Release 1.5.0-rc.2

Author: hhvrc

.github/scripts/package.json

@@ -8,7 +8,7 @@
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "dependencies": {
-    "@actions/core": "^1.10.1",
+    "@actions/core": "^2.0.1",
     "@actions/github": "^6.0.1",
     "ini": "^6.0.0",
     "semver": "^7.7.3"

.github/scripts/pnpm-lock.yaml

@@ -202,7 +202,7 @@ jobs:
 
     steps:
       - name: Download release artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
 
       - name: Display artifacts
         run: ls -R

.github/workflows/ci-build.yml

@@ -1,3 +1,34 @@
+# Version 1.5.0-rc.2 Release Notes
+
+This release candidate focuses on **E-Stop reliability**, **rate limiting behavior**, and **general internal cleanup and correctness improvements**.
+
+## Highlights
+
+* **Improved E-Stop handling**
+
+  * More reliable state transitions.
+  * Removed event spamming by introducing change detection.
+  * Added a short **re-arm grace period** after clearing to prevent immediate re-triggering due to switch bounce or noise.
+  * Cleaner handling of external E-Stop triggers.
+
+* **Rate limiter improvements**
+
+  * More efficient internal tracking of recent requests.
+  * Corrected cleanup and timing behavior under sustained load.
+  * More predictable blocking behavior when limits are exceeded.
+
+## Stability & Internal Cleanup
+
+* Safer handling of integer formatting and digit counting (avoids edge-case overflows).
+* Reduced unnecessary string copying by tightening ownership where appropriate.
+* Command handling and serial logic cleaned up for clearer control flow.
+* General warning cleanups, minor API refinements, and consistency improvements across the codebase.
+
+## Build & Tooling
+
+* Minor CI and dependency updates.
+* Expanded compiler warnings where possible to catch issues earlier during development.
+
 # Version 1.5.0-rc.1 Release Notes
 
 This release candidate focuses on **radio reliability**, **firmware behavior improvements**, and a refreshed **frontend**.

CHANGELOG.md

@@ -0,0 +1,12 @@
+# -----------------------------------------------------------------------------
+# Custom CA certificates (local / self-hosted trust extensions)
+# -----------------------------------------------------------------------------
+# These files expand the TLS trust boundary and are intentionally NOT tracked.
+# Add only in local or deployment-specific environments.
+custom_certs/
+
+# Safety net: never commit private keys if mis-placed
+*.key
+*.pem.key
+*.p12
+*.pfx

certificates/.gitignore

@@ -1,16 +1,108 @@
 # Certificates used for HTTPS
 
-These certificates are fetched from [CURL's website](https://curl.se/docs/caextract.html) and are used for HTTPS connections.
+This project uses a curated CA certificate bundle for TLS/SSL verification on the ESP32.
 
-## How to update
+The bundle is sourced from **curl’s official CA extract** and can optionally be extended with **user-provided custom CA certificates**.
 
-1. Download the latest version of the certificate bundle along with its sha256 from [CURL's website](https://curl.se/docs/caextract.html).
-2. Replace the `cacrt_all.pem` file in this directory with the new one.
-3. Run `gen_crt_bundle.py` to generate the new `x509_crt_bundle` file.
-4. Commit the changes.
+## Source of Trust
+
+- The base CA bundle comes from:
+  [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
+- `cacert.pem` is downloaded directly from curl.se
+- A SHA-256 checksum is computed locally and compared against curl’s published checksum
+- All certificates are parsed and validated using `cryptography`
+- Any parsing error, mismatch, or invalid certificate **aborts generation**
+
+> ⚠️ **Trust warning**
+> The PEM file and its checksum are fetched from the same domain.
+> If curl.se were compromised or TLS trust failed, both could be malicious but internally consistent.
+> **Manual verification against curl’s website is therefore mandatory.**
+
+## Updating the Bundle
+
+### 1. Generate
+
+Run:
+
+```sh
+python3 gen_crt_bundle.py
+```
+
+The script will:
+
+- Download `cacert.pem`
+- Compute its SHA-256 hash
+- Download curl’s published checksum
+- Verify the PEM matches the computed checksum
+- Optionally include custom certificates (see below)
+- Abort on any error or inconsistency
+
+### 2. **Mandatory Manual Verification**
+
+⚠️ **Do not commit anything before completing the steps below.**
+
+1. Open: [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
+2. Locate the latest published SHA-256 checksum
+3. Manually compare it against:
+
+```sh
+sha256sum cacert.pem
+```
+
+Both values **must match exactly**.
+
+If they do not:
+
+- Do not commit
+- Treat the bundle as untrusted
+
+> Automatic checks ensure internal consistency.
+> Manual verification establishes the external trust boundary.
+
+### 3. Commit
+
+After successful manual verification, commit:
+
+- `cacert.pem`
+- `x509_crt_bundle`
+
+❌ **Never commit anything under `custom_certs/`.**
+
+## Custom Certificates (Optional)
+
+Self-hosted setups may require trusting additional Certificate Authorities (e.g. internal PKI or private reverse proxies).
+
+Custom CA certificates can be added locally and merged into the bundle.
+
+### How to add
+
+Place certificates in:
+
+```text
+custom_certs/
+```
+
+Only files ending in `.pem` are considered.
+
+### Requirements
+
+Each custom certificate file must contain exactly one PEM certificate block and nothing else.
+
+The script will parse and validate them as CA certificates and reject anything invalid or duplicated.
+
+> ⚠️ Adding custom CAs expands the ESP32’s trust boundary.
+> Only add certificates you fully trust and control.
+
+If `custom_certs/` does not exist or doesn't contain any .pem certificates, only curl’s CA bundle is used.
+
+## Trust Model Summary
+
+- Automatic verification protects against corruption and mismatched downloads
+- Manual verification anchors trust outside the update mechanism
+- Custom certificates explicitly extend trust and are opt-in only
+- The generated bundle is deterministic for a given input set
 
 ## References
 
-- [CURL's website](https://curl.se/docs/caextract.html)
-- [Espressif's documentation](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_crt_bundle.html)
-- [WiFiClientSecure Documentation](https://github.com/espressif/arduino-esp32/tree/master/libraries/WiFiClientSecure#using-a-bundle-of-root-certificate-authority-certificates)
+- [curl - CA Extract](https://curl.se/docs/caextract.html)
+- [Espressif ESP-IDF certificate bundle documentation](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_crt_bundle.html)