device-id, location-id, wifi-ssid, and wifi-password were interpolated
directly into the NVS partition CSV. A value containing comma, double
quote, CR, or LF would split the field/row and silently provision the
wrong NVS keys — easiest concrete failure: a Wi-Fi password containing
a comma. Validate operator-supplied strings before generating the CSV.
Add an empty tools/__init__.py so the regression tests can import the
helper as 'tools.flash_device' (matches the existing 'server.*' test
pattern).
Found via adversarial review (run 2026-05-01-192928, gpt-5.5 reviewer).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
--hmac-secret accepted any string and passed it through to NVS, silently
producing a device that cannot authenticate to the server. Reject anything
that isn't exactly 64 hex characters (32 bytes) before generating the NVS
image. Auto-generated secrets are validated too as a defensive check.
Found via adversarial review (both reviewers, run 2026-05-01-192928).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
