Files
wehub-resource-sync 9740bc64c9
Continuous Deployment / Deploy to Production (push) Blocked by required conditions
Continuous Deployment / Rollback Deployment (push) Blocked by required conditions
Continuous Deployment / Post-deployment Monitoring (push) Blocked by required conditions
Continuous Deployment / Notify Deployment Status (push) Blocked by required conditions
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier1) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (full-adr060) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (tdm-3node) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / Swarm Test (ADR-062) (push) Has been skipped
npm packages / tools/ruview-mcp (node 22) (push) Failing after 1s
nvsim-server → ghcr.io / build-and-publish (push) Failing after 1s
ruview-swarm CI guard / tests (full+train) (push) Failing after 2s
Bench Regression Guard / bench compile-verify (--no-run) (push) Failing after 0s
Bench Regression Guard / bench fast-run (informational, non-gating) (push) Has been skipped
Firmware CI / Verify version.txt matches release tag (push) Has been skipped
Dashboard a11y + cross-browser / a11y (push) Failing after 0s
nvsim Dashboard → GitHub Pages / build-and-deploy (push) Failing after 2s
Firmware CI / Build firmware (esp32s3 / 4mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / Build Espressif QEMU (push) Failing after 1s
Firmware QEMU Tests (ADR-061) / Fuzz Testing (ADR-061 Layer 6) (push) Failing after 1s
Continuous Deployment / Pre-deployment Checks (push) Has been skipped
Continuous Deployment / Deploy to Staging (push) Waiting to run
Firmware CI / Build firmware (esp32c6 / c6-4mb) (push) Failing after 15s
Firmware CI / Build firmware (esp32s3 / 8mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-max) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-min) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (default) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier0) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / NVS Matrix Generation (push) Failing after 1s
Security Scanning / Security Policy Compliance (push) Failing after 0s
Security Scanning / Security Report (push) Waiting to run
Security Scanning / Dependency Vulnerability Scan (push) Failing after 0s
Security Scanning / Static Application Security Testing (push) Failing after 1s
Security Scanning / Infrastructure Security Scan (push) Failing after 1s
Security Scanning / Secret Scanning (push) Failing after 1s
npm packages / harness/ruview (node 22) (push) Failing after 17s
Security Scanning / License Compliance Scan (push) Failing after 1s
Security Scanning / Container Security Scan (push) Failing after 4s
three.js demos → GitHub Pages / build-and-deploy (push) Failing after 1s
Verify Pipeline Determinism / Verify Pipeline Determinism (3.11) (push) Failing after 1s
Fix-Marker Regression Guard / Verify fix markers (push) Failing after 1s
ADR-115 MQTT integration tests / mqtt-integration (push) Failing after 1s
npm packages / harness/ruview (node 20) (push) Failing after 1s
npm packages / tools/ruview-mcp (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 22) (push) Failing after 1s
BFLD MQTT Integration / cargo test --features mqtt (live mosquitto) (push) Failing after 29s
ruview-swarm CI guard / build train_marl bin (push) Failing after 2s
ruview-swarm CI guard / clippy (-D warnings, --no-deps) (push) Failing after 3s
ruview-swarm CI guard / tests (ruflo) (push) Failing after 1s
ruview-swarm CI guard / tests (train) (push) Failing after 2s
ruview-swarm CI guard / tests (default) (push) Failing after 2s
Point Cloud Viewer → GitHub Pages / build-and-deploy (push) Failing after 8s
ruview-swarm CI guard / ITAR / publish guard (push) Failing after 0s
wifi-densepose sensing-server → Docker Hub + ghcr.io / build · push · smoke-test (push) Failing after 1s
chore: import upstream snapshot with attribution
2026-07-13 11:59:54 +08:00
..

BFLD Research Bundle — Beamforming Feedback Layer for Detection

BFLD is the safety layer that detects when RF data becomes identifying. It sits between raw 802.11 beamforming feedback (BFI) and every downstream consumer — home automation, MQTT, Matter, cloud — measuring the identity-leakage potential of each frame and gating what leaves the node. It does not produce identity; it guards against accidental or adversarial exposure of identity.


Table of Contents

File Purpose
01-sota-survey.md State-of-the-art literature: BFI vs CSI, attack tooling, identity-inference research, privacy-preserving techniques
02-soul.md Architectural intent, ethical stance, three non-negotiable invariants
03-security-threat-model.md Adversary classes, attack trees, mitigations, trust-boundary diagram, per-privacy-class analysis
04-privacy-gating.md privacy_class byte semantics, hash rotation algorithm, embedding lifecycle, wire-format diffs
05-automation-integration.md Home Assistant entities, Matter clusters, MQTT ACLs, cognitum federation
06-implementation-plan.md New crate layout, reuse map, ESP32 additions, test plan, phased rollout
07-benchmarks-and-evaluation.md Datasets, metrics, red-team protocol, comparison baselines
08-adr-draft.md Draft ADR-118 for formal project adoption
09-github-issue.md GitHub issue draft for tracking implementation
10-gist.md Public-facing one-pager / blog summary

Executive Summary

  1. Problem. IEEE 802.11ac/ax beamforming feedback (BFI) — the compressed angle matrices (Phi/Psi, Givens rotation) exchanged between client and AP — is transmitted unencrypted on the management plane. Academic work (BFId at ACM CCS 2025, LeakyBeam at NDSS 2025) demonstrates that a passive sniffer with commodity hardware can re-identify individuals and infer occupancy through walls using only these frames. Existing CSI-based sensing pipelines have no explicit layer to detect when their output crosses from "motion event" into "identity record."

  2. Approach. BFLD is a new crate (wifi-densepose-bfld) that wraps the BFI extraction and normalization path in an identity-leakage estimator. Every output frame carries a computed identity_risk_score and a privacy_class byte; downstream consumers decide whether to act based on those tags rather than on raw measurements.

  3. Novel contribution. BFLD does not try to suppress identity inference — it tries to measure it continuously and make the measurement explicit in every event. This transforms a latent, silent risk into an observable, auditable signal. The combination of per-day per-site hash rotation and a local-only identity embedding creates structural impossibility of cross-site re-identification — not merely a policy promise.

  4. Security posture. Raw BFI never leaves the node. Identity embeddings live only in an in-RAM ring buffer. The rf_signature_hash rotates daily using a per-site blake3 keyed-hash that is never transmitted. Matter and HA expose only presence, motion, and person_count — never risk scores or embeddings.

  5. Integration plan. Six phases: P1 frame format + extractor stub, P2 feature extraction + identity_risk, P3 privacy gate + MQTT, P4 HA integration, P5 Matter exposure, P6 cognitum federation. Each phase maps to a numbered acceptance criterion. The crate slots into the existing workspace between wifi-densepose-signal and wifi-densepose-sensing-server.