Develop 2.8 merge to master#10777
Open
thebentern wants to merge 351 commits into
Open
Conversation
Fixes issues with #includes inherited from `configuration.h` when building for pioarduino. Aligns t5s3_epaper with other variants like t_deck_pro.
* Detach power interrupts for sleep * Gate PMU IRQ behind a found PMU
…ty (#10250) `memcpy(... p.payload.bytes, meshtastic_Constants_DATA_PAYLOAD_LEN)` reads past the actual payload when the incoming packet's payload is shorter than `DATA_PAYLOAD_LEN` (237 bytes). The code just above already records the correct size: this->packetHistory[...].payload_size = p.payload.size; but then the memcpy ignores that and copies the full buffer capacity, pulling uninitialized / adjacent memory bytes into the history entry. Those extra bytes are later rebroadcast whenever the Store & Forward module replays the packet. Fix: memcpy using `p.payload.size` (the actual payload length) instead of the constant buffer capacity. Classification: bounded out-of-bounds READ into the protobuf scratch buffer. Not directly exploitable for RCE (the destination buffer is also DATA_PAYLOAD_LEN), but leaks adjacent memory into replayed packets and is a latent correctness bug.
…UAF (#10254) The constructor sets `RadioLibInterface::instance = this` immediately, before `init()` runs. `initLoRa()` in RadioInterface.cpp creates each radio variant with `new SX1262Interface(...)` or similar, then calls `init()`, and if init fails the `unique_ptr<RadioInterface>` is reset to nullptr — destroying the object — while the static `instance` pointer continues to point at the freed memory. Main loop then checks `RadioLibInterface::instance != nullptr` and calls `pollMissedIrqs()` or `resetAGC()` on the dangling pointer → Guru Meditation (IllegalInstruction / LoadProhibited). Reported in #9880 on an ESP32-S3 dev board without radio hardware attached, where init always fails and the leftover pointer crashes the device on the next `loop()` iteration. Fix: add a virtual destructor to `RadioLibInterface` that clears the static pointer iff it still references this object. A later successful init() may have replaced `instance` with a different interface — the `instance == this` guard preserves that case. Fixes #9880 Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
…0259) The "Invalid protobufs (bad psk?)" and "Invalid portnum (bad psk?)" messages fire every time a neighbor transmits on a channel whose 8-bit hash matches one of ours but the PSK differs. In RF environments with multiple mesh groups nearby this is routine — a single device can see dozens of these per minute from SAR/MeshCA/private networks sharing a hash collision. LOG_ERROR for a benign "not our PSK" event: - spams the log when you have any neighboring mesh group - makes a genuine PSK misconfiguration on YOUR own channel indistinguishable from the constant cross-channel noise - hides actual errors in the stream LOG_DEBUG matches how similar decryption-failure paths are handled elsewhere (eg. the PKC "decrypt attempted but failed" uses LOG_WARN). Dropping the trailing "!" as well — these are expected events, not exceptional ones.
…ig iteration (#10256) * PhoneAPI: add missing tak_tag case + skip reserved gap in module-config iteration The STATE_SEND_MODULECONFIG state machine iterates config_state through ModuleConfigType enum values (1..MAX+1 = 16) and switches on meshtastic_ModuleConfig_*_tag values. Two of the resulting tag values land in the default / LOG_ERROR path: 1. `tak_tag` (16) — the meshtastic_ModuleConfig_TAKConfig struct exists in the protobuf and has a `.tak` member in payload_variant, but no PhoneAPI case ever sends it to the phone. As a result, Android clients can't read the persisted TAK (Team Awareness Kit) module config at all. Added case that sends moduleConfig.tak, matching the pattern used for all other module-config tags (paxcounter, traffic_management, etc.). NodeDB already persists the struct via the moduleConfig protobuf save; this just wires the read path to the phone. 2. Tag 14 — reserved gap in the oneof numbering. No payload_variant member exists at tag 14. Without this patch, every phone reconnect walks through config_state=14 and hits `LOG_ERROR("Unknown module config type %d", config_state)`. On an active deployment that's ~1,400 LOG_ERROR lines per day per node — burying real errors. Added explicit `case 14: break;` so the gap is silently skipped. Also: lowered the `default:` log level from LOG_ERROR to LOG_DEBUG. A truly-new unknown type number would indicate firmware lagging the protobuf — annoying but not an error event worth LOG_ERROR, especially since this path runs on every phone handshake. If a new ModuleConfig tag appears, devs will notice via the phone UI missing it, not via log. Observed on a Station G2 fleet: 1403 "Unknown module config type 16" and 1427 "Unknown module config type 14" LOG_ERROR lines in 24 hours from routine phone reconnects. * Get rid of the placeholder --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
* Delete unused clearNVS() (last used in commit 761804b). * virtual methods: add 'override' to ensure we get the signature right. This is a safety net for pioarduino/NimBLE work where there's multiple similar variants of the same method (eg. onConnect) and it's easy to get the wrong one and accidentally miss a callback.
Mirror the EXT_PWR_DETECT pattern: replace runtime static variables (ext_chrg_detect_mode, ext_chrg_detect_value) with compile-time macros. Auto-infer EXT_CHRG_DETECT_VALUE from EXT_CHRG_DETECT_MODE when the mode is INPUT_PULLUP (→ LOW) or INPUT_PULLDOWN (→ HIGH); default to HIGH. This fixes inverted polarity on variants that define EXT_CHRG_DETECT_MODE INPUT_PULLUP without an explicit EXT_CHRG_DETECT_VALUE (e.g. russell): previously the runtime default of HIGH caused isCharging() to return the opposite of the correct value. With auto-inference the correct LOW active level is now derived at compile time. Remove the now-redundant EXT_CHRG_DETECT_VALUE HIGH from ELECROW-ThinkNode-M4 variant.h since HIGH is the inferred default. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Andrew Yong <noreply@example.com> Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz>
…lify EXT_PWR_DETECT (#10140) Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Andrew Yong <me@ndoo.sg>
Looks like a copy'n'paste typo from the previous line. It definitely meant to be RX_ALL_LOG according to comment.
* Use hash table for O(1) lookup of recently seen packets * Eliminate a packet lookup during deduplication * Infinite loop checks for find and remove * Consolidate conditional compilation * Exclude hash table from minimal build * Additional comment on hash table capacity * Unit tests for packet history changes * Update incorrect comment about size clamp Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Const --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
…p alloc (#10251) * PositionModule::sendLostAndFoundText: use stack buffer, eliminate heap alloc The lost-and-found message was built with an unnecessary heap allocation: char *message = new char[60]; sprintf(message, "..."...); ... delete[] message; Two problems: 1. **Buffer too small.** The format string expands with two %f (IEEE 754 doubles), which `sprintf` prints with full precision — easily 15+ digits each plus separators — so the actual rendered string can run 40-50 characters before even considering the emoji (4 UTF-8 bytes) and the embedded BEL. A pathological lat/lon can overflow 60 bytes and corrupt heap metadata. Unbounded `sprintf` with no size check. 2. **Heap churn in a GPS callback.** This function is called from the position-update path which is already heap-sensitive. An infrequent 60-byte transient alloc isn't catastrophic, but stack is trivially available here and removes the failure mode entirely. Fix: replace with a 128-byte stack buffer and `snprintf` bounded by `sizeof(message)`. Drop the matching `delete[]` since there's nothing to delete. Behavior is identical on the happy path; the overflow case now truncates safely instead of scribbling over heap. * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * PositionModule.cpp: add trailing newline for clang-format * Address Copilot review: cleaner snprintf size handling Review feedback from @Copilot on PR #10251: the ternary-plus-static-cast form mixed signed/unsigned types (int written vs. pb_size_t payload.size vs. size_t sizeof(message)) and was harder to read than necessary. Cleaner form: const size_t msg_len = std::min(static_cast<size_t>(written), sizeof(message) - 1); p->decoded.payload.size = msg_len; Same behaviour (clamp to buffer-minus-NUL) with one explicit cast and a size_t variable that names the meaning. Handles the encoding-error path (written < 0) separately so no bad values leak into payload.size. * Trunk --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* PMU interrupt pin defined in t-watch s3 * Implement button control on T-Watch S3 Added interrupt handling for the Power/Corona button on T-Watch S3, I use it to control screen state. * Reducing labels * Reducing labels * Updated the comment * ISR is now IRAM-safe Updated interrupt management not to cause random crashes. * Trunk * Simplify and use INPUT_BROKER_CANCEL --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz>
* Fix INA226 detection for non-TI compatible chip (Silergy) * Removed extra I2C transaction + 20ms delay on every scan of address 0x40 (including real SHT2x sensors). Changes suggested by Copilot Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Apply formatting (trunk fmt) --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Marker boxes, the own-node bullseye, and the labeled-marker cross were all hardcoded in pixels (11px box, r=8 circle, 12px cross). On the T5S3 with a 12pt fontSmall (~17px line height) the hop-count digit overflowed its box entirely. Sizes now derive from fontSmall.lineHeight() so the applet renders correctly on both small (6pt) and large (12pt+) display variants. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* InkHUD touch rework * Applet Switcher * Update ED047TC1.cpp * trunk fix * Custom tip screen for T5s3 * Update TouchScreenImpl1.cpp * Update ED047TC1.cpp * Delete variant.cpp
Co-authored-by: Copilot <copilot@github.com>
…10297) Fixes issues with #includes inherited from `configuration.h` when building for pioarduino. Aligns t5s3_epaper with other variants like t_deck_pro. Co-authored-by: Copilot <copilot@github.com> Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
* True Colors on TFT (Heltec Mesh Node T114, Heltec Vision Master T190, CardPuter Adv, T-Deck, T-Lora Pager) * Theme support - New and some Classic Themes! * Colored Compass --------- Co-authored-by: Jason P <applewiz@mac.com> Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
…s3 (#10285) * Standardize PMU IRQ handling and enable power button as cancel on tbeam s3 * Original T-beam, too
…#10311) Router::handleReceived stores its allocCopy of the encrypted packet in the class member p_encrypted. callModules() invokes module replies that re-enter the router via MeshService::sendToMesh -> Router::sendLocal, which on a broadcast reply recursively calls handleReceived. The inner call overwrites the outer's p_encrypted without releasing it; on the way out it nulls the member, the outer release(p_encrypted) now releases nullptr, and the original allocation is permanently leaked. ~381 B per recursion. Promote p_encrypted to a function-local so each invocation owns its own copy for its full lifetime. The MQTT-publish null check at the call site (added by PR #9136 as a workaround for this bug) stays in place because allocCopy can still legitimately return nullptr on packetPool exhaustion. Copilot's review of PR #8999 (the original introduction) flagged this exact pattern at merge time: "Storing p_encrypted as a class member can cause issues with recursive or concurrent calls to handleReceived() since each call would overwrite the previous packet pointer." The historical reason for the member (S&F needing to retain the encrypted copy across calls) was satisfied differently by PR #9799 (ServerAPI converted to std::unique_ptr + cleanup on connection close), so the member is no longer load-bearing. Reproduces issues #9632 / #10101 / #8729 (heap leak when MeshMonitor connected; TCP drops on Station G2 / LILYGO ServerAPI dump abort). Hardware A/B on Station G2 under sustained TCP-API retry storm (open :4403, request config, disconnect mid-stream, repeat at ~0.6/s) - 9 min run: | Build | heapFree drift | rebootCount delta | | this patch | -1.5 KB (noise)| 0 | | stock 2.7.13 | -73 KB (8.1KB/min) | +1 (OOM crash) | Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
Forward-port master-only fixes to develop
Forward-port: Add Lilygo T-Impulse-Plus (#10497) to develop
Update native to exit when configured with an unknown module
…count to 19; add Copilot interface caveat
docs: update test instructions to prefer bin/run-tests.sh;
raghumad
pushed a commit
to raghumad/mezulla-firmware
that referenced
this pull request
Jun 25, 2026
… getFiles (meshtastic#10778) Forward-port of meshtastic#10754 and meshtastic#10757 from master (2.7) into develop, so the develop->master 2.8 promotion (meshtastic#10777) doesn't drop them. meshtastic#10754: PhoneAPI no longer walks the filesystem to build the file manifest on node-info-only config requests (SPECIAL_NONCE_ONLY_NODES), which never consume it. getFiles() is now bounded (default 64 entries, depth 3) via collectFiles(), takes an optional wasLimited out-param, and reserves capacity with a bad_alloc/ length_error fallback. The manifest vector is freed via swap (releaseFilesManifest). meshtastic#10757: getFiles()/collectFiles() now guard against empty file names returned by the Adafruit LittleFS nRF52 glue (issue 4395). Ported by hand rather than cherry-picked: master had reflowed FSCommon.cpp to a different brace style (every line conflicted), meshtastic#10754 already subsumes meshtastic#10757, and develop carries a MESHTASTIC_EXCLUDE_FILES_MANIFEST path (nRF54L15) that master lacks. The exclude path is preserved and now also short-circuits + frees the manifest. Verified: native Docker suite 448/448, clang-format clean.
Make the PowerFSM DARK-to-LS timeout immediate when Bluetooth support is compiled out or config.bluetooth.enabled is false. The configured wait_bluetooth_secs default behavior is unchanged when Bluetooth is enabled.
…r bluetooth is disabled (#10398) * esp32: release BTDM heap when Bluetooth inactive Release ESP-IDF BTDM memory after config load when Bluetooth is disabled or WiFi is enabled, recovering heap on ESP32 targets where BLE won’t be used for this boot. * Address BT memory release review comments --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
* Add native Portduino malloc shim * Taking copilots advice Honestly I don't think it matters that much, but if it makes copilot happy, return ret if something weird happens. Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| # acknowledge this deliberate, scoped use of shell=True. | ||
| result = subprocess.run( # nosec B602 | ||
| gcc_cmd, | ||
| shell=True, # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true |
There was a problem hiding this comment.
Suggested change
| shell=True, # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | |
| # acknowledge this deliberate, scoped use of shell=True. |
* Tips robot virtual node / relayer to different LoRa modes & channels Note that this commit has details hardcoded for the Wellington (NZ) mesh, and also requires the following patch to the protobufs: ----- diff --git a/meshtastic/mesh.proto b/meshtastic/mesh.proto index 03162d8..ec54c99 100644 --- a/meshtastic/mesh.proto +++ b/meshtastic/mesh.proto @@ -1393,6 +1393,21 @@ message MeshPacket { * Set by the firmware internally, clients are not supposed to set this. */ uint32 tx_after = 20; + + /* + * The modem preset to use fo rthis packet + */ + uint32 modem_preset = 21; + + /* + * The frequency slot to use for this packet + */ + uint32 frequency_slot = 22; + + /* + * Whether the packet has a nonstandard radio config + */ + bool nonstandard_radio_config = 23; } /* ----- * fix: repair mesh tips CI build * feat: add MeshBeacon module (Phase 1 — proto + generated code + initial stub) * feat(beacon): implement broadcaster + listener (phases 2-5) * feat(beacon): wire RadioLibInterface hooks + admin validation (phases 6-7) * fix(beacon): fix LocalModuleConfig flat access (no payload_variant), add localonly proto field * feat(beacon): fix broadcaster inheritance, add preset/region validation + proto cache - MeshBeaconBroadcastModule now inherits ProtobufModule<meshtastic_MeshBeacon> (alongside private MeshBeaconModule + OSThread), giving it allocDataPacket() and setStartDelay() without extra includes. - Payload cache: rebuildCache() encodes the MeshBeacon protobuf once and stores it in payloadCache[]/payloadCacheSize; sendBeacon() only calls rebuildCache() when payloadCacheDirty==true. AdminModule calls invalidateCache() after saving new config so the next broadcast picks up changes. - Region/preset validation in handleSetModuleConfig (mesh_beacon_tag): broadcast_on_preset is validated against the device's current region via RadioInterface::validateConfigLora(); broadcast_offer_region is validated via RadioInterface::validateConfigRegion(). Invalid values are zeroed with a LOG_WARN before saving. * feat(beacon): add unit tests for MeshBeaconModule and AdminModule configuration validation * remove old meshtips * more validation in NodeDB and AdminModule, and userprefs for baked in goodness * copilot is my gravity * mmmmm... beacon * oops * Enhance unit tests for MeshBeaconModule with detailed validation checks and output formatting * new lines. Why not? * finally * legacy mode activate! * Update protobufs (#17) Co-authored-by: NomDeTom <116762865+NomDeTom@users.noreply.github.com> * better logic, fixed a test * updated for packet signing fixed a test added guards for licensed/ham mode * channel numbers * beacon: encrypt on the beacon channel PSK; fix split note When broadcast_on_channel overrides the primary channel's name/PSK, the beacon was encrypted with the PRIMARY PSK: perhapsEncode keys encryption off the primary slot, but the radio-thread channel switch happens only after encryption. sendBeaconPacket() now installs the beacon channel into the primary slot for the synchronous duration of send() (cooperative threading => no interleaving) so encryption/hash use the beacon channel, then restores it. A shared beaconChannelSettings() helper builds the channel for both the encrypt-time swap and the RF-time swap so the key+hash cannot drift. Also: correct the legacy-split comments (both packets go out on the same beacon radio settings, not the normal config) and merge the two consecutive `if (hasText)` blocks in the listener (cppcheck duplicateCondition). Tests: add channelPskOverride_swapsBeaconChannelAndRestores and noChannelOverride_doesNotSwapPrimary; MockRouter snapshots the primary channel at send() time. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test/beacon: drain toPhoneQueue in tearDown to fix LSan leak abort The listener delivers received text via MeshService::sendToPhone(), which enqueues the packet into toPhoneQueue and takes ownership. Nothing dequeues it in tests, so the three listener tests carrying message text stranded a MeshPacket each — 1272 bytes / 3 allocations that LeakSanitizer flagged at process exit, aborting the coverage run (surfaced by pio as [ERRORED] / SIGHUP even though all 40 assertions passed). Drain the phone queue in tearDown (getForPhone()/releaseToPool) so the packets return to packetPool. Suite is now GREEN with no sanitizer abort. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * legacy hop override for zero-hoppers * ever more beacons * beacon: comment out broadcast_send_as_node pending further review Functionality preserved in comments with full signing/has_bitfield notes for when it is re-enabled. Proto tag 3 retained on the wire. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test/beacon: fix fromIsCustomNodeWhenSet now that send-as-node is disabled broadcast_send_as_node is commented out; from is always the local node. Update the test assertion and doc comment to match current behaviour. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Update protobufs (#21) Co-authored-by: NomDeTom <116762865+NomDeTom@users.noreply.github.com> * flags for beacons * beacon: do more with less — slot-index targets + validation Multi-target beacons embedded a full ChannelSettings in every BroadcastTarget, blowing ModuleConfig past the 512-byte BLE FromRadio budget so the firmware would not compile. Targets now reference an existing channel-table slot by channel_index and the broadcaster resolves it via channels.getByIndex() at TX time. Net effect: the same multi-target capability for a fraction of the bytes — FromRadio 609 -> 510 B, MeshBeaconConfig 596 -> 324 B, AdminMessage 615 -> 511 B. - proto: BroadcastTarget.channel (embedded) -> channel_index (uint32 ref); regen all generated headers (size constants propagate to admin/localonly/deviceonly/mesh). - broadcaster: resolve channel_index from the channel table; an out-of-range or blank slot falls back to the default channel for the target preset rather than borrowing the primary's name/PSK. - AdminModule: validate broadcast_targets entries on write (region/preset sanitised like the single-target fields; channel_index range-checked). - userPrefs: TARGET_<n>_CHANNEL_{NAME,NUM,PSK} collapse to a single CHANNEL_INDEX. - docs: two-step (set_channel -> set_module_config) multi-target setup, inline-vs- reference distinction, and single-/multi-target are equal (not "legacy") options. - tests: target validation + channel-index resolution incl. blank-slot fallback (47/47 green on `./bin/run-tests.sh -e native -f test_mesh_beacon`). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NRAF5csgsMn6p1zEcFL8Qz * throttling after reboot * address copilot review * simplify * fix(beacon): use 0x%08x for node/packet IDs in logs; register test suite The %#08lx log specifiers passed uint32_t (NodeNum/PacketId) to a %lx length modifier — undefined behaviour on 64-bit (native test) targets and non-standard width. Switch to the project-standard 0x%08x. Also bump test/native-suite-count to 25 for the added test_mesh_beacon suite. clod helped too * copilot & clarity clod helped too * refactor(beacon): use auto for the sanitized config copy clod helped too * fix(beacon): guard empty-payload sends; gate has_mesh_beacon on build flag; document ISR_TX pre-switch clod helped too --------- Co-authored-by: Steve Gilberd <steve@erayd.net> Co-authored-by: Darafei Praliaskouski <me@komzpa.net> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Manuel1910
suggested changes
Jun 27, 2026
| # acknowledge this deliberate, scoped use of shell=True. | ||
| result = subprocess.run( # nosec B602 | ||
| gcc_cmd, | ||
| shell=True, # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true |
There was a problem hiding this comment.
Suggested change
| shell=True, # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | |
| # acknowledge this deliberate, scoped use of shell=True. |
* InkHUD: map tile background, zoom controls, and GPS live tracking - Map background tiles are now rendered on the display when available, compressed with LZ4 to keep flash usage low - If no map tiles are loaded, the map applets behave exactly as before - Zoom in, zoom out, and reset zoom (back to auto-fit) are accessible from the menu, and only appear when the menu is opened from a map screen - The map updates automatically whenever GPS gets a new position or your phone shares a location - The Positions and Favorites map applets now also refresh when mesh position packets arrive for your own node - The Favorites map now shows your position on the map even if you have no favorites yet * README Update * Update MapApplet.cpp * Zoom fixed * Zoom with no tiles fix * CI fix
* Add ARCH_PORTDUINO_WASM build: meshtasticd in WebAssembly over WebUSB
Compile the full portduino firmware to WebAssembly (Emscripten) so a real node runs in a browser tab or headless Node, driving a LoRa radio over WebUSB through a CH341 — the desktop Ch341Hal path with its libusb backend swapped for a WebUSB one. The native/desktop portduino build is unchanged.
New build env under src/platform/portduino/wasm/ (excluded from the native build_src_filter): WebUSB libpinedio backend, config/FS/region/MAC/PhoneAPI glue, wasm setup/loop, JS WebUSB runtime, and build stubs. bin/build-portduino-wasm.sh runs a standalone cached emcc build to build/wasm/meshnode.{mjs,wasm}.
Six firmware sources gain #ifdef ARCH_PORTDUINO_WASM guards (single-threaded cooperative emscripten_sleep loop, continuous RX, US region default, std RNG, no-popen exec); none affect non-wasm builds.
* PortDuino WASM: CI build job, cross-platform libdeps, configurable adapter
bin/build-portduino-wasm.sh: auto-detect native-macos (macOS) vs native (Linux/CI) libdeps with a NATIVE_ENV override, and use the SAME env's Crypto with an XEdDSA-present guard. Drops the heltec-v3/Crypto borrow — the meshtastic/Crypto pin already ships XEdDSA; the native libdeps cache was just stale. No env pin change.
Add .github/workflows/build_portduino_wasm.yml: build the ARCH_PORTDUINO_WASM target in CI (ubuntu + emsdk, native libdeps) so it can't silently bit-rot; asserts build/wasm/meshnode.{mjs,wasm}.
src/platform/portduino/wasm: add wasm_set_lora_* setters so the JS host can configure any CH341 LoRa adapter (module, USB ids, DIO/TCXO, SPI speed, pins); wasm_config_apply falls back to the MeshToad defaults when unset.
* WASM: build as a first-class [env:wasm] via platform-wasm (retire emcc script)
Replace the standalone emcc build (bin/build-portduino-wasm.sh) with a normal
PlatformIO env, `pio run -e wasm`, using the new meshtastic/platform-wasm
platform (emcc/em++ + Asyncify, the WASM sibling of platform-native). The
portduino WebAssembly node is now built the same way as every other target.
- variants/native/portduino/platformio.ini: add [env:wasm] (platform pinned to
platform-wasm, board wasm). Translates the script's source set into a curated
build_src_filter, the ~30 EXCLUDE_* defines, and the lib set; defines
ARCH_PORTDUINO_WASM in-repo so correctness doesn't hinge on the platform's
board.json.
- extra_scripts/wasm_link_flags.py: the firmware-specific emcc *link* settings
(EXPORT_NAME, EXPORTED_RUNTIME_METHODS, EXPORTED_FUNCTIONS, ASYNCIFY_IMPORTS).
PlatformIO feeds build_flags to compile only, so these must ride LINKFLAGS;
without it the WebUSB Asyncify seam and the JS host's runtime methods are
dropped (the _wasm_* exports survive only via EMSCRIPTEN_KEEPALIVE).
- PortduinoGlue.{h,cpp}: guard the yaml-cpp dependency out of the WASM build
(#ifndef ARCH_PORTDUINO_WASM around the include, emit_yaml/loadConfig/
readGPIOFromYaml). The browser node configures via the wasm_set_lora_* setters
and dead-strips the YAML path; this drops the host yaml-cpp build dependency
entirely. Native is unchanged (guards are inert there).
- portduino_glue_wasm.cpp / portduino_main_wasm.cpp: repair EM_ASM JS that a
formatter had mangled (!== -> != =, regex split) in the prior landing; the
emcc link succeeds regardless, so CI now runs `node --check meshnode.mjs`.
- .github/workflows/build_portduino_wasm.yml: build via `pio run -e wasm`
(artifacts under .pio/build/wasm/), trigger on the shared inputs the env
inherits (root platformio.ini, bin/platformio-*.py).
- NodeDB.cpp: drop the dead ARCH_PORTDUINO_WASM region-default branch (region
now defaults the same as native).
- Crypto renovate pins: add the missing gitBranch so they track upstream.
Output: .pio/build/wasm/meshnode.{mjs,wasm} (ES module, factory createMeshNode).
Verified: pio run -e wasm (against the published platform archive), node --check,
module instantiates in Node with all exports; native-macos + Docker native unit
tests (450/450) still pass.
* Fix name on the Piggystick
* wasm: pin platform-wasm at the GPL-3.0-relicensed commit
platform-wasm's LICENSE was always GPLv3 (matching this firmware), but its
platform.json/README still declared Apache-2.0 (mis-copied from platform-native).
That's fixed upstream in b83fa5b; bump the [env:wasm] pin to it. Build output is
unchanged (license metadata only). Verified: pio run -e wasm against b83fa5b.
* wasm: make reboot() actually restart the node (was a no-op)
In wasm the reboot path is live (main.cpp -> Power::powerCommandsCheck ->
Power::reboot), but Power::reboot's ARCH_PORTDUINO arm tore down SPI/Wire/Serial
and then called the no-op ::reboot() stub — leaving the node running with a dead
radio until the tab was manually reloaded. Triggers include an admin/phone
reboot, factory reset, the "reconfigure failed" path, and the 60 s stuck-TX
hardware watchdog (RadioLibInterface).
- Power::reboot(): add an ARCH_PORTDUINO_WASM arm (before ARCH_PORTDUINO, since
the wasm build defines both) that skips the host teardown and just calls
::reboot(). notifyReboot already let modules persist.
- ::reboot() (glue): hand off to the JS host — browser reloads the tab (NodeDB
state survives via IDBFS, same identity returns); headless calls Module.onReboot
if provided, else logs. Loose !=/== so clang-format doesn't mangle the EM_ASM JS.
- README: document the reboot handoff + the Module.onReboot hook.
Verified: pio run -e wasm + node --check (EM_ASM intact); native-macos unaffected.
* wasm: rename env to native-wasm and run it in the main CI matrix
Rename [env:wasm] -> [env:native-wasm] for consistency with the portduino
native family (native, native-macos, native-tft). The build dir follows to
.pio/build/native-wasm/ (artifact is still meshnode.{mjs,wasm}); the PIOENV
guard in extra_scripts/wasm_link_flags.py, the README, and the companion wrapper
move with it. The board stays `wasm`.
Also wire the build into normal CI: build_portduino_wasm.yml becomes a reusable
workflow (workflow_call) invoked as the `build-wasm` job of main_matrix.yml, so
the WebAssembly node is built like every other platform instead of on a separate
path trigger.
* native-wasm: auto-locate the Emscripten SDK (pre-build script)
`pio run -e native-wasm` failed with "emcc not found" whenever it was invoked
from a shell that hadn't sourced emsdk_env.sh — a VS Code task, an IDE build
button, a bare terminal. Add a pre: extra script that probes the usual emsdk
locations ($EMSDK_ENV, $EMSDK, ~/emsdk, ./.emsdk, the sibling companion
checkout), sources emsdk_env.sh, and imports the resulting environment so the
platform builder and emcc see PATH/EMSDK/EM_CONFIG. No-op when emcc is already
reachable (CI), silent when no SDK is found (the platform emits its own error).
* wasm: address PR review feedback
- js/bridge.js: import CH341 from "./ch341.js" (sibling in this layout), not
"../src/ch341.js" which doesn't resolve here.
- js/ch341.js: a zero-length transferIn while MISO bytes are still outstanding
now throws instead of breaking out with a partially-filled buffer — silent SPI
corruption becomes a loud error, matching the comment above it.
- libpinedio_webusb.c: webusb_set_auto_cs honors the AUTO_CS option (? 1 : 0)
instead of the always-on ? 1 : 1. Runtime behavior is unchanged — Ch341Hal sets
AUTO_CS=0 right after pinedio_init (RadioLib drives the active-low NSS); the
option just isn't set yet at init, so this now correctly defaults off.
- SX126xInterface.cpp: the RX-start error log now names the method actually
called (startReceive vs startReceiveDutyCycleAuto) instead of hardcoding the
duty-cycle name in the WASM branch.
* native-wasm: drop the emsdk bootstrap shim (now in platform-wasm)
The Emscripten SDK auto-location moved into the platform-wasm builder, so the
firmware no longer needs its own pre: extra script. Remove
extra_scripts/wasm_emsdk_env.py and bump the platform pin to the build that
carries the bootstrap. The wasm_link_flags.py post script stays — those exported
fns / runtime methods / Asyncify import seam are firmware-app-specific.
* wasm: use the canonical companion name (meshtasticd-wasm-node)
The companion repo was renamed meshtastic-web-node -> meshtasticd-wasm-node; fix
the stale name in the wasm README and bump the platform pin to the build that
promotes the canonical name in its emsdk auto-location.
* wasm: re-entrancy guard for the API/region entry points + flaky-open retry
Two robustness fixes for the browser node:
- Re-entrancy guard. The node is single-threaded + Asyncify: while setup()/loop()
is suspended inside a WebUSB transfer, the JS event loop is free, so a stray
DOM/timer callback that re-enters a wasm_* entry point starts a second Asyncify
unwind ("async operation already in flight" abort) or clobbers shared PhoneAPI
state (observed as a "PhoneAPI::available unexpected state" flood). Add a
g_wasm_in_firmware flag set around setup()/loop() (portduino_main_wasm.cpp); the
wasm_set_region / wasm_api_to_radio / wasm_api_from_radio / wasm_api_available
entry points now reject a mid-tick call (return busy) instead of corrupting or
aborting. The host must still call them between ticks — this is the safety net
the design lacked, not a substitute for the JS queue.
- CH341 open retry (js/bridge.js). First-connect WebUSB is flaky — the interface
is briefly unclaimable right after the grant, or held by a prior session,
giving a transient "Could not open SPI: -1". Retry the open with a short
backoff, closing the device between attempts so claimInterface starts clean.
* wasm: exclude emscripten-only sources from cppcheck
The `check` board matrix runs `pio check` (cppcheck) over all of src/,
including src/platform/portduino/wasm/. cppcheck can't parse the EM_ASYNC_JS/
EM_JS macros (Syntax Error: AST broken at libpinedio_webusb.c:39,
internalAstError) and these sources are not part of any checked board build
([env:native-wasm] is board_level=extra, compiled by the build-wasm CI job).
Suppress the wasm dir in suppressions.txt, the same way generated/ and .pio/
are already excluded.
* wasm: coalesce FS.syncfs so two never run at once
IDBFS syncfs is async; the explicit wasm_fs_sync (5s timer + post-save +
beforeunload) could overlap a prior in-flight sync, warning "2 FS.syncfs
operations in flight at once". Serialize: if a sync is running, mark a pending
re-sync and let the in-flight one chain it on completion — at most one in flight,
trailing writes still flushed. (Companion drops IDBFS autoPersist so this is the
single persistence path.)
* wasm: silence false-positive SAST on the emscripten glue
- extra_scripts/wasm_link_flags.py: restore the trunk-ignore-all(ruff/F821,
flake8/F821) header every other SCons extra_script carries; Import/env are
SConscript-injected globals, so ruff/flake8 flag them as undefined.
- .semgrepignore: exclude src/platform/portduino/wasm/js/ (browser WebUSB glue,
not part of the firmware binary). The unsafe-formatstring rule false-positives
on its benign retry/diagnostic console logs.
* Update .github/workflows/build_portduino_wasm.yml
Co-authored-by: Austin <vidplace7@gmail.com>
---------
Co-authored-by: Austin <vidplace7@gmail.com>
* Fixes * Update KeyboardApplet.cpp * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Disable gps thread on startup if lora region is unset There is little reason to waste battery on the gps if the data cannot yet be used. * fix goobered merge Refactor GPS enabling logic and remove duplicate code. * trunk --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz>
* fix: stop unexpected NodeNum regeneration from PKI key loss A node's NodeNum is derived from its PKI public key (my_node_num == crc32(public_key)), so it changes only when the keypair is regenerated -- which happens only when a keygen path runs while config.security.private_key.size != 32. Two paths could trigger that without the user intending a new identity: 1. Boot: loadFromDisk() collapsed every non-success loadProto() result for the config file into installDefaultConfig() (preserveKey=false), which memset()s config and wipes the private key. loadProto() distinguishes DECODE_FAILED (file present but undecodable/undecryptable) from OTHER_FAILURE (absent), so a transient/corrupt read silently minted a new identity. A new configDecodeFailed flag now gates the boot keygen and the boot config-save directly (not via region, so it survives the userprefs/region overrides that run later in loadFromDisk): identity is frozen, the unreadable file is left intact for a later clean boot to recover, and the node boots radio-silent (region UNSET, TX off). A genuinely-absent config still gets defaults + keygen. 2. AdminModule security SET: config.security = c.payload_variant.security wholesale-clobbered the keypair, then regenerated whenever the incoming private_key.size != 32. A client editing an unrelated security field without round-tripping the private key would re-mint identity. The existing keypair is now preserved when the incoming config omits it; first provisioning and key import are unchanged. Intentional reset goes through factory_reset. Native PlatformIO unit suite (Docker): 499/499 test cases pass. * test: cover security keypair preservation; clarify load-failure comment Addresses PR review feedback: - Add native unit tests (test_admin_radio) asserting handleSetConfig preserves the existing identity keypair when a security SET omits the private key, and applies a full supplied keypair (key import). Guards against reintroduced NodeNum/keypair regeneration. AdminModuleTestShim (now a friend) defers saves so the lightweight harness doesn't saveToDisk an uninitialized node database. - Clarify the non-DECODE_FAILED config-load comment: OTHER_FAILURE / NO_FILESYSTEM cover an absent or unopenable file, not just first boot.
…save() (#10809) Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
* Chop down tft-related loooong ifdefs chains * Fix accidental sweep-up of portduino into screen #ifdef refactor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Comment |
Manuel1910
approved these changes
Jun 30, 2026
Manuel1910
approved these changes
Jun 30, 2026
Manuel1910
approved these changes
Jun 30, 2026
* addsVARIANT_TOUCHSCREEN and ENABLE_TOUCH_INT * Remove a duplicated _getTouch function pointer
* Document that src/mesh/generated is auto-generated and must not be edited * Fix esp32s2 build by enabling native USB CDC, add S2 to check matrix (#10799)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Master branch has been forked to 2.7 for maintenance