Adjacent secret leak in show_cmd noticed during Task 3 code review.
SecurityConfig has two sensitive fields and the redaction block only
covered pin_hash. vigilar config show would print the recovery
passphrase hash verbatim whenever one was configured.
One-line fix; same redaction pattern as the surrounding secrets.
Part of issue #2.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Was: HMAC-SHA256(random, pin) written to [system] arm_pin_hash —
no verifier in the codebase accepted this output.
Now: PBKDF2-SHA256 via alerts.pin.hash_pin written to [security]
pin_hash, matching what the web and FSM paths verify against.
Also fixes show_cmd to redact the new location.
Code review feedback on the Task 2 commit (7fda351):
- The 'verify_pin as _verify_pin_hash' alias was unnecessary — the
method self.verify_pin and the module-level verify_pin do not
collide (one is accessed via self, the other via the bare name).
Removing the alias matches how web/blueprints/system.py already
imports verify_pin and makes the call site read cleanly.
- The comment on the insert_arm_state None argument now explains
WHY (PBKDF2 salt is fresh per call, so re-hashing is worthless for
audit correlation) instead of only referencing the issue.
No behavior change. Part of issue #2.
Was: unsalted SHA-256 read from [system] arm_pin_hash.
Now: PBKDF2-SHA256 600k iterations read from [security] pin_hash,
matching the web arm/disarm path and the alerts/pin module.
Also drops the redundant pin re-hash on the arm_state_log audit row
(a fresh PBKDF2 salt made the column valueless for traceability).
Part of issue #2 PIN hashing unification.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Topic for web-originated arm/disarm requests that the event processor
will subscribe to and dispatch to ArmStateFSM.transition. Part of the
PIN unification work (issue #2).
Plan document for issue #2 — the three-way PIN hash mismatch across
CLI, events FSM, and web arm/disarm. Proposes canonicalizing on
PBKDF2-SHA256 via alerts/pin and [security] pin_hash, deprecating
[system] arm_pin_hash, and wiring web arm/disarm through MQTT to the
FSM so the web buttons actually transition state.
Nine tasks, TDD throughout. No code changes in this commit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes#1.
The Flask event-timeline was dead: `broadcast_sse_event` existed in
`vigilar/web/blueprints/events.py` but had zero call sites. Clients
subscribed to `/events/stream`, received the initial "connected"
message, and then only keepalives — a page refresh was required to
see new events. (Web Push via VAPID was independent and already worked.)
The root cause was a process-boundary gap: the events subsystem runs
in its own OS process and emits to MQTT, while the Flask app runs in a
separate process with no MQTT client of its own.
This change adds a thin bridge:
- EventProcessor._handle_event now publishes a classified summary
(id, ts, type, severity, source_id, payload) to a new topic
`Topics.EVENTS_PUBLISHED = "vigilar/events/published"` right after
`insert_event()`. Classification logic stays in one place.
- A new module `vigilar/web/sse_bridge.py` provides `forward_event`
(MQTT handler) and `start_sse_bridge(cfg)` (creates a MessageBus,
subscribes forward_event to EVENTS_PUBLISHED, connects, returns the
bus).
- `vigilar/main.py:_run_web` starts the bridge after `create_app(cfg)`
and disconnects it on shutdown. Bridge failure is logged but does
not kill the web process — the UI still works without live updates.
- `create_app` is deliberately NOT changed. Keeping the bridge out of
the app factory means no existing test triggers a real MQTT
connection, and the bridge stays a production-only concern wired by
the supervisor.
Tests (all added with TDD, RED verified before GREEN):
- tests/unit/test_events.py::TestEventsPublishedBroadcast — asserts
`_handle_event` publishes the classified payload for a motion event
and does NOT publish for unclassified topics (heartbeats).
- tests/unit/test_sse_bridge.py — asserts `forward_event` reaches SSE
subscribers, and `start_sse_bridge` wires the handler to
`Topics.EVENTS_PUBLISHED` on a connected bus (fake bus, no real
MQTT in tests).
Also refreshes the docs that previously flagged the dead SSE as a
known limitation (operator guide, web architecture doc).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Some web endpoint handlers call _save_and_reload(), which resolves the
target path via VIGILAR_CONFIG env var with a fallback to the relative
"config/vigilar.toml". Any test exercising such an endpoint without
setting the env var rewrites the repo's committed config file via a
Pydantic model_dump round-trip, stripping comments and non-default
fields. The culprit discovered was test_reset_pin_correct_passphrase
in tests/unit/test_system_pin.py.
Add an autouse session-scoped fixture in tests/conftest.py that points
VIGILAR_CONFIG at a path inside pytest's session tmp dir so no test
can touch the real file. Restore the previous env var value on teardown.
Fixes#3.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The set_password_cmd docstring and inline comment claimed bcrypt /
SHA-256, but the implementation actually uses scrypt via
cryptography.hazmat.primitives.kdf.scrypt. Correct the docstring,
drop the misleading comment, and remove the now-unused hashlib import.
No behavior change.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Convert the "Where to go next" items in the architecture overview from
plain text to proper Markdown links. This was the only finding from the
Task 18 verification pass; everything else (links, commands, TOML
coverage, subsystem coverage, terminology) is self-consistent across
the 17 new doc files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Front-door for the repo. Pitches the project, surfaces known limitations
honestly (timeline not live, CTR not authenticated, no migrations), and
links into the three doc trees: home user guide, operator guide, and
architecture overview + 12 subsystem references.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Linear walkthrough from bare mini PC to working cameras on phone, with
optional NAS backup. Verified against real install.sh, backup.sh, and
CLI subcommands; honest about the in-browser event timeline not being
wired to SSE yet (push notifications do work).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
18 tasks covering README, home user guide, operator guide, architecture
overview + conventions, and 12 per-subsystem reference docs. Each task
is grounded in reading real source to avoid invented facts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Specify that backup timer snippets are inline in the guides, not
shipped as new unit files, to match the no-code-changes scope.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Captures scope and structure for top-level README, home user guide,
operator guide, and architecture docs (overview + conventions + 12
per-subsystem files). Approach 3 (hybrid): monolithic user guides,
split architecture reference.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Group A (Foundation): Web Push notifications, AES-256-CTR recording
encryption/playback, HLS.js v1.5.17, PIN verification on arm/disarm
Group C (Detection Intelligence): Activity heatmaps, wildlife journal
with Open-Meteo weather correlation, package delivery detection with
NOAA sunset-aware reminders
Group E (Pet Lifestyle): Composable per-pet rules engine with 6
condition types, cooldown management, CRUD API, 6 quick-add templates
Group D (Visitor Recognition): Local face recognition via dlib,
face profile/embedding storage, consent-gated labeling, visitor
dashboard with privacy controls (forget/ignore)
Group B (Daily Delight): Daily highlight reel generator with event
scoring, kiosk ambient mode with alert takeover, time-lapse generator
with scheduled presets
37 commits, 63 files changed, 360 tests passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add `requests` to pyproject.toml dependencies (used by detection/weather.py)
- Wire PACKAGE_DELIVERED/REMINDER/COLLECTED and KNOWN/UNKNOWN_VISITOR event
types in EventProcessor._classify_event
- Add normalized bbox to all detection payloads in camera worker
(domestic_animal, wildlife, person, vehicle)
- Integrate highlight reel and timelapse scheduling in HealthMonitor.run()
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use hmac.compare_digest() in verify_pin() to prevent timing-based PIN oracle attacks
- Redact entire [security] section (pin_hash, recovery_passphrase_hash) from /api/config response
- Sunset sign fix was skipped: existing longitude - ha formula is correct per NOAA equations and verified by test_sunset_equator; longitude + ha produces sunrise, not sunset
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add GET /kiosk/ambient route and standalone fullscreen template with
rotating camera snapshots (crossfade), top bar clock/date, pet status
bottom bar, SSE-driven alert takeover with HLS playback, configurable
screen dimming, and 6-hour auto-refresh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add /visitors/ blueprint with REST API endpoints for listing profiles and
visits, labeling (with consent gate), household linking, ignore/unignore,
and cascading forget. Register blueprint in app.py. Add dashboard and profile
detail templates (Bootstrap 5 dark, tab navigation, fetch-based JS). All six
API tests pass (339 total).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add FaceRecognizer class that loads face encodings from the database,
supports runtime add_encoding(), and matches new encodings by L2 distance.
face_recognition import is deferred so the class works without dlib installed.
FaceResult dataclass carries profile_id, name, confidence, crop, and bbox.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add create/get/update/delete_cascade for face_profiles, insert/get for
face_embeddings, and insert/get/get_active for visits. All seven query
functions covered by unit tests (327 passing).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add three new SQLAlchemy Core tables to schema.py for visitor recognition:
face_profiles (identity store), face_embeddings (per-profile encodings),
and visits (arrival/departure log). Indexes on profile_id and arrived_at.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add KNOWN_VISITOR, UNKNOWN_VISITOR, VISITOR_DEPARTED to EventType enum.
Add VisitorsConfig model to config.py and wire into VigilarConfig.
Add face_recognition>=1.3.0 under [face] optional-dependencies in pyproject.toml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add insert/get/update queries for package_events table, and
notification content for PACKAGE_DELIVERED and PACKAGE_REMINDER events.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add wildlife_bp with sightings, stats, frequency, and CSV export
endpoints; Bootstrap 5 dark journal template with live-updating
summary cards, species bars, time-of-day frequency chart, and
paginated/filterable sightings table.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
