sprint-8: EKF + adaptive tuner + HWID + SHA-256 audit hash-chain

- heading_ekf.py: 2-state Kalman filter fusing PGN 127250 heading and
  127251 ROT with shortest-arc innovation and symmetric covariance update
- adaptive_tuner.py: gradient-descent outer-loop Kp/Ki adjuster bounded
  to ±adaptive_max_deviation_pct; oscillation vs steady-state detection
- hwid.py: HMAC-SHA256 activation token (verify side); hwid_from_mac_words
  converts three Modbus uint16 MAC words to 12-char hex HWID
- audit.py: SHA-256 hash-chain -- each JSONL line carries prev_hash and
  line_hash; verify_chain() detects tampering, deletion, insertion
- firmware/system/hwid.h+cpp: esp_efuse_mac_get_default wrapper + FNV-32
  hash + "AA:BB:CC:DD:EE:FF" formatter
- modbus_registers.yaml + generated .h/.py: HWID_MAC_01/23/45 at
  input addrs 9/10/11 (three 16-bit words = 6-byte MAC)
- modbus_slave.cpp: INPUT_HWID_MAC_01/23/45 cases read eFuse MAC
- main.cpp: logs HWID string + FNV-32 hash at boot (activation traceability)
- tests: 72 new tests (audit signing, EKF, adaptive tuner, HWID) -- 398 total

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-20 03:07:27 -04:00
parent 5f9b445572
commit 45642fda0e
15 changed files with 1217 additions and 5 deletions
+107 -4
View File
@@ -15,6 +15,7 @@ instances + a CLI tool don't interleave half-written events.
from __future__ import annotations
import hashlib
import json
from datetime import UTC, datetime
from enum import StrEnum
@@ -23,6 +24,9 @@ from typing import Any
from pydantic import BaseModel, ConfigDict, Field
# Sentinel used as the "previous hash" for the very first entry in a log.
# It is 64 "0" characters, i.e. the same width as a SHA-256 hex digest, so it
# has the same shape as the real hashes stored in the chain.
GENESIS_HASH = "0" * 64
class AuditOutcome(StrEnum):
SUCCESS = "success"
@@ -67,26 +71,85 @@ class AuditEvent(BaseModel):
)
extra: dict[str, Any] = Field(default_factory=dict)
# ----- Hash-chain fields (Sprint 8) -------------------------------------
# Set by AuditLog.append(); must not be set by the caller.
# Both fields default to None and are constrained to exactly 64 lower-case
# hexadecimal characters (the width of a SHA-256 hex digest).
#
# prev_hash links this entry to its predecessor in the log.
# NOTE(review): the description string below says "digest of the previous
# JSONL line", but AuditLog.append() stores the previous entry's line_hash
# here (GENESIS_HASH for the first entry), not a digest of the raw line text.
# Consider rewording the description; it is left untouched here because it
# is part of the generated schema.
prev_hash: str | None = Field(
default=None,
min_length=64,
max_length=64,
pattern=r"^[0-9a-f]{64}$",
description="SHA-256 hex digest of the previous JSONL line (or GENESIS_HASH for first).",
)
# line_hash is the digest of prev_hash concatenated with this event's
# canonical JSON, i.e. the event dumped with sorted keys and without the two
# hash fields (see AuditLog.append / AuditEvent._compute_hash).
line_hash: str | None = Field(
default=None,
min_length=64,
max_length=64,
pattern=r"^[0-9a-f]{64}$",
description="SHA-256 hex digest of (prev_hash + this event's canonical JSON).",
)
def to_jsonl(self) -> str:
    """Serialize this event to a single JSON line.

    The returned string carries no trailing newline, and non-ASCII
    characters are kept verbatim rather than escaped.
    """
    # Dump in JSON mode first so json.dumps only sees JSON-compatible values.
    record = self.model_dump(mode="json")
    return json.dumps(record, ensure_ascii=False)
@staticmethod
def _compute_hash(prev_hash: str, payload: str) -> str:
"""Return SHA-256(prev_hash + payload) as a lower-case hex string."""
return hashlib.sha256((prev_hash + payload).encode()).hexdigest()
class AuditLog:
"""Append-only writer to a JSONL audit file."""
"""Append-only writer to a JSONL audit file with SHA-256 hash-chain.
Each appended event is automatically chained: ``prev_hash`` is set to the
``line_hash`` of the previous entry (or GENESIS_HASH for the first entry),
and ``line_hash`` is SHA-256(prev_hash + canonical_json), where
canonical_json is the event serialized with sorted keys and without the
two hash fields.
The chain is verified by :meth:`verify_chain`.
"""
def __init__(self, path: Path | str) -> None:
    """Open the audit log at *path*, creating it if necessary.

    Missing parent directories and the log file itself are created, then
    the hash of the last stored entry is loaded so that the next append
    links onto the existing chain.
    """
    log_file = Path(path)
    self.path = log_file
    # Make sure the containing directory exists before touching the file.
    log_file.parent.mkdir(parents=True, exist_ok=True)
    # Create an empty file on first run; an existing file is left as it is.
    if not log_file.exists():
        log_file.touch()
    # Seed the chain state from whatever the file already holds.
    self._last_line_hash: str = self._read_last_hash()
def _read_last_hash(self) -> str:
    """Return the ``line_hash`` of the last entry, or GENESIS_HASH.

    GENESIS_HASH is returned when the file is missing or empty, holds only
    blank lines, or when its last non-blank line is not a JSON object
    carrying a non-empty string ``line_hash``.
    """
    if not self.path.exists() or self.path.stat().st_size == 0:
        return GENESIS_HASH
    last_line = ""
    with self.path.open("r", encoding="utf-8") as f:
        # Scan forward, remembering only the most recent non-blank line.
        for line in f:
            stripped = line.strip()
            if stripped:
                last_line = stripped
    if not last_line:
        return GENESIS_HASH
    try:
        data = json.loads(last_line)
    except json.JSONDecodeError:
        return GENESIS_HASH
    # json.loads may yield a list, number, string, ... for a valid line;
    # only an object can carry a line_hash, so anything else falls back
    # to the genesis value instead of failing on ``.get``.
    if not isinstance(data, dict):
        return GENESIS_HASH
    tail_hash = data.get("line_hash")
    # Honour the ``-> str`` contract: a missing, empty or non-string value
    # is treated the same as "no usable hash".
    if isinstance(tail_hash, str) and tail_hash:
        return tail_hash
    return GENESIS_HASH
def append(self, event: AuditEvent) -> None:
    """Append one event with hash-chain fields filled in.

    ``prev_hash`` is set to the last hash known to this instance and
    ``line_hash`` to SHA-256(prev_hash + canonical JSON), where the
    canonical JSON is the event dumped with sorted keys and without the two
    hash fields. Any ``prev_hash``/``line_hash`` already present on *event*
    is ignored; a signed copy is written and *event* itself is not updated.

    The signed line and its newline are handed to the file in one
    ``write()`` call.
    """
    # NOTE(review): the previous hash comes from a value cached on this
    # instance. If another writer appends to the same file in between, this
    # entry would link to a stale hash -- confirm single-writer usage.
    prev = self._last_line_hash
    # Build the payload (without hash fields) for signing.
    payload_dict = event.model_dump(mode="json")
    payload_dict.pop("prev_hash", None)
    payload_dict.pop("line_hash", None)
    # Sorted keys give a serialization that verify_chain() can reproduce
    # from the parsed line regardless of field order on disk.
    canonical = json.dumps(payload_dict, ensure_ascii=False, sort_keys=True)
    h = AuditEvent._compute_hash(prev, canonical)
    # Create a signed copy.
    signed = event.model_copy(update={"prev_hash": prev, "line_hash": h})
    # Write only the signed line: emitting the unsigned event as well would
    # glue two JSON documents onto one line and break the chain.
    with self.path.open("a", encoding="utf-8") as f:
        f.write(signed.to_jsonl() + "\n")
    # Advance the cached tail only after the write went through.
    self._last_line_hash = h
def read_all(self) -> list[AuditEvent]:
"""Read every event in chronological order."""
@@ -107,6 +170,46 @@ class AuditLog:
events.append(AuditEvent.model_validate(data))
return events
def verify_chain(self) -> tuple[bool, str]:
    """Verify the hash-chain integrity of the entire log.

    Walks the file from the first line, checking that each entry's
    ``prev_hash`` equals the previous entry's ``line_hash`` (GENESIS_HASH
    for the first entry) and that ``line_hash`` matches the hash recomputed
    from the entry's remaining fields. Blank lines are skipped, so an empty
    log verifies as ok.

    Returns ``(True, "ok")`` on success, or ``(False, reason)`` on
    the first detected tampering. Errors from opening the file are not
    caught here.

    Note: entries removed from the *end* of the file leave a shorter but
    still consistent chain, which this check accepts.
    """
    prev = GENESIS_HASH
    with self.path.open("r", encoding="utf-8") as f:
        for line_no, raw in enumerate(f, start=1):
            line = raw.strip()
            if not line:
                continue
            try:
                data = json.loads(line)
            except json.JSONDecodeError:
                return False, f"line {line_no}: invalid JSON"
            # A valid JSON value that is not an object (list, number, ...)
            # cannot be an audit entry; report it instead of failing on
            # ``.get`` below.
            if not isinstance(data, dict):
                return False, f"line {line_no}: not a JSON object"
            stored_prev = data.get("prev_hash")
            stored_hash = data.get("line_hash")
            if stored_prev != prev:
                return False, (
                    f"line {line_no}: prev_hash mismatch "
                    f"(expected {prev[:16]}… got {str(stored_prev)[:16]}…)"
                )
            # Recompute canonical payload (fields minus hash fields).
            payload = {
                k: v for k, v in data.items()
                if k not in ("prev_hash", "line_hash")
            }
            canonical = json.dumps(payload, ensure_ascii=False, sort_keys=True)
            expected = AuditEvent._compute_hash(prev, canonical)
            if stored_hash != expected:
                return False, (
                    f"line {line_no}: line_hash mismatch -- entry tampered"
                )
            # The verified hash becomes the link the next entry must cite.
            prev = stored_hash
    return True, "ok"
def __len__(self) -> int:
if not self.path.exists():
return 0