End-to-end OTA verified on dc-0002 after resolving server-side schema
mismatch (server now emits update/size/sig_b64 alongside existing fields).

Firmware changes:
- Bump FW_VERSION 1.0.0 -> 1.0.1
- Replace log_i/w/e with Serial.printf in ota_updater so output appears
  regardless of CORE_DEBUG_LEVEL (the prior macros were silent in prod)
- Log partition labels/offsets, per-128KB progress, computed sha256,
  HTTP errors with body, esp_ota_* errors by name, Content-Length vs
  expected size
- Check esp_ota_write return value (previously ignored -- silent
  partition corruption on write failure) and abort cleanly on error
- Reject update if expected_size > target partition size
- Serial.flush() + 500ms delay before esp_restart() so the final log
  line escapes the UART
- Boot-time: log running partition label/offset/state + FW_VERSION,
  and call esp_ota_mark_app_valid_cancel_rollback() on PENDING_VERIFY
  to prevent silent rollback after a successful OTA

Docs:
- Rewrite docs/ota-deployment-status.md to reflect resolved state,
  document the schema fix and the .bin/.sig co-deploy invariant

Replaces placeholder ota_verify_signature_with_key with real mbedtls
ECDSA verify; adds 4-case native test suite with generated P-256 vectors.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Generates firmware signing keypair; private key stays in gitignored
secrets/, public key written as 65-byte C array to
firmware/lib/ota_updater/ota_pubkey.h for compile-time OTA verification.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
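
Added example, not the project's code: a host-side C model of the write-path checks listed in the first commit above (reject when the expected size exceeds the target partition, check every write's return value and abort). `mock_partition_t`, `mock_write` and `ota_stream` are hypothetical stand-ins for the partition and the esp_ota_write call; treating a Content-Length mismatch as a hard error is an assumption, since the commit only says the two values are logged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical host-side stand-ins; none of these names are ESP-IDF APIs. */
typedef enum { OTA_OK = 0, OTA_ERR_TOO_LARGE, OTA_ERR_LENGTH_MISMATCH,
               OTA_ERR_WRITE, OTA_ERR_SHORT } ota_result_t;

typedef struct {
    size_t capacity; /* size of the target partition in bytes */
    size_t written;  /* bytes accepted by the mock flash so far */
    size_t fail_at;  /* constructed fault: writes crossing this offset fail (0 = never) */
} mock_partition_t;

/* Mock flash write: 0 on success, -1 on failure (nothing is written on failure). */
static int mock_write(mock_partition_t *p, const uint8_t *buf, size_t len) {
    (void)buf;
    if (p->fail_at && p->written + len > p->fail_at) return -1;
    p->written += len;
    return 0;
}

/* Stream an image body into the partition in 1 KiB chunks, failing closed. */
ota_result_t ota_stream(mock_partition_t *p, const uint8_t *body, size_t body_len,
                        size_t content_length, size_t expected_size) {
    if (expected_size > p->capacity) return OTA_ERR_TOO_LARGE; /* before touching flash */
    if (content_length != expected_size) return OTA_ERR_LENGTH_MISMATCH;
    size_t off = 0;
    while (off < body_len) {
        size_t n = body_len - off < 1024 ? body_len - off : 1024;
        if (off + n > expected_size) return OTA_ERR_LENGTH_MISMATCH; /* extra bytes sent */
        if (mock_write(p, body + off, n) != 0) { /* the return value is never ignored */
            fprintf(stderr, "write failed at offset %zu\n", off);
            return OTA_ERR_WRITE; /* abort: this image must not become bootable */
        }
        off += n;
    }
    return off == expected_size ? OTA_OK : OTA_ERR_SHORT; /* truncated download */
}

int main(void) {
    static uint8_t image[3000]; /* constructed sample image, all zeros */
    mock_partition_t part = { 4096, 0, 0 };
    printf("result=%d\n", (int)ota_stream(&part, image, sizeof image, sizeof image, sizeof image));
    return 0;
}
```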