Skip to content

feat(wigle): wigle_upload — authenticated wardrive-CSV upload to wigle.net (P2-26)#181

Merged
xunholy merged 1 commit into
mainfrom
feat/wigle-upload
Jul 8, 2026
Merged

feat(wigle): wigle_upload — authenticated wardrive-CSV upload to wigle.net (P2-26)#181
xunholy merged 1 commit into
mainfrom
feat/wigle-upload

Conversation

@xunholy

@xunholy xunholy commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Implements the upload half of roadmap P2-26. A wigle_upload tool POSTs a WigleWifi-1.4 CSV (from wigle_wardrive_export) to the WiGLE v2 file-upload API. First outward-egress capability, so double-gated: (1) config opt-in wigle.upload_enabled (default false → refuse); (2) risk.High → confirmation + audit on every call (MCP also needs PROMPTZERO_MCP_ALLOW_HIGH). Credentials from config/env (WIGLE_API_NAME/WIGLE_API_TOKEN), never tool args, never echoed into results/errors. Client: multipart POST, HTTP Basic auth, distinct 401/429 handling, success:false surfaced as error, bounded request/response, donate opt-in, endpoint overridable so all tests hit an httptest mock (NO live egress in dev/CI). Guardrails updated (register High, registry-size 702→703, gatedTools golden set). 13 offline tests (7 client + 6 handler, incl. token-not-leaked). GPS auto-stamping half of P2-26 remains open (hardware). task ci green; eval 17/17.

…e.net (P2-26)

Implements the upload half of roadmap P2-26: a wigle_upload tool that POSTs a
WigleWifi-1.4 wardrive CSV (the output of wigle_wardrive_export) to the WiGLE v2
file-upload API. This is the first outward-network-egress capability, so it is
deliberately conservative.

Design — outward egress, double-gated:
- Gate 1 (config opt-in): wigle.upload_enabled defaults false; the tool refuses
  with a friendly message until the operator arms it. The egress capability
  cannot be exercised out of the box.
- Gate 2 (dispatch): classified risk.High, so every call goes through the
  standard confirmation + audit gates (and, over MCP, requires
  PROMPTZERO_MCP_ALLOW_HIGH). The two gates are independent and layered.
- Credentials (WiGLE API name + token) come from wigle.api_name/api_token or the
  WIGLE_API_NAME / WIGLE_API_TOKEN env vars — never from tool arguments (which
  are logged/audited) — and are never echoed into results or error messages.

Client (internal/wigle/client.go):
- multipart/form-data POST, HTTP Basic auth (API name = user, token = password —
  WiGLE's actual auth; the roadmap said "OAuth" but the real API is Basic).
- 401 and 429 reported distinctly (auth failure vs rate-limit exhaustion); any
  other non-2xx and a success:false body surface as errors, not false success.
- Request size (32 MiB) and response read (1 MiB) bounded; donate defaults off
  (donation is opt-in). Endpoint is overridable so tests hit an httptest mock —
  NO live egress occurs during development or CI.

Guardrails updated as required for a new High tool: register(High,...) in
internal/risk, the registry-size pin (702 -> 703), and the gatedTools golden set
(risk_danger_gate_test). classify==spec and risk-coverage invariants hold.

Tests (all offline against a mock endpoint):
- client: success + auth/multipart/donate assertions, 401, 429, success:false,
  malformed body, and local input guards (missing creds / empty / oversized).
- handler: disabled-by-default refusal, missing-credentials refusal, blank-csv
  refusal, full success (asserts Basic auth sent + token NOT leaked into the
  result), donate defaults false, and remote-error propagation.

Out of scope (still open on P2-26): GPS auto-stamping (flipper_gps_fix + Marauder
scan stamping) is hardware-dependent.

Verified: task ci green (lint 0 / vet / build / test:full -race 0 fail /
govulncheck clean); task eval 17/17.
@xunholy xunholy merged commit de88358 into main Jul 8, 2026
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant