docs/adr/ADR-050-quality-engineering-security-hardening.md

| Field | Value |
|---|---|
| Status | Accepted |
| Date | 2026-03-06 |
| Deciders | ruv |
| Depends on | ADR-032 (Multistatic Mesh Security) |
| Issue | #170 |

An independent quality engineering analysis (issue #170) identified 7 critical findings across the Rust codebase. After verification against the source code, the following findings are confirmed and require action:

| # | Finding | Location | Verified |
|---|---|---|---|
| 1 | Fake HMAC in secure_tdm.rs — XOR fold with hardcoded key | hardware/src/esp32/secure_tdm.rs:253 | YES — comments say "sufficient for testing" |
| 2 | sensing-server/main.rs is 3,741 lines — CC=65, god object | sensing-server/src/main.rs | YES — confirmed 3,741 lines |
| 3 | WebSocket server has zero authentication | Rust WS codebase | YES — no auth/token checks found |
| 4 | Zero security tests in Rust codebase | Entire workspace | YES — no auth/injection/tampering tests |
| 5 | 54K fps claim has no supporting benchmark | No criterion benchmarks | YES — no benchmarks exist |

The remaining findings could not be confirmed from the Rust code and need further investigation:

| # | Finding | Status |
|---|---|---|
| 6 | Unauthenticated OTA firmware endpoint | Not found in Rust code — may be at the ESP32 C firmware level |
| 7 | WASM upload without mandatory signatures | Needs review of the WASM loader |
| 8 | O(n^2) autocorrelation in heart rate detection | Needs profiling to confirm impact |

Address the findings in 3 priority sprints, as recommended by the report:

- Replace the fake HMAC with real HMAC-SHA256 in secure_tdm.rs (hmac + sha2 crates, already in Cargo.lock)
- Add WebSocket authentication
- Add a security test suite
- Decompose main.rs (3,741 lines -> ~14 focused modules)
- Add criterion benchmarks
- Verify vital sign accuracy
- Fix the O(n^2) autocorrelation (if confirmed by profiling)

main.rs decomposition enables unit testing of server components.

main.rs decomposition is a large refactor with merge conflict risk.

Thanks to @proffesor-for-testing for the thorough 10-report analysis. The full report is archived at the original gist.