Preview subsystem rework: non-blocking resumable send + graceful degradation

[ewowi]

Summary

This branch grew well beyond its original title. It started as a control-validation refactor and became a large 3D-preview subsystem rework plus a batch of surrounding improvements: the preview now streams full-resolution frames to the browser without ever stalling the LED render tick, degrades gracefully on a slow link, and previews a 128² grid smoothly on all three boards (classic ESP32, S3, P4). Alongside it: firmware-identity controls moved to their own card, an audio level-display fix, a mDNS crash fix, a two-chapter Getting Started guide, and a browser-faithful preview-health probe.

What landed

Preview subsystem (the bulk of the branch)

• Non-blocking, resumable WebSocket send. The full-resolution colour frame streams from the producer buffer a memory-adaptive chunk per transport tick (drained on loop20ms, off the render hot path); the next frame starts only when the previous one drained, so the effective frame rate self-limits to what the link sustains — no loop stall, no connection drop. Drop-new backpressure (a frame offered while one is in flight is dropped, the in-flight one kept).
• Graceful degradation under transport backpressure (architecture.md names it): shed frame rate first, then resolution via a closed-form spatial-lattice downsample, with a memory-derived point cap so a tighter board downsamples sooner. The render loop is charged only a bounded slice per tick; a wedged client is closed past a spin budget and reconnects.
• Zero preview buffers — drivers read the producer buffer directly; the preview decoupled from core via the domain-neutral BinaryBroadcaster interface.
• Responsive UI — docked split-pane preview / floating draggable PiP; the grid draws the instant the coordinate table arrives; effective fps shown in the status bar.

Core / domain

• Control validation moved onto the control (ControlDescriptor::validate), removing the bespoke SET_DEVICE_MODEL Improv RPC; deviceModel is now set like any catalog default (APPLY_OP / POST /api/control).
• Firmware-identity controls (version, build, firmware, firmwarePartition) moved SystemModule → FirmwareUpdateModule, where they belong next to the OTA status.
• mDNS browse crash fixed — replaced the async-handle API (which raced the IDF expiry timer on a UI refresh) with a self-contained, throttled synchronous mdnsBrowse.
• GridLayout serpentine option; Layer measures mapping identity (dense fast path vs LUT); LinesEffect off-by-one sweep fix; NetworkSendDriver light_count slice.
• Audio level read-out shows the per-second peak of the RMS level (was reading 0 between beats); renamed to level RMS. Algorithm untouched.

Tooling / docs

• scripts/diag/preview_health.py — browser-faithful preview-stream health probe (reads frames, sends the 25 s keepalive ping, auto-reconnects), wired into MoonDeck's Live tab. Measures what a user watching the preview actually sees.
• Getting Started reworked into two chapters: install (chapter 1) + a UI tour for new users (chapter 2), with a note that projectMM's engine is reusable beyond lights (FastLED-MM as an example).
• Module specs, decisions.md lessons, and docs/history/plans/ (shipped plans marked) updated.

Verification

• Desktop build -Werror clean; 447 unit tests pass; all scenarios pass; spec + platform-boundary checks pass; host Python (4) + JS (6) suites pass.
• ESP32 builds (esp32s3-n16r8 + classic esp32) clean.
• Hardware: 128² preview verified streaming on classic / S3 / P4.
• Pre-merge Reviewer agent over the whole branch diff: architecturally sound, no blockers (its one should-fix — a dead WriteChunk struct — applied).
• CodeRabbit findings across the branch processed (fixed or accepted-with-reason).

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Removes the SET_DEVICE_MODEL vendor Improv RPC and routes deviceModel through APPLY_OP with a new per-control validate callback on ControlDescriptor. Replaces the scatter-gather WebSocket preview send with a non-blocking begin/push/end staged API and spatial-lattice downsampling. Switches mDNS discovery to a single synchronous mdnsBrowse call. Adds a responsive docked/PiP preview UI with two-pass WebGL rendering. Adds MoonDeck inject-defaults tooling, scenario runner optional-skip propagation, and driver light-count caps.

Changes

Per-control text validation and SET_DEVICE_MODEL removal

Layer / File(s)	Summary
Control validator contract, apply path, and tests src/core/Control.h, src/core/Control.cpp, test/unit/core/unit_Control_apply_absent_key.cpp, test/unit/core/unit_HttpServerModule_apply.cpp, docs/moonmodules/core/SystemModule.md, docs/backlog/backlog.md	ControlDescriptor gains an optional validate function pointer; addText accepts it; applyControlValue parses into a scratch buffer, calls the validator, returns Malformed on rejection, and only then commits via strncpy; unit tests cover valid, malformed, boundary, and unvalidated paths through both applyControlValue and applyOp.
SystemModule validator wiring and ImprovProvisioningModule cleanup src/core/SystemModule.h, src/core/ImprovProvisioningModule.h, src/main.cpp	SystemModule replaces setDeviceModel with a static validateDeviceModel registered via addText; ImprovProvisioningModule removes pendingDeviceModel_ fields and the loop1s polling block; main comments describe the new APPLY_OP injection path.
Platform Improv API and ESP32/desktop SET_DEVICE_MODEL removal src/platform/platform.h, src/platform/esp32/platform_esp32_improv.cpp, src/platform/desktop/platform_desktop.cpp	platform.h drops device-model extension output parameters from improvProvisioningInit; ESP32 Improv removes ImprovTaskState device-model fields, the SET_DEVICE_MODEL handler, and its dispatch path; the desktop stub signature is updated.
Installer flow switched to APPLY_OP-only defaults push docs/install/improv-frame.js, docs/install/install-orchestrator.js, docs/install/README.md, docs/install/index.html, docs/moonmodules/core/ImprovProvisioningModule.md	IMPROV_CMD_SET_DEVICE_MODEL constant removed; install-orchestrator drops the SET_DEVICE_MODEL frame helpers, import, and UART settle wait, making pushDefaultsOverSerial call sendConfigOverSerial directly; install page copy and ImprovProvisioningModule.md wire-contract are updated.

Non-blocking WebSocket preview: writeSome, staged drain, spatial lattice, generation resend

Layer / File(s)	Summary
TcpConnection writeSome API replacing writeChunks src/platform/platform.h, src/platform/esp32/platform_esp32.cpp, src/platform/desktop/platform_desktop.cpp	WriteResult enum and writeChunks scatter-gather API are removed; writeSome(data, len) performs a single non-blocking write and returns byte count, 0 (would-block), or -1 (error) on both ESP32 (lwip) and desktop (POSIX).
BinaryBroadcaster staged frame API and HttpServerModule implementation src/core/BinaryBroadcaster.h, src/core/HttpServerModule.h, src/core/HttpServerModule.cpp, docs/moonmodules/core/HttpServerModule.md, docs/history/plans/Plan-20260622 - Non-blocking preview send.md, docs/history/plans/Plan-20260623 - Stream preview from buffers, zero preview buffers.md	BinaryBroadcaster replaces broadcastBinary with bool-returning begin/push/end streaming frame methods and adds clientGeneration; HttpServerModule implements them using a sendAllOrClose helper with bounded non-blocking spin; WS upgrade increments wsClientGeneration_; plan docs record architecture decisions.
PreviewDriver spatial-lattice downsampling, generation resend, and coordPending retry src/light/drivers/PreviewDriver.h, docs/moonmodules/light/drivers/PreviewDriver.md, test/unit/light/unit_PreviewDriver.cpp, docs/history/decisions.md	lastCoordTime_ replaced by lastClientGen_ for generation-driven coordinate table sends; buildAndSendCoordTable uses per-axis lattice sampling with a PSRAM-dependent cap; coordPending_ gates RGB frame sending; sendFrame returns bool; unit tests cover backpressure retry and no-timer-resend behaviors.

mDNS synchronous browse API

Layer / File(s)	Summary
platform.h and platform implementations for synchronous mdnsBrowse src/platform/platform.h, src/platform/esp32/platform_esp32.cpp, src/platform/desktop/platform_desktop.cpp, docs/history/decisions.md	mdnsBrowseStart/Poll/Stop are replaced by a single mdnsBrowse(service, proto, timeoutMs, cb, user) declaration; ESP32 performs one synchronous PTR query/iterate/free; desktop is a no-op; decisions doc captures the async-handle crash rationale.
DevicesModule throttled synchronous browse step src/core/DevicesModule.h	DevicesModule replaces the mdnsQuerying_ async state machine with mdnsTick_-based throttling that calls mdnsBrowse once per cadence for the current service type.

Responsive docked split-pane and draggable PiP preview UI

Layer / File(s)	Summary
Workspace HTML structure and docked/PiP CSS layout src/ui/index.html, src/ui/style.css, docs/history/plans/Plan-20260622 - Responsive split-pane preview with draggable PiP.md	index.html introduces workspace/preview-pane/preview-bar with dock, close, show controls, and labels canvas overlay; CSS defines mode-docked two-column sticky/scroll layout and mode-pip fixed floating pane with drag states, grip, and dismissed/restore affordances.
preview3d setupLayout controller and WebGL rendering updates src/ui/preview3d.js, src/ui/app.js	Adds setupLayout with guarded localStorage prefs, mode switching, PiP drag/clamp/corner snap, dot-size and sequence-number controls; WebGL gains two-pass lit/unlit LED rendering, wireframe bounding box, depth-correct point sizing, cursor-anchored zoom, and u32 count parsing for 0x02/0x03 frames with desync guard; app.js wires setupLayout.

MoonDeck inject defaults, scenario runner optional skipping, and driver light-count caps

Layer / File(s)	Summary
MoonDeck board push helper and inject-defaults button scripts/moondeck_ui/app.js, scripts/moondeck_ui/style.css	pushBoard POSTs to /api/push-board with a 10s timeout; the inject-defaults button validates selection, disables during request, shows ok/fail feedback; board-row CSS becomes a flex container so the picker and button share the row.
Scenario runner optional module skip propagation scripts/scenario/run_live_scenario.py	skipped_ids tracks platform-unavailable optional add_module IDs; subsequent optional measure/set_control/remove_module steps on skipped IDs become no-ops without issuing REST calls.
NetworkSendDriver light_count control and RmtLedDriver pin-count cap src/light/drivers/NetworkSendDriver.h, src/light/drivers/RmtLedDriver.h, docs/moonmodules/light/drivers/NetworkSendDriver.md	NetworkSendDriver adds a lightCount field and light_count UI control limiting transmitted frame size to N lights; RmtLedDriver accumulates txLightCount_ from pinCounts_ in parseConfig and uses it to cap encoded lights per loop.

Documentation and scenario fixture refreshes

Layer / File(s)	Summary
Writing policy and landing page updates CLAUDE.md, docs/landing/index.html	CLAUDE.md expands the present-tense rule to forbid absence-narration with explicit exceptions for backlog/history/decisions; docs/landing adds a getting-started note link and expanded links section.
Scenario observed metric and timestamp refresh test/scenarios/light/scenario_*.json	All affected scenario JSON fixtures receive updated tick_us, free_heap, max_alloc_block, and at timestamps reflecting June 22, 2026 measurements across pc-macos, esp32s3-n16r8, and esp32p4-eth platforms.

Sequence Diagram(s)

sequenceDiagram
  participant Installer as Web Installer
  participant ImprovSerial as Improv Serial (ESP32)
  participant applyOp as HttpServerModule::applyOp
  participant applyControlValue
  participant SystemModule

  Installer->>ImprovSerial: APPLY_OP frame: set System.deviceModel
  ImprovSerial->>applyOp: opOut JSON (via pendingOp_)
  applyOp->>applyControlValue: JSON string value
  applyControlValue->>SystemModule: validateDeviceModel(scratch)
  alt invalid (non-printable / empty / too long)
    SystemModule-->>applyControlValue: false
    applyControlValue-->>applyOp: ApplyResult::Malformed
  else valid
    SystemModule-->>applyControlValue: true
    applyControlValue->>SystemModule: strncpy deviceModel_
    applyControlValue-->>applyOp: ApplyResult::Ok
    applyOp-->>ImprovSerial: ack OK
  end

Loading

sequenceDiagram
  participant PreviewDriver
  participant BinaryBroadcaster as HttpServerModule BinaryBroadcaster
  participant sendAllOrClose
  participant WsClient as WebSocket Client

  PreviewDriver->>BinaryBroadcaster: beginBinaryFrame(totalLen)
  BinaryBroadcaster->>sendAllOrClose: write WS frame header
  sendAllOrClose->>WsClient: writeSome (non-blocking)
  PreviewDriver->>BinaryBroadcaster: pushBinaryFrame(coordBytes)
  BinaryBroadcaster->>sendAllOrClose: write coord payload
  sendAllOrClose->>WsClient: writeSome (bounded spins)
  PreviewDriver->>BinaryBroadcaster: endBinaryFrame()
  BinaryBroadcaster-->>PreviewDriver: false = backpressure → increase previewStride_
  note over PreviewDriver: coordPending_ gates RGB send until endBinaryFrame() returns true
  PreviewDriver->>BinaryBroadcaster: beginBinaryFrame + push RGB frame
  BinaryBroadcaster-->>PreviewDriver: true = all clients accepted

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• MoonModules/projectMM#2: Both PRs modify ControlDescriptor in src/core/Control.h — this PR adds a validate callback field and validator-aware addText/write-path enforcement to the same struct changed in #2.
• MoonModules/projectMM#22: Both PRs modify deviceModel identity plumbing in SystemModule/ImprovProvisioningModule; #22 introduced SET_DEVICE_MODEL which this PR removes in favor of APPLY_OP with per-control validation.
• MoonModules/projectMM#23: Directly continues the device-model-via-APPLY_OP work from #23, touching the same installer framing (docs/install/improv-frame.js, install-orchestrator.js) and device-side provisioning paths.

Poem

🐇 Hop, hop — no more SET_DEVICE_MODEL in sight,
The model glides in via APPLY_OP, light!
The preview floats in PiP or docks with grace,
Non-blocking sends keep latency in place.
mDNS browses once and hops away,
A bunny's tidy warren — hip hooray! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the major preview streaming rewrite and its backpressure/degradation focus.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch next-iteration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/moonmodules/core/ImprovProvisioningModule.md`:
- Line 30: The documentation states that the installer awaits each ack for
APPLY_OP operations, but the actual implementation in install-orchestrator.js
uses open-loop pacing without reading ack responses. Update the APPLY_OP
description in the ImprovProvisioningModule.md file to accurately reflect that
the installer does not wait for acks and instead uses open-loop pacing for
sending operations, removing or correcting the phrase "the installer awaits each
ack" to match the actual behavior documented in install-orchestrator.js lines
144-153.

In `@docs/moonmodules/core/SystemModule.md`:
- Line 19: The deviceModel bullet point in SystemModule.md contains historical
narration at the end that violates the documentation's present-state-only rule.
Remove the trailing sentence beginning with "Was its own `BoardModule` child
until folded into System" from the deviceModel bullet description, keeping all
the current operational details about how it functions but trimming the
historical context about its past organizational structure.

In `@src/core/Control.cpp`:
- Around line 275-279: The scratch buffer in the Text/Password control
validation path is fixed at 64 bytes, causing silent truncation when maxLen
exceeds 64. Instead of using a fixed char scratch[64] array, allocate the
scratch buffer dynamically to accommodate the actual maxLen value. The
mm::json::parseString call should parse into a buffer sized to hold the maximum
length specified by maxLen, not hardcoded to sizeof(scratch). This ensures
validated text values larger than 63 characters are properly preserved rather
than silently truncated.

In `@src/core/Control.h`:
- Around line 181-187: The validate function pointer is being added directly to
the ControlDescriptor structure, which unnecessarily increases memory overhead
for every control descriptor instance even when validation is not needed,
conflicting with the <16 bytes per descriptor guideline. Instead of adding this
pointer to the ControlDescriptor structure itself, implement a separate
validation registry or lookup mechanism that only stores validators for controls
that actually require them, keeping the descriptor structure lean and only
allocating validation storage when necessary.

In `@test/unit/core/unit_Control_apply_absent_key.cpp`:
- Around line 119-142: The test for applyControlValue with the
acceptPrintableAscii validator is missing boundary checks for the maximum
allowed string length. The validator accepts 1 to 31 characters maximum (31
chars + 1 null terminator in the 32-byte buffer), but the current test only
validates empty strings and control-byte rejection. Add two additional CHECK
statements after the existing tests: one that verifies a 31-character valid
string is accepted and applied successfully, and another that verifies a
32-character string is rejected as Malformed with the prior value preserved.
These boundary tests should use the same applyControlValue and applyPolicy calls
as the existing test cases to ensure length validation is properly exercised.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ae6f1c93-96c6-4caa-aa8c-ba80793ce62f

📥 Commits

Reviewing files that changed from the base of the PR and between 57be007 and 41303e4.

📒 Files selected for processing (19)

• CLAUDE.md
• docs/backlog/backlog.md
• docs/install/README.md
• docs/install/improv-frame.js
• docs/install/index.html
• docs/install/install-orchestrator.js
• docs/landing/index.html
• docs/moonmodules/core/ImprovProvisioningModule.md
• docs/moonmodules/core/SystemModule.md
• src/core/Control.cpp
• src/core/Control.h
• src/core/ImprovProvisioningModule.h
• src/core/SystemModule.h
• src/main.cpp
• src/platform/desktop/platform_desktop.cpp
• src/platform/esp32/platform_esp32_improv.cpp
• src/platform/platform.h
• test/unit/core/unit_Control_apply_absent_key.cpp
• test/unit/core/unit_HttpServerModule_apply.cpp

💤 Files with no reviewable changes (3)

• docs/install/improv-frame.js
• docs/backlog/backlog.md
• src/platform/desktop/platform_desktop.cpp

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Avoid widening ControlDescriptor for every control entry.

Adding a raw function pointer to every descriptor increases per-control memory permanently, even for controls that never use validation. This pushes the structure farther from the ESP32 descriptor-size target and scales poorly with control count.

As per coding guidelines: "Target <16 bytes per control descriptor on ESP32."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/Control.h` around lines 181 - 187, The validate function pointer is
being added directly to the ControlDescriptor structure, which unnecessarily
increases memory overhead for every control descriptor instance even when
validation is not needed, conflicting with the <16 bytes per descriptor
guideline. Instead of adding this pointer to the ControlDescriptor structure
itself, implement a separate validation registry or lookup mechanism that only
stores validators for controls that actually require them, keeping the
descriptor structure lean and only allocating validation storage when necessary.

Source: Coding guidelines

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/moonmodules/core/ImprovProvisioningModule.md`:
- Line 30: The APPLY_OP description in the ImprovProvisioningModule.md
documentation contains backward-looking language that narrates the absence of
old features. Remove or rewrite the final parenthetical statement that begins
with "(The device-side catalog fetch + the old `?deviceModel=` handoff are
removed..." to focus only on present-state functionality. Either delete this
sentence entirely or rephrase it to describe current capabilities (such as using
MoonDeck on the LAN) without referencing what has been removed, as per the
documentation style guidelines requiring present-state wording only.

In `@src/ui/index.html`:
- Around line 37-42: The preview control buttons with IDs preview-dock,
preview-close, and preview-reset use only symbol icons and title attributes,
which is insufficient for screen reader accessibility. Add aria-label attributes
to each of these buttons to provide explicit accessible names that screen
readers can reliably announce, ensuring the accessible names clearly describe
the actions (e.g., "Pop preview out or dock", "Hide preview", "Reset camera").

In `@src/ui/preview3d.js`:
- Around line 205-214: The preview-close button currently persists the dismissed
state even when the preview is in docked mode, causing confusing behavior when
the narrow mode auto-PiP is triggered later. Find the click handler for the
preview-close element (referenced at lines 234-238 according to the comment) and
add a condition to only set dismissed=true when the preview is actually in PiP
mode (check the pip variable state or similar condition that indicates PiP
mode). This ensures that closing the preview in docked mode does not persist a
hidden state that will affect the appearance when auto-PiP is activated in
narrow mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 652e242d-56e4-4cda-8856-24ae9ca7e1e7

📥 Commits

Reviewing files that changed from the base of the PR and between 41303e4 and 37be156.

📒 Files selected for processing (10)

• docs/history/plans/Plan-20260622 - Responsive split-pane preview with draggable PiP.md
• docs/moonmodules/core/ImprovProvisioningModule.md
• docs/moonmodules/core/SystemModule.md
• src/core/Control.cpp
• src/ui/app.js
• src/ui/index.html
• src/ui/preview3d.js
• src/ui/style.css
• test/scenarios/light/scenario_Driver_mutation.json
• test/unit/core/unit_Control_apply_absent_key.cpp

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

docs/moonmodules/core/ImprovProvisioningModule.md (1)

30-32: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Keep this paragraph in present tense.

The no HTTP, no browser handoff, and there's no STA phrasing still reads as absence narration. This is the same doc-style cleanup already called out above; please rephrase those clauses to describe the current flow directly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/moonmodules/core/ImprovProvisioningModule.md` around lines 30 - 32,
Rephrase the negative absence constructions in this documentation paragraph to
describe the actual present-tense flows directly. Specifically, convert phrases
like "no HTTP and no browser handoff", "there's no STA to provision", and
"aren't linked" into active descriptions of what actually happens or what is
available on eth-only builds. Replace absence narration with direct statements
of the current behavior and capabilities, keeping the entire paragraph in
present tense throughout.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/moondeck_ui/app.js`:
- Around line 893-899: The pushBoard function lacks timeout protection, which
can wedge the button indefinitely if a network request stalls. Add an
AbortController to the fetch call in pushBoard with a timeout (e.g., 10 seconds)
that aborts the request if it exceeds the duration, ensuring the abort triggers
the existing catch handler to call onDone(false) and allow the button to be
re-enabled. Pass the abort signal to the fetch request options.
- Around line 893-899: The pushBoard function is incorrectly using r.ok (HTTP
status) to determine operation success, but the /api/push-board endpoint returns
the actual success status in the JSON response body as {"ok": ...}. Since HTTP
200 can be returned even when the operation failed, this causes false success
reports. Fix this by parsing the response as JSON using r.json() and checking
the ok field from the parsed JSON object, then passing that value to onDone.
Apply the same fix to the other location mentioned at lines 926-928.

In `@src/platform/esp32/platform_esp32.cpp`:
- Around line 1005-1007: Update the documentation comments in the mDNS service
browse section to reflect the current synchronous implementation instead of the
removed async pattern. Remove or update the comments at lines 1005–1006 that
reference the old async behavior (mentions of "poll a few ms each tick",
"mdnsSearch_", and "cancelMdnsBrowse"). Additionally, update the section header
at line 1002 that labels this section as "(async, non-blocking)" to accurately
describe the current synchronous behavior, ensuring the documentation matches
the actual implementation.

In `@src/ui/preview3d.js`:
- Around line 480-483: The comment block describes adding "plus half a cell" to
the half-extents calculation to enclose the outermost LED centres, but the
actual code computing hx = previewBox_.x / 2 / md does not implement this
offset. Update the comment to accurately describe what the code actually
does—remove the mention of "plus half a cell" since that adjustment is not
present in the hx calculation, making the documentation match the actual
implementation.

---

Duplicate comments:
In `@docs/moonmodules/core/ImprovProvisioningModule.md`:
- Around line 30-32: Rephrase the negative absence constructions in this
documentation paragraph to describe the actual present-tense flows directly.
Specifically, convert phrases like "no HTTP and no browser handoff", "there's no
STA to provision", and "aren't linked" into active descriptions of what actually
happens or what is available on eth-only builds. Replace absence narration with
direct statements of the current behavior and capabilities, keeping the entire
paragraph in present tense throughout.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3aee67fe-270c-4cd5-9813-6759c2a6be24

📥 Commits

Reviewing files that changed from the base of the PR and between 37be156 and 0c9fbd3.

📒 Files selected for processing (18)

• docs/history/decisions.md
• docs/moonmodules/core/ImprovProvisioningModule.md
• scripts/moondeck_ui/app.js
• scripts/moondeck_ui/style.css
• src/core/BinaryBroadcaster.h
• src/core/DevicesModule.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• src/light/drivers/PreviewDriver.h
• src/platform/desktop/platform_desktop.cpp
• src/platform/esp32/platform_esp32.cpp
• src/platform/platform.h
• src/ui/index.html
• src/ui/preview3d.js
• test/scenarios/light/scenario_GridLayout_resize.json
• test/scenarios/light/scenario_perf_full.json
• test/scenarios/light/scenario_perf_light.json
• test/unit/light/unit_PreviewDriver.cpp

[coderabbitai]

Actionable comments posted: 16

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/moonmodules/core/ImprovProvisioningModule.md (1)

23-30: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Stale vendor-extension count after SET_DEVICE_MODEL removal.

Line 23 states the implementation supports "four standard RPC commands plus three vendor extensions," but with SET_DEVICE_MODEL (0xFE) deleted in this PR, only two vendor extensions remain in the list below (SET_TX_POWER 0xFD, APPLY_OP 0xFC).

📝 Suggested correction

-Both transports speak the same Improv-WiFi serial protocol — frames of `IMPROV` + version byte + type + length + payload + checksum. Full protocol details: <https://www.improv-wifi.com/serial/>. The on-device implementation supports four standard RPC commands plus three vendor extensions:
+Both transports speak the same Improv-WiFi serial protocol — frames of `IMPROV` + version byte + type + length + payload + checksum. Full protocol details: <https://www.improv-wifi.com/serial/>. The on-device implementation supports four standard RPC commands plus two vendor extensions:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/moonmodules/core/ImprovProvisioningModule.md` around lines 23 - 30, The
vendor extension count in the opening paragraph is outdated. Update the text
that currently states "four standard RPC commands plus three vendor extensions"
to reflect that only two vendor extensions remain after the removal of
SET_DEVICE_MODEL in this PR. Change "three vendor extensions" to "two vendor
extensions" to align with the documented extensions below (SET_TX_POWER and
APPLY_OP).

src/core/HttpServerModule.cpp (1)

46-58: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Drain queued preview bytes before accepting HTTP work.

Line 51 returns after every accepted HTTP connection, so an HTTP request burst skips drainWsSends() indefinitely. The staged frame stays queued, wsPreviewLen_ remains non-zero, and later broadcastBinary() calls all see backpressure.

Proposed fix

 void HttpServerModule::loop20ms() {
+    // Drain staged preview bytes first; queued preview bytes keep advancing during HTTP bursts.
+    drainWsSends();
+
     // Accept one HTTP connection per tick
     auto conn = server_.accept();
     if (conn.valid()) {
         handleConnection(conn);
         return; // don't broadcast in same tick as accept (WebSocket needs time to process 101)
     }
-
-    // Drain the live-preview frame queued by broadcastBinary() — a slice per tick, never
-    // blocking. This is the consumer side of the preview producer/consumer handoff; the
-    // producer (PreviewDriver) only stages bytes, the transport poll sends them. (When the
-    // §145 two-task split lands, this call moves to the consumer/network task unchanged.)
-    drainWsSends();
 }

Based on learnings, “No UI action or API-call sequence should crash or wedge a running device; robustness is mandatory.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 46 - 58, The early return
statement in the loop20ms() method after handleConnection(conn) prevents
drainWsSends() from ever being called when HTTP connections are being accepted
in bursts, causing queued preview bytes to remain stuck indefinitely. To fix
this, move the drainWsSends() call to execute before the HTTP connection
accept/handle block so that queued WebSocket preview data is always drained on
each tick regardless of incoming HTTP traffic, ensuring the preview
producer/consumer handoff remains responsive and backpressure is relieved even
during connection bursts.

Source: Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/history/plans/Plan-20260622` - Non-blocking preview send.md:
- Line 33: In the section describing HttpServerModule::drainWsSends() at line
33, replace the reference to the outdated API name writeChunks with the current
implemented transport API name writeSome to maintain consistency with the actual
shipped interface. The rest of the explanation about the non-blocking behavior
and staging buffer flushing should remain unchanged.

In `@docs/moonmodules/core/HttpServerModule.md`:
- Around line 56-63: In the documentation around the `broadcastBinary` method
and backpressure description, replace the inaccurate "newest-wins" language with
wording that correctly states the in-flight frame is retained and newer frames
are dropped while draining. Additionally, convert all future-tense language
(such as "will later host") to present-tense and eliminate absence-narration to
comply with the style guideline requiring present-tense documentation. Ensure
the prose describes the current behavior and structure positively rather than
describing future intentions or what is absent.

In `@docs/moonmodules/light/drivers/PreviewDriver.md`:
- Line 17: The documentation for the 0x03 coordinate table message describes a
periodic (~1s) rebroadcast mechanism for newly-connected clients, but this does
not match the current implementation which re-sends based on generation change
or pending retry triggers. Update the coordinate table description to remove the
~1s periodic rebroadcast language and instead document that it is sent when the
generation changes or on pending retry attempts, removing the outdated
"newly-connected client catches up" concept.

In `@scripts/moondeck_ui/app.js`:
- Around line 898-904: The promise chain starting with the fetch call to
"/api/push-board" uses .then() and .catch() syntax, which conflicts with the
repository's requirement to use async/await for promise handling. Refactor this
code by converting the entire fetch operation into an async/await structure.
Ensure the fetch call (with AbortSignal.timeout), the response.json() call, and
the callback invocation are all handled using await, and replace the .catch()
block with a proper try/catch statement to handle any errors that occur during
the fetch or JSON parsing.

In `@scripts/scenario/run_live_scenario.py`:
- Around line 425-434: The HTTPError exception handler currently treats all HTTP
errors as skippable for optional steps, but this silently suppresses legitimate
failures like backend errors or permission issues. Instead, inspect the HTTP
status code within the urllib.error.HTTPError exception object. Only treat HTTP
404 (Not Found) responses as true "not present" cases that should be skipped for
optional steps and marked as success. For other HTTP error codes (500, 403,
etc.), either log the error details or re-raise the exception to prevent silent
failure masking.
- Around line 368-378: The code currently treats all HTTPError exceptions the
same way as when a step is explicitly optional, marking any failure as "ok" and
skipped. You need to distinguish between "type unavailable" errors and other
actual failures. In the except urllib.error.HTTPError block, inspect the error
response to check if it specifically indicates the type is unavailable (check
the HTTP status code or response body for the appropriate indicator). Only when
it's a "type unavailable" error should you set step_result["status"] to "ok" and
skip it; for all other HTTPError cases, allow the error to propagate or set
step_result["status"] to "error" to properly surface real issues like bad
parent_id or malformed requests.

In `@src/core/HttpServerModule.cpp`:
- Around line 1145-1147: The code in the HttpServerModule.cpp at the anyClient
check is incorrectly returning false when there are no connected WebSocket
clients, which BinaryBroadcaster consumers interpret as a backpressure signal.
This causes unnecessary producer congestion adaptation when no clients are
connected. Instead of returning false when anyClient is false, restructure the
logic to return true (indicating no backpressure) when there are no clients, and
only return false as a backpressure indicator when there are actual connected
clients experiencing congestion. This ensures idle periods without clients are
not misreported as backpressure events.
- Around line 1211-1246: The wsPreviewAge_ counter resets whenever any byte
moves across all WebSocket clients, allowing a single slow client that trickles
data to indefinitely block frame transmission for all clients. Modify the
stuck-client guard logic to track progress more granularly—either implement
per-client age counters or measure overall frame drain speed—so that clients
draining too slowly over consecutive ticks (not just completely stalled ones)
trigger the kPreviewMaxDrainTicks timeout. When the timeout fires, close any
unfinished clients and clear wsPreviewLen_ to allow broadcastBinary() to send
new frames instead of remaining stuck on a stale frame held up by a slow
trickling client.

In `@src/core/HttpServerModule.h`:
- Around line 97-121: The comment block describing wsPreviewBuf_ and related
fields contains two issues: it incorrectly describes backpressure as "PER
CLIENT" when the implementation actually enforces global backpressure (refusing
new frames while ANY client drains), and it violates present-tense coding
guidelines by using future-tense phrases like "will host" and absence-narration
like "never freezes" and "never stalling". Revise the entire comment block to
accurately characterize the global backpressure model where frame acceptance is
blocked until all clients complete draining, and rewrite all sentences in
present-tense without future or absence narration (e.g., replace "will host"
with current description, replace "never freezes" and "never stalling" with
present-tense descriptions of what actually happens).

In `@src/light/drivers/PreviewDriver.h`:
- Around line 83-84: The buildAndSendCoordTable() method contains heap
allocations (coords_.allocate and new[] operations) that execute on the hot path
when called from loop(). Remove all heap allocations from
buildAndSendCoordTable() and any other methods invoked from the loop path (as
referenced in lines 109-113 and 181-190). Pre-allocate buffers and memory during
initialization or configuration time instead, so that the loop-reachable code
paths only use pre-allocated resources without triggering memory growth or
fragmentation.
- Around line 167-173: The latticeCount lambda in the stride selection logic
computes lattice grid points based on bounding box dimensions (ax, ay, az)
rather than the actual light count n, causing sparse layouts to be prematurely
downsampled. Replace the latticeCount lambda to operate on the actual light
count n instead, computing the stride that would result in downsampled light
count using the formula (n + s - 1) / s, and update the while loop condition to
check if this downsampled light count exceeds MAX_PREVIEW_POINTS rather than
checking lattice grid points.

In `@src/platform/desktop/platform_desktop.cpp`:
- Around line 701-712: In the TcpConnection::writeSome method, the socket needs
to be toggled to non-blocking mode before the ::send() call and restored to
blocking mode after it to prevent indefinite blocking when the kernel send
buffer is full. Add a call to make_nonblocking(fd_) immediately before the
::send() line, and add a call to make_blocking(fd_) immediately after the
::send() line completes, ensuring the socket's blocking state is restored to
maintain SO_RCVTIMEO semantics for read operations as documented in the design
comments.

In `@src/ui/index.html`:
- Line 40: The input element with id="preview-dot" is missing an explicit
`<label>` element that associates with it via the `for` attribute, which is
required by the input-requires-label linting rule. Add a `<label>` element with
`for="preview-dot"` that contains descriptive text (such as "Dot size" to match
the aria-label and title attributes). The label can be visually hidden using CSS
if visual presentation is a concern, but the HTML element must be present to
satisfy both accessibility standards and the linter configuration.

In `@src/ui/preview3d.js`:
- Around line 57-58: The dotScale_ variable accepts unbounded values from
localStorage without validation, which can cause performance issues. Clamp the
parseFloat result to the range [0.25, 1.5] when initializing dotScale_ at the
load time. Additionally, apply the same clamping logic to any input handlers or
updates to dotScale_ that occur around lines 377-383 where user input modifies
this value. Ensure all assignments to dotScale_ use a helper function or inline
logic to constrain the value within the specified bounds before it takes effect.
- Around line 485-497: The stride field from the incoming frame header at offset
5 (as a u16 value) is currently being ignored during validation. Extract the
stride value from the header using the view object and compare it against the
expected stride from the active coordinate table (alongside the existing count
validation). Return early if the stride does not match, preventing color
misalignment when the stride changes even if the count remains the same. This
ensures both the count and stride are synchronized before drawing the colors.

In `@test/unit/light/unit_PreviewDriver.cpp`:
- Around line 128-160: The current test only validates dense-grid downsampling
where the pixel count exceeds the RAM cap, but does not cover the sparse-layout
edge case where bounding-box dimensions are large but totalLightCount() remains
under cap. Add a new TEST_CASE function following the same pattern as the
existing "PreviewDriver downsamples a large layout on a regular spatial lattice"
test that creates a mm::GridLayout with large dimensions (e.g., 512x512) but
sparse lighting content (low totalLightCount under 131072), instantiates a
PreviewRig with that layout, calls rig.produce(), and then asserts that
rig.cap.coordStride() equals 1 to verify full-resolution output is preserved
when the actual light count does not require downsampling despite large spatial
bounds.

---

Outside diff comments:
In `@docs/moonmodules/core/ImprovProvisioningModule.md`:
- Around line 23-30: The vendor extension count in the opening paragraph is
outdated. Update the text that currently states "four standard RPC commands plus
three vendor extensions" to reflect that only two vendor extensions remain after
the removal of SET_DEVICE_MODEL in this PR. Change "three vendor extensions" to
"two vendor extensions" to align with the documented extensions below
(SET_TX_POWER and APPLY_OP).

In `@src/core/HttpServerModule.cpp`:
- Around line 46-58: The early return statement in the loop20ms() method after
handleConnection(conn) prevents drainWsSends() from ever being called when HTTP
connections are being accepted in bursts, causing queued preview bytes to remain
stuck indefinitely. To fix this, move the drainWsSends() call to execute before
the HTTP connection accept/handle block so that queued WebSocket preview data is
always drained on each tick regardless of incoming HTTP traffic, ensuring the
preview producer/consumer handoff remains responsive and backpressure is
relieved even during connection bursts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 08f7c2a0-2883-4108-8da3-d914546a986e

📥 Commits

Reviewing files that changed from the base of the PR and between 0c9fbd3 and 1e48e92.

📒 Files selected for processing (22)

• docs/history/plans/Plan-20260622 - Non-blocking preview send.md
• docs/moonmodules/core/HttpServerModule.md
• docs/moonmodules/core/ImprovProvisioningModule.md
• docs/moonmodules/light/drivers/PreviewDriver.md
• scripts/moondeck_ui/app.js
• scripts/scenario/run_live_scenario.py
• src/core/BinaryBroadcaster.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• src/light/drivers/PreviewDriver.h
• src/platform/desktop/platform_desktop.cpp
• src/platform/esp32/platform_esp32.cpp
• src/platform/platform.h
• src/ui/index.html
• src/ui/preview3d.js
• src/ui/style.css
• test/scenarios/light/scenario_Audio_mutation.json
• test/scenarios/light/scenario_Driver_mutation.json
• test/scenarios/light/scenario_Layouts_mutation.json
• test/scenarios/light/scenario_perf_full.json
• test/scenarios/light/scenario_perf_light.json
• test/unit/light/unit_PreviewDriver.cpp

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Use async/await for pushBoard promise handling.

Line 898-Line 904 uses .then/.catch, which conflicts with the repository JS rule requiring async/await.

Suggested refactor

-        const pushBoard = (board, onDone) => {
-            // Success is the device-side result in the JSON body ({"ok": bool} from
-            // _push_board_to_device) — HTTP 200 alone can wrap a failed push (a device
-            // timeout / non-2xx mid-fan-out), so r.ok would falsely report success.
-            // 10s AbortSignal timeout so a stalled request can't wedge the button forever.
-            fetch("/api/push-board", {
-                method: "POST",
-                headers: {"Content-Type": "application/json"},
-                body: JSON.stringify({ip: device.ip, board}),
-                signal: AbortSignal.timeout(10000),
-            }).then(r => r.json()).then(j => onDone && onDone(!!j.ok))
-              .catch(() => onDone && onDone(false));
-        };
+        const pushBoard = async (board, onDone) => {
+            // Success is the device-side result in the JSON body ({"ok": bool} from
+            // _push_board_to_device) — HTTP 200 alone can wrap a failed push (a device
+            // timeout / non-2xx mid-fan-out), so r.ok would falsely report success.
+            // 10s AbortSignal timeout so a stalled request can't wedge the button forever.
+            try {
+                const response = await fetch("/api/push-board", {
+                    method: "POST",
+                    headers: {"Content-Type": "application/json"},
+                    body: JSON.stringify({ip: device.ip, board}),
+                    signal: AbortSignal.timeout(10000),
+                });
+                const payload = await response.json();
+                if (onDone) onDone(!!payload.ok);
+            } catch (_) {
+                if (onDone) onDone(false);
+            }
+        };

As per coding guidelines, “Always use async/await for promises in JavaScript/TypeScript”.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/moondeck_ui/app.js` around lines 898 - 904, The promise chain
starting with the fetch call to "/api/push-board" uses .then() and .catch()
syntax, which conflicts with the repository's requirement to use async/await for
promise handling. Refactor this code by converting the entire fetch operation
into an async/await structure. Ensure the fetch call (with AbortSignal.timeout),
the response.json() call, and the callback invocation are all handled using
await, and replace the .catch() block with a proper try/catch statement to
handle any errors that occur during the fetch or JSON parsing.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Narrow optional add_module skip to only “type unavailable” failures

Current logic marks any optional add_module failure as success (ok:false and every HTTPError). That hides real regressions (e.g., bad parent_id, malformed request, handler errors) and can turn broken scenarios into false passes.
Please only skip when the backend explicitly reports “unknown/unavailable type” (or the exact status/code used for that case), and fail other errors.

Proposed fix

                 try:
                     resp = client.post("/api/modules", data)
                     if resp.get("ok"):
                         step_result["status"] = "ok"
                         if resp.get("note") == "already exists":
                             print(f"  =     {step.get('id', '?')} (exists)")
                         else:
                             print(f"  +     {step.get('id', '?')} ({step['type']})")
                             created_modules.append(step.get("id", ""))
-                    elif step.get("optional"):
+                    elif step.get("optional") and "unknown type" in str(resp.get("error", "")).lower():
                         step_result["status"] = "ok"
                         skipped_ids.add(step.get("id", ""))
                         print(f"  +     {step.get('id','?')} ({step['type']}) — skipped (optional, type unavailable on {target})")
                     else:
                         step_result["status"] = "error"
-                except urllib.error.HTTPError:
-                    if step.get("optional"):
+                except urllib.error.HTTPError as e:
+                    if step.get("optional") and e.code == 400:
                         step_result["status"] = "ok"
                         skipped_ids.add(step.get("id", ""))
                         print(f"  +     {step.get('id','?')} ({step['type']}) — skipped (optional, type unavailable on {target})")
                     else:
                         raise

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/scenario/run_live_scenario.py` around lines 368 - 378, The code
currently treats all HTTPError exceptions the same way as when a step is
explicitly optional, marking any failure as "ok" and skipped. You need to
distinguish between "type unavailable" errors and other actual failures. In the
except urllib.error.HTTPError block, inspect the error response to check if it
specifically indicates the type is unavailable (check the HTTP status code or
response body for the appropriate indicator). Only when it's a "type
unavailable" error should you set step_result["status"] to "ok" and skip it; for
all other HTTPError cases, allow the error to propagate or set
step_result["status"] to "error" to properly surface real issues like bad
parent_id or malformed requests.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/light/drivers/NetworkSendDriver.h (1)

149-151: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

light_count cap is bypassed in the passthrough branch.

When correction is unavailable, the code still sends sourceBuffer_->bytes(), so light_count is ignored and full frames are transmitted.

Proposed fix

         } else {
             data = sourceBuffer_->data();
-            totalBytes = sourceBuffer_->bytes();
+            totalBytes = static_cast<size_t>(nLights) * sourceBuffer_->channelsPerLight();
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/light/drivers/NetworkSendDriver.h` around lines 149 - 151, In the
passthrough branch where correction is unavailable, the code assigns totalBytes
= sourceBuffer_->bytes() without applying the light_count cap, which bypasses
the intended frame size limit. Apply the same light_count capping logic that is
used in the correction path to this passthrough branch by ensuring totalBytes
respects the light_count limit when setting its value from
sourceBuffer_->bytes(), similar to how it is handled when correction is
available.

src/light/drivers/PreviewDriver.h (1)

261-269: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Update the cap rationale comment to the current streaming path.

The comment still cites broadcastBinary/drainWsSends, which no longer matches this implementation’s beginBinaryFrame/pushBinaryFrame/endBinaryFrame flow.

As per coding guidelines, src/**/*.{h,cpp,ts,tsx,js} content “describe[s] the system as it is now in present tense.”

Suggested fix

-    // Frame cap: the most points one preview frame carries before the spatial-lattice
-    // downsample engages. The old ~1800 limit was the single-writev wall; that's gone now —
-    // broadcastBinary enqueues the frame and HttpServerModule::drainWsSends() streams it
-    // across loop20ms ticks (non-blocking), so the cap is no longer "what fits one writev"
-    // but "how big a frame the device can stage + stream comfortably". That's RAM-bound:
-    // the staging frame is points×3 bytes (16K LEDs = 48 KB), so a no-PSRAM classic board
+    // Frame cap: the most points one preview frame carries before the spatial-lattice
+    // downsample engages. Frames stream via begin/push/end, so the cap reflects how much
+    // payload the device can generate and send comfortably at runtime. That's RAM-bound:
+    // 16K LEDs = 48 KB payload, so a no-PSRAM classic board

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/light/drivers/PreviewDriver.h` around lines 261 - 269, The frame cap
rationale comment in PreviewDriver.h references outdated method names
broadcastBinary and drainWsSends that no longer match the current
implementation. Update this multi-line comment (starting around the "Frame cap"
explanation) to replace references to broadcastBinary and drainWsSends with the
current streaming flow methods: beginBinaryFrame, pushBinaryFrame, and
endBinaryFrame. Ensure the comment uses present tense language that accurately
describes how the system currently works, rather than how it worked previously.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/history/plans/Plan-20260622` - Non-blocking preview send.md:
- Line 33: The documentation at line 33 in the file describes an outdated
implementation that references the removed `HttpServerModule::drainWsSends()`
method. Replace this stale description with documentation that accurately
reflects the current implementation using the streamed binary frame API.
Specifically, remove the references to `drainWsSends()` and instead document
that binary frames are streamed through `beginBinaryFrame()`,
`pushBinaryFrame()`, and `endBinaryFrame()` methods, and clarify that
`loop20ms()` now only handles connection acceptance rather than draining a send
queue. Either provide the corrected description of the current staged API design
or explicitly reference any newer documentation that supersedes this approach.

In `@src/core/HttpServerModule.cpp`:
- Around line 1127-1182: The frame streaming implementation does not track
frame-level state, causing the stall counter in sendAllOrClose to reset per
slice (wasting the intended stall budget) and lacking verification that pushed
bytes match the totalLen declared in beginBinaryFrame. Add frame-state member
variables to track whether a frame is open, the remainingBytes from totalLen,
and a frame-wide stall budget. In beginBinaryFrame, initialize the frame state
(open=true, remainingBytes=totalLen, reset the frame-wide stall counter). In
pushBinaryFrame, decrement remainingBytes by the len being pushed and close all
clients if remainingBytes goes negative (over-push detected), while using the
frame-wide stall counter instead of letting sendAllOrClose reset it per slice.
In endBinaryFrame, verify that remainingBytes equals zero before marking
success; if there is a mismatch or the frame-wide stall budget is exhausted,
return false and ensure the frame is marked closed.

In `@src/light/drivers/NetworkSendDriver.h`:
- Around line 40-43: The comment for the lightCount variable in
NetworkSendDriver.h contains future-tense roadmap wording with the phrase "A
start offset for arbitrary slices is a planned follow-up across all drivers."
This violates the coding guidelines requiring present-tense comments. Remove the
sentence about the planned follow-up and keep only the description of the
current behavior of the lightCount variable (that it controls how many lights to
send, with 0 meaning the whole buffer and greater than 0 sending the first N
lights, allowing sinks to cover their own slice).

In `@src/light/drivers/PreviewDriver.h`:
- Around line 241-249: In the ColCtx struct definition and its initialization in
the sendFrame() method, the stride value s is being truncated to uint8_t which
causes incorrect lattice predicate behavior when previewStride_ exceeds 255.
Change the type of the s member variable in the ColCtx struct from uint8_t to a
wider type (such as uint16_t) that can accommodate the full stride value, and
update the ColCtx initialization to remove the cast that truncates s to uint8_t,
ensuring the complete stride width is preserved for the modulo operation in the
lambda's keep predicate.

In `@src/light/drivers/RmtLedDriver.h`:
- Around line 200-205: The encoding is capped to variable n (minimum of
txLightCount_ and sourceBuffer_->count()), but each pin still transmits its full
configured pinCounts_[i], creating a mismatch. When txLightCount_ exceeds
sourceBuffer_->count(), pins will transmit unencoded lights with stale symbol
data. Fix this by ensuring each pin only transmits up to the number of lights
that were actually encoded in this frame (n). Either cap the per-pin
transmission counts to not exceed n, or adjust the transmission loop logic to
stop transmitting each pin at the encoded boundary rather than using the full
pinCounts_[i].

In `@src/ui/style.css`:
- Around line 287-290: In the `.visually-hidden` class, replace or augment the
deprecated `clip: rect(0 0 0 0)` property with the modern equivalent `clip-path:
inset(50%)`. This will resolve the stylelint warning while maintaining the
screen-reader-only styling functionality that hides the element visually but
keeps it accessible to assistive technologies.

---

Outside diff comments:
In `@src/light/drivers/NetworkSendDriver.h`:
- Around line 149-151: In the passthrough branch where correction is
unavailable, the code assigns totalBytes = sourceBuffer_->bytes() without
applying the light_count cap, which bypasses the intended frame size limit.
Apply the same light_count capping logic that is used in the correction path to
this passthrough branch by ensuring totalBytes respects the light_count limit
when setting its value from sourceBuffer_->bytes(), similar to how it is handled
when correction is available.

In `@src/light/drivers/PreviewDriver.h`:
- Around line 261-269: The frame cap rationale comment in PreviewDriver.h
references outdated method names broadcastBinary and drainWsSends that no longer
match the current implementation. Update this multi-line comment (starting
around the "Frame cap" explanation) to replace references to broadcastBinary and
drainWsSends with the current streaming flow methods: beginBinaryFrame,
pushBinaryFrame, and endBinaryFrame. Ensure the comment uses present tense
language that accurately describes how the system currently works, rather than
how it worked previously.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 313d08bf-6bfd-45db-b52f-b90ae9a1bd1f

📥 Commits

Reviewing files that changed from the base of the PR and between 1e48e92 and c26ef2a.

📒 Files selected for processing (17)

• docs/history/plans/Plan-20260622 - Non-blocking preview send.md
• docs/history/plans/Plan-20260623 - Stream preview from buffers, zero preview buffers.md
• docs/moonmodules/core/HttpServerModule.md
• docs/moonmodules/core/ImprovProvisioningModule.md
• docs/moonmodules/light/drivers/NetworkSendDriver.md
• docs/moonmodules/light/drivers/PreviewDriver.md
• src/core/BinaryBroadcaster.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• src/light/drivers/NetworkSendDriver.h
• src/light/drivers/PreviewDriver.h
• src/light/drivers/RmtLedDriver.h
• src/platform/desktop/platform_desktop.cpp
• src/ui/index.html
• src/ui/preview3d.js
• src/ui/style.css
• test/unit/light/unit_PreviewDriver.cpp

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Replace the stale drain-queue description with the shipped streamed API.

Line 33 still says HttpServerModule::drainWsSends() exists and runs before accept, but the current implementation streams binary frames through beginBinaryFrame() / pushBinaryFrame() / endBinaryFrame() and loop20ms() only accepts/handles a connection. This design record now points readers at a removed path; update this bullet to describe the staged API or explicitly defer to the newer zero-buffer plan.

Suggested wording

-- New **`HttpServerModule::drainWsSends()`** called from `loop20ms()`: flush the staging buffer with the **non-blocking** `writeSome` — send what the socket takes now, advance `sent`, leave the rest for the next tick. Mid-frame partial is expected (we own the offset); only a real socket error closes. The exact function §145 later hosts on the consumer task. (As implemented, the drain runs before the accept so a connection burst can't strand it.)
+- Binary preview frames use **`BinaryBroadcaster::beginBinaryFrame()` / `pushBinaryFrame()` / `endBinaryFrame()`**: the server sends the WS header up front and fans each payload slice to clients through non-blocking `writeSome` via `sendAllOrClose()`. There is no staging-buffer drain step in the shipped path; the zero-buffer streaming plan records that follow-up design.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

- New **`HttpServerModule::drainWsSends()`** called from `loop20ms()`: flush the staging buffer with the **non-blocking** `writeSome` — send what the socket takes now, advance `sent`, leave the rest for the next tick. Mid-frame partial is expected (we own the offset); only a real socket error closes. The exact function §145 later hosts on the consumer task. (As implemented, the drain runs before the accept so a connection burst can't strand it.)

- Binary preview frames use **`BinaryBroadcaster::beginBinaryFrame()` / `pushBinaryFrame()` / `endBinaryFrame()`**: the server sends the WS header up front and fans each payload slice to clients through non-blocking `writeSome` via `sendAllOrClose()`. There is no staging-buffer drain step in the shipped path; the zero-buffer streaming plan records that follow-up design.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/history/plans/Plan-20260622` - Non-blocking preview send.md at line 33,
The documentation at line 33 in the file describes an outdated implementation
that references the removed `HttpServerModule::drainWsSends()` method. Replace
this stale description with documentation that accurately reflects the current
implementation using the streamed binary frame API. Specifically, remove the
references to `drainWsSends()` and instead document that binary frames are
streamed through `beginBinaryFrame()`, `pushBinaryFrame()`, and
`endBinaryFrame()` methods, and clarify that `loop20ms()` now only handles
connection acceptance rather than draining a send queue. Either provide the
corrected description of the current staged API design or explicitly reference
any newer documentation that supersedes this approach.

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Track frame-level send state instead of resetting it per slice.

sendAllOrClose() resets its stall counter on every pushBinaryFrame() slice, so a large coordinate table streamed in many chunks can spend kDirectSendSpins repeatedly on the scheduler loop. The begin/push/end implementation also never verifies that pushed bytes add up to totalLen; an under-push leaves clients waiting for bytes, and an over-push corrupts the WebSocket message boundary. Carry frame state from begin to end (open, remainingBytes, and a frame-wide or per-client stall budget), then close/return false on mismatch or budget exhaustion. As per coding guidelines, “No UI action or API-call sequence must crash or wedge a running device, including deleting, replacing, or clearing modules in any order; crashes and hangs are bugs, not user error.”

Sketch of the expected state tracking

 // HttpServerModule.h
     bool wsFrameAllSent_ = true;
+    bool wsFrameOpen_ = false;
+    size_t wsFrameRemaining_ = 0;
+    int wsFrameStallBudget_ = 0;

-bool HttpServerModule::sendAllOrClose(platform::TcpConnection& ws, const uint8_t* data, size_t len) {
+bool HttpServerModule::sendAllOrClose(platform::TcpConnection& ws, const uint8_t* data, size_t len,
+                                      int& stallBudget) {
     size_t sent = 0;
-    int stalls = 0;
     while (sent < len) {
         int n = ws.writeSome(data + sent, len - sent);
         if (n < 0) { ws.close(); return false; }
         if (n == 0) {
-            if (++stalls > kDirectSendSpins) { ws.close(); return false; }
+            if (--stallBudget < 0) { ws.close(); return false; }
             continue;
         }
         sent += static_cast<size_t>(n);
     }
     return true;
 }

 void HttpServerModule::beginBinaryFrame(size_t totalLen) {
     wsFrameAllSent_ = true;
+    wsFrameOpen_ = true;
+    wsFrameRemaining_ = totalLen;
+    wsFrameStallBudget_ = kDirectSendSpins;
     ...
 }

 void HttpServerModule::pushBinaryFrame(const uint8_t* data, size_t len) {
-    if (!data || len == 0) return;
+    if (!wsFrameOpen_ || len == 0) return;
+    if (!data || len > wsFrameRemaining_) {
+        wsFrameAllSent_ = false;
+        return;
+    }
     ...
+    wsFrameRemaining_ -= len;
 }

-bool HttpServerModule::endBinaryFrame() { return wsFrameAllSent_; }
+bool HttpServerModule::endBinaryFrame() {
+    const bool ok = wsFrameOpen_ && wsFrameRemaining_ == 0 && wsFrameAllSent_;
+    if (!ok) {
+        for (auto& wsClient : wsClients_) {
+            if (wsClient.valid()) {
+                wsClient.close();
+            }
+        }
+    }
+    wsFrameOpen_ = false;
+    wsFrameRemaining_ = 0;
+    return ok;
+}

🧰 Tools

🪛 Clang (14.0.6)

[warning] 1127-1127: use a trailing return type for this function

(modernize-use-trailing-return-type)

---

[warning] 1127-1127: parameter name 'ws' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1132-1132: variable name 'n' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1156-1156: do not declare C-style arrays, use std::array<> instead

(modernize-avoid-c-arrays)

---

[warning] 1157-1157: variable 'wsHeaderLen' is not initialized

(cppcoreguidelines-init-variables)

---

[warning] 1165-1165: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1169-1169: variable name 'ws' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1170-1170: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1176-1176: implicit conversion 'const uint8_t *' (aka 'const unsigned char *') -> bool

(readability-implicit-bool-conversion)

---

[warning] 1176-1176: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1177-1177: variable name 'ws' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1178-1178: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1182-1182: use a trailing return type for this function

(modernize-use-trailing-return-type)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1127 - 1182, The frame streaming
implementation does not track frame-level state, causing the stall counter in
sendAllOrClose to reset per slice (wasting the intended stall budget) and
lacking verification that pushed bytes match the totalLen declared in
beginBinaryFrame. Add frame-state member variables to track whether a frame is
open, the remainingBytes from totalLen, and a frame-wide stall budget. In
beginBinaryFrame, initialize the frame state (open=true,
remainingBytes=totalLen, reset the frame-wide stall counter). In
pushBinaryFrame, decrement remainingBytes by the len being pushed and close all
clients if remainingBytes goes negative (over-push detected), while using the
frame-wide stall counter instead of letting sendAllOrClose reset it per slice.
In endBinaryFrame, verify that remainingBytes equals zero before marking
success; if there is a mismatch or the frame-wide stall budget is exhausted,
return false and ensure the frame is marked closed.

Source: Coding guidelines

[coderabbitai]

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.

[coderabbitai]

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.

[coderabbitai]

✅ Created PR with unit tests: #25

[coderabbitai]

✅ Created PR with unit tests: #26

[ewowi]

@coderabbitai, please review e0e5b32

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the commit details
gh api repos/MoonModules/projectMM/commits/e0e5b328e277892f9611d6650e8c3fb47dd8d4fe \
  --jq '{sha: .sha, message: .commit.message, author: .commit.author.name, date: .commit.author.date, files: [.files[] | {filename: .filename, status: .status, additions: .additions, deletions: .deletions, patch: .patch}]}'

Length of output: 47629

---

---

@ewowi Here is the review of commit e0e5b328:

---

Commit Review

Summary: Adds serpentine to GridLayout, switches the Layer identity-path check from a count heuristic to a measured isNaturalOrder() walk, and batch-processes a set of CodeRabbit bug findings (stride overflow in PreviewDriver, stale RMT symbols in RmtLedDriver, and the passthrough branch ignoring light_count in NetworkSendDriver). Also includes a UI fix for immediate preview rendering on coord-table arrival and various doc/comment cleanups.

---

Bugs fixed — all verified correct

Driver	Finding	Fix
PreviewDriver	Stride stored as uint8_t → overflows at stride > 255, misaligning colour and coord frames on large layouts	Widened to nrOfLightsType ✅
RmtLedDriver	Pin could transmit stale symbols past the encoded boundary when the buffer shrank between a parseConfig and the next loop()	Caps each pin's transmit to min(pinLights, n - pinStart) ✅
NetworkSendDriver	No-correction passthrough branch sent sourceBuffer_->bytes() ignoring light_count	Now uses nLights * channelsPerLight() ✅

---

src/light/layers/Layer.h — isNaturalOrder()

Unused box field in Ctx:

struct Ctx { lengthType w, h; nrOfLightsType box; bool ok; };
Ctx ctx{physicalWidth_, physicalHeight_, boxCount, true};

The box member is initialized to boxCount but never read inside the lambda — the lambda recomputes the index locally from x/y/z. It can be removed:

struct Ctx { lengthType w, h; bool ok; };
Ctx ctx{physicalWidth_, physicalHeight_, true};

No early exit once mismatch is found:

Once k->ok = false, the lambda continues iterating all remaining coordinates. For a 128×128 serpentine grid the first mismatch lands at driver index 4 (first reversed-row entry) — still 16380 iterations to go. This runs on the cold path (onBuildState) so it is not a correctness issue, but an early-exit would be a cheap improvement. Since forEachCoord uses a plain C callback with no stop signal, the cleanest approach is a flag check at the top of the lambda:

layouts_->forEachCoord([](void* c, nrOfLightsType driverIdx, lengthType x, lengthType y, lengthType z) {
    auto* k = static_cast<Ctx*>(c);
    if (!k->ok) return;   // short-circuit once mismatch found
    nrOfLightsType box = ...;
    if (driverIdx != box) k->ok = false;
}, &ctx);

---

src/light/layouts/GridLayout.h — serpentine logic

The boustrophedon logic is correct and clean:

const bool reverse = serpentine && (y & 1);
for (lengthType i = 0; i < width && idx < limit; i++) {
    const lengthType x = reverse ? static_cast<lengthType>(width - 1 - i) : i;
    cb(ctx, static_cast<nrOfLightsType>(idx++), x, y, z);
}

Emits the true (x, y, z) coordinate while advancing the driver index linearly — the order change (not the position) is what breaks the identity path. The z-loop outer nesting is preserved correctly.

---

src/ui/preview3d.js — drawLights(null) on coord table arrival

Good fix. Extracting drawLights(rgb) with rgb ? rgb[i*3]/255 : 0 correctly renders placeholder geometry (all-off LEDs) the moment the coordinate table lands, rather than waiting for the first colour frame (which never arrives on a paused scene). No concerns.

---

src/ui/style.css — .visually-hidden

clip-path: inset(50%) in place of the deprecated clip: rect(0 0 0 0) is the currently recommended pattern — correct change.

---

Tests

• unit_GridLayout serpentine assertions are correct — even rows L→R, odd rows R→L, toggling off restores natural order. ✅
• unit_Layer_sparse_mapping LUT assertions are correct:
  • driverOf(4) == 7 (box cell (x=0,y=1) maps to driver index 7 — far end of the reversed row). ✅
  • driverOf(7) == 4 (box cell (x=3,y=1) maps to driver index 4 — near end). ✅
  • Toggling serpentine = false and calling onBuildState() returns to !hasLUT(). ✅

---

Overall: Solid batch of fixes with comprehensive tests. The only actionable item is removing the unused box field from isNaturalOrder()'s Ctx and optionally adding the early-exit guard in the lambda.

[coderabbitai]

Actionable comments posted: 14

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/ui/preview3d.js (2)

467-471: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Commit previewStride_ only after accepting the coordinate packet.

Lines 469-470 update global parser state before the payload-length guard. A truncated 0x03 table can change previewStride_ without replacing previewCoords_, so subsequent valid 0x02 frames for the current table fail the stride check and the preview freezes until another valid coord table arrives.

🐛 Proposed fix

     const count = view.getUint32(1, true);
     const bx = view.getUint8(5), by = view.getUint8(6), bz = view.getUint8(7);
-    previewStride_ = view.getUint16(8, true) || 1;   // = device's adaptive downscale factor
-    updatePreviewStatus();
+    const stride = view.getUint16(8, true) || 1;     // = device's adaptive downscale factor
     if (buf.byteLength < 10 + count * 3) return;
     const pos = new Uint8Array(buf, 10);
@@
     }
+    previewStride_ = stride;
     previewCoordCount_ = count;
     previewBox_ = { x: bx, y: by, z: bz };
+    updatePreviewStatus();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/ui/preview3d.js` around lines 467 - 471, The global parser state updates
(the previewStride_ assignment and updatePreviewStatus() call on lines 469-470)
must be moved to after the payload-length validation check on line 471.
Currently, if the buffer is truncated and the function returns early due to
insufficient bytes, previewStride_ and preview status have already been modified
without the corresponding coordinate data being updated, causing the parser
state to become inconsistent. Move both the previewStride_ assignment and
updatePreviewStatus() call to execute only after confirming that buf.byteLength
is sufficient for the full payload.

---

338-356: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Rewrite changed comments in present tense.

These comments use hypothetical/future narration (would only catch, would be, would land, would spike). The repo rule asks JS comments/docs to stay present-tense; rewrite them as state descriptions.

♻️ Proposed comment cleanup

-    // matchMedia would only catch the breakpoint crossing; a resize listener also keeps
+    // matchMedia catches only the breakpoint crossing; a resize listener also keeps
@@
-    // only vanished later when narrow auto-PiP kicked in would be a confusing surprise.
+    // disappears later when narrow auto-PiP activates.
@@
-    // mid-flight: the colours would land on the wrong positions (a visibly scrambled frame).
+    // mid-flight: the colours map to the wrong positions (a visibly scrambled frame).
@@
-// reading would spike to absurd values on a 0 ms gap (the "200 fps" artifact). Counting over a
+// reading spikes to absurd values on a 0 ms gap (the "200 fps" artifact). Counting over a

As per coding guidelines, "**/*.{h,cpp,hpp,js,py,md}: Sweep documentation for forward-looking language ... rewrite present-tense or move to docs/backlog/backlog.md." Based on learnings, "Use present tense only in code, comments, and documentation."

Also applies to: 501-516

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/ui/preview3d.js` around lines 338 - 356, The comments in the resize event
listener section and the preview-dock click handler use future/hypothetical
tense ("would only catch", "would be") which violates the repo's present-tense
documentation guideline. Rewrite the comment above the resize addEventListener
call to describe in present tense what matchMedia and resize listeners actually
do together, and rewrite the comment following the preview-dock click handler to
describe in present tense how the dismissal behavior works across docked and PiP
modes instead of using conditional language like "would be". Also apply the same
present-tense rewriting to the comments in the sections mentioned to exist
around lines 501-516.

Sources: Coding guidelines, Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/architecture.md`:
- Line 314: In the graceful degradation section of the architecture
documentation, correct the backpressure mechanism description by replacing
"newest-wins backpressure" with "drop-new backpressure" to accurately reflect
that the mechanism keeps the in-flight frame and rejects new frames (not the
inverse), and replace the forward-looking phrase "a future bulky stream could
ride the same transport" with present-tense wording such as "other bulky streams
can ride the same transport" to comply with documentation guidelines requiring
present-tense language throughout.

In `@docs/history/plans/Plan-20260623` - Resumable adaptive preview send.md:
- Around line 29-75: Add the missing language specifier to the code fence around
the PreviewSend struct definition by changing the opening triple backticks to
include the language tag (use `text`). Additionally, add a blank line after the
"### §2 Adaptive frame rate (the elegant part)" heading to satisfy the MD022
rule for blank lines around headings. These changes will resolve the
markdownlint violations MD040 and MD022 respectively.

In `@docs/history/plans/Plan-20260623` - Stream preview from buffers, zero preview
buffers.md:
- Around line 1-3: The document at the title "# Plan — Stream the preview from
the producer buffer; eliminate all preview-side buffers" uses forward-looking
language but lacks the required one-line archival justification. Add a one-line
note immediately after the main title heading that explains this is an
intentional archival plan document using forward-looking language, following the
same pattern used in the sibling 2026-06-23 plan document to satisfy the
documentation policy requirements for archived product-owner plans.

In `@docs/moonmodules/light/drivers/NetworkSendDriver.md`:
- Line 12: The documentation for the `light_count` parameter in
NetworkSendDriver.md contains forward-looking language with a "planned
follow-up" reference, which violates the present-tense documentation style
guide. Remove or rephrase the parenthetical statement about the planned offset
feature to eliminate forward-looking language. Either delete the parenthetical
sentence entirely if it's not essential to current functionality, or if the
roadmap item is important, move that roadmap note to `docs/backlog/backlog.md`
instead. Keep the remainder of the `light_count` documentation description in
present tense, describing only current behavior.

In `@src/core/BinaryBroadcaster.h`:
- Around line 35-43: Update the documentation comments for the BinaryBroadcaster
class methods starting at sendBufferedFrame(). First, change the "newest-wins
backpressure" terminology to "drop-new-frame-wins" or "current-frame-wins" to
accurately describe the behavior. Second, fix the cancelBufferedSend()
documentation to reflect that browsers do not discard partially sent WebSocket
frames but instead consume subsequent bytes as part of the payload, and update
the contract to require implementations to close clients that have received a
partial buffered frame upon cancellation rather than relying on browser-side
discard behavior.

In `@src/core/DevicesModule.h`:
- Around line 383-390: The comment block containing kMdnsBrowseMs and
kMdnsEveryTicks constants includes historical explanation about the old async
API behavior (the portion describing how "The old async API polled cheaply every
tick but raced..."). Remove this changelog prose that describes past
implementation details. Additionally, update the nearby comment block that still
describes mDNS as async and non-blocking every tick to accurately reflect the
current synchronous and throttled contract. Rewrite both comment sections in
present-tense to describe what the current implementation does (the synchronous
polling with throttling mechanism) rather than explaining what the old behavior
was.
- Around line 273-278: The comment block for the kProbeTimeoutMs constant
contains forward-looking language about a backlog fix that should be removed to
keep the comment focused on the current invariant. Remove the clause starting
with "The real fix — running the probe on its own task..." and rewrite the
remaining comment to describe only the present-tense rationale for the 30ms
timeout value. Leave any backlog items for tracking in docs/backlog/backlog.md
instead of including them in source code comments.

In `@src/core/HttpServerModule.cpp`:
- Around line 49-51: In the comment block within HttpServerModule.cpp, replace
the forward-looking roadmap language about the two-core render/transport split
with present tense architecture guidance. Rewrite the phrase "When the two-core
render/transport split lands" to describe the current two-task architecture in
present tense, clarifying where the drain belongs and identifying the
architectural seam (such as loop20ms) that represents this boundary. Remove all
future-looking language and use statements that describe the existing design
rather than planned changes.
- Around line 1239-1267: Add timeout tracking to prevent buffered sends from
blocking indefinitely when valid clients repeatedly return 0 from writeSome().
Modify the drainPreviewSend() method to track either per-client idle tick
counters in the previewSend_ structure or the total age of the frame being sent,
then close any client that exceeds a bounded timeout window within the loop that
iterates through wsClients_ and checks ws.valid(). This allows allDone to
eventually become true and previewSend_.active to be set to false, enabling the
producer to send a replacement frame without waiting for external events.
- Around line 1081-1086: The current code at the previewSend_.active assignment
abandons in-flight frames without closing clients that are mid-transmission,
causing parsing corruption. Create a cancelBufferedSend() helper method that
checks if previewSend_.active is true, calculates the total frame size by adding
previewSend_.hdrLen and previewSend_.bodyLen, iterates through all
MAX_WS_CLIENTS to identify any clients where 0 < sent[i] < total (indicating
partial transmission), closes those clients via wsClients_[i].close(), then
clears all sent[i] counters and resets previewSend_.active, previewSend_.body,
previewSend_.bodyLen, and previewSend_.hdrLen to their default states. Replace
the direct assignment of previewSend_.active = false with a call to this
cancelBufferedSend() helper, and use the same helper for any existing
cancelBufferedSend() method to ensure consistent behavior.

In `@src/core/HttpServerModule.h`:
- Around line 116-122: The comment in the HttpServerModule.h file (starting with
"Resumable full-frame send") contains references to a nonexistent
bodyGeneration_ field and guard mechanism that do not exist in the PreviewSend
class. Remove the portion of the comment that describes bodyGeneration_
invalidating sends and the stale drain guard behavior (the text about
"bodyGeneration_ invalidates a send..." through "...between cancel and the next
begin"). Additionally, replace the phrase "newest-wins" with
"drop-new/current-frame-wins" to better describe the frame dropping behavior.
Keep the core explanation about the resumable send mechanism, buffering
strategy, and the one-in-flight-at-a-time constraint.

In `@src/light/drivers/PreviewDriver.h`:
- Around line 108-110: The framesWaiting_ member variable is declared as
uint8_t, which can only hold values 0-255, causing the counter to wrap when
incremented past 255 fps slots. This wrapping breaks the slow-frame detection in
the sentFrameWasSlow check, delaying downscaling on slow links. Implement a
saturating counter pattern for framesWaiting_ by preventing it from exceeding
its maximum useful value instead of allowing it to overflow. Apply this fix to
both the increment operation around line 109 (in the else block) and the other
location mentioned at line 417.
- Around line 84-87: The issue is that `loop()` method calls
`buildAndSendCoordTable()` and `sendFrame()` which trigger staged WebSocket
writes using beginBinaryFrame/pushBinaryFrame/endBinaryFrame operations that are
drained synchronously with repeated writeSome() calls in the hot path. This can
block the render tick when dealing with slow browser connections. Refactor these
operations to either queue the staged streams for transport cadence similar to
how sendBufferedFrame() works, or convert the writes to single non-blocking
attempts with resumable state that can complete asynchronously. Ensure that
buildAndSendCoordTable() and the downsampled sendFrame() path do not perform
blocking socket drain work directly within the loop() method execution.

In `@test/unit/light/unit_GridLayout.cpp`:
- Around line 88-94: The second pass of the test accesses coords[4] and
coords[5] after clearing and refilling the coords vector without verifying the
vector has sufficient size. If the count of coordinates regresses, accessing
these indices will cause undefined behavior instead of a clear test failure. Add
a size assertion (CHECK) immediately after the grid.forEachCoord call in the
second pass to verify that coords has at least 6 elements before attempting to
access coords[4] and coords[5].

---

Outside diff comments:
In `@src/ui/preview3d.js`:
- Around line 467-471: The global parser state updates (the previewStride_
assignment and updatePreviewStatus() call on lines 469-470) must be moved to
after the payload-length validation check on line 471. Currently, if the buffer
is truncated and the function returns early due to insufficient bytes,
previewStride_ and preview status have already been modified without the
corresponding coordinate data being updated, causing the parser state to become
inconsistent. Move both the previewStride_ assignment and updatePreviewStatus()
call to execute only after confirming that buf.byteLength is sufficient for the
full payload.
- Around line 338-356: The comments in the resize event listener section and the
preview-dock click handler use future/hypothetical tense ("would only catch",
"would be") which violates the repo's present-tense documentation guideline.
Rewrite the comment above the resize addEventListener call to describe in
present tense what matchMedia and resize listeners actually do together, and
rewrite the comment following the preview-dock click handler to describe in
present tense how the dismissal behavior works across docked and PiP modes
instead of using conditional language like "would be". Also apply the same
present-tense rewriting to the comments in the sections mentioned to exist
around lines 501-516.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 899c75b1-6b10-4ebf-ae1e-5272fd1339f4

📥 Commits

Reviewing files that changed from the base of the PR and between 1e48e92 and 63a8fe8.

⛔ Files ignored due to path filters (1)

• scripts/build/build_esp32.py is excluded by !**/build/**

📒 Files selected for processing (36)

• docs/architecture.md
• docs/backlog/backlog.md
• docs/building.md
• docs/history/plans/Plan-20260622 - Non-blocking preview send.md
• docs/history/plans/Plan-20260623 - Resumable adaptive preview send.md
• docs/history/plans/Plan-20260623 - Stream preview from buffers, zero preview buffers.md
• docs/install/firmwares.json
• docs/moonmodules/core/HttpServerModule.md
• docs/moonmodules/core/ImprovProvisioningModule.md
• docs/moonmodules/light/drivers/NetworkSendDriver.md
• docs/moonmodules/light/drivers/PreviewDriver.md
• docs/moonmodules/light/layouts/GridLayout.md
• docs/testing.md
• scripts/MoonDeck.md
• scripts/scenario/run_live_scenario.py
• src/core/BinaryBroadcaster.h
• src/core/DevicesModule.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• src/light/drivers/NetworkSendDriver.h
• src/light/drivers/PreviewDriver.h
• src/light/drivers/RmtLedDriver.h
• src/light/effects/LinesEffect.h
• src/light/layers/Layer.h
• src/light/layouts/GridLayout.h
• src/platform/desktop/platform_desktop.cpp
• src/platform/esp32/platform_config.h
• src/platform/esp32/platform_esp32.cpp
• src/ui/index.html
• src/ui/preview3d.js
• src/ui/style.css
• test/scenarios/light/scenario_Driver_mutation.json
• test/unit/core/unit_HttpServerModule_apply.cpp
• test/unit/light/unit_GridLayout.cpp
• test/unit/light/unit_Layer_sparse_mapping.cpp
• test/unit/light/unit_PreviewDriver.cpp

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fix the buffered-send abort contract.

A browser does not discard a partially sent WebSocket frame while the TCP connection stays open; it consumes subsequent frame bytes as the unfinished payload. The contract should require implementations to close clients that have received a partial buffered frame on cancel. Also rename newest-wins to drop-new/current-frame-wins because the in-flight frame is retained.

Contract wording sketch

-    //   sendBufferedFrame(...) — begin a send; while one is in flight a new call is DROPPED
-    //                            (newest-wins backpressure), the caller reads that as "link busy".
+    //   sendBufferedFrame(...) — begin a send; while one is in flight a new call is dropped
+    //                            (drop-new backpressure), the caller reads that as "link busy".
@@
-    //   cancelBufferedSend()   — abandon the in-flight send NOW (its WS messages end incomplete →
-    //                            the browser discards them). The caller MUST call this before the
+    //   cancelBufferedSend()   — abort the in-flight send and close clients that have received a
+    //                            partial WS frame. The caller MUST call this before the

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// sendBufferedFrame(...) — begin a send; while one is in flight a new call is DROPPED
	// (newest-wins backpressure), the caller reads that as "link busy".
	// bufferedSendIdle() — true when no send is in flight (the previous frame fully drained
	// or was cancelled). The caller gates the next frame on this, so the
	// effective frame rate self-limits to what the link sustains.
	// cancelBufferedSend() — abandon the in-flight send NOW (its WS messages end incomplete →
	// the browser discards them). The caller MUST call this before the
	// `body` buffer is freed/reallocated (e.g. a geometry rebuild), so a
	// cursor never reads freed memory.
	// sendBufferedFrame(...) — begin a send; while one is in flight a new call is dropped
	// (drop-new backpressure), the caller reads that as "link busy".
	// bufferedSendIdle() — true when no send is in flight (the previous frame fully drained
	// or was cancelled). The caller gates the next frame on this, so the
	// effective frame rate self-limits to what the link sustains.
	// cancelBufferedSend() — abort the in-flight send and close clients that have received a
	// partial WS frame. The caller MUST call this before the
	// `body` buffer is freed/reallocated (e.g. a geometry rebuild), so a
	// cursor never reads freed memory.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/BinaryBroadcaster.h` around lines 35 - 43, Update the documentation
comments for the BinaryBroadcaster class methods starting at
sendBufferedFrame(). First, change the "newest-wins backpressure" terminology to
"drop-new-frame-wins" or "current-frame-wins" to accurately describe the
behavior. Second, fix the cancelBufferedSend() documentation to reflect that
browsers do not discard partially sent WebSocket frames but instead consume
subsequent bytes as part of the payload, and update the contract to require
implementations to close clients that have received a partial buffered frame
upon cancellation rather than relying on browser-side discard behavior.

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Add a timeout for buffered sends that stop draining.

If a valid client keeps returning 0 from writeSome(), allDone stays false and previewSend_.active remains true forever. The producer only observes bufferedSendIdle() == false, so it cannot send a smaller replacement frame until an external rebuild/client event cancels the send. Track per-client idle ticks or total frame age and close unfinished clients after a bounded window.

🧰 Tools

🪛 Clang (14.0.6)

[warning] 1240-1240: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1246-1246: variable name 'ws' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1247-1247: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1253-1253: variable 'src' is not initialized

(cppcoreguidelines-init-variables)

---

[warning] 1254-1254: variable 'span' is not initialized

(cppcoreguidelines-init-variables)

---

[warning] 1257-1257: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1258-1258: variable name 'n' is too short, expected at least 3 characters

(readability-identifier-length)

---

[warning] 1260-1260: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1264-1264: statement should be inside braces

(readability-braces-around-statements)

---

[warning] 1267-1267: statement should be inside braces

(readability-braces-around-statements)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1239 - 1267, Add timeout tracking
to prevent buffered sends from blocking indefinitely when valid clients
repeatedly return 0 from writeSome(). Modify the drainPreviewSend() method to
track either per-client idle tick counters in the previewSend_ structure or the
total age of the frame being sent, then close any client that exceeds a bounded
timeout window within the loop that iterates through wsClients_ and checks
ws.valid(). This allows allDone to eventually become true and
previewSend_.active to be set to false, enabling the producer to send a
replacement frame without waiting for external events.

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Keep staged WebSocket writes off loop().

loop() can call buildAndSendCoordTable() and the downsampled sendFrame() path, both of which use beginBinaryFrame() / pushBinaryFrame() / endBinaryFrame(). The current server implementation drains each pushed slice with repeated writeSome() calls, so a slow browser can charge socket-drain work to the render tick. Queue these staged streams for the transport cadence like sendBufferedFrame(), or make each push a single non-blocking attempt with resumable state. Based on learnings, hot-path code must avoid blocking work in loop() methods.

Also applies to: 123-131, 297-330

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/light/drivers/PreviewDriver.h` around lines 84 - 87, The issue is that
`loop()` method calls `buildAndSendCoordTable()` and `sendFrame()` which trigger
staged WebSocket writes using beginBinaryFrame/pushBinaryFrame/endBinaryFrame
operations that are drained synchronously with repeated writeSome() calls in the
hot path. This can block the render tick when dealing with slow browser
connections. Refactor these operations to either queue the staged streams for
transport cadence similar to how sendBufferedFrame() works, or convert the
writes to single non-blocking attempts with resumable state that can complete
asynchronously. Ensure that buildAndSendCoordTable() and the downsampled
sendFrame() path do not perform blocking socket drain work directly within the
loop() method execution.

Source: Learnings

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

src/core/HttpServerModule.h (1)

44-45: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Rewrite absence narration in the preview-send comments.

never spins / never reads freed memory violate the C++ comment tense rule. Prefer direct present-tense behavior wording such as “drains with bounded loop20ms work” and “the caller cancels before freeing/reallocating the body.”

Also applies to: 120-122

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.h` around lines 44 - 45, Revise the preview-send
comments in HttpServerModule to use direct present-tense behavior wording
instead of absence narration; update the comment near the resumable one-frame
send and the related comment around BinaryBroadcaster so they describe what the
code does now, such as bounded loop20ms draining and caller cancellation before
body reallocation, rather than saying it “never spins” or “never reads freed
memory.”

Source: Coding guidelines

docs/history/plans/Plan-20260623 - Resumable adaptive preview send.md (1)

37-43: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Mark the superseded generation-guard design or update it to the implemented cancel contract.

This archive still documents bodyGeneration, a drain-time tag check, and immediate header sends, but the current PreviewSend state uses only copied header/body pointers, cursors, and active. Either prune these absorbed details or add a short “superseded by cancelBufferedSend() + clientGeneration re-prime” note. As per path instructions, “History documents are backward-looking and should be pruned when their lessons are absorbed into code, docs, or principles.”

Also applies to: 57-65

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/history/plans/Plan-20260623` - Resumable adaptive preview send.md around
lines 37 - 43, The history note still describes the old generation-guard based
PreviewSend design, but the implemented contract now uses cancelBufferedSend()
and clientGeneration re-prime with copied header/body pointers, cursors, and
active state. Update the plan entry by removing or pruning the obsolete
bodyGeneration/drain-time tag-check language, or add a brief superseded-by note
that points to cancelBufferedSend() and the current PreviewSend flow so the
documentation matches the code.

Source: Path instructions

src/core/HttpServerModule.cpp (1)

1196-1199: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Rename this to drop-new backpressure.

The active frame is kept and the newly offered frame is rejected, so Newest-wins describes the opposite behavior and conflicts with the interface wording.

Suggested wording

-    // Newest-wins backpressure: one frame in flight at a time. A caller that asks while a send is
-    // active is told "busy" and drops this frame — the producer reads that as the link not keeping
+    // Drop-new backpressure: one frame in flight at a time. A caller that asks while a send is
+    // active is told "busy" and drops the offered frame — the producer reads that as the link not keeping

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1196 - 1199, The backpressure
comment and related wording in HttpServerModule’s preview send path describe the
wrong policy: the code in the previewSend_ check keeps the active frame and
rejects the newly offered one, so rename the behavior from “Newest-wins” to
“drop-new” and update the surrounding comment/message to match the actual
interface semantics. Use the previewSend_ active-state check to locate the spot
and make the terminology consistent everywhere it’s referenced.

src/light/drivers/PreviewDriver.h (1)

83-87: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Cancel the in-flight buffered frame before the generation-triggered coord resend.

A clientGeneration() bump can arrive while the full-res 0x02 sendBufferedFrame() is still draining. This block immediately starts a streamed 0x03 via buildAndSendCoordTable(), so the server can write a new WebSocket message before the old buffered one finishes. BinaryBroadcaster’s contract already calls out new-client connect as a cancelBufferedSend() case.

Suggested fix

         uint32_t gen = broadcaster_ ? broadcaster_->clientGeneration() : 0;
         if (coordCount_ == 0 || gen != lastClientGen_ || coordPending_) {
+            if (gen != lastClientGen_ && broadcaster_) broadcaster_->cancelBufferedSend();
             lastClientGen_ = gen;
             buildAndSendCoordTable();   // streams positions; sets coordPending_ if not all clients got it
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/light/drivers/PreviewDriver.h` around lines 83 - 87, The
generation-triggered coord resend in PreviewDriver::buildAndSendCoordTable is
starting while a buffered send may still be in flight from sendBufferedFrame,
which can interleave WebSocket messages. Before calling buildAndSendCoordTable
when clientGeneration() changes, cancel any active buffered frame through
BinaryBroadcaster’s cancelBufferedSend path (the same lifecycle used for
new-client connect) and then proceed with the coord resend; keep the
lastClientGen_ update and coordPending_ flow unchanged.

♻️ Duplicate comments (6)

src/core/HttpServerModule.cpp (3)

1082-1086: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Use the real buffered-send cancel path here.

This direct active = false has the same partial-frame corruption risk as cancelBufferedSend(): existing clients can remain mid-message while the next bytes are parsed as payload. After fixing the helper, call it here instead of clearing the flag.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1082 - 1086, The buffered-send
abandon logic in HttpServerModule should use the existing cancellation helper
instead of manually clearing the active flag. Update the code path that
currently sets previewSend_.active to false so it calls cancelBufferedSend() (or
the helper you just fixed) to ensure any in-flight frame is fully cancelled and
clients cannot stay mid-message. Keep the generation bump behavior intact around
this change.

---

1239-1268: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Bound buffered sends that make no progress.

If a live client keeps returning 0 from writeSome(), previewSend_.active remains true forever and the producer only sees bufferedSendIdle() == false. Track per-client idle ticks or frame age and close unfinished clients after a bounded window so replacement frames can resume.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1239 - 1268, drainPreviewSend()
can stay active forever if a live wsClients_ entry keeps returning 0 from
writeSome(), because previewSend_.sent never advances and previewSend_.active is
never cleared. Add a bounded progress watchdog in
HttpServerModule::drainPreviewSend() tied to each client’s previewSend_ state,
such as per-client idle ticks or frame age, and close or drop unfinished clients
once they exceed the limit so new preview frames can proceed. Use the existing
symbols previewSend_, wsClients_, ws.writeSome(), and previewChunkBytes() to
implement the timeout cleanly.

---

1161-1189: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Track the streamed frame’s declared length across begin/push/end.

beginBinaryFrame(totalLen) sends a WS header but no state verifies that later pushBinaryFrame() calls add up to exactly totalLen; under-push leaves clients waiting for payload, and over-push corrupts the next WS frame boundary. Add open/remainingBytes state and make endBinaryFrame() fail/close partial clients on mismatch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.cpp` around lines 1161 - 1189,
`HttpServerModule::beginBinaryFrame`, `pushBinaryFrame`, and `endBinaryFrame`
currently send a header and payload without tracking whether the pushed bytes
match the declared `totalLen`. Add per-frame state on `HttpServerModule` (such
as an open flag and remaining/expected byte count) so `pushBinaryFrame()`
decrements and validates progress, and make `endBinaryFrame()` detect
mismatches, fail the frame, and close or mark partial websocket clients
accordingly.

src/core/BinaryBroadcaster.h (1)

41-46: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Require cancel to close partially framed clients.

This still documents an unsafe abort: a browser that has received part of a WebSocket message stays inside that message, so the next “fresh” frame is consumed as payload unless the connection is closed. Make the contract require closing clients with partial buffered-frame bytes before clearing the in-flight send.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/BinaryBroadcaster.h` around lines 41 - 46, The BinaryBroadcaster
buffered-send contract still allows an unsafe abort path: a client that has
already received part of a WebSocket frame can remain partially framed and
consume the next message incorrectly. Update the cancelBufferedSend-related
contract in BinaryBroadcaster to require closing any client with partial
buffered-frame bytes before clearing the in-flight send, and adjust the
surrounding documentation/comments so it reflects that partial sends must not be
left open.

src/core/HttpServerModule.h (1)

49-49: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Make buffered-send cancellation close partial clients and reset state.

Clearing only active abandons any clients already inside the WS payload and leaves stale cursors/body metadata. Move this out of line and close clients where 0 < sent[i] < hdrLen + bodyLen, then reset sent, hdrLen, body, and bodyLen; use the same helper from new-client handling.

Suggested direction

-    void cancelBufferedSend() override { previewSend_.active = false; }
+    void cancelBufferedSend() override;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/HttpServerModule.h` at line 49, The buffered-send cancellation in
`cancelBufferedSend()` only flips `previewSend_.active`, but it leaves partially
sent clients and stale payload state behind. Move this logic out of the inline
override into a shared helper used by both cancellation and new-client handling,
and ensure it closes any client with `0 < sent[i] < hdrLen + bodyLen` before
resetting `sent`, `hdrLen`, `body`, and `bodyLen` on the preview send state.

src/light/drivers/PreviewDriver.h (1)

84-87: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

loop() still does synchronous socket-drain work on the coord-table and downsampled paths.

This is the same hot-path problem noted earlier: loop() can still reach beginBinaryFrame() / pushBinaryFrame() / endBinaryFrame(), and HttpServerModule::sendAllOrClose() drains those slices with repeated writeSome() calls. Slow clients therefore still charge variable socket work to PreviewDriver::loop() whenever coords resend or stride > 1/cpl != 3 forces the streamed path.

Also applies to: 105-106, 130-130, 297-330

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/light/drivers/PreviewDriver.h` around lines 84 - 87,
`PreviewDriver::loop()` still performs synchronous socket-drain work through
coord-table resends and the streamed/downsampled paths, so move that send/drain
work off the hot path. Update `buildAndSendCoordTable()`, the
`beginBinaryFrame()`/`pushBinaryFrame()`/`endBinaryFrame()` flow, and
`HttpServerModule::sendAllOrClose()` so `loop()` only queues or marks pending
data while the actual `writeSome()` draining happens asynchronously or in a
separate send step. Keep the fix centered on `PreviewDriver`,
`buildAndSendCoordTable`, and `HttpServerModule::sendAllOrClose` so slow clients
no longer add variable socket cost to `loop()`.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/architecture.md`:
- Line 314: The transport contract in the preview architecture text uses
absolute “never” guarantees that overstate the implementation. Rephrase the
`PreviewDriver` + `HttpServerModule` description to focus on bounded work,
complete delivered frames, adaptive downsampling, and reconnect behavior, and
remove any wording that promises the connection or render loop is never shed
when `sendAllOrClose()` may close slow direct-stream clients.

In `@docs/moonmodules/core/FirmwareUpdateModule.md`:
- Around line 11-14: The control-location rename is incomplete in this spec: the
table now places `version`, `build`, `firmware`, and `firmwarePartition` under
`FirmwareUpdateModule`, but the later lifecycle/OTA text still references the
`SystemModule` card. Update the remaining prose in this document to consistently
describe these controls as belonging to `FirmwareUpdateModule` and align any OTA
flow wording so readers follow the same module name throughout.

In `@docs/moonmodules/light/drivers/NetworkSendDriver.md`:
- Line 12: The NetworkSendDriver docs entry for light_count uses
absence-narration and negative phrasing that violates the docs style rule.
Reword the sentence in positive present tense in the same Markdown section so it
describes what happens for owned lights and slice-based sending without using
phrases like “isn’t” or “doesn’t”; update the wording around the light_count
description to keep the behavior clear while staying in positive phrasing.

In `@src/core/AudioModule.h`:
- Line 93: The control name exposed from AudioModule::initControls() is
misleading because loop1s() publishes the maximum RMS-derived level over the
last second, not a raw RMS snapshot. Rename the read-only control added via
controls_.addReadOnly("level RMS", ...) to match the sampled statistic, and keep
the label consistent with the value computed in loop1s() and stored in
levelStr_.

In `@src/core/DevicesModule.h`:
- Around line 376-382: Update the mDNS browse comment near
DevicesModule::mdnsBrowse so it matches the platform.h contract by saying it
blocks up to timeoutMs, not the full timeout, and rewrite the wording in present
tense. Also remove absence-narration phrases like “does not,” “doesn’t,” and
“can’t” from that comment block while preserving the same intent and details.

In `@test/unit/core/unit_FirmwareUpdateModule.cpp`:
- Around line 33-40: The FirmwareUpdateModule test currently verifies only the
version/build/firmware string controls, but it does not assert the new
firmwarePartition control added to the module contract. Update the unit test
around fw.controls() to also check for firmwarePartition alongside the existing
control-name checks, using the same control iteration pattern and identifiers in
unit_FirmwareUpdateModule so the spec change is covered.

---

Outside diff comments:
In `@docs/history/plans/Plan-20260623` - Resumable adaptive preview send.md:
- Around line 37-43: The history note still describes the old generation-guard
based PreviewSend design, but the implemented contract now uses
cancelBufferedSend() and clientGeneration re-prime with copied header/body
pointers, cursors, and active state. Update the plan entry by removing or
pruning the obsolete bodyGeneration/drain-time tag-check language, or add a
brief superseded-by note that points to cancelBufferedSend() and the current
PreviewSend flow so the documentation matches the code.

In `@src/core/HttpServerModule.cpp`:
- Around line 1196-1199: The backpressure comment and related wording in
HttpServerModule’s preview send path describe the wrong policy: the code in the
previewSend_ check keeps the active frame and rejects the newly offered one, so
rename the behavior from “Newest-wins” to “drop-new” and update the surrounding
comment/message to match the actual interface semantics. Use the previewSend_
active-state check to locate the spot and make the terminology consistent
everywhere it’s referenced.

In `@src/core/HttpServerModule.h`:
- Around line 44-45: Revise the preview-send comments in HttpServerModule to use
direct present-tense behavior wording instead of absence narration; update the
comment near the resumable one-frame send and the related comment around
BinaryBroadcaster so they describe what the code does now, such as bounded
loop20ms draining and caller cancellation before body reallocation, rather than
saying it “never spins” or “never reads freed memory.”

In `@src/light/drivers/PreviewDriver.h`:
- Around line 83-87: The generation-triggered coord resend in
PreviewDriver::buildAndSendCoordTable is starting while a buffered send may
still be in flight from sendBufferedFrame, which can interleave WebSocket
messages. Before calling buildAndSendCoordTable when clientGeneration() changes,
cancel any active buffered frame through BinaryBroadcaster’s cancelBufferedSend
path (the same lifecycle used for new-client connect) and then proceed with the
coord resend; keep the lastClientGen_ update and coordPending_ flow unchanged.

---

Duplicate comments:
In `@src/core/BinaryBroadcaster.h`:
- Around line 41-46: The BinaryBroadcaster buffered-send contract still allows
an unsafe abort path: a client that has already received part of a WebSocket
frame can remain partially framed and consume the next message incorrectly.
Update the cancelBufferedSend-related contract in BinaryBroadcaster to require
closing any client with partial buffered-frame bytes before clearing the
in-flight send, and adjust the surrounding documentation/comments so it reflects
that partial sends must not be left open.

In `@src/core/HttpServerModule.cpp`:
- Around line 1082-1086: The buffered-send abandon logic in HttpServerModule
should use the existing cancellation helper instead of manually clearing the
active flag. Update the code path that currently sets previewSend_.active to
false so it calls cancelBufferedSend() (or the helper you just fixed) to ensure
any in-flight frame is fully cancelled and clients cannot stay mid-message. Keep
the generation bump behavior intact around this change.
- Around line 1239-1268: drainPreviewSend() can stay active forever if a live
wsClients_ entry keeps returning 0 from writeSome(), because previewSend_.sent
never advances and previewSend_.active is never cleared. Add a bounded progress
watchdog in HttpServerModule::drainPreviewSend() tied to each client’s
previewSend_ state, such as per-client idle ticks or frame age, and close or
drop unfinished clients once they exceed the limit so new preview frames can
proceed. Use the existing symbols previewSend_, wsClients_, ws.writeSome(), and
previewChunkBytes() to implement the timeout cleanly.
- Around line 1161-1189: `HttpServerModule::beginBinaryFrame`,
`pushBinaryFrame`, and `endBinaryFrame` currently send a header and payload
without tracking whether the pushed bytes match the declared `totalLen`. Add
per-frame state on `HttpServerModule` (such as an open flag and
remaining/expected byte count) so `pushBinaryFrame()` decrements and validates
progress, and make `endBinaryFrame()` detect mismatches, fail the frame, and
close or mark partial websocket clients accordingly.

In `@src/core/HttpServerModule.h`:
- Line 49: The buffered-send cancellation in `cancelBufferedSend()` only flips
`previewSend_.active`, but it leaves partially sent clients and stale payload
state behind. Move this logic out of the inline override into a shared helper
used by both cancellation and new-client handling, and ensure it closes any
client with `0 < sent[i] < hdrLen + bodyLen` before resetting `sent`, `hdrLen`,
`body`, and `bodyLen` on the preview send state.

In `@src/light/drivers/PreviewDriver.h`:
- Around line 84-87: `PreviewDriver::loop()` still performs synchronous
socket-drain work through coord-table resends and the streamed/downsampled
paths, so move that send/drain work off the hot path. Update
`buildAndSendCoordTable()`, the
`beginBinaryFrame()`/`pushBinaryFrame()`/`endBinaryFrame()` flow, and
`HttpServerModule::sendAllOrClose()` so `loop()` only queues or marks pending
data while the actual `writeSome()` draining happens asynchronously or in a
separate send step. Keep the fix centered on `PreviewDriver`,
`buildAndSendCoordTable`, and `HttpServerModule::sendAllOrClose` so slow clients
no longer add variable socket cost to `loop()`.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7788f162-9162-47f1-b1fd-3cc48c361e44

📥 Commits

Reviewing files that changed from the base of the PR and between 63a8fe8 and 0c0e992.

📒 Files selected for processing (22)

• docs/architecture.md
• docs/history/plans/Plan-20260623 - Resumable adaptive preview send.md
• docs/history/plans/Plan-20260623 - Stream preview from buffers, zero preview buffers.md
• docs/moonmodules/core/AudioModule.md
• docs/moonmodules/core/FirmwareUpdateModule.md
• docs/moonmodules/core/SystemModule.md
• docs/moonmodules/light/drivers/NetworkSendDriver.md
• scripts/scenario/run_live_scenario.py
• src/core/AudioModule.h
• src/core/BinaryBroadcaster.h
• src/core/DevicesModule.h
• src/core/FirmwareUpdateModule.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• src/core/SystemModule.h
• src/light/drivers/PreviewDriver.h
• src/ui/app.js
• src/ui/preview3d.js
• test/CMakeLists.txt
• test/unit/core/unit_FirmwareUpdateModule.cpp
• test/unit/core/unit_SystemModule.cpp
• test/unit/light/unit_GridLayout.cpp

💤 Files with no reviewable changes (1)

• docs/moonmodules/core/SystemModule.md

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Rename the control to match the sampled statistic.

Line 93 exposes level RMS, but loop1s() publishes the maximum RMS-derived level seen over the last second, not a plain RMS snapshot. That makes the wire/UI name misleading for consumers reading this control.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/AudioModule.h` at line 93, The control name exposed from
AudioModule::initControls() is misleading because loop1s() publishes the maximum
RMS-derived level over the last second, not a raw RMS snapshot. Rename the
read-only control added via controls_.addReadOnly("level RMS", ...) to match the
sampled statistic, and keep the label consistent with the value computed in
loop1s() and stored in levelStr_.

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/core/AudioModule.h (1)

169-173: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Use present-tense wording in this comment block.

Line 171 and Line 172 use backward-looking phrasing (“caught… showed”). Please rewrite in present tense to match repo policy.

As per coding guidelines, "**/*.{h,hh,hpp,hxx,cpp,cc,cxx}: Write code, comments, and documentation in the present tense only; avoid changelog-style or backward-looking phrasing...".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/AudioModule.h` around lines 169 - 173, Update the comment block in
AudioModule.h to use present-tense wording throughout. In the PEAK-level
explanation near the frame_.level and UI string logic, replace backward-looking
phrasing like “caught” and “showed” with present-tense equivalents while keeping
the technical meaning unchanged. Preserve the same intent around display-only
window peak behavior and the live frame_.level path used by the effects/LEDs.

Source: Coding guidelines

docs/moonmodules/core/FirmwareUpdateModule.md (1)

11-14: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Rewrite this controls-row prose in present tense.

Line 13 and Line 14 include backward-looking/history phrasing (for example “flashed before…”, “once broke…”, “historical/predates…”). Rephrase in present tense, and keep historical notes in allowed history/backlog locations only.

As per coding guidelines, "**/*.{md,mdx}: Write code, comments, and documentation in the present tense only; avoid changelog-style or backward-looking phrasing except in docs/backlog/, docs/history/, and decisions.md lessons."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/moonmodules/core/FirmwareUpdateModule.md` around lines 11 - 14, The
controls-row prose in the firmware update module still uses backward-looking
phrasing in the `version` and `firmware` entries. Rewrite the affected
descriptions in present tense only, keeping the meaning intact, and remove
references like “flashed before,” “once broke,” or similar history-style wording
from this table. Use the existing `version` and `firmware` labels to locate the
text and leave any historical notes for approved history/backlog docs only.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/diag/preview_health.py`:
- Around line 146-170: The reconnect logic in preview_health.py is not matching
the browser because the backoff only applies during the _Ws(host) handshake and
is skipped after an established ws.recv_frame() session closes. Update the
reconnect path around the websocket receive loop so any close/error from
ws.recv_frame() or the surrounding try/except uses the same 500 ms to 5 s delay
as src/ui/app.js connectWs, and reset that delay only after a connection is
successfully established.
- Line 1: The script entrypoint still uses python3 directly, bypassing the
repo-managed uv environment. Update the shebang in preview_health.py so direct
execution goes through uv run instead of python3, matching the scripting
convention used across scripts/**/*.py and keeping the execution environment
consistent.
- Around line 227-231: The preview_health main flow always exits 0 even when
measure() returns CHOPPY or DEAD, so MoonDeck treats unhealthy runs as passing.
Update main() to propagate a non-zero exit code for unhealthy verdicts, or
change the /api/stream contract and the Live-tab logic in app.js to read the
verdict separately instead of relying only on exitCode. Use the existing main()
and measure() symbols to locate the fix.
- Around line 125-128: The grid probe in preview_health.py mutates Grid.width,
Grid.height, and Grid.depth and never restores them, which leaves the device
changed after the diagnostic runs. Update the logic around the grid handling
block to snapshot the original control values before calling _set_control in the
grid path, then restore those values in a finally block so the probe remains
non-destructive; use the existing _set_control helper and the grid branch in the
preview/health flow to locate the fix.

In `@scripts/moondeck_config.json`:
- Around line 155-163: The preview_health config currently forces device
selection through needs_device: true, which blocks the no-host sweep path from
the UI. Update the preview_health entry in moondeck_config.json so it can launch
without a selected device, either by removing needs_device or by introducing a
separate non-device launch configuration that maps to
scripts/diag/preview_health.py and preserves the documented sweep behavior.

In `@test/unit/core/unit_FirmwareUpdateModule.cpp`:
- Around line 33-36: The test comment in unit_FirmwareUpdateModule.cpp is
written in backward-looking language and should be rewritten in present tense.
Update the nearby comment describing version/build and firmwarePartition so it
states the current behavior of the FirmwareUpdateModule test setup, avoiding
phrasing like “moved here” while keeping the explanation about
platform::firmwarePartition() and the Progress control.

---

Outside diff comments:
In `@docs/moonmodules/core/FirmwareUpdateModule.md`:
- Around line 11-14: The controls-row prose in the firmware update module still
uses backward-looking phrasing in the `version` and `firmware` entries. Rewrite
the affected descriptions in present tense only, keeping the meaning intact, and
remove references like “flashed before,” “once broke,” or similar history-style
wording from this table. Use the existing `version` and `firmware` labels to
locate the text and leave any historical notes for approved history/backlog docs
only.

In `@src/core/AudioModule.h`:
- Around line 169-173: Update the comment block in AudioModule.h to use
present-tense wording throughout. In the PEAK-level explanation near the
frame_.level and UI string logic, replace backward-looking phrasing like
“caught” and “showed” with present-tense equivalents while keeping the technical
meaning unchanged. Preserve the same intent around display-only window peak
behavior and the live frame_.level path used by the effects/LEDs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0ab13031-4542-449e-953d-792238b7a918

📥 Commits

Reviewing files that changed from the base of the PR and between 0c0e992 and bf1a05b.

⛔ Files ignored due to path filters (22)

• docs/assets/gettingstarted/01-01-installer-start.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-02-select-port.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-03-port-selected.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-04-pick-device.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-05-device-details.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-06-device-setup.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-07-erasing.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-08-installing.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-09-wifi-credentials.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-10-online-wifi.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-11-online-ethernet.png is excluded by !**/*.png
• docs/assets/gettingstarted/01-12-online-existing-ip.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-01-UI-large.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-02-UI-mid.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-03-UI-small.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-04-UI-Preview.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-05-UI-System.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-06-UI-Firmware.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-07-UI-Network.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-08-UI-Layouts.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-09-UI-Layers.png is excluded by !**/*.png
• docs/assets/gettingstarted/02-10-UI-Drivers.png is excluded by !**/*.png

📒 Files selected for processing (18)

• docs/architecture.md
• docs/gettingstarted.md
• docs/moonmodules/core/FirmwareUpdateModule.md
• docs/moonmodules/light/drivers/NetworkSendDriver.md
• scripts/MoonDeck.md
• scripts/diag/preview_health.py
• scripts/moondeck_config.json
• src/core/AudioModule.h
• src/core/BinaryBroadcaster.h
• src/core/DevicesModule.h
• src/core/HttpServerModule.cpp
• src/core/HttpServerModule.h
• test/scenarios/light/scenario_Audio_mutation.json
• test/scenarios/light/scenario_Driver_mutation.json
• test/scenarios/light/scenario_MultiplyModifier_pipeline.json
• test/scenarios/light/scenario_perf_full.json
• test/scenarios/light/scenario_perf_light.json
• test/unit/core/unit_FirmwareUpdateModule.cpp

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Use uv for direct script execution.

The shebang still invokes python3 directly, so anyone running the file directly bypasses the repo-managed uv environment.

As per coding guidelines, scripts/**/*.py: Use uv run for every Python invocation; never call python or python3 directly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/diag/preview_health.py` at line 1, The script entrypoint still uses
python3 directly, bypassing the repo-managed uv environment. Update the shebang
in preview_health.py so direct execution goes through uv run instead of python3,
matching the scripting convention used across scripts/**/*.py and keeping the
execution environment consistent.

Source: Coding guidelines

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

--grid leaves the device mutated after the probe.

This path writes Grid.width, Grid.height, and Grid.depth and never restores the previous values, so the diagnostic changes live device state after measurement ends. That also contradicts the "Stamps nothing on the device" contract in scripts/MoonDeck.md. Snapshot the original controls and restore them in a finally block.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/diag/preview_health.py` around lines 125 - 128, The grid probe in
preview_health.py mutates Grid.width, Grid.height, and Grid.depth and never
restores them, which leaves the device changed after the diagnostic runs. Update
the logic around the grid handling block to snapshot the original control values
before calling _set_control in the grid path, then restore those values in a
finally block so the probe remains non-destructive; use the existing
_set_control helper and the grid branch in the preview/health flow to locate the
fix.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Reconnect timing is not browser-faithful yet.

After an established socket closes, the outer loop reconnects immediately. The 500 ms→5 s backoff only runs when _Ws(host) fails during the handshake, so short device-side closes look healthier here than they do in src/ui/app.js's connectWs. Apply the same delay on every close/error reconnect path, and reset the delay when a connection opens successfully.

🧰 Tools

🪛 Ruff (0.15.18)

[warning] 155-155: Abstract raise to an inner function

(TRY301)

---

[warning] 155-155: Avoid specifying long messages outside the exception class

(TRY003)

---

[error] 169-170: try-except-pass detected, consider logging the exception

(S110)

---

[warning] 169-169: Do not catch blind exception: Exception

(BLE001)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/diag/preview_health.py` around lines 146 - 170, The reconnect logic
in preview_health.py is not matching the browser because the backoff only
applies during the _Ws(host) handshake and is skipped after an established
ws.recv_frame() session closes. Update the reconnect path around the websocket
receive loop so any close/error from ws.recv_frame() or the surrounding
try/except uses the same 500 ms to 5 s delay as src/ui/app.js connectWs, and
reset that delay only after a connection is successfully established.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

MoonDeck will show DEAD runs as passing.

main() always returns 0, but scripts/moondeck_ui/app.js:542-553 marks the Live-tab status dot as pass whenever exitCode === 0. With this integration, a CHOPPY or DEAD verdict still renders green. Either propagate unhealthy verdicts via exit code, or extend the /api/stream payload/UI contract to carry the verdict separately.

🧰 Tools

🪛 Ruff (0.15.18)

[warning] 231-231: Useless if-else condition

(RUF034)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/diag/preview_health.py` around lines 227 - 231, The preview_health
main flow always exits 0 even when measure() returns CHOPPY or DEAD, so MoonDeck
treats unhealthy runs as passing. Update main() to propagate a non-zero exit
code for unhealthy verdicts, or change the /api/stream contract and the Live-tab
logic in app.js to read the verdict separately instead of relying only on
exitCode. Use the existing main() and measure() symbols to locate the fix.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
ast-grep outline scripts/moondeck_ui/app.js --view expanded
rg -n -C3 '"needs_device"|needs_device|host' scripts/moondeck_ui/app.js scripts/moondeck.py
sed -n '480,620p' scripts/moondeck_ui/app.js
sed -n '1210,1265p' scripts/moondeck.py

Repository: MoonModules/projectMM

Length of output: 23570

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,260p' scripts/diag/preview_health.py
printf '\n--- MoonDeck.md ---\n'
rg -n -C3 'preview_health|no host|all online devices|needs_device' scripts/MoonDeck.md scripts/moondeck_config.json

Repository: MoonModules/projectMM

Length of output: 15734

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ast-grep outline scripts/diag/preview_health.py --view expanded

Repository: MoonModules/projectMM

Length of output: 612

---

Allow preview_health to launch without a selected device. needs_device: true makes the Live tab require selected devices and forces --host per device, so the documented no-host sweep path in scripts/diag/preview_health.py is not reachable from the UI. Either drop needs_device here or add a separate non-device launch path.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/moondeck_config.json` around lines 155 - 163, The preview_health
config currently forces device selection through needs_device: true, which
blocks the no-host sweep path from the UI. Update the preview_health entry in
moondeck_config.json so it can launch without a selected device, either by
removing needs_device or by introducing a separate non-device launch
configuration that maps to scripts/diag/preview_health.py and preserves the
documented sweep behavior.

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep the test comment in present tense.

Line 33 uses backward-looking wording (“moved here”). Please rephrase to present tense to align with the repo rule.

As per coding guidelines, "**/*.{h,hh,hpp,hxx,cpp,cc,cxx}: Write code, comments, and documentation in the present tense only; avoid changelog-style or backward-looking phrasing..."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/unit/core/unit_FirmwareUpdateModule.cpp` around lines 33 - 36, The test
comment in unit_FirmwareUpdateModule.cpp is written in backward-looking language
and should be rewritten in present tense. Update the nearby comment describing
version/build and firmwarePartition so it states the current behavior of the
FirmwareUpdateModule test setup, avoiding phrasing like “moved here” while
keeping the explanation about platform::firmwarePartition() and the Progress
control.

Source: Coding guidelines