Files
wehub-resource-sync 9740bc64c9
Continuous Deployment / Deploy to Production (push) Blocked by required conditions
Continuous Deployment / Rollback Deployment (push) Blocked by required conditions
Continuous Deployment / Post-deployment Monitoring (push) Blocked by required conditions
Continuous Deployment / Notify Deployment Status (push) Blocked by required conditions
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier1) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (full-adr060) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (tdm-3node) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / Swarm Test (ADR-062) (push) Has been skipped
npm packages / tools/ruview-mcp (node 22) (push) Failing after 1s
nvsim-server → ghcr.io / build-and-publish (push) Failing after 1s
ruview-swarm CI guard / tests (full+train) (push) Failing after 2s
Bench Regression Guard / bench compile-verify (--no-run) (push) Failing after 0s
Bench Regression Guard / bench fast-run (informational, non-gating) (push) Has been skipped
Firmware CI / Verify version.txt matches release tag (push) Has been skipped
Dashboard a11y + cross-browser / a11y (push) Failing after 0s
nvsim Dashboard → GitHub Pages / build-and-deploy (push) Failing after 2s
Firmware CI / Build firmware (esp32s3 / 4mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / Build Espressif QEMU (push) Failing after 1s
Firmware QEMU Tests (ADR-061) / Fuzz Testing (ADR-061 Layer 6) (push) Failing after 1s
Continuous Deployment / Pre-deployment Checks (push) Has been skipped
Continuous Deployment / Deploy to Staging (push) Waiting to run
Firmware CI / Build firmware (esp32c6 / c6-4mb) (push) Failing after 15s
Firmware CI / Build firmware (esp32s3 / 8mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-max) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-min) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (default) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier0) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / NVS Matrix Generation (push) Failing after 1s
Security Scanning / Security Policy Compliance (push) Failing after 0s
Security Scanning / Security Report (push) Waiting to run
Security Scanning / Dependency Vulnerability Scan (push) Failing after 0s
Security Scanning / Static Application Security Testing (push) Failing after 1s
Security Scanning / Infrastructure Security Scan (push) Failing after 1s
Security Scanning / Secret Scanning (push) Failing after 1s
npm packages / harness/ruview (node 22) (push) Failing after 17s
Security Scanning / License Compliance Scan (push) Failing after 1s
Security Scanning / Container Security Scan (push) Failing after 4s
three.js demos → GitHub Pages / build-and-deploy (push) Failing after 1s
Verify Pipeline Determinism / Verify Pipeline Determinism (3.11) (push) Failing after 1s
Fix-Marker Regression Guard / Verify fix markers (push) Failing after 1s
ADR-115 MQTT integration tests / mqtt-integration (push) Failing after 1s
npm packages / harness/ruview (node 20) (push) Failing after 1s
npm packages / tools/ruview-mcp (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 22) (push) Failing after 1s
BFLD MQTT Integration / cargo test --features mqtt (live mosquitto) (push) Failing after 29s
ruview-swarm CI guard / build train_marl bin (push) Failing after 2s
ruview-swarm CI guard / clippy (-D warnings, --no-deps) (push) Failing after 3s
ruview-swarm CI guard / tests (ruflo) (push) Failing after 1s
ruview-swarm CI guard / tests (train) (push) Failing after 2s
ruview-swarm CI guard / tests (default) (push) Failing after 2s
Point Cloud Viewer → GitHub Pages / build-and-deploy (push) Failing after 8s
ruview-swarm CI guard / ITAR / publish guard (push) Failing after 0s
wifi-densepose sensing-server → Docker Hub + ghcr.io / build · push · smoke-test (push) Failing after 1s
chore: import upstream snapshot with attribution
2026-07-13 11:59:54 +08:00

5.3 KiB
Raw Permalink Blame History

GitHub Issue Draft

Title: feat: BFLD — Beamforming Feedback Layer for Detection (privacy-gated WiFi sensing)

Labels: enhancement, privacy, security, area/signal, area/firmware

Milestone: (TBD — suggest: v0.8.0)


Summary

Add a new crate wifi-densepose-bfld that turns raw 802.11 Beamforming Feedback Information (BFI) into bounded, privacy-gated sensing outputs. BFLD detects when RF data crosses from "ambient sensing" into "identity record" and structurally prevents identity-correlated data from leaving the node.

This is the safety layer that was missing from the CSI pipeline. As passive BFI sniffing tools (Wi-BFI, PicoScenes) become widely available and academic attacks (BFId at ACM CCS 2025, LeakyBeam at NDSS 2025) demonstrate >90% re-identification from commodity WiFi, the wifi-densepose ecosystem needs an explicit privacy layer before scaling deployment.

Motivation

  1. BFI is plaintext and passively sniffable. IEEE 802.11ac/ax CBFR frames are transmitted before WPA2/WPA3 encryption is applied. Any nearby device in monitor mode can capture them (NDSS 2025: https://www.ndss-symposium.org/ndss-paper/lend-me-your-beam-privacy-implications-of-plaintext-beamforming-feedback-in-wifi/).

  2. BFI enables re-identification. The KIT BFId paper (ACM CCS 2025: https://dl.acm.org/doi/10.1145/3719027.3765062) demonstrates >90% identity recognition from 5 seconds of BFI, from a dataset of 197 individuals, using only the Phi/Psi Givens rotation angles.

  3. The existing pipeline has no identity-leakage measurement. The rvCSI pipeline produces presence/motion/pose events without any indication of whether those outputs were derived from identity-discriminative data. An operator deploying in a care facility or shared office has no way to verify the system is behaving anonymously.

  4. WiFi 7 will make this worse. 802.11be (Wi-Fi 7) multi-link operation increases sounding frequency 35×. The attack surface is not static.

Proposed Solution

New crate at v2/crates/wifi-densepose-bfld/ with the following pipeline:

BFI capture (CBFR frames, Pi 5 / Nexmon monitor mode)
    → BFI extractor (Phi/Psi parser, 802.11ac/ax)
    → Normalization + temporal windowing
    → Feature extraction (9 named features)
    → Identity risk engine (in-RAM embeddings, coherence gate)
    → Privacy gate (privacy_class byte, field masking)
    → MQTT emitter (per-class topic routing)

Three structural invariants (not configurable, not policy):

  1. Raw BFI never leaves the node.
  2. Identity embedding is in-RAM-only (VecDeque, never persisted).
  3. Cross-site identity matching is cryptographically impossible via per-site BLAKE3 keyed hash with daily rotation.

Output events published on ruview/<node_id>/bfld/{presence,motion,person_count,...}/state.

Matter and HA expose only: presence, motion, person_count. Identity fields are rejected at both boundaries.

Acceptance Criteria

  • AC1: Parser handles 802.11ac VHT and 802.11ax HE CBFR frames at 20/40/80/160 MHz, 2×2 through 4×4 MIMO.
  • AC2: Presence detection latency ≤ 1s p95 from first non-empty BFI frame in a new occupancy event.
  • AC3: Motion score published at ≥ 1 Hz on ruview/<node_id>/bfld/motion/state during sustained occupancy.
  • AC4: Raw BFI bytes (Phi/Psi angle matrices) are never present in any serialized output at any privacy_class value.
  • AC5: Privacy mode suppresses all identity-derived fields (identity_risk_score, rf_signature_hash, identity_embedding) from all outbound events.
  • AC6: Identical BfiCapture input → bit-identical BfldFrame output (deterministic, cross-platform).
  • AC7: Pipeline produces valid BfldEvent with csi_matrix = None (BFI-only mode), without panic or significant accuracy degradation.

References

Out of Scope

  • Preventing passive BFI capture by external attackers (hardware-level problem, not software).
  • Differential privacy noise injection (noted as future extension in ADR-118).
  • Federated identity learning (local-only is sufficient for the current use case).
  • BFI capture directly from ESP32-S3 firmware (Espressif API does not expose CBFR; host-side Pi 5 / Nexmon capture is the implementation path).
  • WiFi 7 / 802.11be multi-link BFI (frame format versioning accommodates it; not in scope for v1 implementation).
  • ADR-028 witness bundle (ref: this repo's docs/WITNESS-LOG-028.md)
  • ADR-115 HA integration (21 entities — BFLD adds 6 more)
  • ADR-116 Matter seed packaging (cog-ha-matter crate needs Matter boundary update)
  • ADR-117 pip modernization (PyO3 pattern reused for BFLD Python bindings)
  • rvCSI platform (ADR-095/096) — Nexmon adapter shared with BFLD BFI capture path