test(core,cli): pin DoS-resistance of CSI deserialisers (ADR-127 security review)

Beyond-SOTA security review of wifi-densepose-core + wifi-densepose-cli.
Load-bearing-question verdict: the NaN-state-poisoning bug class does NOT
originate in core — core exposes no stateful accumulator (no Welford,
von-Mises, IIR, voxel grid, running mean); each downstream crate rolls its
own, so each fix is correctly local. Both crates confirmed clean on every
reviewed dimension (panic-on-adversarial-input, NaN handling, unbounded
memory, path traversal, secrets) — no production code changed.

Adds 4 regression pins locking in two existing-but-untested DoS guards:
- core: from_canonical_bytes shape guard (Vec::with_capacity bound) — proven
  to fail with `capacity overflow` when the saturating-mul guard is removed.
- core: canonical decoder never panics on arbitrary/truncated bytes.
- cli: parse_csi_packet rejects an oversized n_antennas*n_subcarriers claim
  before Array2 allocation (33 MB claim in a 2 KB datagram -> None).
- cli: parse_csi_packet never panics on arbitrary UDP bytes.

core: 35 -> 37 lib tests; cli: 24 -> 26 tests; 0 failed. Python proof
unchanged (f8e76f21…46f7a — off the signal path).

Co-Authored-By: claude-flow <ruv@ruv.net>

v2/crates/wifi-densepose-cli/src/calibrate.rs

@@ -471,6 +471,54 @@ mod tests {
         assert!(ht.record(&f).is_err());
     }
 
+    /// Security pin (review 2026-06, ADR-127): the UDP parser is the CLI's
+    /// widest attack surface — `calibrate` / `enroll` / `room-watch` bind it to
+    /// 0.0.0.0 by default, so any host on the LAN can send arbitrary bytes. A
+    /// header that *claims* a huge `n_antennas * n_subcarriers` must be rejected
+    /// by the length check BEFORE the `Array2::zeros` allocation, so a single
+    /// small datagram can never trigger a multi-MB allocation (unbounded-memory
+    /// DoS). The largest possible claim (255 × 65535 pairs ≈ 33 MB of IQ) inside
+    /// a RECV_BUF-sized (2048-byte) datagram parses to `None`, never OOMs.
+    #[test]
+    fn test_parse_csi_packet_oversized_claim_is_rejected_not_allocated() {
+        let mut buf = vec![0u8; RECV_BUF];
+        buf[0..4].copy_from_slice(&0xC511_0001u32.to_le_bytes());
+        buf[4] = 1; // node_id
+        buf[5] = 255; // n_antennas (max)
+        buf[6..8].copy_from_slice(&65535u16.to_le_bytes()); // n_subcarriers (max)
+        buf[8..12].copy_from_slice(&2432u32.to_le_bytes());
+        // n_pairs = 255 * 65535 = 16_711_425 → needs ~33 MB of IQ bytes that a
+        // 2048-byte datagram cannot carry → length check fails → None.
+        assert!(parse_csi_packet(&buf, "ht20").is_none());
+    }
+
+    /// Security pin (review 2026-06): the parser must never panic on ANY byte
+    /// string — truncated headers, lying length fields, odd sizes. IQ-loop
+    /// indexing is guarded by the length check; this sweeps a spread of
+    /// adversarial inputs to lock in panic-on-adversarial-input = 0.
+    #[test]
+    fn test_parse_csi_packet_never_panics_on_arbitrary_bytes() {
+        let mut st = 0x1234_5678u64;
+        let mut next = move || {
+            st = st
+                .wrapping_mul(6_364_136_223_846_793_005)
+                .wrapping_add(1_442_695_040_888_963_407);
+            (st >> 33) as u8
+        };
+        for len in 0..600usize {
+            let buf: Vec<u8> = (0..len).map(|_| next()).collect();
+            for tier in ["ht20", "he20", "garbage"] {
+                let _ = parse_csi_packet(&buf, tier);
+            }
+        }
+        // Valid magic, lying n_subcarriers, no payload → None (not a panic).
+        let mut buf = vec![0u8; 20];
+        buf[0..4].copy_from_slice(&0xC511_0001u32.to_le_bytes());
+        buf[5] = 3;
+        buf[6..8].copy_from_slice(&500u16.to_le_bytes());
+        assert!(parse_csi_packet(&buf, "ht20").is_none());
+    }
+
     #[test]
     fn test_freq_to_channel_24ghz() {
         assert_eq!(freq_mhz_to_channel(2437), 6);

v2/crates/wifi-densepose-core/src/types.rs

@@ -1636,6 +1636,67 @@ mod tests {
         }
     }
 
+    /// Security pin (review 2026-06, ADR-127) — `from_canonical_bytes` is a
+    /// deserialisation boundary for replayed/forwarded captures. A forged header
+    /// advertising an enormous `rows × cols` must be rejected by the
+    /// shape-vs-length check (`expect` uses saturating multiplies) BEFORE the
+    /// `Vec::with_capacity(rows * cols)` allocation — otherwise an attacker could
+    /// drive a multi-GB allocation from a few header bytes (unbounded-memory
+    /// DoS). The check guarantees `rows*cols*16 <= bytes.len()`, so the capacity
+    /// is bounded by the input the caller already holds. This must not OOM.
+    #[test]
+    fn canonical_decode_oversized_shape_is_bounded_not_allocated() {
+        use ndarray::Array2;
+        let meta = CsiMetadata::new(DeviceId::new("n"), FrequencyBand::Band2_4GHz, 1);
+        let data = Array2::from_shape_fn((1, 2), |(_, c)| Complex64::new(c as f64, 0.0));
+        let mut bytes = CsiFrame::new(meta, data).to_canonical_bytes();
+
+        // The (rows, cols) u32 pair is the last 8 bytes before the payload.
+        // Overwrite with a maximal claim (u32::MAX × u32::MAX) and lop off the
+        // payload so the buffer is tiny but the header lies enormously.
+        let shape_off = bytes.len() - 8 - 2 * 16; // 2 samples × 16 bytes payload
+        bytes[shape_off..shape_off + 4].copy_from_slice(&u32::MAX.to_le_bytes());
+        bytes[shape_off + 4..shape_off + 8].copy_from_slice(&u32::MAX.to_le_bytes());
+        bytes.truncate(shape_off + 8); // drop the real payload
+
+        // expect = MAX*MAX*16 (saturated) > found → PayloadMismatch, no alloc.
+        assert!(matches!(
+            CsiFrame::from_canonical_bytes(&bytes),
+            Err(CanonicalDecodeError::PayloadMismatch { .. })
+        ));
+    }
+
+    /// Security pin (review 2026-06) — the decoder must never panic on arbitrary
+    /// bytes: every malformed input is a typed `CanonicalDecodeError`, never an
+    /// unwinding panic (panic-on-adversarial-input = 0). Sweep truncations and a
+    /// deterministic fuzz spread.
+    #[test]
+    fn canonical_decode_never_panics_on_arbitrary_bytes() {
+        use ndarray::Array2;
+        let mut meta = CsiMetadata::new(DeviceId::new("node"), FrequencyBand::Band5GHz, 36);
+        meta.antenna_config.spacing_mm = Some(50.0);
+        let data = Array2::from_shape_fn((2, 8), |(r, c)| Complex64::new(r as f64, c as f64));
+        let good = CsiFrame::new(meta, data).to_canonical_bytes();
+
+        // Every prefix of a valid encoding must decode without panicking.
+        for n in 0..good.len() {
+            let _ = CsiFrame::from_canonical_bytes(&good[..n]);
+        }
+        // Deterministic LCG fuzz over varied lengths.
+        let mut st = 0xDEAD_BEEFu64;
+        for len in 0..400usize {
+            let buf: Vec<u8> = (0..len)
+                .map(|_| {
+                    st = st
+                        .wrapping_mul(6_364_136_223_846_793_005)
+                        .wrapping_add(1_442_695_040_888_963_407);
+                    (st >> 33) as u8
+                })
+                .collect();
+            let _ = CsiFrame::from_canonical_bytes(&buf);
+        }
+    }
+
     /// AC8c (review finding 7) — `Some(Uuid::nil())` calibration is an
     /// encoding error: nil is the wire sentinel for `None`, so encoding it
     /// would alias two distinct frames to one byte string (and one witness).