controller/Kconfig.projbuild
ClearGrow Agent 9576f2503c
All checks were successful
ci/woodpecker/push/build Pipeline was successful
fix: CG-38 enforce HTTPS-only in production mode
Production builds now reject HTTP configuration for security:
- network_api_start_server() returns ESP_ERR_INVALID_ARG if http_port > 0
  when CONFIG_NETWORK_API_PRODUCTION_MODE is enabled
- Development mode logs detailed security warnings about HTTP usage
- Improved warning messages when HTTP enabled with secure boot
- Updated Kconfig documentation to clarify production mode behavior

This prevents accidental exposure of API keys, JWT tokens, and sensor
data over unencrypted HTTP connections in production environments.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-11 15:10:01 -07:00

89 lines
2.5 KiB
Plaintext

menu "ClearGrow Configuration"

    menu "Pairing Configuration"

        config CODE_PAIRING_ENABLED
            bool "Enable code-based pairing"
            default y
            help
                Enable pairing via manual PSKd code entry and discovery mode.
                This is the primary pairing method.

        config CODE_PAIRING_TIMEOUT_MS
            int "Code pairing timeout (ms)"
            default 120000
            range 30000 600000
            depends on CODE_PAIRING_ENABLED
            help
                Time to wait for probe to join after entering code.
                Default: 120000 (2 minutes)

        config DISCOVERY_SCAN_TIMEOUT_MS
            int "Discovery scan timeout (ms)"
            default 30000
            range 10000 120000
            depends on CODE_PAIRING_ENABLED
            help
                Time to scan for probes in discovery mode.
                Default: 30000 (30 seconds)

        config MAX_PENDING_JOINERS
            int "Maximum pending joiner entries"
            default 4
            range 1 16
            help
                Number of joiner entries that can be active simultaneously.

    endmenu

    menu "Machine Learning"

        config CLEARGROW_ENABLE_ML
            bool "Enable TensorFlow Lite anomaly detection"
            default n
            help
                Enable TensorFlow Lite Micro for sensor anomaly detection.
                Requires additional ~200KB flash and ~64KB RAM.

    endmenu

    menu "Network API Security"

        config NETWORK_API_PRODUCTION_MODE
            bool "Enable production mode (HTTPS only, HTTP rejected)"
            default n
            help
                When enabled, enforces HTTPS-only communications for security:
                - HTTP server is disabled by default (http_port = 0)
                - Any attempt to enable HTTP via configuration is REJECTED
                - network_api_start_server() returns ESP_ERR_INVALID_ARG if http_port > 0

                This prevents accidental exposure of credentials and data over
                unencrypted HTTP connections. API keys, JWT tokens, and sensor
                data are protected by requiring TLS encryption.

                IMPORTANT: This setting should ALWAYS be enabled for production
                builds, especially when using secure boot and flash encryption.

                In development mode (this option disabled), HTTP is allowed but
                a security warning is logged at startup.

    endmenu

    menu "Multi-Controller Synchronization"

        config CONTROLLER_SYNC_DISCOVERY_INTERVAL_MS
            int "mDNS discovery scan interval (ms)"
            default 10000
            range 5000 60000
            help
                Time between periodic mDNS scans for peer controllers.
                Lower values provide faster peer discovery but increase CPU/network overhead.
                Default: 10000 (10 seconds) - balanced responsiveness and efficiency.
                Range: 5000-60000 ms (5 seconds - 1 minute).

    endmenu

endmenu
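
A release-gate check for the NETWORK_API_PRODUCTION_MODE option above, as an added example that is not part of the ClearGrow repository: because the option defaults to n, an sdkconfig that never mentions it builds in development mode, so the check treats an absent symbol as off. The function names and the sample sdkconfig text are constructed for illustration; CONFIG_SECURE_BOOT and CONFIG_SECURE_FLASH_ENC_ENABLED are the ESP-IDF symbols for secure boot and flash encryption.

```python
import re

# Constructed sample sdkconfig fragments (not taken from the project).
SAMPLE_BAD = """\
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
# CONFIG_NETWORK_API_PRODUCTION_MODE is not set
"""
SAMPLE_GOOD = """\
CONFIG_SECURE_BOOT=y
CONFIG_NETWORK_API_PRODUCTION_MODE=y
"""

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")
_HARDENING = ("CONFIG_SECURE_BOOT", "CONFIG_SECURE_FLASH_ENC_ENABLED")


def parse_sdkconfig(text):
    """Return {symbol: value}; bool symbols written as 'is not set' map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def check_release_config(text):
    """Return a list of findings; an empty list means the config may ship."""
    cfg = parse_sdkconfig(text)
    findings = []
    # Absent symbol == Kconfig default 'n' == development mode (HTTP allowed).
    if cfg.get("CONFIG_NETWORK_API_PRODUCTION_MODE", "n") != "y":
        msg = "CONFIG_NETWORK_API_PRODUCTION_MODE is off: HTTP is allowed"
        hardened = [s for s in _HARDENING if cfg.get(s) == "y"]
        if hardened:
            msg += " although " + ", ".join(hardened) + " is set"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_release_config(sample) or "OK")
```

Run it in the CI pipeline against the generated sdkconfig of a release build and fail the job when the returned list is non-empty.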