fix(firmware): node_id early capture + SPI cache crash fix + provision.py compat

[proffesor-for-testing]

Summary

Five fixes for the ESP32-S3 CSI firmware, tested on a 3-node fleet with 3 Pi Zero seeds.

Builds on top of merged PR #393 (v0.6.1). Addresses two bugs:

1. The node_id clobber that fix(firmware): defensive node_id capture prevents runtime clobber (#390) #393 didn't fully fix (late capture after WiFi init)
2. The LoadProhibited crash in promiscuous mode (RuView#396)

Commits

1. fix(firmware): move defensive node_id capture before wifi_init_sta()

PR #393's defensive copy at csi_collector_init() runs AFTER wifi_init_sta(), which corrupts g_nvs_config on our hardware (MAC 80:b5:4e:c1:be:b8). Adds csi_collector_set_node_id() called immediately after nvs_config_load(), before WiFi init.

Verified: NVS node_id=5 → seed receives node_id=5 (was receiving 1 with #393's fix).

2. fix(firmware): defensive copy of filter_mac to prevent callback crash

The CSI callback reads g_nvs_config.filter_mac_set on every invocation (100-500 Hz). Same struct corruption from WiFi init. Extends the defensive-copy pattern to filter_mac.

3. fix(firmware): MGMT-only promiscuous filter to prevent SPI cache crash

The core crash fix. wDev_ProcessFiq (ESP-IDF WiFi blob) crashes in cache_ll_l1_resume_icache when promiscuous mode captures MGMT+DATA frames at 100-500 Hz. Reduces filter to MGMT-only (~10 Hz beacons). See #396 for the full 10-test investigation.

Also re-enables htltf_en and stbc_htltf2_en for full CSI quality (128/256/384 byte frames with LLTF+HT-LTF+STBC).

4. fix(provision): write-flash → write_flash for esptool v5 compat

esptool v5+ rejects hyphenated subcommands.

5. fix(firmware): 50 Hz callback rate gate + sdkconfig extra IRAM opt

Defense-in-depth: early rate gate drops excess callbacks before processing. CONFIG_ESP_WIFI_EXTRA_IRAM_OPT=y in sdkconfig.defaults. Includes disabled null-data injection timer infrastructure for future use.

Test results

Tested on 3x Waveshare ESP32-S3 AMOLED 1.8" (QFN56 rev v0.2, 8MB PSRAM, 16MB flash).

Test	Result
v0.6.1 release (no fixes)	Crash — 19 panics in 2 min
This PR (MGMT-only)	Stable — 3 nodes, 1.44M+ frames, zero crashes
node_id early capture	Fixed — NVS value preserved through WiFi init
Edge processing at 10 Hz	Working — vitals: br=25-36, hr=76-99, presence=YES

Full test matrix (10 configurations tested) in #396.

Impact on CSI rate

CSI rate drops from ~500 Hz to ~10 Hz (beacons only). This matches the cog sample rate (10 Hz) and satisfies Nyquist for heart rate (2.0 Hz) and breathing (0.5 Hz). The sample_rate constant in edge_processing.c:718 should be updated from 20.0 to 10.0 to match — left for a separate commit since it's in Ruv's code.

Refs

• Closes ESP32-S3 CSI crash: SPI flash cache race in wDev_ProcessFiq during promiscuous mode #396 (SPI cache crash)
• Improves ESP32-S3: g_nvs_config.node_id clobbered to 1 between main.c:140 and csi_collector_init + LoadProhibited panic loop #390 (node_id clobber — early capture)
• Related: ruvnet/optimizer#83 (fleet status)

Test plan

• Builds clean (ESP-IDF v5.4 Docker, 48% flash free)
• Flashes + provisions all 3 ESP32 nodes
• node_id verified on all 3 seeds (CSI API shows correct node_id)
• Zero crashes over 4+ minutes per node
• Edge processing vitals output valid
• Seeds receiving CSI data (1.44M, 1.04M, 310K frames)
• Display ON with zero crashes
• Needs Ruv verification on his hardware

Co-Authored-By: Ruflo & AQE

[proffesor-for-testing]

Post-merge investigation — corrected stability data and v5.4.4 / v5.5.4 tests

While Ruv was deciding what to do with this PR, we ran a much longer soak than the 4-minute window we reported originally. The earlier claim "Stable — 3 nodes, 1.44M+ frames, zero crashes / 4+ minutes per node" did not hold up to longer observation. Corrected data below.

What was wrong with the original test

• 4-minute windows are too short for a bug that fires on average every 30–60 s
• The "1.44M frames" number was cumulative across many boots, not a single stretch
• We measured on the seed (downstream UDP ingest) instead of the ESP32's own serial — reboots were masked by fast re-association (~2 s)
• No programmatic counting of rst:0x or Guru Meditation boot markers

Real 30-min soak — PR #397 firmware (MGMT-only + fix #1 stack-static) on ESP-IDF v5.4.0

Boot	Uptime	Failure mode	Saved PC
1	156 s	TG0WDT silent hang	0x40041a79
2	22 s	TG0WDT silent hang	0x40041a76
3	22 s	TG0WDT silent hang	0x40041a7c
4	42 s	Guru LoadProhibited → 8× panic-in-panic → Double exception	wDev_ProcessFiq path

4 crashes in 30 min → ~1 crash every 7.5 min at 10 Hz CSI. Recovery is <2 s, edge processing re-calibrates within 1200 frames. Acceptable for product but not "stable".

Additional experiments today (all Ruv-only baseline, MGMT+DATA promiscuous)

Config	Mean uptime	First-crash PC	Notes
ESP-IDF v5.4.0 Ruv-only	16–49 s (n=2)	0x40040878 / wDev_ProcessFiq	Baseline reproducer
ESP-IDF v5.4.4 (submodule WiFi lib bumped)	~45 s (n=8)	Same PC, same path	No real improvement
ESP-IDF v5.5.4 (major blob gen jump)	45 s mean, 90 s best (n=13)	Same PC, same path	New "Panic handler entered multiple times. Abort panic handling." fast-abort — cleaner reboot via rst:0xc (RTC_SW_CPU_RST) instead of rst:0x7 (TG0WDT_SYS_RST), but same underlying bug

Same backtrace across 3 IDF versions: ppTask → wDev_ProcessRxSucData → wDev_IndicateFrame → wDev_ProcessFiq → _xt_lowint1 → PC=0x00000000 (InstrFetchProhibited) or PC=0x40040878 (LoadProhibited). All inside Espressif's closed-source libpp.a.

Fix attempts that didn't work

• Static frame_buf (uint8_t frame_buf[2068] → static): moved 2 KB off the WiFi task's 6656-byte stack. ~1.5–2× longer time-to-crash but does not stop the bug. Kept in PR fix(firmware): node_id early capture + SPI cache crash fix + provision.py compat #397 because it's good stack hygiene regardless.
• IRAM_ATTR on wifi_csi_callback / wifi_promiscuous_cb: regressed — time-to-crash dropped from ~60 s to ~22 s. IRAM placement of the entry function doesn't help because the body still calls flash-resident helpers (memcpy, ESP_LOGI, sendto). Reverted.
• STA-mode CSI (no promiscuous): esp_wifi_set_promiscuous(false) + keep esp_wifi_set_csi(true). No wDev_ProcessFiq crashes in brief tests but CSI rate was inconsistent — saw cb Best Way to Block #1–3 on one boot, 90+ s of zero callbacks on another. Needs more driver-level config work to be production-viable. Not shipped.
• SPIRAM Octal XIP: tested yesterday; changes crash type from LoadProhibited to Cache disabled but cached memory region accessed, does not fix the race.

Conclusion

The bug is in the ESP-IDF WiFi binary blob on ESP32-S3 + QSPI-display hardware (Waveshare AMOLED 1.8″). It reproduces on v5.4.0, v5.4.4, and v5.5.4 with identical signatures. Application-level mitigations (filter reduction, stack hygiene, IRAM pinning) only change when it fires, not whether it fires.

Recommendation: merge PR #397 as-is. The MGMT-only filter is the only mitigation that keeps crash frequency tolerable for product use (1 crash per ~7 min at 10 Hz CSI, 2 s recovery). Seeds' edge-processing adaptive calibration handles the brief gaps. We'll add a CSI-starvation watchdog in a follow-up PR to catch the silent TG0WDT hangs and turn them into faster reboots.

Upstream bug report to Espressif + detailed crash dumps → #396 updated.

What I got wrong

• Reported "stable" when I had 4-min samples against a ~60 s MTBF bug
• Presented cumulative frame counts as evidence of sustained uptime
• Didn't count reboot markers in the soak window
• Skipped writing a long-running serial capture rig before making claims

Happy to backfill longer soaks or run any additional configs if useful.