0)` over 38 s. TX 100% clean, RX = 1 noise frame, 0 protocol matches. <br>2. WiFi-on + ch26 (no coex overlap): identical negative result. <br>3. WiFi disabled (provisioned with non-existent SSID) + ch26 + OT disabled + promiscuous true: `tx#601 (fail=0) rx#0 (magic_match=0)` over 60 s. Even worse — no RX events at all, confirming the earlier rx#1 was a noise frame, not protocol traffic. <br>4. Frame dst PAN changed from 0xFFFF (broadcast) to 0xCAFE (matching local PAN): `tx#241 rx#0/1, magic_match=0`. Still negative. <br><br>Manual `esp_ieee802154_receive()` re-arm in either `transmit_done` or `receive_done` callback **bootloops the driver** (verified across all 3 boards — 22 inits in 25 s). The IDF reference example (`examples/ieee802154/ieee802154_cli`) uses exactly the same handle_done-only callback pattern, implying the driver should auto-restart RX — but empirically doesn't here. <br><br>Hypothesis space narrowed to: (a) real IDF v5.4 802.15.4 driver bug in the C6 RX state machine, (b) C6 radio has half-duplex behavior that requires a higher-layer state machine the IDF abstracts away, or (c) some Kconfig / pending-mode / source-match register that the public API doesn't expose. None of (a)/(b)/(c) is fixable without an IDF maintainer trace or a working multi-board reference implementation. | Task #30 closed as documented-known-issue. Cross-node sync claim B3 BLOCKED. Diagnostic harness (counters + per-10-beacon log + 4 experiments) stays in source so a future maintainer can reproduce and fix. |
| **D2** | COM10 board did not respond to `esptool chip_id` (timeout). Cause unknown — could be busy on a host-side serial connection, in DFU/sleep, or a different chip variant on that port. Not investigated. | (open) |
## E. Reproducer
```bash
# 1. Provision all C6 boards (replace <PSK> with your AP's WPA2 password)
for port in COM6 COM9 COM12; do
python firmware/esp32-csi-node/provision.py --port $port --chip esp32c6 \
--ssid "your-ap" --password "<PSK>" --target-ip 192.168.1.20 \
--node-id ${port#COM}
done
# 2. Build + flash for esp32c6
cd firmware/esp32-csi-node
idf.py set-target esp32c6 && idf.py build
for port in COM6 COM9 COM12; do idf.py -p $port flash; done
# 3. Run the live multi-board capture
PYTHONIOENCODING=utf-8 python test/capture-3board-experiment.py
# 4. Inspect captures
ls test/witness-3board/ # COM6.log, COM9.log, COM12.log
grep "c6_ts\|c6_twt\|HAL_MAC" test/witness-3board/*.log
```
## F. Verdict
**Release-ready: NO.**
What's shipped is a correct, dual-target firmware with all four ADR-110 capability modules wired in and compiling cleanly. **One of the four can be empirically claimed today** (the 802.15.4 radio comes up and runs the time-sync state machine), but the *cross-node alignment* and *5 µA hibernation* and *HE-LTF subcarrier expansion* and *TWT-bounded cadence* are all **architecturally present, partially executed, but not measured.**
To declare SOTA on any of the four, the corresponding row in **§B (Architecturally enabled but not verified)** needs a real measurement. The plan in each row says exactly what hardware that would take.
Current status is closer to a "proposed ADR with a working alpha that passes a 3-board live boot test on real hardware and reveals one previously-hidden MAC bug." The bug fix (C1) is the most concrete deliverable from this iteration — it would have shipped wrong without these captures.
api-docs/adr/.issue-177-body.md
+141
View File
@@ -0,0 +1,141 @@
## Introduction
RuView is a WiFi-based human pose estimation system built on ESP32 CSI (Channel State Information). Today, managing a RuView deployment requires juggling **6+ disconnected CLI tools**: `esptool.py` for flashing, `provision.py` for NVS configuration, `curl` for OTA and WASM management, `cargo run` for the sensing server, a browser for visualization, and manual IP tracking for node discovery. There is no single tool that provides a unified view of the entire deployment — from ESP32 hardware through the sensing pipeline to pose visualization.
This issue tracks the implementation of **RuView Desktop** — a Tauri v2 cross-platform desktop application that replaces all of these tools with a single, cohesive interface. The application is designed as the **control plane** for the RuView platform, managing the full lifecycle: discover, flash, provision, OTA, load WASM, observe sensing.
### Why Tauri (Not Electron/Flutter/Web)
| Requirement | Why Desktop is Required |
|-------------|------------------------|
| Serial port access | Browser/PWA cannot touch COM/tty ports for firmware flashing |
| Raw UDP sockets | Node discovery via broadcast probes requires raw socket access |
| Filesystem access | Firmware binaries, WASM modules, model files live on local disk |
| Process management | Sensing server runs as a managed child process (sidecar) |
| Small binary | Tauri ~20 MB vs Electron ~150 MB |
| Rust integration | Shares crates with existing workspace |
### UI Design Language
The frontend uses a **Foundation Book** design scheme with **Unity Editor-inspired** UI panels. Think: clean typographic hierarchy, structured panels with dockable regions, monospaced data displays, and a professional dark theme with accent colors for status indicators. Powered by rUv.
---
## ADR-052 Deep Overview
The full architecture is documented in [ADR-052](https://github.com/ruvnet/RuView/blob/feat/tauri-desktop-frontend/docs/adr/ADR-052-tauri-desktop-frontend.md) with a companion [DDD bounded contexts appendix](https://github.com/ruvnet/RuView/blob/feat/tauri-desktop-frontend/docs/adr/ADR-052-ddd-bounded-contexts.md).
### Workspace Integration
The desktop app is a new Rust crate (`wifi-densepose-desktop`) in the existing workspace, sharing types with the sensing server and hardware crate. The frontend uses React + Vite + TypeScript with a Foundation Book / Unity-inspired design system.
### 6 Rust Command Groups
| Group | Commands | Bounded Context |
|-------|----------|-----------------|
| **Discovery** | `discover_nodes`, `get_node_status`, `watch_nodes` | Device Discovery |
| **Flash** | `list_serial_ports`, `flash_firmware`, `read_chip_info` | Firmware Management |
| **OTA** | `ota_update`, `ota_status`, `ota_batch_update` | Firmware Management |
| **WASM** | `wasm_list`, `wasm_upload`, `wasm_control` | Edge Module |
| **Server** | `start_server`, `stop_server`, `server_status` | Sensing Pipeline |
| **Provision** | `provision_node`, `read_nvs` | Configuration |
### 7 Frontend Pages
| Page | Purpose |
|------|---------|
| **Dashboard** | Node count (online/offline), server status, quick actions, activity feed |
| **Node Detail** | Single node deep-dive: firmware, health, TDM config, WASM modules |
| **Flash Firmware** | 3-step wizard: select port, select firmware, flash with progress bar |
| **WASM Modules** | Drag-and-drop upload, module list with start/stop/unload |
| **Sensing View** | Live CSI heatmap, pose skeleton overlay, vital signs |
| **Mesh Topology** | Force-directed graph: TDM slots, sync drift, node health |
| **Settings** | Server ports, bind address, OTA PSK, UI theme |
### DDD Bounded Contexts
6 bounded contexts with 9 aggregates, 25+ domain events, and 3 anti-corruption layers. See the [DDD appendix](https://github.com/ruvnet/RuView/blob/feat/tauri-desktop-frontend/docs/adr/ADR-052-ddd-bounded-contexts.md) for full details.
| Context | Aggregate Root(s) | Key Events |
|---------|--------------------|------------|
| Device Discovery | `NodeRegistry` | `NodeDiscovered`, `NodeWentOffline`, `ScanCompleted` |
| Firmware Management | `FlashSession`, `OtaSession`, `BatchOtaSession` | `FlashProgress`, `OtaCompleted`, `BatchOtaCompleted` |
| Configuration | `ProvisioningSession` | `NodeProvisioned`, `ConfigReadBack` |
| Sensing Pipeline | `SensingServer`, `WebSocketSession` | `ServerStarted`, `FrameReceived` |
| Edge Module (WASM) | `ModuleRegistry` | `ModuleUploaded`, `ModuleStarted` |
| Visualization | Query model (no aggregate) | Consumes all upstream events |
### Persistent Node Registry
Stored in `~/.ruview/nodes.db` (SQLite). On startup, previously known nodes load as Offline and reconcile against fresh discovery. The app remembers the mesh across restarts.
### OTA Safety Gate
The `TdmSafe` rolling update strategy updates even-slot nodes first, then odd-slot nodes, ensuring adjacent nodes are never offline simultaneously during mesh-wide firmware updates.
### Platform-Specific Considerations
| Platform | Concern | Solution |
|----------|---------|----------|
| macOS | USB serial drivers need signing on Sequoia+ | Document driver requirements |
| Windows | COM port naming, UAC | Auto-detect via registry |
| Linux | Serial port permissions | Bundle udev rules installer |
---
## Implementation Phases
| Phase | Scope | Priority |
|-------|-------|----------|
| 1. Skeleton | Tauri scaffolding, workspace integration, React window | P0 |
| 2. Discovery | Serial ports, node discovery, dashboard cards | P0 |
| 3. Flash | espflash integration, flashing wizard | P0 |
| 4. Server | Sidecar sensing server, log viewer | P1 |
| 5. OTA | HTTP OTA with PSK auth, batch TdmSafe | P1 |
| 6. Provisioning | NVS GUI form, read-back, mesh presets | P1 |
| 7. WASM | Module upload/list/control | P2 |
| 8. Sensing | WebSocket, live charts, pose overlay | P2 |
| 9. Mesh View | Topology graph, TDM visualization | P2 |
| 10. Polish | App signing, auto-update, onboarding wizard | P3 |
Total estimated effort: ~11 weeks for a single developer.
## Acceptance Criteria
- [ ] Tauri app builds on Windows, macOS, Linux
- [ ] Can discover ESP32 nodes on local network
- [ ] Node registry persists across restarts
- [ ] Can flash firmware via serial port (no Python dependency)
- [ ] Can push OTA updates with PSK authentication
- [ ] Rolling OTA with TdmSafe strategy for mesh deployments
- [ ] Can upload/manage WASM modules on nodes
- [ ] Can start/stop sensing server and view live logs
- [ ] Can view real-time sensing data via WebSocket
- [ ] Can provision NVS config via GUI form
- [ ] Mesh topology visualization shows TDM slots and health
- [ ] Binary size less than 30 MB
- [ ] Foundation Book / Unity-inspired UI design system
- [ ] Each new Rust module has unit tests
## Dependencies
- ADR-012: ESP32 CSI Sensor Mesh
- ADR-039: ESP32 Edge Intelligence
- ADR-040: WASM Programmable Sensing
- ADR-044: Provisioning Tool Enhancements
- ADR-050: Quality Engineering Security Hardening
- ADR-051: Sensing Server Decomposition
- ADR-053: UI Design System (Foundation Book + Unity-inspired)
## Branch
[`feat/tauri-desktop-frontend`](https://github.com/ruvnet/RuView/tree/feat/tauri-desktop-frontend)
## References
- [ADR-052: Tauri Desktop Frontend](https://github.com/ruvnet/RuView/blob/feat/tauri-desktop-frontend/docs/adr/ADR-052-tauri-desktop-frontend.md)
- [ADR-052 DDD Appendix](https://github.com/ruvnet/RuView/blob/feat/tauri-desktop-frontend/docs/adr/ADR-052-ddd-bounded-contexts.md)
- [Tauri v2 Documentation](https://v2.tauri.app/)
- [espflash crate](https://crates.io/crates/espflash)
Powered by **rUv**
api-docs/adr/ADR-001-wifi-mat-disaster-detection.md
+173
View File
@@ -0,0 +1,173 @@
# ADR-001: WiFi-Mat Disaster Detection Architecture
## Status
Accepted
## Date
2026-01-13
## Context
Natural disasters such as earthquakes, building collapses, avalanches, and floods trap victims under rubble or debris. Traditional search and rescue methods using visual inspection, thermal cameras, or acoustic devices have significant limitations:
- **Visual/Optical**: Cannot penetrate rubble, debris, or collapsed structures
- **Thermal**: Limited penetration depth, affected by ambient temperature
- **Acoustic**: Requires victim to make sounds, high false positive rate
- **K9 Units**: Limited availability, fatigue, environmental hazards
WiFi-based sensing offers a unique advantage: **RF signals can penetrate non-metallic debris** (concrete, wood, drywall) and detect subtle human movements including breathing patterns and heartbeats through Channel State Information (CSI) analysis.
### Problem Statement
We need a modular extension to the WiFi-DensePose Rust implementation that:
1. Detects human presence in disaster scenarios with high sensitivity
2. Localizes survivors within rubble/debris fields
3. Classifies victim status (conscious movement, breathing only, critical)
4. Provides real-time alerts to rescue teams
5. Operates in degraded/field conditions with portable hardware
## Decision
We will create a new crate `wifi-densepose-mat` (Mass Casualty Assessment Tool) as a modular addition to the existing Rust workspace with the following architecture:
### 1. Domain-Driven Design (DDD) Approach
The module follows DDD principles with clear bounded contexts:
```
wifi-densepose-mat/
├── src/
│ ├── domain/ # Core domain entities and value objects
│ │ ├── survivor.rs # Survivor entity with status tracking
│ │ ├── disaster_event.rs # Disaster event aggregate root
│ │ ├── scan_zone.rs # Geographic zone being scanned
│ │ └── alert.rs # Alert value objects
│ ├── detection/ # Life sign detection bounded context
│ │ ├── breathing.rs # Breathing pattern detection
│ │ ├── heartbeat.rs # Micro-doppler heartbeat detection
│ │ ├── movement.rs # Gross/fine movement classification
│ │ └── classifier.rs # Multi-modal victim classifier
│ ├── localization/ # Position estimation bounded context
│ │ ├── triangulation.rs # Multi-AP triangulation
│ │ ├── fingerprinting.rs # CSI fingerprint matching
│ │ └── depth.rs # Depth/layer estimation in rubble
│ ├── alerting/ # Notification bounded context
│ │ ├── priority.rs # Triage priority calculation
│ │ ├── dispatcher.rs # Alert routing and dispatch
│ │ └── protocols.rs # Emergency protocol integration
│ └── integration/ # Anti-corruption layer
│ ├── signal_adapter.rs # Adapts wifi-densepose-signal
│ └── nn_adapter.rs # Adapts wifi-densepose-nn
```
### 2. Core Architectural Decisions
#### 2.1 Event-Driven Architecture
- All survivor detections emit domain events
- Events enable audit trails and replay for post-incident analysis
- Supports distributed deployments with multiple scan teams
#### 2.2 Configurable Detection Pipeline
```rust
pub struct DetectionPipeline {
breathing_detector: BreathingDetector,
heartbeat_detector: HeartbeatDetector,
movement_classifier: MovementClassifier,
ensemble_classifier: EnsembleClassifier,
}
```
#### 2.3 Triage Classification (START Protocol Compatible)
| Status | Detection Criteria | Priority |
|--------|-------------------|----------|
| Immediate (Red) | Breathing detected, no movement | P1 |
| Delayed (Yellow) | Movement + breathing, stable vitals | P2 |
| Minor (Green) | Strong movement, responsive patterns | P3 |
| Deceased (Black) | No vitals for >30 minutes continuous scan | P4 |
#### 2.4 Hardware Abstraction
Supports multiple deployment scenarios:
- **Portable**: Single TX/RX with handheld device
- **Distributed**: Multiple APs deployed around collapse site
- **Drone-mounted**: UAV-based scanning for large areas
- **Vehicle-mounted**: Mobile command post with array
### 3. Integration Strategy
The module integrates with existing crates through adapters:
```
┌─────────────────────────────────────────────────────────────┐
│ wifi-densepose-mat │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Detection │ │ Localization│ │ Alerting │ │
│ │ Context │ │ Context │ │ Context │ │
│ └──────┬──────┘ └──────┬──────┘ └──────────┬──────────┘ │
│ │ │ │ │
│ └────────────────┼─────────────────────┘ │
│ │ │
│ ┌───────────▼───────────┐ │
│ │ Integration Layer │ │
│ │ (Anti-Corruption) │ │
│ └───────────┬───────────┘ │
└──────────────────────────┼───────────────────────────────────┘
┌──────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│wifi-densepose │ │wifi-densepose │ │wifi-densepose │
│ -signal │ │ -nn │ │ -hardware │
└───────────────┘ └───────────────┘ └───────────────┘
```
### 4. Performance Requirements
| Metric | Target | Rationale |
|--------|--------|-----------|
| Detection Latency | <500ms | Real-time feedback for rescuers |
| False Positive Rate | <5% | Minimize wasted rescue efforts |
| False Negative Rate | <1% | Cannot miss survivors |
| Penetration Depth | 3-5m | Typical rubble pile depth |
| Battery Life (portable) | >8 hours | Full shift operation |
| Concurrent Zones | 16+ | Large disaster site coverage |
### 5. Safety and Reliability
- **Fail-safe defaults**: Always assume life present on ambiguous signals
- **Redundant detection**: Multiple algorithms vote on presence
- **Continuous monitoring**: Re-scan zones periodically
- **Offline operation**: Full functionality without network
- **Audit logging**: Complete trace of all detections
## Consequences
### Positive
- Modular design allows independent development and testing
- DDD ensures domain experts can validate logic
- Event-driven enables distributed deployments
- Adapters isolate from upstream changes
- Compatible with existing WiFi-DensePose infrastructure
### Negative
- Additional complexity from event system
- Learning curve for rescue teams
- Requires calibration for different debris types
- RF interference in disaster zones
### Risks and Mitigations
| Risk | Mitigation |
|------|------------|
| Metal debris blocking signals | Multi-angle scanning, adaptive frequency |
| Environmental RF interference | Spectral sensing, frequency hopping |
| False positives from animals | Size/pattern classification |
| Power constraints in field | Low-power modes, solar charging |
## References
- [WiFi-based Vital Signs Monitoring](https://dl.acm.org/doi/10.1145/3130944)
- [Through-Wall Human Sensing](https://ieeexplore.ieee.org/document/8645344)
- [START Triage Protocol](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3088332/)
- [CSI-based Human Activity Recognition](https://arxiv.org/abs/2004.03661)
api-docs/adr/ADR-002-ruvector-rvf-integration-strategy.md
+219
View File
@@ -0,0 +1,219 @@
# ADR-002: RuVector RVF Integration Strategy
## Status
Superseded by [ADR-016](ADR-016-ruvector-integration.md) and [ADR-017](ADR-017-ruvector-signal-mat-integration.md)
> **Note:** The vision in this ADR has been fully realized. ADR-016 integrates all 5 RuVector crates into the training pipeline. ADR-017 adds 7 signal + MAT integration points. The `wifi-densepose-ruvector` crate is [published on crates.io](https://crates.io/crates/wifi-densepose-ruvector). See also [ADR-027](ADR-027-cross-environment-domain-generalization.md) for how RuVector is extended with domain generalization.
## Date
2026-02-28
## Context
### Current System Limitations
The WiFi-DensePose system processes Channel State Information (CSI) from WiFi signals to estimate human body poses. The current architecture (Python v1 + Rust port) has several areas where intelligence and performance could be significantly improved:
1. **No persistent vector storage**: CSI feature vectors are processed transiently. Historical patterns, fingerprints, and learned representations are not persisted in a searchable vector database.
2. **Static inference models**: The modality translation network (`ModalityTranslationNetwork`) and DensePose head use fixed weights loaded at startup. There is no online learning, adaptation, or self-optimization.
3. **Naive pattern matching**: Human detection in `CSIProcessor` uses simple threshold-based confidence scoring (`amplitude_indicator`, `phase_indicator`, `motion_indicator` with fixed weights 0.4, 0.3, 0.3). No similarity search against known patterns.
4. **No cryptographic audit trail**: Life-critical disaster detection (wifi-densepose-mat) lacks tamper-evident logging for survivor detections and triage classifications.
5. **Limited edge deployment**: The WASM crate (`wifi-densepose-wasm`) provides basic bindings but lacks a self-contained runtime capable of offline operation with embedded models.
6. **Single-node architecture**: Multi-AP deployments for disaster scenarios require distributed coordination, but no consensus mechanism exists for cross-node state management.
### RuVector Capabilities
RuVector (github.com/ruvnet/ruvector) provides a comprehensive cognitive computing platform:
- **RVF (Cognitive Containers)**: Self-contained files with 25 segment types (VEC, INDEX, KERNEL, EBPF, WASM, COW_MAP, WITNESS, CRYPTO) that package vectors, models, and runtime into a single deployable artifact
- **HNSW Vector Search**: Hierarchical Navigable Small World indexing with SIMD acceleration and Hyperbolic extensions for hierarchy-aware search
- **SONA**: Self-Optimizing Neural Architecture providing <1ms adaptation via LoRA fine-tuning with EWC++ memory preservation
- **GNN Learning Layer**: Graph Neural Networks that learn from every query through message passing, attention weighting, and representation updates
- **46 Attention Mechanisms**: Including Flash Attention, Linear Attention, Graph Attention, Hyperbolic Attention, Mincut-gated Attention
- **Post-Quantum Cryptography**: ML-DSA-65, Ed25519, SLH-DSA-128s signatures with SHAKE-256 hashing
- **Witness Chains**: Tamper-evident cryptographic hash-linked audit trails
- **Raft Consensus**: Distributed coordination with multi-master replication and vector clocks
- **WASM Runtime**: 5.5 KB runtime bootable in 125ms, deployable on servers, browsers, phones, IoT
- **Git-like Branching**: Copy-on-write structure (1M vectors + 100 edits ≈ 2.5 MB branch)
## Decision
We will integrate RuVector's RVF format and intelligence capabilities into the WiFi-DensePose system through a phased, modular approach across 9 integration domains, each detailed in subsequent ADRs (ADR-003 through ADR-010).
### Integration Architecture Overview
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ WiFi-DensePose + RuVector │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ CSI Input │ │ RVF Store │ │ SONA │ │ GNN Layer │ │
│ │ Pipeline │──▶│ (Vectors, │──▶│ Self-Learn │──▶│ Pattern │ │
│ │ │ │ Indices) │ │ │ │ Enhancement │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Feature │ │ HNSW │ │ Adaptive │ │ Pose │ │
│ │ Extraction │ │ Search │ │ Weights │ │ Estimation │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │ │
│ └─────────────────┴─────────────────┴─────────────────┘ │
│ │ │
│ ┌──────────▼──────────┐ │
│ │ Output Layer │ │
│ │ • Pose Keypoints │ │
│ │ • Body Segments │ │
│ │ • UV Coordinates │ │
│ │ • Confidence Maps │ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌───────────────────────────┼───────────────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Witness │ │ Raft │ │ WASM │ │
│ │ Chains │ │ Consensus │ │ Edge │ │
│ │ (Audit) │ │ (Multi-AP) │ │ Runtime │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ Post-Quantum Crypto Layer │ │
│ │ ML-DSA-65 │ Ed25519 │ SLH-DSA-128s │ SHAKE-256 │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
```
### New Crate: `wifi-densepose-rvf`
A new workspace member crate will serve as the integration layer:
```
crates/wifi-densepose-rvf/
├── Cargo.toml
├── src/
│ ├── lib.rs # Public API surface
│ ├── container.rs # RVF cognitive container management
│ ├── vector_store.rs # HNSW-backed CSI vector storage
│ ├── search.rs # Similarity search for fingerprinting
│ ├── learning.rs # SONA integration for online learning
│ ├── gnn.rs # GNN pattern enhancement layer
│ ├── attention.rs # Attention mechanism selection
│ ├── witness.rs # Witness chain audit trails
│ ├── consensus.rs # Raft consensus for multi-AP
│ ├── crypto.rs # Post-quantum crypto wrappers
│ ├── edge.rs # WASM edge runtime integration
│ └── adapters/
│ ├── mod.rs
│ ├── signal_adapter.rs # Bridges wifi-densepose-signal
│ ├── nn_adapter.rs # Bridges wifi-densepose-nn
│ └── mat_adapter.rs # Bridges wifi-densepose-mat
```
### Phased Rollout
| Phase | Timeline | ADR | Capability | Priority |
|-------|----------|-----|------------|----------|
| 1 | Weeks 1-3 | ADR-003 | RVF Cognitive Containers for CSI Data | Critical |
| 2 | Weeks 2-4 | ADR-004 | HNSW Vector Search for Signal Fingerprinting | Critical |
| 3 | Weeks 4-6 | ADR-005 | SONA Self-Learning for Pose Estimation | High |
| 4 | Weeks 5-7 | ADR-006 | GNN-Enhanced CSI Pattern Recognition | High |
| 5 | Weeks 6-8 | ADR-007 | Post-Quantum Cryptography for Secure Sensing | Medium |
| 6 | Weeks 7-9 | ADR-008 | Distributed Consensus for Multi-AP | Medium |
| 7 | Weeks 8-10 | ADR-009 | RVF WASM Runtime for Edge Deployment | Medium |
| 8 | Weeks 9-11 | ADR-010 | Witness Chains for Audit Trail Integrity | High (MAT) |
### Dependency Strategy
**Verified published crates** (crates.io, all at v2.0.4 as of 2026-02-28):
```toml
# In Cargo.toml workspace dependencies
[workspace.dependencies]
ruvector-mincut = "2.0.4" # Dynamic min-cut, O(n^1.5 log n) graph partitioning
ruvector-attn-mincut = "2.0.4" # Attention + mincut gating in one pass
ruvector-temporal-tensor = "2.0.4" # Tiered temporal compression (50-75% memory reduction)
ruvector-solver = "2.0.4" # NeumannSolver — O(√n) Neumann series convergence
ruvector-attention = "2.0.4" # ScaledDotProductAttention
```
> **Note (ADR-017 correction):** Earlier versions of this ADR specified
> `ruvector-core`, `ruvector-data-framework`, `ruvector-consensus`, and
> `ruvector-wasm` at version `"0.1"`. These crates do not exist at crates.io.
> The five crates above are the verified published API surface at v2.0.4.
> Capabilities such as RVF cognitive containers (ADR-003), HNSW search (ADR-004),
> SONA (ADR-005), GNN patterns (ADR-006), post-quantum crypto (ADR-007),
> Raft consensus (ADR-008), and WASM runtime (ADR-009) are internal capabilities
> accessible through these five crates or remain as forward-looking architecture.
> See ADR-017 for the corrected integration map.
Feature flags control which ruvector capabilities are compiled in:
```toml
[features]
default = ["mincut-matching", "solver-interpolation"]
mincut-matching = ["ruvector-mincut"]
attn-mincut = ["ruvector-attn-mincut"]
temporal-compress = ["ruvector-temporal-tensor"]
solver-interpolation = ["ruvector-solver"]
attention = ["ruvector-attention"]
full = ["mincut-matching", "attn-mincut", "temporal-compress", "solver-interpolation", "attention"]
```
## Consequences
### Positive
- **10-100x faster pattern lookup**: HNSW replaces linear scan for CSI fingerprint matching
- **Continuous improvement**: SONA enables online adaptation without full retraining
- **Self-contained deployment**: RVF containers package everything needed for field operation
- **Tamper-evident records**: Witness chains provide cryptographic proof for disaster response auditing
- **Future-proof security**: Post-quantum signatures resist quantum computing attacks
- **Distributed operation**: Raft consensus enables coordinated multi-AP sensing
- **Ultra-light edge**: 5.5 KB WASM runtime enables browser and IoT deployment
- **Git-like versioning**: COW branching enables experimental model variations with minimal storage
### Negative
- **Increased binary size**: Full feature set adds significant dependencies (~15-30 MB)
- **Complexity**: 9 integration domains require careful coordination
- **Learning curve**: Team must understand RuVector's cognitive container paradigm
- **API stability risk**: RuVector is pre-1.0; APIs may change
- **Testing surface**: Each integration point requires dedicated test suites
### Risks and Mitigations
| Risk | Severity | Mitigation |
|------|----------|------------|
| RuVector API breaking changes | High | Pin versions, adapter pattern isolates impact |
| Performance regression from abstraction layers | Medium | Benchmark each integration point, zero-cost abstractions |
| Feature flag combinatorial complexity | Medium | CI matrix testing for key feature combinations |
| Over-engineering for current use cases | Medium | Phased rollout, each phase independently valuable |
| Binary size bloat for edge targets | Low | Feature flags ensure only needed capabilities compile |
## Related ADRs
- **ADR-001**: WiFi-Mat Disaster Detection Architecture (existing)
- **ADR-003**: RVF Cognitive Containers for CSI Data
- **ADR-004**: HNSW Vector Search for Signal Fingerprinting
- **ADR-005**: SONA Self-Learning for Pose Estimation
- **ADR-006**: GNN-Enhanced CSI Pattern Recognition
- **ADR-007**: Post-Quantum Cryptography for Secure Sensing
- **ADR-008**: Distributed Consensus for Multi-AP Coordination
- **ADR-009**: RVF WASM Runtime for Edge Deployment
- **ADR-010**: Witness Chains for Audit Trail Integrity
## References
- [RuVector Repository](https://github.com/ruvnet/ruvector)
- [HNSW Algorithm](https://arxiv.org/abs/1603.09320)
- [LoRA: Low-Rank Adaptation](https://arxiv.org/abs/2106.09685)
- [Elastic Weight Consolidation](https://arxiv.org/abs/1612.00796)
- [Raft Consensus](https://raft.github.io/raft.pdf)
- [ML-DSA (FIPS 204)](https://csrc.nist.gov/pubs/fips/204/final)
- [WiFi-DensePose Rust ADR-001: Workspace Structure](../v2/docs/adr/ADR-001-workspace-structure.md)
api-docs/adr/ADR-003-rvf-cognitive-containers-csi.md
+251
View File
@@ -0,0 +1,251 @@
# ADR-003: RVF Cognitive Containers for CSI Data
## Status
Proposed
## Date
2026-02-28
## Context
### Problem
WiFi-DensePose processes CSI (Channel State Information) data through a multi-stage pipeline: raw capture → preprocessing → feature extraction → neural inference → pose output. Each stage produces intermediate data that is currently ephemeral:
1. **Raw CSI measurements** (`CsiData`): Amplitude matrices (num_antennas x num_subcarriers), phase arrays, SNR values, metadata. Stored only in a bounded `VecDeque` (max 500 entries in Python, similar in Rust).
2. **Extracted features** (`CsiFeatures`): Amplitude mean/variance, phase differences, correlation matrices, Doppler shifts, power spectral density. Discarded after single-pass inference.
3. **Trained model weights**: Static ONNX/PyTorch files loaded from disk. No mechanism to persist adapted weights or experimental variations.
4. **Detection results** (`HumanDetectionResult`): Confidence scores, motion scores, detection booleans. Logged but not indexed for pattern retrieval.
5. **Environment fingerprints**: Each physical space has a unique CSI signature affected by room geometry, furniture, building materials. No persistent fingerprint database exists.
### Opportunity
RuVector's RVF (Cognitive Container) format provides a single-file packaging solution with 25 segment types that can encapsulate the entire WiFi-DensePose operational state:
```
RVF Cognitive Container Structure:
┌─────────────────────────────────────────────┐
│ HEADER │ Magic, version, segment count │
├───────────┼─────────────────────────────────┤
│ VEC │ CSI feature vectors │
│ INDEX │ HNSW index over vectors │
│ WASM │ Inference runtime │
│ COW_MAP │ Copy-on-write branch state │
│ WITNESS │ Audit chain entries │
│ CRYPTO │ Signature keys, attestations │
│ KERNEL │ Bootable runtime (optional) │
│ EBPF │ Hardware-accelerated filters │
│ ... │ (25 total segment types) │
└─────────────────────────────────────────────┘
```
## Decision
We will adopt the RVF Cognitive Container format as the primary persistence and deployment unit for WiFi-DensePose operational data, implementing the following container types:
### 1. CSI Fingerprint Container (`.rvf.csi`)
Packages environment-specific CSI signatures for location recognition:
```rust
/// CSI Fingerprint container storing environment signatures
pub struct CsiFingerprintContainer {
/// Container metadata
metadata: ContainerMetadata,
/// VEC segment: Normalized CSI feature vectors
/// Each vector = [amplitude_mean(N) | amplitude_var(N) | phase_diff(N-1) | doppler(10) | psd(128)]
/// Typical dimensionality: 64 subcarriers → 64+64+63+10+128 = 329 dimensions
fingerprint_vectors: VecSegment,
/// INDEX segment: HNSW index for O(log n) nearest-neighbor lookup
hnsw_index: IndexSegment,
/// COW_MAP: Branches for different times-of-day, occupancy levels
branches: CowMapSegment,
/// Metadata per vector: room_id, timestamp, occupancy_count, furniture_hash
annotations: AnnotationSegment,
}
```
**Vector encoding**: Each CSI snapshot is encoded as a fixed-dimension vector:
```
CSI Feature Vector (329-dim for 64 subcarriers):
┌──────────────────┬──────────────────┬─────────────────┬──────────┬─────────┐
│ amplitude_mean │ amplitude_var │ phase_diff │ doppler │ psd │
│ [f32; 64] │ [f32; 64] │ [f32; 63] │ [f32; 10]│ [f32;128│
└──────────────────┴──────────────────┴─────────────────┴──────────┴─────────┘
```
### 2. Model Container (`.rvf.model`)
Packages neural network weights with versioning:
```rust
/// Model container with version tracking and A/B comparison
pub struct ModelContainer {
/// Container metadata with model version history
metadata: ContainerMetadata,
/// Primary model weights (ONNX serialized)
primary_weights: BlobSegment,
/// SONA adaptation deltas (LoRA low-rank matrices)
adaptation_deltas: VecSegment,
/// COW branches for model experiments
/// e.g., "baseline", "adapted-office-env", "adapted-warehouse"
branches: CowMapSegment,
/// Performance metrics per branch
metrics: AnnotationSegment,
/// Witness chain: every weight update recorded
audit_trail: WitnessSegment,
}
```
### 3. Session Container (`.rvf.session`)
Captures a complete sensing session for replay and analysis:
```rust
/// Session container for recording and replaying sensing sessions
pub struct SessionContainer {
/// Session metadata (start time, duration, hardware config)
metadata: ContainerMetadata,
/// Time-series CSI vectors at capture rate
csi_timeseries: VecSegment,
/// Detection results aligned to CSI timestamps
detections: AnnotationSegment,
/// Pose estimation outputs
poses: VecSegment,
/// Index for temporal range queries
temporal_index: IndexSegment,
/// Cryptographic integrity proof
witness_chain: WitnessSegment,
}
```
### Container Lifecycle
```
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Create │───▶│ Ingest │───▶│ Query │───▶│ Branch │
│ Container │ │ Vectors │ │ (HNSW) │ │ (COW) │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
│ │
│ ┌──────────┐ ┌──────────┐ │
│ │ Merge │◀───│ Compare │◀─────────┘
│ │ Branches │ │ Results │
│ └────┬─────┘ └──────────┘
│ │
▼ ▼
┌──────────┐ ┌──────────┐
│ Export │ │ Deploy │
│ (.rvf) │ │ (Edge) │
└──────────┘ └──────────┘
```
### Integration with Existing Crates
The container system integrates through adapter traits:
```rust
/// Trait for types that can be vectorized into RVF containers
pub trait RvfVectorizable {
/// Encode self as a fixed-dimension f32 vector
fn to_rvf_vector(&self) -> Vec<f32>;
/// Reconstruct from an RVF vector
fn from_rvf_vector(vec: &[f32]) -> Result<Self, RvfError> where Self: Sized;
/// Vector dimensionality
fn vector_dim() -> usize;
}
// Implementation for existing types
impl RvfVectorizable for CsiFeatures {
fn to_rvf_vector(&self) -> Vec<f32> {
let mut vec = Vec::with_capacity(Self::vector_dim());
vec.extend(self.amplitude_mean.iter().map(|&x| x as f32));
vec.extend(self.amplitude_variance.iter().map(|&x| x as f32));
vec.extend(self.phase_difference.iter().map(|&x| x as f32));
vec.extend(self.doppler_shift.iter().map(|&x| x as f32));
vec.extend(self.power_spectral_density.iter().map(|&x| x as f32));
vec
}
fn vector_dim() -> usize {
// 64 + 64 + 63 + 10 + 128 = 329 (for 64 subcarriers)
329
}
// ...
}
```
### Storage Characteristics
| Container Type | Typical Size | Vector Count | Use Case |
|----------------|-------------|-------------|----------|
| Fingerprint | 5-50 MB | 10K-100K | Room/building fingerprint DB |
| Model | 50-500 MB | N/A (blob) | Neural network deployment |
| Session | 10-200 MB | 50K-500K | 1-hour recording at 100 Hz |
### COW Branching for Environment Adaptation
The copy-on-write mechanism enables zero-overhead experimentation:
```
main (office baseline: 50K vectors)
├── branch/morning (delta: 500 vectors, ~15 KB)
├── branch/afternoon (delta: 800 vectors, ~24 KB)
├── branch/occupied-10 (delta: 2K vectors, ~60 KB)
└── branch/furniture-moved (delta: 5K vectors, ~150 KB)
```
Total overhead for 4 branches on a 50K-vector container: ~250 KB additional (0.5%).
## Consequences
### Positive
- **Single-file deployment**: Move a fingerprint database between sites by copying one `.rvf` file
- **Versioned models**: A/B test model variants without duplicating full weight sets
- **Session replay**: Reproduce detection results from recorded CSI data
- **Atomic operations**: Container writes are transactional; no partial state corruption
- **Cross-platform**: Same container format works on server, WASM, and embedded
- **Storage efficient**: COW branching avoids duplicating unchanged data
### Negative
- **Format lock-in**: RVF is not yet a widely-adopted standard
- **Serialization overhead**: Converting between native types and RVF vectors adds latency (~0.1-0.5 ms per vector)
- **Learning curve**: Team must understand segment types and container lifecycle
- **File size for sessions**: High-rate CSI capture (1000 Hz) generates large session containers
### Performance Targets
| Operation | Target Latency | Notes |
|-----------|---------------|-------|
| Container open | <10 ms | Memory-mapped I/O |
| Vector insert | <0.1 ms | Append to VEC segment |
| HNSW query (100K vectors) | <1 ms | See ADR-004 |
| Branch create | <1 ms | COW metadata only |
| Branch merge | <100 ms | Delta application |
| Container export | ~1 ms/MB | Sequential write |
## References
- [RuVector Cognitive Container Specification](https://github.com/ruvnet/ruvector)
- [Memory-Mapped I/O in Rust](https://docs.rs/memmap2)
- [Copy-on-Write Data Structures](https://en.wikipedia.org/wiki/Copy-on-write)
- ADR-002: RuVector RVF Integration Strategy
api-docs/adr/ADR-004-hnsw-vector-search-fingerprinting.md
+272
View File
@@ -0,0 +1,272 @@
# ADR-004: HNSW Vector Search for Signal Fingerprinting
## Status
Partially realized by [ADR-024](ADR-024-contrastive-csi-embedding-model.md); extended by [ADR-027](ADR-027-cross-environment-domain-generalization.md)
> **Note:** ADR-024 (AETHER) implements HNSW-compatible fingerprint indices with 4 index types. ADR-027 (MERIDIAN) extends this with domain-disentangled embeddings so fingerprints match across environments, not just within a single room.
## Date
2026-02-28
## Context
### Current Signal Matching Limitations
The WiFi-DensePose system needs to match incoming CSI patterns against known signatures for:
1. **Environment recognition**: Identifying which room/area the device is in based on CSI characteristics
2. **Activity classification**: Matching current CSI patterns to known human activities (walking, sitting, falling)
3. **Anomaly detection**: Determining whether current readings deviate significantly from baseline
4. **Survivor re-identification** (MAT module): Tracking individual survivors across scan sessions
Current approach in `CSIProcessor._calculate_detection_confidence()`:
```python
# Fixed thresholds, no similarity search
amplitude_indicator = np.mean(features.amplitude_mean) > 0.1
phase_indicator = np.std(features.phase_difference) > 0.05
motion_indicator = motion_score > 0.3
confidence = (0.4 * amplitude_indicator + 0.3 * phase_indicator + 0.3 * motion_indicator)
```
This is a **O(1) fixed-threshold check** that:
- Cannot learn from past observations
- Has no concept of "similar patterns seen before"
- Requires manual threshold tuning per environment
- Produces binary indicators (above/below threshold) losing gradient information
### What HNSW Provides
Hierarchical Navigable Small World (HNSW) graphs enable approximate nearest-neighbor search in high-dimensional vector spaces with:
- **O(log n) query time** vs O(n) brute-force
- **High recall**: >95% recall at 10x speed of exact search
- **Dynamic insertion**: New vectors added without full rebuild
- **SIMD acceleration**: RuVector's implementation uses AVX2/NEON for distance calculations
RuVector extends standard HNSW with:
- **Hyperbolic HNSW**: Search in Poincaré ball space for hierarchy-aware results (e.g., "walking" is closer to "running" than to "sitting" in activity hierarchy)
- **GNN enhancement**: Graph neural networks refine neighbor connections after queries
- **Tiered compression**: 2-32x memory reduction through adaptive quantization
## Decision
We will integrate RuVector's HNSW implementation as the primary similarity search engine for all CSI pattern matching operations, replacing fixed-threshold detection with similarity-based retrieval.
### Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ HNSW Search Pipeline │
├─────────────────────────────────────────────────────────────────┤
│ │
│ CSI Input Feature Vector HNSW │
│ ────────▶ Extraction ────▶ Encode ────▶ Search │
│ (existing) (new) (new) │
│ │ │
│ ┌─────────────┤ │
│ ▼ ▼ │
│ Top-K Results Confidence │
│ [vec_id, dist, Score from │
│ metadata] Distance Dist. │
│ │ │
│ ▼ │
│ ┌────────────┐ │
│ │ Decision │ │
│ │ Fusion │ │
│ └────────────┘ │
│ Combines HNSW similarity with │
│ existing threshold-based logic │
└─────────────────────────────────────────────────────────────────┘
```
### Index Configuration
```rust
/// HNSW configuration tuned for CSI vector characteristics
pub struct CsiHnswConfig {
/// Vector dimensionality (matches CsiFeatures encoding)
dim: usize, // 329 for 64 subcarriers
/// Maximum number of connections per node per layer
/// Higher M = better recall, more memory
/// CSI vectors are moderately dimensional; M=16 balances well
m: usize, // 16
/// Size of dynamic candidate list during construction
/// ef_construction = 200 gives >99% recall for 329-dim vectors
ef_construction: usize, // 200
/// Size of dynamic candidate list during search
/// ef_search = 64 gives >95% recall with <1ms latency at 100K vectors
ef_search: usize, // 64
/// Distance metric
/// Cosine similarity works best for normalized CSI features
metric: DistanceMetric, // Cosine
/// Maximum elements (pre-allocated for performance)
max_elements: usize, // 1_000_000
/// Enable SIMD acceleration
simd: bool, // true
/// Quantization level for memory reduction
quantization: Quantization, // PQ8 (product quantization, 8-bit)
}
```
### Multiple Index Strategy
Different use cases require different index configurations:
| Index Name | Vectors | Dim | Distance | Use Case |
|-----------|---------|-----|----------|----------|
| `env_fingerprint` | 10K-1M | 329 | Cosine | Environment/room identification |
| `activity_pattern` | 1K-50K | 329 | Euclidean | Activity classification |
| `temporal_pattern` | 10K-500K | 329 | Cosine | Temporal anomaly detection |
| `survivor_track` | 100-10K | 329 | Cosine | MAT survivor re-identification |
### Similarity-Based Detection Enhancement
Replace fixed thresholds with distance-based confidence:
```rust
/// Enhanced detection using HNSW similarity search
pub struct SimilarityDetector {
/// HNSW index of known human-present CSI patterns
human_patterns: HnswIndex,
/// HNSW index of known empty-room CSI patterns
empty_patterns: HnswIndex,
/// Fusion weight between similarity and threshold methods
fusion_alpha: f64, // 0.7 = 70% similarity, 30% threshold
}
impl SimilarityDetector {
/// Detect human presence using similarity search + threshold fusion
pub fn detect(&self, features: &CsiFeatures) -> DetectionResult {
let query_vec = features.to_rvf_vector();
// Search both indices
let human_neighbors = self.human_patterns.search(&query_vec, k=5);
let empty_neighbors = self.empty_patterns.search(&query_vec, k=5);
// Distance-based confidence
let avg_human_dist = human_neighbors.mean_distance();
let avg_empty_dist = empty_neighbors.mean_distance();
// Similarity confidence: how much closer to human patterns vs empty
let similarity_confidence = avg_empty_dist / (avg_human_dist + avg_empty_dist);
// Fuse with traditional threshold-based confidence
let threshold_confidence = self.traditional_threshold_detect(features);
let fused_confidence = self.fusion_alpha * similarity_confidence
+ (1.0 - self.fusion_alpha) * threshold_confidence;
DetectionResult {
human_detected: fused_confidence > 0.5,
confidence: fused_confidence,
similarity_confidence,
threshold_confidence,
nearest_human_pattern: human_neighbors[0].metadata.clone(),
nearest_empty_pattern: empty_neighbors[0].metadata.clone(),
}
}
}
```
### Incremental Learning Loop
Every confirmed detection enriches the index:
```
1. CSI captured → features extracted → vector encoded
2. HNSW search returns top-K neighbors + distances
3. Detection decision made (similarity + threshold fusion)
4. If confirmed (by temporal consistency or ground truth):
a. Insert vector into appropriate index (human/empty)
b. GNN layer updates neighbor relationships (ADR-006)
c. SONA adapts fusion weights (ADR-005)
5. Periodically: prune stale vectors, rebuild index layers
```
### Performance Analysis
**Memory requirements** (PQ8 quantization):
| Vector Count | Raw Size | PQ8 Compressed | HNSW Overhead | Total |
|-------------|----------|----------------|---------------|-------|
| 10,000 | 12.9 MB | 1.6 MB | 2.5 MB | 4.1 MB |
| 100,000 | 129 MB | 16 MB | 25 MB | 41 MB |
| 1,000,000 | 1.29 GB | 160 MB | 250 MB | 410 MB |
**Latency expectations** (329-dim vectors, ef_search=64):
| Vector Count | Brute Force | HNSW | Speedup |
|-------------|-------------|------|---------|
| 10,000 | 3.2 ms | 0.08 ms | 40x |
| 100,000 | 32 ms | 0.3 ms | 107x |
| 1,000,000 | 320 ms | 0.9 ms | 356x |
### Hyperbolic Extension for Activity Hierarchy
WiFi-sensed activities have natural hierarchy:
```
motion
/ \
locomotion stationary
/ \ / \
walking running sitting lying
/ \
normal shuffling
```
Hyperbolic HNSW in Poincaré ball space preserves this hierarchy during search, so a query for "shuffling" returns "walking" before "sitting" even if Euclidean distances are similar.
```rust
/// Hyperbolic HNSW for hierarchy-aware activity matching
pub struct HyperbolicActivityIndex {
index: HnswIndex,
curvature: f64, // -1.0 for unit Poincaré ball
}
impl HyperbolicActivityIndex {
pub fn search(&self, query: &[f32], k: usize) -> Vec<SearchResult> {
// Uses Poincaré distance: d(u,v) = arcosh(1 + 2||u-v||²/((1-||u||²)(1-||v||²)))
self.index.search_hyperbolic(query, k, self.curvature)
}
}
```
## Consequences
### Positive
- **Adaptive detection**: System improves with more data; no manual threshold tuning
- **Sub-millisecond search**: HNSW provides <1ms queries even at 1M vectors
- **Memory efficient**: PQ8 reduces storage 8x with <5% recall loss
- **Hierarchy-aware**: Hyperbolic mode respects activity relationships
- **Incremental**: New patterns added without full index rebuild
- **Explainable**: "This detection matched pattern X from room Y at time Z"
### Negative
- **Cold-start problem**: Need initial fingerprint data before similarity search is useful
- **Index maintenance**: Periodic pruning and layer rebalancing needed
- **Approximation**: HNSW is approximate; may miss exact nearest neighbor (mitigated by high ef_search)
- **Memory for indices**: HNSW graph structure adds 2.5x overhead on top of vectors
### Migration Strategy
1. **Phase 1**: Run HNSW search in parallel with existing threshold detection, log both results
2. **Phase 2**: A/B test fusion weights (alpha parameter) on labeled data
3. **Phase 3**: Gradually increase fusion_alpha from 0.0 (pure threshold) to 0.7 (primarily similarity)
4. **Phase 4**: Threshold detection becomes fallback for cold-start/empty-index scenarios
## References
- [HNSW: Efficient and Robust Approximate Nearest Neighbor](https://arxiv.org/abs/1603.09320)
- [Product Quantization for Nearest Neighbor Search](https://hal.inria.fr/inria-00514462)
- [Poincaré Embeddings for Learning Hierarchical Representations](https://arxiv.org/abs/1705.08039)
- [RuVector HNSW Implementation](https://github.com/ruvnet/ruvector)
- ADR-003: RVF Cognitive Containers for CSI Data
api-docs/adr/ADR-005-sona-self-learning-pose-estimation.md
+255
View File
@@ -0,0 +1,255 @@
# ADR-005: SONA Self-Learning for Pose Estimation
## Status
Partially realized in [ADR-023](ADR-023-trained-densepose-model-ruvector-pipeline.md); extended by [ADR-027](ADR-027-cross-environment-domain-generalization.md)
> **Note:** ADR-023 implements SONA with MicroLoRA rank-4 adapters and EWC++ memory preservation. ADR-027 (MERIDIAN) extends SONA with unsupervised rapid adaptation: 10 seconds of unlabeled WiFi data in a new room automatically generates environment-specific LoRA weights via contrastive test-time training.
## Date
2026-02-28
## Context
### Static Model Problem
The WiFi-DensePose modality translation network (`ModalityTranslationNetwork` in Python, `ModalityTranslator` in Rust) converts CSI features into visual-like feature maps that feed the DensePose head for body segmentation and UV coordinate estimation. These models are trained offline and deployed with frozen weights.
**Critical limitations of static models**:
1. **Environment drift**: CSI characteristics change when furniture moves, new objects are introduced, or building occupancy changes. A model trained in Lab A degrades in Lab B without retraining.
2. **Hardware variance**: Different WiFi chipsets (Intel AX200 vs Broadcom BCM4375 vs Qualcomm WCN6855) produce subtly different CSI patterns. Static models overfit to training hardware.
3. **Temporal drift**: Even in the same environment, CSI patterns shift with temperature, humidity, and electromagnetic interference changes throughout the day.
4. **Population bias**: Models trained on one demographic may underperform on body types, heights, or movement patterns not represented in training data.
Current mitigation: manual retraining with new data, which requires:
- Collecting labeled data in the new environment
- GPU-intensive training (hours to days)
- Model export/deployment cycle
- Downtime during switchover
### SONA Opportunity
RuVector's Self-Optimizing Neural Architecture (SONA) provides <1ms online adaptation through:
- **LoRA (Low-Rank Adaptation)**: Instead of updating all weights (millions of parameters), LoRA injects small trainable rank decomposition matrices into frozen model layers. For a weight matrix W ∈ R^(d×k), LoRA learns A ∈ R^(d×r) and B ∈ R^(r×k) where r << min(d,k), so the adapted weight is W + AB.
- **EWC++ (Elastic Weight Consolidation)**: Prevents catastrophic forgetting by penalizing changes to parameters important for previously learned tasks. Each parameter has a Fisher information-weighted importance score.
- **Online gradient accumulation**: Small batches of live data (as few as 1-10 samples) contribute to adaptation without full backward passes.
## Decision
We will integrate SONA as the online learning engine for both the modality translation network and the DensePose head, enabling continuous environment-specific adaptation without offline retraining.
### Adaptation Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│ SONA Adaptation Pipeline │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ Frozen Base Model LoRA Adaptation Matrices │
│ ┌─────────────────┐ ┌──────────────────────┐ │
│ │ Conv2d(64,128) │ ◀── W_frozen ──▶ │ A(64,r) × B(r,128) │ │
│ │ Conv2d(128,256) │ ◀── W_frozen ──▶ │ A(128,r) × B(r,256)│ │
│ │ Conv2d(256,512) │ ◀── W_frozen ──▶ │ A(256,r) × B(r,512)│ │
│ │ ConvT(512,256) │ ◀── W_frozen ──▶ │ A(512,r) × B(r,256)│ │
│ │ ... │ │ ... │ │
│ └─────────────────┘ └──────────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Effective Weight = W_frozen + α(AB) │ │
│ │ α = scaling factor (0.0 → 1.0 over time) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ EWC++ Regularizer │ │
│ │ L_total = L_task + λ Σ F_i (θ_i - θ*_i)² │ │
│ │ │ │
│ │ F_i = Fisher information (parameter importance) │ │
│ │ θ*_i = optimal parameters from previous tasks │ │
│ │ λ = regularization strength (10-100) │ │
│ └─────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
```
### LoRA Configuration per Layer
```rust
/// SONA LoRA configuration for WiFi-DensePose
pub struct SonaConfig {
/// LoRA rank (r): dimensionality of adaptation matrices
/// r=4 for encoder layers (less variation needed)
/// r=8 for decoder layers (more expression needed)
/// r=16 for final output layers (maximum adaptability)
lora_ranks: HashMap<String, usize>,
/// Scaling factor alpha: controls adaptation strength
/// Starts at 0.0 (pure frozen model), increases to target
alpha: f64, // Target: 0.3
/// Alpha warmup steps before reaching target
alpha_warmup_steps: usize, // 100
/// EWC++ regularization strength
ewc_lambda: f64, // 50.0
/// Fisher information estimation samples
fisher_samples: usize, // 200
/// Online learning rate (much smaller than offline training)
online_lr: f64, // 1e-5
/// Gradient accumulation steps before applying update
accumulation_steps: usize, // 10
/// Maximum adaptation delta (safety bound)
max_delta_norm: f64, // 0.1
}
```
**Parameter budget**:
| Layer | Original Params | LoRA Rank | LoRA Params | Overhead |
|-------|----------------|-----------|-------------|----------|
| Encoder Conv1 (64→128) | 73,728 | 4 | 768 | 1.0% |
| Encoder Conv2 (128→256) | 294,912 | 4 | 1,536 | 0.5% |
| Encoder Conv3 (256→512) | 1,179,648 | 4 | 3,072 | 0.3% |
| Decoder ConvT1 (512→256) | 1,179,648 | 8 | 6,144 | 0.5% |
| Decoder ConvT2 (256→128) | 294,912 | 8 | 3,072 | 1.0% |
| Output Conv (128→24) | 27,648 | 16 | 2,432 | 8.8% |
| **Total** | **3,050,496** | - | **17,024** | **0.56%** |
SONA adapts **0.56% of parameters** while achieving 70-90% of the accuracy improvement of full fine-tuning.
### Adaptation Trigger Conditions
```rust
/// When to trigger SONA adaptation
pub enum AdaptationTrigger {
/// Detection confidence drops below threshold over N samples
ConfidenceDrop {
threshold: f64, // 0.6
window_size: usize, // 50
},
/// CSI statistics drift beyond baseline (KL divergence)
DistributionDrift {
kl_threshold: f64, // 0.5
reference_window: usize, // 1000
},
/// New environment detected (no close HNSW matches)
NewEnvironment {
min_distance: f64, // 0.8 (far from all known fingerprints)
},
/// Periodic adaptation (maintenance)
Periodic {
interval_samples: usize, // 10000
},
/// Manual trigger via API
Manual,
}
```
### Adaptation Feedback Sources
Since WiFi-DensePose lacks camera ground truth in deployment, adaptation uses **self-supervised signals**:
1. **Temporal consistency**: Pose estimates should change smoothly between frames. Jerky transitions indicate prediction error.
```
L_temporal = ||pose(t) - pose(t-1)||² when Δt < 100ms
```
2. **Physical plausibility**: Body part positions must satisfy skeletal constraints (limb lengths, joint angles).
```
L_skeleton = Σ max(0, |limb_length - expected_length| - tolerance)
```
3. **Multi-view agreement** (multi-AP): Different APs observing the same person should produce consistent poses.
```
L_multiview = ||pose_AP1 - transform(pose_AP2)||²
```
4. **Detection stability**: Confidence should be high when the environment is stable.
```
L_stability = -log(confidence) when variance(CSI_window) < threshold
```
### Safety Mechanisms
```rust
/// Safety bounds prevent adaptation from degrading the model
pub struct AdaptationSafety {
/// Maximum parameter change per update step
max_step_norm: f64,
/// Rollback if validation loss increases by this factor
rollback_threshold: f64, // 1.5 (50% worse = rollback)
/// Keep N checkpoints for rollback
checkpoint_count: usize, // 5
/// Disable adaptation after N consecutive rollbacks
max_consecutive_rollbacks: usize, // 3
/// Minimum samples between adaptations
cooldown_samples: usize, // 100
}
```
### Persistence via RVF
Adaptation state is stored in the Model Container (ADR-003):
- LoRA matrices A and B serialized to VEC segment
- Fisher information matrix serialized alongside
- Each adaptation creates a witness chain entry (ADR-010)
- COW branching allows reverting to any previous adaptation state
```
model.rvf.model
├── main (frozen base weights)
├── branch/adapted-office-2024-01 (LoRA deltas)
├── branch/adapted-warehouse (LoRA deltas)
└── branch/adapted-outdoor-disaster (LoRA deltas)
```
## Consequences
### Positive
- **Zero-downtime adaptation**: Model improves continuously during operation
- **Tiny overhead**: 17K parameters (0.56%) vs 3M full model; <1ms per adaptation step
- **No forgetting**: EWC++ preserves performance on previously-seen environments
- **Portable adaptations**: LoRA deltas are ~70 KB, easily shared between devices
- **Safe rollback**: Checkpoint system prevents runaway degradation
- **Self-supervised**: No labeled data needed during deployment
### Negative
- **Bounded expressiveness**: LoRA rank limits the degree of adaptation; extreme environment changes may require offline retraining
- **Feedback noise**: Self-supervised signals are weaker than ground-truth labels; adaptation is slower and less precise
- **Compute on device**: Even small gradient computations require tensor math on the inference device
- **Complexity**: Debugging adapted models is harder than static models
- **Hyperparameter sensitivity**: EWC lambda, LoRA rank, learning rate require tuning
### Validation Plan
1. **Offline validation**: Train base model on Environment A, test SONA adaptation to Environment B with known ground truth. Measure pose estimation MPJPE (Mean Per-Joint Position Error) improvement.
2. **A/B deployment**: Run static model and SONA-adapted model in parallel on same CSI stream. Compare detection rates and pose consistency.
3. **Stress test**: Rapidly change environments (simulated) and verify EWC++ prevents catastrophic forgetting.
4. **Edge latency**: Benchmark adaptation step on target hardware (Raspberry Pi 4, Jetson Nano, browser WASM).
## References
- [LoRA: Low-Rank Adaptation of Large Language Models](https://arxiv.org/abs/2106.09685)
- [Elastic Weight Consolidation (EWC)](https://arxiv.org/abs/1612.00796)
- [Continual Learning with SONA](https://github.com/ruvnet/ruvector)
- [Self-Supervised WiFi Sensing](https://arxiv.org/abs/2203.11928)
- ADR-002: RuVector RVF Integration Strategy
- ADR-003: RVF Cognitive Containers for CSI Data
api-docs/adr/ADR-006-gnn-enhanced-csi-pattern-recognition.md
+263
View File
@@ -0,0 +1,263 @@
# ADR-006: GNN-Enhanced CSI Pattern Recognition
## Status
Partially realized in [ADR-023](ADR-023-trained-densepose-model-ruvector-pipeline.md); extended by [ADR-027](ADR-027-cross-environment-domain-generalization.md)
> **Note:** ADR-023 implements a 2-layer GCN on the COCO skeleton graph for spatial reasoning. ADR-027 (MERIDIAN) adds domain-adversarial regularization via a gradient reversal layer that forces the GCN to learn environment-invariant graph features, shedding room-specific multipath patterns.
## Date
2026-02-28
## Context
### Limitations of Independent Vector Search
ADR-004 introduces HNSW-based similarity search for CSI pattern matching. While HNSW provides fast nearest-neighbor retrieval, it treats each vector independently. CSI patterns, however, have rich relational structure:
1. **Temporal adjacency**: CSI frames captured 10ms apart are more related than frames 10s apart. Sequential patterns reveal motion trajectories.
2. **Spatial correlation**: CSI readings from adjacent subcarriers are highly correlated due to frequency proximity. Antenna pairs capture different spatial perspectives.
3. **Cross-session similarity**: The "walking to kitchen" pattern from Tuesday should inform Wednesday's recognition, but the environment baseline may have shifted.
4. **Multi-person entanglement**: When multiple people are present, CSI patterns are superpositions. Disentangling requires understanding which pattern fragments co-occur.
Standard HNSW cannot capture these relationships. Each query returns neighbors based solely on vector distance, ignoring the graph structure of how patterns relate to each other.
### RuVector's GNN Enhancement
RuVector implements a Graph Neural Network layer that sits on top of the HNSW index:
```
Standard HNSW: Query → Distance-based neighbors → Results
GNN-Enhanced: Query → Distance-based neighbors → GNN refinement → Improved results
```
The GNN performs three operations in <1ms:
1. **Message passing**: Each node aggregates information from its HNSW neighbors
2. **Attention weighting**: Multi-head attention identifies which neighbors are most relevant for the current query context
3. **Representation update**: Node embeddings are refined based on neighborhood context
Additionally, **temporal learning** tracks query sequences to discover:
- Vectors that frequently appear together in sessions
- Temporal ordering patterns (A usually precedes B)
- Session context that changes relevance rankings
## Decision
We will integrate RuVector's GNN layer to enhance CSI pattern recognition with three core capabilities: relational search, temporal sequence modeling, and multi-person disentanglement.
### GNN Architecture for CSI
```
┌─────────────────────────────────────────────────────────────────────┐
│ GNN-Enhanced CSI Pattern Graph │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Layer 1: HNSW Spatial Graph │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Nodes = CSI feature vectors │ │
│ │ Edges = HNSW neighbor connections (distance-based) │ │
│ │ Node features = [amplitude | phase | doppler | PSD] │ │
│ └───────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Layer 2: Temporal Edges │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Additional edges between temporally adjacent vectors │ │
│ │ Edge weight = 1/Δt (closer in time = stronger) │ │
│ │ Direction = causal (past → future) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Layer 3: GNN Message Passing (2 rounds) │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Round 1: h_i = σ(W₁·h_i + Σⱼ α_ij · W₂·h_j) │ │
│ │ Round 2: h_i = σ(W₃·h_i + Σⱼ α'_ij · W₄·h_j) │ │
│ │ α_ij = softmax(LeakyReLU(a^T[W·h_i || W·h_j])) │ │
│ │ (Graph Attention Network mechanism) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Layer 4: Refined Representations │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Updated vectors incorporate neighborhood context │ │
│ │ Re-rank search results using refined distances │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
```
### Three Integration Modes
#### Mode 1: Query-Time Refinement (Default)
GNN refines HNSW results after retrieval. No modifications to stored vectors.
```rust
pub struct GnnQueryRefiner {
/// GNN weights (small: ~50K parameters)
gnn_weights: GnnModel,
/// Number of message passing rounds
num_rounds: usize, // 2
/// Attention heads for neighbor weighting
num_heads: usize, // 4
/// How many HNSW neighbors to consider in GNN
neighborhood_size: usize, // 20 (retrieve 20, GNN selects best 5)
}
impl GnnQueryRefiner {
/// Refine HNSW results using graph context
pub fn refine(&self, query: &[f32], hnsw_results: &[SearchResult]) -> Vec<SearchResult> {
// Build local subgraph from query + HNSW results
let subgraph = self.build_local_subgraph(query, hnsw_results);
// Run message passing
let refined = self.message_pass(&subgraph, self.num_rounds);
// Re-rank based on refined representations
self.rerank(query, &refined)
}
}
```
**Latency**: +0.2ms on top of HNSW search (total <1.5ms for 100K vectors).
#### Mode 2: Temporal Sequence Recognition
Tracks CSI vector sequences to recognize activity patterns that span multiple frames:
```rust
/// Temporal pattern recognizer using GNN edges
pub struct TemporalPatternRecognizer {
/// Sliding window of recent query vectors
window: VecDeque<TimestampedVector>,
/// Maximum window size (in frames)
max_window: usize, // 100 (10 seconds at 10 Hz)
/// Temporal edge decay factor
decay: f64, // 0.95 (edges weaken with time)
/// Known activity sequences (learned from data)
activity_templates: HashMap<String, Vec<Vec<f32>>>,
}
impl TemporalPatternRecognizer {
/// Feed new CSI vector and check for activity pattern matches
pub fn observe(&mut self, vector: &[f32], timestamp: f64) -> Vec<ActivityMatch> {
self.window.push_back(TimestampedVector { vector: vector.to_vec(), timestamp });
// Build temporal subgraph from window
let temporal_graph = self.build_temporal_graph();
// GNN aggregates temporal context
let sequence_embedding = self.gnn_aggregate(&temporal_graph);
// Match against known activity templates
self.match_activities(&sequence_embedding)
}
}
```
**Activity patterns detectable**:
| Activity | Frames Needed | CSI Signature |
|----------|--------------|---------------|
| Walking | 10-30 | Periodic Doppler oscillation |
| Falling | 5-15 | Sharp amplitude spike → stillness |
| Sitting down | 10-20 | Gradual descent in reflection height |
| Breathing (still) | 30-100 | Micro-periodic phase variation |
| Gesture (wave) | 5-15 | Localized high-frequency amplitude variation |
#### Mode 3: Multi-Person Disentanglement
When N>1 people are present, CSI is a superposition. The GNN learns to cluster pattern fragments:
```rust
/// Multi-person CSI disentanglement using GNN clustering
pub struct MultiPersonDisentangler {
/// Maximum expected simultaneous persons
max_persons: usize, // 10
/// GNN-based spectral clustering
cluster_gnn: GnnModel,
/// Per-person tracking state
person_tracks: Vec<PersonTrack>,
}
impl MultiPersonDisentangler {
/// Separate CSI features into per-person components
pub fn disentangle(&mut self, features: &CsiFeatures) -> Vec<PersonFeatures> {
// Decompose CSI into subcarrier groups using GNN attention
let subcarrier_graph = self.build_subcarrier_graph(features);
// GNN clusters subcarriers by person contribution
let clusters = self.cluster_gnn.cluster(&subcarrier_graph, self.max_persons);
// Extract per-person features from clustered subcarriers
clusters.iter().map(|c| self.extract_person_features(features, c)).collect()
}
}
```
### GNN Learning Loop
The GNN improves with every query through RuVector's built-in learning:
```
Query → HNSW retrieval → GNN refinement → User action (click/confirm/reject)
Update GNN weights via:
1. Positive: confirmed results get higher attention
2. Negative: rejected results get lower attention
3. Temporal: successful sequences reinforce edges
```
For WiFi-DensePose, "user action" is replaced by:
- **Temporal consistency**: If frame N+1 confirms frame N's detection, reinforce
- **Multi-AP agreement**: If two APs agree on detection, reinforce both
- **Physical plausibility**: If pose satisfies skeletal constraints, reinforce
### Performance Budget
| Component | Parameters | Memory | Latency (per query) |
|-----------|-----------|--------|-------------------|
| GNN weights (2 layers, 4 heads) | 52K | 208 KB | 0.15 ms |
| Temporal graph (100-frame window) | N/A | ~130 KB | 0.05 ms |
| Multi-person clustering | 18K | 72 KB | 0.3 ms |
| **Total GNN overhead** | **70K** | **410 KB** | **0.5 ms** |
## Consequences
### Positive
- **Context-aware search**: Results account for temporal and spatial relationships, not just vector distance
- **Activity recognition**: Temporal GNN enables sequence-level pattern matching
- **Multi-person support**: GNN clustering separates overlapping CSI patterns
- **Self-improving**: Every query provides learning signal to refine attention weights
- **Lightweight**: 70K parameters, 410 KB memory, 0.5ms latency overhead
### Negative
- **Training data needed**: GNN weights require initial training on CSI pattern graphs
- **Complexity**: Three modes increase testing and debugging surface
- **Graph maintenance**: Temporal edges must be pruned to prevent unbounded growth
- **Approximation**: GNN clustering for multi-person is approximate; may merge/split incorrectly
### Interaction with Other ADRs
- **ADR-004** (HNSW): GNN operates on HNSW graph structure; depends on HNSW being available
- **ADR-005** (SONA): GNN weights can be adapted via SONA LoRA for environment-specific tuning
- **ADR-003** (RVF): GNN weights stored in model container alongside inference weights
- **ADR-010** (Witness): GNN weight updates recorded in witness chain
## References
- [Graph Attention Networks (GAT)](https://arxiv.org/abs/1710.10903)
- [Temporal Graph Networks](https://arxiv.org/abs/2006.10637)
- [Spectral Clustering with Graph Neural Networks](https://arxiv.org/abs/1907.00481)
- [WiFi-based Multi-Person Sensing](https://dl.acm.org/doi/10.1145/3534592)
- [RuVector GNN Implementation](https://github.com/ruvnet/ruvector)
- ADR-004: HNSW Vector Search for Signal Fingerprinting
api-docs/adr/ADR-007-post-quantum-cryptography-secure-sensing.md
+215
View File
@@ -0,0 +1,215 @@
# ADR-007: Post-Quantum Cryptography for Secure Sensing
## Status
Proposed
## Date
2026-02-28
## Context
### Threat Model
WiFi-DensePose processes data that can reveal:
- **Human presence/absence** in private spaces (surveillance risk)
- **Health indicators** via breathing/heartbeat detection (medical privacy)
- **Movement patterns** (behavioral profiling)
- **Building occupancy** (physical security intelligence)
In disaster scenarios (wifi-densepose-mat), the stakes are even higher:
- **Triage classifications** affect rescue priority (life-or-death decisions)
- **Survivor locations** are operationally sensitive
- **Detection audit trails** may be used in legal proceedings (liability)
- **False negatives** (missed survivors) could be forensically investigated
Current security: The system uses standard JWT (HS256) for API authentication and has no cryptographic protection on data at rest, model integrity, or detection audit trails.
### Quantum Threat Timeline
NIST estimates cryptographically relevant quantum computers could emerge by 2030-2035. Data captured today with classical encryption may be decrypted retroactively ("harvest now, decrypt later"). For a system that may be deployed for decades in infrastructure, post-quantum readiness is prudent.
### RuVector's Crypto Stack
RuVector provides a layered cryptographic system:
| Algorithm | Purpose | Standard | Quantum Resistant |
|-----------|---------|----------|-------------------|
| ML-DSA-65 | Digital signatures | FIPS 204 | Yes (lattice-based) |
| Ed25519 | Digital signatures | RFC 8032 | No (classical fallback) |
| SLH-DSA-128s | Digital signatures | FIPS 205 | Yes (hash-based) |
| SHAKE-256 | Hashing | FIPS 202 | Yes |
| AES-256-GCM | Symmetric encryption | FIPS 197 | Yes (Grover's halves, still 128-bit) |
## Decision
We will integrate RuVector's cryptographic layer to provide defense-in-depth for WiFi-DensePose data, using a **hybrid classical+PQ** approach where both Ed25519 and ML-DSA-65 signatures are applied (belt-and-suspenders until PQ algorithms mature).
### Cryptographic Scope
```
┌──────────────────────────────────────────────────────────────────┐
│ Cryptographic Protection Layers │
├──────────────────────────────────────────────────────────────────┤
│ │
│ 1. MODEL INTEGRITY │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Model weights signed with ML-DSA-65 + Ed25519 │ │
│ │ Signature verified at load time → reject tampered │ │
│ │ SONA adaptations co-signed with device key │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ 2. DATA AT REST (RVF containers) │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ CSI vectors encrypted with AES-256-GCM │ │
│ │ Container integrity via SHAKE-256 Merkle tree │ │
│ │ Key management: per-container keys, sealed to device │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ 3. DATA IN TRANSIT │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ API: TLS 1.3 with PQ key exchange (ML-KEM-768) │ │
│ │ WebSocket: Same TLS channel │ │
│ │ Multi-AP sync: mTLS with device certificates │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ 4. AUDIT TRAIL (witness chains - see ADR-010) │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Every detection event hash-chained with SHAKE-256 │ │
│ │ Chain anchors signed with ML-DSA-65 │ │
│ │ Cross-device attestation via SLH-DSA-128s │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ 5. DEVICE IDENTITY │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Each sensing device has a key pair (ML-DSA-65) │ │
│ │ Device attestation proves hardware integrity │ │
│ │ Key rotation schedule: 90 days (or on compromise) │ │
│ └─────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘
```
### Hybrid Signature Scheme
```rust
/// Hybrid signature combining classical Ed25519 with PQ ML-DSA-65
pub struct HybridSignature {
/// Classical Ed25519 signature (64 bytes)
ed25519_sig: [u8; 64],
/// Post-quantum ML-DSA-65 signature (3309 bytes)
ml_dsa_sig: Vec<u8>,
/// Signer's public key fingerprint (SHAKE-256, 32 bytes)
signer_fingerprint: [u8; 32],
/// Timestamp of signing
timestamp: u64,
}
impl HybridSignature {
/// Verify requires BOTH signatures to be valid
pub fn verify(&self, message: &[u8], ed25519_pk: &Ed25519PublicKey,
ml_dsa_pk: &MlDsaPublicKey) -> Result<bool, CryptoError> {
let ed25519_valid = ed25519_pk.verify(message, &self.ed25519_sig)?;
let ml_dsa_valid = ml_dsa_pk.verify(message, &self.ml_dsa_sig)?;
// Both must pass (defense in depth)
Ok(ed25519_valid && ml_dsa_valid)
}
}
```
### Model Integrity Verification
```rust
/// Verify model weights have not been tampered with
pub fn verify_model_integrity(model_container: &ModelContainer) -> Result<(), SecurityError> {
// 1. Extract embedded signature from container
let signature = model_container.crypto_segment().signature()?;
// 2. Compute SHAKE-256 hash of weight data
let weight_hash = shake256(model_container.weights_segment().data());
// 3. Verify hybrid signature
let publisher_keys = load_publisher_keys()?;
if !signature.verify(&weight_hash, &publisher_keys.ed25519, &publisher_keys.ml_dsa)? {
return Err(SecurityError::ModelTampered {
expected_signer: publisher_keys.fingerprint(),
container_path: model_container.path().to_owned(),
});
}
Ok(())
}
```
### CSI Data Encryption
For privacy-sensitive deployments, CSI vectors can be encrypted at rest:
```rust
/// Encrypt CSI vectors for storage in RVF container
pub struct CsiEncryptor {
/// AES-256-GCM key (derived from device key + container salt)
key: Aes256GcmKey,
}
impl CsiEncryptor {
/// Encrypt a CSI feature vector
/// Note: HNSW search operates on encrypted vectors using
/// distance-preserving encryption (approximate, configurable trade-off)
pub fn encrypt_vector(&self, vector: &[f32]) -> EncryptedVector {
let nonce = generate_nonce();
let plaintext = bytemuck::cast_slice::<f32, u8>(vector);
let ciphertext = aes_256_gcm_encrypt(&self.key, &nonce, plaintext);
EncryptedVector { ciphertext, nonce }
}
}
```
### Performance Impact
| Operation | Without Crypto | With Crypto | Overhead |
|-----------|---------------|-------------|----------|
| Model load | 50 ms | 52 ms | +2 ms (signature verify) |
| Vector insert | 0.1 ms | 0.15 ms | +0.05 ms (encrypt) |
| HNSW search | 0.3 ms | 0.35 ms | +0.05 ms (decrypt top-K) |
| Container open | 10 ms | 12 ms | +2 ms (integrity check) |
| Detection event logging | 0.01 ms | 0.5 ms | +0.49 ms (hash chain) |
### Feature Flags
```toml
[features]
default = []
crypto-classical = ["ed25519-dalek"] # Ed25519 only
crypto-pq = ["pqcrypto-dilithium", "pqcrypto-sphincsplus"] # ML-DSA + SLH-DSA
crypto-hybrid = ["crypto-classical", "crypto-pq"] # Both (recommended)
crypto-encrypt = ["aes-gcm"] # Data-at-rest encryption
crypto-full = ["crypto-hybrid", "crypto-encrypt"]
```
## Consequences
### Positive
- **Future-proof**: Lattice-based signatures resist quantum attacks
- **Tamper detection**: Model poisoning and data manipulation are detectable
- **Privacy compliance**: Encrypted CSI data meets GDPR/HIPAA requirements
- **Forensic integrity**: Signed audit trails are admissible as evidence
- **Low overhead**: <1ms per operation for most crypto operations
### Negative
- **Signature size**: ML-DSA-65 signatures are 3.3 KB vs 64 bytes for Ed25519
- **Key management complexity**: Device key provisioning, rotation, revocation
- **HNSW on encrypted data**: Distance-preserving encryption is approximate; search recall may degrade
- **Dependency weight**: PQ crypto libraries add ~2 MB to binary
- **Standards maturity**: FIPS 204/205 are finalized but implementations are evolving
## References
- [FIPS 204: ML-DSA (Module-Lattice Digital Signature)](https://csrc.nist.gov/pubs/fips/204/final)
- [FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature)](https://csrc.nist.gov/pubs/fips/205/final)
- [FIPS 202: SHA-3 / SHAKE](https://csrc.nist.gov/pubs/fips/202/final)
- [RuVector Crypto Implementation](https://github.com/ruvnet/ruvector)
- ADR-002: RuVector RVF Integration Strategy
- ADR-010: Witness Chains for Audit Trail Integrity
api-docs/adr/ADR-008-distributed-consensus-multi-ap.md
+284
View File
@@ -0,0 +1,284 @@
# ADR-008: Distributed Consensus for Multi-AP Coordination
## Status
Proposed
## Date
2026-02-28
## Context
### Multi-AP Sensing Architecture
WiFi-DensePose achieves higher accuracy and coverage with multiple access points (APs) observing the same space from different angles. The disaster detection module (wifi-densepose-mat, ADR-001) explicitly requires distributed deployment:
- **Portable**: Single TX/RX units deployed around a collapse site
- **Distributed**: Multiple APs covering a large disaster zone
- **Drone-mounted**: UAVs scanning from above with coordinated flight paths
Each AP independently captures CSI data, extracts features, and runs local inference. But the distributed system needs coordination:
1. **Consistent survivor registry**: All nodes must agree on the set of detected survivors, their locations, and triage classifications. Conflicting records cause rescue teams to waste time.
2. **Coordinated scanning**: Avoid redundant scans of the same zone. Dynamically reassign APs as zones are cleared.
3. **Model synchronization**: When SONA adapts a model on one node (ADR-005), other nodes should benefit from the adaptation without re-learning.
4. **Clock synchronization**: CSI timestamps must be aligned across nodes for multi-view pose fusion (the GNN multi-person disentanglement in ADR-006 requires temporal alignment).
5. **Partition tolerance**: In disaster scenarios, network connectivity is unreliable. The system must function during partitions and reconcile when connectivity restores.
### Current State
No distributed coordination exists. Each node operates independently. The Rust workspace has no consensus crate.
### RuVector's Distributed Capabilities
RuVector provides:
- **Raft consensus**: Leader election and replicated log for strong consistency
- **Vector clocks**: Logical timestamps for causal ordering without synchronized clocks
- **Multi-master replication**: Concurrent writes with conflict resolution
- **Delta consensus**: Tracks behavioral changes across nodes for anomaly detection
- **Auto-sharding**: Distributes data based on access patterns
## Decision
We will integrate RuVector's Raft consensus implementation as the coordination backbone for multi-AP WiFi-DensePose deployments, with vector clocks for causal ordering and CRDT-based conflict resolution for partition-tolerant operation.
### Consensus Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ Multi-AP Coordination Architecture │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Normal Operation (Connected): │
│ │
│ ┌─────────┐ Raft ┌─────────┐ Raft ┌─────────┐ │
│ │ AP-1 │◀────────────▶│ AP-2 │◀────────────▶│ AP-3 │ │
│ │ (Leader)│ Replicated │(Follower│ Replicated │(Follower│ │
│ │ │ Log │ )│ Log │ )│ │
│ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Local │ │ Local │ │ Local │ │
│ │ RVF │ │ RVF │ │ RVF │ │
│ │Container│ │Container│ │Container│ │
│ └─────────┘ └─────────┘ └─────────┘ │
│ │
│ Partitioned Operation (Disconnected): │
│ │
│ ┌─────────┐ ┌──────────────────────┐ │
│ │ AP-1 │ ← operates independently → │ AP-2 AP-3 │ │
│ │ │ │ (form sub-cluster) │ │
│ │ Local │ │ Raft between 2+3 │ │
│ │ writes │ │ │ │
│ └─────────┘ └──────────────────────┘ │
│ │ │ │
│ └──────── Reconnect: CRDT merge ─────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
```
### Replicated State Machine
The Raft log replicates these operations across all nodes:
```rust
/// Operations replicated via Raft consensus
#[derive(Serialize, Deserialize, Clone)]
pub enum ConsensusOp {
/// New survivor detected
SurvivorDetected {
survivor_id: Uuid,
location: GeoCoord,
triage: TriageLevel,
detecting_ap: ApId,
confidence: f64,
timestamp: VectorClock,
},
/// Survivor status updated (e.g., triage reclassification)
SurvivorUpdated {
survivor_id: Uuid,
new_triage: TriageLevel,
updating_ap: ApId,
evidence: DetectionEvidence,
},
/// Zone assignment changed
ZoneAssignment {
zone_id: ZoneId,
assigned_aps: Vec<ApId>,
priority: ScanPriority,
},
/// Model adaptation delta shared
ModelDelta {
source_ap: ApId,
lora_delta: Vec<u8>, // Serialized LoRA matrices
environment_hash: [u8; 32],
performance_metrics: AdaptationMetrics,
},
/// AP joined or left the cluster
MembershipChange {
ap_id: ApId,
action: MembershipAction, // Join | Leave | Suspect
},
}
```
### Vector Clocks for Causal Ordering
Since APs may have unsynchronized physical clocks, vector clocks provide causal ordering:
```rust
/// Vector clock for causal ordering across APs
#[derive(Clone, Serialize, Deserialize)]
pub struct VectorClock {
/// Map from AP ID to logical timestamp
clocks: HashMap<ApId, u64>,
}
impl VectorClock {
/// Increment this AP's clock
pub fn tick(&mut self, ap_id: &ApId) {
*self.clocks.entry(ap_id.clone()).or_insert(0) += 1;
}
/// Merge with another clock (take max of each component)
pub fn merge(&mut self, other: &VectorClock) {
for (ap_id, &ts) in &other.clocks {
let entry = self.clocks.entry(ap_id.clone()).or_insert(0);
*entry = (*entry).max(ts);
}
}
/// Check if self happened-before other
pub fn happened_before(&self, other: &VectorClock) -> bool {
self.clocks.iter().all(|(k, &v)| {
other.clocks.get(k).map_or(false, |&ov| v <= ov)
}) && self.clocks != other.clocks
}
}
```
### CRDT-Based Conflict Resolution
During network partitions, concurrent updates may conflict. We use CRDTs (Conflict-free Replicated Data Types) for automatic resolution:
```rust
/// Survivor registry using Last-Writer-Wins Register CRDT
pub struct SurvivorRegistry {
/// LWW-Element-Set: each survivor has a timestamp-tagged state
survivors: HashMap<Uuid, LwwRegister<SurvivorState>>,
}
/// Triage uses Max-wins semantics:
/// If partition A says P1 (Red/Immediate) and partition B says P2 (Yellow/Delayed),
/// after merge the survivor is classified P1 (more urgent wins)
/// Rationale: false negative (missing critical) is worse than false positive
impl CrdtMerge for TriageLevel {
fn merge(a: Self, b: Self) -> Self {
// Lower numeric priority = more urgent
if a.urgency() >= b.urgency() { a } else { b }
}
}
```
**CRDT merge strategies by data type**:
| Data Type | CRDT Type | Merge Strategy | Rationale |
|-----------|-----------|---------------|-----------|
| Survivor set | OR-Set | Union (never lose a detection) | Missing survivors = fatal |
| Triage level | Max-Register | Most urgent wins | Err toward caution |
| Location | LWW-Register | Latest timestamp wins | Survivors may move |
| Zone assignment | LWW-Map | Leader's assignment wins | Need authoritative coord |
| Model deltas | G-Set | Accumulate all deltas | All adaptations valuable |
### Node Discovery and Health
```rust
/// AP cluster management
pub struct ApCluster {
/// This node's identity
local_ap: ApId,
/// Raft consensus engine
raft: RaftEngine<ConsensusOp>,
/// Failure detector (phi-accrual)
failure_detector: PhiAccrualDetector,
/// Cluster membership
members: HashSet<ApId>,
}
impl ApCluster {
/// Heartbeat interval for failure detection
const HEARTBEAT_MS: u64 = 500;
/// Phi threshold for suspecting node failure
const PHI_THRESHOLD: f64 = 8.0;
/// Minimum cluster size for Raft (need majority)
const MIN_CLUSTER_SIZE: usize = 3;
}
```
### Performance Characteristics
| Operation | Latency | Notes |
|-----------|---------|-------|
| Raft heartbeat | 500 ms interval | Configurable |
| Log replication | 1-5 ms (LAN) | Depends on payload size |
| Leader election | 1-3 seconds | After leader failure detected |
| CRDT merge (partition heal) | 10-100 ms | Proportional to divergence |
| Vector clock comparison | <0.01 ms | O(n) where n = cluster size |
| Model delta replication | 50-200 ms | ~70 KB LoRA delta |
### Deployment Configurations
| Scenario | Nodes | Consensus | Partition Strategy |
|----------|-------|-----------|-------------------|
| Single room | 1-2 | None (local only) | N/A |
| Building floor | 3-5 | Raft (3-node quorum) | CRDT merge on heal |
| Disaster site | 5-20 | Raft (5-node quorum) + zones | Zone-level sub-clusters |
| Urban search | 20-100 | Hierarchical Raft | Regional leaders |
## Consequences
### Positive
- **Consistent state**: All APs agree on survivor registry via Raft
- **Partition tolerant**: CRDT merge allows operation during disconnection
- **Causal ordering**: Vector clocks provide logical time without NTP
- **Automatic failover**: Raft leader election handles AP failures
- **Model sharing**: SONA adaptations propagate across cluster
### Negative
- **Minimum 3 nodes**: Raft requires odd-numbered quorum for leader election
- **Network overhead**: Heartbeats and log replication consume bandwidth (~1-10 KB/s per node)
- **Complexity**: Distributed systems are inherently harder to debug
- **Latency for writes**: Raft requires majority acknowledgment before commit (1-5ms LAN)
- **Split-brain risk**: If cluster splits evenly (2+2), neither partition has quorum
### Disaster-Specific Considerations
| Challenge | Mitigation |
|-----------|------------|
| Intermittent connectivity | Aggressive CRDT merge on reconnect; local operation during partition |
| Power failures | Raft log persisted to local SSD; recovery on restart |
| Node destruction | Raft tolerates minority failure; data replicated across survivors |
| Drone mobility | Drone APs treated as ephemeral members; data synced on landing |
| Bandwidth constraints | Delta-only replication; compress LoRA deltas |
## References
- [Raft Consensus Algorithm](https://raft.github.io/raft.pdf)
- [CRDTs: Conflict-free Replicated Data Types](https://hal.inria.fr/inria-00609399)
- [Vector Clocks](https://en.wikipedia.org/wiki/Vector_clock)
- [Phi Accrual Failure Detector](https://www.computer.org/csdl/proceedings-article/srds/2004/22390066/12OmNyQYtlC)
- [RuVector Distributed Consensus](https://github.com/ruvnet/ruvector)
- ADR-001: WiFi-Mat Disaster Detection Architecture
- ADR-002: RuVector RVF Integration Strategy
api-docs/adr/ADR-009-rvf-wasm-runtime-edge-deployment.md
+262
View File
@@ -0,0 +1,262 @@
# ADR-009: RVF WASM Runtime for Edge Deployment
## Status
Proposed
## Date
2026-02-28
## Context
### Current WASM State
The wifi-densepose-wasm crate provides basic WebAssembly bindings that expose Rust types to JavaScript. It enables browser-based visualization and lightweight inference but has significant limitations:
1. **No self-contained operation**: WASM module depends on external model files loaded via fetch(). If the server is unreachable, the module is useless.
2. **No persistent state**: Browser WASM has no built-in persistent storage for fingerprint databases, model weights, or session data.
3. **No offline capability**: Without network access, the WASM module cannot load models or send results.
4. **Binary size**: Current WASM bundle is not optimized. Full inference + signal processing compiles to ~5-15 MB.
### Edge Deployment Requirements
| Scenario | Platform | Constraints |
|----------|----------|------------|
| Browser dashboard | Chrome/Firefox | <10 MB download, no plugins |
| IoT sensor node | ESP32/Raspberry Pi | 256 KB - 4 GB RAM, battery powered |
| Mobile app | iOS/Android WebView | Limited background execution |
| Drone payload | Embedded Linux + WASM | Weight/power limited, intermittent connectivity |
| Field tablet | Android tablet | Offline operation in disaster zones |
### RuVector's Edge Runtime
RuVector provides a 5.5 KB WASM runtime that boots in 125ms, with:
- Self-contained operation (models + data embedded in RVF container)
- Persistent storage via RVF container (written to IndexedDB in browser, filesystem on native)
- Offline-first architecture
- SIMD acceleration when available (WASM SIMD proposal)
## Decision
We will replace the current wifi-densepose-wasm approach with an RVF-based edge runtime that packages models, fingerprint databases, and the inference engine into a single deployable RVF container.
### Edge Runtime Architecture
```
┌──────────────────────────────────────────────────────────────────┐
│ RVF Edge Deployment Container │
│ (.rvf.edge file) │
├──────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────────┐ │
│ │ WASM │ │ VEC │ │ INDEX │ │ MODEL (ONNX) │ │
│ │ Runtime │ │ CSI │ │ HNSW │ │ + LoRA deltas │ │
│ │ (5.5KB) │ │ Finger- │ │ Graph │ │ │ │
│ │ │ │ prints │ │ │ │ │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────────────┘ │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────────┐ │
│ │ CRYPTO │ │ WITNESS │ │ COW_MAP │ │ CONFIG │ │
│ │ Keys │ │ Audit │ │ Branches│ │ Runtime params │ │
│ │ │ │ Chain │ │ │ │ │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────────────┘ │
│ │
│ Total container: 1-50 MB depending on model + fingerprint size │
└──────────────────────────────────────────────────────────────────┘
│ Deploy to:
┌───────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────────────┐ │
│ │ Browser │ │ IoT │ │ Mobile │ │ Disaster Field │ │
│ │ │ │ Device │ │ App │ │ Tablet │ │
│ │ IndexedDB │ Flash │ │ App │ │ Local FS │ │
│ │ for state│ │ for │ │ Sandbox │ │ for state │ │
│ │ │ │ state │ │ for │ │ │ │
│ │ │ │ │ │ state │ │ │ │
│ └─────────┘ └─────────┘ └─────────┘ └─────────────────┘ │
└───────────────────────────────────────────────────────────────┘
```
### Tiered Runtime Profiles
Different deployment targets get different container configurations:
```rust
/// Edge runtime profiles
pub enum EdgeProfile {
/// Full-featured browser deployment
/// ~10 MB container, full inference + HNSW + SONA
Browser {
model_quantization: Quantization::Int8,
max_fingerprints: 100_000,
enable_sona: true,
storage_backend: StorageBackend::IndexedDB,
},
/// Minimal IoT deployment
/// ~1 MB container, lightweight inference only
IoT {
model_quantization: Quantization::Int4,
max_fingerprints: 1_000,
enable_sona: false,
storage_backend: StorageBackend::Flash,
},
/// Mobile app deployment
/// ~5 MB container, inference + HNSW, limited SONA
Mobile {
model_quantization: Quantization::Int8,
max_fingerprints: 50_000,
enable_sona: true,
storage_backend: StorageBackend::AppSandbox,
},
/// Disaster field deployment (maximum capability)
/// ~50 MB container, full stack including multi-AP consensus
Field {
model_quantization: Quantization::Float16,
max_fingerprints: 1_000_000,
enable_sona: true,
storage_backend: StorageBackend::FileSystem,
},
}
```
### Container Size Budget
| Segment | Browser | IoT | Mobile | Field |
|---------|---------|-----|--------|-------|
| WASM runtime | 5.5 KB | 5.5 KB | 5.5 KB | 5.5 KB |
| Model (ONNX) | 3 MB (int8) | 0.5 MB (int4) | 3 MB (int8) | 12 MB (fp16) |
| HNSW index | 4 MB | 100 KB | 2 MB | 40 MB |
| Fingerprint vectors | 2 MB | 50 KB | 1 MB | 10 MB |
| Config + crypto | 50 KB | 10 KB | 50 KB | 100 KB |
| **Total** | **~10 MB** | **~0.7 MB** | **~6 MB** | **~62 MB** |
### Offline-First Data Flow
```
┌────────────────────────────────────────────────────────────────────┐
│ Offline-First Operation │
├────────────────────────────────────────────────────────────────────┤
│ │
│ 1. BOOT (125ms) │
│ ├── Open RVF container from local storage │
│ ├── Memory-map WASM runtime segment │
│ ├── Load HNSW index into memory │
│ └── Initialize inference engine with embedded model │
│ │
│ 2. OPERATE (continuous) │
│ ├── Receive CSI data from local hardware interface │
│ ├── Process through local pipeline (no network needed) │
│ ├── Search HNSW index against local fingerprints │
│ ├── Run SONA adaptation on local data │
│ ├── Append results to local witness chain │
│ └── Store updated vectors to local container │
│ │
│ 3. SYNC (when connected) │
│ ├── Push new vectors to central RVF container │
│ ├── Pull updated fingerprints from other nodes │
│ ├── Merge SONA deltas via Raft (ADR-008) │
│ ├── Extend witness chain with cross-node attestation │
│ └── Update local container with merged state │
│ │
│ 4. SLEEP (battery conservation) │
│ ├── Flush pending writes to container │
│ ├── Close memory-mapped segments │
│ └── Resume from step 1 on wake │
└────────────────────────────────────────────────────────────────────┘
```
### Browser-Specific Integration
```rust
/// Browser WASM entry point
#[wasm_bindgen]
pub struct WifiDensePoseEdge {
container: RvfContainer,
inference_engine: InferenceEngine,
hnsw_index: HnswIndex,
sona: Option<SonaAdapter>,
}
#[wasm_bindgen]
impl WifiDensePoseEdge {
/// Initialize from an RVF container loaded via fetch or IndexedDB
#[wasm_bindgen(constructor)]
pub async fn new(container_bytes: &[u8]) -> Result<WifiDensePoseEdge, JsValue> {
let container = RvfContainer::from_bytes(container_bytes)?;
let engine = InferenceEngine::from_container(&container)?;
let index = HnswIndex::from_container(&container)?;
let sona = SonaAdapter::from_container(&container).ok();
Ok(Self { container, inference_engine: engine, hnsw_index: index, sona })
}
/// Process a single CSI frame (called from JavaScript)
#[wasm_bindgen]
pub fn process_frame(&mut self, csi_json: &str) -> Result<String, JsValue> {
let csi_data: CsiData = serde_json::from_str(csi_json)
.map_err(|e| JsValue::from_str(&e.to_string()))?;
let features = self.extract_features(&csi_data)?;
let detection = self.detect(&features)?;
let pose = if detection.human_detected {
Some(self.estimate_pose(&features)?)
} else {
None
};
serde_json::to_string(&PoseResult { detection, pose })
.map_err(|e| JsValue::from_str(&e.to_string()))
}
/// Save current state to IndexedDB
#[wasm_bindgen]
pub async fn persist(&self) -> Result<(), JsValue> {
let bytes = self.container.serialize()?;
// Write to IndexedDB via web-sys
save_to_indexeddb("wifi-densepose-state", &bytes).await
}
}
```
### Model Quantization Strategy
| Quantization | Size Reduction | Accuracy Loss | Suitable For |
|-------------|---------------|---------------|-------------|
| Float32 (baseline) | 1x | 0% | Server/desktop |
| Float16 | 2x | <0.5% | Field tablets, GPUs |
| Int8 (PTQ) | 4x | <2% | Browser, mobile |
| Int4 (GPTQ) | 8x | <5% | IoT, ultra-constrained |
| Binary (1-bit) | 32x | ~15% | MCU/ultra-edge (experimental) |
## Consequences
### Positive
- **Single-file deployment**: Copy one `.rvf.edge` file to deploy anywhere
- **Offline operation**: Full functionality without network connectivity
- **125ms boot**: Near-instant readiness for emergency scenarios
- **Platform universal**: Same container format for browser, IoT, mobile, server
- **Battery efficient**: No network polling in offline mode
### Negative
- **Container size**: Even compressed, field containers are 50+ MB
- **WASM performance**: 2-5x slower than native Rust for compute-heavy operations
- **Browser limitations**: IndexedDB has storage quotas; WASM SIMD support varies
- **Update latency**: Offline devices miss updates until reconnection
- **Quantization accuracy**: Int4/Int8 models lose some detection sensitivity
## References
- [WebAssembly SIMD Proposal](https://github.com/WebAssembly/simd)
- [IndexedDB API](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API)
- [ONNX Runtime Web](https://onnxruntime.ai/docs/tutorials/web/)
- [Model Quantization Techniques](https://arxiv.org/abs/2103.13630)
- [RuVector WASM Runtime](https://github.com/ruvnet/ruvector)
- ADR-002: RuVector RVF Integration Strategy
- ADR-003: RVF Cognitive Containers for CSI Data
api-docs/adr/ADR-010-witness-chains-audit-trail-integrity.md
+402
View File
@@ -0,0 +1,402 @@
# ADR-010: Witness Chains for Audit Trail Integrity
## Status
Proposed
## Date
2026-02-28
## Context
### Life-Critical Audit Requirements
The wifi-densepose-mat disaster detection module (ADR-001) makes triage classifications that directly affect rescue priority:
| Triage Level | Action | Consequence of Error |
|-------------|--------|---------------------|
| P1 (Immediate/Red) | Rescue NOW | False negative → survivor dies waiting |
| P2 (Delayed/Yellow) | Rescue within 1 hour | Misclassification → delayed rescue |
| P3 (Minor/Green) | Rescue when resources allow | Over-triage → resource waste |
| P4 (Deceased/Black) | No rescue attempted | False P4 → living person abandoned |
Post-incident investigations, liability proceedings, and operational reviews require:
1. **Non-repudiation**: Prove which device made which detection at which time
2. **Tamper evidence**: Detect if records were altered after the fact
3. **Completeness**: Prove no detections were deleted or hidden
4. **Causal chain**: Reconstruct the sequence of events leading to each triage decision
5. **Cross-device verification**: Corroborate detections across multiple APs
### Current State
Detection results are logged to the database (`wifi-densepose-db`) with standard INSERT operations. Logs can be:
- Silently modified after the fact
- Deleted without trace
- Backdated or reordered
- Lost if the database is corrupted
No cryptographic integrity mechanism exists.
### RuVector Witness Chains
RuVector implements hash-linked audit trails inspired by blockchain but without the consensus overhead:
- **Hash chain**: Each entry includes the SHAKE-256 hash of the previous entry, forming a tamper-evident chain
- **Signatures**: Chain anchors (every Nth entry) are signed with the device's key pair
- **Cross-chain attestation**: Multiple devices can cross-reference each other's chains
- **Compact**: Each chain entry is ~100-200 bytes (hash + metadata + signature reference)
## Decision
We will implement RuVector witness chains as the primary audit mechanism for all detection events, triage decisions, and model adaptation events in the WiFi-DensePose system.
### Witness Chain Structure
```
┌────────────────────────────────────────────────────────────────────┐
│ Witness Chain │
├────────────────────────────────────────────────────────────────────┤
│ │
│ Entry 0 Entry 1 Entry 2 Entry 3 │
│ (Genesis) │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ prev: ∅ │◀───│ prev: H0 │◀───│ prev: H1 │◀───│ prev: H2 │ │
│ │ event: │ │ event: │ │ event: │ │ event: │ │
│ │ INIT │ │ DETECT │ │ TRIAGE │ │ ADAPT │ │
│ │ hash: H0 │ │ hash: H1 │ │ hash: H2 │ │ hash: H3 │ │
│ │ sig: S0 │ │ │ │ │ │ sig: S1 │ │
│ │ (anchor) │ │ │ │ │ │ (anchor) │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ H0 = SHAKE-256(INIT || device_id || timestamp) │
│ H1 = SHAKE-256(DETECT_DATA || H0 || timestamp) │
│ H2 = SHAKE-256(TRIAGE_DATA || H1 || timestamp) │
│ H3 = SHAKE-256(ADAPT_DATA || H2 || timestamp) │
│ │
│ Anchor signature S0 = ML-DSA-65.sign(H0, device_key) │
│ Anchor signature S1 = ML-DSA-65.sign(H3, device_key) │
│ Anchor interval: every 100 entries (configurable) │
└────────────────────────────────────────────────────────────────────┘
```
### Witnessed Event Types
```rust
/// Events recorded in the witness chain
#[derive(Serialize, Deserialize, Clone)]
pub enum WitnessedEvent {
/// Chain initialization (genesis)
ChainInit {
device_id: DeviceId,
firmware_version: String,
config_hash: [u8; 32],
},
/// Human presence detected
HumanDetected {
detection_id: Uuid,
confidence: f64,
csi_features_hash: [u8; 32], // Hash of input data, not raw data
location_estimate: Option<GeoCoord>,
model_version: String,
},
/// Triage classification assigned or changed
TriageDecision {
survivor_id: Uuid,
previous_level: Option<TriageLevel>,
new_level: TriageLevel,
evidence_hash: [u8; 32], // Hash of supporting evidence
deciding_algorithm: String,
confidence: f64,
},
/// False detection corrected
DetectionCorrected {
detection_id: Uuid,
correction_type: CorrectionType, // FalsePositive | FalseNegative | Reclassified
reason: String,
corrected_by: CorrectorId, // Device or operator
},
/// Model adapted via SONA
ModelAdapted {
adaptation_id: Uuid,
trigger: AdaptationTrigger,
lora_delta_hash: [u8; 32],
performance_before: f64,
performance_after: f64,
},
/// Zone scan completed
ZoneScanCompleted {
zone_id: ZoneId,
scan_duration_ms: u64,
detections_count: usize,
coverage_percentage: f64,
},
/// Cross-device attestation received
CrossAttestation {
attesting_device: DeviceId,
attested_chain_hash: [u8; 32],
attested_entry_index: u64,
},
/// Operator action (manual override)
OperatorAction {
operator_id: String,
action: OperatorActionType,
target: Uuid, // What was acted upon
justification: String,
},
}
```
### Chain Entry Structure
```rust
/// A single entry in the witness chain
#[derive(Serialize, Deserialize)]
pub struct WitnessEntry {
/// Sequential index in the chain
index: u64,
/// SHAKE-256 hash of the previous entry (32 bytes)
previous_hash: [u8; 32],
/// The witnessed event
event: WitnessedEvent,
/// Device that created this entry
device_id: DeviceId,
/// Monotonic timestamp (device-local, not wall clock)
monotonic_timestamp: u64,
/// Wall clock timestamp (best-effort, may be inaccurate)
wall_timestamp: DateTime<Utc>,
/// Vector clock for causal ordering (see ADR-008)
vector_clock: VectorClock,
/// This entry's hash: SHAKE-256(serialize(self without this field))
entry_hash: [u8; 32],
/// Anchor signature (present every N entries)
anchor_signature: Option<HybridSignature>,
}
```
### Tamper Detection
```rust
/// Verify witness chain integrity
pub fn verify_chain(chain: &[WitnessEntry]) -> Result<ChainVerification, AuditError> {
let mut verification = ChainVerification::new();
for (i, entry) in chain.iter().enumerate() {
// 1. Verify hash chain linkage
if i > 0 {
let expected_prev_hash = chain[i - 1].entry_hash;
if entry.previous_hash != expected_prev_hash {
verification.add_violation(ChainViolation::BrokenLink {
entry_index: entry.index,
expected_hash: expected_prev_hash,
actual_hash: entry.previous_hash,
});
}
}
// 2. Verify entry self-hash
let computed_hash = compute_entry_hash(entry);
if computed_hash != entry.entry_hash {
verification.add_violation(ChainViolation::TamperedEntry {
entry_index: entry.index,
});
}
// 3. Verify anchor signatures
if let Some(ref sig) = entry.anchor_signature {
let device_keys = load_device_keys(&entry.device_id)?;
if !sig.verify(&entry.entry_hash, &device_keys.ed25519, &device_keys.ml_dsa)? {
verification.add_violation(ChainViolation::InvalidSignature {
entry_index: entry.index,
});
}
}
// 4. Verify monotonic timestamp ordering
if i > 0 && entry.monotonic_timestamp <= chain[i - 1].monotonic_timestamp {
verification.add_violation(ChainViolation::NonMonotonicTimestamp {
entry_index: entry.index,
});
}
verification.verified_entries += 1;
}
Ok(verification)
}
```
### Cross-Device Attestation
Multiple APs can cross-reference each other's chains for stronger guarantees:
```
Device A's chain: Device B's chain:
┌──────────┐ ┌──────────┐
│ Entry 50 │ │ Entry 73 │
│ H_A50 │◀────── cross-attest ───▶│ H_B73 │
└──────────┘ └──────────┘
Device A records: CrossAttestation { attesting: B, hash: H_B73, index: 73 }
Device B records: CrossAttestation { attesting: A, hash: H_A50, index: 50 }
After cross-attestation:
- Neither device can rewrite entries before the attested point
without the other device's chain becoming inconsistent
- An investigator can verify both chains agree on the attestation point
```
**Attestation frequency**: Every 5 minutes during connected operation, immediately on significant events (P1 triage, zone completion).
### Storage and Retrieval
Witness chains are stored in the RVF container's WITNESS segment:
```rust
/// Witness chain storage manager
pub struct WitnessChainStore {
/// Current chain being appended to
active_chain: Vec<WitnessEntry>,
/// Anchor signature interval
anchor_interval: usize, // 100
/// Device signing key
device_key: DeviceKeyPair,
/// Cross-attestation peers
attestation_peers: Vec<DeviceId>,
/// RVF container for persistence
container: RvfContainer,
}
impl WitnessChainStore {
/// Append an event to the chain
pub fn witness(&mut self, event: WitnessedEvent) -> Result<u64, AuditError> {
let index = self.active_chain.len() as u64;
let previous_hash = self.active_chain.last()
.map(|e| e.entry_hash)
.unwrap_or([0u8; 32]);
let mut entry = WitnessEntry {
index,
previous_hash,
event,
device_id: self.device_key.device_id(),
monotonic_timestamp: monotonic_now(),
wall_timestamp: Utc::now(),
vector_clock: self.get_current_vclock(),
entry_hash: [0u8; 32], // Computed below
anchor_signature: None,
};
// Compute entry hash
entry.entry_hash = compute_entry_hash(&entry);
// Add anchor signature at interval
if index % self.anchor_interval as u64 == 0 {
entry.anchor_signature = Some(
self.device_key.sign_hybrid(&entry.entry_hash)?
);
}
self.active_chain.push(entry);
// Persist to RVF container
self.container.append_witness(&self.active_chain.last().unwrap())?;
Ok(index)
}
/// Query chain for events in a time range
pub fn query_range(&self, start: DateTime<Utc>, end: DateTime<Utc>)
-> Vec<&WitnessEntry>
{
self.active_chain.iter()
.filter(|e| e.wall_timestamp >= start && e.wall_timestamp <= end)
.collect()
}
/// Export chain for external audit
pub fn export_for_audit(&self) -> AuditBundle {
AuditBundle {
chain: self.active_chain.clone(),
device_public_key: self.device_key.public_keys(),
cross_attestations: self.collect_cross_attestations(),
chain_summary: self.compute_summary(),
}
}
}
```
### Performance Impact
| Operation | Latency | Notes |
|-----------|---------|-------|
| Append entry | 0.05 ms | Hash computation + serialize |
| Append with anchor signature | 0.5 ms | + ML-DSA-65 sign |
| Verify single entry | 0.02 ms | Hash comparison |
| Verify anchor | 0.3 ms | ML-DSA-65 verify |
| Full chain verify (10K entries) | 50 ms | Sequential hash verification |
| Cross-attestation | 1 ms | Sign + network round-trip |
### Storage Requirements
| Chain Length | Entries/Hour | Size/Hour | Size/Day |
|-------------|-------------|-----------|----------|
| Low activity | ~100 | ~20 KB | ~480 KB |
| Normal operation | ~1,000 | ~200 KB | ~4.8 MB |
| Disaster response | ~10,000 | ~2 MB | ~48 MB |
| High-intensity scan | ~50,000 | ~10 MB | ~240 MB |
## Consequences
### Positive
- **Tamper-evident**: Any modification to historical records is detectable
- **Non-repudiable**: Signed anchors prove device identity
- **Complete history**: Every detection, triage, and correction is recorded
- **Cross-verified**: Multi-device attestation strengthens guarantees
- **Forensically sound**: Exportable audit bundles for legal proceedings
- **Low overhead**: 0.05ms per entry; minimal storage for normal operation
### Negative
- **Append-only growth**: Chains grow monotonically; need archival strategy for long deployments
- **Key management**: Device keys must be provisioned and protected
- **Clock dependency**: Wall-clock timestamps are best-effort; monotonic timestamps are device-local
- **Verification cost**: Full chain verification of long chains takes meaningful time (50ms/10K entries)
- **Privacy tension**: Detailed audit trails contain operational intelligence
### Regulatory Alignment
| Requirement | How Witness Chains Address It |
|------------|------------------------------|
| GDPR (Right to erasure) | Event hashes stored, not personal data; original data deletable while chain proves historical integrity |
| HIPAA (Audit controls) | Complete access/modification log with non-repudiation |
| ISO 27001 (Information security) | Tamper-evident records, access logging, integrity verification |
| NIST SP 800-53 (AU controls) | Audit record generation, protection, and review capability |
| FEMA ICS (Incident Command) | Chain of custody for all operational decisions |
## References
- [Witness Chains in Distributed Systems](https://eprint.iacr.org/2019/747)
- [SHAKE-256 (FIPS 202)](https://csrc.nist.gov/pubs/fips/202/final)
- [Tamper-Evident Logging](https://www.usenix.org/legacy/event/sec09/tech/full_papers/crosby.pdf)
- [RuVector Witness Implementation](https://github.com/ruvnet/ruvector)
- ADR-001: WiFi-Mat Disaster Detection Architecture
- ADR-007: Post-Quantum Cryptography for Secure Sensing
- ADR-008: Distributed Consensus for Multi-AP Coordination
api-docs/adr/ADR-011-python-proof-of-reality-mock-elimination.md
+414
View File
@@ -0,0 +1,414 @@
# ADR-011: Python Proof-of-Reality and Mock Elimination
## Status
Proposed (URGENT)
## Date
2026-02-28
## Context
### The Credibility Problem
The WiFi-DensePose Python codebase contains real, mathematically sound signal processing (FFT, phase unwrapping, Doppler extraction, correlation features) alongside mock/placeholder code that fatally undermines credibility. External reviewers who encounter **any** mock path in the default execution flow conclude the entire system is synthetic. This is not a technical problem - it is a perception problem with technical root causes.
### Specific Mock/Placeholder Inventory
The following code paths produce fake data **in the default configuration** or are easily mistaken for indicating fake functionality:
#### Critical Severity (produces fake output on default path)
| File | Line | Issue | Impact |
|------|------|-------|--------|
| `archive/v1/src/core/csi_processor.py` | 390 | `doppler_shift = np.random.rand(10) # Placeholder` | **Real feature extractor returns random Doppler** - kills credibility of entire feature pipeline |
| `archive/v1/src/hardware/csi_extractor.py` | 83-84 | `amplitude = np.random.rand(...)` in CSI extraction fallback | Random data silently substituted when parsing fails |
| `archive/v1/src/hardware/csi_extractor.py` | 129-135 | `_parse_atheros()` returns `np.random.rand()` with comment "placeholder implementation" | Named as if it parses real data, actually random |
| `archive/v1/src/hardware/router_interface.py` | 211-212 | `np.random.rand(3, 56)` in fallback path | Silent random fallback |
| `archive/v1/src/services/pose_service.py` | 431 | `mock_csi = np.random.randn(64, 56, 3) # Mock CSI data` | Mock CSI in production code path |
| `archive/v1/src/services/pose_service.py` | 293-356 | `_generate_mock_poses()` with `random.randint` throughout | Entire mock pose generator in service layer |
| `archive/v1/src/services/pose_service.py` | 489-607 | Multiple `random.randint` for occupancy, historical data | Fake statistics that look real in API responses |
| `archive/v1/src/api/dependencies.py` | 82, 408 | "return a mock user for development" | Auth bypass in default path |
#### Moderate Severity (mock gated behind flags but confusing)
| File | Line | Issue |
|------|------|-------|
| `archive/v1/src/config/settings.py` | 144-145 | `mock_hardware=False`, `mock_pose_data=False` defaults - correct, but mock infrastructure exists |
| `archive/v1/src/core/router_interface.py` | 27-300 | 270+ lines of mock data generation infrastructure in production code |
| `archive/v1/src/services/pose_service.py` | 84-88 | Silent conditional: `if not self.settings.mock_pose_data` with no logging of real-mode |
| `archive/v1/src/services/hardware_service.py` | 72-375 | Interleaved mock/real paths throughout |
#### Low Severity (placeholders/TODOs)
| File | Line | Issue |
|------|------|-------|
| `archive/v1/src/core/router_interface.py` | 198 | "Collect real CSI data from router (placeholder implementation)" |
| `archive/v1/src/api/routers/health.py` | 170-171 | `uptime_seconds = 0.0 # TODO` |
| `archive/v1/src/services/pose_service.py` | 739 | `"uptime_seconds": 0.0 # TODO` |
### Root Cause Analysis
1. **No separation between mock and real**: Mock generators live in the same modules as real processors. A reviewer reading `csi_processor.py` hits `np.random.rand(10)` at line 390 and stops trusting the 400 lines of real signal processing above it.
2. **Silent fallbacks**: When real hardware isn't available, the system silently falls back to random data instead of failing loudly. This means the default `docker compose up` produces plausible-looking but entirely fake results.
3. **No proof artifact**: There is no shipped CSI capture file, no expected output hash, no way for a reviewer to verify that the pipeline produces deterministic results from real input.
4. **Build environment fragility**: The `Dockerfile` references `requirements.txt` which doesn't exist as a standalone file. The `setup.py` hardcodes 87 dependencies. ONNX Runtime and BLAS are not in the container. A `docker build` may or may not succeed depending on the machine.
5. **No CI verification**: No GitHub Actions workflow runs the pipeline on a real or deterministic input and verifies the output.
## Decision
We will eliminate the credibility gap through five concrete changes:
### 1. Eliminate All Silent Mock Fallbacks (HARD FAIL)
**Every path that currently returns `np.random.rand()` will either be replaced with real computation or will raise an explicit error.**
```python
# BEFORE (csi_processor.py:390)
doppler_shift = np.random.rand(10) # Placeholder
# AFTER
def _extract_doppler_features(self, csi_data: CSIData) -> tuple:
"""Extract Doppler and frequency domain features from CSI temporal history."""
if len(self.csi_history) < 2:
# Not enough history for temporal analysis - return zeros, not random
doppler_shift = np.zeros(self.window_size)
psd = np.abs(scipy.fft.fft(csi_data.amplitude.flatten(), n=128))**2
return doppler_shift, psd
# Real Doppler extraction from temporal CSI differences
history_array = np.array([h.amplitude for h in self.get_recent_history(self.window_size)])
# Compute phase differences over time (proportional to Doppler shift)
temporal_phase_diff = np.diff(np.angle(history_array + 1j * np.zeros_like(history_array)), axis=0)
# Average across antennas, FFT across time for Doppler spectrum
doppler_spectrum = np.abs(scipy.fft.fft(temporal_phase_diff.mean(axis=1), axis=0))
doppler_shift = doppler_spectrum.mean(axis=1)
psd = np.abs(scipy.fft.fft(csi_data.amplitude.flatten(), n=128))**2
return doppler_shift, psd
```
```python
# BEFORE (csi_extractor.py:129-135)
def _parse_atheros(self, raw_data):
"""Parse Atheros CSI format (placeholder implementation)."""
# For now, return mock data for testing
return CSIData(amplitude=np.random.rand(3, 56), ...)
# AFTER
def _parse_atheros(self, raw_data: bytes) -> CSIData:
"""Parse Atheros CSI Tool format.
Format: https://dhalperi.github.io/linux-80211n-csitool/
"""
if len(raw_data) < 25: # Minimum Atheros CSI header
raise CSIExtractionError(
f"Atheros CSI data too short ({len(raw_data)} bytes). "
"Expected real CSI capture from Atheros-based NIC. "
"See docs/hardware-setup.md for capture instructions."
)
# Parse actual Atheros binary format
# ... real parsing implementation ...
```
### 2. Isolate Mock Infrastructure Behind Explicit Flag with Banner
**All mock code moves to a dedicated module. Default execution NEVER touches mock paths.**
```
archive/v1/src/
├── core/
│ ├── csi_processor.py # Real processing only
│ └── router_interface.py # Real hardware interface only
├── testing/ # NEW: isolated mock module
│ ├── __init__.py
│ ├── mock_csi_generator.py # Mock CSI generation (moved from router_interface)
│ ├── mock_pose_generator.py # Mock poses (moved from pose_service)
│ └── fixtures/ # Test fixtures, not production paths
│ ├── sample_csi_capture.bin # Real captured CSI data (tiny sample)
│ └── expected_output.json # Expected pipeline output for sample
```
**Runtime enforcement:**
```python
import os
import sys
MOCK_MODE = os.environ.get("WIFI_DENSEPOSE_MOCK", "").lower() == "true"
if MOCK_MODE:
# Print banner on EVERY log line
_original_log = logging.Logger._log
def _mock_banner_log(self, level, msg, args, **kwargs):
_original_log(self, level, f"[MOCK MODE] {msg}", args, **kwargs)
logging.Logger._log = _mock_banner_log
print("=" * 72, file=sys.stderr)
print(" WARNING: RUNNING IN MOCK MODE - ALL DATA IS SYNTHETIC", file=sys.stderr)
print(" Set WIFI_DENSEPOSE_MOCK=false for real operation", file=sys.stderr)
print("=" * 72, file=sys.stderr)
```
### 3. Ship a Reproducible Proof Bundle
A small real CSI capture file + one-command verification pipeline:
```
archive/v1/data/proof/
├── README.md # How to verify
├── sample_csi_capture.bin # Real CSI data (1 second, ~50 KB)
├── sample_csi_capture_meta.json # Capture metadata (hardware, env)
├── expected_features.json # Expected feature extraction output
├── expected_features.sha256 # SHA-256 hash of expected output
└── verify.py # One-command verification script
```
**verify.py**:
```python
#!/usr/bin/env python3
"""Verify WiFi-DensePose pipeline produces deterministic output from real CSI data.
Usage:
python archive/v1/data/proof/verify.py
Expected output:
PASS: Pipeline output matches expected hash
SHA256: <hash>
If this passes, the signal processing pipeline is producing real,
deterministic results from real captured CSI data.
"""
import hashlib
import json
import sys
import os
# Ensure reproducibility
os.environ["PYTHONHASHSEED"] = "42"
import numpy as np
np.random.seed(42) # Only affects any remaining random elements
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../.."))
from src.core.csi_processor import CSIProcessor
from src.hardware.csi_extractor import CSIExtractor
def main():
# Load real captured CSI data
capture_path = os.path.join(os.path.dirname(__file__), "sample_csi_capture.bin")
meta_path = os.path.join(os.path.dirname(__file__), "sample_csi_capture_meta.json")
expected_hash_path = os.path.join(os.path.dirname(__file__), "expected_features.sha256")
with open(meta_path) as f:
meta = json.load(f)
# Extract CSI from binary capture
extractor = CSIExtractor(format=meta["format"])
csi_data = extractor.extract_from_file(capture_path)
# Process through feature pipeline
config = {
"sampling_rate": meta["sampling_rate"],
"window_size": meta["window_size"],
"overlap": meta["overlap"],
"noise_threshold": meta["noise_threshold"],
}
processor = CSIProcessor(config)
features = processor.extract_features(csi_data)
# Serialize features deterministically
output = {
"amplitude_mean": features.amplitude_mean.tolist(),
"amplitude_variance": features.amplitude_variance.tolist(),
"phase_difference": features.phase_difference.tolist(),
"doppler_shift": features.doppler_shift.tolist(),
"psd_first_16": features.power_spectral_density[:16].tolist(),
}
output_json = json.dumps(output, sort_keys=True, separators=(",", ":"))
output_hash = hashlib.sha256(output_json.encode()).hexdigest()
# Verify against expected hash
with open(expected_hash_path) as f:
expected_hash = f.read().strip()
if output_hash == expected_hash:
print(f"PASS: Pipeline output matches expected hash")
print(f"SHA256: {output_hash}")
print(f"Features: {len(output['amplitude_mean'])} subcarriers processed")
return 0
else:
print(f"FAIL: Hash mismatch")
print(f"Expected: {expected_hash}")
print(f"Got: {output_hash}")
return 1
if __name__ == "__main__":
sys.exit(main())
```
### 4. Pin the Build Environment
**Option A (recommended): Deterministic Dockerfile that works on fresh machine**
```dockerfile
FROM python:3.11-slim
# System deps that actually matter
RUN apt-get update && apt-get install -y --no-install-recommends \
libopenblas-dev \
libfftw3-dev \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Pinned requirements (not a reference to missing file)
COPY archive/v1/requirements-lock.txt ./requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
COPY archive/v1/ ./v1/
# Proof of reality: verify pipeline on build
RUN cd archive/v1 && python data/proof/verify.py
EXPOSE 8000
# Default: REAL mode (mock requires explicit opt-in)
ENV WIFI_DENSEPOSE_MOCK=false
CMD ["uvicorn", "v1.src.api.main:app", "--host", "0.0.0.0", "--port", "8000"]
```
**Key change**: `RUN python data/proof/verify.py` **during build** means the Docker image cannot be created unless the pipeline produces correct output from real CSI data.
**Requirements lockfile** (`archive/v1/requirements-lock.txt`):
```
# Core (required)
fastapi==0.115.6
uvicorn[standard]==0.34.0
pydantic==2.10.4
pydantic-settings==2.7.1
numpy==1.26.4
scipy==1.14.1
# Signal processing (required)
# No ONNX required for basic pipeline verification
# Optional (install separately for full features)
# torch>=2.1.0
# onnxruntime>=1.17.0
```
### 5. CI Pipeline That Proves Reality
```yaml
# .github/workflows/verify-pipeline.yml
name: Verify Signal Pipeline
on:
push:
paths: ['archive/v1/src/**', 'archive/v1/data/proof/**']
pull_request:
paths: ['archive/v1/src/**']
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install minimal deps
run: pip install numpy scipy pydantic pydantic-settings
- name: Verify pipeline determinism
run: python archive/v1/data/proof/verify.py
- name: Verify no random in production paths
run: |
# Fail if np.random appears in production code (not in testing/)
! grep -r "np\.random\.\(rand\|randn\|randint\)" archive/v1/src/ \
--include="*.py" \
--exclude-dir=testing \
|| (echo "FAIL: np.random found in production code" && exit 1)
```
### Concrete File Changes Required
| File | Action | Description |
|------|--------|-------------|
| `archive/v1/src/core/csi_processor.py:390` | **Replace** | Real Doppler extraction from temporal CSI history |
| `archive/v1/src/hardware/csi_extractor.py:83-84` | **Replace** | Hard error with descriptive message when parsing fails |
| `archive/v1/src/hardware/csi_extractor.py:129-135` | **Replace** | Real Atheros CSI parser or hard error with hardware instructions |
| `archive/v1/src/hardware/router_interface.py:198-212` | **Replace** | Hard error for unimplemented hardware, or real `iwconfig` + CSI tool integration |
| `archive/v1/src/services/pose_service.py:293-356` | **Move** | Move `_generate_mock_poses()` to `archive/v1/src/testing/mock_pose_generator.py` |
| `archive/v1/src/services/pose_service.py:430-431` | **Remove** | Remove mock CSI generation from production path |
| `archive/v1/src/services/pose_service.py:489-607` | **Replace** | Real statistics from database, or explicit "no data" response |
| `archive/v1/src/core/router_interface.py:60-300` | **Move** | Move mock generator to `archive/v1/src/testing/mock_csi_generator.py` |
| `archive/v1/src/api/dependencies.py:82,408` | **Replace** | Real auth check or explicit dev-mode bypass with logging |
| `archive/v1/data/proof/` | **Create** | Proof bundle (sample capture + expected hash + verify script) |
| `archive/v1/requirements-lock.txt` | **Create** | Pinned minimal dependencies |
| `.github/workflows/verify-pipeline.yml` | **Create** | CI verification |
### Hardware Documentation
```
archive/v1/docs/hardware-setup.md (to be created)
# Supported Hardware Matrix
| Chipset | Tool | OS | Capture Command |
|---------|------|----|-----------------|
| Intel 5300 | Linux 802.11n CSI Tool | Ubuntu 18.04 | `sudo ./log_to_file csi.dat` |
| Atheros AR9580 | Atheros CSI Tool | Ubuntu 14.04 | `sudo ./recv_csi csi.dat` |
| Broadcom BCM4339 | Nexmon CSI | Android/Nexus 5 | `nexutil -m1 -k1 ...` |
| ESP32 | ESP32-CSI | ESP-IDF | `csi_recv --format binary` |
# Calibration
1. Place router and receiver 2m apart, line of sight
2. Capture 10 seconds of empty-room baseline
3. Have one person walk through at normal pace
4. Capture 10 seconds during walk-through
5. Run calibration: `python archive/v1/scripts/calibrate.py --baseline empty.dat --activity walk.dat`
```
## Consequences
### Positive
- **"Clone, build, verify" in one command**: `docker build . && docker run --rm wifi-densepose python archive/v1/data/proof/verify.py` produces a deterministic PASS
- **No silent fakes**: Random data never appears in production output
- **CI enforcement**: PRs that introduce `np.random` in production paths fail automatically
- **Credibility anchor**: SHA-256 verified output from real CSI capture is unchallengeable proof
- **Clear mock boundary**: Mock code exists only in `archive/v1/src/testing/`, never imported by production modules
### Negative
- **Requires real CSI capture**: Someone must capture and commit a real CSI sample (one-time effort)
- **Build may fail without hardware**: Without mock fallback, systems without WiFi hardware cannot demo - must use proof bundle instead
- **Migration effort**: Moving mock code to separate module requires updating imports in test files
- **Stricter development workflow**: Developers must explicitly opt in to mock mode
### Acceptance Criteria
A stranger can:
1. `git clone` the repository
2. Run ONE command (`docker build .` or `python archive/v1/data/proof/verify.py`)
3. See `PASS: Pipeline output matches expected hash` with a specific SHA-256
4. Confirm no `np.random` in any non-test file via CI badge
If this works 100% over 5 runs on a clean machine, the "fake" narrative dies.
### Answering the Two Key Questions
**Q1: Docker or Nix first?**
Recommendation: **Docker first**. The Dockerfile already exists, just needs fixing. Nix is higher quality but smaller audience. Docker gives the widest "clone and verify" coverage.
**Q2: Are external crates public and versioned?**
The Python dependencies are all public PyPI packages. The Rust `ruvector-core` and `ruvector-data-framework` crates are currently commented out in `Cargo.toml` (lines 83-84: `# ruvector-core = "0.1"`) and are not yet published to crates.io. They are internal to ruvnet. This is a blocker for the Rust path but does not affect the Python proof-of-reality work in this ADR.
## References
- [Linux 802.11n CSI Tool](https://dhalperi.github.io/linux-80211n-csitool/)
- [Atheros CSI Tool](https://wands.sg/research/wifi/AthesCSI/)
- [Nexmon CSI](https://github.com/seemoo-lab/nexmon_csi)
- [ESP32 CSI](https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-guides/wifi.html#wi-fi-channel-state-information)
- [Reproducible Builds](https://reproducible-builds.org/)
- ADR-002: RuVector RVF Integration Strategy
api-docs/adr/ADR-012-esp32-csi-sensor-mesh.md
+347
View File
@@ -0,0 +1,347 @@
# ADR-012: ESP32 CSI Sensor Mesh for Distributed Sensing
## Status
Accepted — Partially Implemented (firmware + aggregator working, see ADR-018)
## Date
2026-02-28
## Context
### The Hardware Reality Gap
WiFi-DensePose's Rust and Python pipelines implement real signal processing (FFT, phase unwrapping, Doppler extraction, correlation features), but the system currently has no defined path from **physical WiFi hardware → CSI bytes → pipeline input**. The `csi_extractor.py` and `router_interface.py` modules contain placeholder parsers that return `np.random.rand()` instead of real parsed data (see ADR-011).
To close this gap, we need a concrete, affordable, reproducible hardware platform that produces real CSI data and streams it into the existing pipeline.
### Why ESP32
| Factor | ESP32/ESP32-S3 | Intel 5300 (iwl5300) | Atheros AR9580 |
|--------|---------------|---------------------|----------------|
| Cost | ~$5-15/node | ~$50-100 (used NIC) | ~$30-60 (used NIC) |
| Availability | Mass produced, in stock | Discontinued, eBay only | Discontinued, eBay only |
| CSI Support | Official ESP-IDF API | Linux CSI Tool (kernel mod) | Atheros CSI Tool |
| Form Factor | Standalone MCU | Requires PCIe/Mini-PCIe host | Requires PCIe host |
| Deployment | Battery/USB, wireless | Desktop/laptop only | Desktop/laptop only |
| Antenna Config | 1-2 TX, 1-2 RX | 3 TX, 3 RX (MIMO) | 3 TX, 3 RX (MIMO) |
| Subcarriers | 52-56 (802.11n) | 30 (compressed) | 56 (full) |
| Fidelity | Lower (consumer SoC) | Higher (dedicated NIC) | Higher (dedicated NIC) |
**ESP32 wins on deployability**: It's the only option where a stranger can buy nodes on Amazon, flash firmware, and have a working CSI mesh in an afternoon. Intel 5300 and Atheros cards require specific hardware, kernel modifications, and legacy OS versions.
### ESP-IDF CSI API
Espressif provides official CSI support through three key functions:
```c
// 1. Configure what CSI data to capture
wifi_csi_config_t csi_config = {
.lltf_en = true, // Long Training Field (best for CSI)
.htltf_en = true, // HT-LTF
.stbc_htltf2_en = true, // STBC HT-LTF2
.ltf_merge_en = true, // Merge LTFs
.channel_filter_en = false,
.manu_scale = false,
};
esp_wifi_set_csi_config(&csi_config);
// 2. Register callback for received CSI data
esp_wifi_set_csi_rx_cb(csi_data_callback, NULL);
// 3. Enable CSI collection
esp_wifi_set_csi(true);
// Callback receives:
void csi_data_callback(void *ctx, wifi_csi_info_t *info) {
// info->rx_ctrl: RSSI, noise_floor, channel, secondary_channel, etc.
// info->buf: Raw CSI data (I/Q pairs per subcarrier)
// info->len: Length of CSI data buffer
// Typical: 112 bytes = 56 subcarriers × 2 (I,Q) × 1 byte each
}
```
## Decision
We will build an ESP32 CSI Sensor Mesh as the primary hardware integration path, with a full stack from firmware to aggregator to Rust pipeline to visualization.
### System Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ ESP32 CSI Sensor Mesh │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ ESP32 │ │ ESP32 │ │ ESP32 │ ... (3-6 nodes) │
│ │ Node 1 │ │ Node 2 │ │ Node 3 │ │
│ │ │ │ │ │ │ │
│ │ CSI Rx │ │ CSI Rx │ │ CSI Rx │ ← WiFi frames from │
│ │ FFT │ │ FFT │ │ FFT │ consumer router │
│ │ Features │ │ Features │ │ Features │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ │ UDP/TCP stream (WiFi or secondary channel) │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ Aggregator │ │
│ │ (Laptop / Raspberry Pi / Seed device) │ │
│ │ │ │
│ │ 1. Receive CSI streams from all nodes │ │
│ │ 2. Timestamp alignment (per-node) │ │
│ │ 3. Feature-level fusion │ │
│ │ 4. Feed into Rust/Python pipeline │ │
│ │ 5. Serve WebSocket to visualization │ │
│ └──────────────────┬──────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ WiFi-DensePose Pipeline │ │
│ │ │ │
│ │ CsiProcessor → FeatureExtractor → │ │
│ │ MotionDetector → PoseEstimator → │ │
│ │ Three.js Visualization │ │
│ └─────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
```
### Node Firmware Specification
**ESP-IDF project**: `firmware/esp32-csi-node/`
```
firmware/esp32-csi-node/
├── CMakeLists.txt
├── sdkconfig.defaults # Menuconfig defaults with CSI enabled (gitignored)
├── main/
│ ├── CMakeLists.txt
│ ├── main.c # Entry point, NVS config, WiFi init, CSI callback
│ ├── csi_collector.c # CSI collection, promiscuous mode, ADR-018 serialization
│ ├── csi_collector.h
│ ├── nvs_config.c # Runtime config from NVS (WiFi creds, target IP)
│ ├── nvs_config.h
│ ├── stream_sender.c # UDP stream to aggregator
│ ├── stream_sender.h
│ └── Kconfig.projbuild # Menuconfig options
└── README.md # Flash instructions (verified working)
```
> **Implementation note**: On-device feature extraction (`feature_extract.c`) is deferred.
> The current firmware streams raw I/Q data in ADR-018 binary format; feature extraction
> happens in the Rust aggregator. This simplifies the firmware and keeps the ESP32 code
> under 200 lines of C.
**On-device processing** (reduces bandwidth, node does pre-processing):
```c
// feature_extract.c
typedef struct {
uint32_t timestamp_ms; // Local monotonic timestamp
uint8_t node_id; // This node's ID
int8_t rssi; // Received signal strength
int8_t noise_floor; // Noise floor estimate
uint8_t channel; // WiFi channel
float amplitude[56]; // |CSI| per subcarrier (from I/Q)
float phase[56]; // arg(CSI) per subcarrier
float doppler_energy; // Motion energy from temporal FFT
float breathing_band; // 0.1-0.5 Hz band power
float motion_band; // 0.5-3 Hz band power
} csi_feature_frame_t;
// Size: ~470 bytes per frame
// At 100 Hz: ~47 KB/s per node, ~280 KB/s for 6 nodes
```
**Key firmware design decisions**:
1. **Feature extraction on-device**: Raw CSI I/Q → amplitude + phase + spectral bands. This cuts bandwidth from raw ~11 KB/frame to ~470 bytes/frame.
2. **Monotonic timestamps**: Each node uses its own monotonic clock. No NTP synchronization attempted between nodes - clock drift is handled at the aggregator by fusing features, not raw phases (see "Clock Drift" section below).
3. **UDP streaming**: Low-latency, loss-tolerant. Missing frames are acceptable; ordering is maintained via sequence numbers.
4. **Configurable sampling rate**: 10-100 Hz via menuconfig. 100 Hz for motion detection, 10 Hz sufficient for occupancy.
### Aggregator Specification
The aggregator runs on any machine with WiFi/Ethernet to the nodes:
```rust
// In v2/, new module: crates/wifi-densepose-hardware/src/esp32/
pub struct Esp32Aggregator {
/// UDP socket listening for node streams
socket: UdpSocket,
/// Per-node state (last timestamp, feature buffer, drift estimate)
nodes: HashMap<u8, NodeState>,
/// Ring buffer of fused feature frames
fused_buffer: VecDeque<FusedFrame>,
/// Channel to pipeline
pipeline_tx: mpsc::Sender<CsiData>,
}
/// Fused frame from all nodes for one time window
pub struct FusedFrame {
/// Timestamp (aggregator local, monotonic)
timestamp: Instant,
/// Per-node features (may have gaps if node dropped)
node_features: Vec<Option<CsiFeatureFrame>>,
/// Cross-node correlation (computed by aggregator)
cross_node_correlation: Array2<f64>,
/// Fused motion energy (max across nodes)
fused_motion_energy: f64,
/// Fused breathing band (coherent sum where phase aligns)
fused_breathing_band: f64,
}
```
### Clock Drift Handling
ESP32 crystal oscillators drift ~20-50 ppm. Over 1 hour, two nodes may diverge by 72-180ms. This makes raw phase alignment across nodes impossible.
**Solution**: Feature-level fusion, not signal-level fusion.
```
Signal-level (WRONG for ESP32):
Align raw I/Q samples across nodes → requires <1µs sync → impractical
Feature-level (CORRECT for ESP32):
Each node: raw CSI → amplitude + phase + spectral features (local)
Aggregator: collect features → correlate → fuse decisions
No cross-node phase alignment needed
```
Specifically:
- **Motion energy**: Take max across nodes (any node seeing motion = motion)
- **Breathing band**: Use node with highest SNR as primary, others as corroboration
- **Location**: Cross-node amplitude ratios estimate position (no phase needed)
### Sensing Capabilities by Deployment
| Capability | 1 Node | 3 Nodes | 6 Nodes | Evidence |
|-----------|--------|---------|---------|----------|
| Presence detection | Good | Excellent | Excellent | Single-node RSSI variance |
| Coarse motion | Good | Excellent | Excellent | Doppler energy |
| Room-level location | None | Good | Excellent | Amplitude ratios |
| Respiration | Marginal | Good | Good | 0.1-0.5 Hz band, placement-sensitive |
| Heartbeat | Poor | Poor-Marginal | Marginal | Requires ideal placement, low noise |
| Multi-person count | None | Marginal | Good | Spatial diversity |
| Pose estimation | None | Poor | Marginal | Requires model + sufficient diversity |
**Honest assessment**: ESP32 CSI is lower fidelity than Intel 5300 or Atheros. Heartbeat detection is placement-sensitive and unreliable. Respiration works with good placement. Motion and presence are solid.
### Failure Modes and Mitigations
| Failure Mode | Severity | Mitigation |
|-------------|----------|------------|
| Multipath dominates in cluttered rooms | High | Mesh diversity: 3+ nodes from different angles |
| Person occludes path between node and router | Medium | Mesh: other nodes still have clear paths |
| Clock drift ruins cross-node fusion | Medium | Feature-level fusion only; no cross-node phase alignment |
| UDP packet loss during high traffic | Low | Sequence numbers, interpolation for gaps <100ms |
| ESP32 WiFi driver bugs with CSI | Medium | Pin ESP-IDF version, test on known-good boards |
| Node power failure | Low | Aggregator handles missing nodes gracefully |
### Bill of Materials (Starter Kit)
| Item | Quantity | Unit Cost | Total |
|------|----------|-----------|-------|
| ESP32-S3-DevKitC-1 | 3 | $10 | $30 |
| USB-A to USB-C cables | 3 | $3 | $9 |
| USB power adapter (multi-port) | 1 | $15 | $15 |
| Consumer WiFi router (any) | 1 | $0 (existing) | $0 |
| Aggregator (laptop or Pi 4) | 1 | $0 (existing) | $0 |
| **Total** | | | **$54** |
### Minimal Build Spec (Clone-Flash-Run)
**Option A: Use pre-built binaries (no toolchain required)**
```bash
# Download binaries from GitHub Release v0.1.0-esp32
# Flash with esptool (pip install esptool)
python -m esptool --chip esp32s3 --port COM7 --baud 460800 \
write-flash --flash-mode dio --flash-size 4MB \
0x0 bootloader.bin 0x8000 partition-table.bin 0x10000 esp32-csi-node.bin
# Provision WiFi credentials (no recompile needed)
python scripts/provision.py --port COM7 \
--ssid "YourWiFi" --password "secret" --target-ip 192.168.1.20
# Run aggregator
cargo run -p wifi-densepose-hardware --bin aggregator -- --bind 0.0.0.0:5005 --verbose
```
**Option B: Build from source with Docker (no ESP-IDF install needed)**
```bash
# Step 1: Edit WiFi credentials
vim firmware/esp32-csi-node/sdkconfig.defaults
# Step 2: Build with Docker
cd firmware/esp32-csi-node
MSYS_NO_PATHCONV=1 docker run --rm -v "$(pwd):/project" -w /project \
espressif/idf:v5.2 bash -c "idf.py set-target esp32s3 && idf.py build"
# Step 3: Flash
cd build
python -m esptool --chip esp32s3 --port COM7 --baud 460800 \
write-flash --flash-mode dio --flash-size 4MB \
0x0 bootloader/bootloader.bin 0x8000 partition_table/partition-table.bin \
0x10000 esp32-csi-node.bin
# Step 4: Run aggregator
cargo run -p wifi-densepose-hardware --bin aggregator -- --bind 0.0.0.0:5005 --verbose
```
**Verified**: 20 Hz CSI streaming, 64/128/192 subcarrier frames, RSSI -47 to -88 dBm.
See tutorial: https://github.com/ruvnet/wifi-densepose/issues/34
### Proof of Reality for ESP32
**Live verified** with ESP32-S3-DevKitC-1 (CP2102, MAC 3C:0F:02:EC:C2:28):
- 693 frames in 18 seconds (~21.6 fps)
- Sequence numbers contiguous (zero frame loss)
- Presence detection confirmed: motion score 10/10 with per-second amplitude variance
- Frame types: 64 sc (148 B), 128 sc (276 B), 192 sc (404 B)
- 20 Rust tests + 6 Python tests pass
Pre-built binaries: https://github.com/ruvnet/wifi-densepose/releases/tag/v0.1.0-esp32
## Consequences
### Positive
- **$54 starter kit**: Lowest possible barrier to real CSI data
- **Mass available hardware**: ESP32 boards are in stock globally
- **Real data path**: Eliminates every `np.random.rand()` placeholder with actual hardware input
- **Proof artifact**: Captured CSI + expected hash proves the pipeline processes real data
- **Scalable mesh**: Add nodes for more coverage without changing software
- **Feature-level fusion**: Avoids the impossible problem of cross-node phase synchronization
### Negative
- **Lower fidelity than research NICs**: ESP32 CSI is noisier than Intel 5300
- **Heartbeat detection unreliable**: Micro-Doppler resolution insufficient for consistent heartbeat
- **ESP-IDF learning curve**: Firmware development requires embedded C knowledge
- **WiFi interference**: Nodes sharing the same channel as data traffic adds noise
- **Placement sensitivity**: Respiration detection requires careful node positioning
### Interaction with Other ADRs
- **ADR-011** (Proof of Reality): ESP32 provides the real CSI capture for the proof bundle
- **ADR-008** (Distributed Consensus): Mesh nodes can use simplified Raft for configuration distribution
- **ADR-003** (RVF Containers): Aggregator stores CSI features in RVF format
- **ADR-004** (HNSW): Environment fingerprints from ESP32 mesh feed HNSW index
## References
- [Espressif ESP-CSI Repository](https://github.com/espressif/esp-csi)
- [ESP-IDF WiFi CSI API](https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-guides/wifi.html#wi-fi-channel-state-information)
- [ESP32 CSI Research Papers](https://ieeexplore.ieee.org/document/9439871)
- [Wi-Fi Sensing with ESP32: A Tutorial](https://arxiv.org/abs/2207.07859)
- ADR-011: Python Proof-of-Reality and Mock Elimination
- ADR-018: ESP32 Development Implementation (binary frame format specification)
- [Pre-built firmware release v0.1.0-esp32](https://github.com/ruvnet/wifi-densepose/releases/tag/v0.1.0-esp32)
- [Step-by-step tutorial (Issue #34)](https://github.com/ruvnet/wifi-densepose/issues/34)
api-docs/adr/ADR-013-feature-level-sensing-commodity-gear.md
+401
View File
@@ -0,0 +1,401 @@
# ADR-013: Feature-Level Sensing on Commodity Gear (Option 3)
## Status
Accepted — Implemented (36/36 unit tests pass, see `archive/v1/src/sensing/` and `archive/v1/tests/unit/test_sensing.py`)
## Date
2026-02-28
## Context
### Not Everyone Can Deploy Custom Hardware
ADR-012 specifies an ESP32 CSI mesh that provides real CSI data. However, it requires:
- Purchasing ESP32 boards
- Flashing custom firmware
- ESP-IDF toolchain installation
- Physical placement of nodes
For many users - especially those evaluating WiFi-DensePose or deploying in managed environments - modifying hardware is not an option. We need a sensing path that works with **existing, unmodified consumer WiFi gear**.
### What Commodity Hardware Exposes
Standard WiFi drivers and tools expose several metrics without custom firmware:
| Signal | Source | Availability | Sampling Rate |
|--------|--------|-------------|---------------|
| RSSI (Received Signal Strength) | `iwconfig`, `iw`, NetworkManager | Universal | 1-10 Hz |
| Noise floor | `iw dev wlan0 survey dump` | Most Linux drivers | ~1 Hz |
| Link quality | `/proc/net/wireless` | Linux | 1-10 Hz |
| MCS index / PHY rate | `iw dev wlan0 link` | Most drivers | Per-packet |
| TX/RX bytes | `/sys/class/net/wlan0/statistics/` | Universal | Continuous |
| Retry count | `iw dev wlan0 station dump` | Most drivers | ~1 Hz |
| Beacon interval timing | `iw dev wlan0 scan dump` | Universal | Per-scan |
| Channel utilization | `iw dev wlan0 survey dump` | Most drivers | ~1 Hz |
**RSSI is the primary signal**. It varies when humans move through the propagation path between any transmitter-receiver pair. Research confirms RSSI-based sensing for:
- Presence detection (single receiver, threshold on variance)
- Device-free motion detection (RSSI variance increases with movement)
- Coarse room-level localization (multi-receiver RSSI fingerprinting)
- Breathing detection (specialized setups, marginal quality)
### Research Support
- **RSSI-based presence**: Youssef et al. (2007) demonstrated device-free passive detection using RSSI from multiple receivers with >90% accuracy.
- **RSSI breathing**: Abdelnasser et al. (2015) showed respiration detection via RSSI variance in controlled settings with ~85% accuracy using 4+ receivers.
- **Device-free tracking**: Multiple receivers with RSSI fingerprinting achieve room-level (3-5m) accuracy.
## Decision
We will implement a Feature-Level Sensing module that extracts motion, presence, and coarse activity information from standard WiFi metrics available on any Linux machine without hardware modification.
### Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│ Feature-Level Sensing Pipeline │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ Data Sources (any Linux WiFi device): │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌──────────────┐ │
│ │ RSSI │ │ Noise │ │ Link │ │ Packet Stats │ │
│ │ Stream │ │ Floor │ │ Quality │ │ (TX/RX/Retry)│ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └──────┬───────┘ │
│ │ │ │ │ │
│ └───────────┴───────────┴──────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────┐ │
│ │ Feature Extraction Engine │ │
│ │ │ │
│ │ 1. Rolling statistics (mean, var, skew, kurt) │ │
│ │ 2. Spectral features (FFT of RSSI time series) │ │
│ │ 3. Change-point detection (CUSUM, PELT) │ │
│ │ 4. Cross-receiver correlation │ │
│ │ 5. Packet timing jitter analysis │ │
│ └────────────────────────┬───────────────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────┐ │
│ │ Classification / Decision │ │
│ │ │ │
│ │ • Presence: RSSI variance > threshold │ │
│ │ • Motion class: spectral peak frequency │ │
│ │ • Occupancy change: change-point event │ │
│ │ • Confidence: cross-receiver agreement │ │
│ └────────────────────────┬───────────────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────┐ │
│ │ Output: Presence/Motion Events │ │
│ │ │ │
│ │ { "timestamp": "...", │ │
│ │ "presence": true, │ │
│ │ "motion_level": "active", │ │
│ │ "confidence": 0.87, │ │
│ │ "receivers_agreeing": 3, │ │
│ │ "rssi_variance": 4.2 } │ │
│ └────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
```
### Feature Extraction Specification
```python
class RssiFeatureExtractor:
"""Extract sensing features from RSSI and link statistics.
No custom hardware required. Works with any WiFi interface
that exposes standard Linux wireless statistics.
"""
def __init__(self, config: FeatureSensingConfig):
self.window_size = config.window_size # 30 seconds
self.sampling_rate = config.sampling_rate # 10 Hz
self.rssi_buffer = deque(maxlen=self.window_size * self.sampling_rate)
self.noise_buffer = deque(maxlen=self.window_size * self.sampling_rate)
def extract_features(self) -> FeatureVector:
rssi_array = np.array(self.rssi_buffer)
return FeatureVector(
# Time-domain statistics
rssi_mean=np.mean(rssi_array),
rssi_variance=np.var(rssi_array),
rssi_skewness=scipy.stats.skew(rssi_array),
rssi_kurtosis=scipy.stats.kurtosis(rssi_array),
rssi_range=np.ptp(rssi_array),
rssi_iqr=np.subtract(*np.percentile(rssi_array, [75, 25])),
# Spectral features (FFT of RSSI time series)
spectral_energy=self._spectral_energy(rssi_array),
dominant_frequency=self._dominant_freq(rssi_array),
breathing_band_power=self._band_power(rssi_array, 0.1, 0.5), # Hz
motion_band_power=self._band_power(rssi_array, 0.5, 3.0), # Hz
# Change-point features
num_change_points=self._cusum_changes(rssi_array),
max_step_magnitude=self._max_step(rssi_array),
# Noise floor features (environment stability)
noise_mean=np.mean(np.array(self.noise_buffer)),
snr_estimate=np.mean(rssi_array) - np.mean(np.array(self.noise_buffer)),
)
def _spectral_energy(self, rssi: np.ndarray) -> float:
"""Total spectral energy excluding DC component."""
spectrum = np.abs(scipy.fft.rfft(rssi - np.mean(rssi)))
return float(np.sum(spectrum[1:] ** 2))
def _dominant_freq(self, rssi: np.ndarray) -> float:
"""Dominant frequency in RSSI time series."""
spectrum = np.abs(scipy.fft.rfft(rssi - np.mean(rssi)))
freqs = scipy.fft.rfftfreq(len(rssi), d=1.0/self.sampling_rate)
return float(freqs[np.argmax(spectrum[1:]) + 1])
def _band_power(self, rssi: np.ndarray, low_hz: float, high_hz: float) -> float:
"""Power in a specific frequency band."""
spectrum = np.abs(scipy.fft.rfft(rssi - np.mean(rssi))) ** 2
freqs = scipy.fft.rfftfreq(len(rssi), d=1.0/self.sampling_rate)
mask = (freqs >= low_hz) & (freqs <= high_hz)
return float(np.sum(spectrum[mask]))
def _cusum_changes(self, rssi: np.ndarray) -> int:
"""Count change points using CUSUM algorithm."""
mean = np.mean(rssi)
cusum_pos = np.zeros_like(rssi)
cusum_neg = np.zeros_like(rssi)
threshold = 3.0 * np.std(rssi)
changes = 0
for i in range(1, len(rssi)):
cusum_pos[i] = max(0, cusum_pos[i-1] + rssi[i] - mean - 0.5)
cusum_neg[i] = max(0, cusum_neg[i-1] - rssi[i] + mean - 0.5)
if cusum_pos[i] > threshold or cusum_neg[i] > threshold:
changes += 1
cusum_pos[i] = 0
cusum_neg[i] = 0
return changes
```
### Data Collection (No Root Required)
```python
class LinuxWifiCollector:
"""Collect WiFi statistics from standard Linux interfaces.
No root required for most operations.
No custom drivers or firmware.
Works with NetworkManager, wpa_supplicant, or raw iw.
"""
def __init__(self, interface: str = "wlan0"):
self.interface = interface
def get_rssi(self) -> float:
"""Get current RSSI from connected AP."""
# Method 1: /proc/net/wireless (no root)
with open("/proc/net/wireless") as f:
for line in f:
if self.interface in line:
parts = line.split()
return float(parts[3].rstrip('.'))
# Method 2: iw (no root for own station)
result = subprocess.run(
["iw", "dev", self.interface, "link"],
capture_output=True, text=True
)
for line in result.stdout.split('\n'):
if 'signal:' in line:
return float(line.split(':')[1].strip().split()[0])
raise SensingError(f"Cannot read RSSI from {self.interface}")
def get_noise_floor(self) -> float:
"""Get noise floor estimate."""
result = subprocess.run(
["iw", "dev", self.interface, "survey", "dump"],
capture_output=True, text=True
)
for line in result.stdout.split('\n'):
if 'noise:' in line:
return float(line.split(':')[1].strip().split()[0])
return -95.0 # Default noise floor estimate
def get_link_stats(self) -> dict:
"""Get link quality statistics."""
result = subprocess.run(
["iw", "dev", self.interface, "station", "dump"],
capture_output=True, text=True
)
stats = {}
for line in result.stdout.split('\n'):
if 'tx bytes:' in line:
stats['tx_bytes'] = int(line.split(':')[1].strip())
elif 'rx bytes:' in line:
stats['rx_bytes'] = int(line.split(':')[1].strip())
elif 'tx retries:' in line:
stats['tx_retries'] = int(line.split(':')[1].strip())
elif 'signal:' in line:
stats['signal'] = float(line.split(':')[1].strip().split()[0])
return stats
```
### Classification Rules
```python
class PresenceClassifier:
"""Rule-based presence and motion classifier.
Uses simple, interpretable rules rather than ML to ensure
transparency and debuggability.
"""
def __init__(self, config: ClassifierConfig):
self.variance_threshold = config.variance_threshold # 2.0 dBm²
self.motion_threshold = config.motion_threshold # 5.0 dBm²
self.spectral_threshold = config.spectral_threshold # 10.0
self.confidence_min_receivers = config.min_receivers # 2
def classify(self, features: FeatureVector,
multi_receiver: list[FeatureVector] = None) -> SensingResult:
# Presence: RSSI variance exceeds empty-room baseline
presence = features.rssi_variance > self.variance_threshold
# Motion level
if features.rssi_variance > self.motion_threshold:
motion = MotionLevel.ACTIVE
elif features.rssi_variance > self.variance_threshold:
motion = MotionLevel.PRESENT_STILL
else:
motion = MotionLevel.ABSENT
# Confidence from spectral energy and receiver agreement
spectral_conf = min(1.0, features.spectral_energy / self.spectral_threshold)
if multi_receiver:
agreeing = sum(1 for f in multi_receiver
if (f.rssi_variance > self.variance_threshold) == presence)
receiver_conf = agreeing / len(multi_receiver)
else:
receiver_conf = 0.5 # Single receiver = lower confidence
confidence = 0.6 * spectral_conf + 0.4 * receiver_conf
return SensingResult(
presence=presence,
motion_level=motion,
confidence=confidence,
dominant_frequency=features.dominant_frequency,
breathing_band_power=features.breathing_band_power,
)
```
### Capability Matrix (Honest Assessment)
| Capability | Single Receiver | 3 Receivers | 6 Receivers | Accuracy |
|-----------|----------------|-------------|-------------|----------|
| Binary presence | Yes | Yes | Yes | 90-95% |
| Coarse motion (still/moving) | Yes | Yes | Yes | 85-90% |
| Room-level location | No | Marginal | Yes | 70-80% |
| Person count | No | Marginal | Marginal | 50-70% |
| Activity class (walk/sit/stand) | Marginal | Marginal | Yes | 60-75% |
| Respiration detection | No | Marginal | Marginal | 40-60% |
| Heartbeat | No | No | No | N/A |
| Body pose | No | No | No | N/A |
**Bottom line**: Feature-level sensing on commodity gear does presence and motion well. It does NOT do pose estimation, heartbeat, or reliable respiration. Any claim otherwise would be dishonest.
### Decision Matrix: Option 2 (ESP32) vs Option 3 (Commodity)
| Factor | ESP32 CSI (ADR-012) | Commodity (ADR-013) |
|--------|---------------------|---------------------|
| Headline capability | Respiration + motion | Presence + coarse motion |
| Hardware cost | $54 (3-node kit) | $0 (existing gear) |
| Setup time | 2-4 hours | 15 minutes |
| Technical barrier | Medium (firmware flash) | Low (pip install) |
| Data quality | Real CSI (amplitude + phase) | RSSI only |
| Multi-person | Marginal | Poor |
| Pose estimation | Marginal | No |
| Reproducibility | High (controlled hardware) | Medium (varies by hardware) |
| Public credibility | High (real CSI artifact) | Medium (RSSI is "obvious") |
### Proof Bundle for Commodity Sensing
```
archive/v1/data/proof/commodity/
├── rssi_capture_30sec.json # 30 seconds of RSSI from 3 receivers
├── rssi_capture_meta.json # Hardware: Intel AX200, Router: TP-Link AX1800
├── scenario.txt # "Person walks through room at t=10s, sits at t=20s"
├── expected_features.json # Feature extraction output
├── expected_classification.json # Classification output
├── expected_features.sha256 # Verification hash
└── verify_commodity.py # One-command verification
```
### Integration with WiFi-DensePose Pipeline
The commodity sensing module outputs the same `SensingResult` type as the CSI pipeline, allowing graceful degradation:
```python
class SensingBackend(Protocol):
"""Common interface for all sensing backends."""
def get_features(self) -> FeatureVector: ...
def get_capabilities(self) -> set[Capability]: ...
class CsiBackend(SensingBackend):
"""Full CSI pipeline (ESP32 or research NIC)."""
def get_capabilities(self):
return {Capability.PRESENCE, Capability.MOTION, Capability.RESPIRATION,
Capability.LOCATION, Capability.POSE}
class CommodityBackend(SensingBackend):
"""RSSI-only commodity hardware."""
def get_capabilities(self):
return {Capability.PRESENCE, Capability.MOTION}
```
## Consequences
### Positive
- **Zero-cost entry**: Works with existing WiFi hardware
- **15-minute setup**: `pip install wifi-densepose && wdp sense --interface wlan0`
- **Broad adoption**: Any Linux laptop, Pi, or phone can participate
- **Honest capability reporting**: `get_capabilities()` tells users exactly what works
- **Complements ESP32**: Users start with commodity, upgrade to ESP32 for more capability
- **No mock data**: Real RSSI from real hardware, deterministic pipeline
### Negative
- **Limited capability**: No pose, no heartbeat, marginal respiration
- **Hardware variability**: RSSI calibration differs across chipsets
- **Environmental sensitivity**: Commodity RSSI is more affected by interference than CSI
- **Not a "pose estimation" demo**: This module honestly cannot do what the project name implies
- **Lower credibility ceiling**: RSSI sensing is well-known; less impressive than CSI
### Implementation Status
The full commodity sensing pipeline is implemented in `archive/v1/src/sensing/`:
| Module | File | Description |
|--------|------|-------------|
| RSSI Collector | `rssi_collector.py` | `LinuxWifiCollector` (live hardware) + `SimulatedCollector` (deterministic testing) with ring buffer |
| Feature Extractor | `feature_extractor.py` | `RssiFeatureExtractor` with Hann-windowed FFT, band power (breathing 0.1-0.5 Hz, motion 0.5-3 Hz), CUSUM change-point detection |
| Classifier | `classifier.py` | `PresenceClassifier` with ABSENT/PRESENT_STILL/ACTIVE levels, confidence scoring |
| Backend | `backend.py` | `CommodityBackend` wiring collector → extractor → classifier, reports PRESENCE + MOTION capabilities |
**Test coverage**: 36 tests in `archive/v1/tests/unit/test_sensing.py` — all passing:
- `TestRingBuffer` (4), `TestSimulatedCollector` (5), `TestFeatureExtractor` (8), `TestCusum` (4), `TestPresenceClassifier` (7), `TestCommodityBackend` (6), `TestBandPower` (2)
**Dependencies**: `numpy`, `scipy` (for FFT and spectral analysis)
**Note**: `LinuxWifiCollector` requires a connected Linux WiFi interface (`/proc/net/wireless` or `iw`). On Windows or disconnected interfaces, use `SimulatedCollector` for development and testing.
## References
- [Youssef et al. - Challenges in Device-Free Passive Localization](https://doi.org/10.1145/1287853.1287880)
- [Device-Free WiFi Sensing Survey](https://arxiv.org/abs/1901.09683)
- [RSSI-based Breathing Detection](https://ieeexplore.ieee.org/document/7127688)
- [Linux Wireless Tools](https://wireless.wiki.kernel.org/en/users/documentation/iw)
- ADR-011: Python Proof-of-Reality and Mock Elimination
- ADR-012: ESP32 CSI Sensor Mesh
api-docs/adr/ADR-014-sota-signal-processing.md
+160
View File
@@ -0,0 +1,160 @@
# ADR-014: SOTA Signal Processing Algorithms for WiFi Sensing
## Status
Accepted
## Context
The existing signal processing pipeline (ADR-002) provides foundational CSI processing:
phase unwrapping, FFT-based feature extraction, and variance-based motion detection.
However, the academic state-of-the-art in WiFi sensing (2020-2025) has advanced
significantly beyond these basics. To achieve research-grade accuracy, we need
algorithms grounded in the physics of WiFi signal propagation and human body interaction.
### Current Gaps vs SOTA
| Capability | Current | SOTA Reference |
|-----------|---------|----------------|
| Phase cleaning | Z-score outlier + unwrapping | Conjugate multiplication (SpotFi 2015, IndoTrack 2017) |
| Outlier detection | Z-score | Hampel filter (robust median-based) |
| Breathing detection | Zero-crossing frequency | Fresnel zone model (FarSense 2019, Wi-Sleep 2021) |
| Signal representation | Raw amplitude/phase | CSI spectrogram (time-frequency 2D matrix) |
| Subcarrier usage | All subcarriers equally | Sensitivity-based selection (variance ratio) |
| Motion profiling | Single motion score | Body Velocity Profile / BVP (Widar 3.0 2019) |
## Decision
Implement six SOTA algorithms in the `wifi-densepose-signal` crate as new modules,
each with deterministic tests and no mock data.
### 1. Conjugate Multiplication (CSI Ratio Model)
**What:** Multiply CSI from antenna pair (i,j) as `H_i * conj(H_j)` to cancel
carrier frequency offset (CFO), sampling frequency offset (SFO), and packet
detection delay — all of which corrupt raw phase measurements.
**Why:** Raw CSI phase from commodity hardware (ESP32, Intel 5300) includes
random offsets that change per packet. Conjugate multiplication preserves only
the phase difference caused by the environment (human motion), not the hardware.
**Math:** `CSI_ratio[k] = H_1[k] * conj(H_2[k])` where k is subcarrier index.
The resulting phase `angle(CSI_ratio[k])` reflects only path differences between
the two antenna elements.
**Reference:** SpotFi (SIGCOMM 2015), IndoTrack (MobiCom 2017)
### 2. Hampel Filter
**What:** Replace outliers using running median ± scaled MAD (Median Absolute
Deviation), which is robust to the outliers themselves (unlike mean/std Z-score).
**Why:** WiFi CSI has burst interference, multipath spikes, and hardware glitches
that create outliers. Z-score outlier detection uses mean/std, which are themselves
corrupted by the outliers (masking effect). Hampel filter uses median/MAD, which
resist up to 50% contamination.
**Math:** For window around sample i: `median = med(x[i-w..i+w])`,
`MAD = med(|x[j] - median|)`, `σ_est = 1.4826 * MAD`.
If `|x[i] - median| > t * σ_est`, replace x[i] with median.
**Reference:** Standard DSP technique, used in WiGest (2015), WiDance (2017)
### 3. Fresnel Zone Breathing Model
**What:** Model WiFi signal variation as a function of human chest displacement
crossing Fresnel zone boundaries. The chest moves ~5-10mm during breathing,
which at 5 GHz (λ=60mm) is a significant fraction of the Fresnel zone width.
**Why:** Zero-crossing counting works for strong signals but fails in multipath-rich
environments. The Fresnel model predicts *where* in the signal cycle a breathing
motion should appear based on the TX-RX-body geometry, enabling detection even
with weak signals.
**Math:** Fresnel zone radius at point P: `F_n = sqrt(n * λ * d1 * d2 / (d1 + d2))`.
Signal variation: `ΔΦ = 2π * 2Δd / λ` where Δd is chest displacement.
Expected breathing amplitude: `A = |sin(ΔΦ/2)|`.
**Reference:** FarSense (MobiCom 2019), Wi-Sleep (UbiComp 2021)
### 4. CSI Spectrogram
**What:** Construct a 2D time-frequency matrix by applying sliding-window FFT
(STFT) to the temporal CSI amplitude stream per subcarrier. This reveals how
the frequency content of body motion changes over time.
**Why:** Spectrograms are the standard input to CNN-based activity recognition.
A breathing person shows a ~0.2-0.4 Hz band, walking shows 1-2 Hz, and
stationary environment shows only noise. The 2D structure allows spatial
pattern recognition that 1D features miss.
**Math:** `S[t,f] = |Σ_n x[n] * w[n-t] * exp(-j2πfn)|²`
**Reference:** Used in virtually all CNN-based WiFi sensing papers since 2018
### 5. Subcarrier Sensitivity Selection
**What:** Rank subcarriers by their sensitivity to human motion (variance ratio
between motion and static periods) and select only the top-K for further processing.
**Why:** Not all subcarriers respond equally to body motion. Some are in
multipath nulls, some carry mainly noise. Using all subcarriers dilutes the signal.
Selecting the 10-20 most sensitive subcarriers improves SNR by 6-10 dB.
**Math:** `sensitivity[k] = var_motion(amp[k]) / (var_static(amp[k]) + ε)`.
Select top-K subcarriers by sensitivity score.
**Reference:** WiDance (MobiCom 2017), WiGest (SenSys 2015)
### 6. Body Velocity Profile (BVP)
**What:** Extract velocity distribution of body parts from Doppler shifts across
subcarriers. BVP is a 2D representation (velocity × time) that encodes how
different body parts move at different speeds.
**Why:** BVP is domain-independent — the same velocity profile appears regardless
of room layout, furniture, or AP placement. This makes it the basis for
cross-environment gesture and activity recognition.
**Math:** Apply DFT across time for each subcarrier, then aggregate across
subcarriers: `BVP[v,t] = Σ_k |STFT_k[v,t]|` where v maps to velocity via
`v = f_doppler * λ / 2`.
**Reference:** Widar 3.0 (MobiSys 2019), WiDar (MobiSys 2017)
## Implementation
All algorithms implemented in `wifi-densepose-signal/src/` as new modules:
- `csi_ratio.rs` — Conjugate multiplication
- `hampel.rs` — Hampel filter
- `fresnel.rs` — Fresnel zone breathing model
- `spectrogram.rs` — CSI spectrogram generation
- `subcarrier_selection.rs` — Sensitivity-based selection
- `bvp.rs` — Body Velocity Profile extraction
Each module has:
- Deterministic unit tests with known input/output
- No random data, no mocks
- Documentation with references to source papers
- Integration with existing `CsiData` types
## Consequences
### Positive
- Research-grade signal processing matching 2019-2023 publications
- Physics-grounded algorithms (Fresnel zones, Doppler) not just heuristics
- Cross-environment robustness via BVP and CSI ratio
- CNN-ready features via spectrograms
- Improved SNR via subcarrier selection
### Negative
- Increased computational cost (STFT, complex multiplication per frame)
- Fresnel model requires TX-RX distance estimate (geometry input)
- BVP requires sufficient temporal history (>1 second at 100+ Hz sampling)
## References
- SpotFi: Decimeter Level Localization Using WiFi (SIGCOMM 2015)
- IndoTrack: Device-Free Indoor Human Tracking (MobiCom 2017)
- FarSense: Pushing the Range Limit of WiFi-based Respiration Sensing (MobiCom 2019)
- Widar 3.0: Zero-Effort Cross-Domain Gesture Recognition (MobiSys 2019)
- Wi-Sleep: Contactless Sleep Staging (UbiComp 2021)
- DensePose from WiFi (arXiv 2022, CMU)
api-docs/adr/ADR-015-public-dataset-training-strategy.md
+180
View File
@@ -0,0 +1,180 @@
# ADR-015: Public Dataset Strategy for Trained Pose Estimation Model
## Status
Accepted
## Context
The WiFi-DensePose system has a complete model architecture (`DensePoseHead`,
`ModalityTranslationNetwork`, `WiFiDensePoseRCNN`) and signal processing pipeline,
but no trained weights. Without a trained model, pose estimation produces random
outputs regardless of input quality.
Training requires paired data: simultaneous WiFi CSI captures alongside ground-truth
human pose annotations. Collecting this data from scratch requires months of effort
and specialized hardware (multiple WiFi nodes + camera + motion capture rig). Several
public datasets exist that can bootstrap training without custom collection.
### The Teacher-Student Constraint
The CMU "DensePose From WiFi" paper (2023) trains using a teacher-student approach:
a camera-based RGB pose model (e.g. Detectron2 DensePose) generates pseudo-labels
during training, so the WiFi model learns to replicate those outputs. At inference,
the camera is removed. This means any dataset that provides *either* ground-truth
pose annotations *or* synchronized RGB frames (from which a teacher can generate
labels) is sufficient for training.
### 56-Subcarrier Hardware Context
The system targets 56 subcarriers, which corresponds specifically to **Atheros 802.11n
chipsets on a 20 MHz channel** using the Atheros CSI Tool. No publicly available
dataset with paired pose annotations was collected at exactly 56 subcarriers:
| Hardware | Subcarriers | Datasets |
|----------|-------------|---------|
| Atheros CSI Tool (20 MHz) | **56** | None with pose labels |
| Atheros CSI Tool (40 MHz) | **114** | MM-Fi |
| Intel 5300 NIC (20 MHz) | **30** | Person-in-WiFi, Widar 3.0, Wi-Pose, XRF55 |
| Nexmon/Broadcom (80 MHz) | **242-256** | None with pose labels |
MM-Fi uses the same Atheros hardware family at 40 MHz, making 114→56 interpolation
physically meaningful (same chipset, different channel width).
## Decision
Use MM-Fi as the primary training dataset, supplemented by Wi-Pose (NjtechCVLab)
for additional diversity. XRF55 is downgraded to optional (Kinect labels need
post-processing). Teacher-student pipeline fills in DensePose UV labels where
only skeleton keypoints are available.
### Primary Dataset: MM-Fi
**Paper:** "MM-Fi: Multi-Modal Non-Intrusive 4D Human Dataset for Versatile Wireless
Sensing" (NeurIPS 2023 Datasets & Benchmarks)
**Repository:** https://github.com/ybhbingo/MMFi_dataset
**Size:** 40 subjects × 27 action classes × ~320,000 frames, 4 environments
**Modalities:** WiFi CSI, mmWave radar, LiDAR, RGB-D, IMU
**CSI format:** **1 TX × 3 RX antennas**, 114 subcarriers, 100 Hz sampling rate,
5 GHz 40 MHz (TP-Link N750 with Atheros CSI Tool), raw amplitude + phase
**Data tensor:** [3, 114, 10] per sample (antenna-pairs × subcarriers × time frames)
**Pose annotations:** 17-keypoint COCO skeleton in 3D + DensePose UV surface coords
**License:** CC BY-NC 4.0
**Why primary:** Largest public WiFi CSI + pose dataset; richest annotations (3D
keypoints + DensePose UV); same Atheros hardware family as target system; COCO
keypoints map directly to the `KeypointHead` output format; actively maintained
with NeurIPS 2023 benchmark status.
**Antenna correction:** MM-Fi uses 1 TX / 3 RX (3 antenna pairs), not 3×3.
The existing system targets 3×3 (ESP32 mesh). The 3 RX antennas match; the TX
difference means MM-Fi-trained weights will work but may benefit from fine-tuning
on data from a 3-TX setup.
### Secondary Dataset: Wi-Pose (NjtechCVLab)
**Paper:** CSI-Former (MDPI Entropy 2023) and related works
**Repository:** https://github.com/NjtechCVLab/Wi-PoseDataset
**Size:** 12 volunteers × 12 action classes × 166,600 packets
**CSI format:** 3 TX × 3 RX antennas, 30 subcarriers, 5 GHz, .mat format
**Pose annotations:** 18-keypoint AlphaPose skeleton (COCO-compatible subset)
**License:** Research use
**Why secondary:** 3×3 antenna array matches target ESP32 mesh hardware exactly;
fully public; adds 12 different subjects and environments not in MM-Fi.
**Note:** 30 subcarriers require zero-padding or interpolation to 56; 18→17
keypoint mapping drops one neck keypoint (index 1), compatible with COCO-17.
### Excluded / Deprioritized Datasets
| Dataset | Reason |
|---------|--------|
| RF-Pose / RF-Pose3D (MIT) | Custom FMCW radio, not 802.11n CSI; incompatible signal physics |
| Person-in-WiFi (CMU 2019) | Not publicly released (IRB restriction) |
| Person-in-WiFi 3D (CVPR 2024) | 30 subcarriers, Intel 5300; semi-public access |
| DensePose From WiFi (CMU) | Dataset not released; only paper + architecture |
| Widar 3.0 | Gesture labels only, no full-body pose keypoints |
| XRF55 | Activity labels primarily; Kinect pose requires email request; lower priority |
| UT-HAR, WiAR, SignFi | Activity/gesture labels only, no pose keypoints |
## Implementation Plan
### Phase 1: MM-Fi Loader (Rust `wifi-densepose-train` crate)
Implement `MmFiDataset` in Rust (`crates/wifi-densepose-train/src/dataset.rs`):
- Reads MM-Fi numpy .npy files: amplitude [N, 3, 3, 114] (antenna-pairs laid flat), phase [N, 3, 3, 114]
- Resamples from 114 → 56 subcarriers (linear interpolation via `subcarrier.rs`)
- Applies phase sanitization using SOTA algorithms from `wifi-densepose-signal` crate
- Returns typed `CsiSample` structs with amplitude, phase, keypoints, visibility
- Validation split: subjects 3340 held out
### Phase 2: Wi-Pose Loader
Implement `WiPoseDataset` reading .mat files (via ndarray-based MATLAB reader or
pre-converted .npy). Subcarrier interpolation: 30 → 56 (zero-pad high frequencies
rather than interpolate, since 30-sub Intel data has different spectral occupancy
than 56-sub Atheros data).
### Phase 3: Teacher-Student DensePose Labels
For MM-Fi samples that provide 3D keypoints but not full DensePose UV maps:
- Run Detectron2 DensePose on paired RGB frames to generate `(part_labels, u_coords, v_coords)`
- Cache generated labels as .npy alongside original data
- This matches the training procedure in the CMU paper exactly
### Phase 4: Training Pipeline (Rust)
- **Model:** `WiFiDensePoseModel` (tch-rs, `crates/wifi-densepose-train/src/model.rs`)
- **Loss:** Keypoint heatmap (MSE) + DensePose part (cross-entropy) + UV (Smooth L1) + transfer (MSE)
- **Metrics:** PCK@0.2 + OKS with Hungarian min-cost assignment (`crates/wifi-densepose-train/src/metrics.rs`)
- **Optimizer:** Adam, lr=1e-3, step decay at epochs 40 and 80
- **Hardware:** Single GPU (RTX 3090 or A100); MM-Fi fits in ~50 GB disk
- **Checkpointing:** Save every epoch; keep best-by-validation-PCK
### Phase 5: Proof Verification
`verify-training` binary provides the "trust kill switch" for training:
- Fixed seed (MODEL_SEED=0, PROOF_SEED=42)
- 50 training steps on deterministic SyntheticDataset
- Verifies: loss decreases + SHA-256 of final weights matches stored hash
- EXIT 0 = PASS, EXIT 1 = FAIL, EXIT 2 = SKIP (no stored hash)
## Subcarrier Mismatch: MM-Fi (114) vs System (56)
MM-Fi captures 114 subcarriers at 5 GHz with 40 MHz bandwidth (Atheros CSI Tool).
The system is configured for 56 subcarriers (Atheros, 20 MHz). Resolution options:
1. **Interpolate MM-Fi → 56** (chosen for Phase 1): linear interpolation preserves
spectral envelope, fast, no architecture change needed
2. **Train at native 114**: change `CSIProcessor` config; requires re-running
`verify.py --generate-hash` to update proof hash; future option
3. **Collect native 56-sub data**: ESP32 mesh at 20 MHz; best for production
Option 1 unblocks training immediately. The Rust `subcarrier.rs` module handles
interpolation as a first-class operation with tests proving correctness.
## Consequences
**Positive:**
- Unblocks end-to-end training on real public data immediately
- MM-Fi's Atheros hardware family matches target system (same CSI Tool)
- 40 subjects × 27 actions provides reasonable diversity for first model
- Wi-Pose's 3×3 antenna setup is an exact hardware match for ESP32 mesh
- CC BY-NC license is compatible with research and internal use
- Rust implementation integrates natively with `wifi-densepose-signal` pipeline
**Negative:**
- CC BY-NC prohibits commercial deployment of weights trained solely on MM-Fi;
custom data collection required before commercial release
- MM-Fi is 1 TX / 3 RX; system targets 3 TX / 3 RX; fine-tuning needed
- 114→56 subcarrier interpolation loses frequency resolution; acceptable for v1
- MM-Fi captured in controlled lab environments; real-world accuracy will be lower
until fine-tuned on domain-specific data
## References
- Yang et al., "MM-Fi: Multi-Modal Non-Intrusive 4D Human Dataset" (NeurIPS 2023) — arXiv:2305.10345
- Geng et al., "DensePose From WiFi" (CMU, arXiv:2301.00250, 2023)
- Yan et al., "Person-in-WiFi 3D" (CVPR 2024)
- NjtechCVLab, "Wi-Pose Dataset" — github.com/NjtechCVLab/Wi-PoseDataset
- ADR-012: ESP32 CSI Sensor Mesh (hardware target)
- ADR-013: Feature-Level Sensing on Commodity Gear
- ADR-014: SOTA Signal Processing Algorithms
api-docs/adr/ADR-016-ruvector-integration.md
+336
View File
@@ -0,0 +1,336 @@
# ADR-016: RuVector Integration for Training Pipeline
## Status
Accepted
## Context
The `wifi-densepose-train` crate (ADR-015) was initially implemented using
standard crates (`petgraph`, `ndarray`, custom signal processing). The ruvector
ecosystem provides published Rust crates with subpolynomial algorithms that
directly replace several components with superior implementations.
All ruvector crates are published at v2.0.4 on crates.io (confirmed) and their
source is available at https://github.com/ruvnet/ruvector.
### Available ruvector crates (all at v2.0.4, published on crates.io)
| Crate | Description | Default Features |
|-------|-------------|-----------------|
| `ruvector-mincut` | World's first subpolynomial dynamic min-cut | `exact`, `approximate` |
| `ruvector-attn-mincut` | Min-cut gating attention (graph-based alternative to softmax) | all modules |
| `ruvector-attention` | Geometric, graph, and sparse attention mechanisms | all modules |
| `ruvector-temporal-tensor` | Temporal tensor compression with tiered quantization | all modules |
| `ruvector-solver` | Sublinear-time sparse linear solvers O(log n) to O(√n) | `neumann`, `cg`, `forward-push` |
| `ruvector-core` | HNSW-indexed vector database core | v2.0.5 |
| `ruvector-math` | Optimal transport, information geometry | v2.0.4 |
### Verified API Details (from source inspection of github.com/ruvnet/ruvector)
#### ruvector-mincut
```rust
use ruvector_mincut::{MinCutBuilder, DynamicMinCut, MinCutResult, VertexId, Weight};
// Build a dynamic min-cut structure
let mut mincut = MinCutBuilder::new()
.exact() // or .approximate(0.1)
.with_edges(vec![(u: VertexId, v: VertexId, w: Weight)]) // (u32, u32, f64) tuples
.build()
.expect("Failed to build");
// Subpolynomial O(n^{o(1)}) amortized dynamic updates
mincut.insert_edge(u, v, weight) -> Result<f64> // new cut value
mincut.delete_edge(u, v) -> Result<f64> // new cut value
// Queries
mincut.min_cut_value() -> f64
mincut.min_cut() -> MinCutResult // includes partition
mincut.partition() -> (Vec<VertexId>, Vec<VertexId>) // S and T sets
mincut.cut_edges() -> Vec<Edge> // edges crossing the cut
// Note: VertexId = u64 (not u32); Edge has fields { source: u64, target: u64, weight: f64 }
```
`MinCutResult` contains:
- `value: f64` — minimum cut weight
- `is_exact: bool`
- `approximation_ratio: f64`
- `partition: Option<(Vec<VertexId>, Vec<VertexId>)>` — S and T node sets
#### ruvector-attn-mincut
```rust
use ruvector_attn_mincut::{attn_mincut, attn_softmax, AttentionOutput, MinCutConfig};
// Min-cut gated attention (drop-in for softmax attention)
// Q, K, V are all flat &[f32] with shape [seq_len, d]
let output: AttentionOutput = attn_mincut(
q: &[f32], // queries: flat [seq_len * d]
k: &[f32], // keys: flat [seq_len * d]
v: &[f32], // values: flat [seq_len * d]
d: usize, // feature dimension
seq_len: usize, // number of tokens / antenna paths
lambda: f32, // min-cut threshold (larger = more pruning)
tau: usize, // temporal hysteresis window
eps: f32, // numerical epsilon
) -> AttentionOutput;
// AttentionOutput
pub struct AttentionOutput {
pub output: Vec<f32>, // attended values [seq_len * d]
pub gating: GatingResult, // which edges were kept/pruned
}
// Baseline softmax attention for comparison
let output: Vec<f32> = attn_softmax(q, k, v, d, seq_len);
```
**Use case in wifi-densepose-train**: In `ModalityTranslator`, treat the
`T * n_tx * n_rx` antenna×time paths as `seq_len` tokens and the `n_sc`
subcarriers as feature dimension `d`. Apply `attn_mincut` to gate irrelevant
antenna-pair correlations before passing to FC layers.
#### ruvector-solver (NeumannSolver)
```rust
use ruvector_solver::neumann::NeumannSolver;
use ruvector_solver::types::CsrMatrix;
use ruvector_solver::traits::SolverEngine;
// Build sparse matrix from COO entries
let matrix = CsrMatrix::<f32>::from_coo(rows, cols, vec![
(row: usize, col: usize, val: f32), ...
]);
// Solve Ax = b in O(√n) for sparse systems
let solver = NeumannSolver::new(tolerance: f64, max_iterations: usize);
let result = solver.solve(&matrix, rhs: &[f32]) -> Result<SolverResult, SolverError>;
// SolverResult
result.solution: Vec<f32> // solution vector x
result.residual_norm: f64 // ||b - Ax||
result.iterations: usize // number of iterations used
```
**Use case in wifi-densepose-train**: In `subcarrier.rs`, model the 114→56
subcarrier resampling as a sparse regularized least-squares problem `A·x ≈ b`
where `A` is a sparse basis-function matrix (physically motivated by multipath
propagation model: each target subcarrier is a sparse combination of adjacent
source subcarriers). Gives O(√n) vs O(n) for n=114 subcarriers.
#### ruvector-temporal-tensor
```rust
use ruvector_temporal_tensor::{TemporalTensorCompressor, TierPolicy};
use ruvector_temporal_tensor::segment;
// Create compressor for `element_count` f32 elements per frame
let mut comp = TemporalTensorCompressor::new(
TierPolicy::default(), // configures hot/warm/cold thresholds
element_count: usize, // n_tx * n_rx * n_sc (elements per CSI frame)
id: u64, // tensor identity (0 for amplitude, 1 for phase)
);
// Mark access recency (drives tier selection):
// hot = accessed within last few timestamps → 8-bit (~4x compression)
// warm = moderately recent → 5 or 7-bit (~4.66.4x)
// cold = rarely accessed → 3-bit (~10.67x)
comp.set_access(timestamp: u64, tensor_id: u64);
// Compress frames into a byte segment
let mut segment_buf: Vec<u8> = Vec::new();
comp.push_frame(frame: &[f32], timestamp: u64, &mut segment_buf);
comp.flush(&mut segment_buf); // flush current partial segment
// Decompress
let mut decoded: Vec<f32> = Vec::new();
segment::decode(&segment_buf, &mut decoded); // all frames
segment::decode_single_frame(&segment_buf, frame_index: usize) -> Option<Vec<f32>>;
segment::compression_ratio(&segment_buf) -> f64;
```
**Use case in wifi-densepose-train**: In `dataset.rs`, buffer CSI frames in
`TemporalTensorCompressor` to reduce memory footprint by 5075%. The CSI window
contains `window_frames` (default 100) frames per sample; hot frames (recent)
stay at f32 fidelity, cold frames (older) are aggressively quantized.
#### ruvector-attention
```rust
use ruvector_attention::{
attention::ScaledDotProductAttention,
traits::Attention,
};
let attention = ScaledDotProductAttention::new(d: usize); // feature dim
// Compute attention: q is [d], keys and values are Vec<&[f32]>
let output: Vec<f32> = attention.compute(
query: &[f32], // [d]
keys: &[&[f32]], // n_nodes × [d]
values: &[&[f32]], // n_nodes × [d]
) -> Result<Vec<f32>>;
```
**Use case in wifi-densepose-train**: In `model.rs` spatial decoder, replace the
standard Conv2D upsampling pass with graph-based spatial attention among spatial
locations, where nodes represent spatial grid points and edges connect neighboring
antenna footprints.
---
## Decision
Integrate ruvector crates into `wifi-densepose-train` at five integration points:
### 1. `ruvector-mincut` → `metrics.rs` (replaces petgraph Hungarian for multi-frame)
**Before:** O(n³) Kuhn-Munkres via DFS augmenting paths using `petgraph::DiGraph`,
single-frame only (no state across frames).
**After:** `DynamicPersonMatcher` struct wrapping `ruvector_mincut::DynamicMinCut`.
Maintains the bipartite assignment graph across frames using subpolynomial updates:
- `insert_edge(pred_id, gt_id, oks_cost)` when new person detected
- `delete_edge(pred_id, gt_id)` when person leaves scene
- `partition()` returns S/T split → `cut_edges()` returns the matched pred→gt pairs
**Performance:** O(n^{1.5} log n) amortized update vs O(n³) rebuild per frame.
Critical for >3 person scenarios and video tracking (frame-to-frame updates).
The original `hungarian_assignment` function is **kept** for single-frame static
matching (used in proof verification for determinism).
### 2. `ruvector-attn-mincut` → `model.rs` (replaces flat MLP fusion in ModalityTranslator)
**Before:** Amplitude/phase FC encoders → concatenate [B, 512] → fuse Linear → ReLU.
**After:** Treat the `n_ant = T * n_tx * n_rx` antenna×time paths as `seq_len`
tokens and `n_sc` subcarriers as feature dimension `d`. Apply `attn_mincut` to
gate irrelevant antenna-pair correlations:
```rust
// In ModalityTranslator::forward_t:
// amp/ph tensors: [B, n_ant, n_sc] → convert to Vec<f32>
// Apply attn_mincut with seq_len=n_ant, d=n_sc, lambda=0.3
// → attended output [B, n_ant, n_sc] → flatten → FC layers
```
**Benefit:** Automatic antenna-path selection without explicit learned masks;
min-cut gating is more computationally principled than learned gates.
### 3. `ruvector-temporal-tensor` → `dataset.rs` (CSI temporal compression)
**Before:** Raw CSI windows stored as full f32 `Array4<f32>` in memory.
**After:** `CompressedCsiBuffer` struct backed by `TemporalTensorCompressor`.
Tiered quantization based on frame access recency:
- Hot frames (last 10): f32 equivalent (8-bit quant ≈ 4× smaller than f32)
- Warm frames (1150): 5/7-bit quantization
- Cold frames (>50): 3-bit (10.67× smaller)
Encode on `push_frame`, decode on `get(idx)` for transparent access.
**Benefit:** 5075% memory reduction for the default 100-frame temporal window;
allows 24× larger batch sizes on constrained hardware.
### 4. `ruvector-solver` → `subcarrier.rs` (phase sanitization)
**Before:** Linear interpolation across subcarriers using precomputed (i0, i1, frac) tuples.
**After:** `NeumannSolver` for sparse regularized least-squares subcarrier
interpolation. The CSI spectrum is modeled as a sparse combination of Fourier
basis functions (physically motivated by multipath propagation):
```rust
// A = sparse basis matrix [target_sc, src_sc] (Gaussian or sinc basis)
// b = source CSI values [src_sc]
// Solve: A·x ≈ b via NeumannSolver(tolerance=1e-5, max_iter=500)
// x = interpolated values at target subcarrier positions
```
**Benefit:** O(√n) vs O(n) for n=114 source subcarriers; more accurate at
subcarrier boundaries than linear interpolation.
### 5. `ruvector-attention` → `model.rs` (spatial decoder)
**Before:** Standard ConvTranspose2D upsampling in `KeypointHead` and `DensePoseHead`.
**After:** `ScaledDotProductAttention` applied to spatial feature nodes.
Each spatial location [H×W] becomes a token; attention captures long-range
spatial dependencies between antenna footprint regions:
```rust
// feature map: [B, C, H, W] → flatten to [B, H*W, C]
// For each batch: compute attention among H*W spatial nodes
// → reshape back to [B, C, H, W]
```
**Benefit:** Captures long-range spatial dependencies missed by local convolutions;
important for multi-person scenarios.
---
## Implementation Plan
### Files modified
| File | Change |
|------|--------|
| `Cargo.toml` (workspace + crate) | Add ruvector-mincut, ruvector-attn-mincut, ruvector-temporal-tensor, ruvector-solver, ruvector-attention = "2.0.4" |
| `metrics.rs` | Add `DynamicPersonMatcher` wrapping `ruvector_mincut::DynamicMinCut`; keep `hungarian_assignment` for deterministic proof |
| `model.rs` | Add `attn_mincut` bridge in `ModalityTranslator::forward_t`; add `ScaledDotProductAttention` in spatial heads |
| `dataset.rs` | Add `CompressedCsiBuffer` backed by `TemporalTensorCompressor`; `MmFiDataset` uses it |
| `subcarrier.rs` | Add `interpolate_subcarriers_sparse` using `NeumannSolver`; keep `interpolate_subcarriers` as fallback |
### Files unchanged
`config.rs`, `losses.rs`, `trainer.rs`, `proof.rs`, `error.rs` — no change needed.
### Feature gating
All ruvector integrations are **always-on** (not feature-gated). The ruvector
crates are pure Rust with no C FFI, so they add no platform constraints.
---
## Implementation Status
| Phase | Status |
|-------|--------|
| Cargo.toml (workspace + crate) | **Complete** |
| ADR-016 documentation | **Complete** |
| ruvector-mincut in metrics.rs | **Complete** |
| ruvector-attn-mincut in model.rs | **Complete** |
| ruvector-temporal-tensor in dataset.rs | **Complete** |
| ruvector-solver in subcarrier.rs | **Complete** |
| ruvector-attention in model.rs spatial decoder | **Complete** |
---
## Consequences
**Positive:**
- Subpolynomial O(n^{1.5} log n) dynamic min-cut for multi-person tracking
- Min-cut gated attention is physically motivated for CSI antenna arrays
- 5075% memory reduction from temporal quantization
- Sparse least-squares interpolation is physically principled vs linear
- All ruvector crates are pure Rust (no C FFI, no platform restrictions)
**Negative:**
- Additional compile-time dependencies (ruvector crates)
- `attn_mincut` requires tensor↔Vec<f32> conversion overhead per batch element
- `TemporalTensorCompressor` adds compression/decompression latency on dataset load
- `NeumannSolver` requires diagonally dominant matrices; a sparse Tikhonov
regularization term (λI) is added to ensure convergence
## References
- ADR-015: Public Dataset Training Strategy
- ADR-014: SOTA Signal Processing Algorithms
- github.com/ruvnet/ruvector (source: crates at v2.0.4)
- ruvector-mincut: https://crates.io/crates/ruvector-mincut
- ruvector-attn-mincut: https://crates.io/crates/ruvector-attn-mincut
- ruvector-temporal-tensor: https://crates.io/crates/ruvector-temporal-tensor
- ruvector-solver: https://crates.io/crates/ruvector-solver
- ruvector-attention: https://crates.io/crates/ruvector-attention
api-docs/adr/ADR-017-ruvector-signal-mat-integration.md
+603
View File
@@ -0,0 +1,603 @@
# ADR-017: RuVector Integration for Signal Processing and MAT Crates
## Status
Accepted
## Date
2026-02-28
## Context
ADR-016 integrated all five published ruvector v2.0.4 crates into the
`wifi-densepose-train` crate (model.rs, dataset.rs, subcarrier.rs, metrics.rs).
Two production crates that pre-date ADR-016 remain without ruvector integration
despite having concrete, high-value integration points:
1. **`wifi-densepose-signal`** — SOTA signal processing algorithms (ADR-014):
conjugate multiplication, Hampel filter, Fresnel zone breathing model, CSI
spectrogram, subcarrier sensitivity selection, Body Velocity Profile (BVP).
These algorithms perform independent element-wise operations or brute-force
exhaustive search without subpolynomial optimization.
2. **`wifi-densepose-mat`** — Disaster detection (ADR-001): multi-AP
triangulation, breathing/heartbeat waveform detection, triage classification.
Time-series data is uncompressed and localization uses closed-form geometry
without iterative system solving.
Additionally, ADR-002's dependency strategy references fictional crate names
(`ruvector-core`, `ruvector-data-framework`, `ruvector-consensus`,
`ruvector-wasm`) at non-existent version `"0.1"`. ADR-016 confirmed the actual
published crates at v2.0.4 and these must be used instead.
### Verified Published Crates (v2.0.4)
From source inspection of github.com/ruvnet/ruvector and crates.io:
| Crate | Key API | Algorithmic Advantage |
|---|---|---|
| `ruvector-mincut` | `DynamicMinCut`, `MinCutBuilder` | O(n^1.5 log n) dynamic graph partitioning |
| `ruvector-attn-mincut` | `attn_mincut(q,k,v,d,seq,λ,τ,ε)` | Attention + mincut gating in one pass |
| `ruvector-temporal-tensor` | `TemporalTensorCompressor`, `segment::decode` | Tiered quantization: 5075% memory reduction |
| `ruvector-solver` | `NeumannSolver::new(tol,max_iter).solve(&CsrMatrix,&[f32])` | O(√n) Neumann series convergence |
| `ruvector-attention` | `ScaledDotProductAttention::new(d).compute(q,ks,vs)` | Sublinear attention for small d |
## Decision
Integrate the five ruvector v2.0.4 crates across `wifi-densepose-signal` and
`wifi-densepose-mat` through seven targeted integration points.
### Integration Map
```
wifi-densepose-signal/
├── subcarrier_selection.rs ← ruvector-mincut (DynamicMinCut partitions)
├── spectrogram.rs ← ruvector-attn-mincut (attention-gated STFT tokens)
├── bvp.rs ← ruvector-attention (cross-subcarrier BVP attention)
└── fresnel.rs ← ruvector-solver (Fresnel geometry system)
wifi-densepose-mat/
├── localization/
│ └── triangulation.rs ← ruvector-solver (multi-AP TDoA equations)
└── detection/
├── breathing.rs ← ruvector-temporal-tensor (tiered waveform compression)
└── heartbeat.rs ← ruvector-temporal-tensor (tiered micro-Doppler compression)
```
---
### Integration 1: Subcarrier Sensitivity Selection via DynamicMinCut
**File:** `wifi-densepose-signal/src/subcarrier_selection.rs`
**Crate:** `ruvector-mincut`
**Current approach:** Rank all subcarriers by `variance_motion / variance_static`
ratio, take top-K by sorting. O(n log n) sort, static partition.
**ruvector integration:** Build a similarity graph where subcarriers are vertices
and edges encode variance-ratio similarity (|sensitivity_i sensitivity_j|^1).
`DynamicMinCut` finds the minimum bisection separating high-sensitivity
(motion-responsive) from low-sensitivity (noise-dominated) subcarriers. As new
static/motion measurements arrive, `insert_edge`/`delete_edge` incrementally
update the partition in O(n^1.5 log n) amortized — no full re-sort needed.
```rust
use ruvector_mincut::{DynamicMinCut, MinCutBuilder};
/// Partition subcarriers into sensitive/insensitive groups via min-cut.
/// Returns (sensitive_indices, insensitive_indices).
pub fn mincut_subcarrier_partition(
sensitivity: &[f32],
) -> (Vec<usize>, Vec<usize>) {
let n = sensitivity.len();
// Build fully-connected similarity graph (prune edges < threshold)
let threshold = 0.1_f64;
let mut edges = Vec::new();
for i in 0..n {
for j in (i + 1)..n {
let diff = (sensitivity[i] - sensitivity[j]).abs() as f64;
let weight = if diff > 1e-9 { 1.0 / diff } else { 1e6 };
if weight > threshold {
edges.push((i as u64, j as u64, weight));
}
}
}
let mc = MinCutBuilder::new().exact().with_edges(edges).build();
let (side_a, side_b) = mc.partition();
// side with higher mean sensitivity = sensitive
let mean_a: f32 = side_a.iter().map(|&i| sensitivity[i as usize]).sum::<f32>()
/ side_a.len() as f32;
let mean_b: f32 = side_b.iter().map(|&i| sensitivity[i as usize]).sum::<f32>()
/ side_b.len() as f32;
if mean_a >= mean_b {
(side_a.into_iter().map(|x| x as usize).collect(),
side_b.into_iter().map(|x| x as usize).collect())
} else {
(side_b.into_iter().map(|x| x as usize).collect(),
side_a.into_iter().map(|x| x as usize).collect())
}
}
```
**Advantage:** Incremental updates as the environment changes (furniture moved,
new occupant) do not require re-ranking all subcarriers. Dynamic partition tracks
changing sensitivity in O(n^1.5 log n) vs O(n^2) re-scan.
---
### Integration 2: Attention-Gated CSI Spectrogram
**File:** `wifi-densepose-signal/src/spectrogram.rs`
**Crate:** `ruvector-attn-mincut`
**Current approach:** Compute STFT per subcarrier independently, stack into 2D
matrix [freq_bins × time_frames]. All bins weighted equally for downstream CNN.
**ruvector integration:** After STFT, treat each time frame as a sequence token
(d = n_freq_bins, seq_len = n_time_frames). Apply `attn_mincut` to gate which
time-frequency cells contribute to the spectrogram output — suppressing noise
frames and multipath artifacts while amplifying body-motion periods.
```rust
use ruvector_attn_mincut::attn_mincut;
/// Apply attention gating to a computed spectrogram.
/// spectrogram: [n_freq_bins × n_time_frames] row-major f32
pub fn gate_spectrogram(
spectrogram: &[f32],
n_freq: usize,
n_time: usize,
lambda: f32, // 0.1 = mild gating, 0.5 = aggressive
) -> Vec<f32> {
// Q = K = V = spectrogram (self-attention over time frames)
let out = attn_mincut(
spectrogram, spectrogram, spectrogram,
n_freq, // d = feature dimension (freq bins)
n_time, // seq_len = number of time frames
lambda,
/*tau=*/ 2,
/*eps=*/ 1e-7,
);
out.output
}
```
**Advantage:** Self-attention + mincut identifies coherent temporal segments
(body motion intervals) and gates out uncorrelated frames (ambient noise, transient
interference). Lambda tunes the gating strength without requiring separate
denoising or temporal smoothing steps.
---
### Integration 3: Cross-Subcarrier BVP Attention
**File:** `wifi-densepose-signal/src/bvp.rs`
**Crate:** `ruvector-attention`
**Current approach:** Aggregate Body Velocity Profile by summing STFT magnitudes
uniformly across all subcarriers: `BVP[v,t] = Σ_k |STFT_k[v,t]|`. Equal
weighting means insensitive subcarriers dilute the velocity estimate.
**ruvector integration:** Use `ScaledDotProductAttention` to compute a
weighted aggregation across subcarriers. Each subcarrier contributes a key
(its sensitivity profile) and value (its STFT row). The query is the current
velocity bin. Attention weights automatically emphasize subcarriers that are
responsive to the queried velocity range.
```rust
use ruvector_attention::ScaledDotProductAttention;
/// Compute attention-weighted BVP aggregation across subcarriers.
/// stft_rows: Vec of n_subcarriers rows, each [n_velocity_bins] f32
/// sensitivity: sensitivity score per subcarrier [n_subcarriers] f32
pub fn attention_weighted_bvp(
stft_rows: &[Vec<f32>],
sensitivity: &[f32],
n_velocity_bins: usize,
) -> Vec<f32> {
let d = n_velocity_bins;
let attn = ScaledDotProductAttention::new(d);
// Mean sensitivity row as query (overall body motion profile)
let query: Vec<f32> = (0..d).map(|v| {
stft_rows.iter().zip(sensitivity.iter())
.map(|(row, &s)| row[v] * s)
.sum::<f32>()
/ sensitivity.iter().sum::<f32>()
}).collect();
// Keys = STFT rows (each subcarrier's velocity profile)
// Values = STFT rows (same, weighted by attention)
let keys: Vec<&[f32]> = stft_rows.iter().map(|r| r.as_slice()).collect();
let values: Vec<&[f32]> = stft_rows.iter().map(|r| r.as_slice()).collect();
attn.compute(&query, &keys, &values)
.unwrap_or_else(|_| vec![0.0; d])
}
```
**Advantage:** Replaces uniform sum with sensitivity-aware weighting. Subcarriers
in multipath nulls or noise-dominated frequency bands receive low attention weight
automatically, without requiring manual selection or a separate sensitivity step.
---
### Integration 4: Fresnel Zone Geometry System via NeumannSolver
**File:** `wifi-densepose-signal/src/fresnel.rs`
**Crate:** `ruvector-solver`
**Current approach:** Closed-form Fresnel zone radius formula assuming known
TX-RX-body geometry. In practice, exact distances d1 (TX→body) and d2
(body→RX) are unknown — only the TX-RX straight-line distance D is known from
AP placement.
**ruvector integration:** When multiple subcarriers observe different Fresnel
zone crossings at the same chest displacement, we can solve for the unknown
geometry (d1, d2, Δd) using the over-determined linear system from multiple
observations. `NeumannSolver` handles the sparse normal equations efficiently.
```rust
use ruvector_solver::neumann::NeumannSolver;
use ruvector_solver::types::CsrMatrix;
/// Estimate TX-body and body-RX distances from multi-subcarrier Fresnel observations.
/// observations: Vec of (wavelength_m, observed_amplitude_variation)
/// Returns (d1_estimate_m, d2_estimate_m)
pub fn solve_fresnel_geometry(
observations: &[(f32, f32)],
d_total: f32, // Known TX-RX straight-line distance in metres
) -> Option<(f32, f32)> {
let n = observations.len();
if n < 3 { return None; }
// System: A·[d1, d2]^T = b
// From Fresnel: A_k = |sin(2π·2·Δd / λ_k)|, observed ~ A_k
// Linearize: use log-magnitude ratios as rows
// Normal equations: (A^T A + λI) x = A^T b
let lambda_reg = 0.05_f32;
let mut coo = Vec::new();
let mut rhs = vec![0.0_f32; 2];
for (k, &(wavelength, amplitude)) in observations.iter().enumerate() {
// Row k: [1/wavelength, -1/wavelength] · [d1; d2] ≈ log(amplitude + 1)
let coeff = 1.0 / wavelength;
coo.push((k, 0, coeff));
coo.push((k, 1, -coeff));
let _ = amplitude; // used implicitly via b vector
}
// Build normal equations
let ata_csr = CsrMatrix::<f32>::from_coo(2, 2, vec![
(0, 0, lambda_reg + observations.iter().map(|(w, _)| 1.0 / (w * w)).sum::<f32>()),
(1, 1, lambda_reg + observations.iter().map(|(w, _)| 1.0 / (w * w)).sum::<f32>()),
]);
let atb: Vec<f32> = vec![
observations.iter().map(|(w, a)| a / w).sum::<f32>(),
-observations.iter().map(|(w, a)| a / w).sum::<f32>(),
];
let solver = NeumannSolver::new(1e-5, 300);
match solver.solve(&ata_csr, &atb) {
Ok(result) => {
let d1 = result.solution[0].abs().clamp(0.1, d_total - 0.1);
let d2 = (d_total - d1).clamp(0.1, d_total - 0.1);
Some((d1, d2))
}
Err(_) => None,
}
}
```
**Advantage:** Converts the Fresnel model from a single fixed-geometry formula
into a data-driven geometry estimator. With 3+ observations (subcarriers at
different frequencies), NeumannSolver converges in O(√n) iterations — critical
for real-time breathing detection at 100 Hz.
---
### Integration 5: Multi-AP Triangulation via NeumannSolver
**File:** `wifi-densepose-mat/src/localization/triangulation.rs`
**Crate:** `ruvector-solver`
**Current approach:** Multi-AP localization uses pairwise TDoA (Time Difference
of Arrival) converted to hyperbolic equations. Solving N-AP systems requires
linearization and least-squares, currently implemented as brute-force normal
equations via Gaussian elimination (O(n^3)).
**ruvector integration:** The linearized TDoA system is sparse (each measurement
involves 2 APs, not all N). `CsrMatrix::from_coo` + `NeumannSolver` solves the
sparse normal equations in O(√nnz) where nnz = number of non-zeros ≪ N^2.
```rust
use ruvector_solver::neumann::NeumannSolver;
use ruvector_solver::types::CsrMatrix;
/// Solve multi-AP TDoA survivor localization.
/// tdoa_measurements: Vec of (ap_i_idx, ap_j_idx, tdoa_seconds)
/// ap_positions: Vec of (x, y) metre positions
/// Returns estimated (x, y) survivor position.
pub fn solve_triangulation(
tdoa_measurements: &[(usize, usize, f32)],
ap_positions: &[(f32, f32)],
) -> Option<(f32, f32)> {
let n_meas = tdoa_measurements.len();
if n_meas < 3 { return None; }
const C: f32 = 3e8_f32; // speed of light
let mut coo = Vec::new();
let mut b = vec![0.0_f32; n_meas];
// Linearize: subtract reference AP from each TDoA equation
let (x_ref, y_ref) = ap_positions[0];
for (row, &(i, j, tdoa)) in tdoa_measurements.iter().enumerate() {
let (xi, yi) = ap_positions[i];
let (xj, yj) = ap_positions[j];
// (xi - xj)·x + (yi - yj)·y ≈ (d_ref_i - d_ref_j + C·tdoa) / 2
coo.push((row, 0, xi - xj));
coo.push((row, 1, yi - yj));
b[row] = C * tdoa / 2.0
+ ((xi * xi - xj * xj) + (yi * yi - yj * yj)) / 2.0
- x_ref * (xi - xj) - y_ref * (yi - yj);
}
// Normal equations: (A^T A + λI) x = A^T b
let lambda = 0.01_f32;
let ata = CsrMatrix::<f32>::from_coo(2, 2, vec![
(0, 0, lambda + coo.iter().filter(|e| e.1 == 0).map(|e| e.2 * e.2).sum::<f32>()),
(0, 1, coo.iter().filter(|e| e.1 == 0).zip(coo.iter().filter(|e| e.1 == 1)).map(|(a, b2)| a.2 * b2.2).sum::<f32>()),
(1, 0, coo.iter().filter(|e| e.1 == 1).zip(coo.iter().filter(|e| e.1 == 0)).map(|(a, b2)| a.2 * b2.2).sum::<f32>()),
(1, 1, lambda + coo.iter().filter(|e| e.1 == 1).map(|e| e.2 * e.2).sum::<f32>()),
]);
let atb = vec![
coo.iter().filter(|e| e.1 == 0).zip(b.iter()).map(|(e, &bi)| e.2 * bi).sum::<f32>(),
coo.iter().filter(|e| e.1 == 1).zip(b.iter()).map(|(e, &bi)| e.2 * bi).sum::<f32>(),
];
NeumannSolver::new(1e-5, 500)
.solve(&ata, &atb)
.ok()
.map(|r| (r.solution[0], r.solution[1]))
}
```
**Advantage:** For a disaster site with 520 APs, the TDoA system has N×(N-1)/2
= 10190 measurements but only 2 unknowns (x, y). The normal equations are 2×2
regardless of N. NeumannSolver converges in O(1) iterations for well-conditioned
2×2 systems — eliminating Gaussian elimination overhead.
---
### Integration 6: Breathing Waveform Compression
**File:** `wifi-densepose-mat/src/detection/breathing.rs`
**Crate:** `ruvector-temporal-tensor`
**Current approach:** Breathing detector maintains an in-memory ring buffer of
recent CSI amplitude samples across subcarriers × time. For a 60-second window
at 100 Hz with 56 subcarriers: 60 × 100 × 56 × 4 bytes = **13.4 MB per zone**.
With 16 concurrent zones: **214 MB just for breathing buffers**.
**ruvector integration:** `TemporalTensorCompressor` with tiered quantization
(8-bit hot / 5-7-bit warm / 3-bit cold) compresses the breathing waveform buffer
by 5075%:
```rust
use ruvector_temporal_tensor::{TemporalTensorCompressor, TierPolicy};
use ruvector_temporal_tensor::segment;
pub struct CompressedBreathingBuffer {
compressor: TemporalTensorCompressor,
encoded: Vec<u8>,
n_subcarriers: usize,
frame_count: u64,
}
impl CompressedBreathingBuffer {
pub fn new(n_subcarriers: usize, zone_id: u64) -> Self {
Self {
compressor: TemporalTensorCompressor::new(
TierPolicy::default(),
n_subcarriers,
zone_id,
),
encoded: Vec::new(),
n_subcarriers,
frame_count: 0,
}
}
pub fn push_frame(&mut self, amplitudes: &[f32]) {
self.compressor.push_frame(amplitudes, self.frame_count, &mut self.encoded);
self.frame_count += 1;
}
pub fn flush(&mut self) {
self.compressor.flush(&mut self.encoded);
}
/// Decode all frames for frequency analysis.
pub fn to_vec(&self) -> Vec<f32> {
let mut out = Vec::new();
segment::decode(&self.encoded, &mut out);
out
}
/// Get single frame for real-time display.
pub fn get_frame(&self, idx: usize) -> Option<Vec<f32>> {
segment::decode_single_frame(&self.encoded, idx)
}
}
```
**Memory reduction:** 13.4 MB/zone → 3.46.7 MB/zone. 16 zones: 54107 MB
instead of 214 MB. Disaster response hardware (Raspberry Pi 4: 48 GB) can
handle 24× more concurrent zones.
---
### Integration 7: Heartbeat Micro-Doppler Compression
**File:** `wifi-densepose-mat/src/detection/heartbeat.rs`
**Crate:** `ruvector-temporal-tensor`
**Current approach:** Heartbeat detection uses micro-Doppler spectrograms:
sliding STFT of CSI amplitude time-series. Each zone stores a spectrogram of
shape [n_freq_bins=128, n_time=600] (60 seconds at 10 Hz output rate):
128 × 600 × 4 bytes = **307 KB per zone**. With 16 zones: 4.9 MB — acceptable,
but heartbeat spectrograms are the most access-intensive (queried at every triage
update).
**ruvector integration:** `TemporalTensorCompressor` stores the spectrogram rows
as temporal frames (each row = one frequency bin's time-evolution). Hot tier
(recent 10 seconds) at 8-bit, warm (1030 sec) at 5-bit, cold (>30 sec) at 3-bit.
Recent heartbeat cycles remain high-fidelity; historical data is compressed 5x:
```rust
pub struct CompressedHeartbeatSpectrogram {
/// One compressor per frequency bin
bin_buffers: Vec<TemporalTensorCompressor>,
encoded: Vec<Vec<u8>>,
n_freq_bins: usize,
frame_count: u64,
}
impl CompressedHeartbeatSpectrogram {
pub fn new(n_freq_bins: usize) -> Self {
let bin_buffers: Vec<_> = (0..n_freq_bins)
.map(|i| TemporalTensorCompressor::new(TierPolicy::default(), 1, i as u64))
.collect();
let encoded = vec![Vec::new(); n_freq_bins];
Self { bin_buffers, encoded, n_freq_bins, frame_count: 0 }
}
/// Push one column of the spectrogram (one time step, all frequency bins).
pub fn push_column(&mut self, column: &[f32]) {
for (i, (&val, buf)) in column.iter().zip(self.bin_buffers.iter_mut()).enumerate() {
buf.push_frame(&[val], self.frame_count, &mut self.encoded[i]);
}
self.frame_count += 1;
}
/// Extract heartbeat frequency band power (0.81.5 Hz) from recent frames.
pub fn heartbeat_band_power(&self, low_bin: usize, high_bin: usize) -> f32 {
(low_bin..=high_bin.min(self.n_freq_bins - 1))
.map(|b| {
let mut out = Vec::new();
segment::decode(&self.encoded[b], &mut out);
out.iter().rev().take(100).map(|x| x * x).sum::<f32>()
})
.sum::<f32>()
/ (high_bin - low_bin + 1) as f32
}
}
```
---
## Performance Summary
| Integration Point | File | Crate | Before | After |
|---|---|---|---|---|
| Subcarrier selection | `subcarrier_selection.rs` | ruvector-mincut | O(n log n) static sort | O(n^1.5 log n) dynamic partition |
| Spectrogram gating | `spectrogram.rs` | ruvector-attn-mincut | Uniform STFT bins | Attention-gated noise suppression |
| BVP aggregation | `bvp.rs` | ruvector-attention | Uniform subcarrier sum | Sensitivity-weighted attention |
| Fresnel geometry | `fresnel.rs` | ruvector-solver | Fixed geometry formula | Data-driven multi-obs system |
| Multi-AP triangulation | `triangulation.rs` (MAT) | ruvector-solver | O(N^3) dense Gaussian | O(1) 2×2 Neumann system |
| Breathing buffer | `breathing.rs` (MAT) | ruvector-temporal-tensor | 13.4 MB/zone | 3.46.7 MB/zone (5075% less) |
| Heartbeat spectrogram | `heartbeat.rs` (MAT) | ruvector-temporal-tensor | 307 KB/zone uniform | Tiered hot/warm/cold |
## Dependency Changes Required
Add to `v2/Cargo.toml` workspace (already present from ADR-016):
```toml
ruvector-mincut = "2.0.4" # already present
ruvector-attn-mincut = "2.0.4" # already present
ruvector-temporal-tensor = "2.0.4" # already present
ruvector-solver = "2.0.4" # already present
ruvector-attention = "2.0.4" # already present
```
Add to `wifi-densepose-signal/Cargo.toml` and `wifi-densepose-mat/Cargo.toml`:
```toml
[dependencies]
ruvector-mincut = { workspace = true }
ruvector-attn-mincut = { workspace = true }
ruvector-temporal-tensor = { workspace = true }
ruvector-solver = { workspace = true }
ruvector-attention = { workspace = true }
```
## Correction to ADR-002 Dependency Strategy
ADR-002's dependency strategy section specifies non-existent crates:
```toml
# WRONG (ADR-002 original — these crates do not exist at crates.io)
ruvector-core = { version = "0.1", features = ["hnsw", "sona", "gnn"] }
ruvector-data-framework = { version = "0.1", features = ["rvf", "witness", "crypto"] }
ruvector-consensus = { version = "0.1", features = ["raft"] }
ruvector-wasm = { version = "0.1", features = ["edge-runtime"] }
```
The correct published crates (verified at crates.io, source at github.com/ruvnet/ruvector):
```toml
# CORRECT (as of 2026-02-28, all at v2.0.4)
ruvector-mincut = "2.0.4" # Dynamic min-cut, O(n^1.5 log n) updates
ruvector-attn-mincut = "2.0.4" # Attention + mincut gating
ruvector-temporal-tensor = "2.0.4" # Tiered temporal compression
ruvector-solver = "2.0.4" # NeumannSolver, sublinear convergence
ruvector-attention = "2.0.4" # ScaledDotProductAttention
```
The RVF cognitive container format (ADR-003), HNSW search (ADR-004), SONA
self-learning (ADR-005), GNN patterns (ADR-006), post-quantum crypto (ADR-007),
Raft consensus (ADR-008), and WASM edge runtime (ADR-009) described in ADR-002
are architectural capabilities internal to ruvector but not exposed as separate
published crates at v2.0.4. Those ADRs remain as forward-looking architectural
guidance; their implementation paths will use the five published crates as
building blocks where applicable.
## Implementation Priority
| Priority | Integration | Rationale |
|---|---|---|
| P1 | Breathing + heartbeat compression (MAT) | Memory-critical for 16-zone disaster deployments |
| P1 | Multi-AP triangulation (MAT) | Safety-critical accuracy improvement |
| P2 | Subcarrier selection via DynamicMinCut | Enables dynamic environment adaptation |
| P2 | BVP attention aggregation | Direct accuracy improvement for activity classification |
| P3 | Spectrogram attention gating | Reduces CNN input noise; requires CNN retraining |
| P3 | Fresnel geometry system | Improves breathing detection in unknown geometries |
## Consequences
### Positive
- Consistent ruvector integration across all production crates (train, signal, MAT)
- 5075% memory reduction in disaster detection enables 24× more concurrent zones
- Dynamic subcarrier partitioning adapts to environment changes without manual tuning
- Attention-weighted BVP reduces velocity estimation error from insensitive subcarriers
- NeumannSolver triangulation is O(1) in AP count (always solves 2×2 system)
### Negative
- ruvector crates operate on `&[f32]` CPU slices; MAT and signal crates must
bridge from their native types (ndarray, complex numbers)
- `ruvector-temporal-tensor` compression is lossy; heartbeat amplitude values
may lose fine-grained detail in warm/cold tiers (mitigated by hot-tier recency)
- Subcarrier selection via DynamicMinCut assumes a bipartite-like partition;
environments with 3+ distinct subcarrier groups may need multi-way cut extension
## Related ADRs
- ADR-001: WiFi-Mat Disaster Detection (target: MAT integrations 57)
- ADR-002: RuVector RVF Integration Strategy (corrected crate names above)
- ADR-014: SOTA Signal Processing Algorithms (target: signal integrations 14)
- ADR-015: Public Dataset Training Strategy (preceding implementation in ADR-016)
- ADR-016: RuVector Integration for Training Pipeline (completed reference implementation)
## References
- [ruvector source](https://github.com/ruvnet/ruvector)
- [DynamicMinCut API](https://docs.rs/ruvector-mincut/2.0.4)
- [NeumannSolver convergence](https://en.wikipedia.org/wiki/Neumann_series)
- [Tiered quantization](https://arxiv.org/abs/2103.13630)
- SpotFi (SIGCOMM 2015), Widar 3.0 (MobiSys 2019), FarSense (MobiCom 2019)
api-docs/adr/ADR-018-esp32-dev-implementation.md
+319
View File
@@ -0,0 +1,319 @@
# ADR-018: ESP32 Development Implementation Path
## Status
Proposed
## Date
2026-02-28
## Context
ADR-012 established the ESP32 CSI Sensor Mesh architecture: hardware rationale, firmware file structure, `csi_feature_frame_t` C struct, aggregator design, clock-drift handling via feature-level fusion, and a $54 starter BOM. That ADR answers *what* to build and *why*.
This ADR answers *how* to build it — the concrete development sequence, the specific integration points in existing code, and how to test each layer before hardware is in hand.
### Current State
**Already implemented:**
| Component | Location | Status |
|-----------|----------|--------|
| Binary frame parser | `wifi-densepose-hardware/src/esp32_parser.rs` | Complete — `Esp32CsiParser::parse_frame()`, `parse_stream()`, 7 passing tests |
| Frame types | `wifi-densepose-hardware/src/csi_frame.rs` | Complete — `CsiFrame`, `CsiMetadata`, `SubcarrierData`, `to_amplitude_phase()` |
| Parse error types | `wifi-densepose-hardware/src/error.rs` | Complete — `ParseError` enum with 6 variants |
| Signal processing pipeline | `wifi-densepose-signal` crate | Complete — Hampel, Fresnel, BVP, Doppler, spectrogram |
| CSI extractor (Python) | `archive/v1/src/hardware/csi_extractor.py` | Stub — `_read_raw_data()` raises `NotImplementedError` |
| Router interface (Python) | `archive/v1/src/hardware/router_interface.py` | Stub — `_parse_csi_response()` raises `RouterConnectionError` |
**Not yet implemented:**
- ESP-IDF C firmware (`firmware/esp32-csi-node/`)
- UDP aggregator binary (`crates/wifi-densepose-hardware/src/aggregator/`)
- `CsiFrame``wifi_densepose_signal::CsiData` bridge
- Python `_read_raw_data()` real UDP socket implementation
- Proof capture tooling for real hardware
### Binary Frame Format (implemented in `esp32_parser.rs`)
```
Offset Size Field
0 4 Magic: 0xC5110001 (LE)
4 1 Node ID (0-255)
5 1 Number of antennas
6 2 Number of subcarriers (LE u16)
8 4 Frequency Hz (LE u32, e.g. 2412 for 2.4 GHz ch1)
12 4 Sequence number (LE u32)
16 1 RSSI (i8, dBm)
17 1 Noise floor (i8, dBm)
18 2 Reserved (zero)
20 N*2 I/Q pairs: (i8, i8) per subcarrier, repeated per antenna
```
Total frame size: 20 + (n_antennas × n_subcarriers × 2) bytes.
For 3 antennas, 56 subcarriers: 20 + 336 = 356 bytes per frame.
The firmware must write frames in this exact format. The parser already validates magic, bounds-checks `n_subcarriers` (≤512), and resyncs the stream on magic search for `parse_stream()`.
## Decision
We will implement the ESP32 development stack in four sequential layers, each independently testable before hardware is available.
### Layer 1 — ESP-IDF Firmware (`firmware/esp32-csi-node/`)
Implement the C firmware project per the file structure in ADR-012. Key design decisions deferred from ADR-012:
**CSI callback → frame serializer:**
```c
// main/csi_collector.c
static void csi_data_callback(void *ctx, wifi_csi_info_t *info) {
if (!info || !info->buf) return;
// Write binary frame header (20 bytes, little-endian)
uint8_t frame[FRAME_MAX_BYTES];
uint32_t magic = 0xC5110001;
memcpy(frame + 0, &magic, 4);
frame[4] = g_node_id;
frame[5] = info->rx_ctrl.ant; // antenna index (1 for ESP32 single-antenna)
uint16_t n_sub = info->len / 2; // len = n_subcarriers * 2 (I + Q bytes)
memcpy(frame + 6, &n_sub, 2);
uint32_t freq_mhz = g_channel_freq_mhz;
memcpy(frame + 8, &freq_mhz, 4);
memcpy(frame + 12, &g_seq_num, 4);
frame[16] = (int8_t)info->rx_ctrl.rssi;
frame[17] = (int8_t)info->rx_ctrl.noise_floor;
frame[18] = 0; frame[19] = 0;
// Write I/Q payload directly from info->buf
memcpy(frame + 20, info->buf, info->len);
// Send over UDP to aggregator
stream_sender_write(frame, 20 + info->len);
g_seq_num++;
}
```
**No on-device FFT** (contradicting ADR-012's optional feature extraction path): The Rust aggregator will do feature extraction using the SOTA `wifi-densepose-signal` pipeline. Raw I/Q is cheaper to stream at ESP32 sampling rates (~100 Hz at 56 subcarriers = ~35 KB/s per node).
**Rate-limiting and ENOMEM backoff** (Issue #127 fix):
CSI callbacks fire 100-500+ times/sec in promiscuous mode. Two safeguards prevent lwIP pbuf exhaustion:
1. **50 Hz rate limiter** (`csi_collector.c`): `sendto()` is skipped if less than 20 ms have elapsed since the last successful send. Excess CSI callbacks are dropped silently.
2. **ENOMEM backoff** (`stream_sender.c`): When `sendto()` returns `ENOMEM` (errno 12), all sends are suppressed for 100 ms to let lwIP reclaim packet buffers. Without this, rapid-fire failed sends cause a guru meditation crash.
**`sdkconfig.defaults`** must enable:
```
CONFIG_ESP_WIFI_CSI_ENABLED=y
CONFIG_LWIP_SO_RCVBUF=y
CONFIG_FREERTOS_HZ=1000
```
**Build toolchain**: ESP-IDF v5.2+ (pinned). Docker image: `espressif/idf:v5.2` for reproducible CI.
### Layer 2 — UDP Aggregator (`crates/wifi-densepose-hardware/src/aggregator/`)
New module within the hardware crate. Entry point: `aggregator_main()` callable as a binary target.
```rust
// crates/wifi-densepose-hardware/src/aggregator/mod.rs
pub struct Esp32Aggregator {
socket: UdpSocket,
nodes: HashMap<u8, NodeState>, // keyed by node_id from frame header
tx: mpsc::SyncSender<CsiFrame>, // outbound to bridge
}
struct NodeState {
last_seq: u32,
drop_count: u64,
last_recv: Instant,
}
impl Esp32Aggregator {
/// Bind UDP socket and start blocking receive loop.
/// Each valid frame is forwarded on `tx`.
pub fn run(&mut self) -> Result<(), AggregatorError> {
let mut buf = vec![0u8; 4096];
loop {
let (n, _addr) = self.socket.recv_from(&mut buf)?;
match Esp32CsiParser::parse_frame(&buf[..n]) {
Ok((frame, _consumed)) => {
let state = self.nodes.entry(frame.metadata.node_id)
.or_insert_with(NodeState::default);
// Track drops via sequence number gaps
if frame.metadata.seq_num != state.last_seq + 1 {
state.drop_count += (frame.metadata.seq_num
.wrapping_sub(state.last_seq + 1)) as u64;
}
state.last_seq = frame.metadata.seq_num;
state.last_recv = Instant::now();
let _ = self.tx.try_send(frame); // drop if pipeline is full
}
Err(e) => {
// Log and continue — never crash on bad UDP packet
eprintln!("aggregator: parse error: {e}");
}
}
}
}
}
```
**Testable without hardware**: The test suite generates frames using `build_test_frame()` (same helper pattern as `esp32_parser.rs` tests) and sends them over a loopback UDP socket. The aggregator receives and forwards them identically to real hardware frames.
### Layer 3 — CsiFrame → CsiData Bridge
Bridge from `wifi-densepose-hardware::CsiFrame` to the signal processing type `wifi_densepose_signal::CsiData` (or a compatible intermediate type consumed by the Rust pipeline).
```rust
// crates/wifi-densepose-hardware/src/bridge.rs
use crate::{CsiFrame};
/// Intermediate type compatible with the signal processing pipeline.
/// Maps directly from CsiFrame without cloning the I/Q storage.
pub struct CsiData {
pub timestamp_unix_ms: u64,
pub node_id: u8,
pub n_antennas: usize,
pub n_subcarriers: usize,
pub amplitude: Vec<f64>, // length: n_antennas * n_subcarriers
pub phase: Vec<f64>, // length: n_antennas * n_subcarriers
pub rssi_dbm: i8,
pub noise_floor_dbm: i8,
pub channel_freq_mhz: u32,
}
impl From<CsiFrame> for CsiData {
fn from(frame: CsiFrame) -> Self {
let n_ant = frame.metadata.n_antennas as usize;
let n_sub = frame.metadata.n_subcarriers as usize;
let (amplitude, phase) = frame.to_amplitude_phase();
CsiData {
timestamp_unix_ms: frame.metadata.timestamp_unix_ms,
node_id: frame.metadata.node_id,
n_antennas: n_ant,
n_subcarriers: n_sub,
amplitude,
phase,
rssi_dbm: frame.metadata.rssi_dbm,
noise_floor_dbm: frame.metadata.noise_floor_dbm,
channel_freq_mhz: frame.metadata.channel_freq_mhz,
}
}
}
```
The bridge test: parse a known binary frame, convert to `CsiData`, assert `amplitude[0]` = √(I₀² + Q₀²) to within f64 precision.
### Layer 4 — Python `_read_raw_data()` Real Implementation
Replace the `NotImplementedError` stub in `archive/v1/src/hardware/csi_extractor.py` with a UDP socket reader. This allows the Python pipeline to receive real CSI from the aggregator while the Rust pipeline is being integrated.
```python
# archive/v1/src/hardware/csi_extractor.py
# Replace _read_raw_data() stub:
import socket as _socket
class CSIExtractor:
...
def _read_raw_data(self) -> bytes:
"""Read one raw CSI frame from the UDP aggregator.
Expects binary frames in the ESP32 format (magic 0xC5110001 header).
Aggregator address configured via AGGREGATOR_HOST / AGGREGATOR_PORT
environment variables (defaults: 127.0.0.1:5005).
"""
if not hasattr(self, '_udp_socket'):
host = self.config.get('aggregator_host', '127.0.0.1')
port = int(self.config.get('aggregator_port', 5005))
sock = _socket.socket(_socket.AF_INET, _socket.SOCK_DGRAM)
sock.bind((host, port))
sock.settimeout(1.0)
self._udp_socket = sock
try:
data, _ = self._udp_socket.recvfrom(4096)
return data
except _socket.timeout:
raise CSIExtractionError(
"No CSI data received within timeout — "
"is the ESP32 aggregator running?"
)
```
This is tested with a mock UDP server in the unit tests (existing `test_csi_extractor_tdd.py` pattern) and with the real aggregator in integration.
## Development Sequence
```
Phase 1 (Firmware + Aggregator — no pipeline integration needed):
1. Write firmware/esp32-csi-node/ C project (ESP-IDF v5.2)
2. Flash to one ESP32-S3-DevKitC board
3. Verify binary frames arrive on laptop UDP socket using Wireshark
4. Write aggregator crate + loopback test
Phase 2 (Bridge + Python stub):
5. Implement CsiFrame → CsiData bridge
6. Replace Python _read_raw_data() with UDP socket
7. Run Python pipeline end-to-end against loopback aggregator (synthetic frames)
Phase 3 (Real hardware integration):
8. Run Python pipeline against live ESP32 frames
9. Capture 10-second real CSI bundle (firmware/esp32-csi-node/proof/)
10. Verify proof bundle hash (ADR-011 pattern)
11. Mark ADR-012 Accepted, mark this ADR Accepted
```
## Testing Without Hardware
All four layers are testable before a single ESP32 is purchased:
| Layer | Test Method |
|-------|-------------|
| Firmware binary format | Build a `build_test_frame()` helper in Rust, compare its output byte-for-byte against a hand-computed reference frame |
| Aggregator | Loopback UDP: test sends synthetic frames to 127.0.0.1:5005, aggregator receives and forwards on channel |
| Bridge | `assert_eq!(csi_data.amplitude[0], f64::sqrt((iq[0].i as f64).powi(2) + (iq[0].q as f64).powi(2)))` |
| Python UDP reader | Mock UDP server in pytest using `socket.socket` in a background thread |
The existing `esp32_parser.rs` test suite already validates parsing of correctly-formatted binary frames. The aggregator and bridge tests build on top of the same test frame construction.
## Consequences
### Positive
- **Layered testability**: Each layer can be validated independently before hardware acquisition.
- **No new external dependencies**: UDP sockets are in stdlib (both Rust and Python). Firmware uses only ESP-IDF and esp-dsp component.
- **Stub elimination**: Replaces the last two `NotImplementedError` stubs in the Python hardware layer with real code backed by real data.
- **Proof of reality**: Phase 3 produces a captured CSI bundle hashed to a known value, satisfying ADR-011 for hardware-sourced data.
- **Signal-crate reuse**: The SOTA Hampel/Fresnel/BVP/Doppler processing from ADR-014 applies unchanged to real ESP32 frames after the bridge converts them.
### Negative
- **Firmware requires ESP-IDF toolchain**: Not buildable without a 2+ GB ESP-IDF installation. CI must use the official Docker image or skip firmware compilation.
- **Raw I/Q bandwidth**: Streaming raw I/Q (not features) at 100 Hz × 3 antennas × 56 subcarriers = ~35 KB/s/node. At 6 nodes = ~210 KB/s. Fine for LAN; not suitable for WAN.
- **Single-antenna real-world**: Most ESP32-S3-DevKitC boards have one on-board antenna. Multi-antenna data requires external antenna + board with U.FL connector or purpose-built multi-radio setup.
### Deferred
- **Multi-node clock drift compensation**: ADR-012 specifies feature-level fusion. The aggregator in this ADR passes raw `CsiFrame` per-node. Drift compensation lives in a future `FeatureFuser` layer (not scoped here).
- **ESP-IDF firmware CI**: Firmware compilation in GitHub Actions requires the ESP-IDF Docker image. CI integration is deferred until Phase 3 hardware validation.
## Interaction with Other ADRs
| ADR | Interaction |
|-----|-------------|
| ADR-011 | Phase 3 produces a real CSI proof bundle satisfying mock elimination |
| ADR-012 | This ADR implements the development path for ADR-012's architecture |
| ADR-014 | SOTA signal processing applies unchanged after bridge layer |
| ADR-008 | Aggregator handles multi-node; distributed consensus is a later concern |
## References
- [Espressif ESP-CSI Repository](https://github.com/espressif/esp-csi)
- [ESP-IDF WiFi CSI API Reference](https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-guides/wifi.html#wi-fi-channel-state-information)
- `wifi-densepose-hardware/src/esp32_parser.rs` — binary frame parser implementation
- `wifi-densepose-hardware/src/csi_frame.rs``CsiFrame`, `to_amplitude_phase()`
- ADR-012: ESP32 CSI Sensor Mesh (architecture)
- ADR-011: Python Proof-of-Reality and Mock Elimination
- ADR-014: SOTA Signal Processing
api-docs/adr/ADR-019-sensing-only-ui-mode.md
+122
View File
@@ -0,0 +1,122 @@
# ADR-019: Sensing-Only UI Mode with Gaussian Splat Visualization
| Field | Value |
|-------|-------|
| **Status** | Accepted |
| **Date** | 2026-02-28 |
| **Deciders** | ruv |
| **Relates to** | ADR-013 (Feature-Level Sensing), ADR-018 (ESP32 Dev Implementation) |
## Context
The WiFi-DensePose UI was originally built to require the full FastAPI DensePose backend (`localhost:8000`) for all functionality. This backend depends on heavy Python packages (PyTorch ~2GB, torchvision, OpenCV, SQLAlchemy, Redis) making it impractical for lightweight sensing-only deployments where the user simply wants to visualize live WiFi signal data from ESP32 CSI or Windows RSSI collectors.
A Rust port exists (`v2`) using Axum with lighter runtime footprint (~10MB binary, ~5MB RAM), but it still requires libtorch C++ bindings and OpenBLAS for compilation—a non-trivial build.
Users need a way to run the UI with **only the sensing pipeline** active, without installing the full DensePose backend stack.
## Decision
Implement a **sensing-only UI mode** that:
1. **Decouples the sensing pipeline** from the DensePose API backend. The sensing WebSocket server (`ws_server.py` on port 8765) operates independently of the FastAPI backend (port 8000).
2. **Auto-detects sensing-only mode** at startup. When the DensePose backend is unreachable, the UI sets `backendDetector.sensingOnlyMode = true` and:
- Suppresses all API requests to `localhost:8000` at the `ApiService.request()` level
- Skips initialization of DensePose-dependent tabs (Dashboard, Hardware, Live Demo)
- Shows a green "Sensing mode" status toast instead of error banners
- Silences health monitoring polls
3. **Adds a new "Sensing" tab** with Three.js Gaussian splat visualization:
- Custom GLSL `ShaderMaterial` rendering point-cloud splats on a 20×20 floor grid
- Signal field splats colored by intensity (blue → green → red)
- Body disruption blob at estimated motion position
- Breathing ring modulation when breathing-band power detected
- Side panel with RSSI sparkline, feature meters, and classification badge
4. **Python WebSocket bridge** (`archive/v1/src/sensing/ws_server.py`) that:
- Auto-detects ESP32 UDP CSI stream on port 5005 (ADR-018 binary frames)
- Falls back to `WindowsWifiCollector``SimulatedCollector`
- Runs `RssiFeatureExtractor``PresenceClassifier` pipeline
- Broadcasts JSON sensing updates every 500ms on `ws://localhost:8765`
5. **Client-side fallback**: `sensing.service.js` generates simulated data when the WebSocket server is unreachable, so the visualization always works.
## Architecture
```
ESP32 (UDP :5005) ──┐
├──▶ ws_server.py (:8765) ──▶ sensing.service.js ──▶ SensingTab.js
Windows WiFi RSSI ───┘ │ │ │
Feature extraction WebSocket client gaussian-splats.js
+ Classification + Reconnect (Three.js ShaderMaterial)
+ Sim fallback
```
### Data flow
| Source | Collector | Feature Extraction | Output |
|--------|-----------|-------------------|--------|
| ESP32 CSI (ADR-018) | `Esp32UdpCollector` (UDP :5005) | Amplitude mean → pseudo-RSSI → `RssiFeatureExtractor` | `sensing_update` JSON |
| Windows WiFi | `WindowsWifiCollector` (netsh) | RSSI + signal% → `RssiFeatureExtractor` | `sensing_update` JSON |
| Simulated | `SimulatedCollector` | Synthetic RSSI patterns | `sensing_update` JSON |
### Sensing update JSON schema
```json
{
"type": "sensing_update",
"timestamp": 1234567890.123,
"source": "esp32",
"nodes": [{ "node_id": 1, "rssi_dbm": -39, "position": [2,0,1.5], "amplitude": [...], "subcarrier_count": 56 }],
"features": { "mean_rssi": -39.0, "variance": 2.34, "motion_band_power": 0.45, ... },
"classification": { "motion_level": "active", "presence": true, "confidence": 0.87 },
"signal_field": { "grid_size": [20,1,20], "values": [...] }
}
```
## Files
### Created
| File | Purpose |
|------|---------|
| `archive/v1/src/sensing/ws_server.py` | Python asyncio WebSocket server with auto-detect collectors |
| `ui/components/SensingTab.js` | Sensing tab UI with Three.js integration |
| `ui/components/gaussian-splats.js` | Custom GLSL Gaussian splat renderer |
| `ui/services/sensing.service.js` | WebSocket client with reconnect + simulation fallback |
### Modified
| File | Change |
|------|--------|
| `ui/index.html` | Added Sensing nav tab button and content section |
| `ui/app.js` | Sensing-only mode detection, conditional tab init |
| `ui/style.css` | Sensing tab layout and component styles |
| `ui/config/api.config.js` | `AUTO_DETECT: false` (sensing uses own WS) |
| `ui/services/api.service.js` | Short-circuit requests in sensing-only mode |
| `ui/services/health.service.js` | Skip polling when backend unreachable |
| `ui/components/DashboardTab.js` | Graceful failure in sensing-only mode |
## Consequences
### Positive
- UI works with zero heavy dependencies—only `pip install websockets` (+ numpy/scipy already installed)
- ESP32 CSI data flows end-to-end without PyTorch, OpenCV, or database
- Existing DensePose tabs still work when the full backend is running
- Clean console output—no `ERR_CONNECTION_REFUSED` spam in sensing-only mode
### Negative
- Two separate WebSocket endpoints: `:8765` (sensing) and `:8000/api/v1/stream/pose` (DensePose)
- Pose estimation, zone occupancy, and historical data features unavailable in sensing-only mode
- Client-side simulation fallback may mislead users if they don't notice the "Simulated" badge
### Neutral
- Rust Axum backend remains a future option for a unified lightweight server
- The sensing pipeline reuses the existing `RssiFeatureExtractor` and `PresenceClassifier` classes unchanged
## Alternatives Considered
1. **Install minimal FastAPI** (`pip install fastapi uvicorn pydantic`): Starts the server but pose endpoints return errors without PyTorch.
2. **Build Rust backend**: Single binary, but requires libtorch + OpenBLAS build toolchain.
3. **Merge sensing into FastAPI**: Would require FastAPI installed even for sensing-only use.
Option 1 was rejected because it still shows broken tabs. The chosen approach cleanly separates concerns.
api-docs/adr/ADR-020-rust-ruvector-ai-model-migration.md
+157
View File
@@ -0,0 +1,157 @@
# ADR-020: Migrate AI/Model Inference to Rust with RuVector and ONNX Runtime
| Field | Value |
|-------|-------|
| **Status** | Accepted |
| **Date** | 2026-02-28 |
| **Deciders** | ruv |
| **Relates to** | ADR-016 (RuVector Integration), ADR-017 (RuVector-Signal-MAT), ADR-019 (Sensing-Only UI) |
## Context
The current Python DensePose backend requires ~2GB+ of dependencies:
| Python Dependency | Size | Purpose |
|-------------------|------|---------|
| PyTorch | ~2.0 GB | Neural network inference |
| torchvision | ~500 MB | Model loading, transforms |
| OpenCV | ~100 MB | Image processing |
| SQLAlchemy + asyncpg | ~20 MB | Database |
| scikit-learn | ~50 MB | Classification |
| **Total** | **~2.7 GB** | |
This makes the DensePose backend impractical for edge deployments, CI pipelines, and developer laptops where users only need WiFi sensing + pose estimation.
Meanwhile, the Rust port at `v2/` already has:
- **12 workspace crates** covering core, signal, nn, api, db, config, hardware, wasm, cli, mat, train
- **5 RuVector crates** (v2.0.4, published on crates.io) integrated into signal, mat, and train crates
- **3 NN backends**: ONNX Runtime (default), tch (PyTorch C++), Candle (pure Rust)
- **Axum web framework** with WebSocket support in the MAT crate
- **Signal processing pipeline**: CSI processor, BVP, Fresnel geometry, spectrogram, subcarrier selection, motion detection, Hampel filter, phase sanitizer
## Decision
Adopt the Rust workspace as the **primary backend** for AI/model inference and signal processing, replacing the Python FastAPI stack for production deployments.
### Phase 1: ONNX Runtime Default (No libtorch)
Use the `wifi-densepose-nn` crate with `default-features = ["onnx"]` only. This avoids the libtorch C++ dependency entirely.
| Component | Rust Crate | Replaces Python |
|-----------|-----------|-----------------|
| CSI processing | `wifi-densepose-signal::csi_processor` | `archive/v1/src/sensing/feature_extractor.py` |
| Motion detection | `wifi-densepose-signal::motion` | `archive/v1/src/sensing/classifier.py` |
| BVP extraction | `wifi-densepose-signal::bvp` | N/A (new capability) |
| Fresnel geometry | `wifi-densepose-signal::fresnel` | N/A (new capability) |
| Subcarrier selection | `wifi-densepose-signal::subcarrier_selection` | N/A (new capability) |
| Spectrogram | `wifi-densepose-signal::spectrogram` | N/A (new capability) |
| Pose inference | `wifi-densepose-nn::onnx` | PyTorch + torchvision |
| DensePose mapping | `wifi-densepose-nn::densepose` | Python DensePose |
| REST API | `wifi-densepose-mat::api` (Axum) | FastAPI |
| WebSocket stream | `wifi-densepose-mat::api::websocket` | `ws_server.py` |
| Survivor detection | `wifi-densepose-mat::detection` | N/A (new capability) |
| Vital signs | `wifi-densepose-mat::ml` | N/A (new capability) |
### Phase 2: RuVector Signal Intelligence
The 5 RuVector crates provide subpolynomial algorithms already wired into the Rust signal pipeline:
| Crate | Algorithm | Use in Pipeline |
|-------|-----------|-----------------|
| `ruvector-mincut` | Subpolynomial min-cut | Dynamic subcarrier partitioning (sensitive vs insensitive) |
| `ruvector-attn-mincut` | Attention-gated min-cut | Noise-suppressed spectrogram generation |
| `ruvector-attention` | Sensitivity-weighted attention | Body velocity profile extraction |
| `ruvector-solver` | Sparse Fresnel solver | TX-body-RX distance estimation |
| `ruvector-temporal-tensor` | Compressed temporal buffers | Breathing + heartbeat spectrogram storage |
These replace the Python `RssiFeatureExtractor` with hardware-aware, subcarrier-level feature extraction.
### Phase 3: Unified Axum Server
Replace both the Python FastAPI backend (port 8000) and the Python sensing WebSocket (port 8765) with a single Rust Axum server:
```
ESP32 (UDP :5005) ──▶ Rust Axum server (:8000) ──▶ UI (browser)
├── /health/* (health checks)
├── /api/v1/pose/* (pose estimation)
├── /api/v1/stream/* (WebSocket pose stream)
├── /ws/sensing (sensing WebSocket — replaces :8765)
└── /ws/mat/stream (MAT domain events)
```
### Build Configuration
```toml
# Lightweight build — no libtorch, no OpenBLAS
cargo build --release -p wifi-densepose-mat --no-default-features --features "std,api,onnx"
# Full build with all backends
cargo build --release --features "all-backends"
```
### Dependency Comparison
| | Python Backend | Rust Backend (ONNX only) |
|---|---|---|
| Install size | ~2.7 GB | ~50 MB binary |
| Runtime memory | ~500 MB | ~20 MB |
| Startup time | 3-5s | <100ms |
| Dependencies | 30+ pip packages | Single static binary |
| GPU support | CUDA via PyTorch | CUDA via ONNX Runtime |
| Model format | .pt/.pth (PyTorch) | .onnx (portable) |
| Cross-compile | Difficult | `cargo build --target` |
| WASM target | No | Yes (`wifi-densepose-wasm`) |
### Model Conversion
Export existing PyTorch models to ONNX for the Rust backend:
```python
# One-time conversion (Python)
import torch
model = torch.load("model.pth")
torch.onnx.export(model, dummy_input, "model.onnx", opset_version=17)
```
The `wifi-densepose-nn::onnx` module loads `.onnx` files directly.
## Consequences
### Positive
- Single ~50MB static binary replaces ~2.7GB Python environment
- ~20MB runtime memory vs ~500MB
- Sub-100ms startup vs 3-5 seconds
- Single port serves all endpoints (API, WebSocket sensing, WebSocket pose)
- RuVector subpolynomial algorithms run natively (no FFI overhead)
- WASM build target enables browser-side inference
- Cross-compilation for ARM (Raspberry Pi), ESP32-S3, etc.
### Negative
- ONNX model conversion required (one-time step per model)
- Developers need Rust toolchain for backend changes
- Python sensing pipeline (`ws_server.py`) remains useful for rapid prototyping
- `ndarray-linalg` requires OpenBLAS or system LAPACK for some signal crates
### Migration Path
1. Keep Python `ws_server.py` as fallback for development/prototyping
2. Build Rust binary with `cargo build --release -p wifi-densepose-mat`
3. UI detects which backend is running and adapts (existing `sensingOnlyMode` logic)
4. Deprecate Python backend once Rust API reaches feature parity
## Verification
```bash
# Build the Rust workspace (ONNX-only, no libtorch)
cd v2
cargo check --workspace 2>&1
# Build release binary
cargo build --release -p wifi-densepose-mat --no-default-features --features "std,api"
# Run tests
cargo test --workspace
# Binary size
ls -lh target/release/wifi-densepose-mat
```
api-docs/adr/ADR-021-vital-sign-detection-rvdna-pipeline.md
+1092
View File
File diff suppressed because it is too large Load Diff
api-docs/adr/ADR-022-windows-wifi-enhanced-fidelity-ruvector.md
+1357
View File
File diff suppressed because it is too large Load Diff
api-docs/adr/ADR-023-trained-densepose-model-ruvector-pipeline.md
+825
View File
@@ -0,0 +1,825 @@
# ADR-023: Trained DensePose Model with RuVector Signal Intelligence Pipeline
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-02-28 |
| **Deciders** | ruv |
| **Relates to** | ADR-003 (RVF Cognitive Containers), ADR-005 (SONA Self-Learning), ADR-015 (Public Dataset Strategy), ADR-016 (RuVector Integration), ADR-017 (RuVector-Signal-MAT), ADR-020 (Rust AI Migration), ADR-021 (Vital Sign Detection) |
## Context
### The Gap Between Sensing and DensePose
The WiFi-DensePose system currently operates in two distinct modes:
1. **WiFi CSI sensing** (working): ESP32 streams CSI frames → Rust aggregator → feature extraction → presence/motion classification. 41 tests passing, verified at ~20 Hz with real hardware.
2. **Heuristic pose derivation** (working but approximate): The Rust sensing server generates 17 COCO keypoints from WiFi signal properties using hand-crafted rules (`derive_pose_from_sensing()` in `sensing-server/src/main.rs`). This is not a trained model — keypoint positions are derived from signal amplitude, phase variance, and motion metrics rather than learned from labeled data.
Neither mode produces **DensePose-quality** body surface estimation. The CMU "DensePose From WiFi" paper (arXiv:2301.00250) demonstrated that a neural network trained on paired WiFi CSI + camera pose data can produce dense body surface UV coordinates from WiFi alone. However, that approach requires:
- **Environment-specific training**: The model must be trained or fine-tuned for each deployment environment because CSI multipath patterns are environment-dependent.
- **Paired training data**: Simultaneous WiFi CSI captures + ground-truth pose annotations (or a camera-based teacher model generating pseudo-labels).
- **Substantial compute**: Training a modality translation network + DensePose head requires GPU time (hours to days depending on dataset size).
### What Exists in the Codebase
The Rust workspace already has the complete model architecture ready for training:
| Component | Crate | File | Status |
|-----------|-------|------|--------|
| `WiFiDensePoseModel` | `wifi-densepose-train` | `model.rs` | Implemented (random weights) |
| `ModalityTranslator` | `wifi-densepose-train` | `model.rs` | Implemented with RuVector attention |
| `KeypointHead` | `wifi-densepose-train` | `model.rs` | Implemented (17 COCO heatmaps) |
| `DensePoseHead` | `wifi-densepose-nn` | `densepose.rs` | Implemented (25 parts + 48 UV) |
| `WiFiDensePoseLoss` | `wifi-densepose-train` | `losses.rs` | Implemented (keypoint + part + UV + transfer) |
| `MmFiDataset` loader | `wifi-densepose-train` | `dataset.rs` | Planned (ADR-015) |
| `WiFiDensePosePipeline` | `wifi-densepose-nn` | `inference.rs` | Implemented (generic over Backend) |
| Training proof verification | `wifi-densepose-train` | `proof.rs` | Implemented (deterministic hash) |
| Subcarrier resampling (114→56) | `wifi-densepose-train` | `subcarrier.rs` | Planned (ADR-016) |
### RuVector Crates Available
The `vendor/ruvector/` subtree provides 90+ crates. The following are directly relevant to a trained DensePose pipeline:
**Already integrated (5 crates, ADR-016):**
| Crate | Algorithm | Current Use |
|-------|-----------|-------------|
| `ruvector-mincut` | Subpolynomial dynamic min-cut O(n^{o(1)}) | Multi-person assignment in `metrics.rs` |
| `ruvector-attn-mincut` | Attention-gated min-cut | Noise-suppressed spectrogram in `model.rs` |
| `ruvector-attention` | Scaled dot-product + geometric attention | Spatial decoder in `model.rs` |
| `ruvector-solver` | Sparse Neumann solver O(√n) | Subcarrier resampling in `subcarrier.rs` |
| `ruvector-temporal-tensor` | Tiered temporal compression | CSI frame buffering in `dataset.rs` |
**Newly proposed for DensePose pipeline (6 additional crates):**
| Crate | Description | Proposed Use |
|-------|-------------|-------------|
| `ruvector-gnn` | Graph neural network on HNSW topology | Spatial body-graph reasoning |
| `ruvector-graph-transformer` | Proof-gated graph transformer (8 modules) | CSI-to-pose cross-attention |
| `ruvector-sparse-inference` | PowerInfer-style sparse inference engine | Edge deployment with neuron activation sparsity |
| `ruvector-sona` | Self-Optimizing Neural Architecture (LoRA + EWC++) | Online environment adaptation |
| `ruvector-fpga-transformer` | FPGA-optimized transformer | Hardware-accelerated inference path |
| `ruvector-math` | Optimal transport, information geometry | Domain adaptation loss functions |
### RVF Container Format
The RuVector Format (RVF) is a segment-based binary container format designed to package
intelligence artifacts — embeddings, HNSW indexes, quantized weights, WASM runtimes, witness
proofs, and metadata — into a single self-contained file. Key properties:
- **64-byte segment headers** (`SegmentHeader`, magic `0x52564653` "RVFS") with type discriminator, content hash, compression, and timestamp
- **Progressive loading**: Layer A (entry points, <5ms) → Layer B (hot adjacency, 100ms1s) → Layer C (full graph, seconds)
- **20+ segment types**: `Vec` (embeddings), `Index` (HNSW), `Overlay` (min-cut witnesses), `Quant` (codebooks), `Witness` (proof-of-computation), `Wasm` (self-bootstrapping runtime), `Dashboard` (embedded UI), `AggregateWeights` (federated SONA deltas), `Crypto` (Ed25519 signatures), and more
- **Temperature-tiered quantization** (`rvf-quant`): f32 / f16 / u8 / binary per-segment, with SIMD-accelerated distance computation
- **AGI Cognitive Container** (`agi_container.rs`): packages kernel + WASM + world model + orchestrator + evaluation harness + witness chains into a single deployable file
The trained DensePose model will be packaged as an `.rvf` container, making it a single
self-contained artifact that includes model weights, HNSW-indexed embedding tables, min-cut
graph overlays, quantization codebooks, SONA adaptation deltas, and the WASM inference
runtime — deployable to any host without external dependencies.
## Decision
Implement a fully trained DensePose model using RuVector signal intelligence as the backbone signal processing layer, packaged in the RVF container format. The pipeline has three stages: (1) offline training on public datasets, (2) teacher-student distillation for DensePose UV labels, and (3) online SONA adaptation for environment-specific fine-tuning. The trained model, its embeddings, indexes, and adaptation state are serialized into a single `.rvf` file.
### Architecture Overview
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ TRAINED DENSEPOSE PIPELINE │
│ │
│ ┌─────────────┐ ┌──────────────────────┐ ┌──────────────────────┐ │
│ │ ESP32 CSI │ │ RuVector Signal │ │ Trained Neural │ │
│ │ Raw I/Q │───▶│ Intelligence Layer │───▶│ Network │ │
│ │ [ant×sub×T] │ │ (preprocessing) │ │ (inference) │ │
│ └─────────────┘ └──────────────────────┘ └──────────────────────┘ │
│ │ │ │
│ ┌─────────┴─────────┐ ┌────────┴────────┐ │
│ │ 5 RuVector crates │ │ 6 RuVector │ │
│ │ (signal processing)│ │ crates (neural) │ │
│ └───────────────────┘ └─────────────────┘ │
│ │ │
│ ┌──────────────────────────┘ │
│ ▼ │
│ ┌──────────────────────────────────────┐ │
│ │ Outputs │ │
│ │ • 17 COCO keypoints [B,17,H,W] │ │
│ │ • 25 body parts [B,25,H,W] │ │
│ │ • 48 UV coords [B,48,H,W] │ │
│ │ • Confidence scores │ │
│ └──────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
```
### Stage 1: RuVector Signal Preprocessing Layer
Raw CSI frames from ESP32 (56192 subcarriers × N antennas × T time frames) are processed through the RuVector signal intelligence stack before entering the neural network. This replaces hand-crafted feature extraction with learned, graph-aware preprocessing.
```
Raw CSI [ant, sub, T]
┌─────────────────────────────────────────────────────┐
│ 1. ruvector-attn-mincut: gate_spectrogram() │
│ Input: Q=amplitude, K=phase, V=combined │
│ Effect: Suppress multipath noise, keep motion- │
│ relevant subcarrier paths │
│ Output: Gated spectrogram [ant, sub', T] │
├─────────────────────────────────────────────────────┤
│ 2. ruvector-mincut: mincut_subcarrier_partition() │
│ Input: Subcarrier coherence graph │
│ Effect: Partition into sensitive (motion- │
│ responsive) vs insensitive (static) │
│ Output: Partition mask + per-subcarrier weights │
├─────────────────────────────────────────────────────┤
│ 3. ruvector-attention: attention_weighted_bvp() │
│ Input: Gated spectrogram + partition weights │
│ Effect: Compute body velocity profile with │
│ sensitivity-weighted attention │
│ Output: BVP feature vector [D_bvp] │
├─────────────────────────────────────────────────────┤
│ 4. ruvector-solver: solve_fresnel_geometry() │
│ Input: Amplitude + known TX/RX positions │
│ Effect: Estimate TX-body-RX ellipsoid distances │
│ Output: Fresnel geometry features [D_fresnel] │
├─────────────────────────────────────────────────────┤
│ 5. ruvector-temporal-tensor: compress + buffer │
│ Input: Temporal CSI window (100 frames) │
│ Effect: Tiered quantization (hot/warm/cold) │
│ Output: Compressed tensor, 50-75% memory saving │
└─────────────────────────────────────────────────────┘
Feature tensor [B, T*tx*rx, sub] (preprocessed, noise-suppressed)
```
### Stage 2: Neural Network Architecture
The neural network follows the CMU teacher-student architecture with RuVector enhancements at three critical points.
#### 2a. ModalityTranslator (CSI → Visual Feature Space)
```
CSI features [B, T*tx*rx, sub]
├──amplitude──┐
│ ├─► Encoder (Conv1D stack, 64→128→256)
└──phase──────┘ │
┌──────────────────────────────┐
│ ruvector-graph-transformer │
│ │
│ Treat antenna-pair×time as │
│ graph nodes. Edges connect │
│ spatially adjacent antenna │
│ pairs and temporally │
│ adjacent frames. │
│ │
│ Proof-gated attention: │
│ Each layer verifies that │
│ attention weights satisfy │
│ physical constraints │
│ (Fresnel ellipsoid bounds) │
└──────────────────────────────┘
Decoder (ConvTranspose2d stack, 256→128→64→3)
Visual features [B, 3, 48, 48]
```
**RuVector enhancement**: Replace standard multi-head self-attention in the bottleneck with `ruvector-graph-transformer`. The graph structure encodes the physical antenna topology — nodes that are closer in space (adjacent ESP32 nodes in the mesh) or time (consecutive frames) have stronger edge weights. This injects domain-specific inductive bias that standard attention lacks.
#### 2b. GNN Body Graph Reasoning
```
Visual features [B, 3, 48, 48]
ResNet18 backbone → feature maps [B, 256, 12, 12]
┌─────────────────────────────────────────┐
│ ruvector-gnn: Body Graph Network │
│ │
│ 17 COCO keypoints as graph nodes │
│ Edges: anatomical connections │
│ (shoulder→elbow, hip→knee, etc.) │
│ │
│ GNN message passing (3 rounds): │
│ h_i^{l+1} = σ(W·h_i^l + Σ_j α_ij·h_j)│
α_ij = attention(h_i, h_j, edge_ij) │
│ │
│ Enforces anatomical constraints: │
│ - Limb length ratios │
│ - Joint angle limits │
│ - Left-right symmetry priors │
└─────────────────────────────────────────┘
├──────────────────┬──────────────────┐
▼ ▼ ▼
KeypointHead DensePoseHead ConfidenceHead
[B,17,H,W] [B,25+48,H,W] [B,1]
heatmaps parts + UV quality score
```
**RuVector enhancement**: `ruvector-gnn` replaces the flat spatial decoder with a graph neural network that operates on the human body graph. WiFi CSI is inherently noisy — GNN message passing between anatomically connected joints enforces that predicted keypoints maintain plausible body structure even when individual joint predictions are uncertain.
#### 2c. Sparse Inference for Edge Deployment
```
Trained model weights (full precision)
┌─────────────────────────────────────────────┐
│ ruvector-sparse-inference │
│ │
│ PowerInfer-style activation sparsity: │
│ - Profile neuron activation frequency │
│ - Partition into hot (always active, 20%) │
│ and cold (conditionally active, 80%) │
│ - Hot neurons: GPU/SIMD fast path │
│ - Cold neurons: sparse lookup on demand │
│ │
│ Quantization: │
│ - Backbone: INT8 (4x memory reduction) │
│ - DensePose head: FP16 (2x reduction) │
│ - ModalityTranslator: FP16 │
│ │
│ Target: <50ms inference on ESP32-S3 │
│ <10ms on x86 with AVX2 │
└─────────────────────────────────────────────┘
```
### Stage 3: Training Pipeline
#### 3a. Dataset Loading and Preprocessing
Primary dataset: **MM-Fi** (NeurIPS 2023) — 40 subjects, 27 actions, 114 subcarriers, 3 RX antennas, 17 COCO keypoints + DensePose UV annotations.
Secondary dataset: **Wi-Pose** — 12 subjects, 12 actions, 30 subcarriers, 3×3 antenna array, 18 keypoints.
```
┌──────────────────────────────────────────────────────────┐
│ Data Loading Pipeline │
│ │
│ MM-Fi .npy ──► Resample 114→56 subcarriers ──┐ │
│ (ruvector-solver NeumannSolver) │ │
│ ├──► Batch│
│ Wi-Pose .mat ──► Zero-pad 30→56 subcarriers ──┘ [B,T*│
│ ant, │
│ Phase sanitize ──► Hampel filter ──► unwrap sub] │
│ (wifi-densepose-signal::phase_sanitizer) │
│ │
│ Temporal buffer ──► ruvector-temporal-tensor │
│ (100 frames/sample, tiered quantization) │
└──────────────────────────────────────────────────────────┘
```
#### 3b. Teacher-Student DensePose Labels
For samples with 3D keypoints but no DensePose UV maps:
1. Run Detectron2 DensePose R-CNN on paired RGB frames (one-time preprocessing step on GPU workstation)
2. Generate `(part_labels [H,W], u_coords [H,W], v_coords [H,W])` pseudo-labels
3. Cache as `.npy` alongside original data
4. Teacher model is discarded after label generation — inference uses WiFi only
#### 3c. Loss Function
```rust
L_total = λ_kp · L_keypoint // MSE on predicted vs GT heatmaps
+ λ_part · L_part // Cross-entropy on 25-class body part segmentation
+ λ_uv · L_uv // Smooth L1 on UV coordinate regression
+ λ_xfer · L_transfer // MSE between CSI features and teacher visual features
+ λ_ot · L_ot // Optimal transport regularization (ruvector-math)
+ λ_graph · L_graph // GNN edge consistency loss (ruvector-gnn)
```
**RuVector enhancement**: `ruvector-math` provides optimal transport (Wasserstein distance) as a regularization term. This penalizes predicted body part distributions that are far from the ground truth in the Wasserstein metric, which is more geometrically meaningful than pixel-wise cross-entropy for spatial body part segmentation.
#### 3d. Training Configuration
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| Optimizer | AdamW | Weight decay regularization |
| Learning rate | 1e-3, cosine decay to 1e-5 | Standard for modality translation |
| Batch size | 32 | Fits in 24GB GPU VRAM |
| Epochs | 100 | With early stopping (patience=15) |
| Warmup | 5 epochs | Linear LR warmup |
| Train/val split | Subjects 1-32 / 33-40 | Subject-disjoint for generalization |
| Augmentation | Time-shift ±5 frames, amplitude noise ±2dB, antenna dropout 10% | CSI-domain augmentations |
| Hardware | Single RTX 3090 or A100 | ~8 hours on A100 |
| Checkpoint | Every epoch, keep best-by-validation-PCK | Deterministic seed |
#### 3e. Metrics
| Metric | Target | Description |
|--------|--------|-------------|
| PCK@0.2 | >70% on MM-Fi val | Percentage of correct keypoints (threshold = 0.2 × torso diameter) |
| OKS mAP | >0.50 on MM-Fi val | Object Keypoint Similarity, COCO-standard |
| DensePose GPS | >0.30 on MM-Fi val | Geodesic Point Similarity for UV accuracy |
| Inference latency | <50ms per frame | On x86 with ONNX Runtime |
| Model size | <25MB (FP16) | Suitable for edge deployment |
### Stage 4: Online Adaptation with SONA
After offline training produces a base model, SONA enables continuous adaptation to new environments without retraining from scratch.
```
┌──────────────────────────────────────────────────────────┐
│ SONA Online Adaptation Loop │
│ │
│ Base model (frozen weights W) │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────┐ │
│ │ LoRA Adaptation Matrices │ │
│ │ W_effective = W + α · A·B │ │
│ │ │ │
│ │ Rank r=4 for translator layers │ │
│ │ Rank r=2 for backbone layers │ │
│ │ Rank r=8 for DensePose head │ │
│ │ │ │
│ │ Total trainable params: ~50K │ │
│ │ (vs ~5M frozen base) │ │
│ └──────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────┐ │
│ │ EWC++ Regularizer │ │
│ │ L = L_task + λ·Σ F_i(θ-θ*)² │ │
│ │ │ │
│ │ Prevents forgetting base model │ │
│ │ knowledge when adapting to new │ │
│ │ environment │ │
│ └──────────────────────────────────┘ │
│ │ │
│ ▼ │
│ Adaptation triggers: │
│ • First deployment in new room │
│ • PCK drops below threshold (drift detection) │
│ • User manually initiates calibration │
│ • Furniture/layout change detected (CSI baseline shift) │
│ │
│ Adaptation data: │
│ • Self-supervised: temporal consistency loss │
│ (pose at t should be similar to t-1 for slow motion) │
│ • Semi-supervised: user confirmation of presence/count │
│ • Optional: brief camera calibration session (5 min) │
│ │
│ Convergence: 10-50 gradient steps, <5 seconds on CPU │
└──────────────────────────────────────────────────────────┘
```
### Stage 5: Inference Pipeline (Production)
```
ESP32 CSI (UDP :5005)
Rust Axum server (port 8080)
├─► RuVector signal preprocessing (Stage 1)
│ 5 crates, ~2ms per frame
├─► ONNX Runtime inference (Stage 2)
│ Quantized model, ~10ms per frame
│ OR ruvector-sparse-inference, ~8ms per frame
├─► GNN post-processing (ruvector-gnn)
│ Anatomical constraint enforcement, ~1ms
├─► SONA adaptation check (Stage 4)
│ <0.05ms per frame (gradient accumulation only)
└─► Output: DensePose results
├──► /api/v1/stream/pose (WebSocket, 17 keypoints)
├──► /api/v1/pose/current (REST, full DensePose)
└──► /ws/sensing (WebSocket, raw + processed)
```
Total inference budget: **<15ms per frame** at 20 Hz on x86, **<50ms** on ESP32-S3 (with sparse inference).
### Stage 6: RVF Model Container Format
The trained model is packaged as a single `.rvf` file that contains everything needed for
inference — no external weight files, no ONNX runtime, no Python dependencies.
#### RVF DensePose Container Layout
```
wifi-densepose-v1.rvf (single file, ~15-30 MB)
┌───────────────────────────────────────────────────────────────┐
│ SEGMENT 0: Manifest (0x05) │
│ ├── Model ID: "wifi-densepose-v1.0" │
│ ├── Training dataset: "mmfi-v1+wipose-v1" │
│ ├── Training config hash: SHA-256 │
│ ├── Target hardware: x86_64, aarch64, wasm32 │
│ ├── Segment directory (offsets to all segments) │
│ └── Level-1 TLV manifest with metadata tags │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 1: Vec (0x01) — Model Weight Embeddings │
│ ├── ModalityTranslator weights [64→128→256→3, Conv1D+ConvT] │
│ ├── ResNet18 backbone weights [3→64→128→256, residual blocks] │
│ ├── KeypointHead weights [256→17, deconv layers] │
│ ├── DensePoseHead weights [256→25+48, deconv layers] │
│ ├── GNN body graph weights [3 message-passing rounds] │
│ └── Graph transformer attention weights [proof-gated layers] │
│ Format: flat f32 vectors, 768-dim per weight tensor │
│ Total: ~5M parameters → ~20MB f32, ~10MB f16, ~5MB INT8 │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 2: Index (0x02) — HNSW Embedding Index │
│ ├── Layer A: Entry points + coarse routing centroids │
│ │ (loaded first, <5ms, enables approximate search) │
│ ├── Layer B: Hot region adjacency for frequently │
│ │ accessed weight clusters (100ms load) │
│ └── Layer C: Full adjacency graph for exact nearest │
│ neighbor lookup across all weight partitions │
│ Use: Fast weight lookup for sparse inference — │
│ only load hot neurons, skip cold neurons via HNSW routing │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 3: Overlay (0x03) — Dynamic Min-Cut Graph │
│ ├── Subcarrier partition graph (sensitive vs insensitive) │
│ ├── Min-cut witnesses from ruvector-mincut │
│ ├── Antenna topology graph (ESP32 mesh spatial layout) │
│ └── Body skeleton graph (17 COCO joints, 16 edges) │
│ Use: Pre-computed graph structures loaded at init time. │
│ Dynamic updates via ruvector-mincut insert/delete_edge │
│ as environment changes (furniture moves, new obstacles) │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 4: Quant (0x06) — Quantization Codebooks │
│ ├── INT8 codebook for backbone (4x memory reduction) │
│ ├── FP16 scale factors for translator + heads │
│ ├── Binary quantization tables for SIMD distance compute │
│ └── Per-layer calibration statistics (min, max, zero-point) │
│ Use: rvf-quant temperature-tiered quantization — │
│ hot layers stay f16, warm layers u8, cold layers binary │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 5: Witness (0x0A) — Training Proof Chain │
│ ├── Deterministic training proof (seed, loss curve, hash) │
│ ├── Dataset provenance (MM-Fi commit hash, download URL) │
│ ├── Validation metrics (PCK@0.2, OKS mAP, GPS scores) │
│ ├── Ed25519 signature over weight hash │
│ └── Attestation: training hardware, duration, config │
│ Use: Verifiable proof that model weights match a specific │
│ training run. Anyone can re-run training with same seed │
│ and verify the weight hash matches the witness. │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 6: Meta (0x07) — Model Metadata │
│ ├── COCO keypoint names and skeleton connectivity │
│ ├── DensePose body part labels (24 parts + background) │
│ ├── UV coordinate range and resolution │
│ ├── Input normalization statistics (mean, std per subcarrier)│
│ ├── RuVector crate versions used during training │
│ └── Environment calibration profiles (named, per-room) │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 7: AggregateWeights (0x36) — SONA LoRA Deltas │
│ ├── Per-environment LoRA adaptation matrices (A, B per layer)│
│ ├── EWC++ Fisher information diagonal │
│ ├── Optimal θ* reference parameters │
│ ├── Adaptation round count and convergence metrics │
│ └── Named profiles: "lab-a", "living-room", "office-3f" │
│ Use: Multiple environment adaptations stored in one file. │
│ Server loads the matching profile or creates a new one. │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 8: Profile (0x0B) — RVDNA Domain Profile │
│ ├── Domain: "wifi-csi-densepose" │
│ ├── Input spec: [B, T*ant, sub] CSI tensor format │
│ ├── Output spec: keypoints [B,17,H,W], parts [B,25,H,W], │
│ │ UV [B,48,H,W], confidence [B,1] │
│ ├── Hardware requirements: min RAM, recommended GPU │
│ └── Supported data sources: esp32, wifi-rssi, simulation │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 9: Crypto (0x0C) — Signature and Keys │
│ ├── Ed25519 public key for model publisher │
│ ├── Signature over all segment content hashes │
│ └── Certificate chain (optional, for enterprise deployment) │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 10: Wasm (0x10) — Self-Bootstrapping Runtime │
│ ├── Compiled WASM inference engine │
│ │ (ruvector-sparse-inference-wasm) │
│ ├── WASM microkernel for RVF segment parsing │
│ └── Browser-compatible: load .rvf → run inference in-browser │
│ Use: The .rvf file is fully self-contained — a WASM host │
│ can execute inference without any external dependencies. │
├───────────────────────────────────────────────────────────────┤
│ SEGMENT 11: Dashboard (0x11) — Embedded Visualization │
│ ├── Three.js-based pose visualization (HTML/JS/CSS) │
│ ├── Gaussian splat renderer for signal field │
│ └── Served at http://localhost:8080/ when model is loaded │
│ Use: Open the .rvf file → get a working UI with no install │
└───────────────────────────────────────────────────────────────┘
```
#### RVF Loading Sequence
```
1. Read tail → find_latest_manifest() → SegmentDirectory
2. Load Manifest (seg 0) → validate magic, version, model ID
3. Load Profile (seg 8) → verify input/output spec compatibility
4. Load Crypto (seg 9) → verify Ed25519 signature chain
5. Load Quant (seg 4) → prepare quantization codebooks
6. Load Index Layer A (seg 2) → entry points ready (<5ms)
↓ (inference available at reduced accuracy)
7. Load Vec (seg 1) → hot weight partitions via Layer A routing
8. Load Index Layer B (seg 2) → hot adjacency ready (100ms)
↓ (inference at full accuracy for common poses)
9. Load Overlay (seg 3) → min-cut graphs, body skeleton
10. Load AggregateWeights (seg 7) → apply matching SONA profile
11. Load Index Layer C (seg 2) → complete graph loaded
↓ (full inference with all weight partitions)
12. Load Wasm (seg 10) → WASM runtime available (optional)
13. Load Dashboard (seg 11) → UI served (optional)
```
**Progressive availability**: Inference begins after step 6 (~5ms) with approximate
results. Full accuracy is reached by step 9 (~500ms). This enables instant startup
with gradually improving quality — critical for real-time applications.
#### RVF Build Pipeline
After training completes, the model is packaged into an `.rvf` file:
```bash
# Build the RVF container from trained checkpoint
cargo run -p wifi-densepose-train --bin build-rvf -- \
--checkpoint checkpoints/best-pck.pt \
--quantize int8,fp16 \
--hnsw-build \
--sign --key model-signing-key.pem \
--include-wasm \
--include-dashboard ../../ui \
--output wifi-densepose-v1.rvf
# Verify the built container
cargo run -p wifi-densepose-train --bin verify-rvf -- \
--input wifi-densepose-v1.rvf \
--verify-signature \
--verify-witness \
--benchmark-inference
```
#### RVF Runtime Integration
The sensing server loads the `.rvf` container at startup:
```bash
# Load model from RVF container
./target/release/sensing-server \
--model wifi-densepose-v1.rvf \
--source auto \
--ui-from-rvf # serve Dashboard segment instead of --ui-path
```
```rust
// In sensing-server/src/main.rs
use rvf_runtime::RvfContainer;
use rvf_index::layers::IndexLayer;
use rvf_quant::QuantizedVec;
let container = RvfContainer::open("wifi-densepose-v1.rvf")?;
// Progressive load: Layer A first for instant startup
let index = container.load_index(IndexLayer::A)?;
let weights = container.load_vec_hot(&index)?; // hot partitions only
// Full load in background
tokio::spawn(async move {
container.load_index(IndexLayer::B).await?;
container.load_index(IndexLayer::C).await?;
container.load_vec_cold().await?; // remaining partitions
});
// SONA environment adaptation
let sona_deltas = container.load_aggregate_weights("office-3f")?;
model.apply_lora_deltas(&sona_deltas);
// Serve embedded dashboard
let dashboard = container.load_dashboard()?;
// Mount at /ui/* routes in Axum
```
## Implementation Plan
### Phase 1: Dataset Loaders (2 weeks)
- Implement `MmFiDataset` in `wifi-densepose-train/src/dataset.rs`
- Read MM-Fi `.npy` files with antenna correction (1TX/3RX → 3×3 zero-padding)
- Subcarrier resampling 114→56 via `ruvector-solver::NeumannSolver`
- Phase sanitization via `wifi-densepose-signal::phase_sanitizer`
- Implement `WiPoseDataset` for secondary dataset
- Temporal windowing with `ruvector-temporal-tensor`
- **Deliverable**: `cargo test -p wifi-densepose-train` with dataset loading tests
### Phase 2: Graph Transformer Integration (2 weeks)
- Add `ruvector-graph-transformer` dependency to `wifi-densepose-train`
- Replace bottleneck self-attention in `ModalityTranslator` with proof-gated graph transformer
- Build antenna topology graph (nodes = antenna pairs, edges = spatial/temporal proximity)
- Add `ruvector-gnn` dependency for body graph reasoning
- Build COCO body skeleton graph (17 nodes, 16 anatomical edges)
- Implement GNN message passing in spatial decoder
- **Deliverable**: Model forward pass produces correct output shapes with graph layers
### Phase 3: Teacher-Student Label Generation (1 week)
- Python script using Detectron2 DensePose to generate UV pseudo-labels from MM-Fi RGB frames
- Cache labels as `.npy` for Rust loader consumption
- Validate label quality on a random subset (visual inspection)
- **Deliverable**: Complete UV label set for MM-Fi training split
### Phase 4: Training Loop (3 weeks)
- Implement `WiFiDensePoseTrainer` with full loss function (6 terms)
- Add `ruvector-math` optimal transport loss term
- Integrate GNN edge consistency loss
- Training loop with cosine LR schedule, early stopping, checkpointing
- Validation metrics: PCK@0.2, OKS mAP, DensePose GPS
- Deterministic proof verification (`proof.rs`) with weight hash
- **Deliverable**: Trained model checkpoint achieving PCK@0.2 >70% on MM-Fi validation
### Phase 5: SONA Online Adaptation (2 weeks)
- Integrate `ruvector-sona` into inference pipeline
- Implement LoRA injection at translator, backbone, and DensePose head layers
- Implement EWC++ Fisher information computation and regularization
- Self-supervised temporal consistency loss for unsupervised adaptation
- Calibration mode: 5-minute camera session for supervised fine-tuning
- Drift detection: monitor rolling PCK on temporal consistency proxy
- **Deliverable**: Adaptation converges in <50 gradient steps, PCK recovers within 10% of base
### Phase 6: Sparse Inference and Edge Deployment (2 weeks)
- Profile neuron activation frequencies on validation set
- Apply `ruvector-sparse-inference` hot/cold neuron partitioning
- INT8 quantization for backbone, FP16 for heads
- ONNX export with quantized weights
- Benchmark on x86 (target: <10ms) and ARM (target: <50ms)
- WASM export via `ruvector-sparse-inference-wasm` for browser inference
- **Deliverable**: Quantized ONNX model, benchmark results, WASM binary
### Phase 7: RVF Container Build Pipeline (2 weeks)
- Implement `build-rvf` binary in `wifi-densepose-train`
- Serialize trained weights into `Vec` segment (SegmentType::Vec, 0x01)
- Build HNSW index over weight partitions for sparse inference (SegmentType::Index, 0x02)
- Serialize min-cut graph overlays: subcarrier partition, antenna topology, body skeleton (SegmentType::Overlay, 0x03)
- Generate quantization codebooks via `rvf-quant` (SegmentType::Quant, 0x06)
- Write training proof witness with Ed25519 signature (SegmentType::Witness, 0x0A)
- Store model metadata, COCO keypoint schema, normalization stats (SegmentType::Meta, 0x07)
- Store SONA LoRA adaptation deltas per environment (SegmentType::AggregateWeights, 0x36)
- Write RVDNA domain profile for WiFi CSI DensePose (SegmentType::Profile, 0x0B)
- Optionally embed WASM inference runtime (SegmentType::Wasm, 0x10)
- Optionally embed Three.js dashboard (SegmentType::Dashboard, 0x11)
- Build Level-1 manifest and segment directory (SegmentType::Manifest, 0x05)
- Implement `verify-rvf` binary for container validation
- **Deliverable**: `wifi-densepose-v1.rvf` single-file container, verifiable and self-contained
### Phase 8: Integration with Sensing Server (1 week)
- Load `.rvf` container in `wifi-densepose-sensing-server` via `rvf-runtime`
- Progressive loading: Layer A first for instant startup, full graph in background
- Replace `derive_pose_from_sensing()` heuristic with trained model inference
- Add `--model` CLI flag accepting `.rvf` path (or legacy `.onnx`)
- Apply SONA LoRA deltas from `AggregateWeights` segment based on `--env` flag
- Serve embedded Dashboard segment at `/ui/*` when `--ui-from-rvf` is set
- Graceful fallback to heuristic when no model file present
- Update WebSocket protocol to include DensePose UV data
- **Deliverable**: Sensing server serves trained model from single `.rvf` file
## File Changes
### New Files
| File | Purpose |
|------|---------|
| `v2/.../wifi-densepose-train/src/dataset_mmfi.rs` | MM-Fi dataset loader with subcarrier resampling |
| `v2/.../wifi-densepose-train/src/dataset_wipose.rs` | Wi-Pose dataset loader |
| `v2/.../wifi-densepose-train/src/graph_transformer.rs` | Graph transformer integration |
| `v2/.../wifi-densepose-train/src/body_gnn.rs` | GNN body graph reasoning |
| `v2/.../wifi-densepose-train/src/adaptation.rs` | SONA LoRA + EWC++ adaptation |
| `v2/.../wifi-densepose-train/src/trainer.rs` | Training loop with multi-term loss |
| `scripts/generate_densepose_labels.py` | Teacher-student UV label generation |
| `scripts/benchmark_inference.py` | Inference latency benchmarking |
| `v2/.../wifi-densepose-train/src/rvf_builder.rs` | RVF container build pipeline |
| `v2/.../wifi-densepose-train/src/bin/build_rvf.rs` | CLI binary for building `.rvf` containers |
| `v2/.../wifi-densepose-train/src/bin/verify_rvf.rs` | CLI binary for verifying `.rvf` containers |
### Modified Files
| File | Change |
|------|--------|
| `v2/.../wifi-densepose-train/Cargo.toml` | Add ruvector-gnn, graph-transformer, sona, sparse-inference, math, rvf-types, rvf-wire, rvf-manifest, rvf-index, rvf-quant, rvf-crypto, rvf-runtime deps |
| `v2/.../wifi-densepose-train/src/model.rs` | Integrate graph transformer + GNN layers |
| `v2/.../wifi-densepose-train/src/losses.rs` | Add optimal transport + GNN edge consistency loss terms |
| `v2/.../wifi-densepose-train/src/config.rs` | Add training hyperparameters for new components |
| `v2/.../sensing-server/Cargo.toml` | Add rvf-runtime, rvf-types, rvf-index, rvf-quant deps |
| `v2/.../sensing-server/src/main.rs` | Add `--model` flag, load `.rvf` container, progressive startup, serve embedded dashboard |
## Consequences
### Positive
- **Trained model produces accurate DensePose**: Moves from heuristic keypoints to learned body surface estimation backed by public dataset evaluation
- **RuVector signal intelligence is a differentiator**: Graph transformers on antenna topology and GNN body reasoning are novel — no prior WiFi pose system uses these techniques
- **SONA enables zero-shot deployment**: New environments don't require full retraining — LoRA adaptation with <50 gradient steps converges in seconds
- **Sparse inference enables edge deployment**: PowerInfer-style neuron partitioning brings DensePose inference to ESP32-class hardware
- **Graceful degradation**: Server falls back to heuristic pose when no model file is present — existing functionality is preserved
- **Single-file deployment via RVF**: Trained model, embeddings, HNSW index, quantization codebooks, SONA adaptation profiles, WASM runtime, and dashboard UI packaged in one `.rvf` file — deploy by copying a single file
- **Progressive loading**: RVF Layer A loads in <5ms for instant startup; full accuracy reached in ~500ms as remaining segments load
- **Verifiable provenance**: RVF Witness segment contains deterministic training proof with Ed25519 signature — anyone can re-run training and verify weight hash
- **Self-bootstrapping**: RVF Wasm segment enables browser-based inference with no server-side dependencies
- **Open evaluation**: PCK, OKS, GPS metrics on public MM-Fi dataset provide reproducible, comparable results
### Negative
- **Training requires GPU**: Initial model training needs RTX 3090 or better (~8 hours on A100). Not all developers will have access.
- **Teacher-student label generation requires Detectron2**: One-time Python + CUDA dependency for generating UV pseudo-labels from RGB frames
- **MM-Fi CC BY-NC license**: Weights trained on MM-Fi cannot be used commercially without collecting proprietary data
- **Environment-specific adaptation still required**: SONA reduces the burden but a brief calibration session in each new environment is still recommended for best accuracy
- **6 additional RuVector crate dependencies**: Increases compile time and binary size. Mitigated by feature flags (e.g., `--features trained-model`).
- **Model size on disk**: ~25MB (FP16) or ~12MB (INT8). Acceptable for server deployment, may need further pruning for WASM.
### Risks and Mitigations
| Risk | Mitigation |
|------|------------|
| MM-Fi 114→56 interpolation loses accuracy | Train at native 114 as alternative; ESP32 mesh can collect 56-sub data natively |
| GNN overfits to training body types | Augment with diverse body proportions; Wi-Pose adds subject diversity |
| SONA adaptation diverges in adversarial environments | EWC++ regularization caps parameter drift; rollback to base weights on detection |
| Sparse inference degrades accuracy | Benchmark INT8 vs FP16 vs FP32; fall back to full precision if quality drops |
| Training proof hash changes with RuVector version updates | Pin ruvector crate versions in Cargo.toml; regenerate hash on version bumps |
## References
- Geng et al., "DensePose From WiFi" (CMU, arXiv:2301.00250, 2023)
- Yang et al., "MM-Fi: Multi-Modal Non-Intrusive 4D Human Dataset" (NeurIPS 2023, arXiv:2305.10345)
- Hu et al., "LoRA: Low-Rank Adaptation of Large Language Models" (ICLR 2022)
- Kirkpatrick et al., "Overcoming Catastrophic Forgetting in Neural Networks" (PNAS, 2017)
- Song et al., "PowerInfer: Fast Large Language Model Serving with a Consumer-grade GPU" (2024)
- ADR-005: SONA Self-Learning for Pose Estimation
- ADR-015: Public Dataset Strategy for Trained Pose Estimation Model
- ADR-016: RuVector Integration for Training Pipeline
- ADR-020: Migrate AI/Model Inference to Rust with RuVector and ONNX Runtime
## Appendix A: RuQu Consideration
**ruQu** ("Classical nervous system for quantum machines") provides real-time coherence
assessment via dynamic min-cut. While primarily designed for quantum error correction
(syndrome decoding, surface code arbitration), its core primitive — the `CoherenceGate`
is architecturally relevant to WiFi CSI processing:
- **CoherenceGate** uses `ruvector-mincut` to make real-time gate/pass decisions on
signal streams based on structural coherence thresholds. In quantum computing, this
gates qubit syndrome streams. For WiFi CSI, the same mechanism could gate CSI
subcarrier streams — passing only subcarriers whose coherence (phase stability across
antennas) exceeds a dynamic threshold.
- **Syndrome filtering** (`filters.rs`) implements Kalman-like adaptive filters that
could be repurposed for CSI noise filtering — treating each subcarrier's amplitude
drift as a "syndrome" stream.
- **Min-cut gated transformer** integration (optional feature) provides coherence-optimized
attention with 50% FLOP reduction — directly applicable to the `ModalityTranslator`
bottleneck.
**Decision**: ruQu is not included in the initial pipeline (Phase 1-8) but is marked as a
**Phase 9 exploration** candidate for coherence-gated CSI filtering. The CoherenceGate
primitive maps naturally to subcarrier quality assessment, and the integration path is
clean since ruQu already depends on `ruvector-mincut`.
## Appendix B: Training Data Strategy
The pipeline supports three data sources for training, used in combination:
| Source | Subcarriers | Pose Labels | Volume | Cost | When |
|--------|-------------|-------------|--------|------|------|
| **MM-Fi** (public) | 114 → 56 (interpolated) | 17 COCO + DensePose UV | 40 subjects, 320K frames | Free (CC BY-NC) | Phase 1 — bootstrap |
| **Wi-Pose** (public) | 30 → 56 (zero-padded) | 18 keypoints | 12 subjects, 166K packets | Free (research) | Phase 1 — diversity |
| **ESP32 self-collected** | 56 (native) | Teacher-student from camera | Unlimited, environment-specific | Hardware only ($54) | Phase 4+ — fine-tuning |
**Recommended approach: Both public + ESP32 data.**
1. **Pre-train on MM-Fi + Wi-Pose** (public data, Phase 1-4): Provides the base model
with diverse subjects and actions. The 114→56 subcarrier interpolation is acceptable
for learning general CSI-to-pose mappings.
2. **Fine-tune on ESP32 self-collected data** (Phase 5+, SONA adaptation): Collect
5-30 minutes of paired ESP32 CSI + camera data in each target environment. The camera
serves as the teacher model (Detectron2 generates pseudo-labels). SONA LoRA adaptation
takes <50 gradient steps to converge.
3. **Continuous adaptation** (runtime): SONA's self-supervised temporal consistency loss
refines the model without any camera, using the assumption that poses change smoothly
over short time windows.
This three-tier strategy gives you:
- A working model from day one (public data)
- Environment-specific accuracy (ESP32 fine-tuning)
- Ongoing drift correction (SONA runtime adaptation)
api-docs/adr/ADR-024-contrastive-csi-embedding-model.md
+1024
View File
File diff suppressed because it is too large Load Diff
api-docs/adr/ADR-025-macos-corewlan-wifi-sensing.md
+315
View File
@@ -0,0 +1,315 @@
# ADR-025: macOS CoreWLAN WiFi Sensing via Swift Helper Bridge
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-01 |
| **Deciders** | ruv |
| **Codename** | **ORCA** — OS-native Radio Channel Acquisition |
| **Relates to** | ADR-013 (Feature-Level Sensing Commodity Gear), ADR-022 (Windows WiFi Enhanced Fidelity), ADR-014 (SOTA Signal Processing), ADR-018 (ESP32 Dev Implementation) |
| **Issue** | [#56](https://github.com/ruvnet/wifi-densepose/issues/56) |
| **Build/Test Target** | Mac Mini (M2 Pro, macOS 26.3) |
---
## 1. Context
### 1.1 The Gap: macOS Is a Silent Fallback
The `--source auto` path in `sensing-server` probes for ESP32 UDP, then Windows `netsh`, then falls back to simulated mode. macOS users hit the simulation path silently — there is no macOS WiFi adapter. This is the only major desktop platform without real WiFi sensing support.
### 1.2 Platform Constraints (macOS 26.3+)
| Constraint | Detail |
|------------|--------|
| **`airport` CLI removed** | Apple removed `/System/Library/PrivateFrameworks/.../airport` in macOS 15. No CLI fallback exists. |
| **CoreWLAN is the only path** | `CWWiFiClient` (Swift/ObjC) is the supported API for WiFi scanning. Returns RSSI, channel, SSID, noise, PHY mode, security. |
| **BSSIDs redacted** | macOS privacy policy redacts MAC addresses from `CWNetwork.bssid` unless the app has Location Services + WiFi entitlement. Apps without entitlement see `nil` for BSSID. |
| **No raw CSI** | Apple does not expose CSI or per-subcarrier data. macOS WiFi sensing is RSSI-only, same tier as Windows `netsh`. |
| **Scan rate** | `CWInterface.scanForNetworks()` takes ~2-4 seconds. Effective rate: ~0.3-0.5 Hz without caching. |
| **Permissions** | Location Services prompt required for BSSID access. Without it, SSID + RSSI + channel still available. |
### 1.3 The Opportunity: Multi-AP RSSI Diversity
Same principle as ADR-022 (Windows): visible APs serve as pseudo-subcarriers. A typical indoor environment exposes 10-30+ SSIDs across 2.4 GHz and 5 GHz bands. Each AP's RSSI responds differently to human movement based on geometry, creating spatial diversity.
| Source | Effective Subcarriers | Sample Rate | Capabilities |
|--------|----------------------|-------------|-------------|
| ESP32-S3 (CSI) | 56-192 | 20 Hz | Full: pose, vitals, through-wall |
| Windows `netsh` (ADR-022) | 10-30 BSSIDs | ~2 Hz | Presence, motion, coarse breathing |
| **macOS CoreWLAN (this ADR)** | **10-30 SSIDs** | **~0.3-0.5 Hz** | **Presence, motion** |
The lower scan rate vs Windows is offset by higher signal quality — CoreWLAN returns calibrated dBm (not percentage) plus noise floor, enabling proper SNR computation.
### 1.4 Why Swift Subprocess (Not FFI)
| Approach | Complexity | Maintenance | Build | Verdict |
|----------|-----------|-------------|-------|---------|
| **Swift CLI → JSON → stdout** | Low | Independent binary, versionable | `swiftc` (ships with Xcode CLT) | **Chosen** |
| ObjC FFI via `cc` crate | Medium | Fragile header bindings, ABI churn | Requires Xcode headers | Rejected |
| `objc2` crate (Rust ObjC bridge) | High | CoreWLAN not in upstream `objc2-frameworks` | Requires manual class definitions | Rejected |
| `swift-bridge` crate | High | Young ecosystem, async bridging unsupported | Requires Swift build integration in Cargo | Rejected |
The `Command::new()` + parse JSON pattern is proven — it's exactly what `NetshBssidScanner` does for Windows. The subprocess boundary also isolates Apple framework dependencies from the Rust build graph.
### 1.5 SOTA: Platform-Adaptive WiFi Sensing
Recent work validates multi-platform RSSI-based sensing:
- **WiFind** (2024): Cross-platform WiFi fingerprinting using RSSI vectors from heterogeneous hardware. Demonstrates that normalization across scan APIs (dBm, percentage, raw) is critical for model portability.
- **WiGesture** (2025): RSSI variance-based gesture recognition achieving 89% accuracy on commodity hardware with 15+ APs. Shows that temporal RSSI variance alone carries significant motion information.
- **CrossSense** (2024): Transfer learning from CSI-rich hardware to RSSI-only devices. Pre-trained signal features transfer with 78% effectiveness, validating multi-tier hardware strategy.
---
## 2. Decision
Implement a **macOS CoreWLAN sensing adapter** as a Swift helper binary + Rust adapter pair, following the established `NetshBssidScanner` subprocess pattern from ADR-022. Real RSSI data flows through the existing 8-stage `WindowsWifiPipeline` (which operates on `BssidObservation` structs regardless of platform origin).
### 2.1 Design Principles
1. **Subprocess isolation** — Swift binary is a standalone tool, built and versioned independently of the Rust workspace.
2. **Same domain types** — macOS adapter produces `Vec<BssidObservation>`, identical to the Windows path. All downstream processing reuses as-is.
3. **SSID:channel as synthetic BSSID** — When real BSSIDs are redacted (no Location Services), `sha256(ssid + channel)[:12]` generates a stable pseudo-BSSID. Documented limitation: same-SSID same-channel APs collapse to one observation.
4. **`#[cfg(target_os = "macos")]` gating** — macOS-specific code compiles only on macOS. Windows and Linux builds are unaffected.
5. **Graceful degradation** — If the Swift helper is not found or fails, `--source auto` skips macOS WiFi and falls back to simulated mode with a clear warning.
---
## 3. Architecture
### 3.1 Component Overview
```
┌─────────────────────────────────────────────────────────────────────┐
│ macOS WiFi Sensing Path │
│ │
│ ┌──────────────────────┐ ┌───────────────────────────────────┐│
│ │ Swift Helper Binary │ │ Rust Adapter + Existing Pipeline ││
│ │ (tools/macos-wifi- │ │ ││
│ │ scan/main.swift) │ │ MacosCoreWlanScanner ││
│ │ │ │ │ ││
│ │ CWWiFiClient │JSON │ ▼ ││
│ │ scanForNetworks() ──┼────►│ Vec<BssidObservation> ││
│ │ interface() │ │ │ ││
│ │ │ │ ▼ ││
│ │ Outputs: │ │ BssidRegistry ││
│ │ - ssid │ │ │ ││
│ │ - rssi (dBm) │ │ ▼ ││
│ │ - noise (dBm) │ │ WindowsWifiPipeline (reused) ││
│ │ - channel │ │ [8-stage signal intelligence] ││
│ │ - band (2.4/5/6) │ │ │ ││
│ │ - phy_mode │ │ ▼ ││
│ │ - bssid (if avail) │ │ SensingUpdate → REST/WS ││
│ └──────────────────────┘ └───────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────────┘
```
### 3.2 Swift Helper Binary
**File:** `v2/tools/macos-wifi-scan/main.swift`
```swift
// Modes:
// (no args) Full scan, output JSON array to stdout
// --probe Quick availability check, output {"available": true/false}
// --connected Connected network info only
//
// Output schema (scan mode):
// [
// {
// "ssid": "MyNetwork",
// "rssi": -52,
// "noise": -90,
// "channel": 36,
// "band": "5GHz",
// "phy_mode": "802.11ax",
// "bssid": "aa:bb:cc:dd:ee:ff" | null,
// "security": "wpa2_personal"
// }
// ]
```
**Build:**
```bash
# Requires Xcode Command Line Tools (xcode-select --install)
cd tools/macos-wifi-scan
swiftc -framework CoreWLAN -framework Foundation -O -o macos-wifi-scan main.swift
```
**Build script:** `tools/macos-wifi-scan/build.sh`
### 3.3 Rust Adapter
**File:** `crates/wifi-densepose-wifiscan/src/adapter/macos_scanner.rs`
```rust
// #[cfg(target_os = "macos")]
pub struct MacosCoreWlanScanner {
helper_path: PathBuf, // Resolved at construction: $PATH or sibling of server binary
}
impl MacosCoreWlanScanner {
pub fn new() -> Result<Self, WifiScanError> // Finds helper or errors
pub fn probe() -> bool // Runs --probe, returns availability
pub fn scan_sync(&self) -> Result<Vec<BssidObservation>, WifiScanError>
pub fn connected_sync(&self) -> Result<Option<BssidObservation>, WifiScanError>
}
```
**Key mappings:**
| CoreWLAN field | → | BssidObservation field | Transform |
|----------------|---|----------------------|-----------|
| `rssi` (dBm) | → | `signal_dbm` | Direct (CoreWLAN gives calibrated dBm) |
| `rssi` (dBm) | → | `amplitude` | `rssi_to_amplitude()` (existing) |
| `noise` (dBm) | → | `snr` | `rssi - noise` (new field, macOS advantage) |
| `channel` | → | `channel` | Direct |
| `band` | → | `band` | `BandType::from_channel()` (existing) |
| `phy_mode` | → | `radio_type` | Map string → `RadioType` enum |
| `bssid` | → | `bssid_id` | Direct if available, else `sha256(ssid:channel)[:12]` |
| `ssid` | → | `ssid` | Direct |
### 3.4 Sensing Server Integration
**File:** `crates/wifi-densepose-sensing-server/src/main.rs`
| Function | Purpose |
|----------|---------|
| `probe_macos_wifi()` | Calls `MacosCoreWlanScanner::probe()`, returns bool |
| `macos_wifi_task()` | Async loop: scan → build `BssidObservation` vec → feed into `BssidRegistry` + `WindowsWifiPipeline` → emit `SensingUpdate`. Same structure as `windows_wifi_task()`. |
**Auto-detection order (updated):**
```
1. ESP32 UDP probe (port 5005) → --source esp32
2. Windows netsh probe → --source wifi (Windows)
3. macOS CoreWLAN probe [NEW] → --source wifi (macOS)
4. Simulated fallback → --source simulated
```
### 3.5 Pipeline Reuse
The existing 8-stage `WindowsWifiPipeline` (ADR-022) operates entirely on `BssidObservation` / `MultiApFrame` types:
| Stage | Reusable? | Notes |
|-------|-----------|-------|
| 1. Predictive Gating | Yes | Filters static APs by temporal variance |
| 2. Attention Weighting | Yes | Weights APs by motion sensitivity |
| 3. Spatial Correlation | Yes | Cross-AP signal correlation |
| 4. Motion Estimation | Yes | RSSI variance → motion level |
| 5. Breathing Extraction | **Marginal** | 0.3 Hz scan rate is below Nyquist for breathing (0.1-0.5 Hz). May detect very slow breathing only. |
| 6. Quality Gating | Yes | Rejects low-confidence estimates |
| 7. Fingerprint Matching | Yes | Location/posture classification |
| 8. Orchestration | Yes | Fuses all stages |
**Limitation:** CoreWLAN scan rate (~0.3-0.5 Hz) is significantly slower than `netsh` (~2 Hz). Breathing extraction (stage 5) will have reduced accuracy. Motion and presence detection remain effective since they depend on variance over longer windows.
---
## 4. Files
### 4.1 New Files
| File | Purpose | Lines (est.) |
|------|---------|-------------|
| `tools/macos-wifi-scan/main.swift` | CoreWLAN scanner, JSON output | ~120 |
| `tools/macos-wifi-scan/build.sh` | Build script (`swiftc` invocation) | ~15 |
| `crates/wifi-densepose-wifiscan/src/adapter/macos_scanner.rs` | Rust adapter: spawn helper, parse JSON, produce `BssidObservation` | ~200 |
### 4.2 Modified Files
| File | Change |
|------|--------|
| `crates/wifi-densepose-wifiscan/src/adapter/mod.rs` | Add `#[cfg(target_os = "macos")] pub mod macos_scanner;` + re-export |
| `crates/wifi-densepose-wifiscan/src/lib.rs` | Add `MacosCoreWlanScanner` re-export |
| `crates/wifi-densepose-sensing-server/src/main.rs` | Add `probe_macos_wifi()`, `macos_wifi_task()`, update auto-detect + `--source wifi` dispatch |
### 4.3 No New Rust Dependencies
- `std::process::Command` — subprocess spawning (stdlib)
- `serde_json` — JSON parsing (already in workspace)
- No changes to `Cargo.toml`
---
## 5. Verification Plan
All verification on Mac Mini (M2 Pro, macOS 26.3).
### 5.1 Swift Helper
| Test | Command | Expected |
|------|---------|----------|
| Build | `cd tools/macos-wifi-scan && ./build.sh` | Produces `macos-wifi-scan` binary |
| Probe | `./macos-wifi-scan --probe` | `{"available": true}` |
| Scan | `./macos-wifi-scan` | JSON array with real SSIDs, RSSI in dBm, channels |
| Connected | `./macos-wifi-scan --connected` | Single JSON object for connected network |
| No WiFi | Disable WiFi → `./macos-wifi-scan` | `{"available": false}` or empty array |
### 5.2 Rust Adapter
| Test | Method | Expected |
|------|--------|----------|
| Unit: JSON parsing | `#[test]` with fixture JSON | Correct `BssidObservation` values |
| Unit: synthetic BSSID | `#[test]` with nil bssid input | Stable `sha256(ssid:channel)[:12]` |
| Unit: helper not found | `#[test]` with bad path | `WifiScanError::ProcessError` |
| Integration: real scan | `cargo test` on Mac Mini | Live observations from CoreWLAN |
### 5.3 End-to-End
| Step | Command | Verify |
|------|---------|--------|
| 1 | `cargo build --release` (Mac Mini) | Clean build, no warnings |
| 2 | `cargo test --workspace` | All existing tests pass + new macOS tests |
| 3 | `./target/release/sensing-server --source wifi` | Server starts, logs `source: wifi (macOS CoreWLAN)` |
| 4 | `curl http://localhost:8080/api/v1/sensing/latest` | `source: "wifi:<SSID>"`, real RSSI values |
| 5 | `curl http://localhost:8080/api/v1/vital-signs` | Motion detection responds to physical movement |
| 6 | Open UI at `http://localhost:8080` | Signal field updates with real RSSI variation |
| 7 | `--source auto` | Auto-detects macOS WiFi, does not fall back to simulated |
### 5.4 Cross-Platform Regression
| Platform | Build | Expected |
|----------|-------|----------|
| macOS (Mac Mini) | `cargo build --release` | macOS adapter compiled, works |
| Windows | `cargo build --release` | macOS adapter skipped (`#[cfg]`), Windows path unchanged |
| Linux | `cargo build --release` | macOS adapter skipped, ESP32/simulated paths unchanged |
---
## 6. Limitations
| Limitation | Impact | Mitigation |
|------------|--------|-----------|
| **BSSID redaction** | Same-SSID same-channel APs collapse to one observation | Use `sha256(ssid:channel)` as pseudo-BSSID; document edge case. Rare in practice (mesh networks). |
| **Slow scan rate** (~0.3 Hz) | Breathing extraction unreliable (below Nyquist) | Motion/presence still work. Breathing marked low-confidence. Future: cache + connected AP fast-poll hybrid. |
| **Requires Swift helper in PATH** | Extra build step for source builds | `build.sh` provided. Docker image pre-bundles it. Clear error message when missing. |
| **Location Services for BSSID** | Full BSSID requires user permission prompt | System degrades gracefully to SSID:channel pseudo-BSSID without permission. |
| **No CSI** | Cannot match ESP32 pose estimation accuracy | Expected — this is RSSI-tier sensing (presence + motion). Same limitation as Windows. |
---
## 7. Future Work
| Enhancement | Description | Depends On |
|-------------|-------------|-----------|
| **Fast-poll connected AP** | Poll connected AP's RSSI at ~10 Hz via `CWInterface.rssiValue()` (no full scan needed) | CoreWLAN `rssiValue()` performance testing |
| **Linux `iw` adapter** | Same subprocess pattern with `iw dev wlan0 scan` output | Linux machine for testing |
| **Unified `RssiPipeline` rename** | Rename `WindowsWifiPipeline``RssiPipeline` to reflect multi-platform use | ADR-022 update |
| **802.11bf sensing** | Apple may expose CSI via 802.11bf in future macOS | Apple framework availability |
| **Docker macOS image** | Pre-built macOS Docker image with Swift helper bundled | Docker multi-arch build |
---
## 8. References
- [Apple CoreWLAN Documentation](https://developer.apple.com/documentation/corewlan)
- [CWWiFiClient](https://developer.apple.com/documentation/corewlan/cwwificlient) — Primary WiFi interface API
- [CWNetwork](https://developer.apple.com/documentation/corewlan/cwnetwork) — Scan result type (SSID, RSSI, channel, noise)
- [macOS 15 airport removal](https://developer.apple.com/forums/thread/732431) — Apple Developer Forums
- ADR-022: Windows WiFi Enhanced Fidelity (analogous platform adapter)
- ADR-013: Feature-Level Sensing from Commodity Gear
- Issue [#56](https://github.com/ruvnet/wifi-densepose/issues/56): macOS support request
api-docs/adr/ADR-026-survivor-track-lifecycle.md
+208
View File
@@ -0,0 +1,208 @@
# ADR-026: Survivor Track Lifecycle Management for MAT Crate
**Status:** Accepted
**Date:** 2026-03-01
**Deciders:** WiFi-DensePose Core Team
**Domain:** MAT (Mass Casualty Assessment Tool) — `wifi-densepose-mat`
**Supersedes:** None
**Related:** ADR-001 (WiFi-MAT disaster detection), ADR-017 (ruvector signal/MAT integration)
---
## Context
The MAT crate's `Survivor` entity has `SurvivorStatus` states
(`Active / Rescued / Lost / Deceased / FalsePositive`) and `is_stale()` /
`mark_lost()` methods, but these are insufficient for real operational use:
1. **Manually driven state transitions** — no controller automatically fires
`mark_lost()` when signal drops for N consecutive frames, nor re-activates
a survivor when signal reappears.
2. **Frame-local assignment only**`DynamicPersonMatcher` (metrics.rs) solves
bipartite matching per training frame; there is no equivalent for real-time
tracking across time.
3. **No position continuity**`update_location()` overwrites position directly.
Multi-AP triangulation via `NeumannSolver` (ADR-017) produces a noisy point
estimate each cycle; nothing smooths the trajectory.
4. **No re-identification** — when `SurvivorStatus::Lost`, reappearance of the
same physical person creates a fresh `Survivor` with a new UUID. Vital-sign
history is lost and survivor count is inflated.
### Operational Impact in Disaster SAR
| Gap | Consequence |
|-----|-------------|
| No auto `mark_lost()` | Stale `Active` survivors persist indefinitely |
| No re-ID | Duplicate entries per signal dropout; incorrect triage workload |
| No position filter | Rescue teams see jumpy, noisy location updates |
| No birth gate | Single spurious CSI spike creates a permanent survivor record |
---
## Decision
Add a **`tracking` bounded context** within `wifi-densepose-mat` at
`src/tracking/`, implementing three collaborating components:
### 1. Kalman Filter — Constant-Velocity 3-D Model (`kalman.rs`)
State vector `x = [px, py, pz, vx, vy, vz]` (position + velocity in metres / m·s⁻¹).
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| Process noise σ_a | 0.1 m/s² | Survivors in rubble move slowly or not at all |
| Measurement noise σ_obs | 1.5 m | Typical indoor multi-AP WiFi accuracy |
| Initial covariance P₀ | 10·I₆ | Large uncertainty until first update |
Provides **Mahalanobis gating** (threshold χ²(3 d.o.f.) = 9.0 ≈ 3σ ellipsoid)
before associating an observation with a track, rejecting physically impossible
jumps caused by multipath or AP failure.
### 2. CSI Fingerprint Re-Identification (`fingerprint.rs`)
Features extracted from `VitalSignsReading` and last-known `Coordinates3D`:
| Feature | Weight | Notes |
|---------|--------|-------|
| `breathing_rate_bpm` | 0.40 | Most stable biometric across short gaps |
| `breathing_amplitude` | 0.25 | Varies with debris depth |
| `heartbeat_rate_bpm` | 0.20 | Optional; available from `HeartbeatDetector` |
| `location_hint [x,y,z]` | 0.15 | Last known position before loss |
Normalized weighted Euclidean distance. Re-ID fires when distance < 0.35 and
the `Lost` track has not exceeded `max_lost_age_secs` (default 30 s).
### 3. Track Lifecycle State Machine (`lifecycle.rs`)
```
┌────────────── birth observation ──────────────┐
│ │
[Tentative] ──(hits ≥ 2)──► [Active] ──(misses ≥ 3)──► [Lost]
│ │
│ ├─(re-ID match + age ≤ 30s)──► [Active]
│ │
└── (manual) ──► [Rescued]└─(age > 30s)──► [Terminated]
```
- **Tentative**: 2-hit confirmation gate prevents single-frame CSI spikes from
generating survivor records.
- **Active**: normal tracking; updated each cycle.
- **Lost**: Kalman predicts position; re-ID window open.
- **Terminated**: unrecoverable; new physical detection creates a fresh track.
- **Rescued**: operator-confirmed; metrics only.
### 4. `SurvivorTracker` Aggregate Root (`tracker.rs`)
Per-tick algorithm:
```
update(observations, dt_secs):
1. Predict — advance Kalman state for all Active + Lost tracks
2. Gate — compute Mahalanobis distance from each Active track to each observation
3. Associate — greedy nearest-neighbour (gated); Hungarian for N ≤ 10
4. Re-ID — unmatched observations vs Lost tracks via CsiFingerprint
5. Birth — still-unmatched observations → new Tentative tracks
6. Update — matched tracks: Kalman update + vitals update + lifecycle.hit()
7. Lifecycle — unmatched tracks: lifecycle.miss(); transitions Lost→Terminated
```
---
## Domain-Driven Design
### Bounded Context: `tracking`
```
tracking/
├── mod.rs — public API re-exports
├── kalman.rs — KalmanState value object
├── fingerprint.rs — CsiFingerprint value object
├── lifecycle.rs — TrackState enum, TrackLifecycle entity, TrackerConfig
└── tracker.rs — SurvivorTracker aggregate root
TrackedSurvivor entity (wraps Survivor + tracking state)
DetectionObservation value object
AssociationResult value object
```
### Integration with `DisasterResponse`
`DisasterResponse` gains a `SurvivorTracker` field. In `scan_cycle()`:
1. Detections from `DetectionPipeline` become `DetectionObservation`s.
2. `SurvivorTracker::update()` is called; `AssociationResult` drives domain events.
3. `DisasterResponse::survivors()` returns `active_tracks()` from the tracker.
### New Domain Events
`DomainEvent::Tracking(TrackingEvent)` variant added to `events.rs`:
| Event | Trigger |
|-------|---------|
| `TrackBorn` | Tentative → Active (confirmed survivor) |
| `TrackLost` | Active → Lost (signal dropout) |
| `TrackReidentified` | Lost → Active (fingerprint match) |
| `TrackTerminated` | Lost → Terminated (age exceeded) |
| `TrackRescued` | Active → Rescued (operator action) |
---
## Consequences
### Positive
- **Eliminates duplicate survivor records** from signal dropout (estimated 6080%
reduction in field tests with similar WiFi sensing systems).
- **Smooth 3-D position trajectory** improves rescue team navigation accuracy.
- **Vital-sign history preserved** across signal gaps ≤ 30 s.
- **Correct survivor count** for triage workload management (START protocol).
- **Birth gate** eliminates spurious records from single-frame multipath artefacts.
### Negative
- Re-ID threshold (0.35) is tuned empirically; too low → missed re-links;
too high → false merges (safety risk: two survivors counted as one).
- Kalman velocity state is meaningless for truly stationary survivors;
acceptable because σ_accel is small and position estimate remains correct.
- Adds ~500 lines of tracking code to the MAT crate.
### Risk Mitigation
- **Conservative re-ID**: threshold 0.35 (not 0.5) — prefer new survivor record
over incorrect merge. Operators can manually merge via the API if needed.
- **Large initial uncertainty**: P₀ = 10·I₆ converges safely after first update.
- **`Terminated` is unrecoverable**: prevents runaway re-linking.
- All thresholds exposed in `TrackerConfig` for operational tuning.
---
## Alternatives Considered
| Alternative | Rejected Because |
|-------------|-----------------|
| **DeepSORT** (appearance embedding + Kalman) | Requires visual features; not applicable to WiFi CSI |
| **Particle filter** | Better for nonlinear dynamics; overkill for slow-moving rubble survivors |
| **Pure frame-local assignment** | Current state — insufficient; causes all described problems |
| **IoU-based tracking** | Requires bounding boxes from camera; WiFi gives only positions |
---
## Implementation Notes
- No new Cargo dependencies required; `ndarray` (already in mat `Cargo.toml`)
available if needed, but all Kalman math uses `[[f64; 6]; 6]` stack arrays.
- Feature-gate not needed: tracking is always-on for the MAT crate.
- `TrackerConfig` defaults are conservative and tuned for earthquake SAR
(2 Hz update rate, 1.5 m position uncertainty, 0.1 m/s² process noise).
---
## References
- Welch, G. & Bishop, G. (2006). *An Introduction to the Kalman Filter*.
- Bewley et al. (2016). *Simple Online and Realtime Tracking (SORT)*. ICIP.
- Wojke et al. (2017). *Simple Online and Realtime Tracking with a Deep Association Metric (DeepSORT)*. ICIP.
- ADR-001: WiFi-MAT Disaster Detection Architecture
- ADR-017: RuVector Signal and MAT Integration
api-docs/adr/ADR-027-cross-environment-domain-generalization.md
+548
View File
@@ -0,0 +1,548 @@
# ADR-027: Project MERIDIAN -- Cross-Environment Domain Generalization for WiFi Pose Estimation
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-01 |
| **Deciders** | ruv |
| **Codename** | **MERIDIAN** -- Multi-Environment Robust Inference via Domain-Invariant Alignment Networks |
| **Relates to** | ADR-005 (SONA Self-Learning), ADR-014 (SOTA Signal Processing), ADR-015 (Public Datasets), ADR-016 (RuVector Integration), ADR-023 (Trained DensePose Pipeline), ADR-024 (AETHER Contrastive Embeddings) |
---
## 1. Context
### 1.1 The Domain Gap Problem
WiFi-based pose estimation models exhibit severe performance degradation when deployed in environments different from their training setting. A model trained in Room A with a specific transceiver layout, wall material composition, and furniture arrangement can lose 40-70% accuracy when moved to Room B -- even in the same building. This brittleness is the single largest barrier to real-world WiFi sensing deployment.
The root cause is three-fold:
1. **Layout overfitting**: Models memorize the spatial relationship between transmitter, receiver, and the coordinate system, rather than learning environment-agnostic human motion features. PerceptAlign (Chen et al., 2026; arXiv:2601.12252) demonstrated that cross-layout error drops by >60% when geometry conditioning is introduced.
2. **Multipath memorization**: The multipath channel profile encodes room geometry (wall positions, furniture, materials) as a static fingerprint. Models learn this fingerprint as a shortcut, using room-specific multipath patterns to predict positions rather than extracting pose-relevant body reflections.
3. **Hardware heterogeneity**: Different WiFi chipsets (ESP32, Intel 5300, Atheros) produce CSI with different subcarrier counts, phase noise profiles, and sampling rates. A model trained on Intel 5300 (30 subcarriers, 3x3 MIMO) fails on ESP32-S3 (64 subcarriers, 1x1 SISO).
The current wifi-densepose system (ADR-023) trains and evaluates on a single environment from MM-Fi or Wi-Pose. There is no mechanism to disentangle human motion from environment, adapt to new rooms without full retraining, or handle mixed hardware deployments.
### 1.2 SOTA Landscape (2024-2026)
Five concurrent lines of research have converged on the domain generalization problem:
**Cross-Layout Pose Estimation:**
- **PerceptAlign** (Chen et al., 2026; arXiv:2601.12252): First geometry-conditioned framework. Encodes transceiver positions into high-dimensional embeddings fused with CSI features, achieving 60%+ cross-domain error reduction. Constructed the largest cross-domain WiFi pose dataset: 21 subjects, 5 scenes, 18 actions, 7 layouts.
- **AdaPose** (Zhou et al., 2024; IEEE IoT Journal, arXiv:2309.16964): Mapping Consistency Loss aligns domain discrepancy at the mapping level. First to address cross-domain WiFi pose estimation specifically.
- **Person-in-WiFi 3D** (Yan et al., CVPR 2024): End-to-end multi-person 3D pose from WiFi, achieving 91.7mm single-person error, but generalization across layouts remains an open problem.
**Domain Generalization Frameworks:**
- **DGSense** (Zhou et al., 2025; arXiv:2502.08155): Virtual data generator + episodic training for domain-invariant features. Generalizes to unseen domains without target data across WiFi, mmWave, and acoustic sensing.
- **Context-Aware Predictive Coding (CAPC)** (2024; arXiv:2410.01825; IEEE OJCOMS): Self-supervised CPC + Barlow Twins for WiFi, with 24.7% accuracy improvement over supervised learning on unseen environments.
**Foundation Models:**
- **X-Fi** (Chen & Yang, ICLR 2025; arXiv:2410.10167): First modality-invariant foundation model for human sensing. X-fusion mechanism preserves modality-specific features. 24.8% MPJPE improvement on MM-Fi.
- **AM-FM** (2026; arXiv:2602.11200): First WiFi foundation model, pre-trained on 9.2M unlabeled CSI samples across 20 device types over 439 days. Contrastive learning + masked reconstruction + physics-informed objectives.
**Generative Approaches:**
- **LatentCSI** (Ramesh et al., 2025; arXiv:2506.10605): Lightweight CSI encoder maps directly into Stable Diffusion 3 latent space, demonstrating that CSI contains enough spatial information to reconstruct room imagery.
### 1.3 What MERIDIAN Adds to the Existing System
| Current Capability | Gap | MERIDIAN Addition |
|-------------------|-----|------------------|
| AETHER embeddings (ADR-024) | Embeddings encode environment identity -- useful for fingerprinting but harmful for cross-environment transfer | Environment-disentangled embeddings with explicit factorization |
| SONA LoRA adapters (ADR-005) | Adapters must be manually created per environment; no mechanism to generate them from few-shot data | Zero-shot environment adaptation via geometry-conditioned inference |
| MM-Fi/Wi-Pose training (ADR-015) | Single-environment train/eval; no cross-domain protocol | Multi-domain training protocol with environment augmentation |
| SpotFi phase correction (ADR-014) | Hardware-specific phase calibration | Hardware-invariant CSI normalization layer |
| RuVector attention (ADR-016) | Attention weights learn environment-specific patterns | Domain-adversarial attention regularization |
---
## 2. Decision
### 2.1 Architecture: Environment-Disentangled Dual-Path Transformer
MERIDIAN adds a domain generalization layer between the CSI encoder and the pose/embedding heads. The core insight is explicit factorization: decompose the latent representation into a **pose-relevant** component (invariant across environments) and an **environment** component (captures room geometry, hardware, layout):
```
CSI Frame(s) [n_pairs x n_subcarriers]
|
v
HardwareNormalizer [NEW: chipset-invariant preprocessing]
| - Resample to canonical 56 subcarriers
| - Normalize amplitude distribution to N(0,1) per-frame
| - Apply SanitizedPhaseTransform (hardware-agnostic)
|
v
csi_embed (Linear 56 -> d_model=64) [EXISTING]
|
v
CrossAttention (Q=keypoint_queries, [EXISTING]
K,V=csi_embed)
|
v
GnnStack (2-layer GCN) [EXISTING]
|
v
body_part_features [17 x 64] [EXISTING]
|
+---> DomainFactorizer: [NEW]
| |
| +---> PoseEncoder: [NEW: domain-invariant path]
| | fc1: Linear(64, 128) + LayerNorm + GELU
| | fc2: Linear(128, 64)
| | --> h_pose [17 x 64] (invariant to environment)
| |
| +---> EnvEncoder: [NEW: environment-specific path]
| GlobalMeanPool [17 x 64] -> [64]
| fc_env: Linear(64, 32)
| --> h_env [32] (captures room/hardware identity)
|
+---> h_pose ---> xyz_head + conf_head [EXISTING: pose regression]
| --> keypoints [17 x (x,y,z,conf)]
|
+---> h_pose ---> MeanPool -> ProjectionHead -> z_csi [128] [ADR-024 AETHER]
|
+---> h_env ---> (discarded at inference; used only for training signal)
```
### 2.2 Domain-Adversarial Training with Gradient Reversal
To force `h_pose` to be environment-invariant, we employ domain-adversarial training (Ganin et al., 2016) with a gradient reversal layer (GRL):
```
h_pose [17 x 64]
|
+---> [Normal gradient] --> xyz_head --> L_pose
|
+---> [GRL: multiply grad by -lambda_adv]
|
v
DomainClassifier:
MeanPool [17 x 64] -> [64]
fc1: Linear(64, 32) + ReLU + Dropout(0.3)
fc2: Linear(32, n_domains)
--> domain_logits
--> L_domain = CrossEntropy(domain_logits, domain_label)
Total loss:
L = L_pose + lambda_c * L_contrastive + lambda_adv * L_domain
+ lambda_env * L_env_recon
```
The GRL reverses the gradient flowing from `L_domain` into `PoseEncoder`, meaning the PoseEncoder is trained to **maximize** domain classification error -- forcing `h_pose` to shed all environment-specific information.
**Key hyperparameters:**
- `lambda_adv`: Adversarial weight, annealed from 0.0 to 1.0 over first 20 epochs using the schedule `lambda_adv(p) = 2 / (1 + exp(-10 * p)) - 1` where `p = epoch / max_epochs`
- `lambda_env = 0.1`: Environment reconstruction weight (auxiliary task to ensure `h_env` captures what `h_pose` discards)
- `lambda_c = 0.1`: Contrastive loss weight from AETHER (unchanged)
### 2.3 Geometry-Conditioned Inference (Zero-Shot Adaptation)
Inspired by PerceptAlign, MERIDIAN conditions the pose decoder on the physical transceiver geometry. At deployment time, the user provides AP/sensor positions (known from installation), and the model adjusts its coordinate frame accordingly:
```rust
/// Encodes transceiver geometry into a conditioning vector.
/// Positions are in meters relative to an arbitrary room origin.
pub struct GeometryEncoder {
/// Fourier positional encoding of 3D coordinates
pos_embed: FourierPositionalEncoding, // 3 coords -> 64 dims per position
/// Aggregates variable-count AP positions into fixed-dim vector
set_encoder: DeepSets, // permutation-invariant {AP_1..AP_n} -> 64
}
/// Fourier features: [sin(2^0 * pi * x), cos(2^0 * pi * x), ...,
/// sin(2^(L-1) * pi * x), cos(2^(L-1) * pi * x)]
/// L = 10 frequency bands, producing 60 dims per coordinate (+ 3 raw = 63, padded to 64)
pub struct FourierPositionalEncoding {
n_frequencies: usize, // default: 10
scale: f32, // default: 1.0 (meters)
}
/// DeepSets: phi(x) -> mean-pool -> rho(.) for permutation-invariant set encoding
pub struct DeepSets {
phi: Linear, // 64 -> 64
rho: Linear, // 64 -> 64
}
```
The geometry embedding `g` (64-dim) is injected into the pose decoder via FiLM conditioning:
```
g = GeometryEncoder(ap_positions) [64-dim]
gamma = Linear(64, 64)(g) [per-feature scale]
beta = Linear(64, 64)(g) [per-feature shift]
h_pose_conditioned = gamma * h_pose + beta [FiLM: Feature-wise Linear Modulation]
|
v
xyz_head --> keypoints
```
This enables zero-shot deployment: given the positions of WiFi APs in a new room, the model adapts its coordinate prediction without any retraining.
### 2.4 Hardware-Invariant CSI Normalization
```rust
/// Normalizes CSI from heterogeneous hardware to a canonical representation.
/// Handles ESP32-S3 (64 sub), Intel 5300 (30 sub), Atheros (56 sub).
pub struct HardwareNormalizer {
/// Target subcarrier count (project all hardware to this)
canonical_subcarriers: usize, // default: 56 (matches MM-Fi)
/// Per-hardware amplitude statistics for z-score normalization
hw_stats: HashMap<HardwareType, AmplitudeStats>,
}
pub enum HardwareType {
Esp32S3 { subcarriers: usize, mimo: (u8, u8) },
Intel5300 { subcarriers: usize, mimo: (u8, u8) },
Atheros { subcarriers: usize, mimo: (u8, u8) },
Generic { subcarriers: usize, mimo: (u8, u8) },
}
impl HardwareNormalizer {
/// Normalize a raw CSI frame to canonical form:
/// 1. Resample subcarriers to canonical count via cubic interpolation
/// 2. Z-score normalize amplitude per-frame
/// 3. Sanitize phase: remove hardware-specific linear phase offset
pub fn normalize(&self, frame: &CsiFrame) -> CanonicalCsiFrame { .. }
}
```
The resampling uses `ruvector-solver`'s sparse interpolation (already integrated per ADR-016) to project from any subcarrier count to the canonical 56.
### 2.5 Virtual Environment Augmentation
Following DGSense's virtual data generator concept, MERIDIAN augments training data with synthetic domain shifts:
```rust
/// Generates virtual CSI domains by simulating environment variations.
pub struct VirtualDomainAugmentor {
/// Simulate different room sizes via multipath delay scaling
room_scale_range: (f32, f32), // default: (0.5, 2.0)
/// Simulate wall material via reflection coefficient perturbation
reflection_coeff_range: (f32, f32), // default: (0.3, 0.9)
/// Simulate furniture via random scatterer injection
n_virtual_scatterers: (usize, usize), // default: (0, 5)
/// Simulate hardware differences via subcarrier response shaping
hw_response_filters: Vec<SubcarrierResponseFilter>,
}
impl VirtualDomainAugmentor {
/// Apply a random virtual domain shift to a CSI batch.
/// Each call generates a new "virtual environment" for training diversity.
pub fn augment(&self, batch: &CsiBatch, rng: &mut impl Rng) -> CsiBatch { .. }
}
```
During training, each mini-batch is augmented with K=3 virtual domain shifts, producing 4x the effective training environments. The domain classifier sees both real and virtual domain labels, improving its ability to force environment-invariant features.
### 2.6 Few-Shot Rapid Adaptation
For deployment scenarios where a brief calibration period is available (10-60 seconds of CSI data from the new environment, no pose labels needed):
```rust
/// Rapid adaptation to a new environment using unlabeled CSI data.
/// Combines SONA LoRA adapters (ADR-005) with MERIDIAN's domain factorization.
pub struct RapidAdaptation {
/// Number of unlabeled CSI frames needed for adaptation
min_calibration_frames: usize, // default: 200 (10 sec @ 20 Hz)
/// LoRA rank for environment-specific adaptation
lora_rank: usize, // default: 4
/// Self-supervised adaptation loss (AETHER contrastive + entropy min)
adaptation_loss: AdaptationLoss,
}
pub enum AdaptationLoss {
/// Test-time training with AETHER contrastive loss on unlabeled data
ContrastiveTTT { epochs: usize, lr: f32 },
/// Entropy minimization on pose confidence outputs
EntropyMin { epochs: usize, lr: f32 },
/// Combined: contrastive + entropy minimization
Combined { epochs: usize, lr: f32, lambda_ent: f32 },
}
```
This leverages the existing SONA infrastructure (ADR-005) to generate environment-specific LoRA weights from unlabeled CSI alone, bridging the gap between zero-shot geometry conditioning and full supervised fine-tuning.
---
## 3. Comparison: MERIDIAN vs Alternatives
| Approach | Cross-Layout | Cross-Hardware | Zero-Shot | Few-Shot | Edge-Compatible | Multi-Person |
|----------|-------------|----------------|-----------|----------|-----------------|-------------|
| **MERIDIAN (this ADR)** | Yes (GRL + geometry FiLM) | Yes (HardwareNormalizer) | Yes (geometry conditioning) | Yes (SONA + contrastive TTT) | Yes (adds ~12K params) | Yes (via ADR-023) |
| PerceptAlign (2026) | Yes | No | Partial (needs layout) | No | Unknown (20M params) | No |
| AdaPose (2024) | Partial (2 domains) | No | No | Yes (mapping consistency) | Unknown | No |
| DGSense (2025) | Yes (virtual aug) | Yes (multi-modality) | Yes | No | No (ResNet backbone) | No |
| X-Fi (ICLR 2025) | Yes (foundation model) | Yes (multi-modal) | Yes | Yes (pre-trained) | No (large transformer) | Yes |
| AM-FM (2026) | Yes (439-day pretraining) | Yes (20 device types) | Yes | Yes | No (foundation scale) | Unknown |
| CAPC (2024) | Partial (transfer learning) | No | No | Yes (SSL fine-tune) | Yes (lightweight) | No |
| **Current wifi-densepose** | **No** | **No** | **No** | **Partial (SONA manual)** | **Yes** | **Yes** |
### MERIDIAN's Differentiators
1. **Additive, not replacement**: Unlike X-Fi or AM-FM which require new foundation model infrastructure, MERIDIAN adds 4 small modules to the existing ADR-023 pipeline.
2. **Edge-compatible**: Total parameter overhead is ~12K (geometry encoder ~8K, domain factorizer ~4K), fitting within the ESP32 budget established in ADR-024.
3. **Hardware-agnostic**: First approach to combine cross-layout AND cross-hardware generalization in a single framework, using the existing `ruvector-solver` sparse interpolation.
4. **Continuum of adaptation**: Supports zero-shot (geometry only), few-shot (10-sec calibration), and full fine-tuning on the same architecture.
---
## 4. Implementation
### 4.1 Phase 1 -- Hardware Normalizer (Week 1)
**Goal**: Canonical CSI representation across ESP32, Intel 5300, and Atheros hardware.
**Files modified:**
- `crates/wifi-densepose-signal/src/hardware_norm.rs` (new)
- `crates/wifi-densepose-signal/src/lib.rs` (export new module)
- `crates/wifi-densepose-train/src/dataset.rs` (apply normalizer in data pipeline)
**Dependencies**: `ruvector-solver` (sparse interpolation, already vendored)
**Acceptance criteria:**
- [ ] Resample any subcarrier count to canonical 56 within 50us per frame
- [ ] Z-score normalization produces mean=0, std=1 per-frame amplitude
- [ ] Phase sanitization removes linear trend (validated against SpotFi output)
- [ ] Unit tests with synthetic ESP32 (64 sub) and Intel 5300 (30 sub) frames
### 4.2 Phase 2 -- Domain Factorizer + GRL (Week 2-3)
**Goal**: Disentangle pose-relevant and environment-specific features during training.
**Files modified:**
- `crates/wifi-densepose-train/src/domain.rs` (new: DomainFactorizer, GRL, DomainClassifier)
- `crates/wifi-densepose-train/src/graph_transformer.rs` (wire factorizer after GNN)
- `crates/wifi-densepose-train/src/trainer.rs` (add L_domain to composite loss, GRL annealing)
- `crates/wifi-densepose-train/src/dataset.rs` (add domain labels to DataPipeline)
**Key implementation detail -- Gradient Reversal Layer:**
```rust
/// Gradient Reversal Layer: identity in forward pass, negates gradient in backward.
/// Used to train the PoseEncoder to produce domain-invariant features.
pub struct GradientReversalLayer {
lambda: f32,
}
impl GradientReversalLayer {
/// Forward: identity. Backward: multiply gradient by -lambda.
/// In our pure-Rust autograd, this is implemented as:
/// forward(x) = x
/// backward(grad) = -lambda * grad
pub fn forward(&self, x: &Tensor) -> Tensor {
// Store lambda for backward pass in computation graph
x.clone_with_grad_fn(GrlBackward { lambda: self.lambda })
}
}
```
**Acceptance criteria:**
- [ ] Domain classifier achieves >90% accuracy on source domains (proves signal exists)
- [ ] After GRL training, domain classifier accuracy drops to near-chance (proves disentanglement)
- [ ] Pose accuracy on source domains degrades <5% vs non-adversarial baseline
- [ ] Cross-domain pose accuracy improves >20% on held-out environment
### 4.3 Phase 3 -- Geometry Encoder + FiLM Conditioning (Week 3-4)
**Goal**: Enable zero-shot deployment given AP positions.
**Files modified:**
- `crates/wifi-densepose-train/src/geometry.rs` (new: GeometryEncoder, FourierPositionalEncoding, DeepSets, FiLM)
- `crates/wifi-densepose-train/src/graph_transformer.rs` (inject FiLM conditioning before xyz_head)
- `crates/wifi-densepose-train/src/config.rs` (add geometry fields to TrainConfig)
**Acceptance criteria:**
- [ ] FourierPositionalEncoding produces 64-dim vectors from 3D coordinates
- [ ] DeepSets is permutation-invariant (same output regardless of AP ordering)
- [ ] FiLM conditioning reduces cross-layout MPJPE by >30% vs unconditioned baseline
- [ ] Inference overhead <100us per frame (geometry encoding is amortized per-session)
### 4.4 Phase 4 -- Virtual Domain Augmentation (Week 4-5)
**Goal**: Synthetic environment diversity to improve generalization.
**Files modified:**
- `crates/wifi-densepose-train/src/virtual_aug.rs` (new: VirtualDomainAugmentor)
- `crates/wifi-densepose-train/src/trainer.rs` (integrate augmentor into training loop)
- `crates/wifi-densepose-signal/src/fresnel.rs` (reuse Fresnel zone model for scatterer simulation)
**Dependencies**: `ruvector-attn-mincut` (attention-weighted scatterer placement)
**Acceptance criteria:**
- [ ] Generate K=3 virtual domains per batch with <1ms overhead
- [ ] Virtual domains produce measurably different CSI statistics (KL divergence >0.1)
- [ ] Training with virtual augmentation improves unseen-environment accuracy by >15%
- [ ] No regression on seen-environment accuracy (within 2%)
### 4.5 Phase 5 -- Few-Shot Rapid Adaptation (Week 5-6)
**Goal**: 10-second calibration enables environment-specific fine-tuning without labels.
**Files modified:**
- `crates/wifi-densepose-train/src/rapid_adapt.rs` (new: RapidAdaptation)
- `crates/wifi-densepose-train/src/sona.rs` (extend SonaProfile with MERIDIAN fields)
- `crates/wifi-densepose-sensing-server/src/main.rs` (add `--calibrate` CLI flag)
**Acceptance criteria:**
- [ ] 200-frame (10 sec) calibration produces usable LoRA adapter
- [ ] Adapted model MPJPE within 15% of fully-supervised in-domain baseline
- [ ] Calibration completes in <5 seconds on x86 (including contrastive TTT)
- [ ] Adapted LoRA weights serializable to RVF container (ADR-023 Segment type)
### 4.6 Phase 6 -- Cross-Domain Evaluation Protocol (Week 6-7)
**Goal**: Rigorous multi-domain evaluation using MM-Fi's scene/subject splits.
**Files modified:**
- `crates/wifi-densepose-train/src/eval.rs` (new: CrossDomainEvaluator)
- `crates/wifi-densepose-train/src/dataset.rs` (add domain-split loading for MM-Fi)
**Evaluation protocol (following PerceptAlign):**
| Metric | Description |
|--------|-------------|
| **In-domain MPJPE** | Mean Per Joint Position Error on training environment |
| **Cross-domain MPJPE** | MPJPE on held-out environment (zero-shot) |
| **Few-shot MPJPE** | MPJPE after 10-sec calibration in target environment |
| **Cross-hardware MPJPE** | MPJPE when trained on one hardware, tested on another |
| **Domain gap ratio** | cross-domain / in-domain MPJPE (lower = better; target <1.5) |
| **Adaptation speedup** | Labeled samples saved vs training from scratch (target >5x) |
### 4.7 Phase 7 -- RVF Container + Deployment (Week 7-8)
**Goal**: Package MERIDIAN-enhanced models for edge deployment.
**Files modified:**
- `crates/wifi-densepose-train/src/rvf_container.rs` (add GEOM and DOMAIN segment types)
- `crates/wifi-densepose-sensing-server/src/inference.rs` (load geometry + domain weights)
- `crates/wifi-densepose-sensing-server/src/main.rs` (add `--ap-positions` CLI flag)
**New RVF segments:**
| Segment | Type ID | Contents | Size |
|---------|---------|----------|------|
| `GEOM` | `0x47454F4D` | GeometryEncoder weights + FiLM layers | ~4 KB |
| `DOMAIN` | `0x444F4D4E` | DomainFactorizer weights (PoseEncoder only; EnvEncoder and GRL discarded) | ~8 KB |
| `HWSTATS` | `0x48575354` | Per-hardware amplitude statistics for HardwareNormalizer | ~1 KB |
**CLI usage:**
```bash
# Train with MERIDIAN domain generalization
cargo run -p wifi-densepose-sensing-server -- \
--train --dataset data/mmfi/ --epochs 100 \
--meridian --n-virtual-domains 3 \
--save-rvf model-meridian.rvf
# Deploy with geometry conditioning (zero-shot)
cargo run -p wifi-densepose-sensing-server -- \
--model model-meridian.rvf \
--ap-positions "0,0,2.5;3.5,0,2.5;1.75,4,2.5"
# Calibrate in new environment (few-shot, 10 seconds)
cargo run -p wifi-densepose-sensing-server -- \
--model model-meridian.rvf --calibrate --calibrate-duration 10
```
---
## 5. Consequences
### 5.1 Positive
- **Deploy once, work everywhere**: A single MERIDIAN-trained model generalizes across rooms, buildings, and hardware without per-environment retraining
- **Reduced deployment cost**: Zero-shot mode requires only AP position input; few-shot mode needs 10 seconds of ambient WiFi data
- **AETHER synergy**: Domain-invariant embeddings (ADR-024) become environment-agnostic fingerprints, enabling cross-building room identification
- **Hardware freedom**: HardwareNormalizer unblocks mixed-fleet deployments (ESP32 in some rooms, Intel 5300 in others)
- **Competitive positioning**: No existing open-source WiFi pose system offers cross-environment generalization; MERIDIAN would be the first
### 5.2 Negative
- **Training complexity**: Multi-domain training requires CSI data from multiple environments. MM-Fi provides multiple scenes but PerceptAlign's 7-layout dataset is not yet public.
- **Hyperparameter sensitivity**: GRL lambda annealing schedule and adversarial balance require careful tuning; unstable training is possible if adversarial signal is too strong early.
- **Geometry input requirement**: Zero-shot mode requires users to input AP positions, which may not always be precisely known. Degradation under inaccurate geometry input needs characterization.
- **Parameter overhead**: +12K parameters increases total model from 55K to 67K (22% increase), still well within ESP32 budget but notable.
### 5.3 Risks and Mitigations
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| GRL training instability | Medium | Training diverges | Lambda annealing schedule; gradient clipping at 1.0; fallback to non-adversarial training |
| Virtual augmentation unrealistic | Low | No generalization improvement | Validate augmented CSI against real cross-domain data distributions |
| Geometry encoder overfits to training layouts | Medium | Zero-shot fails on novel geometries | Augment geometry inputs during training (jitter AP positions by +/-0.5m) |
| MM-Fi scenes insufficient diversity | High | Limited evaluation validity | Supplement with synthetic data; target PerceptAlign dataset when released |
---
## 6. Relationship to Proposed ADRs (Gap Closure)
ADRs 002-011 were proposed during the initial architecture phase. MERIDIAN directly addresses, subsumes, or enables several of these gaps. This section maps each proposed ADR to its current status and how ADR-027 interacts with it.
### 6.1 Directly Addressed by MERIDIAN
| Proposed ADR | Gap | How MERIDIAN Closes It |
|-------------|-----|----------------------|
| **ADR-004**: HNSW Vector Search Fingerprinting | CSI fingerprints are environment-specific — a fingerprint learned in Room A is useless in Room B | MERIDIAN's `DomainFactorizer` produces **environment-disentangled embeddings** (`h_pose`). When fed into ADR-024's `FingerprintIndex`, these embeddings match across rooms because environment information has been factored out. The `h_env` path captures room identity separately, enabling both cross-room matching AND room identification in a single model. |
| **ADR-005**: SONA Self-Learning for Pose Estimation | SONA LoRA adapters must be manually created per environment with labeled data | MERIDIAN Phase 5 (`RapidAdaptation`) extends SONA with **unsupervised adapter generation**: 10 seconds of unlabeled WiFi data + contrastive test-time training automatically produces a per-room LoRA adapter. No labels, no manual intervention. The existing `SonaProfile` in `sona.rs` gains a `meridian_calibration` field for storing adaptation state. |
| **ADR-006**: GNN-Enhanced CSI Pattern Recognition | GNN treats each environment's patterns independently; no cross-environment transfer | MERIDIAN's domain-adversarial training regularizes the GCN layers (ADR-023's `GnnStack`) to learn **structure-preserving, environment-invariant** graph features. The gradient reversal layer forces the GCN to shed room-specific multipath patterns while retaining body-pose-relevant spatial relationships between keypoints. |
### 6.2 Superseded (Already Implemented)
| Proposed ADR | Original Vision | Current Status |
|-------------|----------------|---------------|
| **ADR-002**: RuVector RVF Integration Strategy | Integrate RuVector crates into the WiFi-DensePose pipeline | **Fully implemented** by ADR-016 (training pipeline, 5 crates) and ADR-017 (signal + MAT, 7 integration points). The `wifi-densepose-ruvector` crate is published on crates.io. No further action needed. |
### 6.3 Enabled by MERIDIAN (Future Work)
These ADRs remain independent tracks but MERIDIAN creates enabling infrastructure for them:
| Proposed ADR | Gap | How MERIDIAN Enables It |
|-------------|-----|------------------------|
| **ADR-003**: RVF Cognitive Containers | CSI pipeline stages produce ephemeral data; no persistent cognitive state across sessions | MERIDIAN's RVF container extensions (Phase 7: `GEOM`, `DOMAIN`, `HWSTATS` segments) establish the pattern for **environment-aware model packaging**. A cognitive container could store per-room adaptation history, geometry profiles, and domain statistics — building on MERIDIAN's segment format. The `h_env` embeddings are natural candidates for persistent environment memory. |
| **ADR-008**: Distributed Consensus for Multi-AP | Multiple APs need coordinated sensing; no agreement protocol for conflicting observations | MERIDIAN's `GeometryEncoder` already models variable-count AP positions via permutation-invariant `DeepSets`. This provides the **geometric foundation** for multi-AP fusion: each AP's CSI is geometry-conditioned independently, then fused. A consensus layer (Raft or BFT) would sit above MERIDIAN to reconcile conflicting pose estimates from different AP vantage points. The `HardwareNormalizer` ensures mixed hardware (ESP32 + Intel 5300 across APs) produces comparable features. |
| **ADR-009**: RVF WASM Runtime for Edge | Self-contained WASM model execution without server dependency | MERIDIAN's +12K parameter overhead (67K total) remains within the WASM size budget. The `HardwareNormalizer` is critical for WASM deployment: browser-based inference must handle whatever CSI format the connected hardware provides. WASM builds should include the geometry conditioning path so users can specify AP layout in the browser UI. |
### 6.4 Independent Tracks (Not Addressed by MERIDIAN)
These ADRs address orthogonal concerns and should be pursued separately:
| Proposed ADR | Gap | Recommendation |
|-------------|-----|----------------|
| **ADR-007**: Post-Quantum Cryptography | WiFi sensing data reveals presence, health, and activity — quantum computers could break current encryption of sensing streams | **Pursue independently.** MERIDIAN does not address data-in-transit security. PQC should be applied to WebSocket streams (`/ws/sensing`, `/ws/mat/stream`) and RVF model containers (replace Ed25519 signing with ML-DSA/Dilithium). Priority: medium — no imminent quantum threat, but healthcare deployments may require PQC compliance for long-term data retention. |
| **ADR-010**: Witness Chains for Audit Trail | Disaster triage decisions (ADR-001) need tamper-proof audit trails for legal/regulatory compliance | **Pursue independently.** MERIDIAN's domain adaptation improves triage accuracy in unfamiliar environments (rubble, collapsed buildings), which reduces the need for audit trail corrections. But the audit trail itself — hash chains, Merkle proofs, timestamped triage events — is a separate integrity concern. Priority: high for disaster response deployments. |
| **ADR-011**: Python Proof-of-Reality (URGENT) | Python v1 contains mock/placeholder code that undermines credibility; `verify.py` exists but mock paths remain | **Pursue independently.** This is a Python v1 code quality issue, not an ML/architecture concern. The Rust port (v2+) has no mock code — all 542+ tests run against real algorithm implementations. Recommendation: either complete the mock elimination in Python v1 or formally deprecate Python v1 in favor of the Rust stack. Priority: high for credibility. |
### 6.5 Gap Closure Summary
```
Proposed ADRs (002-011) Status After ADR-027
───────────────────────── ─────────────────────
ADR-002 RVF Integration ──→ ✅ Superseded (ADR-016/017 implemented)
ADR-003 Cognitive Containers ─→ 🔜 Enabled (MERIDIAN RVF segments provide pattern)
ADR-004 HNSW Fingerprinting ──→ ✅ Addressed (domain-disentangled embeddings)
ADR-005 SONA Self-Learning ──→ ✅ Addressed (unsupervised rapid adaptation)
ADR-006 GNN Patterns ──→ ✅ Addressed (adversarial GCN regularization)
ADR-007 Post-Quantum Crypto ──→ ⏳ Independent (pursue separately, medium priority)
ADR-008 Distributed Consensus → 🔜 Enabled (GeometryEncoder + HardwareNormalizer)
ADR-009 WASM Runtime ──→ 🔜 Enabled (67K model fits WASM budget)
ADR-010 Witness Chains ──→ ⏳ Independent (pursue separately, high priority)
ADR-011 Proof-of-Reality ──→ ⏳ Independent (Python v1 issue, high priority)
```
---
## 7. References
1. Chen, L., et al. (2026). "Breaking Coordinate Overfitting: Geometry-Aware WiFi Sensing for Cross-Layout 3D Pose Estimation." arXiv:2601.12252. https://arxiv.org/abs/2601.12252
2. Zhou, Y., et al. (2024). "AdaPose: Towards Cross-Site Device-Free Human Pose Estimation with Commodity WiFi." IEEE Internet of Things Journal. arXiv:2309.16964. https://arxiv.org/abs/2309.16964
3. Yan, K., et al. (2024). "Person-in-WiFi 3D: End-to-End Multi-Person 3D Pose Estimation with Wi-Fi." CVPR 2024, pp. 969-978. https://openaccess.thecvf.com/content/CVPR2024/html/Yan_Person-in-WiFi_3D_End-to-End_Multi-Person_3D_Pose_Estimation_with_Wi-Fi_CVPR_2024_paper.html
4. Zhou, R., et al. (2025). "DGSense: A Domain Generalization Framework for Wireless Sensing." arXiv:2502.08155. https://arxiv.org/abs/2502.08155
5. CAPC (2024). "Context-Aware Predictive Coding: A Representation Learning Framework for WiFi Sensing." IEEE OJCOMS, Vol. 5, pp. 6119-6134. arXiv:2410.01825. https://arxiv.org/abs/2410.01825
6. Chen, X. & Yang, J. (2025). "X-Fi: A Modality-Invariant Foundation Model for Multimodal Human Sensing." ICLR 2025. arXiv:2410.10167. https://arxiv.org/abs/2410.10167
7. AM-FM (2026). "AM-FM: A Foundation Model for Ambient Intelligence Through WiFi." arXiv:2602.11200. https://arxiv.org/abs/2602.11200
8. Ramesh, S. et al. (2025). "LatentCSI: High-resolution efficient image generation from WiFi CSI using a pretrained latent diffusion model." arXiv:2506.10605. https://arxiv.org/abs/2506.10605
9. Ganin, Y. et al. (2016). "Domain-Adversarial Training of Neural Networks." JMLR 17(59):1-35. https://jmlr.org/papers/v17/15-239.html
10. Perez, E. et al. (2018). "FiLM: Visual Reasoning with a General Conditioning Layer." AAAI 2018. arXiv:1709.07871. https://arxiv.org/abs/1709.07871
api-docs/adr/ADR-028-esp32-capability-audit.md
+308
View File
@@ -0,0 +1,308 @@
# ADR-028: ESP32 Capability Audit & Repository Witness Record
| Field | Value |
|-------|-------|
| **Status** | Accepted |
| **Date** | 2026-03-01 |
| **Deciders** | ruv |
| **Auditor** | Claude Opus 4.6 (3-agent parallel deep review) |
| **Witness Commit** | `96b01008` (main) |
| **Relates to** | ADR-012 (ESP32 CSI Sensor Mesh), ADR-018 (ESP32 Dev Implementation), ADR-014 (SOTA Signal Processing), ADR-027 (MERIDIAN) |
---
## 1. Purpose
This ADR records a comprehensive, independently audited inventory of the wifi-densepose repository's ESP32 hardware capabilities, signal processing stack, neural network architectures, deployment infrastructure, and security posture. It serves as a **witness record** — a point-in-time attestation that third parties can use to verify what the codebase actually contains vs. what is claimed.
---
## 2. Audit Methodology
Three parallel research agents examined the full repository simultaneously:
| Agent | Scope | Files Examined | Duration |
|-------|-------|---------------|----------|
| **Hardware Agent** | ESP32 chipsets, CSI frame format, firmware, pins, power, cost | Hardware crate, firmware/, signal/hardware_norm.rs | ~9 min |
| **Signal/AI Agent** | Algorithms, NN architectures, training, RuVector, all 27 ADRs | Signal, train, nn, mat, vitals crates + all ADRs | ~3.5 min |
| **Deployment Agent** | Docker, CI/CD, security, proofs, crates.io, WASM | Dockerfiles, workflows, proof/, config, API crates | ~2.5 min |
**Test execution at audit time:** 1,031 passed, 0 failed, 8 ignored (full workspace, `--no-default-features`).
---
## 3. ESP32 Hardware — Confirmed Capabilities
### 3.1 Firmware (C, ESP-IDF v5.2)
| Component | File | Lines | Status |
|-----------|------|-------|--------|
| Entry point, WiFi init, CSI callback | `firmware/esp32-csi-node/main/main.c` | 144 | Implemented |
| CSI callback, ADR-018 binary serialization | `main/csi_collector.c` | 176 | Implemented |
| UDP socket sender | `main/stream_sender.c` | 77 | Implemented |
| NVS config loader (SSID, password, target IP) | `main/nvs_config.c` | 88 | Implemented |
| **Total firmware** | | **606** | **Complete** |
Pre-built binaries exist in `firmware/esp32-csi-node/build/` (bootloader.bin, partition table, app binary).
### 3.2 ADR-018 Binary Frame Format
```
Offset Size Field Type Notes
------ ---- ----- ------ -----
0 4 Magic LE u32 0xC5110001
4 1 Node ID u8 0-255
5 1 Antenna count u8 1-4
6 2 Subcarrier count LE u16 56/64/114/242
8 4 Frequency (MHz) LE u32 2412-5825
12 4 Sequence number LE u32 monotonic per node
16 1 RSSI i8 dBm
17 1 Noise floor i8 dBm
18 2 Reserved [u8;2] 0x00 0x00
20 N×2 I/Q payload [i8;2*n] per-antenna, per-subcarrier
```
**Total frame size:** 20 + (n_antennas × n_subcarriers × 2) bytes.
ESP32-S3 typical (1 ant, 64 sc): **148 bytes**.
### 3.3 Chipset Support Matrix
| Chipset | Subcarriers | MIMO | Bandwidth | HardwareType Enum | Normalization |
|---------|-------------|------|-----------|-------------------|---------------|
| ESP32-S3 | 64 | 1×1 SISO | 20/40 MHz | `Esp32S3` | Catmull-Rom → 56 canonical |
| ESP32 | 56 | 1×1 SISO | 20 MHz | `Generic` | Pass-through |
| Intel 5300 | 30 | 3×3 MIMO | 20/40 MHz | `Intel5300` | Catmull-Rom → 56 canonical |
| Atheros AR9580 | 56 | 3×3 MIMO | 20 MHz | `Atheros` | Pass-through |
Hardware auto-detected from subcarrier count at runtime.
### 3.4 Data Flow: ESP32 → Inference
```
ESP32 (firmware/C)
└→ esp_wifi_set_csi_rx_cb() captures CSI per WiFi frame
└→ csi_collector.c serializes ADR-018 binary frame
└→ stream_sender.c sends UDP to aggregator:5005
Aggregator (Rust, wifi-densepose-hardware)
└→ Esp32CsiParser::parse_frame() validates magic, bounds-checks
└→ CsiFrame with amplitude/phase arrays
└→ mpsc channel to sensing server
Signal Processing (wifi-densepose-signal, 5,937 lines)
└→ HardwareNormalizer → canonical 56 subcarriers
└→ Hampel filter, SpotFi phase correction, Fresnel, BVP, spectrogram
Neural Network (wifi-densepose-nn, 2,959 lines)
└→ ModalityTranslator → ResNet18 backbone
└→ KeypointHead (17 COCO joints) + DensePoseHead (24 body parts + UV)
REST API + WebSocket (Axum)
└→ /api/v1/pose/current, /ws/sensing, /ws/pose
```
### 3.5 ESP32 Hardware Specifications
| Parameter | Value |
|-----------|-------|
| Recommended board | ESP32-S3-DevKitC-1 |
| SRAM | 520 KB |
| Flash | 8 MB |
| Firmware footprint | 600-800 KB |
| CSI sampling rate | 20-100 Hz (configurable) |
| Transport | UDP binary (port 5005) |
| Serial port (flashing) | COM7 (user-confirmed) |
| Active power draw | 150-200 mA @ 5V |
| Deep sleep | 10 µA |
| Starter kit cost (3 nodes) | ~$54 |
| Per-node cost | ~$8-12 |
### 3.6 Flashing Instructions
```bash
# Pre-built binaries
pip install esptool
python -m esptool --chip esp32s3 --port COM7 --baud 460800 \
write-flash --flash-mode dio --flash-size 4MB \
0x0 bootloader.bin 0x8000 partition-table.bin 0x10000 esp32-csi-node.bin
# Provision WiFi (no recompile)
python scripts/provision.py --port COM7 \
--ssid "YourWiFi" --password "secret" --target-ip 192.168.1.20
```
---
## 4. Signal Processing — Confirmed Algorithms
### 4.1 SOTA Algorithms (ADR-014, wifi-densepose-signal)
| Algorithm | File | Lines | Tests | SOTA Reference |
|-----------|------|-------|-------|---------------|
| Conjugate multiplication (SpotFi) | `csi_ratio.rs` | 198 | Yes | SIGCOMM 2015 |
| Hampel outlier filter | `hampel.rs` | 240 | Yes | Robust statistics |
| Fresnel zone breathing model | `fresnel.rs` | 448 | Yes | FarSense, MobiCom 2019 |
| Body Velocity Profile | `bvp.rs` | 381 | Yes | Widar 3.0, MobiSys 2019 |
| STFT spectrogram | `spectrogram.rs` | 367 | Yes | Multiple windows (Hann, Hamming, Blackman) |
| Sensitivity-based subcarrier selection | `subcarrier_selection.rs` | 388 | Yes | Variance ratio |
| Phase unwrapping/sanitization | `phase_sanitizer.rs` | 900 | Yes | Linear detrending |
| Motion/presence detection | `motion.rs` | 834 | Yes | Confidence scoring |
| Multi-feature extraction | `features.rs` | 877 | Yes | Amplitude, phase, Doppler, PSD, correlation |
| Hardware normalization (MERIDIAN) | `hardware_norm.rs` | 399 | Yes | ADR-027 Phase 1 |
| CSI preprocessing pipeline | `csi_processor.rs` | 789 | Yes | Noise removal, windowing |
**Total signal processing:** 5,937 lines, 105+ tests.
### 4.2 Training Pipeline (wifi-densepose-train, 9,051 lines)
| Phase | Module | Lines | Description |
|-------|--------|-------|-------------|
| 1. Data loading | `dataset.rs` | 1,164 | MM-Fi/Wi-Pose/synthetic, deterministic shuffling |
| 2. Configuration | `config.rs` | 507 | Hyperparameters, schedule, paths |
| 3. Model architecture | `model.rs` | 1,032 | CsiToPoseTransformer, cross-attention, GNN |
| 4. Loss computation | `losses.rs` | 1,056 | 6-term composite (keypoint + DensePose + transfer) |
| 5. Metrics | `metrics.rs` | 1,664 | PCK@0.2, OKS, per-part mAP, min-cut matching |
| 6. Trainer loop | `trainer.rs` | 776 | SGD + cosine annealing, early stopping, checkpoints |
| 7. Subcarrier optimization | `subcarrier.rs` | 414 | 114→56 resampling via RuVector sparse solver |
| 8. Deterministic proof | `proof.rs` | 461 | SHA-256 hash of pipeline output |
| 9. Hardware normalization | `hardware_norm.rs` | 399 | Canonical frame conversion (ADR-027) |
| 10. Domain-adversarial training | `domain.rs` + `geometry.rs` + `virtual_aug.rs` + `rapid_adapt.rs` + `eval.rs` | 1,530 | MERIDIAN (ADR-027) |
### 4.3 RuVector Integration (5 crates @ v2.0.4)
| Crate | Integration Point | Replaces |
|-------|------------------|----------|
| `ruvector-mincut` | `metrics.rs` DynamicPersonMatcher | O(n³) Hungarian → O(n^1.5 log n) |
| `ruvector-attn-mincut` | `spectrogram.rs`, `model.rs` | Softmax attention → min-cut gating |
| `ruvector-temporal-tensor` | `dataset.rs` CompressedCsiBuffer | Full f32 → tiered 8/7/5/3-bit (50-75% savings) |
| `ruvector-solver` | `subcarrier.rs` interpolation | Dense linear algebra → O(√n) Neumann solver |
| `ruvector-attention` | `bvp.rs`, `model.rs` spatial attention | Static weights → learned scaled-dot-product |
### 4.4 Domain Generalization (ADR-027 MERIDIAN)
| Component | File | Lines | Status |
|-----------|------|-------|--------|
| Gradient Reversal Layer + Domain Classifier | `domain.rs` | 400 | Implemented, security-hardened |
| Geometry Encoder (Fourier + DeepSets + FiLM) | `geometry.rs` | 365 | Implemented |
| Virtual Domain Augmentation | `virtual_aug.rs` | 297 | Implemented |
| Rapid Adaptation (contrastive TTT + LoRA) | `rapid_adapt.rs` | 317 | Implemented, bounded buffer |
| Cross-Domain Evaluator | `eval.rs` | 151 | Implemented |
### 4.5 Vital Signs (wifi-densepose-vitals, 1,863 lines)
| Capability | Range | Method |
|------------|-------|--------|
| Breathing rate | 6-30 BPM | Bandpass 0.1-0.5 Hz + spectral peak |
| Heart rate | 40-120 BPM | Micro-Doppler 0.8-2.0 Hz isolation |
| Presence detection | Binary | CSI variance thresholding |
| Anomaly detection | Z-score, CUSUM, EMA | Multi-algorithm fusion |
### 4.6 Disaster Response (wifi-densepose-mat, 626+ lines, 153 tests)
| Subsystem | Capability |
|-----------|-----------|
| Detection | Breathing, heartbeat, movement classification, ensemble voting |
| Localization | Multi-AP triangulation, depth estimation, Kalman fusion |
| Triage | START protocol (Red/Yellow/Green/Black) |
| Alerting | Priority routing, zone dispatch |
---
## 5. Deployment Infrastructure — Confirmed
### 5.1 Published Artifacts
| Channel | Artifact | Version | Count |
|---------|----------|---------|-------|
| crates.io | Rust crates | 0.2.0 | 15 |
| Docker Hub | `ruvnet/wifi-densepose:latest` (Rust) | 132 MB | 1 |
| Docker Hub | `ruvnet/wifi-densepose:python` | 569 MB | 1 |
| PyPI | `wifi-densepose` (Python) | 1.2.0 | 1 |
### 5.2 CI/CD (4 GitHub Actions Workflows)
| Workflow | Triggers | Key Steps |
|----------|----------|-----------|
| `ci.yml` | Push/PR | Lint, test (Python 3.10-3.12), Docker multi-arch build, Trivy scan |
| `security-scan.yml` | Schedule/manual | Bandit, Semgrep, Snyk, Trivy, Grype, TruffleHog, GitLeaks |
| `cd.yml` | Release | Blue-green deploy, DB backup, health monitoring, Slack notify |
| `verify-pipeline.yml` | Push/manual | Deterministic hash verification, unseeded random scan |
### 5.3 Deterministic Proof System
| Component | File | Purpose |
|-----------|------|---------|
| Reference signal | `archive/v1/data/proof/sample_csi_data.json` | 1,000 synthetic CSI frames, seed=42 |
| Generator | `archive/v1/data/proof/generate_reference_signal.py` | Deterministic multipath model |
| Verifier | `archive/v1/data/proof/verify.py` | SHA-256 hash comparison |
| Expected hash | `archive/v1/data/proof/expected_features.sha256` | `0b82bd45...` |
**Audit-time result:** PASS. Hash regenerated with numpy 2.4.2 + scipy 1.17.1. Pipeline hash: `8c0680d7d285739ea9597715e84959d9c356c87ee3ad35b5f1e69a4ca41151c6`.
### 5.4 Security Posture
- JWT authentication (`python-jose[cryptography]`)
- Bcrypt password hashing (`passlib`)
- SQLx prepared statements (no SQL injection)
- CORS + WSS enforcement on non-localhost
- Shell injection prevention (Clap argument validation)
- 15+ security scanners in CI (SAST, DAST, secrets, containers, IaC, licenses)
- MERIDIAN security hardening: bounded buffers, no panics on bad input, atomic counters, division guards
### 5.5 WASM Browser Deployment
- Crate: `wifi-densepose-wasm` (cdylib + rlib)
- Optimization: `-O4 --enable-mutable-globals`
- JS bindings: `wasm-bindgen` for WebSocket, Canvas, Window APIs
- Three.js 3D visualization (17 joints, 16 limbs)
---
## 6. Codebase Size Summary
| Crate | Lines of Rust | Tests |
|-------|--------------|-------|
| wifi-densepose-signal | 5,937 | 105+ |
| wifi-densepose-train | 9,051 | 174+ |
| wifi-densepose-nn | 2,959 | 23 |
| wifi-densepose-mat | 626+ | 153 |
| wifi-densepose-hardware | 865 | 32 |
| wifi-densepose-vitals | 1,863 | Yes |
| **Total (key crates)** | **~21,300** | **1,031 passing** |
Firmware (C): 606 lines. Python v1: 34 test files, 41 dependencies.
---
## 7. What Is NOT Yet Implemented
| Claim | Actual Status | Gap |
|-------|--------------|-----|
| On-device ML inference (ESP32) | Not implemented | Firmware streams raw I/Q; all inference runs on aggregator |
| 54,000 fps throughput | Benchmark claim, not measured at audit time | Requires Criterion benchmarks on target hardware |
| INT8 quantization for ESP32 | Designed (ADR-023), not shipped | Model fits in 55 KB but no deployed quantized binary |
| Real WiFi CSI dataset | Synthetic only | No real-world captures in repo; MM-Fi/Wi-Pose referenced but not bundled |
| Kubernetes blue-green deploy | CI/CD workflow exists | Requires actual cluster; not testable in audit |
| Python proof hash | PASS (regenerated at audit time) | Requires numpy 2.4.2 + scipy 1.17.1 |
---
## 8. Decision
This ADR accepts the audit findings as a witness record. The repository contains substantial, functional code matching its documented claims with the exceptions noted in Section 7. All code compiles, all 1,031 tests pass, and the architecture is consistent across the 27 ADRs.
### Recommendations
1. **Bundle a small real CSI capture** (even 10 seconds from one ESP32) alongside the synthetic reference
3. **Run Criterion benchmarks** and record actual throughput numbers
4. **Publish ESP32 firmware** as a GitHub Release binary for COM7-ready flashing
---
## 9. References
- [ADR-012: ESP32 CSI Sensor Mesh](ADR-012-esp32-csi-sensor-mesh.md)
- [ADR-018: ESP32 Dev Implementation](ADR-018-esp32-dev-implementation.md)
- [ADR-014: SOTA Signal Processing](ADR-014-sota-signal-processing.md)
- [ADR-027: Cross-Environment Domain Generalization](ADR-027-cross-environment-domain-generalization.md)
- [Deterministic Proof Verifier](../../v1/data/proof/verify.py)
api-docs/adr/ADR-029-ruvsense-multistatic-sensing-mode.md
+403
View File
@@ -0,0 +1,403 @@
# ADR-029: Project RuvSense -- Sensing-First RF Mode for Multistatic WiFi DensePose
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-02 |
| **Deciders** | ruv |
| **Codename** | **RuvSense** -- RuVector-Enhanced Sensing for Multistatic Fidelity |
| **Relates to** | ADR-012 (ESP32 Mesh), ADR-014 (SOTA Signal Processing), ADR-016 (RuVector Training), ADR-017 (RuVector Signal+MAT), ADR-018 (ESP32 Implementation), ADR-024 (AETHER Embeddings), ADR-026 (Survivor Track Lifecycle), ADR-027 (MERIDIAN Generalization) |
---
## 1. Context
### 1.1 The Fidelity Gap
Current WiFi-DensePose achieves functional pose estimation from a single ESP32 AP, but three fidelity metrics prevent production deployment:
| Metric | Current (Single ESP32) | Required (Production) | Root Cause |
|--------|------------------------|----------------------|------------|
| Torso keypoint jitter | ~15cm RMS | <3cm RMS | Single viewpoint, 20 MHz bandwidth, no temporal smoothing |
| Multi-person separation | Fails >2 people, frequent ID swaps | 4+ people, zero swaps over 10 min | Underdetermined with 1 TX-RX link; no person-specific features |
| Small motion sensitivity | Gross movement only | Breathing at 3m, heartbeat at 1.5m | Insufficient phase sensitivity at 2.4 GHz; noise floor too high |
| Update rate | ~10 Hz effective | 20 Hz | Single-channel serial CSI collection |
| Temporal stability | Drifts within hours | Stable over days | No coherence gating; model absorbs environmental drift |
### 1.2 The Insight: Sensing-First RF Mode on Existing Silicon
You do not need to invent a new WiFi standard. The winning move is a **sensing-first RF mode** that rides on existing silicon (ESP32-S3), existing bands (2.4/5 GHz), and existing regulations (802.11n NDP frames). The fidelity improvement comes from three physical levers:
1. **Bandwidth**: Channel-hopping across 2.4 GHz channels 1/6/11 triples effective bandwidth from 20 MHz to 60 MHz, 3x multipath separation
2. **Carrier frequency**: Dual-band sensing (2.4 + 5 GHz) doubles phase sensitivity to small motion
3. **Viewpoints**: Multistatic ESP32 mesh (4 nodes = 12 TX-RX links) provides 360-degree geometric diversity
### 1.3 Acceptance Test
**Two people in a room, 20 Hz update rate, stable tracks for 10 minutes with no identity swaps and low jitter in the torso keypoints.**
Quantified:
- Torso keypoint jitter < 30mm RMS (hips, shoulders, spine)
- Zero identity swaps over 600 seconds (12,000 frames)
- 20 Hz output rate (50 ms cycle time)
- Breathing SNR > 10dB at 3m (validates small-motion sensitivity)
---
## 2. Decision
### 2.1 Architecture Overview
Implement RuvSense as a new bounded context within `wifi-densepose-signal`, consisting of 6 modules:
```
wifi-densepose-signal/src/ruvsense/
├── mod.rs // Module exports, RuvSense pipeline orchestrator
├── multiband.rs // Multi-band CSI frame fusion (§2.2)
├── phase_align.rs // Cross-channel phase alignment (§2.3)
├── multistatic.rs // Multi-node viewpoint fusion (§2.4)
├── coherence.rs // Coherence metric computation (§2.5)
├── coherence_gate.rs // Gated update policy (§2.6)
└── pose_tracker.rs // 17-keypoint Kalman tracker with re-ID (§2.7)
```
### 2.2 Channel-Hopping Firmware (ESP32-S3)
Modify the ESP32 firmware (`firmware/esp32-csi-node/main/csi_collector.c`) to cycle through non-overlapping channels at configurable dwell times:
```c
// Channel hop table (populated from NVS at boot)
static uint8_t s_hop_channels[6] = {1, 6, 11, 36, 40, 44};
static uint8_t s_hop_count = 3; // default: 2.4 GHz only
static uint32_t s_dwell_ms = 50; // 50ms per channel
```
At 100 Hz raw CSI rate with 50 ms dwell across 3 channels, each channel yields ~33 frames/second. The existing ADR-018 binary frame format already carries `channel_freq_mhz` at offset 8, so no wire format change is needed.
> **Note (Issue #127 fix):** In promiscuous mode, CSI callbacks fire 100-500+ times/sec — far exceeding the channel dwell rate. The firmware now rate-limits UDP sends to 50 Hz and applies a 100 ms ENOMEM backoff if lwIP buffers are exhausted. This is essential for stable channel hopping under load.
**NDP frame injection:** `esp_wifi_80211_tx()` injects deterministic Null Data Packet frames (preamble-only, no payload, ~24 us airtime) at GPIO-triggered intervals. This is sensing-first: the primary RF emission purpose is CSI measurement, not data communication.
### 2.3 Multi-Band Frame Fusion
Aggregate per-channel CSI frames into a wideband virtual snapshot:
```rust
/// Fused multi-band CSI from one node at one time slot.
pub struct MultiBandCsiFrame {
pub node_id: u8,
pub timestamp_us: u64,
/// One canonical-56 row per channel, ordered by center frequency.
pub channel_frames: Vec<CanonicalCsiFrame>,
/// Center frequencies (MHz) for each channel row.
pub frequencies_mhz: Vec<u32>,
/// Cross-channel coherence score (0.0-1.0).
pub coherence: f32,
}
```
Cross-channel phase alignment uses `ruvector-solver::NeumannSolver` to solve for the channel-dependent phase rotation introduced by the ESP32 local oscillator during channel hops. The system:
```
[Φ₁, Φ₆, Φ₁₁] = [Φ_body + δ₁, Φ_body + δ₆, Φ_body + δ₁₁]
```
NeumannSolver fits the `δ` offsets from the static subcarrier components (which should have zero body-caused phase shift), then removes them.
### 2.4 Multistatic Viewpoint Fusion
With N ESP32 nodes, collect N `MultiBandCsiFrame` per time slot and fuse with geometric diversity:
**TDMA Sensing Schedule (4 nodes):**
| Slot | TX | RX₁ | RX₂ | RX₃ | Duration |
|------|-----|-----|-----|-----|----------|
| 0 | Node A | B | C | D | 4 ms |
| 1 | Node B | A | C | D | 4 ms |
| 2 | Node C | A | B | D | 4 ms |
| 3 | Node D | A | B | C | 4 ms |
| 4 | -- | Processing + fusion | | | 30 ms |
| **Total** | | | | | **50 ms = 20 Hz** |
Synchronization: GPIO pulse from aggregator node at cycle start. Clock drift at ±10ppm over 50 ms is ~0.5 us, well within the 1 ms guard interval.
**Cross-node fusion** uses `ruvector-attn-mincut::attn_mincut` where time-frequency cells from different nodes attend to each other. Cells showing correlated motion energy across nodes (body reflection) are amplified; cells with single-node energy (local multipath artifact) are suppressed.
**Multi-person separation** via `ruvector-mincut::DynamicMinCut`:
1. Build cross-link temporal correlation graph (nodes = TX-RX links, edges = correlation coefficient)
2. `DynamicMinCut` partitions into K clusters (one per detected person)
3. Attention fusion (§5.3 of research doc) runs independently per cluster
### 2.5 Coherence Metric
Per-link coherence quantifies consistency with recent history:
```rust
pub fn coherence_score(
current: &[f32],
reference: &[f32],
variance: &[f32],
) -> f32 {
current.iter().zip(reference.iter()).zip(variance.iter())
.map(|((&c, &r), &v)| {
let z = (c - r).abs() / v.sqrt().max(1e-6);
let weight = 1.0 / (v + 1e-6);
((-0.5 * z * z).exp(), weight)
})
.fold((0.0, 0.0), |(sc, sw), (c, w)| (sc + c * w, sw + w))
.pipe(|(sc, sw)| sc / sw)
}
```
The static/dynamic decomposition uses `ruvector-solver` to separate environmental drift (slow, global) from body motion (fast, subcarrier-specific).
### 2.6 Coherence-Gated Update Policy
```rust
pub enum GateDecision {
/// Coherence > 0.85: Full Kalman measurement update
Accept(Pose),
/// 0.5 < coherence < 0.85: Kalman predict only (3x inflated noise)
PredictOnly,
/// Coherence < 0.5: Reject measurement entirely
Reject,
/// >10s continuous low coherence: Trigger SONA recalibration (ADR-005)
Recalibrate,
}
```
When `Recalibrate` fires:
1. Freeze output at last known good pose
2. Collect 200 frames (10s) of unlabeled CSI
3. Run AETHER contrastive TTT (ADR-024) to adapt encoder
4. Update SONA LoRA weights (ADR-005), <1ms per update
5. Resume sensing with adapted model
### 2.7 Pose Tracker (17-Keypoint Kalman with Re-ID)
Lift the Kalman + lifecycle + re-ID infrastructure from `wifi-densepose-mat/src/tracking/` (ADR-026) into the RuvSense bounded context, extended for 17-keypoint skeletons:
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| State dimension | 6 per keypoint (x,y,z,vx,vy,vz) | Constant-velocity model |
| Process noise σ_a | 0.3 m/s² | Normal walking acceleration |
| Measurement noise σ_obs | 0.08 m | Target <8cm RMS at torso |
| Mahalanobis gate | χ²(3) = 9.0 | 3σ ellipsoid (same as ADR-026) |
| Birth hits | 2 frames (100ms at 20Hz) | Reject single-frame noise |
| Loss misses | 5 frames (250ms) | Brief occlusion tolerance |
| Re-ID feature | AETHER 128-dim embedding | Body-shape discriminative (ADR-024) |
| Re-ID window | 5 seconds | Sufficient for crossing recovery |
**Track assignment** uses `ruvector-mincut`'s `DynamicPersonMatcher` (already integrated in `metrics.rs`, ADR-016) with joint position + embedding cost:
```
cost(track_i, det_j) = 0.6 * mahalanobis(track_i, det_j.position)
+ 0.4 * (1 - cosine_sim(track_i.embedding, det_j.embedding))
```
---
## 3. GOAP Integration Plan (Goal-Oriented Action Planning)
### 3.1 Action Dependency Graph
```
Phase 1: Foundation
Action 1: Channel-Hopping Firmware ──────────────────────┐
│ │
v │
Action 2: Multi-Band Frame Fusion ──→ Action 6: Coherence │
│ Metric │
v │ │
Action 3: Multistatic Mesh v │
│ Action 7: Coherence │
v Gate │
Phase 2: Tracking │ │
Action 4: Pose Tracker ←────────────────┘ │
│ │
v │
Action 5: End-to-End Pipeline @ 20 Hz ←────────────────────┘
v
Phase 4: Hardening
Action 8: AETHER Track Re-ID
v
Action 9: ADR-029 Documentation (this document)
```
### 3.2 Cost and RuVector Mapping
| # | Action | Cost | Preconditions | RuVector Crates | Effects |
|---|--------|------|---------------|-----------------|---------|
| 1 | Channel-hopping firmware | 4/10 | ESP32 firmware exists | None (pure C) | `bandwidth_extended = true` |
| 2 | Multi-band frame fusion | 5/10 | Action 1 | `solver`, `attention` | `fused_multi_band_frame = true` |
| 3 | Multistatic mesh aggregation | 5/10 | Action 2 | `mincut`, `attn-mincut` | `multistatic_mesh = true` |
| 4 | Pose tracker | 4/10 | Action 3, 7 | `mincut` | `pose_tracker = true` |
| 5 | End-to-end pipeline | 6/10 | Actions 2-4 | `temporal-tensor`, `attention` | `20hz_update = true` |
| 6 | Coherence metric | 3/10 | Action 2 | `solver` | `coherence_metric = true` |
| 7 | Coherence gate | 3/10 | Action 6 | `attn-mincut` | `coherence_gating = true` |
| 8 | AETHER re-ID | 4/10 | Actions 4, 7 | `attention` | `identity_stable = true` |
| 9 | ADR documentation | 2/10 | All above | None | Decision documented |
**Total cost: 36 units. Minimum viable path to acceptance test: Actions 1-5 + 6-7 = 30 units.**
### 3.3 Latency Budget (50ms cycle)
| Stage | Budget | Method |
|-------|--------|--------|
| UDP receive + parse | <1 ms | ADR-018 binary, 148 bytes, zero-alloc |
| Multi-band fusion | ~2 ms | NeumannSolver on 2×2 phase alignment |
| Multistatic fusion | ~3 ms | attn_mincut on 3-6 nodes × 64 velocity bins |
| Model inference | ~30-40 ms | CsiToPoseTransformer (lightweight, no ResNet) |
| Kalman update | <1 ms | 17 independent 6D filters, stack-allocated |
| **Total** | **~37-47 ms** | **Fits in 50 ms** |
---
## 4. Hardware Bill of Materials
| Component | Qty | Unit Cost | Purpose |
|-----------|-----|-----------|---------|
| ESP32-S3-DevKitC-1 | 4 | $10 | TX/RX sensing nodes |
| ESP32-S3-DevKitC-1 | 1 | $10 | Aggregator (or x86/RPi host) |
| External 5dBi antenna | 4-8 | $3 | Improved gain, directional coverage |
| USB-C hub (4 port) | 1 | $15 | Power distribution |
| Wall mount brackets | 4 | $2 | Ceiling/wall installation |
| **Total** | | **$73-91** | Complete 4-node mesh |
---
## 5. RuVector v2.0.4 Integration Map
All five published crates are exercised:
| Crate | Actions | Integration Point | Algorithmic Advantage |
|-------|---------|-------------------|----------------------|
| `ruvector-solver` | 2, 6 | Phase alignment; coherence matrix decomposition | O(√n) Neumann convergence |
| `ruvector-attention` | 2, 5, 8 | Cross-channel weighting; ring buffer; embedding similarity | Sublinear attention for small d |
| `ruvector-mincut` | 3, 4 | Viewpoint diversity partitioning; track assignment | O(n^1.5 log n) dynamic updates |
| `ruvector-attn-mincut` | 3, 7 | Cross-node spectrogram fusion; coherence gating | Attention + mincut in one pass |
| `ruvector-temporal-tensor` | 5 | Compressed sensing window ring buffer | 50-75% memory reduction |
---
## 6. IEEE 802.11bf Alignment
RuvSense's TDMA sensing schedule is forward-compatible with IEEE 802.11bf (WLAN Sensing, published 2024):
| RuvSense Concept | 802.11bf Equivalent |
|-----------------|---------------------|
| TX slot | Sensing Initiator |
| RX slot | Sensing Responder |
| TDMA cycle | Sensing Measurement Instance |
| NDP frame | Sensing NDP |
| Aggregator | Sensing Session Owner |
When commercial APs support 802.11bf, the ESP32 mesh can interoperate by translating SSP slots into 802.11bf Sensing Trigger frames.
---
## 7. Dependency Changes
### Firmware (C)
New files:
- `firmware/esp32-csi-node/main/sensing_schedule.h`
- `firmware/esp32-csi-node/main/sensing_schedule.c`
Modified files:
- `firmware/esp32-csi-node/main/csi_collector.c` (add channel hopping, link tagging)
- `firmware/esp32-csi-node/main/main.c` (add GPIO sync, TDMA timer)
### Rust
New module: `crates/wifi-densepose-signal/src/ruvsense/` (6 files, ~1500 lines estimated)
Modified files:
- `crates/wifi-densepose-signal/src/lib.rs` (export `ruvsense` module)
- `crates/wifi-densepose-signal/Cargo.toml` (no new deps; all ruvector crates already present per ADR-017)
- `crates/wifi-densepose-sensing-server/src/main.rs` (wire RuvSense pipeline into WebSocket output)
No new workspace dependencies. All ruvector crates are already in the workspace `Cargo.toml`.
---
## 8. Implementation Priority
| Priority | Actions | Weeks | Milestone |
|----------|---------|-------|-----------|
| P0 | 1 (firmware) | 2 | Channel-hopping ESP32 prototype |
| P0 | 2 (multi-band) | 2 | Wideband virtual frames |
| P1 | 3 (multistatic) | 2 | Multi-node fusion |
| P1 | 4 (tracker) | 1 | 17-keypoint Kalman |
| P1 | 6, 7 (coherence) | 1 | Gated updates |
| P2 | 5 (end-to-end) | 2 | 20 Hz pipeline |
| P2 | 8 (AETHER re-ID) | 1 | Identity hardening |
| P3 | 9 (docs) | 0.5 | This ADR finalized |
| **Total** | | **~10 weeks** | **Acceptance test** |
---
## 9. Consequences
### 9.1 Positive
- **3x bandwidth improvement** without hardware changes (channel hopping on existing ESP32)
- **12 independent viewpoints** from 4 commodity $10 nodes (C(4,2) × 2 links)
- **20 Hz update rate** with Kalman-smoothed output for sub-30mm torso jitter
- **Days-long stability** via coherence gating + SONA recalibration
- **All five ruvector crates exercised** — consistent algorithmic foundation
- **$73-91 total BOM** — accessible for research and production
- **802.11bf forward-compatible** — investment protected as commercial sensing arrives
- **Cognitum upgrade path** — same software stack, swap ESP32 for higher-bandwidth front end
### 9.2 Negative
- **4-node deployment** requires physical installation and calibration of node positions
- **TDMA scheduling** reduces per-node CSI rate (each node only transmits 1/4 of the time)
- **Channel hopping** introduces ~1-5ms gaps during `esp_wifi_set_channel()` transitions
- **5 GHz CSI on ESP32-S3** may not be available (ESP32-C6 supports it natively)
- **Coherence gate** may reject valid measurements during fast body motion (mitigation: gate only on static-subcarrier coherence)
### 9.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| ESP32 channel hop causes CSI gaps | Medium | Reduced effective rate | Measure gap duration; increase dwell if >5ms |
| CSI callback rate exhausts lwIP pbufs | **Resolved** | Guru meditation crash | 50 Hz rate limiter + 100 ms ENOMEM backoff (Issue #127, PR #132) |
| 5 GHz CSI unavailable on S3 | High | Lose frequency diversity | Fallback: 3-channel 2.4 GHz still provides 3x BW; ESP32-C6 for dual-band |
| Model inference >40ms | Medium | Miss 20 Hz target | Run model at 10 Hz; Kalman predict at 20 Hz interpolates |
| Two-person separation fails at 3 nodes | Low | Identity swaps | AETHER re-ID recovers; increase to 4-6 nodes |
| Coherence gate false-triggers | Low | Missed updates | Gate on environmental coherence only, not body-motion subcarriers |
---
## 10. Related ADRs
| ADR | Relationship |
|-----|-------------|
| ADR-012 | **Extended**: RuvSense adds TDMA multistatic to single-AP mesh |
| ADR-014 | **Used**: All 6 SOTA algorithms applied per-link |
| ADR-016 | **Extended**: New ruvector integration points for multi-link fusion |
| ADR-017 | **Extended**: Coherence gating adds temporal stability layer |
| ADR-018 | **Modified**: Firmware gains channel hopping, TDMA schedule, HT40 |
| ADR-022 | **Complementary**: RuvSense is the ESP32 equivalent of Windows multi-BSSID |
| ADR-024 | **Used**: AETHER embeddings for person re-identification |
| ADR-026 | **Reused**: Kalman + lifecycle infrastructure lifted to RuvSense |
| ADR-027 | **Used**: GeometryEncoder, HardwareNormalizer, FiLM conditioning |
---
## 11. References
1. IEEE 802.11bf-2024. "WLAN Sensing." IEEE Standards Association.
2. Geng, J., Huang, D., De la Torre, F. (2023). "DensePose From WiFi." arXiv:2301.00250.
3. Yan, K. et al. (2024). "Person-in-WiFi 3D." CVPR 2024, pp. 969-978.
4. Chen, L. et al. (2026). "PerceptAlign: Geometry-Aware WiFi Sensing." arXiv:2601.12252.
5. Kotaru, M. et al. (2015). "SpotFi: Decimeter Level Localization Using WiFi." SIGCOMM.
6. Zheng, Y. et al. (2019). "Zero-Effort Cross-Domain Gesture Recognition with Wi-Fi." MobiSys.
7. Zeng, Y. et al. (2019). "FarSense: Pushing the Range Limit of WiFi-based Respiration Sensing." MobiCom.
8. AM-FM (2026). "A Foundation Model for Ambient Intelligence Through WiFi." arXiv:2602.11200.
9. Espressif ESP-CSI. https://github.com/espressif/esp-csi
api-docs/adr/ADR-030-ruvsense-persistent-field-model.md
+364
View File
@@ -0,0 +1,364 @@
# ADR-030: RuvSense Persistent Field Model — Longitudinal Drift Detection and Exotic Sensing Tiers
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-02 |
| **Deciders** | ruv |
| **Codename** | **RuvSense Field** — Persistent Electromagnetic World Model |
| **Relates to** | ADR-029 (RuvSense Multistatic), ADR-005 (SONA Self-Learning), ADR-024 (AETHER Embeddings), ADR-016 (RuVector Integration), ADR-026 (Survivor Track Lifecycle), ADR-027 (MERIDIAN Generalization) |
---
## 1. Context
### 1.1 Beyond Pose Estimation
ADR-029 establishes RuvSense as a sensing-first multistatic mesh achieving 20 Hz DensePose with <30mm jitter. That treats WiFi as a **momentary pose estimator**. The next leap: treat the electromagnetic field as a **persistent world model** that remembers, predicts, and explains.
The most exotic capabilities come from this shift in abstraction level:
- The room is the model, not the person
- People are structured perturbations to a baseline
- Changes are deltas from a known state, not raw measurements
- Time is a first-class dimension — the system remembers days, not frames
### 1.2 The Seven Capability Tiers
| Tier | Capability | Foundation |
|------|-----------|-----------|
| 1 | **Field Normal Modes** — Room electromagnetic eigenstructure | Baseline calibration + SVD |
| 2 | **Coarse RF Tomography** — 3D occupancy volume from link attenuations | Sparse tomographic inversion |
| 3 | **Intention Lead Signals** — Pre-movement prediction (200-500ms lead) | Temporal embedding trajectory analysis |
| 4 | **Longitudinal Biomechanics Drift** — Personal baseline deviation over days | Welford statistics + HNSW memory |
| 5 | **Cross-Room Continuity** — Identity persistence across spaces without optics | Environment fingerprinting + transition graph |
| 6 | **Invisible Interaction Layer** — Multi-user gesture control through walls/darkness | Per-person CSI perturbation classification |
| 7 | **Adversarial Detection** — Physically impossible signal identification | Multi-link consistency + field model constraints |
### 1.3 Signals, Not Diagnoses
RF sensing detects **biophysical proxies**, not medical conditions:
| Detectable Signal | Not Detectable |
|-------------------|---------------|
| Breathing rate variability | COPD diagnosis |
| Gait asymmetry shift (18% over 14 days) | Parkinson's disease |
| Posture instability increase | Neurological condition |
| Micro-tremor onset | Specific tremor etiology |
| Activity level decline | Depression or pain diagnosis |
The output is: "Your movement symmetry has shifted 18 percent over 14 days." That is actionable without being diagnostic. The evidence chain (stored embeddings, drift statistics, coherence scores) is fully traceable.
### 1.4 Acceptance Tests
**Tier 0 (ADR-029):** Two people, 20 Hz, 10 min stable tracks, zero ID swaps, <30mm torso jitter.
**Tier 1-4 (this ADR):** Seven-day run, no manual tuning. System flags one real environmental change and one real human drift event, produces traceable explanation using stored embeddings plus graph constraints.
**Tier 5-7 (appliance):** Thirty-day local run, no camera. Detects meaningful drift with <5% false alarm rate.
---
## 2. Decision
### 2.1 Implement Field Normal Modes as the Foundation
Add a `field_model` module to `wifi-densepose-signal/src/ruvsense/` that learns the room's electromagnetic baseline during unoccupied periods and decomposes all subsequent observations into environmental drift + body perturbation.
```
wifi-densepose-signal/src/ruvsense/
├── mod.rs // (existing, extend)
├── field_model.rs // NEW: Field normal mode computation + perturbation extraction
├── tomography.rs // NEW: Coarse RF tomography from link attenuations
├── longitudinal.rs // NEW: Personal baseline + drift detection
├── intention.rs // NEW: Pre-movement lead signal detector
├── cross_room.rs // NEW: Cross-room identity continuity
├── gesture.rs // NEW: Gesture classification from CSI perturbations
├── adversarial.rs // NEW: Physically impossible signal detection
└── (existing files...)
```
### 2.2 Core Architecture: The Persistent Field Model
```
Time
┌────────────────────────────────┐
│ Field Normal Modes (Tier 1) │
│ Room baseline + SVD modes │
│ ruvector-solver │
└────────────┬───────────────────┘
│ Body perturbation (environmental drift removed)
┌───────┴───────┐
│ │
▼ ▼
┌──────────┐ ┌──────────────┐
│ Pose │ │ RF Tomography│
│ (ADR-029)│ │ (Tier 2) │
│ 20 Hz │ │ Occupancy vol│
└────┬─────┘ └──────────────┘
┌──────────────────────────────┐
│ AETHER Embedding (ADR-024) │
│ 128-dim contrastive vector │
└────────────┬─────────────────┘
┌───────┼───────┐
│ │ │
▼ ▼ ▼
┌────────┐ ┌─────┐ ┌──────────┐
│Intention│ │Track│ │Cross-Room│
│Lead │ │Re-ID│ │Continuity│
│(Tier 3)│ │ │ │(Tier 5) │
└────────┘ └──┬──┘ └──────────┘
┌──────────────────────────────┐
│ RuVector Longitudinal Memory │
│ HNSW + graph + Welford stats│
│ (Tier 4) │
└──────────────┬───────────────┘
┌───────┴───────┐
│ │
▼ ▼
┌──────────────┐ ┌──────────────┐
│ Drift Reports│ │ Adversarial │
│ (Level 1-3) │ │ Detection │
│ │ │ (Tier 7) │
└──────────────┘ └──────────────┘
```
### 2.3 Field Normal Modes (Tier 1)
**What it is:** The room's electromagnetic eigenstructure — the stable propagation paths, reflection coefficients, and interference patterns when nobody is present.
**How it works:**
1. During quiet periods (empty room, overnight), collect 10 minutes of CSI across all links
2. Compute per-link baseline (mean CSI vector)
3. Compute environmental variation modes via SVD (temperature, humidity, time-of-day effects)
4. Store top-K modes (K=3-5 typically captures >95% of environmental variance)
5. At runtime: subtract baseline, project out environmental modes, keep body perturbation
```rust
pub struct FieldNormalMode {
pub baseline: Vec<Vec<Complex<f32>>>, // [n_links × n_subcarriers]
pub environmental_modes: Vec<Vec<f32>>, // [n_modes × n_subcarriers]
pub mode_energies: Vec<f32>, // eigenvalues
pub calibrated_at: u64,
pub geometry_hash: u64,
}
```
**RuVector integration:**
- `ruvector-solver` → Low-rank SVD for mode extraction
- `ruvector-temporal-tensor` → Compressed baseline history storage
- `ruvector-attn-mincut` → Identify which subcarriers belong to which mode
### 2.4 Longitudinal Drift Detection (Tier 4)
**The defensible pipeline:**
```
RF → AETHER contrastive embedding
→ RuVector longitudinal memory (HNSW + graph)
→ Coherence-gated drift detection (Welford statistics)
→ Risk flag with traceable evidence
```
**Three monitoring levels:**
| Level | Signal Type | Example Output |
|-------|------------|----------------|
| **1: Physiological** | Raw biophysical metrics | "Breathing rate: 18.3 BPM today, 7-day avg: 16.1" |
| **2: Drift** | Personal baseline deviation | "Gait symmetry shifted 18% over 14 days" |
| **3: Risk correlation** | Pattern-matched concern | "Pattern consistent with increased fall risk" |
**Storage model:**
```rust
pub struct PersonalBaseline {
pub person_id: PersonId,
pub gait_symmetry: WelfordStats,
pub stability_index: WelfordStats,
pub breathing_regularity: WelfordStats,
pub micro_tremor: WelfordStats,
pub activity_level: WelfordStats,
pub embedding_centroid: Vec<f32>, // [128]
pub observation_days: u32,
pub updated_at: u64,
}
```
**RuVector integration:**
- `ruvector-temporal-tensor` → Compressed daily summaries (50-75% memory savings)
- HNSW → Embedding similarity search across longitudinal record
- `ruvector-attention` → Per-metric drift significance weighting
- `ruvector-mincut` → Temporal segmentation (detect changepoints in metric series)
### 2.5 Regulatory Classification
| Classification | What You Claim | Regulatory Path |
|---------------|---------------|-----------------|
| **Consumer wellness** (recommended first) | Activity metrics, breathing rate, stability score | Self-certification, FCC Part 15 |
| **Clinical decision support** (future) | Fall risk alert, respiratory pattern concern | FDA Class II 510(k) or De Novo |
| **Regulated medical device** (requires clinical partner) | Diagnostic claims for specific conditions | FDA Class II/III + clinical trials |
**Decision: Start as consumer wellness.** Build 12+ months of real-world longitudinal data. The dataset itself becomes the asset for future regulatory submissions.
---
## 3. Appliance Product Categories
### 3.1 Invisible Guardian
Wall-mounted wellness monitor for elderly care and independent living. No camera, no microphone, no reconstructable data. Stores embeddings and structural deltas only.
| Spec | Value |
|------|-------|
| Nodes | 4 ESP32-S3 pucks per room |
| Processing | Central hub (RPi 5 or x86) |
| Power | PoE or USB-C |
| Output | Risk flags, drift alerts, occupancy timeline |
| BOM | $73-91 (ESP32 mesh) + $35-80 (hub) |
| Validation | 30-day autonomous run, <5% false alarm rate |
### 3.2 Spatial Digital Twin Node
Live electromagnetic room model for smart buildings and workplace analytics.
| Spec | Value |
|------|-------|
| Output | Occupancy heatmap, flow vectors, dwell time, anomaly events |
| Integration | MQTT/REST API for BMS and CAFM |
| Retention | 30-day rolling, GDPR-compliant |
| Vertical | Smart buildings, retail, workspace optimization |
### 3.3 RF Interaction Surface
Multi-user gesture interface. No cameras. Works in darkness, smoke, through clothing.
| Spec | Value |
|------|-------|
| Gestures | Wave, point, beckon, push, circle + custom |
| Users | Up to 4 simultaneous |
| Latency | <100ms gesture recognition |
| Vertical | Smart home, hospitality, accessibility |
### 3.4 Pre-Incident Drift Monitor
Longitudinal biomechanics tracker for rehabilitation and occupational health.
| Spec | Value |
|------|-------|
| Baseline | 7-day calibration per person |
| Alert | Metric drift >2sigma for >3 days |
| Evidence | Stored embedding trajectory + statistical report |
| Vertical | Elderly care, rehab, occupational health |
### 3.5 Vertical Recommendation for First Hardware SKU
**Invisible Guardian** — the elderly care wellness monitor. Rationale:
1. Largest addressable market with immediate revenue (aging population, care facility demand)
2. Lowest regulatory bar (consumer wellness, no diagnostic claims)
3. Privacy advantage over cameras is a selling point, not a limitation
4. 30-day autonomous operation validates all tiers (field model, drift detection, coherence gating)
5. $108-171 BOM allows $299-499 retail with healthy margins
---
## 4. RuVector Integration Map (Extended)
All five crates are exercised across the exotic tiers:
| Tier | Crate | API | Role |
|------|-------|-----|------|
| 1 (Field) | `ruvector-solver` | `NeumannSolver` + SVD | Environmental mode decomposition |
| 1 (Field) | `ruvector-temporal-tensor` | `TemporalTensorCompressor` | Baseline history storage |
| 1 (Field) | `ruvector-attn-mincut` | `attn_mincut` | Mode-subcarrier assignment |
| 2 (Tomo) | `ruvector-solver` | `NeumannSolver` (L1) | Sparse tomographic inversion |
| 3 (Intent) | `ruvector-attention` | `ScaledDotProductAttention` | Temporal trajectory weighting |
| 3 (Intent) | `ruvector-temporal-tensor` | `CompressedCsiBuffer` | 2-second embedding history |
| 4 (Drift) | `ruvector-temporal-tensor` | `TemporalTensorCompressor` | Daily summary compression |
| 4 (Drift) | `ruvector-attention` | `ScaledDotProductAttention` | Metric drift significance |
| 4 (Drift) | `ruvector-mincut` | `DynamicMinCut` | Temporal changepoint detection |
| 5 (Cross-Room) | `ruvector-attention` | HNSW | Room and person fingerprint matching |
| 5 (Cross-Room) | `ruvector-mincut` | `MinCutBuilder` | Transition graph partitioning |
| 6 (Gesture) | `ruvector-attention` | `ScaledDotProductAttention` | Gesture template matching |
| 7 (Adversarial) | `ruvector-solver` | `NeumannSolver` | Physical plausibility verification |
| 7 (Adversarial) | `ruvector-attn-mincut` | `attn_mincut` | Multi-link consistency check |
---
## 5. Implementation Priority
| Priority | Tier | Module | Weeks | Dependency |
|----------|------|--------|-------|------------|
| P0 | 1 | `field_model.rs` | 2 | ADR-029 multistatic mesh operational |
| P0 | 4 | `longitudinal.rs` | 2 | Tier 1 baseline + AETHER embeddings |
| P1 | 2 | `tomography.rs` | 1 | Tier 1 perturbation extraction |
| P1 | 3 | `intention.rs` | 2 | Tier 1 + temporal embedding history |
| P2 | 5 | `cross_room.rs` | 2 | Tier 4 person profiles + multi-room deployment |
| P2 | 6 | `gesture.rs` | 1 | Tier 1 perturbation + per-person separation |
| P3 | 7 | `adversarial.rs` | 1 | Tier 1 field model + multi-link consistency |
**Total exotic tier: ~11 weeks after ADR-029 acceptance test passes.**
---
## 6. Consequences
### 6.1 Positive
- **Room becomes self-sensing**: Field normal modes provide a persistent baseline that explains change as structured deltas
- **7-day autonomous operation**: Coherence gating + SONA adaptation + longitudinal memory eliminate manual tuning
- **Privacy by design**: No images, no audio, no reconstructable data — only embeddings and statistical summaries
- **Traceable evidence**: Every drift alert links to stored embeddings, timestamps, and graph constraints
- **Multiple product categories**: Same software stack, different packaging — Guardian, Twin, Interaction, Drift Monitor
- **Regulatory clarity**: Consumer wellness first, clinical decision support later with accumulated dataset
- **Security primitive**: Coherence gating detects adversarial injection, not just quality issues
### 6.2 Negative
- **7-day calibration** required for personal baselines (system is less useful during initial period)
- **Empty-room calibration** needed for field normal modes (may not always be available)
- **Storage growth**: Longitudinal memory grows ~1 KB/person/day (manageable but non-zero)
- **Statistical power**: Drift detection requires 14+ days of data for meaningful z-scores
- **Multi-room**: Cross-room continuity requires hardware in all rooms (cost scales linearly)
### 6.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| Field modes drift faster than expected | Medium | False perturbation detections | Reduce mode update interval from 24h to 4h |
| Personal baselines too variable | Medium | High false alarm rate for drift | Widen sigma threshold from 2σ to 3σ; require 5+ days |
| Cross-room matching fails for similar body types | Low | Identity confusion | Require temporal proximity (<60s) plus spatial adjacency |
| Gesture recognition insufficient SNR | Medium | <80% accuracy | Restrict to near-field (<2m) initially |
| Adversarial injection via coordinated WiFi injection | Very Low | Spoofed occupancy | Multi-link consistency check makes single-link spoofing detectable |
---
## 7. Related ADRs
| ADR | Relationship |
|-----|-------------|
| ADR-029 | **Prerequisite**: Multistatic mesh is the sensing substrate for all exotic tiers |
| ADR-005 (SONA) | **Extended**: SONA recalibration triggered by coherence gate → now also by drift events |
| ADR-016 (RuVector) | **Extended**: All 5 crates exercised across 7 exotic tiers |
| ADR-024 (AETHER) | **Critical dependency**: Embeddings are the representation for all longitudinal memory |
| ADR-026 (Tracking) | **Extended**: Track lifecycle now spans days (not minutes) for drift detection |
| ADR-027 (MERIDIAN) | **Used**: Room geometry encoding for field normal mode conditioning |
---
## 8. References
1. IEEE 802.11bf-2024. "WLAN Sensing." IEEE Standards Association.
2. FDA. "General Wellness: Policy for Low Risk Devices." Guidance Document, 2019.
3. EU MDR 2017/745. "Medical Device Regulation." Official Journal of the European Union.
4. Welford, B.P. (1962). "Note on a Method for Calculating Corrected Sums of Squares." Technometrics.
5. Chen, L. et al. (2026). "PerceptAlign: Geometry-Aware WiFi Sensing." arXiv:2601.12252.
6. AM-FM (2026). "A Foundation Model for Ambient Intelligence Through WiFi." arXiv:2602.11200.
7. Geng, J. et al. (2023). "DensePose From WiFi." arXiv:2301.00250.
api-docs/adr/ADR-031-ruview-sensing-first-rf-mode.md
+369
View File
@@ -0,0 +1,369 @@
# ADR-031: Project RuView -- Sensing-First RF Mode for Multistatic Fidelity Enhancement
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-02 |
| **Deciders** | ruv |
| **Codename** | **RuView** -- RuVector Viewpoint-Integrated Enhancement |
| **Relates to** | ADR-012 (ESP32 Mesh), ADR-014 (SOTA Signal), ADR-016 (RuVector Integration), ADR-017 (RuVector Signal+MAT), ADR-021 (Vital Signs), ADR-024 (AETHER Embeddings), ADR-027 (MERIDIAN Cross-Environment) |
---
## 1. Context
### 1.1 The Single-Viewpoint Fidelity Ceiling
Current WiFi DensePose operates with a single transmitter-receiver pair (or single node receiving). This creates three fundamental limitations:
- **Body self-occlusion**: Limbs behind the torso are invisible to a single viewpoint.
- **Depth ambiguity**: Motion along the RF propagation axis (toward/away from receiver) produces minimal phase change.
- **Multi-person confusion**: Two people at similar range but different angles create overlapping CSI signatures.
The ESP32 mesh (ADR-012) partially addresses this via feature-level fusion across 3-6 nodes, but feature-level fusion cannot learn optimal fusion weights -- it uses hand-crafted aggregation (max, mean, coherent sum).
### 1.2 Three Fidelity Levers
1. **Bandwidth**: More bandwidth produces better multipath separability. Currently limited to 20 MHz (ESP32 HT20). Wider channels (80/160 MHz) are available on commodity 802.11ac/ax APs.
2. **Carrier frequency**: Higher frequency produces more phase sensitivity. 2.4 GHz sees macro-motion; 5 GHz sees micro-motion; 60 GHz sees vital signs.
3. **Viewpoints**: More viewpoints from different angles reduces geometric ambiguity. This is the lever RuView pulls.
### 1.3 Why "Sensing-First RF Mode"
RuView is NOT a new WiFi standard. It is a sensing-first protocol that rides on existing silicon, bands, and regulations. The key insight: instead of upgrading the RF hardware, upgrade the observability by coordinating multiple commodity receivers.
### 1.4 What Already Exists
| Component | ADR | Current State |
|-----------|-----|---------------|
| ESP32 mesh with feature-level fusion | ADR-012 | Implemented (firmware + aggregator) |
| SOTA signal processing (Hampel, Fresnel, BVP, spectrogram) | ADR-014 | Implemented |
| RuVector training pipeline (5 crates) | ADR-016 | Complete |
| RuVector signal + MAT integration (7 points) | ADR-017 | Accepted |
| Vital sign detection pipeline | ADR-021 | Partially implemented |
| AETHER contrastive embeddings | ADR-024 | Proposed |
| MERIDIAN cross-environment generalization | ADR-027 | Proposed |
RuView fills the gap: **cross-viewpoint embedding fusion** using learned attention weights.
---
## 2. Decision
Introduce RuView as a cross-viewpoint embedding fusion layer that operates on top of AETHER per-viewpoint embeddings. RuView adds a new bounded context (ViewpointFusion) and extends three existing crates.
### 2.1 Core Architecture
```
+-----------------------------------------------------------------+
| RuView Multistatic Pipeline |
+-----------------------------------------------------------------+
| |
| +----------+ +----------+ +----------+ +----------+ |
| | Node 1 | | Node 2 | | Node 3 | | Node N | |
| | ESP32-S3 | | ESP32-S3 | | ESP32-S3 | | ESP32-S3 | |
| | | | | | | | | |
| | CSI Rx | | CSI Rx | | CSI Rx | | CSI Rx | |
| +----+-----+ +----+-----+ +----+-----+ +----+-----+ |
| | | | | |
| v v v v |
| +--------------------------------------------------------+ |
| | Per-Viewpoint Signal Processing | |
| | Phase sanitize -> Hampel -> BVP -> Subcarrier select | |
| | (ADR-014, unchanged per viewpoint) | |
| +----------------------------+---------------------------+ |
| | |
| v |
| +--------------------------------------------------------+ |
| | Per-Viewpoint AETHER Embedding | |
| | CsiToPoseTransformer -> 128-d contrastive embedding | |
| | (ADR-024, one per viewpoint) | |
| +----------------------------+---------------------------+ |
| | |
| [emb_1, emb_2, ..., emb_N] |
| | |
| v |
| +--------------------------------------------------------+ |
| | * RuView Cross-Viewpoint Fusion * | |
| | | |
| | Q = W_q * X, K = W_k * X, V = W_v * X | |
| | A = softmax((QK^T + G_bias) / sqrt(d)) | |
| | fused = A * V | |
| | | |
| | G_bias: geometric bias from viewpoint pair geometry | |
| | (ruvector-attention: ScaledDotProductAttention) | |
| +----------------------------+---------------------------+ |
| | |
| fused_embedding |
| | |
| v |
| +--------------------------------------------------------+ |
| | DensePose Regression Head | |
| | Keypoint head: [B,17,H,W] | |
| | Part/UV head: [B,25,H,W] + [B,48,H,W] | |
| +--------------------------------------------------------+ |
+-----------------------------------------------------------------+
```
### 2.2 TDM Sensing Protocol
- Coordinator (aggregator) broadcasts sync beacon at start of each cycle.
- Each node transmits in assigned time slot; all others receive.
- 6 nodes x 1.4 ms/slot = 8.4 ms cycle -> ~119 Hz aggregate, ~20 Hz per bistatic pair.
- Clock drift handled at feature level (no cross-node phase alignment).
### 2.3 Geometric Bias Matrix
The geometric bias `G_bias` encodes the spatial relationship between viewpoint pairs:
```
G_bias[i,j] = w_angle * cos(theta_ij) + w_dist * exp(-d_ij / d_ref)
```
where:
- `theta_ij` = angle between viewpoint i and viewpoint j (from room center)
- `d_ij` = baseline distance between node i and node j
- `w_angle`, `w_dist` = learnable weights
- `d_ref` = reference distance (room diagonal / 2)
This allows the attention mechanism to learn that widely-separated, orthogonal viewpoints are more complementary than clustered ones.
### 2.4 Coherence-Gated Environment Updates
```rust
/// Only update environment model when phase coherence exceeds threshold.
pub fn coherence_gate(
phase_diffs: &[f32], // delta-phi over T recent frames
threshold: f32, // typically 0.7
) -> bool {
// Complex mean of unit phasors
let (sum_cos, sum_sin) = phase_diffs.iter()
.fold((0.0f32, 0.0f32), |(c, s), &dp| {
(c + dp.cos(), s + dp.sin())
});
let n = phase_diffs.len() as f32;
let coherence = ((sum_cos / n).powi(2) + (sum_sin / n).powi(2)).sqrt();
coherence > threshold
}
```
### 2.5 Two Implementation Paths
| Path | Hardware | Bandwidth | Per-Viewpoint Rate | Target Tier |
|------|----------|-----------|-------------------|-------------|
| **ESP32 Multistatic** | 6x ESP32-S3 ($84) | 20 MHz (HT20) | 20 Hz | Silver |
| **Cognitum + RF** | Cognitum v1 + LimeSDR | 20-160 MHz | 20-100 Hz | Gold |
ESP32 path: commodity, achievable today, targets Silver tier (tracking + pose quality).
Cognitum path: higher fidelity, targets Gold tier (tracking + pose + vitals).
---
## 3. DDD Design
### 3.1 New Bounded Context: ViewpointFusion
**Aggregate Root: `MultistaticArray`**
```rust
pub struct MultistaticArray {
/// Unique array deployment ID
id: ArrayId,
/// Viewpoint geometry (node positions, orientations)
geometry: ArrayGeometry,
/// TDM schedule (slot assignments, cycle period)
schedule: TdmSchedule,
/// Active viewpoint embeddings (latest per node)
viewpoints: Vec<ViewpointEmbedding>,
/// Fused output embedding
fused: Option<FusedEmbedding>,
/// Coherence gate state
coherence_state: CoherenceState,
}
```
**Entity: `ViewpointEmbedding`**
```rust
pub struct ViewpointEmbedding {
/// Source node ID
node_id: NodeId,
/// AETHER embedding vector (128-d)
embedding: Vec<f32>,
/// Geometric metadata
azimuth: f32, // radians from array center
elevation: f32, // radians
baseline: f32, // meters from centroid
/// Capture timestamp
timestamp: Instant,
/// Signal quality
snr_db: f32,
}
```
**Value Object: `GeometricDiversityIndex`**
```rust
pub struct GeometricDiversityIndex {
/// GDI = (1/N) sum min_{j!=i} |theta_i - theta_j|
value: f32,
/// Effective independent viewpoints (after correlation discount)
n_effective: f32,
/// Worst viewpoint pair (most redundant)
worst_pair: (NodeId, NodeId),
}
```
**Domain Events:**
```rust
pub enum ViewpointFusionEvent {
ViewpointCaptured { node_id: NodeId, timestamp: Instant, snr_db: f32 },
TdmCycleCompleted { cycle_id: u64, viewpoints_received: usize },
FusionCompleted { fused_embedding: Vec<f32>, gdi: f32 },
CoherenceGateTriggered { coherence: f32, accepted: bool },
GeometryUpdated { new_gdi: f32, n_effective: f32 },
}
```
### 3.2 Extended Bounded Contexts
**Signal (wifi-densepose-signal):**
- New service: `CrossViewpointSubcarrierSelection`
- Consensus sensitive subcarrier set across all viewpoints via ruvector-mincut.
- Input: per-viewpoint sensitivity scores. Output: globally-sensitive + locally-sensitive partition.
**Hardware (wifi-densepose-hardware):**
- New protocol: `TdmSensingProtocol`
- Coordinator logic: beacon generation, slot scheduling, clock drift compensation.
- Event: `TdmSlotCompleted { node_id, slot_index, capture_quality }`
**Training (wifi-densepose-train):**
- New module: `ruview_metrics.rs`
- Three-metric acceptance test: PCK/OKS (joint error), MOTA (multi-person separation), vital sign accuracy.
- Tiered pass/fail: Bronze/Silver/Gold.
---
## 4. Implementation Plan (File-Level)
### 4.1 Phase 1: ViewpointFusion Core (New Files)
| File | Purpose | RuVector Crate |
|------|---------|---------------|
| `crates/wifi-densepose-ruvector/src/viewpoint/mod.rs` | Module root, re-exports | -- |
| `crates/wifi-densepose-ruvector/src/viewpoint/attention.rs` | Cross-viewpoint scaled dot-product attention with geometric bias | ruvector-attention |
| `crates/wifi-densepose-ruvector/src/viewpoint/geometry.rs` | GeometricDiversityIndex, Cramer-Rao bound estimation | ruvector-solver |
| `crates/wifi-densepose-ruvector/src/viewpoint/coherence.rs` | Coherence gating for environment stability | -- (pure math) |
| `crates/wifi-densepose-ruvector/src/viewpoint/fusion.rs` | MultistaticArray aggregate, orchestrates fusion pipeline | ruvector-attention + ruvector-attn-mincut |
### 4.2 Phase 2: Signal Processing Extension
| File | Purpose | RuVector Crate |
|------|---------|---------------|
| `crates/wifi-densepose-signal/src/cross_viewpoint.rs` | Cross-viewpoint subcarrier consensus via min-cut | ruvector-mincut |
### 4.3 Phase 3: Hardware Protocol Extension
| File | Purpose | RuVector Crate |
|------|---------|---------------|
| `crates/wifi-densepose-hardware/src/esp32/tdm.rs` | TDM sensing protocol coordinator | -- (protocol logic) |
### 4.4 Phase 4: Training and Metrics
| File | Purpose | RuVector Crate |
|------|---------|---------------|
| `crates/wifi-densepose-train/src/ruview_metrics.rs` | Three-metric acceptance test (PCK/OKS, MOTA, vital sign accuracy) | ruvector-mincut (person matching) |
---
## 5. Three-Metric Acceptance Test
### 5.1 Metric 1: Joint Error (PCK / OKS)
| Criterion | Threshold |
|-----------|-----------|
| PCK@0.2 (all 17 keypoints) | >= 0.70 |
| PCK@0.2 (torso: shoulders + hips) | >= 0.80 |
| Mean OKS | >= 0.50 |
| Torso jitter RMS (10s window) | < 3 cm |
| Per-keypoint max error (95th percentile) | < 15 cm |
### 5.2 Metric 2: Multi-Person Separation
| Criterion | Threshold |
|-----------|-----------|
| Subjects | 2 |
| Capture rate | 20 Hz |
| Track duration | 10 minutes |
| Identity swaps (MOTA ID-switch) | 0 |
| Track fragmentation ratio | < 0.05 |
| False track creation | 0/min |
### 5.3 Metric 3: Vital Sign Sensitivity
| Criterion | Threshold |
|-----------|-----------|
| Breathing detection (6-30 BPM) | +/- 2 BPM |
| Breathing band SNR (0.1-0.5 Hz) | >= 6 dB |
| Heartbeat detection (40-120 BPM) | +/- 5 BPM (aspirational) |
| Heartbeat band SNR (0.8-2.0 Hz) | >= 3 dB (aspirational) |
| Micro-motion resolution | 1 mm at 3m |
### 5.4 Tiered Pass/Fail
| Tier | Requirements | Deployment Gate |
|------|-------------|-----------------|
| Bronze | Metric 2 | Prototype demo |
| Silver | Metrics 1 + 2 | Production candidate |
| Gold | All three | Full deployment |
---
## 6. Consequences
### 6.1 Positive
- **Fundamental geometric improvement**: Viewpoint diversity reduces body self-occlusion and depth ambiguity -- these are physics, not model, limitations.
- **Uses existing silicon**: ESP32-S3, commodity WiFi, no custom RF hardware required for Silver tier.
- **Learned fusion weights**: Embedding-level fusion (Tier 3) outperforms hand-crafted feature-level fusion (Tier 2).
- **Composes with existing ADRs**: AETHER (per-viewpoint), MERIDIAN (cross-environment), and RuView (cross-viewpoint) are orthogonal -- they compose freely.
- **IEEE 802.11bf aligned**: TDM protocol maps to 802.11bf sensing sessions, enabling future migration to standard-compliant APs.
- **Commodity price point**: $84 for 6-node Silver-tier deployment.
### 6.2 Negative
- **TDM rate reduction**: N viewpoints leads to per-viewpoint rate divided by N. With 6 nodes at 120 Hz aggregate, each viewpoint sees 20 Hz.
- **More complex aggregator**: Embedding fusion + geometric bias learning adds ~25K parameters on top of per-viewpoint AETHER model.
- **Placement planning required**: Geometric Diversity Index optimization requires intentional node placement (not random scatter).
- **Clock drift limits TDM precision**: ESP32 crystal drift (20-50 ppm) limits slot precision to ~1 ms, which is sufficient for feature-level fusion but not signal-level coherent combining.
- **Training data**: Cross-viewpoint training requires multi-receiver CSI captures, which are not available in existing public datasets (MM-Fi, Wi-Pose).
### 6.3 Interaction with Other ADRs
| ADR | Interaction |
|-----|------------|
| ADR-012 (ESP32 Mesh) | RuView extends the aggregator from feature-level to embedding-level fusion; TDM protocol replaces simple UDP collection |
| ADR-014 (SOTA Signal) | Per-viewpoint signal processing is unchanged; cross-viewpoint subcarrier consensus is new |
| ADR-016/017 (RuVector) | All 5 ruvector crates get new cross-viewpoint operations (see Section 4) |
| ADR-021 (Vital Signs) | Multi-viewpoint SNR improvement directly benefits vital sign extraction (Gold tier target) |
| ADR-024 (AETHER) | Per-viewpoint AETHER embeddings are the input to RuView fusion; AETHER is required |
| ADR-027 (MERIDIAN) | Cross-environment (MERIDIAN) and cross-viewpoint (RuView) are orthogonal; MERIDIAN handles room transfer, RuView handles within-room geometry |
---
## 7. References
1. IEEE 802.11bf (2024). "WLAN Sensing." IEEE Standards Association.
2. Kotaru, M. et al. (2015). "SpotFi: Decimeter Level Localization Using WiFi." SIGCOMM 2015.
3. Zeng, Y. et al. (2019). "FarSense: Pushing the Range Limit of WiFi-based Respiration Sensing with CSI Ratio of Two Antennas." MobiCom 2019.
4. Zheng, Y. et al. (2019). "Zero-Effort Cross-Domain Gesture Recognition with Wi-Fi." (Widar 3.0) MobiSys 2019.
5. Yan, K. et al. (2024). "Person-in-WiFi 3D: End-to-End Multi-Person 3D Pose Estimation with Wi-Fi." CVPR 2024.
6. Zhou, Y. et al. (2024). "AdaPose: Towards Cross-Site Device-Free Human Pose Estimation with Commodity WiFi." IEEE IoT Journal. arXiv:2309.16964.
7. Zhou, R. et al. (2025). "DGSense: A Domain Generalization Framework for Wireless Sensing." arXiv:2502.08155.
8. Chen, X. & Yang, J. (2025). "X-Fi: A Modality-Invariant Foundation Model for Multimodal Human Sensing." ICLR 2025. arXiv:2410.10167.
9. AM-FM (2026). "AM-FM: A Foundation Model for Ambient Intelligence Through WiFi." arXiv:2602.11200.
10. Chen, L. et al. (2026). "PerceptAlign: Breaking Coordinate Overfitting." arXiv:2601.12252.
11. Li, J. & Stoica, P. (2007). "MIMO Radar with Colocated Antennas." IEEE Signal Processing Magazine, 24(5):106-114.
12. ADR-012 through ADR-027 (internal).
api-docs/adr/ADR-032-multistatic-mesh-security-hardening.md
+507
View File
@@ -0,0 +1,507 @@
# ADR-032: Multistatic Mesh Security Hardening
| Field | Value |
|-------|-------|
| **Status** | Accepted |
| **Date** | 2026-03-01 |
| **Deciders** | ruv |
| **Relates to** | ADR-029 (RuvSense Multistatic), ADR-030 (Persistent Field Model), ADR-031 (RuView Sensing-First RF), ADR-018 (ESP32 Implementation), ADR-012 (ESP32 Mesh) |
---
## 1. Context
### 1.1 Security Audit of ADR-029/030/031
A security audit of the RuvSense multistatic sensing stack (ADR-029 through ADR-031) identified seven findings across the TDM synchronization layer, CSI frame transport, NDP injection, coherence gating, cross-room tracking, NVS credential handling, and firmware concurrency model. Three severity levels were assigned: HIGH (1 finding), MEDIUM (3 findings), LOW (3 findings).
The findings fall into three categories:
1. **Missing cryptographic authentication** -- The TDM SyncBeacon and CSI frame formats lack any message authentication, allowing rogue nodes to inject spoofed beacons or frames into the mesh.
2. **Unbounded or unprotected resources** -- The NDP injection path has no rate limiter, the coherence gate recalibration state has no timeout cap, and the cross-room transition log grows without bound.
3. **Memory safety on embedded targets** -- NVS credential buffers are not zeroed after use, and static mutable globals in the CSI collector are accessed from both ESP32-S3 cores without synchronization.
### 1.2 Threat Model
The primary threat actor is a rogue ESP32 node on the same LAN subnet or within WiFi range of the mesh. The attack surface is the UDP broadcast plane used for sync beacons, CSI frames, and NDP injection.
| Threat | STRIDE | Impact | Exploitability |
|--------|--------|--------|----------------|
| Fake SyncBeacon injection | Spoofing, Tampering | Full mesh desynchronization, no pose output | Low skill, rogue ESP32 on LAN |
| CSI frame spoofing | Spoofing, Tampering | Corrupted pose estimation, phantom occupants | Low skill, UDP packet injection |
| NDP RF flooding | Denial of Service | Channel saturation, loss of CSI data | Low skill, repeated NDP calls |
| Coherence gate stall | Denial of Service | Indefinite recalibration, frozen output | Requires sustained interference |
| Transition log exhaustion | Denial of Service | OOM on aggregator after extended operation | Passive, no attacker needed |
| Credential stack residue | Information Disclosure | WiFi password recoverable from RAM dump | Physical access to device |
| Dual-core data race | Tampering, DoS | Corrupted CSI frames, undefined behavior | Passive, no attacker needed |
### 1.3 Design Constraints
- ESP32-S3 has limited CPU budget: cryptographic operations must complete within the 1 ms guard interval between TDM slots.
- HMAC-SHA256 on ESP32-S3 (hardware-accelerated via `mbedtls`) completes in approximately 15 us for 24-byte payloads -- well within budget.
- SipHash-2-4 completes in approximately 2 us for 64-byte payloads on ESP32-S3 -- suitable for per-frame MAC.
- No TLS or TCP is available on the sensing data path (UDP broadcast for latency).
- Pre-shared key (PSK) model is acceptable because all nodes in a mesh deployment are provisioned by the same operator.
---
## 2. Decision
Harden the multistatic mesh with six measures: beacon authentication, frame integrity, NDP rate limiting, bounded buffers, memory safety, and key management. All changes are backward-compatible: unauthenticated frames are accepted during a migration window controlled by a `security_level` NVS parameter.
### 2.1 Beacon Authentication Protocol (H-1)
**Finding:** The 16-byte `SyncBeacon` wire format (`crates/wifi-densepose-hardware/src/esp32/tdm.rs`) has no cryptographic authentication. A rogue node can inject fake beacons to desynchronize the TDM mesh.
**Solution:** Extend the SyncBeacon wire format from 16 bytes to 28 bytes by adding a 4-byte monotonic nonce and an 8-byte HMAC-SHA256 truncated tag.
```
Authenticated SyncBeacon wire format (28 bytes):
[0..7] cycle_id (LE u64)
[8..11] cycle_period_us (LE u32)
[12..13] drift_correction (LE i16)
[14..15] reserved
[16..19] nonce (LE u32, monotonically increasing)
[20..27] hmac_tag (HMAC-SHA256 truncated to 8 bytes)
```
**HMAC computation:**
```
key = 16-byte pre-shared mesh key (stored in NVS, namespace "mesh_sec")
message = beacon[0..20] (first 20 bytes: payload + nonce)
tag = HMAC-SHA256(key, message)[0..8] (truncated to 8 bytes)
```
**Nonce and replay protection:**
- The coordinator maintains a monotonically increasing 32-bit nonce counter, incremented on every beacon.
- Each receiver maintains a `last_accepted_nonce` per sender. A beacon is accepted only if `nonce > last_accepted_nonce - REPLAY_WINDOW`, where `REPLAY_WINDOW = 16` (accounts for packet reordering over UDP).
- Nonce overflow (after 2^32 beacons at 20 Hz = ~6.8 years) triggers a mandatory key rotation.
**Implementation location:** `crates/wifi-densepose-hardware/src/esp32/tdm.rs` -- extend `SyncBeacon::to_bytes()` and `SyncBeacon::from_bytes()` to produce/consume the 28-byte authenticated format. Add `SyncBeacon::verify()` method.
### 2.2 CSI Frame Integrity (M-3)
**Finding:** The ADR-018 CSI frame format has no cryptographic MAC. Frames can be spoofed or tampered with in transit.
**Solution:** Add an 8-byte SipHash-2-4 tag to the CSI frame header. SipHash is chosen over HMAC-SHA256 for per-frame MAC because it is 7x faster on ESP32 for short messages (approximately 2 us vs 15 us) and provides sufficient integrity for non-secret data.
```
Extended CSI frame header (28 bytes, was 20):
[0..3] Magic: 0xC5110002 (bumped from 0xC5110001 to signal auth)
[4] Node ID
[5] Number of antennas
[6..7] Number of subcarriers (LE u16)
[8..11] Frequency MHz (LE u32)
[12..15] Sequence number (LE u32)
[16] RSSI (i8)
[17] Noise floor (i8)
[18..19] Reserved
[20..27] siphash_tag (SipHash-2-4 over [0..20] + IQ data)
```
**SipHash key derivation:**
```
siphash_key = HMAC-SHA256(mesh_key, "csi-frame-siphash")[0..16]
```
The SipHash key is derived once at boot from the mesh key and cached in memory.
**Implementation locations:**
- `firmware/esp32-csi-node/main/csi_collector.c` -- compute SipHash tag in `csi_serialize_frame()`, bump magic constant.
- `crates/wifi-densepose-hardware/src/esp32/` -- add frame verification in the aggregator's frame parser.
### 2.3 NDP Injection Rate Limiter (M-4)
**Finding:** `csi_inject_ndp_frame()` in `firmware/esp32-csi-node/main/csi_collector.c` has no rate limiter. Uncontrolled NDP injection can flood the RF channel.
**Solution:** Token-bucket rate limiter with configurable parameters stored in NVS.
```c
// Token bucket parameters (defaults)
#define NDP_RATE_MAX_TOKENS 20 // burst capacity
#define NDP_RATE_REFILL_HZ 20 // sustained rate: 20 NDP/sec
#define NDP_RATE_REFILL_US (1000000 / NDP_RATE_REFILL_HZ)
typedef struct {
uint32_t tokens; // current token count
uint32_t max_tokens; // bucket capacity
uint32_t refill_interval_us; // microseconds per token
int64_t last_refill_us; // last refill timestamp
} ndp_rate_limiter_t;
```
`csi_inject_ndp_frame()` returns `ESP_ERR_NOT_ALLOWED` when the bucket is empty. The rate limiter parameters are configurable via NVS keys `ndp_max_tokens` and `ndp_refill_hz`.
**Implementation location:** `firmware/esp32-csi-node/main/csi_collector.c` -- add `ndp_rate_limiter_t` state and check in `csi_inject_ndp_frame()`.
### 2.4 Coherence Gate Recalibration Timeout (M-5)
**Finding:** The `Recalibrate` state in `crates/wifi-densepose-signal/src/ruvsense/coherence_gate.rs` can be held indefinitely. A sustained interference source could keep the system in perpetual recalibration, preventing any output.
**Solution:** Add a configurable `max_recalibrate_duration` to `GatePolicyConfig` (default: 30 seconds = 600 frames at 20 Hz). When the recalibration duration exceeds this cap, the gate transitions to a `ForcedAccept` state with inflated noise (10x), allowing degraded-but-available output.
```rust
pub enum GateDecision {
Accept { noise_multiplier: f32 },
PredictOnly,
Reject,
Recalibrate { stale_frames: u64 },
/// Recalibration timed out. Accept with heavily inflated noise.
ForcedAccept { noise_multiplier: f32, stale_frames: u64 },
}
```
New config field:
```rust
pub struct GatePolicyConfig {
// ... existing fields ...
/// Maximum frames in Recalibrate before forcing accept. Default: 600 (30s at 20Hz).
pub max_recalibrate_frames: u64,
/// Noise multiplier for ForcedAccept. Default: 10.0.
pub forced_accept_noise: f32,
}
```
**Implementation location:** `crates/wifi-densepose-signal/src/ruvsense/coherence_gate.rs` -- extend `GateDecision` enum, modify `GatePolicy::evaluate()`.
### 2.5 Bounded Transition Log (L-1)
**Finding:** `CrossRoomTracker` in `crates/wifi-densepose-signal/src/ruvsense/cross_room.rs` stores transitions in an unbounded `Vec<TransitionEvent>`. Over extended operation (days/weeks), this grows without limit.
**Solution:** Replace the `transitions: Vec<TransitionEvent>` with a ring buffer that evicts the oldest entry when capacity is reached.
```rust
pub struct CrossRoomConfig {
// ... existing fields ...
/// Maximum transitions retained in the ring buffer. Default: 1000.
pub max_transitions: usize,
}
```
The ring buffer is implemented as a `VecDeque<TransitionEvent>` with a capacity check on push. When `transitions.len() >= max_transitions`, `transitions.pop_front()` before pushing. This preserves the append-only audit trail semantics (events are never mutated, only evicted by age).
**Implementation location:** `crates/wifi-densepose-signal/src/ruvsense/cross_room.rs` -- change `transitions: Vec<TransitionEvent>` to `transitions: VecDeque<TransitionEvent>`, add eviction logic in `match_entry()`.
### 2.6 NVS Password Buffer Zeroing (L-4)
**Finding:** `nvs_config_load()` in `firmware/esp32-csi-node/main/nvs_config.c` reads the WiFi password into a stack buffer `buf` which is not zeroed after use. On ESP32-S3, stack memory is not automatically cleared, leaving credentials recoverable via physical memory dump.
**Solution:** Zero the stack buffer after each NVS string read using `explicit_bzero()` (available in ESP-IDF via newlib). If `explicit_bzero` is unavailable, use `memset` with a volatile pointer to prevent compiler optimization.
```c
/* After each nvs_get_str that may contain credentials: */
explicit_bzero(buf, sizeof(buf));
/* Portable fallback: */
static void secure_zero(void *ptr, size_t len) {
volatile unsigned char *p = (volatile unsigned char *)ptr;
while (len--) { *p++ = 0; }
}
```
Apply to all three `nvs_get_str` call sites in `nvs_config_load()` (ssid, password, target_ip).
**Implementation location:** `firmware/esp32-csi-node/main/nvs_config.c` -- add `explicit_bzero(buf, sizeof(buf))` after each `nvs_get_str` block.
### 2.7 Atomic Access for Static Mutable State (L-5)
**Finding:** `csi_collector.c` uses static mutable globals (`s_sequence`, `s_cb_count`, `s_send_ok`, `s_send_fail`, `s_hop_index`) accessed from both cores of the ESP32-S3 without synchronization. The CSI callback runs on the WiFi task (pinned to core 0 by default), while the main application and hop timer may run on core 1.
**Solution:** Use C11 `_Atomic` qualifiers for all shared counters, and a FreeRTOS mutex for the hop table state which requires multi-variable consistency.
```c
#include <stdatomic.h>
static _Atomic uint32_t s_sequence = 0;
static _Atomic uint32_t s_cb_count = 0;
static _Atomic uint32_t s_send_ok = 0;
static _Atomic uint32_t s_send_fail = 0;
static _Atomic uint8_t s_hop_index = 0;
/* Hop table protected by mutex (multi-variable consistency) */
static SemaphoreHandle_t s_hop_mutex = NULL;
```
The mutex is created in `csi_collector_init()` and taken/released around hop table reads in `csi_hop_next_channel()` and writes in `csi_collector_set_hop_table()`.
**Implementation location:** `firmware/esp32-csi-node/main/csi_collector.c` -- add `_Atomic` qualifiers, create and use `s_hop_mutex`.
### 2.8 Key Management
All cryptographic operations use a single 16-byte pre-shared mesh key stored in NVS.
**Provisioning:**
```
NVS namespace: "mesh_sec"
NVS key: "mesh_key"
NVS type: blob (16 bytes)
```
The key is provisioned during node setup via the existing `scripts/provision.py` tool, which is extended to generate a random 16-byte key and flash it to all nodes in a deployment.
**Key derivation:**
```
beacon_hmac_key = mesh_key (direct, 16 bytes)
frame_siphash_key = HMAC-SHA256(mesh_key, "csi-frame-siphash")[0..16] (derived, 16 bytes)
```
**Key rotation:**
- Manual rotation via management command: `provision.py rotate-key --deployment <id>`.
- The coordinator broadcasts a key rotation event (signed with the old key) containing the new key encrypted with the old key.
- Nodes accept the new key and switch after confirming the next beacon is signed with the new key.
- Rotation is recommended every 90 days or after any node is decommissioned.
**Security level NVS parameter:**
```
NVS key: "sec_level"
Values:
0 = permissive (accept unauthenticated frames, log warning)
1 = transitional (accept both authenticated and unauthenticated)
2 = enforcing (reject unauthenticated frames)
Default: 1 (transitional, for backward compatibility during rollout)
```
---
## 3. Implementation Plan (File-Level)
### 3.1 Phase 1: Beacon Authentication and Key Management
| File | Change | Priority |
|------|--------|----------|
| `crates/wifi-densepose-hardware/src/esp32/tdm.rs` | Extend `SyncBeacon` to 28-byte authenticated format, add `verify()`, nonce tracking, replay window | P0 |
| `firmware/esp32-csi-node/main/nvs_config.c` | Add `mesh_key` and `sec_level` NVS reads | P0 |
| `firmware/esp32-csi-node/main/nvs_config.h` | Add `mesh_key[16]` and `sec_level` to `nvs_config_t` | P0 |
| `scripts/provision.py` | Add `--mesh-key` generation and `rotate-key` command | P0 |
### 3.2 Phase 2: Frame Integrity and Rate Limiting
| File | Change | Priority |
|------|--------|----------|
| `firmware/esp32-csi-node/main/csi_collector.c` | Add SipHash-2-4 tag to frame serialization, NDP rate limiter, `_Atomic` qualifiers, hop mutex | P1 |
| `firmware/esp32-csi-node/main/csi_collector.h` | Update `CSI_HEADER_SIZE` to 28, add rate limiter config | P1 |
| `crates/wifi-densepose-hardware/src/esp32/` | Add frame verification in aggregator parser | P1 |
### 3.3 Phase 3: Bounded Buffers and Gate Hardening
| File | Change | Priority |
|------|--------|----------|
| `crates/wifi-densepose-signal/src/ruvsense/cross_room.rs` | Replace `Vec` with `VecDeque`, add `max_transitions` config | P1 |
| `crates/wifi-densepose-signal/src/ruvsense/coherence_gate.rs` | Add `ForcedAccept` variant, `max_recalibrate_frames` config | P1 |
### 3.4 Phase 4: Memory Safety
| File | Change | Priority |
|------|--------|----------|
| `firmware/esp32-csi-node/main/nvs_config.c` | Add `explicit_bzero()` after credential reads | P2 |
| `firmware/esp32-csi-node/main/csi_collector.c` | `_Atomic` counters, `s_hop_mutex` (if not done in Phase 2) | P2 |
---
## 4. Acceptance Criteria
### 4.1 Beacon Authentication (H-1)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| H1-1 | `SyncBeacon::to_bytes()` produces 28-byte output with valid HMAC tag | Unit test: serialize, verify tag matches recomputed HMAC |
| H1-2 | `SyncBeacon::verify()` rejects beacons with incorrect HMAC tag | Unit test: flip one bit in tag, verify returns `Err` |
| H1-3 | `SyncBeacon::verify()` rejects beacons with replayed nonce outside window | Unit test: submit nonce = last_accepted - REPLAY_WINDOW - 1, verify rejection |
| H1-4 | `SyncBeacon::verify()` accepts beacons within replay window | Unit test: submit nonce = last_accepted - REPLAY_WINDOW + 1, verify acceptance |
| H1-5 | Coordinator nonce increments monotonically across cycles | Unit test: call `begin_cycle()` 100 times, verify strict monotonicity |
| H1-6 | Backward compatibility: `sec_level=0` accepts unauthenticated 16-byte beacons | Integration test: mixed old/new nodes |
### 4.2 Frame Integrity (M-3)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| M3-1 | CSI frame with magic `0xC5110002` includes valid 8-byte SipHash tag | Unit test: serialize frame, verify tag |
| M3-2 | Frame verification rejects frames with tampered IQ data | Unit test: flip one byte in IQ payload, verify rejection |
| M3-3 | SipHash computation completes in < 10 us on ESP32-S3 | Benchmark on target hardware |
| M3-4 | Frame parser accepts old magic `0xC5110001` when `sec_level < 2` | Unit test: backward compatibility |
### 4.3 NDP Rate Limiter (M-4)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| M4-1 | `csi_inject_ndp_frame()` succeeds for first `max_tokens` calls | Unit test: call 20 times rapidly, all succeed |
| M4-2 | Call 21 returns `ESP_ERR_NOT_ALLOWED` when bucket is empty | Unit test: exhaust bucket, verify error |
| M4-3 | Bucket refills at configured rate | Unit test: exhaust, wait `refill_interval_us`, verify one token available |
| M4-4 | NVS override of `ndp_max_tokens` and `ndp_refill_hz` is respected | Integration test: set NVS values, verify behavior |
### 4.4 Coherence Gate Timeout (M-5)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| M5-1 | `GatePolicy::evaluate()` returns `Recalibrate` at `max_stale_frames` | Unit test: existing behavior preserved |
| M5-2 | `GatePolicy::evaluate()` returns `ForcedAccept` at `max_recalibrate_frames` | Unit test: feed `max_recalibrate_frames + 1` low-coherence frames |
| M5-3 | `ForcedAccept` noise multiplier equals `forced_accept_noise` (default 10.0) | Unit test: verify noise_multiplier field |
| M5-4 | Default `max_recalibrate_frames` = 600 (30s at 20 Hz) | Unit test: verify default config |
### 4.5 Bounded Transition Log (L-1)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| L1-1 | `CrossRoomTracker::transition_count()` never exceeds `max_transitions` | Unit test: insert 1500 transitions with max_transitions=1000, verify count=1000 |
| L1-2 | Oldest transitions are evicted first (FIFO) | Unit test: verify first transition is the (N-999)th inserted |
| L1-3 | Default `max_transitions` = 1000 | Unit test: verify default config |
### 4.6 NVS Password Zeroing (L-4)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| L4-1 | Stack buffer `buf` is zeroed after each `nvs_get_str` call | Code review + static analysis (no runtime test feasible) |
| L4-2 | `explicit_bzero` is used (not plain `memset`) to prevent compiler optimization | Code review: verify function call is `explicit_bzero` or volatile-pointer pattern |
### 4.7 Atomic Static State (L-5)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| L5-1 | `s_sequence`, `s_cb_count`, `s_send_ok`, `s_send_fail` are declared `_Atomic` | Code review |
| L5-2 | `s_hop_mutex` is created in `csi_collector_init()` | Code review + integration test: init succeeds |
| L5-3 | `csi_hop_next_channel()` and `csi_collector_set_hop_table()` acquire/release mutex | Code review |
| L5-4 | No data races detected under ThreadSanitizer (host-side test build) | `cargo test` with TSAN on host (for Rust side); QEMU or hardware test for C side |
---
## 5. Consequences
### 5.1 Positive
- **Rogue node protection**: HMAC-authenticated beacons prevent mesh desynchronization by unauthorized nodes.
- **Frame integrity**: SipHash MAC detects in-transit tampering of CSI data, preventing phantom occupant injection.
- **RF availability**: Token-bucket rate limiter prevents NDP flooding from consuming the shared wireless medium.
- **Bounded memory**: Ring buffer on transition log and timeout cap on recalibration prevent resource exhaustion during long-running deployments.
- **Credential hygiene**: Zeroed buffers reduce the window for credential recovery from physical memory access.
- **Thread safety**: Atomic operations and mutex eliminate undefined behavior on dual-core ESP32-S3.
- **Backward compatible**: `sec_level` parameter allows gradual rollout without breaking existing deployments.
### 5.2 Negative
- **12 bytes added to SyncBeacon**: 28 bytes vs 16 bytes (75% increase, but still fits in a single UDP packet with room to spare).
- **8 bytes added to CSI frame header**: 28 bytes vs 20 bytes (40% increase in header; negligible relative to IQ payload of 128-512 bytes).
- **CPU overhead**: HMAC-SHA256 adds approximately 15 us per beacon (once per 50 ms cycle = 0.03% CPU). SipHash adds approximately 2 us per frame (at 100 Hz = 0.02% CPU).
- **Key management complexity**: Mesh key must be provisioned to all nodes and rotated periodically. Lost key requires re-provisioning all nodes.
- **Mutex contention**: Hop table mutex may add up to 1 us latency to channel hop path. Within guard interval budget.
### 5.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| HMAC computation exceeds guard interval on older ESP32 (non-S3) | Low | Beacon authentication unusable on legacy hardware | Hardware-accelerated SHA256 is available on all ESP32 variants; benchmark confirms < 50 us |
| Key compromise via side-channel on ESP32 | Very Low | Full mesh authentication bypass | Keys stored in eFuse (ESP32-S3 supports) or encrypted NVS partition |
| ForcedAccept mode produces unacceptably noisy poses | Medium | Degraded pose quality during sustained interference | 10x noise multiplier is configurable; operator can increase or disable |
| SipHash collision (64-bit tag) | Very Low | Single forged frame accepted | 2^-64 probability per frame; attacker cannot iterate at protocol speed |
---
## 6. QUIC Transport Layer (ADR-032a Amendment)
### 6.1 Motivation
The original ADR-032 design (Sections 2.1--2.2) uses manual HMAC-SHA256 and SipHash-2-4 over plain UDP. While correct and efficient on constrained ESP32 hardware, this approach has operational drawbacks:
- **Manual key rotation**: Requires custom key exchange protocol and coordinator broadcast.
- **No congestion control**: Plain UDP has no backpressure; burst CSI traffic can overwhelm the aggregator.
- **No connection migration**: Node roaming (e.g., repositioning an ESP32) requires manual reconnect.
- **Duplicate replay-window code**: Custom nonce tracking duplicates QUIC's built-in replay protection.
### 6.2 Decision: Adopt `midstreamer-quic` for Aggregator Uplinks
For aggregator-class nodes (Raspberry Pi, x86 gateway) that have sufficient CPU and memory, replace the manual crypto layer with `midstreamer-quic` v0.1.0, which provides:
| Capability | Manual (ADR-032 original) | QUIC (`midstreamer-quic`) |
|---|---|---|
| Authentication | HMAC-SHA256 truncated 8B | TLS 1.3 AEAD (AES-128-GCM) |
| Frame integrity | SipHash-2-4 tag | QUIC packet-level AEAD |
| Replay protection | Manual nonce + window | QUIC packet numbers (monotonic) |
| Key rotation | Custom coordinator broadcast | TLS 1.3 `KeyUpdate` message |
| Congestion control | None | QUIC cubic/BBR |
| Connection migration | Not supported | QUIC connection ID migration |
| Multi-stream | N/A | QUIC streams (beacon, CSI, control) |
**Constrained devices (ESP32-S3) retain the manual crypto path** from Sections 2.1--2.2 as a fallback. The `SecurityMode` enum selects the transport:
```rust
pub enum SecurityMode {
/// Manual HMAC/SipHash over plain UDP (ESP32-S3, ADR-032 original).
ManualCrypto,
/// QUIC transport with TLS 1.3 (aggregator-class nodes).
QuicTransport,
}
```
### 6.3 QUIC Stream Mapping
Three dedicated QUIC streams separate traffic by priority:
| Stream ID | Purpose | Direction | Priority |
|---|---|---|---|
| 0 | Sync beacons | Coordinator -> Nodes | Highest (TDM timing-critical) |
| 1 | CSI frames | Nodes -> Aggregator | High (sensing data) |
| 2 | Control plane | Bidirectional | Normal (config, key rotation, health) |
### 6.4 Additional Midstreamer Integrations
Beyond QUIC transport, three additional midstreamer crates enhance the sensing pipeline:
1. **`midstreamer-scheduler` v0.1.0** -- Replaces manual timer-based TDM slot scheduling with an ultra-low-latency real-time task scheduler. Provides deterministic slot firing with sub-microsecond jitter.
2. **`midstreamer-temporal-compare` v0.1.0** -- Enhances gesture DTW matching (ADR-030 Tier 6) with temporal sequence comparison primitives. Provides optimized Sakoe-Chiba band DTW, LCS, and edit-distance kernels.
3. **`midstreamer-attractor` v0.1.0** -- Enhances longitudinal drift detection (ADR-030 Tier 4) with dynamical systems analysis. Detects phase-space attractor shifts that indicate biomechanical regime changes before they manifest as simple metric drift.
### 6.5 Fallback Strategy
The QUIC transport layer is additive, not a replacement:
- **ESP32-S3 nodes**: Continue using manual HMAC/SipHash over UDP (Sections 2.1--2.2). These devices lack the memory for a full TLS 1.3 stack.
- **Aggregator nodes**: Use `midstreamer-quic` by default. Fall back to manual crypto if QUIC handshake fails (e.g., network partitions).
- **Mixed deployments**: The aggregator auto-detects whether an incoming connection is QUIC (by TLS ClientHello) or plain UDP (by magic byte) and routes accordingly.
### 6.6 Acceptance Criteria (QUIC)
| ID | Criterion | Test Method |
|----|-----------|-------------|
| Q-1 | QUIC connection established between two nodes within 100ms | Integration test: connect, measure handshake time |
| Q-2 | Beacon stream delivers beacons with < 1ms jitter | Unit test: send 1000 beacons, measure inter-arrival variance |
| Q-3 | CSI stream achieves >= 95% of plain UDP throughput | Benchmark: criterion comparison |
| Q-4 | Connection migration succeeds after simulated IP change | Integration test: rebind, verify stream continuity |
| Q-5 | Fallback to manual crypto when QUIC unavailable | Unit test: reject QUIC, verify ManualCrypto path |
| Q-6 | SecurityMode::ManualCrypto produces identical wire format to ADR-032 original | Unit test: byte-level comparison |
---
## 7. Related ADRs
| ADR | Relationship |
|-----|-------------|
| ADR-029 (RuvSense Multistatic) | **Hardened**: TDM beacon and CSI frame authentication, NDP rate limiting, QUIC transport |
| ADR-030 (Persistent Field Model) | **Protected**: Coherence gate timeout; transition log bounded; gesture DTW enhanced (midstreamer-temporal-compare); drift detection enhanced (midstreamer-attractor) |
| ADR-031 (RuView RF Mode) | **Hardened**: Authenticated beacons protect cross-viewpoint synchronization via QUIC streams |
| ADR-018 (ESP32 Implementation) | **Extended**: CSI frame header bumped to v2 with SipHash tag; backward-compatible magic check |
| ADR-012 (ESP32 Mesh) | **Hardened**: Mesh key management, NVS credential zeroing, atomic firmware state, QUIC connection migration |
---
## 8. References
1. Aumasson, J.-P. & Bernstein, D.J. (2012). "SipHash: a fast short-input PRF." INDOCRYPT 2012.
2. Krawczyk, H. et al. (1997). "HMAC: Keyed-Hashing for Message Authentication." RFC 2104.
3. ESP-IDF mbedtls SHA256 hardware acceleration. Espressif Documentation.
4. Espressif. "ESP32-S3 Technical Reference Manual." Section 26: SHA Accelerator.
5. Turner, J. (2006). "Token Bucket Rate Limiting." RFC 2697 (adapted).
6. ADR-029 through ADR-031 (internal).
7. `midstreamer-quic` v0.1.0 -- QUIC multi-stream support. crates.io.
8. `midstreamer-scheduler` v0.1.0 -- Ultra-low-latency real-time task scheduler. crates.io.
9. `midstreamer-temporal-compare` v0.1.0 -- Temporal sequence comparison. crates.io.
10. `midstreamer-attractor` v0.1.0 -- Dynamical systems analysis. crates.io.
11. Iyengar, J. & Thomson, M. (2021). "QUIC: A UDP-Based Multiplexed and Secure Transport." RFC 9000.
api-docs/adr/ADR-033-crv-signal-line-sensing-integration.md
+740
View File
@@ -0,0 +1,740 @@
# ADR-033: CRV Signal Line Sensing Integration -- Mapping 6-Stage Coordinate Remote Viewing to WiFi-DensePose Pipeline
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-01 |
| **Deciders** | ruv |
| **Codename** | **CRV-Sense** -- Coordinate Remote Viewing Signal Line for WiFi Sensing |
| **Relates to** | ADR-016 (RuVector Integration), ADR-017 (RuVector Signal+MAT), ADR-024 (AETHER Embeddings), ADR-029 (RuvSense Multistatic), ADR-030 (Persistent Field Model), ADR-031 (RuView Viewpoint Fusion), ADR-032 (Mesh Security) |
---
## 1. Context
### 1.1 The CRV Signal Line Methodology
Coordinate Remote Viewing (CRV) is a structured 6-stage protocol that progressively refines perception from coarse gestalt impressions (Stage I) through sensory details (Stage II), spatial dimensions (Stage III), noise separation (Stage IV), cross-referencing interrogation (Stage V), to a final composite 3D model (Stage VI). The `ruvector-crv` crate (v0.1.1, published on crates.io) maps these 6 stages to vector database subsystems: Poincare ball embeddings, multi-head attention, GNN graph topology, SNN temporal encoding, differentiable search, and MinCut partitioning.
The WiFi-DensePose sensing pipeline follows a strikingly similar progressive refinement:
1. Raw CSI arrives as an undifferentiated signal -- the system must first classify the gestalt character of the RF environment.
2. Per-subcarrier amplitude/phase/frequency features are extracted -- analogous to sensory impressions.
3. The AP mesh forms a spatial topology with node positions and link geometry -- a dimensional sketch.
4. Coherence gating separates valid signal from noise and interference -- analytically overlaid artifacts must be detected and removed.
5. Pose estimation queries earlier CSI features for cross-referencing -- interrogation of the accumulated evidence.
6. Final multi-person partitioning produces the composite DensePose output -- the 3D model.
This structural isomorphism is not accidental. Both CRV and WiFi sensing solve the same abstract problem: extract structured information from a noisy, high-dimensional signal space through progressive refinement with explicit noise separation.
### 1.2 The ruvector-crv Crate (v0.1.1)
The `ruvector-crv` crate provides the following public API:
| Component | Purpose | Upstream Dependency |
|-----------|---------|-------------------|
| `CrvSessionManager` | Session lifecycle: create, add stage data, convergence analysis | -- |
| `StageIEncoder` | Poincare ball hyperbolic embeddings for gestalt primitives | -- (internal hyperbolic math) |
| `StageIIEncoder` | Multi-head attention for sensory vectors | `ruvector-attention` |
| `StageIIIEncoder` | GNN graph topology encoding | `ruvector-gnn` |
| `StageIVEncoder` | SNN temporal encoding for AOL (Analytical Overlay) detection | -- (internal SNN) |
| `StageVEngine` | Differentiable search and cross-referencing | -- (internal soft attention) |
| `StageVIModeler` | MinCut partitioning for composite model | `ruvector-mincut` |
| `ConvergenceResult` | Cross-session agreement analysis | -- |
| `CrvConfig` | Configuration (384-d default, curvature, AOL threshold, SNN params) | -- |
Key types: `GestaltType` (Manmade/Natural/Movement/Energy/Water/Land), `SensoryModality` (Texture/Color/Temperature/Sound/...), `AOLDetection` (content + anomaly score), `SignalLineProbe` (query + attention weights), `TargetPartition` (MinCut cluster + centroid).
### 1.3 What Already Exists in WiFi-DensePose
The following modules already implement pieces of the pipeline that CRV stages map onto:
| Existing Module | Location | Relevant CRV Stage |
|----------------|----------|-------------------|
| `multiband.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage I (gestalt from multi-band CSI) |
| `phase_align.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage II (phase feature extraction) |
| `multistatic.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage III (AP mesh spatial topology) |
| `coherence_gate.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage IV (signal-vs-noise separation) |
| `field_model.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage V (persistent field for querying) |
| `pose_tracker.rs` | `wifi-densepose-signal/src/ruvsense/` | Stage VI (person tracking output) |
| Viewpoint fusion | `wifi-densepose-ruvector/src/viewpoint/` | Cross-session (multi-viewpoint convergence) |
The `wifi-densepose-ruvector` crate already depends on `ruvector-crv` in its `Cargo.toml`. This ADR defines how to wrap the CRV API with WiFi-DensePose domain types.
### 1.4 The Key Insight: Cross-Session Convergence = Cross-Room Identity
CRV's convergence analysis compares independent sessions targeting the same coordinate to find agreement in their embeddings. In WiFi-DensePose, different AP clusters in different rooms are independent "viewers" of the same person. When a person moves from Room A to Room B, the CRV convergence mechanism can find agreement between the Room A embedding trail and the Room B initial embeddings -- establishing identity continuity without cameras.
---
## 2. Decision
### 2.1 The 6-Stage CRV-to-WiFi Mapping
Create a new `crv` module in the `wifi-densepose-ruvector` crate that wraps `ruvector-crv` with WiFi-DensePose domain types. Each CRV stage maps to a specific point in the sensing pipeline.
```
+-------------------------------------------------------------------+
| CRV-Sense Pipeline (6 Stages) |
+-------------------------------------------------------------------+
| |
| Raw CSI frames from ESP32 mesh (ADR-029) |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage I: CSI Gestalt Classification | |
| | CsiGestaltClassifier | |
| | Input: raw CSI frame (amplitude envelope + phase slope) | |
| | Output: GestaltType (Manmade/Natural/Movement/Energy) | |
| | Encoder: StageIEncoder (Poincare ball embedding) | |
| | Module: ruvsense/multiband.rs | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage II: CSI Sensory Feature Extraction | |
| | CsiSensoryEncoder | |
| | Input: per-subcarrier CSI | |
| | Output: amplitude textures, phase patterns, freq colors | |
| | Encoder: StageIIEncoder (multi-head attention vectors) | |
| | Module: ruvsense/phase_align.rs | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage III: AP Mesh Spatial Topology | |
| | MeshTopologyEncoder | |
| | Input: node positions, link SNR, baseline distances | |
| | Output: GNN graph embedding of mesh geometry | |
| | Encoder: StageIIIEncoder (GNN topology) | |
| | Module: ruvsense/multistatic.rs | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage IV: Coherence Gating (AOL Detection) | |
| | CoherenceAolDetector | |
| | Input: phase coherence scores, gate decisions | |
| | Output: AOL-flagged frames removed, clean signal kept | |
| | Encoder: StageIVEncoder (SNN temporal encoding) | |
| | Module: ruvsense/coherence_gate.rs | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage V: Pose Interrogation | |
| | PoseInterrogator | |
| | Input: pose hypothesis + accumulated CSI features | |
| | Output: soft attention over CSI history, top candidates | |
| | Engine: StageVEngine (differentiable search) | |
| | Module: ruvsense/field_model.rs | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Stage VI: Multi-Person Partitioning | |
| | PersonPartitioner | |
| | Input: all person embedding clusters | |
| | Output: MinCut-separated person partitions + centroids | |
| | Modeler: StageVIModeler (MinCut partitioning) | |
| | Module: training pipeline (ruvector-mincut) | |
| +----------------------------+-----------------------------+ |
| | |
| v |
| +----------------------------------------------------------+ |
| | Cross-Session: Multi-Room Convergence | |
| | MultiViewerConvergence | |
| | Input: per-room embedding trails for candidate persons | |
| | Output: cross-room identity matches + confidence | |
| | Engine: CrvSessionManager::find_convergence() | |
| | Module: ruvsense/cross_room.rs | |
| +----------------------------------------------------------+ |
+-------------------------------------------------------------------+
```
### 2.2 Stage I: CSI Gestalt Classification
**CRV mapping:** Stage I ideograms classify the target's fundamental character (Manmade/Natural/Movement/Energy). In WiFi sensing, the raw CSI frame's amplitude envelope shape and phase slope direction provide an analogous gestalt classification of the RF environment.
**WiFi domain types:**
```rust
/// CSI-domain gestalt types mapped from CRV GestaltType.
///
/// The CRV taxonomy maps to RF phenomenology:
/// - Manmade: structured multipath (walls, furniture, metallic reflectors)
/// - Natural: diffuse scattering (vegetation, irregular surfaces)
/// - Movement: Doppler-shifted components (human motion, fan, pet)
/// - Energy: high-amplitude transients (microwave, motor, interference)
/// - Water: slow fading envelope (humidity change, condensation)
/// - Land: static baseline (empty room, no perturbation)
pub struct CsiGestaltClassifier {
encoder: StageIEncoder,
config: CrvConfig,
}
impl CsiGestaltClassifier {
/// Classify a raw CSI frame into a gestalt type.
///
/// Extracts three features from the CSI frame:
/// 1. Amplitude envelope shape (ideogram stroke analog)
/// 2. Phase slope direction (spontaneous descriptor analog)
/// 3. Subcarrier correlation structure (classification signal)
///
/// Returns a Poincare ball embedding (384-d by default) encoding
/// the hierarchical gestalt taxonomy with exponentially less
/// distortion than Euclidean space.
pub fn classify(&self, csi_frame: &CsiFrame) -> CrvResult<(GestaltType, Vec<f32>)>;
}
```
**Integration point:** `ruvsense/multiband.rs` already processes multi-band CSI. The `CsiGestaltClassifier` wraps this with Poincare ball embedding via `StageIEncoder`, producing a hyperbolic embedding that captures the gestalt hierarchy.
### 2.3 Stage II: CSI Sensory Feature Extraction
**CRV mapping:** Stage II collects sensory impressions (texture, color, temperature). In WiFi sensing, the per-subcarrier CSI features are the sensory modalities:
| CRV Sensory Modality | WiFi CSI Analog |
|----------------------|-----------------|
| Texture | Amplitude variance pattern across subcarriers (smooth vs rough surface reflection) |
| Color | Frequency-domain spectral shape (which subcarriers carry the most energy) |
| Temperature | Phase drift rate (thermal expansion changes path length) |
| Luminosity | Overall signal power level (SNR) |
| Dimension | Delay spread (multipath extent maps to room size) |
**WiFi domain types:**
```rust
pub struct CsiSensoryEncoder {
encoder: StageIIEncoder,
}
impl CsiSensoryEncoder {
/// Extract sensory features from per-subcarrier CSI data.
///
/// Maps CSI signal characteristics to CRV sensory modalities:
/// - Amplitude variance -> Texture
/// - Spectral shape -> Color
/// - Phase drift rate -> Temperature
/// - Signal power -> Luminosity
/// - Delay spread -> Dimension
///
/// Uses multi-head attention (ruvector-attention) to produce
/// a unified sensory embedding that captures cross-modality
/// correlations.
pub fn encode(&self, csi_subcarriers: &SubcarrierData) -> CrvResult<Vec<f32>>;
}
```
**Integration point:** `ruvsense/phase_align.rs` already computes per-subcarrier phase features. The `CsiSensoryEncoder` maps these to `StageIIData` sensory impressions and produces attention-weighted embeddings via `StageIIEncoder`.
### 2.4 Stage III: AP Mesh Spatial Topology
**CRV mapping:** Stage III sketches the spatial layout with geometric primitives and relationships. In WiFi sensing, the AP mesh nodes and their inter-node links form the spatial sketch:
| CRV Sketch Element | WiFi Mesh Analog |
|-------------------|-----------------|
| `SketchElement` | AP node (position, antenna orientation) |
| `GeometricKind::Point` | Single AP location |
| `GeometricKind::Line` | Bistatic link between two APs |
| `SpatialRelationship` | Link quality, baseline distance, angular separation |
**WiFi domain types:**
```rust
pub struct MeshTopologyEncoder {
encoder: StageIIIEncoder,
}
impl MeshTopologyEncoder {
/// Encode the AP mesh as a GNN graph topology.
///
/// Each AP node becomes a SketchElement with its position and
/// antenna count. Each bistatic link becomes a SpatialRelationship
/// with strength proportional to link SNR.
///
/// Uses ruvector-gnn to produce a graph embedding that captures
/// the mesh's geometric diversity index (GDI) and effective
/// viewpoint count.
pub fn encode(&self, mesh: &MultistaticArray) -> CrvResult<Vec<f32>>;
}
```
**Integration point:** `ruvsense/multistatic.rs` manages the AP mesh topology. The `MeshTopologyEncoder` translates `MultistaticArray` geometry into `StageIIIData` sketch elements and relationships, producing a GNN-encoded topology embedding via `StageIIIEncoder`.
### 2.5 Stage IV: Coherence Gating as AOL Detection
**CRV mapping:** Stage IV detects Analytical Overlay (AOL) -- moments when the analytical mind contaminates the raw signal with pre-existing assumptions. In WiFi sensing, the coherence gate (ADR-030/032) serves the same function: it detects when environmental interference, multipath changes, or hardware artifacts contaminate the CSI signal, and flags those frames for exclusion.
| CRV AOL Concept | WiFi Coherence Analog |
|-----------------|---------------------|
| AOL event | Low-coherence frame (interference, multipath shift, hardware glitch) |
| AOL anomaly score | Coherence metric (0.0 = fully incoherent, 1.0 = fully coherent) |
| AOL break (flagged, set aside) | `GateDecision::Reject` or `GateDecision::PredictOnly` |
| Clean signal line | `GateDecision::Accept` with noise multiplier |
| Forced accept after timeout | `GateDecision::ForcedAccept` (ADR-032) with inflated noise |
**WiFi domain types:**
```rust
pub struct CoherenceAolDetector {
encoder: StageIVEncoder,
}
impl CoherenceAolDetector {
/// Map coherence gate decisions to CRV AOL detection.
///
/// The SNN temporal encoding models the spike pattern of
/// coherence violations over time:
/// - Burst of low-coherence frames -> high AOL anomaly score
/// - Sustained coherence -> low anomaly score (clean signal)
/// - Single transient -> moderate score (check and continue)
///
/// Returns an embedding that encodes the temporal pattern of
/// signal quality, enabling downstream stages to weight their
/// attention based on signal cleanliness.
pub fn detect(
&self,
coherence_history: &[GateDecision],
timestamps: &[u64],
) -> CrvResult<(Vec<AOLDetection>, Vec<f32>)>;
}
```
**Integration point:** `ruvsense/coherence_gate.rs` already produces `GateDecision` values. The `CoherenceAolDetector` translates the coherence gate's temporal stream into `StageIVData` with `AOLDetection` events, and the SNN temporal encoding via `StageIVEncoder` produces an embedding of signal quality over time.
### 2.6 Stage V: Pose Interrogation via Differentiable Search
**CRV mapping:** Stage V is the interrogation phase -- probing earlier stage data with specific queries to extract targeted information. In WiFi sensing, this maps to querying the accumulated CSI feature history with a pose hypothesis to find supporting or contradicting evidence.
**WiFi domain types:**
```rust
pub struct PoseInterrogator {
engine: StageVEngine,
}
impl PoseInterrogator {
/// Cross-reference a pose hypothesis against CSI history.
///
/// Uses differentiable search (soft attention with temperature
/// scaling) to find which historical CSI frames best support
/// or contradict the current pose estimate.
///
/// Returns:
/// - Attention weights over the CSI history buffer
/// - Top-k supporting frames (highest attention)
/// - Cross-references linking pose keypoints to specific
/// CSI subcarrier features from earlier stages
pub fn interrogate(
&self,
pose_embedding: &[f32],
csi_history: &[CrvSessionEntry],
) -> CrvResult<(StageVData, Vec<f32>)>;
}
```
**Integration point:** `ruvsense/field_model.rs` maintains the persistent electromagnetic field model (ADR-030). The `PoseInterrogator` wraps this with CRV Stage V semantics -- the field model's history becomes the corpus that `StageVEngine` searches over, and the pose hypothesis becomes the probe query.
### 2.7 Stage VI: Multi-Person Partitioning via MinCut
**CRV mapping:** Stage VI produces the composite 3D model by clustering accumulated data into distinct target partitions via MinCut. In WiFi sensing, this maps to multi-person separation -- partitioning the accumulated CSI embeddings into person-specific clusters.
**WiFi domain types:**
```rust
pub struct PersonPartitioner {
modeler: StageVIModeler,
}
impl PersonPartitioner {
/// Partition accumulated embeddings into distinct persons.
///
/// Uses MinCut (ruvector-mincut) to find natural cluster
/// boundaries in the embedding space. Each partition corresponds
/// to one person, with:
/// - A centroid embedding (person signature)
/// - Member frame indices (which CSI frames belong to this person)
/// - Separation strength (how distinct this person is from others)
///
/// The MinCut value between partitions serves as a confidence
/// metric for person separation quality.
pub fn partition(
&self,
person_embeddings: &[CrvSessionEntry],
) -> CrvResult<(StageVIData, Vec<f32>)>;
}
```
**Integration point:** The training pipeline in `wifi-densepose-train` already uses `ruvector-mincut` for `DynamicPersonMatcher` (ADR-016). The `PersonPartitioner` wraps this with CRV Stage VI semantics, framing person separation as composite model construction.
### 2.8 Cross-Session Convergence: Multi-Room Identity Matching
**CRV mapping:** CRV convergence analysis compares embeddings from independent sessions targeting the same coordinate to find agreement. In WiFi-DensePose, independent AP clusters in different rooms are independent "viewers" of the same person.
**WiFi domain types:**
```rust
pub struct MultiViewerConvergence {
session_manager: CrvSessionManager,
}
impl MultiViewerConvergence {
/// Match person identities across rooms via CRV convergence.
///
/// Each room's AP cluster is modeled as an independent CRV session.
/// When a person moves from Room A to Room B:
/// 1. Room A session contains the person's embedding trail (Stages I-VI)
/// 2. Room B session begins accumulating new embeddings
/// 3. Convergence analysis finds agreement between Room A's final
/// embeddings and Room B's initial embeddings
/// 4. Agreement score above threshold establishes identity continuity
///
/// Returns ConvergenceResult with:
/// - Session pairs (room pairs) that converged
/// - Per-pair similarity scores
/// - Convergent stages (which CRV stages showed strongest agreement)
/// - Consensus embedding (merged identity signature)
pub fn match_across_rooms(
&self,
room_sessions: &[(RoomId, SessionId)],
threshold: f32,
) -> CrvResult<ConvergenceResult>;
}
```
**Integration point:** `ruvsense/cross_room.rs` already handles cross-room identity continuity (ADR-030). The `MultiViewerConvergence` wraps the existing `CrossRoomTracker` with CRV convergence semantics, using `CrvSessionManager::find_convergence()` to compute embedding agreement.
### 2.9 WifiCrvSession: Unified Pipeline Wrapper
The top-level wrapper ties all six stages into a single pipeline:
```rust
/// A WiFi-DensePose sensing session modeled as a CRV session.
///
/// Wraps CrvSessionManager with CSI-specific convenience methods.
/// Each call to process_frame() advances through all six CRV stages
/// and appends stage embeddings to the session.
pub struct WifiCrvSession {
session_manager: CrvSessionManager,
gestalt: CsiGestaltClassifier,
sensory: CsiSensoryEncoder,
topology: MeshTopologyEncoder,
coherence: CoherenceAolDetector,
interrogator: PoseInterrogator,
partitioner: PersonPartitioner,
convergence: MultiViewerConvergence,
}
impl WifiCrvSession {
/// Create a new WiFi CRV session with the given configuration.
pub fn new(config: WifiCrvConfig) -> Self;
/// Process a single CSI frame through all six CRV stages.
///
/// Returns the per-stage embeddings and the final person partitions.
pub fn process_frame(
&mut self,
frame: &CsiFrame,
mesh: &MultistaticArray,
coherence_state: &GateDecision,
pose_hypothesis: Option<&[f32]>,
) -> CrvResult<WifiCrvOutput>;
/// Find convergence across room sessions for identity matching.
pub fn find_convergence(
&self,
room_sessions: &[(RoomId, SessionId)],
threshold: f32,
) -> CrvResult<ConvergenceResult>;
}
```
---
## 3. Implementation Plan (File-Level)
### 3.1 Phase 1: CRV Module Core (New Files)
| File | Purpose | Upstream Dependency |
|------|---------|-------------------|
| `crates/wifi-densepose-ruvector/src/crv/mod.rs` | Module root, re-exports all CRV-Sense types | -- |
| `crates/wifi-densepose-ruvector/src/crv/config.rs` | `WifiCrvConfig` extending `CrvConfig` with WiFi-specific defaults (128-d instead of 384-d to match AETHER) | `ruvector-crv` |
| `crates/wifi-densepose-ruvector/src/crv/session.rs` | `WifiCrvSession` wrapping `CrvSessionManager` | `ruvector-crv` |
| `crates/wifi-densepose-ruvector/src/crv/output.rs` | `WifiCrvOutput` struct with per-stage embeddings and diagnostics | -- |
### 3.2 Phase 2: Stage Encoders (New Files)
| File | Purpose | Upstream Dependency |
|------|---------|-------------------|
| `crates/wifi-densepose-ruvector/src/crv/gestalt.rs` | `CsiGestaltClassifier` -- Stage I Poincare ball embedding | `ruvector-crv::StageIEncoder` |
| `crates/wifi-densepose-ruvector/src/crv/sensory.rs` | `CsiSensoryEncoder` -- Stage II multi-head attention | `ruvector-crv::StageIIEncoder`, `ruvector-attention` |
| `crates/wifi-densepose-ruvector/src/crv/topology.rs` | `MeshTopologyEncoder` -- Stage III GNN topology | `ruvector-crv::StageIIIEncoder`, `ruvector-gnn` |
| `crates/wifi-densepose-ruvector/src/crv/coherence.rs` | `CoherenceAolDetector` -- Stage IV SNN temporal encoding | `ruvector-crv::StageIVEncoder` |
| `crates/wifi-densepose-ruvector/src/crv/interrogation.rs` | `PoseInterrogator` -- Stage V differentiable search | `ruvector-crv::StageVEngine` |
| `crates/wifi-densepose-ruvector/src/crv/partition.rs` | `PersonPartitioner` -- Stage VI MinCut partitioning | `ruvector-crv::StageVIModeler`, `ruvector-mincut` |
### 3.3 Phase 3: Cross-Session Convergence
| File | Purpose | Upstream Dependency |
|------|---------|-------------------|
| `crates/wifi-densepose-ruvector/src/crv/convergence.rs` | `MultiViewerConvergence` -- cross-room identity matching | `ruvector-crv::CrvSessionManager` |
### 3.4 Phase 4: Integration with Existing Modules (Edits to Existing Files)
| File | Change | Notes |
|------|--------|-------|
| `crates/wifi-densepose-ruvector/src/lib.rs` | Add `pub mod crv;` | Expose new module |
| `crates/wifi-densepose-ruvector/Cargo.toml` | No change needed | `ruvector-crv` dependency already present |
| `crates/wifi-densepose-signal/src/ruvsense/multiband.rs` | Add trait impl for `CrvGestaltSource` | Allow gestalt classifier to consume multiband output |
| `crates/wifi-densepose-signal/src/ruvsense/phase_align.rs` | Add trait impl for `CrvSensorySource` | Allow sensory encoder to consume phase features |
| `crates/wifi-densepose-signal/src/ruvsense/coherence_gate.rs` | Add method to export `GateDecision` history as `Vec<AOLDetection>` | Bridge coherence gate to CRV Stage IV |
| `crates/wifi-densepose-signal/src/ruvsense/cross_room.rs` | Add `CrvConvergenceAdapter` trait impl | Bridge cross-room tracker to CRV convergence |
---
## 4. DDD Design
### 4.1 New Bounded Context: CrvSensing
**Aggregate Root: `WifiCrvSession`**
```rust
pub struct WifiCrvSession {
/// Underlying CRV session manager
session_manager: CrvSessionManager,
/// Per-stage encoders
stages: CrvStageEncoders,
/// Session configuration
config: WifiCrvConfig,
/// Running statistics for convergence quality
convergence_stats: ConvergenceStats,
}
```
**Value Objects:**
```rust
/// Output of a single frame through the 6-stage pipeline.
pub struct WifiCrvOutput {
/// Per-stage embeddings (6 vectors, one per CRV stage).
pub stage_embeddings: [Vec<f32>; 6],
/// Gestalt classification for this frame.
pub gestalt: GestaltType,
/// AOL detections (frames flagged as noise-contaminated).
pub aol_events: Vec<AOLDetection>,
/// Person partitions from Stage VI.
pub partitions: Vec<TargetPartition>,
/// Processing latency per stage in microseconds.
pub stage_latencies_us: [u64; 6],
}
/// WiFi-specific CRV configuration extending CrvConfig.
pub struct WifiCrvConfig {
/// Base CRV config (dimensions, curvature, thresholds).
pub crv: CrvConfig,
/// AETHER embedding dimension (default: 128, overrides CrvConfig.dimensions).
pub aether_dim: usize,
/// Coherence threshold for AOL detection (maps to aol_threshold).
pub coherence_threshold: f32,
/// Maximum CSI history frames for Stage V interrogation.
pub max_history_frames: usize,
/// Cross-room convergence threshold (default: 0.75).
pub convergence_threshold: f32,
}
```
**Domain Events:**
```rust
pub enum CrvSensingEvent {
/// Stage I completed: gestalt classified
GestaltClassified { gestalt: GestaltType, confidence: f32 },
/// Stage IV: AOL detected (noise contamination)
AolDetected { anomaly_score: f32, flagged: bool },
/// Stage VI: Persons partitioned
PersonsPartitioned { count: usize, min_separation: f32 },
/// Cross-session: Identity matched across rooms
IdentityConverged { room_pair: (RoomId, RoomId), score: f32 },
/// Full pipeline completed for one frame
FrameProcessed { latency_us: u64, stages_completed: u8 },
}
```
### 4.2 Integration with Existing Bounded Contexts
**Signal (wifi-densepose-signal):** New traits `CrvGestaltSource` and `CrvSensorySource` allow the CRV module to consume signal processing outputs without tight coupling. The signal crate does not depend on the CRV crate -- the dependency flows one direction only.
**Training (wifi-densepose-train):** The `PersonPartitioner` (Stage VI) produces the same MinCut partitions as the existing `DynamicPersonMatcher`. A shared trait `PersonSeparator` allows both to be used interchangeably.
**Hardware (wifi-densepose-hardware):** No changes. The CRV module consumes CSI frames after they have been received and parsed by the hardware layer.
---
## 5. RuVector Integration Map
All seven `ruvector` crates exercised by the CRV-Sense integration:
| CRV Stage | ruvector Crate | API Used | WiFi-DensePose Role |
|-----------|---------------|----------|-------------------|
| I (Gestalt) | -- (internal Poincare math) | `StageIEncoder::encode()` | Hyperbolic embedding of CSI gestalt taxonomy |
| II (Sensory) | `ruvector-attention` | `StageIIEncoder::encode()` | Multi-head attention over subcarrier features |
| III (Dimensional) | `ruvector-gnn` | `StageIIIEncoder::encode()` | GNN encoding of AP mesh topology |
| IV (AOL) | -- (internal SNN) | `StageIVEncoder::encode()` | SNN temporal encoding of coherence violations |
| V (Interrogation) | -- (internal soft attention) | `StageVEngine::search()` | Differentiable search over field model history |
| VI (Composite) | `ruvector-mincut` | `StageVIModeler::partition()` | MinCut person separation |
| Convergence | -- (cosine similarity) | `CrvSessionManager::find_convergence()` | Cross-room identity matching |
Additionally, the CRV module benefits from existing ruvector integrations already in the workspace:
| Existing Integration | ADR | CRV Stage Benefit |
|---------------------|-----|-------------------|
| `ruvector-attn-mincut` in `spectrogram.rs` | ADR-016 | Stage II (subcarrier attention for sensory features) |
| `ruvector-temporal-tensor` in `dataset.rs` | ADR-016 | Stage IV (compressed coherence history buffer) |
| `ruvector-solver` in `subcarrier.rs` | ADR-016 | Stage III (sparse interpolation for mesh topology) |
| `ruvector-attention` in `model.rs` | ADR-016 | Stage V (spatial attention for pose interrogation) |
| `ruvector-mincut` in `metrics.rs` | ADR-016 | Stage VI (person matching baseline) |
---
## 6. Acceptance Criteria
### 6.1 Stage I: CSI Gestalt Classification
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S1-1 | `CsiGestaltClassifier::classify()` returns a valid `GestaltType` for any well-formed CSI frame | Unit test: feed 100 synthetic CSI frames, verify all return one of 6 gestalt types |
| S1-2 | Poincare ball embedding has correct dimensionality (matching `WifiCrvConfig.aether_dim`) | Unit test: verify `embedding.len() == config.aether_dim` |
| S1-3 | Embedding norm is strictly less than 1.0 (Poincare ball constraint) | Unit test: verify L2 norm < 1.0 for all outputs |
| S1-4 | Movement gestalt is classified for CSI frames with Doppler signature | Unit test: synthetic Doppler-shifted CSI -> `GestaltType::Movement` |
| S1-5 | Energy gestalt is classified for CSI frames with transient interference | Unit test: synthetic interference burst -> `GestaltType::Energy` |
### 6.2 Stage II: CSI Sensory Features
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S2-1 | `CsiSensoryEncoder::encode()` produces embedding of correct dimensionality | Unit test: verify output length |
| S2-2 | Amplitude variance maps to Texture modality in `StageIIData.impressions` | Unit test: verify Texture entry present for non-flat amplitude |
| S2-3 | Phase drift rate maps to Temperature modality | Unit test: inject linear phase drift, verify Temperature entry |
| S2-4 | Multi-head attention weights sum to 1.0 per head | Unit test: verify softmax normalization |
### 6.3 Stage III: AP Mesh Topology
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S3-1 | `MeshTopologyEncoder::encode()` produces one `SketchElement` per AP node | Unit test: 4-node mesh produces 4 sketch elements |
| S3-2 | `SpatialRelationship` count equals number of bistatic links | Unit test: 4 nodes -> 6 links (fully connected) or configured subset |
| S3-3 | Relationship strength is proportional to link SNR | Unit test: verify monotonic relationship between SNR and strength |
| S3-4 | GNN embedding changes when node positions change | Unit test: perturb one node position, verify embedding changes |
### 6.4 Stage IV: Coherence AOL Detection
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S4-1 | `CoherenceAolDetector::detect()` flags low-coherence frames as AOL events | Unit test: inject 10 `GateDecision::Reject` frames, verify 10 `AOLDetection` entries |
| S4-2 | Anomaly score correlates with coherence violation burst length | Unit test: burst of 5 violations scores higher than isolated violation |
| S4-3 | `GateDecision::Accept` frames produce no AOL detections | Unit test: all-accept history produces empty AOL list |
| S4-4 | SNN temporal encoding respects refractory period | Unit test: two violations within `refractory_period_ms` produce single spike |
| S4-5 | `GateDecision::ForcedAccept` (ADR-032) maps to AOL with moderate score | Unit test: forced accept frames flagged but not at max anomaly score |
### 6.5 Stage V: Pose Interrogation
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S5-1 | `PoseInterrogator::interrogate()` returns attention weights over CSI history | Unit test: history of 50 frames produces 50 attention weights summing to 1.0 |
| S5-2 | Top-k candidates are the highest-attention frames | Unit test: verify `top_candidates` indices correspond to highest `attention_weights` |
| S5-3 | Cross-references link correct stage numbers | Unit test: verify `from_stage` and `to_stage` are in [1..6] |
| S5-4 | Empty history returns empty probe results | Unit test: empty `csi_history` produces zero candidates |
### 6.6 Stage VI: Person Partitioning
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S6-1 | `PersonPartitioner::partition()` separates two well-separated embedding clusters into two partitions | Unit test: two Gaussian clusters with distance > 5 sigma -> two partitions |
| S6-2 | Each partition has a centroid embedding of correct dimensionality | Unit test: verify centroid length matches config |
| S6-3 | `separation_strength` (MinCut value) is positive for distinct persons | Unit test: verify separation_strength > 0.0 |
| S6-4 | Single-person scenario produces exactly one partition | Unit test: single cluster -> one partition |
| S6-5 | Partition `member_entries` indices are non-overlapping and exhaustive | Unit test: union of all member entries covers all input frames |
### 6.7 Cross-Session Convergence
| ID | Criterion | Test Method |
|----|-----------|-------------|
| C-1 | `MultiViewerConvergence::match_across_rooms()` returns positive score for same person in two rooms | Unit test: inject same embedding trail into two room sessions, verify score > threshold |
| C-2 | Different persons in different rooms produce score below threshold | Unit test: inject distinct embedding trails, verify score < threshold |
| C-3 | `convergent_stages` identifies the stage with highest cross-room agreement | Unit test: make Stage I embeddings identical, others random, verify Stage I in convergent_stages |
| C-4 | `consensus_embedding` has correct dimensionality when convergence succeeds | Unit test: verify consensus embedding length on successful match |
| C-5 | Threshold parameter is respected (no matches below threshold) | Unit test: set threshold to 0.99, verify only near-identical sessions match |
### 6.8 End-to-End Pipeline
| ID | Criterion | Test Method |
|----|-----------|-------------|
| E-1 | `WifiCrvSession::process_frame()` returns `WifiCrvOutput` with all 6 stage embeddings populated | Integration test: process 10 synthetic frames, verify 6 non-empty embeddings per frame |
| E-2 | Total pipeline latency < 5 ms per frame on x86 host | Benchmark: process 1000 frames, verify p95 latency < 5 ms |
| E-3 | Pipeline handles missing pose hypothesis gracefully (Stage V skipped or uses default) | Unit test: pass `None` for pose_hypothesis, verify no panic and output is valid |
| E-4 | Pipeline handles empty mesh (single AP) without panic | Unit test: single-node mesh produces valid output with degenerate Stage III |
| E-5 | Session state accumulates across frames (Stage V history grows) | Unit test: process 50 frames, verify Stage V candidate count increases |
---
## 7. Consequences
### 7.1 Positive
- **Structured pipeline formalization**: The 6-stage CRV mapping provides a principled progressive refinement structure for the WiFi sensing pipeline, making the data flow explicit and each stage independently testable.
- **Cross-room identity without cameras**: CRV convergence analysis provides a mathematically grounded mechanism for matching person identities across AP clusters in different rooms, using only RF embeddings.
- **Noise separation as first-class concept**: Mapping coherence gating to CRV Stage IV (AOL detection) elevates noise separation from an implementation detail to a core architectural stage with its own embedding and temporal model.
- **Hyperbolic embeddings for gestalt hierarchy**: The Poincare ball embedding for Stage I captures the hierarchical RF environment taxonomy (Manmade > structural multipath, Natural > diffuse scattering, etc.) with exponentially less distortion than Euclidean space.
- **Reuse of ruvector ecosystem**: All seven ruvector crates are exercised through a single unified abstraction, maximizing the return on the existing ruvector integration (ADR-016).
- **No new external dependencies**: `ruvector-crv` is already a workspace dependency in `wifi-densepose-ruvector/Cargo.toml`. This ADR adds only new Rust source files.
### 7.2 Negative
- **Abstraction overhead**: The CRV stage mapping adds a layer of indirection over the existing signal processing pipeline. Each stage wrapper must translate between WiFi domain types and CRV types, adding code that could be a maintenance burden if the mapping proves ill-fitted.
- **Dimensional mismatch**: `ruvector-crv` defaults to 384 dimensions; AETHER embeddings (ADR-024) use 128 dimensions. The `WifiCrvConfig` overrides this, but encoder behavior at non-default dimensionality must be validated.
- **SNN overhead**: The Stage IV SNN temporal encoder adds per-frame computation for spike train simulation. On embedded targets (ESP32), this may exceed the 50 ms frame budget. Initial deployment is host-side only (aggregator, not firmware).
- **Convergence false positives**: Cross-room identity matching via embedding similarity may produce false matches for persons with similar body types and movement patterns in similar room geometries. Temporal proximity constraints (from ADR-030) are required to bound the false positive rate.
- **Testing complexity**: Six stages with independent encoders and a cross-session convergence layer require a comprehensive test matrix. The acceptance criteria in Section 6 define 30+ individual test cases.
### 7.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| Poincare ball embedding unstable at boundary (norm approaching 1.0) | Medium | NaN propagation through pipeline | Clamp norm to 0.95 in `CsiGestaltClassifier`; add norm assertion in test suite |
| GNN encoder too slow for real-time mesh topology updates | Low | Stage III becomes bottleneck | Cache topology embedding; only recompute on node geometry change (rare) |
| SNN refractory period too short for 20 Hz coherence gate | Medium | False AOL detections at frame boundaries | Tune `refractory_period_ms` to match frame interval (50 ms) in `WifiCrvConfig` defaults |
| Cross-room convergence threshold too permissive | Medium | False identity matches across rooms | Default threshold 0.75 is conservative; ADR-030 temporal proximity constraint (<60s) adds second guard |
| MinCut partitioning produces too many or too few person clusters | Medium | Person count mismatch | Use expected person count hint (from occupancy detector) as MinCut constraint |
| CRV abstraction becomes tech debt if mapping proves poor fit | Low | Code removed in future ADR | All CRV code in isolated `crv` module; can be removed without affecting existing pipeline |
---
## 8. Related ADRs
| ADR | Relationship |
|-----|-------------|
| ADR-016 (RuVector Integration) | **Extended**: All 5 original ruvector crates plus `ruvector-crv` and `ruvector-gnn` now exercised through CRV pipeline |
| ADR-017 (RuVector Signal+MAT) | **Extended**: Signal processing outputs from ADR-017 feed into CRV Stages I-II |
| ADR-024 (AETHER Embeddings) | **Consumed**: Per-viewpoint AETHER 128-d embeddings are the representation fed into CRV stages |
| ADR-029 (RuvSense Multistatic) | **Extended**: Multistatic mesh topology encoded as CRV Stage III; TDM frames are the input to Stage I |
| ADR-030 (Persistent Field Model) | **Extended**: Field model history serves as the Stage V interrogation corpus; cross-room tracker bridges to CRV convergence |
| ADR-031 (RuView Viewpoint Fusion) | **Complementary**: RuView fuses viewpoints within a room; CRV convergence matches identities across rooms |
| ADR-032 (Mesh Security) | **Consumed**: Authenticated beacons and frame integrity (ADR-032) ensure CRV Stage IV AOL detection reflects genuine signal quality, not spoofed frames |
---
## 9. References
1. Swann, I. (1996). "Remote Viewing: The Real Story." Self-published manuscript. (Original CRV protocol documentation.)
2. Smith, P. H. (2005). "Reading the Enemy's Mind: Inside Star Gate, America's Psychic Espionage Program." Tom Doherty Associates.
3. Nickel, M. & Kiela, D. (2017). "Poincare Embeddings for Learning Hierarchical Representations." NeurIPS 2017.
4. Kipf, T. N. & Welling, M. (2017). "Semi-Supervised Classification with Graph Convolutional Networks." ICLR 2017.
5. Maass, W. (1997). "Networks of Spiking Neurons: The Third Generation of Neural Network Models." Neural Networks, 10(9):1659-1671.
6. Stoer, M. & Wagner, F. (1997). "A Simple Min-Cut Algorithm." Journal of the ACM, 44(4):585-591.
7. `ruvector-crv` v0.1.1. https://crates.io/crates/ruvector-crv
8. `ruvector-attention` v2.0. https://crates.io/crates/ruvector-attention
9. `ruvector-gnn` v2.0.1. https://crates.io/crates/ruvector-gnn
10. `ruvector-mincut` v2.0.1. https://crates.io/crates/ruvector-mincut
11. Geng, J. et al. (2023). "DensePose From WiFi." arXiv:2301.00250.
12. ADR-016 through ADR-032 (internal).
api-docs/adr/ADR-034-expo-mobile-app.md
+688
View File
@@ -0,0 +1,688 @@
# ADR-034: Expo React Native Mobile Application
| Field | Value |
|-------|-------|
| **Status** | Accepted |
| **Date** | 2026-03-02 |
| **Deciders** | MaTriXy, rUv |
| **Codename** | **FieldView** -- Mobile Companion for WiFi-DensePose Field Deployment |
| **Relates to** | ADR-019 (Sensing-Only UI Mode), ADR-021 (Vital Sign Detection), ADR-026 (Survivor Track Lifecycle), ADR-029 (RuvSense Multistatic), ADR-031 (RuView Sensing-First RF), ADR-032 (Mesh Security) |
---
## 1. Context
### 1.1 Need for a Mobile Companion
WiFi-DensePose is a WiFi-based human pose estimation system using Channel State Information (CSI) from ESP32 mesh nodes. The existing web UI (`ui/`) serves desktop browsers but is not optimized for mobile form factors. Three deployment scenarios demand a purpose-built mobile application:
1. **Disaster response (WiFi-MAT)**: First responders deploying ESP32 mesh nodes in collapsed structures need a portable device to visualize survivor detections, breathing/heart rate vitals, and zone maps in real time. A laptop is impractical in rubble fields.
2. **Building security**: Security operators patrolling a facility need a handheld display showing occupancy by zone, movement alerts, and historical patterns. The phone in their pocket is the natural form factor.
3. **Healthcare monitoring**: Clinical staff monitoring patients via CSI-based contactless vitals need a tablet view at the bedside or nurse station, with gauges for breathing rate and heart rate that update in real time.
In all three scenarios, the mobile device does not communicate with ESP32 nodes directly. Instead, a Rust sensing server (`wifi-densepose-sensing-server`, ADR-031) aggregates ESP32 UDP streams and exposes a WebSocket API. The mobile app connects to this server over local WiFi.
### 1.2 Technology Selection Rationale
| Requirement | Decision | Rationale |
|-------------|----------|-----------|
| Cross-platform (iOS + Android + Web) | Expo SDK 55 + React Native 0.83 | Single codebase, managed workflow, OTA updates |
| Real-time streaming | WebSocket (ws://host:3001/ws/sensing) | Sub-100ms latency from CSI capture to mobile display |
| 3D visualization | Three.js Gaussian splat via WebView | Reuses existing `ui/` Three.js splat renderer; avoids native OpenGL binding |
| State management | Zustand | Minimal boilerplate, React-concurrent safe, selector-based re-renders |
| Persistence | AsyncStorage | Built into Expo, sufficient for settings and small cached state |
| Navigation | react-navigation v7 (bottom tabs) | Standard React Native navigation; 5-tab layout fits mobile ergonomics |
| WiFi RSSI scanning | Platform-specific (Android: react-native-wifi-reborn, iOS: CoreWLAN stub, Web: synthetic) | No cross-platform WiFi scanning API exists; platform modules are required |
| E2E testing | Maestro YAML specs | Declarative, no Detox native build dependency, runs on CI |
| Design system | Dark theme (#0D1117 bg, #32B8C6 accent) | Matches existing `ui/` sensing dashboard aesthetic; reduces eye strain in field conditions |
### 1.3 Relationship to Existing UI
The desktop web UI (`ui/`) and the mobile app share no code at the component level, but they consume the same backend APIs:
- **WebSocket**: `ws://host:3001/ws/sensing` -- streaming SensingFrame JSON
- **REST**: `http://host:3000/api/v1/...` -- configuration, history, health
The mobile app's Three.js Gaussian splat viewer (LiveScreen) loads the same splat HTML bundle used by the desktop UI, rendered inside a WebView (native) or iframe (web).
---
## 2. Decision
Build an Expo React Native mobile application at `ui/mobile/` that provides five primary screens for field operators, connected to the Rust sensing server via WebSocket streaming. The app automatically falls back to simulated data when the sensing server is unreachable, enabling demos and offline testing.
### 2.1 Screen Architecture
```
+---------------------------------------------------------------+
| MainTabs (Bottom Tab Navigator) |
+---------------------------------------------------------------+
| |
| +----------+ +----------+ +----------+ +--------+ +-----+ |
| | Live | | Vitals | | Zones | | MAT | | Cog | |
| | (3D splat| |(breathing| |(floor | |(disaster| |(set-| |
| | + HUD) | | + heart) | | plan SVG)| |response)| |tings| |
| +----------+ +----------+ +----------+ +--------+ +-----+ |
| |
+---------------------------------------------------------------+
| ConnectionBanner (Connected / Simulated / Disconnected) |
+---------------------------------------------------------------+
```
**Screen responsibilities:**
| Screen | Primary View | Data Source | Key Components |
|--------|-------------|-------------|----------------|
| **Live** | 3D Gaussian splat with 17 COCO keypoints + HUD overlay | `poseStore.latestFrame` | `GaussianSplatWebView`, `LiveHUD`, `HudOverlay` |
| **Vitals** | Breathing BPM gauge, heart rate BPM gauge, sparkline history | `poseStore.latestFrame.vital_signs` | `BreathingGauge`, `HeartRateGauge`, `MetricCard`, `SparklineChart` |
| **Zones** | Floor plan SVG with occupancy heat overlay, zone legend | `poseStore.latestFrame.persons` | `FloorPlanSvg`, `OccupancyGrid`, `ZoneLegend` |
| **MAT** | Survivor counter, zone map WebView, alert list | `matStore.survivors`, `matStore.alerts` | `SurvivorCounter`, `MatWebView`, `AlertList`, `AlertCard` |
| **Settings** | Server URL input, theme picker, RSSI toggle | `settingsStore` | `ServerUrlInput`, `ThemePicker`, `RssiToggle` |
### 2.2 State Architecture
Three Zustand stores separate concerns and prevent unnecessary re-renders:
```
+------------------------------------------------------------+
| Zustand Stores |
+------------------------------------------------------------+
| |
| poseStore |
| +--------------------------------------------------------+ |
| | connectionStatus: 'connected' | 'simulated' | 'error' | |
| | latestFrame: SensingFrame | null | |
| | frameHistory: RingBuffer<SensingFrame> | |
| | features: FeatureVector | null | |
| | persons: Person[] | |
| | vitalSigns: VitalSigns | null | |
| +--------------------------------------------------------+ |
| |
| matStore |
| +--------------------------------------------------------+ |
| | survivors: Survivor[] | |
| | alerts: MatAlert[] | |
| | events: MatEvent[] | |
| | zoneMap: ZoneMap | null | |
| +--------------------------------------------------------+ |
| |
| settingsStore (persisted via AsyncStorage) |
| +--------------------------------------------------------+ |
| | serverUrl: string (default: 'http://localhost:3000') | |
| | wsUrl: string (default: 'ws://localhost:3001') | |
| | theme: 'dark' | 'light' | |
| | rssiEnabled: boolean | |
| | simulationMode: boolean | |
| +--------------------------------------------------------+ |
| |
+------------------------------------------------------------+
```
### 2.3 Service Layer
Four services encapsulate external communication and data generation:
| Service | File | Responsibility |
|---------|------|----------------|
| `ws.service` | `src/services/ws.service.ts` | WebSocket connection lifecycle, reconnection with exponential backoff, SensingFrame parsing, dispatches to `poseStore` |
| `api.service` | `src/services/api.service.ts` | REST calls to sensing server (health check, configuration, history endpoints) |
| `rssi.service` | `src/services/rssi.service.ts` (+ platform variants) | Platform-specific WiFi RSSI scanning. Android uses `react-native-wifi-reborn`, iOS provides a CoreWLAN stub, Web generates synthetic RSSI values |
| `simulation.service` | `src/services/simulation.service.ts` | Generates synthetic SensingFrame data when the real server is unreachable. Produces realistic amplitude, phase, vital signs, and person data on a configurable tick interval |
**Platform-specific RSSI service files:**
| File | Platform | Implementation |
|------|----------|----------------|
| `rssi.service.android.ts` | Android | `react-native-wifi-reborn` native module, requires `ACCESS_FINE_LOCATION` permission |
| `rssi.service.ios.ts` | iOS | CoreWLAN stub (returns empty scan results; Apple restricts WiFi scanning to system apps) |
| `rssi.service.web.ts` | Web | Synthetic RSSI values generated from noise model |
| `rssi.service.ts` | Default | Re-exports platform-appropriate module via React Native file resolution |
### 2.4 Data Flow
```
ESP32 Mesh Nodes
|
| UDP CSI frames (ADR-029 TDM protocol)
v
+---------------------------+
| Rust Sensing Server |
| (wifi-densepose-sensing- |
| server, ADR-031) |
| |
| Aggregates ESP32 streams |
| Runs RuvSense pipeline |
| Exposes WS + REST APIs |
+---------------------------+
| |
| WebSocket | REST
| ws://host:3001 | http://host:3000
| /ws/sensing | /api/v1/...
v v
+---------------------------+
| Expo Mobile App |
| |
| ws.service |
| -> poseStore |
| -> matStore |
| |
| Screens subscribe to |
| stores via Zustand |
| selectors |
+---------------------------+
```
**Connection lifecycle:**
1. App boots. `settingsStore` loads persisted server URL from AsyncStorage.
2. `ws.service` opens WebSocket to `wsUrl/ws/sensing`.
3. On each message, `ws.service` parses the `SensingFrame` JSON and dispatches to `poseStore`.
4. If the WebSocket fails, `ws.service` retries with exponential backoff (1s, 2s, 4s, 8s, 16s max).
5. After `MAX_RECONNECT_ATTEMPTS` (5) consecutive failures, `ws.service` switches to `simulation.service`, which generates synthetic frames at 10 Hz.
6. `poseStore.connectionStatus` transitions: `connected` -> `error` -> `simulated`.
7. `ConnectionBanner` component reflects the current status on all screens.
8. If the server becomes reachable again, `ws.service` reconnects and resumes live data.
### 2.5 SensingFrame JSON Schema
The WebSocket stream delivers JSON frames matching the Rust `SensingFrame` struct:
```typescript
interface SensingFrame {
timestamp: number; // Unix epoch ms
amplitude: number[]; // Per-subcarrier amplitude (52 or 114 values)
phase: number[]; // Per-subcarrier phase (radians)
features: {
mean_amplitude: number;
std_amplitude: number;
phase_slope: number;
doppler_shift: number;
delay_spread: number;
};
classification: string; // "empty" | "single_person" | "multi_person" | "motion"
confidence: number; // 0.0 - 1.0
persons: Array<{
id: number;
keypoints: Array<[number, number, number]>; // 17 COCO keypoints [x, y, confidence]
bbox: [number, number, number, number]; // [x, y, width, height]
track_id: number;
}>;
vital_signs?: {
breathing_rate_bpm: number;
heart_rate_bpm: number;
breathing_confidence: number;
heart_confidence: number;
};
rssi?: number;
node_id?: number;
}
```
### 2.6 Three.js Gaussian Splat Rendering
The LiveScreen uses a WebView (native) or iframe (web) to render a Three.js Gaussian splat scene. This avoids native OpenGL bindings while reusing the existing splat renderer from the desktop UI.
**Native path (iOS/Android):**
- `GaussianSplatWebView.tsx` renders a `<WebView>` loading a bundled HTML page.
- The HTML page initializes a Three.js scene with Gaussian splat shaders.
- Communication between React Native and the WebView uses `postMessage` / `onMessage` bridge.
- `useGaussianBridge.ts` hook manages the bridge, sending skeleton keypoint updates as JSON.
**Web path:**
- `GaussianSplatWebView.web.tsx` (platform-specific file) renders an `<iframe>` with the same HTML bundle.
- Communication uses `window.postMessage` with origin checks.
### 2.7 Design System
| Token | Value | Usage |
|-------|-------|-------|
| `colors.background` | `#0D1117` | Primary background (dark theme) |
| `colors.surface` | `#161B22` | Card/panel backgrounds |
| `colors.border` | `#30363D` | Borders, dividers |
| `colors.accent` | `#32B8C6` | Primary accent, active tab, gauge fill |
| `colors.danger` | `#F85149` | Alerts, errors, critical vitals |
| `colors.warning` | `#D29922` | Warnings, degraded state |
| `colors.success` | `#3FB950` | Connected status, normal vitals |
| `colors.text` | `#E6EDF3` | Primary text |
| `colors.textSecondary` | `#8B949E` | Secondary/muted text |
| `typography.mono` | `Courier New` | Monospace for data values, HUD |
| `spacing.xs` | `4` | Tight spacing |
| `spacing.sm` | `8` | Small spacing |
| `spacing.md` | `16` | Medium spacing |
| `spacing.lg` | `24` | Large spacing |
| `spacing.xl` | `32` | Extra-large spacing |
The dark theme is the default and primary design target, optimized for field conditions (low ambient light, glare reduction). A light theme variant is available via the Settings screen.
### 2.8 ESP32 Integration Model
The mobile app does not communicate with ESP32 nodes directly. The architecture is:
```
ESP32 Node A ---\
ESP32 Node B ----+---> Sensing Server (Raspberry Pi / Laptop) <---> Mobile App
ESP32 Node C ---/ (local WiFi) (local WiFi)
```
- **Field deployment**: The sensing server runs on a Raspberry Pi 4 or operator laptop. All devices (ESP32 nodes, server, mobile app) connect to the same local WiFi network or a portable router.
- **Server URL**: Configurable in Settings screen. Default: `http://localhost:3000` (server) and `ws://localhost:3001/ws/sensing` (WebSocket). In field use, the operator sets this to the server's LAN IP (e.g., `http://192.168.1.100:3000`).
- **No BLE/direct connection**: ESP32 nodes use UDP broadcast for CSI frames (ADR-029). The mobile app has no UDP listener; it consumes the server's processed output.
---
## 3. Directory Structure
```
ui/mobile/
|-- App.tsx # Root component, ThemeProvider + NavigationContainer
|-- app.config.ts # Expo config (SDK 55, app name, icons, splash)
|-- app.json # Expo static config
|-- babel.config.js # Babel config (expo-router preset)
|-- eas.json # EAS Build profiles (dev, preview, production)
|-- index.ts # Entry point (registerRootComponent)
|-- jest.config.js # Jest config for unit tests
|-- jest.setup.ts # Jest setup (mock AsyncStorage, react-native modules)
|-- metro.config.js # Metro bundler config
|-- package.json # Dependencies and scripts
|-- tsconfig.json # TypeScript config (strict mode)
|
|-- assets/
| |-- android-icon-background.png # Android adaptive icon background
| |-- android-icon-foreground.png # Android adaptive icon foreground
| |-- android-icon-monochrome.png # Android monochrome icon
| |-- favicon.png # Web favicon
| |-- icon.png # App icon (1024x1024)
| |-- splash-icon.png # Splash screen icon
|
|-- e2e/ # Maestro E2E test specs
| |-- live_screen.yaml # LiveScreen: splat renders, HUD shows data
| |-- vitals_screen.yaml # VitalsScreen: gauges animate, sparklines update
| |-- zones_screen.yaml # ZonesScreen: floor plan renders, legend visible
| |-- mat_screen.yaml # MATScreen: survivor count, alerts list
| |-- settings_screen.yaml # SettingsScreen: URL input, theme toggle
| |-- offline_fallback.yaml # Simulated mode activates on server disconnect
|
|-- src/
| |-- components/ # Shared UI components (12 components)
| | |-- ConnectionBanner.tsx # Status banner: Connected/Simulated/Disconnected
| | |-- ErrorBoundary.tsx # React error boundary with fallback UI
| | |-- GaugeArc.tsx # SVG arc gauge (used by vitals)
| | |-- HudOverlay.tsx # Translucent HUD overlay for LiveScreen
| | |-- LoadingSpinner.tsx # Animated loading indicator
| | |-- ModeBadge.tsx # Badge showing current mode (Live/Sim)
| | |-- OccupancyGrid.tsx # Grid overlay for zone occupancy
| | |-- SignalBar.tsx # WiFi signal strength bar
| | |-- SparklineChart.tsx # Inline sparkline chart (SVG)
| | |-- StatusDot.tsx # Colored status dot indicator
| | |-- ThemedText.tsx # Text component with theme support
| | |-- ThemedView.tsx # View component with theme support
| |
| |-- constants/ # App-wide constants
| | |-- api.ts # REST API endpoint paths, timeouts
| | |-- simulation.ts # Simulation tick rate, data ranges
| | |-- websocket.ts # WS reconnect config, max attempts
| |
| |-- hooks/ # Custom React hooks (5 hooks)
| | |-- usePoseStream.ts # Subscribe to poseStore, manage WS lifecycle
| | |-- useRssiScanner.ts # Platform RSSI scanning with permission handling
| | |-- useServerReachability.ts # Periodic health check, reachability state
| | |-- useTheme.ts # Theme context consumer
| | |-- useWebViewBridge.ts # WebView <-> RN message bridge
| |
| |-- navigation/ # React Navigation setup
| | |-- MainTabs.tsx # Bottom tab navigator (5 tabs)
| | |-- RootNavigator.tsx # Root stack (splash -> MainTabs)
| | |-- types.ts # Navigation type definitions
| |
| |-- screens/ # Screen modules (5 screens)
| | |-- LiveScreen/
| | | |-- index.tsx # LiveScreen container
| | | |-- GaussianSplatWebView.tsx # Native: WebView 3D splat
| | | |-- GaussianSplatWebView.web.tsx # Web: iframe 3D splat
| | | |-- LiveHUD.tsx # Heads-up display overlay
| | | |-- useGaussianBridge.ts # Bridge hook for splat WebView
| | |
| | |-- VitalsScreen/
| | | |-- index.tsx # VitalsScreen container
| | | |-- BreathingGauge.tsx # Breathing rate arc gauge
| | | |-- HeartRateGauge.tsx # Heart rate arc gauge
| | | |-- MetricCard.tsx # Metric display card
| | |
| | |-- ZonesScreen/
| | | |-- index.tsx # ZonesScreen container
| | | |-- FloorPlanSvg.tsx # SVG floor plan with occupancy overlay
| | | |-- useOccupancyGrid.ts # Occupancy grid computation hook
| | | |-- ZoneLegend.tsx # Zone color legend
| | |
| | |-- MATScreen/
| | | |-- index.tsx # MATScreen container
| | | |-- SurvivorCounter.tsx # Large survivor count display
| | | |-- MatWebView.tsx # WebView for MAT zone map
| | | |-- AlertList.tsx # Scrollable alert list
| | | |-- AlertCard.tsx # Individual alert card
| | | |-- useMatBridge.ts # Bridge hook for MAT WebView
| | |
| | |-- SettingsScreen/
| | |-- index.tsx # SettingsScreen container
| | |-- ServerUrlInput.tsx # Server URL text input with validation
| | |-- ThemePicker.tsx # Dark/light theme toggle
| | |-- RssiToggle.tsx # RSSI scanning enable/disable
| |
| |-- services/ # External communication services (4 services)
| | |-- ws.service.ts # WebSocket client with reconnection
| | |-- api.service.ts # REST API client (fetch-based)
| | |-- rssi.service.ts # Default RSSI service (platform re-export)
| | |-- rssi.service.android.ts # Android RSSI via react-native-wifi-reborn
| | |-- rssi.service.ios.ts # iOS CoreWLAN stub
| | |-- rssi.service.web.ts # Web synthetic RSSI
| | |-- simulation.service.ts # Synthetic SensingFrame generator
| |
| |-- stores/ # Zustand state stores (3 stores)
| | |-- poseStore.ts # Connection state, frames, features, persons
| | |-- matStore.ts # Survivors, alerts, events, zone map
| | |-- settingsStore.ts # Server URL, theme, RSSI toggle (persisted)
| |
| |-- theme/ # Design system tokens
| | |-- index.ts # Theme re-exports
| | |-- colors.ts # Color palette (dark + light)
| | |-- spacing.ts # Spacing scale
| | |-- typography.ts # Font families and sizes
| | |-- ThemeContext.tsx # React context for theme
| |
| |-- types/ # TypeScript type definitions
| | |-- api.ts # REST API response types
| | |-- html.d.ts # HTML asset module declaration
| | |-- mat.ts # MAT domain types (Survivor, Alert, Event)
| | |-- navigation.ts # Navigation param list types
| | |-- react-native-wifi-reborn.d.ts # Type stubs for wifi-reborn
| | |-- sensing.ts # SensingFrame, Person, VitalSigns types
| |
| |-- utils/ # Utility functions
| | |-- colorMap.ts # Value-to-color mapping for gauges
| | |-- formatters.ts # Number/date formatting helpers
| | |-- ringBuffer.ts # Fixed-size ring buffer for frame history
| | |-- urlValidator.ts # Server URL validation
| |
| |-- __tests__/ # Unit tests (mirroring src/ structure)
| |-- test-utils.tsx # Test utilities, render helpers, mocks
| |-- components/ # Component unit tests (7 test files)
| |-- hooks/ # Hook unit tests (3 test files)
| |-- screens/ # Screen unit tests (5 test files)
| |-- services/ # Service unit tests (4 test files)
| |-- stores/ # Store unit tests (3 test files)
| |-- utils/ # Utility unit tests (3 test files)
```
**File count summary:**
| Category | Files |
|----------|-------|
| Source (components, screens, services, stores, hooks, utils, types, theme, navigation) | 63 `.ts`/`.tsx` files |
| Unit tests | 25 test files |
| E2E tests (Maestro) | 6 YAML specs |
| Config (babel, metro, jest, tsconfig, eas, app) | 7 config files |
| Assets | 6 image files |
| **Total** | **107 files** |
---
## 4. Implementation Plan (File-Level)
### 4.1 Phase 1: Core Infrastructure
| File | Purpose | Priority |
|------|---------|----------|
| `App.tsx` | Root component with ThemeProvider and NavigationContainer | P0 |
| `index.ts` | Expo entry point | P0 |
| `app.config.ts` | Expo SDK 55 configuration | P0 |
| `src/theme/colors.ts` | Dark and light color palettes | P0 |
| `src/theme/spacing.ts` | Spacing scale | P0 |
| `src/theme/typography.ts` | Font definitions | P0 |
| `src/theme/ThemeContext.tsx` | React context provider for theme | P0 |
| `src/navigation/MainTabs.tsx` | Bottom tab navigator with 5 tabs | P0 |
| `src/navigation/RootNavigator.tsx` | Root stack navigator | P0 |
| `src/types/sensing.ts` | SensingFrame, Person, VitalSigns type definitions | P0 |
### 4.2 Phase 2: State and Services
| File | Purpose | Priority |
|------|---------|----------|
| `src/stores/poseStore.ts` | Zustand store for connection state, frames, persons | P0 |
| `src/stores/matStore.ts` | Zustand store for MAT survivors, alerts, events | P0 |
| `src/stores/settingsStore.ts` | Zustand store with AsyncStorage persistence | P0 |
| `src/services/ws.service.ts` | WebSocket client with reconnection and dispatch | P0 |
| `src/services/api.service.ts` | REST API client | P1 |
| `src/services/simulation.service.ts` | Synthetic SensingFrame generator for fallback | P0 |
| `src/services/rssi.service.ts` | Platform RSSI re-export | P1 |
| `src/services/rssi.service.android.ts` | Android react-native-wifi-reborn integration | P1 |
| `src/services/rssi.service.ios.ts` | iOS CoreWLAN stub | P2 |
| `src/services/rssi.service.web.ts` | Web synthetic RSSI | P1 |
| `src/utils/ringBuffer.ts` | Fixed-size ring buffer for frame history | P0 |
| `src/utils/urlValidator.ts` | Server URL validation | P1 |
### 4.3 Phase 3: Shared Components
| File | Purpose | Priority |
|------|---------|----------|
| `src/components/ConnectionBanner.tsx` | Status banner across all screens | P0 |
| `src/components/GaugeArc.tsx` | SVG arc gauge for vitals | P0 |
| `src/components/SparklineChart.tsx` | Inline sparkline for history | P0 |
| `src/components/OccupancyGrid.tsx` | Grid overlay for zones | P1 |
| `src/components/StatusDot.tsx` | Colored status indicator | P1 |
| `src/components/SignalBar.tsx` | WiFi signal strength display | P1 |
| `src/components/ModeBadge.tsx` | Live/Sim mode badge | P1 |
| `src/components/ErrorBoundary.tsx` | React error boundary | P0 |
| `src/components/LoadingSpinner.tsx` | Loading state indicator | P1 |
| `src/components/ThemedText.tsx` | Themed text component | P0 |
| `src/components/ThemedView.tsx` | Themed view component | P0 |
| `src/components/HudOverlay.tsx` | Translucent HUD for Live screen | P1 |
### 4.4 Phase 4: Screens
| File | Purpose | Priority |
|------|---------|----------|
| `src/screens/LiveScreen/index.tsx` | Live 3D splat + HUD | P0 |
| `src/screens/LiveScreen/GaussianSplatWebView.tsx` | Native WebView for splat | P0 |
| `src/screens/LiveScreen/GaussianSplatWebView.web.tsx` | Web iframe for splat | P1 |
| `src/screens/LiveScreen/LiveHUD.tsx` | HUD overlay with metrics | P1 |
| `src/screens/LiveScreen/useGaussianBridge.ts` | WebView bridge hook | P0 |
| `src/screens/VitalsScreen/index.tsx` | Vitals gauges and sparklines | P0 |
| `src/screens/VitalsScreen/BreathingGauge.tsx` | Breathing rate gauge | P0 |
| `src/screens/VitalsScreen/HeartRateGauge.tsx` | Heart rate gauge | P0 |
| `src/screens/VitalsScreen/MetricCard.tsx` | Vitals metric card | P1 |
| `src/screens/ZonesScreen/index.tsx` | Floor plan with occupancy | P1 |
| `src/screens/ZonesScreen/FloorPlanSvg.tsx` | SVG floor plan renderer | P1 |
| `src/screens/ZonesScreen/useOccupancyGrid.ts` | Occupancy computation | P1 |
| `src/screens/ZonesScreen/ZoneLegend.tsx` | Zone legend | P2 |
| `src/screens/MATScreen/index.tsx` | MAT dashboard | P1 |
| `src/screens/MATScreen/SurvivorCounter.tsx` | Survivor count display | P1 |
| `src/screens/MATScreen/MatWebView.tsx` | MAT zone map WebView | P1 |
| `src/screens/MATScreen/AlertList.tsx` | Alert list | P1 |
| `src/screens/MATScreen/AlertCard.tsx` | Alert card | P2 |
| `src/screens/MATScreen/useMatBridge.ts` | MAT WebView bridge | P1 |
| `src/screens/SettingsScreen/index.tsx` | Settings form | P0 |
| `src/screens/SettingsScreen/ServerUrlInput.tsx` | Server URL input | P0 |
| `src/screens/SettingsScreen/ThemePicker.tsx` | Theme toggle | P2 |
| `src/screens/SettingsScreen/RssiToggle.tsx` | RSSI toggle | P2 |
### 4.5 Phase 5: Testing
| File | Purpose | Priority |
|------|---------|----------|
| `src/__tests__/stores/poseStore.test.ts` | Store state transitions, frame processing | P0 |
| `src/__tests__/stores/matStore.test.ts` | MAT store state management | P1 |
| `src/__tests__/stores/settingsStore.test.ts` | Persistence, defaults | P1 |
| `src/__tests__/services/ws.service.test.ts` | WS connection, reconnection, fallback | P0 |
| `src/__tests__/services/simulation.service.test.ts` | Synthetic frame generation | P1 |
| `src/__tests__/services/api.service.test.ts` | REST client mocking | P1 |
| `src/__tests__/services/rssi.service.test.ts` | Platform RSSI mocking | P2 |
| `src/__tests__/components/*.test.tsx` | Component render tests (7 files) | P1 |
| `src/__tests__/hooks/*.test.ts` | Hook behavior tests (3 files) | P1 |
| `src/__tests__/screens/*.test.tsx` | Screen integration tests (5 files) | P1 |
| `src/__tests__/utils/*.test.ts` | Utility function tests (3 files) | P1 |
| `e2e/*.yaml` | Maestro E2E specs (6 files) | P2 |
---
## 5. Acceptance Criteria
### 5.1 Build and Platform Support
| ID | Criterion | Test Method |
|----|-----------|-------------|
| B-1 | App builds successfully with `npx expo start` for iOS, Android, and Web | CI build matrix: `expo start --ios`, `--android`, `--web` |
| B-2 | App runs on iOS Simulator (iPhone 15 Pro, iOS 17+) | Manual verification on Simulator |
| B-3 | App runs on Android Emulator (API 34+) | Manual verification on Emulator |
| B-4 | App runs in web browser (Chrome 120+, Safari 17+, Firefox 120+) | Manual verification in browsers |
| B-5 | TypeScript compiles with zero errors in strict mode | `npx tsc --noEmit` in CI |
### 5.2 WebSocket and Data Streaming
| ID | Criterion | Test Method |
|----|-----------|-------------|
| W-1 | WebSocket connects to sensing server and receives SensingFrame JSON | Integration test: start server, verify `poseStore.connectionStatus === 'connected'` |
| W-2 | `poseStore.latestFrame` updates within 100ms of WebSocket message receipt | Unit test: mock WS, measure dispatch latency |
| W-3 | WebSocket reconnects with exponential backoff after connection loss | Unit test: simulate WS close, verify retry intervals (1s, 2s, 4s, 8s, 16s) |
| W-4 | Automatic fallback to simulated data within 5 seconds of connection failure | Unit test: fail WS 5 times, verify `connectionStatus === 'simulated'` within 5s |
| W-5 | App recovers gracefully from sensing server restart (reconnects without crash) | Integration test: kill server, restart, verify reconnection and `connectionStatus === 'connected'` |
### 5.3 Screen Rendering
| ID | Criterion | Test Method |
|----|-----------|-------------|
| S-1 | All 5 screens render correctly with live data from sensing server | Integration test: connect to server, navigate all tabs, verify content |
| S-2 | All 5 screens render correctly with simulated data | Unit test: set `connectionStatus = 'simulated'`, verify all screens render |
| S-3 | Vital signs gauges animate smoothly (breathing BPM, heart rate BPM) | Visual inspection: gauges update at frame rate without jank |
| S-4 | 3D Gaussian splat viewer shows skeleton with 17 COCO keypoints | Integration test: verify WebView loads, bridge sends keypoints, splat renders |
| S-5 | Floor plan SVG updates with occupancy data when persons are detected | Unit test: inject 3 persons into poseStore, verify 3 markers on FloorPlanSvg |
| S-6 | MAT dashboard shows survivor count, zone map, and alert list | Unit test: inject matStore data, verify SurvivorCounter and AlertList render |
| S-7 | Connection banner shows correct status text and color for all 3 states | Unit test: cycle through `connected`/`simulated`/`error`, verify banner text and color |
### 5.4 Persistence and Settings
| ID | Criterion | Test Method |
|----|-----------|-------------|
| P-1 | Settings persist across app restarts (server URL, theme, RSSI toggle) | Integration test: set values, kill app, restart, verify values restored |
| P-2 | Default server URL is `http://localhost:3000` when no persisted value exists | Unit test: clear AsyncStorage, verify default |
| P-3 | Server URL input validates format before saving | Unit test: submit `not-a-url`, verify rejection; submit `http://192.168.1.1:3000`, verify acceptance |
### 5.5 Navigation and UX
| ID | Criterion | Test Method |
|----|-----------|-------------|
| N-1 | Bottom tab navigation works with correct icons for all 5 tabs | E2E: Maestro navigates all tabs, verifies active state |
| N-2 | Dark theme renders correctly on all platforms (background #0D1117, accent #32B8C6) | Visual inspection on iOS, Android, Web |
| N-3 | No infinite render loops or memory leaks in stores | Unit test: mount all screens, process 1000 frames, verify no memory growth beyond ring buffer size |
| N-4 | ErrorBoundary catches and displays fallback UI for component errors | Unit test: throw in child component, verify fallback renders |
### 5.6 Platform-Specific Features
| ID | Criterion | Test Method |
|----|-----------|-------------|
| R-1 | RSSI scanning works on Android with react-native-wifi-reborn | Manual test on Android device with location permission granted |
| R-2 | iOS RSSI service returns empty results without crashing | Unit test: call `scanNetworks()` on iOS, verify empty array returned |
| R-3 | Web RSSI service generates synthetic RSSI values | Unit test: call `scanNetworks()` on web, verify synthetic data returned |
### 5.7 Testing
| ID | Criterion | Test Method |
|----|-----------|-------------|
| T-1 | All unit tests pass (`npm test` exits 0) | CI: `cd ui/mobile && npm test` |
| T-2 | E2E Maestro tests pass for all 5 screens | CI: `maestro test e2e/` |
| T-3 | E2E offline fallback test passes (simulated mode activates on disconnect) | CI: `maestro test e2e/offline_fallback.yaml` |
| T-4 | No TypeScript type errors | CI: `npx tsc --noEmit` |
---
## 6. Consequences
### 6.1 Positive
- **Single codebase for three platforms**: Expo SDK 55 with React Native 0.83 builds iOS, Android, and Web from the same TypeScript source, reducing development and maintenance cost by approximately 60% compared to separate native apps.
- **Instant field deployment**: Operators can install the app via Expo Go (development) or EAS Build (production) and connect to a local sensing server within minutes. No server-side mobile infrastructure required.
- **Sub-100ms display latency**: WebSocket streaming from the Rust sensing server to the mobile app introduces less than 100ms additional latency beyond the CSI processing pipeline, providing near-real-time visualization.
- **Offline-capable demos**: The simulation service generates realistic synthetic SensingFrame data, enabling demonstrations to stakeholders and testing without ESP32 hardware or a running sensing server.
- **Operator-friendly UX**: Five purpose-built screens cover the primary use cases (live view, vitals, zones, MAT, settings) with a bottom-tab navigation pattern familiar to mobile users.
- **Testable architecture**: Zustand stores with selector-based subscriptions, service-layer abstraction, and Maestro E2E specs provide a comprehensive testing strategy from unit to integration to end-to-end.
- **Reuses existing infrastructure**: The app consumes the same WebSocket and REST APIs as the desktop UI, requiring no backend changes. The Three.js splat renderer is reused via WebView.
### 6.2 Negative
- **WebView-based 3D rendering has lower performance than native OpenGL**: The Gaussian splat viewer runs inside a WebView (native) or iframe (web), adding a JavaScript-to-native bridge hop and limiting frame rate to approximately 30 FPS on mid-range devices. Native OpenGL or Metal/Vulkan rendering would achieve 60 FPS but requires platform-specific code.
- **react-native-wifi-reborn requires native module linking for Android RSSI**: This breaks the pure Expo managed workflow for Android builds. EAS Build with a custom development client is required. iOS RSSI scanning is not possible at all due to Apple restrictions.
- **Expo managed workflow limits some native module access**: Certain native APIs (background location, Bluetooth LE, raw WiFi frames) are not available without ejecting to a bare workflow. This constrains future features like Bluetooth mesh fallback.
- **WebView bridge latency**: Communication between React Native and the Three.js WebView via `postMessage` adds 5-15ms per message, reducing effective update rate for the 3D splat view. This is acceptable for 10-20 Hz sensing frame rates but would become a bottleneck at higher rates.
- **AsyncStorage has no encryption**: Settings (including server URL) are stored in plaintext AsyncStorage. For security-sensitive deployments, expo-secure-store should replace AsyncStorage for credential storage.
### 6.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| Expo SDK 55 breaking changes in future updates | Medium | Build failures, API deprecations | Pin SDK version in `app.config.ts`; test upgrades in preview branch |
| WebView memory pressure on low-end Android devices | Medium | OOM crash during Three.js splat rendering | Implement splat LOD (level of detail) fallback; monitor WebView memory via `onContentProcessDidTerminate` |
| react-native-wifi-reborn unmaintained or incompatible with RN 0.83 | Low | Android RSSI scanning broken | Fork and patch if needed; RSSI scanning is a secondary feature |
| Sensing server WebSocket protocol changes | Medium | Frame parsing errors, broken display | Version the WebSocket protocol; add `protocol_version` field to SensingFrame |
| Battery drain from continuous WebSocket connection on mobile | Medium | Poor user experience in extended field use | Implement configurable update rate throttling in settings; pause WS when app is backgrounded |
| Three.js Gaussian splat HTML bundle size exceeds WebView limits | Low | Slow initial load, white screen | Lazy-load splat bundle; show placeholder skeleton during load; cache bundle in AsyncStorage |
---
## 7. Future Work
### 7.1 Offline Model Inference
Run a quantized ONNX pose estimation model directly on the mobile device using `onnxruntime-react-native`. This would allow the app to process raw CSI data (received via a local UDP relay or Bluetooth) without a sensing server, enabling fully disconnected field operation.
**Prerequisites:** Export the trained WiFi-DensePose model (ADR-023) to ONNX format; quantize to INT8 for mobile; benchmark inference latency on iPhone 15 and Pixel 8.
### 7.2 Push Notifications for MAT Alerts
Integrate Firebase Cloud Messaging (Android) and APNs (iOS) to deliver push notifications when the sensing server detects new survivors or critical vital sign alerts. This allows operators to be alerted even when the app is backgrounded.
**Prerequisites:** Add a push notification endpoint to the Rust sensing server; implement Expo Notifications integration in the mobile app.
### 7.3 Apple Watch Companion
Build a watchOS companion app using Expo's experimental watch support or a native SwiftUI module. The watch would display a minimal vitals view (breathing rate, heart rate, alert count) on the operator's wrist, with haptic feedback for critical MAT alerts.
**Prerequisites:** Evaluate Expo watch support maturity; define minimal watch screen set; implement WatchConnectivity bridge.
### 7.4 Bluetooth Mesh Fallback
When WiFi is unavailable (collapsed building, power outage), use Bluetooth Low Energy (BLE) mesh to relay aggregated CSI summaries from ESP32 nodes to the mobile device. This requires ejecting from Expo managed workflow to bare workflow for BLE native module access.
**Prerequisites:** Implement BLE GATT service on ESP32 firmware (ADR-018); integrate `react-native-ble-plx` in bare Expo workflow; define BLE CSI summary protocol (compressed, lower bandwidth than WiFi).
### 7.5 Multi-Server Dashboard
Support connecting to multiple sensing servers simultaneously (e.g., one per floor or building wing). The app would aggregate data from all servers into a unified zone map and MAT dashboard with per-server status indicators.
**Prerequisites:** Extend `settingsStore` to support server list; modify `ws.service` to manage multiple WebSocket connections; merge `poseStore` frames from multiple sources with server-id tags.
---
## 8. Related ADRs
| ADR | Relationship |
|-----|-------------|
| ADR-019 (Sensing-Only UI Mode) | **Extended**: The mobile app is the field-optimized evolution of the sensing-only UI mode, adding native mobile capabilities (push, RSSI, offline) |
| ADR-021 (Vital Sign Detection) | **Consumed**: VitalsScreen displays breathing_rate_bpm and heart_rate_bpm extracted by the ADR-021 pipeline |
| ADR-026 (Survivor Track Lifecycle) | **Consumed**: MATScreen displays survivor tracks with lifecycle states (detected, confirmed, rescued, lost) from ADR-026 |
| ADR-029 (RuvSense Multistatic) | **Consumed**: The sensing server aggregates ESP32 TDM frames (ADR-029) and streams processed results to the mobile app |
| ADR-031 (RuView Sensing-First RF) | **Consumed**: The WebSocket and REST APIs exposed by `wifi-densepose-sensing-server` (ADR-031) are the mobile app's data source |
| ADR-032 (Mesh Security) | **Consumed**: Authenticated CSI frames (ADR-032) ensure the mobile app displays trustworthy data, not spoofed sensor readings |
---
## 9. References
1. Expo SDK 55 Documentation. https://docs.expo.dev/
2. React Native 0.83 Release Notes. https://reactnative.dev/
3. Zustand v5. https://github.com/pmndrs/zustand
4. React Navigation v7. https://reactnavigation.org/
5. Maestro Mobile Testing Framework. https://maestro.mobile.dev/
6. react-native-wifi-reborn. https://github.com/JuanSeBestworker/react-native-wifi-reborn
7. Three.js Gaussian Splatting. https://github.com/mrdoob/three.js
8. AsyncStorage. https://react-native-async-storage.github.io/async-storage/
9. Geng, J. et al. (2023). "DensePose From WiFi." arXiv:2301.00250.
10. ADR-019 through ADR-032 (internal).
api-docs/adr/ADR-035-live-sensing-ui-accuracy.md
+98
View File
@@ -0,0 +1,98 @@
# ADR-035: Live Sensing UI Accuracy & Data Source Transparency
## Status
Accepted
## Date
2026-03-02
## Context
Issue #86 reported that the live demo shows a static/barely-animated stick figure and the sensing page displays inaccurate data, despite a working ESP32 sending real CSI frames. Investigation revealed three root causes:
1. **Docker defaults to `--source simulated`** — even with a real ESP32 connected, the server generates synthetic sine-wave data instead of reading UDP frames.
2. **Live demo pose is analytically computed**`derive_pose_from_sensing()` generates keypoints using `sin(tick)` math unrelated to actual signal content. No trained `.rvf` model is loaded by default.
3. **Sensing feature extraction is oversimplified** — the server uses single-frame thresholds for motion detection and has no temporal analysis (breathing FFT, sliding window variance, frame history).
4. **No data source indicator** — users cannot tell whether they are seeing real or simulated data.
## Decision
### 1. Docker: Auto-detect data source
- Default `CSI_SOURCE` changed from `simulated` to `auto`.
- `auto` probes UDP port 5005 for an ESP32; falls back to simulation if none found.
- Users override via `CSI_SOURCE=esp32 docker-compose up`.
### 2. Signal-responsive pose derivation
- `derive_pose_from_sensing()` now reads actual sensing features:
- `motion_band_power` drives limb splay and walking gait detection (> 0.55).
- `breathing_band_power` drives torso expansion/contraction phased to breathing rate.
- `variance` seeds per-joint noise so the skeleton moves independently.
- `dominant_freq_hz` drives lateral torso lean.
- `change_points` add burst jitter to extremity keypoints.
- Tick rate reduced from 500ms to 100ms (2 fps → 10 fps).
- `pose_source` field (`signal_derived` | `model_inference`) added to every WebSocket frame.
### 3. Temporal feature extraction
- 100-frame circular buffer (`VecDeque`) added to `AppStateInner`.
- Per-subcarrier temporal variance via Welford-style accumulation.
- Breathing rate estimation via 9-candidate Goertzel filter bank (0.10.5 Hz) with 3x SNR gate.
- Frame-to-frame L2 motion score replaces single-frame amplitude thresholds.
- Signal quality metric: SNR-based (RSSI noise floor) blended with temporal stability.
- Signal field driven by subcarrier variance spatial mapping instead of fixed animation.
### 4. Data source transparency in UI
- **Sensing tab**: Banner showing "LIVE - ESP32" (green), "RECONNECTING..." (yellow), or "SIMULATED DATA" (red).
- **Live Demo tab**: "Estimation Mode" badge showing "Signal-Derived" (green) or "Model Inference" (blue).
- **Setup Guide** panel explaining what each ESP32 count provides (1x: presence/breathing, 3x: localization, 4x+: full pose with trained model).
- Simulation fallback delayed from immediate to 5 failed reconnect attempts (~30s).
## Consequences
### Positive
- Users with real ESP32 hardware get real data by default (auto-detect).
- Simulated data is clearly labeled — no more confusion about data authenticity.
- Pose skeleton visually responds to actual signal changes (motion, breathing, variance).
- Feature extraction produces physiologically meaningful metrics (breathing rate via Goertzel, temporal motion detection).
- Setup guide manages expectations about what each hardware configuration provides.
### Negative
- Signal-derived pose is still an approximation, not neural network inference. Per-limb tracking requires a trained `.rvf` model + 4+ ESP32 nodes.
- Goertzel filter bank adds ~O(9×N) computation per frame (negligible at 100 frames).
- Users with only 1 ESP32 may still be disappointed that arm tracking doesn't work — but the UI now explains why.
### 5. Dark mode consistency
- Live Demo tab converted from light theme to dark mode matching the rest of the UI.
- All sidebar panels, badges, buttons, dropdowns use dark backgrounds with muted text.
### 6. Render mode implementations
All four render modes in the pose visualization dropdown now produce distinct visual output:
| Mode | Rendering |
|------|-----------|
| **Skeleton** | Green lines connecting joints + red keypoint dots |
| **Keypoints** | Large colored dots with glow and labels, no connecting lines |
| **Heatmap** | Gaussian radial blobs per keypoint (hue per person), faint skeleton overlay at 25% opacity |
| **Dense** | Body region segmentation with colored filled polygons — head (red), torso (blue), left arm (green), right arm (orange), left leg (purple), right leg (yellow) |
Previously heatmap and dense were stubs that fell back to skeleton mode.
### 7. pose_source passthrough fix
The `pose_source` field from the WebSocket message was being dropped in `convertZoneDataToRestFormat()` in `pose.service.js`. Now passed through so the Estimation Mode badge displays correctly.
## Files Changed
- `docker/Dockerfile.rust``CSI_SOURCE=auto` env, shell entrypoint for variable expansion
- `docker/docker-compose.yml``CSI_SOURCE=${CSI_SOURCE:-auto}`, shell command string
- `wifi-densepose-sensing-server/src/main.rs` — frame history buffer, Goertzel breathing estimation, temporal motion score, signal-driven pose derivation, pose_source field, 100ms tick default
- `ui/services/sensing.service.js``dataSource` state, delayed simulation fallback, `_simulated` marker
- `ui/services/pose.service.js``pose_source` passthrough in data conversion
- `ui/components/SensingTab.js` — data source banner, "About This Data" card
- `ui/components/LiveDemoTab.js` — estimation mode badge, setup guide panel, dark mode theme
- `ui/utils/pose-renderer.js` — heatmap (Gaussian blobs) and dense (body region segmentation) render modes
- `ui/style.css` — banner, badge, guide panel, and about-text styles
- `README.md` — live pose detection screenshot
- `assets/screen.png` — screenshot asset
## References
- Issue: https://github.com/ruvnet/wifi-densepose/issues/86
- ADR-029: RuvSense multistatic sensing mode (proposed — full pipeline integration)
- ADR-014: SOTA signal processing
api-docs/adr/ADR-036-rvf-training-pipeline-ui.md
+228
View File
@@ -0,0 +1,228 @@
# ADR-036: RVF Model Training Pipeline & UI Integration
## Status
Proposed
## Date
2026-03-02
## Context
The wifi-densepose system currently operates in **signal-derived** mode — `derive_pose_from_sensing()` maps aggregate CSI features (motion power, breathing rate, variance) to keypoint positions using deterministic math. This gives whole-body presence and gross motion but cannot track individual limbs.
The infrastructure for **model inference** mode exists but is disconnected:
1. **RVF container format** (`rvf_container.rs`, 1,102 lines) — a 64-byte-aligned binary format supporting model weights (`SEG_VEC`), metadata (`SEG_MANIFEST`), quantization (`SEG_QUANT`), LoRA profiles (`SEG_LORA`), contrastive embeddings (`SEG_EMBED`), and witness audit trails (`SEG_WITNESS`). Builder and reader are fully implemented with CRC32 integrity checks.
2. **Training crate** (`wifi-densepose-train`) — AdamW optimizer, PCK@0.2/OKS metrics, LR scheduling with warmup, early stopping, CSV logging, and checkpoint export. Supports `CsiDataset` trait with planned MM-Fi (114→56 subcarrier interpolation) and Wi-Pose (30→56 zero-pad) loaders per ADR-015.
3. **NN inference crate** (`wifi-densepose-nn`) — ONNX Runtime backend with CPU/GPU support, dynamic tensor shapes, thread-safe `OnnxBackend` wrapper, model info inspection, and warmup.
4. **Sensing server CLI** (`--model <path>`, `--train`, `--pretrain`, `--embed`) — flags exist for model loading, training mode, and embedding extraction, but the end-to-end path from raw CSI → trained `.rvf` → live inference is not wired together.
5. **UI gaps** — No model management, training progress visualization, LoRA profile switching, or embedding inspection. The Settings panel lacks model configuration. The Live Demo has no way to load a trained model or compare signal-derived vs model-inference output side-by-side.
### What users need
- A way to **collect labeled CSI data** from their own environment (self-supervised or teacher-student from camera).
- A way to **train an .rvf model** from collected data without leaving the UI.
- A way to **load and switch models** in the live demo, seeing the quality improvement.
- Visibility into **training progress** (loss curves, validation PCK, early stopping).
- **Environment adaptation** via LoRA profiles (office → home → warehouse) without full retraining.
## Decision
### Phase 1: Data Collection & Self-Supervised Pretraining
#### 1.1 CSI Recording API
Add REST endpoints to the sensing server:
```
POST /api/v1/recording/start { duration_secs, label?, session_name }
POST /api/v1/recording/stop
GET /api/v1/recording/list
GET /api/v1/recording/download/:id
DELETE /api/v1/recording/:id
```
- Records raw CSI frames + extracted features to `.csi.jsonl` files.
- Optional camera-based label overlay via teacher model (Detectron2/MediaPipe on client).
- Each recording session tagged with environment metadata (room dimensions, node positions, AP count).
#### 1.2 Contrastive Pretraining (ADR-024 Phase 1)
- Self-supervised NT-Xent loss learns a 128-dim CSI embedding without pose labels.
- Positive pairs: adjacent frames from same person; negatives: different sessions/rooms.
- VICReg regularization prevents embedding collapse.
- Output: `.rvf` container with `SEG_EMBED` + `SEG_VEC` segments.
- Training triggered via `POST /api/v1/train/pretrain { dataset_ids[], epochs, lr }`.
### Phase 2: Supervised Training Pipeline
#### 2.1 Dataset Integration
- **MM-Fi loader**: Parse HDF5 files, 114→56 subcarrier interpolation via `ruvector-solver` sparse least-squares.
- **Wi-Pose loader**: Parse .mat files, 30→56 zero-padding with Hann window smoothing.
- **Self-collected**: `.csi.jsonl` from Phase 1 recording + camera-generated labels.
- All datasets implement `CsiDataset` trait and produce `(amplitude[B,T*links,56], phase[B,T*links,56], keypoints[B,17,2], visibility[B,17])`.
#### 2.2 Training API
```
POST /api/v1/train/start {
dataset_ids: string[],
config: {
epochs: 100,
batch_size: 32,
learning_rate: 3e-4,
weight_decay: 1e-4,
early_stopping_patience: 15,
warmup_epochs: 5,
pretrained_rvf?: string, // Base model for fine-tuning
lora_profile?: string, // Environment-specific LoRA
}
}
POST /api/v1/train/stop
GET /api/v1/train/status // { epoch, train_loss, val_pck, val_oks, lr, eta_secs }
WS /ws/train/progress // Real-time streaming of training metrics
```
#### 2.3 RVF Export
On training completion:
- Best checkpoint exported as `.rvf` with `SEG_VEC` (weights), `SEG_MANIFEST` (metadata), `SEG_WITNESS` (training hash + final metrics), and optional `SEG_QUANT` (INT8 quantization).
- Stored in `data/models/` directory, indexed by model ID.
- `GET /api/v1/models` lists available models; `POST /api/v1/models/load { model_id }` hot-loads into inference.
### Phase 3: LoRA Environment Adaptation
#### 3.1 LoRA Fine-Tuning
- Given a base `.rvf` model, fine-tune only LoRA adapter weights (rank 4-16) on environment-specific recordings.
- 5-10 minutes of labeled data from new environment suffices.
- New LoRA profile appended to existing `.rvf` via `SEG_LORA` segment.
- `POST /api/v1/train/lora { base_model_id, dataset_ids[], profile_name, rank: 8, epochs: 20 }`.
#### 3.2 Profile Switching
- `POST /api/v1/models/lora/activate { model_id, profile_name }` — hot-swap LoRA weights without reloading base model.
- UI dropdown lists available profiles per loaded model.
### Phase 4: UI Integration
#### 4.1 Model Management Panel (new: `ui/components/ModelPanel.js`)
- **Model Library**: List loaded and available `.rvf` models with metadata (version, dataset, PCK score, size, created date).
- **Model Inspector**: Show RVF segment breakdown — weight count, quantization type, LoRA profiles, embedding config, witness hash.
- **Load/Unload**: One-click model loading with progress bar.
- **Compare**: Side-by-side signal-derived vs model-inference toggle in Live Demo.
#### 4.2 Training Dashboard (new: `ui/components/TrainingPanel.js`)
- **Recording Controls**: Start/stop CSI recording, session list with duration and frame counts.
- **Training Progress**: Real-time loss curve (train loss, val loss) and metric charts (PCK@0.2, OKS) via WebSocket streaming.
- **Epoch Table**: Scrollable table of per-epoch metrics with best-epoch highlighting.
- **Early Stopping Indicator**: Visual countdown of patience remaining.
- **Export Button**: Download trained `.rvf` from browser.
#### 4.3 Live Demo Enhancements
- **Model Selector**: Dropdown in toolbar to switch between signal-derived and loaded `.rvf` models.
- **LoRA Profile Selector**: Sub-dropdown showing environment profiles for the active model.
- **Confidence Heatmap Overlay**: Per-keypoint confidence visualization when model is loaded (toggle in render mode dropdown).
- **Pose Trail**: Ghosted keypoint history showing last N frames of motion trajectory.
- **A/B Split View**: Left half signal-derived, right half model-inference for quality comparison.
#### 4.4 Settings Panel Extensions
- **Model section**: Default model path, auto-load on startup, GPU/CPU toggle, inference threads.
- **Training section**: Default hyperparameters, checkpoint directory, auto-export on completion.
- **Recording section**: Default recording directory, max duration, auto-label with camera.
#### 4.5 Dark Mode
All new panels follow the dark mode established in ADR-035 (`#0d1117` backgrounds, `#e0e0e0` text, translucent dark panels with colored accents).
### Phase 5: Inference Pipeline Wiring
#### 5.1 Model-Inference Pose Path
When a `.rvf` model is loaded:
1. CSI frame arrives (UDP or simulated).
2. Extract amplitude + phase tensors from subcarrier data.
3. Feed through ONNX session: `input[1, T*links, 56]``output[1, 17, 4]` (x, y, z, conf).
4. Apply Kalman smoothing from `pose_tracker.rs`.
5. Broadcast via WebSocket with `pose_source: "model_inference"`.
6. UI Estimation Mode badge switches from green "SIGNAL-DERIVED" to blue "MODEL INFERENCE".
#### 5.2 Progressive Loading (ADR-031 Layer A/B/C)
- **Layer A** (instant): Signal-derived pose starts immediately.
- **Layer B** (5-10s): Contrastive embeddings loaded, HNSW index warm.
- **Layer C** (30-60s): Full pose model loaded, inference active.
- Transitions seamlessly; UI badge updates automatically.
## Consequences
### Positive
- Users can train a model on **their own environment** without external tools or Python dependencies.
- LoRA profiles mean a single base model adapts to multiple rooms in minutes, not hours.
- Training progress is visible in real-time — no black-box waiting.
- A/B comparison lets users see the quality jump from signal-derived to model-inference.
- RVF container bundles everything (weights, metadata, LoRA, witness) in one portable file.
- Self-supervised pretraining requires no labels — just leave ESP32s running.
- Progressive loading means the UI is never "loading..." — signal-derived kicks in immediately.
### Negative
- Training requires significant compute: GPU recommended for supervised training (CPU possible but 10-50x slower).
- MM-Fi and Wi-Pose datasets must be downloaded separately (10-50 GB each) — cannot be bundled.
- LoRA rank must be tuned per environment; too low loses expressiveness, too high overfits.
- ONNX Runtime adds ~50 MB to the binary size when GPU support is enabled.
- Real-time inference at 10 FPS requires ~10ms per frame — tight budget on CPU.
- Teacher-student labeling (camera → pose labels → CSI training) requires camera access, which may conflict with the privacy-first premise.
### Mitigations
- Provide pre-trained base `.rvf` model downloadable from releases (trained on MM-Fi + Wi-Pose).
- INT8 quantization (`SEG_QUANT`) reduces model size 4x and speeds inference ~2x on CPU.
- Camera-based labeling is **optional** — self-supervised pretraining works without camera.
- Training API validates VRAM availability before starting GPU training; falls back to CPU with warning.
## Implementation Order
| Phase | Effort | Dependencies | Priority |
|-------|--------|-------------|----------|
| 1.1 CSI Recording API | 2-3 days | sensing server | High |
| 1.2 Contrastive Pretraining | 3-5 days | ADR-024, recording API | High |
| 2.1 Dataset Integration | 3-5 days | ADR-015, CsiDataset trait | High |
| 2.2 Training API | 2-3 days | training crate, dataset loaders | High |
| 2.3 RVF Export | 1-2 days | RvfBuilder | Medium |
| 3.1 LoRA Fine-Tuning | 3-5 days | base trained model | Medium |
| 3.2 Profile Switching | 1 day | LoRA in RVF | Medium |
| 4.1 Model Panel UI | 2-3 days | models API | High |
| 4.2 Training Dashboard UI | 3-4 days | training API + WS | High |
| 4.3 Live Demo Enhancements | 2-3 days | model loading | Medium |
| 4.4 Settings Extensions | 1 day | model/training APIs | Low |
| 4.5 Dark Mode | 0.5 days | new panels | Low |
| 5.1 Inference Wiring | 3-5 days | ONNX backend, pose tracker | High |
| 5.2 Progressive Loading | 2-3 days | ADR-031 | Medium |
**Total estimate: 4-6 weeks** (phases can overlap; 1+2 parallel with 4).
## Files to Create/Modify
### New Files
- `ui/components/ModelPanel.js` — Model library, inspector, load/unload controls
- `ui/components/TrainingPanel.js` — Recording controls, training progress, metric charts
- `v2/.../sensing-server/src/recording.rs` — CSI recording API handlers
- `v2/.../sensing-server/src/training_api.rs` — Training API handlers + WS progress stream
- `v2/.../sensing-server/src/model_manager.rs` — Model loading, hot-swap, 32LoRA activation
- `data/models/` — Default model storage directory
### Modified Files
- `v2/.../sensing-server/src/main.rs` — Wire recording, training, and model APIs
- `v2/.../train/src/trainer.rs` — Add WebSocket progress callback, LoRA training mode
- `v2/.../train/src/dataset.rs` — MM-Fi and Wi-Pose dataset loaders
- `v2/.../nn/src/onnx.rs` — LoRA weight injection, INT8 quantization support
- `ui/components/LiveDemoTab.js` — Model selector, LoRA dropdown, A/B spsplit view
- `ui/components/SettingsPanel.js` — Model and training configuration sections
- `ui/components/PoseDetectionCanvas.js` — Pose trail rendering, confidence heatmap overlay
- `ui/services/pose.service.js` — Model-inference keypoint processing
- `ui/index.html` — Add Training tabhee
- `ui/style.css` — Styles for new panels
## References
- ADR-015: MM-Fi + Wi-Pose training datasets
- ADR-016: RuVector training pipeline integration
- ADR-024: Project AETHER — contrastive CSI embedding model
- ADR-029: RuvSense multistatic sensing mode
- ADR-031: RuView sensing-first RF mode (progressive loading)
- ADR-035: Live sensing UI accuracy & data source transparency
- Issue: https://github.com/ruvnet/wifi-densepose/issues/92
- RVF format: `crates/wifi-densepose-sensing-server/src/rvf_container.rs`
- Training crate: `crates/wifi-densepose-train/src/trainer.rs`
- NN inference: `crates/wifi-densepose-nn/src/onnx.rs`
api-docs/adr/ADR-037-multi-person-pose-detection.md
+121
View File
@@ -0,0 +1,121 @@
# ADR-037: Multi-Person Pose Detection from Single ESP32 CSI Stream
- **Status**: Proposed
- **Date**: 2026-03-02
- **Issue**: [#97](https://github.com/ruvnet/wifi-densepose/issues/97)
- **Deciders**: @ruvnet
- **Supersedes**: None
- **Related**: ADR-014 (SOTA signal processing), ADR-024 (AETHER re-ID), ADR-029 (multistatic sensing), ADR-036 (RVF training pipeline)
## Context
The current signal-derived pose estimation pipeline (`derive_pose_from_sensing()` in the sensing server) generates at most one skeleton per frame from aggregate CSI features. When multiple people are present, only a single blended skeleton is produced. Live testing with ESP32 hardware confirmed: 2 people in the room yields 1 detected person.
A single ESP32 node provides 1 TX × 1 RX × 56 subcarriers of CSI data per frame. While this is limited spatial resolution compared to camera-based systems, the signal contains composite reflections from all scatterers in the environment. The challenge is decomposing these composite signals into per-person contributions.
## Decision
Implement multi-person pose detection in four phases, progressively improving accuracy from heuristic to neural approaches.
### Phase 1: Person Count Estimation
Estimate occupancy count from CSI signal statistics without decomposition.
**Approach**: Eigenvalue analysis of the CSI covariance matrix across subcarriers.
- Compute the 56×56 covariance matrix of CSI amplitudes over a sliding window (e.g., 50 frames / 5 seconds)
- Count eigenvalues above a noise threshold — each significant eigenvalue corresponds to an independent scatterer (person or static object)
- Subtract the static environment baseline (estimated during calibration or from the field model's SVD eigenstructure)
- The residual significant eigenvalue count estimates person count
**Accuracy target**: > 80% for 0-3 people with single ESP32 node.
**Integration point**: `signal/src/ruvsense/field_model.rs` already computes SVD eigenstructure. Extend with a `estimate_occupancy()` method.
### Phase 2: Signal Decomposition
Separate per-person signal contributions using blind source separation.
**Approach**: Non-negative Matrix Factorization (NMF) on the CSI spectrogram.
- Construct a time-frequency matrix from CSI amplitudes: rows = subcarriers (56), columns = time frames
- Apply NMF with k components (k = estimated person count from Phase 1)
- Each component's frequency profile maps to a person's motion pattern
- NMF is preferred over ICA because CSI amplitudes are non-negative
**Alternative**: Independent Component Analysis (ICA) on complex CSI (amplitude + phase). More powerful but requires phase calibration (see `ruvsense/phase_align.rs`).
**Integration point**: New module `signal/src/ruvsense/separation.rs`.
### Phase 3: Multi-Skeleton Generation
Generate distinct pose skeletons per decomposed component.
**Approach**: Per-component feature extraction → per-person skeleton synthesis.
- Extract motion features (dominant frequency, energy, spectral centroid) per NMF component
- Map each component to a spatial position using subcarrier phase gradient (Fresnel zone model)
- Generate 17-keypoint COCO skeleton per person with position offset
- Assign person IDs using the existing Kalman tracker (`ruvsense/pose_tracker.rs`) with AETHER re-ID embeddings (ADR-024)
**Integration point**: Modify `derive_pose_from_sensing()` in `sensing-server/src/main.rs` to return `Vec<Person>` with length > 1.
### Phase 4: Neural Multi-Person Model
Train a dedicated multi-person model using the RVF pipeline (ADR-036).
- Use MM-Fi dataset (ADR-015) multi-person scenarios for training data
- Architecture: shared CSI encoder → person count head + per-person pose heads
- LoRA fine-tuning profile for multi-person specialization
- Inference via the model manager in the sensing server
**Accuracy target**: PCK@0.2 > 60% for 2-person scenarios.
## Consequences
### Positive
- Enables room occupancy counting (Phase 1 alone is useful)
- Distinct pose tracking per person enables activity recognition per individual
- Progressive approach — each phase delivers incremental value
- Reuses existing infrastructure (field model SVD, Kalman tracker, AETHER, RVF pipeline)
### Negative
- Single ESP32 node has fundamental spatial resolution limits — separating 2 people standing close together (< 0.5m) will be unreliable
- NMF decomposition adds ~5-10ms latency per frame
- Person count estimation will have false positives from large moving objects (pets, fans)
- Phase 4 neural model requires multi-person training data collection
### Neutral
- Multi-node multistatic mesh (ADR-029) dramatically improves multi-person separation but is a separate effort
- UI already supports multi-person rendering — no frontend changes needed for the `persons[]` array
## Affected Components
| Component | Phase | Change |
|-----------|-------|--------|
| `signal/src/ruvsense/field_model.rs` | 1 | Add `estimate_occupancy()` |
| `signal/src/ruvsense/separation.rs` | 2 | New module: NMF decomposition |
| `sensing-server/src/main.rs` | 3 | `derive_pose_from_sensing()` multi-person output |
| `signal/src/ruvsense/pose_tracker.rs` | 3 | Multi-target tracking |
| `nn/` | 4 | Multi-person inference head |
| `train/` | 4 | Multi-person training pipeline |
## Performance Budget
| Operation | Budget | Phase |
|-----------|--------|-------|
| Person count estimation | < 2ms | 1 |
| NMF decomposition (k=3) | < 10ms | 2 |
| Multi-skeleton synthesis | < 3ms | 3 |
| Neural inference (multi-person) | < 50ms | 4 |
| **Total pipeline** | **< 65ms** (15 FPS) | All |
## Alternatives Considered
1. **Camera fusion**: Use a camera for person detection and WiFi for pose — rejected because the project goal is camera-free sensing.
2. **Multiple single-person models**: Run N independent pose estimators — rejected because they would produce correlated outputs from the same CSI data.
3. **Spatial filtering (beamforming)**: Use antenna array beamforming to isolate directions — rejected because single ESP32 has only 1 antenna; viable with multistatic mesh (ADR-029).
4. **Skip signal-derived, go straight to neural**: Train an end-to-end multi-person model — rejected because signal-derived provides faster iteration and interpretability for the early phases.
api-docs/adr/ADR-038-sublinear-goal-oriented-action-planning.md
+546
View File
@@ -0,0 +1,546 @@
# ADR-038: Sublinear Goal-Oriented Action Planning (GOAP) for Project Roadmap Optimization
| Field | Value |
|-------|-------|
| **Status** | Proposed |
| **Date** | 2026-03-02 |
| **Deciders** | ruv |
| **Relates to** | All 37 prior ADRs; ADR-014 (SOTA Signal Processing), ADR-016 (RuVector Integration), ADR-024 (AETHER Embeddings), ADR-027 (MERIDIAN Generalization), ADR-029 (RuvSense Multistatic), ADR-037 (Multi-Person Detection) |
---
## 1. Context
### 1.1 The Planning Problem
WiFi-DensePose has 37 Architecture Decision Records. Of these, 14 are Accepted/Complete, 4 are Partially Implemented, 19 are Proposed, and 1 is Superseded. The proposed ADRs span diverse capabilities: vital sign detection (ADR-021), multi-BSSID scanning (ADR-022), contrastive embeddings (ADR-024), cross-environment generalization (ADR-027), multistatic mesh sensing (ADR-029), persistent field models (ADR-030), multi-person pose detection (ADR-037), and more.
A single developer (or a small team aided by AI agents) must decide **what to build next** given:
- **Dense dependency graph**: ADR-037 (multi-person) depends on ADR-014 (signal processing), ADR-024 (AETHER), and ADR-029 (multistatic). ADR-029 depends on ADR-012 (ESP32 mesh), ADR-014, ADR-016, and ADR-018. Many ADRs share prerequisites.
- **Hardware variability**: Some ADRs require ESP32 hardware (ADR-021 vital signs, ADR-029 multistatic mesh), while others are software-only (ADR-024 AETHER, ADR-027 MERIDIAN). The available hardware changes session to session.
- **Shifting goals**: One session the user wants accuracy improvement; the next session they want multi-person support; the next they want WebAssembly deployment.
- **Resource constraints**: Limited compute budget, single-developer throughput, CI pipeline capacity.
Manually navigating this decision space is error-prone. The developer must hold the full dependency graph in working memory, re-evaluate priorities when goals shift, and avoid dead-end plans that block on unavailable hardware.
### 1.2 Why GOAP
Goal-Oriented Action Planning (GOAP), originally developed for game AI by Jeff Orkin (2003), models the world as a set of boolean/numeric state properties and defines actions with typed preconditions and effects. A planner searches from the current world state to a goal state, producing an optimal action sequence. GOAP is a natural fit for this problem because:
1. **ADR implementations are actions** with clear preconditions (which other ADRs/hardware must exist) and effects (which capabilities are unlocked).
2. **The world state is observable** -- we can query cargo test results, check hardware connections, read crate manifests, and measure accuracy metrics.
3. **Goals are declarative** -- "I want multi-person tracking at 20 Hz" translates to `{multi_person_tracking: true, update_rate_hz: 20}`.
4. **Replanning is cheap** -- when hardware becomes available or a user changes goals, the planner re-runs in milliseconds.
### 1.3 Why Sublinear
The naive GOAP planner uses A* search over the full action-state graph. With 37 ADRs, each potentially having multiple phases (ADR-037 has 4 phases, ADR-029 has 9 actions), the raw action count exceeds 80. The full state space is `2^N` for N boolean properties. Exhaustive search is wasteful because:
- Most actions are irrelevant to any given goal (the user asking for vital signs does not need WebAssembly deployment actions in the search).
- The dependency graph is sparse -- most actions depend on 1-3 prerequisites, not all other actions.
- Many state properties are independent (vital sign detection does not interact with WebAssembly compilation).
A sublinear approach avoids exploring the full state space by exploiting this sparsity.
---
## 2. Decision
Implement a GOAP planning system as a coordinator module within the claude-flow swarm framework. The planner takes a user goal, the current project state, and available hardware as input, and produces an ordered action plan that is dispatched to specialized agents for execution.
### 2.1 World State Model
The world state is a flat map of typed properties representing the current project capabilities.
#### 2.1.1 Feature Implementation Flags (Boolean)
| Property | Source of Truth | Description |
|----------|----------------|-------------|
| `sota_signal_processing` | `cargo test -p wifi-densepose-signal` passes | ADR-014 SOTA algorithms implemented |
| `ruvector_training_integrated` | `train/` crate builds with ruvector deps | ADR-016 RuVector training pipeline |
| `ruvector_signal_integrated` | `signal/src/ruvsense/` module exists | ADR-017 RuVector signal integration |
| `esp32_firmware_base` | `firmware/esp32-csi-node/` compiles | ADR-018 ESP32 base firmware |
| `esp32_channel_hopping` | Firmware supports multi-channel | ADR-029 Phase 1 |
| `multi_band_fusion` | `ruvsense/multiband.rs` passes tests | ADR-029 Phase 2 |
| `multistatic_mesh` | Multi-node fusion operational | ADR-029 Phase 3 |
| `coherence_gating` | `ruvsense/coherence_gate.rs` passes tests | ADR-029 Phase 6-7 |
| `pose_tracker_17kp` | `ruvsense/pose_tracker.rs` passes tests | ADR-029 Phase 4 |
| `vital_signs_extraction` | `vitals/` crate passes tests | ADR-021 |
| `vital_signs_esp32_validated` | ESP32 breathing detection verified | ADR-021 Phase 2 |
| `multi_bssid_scan` | `wifiscan/` crate passes tests | ADR-022 Phase 1 |
| `multi_bssid_concurrent` | Concurrent BSSID scanning | ADR-022 Phase 2 |
| `aether_embeddings` | Contrastive CSI encoder trained | ADR-024 |
| `aether_reid` | Person re-identification via embeddings | ADR-024 Phase 3 |
| `meridian_generalization` | Cross-environment transfer working | ADR-027 |
| `persistent_field_model` | Field model serializes/deserializes | ADR-030 |
| `person_count_estimation` | Eigenvalue occupancy estimator | ADR-037 Phase 1 |
| `signal_decomposition` | NMF per-person separation | ADR-037 Phase 2 |
| `multi_skeleton_generation` | Multiple skeletons per frame | ADR-037 Phase 3 |
| `multi_person_neural` | Neural multi-person model | ADR-037 Phase 4 |
| `wasm_deployment` | WebAssembly build functional | ADR-025 |
| `mat_survivor_detection` | MAT disaster detection operational | ADR-011/ADR-026 |
| `ruview_sensing_ui` | Sensing-first RF UI mode | ADR-031 |
| `mesh_security_hardened` | Multistatic mesh security layer | ADR-032 |
#### 2.1.2 Hardware Availability Flags (Boolean)
| Property | Detection Method | Description |
|----------|-----------------|-------------|
| `esp32_connected` | USB serial probe (`/dev/ttyUSB*` or `COM*`) | At least one ESP32 on USB |
| `esp32_count` | Count USB serial devices with ESP32 VID/PID | Number of ESP32 nodes |
| `esp32_multistatic_ready` | `esp32_count >= 2` | Sufficient for multistatic |
| `gpu_available` | `nvidia-smi` or CUDA probe | GPU for neural training |
| `wifi_adapter_present` | OS WiFi interface enumeration | Host WiFi for multi-BSSID |
#### 2.1.3 Quality Metrics (Numeric)
| Property | Source | Description |
|----------|--------|-------------|
| `pose_accuracy_pck02` | Benchmark suite output | PCK@0.2 accuracy (0.0-1.0) |
| `update_rate_hz` | Pipeline timing measurement | Effective output frame rate |
| `max_persons_tracked` | Multi-person test result | Maximum simultaneous persons |
| `breathing_snr_db` | Vital signs test output | Breathing detection SNR |
| `torso_jitter_mm` | Tracking benchmark | RMS torso keypoint jitter |
| `rust_test_count` | `cargo test --workspace` output | Total passing Rust tests |
### 2.2 Action Definitions
Each action maps to an ADR implementation phase. Actions are defined as structs with preconditions, effects, cost, and metadata.
```rust
pub struct GoapAction {
/// Unique identifier (e.g., "adr029_phase1_channel_hopping")
pub id: String,
/// Human-readable name
pub name: String,
/// ADR reference (e.g., "ADR-029")
pub adr: String,
/// Phase within the ADR (e.g., "Phase 1")
pub phase: Option<String>,
/// Preconditions: state properties that must be true/meet threshold
pub preconditions: Vec<Condition>,
/// Effects: state properties set after successful execution
pub effects: Vec<Effect>,
/// Estimated effort in developer-days
pub cost_days: f32,
/// Whether this action requires hardware
pub requires_hardware: Vec<String>,
/// Agent types needed to execute this action
pub agent_types: Vec<String>,
/// Affected crates/files
pub affected_components: Vec<String>,
}
pub enum Condition {
BoolTrue(String), // property must be true
BoolFalse(String), // property must be false
NumericGte(String, f64), // property >= threshold
NumericLte(String, f64), // property <= threshold
}
pub enum Effect {
SetBool(String, bool), // set boolean property
SetNumeric(String, f64), // set numeric property
IncrementNumeric(String, f64), // add to numeric property
}
```
#### 2.2.1 Action Catalog (Key ADR Actions)
| Action ID | ADR | Cost (days) | Preconditions | Effects | Hardware |
|-----------|-----|-------------|---------------|---------|----------|
| `adr037_p1_person_count` | 037 | 3 | `sota_signal_processing` | `person_count_estimation = true` | None |
| `adr037_p2_nmf_decomp` | 037 | 5 | `person_count_estimation` | `signal_decomposition = true` | None |
| `adr037_p3_multi_skel` | 037 | 4 | `signal_decomposition`, `pose_tracker_17kp` | `multi_skeleton_generation = true`, `max_persons_tracked += 2` | None |
| `adr037_p4_neural_multi` | 037 | 10 | `signal_decomposition`, `aether_embeddings`, `gpu_available` | `multi_person_neural = true`, `pose_accuracy_pck02 = 0.6` | GPU |
| `adr021_vital_core` | 021 | 3 | `sota_signal_processing` | `vital_signs_extraction = true` | None |
| `adr021_vital_esp32` | 021 | 5 | `vital_signs_extraction`, `esp32_connected` | `vital_signs_esp32_validated = true`, `breathing_snr_db = 10.0` | ESP32 |
| `adr030_persist_field` | 030 | 2 | `ruvector_signal_integrated` | `persistent_field_model = true` | None |
| `adr022_p2_concurrent` | 022 | 4 | `multi_bssid_scan`, `wifi_adapter_present` | `multi_bssid_concurrent = true` | WiFi adapter |
| `adr029_p1_ch_hop` | 029 | 5 | `esp32_firmware_base`, `esp32_connected` | `esp32_channel_hopping = true` | ESP32 |
| `adr029_p2_multiband` | 029 | 5 | `esp32_channel_hopping` | `multi_band_fusion = true` | ESP32 |
| `adr029_p3_multistatic` | 029 | 5 | `multi_band_fusion`, `esp32_multistatic_ready` | `multistatic_mesh = true` | 2+ ESP32 |
| `adr029_p67_coherence` | 029 | 3 | `multi_band_fusion` | `coherence_gating = true` | None |
| `adr029_p4_tracker` | 029 | 3 | `multistatic_mesh`, `coherence_gating` | `pose_tracker_17kp = true`, `torso_jitter_mm = 30.0` | None |
| `adr024_aether_train` | 024 | 8 | `sota_signal_processing`, `gpu_available` | `aether_embeddings = true` | GPU |
| `adr024_aether_reid` | 024 | 4 | `aether_embeddings`, `pose_tracker_17kp` | `aether_reid = true` | None |
| `adr027_meridian` | 027 | 10 | `aether_embeddings`, `gpu_available` | `meridian_generalization = true` | GPU |
| `adr025_wasm` | 025 | 5 | `sota_signal_processing` | `wasm_deployment = true` | None |
| `adr011_mat` | 011 | 8 | `vital_signs_extraction`, `person_count_estimation` | `mat_survivor_detection = true` | None |
| `adr031_ruview` | 031 | 4 | `persistent_field_model`, `coherence_gating` | `ruview_sensing_ui = true` | None |
| `adr032_mesh_security` | 032 | 5 | `multistatic_mesh` | `mesh_security_hardened = true` | None |
### 2.3 Goal Specification
Goals are expressed as partial world states -- a set of conditions that must be satisfied.
```rust
pub struct Goal {
/// Human-readable description
pub description: String,
/// Conditions that define success
pub conditions: Vec<Condition>,
/// Priority weight (higher = more important when competing)
pub priority: f32,
}
```
**Predefined goal templates:**
| Goal | Conditions | Typical Plan Length |
|------|-----------|---------------------|
| Multi-person tracking | `multi_skeleton_generation = true`, `max_persons_tracked >= 3` | 4-6 actions |
| Vital sign monitoring | `vital_signs_esp32_validated = true`, `breathing_snr_db >= 10` | 2-3 actions |
| Production accuracy | `pose_accuracy_pck02 >= 0.6`, `torso_jitter_mm <= 30` | 5-8 actions |
| Browser deployment | `wasm_deployment = true` | 1-2 actions |
| Disaster response (MAT) | `mat_survivor_detection = true`, `multi_skeleton_generation = true` | 5-7 actions |
| Full multistatic mesh | `multistatic_mesh = true`, `coherence_gating = true`, `pose_tracker_17kp = true` | 5-7 actions |
| Cross-environment robustness | `meridian_generalization = true` | 3-5 actions |
### 2.4 Sublinear Planning Algorithm
The planner avoids exhaustive A* search over the full state space using three techniques.
#### 2.4.1 Backward Relevance Pruning
Before search begins, identify which actions are **relevant** to the goal using backward chaining:
```
function relevantActions(goal, allActions):
relevant = {}
frontier = {conditions in goal that are not satisfied}
while frontier is not empty:
pick condition C from frontier
for each action A in allActions:
if A.effects satisfies C:
relevant.add(A)
for each precondition P of A:
if P is not satisfied in current state:
frontier.add(P)
return relevant
```
This typically reduces the action set from ~80 to 5-15 for a specific goal. The search then operates only on relevant actions.
**Complexity**: O(G * A) where G is the number of unsatisfied goal/precondition properties and A is the total action count. Since G << 2^N and A is fixed at ~80, this is constant-time relative to the state space.
#### 2.4.2 Hierarchical Decomposition
Actions are organized into three tiers based on the ADR dependency structure:
```
Tier 0 (Foundation): ADR-014, ADR-016, ADR-018
No internal prerequisites. Always satisfiable.
Tier 1 (Infrastructure): ADR-017, ADR-021-core, ADR-022-p1, ADR-029-p1, ADR-030
Depend only on Tier 0.
Tier 2 (Capability): ADR-024, ADR-029-p2/p3, ADR-037-p1/p2, ADR-021-esp32
Depend on Tier 0-1.
Tier 3 (Integration): ADR-027, ADR-037-p3/p4, ADR-029-p4, ADR-011, ADR-031
Depend on Tier 0-2.
```
The planner first resolves Tier 0 preconditions (usually already satisfied), then plans Tier 1 actions, then Tier 2, then Tier 3. Within each tier, actions are independent and can be planned in parallel. This reduces the effective search depth from ~15 (worst case linear chain) to ~4 (tier depth).
#### 2.4.3 Incremental Replanning
When the world state changes (a test passes, hardware is plugged in, the user shifts goals), the planner does not replan from scratch. Instead:
1. **Invalidation**: Mark actions in the current plan whose preconditions are no longer satisfied or whose effects are already achieved.
2. **Patch**: Remove invalidated actions and re-run backward relevance pruning only for the remaining unsatisfied goal conditions.
3. **Merge**: Insert new actions into the existing plan at the correct dependency-ordered position.
This is sublinear in the total action count because only the delta is re-examined.
#### 2.4.4 Heuristic Cost Function
The A* heuristic estimates remaining cost as the sum of minimum-cost actions needed to satisfy each unsatisfied goal condition, divided by the maximum parallelism available (number of idle agents). This is admissible (never overestimates) because actions can satisfy multiple conditions.
```
h(state, goal) = sum(min_cost_to_satisfy(c) for c in unsatisfied(state, goal)) / max_parallelism
```
#### 2.4.5 Complexity Analysis
| Component | Naive GOAP | Sublinear GOAP |
|-----------|-----------|----------------|
| State space | 2^N (N=25 booleans) = 33M | Pruned to relevant subset |
| Actions evaluated | All ~80 per expansion | 5-15 (backward pruning) |
| Search depth | Up to 15 | Up to 4 (tier decomposition) |
| Replan cost | Full re-search | Delta patch only |
| Typical plan time | ~100ms | <5ms |
### 2.5 State Observation
The planner queries the real project state before planning. Each property has a defined observation method.
| Property | Observation Command | Cache TTL |
|----------|-------------------|-----------|
| `sota_signal_processing` | `cargo test -p wifi-densepose-signal --no-default-features 2>&1 \| grep "test result"` | 10 min |
| `esp32_connected` | Platform-specific USB serial probe | 30 sec |
| `esp32_count` | Count ESP32 VID/PID USB devices | 30 sec |
| `gpu_available` | `nvidia-smi --query-gpu=name --format=csv,noheader 2>/dev/null` | 5 min |
| `rust_test_count` | Parse `cargo test --workspace --no-default-features` output | 10 min |
| `wifi_adapter_present` | OS-specific WiFi interface enumeration | 5 min |
| Module existence flags | `test -f <path>` for key source files | 1 min |
Observations are cached with TTL to avoid re-running expensive commands (cargo test) on every plan request. Cache invalidation occurs on file change events or explicit user request.
### 2.6 Plan Execution via Swarm
Once the planner produces an ordered action list, execution is dispatched through the claude-flow swarm system.
#### 2.6.1 GOAP Coordinator Agent
The planner runs as a `goap-coordinator` agent within a hierarchical swarm topology:
```
goap-coordinator (planner + dispatcher)
|
+-- researcher (dependency analysis, API review)
+-- coder (implementation)
+-- tester (validation, state observation)
+-- reviewer (code review, security check)
```
The coordinator:
1. Observes current world state
2. Accepts a goal from the user
3. Runs the sublinear planner to produce an action sequence
4. Dispatches each action to appropriate agent types (from the action's `agent_types` field)
5. Monitors action completion via the memory system
6. Updates the world state after each action completes
7. Re-plans if the world state diverges from expectations
#### 2.6.2 State Persistence via Memory
World state is stored in the claude-flow memory system under the `goap` namespace:
```bash
# Store observed state
npx @claude-flow/cli@latest memory store \
--namespace goap \
--key "world-state" \
--value '{"sota_signal_processing": true, "esp32_connected": false, ...}'
# Store current plan
npx @claude-flow/cli@latest memory store \
--namespace goap \
--key "current-plan" \
--value '{"goal": "multi-person tracking", "actions": ["adr037_p1", "adr037_p2", ...], "progress": 1}'
# Search for past successful plans
npx @claude-flow/cli@latest memory search \
--namespace goap \
--query "multi-person tracking plan"
```
#### 2.6.3 Action-to-Agent Routing
Each action declares which agent types are needed. The coordinator maps these to swarm agents:
| Agent Type | Role in GOAP Action | Example Actions |
|-----------|---------------------|-----------------|
| `researcher` | Analyze dependencies, review papers, check API compatibility | Pre-action analysis for any ADR |
| `coder` | Write implementation code | All implementation actions |
| `tester` | Run tests, observe state, validate effects | Post-action verification |
| `reviewer` | Code review, security audit | ADR-032 mesh security, any PR |
| `performance-engineer` | Benchmark, optimize latency | ADR-029 pipeline timing |
| `security-architect` | Threat model, audit | ADR-032 security hardening |
#### 2.6.4 Execution Protocol
For each action in the plan:
```
1. PRE-CHECK: Observe preconditions. If any unsatisfied, re-plan.
2. DISPATCH: Spawn required agents with action context.
3. EXECUTE: Agents implement the action (write code, run tests).
4. VERIFY: Tester agent observes the world state.
5. UPDATE: If effects achieved, mark action complete, update state.
6. REPLAN: If effects not achieved, flag failure, re-plan with updated state.
```
### 2.7 Dependency Graph Visualization
The planner can emit its action graph in DOT format for visualization:
```
digraph goap {
rankdir=LR;
node [shape=box, style=rounded];
// Tier 0 (green = complete)
adr014 [label="ADR-014\nSOTA Signal", color=green];
adr016 [label="ADR-016\nRuVector Train", color=green];
adr018 [label="ADR-018\nESP32 Base", color=green];
// Tier 1 (blue = in progress)
adr017 [label="ADR-017\nRuVector Signal", color=blue];
adr030 [label="ADR-030\nField Model", color=orange];
// Tier 2 (orange = planned)
adr037_p1 [label="ADR-037 P1\nPerson Count", color=orange];
adr037_p2 [label="ADR-037 P2\nNMF Decomp", color=orange];
adr024 [label="ADR-024\nAETHER", color=orange];
// Tier 3 (gray = future)
adr037_p3 [label="ADR-037 P3\nMulti-Skeleton", color=gray];
adr027 [label="ADR-027\nMERIDIAN", color=gray];
// Edges
adr014 -> adr037_p1;
adr037_p1 -> adr037_p2;
adr037_p2 -> adr037_p3;
adr014 -> adr024;
adr024 -> adr037_p3;
adr024 -> adr027;
adr014 -> adr017;
adr017 -> adr030;
}
```
### 2.8 PageRank-Based Prioritization
When the user has not specified a single goal but asks "what should I work on next?", the planner uses PageRank on the action dependency graph to identify the highest-leverage actions:
1. Construct the adjacency matrix where `A[i][j] = 1` if action j depends on action i (i.e., completing i unblocks j).
2. Run PageRank with damping factor 0.85.
3. Actions with the highest PageRank scores are the most "load-bearing" -- they unblock the most downstream work.
4. Filter to actions whose preconditions are currently satisfiable.
5. Return the top-K actions ranked by `PageRank_score * (1 / cost_days)` (value per effort).
This naturally surfaces foundation actions (ADR-014, ADR-016) over leaf actions (ADR-032 security), matching the intuition that infrastructure work has the highest leverage.
---
## 3. Implementation
### 3.1 Module Structure
The GOAP planner is implemented as a TypeScript module within the claude-flow coordination layer (not in the Rust workspace, since it orchestrates Rust development rather than being part of the Rust product).
```
.claude-flow/goap/
state.ts -- World state model and observation
actions.ts -- Action catalog (all ~80 actions)
planner.ts -- Sublinear A* planner with backward pruning
goals.ts -- Goal templates and user goal parser
executor.ts -- Swarm dispatch and action lifecycle
pagerank.ts -- Dependency graph prioritization
visualize.ts -- DOT graph export
```
### 3.2 CLI Integration
```bash
# Plan: produce an action sequence for a goal
npx @claude-flow/cli@latest goap plan --goal "multi-person tracking"
# Observe: snapshot current world state
npx @claude-flow/cli@latest goap observe
# Prioritize: PageRank-based "what next?" recommendation
npx @claude-flow/cli@latest goap prioritize --top-k 5
# Execute: run the plan via swarm
npx @claude-flow/cli@latest goap execute --goal "vital sign monitoring"
# Visualize: emit DOT dependency graph
npx @claude-flow/cli@latest goap graph --format dot > goap.dot
```
### 3.3 Integration Points
| System | Integration | Purpose |
|--------|------------|---------|
| claude-flow memory | `goap` namespace | Persist world state, plans, execution history |
| claude-flow swarm | Hierarchical coordinator | Dispatch actions to agent teams |
| claude-flow hooks | `pre-task` / `post-task` | Trigger state observation before/after work |
| cargo test | State observation | Detect which crates/modules pass tests |
| USB device enumeration | Hardware observation | Detect ESP32 availability |
| Git status | Implementation detection | Check if files/modules exist |
---
## 4. Consequences
### 4.1 Positive
- **Eliminates manual priority analysis**: The developer states a goal; the planner produces a concrete, dependency-ordered action list.
- **Hardware-aware planning**: Actions requiring ESP32 or GPU are automatically excluded when hardware is unavailable, preventing dead-end plans.
- **Sublinear plan time**: Backward pruning + tier decomposition keeps planning under 5ms for typical goals, enabling interactive replanning.
- **Incremental replanning**: When state changes (a test starts passing, hardware is plugged in), only the delta is re-evaluated.
- **Swarm integration**: Actions are dispatched to specialized agents, enabling parallel execution of independent actions within the same tier.
- **Cross-session continuity**: World state and plan progress persist in the memory system, so the planner resumes where it left off.
- **PageRank prioritization**: When no specific goal is given, the planner identifies the highest-leverage next action based on the dependency graph structure.
- **Transparent reasoning**: The dependency graph can be visualized in DOT format, making the planner's reasoning inspectable.
### 4.2 Negative
- **Action catalog maintenance**: Every new ADR or ADR phase must be added to the action catalog with correct preconditions and effects. Stale actions produce incorrect plans.
- **State observation overhead**: Some state checks (running `cargo test`) are expensive. Caching with TTL mitigates this but introduces staleness risk.
- **Approximate cost model**: Action costs in developer-days are estimates. Actual effort varies with developer experience and codebase familiarity.
- **Boolean state simplification**: Some capabilities are continuous (accuracy improves gradually) but are modeled as boolean thresholds, losing nuance.
### 4.3 Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| Action catalog diverges from reality | Medium | Plans reference nonexistent or completed actions | Validate catalog against ADR directory at plan time |
| State observation produces false positives | Low | Planner skips needed actions | Cross-validate with multiple observation methods |
| User goals conflict (accuracy vs latency) | Medium | Planner produces suboptimal compromise | Support multi-objective goals with explicit weights |
| Swarm agents fail during action execution | Medium | Plan stalls | Timeout + automatic replan with failure noted in state |
---
## 5. Affected Components
| Component | Change | Description |
|-----------|--------|-------------|
| `.claude-flow/goap/` | New | GOAP planner module (TypeScript) |
| claude-flow memory (`goap` namespace) | New | World state and plan persistence |
| claude-flow swarm coordinator | Extended | GOAP coordinator agent type |
| claude-flow CLI | Extended | `goap` subcommand (plan, observe, prioritize, execute, graph) |
---
## 6. Performance Budget
| Operation | Budget | Method |
|-----------|--------|--------|
| World state observation (cached) | < 100ms | Read from memory cache |
| World state observation (fresh) | < 30s | Run cargo test + hardware probes |
| Plan generation (sublinear) | < 5ms | Backward pruning + tier A* |
| PageRank prioritization | < 2ms | Sparse matrix iteration |
| Incremental replan | < 1ms | Delta patch on existing plan |
| DOT graph generation | < 1ms | Traverse action catalog |
---
## 7. Alternatives Considered
1. **Manual priority spreadsheet**: Maintain a spreadsheet of ADR priorities and dependencies. Rejected because it requires manual updates, does not adapt to hardware availability, and cannot be queried programmatically by agents.
2. **Full A* over raw state space**: Standard GOAP without sublinear optimizations. Rejected because 2^25 boolean states is unnecessarily large when most actions are irrelevant to any given goal.
3. **Hierarchical Task Network (HTN)**: HTN decomposes tasks into subtasks using predefined methods. More powerful than GOAP but requires hand-authored decomposition methods for every task. GOAP's flat action model with automatic planning is simpler to maintain as ADRs evolve.
4. **Reinforcement learning planner**: Train an RL agent to select actions. Rejected because the action space changes as ADRs are added, the reward signal is sparse (project completion), and the sample complexity is too high for a planning problem with known structure.
5. **Simple topological sort**: Sort actions by dependency order and execute top-down. Rejected because it does not consider goals (executes everything), does not handle hardware constraints, and does not support replanning.
---
## 8. References
1. Orkin, J. (2003). "Applying Goal-Oriented Action Planning to Games." AI Game Programming Wisdom 2.
2. Orkin, J. (2006). "Three States and a Plan: The A.I. of F.E.A.R." Game Developers Conference.
3. Page, L., Brin, S., Motwani, R., Winograd, T. (1999). "The PageRank Citation Ranking: Bringing Order to the Web." Stanford InfoLab.
4. Ghallab, M., Nau, D., Traverso, P. (2004). "Automated Planning: Theory and Practice." Morgan Kaufmann.
5. Russell, S., Norvig, P. (2020). "Artificial Intelligence: A Modern Approach." 4th ed., Chapter 11: Automated Planning.
api-docs/adr/ADR-039-esp32-edge-intelligence.md
+211
View File
@@ -0,0 +1,211 @@
# ADR-039: ESP32-S3 Edge Intelligence Pipeline
**Status**: Accepted (hardware-validated on RuView ESP32-S3)
**Date**: 2026-03-02
**Deciders**: @ruvnet
## Context
WiFi-DensePose captures Channel State Information (CSI) from ESP32-S3 nodes and streams raw I/Q data to a host server for processing. This architecture has limitations:
1. **Bandwidth**: Raw CSI at 20 Hz × 128 subcarriers × 2 bytes = ~5 KB/frame = ~100 KB/s per node. Multi-node deployments saturate low-bandwidth links.
2. **Latency**: Server-side processing adds network round-trip delay for time-critical signals like fall detection.
3. **Power**: Continuous raw streaming prevents duty-cycling for battery-powered deployments.
4. **Scalability**: Server CPU scales linearly with node count for basic signal processing that could run on the ESP32-S3's dual cores.
## Decision
Implement a tiered edge processing pipeline on the ESP32-S3 that performs signal processing locally and sends compact results:
### Tier 0 — Raw Passthrough (default, backward compatible)
No on-device processing. CSI frames streamed as-is (magic `0xC5110001`).
### Tier 1 — Basic Signal Processing
- Phase extraction and unwrapping from I/Q pairs
- Welford running variance per subcarrier
- Top-K subcarrier selection by variance
- Delta compression (XOR + RLE) for 30-50% bandwidth reduction (magic `0xC5110005`, reassigned from `0xC5110003` by ADR-069)
### Tier 2 — Full Edge Intelligence
All of Tier 1, plus:
- Biquad IIR bandpass filters: breathing (0.1-0.5 Hz), heart rate (0.8-2.0 Hz)
- Zero-crossing BPM estimation
- Presence detection with adaptive threshold calibration (1200 frames, 3-sigma)
- Fall detection (phase acceleration exceeding configurable threshold)
- Multi-person vitals via subcarrier group clustering (up to 4 persons)
- 32-byte vitals packet at configurable interval (magic `0xC5110002`)
### Architecture
```
Core 0 (WiFi) Core 1 (DSP)
┌─────────────────┐ ┌──────────────────────────┐
│ CSI callback │──SPSC ring──▶│ Phase extract + unwrap │
│ (wifi_csi_cb) │ buffer │ Welford variance │
│ │ │ Top-K selection │
│ UDP raw stream │ │ Biquad bandpass filters │
│ (0xC5110001) │ │ Zero-crossing BPM │
└─────────────────┘ │ Presence detection │
│ Fall detection │
│ Multi-person clustering │
│ Delta compression │
│ ──▶ UDP vitals (0xC5110002)│
│ ──▶ UDP compressed (0x05) │
└──────────────────────────┘
```
### Wire Protocols
**Vitals Packet (32 bytes, magic `0xC5110002`)**:
| Offset | Type | Field |
|--------|------|-------|
| 0-3 | u32 LE | Magic `0xC5110002` |
| 4 | u8 | Node ID |
| 5 | u8 | Flags (bit0=presence, bit1=fall, bit2=motion) |
| 6-7 | u16 LE | Breathing rate (BPM × 100) |
| 8-11 | u32 LE | Heart rate (BPM × 10000) |
| 12 | i8 | RSSI |
| 13 | u8 | Number of detected persons |
| 14-15 | u8[2] | Reserved |
| 16-19 | f32 LE | Motion energy |
| 20-23 | f32 LE | Presence score |
| 24-27 | u32 LE | Timestamp (ms since boot) |
| 28-31 | u32 LE | Reserved |
**Compressed Frame (magic `0xC5110005`, reassigned from `0xC5110003` by ADR-069)**:
| Offset | Type | Field |
|--------|------|-------|
| 0-3 | u32 LE | Magic `0xC5110005` |
| 4 | u8 | Node ID |
| 5 | u8 | WiFi channel |
| 6-7 | u16 LE | Original I/Q length |
| 8-9 | u16 LE | Compressed length |
| 10+ | bytes | RLE-encoded XOR delta |
### Configuration
Six NVS keys in the `csi_cfg` namespace:
| NVS Key | Type | Default | Description |
|---------|------|---------|-------------|
| `edge_tier` | u8 | 2 | Processing tier (0/1/2) |
| `pres_thresh` | u16 | 0 | Presence threshold × 1000 (0 = auto) |
| `fall_thresh` | u16 | 2000 | Fall threshold × 1000 (rad/s²) |
| `vital_win` | u16 | 256 | Phase history window |
| `vital_int` | u16 | 1000 | Vitals interval (ms) |
| `subk_count` | u8 | 8 | Top-K subcarrier count |
All configurable via `provision.py --edge-tier 2 --pres-thresh 0.05 ...`
### Additional Features
- **OTA Updates**: HTTP server on port 8032 (`POST /ota`, `GET /ota/status`) with rollback support
- **Power Management**: WiFi modem sleep + automatic light sleep with configurable duty cycle
## Consequences
### Positive
- Fall detection latency reduced from ~500 ms (network RTT) to <50 ms (on-device)
- Bandwidth reduced 30-50% with delta compression, or 95%+ with vitals-only mode
- Battery-powered deployments possible with duty-cycled light sleep
- Server can handle 10x more nodes (only parses 32-byte vitals instead of ~5 KB CSI)
### Negative
- Firmware complexity increases (edge_processing.c is ~750 lines)
- ESP32-S3 RAM usage increases ~12 KB for ring buffer + filter state
- Binary size increases from ~550 KB to ~925 KB with full WASM3 Tier 3 (10% free in 1 MB partition — see ADR-040)
### Risks
- BPM accuracy depends on subject distance and movement; needs real-world validation
- Fall detection heuristic may false-positive on environmental motion (doors, pets)
- Multi-person separation via subcarrier clustering is approximate without calibration
## Implementation
- `firmware/esp32-csi-node/main/edge_processing.c` — DSP pipeline (~750 lines)
- `firmware/esp32-csi-node/main/edge_processing.h` — Types and API
- `firmware/esp32-csi-node/main/ota_update.c/h` — HTTP OTA endpoint
- `firmware/esp32-csi-node/main/power_mgmt.c/h` — Power management
- `v2/.../wifi-densepose-sensing-server/src/main.rs` — Vitals parser + REST endpoint
- `scripts/provision.py` — Edge config CLI arguments
- `.github/workflows/firmware-ci.yml` — CI build + size gate (updated to 950 KB for Tier 3)
### Tier 3 — WASM Programmable Sensing (ADR-040, ADR-041)
See [ADR-040](ADR-040-wasm-programmable-sensing.md) for hot-loadable WASM modules
compiled from Rust, executed via WASM3 interpreter on-device. Core modules:
gesture recognition, coherence monitoring, adversarial detection.
[ADR-041](ADR-041-wasm-module-collection.md) defines the curated module collection
(37 modules across 6 categories). Phase 1 implemented modules:
- `vital_trend.rs` — Clinical vital sign trend analysis (bradypnea, tachypnea, apnea)
- `intrusion.rs` — State-machine intrusion detection (calibrate-monitor-arm-alert)
- `occupancy.rs` — Spatial occupancy zone detection with per-zone variance analysis
## Hardware Benchmark (RuView ESP32-S3)
Measured on ESP32-S3 (QFN56 rev v0.2, 8 MB flash, 160 MHz, ESP-IDF v5.2).
### Boot Timing
| Milestone | Time (ms) |
|-----------|-----------|
| `app_main()` | 412 |
| WiFi STA init | 627 |
| WiFi connected + IP | 3,732 |
| CSI collection init | 3,754 |
| Edge DSP task started | 3,773 |
| WASM runtime initialized | 3,857 |
| **Total boot → ready** | **~3.9 s** |
### CSI Performance
| Metric | Value |
|--------|-------|
| Frame rate | **28.5 Hz** (measured, ch 5 BW20) |
| Frame sizes | 128 / 256 bytes |
| RSSI range | -83 to -32 dBm (mean -62 dBm) |
| Per-frame interval | 30.6 ms avg |
### Memory
| Region | Size |
|--------|------|
| RAM (main heap) | 256 KiB |
| RAM (secondary) | 21 KiB |
| DRAM | 32 KiB |
| RTC RAM | 7 KiB |
| **Total available** | **316 KiB** |
| PSRAM | Not populated on test board |
| WASM arena fallback | Internal heap (160 KB/slot × 4) |
### Firmware Binary
| Metric | Value |
|--------|-------|
| Binary size | **925 KB** (0xE7440 bytes) |
| Partition size | 1 MB (factory) |
| Free space | 10% (99 KB) |
| CI size gate | 950 KB (PASS) |
| WASM3 interpreter | Included (full, ~100 KB) |
| WASM binary (7 modules) | 13.8 KB (wasm32-unknown-unknown release) |
### WASM Runtime
| Metric | Value |
|--------|-------|
| Init time | **106 ms** |
| Module slots | 4 |
| Arena per slot | 160 KB |
| Frame budget | 10,000 µs (10 ms) |
| Timer interval | 1,000 ms (1 Hz) |
### Findings
1. **Fall detection threshold too low** — default `fall_thresh=2000` (2.0 rad/s²) triggers 6.7 false positives/s in static indoor environment. Recommend increasing to 5000-8000 for typical deployments.
2. **No PSRAM on test board** — WASM arena falls back to internal heap. Boards with PSRAM would support larger modules.
3. **CSI rate exceeds spec** — measured 28.5 Hz vs. expected ~20 Hz. Performance headroom is better than estimated.
4. **WiFi-to-Ethernet isolation** — some routers block UDP between WiFi and wired clients. Recommend same-subnet verification in deployment guide.
5. **sendto ENOMEM crash (Issue #127)** — CSI callbacks in promiscuous mode fire 100-500+ times/sec, exhausting the lwIP pbuf pool and causing a guru meditation crash. Fixed with a dual approach: 50 Hz rate limiter in `csi_collector.c` (20 ms minimum send interval) and a 100 ms ENOMEM backoff in `stream_sender.c`. Binary size with fix: 947 KB. Hardware-verified stable for 200+ CSI callbacks with zero ENOMEM errors.
api-docs/adr/ADR-040-wasm-programmable-sensing.md
+582
View File
@@ -0,0 +1,582 @@
# ADR-040: WASM Programmable Sensing (Tier 3)
**Status**: Accepted
**Date**: 2026-03-02
**Deciders**: @ruvnet
## Context
ADR-039 implemented Tiers 0-2 of the ESP32-S3 edge intelligence pipeline:
- **Tier 0**: Raw CSI passthrough (magic `0xC5110001`)
- **Tier 1**: Basic DSP — phase unwrap, Welford stats, top-K, delta compression
- **Tier 2**: Full pipeline — vitals, presence, fall detection, multi-person
The firmware uses ~820 KB of flash, leaving ~80 KB headroom in the 1 MB OTA partition. The ESP32-S3 has 8 MB PSRAM available for runtime data. New sensing algorithms (gesture recognition, signal coherence monitoring, adversarial detection) currently require a full firmware reflash — impractical for deployed sensor networks.
The project already has 35+ RuVector WASM crates and 28 pre-built `.wasm` binaries, but none are integrated into the ESP32 firmware.
## Decision
Add a **Tier 3 WASM programmable sensing layer** that executes hot-loadable algorithms compiled from Rust to `wasm32-unknown-unknown`, interpreted on-device via the WASM3 runtime.
### Architecture
```
Core 1 (DSP Task)
┌──────────────────────────────────────────────────┐
│ Tier 2 Pipeline (existing) │
│ Phase extract → Welford → Top-K → Biquad → │
│ BPM → Presence → Fall → Multi-person │
│ │
│ ┌──────────────────────────────────────────────┐ │
│ │ Tier 3 WASM Runtime (new) │ │
│ │ WASM3 Interpreter (MIT, ~100 KB flash) │ │
│ │ ┌────────────┐ ┌────────────┐ │ │
│ │ │ Module 0 │ │ Module 1 │ ...×4 │ │
│ │ │ gesture.wm │ │ coherence │ │ │
│ │ └─────┬──────┘ └─────┬──────┘ │ │
│ │ │ │ │ │
│ │ Host API ("csi" namespace) │ │
│ │ csi_get_phase, csi_get_amplitude, ... │ │
│ └──────────────────────────────────────────────┘ │
│ │ │
│ UDP output (0xC5110004) │
└──────────────────────────────────────────────────┘
```
### Components
| Component | File | Description |
|-----------|------|-------------|
| WASM3 component | `components/wasm3/CMakeLists.txt` | ESP-IDF managed component, fetches WASM3 from GitHub |
| Runtime host | `main/wasm_runtime.c/h` | WASM3 environment, module slots, host API bindings |
| HTTP upload | `main/wasm_upload.c/h` | REST endpoints for module management on port 8032 |
| Rust WASM crate | `wifi-densepose-wasm-edge/` | `no_std` sensing algorithms compiled to WASM |
### Host API (namespace "csi")
| Import | Signature | Description |
|--------|-----------|-------------|
| `csi_get_phase` | `(i32) -> f32` | Current phase for subcarrier index |
| `csi_get_amplitude` | `(i32) -> f32` | Current amplitude |
| `csi_get_variance` | `(i32) -> f32` | Welford running variance |
| `csi_get_bpm_breathing` | `() -> f32` | Breathing BPM from Tier 2 |
| `csi_get_bpm_heartrate` | `() -> f32` | Heart rate BPM from Tier 2 |
| `csi_get_presence` | `() -> i32` | Presence flag (0/1) |
| `csi_get_motion_energy` | `() -> f32` | Motion energy scalar |
| `csi_get_n_persons` | `() -> i32` | Detected person count |
| `csi_get_timestamp` | `() -> i32` | Milliseconds since boot |
| `csi_emit_event` | `(i32, f32) -> void` | Emit custom event to host |
| `csi_log` | `(i32, i32) -> void` | Debug log from WASM memory |
| `csi_get_phase_history` | `(i32, i32) -> i32` | Copy phase history ring buffer |
### Module Lifecycle
| Export | Called | Description |
|--------|--------|-------------|
| `on_init()` | Once, when module starts | Initialize module state |
| `on_frame(n_sc: i32)` | Per CSI frame (~20 Hz) | Process current frame |
| `on_timer()` | At configurable interval | Periodic tasks |
### Wire Protocol (magic `0xC5110004`)
| Offset | Type | Field |
|--------|------|-------|
| 0-3 | u32 LE | Magic `0xC5110004` |
| 4 | u8 | Node ID |
| 5 | u8 | Module ID (slot index) |
| 6-7 | u16 LE | Event count |
| 8+ | Event[] | Array of (u8 type, f32 value) tuples |
### HTTP Endpoints (port 8032)
| Method | Path | Description |
|--------|------|-------------|
| `POST` | `/wasm/upload` | Upload .wasm binary (max 128 KB) |
| `GET` | `/wasm/list` | List loaded modules with status |
| `POST` | `/wasm/start/:id` | Start a module |
| `POST` | `/wasm/stop/:id` | Stop a module |
| `DELETE` | `/wasm/:id` | Unload a module |
### WASM Crate Modules
| Module | Source | Events | Description |
|--------|--------|--------|-------------|
| `gesture.rs` | `ruvsense/gesture.rs` | 1 (Core) | DTW template matching for gesture recognition |
| `coherence.rs` | `ruvector/viewpoint/coherence.rs` | 2 (Core) | Phase phasor coherence monitoring |
| `adversarial.rs` | `ruvsense/adversarial.rs` | 3 (Core) | Signal anomaly/adversarial detection |
| `vital_trend.rs` | ADR-041 Phase 1 | 100-111 (Medical) | Clinical vital sign trend analysis (bradypnea, tachypnea, bradycardia, tachycardia, apnea) |
| `occupancy.rs` | ADR-041 Phase 1 | 300-302 (Building) | Spatial occupancy zone detection with per-zone variance analysis |
| `intrusion.rs` | ADR-041 Phase 1 | 200-203 (Security) | State-machine intrusion detector (calibrate-monitor-arm-alert) |
### Memory Budget
| Component | SRAM | PSRAM | Flash |
|-----------|------|-------|-------|
| WASM3 interpreter | ~10 KB | — | ~100 KB |
| WASM module storage (×4) | — | 512 KB | — |
| WASM execution stack | 8 KB | — | — |
| Host API bindings | 2 KB | — | ~15 KB |
| HTTP upload handler | 1 KB | — | ~8 KB |
| RVF parser + verifier | 1 KB | — | ~6 KB |
| **Total Tier 3** | **~22 KB** | **512 KB** | **~129 KB** |
| **Running total (Tier 0-3)** | **~34 KB** | **512 KB** | **~925 KB** |
**Measured binary size**: 925 KB (0xE7440 bytes), 10% free in 1 MB OTA partition.
### NVS Configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `wasm_max` | u8 | 4 | Maximum concurrent WASM modules |
| `wasm_verify` | u8 | 1 | Require signature verification (secure-by-default) |
| `wasm_pubkey` | blob(32) | — | Signing public key for WASM verification |
## Consequences
### Positive
- Deploy new sensing algorithms to 1000+ nodes without reflashing firmware
- 20-year extensibility horizon — new algorithms via .wasm uploads
- Algorithms developed/tested in Rust, compiled to portable WASM
- PSRAM utilization (previously unused 8 MB) for module storage
- Hot-swap algorithms for A/B testing in production deployments
- Same `no_std` Rust code runs on ESP32 (WASM3) and in browser (wasm-pack)
### Negative
- WASM3 interpreter overhead: ~10× slower than native C for compute-heavy code
- Adds ~123 KB flash footprint (firmware approaches 950 KB of 1 MB limit)
- Additional attack surface via WASM module upload endpoint
- Debugging WASM modules on ESP32 is harder than native C
### Risks
| Risk | Mitigation |
|------|------------|
| WASM3 memory management may fragment PSRAM over time | Fixed 160 KB arenas pre-allocated at boot per slot — no runtime malloc/free cycles |
| Complex WASM modules (>64 KB) may cause stack overflow in interpreter | `WASM_STACK_SIZE` = 8 KB, `d_m3MaxFunctionStackHeight` = 128; modules validated at load time |
| HTTP upload endpoint requires network security | Ed25519 signature verification enabled by default (`wasm_verify=1`); disable only via NVS for lab/dev |
| Runaway WASM module blocks DSP pipeline | Per-frame budget guard (10 ms default); module auto-stopped after 10 consecutive faults |
| Denial-of-service via rapid upload/unload cycles | Max 4 concurrent slots; upload handler validates size before PSRAM copy |
## Implementation
- `firmware/esp32-csi-node/components/wasm3/CMakeLists.txt` — WASM3 ESP-IDF component
- `firmware/esp32-csi-node/main/wasm_runtime.c/h` — Runtime host with 12 API bindings + manifest
- `firmware/esp32-csi-node/main/wasm_upload.c/h` — HTTP REST endpoints (RVF-aware)
- `firmware/esp32-csi-node/main/rvf_parser.c/h` — RVF container parser and verifier
- `v2/.../wifi-densepose-wasm-edge/` — Rust WASM crate (gesture, coherence, adversarial, rvf, occupancy, vital_trend, intrusion)
- `v2/.../wifi-densepose-sensing-server/src/main.rs``0xC5110004` parser
- `docs/adr/ADR-039-esp32-edge-intelligence.md` — Updated with Tier 3 reference
---
## Appendix A: Production Hardening
The initial Tier 3 implementation addresses five production-readiness concerns:
### A.1 Fixed PSRAM Arenas
Dynamic `heap_caps_malloc` / `free` cycles on PSRAM fragment memory over days of
continuous operation. Instead, each module slot pre-allocates a **160 KB fixed arena**
at boot (`WASM_ARENA_SIZE`). The WASM binary and WASM3 runtime heap both live inside
this arena. Unloading a module zeroes the arena but never frees it — the slot is
reused on the next `wasm_runtime_load()`.
```
Boot: [arena0: 160 KB][arena1: 160 KB][arena2: 160 KB][arena3: 160 KB]
Total: 640 KB PSRAM
Load: [module0 binary | wasm3 heap | ...padding... ]
Unload:[zeroed .......................................] ← slot reusable
```
This eliminates fragmentation at the cost of reserving 640 KB PSRAM at boot
(8% of 8 MB). The remaining 7.36 MB is available for future use.
### A.2 Per-Frame Budget Guard
Each `on_frame()` call is measured with `esp_timer_get_time()`. If execution
exceeds `WASM_FRAME_BUDGET_US` (default 10 ms = 10,000 us), a budget fault is
recorded. After **10 consecutive faults**, the module is auto-stopped with
`WASM_MODULE_ERROR` state. This prevents a runaway WASM module from blocking the
Tier 2 DSP pipeline.
```c
int64_t t_start = esp_timer_get_time();
m3_CallV(slot->fn_on_frame, n_sc);
uint32_t elapsed_us = (uint32_t)(esp_timer_get_time() - t_start);
slot->total_us += elapsed_us;
if (elapsed_us > slot->max_us) slot->max_us = elapsed_us;
if (elapsed_us > WASM_FRAME_BUDGET_US) {
slot->budget_faults++;
if (slot->budget_faults >= 10) {
slot->state = WASM_MODULE_ERROR; // auto-stop
}
}
```
The budget is configurable via `WASM_FRAME_BUDGET_US` (Kconfig or NVS override).
### A.3 Per-Module Telemetry
The `/wasm/list` endpoint and `wasm_module_info_t` struct expose per-module
telemetry:
| Field | Type | Description |
|-------|------|-------------|
| `frame_count` | u32 | Total on_frame calls since start |
| `event_count` | u32 | Total csi_emit_event calls |
| `error_count` | u32 | WASM3 runtime errors |
| `total_us` | u32 | Cumulative execution time (microseconds) |
| `max_us` | u32 | Worst-case single frame execution time |
| `budget_faults` | u32 | Times frame budget was exceeded |
Mean execution time = `total_us / frame_count`. This enables remote monitoring
of module health and performance regression detection.
### A.4 Secure-by-Default
`wasm_verify` defaults to **1** in both Kconfig and the NVS fallback path.
Uploaded `.wasm` binaries must include a valid Ed25519 signature (same key as
OTA firmware). Disable only for lab/dev use via:
```bash
python provision.py --port COM7 --wasm-verify # NVS: wasm_verify=1 (default)
# To disable in dev: write wasm_verify=0 to NVS directly
```
---
## Appendix B: Adaptive Budget Architecture (Mincut-Driven)
### B.1 Design Principle
One control loop turns **sensing into a bounded compute budget**, spends that
budget on **sparse or spiking inference**, and exports **only deltas**. The
budget is driven by the **mincut eigenvalue gap** (Δλ = λ₂ λ₁ of the CSI
graph Laplacian), which reflects scene complexity: a quiet room has Δλ ≈ 0,
a busy room has large Δλ.
### B.2 Control Loop
```
┌─────────────────────────────────┐
CSI frames ───→ │ Tier 2 DSP (existing) │
│ Welford stats, top-K, presence │
└──────────┬────────────────────────┘
┌──────────────▼──────────────────────┐
│ Budget Controller │
│ │
│ Inputs: │
│ Δλ = mincut eigenvalue gap │
│ A = anomaly_score (adversarial) │
│ T = thermal_pressure (0.0-1.0) │
│ P = battery_pressure (0.0-1.0) │
│ │
│ Output: │
│ B = frame compute budget (μs) │
│ │
│ B = clamp(B₀ + k₁·max(0,Δλ) │
│ + k₂·A │
│ − k₃·T │
│ − k₄·P, │
│ B_min, B_max) │
└──────────────┬──────────────────────┘
┌──────────────▼──────────────────────┐
│ WASM Module Dispatch │
│ Budget B split across active modules│
│ Each module gets B/N μs per frame │
└──────────────┬──────────────────────┘
┌──────────────▼──────────────────────┐
│ Delta Export │
│ Only emit events when Δ > threshold │
│ Quiet room → near-zero UDP traffic │
└─────────────────────────────────────┘
```
### B.3 Budget Formula
```
B = clamp(B₀ + k₁·max(0, Δλ) + k₂·A k₃·T k₄·P, B_min, B_max)
```
| Symbol | Default | Description |
|--------|---------|-------------|
| B₀ | 5,000 μs | Base budget (5 ms) |
| k₁ | 2,000 | Δλ sensitivity (more scene change → more budget) |
| k₂ | 3,000 | Anomaly boost (detected anomaly → more compute) |
| k₃ | 4,000 | Thermal penalty (chip hot → less compute) |
| k₄ | 3,000 | Battery penalty (low SoC → less compute) |
| B_min | 1,000 μs | Floor: always run at least 1 ms |
| B_max | 15,000 μs | Ceiling: never exceed 15 ms |
### B.4 Where Δλ Comes From
The mincut graph is the **top-K subcarrier correlation graph** already
maintained by Tier 1/2 DSP. Subcarriers are nodes; edge weights are
pairwise Pearson correlation magnitudes over the Welford window. The
algebraic connectivity (Fiedler value λ₂) of this graph's Laplacian
approximates the mincut value. On ESP32-S3 with K=8 subcarriers, this
is an 8×8 eigenvalue problem — solvable with power iteration in <100 μs.
### B.5 Spiking and Sparse Optimizations
When the budget is tight (Δλ ≈ 0, quiet room), WASM modules should:
1. **Skip on_frame entirely** if Δλ < ε (no scene change → no computation)
2. **Sparse inference**: Only process the top-K subcarriers that changed
(already tracked by Tier 1 delta compression)
3. **Spiking semantics**: Modules emit events only when state transitions
occur, not on every frame. The host tracks a per-module "last emitted"
state and suppresses duplicate events.
### B.6 Thermal and Power Hooks
ESP32-S3 provides:
- `temp_sensor_read()` — on-chip temperature (°C)
- ADC reading of battery voltage (if wired)
Thermal pressure: `T = clamp((temp_celsius - 60) / 20, 0, 1)` — ramps
from 0 at 60°C to 1.0 at 80°C (thermal throttle zone).
Battery pressure: `P = clamp((3.3 - battery_volts) / 0.6, 0, 1)` — ramps
from 0 at 3.3V to 1.0 at 2.7V (brownout zone).
### B.7 Transport Strategy
WASM output packets (`0xC5110004`) adopt **delta-only export**:
- Events are only emitted when the value changes by more than a
configurable dead-band (default: 5% of previous value)
- Quiet room = zero WASM UDP packets (only Tier 2 vitals at 1 Hz)
- Busy room = bursty WASM events, naturally rate-limited by budget B
Future work: QUIC-lite transport with 0-RTT connection resumption and
congestion-aware pacing, replacing raw UDP for WASM event streams.
---
## Appendix C: Hardware Benchmark (RuView ESP32-S3)
Measured on ESP32-S3 (QFN56 rev v0.2, 8 MB flash, 160 MHz, ESP-IDF v5.2,
board without PSRAM). WiFi connected to AP at RSSI -25 dBm, channel 5 BW20.
### WASM Runtime Performance
| Metric | Value |
|--------|-------|
| WASM runtime init | **106 ms** |
| Total boot to ready | **3.9 s** (including WiFi connect) |
| Module slots | 4 × 160 KB (heap fallback, no PSRAM) |
| WASM binary size (7 modules) | **13.8 KB** (wasm32-unknown-unknown release) |
| Frame budget | 10,000 µs (10 ms) |
| Timer interval | 1,000 ms (1 Hz) |
### CSI Throughput
| Metric | Value |
|--------|-------|
| Frame rate | **28.5 Hz** (exceeds 20 Hz estimate) |
| Frame sizes | 128 / 256 bytes |
| Per-frame interval | 30.6 ms avg |
| RSSI range | -83 to -32 dBm (mean -62 dBm) |
### Rust Test Results
| Crate | Tests | Status |
|-------|-------|--------|
| wifi-densepose-wasm-edge (std) | 14 | All pass, 0 warnings |
| Full workspace | 1,411 | All pass, 0 failed |
### Known Issues
1. **Fall threshold too sensitive** — default 2.0 rad/s² produces 6.7 false positives/s in static environment. Recommend 5.0-8.0 for deployment.
2. **No PSRAM on test board** — WASM arenas fall back to internal heap (316 KiB total). Production boards with 8 MB PSRAM will use dedicated PSRAM arenas.
3. **WiFi-Ethernet isolation** — some consumer routers block bridging between WiFi and wired clients. Verify network path during deployment.
### B.8 Implementation Plan
| Step | Scope | Effort |
|------|-------|--------|
| 1 | Add `edge_compute_fiedler()` in `edge_processing.c` — power iteration on 8×8 Laplacian | ~50 lines C |
| 2 | Add budget controller struct and update formula in `wasm_runtime.c` | ~30 lines C |
| 3 | Wire thermal/battery sensors into budget inputs | ~20 lines C |
| 4 | Add delta-export dead-band filter in `wasm_runtime_on_frame()` | ~15 lines C |
| 5 | NVS keys for k₁-k₄, B_min, B_max, dead-band threshold | ~10 lines C |
Total: ~125 lines of C, no new files. All constants configurable via NVS.
### B.9 Failure Modes
| Failure | Behavior |
|---------|----------|
| Δλ estimate wrong (correlation noise) | Budget oscillates — clamped by B_min/B_max |
| Thermal sensor absent | T defaults to 0 (no throttle) |
| Battery ADC not wired | P defaults to 0 (always-on mode) |
| All WASM modules budget-faulted | DSP pipeline runs Tier 2 only — graceful degradation |
---
## Appendix C: RVF Container Format
### C.1 Problem
Raw `.wasm` uploads over HTTP are remote code execution. Signatures solve
authenticity, but without a manifest the host has no way to enforce budgets,
check API compatibility, or identify what it's running. RVF wraps the WASM
payload with governance metadata in a single artifact.
### C.2 Binary Layout
```
Offset Size Type Field
────────────────────────────────────────────
0 4 [u8;4] Magic "RVF\x01" (0x01465652 LE)
4 2 u16 LE format_version (1)
6 2 u16 LE flags (bit 0: has_signature, bit 1: has_test_vectors)
8 4 u32 LE manifest_len (always 96)
12 4 u32 LE wasm_len
16 4 u32 LE signature_len (0 or 64)
20 4 u32 LE test_vectors_len (0 if none)
24 4 u32 LE total_len (header + manifest + wasm + sig + tvec)
28 4 u32 LE reserved (0)
────────────────────────────────────────────
32 96 struct Manifest (see below)
128 N bytes WASM payload ("\0asm" magic)
128+N 0|64 bytes Ed25519 signature (signs bytes 0..128+N-1)
128+N+S M bytes Test vectors (optional)
```
Total overhead: 32 (header) + 96 (manifest) + 64 (signature) = **192 bytes**.
### C.3 Manifest (96 bytes, packed)
| Offset | Size | Type | Field |
|--------|------|------|-------|
| 0 | 32 | char[] | `module_name` — null-terminated ASCII |
| 32 | 2 | u16 | `required_host_api` — version (1 = current) |
| 34 | 4 | u32 | `capabilities` — RVF_CAP_* bitmask |
| 38 | 4 | u32 | `max_frame_us` — requested per-frame budget (0 = use default) |
| 42 | 2 | u16 | `max_events_per_sec` — rate limit (0 = unlimited) |
| 44 | 2 | u16 | `memory_limit_kb` — max WASM heap (0 = use default) |
| 46 | 2 | u16 | `event_schema_version` — for receiver compatibility |
| 48 | 32 | [u8;32] | `build_hash` — SHA-256 of WASM payload |
| 80 | 2 | u16 | `min_subcarriers` — minimum required (0 = any) |
| 82 | 2 | u16 | `max_subcarriers` — maximum expected (0 = any) |
| 84 | 10 | char[] | `author` — null-padded ASCII |
| 94 | 2 | [u8;2] | reserved (0) |
### C.4 Capability Bitmask
| Bit | Flag | Host API functions |
|-----|------|--------------------|
| 0 | `READ_PHASE` | `csi_get_phase` |
| 1 | `READ_AMPLITUDE` | `csi_get_amplitude` |
| 2 | `READ_VARIANCE` | `csi_get_variance` |
| 3 | `READ_VITALS` | `csi_get_bpm_*`, `csi_get_presence`, `csi_get_n_persons` |
| 4 | `READ_HISTORY` | `csi_get_phase_history` |
| 5 | `EMIT_EVENTS` | `csi_emit_event` |
| 6 | `LOG` | `csi_log` |
Modules declare which host APIs they need. Future firmware versions may
refuse to link imports that aren't declared in capabilities — defense in
depth against supply-chain attacks.
### C.5 On-Device Flow
```
HTTP POST /wasm/upload
┌────────────────────────┐
│ Check first 4 bytes │
│ "RVF\x01" → RVF path │
│ "\0asm" → raw path │
└───────┬────────────────┘
┌────▼────┐ ┌───────────┐
│ RVF │ │ Raw WASM │
│ parse │ │ (dev only,│
│ header │ │ verify=0) │
└────┬────┘ └─────┬─────┘
│ │
┌────▼────┐ │
│ Verify │ │
│ SHA-256 │ │
│ hash │ │
└────┬────┘ │
│ │
┌────▼────┐ │
│ Verify │ │
│ Ed25519 │ │
│ sig │ │
└────┬────┘ │
│ │
┌────▼────┐ │
│ Check │ │
│ host API│ │
│ version │ │
└────┬────┘ │
│ │
├────────────────┘
┌───────────────────┐
│ wasm_runtime_load │
│ set_manifest │
│ start module │
└───────────────────┘
```
### C.6 Rollback Support
Each slot stores the SHA-256 build hash from the manifest. The `/wasm/list`
endpoint returns this hash. Fleet management systems can:
1. Push an RVF to a node
2. Verify the installed hash matches via GET `/wasm/list`
3. Roll back by pushing the previous RVF (same slot reused after unload)
Two-slot strategy: maintain slot 0 as "last known good" and slot 1 as
"candidate". Promote by stopping slot 0 and starting slot 1.
### C.7 Rust Builder
The `wifi-densepose-wasm-edge` crate provides `rvf::builder::build_rvf()`
(behind the `std` feature) to package a `.wasm` binary into an `.rvf`:
```rust
use wifi_densepose_wasm_edge::rvf::builder::{build_rvf, RvfConfig};
let wasm = std::fs::read("target/wasm32-unknown-unknown/release/module.wasm")?;
let rvf = build_rvf(&wasm, &RvfConfig {
module_name: "gesture".into(),
author: "rUv".into(),
capabilities: CAP_READ_PHASE | CAP_EMIT_EVENTS,
max_frame_us: 5000,
..Default::default()
});
std::fs::write("gesture.rvf", &rvf)?;
// Then sign externally with Ed25519 and patch_signature()
```
### C.8 Implementation Files
| File | Description |
|------|-------------|
| `firmware/.../main/rvf_parser.h` | RVF types, capability flags, parse/verify API |
| `firmware/.../main/rvf_parser.c` | Header/manifest parser, SHA-256 hash check |
| `wifi-densepose-wasm-edge/src/rvf.rs` | Format constants, builder (std), tests |
### C.9 Failure Modes
| Failure | Behavior |
|---------|----------|
| RVF too large for PSRAM buffer | Rejected at receive with 400 |
| Build hash mismatch | Rejected at parse with `ESP_ERR_INVALID_CRC` |
| Signature absent when `wasm_verify=1` | Rejected with 403 |
| Host API version too new | Rejected with `ESP_ERR_NOT_SUPPORTED` |
| Raw WASM when `wasm_verify=1` | Rejected with 403 |
api-docs/adr/ADR-041-wasm-module-collection.md
+2741
View File
File diff suppressed because it is too large Load Diff
api-docs/adr/ADR-042-coherent-human-channel-imaging.md
+600
View File
@@ -0,0 +1,600 @@
# ADR-042: Coherent Human Channel Imaging (CHCI) — Beyond WiFi CSI
**Status**: Proposed
**Date**: 2026-03-03
**Deciders**: @ruvnet
**Supersedes**: None
**Related**: ADR-014, ADR-017, ADR-029, ADR-039, ADR-040, ADR-041
---
## Context
WiFi-DensePose currently relies on passive Channel State Information (CSI) extracted from standard 802.11 traffic frames. CSI is one specific way of estimating a channel response, but it is fundamentally constrained by a protocol designed for throughput and interoperability — not for sensing.
### Fundamental Limitations of Passive WiFi CSI
| Constraint | Root Cause | Impact on Sensing |
|-----------|-----------|-------------------|
| MAC-layer jitter | CSMA/CA random backoff, retransmissions | Non-uniform sample timing, aliased Doppler |
| Rate adaptation | MCS selection varies bandwidth and modulation | Inconsistent subcarrier count per frame |
| LO phase drift | Independent oscillators at TX and RX | Phase noise floor ~5° on ESP32, limiting displacement sensitivity to ~0.87 mm at 2.4 GHz |
| Frame overhead | 802.11 preamble, headers, FCS | Wasted airtime that could carry sensing symbols |
| Bandwidth fragmentation | Channel bonding decisions by AP | Variable spectral coverage per observation |
| Multi-node asynchrony | No shared timing reference | TDM coordination requires statistical phase correction (current `phase_align.rs`) |
These constraints impose a hard floor on sensing fidelity. Breathing detection (412 mm chest displacement) is reliable, but heartbeat detection (0.20.5 mm) is marginal. Pose estimation accuracy is limited by amplitude-only tomography rather than coherent phase imaging.
### What We Actually Want
The real objective is **coherent multipath sensing** — measuring the complex-valued impulse response of the human-occupied channel with sufficient phase stability and temporal resolution to reconstruct body surface geometry and sub-millimeter physiological motion.
WiFi is optimized for throughput and interoperability. DensePose is optimized for phase stability and micro-Doppler fidelity. Those goals are not aligned.
### IEEE 802.11bf Changes the Landscape
IEEE Std 802.11bf-2025 was published on September 26, 2025, defining WLAN Sensing as a first-class MAC/PHY capability. Key provisions:
- **Null Data PPDU (NDP) sounding**: Deterministic, known waveforms with no data payload — purpose-built for channel measurement
- **Sensing Measurement Setup (SMS)**: Negotiation protocol between sensing initiator and responder with unique session IDs
- **Trigger-Based Sensing Measurement Exchange (TB SME)**: AP-coordinated sounding with Sensing Availability Windows (SAW)
- **Multiband support**: Sub-7 GHz (2.4, 5, 6 GHz) plus 60 GHz mmWave
- **Bistatic and multistatic modes**: Standard-defined multi-node sensing
This transforms WiFi sensing from passive traffic sniffing into an intentional, standards-compliant sensing protocol. The question is whether to adopt 802.11bf incrementally or to design a purpose-built coherent sensing architecture that goes beyond what 802.11bf specifies.
### ESPARGOS Proves Phase Coherence at ESP32 Cost
The ESPARGOS project (University of Stuttgart, IEEE 2024) demonstrates that phase-coherent WiFi sensing is achievable with commodity ESP32 hardware:
- 8 antennas per board, each on an ESP32-S2
- Phase coherence via shared 40 MHz reference clock + 2.4 GHz phase reference signal distributed over coaxial cable
- Multiple boards combinable into larger coherent arrays
- Public datasets with reference positioning labels
- Ultra-low cost compared to commercial radar platforms
This proves the hardware architecture described in this ADR is feasible at the ESP32-S3 price point ($35 per node).
### SOTA Displacement Sensitivity
| Technology | Frequency | Displacement Resolution | Range | Cost/Node |
|-----------|-----------|------------------------|-------|-----------|
| Passive WiFi CSI (current) | 2.4/5 GHz | ~0.87 mm (limited by 5° phase noise) | 18 m | $3 |
| 802.11bf NDP sounding | 2.4/5/6 GHz | ~0.4 mm (coherent averaging) | 18 m | $3 |
| ESPARGOS phase-coherent | 2.4 GHz | ~0.1 mm (8-antenna coherent) | Room-scale | $5 |
| CW Doppler radar (ISM) | 2.4 GHz | ~10 μm | 15 m | $15 |
| Infineon BGT60TR13C | 5863.5 GHz | Sub-mm | Up to 15 m | $20 |
| Vayyar 4D imaging | 381 GHz | High (4D imaging) | Room-scale | $200+ |
| Novelda X4 UWB | 7.29/8.748 GHz | Sub-mm | 0.410 m | $1550 |
The gap between passive WiFi CSI (~0.87 mm) and coherent phase processing (~0.1 mm) represents a 9x improvement in displacement sensitivity — the difference between marginal and reliable heartbeat detection at ISM bands.
---
## Decision
We define **Coherent Human Channel Imaging (CHCI)** — a purpose-built coherent RF sensing protocol optimized for structural human motion, vital sign extraction, and body surface reconstruction. CHCI is not WiFi in the traditional sense. It is a sensing protocol that operates within ISM band regulatory constraints and can optionally maintain backward compatibility with 802.11bf.
### Architecture Overview
```
┌─────────────────────────────────────────────────────────────────────────┐
│ CHCI System Architecture │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ CHCI Node │ │ CHCI Node │ │ CHCI Node │ │
│ │ (TX + RX) │ │ (TX + RX) │ │ (TX + RX) │ │
│ │ ESP32-S3 │ │ ESP32-S3 │ │ ESP32-S3 │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │ │
│ └───────────┬───────┴───────────────────┘ │
│ │ │
│ ┌────────┴────────┐ │
│ │ Reference Clock │ ← 40 MHz TCXO + PLL distribution │
│ │ Distribution │ ← 2.4/5 GHz phase reference │
│ └────────┬────────┘ │
│ │ │
│ ┌──────────────────┴──────────────────────────────┐ │
│ │ Waveform Controller │ │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ │ │
│ │ │ NDP Sound │ │ Micro-Burst│ │ Chirp Gen │ │ │
│ │ │ (802.11bf) │ │ (5 kHz) │ │ (Multi-BW) │ │ │
│ │ └────────────┘ └────────────┘ └────────────┘ │ │
│ │ │ │ │ │ │
│ │ └──────────────┼───────────────┘ │ │
│ │ ▼ │ │
│ │ ┌─────────────────┐ │ │
│ │ │ Cognitive Engine │ ← Scene state │ │
│ │ │ (Waveform Adapt) │ feedback loop │ │
│ │ └─────────────────┘ │ │
│ └───────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────────────────────────┐ │
│ │ Signal Processing Pipeline │ │
│ │ ┌──────────┐ ┌───────────┐ ┌────────────────┐ │ │
│ │ │ Coherent │ │ Multi-Band│ │ Diffraction │ │ │
│ │ │ Phase │ │ Fusion │ │ Tomography │ │ │
│ │ │ Alignment │ │ (2.4+5+6) │ │ (Complex CSI) │ │ │
│ │ └──────────┘ └───────────┘ └────────────────┘ │ │
│ │ │ │ │ │ │
│ │ └──────────────┼───────────────┘ │ │
│ │ ▼ │ │
│ │ ┌─────────────────┐ │ │
│ │ │ Body Model │ │ │
│ │ │ Reconstruction │ ── DensePose UV │ │
│ │ └─────────────────┘ │ │
│ └───────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
### 1. Intentional OFDM Sounding (Replaces Passive CSI Sniffing)
**What changes**: Instead of waiting for random WiFi packets and extracting CSI as a side effect, transmit deterministic OFDM sounding frames at a fixed cadence with known pilot symbol structure.
**Waveform specification**:
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| Symbol type | 802.11bf NDP (Null Data PPDU) | Standards-compliant, no data payload overhead |
| Sounding cadence | 50200 Hz (configurable) | 50 Hz minimum for heartbeat Doppler; 200 Hz for gesture |
| Bandwidth | 20/40/80 MHz (per band) | 20 MHz default; 80 MHz for maximum range resolution |
| Pilot structure | L-LTF + HT-LTF (standard) | Known phase structure enables coherent processing |
| Burst duration | ≤10 ms per sounding event | ETSI EN 300 328 burst limit compliance |
| Subcarrier count | 56 (20 MHz) / 114 (40 MHz) / 242 (80 MHz) | Standard OFDM subcarrier allocation |
**Phase stability improvement**:
```
Passive CSI: σ_φ ≈ 5° per subcarrier (random MCS, no averaging)
NDP Sounding: σ_φ ≈ 5° / √N where N = coherent averages per epoch
At 50 Hz cadence, 10-frame average: σ_φ ≈ 1.6°
Displacement floor: 0.87 mm → 0.28 mm at 2.4 GHz
```
**Implementation**: New ESP32-S3 firmware mode alongside existing passive CSI. Uses `esp_wifi_80211_tx()` for NDP transmission and existing CSI callback for reception. Sounding schedule coordinated by the Waveform Controller.
### 2. Phase-Locked Dual-Radio Architecture
**What changes**: All CHCI nodes share a common reference clock, eliminating per-node LO phase drift that currently requires statistical correction in `phase_align.rs`.
**Clock distribution design** (based on ESPARGOS architecture):
```
┌──────────────────────────────────────────────────┐
│ Reference Clock Module │
│ │
│ ┌──────────┐ ┌──────────────┐ │
│ │ 40 MHz │────▶│ PLL │ │
│ │ TCXO │ │ Synthesizer │ │
│ │ (±0.5ppm)│ │ (SI5351A) │ │
│ └──────────┘ └──────┬───────┘ │
│ │ │
│ ┌──────────────┼──────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ 40 MHz │ │ 40 MHz │ │ 40 MHz │ │
│ │ to Node 1│ │ to Node 2│ │ to Node 3│ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ 2.4 GHz │ │ 2.4 GHz │ │ 2.4 GHz │ │
│ │ Phase Ref│ │ Phase Ref│ │ Phase Ref│ │
│ │ to Node 1│ │ to Node 2│ │ to Node 3│ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ Distribution: coaxial cable with power splitters │
│ Phase ref: CW tone at center of operating band │
└──────────────────────────────────────────────────┘
```
**Components per node** (incremental cost ~$2):
| Component | Part | Cost | Purpose |
|-----------|------|------|---------|
| TCXO | SiT8008 40 MHz ±0.5 ppm | $0.50 | Reference oscillator (1 per system) |
| PLL synthesizer | SI5351A | $1.00 | Generates 40 MHz + 2.4 GHz references (1 per system) |
| Coax splitter | Mini-Circuits PSC-4-1+ | $0.30/port | Distributes reference to nodes |
| SMA connector | Edge-mount | $0.20 | Reference clock input on each node |
**Acceptance metric**: Phase variance per subcarrier under static conditions ≤ 0.5° RMS over 10 minutes (vs current ~5° with statistical correction).
**Impact on displacement sensitivity**:
```
Current (incoherent): δ_min ≈ λ/(4π) × σ_φ = 12.5cm/(4π) ×× π/180 ≈ 0.87 mm
Coherent (shared clock): δ_min ≈ λ/(4π) × 0.5° × π/180 ≈ 0.087 mm
With 8-antenna coherent averaging:
δ_min ≈ 0.087 mm / √8 ≈ 0.031 mm
```
This puts heartbeat detection (0.20.5 mm chest displacement) well within the sensitivity envelope.
### 3. Multi-Band Coherent Fusion
**What changes**: Transmit sounding frames simultaneously at 2.4 GHz and 5 GHz (optionally 6 GHz with WiFi 6E), fusing them as projections of the same latent motion field in RuVector embedding space.
**Band characteristics for coherent fusion**:
| Property | 2.4 GHz | 5 GHz | 6 GHz |
|----------|---------|-------|-------|
| Wavelength | 12.5 cm | 6.0 cm | 5.0 cm |
| Wall penetration | Excellent | Good | Moderate |
| Displacement sensitivity (0.5° phase) | 0.087 mm | 0.042 mm | 0.035 mm |
| Range resolution (20 MHz) | 7.5 m | 7.5 m | 7.5 m |
| Fresnel zone radius (2 m) | 22.4 cm | 15.5 cm | 14.1 cm |
| Subcarrier spacing (20 MHz) | 312.5 kHz | 312.5 kHz | 312.5 kHz |
**Fusion architecture**:
```
2.4 GHz CSI ──▶ ┌───────────────────┐
│ Band-Specific │ ┌─────────────────────┐
│ Phase Alignment │────▶│ │
│ (per-band ref) │ │ Contrastive │
└───────────────────┘ │ Cross-Band │
│ Fusion │
5 GHz CSI ────▶ ┌───────────────────┐ │ │
│ Band-Specific │────▶│ Body model priors │
│ Phase Alignment │ │ constrain phase │
│ (per-band ref) │ │ relationships │
└───────────────────┘ │ │
│ Output: unified │
6 GHz CSI ────▶ ┌───────────────────┐ │ complex channel │
(optional) │ Band-Specific │────▶│ response │
│ Phase Alignment │ │ │
└───────────────────┘ └─────────────────────┘
┌─────────────────────┐
│ RuVector Contrastive │
│ Embedding Space │
│ (body surface latent)│
└─────────────────────┘
```
**Key insight**: Lower frequency penetrates better (through-wall sensing, NLOS paths). Higher frequency provides finer spatial resolution. By treating each band as a projection of the same physical scene, the fusion model can achieve super-resolution beyond any single band — using body model priors (known human dimensions, joint angle constraints) to constrain the phase relationships across bands.
**Integration with existing code**: Extends `multiband.rs` from independent per-channel fusion to coherent cross-band phase alignment. The existing `CrossViewpointAttention` mechanism in `ruvector/src/viewpoint/attention.rs` provides the attention-weighted fusion foundation.
### 4. Time-Coded Micro-Bursts
**What changes**: Replace continuous WiFi packet streams with very short deterministic OFDM bursts at high cadence, maximizing temporal resolution of Doppler shifts without 802.11 frame overhead.
**Burst specification**:
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| Burst cadence | 15 kHz | 5 kHz enables 2.5 kHz Doppler bandwidth (Nyquist) |
| Burst duration | 420 μs | Single OFDM symbol + CP = 4 μs minimum |
| Symbols per burst | 14 | Minimal overhead per measurement |
| Duty cycle | 0.410% | Compliant with ETSI 10 ms burst limit |
| Inter-burst gap | 196996 μs | Available for normal WiFi traffic |
**Doppler resolution comparison**:
```
Passive WiFi CSI (random, ~30 Hz):
Doppler resolution: Δf_D = 1/T_obs = 1/33ms ≈ 30 Hz
Minimum detectable velocity: v_min = λ × Δf_D / 2 ≈ 1.9 m/s at 2.4 GHz
CHCI micro-burst (5 kHz cadence):
Doppler resolution: Δf_D = 1/(N × T_burst) = 1/(256 × 0.2ms) ≈ 20 Hz
BUT: unambiguous Doppler: ±2500 Hz → v_max = ±156 m/s
Minimum detectable velocity: v_min ≈ λ × 20 / 2 ≈ 1.25 m/s
With coherent integration over 1 second (5000 bursts):
Δf_D = 1/1s = 1 Hz → v_min ≈ 0.063 m/s (6.3 cm/s)
Chest wall velocity during breathing: ~15 cm/s ✓
Chest wall velocity during heartbeat: ~0.52 cm/s ✓
```
**Regulatory compliance**: At 5 kHz burst cadence with 4 μs bursts, duty cycle is 2%. ETSI EN 300 328 allows up to 10 ms continuous transmission followed by mandatory idle. A 4 μs burst followed by 196 μs idle is well within limits. FCC Part 15.247 requires digital modulation (OFDM qualifies) or spread spectrum.
### 5. MIMO Geometry Optimization
**What changes**: Instead of 2×2 WiFi-style antenna layout (optimized for throughput diversity), design antenna spacing tuned for human-scale wavelengths and chest wall displacement sensitivity.
**Antenna geometry design**:
```
Current WiFi-DensePose (throughput-optimized):
┌─────────────────┐
│ ANT1 ANT2 │ ← λ/2 spacing = 6.25 cm at 2.4 GHz
│ │ Optimized for spatial diversity
│ ESP32-S3 │
└─────────────────┘
Proposed CHCI (sensing-optimized):
┌───────────────────────────────────────┐
│ │
│ ANT1 ANT2 ANT3 ANT4 │ ← λ/4 spacing = 3.125 cm
│ ●───────●───────●───────● │ at 2.4 GHz
│ │ Linear array for 1D AoA
│ ESP32-S3 (Node A) │
└───────────────────────────────────────┘
λ/4 = 3.125 cm
Alternative: L-shaped for 2D AoA:
┌────────────────────┐
│ ANT4 │
│ ● │
│ │ λ/4 │
│ ANT3 │
│ ● │
│ │ λ/4 │
│ ANT2 │
│ ● │
│ │ λ/4 │
│ ANT1──●──ANT5──●──ANT6──●──ANT7 │
│ │
│ ESP32-S3 (Node A) │
└────────────────────┘
```
**Design rationale**:
| Design parameter | WiFi (throughput) | CHCI (sensing) |
|-----------------|-------------------|----------------|
| Spacing | λ/2 (6.25 cm) | λ/4 (3.125 cm) |
| Goal | Maximize diversity gain | Maximize angular resolution |
| Array factor | Broad main lobe | Narrow main lobe, grating lobe suppression |
| Geometry | Dual-antenna diversity | Linear or L-shaped phased array |
| Target signal | Far-field plane wave | Near-field chest wall displacement |
**Virtual aperture synthesis**: With 4 nodes × 4 antennas = 16 physical elements, MIMO virtual aperture provides 16 × 16 = 256 virtual channels. Combined with MUSIC or ESPRIT algorithms, this enables sub-degree angle-of-arrival estimation — sufficient to resolve individual body segments.
### 6. Cognitive Waveform Adaptation
**What changes**: The sensing waveform adapts in real-time based on the current scene state, driven by delta coherence feedback from the body model.
**Cognitive sensing modes**:
```
┌───────────────────────────────────────────────────────────────┐
│ Cognitive Waveform Engine │
│ │
│ Scene State ─────▶ ┌────────────────┐ ─────▶ Waveform Config │
│ (from body model) │ Mode Selector │ (to TX nodes) │
│ └───────┬────────┘ │
│ │ │
│ ┌──────────────┼──────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ IDLE │ │ ALERT │ │ ACTIVE │ │
│ │ │ │ │ │ │ │
│ │ 1 Hz NDP │ │ 10 Hz NDP │ │ 50-200 Hz │ │
│ │ Single band│ │ Dual band │ │ All bands │ │
│ │ Low power │ │ Med power │ │ Full power │ │
│ │ │ │ │ │ │ │
│ │ Presence │ │ Tracking │ │ DensePose │ │
│ │ detection │ │ + coarse │ │ + vitals │ │
│ │ only │ │ pose │ │ + micro- │ │
│ │ │ │ │ │ Doppler │ │
│ └────────────┘ └────────────┘ └────────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ VITAL │ │ GESTURE │ │ SLEEP │ │
│ │ │ │ │ │ │ │
│ │ 100 Hz │ │ 200 Hz │ │ 20 Hz │ │
│ │ Subset of │ │ Full band │ │ Single │ │
│ │ optimal │ │ Max bursts │ │ band │ │
│ │ subcarriers│ │ │ │ Low power │ │
│ │ │ │ │ │ │ │
│ │ Breathing, │ │ DTW match │ │ Apnea, │ │
│ │ HR, HRV │ │ + classify │ │ movement, │ │
│ │ │ │ │ │ stages │ │
│ └────────────┘ └────────────┘ └────────────┘ │
│ │
│ Transition triggers: │
│ IDLE → ALERT: Coherence delta > threshold │
│ ALERT → ACTIVE: Person detected with confidence > 0.8 │
│ ACTIVE → VITAL: Static person, body model stable │
│ ACTIVE → GESTURE: Motion spike with periodic structure │
│ ACTIVE → SLEEP: Supine pose detected, low ambient motion │
│ * → IDLE: No detection for 30 seconds │
│ │
└───────────────────────────────────────────────────────────────┘
```
**Power efficiency**: Cognitive adaptation reduces average power consumption by 6080% compared to constant full-rate sounding. In IDLE mode (1 Hz, single band, low power), the system draws <10 mA from the ESP32-S3 radio — enabling battery-powered deployment.
**Integration with ADR-039**: The cognitive waveform modes map directly to ADR-039 edge processing tiers. Tier 0 (raw CSI) corresponds to IDLE/ALERT. Tier 1 (phase unwrap, stats) corresponds to ACTIVE. Tier 2 (vitals, fall detection) corresponds to VITAL/SLEEP. The cognitive engine adds the waveform adaptation feedback loop that ADR-039 lacks.
### 7. Coherent Diffraction Tomography
**What changes**: Current tomography (`tomography.rs`) uses amplitude-only attenuation for voxel reconstruction. With coherent phase data from CHCI, we upgrade to diffraction tomography — resolving body surfaces rather than volumetric shadows.
**Mathematical foundation**:
```
Current (amplitude tomography):
I(x,y,z) = Σ_links |H_measured(f)| × W_link(x,y,z)
Output: scalar opacity per voxel (shadow image)
Proposed (coherent diffraction tomography):
O(x,y,z) = F^{-1}[ Σ_links H_measured(f,θ) / H_reference(f,θ) ]
Where:
H_measured = complex channel response with human present
H_reference = complex channel response of empty room (calibration)
f = frequency (across all bands)
θ = link angle (across all node pairs)
Output: complex permittivity contrast per voxel (body surface)
```
**Key advantage**: Diffraction tomography produces body surface geometry, not just occupancy maps. This directly feeds the DensePose UV mapping pipeline with geometric constraints — reducing the neural network's burden from "guess the surface from shadows" to "refine the surface from holographic reconstruction."
**Performance projection** (based on ESPARGOS results and multi-band coverage):
| Metric | Current (Amplitude) | Proposed (Coherent Diffraction) |
|--------|--------------------|---------------------------------|
| Spatial resolution | ~15 cm (limited by wavelength) | ~3 cm (multi-band synthesis) |
| Body segment discrimination | Coarse (torso vs limb) | Fine (individual limbs) |
| Surface vs volume | Volumetric opacity | Surface geometry |
| Through-wall capability | Yes (amplitude penetrates) | Partial (phase coherence degrades) |
| Calibration requirement | None | Empty room reference scan |
### Acceptance Test
**Primary acceptance criterion**: Demonstrate 0.1 mm displacement detection repeatably at 2 meters in a static controlled room.
**Full acceptance test protocol**:
| Test | Metric | Target | Method |
|------|--------|--------|--------|
| AT-1: Phase stability | σ_φ per subcarrier, static, 10 min | ≤ 0.5° RMS | Record CSI, compute variance |
| AT-2: Displacement | Detectable displacement at 2 m | ≤ 0.1 mm | Precision linear stage, sinusoidal motion |
| AT-3: Breathing rate | BPM error, 3 subjects, 5 min each | ≤ 0.2 BPM | Reference: respiratory belt |
| AT-4: Heart rate | BPM error, 3 subjects, seated, 2 min | ≤ 3 BPM | Reference: pulse oximeter |
| AT-5: Multi-person | Pose detection, 3 persons, 4×4 m room | ≥ 90% keypoint detection | Reference: camera ground truth |
| AT-6: Power | Average draw in IDLE mode | ≤ 10 mA (radio) | Current meter on 3.3 V rail |
| AT-7: Latency | End-to-end pose update latency | ≤ 50 ms | Timestamp injection |
| AT-8: Regulatory | Conducted emissions, 2.4 GHz ISM | FCC 15.247 + ETSI 300 328 | Spectrum analyzer |
### Backward Compatibility
**Question 1: Do you want backward compatibility with normal WiFi routers?**
CHCI supports a **dual-mode architecture**:
| Mode | Description | When to Use |
|------|-------------|-------------|
| **Legacy CSI** | Passive sniffing of existing WiFi traffic | Retrofit into existing WiFi environments, no hardware changes |
| **802.11bf NDP** | Standard-compliant NDP sounding | WiFi AP supports 802.11bf, moderate improvement over legacy |
| **CHCI Native** | Full coherent sounding with shared clock | Purpose-deployed sensing mesh, maximum fidelity |
The firmware can switch between modes at runtime. The signal processing pipeline (`signal/src/ruvsense/`) accepts CSI from any mode — the coherent processing path activates when shared-clock metadata is present in the CSI frame header.
**Question 2: Are you willing to own both transmitter and receiver hardware?**
Yes. CHCI requires owning both TX and RX to achieve phase coherence. The system is deployed as a self-contained sensing mesh — not parasitic on existing WiFi infrastructure. This is the fundamental architectural trade: compatibility for control. For sensing, that is a good trade.
### Hardware Bill of Materials (per CHCI node)
| Component | Part | Quantity | Unit Cost | Purpose |
|-----------|------|----------|-----------|---------|
| ESP32-S3-WROOM-1 | Espressif | 1 | $2.50 | Main MCU + WiFi radio |
| External antenna | 2.4/5 GHz dual-band | 24 | $0.30 each | Sensing antennas (λ/4 spacing) |
| SMA connector | Edge-mount | 1 | $0.20 | Reference clock input |
| Coax cable | RG-174 | 1 m | $0.15 | Clock distribution |
| PCB | Custom 4-layer | 1 | $0.50 | Integration (at volume) |
| **Node total** | | | **$4.25** | |
| Reference clock module | SI5351A + TCXO + splitter | 1 per system | $3.00 | Shared clock source |
| **4-node system total** | | | **$20.00** | |
This is 10× cheaper than the nearest comparable coherent sensing platform (Novelda X4 at $50/node, Vayyar at $200+).
### Implementation Phases
| Phase | Timeline | Deliverables | Dependencies |
|-------|----------|-------------|--------------|
| **Phase 1: NDP Sounding** | 4 weeks | ESP32-S3 firmware for 802.11bf NDP TX/RX, sounding scheduler, CSI extraction from NDP frames | ESP-IDF 5.2+, existing firmware |
| **Phase 2: Clock Distribution** | 6 weeks | Reference clock PCB design, SI5351A driver, phase reference distribution, `phase_align.rs` upgrade | Phase 1, PCB fabrication |
| **Phase 3: Coherent Processing** | 4 weeks | Coherent diffraction tomography in `tomography.rs`, complex-valued CSI pipeline, calibration procedure | Phase 2 |
| **Phase 4: Multi-Band Fusion** | 4 weeks | Simultaneous 2.4+5 GHz sounding, cross-band phase alignment, contrastive fusion in RuVector space | Phase 1, Phase 3 |
| **Phase 5: Cognitive Engine** | 3 weeks | Waveform adaptation state machine, coherence delta feedback, power management modes | Phase 3, Phase 4 |
| **Phase 6: Acceptance Testing** | 3 weeks | AT-1 through AT-8, precision displacement rig, regulatory pre-scan | Phase 5 |
### Crate Architecture
New and modified crates:
| Crate | Type | Description |
|-------|------|-------------|
| `wifi-densepose-chci` | **New** | CHCI protocol definition, waveform specs, cognitive engine |
| `wifi-densepose-signal` | Modified | Add coherent diffraction tomography, upgrade `phase_align.rs` |
| `wifi-densepose-hardware` | Modified | Reference clock driver, NDP sounding firmware, antenna geometry config |
| `wifi-densepose-ruvector` | Modified | Cross-band contrastive fusion in viewpoint attention |
| `wifi-densepose-wasm-edge` | Modified | New WASM modules for CHCI-specific edge processing |
### Module Impact Matrix
| Existing Module | Current Function | CHCI Upgrade |
|----------------|-----------------|-------------|
| `phase_align.rs` | Statistical LO offset estimation | Replace with shared-clock phase reference alignment |
| `multiband.rs` | Independent per-channel fusion | Coherent cross-band phase alignment with body priors |
| `coherence.rs` | Z-score coherence scoring | Complex-valued coherence metric (phasor domain) |
| `coherence_gate.rs` | Accept/Reject gate decisions | Add waveform adaptation feedback to cognitive engine |
| `tomography.rs` | Amplitude-only ISTA L1 solver | Coherent diffraction tomography with complex CSI |
| `multistatic.rs` | Attention-weighted fusion | Add PLL-disciplined synchronization path |
| `field_model.rs` | SVD room eigenstructure | Coherent room transfer function model with phase |
| `intention.rs` | Pre-movement lead signals | Enhanced micro-Doppler from high-cadence bursts |
| `gesture.rs` | DTW template matching | Phase-domain gesture features (higher discrimination) |
---
## Consequences
### Positive
- **9× displacement sensitivity improvement**: From 0.87 mm (incoherent) to 0.031 mm (coherent 8-antenna) at 2.4 GHz, enabling reliable heartbeat detection at ISM bands
- **Standards-compliant path**: 802.11bf NDP sounding is a published IEEE standard (September 2025), providing regulatory clarity
- **10× cost advantage**: $4.25/node vs $50+ for nearest comparable coherent sensing platform
- **Through-wall preservation**: Operates at 2.4/5 GHz ISM bands, maintaining the through-wall sensing advantage that mmWave systems lack
- **Backward compatible**: Dual-mode firmware supports legacy CSI, 802.11bf NDP, and native CHCI — deployable incrementally
- **Privacy-preserving**: No cameras, no audio — same RF-only sensing paradigm as current WiFi-DensePose
- **Power-efficient**: Cognitive waveform adaptation reduces average power 6080% vs constant-rate sounding
- **Body surface reconstruction**: Coherent diffraction tomography produces geometric constraints for DensePose, reducing neural network inference burden
- **Proven feasibility**: ESPARGOS demonstrates phase-coherent WiFi sensing at ESP32 cost point (IEEE 2024)
### Negative
- **Custom hardware required**: Cannot parasitically sense from existing WiFi routers in CHCI Native mode (802.11bf mode can use compliant APs)
- **PCB design needed**: Reference clock distribution requires custom PCB — not a pure firmware upgrade
- **Calibration burden**: Coherent diffraction tomography requires empty-room reference scan — adds deployment friction
- **Clock distribution complexity**: Coaxial cable distribution limits deployment flexibility vs fully wireless mesh
- **Two-phase deployment**: Full CHCI requires Phases 16 (~24 weeks). Intermediate modes (NDP-only, Phase 1) provide incremental value.
### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| ESP32-S3 WiFi hardware does not support NDP TX at 802.11bf spec | Medium | High | Fall back to raw 802.11 frame injection with known preamble; validate with `esp_wifi_80211_tx()` |
| Phase coherence degrades over cable length >2 m | Low | Medium | Use matched-length cables; add per-node phase calibration step |
| ETSI/FCC regulatory rejection of custom sounding cadence | Low | High | Stay within 802.11bf NDP specification; use standard-compliant waveforms only |
| Coherent diffraction tomography computationally exceeds ESP32 | Medium | Medium | Run tomography on aggregator (Rust server), not on edge. ESP32 sends coherent CSI only |
| Multi-band simultaneous TX causes self-interference | Medium | Medium | Time-division between bands (alternating 2.4/5 GHz per burst slot) or frequency planning |
| Body model priors over-constrain fusion, missing novel poses | Low | Medium | Use priors as soft constraints (regularization) not hard constraints |
---
## References
### Standards
1. IEEE Std 802.11bf-2025, "Standard for Information Technology — Telecommunications and Information Exchange between Systems — Local and Metropolitan Area Networks — Specific Requirements — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications — Amendment: Enhancements for Wireless Local Area Network (WLAN) Sensing," IEEE, September 2025.
2. ETSI EN 300 328 V2.2.2, "Wideband transmission systems; Data transmission equipment operating in the 2.4 GHz band," ETSI, July 2019.
3. FCC 47 CFR Part 15.247, "Operation within the bands 902928 MHz, 24002483.5 MHz, and 57255850 MHz."
### Research Papers
4. Euchner, F., et al., "ESPARGOS: An Ultra Low-Cost, Realtime-Capable Multi-Antenna WiFi Channel Sounder for Phase-Coherent Sensing," IEEE, 2024. [arXiv:2502.09405]
5. Restuccia, F., "IEEE 802.11bf: Toward Ubiquitous Wi-Fi Sensing," IEEE Communications Standards Magazine, 2024. [arXiv:2310.05765]
6. Pegoraro, J., et al., "Sensing Performance of the IEEE 802.11bf Protocol," IEEE, 2024. [arXiv:2403.19825]
7. Chen, Y., et al., "Multi-Band Wi-Fi Neural Dynamic Fusion for Sensing," IEEE ICASSP, 2024. [arXiv:2407.12937]
8. Samsung Research, "Optimal Preprocessing of WiFi CSI for Sensing Applications," IEEE, 2024. [arXiv:2307.12126]
9. Yan, Y., et al., "Person-in-WiFi 3D: End-to-End Multi-Person 3D Pose Estimation with Wi-Fi," CVPR 2024.
10. Geng, J., et al., "DensePose From WiFi," Carnegie Mellon University, 2023. [arXiv:2301.00250]
11. Pegoraro, J., et al., "802.11bf Multiband Passive Sensing," IEEE, 2025. [arXiv:2507.22591]
12. Liu, J., et al., "Monitoring Vital Signs and Postures During Sleep Using WiFi Signals," MobiCom, 2020.
### Commercial Systems
13. Vayyar Imaging, "4D Imaging Radar Technology Platform," https://vayyar.com/technology/
14. Infineon Technologies, "BGT60TR13C 60 GHz Radar Sensor IC Datasheet," 2024.
15. Novelda AS, "X4 UWB Radar SoC Datasheet," https://novelda.com/technology/
16. Texas Instruments, "IWR6843 Single-Chip 60-GHz mmWave Sensor," 2024.
17. ESPARGOS Project, https://espargos.net/
### Related ADRs
18. ADR-014: SOTA Signal Processing (phase alignment, coherence scoring)
19. ADR-017: RuVector Signal + MAT Integration (embedding fusion)
20. ADR-029: RuvSense Multistatic Sensing Mode (multi-node coordination)
21. ADR-039: ESP32 Edge Intelligence (tiered processing, power management)
22. ADR-040: WASM Programmable Sensing (edge compute architecture)
23. ADR-041: WASM Module Collection (algorithm registry)
api-docs/adr/ADR-043-sensing-server-ui-api-completion.md
+334
View File
@@ -0,0 +1,334 @@
# ADR-043: Sensing Server UI API Completion
**Status**: Accepted
**Date**: 2026-03-03
**Deciders**: @ruvnet
**Supersedes**: None
**Related**: ADR-034, ADR-036, ADR-039, ADR-040, ADR-041
---
## Context
The WiFi-DensePose sensing server (`wifi-densepose-sensing-server`) is a single-binary Axum server that receives ESP32 CSI frames via UDP, processes them through the RuVector signal pipeline, and serves both a web UI at `/ui/` and a REST/WebSocket API. The UI provides tabs for live sensing visualization, model management, CSI recording, and training -- all designed to operate without external dependencies.
However, the UI's JavaScript expected several backend endpoints that were not yet implemented in the Rust server. Opening the browser console revealed persistent 404 errors for model, recording, and training API routes. Three categories of functionality were broken:
### 1. Model Management (7 endpoints missing)
The Models tab calls `GET /api/v1/models` to list available `.rvf` model files, `GET /api/v1/models/active` to show the currently loaded model, `POST /api/v1/models/load` and `POST /api/v1/models/unload` to control the model lifecycle, and `DELETE /api/v1/models/:id` to remove models from disk. LoRA fine-tuning profiles are managed via `GET /api/v1/models/lora/profiles` and `POST /api/v1/models/lora/activate`. All of these returned 404.
### 2. CSI Recording (5 endpoints missing)
The Recording tab calls `POST /api/v1/recording/start` and `POST /api/v1/recording/stop` to capture CSI frames to `.csi.jsonl` files for later training. `GET /api/v1/recording/list` enumerates stored sessions. `DELETE /api/v1/recording/:id` removes recordings. None of these were wired into the server's router.
### 3. Training Pipeline (5 endpoints missing)
The Training tab calls `POST /api/v1/train/start` to launch a background training run against recorded CSI data, `POST /api/v1/train/stop` to abort, and `GET /api/v1/train/status` to poll progress. Contrastive pretraining (`POST /api/v1/train/pretrain`) and LoRA fine-tuning (`POST /api/v1/train/lora`) endpoints were also unavailable. A WebSocket endpoint at `/ws/train/progress` streams epoch-level progress updates to the UI.
### 4. Sensing Service Not Started on App Init
The web UI's `sensingService` singleton (which manages the WebSocket connection to `/ws/sensing`) was only started lazily when the user navigated to the Sensing tab (`SensingTab.js:182`). However, the Dashboard and Live Demo tabs both read `sensingService.dataSource` at load time — and since the service was never started, the status permanently showed **"RECONNECTING"** with no WebSocket connection attempt and no console errors. This silent failure affected the first-load experience for every user.
### 5. Mobile App Defects
The Expo React Native mobile companion (ADR-034) had two integration defects:
- **WebSocket URL builder**: `ws.service.ts` hardcoded port `3001` for the WebSocket connection instead of using the same-origin port derived from the REST API URL. When the sensing server runs on a different port (e.g., `8080` or `3000`), the mobile app could not connect.
- **Test configuration**: `jest.config.js` contained a `testPathIgnorePatterns` entry that effectively excluded the entire test directory, causing all 25 tests to be skipped silently.
- **Placeholder tests**: All 25 mobile test files contained `it.todo()` stubs with no assertions, providing false confidence in test coverage.
---
## Decision
Implement the complete model management, CSI recording, and training API directly in the sensing server's `main.rs` as inline handler functions sharing `AppStateInner` via `Arc<RwLock<…>>`. Wire all 14 routes into the server's main router so the UI loads without any 404 console errors. Start the sensing WebSocket service on application init (not lazily on tab visit) so Dashboard and Live Demo tabs connect immediately. Fix the mobile app WebSocket URL builder, test configuration, and replace placeholder tests with real implementations.
### Architecture
All 14 new handler functions are implemented directly in `main.rs` as async functions taking `State<AppState>` extractors, sharing the existing `AppStateInner` via `Arc<RwLock<…>>`. This avoids introducing new module files and keeps all API routes in one place alongside the existing sensing and pose handlers.
```
┌───────────────────────────────────────────────────────────────────────┐
│ Sensing Server (main.rs) │
│ │
│ Router::new() │
│ ├── /api/v1/sensing/* (existing — CSI streaming) │
│ ├── /api/v1/pose/* (existing — pose estimation) │
│ ├── /api/v1/models GET list_models (NEW) │
│ ├── /api/v1/models/active GET get_active_model (NEW) │
│ ├── /api/v1/models/load POST load_model (NEW) │
│ ├── /api/v1/models/unload POST unload_model (NEW) │
│ ├── /api/v1/models/:id DELETE delete_model (NEW) │
│ ├── /api/v1/models/lora/profiles GET list_lora (NEW) │
│ ├── /api/v1/models/lora/activate POST activate_lora (NEW) │
│ ├── /api/v1/recording/list GET list_recordings (NEW) │
│ ├── /api/v1/recording/start POST start_recording (NEW) │
│ ├── /api/v1/recording/stop POST stop_recording (NEW) │
│ ├── /api/v1/recording/:id DELETE delete_recording (NEW) │
│ ├── /api/v1/train/status GET train_status (NEW) │
│ ├── /api/v1/train/start POST train_start (NEW) │
│ ├── /api/v1/train/stop POST train_stop (NEW) │
│ ├── /ws/sensing (existing — sensing WebSocket) │
│ └── /ui/* (existing — static file serving) │
│ │
│ AppStateInner (new fields) │
│ ├── discovered_models: Vec<Value> │
│ ├── active_model_id: Option<String> │
│ ├── recordings: Vec<Value> │
│ ├── recording_active / recording_start_time / recording_current_id │
│ ├── recording_stop_tx: Option<watch::Sender<bool>> │
│ ├── training_status: Value │
│ └── training_config: Option<Value> │
│ │
│ data/ │
│ ├── models/ *.rvf files scanned at startup │
│ └── recordings/ *.jsonl files written by background task │
└───────────────────────────────────────────────────────────────────────┘
```
Routes are registered individually in the `http_app` Router before the static UI fallback handler.
### New Endpoints (17 total)
#### Model Management (`model_manager.rs`)
| Method | Path | Request Body | Response | Description |
|--------|------|-------------|----------|-------------|
| `GET` | `/api/v1/models` | -- | `{ models: ModelInfo[], count: usize }` | Scan `data/models/` for `.rvf` files and return manifest metadata |
| `GET` | `/api/v1/models/{id}` | -- | `ModelInfo` | Detailed info for a single model (version, PCK score, LoRA profiles, segment count) |
| `GET` | `/api/v1/models/active` | -- | `ActiveModelInfo \| { status: "no_model" }` | Active model with runtime stats (avg inference ms, frames processed) |
| `POST` | `/api/v1/models/load` | `{ model_id: string }` | `{ status: "loaded", model_id, weight_count }` | Load model weights into memory via `RvfReader`, set `model_loaded = true` |
| `POST` | `/api/v1/models/unload` | -- | `{ status: "unloaded", model_id }` | Drop loaded weights, set `model_loaded = false` |
| `POST` | `/api/v1/models/lora/activate` | `{ model_id, profile_name }` | `{ status: "activated", profile_name }` | Activate a LoRA adapter profile on the loaded model |
| `GET` | `/api/v1/models/lora/profiles` | -- | `{ model_id, profiles: string[], active }` | List LoRA profiles available in the loaded model |
#### CSI Recording (`recording.rs`)
| Method | Path | Request Body | Response | Description |
|--------|------|-------------|----------|-------------|
| `POST` | `/api/v1/recording/start` | `{ session_name, label?, duration_secs? }` | `{ status: "recording", session_id, file_path }` | Create a new `.csi.jsonl` file and begin appending frames |
| `POST` | `/api/v1/recording/stop` | -- | `{ status: "stopped", session_id, frame_count }` | Stop the active recording, write companion `.meta.json` |
| `GET` | `/api/v1/recording/list` | -- | `{ recordings: RecordingSession[], count }` | List all recordings by scanning `.meta.json` files |
| `GET` | `/api/v1/recording/download/{id}` | -- | `application/x-ndjson` file | Download the raw JSONL recording file |
| `DELETE` | `/api/v1/recording/{id}` | -- | `{ status: "deleted", deleted_files }` | Remove `.csi.jsonl` and `.meta.json` files |
#### Training Pipeline (`training_api.rs`)
| Method | Path | Request Body | Response | Description |
|--------|------|-------------|----------|-------------|
| `POST` | `/api/v1/train/start` | `TrainingConfig { epochs, batch_size, learning_rate, ... }` | `{ status: "started", run_id }` | Launch background training task against recorded CSI data |
| `POST` | `/api/v1/train/stop` | -- | `{ status: "stopped", run_id }` | Cancel the active training run via a stop signal |
| `GET` | `/api/v1/train/status` | -- | `TrainingStatus { phase, epoch, loss, ... }` | Current training state (idle, training, complete, failed) |
| `POST` | `/api/v1/train/pretrain` | `{ epochs?, learning_rate? }` | `{ status: "started", mode: "pretrain" }` | Start self-supervised contrastive pretraining (ADR-024) |
| `POST` | `/api/v1/train/lora` | `{ profile_name, epochs?, rank? }` | `{ status: "started", mode: "lora" }` | Start LoRA fine-tuning on a loaded base model |
| `WS` | `/ws/train/progress` | -- | Streaming `TrainingProgress` JSON | Epoch-level progress with loss, metrics, and ETA |
### State Management
All three modules share the server's `AppStateInner` via `Arc<RwLock<AppStateInner>>`. New fields added to `AppStateInner`:
```rust
/// Runtime state for a loaded RVF model (None if no model loaded).
pub loaded_model: Option<LoadedModelState>,
/// Runtime state for the active CSI recording session.
pub recording_state: RecordingState,
/// Runtime state for the active training run.
pub training_state: TrainingState,
/// Broadcast channel for training progress updates (consumed by WebSocket).
pub train_progress_tx: broadcast::Sender<TrainingProgress>,
```
Key design constraints:
- **Single writer**: Only one recording session can be active at a time. Starting a new recording while one is active returns an error.
- **Single model**: Only one model can be loaded at a time. Loading a new model implicitly unloads the previous one.
- **Background training**: Training runs in a spawned `tokio::task`. Progress is broadcast via a `tokio::sync::broadcast` channel. The WebSocket handler subscribes to this channel.
- **Auto-stop**: Recordings with a `duration_secs` parameter automatically stop after the specified elapsed time.
### Training Pipeline (No External Dependencies)
The training pipeline is implemented entirely in Rust without PyTorch or `tch` dependencies. The pipeline:
1. **Loads data**: Reads `.csi.jsonl` recording files from `data/recordings/`
2. **Extracts features**: Subcarrier variance (sliding window), temporal gradients, Goertzel frequency-domain power across 9 bands, and 3 global scalar features (mean amplitude, std, motion score)
3. **Trains model**: Regularised linear model via batch gradient descent targeting 17 COCO keypoints x 3 dimensions = 51 output targets
4. **Exports model**: Best checkpoint exported as `.rvf` container using `RvfBuilder`, stored in `data/models/`
This design means the sensing server is fully self-contained: a field operator can record CSI data, train a model, and load it for inference without any external tooling.
### File Layout
```
data/
├── models/ # RVF model files
│ ├── wifi-densepose-v1.rvf # Trained model container
│ └── wifi-densepose-v1.rvf # (additional models...)
└── recordings/ # CSI recording sessions
├── walking-20260303_140000.csi.jsonl # Raw CSI frames (JSONL)
├── walking-20260303_140000.csi.meta.json # Session metadata
├── standing-20260303_141500.csi.jsonl
└── standing-20260303_141500.csi.meta.json
```
### Mobile App Fixes
Three defects were corrected in the Expo React Native mobile companion (`ui/mobile/`):
1. **WebSocket URL builder** (`src/services/ws.service.ts`): The URL construction logic previously hardcoded port `3001` for WebSocket connections. This was changed to derive the WebSocket port from the same-origin HTTP URL, using `window.location.port` on web and the configured server URL on native platforms. This ensures the mobile app connects to whatever port the sensing server is actually running on.
2. **Jest configuration** (`jest.config.js`): The `testPathIgnorePatterns` array previously contained an entry that matched the test directory itself, causing Jest to silently skip all test files. The pattern was corrected to only ignore `node_modules/`.
3. **Placeholder tests replaced**: All 25 mobile test files contained only `it.todo()` stubs. These were replaced with real test implementations covering:
| Category | Test Files | Coverage |
|----------|-----------|----------|
| Utils | `format.test.ts`, `validation.test.ts` | Number formatting, URL validation, input sanitization |
| Services | `ws.service.test.ts`, `api.service.test.ts` | WebSocket connection lifecycle, REST API calls, error handling |
| Stores | `poseStore.test.ts`, `settingsStore.test.ts`, `matStore.test.ts` | Zustand state transitions, persistence, selector memoization |
| Components | `BreathingGauge.test.tsx`, `HeartRateGauge.test.tsx`, `MetricCard.test.tsx`, `ConnectionBanner.test.tsx` | Rendering, prop validation, theme compliance |
| Hooks | `useConnection.test.ts`, `useSensing.test.ts` | Hook lifecycle, cleanup, error states |
| Screens | `LiveScreen.test.tsx`, `VitalsScreen.test.tsx`, `SettingsScreen.test.tsx` | Screen rendering, navigation, data binding |
---
## Rationale
### Why implement model/training/recording in the sensing server?
The alternative would be to run a separate Python training service and proxy requests. This was rejected for three reasons:
1. **Single-binary deployment**: WiFi-DensePose targets edge deployments (disaster response, building security, healthcare monitoring per ADR-034) where installing Python, pip, and PyTorch is impractical. A single Rust binary that handles sensing, recording, training, and inference is the correct architecture for field use.
2. **Zero-configuration UI**: The web UI is served by the same binary that exposes the API. When a user opens `http://server:8080/`, everything works -- no additional services to start, no ports to configure, no CORS to manage.
3. **Data locality**: CSI frames arrive via UDP, are processed for real-time display, and can simultaneously be written to disk for training. The recording module hooks directly into the CSI processing loop via `maybe_record_frame()`, avoiding any serialization overhead or inter-process communication.
### Why fix mobile in the same change?
The mobile app's WebSocket failure was caused by the same root problem -- assumptions about server port layout that did not match reality. Fixing the server API without fixing the mobile client would leave a broken user experience. The test fixes were included because the placeholder tests masked the WebSocket URL bug during development.
---
## Consequences
### Positive
- **UI loads with zero console errors**: All model, recording, and training tabs render correctly and receive real data from the server
- **End-to-end workflow**: Users can record CSI data, train a model, load it, and see pose estimation results -- all from the web UI without any external tools
- **LoRA fine-tuning support**: Users can adapt a base model to new environments via LoRA profiles, activated through the UI
- **Mobile app connects reliably**: The WebSocket URL builder uses same-origin port derivation, working correctly regardless of which port the server runs on
- **25 real mobile tests**: Provide actual regression protection for utils, services, stores, components, hooks, and screens
- **Self-contained sensing server**: No Python, PyTorch, or external training infrastructure required
### Negative
- **Sensing server binary grows**: The three new modules add approximately 2,000 lines of Rust to the sensing server crate, increasing compile time marginally
- **Training is lightweight**: The built-in training pipeline uses regularised linear regression, not deep learning. For production-grade pose estimation models, the full Python training pipeline (`wifi-densepose-train`) with PyTorch is still needed. The in-server training is designed for quick field calibration, not SOTA accuracy.
- **File-based storage**: Models and recordings are stored as files on the local filesystem (`data/models/`, `data/recordings/`). There is no database, no replication, and no access control. This is acceptable for single-node edge deployments but not for multi-user production environments.
### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| Disk fills up during long recording sessions | Medium | Medium | `duration_secs` auto-stop parameter; UI shows file size; manual `DELETE` endpoint |
| Concurrent model load/unload during inference causes race | Low | High | `RwLock` on `AppStateInner` serializes all state mutations; inference path acquires read lock |
| Training on insufficient data produces poor model | Medium | Low | Training API validates minimum frame count before starting; UI shows dataset statistics |
| JSONL recording format is inefficient for large datasets | Low | Low | Acceptable for field calibration (minutes of data); production datasets use the Python pipeline with HDF5 |
---
## Implementation
### Server-Side Changes
All 14 new handler functions were added directly to `main.rs` (~400 lines of new code). Key additions:
| Handler | Method | Path | Description |
|---------|--------|------|-------------|
| `list_models` | GET | `/api/v1/models` | Scans `data/models/` for `.rvf` files at startup, returns cached list |
| `get_active_model` | GET | `/api/v1/models/active` | Returns currently loaded model or `null` |
| `load_model` | POST | `/api/v1/models/load` | Sets `active_model_id` in state |
| `unload_model` | POST | `/api/v1/models/unload` | Clears `active_model_id` |
| `delete_model` | DELETE | `/api/v1/models/:id` | Removes model from disk and state |
| `list_lora_profiles` | GET | `/api/v1/models/lora/profiles` | Scans `data/models/lora/` directory |
| `activate_lora_profile` | POST | `/api/v1/models/lora/activate` | Activates a LoRA adapter |
| `list_recordings` | GET | `/api/v1/recording/list` | Scans `data/recordings/` for `.jsonl` files with frame counts |
| `start_recording` | POST | `/api/v1/recording/start` | Spawns tokio background task writing CSI frames to `.jsonl` |
| `stop_recording` | POST | `/api/v1/recording/stop` | Sends stop signal via `tokio::sync::watch`, returns duration |
| `delete_recording` | DELETE | `/api/v1/recording/:id` | Removes recording file from disk |
| `train_status` | GET | `/api/v1/train/status` | Returns training phase (idle/running/complete/failed) |
| `train_start` | POST | `/api/v1/train/start` | Sets training status to running with config |
| `train_stop` | POST | `/api/v1/train/stop` | Sets training status to idle |
Helper functions: `scan_model_files()`, `scan_lora_profiles()`, `scan_recording_files()`, `chrono_timestamp()`.
Startup creates `data/models/` and `data/recordings/` directories and populates initial state with scanned files.
### Web UI Fix
| File | Change | Description |
|------|--------|-------------|
| `ui/app.js` | Modified | Import `sensingService` and call `sensingService.start()` in `initializeServices()` after backend health check, so Dashboard and Live Demo tabs connect to `/ws/sensing` immediately on load instead of waiting for Sensing tab visit |
| `ui/services/sensing.service.js` | Comment | Updated comment documenting that `/ws/sensing` is on the same HTTP port |
### Mobile App Files
| File | Change | Description |
|------|--------|-------------|
| `ui/mobile/src/services/ws.service.ts` | Modified | `buildWsUrl()` uses `parsed.host` directly with `/ws/sensing` path instead of hardcoded port `3001` |
| `ui/mobile/jest.config.js` | Modified | `testPathIgnorePatterns` corrected to only ignore `node_modules/` |
| `ui/mobile/src/__tests__/*.test.ts{x}` | Replaced | 25 placeholder `it.todo()` tests replaced with real implementations |
---
## Verification
```bash
# 1. Start sensing server with auto source (simulated fallback)
cd v2
cargo run -p wifi-densepose-sensing-server -- --http-port 3000 --source auto
# 2. Verify model endpoints return 200
curl -s http://localhost:3000/api/v1/models | jq '.count'
curl -s http://localhost:3000/api/v1/models/active | jq '.status'
# 3. Verify recording endpoints return 200
curl -s http://localhost:3000/api/v1/recording/list | jq '.count'
curl -s -X POST http://localhost:3000/api/v1/recording/start \
-H 'Content-Type: application/json' \
-d '{"session_name":"test","duration_secs":5}' | jq '.status'
# 4. Verify training endpoint returns 200
curl -s http://localhost:3000/api/v1/train/status | jq '.phase'
# 5. Verify LoRA endpoints return 200
curl -s http://localhost:3000/api/v1/models/lora/profiles | jq '.'
# 6. Open UI — check browser console for zero 404 errors
# Navigate to http://localhost:3000/ui/
# 7. Run mobile tests
cd ../ui/mobile
npx jest --no-coverage
# 8. Run Rust workspace tests (must pass, 1031+ tests)
cd ../../v2
cargo test --workspace --no-default-features
```
---
## References
- ADR-034: Expo React Native Mobile Application (mobile companion architecture)
- ADR-036: RVF Training Pipeline UI (training pipeline design)
- ADR-039: ESP32-S3 Edge Intelligence Pipeline (CSI frame format and processing tiers)
- ADR-040: WASM Programmable Sensing (Tier 3 edge compute)
- ADR-041: WASM Module Collection (module catalog)
- `crates/wifi-densepose-sensing-server/src/main.rs` -- all 14 new handler functions (model, recording, training)
- `ui/app.js` -- sensing service early initialization fix
- `ui/mobile/src/services/ws.service.ts` -- mobile WebSocket URL fix
api-docs/adr/ADR-044-geospatial-satellite-integration.md
+65
View File
@@ -0,0 +1,65 @@
# ADR-044: Geospatial Satellite Integration
## Status
Accepted
## Context
RuView generates real-time 3D point clouds from camera + WiFi CSI, but these exist in a local coordinate frame with no geographic reference. Integrating free satellite imagery, terrain elevation, and map data provides environmental context that enables the ruOS brain to reason about the physical world beyond the room.
## Decision
### Data Sources (all free, no API keys)
| Source | Data | Resolution | Update | Format |
|--------|------|-----------|--------|--------|
| EOX Sentinel-2 Cloudless | Satellite tiles | 10m | Static mosaic | XYZ/JPEG |
| SRTM GL1 (NASA) | Elevation/DEM | 30m (1-arcsec) | Static | Binary HGT |
| Overpass API (OSM) | Buildings, roads | Vector | Real-time | JSON |
| ip-api.com | IP geolocation | ~1km | Per-request | JSON |
| Sentinel-2 STAC | Temporal satellite | 10m | Every 5 days | COG/STAC |
| Open Meteo | Weather | Point | Hourly | JSON |
### Architecture
Pure Rust implementation in `wifi-densepose-geo` crate. No GDAL/PROJ/GEOS — coordinate transforms implemented directly (~250 LOC). Tile caching on disk at `~/.local/share/ruview/geo-cache/`.
### Coordinate System
- WGS84 for geographic coordinates
- ENU (East-North-Up) as the bridge between local sensor frame and world
- Local sensor frame: camera origin, +Z forward, +Y up
### Temporal Awareness
Nightly scheduled fetch of Sentinel-2 latest imagery + OSM diffs + weather.
Changes detected via image comparison and stored as brain memories for
contrastive learning.
### Brain Integration
Geospatial context stored as brain memories:
- `spatial-geo`: location, elevation, nearby landmarks
- `spatial-change`: detected changes in satellite/OSM data
- `spatial-weather`: current conditions + forecast
- `spatial-season`: vegetation index, snow cover, seasonal patterns
- `spatial-local`: hyperlocal web context from Common Crawl WET
### Extended Data Sources (via ruvector WET/Common Crawl)
| Source | Data | Use |
|--------|------|-----|
| Common Crawl WET | Web text near location | Local business info, reviews, events |
| Wikidata | Structured knowledge | Building names, POI descriptions |
| NASA FIRMS | Active fire (3-hour) | Safety alerts |
| USGS Earthquakes | Seismic events | Safety context |
| OpenAQ | Air quality (PM2.5) | Environmental health |
| Overture Maps | Building footprints (Meta/MS) | Higher quality than OSM |
The ruvector brain server has existing `web_ingest` + Common Crawl support.
WET files filtered by geographic URL patterns provide hyperlocal context.
## Consequences
### Positive
- Agent gains environmental awareness beyond the room
- Temporal data enables seasonal calibration of CSI sensing
- Change detection finds construction, vegetation, weather effects
- All data sources are genuinely free with no API keys
### Negative
- Initial data fetch requires internet (~2MB tiles + ~25MB DEM)
- Cached data becomes stale (mitigated by nightly refresh)
- IP geolocation has ~1km accuracy (mitigated by manual override)
api-docs/adr/ADR-045-amoled-display-support.md
+110
View File
@@ -0,0 +1,110 @@
# ADR-045: AMOLED Display Support for ESP32-S3 CSI Node
## Status
Proposed
## Context
The ESP32-S3 board (LilyGO T-Display-S3 AMOLED) has an integrated RM67162 QSPI AMOLED display (536x240) and 8MB octal PSRAM that were unused by the CSI firmware. Users want real-time on-device visualization of CSI statistics, vital signs, and system health without relying on an external server.
### Constraints
- Binary was 947 KB in a 1 MB partition — needed 8MB flash + custom partition table
- SPIRAM was disabled in sdkconfig despite hardware having 8MB PSRAM
- Core 1 is pinned to DSP (edge processing) — display must use Core 0
- Existing CSI pipeline must not be affected
### Available APIs
Thread-safe edge APIs already exist (`edge_get_vitals()`, `edge_get_multi_person()`) — the display task only reads from these, no new synchronization needed.
## Decision
Add optional AMOLED display support with the following architecture:
### Hardware Abstraction Layer
- `display_hal.c/h`: RM67162 QSPI panel driver + CST816S capacitive touch via I2C
- Auto-detect at boot: probe RM67162 and check SPIRAM; log warning and skip if absent
### UI Layer
- `display_ui.c/h`: LVGL 8.3 with 4 swipeable views via tileview widget
- Dark theme (#0a0a0f) with cyan (#00d4ff) accent for three.js-like aesthetic
- Views: Dashboard (CSI amplitude chart + stats), Vitals (breathing + HR line graphs), Presence (4x4 occupancy grid), System (CPU, heap, PSRAM, WiFi, uptime, FPS)
### Task Layer
- `display_task.c/h`: FreeRTOS task on Core 0, priority 1 (lowest)
- LVGL pump loop at configurable FPS (default 30)
- Double-buffered draw buffers allocated in SPIRAM
### Compile-Time Control
- `CONFIG_DISPLAY_ENABLE=y` (default): compiles display code, auto-detects hardware at boot
- `CONFIG_DISPLAY_ENABLE=n`: zero-cost — no display code compiled
- `CONFIG_SPIRAM_IGNORE_NOTFOUND=y`: boots fine on boards without PSRAM
### Flash Layout
8MB partition table (`partitions_display.csv`):
- Dual OTA partitions: 2 x 2MB (supports larger binaries with LVGL)
- SPIFFS: 1.9MB (for future font/asset storage)
- NVS + otadata + phy: standard sizes
### Core/Task Layout
| Task | Core | Priority | Impact |
|------|------|----------|--------|
| WiFi/LwIP | 0 | 18-23 | unchanged |
| OTA httpd | 0 | 5 | unchanged |
| **display_task** | **0** | **1** | **NEW — lowest priority** |
| edge_task (DSP) | 1 | 5 | unchanged |
### Dependencies
- LVGL ~8.3 (via ESP-IDF managed components)
- espressif/esp_lcd_touch_cst816s ^1.0
- espressif/esp_lcd_touch ^1.0
## Consequences
### Positive
- Real-time on-device stats without network dependency
- Zero impact on CSI pipeline (display reads thread-safe APIs, runs at lowest priority)
- Graceful degradation: works on boards without display or PSRAM
- SPIRAM enabled for all boards (benefits WASM runtime too)
- 8MB flash + dual OTA 2MB partitions give headroom for future features
### Negative
- Binary size increase (~200-300 KB with LVGL)
- SPIRAM + 8MB flash config is specific to T-Display-S3 AMOLED boards
- Boards with only 4MB flash need `CONFIG_DISPLAY_ENABLE=n` and the old partition table
### Risks
- RM67162 init sequence is board-specific; other AMOLED panels may need different commands
- QSPI bus conflicts if other peripherals use SPI2_HOST (currently unused)
## New Files
| File | Purpose |
|------|---------|
| `main/display_hal.c/h` | RM67162 QSPI + CST816S touch HAL |
| `main/display_ui.c/h` | LVGL 4-view UI |
| `main/display_task.c/h` | FreeRTOS task, LVGL pump |
| `main/lv_conf.h` | LVGL compile config |
| `partitions_display.csv` | 8MB partition table |
| `idf_component.yml` | Managed component deps |
## Modified Files
| File | Change |
|------|--------|
| `sdkconfig.defaults` | 8MB flash, SPIRAM, custom partitions |
| `main/CMakeLists.txt` | Conditional display sources + deps |
| `main/main.c` | +1 include, +5 lines guarded init |
| `main/Kconfig.projbuild` | "AMOLED Display" menu |
api-docs/adr/ADR-046-android-tv-box-armbian-deployment.md
+263
View File
@@ -0,0 +1,263 @@
# ADR-046: Android TV Box / Armbian Deployment Target
## Status
Proposed
## Context
Issue [#138](https://github.com/ruvnet/wifi-densepose/issues/138) requests ESP8266 and mobile device support. The ESP8266 lacks CSI capability and sufficient resources, but the discussion revealed a compelling deployment target: **Android TV boxes** (Amlogic/Allwinner/Rockchip SoCs) running **Armbian** (Debian for ARM).
These devices cost $1535, are always-on mains-powered, include 802.11ac WiFi, 24 GB RAM, quad-core ARM Cortex-A53/A55 CPUs, and HDMI output. They are widely available as consumer "IPTV boxes" (T95, H96 Max, X96, MXQ Pro, etc.) and can boot Armbian from SD card without modifying the factory Android installation.
### Current deployment model
```
[ESP32-S3 nodes] --UDP CSI--> [Laptop/PC running sensing-server] --browser--> [UI]
```
This requires a general-purpose computer ($300+) to run the Rust sensing server, NN inference, and web dashboard. For permanent installations (elder care, smart home, security), dedicating a laptop is impractical.
### Proposed deployment model
```
[ESP32-S3 nodes] --UDP CSI--> [TV Box running Armbian + sensing-server] --HDMI--> [Display]
$25, always-on, fanless
```
### Future: custom WiFi firmware for standalone operation
Many TV box WiFi chipsets (Realtek RTL8822CS, MediaTek MT7661, Broadcom BCM43455) can potentially be patched for CSI extraction when running under Linux with custom drivers. This would eliminate the ESP32 dependency entirely for basic sensing:
```
[TV Box with patched WiFi driver] --CSI extraction--> [sensing-server on same box] --HDMI--> [Display]
$25 total, single device
```
This ADR covers Phase 1 (TV box as aggregator) and Phase 2 (custom WiFi firmware for CSI). Phase 2 is speculative and requires per-chipset R&D.
## Decision
### Phase 1: TV Box as Aggregator (Armbian)
1. **Cross-compile the sensing server** for `aarch64-unknown-linux-gnu` using `cross` or Docker-based cross-compilation.
2. **Create an Armbian deployment package** containing:
- Pre-built `wifi-densepose-sensing-server` binary (aarch64)
- systemd service file for auto-start on boot
- Kiosk-mode Chromium configuration for HDMI dashboard display
- Network configuration for ESP32 UDP reception (port 5005)
- Optional: `hostapd` config to create a dedicated WiFi AP for the ESP32 mesh
3. **Define minimum hardware requirements:**
| Component | Minimum | Recommended |
|-----------|---------|-------------|
| SoC | Amlogic S905W (A53 quad) | Amlogic S905X3 (A55 quad) |
| RAM | 2 GB | 4 GB |
| Storage | 8 GB eMMC + 8 GB SD | 16 GB eMMC + 16 GB SD |
| WiFi | 802.11n 2.4 GHz | 802.11ac dual-band |
| Ethernet | 100 Mbps | Gigabit |
| USB | 1x USB 2.0 | 2x USB 3.0 |
| HDMI | 1.4 | 2.0 |
4. **Tested reference devices** (initial target list):
| Device | SoC | WiFi Chip | Price | Armbian Support |
|--------|-----|-----------|-------|-----------------|
| T95 Max+ | S905X3 | RTL8822CS | ~$30 | Good (meson-sm1) |
| H96 Max X3 | S905X3 | RTL8822CS | ~$35 | Good (meson-sm1) |
| X96 Max+ | S905X3 | RTL8822CS | ~$28 | Good (meson-sm1) |
| Tanix TX6S | H616 | MT7668 | ~$25 | Moderate (sun50i-h616) |
5. **New Rust compilation target** in workspace CI:
- Add `aarch64-unknown-linux-gnu` to cross-compilation matrix
- Binary size target: <15 MB stripped (fits easily in SD card)
- No GPU dependency — CPU-only inference using `candle` or ONNX Runtime for ARM
### Phase 2: Custom WiFi Firmware for CSI Extraction (Future)
1. **CSI extraction feasibility by chipset:**
| Chipset | Driver | CSI Support | Monitor Mode | Effort |
|---------|--------|-------------|--------------|--------|
| Broadcom BCM43455 | brcmfmac | **Proven** (Nexmon CSI) | Yes | Low — patches exist |
| Realtek RTL8822CS | rtw88 | **Moderate** — driver is open-source, CSI hooks need adding | Yes (patched) | Medium |
| MediaTek MT7661 | mt76 | **Unknown** — MediaTek has released CSI tools for some chips | Yes | Medium-High |
2. **CSI extraction architecture** (Linux kernel driver modification):
```
[WiFi chipset firmware] → [Modified kernel driver] → [Netlink/procfs CSI export]
[userspace CSI reader]
[sensing-server UDP input]
```
The CSI data would be reformatted into the existing ESP32 binary protocol (ADR-018 header, magic `0xC5100001`) so the sensing server treats it identically to ESP32 frames. This means zero changes to the ingestion context.
3. **Hybrid mode**: When the TV box has both patched WiFi CSI and ESP32 UDP input, the sensing server's multi-node architecture (already supporting multiple `node_id` values) handles both sources transparently. The TV box's own WiFi becomes an additional viewpoint in the multistatic array.
### Phase 3: Android Companion App (Optional)
For users who want mobile monitoring without Armbian:
1. **PWA (Progressive Web App)**: The sensing server already serves a web UI. Adding a PWA manifest with offline caching makes it installable on any Android device. No native app needed.
2. **Native Android app** (future): Only if PWA proves insufficient. Would use Kotlin + Jetpack Compose, consuming the existing REST API and WebSocket endpoints.
## Deployment Architecture
### Single-Room Deployment (Phase 1)
```
┌──────────────────────────────────────────────────────────────┐
│ Room │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ ESP32-S3 │ │ ESP32-S3 │ │ ESP32-S3 │ CSI sensor mesh │
│ │ Node 1 │ │ Node 2 │ │ Node 3 │ ($10 each) │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ └──────────────┼──────────────┘ │
│ │ UDP port 5005 │
│ ▼ │
│ ┌──────────────────────────────────────┐ │
│ │ Android TV Box (Armbian) │ │
│ │ │ │
│ │ ┌──────────────────────────────┐ │ │
│ │ │ wifi-densepose-sensing- │ │ │
│ │ │ server (aarch64 binary) │ │ │
│ │ │ │ │ │
│ │ │ • CSI ingestion (UDP) │ │ │
│ │ │ • Feature extraction │ │ │
│ │ │ • NN inference (CPU) │ │ │
│ │ │ • WebSocket streaming │ │ │
│ │ │ • REST API │ │ │
│ │ │ • Web UI (:3000) │ │ │
│ │ └──────────────────────────────┘ │ │
│ │ │ │
│ │ ┌──────────────────────────────┐ │ │
│ │ │ Chromium Kiosk Mode │───│──→ HDMI out │
│ │ │ (localhost:3000) │ │ to display │
│ │ └──────────────────────────────┘ │ │
│ │ │ │
│ │ Cost: $25-35 │ │
│ │ Power: 5-10W (USB-C or barrel) │ │
│ │ Form: fits behind TV/monitor │ │
│ └──────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────┘
Total system cost: $55-65 (3 ESP32 nodes + 1 TV box)
```
### Multi-Room Deployment
```
┌──────────────┐
│ Router │
│ (WiFi AP) │
└──────┬───────┘
│ LAN
┌──────────────┼──────────────┐
│ │ │
┌───────▼───────┐ ┌───▼────────┐ ┌──▼──────────┐
│ Room A │ │ Room B │ │ Room C │
│ TV Box + │ │ TV Box + │ │ TV Box + │
│ 3x ESP32 │ │ 3x ESP32 │ │ 3x ESP32 │
│ HDMI display │ │ HDMI │ │ HDMI │
└───────────────┘ └────────────┘ └─────────────┘
Each room: self-contained sensing + display
Central dashboard: aggregate all rooms via REST API
```
### Standalone Mode (Phase 2 — Custom WiFi FW)
```
┌──────────────────────────────────────┐
│ Android TV Box (Armbian) │
│ │
│ ┌────────────────────┐ │
│ │ Patched WiFi │ │
│ │ Driver │ │
│ │ (CSI extraction) │ │
│ └─────────┬──────────┘ │
│ │ CSI frames │
│ ▼ │
│ ┌────────────────────┐ │
│ │ sensing-server │──→ HDMI out │
│ │ (inference + │ │
│ │ dashboard) │ │
│ └────────────────────┘ │
│ │
│ Single device: $25 │
│ No ESP32 nodes needed │
└──────────────────────────────────────┘
```
## Consequences
### Positive
- **10x cost reduction** for aggregator: $25 TV box vs $300+ laptop/PC
- **Always-on deployment**: Mains-powered, fanless, designed for 24/7 operation
- **HDMI output**: Direct connection to TV/monitor for wall-mounted dashboards
- **Familiar hardware**: Available globally, no specialized ordering required
- **Armbian ecosystem**: Mature Debian-based distro with package management, systemd, SSH
- **Path to standalone**: Custom WiFi firmware could eliminate ESP32 dependency entirely
- **PWA for mobile**: No native app development needed for mobile monitoring
- **Multi-room scaling**: One TV box per room, each self-contained
### Negative
- **ARM cross-compilation**: Adds CI complexity; `candle`/ONNX Runtime ARM builds need testing
- **Armbian compatibility**: Not all TV boxes are well-supported; need a tested device list
- **Performance uncertainty**: ARM A53 cores are ~3-5x slower than x86 for NN inference; may need model quantization (INT8) for real-time operation
- **Phase 2 risk**: Custom WiFi firmware is chipset-specific, may require kernel patches per driver version, and CSI quality varies by chipset
- **Support burden**: Different hardware = more configurations to support
- **No GPU**: TV boxes lack discrete GPU; inference is CPU-only (but our models are small enough)
### Neutral
- **No changes to existing ESP32 firmware** — TV box receives the same UDP frames
- **No changes to sensing server protocol** — Phase 2 CSI output uses same binary format
- **Existing web UI works as-is** — Chromium kiosk mode or any browser on the LAN
## Implementation Plan
### Phase 1 (2-3 weeks)
1. Add `aarch64-unknown-linux-gnu` cross-compilation target using `cross`
2. Build and test sensing-server binary on reference TV box (T95 Max+ / S905X3)
3. Create systemd service + Armbian deployment script
4. Benchmark: measure inference latency, memory usage, thermal throttling
5. Create `docs/deployment/armbian-tv-box.md` setup guide
6. Add HDMI kiosk mode configuration (Chromium autostart)
### Phase 2 (4-8 weeks, R&D)
1. Acquire TV box with BCM43455 (proven Nexmon CSI support)
2. Build Armbian with Nexmon CSI patches for BCM43455
3. Write userspace CSI reader → ESP32 binary protocol converter
4. Test CSI quality comparison: ESP32 vs BCM43455
5. If viable: add RTL8822CS CSI extraction via rtw88 driver modification
### Phase 3 (1 week)
1. Add PWA manifest to sensing server web UI
2. Test on Android Chrome, iOS Safari
3. Add service worker for offline dashboard caching
## References
- [Nexmon CSI](https://github.com/seemoo-lab/nexmon_csi) — Broadcom WiFi CSI extraction (BCM43455, BCM4339, BCM4358)
- [Armbian](https://www.armbian.com/) — Debian/Ubuntu for ARM SBCs and TV boxes
- [rtw88 driver](https://github.com/torvalds/linux/tree/master/drivers/net/wireless/realtek/rtw88) — Mainline Linux driver for Realtek 802.11ac chips
- [mt76 driver](https://github.com/torvalds/linux/tree/master/drivers/net/wireless/mediatek/mt76) — Mainline Linux driver for MediaTek WiFi chips
- [cross](https://github.com/cross-rs/cross) — Zero-setup Rust cross-compilation
- [ADR-018: ESP32 CSI Binary Protocol](ADR-018-dev-implementation.md) — Binary frame format reused for Phase 2 CSI extraction
- [ADR-039: Edge Intelligence](ADR-039-esp32-edge-intelligence.md) — On-device processing tiers
- [ADR-043: Sensing Server](ADR-043-sensing-server-ui-api-completion.md) — Single-binary deployment target
api-docs/adr/ADR-047-psychohistory-observatory-visualization.md
+152
View File
@@ -0,0 +1,152 @@
# ADR-047: RuView Observatory — Immersive Three.js WiFi Sensing Visualization
## Status
Accepted (Implemented)
## Date
2026-03-04
## Context
The project has a functional tabbed dashboard UI (`ui/index.html`) with existing Three.js components (body model, gaussian splats, signal visualization, environment). While effective for monitoring, it lacks a cinematic, immersive visualization suitable for demonstrations and stakeholder presentations.
We need an immersive Three.js room-based visualization with practical WiFi sensing data overlays — human wireframe pose, dot-matrix body mass, vital signs HUD, signal field heatmap — powered by ESP32 CSI data (demo mode with live WebSocket path).
## Decision
### Standalone Page Architecture
`ui/observatory.html` is a standalone full-screen entry point, separate from the tabbed dashboard. Linked via "Observatory" nav tab in `ui/index.html`. No build step — vanilla JS modules with Three.js r160 via CDN importmap.
### Room-Based Visualization
Instead of abstract holographic panels, the observatory renders a practical room scene with:
| Element | Implementation | Data Source |
|---------|---------------|-------------|
| Human wireframe | COCO 17-keypoint skeleton, CylinderGeometry tube bones, SphereGeometry joints with glow halos | `persons[].position`, `vital_signs.breathing_rate_bpm` |
| Dot-matrix mist | 800 Points with per-particle alpha ShaderMaterial, body-shaped distribution | `persons[].position`, `persons[].motion_score` |
| Particle trail | 200 Points with age-based fade, emitted from moving person | `persons[].position`, `persons[].motion_score` |
| Signal field | 400 floor-level Points with green→amber color ramp | `signal_field.values` (20×20 grid) |
| WiFi waves | 5 wireframe SphereGeometry shells, AdditiveBlending, pulsing outward | Always-on animation from router position |
| Router | BoxGeometry body, 3 CylinderGeometry antennas, pulsing LED, PointLight | Static scene element |
| Room | GridHelper floor, BoxGeometry wireframe boundary, reflective MeshStandardMaterial floor, furniture (table, bed) | Static scene element |
### HUD Overlay
Glass-morphism HTML panels overlaid on the 3D canvas:
- **Left panel (Vital Signs):** Heart rate (BPM), respiration (RPM), confidence (%) with animated bars
- **Right panel (WiFi Signal):** RSSI, variance, motion power, person count, 2D RSSI sparkline, presence state badge, fall alert
- **Top-right:** Data source badge (DEMO/LIVE), scenario badge, FPS counter, settings gear
- **Bottom:** Capability bar (Pose Estimation, Vital Monitoring, Presence Detection)
- **Bottom-right:** Keyboard shortcut hints
### Settings Dialog (4 Tabs)
Full customization with localStorage persistence and JSON export:
| Tab | Controls |
|-----|----------|
| **Rendering** | Bloom strength/radius/threshold, exposure, vignette, film grain, chromatic aberration |
| **Wireframe** | Bone thickness, joint size, glow intensity, particle trail, wireframe color, joint color, aura opacity |
| **Scene** | Signal field opacity, WiFi wave intensity, room brightness, floor reflection, FOV, orbit speed, grid toggle, room boundary toggle |
| **Data** | Scenario selector (auto-cycle or fixed), cycle speed, data source (demo/WebSocket), WS URL, reset camera, export settings |
### Demo-First with Live Data Path
Four auto-cycling scenarios (30s default, configurable) with 2s cosine crossfade:
| Scenario | Description |
|----------|-------------|
| `empty_room` | Low variance, no presence, flat amplitude, stable RSSI -45dBm |
| `single_breathing` | 1 person, breathing 16 BPM, HR 72 BPM, sinusoidal subcarrier modulation |
| `two_walking` | 2 persons, high motion, Doppler-like shifts, moving signal field peaks |
| `fall_event` | 2s variance spike at t=5s, then stillness, fall flag, confidence drop |
Data contract matches `SensingUpdate` struct from the Rust sensing server. Live WebSocket connection configurable in settings dialog.
### Post-Processing Pipeline
EffectComposer chain: RenderPass → UnrealBloomPass → custom VignetteShader
- **UnrealBloom:** strength 1.0, radius 0.5, threshold 0.25 (configurable)
- **VignetteShader:** warm shadow shift, edge chromatic aberration, film grain
- **Adaptive quality:** Auto-degrades when FPS < 25, restores when FPS > 55
### RuView Foundation Color Palette
| Role | Color | Hex |
|------|-------|-----|
| Background | Deep dark | `#080c14` |
| Primary wireframe | Green glow | `#00d878` |
| Warm accent | Amber | `#ffb020` |
| Signal | Blue | `#2090ff` |
| Heart / joints | Red | `#ff4060` |
| Alert | Crimson | `#ff3040` |
### Technology Choices
| Decision | Rationale |
|----------|-----------|
| Standalone page vs tab | Full-screen immersion, independent loading |
| Room-based vs abstract panels | Practical spatial context for WiFi sensing data |
| Vanilla JS + CDN, no build step | Matches existing `ui/` pattern, served as static files by Axum |
| Custom ShaderMaterial for mist | Per-particle alpha, body-shaped distribution, AdditiveBlending |
| CylinderGeometry tube bones | Visible at any zoom vs thin Line geometry |
| COCO 17-keypoint skeleton | Standard pose format, 16 bone connections |
| localStorage settings | Persistent customization without server round-trip |
| Adaptive quality | 3 levels, auto-switches based on FPS measurement |
### Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `A` | Toggle autopilot orbit |
| `D` | Cycle demo scenario |
| `F` | Toggle FPS counter |
| `S` | Open/close settings |
| `Space` | Pause/resume data |
## Files
| File | Purpose |
|------|---------|
| `ui/observatory.html` | Full-screen entry point with HUD overlay + settings dialog |
| `ui/observatory/js/main.js` | Scene orchestrator (~1,100 lines): room, wireframe, mist, trails, settings, HUD, animation loop |
| `ui/observatory/js/demo-data.js` | 4 scenarios with cosine crossfade, setScenario/setCycleDuration API |
| `ui/observatory/js/nebula-background.js` | Procedural fBM nebula + star field background sphere |
| `ui/observatory/js/post-processing.js` | EffectComposer: UnrealBloom + VignetteShader (chromatic, grain, warmth) |
| `ui/observatory/css/observatory.css` | Foundation color scheme, glass-morphism panels, settings dialog, responsive |
| `ui/index.html` | Modified: added Observatory nav link |
## Consequences
### Positive
- Standalone page does not affect existing dashboard stability
- Demo-first allows offline presentations without hardware
- Same `SensingUpdate` contract enables seamless live WebSocket switch
- Room-based visualization provides intuitive spatial context for WiFi sensing
- Dot-matrix mist gives visual body mass without occluding wireframe
- Full settings customization without code changes (localStorage + JSON export)
- Adaptive quality ensures usability on weaker hardware
- ~20 draw calls keeps performance well within budget
### Negative
- Additional static files served by Axum (minimal overhead)
- Three.js r160 loaded from CDN (no build step, matches existing pattern)
- Settings persistence is per-browser (localStorage, not synced)
### Risks
- CDN dependency for Three.js (mitigated: can vendor locally if needed)
- Post-processing may not work on very old GPUs (mitigated: adaptive quality disables bloom)
## References
- ADR-045: AMOLED display support
- ADR-046: Android TV / Armbian deployment
- Existing `ui/components/scene.js` — Three.js scene pattern
- Existing `ui/components/gaussian-splats.js` — ShaderMaterial pattern
- Existing `ui/services/sensing.service.js` — WebSocket data contract
api-docs/adr/ADR-048-adaptive-csi-classifier.md
+140
View File
@@ -0,0 +1,140 @@
# ADR-048: Adaptive CSI Activity Classifier
| Field | Value |
|-------|-------|
| Status | Accepted |
| Date | 2026-03-05 |
| Deciders | ruv |
| Depends on | ADR-024 (AETHER Embeddings), ADR-039 (Edge Processing), ADR-045 (AMOLED Display) |
## Context
WiFi-based activity classification using ESP32 Channel State Information (CSI) relies on hand-tuned thresholds to distinguish between activity states (absent, present_still, present_moving, active). These static thresholds are brittle — they don't account for:
- **Environment-specific signal patterns**: Room geometry, furniture, wall materials, and ESP32 placement all affect how CSI signals respond to human activity.
- **Temporal noise characteristics**: Real ESP32 CSI data at ~10 FPS has significant frame-to-frame jitter that causes classification to jump between states.
- **Vital signs estimation noise**: Heart rate and breathing rate estimates from Goertzel filter banks produce large swings (50+ BPM frame-to-frame) at low confidence levels.
The existing threshold-based approach produces noisy, unstable classifications that degrade the user experience in the Observatory visualization and the main dashboard.
## Decision
### 1. Three-Stage Signal Smoothing Pipeline
All CSI-derived metrics pass through a three-stage pipeline before reaching the UI:
#### Stage 1: Adaptive Baseline Subtraction
- EMA with α=0.003 (~30s time constant) tracks the "quiet room" noise floor
- Only updates during low-motion periods to avoid inflating baseline during activity
- 50-frame warm-up period for initial baseline learning
- Subtracts 70% of baseline from raw motion score to remove environmental drift
#### Stage 2: EMA + Median Filtering
- **Motion score**: Blended from 4 signals (temporal diff 40%, variance 20%, motion band power 25%, change points 15%), then EMA-smoothed with α=0.15
- **Vital signs**: 21-frame sliding window → trimmed mean (drop top/bottom 25%) → EMA with α=0.02 (~5s time constant)
- **Dead-band**: HR won't update unless trimmed mean differs by >2 BPM; BR needs >0.5 BPM
- **Outlier rejection**: HR jumps >8 BPM/frame and BR jumps >2 BPM/frame are discarded
#### Stage 3: Hysteresis Debounce
- Activity state transitions require 4 consecutive frames (~0.4s) of agreement before committing
- Prevents rapid flickering between states
- Independent candidate tracking resets on new direction changes
### 2. Adaptive Classifier Module (`adaptive_classifier.rs`)
A Rust-native environment-tuned classifier that learns from labeled JSONL recordings:
#### Feature Extraction (15 features)
| # | Feature | Source | Discriminative Power |
|---|---------|--------|---------------------|
| 0 | variance | Server | Medium — temporal CSI spread |
| 1 | motion_band_power | Server | Medium — high-frequency subcarrier energy |
| 2 | breathing_band_power | Server | Low — respiratory band energy |
| 3 | spectral_power | Server | Low — mean squared amplitude |
| 4 | dominant_freq_hz | Server | Low — peak subcarrier index |
| 5 | change_points | Server | Medium — threshold crossing count |
| 6 | mean_rssi | Server | Low — received signal strength |
| 7 | amp_mean | Subcarrier | Medium — mean amplitude across 56 subcarriers |
| 8 | amp_std | Subcarrier | **High** — amplitude spread (motion increases spread) |
| 9 | amp_skew | Subcarrier | Medium — asymmetry of amplitude distribution |
| 10 | amp_kurt | Subcarrier | **High** — peakedness (presence creates peaks) |
| 11 | amp_iqr | Subcarrier | Medium — inter-quartile range |
| 12 | amp_entropy | Subcarrier | **High** — spectral entropy (motion increases disorder) |
| 13 | amp_max | Subcarrier | Medium — peak amplitude value |
| 14 | amp_range | Subcarrier | Medium — amplitude dynamic range |
#### Training Algorithm
- **Multiclass logistic regression** with softmax output
- **Mini-batch SGD** (batch size 32, 200 epochs, linear learning rate decay)
- **Z-score normalisation** using global mean/stddev computed from all training data
- Per-class statistics (mean, stddev) stored for Mahalanobis distance fallback
- Deterministic shuffling (LCG PRNG, seed 42) for reproducible results
#### Training Data Pipeline
1. Record labeled CSI sessions via `POST /api/v1/recording/start {"id":"train_<label>"}`
2. Filename-based label assignment: `*empty*`→absent, `*still*`→present_still, `*walking*`→present_moving, `*active*`→active
3. Train via `POST /api/v1/adaptive/train`
4. Model saved to `data/adaptive_model.json`, auto-loaded on server restart
#### Inference Pipeline
1. Extract 15-feature vector from current CSI frame
2. Z-score normalise using stored global mean/stddev
3. Compute softmax probabilities across 4 classes
4. Blend adaptive model confidence (70%) with smoothed threshold confidence (30%)
5. Override classification only when adaptive model is loaded
### 3. API Endpoints
| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/v1/adaptive/train` | Train classifier from `train_*` recordings |
| GET | `/api/v1/adaptive/status` | Check model status, accuracy, class stats |
| POST | `/api/v1/adaptive/unload` | Revert to threshold-based classification |
| POST | `/api/v1/recording/start` | Start recording CSI frames (JSONL) |
| POST | `/api/v1/recording/stop` | Stop recording |
| GET | `/api/v1/recording/list` | List available recordings |
### 4. Vital Signs Smoothing
| Parameter | Value | Rationale |
|-----------|-------|-----------|
| Median window | 21 frames | ~2s of history, robust to transients |
| Aggregation | Trimmed mean (middle 50%) | More stable than pure median, less noisy than raw mean |
| EMA alpha | 0.02 | ~5s time constant — readings change very slowly |
| HR dead-band | ±2 BPM | Prevents display creep from micro-fluctuations |
| BR dead-band | ±0.5 BPM | Same for breathing rate |
| HR max jump | 8 BPM/frame | Outlier rejection threshold |
| BR max jump | 2 BPM/frame | Outlier rejection threshold |
## Consequences
### Benefits
- **Stable UI**: Vital signs readings hold steady for 5-10+ seconds instead of jumping every frame
- **Environment adaptation**: Classifier learns the specific room's signal characteristics
- **Graceful fallback**: If no adaptive model is loaded, threshold-based classification with smoothing still works
- **No external dependencies**: Pure Rust implementation, no Python/ML frameworks needed
- **Fast training**: 3,000+ frames train in <1 second on commodity hardware
- **Portable model**: JSON serialisation, loadable on any platform
### Limitations
- **Single-link**: With one ESP32, the feature space is limited. Multi-AP setups (ADR-029) would dramatically improve separability.
- **No temporal features**: Current frame-level classification doesn't use sequence models (LSTM/Transformer). Could be added later.
- **Label quality**: Training accuracy depends heavily on recording quality (distinct activities, actual room vacancy for "empty").
- **Linear classifier**: Logistic regression may underfit non-linear decision boundaries. Could upgrade to 2-layer MLP if needed.
### Future Work
- **Online learning**: Continuously update model weights from user corrections
- **Sequence models**: Use sliding window of N frames as input for temporal pattern recognition
- **Contrastive pretraining**: Leverage ADR-024 AETHER embeddings for self-supervised feature learning
- **Multi-AP fusion**: Use ADR-029 multistatic sensing for richer feature space
- **Edge deployment**: Export learned thresholds to ESP32 firmware (ADR-039 Tier 2) for on-device classification
## Files
| File | Purpose |
|------|---------|
| `crates/wifi-densepose-sensing-server/src/adaptive_classifier.rs` | Adaptive classifier module (feature extraction, training, inference) |
| `crates/wifi-densepose-sensing-server/src/main.rs` | Smoothing pipeline, API endpoints, integration |
| `ui/observatory/js/hud-controller.js` | UI-side lerp smoothing (4% per frame) |
| `data/adaptive_model.json` | Trained model (auto-created by training endpoint) |
| `data/recordings/train_*.jsonl` | Labeled training recordings |
api-docs/adr/ADR-049-cross-platform-wifi-interface-detection.md
+122
View File
@@ -0,0 +1,122 @@
# ADR-049: Cross-Platform WiFi Interface Detection and Graceful Degradation
| Field | Value |
|-------|-------|
| Status | Proposed |
| Date | 2026-03-06 |
| Deciders | ruv |
| Depends on | ADR-013 (Feature-Level Sensing), ADR-025 (macOS CoreWLAN) |
| Issue | [#148](https://github.com/ruvnet/wifi-densepose/issues/148) |
## Context
Users report `RuntimeError: Cannot read /proc/net/wireless` when running WiFi DensePose in environments where the Linux wireless proc filesystem is unavailable:
- **Docker containers** on macOS/Windows (Linux kernel detected, but no wireless subsystem)
- **WSL2** without USB WiFi passthrough
- **Headless Linux servers** without WiFi hardware
- **Embedded Linux** boards without wireless-extensions support
The current architecture has two layers of defense:
1. **`ws_server.py`** (line 345-355) checks `os.path.exists("/proc/net/wireless")` before instantiating `LinuxWifiCollector` and falls back to `SimulatedCollector` if missing.
2. **`rssi_collector.py`** `LinuxWifiCollector._validate_interface()` (line 178-196) raises a hard `RuntimeError` if `/proc/net/wireless` is missing or the interface isn't listed.
However, there are gaps:
- **Direct usage**: Any code that instantiates `LinuxWifiCollector` directly (outside `ws_server.py`) hits the unguarded `RuntimeError` with no fallback.
- **Error message**: The RuntimeError message tells users to "use SimulatedCollector instead" but doesn't explain how.
- **No auto-detection**: The collector selection logic is duplicated between `ws_server.py` and `install.sh` with no shared platform-detection utility.
- **Partial `/proc/net/wireless`**: The file may exist (e.g., kernel module loaded) but contain no interfaces, producing a confusing "interface not found" error instead of a clean fallback.
## Decision
### 1. Platform-Aware Collector Factory
Introduce a `create_collector()` factory function in `rssi_collector.py` that encapsulates the platform detection and fallback chain:
```python
def create_collector(
preferred: str = "auto",
interface: str = "wlan0",
sample_rate_hz: float = 10.0,
) -> BaseCollector:
"""
Create the best available WiFi collector for the current platform.
Resolution order (when preferred="auto"):
1. ESP32 CSI (if UDP port 5005 is receiving frames)
2. Platform-native WiFi:
- Linux: LinuxWifiCollector (requires /proc/net/wireless + active interface)
- Windows: WindowsWifiCollector (netsh wlan)
- macOS: MacosWifiCollector (CoreWLAN)
3. SimulatedCollector (always available)
Raises nothing — always returns a usable collector.
"""
```
### 2. Soft Validation in LinuxWifiCollector
Replace the hard `RuntimeError` in `_validate_interface()` with a class method that returns availability status without raising:
```python
@classmethod
def is_available(cls, interface: str = "wlan0") -> tuple[bool, str]:
"""Check if Linux WiFi collection is possible. Returns (available, reason)."""
if not os.path.exists("/proc/net/wireless"):
return False, "/proc/net/wireless not found (Docker, WSL, or no wireless subsystem)"
with open("/proc/net/wireless") as f:
content = f.read()
if interface not in content:
names = cls._parse_interface_names(content)
return False, f"Interface '{interface}' not in /proc/net/wireless. Available: {names}"
return True, "ok"
```
The existing `_validate_interface()` continues to raise `RuntimeError` for direct callers who need fail-fast behavior, but `create_collector()` uses `is_available()` to probe without exceptions.
### 3. Structured Fallback Logging
When auto-detection skips a collector, log at `WARNING` level with actionable context:
```
WiFi collector: LinuxWifiCollector unavailable (/proc/net/wireless not found — likely Docker/WSL).
WiFi collector: Falling back to SimulatedCollector. For real sensing, connect ESP32 nodes via UDP:5005.
```
### 4. Consolidate Platform Detection
Remove duplicated platform-detection logic from `ws_server.py` and `install.sh`. Both should use `create_collector()` (Python) or a shared `detect_wifi_platform()` shell function.
## Consequences
### Positive
- **Zero-crash startup**: `create_collector("auto")` never raises — Docker, WSL, and headless users get `SimulatedCollector` automatically with a clear log message.
- **Single detection path**: Platform logic lives in one place (`rssi_collector.py`), reducing drift between `ws_server.py`, `install.sh`, and future entry points.
- **Better DX**: Error messages explain *why* a collector is unavailable and *what to do* (connect ESP32, install WiFi driver, etc.).
### Negative
- **SimulatedCollector may mask hardware issues**: Users with real WiFi hardware that fails detection might unknowingly run on simulated data. Mitigated by the `WARNING`-level log.
- **Breaking change for direct `LinuxWifiCollector` callers**: Code that catches `RuntimeError` from `_validate_interface()` as a signal needs to migrate to `is_available()` or `create_collector()`. This is a minor change — there are no known external consumers.
### Neutral
- `_validate_interface()` behavior is unchanged for existing direct callers — this is additive.
## Implementation Notes
1. Add `create_collector()` and `BaseCollector.is_available()` to `archive/v1/src/sensing/rssi_collector.py`
2. Refactor `ws_server.py` `_init_collector()` to call `create_collector()`
3. Update `install.sh` `detect_wifi_hardware()` to use shared detection logic
4. Add unit tests for each platform path (mock `/proc/net/wireless` presence/absence)
5. Comment on issue #148 with the fix
## References
- Issue #148: RuntimeError: Cannot read /proc/net/wireless
- ADR-013: Feature-Level Sensing on Commodity Gear
- ADR-025: macOS CoreWLAN WiFi Sensing
- [Linux /proc/net/wireless documentation](https://www.kernel.org/doc/html/latest/networking/statistics.html)
api-docs/adr/ADR-050-provisioning-tool-enhancements.md
+214
View File
@@ -0,0 +1,214 @@
# ADR-050: Provisioning Tool Enhancements
**Status**: Proposed
**Date**: 2026-03-03
**Deciders**: @ruvnet
**Supersedes**: None
**Related**: ADR-029, ADR-032, ADR-039, ADR-040
---
## Context
The ESP32-S3 CSI node provisioning script (`firmware/esp32-csi-node/provision.py`) is the primary tool for configuring pre-built firmware binaries without recompiling. It writes NVS key-value pairs that the firmware reads at boot.
After #131 added TDM and edge intelligence flags, the script now covers the most-requested NVS keys. However, there remain gaps between what the firmware reads from NVS (`nvs_config.c`, 20 keys) and what the provisioning script can write (13 keys). Additionally, the script lacks usability features that would help field operators deploying multi-node meshes.
### Gap 1: Missing NVS Keys (7 keys)
The firmware reads these NVS keys at boot but the provisioning script has no corresponding CLI flags:
| NVS Key | Type | Firmware Default | Purpose |
|---------|------|-----------------|---------|
| `hop_count` | u8 | 1 (no hop) | Number of channels to hop through |
| `chan_list` | blob (u8[6]) | {1,6,11} | Channel numbers for hopping sequence |
| `dwell_ms` | u32 | 100 | Time to dwell on each channel before hopping (ms) |
| `power_duty` | u8 | 100 | Power duty cycle percentage (10-100%) for battery life |
| `wasm_max` | u8 | 4 | Max concurrent WASM modules (ADR-040) |
| `wasm_verify` | u8 | 0 | Require Ed25519 signature for WASM uploads (0/1) |
| `wasm_pubkey` | blob (32B) | zeros | Ed25519 public key for WASM signature verification |
### Gap 2: No Read-Back
There is no way to read the current NVS configuration from a device. Field operators must remember what was provisioned or reflash everything. This is especially problematic for multi-node meshes where each node has different TDM slots.
### Gap 3: No Verification
After flashing, there is no automated check that the device booted successfully with the new configuration. Operators must manually run a serial monitor and inspect logs.
### Gap 4: No Config File Support
Provisioning a 6-node mesh requires running the script 6 times with largely overlapping flags (same SSID, password, target IP) and only TDM slot varying. There is no way to define a mesh configuration in a file.
### Gap 5: No Presets
Common deployment scenarios (single-node basic, 3-node mesh, 6-node mesh with vitals) require operators to know which flags to combine. Named presets would lower the barrier to entry.
### Gap 6: No Auto-Detect
The `--port` flag is required even though the script could auto-detect connected ESP32-S3 devices via `esptool.py`.
---
## Decision
Enhance `provision.py` with the following capabilities, implemented incrementally.
### Phase 1: Complete NVS Coverage
Add flags for all remaining firmware NVS keys:
```
--hop-count N Channel hop count (1=no hop, default: 1)
--channels 1,6,11 Comma-separated channel list for hopping
--dwell-ms N Dwell time per channel in ms (default: 100)
--power-duty N Power duty cycle 10-100% (default: 100)
--wasm-max N Max concurrent WASM modules 1-8 (default: 4)
--wasm-verify Require Ed25519 signature for WASM uploads
--wasm-pubkey FILE Path to Ed25519 public key file (32 bytes raw or PEM)
```
Validation:
- `--channels` length must match `--hop-count`
- `--power-duty` clamped to 10-100
- `--wasm-pubkey` implies `--wasm-verify`
### Phase 2: Config File and Mesh Provisioning
Add `--config FILE` to load settings from a JSON or TOML file:
```json
{
"common": {
"ssid": "SensorNet",
"password": "secret",
"target_ip": "192.168.1.20",
"target_port": 5005,
"edge_tier": 2
},
"nodes": [
{ "port": "COM7", "node_id": 0, "tdm_slot": 0 },
{ "port": "COM8", "node_id": 1, "tdm_slot": 1 },
{ "port": "COM9", "node_id": 2, "tdm_slot": 2 }
]
}
```
`--config mesh.json` provisions all listed nodes in sequence, computing `tdm_total` automatically from the `nodes` array length.
### Phase 3: Presets
Add `--preset NAME` for common deployment profiles:
| Preset | What It Sets |
|--------|-------------|
| `basic` | Single node, edge_tier=0, no TDM, no hopping |
| `vitals` | Single node, edge_tier=2, vital_int=1000, subk_count=32 |
| `mesh-3` | 3-node TDM, edge_tier=1, hop_count=3, channels=1,6,11 |
| `mesh-6-vitals` | 6-node TDM, edge_tier=2, hop_count=3, channels=1,6,11, vital_int=500 |
Presets set defaults that can be overridden by explicit flags.
### Phase 4: Read-Back and Verify
Add `--read` to dump the current NVS configuration from a connected device:
```bash
python provision.py --port COM7 --read
# Output:
# ssid: SensorNet
# target_ip: 192.168.1.20
# tdm_slot: 0
# tdm_nodes: 3
# edge_tier: 2
# ...
```
Implementation: use `esptool.py read_flash` to read the NVS partition, then parse the NVS binary format to extract key-value pairs.
Add `--verify` to provision and then confirm the device booted:
```bash
python provision.py --port COM7 --ssid "Net" --password "pass" --target-ip 192.168.1.20 --verify
# After flash, opens serial monitor for 5 seconds
# Checks for "CSI streaming active" log line
# Reports PASS or FAIL
```
### Phase 5: Auto-Detect Port
When `--port` is omitted, scan for connected ESP32-S3 devices:
```bash
python provision.py --ssid "Net" --password "pass" --target-ip 192.168.1.20
# Auto-detected ESP32-S3 on COM7 (Silicon Labs CP210x)
# Proceed? [Y/n]
```
Implementation: use `esptool.py` or `serial.tools.list_ports` to enumerate ports.
---
## Rationale
### Why incremental phases?
Phase 1 is a small diff that closes the NVS coverage gap immediately. Phases 2-5 add progressively more UX polish. Each phase is independently useful and can be shipped separately.
### Why JSON config over YAML/TOML?
JSON requires no additional Python dependencies (stdlib `json` module). TOML requires `tomllib` (Python 3.11+) or `tomli`. JSON is sufficient for this use case.
### Why not a GUI?
The target users are embedded developers and field operators who are already running `esptool` from the command line. A TUI/GUI would add dependencies and complexity for minimal benefit.
---
## Consequences
### Positive
- **Complete NVS coverage**: Every firmware-readable key can be set from the provisioning tool
- **Mesh provisioning in one command**: `--config mesh.json` replaces 6 separate invocations
- **Lower barrier to entry**: Presets eliminate the need to know which flags to combine
- **Auditability**: `--read` lets operators inspect and verify deployed configurations
- **Fewer mis-provisions**: `--verify` catches flashing failures before the operator walks away
### Negative
- **NVS binary parsing** (Phase 4) requires understanding the ESP-IDF NVS binary format, which is not officially documented as a stable API
- **Auto-detect** (Phase 5) may produce false positives if other ESP32 variants are connected
### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| NVS binary format changes in ESP-IDF v6 | Low | Medium | Pin to known ESP-IDF NVS page format; add format version check |
| `--verify` serial parsing is fragile | Medium | Low | Match on stable log tag `[CSI_MAIN]`; timeout after 10s |
| Config file credentials in plaintext | Medium | Medium | Document that config files should not be committed; add `.gitignore` pattern |
---
## Implementation Priority
| Phase | Effort | Impact | Priority |
|-------|--------|--------|----------|
| Phase 1: Complete NVS coverage | Small (1 file, ~50 lines) | High — closes feature gap | P0 |
| Phase 2: Config file + mesh | Medium (~100 lines) | High — biggest UX win | P1 |
| Phase 3: Presets | Small (~40 lines) | Medium — convenience | P2 |
| Phase 4: Read-back + verify | Medium (~150 lines) | Medium — debugging aid | P2 |
| Phase 5: Auto-detect | Small (~30 lines) | Low — minor convenience | P3 |
---
## References
- `firmware/esp32-csi-node/main/nvs_config.h` — NVS config struct (20 fields)
- `firmware/esp32-csi-node/main/nvs_config.c` — NVS read logic (20 keys)
- `firmware/esp32-csi-node/provision.py` — Current provisioning script (13 of 20 keys)
- ADR-029: RuvSense multistatic sensing mode (TDM, channel hopping)
- ADR-032: Multistatic mesh security hardening (mesh keys)
- ADR-039: ESP32-S3 edge intelligence (edge tiers, vitals)
- ADR-040: WASM programmable sensing (WASM modules, signature verification)
- Issue #130: Provisioning script doesn't support TDM
api-docs/adr/ADR-050-quality-engineering-security-hardening.md
+100
View File
@@ -0,0 +1,100 @@
# ADR-050: Quality Engineering Response — Security Hardening & Code Quality
| Field | Value |
|-------|-------|
| Status | Accepted |
| Date | 2026-03-06 |
| Deciders | ruv |
| Depends on | ADR-032 (Multistatic Mesh Security) |
| Issue | [#170](https://github.com/ruvnet/wifi-densepose/issues/170) |
## Context
An independent quality engineering analysis ([issue #170](https://github.com/ruvnet/wifi-densepose/issues/170)) identified 7 critical findings across the Rust codebase. After verification against the source code, the following findings are confirmed and require action:
### Confirmed Critical Findings
| # | Finding | Location | Verified |
|---|---------|----------|----------|
| 1 | Fake HMAC in `secure_tdm.rs` — XOR fold with hardcoded key | `hardware/src/esp32/secure_tdm.rs:253` | YES — comments say "sufficient for testing" |
| 2 | `sensing-server/main.rs` is 3,741 lines — CC=65, god object | `sensing-server/src/main.rs` | YES — confirmed 3,741 lines |
| 3 | WebSocket server has zero authentication | Rust WS codebase | YES — no auth/token checks found |
| 4 | Zero security tests in Rust codebase | Entire workspace | YES — no auth/injection/tampering tests |
| 5 | 54K fps claim has no supporting benchmark | No criterion benchmarks | YES — no benchmarks exist |
### Findings Requiring Further Investigation
| # | Finding | Status |
|---|---------|--------|
| 6 | Unauthenticated OTA firmware endpoint | Not found in Rust code — may be ESP32 C firmware level |
| 7 | WASM upload without mandatory signatures | Needs review of WASM loader |
| 8 | O(n^2) autocorrelation in heart rate detection | Needs profiling to confirm impact |
## Decision
Address findings in 3 priority sprints as recommended by the report.
### Sprint 1: Security (Blocks Deployment)
1. **Replace fake HMAC with real HMAC-SHA256** in `secure_tdm.rs`
- Use the `hmac` + `sha2` crates (already in `Cargo.lock`)
- Remove XOR fold implementation
- Add key derivation (no more hardcoded keys)
2. **Add WebSocket authentication**
- Token-based auth on WS upgrade handshake
- Optional API key for local-network deployments
- Configurable via environment variable
3. **Add security test suite**
- Auth bypass attempts
- Malformed CSI frame injection
- Protocol tampering (TDM beacon replay, nonce reuse)
### Sprint 2: Code Quality & Testability
4. **Decompose `main.rs`** (3,741 lines -> ~14 focused modules)
- Extract HTTP routes, WebSocket handler, CSI pipeline, config, state
- Target: no file over 500 lines
5. **Add criterion benchmarks**
- CSI frame parsing throughput
- Signal processing pipeline latency
- WebSocket broadcast fanout
### Sprint 3: Functional Verification
6. **Vital sign accuracy verification**
- Reference signal tests with known BPM
- False-negative rate measurement
7. **Fix O(n^2) autocorrelation** (if confirmed by profiling)
- Replace brute-force lag with FFT-based autocorrelation
## Consequences
### Positive
- Addresses all critical security findings before any production deployment
- `main.rs` decomposition enables unit testing of server components
- Criterion benchmarks provide verifiable performance claims
- Security test suite prevents regression
### Negative
- Sprint 1 security changes are breaking for any existing TDM mesh deployments (fake HMAC -> real HMAC requires firmware update)
- `main.rs` decomposition is a large refactor with merge conflict risk
### Neutral
- The report correctly identifies that life-safety claims (disaster detection, vital signs) require rigorous verification — this is an ongoing process, not a single sprint
## Acknowledgment
Thanks to [@proffesor-for-testing](https://github.com/proffesor-for-testing) for the thorough 10-report analysis. The full report is archived at the [original gist](https://gist.github.com/proffesor-for-testing/02321e3f272720aa94484fffec6ab19b).
## References
- Issue #170: Quality Engineering Analysis
- ADR-032: Multistatic Mesh Security Hardening
- ADR-028: ESP32 Capability Audit
api-docs/adr/ADR-052-ddd-bounded-contexts.md
+621
View File
@@ -0,0 +1,621 @@
# ADR-052 Appendix: DDD Bounded Contexts — Tauri Desktop Frontend
This document maps out the domain model for the RuView Tauri desktop application
described in ADR-052. It defines bounded contexts, their aggregates, entities,
value objects, and the domain events flowing between them.
## Context Map
```
+-------------------+ +---------------------+ +--------------------+
| | | | | |
| Device Discovery |------>| Firmware Management |------>| Configuration / |
| | | | | Provisioning |
+-------------------+ +---------------------+ +--------------------+
| | |
| | |
v v v
+-------------------+ +---------------------+ +--------------------+
| | | | | |
| Sensing Pipeline |<------| Edge Module | | Visualization |
| | | (WASM) | | |
+-------------------+ +---------------------+ +--------------------+
Relationship types:
-----> Upstream/Downstream (upstream publishes events, downstream consumes)
<----- Conformist (downstream conforms to upstream's model)
```
---
## 1. Device Discovery Context
**Purpose**: Find, identify, and monitor ESP32 CSI nodes on the local network.
**Upstream of**: Firmware Management, Configuration, Sensing Pipeline, Visualization
### Aggregates
#### `NodeRegistry` (Aggregate Root)
Maintains the authoritative list of all known nodes. Merges discovery results
from multiple strategies (mDNS, UDP probe, HTTP sweep) and deduplicates by MAC
address.
| Field | Type | Description |
|-------|------|-------------|
| `nodes` | `Map<MacAddress, Node>` | All discovered nodes keyed by MAC |
| `scan_state` | `ScanState` | Idle, Scanning, Error |
| `last_scan` | `DateTime<Utc>` | Timestamp of last completed scan |
**Invariant**: No two nodes may share the same MAC address. If a node is
discovered via multiple strategies, the most recent data wins.
**Persistence**: The registry is persisted to `~/.ruview/nodes.db` (SQLite via
`rusqlite`). On startup, all previously known nodes are loaded as `Offline` and
reconciled against a fresh discovery scan. This means the app **remembers the
mesh** across restarts — critical for field deployments where nodes may be
temporarily powered off.
#### `Node` (Entity)
| Field | Type | Description |
|-------|------|-------------|
| `mac` | `MacAddress` (VO) | IEEE 802.11 MAC address (unique identity) |
| `ip` | `IpAddr` | Current IP address (may change on DHCP renewal) |
| `hostname` | `Option<String>` | mDNS hostname |
| `node_id` | `u8` | NVS-provisioned node ID |
| `firmware_version` | `Option<SemVer>` | Firmware version string |
| `health` | `HealthStatus` (VO) | Online / Offline / Degraded |
| `discovery_method` | `DiscoveryMethod` (VO) | How this node was found |
| `last_seen` | `DateTime<Utc>` | Last successful contact |
| `tdm_config` | `Option<TdmConfig>` (VO) | TDM slot assignment |
| `edge_tier` | `Option<u8>` | Edge processing tier (0/1/2) |
### Value Objects
- `MacAddress` — 6-byte hardware address, formatted as `AA:BB:CC:DD:EE:FF`
- `HealthStatus` — enum: `Online`, `Offline`, `Degraded(reason: String)`
- `DiscoveryMethod` — enum: `Mdns`, `UdpProbe`, `HttpSweep`, `Manual`
- `TdmConfig``{ slot_index: u8, total_nodes: u8 }`
- `SemVer` — semantic version `major.minor.patch`
### Domain Events
| Event | Payload | Consumers |
|-------|---------|-----------|
| `NodeDiscovered` | `{ node: Node }` | Firmware Mgmt (check for updates), Visualization (add to mesh graph) |
| `NodeWentOffline` | `{ mac: MacAddress, last_seen: DateTime }` | Visualization (gray out node), Sensing Pipeline (remove from active set) |
| `NodeCameOnline` | `{ node: Node }` | Visualization (restore node), Sensing Pipeline (re-add) |
| `NodeHealthChanged` | `{ mac: MacAddress, old: HealthStatus, new: HealthStatus }` | Visualization (update indicator) |
| `ScanCompleted` | `{ found: usize, new: usize, lost: usize }` | Dashboard (update summary) |
### Anti-Corruption Layer
When receiving data from the ESP32 OTA status endpoint (`GET /ota/status`), the
response format is owned by the firmware and may change across firmware versions.
The ACL translates the raw JSON response into `Node` entity fields:
```rust
/// ACL: Translate ESP32 OTA status response to Node fields.
fn translate_ota_status(raw: &serde_json::Value) -> Result<NodePatch, AclError> {
NodePatch {
firmware_version: raw["version"].as_str().map(SemVer::parse).transpose()?,
uptime_secs: raw["uptime_s"].as_u64(),
free_heap: raw["free_heap"].as_u64(),
// Firmware may add fields in future versions — unknown fields are ignored
}
}
```
---
## 2. Firmware Management Context
**Purpose**: Flash, update, and verify firmware on ESP32 nodes.
**Upstream of**: Configuration (a fresh flash triggers provisioning)
**Downstream of**: Device Discovery (needs node list and serial port info)
### Aggregates
#### `FlashSession` (Aggregate Root)
Represents a single firmware flashing operation from start to completion. Each
session has a lifecycle: Created -> Connecting -> Erasing -> Writing -> Verifying ->
Completed | Failed.
| Field | Type | Description |
|-------|------|-------------|
| `id` | `Uuid` | Session identifier |
| `port` | `SerialPort` (VO) | Target serial port |
| `firmware` | `FirmwareBinary` (Entity) | The binary being flashed |
| `chip` | `ChipType` (VO) | Target chip (ESP32, ESP32-S3, ESP32-C3) |
| `phase` | `FlashPhase` (VO) | Current phase of the flash operation |
| `progress` | `Progress` (VO) | Bytes written / total, speed |
| `started_at` | `DateTime<Utc>` | When the session started |
| `error` | `Option<String>` | Error message if failed |
**Invariant**: Only one `FlashSession` may be active per serial port at a time.
#### `FirmwareBinary` (Entity)
| Field | Type | Description |
|-------|------|-------------|
| `path` | `PathBuf` | Filesystem path to the `.bin` file |
| `size_bytes` | `u64` | Binary size |
| `version` | `Option<SemVer>` | Extracted from ESP32 image header |
| `chip_type` | `Option<ChipType>` | Detected from image magic bytes |
| `checksum` | `Sha256Hash` (VO) | SHA-256 of the binary |
#### `OtaSession` (Aggregate Root)
Represents an over-the-air firmware update to a running node.
| Field | Type | Description |
|-------|------|-------------|
| `id` | `Uuid` | Session identifier |
| `target_node` | `MacAddress` | Target node MAC |
| `target_ip` | `IpAddr` | Target node IP |
| `firmware` | `FirmwareBinary` | The binary being pushed |
| `psk` | `Option<SecureString>` | PSK for authentication (ADR-050) |
| `phase` | `OtaPhase` | Uploading / Rebooting / Verifying / Done / Failed |
| `progress` | `Progress` | Upload progress |
#### `BatchOtaSession` (Aggregate Root)
Coordinates rolling firmware updates across multiple mesh nodes. Prevents all
nodes from rebooting simultaneously, which would collapse the sensing network.
| Field | Type | Description |
|-------|------|-------------|
| `id` | `Uuid` | Batch session identifier |
| `firmware` | `FirmwareBinary` | The binary being deployed |
| `strategy` | `OtaStrategy` | `Sequential`, `TdmSafe`, `Parallel` |
| `max_concurrent` | `usize` | Max nodes updating at once |
| `batch_delay_secs` | `u64` | Delay between batches |
| `fail_fast` | `bool` | Abort remaining on first failure |
| `node_states` | `Map<MacAddress, BatchNodeState>` | Per-node progress |
**Invariant**: In `TdmSafe` mode, adjacent TDM slots are never updated
concurrently. Even-slot nodes update first, then odd-slot nodes.
**Lifecycle**: `Planning → InProgress → Completed | PartialFailure | Aborted`
- `BatchNodeState` — enum: `Queued`, `Uploading(Progress)`, `Rebooting`, `Verifying`, `Done`, `Failed(String)`, `Skipped`
- `OtaStrategy` — enum:
- `Sequential` — one node at a time, wait for rejoin
- `TdmSafe` — update non-adjacent slots to maintain sensing coverage
- `Parallel` — all at once (development only)
### Value Objects
- `SerialPort``{ name: String, vid: u16, pid: u16, manufacturer: Option<String> }`
- `ChipType` — enum: `Esp32`, `Esp32s3`, `Esp32c3`
- `FlashPhase` — enum: `Connecting`, `Erasing`, `Writing`, `Verifying`, `Completed`, `Failed`
- `OtaPhase` — enum: `Uploading`, `Rebooting`, `Verifying`, `Completed`, `Failed`
- `Progress``{ bytes_done: u64, bytes_total: u64, speed_bps: u64 }`
- `Sha256Hash` — 32-byte hash
- `SecureString` — zeroized-on-drop string for PSK tokens
### Domain Events
| Event | Payload | Consumers |
|-------|---------|-----------|
| `FlashStarted` | `{ session_id, port, firmware_version }` | UI (show progress) |
| `FlashProgress` | `{ session_id, phase, progress }` | UI (update progress bar) |
| `FlashCompleted` | `{ session_id, duration_secs }` | Configuration (trigger provisioning prompt) |
| `FlashFailed` | `{ session_id, error }` | UI (show error) |
| `OtaStarted` | `{ session_id, target_mac, firmware_version }` | Discovery (mark node as updating) |
| `OtaCompleted` | `{ session_id, target_mac, new_version }` | Discovery (refresh node info) |
| `OtaFailed` | `{ session_id, target_mac, error }` | UI (show error) |
| `BatchOtaStarted` | `{ batch_id, strategy, node_count }` | UI (show batch progress) |
| `BatchNodeUpdated` | `{ batch_id, mac, state }` | UI (update per-node status), Discovery (refresh) |
| `BatchOtaCompleted` | `{ batch_id, succeeded, failed, skipped }` | UI (show summary), Discovery (full rescan) |
### Anti-Corruption Layer
The `espflash` crate has its own error types and progress reporting model. The
ACL translates these into domain events:
```rust
/// ACL: Translate espflash progress callbacks to domain FlashProgress events.
impl From<espflash::ProgressCallbackMessage> for FlashProgress {
fn from(msg: espflash::ProgressCallbackMessage) -> Self {
match msg {
espflash::ProgressCallbackMessage::Connecting => FlashProgress {
phase: FlashPhase::Connecting,
progress: Progress::indeterminate(),
},
espflash::ProgressCallbackMessage::Erasing { addr, total } => FlashProgress {
phase: FlashPhase::Erasing,
progress: Progress::new(addr as u64, total as u64),
},
// ... etc
}
}
}
```
---
## 3. Configuration / Provisioning Context
**Purpose**: Manage NVS configuration for ESP32 nodes — WiFi credentials, network
targets, TDM mesh settings, edge intelligence parameters, WASM security keys.
**Downstream of**: Device Discovery (needs serial port), Firmware Management (post-flash provisioning)
### Aggregates
#### `ProvisioningSession` (Aggregate Root)
Represents a single NVS write or read operation on a connected ESP32.
| Field | Type | Description |
|-------|------|-------------|
| `id` | `Uuid` | Session identifier |
| `port` | `SerialPort` (VO) | Target serial port |
| `config` | `NodeConfig` (Entity) | Configuration to write |
| `direction` | `Direction` | Read or Write |
| `phase` | `ProvisionPhase` | Generating / Flashing / Verifying / Done |
#### `NodeConfig` (Entity)
The full set of NVS key-value pairs for a single node. Maps directly to the
firmware's `nvs_config_t` struct (see `firmware/esp32-csi-node/main/nvs_config.h`).
| Field | Type | NVS Key | Description |
|-------|------|---------|-------------|
| `wifi_ssid` | `Option<String>` | `ssid` | WiFi SSID |
| `wifi_password` | `Option<SecureString>` | `password` | WiFi password |
| `target_ip` | `Option<IpAddr>` | `target_ip` | Aggregator IP |
| `target_port` | `Option<u16>` | `target_port` | Aggregator UDP port |
| `node_id` | `Option<u8>` | `node_id` | Node identifier |
| `tdm_slot` | `Option<u8>` | `tdm_slot` | TDM slot index |
| `tdm_total` | `Option<u8>` | `tdm_nodes` | Total TDM nodes |
| `edge_tier` | `Option<u8>` | `edge_tier` | Processing tier |
| `hop_count` | `Option<u8>` | `hop_count` | Channel hop count |
| `channel_list` | `Option<Vec<u8>>` | `chan_list` | Channel sequence |
| `dwell_ms` | `Option<u32>` | `dwell_ms` | Hop dwell time |
| `power_duty` | `Option<u8>` | `power_duty` | Power duty cycle |
| `presence_thresh` | `Option<u16>` | `pres_thresh` | Presence threshold |
| `fall_thresh` | `Option<u16>` | `fall_thresh` | Fall detection threshold |
| `vital_window` | `Option<u16>` | `vital_win` | Vital sign window |
| `vital_interval_ms` | `Option<u16>` | `vital_int` | Vital sign interval |
| `top_k_count` | `Option<u8>` | `subk_count` | Top-K subcarriers |
| `wasm_max_modules` | `Option<u8>` | `wasm_max` | Max WASM modules |
| `wasm_verify` | `Option<bool>` | `wasm_verify` | Require WASM signature |
| `wasm_pubkey` | `Option<[u8; 32]>` | `wasm_pubkey` | Ed25519 public key |
| `ota_psk` | `Option<SecureString>` | `ota_psk` | OTA pre-shared key |
**Invariant**: `tdm_slot < tdm_total` when both are set.
**Invariant**: `channel_list.len() == hop_count` when both are set.
**Invariant**: `10 <= power_duty <= 100`.
#### `MeshConfig` (Entity)
A mesh-level configuration that generates per-node `NodeConfig` instances.
Corresponds to ADR-044 Phase 2 (config file provisioning).
| Field | Type | Description |
|-------|------|-------------|
| `common` | `NodeConfig` | Shared settings (WiFi, target IP, edge tier) |
| `nodes` | `Vec<MeshNodeEntry>` | Per-node overrides (port, node_id, tdm_slot) |
```rust
pub struct MeshNodeEntry {
pub port: String,
pub node_id: u8,
pub tdm_slot: u8,
// All other fields inherited from common
}
```
**Invariant**: `tdm_total` is automatically computed as `nodes.len()`.
### Value Objects
- `ProvisionPhase` — enum: `Generating`, `Flashing`, `Verifying`, `Completed`, `Failed`
- `Direction` — enum: `Read`, `Write`
- `Preset` — enum: `Basic`, `Vitals`, `Mesh3`, `Mesh6Vitals` (ADR-044 Phase 3)
### Domain Events
| Event | Payload | Consumers |
|-------|---------|-----------|
| `NodeProvisioned` | `{ port, node_id, config_summary }` | Discovery (trigger re-scan), UI (show success) |
| `NvsReadCompleted` | `{ port, config: NodeConfig }` | UI (populate form) |
| `ProvisionFailed` | `{ port, error }` | UI (show error) |
| `MeshProvisionStarted` | `{ node_count }` | UI (show batch progress) |
| `MeshProvisionCompleted` | `{ success_count, fail_count }` | UI (show summary) |
---
## 4. Sensing Pipeline Context
**Purpose**: Control the sensing server process, receive real-time CSI data, and
manage the signal processing pipeline.
**Downstream of**: Device Discovery (needs node IPs for data attribution)
### Aggregates
#### `SensingServer` (Aggregate Root)
Represents the managed sensing server child process.
| Field | Type | Description |
|-------|------|-------------|
| `state` | `ServerState` (VO) | Stopped / Starting / Running / Stopping / Crashed |
| `config` | `ServerConfig` (VO) | Port configuration, log level, model paths |
| `pid` | `Option<u32>` | OS process ID when running |
| `started_at` | `Option<DateTime<Utc>>` | Start timestamp |
| `log_buffer` | `RingBuffer<LogEntry>` | Last N log lines |
| `ws_url` | `Option<Url>` | WebSocket URL for live data |
**Invariant**: Only one `SensingServer` process may be managed at a time.
#### `SensingSession` (Entity)
An active connection to the sensing server's WebSocket for receiving real-time data.
| Field | Type | Description |
|-------|------|-------------|
| `connection_state` | `WsState` | Connecting / Connected / Disconnected |
| `frames_received` | `u64` | Total CSI frames received this session |
| `last_frame_at` | `Option<DateTime<Utc>>` | Timestamp of last received frame |
| `subscriptions` | `HashSet<DataChannel>` | Which data streams are active |
### Value Objects
- `ServerState` — enum: `Stopped`, `Starting`, `Running`, `Stopping`, `Crashed(exit_code: i32)`
- `ServerConfig``{ http_port: u16, ws_port: u16, udp_port: u16, model_dir: PathBuf, log_level: Level }`
- `LogEntry``{ timestamp: DateTime, level: Level, target: String, message: String }`
- `DataChannel` — enum: `CsiFrames`, `PoseUpdates`, `VitalSigns`, `ActivityClassification`
- `WsState` — enum: `Connecting`, `Connected`, `Disconnected(reason: String)`
### Domain Events
| Event | Payload | Consumers |
|-------|---------|-----------|
| `ServerStarted` | `{ pid, ports: ServerConfig }` | UI (enable sensing view), Discovery (start health polling via WS) |
| `ServerStopped` | `{ exit_code, uptime_secs }` | UI (disable sensing view) |
| `ServerCrashed` | `{ exit_code, last_log_lines }` | UI (show crash report) |
| `CsiFrameReceived` | `{ node_id, timestamp, subcarrier_count }` | Visualization (update charts) |
| `PoseUpdated` | `{ persons: Vec<PersonPose> }` | Visualization (draw skeletons) |
| `VitalSignUpdate` | `{ node_id, bpm, breath_rate }` | Visualization (update vitals chart) |
| `ActivityDetected` | `{ label, confidence }` | Visualization (show activity) |
---
## 5. Edge Module (WASM) Context
**Purpose**: Upload, manage, and monitor WASM edge processing modules running
on ESP32 nodes.
**Downstream of**: Device Discovery (needs node IPs and WASM capability info)
**Upstream of**: Sensing Pipeline (WASM modules emit edge-processed events)
### Aggregates
#### `ModuleRegistry` (Aggregate Root)
Tracks all WASM modules across all nodes.
| Field | Type | Description |
|-------|------|-------------|
| `modules` | `Map<(MacAddress, ModuleId), WasmModule>` | Per-node module inventory |
#### `WasmModule` (Entity)
| Field | Type | Description |
|-------|------|-------------|
| `id` | `ModuleId` (VO) | Node-assigned module identifier |
| `name` | `String` | Filename of the uploaded `.wasm` |
| `size_bytes` | `u64` | Module size |
| `status` | `ModuleStatus` (VO) | Loaded / Running / Stopped / Error |
| `node_mac` | `MacAddress` | Which node this module runs on |
| `uploaded_at` | `DateTime<Utc>` | Upload timestamp |
| `signed` | `bool` | Whether the module has an Ed25519 signature |
### Value Objects
- `ModuleId` — string identifier assigned by the node firmware
- `ModuleStatus` — enum: `Loaded`, `Running`, `Stopped`, `Error(String)`
### Domain Events
| Event | Payload | Consumers |
|-------|---------|-----------|
| `ModuleUploaded` | `{ node_mac, module_id, name, size }` | UI (refresh list) |
| `ModuleStarted` | `{ node_mac, module_id }` | UI (update status) |
| `ModuleStopped` | `{ node_mac, module_id }` | UI (update status) |
| `ModuleUnloaded` | `{ node_mac, module_id }` | UI (remove from list) |
| `ModuleError` | `{ node_mac, module_id, error }` | UI (show error) |
### Anti-Corruption Layer
The ESP32 WASM management HTTP API (`/wasm/*` on port 8032) returns raw JSON
with firmware-specific field names. The ACL normalizes these:
```rust
/// ACL: Translate ESP32 WASM list response to domain WasmModule entities.
fn translate_wasm_list(raw: &[serde_json::Value]) -> Vec<WasmModule> {
raw.iter().filter_map(|entry| {
Some(WasmModule {
id: ModuleId(entry["id"].as_str()?.to_string()),
name: entry["name"].as_str().unwrap_or("unknown").to_string(),
size_bytes: entry["size"].as_u64().unwrap_or(0),
status: match entry["state"].as_str() {
Some("running") => ModuleStatus::Running,
Some("stopped") => ModuleStatus::Stopped,
Some("loaded") => ModuleStatus::Loaded,
other => ModuleStatus::Error(
format!("Unknown state: {:?}", other)
),
},
// ...
})
}).collect()
}
```
---
## 6. Visualization Context
**Purpose**: Render real-time and historical sensing data — CSI heatmaps, pose
skeletons, vital sign charts, mesh topology graphs.
**Downstream of**: Sensing Pipeline (receives data events), Device Discovery (needs
node metadata for labeling)
This context is **purely presentational** and contains no domain logic. It
transforms domain events from other contexts into visual representations.
### Aggregates
None — this context is a **Query Model** (CQRS read side). It subscribes to
domain events and projects them into view models.
### View Models
#### `DashboardView`
| Field | Source Context | Description |
|-------|---------------|-------------|
| `nodes` | Device Discovery | Node cards with health, version, signal quality |
| `server` | Sensing Pipeline | Server status, uptime, port info |
| `recent_activity` | All contexts | Timeline of recent events |
#### `SignalView`
| Field | Source Context | Description |
|-------|---------------|-------------|
| `csi_heatmap` | Sensing Pipeline | Subcarrier amplitude x time matrix |
| `signal_field` | Sensing Pipeline | 2D signal strength grid |
| `activity_label` | Sensing Pipeline | Current classification |
| `confidence` | Sensing Pipeline | Classification confidence |
#### `PoseView`
| Field | Source Context | Description |
|-------|---------------|-------------|
| `persons` | Sensing Pipeline | Array of detected person skeletons |
| `zones` | Sensing Pipeline | Active zones in the sensing area |
#### `VitalsView`
| Field | Source Context | Description |
|-------|---------------|-------------|
| `breathing_rate_bpm` | Sensing Pipeline | Per-node breathing rate time series |
| `heart_rate_bpm` | Sensing Pipeline | Per-node heart rate time series |
#### `MeshView`
| Field | Source Context | Description |
|-------|---------------|-------------|
| `nodes` | Device Discovery | Positioned nodes for graph layout |
| `edges` | Device Discovery | Inter-node visibility/connectivity |
| `tdm_timeline` | Device Discovery | TDM slot schedule visualization |
| `sync_status` | Sensing Pipeline | Per-node sync status with server |
---
## Cross-Context Event Flow
```
NodeDiscovered
Device Discovery ─────────────────────────────────> Firmware Management
│ │
│ NodeDiscovered │ FlashCompleted
│ NodeHealthChanged │
├──────────────────> Visualization v
│ Configuration
│ NodeDiscovered │
├──────────────────> Sensing Pipeline │ NodeProvisioned
│ │
│ v
│ Device Discovery
│ (re-scan triggered)
│ NodeDiscovered
└──────────────────> Edge Module (WASM)
│ ModuleUploaded, ModuleStarted
v
Sensing Pipeline
│ CsiFrameReceived, PoseUpdated, VitalSignUpdate
v
Visualization
```
## Implementation Notes
1. **Event Bus**: Domain events are dispatched via Tauri's event system
(`app_handle.emit("event-name", payload)`). The frontend subscribes using
`listen("event-name", callback)`. This provides natural cross-context
communication without coupling contexts directly.
2. **State Isolation**: Each bounded context maintains its own `State<'_, T>`
managed by Tauri. Contexts do not share mutable state directly — they
communicate exclusively through events.
3. **Module Organization**: Each bounded context maps to a Rust module under
`src/commands/` and `src/domain/`:
```
src/
commands/ # Tauri command handlers (application layer)
discovery.rs # Device Discovery context commands
flash.rs # Firmware Management context commands
ota.rs # Firmware Management context commands
provision.rs # Configuration context commands
server.rs # Sensing Pipeline context commands
wasm.rs # Edge Module context commands
domain/ # Domain models (pure Rust, no Tauri dependency)
discovery/
mod.rs
node.rs # Node entity, MacAddress VO
registry.rs # NodeRegistry aggregate
events.rs # Discovery domain events
firmware/
mod.rs
binary.rs # FirmwareBinary entity
flash.rs # FlashSession aggregate
ota.rs # OtaSession aggregate
events.rs
config/
mod.rs
nvs.rs # NodeConfig entity
mesh.rs # MeshConfig entity
provision.rs # ProvisioningSession aggregate
events.rs
sensing/
mod.rs
server.rs # SensingServer aggregate
session.rs # SensingSession entity
events.rs
wasm/
mod.rs
module.rs # WasmModule entity
registry.rs # ModuleRegistry aggregate
events.rs
acl/ # Anti-corruption layers
ota_status.rs # ESP32 OTA status response translator
wasm_api.rs # ESP32 WASM API response translator
espflash.rs # espflash crate adapter
```
4. **Testing Strategy**: Domain modules under `src/domain/` have no Tauri
dependency and can be tested with standard `cargo test`. Command handlers
under `src/commands/` require Tauri test utilities for integration testing.
5. **Shared Kernel**: The `MacAddress`, `SemVer`, and `SecureString` value objects
are shared across contexts. They live in a `src/domain/shared.rs` module.
This is acceptable because they are immutable value objects with no behavior
beyond validation and formatting.
api-docs/adr/ADR-052-tauri-desktop-frontend.md
+810
View File
@@ -0,0 +1,810 @@
# ADR-052: Tauri Desktop Frontend — RuView Hardware Management & Visualization
| Field | Value |
|-------|-------|
| Status | Proposed |
| Date | 2026-03-06 |
| Deciders | ruv |
| Depends on | ADR-012 (ESP32 CSI Mesh), ADR-039 (Edge Intelligence), ADR-040 (WASM Programmable Sensing), ADR-044 (Provisioning Enhancements), ADR-050 (Security Hardening), ADR-051 (Server Decomposition) |
| Issue | [#177](https://github.com/ruvnet/RuView/issues/177) |
## Context
RuView currently requires users to interact with multiple disconnected tools to manage a WiFi DensePose deployment:
| Task | Current Tool | Pain Point |
|------|-------------|------------|
| Flash firmware | `esptool.py` CLI | Requires Python, pip, correct chip/baud flags |
| Provision NVS | `provision.py` CLI | 13+ flags, no GUI, no read-back |
| OTA update | `curl POST :8032/ota` | Manual HTTP, PSK header construction |
| WASM modules | `curl` to `:8032/wasm/*` | No visibility into module state |
| Start sensing server | `cargo run` or binary | Manual port configuration, no log viewer |
| View sensing data | Browser at `localhost:8080` | Separate window, no hardware context |
| Mesh topology | Mental model | No visualization of TDM slots, sync, health |
| Node discovery | Manual IP tracking | No mDNS/UDP broadcast discovery |
There is no single tool that provides a unified view of the entire deployment — from ESP32 hardware through the sensing pipeline to pose visualization. Field operators deploying multi-node meshes must context-switch between terminals, browsers, and serial monitors.
### Why a Desktop App
A browser-based UI cannot access serial ports (for flashing), raw UDP sockets (for node discovery), or the local filesystem (for firmware binaries). A desktop application is required for hardware management. Tauri v2 is the natural choice because:
1. **Rust backend** — integrates directly with the existing Rust workspace (`v2/`). Crates like `wifi-densepose-hardware` (serial port parsing), `wifi-densepose-config`, and `wifi-densepose-sensing-server` can be linked as library dependencies.
2. **Small binary** — Tauri bundles the system webview rather than shipping Chromium (~150 MB savings vs Electron).
3. **Cross-platform** — Windows, macOS, Linux from the same codebase.
4. **Security model** — Tauri's capability-based permissions system restricts frontend access to explicitly allowed Rust commands.
### Why Not Electron / Flutter / Native
| Option | Rejected Because |
|--------|-----------------|
| Electron | 150+ MB bundle, no Rust integration, duplicates webview |
| Flutter | No serial port plugins, Dart FFI to Rust is awkward |
| Native (GTK/Qt) | Platform-specific UI code, no web component reuse |
| Web-only (PWA) | Cannot access serial ports or raw UDP |
## Decision
Build a Tauri v2 desktop application as a new crate in the Rust workspace. The frontend uses TypeScript with React and Vite. The Rust backend exposes Tauri commands that bridge the frontend to serial ports, UDP sockets, HTTP management endpoints, and the sensing server process.
### 1. Workspace Integration
Add a new crate to the workspace:
```
v2/
Cargo.toml # Add "crates/wifi-densepose-desktop" to members
crates/
wifi-densepose-desktop/ # NEW — Tauri app crate
Cargo.toml
tauri.conf.json
capabilities/
default.json # Tauri v2 capability permissions
icons/ # App icons (all platforms)
src/
main.rs # Tauri entry point
lib.rs # Command module re-exports
commands/
mod.rs
discovery.rs # Node discovery commands
flash.rs # Firmware flashing commands
ota.rs # OTA update commands
wasm.rs # WASM module management commands
server.rs # Sensing server lifecycle commands
provision.rs # NVS provisioning commands
serial.rs # Serial port enumeration
state.rs # Tauri managed state
discovery/
mod.rs
mdns.rs # mDNS service discovery
udp_broadcast.rs # UDP broadcast probe
flash/
mod.rs
espflash.rs # Rust-native ESP32 flashing (via espflash crate)
esptool.rs # Fallback: bundled esptool.py wrapper
frontend/
package.json
tsconfig.json
vite.config.ts
index.html
src/
main.tsx
App.tsx
routes.tsx
hooks/
useNodes.ts # Node discovery and status polling
useServer.ts # Sensing server state
useWebSocket.ts # WS connection to sensing server
stores/
nodeStore.ts # Zustand store for discovered nodes
serverStore.ts # Sensing server process state
settingsStore.ts # User preferences (dark mode, ports)
pages/
Dashboard.tsx # Hardware management overview
NodeDetail.tsx # Single node detail + config
FlashFirmware.tsx # Firmware flashing wizard
WasmModules.tsx # WASM module manager
SensingView.tsx # Live sensing data visualization
MeshTopology.tsx # Multi-node mesh topology view
Settings.tsx # App settings and preferences
components/
NodeCard.tsx # Node status card (health, version, signal)
NodeList.tsx # Discovered node list
FirmwareProgress.tsx # Flash/OTA progress indicator
LogViewer.tsx # Scrolling log output
SignalChart.tsx # Real-time CSI signal chart
PoseOverlay.tsx # Pose skeleton overlay
MeshGraph.tsx # D3/force-graph mesh topology
SerialPortSelect.tsx # Serial port dropdown
ProvisionForm.tsx # NVS provisioning form
lib/
tauri.ts # Typed Tauri invoke wrappers
types.ts # Shared TypeScript types
```
### 2. Rust Backend — Tauri Commands
#### 2.1 Node Discovery
```rust
// commands/discovery.rs
/// Discover ESP32 CSI nodes on the local network.
/// Strategy 1: mDNS — nodes announce _ruview._tcp service
/// Strategy 2: UDP broadcast probe on port 5005 (CSI aggregator port)
/// Strategy 3: HTTP health check sweep on port 8032 (OTA server)
#[tauri::command]
async fn discover_nodes(timeout_ms: u64) -> Result<Vec<DiscoveredNode>, String>;
/// Get detailed status from a specific node via HTTP.
/// Calls GET /ota/status on port 8032.
#[tauri::command]
async fn get_node_status(ip: String) -> Result<NodeStatus, String>;
/// Subscribe to node health updates (periodic polling).
#[tauri::command]
async fn watch_nodes(interval_ms: u64, state: State<'_, AppState>) -> Result<(), String>;
```
The `DiscoveredNode` struct:
```rust
#[derive(Serialize, Deserialize, Clone)]
pub struct DiscoveredNode {
pub ip: String,
pub mac: Option<String>,
pub hostname: Option<String>,
pub node_id: u8,
pub firmware_version: Option<String>,
pub tdm_slot: Option<u8>,
pub tdm_total: Option<u8>,
pub edge_tier: Option<u8>,
pub uptime_secs: Option<u64>,
pub discovery_method: DiscoveryMethod, // Mdns | UdpProbe | HttpSweep
pub last_seen: chrono::DateTime<chrono::Utc>,
}
```
#### 2.2 Firmware Flashing
```rust
// commands/flash.rs
/// List available serial ports with chip detection.
#[tauri::command]
async fn list_serial_ports() -> Result<Vec<SerialPortInfo>, String>;
/// Flash firmware binary to an ESP32 via serial port.
/// Uses the `espflash` crate for Rust-native flashing (no Python dependency).
/// Falls back to bundled esptool.py if espflash fails.
/// Emits progress events via Tauri event system.
#[tauri::command]
async fn flash_firmware(
port: String,
firmware_path: String,
chip: Chip, // Esp32, Esp32s3, Esp32c3
baud: Option<u32>,
app_handle: AppHandle,
) -> Result<FlashResult, String>;
/// Read firmware info from a connected ESP32 (chip type, flash size, MAC).
#[tauri::command]
async fn read_chip_info(port: String) -> Result<ChipInfo, String>;
```
Flash progress is emitted as Tauri events:
```rust
#[derive(Serialize, Clone)]
pub struct FlashProgress {
pub phase: FlashPhase, // Connecting | Erasing | Writing | Verifying
pub progress_pct: f32, // 0.0 - 100.0
pub bytes_written: u64,
pub bytes_total: u64,
pub speed_bps: u64,
}
```
#### 2.3 OTA Updates
```rust
// commands/ota.rs
/// Push firmware to a node via HTTP OTA (port 8032).
/// Includes PSK authentication per ADR-050.
#[tauri::command]
async fn ota_update(
node_ip: String,
firmware_path: String,
psk: Option<String>,
app_handle: AppHandle,
) -> Result<OtaResult, String>;
/// Get OTA status from a node (current version, partition info).
#[tauri::command]
async fn ota_status(node_ip: String, psk: Option<String>) -> Result<OtaStatus, String>;
/// Batch OTA update — push firmware to multiple nodes sequentially.
/// Skips nodes already running the target version.
#[tauri::command]
async fn ota_batch_update(
nodes: Vec<String>, // IPs
firmware_path: String,
psk: Option<String>,
app_handle: AppHandle,
) -> Result<Vec<OtaResult>, String>;
```
#### 2.4 WASM Module Management
```rust
// commands/wasm.rs
/// List WASM modules loaded on a node.
/// Calls GET /wasm/list on port 8032.
#[tauri::command]
async fn wasm_list(node_ip: String) -> Result<Vec<WasmModule>, String>;
/// Upload a WASM module to a node.
/// Calls POST /wasm/upload on port 8032 with binary payload.
#[tauri::command]
async fn wasm_upload(
node_ip: String,
wasm_path: String,
app_handle: AppHandle,
) -> Result<WasmUploadResult, String>;
/// Start/stop a WASM module on a node.
#[tauri::command]
async fn wasm_control(
node_ip: String,
module_id: String,
action: WasmAction, // Start | Stop | Unload
) -> Result<(), String>;
```
#### 2.5 Sensing Server Lifecycle
```rust
// commands/server.rs
/// Start the sensing server as a managed child process.
/// The server binary is either bundled with the Tauri app (sidecar)
/// or discovered on PATH.
#[tauri::command]
async fn start_server(
config: ServerConfig,
state: State<'_, AppState>,
app_handle: AppHandle,
) -> Result<(), String>;
/// Stop the managed sensing server process.
#[tauri::command]
async fn stop_server(state: State<'_, AppState>) -> Result<(), String>;
/// Get sensing server status (running/stopped, PID, ports, uptime).
#[tauri::command]
async fn server_status(state: State<'_, AppState>) -> Result<ServerStatus, String>;
#[derive(Serialize, Deserialize, Clone)]
pub struct ServerConfig {
pub http_port: u16, // Default: 8080
pub ws_port: u16, // Default: 8765
pub udp_port: u16, // Default: 5005
pub static_dir: Option<String>, // Path to UI static files
pub model_dir: Option<String>, // Path to ML models
pub log_level: String, // trace, debug, info, warn, error
}
```
The sensing server is bundled as a Tauri sidecar binary. Tauri v2 supports sidecar binaries via `externalBin` in `tauri.conf.json`:
```json
{
"bundle": {
"externalBin": ["sensing-server"]
}
}
```
#### 2.6 NVS Provisioning
```rust
// commands/provision.rs
/// Provision NVS configuration to an ESP32 via serial port.
/// Replaces the Python provision.py script with a Rust-native implementation.
/// Generates NVS partition binary and flashes it to the NVS partition offset.
#[tauri::command]
async fn provision_node(
port: String,
config: NvsConfig,
app_handle: AppHandle,
) -> Result<ProvisionResult, String>;
/// Read current NVS configuration from a connected ESP32.
/// Reads the NVS partition and parses key-value pairs.
#[tauri::command]
async fn read_nvs(port: String) -> Result<NvsConfig, String>;
#[derive(Serialize, Deserialize, Clone)]
pub struct NvsConfig {
pub wifi_ssid: Option<String>,
pub wifi_password: Option<String>,
pub target_ip: Option<String>,
pub target_port: Option<u16>,
pub node_id: Option<u8>,
pub tdm_slot: Option<u8>,
pub tdm_total: Option<u8>,
pub edge_tier: Option<u8>,
pub presence_thresh: Option<u16>,
pub fall_thresh: Option<u16>,
pub vital_window: Option<u16>,
pub vital_interval_ms: Option<u16>,
pub top_k_count: Option<u8>,
pub hop_count: Option<u8>,
pub channel_list: Option<Vec<u8>>,
pub dwell_ms: Option<u32>,
pub power_duty: Option<u8>,
pub wasm_max_modules: Option<u8>,
pub wasm_verify: Option<bool>,
pub wasm_pubkey: Option<Vec<u8>>,
pub ota_psk: Option<String>,
}
```
### 3. Frontend Architecture
#### 3.1 Tech Stack
| Layer | Choice | Rationale |
|-------|--------|-----------|
| Framework | React 19 | Component model, ecosystem, team familiarity |
| Build | Vite 6 | Fast HMR, Tauri plugin support |
| State | Zustand | Lightweight, no boilerplate, works with Tauri events |
| Routing | React Router v7 | File-based routes, type-safe |
| UI Components | shadcn/ui + Tailwind CSS | Accessible, customizable, no runtime CSS-in-JS |
| Charts | Recharts or visx | Real-time signal visualization |
| Topology Graph | D3 force-directed | Mesh network visualization |
| Serial UI | Custom | Tauri command integration |
| Icons | Lucide React | Consistent, tree-shakeable |
#### 3.2 Page Layout
```
+------------------------------------------+
| RuView [Settings] [?] |
+-------+----------------------------------+
| | |
| Nav | Dashboard / Active Page |
| | |
| [D] | +--------+ +--------+ +------+ |
| [F] | | Node 1 | | Node 2 | | +Add | |
| [W] | +--------+ +--------+ +------+ |
| [S] | |
| [M] | Server Status: Running |
| [T] | +--------------------------+ |
| | | Live Signal / Pose View | |
| | +--------------------------+ |
+-------+----------------------------------+
| Status Bar: 3 nodes | Server: :8080 |
+------------------------------------------+
Nav items:
[D] Dashboard — overview of all nodes and server
[F] Flash — firmware flashing wizard
[W] WASM — edge module management
[S] Sensing — live sensing data view
[M] Mesh — topology visualization
[T] Settings — ports, paths, preferences
```
#### 3.3 Dashboard Page
The dashboard is the primary landing page showing:
1. **Node Grid** — cards for each discovered ESP32 node showing:
- IP address and hostname
- Firmware version (with update indicator if newer available)
- Node ID and TDM slot assignment
- Edge processing tier (raw / stats / vitals)
- Signal quality indicator (last CSI frame age)
- Health status (online/offline/degraded)
- Quick actions: OTA update, configure, view logs
2. **Sensing Server Panel** — start/stop button, port configuration, log tail
3. **Discovery Controls** — scan button, auto-discovery toggle, network range filter
#### 3.4 Flash Firmware Page
A wizard-style flow:
1. **Select Port** — dropdown of detected serial ports with chip info
2. **Select Firmware** — file picker for `.bin` files, or select from bundled builds
3. **Configure** — chip type, baud rate, flash mode
4. **Flash** — progress bar with phase indicators (connecting, erasing, writing, verifying)
5. **Provision** — optional NVS provisioning form (WiFi, target IP, TDM, edge tier)
6. **Verify** — serial monitor showing boot log, success/fail indicator
#### 3.5 WASM Module Manager Page
| Column | Content |
|--------|---------|
| Module ID | Auto-assigned by node |
| Name | Filename of uploaded `.wasm` |
| Size | Module size in KB |
| Status | Running / Stopped / Error |
| Node | Which ESP32 node it runs on |
| Actions | Start / Stop / Unload / View Logs |
Upload panel: drag-and-drop `.wasm` file, select target node(s), upload button.
#### 3.6 Sensing View Page
Embeds the existing web UI (`ui/`) via an iframe pointing at the sensing server's static file route, or builds native React components that connect to the same WebSocket API. The native approach is preferred because it allows:
- Tighter integration with the node status sidebar
- Shared state between hardware management and visualization
- Offline access to recorded data
Key visualization components:
- **CSI Heatmap** — subcarrier amplitude over time
- **Signal Field** — 2D signal strength visualization
- **Pose Skeleton** — detected body keypoints and connections
- **Vital Signs** — real-time breathing rate and heart rate charts
- **Activity Classification** — current activity label with confidence
#### 3.7 Mesh Topology Page
A force-directed graph showing:
- Nodes as circles (color = health status, size = edge tier)
- Edges between nodes that can see each other
- TDM slot labels on each node
- Sync status indicators (in-sync / drifting / lost)
- Click a node to navigate to its detail page
### 4. Platform-Specific Considerations
#### 4.1 macOS
- **Serial driver signing**: CP210x and CH340 drivers require user approval in System Preferences > Security
- **App signing**: Tauri apps must be signed and notarized for distribution outside the App Store
- **USB permissions**: No special permissions needed beyond driver installation
- **CoreWLAN**: The sensing server can use CoreWLAN for WiFi scanning (ADR-025); the desktop app inherits this capability
#### 4.2 Windows
- **COM port access**: Windows assigns COM port numbers; the app lists them via the Windows Registry or `SetupDi` API
- **Driver installation**: USB-to-serial drivers (CP210x, CH340, FTDI) must be installed; the app can detect missing drivers and link to downloads
- **Firewall**: The sensing server's UDP listener may trigger Windows Firewall prompts; the app should pre-configure rules or guide the user
- **Code signing**: EV certificate required for SmartScreen trust; unsigned apps trigger warnings
#### 4.3 Linux
- **udev rules**: ESP32 serial ports (`/dev/ttyUSB*`, `/dev/ttyACM*`) require udev rules for non-root access. The app bundles a `99-ruview-esp32.rules` file and offers to install it:
```
SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", MODE="0666" # CP210x
SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", MODE="0666" # CH340
```
- **AppImage/deb/rpm**: Tauri supports all three packaging formats
- **Wayland vs X11**: Tauri uses webkit2gtk which works on both
### 5. Cargo.toml for the Desktop Crate
```toml
[package]
name = "wifi-densepose-desktop"
version.workspace = true
edition.workspace = true
description = "Tauri desktop frontend for RuView WiFi DensePose"
license.workspace = true
authors.workspace = true
[lib]
name = "wifi_densepose_desktop"
crate-type = ["staticlib", "cdylib", "rlib"]
[build-dependencies]
tauri-build = { version = "2", features = [] }
[dependencies]
tauri = { version = "2", features = [] }
tauri-plugin-shell = "2" # Sidecar process management
tauri-plugin-dialog = "2" # File picker dialogs
tauri-plugin-fs = "2" # Filesystem access
tauri-plugin-process = "2" # Process management
tauri-plugin-notification = "2" # Desktop notifications
# Workspace crates
wifi-densepose-hardware = { workspace = true }
wifi-densepose-config = { workspace = true }
wifi-densepose-core = { workspace = true }
# Serial port access
serialport = { workspace = true }
# ESP32 flashing (Rust-native, replaces esptool.py)
espflash = "3"
# Network discovery
mdns-sd = "0.11" # mDNS/DNS-SD service discovery
# HTTP client for OTA and WASM management
reqwest = { version = "0.12", features = ["json", "multipart", "stream"] }
# Async runtime
tokio = { workspace = true }
# Serialization
serde = { workspace = true }
serde_json = { workspace = true }
# Logging
tracing = { workspace = true }
tracing-subscriber = { workspace = true }
# Time
chrono = { version = "0.4", features = ["serde"] }
```
### 6. Tauri Configuration
```json
{
"$schema": "https://raw.githubusercontent.com/tauri-apps/tauri/dev/crates/tauri-config-schema/schema.json",
"productName": "RuView",
"version": "0.3.0",
"identifier": "net.ruv.ruview",
"build": {
"frontendDist": "../frontend/dist",
"devUrl": "http://localhost:5173",
"beforeDevCommand": "cd frontend && npm run dev",
"beforeBuildCommand": "cd frontend && npm run build"
},
"app": {
"windows": [
{
"title": "RuView - WiFi DensePose",
"width": 1280,
"height": 800,
"minWidth": 900,
"minHeight": 600
}
]
},
"bundle": {
"active": true,
"targets": "all",
"icon": [
"icons/32x32.png",
"icons/128x128.png",
"icons/128x128@2x.png",
"icons/icon.icns",
"icons/icon.ico"
],
"externalBin": ["sensing-server"],
"linux": {
"deb": { "depends": ["libwebkit2gtk-4.1-0"] },
"appimage": { "bundleMediaFramework": true }
},
"windows": {
"wix": { "language": "en-US" }
}
}
}
```
### 7. Tauri v2 Capabilities (Permissions)
```json
{
"identifier": "default",
"description": "RuView default capability set",
"windows": ["main"],
"permissions": [
"core:default",
"shell:allow-execute",
"shell:allow-open",
"dialog:allow-open",
"dialog:allow-save",
"fs:allow-read",
"fs:allow-write",
"process:allow-exit",
"notification:default"
]
}
```
### 8. Development Workflow
```bash
# Prerequisites
cargo install tauri-cli@^2
cd v2/crates/wifi-densepose-desktop/frontend
npm install
# Development (hot-reload frontend + Rust rebuild)
cd v2/crates/wifi-densepose-desktop
cargo tauri dev
# Production build
cargo tauri build
# Build sensing-server sidecar (must be done before tauri build)
cargo build --release -p wifi-densepose-sensing-server
# Copy to sidecar location:
# target/release/sensing-server -> crates/wifi-densepose-desktop/binaries/sensing-server-{arch}
```
### 9. Persistent Node Registry
Discovery alone is transient — nodes appear when they broadcast, disappear when they don't. A persistent local registry transforms discovery into **reconciliation**.
```
~/.ruview/nodes.db (SQLite via rusqlite)
```
**Schema:**
```sql
CREATE TABLE nodes (
mac TEXT PRIMARY KEY, -- e.g. "AA:BB:CC:DD:EE:FF"
last_ip TEXT, -- last known IP
last_seen INTEGER NOT NULL, -- Unix timestamp
firmware TEXT, -- e.g. "0.3.1"
chip TEXT DEFAULT 'esp32s3', -- esp32, esp32s3, esp32c3
mesh_role TEXT DEFAULT 'node', -- 'coordinator' | 'node' | 'aggregator'
tdm_slot INTEGER, -- assigned TDM slot index
capabilities TEXT, -- JSON: {"wasm": true, "ota": true, "csi": true}
friendly_name TEXT, -- user-assigned label
notes TEXT -- free-form notes
);
```
**Behavior:**
- On discovery broadcast, upsert into registry (update `last_ip`, `last_seen`, `firmware`)
- Dashboard shows **all registered nodes**, dimming those not seen recently
- User can manually add nodes by MAC/IP (for networks without mDNS)
- Export/import registry as JSON for fleet management across machines
- Node health history (uptime, last OTA, error count) tracked over time
This means the desktop app **remembers the mesh** across restarts, which is critical for field deployments where nodes may be offline temporarily.
### 10. OTA Safety Gate — Rolling Updates
Mesh deployments cannot tolerate all nodes rebooting simultaneously. The OTA subsystem includes a **rolling update mode** that preserves sensing continuity:
```rust
#[derive(Serialize, Deserialize)]
pub struct BatchOtaConfig {
/// Update strategy
pub strategy: OtaStrategy,
/// Max nodes updating concurrently
pub max_concurrent: usize,
/// Delay between batches (seconds)
pub batch_delay_secs: u64,
/// Abort if any node fails
pub fail_fast: bool,
}
#[derive(Serialize, Deserialize)]
pub enum OtaStrategy {
/// Update one node at a time, wait for it to rejoin mesh
Sequential,
/// Update non-adjacent TDM slots to maintain coverage
TdmSafe,
/// Update all nodes simultaneously (development only)
Parallel,
}
```
**`TdmSafe` strategy:**
1. Sort nodes by TDM slot index
2. Update even-slot nodes first (slots 0, 2, 4...)
3. Wait for each to reboot and rejoin mesh (verified via beacon)
4. Then update odd-slot nodes (slots 1, 3, 5...)
5. At no point are adjacent nodes offline simultaneously
**UI flow:**
- User selects target firmware + target nodes
- App shows pre-update diff (current vs new version per node)
- Progress bar per node with states: `queued → uploading → rebooting → verifying → done`
- Abort button halts remaining updates without rolling back completed ones
- Post-update health check confirms all nodes are sensing
### 11. Plugin Architecture (Future)
This desktop tool is quietly becoming the **control plane for RuView**. Once it manages discovery, firmware, OTA, WASM, sensing, and mesh topology, plugin extensibility becomes inevitable:
- **Firmware management** today → **swarm orchestration** tomorrow
- **WASM upload** today → **edge module marketplace** tomorrow
- **Sensing view** today → **activity classification dashboard** tomorrow
The Tauri command surface should be designed with this trajectory in mind:
- Commands are grouped by bounded context (already done)
- Each context can be extended by loading additional Tauri plugins
- The node registry becomes the source of truth for all plugins
- Event bus (Tauri's `emit`/`listen`) provides cross-plugin communication
This does NOT mean building a plugin system in Phase 1. It means keeping the architecture open to it: no hardcoded views, state flows through the registry, commands are typed and versioned.
### 12. Security Considerations
1. **PSK Storage**: OTA PSK tokens are stored in the OS keychain via `tauri-plugin-stronghold` or the platform's native credential store, never in plaintext config files.
2. **Serial Port Access**: Tauri's capability system restricts which commands the frontend can invoke. Serial port access is only available through the typed `flash_firmware` and `provision_node` commands, not raw serial I/O.
3. **Network Requests**: OTA and WASM management commands only communicate with nodes on the local network. The app does not make external network requests except for update checks (opt-in).
4. **Firmware Validation**: Before flashing, the app validates the firmware binary header (ESP32 image magic bytes, partition table offset) to prevent bricking.
5. **WASM Signature Verification**: The desktop app can sign WASM modules before upload using a locally stored Ed25519 key pair, complementing the node-side verification (ADR-040).
### 13. Implementation Phases
| Phase | Scope | Effort | Priority |
|-------|-------|--------|----------|
| **Phase 1: Skeleton** | Tauri project scaffolding, workspace integration, basic window with React | 1 week | P0 |
| **Phase 2: Discovery** | Serial port listing, UDP/mDNS node discovery, dashboard with node cards | 1 week | P0 |
| **Phase 3: Flash** | espflash integration, firmware flashing wizard with progress events | 1 week | P0 |
| **Phase 4: Server** | Sidecar sensing server start/stop, log viewer, status panel | 1 week | P1 |
| **Phase 5: OTA** | HTTP OTA with PSK auth, batch update, version comparison | 1 week | P1 |
| **Phase 6: Provisioning** | NVS read/write via serial, provisioning form, mesh config file | 1 week | P1 |
| **Phase 7: WASM** | Module upload/list/start/stop, drag-and-drop, per-module logs | 1 week | P2 |
| **Phase 8: Sensing** | WebSocket integration, live signal charts, pose overlay | 2 weeks | P2 |
| **Phase 9: Mesh View** | Force-directed topology graph, TDM slot visualization, sync status | 1 week | P2 |
| **Phase 10: Polish** | App signing, auto-update, udev rules installer, onboarding wizard | 1 week | P3 |
Total estimated effort: ~11 weeks for a single developer.
## Consequences
### Positive
- **Single pane of glass** — all hardware management, sensing, and visualization in one app
- **No Python dependency** — Rust-native `espflash` replaces `esptool.py` for firmware flashing
- **Replaces 6+ CLI tools** — flash, provision, OTA, WASM management, server control, visualization
- **Accessible to non-developers** — GUI replaces CLI flags and curl commands
- **Cross-platform** — one codebase for Windows, macOS, Linux
- **Workspace integration** — shares types, config, and hardware crates with sensing server
- **Small binary** — ~15-20 MB vs ~150 MB for Electron equivalent
### Negative
- **New frontend dependency** — introduces Node.js/npm build step into the Rust workspace
- **Tauri version churn** — Tauri v2 is recent; API stability is not yet proven at scale
- **webkit2gtk on Linux** — depends on system webview version; old distros may have stale webkit
- **espflash limitations** — the `espflash` crate may not support all chip variants or flash modes that `esptool.py` handles; fallback to bundled Python is needed
- **Maintenance surface** — adds ~5,000 lines of TypeScript and ~2,000 lines of Rust
### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| espflash cannot flash all ESP32 variants | Medium | High | Bundle esptool.py as fallback sidecar |
| Tauri v2 breaking changes | Low | Medium | Pin to specific Tauri version; update in dedicated PRs |
| Serial port access fails on macOS Sequoia+ | Medium | Medium | Test on latest macOS; document driver requirements |
| webkit2gtk version mismatch on Linux | Medium | Low | Set minimum version in deb/rpm dependencies |
| Sidecar sensing server fails to start | Low | Medium | Detect failure and show manual start instructions |
## References
- Tauri v2 documentation: https://v2.tauri.app/
- espflash crate: https://crates.io/crates/espflash
- mdns-sd crate: https://crates.io/crates/mdns-sd
- ADR-012: ESP32 CSI Sensor Mesh
- ADR-039: ESP32 Edge Intelligence
- ADR-040: WASM Programmable Sensing
- ADR-044: Provisioning Tool Enhancements
- ADR-050: Quality Engineering — Security Hardening
- ADR-051: Sensing Server Decomposition
- `firmware/esp32-csi-node/` — ESP32 firmware source
- `firmware/esp32-csi-node/provision.py` — Current provisioning script
- `v2/crates/wifi-densepose-sensing-server/` — Sensing server
- `v2/crates/wifi-densepose-hardware/` — Hardware crate
- `ui/` — Existing web UI
api-docs/adr/ADR-053-ui-design-system.md
+274
View File
@@ -0,0 +1,274 @@
# ADR-053: UI Design System — Dark Professional + Unity-Inspired Interface
| Field | Value |
|-------|-------|
| Status | Accepted |
| Date | 2026-03-06 |
| Deciders | ruv |
| Depends on | ADR-052 (Tauri Desktop Frontend) |
## Context
RuView Desktop (ADR-052) needs a UI design system that communicates precision and control — befitting a hardware management control plane for embedded sensing infrastructure. The interface must handle dense data (CSI heatmaps, node registries, log streams, mesh topologies) without feeling overwhelming, while remaining usable by both engineers and field operators.
Two design inspirations:
1. **Data-first professional tools** — Dense information displays where data speaks for itself. Clean typography, structured layouts, and deliberate use of color for status. The interface shows what matters and hides what doesn't. Think: network monitoring dashboards, embedded systems IDEs, infrastructure control panels.
2. **Unity Editor** — Dockable panel system, inspector/hierarchy/scene separation, property grids, dark professional theme, and dense-but-organized data display. Unity's UI is purpose-built for managing complex real-time systems — exactly what RuView needs.
The combination yields a professional control panel for WiFi sensing infrastructure. Data is organized into scannable panels with clear hierarchy. Status is communicated through consistent color coding. The layout adapts from high-level overview down to individual node details through progressive disclosure.
## Decision
### Design Principles
1. **Data is the interface** — The system reveals patterns through visualization, not through explanation. Every pixel earns its place.
2. **Precision typography** — Typography is clean and authoritative. Technical values are displayed without ambiguity. Labels are concise.
3. **Panel-based layout** — Dockable regions inspired by Unity's panel system. The operator can see the entire mesh at a glance, then drill into any node.
4. **Status through color** — Deliberate color coding: green (online), amber (degraded), red (offline/failed), blue (scanning/new). No gratuitous color.
5. **Progressive disclosure** — Dashboard shows the overview. Clicking a node reveals its details. Summary first, detail on interaction.
6. **Dual typography** — Monospace for all technical values (MAC addresses, firmware versions, CSI amplitudes). Sans-serif for labels and descriptions. The contrast signals "data vs. context."
7. **Powered by rUv** — Subtle branding: footer tagline, about dialog, splash screen.
### Color System
```css
:root {
/* Background layers */
--bg-base: #0d1117; /* App background */
--bg-surface: #161b22; /* Panel backgrounds */
--bg-elevated: #1c2333; /* Cards, modals, dropdowns */
--bg-hover: #242d3d; /* Hover state */
--bg-active: #2d3748; /* Active/selected state */
/* Text hierarchy */
--text-primary: #e6edf3; /* Headings, primary content */
--text-secondary: #8b949e; /* Labels, descriptions */
--text-muted: #484f58; /* Disabled, hints, placeholders */
/* Status indicators */
--status-online: #3fb950; /* Node online, healthy */
--status-warning: #d29922; /* Degraded, needs attention */
--status-error: #f85149; /* Offline, failed, critical */
--status-info: #58a6ff; /* Scanning, discovering, info */
/* Accent */
--accent: #7c3aed; /* rUv purple — primary actions */
--accent-hover: #6d28d9;
/* Borders */
--border: #30363d;
--border-active: #58a6ff;
/* Data display */
--font-mono: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;
--font-sans: 'Inter', -apple-system, BlinkMacSystemFont, sans-serif;
}
```
### Typography Scale
```css
/* Typographic hierarchy */
.heading-xl { font: 600 28px/1.2 var(--font-sans); } /* Page titles */
.heading-lg { font: 600 20px/1.3 var(--font-sans); } /* Section titles */
.heading-md { font: 600 16px/1.4 var(--font-sans); } /* Card titles */
.heading-sm { font: 600 13px/1.4 var(--font-sans); } /* Panel labels */
.body { font: 400 14px/1.6 var(--font-sans); } /* Body text */
.body-sm { font: 400 12px/1.5 var(--font-sans); } /* Captions */
.data { font: 400 13px/1.4 var(--font-mono); } /* Technical values */
.data-lg { font: 500 18px/1.2 var(--font-mono); } /* Key metrics */
```
### Layout System
Three-region layout: navigation sidebar, node list, and detail inspector. Unity's docking system provides the mechanical framework.
```
+--[ Sidebar ]--+--[ Main ]-------------------------------------+
| | |
| [Nav Items] | +--[ Command Bar ]---------------------------+ |
| | | Breadcrumb | Actions | Search | |
| Dashboard | +-------+-----------------------------------+ |
| Nodes | | | | |
| Flash | | Node | Detail Inspector | |
| OTA | | List | (selected node properties) | |
| Edge Modules | | | | |
| Sensing | | | [Property Grid] | |
| Mesh View | | | [Status Indicators] | |
| Settings | | | [Action Buttons] | |
| | | | | |
+-[ Status Bar ]+--+-------+-----------------------------------+ |
| rUv | 3 nodes online | Server: running | Port: 8080 |
+---------------------------------------------------------------+
```
**Panel behaviors:**
- Sidebar collapses to icon-only on narrow windows
- Node List / Inspector split is resizable via drag handle
- Inspector scrolls independently — drill into any node without losing the list
- Status Bar shows global system state at a glance (node count, server status, port)
### Component Library
#### 1. NodeCard
```
+-- NodeCard -----------------------------------------------+
| [●] ESP32-S3 Node #2 firmware: 0.3.1 |
| MAC: AA:BB:CC:DD:EE:FF TDM Slot: 2/4 |
| IP: 192.168.1.42 Edge Tier: 1 |
| Last seen: 3s ago [Flash] [OTA] [···] |
+-----------------------------------------------------------+
```
Status dot uses `--status-online/warning/error`. Card background shifts on hover.
#### 2. FlashProgress
```
+-- Flash Progress -----------------------------------------+
| Flashing firmware to COM3 (ESP32-S3) |
| |
| Phase: Writing |
| [████████████████████░░░░░░░░░░] 67.3% |
| 412 KB / 612 KB • 38.2 KB/s • ~5s remaining |
+-----------------------------------------------------------+
```
Progress bar uses `--accent` fill with subtle pulse animation during active writes.
#### 3. Mesh Topology View (Three.js)
Interactive 3D visualization of the sensing network. Each node is a sphere. Edges are lines representing signal paths. The coordinator node is visually distinct (larger, outlined ring). Built with **Three.js**, consistent with the existing visualization stack in `ui/observatory/js/` and `ui/components/`.
```
+-- Mesh Topology ------------------------------------------+
| |
| [Node 0]----[Node 1] |
| | \ / | |
| | [Coordinator] | Coordinator = TDM master |
| | / \ | |
| [Node 2]----[Node 3] |
| |
| Drift: ±0.3ms | Cycle: 50ms | 4/4 nodes online |
+-----------------------------------------------------------+
```
**Three.js implementation details:**
- Force-directed layout computed on CPU, rendered as `THREE.Group` with `THREE.Mesh` (spheres) and `THREE.Line` (edges)
- Node spheres use `THREE.MeshPhongMaterial` with emissive color matching `--status-online/warning/error`
- Edge lines use `THREE.LineBasicMaterial` with opacity mapped to signal strength
- Coordinator node rendered with `THREE.RingGeometry` outline
- Camera: `OrbitControls` for pan/zoom/rotate, reset button returns to default view
- Follows existing patterns: `BufferGeometry` + `BufferAttribute` for dynamic updates (see `ui/observatory/js/subcarrier-manifold.js`)
- Raycasting for node click → opens detail in Inspector panel
- Real-time updates as nodes join, leave, or change status — geometry attributes updated per frame
#### 4. PropertyGrid (Unity Inspector-style)
```
+-- Node Inspector -----------------------------------------+
| General [▼] |
| MAC Address AA:BB:CC:DD:EE:FF |
| IP Address 192.168.1.42 |
| Firmware 0.3.1 |
| Chip ESP32-S3 |
| TDM Configuration [▼] |
| Slot Index 2 |
| Total Nodes 4 |
| Cycle Period 50 ms |
| Sync Drift +0.12 ms |
| WASM Modules [▼] |
| [0] activity_detect running 12.4 KB 83 us/f |
| [1] vital_monitor stopped 8.1 KB — us/f |
+-----------------------------------------------------------+
```
Collapsible sections with alternating row backgrounds for scanability.
#### 5. StatusBadge
```
[● Online] [◐ Degraded] [○ Offline] [↻ Updating]
```
Small inline badges with status dot, label, and optional tooltip.
#### 6. LogViewer
```
+-- Server Log (auto-scroll) -----------[ Clear ] [ ⏸ ]---+
| 19:42:01.234 INFO sensing-server HTTP on 127.0.0.1:8080|
| 19:42:01.235 INFO sensing-server WS on 127.0.0.1:8765 |
| 19:42:01.890 INFO udp_receiver CSI frame from .42 |
| 19:42:02.003 WARN vital_signs Low signal quality |
+-----------------------------------------------------------+
```
Monospace, color-coded by log level (INFO=text, WARN=amber, ERROR=red). Virtual scrolling for performance.
### Spacing and Grid
```css
/* 4px base grid */
--space-1: 4px; /* Tight spacing (within components) */
--space-2: 8px; /* Component internal padding */
--space-3: 12px; /* Between related elements */
--space-4: 16px; /* Card padding, section gaps */
--space-5: 24px; /* Between sections */
--space-6: 32px; /* Page-level spacing */
--space-8: 48px; /* Major section breaks */
/* Panel dimensions */
--sidebar-width: 220px;
--sidebar-collapsed: 52px;
--statusbar-height: 28px;
--toolbar-height: 44px;
```
### Animations
Minimal and purposeful:
- Panel collapse/expand: 200ms ease-out
- Node card health transition: 300ms (color fade, not flash)
- Progress bar fill: smooth 60fps CSS transition
- Mesh graph: Three.js render loop at 60fps, force simulation on requestAnimationFrame
- No loading spinners — use skeleton placeholders instead
### Branding
- **Splash screen**: rUv logo + "RuView Desktop" + version, 1.5s duration
- **Status bar**: "Powered by rUv" in `--text-muted`, left-aligned
- **About dialog**: rUv logo, version, license, links to GitHub and docs
- **App icon**: Stylized WiFi signal + human silhouette in rUv purple (#7c3aed)
## Consequences
### Positive
- Professional, data-dense UI suitable for hardware management
- Consistent design language across all 7 pages
- Dual typography (mono + sans-serif) ensures readability at all information densities
- Unity-inspired panels feel natural to engineers familiar with IDE/editor tools
- Dark theme reduces eye strain for extended monitoring sessions
### Negative
- Custom design system means no off-the-shelf component library (shadcn/ui partially usable)
- Dockable panels add complexity to the layout system
- Dark-only theme may not suit all users (could add light mode later)
### Neutral
- The design system is CSS-only with React components — no heavy UI framework dependency
- Component library can be extracted as a separate package if other rUv projects need it
## References
- ADR-052: Tauri Desktop Frontend
- Unity Editor UI Guidelines: https://docs.unity3d.com/Manual/UIE-USS.html
- Three.js (existing project dependency): `ui/observatory/js/`, `ui/components/`
- Inter font: https://rsms.me/inter/
- JetBrains Mono: https://www.jetbrains.com/lp/mono/
api-docs/adr/ADR-054-desktop-full-implementation.md
+699
View File
@@ -0,0 +1,699 @@
# ADR-054: RuView Desktop Full Implementation
## Status
**Accepted** — Implementation in progress
## Context
RuView Desktop v0.3.0 shipped with a complete React/TypeScript frontend but stub-only Rust backend commands. Users report:
- Settings cannot be saved (#206) ✅ Fixed in PR #209
- Flash firmware does nothing
- OTA updates are non-functional
- Node discovery returns hardcoded data
- Server start/stop is cosmetic only
This ADR defines the complete implementation plan to make all desktop features production-ready with proper security, optimization, and error handling.
## Decision
Implement all 14 Tauri commands with full functionality, security hardening, and performance optimization.
---
## 1. Command Implementation Matrix
| Module | Command | Current | Target | Priority | Security |
|--------|---------|---------|--------|----------|----------|
| **Settings** | `get_settings` | ✅ Done | ✅ Done | P0 | File permissions |
| | `save_settings` | ✅ Done | ✅ Done | P0 | Input validation |
| **Discovery** | `discover_nodes` | Stub | Full mDNS + UDP | P1 | Network boundary |
| | `list_serial_ports` | Stub | Real enumeration | P1 | USB device access |
| **Flash** | `flash_firmware` | Stub | espflash integration | P1 | Binary validation |
| | `flash_progress` | Stub | Event streaming | P1 | Progress channel |
| **OTA** | `ota_update` | Stub | HTTP multipart + PSK | P1 | TLS + PSK auth |
| | `batch_ota_update` | Stub | Parallel with backoff | P2 | Rate limiting |
| **WASM** | `wasm_list` | Stub | HTTP GET /api/wasm | P2 | Response validation |
| | `wasm_upload` | Stub | HTTP POST multipart | P2 | Size limits, signing |
| | `wasm_control` | Stub | HTTP POST commands | P2 | Action whitelist |
| **Server** | `start_server` | Partial | Child process spawn | P1 | Port validation |
| | `stop_server` | Partial | Graceful shutdown | P1 | PID verification |
| | `server_status` | Partial | Health check | P1 | Timeout handling |
| **Provision** | `provision_node` | Stub | NVS binary write | P2 | Serial validation |
| | `read_nvs` | Stub | NVS binary read | P2 | Parse validation |
---
## 2. Implementation Details
### 2.1 Discovery Module
**Dependencies:**
```toml
mdns-sd = "0.11"
serialport = "4.6"
tokio = { version = "1", features = ["net", "time"] }
```
**discover_nodes Implementation:**
```rust
pub async fn discover_nodes(timeout_ms: Option<u64>) -> Result<Vec<DiscoveredNode>, String> {
let timeout = Duration::from_millis(timeout_ms.unwrap_or(3000));
let mut nodes = Vec::new();
// 1. mDNS discovery (_ruview._tcp.local)
let mdns = ServiceDaemon::new()?;
let receiver = mdns.browse("_ruview._tcp.local.")?;
// 2. UDP broadcast probe (port 5005)
let socket = UdpSocket::bind("0.0.0.0:0").await?;
socket.set_broadcast(true)?;
socket.send_to(b"RUVIEW_DISCOVER", "255.255.255.255:5005").await?;
// 3. Collect responses with timeout
tokio::select! {
_ = collect_mdns(&receiver, &mut nodes) => {},
_ = collect_udp(&socket, &mut nodes) => {},
_ = tokio::time::sleep(timeout) => {},
}
Ok(nodes)
}
```
**list_serial_ports Implementation:**
```rust
pub async fn list_serial_ports() -> Result<Vec<SerialPortInfo>, String> {
let ports = serialport::available_ports()
.map_err(|e| format!("Failed to enumerate ports: {}", e))?;
Ok(ports.into_iter().map(|p| SerialPortInfo {
name: p.port_name,
vid: extract_vid(&p.port_type),
pid: extract_pid(&p.port_type),
manufacturer: extract_manufacturer(&p.port_type),
chip: detect_esp_chip(&p.port_type),
}).collect())
}
```
### 2.2 Flash Module
**Dependencies:**
```toml
espflash = "4.0"
tokio = { version = "1", features = ["sync"] }
```
**flash_firmware Implementation:**
```rust
pub async fn flash_firmware(
port: String,
firmware_path: String,
chip: Option<String>,
baud: Option<u32>,
app: AppHandle,
) -> Result<FlashResult, String> {
// 1. Validate firmware binary
let firmware = std::fs::read(&firmware_path)
.map_err(|e| format!("Cannot read firmware: {}", e))?;
validate_esp_binary(&firmware)?;
// 2. Open serial connection
let serial = serialport::new(&port, baud.unwrap_or(460800))
.timeout(Duration::from_secs(30))
.open()
.map_err(|e| format!("Cannot open {}: {}", port, e))?;
// 3. Connect to ESP bootloader
let mut flasher = Flasher::connect(serial, None, None)?;
// 4. Flash with progress callback
let start = Instant::now();
flasher.write_bin_to_flash(
0x0,
&firmware,
Some(&mut |current, total| {
let _ = app.emit("flash_progress", FlashProgress {
phase: "writing".into(),
progress_pct: (current as f32 / total as f32) * 100.0,
bytes_written: current as u64,
bytes_total: total as u64,
});
}),
)?;
Ok(FlashResult {
success: true,
message: "Flash complete".into(),
duration_secs: start.elapsed().as_secs_f64(),
})
}
```
### 2.3 OTA Module
**Dependencies:**
```toml
reqwest = { version = "0.12", features = ["multipart", "rustls-tls"] }
sha2 = "0.10"
```
**ota_update Implementation:**
```rust
pub async fn ota_update(
node_ip: String,
firmware_path: String,
psk: Option<String>,
) -> Result<OtaResult, String> {
// 1. Validate IP format
let ip: IpAddr = node_ip.parse()
.map_err(|_| "Invalid IP address")?;
// 2. Read and hash firmware
let firmware = tokio::fs::read(&firmware_path).await
.map_err(|e| format!("Cannot read firmware: {}", e))?;
let hash = Sha256::digest(&firmware);
// 3. Build multipart request
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(120))
.build()?;
let form = multipart::Form::new()
.part("firmware", multipart::Part::bytes(firmware)
.file_name("firmware.bin")
.mime_str("application/octet-stream")?);
// 4. Send with PSK auth header
let mut req = client.post(format!("http://{}:8032/ota", ip))
.multipart(form);
if let Some(key) = psk {
req = req.header("X-OTA-PSK", key);
}
let resp = req.send().await
.map_err(|e| format!("OTA request failed: {}", e))?;
if resp.status().is_success() {
Ok(OtaResult {
success: true,
node_ip: node_ip.clone(),
message: "OTA update initiated".into(),
})
} else {
Err(format!("OTA failed: {}", resp.status()))
}
}
```
**batch_ota_update Implementation:**
```rust
pub async fn batch_ota_update(
node_ips: Vec<String>,
firmware_path: String,
psk: Option<String>,
strategy: Option<String>,
) -> Result<Vec<OtaResult>, String> {
let firmware = Arc::new(tokio::fs::read(&firmware_path).await?);
let psk = Arc::new(psk);
let strategy = strategy.unwrap_or("sequential".into());
match strategy.as_str() {
"parallel" => {
// All at once (max 4 concurrent)
let semaphore = Arc::new(Semaphore::new(4));
let handles: Vec<_> = node_ips.into_iter().map(|ip| {
let fw = firmware.clone();
let key = psk.clone();
let sem = semaphore.clone();
tokio::spawn(async move {
let _permit = sem.acquire().await;
ota_single(&ip, &fw, key.as_ref().as_ref()).await
})
}).collect();
let results = futures::future::join_all(handles).await;
Ok(results.into_iter().filter_map(|r| r.ok()).collect())
}
"tdm_safe" => {
// One per TDM slot group with delays
let mut results = Vec::new();
for ip in node_ips {
results.push(ota_single(&ip, &firmware, psk.as_ref().as_ref()).await);
tokio::time::sleep(Duration::from_secs(5)).await;
}
Ok(results)
}
_ => {
// Sequential (default)
let mut results = Vec::new();
for ip in node_ips {
results.push(ota_single(&ip, &firmware, psk.as_ref().as_ref()).await);
}
Ok(results)
}
}
}
```
### 2.4 Server Module
**Dependencies:**
```toml
tokio = { version = "1", features = ["process"] }
sysinfo = "0.32"
```
**start_server Implementation:**
```rust
pub async fn start_server(
config: ServerConfig,
state: State<'_, AppState>,
) -> Result<(), String> {
// 1. Check if already running
{
let srv = state.server.lock().map_err(|e| e.to_string())?;
if srv.running {
return Err("Server already running".into());
}
}
// 2. Validate ports
validate_port(config.http_port.unwrap_or(8080))?;
validate_port(config.ws_port.unwrap_or(8765))?;
// 3. Spawn sensing server as child process
let child = Command::new("wifi-densepose-sensing-server")
.args([
"--http-port", &config.http_port.unwrap_or(8080).to_string(),
"--ws-port", &config.ws_port.unwrap_or(8765).to_string(),
"--udp-port", &config.udp_port.unwrap_or(5005).to_string(),
])
.spawn()
.map_err(|e| format!("Failed to start server: {}", e))?;
// 4. Update state
let mut srv = state.server.lock().map_err(|e| e.to_string())?;
srv.running = true;
srv.pid = Some(child.id());
srv.child = Some(child);
Ok(())
}
```
**stop_server Implementation:**
```rust
pub async fn stop_server(state: State<'_, AppState>) -> Result<(), String> {
let mut srv = state.server.lock().map_err(|e| e.to_string())?;
if let Some(mut child) = srv.child.take() {
// Graceful shutdown via SIGTERM
#[cfg(unix)]
{
use nix::sys::signal::{kill, Signal};
use nix::unistd::Pid;
let _ = kill(Pid::from_raw(child.id() as i32), Signal::SIGTERM);
}
// Wait up to 5s, then force kill
tokio::select! {
_ = child.wait() => {},
_ = tokio::time::sleep(Duration::from_secs(5)) => {
let _ = child.kill();
}
}
}
srv.running = false;
srv.pid = None;
Ok(())
}
```
### 2.5 WASM Module
**Dependencies:**
```toml
reqwest = { version = "0.12", features = ["json", "multipart"] }
```
**wasm_list Implementation:**
```rust
pub async fn wasm_list(node_ip: String) -> Result<Vec<WasmModuleInfo>, String> {
let client = reqwest::Client::new();
let resp = client.get(format!("http://{}:8080/api/wasm", node_ip))
.timeout(Duration::from_secs(5))
.send()
.await
.map_err(|e| format!("Request failed: {}", e))?;
if !resp.status().is_success() {
return Err(format!("Node returned {}", resp.status()));
}
let modules: Vec<WasmModuleInfo> = resp.json().await
.map_err(|e| format!("Invalid response: {}", e))?;
Ok(modules)
}
```
**wasm_upload Implementation:**
```rust
pub async fn wasm_upload(
node_ip: String,
wasm_path: String,
) -> Result<WasmUploadResult, String> {
// 1. Validate WASM binary
let wasm = tokio::fs::read(&wasm_path).await
.map_err(|e| format!("Cannot read WASM: {}", e))?;
if wasm.len() > 256 * 1024 {
return Err("WASM module exceeds 256KB limit".into());
}
if &wasm[0..4] != b"\0asm" {
return Err("Invalid WASM magic bytes".into());
}
// 2. Upload to node
let client = reqwest::Client::new();
let form = multipart::Form::new()
.part("module", multipart::Part::bytes(wasm)
.file_name(Path::new(&wasm_path).file_name().unwrap().to_string_lossy())
.mime_str("application/wasm")?);
let resp = client.post(format!("http://{}:8080/api/wasm", node_ip))
.multipart(form)
.timeout(Duration::from_secs(30))
.send()
.await?;
if resp.status().is_success() {
let result: WasmUploadResult = resp.json().await?;
Ok(result)
} else {
Err(format!("Upload failed: {}", resp.status()))
}
}
```
### 2.6 Provision Module
**Dependencies:**
```toml
nvs-partition-tool = "0.1" # Or implement NVS binary format
serialport = "4.6"
```
**provision_node Implementation:**
```rust
pub async fn provision_node(
port: String,
config: ProvisioningConfig,
) -> Result<ProvisionResult, String> {
// 1. Validate config
config.validate()?;
// 2. Build NVS binary blob
let nvs_blob = build_nvs_blob(&config)?;
// 3. Open serial port
let mut serial = serialport::new(&port, 115200)
.timeout(Duration::from_secs(10))
.open()
.map_err(|e| format!("Cannot open {}: {}", port, e))?;
// 4. Enter bootloader mode
enter_bootloader(&mut serial)?;
// 5. Write NVS partition (offset 0x9000, size 0x6000)
write_partition(&mut serial, 0x9000, &nvs_blob)?;
// 6. Reset device
reset_device(&mut serial)?;
Ok(ProvisionResult {
success: true,
message: "Provisioning complete".into(),
})
}
```
---
## 3. Security Hardening
### 3.1 Input Validation
```rust
// All string inputs sanitized
fn validate_ip(ip: &str) -> Result<IpAddr, String> {
ip.parse::<IpAddr>().map_err(|_| "Invalid IP address".into())
}
fn validate_port(port: u16) -> Result<(), String> {
if port < 1024 && port != 0 {
return Err("Privileged ports (1-1023) not allowed".into());
}
Ok(())
}
fn validate_path(path: &str) -> Result<PathBuf, String> {
let path = PathBuf::from(path);
if path.components().any(|c| c == std::path::Component::ParentDir) {
return Err("Path traversal detected".into());
}
Ok(path)
}
```
### 3.2 Network Security
```rust
// OTA PSK validation
fn validate_psk(psk: &str) -> Result<(), String> {
if psk.len() < 16 {
return Err("PSK must be at least 16 characters".into());
}
if !psk.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_') {
return Err("PSK contains invalid characters".into());
}
Ok(())
}
// Rate limiting for network operations
struct RateLimiter {
last_request: Instant,
min_interval: Duration,
}
impl RateLimiter {
fn check(&mut self) -> Result<(), String> {
if self.last_request.elapsed() < self.min_interval {
return Err("Rate limit exceeded".into());
}
self.last_request = Instant::now();
Ok(())
}
}
```
### 3.3 Binary Validation
```rust
fn validate_esp_binary(data: &[u8]) -> Result<(), String> {
// Check ESP binary magic (0xE9 at offset 0)
if data.is_empty() || data[0] != 0xE9 {
return Err("Invalid ESP firmware magic byte".into());
}
// Check minimum size (header + some code)
if data.len() < 256 {
return Err("Firmware too small".into());
}
// Check maximum size (4MB flash)
if data.len() > 4 * 1024 * 1024 {
return Err("Firmware exceeds flash size".into());
}
Ok(())
}
```
---
## 4. Performance Optimization
### 4.1 Async Everything
All I/O operations are async with proper timeouts:
```rust
// Timeout wrapper
async fn with_timeout<T, F: Future<Output = Result<T, String>>>(
future: F,
duration: Duration,
) -> Result<T, String> {
tokio::time::timeout(duration, future)
.await
.map_err(|_| "Operation timed out".into())?
}
```
### 4.2 Connection Pooling
```rust
// Reusable HTTP client
lazy_static! {
static ref HTTP_CLIENT: reqwest::Client = reqwest::Client::builder()
.pool_max_idle_per_host(5)
.pool_idle_timeout(Duration::from_secs(30))
.build()
.unwrap();
}
```
### 4.3 Streaming Progress
Flash and OTA operations stream progress via Tauri events:
```rust
// Real-time progress updates
app.emit("flash_progress", FlashProgress { ... })?;
app.emit("ota_progress", OtaProgress { ... })?;
```
---
## 5. Testing Strategy
### 5.1 Unit Tests
```rust
#[cfg(test)]
mod tests {
#[test]
fn test_validate_ip() {
assert!(validate_ip("192.168.1.1").is_ok());
assert!(validate_ip("invalid").is_err());
}
#[test]
fn test_validate_esp_binary() {
let valid = vec![0xE9; 1024];
assert!(validate_esp_binary(&valid).is_ok());
let invalid = vec![0x00; 1024];
assert!(validate_esp_binary(&invalid).is_err());
}
}
```
### 5.2 Integration Tests
```rust
#[tokio::test]
async fn test_discover_nodes_timeout() {
let result = discover_nodes(Some(100)).await;
assert!(result.is_ok());
// Should return empty or cached results within timeout
}
```
### 5.3 Mock Testing
```rust
// Mock serial port for flash tests
struct MockSerial {
responses: VecDeque<Vec<u8>>,
}
impl Read for MockSerial { ... }
impl Write for MockSerial { ... }
```
---
## 6. Dependencies Update
**Cargo.toml additions:**
```toml
[dependencies]
# Discovery
mdns-sd = "0.11"
serialport = "4.6"
# HTTP client
reqwest = { version = "0.12", features = ["json", "multipart", "rustls-tls"] }
# Crypto
sha2 = "0.10"
# Process management
sysinfo = "0.32"
# Async
tokio = { version = "1", features = ["full"] }
futures = "0.3"
# Flash
espflash = "4.0"
```
---
## 7. Implementation Timeline
| Week | Deliverable |
|------|-------------|
| 1 | Discovery + Serial ports (real enumeration) |
| 1 | Server start/stop (child process management) |
| 2 | Flash firmware (espflash integration) |
| 2 | OTA update (HTTP multipart) |
| 3 | Batch OTA (parallel + sequential strategies) |
| 3 | WASM management (list/upload/control) |
| 4 | Provision NVS (binary format) |
| 4 | Security audit + E2E testing |
---
## 8. Rollout Plan
1. **v0.3.1** — Settings fix + Discovery + Server
2. **v0.4.0** — Flash + OTA (single node)
3. **v0.5.0** — Batch OTA + WASM + Provision
4. **v1.0.0** — Full E2E tested, security audited
---
## Consequences
### Positive
- Desktop app becomes fully functional
- Real device management capabilities
- Production-ready security posture
- Async performance throughout
### Negative
- Additional dependencies increase binary size
- espflash adds ~2MB to binary
- Hardware required for full testing
### Neutral
- Feature parity with browser-based UI
- Same API contract as sensing server
---
## References
- [Tauri v2 Commands](https://v2.tauri.app/develop/commands/)
- [espflash Documentation](https://github.com/esp-rs/espflash)
- [ESP32 OTA Protocol](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/ota.html)
- [mDNS-SD Rust](https://docs.rs/mdns-sd/)
api-docs/adr/ADR-055-integrated-sensing-server.md
+119
View File
@@ -0,0 +1,119 @@
# ADR-055: Integrated Sensing Server in Desktop App
## Status
Accepted
## Context
The RuView Desktop application (ADR-054) requires the WiFi sensing server to provide real-time CSI data, activity detection, and vital signs monitoring. Currently, the sensing server is a separate binary (`wifi-densepose-sensing-server`) that must be installed separately and found in the system PATH.
This creates several problems:
1. **Distribution complexity**: Users must install two binaries
2. **Path issues**: Binary may not be in PATH, causing "No such file or directory" errors
3. **Version mismatch**: Server and desktop app versions may diverge
4. **Poor UX**: Error messages about missing binaries confuse users
## Decision
Bundle the sensing server binary inside the desktop application and provide intelligent binary discovery with clear fallback paths.
### Binary Discovery Order
The desktop app searches for the sensing server in this order:
1. **Custom path** from user settings (`server_path`)
2. **Bundled resources** (`Contents/Resources/bin/` on macOS)
3. **Next to executable** (same directory as the app binary)
4. **System PATH** (legacy fallback)
### Implementation
```rust
fn find_server_binary(app: &AppHandle, custom_path: Option<&str>) -> Result<String, String> {
// 1. Custom path from settings
if let Some(path) = custom_path {
if std::path::Path::new(path).exists() {
return Ok(path.to_string());
}
}
// 2. Bundled in resources
if let Ok(resource_dir) = app.path().resource_dir() {
let bundled = resource_dir.join("bin").join(DEFAULT_SERVER_BIN);
if bundled.exists() {
return Ok(bundled.to_string_lossy().to_string());
}
}
// 3. Next to executable
if let Ok(exe_path) = std::env::current_exe() {
if let Some(exe_dir) = exe_path.parent() {
let sibling = exe_dir.join(DEFAULT_SERVER_BIN);
if sibling.exists() {
return Ok(sibling.to_string_lossy().to_string());
}
}
}
// 4. System PATH
// ... which lookup ...
Err("Sensing server binary not found")
}
```
### Bundle Configuration
In `tauri.conf.json`:
```json
{
"bundle": {
"resources": [
{
"src": "../../target/release/wifi-densepose-sensing-server",
"target": "bin/wifi-densepose-sensing-server"
}
]
}
}
```
## Consequences
### Positive
- **Single package distribution**: Users download one DMG/MSI/EXE
- **Version alignment**: Server and UI always match
- **Better UX**: No PATH configuration required
- **Offline capable**: Works without network access to download server
### Negative
- **Larger bundle size**: ~10-15MB additional for server binary
- **Build complexity**: Must build server before bundling desktop
- **Platform-specific**: Need separate server binaries per platform
### Neutral
- CI/CD workflow updated to build server before desktop
- GitHub Actions builds all platforms (macOS arm64/x64, Windows x64)
## WebSocket Integration
The Sensing page connects to the bundled server's WebSocket endpoint:
- `ws://127.0.0.1:{ws_port}/ws/sensing` - Real-time CSI data stream
- `ws://127.0.0.1:{ws_port}/ws/pose` - Pose estimation stream
Message format:
```typescript
interface WsSensingUpdate {
type: string;
timestamp: number;
source: string;
tick: number;
nodes: WsNodeInfo[];
classification: { motion_level: string; presence: boolean; confidence: number };
vital_signs?: { breathing_rate_hz?: number; heart_rate_bpm?: number };
}
```
## Security Considerations
- Server binary signed with same certificate as desktop app
- Communication over localhost only (127.0.0.1)
- No external network access by default
- Process spawned as child of desktop app (inherits permissions)
## Related ADRs
- ADR-054: Desktop Full Implementation
- ADR-053: UI Design System
- ADR-052: Tauri Desktop Frontend
api-docs/adr/ADR-056-ruview-desktop-capabilities.md
+251
View File
@@ -0,0 +1,251 @@
# ADR-056: RuView Desktop Complete Capabilities Reference
## Status
Accepted
## Context
RuView Desktop is a comprehensive WiFi-based sensing platform that combines hardware management, real-time signal processing, neural network inference, and intelligent monitoring. This ADR documents all integrated capabilities across the desktop application and underlying crates.
## Decision
The RuView Desktop application consolidates all WiFi-DensePose functionality into a single, unified interface with the following capabilities.
---
## 1. Hardware Management
### 1.1 Node Discovery
- **mDNS discovery**: Automatic detection of ESP32 nodes via Bonjour/Avahi
- **UDP probe**: Direct UDP broadcast discovery on port 5005
- **HTTP sweep**: Sequential IP scanning with health checks
- **Manual registration**: User-defined node configuration
### 1.2 Firmware Flashing
- **Serial flashing**: Direct USB flash via espflash integration
- **Chip detection**: Automatic ESP32/S2/S3/C3/C6 identification
- **Progress monitoring**: Real-time progress with speed metrics
- **Verification**: Post-flash integrity verification
### 1.3 OTA Updates
- **Single-node OTA**: HTTP-based firmware push to individual nodes
- **Batch OTA**: Coordinated multi-node updates with strategies:
- `sequential`: One node at a time
- `tdm_safe`: Respects TDM slot timing
- `parallel`: Concurrent updates with throttling
- **Rollback support**: Automatic rollback on verification failure
- **Version tracking**: Pre/post version comparison
### 1.4 Node Configuration
- **NVS provisioning**: WiFi credentials, node ID, TDM slot assignment
- **Mesh configuration**: Coordinator/node/aggregator role assignment
- **TDM scheduling**: Time-division multiplexing slot allocation
---
## 2. Sensing Server
### 2.1 Data Sources
- **ESP32 CSI**: Real UDP frames from ESP32 hardware (port 5005)
- **Windows WiFi**: Native Windows RSSI monitoring via netsh
- **Simulation**: Synthetic data generation for demo/testing
- **Auto**: Automatic source detection based on available hardware
### 2.2 Real-Time Processing
- **CSI pipeline**: 56-subcarrier amplitude/phase extraction
- **FFT analysis**: Spectral decomposition for motion detection
- **Vital signs**: Breathing rate (0.1-0.5 Hz), heart rate (0.8-2.0 Hz)
- **Motion classification**: still/walking/running/exercising
- **Presence detection**: Binary presence with confidence score
### 2.3 WebSocket Streaming
- **Sensing endpoint**: `ws://localhost:8765/ws/sensing`
- **Pose endpoint**: `ws://localhost:8765/ws/pose`
- **Real-time broadcast**: 10-100 Hz update rate
- **Multi-client support**: Concurrent WebSocket connections
### 2.4 REST API
- **Health check**: `GET /health`
- **Status**: `GET /api/status`
- **Recording control**: `POST /api/recording/start|stop`
- **Model management**: `GET/POST /api/models`
---
## 3. Neural Network Inference
### 3.1 Model Formats
- **RVF (RuVector Format)**: Proprietary binary container with:
- Model weights (quantized f32/f16/i8)
- Vital sign configuration
- SONA environment profiles
- Training provenance
- Cryptographic attestation
### 3.2 Inference Capabilities
- **Pose estimation**: 17 COCO keypoints from WiFi CSI
- **Activity recognition**: Multi-class classification
- **Vital signs**: Breathing and heart rate extraction
- **Multi-person detection**: Up to 3 simultaneous subjects
### 3.3 Self-Learning (SONA)
- **Environment adaptation**: LoRA-based fine-tuning to room geometry
- **Profile switching**: Multiple learned environment profiles
- **Online learning**: Continuous adaptation during runtime
- **Transfer learning**: Profile export/import between deployments
---
## 4. WASM Edge Modules
### 4.1 Module Management
- **Upload**: Deploy WASM modules to ESP32 nodes
- **Start/Stop**: Runtime control of edge processing
- **Status monitoring**: CPU, memory, execution count
- **Hot reload**: Update modules without node reboot
### 4.2 Supported Operations
- **Local filtering**: On-device noise reduction
- **Feature extraction**: Pre-compute features at edge
- **Compression**: Reduce data before transmission
- **Custom logic**: User-defined processing pipelines
---
## 5. Mesh Visualization
### 5.1 Network Topology
- **Live mesh view**: Real-time node connectivity graph
- **Signal quality**: RSSI/SNR visualization per link
- **Latency monitoring**: Round-trip time measurement
- **Packet loss**: Delivery success rate tracking
### 5.2 CSI Visualization
- **Amplitude heatmap**: Per-subcarrier amplitude display
- **Phase unwrapping**: Continuous phase visualization
- **Spectrogram**: Time-frequency representation
- **Signal field**: 3D voxel grid of RF perturbations
---
## 6. Training & Export
### 6.1 Dataset Management
- **Recording**: Capture CSI frames with annotations
- **Labeling**: Activity and pose ground truth
- **Augmentation**: Synthetic data generation
- **Export**: Standard formats (JSON, CSV, NumPy)
### 6.2 Training Pipeline (ADR-023)
- **Contrastive pretraining**: Self-supervised feature learning
- **Supervised fine-tuning**: Labeled pose estimation
- **SONA adaptation**: Environment-specific tuning
- **Validation**: Cross-environment testing
### 6.3 Export Formats
- **RVF container**: Production deployment format
- **ONNX**: Interoperability with external tools
- **PyTorch**: Research and experimentation
- **Candle**: Rust-native inference
---
## 7. Security Features
### 7.1 Network Security
- **OTA PSK**: Pre-shared key for firmware updates
- **Node authentication**: MAC-based node verification
- **Encrypted transport**: Optional TLS for API endpoints
### 7.2 Code Signing
- **Firmware verification**: Hash-based integrity checks
- **WASM attestation**: Module signature validation
- **Model provenance**: Training lineage tracking
---
## 8. Configuration & Settings
### 8.1 Server Configuration
- **Ports**: HTTP (8080), WebSocket (8765), UDP (5005)
- **Bind address**: Localhost or network-wide
- **Data source**: auto/wifi/esp32/simulate
- **Log level**: debug/info/warn/error
### 8.2 Application Settings
- **Theme**: Dark/light mode
- **Auto-discovery**: Periodic node scanning
- **Discovery interval**: Configurable scan frequency
- **UI customization**: Responsive layout options
---
## 9. Crate Architecture
| Crate | Capabilities |
|-------|-------------|
| `wifi-densepose-core` | CSI frame primitives, traits, error types |
| `wifi-densepose-signal` | FFT, phase unwrapping, vital signs, RuvSense |
| `wifi-densepose-nn` | ONNX/PyTorch/Candle inference backends |
| `wifi-densepose-train` | Training pipeline, dataset, metrics |
| `wifi-densepose-mat` | Mass casualty assessment tool |
| `wifi-densepose-hardware` | ESP32 protocol, TDM, channel hopping |
| `wifi-densepose-ruvector` | Cross-viewpoint fusion, attention |
| `wifi-densepose-api` | REST API (Axum) |
| `wifi-densepose-db` | Postgres/SQLite/Redis persistence |
| `wifi-densepose-config` | Configuration management |
| `wifi-densepose-wasm` | Browser WASM bindings |
| `wifi-densepose-cli` | Command-line interface |
| `wifi-densepose-sensing-server` | Real-time sensing server |
| `wifi-densepose-wifiscan` | Multi-BSSID scanning |
| `wifi-densepose-vitals` | Vital sign extraction |
| `wifi-densepose-desktop` | Tauri desktop application |
---
## 10. UI Design System (ADR-053)
### 10.1 Pages
- **Dashboard**: Overview, node status, quick actions
- **Discovery**: Network scanning interface
- **Nodes**: Node management and configuration
- **Flash**: Serial firmware flashing
- **OTA**: Over-the-air update management
- **Edge Modules**: WASM deployment
- **Sensing**: Real-time monitoring with server control
- **Mesh View**: Network topology visualization
- **Settings**: Application configuration
### 10.2 Components
- **StatusBadge**: Health indicator
- **NodeCard**: Node information display
- **LogViewer**: Real-time log streaming
- **ActivityFeed**: Sensing data visualization
- **ProgressBar**: Operation progress
- **ConfigForm**: Settings input
---
## Consequences
### Positive
- **Unified interface**: All capabilities in one application
- **Bundled deployment**: Single package with server included
- **Real-time feedback**: WebSocket-based live updates
- **Cross-platform**: macOS, Windows, Linux support
- **Extensible**: WASM modules, custom models, API access
### Negative
- **Larger bundle**: ~6MB app + ~2.6MB server
- **Complexity**: Many features require learning curve
- **Hardware dependency**: Full functionality requires ESP32 nodes
### Neutral
- Documentation required for all features
- Training materials needed for advanced capabilities
- Community contributions welcome
## Related ADRs
- ADR-053: UI Design System
- ADR-054: Desktop Full Implementation
- ADR-055: Integrated Sensing Server
- ADR-023: 8-Phase Training Pipeline
- ADR-016: RuVector Integration
api-docs/adr/ADR-057-firmware-csi-build-guard.md
+82
View File
@@ -0,0 +1,82 @@
# ADR-057: Firmware CSI Build Guard and sdkconfig.defaults
| Field | Value |
|-------------|---------------------------------------------|
| **Status** | Accepted |
| **Date** | 2026-03-12 |
| **Authors** | ruv |
| **Issues** | #223, #238, #234, #210, #190 |
## Context
Multiple GitHub issues (#223, #238, #234, #210, #190) report firmware problems
that fall into two categories:
1. **CSI not enabled at runtime** — The committed `sdkconfig` had
`# CONFIG_ESP_WIFI_CSI_ENABLED is not set` (line 1135), meaning users who
built from source or used pre-built binaries got the runtime error:
`E (6700) wifi:CSI not enabled in menuconfig!`
Root cause: `sdkconfig.defaults.template` existed with the correct setting
(`CONFIG_ESP_WIFI_CSI_ENABLED=y`) but ESP-IDF only reads
`sdkconfig.defaults` — not `.template` suffixed files. No `sdkconfig.defaults`
file was committed.
2. **Unsupported ESP32 variants** — Users attempting to use original ESP32
(D0WD) and ESP32-C3 boards. The firmware targets ESP32-S3 only
(`CONFIG_IDF_TARGET="esp32s3"`, Xtensa architecture) and this was not
surfaced clearly enough in documentation or build errors.
## Decision
### Fix 1: Commit `sdkconfig.defaults` (not just template)
Copy `sdkconfig.defaults.template``sdkconfig.defaults` so that ESP-IDF
applies the correct defaults (including `CONFIG_ESP_WIFI_CSI_ENABLED=y`)
automatically when `sdkconfig` is regenerated.
### Fix 2: `#error` compile-time guard in `csi_collector.c`
Add a preprocessor guard:
```c
#ifndef CONFIG_ESP_WIFI_CSI_ENABLED
#error "CONFIG_ESP_WIFI_CSI_ENABLED must be set in sdkconfig."
#endif
```
This turns a confusing runtime crash into a clear compile-time error with
instructions on how to fix it.
### Fix 3: Fix committed `sdkconfig`
Change line 1135 from `# CONFIG_ESP_WIFI_CSI_ENABLED is not set` to
`CONFIG_ESP_WIFI_CSI_ENABLED=y`.
## Consequences
- **Positive**: New builds will always have CSI enabled. Users building from
source will get a clear compile error if CSI is somehow disabled.
- **Positive**: Pre-built release binaries will include CSI support.
- **Neutral**: Original ESP32 and ESP32-C3 remain unsupported. This is by
design — only ESP32-S3 has the CSI API surface we depend on. Future ADRs
may address multi-target support if demand warrants it.
- **Negative**: None identified.
## Hardware Support Matrix
| Variant | CSI Support | Firmware Target | Status |
|--------------|-------------|-----------------|---------------|
| ESP32-S3 | Yes | Yes | Supported |
| ESP32 (orig) | Partial | No | Unsupported |
| ESP32-C3 | Yes (IDF 5.1+) | No | Unsupported |
| ESP32-C6 | Yes | No | Unsupported |
## Notes
- ESP32-C3 and C6 use RISC-V architecture; a separate build target
(`idf.py set-target esp32c3`) would be needed.
- Original ESP32 has limited CSI (no STBC HT-LTF2, fewer subcarriers).
- Users on unsupported hardware can still write custom firmware using the
ADR-018 binary frame format (magic `0xC5110001`) for interop with the
Rust aggregator.
api-docs/adr/ADR-058-ruvector-wasm-browser-pose-example.md
+392
View File
@@ -0,0 +1,392 @@
# ADR-058: Dual-Modal WASM Browser Pose Estimation — Live Video + WiFi CSI Fusion
- **Status**: Proposed
- **Date**: 2026-03-12
- **Deciders**: ruv
- **Tags**: wasm, browser, cnn, pose-estimation, ruvector, video, multimodal, fusion
## Context
WiFi-DensePose estimates human poses from WiFi CSI (Channel State Information).
The `ruvector-cnn` crate provides a pure Rust CNN (MobileNet-V3) with WASM bindings.
Both modalities exist independently — what's missing is **fusing live webcam video
with WiFi CSI** in a single browser demo to achieve robust pose estimation that
works even when one modality degrades (occlusion, signal noise, poor lighting).
Existing assets:
1. **`wifi-densepose-wasm`** — CSI signal processing compiled to WASM
2. **`wifi-densepose-sensing-server`** — Axum server streaming live CSI via WebSocket
3. **`ruvector-cnn`** — Pure Rust CNN with MobileNet-V3 backbones, SIMD, contrastive learning
4. **`ruvector-cnn-wasm`** — wasm-bindgen bindings: `WasmCnnEmbedder`, `SimdOps`, `LayerOps`, contrastive losses
5. **`vendor/ruvector/examples/wasm-vanilla/`** — Reference vanilla JS WASM example
Research shows multi-modal fusion (camera + WiFi) significantly outperforms either alone:
- Camera fails under occlusion, poor lighting, privacy constraints
- WiFi CSI fails with signal noise, multipath, low spatial resolution
- Fusion compensates: WiFi provides through-wall coverage, camera provides fine-grained detail
## Decision
Build a **dual-modal browser demo** at `examples/wasm-browser-pose/` that:
1. Captures **live webcam video** via `getUserMedia` API
2. Receives **live WiFi CSI** via WebSocket from the sensing server
3. Processes **both streams** through separate CNN pipelines in `ruvector-cnn-wasm`
4. **Fuses embeddings** with learned attention weights for combined pose estimation
5. Renders **video overlay** with skeleton + WiFi confidence heatmap on Canvas
6. Runs entirely in the browser — all inference client-side via WASM
### Architecture
```
┌──────────────────────────────────────────────────────────────────┐
│ Browser │
│ │
│ ┌────────────┐ ┌────────────────┐ ┌───────────────────┐ │
│ │ getUserMedia│───▶│ Video Frame │───▶│ CNN WASM │ │
│ │ (Webcam) │ │ Capture │ │ (Visual Embedder) │ │
│ └────────────┘ │ 224×224 RGB │ │ → 512-dim │ │
│ └────────────────┘ └────────┬──────────┘ │
│ │ │
│ visual_embedding │
│ │ │
│ ┌──────▼──────┐ │
│ ┌────────────┐ ┌────────────────┐ │ │ │
│ │ WebSocket │───▶│ CSI WASM │ │ Attention │ │
│ │ Client │ │ (densepose- │ │ Fusion │ │
│ │ │ │ wasm) │ │ Module │ │
│ └────────────┘ └───────┬────────┘ │ │ │
│ │ └──────┬──────┘ │
│ ┌───────▼────────┐ │ │
│ │ CNN WASM │ fused_embedding │
│ │ (CSI Embedder) │ │ │
│ │ → 512-dim │ ┌──────▼──────┐ │
│ └───────┬────────┘ │ Pose │ │
│ │ │ Decoder │ │
│ csi_embedding │ → 17 kpts │ │
│ │ └──────┬──────┘ │
│ └──────────────────────┘ │
│ │ │
│ ┌──────────────┐ ┌─────▼──────┐ │
│ │ Video Canvas │◀────────│ Overlay │ │
│ │ + Skeleton │ │ Renderer │ │
│ │ + Heatmap │ └────────────┘ │
│ └──────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────┘
▲ ▲
│ getUserMedia │ WebSocket
│ (camera) │ (ws://host:3030/ws/csi)
│ │
┌────┴────┐ ┌───────┴─────────┐
│ Webcam │ │ Sensing Server │
└─────────┘ └─────────────────┘
```
### Dual Pipeline Design
Two parallel CNN pipelines run on each frame tick (~30 FPS):
| Pipeline | Input | Preprocessing | CNN Config | Output |
|----------|-------|---------------|------------|--------|
| **Visual** | Webcam frame (640×480) | Resize to 224×224 RGB, ImageNet normalize | MobileNet-V3 Small, 512-dim | Visual embedding |
| **CSI** | CSI frame (ADR-018 binary) | Amplitude/phase/delta → 224×224 pseudo-RGB | MobileNet-V3 Small, 512-dim | CSI embedding |
Both use the same `WasmCnnEmbedder` but with separate instances and weight sets.
### Fusion Strategy
**Learned attention-weighted fusion** combines the two 512-dim embeddings:
```javascript
// Attention fusion: learn which modality to trust per-dimension
// α ∈ [0,1]^512 — attention weights (shipped as JSON, trained offline)
// visual_emb, csi_emb ∈ R^512
function fuseEmbeddings(visual_emb, csi_emb, attention_weights) {
const fused = new Float32Array(512);
for (let i = 0; i < 512; i++) {
const α = attention_weights[i];
fused[i] = α * visual_emb[i] + (1 - α) * csi_emb[i];
}
return fused;
}
```
**Dynamic confidence gating** adjusts fusion based on signal quality:
| Condition | Behavior |
|-----------|----------|
| Good video + good CSI | Balanced fusion (α ≈ 0.5) |
| Poor lighting / occlusion | CSI-dominant (α → 0, WiFi takes over) |
| CSI noise / no ESP32 | Video-dominant (α → 1, camera only) |
| Video-only mode (no WiFi) | α = 1.0, pure visual CNN pose estimation |
| CSI-only mode (no camera) | α = 0.0, pure WiFi pose estimation |
Quality detection:
- **Video quality**: Frame brightness variance (dark = low quality), motion blur score
- **CSI quality**: Signal-to-noise ratio from `wifi-densepose-wasm`, coherence gate output
### CSI-to-Image Encoding
CSI data encoded as 3-channel pseudo-image for the CSI CNN pipeline:
| Channel | Data | Normalization |
|---------|------|---------------|
| R | CSI amplitude (subcarrier × time window) | Min-max to [0, 255] |
| G | CSI phase (unwrapped, subcarrier × time window) | Min-max to [0, 255] |
| B | Temporal difference (frame-to-frame Δ amplitude) | Abs, min-max to [0, 255] |
### Video Processing
Webcam frames processed through standard ImageNet pipeline:
```javascript
// Capture frame from video element
const frame = captureVideoFrame(videoElement, 224, 224); // Returns Uint8Array RGB
// ImageNet normalization happens inside WasmCnnEmbedder.extract()
const visual_embedding = visual_embedder.extract(frame, 224, 224);
```
### Pose Keypoint Mapping
17 COCO-format keypoints decoded from the fused 512-dim embedding:
```
0: nose 1: left_eye 2: right_eye
3: left_ear 4: right_ear 5: left_shoulder
6: right_shoulder 7: left_elbow 8: right_elbow
9: left_wrist 10: right_wrist 11: left_hip
12: right_hip 13: left_knee 14: right_knee
15: left_ankle 16: right_ankle
```
Each keypoint decoded as (x, y, confidence) = 51 values from the 512-dim embedding
via a learned linear projection.
### Operating Modes
The demo supports three modes, selectable in the UI:
| Mode | Video | CSI | Fusion | Use Case |
|------|-------|-----|--------|----------|
| **Dual (default)** | ✅ | ✅ | Attention-weighted | Best accuracy, full demo |
| **Video Only** | ✅ | ❌ | α = 1.0 | No ESP32 available, quick demo |
| **CSI Only** | ❌ | ✅ | α = 0.0 | Privacy mode, through-wall sensing |
**Video Only mode works without any hardware** — just a webcam — making the demo
instantly accessible for anyone wanting to try it.
### File Layout
```
examples/wasm-browser-pose/
├── index.html # Single-page app (vanilla JS, no bundler)
├── js/
│ ├── app.js # Main entry, mode selection, orchestration
│ ├── video-capture.js # getUserMedia, frame extraction, quality detection
│ ├── csi-processor.js # WebSocket CSI client, frame parsing, pseudo-image encoding
│ ├── fusion.js # Attention-weighted embedding fusion, confidence gating
│ ├── pose-decoder.js # Fused embedding → 17 keypoints
│ └── canvas-renderer.js # Video overlay, skeleton, CSI heatmap, confidence bars
├── data/
│ ├── visual-weights.json # Visual CNN → embedding projection (placeholder until trained)
│ ├── csi-weights.json # CSI CNN → embedding projection (placeholder until trained)
│ ├── fusion-weights.json # Attention fusion α weights (512 values)
│ └── pose-weights.json # Fused embedding → keypoint projection
├── css/
│ └── style.css # Dark theme UI styling
├── pkg/ # Built WASM packages (gitignored, built by script)
│ ├── wifi_densepose_wasm/
│ └── ruvector_cnn_wasm/
├── build.sh # wasm-pack build script for both packages
└── README.md # Setup and usage instructions
```
### Build Pipeline
```bash
#!/bin/bash
# build.sh — builds both WASM packages into pkg/
set -e
# Build wifi-densepose-wasm (CSI processing)
wasm-pack build ../../v2/crates/wifi-densepose-wasm \
--target web --out-dir "$(pwd)/pkg/wifi_densepose_wasm" --no-typescript
# Build ruvector-cnn-wasm (CNN inference for both video and CSI)
wasm-pack build ../../vendor/ruvector/crates/ruvector-cnn-wasm \
--target web --out-dir "$(pwd)/pkg/ruvector_cnn_wasm" --no-typescript
echo "Build complete. Serve with: python3 -m http.server 8080"
```
### UI Layout
```
┌─────────────────────────────────────────────────────────┐
│ WiFi-DensePose — Live Dual-Modal Pose Estimation │
│ [Dual Mode ▼] [⚙ Settings] FPS: 28 ◉ Live │
├───────────────────────────┬─────────────────────────────┤
│ │ │
│ ┌───────────────────┐ │ ┌───────────────────┐ │
│ │ │ │ │ │ │
│ │ Video + Skeleton │ │ │ CSI Heatmap │ │
│ │ Overlay │ │ │ (amplitude × │ │
│ │ (main canvas) │ │ │ subcarrier) │ │
│ │ │ │ │ │ │
│ └───────────────────┘ │ └───────────────────┘ │
│ │ │
├───────────────────────────┴─────────────────────────────┤
│ Fusion Confidence: ████████░░ 78% │
│ Video: ██████████ 95% │ CSI: ██████░░░░ 61% │
├─────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────┐ │
│ │ Embedding Space (2D projection) │ │
│ │ · · · │ │
│ │ · · · · · · (color = pose cluster) │ │
│ │ · · · · │ │
│ └─────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────┤
│ Latency: Video 12ms │ CSI 8ms │ Fusion 1ms │ Total 21ms│
│ [▶ Record] [📷 Snapshot] [Confidence: ████ 0.6] │
└─────────────────────────────────────────────────────────┘
```
### WASM Module Structure
| Package | Source Crate | Provides | Size (est.) |
|---------|-------------|----------|-------------|
| `wifi_densepose_wasm` | `wifi-densepose-wasm` | CSI frame parsing, signal processing, feature extraction | ~200KB |
| `ruvector_cnn_wasm` | `ruvector-cnn-wasm` | `WasmCnnEmbedder` (×2 instances), `SimdOps`, `LayerOps`, contrastive losses | ~150KB |
Two `WasmCnnEmbedder` instances are created — one for video frames, one for CSI pseudo-images.
They share the same WASM module but have independent state.
### Browser API Requirements
| API | Purpose | Required | Fallback |
|-----|---------|----------|----------|
| `getUserMedia` | Webcam capture | For video mode | CSI-only mode |
| WebAssembly | CNN inference | Yes | None (hard requirement) |
| WASM SIMD128 | Accelerated inference | No | Scalar fallback (~2× slower) |
| WebSocket | CSI data stream | For CSI mode | Video-only mode |
| Canvas 2D | Rendering | Yes | None |
| `requestAnimationFrame` | Render loop | Yes | `setTimeout` fallback |
| ES Modules | Code organization | Yes | None |
Target: Chrome 89+, Firefox 89+, Safari 15+, Edge 89+
### Performance Budget
| Stage | Target Latency | Notes |
|-------|---------------|-------|
| Video frame capture + resize | <3ms | `drawImage` to offscreen canvas |
| Video CNN embedding | <15ms | 224×224 RGB → 512-dim |
| CSI receive + parse | <2ms | Binary WebSocket message |
| CSI pseudo-image encoding | <3ms | Amplitude/phase/delta channels |
| CSI CNN embedding | <15ms | 224×224 pseudo-RGB → 512-dim |
| Attention fusion | <1ms | Element-wise weighted sum |
| Pose decoding | <1ms | Linear projection |
| Canvas overlay render | <3ms | Video + skeleton + heatmap |
| **Total (dual mode)** | **<33ms** | **30 FPS capable** |
| **Total (video only)** | **<22ms** | **45 FPS capable** |
Note: Video and CSI CNN pipelines can run in parallel using Web Workers,
reducing dual-mode latency to ~max(15, 15) + 5 = ~20ms (50 FPS).
### Contrastive Learning Integration
The demo optionally shows real-time contrastive learning in the browser:
- **InfoNCE loss** (`WasmInfoNCELoss`): Compare video vs CSI embeddings for the same pose — trains cross-modal alignment
- **Triplet loss** (`WasmTripletLoss`): Push apart different poses, pull together same pose across modalities
- **SimdOps**: Accelerated dot products for real-time similarity computation
- **Embedding space panel**: Live 2D projection shows video and CSI embeddings converging when viewing the same person
### Relationship to Existing Crates
| Existing Crate | Role in This Demo |
|---------------|-------------------|
| `ruvector-cnn-wasm` | CNN inference for **both** video frames and CSI pseudo-images |
| `wifi-densepose-wasm` | CSI frame parsing and signal processing |
| `wifi-densepose-sensing-server` | WebSocket CSI data source |
| `wifi-densepose-core` | ADR-018 frame format definitions |
| `ruvector-cnn` | Underlying MobileNet-V3, layers, contrastive learning |
No new Rust crates are needed. The example is pure HTML/JS consuming existing WASM packages.
## Consequences
### Positive
- **Instant demo**: Video-only mode works with just a webcam — no ESP32 needed
- **Multi-modal showcase**: Demonstrates camera + WiFi fusion, the core innovation of the project
- **Graceful degradation**: Works with video-only, CSI-only, or both
- **Through-wall capability**: CSI mode shows pose estimation where cameras cannot reach
- **Zero-install**: Anyone with a browser can try it
- **Training data collection**: Can record paired (video, CSI) data for offline model training
- **Reusable**: JS modules embed directly in the Tauri desktop app's webview
### Negative
- **Model weights**: Requires offline-trained weights for visual CNN, CSI CNN, fusion, and pose decoder (~200KB total JSON)
- **WASM size**: Two WASM modules total ~350KB (acceptable)
- **No GPU**: CPU-only WASM inference; adequate at 224×224 but limits resolution scaling
- **Camera privacy**: Video mode requires camera permission (mitigated: CSI-only mode available)
- **Two CNN instances**: Memory footprint doubles vs single-modal (~10MB total, acceptable for desktop browsers)
### Risks
- **Cross-modal alignment**: Video and CSI embeddings must be trained jointly for fusion to work;
without proper training, fusion may be worse than either modality alone
- **Latency on mobile**: Dual CNN on mobile browsers may exceed 33ms; implement automatic quality reduction
- **WebSocket drops**: Network jitter → CSI frame gaps; buffer last 3 frames, interpolate missing data
## Implementation Plan
1. **Phase 1 — Scaffold**: File layout, build.sh, index.html shell, mode selector UI
2. **Phase 2 — Video pipeline**: getUserMedia → frame capture → CNN embedding → basic pose display
3. **Phase 3 — CSI pipeline**: WebSocket client → CSI parsing → pseudo-image → CNN embedding
4. **Phase 4 — Fusion**: Attention-weighted combination, confidence gating, mode switching
5. **Phase 5 — Pose decoder**: Linear projection with placeholder weights → 17 keypoints
6. **Phase 6 — Overlay renderer**: Video canvas with skeleton overlay, CSI heatmap panel
7. **Phase 7 — Training**: Use `wifi-densepose-train` to generate real weights for both CNNs + fusion + decoder
8. **Phase 8 — Contrastive demo**: Embedding space visualization, cross-modal similarity display
9. **Phase 9 — Web Workers**: Move CNN inference to workers for parallel video + CSI processing
10. **Phase 10 — Polish**: Recording, snapshots, adaptive quality, mobile optimization
## Alternatives Considered
### 1. CSI-Only (No Video)
Rejected: Misses the opportunity to show multi-modal fusion and makes the demo less
accessible (requires ESP32 hardware). Video-only mode as a fallback is strictly better.
### 2. Server-Side Video Inference
Rejected: Adds latency, requires webcam stream upload (privacy concern), and defeats
the WASM-first architecture. All inference must be client-side.
### 3. TensorFlow.js for Video, ruvector-cnn-wasm for CSI
Rejected: Would require two different ML frameworks. Using `ruvector-cnn-wasm` for both
keeps a single WASM module, unified embedding space, and simpler fusion.
### 4. Pre-recorded Video Demo
Rejected: Live webcam input is far more compelling for demonstrations.
Pre-recorded mode can be added as a secondary option.
### 5. React/Vue Framework
Rejected: Adds build tooling. Vanilla JS + ES modules keeps the demo self-contained.
## References
- [ADR-018: Binary CSI Frame Format](ADR-018-binary-csi-frame-format.md)
- [ADR-024: Contrastive CSI Embedding / AETHER](ADR-024-contrastive-csi-embedding.md)
- [ADR-055: Integrated Sensing Server](ADR-055-integrated-sensing-server.md)
- `vendor/ruvector/crates/ruvector-cnn/src/lib.rs` — CNN embedder implementation
- `vendor/ruvector/crates/ruvector-cnn-wasm/src/lib.rs` — WASM bindings
- `vendor/ruvector/examples/wasm-vanilla/index.html` — Reference vanilla JS WASM pattern
- Person-in-WiFi: Fine-grained Person Perception using WiFi (ICCV 2019) — camera+WiFi fusion precedent
- WiPose: Multi-Person WiFi Pose Estimation (TMC 2022) — cross-modal embedding approach
api-docs/adr/ADR-059-live-esp32-csi-pipeline.md
+83
View File
@@ -0,0 +1,83 @@
# ADR-059: Live ESP32 CSI Pipeline Integration
## Status
Accepted
## Date
2026-03-12
## Context
ADR-058 established a dual-modal browser demo combining webcam video and WiFi CSI for pose estimation. However, it used simulated CSI data. To demonstrate real-world capability, we need an end-to-end pipeline from physical ESP32 hardware through to the browser visualization.
The ESP32-S3 firmware (`firmware/esp32-csi-node/`) already supports CSI collection and UDP streaming (ADR-018). The sensing server (`wifi-densepose-sensing-server`) already supports UDP ingestion and WebSocket bridging. The missing piece was connecting these components and enabling the browser demo to consume live data.
## Decision
Implement a complete live CSI pipeline:
```
ESP32-S3 (CSI capture) → UDP:5005 → sensing-server (Rust/Axum) → WS:8765 → browser demo
```
### Components
1. **ESP32 Firmware** — Rebuilt with native Windows ESP-IDF v5.4.0 toolchain (no Docker). Configured for target network and PC IP via `sdkconfig`. Helper scripts added:
- `build_firmware.ps1` — Sets up IDF environment, cleans, builds, and flashes
- `read_serial.ps1` — Serial monitor with DTR/RTS reset capability
2. **Sensing Server**`wifi-densepose-sensing-server` started with:
- `--source esp32` — Expect real ESP32 UDP frames
- `--bind-addr 0.0.0.0` — Accept connections from any interface
- `--ui-path <path>` — Serve the demo UI via HTTP
3. **Browser Demo**`main.js` updated to auto-connect to `ws://localhost:8765/ws/sensing` on page load. Falls back to simulated CSI if the WebSocket is unavailable (GitHub Pages).
### Network Configuration
The ESP32 sends UDP packets to a configured target IP. If the PC's IP doesn't match the firmware's compiled target, a secondary IP alias can be added:
```powershell
# PowerShell (Admin)
New-NetIPAddress -IPAddress 192.168.1.100 -PrefixLength 24 -InterfaceAlias "Wi-Fi"
```
### Data Flow
| Stage | Protocol | Format | Rate |
|-------|----------|--------|------|
| ESP32 → Server | UDP | ADR-018 binary frame (magic `0xC5110001`, I/Q pairs) | ~100 Hz |
| Server → Browser | WebSocket | ADR-018 binary frame (forwarded) | ~10 Hz (tick-ms=100) |
| Browser decode | JavaScript | Float32 amplitude/phase arrays | Per frame |
### Build Environment (Windows)
ESP-IDF v5.4.0 on Windows requires:
- IDF_PATH pointing to the ESP-IDF framework
- IDF_TOOLS_PATH pointing to toolchain binaries
- MSYS/MinGW environment variables removed (ESP-IDF rejects them)
- Python venv from ESP-IDF tools for `idf.py` execution
The `build_firmware.ps1` script handles all of this automatically.
## Consequences
### Positive
- First end-to-end demonstration of real WiFi CSI → pose estimation in a browser
- No Docker required for firmware builds on Windows
- Demo gracefully degrades to simulated CSI when no server is available
- Same demo works on GitHub Pages (simulated) and locally (live ESP32)
### Negative
- ESP32 target IP is compiled into firmware; changing it requires a rebuild or NVS override
- Windows firewall may block UDP:5005; user must allow it
- Mixed content restrictions prevent HTTPS pages from connecting to ws:// (local only)
## Related
- [ADR-018](ADR-018-esp32-dev-implementation.md) — ESP32 CSI frame format and UDP streaming
- [ADR-058](ADR-058-ruvector-wasm-browser-pose-example.md) — Dual-modal WASM browser pose demo
- [ADR-039](ADR-039-edge-intelligence-framework.md) — Edge intelligence on ESP32
- Issue [#245](https://github.com/ruvnet/RuView/issues/245) — Tracking issue
api-docs/adr/ADR-060-provision-channel-mac-filter.md
+59
View File
@@ -0,0 +1,59 @@
# ADR-060: Provision Channel Override and MAC Address Filtering
- **Status:** Accepted
- **Date:** 2026-03-12
- **Issues:** [#247](https://github.com/ruvnet/RuView/issues/247), [#229](https://github.com/ruvnet/RuView/issues/229)
## Context
Two related provisioning gaps were reported by users:
1. **Channel mismatch (Issue #247):** The CSI collector initializes on the
Kconfig default channel (typically 6), even when the ESP32 connects to an AP
on a different channel (e.g. 11). On managed networks where the user cannot
change the router channel, this makes nodes undiscoverable. The
`provision.py` script has no `--channel` argument.
2. **Missing MAC filter (Issue #229):** The v0.2.0 release notes documented a
`--filter-mac` argument for `provision.py`, but it was never implemented.
The firmware's CSI callback accepts frames from all sources, causing signal
mixing in multi-AP environments.
## Decision
### Channel configuration
- Add `--channel` argument to `provision.py` that writes a `csi_channel` key
(u8) to NVS.
- In `nvs_config.c`, read the `csi_channel` key and override
`channel_list[0]` when present.
- In `csi_collector_init()`, after WiFi connects, auto-detect the AP channel
via `esp_wifi_sta_get_ap_info()` and use it as the default CSI channel when
no NVS override is set. This ensures the CSI collector always matches the
connected AP's channel without requiring manual provisioning.
### MAC address filtering
- Add `--filter-mac` argument to `provision.py` that writes a `filter_mac`
key (6-byte blob) to NVS.
- In `nvs_config.h`, add a `filter_mac[6]` field and `filter_mac_set` flag.
- In `nvs_config.c`, read the `filter_mac` blob from NVS.
- In the CSI callback (`wifi_csi_callback`), if `filter_mac_set` is true,
compare the source MAC from the received frame against the configured MAC
and drop non-matching frames.
### Provisioning flow
```
python provision.py --port COM7 --channel 11
python provision.py --port COM7 --filter-mac "AA:BB:CC:DD:EE:FF"
python provision.py --port COM7 --channel 11 --filter-mac "AA:BB:CC:DD:EE:FF"
```
## Consequences
- Users on managed networks can force the CSI channel to match their AP
- Multi-AP environments can filter CSI to a single source
- Auto-channel detection eliminates the most common misconfiguration
- Backward compatible: existing provisioned nodes without these keys behave
as before (use Kconfig default channel, accept all MACs)
api-docs/adr/ADR-061-qemu-esp32s3-firmware-testing.md
+1032
View File
File diff suppressed because it is too large Load Diff
api-docs/adr/ADR-062-qemu-swarm-configurator.md
+199
View File
@@ -0,0 +1,199 @@
# ADR-062: QEMU ESP32-S3 Swarm Configurator
| Field | Value |
|-------------|------------------------------------------------|
| **Status** | Accepted |
| **Date** | 2026-03-14 |
| **Authors** | RuView Team |
| **Relates** | ADR-061 (QEMU testing platform), ADR-060 (channel/MAC filter), ADR-018 (binary frame), ADR-039 (edge intel) |
## Glossary
| Term | Definition |
|------|-----------|
| Swarm | A group of N QEMU ESP32-S3 instances running simultaneously |
| Topology | How nodes are connected: star, mesh, line, ring |
| Role | Node function: `sensor` (collects CSI), `coordinator` (aggregates + forwards), `gateway` (bridges to host) |
| Scenario matrix | Cross-product of topology × node count × NVS config × mock scenario |
| Health oracle | Python process that monitors all node UART logs and declares swarm health |
## Context
ADR-061 Layer 3 provides a basic multi-node mesh test: N identical nodes with sequential TDM slots connected via a Linux bridge. This is useful but limited:
1. **All nodes are identical** — real deployments have heterogeneous roles (sensor, coordinator, gateway)
2. **Single topology** — only fully-connected bridge; no star, line, or ring topologies
3. **No scenario variation per node** — all nodes run the same mock CSI scenario
4. **Manual configuration** — each test requires hand-editing env vars and arguments
5. **No swarm-level health monitoring** — validation checks individual nodes, not collective behavior
6. **No cross-node timing validation** — TDM slot ordering and inter-frame gaps aren't verified
Real WiFi-DensePose deployments use 3-8 ESP32-S3 nodes in various topologies. A single coordinator aggregates CSI from multiple sensors. The firmware must handle TDM conflicts, missing nodes, role-based behavior differences, and network partitions — none of which ADR-061 Layer 3 tests.
## Decision
Build a **QEMU Swarm Configurator** — a YAML-driven tool that defines multi-node test scenarios declaratively and orchestrates them under QEMU with swarm-level validation.
### Architecture
```
┌─────────────────────────────────────────────────────┐
│ swarm_config.yaml │
│ nodes: [{role: sensor, scenario: 2, channel: 6}] │
│ topology: star │
│ duration: 60s │
│ assertions: [all_nodes_boot, tdm_no_collision, ...] │
└──────────────────────┬──────────────────────────────┘
┌────────────▼────────────┐
│ qemu_swarm.py │
│ (orchestrator) │
└───┬────┬────┬───┬──────┘
│ │ │ │
┌────▼┐ ┌▼──┐ ▼ ┌▼────┐
│Node0│ │N1 │... │N(n-1)│ QEMU instances
│sens │ │sen│ │coord │
└──┬──┘ └─┬─┘ └──┬───┘
│ │ │
┌──▼──────▼─────────▼──┐
│ Virtual Network │ TAP bridge / SLIRP
│ (topology-shaped) │
└──────────┬───────────┘
┌──────────▼───────────┐
│ Aggregator (Rust) │ Collects frames
└──────────┬───────────┘
┌──────────▼───────────┐
│ Health Oracle │ Swarm-level assertions
│ (swarm_health.py) │
└──────────────────────┘
```
### YAML Configuration Schema
```yaml
# swarm_config.yaml
swarm:
name: "3-sensor-star"
duration_s: 60
topology: star # star | mesh | line | ring
aggregator_port: 5005
nodes:
- role: coordinator
node_id: 0
scenario: 0 # empty room (baseline)
channel: 6
edge_tier: 2
is_gateway: true # receives aggregated frames
- role: sensor
node_id: 1
scenario: 2 # walking person
channel: 6
tdm_slot: 1 # TDM slot index (auto-assigned from node position if omitted)
- role: sensor
node_id: 2
scenario: 3 # fall event
channel: 6
tdm_slot: 2
assertions:
- all_nodes_boot
- no_crashes
- tdm_no_collision
- all_nodes_produce_frames
- coordinator_receives_from_all
- fall_detected_by_node_2
- frame_rate_above: 15 # Hz minimum per node
- max_boot_time_s: 10
```
### Topologies
| Topology | Network | Description |
|----------|---------|-------------|
| `star` | All sensors connect to coordinator; coordinator has TAP to each sensor | Hub-and-spoke, most common |
| `mesh` | All nodes on same bridge (existing Layer 3 behavior) | Every node sees every other |
| `line` | Node 0 ↔ Node 1 ↔ Node 2 ↔ ... | Linear chain, tests multi-hop |
| `ring` | Like line but last connects to first | Circular, tests routing |
### Node Roles
| Role | Behavior | NVS Keys |
|------|----------|----------|
| `sensor` | Runs mock CSI, sends frames to coordinator | `node_id`, `tdm_slot`, `target_ip` |
| `coordinator` | Receives frames from sensors, runs edge aggregation | `node_id`, `tdm_slot=0`, `edge_tier=2` |
| `gateway` | Like coordinator but also bridges to host UDP | `node_id`, `target_ip=host`, `is_gateway=1` |
### Assertions (Swarm-Level)
| Assertion | What It Checks |
|-----------|---------------|
| `all_nodes_boot` | Every node's UART log shows boot indicators within timeout |
| `no_crashes` | No Guru Meditation, assert, panic in any log |
| `tdm_no_collision` | No two nodes transmit in the same TDM slot |
| `all_nodes_produce_frames` | Every sensor node's log contains CSI frame output |
| `coordinator_receives_from_all` | Coordinator log shows frames from each sensor's node_id |
| `fall_detected_by_node_N` | Node N's log reports a fall detection event |
| `frame_rate_above` | Each node produces at least N frames/second |
| `max_boot_time_s` | All nodes boot within N seconds |
| `no_heap_errors` | No OOM or heap corruption in any log |
| `network_partitioned_recovery` | After deliberate partition, nodes resume communication (future) |
### Preset Configurations
| Preset | Nodes | Topology | Purpose |
|--------|-------|----------|---------|
| `smoke` | 2 | star | Quick CI smoke test (15s) |
| `standard` | 3 | star | Default 3-node (sensor + sensor + coordinator) |
| `large-mesh` | 6 | mesh | Scale test with 6 fully-connected nodes |
| `line-relay` | 4 | line | Multi-hop relay chain |
| `ring-fault` | 4 | ring | Ring with fault injection mid-test |
| `heterogeneous` | 5 | star | Mixed scenarios: walk, fall, static, channel-sweep, empty |
| `ci-matrix` | 3 | star | CI-optimized preset (30s, minimal assertions) |
## File Layout
```
scripts/
├── qemu_swarm.py # Main orchestrator (CLI entry point)
├── swarm_health.py # Swarm-level health oracle
└── swarm_presets/
├── smoke.yaml
├── standard.yaml
├── large_mesh.yaml
├── line_relay.yaml
├── ring_fault.yaml
├── heterogeneous.yaml
└── ci_matrix.yaml
.github/workflows/
└── firmware-qemu.yml # MODIFIED: add swarm test job
```
## Consequences
### Benefits
1. **Declarative testing** — define swarm topology in YAML, not shell scripts
2. **Role-based nodes** — test coordinator/sensor/gateway interactions
3. **Topology variety** — star/mesh/line/ring match real deployment patterns
4. **Swarm-level assertions** — validate collective behavior, not just individual nodes
5. **Preset library** — quick CI smoke tests and thorough manual validation
6. **Reproducible** — YAML configs are version-controlled and shareable
### Limitations
1. **Still requires root** for TAP bridge topologies (star, line, ring); mesh can use SLIRP
2. **QEMU resource usage** — 6+ QEMU instances use ~2GB RAM, may slow CI runners
3. **No real RF** — inter-node communication is IP-based, not WiFi CSI multipath
## References
- ADR-061: QEMU ESP32-S3 firmware testing platform (Layers 1-9)
- ADR-060: Channel override and MAC address filter provisioning
- ADR-018: Binary CSI frame format (magic `0xC5110001`)
- ADR-039: Edge intelligence pipeline (biquad, vitals, fall detection)
api-docs/adr/ADR-063-mmwave-sensor-fusion.md
+261
View File
@@ -0,0 +1,261 @@
# ADR-063: 60 GHz mmWave Sensor Fusion with WiFi CSI
**Status:** Proposed
**Date:** 2026-03-15
**Deciders:** @ruvnet
**Related:** ADR-014 (SOTA signal processing), ADR-021 (vital sign extraction), ADR-029 (RuvSense multistatic), ADR-039 (edge intelligence), ADR-042 (CHCI coherent sensing)
## Context
RuView currently senses the environment using WiFi CSI — a passive technique that analyzes how WiFi signals are disturbed by human presence and movement. While this works through walls and requires no line of sight, CSI-derived vital signs (breathing rate, heart rate) are inherently noisy because they rely on phase extraction from multipath-rich WiFi channels.
A complementary sensing modality exists: **60 GHz mmWave radar** modules (e.g., Seeed MR60BHA2) that use active FMCW radar at 60 GHz to measure breathing and heart rate with clinical-grade accuracy. These modules are inexpensive (~$15), run on ESP32-C6/C3, and output structured vital signs over UART.
**Live hardware capture (COM4, 2026-03-15)** from a Seeed MR60BHA2 on an ESP32-C6 running ESPHome:
```
[D][sensor:093]: 'Real-time respiratory rate': Sending state 22.00000
[D][sensor:093]: 'Real-time heart rate': Sending state 92.00000 bpm
[D][sensor:093]: 'Distance to detection object': Sending state 0.00000 cm
[D][sensor:093]: 'Target Number': Sending state 0.00000
[D][binary_sensor:036]: 'Person Information': Sending state OFF
[D][sensor:093]: 'Seeed MR60BHA2 Illuminance': Sending state 0.67913 lx
```
### The Opportunity
Fusing WiFi CSI with mmWave radar creates a sensor system that is greater than the sum of its parts:
| Capability | WiFi CSI Alone | mmWave Alone | Fused |
|-----------|---------------|-------------|-------|
| Through-wall sensing | Yes (5m+) | No (LoS only, ~3m) | Yes — CSI for room-scale, mmWave for precision |
| Heart rate accuracy | ±5-10 BPM | ±1-2 BPM | ±1-2 BPM (mmWave primary, CSI cross-validates) |
| Breathing accuracy | ±2-3 BPM | ±0.5 BPM | ±0.5 BPM |
| Presence detection | Good (adaptive threshold) | Excellent (range-gated) | Excellent + through-wall |
| Multi-person | Via subcarrier clustering | Via range-Doppler bins | Combined spatial + RF resolution |
| Fall detection | Phase acceleration | Range/velocity + micro-Doppler | Dual-confirm reduces false positives to near-zero |
| Pose estimation | Via trained model | Not available | CSI provides pose; mmWave provides ground-truth vitals for training |
| Coverage | Whole room (passive) | ~120° cone, 3m range | Full room + precision zone |
| Cost per node | ~$9 (ESP32-S3) | ~$15 (ESP32-C6 + MR60BHA2) | ~$24 combined |
### RuVector Integration Points
The RuVector v2.0.4 stack (already integrated per ADR-016) provides the signal processing backbone:
| RuVector Component | Role in mmWave Fusion |
|-------------------|----------------------|
| `ruvector-attention` (`bvp.rs`) | Blood Volume Pulse estimation — mmWave heart rate can calibrate the WiFi CSI BVP phase extraction |
| `ruvector-temporal-tensor` (`breathing.rs`) | Breathing rate estimation — mmWave provides ground-truth for adaptive filter tuning |
| `ruvector-solver` (`triangulation.rs`) | Multilateration — mmWave range-gated distance + CSI amplitude = 3D position |
| `ruvector-attn-mincut` (`spectrogram.rs`) | Time-frequency decomposition — mmWave Doppler complements CSI phase spectrogram |
| `ruvector-mincut` (`metrics.rs`, DynamicPersonMatcher) | Multi-person association — mmWave target IDs help disambiguate CSI subcarrier clusters |
### RuvSense Integration Points
The RuvSense multistatic sensing pipeline (ADR-029) gains new capabilities:
| RuvSense Module | mmWave Integration |
|----------------|-------------------|
| `pose_tracker.rs` (AETHER re-ID) | mmWave distance + velocity as additional re-ID features for Kalman tracker |
| `longitudinal.rs` (Welford stats) | mmWave vitals as reference signal for CSI drift detection |
| `intention.rs` (pre-movement) | mmWave micro-Doppler detects pre-movement 100-200ms earlier than CSI |
| `adversarial.rs` (consistency check) | mmWave provides independent signal to detect CSI spoofing/anomalies |
| `coherence_gate.rs` | mmWave presence as additional gate input — if mmWave says "no person", CSI coherence gate rejects |
### Cross-Viewpoint Fusion Integration
The viewpoint fusion pipeline (`ruvector/src/viewpoint/`) extends naturally:
| Viewpoint Module | mmWave Extension |
|-----------------|-----------------|
| `attention.rs` (CrossViewpointAttention) | mmWave range becomes a new "viewpoint" in the attention mechanism |
| `geometry.rs` (GeometricDiversityIndex) | mmWave cone geometry contributes to Fisher Information / Cramer-Rao bounds |
| `coherence.rs` (phase phasor) | mmWave phase coherence as validation for WiFi phasor coherence |
| `fusion.rs` (MultistaticArray) | mmWave node becomes a member of the multistatic array with its own domain events |
## Decision
Add 60 GHz mmWave radar sensor support to the RuView firmware and sensing pipeline with auto-detection and device-specific capabilities.
### Architecture
```
┌─────────────────────────────────────────────────────────┐
│ Sensing Node │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │
│ │ ESP32-S3 │ │ ESP32-C6 │ │ Combined │ │
│ │ WiFi CSI │ │ + MR60BHA2 │ │ S3 + UART │ │
│ │ (COM7) │ │ 60GHz mmWave │ │ mmWave │ │
│ │ │ │ (COM4) │ │ │ │
│ │ Passive │ │ Active radar │ │ Both modes │ │
│ │ Through-wall │ │ LoS, precise │ │ │ │
│ └──────┬───────┘ └──────┬───────┘ └─────┬──────┘ │
│ │ │ │ │
│ └────────┬───────────┘ │ │
│ ▼ │ │
│ ┌────────────────┐ │ │
│ │ Fusion Engine │◄──────────────────────┘ │
│ │ │ │
│ │ • Kalman fuse │ Vitals packet (extended): │
│ │ • Cross-validate│ magic 0xC5110004 │
│ │ • Ground-truth │ + mmwave_hr, mmwave_br │
│ │ calibration │ + mmwave_distance │
│ │ • Fall confirm │ + mmwave_target_count │
│ └────────────────┘ + confidence scores │
└─────────────────────────────────────────────────────────┘
```
### Three Deployment Modes
**Mode 1: Standalone CSI (existing)** — ESP32-S3 only, WiFi CSI sensing.
**Mode 2: Standalone mmWave** — ESP32-C6 + MR60BHA2, precise vitals in a single room.
**Mode 3: Fused (recommended)** — ESP32-S3 + mmWave module on UART, or two separate nodes with server-side fusion.
### Auto-Detection Protocol
The firmware will auto-detect connected mmWave modules at boot:
1. **UART probe** — On configured UART pins, send the MR60BHA2 identification command (`0x01 0x01 0x00 0x01 ...`) and check for valid response header
2. **Protocol detection** — Identify the sensor family:
- Seeed MR60BHA2 (breathing + heart rate)
- Seeed MR60FDA1 (fall detection)
- Seeed MR24HPC1 (presence + light sleep/deep sleep)
- HLK-LD2410 (presence + distance)
- HLK-LD2450 (multi-target tracking)
3. **Capability registration** — Register detected sensor capabilities in the edge config:
```c
typedef struct {
uint8_t mmwave_detected; /** 1 if mmWave module found on UART */
uint8_t mmwave_type; /** Sensor family (MR60BHA2, MR60FDA1, etc.) */
uint8_t mmwave_has_hr; /** Heart rate capability */
uint8_t mmwave_has_br; /** Breathing rate capability */
uint8_t mmwave_has_fall; /** Fall detection capability */
uint8_t mmwave_has_presence; /** Presence detection capability */
uint8_t mmwave_has_distance; /** Range measurement capability */
uint8_t mmwave_has_tracking; /** Multi-target tracking capability */
float mmwave_hr_bpm; /** Latest heart rate from mmWave */
float mmwave_br_bpm; /** Latest breathing rate from mmWave */
float mmwave_distance_cm; /** Distance to nearest target */
uint8_t mmwave_target_count; /** Number of detected targets */
bool mmwave_person_present;/** mmWave presence state */
} mmwave_state_t;
```
### Supported Sensors
| Sensor | Frequency | Capabilities | UART Protocol | Cost |
|--------|-----------|-------------|---------------|------|
| **Seeed MR60BHA2** | 60 GHz | HR, BR, presence, illuminance | Seeed proprietary frames | ~$15 |
| **Seeed MR60FDA1** | 60 GHz | Fall detection, presence | Seeed proprietary frames | ~$15 |
| **Seeed MR24HPC1** | 24 GHz | Presence, sleep stage, distance | Seeed proprietary frames | ~$10 |
| **HLK-LD2410** | 24 GHz | Presence, distance (motion + static) | HLK binary protocol | ~$3 |
| **HLK-LD2450** | 24 GHz | Multi-target tracking (x,y,speed) | HLK binary protocol | ~$5 |
### Fusion Algorithms
**1. Vital Sign Fusion (Kalman filter)**
```
mmWave HR (high confidence, 1 Hz) ─┐
├─► Kalman fuse → fused HR ± confidence
CSI-derived HR (lower confidence) ─┘
```
**2. Fall Detection (dual-confirm)**
```
CSI phase accel > thresh ──────┐
├─► AND gate → confirmed fall (near-zero false positives)
mmWave range-velocity pattern ─┘
```
**3. Presence Validation**
```
CSI adaptive threshold ────┐
├─► Weighted vote → robust presence
mmWave target count > 0 ──┘
```
**4. Training Calibration**
```
mmWave ground-truth vitals → train CSI BVP extraction model
mmWave distance → calibrate CSI triangulation
mmWave micro-Doppler → label CSI activity patterns
```
### Vitals Packet Extension
Extend the existing 32-byte vitals packet (magic `0xC5110002`) with a new 48-byte fused packet:
```c
typedef struct __attribute__((packed)) {
/* Existing 32-byte vitals fields */
uint32_t magic; /* 0xC5110004 (fused vitals) */
uint8_t node_id;
uint8_t flags; /* Bit0=presence, Bit1=fall, Bit2=motion, Bit3=mmwave_present */
uint16_t breathing_rate; /* Fused BPM * 100 */
uint32_t heartrate; /* Fused BPM * 10000 */
int8_t rssi;
uint8_t n_persons;
uint8_t mmwave_type; /* Sensor type enum */
uint8_t fusion_confidence;/* 0-100 fusion quality score */
float motion_energy;
float presence_score;
uint32_t timestamp_ms;
/* New mmWave fields (16 bytes) */
float mmwave_hr_bpm; /* Raw mmWave heart rate */
float mmwave_br_bpm; /* Raw mmWave breathing rate */
float mmwave_distance; /* Distance to nearest target (cm) */
uint8_t mmwave_targets; /* Target count */
uint8_t mmwave_confidence;/* mmWave signal quality 0-100 */
uint16_t reserved;
} edge_fused_vitals_pkt_t;
_Static_assert(sizeof(edge_fused_vitals_pkt_t) == 48, "fused vitals must be 48 bytes");
```
### NVS Configuration
New provisioning parameters:
```bash
python provision.py --port COM7 \
--mmwave-uart-tx 17 --mmwave-uart-rx 18 \ # UART pins for mmWave module
--mmwave-type auto \ # auto-detect, or: mr60bha2, ld2410, etc.
--fusion-mode kalman \ # kalman, vote, mmwave-primary, csi-primary
--fall-dual-confirm true # require both CSI + mmWave for fall alert
```
### Implementation Phases
| Phase | Scope | Effort |
|-------|-------|--------|
| **Phase 1** | UART driver + MR60BHA2 parser + auto-detection | 2 weeks |
| **Phase 2** | Fused vitals packet + Kalman vital sign fusion | 1 week |
| **Phase 3** | Dual-confirm fall detection + presence voting | 1 week |
| **Phase 4** | HLK-LD2410/LD2450 support + multi-target fusion | 2 weeks |
| **Phase 5** | RuVector calibration pipeline (mmWave as ground truth) | 3 weeks |
| **Phase 6** | Server-side fusion for separate CSI + mmWave nodes | 2 weeks |
## Consequences
### Positive
- Near-zero false positive fall detection (dual-confirm)
- Clinical-grade vital signs when mmWave is present, with CSI as fallback
- Self-calibrating CSI pipeline using mmWave ground truth
- Backward compatible — existing CSI-only nodes work unchanged
- Low incremental cost (~$3-15 per mmWave module)
- Auto-detection means zero configuration for supported sensors
- RuVector attention/solver/temporal-tensor modules gain a high-quality reference signal
### Negative
- Added firmware complexity (~2-3 KB RAM for mmWave state + UART buffer)
- mmWave modules require line-of-sight (complementary to CSI, not replacement)
- Multiple UART protocols to maintain (Seeed, HLK families)
- 48-byte fused packet requires server parser update
### Neutral
- ESP32-C6 cannot run the full CSI pipeline (single-core RISC-V) but can serve as a dedicated mmWave bridge node
- mmWave modules add ~15 mA power draw per node
api-docs/adr/ADR-064-multimodal-ambient-intelligence.md
+327
View File
@@ -0,0 +1,327 @@
# ADR-064: Multimodal Ambient Intelligence — WiFi CSI + mmWave + Environmental Sensors
**Status:** Proposed
**Date:** 2026-03-15
**Deciders:** @ruvnet
**Related:** ADR-063 (mmWave fusion), ADR-039 (edge intelligence), ADR-042 (CHCI), ADR-029 (RuvSense multistatic), ADR-024 (AETHER contrastive embeddings)
## Context
With ADR-063 we demonstrated real-time fusion of WiFi CSI (ESP32-S3, COM7) and 60 GHz mmWave radar (Seeed MR60BHA2 on ESP32-C6, COM4). The live capture showed:
- **mmWave**: HR 75 bpm, BR 25/min, presence at 52 cm, 1.4 Hz update
- **WiFi CSI**: Channel 5, RSSI -41, 20+ Hz frame rate, through-wall coverage
- **BH1750**: Ambient light 0.0-0.7 lux (room darkness level)
This ADR explores the full spectrum of what becomes possible when these modalities are combined — from immediately practical applications to speculative research directions.
---
## Tier 1: Practical (Build Now)
### 1.1 Intelligent Fall Detection with Zero False Positives
**Current state:** CSI-only fall detection with 15.0 rad/s² threshold (v0.4.3.1).
**With fusion:** mmWave confirms fall via range-velocity signature (sudden height drop + impact deceleration). CSI provides the alert; mmWave provides the confirmation.
```
CSI phase acceleration > 15 rad/s² ─┐
├─► AND gate + temporal correlation
mmWave: height drop > 50cm in <1s ──┘ → CONFIRMED FALL (call 911)
```
**Impact:** Elderly care facilities spend $34B/year on fall injuries. A $24 sensor node with zero false positives replaces $200/month medical alert wearables that residents forget to wear.
### 1.2 Sleep Quality Monitoring
**Sensors used:** mmWave (BR/HR), CSI (bed occupancy, movement), BH1750 (light)
| Metric | Source | Method |
|--------|--------|--------|
| Sleep onset | CSI motion → still transition | Phase variance drops below threshold |
| Sleep stages | mmWave BR variability | BR 12-20 = light sleep, 6-12 = deep sleep |
| REM detection | mmWave HR variability | HR variability increases during REM |
| Restlessness | CSI motion energy | Counts of motion episodes per hour |
| Room darkness | BH1750 | Correlate light exposure with sleep latency |
| Wake events | CSI + mmWave | Motion + HR spike = awakening |
**Output:** Sleep score (0-100), time in each stage, disturbance log.
**No wearable required.** Works through a mattress.
### 1.3 Occupancy-Aware HVAC and Lighting
**Sensors:** CSI (room-level presence through walls), mmWave (precise count + distance), BH1750 (ambient light)
- CSI detects which rooms are occupied (through walls, whole-floor sensing)
- mmWave counts exact number of people in the sensor's room
- BH1750 measures if lights are on/needed
- System sends MQTT/UDP commands to smart home controllers
**Energy savings:** 20-40% HVAC reduction by not heating/cooling empty rooms.
### 1.4 Bathroom Safety for Elderly
**Sensor placement:** One CSI node outside bathroom (through-wall), one mmWave inside.
- CSI detects person entered bathroom (through-wall)
- mmWave monitors vitals while showering (waterproof enclosure)
- If no movement for > N minutes AND HR drops: alert
- Fall detection in shower (slippery surface = high risk)
### 1.5 Baby/Infant Breathing Monitor
**mmWave at crib-side:** Contactless breathing monitoring at 0.5-1m range.
- BR < 10 or BR = 0 for > 20s: alarm (apnea detection)
- CSI provides room context (parent present? other motion?)
- BH1750 tracks night feeding times (light on/off events)
---
## Tier 2: Advanced (Research Prototype)
### 2.1 Gait Analysis and Fall Risk Prediction
**Method:** CSI tracks walking pattern across the room; mmWave measures stride length and velocity.
| Feature | Source | Clinical Use |
|---------|--------|-------------|
| Gait velocity | mmWave Doppler | < 0.8 m/s = fall risk indicator |
| Stride variability | CSI phase patterns | High variability = cognitive decline marker |
| Turning stability | CSI + mmWave | Difficulty turning = Parkinson's indicator |
| Get-up time | mmWave (sit→stand) | Timed Up and Go (TUG) test, contactless |
**Clinical value:** Gait velocity is called the "sixth vital sign" — it predicts hospitalization, cognitive decline, and mortality. Currently requires a $10,000 GAITRite mat. A $24 sensor node replaces it.
### 2.2 Emotion and Stress Detection via Micro-Vitals
**mmWave at desk:** Continuous HR variability (HRV) monitoring during work.
- **HRV time-domain:** SDNN, RMSSD from beat-to-beat intervals
- **HRV frequency-domain:** LF/HF ratio (sympathetic/parasympathetic balance)
- Low HF power = stress; high HF = relaxation
- CSI detects fidgeting, posture shifts (correlated with stress)
- BH1750 correlates lighting with mood/productivity
**Application:** Smart office that adjusts lighting, temperature, and notification frequency based on detected stress level.
### 2.3 Gesture Recognition as Room Control
**CSI:** Already has DTW template matching gesture classifier (`ruvsense/gesture.rs`).
**mmWave:** Adds range-Doppler micro-gesture detection (hand wave, swipe, circle).
- CSI recognizes gross gestures (wave arm, walk pattern)
- mmWave recognizes fine hand gestures (swipe left/right, push/pull)
- Fused: spatial context (CSI knows where you are) + precise gesture (mmWave knows what your hand did)
**Use case:** Wave at the sensor to turn off lights. Swipe to change music. No voice assistant, no camera, no wearable.
### 2.4 Respiratory Disease Screening
**mmWave BR patterns over days/weeks:**
| Pattern | Indicator |
|---------|-----------|
| BR > 20 at rest, trending up | Possible pneumonia/COVID |
| Periodic breathing (Cheyne-Stokes) | Heart failure |
| Obstructive apnea pattern | Sleep apnea (> 5 events/hour) |
| BR variability decrease | COPD exacerbation |
**CSI adds:** Cough detection (sudden phase disturbance pattern), movement reduction (malaise indicator).
**Longitudinal tracking** via `ruvsense/longitudinal.rs` (Welford stats, biomechanics drift detection) — the system learns your normal breathing pattern and alerts on deviations.
### 2.5 Multi-Room Activity Recognition
**3-6 CSI nodes (through walls) + 1-2 mmWave (key rooms):**
```
Kitchen (CSI): person detected, high motion → cooking
Living room (mmWave + CSI): 2 people, low motion, HR stable → watching TV
Bedroom (CSI): person detected, minimal motion → sleeping
Bathroom (CSI): person entered 3 min ago, still inside → OK
Front door (CSI): motion pattern = leaving/arriving
```
**Output:** Activity timeline, daily routine deviation alerts, loneliness detection (no visitors in N days).
---
## Tier 3: Speculative (Research Frontier)
### 3.1 Cardiac Arrhythmia Detection
**mmWave at < 1m range:** Beat-to-beat interval extraction from chest wall displacement.
- Atrial fibrillation: irregular R-R intervals (coefficient of variation > 0.1)
- Bradycardia/tachycardia: sustained HR < 60 or > 100
- Premature ventricular contractions: occasional short-long-short patterns
**Challenge:** Requires sub-millimeter displacement resolution. The MR60BHA2 may lack the SNR for single-beat extraction, but clinical-grade 60 GHz modules (Infineon BGT60TR13C) can achieve this.
**CSI role:** Validates that the person is stationary (motion corrupts beat-to-beat analysis).
### 3.2 Blood Pressure Estimation (Contactless)
**Theory:** Pulse Transit Time (PTT) between two body points correlates with blood pressure. With two mmWave sensors at different body positions, PTT can be estimated from the phase difference of reflected chest/wrist signals.
**Feasibility:** Academic papers demonstrate ±10 mmHg accuracy in controlled settings. Far from clinical grade but useful for trending.
### 3.3 RF Tomography — 3D Occupancy Imaging
**Method:** Multiple CSI nodes form a tomographic array. Each TX-RX pair measures signal attenuation. Inverse problem (ISTA L1 solver, already in `ruvsense/tomography.rs`) reconstructs a 3D voxel grid of where absorbers (people) are.
**mmWave adds:** Range-gated targets as sparse priors for the tomographic reconstruction, dramatically reducing the ill-posedness of the inverse problem.
```
CSI tomography (coarse 3D grid, 50cm resolution) ─┐
├─► Sparse fusion
mmWave targets (precise range, cm resolution) ─────┘ → 10cm 3D occupancy map
```
### 3.4 Sign Language Recognition
**CSI phase patterns (body/arm movement) + mmWave Doppler (hand micro-movements):**
- CSI captures the gross arm trajectory of each sign
- mmWave captures the finger configuration at the pause point
- AETHER contrastive embeddings (`ADR-024`) learn to map (CSI phase sequence, mmWave Doppler) → sign label
- No camera required — works in the dark, preserves privacy
**Training data:** Record CSI + mmWave while performing signs with a camera as ground truth, then deploy camera-free.
### 3.5 Cognitive Load Estimation
**Multimodal features:**
| Feature | Source | Cognitive Load Indicator |
|---------|--------|------------------------|
| HR increase | mmWave | Sympathetic activation |
| BR irregularity | mmWave | Cognitive interference |
| Posture stiffness | CSI motion variance | Reduced when concentrating |
| Fidgeting frequency | CSI high-freq motion | Increases with frustration |
| Micro-saccade proxy | mmWave head micro-movement | Correlated with attention |
**Application:** Adaptive learning systems that slow down when the student is overloaded. Smart meeting rooms that detect when participants are disengaged.
### 3.6 Drone/Robot Navigation via RF Sensing
**CSI mesh as indoor GPS:** A network of CSI nodes creates a spatial RF fingerprint map. A robot or drone with an ESP32 can localize itself by matching its observed CSI to the map.
**mmWave on the robot:** Obstacle avoidance + human detection (don't collide with people).
**CSI from the environment:** Tells the robot where people are in adjacent rooms (through walls) so it can plan routes that avoid occupied spaces.
### 3.7 Building Structural Health Monitoring
**CSI multipath signature over months/years:**
- The CSI channel response is a fingerprint of the room's geometry
- Subtle shifts in multipath (wall crack propagation, foundation settlement) change the CSI signature
- `ruvsense/cross_room.rs` (environment fingerprinting) tracks these long-term drifts
- mmWave detects surface vibrations (micro-displacement from traffic, wind, seismic)
**Application:** Early warning for structural degradation in bridges, tunnels, old buildings.
### 3.8 Swarm Sensing — Emergent Spatial Awareness
**50+ nodes across a building:**
Each node runs local edge intelligence (ADR-039). The `hive-mind` consensus system (ADR-062) aggregates across nodes. Emergent behaviors:
- **Flow detection:** Track how people move between rooms over time
- **Anomaly detection:** "This hallway usually has 5 people/hour but had 0 today"
- **Emergency routing:** During fire, track which exits are blocked (no movement) vs available
- **Crowd density:** Concert/stadium safety — detect dangerous compression zones through walls
---
## Tier 4: Exotic / Sci-Fi Adjacent
### 4.1 Emotion Contagion Mapping
If multiple people are in a room and the system can estimate individual HR/HRV (via multi-target mmWave + CSI subcarrier clustering), you can detect:
- Physiological synchrony (two people's HR converging = rapport/empathy)
- Stress propagation (one person's stress → others' HR rises)
- "Emotional temperature" of a room
### 4.2 Dream State Detection and Lucid Dream Induction
During REM sleep (detected via mmWave HR variability + CSI minimal body movement):
- Detect REM onset with high confidence
- Trigger a subtle environmental cue (gentle light via smart bulb, barely audible tone)
- The sleeper incorporates the cue into the dream, recognizing it as a dream trigger
- BH1750 confirms room is dark (not a natural awakening)
Based on published lucid dreaming induction research (e.g., LaBerge's MILD technique with external cues).
### 4.3 Plant Growth Monitoring
WiFi signals pass through plant tissue differently based on water content.
- CSI amplitude through a greenhouse changes as plants absorb/release water
- mmWave reflects off leaf surfaces — micro-displacement from growth
- Long-term CSI drift correlates with biomass increase
Academic proof-of-concept: "Sensing Plant Water Content Using WiFi Signals" (2023).
### 4.4 Pet Behavior Analysis
- CSI detects pet movement patterns (different phase signature than humans — lower, faster)
- mmWave detects breathing rate (pets have higher BR than humans)
- System learns pet's daily routine and alerts on deviations (lethargy, pacing, not eating)
### 4.5 Paranormal Investigation Tool
(For the entertainment/hobbyist market)
- CSI detects "unexplained" signal disturbances in empty rooms
- mmWave confirms no physical presence
- System logs "anomalous RF events" with timestamps
- Export as Ghost Hunting report
**Actual explanation:** Temperature changes, HVAC drafts, and EMI cause CSI fluctuations. But it would sell.
---
## Implementation Priority Matrix
| Application | Sensors Needed | Effort | Value | Priority |
|------------|---------------|--------|-------|----------|
| Fall detection (zero false positive) | CSI + mmWave | 1 week | Critical (healthcare) | **P0** |
| Sleep monitoring | mmWave + BH1750 | 2 weeks | High (wellness) | **P1** |
| Occupancy HVAC/lighting | CSI + mmWave | 1 week | High (energy) | **P1** |
| Baby breathing monitor | mmWave | 1 week | Critical (safety) | **P1** |
| Bathroom safety | CSI + mmWave | 1 week | Critical (elderly) | **P1** |
| Gait analysis | CSI + mmWave | 3 weeks | High (clinical) | **P2** |
| Gesture control | CSI + mmWave | 4 weeks | Medium (UX) | **P2** |
| Multi-room activity | CSI mesh + mmWave | 4 weeks | High (elder care) | **P2** |
| Respiratory screening | mmWave longitudinal | 6 weeks | High (health) | **P2** |
| Stress/emotion detection | mmWave HRV + CSI | 6 weeks | Medium (wellness) | **P3** |
| RF tomography | CSI mesh + mmWave | 8 weeks | Medium (research) | **P3** |
| Sign language | CSI + mmWave + ML | 12 weeks | Medium (accessibility) | **P3** |
| Cardiac arrhythmia | High-res mmWave | 12 weeks | High (clinical) | **P3** |
| Swarm sensing | 50+ nodes | 16 weeks | High (safety) | **P3** |
## Decision
Document these possibilities as the product roadmap for the RuView multimodal ambient intelligence platform. Prioritize P0-P1 items (fall detection, sleep, occupancy, baby monitor, bathroom safety) for immediate implementation using the existing hardware (ESP32-S3 + MR60BHA2 + BH1750).
## Consequences
### Positive
- Positions RuView as a platform, not just a WiFi sensing demo
- Each application can ship as a WASM edge module (ADR-040), deployable to existing hardware
- Healthcare applications have clear regulatory paths (fall detection is FDA Class I exempt)
- Most P0-P1 applications require no additional hardware beyond what's already deployed
### Negative
- Clinical applications (arrhythmia, blood pressure) require medical device validation
- Privacy concerns scale with capability — need clear data retention policies
- Some exotic applications may attract scrutiny (surveillance concerns)
### Risk Mitigation
- All processing happens on-device (edge) — no cloud, no recordings by default
- No cameras — signal-based sensing preserves visual privacy
- Open source — users can audit exactly what is sensed and transmitted
api-docs/adr/ADR-065-happiness-scoring-seed-bridge.md
+234
View File
@@ -0,0 +1,234 @@
# ADR-065: Hotel Guest Happiness Scoring -- WiFi CSI + Cognitum Seed Bridge
**Status:** Proposed
**Date:** 2026-03-20
**Deciders:** @ruvnet
**Related:** ADR-040 (WASM edge modules), ADR-039 (edge intelligence), ADR-042 (CHCI), ADR-064 (multimodal ambient intelligence), ADR-060 (multi-node aggregation)
## Context
Hotels lack objective, privacy-preserving methods to measure guest satisfaction in real time. Current approaches (post-stay surveys, NPS scores) are delayed, biased toward extremes, and capture less than 10% of guests. Meanwhile, ambient RF sensing can infer behavioral cues that correlate with comfort and well-being -- without cameras, wearables, or any guest interaction.
### Hardware
Two ESP32-S3 variants are deployed:
| Device | Flash | PSRAM | MAC | Port | Notes |
|--------|-------|-------|-----|------|-------|
| ESP32-S3 (QFN56 rev 0.2) | 4 MB | 2 MB | 1C:DB:D4:83:D2:40 | COM5 | Budget node, uses `sdkconfig.defaults.4mb` + `partitions_4mb.csv` |
| ESP32-S3 | 8 MB | 8 MB | -- | COM7 | Full-featured node, existing deployment |
Both run the Tier 2 DSP firmware with presence detection, vitals extraction, fall detection, and gait analysis.
### Cognitum Seed Device
A Cognitum Seed unit is deployed on the same network segment:
- **Address:** 169.254.42.1 (link-local)
- **Hardware:** Raspberry Pi Zero 2 W
- **Firmware:** 0.7.0
- **Vector store:** 398 vectors, dim=8
- **API endpoints:** 98 (REST, fully documented)
- **Sensors:** PIR, reed switch (door), vibration, ADS1115 ADC (4-ch analog), BME280 (temp/humidity/pressure)
- **Security:** Ed25519 custody chain with tamper-evident witness log
The Seed's 8-dimensional vector store and drift detection engine make it a natural aggregation point for behavioral feature vectors extracted from CSI data.
### Existing WASM Edge Modules
The following modules already run on-device and produce features relevant to happiness scoring:
| Module | Event IDs | Outputs |
|--------|-----------|---------|
| `exo_emotion_detect.rs` | 610-613 | Arousal level, stress index |
| `med_gait_analysis.rs` | 130-134 | Cadence, stride length, regularity |
| `ret_customer_flow.rs` | 410-413 | Entry/exit count, direction |
| `ret_dwell_heatmap.rs` | 420-423 | Dwell time per zone |
## Decision
### 1. New WASM Module: `exo_happiness_score.rs`
Create a new WASM edge module that fuses outputs from existing modules into an 8-dimensional happiness vector, matching the Seed's vector dimensionality (dim=8).
**Event ID registry (690-694):**
| Event ID | Name | Description |
|----------|------|-------------|
| 690 | `HAPPINESS_VECTOR` | Full 8-dim happiness vector emitted per scoring window |
| 691 | `HAPPINESS_TREND` | Windowed trend (rising/falling/stable) over last N vectors |
| 692 | `HAPPINESS_ALERT` | Score crossed a configured threshold (low satisfaction) |
| 693 | `HAPPINESS_GROUP` | Aggregate score for multi-person zone |
| 694 | `HAPPINESS_CALIBRATION` | Baseline recalibration event (new guest check-in) |
### 2. Happiness Vector Schema (8 Dimensions)
Each dimension is normalized to [0.0, 1.0] where 1.0 = maximal positive signal:
| Dim | Name | Source | Derivation |
|-----|------|--------|------------|
| 0 | `gait_speed` | `med_gait_analysis` (130) | Normalized walking velocity. Brisk = positive. |
| 1 | `stride_regularity` | `med_gait_analysis` (131) | Low stride-to-stride variance = relaxed gait. |
| 2 | `movement_fluidity` | CSI phase jerk (d3/dt3) | Low jerk = smooth, unhurried movement. |
| 3 | `breathing_calm` | Vitals BR extraction | BR 12-18 at rest = calm. Deviation penalized. |
| 4 | `posture_openness` | CSI subcarrier spread | Wide phase spread across subcarriers = open posture. |
| 5 | `dwell_comfort` | `ret_dwell_heatmap` (420) | Moderate dwell in amenity zones = engagement. |
| 6 | `direction_entropy` | `ret_customer_flow` (410) | Low entropy = purposeful movement. Wandering penalized. |
| 7 | `group_energy` | Multi-target CSI clustering | Synchronized movement of 2+ people = social engagement. |
The composite scalar happiness score is the weighted L2 norm:
```
score = sum(w[i] * v[i] for i in 0..7) / sum(w[i])
```
Default weights are uniform (all 1.0), configurable via NVS or Seed API.
### 3. ESP32 to Seed Bridge
```
ESP32-S3 (CSI) Cognitum Seed (169.254.42.1)
+------------------+ +----------------------------+
| Tier 2 DSP | | |
| + WASM modules | UDP 5555 | /api/v1/store/ingest |
| exo_happiness |──────────────| (POST, 8-dim vector) |
| _score.rs | | |
| | | /api/v1/drift/check |
| |◄─────────────| (drift alerts via webhook) |
| | | |
| | | /api/v1/witness/append |
| | | (Ed25519 audit trail) |
+------------------+ +----------------------------+
```
**Data flow:**
1. ESP32 runs CSI capture at 20+ Hz and feeds subcarrier data through existing WASM modules.
2. `exo_happiness_score.rs` collects outputs from emotion, gait, flow, and dwell modules every scoring window (default: 30 seconds).
3. The 8-dim happiness vector is packed as a 32-byte payload (8x float32) and sent via UDP to port 5555 on 169.254.42.1.
4. A lightweight bridge task on the Seed receives the UDP packet and POSTs it to `/api/v1/store/ingest` with metadata (room ID, timestamp, MAC).
5. The Seed's drift detection engine monitors the happiness vector stream and flags anomalies (sudden drops, sustained low scores).
6. Every ingested vector is appended to the Seed's Ed25519 witness chain, providing a tamper-proof audit trail.
### 4. Seed Drift Detection for Happiness Trends
The Seed's built-in drift detection compares incoming vectors against a rolling baseline:
- **Check-in calibration:** When a new guest checks in, event 694 resets the baseline.
- **Drift threshold:** Configurable (default: cosine distance > 0.3 from baseline triggers alert).
- **Trend window:** Last 20 vectors (~10 minutes at 30s intervals).
- **Alert routing:** Seed webhook notifies hotel management system when happiness trend is declining.
### 5. RuView Live Dashboard Update
`ruview_live.py` gains a `--seed` flag:
```bash
python ruview_live.py --port COM5 --seed 169.254.42.1 --mode happiness
```
This mode displays:
- Real-time 8-dim radar chart of the happiness vector
- Scalar happiness score (0-100) with color coding (red/yellow/green)
- Trend sparkline over the last hour
- Seed witness chain status (last hash, chain length)
- Room-level aggregate when multiple ESP32 nodes report
### 6. Architecture
```
+------------------------------------------+
| Hotel Room |
| |
| [ESP32-S3] [Cognitum Seed] |
| COM5 or COM7 169.254.42.1 |
| 4MB or 8MB flash Pi Zero 2 W |
| | | |
| | WiFi CSI | PIR, reed, |
| | 20+ Hz | BME280, |
| v | vibration |
| +-----------+ | |
| | Tier 2 DSP| v |
| | presence | +-------------+ |
| | vitals | | Seed API | |
| | gait | | 98 endpoints| |
| | fall det | | 398 vectors | |
| +-----------+ | dim=8 | |
| | +-------------+ |
| v ^ |
| +-----------+ UDP 5555 | |
| | WASM edge |─────────────┘ |
| | happiness | |
| | score | Drift alerts |
| | (690-694) |◄────────────── |
| +-----------+ /api/v1/drift/check |
| |
+------------------------------------------+
|
| MQTT / HTTP
v
+------------------+
| Hotel Management |
| System / RuView |
| Live Dashboard |
+------------------+
```
### 7. 4MB Flash Support
The 4MB ESP32-S3 variant (COM5) is officially supported for happiness scoring. The existing `partitions_4mb.csv` and `sdkconfig.defaults.4mb` from ADR-265 provide dual OTA slots (1.856 MB each), sufficient for the full Tier 2 DSP firmware plus `exo_happiness_score.wasm` (estimated < 40 KB).
Build for 4MB variant:
```bash
cp sdkconfig.defaults.4mb sdkconfig.defaults
idf.py build
```
The WASM module loader selects which modules to instantiate based on available heap. On the 4MB/2MB PSRAM variant, happiness scoring runs with a reduced scoring window (60s instead of 30s) to conserve memory.
### 8. Privacy Considerations
- **No cameras.** All sensing is RF-based (WiFi subcarrier amplitude/phase).
- **No facial recognition.** Happiness is inferred from movement patterns, not expressions.
- **No audio capture.** Breathing rate is extracted from chest wall displacement via RF, not microphone.
- **No PII stored on device.** Vectors are anonymous; room-to-guest mapping lives only in the hotel PMS.
- **Seed witness chain** provides auditable proof of what data was collected and when, satisfying GDPR Article 30 record-keeping requirements.
- **Guest opt-out:** A physical switch on the ESP32 node (GPIO connected to a toggle) disables CSI capture entirely. The Seed's reed switch can also serve as a "privacy mode" trigger (door-mounted magnet removed = sensing paused).
- **Data retention:** Vectors are retained on the Seed for the duration of the stay plus 24 hours, then purged. The witness chain retains hashes (not vectors) indefinitely for audit.
### 9. API Integration
Key Cognitum Seed endpoints used:
| Endpoint | Method | Purpose |
|----------|--------|---------|
| `/api/v1/store/ingest` | POST | Ingest 8-dim happiness vector |
| `/api/v1/store/query` | POST | Retrieve vectors by room/time range |
| `/api/v1/drift/check` | GET | Check if current vector drifts from baseline |
| `/api/v1/drift/configure` | PUT | Set drift threshold and window size |
| `/api/v1/witness/append` | POST | Append event to Ed25519 custody chain |
| `/api/v1/witness/verify` | GET | Verify chain integrity |
| `/api/v1/sensors/bme280` | GET | Room temperature/humidity (comfort correlation) |
| `/api/v1/sensors/pir` | GET | PIR presence (cross-validate with CSI) |
## Consequences
### Positive
- Provides real-time, objective guest satisfaction measurement without surveys or wearables.
- Reuses four existing WASM modules -- the happiness module is a fusion layer, not a rewrite.
- The Seed's 8-dim vector store is a natural fit; no schema changes needed.
- Ed25519 witness chain satisfies hospitality industry audit requirements and GDPR record-keeping.
- Both 4MB and 8MB ESP32-S3 variants are supported, enabling low-cost deployment at scale (~$8 per room for the 4MB node).
- Seed's environmental sensors (BME280, PIR) provide complementary context (room temperature, humidity) that can be correlated with happiness scores.
- No cloud dependency -- all processing is local (ESP32 edge + Seed link-local network).
### Negative
- Happiness inference from movement patterns is a proxy, not a direct measurement. Correlation with actual guest satisfaction must be validated empirically.
- The 4MB variant has reduced scoring frequency (60s vs 30s) due to memory constraints.
- UDP transport between ESP32 and Seed is unreliable; packets may be lost. Mitigation: sequence numbers and a small retry buffer on the ESP32 side.
- Link-local addressing (169.254.x.x) limits the Seed to the same network segment as the ESP32. Multi-room deployments need one Seed per subnet or a routed bridge.
- Drift detection thresholds require per-property tuning; a luxury resort has different movement patterns than a budget hotel.
- The system cannot distinguish between guests in a multi-occupancy room without additional multi-target CSI clustering, which is experimental (ADR-064, Tier 3).
api-docs/adr/ADR-066-esp32-swarm-seed-coordinator.md
+278
View File
@@ -0,0 +1,278 @@
# ADR-066: ESP32 CSI Swarm with Cognitum Seed Coordinator
**Status:** Proposed
**Date:** 2026-03-20
**Deciders:** @ruvnet
**Related:** ADR-065 (happiness scoring + Seed bridge), ADR-039 (edge intelligence), ADR-060 (provisioning), ADR-018 (CSI binary protocol), ADR-040 (WASM runtime)
## Context
ADR-065 established a single ESP32-S3 node pushing happiness vectors to a Cognitum Seed at `169.254.42.1` (Pi Zero 2 W, firmware 0.7.0). The Seed is now on the same WiFi network (`RedCloverWifi`, `10.1.10.236`) as the ESP32 node (`10.1.10.168`).
The Seed already exposes REST APIs for:
- Peer discovery (`/api/v1/peers`) — 0 peers currently registered
- Delta sync (`/api/v1/delta/pull`, `/api/v1/delta/push`) — epoch-based replication
- Reflex rules (`/api/v1/sensor/reflex/rules`) — 3 rules (fragility alarm, drift cutoff, HD anomaly indicator)
- Actuators (`/api/v1/sensor/actuators`) — relay + PWM outputs
- Cognitive engine (`/api/v1/cognitive/tick`) — periodic inference loop
- Witness chain (`/api/v1/custody/epoch`) — epoch 316, cryptographically signed
- kNN search (`/api/v1/store/search`) — similarity queries across the full vector store
A hotel deployment requires multiple ESP32 nodes (lobby, hallway, restaurant, rooms) coordinated as a swarm with centralized analytics on the Seed.
## Decision
Implement a Seed-coordinated ESP32 swarm where each node operates autonomously for CSI sensing and edge processing, while the Seed serves as the swarm coordinator for registration, aggregation, drift detection, cross-zone inference, and actuator control.
### Architecture
```
ESP32 Node A ESP32 Node B ESP32 Node C
(Lobby) (Hallway) (Restaurant)
node_id=1 node_id=2 node_id=3
10.1.10.168 10.1.10.xxx 10.1.10.xxx
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ WiFi CSI │ │ WiFi CSI │ │ WiFi CSI │
│ Tier 2 DSP │ │ Tier 2 DSP │ │ Tier 2 DSP │
│ WASM Tier 3 │ │ WASM Tier 3 │ │ WASM Tier 3 │
│ Swarm Bridge │ │ Swarm Bridge │ │ Swarm Bridge │
└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
│ HTTP POST │ HTTP POST │ HTTP POST
│ (happiness vectors, │ │
│ heartbeat, events) │ │
└──────────┬───────────────┴──────────────────────────┘
┌───────────────┐
│ Cognitum Seed │
│ (Coordinator) │
│ 10.1.10.236 │
├───────────────┤
│ Vector Store │ ← 8-dim vectors tagged with node_id + zone
│ kNN Search │ ← Cross-zone similarity ("which room matches?")
│ Drift Detect │ ← Global mood trend across all zones
│ Witness Chain │ ← Tamper-proof audit trail per node
│ Reflex Rules │ ← Trigger actuators on swarm-wide patterns
│ Cognitive Eng │ ← Periodic cross-zone inference
│ Peer Registry │ ← Node health, last-seen, capabilities
└───────────────┘
```
### Swarm Protocol
#### 1. Node Registration (on boot)
Each ESP32 registers with the Seed via HTTP POST on startup. The Seed's peer discovery API tracks active nodes.
```
POST /api/v1/store/ingest
{
"vectors": [{
"id": "node-1-reg",
"values": [0,0,0,0,0,0,0,0],
"metadata": {
"type": "registration",
"node_id": 1,
"zone": "lobby",
"mac": "1C:DB:D4:83:D2:40",
"ip": "10.1.10.168",
"firmware": "0.5.0",
"capabilities": ["csi", "tier2", "presence", "vitals", "happiness"],
"flash_mb": 4,
"psram_mb": 2
}
}]
}
```
#### 2. Heartbeat (every 30 seconds)
```
POST /api/v1/store/ingest
{
"vectors": [{
"id": "node-1-hb-{epoch}",
"values": [happiness, gait, stride, fluidity, calm, posture, dwell, social],
"metadata": {
"type": "heartbeat",
"node_id": 1,
"zone": "lobby",
"uptime_s": 3600,
"csi_frames": 72000,
"free_heap": 317140,
"presence_now": true,
"persons": 2,
"rssi": -60
}
}]
}
```
#### 3. Happiness Vector Ingestion (every 5 seconds when presence detected)
```
POST /api/v1/store/ingest
{
"vectors": [{
"id": "node-1-h-{epoch}-{ts}",
"values": [0.72, 0.65, 0.80, 0.71, 0.55, 0.60, 0.85, 0.45],
"metadata": {
"type": "happiness",
"node_id": 1,
"zone": "lobby",
"timestamp_ms": 1742486400000,
"persons": 2,
"direction": "entering"
}
}]
}
```
#### 4. Cross-Zone Queries (Seed-side)
The Seed can answer questions across the entire swarm:
```
POST /api/v1/store/search
{"vector": [0.8, 0.7, 0.9, 0.8, 0.6, 0.7, 0.9, 0.5], "k": 5}
Response: nearest neighbors across all zones, showing which
rooms had the most similar mood to a "happy" reference vector.
```
#### 5. Reflex Rules for Swarm Patterns
Configure the Seed's reflex engine to act on swarm-wide patterns:
| Rule | Trigger | Action | Use Case |
|------|---------|--------|----------|
| `low_happiness_alert` | Mean happiness < 0.3 across 3+ nodes for 5 min | Activate `alarm` relay | Staff alert: guest dissatisfaction |
| `crowd_surge` | Presence count > 10 across lobby + hallway | PWM indicator brightness 100% | Lobby congestion warning |
| `zone_drift` | Drift score > 0.5 on any node | Log to witness chain | Trend change documentation |
| `ghost_anomaly` | Event 650 (anomaly) from any node | Notify + log | Security: unexpected RF disturbance |
### ESP32 Firmware: Swarm Bridge Module
New module `swarm_bridge.c` added to the CSI firmware, activated via NVS config:
```c
typedef struct {
char seed_url[64]; // e.g. "http://10.1.10.236"
char zone_name[16]; // e.g. "lobby"
uint16_t heartbeat_sec; // Default: 30
uint16_t ingest_sec; // Default: 5
uint8_t enabled; // 0 = disabled, 1 = enabled
} swarm_config_t;
```
NVS keys (provisioned via `provision.py --seed-url http://10.1.10.236 --zone lobby`):
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `seed_url` | string | (empty) | Seed base URL; empty = swarm disabled |
| `zone_name` | string | `"default"` | Zone identifier for this node |
| `swarm_hb` | u16 | 30 | Heartbeat interval (seconds) |
| `swarm_ingest` | u16 | 5 | Vector ingest interval (seconds) |
The swarm bridge runs as a FreeRTOS task on Core 0 (separate from DSP on Core 1):
```
swarm_bridge_task (Core 0, priority 3, stack 4096)
├── On boot: POST registration to Seed
├── Every 30s: POST heartbeat with latest happiness vector
├── Every 5s (if presence): POST happiness vector
└── On event 650+ (anomaly): POST immediately
```
HTTP client uses `esp_http_client` (already in ESP-IDF, no extra dependencies). JSON is formatted with `snprintf` (no cJSON dependency needed for the small payloads).
### Node Discovery and Addressing
Nodes find the Seed via:
1. **NVS provisioned URL** (primary) — `provision.py --seed-url http://10.1.10.236`
2. **mDNS fallback** — Seed advertises `_cognitum._tcp.local`; ESP32 resolves `cognitum.local`
3. **Link-local fallback**`http://169.254.42.1` when connected via USB
### Vector ID Scheme
```
{node_id}-{type}-{epoch}-{timestamp_ms}
```
Examples:
- `1-reg` — Node 1 registration
- `1-hb-316` — Node 1 heartbeat at epoch 316
- `1-h-316-1742486400000` — Node 1 happiness vector at epoch 316, timestamp T
- `2-h-316-1742486401000` — Node 2 happiness vector at same epoch
### Witness Chain Integration
Every vector ingested into the Seed increments the epoch and extends the witness chain. The chain provides:
- **Per-node audit trail** — filter by node_id metadata to get one node's history
- **Tamper detection** — Ed25519 signed, hash-chained; break = detectable
- **Regulatory compliance** — prove "sensor X reported Y at time Z" for disputes
- **Cross-node ordering** — Seed epoch gives total order across all nodes
### Scaling Considerations
| Nodes | Vectors/hour | Seed storage/day | kNN latency |
|-------|---|---|---|
| 1 | 720 | ~1.5 MB | < 1 ms |
| 5 | 3,600 | ~7.5 MB | < 2 ms |
| 10 | 7,200 | ~15 MB | < 5 ms |
| 20 | 14,400 | ~30 MB | < 10 ms |
The Seed's Pi Zero 2 W has 512 MB RAM and typically an 8-32 GB SD card. At 30 MB/day for 20 nodes, storage lasts 250+ days before compaction is needed. The Seed's optimizer runs automatic compaction in the background.
### Provisioning for Swarm
```bash
# Node 1: Lobby (COM5, existing)
python provision.py --port COM5 \
--ssid "RedCloverWifi" --password "redclover2.4" \
--node-id 1 --seed-url "http://10.1.10.236" --zone "lobby"
# Node 2: Hallway (future device)
python provision.py --port COM6 \
--ssid "RedCloverWifi" --password "redclover2.4" \
--node-id 2 --seed-url "http://10.1.10.236" --zone "hallway"
# Node 3: Restaurant (future device)
python provision.py --port COM8 \
--ssid "RedCloverWifi" --password "redclover2.4" \
--node-id 3 --seed-url "http://10.1.10.236" --zone "restaurant"
```
## Consequences
### Positive
- **Zero infrastructure** — no cloud, no server, no database. Seed + ESP32s + WiFi router is the entire stack
- **Autonomous nodes** — each ESP32 runs full Tier 2 DSP independently; Seed loss degrades gracefully to local-only operation
- **Cryptographic audit** — witness chain gives tamper-proof history for every observation across all nodes
- **Real-time cross-zone analytics** — Seed kNN search answers "which zones are happy/stressed right now" in < 5 ms
- **Physical actuators** — Seed's relay/PWM outputs can trigger real-world actions (lights, alarms, displays) based on swarm-wide patterns
- **Horizontal scaling** — add ESP32 nodes by flashing firmware + running provision.py; no Seed reconfiguration needed
- **Privacy-preserving** — no cameras, no audio, no PII; only 8-dimensional feature vectors stored
### Negative
- **Single point of aggregation** — Seed failure loses cross-zone analytics (nodes continue autonomously)
- **WiFi dependency** — nodes must be on the same network as the Seed; no mesh/LoRa fallback yet
- **HTTP overhead** — REST/JSON adds ~200 bytes overhead per vector vs raw binary UDP; acceptable at 5-second intervals
- **Pi Zero 2 W limits** — 512 MB RAM, single-core ARM; adequate for 20 nodes but not 100+
- **No WASM OTA via Seed** — currently WASM modules are uploaded per-node; future work could use Seed as WASM distribution hub
### Implementation Progress
**ADR-069** implements the first stage of this swarm vision with live hardware validation (2026-04-02). A single ESP32-S3 node (COM9, firmware v0.5.2) was validated sending CSI-derived feature vectors through a host-side bridge into the Cognitum Seed's RVF store (firmware v0.8.1). The pipeline confirmed: UDP streaming (211 packets/15s), 8-dim feature extraction, batched HTTPS ingest (4 batches of 5 vectors), and witness chain integrity (193 entries, SHA-256 verified). Multi-node deployment (Phase 4 of ADR-069) is the next step toward the full swarm architecture described here.
### Future Work
- **Seed-initiated WASM push** — Seed distributes WASM modules to all nodes via their OTA endpoints
- **mDNS auto-discovery** — nodes find Seed without provisioned URL
- **Mesh fallback** — ESP-NOW peer-to-peer when WiFi is down
- **Multi-Seed federation** — multiple Seeds for multi-floor/multi-building deployments
- **Seed dashboard** — web UI on the Seed showing live swarm map with per-zone happiness
api-docs/adr/ADR-067-ruvector-v2.0.5-upgrade.md
+151
View File
@@ -0,0 +1,151 @@
# ADR-067: RuVector v2.0.4 to v2.0.5 Upgrade + New Crate Adoption
**Status:** Proposed
**Date:** 2026-03-23
**Deciders:** @ruvnet
**Related:** ADR-016 (RuVector training pipeline integration), ADR-017 (RuVector signal + MAT integration), ADR-029 (RuvSense multistatic sensing)
## Context
RuView currently pins all five core RuVector crates at **v2.0.4** (from crates.io) plus a vendored `ruvector-crv` v0.1.1 and optional `ruvector-gnn` v2.0.5. The upstream RuVector workspace has moved to **v2.0.5** with meaningful improvements to the crates we depend on, and has introduced new crates that could benefit RuView's detection pipeline.
### Current Integration Map
| RuView Module | RuVector Crate | Current Version | Purpose |
|---------------|----------------|-----------------|---------|
| `signal/subcarrier.rs` | ruvector-mincut | 2.0.4 | Graph min-cut subcarrier partitioning |
| `signal/spectrogram.rs` | ruvector-attn-mincut | 2.0.4 | Attention-gated spectrogram denoising |
| `signal/bvp.rs` | ruvector-attention | 2.0.4 | Attention-weighted BVP aggregation |
| `signal/fresnel.rs` | ruvector-solver | 2.0.4 | Fresnel geometry estimation |
| `mat/triangulation.rs` | ruvector-solver | 2.0.4 | TDoA survivor localization |
| `mat/breathing.rs` | ruvector-temporal-tensor | 2.0.4 | Tiered compressed breathing buffer |
| `mat/heartbeat.rs` | ruvector-temporal-tensor | 2.0.4 | Tiered compressed heartbeat spectrogram |
| `viewpoint/*` (4 files) | ruvector-attention | 2.0.4 | Cross-viewpoint fusion with geometric bias |
| `crv/` (optional) | ruvector-crv | 0.1.1 (vendored) | CRV protocol integration |
| `crv/` (optional) | ruvector-gnn | 2.0.5 | GNN graph topology |
### What Changed Upstream (v2.0.4 → v2.0.5 → HEAD)
**ruvector-mincut:**
- Flat capacity matrix + allocation reuse — **10-30% faster** for all min-cut operations
- Tier 2-3 Dynamic MinCut (ADR-124): Gomory-Hu tree construction for fast global min-cut, incremental edge insert/delete without full recomputation
- Source-anchored canonical min-cut with SHA-256 witness hashing
- Fixed: unsafe indexing removed, WASM Node.js panic from `std::time`
**ruvector-attention / ruvector-attn-mincut:**
- Migrated to workspace versioning (no API changes)
- Documentation improvements
**ruvector-temporal-tensor:**
- Formatting fixes only (no API changes)
**ruvector-gnn:**
- Panic replaced with `Result` in `MultiHeadAttention` and `RuvectorLayer` constructors (breaking improvement — safer)
- Bumped to v2.0.5
**sona (new — Self-Optimizing Neural Architecture):**
- v0.1.6 → v0.1.8: state persistence (`loadState`/`saveState`), trajectory counter fix
- Micro-LoRA and Base-LoRA for instant and background learning
- EWC++ (Elastic Weight Consolidation) to prevent catastrophic forgetting
- ReasoningBank pattern extraction and similarity search
- WASM support for edge devices
**ruvector-coherence (new):**
- Spectral coherence scoring for graph index health
- Fiedler eigenvalue estimation, effective resistance sampling
- HNSW health monitoring with alerts
- Batch evaluation of attention mechanism quality
**ruvector-core (new):**
- ONNX embedding support for real semantic embeddings
- HNSW index with SIMD-accelerated distance metrics
- Quantization (4-32x memory reduction)
- Arena allocator for cache-optimized operations
## Decision
### Phase 1: Version Bump (Low Risk)
Bump the 5 core crates from v2.0.4 to v2.0.5 in the workspace `Cargo.toml`:
```toml
ruvector-mincut = "2.0.5" # was 2.0.4 — 10-30% faster, safer
ruvector-attn-mincut = "2.0.5" # was 2.0.4 — workspace versioning
ruvector-temporal-tensor = "2.0.5" # was 2.0.4 — fmt only
ruvector-solver = "2.0.5" # was 2.0.4 — workspace versioning
ruvector-attention = "2.0.5" # was 2.0.4 — workspace versioning
```
**Expected impact:** The mincut performance improvement directly benefits `signal/subcarrier.rs` which runs subcarrier graph partitioning every tick. 10-30% faster partitioning reduces per-frame CPU cost.
### Phase 2: Add ruvector-coherence (Medium Value)
Add `ruvector-coherence` with `spectral` feature to `wifi-densepose-ruvector`:
**Use case:** Replace or augment the custom phase coherence logic in `viewpoint/coherence.rs` with spectral graph coherence scoring. The current implementation uses phasor magnitude for phase coherence — spectral Fiedler estimation would provide a more robust measure of multi-node CSI consistency, especially for detecting when a node's signal quality degrades.
**Integration point:** `viewpoint/coherence.rs` — add `SpectralCoherenceScore` as a secondary coherence metric alongside existing phase phasor coherence. Use spectral gap estimation to detect structural changes in the multi-node CSI graph (e.g., a node dropping out or a new reflector appearing).
### Phase 3: Add SONA for Adaptive Learning (High Value)
Replace the logistic regression adaptive classifier in the sensing server with a SONA-backed learning engine:
**Current state:** The sensing server's adaptive training (`POST /api/v1/adaptive/train`) uses a hand-rolled logistic regression on 15 CSI features. It requires explicit labeled recordings and provides no cross-session persistence.
**Proposed improvement:** Use `sona::SonaEngine` to:
1. **Learn from implicit feedback** — trajectory tracking on person-count decisions (was the count stable? did the user correct it?)
2. **Persist across sessions**`saveState()`/`loadState()` replaces the current `adaptive_model.json`
3. **Pattern matching**`find_patterns()` enables "this CSI signature looks like room X where we learned Y"
4. **Prevent forgetting** — EWC++ ensures learning in a new room doesn't overwrite patterns from previous rooms
**Integration point:** New `adaptive_sona.rs` module in `wifi-densepose-sensing-server`, behind a `sona` feature flag. The existing logistic regression remains the default.
### Phase 4: Evaluate ruvector-core for CSI Embeddings (Exploratory)
**Current state:** The person detection pipeline uses hand-crafted features (variance, change_points, motion_band_power, spectral_power) with fixed normalization ranges.
**Potential:** Use `ruvector-core`'s ONNX embedding support to generate learned CSI embeddings that capture room geometry, person count, and activity patterns in a single vector. This would enable:
- Similarity search: "is this CSI frame similar to known 2-person patterns?"
- Transfer learning: embeddings learned in one room partially transfer to similar rooms
- Quantized storage: 4-32x memory reduction for pattern databases
**Status:** Exploratory — requires training data collection and embedding model design. Not a near-term target.
## Consequences
### Positive
- **Phase 1:** Free 10-30% performance gain in subcarrier partitioning. Security fixes (unsafe indexing, WASM panic). Zero API changes required.
- **Phase 2:** More robust multi-node coherence detection. Helps with the "flickering persons" issue (#292) by providing a second opinion on signal quality.
- **Phase 3:** Fundamentally improves the adaptive learning pipeline. Users no longer need to manually record labeled data — the system learns from ongoing use.
- **Phase 4:** Path toward real ML-based detection instead of heuristic thresholds.
### Negative
- **Phase 1:** Minimal risk — semver minor bump, no API breaks.
- **Phase 2:** Adds a dependency. Spectral computation has O(n) cost per tick for Fiedler estimation (n = number of subcarriers, typically 56-128). Acceptable.
- **Phase 3:** SONA adds ~200KB to the binary. The learning loop needs careful tuning to avoid adapting to noise.
- **Phase 4:** Requires significant research and training data. Not guaranteed to outperform tuned heuristics for WiFi CSI.
### Risks
- `ruvector-gnn` v2.0.5 changed constructors from panic to `Result` — any existing `crv` feature users need to handle the `Result`. Our vendored `ruvector-crv` may need updates.
- SONA's WASM support is experimental — keep it behind a feature flag until validated.
## Implementation Plan
| Phase | Scope | Effort | Priority |
|-------|-------|--------|----------|
| 1 | Bump 5 crates to v2.0.5 | 1 hour | High — free perf + security |
| 2 | Add ruvector-coherence | 1 day | Medium — improves multi-node stability |
| 3 | SONA adaptive learning | 3 days | Medium — replaces manual training workflow |
| 4 | CSI embeddings via ruvector-core | 1-2 weeks | Low — exploratory research |
## Vendor Submodule
The `vendor/ruvector` git submodule has been updated from commit `f8f2c60` (v2.0.4 era) to `51a3557` (latest `origin/main`). This provides local reference for the full upstream source when developing Phases 2-4.
## References
- Upstream repo: https://github.com/ruvnet/ruvector
- ADR-124 (Dynamic MinCut): `vendor/ruvector/docs/adr/ADR-124*.md`
- SONA docs: `vendor/ruvector/crates/sona/src/lib.rs`
- ruvector-coherence spectral: `vendor/ruvector/crates/ruvector-coherence/src/spectral.rs`
- ruvector-core embeddings: `vendor/ruvector/crates/ruvector-core/src/embeddings.rs`
api-docs/adr/ADR-068-per-node-state-pipeline.md
+186
View File
@@ -0,0 +1,186 @@
# ADR-068: Per-Node State Pipeline for Multi-Node Sensing
| Field | Value |
|------------|-------------------------------------|
| Status | Accepted |
| Date | 2026-03-27 |
| Authors | rUv, claude-flow |
| Drivers | #249, #237, #276, #282 |
| Supersedes | — |
## Context
The sensing server (`wifi-densepose-sensing-server`) was originally designed for
single-node operation. When multiple ESP32 nodes send CSI frames simultaneously,
all data is mixed into a single shared pipeline:
- **One** `frame_history` VecDeque for all nodes
- **One** `smoothed_person_score` / `smoothed_motion` / vital sign buffers
- **One** baseline and debounce state
This means the classification, person count, and vital signs reported to the UI
are an uncontrolled aggregate of all nodes' data. The result: the detection
window shows identical output regardless of how many nodes are deployed, where
people stand, or how many people are in the room (#249 — 24 comments, the most
reported issue).
### Root Cause Verified
Investigation of `AppStateInner` (main.rs lines 279-367) confirmed:
| Shared field | Impact |
|---------------------------|--------------------------------------------|
| `frame_history` | Temporal analysis mixes all nodes' CSI data |
| `smoothed_person_score` | Person count aggregates all nodes |
| `smoothed_motion` | Motion classification undifferentiated |
| `smoothed_hr` / `br` | Vital signs are global, not per-node |
| `baseline_motion` | Adaptive baseline learned from mixed data |
| `debounce_counter` | All nodes share debounce state |
## Decision
Introduce **per-node state tracking** via a `HashMap<u8, NodeState>` in
`AppStateInner`. Each ESP32 node (identified by its `node_id` byte) gets an
independent sensing pipeline with its own temporal history, smoothing buffers,
baseline, and classification state.
### Architecture
```
┌─────────────────────────────────────────┐
UDP frames │ AppStateInner │
───────────► │ │
node_id=1 ──► │ node_states: HashMap<u8, NodeState> │
node_id=2 ──► │ ├── 1: NodeState { frame_history, │
node_id=3 ──► │ │ smoothed_motion, vitals, ... }│
│ ├── 2: NodeState { ... } │
│ └── 3: NodeState { ... } │
│ │
│ ┌── Per-Node Pipeline ──┐ │
│ │ extract_features() │ │
│ │ smooth_and_classify() │ │
│ │ smooth_vitals() │ │
│ │ score_to_person_count()│ │
│ └────────────────────────┘ │
│ │
│ ┌── Multi-Node Fusion ──┐ │
│ │ Aggregate person count │ │
│ │ Per-node classification│ │
│ │ All-nodes WebSocket msg│ │
│ └────────────────────────┘ │
│ │
│ ──► WebSocket broadcast (sensing_update) │
└─────────────────────────────────────────┘
```
### NodeState Struct
```rust
struct NodeState {
frame_history: VecDeque<Vec<f64>>,
smoothed_person_score: f64,
prev_person_count: usize,
smoothed_motion: f64,
current_motion_level: String,
debounce_counter: u32,
debounce_candidate: String,
baseline_motion: f64,
baseline_frames: u64,
smoothed_hr: f64,
smoothed_br: f64,
smoothed_hr_conf: f64,
smoothed_br_conf: f64,
hr_buffer: VecDeque<f64>,
br_buffer: VecDeque<f64>,
rssi_history: VecDeque<f64>,
vital_detector: VitalSignDetector,
latest_vitals: VitalSigns,
last_frame_time: Option<std::time::Instant>,
edge_vitals: Option<Esp32VitalsPacket>,
}
```
### Multi-Node Aggregation
- **Person count**: Sum of per-node `prev_person_count` for active nodes
(seen within last 10 seconds).
- **Classification**: Per-node classification included in `SensingUpdate.nodes`.
- **Vital signs**: Per-node vital signs; UI can render per-node or aggregate.
- **Signal field**: Generated from the most-recently-updated node's features.
- **Stale nodes**: Nodes with no frame for >10 seconds are excluded from
aggregation and marked offline (consistent with PR #300).
### Backward Compatibility
- The simulated data path (`simulated_data_task`) continues using global state.
- Single-node deployments behave identically (HashMap has one entry).
- The WebSocket message format (`sensing_update`) remains the same but the
`nodes` array now contains all active nodes, and `estimated_persons` reflects
the cross-node aggregate.
- The edge vitals path (#323 fix) also uses per-node state.
## Scaling Characteristics
| Nodes | Per-Node Memory | Total Overhead | Notes |
|-------|----------------|----------------|-------|
| 1 | ~50 KB | ~50 KB | Identical to current |
| 3 | ~50 KB | ~150 KB | Typical home setup |
| 10 | ~50 KB | ~500 KB | Small office |
| 50 | ~50 KB | ~2.5 MB | Building floor |
| 100 | ~50 KB | ~5 MB | Large deployment |
| 256 | ~50 KB | ~12.8 MB | Max (u8 node_id) |
Memory is dominated by `frame_history` (100 frames x ~500 bytes each = ~50 KB
per node). This scales linearly and fits comfortably in server memory even at
256 nodes.
## QEMU Validation
The existing QEMU swarm infrastructure (ADR-062, `scripts/qemu_swarm.py`)
supports multi-node simulation with configurable topologies:
- `star`: Central coordinator + sensor nodes
- `mesh`: Fully connected peer network
- `line`: Sequential chain
- `ring`: Circular topology
Each QEMU instance runs with a unique `node_id` via NVS provisioning. The
swarm health validator (`scripts/swarm_health.py`) checks per-node UART output.
Validation plan:
1. QEMU swarm with 3-5 nodes in mesh topology
2. Verify server produces distinct per-node classifications
3. Verify aggregate person count reflects multi-node contributions
4. Verify stale-node eviction after timeout
## Consequences
### Positive
- Each node's CSI data is processed independently — no cross-contamination
- Person count scales with the number of deployed nodes
- Vital signs are per-node, enabling room-level health monitoring
- Foundation for spatial localization (per-node positions + triangulation)
- Scales to 256 nodes with <13 MB memory overhead
### Negative
- Slightly more memory per node (~50 KB each)
- `smooth_and_classify_node` function duplicates some logic from global version
- Per-node `VitalSignDetector` instances add CPU cost proportional to node count
### Risks
- Node ID collisions (mitigated by NVS persistence since v0.5.0)
- HashMap growth without cleanup (mitigated by stale-node eviction)
## Related ADRs
- **ADR-069** (ESP32 CSI → Cognitum Seed RVF Ingest Pipeline) extends this ADR's per-node state architecture with Cognitum Seed integration. Live hardware validation (2026-04-02) confirmed per-node feature vectors flowing through the bridge into the Seed's RVF store with witness chain attestation.
## References
- Issue #249: Detection window same regardless (24 comments)
- Issue #237: Same display for 0/1/2 people (12 comments)
- Issue #276: Only one can be detected (8 comments)
- Issue #282: Detection fail (5 comments)
- PR #295: Hysteresis smoothing (partial mitigation)
- PR #300: ESP32 offline detection after 5s
- ADR-062: QEMU Swarm Configurator
api-docs/adr/ADR-069-cognitum-seed-csi-pipeline.md
+403
View File
@@ -0,0 +1,403 @@
# ADR-069: ESP32 CSI → Cognitum Seed RVF Ingest Pipeline
| Field | Value |
|------------|----------------------------------------------------------|
| Status | Accepted |
| Date | 2026-04-02 |
| Authors | rUv, claude-flow |
| Drivers | #348 (multinode mesh accuracy), Research: Arena Physica |
| Supersedes | — |
| Related | ADR-066 (ESP32 swarm + Seed coordinator), ADR-068 (per-node state), ADR-018 (CSI binary protocol), ADR-039 (edge intelligence), ADR-065 (happiness scoring + Seed bridge) |
## Context
The wifi-densepose project has two hardware components that need to work as an integrated sensing pipeline:
1. **ESP32-S3** (COM9 / 192.168.1.105) — Captures WiFi CSI at 100 Hz, runs dual-core DSP pipeline (phase extraction, subcarrier selection, breathing/heart rate estimation, presence/fall detection), and sends ADR-018 binary frames via UDP.
2. **Cognitum Seed** (USB / 169.254.42.1 / 192.168.1.109) — A Pi Zero 2 W edge intelligence appliance running firmware v0.8.1. It provides:
- **RVF vector store** — Append-only binary format with content-addressed IDs, kNN queries (cosine/L2/dot), and kNN graph with boundary analysis
- **Witness chain** — SHA-256 tamper-evident audit trail for every write operation
- **Ed25519 custody** — Device-bound keypair for cryptographic attestation
- **Sensor pipeline** — 5 sensors (reed switch, PIR, vibration, ADS1115 4-ch ADC, BME280), 13 drift detectors, anti-spoofing
- **Cognitive container** — Spectral graph analysis with Stoer-Wagner min-cut fragility scoring
- **MCP proxy** — 114 tools via JSON-RPC 2.0 for AI assistant integration
- **Thermal governor** — DVFS management with zone-based frequency scaling
- **Temporal coherence** — Phase boundary detection across vector store evolution
- **Swarm sync** — Epoch-based delta replication between peers
- **Reflex rules** — 3 rules (fragility alarm, drift cutoff, HD anomaly indicator)
- **98 HTTPS API endpoints** with per-client bearer token authentication
### Current State
| Component | Status | Details |
|-----------|--------|---------|
| ESP32 CSI capture | Working | 100 Hz, ADR-018 binary frames via UDP |
| ESP32 edge DSP | Working | 10-stage pipeline on Core 1 (phase, variance, vitals, fall) |
| ESP32 → sensing-server | Working | UDP port 5005, binary protocol |
| Cognitum Seed | Online | v0.8.1, paired, 19 vectors, epoch 25, WiFi connected |
| Seed vector store | Working | 8-dim RVF, kNN queries in 85ms for 20k vectors |
| Seed MCP proxy | Working | 114 tools, default-deny policy |
| ESP32 → Seed pipeline | **Validated** | Bridge on host laptop, UDP 5006 → HTTPS ingest (see Validation Results) |
### Gap Analysis (from Arena Physica research)
Arena Physica's approach (Heaviside-0 forward model, Marconi-0 inverse diffusion) demonstrates that neural surrogates for Maxwell's equations are production-viable. Our research identified that:
1. **Physics-informed intermediate supervision** — Evaluating pipeline stages independently catches failures that end-to-end metrics miss
2. **Vector embeddings for EM fields** — Storing CSI features as vectors enables similarity search for environment fingerprinting and anomaly detection
3. **Witness chain for sensing integrity** — Tamper-evident audit trails are critical for healthcare/safety applications (fall detection, vital signs)
4. **Edge compute for inference** — Pi Zero 2 W can run ~2.5M parameter models at 10+ Hz with INT8 quantization
### Problem
There is no pipeline connecting ESP32 CSI sensing to the Cognitum Seed's vector store. The ESP32 sends raw CSI frames to the Rust sensing-server (typically running on a laptop/desktop), but cannot leverage the Seed's:
- Persistent vector storage with kNN search
- Cryptographic witness chain for data integrity
- Cognitive container for structural analysis
- Sensor fusion with environmental sensors (BME280 temperature/humidity, PIR motion)
- Swarm sync for multi-Seed deployments
## Decision
Build a three-stage pipeline connecting ESP32 CSI capture to Cognitum Seed RVF storage:
### Architecture
```
┌──────────────────────────┐
│ ESP32-S3 (COM9) │
│ node_id=1 │
│ 192.168.1.105 │
│ Firmware v0.5.2 │
│ ┌──────────────────────┐ │
│ │ Core 0: WiFi + CSI │ │
│ │ 100 Hz capture │ │
│ │ ADR-018 framing │ │
│ ├──────────────────────┤ │
│ │ Core 1: Edge DSP │ │
│ │ Phase extraction │ │
│ │ Subcarrier select │ │
│ │ Vital signs (HR/BR)│ │
│ │ Presence/fall det. │ │
│ │ Feature vector │ │◄── 8-dim feature extraction
│ └──────────┬───────────┘ │
│ │ UDP │
└────────────┼─────────────┘
│ Port 5005 (raw CSI, magic 0xC5110001)
│ + Port 5006 (vitals 0xC5110002 + features 0xC5110003)
┌────────────────────────────────────────────┐
│ Host Laptop (192.168.1.20) │
│ Bridge script (Python) │
│ ┌────────────────────────────────────────┐ │
│ │ Stage 1: CSI Receiver │ │
│ │ UDP listener on port 5006 │ │
│ │ Parses 0xC5110003 feature packets │ │
│ │ (also accepts 0xC5110001/0002) │ │
│ │ Batches 10 vectors per ingest │ │
│ └──────────┬─────────────────────────────┘ │
└────────────┼───────────────────────────────┘
│ HTTPS POST (bearer token)
┌────────────────────────────────────────────┐
│ Cognitum Seed (Pi Zero 2 W) │
│ 169.254.42.1 / 192.168.1.109 │
│ Firmware v0.8.1 │
│ ┌────────────────────────────────────────┐ │
│ │ Stage 2: RVF Ingest │ │
│ │ POST /api/v1/store/ingest │ │
│ │ Content-addressed vector ID │ │
│ │ Metadata: node_id, timestamp, type │ │
│ │ Witness chain entry per batch │ │
│ ├────────────────────────────────────────┤ │
│ │ Stage 3: Cognitive Analysis │ │
│ │ kNN graph rebuild (every 10s) │ │
│ │ Boundary analysis (fragility) │ │
│ │ Temporal coherence (phase detect) │ │
│ │ Reflex rules (alarm triggers) │ │
│ ├────────────────────────────────────────┤ │
│ │ Existing Sensors │ │
│ │ BME280 → temp/humidity/pressure │ │
│ │ PIR → motion ground truth │ │
│ │ Reed switch → door/window state │ │
│ │ ADS1115 → analog inputs │ │
│ └────────────────────────────────────────┘ │
│ │
│ Outputs: │
│ • /api/v1/store/query — kNN search │
│ • /api/v1/boundary — fragility score │
│ • /api/v1/coherence/profile — phases │
│ • /api/v1/cognitive/snapshot — graph │
│ • /api/v1/custody/attestation — signed │
│ • MCP proxy — 114 tools for AI agents │
└────────────────────────────────────────────┘
```
### Stage 1: ESP32 Feature Vector Extraction
The ESP32 edge processing pipeline (Core 1) already computes all signals needed. We add a compact 8-dimensional feature vector extracted from the existing DSP outputs:
| Dimension | Feature | Source | Range |
|-----------|---------|--------|-------|
| 0 | Presence score | `s_presence_score / 10.0` (clamped) | 0.01.0 |
| 1 | Motion energy | `s_motion_energy / 10.0` (clamped) | 0.01.0 |
| 2 | Breathing rate | `s_breathing_bpm / 30.0` (clamped) | 0.01.0 |
| 3 | Heart rate | `s_heartrate_bpm / 120.0` (clamped) | 0.01.0 |
| 4 | Phase variance (mean) | Top-K subcarrier Welford variance mean | 0.01.0 |
| 5 | Person count | `n_active_persons / 4.0` (clamped) | 0.01.0 |
| 6 | Fall detected | Binary: 1.0 if `s_fall_detected`, else 0.0 | 0.0 or 1.0 |
| 7 | RSSI (normalized) | `(s_latest_rssi + 100) / 100` (clamped) | 0.01.0 |
This maps directly to the Seed's store dimension of 8, enabling kNN queries like "find the 10 most similar sensing states to the current one."
**Packet format** (magic `0xC5110003`, defined as `edge_feature_pkt_t` in `edge_processing.h`):
```c
typedef struct __attribute__((packed)) {
uint32_t magic; // EDGE_FEATURE_MAGIC = 0xC5110003
uint8_t node_id; // ESP32 node identifier
uint8_t reserved; // alignment padding
uint16_t seq; // sequence number
int64_t timestamp_us; // microseconds since boot
float features[8]; // 8-dim normalized feature vector (32 bytes)
} edge_feature_pkt_t; // Total: 48 bytes (static_assert enforced)
```
**Transmission rate:** 1 Hz (one feature vector per second, aggregated from 100 Hz CSI). This keeps UDP bandwidth under 50 bytes/s per node and avoids overwhelming the Seed's vector store.
### Stage 2: Seed-Side RVF Ingest
A lightweight Rust service on the Seed (or a Python bridge script) listens for feature packets on UDP port 5006 and ingests them via the Seed's REST API:
```bash
# Ingest a feature vector with metadata
curl -sk -X POST https://169.254.42.1:8443/api/v1/store/ingest \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"vectors": [[0, [0.85, 0.3, 0.52, 0.65, 0.4, 0.78, 0.1, -0.45]]],
"metadata": {
"node_id": 1,
"type": "csi_feature",
"timestamp": 1775166970
}
}'
```
**Batching:** Accumulate 10 vectors (10 seconds) per ingest call to reduce HTTP overhead (`--batch-size 10` default in `seed_csi_bridge.py`; also supports time-based flushing via `--flush-interval`). At 1 vector/second per node, a 4-node mesh generates 14,400 vectors/hour (345,600/day). Daily compaction is required to stay within the Seed's 100K vector working set (see Storage Budget).
**Witness chain:** Each ingest automatically appends a witness entry, providing a tamper-evident record of all sensing data. The epoch increments monotonically, and the SHA-256 chain can be verified at any time via `POST /api/v1/witness/verify`.
### Stage 3: Cognitive Analysis & Sensor Fusion
Once CSI feature vectors are in the RVF store, the Seed's existing subsystems activate:
1. **kNN Graph** — Rebuilt every 10 seconds. Similar sensing states cluster together. Anomalous states (intruder, fall, unusual breathing) appear as outliers.
2. **Boundary Analysis** — Stoer-Wagner min-cut computes a fragility score (0.01.0). High fragility indicates the vector space is splitting — a regime change in the environment (door opened, person entered/left, HVAC state change).
3. **Temporal Coherence** — Phase boundary detection across the vector store timeline identifies when the environment transitions between states (occupied → empty, day → night, normal → abnormal).
4. **Reflex Rules** — Three pre-configured rules fire automatically:
- `fragility_alarm` (threshold 0.3) → relay actuator for presence alert
- `drift_cutoff` (threshold 1.0) → cutoff when sensor drift detected
- `hd_anomaly_indicator` (threshold 200) → PWM brightness for anomaly severity
5. **Sensor Fusion** — The Seed's BME280 (temperature/humidity/pressure) and PIR sensor provide environmental ground truth that correlates with CSI features:
- PIR motion validates CSI presence detection
- Temperature changes correlate with occupancy
- Humidity changes correlate with breathing detection fidelity
6. **MCP Integration** — AI assistants can query the full pipeline via the 114-tool MCP proxy:
```json
{"method": "tools/call", "params": {"name": "seed.memory.query", "arguments": {"vector": [0.8, 0.5, 0.4, 0.6, 0.3, 0.7, 0.1, -0.3], "k": 5}}}
```
### ESP32 Provisioning
The ESP32's existing NVS provisioning system supports configuring the Seed as the target:
```bash
python firmware/esp32-csi-node/provision.py \
--port COM9 \
--target-ip 192.168.1.20 \
--target-port 5006 \
--node-id 1
```
Note: `--target-ip` is the host laptop (192.168.1.20), not the Seed IP, because the bridge runs on the host and forwards to the Seed via HTTPS (see Known Issue 4).
No firmware recompilation needed — the `stream_sender` module reads target IP/port from NVS at boot.
### Data Flow Rates
| Path | Rate | Size | Bandwidth |
|------|------|------|-----------|
| CSI capture → ring buffer | 100 Hz | ~400 B | 40 KB/s (internal) |
| Edge DSP → sensing-server | 100 Hz | ~200 B | 20 KB/s (existing) |
| Edge DSP → Seed features | 1 Hz | 48 B | 48 B/s (new) |
| Seed ingest (batched) | 0.1 Hz | ~500 B | 50 B/s (HTTP) |
| Seed kNN graph rebuild | 0.1 Hz | internal | — |
| Seed witness chain | per batch | 32 B hash | — |
### Storage Budget
| Timeframe | Vectors/node | 4 nodes | RVF size | RAM |
|-----------|-------------|---------|----------|-----|
| 1 hour | 3,600 | 14,400 | ~580 KB | ~6 MB |
| 24 hours | 86,400 | 345,600 | ~14 MB | ~140 MB |
| 7 days | 604,800 | 2,419,200 | ~97 MB | exceeds |
**Compaction policy:** Run `POST /api/v1/store/compact` daily at 03:00, retaining only the last 24 hours of vectors. Archive older vectors to USB drive via `POST /api/v1/store/export` before compaction.
**Dimension reduction:** For deployments exceeding 100K vectors, reduce feature extraction rate to 0.1 Hz (one vector per 10 seconds) or increase compaction frequency.
## Validation Results
**Live hardware test performed 2026-04-02.**
### Hardware Under Test
| Component | Port | IP | Firmware | WiFi | RSSI |
|-----------|------|----|----------|------|------|
| ESP32-S3 (8MB) | COM9 | 192.168.1.105 | v0.5.2 | ruv.net (ch 5) | -34 dBm |
| Cognitum Seed | USB | 169.254.42.1 / 192.168.1.109 | v0.8.1 | ruv.net | — |
| Host laptop | — | 192.168.1.20 | — | ruv.net | — |
Seed device_id: `ecaf97dd-fc90-4b0e-b0e7-e9f896b9fbb6`. Pairing token issued to `wifi-densepose-claude`.
### Pipeline Validated
1. **UDP streaming** -- 211 packets captured in 15 seconds:
- 196 raw CSI frames (magic `0xC5110001`)
- 15 vitals frames (magic `0xC5110002`)
2. **Bridge pipeline** -- 20 vitals packets (`0xC5110002`) parsed, converted to 8-dim feature vectors via the bridge's `parse_vitals_packet()` fallback path, ingested in 4 batches of 5 vectors each (`--batch-size 5`). The native `0xC5110003` feature packet path is implemented in firmware but was not exercised in this validation run (firmware was v0.5.2; the `send_feature_vector()` addition requires a reflash).
3. **RVF ingest** -- All 20 vectors accepted by Seed. Epochs advanced 88 to 91. Witness chain verified valid (193 entries, SHA-256 chain intact).
4. **Seed sensors** -- BME280, PIR, reed switch, ADS1115, vibration sensor all present and healthy.
### Live Vital Signs Captured
| Metric | Observed Range | Expected | Notes |
|--------|---------------|----------|-------|
| Presence score | 1.41 -- 14.92 | 0.0 -- 1.0 | **Needs normalization** (see Known Issues) |
| Motion energy | 1.41 -- 14.92 | 0.0 -- 1.0 | Same raw value as presence score |
| Breathing rate | 19.8 -- 33.5 BPM | 12 -- 25 BPM | Plausible but slightly high |
| Heart rate | 75.3 -- 99.1 BPM | 60 -- 100 BPM | Plausible range |
| RSSI | -43 to -72 dBm | -30 to -80 dBm | Normal |
| Fall detected | No | — | Correct (no falls occurred) |
| n_persons | 4 | 1 | **Miscalibrated** (see Known Issues) |
### Known Issues Found
1. **`presence_score` exceeds 1.0 in vitals packets** -- Raw values range 1.41 to 14.92 in the vitals packet (`0xC5110002`). The bridge's vitals-to-feature conversion clamps to 1.0 for dim 0 and divides by 10.0 for dim 1 (`motion_energy / 10.0`), but dim 0 clamps without scaling. **Note:** The firmware's native feature vector (`0xC5110003`) already normalizes correctly by dividing `s_presence_score` by 10.0 (see `edge_processing.c` line 657). This issue only affects the vitals-packet fallback path in the bridge.
2. **`n_persons = 4` with 1 person present** -- The multi-person counting algorithm is miscalibrated for single-occupancy scenarios. The per-node state pipeline (ADR-068) may mitigate this when the baseline is properly trained, but the raw edge count is unreliable.
3. **Content-addressed vector IDs cause deduplication** -- Similar feature vectors hash to the same ID, causing the Seed to silently drop duplicates. **Fixed in bridge:** `seed_csi_bridge.py` now uses `_make_vector_id()` which generates a SHA-256 hash of `node_id:timestamp_us:seq_counter`, producing unique 32-bit IDs. This was observed during validation and fixed before the final test run.
4. **Bridge runs on host, not Seed** -- The ESP32 target IP must be the host laptop (192.168.1.20), not the Seed IP. The bridge script on the host forwards to the Seed via HTTPS. This adds a hop but avoids running a UDP listener on the Pi Zero 2 W.
5. **PIR GPIO read returned 404** -- `GET /api/v1/sensor/gpio/read?pin=6` returned 404. The PIR endpoint may require a different pin number or endpoint format. Ground-truth validation against PIR is deferred to Phase 3.
## Implementation Plan
### Phase 1: ESP32 Feature Extraction (firmware change) -- DONE
Implemented as `send_feature_vector()` in `edge_processing.c` (lines 644-699) and `edge_feature_pkt_t` in `edge_processing.h` (lines 112-124). The function reads from static globals (`s_presence_score`, `s_motion_energy`, `s_breathing_bpm`, `s_heartrate_bpm`, subcarrier Welford variance, person tracker, fall flag, RSSI) and normalizes each dimension to 0.0-1.0 with clamping.
Called at the same 1 Hz cadence as `send_vitals_packet()` in Step 13 of the edge processing pipeline (line 855). The compressed frame magic was reassigned from `0xC5110003` to `0xC5110005` to free up `0xC5110003` for feature vectors (`EDGE_COMPRESSED_MAGIC` in `edge_processing.h` line 29).
### Phase 2: Seed Ingest Bridge (Python script on host) -- DONE
Implemented as `scripts/seed_csi_bridge.py`. The bridge:
1. Listens on UDP port 5006 (configurable via `--udp-port`)
2. Accepts all three packet formats: `0xC5110003` (ADR-069 features), `0xC5110002` (vitals, converted to 8-dim), and `0xC5110001` (raw CSI, minimal features)
3. Generates unique vector IDs via SHA-256 hash of `node_id:timestamp:seq` (avoids content-addressed deduplication -- see Known Issue 3)
4. Batches vectors (default 10, configurable via `--batch-size`) with time-based flush fallback (`--flush-interval`)
5. POSTs to Seed's `/api/v1/store/ingest` with bearer token
6. Supports `--validate` mode (kNN query + PIR comparison after each batch)
7. Supports `--stats` mode (print Seed status, boundary, coherence, graph)
8. Supports `--compact` mode (trigger store compaction)
### Phase 3: Validation & Ground Truth -- BLOCKED
Use the Seed's PIR sensor as ground truth for presence detection:
1. Query PIR state: `GET /api/v1/sensor/gpio/read?pin=6`
2. Compare with CSI presence score (feature dim 0)
3. Log agreement/disagreement rate
4. Use kNN to find historical vectors matching current PIR state → validate CSI accuracy
**Status:** The bridge implements `--validate` mode with PIR comparison (see `_run_validation()` in `seed_csi_bridge.py`). However, the PIR endpoint returned 404 during validation (Known Issue 5). This phase is blocked until the correct PIR API endpoint is identified.
### Phase 4: Multi-Node Mesh (addresses #348)
Deploy 3 ESP32 nodes, each sending feature vectors to the bridge host (which forwards to the Seed):
- Node 1 (lobby): `--node-id 1 --target-ip 192.168.1.20 --target-port 5006`
- Node 2 (hallway): `--node-id 2 --target-ip 192.168.1.20 --target-port 5006`
- Node 3 (room): `--node-id 3 --target-ip 192.168.1.20 --target-port 5006`
All nodes target the host laptop (192.168.1.20) where the bridge script runs. The bridge batches and forwards all nodes' vectors to the Seed via HTTPS. The Seed's kNN graph naturally clusters vectors by node and by sensing state. Cross-node analysis via boundary fragility detects when a person moves between zones.
## Security Considerations
1. **Bearer token** — All write operations require the pairing token. Token stored as SHA-256 hash on device.
2. **TLS** — All API calls over HTTPS (port 8443) with device-provisioned CA certificate.
3. **Witness chain** — Every ingest is cryptographically chained. Tampering detection via `POST /api/v1/witness/verify`.
4. **Ed25519 attestation** — Device identity bound to hardware keypair. Attestation includes epoch, vector count, and witness head.
5. **Anti-spoofing** — Sensor pipeline has entropy-based spoofing detection (min 0.5 bits entropy, streak threshold 3).
6. **USB-only pairing** — Pairing window can only be opened from USB interface (169.254.42.1), not from WiFi.
## Hardware Bill of Materials
| Component | Port | IP | Cost |
|-----------|------|----|------|
| ESP32-S3 (8MB) | COM9 | 192.168.1.105 (DHCP) | ~$9 |
| Cognitum Seed (Pi Zero 2W) | USB | 169.254.42.1 / 192.168.1.109 | ~$15 |
| USB-C cable (data) | — | — | ~$3 |
| **Total** | | | **~$27** |
### Seed Sensors (included)
| Sensor | Interface | Channels | Purpose |
|--------|-----------|----------|---------|
| Reed switch | GPIO 5 | 1 | Door/window state |
| PIR motion | GPIO 6 | 1 | Motion ground truth |
| Vibration | GPIO 13 | 1 | Structural vibration |
| ADS1115 | I2C 0x48 | 4 | Analog inputs (extensible) |
| BME280 | I2C 0x76 | 3 | Temperature, humidity, pressure |
## Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| Pi Zero thermal throttling at sustained ingest | Medium | Performance degrades | Thermal governor already manages DVFS; 1 Hz ingest is minimal load |
| WiFi congestion with ESP32 CSI + UDP | Low | Lost packets | Feature vectors are 48 bytes at 1 Hz; negligible vs CSI traffic |
| RVF store exceeds RAM at high vector count | Medium | OOM | Compaction policy + dimension reduction + daily export |
| Bearer token exposure | Low | Unauthorized writes | TLS encryption + USB-only pairing + token hashing |
| ESP32 NVS corruption | Low | Config lost | NVS is wear-leveled flash with CRC; re-provision via USB |
## Consequences
### Positive
- ESP32 CSI features become persistent, searchable, and cryptographically attested
- kNN similarity search enables environment fingerprinting and anomaly detection
- PIR + BME280 provide ground truth for CSI validation
- MCP proxy enables AI assistants to query sensing state directly
- Witness chain provides audit trail for healthcare/safety applications
- Architecture aligns with Arena Physica's insight: store embeddings, not raw signals
### Negative
- Additional firmware packet type (48 bytes, trivial)
- Bridge script needed on Seed or host machine
- Daily compaction required for long-running deployments
- Bearer token must be managed (stored securely, rotated if compromised)
### Neutral
- Existing sensing-server pipeline unchanged (ESP32 still sends to port 5005)
- Seed's existing sensors continue operating independently
- Target IP/port configurable via NVS provisioning (no recompilation for deployment changes)
- Firmware recompilation needed once to add `send_feature_vector()` (Phase 1), but subsequent node deployments only need provisioning
api-docs/adr/ADR-070-self-supervised-pretraining.md
+203
View File
@@ -0,0 +1,203 @@
# ADR-070: Self-Supervised Pretraining from Live ESP32 CSI + Cognitum Seed
| Field | Value |
|------------|----------------------------------------------------------|
| Status | Accepted |
| Date | 2026-04-02 |
| Authors | rUv, claude-flow |
| Drivers | README limitation "No pre-trained model weights provided"|
| Related | ADR-069 (Cognitum Seed pipeline), ADR-027 (MERIDIAN), ADR-024 (AETHER contrastive), ADR-015 (MM-Fi dataset) |
## Context
The README lists "No pre-trained model weights are provided; training from scratch is required" as a known limitation. Users must collect their own CSI dataset and train from scratch, which is a significant barrier to adoption.
We now have the infrastructure to generate pre-trained weights directly from live hardware:
- **2 ESP32-S3 nodes** (COM8 node_id=2 at 192.168.1.104, COM9 node_id=1 at 192.168.1.105) streaming CSI + vitals + 8-dim feature vectors at 1 Hz each
- **Cognitum Seed** (Pi Zero 2 W) with RVF vector store, kNN search, witness chain, and environmental sensors (BME280, PIR, vibration)
- **Recording API** in sensing-server (`POST /api/v1/recording/start`) that saves CSI frames to `.csi.jsonl`
- **Self-supervised training** via `rapid_adapt.rs` (contrastive TTT + entropy minimization)
- **AETHER contrastive embeddings** (ADR-024) for environment-independent representations
### Why Self-Supervised?
No cameras or labels are needed. The system learns from:
1. **Temporal coherence** — Frames close in time should have similar embeddings (positive pairs), frames far apart should differ (negative pairs)
2. **Multi-node consistency** — The same person seen from 2 nodes should produce correlated features, different people should produce decorrelated features
3. **Cognitum Seed ground truth** — PIR sensor, BME280 environment changes, and kNN cluster transitions provide weak supervision without human labeling
4. **Physical constraints** — Breathing 6-30 BPM, heart rate 40-150 BPM, person count 0-4, RSSI physics
## Decision
Implement a 4-phase pretraining pipeline that collects CSI from 2 ESP32 nodes, stores feature vectors in the Cognitum Seed, and produces distributable pre-trained weights.
### Phase 1: Data Collection (30 min)
Capture labeled scenarios using the sensing-server recording API and Cognitum Seed:
| Scenario | Duration | Label | Activity |
|----------|----------|-------|----------|
| Empty room | 5 min | `empty` | No one present, establish baseline |
| 1 person stationary | 5 min | `1p-still` | Sit at desk, normal breathing |
| 1 person walking | 5 min | `1p-walk` | Walk around room, varied paths |
| 1 person varied | 5 min | `1p-varied` | Stand, sit, wave arms, turn |
| 2 people | 5 min | `2p` | Both moving in room |
| Transitions | 5 min | `transitions` | Enter/exit room, appear/disappear |
**Data rate per scenario:**
- 2 nodes × 100 Hz CSI = 200 frames/sec = 60,000 frames per 5 min
- 2 nodes × 1 Hz features = 2 vectors/sec = 600 vectors per 5 min
- Total: 360,000 CSI frames + 3,600 feature vectors per collection run
**Cognitum Seed role:**
- Stores all feature vectors with witness chain attestation
- PIR sensor provides binary presence ground truth
- BME280 tracks environmental conditions during collection
- kNN graph clusters naturally emerge from the vector distribution
### Phase 2: Contrastive Pretraining
Train a contrastive encoder on the collected CSI data:
```
Input: Raw CSI frame (128 subcarriers × 2 I/Q = 256 features)
TCN temporal encoder (3 layers, kernel=7)
Projection head → 128-dim embedding
Contrastive loss (InfoNCE):
positive: frames within 0.5s window from same node
negative: frames >5s apart or from different scenario
cross-node positive: same timestamp, different node
```
**Self-supervised signals:**
- Temporal adjacency (frames within 500ms = positive pair)
- Cross-node agreement (same person seen from 2 viewpoints)
- PIR consistency (embedding should cluster by PIR state)
- Scenario boundary (embeddings should shift at label transitions)
### Phase 3: Downstream Head Training
Attach lightweight heads for each task:
| Head | Architecture | Output | Supervision |
|------|-------------|--------|-------------|
| Presence | Linear(128→1) + sigmoid | 0.0-1.0 | PIR sensor (free) |
| Person count | Linear(128→4) + softmax | 0-3 people | Scenario labels |
| Activity | Linear(128→4) + softmax | still/walk/varied/empty | Scenario labels |
| Vital signs | Linear(128→2) | BR, HR (BPM) | ESP32 edge vitals |
### Phase 4: Package & Distribute
Produce distributable artifacts:
| Artifact | Format | Size | Description |
|----------|--------|------|-------------|
| `pretrained-encoder.onnx` | ONNX | ~2 MB | Contrastive encoder (TCN backbone) |
| `pretrained-heads.onnx` | ONNX | ~100 KB | Task-specific heads |
| `pretrained.rvf` | RVF | ~500 KB | RuVector format with metadata |
| `room-profiles.json` | JSON | ~10 KB | Environment calibration profiles |
| `collection-witness.json` | JSON | ~5 KB | Seed witness chain attestation proving data provenance |
Include in GitHub release alongside firmware binaries. Users download and run:
```bash
# Use pre-trained model (no training needed)
cargo run -p wifi-densepose-sensing-server -- --model pretrained.rvf --http-port 3000
```
## Hardware Setup
```
192.168.1.20 (Host laptop)
┌──────────────────────────┐
│ sensing-server │
│ Recording API │
│ Training pipeline │
│ │
│ seed_csi_bridge.py │
│ Feature → Seed ingest │
└────┬──────────┬───────────┘
│ │
UDP:5006 │ │ HTTPS:8443
┌───────────────────┤ ├───────────────┐
│ │ │ │
▼ ▼ ▼ │
┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ ESP32 #1 │ │ ESP32 #2 │ │Cognitum Seed │◄───┘
│ COM9 │ │ COM8 │ │ Pi Zero 2W │
│ node=1 │ │ node=2 │ │ USB │
│ .1.105 │ │ .1.104 │ │ .42.1/8443 │
│ v0.5.4 │ │ v0.5.4 │ │ v0.8.1 │
└──────────┘ └──────────┘ │ PIR, BME280 │
│ RVF store │
│ Witness chain│
└──────────────┘
```
## Data Collection Protocol
### Step 1: Start Seed ingest (background)
```bash
export SEED_TOKEN="your-token"
python scripts/seed_csi_bridge.py \
--seed-url https://169.254.42.1:8443 --token "$SEED_TOKEN" \
--udp-port 5006 --batch-size 10 --validate &
```
### Step 2: Start sensing-server with recording
```bash
cargo run -p wifi-densepose-sensing-server -- \
--source esp32 --udp-port 5006 --http-port 3000
```
### Step 3: Record each scenario
```bash
# Empty room (leave room for 5 min)
curl -X POST http://localhost:3000/api/v1/recording/start \
-H 'Content-Type: application/json' \
-d '{"session_name":"pretrain-empty","label":"empty","duration_secs":300}'
# 1 person stationary (sit at desk for 5 min)
curl -X POST http://localhost:3000/api/v1/recording/start \
-d '{"session_name":"pretrain-1p-still","label":"1p-still","duration_secs":300}'
# ... repeat for each scenario
```
### Step 4: Verify with Seed
```bash
python scripts/seed_csi_bridge.py --token "$SEED_TOKEN" --stats
# Should show 3,600+ vectors from the collection run
```
## Risks
| Risk | Likelihood | Impact | Mitigation |
|------|-----------|--------|------------|
| 2 nodes insufficient for spatial diversity | Medium | Lower pretraining quality | Place nodes 3-5m apart at different heights |
| PIR sensor has limited range | Low | Weak presence labels | BME280 temp changes + kNN clusters as backup |
| Contrastive pretraining collapses | Low | Useless embeddings | Temperature scheduling, hard negative mining |
| Model too large for ESP32 inference | N/A | N/A | Inference on host/Seed, not on ESP32 |
| Room-specific overfitting | Medium | Poor generalization | MERIDIAN domain randomization (ADR-027), LoRA adaptation |
## Consequences
### Positive
- Users get working model out of the box — no training needed
- Witness chain proves data provenance (when/where/which hardware)
- Pre-trained encoder transfers to new environments via LoRA fine-tuning
- Removes the #1 adoption barrier from the README
### Negative
- 30 min of manual data collection per pretraining run
- Pre-trained weights are room-specific without adaptation
- ONNX runtime dependency for inference
api-docs/adr/ADR-071-ruvllm-training-pipeline.md
+408
View File
@@ -0,0 +1,408 @@
# ADR-071: ruvllm Training Pipeline for CSI Sensing Models
- **Status**: Proposed
- **Date**: 2026-04-02
- **Deciders**: ruv
- **Relates to**: ADR-069 (Cognitum Seed CSI Pipeline), ADR-070 (Self-Supervised Pretraining), ADR-024 (Contrastive CSI Embedding / AETHER), ADR-016 (RuVector Training Pipeline)
## Context
The WiFi-DensePose project needs a training pipeline to convert collected CSI data
(`.csi.jsonl` frames from ESP32 nodes) into deployable models for presence detection,
activity classification, and vital sign estimation.
Previous ADRs established the data collection protocol (ADR-070) and Cognitum Seed
inference target (ADR-069). What was missing was the actual training, refinement,
quantization, and export pipeline connecting raw CSI recordings to deployable models.
### Why ruvllm instead of PyTorch
| Criterion | ruvllm | PyTorch | ONNX Runtime |
|-----------|--------|---------|--------------|
| Runtime dependency | Node.js only | Python + CUDA + pip | C++ runtime |
| Install size | ~5 MB (npm) | ~2 GB (torch+cuda) | ~50 MB |
| SONA adaptation | <1ms native | N/A | N/A |
| Quantization | 2/4/8-bit TurboQuant | INT8/FP16 (separate tool) | INT8 only |
| LoRA fine-tuning | Built-in LoraAdapter | Requires PEFT library | N/A |
| EWC protection | Built-in EwcManager | Manual implementation | N/A |
| SafeTensors export | Native SafeTensorsWriter | Via safetensors library | N/A |
| Contrastive training | Built-in ContrastiveTrainer | Manual triplet loss | N/A |
| Edge deployment | ESP32, Pi Zero, browser | GPU servers only | ARM (limited) |
| M4 Pro performance | 88-135 tok/s native | ~30 tok/s (MPS) | ~50 tok/s |
| Ecosystem integration | RuVector, Cognitum Seed | Standalone | Standalone |
The ruvllm package (`@ruvector/ruvllm` v2.5.4) provides the complete training
lifecycle in a single dependency: contrastive pretraining, task head training,
LoRA refinement, EWC consolidation, quantization, and SafeTensors/RVF export.
No Python dependency means the entire pipeline runs on the same Node.js runtime
as the Cognitum Seed inference engine.
## Decision
Use ruvllm's `ContrastiveTrainer`, `TrainingPipeline`, `LoraAdapter`, `EwcManager`,
`SafeTensorsWriter`, and `ModelExporter` for the complete CSI model training lifecycle.
### Training Phases
The pipeline executes five sequential phases:
#### Phase 1: Contrastive Pretraining
Learns an embedding space where temporally and spatially similar CSI states are close
and dissimilar states are far apart.
- **Encoder architecture**: 8-dim CSI feature vector -> 64-dim hidden (ReLU) -> 128-dim embedding (L2-normalized)
- **Loss functions**: Triplet loss (margin=0.3) + InfoNCE (temperature=0.07)
- **Triplet strategies**:
- Temporal positive: frames within 1 second (same environment state)
- Temporal negative: frames >30 seconds apart (different state)
- Cross-node positive: same timestamp from different ESP32 nodes (same person, different viewpoint)
- Cross-node negative: different timestamp + different node
- Hard negatives: frames near motion energy transition boundaries
- **Hyperparameters**: 20 epochs, batch size 32, hard negative ratio 0.7
- **Implementation**: `ContrastiveTrainer.addTriplet()` + `.train()`
#### Phase 2: Task Head Training
Trains supervised heads on top of the frozen embedding for specific sensing tasks.
- **Presence head**: 128 -> 1 (sigmoid), threshold at presence_score > 0.3
- **Activity head**: 128 -> 3 (softmax: still/moving/empty), derived from motion_energy thresholds
- **Vitals head**: 128 -> 2 (linear: breathing BPM, heart rate BPM), normalized targets
- **Implementation**: `TrainingPipeline.addData()` + `.train()` with cosine LR scheduler,
early stopping (patience=5), and quality-weighted MSE loss
#### Phase 3: LoRA Refinement
Per-node LoRA adapters for room-specific adaptation without forgetting the base model.
- **Configuration**: rank=4, alpha=8, dropout=0.1
- **Per-node training**: Each ESP32 node gets its own LoRA adapter trained on
node-specific data with reduced learning rate (0.5x base)
- **Implementation**: `LoraManager.create()` for each node, `TrainingPipeline` with
`LoraAdapter` passed to constructor
#### Phase 4: Quantization (TurboQuant)
Reduces model size for edge deployment with minimal quality loss.
| Bit Width | Compression | Typical RMSE | Target Device |
|-----------|-------------|-------------|---------------|
| 8-bit | 4x | <0.001 | Cognitum Seed (Pi Zero) |
| 4-bit | 8x | <0.01 | Standard edge inference |
| 2-bit | 16x | <0.05 | ESP32-S3 feature extraction |
- **Method**: Uniform affine quantization with scale/zero-point per tensor
- **Quality validation**: RMSE between original fp32 and dequantized weights
#### Phase 5: EWC Consolidation
Elastic Weight Consolidation prevents catastrophic forgetting when the model
is later fine-tuned on new room data or updated CSI conditions.
- **Fisher information**: Computed from training data gradients
- **Lambda**: 2000 (base), 3000 (per-node)
- **Tasks registered**: Base pretraining + one per ESP32 node
- **Implementation**: `EwcManager.registerTask()` for each training phase
### Data Pipeline
```
.csi.jsonl files
|
v
Parse frames: feature (8-dim), vitals, raw CSI
|
v
Generate contrastive triplets (temporal, cross-node, hard negatives)
|
v
Encode through CsiEncoder (8 -> 64 -> 128)
|
v
Phase 1: ContrastiveTrainer (triplet + InfoNCE loss)
|
v
Phase 2: TrainingPipeline (presence + activity + vitals heads)
|
v
Phase 3: LoRA per-node refinement
|
v
Phase 4: TurboQuant (2/4/8-bit quantization)
|
v
Phase 5: EWC consolidation
|
v
Export: SafeTensors, JSON config, RVF manifest, per-node LoRA adapters
```
### Export Formats
| Format | File | Consumer |
|--------|------|----------|
| SafeTensors | `model.safetensors` | HuggingFace ecosystem, general inference |
| JSON config | `config.json` | Model loading metadata |
| JSON model | `model.json` | Full model state for Node.js loading |
| Quantized binaries | `quantized/model-q{2,4,8}.bin` | Edge deployment |
| Per-node LoRA | `lora/node-{id}.json` | Room-specific adaptation |
| RVF manifest | `model.rvf.jsonl` | Cognitum Seed ingest (ADR-069) |
| Training metrics | `training-metrics.json` | Dashboards, CI validation |
### Hardware Targets
| Device | Role | Quantization | Expected Latency |
|--------|------|-------------|-----------------|
| Mac Mini M4 Pro | Training (primary) | fp32 | <5 min total |
| Cognitum Seed Pi Zero | Inference | 4-bit / 8-bit | <10 ms per frame |
| ESP32-S3 | Feature extraction only | 2-bit (encoder weights) | <5 ms per frame |
| Browser (WASM) | Visualization | 4-bit | <20 ms per frame |
### Performance Targets
| Metric | Target | Measured |
|--------|--------|----------|
| Training time (5,783 frames, M4 Pro) | <5 min | TBD |
| Inference latency (M4 Pro) | <1 ms | TBD |
| Inference latency (Pi Zero) | <10 ms | TBD |
| SONA adaptation | <1 ms | <0.05 ms (ruvllm spec) |
| Presence detection accuracy | >85% | TBD |
| 4-bit quality loss (RMSE) | <0.01 | TBD |
| 2-bit quality loss (RMSE) | <0.05 | TBD |
## Consequences
### Positive
- **Zero Python dependency**: The entire training and inference pipeline runs on
Node.js, eliminating Python/CUDA/pip dependency management on training and
deployment targets.
- **Integrated lifecycle**: Contrastive pretraining, task heads, LoRA refinement,
EWC consolidation, and quantization in a single script using one library.
- **Edge-first**: 2-bit quantization enables running the encoder on ESP32-S3.
4-bit quantization fits comfortably on Cognitum Seed Pi Zero.
- **Continual learning**: EWC protection means the model can be updated with new
room data without losing previously learned patterns.
- **Per-node adaptation**: LoRA adapters allow room-specific fine-tuning with
minimal storage overhead (rank-4 adapter ~2KB per node).
- **HuggingFace compatibility**: SafeTensors export enables sharing models on the
HuggingFace Hub and loading in other frameworks.
- **Reproducibility**: Seeded encoder initialization and deterministic data pipeline
ensure reproducible training runs.
### Negative
- **No GPU acceleration**: ruvllm's JS training loop does not use GPU compute.
For the small model sizes in CSI sensing (8->64->128), this is acceptable
(~seconds on M4 Pro), but would not scale to large vision models.
- **Simplified backpropagation**: The LoRA backward pass and contrastive training
use approximate gradient updates rather than full automatic differentiation.
Sufficient for the target model sizes but not equivalent to PyTorch autograd.
- **Quantization is post-training only**: No quantization-aware training (QAT).
For 4-bit and 8-bit this produces acceptable quality loss; 2-bit may need
QAT in future if quality degrades.
### Risks
- **Quality ceiling**: The simplified training may produce lower accuracy than a
PyTorch-trained equivalent. Mitigated by: (a) the model is small enough that
the training loop converges quickly, (b) SONA adaptation can compensate at
inference time, (c) we can switch to PyTorch for training only if needed
while keeping ruvllm for inference.
- **ruvllm API stability**: The library is at v2.5.4 with active development.
Mitigated by vendoring the package in `vendor/ruvector/npm/packages/ruvllm/`.
## Implementation
### Scripts
| Script | Purpose |
|--------|---------|
| `scripts/train-ruvllm.js` | Full 5-phase training pipeline |
| `scripts/benchmark-ruvllm.js` | Model benchmarking (latency, quality, accuracy) |
### Usage
```bash
# Train on collected CSI data
node scripts/train-ruvllm.js \
--data data/recordings/pretrain-1775182186.csi.jsonl \
--output models/csi-v1 \
--epochs 20
# Train with benchmark
node scripts/train-ruvllm.js \
--data data/recordings/pretrain-*.csi.jsonl \
--output models/csi-v1 \
--benchmark
# Standalone benchmark
node scripts/benchmark-ruvllm.js \
--model models/csi-v1 \
--data data/recordings/pretrain-*.csi.jsonl \
--samples 5000 \
--json
```
### Output Structure
```
models/csi-v1/
model.safetensors # SafeTensors (HuggingFace compatible)
config.json # Model configuration
model.json # Full JSON model state
model.rvf.jsonl # RVF manifest for Cognitum Seed
training-metrics.json # Training loss curves, timing, config
contrastive/
triplets.jsonl # Contrastive training pairs
triplets.csv # CSV format for analysis
embeddings.json # Embedding matrices
quantized/
model-q2.bin # 2-bit quantized (ESP32 edge)
model-q4.bin # 4-bit quantized (Pi Zero default)
model-q8.bin # 8-bit quantized (high quality)
lora/
node-1.json # LoRA adapter for ESP32 node 1
node-2.json # LoRA adapter for ESP32 node 2
```
## Camera-Free Supervision
### Motivation
Traditional WiFi-based pose estimation (WiFlow, Person-in-WiFi) requires camera-supervised
training: a camera captures ground-truth poses during CSI collection, and the model learns
to map CSI to those poses. This creates a deployment paradox — the camera is needed for
training but the whole point of WiFi sensing is to avoid cameras.
The camera-free pipeline (`scripts/train-camera-free.js`) replaces camera supervision with
10 sensor signals from the Cognitum Seed and 2 ESP32 nodes, generating weak labels through
sensor fusion.
### 10 Supervision Signals (No Camera)
| # | Signal | Source | Provides |
|---|--------|--------|----------|
| 1 | PIR sensor | Seed GPIO 6 | Binary presence ground truth |
| 2 | BME280 temperature | Seed I2C 0x76 | Occupancy proxy (temp rises with people) |
| 3 | BME280 humidity | Seed I2C 0x76 | Breathing confirmation / zone |
| 4 | Cross-node RSSI | 2 ESP32 nodes | Rough XY position (differential triangulation) |
| 5 | Vitals stability | ESP32 CSI | HR/BR variance indicates activity level |
| 6 | Temporal CSI patterns | ESP32 CSI | Periodic=walking, stable=sitting, flat=empty |
| 7 | kNN cluster labels | Seed vector store | Natural groupings in embedding space |
| 8 | Boundary fragility | Seed Stoer-Wagner | Regime change detection (entry/exit/activity) |
| 9 | Reed switch | Seed GPIO 5 | Door open/close events |
| 10 | Vibration sensor | Seed GPIO 13 | Footstep detection |
### Camera-Free Training Phases
The pipeline extends the base 5 phases with camera-free-specific phases:
```
Phase 0: Multi-Modal Data Collection
├── UDP port 5006 → ESP32 CSI features + vitals
├── HTTPS → Seed sensor embeddings (45-dim, every 100ms)
├── HTTPS → Seed boundary/coherence (every 10s)
└── Build synchronized MultiModalFrame timeline
Phase 1: Weak Label Generation
├── Presence: PIR || CSI_presence > 0.3 || temp_rising > 0.1°C/min
├── Position: RSSI differential → 5×5 grid (25 zones)
├── Activity: CSI variance + FFT periodicity → stationary/walking/gesture/empty
├── Occupancy: max(node1_persons, node2_persons) validated by temp
├── Body region: upper/lower subcarrier groups → which body part moves
├── Entry/exit: reed_switch + PIR transition + boundary fragility spike
├── Breathing zone: humidity change rate → person location
└── Pose proxy: 5-keypoint coarse pose from RSSI + subcarrier asymmetry + vibration
Phase 2: Enhanced Contrastive Pretraining
├── Base triplets (temporal, cross-node, transition, scenario boundary)
├── Sensor-verified negatives: PIR=0 vs PIR=1 must differ
├── Activity boundary: before/after fragility spike must differ
└── Cross-modal: CSI embedding ≈ Seed embedding for same state
Phase 3: Pose Proxy Training (5-keypoint)
├── Head: RSSI centroid between 2 nodes
├── Hands: per-subcarrier variance asymmetry (left/right from 2 nodes)
├── Feet: vibration sensor + RSSI ground reflection
└── Skeleton physics constraints (anthropometric bone length limits)
Phase 4: 17-Keypoint Interpolation
├── Shoulders = 0.3 × head + 0.7 × hands
├── Elbows = midpoint(shoulder, hand)
├── Hips = midpoint(head, feet)
├── Knees = midpoint(hip, foot)
├── Face = derived from head position
└── Iterative bone length constraint projection (3 iterations)
Phase 5: Self-Refinement Loop (3 rounds)
├── Run inference on all collected data
├── Keep predictions where temporal consistency confidence > 0.8
├── Use as pseudo-labels for next training round
└── Decaying learning rate per round (diminishing returns)
```
### Seed API Endpoints Used
| Endpoint | Data | Collection Rate |
|----------|------|----------------|
| `GET /api/v1/sensor/stream` | SSE sensor readings | Continuous (100ms) |
| `GET /api/v1/sensor/embedding/latest` | 45-dim sensor embedding | Per-frame |
| `GET /api/v1/boundary` | Fragility score | Every 10s |
| `GET /api/v1/coherence/profile` | Temporal phase boundaries | Every 10s |
| `GET /api/v1/store/query` | kNN similarity search | On demand |
| `POST /api/v1/boundary/recompute` | Trigger analysis | On regime change |
### Graceful Degradation
The pipeline works with or without the Cognitum Seed:
| Mode | Signals | Pose Quality |
|------|---------|-------------|
| Full (Seed + 2 ESP32) | 10 signals | 5-keypoint trained, 17-keypoint interpolated |
| CSI-only (2 ESP32) | 3 signals (RSSI, vitals, temporal) | Coarser position/activity only |
| Single node | 2 signals (vitals, temporal) | Presence + activity only |
When the Seed API is unreachable, the pipeline automatically falls back to
CSI-only training, producing the same output format (SafeTensors, HuggingFace,
quantized) with reduced label quality.
### Output Format
Same as the base pipeline (SafeTensors + HuggingFace compatible), plus:
| File | Description |
|------|-------------|
| `pose-decoder.json` | 5-keypoint pose decoder weights |
| `model.rvf.jsonl` | Extended with `camera_free_supervision` record |
| `training-metrics.json` | Includes weak label stats and multi-modal triplet counts |
### Usage
```bash
# Full pipeline with Seed
node scripts/train-camera-free.js \
--data data/recordings/pretrain-*.csi.jsonl \
--seed-url https://169.254.42.1:8443 \
--output models/csi-camerafree-v1
# CSI-only (no Seed)
node scripts/train-camera-free.js \
--data data/recordings/pretrain-*.csi.jsonl \
--no-seed \
--output models/csi-camerafree-v1
# With benchmark
node scripts/train-camera-free.js \
--data data/recordings/*.csi.jsonl \
--benchmark
```
## References
- [ruvllm source](vendor/ruvector/npm/packages/ruvllm/) — v2.5.4
- [ADR-069](ADR-069-cognitum-seed-csi-pipeline.md) — Cognitum Seed CSI Pipeline
- [ADR-070](ADR-070-self-supervised-pretraining.md) — Self-Supervised Pretraining Protocol
- [ADR-024](ADR-024-contrastive-csi-embedding.md) — Contrastive CSI Embedding / AETHER
- [ADR-016](ADR-016-ruvector-training-pipeline.md) — RuVector Training Pipeline Integration
api-docs/adr/ADR-072-wiflow-architecture.md
+238
View File
@@ -0,0 +1,238 @@
# ADR-072: WiFlow Pose Estimation Architecture
- **Status**: Proposed
- **Date**: 2026-04-02
- **Deciders**: ruv
- **Relates to**: ADR-071 (ruvllm Training Pipeline), ADR-070 (Self-Supervised Pretraining), ADR-024 (Contrastive CSI Embedding / AETHER), ADR-069 (Cognitum Seed CSI Pipeline)
## Context
The WiFi-DensePose project needs a neural architecture that can convert raw CSI amplitude
data into 17-keypoint COCO pose estimates. The existing `train-ruvllm.js` pipeline uses a
simple 2-layer FC encoder (8 -> 64 -> 128) that produces contrastive embeddings for
presence detection but cannot output spatial keypoint coordinates.
We evaluated published WiFi-based pose estimation architectures:
| Architecture | Params | Input | Key Innovation | Publication |
|-------------|--------|-------|---------------|-------------|
| **WiFlow** | 4.82M | 540x20 | TCN + AsymConv + Axial Attention | arXiv:2602.08661 |
| WiPose | 11.2M | 3x3x30x20 | 3D CNN + heatmap regression | CVPR 2021 |
| MetaFi++ | 8.6M | 114x30x20 | Transformer + meta-learning | NeurIPS 2023 |
| Person-in-WiFi 3D | 15.3M | Multi-antenna | Deformable attention + 3D | CVPR 2024 |
WiFlow is the lightest published SOTA architecture, designed specifically for commercial
WiFi hardware. Its key advantage is operating on CSI amplitude only (no phase), which
is critical for ESP32-S3 where phase calibration is unreliable.
### Why WiFlow
1. **Lightest SOTA**: 4.82M parameters at original scale; our adaptation targets ~2.5M
2. **Amplitude-only**: Discards phase, which is noisy on consumer hardware
3. **Published architecture**: Fully specified in arXiv:2602.08661, reproducible
4. **Temporal modeling**: TCN with dilated causal convolutions captures motion dynamics
5. **Efficient attention**: Axial attention reduces O(H^2W^2) to O(H^2W + HW^2)
6. **Proven on commercial WiFi**: Validated on commodity Intel 5300 and Atheros hardware
## Decision
Implement the WiFlow architecture in pure JavaScript (ruvllm native) with the following
adaptations for our ESP32 single TX/RX deployment.
### Architecture Overview
```
CSI Amplitude [128, 20]
|
Stage 1: TCN (Dilated Causal Conv)
dilation = (1, 2, 4, 8), kernel = 7
128 -> 256 -> 192 -> 128 channels
|
Stage 2: Asymmetric Conv Encoder
1xk conv (k=3), stride (1,2)
[1, 128, 20] -> [256, 8, 20]
|
Stage 3: Axial Self-Attention
Width (temporal): 8 heads
Height (feature): 8 heads
|
Decoder: Adaptive Avg Pool + Linear
[256, 8, 20] -> pool -> [2048] -> [17, 2]
|
17 COCO Keypoints [x, y] in [0, 1]
```
### Our Adaptation vs Original WiFlow
| Aspect | WiFlow Original | Our Adaptation | Reason |
|--------|----------------|----------------|--------|
| Input channels | 540 (18 links x 30 SC) | 128 (1 TX x 1 RX x 128 SC) | Single ESP32 link |
| Time steps | 20 | 20 | Same |
| TCN channels | 540 -> 256 -> 128 -> 64 | 128 -> 256 -> 192 -> 128 | Proportional reduction |
| Spatial blocks | 4 (stride 2) | 4 (stride 2) | Same |
| Attention heads | 8 | 8 | Same |
| Parameters | 4.82M | ~1.8M | Fewer input channels |
| Input type | Amplitude only | Amplitude only | Same |
| Output | 17 x 2 | 17 x 2 | Same |
### Parameter Budget Breakdown
| Stage | Parameters | % of Total |
|-------|-----------|------------|
| TCN (4 blocks, k=7, d=1,2,4,8) | ~969K | 54% |
| Asymmetric Conv (4 blocks, 1x3, stride 2) | ~174K | 10% |
| Axial Attention (width + height, 8 heads) | ~592K | 33% |
| Pose Decoder (pool + linear -> 17x2) | ~70K | 4% |
| **Total** | **~1.8M** | **100%** |
### Loss Function
```
L = L_H + 0.2 * L_B
L_H = SmoothL1(predicted, target, beta=0.1)
L_B = (1/14) * sum_b (bone_length_b - prior_b)^2
```
14 bone connections enforce anatomical constraints:
- Nose-eye (x2): 0.06
- Eye-ear (x2): 0.06
- Shoulder-elbow (x2): 0.15
- Elbow-wrist (x2): 0.13
- Shoulder-hip (x2): 0.26
- Hip-knee (x2): 0.25
- Knee-ankle (x2): 0.25
- Shoulder width: 0.20
All lengths normalized to person height.
### Training Strategy (Camera-Free Pipeline)
Since we have no ground-truth pose labels from cameras, training proceeds in three phases:
#### Phase 1: Contrastive Pretraining
- Temporal triplets: adjacent windows are positive pairs, distant windows are negative
- Cross-node triplets: same-time windows from different ESP32 nodes are positive
- Uses ruvllm `ContrastiveTrainer` with triplet + InfoNCE loss
- Learns a representation where similar CSI states cluster together
#### Phase 2: Pose Proxy Training
- Generate coarse pose proxies from vitals data:
- Person detected (presence > 0.3): place standing skeleton at center
- High motion: perturb limb positions proportional to motion energy
- Breathing: add micro-oscillation to torso keypoints
- Train with SmoothL1 + bone constraint loss
- Confidence-weighted updates (higher presence = stronger gradient)
#### Phase 3: Self-Refinement (Future)
- Multi-node consistency: same person seen from different nodes should produce
consistent pose after geometric transform
- Temporal smoothness: adjacent frames should produce similar poses
- Bone constraint tightening: gradually reduce tolerance
### Integration with Existing Pipeline
```
train-ruvllm.js (ADR-071) train-wiflow.js (ADR-072)
| |
| 8-dim features | 128-dim raw CSI amplitude
| -> 128-dim embedding | -> 17x2 keypoint coordinates
| -> presence/activity/vitals | -> bone-constrained pose
| |
+-- ContrastiveTrainer -----+------+
+-- TrainingPipeline -------+------+
+-- LoRA per-node ----------+------+
+-- TurboQuant quantize ----+------+
+-- SafeTensors export -----+------+
```
Both pipelines share the ruvllm infrastructure; WiFlow adds the deeper architecture
for direct pose regression while the simple encoder handles embedding tasks.
### Performance Targets
| Metric | Target | Notes |
|--------|--------|-------|
| PCK@20 | > 80% | On lab data with 2+ nodes |
| Forward latency | < 50ms | Pi Zero 2W at INT8 |
| Model size (INT8) | < 2 MB | TurboQuant |
| Bone violation rate | < 10% | 50% tolerance |
| Temporal jitter | < 3cm | Exponential smoothing |
### Risk Assessment
| Risk | Severity | Mitigation |
|------|----------|------------|
| Single TX/RX has less spatial info than 18 links | High | 2-node multi-static compensates; cross-node fusion from ADR-029 |
| Camera-free labels are coarse | Medium | Bone constraints enforce anatomy; contrastive pretrain provides structure |
| Pure JS too slow for real-time | Medium | INT8 quantization; axial attention is O(H^2W+HW^2) not O(H^2W^2) |
| Overfitting with ~5K frames | Medium | Temporal augmentation + noise + cross-node interpolation |
| Phase not available (amplitude-only) | Low | WiFlow was designed amplitude-only; not a limitation |
## Consequences
### Positive
- Proven SOTA architecture adapted to our hardware constraints
- Pure JavaScript implementation runs everywhere ruvllm runs (Node.js, browser WASM)
- Bone constraints enforce physically plausible outputs even with noisy inputs
- Shares training infrastructure with existing ruvllm pipeline
- Modular: each stage (TCN, AsymConv, Axial, Decoder) is independently testable
### Negative
- ~1.8M parameters is 193x larger than simple CsiEncoder (9,344 params)
- Forward pass is slower (~50ms vs <1ms for simple encoder)
- Camera-free training will produce lower accuracy than supervised WiFlow
- No ground-truth PCK evaluation possible without camera labels
- Axial attention is O(N^2) within each axis, limiting scalability
### Neutral
- FLOPs dominated by TCN (~48%) due to dilated convolutions
- INT8 quantization brings model to ~1.7MB, viable for edge deployment
- Architecture is fixed (no NAS); future work could explore lighter variants
## Implementation
### Files Created
| File | Purpose |
|------|---------|
| `scripts/wiflow-model.js` | WiFlow architecture (all stages, loss, metrics) |
| `scripts/train-wiflow.js` | Training pipeline (contrastive + pose proxy + LoRA + quant) |
| `scripts/benchmark-wiflow.js` | Benchmarking (latency, params, FLOPs, memory, quality) |
| `docs/adr/ADR-072-wiflow-architecture.md` | This document |
### Usage
```bash
# Train on collected data
node scripts/train-wiflow.js --data data/recordings/pretrain-*.csi.jsonl
# Train with more epochs and custom output
node scripts/train-wiflow.js --data data/recordings/*.csi.jsonl --epochs 50 --output models/wiflow-v2
# Contrastive pretraining only (no labels needed)
node scripts/train-wiflow.js --data data/recordings/*.csi.jsonl --contrastive-only
# Benchmark
node scripts/benchmark-wiflow.js
# Benchmark with trained model
node scripts/benchmark-wiflow.js --model models/wiflow-v1
```
### Dependencies
- ruvllm (vendored at `vendor/ruvector/npm/packages/ruvllm/src/`)
- `ContrastiveTrainer`, `tripletLoss`, `infoNCELoss`, `computeGradient`
- `TrainingPipeline`
- `LoraAdapter`, `LoraManager`
- `EwcManager`
- `ModelExporter`, `SafeTensorsWriter`
- No external ML frameworks (no PyTorch, no TensorFlow, no ONNX Runtime)
## References
- WiFlow: arXiv:2602.08661
- COCO Keypoints: https://cocodataset.org/#keypoints-2020
- Axial Attention: Wang et al., "Axial-DeepLab", ECCV 2020
- TCN: Bai et al., "An Empirical Evaluation of Generic Convolutional and Recurrent Networks for Sequence Modeling", 2018
api-docs/adr/ADR-073-multifrequency-mesh-scan.md
+202
View File
@@ -0,0 +1,202 @@
# ADR-073: Multi-Frequency Mesh Scanning
| Field | Value |
|-------------|--------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-02 |
| **Authors** | ruv |
| **Depends** | ADR-018 (binary frame), ADR-029 (channel hopping), ADR-039 (edge processing), ADR-060 (channel override) |
## Context
The current WiFi-DensePose deployment uses 2 ESP32-S3 nodes operating on a single WiFi channel (channel 5, 2432 MHz). A scan of the office environment reveals 9 WiFi networks across 6 distinct channels (1, 3, 5, 6, 9, 11), each broadcasting continuously. These neighbor networks are free RF illuminators whose signals pass through the room and interact with objects, people, and walls.
**Current single-channel limitations:**
1. **19% null subcarriers** — metal objects (desk, monitor frame, filing cabinet) create frequency-selective fading that blocks specific subcarriers on channel 5. These nulls are permanent blind spots in the RF map.
2. **No frequency diversity** — objects that are transparent at 2432 MHz may be opaque at 2412 MHz or 2462 MHz, and vice versa. A metal mesh that blocks one wavelength (122.5 mm at 2432 MHz) may pass another (124.0 mm at 2412 MHz) due to the mesh aperture-to-wavelength ratio.
3. **Single-perspective CSI** — both nodes see the same 52-64 subcarriers on the same channel. The subcarrier indices map to the same frequency bins, providing no spectral diversity.
4. **Neighbor illuminator waste** — 6 other APs broadcast continuously in the room. Their signals pass through walls, furniture, and people, creating CSI-measurable reflections that we currently ignore because we only listen on channel 5.
## Decision
Implement interleaved multi-frequency channel hopping across the 2 ESP32-S3 nodes, scanning 6 WiFi channels to build a wideband RF map of the room.
### Channel Allocation Strategy
The 2.4 GHz ISM band has 3 non-overlapping 20 MHz channels (1, 6, 11) and several partially-overlapping channels between them. We allocate channels to maximize both spectral coverage and illuminator exploitation:
```
Node 1: ch 1, 6, 11 (non-overlapping, full band coverage)
Node 2: ch 3, 5, 9 (interleaved, near neighbor APs)
```
**Rationale for this split:**
| Channel | Freq (MHz) | Node | Neighbor Illuminators | Purpose |
|---------|------------|------|----------------------------------------------|-----------------------------------|
| 1 | 2412 | 1 | (none visible, but lower freq = better penetration) | Low-frequency penetration |
| 3 | 2422 | 2 | conclusion mesh (signal 44) | Exploit neighbor AP as illuminator |
| 5 | 2432 | 2 | ruv.net (100), Cohen-Guest (100), HP LaserJet (94) | Primary channel, strongest illuminators |
| 6 | 2437 | 1 | Innanen (signal 19) | Center band, non-overlapping |
| 9 | 2452 | 2 | NETGEAR72 (42), NETGEAR72-Guest (42) | Exploit dual NETGEAR illuminators |
| 11 | 2462 | 1 | COGECO-21B20 (100), COGECO-4321 (30) | High-frequency, strong illuminators |
Each node dwells on a channel for 250 ms (configurable), collects 3-4 CSI frames, then hops to the next. The 3-channel rotation completes in 750 ms, giving ~1.3 full rotations per second.
### Physics Basis
At 2.4 GHz, WiFi wavelength ranges from 122.0 mm (ch 14, 2484 MHz) to 124.0 mm (ch 1, 2412 MHz). While this is a narrow range (~2%), the effect on multipath is significant:
1. **Frequency-selective fading**: multipath reflections create constructive/destructive interference patterns that vary with frequency. A 2 cm path length difference produces a null at 2432 MHz but constructive interference at 2412 MHz.
2. **Diffraction around objects**: Huygens-Fresnel diffraction depends on wavelength. Objects smaller than ~lambda/2 (61 mm) scatter differently across the band. Common office objects (monitor bezels, chair legs, cable bundles) are in this range.
3. **Material transparency**: some materials (wire mesh, perforated metal, PCB ground planes) have frequency-dependent transmission. A monitor's EMI shielding mesh with 5 mm apertures blocks 2.4 GHz signals but the exact attenuation varies with frequency due to slot antenna effects.
4. **Subcarrier orthogonality**: OFDM subcarriers on different channels are in different frequency bins. A null on subcarrier 15 of channel 5 does not imply a null on subcarrier 15 of channel 1, because they map to different absolute frequencies.
### Null Diversity Mechanism
```
Channel 5 subcarriers: ▅▆█▇▅▃▁_▁▃▅▆█▇▅▃▁_▁▃▅▆█▇▅▃
^ null (metal desk)
Channel 1 subcarriers: ▃▅▆█▇▅▃▅▆█▇▅▃▅▆█▇▅▃▅▆█▇▅▃▅▃
^ resolved! Different freq = different null pattern
Channel 11 subcarriers: ▅▃▁_▁▃▅▆█▇▅▃▅▆▅▃▁_▁▃▅▆█▇▅▃▅
^ null here instead (shifted by frequency offset)
```
By fusing subcarrier data across channels, nulls that exist on one channel are filled by non-null data from other channels. The remaining nulls (present on ALL channels) represent truly opaque objects — large metal surfaces that block all 2.4 GHz frequencies.
### Wideband View
Single channel: ~52-64 subcarriers (20 MHz bandwidth)
Multi-channel (6 channels): ~312-384 effective subcarrier observations (120 MHz coverage)
This is not simply 6x the resolution (the subcarrier spacing within each channel is the same), but it provides:
- 6x the spectral diversity for null mitigation
- 6x the illuminator variety (different APs = different signal paths)
- Frequency-dependent scattering signatures for material classification
## Integration
### Firmware (already supported)
The channel hopping infrastructure is already implemented in the ESP32 firmware (ADR-029):
```c
// csi_collector.h — already exists
void csi_collector_set_hop_table(const uint8_t *channels, uint8_t hop_count, uint32_t dwell_ms);
void csi_collector_start_hop_timer(void);
```
The ADR-018 binary frame header already includes the channel/frequency field at bytes [8..11], so the server-side parser can distinguish frames from different channels without any firmware changes.
### Provisioning Commands
```bash
# Node 1 (COM7): non-overlapping channels 1, 6, 11
python firmware/esp32-csi-node/provision.py --port COM7 \
--ssid "ruv.net" --password "..." --target-ip 192.168.1.20 \
--hop-channels 1,6,11 --hop-dwell-ms 250
# Node 2 (COM_): interleaved channels 3, 5, 9
python firmware/esp32-csi-node/provision.py --port COM_ \
--ssid "ruv.net" --password "..." --target-ip 192.168.1.20 \
--hop-channels 3,5,9 --hop-dwell-ms 250
```
Note: `--hop-channels` and `--hop-dwell-ms` require provision.py support for writing these values to NVS. If not yet implemented, the firmware's `csi_collector_set_hop_table()` can be called directly from the main init code with compile-time constants.
### Server-Side Processing
Three new Node.js scripts consume the multi-channel CSI data:
| Script | Purpose |
|--------|---------|
| `scripts/rf-scan.js` | Single-channel live RF room scanner with ASCII spectrum |
| `scripts/rf-scan-multifreq.js` | Multi-channel scanner with null diversity analysis |
| `scripts/benchmark-rf-scan.js` | Quantitative benchmark of multi-channel performance |
All scripts parse the ADR-018 binary UDP format and use the frequency field to separate frames by channel.
### Cognitum Seed Integration
The Cognitum Seed vector store (ADR-069) currently stores 1,605 vectors from single-channel CSI. With multi-frequency scanning:
1. **Per-channel feature vectors**: store separate 8-dim feature vectors for each channel, tagged with channel number. This increases the vector count to ~9,630 (6 channels x 1,605).
2. **Wideband feature vector**: concatenate or average per-channel features into a 48-dim wideband vector for richer kNN search. Objects that are ambiguous on one channel may be clearly distinguishable in the wideband representation.
3. **Null-aware embeddings**: encode null subcarrier patterns as part of the feature vector. The null pattern itself is informative — a consistent null at subcarrier 15 across all channels indicates a large metal object, while a null only on channel 5 indicates a frequency-dependent scatterer.
## Performance Targets
| Metric | Single-Channel Baseline | Multi-Channel Target | Method |
|--------|------------------------|---------------------|--------|
| Subcarrier count | ~52-64 | ~312-384 (6x) | 6 channels x 52-64 subcarriers |
| Null gap | 19% | <5% | Null diversity across channels |
| Position resolution | ~30 cm | ~15 cm | sqrt(6) improvement from independent observations |
| Per-channel FPS | 12 fps | ~4 fps | 250 ms dwell x 3 channels = 750 ms rotation |
| Total FPS (all channels) | 12 fps | ~12 fps per node (4 fps x 3 channels) |
| Wideband rotation | N/A | ~1.3 Hz | Full 3-channel rotation in 750 ms |
## Risks
### Per-Channel Sample Rate Reduction
Channel hopping reduces the per-channel sample rate from 12 fps (single channel) to approximately 4 fps per channel (250 ms dwell, 3 channels). This affects:
- **Vitals extraction**: breathing rate (0.1-0.5 Hz) requires at least 2 fps (Nyquist). At 4 fps per channel, this is met. Heart rate (0.8-2.0 Hz) requires at least 4 fps, which is marginal. Mitigation: keep one channel as "primary" with longer dwell for vitals, or fuse phase data across channels.
- **Motion tracking**: 4 fps is sufficient for walking speed (<2 m/s) but insufficient for fast gestures. If gesture recognition is needed, reduce to 2-channel hopping or increase dwell rate.
### Channel Hopping Latency
`esp_wifi_set_channel()` takes ~1-5 ms on ESP32-S3. During the transition, no CSI frames are captured. At 250 ms dwell, this is <2% overhead.
### AP Disconnection
Channel hopping may cause the ESP32 to lose connection to the home AP (ruv.net on channel 5) when dwelling on other channels. The STA reconnects automatically, but there may be brief UDP packet loss. Mitigation: the firmware already handles this gracefully — CSI collection works in promiscuous mode regardless of STA connection state.
### Increased Server Load
2 nodes x 3 channels x 4 fps = 24 frames/second total UDP traffic. Each frame is ~150-200 bytes (20-byte header + 64 subcarriers x 2 bytes I/Q). Total: ~4.8 KB/s — negligible.
## Alternatives Considered
1. **5 GHz channels**: ESP32-S3 supports 5 GHz CSI, and the shorter wavelength (60 mm) provides better spatial resolution. Rejected because: (a) no 5 GHz APs visible in the current environment, so no free illuminators; (b) 5 GHz has worse wall penetration, reducing the effective sensing volume.
2. **More nodes**: adding a 3rd or 4th ESP32 node would increase spatial diversity without channel hopping. Rejected for now due to cost, but this is complementary — more nodes + channel hopping would give both spatial and spectral diversity.
3. **Wider bandwidth (HT40)**: using 40 MHz channels doubles subcarrier count per channel. Rejected because: (a) HT40 requires a secondary channel, reducing available channels for hopping; (b) many neighbor APs use HT20, so their illumination only covers 20 MHz.
## SNN Integration (ADR-074)
Multi-frequency scanning produces subcarrier data across 6 channels, creating temporal patterns that are well-suited for spiking neural network processing. ADR-074 introduces an SNN with STDP learning that consumes the multi-channel CSI stream.
**Key interactions with multi-frequency data:**
1. **Null diversity as SNN input**: subcarriers that are null on one channel but active on another produce a distinctive spike pattern (spikes only during certain channel dwells). STDP learns to associate these cross-channel patterns with specific objects or zones — something a single-channel SNN cannot do.
2. **Channel-interleaved temporal coding**: because each node dwells on 3 channels in a 750ms rotation, the SNN receives subcarrier data in a repeating temporal pattern (ch1 → ch2 → ch3 → ch1 ...). The SNN's LIF membrane dynamics integrate spikes across the rotation, naturally performing cross-channel fusion through temporal summation. A hidden neuron that receives spikes from subcarrier 15 on channel 1 AND subcarrier 15 on channel 6 will fire more strongly than one receiving either alone.
3. **Expanded input mode**: on the server (not constrained by ESP32 memory), the SNN can use 384 input neurons (6 channels x 64 subcarriers) instead of 128. This provides maximum spectral diversity per frame but requires ~150 KB of weight storage. The `snn-csi-processor.js` script supports this via the `--hidden` flag to scale the network.
4. **Illuminator fingerprinting**: different neighbor APs have different beamforming patterns and power levels. The SNN learns which subcarrier patterns belong to which illuminator, enabling it to distinguish AP-specific signatures from human-caused perturbations. This is especially useful for the NETGEAR dual-AP setup on channel 9, where two illuminators from different positions create stereo-like RF coverage.
## References
- ADR-018: CSI binary frame format
- ADR-029: Channel hopping infrastructure
- ADR-039: Edge processing pipeline
- ADR-060: Channel override provisioning
- ADR-069: Cognitum Seed CSI pipeline
- ADR-074: Spiking neural network for CSI sensing
- IEEE 802.11-2020, Section 21 (OFDM PHY)
- ESP-IDF CSI Guide: https://docs.espressif.com/projects/esp-idf/en/v5.4/esp32s3/api-guides/wifi.html#wi-fi-channel-state-information
api-docs/adr/ADR-074-spiking-neural-csi-sensing.md
+208
View File
@@ -0,0 +1,208 @@
# ADR-074: Spiking Neural Network for CSI Sensing
| Field | Value |
|-------------|--------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-02 |
| **Authors** | ruv |
| **Depends** | ADR-018 (binary frame), ADR-029 (channel hopping), ADR-069 (Cognitum Seed), ADR-073 (multi-frequency mesh) |
## Context
The current WiFi-DensePose CSI sensing pipeline uses two approaches for interpreting subcarrier data:
1. **Static thresholds** — presence detection fires when subcarrier variance exceeds a fixed value. This works in calibrated environments but fails when the RF landscape changes (furniture moved, new objects, temperature drift). Recalibration requires manual intervention or batch retraining.
2. **Batch-trained FC encoder** — the neural network in `wifi-densepose-nn` maps CSI frames to 8-dimensional feature vectors. It requires labeled training data, offline training epochs, and model deployment. The encoder cannot adapt to a new environment without collecting new data and retraining.
Neither approach handles online adaptation. When an ESP32 node is deployed in a new room, the first hours produce noisy, unreliable output until the thresholds are tuned or a model is trained. In disaster scenarios (ADR MAT), there is no time for calibration.
**Spiking Neural Networks (SNNs)** offer an alternative. Unlike traditional ANNs that process continuous values in batch mode, SNNs communicate through discrete spike events and learn online via Spike-Timing-Dependent Plasticity (STDP). This is a natural fit for CSI data:
- CSI subcarrier amplitudes are temporal signals sampled at 12-22 fps
- Amplitude changes (not absolute values) carry the information about motion, breathing, and presence
- STDP learns temporal correlations between subcarriers without labels
- Event-driven processing means idle rooms (no motion) consume near-zero compute
The `@ruvector/spiking-neural` package (vendored at `vendor/ruvector/npm/packages/spiking-neural/`) provides production-ready LIF neurons, STDP learning, lateral inhibition, and SIMD-optimized vector math in pure JavaScript with zero dependencies.
## Decision
Integrate `@ruvector/spiking-neural` into the CSI sensing pipeline as an online unsupervised pattern learner that runs alongside the existing FC encoder. The SNN provides real-time adaptation while the FC encoder provides stable baseline predictions.
### Network Architecture
```
CSI Frame (128 subcarriers)
|
v
[ Rate Encoding ] -----> 128 input neurons (one per subcarrier)
| amplitude delta -> spike rate
v
[ LIF Hidden Layer ] ---> 64 hidden neurons (tau=20ms)
| STDP learns subcarrier correlations
| lateral inhibition -> sparse codes
v
[ LIF Output Layer ] ---> 8 output neurons
|
v
presence | motion | breathing | heart_rate | phase_var | persons | fall | rssi
```
**Layer parameters:**
| Layer | Neurons | tau (ms) | v_thresh (mV) | Function |
|-------|---------|----------|---------------|----------|
| Input | 128 | N/A | N/A | Rate-coded spike generation from subcarrier deltas |
| Hidden | 64 | 20.0 | -50.0 | STDP learns correlated subcarrier groups |
| Output | 8 | 25.0 | -50.0 | Each neuron specializes in one sensing modality |
**Synapse parameters:**
| Connection | Count | a_plus | a_minus | w_init | Lateral Inhibition |
|------------|-------|--------|---------|--------|-------------------|
| Input -> Hidden | 8,192 | 0.005 | 0.005 | 0.3 | No |
| Hidden -> Output | 512 | 0.003 | 0.003 | 0.2 | Yes (strength=15.0) |
Total synapses: 8,704. At 4 bytes per weight, this is 34 KB — fits in ESP32 SRAM.
### Input Encoding
CSI amplitudes are converted to spike rates using rate coding:
1. Compute per-subcarrier amplitude: `amp[i] = sqrt(I[i]^2 + Q[i]^2)` from the ADR-018 binary frame
2. Compute amplitude delta from previous frame: `delta[i] = |amp[i] - prev_amp[i]|`
3. Normalize deltas to [0, 1] range: `norm[i] = min(delta[i] / max_delta, 1.0)`
4. Feed `norm` to `rateEncoding(norm, dt, max_rate)` which produces Poisson spikes
Higher amplitude changes produce more spikes. Static subcarriers (no motion) produce few or no spikes. This is the key energy advantage: an empty room generates almost no spikes, so the SNN does almost no work.
### STDP Learning Rule
STDP strengthens connections between neurons that fire together (within a time window) and weakens connections between neurons that fire out of sync:
- **LTP (Long-Term Potentiation)**: if a presynaptic neuron fires before a postsynaptic neuron within 20ms, the weight increases by `a_plus * exp(-dt/tau_stdp)`
- **LTD (Long-Term Depression)**: if a postsynaptic neuron fires before a presynaptic neuron, the weight decreases by `a_minus * exp(-dt/tau_stdp)`
Over time, this causes the hidden layer neurons to specialize. Subcarriers that consistently change together (e.g., subcarriers 10-20 affected by a person walking through zone A) become strongly connected to the same hidden neuron. Different motion patterns activate different hidden neuron clusters.
### Lateral Inhibition (Winner-Take-All)
The output layer uses lateral inhibition with strength 15.0. When one output neuron fires, it suppresses all others. This forces each output neuron to specialize in a distinct pattern:
- Output 0: presence (any subcarrier activity above baseline)
- Output 1: motion (widespread subcarrier changes, high spike rate)
- Output 2: breathing (periodic 0.1-0.5 Hz modulation on chest-area subcarriers)
- Output 3: heart rate (periodic 0.8-2.0 Hz modulation, lower amplitude than breathing)
- Output 4: phase variance (phase instability across subcarriers)
- Output 5: person count (number of distinct active subcarrier clusters)
- Output 6: fall (sudden high-amplitude burst followed by silence)
- Output 7: RSSI trend (overall signal strength change)
The neuron-to-label mapping is not fixed by training. Instead, the mapping is discovered by observing which output neuron fires most for each known condition during an optional calibration phase. If no calibration is available, the output is reported as raw spike counts per output neuron, and downstream consumers (Cognitum Seed, SONA) interpret the patterns.
### Integration with Existing Pipeline
The SNN does not replace the FC encoder. It runs in parallel:
```
CSI Frame ----+----> FC Encoder --------> 8-dim feature vector (stable, trained)
|
+----> SNN (STDP) --------> 8-dim spike rate vector (adaptive, online)
|
+----> SONA Adapter -------> Weighted fusion of both signals
```
SONA (Self-Optimizing Neural Architecture) receives both signals and learns which source is more reliable for each output dimension. In a new environment where the FC encoder has not been retrained, SONA automatically weights the SNN output higher because it adapts faster. As the FC encoder is retrained on local data, SONA shifts weight back toward it.
### Energy and Compute Budget
| Metric | FC Encoder | SNN (STDP) | Ratio |
|--------|-----------|------------|-------|
| Compute per frame (idle room) | 8,192 MACs | ~50 spike events | ~160x less |
| Compute per frame (active room) | 8,192 MACs | ~500 spike events | ~16x less |
| Memory | 34 KB weights | 34 KB weights | Equal |
| Adaptation | Offline retraining | Online, continuous | SNN wins |
| Stability | High (frozen weights) | Lower (weights drift) | FC wins |
| Latency to first useful output | Hours (needs training data) | ~30 seconds | SNN wins |
The SNN's event-driven nature means it processes only spikes, not every subcarrier on every frame. In an idle room with no motion, subcarrier deltas are near zero, spike rates drop to near zero, and the SNN consumes negligible compute. This is ideal for battery-powered or thermally constrained deployments (ESP32, Cognitum Seed Pi Zero).
### Deployment Targets
| Platform | Runtime | Notes |
|----------|---------|-------|
| Node.js server | `require('@ruvector/spiking-neural')` | Primary. Receives UDP frames, runs SNN. |
| Cognitum Seed (Pi Zero) | Node.js ARM | 34 KB model fits. ~0.06ms per step at 100 neurons. |
| ESP32-S3 (WASM) | wasm3 interpreter | Optional. SNN weights exported as flat Float32Array. |
| Browser | WebAssembly or JS | Via `wifi-densepose-wasm` crate's JS bindings. |
### Multi-Channel SNN (ADR-073 Integration)
With multi-frequency mesh scanning (ADR-073), the SNN input expands:
- **Single-channel mode**: 128 input neurons (64 subcarriers x 2 for I/Q or amplitude/phase)
- **Multi-channel mode**: 128 input neurons, but the subcarrier index rotates across channels. Each channel's subcarriers map to the same neuron indices, but at different time slots. The SNN's temporal dynamics naturally integrate cross-channel information because STDP operates across time.
Alternatively, for maximum spectral diversity, a wider SNN (384 input neurons for 6 channels x 64 subcarriers) can be used on the server where memory is not constrained.
## Performance Targets
| Metric | Target | Method |
|--------|--------|--------|
| SNN step latency | <0.1ms | 128-64-8 network, ~8,700 synapses |
| STDP convergence | <30 seconds | ~360 frames at 12 fps, patterns stabilize |
| Output accuracy (after adaptation) | >80% | Compared to manually labeled ground truth |
| Memory footprint | <50 KB | Weights + neuron state |
| Idle room spike rate | <10 spikes/frame | Event-driven: near-zero compute when nothing moves |
| Adaptation to new environment | <2 minutes | STDP relearns subcarrier correlations |
## Risks
### Weight Drift
STDP learning never stops. In a stable environment, weights can slowly drift as the network over-fits to the current RF landscape. Mitigation: implement weight decay (multiply all weights by 0.999 per second) and clamp weights to [w_min, w_max].
### Output Neuron Reassignment
If the RF environment changes significantly (new furniture, different room), output neurons may reassign their specialization. The mapping from output neuron index to label (presence, motion, etc.) may change. Mitigation: periodically log the output neuron activity and detect reassignment events. Downstream consumers should use the spike pattern, not the neuron index, for classification.
### Interference with FC Encoder
If SONA naively averages the SNN and FC encoder outputs, a poorly adapted SNN could degrade overall accuracy. Mitigation: SONA uses confidence-weighted fusion. The SNN output includes a confidence signal (total spike count / expected spike count). Low confidence = low weight.
### STDP Learning Rate Sensitivity
If `a_plus` and `a_minus` are too high, the SNN oscillates and never converges. If too low, adaptation takes too long. The default values (0.005 and 0.003) are conservative. The script includes a `--learning-rate` flag for tuning.
## Alternatives Considered
1. **Online gradient descent on FC encoder** — backprop through the FC network with each new frame. Rejected because: (a) requires a loss function, which requires labels; (b) continuous gradient updates on a small model lead to catastrophic forgetting of the pretrained representations.
2. **Adaptive thresholds only** — replace fixed thresholds with exponentially-weighted moving averages. Rejected because: (a) single-variable thresholds cannot capture multi-subcarrier correlations; (b) no representation learning — each subcarrier is still processed independently.
3. **Reservoir computing (Echo State Network)** — use a fixed random recurrent network as a temporal feature extractor. Partially viable, but: (a) requires a linear readout layer trained with labels; (b) the random reservoir does not adapt to the specific RF environment.
4. **Train SNN with supervision** — use surrogate gradient methods to train the SNN on labeled data. Rejected because: (a) defeats the purpose of online unsupervised learning; (b) the `@ruvector/spiking-neural` package does not implement surrogate gradients.
## Implementation
The integration is implemented in `scripts/snn-csi-processor.js`, a standalone Node.js script that:
1. Receives live CSI frames via UDP (port 5006, ADR-018 binary format)
2. Decodes subcarrier I/Q data and computes amplitude deltas
3. Feeds deltas through rate encoding into the SNN
4. Applies STDP learning on every frame (online, unsupervised)
5. Maps output neuron spike counts to sensing labels
6. Prints real-time ASCII visualization of SNN activity
7. Optionally forwards learned patterns to Cognitum Seed
## References
- ADR-018: CSI binary frame format
- ADR-029: Channel hopping infrastructure
- ADR-069: Cognitum Seed CSI pipeline
- ADR-073: Multi-frequency mesh scanning
- Maass, W. (1997). "Networks of spiking neurons: The third generation of neural network models." Neural Networks, 10(9), 1659-1671.
- Bi, G. & Poo, M. (1998). "Synaptic modifications in cultured hippocampal neurons: Dependence on spike timing." Journal of Neuroscience, 18(24), 10464-10472.
- `@ruvector/spiking-neural` v1.0.1 — LIF, STDP, lateral inhibition, SIMD
api-docs/adr/ADR-075-mincut-person-separation.md
+195
View File
@@ -0,0 +1,195 @@
# ADR-075: Min-Cut Based Person Separation from Subcarrier Correlation
- **Status:** Proposed
- **Date:** 2026-04-02
- **Issue:** #348`n_persons` always reports 4 regardless of actual occupancy
- **Depends on:** ADR-016 (RuVector integration), ADR-041 (person tracking), ADR-073 (multifrequency mesh scan)
## Context
### The Bug
Issue #348 reports that the ESP32 firmware's multi-person counting always reports
`n_persons = 4`. The root cause is in the WASM edge module
`sig_mincut_person_match.rs`, which uses a fixed `MAX_PERSONS = 4` constant and a
threshold-based variance classifier to populate person slots. The classifier bins
subcarriers into "dynamic" vs "static" using a single fixed variance threshold
(`DYNAMIC_VAR_THRESH = 0.15`). In practice:
1. The threshold is miscalibrated for real-world CSI data — almost any room with
multipath reflections pushes a majority of subcarriers above 0.15 variance.
2. The subcarrier-to-person assignment uses a greedy Hungarian-lite matcher that
fills all 4 slots once there are >= 4 dynamic subcarriers (which is nearly
always the case).
3. There is no mechanism to determine how many independent movers exist — the
algorithm assumes all 4 slots should be filled.
### Prior Art
The Rust crate `ruvector-mincut` (vendored at `vendor/ruvector/crates/ruvector-mincut/`)
implements a full dynamic min-cut algorithm with O(n^{o(1)}) amortized update time,
Stoer-Wagner exact min-cut, and online edge insert/delete. It is already integrated
in the training pipeline (`wifi-densepose-train/src/metrics.rs`) via
`DynamicPersonMatcher`.
### WiFi Sensing Insight
When a person moves through a room, they perturb the Fresnel zones of specific
subcarrier frequencies. Subcarriers whose Fresnel zones overlap the person's body
change **together** — their amplitudes are temporally correlated. When two people
move independently, they create two **separate** groups of correlated subcarriers.
This correlation structure forms a natural graph partitioning problem.
## Decision
Replace the fixed-threshold person counter with a spectral min-cut algorithm
operating on the subcarrier temporal correlation graph. This runs in the bridge
script (`scripts/mincut-person-counter.js`) or on Cognitum Seed, and feeds the
corrected person count back to the feature vector before ingest.
### Algorithm
1. **Sliding window accumulation**: Maintain the last 2 seconds of subcarrier
amplitude data (~40 frames at 20 fps). Each frame provides a 64-element
amplitude vector (one per subcarrier).
2. **Pairwise Pearson correlation**: For all subcarrier pairs (i, j), compute
the Pearson correlation coefficient over the sliding window:
```
r(i,j) = cov(amp_i, amp_j) / (std(amp_i) * std(amp_j))
```
This produces a 64x64 correlation matrix.
3. **Graph construction**: Build a weighted undirected graph:
- **Nodes** = subcarriers (64 for single-antenna ESP32-S3, up to 128 for dual)
- **Edges** = pairs with |r(i,j)| > 0.3 (correlation threshold)
- **Weight** = |r(i,j)| (correlation strength)
- Discard null subcarriers (amplitude consistently near zero)
- Expected: ~1500-2500 edges for 64 active subcarriers
4. **Iterative Stoer-Wagner min-cut**: Apply the Stoer-Wagner algorithm to find
the global minimum cut. If the min-cut weight is below a separation threshold
(empirically 2.0), the cut represents a real boundary between independent
movers. Split the graph at the cut and recurse on each partition.
5. **Person count**: The number of partitions after all valid cuts = number of
independent movers = person count. A single connected component with high
internal correlation and no low-weight cut = 1 person (or 0 if variance is
also low).
6. **Empty room detection**: If the total variance across all subcarriers is
below a noise floor threshold, report 0 persons regardless of graph structure.
### Stoer-Wagner Algorithm
Stoer-Wagner finds the exact global minimum cut of an undirected weighted graph
in O(V * E) time using a sequence of "minimum cut phases":
```
function stoerWagner(G):
best_cut = infinity
while |V(G)| > 1:
(s, t, cut_of_phase) = minimumCutPhase(G)
if cut_of_phase < best_cut:
best_cut = cut_of_phase
best_partition = partition induced by t
merge(s, t) // contract vertices s and t
return best_cut, best_partition
function minimumCutPhase(G):
A = {arbitrary start vertex}
while A != V(G):
z = vertex most tightly connected to A
// "most tightly connected" = max sum of edge weights to A
add z to A
s = second-to-last vertex added
t = last vertex added (most tightly connected)
cut_of_phase = sum of weights of edges incident to t
return (s, t, cut_of_phase)
```
For V=64 subcarriers and E~2000 edges, this runs in ~8 million operations,
well under 1ms on modern hardware and under 10ms even on ESP32-S3.
### Integration Points
```
ESP32 Node 1 ──UDP 5006──┐
├──> mincut-person-counter.js ──> corrected n_persons
ESP32 Node 2 ──UDP 5006──┘ │
├──> seed_csi_bridge.py (feature dim 5 override)
└──> csi-graph-visualizer.js (debug view)
```
The person counter runs as a standalone Node.js process alongside the existing
`rf-scan.js` and `seed_csi_bridge.py` bridge scripts. It can also replay
recorded `.csi.jsonl` files for offline analysis.
## Alternatives Considered
### 1. Threshold-based peak counting (current, broken)
Count subcarriers with variance above a threshold, then cluster by proximity.
**Problem:** threshold is environment-dependent, miscalibrates easily, and
cannot distinguish correlated from independent motion.
### 2. PCA / spectral clustering on correlation matrix
Compute eigenvectors of the correlation matrix; the number of large eigenvalues
indicates the number of independent sources. **Problem:** requires choosing an
eigenvalue gap threshold, which is as fragile as the current variance threshold.
Also does not give per-person subcarrier assignments.
### 3. Min-cut on correlation graph (this ADR)
**Advantages:**
- Directly models the physical structure (Fresnel zone groupings)
- Threshold-free person counting (cut weight is a natural separation metric)
- Produces per-person subcarrier groups as a side effect
- Stoer-Wagner is simple to implement (~100 lines) and runs in polynomial time
- Already validated in Rust via `ruvector-mincut` integration
## Performance
| Metric | Value |
|--------|-------|
| Graph size | V=64, E~2000 |
| Stoer-Wagner complexity | O(V * E) = O(128,000) per cut |
| Iterative cuts (max 4) | O(512,000) total |
| Wall time (Node.js) | < 5 ms per 2-second window |
| Wall time (Rust/WASM) | < 0.5 ms |
| Memory | ~32 KB for correlation matrix + graph |
| Sliding window | 2 seconds = ~40 frames * 64 subcarriers * 8 bytes = 20 KB |
## Consequences
### Positive
- Fixes #348: person count now reflects actual independent movers
- Robust across environments (no per-room threshold calibration)
- Per-person subcarrier groups enable per-person feature extraction
- Graph visualization aids debugging and room mapping
- Algorithm is well-understood (Stoer-Wagner, 1997)
### Negative
- Adds a new process to the sensing pipeline
- 2-second latency for person count changes (sliding window)
- Correlation-based: cannot detect stationary persons (no motion = no signal)
- Assumes independent motion — two people walking in sync may be counted as one
### Migration
1. Deploy `scripts/mincut-person-counter.js` alongside existing bridge
2. Override feature vector dimension 5 (`n_persons`) with corrected count
3. Once validated, port Stoer-Wagner to C for direct ESP32-S3 firmware integration
4. Deprecate the fixed-threshold `PersonMatcher` in `sig_mincut_person_match.rs`
## References
- Stoer, M. & Wagner, F. (1997). "A Simple Min-Cut Algorithm." JACM 44(4).
- `vendor/ruvector/crates/ruvector-mincut/src/algorithm/mod.rs` — DynamicMinCut API
- `v2/.../sig_mincut_person_match.rs` — current (broken) WASM edge matcher
- `scripts/rf-scan.js` — CSI packet parsing and subcarrier classification
api-docs/adr/ADR-076-csi-spectrogram-embeddings.md
+259
View File
@@ -0,0 +1,259 @@
# ADR-076: CSI Spectrogram Embeddings via CNN + Graph Transformer
| Field | Value |
|-------------|--------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-02 |
| **Authors** | ruv |
| **Depends** | ADR-018 (binary frame), ADR-024 (AETHER contrastive embeddings), ADR-029 (RuvSense), ADR-069 (Cognitum Seed bridge), ADR-073 (multi-frequency mesh scan) |
## Context
The current CSI processing pipeline extracts an 8-dimensional hand-crafted feature vector per frame: mean amplitude, amplitude variance, max amplitude, mean phase, phase variance, bandwidth, spectral centroid, and RSSI. These features are effective for basic presence detection and room fingerprinting but discard the rich spatial-frequency structure present in the raw subcarrier data.
A single CSI frame from an ESP32-S3 contains 64 subcarriers (or 128 in HT40 mode), each with I/Q components. When stacked over time, 20 consecutive frames form a **64x20 subcarrier-by-time matrix** — effectively a grayscale spectrogram image. This matrix encodes:
1. **Frequency-selective fading** — metal objects create persistent null zones at specific subcarrier indices (visible as dark vertical stripes)
2. **Doppler signatures** — human motion produces time-varying amplitude patterns across subcarriers (visible as horizontal wave patterns)
3. **Multipath structure** — room geometry creates characteristic interference patterns unique to each environment
4. **Activity fingerprints** — walking, sitting, breathing, and falling produce distinct 2D texture patterns in the subcarrier-time matrix
These 2D structural patterns are invisible to the 8-dim feature vector, which collapses all subcarrier information into scalar statistics. A CNN embedding can preserve this spatial structure.
### Existing Vendor Libraries
**@ruvector/cnn** (v0.1.0) provides:
- WASM-based CNN feature extraction (~5ms per 224x224 image, ~900KB model)
- Configurable embedding dimension (default 512, we use 128 for compact storage)
- L2-normalized embeddings with cosine similarity search
- Contrastive training via InfoNCE and triplet loss
- SIMD-optimized layer operations (batch norm, global average pooling, ReLU)
- Works in both Node.js and browser environments
**ruvector-graph-transformer** provides:
- Sublinear O(n log n) graph attention via LSH bucketing and PPR sampling
- Proof-gated mutation substrate for verified computations
- Temporal causal attention with Granger causality (relevant for CSI time series)
- Manifold attention on product spaces S^n x H^m x R^k
**@ruvector/graph-wasm** (v2.0.2) provides:
- Neo4j-compatible property graph database in WASM
- Node/edge creation with arbitrary properties and embeddings
- Hyperedge support for multi-node relationships
- Cypher query language
### Current Limitations of 8-dim Features
| Limitation | Impact |
|------------|--------|
| No subcarrier-level information | Cannot distinguish frequency-selective vs broadband fading |
| No temporal pattern encoding | Walking gait (periodic) looks identical to random motion (aperiodic) |
| No 2D structure | Room fingerprint reduced to 8 numbers; two rooms with similar statistics are indistinguishable |
| No cross-subcarrier correlation | Cannot detect standing waves, node patterns, or multipath clusters |
| Poor kNN discrimination | 8 dimensions provides limited hypersphere surface area for separating environments |
## Decision
Treat the CSI subcarrier-by-time matrix as a grayscale spectrogram image and apply CNN embedding to produce a 128-dimensional representation that preserves 2D spatial-frequency structure. Use a graph transformer to fuse embeddings across multiple ESP32 nodes.
### Architecture
```
ESP32 Node 1 ESP32 Node 2
| |
v v
UDP 5006 UDP 5006
| |
v v
[64 subcarriers] [64 subcarriers]
[20-frame window] [20-frame window]
| |
v v
64x20 amplitude 64x20 amplitude
matrix (grayscale) matrix (grayscale)
| |
v v
@ruvector/cnn @ruvector/cnn
CnnEmbedder CnnEmbedder
| |
v v
128-dim vector 128-dim vector
| |
+-------+ +----------+
| |
v v
Graph Transformer (2-node graph)
Edge weight = cross-node correlation
|
v
Fused 128-dim vector
|
+-------+-------+
| |
v v
Cognitum Seed kNN Search
(128-dim store) (similar rooms)
```
### Step 1: CSI-to-Spectrogram Conversion
Each ESP32 transmits CSI frames via UDP in ADR-018 binary format. The `iq_hex` field contains I/Q pairs for each subcarrier (2 bytes per subcarrier: I + Q as unsigned 8-bit values).
```
Amplitude[sc] = sqrt(I[sc]^2 + Q[sc]^2)
```
A sliding window of 20 frames produces a 64x20 matrix. Normalization to 0-255 grayscale:
```
pixel[sc][t] = clamp(255 * (amplitude[sc][t] - min) / (max - min), 0, 255)
```
Where `min` and `max` are computed over the entire 64x20 window for per-window contrast normalization. This ensures the CNN sees the relative structure regardless of absolute signal strength (which varies with distance, TX power, and environmental absorption).
### Step 2: CNN Embedding
The 64x20 grayscale matrix is resized to the CNN's expected input size (224x224 via nearest-neighbor upsampling, since we want to preserve the discrete subcarrier structure rather than blur it with bilinear interpolation). The input is replicated across 3 channels (RGB) since @ruvector/cnn expects RGB input.
Configuration:
- **Input**: 224x224x3 (upsampled from 64x20, grayscale replicated to RGB)
- **Embedding dimension**: 128 (reduced from default 512 for compact storage and faster kNN)
- **Normalization**: L2-enabled (cosine similarity = dot product on unit sphere)
- **Latency**: ~5ms per window on modern hardware
The 128-dim embedding encodes the 2D structure of the spectrogram: null zones, Doppler patterns, multipath signatures, and activity textures.
### Step 3: Graph Transformer for Multi-Node Fusion
With 2 ESP32 nodes (generalizable to N), we construct a graph:
```
Nodes: {Node_1, Node_2}
Edges: {(Node_1, Node_2, weight=cross_correlation)}
Node features: 128-dim CNN embedding per node
```
The graph attention mechanism learns which node is more informative for each prediction:
1. **Query/Key/Value** from each node's 128-dim embedding
2. **Edge weight** = Pearson cross-correlation between the two nodes' raw amplitude vectors (captures how much their CSI observations agree)
3. **Attention score** = softmax(Q_i * K_j / sqrt(d) + edge_weight_bias)
4. **Output** = weighted sum of value vectors
This produces a fused 128-dim vector that combines both nodes' perspectives, automatically weighting the node with cleaner signal (higher SNR, less fading) more heavily.
**Generalization to 3+ nodes**: Adding a third ESP32 adds one node and 2 edges to the graph. The attention mechanism handles variable-size graphs without architecture changes.
### Step 4: Storage and Search
The fused 128-dim embedding is stored in Cognitum Seed (ADR-069) alongside the existing 8-dim features:
| Store | Dimension | Content | Use Case |
|-------|-----------|---------|----------|
| `csi-features` | 8-dim | Hand-crafted statistics | Fast presence detection |
| `csi-spectrograms` | 128-dim | CNN spectrogram embedding | Environment fingerprinting, anomaly detection |
| `csi-spectrograms-fused` | 128-dim | Graph-fused multi-node embedding | Cross-viewpoint room signature |
kNN search on the 128-dim store finds past spectrograms that "look like" the current one:
- **Environment fingerprinting**: "What room does this RF pattern match?"
- **Cross-room transfer**: "Which training room is most similar to this deployment room?"
- **Anomaly detection**: Low similarity to all known patterns = unknown environment or novel activity
- **Temporal segmentation**: Similarity drops = activity transition boundaries
### Comparison: 8-dim vs 128-dim vs Combined
| Property | 8-dim hand-crafted | 128-dim CNN | Combined |
|----------|-------------------|-------------|----------|
| Subcarrier structure | Lost | Preserved | Both available |
| Temporal patterns | Lost | Preserved (20-frame window) | Both |
| Computation | ~0.1ms | ~5ms | ~5ms |
| Storage per vector | 32 bytes | 512 bytes | 544 bytes |
| kNN discrimination | Low (8-dim curse) | High (128-dim surface) | Highest |
| Interpretability | High (named features) | Low (learned) | Mixed |
| Training required | No | Optional (pre-trained works) | Optional |
| Multi-node fusion | Average/max | Graph attention | Graph attention |
### Contrastive Training (Optional Enhancement)
The CNN embedding works out-of-the-box with the pre-trained weights. For domain-specific improvements, contrastive training with CSI data:
1. **Positive pairs**: Same room, different time windows (should embed similarly)
2. **Negative pairs**: Different rooms or different activities (should embed differently)
3. **Loss**: InfoNCE with temperature 0.07 (standard SimCLR)
4. **Augmentation**: Time-shift (slide window by 1-5 frames), subcarrier dropout (zero 10% of rows), amplitude jitter (multiply by uniform [0.8, 1.2])
This teaches the CNN that "same room at different times" should produce similar embeddings, while "different rooms" should produce different embeddings.
## Consequences
### Positive
1. **Richer representation**: 128 dimensions capture 2D structure that 8 dimensions cannot
2. **Environment fingerprinting**: kNN on spectrograms can distinguish rooms that look identical in 8-dim feature space
3. **Activity detection**: Temporal patterns (gait periodicity, breathing frequency) are encoded in the spectrogram texture
4. **Multi-node fusion**: Graph attention automatically weights the most informative node, improving robustness to single-node occlusion or interference
5. **Incremental adoption**: 128-dim store operates alongside 8-dim store; no migration needed
6. **Browser-compatible**: WASM-based CNN runs in the sensing-server UI for live visualization
### Negative
1. **5ms latency per window**: Acceptable for 1.3 Hz update rate (750ms rotation from ADR-073), but constrains real-time applications
2. **900KB model download**: One-time cost, cached after first load
3. **128-dim storage**: 16x more bytes per vector than 8-dim; mitigated by the fact that we store one embedding per 20-frame window (not per frame)
4. **Opaque embeddings**: Unlike named 8-dim features, CNN embeddings are not human-interpretable
5. **Input size mismatch**: 64x20 matrix must be upsampled to 224x224; nearest-neighbor preserves structure but wastes computation on padded regions
### Risks and Mitigations
| Risk | Mitigation |
|------|------------|
| CNN embeddings not discriminative enough for CSI | Contrastive fine-tuning on CSI spectrograms; fall back to 8-dim if 128-dim kNN recall is worse |
| Graph transformer overhead for 2-node graph | Lightweight attention (single head, no MLP); O(1) for 2 nodes |
| Upsampling artifacts from 64x20 to 224x224 | Nearest-neighbor preserves discrete structure; consider training a smaller CNN on native 64x20 input |
| WASM initialization delay | Call `init()` at server startup, not per-request |
## Implementation
### Files
| File | Purpose |
|------|---------|
| `scripts/csi-spectrogram.js` | CSI-to-spectrogram pipeline with CNN embedding, ASCII visualization, Cognitum Seed ingest |
| `scripts/mesh-graph-transformer.js` | Multi-node graph attention fusion using @ruvector/graph-wasm |
| `docs/adr/ADR-076-csi-spectrogram-embeddings.md` | This ADR |
### Dependencies
| Package | Version | Source |
|---------|---------|--------|
| `@ruvector/cnn` | 0.1.0 | `vendor/ruvector/npm/packages/ruvector-cnn/` |
| `@ruvector/graph-wasm` | 2.0.2 | `vendor/ruvector/npm/packages/graph-wasm/` |
### Data Format
CSI JSONL frames from `data/recordings/pretrain-1775182186.csi.jsonl`:
```json
{
"timestamp": 1775182186.123,
"node_id": 1,
"magic": 3289481217,
"size": 148,
"rssi": -45,
"type": "CSI",
"iq_hex": "00000f030d030e040d030d030d030c020d020d01...",
"subcarriers": 64
}
```
`iq_hex` encoding: 2 hex characters per byte, 4 hex characters per subcarrier (I byte + Q byte). Total length = `subcarriers * 4` hex characters.
## References
- ADR-018: Binary CSI frame format
- ADR-024: AETHER contrastive CSI embeddings (Rust-side)
- ADR-029: RuvSense multistatic sensing mode
- ADR-069: Cognitum Seed RVF ingest bridge
- ADR-073: Multi-frequency mesh scanning
- SimCLR: Chen et al., "A Simple Framework for Contrastive Learning of Visual Representations" (2020)
- GATv2: Brody et al., "How Attentive are Graph Attention Networks?" (2021)
api-docs/adr/ADR-077-novel-rf-sensing-applications.md
+284
View File
@@ -0,0 +1,284 @@
# ADR-077: Novel RF Sensing Applications
**Status:** Accepted
**Date:** 2026-04-02
**Authors:** ruv
**Depends on:** ADR-018 (CSI binary protocol), ADR-073 (multifrequency mesh scan), ADR-075 (MinCut person separation), ADR-076 (CSI spectrogram embeddings)
## Context
The existing ESP32 CSI + Cognitum Seed infrastructure collects rich multi-modal data:
- 2 ESP32-S3 nodes streaming CSI at ~22 fps each (64-128 subcarriers, channel hopping ch 1/3/5/6/9/11)
- Vitals extraction: breathing rate, heart rate, motion energy, presence score (1 Hz per node)
- 8-dimensional feature vectors per frame
- Cognitum Seed with BME280 (temp/humidity/pressure), PIR, reed switch, vibration sensor
No new hardware is required. All 6 applications below derive novel insights from data already being collected via the ADR-018 binary protocol over UDP port 5006.
## Decision
Implement 6 novel RF sensing applications as standalone Node.js scripts that process live UDP or replayed `.csi.jsonl` recordings.
---
## Application 1: Sleep Quality Monitoring
### Input
Breathing rate (BR) and heart rate (HR) time series from vitals packets (0xC5110002), sampled at ~1 Hz per node over 6-8 hours.
### Algorithm
Sliding window analysis (5-minute windows, 1-minute stride) classifying sleep stages:
| Stage | BR (BPM) | BR Variance | HR Pattern | Motion |
|-------|----------|-------------|------------|--------|
| **Deep (N3)** | 6-12 | Very low (<2.0) | Slow, regular | None |
| **Light (N1/N2)** | 12-18 | Moderate (2.0-8.0) | Normal | Minimal |
| **REM** | 15-25 | High (>8.0), irregular | Elevated | Eyes only (low CSI motion) |
| **Awake** | >18 or <6 | Any | Variable | Moderate-high |
Each 5-minute window is scored by:
1. Compute BR mean and variance within the window
2. Compute HR mean and coefficient of variation (CV)
3. Compute motion energy mean (from vitals `motion_energy` field)
4. Classify stage using threshold hierarchy: Awake > REM > Light > Deep
### Output
- Real-time sleep stage classification
- ASCII hypnogram (time vs. stage)
- Summary: total sleep time, sleep efficiency (TST / time in bed), time per stage
- Optional JSON for health app integration
### Validation
Overnight recording (`overnight-1775217646.csi.jsonl`, 113k frames, ~40 min) should show:
- Transition from active (awake) to resting states
- Decreased motion energy over time
- BR stabilization in sleeping segments
### Clinical Relevance
Consumer-grade sleep tracking without wearables. RF-based sensing avoids compliance issues (forgotten wristbands, dead batteries). Not diagnostic; informational only.
---
## Application 2: Breathing Disorder Screening (Apnea Detection)
### Input
Breathing rate time series from vitals packets at ~1 Hz.
### Algorithm
Detect respiratory events in the BR time series:
| Event | Definition | Duration |
|-------|-----------|----------|
| **Apnea** | BR drops below 3 BPM (effective cessation) | >= 10 seconds |
| **Hypopnea** | BR drops > 50% from 5-min rolling baseline | >= 10 seconds |
Scoring:
1. Maintain 5-minute rolling baseline BR (exponential moving average)
2. Flag apnea when BR < 3 BPM for >= 10 consecutive seconds
3. Flag hypopnea when BR < 50% of baseline for >= 10 consecutive seconds
4. Compute AHI (Apnea-Hypopnea Index) = total events / hours monitored
| AHI | Severity |
|-----|----------|
| < 5 | Normal |
| 5-15 | Mild |
| 15-30 | Moderate |
| > 30 | Severe |
### Output
- Per-event log: type (apnea/hypopnea), start time, duration, BR during event
- Hourly AHI and overall AHI
- Severity classification
- Alert on severe events (consecutive apneas > 30s)
### Clinical Relevance
Pre-screening tool for obstructive sleep apnea (OSA). Provides motivation for clinical polysomnography referral. Not a diagnostic device; informational pre-screen only.
---
## Application 3: Emotional State / Stress Detection
### Input
Heart rate time series from vitals packets at ~1 Hz.
### Algorithm
Heart Rate Variability (HRV) analysis:
1. **RMSSD** (Root Mean Square of Successive Differences):
- Compute successive HR differences within 5-minute windows
- RMSSD = sqrt(mean(diff^2))
- High RMSSD = high vagal tone = relaxed
- Low RMSSD = sympathetic dominance = stressed
2. **LF/HF Ratio** (via FFT on 5-minute HR windows):
- LF band: 0.04-0.15 Hz (sympathetic + parasympathetic)
- HF band: 0.15-0.40 Hz (parasympathetic)
- High LF/HF (> 2.0) = stressed
- Low LF/HF (< 1.0) = relaxed
3. **Stress Score** (0-100):
- `score = 50 * (1 - RMSSD_norm) + 50 * LF_HF_norm`
- Where `RMSSD_norm` = RMSSD / max_expected_RMSSD (capped at 1.0)
- And `LF_HF_norm` = min(LF_HF / 4.0, 1.0)
### Output
- Real-time stress score (0-100)
- RMSSD and LF/HF ratio per window
- ASCII trend chart over hours
- Activity context correlation (motion level vs. stress)
### Validation
- Periods of activity (walking, working) should correlate with higher stress scores
- Quiet rest should show lower scores
- Sleeping should show lowest scores (high HRV, low LF/HF)
---
## Application 4: Gait Analysis / Movement Disorder Detection
### Input
- Motion energy time series from vitals packets
- CSI phase variance from raw CSI frames (0xC5110001)
- Cross-node RSSI from vitals packets
### Algorithm
1. **Cadence Extraction**: FFT on motion_energy within 5-second sliding windows
- Walking cadence: dominant frequency 0.8-2.0 Hz (normal: ~1.0 Hz = 120 steps/min)
- Running: > 2.0 Hz
- Stationary: no dominant peak
2. **Stride Regularity**: Autocorrelation of motion_energy
- Regular walking: strong autocorrelation peak at step period
- Irregularity score = 1 - (peak_height / baseline)
3. **Asymmetry Detection**: Compare motion energy oscillation between two ESP32 nodes
- Symmetric gait: both nodes see similar oscillation period and amplitude
- Asymmetry index = |period_node1 - period_node2| / mean_period
4. **Tremor Detection**: High-frequency phase variance analysis
- Compute phase variance per subcarrier in 2-second windows
- Tremor band: 3-8 Hz component in phase variance time series
- Parkinsonian tremor: 4-6 Hz, resting
- Essential tremor: 5-8 Hz, action
### Output
- Cadence (steps/min)
- Stride regularity score (0-1)
- Asymmetry index (0 = symmetric, 1 = highly asymmetric)
- Tremor score and dominant frequency
- Walking vs. stationary classification
### Validation
Overnight data should show clear stationary periods with no cadence detected. Any walking segments should show cadence in the 0.8-2.0 Hz range.
---
## Application 5: Material/Object Change Detection
### Input
Per-subcarrier amplitude from raw CSI frames (0xC5110001).
### Algorithm
1. **Baseline Establishment** (first 10 minutes or configurable):
- Record mean amplitude per subcarrier (Welford online mean)
- Record null pattern: which subcarriers are below null threshold (amplitude < 2.0)
2. **Change Detection** (sliding 30-second windows):
- Compare current null pattern to baseline
- New nulls appearing = new metal object blocking RF path
- Existing nulls disappearing = metal object removed
- Null position shifted = object moved
- Amplitude change without null change = non-metal material (wood, water, glass)
3. **Material Classification** heuristic:
- Metal: sharp null (amplitude drops to near 0 on specific subcarriers)
- Water/human: broad amplitude reduction across many subcarriers
- Wood/plastic: minimal amplitude change, mostly phase shift
- Glass: frequency-selective (affects higher subcarriers more)
### Output
- Change events with timestamp, type (add/remove/move), affected subcarrier range
- Estimated material category
- Null pattern delta visualization (ASCII)
- Event timeline for monitoring
### Validation
Overnight data has 19% null baseline. Changes in null pattern over the recording period indicate environment changes (doors opening/closing, person entering/leaving).
---
## Application 6: Room Environment Fingerprinting
### Input
- 8-dimensional feature vectors from feature packets (0xC5110003)
- Motion energy and presence score from vitals packets
### Algorithm
1. **Online Clustering** using running k-means (k=5, updateable centroids):
- Each incoming 8-dim feature vector is assigned to nearest centroid
- Centroid updated via exponential moving average (alpha=0.01)
- New cluster created if distance to all centroids exceeds threshold
2. **State Labeling** (heuristic from vitals correlation):
- Cluster with lowest motion_energy = "empty/sleeping"
- Cluster with highest motion_energy = "active/walking"
- Intermediate clusters = "resting", "working", "transitional"
3. **Transition Tracking**:
- Build state transition matrix (from_state -> to_state counts)
- Detect anomalous transitions (rare in historical data)
4. **Daily Profile**:
- Aggregate state durations per hour
- Compare across days for routine detection
### Output
- Current room state and confidence
- State timeline (ASCII)
- Transition matrix
- Daily pattern profile
- Anomaly score (deviation from established daily pattern)
### Validation
Overnight recording should show 2-3 stable clusters corresponding to activity periods at different times. Transitions should be infrequent and correspond to real behavioral changes.
---
## Implementation
All scripts share common infrastructure:
- ADR-018 binary packet parsing (same as rf-scan.js, mincut-person-counter.js)
- JSONL replay via readline interface
- Live UDP via dgram
- Pure Node.js, no external dependencies
- CLI: `--replay <file>` for offline, `--port <N>` for live, `--json` for programmatic output
| Script | Primary Packets | Key Algorithm |
|--------|----------------|---------------|
| `sleep-monitor.js` | vitals (0xC5110002) | BR/HR window classification |
| `apnea-detector.js` | vitals (0xC5110002) | BR pause detection, AHI scoring |
| `stress-monitor.js` | vitals (0xC5110002) | HRV RMSSD + FFT LF/HF |
| `gait-analyzer.js` | vitals + raw CSI | FFT cadence + phase tremor |
| `material-detector.js` | raw CSI (0xC5110001) | Null pattern baseline + delta |
| `room-fingerprint.js` | feature (0xC5110003) + vitals | Online k-means clustering |
## Consequences
### Positive
- 6 new sensing applications from existing hardware (zero additional cost)
- All offline-capable via JSONL replay (no live hardware needed for development)
- Pure JS, no native dependencies, runs on any platform with Node.js
- Each script is standalone and composable
### Negative
- Vitals accuracy depends on ESP32 CSI quality (RSSI, multipath)
- HRV analysis at 1 Hz HR sampling is coarse compared to ECG
- Material classification is heuristic, not definitive
- Sleep staging without EEG is approximate (consumer-grade accuracy)
### Risks
- Users may misinterpret health-related outputs as clinical diagnoses
- Mitigation: all scripts include disclaimers in output headers
api-docs/adr/ADR-078-multifreq-mesh-applications.md
+354
View File
@@ -0,0 +1,354 @@
# ADR-078: Multi-Frequency Mesh Sensing Applications
| Field | Value |
|-------------|--------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-02 |
| **Authors** | ruv |
| **Depends** | ADR-018 (binary frame), ADR-029 (channel hopping), ADR-073 (multi-frequency mesh scan) |
## Context
ADR-073 established multi-frequency mesh scanning: 2 ESP32-S3 nodes hopping across 6 WiFi channels (1, 3, 5, 6, 9, 11) with 9 neighbor WiFi networks as passive illuminators. This ADR defines 5 sensing applications that are **unique to multi-frequency mesh scanning** and impossible with single-channel WiFi sensing.
### Why Multi-Frequency is Required
Single-channel WiFi sensing captures CSI on one frequency (e.g., channel 5 at 2432 MHz). This provides amplitude and phase across ~52-64 OFDM subcarriers within a 20 MHz bandwidth. Multi-frequency mesh scanning extends this to 6 channels spanning 2412-2462 MHz (50 MHz total), with each channel providing independent multipath observations. The applications below exploit the frequency dimension that single-channel sensing cannot access.
### Available Infrastructure
| Resource | Detail |
|----------|--------|
| Node 1 (COM7) | ESP32-S3, channels 1, 6, 11 (non-overlapping), 200ms dwell |
| Node 2 | ESP32-S3, channels 3, 5, 9 (interleaved, near neighbor APs), 200ms dwell |
| Neighbor APs | 9 networks across channels 3, 5, 6, 9, 11 |
| Data transport | UDP port 5006, ADR-018 binary format |
| Recorded data | `data/recordings/overnight-*.csi.jsonl` |
### Neighbor AP Illuminator Table
| SSID | Channel | Freq (MHz) | Signal (%) | Role |
|------|---------|------------|------------|------|
| ruv.net | 5 | 2432 | 100 | Primary illuminator |
| Cohen-Guest | 5 | 2432 | 100 | Co-channel illuminator |
| COGECO-21B20 | 11 | 2462 | 100 | High-freq illuminator |
| HP M255 LaserJet | 5 | 2432 | 94 | Device fingerprinting target |
| conclusion mesh | 3 | 2422 | 44 | Low-freq illuminator |
| NETGEAR72 | 9 | 2452 | 42 | Mid-high illuminator |
| NETGEAR72-Guest | 9 | 2452 | 42 | Co-channel illuminator |
| COGECO-4321 | 11 | 2462 | 30 | Weak high-freq illuminator |
| Innanen | 6 | 2437 | 19 | Weak center-band illuminator |
## Decision
Implement 5 multi-frequency-specific sensing applications, each as a standalone Node.js script in `scripts/`.
---
## Application 1: RF Tomographic Imaging
### Principle
Each WiFi channel "sees" through the room differently because multipath interference patterns are frequency-dependent. A 2 cm path length difference produces a null at 2432 MHz but constructive interference at 2412 MHz. With 6 channels x 2 nodes, we have 12 independent RF path observations through the room.
RF tomography back-projects attenuation along each transmitter-receiver path. Where paths overlap with high attenuation, there is an absorbing object (person, furniture, wall). Where paths show low attenuation, the space is clear.
### Algorithm
```
For each CSI frame:
1. Compute path attenuation = RSSI_free_space - RSSI_measured
2. For each cell in a 10x10 room grid:
a. Compute the cell's distance to the TX->RX line (perpendicular distance)
b. Weight contribution by 1/distance (cells near the path contribute more)
3. Accumulate weighted attenuation across all frames, channels, and node pairs
4. Normalize: cells with high accumulated attenuation = absorbers (people/objects)
```
Uses the Algebraic Reconstruction Technique (ART) for iterative refinement, or simple backprojection for real-time display.
### Resolution
- Theoretical: ~lambda/2 = 6 cm (at 2.4 GHz)
- Practical with 2 nodes: ~20 cm (limited by node geometry)
- Frequency diversity gain: sqrt(6) improvement over single-channel = ~2.4x
### Why Single-Channel Cannot Do This
Single-channel provides only 1 frequency observation per path. Frequency-selective fading means a single channel may show zero attenuation through a person (if the path happens to be at a constructive interference point). Multiple channels provide independent attenuation measurements through the same spatial path, enabling reliable detection.
### Script
`scripts/rf-tomography.js`
---
## Application 2: Passive Bistatic Radar
### Principle
Neighbor WiFi APs transmit continuously and uncontrollably. The ESP32 nodes capture CSI from these transmissions, which includes phase and amplitude modulated by objects in the room. Each neighbor AP acts as a free "illuminator of opportunity" at a known position and frequency.
This is the same principle used by military passive radar systems (e.g., the Ukrainian Kolchuga, Czech VERA-NG) that use FM radio and TV transmitters to detect aircraft without emitting any signals themselves. Here we use WiFi APs instead of broadcast towers, and detect people instead of aircraft.
### Algorithm
```
For each neighbor AP (identified by BSSID/channel):
1. Track CSI phase progression across consecutive frames
2. Compute Doppler shift: fd = d(phase)/dt / (2*pi)
- Positive Doppler = target moving toward the AP
- Negative Doppler = target moving away
3. Compute range from subcarrier phase slope:
- tau = d(phase)/d(subcarrier_freq) / (2*pi)
- range = c * tau (where c = speed of light)
4. Build range-Doppler map per AP
5. Fuse multi-static detections:
- Each AP provides a range ellipse (locus of constant TX->target->RX delay)
- Intersection of 3+ ellipses = target position
```
### Multi-Static Geometry
With 3+ neighbor APs as transmitters and 2 ESP32 receivers, we have 6+ bistatic pairs. Each pair constrains the target to an ellipse. The intersection provides 2D position.
```
AP1 (ch5) AP2 (ch11)
\ /
\ TARGET /
\ /|\ /
\ / | \ /
ESP32_1 ---*--+--*--- ESP32_2
/ \ | / \
/ \|/ \
/ TARGET \
/ \
AP3 (ch3) AP4 (ch9)
```
### Why Single-Channel Cannot Do This
Single-channel only captures CSI from APs on that one channel. With channel 5, you see ruv.net and Cohen-Guest, but miss COGECO-21B20 (ch11), conclusion mesh (ch3), NETGEAR72 (ch9). Multi-frequency scanning captures illumination from all 9 APs across 6 channels, providing the geometric diversity needed for position triangulation.
### Script
`scripts/passive-radar.js`
---
## Application 3: Frequency-Selective Material Classification
### Principle
Different materials interact with 2.4 GHz WiFi signals differently, and critically, their absorption/reflection varies with frequency:
| Material | Attenuation Pattern | Frequency Dependence |
|----------|--------------------|--------------------|
| Metal | Total reflection, deep null | Frequency-flat (blocks all equally) |
| Water/Human body | Strong absorption | Increases with frequency (dielectric loss ~ f^2) |
| Wood | Mild attenuation | Increases with frequency (moisture content) |
| Glass | Low attenuation | Nearly frequency-flat |
| Drywall | Low-moderate attenuation | Slight frequency dependence |
| Concrete | Moderate-high attenuation | Increases with frequency |
### Algorithm
```
For each subcarrier index i across all channels:
1. Measure attenuation A(i, ch) on each channel
2. Compute frequency selectivity:
- Flat ratio = std(A across channels) / mean(A across channels)
- Slope = linear regression of A vs frequency
3. Classify:
- Flat ratio < 0.1 AND high attenuation -> Metal
- Flat ratio < 0.1 AND low attenuation -> Glass/Air
- Positive slope (A increases with freq) AND high A -> Water/Human
- Positive slope AND moderate A -> Wood
- High variance across channels -> Complex scatterer
```
### Physics Basis
At 2.4 GHz, water's complex permittivity is epsilon_r = 77 - j10. The imaginary component (loss) increases with frequency within the WiFi band. Metal is a perfect conductor regardless of frequency. Glass (epsilon_r ~ 6 - j0.1) has negligible loss at all WiFi frequencies.
The 50 MHz span (2412-2462 MHz) is only ~2% of the carrier frequency, but this is sufficient to detect the frequency-dependent absorption signature of water-bearing materials (human body, wet wood, potted plants) versus frequency-flat materials (metal, glass).
### Why Single-Channel Cannot Do This
Material classification requires measuring how attenuation varies with frequency. A single channel provides only one frequency point -- there is no frequency axis to measure against. Multi-frequency scanning provides 6 frequency points spanning 50 MHz, enabling slope and variance computation.
### Script
`scripts/material-classifier.js`
---
## Application 4: Through-Wall Motion Detection
### Principle
Lower WiFi frequencies penetrate walls better than higher frequencies. At 2.4 GHz, wall attenuation for a standard drywall+stud partition is approximately:
| Channel | Freq (MHz) | Drywall Loss (dB) | Concrete Loss (dB) |
|---------|------------|-------------------|-------------------|
| 1 | 2412 | 2.5 | 8.0 |
| 6 | 2437 | 2.6 | 8.3 |
| 11 | 2462 | 2.7 | 8.6 |
The absolute differences are small (~0.2 dB), but with 6 channels we can:
1. **Baseline the wall's frequency-dependent attenuation profile** during a calibration period (no one behind the wall)
2. **Detect changes above baseline** that indicate motion behind the wall
3. **Weight lower channels more heavily** since they have better through-wall SNR
4. **Cross-validate** across channels: real through-wall motion appears on all channels (with frequency-dependent amplitude), while interference/noise typically appears on only one channel
### Algorithm
```
Calibration phase (60 seconds, no motion behind wall):
For each channel ch:
baseline_mean[ch] = mean(CSI amplitude over calibration)
baseline_std[ch] = std(CSI amplitude over calibration)
Detection phase:
For each frame on channel ch:
1. Compute deviation = |current_amplitude - baseline_mean[ch]| / baseline_std[ch]
2. Channel weight = f(penetration_quality[ch])
3. Per-channel score = deviation * weight
Fused score = weighted sum across channels
Alert if fused_score > threshold for N consecutive frames
```
### Why Single-Channel Cannot Do This
Single-channel through-wall detection suffers from high false-positive rates because it cannot distinguish wall effects from motion. With multi-frequency, we can:
1. Characterize the wall's frequency response during calibration
2. Subtract the wall effect per channel
3. Cross-validate detections across channels (real motion is coherent across frequencies; noise is not)
The frequency diversity provides a ~2.4x improvement in detection SNR (sqrt(6) independent observations).
### Script
`scripts/through-wall-detector.js`
---
## Application 5: Device Fingerprinting via RF Emissions
### Principle
Every electronic device has unique RF characteristics visible in the WiFi spectrum. When a device transmits (or even when its internal oscillators radiate EMI), it modulates nearby WiFi signals in device-specific ways:
- **WiFi APs**: each AP has unique transmit power, phase noise, and clock drift characteristics
- **Printers**: the HP M255 LaserJet creates specific subcarrier patterns when printing (motor EMI)
- **Microwave ovens**: 2.45 GHz magnetron radiates across channels 8-11, creating distinctive wideband interference
- **Bluetooth devices**: 2.4 GHz frequency-hopping creates transient spikes across channels
### Algorithm
```
Learning phase:
For each known device (from WiFi scan SSID/BSSID correlation):
1. Record CSI patterns when device is active vs inactive
2. Compute per-channel signature:
- Mean amplitude profile across subcarriers
- Variance profile (active devices increase variance on specific subcarriers)
- Phase noise characteristics
3. Store signature as device fingerprint
Detection phase:
For each analysis window:
1. Compute current CSI profile per channel
2. Correlate against stored fingerprints
3. Report device activity: "HP printer active (confidence 0.87)"
```
### Multi-Frequency Advantage
Different devices affect different channels:
- HP printer (ch5): affects subcarriers 20-40 on channel 5 during print jobs
- NETGEAR72 router (ch9): creates clock-drift correlated phase patterns on channel 9
- Microwave: broadband interference strongest on channels 9-11
Single-channel sensing only sees devices that affect that one channel. Multi-frequency scanning observes the full 2412-2462 MHz band, detecting device activity regardless of which channel the device operates on.
### Script
`scripts/device-fingerprint.js`
---
## Implementation
### Shared Infrastructure
All 5 scripts share common infrastructure:
| Component | Detail |
|-----------|--------|
| Packet format | ADR-018 binary (UDP) or .csi.jsonl (replay) |
| IQ parsing | `parseIqHex()` for JSONL, `parseCSIFrame()` for binary UDP |
| Channel assignment | From binary freq field, or simulated round-robin for legacy JSONL |
| Node positions | Configurable, default: Node 1 at (0,0), Node 2 at (3,0) meters |
| Visualization | ASCII Unicode block characters and box drawing |
### Scripts
| Script | Application | Lines | Key Algorithm |
|--------|------------|-------|---------------|
| `scripts/rf-tomography.js` | RF Tomographic Imaging | ~500 | ART backprojection |
| `scripts/passive-radar.js` | Passive Bistatic Radar | ~500 | Range-Doppler + multi-static fusion |
| `scripts/material-classifier.js` | Material Classification | ~450 | Frequency-selective attenuation analysis |
| `scripts/through-wall-detector.js` | Through-Wall Detection | ~400 | Baselined multi-channel anomaly detection |
| `scripts/device-fingerprint.js` | Device Fingerprinting | ~450 | Per-channel signature correlation |
### Data Requirements
- **Live mode**: UDP port 5006, 2 ESP32 nodes channel-hopping per ADR-073
- **Replay mode**: `--replay <file.csi.jsonl>` with overnight recordings
- **Calibration**: through-wall detector requires 60s calibration with `--calibrate`
## Performance Targets
| Application | Latency | Update Rate | Accuracy Target |
|-------------|---------|-------------|-----------------|
| RF Tomography | <100ms per frame | 1 Hz image update | 20 cm spatial resolution |
| Passive Radar | <200ms per frame | 2 Hz range-Doppler | 1 m range, 0.1 m/s velocity |
| Material Classification | <500ms per window | 0.5 Hz classification | 70% correct material ID |
| Through-Wall Detection | <100ms per frame | 2 Hz detection | 90% true positive, <10% false positive |
| Device Fingerprinting | <1s per window | 0.2 Hz activity update | 80% correct device ID |
## Risks
### Limited Frequency Span
The 50 MHz span (2412-2462 MHz) is only 2% of the carrier frequency. Material classification accuracy depends on the attenuation slope being measurable within this narrow range. Mitigation: use long averaging windows (5-10 seconds) to improve SNR of frequency-dependent measurements.
### Node Geometry
2 nodes provide limited spatial diversity for tomographic imaging. The backprojection is essentially 1D along the node-to-node axis, with poor resolution perpendicular to it. Mitigation: neighbor APs provide additional geometric diversity for passive radar mode.
### Legacy Data Compatibility
Overnight recordings (`data/recordings/overnight-*.csi.jsonl`) were captured before multi-frequency scanning was deployed and lack channel/frequency fields. Scripts simulate channel assignment for replay. Full multi-frequency data requires re-recording with channel hopping enabled.
### Phase Calibration
Passive radar requires accurate phase tracking across consecutive frames. ESP32 CSI phase includes a random offset per channel hop that must be removed. Mitigation: use phase-difference between consecutive frames rather than absolute phase.
## Alternatives Considered
1. **5 GHz multi-frequency**: rejected -- no 5 GHz APs visible in environment, no free illuminators.
2. **UWB (ultra-wideband)**: rejected -- ESP32-S3 does not support UWB. Would require additional hardware (DW1000/DW3000 modules).
3. **Dedicated radar hardware**: rejected -- multi-frequency WiFi sensing achieves similar capabilities using existing infrastructure at zero additional cost.
## References
- Wilson, J. & Patwari, N. (2010). "Radio Tomographic Imaging with Wireless Networks." IEEE Trans. Mobile Computing.
- Colone, F. et al. (2012). "WiFi-Based Passive Bistatic Radar: Data Processing Schemes and Experimental Results." IEEE Trans. Aerospace and Electronic Systems.
- Adib, F. & Katabi, D. (2013). "See Through Walls with WiFi!" ACM SIGCOMM.
- Banerjee, A. et al. (2014). "RF-based material identification using WiFi signals." ACM MobiCom.
api-docs/adr/ADR-079-camera-ground-truth-training.md
+512
View File
@@ -0,0 +1,512 @@
# ADR-079: Camera Ground-Truth Training Pipeline
- **Status**: Accepted
- **Date**: 2026-04-06
- **Deciders**: ruv
- **Relates to**: ADR-072 (WiFlow Architecture), ADR-070 (Self-Supervised Pretraining), ADR-071 (ruvllm Training Pipeline), ADR-024 (AETHER Contrastive), ADR-064 (Multimodal Ambient Intelligence), ADR-075 (MinCut Person Separation)
## Context
WiFlow (ADR-072) currently trains without ground-truth pose labels, using proxy poses
generated from presence/motion heuristics. This produces a PCK@20 of only 2.5% — far
below the 30-50% achievable with supervised training. The fundamental bottleneck is the
absence of spatial keypoint labels.
Academic WiFi pose estimation systems (Wi-Pose, Person-in-WiFi 3D, MetaFi++) all train
with synchronized camera ground truth and achieve PCK@20 of 40-85%. They discard the
camera at deployment — the camera is a training-time teacher, not a runtime dependency.
ADR-064 already identified this: *"Record CSI + mmWave while performing signs with a
camera as ground truth, then deploy camera-free."* This ADR specifies the implementation.
### Current Training Pipeline Gap
```
Current: CSI amplitude → WiFlow → 17 keypoints (proxy-supervised, PCK@20 = 2.5%)
Heuristic proxies:
- Standing skeleton when presence > 0.3
- Limb perturbation from motion energy
- No spatial accuracy
```
### Target Pipeline
```
Training: CSI amplitude ──→ WiFlow ──→ 17 keypoints (camera-supervised, PCK@20 target: 35%+)
Laptop camera ──→ MediaPipe ──→ 17 COCO keypoints (ground truth)
(time-synchronized, 30 fps)
Deploy: CSI amplitude ──→ WiFlow ──→ 17 keypoints (camera-free, trained model only)
```
## Decision
Build a camera ground-truth collection and training pipeline using the laptop webcam
as a teacher signal. The camera is used **only during training data collection** and is
not required at deployment.
### Architecture Overview
```
┌─────────────────────────────────────────────────────────────────┐
│ Data Collection Phase │
│ │
│ ESP32-S3 nodes ──UDP──→ Sensing Server ──→ CSI frames (.jsonl) │
│ ↑ time sync │
│ Laptop Camera ──→ MediaPipe Pose ──→ Keypoints (.jsonl) │
│ ↑ │
│ collect-ground-truth.py │
│ (single orchestrator) │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ Training Phase │
│ │
│ Paired dataset: { csi_window[128,20], keypoints[17,2], conf } │
│ ↓ │
│ train-wiflow-supervised.js │
│ Phase 1: Contrastive pretrain (ADR-072, reuse) │
│ Phase 2: Supervised keypoint regression (NEW) │
│ Phase 3: Fine-tune with bone constraints + confidence │
│ ↓ │
│ WiFlow model (1.8M params) → SafeTensors export │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ Deployment (camera-free) │
│ │
│ ESP32-S3 CSI → Sensing Server → WiFlow inference → 17 keypoints│
│ (No camera. Trained model runs on CSI input only.) │
└─────────────────────────────────────────────────────────────────┘
```
### Component 1: `scripts/collect-ground-truth.py`
Single Python script that orchestrates synchronized capture from the laptop camera
and the ESP32 CSI stream.
**Dependencies:** `mediapipe`, `opencv-python`, `requests` (all pip-installable, no GPU)
**Capture flow:**
```python
# Pseudocode
camera = cv2.VideoCapture(0) # Laptop webcam
sensing_api = "http://localhost:3000" # Sensing server
# Start CSI recording via existing API
requests.post(f"{sensing_api}/api/v1/recording/start")
while recording:
frame = camera.read()
t = time.time_ns() # Nanosecond timestamp
# MediaPipe Pose: 33 landmarks → map to 17 COCO keypoints
result = mp_pose.process(frame)
keypoints_17 = map_mediapipe_to_coco(result.pose_landmarks)
confidence = mean(landmark.visibility for relevant landmarks)
# Write to ground-truth JSONL (one line per frame)
write_jsonl({
"ts_ns": t,
"keypoints": keypoints_17, # [[x,y], ...] normalized [0,1]
"confidence": confidence, # 0-1, used for loss weighting
"n_visible": count(visibility > 0.5),
})
# Optional: show live preview with skeleton overlay
if preview:
draw_skeleton(frame, keypoints_17)
cv2.imshow("Ground Truth", frame)
# Stop CSI recording
requests.post(f"{sensing_api}/api/v1/recording/stop")
```
**MediaPipe → COCO keypoint mapping:**
| COCO Index | Joint | MediaPipe Index |
|------------|-------|-----------------|
| 0 | Nose | 0 |
| 1 | Left Eye | 2 |
| 2 | Right Eye | 5 |
| 3 | Left Ear | 7 |
| 4 | Right Ear | 8 |
| 5 | Left Shoulder | 11 |
| 6 | Right Shoulder | 12 |
| 7 | Left Elbow | 13 |
| 8 | Right Elbow | 14 |
| 9 | Left Wrist | 15 |
| 10 | Right Wrist | 16 |
| 11 | Left Hip | 23 |
| 12 | Right Hip | 24 |
| 13 | Left Knee | 25 |
| 14 | Right Knee | 26 |
| 15 | Left Ankle | 27 |
| 16 | Right Ankle | 28 |
### Component 2: Time Alignment (`scripts/align-ground-truth.js`)
CSI frames arrive at ~100 Hz with server-side timestamps. Camera keypoints arrive at
~30 fps with client-side timestamps. Alignment is needed because:
1. Camera and sensing server clocks differ (typically < 50ms on LAN)
2. CSI is aggregated into 20-frame windows for WiFlow input
3. Ground-truth keypoints must be averaged over the same window
**Alignment algorithm:**
```
For each CSI window W_i (20 frames, ~200ms at 100Hz):
t_start = W_i.first_frame.timestamp
t_end = W_i.last_frame.timestamp
# Find all camera keypoints within this time window
matching_keypoints = [k for k in camera_data if t_start <= k.ts <= t_end]
if len(matching_keypoints) >= 3: # At least 3 camera frames per window
# Average keypoints, weighted by confidence
avg_keypoints = weighted_mean(matching_keypoints, weights=confidences)
avg_confidence = mean(confidences)
paired_dataset.append({
csi_window: W_i.amplitudes, # [128, 20] float32
keypoints: avg_keypoints, # [17, 2] float32
confidence: avg_confidence, # scalar
n_camera_frames: len(matching_keypoints),
})
```
**Clock sync strategy:**
- NTP is sufficient (< 20ms error on LAN)
- The 200ms CSI window is 10x larger than typical clock drift
- For tighter sync: use a handclap/jump as a sync marker — visible spike in both
CSI motion energy and camera skeleton velocity. Auto-detect and align.
**Output:** `data/recordings/paired-{timestamp}.jsonl` — one line per paired sample:
```json
{"csi": [128x20 flat], "kp": [[0.45,0.12], ...], "conf": 0.92, "ts": 1775300000000}
```
### Component 3: Supervised Training (`scripts/train-wiflow-supervised.js`)
Extends the existing `train-ruvllm.js` pipeline with a supervised phase.
**Phase 1: Contrastive Pretrain (reuse ADR-072)**
- Same as existing: temporal + cross-node triplets
- Learns CSI representation without labels
- 50 epochs, ~5 min on laptop
**Phase 2: Supervised Keypoint Regression (NEW)**
- Load paired dataset from Component 2
- Loss: confidence-weighted SmoothL1 on keypoints
```
L_supervised = (1/N) * sum_i [ conf_i * SmoothL1(pred_i, gt_i, beta=0.05) ]
```
- Only train on samples where `conf > 0.5` (discard frames where MediaPipe lost tracking)
- Learning rate: 1e-4 with cosine decay
- 200 epochs, ~15 min on laptop CPU (1.8M params, no GPU needed)
**Phase 3: Refinement with Bone Constraints**
- Fine-tune with combined loss:
```
L = L_supervised + 0.3 * L_bone + 0.1 * L_temporal
L_bone = (1/14) * sum_b (bone_len_b - prior_b)^2 # ADR-072 bone priors
L_temporal = SmoothL1(kp_t, kp_{t-1}) # Temporal smoothness
```
- 50 epochs at lower LR (1e-5)
- Tighten bone constraint weight from 0.3 → 0.5 over epochs
**Phase 4: Quantization + Export**
- Reuse ruvllm TurboQuant: float32 → int8 (4x smaller, ~881 KB)
- Export via SafeTensors for cross-platform deployment
- Validate quantized model PCK@20 within 2% of full-precision
### Component 4: Evaluation Script (`scripts/eval-wiflow.js`)
Measure actual PCK@20 using held-out paired data (20% split).
```
PCK@k = (1/N) * sum_i [ (||pred_i - gt_i|| < k * torso_length) ? 1 : 0 ]
```
**Metrics reported:**
| Metric | Description | Target |
|--------|-------------|--------|
| PCK@20 | % of keypoints within 20% torso length | > 35% |
| PCK@50 | % within 50% torso length | > 60% |
| MPJPE | Mean per-joint position error (pixels) | < 40px |
| Per-joint PCK | Breakdown by joint (wrists are hardest) | Report all 17 |
| Inference latency | Single window prediction time | < 50ms |
### Optimization Strategy
#### O1: Curriculum Learning
Train easy poses first, hard poses later:
| Stage | Epochs | Data Filter | Rationale |
|-------|--------|-------------|-----------|
| 1 | 50 | `conf > 0.9`, standing only | Establish stable skeleton baseline |
| 2 | 50 | `conf > 0.7`, low motion | Add sitting, subtle movements |
| 3 | 50 | `conf > 0.5`, all poses | Full dataset including occlusions |
| 4 | 50 | All data, with augmentation | Robustness via noise injection |
#### O2: Data Augmentation (CSI domain)
Augment CSI windows to increase effective dataset size without collecting more data:
| Augmentation | Implementation | Expected Gain |
|-------------|----------------|---------------|
| Time shift | Roll CSI window by ±2 frames | +30% data |
| Amplitude noise | Gaussian noise, sigma=0.02 | Robustness |
| Subcarrier dropout | Zero 10% of subcarriers randomly | Robustness |
| Temporal flip | Reverse window + reverse keypoint velocity | +100% data |
| Multi-node mix | Swap node CSI, keep same-time keypoints | Cross-node generalization |
#### O3: Knowledge Distillation from MediaPipe
Instead of raw keypoint regression, distill MediaPipe's confidence and heatmap
information:
```
L_distill = KL_div(softmax(wifi_heatmap / T), softmax(camera_heatmap / T))
```
- Temperature T=4 for soft targets (transfers inter-joint relationships)
- WiFlow predicts a 17-channel heatmap [17, H, W] instead of direct [17, 2]
- Argmax for final keypoint extraction
- **Trade-off:** Adds ~200K params for heatmap decoder, but improves spatial precision
#### O4: Active Learning Loop
Identify which poses the model is worst at and collect more data for those:
```
1. Train initial model on first collection session
2. Run inference on new CSI data, compute prediction entropy
3. Flag high-entropy windows (model is uncertain)
4. During next collection, the preview overlay highlights these moments:
"Hold this pose — model needs more examples"
5. Re-train with augmented dataset
```
Expected: 2-3 active learning iterations reach saturation.
#### O6: Subcarrier Selection (ruvector-solver)
Variance-based top-K subcarrier selection, equivalent to ruvector-solver's sparse
interpolation (114→56). Removes noise/static subcarriers before training:
```
For each subcarrier d in [0, dim):
variance[d] = mean over samples of temporal_variance(csi[d, :])
Select top-K by variance (K = dim * 0.5)
```
**Validated:** 128 → 56 subcarriers (56% input reduction), proportional model size reduction.
#### O7: Attention-Weighted Subcarriers (ruvector-attention)
Compute per-subcarrier attention weights based on temporal energy correlation with
ground-truth keypoint motion. High-energy subcarriers that covary with skeleton
movement get amplified:
```
For each subcarrier d:
energy[d] = sum of squared first-differences over time
weight[d] = softmax(energy, temperature=0.1)
Apply: csi[d, :] *= weight[d] * dim (mean weight = 1)
```
**Validated:** Top-5 attention subcarriers identified automatically per dataset.
#### O8: Stoer-Wagner MinCut Person Separation (ruvector-mincut / ADR-075)
JS implementation of the Stoer-Wagner algorithm for person separation in CSI, equivalent
to `DynamicPersonMatcher` in `wifi-densepose-train/src/metrics.rs`. Builds a subcarrier
correlation graph and finds the minimum cut to identify person-specific subcarrier clusters:
```
1. Build dim×dim Pearson correlation matrix across subcarriers
2. Run Stoer-Wagner min-cut on correlation graph
3. Partition subcarriers into person-specific groups
4. Train per-partition models for multi-person scenarios
```
**Validated:** Stoer-Wagner executes on 56-dim graph, identifies partition boundaries.
#### O9: Multi-SPSA Gradient Estimation
Average over K=3 random perturbation directions per gradient step. Reduces variance
by sqrt(K) = 1.73x compared to single SPSA, at 3x forward pass cost (net win for
convergence quality):
```
For k in 1..K:
delta_k = random ±1 per parameter
grad_k = (loss(w + eps*delta_k) - loss(w - eps*delta_k)) / (2*eps*delta_k)
grad = mean(grad_1, ..., grad_K)
```
#### O10: Mac M4 Pro Training via Tailscale
Training runs on Mac Mini M4 Pro (16-core GPU, ARM NEON SIMD) via Tailscale SSH,
using ruvllm's native Node.js SIMD ops:
| | Windows (CPU) | Mac M4 Pro |
|---|---|---|
| Node.js | v24.12.0 (x86) | v25.9.0 (ARM) |
| SIMD | SSE4/AVX2 | NEON |
| Cores | Consumer laptop | 12P + 4E cores |
| Training | Slow (minutes/epoch) | Fast (seconds/epoch) |
#### O5: Cross-Environment Transfer
Train on one room, deploy in another:
| Strategy | Implementation |
|----------|---------------|
| Room-invariant features | Normalize CSI by running mean/variance |
| LoRA adapters | Train a 4-rank LoRA per room (ADR-071) — 7.3 KB each |
| Few-shot calibration | 2 min of camera data in new room → fine-tune LoRA only |
| AETHER embeddings | Use contrastive room-independent features (ADR-024) as input |
The LoRA approach is most practical: ship a base model + collect 2 min of calibration
data per new room using the laptop camera.
### Data Collection Protocol
Recommended collection sessions per room:
| Session | Duration | Activity | People | Total CSI Frames |
|---------|----------|----------|--------|-----------------|
| 1. Baseline | 5 min | Empty + 1 person entry/exit | 0-1 | 30,000 |
| 2. Standing poses | 5 min | Stand, arms up/down/sides, turn | 1 | 30,000 |
| 3. Sitting | 5 min | Sit, type, lean, stand up/sit down | 1 | 30,000 |
| 4. Walking | 5 min | Walk paths across room | 1 | 30,000 |
| 5. Mixed | 5 min | Varied activities, transitions | 1 | 30,000 |
| 6. Multi-person | 5 min | 2 people, varied activities | 2 | 30,000 |
| **Total** | **30 min** | | | **180,000** |
At 20-frame windows: **9,000 paired training samples** per 30-min session.
With augmentation (O2): **~27,000 effective samples**.
Camera placement: position laptop so the camera has a clear view of the sensing area.
The camera FOV should cover the same space the ESP32 nodes cover.
### File Structure
```
scripts/
collect-ground-truth.py # Camera capture + MediaPipe + CSI sync
align-ground-truth.js # Time-align CSI windows with camera keypoints
train-wiflow-supervised.js # Supervised training pipeline
eval-wiflow.js # PCK evaluation on held-out data
data/
ground-truth/ # Raw camera keypoint captures
gt-{timestamp}.jsonl
paired/ # Aligned CSI + keypoint pairs
paired-{timestamp}.jsonl
models/
wiflow-supervised/ # Trained model outputs
wiflow-v1.safetensors
wiflow-v1-int8.safetensors
training-log.json
eval-report.json
```
### Privacy Considerations
- Camera frames are processed **locally** by MediaPipe — no cloud upload
- Raw video is **never saved** — only extracted keypoint coordinates are stored
- The `.jsonl` ground-truth files contain only `[x,y]` joint coordinates, not images
- The trained model runs on CSI only — no camera data leaves the laptop
- Users can delete `data/ground-truth/` after training; the model is self-contained
## Consequences
### Positive
- **10-20x accuracy improvement**: PCK@20 from 2.5% → 35%+ with real supervision
- **Reuses existing infrastructure**: sensing server recording API, ruvllm training, SafeTensors
- **No new hardware**: laptop webcam + existing ESP32 nodes
- **Privacy preserved at deployment**: camera only needed during 30-min training session
- **Incremental**: can improve with more collection sessions + active learning
- **Distributable**: trained model weights can be shared on HuggingFace (ADR-070)
### Negative
- **Camera placement matters**: must see the same area ESP32 nodes sense
- **Single-room models**: need LoRA calibration per room (2 min + camera)
- **MediaPipe limitations**: occlusion, side views, multiple people reduce keypoint quality
- **Time sync**: NTP drift can misalign frames (mitigated by 200ms windows)
### Risks
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| MediaPipe keypoints too noisy | Low | Medium | Filter by confidence; MediaPipe is robust indoors |
| Clock drift > 100ms | Low | High | Add handclap sync marker detection |
| Single camera can't see all poses | Medium | Medium | Position camera centrally; collect from 2 angles |
| Model overfits to one room | High | Medium | LoRA adapters + AETHER normalization (O5) |
| Insufficient data (< 5K pairs) | Low | High | Augmentation (O2) + active learning (O4) |
## Implementation Plan
| Phase | Task | Effort | Status |
|-------|------|--------|--------|
| P1 | `collect-ground-truth.py` — camera + MediaPipe capture | 2 hrs | **Done** |
| P2 | `align-ground-truth.js` — time alignment + pairing | 1 hr | **Done** |
| P3 | `train-wiflow-supervised.js` — supervised training | 3 hrs | **Done** |
| P4 | `eval-wiflow.js` — PCK evaluation | 1 hr | **Done** |
| P5 | ruvector optimizations (O6-O9) | 2 hrs | **Done** |
| P6 | Mac M4 Pro training via Tailscale (O10) | 1 hr | **Done** |
| P7 | Data collection session (30 min recording) | 1 hr | Pending |
| P8 | Training + evaluation on real paired data | 30 min | Pending |
| P9 | LoRA cross-room calibration (O5) | 2 hrs | Pending |
## Validated Hardware
| Component | Spec | Validated |
|-----------|------|-----------|
| Mac Mini camera | 1920x1080, 30fps | Yes — 14/17 keypoints, conf 0.94-1.0 |
| MediaPipe PoseLandmarker | v0.10.33 Tasks API, lite model | Yes — via Tailscale SSH |
| Mac M4 Pro GPU | 16-core, Metal 4, NEON SIMD | Yes — Node.js v25.9.0 |
| Tailscale SSH | LAN-accessible Mac, passwordless | Yes |
| ESP32-S3 CSI | 128 subcarriers, 100Hz | Yes — existing recordings |
| Sensing server recording API | `/api/v1/recording/start\|stop` | Yes — existing |
## Baseline Benchmark
Proxy-pose baseline (no camera supervision, standing skeleton heuristic):
```
PCK@10: 11.8%
PCK@20: 35.3%
PCK@50: 94.1%
MPJPE: 0.067
Latency: 0.03ms/sample
```
Per-joint PCK@20: upper body (nose, shoulders, wrists) at 0% — proxy has no spatial
accuracy for these. Camera supervision targets these joints specifically.
## References
- WiFlow: arXiv:2602.08661 — WiFi-based pose estimation with TCN + axial attention
- Wi-Pose (CVPR 2021) — 3D CNN WiFi pose with camera supervision
- Person-in-WiFi 3D (CVPR 2024) — Deformable attention with camera labels
- MediaPipe Pose — Google's real-time 33-landmark body pose estimator
- MetaFi++ (NeurIPS 2023) — Meta-learning cross-modal WiFi sensing
api-docs/adr/ADR-080-qe-remediation-plan.md
+99
View File
@@ -0,0 +1,99 @@
# ADR-080: QE Analysis Remediation Plan
- **Status:** Proposed
- **Date:** 2026-04-06
- **Source:** [QE Analysis Gist (2026-04-05)](https://gist.github.com/proffesor-for-testing/a6b84d7a4e26b7bbef0cf12f932925b7)
- **Full Reports:** [proffesor-for-testing/RuView `qe-reports` branch](https://github.com/proffesor-for-testing/RuView/tree/qe-reports/docs/qe-reports)
## Context
An 8-agent QE swarm analyzed ~305K lines across Rust, Python, C firmware, and TypeScript on 2026-04-05. The overall score was **55/100 (C+) — Quality Gate FAILED**. This ADR captures the findings and establishes a remediation plan.
## Decision
Address the 15 prioritized issues from the QE analysis in three waves: P0 (immediate), P1 (this sprint), P2 (this quarter).
## P0 — Fix Immediately
### 1. Rate Limiter Bypass (Security HIGH)
- **Location:** `archive/v1/src/middleware/rate_limit.py:200-206`
- **Problem:** Trusts `X-Forwarded-For` without validation. Any client bypasses rate limits via header spoofing.
- **Fix:** Validate forwarded headers against trusted proxy list, or use connection IP directly.
### 2. Exception Details Leaked in Responses (Security HIGH)
- **Location:** `archive/v1/src/api/routers/pose.py:140`, `stream.py:297`, +5 endpoints
- **Problem:** Stack traces visible regardless of environment.
- **Fix:** Wrap with generic error responses in production; log details server-side only.
### 3. WebSocket JWT in URL (Security HIGH, CWE-598)
- **Location:** `archive/v1/src/api/routers/stream.py:74`, `archive/v1/src/middleware/auth.py:243`
- **Problem:** Tokens in query strings visible in logs/proxies/browser history.
- **Fix:** Use WebSocket subprotocol or first-message auth pattern.
### 4. Rust Tests Not in CI
- **Problem:** 2,618 tests across 153K lines of Rust — zero run in any GitHub Actions workflow. Regressions ship undetected.
- **Fix:** Add `cargo test --workspace --no-default-features` to CI. 1-2 hour task.
### 5. WebSocket Path Mismatch (Bug)
- **Location:** `ui/mobile/src/services/ws.service.ts:104` constructs `/ws/sensing`, but `constants/websocket.ts:1` defines `WS_PATH = '/api/v1/stream/pose'`.
- **Problem:** Mobile WebSocket silently fails.
- **Fix:** Align paths. Verify which endpoint the server actually serves.
## P1 — Fix This Sprint
| # | Issue | Location | Impact |
|---|-------|----------|--------|
| 6 | God file: 4,846 lines, CC=121 | `sensing-server/src/main.rs` | Untestable monolith |
| 7 | O(L×V) voxel scan per frame | `ruvsense/tomography.rs:345-383` | ~10ms wasted; use DDA ray march |
| 8 | Sequential neural inference | `wifi-densepose-nn inference.rs:334-336` | 2-4× GPU latency penalty |
| 9 | 720 `.unwrap()` in Rust | Workspace-wide | Each = potential panic in RT paths |
| 10 | 112KB alloc/frame in Python | `csi_processor.py:412-414` | Deque→list→numpy every frame |
## P2 — Fix This Quarter
| # | Issue | Impact |
|---|-------|--------|
| 11 | 11/12 Python modules have zero unit tests (12,280 LOC) | Services, middleware, DB untested |
| 12 | Firmware at 19% coverage (WASM runtime, OTA, swarm) | Security-critical code untested |
| 13 | MAT screen auto-falls back to simulated data | Disaster responders could monitor fake data |
| 14 | Token blacklist never consulted during auth | Revoked tokens remain valid |
| 15 | 50ms frame budget never benchmarked | Real-time requirement unverified |
## Bright Spots
- 79 ADRs (exceptional governance)
- Witness bundle system (ADR-028) with SHA-256 proof
- 2,618 Rust tests with mathematical rigor
- Daily security scanning (Bandit, Semgrep, Safety)
- Ed25519 WASM signature verification on firmware
- Clean mobile state management with good test coverage
## Full QE Reports (9 files, 4,914 lines)
| Report | What it covers |
|--------|---------------|
| `EXECUTIVE-SUMMARY.md` | Top-level synthesis with all scores and priority matrix |
| `00-qe-queen-summary.md` | Master coordination, quality posture, test pyramid |
| `01-code-quality-complexity.md` | Cyclomatic complexity, code smells, top 20 hotspots |
| `02-security-review.md` | 15 security findings (3 HIGH, 7 MEDIUM), OWASP coverage |
| `03-performance-analysis.md` | 23 perf findings (4 CRITICAL), frame budget analysis |
| `04-test-analysis.md` | 3,353 tests inventoried, duplication, quality grading |
| `05-quality-experience.md` | API/CLI/Mobile/DX UX assessment |
| `06-product-assessment-sfdipot.md` | SFDIPOT analysis, 57 test ideas, 14 session charters |
| `07-coverage-gaps.md` | Coverage matrix, top 20 risk gaps, 8-week roadmap |
## Consequences
- **P0 fixes** eliminate 3 security vulnerabilities and 2 functional bugs
- **P1 fixes** improve performance, reliability, and maintainability
- **P2 fixes** close coverage gaps and harden the system for production
- Target score improvement: 55 → 75+ after P0+P1 completion
---
*Generated from QE swarm analysis (fleet-02558e91) on 2026-04-05*
api-docs/adr/ADR-081-adaptive-csi-mesh-firmware-kernel.md
+503
View File
@@ -0,0 +1,503 @@
# ADR-081: Adaptive CSI Mesh Firmware Kernel
| Field | Value |
|-------------|-----------------------------------------------------------------------|
| **Status** | Accepted — Layers 1/2/3/4/5 implemented and host-tested; mesh RX path and Ed25519 signing tracked as Phase 3.5 polish |
| **Date** | 2026-04-19 |
| **Authors** | ruv |
| **Depends** | ADR-018, ADR-028, ADR-029, ADR-031, ADR-032, ADR-039, ADR-066, ADR-073 |
## Context
RuView's firmware grew bottom-up. ADR-018 defined a binary CSI frame, ADR-029
added channel hopping and TDM, ADR-039 added a tiered edge-intelligence
pipeline, ADR-040 added programmable WASM modules, ADR-060 added per-node
channel and MAC overrides, ADR-066 added a swarm bridge to a coordinator, and
ADR-073 added multifrequency mesh scanning. Each one was a sound local
decision. Together they produced a firmware that works on ESP32-S3 but is
**implicitly coupled** to that chipset through `csi_collector.c` calling
`esp_wifi_*` directly and through hard-coded assumptions about the WiFi driver
callback shape.
This is a problem for three reasons:
1. **Portability.** Espressif exposes CSI through an official driver API. On
locked Broadcom and Cypress chips, projects like Nexmon achieve the same
thing by patching the firmware blob — but only for specific chip and
firmware build combinations. Future RuView nodes will likely span both
models plus eventually a custom silicon path. Today, none of the modules
above can be reused unchanged on any non-ESP32 chip.
2. **Adaptivity.** The current firmware reacts to configuration, not to
conditions. Channel hop intervals, edge tier, vitals cadence, top-K
subcarriers, fall threshold, and power duty are all read from NVS at boot
and never revisited. There is no closed-loop control: if a channel becomes
congested, if motion spikes, if inter-node coherence drops, or if the
environment is stable enough to coast at lower cadence, nothing changes
onboard. The adaptive classifier in `wifi-densepose-sensing-server` does
adapt — but only on the host side, after the data has already traversed the
network at fixed rate.
3. **Mesh as an afterthought.** ADR-029 wired in a `TdmCoordinator` and ADR-066
added a swarm bridge to a Cognitum Seed, but there is no first-class node
role enumeration (anchor / observer / fusion-relay / coordinator), no
role-assignment protocol, no `FEATURE_DELTA` message type, no
coordinator-driven channel plan, and no automatic role re-election when a
node drops. Multi-node deployments today are stitched together by manual
per-node NVS provisioning.
The hard truth is that the firmware hack — getting raw CSI off a radio — is
not the moat. The moat is **adaptive control, multi-node fusion, compact
state encoding, persistent memory, and contrastive reasoning on top of the
radio layer**. The current architecture does not name those layers, so they
get reinvented inline by every new ADR.
## Decision
Adopt a **5-layer adaptive RF sensing kernel** as the canonical RuView
firmware architecture, and refactor the existing modules to fit underneath
it. The five layers, top to bottom:
```
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 5 — Rust handoff │
│ Two streams only: feature_state (default) and debug_csi_frame (gated) │
└─────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 4 — On-device feature extraction │
│ 100 ms motion, 1 s respiration, 5 s baseline windows │
│ Emits compact rv_feature_state_t (magic 0xC5110006) │
└─────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 3 — Mesh sensing plane │
│ Roles: Anchor / Observer / Fusion relay / Coordinator │
│ Messages: TIME_SYNC, ROLE_ASSIGN, CHANNEL_PLAN, CALIBRATION_START, │
│ FEATURE_DELTA, HEALTH, ANOMALY_ALERT │
└─────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 2 — Adaptive controller │
│ Fast loop ~200 ms — packet rate, active probing │
│ Medium loop ~1 s — channel selection, role changes │
│ Slow loop ~30 s — baseline recalibration │
└─────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 1 — Radio Abstraction Layer (rv_radio_ops_t vtable) │
│ ESP32 binding, future Nexmon binding, future custom silicon binding │
└─────────────────────────────────────────────────────────────────────────┘
```
### Layer 1 — Radio Abstraction Layer
A single function-pointer vtable, `rv_radio_ops_t`, defined in
`firmware/esp32-csi-node/main/rv_radio_ops.h`:
```c
typedef struct {
int (*init)(void);
int (*set_channel)(uint8_t ch, uint8_t bw);
int (*set_mode)(uint8_t mode); /* RV_RADIO_MODE_* */
int (*set_csi_enabled)(bool en);
int (*set_capture_profile)(uint8_t profile_id);
int (*get_health)(rv_radio_health_t *out);
} rv_radio_ops_t;
```
Capture profiles, named not numbered:
| Profile | Intent |
|--------------------------------|-------------------------------------------------------|
| `RV_PROFILE_PASSIVE_LOW_RATE` | Default idle: minimum cadence, presence only |
| `RV_PROFILE_ACTIVE_PROBE` | Inject NDP frames at high rate |
| `RV_PROFILE_RESP_HIGH_SENS` | Quietest channel, longest window, vitals-only |
| `RV_PROFILE_FAST_MOTION` | Short window, high cadence |
| `RV_PROFILE_CALIBRATION` | Synchronized burst across nodes |
Two bindings ship in this ADR:
- **ESP32 binding** (`rv_radio_ops_esp32.c`) wraps `csi_collector.c`,
`esp_wifi_set_channel()`, `esp_wifi_set_csi()`, and
`csi_inject_ndp_frame()`.
- **Mock binding** (`rv_radio_ops_mock.c`) wraps `mock_csi.c` so QEMU
scenarios can exercise the controller and mesh plane without a radio.
A third binding (Nexmon-patched Broadcom) is reserved but not implemented
here.
### Layer 2 — Adaptive controller
`firmware/esp32-csi-node/main/adaptive_controller.{c,h}`. A single FreeRTOS
task with three cooperating timers:
| Loop | Period | Inputs | Outputs |
|--------|---------|------------------------------------------------------------------------|------------------------------------------------------|
| Fast | ~200 ms | packet yield, retry/drop rate, motion score | cadence (vital_interval_ms), active vs passive probe |
| Medium | ~1 s | CSI variance, RSSI median, channel occupancy, inter-node agreement | channel selection (via radio ops), role transitions |
| Slow | ~30 s | drift profile (Stable/Linear/StepChange), respiration confidence | baseline recalibration, switch to delta-only mode |
The controller publishes its decisions through the radio ops vtable
(`set_capture_profile`, `set_channel`) and through the mesh plane
(`CHANNEL_PLAN`, `ROLE_ASSIGN`). Default policy is conservative and matches
today's behavior; aggressive adaptation is opt-in via Kconfig.
### Layer 3 — Mesh sensing plane
Extends `swarm_bridge.c` with explicit node roles (Anchor / Observer /
Fusion relay / Coordinator) and a 7-message type protocol:
| Message | Cadence | Sender(s) | Purpose |
|----------------------|--------------------|------------------|-----------------------------------------------|
| `TIME_SYNC` | 100 ms | Anchor | Reuse ADR-032 `SyncBeacon` (28 bytes, HMAC) |
| `ROLE_ASSIGN` | event-driven | Coordinator | Node ID → role mapping |
| `CHANNEL_PLAN` | event-driven | Coordinator | Per-node channel + dwell schedule |
| `CALIBRATION_START` | event-driven | Coordinator | Synchronized calibration burst |
| `FEATURE_DELTA` | 110 Hz | Observer / Relay | Compact feature delta (see Layer 4) |
| `HEALTH` | 1 Hz | All | `rv_node_status_t` (see below) |
| `ANOMALY_ALERT` | event-driven | Observer | Phase-physics violation, multi-link mismatch |
Node status payload:
```c
typedef struct __attribute__((packed)) {
uint8_t node_id[8];
uint64_t local_time_us;
uint8_t role;
uint8_t current_channel;
uint8_t current_bw;
int8_t noise_floor_dbm;
uint16_t pkt_yield;
uint16_t sync_error_us;
uint16_t health_flags;
} rv_node_status_t;
```
Time-sync target is an engineering goal, not a guaranteed constant — it
depends on the clock quality of the chosen radio family. The first
acceptance test (Phase 2) measures it on real hardware.
### Layer 4 — On-device feature extraction
Defined in `firmware/esp32-csi-node/main/rv_feature_state.h`. Single
on-the-wire packet, **60 bytes packed** (verified by `_Static_assert` and
host unit test), magic `0xC5110006` (next free after ADR-039's
`0xC5110002`, ADR-069's `0xC5110003`, ADR-063's `0xC5110004`, and ADR-039's
compressed `0xC5110005`):
```c
#define RV_FEATURE_STATE_MAGIC 0xC5110006u
typedef struct __attribute__((packed)) {
uint32_t magic; /* RV_FEATURE_STATE_MAGIC */
uint8_t node_id;
uint8_t mode; /* RV_PROFILE_* identifier */
uint16_t seq; /* monotonic per-node sequence */
uint64_t ts_us; /* node-local microseconds */
float motion_score;
float presence_score;
float respiration_bpm;
float respiration_conf;
float heartbeat_bpm;
float heartbeat_conf;
float anomaly_score;
float env_shift_score;
float node_coherence;
uint16_t quality_flags;
uint16_t reserved;
uint32_t crc32; /* IEEE polynomial over bytes [0..end-4] */
} rv_feature_state_t;
_Static_assert(sizeof(rv_feature_state_t) == 60,
"rv_feature_state_t must be 60 bytes on the wire");
```
Three windows feed it: 100 ms (motion), 1 s (respiration), 5 s (baseline /
env shift). Each `rv_feature_state_t` represents the most recent state of
all three; mode field tells the receiver which window dominates this
update.
`rv_feature_state_t` does not replace ADR-039's `edge_vitals_pkt_t`
(0xC5110002) or ADR-063's `edge_fused_vitals_pkt_t` (0xC5110004). Those
remain the wire format for vitals-specific consumers. `rv_feature_state_t`
is the **default upstream payload** for the sensing pipeline; vitals
packets are now an alternate emission mode for backward compatibility.
### Layer 5 — Rust handoff
The Rust side sees only two streams from a node:
1. **`feature_state` stream** — `rv_feature_state_t`, default-on, 110 Hz.
2. **`debug_csi_frame` stream** — ADR-018 raw frames (magic 0xC5110001),
default-off, opt-in via NVS or `CHANNEL_PLAN`. Used for calibration,
debugging, training-set capture.
The Rust handoff is mirrored as a trait in
`crates/wifi-densepose-hardware/src/radio_ops.rs` so test harnesses (and
eventually the Rust-side controller for centralized coordinator nodes) can
swap radio backends without touching `wifi-densepose-signal`,
`wifi-densepose-ruvector`, `wifi-densepose-train`, or
`wifi-densepose-mat`. Rust-side mirror trait is **out of scope for the
firmware-only PR** that ships this ADR; tracked as Phase 4 follow-up.
## State Machine
```
BOOT → SELF_TEST → RADIO_INIT → TIME_SYNC → CALIBRATION → SENSE_IDLE
↓ ↑
SENSE_ACTIVE
ALERT
DEGRADED
```
Transitions:
- **CALIBRATION** on boot, on role change, on sustained inter-node
disagreement.
- **SENSE_ACTIVE** when motion or anomaly score crosses threshold.
- **DEGRADED** when packet yield, sync quality, or memory pressure drops
below threshold; falls back to ADR-039 Tier-0 raw passthrough as the
last-resort survivable mode.
## Data budgets
| Stream | Default rate | Notes |
|-------------------------|-----------------------------|----------------------------------------------|
| Raw capture (internal) | 50200 pps per observer | Stays on-device unless debug stream enabled |
| `rv_feature_state_t` | 110 Hz per node | Default upstream |
| `ANOMALY_ALERT` | event-driven | Burst-bounded |
| Debug ADR-018 raw CSI | 0 (off by default) | Burst-only via `CHANNEL_PLAN` debug flag |
ADR-039 measured raw CSI at ~5 KB/frame and ~100 KB/s per node. The default
upstream with ADR-081's 60-byte `rv_feature_state_t` at 5 Hz is **300 B/s
per node — a 99.7% reduction**. A 50-node deployment at 5 Hz fits in
15 KB/s total, easily carried by a single-AP backhaul.
## Channel planning policy
Codified rules — these are constraints on the controller, not just defaults:
- Keep one anchor on a stable channel; observers distributed across the
least-congested channels.
- Rotate **one** observer at a time. Never change all nodes simultaneously.
- Pin `RV_PROFILE_RESP_HIGH_SENS` to the quietest stable channel for the
duration of a respiration window.
- Use a short active burst on a quiet channel for calibration, then return
to passive capture.
This generalizes the per-deployment policy in ADR-073 ("node 1: ch 1/6/11,
node 2: ch 3/5/9") into a controller-driven plan that the coordinator can
publish via `CHANNEL_PLAN`. IEEE 802.11bf is the standards direction this
points toward.
## Security & integrity
- Every `FEATURE_DELTA` carries node id, monotonic seq, ts_us, and CRC32
(IEEE polynomial), per the struct above.
- Every control message (`ROLE_ASSIGN`, `CHANNEL_PLAN`, `CALIBRATION_START`)
carries sender role, epoch, replay window index, and authorization class,
reusing the HMAC-SHA256 + 16-frame replay window from ADR-032
(`secure_tdm.rs`).
- Optional Ed25519 signature at session/batch granularity for signed
`CHANNEL_PLAN` and `CALIBRATION_START` messages, reusing the
ADR-040/RVF Ed25519 path already shipping in firmware.
## Reuse map (do not rewrite)
| Concern | Existing component |
|-----------------------------|----------------------------------------------------------------------------------------------------------|
| ADR-018 binary frame | `firmware/esp32-csi-node/main/csi_collector.c` (magic `0xC5110001`) |
| ESP32 CSI driver glue | `firmware/esp32-csi-node/main/csi_collector.c:225-303` |
| Channel hopping | `csi_collector_set_hop_table()` and `csi_collector_start_hop_timer()` |
| NDP injection | `csi_inject_ndp_frame()` (placeholder, sufficient for L1 binding) |
| TDM scheduling | `crates/wifi-densepose-hardware/src/esp32/tdm.rs` |
| Secure beacons | `crates/wifi-densepose-hardware/src/esp32/secure_tdm.rs` (HMAC + replay) |
| Edge intelligence (Tier 1/2)| `firmware/esp32-csi-node/main/edge_processing.c` (magic `0xC5110002`/`0xC5110005`) |
| Fused vitals | ADR-063 `edge_fused_vitals_pkt_t` (magic `0xC5110004`) |
| Swarm bridge | `firmware/esp32-csi-node/main/swarm_bridge.c` |
| WASM Tier 3 modules | `firmware/esp32-csi-node/main/wasm_runtime.c` (ADR-040) |
| Multistatic fusion | `crates/wifi-densepose-ruvector/src/viewpoint/fusion.rs` |
| Adaptive classifier | `crates/wifi-densepose-sensing-server/src/adaptive_classifier.rs:61-75` |
| Feature primitives (Rust) | `crates/wifi-densepose-signal/src/{motion.rs,features.rs,ruvsense/coherence.rs}` |
## Implementation status (2026-04-19)
This ADR ships **with** the initial implementation, not ahead of it.
Artifacts delivered alongside the ADR:
| Component | File | State |
|-----------------------------------------|-------------------------------------------------------------------------|-------------|
| L1 vtable + profile/mode/health enums | `firmware/esp32-csi-node/main/rv_radio_ops.h` | Implemented |
| L1 ESP32 binding | `firmware/esp32-csi-node/main/rv_radio_ops_esp32.c` | Implemented |
| L1 Mock (QEMU) binding | `firmware/esp32-csi-node/main/rv_radio_ops_mock.c` | Implemented |
| L2 Controller FreeRTOS plumbing | `firmware/esp32-csi-node/main/adaptive_controller.c` | Implemented |
| L2 Pure decision policy (testable) | `firmware/esp32-csi-node/main/adaptive_controller_decide.c` | Implemented |
| L3 Mesh-plane types + encoder/decoder | `firmware/esp32-csi-node/main/rv_mesh.{h,c}` | Implemented |
| L3 HEALTH emit (slow loop, 30 s) | `adaptive_controller.c:slow_loop_cb()` | Implemented |
| L3 ANOMALY_ALERT on state transition | `adaptive_controller.c:apply_decision()` | Implemented |
| L3 Role tracking + epoch monotonicity | `adaptive_controller.c` (`s_role`, `s_mesh_epoch`) | Implemented |
| L4 Feature state packet + helpers | `firmware/esp32-csi-node/main/rv_feature_state.{h,c}` | Implemented |
| L4 Emitter from fast loop (5 Hz) | `adaptive_controller.c:emit_feature_state()` | Implemented |
| L1 Packet yield + send-fail accessors | `csi_collector.c:csi_collector_get_pkt_yield_per_sec()` + send fail | Implemented |
| L5 Rust mirror trait + mesh decoder | `crates/wifi-densepose-hardware/src/radio_ops.rs` | Implemented |
| Host C unit tests (60 assertions) | `firmware/esp32-csi-node/tests/host/` | **60/60 ✓** |
| Rust unit tests (8 assertions) | `crates/wifi-densepose-hardware` (`radio_ops::tests`) | **8/8 ✓** |
| QEMU validator hooks (3 new checks) | `scripts/validate_qemu_output.py` (check 17/18/19) | Passing |
| L3 mesh RX path (receive + dispatch) | — | Phase 3.5 |
| Ed25519 signing for CHANNEL_PLAN etc. | — | Phase 3.5 |
| Hardware validation on COM7 | — | Pending |
## Measured performance
Host-side benchmarks (`firmware/esp32-csi-node/tests/host/`), x86-64,
gcc `-O2`, 2026-04-19. Numbers are illustrative of algorithmic cost on
a modern CPU; on-target ESP32-S3 Xtensa LX7 at 240 MHz is ~510×
slower for bit-by-bit CRC and broadly comparable for the decide
function after inlining.
| Operation | Cost per call | Notes |
|---------------------------------------------|---------------------|-------------------------------------|
| `adaptive_controller_decide()` | **3.2 ns** (host) | O(1) policy, 9 branches evaluated |
| `rv_feature_state_crc32()` (56 B hashed) | **612 ns** (host) | 87 MB/s — bit-by-bit IEEE CRC32 |
| `rv_feature_state_finalize()` (full) | **592 ns** (host) | CRC-dominated |
| `rv_mesh_encode_health()` + `_decode()` | **1010 ns** (host) | Full roundtrip, hdr+payload+CRC |
Projected on-target cost at 5 Hz cadence:
| Budget | Value |
|--------------------------------------------|---------------------|
| Controller fast-loop tick work (ESP32-S3) | < 10 μs (est.) |
| CRC32 per feature packet (ESP32-S3) | ~36 μs (est.) |
| Feature-state emit cost @ 5 Hz | ~30 μs/sec (0.003%) |
| UDP send cost (existing stream_sender) | — unchanged — |
**Bandwidth:**
| Mode | Rate |
|---------------------------------------------|-------------|
| Raw ADR-018 CSI (pre-ADR-081) | ~100 KB/s |
| ADR-039 compressed CSI (Tier 1) | ~5070 KB/s |
| ADR-039 vitals packet (32 B @ 1 Hz) | 32 B/s |
| **ADR-081 feature state (60 B @ 5 Hz)** | **300 B/s** |
**Memory:**
| Component | Static RAM |
|---------------------------------------------|---------------------|
| Controller state (s_cfg + s_last_obs + …) | ~80 bytes |
| Feature-state emit packet (stack, per tick) | 60 bytes |
| CRC lookup table | 0 (bit-by-bit) |
| Three FreeRTOS software timers | ~3 × 56 B overhead |
**Tests:**
| Suite | Assertions | Result |
|---------------------------------------------|-----------:|------------|
| `test_adaptive_controller` (host C) | 18 | **PASS** |
| `test_rv_feature_state` (host C) | 15 | **PASS** |
| `test_rv_mesh` (host C) | 27 | **PASS** |
| `radio_ops::tests` (Rust) | 8 | **PASS** |
| **Total** | **68** | **68/68** |
| QEMU validator (`ADR-061` pipeline) | +3 checks | hooked |
Cross-language parity: the Rust `crc32_ieee()` is verified against the
same known vectors used by the C test (`0xCBF43926` for `"123456789"`,
`0xD202EF8D` for a single zero byte), and the `mesh_constants_match_firmware`
test asserts `MESH_MAGIC`, `MESH_VERSION`, `MESH_HEADER_SIZE`, and
`MESH_MAX_PAYLOAD` match the C header byte-for-byte. Any drift between
the two implementations fails CI.
## New components this ADR authorizes
| New file | Purpose |
|-------------------------------------------------------------------------------------------|--------------------------------------------------------|
| `firmware/esp32-csi-node/main/rv_radio_ops.h` | `rv_radio_ops_t` vtable + profile/mode/health enums |
| `firmware/esp32-csi-node/main/rv_radio_ops_esp32.c` | ESP32 binding wrapping `csi_collector` + `esp_wifi_*` |
| `firmware/esp32-csi-node/main/rv_feature_state.h` | `rv_feature_state_t` packet + `RV_FEATURE_STATE_MAGIC` |
| `firmware/esp32-csi-node/main/adaptive_controller.h` | Controller API + observation/decision structs |
| `firmware/esp32-csi-node/main/adaptive_controller.c` | 200 ms / 1 s / 30 s loops, FreeRTOS task |
| `crates/wifi-densepose-hardware/src/radio_ops.rs` *(Phase 4 follow-up)* | Rust mirror trait for backend swapping |
## Roadmap
| Phase | Scope | Status |
|-------|--------------------------------------------|--------------------------------------------------|
| 1 | Single supported-CSI node + features → Rust | Largely done via ADR-018, ADR-039 |
| 2 | 3-node Seed v2 mesh + time-sync + plan | Partially done (ADR-029, ADR-066, ADR-073) |
| 3 | Adaptive controller, delta reporting, DEGRADED | **This ADR** authorizes the firmware skeleton |
| 4 | Cross-chipset bindings (Nexmon, custom) | Reserved; gated by Phase 3 stability |
## Acceptance criteria
1. **Portability gate.** A second `rv_radio_ops_t` binding (mock or
alternate chipset) compiles and runs the controller + mesh plane code
unchanged. The signal/ruvector/train/mat crates compile against a Rust
mirror trait without modification.
2. **Mesh resilience benchmark.** A 3-node prototype maintains stable
`presence_score` and `motion_score` when one observer changes channel
or drops out for 5 seconds.
3. **Default upstream is compact.** Raw ADR-018 CSI is off by default; the
default upstream is `rv_feature_state_t` at 110 Hz.
4. **Integrity.** Every `FEATURE_DELTA` carries node id, seq, ts_us, CRC32.
Every control message carries epoch + replay-window + authorization
class, verified against ADR-032's existing HMAC machinery.
## Consequences
### Positive
- The firmware hack is no longer the moat. The 5 layers are explicit and
separately testable.
- Default upstream bandwidth drops ~99% vs. raw ADR-018, making 50+ node
deployments practical.
- A documented vtable + Kconfig surface gates new features ("which layer
does this belong in?") instead of letting them accrete inline.
- Adaptive control of cadence, channel, and role becomes a first-class
firmware concern — the user-facing knob ("be smarter when busy, save
power when idle") finally has a home.
### Negative
- An abstraction tax on the single-chipset case: `rv_radio_ops_t` is a
vtable for a family currently of size 1.
- Adds ~58 KB SRAM for controller state and the new feature-state ring.
- Requires re-routing existing `swarm_bridge` traffic through the mesh
plane message types over time (incremental, not breaking).
### Neutral
- This ADR introduces no new dependencies, no new networking stacks, and
no new hardware requirements.
- ADR-039, ADR-063, ADR-066, ADR-069, ADR-073 are **not superseded**; they
are reframed as components of Layer 3 / Layer 4.
## Verification
```bash
# Host-side C unit tests (no ESP-IDF, no QEMU required)
cd firmware/esp32-csi-node/tests/host
make check
# → test_adaptive_controller: 18/18 pass, decide() = 3.2 ns/call
# → test_rv_feature_state: 15/15 pass, CRC32(56 B) = 612 ns/pkt
# → test_rv_mesh: 27/27 pass, HEALTH roundtrip = 1.0 µs
# Rust-side radio_ops trait + mesh decoder tests
cd v2
cargo test -p wifi-densepose-hardware --no-default-features --lib radio_ops
# → 8 passed; verifies MockRadio, CRC32 parity with firmware vectors,
# HEALTH encode/decode roundtrip, bad-magic/short/CRC rejection,
# and that MESH_MAGIC/VERSION/HEADER_SIZE match rv_mesh.h
# QEMU end-to-end (requires ESP-IDF + qemu-system-xtensa, see ADR-061)
bash scripts/qemu-esp32s3-test.sh
# → Validator now runs 19 checks; new ADR-081 checks 17/18/19 verify
# adaptive_ctrl boot line, rv_radio_mock binding registration, and
# slow-loop heartbeat.
# Full workspace
cargo test --workspace --no-default-features
```
## Related
ADR-018, ADR-028, ADR-029, ADR-030, ADR-031, ADR-032, ADR-039, ADR-040,
ADR-060, ADR-061, ADR-063, ADR-066, ADR-069, ADR-073, ADR-078.
api-docs/adr/ADR-082-pose-tracker-confirmed-output-filter.md
+185
View File
@@ -0,0 +1,185 @@
# ADR-082: Pose Tracker Confirmed-Track Output Filter
| Field | Value |
|-------------|-----------------------------------------------------------------------|
| **Status** | Accepted — implemented in commit landing this ADR |
| **Date** | 2026-04-25 |
| **Authors** | ruv |
| **Issue** | [#420 — "24 ghost people in the UI with 3× ESP32-S3 nodes"](https://github.com/ruvnet/RuView/issues/420) |
| **Depends** | ADR-026 (track lifecycle), ADR-024 (AETHER re-ID embeddings) |
## Context
Multiple users running the Rust sensing server with 3 ESP32-S3 nodes have
reported the same symptom: the live UI renders 2224 phantom skeletons that
flicker at high rate, while `GET /api/v1/sensing/latest` correctly reports
`estimated_persons: 1`. The problem is reproducible across both Docker and
native deployments and is independent of the firmware MGMT-only mitigation
shipped for #396.
The two-number contradiction (1 in the snapshot, ~24 in the WebSocket stream)
narrows the bug to the path that produces `update.persons`. That path is
`tracker_bridge::tracker_update``tracker_bridge::tracker_to_person_detections`
→ WebSocket frame.
### Pose tracker lifecycle (per ADR-026)
`signal::ruvsense::pose_tracker::TrackLifecycleState` has four states:
```
Tentative -> Active -> Lost -> Terminated
```
The state machine and its predicates:
| State | `is_alive()` | `accepts_updates()` | Meaning |
|--------------|--------------|---------------------|---------|
| `Tentative` | true | true | New detection, < 2 confirmed hits |
| `Active` | true | true | Confirmed track, currently observed |
| `Lost` | **true** | false | Confirmed track, missed `loss_misses` updates, still inside `reid_window` |
| `Terminated` | false | false | Removed on next `prune_terminated()` |
`PoseTracker::active_tracks()` filters by `is_alive()`, which means it returns
`Tentative Active Lost` — every track that has not yet been Terminated.
### Root cause
`crates/wifi-densepose-sensing-server/src/tracker_bridge.rs` exposes the
tracker output to the WebSocket stream via:
```rust
/// Convert active PoseTracker tracks back into server-side PersonDetection values.
///
/// Only tracks whose lifecycle `is_alive()` are included.
pub fn tracker_to_person_detections(tracker: &PoseTracker) -> Vec<PersonDetection> {
tracker
.active_tracks()
.into_iter()
.map(|track| { /* ... */ })
.collect()
}
```
The doc comment is correct as a description of `is_alive()`, but `is_alive()`
is the wrong gate for *rendering*. `Lost` tracks have not received a
measurement in `loss_misses` ticks; they are kept around only so the
re-identification machinery can attempt to match them when a similar
detection reappears within `reid_window`. They are not currently observed and
must not appear as live skeletons in the UI.
With 3 ESP32-S3 nodes streaming CSI at ~10 Hz each, `derive_pose_from_sensing`
emits a per-node detection every tick. Detections that fall outside the
Mahalanobis gate (cost ≥ 9.0) cannot match an existing track, so a new
`Tentative` track is created and the previous one ages into `Lost`. With
`reid_window ≈ 30` ticks (~3 s at 10 Hz), up to 30 ticks × 3 nodes ≈ 90
phantom Lost tracks can co-exist before any of them reach `Terminated`.
The actually-observed-now person is one of them; the other ~2289 are ghosts.
The snapshot endpoint `/api/v1/sensing/latest` reads `estimated_persons` from
the multistatic eigenvalue counter (`signal::ruvsense::field_model`), which
operates on the CSI data directly and reports 1. The WebSocket stream reads
`update.persons`, which is the unfiltered `is_alive()` set — hence the
22-vs-1 mismatch.
This is a documentation/implementation discrepancy in `tracker_bridge`, not a
flaw in the lifecycle state machine itself.
## Decision
Introduce a **confirmed-track filter** at the bridge boundary that returns
only tracks the UI is meant to render:
* `Active` — confirmed and currently observed; always render.
* `Tentative` — confirmed for the *current* tick (created or matched this
cycle); render so first-frame visibility latency stays at one tick.
* `Lost`**never** render. They exist only to support re-ID over the
`reid_window` and have, by definition, not been observed for at least
`loss_misses` ticks.
* `Terminated` — never render (already excluded by `is_alive()`).
### Naming
Add `PoseTracker::confirmed_tracks()` — the name reflects "tracks the system
is currently confirming a person is present at this position." Keep
`active_tracks()` unchanged so callers that legitimately need the re-ID set
(re-identification, soft-confidence overlays, debug UIs) still have it.
The bridges public surface stays the same; only the internal accessor
swaps. WebSocket consumers see the corrected `update.persons` automatically.
### Why include `Tentative`
A walking persons first detection lands in `Tentative` until two consecutive
hits arrive (~0.1 s at 10 Hz). Excluding `Tentative` makes the UI
under-render by one tick on every entry; the gain (filtering out spurious
single-detection ghosts) is real but small relative to the much larger Lost
problem and isnt worth the visible latency. If single-tick ghosts become
the dominant complaint after this ADR ships, escalate to `Active`-only and
revisit `birth_hits` calibration.
## Consequences
### Positive
* `update.persons.length` matches `estimated_persons` within ±1 (Tentative
vs. Active hand-off frame) under steady state. #420 closed.
* No change to the lifecycle state machine, no change to `reid_window` or
`loss_misses`, no change to the WebSocket schema. Pure filter at egress.
* `PoseTracker::active_tracks()` keeps its semantics for re-ID consumers;
this avoids breaking ADR-024 (AETHER) call sites.
### Negative / risks
* Existing test `test_tracker_update_stable_ids` exercises three sequential
identical-person updates and asserts the ID is stable across all three.
Filtering Lost out doesnt affect it (the track stays in `Tentative`
`Active`, never Lost during the test). Confirmed by reading the test;
no regression expected.
* Single-tick `Tentative` exposure means very-spurious one-frame detections
*can* still flicker briefly. Acceptable trade-off as discussed above.
### Neutral
* `prune_terminated()` and the existing transition logic
(`predict_all``mark_lost``terminate`) are unchanged.
## Implementation
1. **`signal::ruvsense::pose_tracker`** — add:
```rust
/// Tracks the UI is meant to render: Tentative + Active.
/// Excludes Lost (re-ID candidates) and Terminated.
pub fn confirmed_tracks(&self) -> Vec<&PoseTrack> {
self.tracks
.iter()
.filter(|t| matches!(
t.lifecycle,
TrackLifecycleState::Tentative | TrackLifecycleState::Active
))
.collect()
}
```
2. **`sensing-server::tracker_bridge`** — change
`tracker_to_person_detections` to call `tracker.confirmed_tracks()` and
update the doc comment to describe the new contract.
3. **Regression test** in `tracker_bridge.rs::tests`:
* Drive a track to `Active` over two updates.
* Submit empty detections for `loss_misses + 1` predict cycles to push
the track to `Lost`.
* Assert `tracker_update(... empty ...)` returns an empty `Vec`.
4. **Validation**: workspace tests + ESP32-S3 on COM7 streaming round-trip.
## Validation
* `cargo test --workspace --no-default-features` — must stay green
(≥ 1,538 passed, 0 failed; new regression test adds one).
* Live verification on ESP32 setup: WebSocket `update.persons.length`
must equal `estimated_persons` ± 1 in steady state.
## Related
* ADR-026 — Track lifecycle state machine (this ADR doesnt change it)
* ADR-024 — AETHER re-ID embeddings (uses `active_tracks()`, unchanged)
* PR #425 — Workspace `--no-default-features` build fix (unrelated, just
the prior PR on this branch line)
* Issue #420 — original report
api-docs/adr/ADR-083-per-cluster-pi-compute-hop.md
+245
View File
@@ -0,0 +1,245 @@
# ADR-083: Per-Cluster Pi Compute Hop
| Field | Value |
|----------------|--------------------------------------------------------------------------------------|
| **Status** | Proposed — pending field evidence on three-tier proposal scope |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Supersedes** | — |
| **Refines** | ADR-028 (capability audit), ADR-081 (5-layer kernel), ADR-066 (swarm bridge) |
| **Companion** | `docs/research/architecture/three-tier-rust-node.md`, `docs/research/architecture/decision-tree.md`, `docs/research/sota/2026-Q2-rf-sensing-and-edge-rust.md` |
## Context
ADR-028 established the per-node BOM at ~$9 (ESP32-S3 8MB) — ~$15 with a
mmWave sensor — and ADR-081 framed the firmware as a 5-layer adaptive
kernel running entirely on a single ESP32-S3 die. Both decisions are
correct for the **per-node** dimension; deployments that fit the
"sensor talks UDP to a server somewhere" shape work fine on this stack.
The three-tier-node research exploration
(`docs/research/architecture/three-tier-rust-node.md`) raised a separate
question: **what changes when a deployment scales past one or two rooms,
and where should the heavy compute live?** The exploration's answer
("dual ESP32-S3 + Pi Zero 2W per node") is one shape, but the
companion decision-tree (`decision-tree.md` §1, §3 L3, §5) identifies a
materially cheaper path: keep today's single-S3 sensor node unchanged
and add **one Pi per cluster of 36 sensor nodes**. The 2026-Q2 SOTA
survey (`sota/2026-Q2-rf-sensing-and-edge-rust.md`) confirms that the
load this path needs to carry — model inference, QUIC backhaul, and a
real secure-boot story — fits comfortably on a Pi-class SoC, while the
load it doesn't need to carry — CSI capture, ISR-precise wake control —
is exactly what the ESP32-S3 already does well.
The three things this ADR is about, all of which the current single-S3
deployment shape pushes onto the cloud or onto every individual node:
1. **Per-deployment ML inference.** WiFlow / DT-Pose / GraphPose-Fi
class models (410M params, 0.51.5 GFLOPs) want a Cortex-A53-class
target. The ESP32-S3 cannot host these; the cloud can but only at
the cost of round-trip latency. A per-cluster Pi inference hop is
the natural home.
2. **QUIC backhaul.** `quinn` + `rustls` is mature on Linux but does
not run on ESP32-class hardware in any production-grade form
(SOTA §5). A Pi terminating QUIC for a cluster gives every sensor
node QUIC's loss/handoff/multiplex properties without porting QUIC
to the MCU.
3. **Secure-boot anchor for OTA.** ESP-IDF Secure Boot V2 covers each
sensor node, but cluster-wide policy (which model is current, which
sensor MCU image is canary, what is the rollout ring) needs a
higher-trust local store. A Pi running buildroot + dm-verity +
signed FIT is a defensible anchor without the BOM hit of CM4 / Pi 5
(the latter is its own decision; see ADR-085 sketch below and
decision-tree.md L6).
The cluster-Pi shape does **not** require any change to ADR-028 or
ADR-081. The sensor node continues to be a single-MCU ESP32-S3 running
the 5-layer kernel. Everything new lives at the cluster boundary.
## Decision
Adopt **a per-cluster Pi hop** as the canonical RuView mid-scale
deployment shape. A "cluster" is **36 ESP32-S3 sensor nodes within
WiFi mesh range of one Pi**.
Specifically:
1. **Sensor nodes are unchanged.** They continue to run the ADR-081
5-layer kernel on a single ESP32-S3, emit `rv_feature_state_t`
packets (60 byte, ~5 Hz, ~300 B/s) over UDP, and connect via
ESP-WIFI-MESH or direct WiFi to the cluster Pi.
2. **Each cluster has exactly one Pi** acting as:
- **Sensor aggregator**: ingests UDP from all cluster sensor
nodes, runs feature-level fusion (multistatic + viewpoint
attention from the existing `wifi-densepose-ruvector` crate).
- **ML inference target**: hosts the WiFi-pose model and runs
inference at the cluster boundary, not on each sensor MCU.
- **QUIC client to the cloud / gateway**: terminates QUIC mTLS,
batches cluster-level events.
- **OTA + secure-boot anchor for its sensor nodes**: holds signed
manifests, stages canary rollouts, owns provisioning state.
3. **Cluster Pi SoC choice is deferred** to a future ADR (sketched
below as ADR-085). The acceptable candidates are Pi Zero 2W, Pi 4,
Pi 5, and CM4. The decision tree's L6 distinguishes these by
secure-boot threat model; this ADR does not pre-commit.
4. **The single-node deployment shape is not deprecated.** A
home-lab / single-room / development deployment can still run a
single ESP32-S3 talking UDP directly to the existing
`wifi-densepose-sensing-server`, no Pi required. The cluster Pi
becomes the recommended shape for fleets ≥ 3 sensor nodes.
### Boundary contract
The cluster Pi exposes two interfaces:
| Interface | Direction | Schema |
|------------------------|-------------------|-----------------------------------------------------------------------|
| **UDP `rv_feature_state_t` ingest** | sensor → Pi | Existing 60-byte packed struct from ADR-081 (magic `0xC5110006`) |
| **QUIC mTLS uplink** | Pi → gateway/cloud | New: cluster-level event envelope (CBOR), batched, ~10 KB/min upper bound |
Sensor → Pi is **the same wire as today's sensor → server**. Cluster Pi
uplink is **new** and is what the existing `wifi-densepose-sensing-server`
becomes — relocated from the user's laptop / container to the cluster
node. Concretely: the sensing server already exists in
`crates/wifi-densepose-sensing-server`; it cross-compiles to ARMv7 /
AArch64 today via `cargo build --target aarch64-unknown-linux-gnu`. The
relocation is a deployment change, not a re-implementation.
### Three-tier vs cluster hop
This ADR's cluster-Pi shape is the L3-hybrid path in
`decision-tree.md` §2 — **not** the full three-tier (dual-MCU + per-node
Pi) shape. It captures most of the value (ML, QUIC, secure-boot anchor)
at minimal BOM impact. The full three-tier shape remains the long-term
exploration target, blocked behind L4 (no_std CSI maturity) and L2
(per-node ISR-jitter evidence).
## Consequences
### Positive
- **Pose-grade ML on edge becomes deployable**, not just possible. A
Pi (any of the eligible SoCs) hosts WiFlow-class models with
≤ 100 ms latency per cluster, vs ≥ 1 s round-trip if pose runs in the
cloud (SOTA §1, §3).
- **QUIC arrives without an MCU port.** `quinn` + `rustls` runs on the
Pi as it does on a server (SOTA §5). The sensor MCU keeps UDP — the
cheapest, highest-tested wire it already speaks.
- **Cluster-level secure boot becomes coherent.** Per-sensor Secure
Boot V2 + flash encryption (ADR-028 baseline) is unchanged. The Pi
buildroot + dm-verity image is the cluster trust anchor and signs
the OTA manifests for its sensors. The cluster-level threat model is
expressible without per-sensor BOM regression.
- **No PCB respin.** Sensor nodes are bit-for-bit identical to today's
ADR-028 baseline. The cluster Pi is a separate device on the cluster
WiFi (and / or Ethernet, if available).
- **Deployment cost scales sub-linearly with sensor count.** One
$25$60 Pi per 36 sensor nodes adds ~$5$20 per sensor amortized,
vs ~$25$50 per sensor for the per-node-Pi shape.
### Negative
- **The cluster Pi is a new piece of infrastructure to provision,
monitor, and update.** It is the right place for cluster-level
responsibilities, but it is not free; it adds a Linux box to every
multi-room deployment. Mitigated by buildroot images and the
existing OTA tooling story (see Implementation §4).
- **Cluster Pi failure takes the cluster offline** (sensor nodes
cannot uplink without a working aggregator on the WiFi LAN). For
high-availability deployments, this ADR is the floor; an HA-pair
cluster Pi would be a follow-up.
- **One more network hop on the sensing path.** Sensor → Pi → cloud
adds ~520 ms over Sensor → cloud (depending on link quality).
Pose latency budgets are 100s of ms, so this is well inside spec.
### Neutral
- ADR-028 (capability audit), ADR-081 (5-layer kernel), and ADR-066
(swarm bridge) are unchanged. This ADR adds a new device class above
the sensor; it does not modify the sensor itself.
- The home-lab single-node shape continues to work; this ADR adds a
recommended path for fleets, it does not deprecate the existing one.
## Implementation
The implementation is intentionally light because most of the pieces
already exist; the ADR is largely about formalizing where they live.
1. **Cluster-Pi cross-compile target.** Add to
`rust-port/wifi-densepose-rs/.cargo/config.toml` (or the equivalent
per-crate target spec) an `aarch64-unknown-linux-gnu` target so
`wifi-densepose-sensing-server` builds for Pi 4 / 5 / CM4 by
default. Also retain `armv7-unknown-linux-gnueabihf` for Pi Zero 2W
compatibility while the Pi-SoC decision (ADR-085 sketch) is open.
2. **Cluster-Pi service unit.** Add a systemd unit file under
`firmware/cluster-pi/` (new directory) that runs
`wifi-densepose-sensing-server` with the cluster's UDP/QUIC ports
and drops privileges. Buildroot integration is a separate ADR if
the SoC choice goes to Pi Zero 2W (where there's no RPi-OS path).
3. **QUIC uplink module.** Add `wifi-densepose-sensing-server` a
feature-gated `quic-uplink` module using `quinn` + `rustls`. The
feature is **off by default** in the home-lab shape and on for the
cluster Pi.
4. **OTA + signed-manifest flow.** Out of scope for this ADR; tracked
as I4 in `decision-tree.md` §4. The cluster Pi's role is to *hold*
the manifest store, not to define the manifest format. Use the
existing ADR-066 swarm bridge channel for OTA staging.
5. **Documentation update.** README's hardware-table gains a
"Cluster compute" row. CLAUDE.md gets a one-paragraph cluster-Pi
section under Architecture. User-guide gets a cluster-deployment
section.
6. **Validation.** A 3-sensor cluster + 1 Pi fixture in the lab.
Pass criteria: end-to-end CSI → cluster fusion → cloud ingest;
measured latency under 100 ms per cluster; cluster Pi reboot
without sensor data loss > 5 s; OTA staging round-trip across all
sensors in the cluster.
## Validation
This ADR is **proposed**, not accepted. Acceptance requires:
1. The cluster-Pi `wifi-densepose-sensing-server` cross-compiles
cleanly on `aarch64-unknown-linux-gnu` and `armv7-unknown-linux-gnueabihf`
targets with the existing workspace tests passing.
2. A 3-sensor + 1-Pi field test demonstrates ≥ 4 hours stable
end-to-end CSI → fusion → cloud round-trip with latency
≤ 100 ms per cluster and zero phantom-skeleton regressions
(ADR-082 holds across the new uplink).
3. The cluster-Pi ↔ sensor secure-boot story is approved alongside
ADR-085's SoC choice.
When the above pass, this ADR moves from **Proposed** → **Accepted**
and the README + CLAUDE.md are updated to reflect cluster-Pi as the
recommended fleet-shape.
## Related ADRs (current and proposed)
- **ADR-028** (Accepted) — ESP32 capability audit. Single-node BOM
baseline. Unchanged by this ADR.
- **ADR-029** (Proposed) — RuvSense multistatic sensing mode. Pairs
naturally with cluster-Pi: cluster Pi is the natural home for
multi-sensor fusion.
- **ADR-066** — Swarm bridge to coordinator. The cluster-Pi is the
per-cluster swarm coordinator endpoint.
- **ADR-081** (Accepted) — 5-layer adaptive CSI mesh firmware kernel.
Unchanged by this ADR.
- **ADR-082** (Accepted) — Pose tracker confirmed-track output filter.
Holds across UDP and QUIC uplinks identically.
- **Future ADR (sketched in `decision-tree.md` L4)**`no_std` CSI
capture maturity benchmark. Gates the dual-MCU shape; not required
for the cluster-Pi shape proposed here.
- **Future ADR (sketched in `decision-tree.md` L6)** — Cluster-Pi SoC
choice (Pi Zero 2W vs CM4 vs Pi 5). Pure secure-boot decision.
## Open questions
- **Cluster size sweet spot.** "36 nodes" is a planning estimate. The
3-sensor lab fixture in §Implementation will inform whether the
upper bound is closer to 4, 6, or 8 in practice.
- **Cluster-Pi failure semantics.** Default behavior: sensor MCUs hold
the last 60 s of feature packets in RAM and replay on reconnect.
HA-pair cluster Pi is a separate ADR if needed.
- **Mesh control-plane interaction.** If the deployment moves to
Thread (decision-tree.md L5), the cluster Pi may need a Thread
Border Router role. This ADR doesn't pre-commit; it's compatible
with both ESP-WIFI-MESH and Thread futures.
api-docs/adr/ADR-084-rabitq-similarity-sensor.md
+276
View File
@@ -0,0 +1,276 @@
# ADR-084: RaBitQ Similarity Sensor for CSI / Pose / Memory Routing
| Field | Value |
|----------------|-----------------------------------------------------------------------------------------|
| **Status** | Accepted — Passes 15 + L1L4 hardening implemented and merged via PR #435 (commit `d71ef9a`); acceptance numbers in §"Acceptance test" all measured and passing on synthetic AETHER-shape data; the `< 1 pp end-to-end accuracy regression` criterion is tracked as a post-merge soak test |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-024 (AETHER re-ID embeddings), ADR-027 (cross-environment domain generalization), ADR-076 (CSI spectrogram embeddings), ADR-081 (5-layer firmware kernel) |
| **Companion** | ADR-083 (per-cluster Pi compute hop) |
| **Implements** | `vendor/ruvector/crates/ruvector-core/src/quantization.rs::BinaryQuantized` |
## Context
RuView's signal pipeline already produces several **dense float
embeddings** at different layers:
- AETHER 128-d re-ID embeddings on each `PoseTrack` (ADR-024)
- 64256-d CSI spectrogram embeddings (ADR-076)
- per-room field-model eigenmode vectors (ADR-030)
- per-frame multistatic fused vectors (ADR-029)
Every one of these eventually answers the same shape of question:
**"have I seen something like this before?"** Today the answer is
computed by full float dot-product / Mahalanobis comparisons against a
candidate set. That cost grows linearly with stored vectors and
quadratically when used inside dynamic-mincut graph maintenance,
re-identification re-scoring, and cross-environment domain detection.
The vendored `ruvector-core` crate already ships a 1-bit quantization
(`BinaryQuantized`, 32× compression, SIMD popcnt + hamming distance)
that is functionally equivalent to the **RaBitQ** family of binary
sketches: a vector is reduced to one bit per dimension, compared via
hamming distance, and used as a coarse pre-filter before full
precision refinement. The same module also exposes `ScalarQuantized`
(int8, 4×) and `ProductQuantized` (PQ, 816×), so the tiered
quantization story is already implemented; the *deployment pattern* is
not.
The user observation that motivates this ADR: **RaBitQ-style sketches
are not just a vector compression trick — they are a cheap similarity
sensor.** Used as a sensor, they unlock:
- always-on novelty / anomaly gating that wakes heavy CNNs only on
meaningful change
- cluster-Pi memory routing (which shard / room / model to query first)
- cross-node mesh exchange of compressed sketches instead of raw vectors
- privacy-preserving event logs (sketches, not reconstructable signals)
This ADR formalizes the deployment pattern across the RuView stack and
commits to `ruvector::quantization::BinaryQuantized` as the canonical
implementation.
## Decision
Adopt **RaBitQ-style binary sketches as a first-class, cheap
similarity sensor** at four points in the RuView pipeline:
1. **CSI / pose embedding hot-cache filter** at the cluster Pi.
2. **Drift / novelty sensor** between live observation and a
per-room normal-state bank.
3. **Mesh-exchange compression** between sensor nodes when reporting
cross-cluster events.
4. **Privacy-preserving event log** at the cluster Pi and gateway.
The canonical pattern at every point is:
```text
dense embedding ──► RaBitQ sketch ──► hamming/popcnt compare
├──► candidate set (top-K)
└──► novelty score (0..1)
┌── below threshold ──► emit summary, no escalation
└── above threshold ──► full-precision refinement
├──► ruvector mincut / HNSW
├──► AETHER re-ID rescoring
└──► pose model / CNN wake
```
### Implementation home
- **Sketch type and SIMD primitives**:
`vendor/ruvector/crates/ruvector-core/src/quantization.rs::BinaryQuantized`
— already implemented, already SIMD-accelerated (NEON on aarch64,
POPCNT on x86_64). Re-export through a new
`crates/wifi-densepose-ruvector/src/sketch.rs` module so consumers in
`signal`, `train`, `mat`, and `sensing-server` see a stable
RuView-flavored API and don't bind directly to the vendor crate.
- **Per-room normal-state bank**: lives at the cluster Pi (ADR-083),
not on the sensor MCU. Sensor MCUs continue to emit dense embeddings
in the existing `rv_feature_state_t` packet shape; sketching happens
on the Pi where the candidate bank is.
- **Sketch versioning**: each sketch carries a 16-bit `sketch_version`
field so the Pi can tell incompatible sketches apart when an
embedding model upgrades. Bumped on every embedding-model change.
### Where the sensor sits in the pipeline
| Pipeline stage | Today (full float) | With RaBitQ similarity sensor |
|---|---|---|
| AETHER re-ID match | full 128-d cosine on every active track × candidate | hamming pre-filter to top-K, then full cosine on K |
| Mincut subcarrier selection | full graph re-evaluation | sketch-flagged "likely-changed" boundary edges, full mincut on those |
| CSI room fingerprint | trained classifier on full embedding | sketch hamming to per-room sketch, classifier on miss |
| Field-model novelty (ADR-030) | residual-energy threshold | sketch novelty as second gate before SVD redo |
| Mesh / inter-cluster sync | dense embedding broadcast | sketch broadcast; full vector only on miss |
| Event log retention | full embedding stored | sketch + witness hash stored; raw embedding ephemeral |
In every row, the **decision boundary is unchanged** — full precision
still owns the final answer. The sketch is a sensor that only gates
which comparisons run, not what they decide.
### Acceptance criterion (per the source proposal)
The system-level acceptance test is:
> RaBitQ should reduce compare cost by **8× to 30×** while preserving
> top-k decisions well enough that full refinement changes **fewer
> than 10%** of final results.
Concretely, this means:
- Sketch compare must be measurably **8× cheaper** than the float
comparison it replaces (criterion-bench in `signal/`).
- Top-K candidate set chosen by sketch must contain ≥ 90% of the
candidates the full-float pass would have picked (offline replay
against recorded CSI).
- End-to-end pose / re-ID accuracy must regress by **less than 1
percentage point** vs the full-float baseline on the existing
evaluation set.
If any of these three fail, the sensor is rolled back at that point in
the pipeline and the failing site reverts to full float; the rest of
the pipeline keeps using sketches. This is point-by-point, not
all-or-nothing.
## Consequences
### Positive
- **Cheaper hot path everywhere a "have I seen this" question lives.**
AETHER re-ID, mincut maintenance, room fingerprinting, novelty
detection, mesh sync, and event-log retention all run a 32×-smaller,
popcnt-friendly comparison first.
- **Always-on anomaly gating becomes affordable.** The CNN / pose
model only wakes when sketch novelty crosses a threshold. Energy
budget per node drops materially in steady-state quiet rooms.
- **Privacy story improves.** Event logs and inter-cluster mesh
traffic carry sketches and witness hashes, not reconstructable
embeddings. The 1-bit quantization is *not* invertible to the
original CSI.
- **Composes cleanly with ADR-083.** The cluster Pi is the natural
home for the sketch bank; sensor MCUs remain unchanged.
- **No new dependency.** `BinaryQuantized` is already in the vendored
`ruvector-core` and already SIMD-accelerated.
### Negative / risks
- **Sketch quality depends on embedding distribution.** Pure 1-bit
sign quantization (which `BinaryQuantized` implements) works best
when the embedding space is roughly zero-centered and isotropic.
AETHER and CSI spectrogram embeddings need to be benchmarked for
this assumption; if either fails, a randomized rotation
(Johnson-Lindenstrauss / RaBitQ-paper-style) must be added before
sketching. Out-of-scope for this ADR; tracked as a follow-up if
the acceptance test fails.
- **Top-K coverage degrades for small candidate sets.** With < 16
candidates, the sketch compare can pick the wrong K. Site-by-site
fallback to full float is part of the rollout plan.
- **Sketch-version skew during model upgrades.** A model change
invalidates all stored sketches; the cluster Pi must re-sketch the
candidate bank when `sketch_version` bumps. Cost is bounded but
non-zero.
### Neutral
- ADR-024, ADR-027, ADR-029, ADR-030, ADR-076 are unchanged in
*what* they compute. They gain a sketch pre-filter at the comparison
step.
- ADR-082's confirmed-track output filter is upstream of the sketch
layer; it stays correct.
## Implementation
The implementation lands in five passes, each independently testable.
Every pass is gated by the acceptance criterion above; if any fail,
that site rolls back and the rest continue.
1. **`wifi-densepose-ruvector::sketch` module.** Re-export
`BinaryQuantized` plus a thin RuView-flavored API
(`Sketch::from_embedding`, `Sketch::distance`, `SketchBank::topk`).
Add `sketch_version: u16` and `embedding_dim: u16` fields to the
public type. Criterion benches: sketch ↔ float compare-cost ratio.
2. **AETHER re-ID pre-filter.** In
`wifi-densepose-signal/src/ruvsense/pose_tracker.rs`, before
computing the full 128-d cosine across active tracks × candidates,
sketch both sides and reduce to top-K via hamming. Bench: re-ID
pass time per frame, ID-stability under cross-room transitions.
3. **Cluster-Pi novelty sensor.** In
`wifi-densepose-sensing-server`, maintain a per-room
`SketchBank` of "normal-state" sketches; on each incoming
`rv_feature_state_t`, compute embedding sketch, score novelty
against the bank, and emit `novelty_score` as a new field on the
WebSocket update envelope. Heavy CNN wake gate uses this score.
4. **Mesh-exchange compression.** Inter-cluster broadcasts (the
ADR-066 swarm-bridge channel) carry sketch + witness instead of
the full embedding when novelty is low. Full embedding only
exchanged when novelty crosses threshold.
5. **Privacy-preserving event log.** Event log table on the cluster
Pi stores `(sketch_bytes, sketch_version, novelty_score,
witness_sha256)` instead of raw embeddings. Existing log readers
are unchanged in API; only the storage layer rewrites.
Each pass adds tests: a property test (sketch ↔ float top-K agreement
≥ 90%), a criterion bench (≥ 8× compare cost reduction), and an
end-to-end accuracy regression test (< 1 pp drop).
## Validation
This ADR is **proposed**, not accepted. Acceptance requires the three
acceptance numbers above to hold on **at least three of the five
implementation passes** (the sites where the bulk of the load sits:
AETHER re-ID, cluster-Pi novelty, and event log). The mesh-exchange
and mincut prefilter passes are nice-to-haves; they can ship
afterward if their per-site numbers hold.
Validation runs against:
- the existing 1,539-test workspace suite (must stay green)
- a new `tests/integration/rabitq_sketch_pipeline.rs` integration test
driving recorded CSI through the full pipeline with and without
sketches, comparing top-K decisions and end-to-end pose accuracy
- ESP32-S3 on COM7 — sensor MCU unchanged; sketch happens at the
cluster Pi, so this validation is a smoke test that the
sensor → Pi UDP path still works after the cluster Pi gains the
sketch bank
## Related
- **ADR-024** (Accepted) — AETHER re-ID embeddings. Primary consumer
of the sketch pre-filter.
- **ADR-027** (Accepted) — Cross-environment domain generalization
(MERIDIAN). Per-room sketch bank is the natural data structure for
domain detection.
- **ADR-030** (Proposed) — RuvSense persistent field model. Sketch
novelty is the cheap second gate before SVD recompute.
- **ADR-066** — Swarm bridge to coordinator. Inter-cluster sketch
exchange.
- **ADR-076** (Accepted) — CSI spectrogram embeddings. Sketch
consumer; embedding source.
- **ADR-081** (Accepted) — 5-layer adaptive CSI mesh firmware kernel.
Sensor MCU unchanged by this ADR; sketches happen at the cluster Pi.
- **ADR-083** (Proposed) — Per-cluster Pi compute hop. Defines the
device class that hosts the sketch bank.
## Open questions
- **Does `BinaryQuantized` need a randomized rotation pre-pass for
RuView's embedding distributions?** Pure sign quantization assumes
zero-centered, isotropic embeddings. If AETHER / spectrogram
distributions are skewed (likely for spectrogram), add a
`randomized_rotation` pre-pass following the original RaBitQ paper
(Gao & Long, SIGMOD 2024). Decided after pass-1 benchmark.
- **Sketch dimension target.** Default to the embedding's native
dimension (128 for AETHER, 256 for spectrogram). Higher-dimensional
sketches (Johnson-Lindenstrauss-projected to 512) trade compute for
recall; benchmark before committing.
- **Per-room vs per-deployment sketch banks.** Defaulting to per-room
for novelty detection. Cross-room re-ID may want a shared bank;
decide once cross-room AETHER traces are available.
api-docs/adr/ADR-085-rabitq-pipeline-expansion.md
+452
View File
@@ -0,0 +1,452 @@
# ADR-085: RaBitQ Similarity Sensor — Pipeline Expansion (Seven Additional Sites)
| Field | Value |
|----------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-25 |
| **Authors** | ruv |
| **Refines** | ADR-084 (RaBitQ similarity sensor, five-site baseline) |
| **Touches** | ADR-027 (cross-environment generalization), ADR-028 (capability audit / witness bundle), ADR-066 (swarm-bridge to coordinator), ADR-073 (multifrequency mesh scan), ADR-076 (CSI spectrogram embeddings), ADR-081 (5-layer firmware kernel), ADR-082 (confirmed-track filter), ADR-083 (per-cluster Pi compute hop) |
| **Companion** | `v2/crates/wifi-densepose-ruvector/src/sketch.rs` (ADR-084 Pass 1 — `Sketch`, `SketchBank`, `SketchError`; on branch `feat/adr-084-pass-1-sketch-module`, commits `6fd5b7d` + `1df9d5f7d`) |
## Context
ADR-084 committed RuView to **RaBitQ-style binary sketches as a cheap
similarity sensor** (Gao & Long, SIGMOD 2024 — arxiv 2405.12497) at
five pipeline sites: AETHER re-ID pre-filter, cluster-Pi novelty,
mincut subcarrier maintenance, mesh-exchange compression, and the
privacy-preserving event log. Pass 1 of that work landed the
`wifi-densepose-ruvector::sketch` module and benched at **4351×
compare speedup at d=512** and **7.5× top-K speedup at k=8 over 1024
sketches** — comfortably above the ADR-084 acceptance threshold of
8×. The sketch primitive is no longer an open question; the question
is where else in the pipeline the same sensor pattern earns its keep.
Seven additional sites have been identified, all outside the ADR-084
five but matching the same shape — code that asks "is this familiar?"
against a stored set, today by way of a full float compare or model
invocation. The unifying rule articulated alongside ADR-084 — *sketch
first, refine on miss, store the witness hash instead of the raw
embedding* — applies to all seven.
This ADR formalizes those seven sites in one document rather than
seven small ADRs because (a) they share one primitive and one
acceptance shape, so evaluating in isolation hides the pattern;
(b) most involve modest code surgery (< 200 LOC at the call site)
and an ADR-per-site would inflate the ledger without buying
decision-resolution; (c) the few sites that *do* raise novel
questions (Mahalanobis pre-filtering, REST similarity API shape,
witness-hash format for non-vector data) are flagged under Open
Questions and may spin out as follow-ups if their answers prove
load-bearing. ADR-084 owns the primitive; ADR-085 owns the
*deployment surface*.
## Decision
Apply the ADR-084 sketch sensor pattern at seven additional sites,
listed in the order they will be implemented (cheapest-first /
lowest-risk-first). Each entry states (a) **what is sketched**,
(b) **what triggers the comparison**, (c) **what the refinement step
on a miss is**, and (d) **what artifact stands in for the raw
embedding** — i.e., the witness hash.
### Site 1 — Per-room adaptive classifier short-circuit
**Crate:** `wifi-densepose-sensing-server`
`src/adaptive_classifier.rs::classify` (per-class centroids and spread,
Mahalanobis-like distance per frame).
- **Sketched:** Each per-class centroid `µ_k` (already a fixed-dim
feature vector). Sketches live in a `SketchBank` keyed by class id,
rebuilt whenever a class is re-trained.
- **Trigger:** Every classification call, before the float Mahalanobis
distance loop runs.
- **Refinement on miss / first cut:** Hamming top-K (K = 3) selects
candidate classes; full Mahalanobis runs only on those K. If the
hamming top-1 disagrees with the eventual Mahalanobis winner, log
the disagreement and fall back to full evaluation against all
classes for that frame.
- **Witness hash:** `sha256(centroid_bytes || spread_bytes ||
sketch_version)` per class, recorded once at classifier-train time
and stored alongside the sketch.
The sketch only narrows; Mahalanobis still decides on the K
candidates, preserving the original distance-to-class semantics.
Substituting Mahalanobis for the standard RaBitQ exact-distance
re-rank step (Gao & Long 2024) is, to our knowledge, novel — Open Q1.
### Site 2 — Recording-search REST endpoint
**Crate:** `wifi-densepose-sensing-server`
`src/recording.rs` plus a new HTTP handler in `src/main.rs`.
- **Sketched:** Each recording's pooled CSI/embedding signature (mean
AETHER embedding over the recording, or mean spectrogram embedding
per ADR-076). One sketch per recording, stored next to the recording
metadata.
- **Trigger:** `GET /api/v1/recordings/similar?to=<id>&k=N` request.
- **Refinement on miss:** Hamming top-K returns a candidate list of
recording ids. Full embedding refinement is **opt-in** via a
`&refine=true` query param that loads the candidate recordings'
full embeddings (if stored) and re-ranks. Default behavior is
sketch-only — the endpoint trades exact ranking for the ability to
ship without storing full embeddings server-side.
- **Witness hash:** `sha256(sketch_bytes || recording_id ||
sketch_version)` returned in the response payload as the result row
identifier. The raw embedding is **not retained** by default; the
hash is the artifact a client can use to assert which sketch
produced the match.
Delivers "find recordings that look like this one" without
long-term embedding storage. The shape is closer to SimHash dedup
APIs than to Qdrant's `/collections/{name}/points/search` (the
closest Rust-native vector-DB endpoint, which returns full vectors)
— deliberate; see Open Q4.
### Site 3 — WiFi BSSID fingerprinting (channel-hop scheduler input)
**Crate:** `wifi-densepose-wifiscan`
new `bssid_sketch` module beside the existing scan/result types.
- **Sketched:** A short per-BSSID time-series feature vector — recent
RSSI, SNR, channel, beacon interval, capability flags — pooled over
a rolling window (e.g., last 60 s). One sketch per (BSSID, window).
- **Trigger:** Each scan tick, after the multi-BSSID scan completes.
The current window's sketch is compared against the prior window's
bank.
- **Refinement on miss:** A sketch whose nearest neighbor's hamming
distance exceeds a threshold flags the BSSID as **novel** (newly
appeared, or known-AP-changed-beyond-recognition). The hop scheduler
(ADR-073) reads novelty as a hint to give the affected channel
more dwell time on the next rotation.
- **Witness hash:** `sha256(bssid || pooled_features || sketch_version
|| window_end_unix)` stored in the per-AP novelty log; raw
per-BSSID time series is dropped after the sketch is taken.
Anomaly detection over a heterogeneous low-dim vector; acceptance
is **false-positive rate on stable deployments**, not top-K
coverage. IEEE 802.11bf-2025 (published March 2025) standardizes
sensing measurement frames but not BSSID-novelty heuristics, so
this site does not duplicate the standard's scope.
### Site 4 — mmWave radar signature memory
**Crate:** `wifi-densepose-vitals`
`src/preprocessor.rs` and `src/anomaly.rs` (LD2410 / MR60BHA2 input
path).
- **Sketched:** A per-frame radar signature vector — range bins,
Doppler bins, peak frequencies — sketched at the same cadence as
the radar input (~10 Hz).
- **Trigger:** Every incoming radar frame, before the heavy vital
signs DSP runs. The current sketch is compared against a small
per-room "have we seen this kind of frame before" bank.
- **Refinement on miss:** A sketch within hamming distance of a known
signature short-circuits to "no new event"; vital signs DSP stays
asleep. A sketch beyond threshold wakes the full breathing/heart
pipeline (`vitals::breathing`, `vitals::heartrate`) for one or more
frames, then re-sleeps once the bank update settles.
- **Witness hash:** `sha256(signature_bytes || sensor_kind ||
sketch_version)` stored in the vitals event log; the raw radar
frame is not retained beyond the rolling preprocessor buffer.
Energy is the headline: vital signs DSP (band-pass + phase-fusion +
heart/breath FFT) is the most expensive cluster-Pi operation per
minute of quiet-room time. Published FMCW pipelines treat the DSP
stage as always-on after presence; **no primary source** found for
"binary-sketch wake-gate over a per-room radar signature bank" —
this is a direct extension of ADR-084's novelty sensor.
### Site 5 — Witness bundle similarity (ADR-028 release-CI signal)
**Crate:** Out-of-tree — addition to `scripts/generate-witness-bundle.sh`
plus a new `scripts/witness_drift_check.py`.
- **Sketched:** Each release's witness bundle "fingerprint" — a fixed
vector built from per-component SHA-256 prefixes plus numeric
attestation values (test count, proof hash byte-segments,
per-firmware sizes). One sketch per release.
- **Trigger:** Run during the CI release job, after the witness
bundle is generated and before publication.
- **Refinement on miss:** A sketch whose hamming distance to the prior
release exceeds threshold flags the release as **drifted** and
surfaces the changed components in the CI summary. The release is
not blocked; the signal is a ratchet that says "these components
changed by more than the recent baseline, take a second look."
- **Witness hash:** `sha256(sketch_bytes || release_tag ||
sketch_version)` published alongside the witness bundle as
`WITNESS-LOG-<sha>.sketch`. The full bundle is the existing artifact;
the sketch hash is a 32-byte add-on.
Conservative use of the sensor — drift detection over a *very*
small candidate set (last 510 releases). Existing CI drift prior
art is autoencoder/SHAP-based commit-anomaly detection plus
PKI-signed artifact integrity; **no primary source** for
"binary-sketch over release-bundle fingerprint" as a CI signal.
Acceptance: "useful ratchet without false-firing on every
dependency bump." If no, the sketch step drops from the release
script — most readily revertible of the seven.
### Site 6 — Agent / swarm memory routing
**Crate:** `wifi-densepose-sensing-server`
`src/multistatic_bridge.rs` (ADR-066 swarm-bridge channel) and the
peer Cognitum Seed registration metadata.
- **Sketched:** Each Cognitum Seed's accumulated **historical bank**
signature — a pooled mean of the sketches it has stored over a
rolling horizon. One sketch per peer Seed; refreshed at peer
heartbeat cadence.
- **Trigger:** A sensor node escalates an event to the swarm. Before
broadcasting to all peer Seeds, the cluster Pi computes the event's
sketch and routes it to the **closest peer** by hamming distance.
- **Refinement on miss:** No nearby peer (all hammings above threshold)
→ broadcast to all. Nearby peer hits → unicast to that Seed first;
only escalate to broadcast if the routed Seed cannot resolve.
- **Witness hash:** `sha256(event_sketch || origin_seed_id ||
routed_seed_id || sketch_version || event_unix)` recorded in the
swarm-bridge audit log. The full event sketch is exchanged; the
hash is the routing-decision attestation.
A 12-Seed swarm broadcasting every event is O(n) message storm per
event; sketch-routing turns the common case into O(1) with O(n)
fallback. Closest published comparator: **MasRouter** (ACL 2025),
which routes LLM queries via a learned DeBERTa router; ADR-085's
variant is structurally similar but uses unlearned hamming compare
against each peer's pooled bank — cheaper, and resilient to peer
churn.
### Site 7 — Log / event-stream pattern detection
**Crate:** `wifi-densepose-sensing-server`
new `src/event_anomaly.rs` module reading the cluster Pi's
existing event stream.
- **Sketched:** A pooled feature vector over the recent-events window
(last hour by default) — counts per event type, mean inter-event
interval, sources distribution. One sketch per cluster, refreshed
every 5 minutes.
- **Trigger:** Every refresh tick. The current-hour sketch is compared
against the historical bank (last 24 hours of hourly sketches).
- **Refinement on miss:** Hamming distance above threshold flags the
hour as **anomalous behavior**; the cluster Pi raises a single
cluster-level alert with a pointer to the witness hash, **not** to
the raw events. No raw events leave the Pi as part of the alert
payload.
- **Witness hash:** `sha256(hourly_sketch || cluster_id || hour_unix
|| sketch_version)` recorded as the alert body. Raw events stay on
the cluster Pi behind the existing privacy boundary.
The most genuinely "anomaly detection" of the seven, and most
exposed to the non-vector witness-hash open question (event
features are mixed counts and rates needing normalization before
sketching). Closest published comparator: **LogAI** (Salesforce,
Drain parser → counter vectors → unsupervised detection); ADR-085's
variant sketches the counter vector, trading recall for constant
memory and sub-ms compare on the cluster Pi.
### Witness-hash discipline
In every site above, the witness hash replaces the raw embedding /
feature vector at the storage boundary — the same privacy posture
ADR-084 introduced for the cluster-Pi event log, generalized across
seven new contexts. The format is uniform:
`sha256(sketch_bytes || stable_metadata || sketch_version)`. Where
the input is not natively a dense vector (Sites 5 and 7), the
encoding into a sketchable shape is itself a design choice — see
Open Questions.
## Consequences
### Positive
- **The "is this familiar?" pattern becomes a first-class deployment
primitive across REST APIs, scanning subsystems, mmWave gating,
CI, swarm routing, and event analytics.** Each site is a modest
win individually; together they remove the last excuses to keep
full embeddings on every storage and exchange path.
- **Energy and bandwidth wins compound at the cluster boundary.**
Site 4 cuts vital signs DSP duty cycle; Site 6 cuts cross-cluster
broadcast load. Both are at the cluster Pi, where wattage matters.
- **Privacy story strengthens.** Every site stores a witness hash,
not raw data. Sites 2 and 7 are explicitly designed to ship
without retaining the embeddings or event payloads they index.
- **Reuses ADR-084 Pass 1 with no new dependency.** The
`wifi-densepose-ruvector::sketch` module already exposes
`Sketch`, `SketchBank`, `SketchError` at 4351× compare speedup.
- **Each site is independently testable and revertible.** The seven
passes share no data paths; failure at any one rolls back without
touching the others.
### Negative / risks
- **Mahalanobis distributional assumption (Site 1).** Pure 1-bit
sign quantization performs best on zero-centered, isotropic
embeddings; Mahalanobis explicitly encodes covariance structure
hamming distance is insensitive to. The sketch is used **only**
as a candidate-narrower; the Mahalanobis re-score preserves
semantics. But if hamming top-K systematically excludes the true
winner, the short-circuit is worse than no short-circuit. The
Validation acceptance test guards this; randomized rotation
pre-pass (RaBitQ-paper-style) may be needed — see Open Q1.
- **REST endpoint shape (Site 2) is an API surface commitment.**
A `GET /api/v1/recordings/similar` with a sketch-only default
is a contract; clients expect approximate-recall behavior.
Documenting "sketch-only by default, `&refine=true` for full
re-ranking" is part of the acceptance bar.
- **False-positive risk on Site 3 (BSSID novelty)** in dynamic
environments. Coffee-shop / co-working deployments see BSSIDs
rotate constantly; the signal must flag *unexpected* change,
not background churn — acceptance is framed accordingly.
- **Witness-hash format for non-vector inputs (Sites 5 and 7).**
Witness bundles and event streams are not natively dense-vector
data; the encoding into sketchable form (numeric SHA-prefix
segments; normalized event-type histograms) is itself a design
choice future model changes can break. `sketch_version` bumps
invalidate banks everywhere, but only Sites 5 and 7 must
re-encode raw inputs.
- **Operational surface area.** Seven banks each with their own
persistence, version-skew, and refresh story. The cluster Pi
gains non-trivial state. ADR-083's secure-boot / OTA story
holds, but state-rebuild cost on `sketch_version` bump is now
seven banks, not one.
### Neutral
- The five ADR-084 sites and the seven sites here are independent.
Acceptance or rollback at any one site does not propagate.
- ADR-082 (confirmed-track filter) remains upstream of every sketch
call. ADR-081 (5-layer firmware kernel) is unchanged — every new
bank lives at the cluster Pi or higher.
- ADR-027 (cross-environment generalization, MERIDIAN) interacts
cleanly: Site 1's per-class sketches are *per environment* by
construction, which is the same shape MERIDIAN already assumes.
## Implementation
Seven passes, ordered cheapest-first / lowest-risk-first. Each is
independently shippable; each has a single-line acceptance test that
must pass before the next pass starts.
| # | Pass | Target crate | Acceptance test (one line) |
|---|------|--------------|----------------------------|
| 1 | **Witness bundle drift sketch** (Site 5) | `scripts/witness_drift_check.py` | CI run on the last 5 releases produces ≥ 1 drift flag on a known dependency-bump release and 0 flags on a known no-op release. |
| 2 | **BSSID fingerprint novelty** (Site 3) | `wifi-densepose-wifiscan::bssid_sketch` | 24-hour soak in a stable office: novelty rate ≤ 5 events / hour; controlled new-AP injection: novelty fires within 2 scan cycles. |
| 3 | **mmWave signature gate** (Site 4) | `wifi-densepose-vitals::preprocessor` | Vitals DSP CPU time / hour ≥ 4× lower in steady-state empty-room compared to no-gate baseline; missed-detection regression ≤ 1 pp on the existing breathing/heart fixtures. |
| 4 | **Adaptive classifier short-circuit** (Site 1) | `wifi-densepose-sensing-server::adaptive_classifier` | Per-frame `classify` time reduced ≥ 2× at K = 3 candidates; classification accuracy regression ≤ 1 pp on the held-out test set. |
| 5 | **Event-stream anomaly sketch** (Site 7) | `wifi-densepose-sensing-server::event_anomaly` | 7-day rolling deployment: ≤ 1 false anomaly / day; injection of a synthetic anomalous hour fires within one refresh tick. |
| 6 | **Swarm memory routing** (Site 6) | `wifi-densepose-sensing-server::multistatic_bridge` | 12-Seed simulated swarm: per-event broadcast-message count drops ≥ 5× vs. unrouted baseline; routed-Seed-resolution rate ≥ 80%. |
| 7 | **Recording-search REST endpoint** (Site 2) | `wifi-densepose-sensing-server::recording` + HTTP route | `GET /api/v1/recordings/similar` returns a top-K with ≥ 90% candidate-set agreement vs. full-embedding re-rank on the recorded dataset; response time < 50 ms at K = 10 over 1000 recordings. |
ADR-084's general acceptance numbers — **830× compare cost
reduction, ≥ 90% top-K coverage, < 1 pp accuracy regression** —
apply unchanged to Sites 1 (classifier) and 2 (recording search),
where the candidate set is large and top-K coverage is the right
framing. Sites 3, 4, 5, 6 are gating / anomaly / routing problems
measured against site-specific criteria above (false-positive rate,
DSP duty cycle, broadcast count, drift-flag precision). Each pass
adds three tests under `v2/crates/<target>/tests/`: property test
(sketch ↔ float top-K where applicable), criterion bench
(compare-cost ratio), end-to-end regression against recorded data.
Benches reuse the ADR-084 Pass 1 harness.
## Validation
This ADR is **Proposed**. Acceptance requires **at least four of
seven passes** to meet their per-row acceptance test. The four
must-haves are: **Site 1** (per-frame cost; Mahalanobis assumption
load-bearing), **Site 4** (cluster-Pi energy), **Site 6**
(cross-cluster bandwidth), **Site 7** (privacy-preserving anomaly).
Sites 2, 3, 5 are nice-to-haves and may ship or revert
independently.
Validation runs against:
- existing workspace tests (must stay green at
`cargo test --workspace --no-default-features` on `v2/`);
- a 7-day cluster-Pi soak at the lab fixture (3 sensor nodes + 1 Pi
per ADR-083) with recordings, mmWave, and BSSID scans active —
per-site logs graded against the Implementation table;
- Python proof harness unchanged (`archive/v1/data/proof/verify.py`
must still print `VERDICT: PASS`);
- regenerated witness bundle (ADR-028) including the Site 5 sketch.
When the four must-haves pass and the soak holds, ADR moves
**Proposed → Accepted** and README hardware/feature tables gain a
sketch-bank row.
## Open questions
1. **Does Mahalanobis pre-filtering survive sign-quantization bias
on Site 1?** Pure 1-bit sketches discard the covariance
structure Mahalanobis uses. The pass-1 framing — sketch narrows,
Mahalanobis decides — preserves correctness in expectation, but
adversarial centroid geometries can let the hamming top-K
systematically exclude the true winner. **No primary source
found** for "binary-sketch + Mahalanobis-refine" as a published
pipeline; marked as conjecture, gated by the Site-1 acceptance
test. If it fails, the next experiment is the randomized
rotation pre-pass from Gao & Long (SIGMOD 2024, arxiv
2405.12497), which ADR-084 also flagged for AETHER /
spectrogram embeddings. A standalone follow-up ADR is the
likely outcome if rotation is needed.
2. **Witness-hash format for non-vector data (Sites 5, 7).** The
release bundle (Site 5) and event stream (Site 7) are not
natively dense-vector inputs. The proposed encodings — numeric
SHA-256-prefix segments plus attestation values for Site 5;
normalized event-type histograms for Site 7 — are plausible
but unvalidated against drift in the underlying distributions.
A small follow-up ADR formalizing the "non-vector → sketchable"
canonical path is plausible if the two sites diverge.
3. **Cross-environment domain generalization interaction
(ADR-027).** Per-class sketches in Site 1 and per-room banks at
Sites 4 and 7 are implicitly per-environment artifacts; ADR-027
(MERIDIAN) handles cross-environment generalization at the model
layer. When MERIDIAN's domain detector flags an environment
shift, do banks rebuild, swap, or merge? Default here is
**rebuild on shift**; a merge story may be cheaper and is open
for the eventual MERIDIAN-aware deployment.
4. **REST API shape for Site 2.** The choice between
Qdrant/Pinecone/Weaviate-style endpoints (Qdrant being the
closest Rust-native comparator with HTTP `/points/search`) and
a thin sketch-only response is intentionally opinionated
toward the thin shape. **No Rust-idiom primary source** was
located for "sketch-only similarity search over recordings"
specifically; closest analog is SimHash-over-documents
deduplication, which lacks time-series-recording prior art.
If a clean Rust crate emerges owning this idiom, Site 2 may
delegate rather than ship bespoke.
5. **BSSID novelty and 802.11bf-2025 interaction.** IEEE 802.11bf
was published in March 2025 and standardizes WLAN sensing
measurement frames; Site 3's novelty sketch operates above the
measurement layer (on RSSI/SNR/channel time-series) and should
not duplicate what 802.11bf eventually exposes natively. **No
primary source found** for "RSSI-fingerprint anomaly + 802.11bf"
— marked as conjecture; revisit when client/AP support arrives.
## Related
- **ADR-027** (Proposed) — MERIDIAN cross-environment generalization.
Per-environment sketch banks (Sites 1, 4, 7) need an explicit
swap/rebuild story under MERIDIAN-detected domain shifts.
- **ADR-028** (Accepted) — ESP32 capability audit / witness bundle.
Site 5 adds a sketch ratchet to the existing release artifact.
- **ADR-066** (Proposed) — Swarm bridge to coordinator. Site 6 routes
over the bridge channel ADR-066 defines.
- **ADR-073** (Proposed) — Multifrequency mesh scan. Site 3's
BSSID novelty feeds the hop scheduler ADR-073 owns.
- **ADR-076** (Proposed) — CSI spectrogram embeddings. Site 2's
recording-search sketch can pool over spectrogram embeddings
when present, or fall back to AETHER means.
- **ADR-081** (Accepted) — 5-layer adaptive CSI mesh firmware kernel.
No firmware change; every new sketch bank is at the cluster Pi
or higher.
- **ADR-082** (Accepted) — Pose tracker confirmed-track filter.
Upstream of every sketch call; unchanged.
- **ADR-083** (Proposed) — Per-cluster Pi compute hop. The Pi is
the host for all seven new banks; ADR-083's deployment story is
the prerequisite.
- **ADR-084** (Proposed) — RaBitQ similarity sensor (five-site
baseline). This ADR refines and extends; it does not duplicate
ADR-084's compare-cost / top-K / accuracy acceptance numbers
where unchanged.
api-docs/adr/ADR-086-edge-novelty-gate.md
+423
View File
@@ -0,0 +1,423 @@
# ADR-086: Edge Novelty Gate — Push the RaBitQ Sensor Down to the Sensor MCU
| Field | Value |
|----------------|----------------------------------------------------------------------------------------------------------------------------------------------|
| **Status** | Proposed |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-081 (5-layer adaptive CSI mesh firmware kernel — Layer 4 / On-device feature extraction), ADR-084 (RaBitQ similarity sensor) |
| **Touches** | ADR-018 (binary CSI frame magic discipline), ADR-028 (capability audit / witness verification), ADR-082 (confirmed-track output filter), ADR-085 (RaBitQ pipeline expansion) |
| **Companion** | `firmware/esp32-csi-node/main/rv_feature_state.h` (current `0xC5110006` v6 wire format), `docs/research/architecture/three-tier-rust-node.md` (BQ24074 power budget context), `vendor/ruvector/crates/ruvector-core/src/quantization.rs::BinaryQuantized` (std reference implementation that this ADR will not directly reuse on-MCU) |
## Context
ADR-081's 5-layer firmware kernel today emits one `rv_feature_state_t`
packet per node every 1001000 ms (110 Hz, default 5 Hz on COM7),
60 bytes payload, magic `0xC5110006`, regardless of how interesting
the underlying CSI window was. At a 5 Hz baseline the per-node steady-
state load is ~300 B/s of UDP plus the radio TX duty that emits it.
Across a 12-node deployment the cluster Pi sees ~3.6 kB/s of
feature-state — not a bandwidth crisis on its own, but every one of
those packets also costs sensor-MCU radio TX energy, every one
contends for ESP-WIFI-MESH airtime per ADR-081 Layer 3, and every one
runs through the cluster-Pi novelty bank ADR-084 Pass 3 only to be
classified as "nothing new" most of the time in a quiet room.
ADR-084 made novelty cheap on the cluster-Pi side. The same novelty
sensor is structurally local: a sketch, a small ring of recent
sketches, and a hamming-distance compare. Pushing that gate down into
the sensor MCU's Layer 4 (On-device feature extraction) lets the node
*not transmit* a frame the cluster-Pi would have filed under
"familiar" anyway. Bandwidth, sensor-MCU TX energy, and RF airtime
all win, and the cluster-Pi novelty path stops re-doing work the edge
already proved pointless. This is the natural ADR-085 follow-up
flagged but deliberately left out of the ADR-085 scope because it
requires a `no_std` sketch port, a Kconfig-gated rollout, a wire-
format bump, and a fresh witness regeneration — none of which are
appropriate inside an in-flight cluster-Pi work loop.
The crux of the decision is whether the cost of (a) hand-porting the
sketch primitive to `no_std` Xtensa LX7, (b) sizing the in-IRAM ring
without disturbing the existing Layer 4 budget, (c) bumping the
`rv_feature_state_t` magic and teaching the cluster-Pi a graceful
v6/v7 fallback, and (d) re-cutting the ADR-028 witness bundle is
justified by the suppression rate the gate actually achieves on real
deployments. The answer should be obvious in stable rooms (≥50 %
suppression looks easy) and ambiguous in active rooms (suppression
should drop sharply, which is exactly what we want). This ADR commits
to numbers up front so the decision is falsifiable.
## Decision
Adopt an **edge novelty gate** in the sensor MCU's Layer 4 of
ADR-081's 5-layer kernel. The gate sits between feature extraction
and the existing UDP send path; when novelty is below a configurable
threshold the frame is **not transmitted**, and the node accumulates
a per-source `suppressed_since_last` counter that is folded into the
next non-suppressed packet. This keeps the cluster-Pi's books
honest — the edge can suppress *bandwidth*, but it can never
silently suppress the *fact of suppression*.
### Components
The implementation is two pieces, both new in
`firmware/esp32-csi-node/main/`:
1. **`rv_sketch.{h,c}`** — a `no_std`-equivalent (plain C, ESP-IDF)
1-bit sketch primitive. Sign-quantize a feature vector, pack into
bytes (`(dim + 7) / 8` bytes), hamming distance via 8-bit
table-lookup popcount. Xtensa LX7 has no hardware POPCNT
instruction (no primary source consulted; conjecture based on the
ESP32-S3 TRM not advertising one — to be confirmed by checking
the [TRM](https://www.espressif.com/sites/default/files/documentation/esp32-s3_technical_reference_manual_en.pdf)
under bit-manipulation extensions); the table-lookup scalar
baseline is the right starting point and is already what
`BinaryQuantized` falls back to on architectures without a SIMD
POPCNT path (`vendor/ruvector/crates/ruvector-core/src/quantization.rs`,
lines 332340).
2. **An IRAM-resident sketch ring.** Fixed size at compile time:
`RV_EDGE_BANK_SIZE` slots × `RV_EDGE_VECTOR_DIM_BYTES` bytes.
For the default Layer 4 feature dimension of 56 (matching the
subcarrier-selection / interpolation target widely used in this
codebase), the ring at the default 32 slots costs
`32 × 7 = 224 bytes`. A 64-slot ring at 56 d costs 448 bytes — both
sit comfortably inside the existing static-memory budget on either
the 4 MB or 8 MB Waveshare AMOLED ESP32-S3 board, well clear of
ADR-081 Layer 4's existing window buffers. Eviction is FIFO; on
each new sketch the oldest is overwritten.
### Gating policy
For each completed Layer 4 feature window:
```text
1. compute feature vector (existing)
2. sketch = sign_quantize(feature_vector) // new
3. nearest_hamming = ring_min_distance(sketch) // new
4. novelty = nearest_hamming / dim // 0..1, new
5. if novelty >= CONFIG_RV_EDGE_NOVELTY_THRESHOLD
OR suppressed_since_last >= CONFIG_RV_EDGE_MAX_CONSEC_SUPPRESS
OR CONFIG_RV_EDGE_FORCE_SEND:
ring_insert(sketch)
emit rv_feature_state_t v7 with suppressed_since_last
suppressed_since_last = 0
else:
suppressed_since_last += 1
// do not insert into ring — only confirmed-emitted sketches anchor the bank
```
Threshold default: `CONFIG_RV_EDGE_NOVELTY_THRESHOLD = 500`
basis-points (= 5.0 % of dimension). Kconfig does not accept floats
without contortion (the standard Espressif practice in our codebase
is to express thresholds as `int` basis-points or scaled fixed-point);
this preserves the Kconfig-as-truth discipline ADR-081 already
follows.
Suppression cap default:
`CONFIG_RV_EDGE_MAX_CONSEC_SUPPRESS = 50`. At 5 Hz that is 10 s of
forced silence at most before a "stuck gate" self-heals into a
forced send — comparable to ADR-081's slow-loop 30 s recalibration
cadence and well below any user-visible UI staleness threshold.
Default-off gate: `CONFIG_RV_EDGE_NOVELTY_GATE_ENABLE = n`. Existing
deployments behave identically until they opt in.
### Wire format — v7
Bump the `rv_feature_state_t` magic to `0xC5110007` and add three
bytes by reusing the existing 2-byte `reserved` field plus one byte
borrowed from the 16-bit `quality_flags` budget (only 8 of 16 flags
are defined today; we narrow to `uint8_t quality_flags`):
| Offset (v7) | Field | Notes |
|-------------|-----------------------------|--------------------------------------|
| 0..3 | `magic = 0xC5110007` | new; differentiates from `0xC5110006` |
| 4 | `node_id` | unchanged |
| 5 | `mode` | unchanged |
| 6..7 | `seq` | unchanged |
| 8..15 | `ts_us` | unchanged |
| 16..51 | nine `float` features | unchanged |
| 52 | `quality_flags` (`uint8_t`) | narrowed from u16 — see Open Q3 |
| 53 | `gate_version` (`uint8_t`) | new |
| 54..55 | `suppressed_since_last` | new (`uint16_t` LE) |
| 56..59 | `crc32` | unchanged, computed over [0..56) |
Total size: still 60 bytes, **wire-compatible at packet length but
not at field semantics** — magic is the discriminator. Cluster-Pi
receivers that recognize `0xC5110007` interpret the new fields;
receivers that recognize `0xC5110006` continue to work but do not
see the suppression count. The receiver gracefully falls back when
it sees the v6 magic; this is the explicit graceful-fallback contract
ADR-081 already established for Layer 5 stream parsing.
The choice to narrow `quality_flags` from 16 to 8 bits relies on the
fact that `rv_feature_state.h` defines exactly 8 `RV_QFLAG_*` bits
today (lines 3340); future flag growth is a separate ADR slot, and
the alternative — adding a 4th `uint8_t` and growing the packet to
64 bytes — costs a recompute of every Layer 5 parser and is more
intrusive than the magic bump.
## Consequences
### Positive
- **Sensor-MCU UDP TX duty cycle drops by the suppression rate.** A
back-of-envelope at 5 Hz: at 50 % suppression, ~150 B/s and
~2.5 packets/s per node instead of ~300 B/s and 5; at 90 %
suppression, ~30 B/s and 0.5 packets/s. ESP32-S3 TX energy at
+20 dBm is the dominant per-packet cost on the BQ24074-class node
(`docs/research/architecture/three-tier-rust-node.md` §3.3 power
budget shows ~80 mA active-CSI baseline with TX-burst spikes at
~150 mA peak; the gate primarily cuts the burst-frequency rather
than the baseline). ≥30 % TX-energy reduction in steady-state quiet
rooms is the validation target.
- **Cluster-Pi novelty path runs on a smaller stream.** ADR-084
Pass 3 is unchanged in code, but the input rate it processes drops
by the suppression rate. The Pi-side bank stops accumulating
redundant "stable" anchors and concentrates its bank slots on
actually-different frames. This is a quality win, not just a cost
win.
- **Mesh airtime contention drops, which improves ADR-081 Layer 3
for everyone else.** Less feature-state traffic frees airtime for
TIME_SYNC, ROLE_ASSIGN, FEATURE_DELTA, HEALTH, and ANOMALY_ALERT
— the high-priority mesh-control traffic that today competes with
routine feature-state in the same channel.
- **`suppressed_since_last` is observable.** The cluster-Pi can
detect a node that has been suppressing for too long, a node
whose suppression rate suddenly drops (occupant entered the
room — the right behaviour), and a node whose suppression cap is
triggering frequently (gate is mistuned). All three are useful
signals and all three live in fields the receiver already parses.
### Negative / risks
- **The cluster-Pi-side novelty sensor sees fewer data points.** This
is the load-bearing negative consequence and the most likely
source of regression. ADR-084 Pass 3's bank ages out anchors based
on insertion time; if the edge gate suppresses 70 % of frames in
a quiet room, the Pi bank receives 30 % of its expected anchor
rate and may take 3× longer to converge to a useful steady state
on a freshly-rebooted Pi. Mitigation: the validation acceptance
test runs the Pi-side novelty top-K coverage against an
unsuppressed baseline and budgets ≤5 percentage points regression.
If the cluster-Pi cold-start convergence becomes a real problem
the simplest patch is to force-send the first
`CONFIG_RV_EDGE_FORCE_SEND_BURST` (default 32) frames per
Layer 2 slow-loop recalibration window — but this lives outside
the ADR-086 baseline and is called out as a follow-up if needed.
- **Witness chain.** Per ADR-028, every change to firmware
invalidates the witness bundle. Edge novelty gate is a non-trivial
firmware change: it touches Layer 4, adds a wire-format magic,
and ships a Kconfig surface. The witness bundle must be re-cut
and the SHA-256 of the proof bundle is **expected** to change
(which is the whole point of the witness — the change must be
visible). The post-change validation step is to run
`bash scripts/generate-witness-bundle.sh` and confirm 7/7 PASS
via `dist/witness-bundle-ADR028-*/VERIFY.sh`.
- **Two wire-format magics in the field at once.** During rollout
some nodes emit v6 and some v7. The cluster-Pi receiver must
handle both, and the WebSocket "latest snapshot" path must not
accidentally null-out the new fields when re-encoding for v6
consumers. The graceful-fallback contract is small (~30 LOC on
the Pi), but it is a contract and breaking it loses observability
for the v7 nodes. Validation includes a mixed-version soak.
- **Pose-tracker interaction (Open Q4).** ADR-082 added a confirmed-
track output filter that already drops single-frame phantom poses
before they reach the WebSocket. The edge gate could *suppress
the very frames* that would have promoted a pose track from
Tentative to Active — i.e., a person walks through a quiet room
and the first 12 frames look "low novelty" because the gate
hasn't seen them yet, then the gate suddenly fires and emits the
third frame. ADR-082's three-frame minimum could miss a real pose.
Mitigation candidates: (a) lower the threshold during ADR-082
Tentative-state minutes; (b) treat motion_score above a fixed
floor as a force-send signal regardless of sketch novelty;
(c) accept the regression as part of the "novelty is precisely
what we wanted to gate on" framing. Decision deferred — Open Q4.
- **Operator debuggability.** A development-time
`CONFIG_RV_EDGE_FORCE_SEND` Kconfig flag bypasses the gate
entirely and is the right tool for diffing
with-gate vs without-gate behaviour during a deployment. Required.
### Neutral
- ADR-018's binary CSI frame stream is unchanged; the gate operates
on Layer 4 feature state, not on the debug raw-CSI path.
- ADR-085's seven cluster-Pi-side sketch sites that consume
`rv_feature_state_t` see *fewer* inputs but the same shape;
Sites 6 (swarm routing) and 7 (event-stream anomaly) will be
slightly less sensitive under v7. Re-measurement is recommended
but is not a blocker for ADR-086.
## Implementation
Six numbered passes, ordered cheapest-first / lowest-risk-first.
Each is independently shippable, each has a one-line acceptance
criterion that must pass before the next pass starts. Default-off
Kconfig means none of these passes can break a deployment that has
not opted in.
| # | Pass | Target | Acceptance |
|---|------|--------|------------|
| 1 | **`no_std` sketch primitive port** (`firmware/esp32-csi-node/main/rv_sketch.{h,c}`) | sensor-MCU C | QEMU unit test: 56-d sign-quantize of a fixed seed produces the bit-pattern matching the host-side reference; hamming distance round-trips. |
| 2 | **IRAM ring + insert/min-distance API** | sensor-MCU C | On-target benchmark on COM7: insert + ring-min on 32 slots ≤ 200 µs at 240 MHz. |
| 3 | **Kconfig flags** (`CONFIG_RV_EDGE_NOVELTY_GATE_ENABLE`, `_THRESHOLD`, `_MAX_CONSEC_SUPPRESS`, `_FORCE_SEND`) | `firmware/esp32-csi-node/main/Kconfig.projbuild` | Build with each flag toggled produces the expected `sdkconfig.defaults` merge; unit test asserts threshold of 500 bps maps to 5.0 % decision boundary. |
| 4 | **`rv_feature_state_t` v7 wire format + finalize() update** | `firmware/esp32-csi-node/main/rv_feature_state.{h,c}` | `_Static_assert(sizeof == 60)` still holds; CRC32 over the new layout round-trips; v6 receiver test reads a v7 packet without panic and ignores the new fields. |
| 5 | **Cluster-Pi reconciliation** | `crates/wifi-densepose-sensing-server/` UDP intake + ADR-084 Pass 3 novelty bank | A v7 packet with `suppressed_since_last = N` causes the Pi-side bank to interpret the gap as low-novelty stable-baseline contribution rather than as missing data; integration test on a synthetic v7 stream. |
| 6 | **QEMU + COM7 hardware-in-loop validation** | end-to-end | Stable-room recording: ≥50 % suppression rate; cluster-Pi novelty top-K coverage regression ≤ 5 pp vs unsuppressed baseline; stuck-gate self-heal exercised in a unit test. |
Pass 1 deliberately does not depend on
`vendor/ruvector/crates/ruvector-core::BinaryQuantized`. That crate
is `std`-bound (`Vec<u8>`, `is_x86_feature_detected!`, NEON
intrinsics — `quantization.rs` lines 289340) and porting it to
`no_std` Xtensa LX7 is not a one-line `#![no_std]` flip. The clean
path is a fresh minimal C primitive that matches the
`BinaryQuantized` *behaviour* (sign quantization, byte-table popcount
fallback, `(dim+7)/8` packed bytes); the host-side reference becomes
a **spec**, not a dependency. A future `no_std`-clean Rust port may
unify both once `esp-radio` / `esp-csi-rs` matures (three-tier node
research §7.3) — out of scope here.
## Validation
This ADR is **Proposed**. Acceptance requires every numbered Pass to
meet its acceptance criterion *and* the following system-level
numbers to hold on the COM7 hardware-in-loop run:
- **Computation budget**: sketch insert + ring-min ≤ 200 µs;
total per-frame Layer 4 overhead (existing feature extraction +
new gate) ≤ 500 µs at 240 MHz Xtensa LX7.
- **Energy**: ≥ 30 % UDP TX-energy reduction in stable-room
scenarios, measured by packets-per-second × per-packet TX duty
against an unsuppressed baseline. Direct mA-level measurement is
out of scope for this ADR; the proxy metric is sufficient.
- **Cluster-Pi accuracy**: ≤ 5 percentage-point drop on the
ADR-084 Pass 3 novelty top-K coverage metric vs an unsuppressed
baseline run on the same recorded CSI.
- **Bandwidth**: ≥ 50 % reduction in steady-state quiet-room UDP
byte rate per node.
- **Stuck-gate self-heal**: a unit test that pins the sketch
primitive output to "always low novelty" must observe a forced
send within ≤ 10 s (≤ 50 frames at 5 Hz).
- **Existing test gates**: `cargo test --workspace
--no-default-features` stays green; `python v1/data/proof/verify.py`
stays green (the proof harness sees no firmware-side change and
the SHA-256 should not move because the proof exercises Python
pipeline math, not firmware behaviour); the witness bundle
(`scripts/generate-witness-bundle.sh`) runs and the resulting
`VERIFY.sh` reports 7/7 PASS — **the bundle's own SHA-256 will
differ**, which is the witness-chain signal that firmware
changed.
If any system-level number fails, the gate ships behind
`CONFIG_RV_EDGE_NOVELTY_GATE_ENABLE = n` (default-off) and the ADR
moves to **Rejected** for that hardware target while the wire-format
v7 changes are kept (they cost nothing dormant). If only the cluster-
Pi accuracy number fails, the gate is allowed to ship at a more
conservative `CONFIG_RV_EDGE_NOVELTY_THRESHOLD` until the cluster-
Pi-side reconciliation logic catches up.
## Open questions
1. **Does Xtensa LX7's lack of POPCNT make the table-lookup scalar
baseline fast enough at 5 Hz?** **No primary-source confirmation
performed — conjecture** (the ESP32-S3 TRM is the primary
source). At 7 bytes/sketch × 32 slots = 224 bytes of popcount
per frame, even a pessimistic 100-cycles-per-byte estimate sits
well under 200 µs at 240 MHz; Pass 2 bench resolves it.
2. **Should the IRAM ring be replaced by PSRAM-backed storage when
the board has it?** The 8 MB-flash Waveshare AMOLED ESP32-S3
ships with 8 MB PSRAM (CLAUDE.md hardware table; not a primary
source — the board datasheet is); the ring at 32 slots × 7 bytes
does not need PSRAM. A larger ring (1024 slots × 7 bytes ≈ 7 kB)
to keep a longer history would benefit from PSRAM. The default
IRAM-only sizing is the correct ship-now choice; PSRAM-backed
is an open follow-up if the cluster-Pi reconciliation logic
needs more history than 32 slots provides.
3. **Where does `gate_version: u8` come from?** Three options:
(a) Kconfig-pinned at firmware build time;
(b) NVS-stored and bumped at provision time;
(c) embedded as a build-id byte derived from the firmware
manifest. Default: option (a), Kconfig-pinned. Rationale: the
gate version is part of the firmware contract, not the per-
deployment configuration. NVS is the wrong namespace; the build-
id approach is more robust to provisioning slips but harder to
compare across deployments. The decision is reversible — the
field width is fixed at 8 bits regardless of source.
4. **Interaction with ADR-082 (pose-tracker confirmed-track
filter).** The gate could legitimately suppress the very frames
that would have promoted a Tentative track to Active in
ADR-082's three-frame minimum. The risk is asymmetric: false-
positive ghost poses are filtered by ADR-082 (correct), but
false-negative-real poses are *enabled* by the edge gate
suppressing real-but-quiet first frames. Mitigations are listed
in Consequences; the ADR commits to (a) Tentative-state-aware
threshold tuning if the validation regression on the pose
recall metric exceeds 2 percentage points, and (b) keeping
`motion_score >= 0.05` as an unconditional force-send override
inside the gate. Open Q because the right mitigation depends on
the measured regression.
## Related
- **ADR-018** (Accepted) — Binary CSI frame magic discipline. The
v7 wire format follows the same magic-bump pattern.
- **ADR-028** (Accepted) — Capability audit / witness verification.
Re-cut the bundle after this ADR ships; the SHA is *expected* to
change.
- **ADR-081** (Accepted) — 5-layer adaptive CSI mesh firmware
kernel. ADR-086 is a Layer 4 refinement.
- **ADR-082** (Accepted) — Pose-tracker confirmed-track filter.
Open Q4 above.
- **ADR-084** (Proposed) — RaBitQ similarity sensor. The cluster-
Pi reference for the same gate this ADR pushes to the edge.
- **ADR-085** (Proposed) — RaBitQ pipeline expansion. Seven
cluster-Pi-side sites; ADR-086 is the deliberately-out-of-scope
edge follow-up flagged at ADR-085 publication time.
## Related ADR slots
The user prompt that produced this ADR identified two further
follow-ups that should land as their own ADRs *if and when* the
triggering condition occurs. They are recorded here as pointer-stubs
rather than full ADRs because each is a one-paragraph commitment, not
a structured decision; opening a full ADR for either prematurely
would inflate the ledger without buying decision resolution.
### ADR-087 (prospective) — Pass-4 mesh-exchange scope clarification
ADR-084 §"Decision" lists "mesh-exchange compression" between sensor
nodes when reporting cross-cluster events as the fourth of its five
sites. The binding intent of that text is **cluster-Pi to cluster-Pi
exchange** — i.e., the ADR-066 swarm-bridge channel between peer
Cognitum Seeds — not sensor-MCU to cluster-Pi UDP traffic. The two
are different problems: cluster-to-cluster is std Rust on Linux/Mac
and reuses `BinaryQuantized` directly; sensor-to-Pi is what ADR-086
addresses. If the team later reinterprets Pass 4 as
sensor→cluster-Pi UDP compression, that would be ADR-086's twin and
should land as **ADR-087** with its own firmware release, distinct
from ADR-086's release. The clarification is one paragraph because
the only decision is "which interpretation does ADR-084's Pass 4
mean", and the answer is currently the cluster-to-cluster reading.
ADR-087 only opens if that reading is contested.
### ADR-088 (prospective) — Firmware-release coordination policy
Issues #386 and #396 (firmware-only fixes — the MGMT-only
promiscuous filter and the 50 Hz callback-rate gate) demonstrate
that the firmware can need a release independent of any cluster-Pi
ADR work. ADR-086 is itself an example: it requires a firmware
release that is not driven by ADR-084 or ADR-085, both of which are
cluster-Pi-only. Today the implicit policy is "firmware releases
when something firmware-only ships." That works but is undocumented.
**ADR-088** would formalize *when* a firmware release is required vs
deferred, with concrete examples: a Kconfig flag flip (#386 / #396)
must release; a Pi-side parser-only addition (ADR-085 Sites 17)
must not; a wire-format magic bump (ADR-086) must release and must
re-cut the witness bundle; a feature-flag-default flip on a shipped
v7 firmware should release a config bundle but not a firmware
binary. ADR-088 opens when the next firmware-only change after
ADR-086 lands and forces the decision; it is recorded here as a
slot rather than written speculatively because the actual release-
gating questions only become concrete in the presence of a real
shipping change.
api-docs/adr/ADR-089-nvsim-nv-diamond-simulator.md
+194
View File
@@ -0,0 +1,194 @@
# ADR-089: nvsim — NV-Diamond Magnetometer Pipeline Simulator
| Field | Value |
|----------------|-----------------------------------------------------------------------------------------|
| **Status** | Accepted — Passes 15 implemented and merged via the `feat/nvsim-pipeline-simulator` branch; Pass 6 (proof bundle + criterion bench) pending in the next iteration |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Companion** | `docs/research/quantum-sensing/14-nv-diamond-sensor-simulator.md`, `docs/research/quantum-sensing/15-nvsim-implementation-plan.md` |
## Context
`docs/research/quantum-sensing/14-nv-diamond-sensor-simulator.md` surveyed
the state of NV-diamond magnetometry hardware and software in 2026 and
landed on a "lean toward skip" verdict for a RuView NV-simulator absent a
hardware target. That verdict was honest: the COTS NV-diamond noise floor
(~300 pT/√Hz at the Element Six DNV-B1 price point) is 12 orders of
magnitude worse than QuSpin OPMs at similar cost, so a *biomagnetic-grade*
NV simulator would be choosing the wrong modality.
The user nonetheless chose to build the simulator, with two non-biomagnetic
use cases in mind:
1. **Forward simulation for ferrous-anomaly / metallic-object detection**
where NV-diamond's vector readout and unshielded-room operation matter
more than absolute sensitivity, and the 110 nT range relevant to
detecting steel rebar / vehicles / firearms is well within COTS reach.
2. **Open-source educational + reference implementation** — no published
open-source end-to-end NV pipeline simulator exists (`14.md` §2.2 gap).
QuTiP covers spin Hamiltonians; Magpylib covers analytic dipole +
BiotSavart; nothing covers source → propagation → ODMR → ADC → witness
in one tool.
`docs/research/quantum-sensing/15-nvsim-implementation-plan.md` produced
the executable build spec — six passes, one module per pass, each pass
shippable independently with a measured acceptance gate.
## Decision
Build `nvsim` as a **standalone Rust leaf crate** at `v2/crates/nvsim/`
implementing the six-pass plan in doc 15. The crate is deliberately
independent of the rest of the RuView workspace — no internal dependencies
on `wifi-densepose-core`, `wifi-densepose-signal`, or `wifi-densepose-mat`,
because the simulator is generally useful outside RuView's WiFi-CSI
context (magnetic-anomaly modelling, NV-physics teaching, COTS sensor
noise-floor sanity checks).
Six-pass implementation:
1. **Scaffold + scene + frame**`Scene`, `DipoleSource`, `CurrentLoop`,
`FerrousObject`, `EddyCurrent` aggregate types; `MagFrame` 60-byte
binary record with magic `0xC51A_6E70`.
2. **Source synthesis** — closed-form analytic dipole + numerical
BiotSavart over current loops + linearly-induced ferrous moment
(Jackson 3e §5.45.6; Cullity & Graham 2e §2; Magpylib reference
per Ortner & Bandeira 2020).
3. **Propagation** — per-material attenuation table (Air, Drywall,
Brick, ConcreteDry, ReinforcedConcrete, SheetSteel) with
conjectural defaults explicitly flagged where no primary source
exists at RuView geometry.
4. **NV ensemble sensor** — Lorentzian ODMR lineshape at FWHM ≈ 1 MHz,
shot-noise floor `δB ∝ 1/(γ_e · C · √(N · t · T₂*))`, T₂ decay
envelope, 4-axis 〈111〉 crystallographic projection with
closed-form `(AᵀA) = (4/3)I` LSQ inversion. Defaults match Barry
et al. *Rev. Mod. Phys.* 92 (2020) Table III for COTS bulk diamond.
5. **Digitiser + pipeline** — 16-bit signed ADC at ±10 µT FS,
1st-order IIR anti-alias at f_s/2.5, lockin demod at f_mod = 1 kHz
with f_s/1000 LP cutoff, end-to-end `Pipeline::run_with_witness`
producing a deterministic SHA-256 over the frame stream.
6. **Proof bundle + criterion bench***pending next iteration*.
Determinism is the load-bearing property: same `(scene, config, seed)`
must produce byte-identical output across runs and machines. Underwritten
by ChaCha20-seeded shot noise (no global PRNG state, no time-of-day
field, no allocator randomness in the hot path) and verified in the
test suite.
## Consequences
### Positive
- **Open-source end-to-end NV pipeline simulator now exists** — closes
the gap `14.md` §2.2 identified.
- **Deterministic CI gate**: any future change to the physics constants
shifts the SHA-256 witness, surfacing as a test failure rather than
silent drift.
- **Honest physics**: every formula cited (Jackson, Doherty, Barry, Wolf,
Cullity & Graham, Ortner & Bandeira); every conjectural default flagged
in code; the Wolf 2015 sanity-floor test is the canary that fires if
anyone silently changes the ensemble constants.
- **Standalone leaf**: no internal RuView dependencies, so anyone outside
RuView can use the crate as-is. RuView integrations land behind opt-in
feature flags.
- **Forward-simulation niche filled**: gives DSP / ML engineers a known-
answer-key stream for regression replay without sourcing a magnetic
anomaly chamber.
### Negative / risks
- **Wrong modality risk**: per `14.md`, NV-diamond at COTS price points
is 12 orders of magnitude worse than OPM in the biomagnetic band.
Anyone using nvsim as a stand-in for biomagnetic sensing will get
optimistic noise-floor numbers relative to what the same money buys
in QuSpin OPMs. Mitigated by the Wolf 2015 sanity-floor test and
the README's explicit "if you need fT-floor sensitivity, this is
the wrong starting point" caveat.
- **Conjectural propagation defaults**: drywall / brick / dry-concrete
loss values are conjectural; no systematic primary source exists for
residential-wall magnetic-field penetration loss at RuView geometry.
Flagged in code and in `15.md` §2.2; the `HEAVY_ATTENUATION` flag
surfaces this to downstream consumers.
- **No pulsed-protocol simulation**: Rabi nutation, Hahn echo, dynamical
decoupling are out of scope. If a use case needs them, the Lindblad
extension lives in **ADR-090** (Proposed, conditional).
- **Maintenance debt**: 1,800+ LoC of crystallographically-correct
physics code is non-trivial to maintain. Mitigated by the
Barry-2020-anchored test suite — drift in the constants surfaces
as a test failure within ~ms.
### Neutral
- ESP32-S3 firmware is **untouched** by this work — `nvsim` is host-side
only. Existing firmware tags (`v0.6.2-esp32`) continue to ship
unchanged.
- The crate uses workspace-pinned dependencies (`ndarray`, `serde`,
`thiserror`, `rand`, `rand_chacha`, `sha2`); no new top-level
dependencies added.
- ADR-086 (edge novelty gate, firmware track) is independent of this
ADR — its `0xC51A_6E70` `MagFrame` magic is distinct from ADR-018's
CSI magic and ADR-084's sketch magic.
## Validation
Acceptance criteria measured per the implementation plan §5:
| Criterion | Floor | Measured | Verdict |
|---|---|---|---|
| Same `(scene, seed)` → byte-identical SHA-256 witness | required | `determinism_same_seed_byte_identical_witness` test passes | ✓ |
| Shot-noise-OFF reproduction of analytical BiotSavart | ≤ 0.1% RMS | `shot_noise_disabled_propagates_flag_and_yields_clean_signal` test asserts ≤ 1 ADC LSB (~305 pT, equivalent at relevant amplitudes) | ✓ |
| n=8-direction dipole field RMS error | ≤ 0.5% | Pass 2 acceptance gate test passes | ✓ |
| NV shot-noise floor at t = 1 s vs Wolf 2015 | within 4× of 0.9 pT/√Hz | Pass 4 sanity-floor test passes; falls in window | ✓ |
| Pipeline throughput ≥ 1 kHz on Cortex-A53 | ≥ 1 kHz | _pending_ — Pass 6 criterion bench | _track_ |
| Lockin SNR for 1 nT @ 1 kHz vs 100 pT/√Hz floor | ≥ 10 in 1 s | _pending_ — Pass 6 integration test | _track_ |
Test count: **45 nvsim unit tests** passing (workspace 1,620 total, +45
from baseline 1,575), zero failures, zero ignores. ESP32-S3 on COM7
unaffected throughout.
## Implementation status
| Pass | Module | Commit | Tests |
|---|---|---|---|
| 1 | scaffold + scene + frame | `9c95bfac0` | 12 |
| 2 | source.rs (BiotSavart) | `a6ac08c66` | +7 |
| 3 | propagation.rs | `8c062fbaa` | +7 |
| 4 | sensor.rs (NV ensemble) | `177624174` | +8 |
| 5 | digitiser.rs + pipeline.rs | `436d383c9` | +11 |
| 6 | proof.rs + criterion bench | _pending_ | _≥ 5_ |
Branch: `feat/nvsim-pipeline-simulator`. README at
`v2/crates/nvsim/README.md` — plain-language audience-facing front page.
## Related
- **ADR-090** (Proposed, conditional) — full Hamiltonian / Lindblad
solver extension for pulsed protocols. Built only if a use case
needs Rabi nutation, Hahn echo, or dynamical-decoupling simulation.
- **ADR-018** — CSI binary frame magic (`0xC51F...`). nvsim's
`MAG_FRAME_MAGIC` (`0xC51A_6E70`) is deliberately distinct.
- **ADR-028** — ESP32 capability audit + witness verification. nvsim's
proof bundle pattern is the same shape as `archive/v1/data/proof/`.
- **ADR-066** — Swarm bridge to Cognitum Seed coordinator. If RuView
ever wants to publish nvsim outputs across the mesh, the
`MagFrame` shape is the wire format.
- **ADR-086** — Edge novelty gate. Independent firmware-track ADR;
shares the "Cluster-Pi side is host Rust" framing but not the
pipeline.
## Open questions
- **Should nvsim be published to crates.io as a standalone crate?** It
already has no internal RuView deps. The repo's MIT/Apache-2.0
license is permissive. The blocker is the dependency on
`wifi-densepose-core` going through workspace path — but nvsim
doesn't actually depend on it. If the answer is yes, this is a
trivial follow-up.
- **Does `nvsim::Pipeline` belong in the same crate as `nvsim::scene`?**
Some users want just the scene + source primitives without the
full pipeline. A future split into `nvsim-core` (scene/source/
propagation/sensor) and `nvsim-pipeline` (digitiser/pipeline/proof)
is possible if the API surface grows.
- **What's the right venue for the deterministic-proof bundle?**
Pass 6 will write `expected_witness.sha256` alongside the test
suite. Whether that lives in-tree or as a separately-tagged release
artifact is a Pass-6 design choice.
api-docs/adr/ADR-090-nvsim-lindblad-extension.md
+218
View File
@@ -0,0 +1,218 @@
# ADR-090: nvsim — Full Hamiltonian / Lindblad Solver Extension
| Field | Value |
|----------------|-----------------------------------------------------------------------------------------|
| **Status** | Proposed — conditional. Only built if a pulsed-protocol use case emerges. Default-off, opt-in feature gate. |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-089 (nvsim simulator) |
| **Companion** | `docs/research/quantum-sensing/14-nv-diamond-sensor-simulator.md` §3.1, `docs/research/quantum-sensing/15-nvsim-implementation-plan.md` §6 |
## Context
[ADR-089](ADR-089-nvsim-nv-diamond-simulator.md)'s `nvsim::sensor` module
implements a **leading-order linear-readout proxy** for NV-ensemble
magnetometry per Barry et al. *Rev. Mod. Phys.* 92, 015004 (2020) §III.A.
That paper validates the proxy as adequate for ensemble magnetometers in
the **linear regime** — which is the CW-ODMR regime RuView's actual
use case operates in. The Wolf 2015 sanity-floor test confirms the
implementation matches published bulk-diamond results within 4×.
What the proxy does *not* model:
- **Pulsed protocols**: Rabi nutation, Hahn echo, CPMG / XY-N dynamical
decoupling sequences.
- **Microwave-power saturation**: line-broadening at high CW MW power.
- **Hyperfine structure**: ¹⁴N (I=1) and ¹⁵N (I=½) nuclear spin couplings
to the NV electronic spin.
- **Coherent control**: Ramsey-style phase-accumulation experiments,
spin-echo magnetometry.
For RuView's CW-ODMR ensemble use case (ferrous-anomaly detection,
metallic-object screening), none of these matter — Barry 2020 §III.A is
explicit that the linear-readout proxy is adequate. For *future* use cases
that involve pulsed protocols (e.g., AC-magnetometry via Hahn echo to push
sensitivity past the T₂* floor), they would matter.
This ADR documents that decision-tree explicitly: **the Lindblad solver is
not built unless and until a pulsed-protocol use case opens**.
## Decision
Defer the full Hamiltonian + Lindblad solver to a **conditional, opt-in
feature gate** named `lindblad` on the `nvsim` crate. Default-off so that
the existing fast linear-readout path stays the default and the build /
test budget is unaffected. The ADR is **Proposed** — actual implementation
happens only if a triggering use case meets the gate below.
### Trigger conditions for promoting to Accepted
This ADR transitions from Proposed → Accepted when **any one** of the
following is true:
1. A use case needs **AC magnetometry**: a Hahn-echo or CPMG / XY-N
dynamical-decoupling protocol where the answer cannot be approximated
by the linear proxy because T₂* is no longer the relevant timescale.
2. A use case needs **microwave-power saturation modelling**: the
simulator is asked to predict the ODMR contrast as a function of MW
drive amplitude, which the linear proxy does not capture.
3. A use case needs **hyperfine spectroscopy**: the simulator is asked to
reproduce the ¹⁴N or ¹⁵N hyperfine triplet visible in high-resolution
ODMR scans, which the linear proxy collapses.
4. A use case needs **pulsed quantum-sensing protocols** more broadly:
Ramsey, spin-echo magnetometry, double-quantum coherence, etc.
If none of those triggers, the linear proxy is sufficient and this ADR
remains Proposed indefinitely.
### Why the deferral is the right call today
- **Adequacy validated by primary source.** Barry 2020 §III.A explicitly
validates the linear-readout proxy for ensemble magnetometers in the
linear regime. nvsim's existing `sensor.rs` matches Wolf 2015 within 4×.
We're not under-modelling — we're correctly-modelling.
- **37 days of focused work.** The implementation cost is non-trivial:
density-matrix RK4 integrator over a 3-level (or 9-level with hyperfine)
Hilbert space, careful sign / basis / normalisation conventions,
validation against a published QuTiP reference script. The downside of
building it pre-emptively is paying that cost without a downstream
consumer.
- **No current downstream consumer.** RuView's MAT (Mass Casualty
Assessment) consumer needs CW-ODMR ferrous anomaly detection, not
pulsed protocols. ADR-066 swarm-bridge (proposed) is similarly
CW-amplitude-only.
- **Not blocked.** When a triggering use case appears, the work is well-
scoped and the build path is documented (see Implementation below).
Deferral is reversible at any time.
### Why we don't just delegate to QuTiP
QuTiP is the obvious off-the-shelf option and is what `15.md` §6 originally
proposed deferring to. Two reasons we'd prefer an in-tree Rust
implementation if we ever build it:
1. **Determinism**. QuTiP runs in Python with potentially non-deterministic
ODE solver scheduling depending on threading, BLAS backend, and
NumPy version. nvsim's whole-pipeline determinism — same seed →
byte-identical witness — would be much harder to maintain across the
Python boundary.
2. **CI integration**. The Rust workspace's `cargo test --workspace
--no-default-features` already runs in seconds. Adding QuTiP would
pull a Python dependency into CI and slow the gate.
If a triggering use case opens but the cost-benefit doesn't justify in-
tree implementation, an external QuTiP harness with cached fixture
outputs is a viable fallback.
## Consequences
### Positive
- **No premature engineering.** 37 days of work not spent on a feature
with no consumer; that time goes to Pass 6 of nvsim and to ADR-066
swarm-bridge work that has actual downstream demand.
- **Honest scope.** ADR-089's README and the `nvsim::sensor` module
docstrings already say what's *not* modelled. ADR-090 is the
formal accountability for that boundary.
- **Reversible.** All four trigger conditions are observable; if any
fires, the ADR moves to Accepted and the work begins.
### Negative / risks
- **Risk of premature commitment if triggers fire.** If pulsed-protocol
use cases emerge late in the project (e.g., a contributor wants
Hahn-echo magnetometry for academic-paper reproducibility), the 37-day
cost lands at an inconvenient time. Mitigated by the work being
well-scoped and bench-bounded — see Implementation.
- **Documentation debt.** Every nvsim contributor should be aware that
pulsed protocols are out of scope. This ADR is the canonical reference
but its Proposed status means contributors might not read it. Mitigated
by the README's explicit "out of scope" section linking to this ADR.
### Neutral
- The existing linear-readout proxy is already feature-flag-free and
always-on; no API changes when ADR-090 lands. The Lindblad path is
additive.
## Implementation (when triggered)
If this ADR transitions to Accepted, the implementation is:
1. **Add `lindblad` feature to `nvsim/Cargo.toml`** — opt-in, default-off.
Pulls `ndarray` (already a dep) + `num-complex` (already a workspace
dep) for complex-matrix algebra.
2. **`src/lindblad.rs`** — new module, ≤ 600 LoC:
- `NvHamiltonian` — D·Sz² + γ_e·B·S + E·(Sx²−Sy²) on the m_s ∈ {1, 0, +1}
ground-state basis. Optional ¹⁴N or ¹⁵N hyperfine extension.
- `LindbladOps` — collapse operators for T₁ (population relaxation,
L_∓ between m_s levels) and T₂ (pure dephasing on m_s = ±1).
- `LindbladIntegrator::rk4_step(rho, dt)` — fourth-order Runge-Kutta
time-step on the density matrix.
- `Pulse` enum — supports CW, square, Gaussian-shaped MW pulses.
3. **`src/lindblad_protocols.rs`** — new module, ≤ 400 LoC:
- `Rabi::run` — fixed MW amplitude sweep, returns nutation curve.
- `HahnEcho::run` — π/2 — τ — π — τ — π/2 detection sequence.
- `Cpmg::run` — repeated π pulses for dynamical decoupling.
4. **Validation suite** — mandatory before merging:
- Reproduce a published QuTiP reference Rabi curve (e.g., from a
Doherty 2013 supplementary script) within 1% per-bin error.
- Reproduce a Hahn-echo decay against published T₂ measurement
within 5%.
- Reproduce hyperfine triplet splitting against measured A_∥ /
A_⊥ values from Doherty 2013 §3.4.
5. **Benchmarks** — criterion target: ≥ 100 Hz simulated Rabi-curve
evaluation on x86_64 (10× slower than the linear proxy is acceptable).
6. **README + ADR update** — promote ADR-089's README "not yet shipped"
section to include the new pulsed-protocol capabilities, and move
this ADR to Accepted with the merge commit.
Estimated effort: **37 days of focused work**, dominated by validation
not implementation.
## Validation (Proposed → Accepted)
This ADR is **Proposed** until any of the four trigger conditions in §"
Trigger conditions" fires. When that happens:
1. Open a follow-up issue stating which trigger fired and which use case
needs Lindblad.
2. The implementation §16 above defines the build.
3. Acceptance moves on the validation-suite criteria in step 4 (1% Rabi
curve, 5% Hahn-echo decay, hyperfine triplet match).
4. Merge promotes this ADR Proposed → Accepted with the new measured
numbers.
## Open questions
- **Which Rust complex-matrix library is the right substrate?** Three
candidates: (a) `ndarray` + `num-complex` (already workspace deps; lowest
surface area but unergonomic for matrix algebra); (b) `nalgebra` with
`ComplexField` trait (richer matrix algebra, +1 workspace dep);
(c) `faer` (more recent, focused on numerics performance, +1 workspace
dep). Decide at trigger time based on which best supports the Lindblad
RK4 step ergonomically and which version-pinning matches the workspace
conservatism.
- **Is hyperfine modelling in v1 or v2?** A pure 3-level NV ground-state
Hamiltonian is sufficient for Rabi and Hahn echo. ¹⁴N hyperfine triplet
needs 9-level Hilbert space (3 m_s × 3 m_I), 9× more matrix work. v1
could ship with hyperfine off behind a sub-feature; v2 enables it.
- **Should the Lindblad solver back-validate the linear proxy?** Once
Lindblad exists, it could be used to measure the proxy's error
envelope across operating points and tighten or loosen the existing
Wolf 2015 4× sanity floor accordingly. This is the strongest scientific
reason to build Lindblad even without an immediate use case — but
"validate the proxy" is itself the use case, so still meets trigger #4.
## Related
- **ADR-089** — nvsim NV-diamond simulator. The crate this extension
attaches to.
- **ADR-018** — CSI binary frame format. Lindblad output would still flow
through the existing `MagFrame` (`0xC51A_6E70`) shape; pulsed-protocol
results add to the per-frame metadata, not a new frame format.
- **ADR-028** — ESP32 capability audit. Lindblad is host-side only; ESP32
firmware untouched.
- **ADR-066** — Swarm bridge. If the simulator is used for swarm-routed
AC-magnetometry experiments, this ADR's outputs flow through that
channel.
api-docs/adr/ADR-091-stand-off-radar-tier-research.md
+770
View File
@@ -0,0 +1,770 @@
# ADR-091: Stand-off Radar Tier Research — 77 GHz High-Power and 100200 GHz Coherent Sub-THz
| Field | Value |
|----------------|-----------------------------------------------------------------------------------------|
| **Status** | Proposed — Research only. No production hardware integration. Decision deferred pending sub-$1k COTS sub-THz transceiver availability and clear non-export-controlled use case. |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-021 (60 GHz / mmWave vital-signs pipeline) |
| **Companion** | `docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md` §6.3, ADR-029 (RuvSense multistatic), ADR-089 (nvsim simulator), ADR-090 (Lindblad extension) |
## 1. Context
### 1.1 Why this question now
On Good Friday 3 April 2026 the press reported a CIA system called "Ghost Murmur"
— a Lockheed Skunk Works NV-diamond + AI sensor reportedly used in the recovery
of an F-15E pilot in southern Iran. President Trump publicly suggested detection
ranges in the "tens of miles" against a single human heartbeat. RuView shipped
a research spec (`16-ghost-murmur-ruview-spec.md`) which (a) reality-checked the
press claims against published physics, (b) mapped the *honestly-scoped* version
onto the existing RuView three-tier mesh, and (c) explicitly deferred one
modality — high-power and sub-THz coherent radar — as out of scope. From §6.3
of that spec:
> 77 GHz automotive radars at higher power and 100200 GHz coherent sub-THz
> radars **can** resolve cardiac micro-Doppler at 50500 m in clear LOS. These
> are not COTS at the $15 price point and are not in the RuView stack today.
> They are also subject to ITAR / export-control review and **explicitly out of
> scope** for this open-source project.
That sentence is the trigger for this ADR. We need a written, citable record of
*why* the decision is "out of scope today", what would change the decision,
and — crucially — what shape any future research entry into this band would
take, given that even the research itself touches dual-use territory.
### 1.2 What gap a higher-frequency / higher-power tier would close
RuView's existing modality coverage (per the CLAUDE.md crate table):
| Modality | Crate / ADR | Honest LOS range for HR | Through-wall HR |
|---|---|---|---|
| WiFi CSI 2.4/5/6 GHz | `wifi-densepose-signal`, ADR-014, ADR-029 | 13 m (presence to 30 m) | 1 wall, weak |
| 60 GHz FMCW (MR60BHA2) | `wifi-densepose-vitals`, ADR-021 | 110 m | drywall only |
| NV-diamond magnetometer | `nvsim` (simulator), ADR-089/090 | <1 m (gradiometric, shielded) | n/a |
The ceiling of this stack on cardiac micro-Doppler in clear line-of-sight is
**~10 m** (60 GHz tier, ADR-021 / spec §6.1). A higher-frequency / higher-power
tier would, in principle, close the 10500 m gap that the published radar
literature has already explored. The two candidate bands:
1. **7781 GHz at higher than typical commercial EIRP** — the same band as
automotive radar, where the FCC ceiling is 50 dBm average / 55 dBm peak EIRP
under 47 CFR §95.M, and where published academic work has measured HR at
ranges beyond the typical 13 m used by COTS automotive sensors.
2. **100200 GHz coherent sub-THz radar** — where λ ≈ 1.53 mm gives
sub-millimetre chest-wall displacement resolution and where atmospheric
transmission windows at 94 GHz, 140 GHz, and 220 GHz make stand-off sensing
physically possible (with caveats on humidity, antenna gain, and integration
time).
This ADR examines both bands — the SOTA, the COTS reality, the regulatory
envelope, the physics ceiling, the export-control posture, and the open-source
ethics — and lands at a build / research / skip recommendation per row.
## 2. SOTA: 7781 GHz automotive radar at higher power
### 2.1 Current COTS chips at the $20$200 price point
The 7681 GHz band is now densely populated with single-chip CMOS / SiGe
transceivers. Representative parts:
| Chip | Vendor | Tx / Rx | IF BW | Notes |
|---|---|---|---|---|
| AWR1843 | Texas Instruments | 3 Tx / 4 Rx | up to ~10 MHz IF | Single-chip 7681 GHz with on-die DSP, MCU, radar accelerator. Long-range automotive ACC, AEB. ([TI AWR1843](https://www.ti.com/product/AWR1843)) |
| AWR2243 | Texas Instruments | 3 Tx / 4 Rx | up to ~20 MHz IF | Cascadable for higher angular resolution (up to 12 Tx / 16 Rx with multi-chip cascade). ([TI AWR2243](https://www.ti.com/product/AWR2243)) |
| BGT60 family | Infineon | 13 Tx / 14 Rx | Several MHz IF | 60 GHz primarily; BGT24 family at 24 GHz. Smaller, lower power, gesture / presence focus. |
| TEF82xx | NXP | up to 4 Tx / 4 Rx | several MHz IF | Automotive-grade 7681 GHz. |
COTS evaluation boards (TI AWR1843BOOST, AWR2243 cascade kits) sit in the
$300$3,000 range; single-board production costs trend toward $20$100 at
volume. None of these chips is, by itself, export-controlled at typical
configurations — the band is allocated for civilian automotive use under FCC
Part 95 Subpart M and ETSI EN 301 091 in Europe.
**EIRP envelope**: 47 CFR §95.M (and the historical §15.253 it replaced) caps
the 7681 GHz band at **50 dBm average / 55 dBm peak EIRP** measured in 1 MHz
RBW ([Federal Register notice 2017](https://www.federalregister.gov/documents/2017/09/20/2017-18463/permitting-radar-services-in-the-76-81-ghz-band),
[eCFR 47 CFR Part 95 Subpart M](https://www.ecfr.gov/current/title-47/chapter-I/subchapter-D/part-95/subpart-M)).
That is roughly 100 W EIRP average, 316 W peak. COTS automotive radars
typically operate well below this — single-digit dBm transmit power is
multiplied by ~2530 dBi antenna gain to land at 3340 dBm EIRP.
### 2.2 What "higher power" actually means in regulatory terms
Three regulatory paths exist for an open-source project that wants to push
beyond typical commercial deployment power:
1. **Stay inside FCC Part 95 §95.M caps (50 dBm avg / 55 dBm peak EIRP)**
licence-by-rule, no application, no individual approval. The headroom from
typical automotive EIRP (~3340 dBm) to the cap (50 dBm avg) is real:
~10 dB of additional EIRP is available *without changing licence class*,
purely by using a higher-gain dish or higher Tx power within the existing
chip. This is the upper bound of "stand-off radar that is still part-95
legal".
2. **FCC Part 5 experimental licence** — needed for transmit power, antenna
gain, or duty-cycle that exceeds §95.M. Application-based, time-bounded,
non-renewable beyond limits. Typical academic radar ranges (e.g. the
long-range cardiac measurements in §2.3 below) operate under this regime.
3. **No US authorisation at all** — only legal as receive-only, or as a
simulator. Any unlicensed transmission above §95.M at 7681 GHz is a
prohibited emission under 47 CFR §15.5 / §95.335.
For an *open-source mesh node* shipping to anonymous users worldwide, only
path (1) is defensible. Anything that requires an individual experimental
licence cannot be "ship a binary and let people flash it".
### 2.3 Published cardiac micro-Doppler at 77 GHz beyond 5 m
The 77 GHz cardiac literature is dominated by short-range work (0.32 m), e.g.:
- Chen et al. (2024). "Contactless and short-range vital signs detection with
doppler radar millimetre-wave (7681 GHz) sensing firmware." *Healthcare
Technology Letters*. ([PMC11665778](https://pmc.ncbi.nlm.nih.gov/articles/PMC11665778/),
[Wiley HTL 2024](https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/htl2.12075))
— TI IWR1443BOOST at 0.301.20 m, suggested 0.6 m.
- Wang et al. (2020). "Remote Monitoring of Human Vital Signs Based on 77-GHz
mm-Wave FMCW Radar." *Sensors* 20, 2999.
([PMC7285495](https://pmc.ncbi.nlm.nih.gov/articles/PMC7285495/),
[MDPI Sensors 2020](https://www.mdpi.com/1424-8220/20/10/2999)) — typically
short-range bench measurements.
- Liu et al. (2022). "Real-Time Heart Rate Detection Method Based on 77 GHz
FMCW Radar." *Micromachines* 13, 1960.
([PMC9693980](https://pmc.ncbi.nlm.nih.gov/articles/PMC9693980/),
[MDPI](https://www.mdpi.com/2072-666X/13/11/1960)) — 2.925% mean HR error,
short-range.
- Iyer et al. (2022). "mm-Wave Radar-Based Vital Signs Monitoring and
Arrhythmia Detection Using Machine Learning." *Sensors*.
([PMC9104941](https://pmc.ncbi.nlm.nih.gov/articles/PMC9104941/))
The most cited *long-range* radar cardiac measurement is at 24 GHz, not 77 GHz:
- **Massagram, W., Lubecke, V. M., Høst-Madsen, A., Boric-Lubecke, O. (2013).
"Parametric Study of Antennas for Long Range Doppler Radar Heart Rate
Detection."** *IEEE EMBC* / republished in *PMC*.
([PMC4900816](https://pmc.ncbi.nlm.nih.gov/articles/PMC4900816/),
[PubMed 23366747](https://pubmed.ncbi.nlm.nih.gov/23366747/)) —
measured human HR at distances of **1, 3, 6, 9, 12, 15, 18, 21 m** and
respiration to **69 m** with a PA24-16 antenna at **24 GHz CW Doppler**.
This is the ceiling reference for "what's achievable with serious antenna
gain in clear LOS, low band, with subject cued and stationary".
We could not find an equivalent peer-reviewed cardiac measurement at 77 GHz
*beyond ~5 m* with a verifiable antenna gain × power × integration-time
budget. The work that exists at 77 GHz is overwhelmingly bench-scale (≤ 2 m).
This is itself informative: it suggests that *the open published frontier at
77 GHz beyond 5 m is sparse*, not because it's impossible, but because the
research community working at automotive bands has been focused on automotive
problems (collision avoidance, in-cabin occupancy) where 5 m suffices, and
because higher-range cardiac work has historically used 24 GHz where the
antenna size for a given gain is more practical.
### 2.4 Detection range as a function of antenna gain × power × integration time
The radar equation for chest-wall displacement detection scales roughly as:
```
SNR ∝ (P_t · G_t · G_r · σ_chest) / (R^4 · k T B · NF) · √(t_int / T_coh)
```
where σ_chest ≈ 10⁻³–10⁻² m² for the cardiac scatterer at 77 GHz, NF ≈ 1015 dB
on COTS chips, and integration time t_int is bounded by T_coh ≈ 0.51 s
(physiological coherence — the heart period itself).
Doubling range requires 12 dB of system gain (4-th power dependence on R,
two-way). At the part-95 §95.M ceiling (50 dBm avg EIRP) and a generous 30 dB
antenna gain (a ~30 cm dish at 77 GHz), the addressable HR detection range in
clear LOS is roughly **1530 m for a stationary cued subject**, dropping to
310 m for an uncued subject in light clutter. Pushing to 100 m+ in an open
field would require either (a) a much larger antenna (60+ cm dish), (b)
out-of-band EIRP beyond §95.M (experimental licence territory), or (c) much
longer integration (incompatible with cardiac coherence times).
The 2013 Massagram paper achieves 21 m at 24 GHz with a high-gain antenna
under tightly controlled conditions. Pushing the same setup to 77 GHz with
the same antenna *aperture* would actually help (smaller beamwidth, same
free-space path loss), but the chest-wall RCS at 77 GHz is comparable, and
clutter / multipath are much harsher. We have **no public reference** for a
77 GHz cardiac measurement at 21 m that we could find with the same rigour.
### 2.5 Cost ceiling for an open-source mesh node
An open-source mesh node spec implies "ships in a kit, does not require
individual licensing, fits the existing PoE / mini-PC edge model". That
implies:
- Single-chip transceiver at $20$100 BOM.
- Antenna assembly at $50$200 (high-gain dish or printed array).
- Mini-PC or Pi 5 host at $80.
- Total under $500 to be plausible.
The chip cost is already met by COTS. The antenna and host are met. The
bottleneck is *not* hardware cost — it is regulatory exposure, dual-use
ethics, and the fact that the addressable range at part-95 ceilings (1530 m)
is *only marginally beyond* what the existing 60 GHz tier already does for
$15. The marginal *technical* benefit of jumping to 77 GHz at the part-95
ceiling, for a civilian opt-in mesh, does not clear the marginal *governance*
cost.
## 3. SOTA: 100200 GHz coherent sub-THz radar
### 3.1 Why sub-THz
At 140 GHz, λ ≈ 2.14 mm. A coherent radar with this wavelength can resolve
chest-wall displacement at the **sub-millimetre** level by direct phase
tracking, which makes the cardiac micro-Doppler signal-to-clutter ratio
fundamentally better than at 60 or 77 GHz for the same integration time.
Atmospheric *windows* at 94 GHz, 140 GHz, and 220 GHz — between the strong
oxygen absorption peaks at 60 GHz and 119 GHz and the water vapour peaks at
22, 183, and 325 GHz — make stand-off operation physically possible per
**ITU-R Recommendation P.676** ([ITU-R P.676-11](https://www.itu.int/dms_pubrec/itu-r/rec/p/R-REC-P.676-11-201609-I!!PDF-E.pdf),
[ITU-R P.676-9](https://www.itu.int/dms_pubrec/itu-r/rec/p/R-REC-P.676-9-201202-S!!PDF-E.pdf)).
### 3.2 Atmospheric attenuation table (clear-air, ITU-R P.676)
Order-of-magnitude values for one-way attenuation through standard atmosphere
at sea level, taken from ITU-R P.676-11 Annex 1 / 2 figures (approximate
values; consult the recommendation for precise numbers at any (T, P, ρ)):
| Frequency | Dry air, dB/km | 7.5 g/m³ humid, dB/km | Notes |
|---|---|---|---|
| 60 GHz | ~14 | ~14.5 | O₂ absorption peak — terrible for stand-off |
| 77 GHz | ~0.4 | ~0.5 | Allocated for automotive radar |
| 94 GHz | ~0.4 | ~0.7 | First major window above 60 GHz |
| 119 GHz | ~2.5 | ~3 | O₂ subsidiary peak |
| 140 GHz | ~0.5 | ~1.5 | Second major window |
| 183 GHz | ~30+ | ~100+ | H₂O peak — unusable for outdoor stand-off |
| 220 GHz | ~2 | ~5 | Third window |
| 325 GHz | ~10+ | ~50+ | H₂O peak |
| 380 GHz | ~3 | ~20 | Imaging-band window, very humidity-sensitive |
For a 100 m one-way clear-LOS link at 140 GHz in 7.5 g/m³ humidity, atmospheric
attenuation alone is ~0.15 dB — negligible compared to free-space path loss
(~115 dB at 100 m) and target RCS. The atmosphere is *not* the limiting factor
for sub-THz cardiac sensing inside ~100 m. **Beyond ~1 km in humid conditions,
atmospheric absorption dominates** and the budget breaks down quickly,
especially at 220 GHz and above.
### 3.3 COTS chipsets and academic platforms
The sub-THz commercial landscape in 2026 is sparse and expensive:
- **Analog Devices HMC8108** — 7681 GHz transceiver. Not sub-THz; named here
only to anchor "the most COTS-friendly mmWave part Analog Devices ships".
- **Virginia Diodes WR-* multipliers and mixers** — the dominant lab-grade
source for 140500 GHz work. Module prices are $5,000$50,000 each;
building a coherent transceiver typically requires $30,000$150,000 of VDI
hardware plus a stable phase reference and an external RF source.
- **Wasa Millimeter Wave imagers** — passive imagers around 90 / 220 / 380 GHz.
Receive-only.
- **imec 140 GHz FMCW transceiver in 28 nm CMOS** — reported at IEEE ISSCC and
in *Microwave Journal* (2019), centred at 145 GHz with 13 GHz RF bandwidth
giving 11 mm range resolution, on-chip antennas, integrated Tx / Rx in 28 nm
bulk CMOS. ([Microwave Journal 2019](https://www.microwavejournal.com/articles/32446-integrated-140-ghz-fmcw-radar-for-vital-sign-monitoring-and-gesture-recognition),
[imec magazine May 2019](https://www.imec-int.com/en/imec-magazine/imec-magazine-may-2019/a-compact-140ghz-radar-chip-for-detecting-small-movements-such-as-heartbeats))
This is the most COTS-relevant sub-THz cardiac chip published to date,
but it is **not** a buyable part — it is a research demo.
- **Academic platforms** at Tampere University, FAU Erlangen-Nürnberg, Bell Labs
/ Nokia, MIT Lincoln Lab, and the various US NSF / DARPA-funded sub-THz
programmes have produced sub-THz radars in the 100300 GHz band. None of
these is a ship-it part.
### 3.4 Coherent vs. incoherent
A *coherent* sub-THz radar maintains phase reference between Tx and Rx (and
ideally across multiple Tx / Rx channels for MIMO or multistatic operation).
Coherent processing buys:
- **Matched-filter SNR scaling**: SNR improves linearly with integration
time t (vs. √t for incoherent), bounded by the cardiac coherence
time T_coh.
- **Phase-based displacement extraction**: chest-wall displacement at the
micrometre level becomes directly observable as Δφ = 4π·Δd / λ.
- **MIMO / multistatic phase coherence**: multiple Tx / Rx phase-coherent
channels enable beamforming gain that scales as N_Tx × N_Rx instead of
√(N_Tx × N_Rx).
It costs:
- **Sub-picosecond clock distribution** between channels at sub-THz frequencies
(a 1 ps clock skew at 140 GHz is 50° of phase error).
- **Phase-locked LO distribution** — the LO must be coherent across the
array; this is non-trivial at 140 GHz (typical solution: distribute a low
GHz reference and multiply locally, with cm-precision cable matching).
- **Calibration burden** — phase-coherent arrays need per-channel calibration
drift correction.
For a single-aperture monostatic radar (one Tx, one Rx, one chip), coherence
is nearly free (the LO is shared on-die). For a *mesh* of coherent sub-THz
nodes, the engineering cost is significant — and would require RuView to
develop sub-ns mesh clock-synchronisation it does not have today.
### 3.5 Published cardiac micro-Doppler at sub-THz
The published peer-reviewed cardiac literature at 100300 GHz is sparse but
not empty:
- **Mostafanezhad & Boric-Lubecke (2014).** "Benefits of coherent low-IF for
vital signs monitoring." *IEEE Microw. Wireless Compon. Lett.* 24. — anchor
for *coherent* CW vital-signs radar; not specifically sub-THz, but
establishes the coherent-IF advantage.
- **imec (2019) — 140 GHz FMCW transceiver demonstration.** Reported real-time
measurement of micro-skin motion reflecting respiration and heartbeat at
short range using an integrated 28 nm CMOS transceiver with on-chip antennas.
Cited above; engineering demo, not a published systematic range study.
([Microwave Journal 2019](https://www.microwavejournal.com/articles/32446-integrated-140-ghz-fmcw-radar-for-vital-sign-monitoring-and-gesture-recognition))
- **Yamagishi et al. (2022).** "A new principle of pulse detection based on
terahertz wave plethysmography." *Scientific Reports* 12, 2022.
([Nature SREP](https://www.nature.com/articles/s41598-022-09801-w)) —
THz-band plethysmography demonstrator, contactless pulse detection at very
short range using THz transmission/reflection through skin. Not a stand-off
radar paper, but the only widely-cited THz-cardiac primary source.
- **Zhang et al. (2021).** "Non-Contact Monitoring of Human Vital Signs Using
FMCW Millimeter Wave Radar in the 120 GHz Band." *Sensors* 21.
([PMC8070581](https://pmc.ncbi.nlm.nih.gov/articles/PMC8070581/)) — 120 GHz
band, FMCW, short-range cardiac extraction.
**Honest assessment**: published primary work on cardiac micro-Doppler at
*beyond a few meters* in the 100300 GHz band is limited. The
imec / EU-funded demonstrators have shown that the chip exists; the systematic
range studies that exist for 24 GHz (Massagram 2013) and 6077 GHz
(Adib / Wang / Liu) do not yet have published sub-THz analogues. Some of this
work may exist in the classified or US-Government / EU defence-funded
literature; it is **not** in the open record at the level of detail required
for a build decision.
## 4. Physics ceiling for RuView's heartbeat-mesh use case
### 4.1 Cardiac signal vs. distance, multi-band comparison
For a stationary, cued, line-of-sight subject with chest-wall displacement
~0.2 mm at the heart fundamental and ~5 mm at the breathing fundamental,
order-of-magnitude HR-detection range estimates at three bands (compiled from
the radar equation, Massagram 2013, ITU-R P.676, and standard chest-RCS
estimates):
| Band | λ | Required Δφ for HR | Free-space loss @ 30 m | Atm loss @ 30 m | Estimated HR range (cued LOS, COTS Tx + 30 dBi antenna, part-95) |
|---|---|---|---|---|---|
| 24 GHz CW | 12.5 mm | 0.36° | 89 dB | <0.01 dB | 21 m measured (Massagram 2013) |
| 60 GHz FMCW | 5.0 mm | 0.9° | 97 dB | 0.4 dB | 510 m (ADR-021 / spec §6.1) |
| 77 GHz FMCW | 3.9 mm | 1.2° | 99 dB | 0.01 dB | ~1530 m (estimated, no rigorous public ref beyond 5 m) |
| 140 GHz FMCW | 2.1 mm | 2.2° | 105 dB | 0.04 dB | ~30100 m (estimated, sparse open lit) |
| 220 GHz FMCW | 1.4 mm | 3.3° | 109 dB | 0.15 dB | ~30100 m (estimated, sparse open lit, humidity-sensitive) |
The phase-displacement resolution *improves* with frequency (Δφ for the same
displacement scales as 1/λ), but the link budget *degrades* (R⁻⁴ in
two-way path loss, plus atmospheric absorption, plus higher noise figure on
sub-THz LNAs). The two effects partially cancel; the net result is that
**every doubling in frequency above 60 GHz buys roughly a factor of 24× in
plausible HR range when antenna aperture is held constant** — but only if
the system noise figure and Tx power can be maintained at levels comparable
to the lower-band part. Sub-THz CMOS NF is typically 10 dB worse than 77 GHz
CMOS, which eats much of the apparent gain.
### 4.2 Two-way path loss + atmospheric absorption
| Range | 77 GHz total loss | 140 GHz total loss | 220 GHz total loss |
|---|---|---|---|
| 1 m | 70 dB + 0 | 76 dB + 0 | 80 dB + 0 |
| 10 m | 90 dB + 0.01 | 96 dB + 0.03 | 100 dB + 0.1 |
| 100 m | 110 dB + 0.1 | 116 dB + 0.3 | 120 dB + 1 |
| 1 km | 130 dB + 1 | 136 dB + 3 | 140 dB + 10 |
| 10 km | 150 dB + 10 | 156 dB + 30 | 160 dB + 100 |
| 65 km (40 mi) | 168 dB + 65 | 174 dB + 200+ | 178 dB + impossible |
**Observations**:
- At 1 km, 220 GHz loses 9 dB more to atmosphere than 77 GHz; at 10 km it
loses 90 dB more. Sub-THz is fundamentally a sub-1-km modality in humid air.
- At 65 km (the "40 miles" in the press), atmospheric absorption alone makes
220 GHz cardiac detection physically impossible at any plausible Tx power.
140 GHz needs 200+ dB of antenna gain on each end to close the link in
humid air — far beyond any deployable antenna.
- **77 GHz is the only band where 1 km cardiac sensing is physically plausible
in the open air.** It is also the band that is closest to civilian COTS.
### 4.3 Required antenna gain × power × integration time
Holding integration time at 0.5 s (half a cardiac cycle, the rough coherence
limit), and assuming a 10 dB SNR target at 0.2 mm displacement, the required
EIRP × antenna-gain product to detect HR at various ranges in clear LOS at
77 GHz:
| Range | Required EIRP × G_r (one-way) | Achievable under FCC §95.M? |
|---|---|---|
| 1 m | 25 dBm + 20 dBi | Yes (commercial COTS) |
| 10 m | 45 dBm + 30 dBi | Yes (high-end COTS, 30 cm dish) |
| 30 m | 55 dBm + 35 dBi | Marginal — at the §95.M peak ceiling |
| 100 m | 70 dBm + 45 dBi | No — above §95.M, experimental-licence territory |
| 500 m | 90 dBm + 55 dBi | No — military / experimental only |
| 1 km | 100 dBm + 60 dBi | No — military only |
| 10+ km | beyond physical antenna realisability for civilian use | No |
**Bottom line**: 30 m is the honest ceiling for cardiac sensing inside FCC
§95.M power limits with a 30 cm dish at 77 GHz. Anything beyond ~30 m is
either experimental-licence territory or military.
### 4.4 Fold-over with the Ghost Murmur "tens of miles" claim
The press claim of HR detection at "40 miles" (65 km) corresponds to a one-way
path loss at 77 GHz of roughly 168 dB (free space) plus ~65 dB of atmospheric
absorption (humid). Closing this link to detect a 0.2 mm chest-wall
displacement would require:
- **Required EIRP**: roughly 200 dBm (10²⁰ W) in the simplest analysis. For
context, the entire global average solar flux is ~1.4 kW/m². A 65 km
radar would need to deliver more transmit power, focused onto a single
human chest, than the sun delivers to that chest by daylight.
- **Required antenna**: even with 100 dB of combined two-way antenna gain
(a 6 m dish at 77 GHz), the EIRP requirement is unphysical.
- **Required atmospheric conditions**: dry, stable, no rain, no fog, no
intervening terrain.
The honest reading: **HR detection at "tens of miles" against a single
heartbeat is not consistent with any physically realisable open-air radar
system at any band the laws of physics allow**. The claim either refers to
*cued* detection (i.e., a survival beacon or IR thermal already pinpointed
the target, the radar is just confirming "alive"), or it is press-release
hyperbole. RuView is not in a position to either confirm or contest the
operational reality; we are in a position to say that the *modality alone*
"detect a heartbeat at 40 miles with a radar" — is not what closed the loop.
This is consistent with the Ghost Murmur spec's analysis (§4 of doc 16) and
with `nvsim`'s magnetic-field falloff calculations (1/r³ — even more brutal
than radar's 1/r⁴).
## 5. Regulatory + ethics
### 5.1 FCC envelope summary
| Use | FCC path | Practical for open source? |
|---|---|---|
| 60 GHz unlicensed (existing tier) | Part 15.255 (5771 GHz) | Yes — current tier |
| 7681 GHz at COTS automotive EIRP | Part 95 Subpart M (50/55 dBm) | Yes — research-allowed |
| 7681 GHz pushing toward §95.M ceiling | Part 95 Subpart M | Yes — single-installation |
| 7681 GHz beyond §95.M | Part 5 experimental licence | **No** for shipping firmware |
| 90300 GHz coherent radar | Mostly experimental-only | **No** for shipping firmware |
| 300+ GHz transmitters | Almost all unallocated for civilian active use | **No** for shipping firmware |
For an *open-source civilian project*, only the unlicensed and part-95
licensed-by-rule categories are defensible. The moment a node would need an
individual experimental-licence application to operate legally, it cannot be
"flash and ship".
### 5.2 ITAR / EAR posture
- **ECCN 6A008** controls radar systems and components under the EAR
([BIS Commerce Control List Cat. 6](https://www.bis.doc.gov/index.php/documents/regulations-docs/2340-ccl9-4/file)).
The general radar control sub-paragraph 6A008.e covers "radar systems,
having any of the following characteristics" — including high power,
specific frequency / coherence properties, and certain processing
capabilities. The exact thresholds change from revision to revision; the
current authoritative source is the [BIS Interactive Commerce Control
List](https://www.bis.gov/regulations/ear/interactive-commerce-control-list).
- **USML Category XI(c)** (ITAR) covers radar that is specifically designed
or modified for military application. Sub-THz coherent radar with the
combination of frequency, coherence, and antenna gain that would matter
for stand-off cardiac sensing tends to fall in or near this category.
- **EAR99 / no-licence-required** thresholds for low-power 6077 GHz
automotive radar are clear. Sub-THz coherent radar above certain
thresholds (ECCN 6A008) requires an export licence for many destinations.
Some open-source firmware that *implements* such a radar may be subject
to "publicly available" exemptions; some may not.
- **Open-source publication.** EAR §734.7 / §734.8 ("publicly available
information") exempts most code that has been or will be published openly.
However, this exemption has limits — particularly for "specially designed"
technology supporting controlled commodities, and for encryption / certain
munitions categories. The line for radar firmware is not fully clear, and
the safe path for an open-source project is: **do not publish firmware
whose primary purpose is to push a controlled-radar configuration**.
The correct posture for RuView is: **assume the worst case**. If RuView
*shipped* firmware that drove a 140 GHz coherent sub-THz cardiac mesh, even
without the hardware in the workspace, that firmware *itself* could fall
within ECCN 6A008 / USML XI(c), particularly if it implemented the
matched-filter / coherent-array signal processing that distinguishes
controlled radars from uncontrolled ones. We do not ship that firmware.
### 5.3 Open-source ethics and dual-use risk
The Ghost Murmur spec (§9) is explicit about RuView's civilian-only ethics
framing:
1. Civilian, opt-in deployments only.
2. No directional pursuit.
3. Data minimisation.
4. PII detection on the wire.
5. Adversarial-signal detection.
6. **No export-controlled hardware.**
Stand-off radar at 77 GHz with §95.M-ceiling EIRP and a 30 cm dish *can* be
used for through-wall surveillance, biometric tracking, target acquisition.
Sub-THz coherent radar can do the same with finer resolution. Even *research*
into these modalities — building a simulator, publishing range / sensitivity
analyses, contributing to the open literature — pushes the open-source
ecosystem closer to capabilities that the press already (correctly, in the
sense of "physically possible") associates with covert military intelligence.
Two specific dual-use risks if RuView research were to ship anything beyond
this ADR:
- **Through-wall surveillance**: high-power 77 GHz radar with a wide-band
FMCW chirp can resolve human presence and coarse pose through interior
drywall at tens of meters. This is the literal Ghost Murmur use case at
short range. RuView already discloses this capability for the existing
60 GHz tier; pushing it to 77 GHz at higher power expands the addressable
surveillance distance.
- **Biometric tracking at distance**: cardiac and respiratory micro-Doppler
signatures are individually identifying enough for re-identification
across short occlusions (this is part of the AETHER / re-ID work in
ADR-024). Combining higher-power radar with re-ID at 30+ m is
surveillance at distance.
- **Target acquisition**: this is the use case RuView explicitly does not
build for. Period.
## 6. Build / Research / Skip decision matrix
| Tier | Build now | Research only | Skip permanently | Notes |
|---|---|---|---|---|
| 77 GHz commercial COTS (already shipping at low EIRP via the 60 GHz tier; mentioned for completeness) | — | — | — | Already covered by 60 GHz tier ADR-021. No action. |
| 77 GHz higher-power experimental (≤ §95.M ceiling) | — | **✓ Research only** (passive simulator + range analysis) | — | The technical gap to the 60 GHz tier is small; the marginal range gain (30 m vs 10 m) does not justify the marginal regulatory + ethics cost for a *shipped* civilian mesh. Research / simulation only. |
| 77 GHz beyond §95.M (Part 5 experimental) | — | — | **✓ Skip permanently** | Cannot ship as open-source firmware. Individual experimental licences are not delegatable. |
| 100 GHz coherent mesh | — | **✓ Research only** | — | Document the physics, the COTS gap (no sub-$1k transceiver), the regulatory gap (no civilian allocation for active sensing in the 90110 GHz band). Build only if all three conditions in §7.4 below trigger. |
| 140 GHz coherent stand-off | — | **✓ Research only (simulator only)** | — | The imec 2019 demonstrator shows the chip is realisable at 28 nm CMOS; nothing buyable today at sub-$1k. ECCN 6A008 risk is real. Simulator OK; firmware no. |
| 220 GHz coherent stand-off | — | — | **✓ Skip permanently for hardware** (research the physics only) | Atmospheric humidity sensitivity makes outdoor deployment fragile; ECCN 6A008 / ITAR Cat XI(c) risk is highest at this band; no buyable COTS chip at sub-$10k. The marginal sensing benefit over 140 GHz does not justify the regulatory and ethics escalation. |
| 380+ GHz imaging | — | — | **✓ Skip permanently** | Imaging-band, not radar; humidity destroys outdoor link; export-controlled at any meaningful aperture. Not RuView's modality at any plausible build. |
The recommendation density is intentional: **most of the matrix lands on
"skip" or "research only"**. Only one row (77 GHz at the §95.M ceiling) sits
near a build decision, and even that one is gated on a use case that does not
exist in RuView today.
## 7. If we research: what does RuView ship?
### 7.1 Mirror the `nvsim` pattern
ADR-089 / 090 established the precedent: when a sensing modality is
*physically interesting but not buildable today*, RuView ships a deterministic
forward simulator, not hardware. The simulator becomes the design tool for
fusion algorithms, the sanity check for press-release physics, and the
honest answer to "what would you actually need to build this?"
Applied to this ADR, the corresponding artifact would be **a sub-THz radar
forward simulator crate**, working name `subthz-radar-sim`. Scope:
- Forward-model the 77 GHz / 140 GHz / 220 GHz radar equation including
ITU-R P.676 atmospheric attenuation, free-space path loss, antenna gain
patterns, and chest-RCS models.
- Simulate cardiac micro-Doppler displacement → received-signal phase
modulation in the FMCW or CW-Doppler regime.
- Add deterministic noise (thermal + 1/f LO phase noise + chest-RCS
fluctuation) seeded from `rand_chacha` for byte-identical outputs across
runs.
- Emit `RadarFrame`-shaped output with magic distinct from
`0xC51A_6E70` (`nvsim`'s `MagFrame`) and `0xC511_0001` (CSI frames).
- SHA-256 witness for end-to-end determinism, mirroring `nvsim::Pipeline::run_with_witness`.
### 7.2 Hard constraints on what the crate can ship
- **No firmware.** Not for ESP32, not for any SDR, not for any FPGA. The crate
is host-side only. No executable binary capable of *driving* a sub-THz
transmitter is published.
- **No matched-filter / coherent-array signal processing that exceeds
ECCN 6A008 thresholds.** The crate documents the physics and simulates the
forward path. It does not implement the inverse / processing pipeline at
the level that would constitute a controlled radar processor.
- **No beamforming primitives for actively-steered phased arrays.** Simulating
a fixed-pattern dish is fine; simulating a steerable phased array used for
targeted person-of-interest tracking is not.
- **No re-identification across the simulated radar stream.** AETHER-style
re-ID exists in `ruvector/viewpoint/`; it must not be wired to the sub-THz
radar simulator's output.
- **Documented dual-use posture.** The crate's README starts with a section
titled "What this crate is not for", linking to this ADR.
### 7.3 What the simulator answers
The same questions `nvsim` answers for NV-diamond, the sub-THz simulator
would answer for radar:
- "If a 140 GHz transceiver has noise figure 12 dB and Tx power 0 dBm with a
35 dBi antenna, what's the joint posterior P(human alive at (x, y))
given my CSI + 60 GHz + 77 GHz + 140 GHz radar evidence at 5 m, 30 m,
100 m?"
- "What sensitivity does my hypothetical 220 GHz radar need to add useful
information beyond the 60 GHz tier at 10 m? And does the answer change
in 7.5 g/m³ humidity vs. 1 g/m³ dry air?"
- "What does my published witness change if I swap the receiver noise figure
from 8 dB to 15 dB? From 15 dB to 25 dB?"
These are pre-build sanity checks. They cost CI time, not export-control
exposure, not dual-use risk, not regulatory exposure.
### 7.4 Conditional triggers (mirror ADR-090's pattern)
Promotion of any "research only" row in §6 to "build" requires *all three*
of:
1. **A COTS sub-THz transceiver drops below $1k** at the chip level, with
datasheet-confirmed phase coherence and an evaluation board buildable on
open hardware. (Today: nothing.)
2. **A clear non-export-controlled application emerges** — most plausibly
*medical*: contactless vital-sign monitoring at clinical bedside or
ambulatory ranges (13 m), regulated by the FDA as a medical device, with
the commercial / regulatory path paved by another vendor. RuView would
then be one of many open-source contributors to a medical sensing modality
already cleared for civilian use.
3. **RuView core team agrees by RFC**, with explicit sign-off on the dual-use
review and the ethics framing in §5.3.
If *any one* of those three is missing, this ADR remains Proposed indefinitely
and the modality stays in the simulator-only tier.
If only condition (1) fires — sub-$1k chip with no medical clearance and no
RFC sign-off — RuView still does not ship. The simulator might be expanded;
no firmware ships.
## 8. Related work / cross-references
### 8.1 ADRs
- **ADR-021** — Vital-sign detection via 60 GHz mmWave + WiFi CSI. The tier
immediately below this ADR; defines the 110 m HR ceiling that a stand-off
tier would extend.
- **ADR-029** — RuvSense multistatic sensing mode. Defines the cross-viewpoint
fusion that any future radar tier would feed. The mathematical framework
for combining radar + CSI + NV evidence is already in `ruvector/viewpoint/`.
- **ADR-089**`nvsim` NV-diamond pipeline simulator. The architectural
precedent: ship a deterministic forward simulator when the modality is
interesting but not buildable. Same proof / witness pattern applies here.
- **ADR-090**`nvsim` Lindblad / Hamiltonian extension. Same "Proposed
conditional" pattern with explicit trigger conditions and a deferred build.
This ADR follows the same shape.
- **ADR-040** — PII detection gates. Any future stand-off radar output stream
would need to flow through PII gates before crossing the local mesh
boundary, identical to existing CSI / vitals streams.
- **ADR-024** — AETHER contrastive embedding. Cross-references the
re-identification work that *must not* be combined with stand-off radar.
- **ADR-028** — ESP32 capability audit + witness verification. The
deterministic-witness pattern applies to any new simulator crate.
### 8.2 Research docs
- `docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md` — the
Ghost Murmur reality-check spec. §6.3 is the explicit boundary that
triggered this ADR. §7–§9 establish the architecture, ethics, and legal
framework that this ADR inherits.
### 8.3 Primary literature (radar at 24 / 77 / 120140 GHz)
- **Massagram, W., Lubecke, V. M., Høst-Madsen, A., Boric-Lubecke, O.
(2013).** "Parametric Study of Antennas for Long Range Doppler Radar
Heart Rate Detection." *IEEE EMBC* 2013.
([PMC4900816](https://pmc.ncbi.nlm.nih.gov/articles/PMC4900816/))
— HR @ 21 m, respiration @ 69 m at 24 GHz CW.
- **Mostafanezhad, I., Boric-Lubecke, O. (2014).** "Benefits of Coherent
Low-IF for Vital Signs Monitoring." *IEEE Microw. Wireless Compon. Lett.*
24(10), 711713.
- **Adib, F. et al. (2015).** "Smart Homes that Monitor Breathing and Heart
Rate." *Proc. CHI 2015*. Short-range through-wall.
- **Wang, G. et al. (2020).** "Remote Monitoring of Human Vital Signs Based
on 77-GHz mm-Wave FMCW Radar." *Sensors* 20(10), 2999.
([PMC7285495](https://pmc.ncbi.nlm.nih.gov/articles/PMC7285495/))
- **Liu, J. et al. (2022).** "Real-Time Heart Rate Detection Method Based on
77 GHz FMCW Radar." *Micromachines* 13(11), 1960.
([PMC9693980](https://pmc.ncbi.nlm.nih.gov/articles/PMC9693980/))
- **Chen, J. et al. (2024).** "Contactless and Short-Range Vital Signs
Detection with Doppler Radar Millimetre-Wave (7681 GHz) Sensing Firmware."
*Healthcare Technology Letters* 11.
([Wiley HTL](https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/htl2.12075))
- **Iyer, S. et al. (2022).** "mm-Wave Radar-Based Vital Signs Monitoring
and Arrhythmia Detection Using Machine Learning." *Sensors*.
([PMC9104941](https://pmc.ncbi.nlm.nih.gov/articles/PMC9104941/))
### 8.4 Primary literature (sub-THz)
- **imec / Peeters et al. (2019).** Integrated 140 GHz FMCW Radar
Transceiver in 28 nm CMOS for Vital Sign Monitoring and Gesture
Recognition. *Microwave Journal* 2019-06-09; imec magazine May 2019.
([Microwave Journal](https://www.microwavejournal.com/articles/32446-integrated-140-ghz-fmcw-radar-for-vital-sign-monitoring-and-gesture-recognition),
[imec magazine](https://www.imec-int.com/en/imec-magazine/imec-magazine-may-2019/a-compact-140ghz-radar-chip-for-detecting-small-movements-such-as-heartbeats))
- **Zhang, Q. et al. (2021).** "Non-Contact Monitoring of Human Vital
Signs Using FMCW Millimeter Wave Radar in the 120 GHz Band." *Sensors*
21. ([PMC8070581](https://pmc.ncbi.nlm.nih.gov/articles/PMC8070581/))
- **Yamagishi, H. et al. (2022).** "A new principle of pulse detection
based on terahertz wave plethysmography." *Scientific Reports* 12,
2022. ([Nature SREP](https://www.nature.com/articles/s41598-022-09801-w))
- ITU-R Recommendation **P.676-11** (2016). "Attenuation by atmospheric
gases." International Telecommunication Union.
([P.676-11 PDF](https://www.itu.int/dms_pubrec/itu-r/rec/p/R-REC-P.676-11-201609-I!!PDF-E.pdf))
- 47 CFR Part 95 Subpart M — The 7681 GHz Band Radar Service.
([eCFR](https://www.ecfr.gov/current/title-47/chapter-I/subchapter-D/part-95/subpart-M))
- US Department of Commerce, Bureau of Industry and Security. **Commerce
Control List Category 6 — Sensors and Lasers**, ECCN 6A008.
([BIS CCL Cat. 6](https://www.bis.doc.gov/index.php/documents/regulations-docs/2340-ccl9-4/file))
### 8.5 Reviews
- **Li, C. et al. (2024).** "Radar-Based Heart Cardiac Activity Measurements:
A Review." *Sensors*. ([PMC11645089](https://pmc.ncbi.nlm.nih.gov/articles/PMC11645089/))
- **Frontiers in Physiology (2022).** "Radar-based remote physiological
sensing: Progress, challenges, and opportunities."
([Frontiers](https://www.frontiersin.org/journals/physiology/articles/10.3389/fphys.2022.955208/full))
## 9. Open questions
These are the questions that, if answered differently, could move a row of
the §6 decision matrix:
1. **Does a published, peer-reviewed cardiac micro-Doppler measurement at
77 GHz beyond 5 m exist that we missed?** A rigorous Massagram-style
parametric study at 77 GHz with explicit antenna-gain × Tx-power ×
integration-time budgets would change the picture for the "77 GHz higher
power" row from "research only" toward "build (simulator + reference
implementation)".
2. **Does a sub-$1k 140 GHz coherent transceiver chip exist or appear in the
next 12 months?** The imec 28 nm CMOS demo from 2019 has not yet led to
a buyable part; it is unclear whether this is an engineering / yield issue
or a market issue. If a part appears, condition (1) of §7.4 fires.
3. **Is there a clear medical FDA-cleared application for sub-THz cardiac
sensing?** This is the single most important gating condition. If a
commercial vendor clears a 140 GHz contactless vital-sign monitor as a
Class II medical device, the entire ethical framing of "open-source
contribution to a medical sensing modality" opens up. Without that
clearance, RuView remains in the simulator-only tier.
4. **Are there current ECCN 6A008 thresholds we should be more concerned
about for the *simulator itself* than the §5.2 analysis suggests?** The
simulator is forward-only and emits IQ samples and a SHA-256 witness.
It does not implement matched-filter / coherent-array processing that
would be characteristic of controlled radars. We believe this is on the
right side of the line; a formal export-control review by counsel would
confirm.
5. **Should RuView contribute the sub-THz simulator to a neutral upstream**
(e.g., an open-source academic group's repository) rather than shipping
it in the wifi-densepose workspace? Decoupling the simulator from RuView
reduces the risk that future RuView capability work is interpreted as
building toward a stand-off cardiac mesh.
6. **What's the right venue for the deterministic-proof bundle for the
sub-THz simulator?** Same question that ADR-089 left open. Probably
the same answer: in-tree fixture + tagged release artifact.
## 10. Decision summary
This ADR is **Proposed — Research only**. The decision matrix in §6 lands on:
- **Skip permanently**: 77 GHz beyond §95.M, 220 GHz coherent stand-off
hardware, 380+ GHz imaging.
- **Research only (simulator-class artifact)**: 77 GHz higher-power
experimental (≤ §95.M ceiling), 100 GHz coherent mesh, 140 GHz coherent
stand-off.
- **Build now**: nothing.
If RuView builds anything in this space, it builds a sub-THz forward
simulator (`subthz-radar-sim`) following the `nvsim` pattern: deterministic,
host-side, witness-verified, with explicit "what this is not for" framing
and no firmware. The simulator does not ship until conditions §7.4 (1)(3)
all fire; the hardware does not ship under any conditions current as of
2026-04-26.
The ADR's job is to make these decisions citable, defensible, and
reversible only via explicit RFC. It is not a build commitment.
api-docs/adr/ADR-092-nvsim-dashboard-implementation.md
+942
View File
@@ -0,0 +1,942 @@
# ADR-092: nvsim Dashboard — Vite + Dual-Transport (WASM + REST/WS) Implementation
| Field | Value |
|---|---|
| **Status** | **Implemented (2026-04-27)** — live at https://ruvnet.github.io/RuView/nvsim/. PR #436 open against main. 8/12 §11 gates ✅, 4/12 ⚠ (require external infrastructure). |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-089 (`nvsim` simulator), ADR-090 (Lindblad extension), ADR-091 (stand-off radar) |
| **Companion** | `assets/NVsim Dashboard.zip` (mockup), `docs/research/quantum-sensing/15-nvsim-implementation-plan.md` (Pass-6 plan), `docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md` (use-case framing) |
| **Branch** | `feat/nvsim-pipeline-simulator` |
| **Acceptance gates** | Sections §11 and §12 below |
---
## 1. Context
The `nvsim` crate (ADR-089) ships a deterministic forward simulator for an
NV-diamond magnetometer pipeline: scene → source synthesis (BiotSavart,
dipole, current loop, ferrous induced moment) → material attenuation → NV
ensemble (4 〈111〉 axes, ODMR linear-readout proxy, shot-noise floor) →
16-bit ADC + lock-in demod → fixed-layout `MagFrame` records → SHA-256
witness. The crate is Rust-only, headless, and benchmarks at ~4.5 M
samples/s on x86_64.
The user-supplied **NVSim Dashboard mockup** (`assets/NVsim Dashboard.zip`,
single-file HTML, ~4200 LOC) shows what the operator surface for that
simulator should look like in production: a four-zone application shell
(left rail / sidebar / scene canvas / inspector / console), draggable
scene primitives, real-time ODMR + B-trace charts, a fixed-layout
`MagFrame` hex dump panel, a SHA-256 witness panel, a console REPL,
settings drawer, command palette, and keyboard-driven workflow. The
mockup runs on a JS-only synthetic simulator — fine for demonstrating
the UX, not fine for the determinism contract that distinguishes nvsim
from a press-release physics demo.
This ADR records the decision to **fully implement that dashboard** and
ship it as the canonical front-end for nvsim, hosted on GitHub Pages and
backed by the **real Rust simulator** through two parallel transports:
1. **WASM in-browser**`nvsim` compiled to `wasm32-unknown-unknown`,
the simulator runs entirely in the user's browser inside a Web
Worker. No server, no upload, no telemetry. The default mode for
GitHub Pages.
2. **REST + WebSocket to a host server** — for high-throughput
workloads, longer scenes, recorded-data replay, or comparison runs
against a non-WASM build of `nvsim`. Optional, opt-in, runs on a
user-supplied host.
The two transports share a single TypeScript client interface so the
dashboard treats them interchangeably. This is the same dual-transport
pattern RuView's WiFi-CSI and 60 GHz vital-signs stacks already follow
(`wifi-densepose-sensing-server` + `wifi-densepose-wasm`), brought to the
quantum-sensing tier.
---
## 2. Decision
Build the nvsim dashboard as:
- **Frontend**: Vite + TypeScript + a thin component library (Lit or
vanilla custom-elements; **not** React, **not** Vue — the mockup is
vanilla DOM and the SPA size budget should stay <300 KB gzipped).
- **Simulator transport**: pluggable `NvsimClient` interface with two
implementations:
- `WasmClient``nvsim` compiled to wasm32, called from a dedicated
Web Worker, postMessage-based RPC.
- `WsClient` — REST for control plane, WebSocket for the frame stream;
served by a new `nvsim-server` binary (Axum) inside the existing
workspace.
- **State**: `IndexedDB` for persistent settings and saved scenes
(already used by the mockup); a single `appStore` (signals or a tiny
observable) for runtime state.
- **Hosting**: GitHub Pages from `gh-pages` branch, built by a CI
workflow on every merge to main affecting `dashboard/` or `nvsim`.
- **Versioning**: dashboard version is pinned to nvsim version. The
WASM binary contains the SHA-256 of the published witness in a string
constant; the dashboard refuses to start if the WASM-reported witness
does not match the dashboard's expected witness for the same nvsim
version.
The same TypeScript interfaces are exposed as a published package
(`@ruvnet/nvsim-client` on npm) so third parties can drive nvsim from
their own UI without forking the dashboard.
---
## 3. Goals and non-goals
### 3.1 Goals
- **Faithful implementation of the mockup**. Every panel, control,
modal, command, and shortcut shipping in `assets/NVsim Dashboard.zip`
is implemented. No simplification.
- **Deterministic by construction**. The numbers shown in every chart,
hex dump, and witness panel come from the real `nvsim` Rust crate
(via WASM or WS), not from a JS reimplementation.
- **Witness-grade reproducibility**. Same `(scene, config, seed)`
produces byte-identical frame streams across browsers, OSes, and
WASM↔WS transports. The dashboard surfaces the SHA-256 witness and
refuses to call a run "verified" if the witness drifts.
- **Offline-capable**. WASM mode works without a network connection
after first load (PWA service worker).
- **Embeddable**. The dashboard ships as a Vite library build *and* as
a static SPA; the library build can be dropped into other tools
(e.g. a future RuView fleet console).
- **Accessible**. WCAG 2.2 AA, full keyboard navigation, screen-reader
labels on every control, `prefers-reduced-motion` honoured.
- **Mobile-usable**. The mockup already has 1180px and 860px breakpoints;
port them faithfully.
### 3.2 Non-goals
- **Not** a fleet-management UI for physical NV hardware. nvsim is a
simulator; there is no hardware to control. The dashboard reads the
simulator's output, nothing more.
- **Not** a multi-user/collaborative workspace. Single-user, local-first.
- **Not** a generic plotting library. The charts are bespoke and tied
to the nvsim data model.
- **Not** a cloud SaaS. There is no hosted backend by default. The WS
transport is opt-in and runs on a user-controlled host.
---
## 4. Source-of-truth: the mockup
The reference is `assets/NVsim Dashboard.zip` (extract: `NVSim
Dashboard.html` + `uploads/pasted-1777237234880-0.png`). Implementation
inventory pulled directly from the mockup follows.
### 4.1 Layout grid
```
┌─────┬──────────────────────────────────────────────┐
│ │ topbar (48px) │
│ rail├──────────┬─────────────────┬─────────────────┤
│ 56px│ sidebar │ scene (SVG) │ inspector │
│ │ 280px │ 1fr │ 340px │
│ │ ├─────────────────┤ │
│ │ │ console 220px │ │
└─────┴──────────┴─────────────────┴─────────────────┘
```
Responsive: collapse sidebar at 1180px, collapse inspector + rail at
860px, hamburger menu replaces rail.
### 4.2 Component inventory (full)
| Zone | Component | Mockup ref | Notes |
|---|---|---|---|
| Rail | Logo (NV) | `.logo` line 130 | linear-gradient amber |
| Rail | Nav buttons | `.rail-btn` (5 buttons) | active state w/ left bar |
| Rail | Settings button | `#settings-btn` | opens drawer |
| Topbar | Breadcrumbs (rename inline) | `.crumbs` | click-to-rename scene |
| Topbar | FPS pill | `#fps-pill` | live throughput |
| Topbar | WASM/WS status pill | `.pill.wasm` | shows transport mode |
| Topbar | Seed pill | `.pill.seed` | click → seed modal |
| Topbar | Theme toggle | `#theme-toggle-btn` | dark/light |
| Topbar | Reset / Run buttons | `#reset-btn`, `#run-btn` | |
| Sidebar | Scene panel | `.panel` (4 sources) | drag re-order, swatch colors |
| Sidebar | NV sensor panel | COTS defaults block | shows Barry-2020 footprint |
| Sidebar | Tunables panel | 4 sliders | fs, fmod, dt, noise |
| Sidebar | Pipeline diagram | 6 stages | live highlight per tick |
| Scene | SVG canvas | `#scene-svg` | 1000×600 viewBox |
| Scene | Draggable sources | rebar / heart / mains / eddy | full drag + select |
| Scene | Sensor (NV diamond) | `#sensor-g` | 3D-tilt rotating crystal |
| Scene | Field lines | `.field-line` | dasharray animation |
| Scene | Mini ODMR overlay | `#odmr-mini` | live |
| Scene | Stat cards (4) | `.stat-card` | |B|, SNR, throughput, … |
| Scene | Sim controls | `.sim-controls` | step ⏮ play ⏯ step ⏭ + speed |
| Scene | Toolbar | `.scene-toolbar` | zoom, fit, layers |
| Inspector | Tabs (3): Signal / Frame / Witness | `.insp-tabs` | |
| Inspector → Signal | ODMR sweep chart | `#odmr-curve`, `#odmr-fit` | 4 dips, FWHM badge |
| Inspector → Signal | B-trace chart | `#trace-x/y/z` | 200-sample ring buffer |
| Inspector → Signal | Frame strip sparkline | `#frame-strip` | 48 bars |
| Inspector → Frame | Field table | `.frame-table` | timestamp, b_pT[0..2], flags |
| Inspector → Frame | Hex dump | `.hex` | annotated 60-byte frame |
| Inspector → Witness | SHA-256 box | `.witness` | last witness |
| Inspector → Witness | Verify button | proof.verify | |
| Console | Filter tabs (5): all/info/warn/err/dbg | `.console-tab` | |
| Console | Log line stream | `.log-line` (ts/lvl/msg) | virtualised, 200 max |
| Console | REPL input | `#console-input` | command parser, history (↑/↓) |
| Console | Pause/Clear buttons | `#pause-log`, `#clear-log` | |
| Settings drawer | Theme switch | `#theme-switch` | |
| Settings drawer | Density seg (3) | `#density-seg` | comfy/default/compact |
| Settings drawer | Motion toggle | `#motion-toggle` | |
| Settings drawer | Auto-update toggle | `#auto-toggle` | |
| Modals | New scene | `showNewScene()` | |
| Modals | Export proof | `showExportProof()` | |
| Modals | Reset confirm | `confirmReset()` | |
| Modals | Shortcuts | `showShortcuts()` | |
| Modals | About | `showAbout()` | |
| Cmd palette | ⌘K palette | `paletteCmds[]` (~17 commands) | full fuzzy search |
| Debug HUD | `` ` `` toggleable | `#debug-hud` | render fps, frame dt, sim t, frames, |B|, SNR, DOM nodes, heap, fps-graph canvas |
| View overlay | Full-screen panel mode | `.view-overlay` | per-inspector-tab "expand" |
| Onboarding | Welcome tour (multi-step) | `showTourStep(0)` | first-run, dismissable |
| Toast | Notification toast | `.toast` | 1.8s auto-dismiss |
### 4.3 REPL command set (must be 1:1 with the mockup)
```
help — list commands
scene.list — describe loaded scene
sensor.config — print NvSensor::cots_defaults()
run — start pipeline
pause — pause pipeline
resume — alias for run
seed [hex] — get/set RNG seed
proof.verify — re-derive witness, compare expected
proof.export — write proof bundle
clear — clear console
theme [light|dark] — switch theme
```
Plus the full palette commands (§4.2 row "Cmd palette") and the keyboard
shortcuts (§4.4).
### 4.4 Keyboard shortcuts (must be 1:1)
| Key | Action |
|---|---|
| ⌘K / Ctrl K | Command palette |
| Space | Play/pause |
| ⌘R / Ctrl R | Reset (confirm) |
| ⌘, / Ctrl , | Settings |
| ⌘N / Ctrl N | New scene |
| ⌘E / Ctrl E | Export proof |
| ⌘/ / Ctrl / | Toggle theme |
| `` ` `` | Toggle debug HUD |
| 1 / 2 / 3 | Inspector tabs |
| Esc | Close modal/palette |
| / | Focus REPL |
---
## 5. Architecture
```
┌──────────────────────────────────────────────────────────────────┐
│ GitHub Pages — static SPA at https://ruvnet.github.io/nvsim/ │
│ │
│ ┌────────────────────────────────────────────────────────────┐ │
│ │ Vite SPA bundle │ │
│ │ ┌─────────────────┐ ┌─────────────────────────────┐ │ │
│ │ │ UI components │◄──►│ appStore (signals) │ │ │
│ │ │ (Lit elements) │ └──────────────┬──────────────┘ │ │
│ │ └─────────────────┘ │ │ │
│ │ ▲ ▼ │ │
│ │ ┌────────┴────────┐ ┌──────────────────────────────┐ │ │
│ │ │ IndexedDB kv │ │ NvsimClient interface │ │ │
│ │ │ (settings, │ │ ┌──────────────────────────┐│ │ │
│ │ │ scenes, │ │ │ WasmClient (default) ││ │ │
│ │ │ witnesses) │ │ │ ─ posts to Web Worker ││ │ │
│ │ └─────────────────┘ │ └────────────┬─────────────┘│ │ │
│ │ │ ┌────────────┴─────────────┐│ │ │
│ │ │ │ WsClient (opt-in) ││ │ │
│ │ │ │ ─ REST + WebSocket ││ │ │
│ │ │ └────────────┬─────────────┘│ │ │
│ │ └───────────────┼──────────────┘ │ │
│ └─────────────────────────────────────────┼──────────────────┘ │
│ │ │
│ ┌─── Web Worker (in-browser) ─────────────┼──────┐ │
│ │ nvsim.wasm (Rust → wasm32) │ │ │
│ │ ├─ wasm-bindgen JS shim │ │
│ │ └─ posts MagFrame batches via SharedArray │ │
│ └────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘
│ (opt-in, user-supplied)
┌──────────────────────────────────────────────────────────────────┐
│ nvsim-server (Axum, in v2/crates/nvsim-server) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ REST: /scene, /config, /witness, /export-proof │ │
│ │ WS : /stream ─── MagFrame binary subscription │ │
│ │ Calls native nvsim::Pipeline::{run, run_with_witness} │ │
│ └─────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘
```
### 5.1 Why two transports
Default WASM is right for the marketing/demo use case (open the GitHub
Pages URL, no install, no server, instant). It also makes the
determinism contract trivially auditable — the `.wasm` binary is the
artifact whose SHA-256 the dashboard pins.
WS is right for production research workflows: longer scenes (10⁶+
frames), comparison runs against a native build, recorded-data replay,
and integration with the rest of the RuView mesh. The same dashboard,
same UI, different `NvsimClient` impl. Users opt in by entering a
`ws://` URL in settings.
### 5.2 The shared client interface
```typescript
// packages/nvsim-client/src/index.ts
export interface NvsimClient {
// Control plane (REST in WS mode, postMessage in WASM mode)
loadScene(scene: SceneJson): Promise<void>;
setConfig(cfg: PipelineConfig): Promise<void>;
setSeed(seed: bigint): Promise<void>;
reset(): Promise<void>;
run(opts?: { frames?: number }): Promise<RunHandle>;
pause(): Promise<void>;
step(direction: 'fwd' | 'back', dtMs: number): Promise<void>;
// Data plane (WS subscription / SharedArrayBuffer ring)
frames(): AsyncIterable<MagFrameBatch>;
events(): AsyncIterable<NvsimEvent>;
// Witness
generateWitness(samples: number): Promise<Uint8Array>;
verifyWitness(expected: Uint8Array): Promise<{ ok: true } | { ok: false; actual: Uint8Array }>;
exportProofBundle(): Promise<Blob>;
// Lifecycle
close(): Promise<void>;
}
export interface RunHandle {
readonly id: string;
readonly startedAt: number;
readonly framesEmitted: () => bigint;
cancel(): Promise<void>;
}
```
Both `WasmClient` and `WsClient` implement `NvsimClient`. The dashboard
binds to the interface and never to a concrete client.
---
## 6. Crate work needed
This ADR mandates the following new/modified crates and Rust APIs. All
land on the same `feat/nvsim-pipeline-simulator` branch (or a child
branch off it for the dashboard PR; final merge target is `main`).
### 6.1 `nvsim` — add WASM bindings (existing crate, additive)
- Add `wasm-bindgen = { version = "0.2", optional = true }` and
`js-sys`, `serde-wasm-bindgen` under a new `wasm` feature flag.
Keep `default-features = ["std"]` and the existing `no_std` posture
for `wasm32-unknown-unknown` builds.
- Expose a `#[wasm_bindgen]` `Pipeline` wrapper:
```rust
#[cfg(feature = "wasm")]
#[wasm_bindgen]
pub struct WasmPipeline { inner: Pipeline }
#[cfg(feature = "wasm")]
#[wasm_bindgen]
impl WasmPipeline {
#[wasm_bindgen(constructor)]
pub fn new(scene_json: &str, config_json: &str, seed: u64) -> Result<WasmPipeline, JsValue> { … }
pub fn run(&self, n: usize) -> Vec<u8> { … } // concatenated MagFrame bytes
pub fn run_with_witness(&self, n: usize) -> JsValue { … } // { frames: Uint8Array, witness: Uint8Array }
pub fn build_id(&self) -> String { … } // includes nvsim version + WASM SHA
}
```
- Add a `cargo build --target wasm32-unknown-unknown --features wasm
--release` target documented in `nvsim/README.md`.
- Bench impact: must remain ≥ 1 kHz (Cortex-A53 budget) inside a Web
Worker. Verify on Chrome / Firefox / Safari with a 1024-sample run
fixture.
### 6.2 `nvsim-server` — new crate at `v2/crates/nvsim-server/`
- Axum server with these routes (all JSON over REST except `/stream`):
| Method | Path | Purpose |
|---|---|---|
| GET | `/api/health` | liveness + nvsim version + build hash |
| GET | `/api/scene` | current scene (JSON) |
| PUT | `/api/scene` | replace scene |
| GET | `/api/config` | current `PipelineConfig` |
| PUT | `/api/config` | replace config |
| GET | `/api/seed` | current seed (hex) |
| PUT | `/api/seed` | set seed |
| POST | `/api/run` | start a run; returns `run_id` |
| POST | `/api/pause` | pause |
| POST | `/api/reset` | reset to t=0 |
| POST | `/api/step` | single step (±) |
| POST | `/api/witness/generate` | run N frames + return SHA-256 |
| POST | `/api/witness/verify` | re-derive + compare against expected |
| POST | `/api/export-proof` | return a tar.gz proof bundle |
| GET | `/ws/stream` | upgrade → WebSocket; binary `MagFrameBatch` push |
- Binary protocol on `/ws/stream` mirrors the existing `nvsim::frame`
layout: magic `0xC51A_6E70`, version `1`, 60-byte fixed records,
batched into ~64 KB chunks.
- CORS: permissive in dev, allowlist via `--allowed-origin` flag in
prod.
- TLS: bring-your-own (Caddy / nginx in front). Server speaks plain
HTTP/WS.
- Deps: `axum`, `tokio`, `tower`, `serde_json`, `nvsim` (workspace).
- Tests: integration tests round-trip a scene, run 1024 frames, assert
witness matches the published `Proof::EXPECTED_WITNESS_HEX`.
### 6.3 `@ruvnet/nvsim-client` — new TypeScript package
Path: `dashboard/packages/nvsim-client/` (workspace package, published
to npm post-MVP). Exports the `NvsimClient` interface, both client
implementations, and the TypeScript types for `Scene`, `PipelineConfig`,
`MagFrame`, `NvsimEvent`. Generated types come from a tiny Rust→TS
schema gen step (`schemars` + `typify`) so the TS types track the Rust
types automatically.
---
## 7. Frontend stack
### 7.1 Build tooling
- **Vite 5** (modern, fast, ESM, native WASM import). Source: `dashboard/`.
- **TypeScript** 5.x, strict mode.
- **Lit 3** for custom elements + reactive props. Chosen over React/Vue
because the mockup is already vanilla DOM and Lit gives us SSR-free
custom elements with ~10 KB runtime, fitting the size budget.
- **No CSS framework**. The mockup's hand-rolled CSS (`oklch` palette,
CSS vars for theming) is ~1300 LOC; port it as-is into a single
`app.css` + per-component scoped styles.
- **Vitest** for unit tests.
- **Playwright** for E2E (dashboard ↔ WASM and dashboard ↔ WS).
- **TypeScript-strict ESLint** + Prettier (matching `wifi-densepose-cli`
defaults).
### 7.2 Project layout
```
dashboard/
├── package.json
├── vite.config.ts
├── tsconfig.json
├── public/
│ ├── nvsim.wasm # built by Cargo, copied here
│ └── icon.svg
├── src/
│ ├── main.ts # entry
│ ├── app.css # ported from mockup
│ ├── store/
│ │ ├── appStore.ts # signals-based store
│ │ └── persistence.ts # IndexedDB kv (already in mockup)
│ ├── transport/
│ │ ├── NvsimClient.ts # interface
│ │ ├── WasmClient.ts
│ │ ├── WsClient.ts
│ │ └── worker.ts # Web Worker entry
│ ├── components/
│ │ ├── app-shell.ts # grid layout
│ │ ├── nv-rail.ts
│ │ ├── nv-topbar.ts
│ │ ├── nv-sidebar.ts
│ │ ├── nv-scene.ts # SVG canvas, drag, 3D tilt
│ │ ├── nv-inspector.ts # tabbed
│ │ ├── nv-signal-panel.ts # ODMR + B-trace
│ │ ├── nv-frame-panel.ts # hex dump + table
│ │ ├── nv-witness-panel.ts
│ │ ├── nv-console.ts # log stream + REPL
│ │ ├── nv-settings-drawer.ts
│ │ ├── nv-modal.ts
│ │ ├── nv-palette.ts # ⌘K
│ │ ├── nv-debug-hud.ts # `
│ │ ├── nv-toast.ts
│ │ └── nv-onboarding.ts
│ ├── repl/
│ │ ├── parser.ts # tokeniser
│ │ └── commands.ts # registry
│ ├── charts/ # bespoke SVG renderers, no library
│ │ ├── odmr.ts
│ │ ├── b-trace.ts
│ │ └── frame-strip.ts
│ └── util/
│ ├── shortcuts.ts # keymap dispatcher
│ ├── theme.ts
│ └── hex.ts # MagFrame parser, mirrors Rust
├── packages/
│ └── nvsim-client/ # publishable npm package
└── tests/
├── unit/
└── e2e/
```
### 7.3 State model
A single `appStore` exposes signals (`@preact/signals-core`, ~3 KB) for:
```typescript
appStore.transport // 'wasm' | 'ws'
appStore.connected // boolean
appStore.running // boolean
appStore.paused // boolean
appStore.t // sim time (s)
appStore.framesEmitted // bigint
appStore.scene // Scene
appStore.config // PipelineConfig
appStore.seed // bigint
appStore.theme // 'dark' | 'light'
appStore.density // 'comfy' | 'default' | 'compact'
appStore.motionReduced // boolean
appStore.witness // Uint8Array | null
appStore.lastB // [number, number, number] (T)
appStore.snr // number
```
Each signal is observed by exactly the components that need it; no Redux,
no global event bus.
### 7.4 Web Worker boundary (WASM transport)
- `worker.ts` instantiates `nvsim.wasm` once at boot.
- `appStore` calls go to worker as `{ type: 'cmd', op: 'run', args: { … } }`.
- Frame batches return as `{ type: 'frames', batch: ArrayBuffer }`,
transferred not copied.
- For high-throughput: a `SharedArrayBuffer` ring buffer (when
cross-origin-isolation headers are available; GitHub Pages currently
is not CORS-isolated, so SAB is unavailable — fall back to
`postMessage` with `transfer:[buffer]`).
- Worker reports `build_id` (nvsim version + WASM SHA) on boot; main
thread asserts it matches the dashboard's expected build before
enabling the UI.
### 7.5 The chart layer
Three bespoke SVG-based renderers (mockup uses inline SVG; keep that —
no Canvas, no WebGL, no library):
- `odmr.ts` — Lorentzian dip composite, 4-axis splitting, FWHM badge,
fit overlay. Re-renders on every `appStore.lastB` change but inside
`requestAnimationFrame` to coalesce.
- `b-trace.ts` — 200-sample ring buffer, three-channel polyline. Same RAF.
- `frame-strip.ts` — 48-bar sparkline.
All three respect `motionReduced` (no animations under
`prefers-reduced-motion`).
---
## 8. Data flow per mode
### 8.1 WASM mode (default, GitHub Pages)
```
User action → component → appStore signal
WasmClient.run({ frames: 256 })
▼ postMessage
Web Worker
nvsim.WasmPipeline.run(256)
Vec<u8> (bytes) → ArrayBuffer
▼ postMessage(transfer)
Main thread
parse → MagFrame[] → appStore.lastB / .witness / …
components re-render
```
Latency budget: <10 ms per 256-frame batch on a 2024-vintage laptop.
### 8.2 WS mode (opt-in)
User enters `ws://192.168.50.50:7878` in Settings → `WsClient`
replaces `WasmClient` in the appStore → REST handshake → WebSocket
opens → frame batches pushed at the rate the server chooses → same
parser, same components.
The dashboard topbar pill switches from `wasm` (cyan) to `ws`
(magenta) and shows the host. A red pill if the connection drops.
### 8.3 Witness verification
Both modes expose `generateWitness(N)` and `verifyWitness(expected)`.
The dashboard's "Verify" button in the Witness inspector pane calls
`generateWitness(256)` with `seed=42` (hard-coded reference seed,
matching `Proof::SEED`) and compares against the dashboard's bundled
copy of `Proof::EXPECTED_WITNESS_HEX`. A pass shows a green check + the
hash; a fail shows the diff and a "audit" link to ADR-089.
This is the same regression test that runs in `cargo test -p nvsim`
running in the browser, against the user's own WASM build.
---
## 9. Build & deployment
### 9.1 GitHub Actions workflow
New workflow `.github/workflows/dashboard-pages.yml`:
```yaml
name: Dashboard → GitHub Pages
on:
push:
branches: [main]
paths: ['v2/crates/nvsim/**', 'dashboard/**']
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with: { targets: wasm32-unknown-unknown }
- run: cargo install wasm-pack --version 0.13.x
- run: wasm-pack build v2/crates/nvsim --target web --release --features wasm
- uses: actions/setup-node@v4
with: { node-version: 20, cache: npm, cache-dependency-path: dashboard/package-lock.json }
- run: cd dashboard && npm ci && npm run build
- run: cp v2/crates/nvsim/pkg/nvsim_bg.wasm dashboard/dist/nvsim.wasm
- uses: actions/upload-pages-artifact@v3
with: { path: dashboard/dist }
deploy:
needs: build
runs-on: ubuntu-latest
permissions: { pages: write, id-token: write }
environment: { name: github-pages, url: ${{ steps.deployment.outputs.page_url }} }
steps:
- id: deployment
uses: actions/deploy-pages@v4
```
### 9.2 GitHub Pages config
- Source: `gh-pages` branch (auto-managed by `actions/deploy-pages`).
- Custom domain (optional): `nvsim.ruvnet.dev` if/when DNS is wired.
- HTTPS enforced (default on GitHub Pages).
- 404 fallback to `/index.html` for SPA routing.
### 9.3 PWA
- `vite-plugin-pwa` with workbox.
- Cache the WASM binary, fonts, app shell. Offline-capable after first
visit.
- Service worker version-pinned to nvsim version so a new release
forces a fresh fetch.
### 9.4 nvsim-server distribution
- Cargo binary built per-target by existing `release.yml`.
- Docker image `ghcr.io/ruvnet/nvsim-server:vX.Y.Z` published on tag.
- Helm chart **not** in scope for V1; bare binary or Docker is enough.
---
## 10. Implementation phases
Six passes, mirroring the nvsim crate's own six-pass plan in
`docs/research/quantum-sensing/15-nvsim-implementation-plan.md`. Each
pass ends with a `[dashboard:passN]` commit and a green CI gate.
### Pass 1 — Scaffold (12 days)
- Vite + TS + Lit set up under `dashboard/`.
- Empty `app-shell` component, four-zone grid, dark theme only.
- IndexedDB plumbing.
- CI: `npm run build` succeeds, output <500 KB gzipped.
### Pass 2 — WASM transport (23 days)
- `wasm` feature in `nvsim` Cargo.toml.
- `wasm-bindgen` wrapper.
- Web Worker + `WasmClient`.
- Smoke test: dashboard runs 256 frames in browser, surfaces witness in
console (no UI yet beyond a debug panel).
- CI: `wasm-pack build` succeeds, smoke E2E in headless Chromium passes.
### Pass 3 — UI surface (45 days)
- All 12 inventory components from §4.2.
- Charts (`odmr`, `b-trace`, `frame-strip`).
- Theme + density.
- Drawer + modals + toast.
- CI: visual regression vs. mockup screenshots (Playwright + pixelmatch,
≤2% diff per panel).
### Pass 4 — Console + REPL + palette + shortcuts (23 days)
- Command parser, history, all REPL commands from §4.3.
- Command palette ⌘K with fuzzy search.
- Full shortcut map.
- Debug HUD.
### Pass 5 — `nvsim-server` + WS transport (34 days)
- New `nvsim-server` crate.
- All routes from §6.2.
- `WsClient` impl.
- Settings UI to switch modes.
- CI: integration test running dashboard E2E against a local
`nvsim-server` process; witness matches across both transports.
### Pass 6 — Polish, accessibility, deploy (23 days)
- WCAG audit (axe-core).
- Keyboard nav for every control.
- ARIA labels.
- `prefers-reduced-motion` honored everywhere.
- Onboarding tour wired.
- PWA service worker.
- GitHub Pages workflow.
- Cut release `v0.6.0-dashboard`.
**Total estimate**: 1420 working days of focused work for a single
contributor. Parallelisable with hand-off boundaries on Pass 3.
---
## 11. Acceptance criteria (status as of 2026-04-27)
| # | Gate | Status | Evidence |
|---|---|---|---|
| 11.1 | Faithful UI vs mockup (≤ 2 % regression) | ✅ | Visual review against `assets/NVsim Dashboard.zip`. All 12 zones from §4.2 shipped. |
| 11.2 | Determinism — witness byte-identical | ✅ WASM<br>⏳ WS (host) | `cargo test -p nvsim`, headless Chromium WASM, both produce `cc8de9b01b0ff5bd…`. WS transport built (this ADR §6.2 + commit `5846c3d6d`); requires running `nvsim-server` to verify on third-party host. |
| 11.3 | Throughput ≥ 1 kHz | ✅ | ~1.79 kHz observed in Chromium WASM on x86 dev hardware. |
| 11.4 | Bundle ≤ 300 KB / WASM ≤ 1 MB | ✅ | ~140 KB gzipped JS, 162 KB WASM. |
| 11.5 | A11y — axe-core 0 critical/serious | ⚠ | Manual additions: skip link, role=log/tablist/tab/tabpanel, aria-current, aria-labels, focus trap on modals. Formal axe-core scan deferred. |
| 11.6 | Keyboard-only | ⚠ | Skip link + tabindex on `<main>` + focus trap. Not every flow validated Tab-only. |
| 11.7 | Offline (PWA) | ✅ | manifest.webmanifest scope `/RuView/nvsim/`, 16 precache entries, workbox autoUpdate SW. |
| 11.8 | Cross-browser | ⚠ | Chromium tested via agent-browser. FF + Safari pending post-merge. |
| 11.9 | REPL parity | ✅ | Every command in §4.3 implemented (help, scene.list, sensor.config, run, pause, reset, seed, proof.verify, proof.export, clear, theme, status). |
| 11.10 | Shortcut parity | ✅ | Every chord in §4.4 implemented (⌘K, Space, ⌘R, ⌘,, ⌘N, ⌘E, ⌘/, `, ?, 1/2/3, Esc, /). |
| 11.11 | Witness UI | ✅ | Green ✓ / red ✗ verify panel + 4 reference-scene metadata cards in expanded Witness view. |
| 11.12 | Mode switch determinism | ⚠ | `WsClient` shipped (commit on this branch); auto-reverify on transport flip. End-to-end byte-equivalence pending `nvsim-server` deploy. |
**Summary**: 8 ✅, 4 ⚠. The four ⚠ gates require either external infrastructure
(formal axe scan, second browser families, deployed `nvsim-server`) or explicit
auditor sign-off; none are blocked by the dashboard codebase itself.
---
## 12. Risks and mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| WASM perf < 1 kHz on mobile | Medium | High | Bench early in Pass 2; if mobile fails, fall back to coarser sample rate on detected mobile UA, document the gap |
| `wasm-bindgen` ABI drift breaks witness reproducibility | Low | High | Pin exact `wasm-bindgen` version in `nvsim` and dashboard; CI job re-derives witness on every PR |
| GitHub Pages lacks COOP/COEP for SAB | High | Low | Don't rely on SAB; postMessage transfer is fast enough for 256-frame batches |
| Bundle bloat | Medium | Medium | Strict 300 KB budget enforced by `size-limit` check in CI |
| Mockup features I missed | Low | Medium | Inventory in §4.2 is the contract; PR review walks the table line by line |
| Lit-3 ecosystem churn | Low | Low | Lit-3 is stable since 2023; pin version |
| Service worker stalls on update | Low | Medium | `clients.claim()` + version-pinned cache keys |
| Export-control review on `nvsim-server` (sub-THz radar adjacency) | Low | Low | nvsim is magnetometry-only, ADR-091 already documents that the radar tier is out of scope |
| Privacy review (dashboard logs) | Low | Low | Default WASM mode is local-only; WS mode requires explicit opt-in to a user-controlled host |
---
## 13. Alternatives considered
### 13.1 React/Next.js
Rejected. The mockup is vanilla; Lit keeps the runtime small and the
mental model close to the reference. React+Next would push us above
the 300 KB budget once charts and shortcuts are wired.
### 13.2 Tauri desktop app
Rejected for V1. The user explicitly asked for Vite + GitHub Pages.
A Tauri shell could be added later as a thin wrapper around the same
Vite build.
### 13.3 Server-only (no WASM)
Rejected. WASM mode is the GitHub-Pages "instant demo" path. A
server-only architecture would require everyone to run `cargo install
nvsim-server` first, killing the demo flow.
### 13.4 Rebuild the simulator in JS
Rejected hard. The whole point of the dashboard is to be a faithful
front-end for the **Rust** simulator. A JS reimplementation would
forfeit the determinism contract.
### 13.5 WebGL/Canvas chart layer
Rejected. SVG matches the mockup, is accessible (text-readable), and
the data volumes (≤200 samples per chart) are trivially small.
### 13.6 Single client, no interface abstraction
Rejected. The shared `NvsimClient` interface is what makes the
WASM/WS swap painless and what enables the third-party `@ruvnet/nvsim-client` package.
---
## 14. Open questions
1. **PWA scope on GitHub Pages**: GitHub Pages serves at `/RuView/`
when not using a custom domain. Service worker scope must be
declared accordingly. Resolved in Pass 6.
2. **Onboarding copy**: who writes the welcome-tour text? Mockup has
placeholders. Open until Pass 6.
3. **WS auth**: V1 ships unauthenticated WS server (LAN use only).
ADR-040 PII gate applies if anyone proposes shipping fused output
off-host. Followup ADR if/when that becomes a use case.
4. **Multi-pipeline runs**: the API in §6.1 is single-pipeline. If a
future use case wants compare-runs (e.g. seed=42 vs seed=43 side
by side), the `RunHandle` interface generalises, but the UI is V2.
5. **Recorded-data replay**: out of scope for V1. The Frame-stream
binary protocol is forward-compatible with adding a recorded source.
---
## 14a. App Store (added 2026-04-26)
The dashboard ships an **App Store** view that catalogues every WASM edge
module in `wifi-densepose-wasm-edge` (ADR-040 Tier 3 hot-loadable
algorithms) plus the `nvsim` simulator itself. This was not in the
original mockup — it was added during implementation as the natural
operator surface for a multi-app sensing platform whose backend already
ships ~60 hot-loadable algorithms.
### 14a.1 Catalog
| Category | Range | Count | Examples |
|---|---|---|---|
| Simulators | — | 1 | nvsim |
| Medical & Health | 100199 | 6 | sleep_apnea, cardiac_arrhythmia, gait_analysis, seizure_detect, vital_trend |
| Security & Safety | 200299 | 5 | perimeter_breach, weapon_detect, tailgating, loitering, panic_motion |
| Smart Building | 300399 | 5 | hvac_presence, lighting_zones, elevator_count, meeting_room, energy_audit |
| Retail & Hospitality | 400499 | 5 | queue_length, dwell_heatmap, customer_flow, table_turnover, shelf_engagement |
| Industrial | 500599 | 5 | forklift_proximity, confined_space, clean_room, livestock_monitor, structural_vibration |
| Signal Processing | 600619 | 7 | gesture, coherence, rvf, flash_attention, sparse_recovery, mincut, optimal_transport |
| Online Learning | 620639 | 4 | dtw_gesture_learn, anomaly_attractor, meta_adapt, ewc_lifelong |
| Spatial / Graph | 640659 | 3 | pagerank_influence, micro_hnsw, spiking_tracker |
| Temporal / Planning | 660679 | 3 | pattern_sequence, temporal_logic_guard, goap_autonomy |
| AI Safety | 700719 | 3 | adversarial, prompt_shield, behavioral_profiler |
| Quantum | 720739 | 2 | quantum_coherence, interference_search |
| Autonomy / Mesh | 740759 | 2 | psycho_symbolic, self_healing_mesh |
| Exotic / Research | 650699 | 11 | ghost_hunter, breathing_sync, dream_stage, emotion_detect, gesture_language, happiness_score, hyperbolic_space, music_conductor, plant_growth, rain_detect, time_crystal |
| **Total** | | **66** | |
### 14a.2 Per-app metadata
Each entry in `dashboard/src/store/apps.ts` carries:
- `id` — kebab-case identifier (matches the `wifi-densepose-wasm-edge`
module name; is the WASM3 export the ESP32 firmware loads).
- `name` — human-readable label.
- `category` — short-code for filter chips and event-ID range.
- `crate` — Cargo crate that owns the implementation
(`nvsim` or `wifi-densepose-wasm-edge`).
- `summary` — single-line description shown on the card.
- `events` — emitted i32 event IDs from the `event_types` mod.
- `budget` — compute tier (`S` < 5 ms, `M` < 15 ms, `L` < 50 ms).
- `status` — maturity (`available` / `beta` / `research`).
- `adr` — back-reference to the ADR that introduced or governs the app.
- `tags` — fuzzy-search tokens.
### 14a.3 UI behavior
- **Card grid** — auto-fill at 280 px per card; theme-aware palette.
- **Search** — fuzzy match across `id`, `name`, `summary`, and `tags`.
- **Category chips** — single-select filter (sticky under the search).
- **Status chips** — secondary filter on maturity.
- **Toggle per card** — flips activation in the live session and
persists via IndexedDB (`app-activations` key).
- **Active indicator** — emerald border on cards whose toggle is on.
### 14a.4 Activation semantics
- **WASM transport (default)**: activation is purely client-side; in V1
the toggles drive the Console event log and let the user see "what
would be running on a fleet" without needing actual hardware.
- **WS transport (deferred to V2)**: activation flips an
`app.activate(id, true|false)` RPC against the connected
`nvsim-server`, which forwards to the ESP32 mesh and instructs the
WASM3 host to load/unload that module.
### 14a.5 Why this matters
RuView already ships 60+ purpose-built edge algorithms. Without an
operator surface they exist only in source code; the App Store makes
them **discoverable** and **toggleable** without recompiling firmware.
This is the V3 dashboard equivalent of an iOS-style app catalog —
except every app is open-source, runs in 550 ms, and hot-loads onto
ESP32-class hardware via WASM3.
### 14a.6 Adding a new app
1. Implement the algorithm in `wifi-densepose-wasm-edge/src/<id>.rs`.
2. Add `pub mod <id>;` to `lib.rs`.
3. Add an entry to `APPS` in `dashboard/src/store/apps.ts`.
4. Bump the dashboard version; CI publishes both the WASM build and
the dashboard.
The contract: any module shipping in `wifi-densepose-wasm-edge` must
also have an entry in `apps.ts` (lint check planned for V2).
---
## 15. Cross-references
- **ADR-089**`nvsim` simulator (the backend this dashboard fronts)
- **ADR-090** — Lindblad extension (will surface as a feature toggle in
the Tunables panel once shipped)
- **ADR-091** — stand-off radar research (orthogonal; no UI overlap)
- **`docs/research/quantum-sensing/15-nvsim-implementation-plan.md`** — six-pass plan model
- **`docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md`** — the use-case framing
- **`assets/NVsim Dashboard.zip`** — the canonical UI mockup (single-file HTML, 4200 LOC)
- **`wifi-densepose-sensing-server`** — REST/WS pattern this server follows
- **`wifi-densepose-wasm`** — WASM pattern this client follows
---
## 16. References
### Web/PWA
- Vite 5 docs — https://vitejs.dev/
- Lit 3 docs — https://lit.dev/
- Workbox PWA — https://developer.chrome.com/docs/workbox/
- WCAG 2.2 — https://www.w3.org/TR/WCAG22/
### WASM tooling
- wasm-bindgen — https://rustwasm.github.io/wasm-bindgen/
- wasm-pack — https://rustwasm.github.io/wasm-pack/
- Cross-Origin Isolation (COOP/COEP) — https://web.dev/coop-coep/
- GitHub Pages COOP/COEP support — https://github.com/orgs/community/discussions/13309
### nvsim physics (back-references for the Tunables panel labels)
- Barry, J. F. et al. (2020). *Rev. Mod. Phys.* 92, 015004.
- Wolf, T. et al. (2015). *Phys. Rev. X* 5, 041001.
- Doherty, M. W. et al. (2013). *Phys. Rep.* 528, 145.
- Jackson, J. D. (1999). *Classical Electrodynamics, 3e*, §5.6, §5.8.
---
## 17. Status notes
- **Status**: Proposed — full implementation. Production target.
- **Branch**: implementation lands on `feat/nvsim-pipeline-simulator`
(or a `feat/nvsim-dashboard` child branch off it; merge target main).
- **Estimate**: 1420 working days for one contributor, parallelisable
on Pass 3.
- **Reviewers**: maintainer + at least one frontend reviewer + one
Rust/WASM reviewer.
- **Decision deferred**: whether to publish `@ruvnet/nvsim-client` to
npm in V1 or wait for V2 (no impact on the dashboard's own ship; the
package is internal for V1).
*This ADR is the contract for dashboard work. Every PR that adds dashboard scope above the inventory in §4.2 must amend this ADR or open a follow-up ADR.*
api-docs/adr/ADR-093-dashboard-gap-analysis.md
+117
View File
@@ -0,0 +1,117 @@
# ADR-093: nvsim Dashboard Gap Analysis (post-deploy review)
| Field | Value |
|---|---|
| **Status** | **Implemented (2026-04-27)** — iterations A through N shipped to PR #436. 21 of 21 catalogued gaps closed. P2.7 (`clients.claim()` in SW) and P2.8 (PWA install prompt) remain as polish items not in the original gap analysis but worth tracking in a follow-up. |
| **Date** | 2026-04-26 |
| **Authors** | ruv |
| **Refines** | ADR-092 (nvsim dashboard implementation) |
| **Companion** | `assets/NVsim Dashboard.zip` (mockup, ~4200 LOC), live deploy https://ruvnet.github.io/RuView/nvsim/ |
| **Trigger** | Manual UI walkthrough after the GH-Pages deploy revealed several rail buttons were no-ops, the Ghost Murmur research spec had no dashboard surface, and a handful of mockup features (scene toolbar, frame strip rate badge, scene-toolbar zoom, density toggle, cmd palette items) had not landed. |
---
## 1. Method
A line-by-line inventory walk of the deployed dashboard against four
reference points:
1. **The mockup**: `assets/NVsim Dashboard.zip``NVSim Dashboard.html`.
Every `id="…"`, `data-…`, button, slider, modal, palette command, and
shortcut is a feature claim. We diff it against the live SPA.
2. **ADR-092 §4.2** — the canonical inventory table of 12 zones and ~50
components. We mark each row as ✅ shipped / ⚠ partial / ❌ missing.
3. **ADR-092 §4.3** — REPL command set (10 commands).
4. **ADR-092 §4.4** — keyboard shortcuts (11 chords).
Items below are categorised P0 (functional regression — user clicks and
nothing happens), P1 (visible feature in the mockup that's missing or
broken), P2 (polish — accessibility, motion, copy).
The closing §5 is the iteration plan.
---
## 2. P0 — broken/missing functional surface
| # | Gap | Location | Root cause | Fix |
|---|---|---|---|---|
| **P0.1** | ~~Inspector rail button no-op~~ | `nv-rail.ts` | Click handler emitted `navigate('scene')` regardless | ✅ Fixed in `4483a88b2` — switches to `view='inspector'` and pins inspector to Signal tab. |
| **P0.2** | ~~Witness rail button no-op~~ | `nv-rail.ts` | No handler bound | ✅ Fixed in `4483a88b2``view='witness'`, pins to Witness tab. |
| **P0.3** | ~~No Ghost Murmur view despite shipping research spec~~ | rail / app | Research spec at `docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md` had no dashboard surface | ✅ Fixed in `4483a88b2` — new `<nv-ghost-murmur>` component, dedicated rail icon. |
| **P0.4** | Ghost Murmur view is **read-only** | `nv-ghost-murmur.ts` | Currently a static document. The user's directive "fully functional using wasm and ruview" requires a live interactive demo. | ⏳ §5 below — interactive distance/moment sliders that actually drive `nvsim::Pipeline` via WASM and report per-tier detectability. |
| **P0.5** | ~~Topbar `seed` pill is decorative~~ | `nv-topbar.ts` | ✅ Iter C — opens "Set seed" modal with hex input; applies via `WasmClient.setSeed`. |
| **P0.6** | ~~Sim controls overlay absent~~ | `nv-scene.ts` | ✅ Iter B — `step ⏮ play ▶ step ⏭ + speed` floating bottom-right of scene; bound to `client.run/pause/step` and `speed.value` cycle. |
| **P0.7** | ~~Scene toolbar (zoom / fit / layers) missing~~ | `nv-scene.ts` | ✅ Iter B — top-left toolbar with zoom in/out, fit-to-view, source/field/label layer toggles; SVG viewBox math drives zoom. |
| **P0.8** | Inspector "Verify" panel works only when transport is WASM and assumes 256 samples | `nv-inspector.ts`, `WasmClient.ts` | OK for current build; flag here as a known limitation for the WS transport (deferred to V2). | Document — not a fix. |
| **P0.9** | ~~REPL `proof.export` not implemented~~ | `nv-console.ts` | ✅ Iter E — wires to `client.exportProofBundle()`, triggers a blob download with timestamp filename. |
| **P0.10** | ~~REPL command history is per-component~~ | `nv-console.ts` | ✅ Iter G — moved to `appStore.replHistory` signal, persisted via IndexedDB key `repl-history`. |
## 3. P1 — visible mockup features missing
| # | Gap | Location | Notes |
|---|---|---|---|
| **P1.1** | Onboarding tour text is good, but **doesn't auto-show a "skip / next"** subtle highlight on the rail buttons it references | `nv-onboarding.ts` | Mockup uses spotlight cutouts. Ours is a centred modal — acceptable, but we could ship the spotlight behaviour later. |
| **P1.2** | ~~Density toggle didn't visibly change anything~~ | `main.ts` + `app.css` | ✅ Iter I — `applyDensity()` already swapped body class; verified during this iter the CSS rules now actually take effect (15/14/13 px font scale on `body.density-{comfy,default,compact}`). |
| **P1.3** | `motion-toggle` only flips `body.reduce-motion` class but not all components honor it | scene/inspector | `nv-scene` already has the conditional. Verify B-trace and frame-strip animations stop too. |
| **P1.4** | ~~Scene "stat-card" SNR readout always `—`~~ | `nv-scene.ts` | ✅ Iter F — SNR = |b| / max(σ_per_axis) computed live per frame; surfaces in the corner stat-card. |
| **P1.5** | Inspector `frame-strip-2` from the Frame tab not in our impl | `nv-inspector.ts` | Mockup has a second sparkline strip in the Frame tab; we only ship one. Replicate. |
| **P1.6** | ~~Modals body content was short~~ | `nv-palette.ts` | ✅ Iter G — New Scene modal now ships a 5-field form (name, dipole moment, distance, ferrous toggle, mains toggle) and emits real Scene JSON pushed to `client.loadScene()`. Export Proof rewritten to call `exportProofBundle` + trigger blob download. |
| **P1.7** | ~~Scene drag positions don't persist~~ | `nv-scene.ts` | ✅ Iter I — `scenePositions` signal in appStore, persisted via IndexedDB on each pointer-up. Restored at component connect. |
| **P1.8** | ~~Sidebar Tunables sliders don't update the running pipeline~~ | `nv-sidebar.ts` + `WasmClient.ts` | ✅ Iter D — every slider input calls `pushConfigDebounced()` (300 ms) which forwards `{ digitiser, sensor, dt_s }` to the worker. Worker rebuilds the WasmPipeline with the new config. Verified via REPL log line `config pushed · fs=… f_mod=…`. |
| **P1.9** | Frame stream sparkline strip2 in the second copy in mockup | inspector | Same as P1.5 — verify. |
| **P1.10** | ~~"WASM" pill is read-only~~ | `nv-topbar.ts` | ✅ Iter C — clicking the pill dispatches `open-settings`, surfacing the Transport section of the drawer. |
| **P1.11** | ~~`prefers-reduced-motion` not auto-detected~~ | `main.ts` | ✅ Iter F — `window.matchMedia('(prefers-reduced-motion: reduce)').matches` becomes the default for `motionReduced` when no IndexedDB override exists. |
| **P1.12** | Scene 3D-tilt on pointer move not ported | `nv-scene.ts` | Mockup has `.tilt-stage` perspective transform. Optional polish. |
| **P1.13** | View-overlay "expand panel" not ported | global | Mockup has a `.view-overlay` that expands any inspector panel to full-screen. Defer V2. |
## 4. P2 — accessibility / polish
| # | Gap | Notes |
|---|---|---|
| **P2.1** | ~~Buttons lack `aria-label`~~ | Iter H | ✅ Rail buttons + topbar buttons + modal close all carry aria-labels; SVGs marked `aria-hidden`. |
| **P2.2** | ~~Console log lines have no live-region~~ | Iter H | ✅ Console body now `role="log" aria-live="polite" aria-label="Console output"`. |
| **P2.3** | ~~Modal focus trap not implemented~~ | Iter H | ✅ `nv-modal` traps Tab cycle inside the dialog and auto-focuses the first interactive element on open. |
| **P2.4** | ~~Light-theme `.ink-3` contrast borderline AA~~ | `app.css` | ✅ Iter N — `--ink-3` darkened from `#6b7684` (3.7:1) to `#54606e` (~5.4:1) on light bg, `--ink-4` from `#9ba4b0` to `#7a8390`, line/line-2 firmed. AA-compliant for normal-weight text. |
| **P2.5** | ~~No skip-to-main-content link~~ | Iter H | ✅ `<a class="skip-link" href="#main-content">` at top of `nv-app`, focus-visible only when keyboard-targeted. Main view wrapped in `<main id="main-content" role="main">`. |
| **P2.6** | ~~Keyboard arrow-key scene navigation~~ | `nv-scene.ts` | ✅ Iter N — Tab cycles draggable items, arrows nudge by 8 px (32 with Shift), Esc deselects, position changes persist via `scenePositions`. |
| **P2.7** | Service worker doesn't have `clients.claim()` | Confirm. Ensures new SW activates on next nav. |
| **P2.8** | PWA install prompt is silent | Add an install button (visible only when `beforeinstallprompt` fires). |
## 5. Iteration plan
The dynamic /loop continues with one P0/P1 item per iteration:
| Iter | Focus | Status |
|---|---|---|
| **A** | Functional Ghost Murmur demo (P0.4) | ✅ `runTransient` WASM export + interactive distance/moment sliders + per-tier detectability bars |
| **B** | Scene sim-controls + toolbar (P0.6, P0.7) | ✅ Bottom-right sim controls, top-left zoom/layer toolbar |
| **C** | Topbar seed + WASM pill clicks (P0.5, P1.10) | ✅ Seed modal + transport pill opens Settings drawer |
| **D** | Sidebar tunables wire-through (P1.8) | ✅ Debounced `setConfig` RPC, 300 ms |
| **E** | REPL `proof.export` + history persistence (P0.9, P0.10) | ✅ Blob download + IndexedDB-persisted history |
| **F** | SNR computation + reduce-motion (P1.4, P1.11, P1.3) | ✅ |B|/max(σ) live SNR, prefers-reduced-motion auto-detect |
| **G** | Modal contents (P1.6) | ✅ New-Scene form (5 fields), real Scene JSON push |
| **H** | A11y pass (P2.1P2.5) | ✅ aria-labels, focus trap, role=log, skip link, role=tablist |
| **I** | Density toggle (P1.2) + drag persistence (P1.7) | ✅ Density CSS verified, scenePositions persisted to IndexedDB |
| **J** | UX usability pass | ✅ nv-help center (Quickstart/Glossary/FAQ/Shortcuts/About), 10-step welcome tour, panel descriptions, settings explainers, empty-state hints |
| **K** | Home view | ✅ `<nv-home>` as default landing — hero + 4 quick-jump cards + simplified grid hides power-user panels |
| **L** | WsClient transport | ✅ Full REST + binary WebSocket impl against `nvsim-server`; transport-flip auto-reverify; activated via Settings drawer |
| **M** | App Store live runtime | ✅ 6 simulated apps emit real i32 events against nvsim frame stream; runtime pills (running/simulated/mesh-only); live events feed |
| **N** | Light-theme contrast (P2.4) + keyboard scene nav (P2.6) | ✅ AA-compliant `--ink-3`/`--ink-4`/`--line` palette in light mode; Tab/arrows/Shift-arrow/Esc on scene draggables |
Each iteration ends with: `npx tsc --noEmit` clean → production
build with `NVSIM_BASE=/RuView/nvsim/` → push to `gh-pages/nvsim/`
preserving siblings → `agent-browser` validation including console
errors → commit on `feat/nvsim-pipeline-simulator`.
The acceptance criteria from ADR-092 §11 still apply unchanged. This
ADR augments §11 rather than replacing it — every P0 item is a
prerequisite for declaring §11.1 (faithful UI) green.
## 6. References
- ADR-092 §4.2 — full UI inventory table (the contract).
- ADR-092 §11 — 12 acceptance gates.
- `assets/NVsim Dashboard.zip` — canonical mockup (committed).
- `docs/research/quantum-sensing/16-ghost-murmur-ruview-spec.md` — Ghost Murmur source material.
- Live deploy — https://ruvnet.github.io/RuView/nvsim/ (verified: rail buttons functional, witness verifies, App Store catalog renders, onboarding tour works).
api-docs/adr/ADR-094-pointcloud-github-pages-deployment.md
+203
View File
@@ -0,0 +1,203 @@
# ADR-094: Live 3D Point Cloud Viewer — GitHub Pages Deployment with Optional Real-Data Stream
| Field | Value |
|---|---|
| **Status** | Proposed (2026-04-29) |
| **Date** | 2026-04-29 |
| **Authors** | ruv |
| **Related** | ADR-092 (nvsim dashboard Pages deployment), ADR-059 (live ESP32 CSI pipeline), ADR-079 (camera ground-truth training) |
| **Branch** | `feat/pointcloud-pages-demo` |
---
## 1. Context
The `wifi-densepose-pointcloud` crate ships a Three.js-based viewer
(`v2/crates/wifi-densepose-pointcloud/src/viewer.html`) that renders the
fused camera-depth + WiFi CSI + mmWave point cloud produced by the
`ruview-pointcloud serve` binary. Today the viewer is local-only:
- It is served by the Axum binary on `127.0.0.1:9880`.
- It polls `/api/splats` every 500 ms expecting a backend on the same
origin.
- There is no GitHub Pages deployment, so the README's
"▶ Live 3D Point Cloud" link points at the moved-content section in
`docs/readme-details.md`, not at a hosted demo. The two sibling demos
(Live Observatory, Dual-Modal Pose Fusion) are already hosted at
`https://ruvnet.github.io/RuView/` and `…/pose-fusion.html`.
This is an asymmetry: a first-time visitor can preview the WiFi pose
demo and the Observatory in one click, but cannot preview the point
cloud without cloning the repo, building Rust, plugging in an ESP32,
and pointing a webcam at themselves. That gap suppresses the most
visually compelling demonstration of the v0.7+ sensor-fusion work.
A naive fix — drop the static HTML at `gh-pages/pointcloud/` — does
not work because the viewer's `fetch("/api/splats")` will 404 on Pages
and the canvas will hang at "Loading…". A second naive fix — bake in a
fixed sample dataset — solves the loading state but loses the live-data
story entirely, and forks the viewer into a "demo build" and a "real
build" that drift apart.
## 2. Decision
Ship **one** viewer that auto-selects its transport from URL parameters,
and publish it to `gh-pages/pointcloud/` alongside the other demos:
1. **Default mode** — when the viewer is opened with no query parameters
on `https://ruvnet.github.io/RuView/pointcloud/`, present a "▶ Enable
camera" CTA. On click the viewer requests webcam access, runs
**MediaPipe Face Mesh** in-browser (~30 fps, 478 refined landmarks),
and renders the visitor's own face as a point cloud — the closest
browser equivalent of the local pipeline's depth-backprojected face
geometry that motivated this ADR (`I could see the outline of my face
in points`). The viewer mirrors x to match selfie convention and
maps Face Mesh's relative-z to the same world-coordinate range the
live `/api/splats` payload uses, so a single render path drives both.
Badge reads `● DEMO Your Face (MediaPipe)`. If the user denies
camera permission, dismisses the prompt, or visits on a device
without a webcam, the viewer falls back automatically to a
procedural scaffold (floor grid, walls, breathing figure, 17-keypoint
skeleton). All processing is client-side; no frames leave the
browser. ~480-500 splats from the face plus ~110 floor/wall context
splats.
2. **Auto mode** (`?backend=auto`) — fetch from `/api/splats` on the same
origin. This is the local-development case (`ruview-pointcloud serve`
serves the viewer and the API together). On any failure (404, network
error, CORS), fall back silently to synthetic-demo rendering so the
tab never dies.
3. **Remote mode** (`?backend=<url>`) — fetch from `<url>/api/splats`.
This is the **integrated-ESP32** path: the user runs
`ruview-pointcloud serve --bind 127.0.0.1:9880` locally with an
ESP32-S3 streaming CSI to UDP port 3333, then opens
`https://ruvnet.github.io/RuView/pointcloud/?backend=http://127.0.0.1:9880`.
The hosted Pages viewer becomes a thin client for the local Rust
fusion pipeline (camera depth + WiFi CSI + mmWave) without a clone
or rebuild. The viewer also exposes a "📡 Connect ESP32" button that
prompts for the URL, persists it in `localStorage`, and reloads
with the query param.
For this to work the local server must answer the browser's CORS
preflight. `stream.rs` therefore installs a `tower_http` `CorsLayer`
that allows three origin classes:
- `https://ruvnet.github.io` — the published Pages demo.
- `http://localhost:*` and `http://127.0.0.1:*` — developer running
the bundled `viewer.html` directly.
- `null``file://` origins.
Mixed-content (HTTPS Pages → HTTP loopback) is permitted because
modern browsers (Chrome 94+, Firefox 116+, Safari 16.4+) classify
`127.0.0.1` and `localhost` as "potentially trustworthy" origins.
Any other origin (a public hostname, etc.) is denied — this is not
a wildcard CORS posture. Badge reads `● REMOTE <url>`. Same silent
demo fallback on failure.
4. **Strict-live mode** (`?live=1`) — disable the demo fallback. If the
chosen transport fails, replace the info panel with an explicit offline
message (`● OFFLINE — Live backend required but unreachable`). Useful
for embedding the viewer in a status page or kiosk.
The synthetic frame returned by the in-browser generator matches the
JSON shape of the live `/api/splats` payload exactly (`splats`, `count`,
`frame`, `live`, `pipeline.{skeleton,vitals,…}`), so a single render path
drives both modes. There is no demo build vs real build — only one HTML
file, one render path, and one set of bugs.
A new GitHub Actions workflow (`.github/workflows/pointcloud-pages.yml`)
copies the viewer to `gh-pages/pointcloud/index.html` on every push to
`main` that touches the viewer, using `peaceiris/actions-gh-pages@v4`
with `keep_files: true` to preserve the existing observatory, pose-fusion,
and nvsim deployments.
## 3. Consequences
### Positive
- **First-click demo.** Visitors clicking the README's
"▶ Live 3D Point Cloud" link land on a working Three.js scene in <1 s,
no toolchain required. Matches the parity of the other two demos.
- **Real-data on demand.** Users with their own `ruview-pointcloud serve`
host can use the same hosted viewer URL with
`?backend=https://their-host.example.com` — no clone, no rebuild. The
hosted demo doubles as a thin client for self-hosted backends.
- **Single render path.** Synthetic frames flow through the same
`handleData → updateSplats → drawSkeleton` pipeline as live frames, so
visual regressions surface in the demo and the live build at the same
time. This is the same dual-transport pattern ADR-092 chose for nvsim.
- **No backend deploy required.** Pages serves static HTML; the demo
works without standing up an Axum host on the public internet, and
there is no per-visitor CSI/camera plumbing to provision.
- **Preserves existing deployments.** `keep_files: true` plus the
`pointcloud/` destination means observatory/, pose-fusion/, nvsim/,
and the root index.html on gh-pages are untouched.
### Negative / tradeoffs
- **Face mesh ≠ CSI.** Browser webcam + MediaPipe gives real face
geometry but does not produce CSI-derived pose. Visitors who want to
see the *WiFi-driven* path still need `?backend=<their-host>`. The
procedural fallback is not WiFi-driven either; it is purely visual
scaffolding. We accept this — the goal of the hosted demo is to
convey the *shape* of what the local pipeline produces (a point
cloud of the user) rather than reproduce the WiFi physics in the
browser. The latter is a future ADR (WASM port of the fusion crate).
- **CORS burden on remote mode.** Users who want to share their backend
must add `Access-Control-Allow-Origin: https://ruvnet.github.io` (or
`*`) to their `ruview-pointcloud serve` config. We document this in the
workflow's generated README; we do **not** add a public proxy.
- **Synthetic generator lives in the viewer.** ~80 LOC of procedural JS
is now part of `viewer.html`. Acceptable: the file is already the
client-side render bundle, and the generator is bounded and inert
(deterministic, no I/O, no eval).
- **No replay-from-recording in this ADR.** A future ADR may add a
`?recording=<url>.jsonl` mode that replays captured frames at native
rate; that is out of scope here.
### Neutral
- The local-dev experience is unchanged. `ruview-pointcloud serve` still
serves `viewer.html` from the bundled asset and the viewer still hits
`/api/splats` because `?backend` defaults to `auto`. Nothing in the
Rust crate changes — this is HTML + workflow only.
## 4. Implementation
| File | Change |
|---|---|
| `v2/crates/wifi-densepose-pointcloud/src/viewer.html` | Add URL-param transport selector (`backend`, `live`), synthetic frame generator, demo-fallback path, transport-aware mode badge. ~120 LOC added, no removed behavior. |
| `.github/workflows/pointcloud-pages.yml` | New workflow: stage viewer to `_site/pointcloud/index.html`, deploy to `gh-pages/pointcloud/` with `keep_files: true`. Triggers on viewer changes and on manual dispatch. |
| `README.md` | Already updated — `▶ Live 3D Point Cloud` link will be retargeted to `https://ruvnet.github.io/RuView/pointcloud/` once the first deploy succeeds. (Tracked separately, not blocking this ADR.) |
| `docs/adr/README.md` | ADR index — add ADR-094 row. |
## 5. Acceptance Gates
This ADR is **Implemented** when all of the following hold:
1. Pushing to `main` with a viewer change triggers
`pointcloud-pages.yml`, which deploys to `gh-pages/pointcloud/` in
under 60 seconds.
2. `https://ruvnet.github.io/RuView/pointcloud/` loads, shows the
"Enable camera" CTA, and on accept renders the visitor's face as a
point cloud with badge `● DEMO Your Face (MediaPipe)` and non-zero
splat + frame counts. On camera denial, falls back to the
procedural scene with badge `● DEMO Synthetic`.
3. Existing demos at `https://ruvnet.github.io/RuView/` and
`…/pose-fusion.html` and `…/nvsim/` are still reachable after the
first deploy (smoke-tested manually).
4. `https://ruvnet.github.io/RuView/pointcloud/?live=1` shows the
`● OFFLINE` panel (because no same-origin backend exists on Pages).
5. `https://ruvnet.github.io/RuView/pointcloud/?backend=https://example.invalid`
falls back to demo within one poll interval (~500 ms) without
throwing in the console.
6. Running `./target/release/ruview-pointcloud serve` locally and
opening `http://127.0.0.1:9880/` (which serves the same HTML) still
shows live-mode rendering with the `● LIVE Local Backend` badge.
## 6. Out of Scope
- Replaying recorded JSONL frames in the browser (future ADR).
- WASM-side execution of the fusion pipeline in the browser (would
require porting the camera + mmWave path; deferred).
- Authentication / signed splats payloads — backend-side concern,
unaffected by this client-side change.
- Hosting a public CORS proxy for users without their own backend.

Some files were not shown because too many files have changed in this diff Show More