feat(wigle): wigle_upload — authenticated wardrive-CSV upload to wigle.net (P2-26)#181
Merged
Conversation
…e.net (P2-26) Implements the upload half of roadmap P2-26: a wigle_upload tool that POSTs a WigleWifi-1.4 wardrive CSV (the output of wigle_wardrive_export) to the WiGLE v2 file-upload API. This is the first outward-network-egress capability, so it is deliberately conservative. Design — outward egress, double-gated: - Gate 1 (config opt-in): wigle.upload_enabled defaults false; the tool refuses with a friendly message until the operator arms it. The egress capability cannot be exercised out of the box. - Gate 2 (dispatch): classified risk.High, so every call goes through the standard confirmation + audit gates (and, over MCP, requires PROMPTZERO_MCP_ALLOW_HIGH). The two gates are independent and layered. - Credentials (WiGLE API name + token) come from wigle.api_name/api_token or the WIGLE_API_NAME / WIGLE_API_TOKEN env vars — never from tool arguments (which are logged/audited) — and are never echoed into results or error messages. Client (internal/wigle/client.go): - multipart/form-data POST, HTTP Basic auth (API name = user, token = password — WiGLE's actual auth; the roadmap said "OAuth" but the real API is Basic). - 401 and 429 reported distinctly (auth failure vs rate-limit exhaustion); any other non-2xx and a success:false body surface as errors, not false success. - Request size (32 MiB) and response read (1 MiB) bounded; donate defaults off (donation is opt-in). Endpoint is overridable so tests hit an httptest mock — NO live egress occurs during development or CI. Guardrails updated as required for a new High tool: register(High,...) in internal/risk, the registry-size pin (702 -> 703), and the gatedTools golden set (risk_danger_gate_test). classify==spec and risk-coverage invariants hold. Tests (all offline against a mock endpoint): - client: success + auth/multipart/donate assertions, 401, 429, success:false, malformed body, and local input guards (missing creds / empty / oversized). - handler: disabled-by-default refusal, missing-credentials refusal, blank-csv refusal, full success (asserts Basic auth sent + token NOT leaked into the result), donate defaults false, and remote-error propagation. Out of scope (still open on P2-26): GPS auto-stamping (flipper_gps_fix + Marauder scan stamping) is hardware-dependent. Verified: task ci green (lint 0 / vet / build / test:full -race 0 fail / govulncheck clean); task eval 17/17.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the upload half of roadmap P2-26. A wigle_upload tool POSTs a WigleWifi-1.4 CSV (from wigle_wardrive_export) to the WiGLE v2 file-upload API. First outward-egress capability, so double-gated: (1) config opt-in wigle.upload_enabled (default false → refuse); (2) risk.High → confirmation + audit on every call (MCP also needs PROMPTZERO_MCP_ALLOW_HIGH). Credentials from config/env (WIGLE_API_NAME/WIGLE_API_TOKEN), never tool args, never echoed into results/errors. Client: multipart POST, HTTP Basic auth, distinct 401/429 handling, success:false surfaced as error, bounded request/response, donate opt-in, endpoint overridable so all tests hit an httptest mock (NO live egress in dev/CI). Guardrails updated (register High, registry-size 702→703, gatedTools golden set). 13 offline tests (7 client + 6 handler, incl. token-not-leaked). GPS auto-stamping half of P2-26 remains open (hardware). task ci green; eval 17/17.