Commit Graph

34 Commits

Author SHA1 Message Date
adlee-was-taken
5745388880 fix: address final-review items (status endpoint, docs, tests)
Follow-up to the holistic review of the PIN-unification branch:

- /system/status now reads the real arm state from the arm_state_log
  table via get_current_arm_state, instead of returning a hardcoded
  'DISARMED' stub. Without this, polling after the new async 202
  arm/disarm flow was a UX dead-end — clients never saw the state
  change they just requested. DB read failures degrade gracefully.

- Operator guide: correct the claim that 'vigilar config set-pin'
  populates recovery_passphrase_hash. It doesn't.
  recovery_passphrase_hash has no CLI helper today; it must be set
  manually.

- Tests: add a fail-closed regression for verify_pin on malformed
  stored hashes, and a companion test confirming the deprecation
  warning stays silent on a fully migrated config.

All address specific review comments on the branch; no scope creep.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 12:58:09 -04:00
adlee-was-taken
eb281ad058 docs(operator-guide): PIN hashing is unified (issue #2)
Describes the canonical [security] pin_hash key, the PBKDF2 format
emitted by 'vigilar config set-pin', and the deprecation warning for
the legacy [system] arm_pin_hash. Drops the three-way mismatch
known-limitation.
2026-04-05 12:58:09 -04:00
adlee-was-taken
e048eb955e docs(plan): implementation plan for PIN hashing unification (issue #2)
Plan document for issue #2 — the three-way PIN hash mismatch across
CLI, events FSM, and web arm/disarm. Proposes canonicalizing on
PBKDF2-SHA256 via alerts/pin and [security] pin_hash, deprecating
[system] arm_pin_hash, and wiring web arm/disarm through MQTT to the
FSM so the web buttons actually transition state.

Nine tasks, TDD throughout. No code changes in this commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 12:57:20 -04:00
adlee-was-taken
09b59e3bb5 feat: wire MQTT → SSE bridge so the event timeline updates live
Closes #1.

The Flask event-timeline was dead: `broadcast_sse_event` existed in
`vigilar/web/blueprints/events.py` but had zero call sites. Clients
subscribed to `/events/stream`, received the initial "connected"
message, and then only keepalives — a page refresh was required to
see new events. (Web Push via VAPID was independent and already worked.)

The root cause was a process-boundary gap: the events subsystem runs
in its own OS process and emits to MQTT, while the Flask app runs in a
separate process with no MQTT client of its own.

This change adds a thin bridge:

- EventProcessor._handle_event now publishes a classified summary
  (id, ts, type, severity, source_id, payload) to a new topic
  `Topics.EVENTS_PUBLISHED = "vigilar/events/published"` right after
  `insert_event()`. Classification logic stays in one place.

- A new module `vigilar/web/sse_bridge.py` provides `forward_event`
  (MQTT handler) and `start_sse_bridge(cfg)` (creates a MessageBus,
  subscribes forward_event to EVENTS_PUBLISHED, connects, returns the
  bus).

- `vigilar/main.py:_run_web` starts the bridge after `create_app(cfg)`
  and disconnects it on shutdown. Bridge failure is logged but does
  not kill the web process — the UI still works without live updates.

- `create_app` is deliberately NOT changed. Keeping the bridge out of
  the app factory means no existing test triggers a real MQTT
  connection, and the bridge stays a production-only concern wired by
  the supervisor.

Tests (all added with TDD, RED verified before GREEN):

- tests/unit/test_events.py::TestEventsPublishedBroadcast — asserts
  `_handle_event` publishes the classified payload for a motion event
  and does NOT publish for unclassified topics (heartbeats).
- tests/unit/test_sse_bridge.py — asserts `forward_event` reaches SSE
  subscribers, and `start_sse_bridge` wires the handler to
  `Topics.EVENTS_PUBLISHED` on a connected bus (fake bus, no real
  MQTT in tests).

Also refreshes the docs that previously flagged the dead SSE as a
known limitation (operator guide, web architecture doc).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 16:55:27 +00:00
adlee-was-taken
1633e8b34e docs: final verification pass fixes
Convert the "Where to go next" items in the architecture overview from
plain text to proper Markdown links. This was the only finding from the
Task 18 verification pass; everything else (links, commands, TOML
coverage, subsystem coverage, terminology) is self-consistent across
the 17 new doc files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 10:26:02 -04:00
adlee-was-taken
e38a0dc174 docs: add operator guide
2026-04-05 10:21:58 -04:00
adlee-was-taken
68f9454a7c docs: add home user setup guide
Linear walkthrough from bare mini PC to working cameras on phone, with
optional NAS backup. Verified against real install.sh, backup.sh, and
CLI subcommands; honest about the in-browser event timeline not being
wired to SSE yet (push notifications do work).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 10:12:43 -04:00
adlee-was-taken
5e0d6c8320 docs: add web subsystem reference
2026-04-05 09:50:27 -04:00
adlee-was-taken
c4d119310a docs: add health subsystem reference
2026-04-05 09:48:54 -04:00
adlee-was-taken
07f5f341e6 docs: add pets subsystem reference
2026-04-05 09:48:12 -04:00
adlee-was-taken
58622722c7 docs: add presence subsystem reference
2026-04-05 09:47:35 -04:00
adlee-was-taken
843daf9c0b docs: add highlights subsystem reference
2026-04-05 09:47:07 -04:00
adlee-was-taken
d3db384c35 docs: add storage subsystem reference
2026-04-05 09:46:39 -04:00
adlee-was-taken
62696e919c docs: add ups subsystem reference
2026-04-05 09:46:06 -04:00
adlee-was-taken
87d2df1446 docs: add sensors subsystem reference
2026-04-05 09:45:41 -04:00
adlee-was-taken
c1779dfdb8 docs: add alerts subsystem reference
2026-04-05 09:45:12 -04:00
adlee-was-taken
226a473d4d docs: add events subsystem reference
2026-04-05 09:44:41 -04:00
adlee-was-taken
67b8dd672c docs: add detection subsystem reference
2026-04-05 09:44:06 -04:00
adlee-was-taken
c8d8421112 docs: add camera subsystem reference
2026-04-05 09:42:29 -04:00
adlee-was-taken
484235f74c docs: add coding conventions reference
2026-04-05 09:39:47 -04:00
adlee-was-taken
d38b0c4e25 docs: add architecture overview
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:36:37 -04:00
adlee-was-taken
0e4e2c1ca7 docs: add implementation plan for project documentation
18 tasks covering README, home user guide, operator guide, architecture
overview + conventions, and 12 per-subsystem reference docs. Each task
is grounded in reading real source to avoid invented facts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:29:57 -04:00
adlee-was-taken
1fd80ad31c docs: clarify NAS backup steps in documentation spec
Specify that backup timer snippets are inline in the guides, not
shipped as new unit files, to match the no-code-changes scope.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:17:58 -04:00
adlee-was-taken
4dc2db00e0 docs: add design spec for project documentation effort
Captures scope and structure for top-level README, home user guide,
operator guide, and architecture docs (overview + conventions + 12
per-subsystem files). Approach 3 (hybrid): monolithic user guides,
split architecture reference.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:17:07 -04:00
Aaron D. Lee
2c72743bec Add visitor recognition design spec (S3)
Local face recognition with visitor profiles, unknown clustering,
household presence integration, and privacy-first opt-in model.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:32:12 -04:00
Aaron D. Lee
f530f26530 Add pet lifestyle rules engine design spec (S5)
Per-pet configurable rules with conditions (zone, time, presence)
and actions (push, log, record). Walk tracker, missing pet, on-the-loose
detection via composable rule builder UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:27:48 -04:00
Aaron D. Lee
93492e33d8 Add daily delight design spec (Q1, Q4, Q6)
Highlight reel video, kiosk ambient mode for magic picture frame,
and on-demand time-lapse generator with scheduling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:20:20 -04:00
Aaron D. Lee
1338f7213d Add detection intelligence design spec (Q2, Q3, Q5)
Activity heatmaps, wildlife journal with weather correlation,
and package detection with sunset-aware reminders.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:14:04 -04:00
Aaron D. Lee
c9904648fa Add foundation plumbing design spec (F1-F4)
Notification delivery, recording playback/encryption, HLS.js bundle,
and PIN verification with recovery passphrase.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 14:38:29 -04:00
Aaron D. Lee
0c0f484cdf Add pet-aware security features implementation plan
18 tasks covering: YOLOv8 detector, pet ID classifier, wildlife threat
classification, crop management, alert integration, web UI, and training.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:00:45 -04:00
Aaron D. Lee
4b8da811df Add pet-aware security features design spec
Covers pet detection (YOLOv8), pet ID classifier, wildlife threat
tiers, zone-based alerting, training UI, and pet dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 12:50:14 -04:00
Aaron D. Lee
8a65ac8c69 Add implementation plan for daily use features
5-task plan covering presence detection, person/vehicle AI detection,
smart alert profiles, recording timeline UI, and health monitoring.
Tasks 1-3 parallelizable, 4 depends on 1+2, 5 depends on 2.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 00:01:53 -04:00
Aaron D. Lee
53ae925a70 Add daily use features design spec
Spec covers 5 feature areas for making Vigilar a system a household
relies on daily: multi-person presence detection, MobileNet person +
vehicle detection with driveway fencing, smart alert profiles with
presence/time awareness, recording timeline UI, and health monitoring
with auto-prune and daily digest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:42:29 -04:00
Aaron D. Lee
845a85d618 Initial commit: Vigilar DIY home security system
Phase 1 (Foundation): project skeleton, TOML config + Pydantic validation,
MQTT bus wrapper, SQLite schema (9 tables), Click CLI, process supervisor.

Phase 2 (Camera): RTSP capture via OpenCV, MOG2 motion detection with
configurable sensitivity/zones, adaptive FPS recording (2fps idle/30fps
motion) via FFmpeg subprocess, HLS live streaming, pre-motion ring buffer.

Phase 3 (Web UI): Flask + Bootstrap 5 dark theme, 6 blueprints, Jinja2
templates (dashboard, kiosk 2x2 grid, events, sensors, recordings, settings),
PWA with service worker + Web Push, full admin settings UI with config
persistence.

Remote Access: WireGuard tunnel configs, nginx reverse proxy with HLS
caching + rate limiting, bandwidth-optimized remote HLS stream (426x240
@ 500kbps), DO droplet setup script, certbot TLS.

29 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:11:27 -04:00