mirror of
https://github.com/ruvnet/RuView.git
synced 2026-04-28 05:59:32 +00:00
The Rust port at v2/ has been the primary codebase since the rename in #427. The Python implementation at v1/ is no longer the active target; the only load-bearing path is the deterministic proof bundle at v1/data/proof/ (per ADR-011 / ADR-028 witness verification).

Move the whole Python tree into archive/v1/ and document the policy in archive/README.md: no new features, bug fixes only when they affect a still-load-bearing path (currently just the proof), CI continues to verify the proof on every push and PR.

Path references updated in 26 files via path-pattern sed (only matches v1/<known-child> patterns, never bare v1 or API URLs like /api/v1/). Two double-prefix typos (archive/archive/v1/) caught and hand-fixed in verify-pipeline.yml and ADR-011.

Validated:
- Python proof verify.py imports cleanly at archive/v1/data/proof/ (numpy/scipy still required; CI installs requirements-lock.txt from archive/v1/ now)
- cargo test --workspace --no-default-features → 1,539 passed, 0 failed, 8 ignored (unaffected by Python tree relocation)
- ESP32-S3 on COM7 untouched (no firmware paths changed)

After-merge: contributors should re-run any local `python v1/...` commands as `python archive/v1/...` (CLAUDE.md and CHANGELOG already updated).
6 KiB
RuView / WiFi-DensePose -- QE Executive Summary
Date: 2026-04-05
Analysis: Full-spectrum Quality Engineering assessment (8 specialized agents)
Codebase: ~305K lines across Rust (153K), Python (39K), C firmware (9K), TypeScript/JS (33K), Docs (71K)
Fleet ID: fleet-02558e91
Overall Quality Score: 55/100 (C+) -- QUALITY GATE FAILED
| Domain | Score | Verdict |
|---|---|---|
| Code Quality & Complexity | 55-82/100 | CONDITIONAL PASS |
| Security | 68/100 | CONDITIONAL PASS |
| Performance | Borderline | AT RISK (37-54ms vs 50ms budget) |
| Test Suite Quality | Mixed | 3,353 tests but heavy duplication |
| Coverage | 77% file-level | FAIL (Python 30%, Firmware 19%) |
| Quality Experience (QX) | 71/100 | CONDITIONAL PASS |
| Product Factors (SFDIPOT) | TIME = CRITICAL | FAIL on time factor |
P0 -- Fix Immediately (Security + CI)
| # | Issue | File(s) | Impact |
|---|---|---|---|
| 1 | Rate limiter bypass -- trusts X-Forwarded-For without validation | archive/v1/src/middleware/rate_limit.py:200-206 | Any client can bypass rate limits via header spoofing |
| 2 | Exception details leaked in HTTP responses regardless of environment | archive/v1/src/api/routers/pose.py:140, stream.py:297, +5 others | Stack traces visible to attackers |
| 3 | WebSocket JWT in URL -- tokens visible in logs, browser history, proxies | archive/v1/src/api/routers/stream.py:74, archive/v1/src/middleware/auth.py:243 | Token exposure (CWE-598) |
| 4 | Rust tests not in CI -- 2,618 tests in largest codebase never run in pipeline | No cargo test in any GitHub Actions workflow | Regressions ship undetected |
| 5 | WebSocket path mismatch -- mobile app sends to wrong endpoint | ui/mobile/src/services/ws.service.ts:104 vs constants/websocket.ts:1 | Mobile WebSocket connections fail silently |
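
Finding 1 in the table above, as an added example (not code from the RuView repository, whose rate_limit.py is not shown on this page): the header-trusting pattern the finding describes next to a hardened rate-limit key derivation. The function names, the `TRUSTED_PROXIES` allow-list and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the reverse proxies allowed to set X-Forwarded-For
# (constructed values, adjust to the actual deployment).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer: str, headers: dict) -> str:
    """Pattern the finding describes: the first X-Forwarded-For entry wins,
    so any client can pick its own rate-limit bucket."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer


def client_ip(peer: str, headers: dict) -> str:
    """Rate-limit key that honours X-Forwarded-For only from trusted proxies."""
    if not _is_trusted(peer):
        return peer  # direct connection: the header is client-controlled
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            parsed = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
        if not _is_trusted(hop):
            return str(parsed)  # first untrusted hop is the real client
    return peer  # header absent, or every hop was a trusted proxy
```

Keying on the socket peer whenever the connection does not come from a known proxy is what closes the bypass; the right-to-left walk handles a client that prepends a forged entry before the proxy appends the real one.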
P1 -- Fix This Sprint (Performance + Code Health)
| # | Issue | File(s) | Impact |
|---|---|---|---|
| 6 | God file: 4,846 lines, CC=121 -- sensing-server main.rs | crates/wifi-densepose-sensing-server/src/main.rs | Untestable, unmaintainable monolith |
| 7 | O(L*V) tomography voxel scan per frame | ruvsense/tomography.rs:345-383 | ~10ms wasted per frame; use DDA ray march for 5-10x speedup |
| 8 | Sequential neural inference -- defeats GPU batching | wifi-densepose-nn inference.rs:334-336 | 2-4x latency penalty |
| 9 | 720 .unwrap() calls in Rust production code | Across entire Rust workspace | Each is a potential panic in real-time/safety-critical paths |
| 10 | Python Doppler: 112KB alloc per frame at 20Hz | archive/v1/src/core/csi_processor.py:412-414 | Converts deque -> list -> numpy every frame |
P2 -- Fix This Quarter (Coverage + Safety)
| # | Issue | File(s) | Impact |
|---|---|---|---|
| 11 | 11/12 Python modules untested -- only CSI extraction has unit tests | archive/v1/src/services/, middleware/, database/, tasks/ | 12,280 LOC with zero unit tests |
| 12 | Firmware at 19% coverage -- WASM runtime, OTA, swarm bridge untested | firmware/esp32-csi-node/main/wasm_runtime.c (867 LOC) | Security-critical code with no tests |
| 13 | MAT simulation fallback -- disaster tool auto-falls back to simulated data | ui/mobile/src/screens/MATScreen/index.tsx | Risk of operators monitoring fake data during real incidents |
| 14 | Token blacklist never consulted during auth | archive/v1/src/api/middleware/auth.py:246-252 | Revoked tokens remain valid |
| 15 | 50ms frame budget never benchmarked -- no latency CI gate | No benchmark harness exists | Real-time requirement is aspirational, not verified |
P3 -- Technical Debt
| # | Issue | Impact |
|---|---|---|
| 16 | 340 unsafe blocks need formal safety audit | Potential UB in production |
| 17 | 5 duplicate CSI extractor test files (~90 redundant tests) | Maintenance burden |
| 18 | Performance tests mock inference with asyncio.sleep() | Tests measure scheduling, not performance |
| 19 | CORS wildcard + credentials default | Browser security weakened |
| 20 | ESP32 UDP CSI stream unencrypted | CSI data interceptable on LAN |
Bright Spots
- 79 ADRs -- exceptional architectural governance
- Witness bundle system (ADR-028) -- deterministic SHA-256 proof verification
- Rust test depth -- 2,618 tests with mathematical rigor (Doppler, phase, losses)
- Daily security scanning in CI (Bandit, Semgrep, Safety)
- Mobile state management -- clean Zustand stores with good test coverage
- Ed25519 WASM signature verification on firmware
- Constant-time OTA PSK comparison -- proper timing-safe crypto
Reports Index
All detailed reports are in the docs/qe-reports/ directory:
| Report | Lines | Description |
|---|---|---|
| 00-qe-queen-summary.md | 315 | Master synthesis, quality score, cross-cutting analysis |
| 01-code-quality-complexity.md | 591 | Cyclomatic/cognitive complexity, code smells, top 20 hotspots |
| 02-security-review.md | 600 | 15 findings (0 CRITICAL, 3 HIGH, 7 MEDIUM), OWASP coverage |
| 03-performance-analysis.md | 795 | 23 findings (4 CRITICAL), frame budget analysis, optimization roadmap |
| 04-test-analysis.md | 544 | 3,353 tests inventoried, duplication analysis, quality assessment |
| 05-quality-experience.md | 746 | API/CLI/Mobile/DX/Hardware UX assessment, 3 oracle problems |
| 06-product-assessment-sfdipot.md | 711 | SFDIPOT analysis, 57 test ideas, 14 exploratory session charters |
| 07-coverage-gaps.md | 514 | Coverage matrix, top 20 risk gaps, 8-week improvement roadmap |
Total analysis: 4,816 lines across 8 reports (265 KB)
Generated by QE Swarm (8 agents, fleet-02558e91) on 2026-04-05
Orchestrated by QE Queen Coordinator with shared learning/memory